The Increasing Threat to Industrial Control Systems/Supervisory Control and Data Acquisition Systems

23 03 2013

This blog has previously discussed Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems in two earlier posts, most recently in November 2012.  Recently, ICS-CERT has released several bulletins whose trends and numbers show an increase in the threats to ICS.

How much is the threat increasing?

ICS-CERT noted that in Fiscal Year (FY) 2012 (10/1/2011-9/30/2012) they “responded to 198 cyber incidents reported by asset owners and industry partners” and “tracked 171 unique vulnerabilities affecting ICS products”(ICS-CERT Operational).  This is an approximately five-fold increase over the number of incidents reported in FY2010 (41) (ICS-CERT Incident).

Why is the threat increasing?

While some of this sharp increase may be attributable to ICS-CERT having begun operations only in FY2009 (ICS-CERT Incident), and to the associated delay before industry became aware of this reporting resource, it is likely that the number of ICS cyber incidents has genuinely been increasing, for the following reasons:

1)  “Many researchers” have “begun viewing the control systems arena as an untapped area of focus for vulnerabilities and exploits” and are using “their research to call attention to it.” (ICS-CERT 2010)

2)  Availability of search engines such as SHODAN that are tailored to assist operators, researchers (and attackers) in identifying internet-accessible control systems (ICS-ALERT-12-046-01A)

3)  Increased interest by hacktivists and hackers in ICS (ICS-ALERT-12-046-01A)

4)  Release of ICS exploits for toolkits such as Metasploit (ICS-ALERT-12-046-01A)

5)  An increased interest by attackers, possibly associated with foreign governments, in obtaining information regarding ICS and ICS software, for example stealing information related to SCADA software (Rashid) or, in the case of Stuxnet, attacking ICS to damage or shut down the controlled hardware (Iran).

Why are ICS networks still so insecure?

Some responsibility for the state of ICS security should be attributed to the primacy of Availability in the minds of ICS operators when they weigh the Confidentiality-Integrity-Availability triad.  This leads to long periods between declared outage windows, and thus an extended delay before new hardware or network security controls can be put in place.  However, ICS insecurity can itself cause or extend outages: a power generating facility recently failed to restart operations on time because a virus carried in on a thumb drive infected the control environment (Virus).  In this instance, availability of the plant was impacted by a security event that extended the planned outage by approximately three weeks (Virus).

How can ICS operators increase security?

With this in mind, it is imperative that ICS operators begin or continue to treat increased security of ICS IT operations seriously, and factor increasing security into their procurement and redesign plans.  Failure to do so can lead to increased outages or damage to operating equipment (see Stuxnet).  The good news is that there are security practices that can be put in place in the (hopefully) tightly controlled ICS environment that may not work in the comparatively more free-wheeling office network, including application white-listing (ICS-TIP-12-146-01B).  As many ICS vendors recommend against applying routine operating system patches, white-listing may assist in preventing the execution of malicious code introduced into the environment (ICS-TIP-12-146-01B).
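As an added illustration of the decision logic behind application whitelisting (this is example code written for this page, not code from the original post or from ICS-CERT), the following Python script baselines the SHA-256 hashes of the binaries on a host during an outage window, and afterwards allows execution only of files whose path and content both match the baseline. The host layout and file contents are constructed inside the script; real enforcement is done by the operating system or a whitelisting product, but the allow/deny decision is the same.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Hash every file under root; run once on a clean host during an outage window."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(path)
    return baseline


def execution_allowed(root, rel, baseline):
    """Allow-list decision: known path AND unchanged content, otherwise deny."""
    path = os.path.join(root, *rel.split("/"))
    return rel in baseline and os.path.isfile(path) and sha256_file(path) == baseline[rel]


def audit(root, baseline):
    """Compare the current file set with the baseline and bucket every difference."""
    current = build_baseline(root)
    report = {"approved": [], "modified": [], "unlisted": [], "missing": []}
    for rel, digest in current.items():
        if rel not in baseline:
            report["unlisted"].append(rel)       # dropped after baselining
        elif digest != baseline[rel]:
            report["modified"].append(rel)       # approved name, tampered content
        else:
            report["approved"].append(rel)
    report["missing"] = list(set(baseline) - set(current))
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Constructed scenario (hypothetical file names): baseline an HMI host,
    then simulate an infection brought in on a thumb drive."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        files = {"bin/hmi.exe": b"approved HMI binary v1",
                 "bin/historian.exe": b"approved historian binary v1"}
        for rel, data in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)
        # After baselining: one approved binary is tampered with, one new file appears.
        with open(os.path.join(root, "bin", "hmi.exe"), "ab") as f:
            f.write(b" + injected code")
        with open(os.path.join(root, "bin", "update.exe"), "wb") as f:
            f.write(b"unapproved binary from a thumb drive")
        decisions = {rel: execution_allowed(root, rel, baseline)
                     for rel in ("bin/historian.exe", "bin/hmi.exe", "bin/update.exe")}
        return audit(root, baseline), decisions


if __name__ == "__main__":
    report, decisions = demo()
    print(report)
    print(decisions)
```

Because the decision is content-based rather than name-based, the tampered hmi.exe is denied even though its path is on the list; this is the property that lets whitelisting compensate for unpatched hosts, since malware has to change a file or add one to run.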

Other possible security controls that ICS operators should consider implementing include those suggested by ICS-CERT  (ICS-TIP-12-146-01B):

Network Segmentation – With the increasing frequency of taking formerly air-gapped control networks and connecting them to corporate networks and the internet, it is increasingly important that appropriate security measures be put in place to segment the control network as much as possible from more general-purpose networks (ICS-TIP-12-146-01B)

Role-Based Access Controls – Access based on job role will decrease the likelihood that an employee is given more access than needed by basing their access on their job function and managing this access by job role instead of user by user (ICS-TIP-12-146-01B)

Increased Logging and Auditing – Incident response, remediation, and recovery (including root cause analysis) in the control network requires that detailed logs be kept and available (ICS-TIP-12-146-01B)

Credential Management (including strict permission management) – Where possible, centralized management of credentials should be implemented to ensure that password policy and resets can be performed more easily.  This centralized management will also ensure that superuser/administrator accounts are tracked and can be more easily disabled if needed (ICS-TIP-12-146-01B)

Develop an Ability to Preserve Forensic Data – Much like logging, the ability to preserve forensic data is important to allow for root cause analysis and, if the event is malicious in nature, identification and prosecution of the intruder/malicious actor.  This includes the ability to capture volatile data such as network connectivity or dynamic memory in addition to the more traditional forensics of hard drives. (ICS-TIP-12-146-01B)


“ICS-ALERT-12-046-01A—(UPDATE) Increasing Threat To Industrial Control Systems.” Industrial Control Systems Cyber Emergency Response Team, 25 October 2012. Web. 28 January 2013.

“ICS-CERT – Operational Review Fiscal Year 2012.” ICS-CERT Monitor. Industrial Control Systems Cyber Emergency Response Team, n.d. Web. 28 January 2013.

“ICS-CERT Incident Response Summary Report.” Industrial Control Systems Cyber Emergency Response Team, n.d. Web. 28 January 2013.

“ICS-CERT – 2010 Year In Review.” Industrial Control Systems Cyber Emergency Response Team, January 2011. Web. 28 January 2013.

“ICS-TIP-12-146-01B—(UPDATE) Targeted Cyber Intrusion Detection And Mitigation Strategies.” Industrial Control Systems Cyber Emergency Response Team, 22 January 2013. Web. 28 January 2013.

“Iran Confirms Stuxnet Worm Halted Centrifuges.” CBS News, 29 November 2010. Web. 2 February 2013.

“Virus Infection At An Electric Utility.” ICS-CERT Monitor. Industrial Control Systems Cyber Emergency Response Team, n.d. Web. 28 January 2013.

Rashid, Fahmida Y. “Telvent Hit by Sophisticated Cyber-Attack, SCADA Admin Tool Compromised.” Security Week. Wired Business Media, 26 September 2012. Web. 2 February 2013.


Designing Non-Observable Passwords

19 03 2013

It is said that a system is only as secure as its weakest link.  It probably comes as little surprise that human beings are often cited as the weakest link in information security, undermining system security by keeping PIN codes in their wallets or even taping a password onto a monitor.  Criminals in search of personal information need only target the user to find what they need.

An even bigger vulnerability is that, for criminals in search of this information, the easiest way to gain access to a system is often simply to watch as users enter their passwords or PINs into the system’s user interface (3).

To address this growing issue, password and PIN rules have had to evolve as attacks increased.  Criminals were able to obtain passwords, which forced system designers to implement more stringent rules.  For instance, PINs, which are usually 4 digits, were in some cases lengthened to 6 or even 8 digits.  Passwords now come with rules such as a minimum of 8 characters including a symbol, a number, and a capital letter.

But the real question is: no matter how long or complex our PINs or passwords are, if a criminal can actually see the information being entered on a keypad or screen, how effective can that password really be?  Yearly losses in the US due to this vulnerability have been estimated at nearly $60 million (1).

This is the fundamental problem with visual passwords today: they are too easy to observe.  But researchers have been trying to solve this problem by developing unobservable password and PIN input techniques.  This post will quickly summarize and discuss a few of the current research projects in this area and the inherent advantages and limitations of each.

Integrating an Unobservable Process with the Traditional Process

VibraPass is a system designed to work alongside existing ATMs (1).  VibraPass is unique in that it adds a second layer of protection to an ATM by leveraging the user’s mobile phone.  The user pairs their phone with the ATM terminal, and each time the phone vibrates the user knows that the next digit they enter must be a “lie”, that is, a wrong digit, which the terminal discards.  Someone watching the entry sees a mixture of real and false digits and cannot tell which is which.

The concept behind this system is effective and, most importantly, user-friendly, as it builds upon the current easy-to-use PIN process.  The downside, however, which VibraPass admits, is that repeated observation by the criminal would eventually give away the pattern and allow them to discern the real password.  “The main weakness of VibraPass is that repeated observations can lead to successful attacks by analyzing the differences between inputs. The highest success rate for an attack can be assumed if the lie overhead is known by the attacker.” (3)

Looking at the security results for VibraPass, the chance of guessing the PIN blindly remains 1 in 10,000 (the same as an ordinary four-digit PIN), and the scheme is particularly weak against two or more observations of the same user (1).
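The repeated-observation weakness quoted above can be shown concretely. The following Python simulation is an added example written for this page (it is not code from the VibraPass authors or from the Open Sesame paper) and makes simplifying assumptions: the ATM picks which input slots are lies, the user types a random digit in a lie slot, and the observer records every digit typed. The observer's attack is that the real PIN must be a subsequence of every entry they have seen, so intersecting the candidate sets across logins shrinks the search space.

```python
import random
from itertools import combinations


def choose_lie_slots(pin_len, lie_overhead, rng):
    """ATM side: pick which input slots will be cued (phone vibrates) as lies."""
    total = pin_len + lie_overhead
    return set(rng.sample(range(total), lie_overhead))


def type_pin(pin, lie_slots, rng):
    """User side: a real digit when the phone is silent, any digit when it vibrates."""
    typed, real = [], iter(pin)
    for slot in range(len(pin) + len(lie_slots)):
        typed.append(str(rng.randrange(10)) if slot in lie_slots else next(real))
    return "".join(typed)


def verify(typed, pin, lie_slots):
    """ATM side: discard the lie slots and compare what is left with the stored PIN."""
    kept = "".join(d for i, d in enumerate(typed) if i not in lie_slots)
    return kept == pin


def candidates(observed, pin_len):
    """Observer side: every ordered selection of pin_len digits from one observed entry."""
    return {"".join(observed[i] for i in idx)
            for idx in combinations(range(len(observed)), pin_len)}


def intersection_attack(observations, pin_len):
    """Observer side: the real PIN is a subsequence of every entry, so intersect the sets."""
    cands = None
    for obs in observations:
        c = candidates(obs, pin_len)
        cands = c if cands is None else cands & c
    return cands


def simulate(pin, lie_overhead, n_observations, seed=7):
    """Run n logins (constructed data, fixed seed) and return what the observer saw
    and which PIN candidates survive the intersection."""
    rng = random.Random(seed)
    seen = []
    for _ in range(n_observations):
        lies = choose_lie_slots(len(pin), lie_overhead, rng)
        typed = type_pin(pin, lies, rng)
        assert verify(typed, pin, lies)   # the legitimate login always succeeds
        seen.append(typed)
    return seen, intersection_attack(seen, len(pin))


if __name__ == "__main__":
    for n in (1, 2, 4, 8):
        seen, cands = simulate("4931", 3, n)
        print(f"{n} observation(s): {len(cands)} candidate PINs left")
```

With a fixed lie overhead the observer also knows the entry length, which is the worst case the quoted passage describes; the candidate set never loses the true PIN, it only shrinks toward it as more logins are watched.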

Combining Audio and Sensory Perceptions into Password Creation

Spinlock is a PIN entry application developed for touchscreen mobile devices.  Spinlock combines several cognitive functions to create a secure, unobservable PIN entry process (1).


Figure 1: A design view of the Spinlock application (2)

Figure 1 above shows the basic design of the application and how the settings work. Spinlock works much like a physical dial lock with incremental numbers and an audio or haptic cue.  The user goes to the settings and selects a random combination as the password.  To enter it, the user places a finger on the circle, spins it in the correct direction, and counts.  Unlike a physical lock, where going three clicks to the right corresponds to a fixed position on the dial, Spinlock emits its auditory or haptic cues at random intervals to notify the user when they have moved one “space”.  This makes it difficult for an observer to tell how many positions the user has moved on the lock (2).

One disadvantage of this system is that the randomized sensory cues can confuse the users themselves, leading to higher input error rates than traditional PIN or password entry. “Also, the majority of errors (78%) involved entering digits one higher or lower than the target item. Comments by participants provided a feasible explanation for this; several spontaneously remarked that the randomly distributed nature of the cues made predicting the location of the final target challenging. In particular, several mentioned that unintentionally overshooting the target item was the most frustrating aspect of the experiment.” (2)

Looking at the security results for Spinlock, the chance of guessing the PIN blindly is again 1 in 10,000, and multiple observations did not improve the observer’s odds (1).


From a user-experience perspective, it is likely that the traditional, visual-based password and PIN system will usually have a higher level of user input accuracy than an auditory or haptic-based system, and will also likely be faster and more efficient.  However, when we look at the security studies, it is clear that the non-visual password systems are much more effective against observation.

Additionally, I believe there is a level of comfort and familiarity between users and the long-known password and PIN system.  Use of auditory and haptic systems might be a little frustrating to understand and use in the beginning, but over time I feel that it will become a norm which people will learn to use.

Besides, if learning to get used to listening or feeling for my password is the alternative to having to memorize a 12-digit code that needs to have at least two capital letters, a symbol, three numbers and needs to be changed every 6 months, then I’m gladly open to learning something new.


  1. Bianchi, Andrea, Ian Oakley, and Dong Soo Kwon. “Open Sesame: Design Guidelines for Invisible Passwords.” Computer, April 2012: 58-65. Print.
  2. Bianchi, Andrea, Ian Oakley, and Dong Soo Kwon. “Spinlock: A Single-Cue Haptic and Audio PIN Input Technique for Authentication.” Springer-Verlag Berlin Heidelberg, 2011. Print.
  3. De Luca, Alexander, Emanuel von Zezschwitz, and Heinrich Hussmann. “VibraPass – Secure Authentication Based on Shared Lies.” Proc. Conf. Human Factors in Computing Systems (2009): 913-16. Print.

Cyber Crime and the Underground Economy

16 11 2012

by Anurag Bhatt

On a bulletin board inaccessible without a Tor browser bundle, a user identified only as “admin” asks, “so I want to ddos attack my buddies ip address for just like 20 minutes, enough to keep his internet down for just a little bit. [C]ould he find out, or could I face penalties?” A user calling himself “rolf” replies, “You can’t DDoS someone on your own. bbye.”[1]

This is an example of one of the more innocuous exchanges that take place on these boards, far removed from the familiar confines of the Internet that people access every day. Few people are aware that beneath the reasonably well-protected and policed Internet they are used to lies a thriving bazaar of illegal trade, where botnets and stolen PayPal accounts are bartered in the same casual manner one would adopt when purchasing a bestseller on

This dark corner of the Internet, called the “deep web” or the “underground,” is not indexed by conventional search engines and cannot be reached without Tor, the anonymity software that operates on the principle of onion routing[2]. Items exchanged within the cyber underground are a mishmash of cyber-attack tools, stolen identities, stolen credit card information and, in many cases, drugs and child pornography. Noah Shachtman, contributing editor at Wired, likens this underground market to “South Bronx circa 1999.”[3] Shachtman calls the underground a “real, serious crime problem” which he estimates yields tens of billions of dollars in profits for the perpetrators. He blames both state actors and people looking to make a profit for the proliferation of cybercrime, and notes that the reward-to-risk ratio for cyber criminals is very high because attacks are cheap to commit and the probability of getting caught is low.

The Cyber Underground

The Merriam-Webster online dictionary carries this as one of the definitions of “underground” – an unofficial, unsanctioned, or illegal but informal movement or group; especially: a usually avant-garde group or movement that functions outside the establishment. [5] In this context, the cyber underground refers to illicit, informal and often illegal exchanges of information, goods and money which take place through the Internet.

In general, Internet traffic is not difficult to trace due to the inherent nature of the protocols that govern information exchange. The Internet, by design, is not made for anonymity. This has led to a slew of anonymization techniques, of which the most resilient and effective is called Tor.

Tor is an acronym for “The Onion Router.” It operates on the principle of onion routing: the client builds a circuit through several volunteer relays and encrypts each message in layers, one layer per relay, with the innermost layer belonging to the last hop. Each relay strips exactly one layer, learns only where the data came from and where it goes next, and forwards the rest. No single relay sees both the originating user and the final destination, which makes traffic very difficult to trace back to individual users[2].
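To make the layering concrete, here is an added example in Python written for this page; it is not Tor's code and deliberately simplifies it. It assumes a three-relay circuit with fixed per-hop symmetric keys (a real Tor client negotiates them hop by hop with Diffie-Hellman) and uses a toy SHA-256 counter-mode keystream in place of Tor's AES-CTR. The point it shows is that each relay can peel only its own layer and learns nothing beyond the next hop.

```python
import hashlib
import os

NONCE_LEN = 16


def keystream(key, nonce, length):
    """Toy keystream: SHA-256 in counter mode. Illustrative only; Tor uses AES-CTR."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def layer_encrypt(key, plaintext):
    """Add one layer: fresh nonce plus XOR with the keystream."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def layer_decrypt(key, blob):
    """Remove one layer; only the holder of this hop's key gets meaningful bytes."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def build_onion(circuit, destination, payload):
    """Client: wrap the payload once per relay, innermost layer for the exit,
    outermost for the guard. Each layer names only the next hop."""
    next_hops = [name for name, _ in circuit[1:]] + [destination]
    onion = payload
    for (_, key), next_hop in zip(reversed(circuit), reversed(next_hops)):
        onion = layer_encrypt(key, next_hop.encode() + b"\x00" + onion)
    return onion


def relay_peel(key, onion):
    """Relay: strip exactly one layer; learn the next hop and an opaque blob, nothing more."""
    inner = layer_decrypt(key, onion)
    next_hop, _, rest = inner.partition(b"\x00")
    return next_hop.decode(), rest


def route(circuit, destination, payload):
    """Walk the circuit and record what each relay learns."""
    onion = build_onion(circuit, destination, payload)
    learned = []
    for name, key in circuit:
        next_hop, onion = relay_peel(key, onion)
        learned.append((name, next_hop))
    return learned, onion


# Constructed circuit with fixed per-hop keys (assumption: a real client negotiates these).
CIRCUIT = [(name, hashlib.sha256(name.encode()).digest())
           for name in ("guard", "middle", "exit")]


def demo():
    """Send a constructed request through the constructed circuit."""
    return route(CIRCUIT, "example.org", b"GET / HTTP/1.0\r\n\r\n")


if __name__ == "__main__":
    learned, payload = demo()
    for relay, next_hop in learned:
        print(f"{relay} learns next hop = {next_hop}")
    print("exit delivers:", payload)
```

Note what the guard learns: the user's address (from the connection) and the name of the middle relay, but not the destination; the exit learns the destination and the payload but not who sent it. That split, not the encryption alone, is what makes tracing hard.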

The effectiveness and simplicity of Tor have given rise to a parallel Internet far removed from the conventional Internet that people are accustomed to browsing. Pages within this parallel Internet use the domain extension “.onion” instead of the more familiar “.com”, “.net”, “.edu” and other domains found on the conventional Internet. Onion addresses are also hard to remember, because the name is derived from a hash of the hidden service’s public key rather than chosen by a person, so it looks like a random string of letters and digits.

Within the underground, many services and goods are traded illegally. These include, but are not restricted to, botnet capacity, stolen bank accounts, PayPal accounts and credit card information, zero-day exploits (exploits for vulnerabilities not yet known to the vendor, for which no patch exists, and therefore extremely valuable), hacking tools, drugs and hitman services.

The Economy of the Underground

For any illegal transaction, the most desirable properties of the currency exchanged are that it be decentralized (not issued by a central authority) and hard to trace. Fortunately for cyber criminals and unfortunately for law enforcement agencies, the cryptographic currency Bitcoin (BTC), launched in January 2009, offers decentralization and, at least superficially, untraceability. Its completely decentralized, peer-to-peer nature and the absence of real names on its ledger make Bitcoin transactions difficult to tie to people, making it the currency of choice throughout the cyber underground. As of 28 October 2012, one BTC was valued at $10.40, a slight drop from its average value of $11.63[6].

An example of a thriving underground market is the Silk Road, where illegal drugs are routinely bought and sold through a reputation based system not unlike the one found on eBay[7]. The reputation based system helps to protect buyers from potential scammers. Silk Road only allows transactions to be completed via Bitcoin to protect user anonymity. Another website called The Farmer’s Market was shut down after its administrators were traced via transaction records and months of infiltration by police forces from the United States, Colombia and the Netherlands. This website offered Paypal and Western Union as alternative modes of payment, which are easier to trace and detect[8].

Other services that can be accessed within the underground include the infamous Rent-a-Hacker[9]. On this page, a self-confessed “technical expert” encourages potential customers to send a random number of Bitcoins to his account before he would deign to reply. Services which he claims to offer include DDoS attacks on various websites, social engineering organizations, “ruining” personal lives and economic espionage.

However, Bitcoins themselves are not fully anonymous, and can be traced by sophisticated network analysis attacks. According to Jeff Garzik, a part of Bitcoin’s developer team, “Attempting major illicit transactions with bitcoin, given existing statistical analysis techniques deployed in the field by law enforcement, is pretty damned dumb.”[8]


The extent of the cybercrime problem is thrown into stark relief by 2012 statistics. So far in 2012, U.S. companies have suffered an average damage of $8.9 million from cybercrime and malware[10]. Norton estimates that cybercrime has cost U.S companies a cumulative $110 billion so far this year[11].

The relative anonymity provided by a combination of Tor and Bitcoins makes underground cybercrime extremely difficult to crack down on. One of the few methods which seems to be effective in combatting this menace is systematic infiltration of the trust networks within the online markets.

Based on the ease of hopping onto the Tor network and purchasing Bitcoins, however, it is likely that cybercrime through these illicit, underground channels will continue to proliferate.


[1] “DDoS question.” Web. 27 Oct. 2012. <http://4eiruntyxxbgfv7o.onion/snapbbs/1b133305/showthread.php?&threadid=c9085adba44e9a6a316770ed284e28bf>

[2] Goldschlag, Reed, Syverson. “Onion Routing for Anonymous and Private Internet Connections.” DTIC. Web. Jan. 1999. Accessed 27 Oct. 2012.

[3] “Shachtman: Cyber Threats Akin to South Bronx, Not Pearl Harbor.” International Peace Institute. Web. May 2012. Accessed 27 Oct. 2012.

[4] Bruce Schneier. “Identifying Tor Users Through Insecure Applications.” Schneier on Security. Web. Mar. 2011. Accessed 27 Oct. 2012.

[5] “Underground.” Merriam-Webster. Web. Accessed 27 Oct. 2012.

[6] “Bitcoin Charts.” Bitcoin Charts. Web. Oct. 2012. Accessed 28 Oct. 2012.

[7] Adrian Chen. “The Underground Website Where You Can Buy Any Drug Imaginable.” Gawker. Web. Jun. 2011. Accessed 28 Oct. 2012.

[8] Dan Goodin. “Feds shutter online narcotics store that used TOR to hide its tracks.” Ars Technica. Web. Apr. 2012. Accessed 28 Oct. 2012.

[9] “Rent-a-Hacker.” Web. Accessed 28 Oct. 2012. <http://ugh6gtz44ifx23e7.onion/>

[10] Robert Lemos. “Cybercrime Costs Jumped 6 Percent in 2012.” eWeek. Web. Oct. 2012. Accessed 28 Oct. 2012.

[11] “2012 Norton Study: Consumer Cybercrime Estimated at $110 Billion Annually.” Symantec. Web. Sep. 2012. Accessed 28 Oct. 2012.

Bitcoin: Has the Currency Renaissance Begun?

3 10 2012

The first time I heard of a Bitcoin, I was sitting at my kitchen table when my boyfriend, who has his bachelors in Computer Science/Information Systems, said to me “so, have you ever heard of a Bitcoin? I think you’d find fascinating because your undergrad was International Relations and now you’re at Carnegie Mellon.” I brushed it off initially because the terms “hashes, blocking algorithms, SHA256, and Internet Relay Chat” were not yet part of my repertoire. After disregarding the topic, then arguing about malevolent uses of the currency, problems law enforcement must face, and the Silk Road (which I do not recommend to anyone, for the record.), I had realized that he was absolutely right. Just like I am making my transition into IT, the Bitcoin is making its transition into policy, and yes, I find it fascinating.

Crypto-currency, sometimes referred to as digital currency, is a very exciting and relevant concept. Rooted in cryptography, mathematical algorithms, and open source software, digital money certainly finds its home in IT specialties, but its influence reaches into the social sciences and economics. The most popular crypto-currency is Bitcoin, which allows anyone around the world to configure his or her machine to buy, sell, and trade digital cash. Those who have Bitcoins use them much like cash when buying a good or service: no bank stands between the parties, no verified identity of the buyer or seller is required, and the network prevents the same coin from being spent twice (every transaction is, however, recorded in a public ledger). The process is complex, which is why I would argue that it has not yet hit the critical mass needed to be successful.

Is it the next wave of how we view currency as a society? Maybe. If and when a crypto-currency does become easy and accessible, will it make an impact? Absolutely.

What are Bitcoins, and How Are They Created?

Satoshi Nakamoto, a pseudonym whose real identity remains unknown, is acknowledged as the creator of Bitcoin: in 2008 he published a paper on a cryptography mailing list outlining a new digital currency that solved the problems earlier proposals had faced. He ensured that the information remains secure, that one coin cannot be spent more than once, and that only a finite amount is created.[i]

To solve the problem of security, Nakamoto used public-key cryptography: each user holds a key pair, and a payment is made by signing a transaction with the private key, transferring the coins to the recipient’s public key. The signature proves who authorized the payment and protects the integrity of the exchange. It does not, however, encrypt anything: transactions are broadcast to the whole network and remain visible in the public ledger, and the pseudonymity comes only from the fact that keys are not tied to real names. Transactions and blocks are identified by a double SHA-256 hash, and the original client used the OpenSSL library for its elliptic-curve signatures; the data itself travels over ordinary Internet connections[ii].

Users receive coins in two ways: they can be bought and sold on exchanges, or traded directly from person to person. The buyer or seller sets up a virtual wallet, which holds the private keys for his or her coins, and registers on an exchange, the most popular being In an exchange, Bitcoins are bought and sold by converting traditional currency into Bitcoin. Trading from wallet to wallet is trickier and requires a more tech-savvy user. Once a coin is spent, whether between wallets or through an exchange, the transaction is broadcast across the network and recorded in the block chain, which is what prevents the same coin from being spent again[iii].

Although transactions are signed and hashed, they are not encrypted, and it is uncertain whether the wallet itself comes encrypted. From my understanding, a person must configure his or her own wallet to the security settings that he or she chooses. This may be due to the tradeoff between functionality and security.[iv]

To keep the number of coins finite, Nakamoto designed a proof-of-work scheme called “mining”: miners, who can be any users with enough processing power, search for a block whose hash falls below a difficulty target, and whoever finds one is awarded a batch of new coins, 50 per block at the time of writing. The reward halves every 210,000 blocks (roughly every four years), so the total converges on 21 million coins; the last fraction of a coin will be mined around the year 2140, not 2030.[v]  These coins are pumped into the marketplace and bought and sold much as on a currency exchange. The system is peer-to-peer and fully decentralized; it cuts out governments and the banking system, the traditional places where currency is created, lent, and traded.[vi]
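The two mechanisms just described, the double SHA-256 proof of work and the halving schedule that caps supply at 21 million, can both be checked with a few lines of code. The following Python is an added example written for this page, not code from the Bitcoin client; it reproduces the subsidy schedule from the published rules and mines a constructed, much-easier-than-real block header so it finishes in a fraction of a second.

```python
import hashlib
import struct

SATOSHI = 100_000_000
HALVING_INTERVAL = 210_000          # blocks between subsidy halvings
INITIAL_SUBSIDY = 50 * SATOSHI      # the 50 BTC reward in force when this post was written


def block_subsidy(height):
    """Coins a miner may create in the block at this height; halves every 210,000 blocks."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:
        return 0
    return INITIAL_SUBSIDY >> halvings   # integer halving, as in the reference client


def total_supply_btc():
    """Sum all subsidies that will ever be paid: a little under 21 million BTC."""
    total, height = 0, 0
    while block_subsidy(height) > 0:
        total += block_subsidy(height) * HALVING_INTERVAL
        height += HALVING_INTERVAL
    return total / SATOSHI


def last_subsidy_height():
    """First block height whose subsidy has rounded down to zero."""
    height = 0
    while block_subsidy(height) > 0:
        height += HALVING_INTERVAL
    return height


def year_of_height(height, minutes_per_block=10, genesis_year=2009):
    """Rough calendar year, assuming the ten-minute target block interval holds."""
    return genesis_year + height * minutes_per_block / (60 * 24 * 365.25)


def double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(header_prefix, nonce, difficulty_bits):
    """Proof-of-work check: the hash, read as a little-endian integer, must be below the target."""
    digest = double_sha256(header_prefix + struct.pack("<I", nonce))
    return int.from_bytes(digest, "little") < (1 << (256 - difficulty_bits))


def mine(header_prefix, difficulty_bits):
    """Brute-force the 32-bit nonce field; expected work is about 2**difficulty_bits hashes."""
    for nonce in range(2**32):
        if meets_target(header_prefix, nonce, difficulty_bits):
            return nonce
    raise RuntimeError("nonce space exhausted; a real miner would change the header")


# Constructed stand-in for the 76 header bytes that precede the nonce (not a real block).
HEADER = b"constructed header: version|prev hash|merkle root|time|bits|"

if __name__ == "__main__":
    print("total supply:", total_supply_btc(), "BTC")
    print("last subsidy paid before height", last_subsidy_height(),
          "(about year %d)" % year_of_height(last_subsidy_height()))
    nonce = mine(HEADER, 16)
    print("found nonce", nonce, "for a 16-bit target")
```

Raising difficulty_bits by one doubles the expected work, which is how the network keeps blocks arriving about every ten minutes regardless of how much hashing power joins: the hash function does not get harder, the target gets lower.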

Traditional Currency, How Does It Work?

Monetary policy is a study all in its own, and takes many years to fully understand it, but this is how currency works at a very high, broad level. In a nutshell, traditional currency as we know it is called “fiat,” which is Latin for “let it be so.” This means that the value of currency is not backed by a valued piece of metal, like gold, or some other object; rather, it is backed by the will of the people and their governments who believe it to be valuable. Governments will create more money given the demand, take money out of the market if there is too much supply, and set an interest rate for lending money, all of which controls currency from a central location.  Banks, on the other hand, act as the middleman between the governments and the people. They have the ability to give loans, and set their own interest rates, which can be very high at times for the layman. [vii]

Bitcoin’s Implications on Traditional Currency

Many around the world are unhappy with the centralized system of money creation. Governments have a hand in inflation, which makes a country’s currency worth less, so it costs more to buy goods and services. Bitcoin cuts out banks as the middleman. Since coins can be transferred on an exchange or from wallet to wallet, there is no interest rate on the money. If Bitcoin gains popularity, banks can no longer make money from money. As for its impact on governments, aside from the initial purchase of coins with the cash of various countries, fiat money need not be used as frequently, which insulates Bitcoin users from inflation fluctuations in their own currency. [viii]

Putting It All Together

For the study of Information Security, Bitcoin is a current, relevant event happening in the real world instead of in a classroom. There are security vulnerabilities to patch or exploit, depending on which camp one belongs to. The system is not 100% foolproof. Exchanges have been hacked, digital wallets stolen, and a software bug could in principle create coins in excess; users who do not know the intricacies can perpetuate these problems and leave themselves at risk of attack. Furthermore, given Bitcoin’s pseudonymity and decentralization, many use it for underground, illegal purchases to evade law enforcement.

So what is the impact and value that can be gained from this? Like the Internet, which was an experiment of its own, Bitcoin is a test. It highlights the lengths that people are willing to go to in order to connect with one another, especially when large amounts of money are involved. It is a continuation of what we already know about the Internet: that it is free from cultures and borders; it has its flaws, and people may use it for malicious attacks, but it was created with good intentions. Bitcoin is the same; it is transcendent, inherently benevolent, and illuminates the creativity and ingenuity of the human mind.

Whether the currency renaissance has started is a question left up to each individual when examining crypto-currency; but I would argue that our traditional notions of money are about to be changed.

[i] Wallace, Benjamin. “The Rise and Fall of Bitcoin.” Wired. Conde Nast Digital, 23 Nov. 2011. Web. 02 Oct. 2012.

[ii] Yang, Edward Z. “The Cryptography of Bitcoin.” Inside 206-105, n.d. Web. 01 Oct. 2012.

[iii] “Everything You Want to Know About Bitcoin, the Digital Currency Worth More Than the Dollar.” Discovery Magazine. N.p., n.d. Web. 02 Oct. 2012.

[iv] Yang, Edward Z. “The Cryptography of Bitcoin.” N.p., n.d. Web. 02 Oct. 2012.

[v] Ball, James. “Bitcoins: What Are They, and How Do They Work?” The Guardian. Guardian News and Media, 22 June 2011. Web. 02 Oct. 2012.

[vi] “What Is a Good Way to Explain Bitcoin?” Questions and Answers. N.p., n.d. Web. 02 Oct. 2012.

[vii] Bade, Robin, and Michael Parkin. Foundations of Macroeconomics. Boston: Pearson Addison Wesley, 2009. Print.

[viii] “Bitcoin, Gold, and Competitive Currencies.” James Turk Interview with Economist and Trader Félix Moreno De La Cova. N.p., n.d. Web. 02 Oct. 2012.

Heart Hacking

28 09 2012

by Matthew Moses

When you hear the terms DoS attack, wireless exploitation, and data alteration what comes to mind? Personally, I think of a black hat hacker operating some bot net to disable service against its target’s website. I also imagine some shady individuals cruising the streets looking for open or easily crackable wireless networks for free and anonymous internet access. While these examples certainly fit the profile, would you ever imagine these terms in relation to implantable medical devices?

Implantable Medical Devices

Implantable Medical Devices (IMDs) are becoming increasingly popular in the treatment of a variety of diseases. For instance, in 2001 it was estimated that 25 million Americans were using implantable defibrillators (Nelson 21). Insulin pumps are another variety of implantable medical device, and from my personal experience I have seen their popularity boom over the past 5 to 10 years. Other types of IMD include pacemakers and neurostimulators (Security and Privacy 30). These devices have varied uses, but one thing they have in common is their ability to treat diseases and complications more effectively for the individuals using them. Many of the functions they perform are inseparably connected with the well-being and health of the patient. With many of these devices allowing configuration changes and data export wirelessly, care needs to be taken to protect against vulnerabilities in them.

During a BlackHat security convention, researcher Jay Radcliffe demonstrated his ability to “hack” his insulin pump. Radcliffe was able to accomplish this feat using a custom piece of software he built in addition to some extra computer hardware (Kaplan 1). One reporter explained, “These commands can order the device to turn off, but more dangerously, they can significantly raise or lower the levels of insulin Radcliffe’s body absorbs at any given moment” (Kaplan 1).

Similar research and technological hacking feats were accomplished by the Medical Device Security Center. A group of their researchers were able to reverse engineer communications between a clinical device referred to as a “programmer” and a specific implantable cardioverter defibrillator (Pacemakers 2). The researchers successfully executed several configuration changes on the device and explained that their “experiments suggest that the ICD could be forced to remain in a mode in which it continually engages in wireless communications” (Pacemakers 10). This last attack is commonly referred to as a denial of service attack (DoS) in the information security industry and in this case battery depletion is the cause for concern. This same group of researchers note that they “have not measured the power consumed by telemetry or other RF transmissions, but it is possible that these operations decrease battery life faster than normal ICD operation alone” (Pacemakers 10).

Should We Be Concerned

For those using IMDs, or who have family members using them, it seems like we should be worried. However, given the present state of the matter, the Medical Device Security Center said, “We strongly believe that nothing in our report should deter patients from receiving these devices if recommended by their physician. The implantable cardiac defibrillator is a proven, life-saving technology. We believe that the risk to patients is low and that patients should not be alarmed” (FAQ 2). Therefore, it seems that at this point in time we should not lose any sleep over these attacks. None of the authors of the cases of successful exploitation cited above wanted to release the precise implementations of their attacks to the world. Besides needing to engineer the attacks himself, a malicious adversary would also need a worthwhile motive for the attack and would have to be in close proximity to the target (FAQ 2).

The latter case study comes from the Medical Device Security Center, which has been researching and proposing means to further the development of security within these devices, which they have referred to as “zero-power and sensible defenses for IMD security and privacy” (Pacemakers 10). I will not take the time now to dive into those suggestions, but if there is interest I would invite you to read the cited article.

Going Forward

With the popularity of these devices growing, and with the growth and spread of wireless technologies that we have seen over the last 5 years, what precautions need to be taken to protect patients using these medical devices? Currently, there appears to be little to no regulation regarding the security of these wireless devices. According to a CNN Tech report from 2010, a Food and Drug Administration representative, Karen Riley, “declined to say whether the FDA is looking into new regulations of wireless medical devices,” adding “that the responsibility for making the devices secure falls primarily on the manufacturer” (Sutter 1).

Do you believe that a government agency like the FDA should get involved and start passing regulatory requirements regarding the security of these medical devices? Personally, I think it’s a tough question that needs further exploration. I question whether effective regulations could be written to ensure the proper design and manufacture of secure medical devices. Specific technology is hard to break down and generalize for regulations, and technology built to mimic or regulate physical conditions of the human body is even more complex. I half jokingly fear that if the FDA stepped in we could end up with IMD regulation books as large as the IRS tax code, which would hinder development and innovation more than secure it. For now I feel it’s in the best interest of the industry to step up and take proactive measures towards securing its own devices without the need for government regulation. What are your thoughts?


Halperin, D., et al. “Frequently Asked Questions (FAQ): Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.” Medical Device Security Center, n.d. Web. 24 Sept. 2012.

Halperin, D., et al. “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.” 2008 IEEE Symposium on Security and Privacy (SP 2008). 2008. 129-142. Print.

Halperin, D., et al. “Security and Privacy for Implantable Medical Devices.” Pervasive Computing, IEEE 7.1 (2008): 30-9. Print.

Kaplan, Dan. “Black Hat: Insulin pumps can be hacked.” SC Magazine. Haymarket Media, 04 Aug. 2011. Web. 24 Sept. 2012.

Nelson, Glen D., M.D. “Innovation and Invention in Medical Devices: Implantable Defibrillators”. Workshop of the Roundtable on Research and Development of Drugs, Biologics, and Medical Devices, Board on Health Sciences Policy. Wyndham City Center Hotel, 1143 New Hampshire Avenue, N.W. Washington, D.C. 17 – 18 February 2000. Conference Presentation.

Sutter, John D. “Scientists work to keep hackers out of implanted medical devices.” CNN Tech, 16 Apr. 2010. Web. 24 Sept. 2012.

More Information Security Awareness programs

26 09 2012

by David Munyaka

This blog focuses on the United States, but of course most, if not all, of the cases mentioned here may happen in other countries as well. Government institutions spend a lot of money trying to operate government information systems in the most secure way possible. This is because the government stores a lot of information about its citizens, such as names, social security numbers, state ID numbers, passport numbers, current residences, occupations, etc. The government has to protect all of this information. If the government were to fail to protect citizens’ information in its various databases, it would also have failed in its duty to protect its citizens. For this reason, among others, the government spends a lot of money making sure that this information does not end up in the wrong hands.

Private institutions such as hospitals, schools and financial institutions spend large amounts of money every year to protect patients’, students’ and clients’ information respectively. The success of a business relies a great deal on how well it is able to protect its clients’ information. Even laymen who may not be very concerned about information security will discontinue their membership with an institution that frequently suffers security breaches and security violations. For this reason private institutions spend huge amounts of money to protect clients’ information.

What does a layman do to protect his or her own information?

Well, a few examples may help. How often do you hear an individual placing an order for an item or service over the phone? In some cases people will read out their credit card information aloud, especially when they believe that the people nearby are trustworthy. I concede that this may not happen very often, but it does happen. Two vulnerabilities come to mind: the person who overhears the conversation may want to use the information, and the person on the other end may end up using the credit card information for his or her own needs. All that is required in most cases to make a purchase over the phone is the name, credit card number and expiry date, and depending on the card sometimes the card security code. But let us assume that making phone purchases in the manner described above is not common enough to cause problems and that people are cautious when making purchases.

Well, what about when one is on a job search? Most applications are online (for the sake of this blog the assumption is that the online applications are well secured), but some are still on paper. For example, if one needs a job at a restaurant, especially in this economy, one job application may not be sufficient. So one may apply online, or one may decide to drive around town and fill out hard-copy applications at different restaurants. These applications ask for information such as name, physical address, previous employers, and yes, even social security numbers. This information is seen by many of the employees who already work at the restaurant (most of whom do not fall under the “need to know” category). The applications, with this information, lie in some corner of the restaurant waiting for the store manager to review them. The point here is that many people can see private information (such as social security numbers) even though they are not the intended recipients of the job applications.

Online purchases: customers will sometimes buy items online from stores whose reputation they do not know. In the case of a fictitious online store, one may lose thousands of dollars if one’s credit card information is used by someone else, or even worse, lose one’s identity, depending on how much information was provided. Other undesirable practices, such as sharing passwords, are also common.

These examples are meant to show that while the government and private institutions are spending large amounts of money making sure our information is safe, we may be generously handing the same information to criminals. Even with major scientific advancements in information security, information will not be safe unless there is more awareness of the serious ramifications of such unsafe practices.

The Future of Gaming……Security

9 08 2012

When most people think of online security they don’t immediately think of online gaming through popular outlets such as Facebook (e.g., FarmVille / Mafia Wars), Xbox Live, Sony PlayStation Network, or Blizzard (World of Warcraft), but the virtual world is ripe for the picking and full of vulnerabilities. These social outlets connect people like never before, but they also expose a rich new environment for cyber criminals to exploit. Consumers should be aware of the risks that exist in the virtual world of online gaming so that they can best protect themselves.

Online Gaming Vulnerabilities / Risks:  There are several vulnerabilities in online gaming that can result in the loss of confidential consumer information. They are listed below along with their associated risks and real-world examples of exploitation:

  • Account Hosting Vulnerabilities:  Because online gaming is typically a subscription service, users must register with the provider and establish an account. In doing so the user must provide personal information and a credit card to the provider. This information is kept in the provider’s hosting environment and is used to pay for the subscription service and to purchase items relevant to the online game. Many online games also use virtual currency for transactions within the game, and this currency must be purchased by the user with real-world money using a credit card. Because these online gaming services have an extremely large user base they make a desirable target for hackers interested in stealing consumers’ confidential information in order to conduct identity theft. A prime example of this occurred on April 20, 2011, when the Sony PlayStation Network was hacked. The attack compromised roughly 77 million PlayStation Network accounts, and a related intrusion into Sony Online Entertainment, disclosed shortly afterwards, exposed a further 24.6 million accounts and 12,700 credit card numbers (Wikipedia, 2012). From the stolen information it was believed that the hackers were able to obtain users’ confidential information such as names, addresses, birthdates, email addresses, PlayStation Network usernames / passwords, and security questions / answers that could be used in identity theft or fraud (Schreier, 2011). To make matters worse, Sony waited nearly a full week (6 days) before announcing to PlayStation Network users what had occurred and who was affected. After the intrusion was detected Sony shut down its PlayStation Network for 24 days while it attempted to discover the extent of the damage and repair the vulnerabilities in the network. The 24-day service outage outraged the PlayStation Network’s 77 million customers and was estimated to cost the company $171 million in lost revenue, plus untold reputation damage (Wikipedia, 2012). Sony stated that users’ credit card information was encrypted and that account passwords were stored as hash values, but the hackers may have been able to decrypt the credit card information while inside the network (Wikipedia, 2012).
  • Social Engineering Vulnerabilities:  Much like users of traditional online services, online gamers are susceptible to phishing. Phishing is a popular form of online game hacking because criminals know that once they have access to a user’s account they can purchase items or virtual currency using the credit card stored on file. Phishing has become a particular issue for Microsoft, where users have received phishing attempts via email or pop-ups while playing popular titles such as Modern Warfare 2 in an attempt to gain users’ confidential information (Yin, 2011). Once this information is known a criminal can log on to the target account as the user and purchase items or virtual currency. In some cases the stolen account information is also sold on the black market. Microsoft has experienced a large number of compromised accounts and fraud as a result of phishing attempts coupled with an Xbox Live sign-in weakness. It was discovered that an attacker attempting to sign in to an Xbox Live account online with a valid email address was returned a different error message depending on whether the account ID was invalid or the account password was incorrect (Pereira, 2012). This lets an attacker confirm which email addresses correspond to real accounts, and once an ID is known the attacker can attempt a brute-force attack on the password. This method was successful because Microsoft did not lock accounts after a set number of failed logon attempts. Instead Microsoft would display a CAPTCHA screen after eight failed logon attempts. CAPTCHA screens display distorted characters intended to be readable only by humans, which must be typed in to proceed. The CAPTCHA was defeated by scripting a brute-force attack that tried fewer than seven passwords and then clicked on an external link; the external link reset the CAPTCHA counter and the attack could continue (Pereira, 2012).
  • Online Game / Software Vulnerabilities:  Much like traditional application software, online games frequently have software vulnerabilities that can be exploited for malicious purposes or to wreak havoc on a virtual community. An example of this was seen in Blizzard’s popular World of Warcraft, where a group of players known as “griefers” found and exploited a flaw in the game that allowed them to spread a contagious disease called “Corrupted Blood” to other players, causing their characters’ deaths. The disease was only intended to be experienced in a particular portion of the game; however, the game developers failed to limit the affected area of the curse, and because the disease was self-propagating the griefers were able to turn it into a plague across the virtual world (Lemos, 2005). A second, earlier example, and a predecessor to “Corrupted Blood,” was seen in The Sims (the original, single-player game). The Sims developer, Will Wright, intentionally added a Trojan horse to the game. Players were able to purchase a pet guinea pig. If the player failed to keep the guinea pig’s cage clean and a Sim attempted to pet the guinea pig, the Sim could be bitten. Once bitten, the Sim was infected with a contagious virus and would begin sneezing. The virus could then spread to other nearby Sims, and if an infected Sim failed to get sufficient rest the virus would result in death (Markoff, 2000). Both of these examples show how game vulnerabilities can be exploited to disrupt game play or cause mayhem, but one can also see how software vulnerabilities could be exploited for more malicious purposes, such as gaining control of an account or finding a backdoor into the system in order to steal confidential information.
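The Xbox Live sign-in weaknesses described above (an error message that reveals whether an account ID exists, and a CAPTCHA counter the client can reset) are easy to reproduce in a small model. The following is an added example, not code from the post or from Microsoft; the account store, the wordlist, the 10,000-round PBKDF2 setting and the lock-out numbers are all constructed here, while the eight-attempt CAPTCHA threshold and the “fewer than seven guesses, then reset” pattern follow the post. The vulnerable class is shown beside a hardened one that returns a single failure message and keeps its throttling state server-side, keyed by account.

```python
"""Login response oracle and client-resettable CAPTCHA counter: vulnerable vs. hardened.

Added illustration, not code from the article or from Microsoft. It models the two
weaknesses described for Xbox Live sign-in: (1) distinct error messages that reveal
whether an account ID exists, and (2) a failed-attempt counter the client can reset.
The account store, wordlist and thresholds below are constructed for the example.
"""
import hashlib
import hmac
import os
import time


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the demo runs quickly; use far more in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


_SALT = os.urandom(16)
ACCOUNTS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}  # constructed

CAPTCHA_THRESHOLD = 8  # failed attempts before a CAPTCHA is demanded (per the post)

# Constructed guess list; the real password is the 16th entry, past the threshold,
# so a naive attack is stopped by the CAPTCHA and only the reset trick succeeds.
WORDLIST = ["password", "123456", "qwerty", "letmein", "xbox360", "halo",
            "gamer1", "dragon", "master", "monkey", "football", "abc123",
            "iloveyou", "trustno1", "sunshine", "correct horse"]


class VulnerableLogin:
    """Reproduces the described flaws: enumerable error text, resettable counter."""

    def __init__(self):
        self.failures = 0  # one counter, and the client can zero it

    def reset_counter(self):
        """Stand-in for the external link that reset the CAPTCHA counter."""
        self.failures = 0

    def login(self, email: str, password: str) -> str:
        if self.failures >= CAPTCHA_THRESHOLD:
            return "captcha required"
        rec = ACCOUNTS.get(email)
        if rec is None:
            self.failures += 1
            return "invalid account ID"   # leaks: this ID does not exist
        salt, stored = rec
        if not hmac.compare_digest(_hash(password, salt), stored):
            self.failures += 1
            return "incorrect password"   # leaks: this ID does exist
        return "ok"


class HardenedLogin:
    """One failure message for every cause; lockout state kept server-side per account."""
    LOCK_AFTER = 5
    LOCK_SECONDS = 900

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.state = {}  # email -> (failure_count, locked_until)

    def login(self, email: str, password: str) -> str:
        now = self.clock()
        count, locked_until = self.state.get(email, (0, 0.0))
        if now < locked_until:
            return "temporarily locked"
        rec = ACCOUNTS.get(email)
        if rec is None:
            _hash(password, b"\x00" * 16)  # same work as for a real account: no timing tell
            ok = False
        else:
            salt, stored = rec
            ok = hmac.compare_digest(_hash(password, salt), stored)
        if ok:
            self.state.pop(email, None)
            return "ok"
        count += 1
        if count >= self.LOCK_AFTER:
            self.state[email] = (0, now + self.LOCK_SECONDS)
        else:
            self.state[email] = (count, locked_until)
        return "invalid credentials"      # same text whether ID or password was wrong


def enumerate_ids(login, candidates):
    """Attacker step 1: probe each candidate with a junk password and read the error text."""
    return [e for e in candidates if login.login(e, "junk") == "incorrect password"]


def brute_force(login, email, wordlist, reset_every=7):
    """Attacker step 2: guess passwords, resetting the counter every `reset_every`
    guesses when the target offers a reset. Returns (password or None, attempts)."""
    attempts = 0
    for i, guess in enumerate(wordlist):
        if reset_every and i and i % reset_every == 0 and hasattr(login, "reset_counter"):
            login.reset_counter()
        attempts += 1
        result = login.login(email, guess)
        if result == "ok":
            return guess, attempts
        if result in ("captcha required", "temporarily locked"):
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    print(enumerate_ids(VulnerableLogin(), ["alice@example.com", "bob@example.com"]))
    print(brute_force(VulnerableLogin(), "alice@example.com", WORDLIST))
    print(brute_force(VulnerableLogin(), "alice@example.com", WORDLIST, reset_every=0))
    print(brute_force(HardenedLogin(), "alice@example.com", WORDLIST))
```

Against the vulnerable class the enumeration step identifies the real account from the error text, and the guessing loop reaches the correct password on the sixteenth attempt because it resets the counter before ever hitting the CAPTCHA; with the reset disabled the same loop is stopped at the ninth attempt. Against the hardened class enumeration returns nothing and the account locks after five failures. Note that a per-account lock is itself a denial-of-service lever (an attacker can lock the legitimate owner out), so production systems usually pair it with per-source rate limits and step-up verification rather than relying on the lock alone.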
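The “Corrupted Blood” incident above comes down to a self-propagating effect whose spread and persistence were never bounded to the encounter it was designed for. The toy simulation below is an added example, not Blizzard’s code: the zone names, spread radius and tick counts are constructed, and the carrier that leaves the raid is modelled as a summoned pet, which is an assumption of this model rather than something the post states. The `zone_bound` flag toggles the missing scoping check so the two outcomes can be compared.

```python
"""Model of a self-propagating status effect escaping its intended zone.

Added illustration, not Blizzard's code. Entity names, zones, ranges and the
carrier mechanism are constructed for the example; the carrier that leaves the
raid is modelled as a summoned pet (an assumption of this model). `zone_bound`
toggles the check the post says was missing.
"""
from dataclasses import dataclass

RAID_ZONE = "raid_instance"
CITY_ZONE = "capital_city"
SPREAD_RADIUS = 5.0


@dataclass(eq=False)  # identity-based hashing so entities can be collected in a set
class Entity:
    name: str
    zone: str
    x: float            # 1-D position is enough to model "within range"
    infected: bool = False


def tick_spread(entities, zone_bound):
    """One propagation step: every carrier infects others within range in its zone.
    With zone_bound=True a carrier outside RAID_ZONE cannot spread the effect."""
    newly = set()
    for carrier in [e for e in entities if e.infected]:
        if zone_bound and carrier.zone != RAID_ZONE:
            continue
        for other in entities:
            if other is carrier or other.infected or other.zone != carrier.zone:
                continue
            if abs(other.x - carrier.x) <= SPREAD_RADIUS:
                newly.add(other)
    for e in newly:          # apply after the scan so one tick is one generation
        e.infected = True
    return len(newly)


def travel(entity, zone, x, zone_bound):
    """Move an entity (or dismiss and resummon it) elsewhere. The bounded version
    also strips the effect when the entity leaves the raid zone."""
    entity.zone, entity.x = zone, x
    if zone_bound and zone != RAID_ZONE:
        entity.infected = False


def run_scenario(zone_bound):
    """Returns how many city NPCs end up infected after a carrier leaves the raid."""
    boss = Entity("boss", RAID_ZONE, 1.0, infected=True)
    pet = Entity("hunter_pet", RAID_ZONE, 0.0)
    city = [Entity(f"npc_{i}", CITY_ZONE, 2.0 * i) for i in range(6)]   # constructed crowd
    world = [boss, pet] + city
    tick_spread(world, zone_bound)             # the pet catches it inside the raid
    travel(pet, CITY_ZONE, 0.0, zone_bound)    # pet is resummoned in the city
    for _ in range(6):                         # a few ticks of contact in town
        tick_spread(world, zone_bound)
    return sum(e.infected for e in city)


if __name__ == "__main__":
    print("unbounded:", run_scenario(zone_bound=False))
    print("bounded:  ", run_scenario(zone_bound=True))
```

Without the zone check the pet carries the effect into the city and the chain reaction reaches every NPC within three generations; with the check, the effect is stripped at the zone boundary and no carrier ever exists outside the raid. The general lesson is the one the post draws: any effect that replicates on its own needs an explicit bound on where it may live and spread, enforced at the point where an entity changes context, not only at the point where the effect is first applied.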

Online Gaming Protection:  Clearly the vulnerabilities that exist in online gaming pose a threat to consumers that can lead to fraud or identity theft. The question remains: what can one do to protect oneself online in order to help prevent these issues? The answer is to abide by the same good access control principles that are recommended for traditional cyber security.

  • Strong IDs / Passwords:  Online gamers should use unique IDs and passwords for online gaming accounts. Additionally, passwords should be strong: longer than 10 characters, containing numbers and letters in both upper and lower case. Passwords should also be changed on a predefined schedule (Trendmicro, 2012).
  • Virus Protection / O/S Patches:  Users gaming from a PC should always ensure that they are running up-to-date virus protection and current operating system patches (Trendmicro, 2012).
  • Never Share Credentials:  Online gaming users should never share credentials with other users or supply credentials to individuals claiming to work for the parent game hosting company (, 2012).
  • Avoid Suspicious Emails or Pop-ups:  Online gaming users should be suspicious of pop-ups or emails requesting confidential information.  Many of these are phishing attempts by hackers (Trendmicro, 2012).
  • Use Secured Networks:  Online gaming users should never play online over an unsecured Wi-Fi connection. Users should use a Wi-Fi network secured with WPA or WPA2. Additionally, online PC gamers should ensure that they are connected to the host site over a secure SSL/TLS connection, as indicated by HTTPS, so that their data in transit is encrypted (Trendmicro, 2012).
  • Credit vs. Debit:  When establishing an online gaming account, users should opt to use a credit card rather than a debit card in order to limit their liability should any fraudulent activity occur (Trendmicro, 2012).

Conclusion:  The world of online gaming is full of vulnerabilities that can be exploited by hackers and is a highly desirable target due to its exceedingly large number of users. As shown by the Sony PlayStation Network case, the consumer is at the mercy of the provider to ensure that personal information is kept confidential and that breaches are reported in a timely manner. However, the consumer can still take the precautions outlined above in order to help protect the confidentiality and integrity of their personal information.


Cummings, A. (2012, June). 95-752 Information Security Management. Lectures 1-4. Pittsburgh, Pennsylvania, USA.

Lemos, R. (2005, September 9). Digital plague hits online game World of Warcraft. Retrieved June 27, 2012, from SecurityFocus.

Markoff, J. (2000, April 27). Something Is Killing the Sims, and It’s No Accident. Retrieved June 27, 2012, from The New York Times.

Pereira, C. (2012, January 1). Is to Blame for Frequent Xbox Live Account Hacks? Retrieved June 27, 2012.

Pfleeger, C. P. (2009). Security in Computing. Upper Saddle River, NJ: Prentice Hall.

Schreier, J. (2011, April 26). PlayStation Network Hack Leaves Credit Card Info at Risk. Retrieved June 6, 2012.

Trendmicro. (2012, April 1). A simple guide to gaming security. Retrieved June 27, 2012.

Wikipedia. (2012, June 6). PlayStation Network outage. Retrieved June 6, 2012, from Wikipedia.

(2012, June 27). Xbox LIVE Account Security Check List. Retrieved June 27, 2012.

Yin, S. (2011, April 27). Microsoft Warns of ‘Modern Warfare 2’ Phishing Attacks. Retrieved June 27, 2012, from,2817,2384395,00.asp