e dot dot dot
a mostly about the Internet blog by

September 2017


'Smart' Hospital IV Pump Vulnerable To Remote Hack Attack

Furnished content.


By this point, the half-baked security in most internet of things devices has become a bit of a running joke, leading to amusing Twitter accounts like Internet of Shit that highlight the sordid depth of this particular apathy rabbit hole. And while refrigerators leaking your Gmail credentials and tea kettles that expose your home networks are entertaining in their own way, it's easy to lose sight of the fact that the same half-assed security in the IoT space also exists on most home routers, your car, your pacemaker, and countless other essential devices and services your life may depend on.

The lack of security on the medical front is particularly alarming. The latest case in point: security researchers have discovered eight vulnerabilities in a syringe infusion pump used by hospitals to help administer medication to patients intravenously. The flaws in the Medfusion 4000 infusion pump, manufactured by UK medical multinational Smiths Group, were discovered by security researcher Scott Gayou. The device is utilized to deliver medications, blood, antibiotics and other fluids to critical care patients, patients undergoing surgery (anesthesia) -- and newborn babies.

The flaws were severe enough to warrant a new warning from the Department of Homeland Security, which issued an advisory that, like similar past advisories, rather downplays the fact these flaws could be utilized by a skilled hacker to kill somebody covertly:

"Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump. Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage."
Both the FDA and DHS have ramped up the attention they're giving such vulnerabilities, recently having issued similar first-ever warnings about flaws in pacemakers by St. Jude Medical, which can be similarly abused to kill patients. And while this is all wonderful news if you're a wetworker operating in an environment where such flaws take years to discover, much less fix, it's decidedly less fun for the companies being criticized for half-assed security measures. In most cases, the companies impacted make it their top priority to downplay the risks involved, as the Smiths Group did in its statement on the vulnerabilities:
The possibility of this exploit taking place in a clinical setting is highly unlikely, as it requires a complex and an unlikely series of conditions.
Except six of the vulnerabilities in question simply involve the use of hard-coded credentials, the same problem that has plagued the home router market for years. For its part, Smiths says it's working hard to implement a fix for the flaws -- that might be released in January 2018. In the interim Smiths is urging hospitals to assess the risk, change the default login credentials, and disconnect these devices from the network where necessary. But considering the low quality of IT support in most hospitals (a major reason for a massive spike in hospital ransomware attacks) -- there's certainly no guarantee of any of these mitigation measures actually happening.


posted at: 12:00am on 23-Sep-2017



Company CEO Pleads Guilty After Forging Judge's Signatures On Bogus Court Orders Sent To Google

Furnished content.


Earlier this spring, a jewelry company CEO earned himself a federal indictment for his bespoke reputation management efforts. Realizing it was extremely difficult to erase negative reviews from the net, National Sapphire Company boss Michael Arnstein took one such reviewer to court. He was awarded an injunction after the defendant no-showed, resulting in the delisting of 54 URLs.

But the negative reviews kept coming. Rather than hire a lawyer and bring more defamation suits, Arnstein opted for the initially less-costly option: mocking up delisting orders and forging a judge's signature. This apparently worked well enough that Arnstein felt comfortable sharing his fraudulent tactics with others. This swaggering, inculpatory statement was included in the federal complaint.

"No bullshit: if I could do it all over again I would have found another court order injunction for removal of links (probably something that can be found online pretty easily) made changes in photoshop to show the links that I wanted removed and then sent to 'removals@google.com' as a pdf — showing the court order docket number, the judges [sic] signature — but with the new links put in," Arnstein wrote in a July 2014 email, according to his criminal complaint. "Google isn't checking this stuff; that's the bottom line b/c I spent $30,000 fuckin thousand dollars and nearly 2 fuckin years to do what legit could have been done for about 6 hours of searching and photoshop by a guy for $200., all in ONE DAY".
The DOJ -- aided greatly by Arnstein generating plenty of evidence against himself -- pulled the trigger on a federal indictment. And, thanks to several other cases of rep management firms defrauding courts, Google is indeed "checking this stuff," limiting the effectiveness of impersonating judges and/or sliding bogus paperwork past them.

Arnstein has now pled guilty to a conspiracy charge, the DOJ reports.
ARNSTEIN, 40, of Kailua, Hawaii, pled guilty to one count of conspiracy to forge a judicial signature, which carries a maximum sentence of five years in prison. The maximum potential sentence is prescribed by Congress and is provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge.
And one more bit of schadenfreude:
Acting Manhattan U.S. Attorney Joon H. Kim said: "As he admitted today, Michael Arnstein exploited the authority of the federal judiciary in a blatantly criminal scheme. By forging court orders and the signature of a U.S. District Judge, Arnstein was able to effectively erase websites critical of Arnstein's business from its search results. Now Arnstein awaits sentencing in the same court he impersonated."
Some sympathy is warranted for those hoping to battle negative reviews. Even illegitimate negative reviews can be close to impossible to remove from the web. But if the system seems unfair, it has to be. Making it easier to remove bogus reviews would just make it easier for companies/individuals who've earned every acidic word in their negative reviews to scrub the web of bad things.

The internet may be a well-oiled hate machine, but it's also a handy source of reference for customers who want to emerge unscathed from interactions with providers of goods and services. Easy delistings would turn the web into a cheery place where every company appears to exceed expectations, even as they screw their customers over.


posted at: 12:00am on 23-Sep-2017


