But will we see cyber listed as a feature in medical advertising?

Posted in avoidable vulnerabilities on September 10th, 2017 by Rodney

Another place vulnerabilities are published. I wonder how it’ll go with crossover items. “Linux kernel flaw bricks insulin pump?”

Equal Expectations for Equal (Non-Person) Entities

Posted in avoidable vulnerabilities, Physical Security Infrastructure on September 6th, 2017 by Rodney

I don’t hate robots. I think that any new technology that tries to show up today has to be built with some, by this time fairly obvious, cyber defenses. This means, first, that the vendor has to get it that we might care. We the customers have a right to expect thorough, well-tested, well-thought-out technology solutions.

Especially if you’re gonna let that thing drive itself around my shopping mall. Or my parking lot. Or deliver drugs to the other end of my pharmaceuticals facility.

It’s 2017. You want to put a device on my network, operating within my risk responsibility, that’s mobile and at least partially outside my controlled perimeter. With credentials to access my security command center. And you want a purchase order for that?

Yeah, I expect the product to have some cyber awareness.

Rescue an XP laptop: load Linux today

Posted in avoidable vulnerabilities, Physical Security Infrastructure on August 1st, 2016 by Rodney

It’s mid-2016. XP has been end-of-life for over a year or something. What’s that mean? It means there’s approximately a 100% chance that any given XP system is exploitable. It definitely means the system has exited the vendor’s maintenance window. Either way there are few if any reasons to justify use of XP from a security standpoint.

So when you hear about present-day XP deployments, it’s disturbing. Well before March of 2016 there should be zero XP deployments out there. “Oh, yeah, that’s an old recording appliance. It’s still running XP” is not the kind of thing you should hear at a PACS user group meeting.

Party like you’re on a 1990’s network

Posted in avoidable vulnerabilities on January 26th, 2015 by Blog Operations

It’s 2015. And yet some vendors are still shipping network-attached devices like… well, at least like it’s 1999, if not before.

We’re talking about Telnet. In 2015, do not use Telnet. It’s unencrypted and it can leak passwords to an adversary. This is not a news flash.

Telnet was really cool back in the day. The user didn’t have to be in front of the computer they wanted to access. They could – gasp – connect remotely.

In the decades since telnet was first introduced, we’ve learned a few things about network security. For example, it’s bad to use unencrypted protocols if it can be avoided, specifically where an adversary could capture a password. Console connections over the telnet protocol are “in the clear”: everything typed, passwords included, crosses the network unencrypted and exposed.

Telnet was developed last century. Here in the future in 2015, you can’t assume anything about the network between you and the remote device you’re logging in to. You have to assume somebody’s going to wiretap it. Either the bad guys, or some off-the-reservation sysadmin, or who knows what else. This means you have to assume any password you type into telnet is really in the clear. What should you do? Don’t run telnet. Use SSH or some other protected mechanism. At this point in the 21st century telnet is really quaint, outdated and sort of scandalously unsafe.

This happens repeatedly. Apparently we have to keep reinforcing this concept. See this post from 2011…
http://www.engadget.com/2011/01/31/hackers-increasingly-using-telnet-for-attacks-port-23-looking-y
I’d like to tell you I’ve not seen telnet deployed in new vendor products but it’s January 2015 and I’ve seen one this year already.
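One way to check your own device inventory for the problem described above, as an added example that is not part of the original post: it reads the first bytes a service sends and flags Telnet (or any bare cleartext login prompt) even when it is not on port 23. The function names and the sample banners are hypothetical and constructed for illustration.

```python
import socket

IAC = 0xFF                              # Telnet "Interpret As Command" byte (RFC 854)
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT
PROMPTS = (b"login:", b"username:", b"password:")

def classify_banner(data: bytes) -> str:
    """Classify the first bytes a service sends after the TCP connect."""
    if data.startswith(b"SSH-"):
        return "ssh"
    # Telnet servers normally open with option negotiation: IAC, verb, option.
    if len(data) >= 3 and data[0] == IAC and data[1] in NEGOTIATION:
        return "telnet"
    # Some embedded devices skip negotiation and just print a prompt.
    if any(p in data.lower() for p in PROMPTS):
        return "cleartext-login"
    return "unknown"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, read the service's opening bytes, and classify them."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            try:
                data = conn.recv(256)
            except socket.timeout:
                data = b""  # service is waiting for the client to speak first
    except OSError:
        return "closed"
    return classify_banner(data)

def audit(inventory):
    """Return (host, port, verdict) for endpoints that accept cleartext logins."""
    findings = []
    for host, port in inventory:
        verdict = probe(host, port)
        if verdict in ("telnet", "cleartext-login"):
            findings.append((host, port, verdict))
    return findings

if __name__ == "__main__":
    # Constructed sample banners, not captured from any real device.
    samples = [b"\xff\xfd\x18\xff\xfb\x01", b"SSH-2.0-OpenSSH_8.9\r\n",
               b"\r\nRecorder login: ", b"HTTP/1.1 400 Bad Request\r\n"]
    for banner in samples:
        print(repr(banner[:20]), "->", classify_banner(banner))
```

Pass `audit()` a list of `(host, port)` pairs from your own asset inventory; anything it returns is a candidate for replacement with SSH or removal from the network.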
