Lock up admin accounts to stop hackers, says Cyber-Ark

Hackers typically target privileged admin accounts to gain access to all computer systems in an organisation, says David Higgins, senior sales manager Cyber-Ark “In many organisations, these accounts are not well managed or controlled, giving hackers unfettered, unaccountable access,” he told the Whitehall Media Identity Management 2013 conference … (more)

Original news article at https://www.topix.com/tech/computer-security on June 20, 2013 at 06:09AM

Use This Powerful Microsoft Tool to Provide Better Security for Windows Programs

Zero-Day Exploits. Unpatched security holes. Security weaknesses that the hackers have discovered but haven’t revealed. These security problems are all too common and conventional anti-malware is no help. So what is the PC user to do? Here is some powerful free security software from Microsoft that can help.


Original news article at https://feeds.feedburner.com/gizmosbest on June 19, 2013 at 02:41PM

Medical Devices Contain Hard-Coded Passwords, ICS-CERT Warns

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert yesterday warning that some 300 medical devices developed by roughly 40 different vendors contain hard-coded passwords that could be used by unauthorized individuals to access these machines and potentially modify critical settings and device firmware.

US-CERT published the alert in concert with a memo from the United States Food and Drug Administration outlining a set guidelines designed to encourage medical device manufacturers to better secure defibrillators, insulin pumps, pacemakers and other devices before they reach patients.

The warning is based on a yet-unreleased report developed by Cylance researchers Billy Rios and Terry McCorkle. The hundreds of vulnerable devices uncovered by the pair of researchers include surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient monitors, and laboratory and analysis equipment.

ICS-CERT is coordinating with affected vendors to identify vulnerable devices and provide fixes for them. In the meantime, they are recommending that device manufacturers, healthcare facilities, and users of these devices take proactive measures to minimize the risk of exploitation of these and other vulnerabilities.

ISC-CERT and the FDA are not aware of any in-the-wild exploits.

The two alerts published yesterday are part of an ICS-CERT and FDA partnership aimed at better protecting patients who may receive treatments involving computerized medical devices.

“The Department of Homeland Security’s (DHS) Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT) is working directly with the Food and Drug Administration (FDA) and medical devices manufacturers, health care professionals and facilities to investigate and address the reported vulnerabilities,” said DHS spokesman Sy Lee. “DHS actively collaborates with public and private sector partners every day to identify and reduce adverse impacts on the nation’s critical cyber systems.”

Original news article at https://threatpost.com on June 14, 2013 at 09:35PM

FDA Warns Medical Device Manufacturers to Take Security More Seriously

Hoping to strengthen the security of medical devices, the Food and Drug Administration today issued a new series of guidelines for manufacturers. The document was released to encourage companies to mitigate viruses and malware on devices such as defibrillators, insulin pumps and pacemakers before they reach patients.

While no company was called out, the FDA outlined general recommendations.

Manufacturers are expected to review their cybersecurity practices, ensure only trusted users can access their devices, and improve security controls like user IDs and passwords. In addition to device manufacturers, health care facilities are also reminded in the memo to properly update their antivirus software, restrict their network to authorized users and work one on one with device manufacturers when a problem surfaces.

The warnings come after several devices have been found vulnerable to hacks. Since most of them include what the FDA calls “configurable embedded computer systems,” the smaller devices could fall victim to hackers, like any desktop or laptop computer.

The FDA makes a point to assert that it’s not aware of any deaths or injuries associated with these vulnerabilities or malfunctions. The group just calls cybersecurity incidents “increasingly likely,” making the the note from the FDA really more of a siren call than a mandate for manufacturers.

The way the agency works, the FDA doesn’t have to review or approve any software changes that are made in order to improve cybersecurity. It also notes that the guidance documents are just that – guidance – they “do not establish legally enforceable responsibilities.”

The medical device and health care sector has seen a sizeable chunk of threats over the last few years but this is one of the first general warnings to come down from a specialized government agency.

Earlier this year noted researchers Billy Rios and Terry McCorkle hit the conference circuit to share details about a handful of vulnerabilities they discovered that affect medical products. One such vulnerability, a problem with an x-ray processing machine made by Philips’ could cause the machine to get owned. According to the pair at Digital Bond’s Security Scientific Symposium (S4) Conference in January, the FDA was just beginning to intervene.

Barnaby Jack, now the Director of Embedded Device Security at IOActive, Inc. unearthed bugs in 2012 that could send a lethal shock to some pacemakers and in 2011 was able to find a way to wirelessly take control of a Medtronic insulin pump.

The Government Accountability Office sent a similar warning to the FDA about recognizing the safety of medical devices last October, asking it do more to address their electronic complexities. At the time the GAO asked the FDA to “develop and implement a plan expanding its focus on information security risks.” It seems now the FDA is doing just that.

Original news article at https://threatpost.com on June 13, 2013 at 11:16PM

Unnamed, Popular ICS Firmware Contains Hard-Coded FTP Credential

Industrial control systems are rife with security issues, not the least of which is the use of hard-coded credentials. In order to minimize downtime, developers and administrators build in passwords to expedite remote troubleshooting in the event of a system crash or failure.

Problems arise when an attacker finds these credentials and the practice becomes tantamount to coding in a backdoor to the device in question.

A security researcher reported this week the discovery of hard-coded credentials in well-known ICS device firmware used to connect to the device vendor’s FTP server. Sofiane Talmat of security consultancy IOActive would not reveal the device in question to Threatpost, but said he is working on a process for remediation and disclosure with the vendor.

“I am not allowed to disclose the vendor name right now as the vulnerability is not yet publicly disclosed and unpatched and there is sensitive information on the FTP server,” Talmat said.

Talmat said he came across a script that tests connectivity transmitted in the clear from the firmware that included the FTP host name, user name and password, in addition to the file name being transferred to the vendor.  The script is designed to ping the host and then connects to an internal FTP server to download a test file and upload the results. Conspiring to make a bad situation worse, in addition to the hard-coded in-the-clear credential, the upload inserts the device serial number into the file name, Talmat said. While this facilitates the use of a unique identifier for each file, Talmat said, it also facilitates the attacker accessing any device by its serial number.

“These device serial numbers are also used by the vendor to generate default admin passwords,” he wrote on the company’s blog. “This knowledge and strategy could allow an attacker to build a database of admin passwords for all of this vendor’s devices.”

Talmat said this is the first time he’s seen serial numbers used to generate admin passwords for different devices. But this isn’t the first time he’s seen a device ID or serial number used as a naming convention for an industrial device.

Digging further, Talmat found issues with another script connecting to the same vendor’s FTP server that uses anonymous access to upload statistics used for debugging from each device. Similarly, the .zip file sent from the device to the FTP server includes the device serial number; the script also prompts the user to add the company name to the file name.

“An attacker with this information can easily build a database of admin passwords linked to the company that owns the device,” Talmat said.

A third problematic script was discovered; this one however allows only write-access to the FTP server and sends device configuration information. Talmat said the server is running an older version of the FTP service which is also vulnerable to public exploits.

“I need to check, but I am sure it’s an old version since the vulnerability was disclosed publicly five or six years before,” he said.

A similar issue was recently patched by TURCK, a German ICS vendor whose devices are deployed in manufacturing, agriculture and food services in the United States and Europe. An alert from the Industrial Control System Cyber Emergency Response Team (ICS-CERT) warned of a vulnerability in TURCK BL20 and BL67 Programmable Gateways that included hard-coded credentials reachable via a FTP server.

The flaw was also discovered by an IOActive researcher, Ruben Santamarta, who said that anyone with an understanding of embedded syntax could find the credentials by running the strings command on the firmware file. He did qualify that this can be time consuming because there are potentially thousands of strings in firmware. An IOActive tool called Stringfighter automates the process by searching for strings that are out of context to elements near it and could be hard-coded credentials.

Original news article at https://threatpost.com on June 11, 2013 at 10:45PM