Hot Topics in Information Security
ABA-ISC
November 18, 2014
Topics:
Medical Device Security
iHack
Net Neutrality
IOT (Internet of Things)
Medical Device Security
● Despite many proof-of-concept attacks, there
are no known incidents of harm resulting
from deliberate attacks on a medical device.
● BUT ... there are many known cases of
software faults causing harm, even death,
absent external attack.
The Therac-25, aka The Death Ray.
Late 1980s; see www.ccnr.org/fatal_dose.html
"Inside the treatment room Cox was hit with a powerful shock. He knew from
previous treatments this was not supposed to happen. He tried to get up. Not
seeing or hearing him because of the broken communications between the
rooms, the technician pushed the "p" key, meaning "proceed." Cox was hit
again. The treatment finally stopped when Cox stumbled to the door of the
room and beat it with his fists."
● Cause was a variable rolling over from 255 to 000
(rather than 256), opening a window during which a
safety protocol might be bypassed.
● People died.
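The rollover above, modelled in code (an added example; this is not the slides' code nor the Therac-25's own software). The setup loop, the "run the interlock only while the counter is non-zero" convention and the pass counts are assumptions made for illustration; the 8-bit variable is simulated by masking to 0..255. The unsafe version skips the interlock on every 256th pass; the saturating version cannot return to zero while setup is pending.

```python
"""Added example: an 8-bit counter that wraps from 255 to 0 silently
disables a 'check only when non-zero' safety interlock.

The loop structure and pass counts are constructed for illustration and
are not the Therac-25's actual code."""

UINT8_MAX = 0xFF  # the counter is simulated as an unsigned 8-bit variable


def run_interlock():
    """Placeholder for the hardware interlock (e.g. confirming the beam
    collimator matches the selected treatment mode). Returns True here."""
    return True


def interlock_skips_unsafe(passes):
    """Flawed design: a shared 8-bit counter is bumped on every setup pass
    and the interlock runs only while the counter is non-zero.

    Returns the 1-based pass numbers on which the interlock was NOT run."""
    counter = 0
    skipped = []
    for n in range(1, passes + 1):
        counter = (counter + 1) & UINT8_MAX  # 255 + 1 wraps to 0, not 256
        if counter == 0:
            # Zero is read as "no setup in progress", so the check is skipped.
            skipped.append(n)
            continue
        run_interlock()
    return skipped


def interlock_skips_saturating(passes):
    """Same loop, but the increment saturates at 255 instead of wrapping,
    so the counter can never read 0 while setup is still pending."""
    counter = 0
    skipped = []
    for n in range(1, passes + 1):
        counter = min(counter + 1, UINT8_MAX)
        if counter == 0:
            skipped.append(n)
            continue
        run_interlock()
    return skipped


def interlock_skips_fail_closed(passes):
    """Alternative fix: treat an impending wrap as a fault and stop the
    machine rather than let arithmetic decide whether to check.

    Returns (skipped_passes, halted_on_pass_or_None)."""
    counter = 0
    skipped = []
    for n in range(1, passes + 1):
        if counter == UINT8_MAX:
            return skipped, n  # halt: never reach the ambiguous zero state
        counter += 1
        if counter == 0:
            skipped.append(n)
            continue
        run_interlock()
    return skipped, None


if __name__ == "__main__":
    print("unsafe, 600 passes, interlock skipped on:", interlock_skips_unsafe(600))
    print("saturating, 600 passes, skipped on:", interlock_skips_saturating(600))
    print("fail-closed, 600 passes:", interlock_skips_fail_closed(600))
```

The general lesson is not specific to 8-bit variables: any time "zero means idle" is inferred from a value that can wrap, the safety state is one increment away from being lost. Encode the state explicitly (a boolean, or a saturating counter) and make the interlock the default path, so a fault in the bookkeeping stops the device instead of firing it.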
New FDA Guidelines (Oct 2, 2014)
“Content of Premarket Submissions for
Management of Cybersecurity in Medical
Devices”
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf
General Principles
● Manufacturers should develop a set of cybersecurity
controls to assure medical device cybersecurity and
maintain medical device functionality and safety.
o Onus is on manufacturers to develop controls
o Specific recommendations (e.g. code signing) are ALL
nonbinding.
o FDA recognition that patients have a role in security
Akin to telling those with pacemakers not to
stand beside microwaves
● Cybersecurity should not limit core
functionality
o "Controls should not unreasonably hinder access to
a device intended to be used during an emergency
situation."
o DRM?
● Documentation standards remain focused on
case-by-case inspections
o "Should" provide a specific list of all cybersecurity
risks considered, along with controls.
o Traceability matrix linking threats to controls.
o "Summary describing a plan for providing software
updates"
A Glimmer of Progress!
"The FDA typically will not need to review or
approve medical device software changes
made solely to strengthen cybersecurity"
Conclusion: FDA is Treading Water
● Everything remains nonbinding, to be judged
on a case-by-case basis
o Software documentation requirements remain as
they were in 1999
o See "Off-The-Shelf Software Use in Medical
Devices"
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM073779.pdf
● FDA has essentially adopted the basic NIST
processes.
o Identify, Protect, Detect, Respond and Recover.
The 2014 Celeb iPhone/iCloud hack
(aka The Fappening)
● Initial public release of images began on
August 31st.
● Prior to this public release, most images
were trading privately for some time.
● Four distinct batches spaced over a month.
Sharing methods were advanced,
persistent and immediate
● Initial public leaks were of individual images
via 4chan and image hosting services
● Torrents of collections quickly appeared.
● Mirrors were made to cyberlockers (e.g.
rapidgator)
● A few BTsync shares became the go-to
source for new public releases
o Caused a dramatic growth in the use of this
technology
o Pushed filesharing forwards much as Metallica did
with Napster.
Limitations of standard takedown
procedures
● Standard DMCA takedowns were/are
insufficient.
o Copyrights vest in the taker of a photograph, not the subject.
o Not registered copyrights → no threat of attorney fees.
o Not published, never to be published → no threat of financial loss.
● Many notices were improper.
o Example: Google initially rejected upwards of 50% of takedown
notices for links to images
https://torrentfreak.com/google-refuses-remove-links-kate-uptons-fappening-images-140912/
o Most came from "Reputation Management" firms.
Many Images Contained Metadata
● GPS location/time etc.
o Allowed for "creepy" maps to be generated tracking
celeb movement.
o Extra creepy when tied to Google Street View
● All images with metadata were taken with
iPhones.
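What "the image carried GPS metadata" looks like at the byte level, and how to check for it and strip it before a photo leaves a device. This is an added example, not code from the slides; it walks the JPEG segment structure and the Exif/TIFF directory by hand so it runs offline with no image library. The sample image is constructed inline (SOI, an Exif APP1 block whose IFD0 contains a Model tag and, optionally, the GPS sub-IFD pointer, a comment, a fake scan and EOI); the tag numbers used (0x0110 Model, 0x8825 GPSInfo, 0x0001 GPSLatitudeRef) are the standard Exif ones.

```python
"""Added example: detect and strip Exif (including GPS) from a JPEG by
walking its segments. The sample JPEG is constructed in this file; it is
not a real photo."""
import struct

SOI, EOI, SOS, APP1, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1, 0xFFFE
EXIF_HEADER = b"Exif\x00\x00"
TAG_MODEL = 0x0110          # camera model (ASCII)
TAG_GPS_IFD = 0x8825        # IFD0 entry pointing at the GPS sub-IFD
TAG_GPS_LAT_REF = 0x0001    # GPSLatitudeRef ("N"/"S")


def split_segments(jpeg):
    """Split a JPEG into (marker, body) pairs; body excludes the length
    field. Everything from SOS onward (scan data + EOI) is kept as one blob."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments, pos = [(SOI, b"")], 2
    while pos + 2 <= len(jpeg):
        marker, = struct.unpack(">H", jpeg[pos:pos + 2])
        if marker == EOI:
            segments.append((EOI, b""))
            break
        if marker == SOS:
            segments.append((SOS, jpeg[pos + 2:]))
            break
        length, = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        segments.append((marker, jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments


def join_segments(segments):
    """Inverse of split_segments."""
    out = bytearray()
    for marker, body in segments:
        out += struct.pack(">H", marker)
        if marker in (SOI, EOI, SOS):
            out += body
        else:
            out += struct.pack(">H", len(body) + 2) + body
    return bytes(out)


def exif_has_gps(app1_body):
    """True if an Exif APP1 payload's IFD0 carries a GPSInfo pointer."""
    if not app1_body.startswith(EXIF_HEADER):
        return False
    tiff = app1_body[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return False
    ifd0, = struct.unpack(endian + "I", tiff[4:8])
    count, = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        start = ifd0 + 2 + 12 * i            # each IFD entry is 12 bytes
        tag, = struct.unpack(endian + "H", tiff[start:start + 2])
        if tag == TAG_GPS_IFD:
            return True
    return False


def jpeg_has_gps(jpeg):
    return any(m == APP1 and exif_has_gps(b) for m, b in split_segments(jpeg))


def strip_exif(jpeg):
    """Drop every Exif APP1 segment (GPS lives inside it) and rebuild."""
    kept = [(m, b) for m, b in split_segments(jpeg)
            if not (m == APP1 and b.startswith(EXIF_HEADER))]
    return join_segments(kept)


def _ifd(endian, entries):
    """Serialise one IFD: count, 12-byte entries (values fit inline), next=0."""
    out = struct.pack(endian + "H", len(entries))
    for tag, typ, count, value in entries:
        out += struct.pack(endian + "HHI", tag, typ, count) + value.ljust(4, b"\x00")[:4]
    return out + struct.pack(endian + "I", 0)


def build_sample_jpeg(with_gps):
    """Constructed minimal JPEG (not a real photo) with a little-endian Exif
    block; the scan data is a placeholder, not a decodable image."""
    e = "<"
    ifd0 = [(TAG_MODEL, 2, 4, b"iPh\x00")]
    if with_gps:
        gps_offset = 8 + 2 + 12 * 2 + 4      # GPS IFD sits right after IFD0
        ifd0.append((TAG_GPS_IFD, 4, 1, struct.pack(e + "I", gps_offset)))
    tiff = b"II*\x00" + struct.pack(e + "I", 8) + _ifd(e, ifd0)
    if with_gps:
        tiff += _ifd(e, [(TAG_GPS_LAT_REF, 2, 2, b"N\x00")])
    app1 = EXIF_HEADER + tiff
    comment = b"constructed sample"
    scan = b"\x00\x08\x01\x01\x00\x00\x3f\x00\xaa\xbb\xcc"
    return (struct.pack(">H", SOI)
            + struct.pack(">HH", APP1, len(app1) + 2) + app1
            + struct.pack(">HH", COM, len(comment) + 2) + comment
            + struct.pack(">H", SOS) + scan
            + struct.pack(">H", EOI))
```

Stripping the whole Exif block is the safe default for anything that will be shared: removing only the GPS sub-IFD leaves serial numbers, timestamps and thumbnails behind, and a selective rewrite has to fix up every offset in the TIFF structure. Real photos can also carry location in XMP (a separate APP1 block) and in IPTC data, so a production tool should drop those too.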
How Were the Images Gathered?
Options:
● Deliberate release?
● Negligent / Accidental Release?
● Hack of iPhones?
● Hack of iCloud Accounts?
● Not a hack.
IBrute (Hack of iCloud)
● https://github.com/hackappcom/ibrute
o "It uses Find My Iphone service API, where
bruteforce protection was not implemented.
Password list was generated from top 500 RockYou
leaked passwords, which satisfy appleID password
policy. Before you start, make sure it's not illegal in
your country."
● Certainly a part, but not the complete answer
o Questions as to timing
● Gave Apple an easy out
o Blame put on users with easy-to-guess passwords
Non-Hacking Suspects
● Deliberate leak for publicity.
o Possible if only one or two, but very unlikely given
the number.
o Several have made statements under oath that this
was not the case.
● Negligent leak / images sent to con artist.
● Leak by Apple employee.
o Apple retains some access to all iCloud material
o None from iOS 8 / iPhone 6
Possible LOVEINT?
● Leak from within US intelligence community
o NSA admits multiple incidents of "LOVEINT"
o Snowden described the gathering of such images as
a "fringe benefit"
http://www.washingtontimes.com/news/2014/jul/18/edward-snowden-says-nsa-treats-nude-file-photos-fr/
● Selected celebs point to western, white,
male attackers.
o Predominantly US film/TV personalities
o No Russian/Japanese targets
o Matt Smith (although through girlfriend’s phone)
● Images were taken without detection
Implications for Non-Celebs
● Watch out for BYOD
● Everything touching an iPhone or other
cloud-connected device should never be
considered deleted.
● Passwords still matter.
o iBrute used a very short and known password list
o Any password not on list might have survived the
week
● Cloud providers cannot be trusted to react
quickly, or ever. Do your own encryption!
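The two defensive points from the iBrute slide and from "Passwords still matter", shown together as an added example (not the slides' code, and not any Apple service): a login service whose failure counter and lockout are shared by every endpoint, so one forgotten API cannot become the unthrottled path, and a registration step that rejects common leaked passwords even when they satisfy the complexity policy. The service name, the policy regex, the five-entry "common passwords" set, the users and the guess list are all constructed for illustration; the `exempt_endpoints` option exists only to show the weak configuration beside the hardened one.

```python
"""Added example: per-account lockout shared across all login endpoints,
plus a leaked-password blocklist applied at registration. Everything
here (users, passwords, policy, endpoint names) is constructed."""
import hashlib
import hmac
import os
import re

# Constructed stand-in for "top N leaked passwords that still pass the
# policy"; a real deployment loads a large published list.
COMMON_PASSWORDS = {"Password1", "Welcome1", "Qwerty123", "Abcd1234", "Letmein1"}

# Assumed complexity policy: 8+ chars with upper, lower and digit.
POLICY = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d).{8,}$")

PBKDF2_ROUNDS = 50_000  # kept modest so the demo runs quickly


class AuthService:
    def __init__(self, max_failures=5, lockout_seconds=900, exempt_endpoints=()):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        # Weak configuration: endpoints listed here bypass the counter.
        # The hardened default is an empty set.
        self.exempt_endpoints = set(exempt_endpoints)
        self.users = {}         # user -> (salt, pbkdf2 hash)
        self.failures = {}      # user -> consecutive failures, all endpoints
        self.locked_until = {}  # user -> simulated-clock time the lock expires
        self.alerts = []        # detection events for the SOC
        self.now = 0            # simulated clock in seconds

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, user, password):
        """Policy first, then the blocklist: a password can meet every
        complexity rule and still be one of the first guesses tried."""
        if not POLICY.match(password):
            return "rejected: policy"
        if password in COMMON_PASSWORDS:
            return "rejected: common password"
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(salt, password))
        return "ok"

    def login(self, user, password, endpoint="web"):
        """Same outcome for unknown user and wrong password (no enumeration);
        the lockout state is per account, not per endpoint."""
        if user not in self.users:
            return "denied"
        throttled = endpoint not in self.exempt_endpoints
        if throttled and self.locked_until.get(user, 0) > self.now:
            return "locked"
        salt, stored = self.users[user]
        if hmac.compare_digest(stored, self._hash(salt, password)):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if throttled and self.failures[user] >= self.max_failures:
            self.locked_until[user] = self.now + self.lockout_seconds
            self.alerts.append(
                f"lockout user={user} endpoint={endpoint} failures={self.failures[user]}")
        return "denied"


def run_guess_list(service, user, guesses, endpoint):
    """Replay a constructed guess list against one endpoint and return the
    per-attempt outcomes, so the two configurations can be compared."""
    return [service.login(user, g, endpoint) for g in guesses]


if __name__ == "__main__":
    guesses = sorted(COMMON_PASSWORDS) + ["Monkey12", "Summer14"]
    hardened = AuthService()
    hardened.register("alice", "Correct-Horse-7")
    print("hardened:", run_guess_list(hardened, "alice", guesses, "web"), hardened.alerts)
    weak = AuthService(exempt_endpoints={"legacy-api"})
    weak.register("bob", "Correct-Horse-7")
    print("weak:    ", run_guess_list(weak, "bob", guesses, "legacy-api"), weak.alerts)
```

In the hardened configuration the sixth guess is already refused and an alert is raised; in the weak one every guess is evaluated and nothing is logged, which is exactly the condition the iBrute README describes. Note the availability cost: while the lock is active the real owner is refused too, so production systems usually pair a hard lockout with progressive delays or a step-up challenge rather than relying on lockout alone.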
Net Neutrality
● Rooted in Powell-era (Bush-era) FCC
decisions
● Rate preferences drawing distinctions
between:
o Cable-company-owned ISPs
o ISPs owned by telephone companies
Common Carriers, nearly all Baby Bells
Net Neutrality
Rulemaking
● The typical FCC rulemaking proceeding gets
a few hundred comments
● The Net Neutrality proceeding already has
4M filings, with several thousand significant,
substantive filings
Net Neutrality
Why is there no answer?
● Telecommunications Act of 1996
o Assigned jurisdiction of the services now known as
the Internet to Title I
● The debate has more energy because
Congress has abdicated its policymaking
role in this area
● Huge finances of Baby Bells (including
Verizon) and cable companies give them a
louder voice than all the other interests
Net Neutrality
Conclusion
● This debate isn’t two-sided; it’s much more
complex
● Leaving the decision to the FCC ignores the
voices of less-well-represented parties
● The ABA could advocate for lesser voices,
instead of just repeating corporate counsel
talking points
● This is the watershed digital moment for this
era
Internet of Things at NIST
● Directed by Obama administration to
establish standards for security of industrial
control systems (SCADA) and other
emerging technologies
● Began August 2014
● Close connection to Cyber Framework
Working Party established pursuant to
February 2013 Executive Order
Internet of Things
Process
● Managed as a pseudo-voluntary process at
NIST
o Working groups on architecture, taxonomy, cyber
security
o Dramatic implications based on billions of port
connections across Critical Infrastructure
● Objective is draft standards documentation
circulated early in 2015
o Eventual voluntary use in Critical Infrastructure
sectors
Internet of Things
Process Failures
● No connections to other, truly voluntary,
standards processes at OMG, Open Group,
and other standards bodies
o Serious defect in process; could lead to incompatible
standards and/or NIST-process irrelevance
● NIST-typical confirmation of a pre-ordained
draft
o No tolerance for debate not on track for confirmation
of original Report outlines created in August plenary
meetings
Acknowledgements:
Created by the
Information Security Committee
of the
American Bar Association
Richard Abbott, Chairperson
Martha Chemas, Chairperson
Michael Aisenberg, Vice Chair
Brendon O’Connor, Vice Chair
Science and Technology Law Section
Security, Privacy & Information Law
Fair Use Encouraged