mailing list archives
Don't look now, you've been hacked!
From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Tue, 5 Mar 2013 15:35:39 -0600
Attendees at HIMSS13 -- in one way or another entrusted with the protection
of their patients' personal health information -- may not be pleased to
learn that they work in the most widely breached industry in the United
"The security tools that you put in place aren't really stopping us as
hackers," said David Kennedy, founder and principal security consultant at
TrustedSec, an information security firm based in Strongsville, Ohio.
Kennedy, whose professional experience includes work for the National
Security Agency and the U.S Marines (cyber warfare and forensics analysis),
presented "Hacking Your Life," a Views from the Top educational session at
HIMSS13 on Tuesday.
"When we look at different industry verticals such as retail or
manufacturing or banking, they're trying to be very proactive when it comes
to what mechanisms they have in place. However, it seems that time and time
again, for us to get into medical systems or hospitals, it's very trivial,"
Statistics bear out his claim. Last year, Kennedy performed about 150
penetration tests against hospitals. "Out of those 150, not one of them
stopped us from breaking in and taking all their data," he said. "With
current technology, it's never been easier to break into an organization."
According to the Open Security Foundation's DataLossDB, which tracks the
loss, theft or exposure of personally identifiable information, the highest
number of such incidents over time occurred in 2012. And of the 1,520 total
incidents reported last year, 327 occurred in the medical industry.
What can happen if hackers break into a hospital or specific medical
devices? Kennedy's answer is chilling: "Anything is possible. "
For example, medical equipment can be used to kill patients – by delivering
a lethal charge of electricity into a hacked pacemaker from a distance as
great as 50 feet. Kennedy also provided evidence from his hacking
experience of being able to change information on intended surgical
Kennedy warned that current anti-virus technology only protects against
breaches about three percent of the time. He said organizations need to
assess security from a business perspective. "If you start securing systems
at the business level -- by finding where your critical assets are and
securing them instead of trying to secure the entire infrastructure -- it's
a much better approach to defending against the attacks that are out there."
Kennedy will be signing copies of his book Metasploit: The Penetration
Tester's Guide at the Diebold booth (#1661) on the exhibit floor.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
- Don't look now, you've been hacked! Erica Absetz (Mar 05)