Jun 19 2013
 

A US man in Louisville, Kentucky, has made real a nightmare that has long haunted bankers: 34-year-old Boma Robert Spero-Jack has been arrested for allegedly double-cashing Western Union money orders by pairing good old-fashioned in-store cashing with mobile banking.

Security reporter Brian Krebs spotted the news as reported by the Credit Union Times.

According to local news outlet WDRB News, the arrest report says that Spero-Jack went into several Kroger stores and bought at least 32 Western Union money orders, each for between $195 and $500.

He allegedly then left the store and deposited the money into his Bank of America checking or savings account via mobile remote deposit capture (MRDC).

What that entails, quite simply, is capturing an image of a check – which can be done with a plain old consumer scanner, as shown in this video from insurer USAA – and sending it to your bank.

Some banks even allow customers to capture the check image with their mobile phones or other consumer device cameras.

Police allege that after he remotely deposited the money orders, Spero-Jack turned around and headed right back to a Kroger store to cash the same money orders in person.

Next, he’d withdraw the same amount from his bank account, according to police, for a total of $12,620 worth of double-dipping.

Spero-Jack was charged with theft by unlawful taking.

According to the Credit Union Times’ Robert McGarvey, the incident is stirring up long-held fears about MRDC.

There are no clearinghouses to track incidents of MRDC fraud. Whether it’s growing more common depends on whom you talk to.

McGarvey talked to Paul Henninger, an executive with security company Detica, who told him that this type of fraud is verging on “an epidemic.”

But Alan Bernstein, president of Vertifi, the technology-focused subsidiary of Eastern Corporate Federal Credit Union, says it’s anything but:

“What we have for evidence of system abuse through five years of experience is almost exclusively anecdotal… In this regard, the number and dollar losses attributable to outright fraud, such as the type described in the [Boma Robert Spero-Jack] story, and which we have learned about, is absolutely incidental.”

At any rate, what we do know, as Bernstein pointed out, is that there’s an inherent vulnerability in today’s MRDC technology.

Vertifi’s systems do raise a warning when they detect a duplicate image, so that an administrator can review the items and check whether they really are the same.

If the images are the same, the administrator just deletes the duplicate.

However, there is a lag between a deposit being accepted and its duplicate being flagged, and that lag gives criminals a window in which to exploit the system.

The risk vanishes, McGarvey writes, if and when:

  • Vendors manage to offer real-time duplicate detection databases – something they’re rushing to do;
  • Banks practice good security hygiene, such as offering MRDC only to customers who have held their accounts for, say, six months; and
  • MRDC privileges are revoked if an account holder has more than one duplicate deposit in a year.
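
As an added example (not code from Vertifi, the banks or the article), here is how a deposit service can fold the three controls above into one synchronous check, so the duplicate lookup runs before funds are credited rather than in a later batch review. The item fields, the fingerprint scheme (issuer, serial number and amount, so that a re-photographed money order collides with its first capture), the six-month age threshold and the revocation threshold are all assumptions for illustration; the accounts and deposits it runs are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Decision is the real-time outcome of a remote deposit attempt.
type Decision string

const (
	Accepted        Decision = "accepted"
	RejectedDup     Decision = "rejected: item already deposited"
	RejectedTooNew  Decision = "rejected: account too new for MRDC"
	RejectedRevoked Decision = "rejected: MRDC privileges revoked"
)

// Item is what the bank reads off the captured image (assumed fields). Keying on
// issuer, serial and amount rather than image bytes means a re-photographed
// money order still collides with its first capture.
type Item struct {
	Issuer string // e.g. "WESTERN-UNION"
	Serial string // the printed serial number on the money order
	Cents  int64  // face value in cents
}

// Fingerprint is the duplicate-detection key for an item.
func (it Item) Fingerprint() string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d", it.Issuer, it.Serial, it.Cents)))
	return hex.EncodeToString(sum[:])
}

type account struct {
	openedAt time.Time
	revoked  bool
	dupTimes []time.Time // when this account attempted a duplicate deposit
}

// Service enforces the three controls: real-time duplicate lookup, a minimum
// account age before MRDC is offered, and revocation after more than
// MaxDupsPerYear duplicate attempts in a rolling year.
type Service struct {
	MinAccountAge  time.Duration
	MaxDupsPerYear int
	seen           map[string]string // fingerprint -> account that first deposited it
	accounts       map[string]*account
}

func NewService() *Service {
	return &Service{
		MinAccountAge:  180 * 24 * time.Hour, // "say, six months" (assumed)
		MaxDupsPerYear: 1,                    // revoke on the second duplicate
		seen:           map[string]string{},
		accounts:       map[string]*account{},
	}
}

func (s *Service) AddAccount(id string, openedAt time.Time) {
	s.accounts[id] = &account{openedAt: openedAt}
}

// Revoked reports whether an account has lost its MRDC privileges.
func (s *Service) Revoked(id string) bool { return s.accounts[id].revoked }

// Deposit runs every check before funds are credited, closing the window
// between crediting and a later batch review of duplicates.
func (s *Service) Deposit(accountID string, it Item, now time.Time) Decision {
	acct, ok := s.accounts[accountID]
	if !ok || acct.revoked {
		return RejectedRevoked // unknown accounts get no MRDC either
	}
	if now.Sub(acct.openedAt) < s.MinAccountAge {
		return RejectedTooNew
	}
	fp := it.Fingerprint()
	if _, dup := s.seen[fp]; dup {
		cutoff := now.AddDate(-1, 0, 0) // keep only the trailing year's duplicates
		kept := acct.dupTimes[:0]
		for _, t := range acct.dupTimes {
			if t.After(cutoff) {
				kept = append(kept, t)
			}
		}
		acct.dupTimes = append(kept, now)
		if len(acct.dupTimes) > s.MaxDupsPerYear {
			acct.revoked = true
		}
		return RejectedDup
	}
	s.seen[fp] = accountID // first sighting: remember it, then credit
	return Accepted
}

func main() {
	svc := NewService()
	now := time.Date(2013, 6, 19, 12, 0, 0, 0, time.UTC)
	svc.AddAccount("old", now.AddDate(0, -8, 0))   // constructed: opened eight months ago
	mo := Item{"WESTERN-UNION", "00012345", 19500} // constructed $195 money order
	fmt.Println(svc.Deposit("old", mo, now))       // accepted
	fmt.Println(svc.Deposit("old", mo, now))       // rejected: item already deposited
}
```

Note that the `seen` table is keyed on the item, not on the account, so the same money order presented from a second account is caught too; that is what makes the real-time lookup a shared database rather than a per-customer history, which is the harder part the vendors are described as rushing to build.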

From a crook’s perspective, the scheme has an upside – it seems, somehow, easier and safer because it’s done remotely – and the downside of having to pony up the money to buy, for example, a Western Union money order.

As Krebs and others, such as McGarvey, note, a particularly worrisome prospect is that organized criminal gangs will latch onto the exploitation of MRDC.

Examples of such gangs include the crew run by a Chicago woman sentenced in August 2012 for managing ATM-draining money mules who used bogus accounts, PINs and ATM cards to take more than $9 million from WorldPay US in what was called the “most sophisticated and organised computer fraud attack ever”.

The MRDC vendors are said to be already hard at work making the technology more scam-proof.

Hopefully, this Kentucky bust will fan the fire and get them to the desired goal before organized crime does latch onto this exploit, and banks will further lock down requirements for using MRDC.


Image of Western Union, mobile banking, and ATM courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JmNedeRmE4o/

Jun 19 2013
 

A top EU data privacy advocate has criticised the European Union’s plans to combat cybercrime, saying they do not provide enough protection for personal data.

In the same statement, the European Data Protection Supervisor (EDPS) Peter Hustinx suggested that too little attention has been paid to existing regulations and agencies, and that it would be useful to have tighter definitions of what exactly the European Commission means by “cybercrime” and related terms.

The statement comes as an official “opinion” document [PDF] responding to the EU’s Cybersecurity Strategy [PDF] plan.

The strategy was issued in February alongside proposals for a set of unified network and information security rules, referred to as the “NIS Directive” [PDF].

The strategy document got a lukewarm reception at the time, with general approval that the EC was heading in the right direction but worries that the proposals were too vague and open-ended. The opinions from the EDPS seem to echo this, welcoming the existence of the strategy but pointing out some potential problems.

The main thing the EDPS finds “regrettable” (a term repeated many times in the opinion document) is that the strategy does not adequately emphasize privacy as a key part of any planned dealing with personal data.

The EDPS acknowledges that privacy issues are covered in some parts of the strategy, but notes that there is little mention of them in the sections covering cybercrime, where privacy is pivotal.

Most cybercrime involves theft or abuse of personal data in some way, and any effort to tackle it must inevitably involve the collection and sharing of private data, by police and other bodies.

Data shared may include information on victims, suspects and innocent bystanders, so ensuring that this gathering and sharing is done within well-defined and regulated boundaries is a prime concern.

These worries tie in with another point regretted by the EDPS – the lack of mention, or indeed apparent awareness, of existing parallel plans and bodies in the field of digital data protection.

These include a proposed General Data Protection Regulation from last year, and also cover existing national Data Protection Authorities, such as the UK’s Information Commissioner’s Office.

The EDPS believes these bodies should be playing a major role in ensuring plans to combat cybercrime do not infringe on privacy, but they are omitted from the strategy document. Many of the same criticisms are also leveled at the NIS Directive.

Another point of criticism is the rather broad definition of cybercrime given in a footnote to the strategy:

Cybercrime commonly refers to a broad range of different criminal activities where computers and information systems are involved either as a primary tool or as a primary target.

Cybercrime comprises traditional offences (e.g. fraud, forgery, and identity theft), content-related offences (e.g. on-line distribution of child pornography or incitement to racial hatred) and offences unique to computers and information systems (e.g. attacks against information systems, denial of service and malware).

The EDPS points out that cybercrime and related terms “are used as a justification for certain special measures which could cause interference with fundamental rights, including the rights to privacy and data protection.”

It is clearly more than a little worrying that the EU might grant police and other bodies special powers in cases where a “cybercrime” may have occurred, if a “cybercrime” is defined as any of an unlimited “broad range” of generally bad things with some sort of association with computers.

It would seem more sensible in this case to have a very restrictive definition of “cybercrime” as only crimes of a type which could only occur digitally, and to treat “normal” crimes – theft, fraud, porn or hatred offences etc – as mere variations on their “real-world” equivalent, which just happen to take place online.

The other option would be to stick with the vague definition, but not allow it to be used as the basis of any special legal powers.

If the investigation of any crime or other issue involves the gathering, processing or sharing of private information, then there should be comprehensive and strongly-enforced rules on what data can be dealt with, how, and by whom. This should apply regardless of whether it relates to a “cybercrime” or any other kind of incident.

Despite the raised profile of data protection issues lately, there does seem to be some way to go to ensuring that those in political circles pay enough attention to data privacy. It’s good to hear someone out there is pushing the right agenda.


Image of EU fingerprint and handcuff on keyboard courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZCJVyVqw9qU/

Jun 19 2013
 

Texas has become the first US state to ban email snooping without a warrant.

Governor Rick Perry signed the new privacy bill – HB 2268 – into law on Friday. It went into effect immediately.

The bill enacts a law that sets Texas residents apart from those of the other 49 states by protecting them from state and local law enforcement surveillance carried out without a warrant.

The portion of the bill that pertains to privacy was written by 29-year-old freshman Republican legislator Jonathan Stickland, who represents an area between Dallas and Fort Worth.

Stickland told the Star-Telegram that he’s fighting for ideals that all US citizens can get behind – a sentiment the newspaper applauded:

“Despite the many differences between Tea Party Republicans like Stickland and the most liberal weenies you might find in Austin, there also tend to be some similarities.

“One of them is that whatever government does, it should do in the open. There can be arguments over exactly what government transparency is, but both liberals and Tea Partiers tend to be for it.”

As Ars Technica’s Cyrus Farivar points out, the Electronic Communications Privacy Act (ECPA) requires federal law enforcement to get a warrant only to access email that hasn’t yet been opened by its recipient.

After it’s open, sitting around in an inbox, it’s been fair game. Ditto if the email has been left unopened in an inbox for 180 days.

The Department of Justice for the first time acknowledged in March that maintaining different legal standards for finely aged email is an outdated notion, supporting revisions to ECPA.

In the meantime, as we wait for revisions to ECPA, the residents of the other 49 US states get a lower level of privacy than those of the Lone Star State.

That’s a nickname granted to Texas, some say, to signify that it’s a former independent republic, as well as a reminder of the state’s struggle for independence from Mexico.

Let’s hope that 49 other states follow the privacy path pointed out by that star.


Image of Texas courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NM05DEz_RGk/

Jun 18 2013
 

Apple, like its giant internet company comrades, has already denied having the foggiest notion of what PRISM is.

When the “they’re spying on everybody and everything” PRISM story broke two weeks ago, Apple told The Wall Street Journal in a statement that:

“We have never heard of PRISM. We do not provide any government agency with direct access to our servers.”

On the morning of June 17, Apple went beyond that terse statement and made a rare public statement insisting that customer privacy is a priority for the company.

Apple says that it first heard of the government’s PRISM program when news organizations asked the company about it on June 6.

Apple, Google, Microsoft and Facebook may well never have heard of PRISM, because that moniker, in fact, turned out to be the name of the computer system that runs the surveillance program.

Nobody can pronounce nor wants to type out its real name – Collection of Intelligence Pursuant to Section 702 of the Foreign Intelligence Surveillance Act – so we’re all still calling it PRISM.

At any rate, Apple is now clarifying, as Google and Facebook have done, that it doesn’t provide direct access to its servers, nor to any government agency requesting customer content, unless the request comes with a court order:

Regardless of the circumstances, our Legal team conducts an evaluation of each request and, only if appropriate, we retrieve and deliver the narrowest possible set of information to the authorities. In fact, from time to time when we see inconsistencies or inaccuracies in a request, we will refuse to fulfill it.

Google, Facebook, Microsoft, and Twitter have all beseeched the government to loosen the gag orders that prevent them from being transparent about the number of information requests they get and comply with, along with how many users and accounts are affected.

Apple’s with them in the desire for more transparency. In fact, it requested, and received, authorization to reveal that from December 1, 2012 to May 31, 2013, it received between 4,000 and 5,000 requests from US law enforcement for customer data.

Those data demands specified between 9,000 and 10,000 accounts or devices. The requests came from federal, state and local authorities and included both criminal investigations and national security matters.

In fact, the most common form of request Apple received in that time period came from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer’s disease, or hoping to prevent a suicide, the company said.

In a somewhat indignant, “who do you think we are, Google or something?” tone, Apple went on to say that it doesn’t “collect or maintain a mountain of personal details about our customers in the first place.”

Apple says:

There are certain categories of information which we do not provide to law enforcement or any other group because we choose not to retain it.

That means conversations on iMessage and FaceTime, which are protected by end-to-end encryption so no one but the sender and receiver can see or read messages, Apple says.

Apple can’t decrypt that data, it says. And it doesn’t store data related to customers’ location, Map searches or Siri requests “in any identifiable form.”

What do you think?

Did the media overreact over PRISM? Or was it a welcome spotlight to shed light on a surveillance-happy age?


Image of prism courtesy of Shutterstock and image of Apple logo courtesy of skyme / Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vfX26X65ljI/

Jun 18 2013
 

Beginning next month, Yahoo will attempt to resuscitate inactive email accounts by giving them away, according to the Associated Press.

If you haven’t checked in on your Yahoo account for at least a year, there’s still time to save your handle from being given away to a stranger, and that might be a very good idea indeed.

On July 15, any newcomers can claim a handle from the dead pool that was previously unavailable. The new accounts will be usable by mid-August.

Yahoo hasn’t revealed how many addresses are in its dead pool, but it’s probably a substantial number, given competitor Google’s robust growth.

As of June 2012, Google’s Gmail was reported to be the most widely used web-based email, with over 425 million active users worldwide.

Yahoo Mail reportedly had 281 million global users as of last year.

The move to purge the dead-account pool is obviously designed to re-energize the Yahoo mail user base. Once newcomers have new handles, as Associated Press suggests, they well might try out all the other services Yahoo is offering.

All well and good.

I would assume that Yahoo isn’t giving away personal details associated with defunct handles.

I can’t help but wonder, however, about the potential for identity fraud.

Let’s say that Joe Schmoe hasn’t used his JoeSchmoe@yahoo.com account for over a year. (Pardon me if there’s really a Joe Schmoe with that Yahoo account out there.)

Therefore, JoeSchmoe@yahoo.com is up for grabs as of July 15.

What’s to stop a miscreant from claiming the JoeSchmoe handle (and any other handles from the dead pool, for that matter) and then just sitting back and waiting for email to arrive?


If a personal email comes in from a relative who hasn’t updated her address book for a while, or, say, if Joe Schmoe hadn’t informed her of his new email address, what’s to stop a crook from pretending to be Joe Schmoe, given that he’s now got the JoeSchmoe@yahoo.com handle?

What’s to stop such email identities from being exploited for anything that miscreants can suck out of unknowing email correspondents, be it financial scams or personal information?

I asked Yahoo about this scenario. I’ll update this story when they reply. While we’re waiting, please do let us all know if there are further unintended consequences that you can imagine.

In the meantime, if you have a defunct account and don’t like the idea of somebody else controlling it, get thee to Yahoo before July 15 and resurrect it from the dead.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WP_c5mB3FNQ/

Monday review

Jun 17 2013
 

Get yourself up to date with everything we’ve written in the last seven days – it’s weekly roundup time.

General interest

Dozing bank clerk turns €64 into €22 million – and teaches us all a security lesson!

Google files patent to let you unlock your phone by grimacing at it

PRISM, UK Surveillance, Sweden vs. Google, Blackberry Z10 – 60 Sec Security [VIDEO]

Naked Security’s Graham Cluley and Carole Theriault say goodbye

Law and order

Hacker who helped to expose Steubenville attack could face more prison time than rapists

EU to vote on harsher penalties for hackers

Malware and exploits

Was Microsoft’s takedown of Citadel effective?

Guntior bootkit up to new tricks

Social networks

Facebook gets #hashtags, which does #WTF to your #privacy?

OS and software

Get ready! Oracle to fix 40 holes in Java on Tuesday, 18 June 2013

Blackberry releases first security fixes for new Z10 smartphone

Patch Tuesday June 2013 – Office, Windows and Flash

Privacy and online safety

UK political bigwigs demand return of snoopers’ charter. Seriously? Today?

“Nej till Google!” – Sweden tells a local council that Google’s cloud is a no-go area

Internet giants call for transparency in government surveillance requests

PRISM – not as bad as you thought? (And don’t call it PRISM!)

Would you like to keep up with all the stories we write? Why not sign up for our daily newsletter to make sure you don’t miss anything. You can easily unsubscribe if you decide you no longer want it.

Days of the week image from Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5Lvw86phRAQ/

SSCC 111

Jun 17 2013
 

Episode #111 of the Sophos Security Chet Chat podcast is here.

Chet and Duck (Chester Wisniewski and Paul Ducklin) are back, wrangling the latest security stories into an entertaining and informative quarter-hour of useful news.

(You can keep up with our podcasts via RSS or iTunes, and catch up on previous Chet Chats and other Sophos podcasts by browsing our podcast archive.)

Listen now:

(17 June 2013, duration 15’07″, size 9.1 MBytes)

Download now:

Sophos Security Chet Chat #111 (MP3)

Chet Chat episode 111 shownotes:

For the benefit of North American listeners, Duck points out the curious relevance of the episode number (111) to the game of cricket, and neatly ties that back to security.

PRISM made the news for its surveillance and spying aspects. Chet and Duck wonder if the underlying problem of “how did the leak happen at all” isn’t a much bigger deal. Full disk encryption, the pair conclude, is your friend.

Swedish data protection mandarins instructed a local council not to use Google’s cloud. Chet and Duck explain why, and argue that having at least some gung-ho privacy commissioners in some parts of the world is probably good for everyone.

Blackberry ships Flash on its latest smartphones. Chet asks, very bluntly, “Is this a good idea?” Duck thinks not – and Chet makes the point that it’s not just that Flash is installed, but that it languishes behind on patches, too.

Don’t forget: for a regular Chet Chat fix, follow us via RSS or on iTunes.

No flash image courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/XjUuJeABoK4/

Jun 17 2013
 

The US government in October told the Food and Drug Administration (FDA) to finally start taking medical device security seriously, whether we’re talking about intentional hacking, unencrypted data transfer that can be manipulated, or a host of other threat vectors.

Eight months later, the FDA has complied.

On Thursday, the agency put out a call to medical device manufacturers and health care facilities to start addressing medical devices’ vulnerability to cyberattack, be it by malware or unauthorized access to configuration settings in either the devices themselves or in hospital networks.

Although the FDA hasn’t seen patient injuries or death, it has seen botched security, equipment manufacturers who more or less ignore the concept of updating or patching, and passwords passed around like so many after-dinner mints.

Here’s a list of the cybersecurity vulnerabilities and incidents of which the FDA says it has been made aware:

  • Malware infection or outright disabling of network-connected/configured medical devices;
  • Malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices [for example, defibrillators];
  • Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel);
  • Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models;
  • Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection.

The FDA suggested various means of limiting unauthorized device access that manufacturers should consider, particularly if their products are life-sustaining or could be directly connected to hospital networks:

  • User authentication such as user ID and password, smartcard or biometric; strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
  • Timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code.
  • Design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
  • Methods for retention and recovery after an incident where security has been compromised.
  • Incident response plans that address the possibility of degraded operation and efficient restoration and recovery.
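
As an added example (not code from the FDA or any device vendor), here is what “restrict software or firmware updates to authenticated code” looks like in practice: the manufacturer signs a manifest (version plus image hash) with a release key, and the device verifies that manifest against a pinned public key before it writes anything. The package layout and manifest encoding are assumptions for illustration, and the anti-rollback rule (refuse any version not newer than the one installed) goes slightly beyond the FDA’s wording, but it is what stops an attacker from re-installing a genuine but vulnerable old image. Keys are generated on the fly and the firmware contents are constructed strings.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is what the device receives: the image plus a manifest
// (version and image hash) signed by the manufacturer's release key.
// The layout is assumed for illustration, not any vendor's format.
type UpdatePackage struct {
	Version   uint32
	Image     []byte
	Signature []byte // Ed25519 signature over manifestBytes(Version, sha256(Image))
}

// manifestBytes is the exact byte string that gets signed and verified.
// A fixed prefix keeps the signature from being replayed as anything else.
func manifestBytes(version uint32, imageHash [32]byte) []byte {
	var buf bytes.Buffer
	buf.WriteString("fw-manifest-v1|")
	binary.Write(&buf, binary.BigEndian, version)
	buf.Write(imageHash[:])
	return buf.Bytes()
}

// Sign is the manufacturer side: run at release time, never on the device.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	m := manifestBytes(version, sha256.Sum256(image))
	return UpdatePackage{Version: version, Image: image, Signature: ed25519.Sign(priv, m)}
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify")
	ErrRollback     = errors.New("update rejected: version not newer than installed")
)

// Device holds the pinned release public key and the installed version.
type Device struct {
	ReleaseKey       ed25519.PublicKey
	InstalledVersion uint32
	installed        []byte
}

// Apply verifies before it writes: an invalid signature or a downgrade
// leaves the running image untouched.
func (d *Device) Apply(pkg UpdatePackage) error {
	m := manifestBytes(pkg.Version, sha256.Sum256(pkg.Image))
	if !ed25519.Verify(d.ReleaseKey, m, pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Version <= d.InstalledVersion {
		return ErrRollback // genuine but old image: still refuse
	}
	d.installed = append([]byte(nil), pkg.Image...)
	d.InstalledVersion = pkg.Version
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{ReleaseKey: pub, InstalledVersion: 3}

	fmt.Println("genuine v4:", dev.Apply(Sign(priv, 4, []byte("constructed image v4"))))

	tampered := Sign(priv, 5, []byte("constructed image v5"))
	tampered.Image = []byte("constructed image v5 with a backdoor") // hash no longer matches
	fmt.Println("tampered image:", dev.Apply(tampered))

	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong key:", dev.Apply(Sign(attacker, 5, []byte("attacker-built v5"))))

	fmt.Println("rollback to v2:", dev.Apply(Sign(priv, 2, []byte("constructed image v2"))))
}
```

The private key never leaves the manufacturer, so a service account or hard-coded maintenance password on the device (two of the problems in the FDA’s list above) is not enough to push arbitrary code; the attacker would also need the release key. Verification happens over the hash that the device computes itself, not over a hash the package claims, so tampering with the image after signing is caught.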

The FDA also gave suggestions for securing hospital systems:

  • Restrict unauthorized access to the network and networked medical devices.
  • Keep anti-virus software and firewalls up-to-date.
  • Monitor network activity for unauthorized use.
  • Protect individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
  • Contact the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.
  • Develop and evaluate strategies to maintain critical functionality during adverse conditions.

Medical device hacking can be hard to take seriously in the absence of patient deaths and injuries.

But it’s not just terrorism or other homicidal deeds – such as the Tylenol poisonings of the 1980s – we’ve got to worry about.

Also at play, for example, as the FDA made clear, is conventional malware that’s been described as “rampant” in hospital medical devices that use unpatched operating systems.

In October, the MIT Technology Review reported on the real-life consequences of poor medical device security, as recounted at the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board in Washington, DC.

One such incident involved malware that slowed down fetal monitors used on women with high-risk pregnancies being treated in intensive care wards.

Experts point to issues in a wide variety of devices, including compounders, which prepare intravenous drugs and intravenous nutrition; picture-archiving systems associated with diagnostic equipment, including massive $500,000 magnetic resonance imaging (MRI) devices; insulin pumps; defibrillators; blood gas analyzers; radiology equipment; and nuclear-medical delivery systems.

It’s way past the time when the FDA should have been taking these matters seriously.

Now, it’s up to device manufacturers and those responsible for securing hospital systems to take up the FDA’s call to secure these overlooked technologies.


Image of emergency sign and medical equipment courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/i8pGsSbSPkk/

Jun 172013
 

FDAThe US government in October told the Food and Drug Administration (FDA) to finally start taking medical device security seriously, whether we’re talking about intentional hacking, unencrypted data transfer that can be manipulated or a host of other threat vectors.

Eight months later, the FDA has complied.

On Thursday, the agency put out a call to medical device manufacturers and health care facilities to start addressing medical devices’ vulnerability to cyberattack, be it by malware or unauthorized access to configuration settings in either the devices themselves or in hospital networks.

Although the FDA hasn’t seen patient injuries or death, it has seen botched security, equipment manufacturers who more or less ignore the concept of updating or patching, and passwords passed around like so many after-dinner mints.

Here’s a list of the cybersecurity vulnerabilities and incidents to which the FDA says it’s been made aware:

  • Malware infection or outright disabling of network-connected/configured medical devices;
  • Malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices [for example, defibrillators];
  • Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel);
  • Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models;
  • Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection.

Emergency sign, courtesy of ShutterstockThe FDA suggested various means of limiting unauthorized device access that manufacturers should consider, particularly if their products are life-sustaining or could be directly connected to hospital networks:

  • User authentication such as user ID and password, smartcard or biometric; strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
  • Timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code.
  • Design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
  • Methods for retention and recovery after an incident where security has been compromised.
  • Incident response plans that address the possibility of degraded operation and efficient restoration and recovery.

The FDA also gave suggestions for securing hospital systems:

  • Restrict unauthorized access to the network and networked medical devices.
  • Keep anti-virus software and firewalls up-to-date.
  • Monitor network activity for unauthorized use.
  • Protect individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
  • Contact the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.
  • Develop and evaluate strategies to maintain critical functionality during adverse conditions.

Medical equipment, image courtesy of ShutterstockMedical device hacking can be hard to take seriously in lieu of patient death and injury.

But it’s not just terrorism or other homicidal deeds – such as the Tylenol poisonings of the 1980s – we’ve got to worry about.

Also at play, for example, as the FDA made clear, is conventional malware that’s been described as “rampant” in hospital medical devices that use unpatched operating systems.

The MIT Technology Review in October reported on potential consequences of real-life medical device security as recounted at the National Institute of Standards and Technology Information Security Privacy Advisory Board, in Washington, DC.

One such incident involved malware that slowed down fetal monitors used on women with high-risk pregnancies being treated in intensive care wards.

Experts point to issues in a wide variety of devices, including compounders, which prepare intravenous drugs and intravenous nutrition; picture-archiving systems associated with diagnostic equipment, including massive $500,000 magnetic resonance imaging (MRI) devices; insulin pumps; defibrillators; blood gas analyzers; radiology equipment; and nuclear-medical delivery systems.

It’s way past the time when the FDA should have been taking these matters seriously.

Now, it’s up to device manufacturers and those responsible for securing hospital systems to take up the FDA’s call to secure these overlooked technologies.


Image of emergency sign and medical equipment courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/i8pGsSbSPkk/

Jun 17 2013
 

US law enforcers are demanding a kill switch on our smartphones that would, in theory, brick them after they’re stolen.

New York’s top prosecutor, State Attorney General Eric Schneiderman, together with San Francisco District Attorney George Gascón, put out a statement on Thursday about the launch of an initiative devoted to drying up the secondary market on which stolen devices are sold.

The initiative, dubbed Secure Our Smartphones (SOS), is a coalition of law enforcers from across the country: state attorneys general, district attorneys, major city police chiefs, state and city comptrollers, as well as public safety activists and consumer advocates.

The announcement came on the same day that Gascón and Schneiderman co-hosted a “Smartphone Summit” with representatives from smartphone makers Apple, Samsung, Google and Microsoft.

Schneiderman said in the statement that about 113 smartphones are stolen or lost every minute in the US, with many of the thefts turning violent.

Here’s how the SOS coalition describes this “epidemic”:

In 2012, 1.6 million Americans were victimized for their smartphones. This is a growing epidemic affecting all corners of our nation and accounting for a majority of the robberies in our cities.

Last year, 50 percent of the robberies in San Francisco involved a stolen mobile communications device.

Washington D.C. Police report smartphone theft accounting for 38 percent of their robberies, with Philadelphia Police reporting this type of theft accounting for 33 percent of all robberies.

In New York City, 20 percent of all robberies involved the theft of a smartphone; a 40 percent increase in the past year.

These crimes have led to severe injuries and the loss of life. The trend indicates that the problem will only get worse if manufacturers and carriers do not take immediate action.

The coalition aims to curb the problem of mobile phone theft by focusing on five things:

  • Analyzing patterns, causes and trends behind device theft;
  • Investigating the capability of manufacturers to develop technology that would deter theft, including a kill switch that would brick stolen devices permanently, eliminating the economic incentives for would-be thieves;
  • Understanding how the economics of device theft have affected decision-making by the smartphone industry;
  • Working with device manufacturers to make a kill switch, or equally effective deterrent technology, a standard feature of their products; and
  • Investigating impropriety on the part of manufacturers, raising public and shareholder awareness about industry practices in this area, and using all available tools to press for safety-oriented innovation and responsible corporate citizenship.

The concept of a kill switch plays nicely with Apple’s just-announced mobile operating system, iOS 7, which features exactly that: an activation lock.

Apple already offered Find My iPhone, which could locate a lost handset and remotely lock or wipe it. Activation Lock goes a step further: with it enabled, the phone can’t be erased, reactivated or have Find My iPhone switched off without the owner’s Apple ID and password, so even a wiped handset stays worthless to a thief.

(And, of course, Sophos has a free Mobile Security app for Android that lets you remote-lock or remote-wipe your phone.)

Samsung has reportedly promised a similar feature, while Google and Microsoft apparently talked about the concept at the Smartphone Summit.

Would this type of kill switch actually work?

The Register’s Bill Ray, for one, thinks that it might have less impact than you’d imagine.

Ray notes that, at least in the UK, most muggers do take the victim’s phone, but the handset itself is not the main prize: taking it delays the moment the victim can call the police, and that delay gives the crooks more time to turn stolen credit cards into cash.

Not that stolen phones can’t be sold, if a thief manages to change a handset’s International Mobile Station Equipment Identity (IMEI) number – a unique 15-digit code assigned at production to GSM and other phones.

That’s illegal in the UK, Ray points out, but it’s still possible to do on most handsets. A quick online search will reveal how easy it is.

Most mobile networks share lists of stolen IMEIs through the GSMA’s Central Equipment Identity Register (CEIR), so a handset reported stolen is refused service. But once the IMEI on the handset has been changed, it no longer matches any entry, and the original owner has little hope of tracking it down.

That means that once a thief has changed a handset’s IMEI, the phone can be used anywhere.
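To make the IMEI point concrete, here is an added Python example; it is not code from the article, from The Register or from any network operator. It checks an IMEI’s structure (8-digit Type Allocation Code, 6-digit serial, Luhn check digit, as laid out in 3GPP TS 23.003) and then looks the number up in a constructed stand-in for a CEIR-style blocklist. The IMEIs, the blocklist and the `network_admits` and `imei_for` functions are all made up for illustration. The example shows why a shared blocklist stops a reported handset but not one whose IMEI has been changed to any other well-formed number.

```python
"""IMEI structure check plus a toy equipment-identity-register lookup.

Added example; not from the article. An IMEI is 15 decimal digits
(3GPP TS 23.003): an 8-digit Type Allocation Code (TAC) naming the handset
model, a 6-digit serial number, and a Luhn check digit. The check digit
catches typos when a theft is reported; it does nothing against a
reprogrammed IMEI, which is what demo() shows.
"""


def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a string of decimal digits (the 14-digit IMEI body)."""
    total = 0
    # Walk right to left, doubling the rightmost digit and every second one after it.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def normalize(imei: str) -> str:
    """Strip the spaces and dashes people type into IMEIs, e.g. '49-015420-323751-8'."""
    return imei.replace(" ", "").replace("-", "")


def is_valid_imei(imei: str) -> bool:
    """True if imei is 15 digits whose last digit is the Luhn check digit of the first 14."""
    digits = normalize(imei)
    if len(digits) != 15 or not digits.isdigit():
        return False
    return luhn_check_digit(digits[:14]) == int(digits[14])


def split_imei(imei: str) -> dict:
    """Break a valid IMEI into TAC, serial number and check digit."""
    digits = normalize(imei)
    if not is_valid_imei(digits):
        raise ValueError("not a well-formed IMEI")
    return {"tac": digits[:8], "serial": digits[8:14], "check": digits[14]}


def imei_for(tac: str, serial: str) -> str:
    """Build the well-formed IMEI for a given TAC and serial by appending the check digit."""
    if len(tac) != 8 or len(serial) != 6 or not (tac + serial).isdigit():
        raise ValueError("TAC must be 8 digits and serial 6 digits")
    body = tac + serial
    return body + str(luhn_check_digit(body))


# Constructed stand-in for a CEIR-style shared blocklist. Neither entry is a real
# stolen handset: the first is a widely used documentation example, the second
# was made up for this snippet.
STOLEN_IMEIS = {"490154203237518", "351451208401125"}


def network_admits(imei: str, blocklist=STOLEN_IMEIS) -> str:
    """Verdict a network's equipment identity check would give an attaching handset."""
    digits = normalize(imei)
    if not is_valid_imei(digits):
        return "reject: malformed IMEI"
    if digits in blocklist:
        return "reject: reported stolen"
    return "admit"


def demo() -> dict:
    """A reported handset is refused; the same model with a changed serial is not."""
    stolen = "490154203237518"
    # Keep the TAC (same handset model) and pick any other serial: the result passes
    # every structural check and matches nothing on the list.
    changed = imei_for(split_imei(stolen)["tac"], "000001")
    return {
        "stolen": network_admits(stolen),
        "typo": network_admits("490154203237519"),
        "changed": network_admits(changed),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:8s} {verdict}")
```

The check digit is worth keeping in a reporting workflow, since a mistyped IMEI would otherwise go onto the blocklist and block an innocent handset; but as the `changed` case shows, it offers no defence against a thief who rewrites the number, which is exactly the gap the article says a kill switch is meant to close.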

A kill switch, in short, might be a good addition to the tools already in existence to protect our smartphones.

If we do see manufacturers install kill switches on all smartphones, I’d still suggest that it’s a ton of fun to install an app that lets you snap photos of people trying to unlock your phone.

Wait until you’ve snapped a photo of a suspect – like this one! – I say, before you brick the thing.


Image of red button and mobile phone thief courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fN2ME43yJOU/