
Tag: malfunction

Every year, Kaspersky Lab's experts look at the main cyberthreats facing connected businesses over the coming 12 months, based on the trends seen during the year.

For 2018, we decided to extract some top predictions that also have big implications for everyday connected life.
Casino had apologized "for any inconvenience this may have caused."
No other Flex 2 devices have reportedly had this problem.
Lawsuit began with G4, V10.
It now covers every flagship LG phone from 2015 to 2016.
Twice the normal volume of 911 calls came into the system early Saturday morning.
Australian funnel-web spider venom peptide protected rats’ brains hours after stroke.
A St. Jude Medical cardiac defibrillator implant like the ones MedSec claimed to have found vulnerabilities in. (Image: St. Jude Medical)

Trading in the stock of medical device manufacturer St. Jude Medical was halted Friday afternoon after a dramatic drop in its value.

That drop was triggered by news of alleged vulnerabilities in the company's cardiac care devices.

The vulnerability was disclosed not in a report by the company but by security researchers partnered with Muddy Waters Capital, an investment firm that had "shorted" St. Jude's stock on the information in order to profit from a drop in the stock's value. The researchers at the security firm MedSec chose to take this route to disclosure, MedSec CEO Justine Bone said, to "ensure that St. Jude Medical responds appropriately and with urgency." The partnership with a short seller is a fundamental departure from the established approach of responsible disclosure normally taken by researchers.

But it also represents an approach that bypasses the sort of legal maneuverings and threats, suppression of information, and inaction that have been experienced by researchers who have discovered vulnerabilities in other products. Researchers who discovered a vulnerability in Volkswagen electronic engine locks, for example, were forced to withhold a paper for two years through a court injunction filed by the automaker in 2012.

Muddy Waters issued a report on Thursday claiming that it had demonstrated "two types of cyber attacks against STJ implantable cardiac devices: a 'crash' that causes cardiac devices to malfunction... and a battery drain attack that could be particularly harmful to device dependent users." The report claimed that the vulnerabilities had been proven in "multiple demonstrations evidencing how hollow STJ's device security is." In a blog post, Bone said that St. Jude "has stood out as lagging far behind" in addressing vulnerabilities in its products. She continues:

For years [St. Jude Medical] has continued to put patients at risk by profiting from the sale of devices and a device eco-system which has little to no built-in security. We believe St. Jude Medical has known about security problems in their products since at least 2013, but it is apparent from the lack of security protections or mechanisms in their product line that very little action has been taken. In order to help address patient safety, we have chosen to depart from standard cyber security operating procedures in order to bring this to the public's attention and to ensure that St. Jude Medical responds appropriately and with urgency.

The partnership with Muddy Waters was to help the researchers "deliver this message," Bone said. Bone wrote that she believed that it was time "to re-think the way cyber security is managed." She acknowledged that partnering with a short seller would draw criticism, "but we believe this is the only way to spur St. Jude Medical into action," she explained. "Most importantly, we believe that both potential and existing patients have a right to know about their risks." After the report was released, St. Jude's stock fell 10 percent on Thursday and an additional 2 percent today before trading was halted.
In a statement published today, a St. Jude spokesperson said, "We have examined the allegations made by Capital and MedSec on August 25, 2016 regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading." The vulnerabilities applied to older versions of the "Merlin@home" devices that drive the cardiac implants that are not capable of being automatically patched, the spokesperson said.

The company claims that newer versions of the devices have already been updated.

Additionally, the spokesperson dismissed the battery drainage vulnerability as "misleading" because MedSec claimed it could be executed from 50 feet away. "This is not possible since once the device is implanted in a patient, wireless communication has an approximate 7-foot range," the spokesperson insisted, and the attack would also require "hundreds of hours of continuous and sustained pings" of the implant by an attacker.

Furthermore, St. Jude claimed that the screen shots used to demonstrate the "crash" attack actually show the device working normally. Trading in St. Jude stock resumed this afternoon and had recovered some of its losses, CNBC reports.
Some sharks wear suits and ties

Analysis: A team of security researchers tipped off an investment firm about software vulnerabilities in life-preserving medical equipment in order to profit from the fallout. Researchers at MedSec Holdings, a cybersecurity startup in Miami, Florida, found numerous holes in pacemakers and defibrillators manufactured by St Jude Medical.

Instead of telling the maker straightaway, the crew first went to investment house Muddy Waters Capital to make money off the situation. MedSec offered Muddy Waters the chance to short sell the stock of St Jude Medical so that when details of the flaws were made public, MedSec and Muddy Waters could both profit.

The more the shares fell, the higher MedSec's profits would be. Muddy duly published details of the flaws earlier today, on Thursday, and sent this doom-laden alert to investors:

Muddy Waters Capital is short St. Jude Medical, Inc. (STJ US).

There is a strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years.
STJ’s pacemakers, ICDs, and CRTs might – and in our view, should – be recalled and remediated. (These devices collectively were 46% of STJ’s 2015 revenue.) Based on conversations with industry experts, we estimate remediation would take at least two years.

Even lacking a recall, the product safety issues we present in this report offer unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients. We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices (“Cardiac Devices”): a “crash” attack that causes Cardiac Devices to malfunction – including by apparently pacing at a potentially dangerous rate; and, a battery drain attack that could be particularly harmful to device dependent users.

Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house key exploits that help to enable these attacks.

St Jude's share price fell 4.4 per cent to $77.50. MedSec claims it used Muddy Waters in order to draw attention to insecurities in St Jude's products and to fund its research efforts, admittedly in a rather unorthodox manner. "We acknowledge that our departure from traditional cyber security practices will draw criticism, but we believe this is the only way to spur St Jude Medical into action," said MedSec's CEO Justine Bone on her company blog. "Most importantly, we believe that both potential and existing patients have a right to know about their risks.

Consumers need to start demanding transparency from these device manufacturers, especially as it applies to the quality and functionality of their products." Alternatively they could have simply gone to the device maker, showed them the holes, and got them fixed.
If they wanted to force the manufacturer into action, MedSec could have presented a paper at any one of the many security conferences – as car hackers Charlie Miller and Chris Valasek did in the Chrysler hacking case. Instead MedSec decided to hook up with Muddy Waters and short the stock to earn a tidy profit.

Carson Block, founder of Muddy Waters, took to Bloomberg TV to put the frighteners on folks about the severity of the flaws, which could help depress the share price further and thus boost his profits. "The nightmare scenario is somebody is able to launch a mass attack and cause these devices that are implanted to malfunction," he gushed. But based on his own company's report today into the St Jude devices, that seems unlikely.

The two attack vectors mentioned include a battery draining attack and one that could crash a pacemaker, but both require the attacker to get access to the device's home control unit for about an hour. The report blames St Jude Medical for using off-the-shelf parts in its devices that any hacker could buy and analyze, and for not making a custom operating system with extra security.
It estimates the faults will take years to rectify. Dr Hemal Nayak, a cardiac electrophysiologist at the University of Chicago, recommends in the Muddy report that users turn off their home controllers and says he will not implant any of St Jude Medical's devices. Nayak just happens to be a board member of MedSec. The report claims that it would be theoretically possible to carry out a widespread attack using St Jude Medical's network, but says MedSec didn't try it because that would be morally wrong.
So it seems they publicized that some flaws were merely present instead and cashed in on short selling. Medical device hacking has been demonstrated for years now, so much so that it's almost considered old hat. Nevertheless, it seems a cunning firm has found a way to make big bucks out of the issue.
A heart patient undergoing a medical procedure earlier this year was put at risk when misconfigured antivirus software caused a crucial lab device to hang and require a reboot before doctors could continue. The incident, described in an alert issued by the Food and Drug Administration, highlights the darker side of using computers and computer networks in mission-critical environments. While a computer crash is little more than an annoyance for most people at home or in offices, it can have far more serious consequences in hospitals, power generation facilities, or other industrial settings.

The computer system at issue in the FDA alert is known under the brand name Merge Hemo and is sold by Hartland, Wisconsin-based Merge Healthcare.
It comprises a patient data module and a monitor PC that are connected by a serial cable.
It's used to provide doctors with real-time diagnostic information from a patient undergoing a procedure known as a cardiac catheterization, in which doctors insert a tube into a blood vessel to see how well the patient's heart is working. In March, an unidentified healthcare provider "reported to Merge Healthcare that, in the middle of a heart catheterization procedure, the Hemo monitor PC lost communication with the Hemo client and the Hemo monitor went black," the FDA alert stated. "Information obtained from the customer indicated that there was a delay of about 5 minutes while the patient was sedated so that the application could be rebooted.
It was found that anti-malware software was performing hourly scans. With Merge Hemo not presenting physiological data during treatment, there is a potential for a delay in care that results in harm to the patient. However, it was reported that the procedure was completed successfully once the application was rebooted." The alert continued: Based upon the available information, the cause for the reported event was due to the customer not following instructions concerning the installation of anti-virus software; therefore, there is no indication that the reported event was related to product malfunction or defect.

The product security recommendations, (b)(4), explicitly state, "the intent of these guidelines is to configure the anti-virus software so that it does not affect clinical performance and uptime while still being effective.

To accomplish this, the anti-virus software needs to be configured to scan only the potentially vulnerable files on the system, while skipping the medical images and patient data files. Our experience has shown that improper configuration of anti-virus software can have adverse affects [sic] including downtime and clinically unusable performance."

AV interfering with mission-critical systems isn't a widely reported problem, but it's also not unheard of. Michael Toeker, an engineer who specializes in securing industrial control systems, said he's aware of at least three incidents in North American power-generation facilities in the past five years where AV interrupted computer processes. One of the malfunctions, he said, disrupted what he described as a "mission-critical" process that had the potential to create unsafe conditions if the problem wasn't remedied promptly. Non-disclosure agreements he signed with the operators of the power-generation facilities bar him from providing further details.

While the home and office PC market often thrives on having a large ecosystem of hardware and software that customers can mix and match, an almost endless list of options can be more of a liability to hospitals and industrial environments.

That's because systems carrying out life-saving procedures or potentially dangerous processes must be extensively tested before being put into production to identify and remedy any potential glitches.

To the credit of Merge Healthcare, the Merge Hemo came with safety instructions that AV be set up to skip medical images during scans. "The engineer who wrote that just earned their entire year's salary bonus," Toeker, who works for Context Industrial Security, told Ars.

Catch 22

Billy Rios, a researcher specializing in medical device security and founder of a firm called White Scope, said hospitals are in a difficult spot when using computers for mission-critical procedures. Often, the devices run on Windows XP or other aging platforms that haven't received updates in years.

And it's not unusual for those devices to interact with servers that haven't received critical updates. One example: the JBoss application server, which was recently exploited to install crypto ransomware on hospital networks. The lack of security updates is one of the reasons medical devices frequently come preinstalled with AV. While in theory AV may protect devices against attacks that exploit unpatched vulnerabilities, the protection often breaks down in practice.

That's because federal certifications often bar the AV from receiving signature updates that allow it to detect new strains of malware. "The sad part is the customer can't change it," Rios told Ars, referring to the typical computerized medical device. "This thing is built to work a certain way.

The customer can't just go in there and start modifying the software.
It's going to break." As a result, hospitals and other mission-critical computer users have few options other than to run AV, even though the AV often hasn't been updated in months or years and its improper use can have catastrophic consequences.

A better approach might be for engineers to set up a small list of software the device is permitted to run and to block everything else.
Such "whitelisting" techniques are used in some industries but still haven't been widely embraced by hospitals.

The incident disclosed in the FDA alert and a 2013 report finding vulnerabilities in a vast array of medical devices, are strong arguments for examining some of these shortcomings and making fundamental changes to the way mission-critical computing is secured in hospitals and other industrial settings.
Logistics company DHL will regularly fly drones without the use of a land-based pilot.
Updated OpenStack Telemetry packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux OpenStack Platform 4.0.

Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

OpenStack Telemetry (ceilometer) collects customer usage data for metering purposes. Telemetry implements bus listener, push, and polling agents for data collection; this data is stored in a database and presented via the REST API. In addition, Telemetry's extensible design means it can be optionally extended to gather customized data sets.

It was found that authentication tokens were not properly sanitized from the message queue by the notifier middleware. An attacker with read access to the message queue could possibly use this flaw to intercept an authentication token and gain elevated privileges. Note that all services using the notifier middleware configured after the auth_token middleware pipeline were affected. (CVE-2014-4615)

This update also fixes the following bug:

* An incompatibility issue was found with the recent update of the python-qpid package. This caused several OpenStack services, including OpenStack Telemetry, to malfunction. By updating the RPC code, this issue is now resolved. (BZ#1116462)

All OpenStack Telemetry users are advised to upgrade to these updated packages, which correct these issues. Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network.
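The token leak above is a case of a request credential riding along inside an event payload that gets published to a queue any subscriber can read. As an added example (not pycadf's or ceilometer's own code), the following Python walks a constructed CADF-style event, redacts token-bearing fields before the event is handed to the notifier, and provides a check an operator can run over events read back from the queue to confirm nothing leaked; the field names, token pattern and sample values are assumptions made for this example.

```python
"""Redact bearer tokens from a notification event before it reaches the
message queue, and check events for tokens that slipped through.

Added example for the class of bug described by CVE-2014-4615. Not
pycadf's or ceilometer's code; event layout, key names, token pattern and
sample values are constructed for illustration.
"""
import copy
import hashlib
import re

# Header and attribute names that carry a bearer credential (assumed list).
SENSITIVE_KEYS = {"x-auth-token", "x-subject-token", "x-service-token"}
# Heuristic for token-shaped strings under any key ending in "token"
# (constructed for this example, not an OpenStack rule).
TOKEN_RE = re.compile(r"^[A-Za-z0-9+/=_-]{32,}$")
REDACTED = "REDACTED:"


def _is_token_field(key, value):
    """True when `value` stored under `key` should be treated as a credential."""
    if key is None or not isinstance(value, str) or value.startswith(REDACTED):
        return False
    norm = key.lower().replace("_", "-")
    return norm in SENSITIVE_KEYS or (norm.endswith("token") and bool(TOKEN_RE.match(value)))


def _fingerprint(token):
    """Short, non-reversible stand-in so events stay correlatable without
    carrying the credential itself."""
    return REDACTED + hashlib.sha256(token.encode()).hexdigest()[:12]


def sanitize(event):
    """Return a deep copy of `event` with every token-bearing field redacted.
    Nested dicts and lists are walked, so tokens copied into request headers
    or initiator credentials are all caught; the caller's event is untouched."""
    def walk(node, parent_key=None):
        if isinstance(node, dict):
            return {k: walk(v, k) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v, parent_key) for v in node]
        return _fingerprint(node) if _is_token_field(parent_key, node) else node
    return walk(copy.deepcopy(event))


def leaked_tokens(event):
    """Detection-side check: dotted paths of every un-redacted token in an
    event, e.g. one read back from the queue during an audit."""
    found = []
    def walk(node, path, parent_key=None):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, path + [k], k)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, path + [str(i)], parent_key)
        elif _is_token_field(parent_key, node):
            found.append(".".join(path))
    walk(event, [])
    return found


# Constructed CADF-style event, as an audit middleware might emit it.
SAMPLE_EVENT = {
    "event_type": "http.request",
    "payload": {
        "action": "read/list",
        "initiator": {"id": "user-1234", "credential": {"token": "a" * 32}},
        "target": {"typeURI": "service/compute/servers"},
        "request": {
            "headers": {"X-Auth-Token": "b" * 32, "User-Agent": "novaclient"},
            "query": {"marker": "c" * 32},  # token-shaped, but not a token
        },
    },
}
```

Running `leaked_tokens(SAMPLE_EVENT)` before and after `sanitize` shows the two credential paths disappearing while the look-alike `marker` value is left alone.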
Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

Bugs fixed:
1112945 - CVE-2014-4615 pycadf: token leak to message queue
1116462 - RHOSP 4 is incompatible with python-qpid >= 0.18-11

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
Advisory: RHBA-2014:1047-1
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2014-08-12
Last updated on: 2014-08-12
Affected Products: Red Hat OpenStack 4.0

Details

Updated packages which resolve an issue are now available for Red Hat Enterprise Linux OpenStack Platform 4.0 (Icehouse) for RHEL 6.

Red Hat Enterprise Linux OpenStack Platform provides the facilities for building a private or public infrastructure-as-a-service (IaaS) cloud running on commonly available physical hardware.

This advisory includes packages for:
* OpenStack Orchestration service ("Heat")
* OpenStack Block Storage service ("Cinder")

A recent python-qpid update introduced an incompatibility issue that caused the Orchestration and Block Storage services to malfunction. This update fixes the RPC code within each service to address the incompatibility, thereby resolving the issue.

Solution

Before applying this update, ensure all previously released errata relevant to your system have been applied.

Red Hat Enterprise Linux OpenStack Platform 4.0 runs on Red Hat Enterprise Linux 6.5.

The Red Hat Enterprise Linux OpenStack Platform 4.0 Release Notes contain the following:
* An explanation of the way in which the provided components interact to form a working cloud computing environment.
* Technology Previews, Recommended Practices, and Known Issues.
* The channels required for Red Hat Enterprise Linux OpenStack Platform 4.0, including which channels need to be enabled and disabled.

The Release Notes are available at: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/4/html/Release_Notes/index.html

This update is available through the Red Hat Network.
Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

Bugs fixed (see bugzilla for more information)
1116464 - RHOSP 4 is incompatible with python-qpid >= 0.18-11
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/