Date: Tue, 10 Aug 2010 12:43:21 +0000
From: halfdog <me@...fdog.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Reliable reports on attacks on medical software
	and IT-systems available?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am searching for reliable reports on attacks on medical software and
infrastructure ___aiming to harm or kill patients___. There are quite a few
reports on data theft combined with blackmailing or data disclosure, but hardly
any information on whether there have already been attacks that tried to harm or
have really harmed patients. Cases of interest are (just examples):

* Data manipulation: Change of medication, changing of radiotherapy data to
administer lethal doses, swapping of patient records to perform unnecessary
operations
* IT-System DOS: Patients harmed because therapy could not be determined or
administered due to system downtime/data loss, harm because best therapy could
not be used, inferior one caused harm
* Medical device manipulation: Diabetes pen firmware manipulation at vendor site
to report wrong values/use wrong dosage, manipulation of laboratory analytic
devices to mislead medical personnel

It is not necessary that the attack was caused primarily by a software flaw that
was exploited. It would be sufficient that, e.g., weak passwords were guessed,
fired or unhappy personnel used their account data, or hospital visitors watched
personnel using equipment and then used it themselves afterwards. The key factor
is that the action to cause harm was performed with intent.

Reliable sources for reports on such attacks would be:
* Articles in medium to high quality media (newspaper, online magazines, ..)
* References to court cases
* Warning messages from national bodies (e.g. FDA and the like) to mitigate the
effects or requesting people to participate in clarification of facts
* Scientific papers analyzing the attack (similar to papers on the software
failure in the Therac system)
* Word from (named) persons who were engaged in fighting such attacks,
(computer) forensics afterwards, crime investigation or court operation

Example of a report: http://www.wired.com/politics/security/news/2008/03/epilepsy
It is suspected that this might have been the first targeted attack to harm
patients (in a forum, a poster claimed that this was no attack on the patients
but just blinking advertisements embedded via an XSS hole).

- --
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD4DBQFMYS4rxFmThv7tq+4RAg1WAJj91WJ3qCKdv0W32lHFJRucSdWhAJ9PC/V3
uXujEijCBf1T7ntDSm13Gg==
=sqmX
-----END PGP SIGNATURE-----
