One of my old L0pht colleagues, Peiter "Mudge" Zatko, is featured in Mass High Tech today in an article titled Bay State hackers find security holes in defibrillators, RFID.

Hackers getting a free T pass may be the least of our worries — local hackers-turned-security experts suggest RFID keycards, wireless networks and medical devices implanted in the body are also vulnerable to hacks.

At last week’s Defcon hacker convention in Las Vegas, a team of researchers showed it was possible to get information such as Social Security numbers and medical diagnoses, and change the settings on an implantable defibrillator by impersonating the computer it communicates with wirelessly. By doing so, a hacker could send a fatal shock to a patient’s heart, said William Maisel of the Beth Israel Deaconess Medical Center.

It is almost like things haven't changed since the '90s, when the L0pht worked to change the mindset of security:

    1. Don't trust vendor claims around security
    2. Attacks aren't "theoretical"
    3. Security by obscurity is no security


The L0pht worked as an independent security research think tank. For us it was a non-profit side job researching and publishing vulnerabilities in software and hardware. We did it for our love of technology and published what we found because purchasers and users of the vulnerable systems deserve to know.

It's 10 years later and the situation hasn't improved much. Mudge talks about the vulnerabilities the L0pht found in highway transponder systems that are still in systems being fielded today. But more important than the vulnerabilities themselves is the nature of how these vulnerabilities are coming to light. They are being found by hobbyists, students, and IT people working in their spare time. How can something as important as the security of public fare collection systems and medical equipment not have a standard process for security acceptance testing?

As we become more reliant on digital systems, with some even keeping us alive, it is high time for security testing to move beyond student papers and part-time IT work. Security testing needs to become a formal part of the process of purchasing and fielding digital systems. Our lives are starting to depend on it.

About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (1)

Ben | August 25, 2008 6:17 pm

Incentive, incentive, incentive. Until orgs see a major downside to lousy security practices, nothing will change. PCI DSS sort of helps with that, but it's in a very specific vertical where corps generally already had some incentive to be a little smarter than an amoeba. Personally, I don't think anything short of massive liability reform will result in the improved security of systems and protection of data (particularly the fabled PII). For example, if you were to say that personally identifiable data is to be treated the same as a physical appendage, and then apply the same types of liability protections, I think you'd see a swift change in how serious orgs take security. One successful case on this basis resulting in a multi-million-dollar victory for the victim(s) would then provide reasonable incentive.

Instead, we're stuck in this time-warp to the Dark Ages where incidents like the MBTA hack are seen as voodoo black magick and the response is a desire to burn the witches/warlocks at the stake (incidental pun). Talk about a screwed-up mentality. We need a new Enlightenment.
