Medical device vulnerability could let hackers steal Wi-Fi credentials


A vulnerability found in an interaction between a Wi-Fi-enabled battery system and an infusion pump for the delivery of medication could provide bad actors with a method for stealing access to Wi-Fi networks used by healthcare organizations, according to Boston-based security firm Rapid7.

The most serious issue involves Baxter International’s SIGMA Spectrum infusion pump and its associated Wi-Fi battery system, Rapid7 reported this week. The attack requires physical access to the infusion pump. The root of the problem is that the Spectrum battery units store Wi-Fi credential information on the device in non-volatile memory, which means that a bad actor could simply purchase a battery unit, connect it to the infusion pump, and quickly turn it on and off again to force the infusion pump to write Wi-Fi credentials to the battery’s memory.


CVE-2020-10735


A flaw was found in Python. Converting a string to an integer with int("text") in a non-power-of-two base uses an algorithm with quadratic time complexity, so a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for the power-of-two bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.
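As an added example (not from the advisory or from CPython itself), the two checks a defender wants here: refusing oversized base-10 digit strings before int() is ever called, and probing whether the running interpreter carries the upstream fix, the sys.set_int_max_str_digits digit limit, which leaves power-of-two bases unlimited. MAX_UNTRUSTED_DIGITS and the function names are assumptions for this example.

```python
import sys

# Digit count above which untrusted base-10 text is rejected before int() runs.
# The value is an assumption for this example; CPython's post-fix default is 4300.
MAX_UNTRUSTED_DIGITS = 1000


def safe_int(text: str, max_digits: int = MAX_UNTRUSTED_DIGITS) -> int:
    """Parse base-10 integer text from an untrusted source.

    The length check is linear and runs before int(), so an attacker-supplied
    million-digit string is refused instead of costing seconds of CPU.
    """
    s = text.strip()
    body = s[1:] if s[:1] in ("+", "-") else s
    digits = body.replace("_", "")  # int() accepts single underscores between digits
    if len(digits) > max_digits:
        raise ValueError(f"refusing {len(digits)}-digit input (limit {max_digits})")
    return int(s)


def interpreter_limit_active() -> bool:
    """True when this CPython carries the upstream fix (sys.set_int_max_str_digits)."""
    return hasattr(sys, "set_int_max_str_digits")


def interpreter_rejects(n_digits: int, base: int = 10, limit: int = 2000) -> bool:
    """Report whether the interpreter-wide limit stops int() on an n_digits string.

    Returns False on interpreters without the fix (the conversion simply runs),
    and False for power-of-two bases, whose linear-time conversion is not limited.
    """
    if not interpreter_limit_active():
        return False
    old = sys.get_int_max_str_digits()
    sys.set_int_max_str_digits(limit)  # minimum allowed is 640; 0 disables the check
    try:
        int("7" * n_digits, base)
        return False
    except ValueError:
        return True
    finally:
        sys.set_int_max_str_digits(old)


if __name__ == "__main__":
    print(safe_int(" 1_234 "))                 # 1234
    print(interpreter_rejects(5000))           # True on patched Pythons
    print(interpreter_rejects(5000, base=16))  # False: hex parsing is not affected
```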


Responsible Disclosure for Cryptocurrency Security


Stewart Baker discusses why the industry-norm responsible disclosure for software vulnerabilities fails for cryptocurrency software.

Why can’t the cryptocurrency industry solve the problem the way the software and hardware industries do, by patching and updating security as flaws are found? Two reasons: First, many customers don’t have an ongoing relationship with the hardware and software providers that protect their funds—nor do they have an incentive to update security on a regular basis. Turning to a new security provider or using updated software creates risks; leaving everything the way it was feels safer. So users won’t be rushing to pay for and install new security patches.

Second, cryptocurrency is famously and deliberately decentralized, anonymized, and low friction. That means that the company responsible for hardware or software security may have no way to identify who used its product, or to get the patch to those users. It also means that many wallets with security flaws will be publicly accessible, protected only by an elaborate password. Once word of the flaw leaks, the password can be reverse engineered by anyone, and the legitimate owners are likely to find themselves in a race to move their assets before the thieves do. Even in the software industry, hackers routinely reverse engineer Microsoft’s patches to find the security flaws they fix and then try to exploit them before the patches have been fully installed.

He doesn’t have any good ideas to fix this. I don’t either. Just add it to the pile of blockchain’s many problems.


Transacting in Person with Strangers from the Internet


Communities like Craigslist, OfferUp, Facebook Marketplace and others are great for finding low- or no-cost stuff that one can pick up directly from a nearby seller, and for getting rid of useful things that don’t deserve to end up in a landfill. But when dealing with strangers from the Internet, there is always a risk that the person you’ve agreed to meet has other intentions.

Nearly all U.S. states now have designated safe trading stations — mostly at local police departments — which ensure that all transactions are handled in plain view of both the authorities and security cameras.

These safe trading places exist because sometimes in-person transactions from the Internet don’t end well for one or more parties involved. The website Craigslistkillers has catalogued news links for at least 132 murders linked to Craigslist transactions since 2015. Many of these killings involved high-priced items like automobiles and consumer electronics, where the prospective buyer apparently intended all along to kill the owner and steal the item offered for sale. Others were motivated simply by a desire to hurt people.

This is not to say that using Craigslist is uniquely risky or dangerous; I’m sure the vast majority of transactions generated by the site end amicably and without physical violence. And that probably holds true for all of Craigslist’s competitors.

Still, the risk of a deal going badly when one meets total strangers from the Internet is not zero, and so it’s only sensible to take a few simple precautions. For example, choosing to transact at a designated safe place such as a police station dramatically reduces the likelihood that anyone wishing you harm would even show up.

I recently stumbled upon one of these designated exchange places by accident, hence my interest in learning more about them. The one I encountered was at a Virginia county sheriff’s office, and it has two parking spots reserved with a sign that reads, “Internet Purchase & Exchange Location: This Area is Under 24 Hour Video Surveillance” [image above].

According to the list maintained at Safetradestations.com, there are four other such designated locations in Northern Virginia. And it appears most states now have them in at least some major cities. Safeexchangepoint.com also has a searchable index of safe trading locations in the United States and Canada.

Granted, not everyone is going to live close to one of these designated trading stations. Or maybe what you want to buy, sell or trade you’d rather not have recorded in front of police cameras. Either way, here are a few tips on staying safe while transacting in real life with strangers from the Internet (compliments of the aforementioned safe trading websites).

The safest exchange points are easily accessible and in a well-lit, public place where transactions are visible to others nearby. Try to arrange a meeting time that is during daylight hours, and consider bringing a friend along — especially when dealing with high-value items like laptops and smart phones.

Safeexchangepoint.com also advises that police or merchants that host their own exchange locations generally won’t get involved in the details of your transaction unless specified otherwise, and that many police departments (but not all) are willing to check the serial number of an item for sale to make sure it’s not known to be stolen property.

Of course, it’s not always practical or possible to haul that old sofa to the local police department, or a used car that isn’t working. In those situations, safetradestations.com has some decent suggestions:

Meet at a police station where you can exchange and photocopy each others’ identification papers, such as a driver’s license. Do NOT carry cash to this location.
Photocopy the license or identification paper, or use your phone to photograph it.
Email the ID information to a friend, or to someone trusted (not to yourself).
If you’re selling at home, or going to someone’s home, never be outnumbered. If you’re at home, make sure you have two or three people there — and tell the person who is coming that you will have others with you.
At home or an apartment, NEVER let someone go anywhere unaccompanied. Always make sure they are escorted.
Never let more than one group come to your home at one time to buy or sell.
Beware of common scams, like checks for an amount higher than the amount of the deal; “cashier’s checks” that are forged and presented when the bank is closed.
If you are given a cashier’s check, money order or other equivalent, call the bank — at the number listed online, not a number the buyer gives you — to verify the validity of the check.


Cybersecurity Snapshot: 6 Things That Matter Right Now


Topics that are top of mind for the week ending Sept. 9 | Software supply chain security in the spotlight. Guidance for evaluating IoT security tools. Increasing diversity in cybersecurity. Another look at the major cloud security threats. And much more!

U.S. government stresses software supply chain security

Developers got concrete guidance and specific recommendations for protecting their software supply chains via a 64-page document from the U.S. government.

This new guide reflects lessons learned from recent major supply chain attacks, like the one against SolarWinds, and from the discovery of the Log4Shell vulnerability.

Attackers are increasingly targeting software development environments, commonly used frameworks and widely adopted libraries in order to compromise components of otherwise legitimate applications that are then distributed through trusted channels to customers.

Published by the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Office of the Director of National Intelligence, the document groups its recommendations into five main categories:

Secure product criteria and management, including:

Creating threat models of the products while in development and of their critical components
Defining and implementing security test plans
Establishing how vulnerabilities in the product will be handled throughout its lifecycle

Develop secure code, following principles like:

Least privilege
Fail-safe defaults
Open design

Verify third-party components through practices including:

Vulnerability analysis
Secure composition analysis
Source code evaluation

Harden the build environment with steps like:

Lock down and monitor for data leakage all systems that interact with the dev and build processes
Use version control for pipeline configurations
Make sure all systems use multi-factor authentication

Deliver code safely through practices like:

Scan binaries with software composition analysis tools to ensure the integrity of the final build and create a software bill of materials (SBOM)
After receiving the build from the vendor, customers can perform their own scanning to ensure its safety and integrity

Alongside the guidance from these U.S. agencies, the Open Source Security Foundation released a best practice guide for securing npm, the largest package ecosystem that undergirds countless software projects.

(Claire Tills, senior research engineer with Tenable’s Security Response Team, contributed to this item.)

For more information:

Video: “Using CNCF Best Practices for Software Supply Chain” (Cloud Native Computing Foundation – CNCF)
Software Supply Chain Best Practices (CNCF)
Software Supply Chain Security Guidance (National Institute of Standards and Technology)
The Open Source Software Security Mobilization Plan (The Linux Foundation and The Open Source Security Foundation)

Guidance for testing IoT security products

The Anti-Malware Testing Standards Organization (AMTSO) has released a guide for helping security teams test and benchmark IoT security products, an area the non-profit group says is still in its infancy.

In providing its recommendations after gathering input from testers and vendors, the AMTSO noted that there are particular challenges involved in testing IoT security wares because these products:

Protect a wide variety of smart devices both for home and work, which complicates the setup of a test environment
Are used in smart devices that overwhelmingly run on Linux, so testers must use specific threat samples for their evaluations

The document focuses on areas including sample selection, determination of detection, test environments, specific security functionality assessment and performance benchmarking.

For more information:

IoT Security Acquisition Guidance (CISA)
Ten best practices for securing IoT in your organization (ZDNet)
4 advanced IoT security best practices to boost your defense (TechTarget)
Secure IoT best practice guidelines (IoT Security Foundation)
NIST cybersecurity for IoT program (NIST)

Consumer protection agency to businesses: Failure to protect customer data is illegal

Here’s yet another reminder to businesses that they can get into legal hot water if they don’t properly secure sensitive customer data.

The U.S. Consumer Financial Protection Bureau (CFPB) has issued a formal circular addressing this specific question:

“Can entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?”

Answer: Yes.

So what could be considered “insufficient” protection for this data? For example, organizations that lack:

Multi-factor authentication to protect access to the accounts of employees and customers
Adequate password management policies and practices
Timely patching of the software products they use

New efforts to increase diversity in cybersecurity

A couple of new initiatives are seeking to increase the number of women and of African American professionals working in cybersecurity.

The National Cybersecurity Alliance (NCA), a non-profit that promotes cybersecurity education and awareness, launched the Historically Black Colleges and Universities Career Program, in partnership with top HBCUs and cybersecurity organizations.

The NCA noted in its announcement that currently only 9% of cybersecurity professionals identify as black, and that there are about 715,000 unfilled cybersecurity roles in the U.S.

Meanwhile, a group of about 90 women working in leadership positions in cybersecurity formed The Forte Group, an advocacy and education non-profit whose mission is supporting current and future female leaders in cybersecurity.

For more information:

4 Barriers to Diversity in Cybersecurity and How to Address Them (Society of Women Engineers)
The defensive power of diversity in cybersecurity (TechCrunch)
Making Space for Diversity in Cybersecurity (Ms. Magazine)
Diversity, Equity, and Inclusion in Cybersecurity (Aspen Institute)

Revisiting the CSA’s top cloud security threats

The Cloud Security Alliance published its “Top Threats to Cloud Computing” report earlier this summer, and every month it zooms in on each threat on its blog. So, as we prepare to welcome the fall, we thought it’d be good to refresh our memory and take another look at this list, which the CSA dubbed “the pandemic eleven.”

Insufficient identity, credentials, access and key management
Insecure interfaces and APIs
Misconfiguration and inadequate change control
Lack of cloud security architecture and strategy
Insecure software development
Unsecured third-party resources
System vulnerabilities
Accidental cloud data disclosure
Misconfiguration and exploitation of serverless and container workloads
Organized crime/hackers/APT
Cloud storage data exfiltration

You can check out the blogs about the first three threats here, here and here.

For more information:

Video: “Cloud Security for Dummies” (SANS Institute)
Cloud security in 2022: A business guide to essential tools and best practices (ZDNet)
Video: “Cloud Security for Beginners: Part 1 and Part 2” (SANS Institute)
The cloud security principles (U.K. National Cyber Security Centre)

Quick takes

Check out this roundup of important vulnerabilities, trends, news and incidents.

The Los Angeles Unified School District, the second-largest school district in the U.S., was hit by a ransomware attack that gained national attention. On the same day, the U.S. government issued an advisory about the targeting of educational institutions by the Vice Society ransomware group. It’s not yet known which attacker hit the Los Angeles school district.

QNAP patched a zero-day vulnerability in some of its network attached storage (NAS) devices that had been exploited by the DeadBolt ransomware group, which has targeted QNAP several times this year.

The hacking group AgainstTheWest claimed it stole 2 billion records with data on TikTok and WeChat users from an Alibaba database, but TikTok countered that the data sampled is publicly available and that its systems weren’t breached. In related news, Microsoft said it discovered a now-fixed vulnerability in the TikTok Android app that could lead to account hijacking.

Google rushed out an emergency patch for the sixth zero-day vulnerability in Chrome so far this year. Users are advised to install the update immediately.

Montenegro was hit by a large-scale ransomware attack that prompted the U.S. embassy in the Balkan country to warn American citizens living there about disruptions to critical services, as a team from the U.S. Federal Bureau of Investigation flew in to help with the investigation.
