7.10.16

Our insulin pumps could be hacked, warns Johnson & Johnson

The Animas OneTouch Ping insulin pump contains vulnerabilities that could be exploited by a malicious attacker to remotely trigger an insulin injection.
Security researcher Jay Radcliffe – who is himself a Type I diabetic – discovered the flaws and wrote about his findings.
What Radcliffe discovered was that there were security weaknesses in how the medical device communicated wirelessly. Specifically, a lack of encryption meant that instructions were being sent in cleartext. Combined with weak pairing between the remote and pump, this could open opportunities for remote attackers to spoof the controller and trigger unauthorized insulin injections.
If the user does not cancel the insulin delivery on the pump, there is the potential for an attacker to cause harm and potentially create a hypoglycemic reaction.
Although the risk of widespread exploitation of the flaws is considered relatively low, and no-one should panic, Animas’s parent company Johnson & Johnson has issued an advisory to users of the insulin infusion pump:
“We have been notified of a cybersecurity issue with the OneTouch Ping®, specifically that a person could potentially gain unauthorized access to the pump through its unencrypted radio frequency communication system. We want you to know that Animas has investigated this issue and has worked with the appropriate regulatory authorities and security experts, as we are always evaluating ways to further ensure patient safety and security.”
The advice to users?
Well, you can of course mitigate the threat by turning off the pump’s radio frequency feature. However, this means that your pump and meter can no longer communicate with each other, and blood glucose levels will need to be entered manually on the pump. That’s clearly not an entirely satisfactory solution.
Animas also proposes that OneTouch Ping users enable the vibrating alert feature which will tell them if a dose is being administered remotely, and give them the option of canceling. Also, it’s possible to program the OneTouch Ping pump to limit the amount of bolus insulin that can be delivered (either as a maximum or within certain time windows).
These mitigations are all very well, but they aren’t a fix for the underlying problem: a failure by the device to use encrypted communications and proper authentication. The lack of an easy method for users to update the devices to improve their security is telling.
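As an added, constructed illustration (not the OneTouch Ping's wire protocol, nor code from Animas or the researcher), this Python sketch shows what the missing controls look like on the pump side: every bolus command carries an HMAC under a key established at pairing, a monotonic counter rejects replays, and the per-dose maximum mentioned above is enforced before delivery. The frame layout, pairing key and remote identifier are all made up; the example covers authenticity and freshness only, not the confidentiality that encrypting the radio link would add.

```python
import hashlib
import hmac
import struct

# Constructed toy frame (not the real device format):
#   remote_id (4 bytes) | counter (4 bytes, big-endian) | units_x10 (2 bytes) | HMAC-SHA256 tag (16 bytes)
BODY_FMT = ">4sIH"
BODY_LEN = struct.calcsize(BODY_FMT)  # 10 bytes
TAG_LEN = 16

# Hypothetical pairing secret shared by remote and pump (constructed value).
PAIRING_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def build_bolus_command(key, remote_id, counter, units_x10):
    """Remote side: bind the command to the pairing key with an HMAC tag."""
    body = struct.pack(BODY_FMT, remote_id, counter, units_x10)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class PumpReceiver:
    """Pump side: deliver only fresh, authentic commands from the paired remote within the dose limit."""

    def __init__(self, key, paired_remote, max_bolus_x10):
        self.key = key
        self.paired_remote = paired_remote
        self.max_bolus_x10 = max_bolus_x10
        self.last_counter = 0  # highest counter accepted; anything <= this is a replay

    def accept(self, frame):
        if len(frame) != BODY_LEN + TAG_LEN:
            return (False, "malformed frame")
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return (False, "authentication failed")  # spoofed controller or tampered frame
        remote_id, counter, units_x10 = struct.unpack(BODY_FMT, body)
        if remote_id != self.paired_remote:
            return (False, "unpaired remote")
        if counter <= self.last_counter:
            return (False, "replayed command")
        if units_x10 > self.max_bolus_x10:
            return (False, "exceeds max bolus limit")  # the programmable per-dose cap
        self.last_counter = counter
        return (True, "deliver %.1f U" % (units_x10 / 10))
```

A frame forged without the pairing key, a re-sent frame, or a dose above the configured cap is refused before the pump acts on it.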
I asked Mark James, an ESET security specialist, why he felt vulnerabilities like this were being found in medical equipment:
“Quite often the problem with security in the medical or health industry is financially driven; cost is a major factor both in running and supplying the equipment used. In these instances the biggest factor is often making the equipment attainable for the masses who need it. The security of these products has to be factored into the cost and may even in some cases not be a factor at all. As we work towards an IoT environment where everything has to be connected, securing those devices in some cases is a secondary concern.
“Cost will always be a factor but nowadays security is just as important, the public need to feel safe using quite often the very things that keep them alive.”
Despite his discovery, Radcliffe says that he does not believe people with diabetes should use the security concerns as a reason not to use the vulnerable equipment:
“Always take care of your diabetes first. We all know the dangers of high blood sugar and low blood sugar too. These risks often far outweigh the risks highlighted in this research.”
“If any of my children became diabetic and the medical staff recommended putting them on a pump, I would not hesitate to put them on a OneTouch Ping. It is not perfect, but nothing is. In this process I have worked with Animas and its parent company, Johnson & Johnson, and know that they are focused on taking care of the patient and doing what is right.”

6.10.16

DDoS attacks ‘consistent, relentless and damaging’ to organizations

Consistent and relentless DDoS attacks are causing “real damage” to organizations around the world, with the number of affected enterprises on the rise.
This is according to Neustar’s 2016 Worldwide DDoS Attacks & Protection Report, which found that 73% of businesses interviewed have been hit with a distributed denial of service attack.
Further, the paper revealed that 85% of organizations have been subject to multiple DDoS attacks.
The study, which involved over 1,000 directors, managers and executives worldwide, also looked at the financial impact of DDoS attacks.
It noted, for example, that 49% of respondents stand to lose $100,000 per hour “during peak periods due to a DDoS attack”.
According to the findings, “respondents are reporting increased encounters with malware, and now ransomware, in conjunction with DDoS attacks”.
Further, the authors of the paper said that organizations should be aware of “smokescreen” activity – where DDoS attacks are used to divert the attention of a more “sinister” plot.
“Organizations should be concerned that DDoS attacks are growing increasingly sophisticated and relentless, frequently serving as the first stage of a multi-stage attack against an organization’s infrastructure,” commented Rodney Joffe, senior vice president and senior technologist for Neustar.
In related news, it was recently revealed that security expert Brian Krebs had been hit with “one of the biggest web attacks ever seen”.
A massive DDoS attack – at its peak, around 620 gigabits of data per second were directed to his personal website – meant that he was eventually forced to go offline.
Writing on his site following its restoration, he said: “There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called Internet of Things (IoT) devices.”

5.10.16

Lenovo chooses Talend Big Data Integration to streamline its supply chain management

Talend is helping Lenovo build a robust multi-channel catalog system that provides key stakeholders worldwide with up-to-date inventory information. The software was implemented by Talend partner Value Technology Co Ltd.

REDWOOD CITY, Calif., SINGAPORE – Talend (NASDAQ: TLND), a leading provider of cloud and big data integration software, today announced that Lenovo has chosen Talend Data Fabric to streamline product and inventory data from suppliers, resellers and manufacturers, as well as from its repositories, warehouse and e-commerce functions. By using Talend, Lenovo’s global Product Catalog Centre can now give its worldwide network of employees, partners and major customers a single view of inventory.

Over the years, Lenovo has built up an inventory of more than five million unique product names and attributes, but the information about those products was scattered across fundamentally different databases and a range of ERP and inventory management systems. Talend has enabled Lenovo to bring the data together and validate its quality, making it possible to compile a solid catalog and to take decisions with confidence.

“We needed an easy-to-use and flexible solution that can bring data together in real time from multiple sources and then efficiently forward it to our global center for inventory management and order fulfilment,” says Robin Li, IT senior manager at Lenovo. “Talend’s open source architecture gave us a great deal of flexibility and proved capable of processing enormous volumes of data very quickly and effectively.”

By streamlining product and inventory data from various sources, Lenovo’s employees, partners and customers can check product availability in real time and advise their customers on product delivery and on repair and replacement schedules.
  
“We are delighted to support such an innovative company and to help them compile unified data on which they can base their decisions,” says Kama Brar, senior vice president Southeast Asia and Japan at Talend. “Lenovo proves that a modern data architecture not only leads to more efficient operations, but also results in an excellent customer experience.”

4.10.16

How do you work out a country’s level of cybersecurity?

When we talk about the cybersecurity of a nation state, we have to refer to many different aspects, such as the nation’s capacity to respond to large-scale security incidents, its legislation in this area, the protection of critical infrastructure, its capacity to work with other countries, and even the security culture that might exist among the population.
This is a complicated task, since we’re talking about initiatives that are large in scale but absolutely necessary in the present day, due to the increasing number, frequency and impact of IT threats and attacks. The complexity lies in working out which actions to track and establishing a point of reference for countries seeking to increase and improve their level of cybersecurity. In this context, where do we begin?
The Global Cybersecurity Index
One of the initiatives launched by the International Telecommunication Union (ITU) is the Global Cybersecurity Agenda (GCA), a framework for international cooperation aimed at enhancing confidence and security in the information society.
The GCA is built upon five strategic pillars, also known as work areas: legal measures, technical and procedural measures, organizational structures, capacity building, and international cooperation. Arising from these is the Global Cybersecurity Index (GCI), which aims to measure and assess the commitment of countries to this issue.
Initially developed in 2013, the GCI is engaged in a perpetual update process to determine the relevant aspects of the security of ITU member states. The purpose of the index is to measure the following elements:
- Type, level, and development of commitment to cybersecurity in countries over the course of time
- Progress in the commitment to cybersecurity of all countries from a global perspective
- Progress in the commitment to cybersecurity from a regional perspective
- Level of participation of countries in cybersecurity initiatives
The scope of the GCI’s mission is wide: it aims to act as a point of reference so that countries can identify areas of opportunity in the field of cybersecurity, and, at the same time, it can work as a kind of incentive for nation states to try and improve their Global Cybersecurity Index rating or assessment. This has the knock-on effect of increasing the country’s level of cybersecurity.
How is the cybersecurity level determined?
The index works on the basis of a questionnaire which considers 24 indicators. The document is divided into five sections; the first considers legislation and regulations on cybersecurity in the country in question – for example, whether it has laws on unauthorized access, the misuse of information systems, and the interception of data.
The second group of questions looks at the availability of technical measures, which among other things includes the existence of a Computer Security Incident Response Team (CIRT, CSIRT or CERT) with a focus on different sectors within the country. The third point includes aspects relating to organizational measures, such as having a national cybersecurity strategy, the existence of a national body or agency responsible for the issue, or the existence of metrics by which developments can be measured.
The fourth element evaluates capacity-building activities, primarily in respect of standardization. In other words, the adoption of cybersecurity standards and good practices, as well as investment in security-related R&D programs, and also awareness campaigns aimed at the general public.
The final element looks at the provision of measures for cooperation with other countries, such as bilateral, multinational, and international agreements. This factor is a crucial one when investigating crimes that go beyond borders and are committed using new technologies.
The benefits of having an index that enables us to evaluate cybersecurity
Through the information gathered, the Global Cybersecurity Index seeks to learn how countries start to implement cybersecurity. In turn, showing the practices that have been applied in some countries enables them to be used as a point of reference or a starting point in other countries.
With this information available, other countries can adopt, adapt, and apply certain aspects depending on their national context, with the aim of promoting better practices and making them more widespread. All of this doesn’t stop at national level, but can be extended to a global level through exchange and cooperation.
Without a doubt, this initiative contributes directly to understanding the security situation of the countries involved, as well as encouraging a culture of cybersecurity, in the aim of increasing and improving the protection of information and other assets internationally.

3.10.16

AEB Nederland provides answers at the Nationaal Douanecongres

What consequences does Brexit have for companies doing business with the United Kingdom? What is the impact of the new European customs legislation (DWU) introduced this spring? And is your customs system ready for when European customs operates fully online in 2020? These are the most topical themes to be addressed at the Nationaal Douanecongres on 13 October. AEB Nederland will be present with a stand to answer questions about customs procedures and how to set them up effectively and efficiently.
The eleventh edition of the Nationaal Douanecongres will be steered by chairman Toine van Peperstraten. He will introduce a large number of inspiring speakers from, among others, Douane Nederland, Erasmus Universiteit and various ministries and trade associations. Godfried Smit of EVO – Fenedex, for example, will take stock of Brexit so far. What does it mean that the Netherlands’ third most important trading partner is leaving the European Union?

Ample attention will also be paid to the new European customs legislation that came into force on 1 May 2016. What is its impact? How should companies deal with the various regulations that have come into effect? In practice there is still a great deal of uncertainty about this, and the congress aims to provide clarity.

Effective and efficient processes
IT support for customs processes will naturally also be covered in depth. One of the theme sessions addresses what it means for companies’ IT systems when European customs, in accordance with the DWU, operates fully online in 2020. Another theme is the new declaration system AGS, which has been introduced step by step over recent years.

AEB Nederland sponsors the Nationaal Douanecongres and will be prominently present with a stand. AEB Nederland experts will be on hand to answer participants’ questions about AGS and the consequences of the DWU for automation systems. They are also happy to discuss other relevant themes such as classification, preferential origin and export controls. AEB Nederland helps companies set up effective and efficient processes around these themes.

Nationaal Douanecongres

The Nationaal Douanecongres takes place on 13 October in Ahoy, Rotterdam. The program starts at 10.00 and includes nineteen theme sessions on various topics. At around 16.30 the congress closes with an inspiring talk by trend watcher Frank Booij and a networking drinks reception. For more information and a digital registration form, see www.douanecongres.nl.