Category Archives: CyberSecurity


Drug Pump’s Security Flaw Lets Hackers Raise Dose Limits

Category : CyberSecurity

The Hospira PCA3 Drug Infusion Pump suffers from a number of remotely exploitable vulnerabilities. The manufacturer has been notified of critical and serious design failures that leave the device insecure.

The pumps communicate with MedNet “safety software,” a Windows-based operating system designed by Hospira that gets installed on a hospital server to send drug library updates to the pumps. The updates are processed by a communication module built into each pump. The pumps operate in listening mode so that new drug libraries and updates to existing ones can be pushed out to them as needed. To achieve this, the pumps listen on four ports—port 23 (for telnet communication), port 80 (for normal http traffic), port 443 (for https traffic) and port 5000 (for UPnP). The pumps can also use their own WiFi connection for communication.

Hospira systems don’t use authentication for their internal drug libraries, which help set upper and lower boundaries for the dosages of various intravenous drugs that a pump can safely administer. As a result, anyone on the hospital’s network—including a patient in the hospital or a hacker accessing the pumps over the internet—can load a new drug library to the pumps that alters the limits, thereby potentially allowing the delivery of a deadly dosage.

Exploitation of the improper authorization vulnerability may allow unauthenticated users to access the LifeCare PCA Infusion pump with root privileges by default. Exploitation of the insufficient verification of data authenticity vulnerability may allow an attacker to remotely push unauthorized modifications to the LifeCare PCA Infusion pump impacting medication libraries and pump configuration. While drug libraries, software updates, and pump configurations can be modified, according to Hospira, it is not possible to remotely operate the LifeCare PCA Infusion pump. Operation of the LifeCare PCA Infusion pump requires a clinician to be present at the pump to manually program the pump with a specified dosage before medication can be administered.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

Article: Hextechsecurity

Article: Wired



Google’s Password Alert Feature Flaw Fixed; Another Flaw Found

Category : CyberSecurity

Last week, Google introduced a new feature in its Chrome browser that aims to help protect users from phishing attacks and from the security mistake of using their Google password for multiple sites. Password Alert warns users when they have entered their Google password into a non-Google site. Shortly after the feature debuted, an exploit to circumvent it was released. Google has since addressed that issue, but there are reports that the update has its own security issue.

Article: CNET


Can Macs get viruses and malware?

Category : CyberSafety , CyberSecurity

“Mac OS X software has more high-risk vulnerabilities than all versions of Windows put together,” explains Bogdan, “Apple markets these products as virus-free. They say you don’t need an antivirus, because they know people hate antivirus software. These utilities often slow down your computer, so they don’t want to promote them.”

“We have discovered and registered more than 48 million new unique malware samples this year alone, but more than 98% have been written for the Windows platform,” says Andreas Marx, AV-Test CEO, “Less than 5,000 new viruses were written for Mac OS X, but these kinds of malicious software do exist.”

“It’s going to cost the hacker more to build Mac OS X malware than Windows-based malware,” says Bogdan.

The reputation Mac OS X has for security is also not entirely undeserved. Mac OS X does have built-in safety mechanisms. You don’t have root privileges over the machine, you have to enter your password to reconfigure the system, and there’s a gatekeeper sub-system that doesn’t allow you to install files unless they are digitally signed by Apple. Of course, none of that means you can’t write malware for Mac OS X.

Article: Digital Trends

Note from Innovice-IT B.V.

Santa is a binary whitelisting/blacklisting system for Mac OS X. It consists of a kernel extension that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.

Santa is not yet a 1.0. We’re writing more tests, fixing bugs, working on TODOs and finishing up a security audit.

Santa is named because it keeps track of binaries that are naughty and nice.
Santa is a project of Google’s Macintosh Operations Team.

For more information about Santa, please contact us!


eBay year-long patch stall a little XSSive, researcher says

Session jacking bug bores bug bounty boffins

Clarified Security researcher Jaanus Kääp has disclosed a year-old cross-site scripting (XSS) bug in eBay’s messaging service that lets attackers target victims through messages.

The researcher says he reported the XSS three times over more than a year and is surprised that the bug, which he describes as dangerous, had still not been fixed at the time of writing.

His XSS could allow attackers to steal sessions to impersonate users and send seemingly any malicious payload through messages.

The disclosure is a departure from Kääp’s regular wait-till-patch procedure but is in line with the prevailing practice of dropping bugs publicly when vendors go quiet.

After three months the regular penetration tester pinged eBay about what should have been a quick fix. He says he received boilerplate non-answers for each of the three inquiries leading up to the full disclosure.

Article: The Register


SHA-1 crypto hash retirement fraught with problems

Category : CyberSafety , CyberSecurity

Bumbling duffers using WinXP and old Android releases aren’t helping

The road towards phasing out the ageing SHA-1 crypto hash function is likely to be littered with potholes, security experts warn.

SHA-1 is a hashing (one-way) function that converts information into a shortened “message digest”, from which it is impossible to recover the original information. This hashing technique is used in digital signatures, in verifying that the contents of software downloads have not been tampered with, and in many other cryptographic applications.

The SHA-1 protocol – published in 1995 – is showing its age and is no longer safe from collision attacks, in which two different blocks of input data produce the same output hash. This is terminal for a hashing protocol, because it paves the way for hackers to offer manipulated content that carries the same hash value as pukka packets of data.

Certificate bodies and others are beginning to move on from SHA-1 to its replacement, SHA-2. Microsoft announced its intent to deprecate SHA-1 in Nov 2013.

More recently, Google joined the push with a decision to make changes in the latest version of its browser, Chrome version 42, so that SHA-1 certificates are flagged up as potentially insecure.

Article: The Register


App makers, you’re STILL doing security wrong

Category : CyberSecurity

Microsoftie Troy Hunt unpicks privacy invasion and unencrypted passwords

Security expert Troy Hunt has taken a look at what mobile apps collect to send home to their owners, and isn’t impressed: even PayPal is still addicted to invasive habits, he says.

Looking at PayPal and two Australian apps – a small sample, admittedly, but we’ll get to this shortly – the prominent Microsoft security researcher concludes that app-makers are doing it so badly that “perhaps I should just stick to the browser that doesn’t leak this class of data yet one would assume is still sufficiently secure”.

The accumulation of stuff that went with the generic permissions you have to approve just to get a mobile app to work included:

  • BSSID – the device ID of Hunt’s home router, a pointless piece of data-hoovering;
  • Device – both model and the individual name given to the device, like “Troy Hunt’s iPhone”, are sent upstream;
  • Internal IP address – which Hunt points out can yield at least some information about the network, like indicating how many devices are on it;
  • Location – latitude and longitude, which Vulture South notes can be subverted by disabling location services, but most people aren’t paying that close attention;
  • SSID, and storage space – as Hunt says of the latter, “do they [PayPal] really need to know that?”

In the case of groceries shopping app Aussie Farmers Direct, his sniffing of his own traffic – no hacking involved, merely running the iPhone traffic through Fiddler – showed that the data sent to ad partner Gomeeki included first name, last name, home address, latitude and longitude.

Not only does Hunt argue that sending this data to a third party is “way too invasive”, but “the data is sent in the clear” over an ordinary HTTP connection.

It’s quite likely that Aussie Farmers Direct doesn’t know this is happening: it just plonked the ad network’s hooks into its app. Hunt also noted that Gomeeki doesn’t support encryption anyhow: “the site is simply not meant to be loaded over HTTPS”.

Article: The Register


WordPress and Plugins Patched Against Cross-Site Scripting Attacks

Category : CyberSecurity

WordPress pushed out an updated version of its content management system to address four security issues, including two flaws that could be exploited through cross-site scripting attacks. Patches are also available for seventeen WordPress plugins with vulnerabilities that could be exploited through cross-site scripting attacks. The problems are due to the misuse of a pair of programming functions that modify or add query strings to URLs. Administrators are urged to apply the updates as soon as possible.

Innovice-IT B.V. has a very good service to help you protect your WordPress website against malware. Please visit: secure or contact us via our contact details.

Article: e-week


Detecting NSA Quantum Insert Attacks

Category : CyberSecurity

Researchers have found a method for detecting NSA Quantum Insert attacks. Open source tools can “detect duplicate sequence numbers of HTTP packets with different data sizes,” which signals these attacks.

Article: Wired
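The duplicate-sequence-number heuristic quoted above, worked through on constructed packet records as an added example (not code from the Wired article or from the researchers' tools). It goes slightly beyond the quote: it flags any two segments of one flow that share a sequence number but carry different payload bytes, which covers the different-size case and also a same-size substitution, while a plain retransmission (identical bytes) is ignored.

```python
"""Flag TCP segments that share a sequence number but carry different payloads.

Added example, not from the original article. Flow labels and packets below
are constructed; the IP addresses are RFC 5737 documentation addresses."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Minimal view of one TCP segment in one direction of a flow."""
    flow: str       # constructed label "src:port->dst:port" (server -> client)
    seq: int        # TCP sequence number
    payload: bytes  # TCP payload (HTTP response bytes)


def find_racing_segments(segments):
    """Group segments by (flow, seq) and report groups whose payloads differ.

    A retransmission repeats the same bytes at the same sequence number and is
    not reported; two different payloads racing for one sequence number is the
    signal described by the researchers."""
    by_key = defaultdict(list)
    for s in segments:
        by_key[(s.flow, s.seq)].append(s.payload)
    alerts = []
    for (flow, seq), payloads in by_key.items():
        distinct = set(payloads)
        if len(distinct) > 1:
            alerts.append({"flow": flow, "seq": seq, "count": len(payloads),
                           "sizes": sorted(len(p) for p in distinct)})
    return alerts


# Constructed sample: one benign retransmission, then a race on a second flow.
SAMPLE = [
    Segment("198.51.100.10:80->192.0.2.7:51000", 1000,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Segment("198.51.100.10:80->192.0.2.7:51000", 1000,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),  # retransmit
    Segment("198.51.100.10:80->192.0.2.7:51001", 5000,
            b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n\r\n"),
    Segment("198.51.100.10:80->192.0.2.7:51001", 5000,
            b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nreal content"),
]

if __name__ == "__main__":
    for a in find_racing_segments(SAMPLE):
        print(f"ALERT {a['flow']} seq={a['seq']} payload sizes={a['sizes']}")
```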


Many eCommerce Sites Have Not Yet Patched Magento Flaw

Category : CyberSecurity

Attackers are actively exploiting a vulnerability in a widely-used content management system for online shopping sites. The flaw lies in Magento and a patch was released in February, but more than 98,000 sites remain vulnerable. The attacks in the wild give the attackers full control of the sites.

Article: Ars Technica


Unclassified e-mails from Obama to staff read by Russian hackers

Category : CyberSecurity

Hackers didn’t breach classified servers, but the close call chilled staffers.

The White House’s classified network, on which message traffic from President Obama’s Blackberry is kept, was not breached, but e-mails he sent to the unclassified network from that device (as well as e-mails sent from that network to him) were obtained. The White House discovered the breach in October 2014 and partially shut down the unclassified e-mail system until the end of the month when system administrators were sure that the hackers no longer had access to the system.

Around the same time, the less-secure unclassified network supporting the State Department also experienced a breach, the Times wrote. “The disruptions were so severe that during the Iranian nuclear negotiations in Vienna in November, officials needed to distribute personal e-mail accounts, to one another and to some reporters, to maintain contact.”

Obama has been adamant about keeping his Blackberry throughout his term of office, although the hack has renewed the debate over whether the president should be able to use e-mail at all (George W. Bush abstained from e-mail entirely). Internal sources say the frequency of his e-mails to staffers has fallen off in the last six months.

Article: Ars Technica

