Category Archives: Security

Security related issues.

Top 10 Ways to Spot a Cybersecurity Expert

When you’re looking for a cybersecurity expert it’s important to be able to spot who knows what they’re doing and who doesn’t. Well in this case the title of the post is a bit of click-bait. Got you, didn’t I? This is really how to spot someone who is NOT a cybersecurity expert. Probably I should have titled it Ten Ways to Spot a Cybersecurity Fake. Let’s take a serious topic and have a bit of fun at the same time. Here’s the list.

#10 – Mobile phone is more than a year old
You just can’t push updates to old phones. Unfortunately this is as true for security patches as it is for bug fixes. If you want to be secure you’ve got to keep it patched, and to keep it patched you’ve got to have current hardware. In the smartphone world, this means your phone is less than 12 months old. An “expert” who carries a crappy phone isn’t paranoid secure enough for me.
#9 – Still carrying a Blackberry
The internet age moves fast and you have to keep up. Blackberry is a bit of a dinosaur and you’re just not getting all the latest that you get from more agile vendors. Avoid dinosaurs when looking for technical help, they simply won’t be aware of the latest threats and rely on outdated models of security.
#8 – Wears a suit
In the IT industry nothing says sales rep like a suit does. Now this person might understand the need and value of enhanced cybersecurity, but they don’t know what you really need to do. If they’re not a sales rep, then they’re probably just a dinosaur, because tech people don’t wear suits anymore. See above.
#7 – Wears a tie
Do I really have to explain? Have you ever met someone who really got cybersecurity who was wearing a tie? See above. (Sorry Kevin – you’re the exception. You rock the cravat.)
#6 – Uses open wifi
Any security professional worth their salt is deathly afraid of open wifi. It doesn’t matter if it’s a hotel, a coffee shop, or an airport. Cyberpeople carry their own internet in their pocket.
#5 – Never uses cash
Between the Target hack and ATM skimmers at the gas pump, a healthy dose of paranoia when it comes to credit cards is a good idea. I’ve gone back to using cash a lot more than I used to and you should too.
#4 – Thinks eight characters is enough for a password
Seriously, rainbow tables people. If your password is leaked in a data breach it can take as little as a couple of milliseconds to crack an 8 character password. If they don’t know this, then their knowledge is years out-of-date.
#3 – Thinks funny characters you wont’t remember are good for passwords
I’m sorry but *#*%^)-} isn’t a great password. You will never be able to remember it, you’ll write it down and anyway it’s in a rainbow table so it’s not much better than 12345. You’re better off which an unbelievably long password you can remember that has a few funny tweaks than 8 pieces of gibberish.
#2 – Doesn’t wear glasses
Anyone spending their life on a computer has killed their eyes. If they’re not spending their life on the computer, they’re not passionate enough. You want someone who prefers the internet to real life. To paraphrase OrwellFour eyes good, two eyes bad
#1 – Doesn’t use the command line
Everyone with a hacker mentality uses the command line, regardless of operating system. Anyone without a hacker mentality isn’t qualified to be working in cybersecurity.

I warned you up front we were going to have some fun with this, and hopefully you did. But in reality some of these tips will help you vet your cybersecurity expert. Even just tossing some of the terms above at them to see how they respond may tell you something. If they use a term you don’t know make them explain it – if they can’t explain it they probably don’t understand it very well.

If you don’t know enough to tell a real expert from a fake, get help from someone you can trust, and stay safe out there!

IoT Hall-of-Shame Facebook Page

Greetings and Happy New Year. It’s early in the month and we’ve already had our first reported IoT Hall-of-Shame entry, as you know if you follow that page or my twitter @codecurmudgeon. For those who live inside Facebook I’ve decided to make your life easier by adding a Facebook page for the Internet-of-Things IoT Hall-of-Shame as well. That way you can just follow it and it will show up in your Facebook feed.

“Things” are being hacked at a furious pace – some even call it the “Internet of Evil Things”. It’s amazing how often I find out about a new hack every single day. Is your TV going to spy on you? Is it easy to hack your phone? Is the stoplight on your corner vulnerable? Keep up to date on what’s happening.

Go check it out, like the page, follow it for the latest IoT Hall-of-Shame updates, and tell your friends. And when you hear about any IoT devices getting hacked please let me know!

Software Safety Keynote EuroSPI 2016

I was honored this week to have the opportunity to present a keynote session at EuroSPI 2016. The title of my presentation was “Software Safety and Security Through Standards” and I discussed one of my favorite soapboxes. That is the idea that software development is often less disciplined than it should be, but it doesn’t have to be. We can and should develop software as an engineering discipline.

One of the key ways to start down this path is to implement coding standards properly. Too many are trying to use coding standards late in the process as a way to find bugs, rather than a way to flag improper methods of coding early on. While the former is cool, the latter is far more valuable.

The adage that “you can’t test quality in a product” is well known, but for some reason in software we think that you can indeed test quality into an application. The same goes for application security, perhaps even doubly so.

In order to break out of the current cycle of code, deploy, fix, redeploy we have to start doing things differently. We have to build a more mature software development process and static code analysis is the way to build upon the body of knowledge and best practices available.

Slides are below. Let me know if you have comments, questions, suggestions. And thanks to everyone at EuroSPI and ASQ for putting on a great conference and allowing me to participate. These are great organizations to get involved with if you’re serious about software quality. I encourage you to check them out.

Hacking: Medical Devices

Hospital buildingYou have control over your own body, right? Well, scary scenarios in the healthcare industry are increasing in awareness. In the past, with the growth of technology, hacking was just for computers, but now it is expanding to other devices including medical ones. This is not technically “cyber crime”, but can easily turn into it when it falls into the wrong hands so I’m going to cover it anyways.

Internet of Things (IoT): “refers to scenarios where network connectivity and computing capability extends to objects, sensors and everyday items not normally considered computers, allowing these devices to generate, exchange and consume data with minimal human intervention. There is, however, no single, universal definition” (Internet Society, 2015).

The IoT is an important aspect in the healthcare industry (recently the term Internet of Healthcare Things IoHT was coined by medical field personnel). Examples include; heart rate monitors, pacemakers, medicine drips, MRI, etc. all that connect to the Internet and record information. As most of us know, objects that are connected to the Internet or have computer-type technology can be hacked. One example of this was two men in Austria hacked their morphine pump while admitted to the hospital to boost the dosage (Sarvestani, 2014). This resulted in one going into respiratory arrest and both men becoming addicted to morphine (Sarvestani, 2014). They were able to achieve this by retrieving the machine’s control codes online, this information typically can be found in the device manuals that are online for user reference.Hospira LifeCare PCA pump

A more streamlined, dangerous version of the morphine pump hack is what is known as MEDJACK. MEDJACK is a “medical device hijack” (Carman, 2015). How is this done? Don’t these hospitals have firewalls and preventative measures for stuff like this? Yes and no. While the network itself and it’s computers are protected with firewall and other security the devices themselves are not secured. According to Ashley Carman at SC Magazine “attackers maneuver though healthcare systems’ main networks by initially exploiting outdated and unpatched medical devices, such as an X-ray scanner or blood gas analyzer. They build backdoors into the systems through these internet-connected devices” (2015).

Another way that this is done is through a tool known as Shodan that is “used to scan open ports on the internet is often used by security researchers to uncover critical exposed infrastructure that should be better protected” (Murdock, 2016). According to a Kaspersky researcher in Jason Murdock’s article “[Shodan] can find out about the hardware and software connected [to the internet] and if you know, for example, what feedback an MRI or laser or cardiology device gives when you connect to its port, you can go to Shodan and find hundreds of these devices and if you know a vulnerability you can hack all of them” (2016).

istan medical mannequinUnfortunately, it gets worse. Pacemakers, including ones that are fully installed, are now on the list of hackable equipment. Students at University of South Alabama hacked into iStan, a simulated human being device (Storm, 2015). IStan has “internal robotics that mimic human cardiovascular, respiratory and neurological systems. When iStan bleeds, his blood pressure, heart rate and other clinical signs change automatically.” iStan, which is used by USA’s College of Nursing, breaths, bleeds from two locations, cries, secretes bodily fluids, speaks, groans, wheezes, gags, gasps, coughs and mumbles” (Storm, 2015) allowing it to fully respond as a human being. These students hacked into the iStan and were able to launch a brute force attack and denial of service (DoS) attacks which interfered with the devices ability to function, which in turn “killed” iStan (Storm, 2015). Another source discussing pacemaker hacking is Tarun Wadhwa on Forbes. Wadhwa discussed how pacemakers are vulnerable:

“Implanted devices have been around for decades, but only in the last few years have these devices become virtually accessible.  While they allow for doctors to collect valuable data, many of these devices were distributed without any type of encryption or defensive mechanisms in place.  Unlike a regular electronic device that can be loaded with new firmware, medical devices are embedded inside the body and require surgery for “full” updates.  One of the greatest constraints to adding additional security features is the very limited amount of battery power available” (2012)

Thankfully though, there has been no recorded incident of intended harm to another individual (and a very small amount of incidents of harm to oneself) through medical device hacking. The basics? If you can, do some research into the devices being used in your hospital room to see what vulnerabilities are available on the web (through how-to’s, videos, device manuals, etc.) and if at all possible, stay healthy to avoid the hospital- I wish this for everyone!

(THIS POST IS NOT INTENDED TO INDUCE FEAR, ANGER, OR ANY OTHER EMOTION TOWARDS MEDICAL PERSONNEL, STAFF, HOSPITALS, IT STAFF, EQUIPMENT DEVELOPMENT, OR OTHER GROUP OF INDIVIDUALS HANDLING, PRODUCING, USING, UPDATING, OR INVOLVED IN MEDICAL DEVICES)

[Editors note: Maybe it SHOULD though… induce fear that is. -The Code Curmudgeon]

References:

Carman, A. (2014, June 4). ‘MEDJACK’ tactic allows cyber criminals to enter healthcare networks undetected. SC Magazine. Retrieved from http://www.scmagazine.com/trapx-profiles-medjack-threat/article/418811/

Internet Society. (2015, October). The Internet of Things: An overview. InternetSociety.org. Retrieved from https://www.internetsociety.org/sites/default/files/ISOC-IoT-Overview-20151014_0.pdf

Murdock, J. (2016, February 15). How a security researcher easily hacked a hospital and its medical devices. International Business Times. Retrieved from http://www.ibtimes.co.uk/ho w-security-researcher-easily-hacked-hospital-its-medical-devices-1544002

Sarvestani, A. (2014, August 15). Hospital patient hacks his own morphine pump. MassDevice.com On Call. Retrieved from http://www.massdevice.com/hospital-patient-hacks-his-own-morphine-pump-massdevicecom-call/

Storm, D. (2015, September 8). Researchers hack a pacemaker, kill a man(nequin). Computer World. Retrieved from http://www.computerworld.com/article/2981527/cybercri me-hacking/researchers-hack-a-pacemaker-kill-a-man-nequin.html

Wadhwa, T. (2012, December 6). Yes, you can hack a pacemaker (and other medical devices too). Forbes. Retrieved from http://www.forbes.com/sites/singularity/2012/12/06/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too/#5ab6b78313e0