FDA Begins Process to Change Patching of Medical Devices
The Food and Drug Administration is beginning to understand that its 19th-century strategy, which requires manufacturers to recertify their products every time they apply a patch, only leads to the devices being hacked – which they are being, regularly. The FDA has also asked Congress for more authority to manage the cyber security process, including creating a cyber advisory board. It is talking about requiring medical device makers to build patchability into device design. Lastly, it is considering requiring manufacturers to provide the FDA with a software bill of materials at submission time. Note that, for now, this is mostly talk, so expect the process to take years. In the meantime, medical device security will be right behind baby monitor security (Source: Health IT Security).
Hey Alexa, Are You Hacked? Again?
Checkmarx researchers built a proof-of-concept attack using Amazon Echo “skills”, the extensions that allow third parties to add features to an Echo. Until the flaws were patched earlier this month, an attacker would have been able to capture and transcribe every word you said within range of an Echo. Glad they are the good guys. The moral is that convenience comes with risk; you have to decide what your acceptable level of risk is (Source: Threatpost).
For Drupal Users is the Third Time a Charm?
For the third time in just a few weeks, Drupal has pushed out a critical patch for all versions. This patch is a follow-on to Drupalgeddon 2, a vulnerability that allows a hacker to take over the server and then use that compromised server as a launchpad for further attacks against any other servers on the network, or any other servers the compromised one can talk to. Just in case anyone has forgotten, this is exactly what allowed the Equifax breach – a forgotten patch in the Apache Struts web framework. If you have not applied this patch along with the other two, today is a good day to do that, since there are active exploits for this vulnerability in the wild (Source: The Register).
Ever Wonder if Hotel Keycard Locks are Safe?
Well, wonder no more. Later this month, at a security conference, researchers are scheduled to disclose a security vulnerability in older-generation Vingcard locks, which cover a million rooms in over a hundred thousand hotels. The attack takes about a minute and creates a master key for the entire hotel. The bad news is that there really is nothing that you, as a guest, can do about it. Assa Abloy, which makes the locks, has created a fix, but the fix has to be downloaded and manually deployed to each individual room lock, so likely many hotels have not done this labor-intensive task (Source: Wired).
FISA Court Denies More Requests in Last Year than in Entire History
The secret FISA court that approves classified snooping requests for the FBI and NSA denied 26 requests in full and 50 requests in part last year. That compares to 21 denials in total from the court's founding in 1976 through the end of the Obama presidency. Out of 1,100+ requests last year, that is still a small number, but it does indicate a higher level of review (Source: ZDNet).