Cyberwars: The Month of Cyberattacks

The month of August has been a busy time for online security specialists, due to numerous cyberattacks being reported close to each other. First came word that supermarket chain Supervalu had been hacked, followed by news of security breaches at one of the largest American medical groups, the Nuclear Regulatory Commission and then the UPS Store. In all cases, the intrusions led to the theft of millions of users’ personal data.

The worst of the lot appears to have been the massive cyberattack on Community Health Systems, one of the largest hospital chains in the US that oversees 206 hospitals in 29 states. According to the company, the intrusion led to stolen Social Security numbers, patient names, addresses, birth dates and telephone numbers of some 4.5 million patients. And as usual, the attack is believed to have had the backing of a foreign government.

This is the largest known attack to involve hospital patient information since the US government began tracking these types of data breaches in 2009. According to Elysium Digital data security expert Joseph Calandrino:

One possible goal of this attack is to facilitate future targeted attacks. The type of data that was stolen from the hospital system is often used to verify a person’s identity. The exposure of this data creates a risk that the hackers could leverage it to gain access to other accounts and information.

As is so often the case these days, it is believed the cyberattack originated in China. Security firm Mandiant, which investigated the breach in April and June, said the hackers belong to a group that targets crucial infrastructure, such as defense, engineering, financial services, and health care companies. It’s unclear if these hackers are affiliated with the Chinese government.

Various security experts have long accused China of waging a cyberwar on US government and private company websites. For example, a report that was released by Mandiant back in 2013 linked Unit 61398 of China’s People’s Liberation Army to a large number of cyberattacks on US soil. However, the Chinese government has flatly denied that it is involved in cyber-espionage or hacking.

Community Health Systems has since reported that it stopped the cyberattack by removing the malicious software used by the hackers and is notifying its patients of the breach. It has also been reported that the hack may have been facilitated by the Heartbleed bug, a flaw in OpenSSL that hackers can exploit to obtain encrypted data. The timing certainly seems apt, as the bug was revealed back in April and the attack took place between April and June.

However, this was merely one of several breaches that took place over the past few months. In addition to the CHS, UPS, and numerous major outlets, cybersecurity firm Hold Security identified what was arguably the largest known data breach in history earlier this month. In this attack, the Russian cybergang Cybervor allegedly stole 1.2 billion username and password combinations and more than 500 million email addresses.

With these latest attacks, it appears that large-scale security breaches carried out by individual hackers and sponsored by nation-states are becoming the new normal. And as these kinds of attacks become more common, cybersecurity experts are concerned that people may suffer from “alert fatigue”, where they will basically cease caring about and not be aware of breaches that affect them.

In addition, security experts would like people to keep in mind that there is a difference between a spike in activity and reporting on activity. Much like the problems of violence, teen sex and crime rates, there is likely a gap between an actual increase and the perception of one. As Lillian Ablon, a researcher for the RAND Corporation, explained:

Back during Operation Aurora [in 2009], when Google got hacked, Google coming out [in 2010] was a big step in the industry. Before that, companies didn’t really talk about being breached.

Legally, companies and government agencies are required to report security breaches to the public only when customer data is involved, and only in 47 states. Alabama, New Mexico, and South Dakota lack mandatory reporting laws, and few laws on the books extract penalties when a breach occurs. Still, whatever the magnitude of the number of security breaches, it’s also true that we are living in an increasingly uncertain world when it comes to keeping our data safe.

Naturally, public vigilance is a good policy, but it’s not exactly a solution. In the hacks at the Nuclear Regulatory Commission and Community Health Systems, the Cybervor attack, and the hack of the DHS, the attacks were suspected of coming from abroad. More and more, attacks are being staged from a location that is far removed from the source, and backed by third parties who are likely unknown.

Security experts believe that the eventual solution will require businesses to rethink how they operate, putting a much bigger emphasis on security. But the consequences of that could have global economic implications, if better security hurts competitiveness. In the short term, it means that customers who do business with companies that suffer security breaches will need to be that much more vigilant.

That means not reusing passwords for multiple accounts, using two-factor authentication when available, and keeping a close eye on bank statements and credit card activity. And as for the breaches themselves, there’s not much you can do except be prepared to hear about more of them, more often. For better or for worse, it is the age we live in, where big data means big data intrusion!

Sources: cnet.com, (2), (3)

The Future is Here: The Real-Life Tricorder

It was only a matter of time, I guess. But we really should have known that with all the improvements being made in biometrics and biotechnology – giving patients and doctors the means to monitor their vitals, blood pressure, glucose levels and the like with tiny devices – and all the talk of how it looked like something out of science fiction, it wouldn’t be long before someone took it upon themselves to build a device right out of Star Trek.

It’s known as the Scanadu Scout, a non-invasive medical device that is capable of measuring your vitals simply by being held up to your temple for a mere 10 seconds. The people responsible for its creation are a startup named Scanadu, a group of research and medtech enthusiasts who are based at the NASA Ames Research Center. For the past two years, they have been seeking to create the world’s first handheld medical scanner, and with the production of the Scout, they have their prototype!

All told, the device is able to track pulse transit time (to measure blood pressure), temperature, ECG, oximetry, heart rate, and the breathing rate of a patient or subject. A 10 second scan of a person’s temple yields data that has a 99% accuracy rate, which can then be transmitted automatically via Bluetooth to the user’s smartphone, tablet or mobile device.

The device has since been upgraded from its original version and is now a 32-bit system (up from the original 8 bits). And interestingly enough, the Scout now runs on Micrium, the operating system that NASA uses for Mars sample analysis on the Curiosity rover. The upgrade became necessary when Scanadu co-founder Walter De Brouwer decided to add an extra feature: the ability to remotely trigger new algorithms and plug in new sensors (like a spectrometer).

One would think that working with NASA is affecting his thinking. But as Brouwer points out, the more information the machine is capable of collecting, the better it will be at monitoring your health:

If we find new algorithms to find relationships between several readings, we can use more of the sensors than we would first activate. If you know a couple of the variables, you could statistically predict that something is going to happen. The more data we have, the more we can also predict, because we’re using data mining at the same time as statistics.

One of the Scout’s cornerstone algorithms, for example, allows it to read blood pressure without the inflating cuff that we’ve all come to know and find so uncomfortable. In the future, Scanadu could discover an algorithm that connects age, weight, blood pressure, and heart rate with some other variable, and then be able to make recommendations.

Everyone who pre-orders a Scout has their data sent to a cloud service, where Scanadu will collect it in a big file for the FDA. Anyone who opts in will also gain access to the data of other users who have also elected to share their vitals. Brouwer explains that this is part of the product’s early mission to test the parameters of information sharing and cloud-medical computing:

It’s going to be a consumer product in the future, but right now we are positioning it as a research tool so that it can be used to finalize the design and collect data to eventually gain regulatory approval. In the end, you have to prove how people are going to use the device, how many times a day, and how they are going to react to the information.

In the future, De Brouwer imagines this kind of shared information could be used for population scanning, kind of like Google Flu Trends does, except with data being provided directly from individuals. The focus will also be much more local, with people using the Scout’s stats to be able to see if their child, who suddenly has flu symptoms, is alone or if other kids at their school are also sick. Pandemics and the outbreaks of fatal diseases could also be tracked in the same way and people forewarned.

Naturally, this raises some additional questions. With it now possible to share and communicate medical information so easily between devices, from people to their doctors, and stored within databases of varying accessibility, there is the ongoing issue of privacy. If in fact medical information can be actively shared in real-time or with the touch of a button, how hard will it be for third parties to gain access to it?

The upsides are clear: a society where health information is easily accessible is likely to avoid outbreaks of infectious disease and be able to contain pandemics with greater ease. But on the flip side, hackers are likely to find ways to access and abuse this information, since it will be in a public place where people can get at it. And naturally, there are plenty of people who will feel squeamish or downright terrified about the FDA having access to up-to-the-moment medical info on them.

It’s the age of cloud computing, wireless communications, and information sharing, my friends. And much as people feel guarded about their personal information now, this is likely to take on extra dimensions when their personal medical info is added to the mix. Not a simple or comfortable subject.

But while I’ve still got you here, no doubt contemplating the future of medicine, take a look at this video of the Scanadu Scout in action:


Source: fastcoexist.com, google.org/flutrends/

Should We Be Afraid? A List for 2013

In a recent study, the John J. Reilly Center at the University of Notre Dame published a list of possible threats that could be seen in the new year. The study, which was called “Emerging Ethical Dilemmas and Policy Issues in Science and Technology”, sought to address all the likely threats people might face as a result of all developments and changes made of late, particularly in the fields of medical research, autonomous machines, 3D printing, Climate Change and enhancements.

The list contained eleven articles, presented in random order so people can assess what they think is the most important and vote accordingly. And of course, each one was detailed and sourced so as to ensure people understood the nature of the issue and where the information was obtained. They included:

1. Personalized Medicine:
Within the last ten years, the creation of fast, low-cost genetic sequencing has given the public direct access to genome sequencing and analysis, with little or no guidance from physicians or genetic counselors on how to process the information. Genetic testing may result in prevention and early detection of diseases and conditions, but may also create a new set of moral, legal, ethical, and policy issues surrounding the use of these tests. These include equal access, privacy, terms of use, accuracy, and the possibility of an age of eugenics.

2. Hacking medical devices:
Though no reported incidents have taken place (yet), there is concern that wireless medical devices could prove vulnerable to hacking. The US Government Accountability Office recently released a report warning of this while Barnaby Jack – a hacker and director of embedded device security at IOActive Inc. – demonstrated the vulnerability of a pacemaker by breaching the security of the wireless device from his laptop and reprogramming it to deliver an 830-volt shock. Because many devices are programmed to allow doctors easy access in case reprogramming is necessary in an emergency, the design of many of these devices is not geared toward security.

3. Driverless zipcars:
In three states – Nevada, Florida, and California – it is now legal for Google to operate its driverless cars. A human in the vehicle is still required, but not at the controls. Google also plans to marry this idea to the zipcar, fleets of automobiles shared by a group of users on an as-needed basis and sharing in costs. These fully automated zipcars will change the way people travel but also the entire urban/suburban landscape. And once it gets going, ethical questions surrounding access, oversight, legality and safety are naturally likely to emerge.

4. 3-D Printing:
3D printing has astounded many scientists and researchers thanks to the sheer number of possibilities it has created for manufacturing. At the same time, there is concern that some usages might be unethical, illegal, and just plain dangerous. Take, for example, recent efforts by groups such as Distributed Defense, a group intent on using 3D printers to create “Wiki-weapons”, or the possibility that DNA assembling and bioprinting could yield infectious or dangerous agents.

5. Adaptation to Climate Change:
The effects of climate change are likely to be felt differently by different peoples around the world. Geography plays a role in susceptibility, but a nation’s respective level of development is also intrinsic to how its citizens are likely to adapt. What’s more, we need to address how we intend to manage and manipulate wild species and nature in order to preserve biodiversity. This warrants an ethical discussion, not to mention suggestions of how we will address it when it comes.

6. Counterfeit Pharmaceuticals:
In developing nations, where life-saving drugs are most needed, low-quality and counterfeit pharmaceuticals are extremely common. Detecting such drugs requires the use of expensive equipment which is often unavailable, and expanding trade in pharmaceuticals is giving rise to the need to establish legal measures to combat foreign markets being flooded with cheap or ineffective knock-offs.

7. Autonomous Systems:
War machines and other robotic systems are evolving to the point that they can do away with human controllers or oversight. In the coming decades, machines that can perform surgery, carry out airstrikes, defuse bombs and even conduct research and development are likely to be created, giving rise to a myriad of ethical, safety and existential issues. Debate needs to be fostered on how this will affect us and what steps should be taken to ensure that the outcome is foreseeable and controllable.

8. Human-animal hybrids:
Is interspecies research the next frontier in understanding humanity and curing disease, or a slippery slope, rife with ethical dilemmas, toward creating new species? So far, scientists have kept experimentation with human-animal hybrids on the cellular level and have received support for their research goals. But to some, even modest experiments involving animal embryos and human stem cells are an ethical violation. An examination of the long-term goals and potential consequences is arguably needed.

9. Wireless technology:
Mobile devices, PDAs and wireless connectivity are having a profound effect in developed nations, with the rate of data usage doubling on an annual basis. As a result, telecommunications and government agencies are under intense pressure to regulate the radio frequency spectrum. The very way government and society do business, communicate, and conduct their most critical missions is changing rapidly. As such, a policy conversation is needed about how to make the most effective use of the precious radio spectrum, and to close the digital access divide for underdeveloped populations.

10. Data collection/privacy:
With all the data that is being transmitted on a daily basis, the issue of privacy is a major concern that is growing all the time. Considering the amount of personal information a person gives simply to participate in a social network, establish an email account, or install software to their computer, it is no surprise that hacking and identity theft are also major concerns. And now that data storage, microprocessors and cloud computing have become inexpensive and so widespread, a discussion on what kinds of information gathering and how quickly a person should be willing to surrender details about their life needs to be had.

11. Human enhancements:
A tremendous amount of progress has been made in recent decades when it comes to prosthetic, neurological, pharmaceutical and therapeutic devices and methods. Naturally, there is warranted concern that progress in these fields will reach past addressing disabilities and restorative measures and venture into the realm of pure enhancement. With the line between biological and artificial being blurred, many are concerned that we may very well be entering into an era where the two are indistinguishable, and where cybernetic, biotechnological and other enhancements lead to a new form of competition where people must alter their bodies in order to maintain their jobs or avoid being left behind.

Feel scared yet? Well you shouldn’t. The issue here is about remaining informed about possible threats, likely scenarios, and how we as people can address and deal with them now and later. If there’s one thing we should always keep in mind, it is that the future is always in the process of formation. What we do at any given time controls the shape of it and together we are always deciding what kind of world we want to live in. Things only change because all of us, either through action or inaction, allow them to. And if we want things to go a certain way, we need to be prepared to learn all we can about the causes, consequences, and likely outcomes of every scenario.

To view the whole report, follow the link below. And to vote on which issue you think is the most important, click here.

Source: reilly.nd.edu