Wednesday, September 15, 2021

Security Smörgåsbord, vol. 13 no. 5

Report: Direct patient safety risk posed by infusion pump vulnerability exploit
A group of five vulnerabilities in the B. Braun Infusomat Space Large Volume Pump could allow an attacker to modify system configurations in standby mode and deliver an unexpected dose of medication to patients without any need for authentication, according to a new report from McAfee Enterprise Advanced Threat Research.

I've been posting about the security problems in medical devices for going on a decade now.  It's interesting to see major security research players start to issue advisories about these.  Hopefully the FDA expedites these sorts of security updates.

DEFCON: Internet of Things random number generators stink

In a DEF CON talk officially released on Saturday (many of this year's talks were pre-recorded and available to stream before their scheduled time) Dan Petro and Allan Cecil, both of Bishop Fox, outline systemic problems with hardware random number generators. That creates systemic problems for the devices that obtain random numbers directly from hardware random number generators.

"One of our top-line takeaways is that this process of talking to hardware RNG [random number generators] directly is just untenable. It's far too complicated on so many levels, to the point where it should really be considered like writing cryptographic code, where it is just too unsafe to do on your own," Petro told SC Media.

You might wonder what the heck a random number generator is and why you need a good one.  Basically, all of the encryption in use today depends on cipher computations starting with as close to truly random numbers as possible.  If the "random numbers" used are not really random - or worse, if they are predictable - then a Bad Guy could decrypt your communications, masquerade as you (well, as your TV), and do all the bad things to you that encryption is supposed to prevent.  Home computers (and cell phones) don't have this problem because they invest in good random number generation circuitry.  IoT devices are so inexpensive that this isn't done.  Probably having unpatched high risk security vulnerabilities in these devices is worse, but this is just another reason why there isn't much security at all in these pieces of junk.
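The talk's point is that firmware pulling bits straight from a hardware RNG has to check what it actually receives. As an added example (mine, not the talk's or this post's), the script below implements the two continuous health tests from NIST SP 800-90B, the Repetition Count Test and the Adaptive Proportion Test, and runs them over constructed byte streams: a healthy one, a source stuck at zero, and a heavily biased one. The claimed min-entropy, false-alarm rate and window size are assumed parameters.

```python
"""Continuous health tests for raw hardware-RNG output, modeled on NIST SP 800-90B."""
import hashlib
import math

# Assumed parameters: one byte per sample, a claimed min-entropy of
# H_MIN = 2 bits per sample, and a false-alarm rate of 2**-30 per test.
H_MIN = 2.0
ALPHA_LOG2 = 30
WINDOW = 512  # Adaptive Proportion Test window for non-binary sources


def rct_cutoff(h_min=H_MIN, alpha_log2=ALPHA_LOG2):
    """Repetition Count Test cutoff, 1 + ceil(-log2(alpha) / H): an honest
    source should not emit the same value that many times in a row."""
    return 1 + math.ceil(alpha_log2 / h_min)


def apt_cutoff(h_min=H_MIN, alpha_log2=ALPHA_LOG2, window=WINDOW):
    """Adaptive Proportion Test cutoff, 1 + the smallest k such that a source
    with min-entropy H shows more than k copies of one value in a window
    with probability <= alpha (inverse binomial CDF, computed exactly)."""
    p, alpha = 2.0 ** -h_min, 2.0 ** -alpha_log2
    pmf = [math.comb(window, i) * p**i * (1 - p) ** (window - i)
           for i in range(window + 1)]
    k, tail = window, 0.0  # tail == P[X > k] throughout the loop
    while k > 0 and tail + pmf[k] <= alpha:
        tail += pmf[k]
        k -= 1
    return 1 + k


def health_check(samples):
    """Run both tests over raw RNG bytes; return (ok, reason)."""
    rct_c, apt_c, run = rct_cutoff(), apt_cutoff(), 1
    for prev, cur in zip(samples, samples[1:]):
        run = run + 1 if cur == prev else 1  # length of the current run
        if run >= rct_c:
            return False, f"RCT: {prev:#04x} repeated {run} times"
    for start in range(0, len(samples) - WINDOW + 1, WINDOW):
        win = samples[start:start + WINDOW]
        count = win.count(win[0])  # occurrences of the window's first value
        if count >= apt_c:
            return False, f"APT: {win[0]:#04x} seen {count}/{WINDOW} times"
    return True, "passed"


# Constructed sample streams, not captured from any real device.
GOOD = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
STUCK = bytes(4096)  # a source that silently returns zeros
BIASED = bytes(0 if i % 2 else (i >> 1) & 0xFF for i in range(4096))  # half zeros
```

The stuck stream trips the repetition test after 16 identical bytes, while the biased stream slips past it and is caught only by the proportion test, which is why both run together.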

Firefox 91 has new privacy features

Firefox is still around?  Who knew?  They blew any credibility on user privacy when they ditched Brendan Eich to include RIAA tracking features.

The most secure browser is ... Microsoft?

Microsoft has announced that the Edge Vulnerability Research team is experimenting with a new feature dubbed "Super Duper Secure Mode" and designed to bring security improvements without significant performance losses.

When enabled, the new Microsoft Edge Super Duper Secure Mode will remove Just-In-Time Compilation (JIT) from the V8 processing pipeline, reducing the attack surface threat actors can use to hack into Edge users' systems.

Based on CVE (Common Vulnerabilities and Exposures) data collected since 2019, around 45% of vulnerabilities found in the V8 JavaScript and WebAssembly engine were related to the JIT engine, with more than half of all 'in the wild' Chrome exploits abusing JIT bugs.

"This reduction of attack surface has potential to significantly improve user security; it would remove roughly half of the V8 bugs that must be fixed," explained Johnathan Norman, Microsoft Edge Vulnerability Research Lead.

That's a neat piece of security work.  And I love "Super Duper Secure Mode".  It reminds me of Tesla's "Ludicrous Mode" which is shamelessly stolen from Spaceballs.

Google to block old Android phones starting September 27

Google has started emailing users of very old Android devices to tell them it's time to say goodbye.

Starting September 27, devices running Android 2.3.7 and lower will no longer be able to log in to Google services, effectively killing a big portion of the on-rails Android experience. As Google puts it in an official community post, "If you sign in to your device after September 27, you may get username or password errors when you try to use Google products and services like Gmail, YouTube, and Maps."

Android is one of the most cloud-based operating systems ever. Especially in older versions, many included apps and services were tied to your Google login, and if that stops working, a large chunk of your phone is bricked. While Android can update many core components without shipping a full system update today, Android 2.3.7 Gingerbread, released around 10 years ago, was not so modular.

This is actually a Good Thing.  Android has a lot of security holes and there are no updates coming for these 10 year old systems.  If you got 10 years out of your phone, it's really in your best (security) interest to update.

US Government Agencies score low on cyber security

In the "Federal Cybersecurity: America's Data Still At Risk" report, the US Senate Committee on Homeland Security and Governmental Affairs graded the departments of State, Transportation, Education, and the Social Security Administration a "D" for cybersecurity. The departments of Housing and Urban Development, Agriculture, and Health and Human Services each received a "C." The highest grade for cybersecurity, a "B," went to the Department of Homeland Security (DHS). Among the major issues, several agencies, including the State Department, did not deactivate former employees' accounts, allowing access for extended periods of time after the workers left government service.

Maybe the Cloud will help.  These Agencies can't buy cloud services that are not security approved (FedRAMP).  Most of these issues are covered under that certification.

Jonathan H said...

I doubt the cloud will help... I've heard stories of agencies violating requirements and standards and fighting audits, reviews, etc.

Another topic not usually mentioned is the sheer number of network and hardware problems the agencies experience.
The agencies I have worked for have near constant phone, network, update, and hardware issues...
I suspect the two problems have common cause.

HMS Defiant said...

What Jonathan said. Ditto.