Open Source and information security mailing list archives
Date: Wed, 11 Aug 2010 10:26:09 +0000
From: halfdog <me@...fdog.net>
To: Paul Schmehl <pschmehl_lists@...rr.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Reliable reports on attacks on medical
 software and IT-systems available?

Paul Schmehl wrote:
> --On Tuesday, August 10, 2010 21:03:35 +0000 halfdog <me@...fdog.net> wrote:
>> * All hackers keep some sense of ethics, so that they feel it is OK to attack
>> "technical" targets but find it unacceptable to attack the health of innocent
>> people (if this is the main cause, terrorists might cause a significant change
>> in the risk assessment of medical software and services)
>>
> 
> Not a chance.  How would they even know they were medical devices until *after*
> they have successfully attacked them?

I guess most hackers will know which infrastructure they are connected to (if
you are sitting in front of a hospital and get a connection to the WLAN with
SSID "[name of hospital]-AMB", you might have a good guess where you are). And
as soon as they start looking around (e.g. sniffing SMB broadcasts), it would
take only some reasoning to find out what the machines are for. The hospital
data theft/blackmailers seem to have known where to look for data too.

>> * There are reports, but I do not know about them (so I'm asking around)
>>
> 
> Most likely answer.  I know about some, but I'm not telling you.  Or anyone else
> for that matter.  :-)

So you are telling me that problems with hospital IT/medical systems are not
reported and published? From my understanding, the medical devices directive
would force producers to report incidents, and these reports _have_ to be
published. I also think that laboratory/clinic information systems do not fall
into that category, so reporting might be optional.

Anyway, these reports would be useful to perform sensible risk assessment when
producing new software and would allow fixing of "community-known-bugs" before
someone turns them against infrastructure or people.
 
>> * Medical personnel in hospitals with a high grade of IT-system usage are so
>> trained and skilled that they detect manipulation and no harm is done
>>
> 
> Laughable.  Medical personnel wouldn't have a clue about whether their systems
> have been hacked.  Their IT staff *might*.

Sorry, I was unclear: of course, they cannot detect the hackers, but they might
see the results and act, e.g. the normal dosage of a medication is 10mg and the
computer requests giving 1000mg (100 pills), or the computer says "perform
amputation of left leg" but the leg seems healthy, while the other one has a
severe circulatory disorder.

-- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/