An EU agency has grappled with thorny issues surrounding the adoption of IoT technology in hospitals to draft a series of best practice guidelines.

The European Union Agency for Network and Information Security (ENISA) study engaged information security officers from more than 10 hospitals across the EU, painting a picture of the smart hospital ICT ecosystem. Security experts at the agency analysed attack scenarios before coming up with a risk-based approach that focuses on relevant threats and vulnerabilities.

Increased risks, ranging from ransomware attacks on hospitals' IT systems and DDoS assaults to hackers selling stolen medical data through cybercrime forums, show that a change in mentality by hospital IT staff and their managers is required, according to ENISA. Modernisation and innovations such as remote patient care are pushing hospitals towards the adoption of smart solutions. Emerging security and safety issues are sometimes overlooked or ignored in this headlong rush.

The introduction of Internet of Things (IoT) components into the hospital ecosystem increases the variety and volume of potential ways hospitals might become vulnerable to cyber-attacks, ENISA warns.

ENISA's recommendations from its report (PDF) centre on a three-point plan.

  • Healthcare organisations should provide specific IT security requirements for IoT components. Only state-of-the-art security measures should be applied.
  • Smart hospitals should identify assets and how these will be interconnected before drawing up policies and practices.
  • Device manufacturers should incorporate security into existing quality assurance systems. Healthcare organisations should be involved in designing systems and services from the very beginning.

ENISA executive director Udo Helmbrecht commented: "Interconnected, decision-making devices offer automation and efficiency in hospitals, making them at the same time vulnerable to malicious actions. ENISA seeks to co-operate with all stakeholders to enhance security and safety in hospitals adopting smart solutions, namely smart hospitals."

Healthcare is moving up on the policy agenda. The adoption of the EU Directive on Security of Network and Information Systems (NIS) covers healthcare organisations. ENISA plans to support EU member states with the introduction of baseline security measures to the critical sectors, focusing on healthcare organisations, from next year onwards. ®


The Register - Security

Microsoft recently announced that it would begin banning weak passwords for a variety of its services and also introduced a feature called Smart Password Lockout to prevent attackers from guessing passwords. How is Microsoft banning these weak passwords, and how does the Smart Password Lockout work? Will these things benefit enterprises or just complicate matters?

Stealing passwords is big business in the world of cybercrime. One Russian hacker known as the Collector has recently been offering more than 250 million stolen usernames and passwords for Yahoo Mail, Gmail, Hotmail and other accounts. Another hacker nicknamed Peace is advertising for sale a database of 167 million emails and hashed passwords belonging to LinkedIn users. As many people use the same username and password for multiple sites, their credentials can potentially provide easy access to social media accounts, online banking services and enterprise networks and resources. According to Microsoft's Security Intelligence Report Volume 20, it detects more than 10 million credential attacks every day across its various identity systems.

When these big password lists come onto the market they are analyzed both by cybercriminals and security teams, such as Microsoft's Azure Active Directory Identity Protection team -- everyone is looking to see which passwords are the most common. Microsoft is using this information to dynamically update its banned list of common and similar weak passwords. Now, before a user's proposed password is accepted for her Microsoft Account or in Azure AD, it's compared against this list to ensure it's not present. If it is on the list, the user is prompted to choose a password that's harder for other people to guess. By preventing users from choosing common and easy-to-guess weak passwords, it reduces the chances of their passwords being cracked by a rainbow table or a dictionary-based brute-force attack.

On top of this feature, Microsoft is also introducing Smart Password Lockout to reduce the disruption caused by hackers trying to guess an account password online and triggering an account lockdown. When Microsoft's security system detects someone trying to guess a password online, it will only lock out that specific login session. This means when the genuine user tries to log in, the account is not locked, and as long as she enters the correct username and password, she can access her account. This will save huge amounts of time and frustration given the millions of attacks that occur each day. The only time a genuine user will be locked out is if someone is judged to be trying to guess her password while using the user's own machine or network.
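The two mechanisms described above (a banned list that also catches near-variants of common passwords, and a lockout keyed to the attempt's source rather than to the account) as an added, runnable sketch. This is illustrative code, not Microsoft's implementation; the banned list, the leetspeak map, the five-failure threshold and the sample addresses are constructed assumptions.

```python
import re

# Constructed stand-in for a dynamically updated banned list; Microsoft's real list
# is far larger and is not reproduced here.
BANNED = {"password", "letmein", "qwerty", "iloveyou", "welcome"}

# Substitutions people use to get a common word past a naive blocklist (assumed set).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to its base word: lowercase, drop trailing digits and
    punctuation, then undo leetspeak, so 'P@ssw0rd2016' and 'password' match."""
    base = re.sub(r"[\d!?.]+$", "", password.lower())
    return base.translate(LEET)


def is_banned(password: str) -> bool:
    """Reject a proposed password whose normalized form is on the banned list."""
    return normalize(password) in BANNED


# Smart lockout: failures are counted per (account, source) pair, so guessing from
# elsewhere locks only that guesser's sessions, not the genuine user's account.
MAX_FAILURES = 5  # assumed threshold
_failures: dict[tuple[str, str], int] = {}


def is_locked(account: str, source: str) -> bool:
    return _failures.get((account, source), 0) >= MAX_FAILURES


def record_failure(account: str, source: str) -> bool:
    """Count one failed attempt; return True once this account+source is locked."""
    key = (account, source)
    _failures[key] = _failures.get(key, 0) + 1
    return is_locked(account, source)


def record_success(account: str, source: str) -> None:
    """A correct login from a source clears that source's counter only."""
    _failures.pop((account, source), None)
```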

Although many policies and online services try to enforce strong passwords by requiring users to choose a password with a minimum length and complexity, Microsoft has found that this forces people to standardize their passwords in order to remember them, making it easier for hackers to crack them. Preventing users from choosing common weak passwords will certainly improve the effectiveness of many password policies by ensuring passwords are more unique, and therefore harder to guess. Although these security features will certainly help improve password security, some users may struggle to remember harder passwords.

As bad passwords are a major weakness in endpoint security, enterprises should be moving to multifactor authentication (MFA), particularly when users need to access sensitive resources or information. MFA makes it a lot harder for a hacker to use stolen credentials to gain access to endpoint devices and the rest of the network. The presence of high-quality cameras, microphones and fingerprint readers in many of today's devices means it's never been easier to implement. The FIDO specification supports a wide range of authentication technologies, including biometrics, USB security tokens and smart cards, that can be deployed without extensive programming. Hopefully these technologies will help end the role of the password as the primary authentication factor.


This was first published in September 2016

SearchSecurity: Security Wire Daily News


Kuna is a smart home security camera in a stylish outdoor light that detects and allows you to interact with people outside your door. The security device includes HD live and recorded video, two-way intercom, alarm, smart motion detection alerts to your phone, and more. Installation takes about 15 minutes and there are no batteries to replace, so you have continuous protection around the clock. Be protected at all times: access HD live video from its 720P wide-angle camera, communicate via its two-way intercom from your mobile device, or activate its 100 dB alarm siren. Smart light control lets you turn your lights on or off remotely, or program a schedule for when you're away. Access live video or review and download events for 2 hours free, or for up to 30 days on an optional subscription plan starting as low as $4.99 per month. This Kuna security light averages 4 out of 5 stars from over 330 people (read reviews), and its typical list price of $199 has been reduced 20% to $159. See the discounted Kuna Smart Home Security Light and Camera on Amazon.

This story, "20% off Kuna Smart Home Security Outdoor Light & Camera - Deal Alert" was originally published by TechConnect.

A popular brand of smart electrical sockets is plagued by several serious vulnerabilities that expose networks to remote attacks, Bitdefender researchers reported on Thursday.

The affected vendor has not been named since it has yet to release patches for the vulnerable product. The fix is expected to become available sometime in the third quarter of 2016.

Smart electrical sockets allow users to create on/off schedules for their devices, monitor energy usage and prevent overheating. In many cases, these products can be controlled remotely using a mobile application.

The product analyzed by Bitdefender researchers Dragos Gavrilut, Radu Basaraba and George Cabau is a smart socket that is installed, configured and controlled using iOS and Android apps available on the App Store and Google Play.

During the setup process, the user is instructed to provide the Wi-Fi credentials needed by the device to connect to the local wireless network. The device is also registered with the vendor’s server through a UDP message containing the device’s name, model and MAC address.

Experts discovered several vulnerabilities, including the fact that the socket’s hotspot is protected by weak, default credentials, and users are not warned about the risks of leaving them unchanged.

Another problem is that the mobile app transfers Wi-Fi credentials in clear text, allowing an attacker to intercept the information. Furthermore, communications between the device and the application go through the manufacturer’s server without being encrypted – the data is only encoded and can be easily decoded.

According to researchers, the security weaknesses plaguing the product can be exploited by a remote attacker who knows the MAC and default password to take control of the device. This includes making configuration changes (e.g. modifying schedules) and obtaining user information.

While some might argue that a smart socket does not store any sensitive information, the product analyzed by the security firm includes an email notification feature that requires the user to provide their email username and password. If an attacker gains access to the device, they can steal the victim’s email credentials and hack their account.

Experts also found that due to the lack of password sanitization, attackers can inject arbitrary commands into new password requests. This allows them not only to overwrite the root password, but also to open the embedded Telnet service and remotely hijack the device. The method can also be used to install malicious firmware, which gives hackers persistent access to the socket and from there to all the other devices on the local network.
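A hardened handler for the kind of password-change request described above, as an added example rather than the vendor's firmware: the request shape, the 8-64 character policy, the user-name rule and the use of chpasswd over stdin are assumptions.

```python
import re
import subprocess

# Assumed policy: 8-64 characters from a conservative allowlist. Whitespace, quotes,
# ':' (the chpasswd field separator) and shell control characters such as
# ; | & $ ` < > ( ) are excluded before the value goes anywhere near a system tool.
ALLOWED = re.compile(r"[A-Za-z0-9!#%+,.\-/=?@^_]{8,64}")
USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def validate_new_password(candidate: str) -> bool:
    """The sanitization step the article says was missing: reject anything
    outside the allowlist instead of trusting the request body."""
    return ALLOWED.fullmatch(candidate) is not None


def set_device_password(user: str, candidate: str) -> None:
    """Change a local account password without building a shell command string.
    The weak pattern this replaces is interpolating the request body into a
    command handed to a shell; here the program is invoked by argument vector and
    the value only travels over chpasswd's stdin, so no shell ever parses it."""
    if not USERNAME.fullmatch(user):
        raise ValueError("invalid user name")
    if not validate_new_password(candidate):
        raise ValueError("password has disallowed characters or bad length")
    subprocess.run(["chpasswd"], input=f"{user}:{candidate}\n", text=True, check=True)
```

Validation runs before any process is spawned, so a rejected request never reaches chpasswd at all.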

“This type of attack enables a malicious party to leverage the vulnerability from anywhere in the world”, said Alexandru Balan, chief security researcher at Bitdefender. “Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving, however, this flaw allows hackers to control devices over the Internet and bypass the limitations of the network address translation. This is a serious vulnerability, we could see botnets made up of these power outlets.”


Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed