Two studies are warning of thousands of vulnerabilities found in pacemakers, insulin pumps and other medical devices. "One study solely on pacemakers found more than 8,000 known vulnerabilities in code inside the cardiac devices," reports BBC. "The other study of the broader device market found only 17% of manufacturers had taken steps to secure gadgets." From the report: The report on pacemakers looked at a range of implantable devices from four manufacturers as well as the "ecosystem" of other equipment used to monitor and manage them. Researcher Billy Rios and Dr Jonathan Butts from security company Whitescope said their study showed the "serious challenges" pacemaker manufacturers faced in trying to keep devices patched and free from bugs that attackers could exploit. They found that few of the manufacturers encrypted or otherwise protected data on a device or when it was being transferred to monitoring systems. Also, none was protected with the most basic login name and password systems or checked that devices they were connecting to were authentic. Often, wrote Mr Rios, the small size and low computing power of internal devices made it hard to apply security standards that helped keep other devices safe. In a longer paper, the pair said device makers had work to do more to "protect against potential system compromises that may have implications to patient care." The separate study that quizzed manufacturers, hospitals and health organizations about the equipment they used when treating patients found that 80% said devices were hard to secure. Bugs in code, lack of knowledge about how to write secure code and time pressures made many devices vulnerable to attack, suggested the study.
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's now on IFTTT. Check it out! Check out the new SourceForge HTML5 Internet speed test! ×
Earlier this year, Chipotle announced that the their payment processing system was hacked. Today, the company has released more information about the hack, identifying the malware that was responsible and releasing a new tool to help customers check whether the restaurant they visited was involved. The company did not say how many restaurants were affected, but it did tell The Verge that "most" locations nationwide may have been involved. The Verge reports: "The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device," Chipotle said in a statement. "There is no indication that other customer information was affected." We browsed through the tool and found that every state Chipotle operates in had restaurants that were breached, including most major cities. The restaurants were vulnerable in various time frames between March 24th and April 18th, 2017. Chipotle also operates another chain called Pizzeria Locale, which was affected by the hack as well. (The list of identified restaurants can be found here, which includes locations in Kansas, Missouri, Colorado, and Ohio.) Chipotle noted that not all locations have been identified, but it's a starting guide to check whether your visit lines up with the breached period.
Dustin Volz, reporting for Reuters: Facebook, Amazon and more than two dozen other U.S. technology companies pressed Congress on Friday to make changes to a broad internet surveillance law, saying they were necessary to improve privacy protections and increase government transparency. The request marks the first significant public effort by Silicon Valley to wade into what is expected to be a contentious debate later the year over the Foreign Intelligence Surveillance Act, parts of which will expire on Dec. 31 unless Congress reauthorizes them. Of particular concern to the technology industry and privacy advocates is Section 702, which allows U.S. intelligence agencies to vacuum up vast amounts of communications from foreigners but also incidentally collects some data belonging to Americans that can be searched by analysts without a warrant.
A new study conducted by Fluent shows a majority of Americans are sharing passwords to their streaming video services. While millennials lead the pack, non-millennials are doing the same. Streaming Observer reports: Nearly 3 out of every 4 (72% exactly) Americans who have cable also have access to at least one streaming service and 8% of cable subscribers plan to eliminate their service in the next year. But that doesn't necessarily mean they're paying for their streaming service. New numbers from a study conducted by Fluent show that the majority of Americans are sharing passwords to their streaming video services. Well over half of millennials (aged 18-34) -- 60% -- are either using someone someone else's password or giving their password to someone else. And just under half -- 48% -- of non-millennials are doing the same. The study also revealed that the main factor in what drives consumers to sign up for streaming video services is price, with 34% of Americans saying that low cost was the primary factor. That number jumps to 38% among millennials. When you take in to account that some streaming TV services start with prices as low as $20, it makes sense that price is the biggest issue. Convenience was the next biggest factor, coming in at just below 25%.
Trailrunner7 quotes a report from On the Wire: A bill that would allow victims of cybercrime to use active defense techniques to stop attacks and identify attackers has been amended to require victims to notify the FBI of their actions and also add an exemption to allow victims to destroy their data once they locate it on an attacker's machine. The Active Cyber Defense Certainty Act, drafted by Rep. Tom Graves (R-Ga.) in March, is designed to enable people who have been targets of cybercrime to employ certain specific techniques to trace the attack and identify the attacker. The bill defines active cyber defense as "any measure -- (I) undertaken by, or at the direction of, a victim"; and "(II) consisting of accessing without authorization the computer of the attacker to the victim" own network to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim's own network." After releasing an initial draft of the bill in March, Rep. Tom Graves held a public event in Georgia to collect feedback on the legislation. Based on that event and other feedback, Graves made several changes to the bill, including the addition of the notification of law enforcement and an exception in the Computer Fraud and Abuse Act for victims who use so-called beaconing technology to identify an attacker. "The provisions of this section shall not apply with respect to the use of attributional technology in regard to a defender who uses a program, code, or command for attributional purposes that beacons or returns locational or attributional data in response to a cyber intrusion in order to identify the source of the intrusion," the bill says.
An anonymous reader shares a report: A new survey of security professionals reveals that 83 percent say colleagues in other departments turn to them to fix personal computer problems. The study by security management company FireMon shows a further 80 percent say this is taking up more than an hour of their working week, which in a year could equate to more than $88,000. For organizations, eight percent of professionals surveyed helping colleagues out five hours a week or more could be costing over $400,000. Organizations are potentially paying qualified security professionals salaries upwards of $100,000 a year and seeing up to 12.5 percent of that investment being spent on non-security related activities.
A newly found flaw in widely used networking software leaves tens of thousands of computers potentially vulnerable to an attack similar to that caused by WannaCry, which infected more than 300,000 computers worldwide, cybersecurity researchers said on Thursday. From a Reuters report: The U.S. Department of Homeland Security on Wednesday announced the vulnerability, which could be exploited to take control of an affected computer, and urged users and administrators to apply a patch. Rebekah Brown of Rapid7, a cybersecurity company, told Reuters that there were no signs yet of attackers exploiting the vulnerability in the 12 hours since its discovery was announced. But she said it had taken researchers only 15 minutes to develop malware that made use of the hole. "This one seems to be very, very easy to exploit," she said. Rapid7 said it had found more than 100,000 computers running vulnerable versions of the software, Samba, free networking software developed for Linux and Unix computers.
Two anonymous readers and Mi share an article: U.K. police investigating the Manchester terror attack say they have stopped sharing information with the U.S. after a series of leaks that have so angered the British government that Prime Minister Therese May wants to discuss them with President Donald Trump during a North Atlantic Treaty Organization meeting in Brussels. What can Trump tell her, though? The leaks drive him nuts, too. Since the beginning of this century, the U.S. intelligence services and their clients have acted as if they wanted the world to know they couldn't guarantee the confidentiality of any information that falls into their hands. At this point, the culture of leaks is not just a menace to intelligence-sharing allies. It's a threat to the intelligence community's credibility. [...] If this history has taught the U.S. intelligence community anything, it's that leaking classified information isn't particularly dangerous and those who do it largely enjoy impunity. Manning spent seven years in prison (though she'd been sentenced to 35), but Snowden, Assange, Petraeus, the unknown Chinese mole, the people who stole the hacking tools and the army of recent anonymous leakers, many of whom probably still work for U.S. intelligence agencies, have escaped any kind of meaningful punishment. President Donald Trump has just now announced that the administration would "get to the bottom" of leaks. In a statement, he said: "The alleged leaks coming out of government agencies are deeply troubling. These leaks have been going on for a long time and my Administration will get to the bottom of this. The leaks of sensitive information pose a grave threat to our national security. I am asking the Department of Justice and other relevant agencies to launch a complete review of this matter, and if appropriate, the culprit should be prosecuted to the fullest extent of the law. There is no relationship we cherish more than the Special Relationship between the United States and the United Kingdom.
New submitter boundary writes: The UK government looks to be about to put the most egregious parts of the Investigative Powers Act into force "soon after the election" (which is in a couple of weeks) in the wake of the recent bombing in Manchester. "Technical Capability Orders" require tech companies to break their own security. I wonder who'll comply? The Independent reports: "Government will ask parliament to allow the use of those powers if Theresa May is re-elected, senior ministers told The Sun. 'We will do this as soon as we can after the election, as long as we get back in,' The Sun said it was told by a government minister. 'The level of threat clearly proves there is no more time to waste now. The social media companies have been laughing in our faces for too long.'"
schwit1 quotes a report from Vocativ: The Vermont Department of Motor Vehicles has been caught using facial recognition software -- despite a state law preventing it. Documents obtained by the American Civil Liberties Union of Vermont describe such a program, which uses software to compare the DMV's database of names and driver's license photos with information with state and federal law enforcement. Vermont state law, however, specifically states that "The Department of Motor Vehicles shall not implement any procedures or processes that involve the use of biometric identifiers." The program, the ACLU says, invites state and federal agencies to submit photographs of persons of interest to the Vermont DMV, which it compares against its database of some 2.6 million Vermonters and shares potential matches. Since 2012, the agency has run at least 126 such searches on behalf of local police, the State Department, FBI, and Immigrations and Customs Enforcement.
The first robot officer has joined the Dubai Police force tasked with patrolling the city's malls and tourist attractions. "People will be able to use it to report crimes, pay fines and get information by tapping a touchscreen on its chest," reports BBC. "Data collected by the robot will also be shared with the transport and traffic authorities." From the report: The government said the aim was for 25% of the force to be robotic by 2030 but they would not replace humans. "We are not going to replace our police officers with this tool," said Brig Khalid Al Razooqi, director general of smart services at Dubai Police. "But with the number of people in Dubai increasing, we want to relocate police officers so they work in the right areas and can concentrate on providing a safe city. "Most people visit police stations or customer service, but with this tool we can reach the public 24/7. It can protect people from crime because it can broadcast what is happening right away to our command and control center."
An anonymous reader shares an article: Andy Maguire faces a challenge: tasked with upgrading HSBC's digital-banking systems, he has discovered that customers are twice as likely to trust a robot for heart surgery than for picking a savings account. "I do find it slightly odd," said the chief operating officer of Europe's largest bank, referring to its survey of more than 12,000 consumers in 11 countries published this week. Just 7 percent of respondents would trust a robot with their savings, versus the 14 percent willing to submit to a machine for heart surgery. "You think, gosh, one would've imagined the world had moved on further or was moving faster than that," Maguire said in an interview. While consumers tend naturally to trust medical professionals, the "bar is pretty high" for banks dealing with people's money, he said. Banks around the world are spending billions of dollars to bolster creaking computer systems in a push to ward off startup competitors and cut long-term operating expenses. But consumers and regulators are holding them to ever-higher standards of security and convenience, driving the cost of overhauls higher and potentially eroding any savings.
An anonymous reader shares a report: The Trump administration wants federal agencies to be able to track, hack, or even destroy drones that pose a threat to law enforcement and public safety operations, The New York Times reports. A proposed law, if passed by Congress, would let the government take down unmanned aircraft posing a danger to firefighting and search-and-rescue missions, prison operations, or "authorized protection of a person." The government will be required to respect "privacy, civil rights, and civil liberties" when exercising that power, the draft bill says. But records of anti-drone actions would be exempt from public disclosure under freedom of information laws, and people's right to sue over damaged and seized drones would be limited, according to the text of the proposal published by the Times. The administration, which would not comment on the proposal, scheduled a classified briefing on Wednesday for congressional staff members to discuss the issue.
Millions of people risk having their devices and systems compromised by malicious subtitles, according to a new research published by security firm Check Point. The threat comes from a previously undocumented vulnerability which affects users of popular streaming software, including Kodi, Popcorn-Time, and VLC. Developers of the applications have already applied fixes and in some cases, working on it. From a report: While most subtitle makers do no harm, it appears that those with malicious intent can exploit these popular streaming applications to penetrate the devices and systems of these users. Researchers from Check Point, who uncovered the problem, describe the subtitle 'attack vector' as the most widespread, easily accessed and zero-resistance vulnerability that has been reported in recent years. "By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim's machine, whether it is a PC, a smart TV, or a mobile device," they write.
The Wikimedia Foundation has the right to sue the National Security Agency over its use of warrantless surveillance tools, a federal appeals court ruled. "A district judge shot down Wikimedia's case in 2015, saying the group hadn't proved the NSA was actually illegally spying on its communications," reports Engadget. "In this case, proof was a tall order, considering information about the targeted surveillance system, Upstream, remains classified." From the report: The appeals court today ruled Wikimedia presented sufficient evidence that the NSA was in fact monitoring its communications, even if inadvertently. The Upstream system regularly tracks the physical backbone of the internet -- the cables and routers that actually transmit our emoji. With the help of telecom providers, the NSA then intercepts specific messages that contain "selectors," email addresses or other contact information for international targets under U.S. surveillance. "To put it simply, Wikimedia has plausibly alleged that its communications travel all of the roads that a communication can take, and that the NSA seizes all of the communications along at least one of those roads," the appeals court writes. "Thus, at least at this stage of the litigation, Wikimedia has standing to sue for a violation of the Fourth Amendment. And, because Wikimedia has self-censored its speech and sometimes forgone electronic communications in response to Upstream surveillance, it also has standing to sue for a violation of the First Amendment."
An anonymous reader quotes a report from Politico: Hackers will target American voting machines -- as a public service, to prove how vulnerable they are. When over 25,000 of them descend on Caesar's Palace in Las Vegas at the end of July for DEFCON, the world's largest hacking conference, organizers are planning to have waiting what they call "a village" of different opportunities to test how easily voting machines can be manipulated. Some will let people go after the network software remotely, some will be broken apart to let people dig into the hardware, and some will be set up to see how a prepared hacker could fiddle with individual machines on site in a polling place through a combination of physical and virtual attacks. With all the attention on Russia's apparent attempts to meddle in American elections -- former President Barack Obama and aides have made many accusations toward Moscow, but insisted that there's no evidence of actual vote tampering -- voting machines were an obvious next target, said DEFCON founder Jeff Moss.
From a Motherboard report: Despite Samsung stating that a user's irises are pretty much impossible to copy, a team of hackers has done just that. Using a bare-bones selection of equipment, researchers from the Chaos Computer Club (CCC) show in a video how they managed to bypass the scanner's protections and unlock the device. "We've had iris scanners that could be bypassed using a simple print-out," Linus Neumann, one of the hackers who appears in the video. The process itself was apparently pretty simple. The hackers took a medium range photo of their subject with a digital camera's night mode, and printed the infrared image. Then, presumably to give the image some depth, the hackers placed a contact lens on top of the printed picture. And, that's it. They're in.
At an event in China on Tuesday, Microsoft announced yet another new version of Windows 10. Called Windows 10 China Government Edition, the new edition is meant to be used by the Chinese government and state-owned enterprises, ending a standoff over the operating system by meeting the government's requests for increased security and data control. In a blog post, Windows chief Terry Myerson writes: The Windows 10 China Government Edition is based on Windows 10 Enterprise Edition, which already includes many of the security, identity, deployment, and manageability features governments and enterprises need. The China Government Edition will use these manageability features to remove features that are not needed by Chinese government employees like OneDrive, to manage all telemetry and updates, and to enable the government to use its own encryption algorithms within its computer systems.
An anonymous reader shares a report: Since 2015, a Chinese gaming website has been hacking Xbox accounts and selling the proceeds on the open market, according to a complaint filed by Microsoft in federal court on Friday. On its website, iGSKY presents itself as a gaming service company, offering players a way to pay for in-game credits and rare items -- but according to Microsoft, many of those credits were coming from someone else's wallet. The complaint alleges that the company made nearly $2 million in purchases through hacked accounts and their associated credit cards, using purchases as a way to launder the resulting cash. On the site, cheap in-game points are also available for the FIFA games, Forza Horizon 3, Grand Theft Auto V, and Pokemon Go, among others.
Russian cyber criminals used malware planted on Android mobile devices to steal from domestic bank customers and were planning to target European lenders before their arrest, investigators and sources with knowledge of the case told Reuters. From the report: Their campaign raised a relatively small sum by cyber-crime standards -- more than 50 million roubles ($892,000) -- but they had also obtained more sophisticated malicious software for a modest monthly fee to go after the clients of banks in France and possibly a range of other western nations. Russia's relationship to cyber crime is under intense scrutiny after U.S. intelligence officials alleged that Russian hackers had tried to help Republican Donald Trump win the U.S. presidency by hacking Democratic Party servers. The Kremlin has repeatedly denied the allegation. The gang members tricked the Russian banks' customers into downloading malware via fake mobile banking applications, as well as via pornography and e-commerce programs, according to a report compiled by cyber security firm Group-IB which investigated the attack with the Russian Interior Ministry.