Notes on that StJude/MuddyWaters/MedSec thing

I thought I'd write up some notes on the StJude/MedSec/MuddyWaters affair. Some references: [1] [2] [3] [4].


The story so far

tl;dr: hackers drop 0day on medical device company hoping to profit by shorting their stock

St Jude Medical (STJ) is one of the largest providers of pacemakers (a.k.a. cardiac devices) in the country, around $2.5 billion in revenue, which accounts for about half their business. They provide "smart" pacemakers with an on-board computer that talks via radio waves to a nearby monitor that records the functioning of the device (and health data). That monitor, "Merlin@home", then talks back up to St Jude (via phone lines, 3G cell phone, or wifi). Pretty much all pacemakers work that way (my father's does, although his is from a different vendor).

MedSec is a bunch of cybersecurity researchers (white-hat hackers) who have been investigating medical devices. In theory, their primary business is to sell their services to medical device companies, to help companies secure their devices. Their CEO is Justine Bone, a long-time white-hat hacker. Despite Muddy Waters garbling the research, there's no reason to doubt that there's quality research underlying all this.


Medical device security ignites an ethics firestorm

One security research company is taking a controversial approach to disclosing vulnerabilities: It’s publicizing the flaws as a way to tank a company’s stock.

The security firm, MedSec, made news on Thursday when it claimed that pacemakers and other health care products from St. Jude Medical contain vulnerabilities that expose them to hacks.

However, MedSec is also cashing in on the disclosure by partnering with an investment firm that’s betting against St. Jude Medical’s stock.

The whole affair is raising eyebrows around the security community. It may be the first time someone has tried to get compensated for discovering vulnerabilities by shorting a stock, said Casey Ellis, CEO of Bugcrowd, a bug bounty platform.


Weekly Roundup: Top 5 Docker Articles for this week

Here’s the buzz from this week we think you should know about! We shared a preview of Microsoft’s Docker container monitoring, reviewed the Docker Engine security feature set, and delivered a quick tutorial for getting 1.12.1 running on Raspberry Pi 3. As we begin a new week, let’s recap our top five most-read stories for the week of August 21, 2016:

 


  • Docker security: the Docker Engine has strong security defaults for all containerized applications.
  • Securing the Enterprise: how Docker’s security features can be used to provide active and continuous security for a software supply chain.
  • Container Monitoring: Microsoft previews open Docker container monitoring, aimed at users who want a simplified view of containers’ usage to diagnose issues, whether containers are running in the cloud or on-premises, by Sam Dean.


Debunking the most common big data backup and recovery myths

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Big data has become a priority for most organizations, which are increasingly aware of the central role data can play in their success.  But firms continue to struggle with how to best protect, manage and analyze data within today's modern architectures. Not doing so can result in extended downtime and potential data loss costing the organization millions of dollars.

Unlike traditional data platforms (Oracle, SQL*Server, etc.), which are managed by IT professionals, big data platforms (Hadoop, Cassandra, Couchbase, HPE Vertica, etc.) are often managed by engineers or DevOps groups and there are some common misconceptions around big data backup and recovery that need to be cleared up.  


Fake resumes, jobs, lead to real guilty plea in H-1B fraud case

A Virginia couple has pled guilty to H-1B fraud charges in a scheme that made them millions, the U.S. Department of Justice announced Thursday.

A married couple -- Raju Kosuri, 44, and Smriti Jharia, 45 -- created a visa-for-sale system involving some 900 H-1B visa petitions over a multi-year period, according to the U.S. attorney in the Eastern District of Virginia.

Court records detail an elaborate operation that required a series of fictions to pull off.

Through a series of shell companies that purported to provide IT staffing and services to corporate clients, the defendants filed H-1B visa petitions on behalf of workers. These workers had to pay the visa fees, legal and administrative costs -- as much as $4,000 -- in violation of the visa program's rules.


Got big data? Check out these 100 best practices for keeping it secure

Big data is best known for its volume, variety, and velocity -- collectively referred to as the "3 Vs" -- and all three of those traits make security an elusive goal. Targeting companies grappling with that challenge, the Cloud Security Alliance on Friday released a new report offering 100 best practices.

As its name would suggest, the CSA focuses on promoting the use of security best practices within the cloud computing world; corporate members include VMware, Microsoft, AWS, and Red Hat. In an earlier report, the CSA broke down big data security risks into a set of the top 10 major challenges. Now, for each of those, it presents 10 best practices designed to help enterprises keep their information safe.


BrandPost: Bringing flexibility to the WAN

MPLS (multi-protocol label switching) VPNs (Virtual Private Network) have long been recognized as a preferred option for dedicated, high performance connectivity over a wide area network (WAN), such as linking data centers or branch offices that require high volume and reliability. Often these MPLS VPNs would use a broadband internet connection, either DSL, Cable or LTE, as a backup option.  It has become more common recently to leverage that broadband for internet offload.  In fact, the broadband internet is also being used as the primary VPN link for many locations and is even being combined with single user remote access options.  Regardless of the use case for the broadband VPN, it uses the IPSec protocol to encrypt the VPN traffic to keep it secure. 


Distil Networks uses device fingerprints to detect malicious web bots


Who's that coming to your website? Is it friend or foe? Is it a customer wanting to buy your products, or someone or something wanting to steal your web content? Is it a community member that wants to post a relevant comment, or a spammer intent on planting junk links and content in your open comments section? Is it a real person clicking on an ad, or a web bot driving up fraudulent clicks?

Web applications are increasingly being subjected to automated threats such as click fraud, comment spam, content scraping, abusive account creation, and more. These and other illicit or unwanted activities are described in detail in the OWASP Automated Threat Handbook for Web Applications.


5 security practices hackers say make their lives harder

Whether they identify as white hats, black hats or something in-between, a majority of hackers agree that no password is safe from them — or the government for that matter. Regardless of where they sit with respect to the law, hackers mostly agree that five key security measures can make it a lot harder to penetrate enterprise networks.

At the Black Hat USA 2016 conference in Las Vegas earlier this month, Thycotic, a specialist in privileged account management (PAM) solutions, surveyed more than 250 attendees who self-identified as hackers (respondents remained anonymous). Eighty-four percent of respondents identified as white hat hackers — security researchers that help organizations uncover and remediate vulnerabilities. And 15 percent identified as black hat hackers, who penetrate networks with criminal intent.


Autonomic offerings set to transform IT, but outsourcing customers beware

Wipro has Holmes, Tata Consultancy Services introduced Ignio, Syntel is selling Synbots. HCL Systems calls its Dry Ice. And Infosys is promoting Mana. With traditional IT outsourcing revenue streams at risk to automation, a number of IT service providers are responding by developing their own homegrown systems which are designed to perform routine tasks and operations otherwise performed by humans.

The good news is that CIOs now have a number of automation options to choose from. The bad news? The array of choices can be confusing and the unproven systems can be risky. It may not be immediately clear how these new automation options from traditional IT service providers differ from the solutions of the more well-established robotic systems companies like IPSoft or BluePrism.


Cloud player Rackspace goes private in $4.3B deal

A private equity firm has signed an agreement to buy major cloud player Rackspace for $4.3 billion.

Rackspace announced today that Apollo Global Management, a U.S.-based investment manager, will acquire the company in a deal that will give Rackspace shareholders $32 per share.

"Our board, with the assistance of independent advisors, determined that this transaction, upon closing, will deliver immediate, significant and certain cash value to our stockholders," said Graham Weston, co-founder and chairman of Rackspace, in a statement. "We are also excited that this transaction will provide Rackspace with more flexibility to manage the business for long-term growth and enhance our product offerings."
