Full Disclosure mailing list archives
Reliable reports on attacks on medical software and IT-systems available?
From: halfdog <me () halfdog net>
Date: Tue, 10 Aug 2010 12:43:21 +0000
I am searching for reliable reports on attacks on medical software and infrastructure ___aiming to harm or kill patients___. There are quite a few reports on data theft combined with blackmailing or data disclosure but rather no information if there were already attacks that tried to or have really harmed patients.

Cases of interest are (just examples):

* Data manipulation: Change of medication, changing of radiotherapy data to administer lethal doses, swapping of patient records to perform unnecessary operations
* IT-System DOS: Patients harmed because therapy could not be determined or administered due to system downtime/data loss, harm because best therapy could not be used, inferior one caused harm
* Medical device manipulation: Diabetes pen firmware manipulation at vendor site to report wrong values/use wrong dosage, manipulation of laboratory analytic devices to mislead medical personnel

It is not necessary that the attack was caused primarily by a software flaw, that was exploited. It would be sufficient, that e.g. weak passwords were guessed, fired or unhappy personnel used their account data or hospital visitors watched personnel using equipment and then used it themselves afterwards. Key factor is, that the action to cause harm was performed with intent.

Reliable sources for reports on such attacks would be:

* Articles in medium to high quality media (newspaper, online magazines, ..)
* References to court cases
* Warning messages from national bodies (e.g. FDA and alike) to mitigate the effects or requesting people to participate in clarification of facts
* Scientific papers analyzing the attack (similar to papers on the software failure in the Therac system)
* Word from (named) persons, that were engaged in fighting such attacks, (computer) forensics afterwards, crime investigation or court operation

Example for report:

http://www.wired.com/politics/security/news/2008/03/epilepsy

It is suspected, that this might have been the first targeted attack to harm patients (In a forum a poster claimed, that this was no attack on the patients but just blinking advertisements embedded via XSS hole).

--
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/