Message-ID: <EC8AD993E0BC1966903F1454@utd65257.utdallas.edu>
Date: Thu, 12 Aug 2010 12:48:50 -0500
From: Paul Schmehl <pschmehl_lists@...rr.com>
To: Caspian@...dom-interrupt.org, full-disclosure@...ts.grok.org.uk
Subject: Re: Reliable reports on attacks on medical software and IT-systems available?

--On Wednesday, August 11, 2010 22:48:11 -0400 Caspian@...dom-interrupt.org 
wrote:
>
> Some hospitals have a well guarded network. Some Medical IT systems are
> secure. Some are not. The Threat Environment for medical institutions is
> similar to any other large company, except there's the added risk of
> medical records and data being exposed- which might be handy for all
> sorts of things (think insurance fraud, blackmail, etc). The truth is,
> it doesn't make much of a difference- the attack surface is also pretty
> similar to any other large institution; so much of it depends on
> internal policy and politics, as well as the technical stuff.
>

Bingo!  You hit the nail on the head.  The only difference between medical 
networks and any other network is the type of data at risk.  The attacks and 
attack methodologies are the same, the success rate is the same, the quality of 
the risk aversion is the same.  There's nothing special about medical networks 
from an attack standpoint.

>
> Most Radiology personnel would catch on to this pretty quickly- assuming
> it was meant to be a lethal attack. Pretty much any operator who has to
> train to the level these people do should be able to spot a lethal
> attack in progress, since the attack would cause the machine to behave
> erratically. You need the equivalent of an associate's degree to be an
> x-ray tech where I am, at least, and I think it's the same for most of
> North America and Europe. Hospitals often have their own specialists who
> tend to train like pilots- a certain number of hours with a specific
> machine, and then retraining when it gets updated. IT staff are
> sometimes part of that group.
>

As with anything, this is only as true as the number of people who are 
conscientious and the subtlety of the attack.  I never meant to say that 
medical personnel aren't highly trained or capable.  All I'm saying is that 
humans are humans.  If you don't specialize in IT, you're less likely to be 
aware of the risks and possible attack methodologies, but you're more likely to 
detect attacks that affect things you specialize in and are aware of. 
Conversely, an IT person might not recognize a faulty setting on a machine that 
a medical person would immediately recognize as wrong.

We can't all be radiologists any more than we can all be computer specialists.

> This level of training may not, however, be the case for something like
> a network-enabled IV (don't laugh! they exist)- since the telemetry that
> the IV is sending to the nurse's station could be falsified, and you
> don't really need specialized staff for this type of system. The same
> goes for things like heart rate monitors, etc... This is why we have
> local audits, external audits and Audit repositories, along with node
> and program authentication as a base requirement for the IT and data
> interchange standards that I'm aware of that certify these devices.
> Obviously, audit trails are post-facto, but proper monitoring should be
> able to detect an attack in progress.
>

The vast majority of attacks are going to be "throw it up against the wall and 
see if some sticks" type of attacks.  Who knows what impact they might have on 
a heart monitor or a networked IV?  And since most expensive equipment that 
requires a separate PC controller will be running Windows, older OSes, 
unpatched and without AV, the chances of a "throw it up" attack being 
successful are relatively high unless you've mitigated the risk in some way.

The annual Verizon Data Breach Investigations Report is a good place to start.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
