Full Disclosure mailing list archives
Re: Reliable reports on attacks on medical software and IT-systems available?
From: halfdog <me () halfdog net>
Date: Wed, 11 Aug 2010 10:26:09 +0000
Paul Schmehl wrote:
--On Tuesday, August 10, 2010 21:03:35 +0000 halfdog <me () halfdog net> wrote:* All hackers keep some sense of ethics, so that they feel it is OK to attack "technical" targets but find it inacceptable to attack the health of innocent people (if this is the main cause, terrorists might cause significant change in risk assessment of medical software and services)Not a chance. How would they even know they were medical devices until *after* they have successfully attacked them?
I guess most hackers will know, to which infrastructure they are connected (If you are sitting in front of a hospital and get a connection to the WLAN with SSID "[name of hospital]-AMB" you might have a good guess where you are in). And as soon as they start looking around (e.g. sniffing of SMB broadcasts), it would take only some reasoning to find out, what the machines are for. The hospital data theft/blackmailers seem to have known where to look for data too.
* There are reports, but I do not know about them (so I'm asking around)Most likely answer. I know about some, but I'm not telling you. Or anyone else for that matter. :-)
So your are telling that problems with hospital IT/medical systems are not reported and published? From my understanding, the medical devices directive would force producers to report incidents and these reports _have_ to be published. I also think that laboratory/clinics information systems do not fall in that category, so reporting might be optional. Anyway, these reports would be useful to perform sensible risk assessment when producing new software and would allow fixing of "community-known-bugs" before someone turns them against infrastructure or people.
* Medical personal in hospitals with high grade of IT-system usage are so trained and skilled, so that they detect manipulation and no harm is doneLaughable. Medical personnel wouldn't have a clue about whether their systems have been hacked. Their IT staff *might*.
Sorry, I was unclear: Of course, they cannot detect the hackers, but they might see the results and act, e.g. normal dosage of medicament is 10mg and computer requests to give 1000mg (100 pills) or computer says "perform amputation of left leg" but leg seems health, while other one has severe circulatory disorder. -- http://www.halfdog.net/ PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Reliable reports on attacks on medical software and IT-systems available? halfdog (Aug 10)
- Re: Reliable reports on attacks on medical software and IT-systems available? halfdog (Aug 10)
- Re: Reliable reports on attacks on medical software and IT-systems available? Paul Schmehl (Aug 10)
- Re: Reliable reports on attacks on medical software and IT-systems available? halfdog (Aug 11)
- Re: Reliable reports on attacks on medical software and IT-systems available? Caspian (Aug 12)
- Re: Reliable reports on attacks on medical software and IT-systems available? Paul Schmehl (Aug 12)
- Re: Reliable reports on attacks on medical software and IT-systems available? Jeffrey Walton (Aug 13)
- Re: Reliable reports on attacks on medical software and IT-systems available? Paul Schmehl (Aug 10)
- Re: Reliable reports on attacks on medical software and IT-systems available? halfdog (Aug 10)
- Re: Reliable reports on attacks on medical software and IT-systems available? BMF (Aug 10)
- Re: Reliable reports on attacks on medical software and IT-systems available? Shawn Merdinger (Aug 25)