Thursday 19 May 2016

1,400+ vulnerabilities found in automated medical supply system

Security researchers have discovered 1,418 vulnerabilities in CareFusion’s Pyxis SupplyStation system – automated cabinets used to dispense medical supplies – that are still being used in the healthcare and public health sectors around the world.

The vulnerabilities can be exploited remotely by attackers with low skills, and exploits that target these vulnerabilities are publicly available, ICS-CERT has warned in an advisory.
The worst part of it is that the affected versions of the software are at end-of-life, and won’t be receiving a patch even though they are widely used.

What is the Pyxis SupplyStation system?

Developed by CareFusion, which was recently acquired by Becton, Dickinson and Company (BD), the Pyxis SupplyStation system dispenses medical supplies and documents usage in real-time.
“The Pyxis SupplyStation systems include automated devices that may be deployed using a variety of functional configurations. [They] have an architecture that typically includes a network of units, or workstations, located in various patient care areas throughout a facility and managed by the Pyxis SupplyCenter server, which links to the facility’s existing information systems,” ICS-CERT explained.
“Exploitation of these vulnerabilities may allow a remote attacker to compromise the Pyxis SupplyStation system. The SupplyStation system is designed to maintain critical functionality and provide access to supplies in ‘fail-safe mode’ in the event that the cabinet is rendered inoperable. Manual keys can be used to access the cabinet if it is rendered inoperable.”

Which versions are vulnerable?

Pyxis SupplyStation system software versions 8.0, 8.1.3, 9.0, 9.1, 9.2 and 9.3 running on Windows Server 2003/XP are affected. Versions 9.3, 9.4 and 10.0 running on Server 2008/Server 2012/Windows 7 are not affected.

The discovery

Independent researchers Billy Rios and Mike Ahmadi obtained a Pyxis SupplyStation through a third party that resells decommissioned systems from healthcare organizations, and used an automated software analysis tool to ferret out the vulnerabilities.
The flaws are present in seven different third-party vendor software packages bundled in the vulnerable system, including MS Windows XP, Symantec Antivirus 9, and Symantec pcAnywhere 10.5.
Of the vulnerabilities found, 715 are critical or high-severity.

What’s to be done about it?

CareFusion has been involved in the research, and has confirmed the existence of these flaws. Still, no updates will be offered for these end-of-life systems.
Instead, the company has started contacting customers that bought the automated supply cabinets, advising them to upgrade to newer versions and explaining how to do it.
But, aware that upgrading is not always possible, the company has also issued recommendations on how to minimize the risk of those systems being compromised: monitoring network traffic that attempts to reach the affected products for suspicious activity, isolating them from the business network, untrusted systems and the Internet, and updating the third-party software packages included in the system software where possible.
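The monitoring and isolation advice above can be turned into a concrete check over firewall logs. The following is an added example, not code from ICS-CERT or CareFusion; it assumes a constructed cabinet subnet (10.50.0.0/24), constructed addresses for the Pyxis SupplyCenter server and one admin jump host, and a constructed key=value log format. TCP 5631 / UDP 5632 are the standard pcAnywhere ports.

```python
"""Flag traffic that crosses the isolation boundary around end-of-life Pyxis
SupplyStation cabinets: anything reaching them from outside the allow-list,
and anything leaving the cabinet segment for a non-internal address.

Added example; all addresses and log lines are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

CABINET_NET = ipaddress.ip_network("10.50.0.0/24")             # constructed
INTERNAL_NETS = [ipaddress.ip_network(n) for n in              # constructed
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_PEERS = {                                              # constructed
    ipaddress.ip_address("10.10.1.5"): "Pyxis SupplyCenter server",
    ipaddress.ip_address("10.10.9.20"): "admin jump host",
}
# Services the affected bundle exposes; remote access to them from any host
# not on the allow-list is the "suspicious activity" worth an alert.
WATCHED_PORTS = {5631: "pcAnywhere data (TCP 5631)",
                 5632: "pcAnywhere status (UDP 5632)",
                 445: "SMB", 3389: "RDP"}

LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)")


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    reason: str


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line violates the cabinet isolation policy."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    to_cabinet, from_cabinet = dst in CABINET_NET, src in CABINET_NET
    if to_cabinet == from_cabinet:
        return None          # either unrelated traffic or cabinet-to-cabinet
    peer = src if to_cabinet else dst
    if peer in ALLOWED_PEERS:
        return None          # SupplyCenter / jump host: expected
    if not is_internal(peer):
        reason = "cabinet segment exchanging traffic with a non-internal address"
    elif to_cabinet and dport in WATCHED_PORTS:
        reason = f"unlisted host reaching {WATCHED_PORTS[dport]} on a cabinet"
    else:
        reason = "traffic crossing the cabinet isolation boundary from an unlisted host"
    return Finding(str(src), str(dst), dport, reason)


def scan(lines) -> List[Finding]:
    return [f for f in map(check_line, lines) if f is not None]


SAMPLE_LOG = [  # constructed firewall log lines
    "src=10.10.1.5 dst=10.50.0.12 proto=tcp dport=1433",   # SupplyCenter: expected
    "src=10.20.3.44 dst=10.50.0.12 proto=tcp dport=5631",  # business LAN -> pcAnywhere
    "src=10.50.0.12 dst=203.0.113.9 proto=tcp dport=80",   # cabinet -> outside
    "src=10.50.0.12 dst=10.50.0.13 proto=udp dport=5632",  # intra-segment
    "src=10.10.9.20 dst=10.50.0.12 proto=tcp dport=3389",  # jump host: expected
    "src=10.20.3.44 dst=10.50.0.12 proto=tcp dport=8080",  # business LAN, other port
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

The second, third and sixth sample lines produce findings; the SupplyCenter, jump-host and intra-segment lines are expected traffic and pass.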

Healthcare and security

It’s true that cyber attackers are mostly after healthcare data, as it usually contains the perfect bundle of individuals’ personal information, credit information, and protected health information.
It’s also true that healthcare organizations need a healthy dose of investment in technologies in order to prevent successful attacks.
It’s understandable that healthcare organizations are currently more concentrated on fending off ransomware, as that will impact their functioning at all levels.
But with more and more researchers concentrating on finding vulnerabilities in medical devices and systems (systems found exposed online, sporting hard-coded passwords, etc.), it’s becoming obvious that cyber attacks can – and inevitably some day will – result in physical harm.
The healthcare industry – from manufacturers to practitioners – must start considering system and data security important.

The dangers of bad cyber threat intelligence programs

I love a surprise ending in a movie. Whether I’m watching drama, action, or sci-fi, there’s nothing better than a plot twist you can’t predict.
At work, however, I feel the exact opposite. Movies are one thing, but surprise endings in the real world are rarely as welcome or harmless. Much has been written about cyber threat intelligence (CTI), including proposed standards on how to share the information (e.g., TAXII and STIX), what the information should look like, what role governments and private industries play as key stakeholders of information, how actionable the intelligence should be, in what formats it should be published, etc. In the U.S., the Federal Financial Institutions Examination Council (FFIEC) is asking member financial institutions to seriously consider adding CTI as one of the key attributes of their overall risk management strategies.
While I largely agree with the need for academic solutions, in many cases these programs introduce more questions and unknowns into an organization’s security environment. To date, there hasn’t been enough discussion about the key success criteria of a CTI program or enough documentation about its potential risks.
I’ll attempt to remedy that below by outlining four key areas where a CTI program can actually harm your organization by exposing vulnerabilities, a surprise ending neither welcome nor easily remedied.

CTI vulnerability 1: Failure to establish bona fides

Many of my security brethren believe deeply in sharing all information available, but they don’t seem to understand the potential threat of doing so. We don’t need to look far for a powerful analogy: The lessons honed over the centuries by key nation-state intelligence-gathering apparats. These programs work in an effective manner because they establish how worthy the information is. Nation-states have learned, often the hard way, to understand the worthiness of the intelligence they’ve gathered and to tag the data based on its source and methods used in collecting it.
In fact, the military definition of bona fides is:
1. The lack of fraud or deceit: a determination that a person is who he/she says he/she is.
2. In personnel recovery, the use of verbal or visual communication by individuals who are unknown to one another, to establish their authenticity, sincerity, honesty, and truthfulness.
The military and intelligence community have relied on bona fides because simply trusting information because we want to believe it is fraught with potential failures. As a result, most security organizations have a process to evaluate the bona fides of the information they collect to protect themselves from low-quality or purposely false information. This system requires trust and has produced much of the classified information in government today.
We also hear a lot about a Pollyanna, almost innocent cry for the sharing of data, as if open sharing of information will enable us to reach a higher state of awareness and a higher level of security. History begs to differ.
Free information sharing services would likely be the least reliable. Meanwhile, organizations that could afford to pay for high-quality, highly vetted, and actionable intelligence would obtain the best level of CTI in the industry.

CTI vulnerability 2: Ethno-centric information and not enough data points

There are, of course, other fallacies of a highly functioning CTI program:
  • Government-provided data is trustworthy.
  • Government-provided data is good enough and covers enough.
  • There is no risk to government-sourced data.
Data derived by one nation-state is skewed to that nation-state and is qualified for the threat to the resident nation-state. As a result, the information may serve some companies well, but not all. Why?
The closer a company works with one nation-state, the less likely others will follow, as they don’t want to risk losing their own data to another nation-state through that company. For example, if a company works closely with the U.S., it stands to reason that intel from China and Russia will be hard to come by. But even countries like Switzerland, Canada, Germany, and France have publicly stated reservations on information-sharing with the U.S.
Data from a nation-state comes with numerous restrictions and is mired in laws and legal quagmires governing how information is gathered and released. As a result, the data may be non-actionable, may have been altered in some way to benefit the nation-state, or may not be available at all. In any of these scenarios, threats to the company come from relying either too heavily or too centrally on government-driven data.

CTI vulnerability 3: Failure to establish “backout” criteria

Imagine a bad guy acting as a good guy shares hot information with a security community, and advocates certain actions, such as the onboarding of certain signatures, changes in configurations, automating a certain defense, etc. If executed successfully, companies would be implementing security protocols and initiatives that, instead of protecting themselves against the supposed threats, play right into the hands of the bad guy. These perpetrators now have a wonderful new way to quickly open up an industry or set of companies.

CTI vulnerability 4: The system is too automated (or too manual)

A proper CTI program needs a key decider to determine whether the information is relevant for your organization, not for an industry or particular technology. This is a necessary step in the process that’s often overlooked when the industry discusses fast implementations. Either the system is automated and brushes past the issue, or conversely, builds complicated change-management profiles to implement changes, negating the whole point of actionable and fast-moving CTI.
In the end, the information security function has taken on more roles and responsibilities, including intelligence gathering and risk weighting. These new functions act more like modern-day war-fighting functions, and we’d all do well to learn the deep historic lessons of nation-state intelligence organizations before standing up well-heeled intelligence functions or CTI ourselves.
Modern-day CTI must evolve to include the following key attributes, starting with a process to understand what information needs to be harvested, such as:
  • Operational
  • Technical – Tools, techniques, types.
  • Source / Attacker Profile
  • Destination / Victim Profile
  • Trajectory Data – In transit
  • Motivation.
As you can tell from the list above, today’s way of looking at the data sharing conundrum is flawed and needs to evolve. You must evolve too! That way, you can better avoid a surprise ending.
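The four vulnerabilities above (bona fides, skewed sources, backout criteria, and the missing "key decider") can be made concrete in a small vetting step that sits between a shared indicator and any change to a control. This is an added example illustrating the article's argument, not a standard or anyone's product; the source names, reliability scores, thresholds, and product inventory are constructed assumptions.

```python
"""Vet a shared CTI item before acting on it: record who said it and how it
was collected (bona fides), decide whether it matters to *this* organization
(the key decider), and attach backout criteria so the change can be reversed
if the intelligence turns out to be bad or planted.

Added example; sources, scores and inventory are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

# Source reliability, in the spirit of tagging data by source and method.
SOURCE_RELIABILITY = {                       # constructed values
    "paid-vetted-feed": 0.9,
    "government-isac": 0.7,   # useful, but skewed toward that state's concerns
    "open-sharing-list": 0.3, # unvetted: the "free" tier is the least reliable
    "unknown": 0.0,
}

# Constructed inventory of what this organization actually runs.
OUR_PRODUCTS: Set[str] = {"Windows Server 2012", "Cisco ASA", "Exchange 2013"}
ACT_THRESHOLD = 0.6   # below this confidence: alert only, never change a control


@dataclass
class Indicator:
    value: str
    kind: str                 # "ip", "domain", "hash", ...
    source: str
    method: str               # how it was collected: "sandbox", "honeypot", "hearsay"
    affected_products: Set[str]  # products the source says are targeted
    proposed_action: str      # e.g. "block", "config-change"


@dataclass
class Decision:
    act: bool
    reason: str
    action: str = "none"
    confidence: float = 0.0
    backout_after: Optional[datetime] = None
    backout_if: List[str] = field(default_factory=list)


def vet(ind: Indicator, corroborating_sources: int = 0,
        now: Optional[datetime] = None) -> Decision:
    now = now or datetime.now(timezone.utc)
    reliability = SOURCE_RELIABILITY.get(ind.source, 0.0)
    if ind.method == "hearsay":
        reliability *= 0.5   # no verifiable collection method: discount it
    # Each independent corroborating source raises confidence, capped at 1.
    confidence = min(1.0, reliability + 0.15 * corroborating_sources)

    # The key decider: is this relevant to us, not just to the industry?
    if ind.affected_products and not (ind.affected_products & OUR_PRODUCTS):
        return Decision(False, "not relevant: we run none of the affected products",
                        confidence=confidence)

    if confidence < ACT_THRESHOLD:
        # Too thin to change a control; watch, and drop the watch automatically.
        return Decision(True, f"low confidence {confidence:.2f}: alert only",
                        action="alert", confidence=confidence,
                        backout_after=now + timedelta(days=7))

    # Strong enough to act, but never without a documented way back.
    return Decision(
        True, f"confidence {confidence:.2f}: applying {ind.proposed_action}",
        action=ind.proposed_action, confidence=confidence,
        backout_after=now + timedelta(days=30),
        backout_if=["indicator withdrawn by source",
                    "blocks legitimate business traffic",
                    "no sighting within backout window"],
    )


if __name__ == "__main__":
    tip = Indicator("198.51.100.7", "ip", "open-sharing-list", "hearsay",
                    {"Windows Server 2012"}, "block")      # constructed
    print(vet(tip))
```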

SIM Swap fraud is gaining momentum

SIM Swap fraud or SIM Splitting, a financially-motivated mobile phone threat, is gaining momentum according to Foursys.
Remote banking losses increased significantly last year, according to the latest FFA UK (Financial Fraud Action UK) report. “Total remote banking losses increased by 72 per cent to £168.6 million in 2015. A key driver of this increase was the rise in impersonation and deception scams in which a criminal dupes the victim into giving away their personal and security details. The criminal then uses these details to gain access to their victim’s remote banking account.”

SIM Swap fraud explained

SIM Swap is the process of replacing your mobile’s existing SIM card with a new one. SIM swapping is often useful, letting you keep your existing mobile number when you change to a handset requiring a different SIM card type. However, financially-motivated criminals have found a loophole in this process.
Armed with a mobile phone and a blank SIM card, attackers pretend to be the victim when they contact the victim’s telecommunication provider, saying the mobile has been stolen. The plan is to get the operator to cancel the existing SIM card in the victim’s phone and activate the new SIM in the criminal’s phone.
“Before SIM swaps are authorised, many mobile providers verify the identity of the caller using security questions, a process that’s certainly not foolproof,” said James Miller, Managing Director at Foursys. “Some answers may have unwittingly been shared online by target victims, let alone by someone in their social networks. How many people name their pet, favourite restaurant or primary school on social media sites? Scouring social media profiles can prove very useful indeed to a criminal wanting to conduct fraud.”
The window of opportunity starts to close as soon as the SIM Swap victim notices that his/her mobile is no longer working and raises the alarm.
Once texts and calls are rerouted to the fraudster’s handset, the criminals work quickly to reset passwords, locking the victim out of his/her accounts, before authorising bank transactions or securing loans in the victim’s name.
Recent SIM Swap victims include Nottingham-based Chris Sims, whose bank account was emptied of its £1,200. The criminals also applied for an £8,000 loan in his name, reported The Guardian.
“Security questions based on supposedly secret information are far too easy for criminals to defeat, given the huge amounts of data about ourselves available online”, said John Hawes, Chief of Operations at Virus Bulletin. “Any system which still uses this out-dated mechanism really needs to rethink its approach. In the interim, Foursys’s recommendation to fabricate falsehoods for the security questions is a smart one.”

SIM Swap fraud: Preventative tips

  • Contact your mobile operator immediately if you stop receiving calls or texts unexpectedly. Don’t assume it is a technical fault that will resolve itself.
  • Ensure passwords are long, complex and known only to you. Consider using a reputable password manager if you think you might forget them.
  • Consider using made-up answers to the security questions to ensure your publicly available information cannot be used to identify you and store these securely.
  • Use up-to-date security software on your computer and systems to block email phishing scams.
  • Carefully dispose of phone bills and other paperwork detailing sensitive information, for example by shredding or incinerating them.
  • Remove apps that you do not use from your devices. If you don’t use your bank’s mobile app, remove it from your phone.

Hacking Team hacker explains how he did it

Some nine months ago, a hacker who calls himself Phineas Fisher managed to breach the systems and networks of Hacking Team, the (in)famous Italian company that provides offensive intrusion and surveillance software to governments, intelligence and law enforcement agencies around the world.
He took off with the company’s internal emails, files and source code, and leaked it all online.
This weekend, he decided to explain how he managed to carry out this attack.
In a Pastebin post, he shared that he exploited a zero-day vulnerability in an embedded device deployed inside the company’s network in order to gain a foothold in the network. (He declined to give more details about the vulnerabilities, as they are still not patched.)
“I did a lot of work and testing before using the exploit against Hacking Team. I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device,” he said, and explained that “the backdoor serves to protect the exploit. Using the exploit just once and then returning through the backdoor makes it harder to identify and patch the vulnerabilities.”
He enumerated the tools he used to sniff the traffic within the network, as well as to scan it, and he found:
  • Several MongoDB databases that didn’t require authentication in order to access them
  • Backups that shouldn’t have been on that network
  • A BES admin password in the backups, which allowed him to unearth other employees’ passwords and the Domain Admin one
  • The Domain Admin password allowed him to access the company’s email server
  • Finally, he managed to get access to the stored source code of the company’s surveillance software. He got that by using the “forgot my password” function for the Git server.
All in all, he says that it took him 100 hours of work to do all this and to exfiltrate the crucial data.
This account of the attack also contains other information about hacking techniques and tools, and about ways hackers keep their identity hidden from the authorities, but it also reveals more about Phineas Fisher’s motives.
He obviously hoped that the breach and subsequent leak would result in Hacking Team going out of business.
“Hacking Team was a company that helped governments hack and spy on journalists, activists, political opposition, and other threats to their power. And, occasionally, on actual criminals and terrorists,” he noted. “They also claimed to have technology to solve the ‘problem’ posed by Tor and the darknet. But seeing as I’m still free, I have my doubts about its effectiveness.”
“Unfortunately, our world is backwards. You get rich by doing bad things and go to jail for doing good,” he says.
“That’s the beauty and asymmetry of hacking: with 100 hours of work, one person can undo years of work by a multi-million dollar company. Hacking gives the underdog a chance to fight and win,” he concluded.
Before successfully breaching Hacking Team, Phineas Fisher compromised UK-based Gamma International, another provider that sells spying software to governments.
Hacking Team might not have been ruined by the breach, but it recently got its global export license revoked by the Italian Ministry of Economical Progress.

Facebook vulnerability allowed access to personal and payment information

Bitdefender has discovered a significant vulnerability within Facebook which allowed access to any user account through simple social login manipulation. The attacker was able to gain access to personal user information, a contacts list for potential malware distribution and payment information – allowing purchases to be made in the user’s name.

Attack vector

The attack vector in this case, social logins, is an alternative to traditional authentication. This form of access offers users a convenient way to sign in to their web accounts without entering their username and password, with a majority of websites offering social login through Facebook, LinkedIn, Twitter or Google+. Bitdefender researchers identified a method to steal a user’s identity and access their account using Facebook’s Login plugin.
Ionut Cernica, Vulnerability Researcher at Bitdefender and the researcher behind the discovery of the flaw, states, “This is a serious vulnerability – it allows attackers to log in on most websites that feature Facebook Login. This means an attacker can make payments on the user’s behalf on an e-commerce site, for instance.”

Details of the discovery

The Bitdefender researcher successfully bypassed the confirmation step typically required when registering a new Facebook email address. He created a Facebook account utilising the user’s email address, and during the registration process, swapped the email address for one under his control.
For the attack to succeed, the email address of the user must not be registered on Facebook. As most internet users have more than one e-mail address published online, this information presented little challenge for the attacker to identify and leverage in order to gain access to a user’s Facebook account.
To verify the identity of a user without exposing their credentials, Login with Facebook uses the OAuth protocol, through which Facebook is authorised to share some user information with third-party websites. When the Bitdefender researcher attempted to sign in via the “Facebook Login” button on a separate site, he was asked to confirm his own email address, and not that of the user. Under ‘account settings’ in Facebook, the user’s address was the primary contact, even though the researcher had only confirmed his personal account.
Ionut Cernica adds, “I used Facebook Login again and decided to switch the primary contact from the user’s address to mine, then switch them again to change the user account to the primary. This is an important step in reproducing the issue.”
Facebook fixed the vulnerability after notification from the Bitdefender security team.

Facebook made to serve phishing forms to users

Netcraft researchers have recently spotted an extremely convincing Facebook phishing attack.
The fraudsters made it look like the fake “Facebook Page Verification” form they asked the victims to fill in and submit is legitimate, as the page serving it is on a Facebook subdomain and uses HTTPS:


The attack will work whether the user is already logged in or not, and all the links on the page work as they should. This is because, apart from the bogus form, the rest of the page is legitimate.
The phishers have registered Facebook apps, and have managed to load the form inside them via iframes. The form is hosted on the crooks’ own servers, which also use HTTPS, so no warnings about insecure connections will pop up.
Another trick up the fraudsters’ sleeve is that they made the form return an “incorrect credentials” notification the first time the user submits them (whether they are correct or not). This trick is used to convince the most suspicious users, who might have entered incorrect credentials on purpose, that the form works as it should and is legitimate.
On the second try, the form accepts the inserted credentials, sends them to the attackers’ servers quietly in the background, and shows the victim a response saying they will be contacted by the “Facebook Verification Team” within 24 hours.
“But of course, this email will never arrive,” says Netcraft’s Paul Mutton.
“By this point, the fraudster already has the victim’s credentials and is just using this tactic to buy himself some time. He can either use the stolen Facebook credentials himself, or sell them to others who might monetize them by posting spam or trying to trick victims’ friends into helping them out of trouble by transferring money. If more victims are required, then the compromised accounts could also be used to propagate the attack to thousands of other Facebook users.”
Potential victims are likely directed to the fraudulent form via bogus emails or messages supposedly sent by Facebook.

Cybercrime economy: The business of hacking

The profile of typical cyber attackers – and the interconnected nature of their underground economy – have evolved in the last several years. Adversaries are increasingly leveraging management principles in the creation and expansion of their operations to ultimately increase their impact and financial profits. Enterprises can use this inside knowledge against the attackers to disrupt the organizational structure and mitigate their risks, according to HP Enterprise.

The attackers’ value chain

Today’s adversaries often create a formalized operating model and ‘value chain’ that is very similar to legitimate businesses in structure, and delivers greater ROI for the cybercriminal organization throughout the attack lifecycle. If enterprise-level security leaders, regulators and law enforcement are to disrupt the attackers’ organization, they must first understand every step in the value chain of this cybercrime economy.
Critical elements to the attackers’ value chain models typically include:
  • Human resources management – Includes recruiting, vetting and paying the supporting ‘staff’ needed to deliver on specific attack requirements; the skills-based training and education of attackers also falls within this category.
  • Operations – The ‘management team’ that ensures the smooth flow of information and funds throughout the attack lifecycle; this group will actively seek to reduce costs and maximize ROI at every step.
  • Technical development – The front-line ‘workers’ providing the technical expertise required to perform any given attack, including research, vulnerability exploitation, automation, and more.
  • Marketing and sales – These teams ensure that the attack group’s reputation in the underground marketplace is strong and the illicit products are both known and trusted among the target audience of potential buyers.
  • Outbound logistics – This encompasses both the people and systems responsible for delivering purchased goods to a buyer, be it large batches of stolen credit card data, medical records, intellectual property or otherwise.
“Cybercriminals are highly professional, have robust funding, and are working together to launch concentrated attacks,” said Chris Christiansen, Program Vice President, Security Products and Services, IDC.


Disrupting the chain and advancing enterprise protection

HPE recommends a number of approaches for enterprise security professionals to better defend against these organized attackers:
  • Reduce the profits – Limit the financial rewards adversaries can realize from an attack on the enterprise by implementing end-to-end encryption solutions. By encrypting data at rest, in motion and in use, the information is rendered useless to the attackers, restricting their ability to sell and reducing profits.
  • Reduce the target pool – The expansion of mobile and IoT has dramatically increased the possible attack surface for all enterprises. Organizations must build security into their development processes, and focus on protecting the interactions between data, apps and users regardless of device to better mitigate and disrupt adversary attacks.
  • Learn from the adversaries – New technologies such as ‘deception grids’ provide methods of trapping, monitoring and learning from attackers as they navigate their way through a realistic duplication of the network. Enterprises can use this information to better protect their real network, disrupt similar attacks before they begin, and slow down the progress of attackers.

Online transaction fraud to reach $25 billion by 2020

Online transaction fraud is expected to reach $25.6 billion by 2020, up from $10.7 billion last year, according to Juniper Research. This means that by the end of the decade, $4 in every $1,000 of online payments will be fraudulent.


The implementation of CHIP and PIN services at POS (Point of Sale) locations in the US is likely to be a key factor driving activity in the online fraud space. The greater security afforded by CHIP and PIN would persuade fraudsters to switch their attention from the in-store environment to the CNP (Card Not Present) space.
The new study identified 3 hot areas for online fraud:
  • eRetail (65% of fraud by value in 2020 – $16.6 billion)
  • Banking (27% – $6.9 billion)
  • Airline ticketing (6% – $1.5 billion).
The study also claimed that eRetail would be particularly susceptible to online fraud, with the value of fraud in this sector increasing at twice that of banking and seven times that of airline ticketing. The research highlighted two key areas for fraud within eRetail: ‘buy-online, pay in-store’ and electronic gift cards.
It argued that the continuing migration to online and mobile shopping, of both digital and physical goods (reaching over $1.7 trillion in 2015) will provide a further incentive for fraudsters to focus their attention on these channels.

Countermeasures provide only temporary respite

Meanwhile, the research claimed that although banks are able to counter online banking fraud by deploying new technologies such as 3D-Secure and device fingerprinting, these measures often only provide temporary respite as fraudsters quickly find new ways to defraud.
Similarly, while extensive efforts by the airline industry to deploy sophisticated Fraud Detection and Prevention (FDP) systems have reduced fraud significantly for some major airlines, this industry has also seen fraudsters shift their focus to other perceived weak spots in the system.
“A few larger airlines claim that they have reduced eTicket sales fraud to less than 0.1% or 10 basis points of revenues,” said research author Gareth Owen. “When thwarted, however, fraudsters quickly move on to easier pickings such as frequent flyer fraud, for example.”
“Just like we are moving away from static passwords as the sole means of verification, so must credit cards and Card Verification Values (CVVs) when making online purchases. Fraud can be dramatically reduced if a dynamic verification value is used instead of the static CVV. This dynamic card verification technology is available today on credit cards and mobile. It will bring a high level of trust between the vendor and the consumer who is making the purchase. In order for banks to ensure consumers continue to spend using their credit card, they must show them protecting their data is their number one priority,” Hakan Nordfjell, SVP of eBanking and eCommerce at Gemalto told Help Net Security.

Europol to get new powers to disrupt terrorists’ online presence

The EU police agency Europol is expected to gain new powers that will help it fight terrorism and cybercrime, thanks to new governance rules endorsed by Civil Liberties Committee MEPs on Thursday.
The draft rules, which have already been approved by the European Parliament and European Council, will make it easier for Europol to set up specialised units to respond immediately to emerging threats.
The new regulation also includes clear rules for existing units or centres such as the Internet Referral Unit, which ensures the swift removal of websites praising terrorist acts or encouraging EU citizens to join terrorist organisations.
Europol will in some cases be able to exchange information directly with private entities such as firms or NGOs, which should enable it to work faster. For example, it will be able to contact social network service provider Facebook directly to ask it to delete a web page run by ISIS or request details of other pages that might be run by the same user, so as to prevent the spread of terrorist propaganda.
In order to avoid information gaps in the fight against organised crime and terrorism, the new rules state that member states should provide Europol with the data necessary to fulfil its objectives.
MEPs have ensured that Europol’s new powers will go hand in hand with increased data protection safeguards and parliamentary scrutiny. The European Data Protection Supervisor (EDPS) will be responsible for monitoring Europol’s work and there will be a clear complaints procedure under EU law for citizens.
To ensure democratic control, Europol’s work will be overseen by a Joint Parliamentary Scrutiny Group with members from both national parliaments and the European Parliament.
Parliaments’ negotiators also ensured that all information exchange agreements between Europol and third countries will be assessed within 5 years after the entry into force of the new regulation, to ensure that they comply with data protection rules and EU standards for policing.

Hacker finds vulnerability in Mr. Robot’s website

A white hat hacker going by the name Zemnmez found the flaw on the new promotional website for the upcoming season 2 of Mr. Robot. Mr. Robot was the biggest 'Hacking Drama' television show of 2015, and its second season returns to American TV screens on July 13, 2016. The vulnerability could have given Zemnmez an easy way to pwn fans of the show by tricking them into handing over much of their Facebook information. But shortly after a quick note to Mr. Robot’s writer Sam Esmail, the vulnerability was closed off.
The vulnerability, a cross-site scripting (XSS) flaw, was discovered on the day the show launched its promo for the second series. During the launch ceremony, a clip of President Obama was shown condemning the destructive attack launched on the US financial system at the end of the first series, along with a website, whoismrrobot.com, mimicking a mix of Linux command line and IRC chat. The series had already received praise for its relatively accurate portrayal of hacking, something other shows and films have failed at miserably.
USA Network’s owner NBC Universal confirmed that the website was patched late Tuesday (May 10) night, hours after Zemnmez reported the flaw.
XSS bugs are widespread; they are the most common vulnerability class on the web. Had the reporter been a malicious hacker, he could have abused the flaw to steal users’ Facebook information. In particular, he would have targeted a section of the website that contains a quiz, whoismrrobot.com/fsociety, which requested access to players’ Facebook data. FSociety is the hacktivist collective that the central character, Elliot Alderson (played by Rami Malek), joins early in series one.