Date: Wed, 25 Aug 2010 12:23:37 -0400
From: Shawn Merdinger <shawnmer@...il.com>
To: halfdog <me@...fdog.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Reliable reports on attacks on medical
 software and IT-systems available?

Hi Halfdog,

While I have not come across any specific documentation of willful
attacks, security (and software quality) issues abound in the medical
device space.  You might try researching some of the databases at the
FDA [1].  In particular, a good place to start is the FDA MAUDE
database (Manufacturer and User Facility Device Experience) [2].

A few search tips for MAUDE:

1.  Choose the "Event Type" to focus in on injuries (death, injury, etc.)
2.  Set a wide date range
3.  Do a number of different searches using the various selections
under "Product Problem" -- you can only choose one at a time.  The
values vary, but there's "Computer failure," "Computer hardware
error," "Computer operating system issue," "Computer system security
issue," "Fail-safe design failure," "Failure to back-up," etc.

For more focused databases, such as radiation-related, there's the
"Medical & Radiation Emitting Device Recalls."  Search tips for this
DB include putting very general terms into the "Reason for recall"
field, like "computer" to start.

An example of what you'll find in these databases:

http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/detail.cfm?mdrfoi__id=1447254

"...the system locked up with a message stating there was insufficient
disk space to run windows. The system took several reboots to make it
operational. The pt was experiencing a cardiac infarct during the
failure."

Overall, I see a lack of rigorous guidelines for the data entry.  That
is, the problem descriptions are often vague, and in a narrative.  Nor
is there any severity rating or ranking, etc.  We've a long way to go
in structuring the reporting.  We've likely even further to go
regarding issue follow-up.

[1]  http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/Databases/default.htm
[2]  http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/search.CFM
[3]  http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfRES/res.cfm

Cheers,
--scm


On Tue, Aug 10, 2010 at 5:03 PM, halfdog <me@...fdog.net> wrote:
> I have no knowledge of ongoing or planned attacks. I was just searching for
> historic reports of any age.
