Infosecurity.US

Information Security with Occasional Forays into Other Realms

  • Web Log
Image Credit: Professor Shreyas Sen

Image Credit: Professor Shreyas Sen

Securing The Internet Of The Body

March 28, 2019 by Marc Handelman in Medical Device Security, Medical Privacy, Medical Security, Medicine, Information Security

via Purdue University Professor Shreyas Sen (Assistant Professor of Electrical and Computer Engineering and his students Debayan Das, Shovan Maity and Baibhab Chatterjee) comes a definative answer to securing the various machines and other connected implants we as a species are placing into and on our bodies to assist and record. Their work - entitled 'Enabling Covert Body Area Network using Electro-Quasistatic Human Body Communication' appears in Scientific Reports (a NatureResearch journal) (a portion of the Abstract of the journal entry appears below).

"Radiative communication using electro-magnetic (EM) fields amongst the wearable and implantable devices act as the backbone for information exchange around a human body, thereby enabling prime applications in the fields of connected healthcare, electroceuticals, neuroscience, augmented and virtual reality. However, owing to such radiative nature of the traditional wireless communication, EM signals propagate in all directions, inadvertently allowing an eavesdropper to intercept the information." - via the Nature ScientificResearch Journal publication entitled Enabling Covert Body Area Network using Electro-Quasistatic Human Body Communication'- via Purdue University Professor Shreyas Sen (Assistant Professor of Electrical and Computer Engineering and his students Debayan Das, Shovan Maity and Baibhab Chatterjee)

March 28, 2019 /Marc Handelman
Medical Device Security, Medical Privacy, Medical Security, Medicine, Information Security

Medtronic Defibs Flaws, DHS Issues Alert

March 26, 2019 by Marc Handelman in Medical Device Security, Medical Security, Medical Privacy, Information Security

via Joe Carlson, writing at the Star Tribune, comes the tale of the dangers of medical device implantation, software & hardware vulnerablities and the Department of Homeland Security's watchlist for medical devices. The criticality of this issue cannot be overstated. Today's MustRead.

"The Homeland Security Department, which oversees security in critical U.S. infrastructure including medical devices, issued an alert Thursday describing two types of computer-hacking vulnerabilities in 16 different models of Medtronic implantable defibrillators sold around the world, including some still on the market today. The vulnerability also affects bedside monitors that read data from the devices in patients’ homes and in-office programming computers used by doctors." - via Joe Carlson, writing at the Star Tribune

March 26, 2019 /Marc Handelman
Medical Device Security, Medical Security, Medical Privacy, Information Security

University of Washington Develops Cellphone Sonar App To Detect Opioid Overdose

January 27, 2019 by Marc Handelman in All is Information, Medical Security, Medicine, Medical Device Security, Life Saving Technology, Physical Security

via Sarah McQuate, writing at the University of Washington's UW News, comes a story that may change the downward spiral of opiate addicts for the better...

"Researchers at the University of Washington have developed a cellphone app, called Second Chance, that uses sonar to monitor someone’s breathing rate and sense when an opioid overdose has occurred." - via Sarah McQuate, writing at the University of Washington's UW News

January 27, 2019 /Marc Handelman
All is Information, Medical Security, Medicine, Medical Device Security, Life Saving Technology, Physical Security
1115-08-brain-p.jpg

The Noggin Tales: Flaws of EEG →

April 10, 2018 by Marc Handelman in Medicine, Medical Device Security, Information Security, Application Security

News, via Sean Gallagher - writing at Ars Technica, details at least five critical flaws in a multi-vender software package shipped under the moniker 'Natus Xltek NeuroWorks 8'. Give’s one pause, before hooking up to the machines at your local body shop, eh?

"While attacking an EEG system won't necessarily harm a patient directly, the vulnerabilities described by Talos could be used to create a persistent presence on hospital networks for a number of malicious purposes, or to execute code that could install malware if the Internet is reachable from the system." via Sean Gallagher writing at Ars Technica

April 10, 2018 /Marc Handelman
Medicine, Medical Device Security, Information Security, Application Security

BGU Security Researchers Urge Physicians to Patch Their Systems →

February 14, 2018 by Marc Handelman in Medical Device Security, Medicine, Healthcare Infrastrucutre, Hardware Security

via Zaid Shoorbajee - reporting for Cyberscoop, comes a story of security entropy, this time in medical imaging device system patching and an esteemed University's research targeting those systems. In this case, a research paper from Israel's Ben-Gurion University of the Negev Malware-Lab yielded good (but not-necessarily-acted-upon-advice) to Medical Professionals: Patch Your Flawed Imaging Systems...

'“In cases where even a small delay can be fatal, or where a dangerous tumor is removed or erroneously added to an image, a cyberattack can be fatal,” said Tom Mahler, an author on the paper. “However, strict regulations make it difficult to conduct basic updates on medical PCs, and merely installing anti-virus protection is insufficient for preventing cyber-attacks.” ' - Zaid Shoorbajee - reporting for Cyberscoop

February 14, 2018 /Marc Handelman
Medical Device Security, Medicine, Healthcare Infrastrucutre, Hardware Security

USENIX Enigma 2017, Tamara Bonaci's "Brains Can Be Hacked. Why Should You Care?" →

September 26, 2017 by Marc Handelman in Conferences, Education, Information Security, Medicine, Medical Device Security
September 26, 2017 /Marc Handelman
Conferences, Education, Information Security, Medicine, Medical Device Security
modified ct scanner.jpeg

Low Skill Attack, The Siemens Method →

August 09, 2017 by Marc Handelman in Blatant Stupidity, Information Security, Medical Device Security, Low Skill Attacks, No Skill Attacks

Apparently, systemic - and therefore - fundamental - security incompetence 'reigns' supreme' at Siemens... Witness the reported 'low skill' (aka 'no skill') vectored attacks targeting the company's Computed Tomography (CT) and Positron Emission Tomography (PET) Medical Scanners. Shameful.

August 09, 2017 /Marc Handelman
Blatant Stupidity, Information Security, Medical Device Security, Low Skill Attacks, No Skill Attacks

Joy of Tech's Revenge of the Medical Machines →

May 17, 2017 by Marc Handelman in Medical Device Security, Joy of Tech®

via the awesome grey matter of Nitrozac and Snaggy at The Joy of Tech®!

May 17, 2017 /Marc Handelman
Medical Device Security, Joy of Tech®
nist-nccoe-logo.jpeg

NCCOE Heralds Release of NIST SP 1800-8 Securing Wireless Infusion Pumps

May 09, 2017 by Marc Handelman in All is Information, Control Systems, Defensive Infosec, Demise of Privacy, Hardware Security, Health Care Security, Health, Information Security, Medical Device Security, NIST NCCoE, NIST

The National Institute of Standards and Technology (NIST) National Center for Cybersecurity Excellence (NCCOE) has released it's latest draft medical device related security document, entitled 'NIST Special Publication 1800-8 Cybersecurity Special Publication 1800-8 Securing Wireless Infusion Pumps - In Healthcare Delivery Organizations'. Authored by Gavin O'Brien, Sallie Edwards, Kevin Littlefield, Neil McNab, Sue Wang and Kangmin Zheng - the document is available as either a PDF or web-based artifact. Enjoy.

"Medical devices, such as infusion pumps, were once standalone instruments that interacted only with the patient or medical provider. With technological improvements designed to enhance patient care, these devices now connect wirelessly to a variety of systems, networks, and other tools within a healthcare delivery organization (HDO) – ultimately contributing to the Internet of Medical Things (IoMT)." - via the National Center for Cybersecurity Excellence (NCCOE)

May 09, 2017 /Marc Handelman
All is Information, Control Systems, Defensive Infosec, Demise of Privacy, Hardware Security, Health Care Security, Health, Information Security, Medical Device Security, NIST NCCoE, NIST
Credit: Johnson & Johnson

Credit: Johnson & Johnson

Johnson & Johnson, The Warning

October 05, 2016 by Marc Handelman in Accountability, All is Information, Information Security, Medical Device Security

Jim Finkle, writing at Reuters, shares a warning - via Johnson & Johnson (NasdaqGS: JNJ) - of an insulin pump security flaw that permits exploitation thereof. Kudos are in order for the diligent efforts brought to bear on this flaw by the researcher - Jay Radcliffe, of Rapid7 (see the 2016/09/28 notification at the Rapid7 Community blog). Outstanding work.

" Using industry standard encryption with a unique key pair would mitigate these issues. Affected users can avoid these issues entirely by disabling the radio (RF) functionality of the device. On the OneTouch Ping Insulin Pump, this is done through the Setup -> Advanced -> Meter/10 screen, and selecting "RF = OFF". In addition, the vendor has provided other mitigations for these issues, described on their website and in letters being sent to all patients using the pump and health care professionals. Patients should consult with their own endocrinologist about any aspect of their ongoing medical care.' via Rapid7

 

 

October 05, 2016 /Marc Handelman /Source
Accountability, All is Information, Information Security, Medical Device Security

Brainjacking, The Study →

August 30, 2016 by Marc Handelman in Medical Device Security, Physical Security, Operating Systems

Luckily, we all know he has nothing to fear...

 

August 30, 2016 /Marc Handelman
Medical Device Security, Physical Security, Operating Systems