FDA Warns Medical Device Manufacturers to Take Security More Seriously

Hoping to strengthen the security of medical devices, the Food and Drug Administration today issued a new series of guidelines for manufacturers. The document was released to encourage companies to mitigate viruses and malware on devices such as defibrillators, insulin pumps and pacemakers before they reach patients.

While no company was called out, the FDA outlined general recommendations.

Manufacturers are expected to review their cybersecurity practices, ensure only trusted users can access their devices, and improve security controls like user IDs and passwords. In addition to device manufacturers, health care facilities are also reminded in the memo to properly update their antivirus software, restrict their network to authorized users and work one on one with device manufacturers when a problem surfaces.

The warnings come after several devices have been found vulnerable to hacks. Since most of them include what the FDA calls “configurable embedded computer systems,” the smaller devices could fall victim to hackers, like any desktop or laptop computer.

The FDA makes a point of asserting that it is not aware of any deaths or injuries associated with these vulnerabilities or malfunctions. The agency only calls cybersecurity incidents “increasingly likely,” making the note from the FDA more of a siren call than a mandate for manufacturers.

Under the agency’s rules, the FDA does not have to review or approve software changes that are made solely to improve cybersecurity. It also notes that the guidance documents are just that, guidance: they “do not establish legally enforceable responsibilities.”

The medical device and health care sector has seen a sizeable chunk of threats over the last few years but this is one of the first general warnings to come down from a specialized government agency.

Earlier this year, noted researchers Billy Rios and Terry McCorkle hit the conference circuit to share details about a handful of vulnerabilities they discovered in medical products. One of them, a problem with an x-ray processing machine made by Philips, could allow the machine to be completely taken over. According to the pair, speaking at Digital Bond’s Security Scientific Symposium (S4) conference in January, the FDA was just beginning to intervene.

Barnaby Jack, now the Director of Embedded Device Security at IOActive, Inc. unearthed bugs in 2012 that could send a lethal shock to some pacemakers and in 2011 was able to find a way to wirelessly take control of a Medtronic insulin pump.

The Government Accountability Office sent a similar warning to the FDA about recognizing the safety of medical devices last October, asking it to do more to address their electronic complexities. At the time the GAO asked the FDA to “develop and implement a plan expanding its focus on information security risks.” It seems now the FDA is doing just that.


Original news article at https://threatpost.com on June 13, 2013 at 11:16PM

Unnamed, Popular ICS Firmware Contains Hard-Coded FTP Credential

Industrial control systems are rife with security issues, not the least of which is the use of hard-coded credentials. In order to minimize downtime, developers and administrators build in passwords to expedite remote troubleshooting in the event of a system crash or failure.

Problems arise when an attacker finds these credentials and the practice becomes tantamount to coding in a backdoor to the device in question.

A security researcher reported this week the discovery of hard-coded credentials in well-known ICS device firmware used to connect to the device vendor’s FTP server. Sofiane Talmat of security consultancy IOActive would not reveal the device in question to Threatpost, but said he is working on a process for remediation and disclosure with the vendor.

“I am not allowed to disclose the vendor name right now as the vulnerability is not yet publicly disclosed and unpatched and there is sensitive information on the FTP server,” Talmat said.

Talmat said he came across a connectivity-test script in the firmware that contained, in the clear, the FTP host name, user name and password, as well as the name of the file being transferred to the vendor. The script is designed to ping the host, then connect to an internal FTP server to download a test file and upload the results. Making a bad situation worse, in addition to the hard-coded in-the-clear credential, the upload inserts the device serial number into the file name, Talmat said. While this gives each file a unique identifier, Talmat said, it also lets an attacker pick out any device by its serial number.

“These device serial numbers are also used by the vendor to generate default admin passwords,” he wrote on the company’s blog. “This knowledge and strategy could allow an attacker to build a database of admin passwords for all of this vendor’s devices.”

Talmat said this is the first time he’s seen serial numbers used to generate admin passwords for different devices. But this isn’t the first time he’s seen a device ID or serial number used as a naming convention for an industrial device.

Digging further, Talmat found issues with another script connecting to the same vendor’s FTP server that uses anonymous access to upload statistics used for debugging from each device. Similarly, the .zip file sent from the device to the FTP server includes the device serial number; the script also prompts the user to add the company name to the file name.

“An attacker with this information can easily build a database of admin passwords linked to the company that owns the device,” Talmat said.

A third problematic script was discovered; this one, however, allows only write access to the FTP server and sends device configuration information. Talmat said the server is running an older version of the FTP service, which is also vulnerable to public exploits.

“I need to check, but I am sure it’s an old version since the vulnerability was disclosed publicly five or six years before,” he said.

A similar issue was recently patched by TURCK, a German ICS vendor whose devices are deployed in manufacturing, agriculture and food services in the United States and Europe. An alert from the Industrial Control System Cyber Emergency Response Team (ICS-CERT) warned of a vulnerability in TURCK BL20 and BL67 Programmable Gateways that included hard-coded credentials reachable via an FTP server.

The flaw was also discovered by an IOActive researcher, Ruben Santamarta, who said that anyone with an understanding of embedded syntax could find the credentials by running the strings command on the firmware file. He did qualify that this can be time consuming because there are potentially thousands of strings in a firmware image. An IOActive tool called Stringfighter automates the process by searching for strings that are out of context relative to the elements near them and could therefore be hard-coded credentials.
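The two steps the article describes, a `strings`-style sweep of the firmware image followed by a check for tokens that are out of context with their neighbours, can be reproduced in a short audit script. The following is an added example written for this page; it is not the vendor's firmware script and not IOActive's Stringfighter. The firmware blob it scans is constructed for the demo (a filler byte pattern standing in for compiled sections, plus a shell script modelled on the pattern Talmat describes: FTP host, user and password in the clear and the serial number spliced into the upload filename), and every host name, user name and password in it is made up. The "mix score" heuristic is this example's own: it measures how often adjacent characters switch class (lower, upper, digit, punctuation), which is low for words, paths and identifiers and high for random-looking secrets.

```python
"""Firmware credential sweep: a strings-style pass plus an 'out of context' check.

Added example, not the vendor's firmware script and not IOActive's Stringfighter.
The firmware blob below is constructed for the demo; every value in it is made up.
"""
import re
import statistics

# Filler bytes with no run of 4+ printable characters (assumption: stands in for
# compressed or compiled sections of a real image, which `strings` skips over).
_NOISE = bytes((i * 37 + 11) % 256 for i in range(512))

# Constructed script modelled on the pattern in the article: FTP host, user and
# password in the clear, and the device serial number spliced into the filename.
_SCRIPT = (
    b"#!/bin/sh\n"
    b"FTP_HOST=ftp.example-vendor.invalid\n"
    b"FTP_USER=svc_upload\n"
    b"FTP_PASS=Xy7!qR2pLm9\n"
    b"SERIAL=$(cat /etc/serial)\n"
    b"ping -c 1 $FTP_HOST && ftp -n $FTP_HOST <<EOF\n"
    b"user $FTP_USER $FTP_PASS\n"
    b"put /tmp/result.txt result_$SERIAL.txt\n"
    b"EOF\n"
)
SAMPLE_FIRMWARE = _NOISE + _SCRIPT + b"\x00version 1.0.3\x00Copyright\x00" + _NOISE

CRED_KEY = re.compile(r"pass|pwd|secret|user|login|host", re.IGNORECASE)
ASSIGNMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(\S+)$")


def extract_strings(blob, min_len=4):
    """Emulate `strings`: return (offset, text) for each run of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, blob)]


def _char_class(ch):
    if ch.islower():
        return "l"
    if ch.isupper():
        return "u"
    if ch.isdigit():
        return "d"
    return "p"


def mix_score(token):
    """Fraction of adjacent character pairs that change class. Words, paths and
    identifiers score low; random-looking secrets score high."""
    classes = [_char_class(c) for c in token]
    if len(classes) < 2:
        return 0.0
    switches = sum(a != b for a, b in zip(classes, classes[1:]))
    return switches / (len(classes) - 1)


def find_credential_candidates(blob, window=5):
    """Return strings that look like embedded credentials, each with its reason."""
    hits = []
    strings = extract_strings(blob)

    # Check 1: KEY=VALUE lines whose key names a credential-like setting.
    for offset, text in strings:
        m = ASSIGNMENT.match(text)
        if m and CRED_KEY.search(m.group(1)):
            hits.append({"offset": offset, "text": text,
                         "reason": "assignment to credential-like key " + m.group(1)})

    # Check 2 (context check): tokens whose class mix is far above that of the
    # tokens around them, the way a password stands out inside a shell script.
    tokens = []
    for offset, text in strings:
        for tok in re.split(r"[\s=]+", text):
            if len(tok) >= 4:
                tokens.append((offset, tok, mix_score(tok)))
    for i, (offset, tok, score) in enumerate(tokens):
        around = tokens[max(0, i - window):i] + tokens[i + 1:i + 1 + window]
        baseline = statistics.median([s for _, _, s in around]) if around else 0.0
        classes = {_char_class(c) for c in tok}
        if len(tok) >= 8 and len(classes) >= 3 and score >= 0.5 and score > baseline + 0.25:
            hits.append({"offset": offset, "text": tok,
                         "reason": "mix score %.2f vs neighbours %.2f" % (score, baseline)})
    return hits


if __name__ == "__main__":
    for hit in find_credential_candidates(SAMPLE_FIRMWARE):
        print("0x%06x  %-40s %s" % (hit["offset"], hit["text"], hit["reason"]))
```

Run against the sample image, the first check reports the three `FTP_*` assignments and the second singles out the password value alone, because its class-switch rate (1.0) is far above the median of the surrounding tokens (about 0.25); the version string and copyright notice are left alone. On a real image the thresholds and the credential keyword list are the knobs to tune, and a hit is a starting point for manual review of the surrounding script, not proof of a live credential.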


Original news article at https://threatpost.com on June 11, 2013 at 10:45PM

Fetch for Android suggests new apps and games based on the ones you like

I do not like how apps are displayed on Google Play, for the same reason I do not like Chrome’s web store: there is no option to sort by date, which means that it is really difficult to find new apps and games in the store. While a top new apps or games listing is displayed, it consists only of a selection of games that have already been in store for some time.

That leaves apps that provide you with information about new and interesting games or applications for Android.

Fetch is one of those, basing its recommendations on the things that you like. You can either select a game or app that you like and get similar recommendations based on it, or use the search to find new apps or games based on that.

To find similar apps, tap on the fetch menu at the top and pick the similar option from the menu. All apps and games installed on the device are listed here, and all you need to do is pick one to get similar recommendations based on it.


A list of related apps or games is displayed after you make the selection. Each application is shown with its name, a screenshot, the number of downloads and the categories it has been sorted into.

A category filter is displayed for games that you can use to add or remove traits, which has a direct impact on the search results. This filter is currently only available for games, but the developers promise that it will be added to app searches as well in the near future.


You can click on install to be taken directly to Google Play from where the selected program can be installed to the device.

You can follow searches so that new additions are automatically displayed to you on the apps’ home screen. Here you find a selection of new apps and games that match your preferences.

The selection is not always made up of new games or apps, though; you also find established applications listed here.

To search, select the search icon at the top or tap on games or apps on the screen instead. The search uses keywords including names of apps, genres, or certain characteristics such as cartoony. You can combine these keywords, for instance to find tower defense war games, or wallpaper apps, or virtual pets.

Verdict

What I like most about Fetch is that you can customize the feed of new apps or games that are presented to you by it regularly. While you may miss out on some that do not match your preferences, you can be certain that you won’t miss any great new ones matching them that are released to store.

The post Fetch for Android suggests new apps and games based on the ones you like appeared first on gHacks Technology News | Latest Tech News, Software And Tutorials.


Original news article at https://www.ghacks.net on June 13, 2013 at 07:08PM

8Smoker Pro is a comprehensive Windows 8 tweaking software

Increasingly powerful computer systems and all-time low memory prices have made tweaking software programs obsolete for many users. If you are running 4, 8, 16 or even more Gigabytes of RAM, there is simply no need anymore to optimize the system to free up one hundred or two hundred Megabytes.

Tweaks may still be beneficial to the overall system, both performance and stability wise, especially if you want to get the most out of your system.

8Smoker Pro is a free tweaking software for Windows 8 that you can use to make lots of modifications to the system.

Note: The program includes adware offers, Delta toolbar for example, in the installer. If you do not want to install those, make sure you click on decline. You may receive multiple offers during installation.

The program displays system resources such as the free and available RAM on startup. Next to that are categories that it makes available, with tweaks being selected by default.


Widgets that belong to the selected category are displayed below. For tweaks, you find Internet Explorer, performance, Shell tweaks and a couple of others listed here.

Once you click on a tweak widget you are taken to a new window where you can browse the available tweaks and settings that you can modify.

Each widget uses all of the available window space, which is a lot, to display its tweaks and configuration options. This makes it rather difficult to orientate yourself quickly, as you need to move your eyes left and right to focus on all the options displayed.

From what I can tell, it includes many of the tweaks that you would come to expect from an application of its kind. You can disable balloon tips, disable various operating system features such as the recycle bin, or choose whether programs or background services should be prioritized by the system.

The number of tweaks is surprisingly small considering that the developer divided them into eight tool categories, all displayed in a large window. It would probably have been better to reduce the number of categories and the font settings to cut down on the space they take up.

This would have also resolved part of the orientation issues that you may have when using the program for the first time.

You can access several maintenance related tools or system tools from within the program. This includes a startup and services manager under tweaks, and a variety of tools found when you click on the maintenance icon at the top of the screen.

Here you find direct links to Windows system tools and tools integrated by the author of the application.

One interesting feature that you find here in the “Toolbox” is the option to display the applications folder. It contains shortcuts to all apps that you have installed on the system so that you can run them directly from here, or move them to another location to run them directly from the desktop.

It appears that the security category offers more tweaks than the tweaks category, which is somewhat puzzling. Here you can make many changes to the system, mostly to remove or disable programs and options for its users.

You can launch the help file with a click on the question mark in the program interface. It offers descriptions for all tweaks and settings the program makes available so that you can look them up here in case you need to find out more about a change before you make it on your system.

The program offers to create a system restore point on start up, and also whenever you modify certain settings in the application, such as removing startup programs. You can create manual restore points at any time with a click on Maintenance > System Restore > Create System Restore Point in the program interface.

Verdict

If you are looking for a tweaking program for Windows 8, then you may want to check this one out. It offers many features and options to you and while the way they are displayed is not ideal, it is nothing that should keep you from taking the application for a test ride.

The post 8Smoker Pro is a comprehensive Windows 8 tweaking software appeared first on gHacks Technology News | Latest Tech News, Software And Tutorials.


Original news article at https://www.ghacks.net on June 12, 2013 at 07:22PM

WiFi Hacking software AirCrack-NG updated after 3 years

The best WiFi hacking suite, Aircrack-ng, has been updated to 1.2 Beta 1, three years after its last release. Aircrack-ng is a set of tools for auditing wireless networks.


The new version adds a few new tools and scripts (including a distributed cracking tool). Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been


Original news article at https://thehackernews.com/ on June 04, 2013 at 12:47AM

Malicious Mobile Charger can Hack your iPhone within a minute

You might want to be a little more careful the next time you pick up a cheap knock-off accessory for your device to save a few bucks because new hardware hacks could be the next big thing among cyber criminals.


Researchers say they’ve built a custom iPhone wall charger that can install malware on any iOS device, a custom-made malicious charger called Mactans, which


Original news article at https://thehackernews.com/ on June 03, 2013 at 11:53PM