Critical flaw lets hackers control lifesaving devices implanted inside patients

An X-ray showing a cardio defibrillator implanted in a patient.

The federal government on Thursday warned of a serious flaw in Medtronic cardio defibrillators that allows attackers to use radio communications to surreptitiously take full control of the lifesaving devices after they are implanted in a patient.

Defibrillators are small, surgically implanted devices that deliver electrical shocks to treat potentially fatal irregular heart rhythms. In recent decades, doctors have increasingly used radios to monitor and adjust the devices once they’re implanted rather than using older, costlier, and more invasive means. An array of implanted cardio defibrillators made by Medtronic relies on two types of radio-based consoles for initial setup, periodic maintenance, and regular monitoring. Doctors use the company’s CareLink Programmer in clinics, while patients use the MyCareLink Monitor in homes to regularly ensure the defibrillators are working properly.

No encryption, no authentication, and a raft of other flaws

Researchers from security firm Clever Security discovered that the Conexus Radio Frequency Telemetry Protocol (Medtronic’s proprietary means for the monitors to wirelessly connect to implanted devices) provides no encryption to secure communications. That makes it possible for attackers within radio range to eavesdrop on the communications. Even worse, the protocol has no means of authentication for legitimate devices to prove they are authorized to take control of the implanted devices. That lack of authentication, combined with a raft of other vulnerabilities, makes it possible for attackers within radio range to completely rewrite the defibrillator firmware, a capability rarely seen in the medical device vulnerabilities disclosed to date.
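The two failures named above, no authentication and no replay protection on a radio command link, are easy to see in a small model. The following is an added example written for this page; it is not Medtronic’s code and nothing in it is the Conexus protocol. The device id, command codes, frame layout and key are all made up. It shows a toy implant that accepts any well-formed frame (the unauthenticated design) beside one that requires a keyed HMAC tag over a monotonic counter, and runs the same attacker (in radio range, no key) against both.

```python
import hashlib
import hmac
import struct

# Hypothetical command codes and device id, chosen for this example only.
CMD_READ_STATUS = 0x01
CMD_FIRMWARE_WRITE = 0x7F
DEVICE_ID = 0x00C0FFEE
TAG_LEN = 16  # truncated HMAC-SHA256 tag appended to every authenticated frame


def plain_frame(device_id, cmd, payload):
    """Unauthenticated, unencrypted frame: id | cmd | len | payload."""
    return struct.pack(">IBH", device_id, cmd, len(payload)) + payload


def parse_plain(frame):
    device_id, cmd, n = struct.unpack(">IBH", frame[:7])
    return device_id, cmd, frame[7:7 + n]


def auth_frame(key, device_id, counter, cmd, payload):
    """Frame with a monotonic counter and a keyed tag over the whole body."""
    body = struct.pack(">IIBH", device_id, counter, cmd, len(payload)) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Implant:
    def __init__(self, device_id, key=None):
        self.device_id = device_id
        self.key = key            # None models a protocol with no authentication
        self.last_counter = 0
        self.executed = []        # (cmd, payload) pairs the device acted on

    def receive(self, frame):
        """Return True if the command was executed, False if it was dropped."""
        if self.key is None:
            device_id, cmd, payload = parse_plain(frame)
            if device_id != self.device_id:
                return False
            self.executed.append((cmd, payload))   # anyone in range gets here
            return True
        if len(frame) < 11 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                           # forged or tampered frame
        device_id, counter, cmd, n = struct.unpack(">IIBH", body[:11])
        if device_id != self.device_id or counter <= self.last_counter:
            return False                           # wrong target or replayed frame
        self.last_counter = counter
        self.executed.append((cmd, body[11:11 + n]))
        return True


def demo():
    """Run the eavesdrop, forge and replay attacks against both designs."""
    results = {}
    # 1. Unauthenticated protocol: the attacker reads and forges at will.
    weak = Implant(DEVICE_ID)
    captured = plain_frame(DEVICE_ID, CMD_READ_STATUS, b"")
    results["eavesdropped_cmd"] = parse_plain(captured)[1]   # plaintext is readable
    forged = plain_frame(DEVICE_ID, CMD_FIRMWARE_WRITE, b"\xde\xad\xbe\xef")
    results["forge_accepted_by_weak"] = weak.receive(forged)
    # 2. Authenticated protocol: same attacker, still no key.
    key = b"per-device-key-provisioned-at-manufacture"   # constructed for the example
    strong = Implant(DEVICE_ID, key)
    legit = auth_frame(key, DEVICE_ID, 1, CMD_READ_STATUS, b"")
    results["legit_accepted"] = strong.receive(legit)
    guessed = auth_frame(b"wrong-key", DEVICE_ID, 2, CMD_FIRMWARE_WRITE, b"\xde\xad\xbe\xef")
    results["forge_accepted_by_strong"] = strong.receive(guessed)
    results["replay_accepted"] = strong.receive(legit)       # counter already consumed
    results["strong_executed"] = strong.executed
    return results


if __name__ == "__main__":
    print(demo())
```

The tag covers the counter, so an attacker cannot bump it on a captured frame, and the counter check is what turns "authenticated" into "not replayable". Note what this model does not fix: HMAC gives integrity and origin, not confidentiality, so the eavesdropping problem in the first paragraph remains until the body is encrypted (an AEAD such as AES-GCM does both in one step; it is left out here because it is not in the Python standard library).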

How hackers pulled off a $20 million bank heist

In January 2018 a group of hackers, now thought to be working for the North Korean state-sponsored group Lazarus, attempted to steal $110 million from the Mexican commercial bank Bancomext. That effort failed. But just a few months later, a smaller yet still elaborate series of attacks allowed hackers to siphon off 300 to 400 million pesos, or roughly $15 to $20 million from Mexican banks. Here’s how they did it.

At the RSA security conference in San Francisco last Friday, penetration tester and security advisor Josu Loza, who was an incident responder in the wake of the April attacks, presented findings on how hackers executed the heists both digitally and on the ground around Mexico. The hackers’ affiliation remains publicly unknown. Loza emphasizes that while the attacks likely required extensive expertise and planning over months, or even years, they were enabled by sloppy and insecure network architecture within the Mexican financial system, and security oversights in SPEI, Mexico’s domestic money transfer platform run by central bank Banco de México, also known as Banxico.

Easy pickings

Thanks to security holes in the targeted bank systems, attackers could have accessed internal servers from the public Internet, or launched phishing attacks to compromise executives—or even regular employees—to gain a foothold. Many networks didn’t have strong access controls, so hackers could get a lot of mileage out of compromised employee credentials. The networks also weren’t well segmented, meaning intruders could use that initial access to penetrate deep into the banks’ connections to SPEI, and eventually SPEI’s transaction servers, or even its underlying code base.

Beto O’Rourke could be the first hacker president

Democratic presidential candidate Beto O’Rourke has revealed he was a member of a notorious decades-old hacking group.

The former congressman was a member of the Texas-based hacker group, the Cult of the Dead Cow, known for inspiring early hacktivism in the internet age and building exploits and hacks for Microsoft Windows. The group used the internet as a platform in the 1990s to protest real-world events, often to promote human rights and denounce censorship. Among its many releases, the Cult of the Dead Cow was best known for its Back Orifice program, a remote access and administration tool.

O’Rourke went by the handle “Psychedelic Warlord,” as revealed by Reuters, which broke the story.

But as he climbed the political ranks, first elected to the El Paso city council in 2005, he reportedly grew concerned that his membership with the group would harm his political aspirations. The group’s members kept O’Rourke’s secret safe until the ex-hacker confirmed to Reuters his association with the group.

Reuters described him as the “most prominent ex-hacker in American political history,” who on Thursday announced his candidacy for president of the United States.

If he wins the White House, he would become the first hacker president.

O’Rourke’s history sheds light on how the candidate approaches and understands the technological issues that face the U.S. today. He’s one of the few presidential candidates to run for the White House with more than a modicum of tech knowledge — and the crucial awareness of the good and the problems tech can bring at a policy level.

“I understand the democratizing power of the internet, and how transformative it was for me personally, and how it leveraged the extraordinary intelligence of these people all over the country who were sharing ideas and techniques,” O’Rourke told Reuters.

The 46-year-old has yet to address supporters about the new revelations.

Flawed visitor check-in systems let anyone steal guest logs and sneak into buildings

Security researchers at IBM have found, reported and disclosed 19 vulnerabilities in five popular visitor management systems, which they say can be used to steal data on visitors — or even sneak into sensitive and off-limits areas of office buildings.

You’ve probably seen one of these visitor check-in systems before: they’re often found in lobbies or reception areas of office buildings to check staff and visitors onto the work floor. Visitors check in with their name and who they’re meeting using the touch-screen display or tablet, and a name badge is either printed or issued.

But the IBM researchers say flaws in these systems provided “a false sense of security.”

The researchers examined five of the most popular systems: Lobby Track Desktop, built by Jolly Technologies, had seven vulnerabilities; eVisitorPass, recently rebranded as Threshold Security, had five vulnerabilities; EasyLobby Solo, built by HID Global, had four vulnerabilities; Envoy’s flagship Passport system had two vulnerabilities; and The Receptionist, an iPad app, had one vulnerability.

According to IBM, the vulnerabilities could only be exploited by someone physically at the check-in kiosk. The bugs ranged from letting someone download visitor logs, including names, driver’s license and Social Security data, and phone numbers, to, in some cases, escaping the software’s “kiosk” mode to reach the underlying operating system, which the researchers say could be used to pivot to other applications and, if the device is connected, to the network.

Worst of all, some systems used default admin credentials that would “allow complete control of the application,” such as the ability to edit the visitor database. Some systems “can even issue and provision RFID badges, giving an attacker a key to open doors,” the researchers wrote.

Daniel Crowley, research director at IBM X-Force Red, the company’s pen-testing and vulnerability hunting team, told TechCrunch that all of the companies responded to the team’s findings.

“Some responded much more quickly than others,” said Crowley. “The Lobby Track vulnerabilities were acknowledged by Jolly Technologies, but they stated that the issues can be addressed through configuration options. X-Force Red tested the Lobby Track software in its default configuration,” he added.

We contacted the companies and received — for the most part — dismal responses.

Kate Miller, a spokesperson for Envoy, confirmed it fixed the bugs but “customer and visitor data was never at risk.”

Andy Alsop, chief executive of The Receptionist, did not respond to a request for comment but instead automatically signed us up to a mailing list without our permission, which we swiftly unsubscribed from. When reached, Michael Ashford, director of marketing, did not comment.

David Jordan, a representative for Jolly, declined to comment. And neither Threshold Security nor HID Global responded to our requests for comment.

Report: Bezos-hired sleuth suspects sexts stolen by “government entity”

Yesterday Jeff Bezos alleged that David Pecker, CEO of the company that publishes the National Enquirer, attempted to blackmail Bezos by threatening to publish nude photos of Bezos. The married Bezos allegedly sent the explicit photos to another woman, broadcaster Lauren Sanchez.

One of the big unanswered questions in the story is how the National Enquirer obtained the photos. One obvious possibility is that someone hacked Bezos’ phone—or possibly Sanchez’s.

But in an interview on MSNBC, Washington Post reporter Manuel Roig-Franzia pointed to a different possibility. The Post is owned by Bezos, and while Roig-Franzia says he hasn’t talked to Bezos directly, he has talked to Gavin De Becker, a legendary security consultant who is working for Bezos. “Gavin De Becker told us that he does not believe that Jeff Bezos’ phone was hacked,” Roig-Franzia said. “He thinks it’s possible that a government entity might have gotten hold of his text messages.”

Fire (and lots of it): Berkeley researcher on the only way to fix cryptocurrency

Nicholas Weaver made no bones about it: he really, really dislikes cryptocurrencies.

Speaking at the Enigma security conference in Burlingame, California, last week, the researcher at UC Berkeley’s International Computer Science Institute characterized bitcoin and its many follow-on digital currencies as energy-sucking leeches with no redeeming qualities. Their chief, if not only, function, he said, is to fund ransomware campaigns, online drug bazaars, and other criminal enterprises.

Meanwhile, Weaver said, there’s no basis for the promises that cryptocurrencies’ decentralized structure and blockchain basis will fundamentally transform commerce or economics. That means the sky-high valuations spawned by those false promises are completely unjustified. He also said investors’ irrational exuberance just adds to the unviability of cryptocurrency.

Is Huawei a friend or foe in the battle for 5G dominance?

While the UK woos China’s telecoms giant, fears grow over the risks it poses to national security

If, according to an ancient Chinese proverb, “a crisis is an opportunity riding the dangerous wind”, then Huawei is barrelling in on a storm force 12. Where the hurricane takes it, though, may be out of the telecoms giant’s control.

A slew of bombshell allegations have raised troubling questions about the telecoms company’s probity and revived long-held concerns about its relationship with China’s intelligence services. The UK, in need of friends as Brexit looms, is struggling to negotiate the fallout. To ignore the mounting brouhaha risks alienating its closest ally, the United States, currently locked in a bitter trade war with China which has become synonymous with Huawei. But the UK needs Chinese technology to keep pace with the 21st century.

Huawei’s cyber-security approach fell short but no hostile Chinese state activity was uncovered

Nine defendants charged in SEC hacking scheme that netted $4.1 million

Federal authorities have charged nine defendants with participating in a scheme to hack a Securities and Exchange Commission database to steal confidential information that netted $4.1 million in illegal stock trade profits.

Two of the defendants, federal prosecutors in New Jersey said, breached SEC networks starting in May 2016 using attacks that included directory traversal, phishing, and infecting computers with malware. From there, the defendants allegedly accessed EDGAR (the SEC’s Electronic Data Gathering, Analysis, and Retrieval system) and stole nonpublic earnings reports that publicly traded companies had filed with the commission. The hackers then passed the confidential information to individuals who used it to trade in the narrow window between when the files were stolen and when the companies released the information to the public.
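Directory traversal, the first technique listed above, is worth seeing in code because the fix is commonly done wrong. The following is an added example for this page, not code from the SEC, EDGAR or the complaint; the document root, the file names and the request strings are constructed for illustration (the real EDGAR layout is not public). It puts a vulnerable file lookup beside a hardened one that canonicalises the path and then insists the result still lies under the root, and it shows why the check has to run after URL decoding.

```python
import os
from pathlib import Path
from urllib.parse import unquote

# Hypothetical document root for the example.
DOC_ROOT = "/srv/edgar-example/filings"


def resolve_unsafe(root, user_path):
    """Vulnerable lookup: the caller's string is joined onto the root and served.

    os.path.join drops the root entirely when user_path is absolute, and
    normpath happily walks '..' components up and out of the root.
    """
    return os.path.normpath(os.path.join(root, user_path))


def resolve_safe(root, user_path):
    """Hardened lookup: canonicalise first, then require containment.

    Path.resolve() collapses '..' and follows symlinks, so the containment
    test is made on the path the OS would actually open, not on the string
    the client sent.
    """
    root_p = Path(root).resolve()
    candidate = (root_p / user_path).resolve()
    if candidate != root_p and root_p not in candidate.parents:
        raise PermissionError(f"path escapes document root: {user_path!r}")
    return candidate


def escapes_root(root, user_path):
    """True if the hardened resolver rejects user_path."""
    try:
        resolve_safe(root, user_path)
        return False
    except PermissionError:
        return True


def lookup(root, raw_request_path):
    """What a handler should do: decode the request, then resolve safely.

    Checking the encoded string instead lets '%2e%2e/' through, because the
    resolver sees a literal directory named '%2e%2e' that never escapes; the
    decode that happens later in the file-serving layer is what escapes.
    """
    return resolve_safe(root, unquote(raw_request_path))


if __name__ == "__main__":
    for req in ("2018/10-K.txt", "../../../../etc/passwd", "/etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req!r:45} unsafe -> {resolve_unsafe(DOC_ROOT, unquote(req))}")
        try:
            print(f"{'':45} safe   -> {lookup(DOC_ROOT, req)}")
        except PermissionError as e:
            print(f"{'':45} safe   -> rejected ({e})")
```

The containment test compares canonical paths rather than string prefixes: a prefix check on `"/srv/edgar-example/filings"` would wrongly accept `"/srv/edgar-example/filings-private/secret"`, which `Path.parents` does not.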

“Defendants’ scheme reaped over $4.1 million in gross ill-gotten gains from trading based on nonpublic EDGAR filings,” SEC officials charged in a civil complaint. It named Ukrainian national Oleksandr Ieremenko as a hacker, along with six individual traders in California, Ukraine, and Russia, and it also named two entities. A criminal complaint filed by federal prosecutors in New Jersey charged Ieremenko and a separate Ukrainian named Artem Radchenko with carrying out the hack.
