Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for July 2019

Insulin Pumps Recalled By FDA For Cybersecurity Risks

Insulin Pumps Recalled By FDA For Cybersecurity Risks

The U.S. Food and Drug Administration (FDA) is warning patients and healthcare providers that some insulin pumps carry cybersecurity risks. 

In an alert published on June 27 2019, the FDA said that certain Medtronic MiniMed™ insulin pumps carry potential cybersecurity risks and that patients with diabetes using these models should switch their insulin pump to other models. 

The alert says: “The FDA has become aware that an unauthorized person (someone other than a patient, patient caregiver, or health care provider) could potentially connect wirelessly to a nearby MiniMed insulin pump with cybersecurity vulnerabilities." The alert goes onto say that a person could change a pump’s settings to either "over-deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis.” Both are life-threatening.

According to the FDA website, Medtronic cannot update the MiniMed™ 508 and Paradigm™ insulin pump models to address these potential cybersecurity risks, meaning that patients are advised to replace affected pumps with models that are better equipped to protect them from these risks. 

Medtronic was founded in 1949 as a medical equipment repair shop, which evantually went on to create a wearable, battery-powered cardiac pacemaker. The company is recalling the following affected MiniMed pumps and providing alternative insulin pumps to patients:

  • MiniMed™ 508, All versions
  • MiniMed™ Paradigm™ 511, All versions
  • MiniMed™ Paradigm™ 512/712, All versions
  • MiniMed™ Paradigm™ 515/715, All versions
  • MiniMed™ Paradigm™ 522/722, All versions
  • MiniMed™ Paradigm™ 522K/722K, All versions
  • MiniMed™ Paradigm™ 523/723, Version 2.4A or lower
  • MiniMed™ Paradigm™ 523K/723K, Version 2.4A or lower
  • MiniMed™ Paradigm™ 712E*, All versions
  • MiniMed™ Paradigm™ Veo 554CM/754CM*, Version 2.7A or lower
  • MiniMed™ Paradigm™ Veo 554/754*, Version 2.6A or lower

This recall follows a report made by Siemplify last week that found that healthcare companies lacked maturity when it came to cybersecurity. The report was based on a survey of more than 250 security operations practitioners working at enterprises and managed security service providers (MSSPs).
 
To date, the FDA is not aware of any reports of patient harm related to these potential cybersecurity risks. 

*Denotes patients are affected outside of the US. 

Source: Information Security Magazine

Vulnerability in Cirque Du Soleil Show App

Vulnerability in Cirque Du Soleil Show App

June 30th was the closing night for the Cirque du Soleil show Toruk – The First Flight in London, which ESET researchers said is good news for fans who used the show’s corresponding mobile app, as it reportedly lacked security and made mobile phones vulnerable. 

According to Lukáš Štefanko, the ESET security researcher who analyzed the app, also named “TORUK – The First Flight,” those who connected to the network during the show could have gained admin access to the app, which was designed so that audiences could engage with the show via audiovisual effects generated on their mobile devices.

“It appears that the TORUK app wasn’t designed with security in mind. As a result, anyone who was connected to the network during the show had the same admin possibilities as the Cirque du Soleil operators,” explained Štefanko. The app, which is no longer being marketed now that the show has concluded, was installed on Google Play over 100,000 times, and there is also a version for iOS. Cirque du Soleil’s staff did reportedly tell ESET that they would pull it from both the Android and Apple official app stores.

Because the app had no authentication protocol, Štefanko said that an adversary could scan the network and get the IP addresses of devices with the defined port 6161 opened. An attacker could then send commands to all devices running the app, explained Štefanko, a vulnerability which he said could have been avoided quite easily.

“If the app generated a unique token for each device, then it would be impossible to access all the devices en masse, without any authentication. After the show, all the devices with this app installed remain vulnerable, so its users may experience unpleasant surprises at any point in the future if they are connected to a public network.”

“Those who installed this app should uninstall it immediately. By the way, we highly recommend doing that with all single-purpose apps,” said Štefanko. 

Source: Information Security Magazine

Financial Industry Hit By Surging Numbers of Cyber-Incidents

Financial Industry Hit By Surging Numbers of Cyber-Incidents

Financial services companies in the UK were hit by 819 cyber-incidents, which were reported to the Financial Conduct Authority in 2018. According to a freedom of information (FOI) request made by accountancy firm RSM, the data showed that there had been a huge rise from the previous year, with 69 reported in 2017.

Retail banks were hit the hardest and had the highest number of reports (486), which is almost 60% of the total. This was followed by wholesale financial markets on 115 reports and retail investment firms on 53.

The majority of reports found that the root causes of the incidents were attributed to third-party failure (21%). Hardware and software issues followed (19%) and change management (18%). The information also shows that there were 93 cyber-attacks in 2018 reported to the FCA, with over half of them identified as phishing attacks, and 20% ransomware. 

Steve Snaith, a technology risk assurance partner at RSM, believed that this surge is probably linked to more proactive reporting to the FCA, but worries that there are still many more non-disclosed incidents: “We suspect that there is still a high level of under-reporting and failure to immediately report to the FCA a significant attempted fraud against a firm via cyber-attack could expose the firm to sanctions and penalties.

“As the FCA has previously pointed out, eliminating the threat of cyber-attacks is all but impossible,” he continued. “While the financial services sector emerged relatively unscathed from recent well-publicised attacks such as NotPetya, the sector should be wary of complacency given the inherent risk of cyber-attacks that it faces.”

In 2019, Metro Bank became the first major retail bank to fall victim to the SS7 exploit, which showed momentum continued into the next year. Hackers were able to intercept an additional layer of security offered by Metro Bank, which asks customers to type in a code sent by text message to their phones to confirm transfers and payments.

Snaith also pointed out that some of the incidents were down to human error or IT environments being mismanaged: “The requirements for Privacy Impact Assessments as a formal requirement of GDPR/DPA2018 should hopefully drive a greater level of governance in this area.”

Nigel Hawthorn, data privacy expert at McAfee, commented: “Financial institutions must find the right combination of people, process and technology to effectively protect themselves from attacks and human error, detect any threats as soon as they appear and, if targeted, rapidly correct systems. This means redoubling efforts in training and managing user activities to quickly detect any unusual activity which may signal an attack as well as protecting against accidental errors from staff or partners. With the prospect of damaged customer trust and fines from the FCA or ICO looming as the result of a data breach, the stakes have never been higher.”

Source: Information Security Magazine

Dubai Bank Invokes Shaggy in Awareness Video

Dubai Bank Invokes Shaggy in Awareness Video

Shaggy’s chart-topping hit from 2000, “It Wasn’t Me,” has made a comeback. Emirates NBD, a bank in Dubai, in conjunction with the Dubai Police, adapted the lyrics and produced a video rendition as part of a cybersecurity awareness campaign. 

Set to the song’s tune, the video conveys a conversation between the bank’s customer service department and a scam victim who asks, “How could I be so clumsy and click on that dubious link?”

“I love the sheer unexpectedness of their creativity,” said Perry Carpenter, chief security strategist at KnowBe4. “A campaign like this works because they are leveraging multiple tactics simultaneously. From a format that cuts past the doldrums of ‘talking head’ style videos, to the way they leverage music, story, and imagery – along with humor – as effective Trojan Horses for the Mind, the creators demonstrated a masterful understanding of how to grab attention and embed a meaningful message.”

As a word of caution to practitioners, Carpenter said that relying on a single ‘flavor’ of content can be ineffective. “Like any flavor, not everyone will like it or respond to it, and that’s not a problem as long as the creators account for that fact. Working across a variety of flavors and formats can help drive any message home to a wider audience.”

However, security awareness practitioners have long encouraged the use of creativity and humor in awareness and training campaigns, according to Lisa Plaggemier, chief security evangelist at InfoSec Institute

“I’ve heard plenty of security professionals and thought leaders in training and awareness question the legitimacy and efficacy of using humor to communicate about security. Many of them advise against it. When I see a spot as well-made as this one from the Dubai Police, I just don’t understand that perspective,” Plaggemier said.

The use of humor in advertising is more nuanced than a hard ‘yes’ or ‘no’. “It’s highly dependent on context (like existing perception of the issue), the type of humor (satire, slapstick, etc.),or the demographics of the audience,” Plaggemier said. 

“Humor is very effective for getting attention, it can help a campaign go viral, and it can positively affect retention. As a training and awareness lead, I had great success using humorous videos to get security content in front of people that wouldn’t otherwise engage with security messaging. The Dubai Police video is so good, I showed it to my kids and their friends. I clearly couldn’t have gotten them to watch a security video with less entertainment value. I’ve watched it three times and I’m still chuckling.”

Source: Information Security Magazine

Nearly 20% of UK Children Exposed to Self-Harm Images Online

Nearly 20% of UK Children Exposed to Self-Harm Images Online

Primary school-aged children have seen content online which encouraged them to hurt themselves, according to the NSPCC

In its latest report, How safe are our children? 2019: an overview of data on child abuse online, the children's charity interviewed children across the UK as part of its sixth annual report on the subject of staying safe online. The research found that 16% of primary school children and 19% of secondary school-aged students had seen content which encouraged self-harm. 

Secondary school students also reported that they see sexual content (16%) in reviews of the “most popular social networks, apps and games,” as well as seeing (31%) worrying or nasty online content. 

“Right now, internet companies are a black box that nobody on the outside world is allowed to open,” writes Peter Wanless, chief executive of the NSPCC. “Many don’t publish any details about the scale and scope of the dangers children have been facing on their platforms. 

“Despite calls for openness, they stay silent.”

The report shows that there has been a year-on-year increase in the numbers and rates of police-recorded online child sexual offences in England, Wales and Northern Ireland, with increases in police-recorded offences of obscene publications or indecent photos in all four UK nations over the last five years. Further, there have been increases in the number of URLs containing child sexual abuse imagery since 2015. 

This year, Libby, 16, spoke to the BBC about how she used social media channels to promote her self-harming. Her father, Ian, told the BBC that images were reported to Instagram, but the social media company did nothing. The NSPCC report found that the majority of parents, carers and members of the public believe that social networks should have a legal responsibility to keep children safe on their platforms.

Wanless agrees: “We are seeking a convincing demonstration of a duty of care to young users, so the internet can genuinely be a place that benefits us all. Nothing will concentrate minds better than effective sanctions for the tech giants who fail to take reasonable steps to protect our children. 

“These companies make vast sums of money every year and the penalties need to be proportionate. Named directors need to be liable for their actions and inactions,” he continues. "In other industries like financial services this is now accepted practice in terms of expecting and enforcing responsible corporate behaviour."

NSPCC's research also found that young children were being exposed to sexual images online, sometimes being preyed upon by adults: 21% of surveyed girls aged 11 to 18 said they had received a request for a sexual image or message, with 5% saying they had been sent or shown a naked or semi-naked picture or video from an adult. Also, 4% of primary school children had been sent or shown such an image. Most shockingly, 2% of surveyed primary and secondary school children said they had sent a naked or semi-naked picture or video to an adult.

Source: Information Security Magazine