Wednesday, August 20, 2014

$50,000 Internet Defense Prize awarded today at USENIX Security

Graduate Research
Today, Facebook awarded $50,000 to a pair of security researchers who authored a peer-reviewed paper at the 23rd Annual USENIX Security Symposium on "Static Detection of Second-Order Vulnerabilities in Web Applications."  The authors intend to use the funds to take their software prototype to the next level. As the program chair of the USENIX Security Symposium, I am delighted that Facebook selected our conference to search for the best defensive work that prevents vulnerabilities and reduces the effectiveness of attacks.  Facebook intends to make this an annual prize, and may even increase the prize amount.

The reason I mention this award here is for the medical device community to think about effective strategies to encourage the security research community to engage in constructive problem solving to improve medical device security.  I think the industry would see a shift in thinking if constructive problem solving were better rewarded.

Tuesday, August 19, 2014

NY Times implicates a nation state in compromise of data of 4.5 million patients

Photo from NY Times
The NY Times has an article that examines a recent information breach at a hospital based on an SEC filing.  One interesting aspect is that the article claims the attack was carried out by a nation state.  I would like to see more information to back up this claim, but it is in the realm of possibility.  The SEC filing states that no medical records are believed to have been compromised, so it's not clear what exactly was taken.

Saturday, August 2, 2014

What's Bugging Cigital on Security Analysis of Medical Devices

Bug finding?  (Image licensed with permission.)
Earlier this summer, Gary McGraw and Chandu Ketkar wrote up a refreshingly analytic article on their experiences in analyzing the security of medical devices. Chandu presented more detailed results at the Archimedes Workshop on Medical Device Security (slides are available to institutional members). It's natural for humans to focus on inputs or outputs that are easily counted (e.g., bugs) rather than less easily countable things such as deeper analysis of causation. Such outcomes often require expert engineers to grok the findings and recommendations. Don't get me wrong: bug finding is an essential ingredient for security. And finding oodles of bugs can help in tangible ways if management needs convincing. However, at the end of the day there are still basic engineering issues one must solve to actionably improve medical device security.

Gary and Chandu talk about the typical architectural flaws they find in medical devices. Want some meaningful improvements in security architecture? Read on.