Tag Archives: Hacking

Phishing Alert – Secret Army Gold

Two phun phishing emails in two days. Both from the same domain, nac.net, which you might want to add to your block list. Yesterday it was a fake FBI email, today it’s the Army.

This is another that falls into the ridiculous category, and maybe the get-rich-quick category as well. How come this army general decided to include me in his $26,000,000.00 windfall of “secret army gold”? (Sound like Three Kings anyone?) And if he really trusts me, why doesn’t he know my name? That alone should be enough reason to ignore such emails automatically.


In review, here are a few of the things that are wrong with this email:

  • The “From:” email address clearly is not from any valid domain, either military or normal social channels. In fact, it’s known for phishing scams.
  • Addressed to “Friend” – He trusts me with millions, but doesn’t know my name
  • Random people don’t send you email offering you millions of dollars – not happening
  • Official email address at the bottom doesn’t match the from address. Everything on the left side of the @ sign is the same, but the domain is nac.net at the top, and outlook.com at the bottom. Normal people don’t usually send email like that, with obvious reasonable exceptions.
  • Why is the story a plot from a 90s movie?
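The checks in the list above can be automated as a rough mail-triage heuristic. This is an added example, not code from the original post: the sample message, the local part `gen.example`, the flag names and the `phishing_flags` helper are all constructed for illustration, and the Reply-To comparison goes one step beyond the post, which only compares the From address with the address at the bottom of the body.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: local part and wording are invented; only the two
# domains and the dollar figure come from the post.
SAMPLE = """\
From: "Gen. Example" <gen.example@nac.net>
To: undisclosed-recipients:;
Subject: Confidential proposal

Dear Friend,

I am an army general and need help moving $26,000,000.00 in secret gold.
Reply only to my official email: gen.example@outlook.com
"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
GENERIC_GREETING = re.compile(
    r"^\s*(?:dear|hello|hi)?\s*(?:friend|beloved|sir|madam|customer)\b", re.I | re.M)
BIG_MONEY = re.compile(r"[$€£]\s?\d{1,3}(?:,\d{3}){2,}")  # seven figures and up

def split_addr(addr):
    local, _, domain = addr.lower().rpartition("@")
    return local, domain

def body_text(msg):
    # Plain-text parts only; no transfer-decoding, which is enough for this sketch.
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() == "text/plain")

def phishing_flags(raw, blocked_domains=()):
    msg = message_from_string(raw)
    body = body_text(msg)
    from_local, from_domain = split_addr(parseaddr(msg.get("From", ""))[1])
    flags = []
    if from_domain in blocked_domains:
        flags.append("sender-domain-blocked")
    if GENERIC_GREETING.search(body):
        flags.append("generic-greeting")
    if BIG_MONEY.search(body):
        flags.append("large-money-offer")
    # Same mailbox name on a different domain, in the body or in Reply-To.
    candidates = ADDR_RE.findall(body) + [parseaddr(msg.get("Reply-To", ""))[1]]
    for local, domain in map(split_addr, candidates):
        if local == from_local and domain and domain != from_domain:
            flags.append(f"contact-domain-mismatch:{from_domain}!={domain}")
    return flags

if __name__ == "__main__":
    print(phishing_flags(SAMPLE, blocked_domains={"nac.net"}))
```

Any single flag is weak evidence on its own; the combination of a generic greeting, a seven-figure offer and a contact address on a different domain is what makes this message easy to discard.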

FYI nac.net is registered through Godaddy.com since 1995 to a US company called “Net Access Corporation”, so I’m wondering are they purveyors of scams, or just a crappy email provider? Registrant is in New Jersey, server is in Colorado, and domain name redirects to cologix, so who knows.

Stay on the alert – best not to click anything in emails from unknown senders, and anyone who really has millions of dollars for you will figure out how to reach you. That kind of money makes it easy to find out.


Hacking: Medical Devices

You have control over your own body, right? Well, awareness of scary scenarios in the healthcare industry is increasing. In the past, hacking was just for computers, but with the growth of technology it is expanding to other devices, including medical ones. This is not technically “cyber crime”, but it can easily turn into it when it falls into the wrong hands, so I’m going to cover it anyway.

Internet of Things (IoT): “refers to scenarios where network connectivity and computing capability extends to objects, sensors and everyday items not normally considered computers, allowing these devices to generate, exchange and consume data with minimal human intervention. There is, however, no single, universal definition” (Internet Society, 2015).

The IoT is an important aspect of the healthcare industry (recently the term Internet of Healthcare Things, IoHT, was coined by medical field personnel). Examples include heart rate monitors, pacemakers, medicine drips, MRI, etc., all of which connect to the Internet and record information. As most of us know, objects that are connected to the Internet or have computer-type technology can be hacked. In one example, two men in Austria hacked their morphine pump while admitted to the hospital to boost the dosage (Sarvestani, 2014). This resulted in one going into respiratory arrest and both men becoming addicted to morphine (Sarvestani, 2014). They were able to achieve this by retrieving the machine’s control codes online; this information can typically be found in the device manuals that are posted online for user reference.

A more streamlined, dangerous version of the morphine pump hack is what is known as MEDJACK. MEDJACK is a “medical device hijack” (Carman, 2015). How is this done? Don’t these hospitals have firewalls and preventative measures for stuff like this? Yes and no. While the network itself and its computers are protected with firewalls and other security, the devices themselves are not secured. According to Ashley Carman at SC Magazine “attackers maneuver through healthcare systems’ main networks by initially exploiting outdated and unpatched medical devices, such as an X-ray scanner or blood gas analyzer. They build backdoors into the systems through these internet-connected devices” (2015).

Another way that this is done is through a tool known as Shodan that is “used to scan open ports on the internet is often used by security researchers to uncover critical exposed infrastructure that should be better protected” (Murdock, 2016). According to a Kaspersky researcher in Jason Murdock’s article “[Shodan] can find out about the hardware and software connected [to the internet] and if you know, for example, what feedback an MRI or laser or cardiology device gives when you connect to its port, you can go to Shodan and find hundreds of these devices and if you know a vulnerability you can hack all of them” (2016).

Unfortunately, it gets worse. Pacemakers, including ones that are fully installed, are now on the list of hackable equipment. Students at University of South Alabama hacked into iStan, a simulated human being device (Storm, 2015). iStan has “internal robotics that mimic human cardiovascular, respiratory and neurological systems. When iStan bleeds, his blood pressure, heart rate and other clinical signs change automatically.” “iStan, which is used by USA’s College of Nursing, breathes, bleeds from two locations, cries, secretes bodily fluids, speaks, groans, wheezes, gags, gasps, coughs and mumbles” (Storm, 2015), allowing it to fully respond as a human being. These students hacked into the iStan and were able to launch a brute force attack and denial of service (DoS) attacks which interfered with the device’s ability to function, which in turn “killed” iStan (Storm, 2015). Another source discussing pacemaker hacking is Tarun Wadhwa on Forbes. Wadhwa discussed how pacemakers are vulnerable:

“Implanted devices have been around for decades, but only in the last few years have these devices become virtually accessible.  While they allow for doctors to collect valuable data, many of these devices were distributed without any type of encryption or defensive mechanisms in place.  Unlike a regular electronic device that can be loaded with new firmware, medical devices are embedded inside the body and require surgery for “full” updates.  One of the greatest constraints to adding additional security features is the very limited amount of battery power available” (2012)

Thankfully though, there has been no recorded incident of intended harm to another individual (and a very small number of incidents of harm to oneself) through medical device hacking. The basics? If you can, do some research into the devices being used in your hospital room to see what vulnerabilities are available on the web (through how-to’s, videos, device manuals, etc.) and if at all possible, stay healthy to avoid the hospital. I wish this for everyone!

(THIS POST IS NOT INTENDED TO INDUCE FEAR, ANGER, OR ANY OTHER EMOTION TOWARDS MEDICAL PERSONNEL, STAFF, HOSPITALS, IT STAFF, EQUIPMENT DEVELOPMENT, OR OTHER GROUP OF INDIVIDUALS HANDLING, PRODUCING, USING, UPDATING, OR INVOLVED IN MEDICAL DEVICES)

[Editor’s note: Maybe it SHOULD though… induce fear that is. -The Code Curmudgeon]

References:

Carman, A. (2014, June 4). ‘MEDJACK’ tactic allows cyber criminals to enter healthcare networks undetected. SC Magazine. Retrieved from http://www.scmagazine.com/trapx-profiles-medjack-threat/article/418811/

Internet Society. (2015, October). The Internet of Things: An overview. InternetSociety.org. Retrieved from https://www.internetsociety.org/sites/default/files/ISOC-IoT-Overview-20151014_0.pdf

Murdock, J. (2016, February 15). How a security researcher easily hacked a hospital and its medical devices. International Business Times. Retrieved from http://www.ibtimes.co.uk/how-security-researcher-easily-hacked-hospital-its-medical-devices-1544002

Sarvestani, A. (2014, August 15). Hospital patient hacks his own morphine pump. MassDevice.com On Call. Retrieved from http://www.massdevice.com/hospital-patient-hacks-his-own-morphine-pump-massdevicecom-call/

Storm, D. (2015, September 8). Researchers hack a pacemaker, kill a man(nequin). Computer World. Retrieved from http://www.computerworld.com/article/2981527/cybercrime-hacking/researchers-hack-a-pacemaker-kill-a-man-nequin.html

Wadhwa, T. (2012, December 6). Yes, you can hack a pacemaker (and other medical devices too). Forbes. Retrieved from http://www.forbes.com/sites/singularity/2012/12/06/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too/#5ab6b78313e0

Internet of Things (IoT) Hall-of-Shame

A collage of various devices that not only can be hacked, but already have been.
As I’ve said before, the “Internet of Things” aka IoT has become the internet of hacks. More and more devices are being internet enabled, but security on the devices isn’t keeping up. Some vulnerabilities are difficult, but many of those that have been in the news seem to stem from either a lack of training or simply not prioritizing software security.

In the grand tradition of my SQLi Hall-of-Shame, I’ve decided to start creating a list of IoT hacks that have hit the press. The list is small but will surely grow. Please let me know if you’re aware of publicized hacks on IoT devices. If this doesn’t scare you then you’re not thinking about it enough. You should be running screaming to empty your bank account, buy an old pre-70s car, and smash your phones, thermostats, and other electronic devices.

I know the answer to this isn’t easy, but I’m hoping that at least you’ll spend more time thinking about it than you have. So take a look, and let me know in the comments, twitter, email, etc. when you hear about new ones I haven’t covered. You can view it at the IoT Hall-of-Shame.

IoT Security Resources

Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development

Platform Embedded Security Technology Revealed: Safeguarding the Future of Computing with Intel Embedded Security and Management Engine

Software Test Attacks to Break Mobile and Embedded Devices

IoT Security – A Contradiction in Terms

A collage of various devices that not only can be hacked, but already have been.

The internet of things aka IoT has become the internet of hacks. More and more devices are being internet enabled. While this makes many aspects of our lives easier, it opens us up to a wide range of cybersecurity problems. From direct control of devices to loss of personal private data to actual control of the networks and computers in our homes and offices, the IoT is creating security risks at a faster rate than it’s fixing them.

Vendors are driven to get items to market fast in order to make money. Along the way security is given short shrift, or all-too-often not even considered. After all, it’s only a light bulb, what’s the worst that could happen? The answer of course is a lot, and probably much more than you think.

Compounding this problem is the fact that consumers simply don’t like doing sysadmin work and maintenance on their hardware. It’s difficult enough to convince people to update their computers and mobile devices. Worse than that are things like keeping routers up-to-date. Way down everyone’s list of things to do is monitoring all the smart devices in the house for CVEs (known vulnerabilities) in the National Vulnerability Database. Hardware manufacturers have to take this into account and put even more care into the security of the software embedded in internet enabled things.

Just for giggles in a scary sort of way, here’s a brief partial list of a few devices that have known hacks available for them. If this doesn’t scare you then you’re not thinking about it enough. You should be running screaming to empty your bank account, buy an old pre-70s car, and smash your phones, thermostats, and other electronic devices.

airbags,
Fitbit health bracelet,
Baby monitors,
VOIP phones,
road signs,
printers,
cctv cameras,
pacemakers,
kettles,
ATM,
USB,
USB-C port,
gas station tank gauges,
cars,
Blu-Ray discs,
light bulbs,
smartwatches,
CD players,
electricity smart meters,
thermostats,
SD cards,
mag stripe readers

Again, this list is only a (very) small subset of things that not only CAN be hacked but already have been. I may have to create an IoT Hall-of-Shame for this stuff to see if we can get better security going.

The scary thing is that many of these aren’t just access to the device itself, or even data from the device (which is already a huge privacy issue) but are gateways to attack other pieces of your network. Read more about the lightbulb and blu-ray hacks above.

Now the answer to all this isn’t easy, but I’m hoping that at least you’ll spend more time thinking about it than you have.

[Update 2015-11-24 – added link to Hall-of-Shame]
FYI – I just finally created a new Hall-of-Shame for IoT – you can view it at the IoT Hall-of-Shame.

Resources:

[Update 2015-11-23 – added resources list]