Feral Jundi

Thursday, September 30, 2010

Technology: Cyber Assassination

In Italy, not too long ago, a mob boss was shot but survived the shooting. That night, while he was in the hospital, the assassins hacked into the hospital computer and changed his medication so that he would be given a lethal injection. He was a dead man a few hours later. They then changed the medication order back to its correct form, after it had been incorrectly administered, to cover their tracks so that the nurse would be blamed for the “accident.” 

*****

     This is an interesting thought.  Is cyber assassination possible and if so, is there an example of cyber assassination?  The article below is what grabbed my attention and I wanted to investigate.

     From what I can gather, I found these three sources for the mob boss killing, but I have yet to find a news source. If anyone can confirm or deny that this actually happened, complete with a source, I would be very interested to read it.  I will also make an edit.

     The other thing I wanted to do is present possible scenarios in which cyber assassination could be feasible.  Below I listed several news stories of medical device security and hospitals/industrial plants being hacked. I also think the latest cyber attack against Iran’s nuclear facilities is an example of this type of hacking. So the ability to get into these sensitive and supposedly secure places in the present day is feasible.

     Which leads me to my next point and that is if these things can be hacked into, then could the next step be actually causing death? A terrorist attack designed to kill many people, or an assassination of a specific individual? Food for thought. –Matt

—————————————————————–

Cyber terrorism hits Nigeria

Saturday, September 25, 2010

(a paragraph from the article)

In Italy, not too long ago, a mob boss was shot but survived the shooting. That night, while he was in the hospital, the assassins hacked into the hospital computer and changed his medication so that he would be given a lethal injection. He was a dead man a few hours later. They then changed the medication order back to its correct form, after it had been incorrectly administered, to cover their tracks so that the nurse would be blamed for the “accident.”

Story here.

——————————————————————

From Could A Computer Kill You?

According to the sites below, a mob boss was shot but survived. That night while he was in the hospital, the assassins hacked into the hospital computer and changed his medication so that he would be given a lethal injection. He died a few hours later.

Examples of Cyber-terrorism from

Examples of Cyber-terrorism from 1998

CYBER TERRORISM

CYBER TERRORISM IN THE CONTEXT OF GLOBALIZATION

Link to site here.

——————————————————————

Expert: Hackers penetrating industrial control systems

Digging out from infrastructure attacks could take months, Joseph Weiss says

By Grant Gross

March 19, 2009

IDG News Service – The networks powering industrial control systems have been breached more than 125 times in the past decade, with one resulting in U.S. deaths, a control systems expert said Thursday.

Joseph Weiss, managing partner of control systems security consultancy Applied Control Solutions, didn’t detail the breach that caused deaths during his testimony before a U.S. Senate committee, but he said he’s been able to find evidence of more than 125 control systems breaches involving systems in nuclear power plants, hydroelectric plants, water utilities, the oil industry and agribusiness.

“The impacts have ranged from trivial to significant environmental damage to significant equipment damage to deaths,” he told the Senate Commerce, Science and Transportation Committee. “We’ve already had a cyber incident in the United States that has killed people.”

At other times, Weiss has talked about a June 1999 gasoline pipeline rupture near Bellingham, Wash. That rupture spilled more than 200,000 gallons of gasoline into two creeks, which ignited and killed three people. Investigators found several problems that contributed to the rupture, but Weiss has identified a computer failure in the pipeline’s central control room as part of the problem.

It could take the U.S. a long time to dig out from coordinated attacks on infrastructure using control systems, Weiss told the senators. Damaged equipment could take several weeks to replace, he said. A coordinated attack “could be devastating to the U.S. economy and security,” he said. “We’re talking months to recover. We’re not talking days.”

The industrial control system industry is years behind the IT industry in protecting cybersecurity, and some of the techniques used in IT security would damage control systems, Weiss added. “If you penetration-test a legacy industrial control system, you will shut it down or kill it,” he said. “You will be your own hacker.”

Part of the problem is that there are only a handful of control systems suppliers, and their architectures and default passwords are common to each vendor, Weiss said. In addition, there are probably fewer than 100 experts in control system cybersecurity worldwide, and U.S. universities don’t have curriculums focused on control system cybersecurity, he added.

Attacks are coming from outsiders, but also from employees or former employees, Weiss said. “I believe the threat is increasing not only because of nation states … but because the economic downturn has created many disgruntled but knowledgeable antagonists,” he said.

Weiss gave three examples of cases involving disgruntled employees, including a recent case in California, where an employee disabled the leak detection systems in three oil derricks off the coast.

Senators called for an increased focus on cybersecurity in the U.S. government and private industry. “It’s very important for people to know that cybersecurity is not just about protecting our government networks from countries with terrorists or hackers who want our secrets,” said Sen. Jay Rockefeller, a West Virginia Democrat and committee chairman. “It’s about protecting our nation’s critical infrastructure from cyberattacks that could severely impact commerce and the economy, that are absolutely devastating.”

Too many U.S. residents don’t think or know about the ongoing cyberattacks, Rockefeller added.

However, James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies, also called on Congress to focus on traditional IT security in addition to control systems. Right now, intellectual property in the U.S. is being compromised, and those losses will hurt the long-term competitiveness of the nation, he said.

While control systems represent a potential for attack, “we’re under attack right now,” Lewis said. “I worry more about the loss of information. Right now, we are being robbed by foreign entities of our most valuable technology, and we have to stop that.”

Story here.

—————————————————————–

Frequently Asked Questions (FAQ)

What is the Medical Device Security Center?

The Medical Device Security Center is a cross-disciplinary partnership between researchers at:

the Beth Israel Deaconess Medical Center, Harvard Medical School,

the University of Massachusetts Amherst, and

the University of Washington.

Our mission is to help improve the understanding of and balance between security, privacy, safety, and effectiveness for next-generation medical and pervasive healthcare devices.

The center is directed by Prof. Kevin Fu (University of Massachusetts Amherst), Prof. Tadayoshi Kohno (University of Washington), and Dr. William H. Maisel (Beth Israel Deaconess Medical Center and Harvard Medical School).

What are implantable medical devices (IMDs)?

Implantable Medical Devices (IMDs) monitor and treat physiological conditions within the body, and can help patients lead normal and healthy lives.

There are many different kinds of IMDs, including pacemakers, implantable cardiac defibrillators (ICDs), drug delivery systems, neurostimulators, swallowable camera capsules, and cochlear implants. These devices can help manage a broad range of ailments, including: cardiac arrhythmia; diabetes; chronic pain; Parkinson’s disease; obsessive compulsive disorder; depression; epilepsy; obesity; incontinence; and hearing loss.

IMDs’ pervasiveness continues to swell, with approximately twenty-five million U.S. citizens currently benefiting from therapeutic implants.

What are pacemakers and implantable cardiac defibrillators (ICDs)?

Pacemakers and ICDs are both designed to treat abnormal heart conditions. About the size of a pager, each device is connected to the heart via electrodes and continuously monitors the heart rhythm.

Pacemakers automatically deliver low energy signals to the heart to cause the heart to beat when the heart rate slows. Modern ICDs include pacemaker functions, but can also deliver high voltage therapy to the heart muscle to shock dangerously fast heart rhythms back to normal.

Pacemakers and ICDs have saved innumerable lives, and there are millions of pacemaker and ICD patients in the U.S. today.

Can you summarize your findings with respect to the security and privacy of a common implantable cardiac defibrillator (ICD)?

As part of our research we evaluated the security and privacy properties of a common ICD. We investigated whether a malicious party could create his or her own equipment capable of wirelessly communicating with this ICD.

Using our own equipment (an antenna, radio hardware, and a PC), we found that someone could violate the privacy of patient information and medical telemetry. The ICD wirelessly transmits patient information and telemetry without observable encryption. The adversary’s computer could intercept wireless signals from the ICD and learn information including: the patient’s name, the patient’s medical history, the patient’s date of birth, and so on.

Using our own equipment (an antenna, radio hardware, and a PC), we found that someone could also turn off or modify therapy settings stored on the ICD. Such a person could render the ICD incapable of responding to dangerous cardiac events. A malicious person could also make the ICD deliver a shock that could induce ventricular fibrillation, a potentially lethal arrhythmia.

For all our experiments our antenna, radio hardware, and PC were near the ICD. Our experiments were conducted in a computer laboratory and utilized simulated patient data. We did not experiment with extending the distance between the antenna and the ICD.

Do other implantable medical devices have similar issues?

We only studied a single implantable medical device. We currently have no reason to believe that any other implantable devices are any more or less secure or private.

Can you summarize your approaches for defending against the security and privacy issues that you raise?

Our previous research (IEEE Pervasive Computing, January-March 2008) highlights a fundamental tension between (1) security and privacy for IMDs and (2) safety and effectiveness. Another goal we tackle in our research is the development of technological mechanisms for providing a balance between these properties. We propose three approaches for providing this balance, and we experiment with prototype implementations of our approaches. Our approaches build on the WISP technology from Intel Research.

Some IMDs, like pacemakers and ICDs, have non-replaceable batteries. When the batteries on these IMDs become low, the entire IMDs often need to be replaced. From a safety perspective, it is therefore critical to protect the battery life on these IMDs. Toward balancing security and privacy with safety and effectiveness, all three of our approaches use zero-power: they do not rely on the IMD’s battery but rather harvest power from external radio frequency (RF) signals.

Our first zero-power approach utilizes an audible alert to warn patients when an unauthorized party attempts to wirelessly communicate with their IMD. Our second approach shows that it is possible to implement cryptographic (secure) authentication schemes using RF power harvesting. Our third zero-power approach presents a new method for communicating cryptographic keys (“sophisticated passwords”) in a way that humans can physically detect (hear or feel). The latter approach allows the patient to seamlessly detect when a third party tries to communicate with their IMD.

We do not claim that our defenses are final designs that IMD manufacturers should immediately incorporate into commercial IMDs. Rather, we believe that our research helps establish a potential foundation upon which the community can innovate other new defensive mechanisms for future IMD designs.

Where will these results be published?

Our results will be published at the IEEE Symposium on Security and Privacy in May 2008. The IEEE is a leading professional association for the advancement of technology. The IEEE Symposium on Security and Privacy is one of the top scholarly conferences in the computer security research community. This year the conference accepted 28 out of 249 submissions (11.2%). All papers were rigorously peer-reviewed by at least three members of the IEEE Security and Privacy committee.

Should patients be concerned?

We strongly believe that nothing in our report should deter patients from receiving these devices if recommended by their physician. The implantable cardiac defibrillator is a proven, life-saving technology. We believe that the risk to patients is low and that patients should not be alarmed. We do not know of a single case where an IMD patient has ever been harmed by a malicious security attack. To carry out the attacks we discuss in our paper would require: malicious intent, technical sophistication, and the ability to place electronic equipment close to the patient. Our goal in performing this study is to improve the security, privacy, safety, and effectiveness of future IMDs.

What have you done to ensure that these findings will not be used for malicious intent?

We specifically and purposefully omitted methodologic details from our paper, thereby preventing our findings from being used for anything other than improving patient security and privacy.

How can I learn more?

Our paper is online here (PDF). Please also visit the homepage for the Medical Device Security Center.

The following answers several frequently asked questions about our research paper entitled Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.

Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses

Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, and William H. Maisel

IEEE Symposium on

——————————————————————

From wikipedia.

The Therac-25 was a radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) after the Therac-6 and Therac-20 units (the earlier units had been produced in partnership with CGR of France). It was involved with at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation, approximately 100 times the intended dose.[2] Three of the six patients died as a direct consequence. These accidents highlighted the dangers of software control of safety-critical systems, and they have become a standard case study in health informatics and software engineering.

1 Comment

  1. Such a great article which that rupture spilled more than 200,000 gallons of gasoline into two creeks, which ignited and killed three people. Investigators found several problems that contributed to the rupture, but Weiss has identified a computer failure in the pipeline’s central control room as part of the problem.
    It could take the U.S. a long time to dig out from coordinated attacks on infrastructure using control systems, Weiss told the senators. Thanks for sharing this article.

    Comment by Heather — Monday, March 12, 2012 @ 12:18 AM
