Showing posts with label security. Show all posts

Thursday, June 22, 2017

Posted by beni | June 22, 2017

$50,000 Internet Defense Prize awarded today at USENIX Security


Graduate Research
Today, Facebook awarded $50,000 to a pair of security researchers who authored a peer-reviewed paper at the 23rd Annual USENIX Security Symposium on "Static Detection of Second-Order Vulnerabilities in Web Applications." The authors intend to use the funds to take their software prototype to the next level. As the program chair of the USENIX Security Symposium, I am delighted that Facebook selected our conference to search for the best defensive work that prevents vulnerabilities and reduces the effectiveness of attacks. Facebook intends to make this an annual prize, and may even increase the prize amount.

The reason I mention this award here is for the medical device community to think about effective strategies to encourage the security research community to engage in constructive problem solving that improves medical device security. I think the industry would see a shift in thinking if constructive problem solving were better rewarded.

Friday, June 9, 2017

Posted by beni | June 09, 2017

A Fluke of Security Issues from Updating Software on Windows Based X Ray Testers


Imagine you'd like to test X-ray machines in a hospital, dental office, etc. for safety and calibration. X-ray testers come into play. So how does one maintain the software used with X-ray testers? How do you know that you've downloaded the legitimate software?


The TNT 12000 X-Ray Test Device from Fluke Biomedical distributes its software updates online. Worried about the security of your hospital network while downloading software? Concerned that installing software might violate your hospital's corporate security policies and get you in hot water with your CIO or CISO if you accidentally download malware? No problem. Trust the Internet. Just download the .EXE file or the ZIP file using any shared Internet connection from an HTTP site. No need for connection-oriented SSL security or pesky end-to-end digital signatures on integrity-protected content. Another time saver for increased productivity.


Tuesday, May 2, 2017

Posted by beni | May 02, 2017

A major security problem with the Linux operating system


If you read this article, you will see this can be one big issue. I am trying to find the bug in Bugzilla; I think it is already there and will be solved. Also, lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and the technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols, as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. It aims to be portable and efficient, with a focus on security and interoperability.
Updated gnutls packages that fix this security issue are available; read more about this here.
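The defect behind this advisory (tracked as CVE-2014-0092) was a boolean-style certificate check that returned a negative error code on an unexpected error while its callers treated any non-zero value as "true", so an unparseable extension on a crafted certificate was read as "this is a CA". The following is an added, constructed model of that pattern and its fix; it is not GnuTLS's own code, and cert_t, ERR_BAD_EXTENSION and the sample certificates are assumptions made for the illustration.

```c
#include <stdbool.h>

/* Constructed stand-in for a parsed certificate (not GnuTLS's real struct):
 * only the two fields this demonstration needs. */
typedef struct {
    bool has_basic_constraints; /* basicConstraints extension present and parseable */
    bool is_ca;                 /* the CA flag, meaningful only if the above is true */
} cert_t;

/* Constructed negative error code; real GnuTLS APIs also signal errors as
 * negative integers. */
#define ERR_BAD_EXTENSION (-43)

/* Vulnerable pattern: a boolean-style check that, on an unexpected error,
 * returns the negative error code instead of 0 (false). */
static int check_if_ca_vulnerable(const cert_t *c) {
    if (!c->has_basic_constraints)
        return ERR_BAD_EXTENSION; /* the error code escapes as the "answer" */
    return c->is_ca ? 1 : 0;
}

/* Fixed pattern: every error path collapses to 0, i.e. "not a CA". */
static int check_if_ca_fixed(const cert_t *c) {
    if (!c->has_basic_constraints)
        return 0;
    return c->is_ca ? 1 : 0;
}

/* Caller in the style that made the bug exploitable: any non-zero result is
 * taken as "true", so -43 counts as "this issuer is a CA". */
static bool issuer_accepted(int (*check)(const cert_t *), const cert_t *issuer) {
    return check(issuer) != 0;
}

/* Defensive caller: only a strictly positive result means "true"; errors and
 * false both reject, which contains the damage even with the buggy check. */
static bool issuer_accepted_strict(int (*check)(const cert_t *), const cert_t *issuer) {
    return check(issuer) > 0;
}

/* Constructed sample certificates. */
static const cert_t CERT_CA     = { true,  true  }; /* genuine CA */
static const cert_t CERT_LEAF   = { true,  false }; /* end-entity, CA=false */
static const cert_t CERT_BROKEN = { false, false }; /* crafted: extension unparseable */
```

The lesson for reviewers is that a function whose name reads as a yes/no question must never return a value outside {0, 1}, and callers of C APIs that use negative error codes should test for `> 0`, not `!= 0`.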

Friday, April 21, 2017

Posted by beni | April 21, 2017

A Musical Interlude to Medical Device Security


We at Archimedes have been busy running security engineering tutorials at medical device manufacturers and hospitals over the past several months, so we have not had the opportunity to post new material lately. We are also in the middle of scheduling various seminars on medical device security at hospitals as part of October's National Cybersecurity Awareness Month.

In the meantime, to brighten your day, here is a music video co-authored by yours truly about the woes of compilers, gdb, and autograders for programming homework, to the tune of Taylor Swift's "Shake It Off."

