Security Fixes Kill Hospital Patients

2015 ‘security fixes’ on computers resulted in 34 to 45 more deaths per 1,000 heart attack patients

From another article in Dark Reading. The data is old (most recent from year 2015) and updated data should be collected because we learn and change how we deal with security breaches. The underlying reason however seems very timely: clinicians trying to use hospital computer systems after a vulnerability is “fixed” face radical problems getting access to care for patients, and as a result more patients die due to the security “fix” preventing timely care. In medical terms, we would say “The cure is worse than the disease.”

Healthcare IT systems may show that shock in slower and more disruptive change than those in other industries because they start from a relatively weakened position security-wise. “For the most part the healthcare industry, and especially the providers, has been a laggard for information security,” says Larry Ponemon, founder and chairman of the Ponemon Institute.

When hospitals respond to a breach, the response tends to have a major impact on their legitimate users. According to Choi’s research, “new access and authentication procedures, new protocols, new software after any breach incident is likely to disrupt clinicians.”

That disruption is where the patient is affected, through inaccurate or delayed information reaching the people caring for them. And how much, in blunt terms, can that effect be? The study says an additional 34 to 45 deaths per 1,000 heart attack discharges every year.

Read the article at https://www.darkreading.com/endpoint/privacy/fixing-hacks-has-deadly-impact-on-hospitals/d/d-id/1331386. I had a link to the study here also, but the link goes to a “registration” web site. You can follow that link in the Dark Reading article if you so desire.


Dark Reading was good today

Dark Reading was good today. Several interesting tidbits. Suggest that you check it out at http://www.darkreading.com/

Accused LinkedIn, DropBox Hacker Appears in US Court After Diplomatic Battle

In the Czech Republic since October 2016, Yevgeniy Nikulin had requested asylum there after warrants for his arrest were issued by both Russia and the US. The Czech government denied his bid for asylum and turned him over to the US, where he appeared in a federal courtroom on Friday morning.

Nikulin, the Russian hacker accused of being responsible for breaching DropBox and the 2012 LinkedIn attack that saw 117 million passwords stolen, has been extradited to the US in a process that has implications for the larger relationship between the US and Russia. https://www.darkreading.com/attacks-breaches/accused-linkedin-dropbox-hacker-appears-in-us-court-after-diplomatic-battle/d/d-id/1331413

The Cybersecurity Mandates Keep On Coming

With threats more complex than ever, and with more data to protect and more technologies touching that data, more cyber regulation is bound to happen. The questions are: How can a company possibly keep up? And are we safely in compliance? https://www.darkreading.com/risk/compliance/the-cybersecurity-mandates-keep-on-coming/a/d-id/1331366

Microsoft Rushes Out Fix for Major Hole Caused by Previous Meltdown Patch

While fixing an obscure potential vulnerability, they created a real hack vector! Don’t cha jus’ luv high tech?

Chris Goetti, director of product management at Ivanti, says … “When Microsoft issued a fix for Windows 7 and Windows Server 2008, they made a mistake and ended up opening up read and write access in RAM so anybody could access anything in memory and write to it.”

Jack Danahy, CTO and co-founder of Barkly, cautions: “This is an easy-to-exploit zero-day vulnerability and a much more probable attack vector than the original problem that Microsoft was trying to correct. … Microsoft accidentally distributed a new zero-day vulnerability of their own design.”

Microsoft has rushed out an out-of-cycle security patch to address problems created by what were supposed to be fixes for the Meltdown vulnerability that it had previously issued for 64-bit Windows 7 and Windows Server 2008 systems. https://www.darkreading.com/attacks-breaches/microsoft-rushes-out-fix-for-major-hole-caused-by-previous-meltdown-patch/d/d-id/1331415#


Drupal core bug allows remote code execution

This just arrived in email from wordfence.com. If you use Drupal or know someone who does, the Drupal patches need to be applied immediately to prevent / stop remote code execution attacks.

A more detailed overview of upgrade recommendations from the Drupal security team is available on Drupal.org. They have also published a detailed FAQ. This attack has been nicknamed “Drupalgeddon 2.” The previous Drupalgeddon was as high in severity as this, and had automated attacks against unpatched Drupal sites within a matter of hours after the public announcement of the vulnerability was made.

—<snip>—

This morning we are publishing a public service announcement about a severe Drupal core remote code execution vulnerability announced yesterday. If you use Drupal or know someone who does, I’d encourage you to read this post and spread the word.
The vulnerability allows an attacker, leveraging multiple attack vectors, to take complete control of a website. The Drupal team estimates that at the time of the announcement over 1 million sites are affected, about 9% of Drupal sites.
Our focus is usually WordPress security, but given the severity and wide impact of this vulnerability, we feel it justifies a PSA to help spread the word.
Regards,
Mark Maunder
Defiant Inc CEO
—<snip>—


The “Data Center” of the Future

A visual model of the Data Center of the Future: Coffee Maker insides after years of use.

I just read through Network World’s “How a data center works, today and tomorrow” (see https://www.networkworld.com/article/3223692/data-center/how-a-data-center-works-today-and-tomorrow.html).

They feel ‘The future of data centers will rely on cloud, hyperconverged infrastructure and more powerful components’.

I partly agree, and partly disagree.

The IT business cycle is well known: IT starts as a centralized department, becomes a bottleneck, other departments set up their own IT for operational survival, the uncoordinated small IT becomes unmanageable, policy swings back to standardizing and centralizing IT, and the cycle repeats. So “Data Centers” will be centralized, then distributed, then centralized again … likely forever at the corporate level.

The controlling force will not be commercial dominance: no one company will succeed at becoming the global “Data Center Hegemon” – grass roots, open source, widely varied people-driven interests will take over IN SPITE of corporate attempts to “own” the Data Center scene. The “Data Centers” inside large organizations will be a tiny part of the planetary Data Center.

Photo of a Nest Thermostat in The Bond Building. 20 June 2013, 11:54:32 by Amanitamano

I also disagree that the Data Center of the future will be composed mostly of more powerful things; rather, I feel that it will be made up of far less powerful things, redundant, error correcting, in massive numbers, using cooperative computing protocols, to become a massive unified computing power. As each cell in a human body is little by itself, coordinated together all the cells form a much more significant and powerful organism: an organism that can lose many cells, survive, heal, and grow. No single corporation, or corporate alliance, can approach this potential because of management, legal, contractual, and financial encumbrances. The Data Center’s life blood is network connectivity and its future body will be shaped accordingly.

All technologies must eventually inter-operate, and those which do not will be relegated to irrelevance, but most of this will be from non-corporate innovation, not-for-profit initiatives. There will likely be government attempts, initiated by corporate influence, to eradicate all “unauthorized” software on some pretense: any software not sold by “authorized” programmers (such as that created by programmers not under corporate control and released for the public good without mandated government “back doors” or for-profit motives) may even be criminalized. Public software will not only survive but it will grow, and the attempts to destroy it will drive it underground, improve it, increase its sophistication, and make it harder, not easier, to oppose.

And yes, I believe some large corporations will contribute to the process, which will eventually be overwhelmed and confiscated by massive grass roots factors, gently, slowly, imperceptibly until it is too late. The surviving Corporations will be the ones which recognize this from the start and design to work together with rather than oppose global communications.

There will always be “free public cloud” (that is, network based file and app servers), sometimes bootlegged inside ‘secure’ corporate systems, but there will be much more storage a kilobyte at a time from mundane and ignored things such as Mom’s pacemaker or Uncle Joe’s radio all coordinated by Harriot’s thermostat. IoT device security and control will improve accordingly. Remember BitCoin. In the future, my FitBit may be harboring 1% of your favorite vacation picture for you – but don’t worry, if I upgrade my watch Harry’s fish locator and Mary’s microwave have redundant copies just in case.

The idea that people en masse will keep their most private data on a server owned by some for-profit entity that will turn everything over to secret government agencies or marketers at a whim is unworkable until people have absolute confidence that their private data will remain absolutely private NO MATTER WHAT. This can never happen with any ownership of centralized “Cloud” services because government can and will seize those centralized computers if they think it necessary.

Reading, gaming, sleeping… All in Kyiv subway by teteria sonnna from Obukhiv, Ukraine

There will probably be significant human influencers wearing rags and living in dilapidated buildings or on the streets as well as those wearing jeans or tuxedos and living in middle-class homes or skyscrapers. BOT nets will no longer be merely for mafia profits, ransomware, and spam generators but will be a means to suborn “secure” private networks or effect communications kept temporarily private from “official” corporate or government eyes.

The “Data Center” of the future will not be one place but every place. It will be connected by multiple redundant means to circumvent corporate power to use government to silence profit syphoning opposition. It will not look like a ‘Max Headroom’ dystopia but free open source software will be critical in its reliable operation even though specific corporate proprietary software will also be present.

And the one thing we can count on is that it will be constantly changing all of the time. How can for profit corporate interests survive or thrive in this new world? Easy, simply make your corporation indispensable to the victors.