lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 10 Aug 2010 21:03:35 +0000
From: halfdog <me@...fdog.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Reliable reports on attacks on medical
 software and IT-systems available?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just to clarify some points from off-list messages:

I have no knowledge of ongoing or planned attacks. I was just searching for
historic reports of any age. I wonder why powerplants, telephone systems,
corporate IT systems are frequently affected by attacks, some just made for fun
of causing damage, but there are nearly no reports on attacks on medical systems
to cause damage, although these systems are quite widespread also. Possible
answers might be (sorted by probability):

* My guessing about the size of the attack surface of medical software is wrong.
Is there any data available (statistical analysis, estimations), how big the
attack surface of medical systems is compared to the surface of e.g. the
power-grid system?

* All hackers keep some sense of ethics, so that they feel it is OK to attack
"technical" targets but find it inacceptable to attack the health of innocent
people (if this is the main cause, terrorists might cause significant change in
risk assessment of medical software and services)

* There are reports, but I do not know about them (so I'm asking around)

* Medical personal in hospitals with high grade of IT-system usage are so
trained and skilled, so that they detect manipulation and no harm is done

* Medical institutions do not talk about such incidents (here for example, they
are closed systems, it took until now, that the government tries to keep records
of accidents and prevented accidents)

* Medical IT is so safe, that manipulation is not easy (Although data theft and
mass virus intrusions seem to occur from time to time. And from what I have seen
in clinics, it seems that the software is not always highly stable, which could
indicate programming weaknesses.)

* Government tries to suppress reports to avoid panic reaction (for many
patients health and logic does not go together) or to inhibit terrorism in that
area.


Searching for myself, I found some information about one incident, which I might
have heard of in the past:
http://cyb3rcrim3.blogspot.com/2009/01/attempted-computer-murder.html When I
heard the story back than it was about completed murder after administration of
chemotherapeutics, where hackers altered the dosage just for fun. So it seems
that this story back then was not reliable at all.

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFMYaM9xFmThv7tq+4RAtCtAKCLt0lagrhYQZS/BNCdvYHHnkca1gCfZKpW
gkwqTHhxDoZs6f+nWlXEKSI=
=k5RG
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ