9-11-17 – News This Past Week

Hackers Can Remotely Access Syringe Infusion Pumps to Deliver Fatal Overdoses
Now, it turns out that a syringe infusion pump used in acute care settings could be remotely accessed and manipulated by hackers to impact the intended operation of the device, ICS-CERT warned in an advisory issued on Thursday.


Syringe infusion pumps can be fiddled with by remote attackers
The vulnerabilities, identified by independent researcher Scott Gayou, include buffer overflows, hard-coded credentials and passwords, improper certificate validation, passwords stored in the configuration field, and improper access control.


Symantec Researchers Reveal New Ramped-up Attacks on U.S. Power Grid
The malware is delivered using old phishing techniques, but with new payloads. Several power generation and control facilities, perhaps including one nuclear power plant, have already been penetrated.


Hackers lie in wait after penetrating US and Europe power grid networks
Nation-sponsored hackers have penetrated the operational networks multiple US and European energy companies use to control key parts of the power grid that supplies electricity to hundreds of millions of people, researchers warned Wednesday.


Symantec: ‘Dragonfly’ Attack Group Targets Energy Companies In US, Turkey, Switzerland
The company also said the attackers were careful to cover their tracks. Dragonfly is said to have relied on off-the-shelf malware anyone can use, to have avoided using zero-day exploits, and to have used both Russian and French in various code strings to avoid giving away the country of origin via the language used. All of these factors led Symantec to hold off on officially attributing Dragonfly’s actions to a specific country.


Serious Flaws Found in Westermo Industrial Routers
Qualys researcher Mandar Jadhav discovered that Westermo’s MRD-305-DIN, MRD-315, MRD-355 and MRD-455 industrial routers, which are used for remote access worldwide in the commercial facilities, critical manufacturing and energy sectors, are exposed to attacks by three vulnerabilities.


Fixing, upgrading and patching IoT devices can be a real nightmare
Ensuring cybersecurity for computers and mobile phones is a huge, complex business. The ever-widening scope and unbelievable variety of threats makes keeping these devices safe from cyber criminals and malware a full-time challenge for companies, governments and individuals around the world.


News This Past Week

Siemens Patches Flaws in Automation, Power Distribution Products
Siemens customers were informed last week that some of the company’s automation and power distribution products are affected by vulnerabilities that can be exploited for denial-of-service (DoS) attacks and session hijacking

30 ways to improve IoT privacy
To improve IoT security and privacy, we need to create a security culture. Here are 30 ways IoT device makers and developers can do their part.

This Linux tool could improve the security of IoT devices
Snappy, a software deployment and management system designed by Canonical for the Ubuntu operating system, could be a shortcut to building trusted IoT applications

UK infrastructure failing to meet the most basic cybersecurity standards
More than a third of national critical infrastructure organisations have not met basic cybersecurity standards issued by the UK government, according to Freedom of Information requests by Corero Network Security

Need to Jumpstart IoT Security? Consider Segmentation
In the healthcare industry, medical devices connecting patients, care givers, and systems across facilities are being used to save lives and find cures. Manufacturers embarking on their digital transformation journey are connecting devices on the factory floor to increase uptime, productivity, and competitive advantage

FDA issues recall of 465,000 St. Jude pacemakers to patch security holes
Heart patients will have to visit their doctors to have their pacemakers patched for the “voluntary” recall — but there are risks

Advantech fixes serious vulns in WebAccess HMI/SCADA software
Advantech WebAccess is a web browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA).

IoT Device Hit by Credential Attack Every Two Minutes: Experiment
Internet of Things (IoT) botnets such as Mirai might not be in the headlines as often as they were several months ago, but the threat posed by insecure IoT devices is as high as before, a recent experiment has revealed

News This Past Week

Cisco IOS Flaws Expose Rockwell Industrial Switches to Remote Attacks
The Allen-Bradley Stratix and ArmorStratix switches, which ICS-CERT says are used worldwide in the critical manufacturing, energy and water sectors, rely on Cisco’s IOS software for secure integration with enterprise networks. That means Cisco IOS flaws can also affect Rockwell Automation products

IoT Thermostat Bug Allows Hackers to Turn Up the Heat
With the ever-increasing impact of smart and connected devices in our daily lives, cybersecurity has a variety of security challenges to deal with. The field of traditional computer security deals with a myriad of issues like data theft or sabotage. However, when it comes to IoT security, the consequences of a successful attack can be even more diverse.

This Linux tool could improve the security of IoT devices
Snappy, a software deployment and management system designed by Canonical for the Ubuntu operating system, could be a shortcut to building trusted IoT applications

Germany publishes ethical guidelines for self-driving cars
The technological developments are forcing government and society to reflect on the emerging changes. The decision that has to be taken is whether the licensing of automated driving systems is ethically justifiable or possibly even imperative

Unfixable Automobile Computer Security Vulnerability
Researchers say this flaw is not a vulnerability in the classic meaning of the word. This is because the flaw is more of a CAN standard design choice that makes it unpatchable

Unpatchable Flaw in Modern Cars Allows Hackers to Disable Safety Features
Today, many automobile companies are offering vehicles that run on a mostly drive-by-wire system, which means a majority of a car’s functions—from instrument cluster to steering, brakes, and accelerator—are electronically controlled.

‘Smart’ solar power inverters raise risk of energy grid attacks
Given the dearth of research on this class of device, it’s an eye-catching if sensational claim that shouldn’t come as a total surprise in the light of recent technological developments

‘Gloomy times ahead’ for security on critical infrastructure, warn experts
It looks like pretty good timing. Less than a week after a couple of critical infrastructure experts bemoaned the ongoing lack of security in the industry, the US National Institute of Standards and Technology (NIST) is out with the latest (fifth) draft of its Security and Privacy Controls for Information Systems and Organizations

How likely is a ‘digital Pearl Harbor’ attack on critical infrastructure?
Richard A Clarke, who in 2000 was the US’s top counter-terrorism and cybersecurity chief, gets credit for coining the term “digital Pearl Harbor”. He said at the time that it was “improbable,” but added that “statistically improbable events can occur”.

Hacked robots can be a deadly insider threat
IOActive researchers have probed the security of a number of humanoid home and business robots as well as industrial collaborative robots, and have found it seriously wanting.

Medical devices and the Internet of Things: Defending against cyber threats
More than one-third (35.6 percent) of surveyed professionals in the Internet of Things-connected medical device ecosystem say their organizations have experienced a cybersecurity incident in the past year, according to Deloitte

Insecure IoT Devices Pose Physical Threat to General Public
At the car wash, look out for attack robots. Billy Rios, CEO of Whitescope, visits the Dark Reading News Desk to discuss how IoT devices could be hacked to physically attack people in everyday public settings.

Report Suggests ‘Fleeting Window’ to Prevent Major Cyber Attack on Critical Infrastructure
The National Infrastructure Advisory Council (NIAC) published a draft report this week titled Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure (PDF). The report warns there is a narrow and fleeting window to prepare for and prevent “a 9/11-level cyber-attack” against the U.S. critical infrastructure

Healthcare Providers Warned of Flaws in Philips Product
The U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and Philips have warned healthcare providers that one of the company’s radiation dose management tools is affected by potentially serious vulnerabilities

Overcoming the Lost Decade of Information Security in ICS Networks
Despite the collective failures in that space – leading to billions in stolen intellectual property, massive intelligence gains like OPM, hundreds of millions of stolen identities, etc. – there were clearly major advances in terms of security controls. Countless innovations – tons of investment in terms of people and money, the birth and evolution of an industry/subindustries, a proven ability to respond to (although not foresee) emerging threats – depict a tremendous number of positives hidden behind the losses

Fourth US Navy Collision This Year Raises Suspicion of Cyber-Attacks
Early Monday morning a U.S. Navy Destroyer collided with a merchant vessel off the coast of Singapore. The U.S. Navy initially reported that 10 sailors were missing, and today found “some of the remains” in flooded compartments

Industrial hack can turn powerful machines into killer robots
In a post titled “Exploiting Industrial Collaborative Robots,” security researchers at IOActive detail how popular models of consumer and industrial robots have already been compromised in such a way that could cause humans bodily harm. The study examines a class of collaborative robots designed to work together with their human counterparts, often in industrial settings.

DJI Spark Gets Mandatory Firmware Update, Won’t Fly Unless Updated
Given that drones are basically robots with fast-spinning rotary blades that can fly high up in the sky, clearly there are safety issues to be considered since you don’t want these drones to fall out of the sky and land on someone’s head. This is why we can’t say we’re surprised to learn of one of the measures DJI is taking to ensure drone safety

08-13-17 – News This Past Week

UK publishes Laws of Robotics for self-driving cars
The United Kingdom has published a set of “Key principles of vehicle cyber security for connected and automated vehicles” outlining how auto-makers need to behave if they want computerised cars to hit Blighty’s byways and highways

NotBeingPetya: UK critical infrastructure firms face huge fines for lax security
The UK government has announced that businesses providing essential services like energy and transport could be fined as much as £17m or 4 per cent of global turnover for failing to have effective cyber security measures in place

How a Port Misconfiguration Exposed Critical Infrastructure Data
Attacks hitting companies’ electrical systems are possible, especially when information that provides insight into those systems’ weak points is freely accessible online. If you think that such a thing is unlikely, you probably haven’t yet heard about the most recent discovery made by UpGuard researchers

Malicious code written into DNA infects the computer that reads it
“One of the big things we try to do in the computer security community is to avoid a situation where we say, ‘Oh shoot, adversaries are here and knocking on our door and we’re not prepared,’” said professor Tadayoshi Kohno, who has a history of pursuing unusual attack vectors for embedded and niche electronics like pacemakers.

Firmware update blunder bricks hundreds of home ‘smart’ locks
The upshot is you can’t use the built-in keypad on the devices to unlock the door. Lockstate’s smart locks are popular among Airbnb hosts as they allow them to give guests an entry code to get into properties without having to share physical keys. Lockstate is even a partner with Airbnb.

Critical Flaws Found in Solar Panels Could Shut Down Power Grids
Willem Westerhof, a cybersecurity researcher at Dutch security firm ITsec, discovered 21 security vulnerabilities in the Internet-connected inverters – an essential component of solar panels that turns direct current (DC) into alternating current (AC).

Who is better prepared for IoT-related attacks, SMEs or large organizations?
Small and midsized organizations (SMEs) are taking more steps to protect themselves from security risks associated with the Internet of Things (IoT) than large businesses, according to Pwnie Express. Small businesses are more likely to close the IoT security gap and better protect mission critical systems and business operations

Siemens CT scanners open to remote compromise via publicly available exploits
After WannaCry hit systems around the world in May, the company acknowledged that some of its customers may be facing impacts from the cyber-attack, as some of Siemens Healthineers’ products “may be affected by the Microsoft vulnerability being exploited by the WannaCry ransomware.”

How a port misconfiguration exposed critical infrastructure data
If you think that such a thing is unlikely, you probably haven’t yet heard about the most recent discovery made by UpGuard researchers: an open port used for rsync server synchronization has left the network of Power Quality Engineering (PQE) wide open to malicious attackers

Fuji Electric Patches Vulnerabilities in HMI Software
ICS-CERT informed organizations on Thursday that the Monitouch V-SFT software is affected by stack and heap buffer overflows and improper privilege management vulnerabilities that can be exploited to execute arbitrary code and escalate privileges.

Engineering Firm Exposed Electrical Infrastructure Details: Researchers
Misconfiguration issues with systems operated by Texas-based electrical engineering operator Power Quality Engineering (PQE) resulted in the information of various clients being exposed to the Internet, along with sensitive corporate information from PQE itself, UpGuard security researchers warn.

Has healthcare misdiagnosed the cybersecurity problem?
Most senior leadership in healthcare is medically trained with a clinical background in an industry built on such noble concepts as “do no harm” and forward-thinking practices like evidence-based medicine. Through this lens, healthcare organizations regularly misinterpret the nature of the cybersecurity problem and consequently, how to treat it.

Fuzzing Tests Show ICS Protocols Least Mature
Fuzzing tests conducted last year by customers of Synopsys, a company that provides tools and services for designing chips and electronic systems, revealed that protocols used in industrial control systems (ICS) are the least mature.

Cyberattacks on GPS leave ships sailing in dangerous waters
And well they might after a recent spate of GPS jamming incidents involving these countries. Last year North Korea was accused of being behind the mass jamming of dozens of South Korean vessels that was serious enough to force them back to port.

Carmakers warned to focus on security of connected vehicles
Following up 2016’s demonstration of an attack in which the team disabled the car’s brakes via Wi-Fi, this year they remotely turned on the lights while opening and closing the doors, producing a slick video showing off their handiwork.

Air Gap FAILs, Configuration Mistakes Causing ICS/SCADA Cyberattacks
It had the markings of a possible sabotage operation. Stealthy, patient cyber attackers had wrested control of an ICS/SCADA controller in a power plant and were rooting around in what appeared to be a reconnaissance effort to map out the plant’s infrastructure

Schneider Electric, Claroty Partner on Industrial Network Security
Energy management and automation giant Schneider Electric has teamed up with industrial cybersecurity startup Claroty to offer its customers solutions for protecting industrial control systems (ICS) and operational technology (OT) networks

Exploited Windows Flaws Affect Siemens Medical Imaging Products
One advisory, published by both Siemens and ICS-CERT, warns of two critical Windows vulnerabilities that allow a remote, unauthenticated attacker to execute arbitrary code. The security holes impact Siemens Healthineers’ PET/CT and SPECT/CT medical imaging products running on Windows XP.

IoT Security: Where There is Smoke, There is Fire
We have collectively heard the saying, “where there is smoke, there is fire” throughout our lives. And, sure enough, it is true far more often than it is false. I have been seeing a lot of smoke lately, so I suspect that there is an interesting fire burning.

Attacks on manufacturing industry continue to rise
The motivations for these attacks are often criminal in nature, including extortion via ransomware, industrial espionage, and theft of data such as account numbers. What poses an even greater problem is that when these breaches are successful, yet go undetected, they allow hackers to establish footholds in organizations’ networks where they have free rein to wreak havoc over extended periods.

News This Past Week

Researchers Find a Malicious Way to Meddle with Autonomous Cars
While automakers focus on defending the systems in their cars against hackers, there may be other ways for the malicious to mess with self-driving cars. Security researchers at the University of Washington have shown they can get computer vision systems to misidentify road signs using nothing more than stickers made on a home printer.

Can US senators secure the Internet of Things?
In an intriguing choice of words, the bill aims to specify what the regulators are calling “minimal cybersecurity operational standards” for IoT devices.

New Legislation Could Force Security Into IoT
After years of warnings from security experts and researchers, the Internet of Things (IoT) remains fundamentally insecure. Now a group of senators has introduced bipartisan legislation to force vendors to ensure basic security within their IoT devices if they wish to sell into the government market.

Multiple vulnerabilities found in radiation monitoring gateways
Every now and then, a presentation at Black Hat throws up a security vulnerability that has been missed either because it exists in equipment researchers haven’t been paying attention to, or is simply inherently difficult to uncover.

Bipartisan Group Proposes IoT Cybersecurity Improvement Act
U.S. Senators Mark Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-WA), and Steve Daines (R-MT) have introduced the Internet of Things Cybersecurity Improvement Act of 2017, a new bill that seeks to ensure that IoT devices sold to the U.S. government meet security requirements.

It’s 2017 and Hayes AT modem commands can hack luxury cars
A bunch of mid-age Ford, Infiniti, Nissan and BMW vehicles are carrying around a vulnerable chipset from Infineon that America’s ICS-CERT reckons is easy to exploit.

07-31-17 – News This Past Week

Testing the security of connected cars and IOT devices
Finding issues in your products and services upfront is a far better investment than the expense of letting cybercriminals find and exploit vulnerabilities. Our own investments in people, tools and expertise have more than tripled our security testing capabilities in the first year of IBM X-Force Red, making our offense our clients’ best defense

ICS Networks Not Immune To Insider Threats
The security threat from within can be even more potent than many external attacks. This is particularly the case with Industrial Control System (ICS) networks, which manage critical infrastructure and manufacturing processes. A smart, motivated, perhaps disgruntled employee or ex-employee with knowledge of a plant and access to the network, can cause a variety of disruptions that may result in tainted products, financial losses, equipment damages and even threaten human lives.


WHISTL Labs will be Cyber Range for Medical Devices
Amid increasing concerns about cyber threats to healthcare environments, a global network of labs will test the security of medical devices, according to an announcement on Monday by a consortium of healthcare industry firms, universities and technology firms


What is the car industry’s problem with over-the-air software updates?
Boiled down to its essence, OEMs can’t offer existing customers new features for their vehicles without the car dealerships getting their cut. This is in contrast to Tesla, which has done much to highlight the utility of OTA updates


‘Devil’s Ivy’ Is Another Wake-Up Call for IoT Security
The vulnerability — called Devil’s Ivy or CVE-2017-9765 — was made public last week by Senrio, a company that specializes in IoT security. It initially found the bug in the M3004 model security camera marketed by Axis Communications, but further research found that 249 of Axis’s 251 surveillance camera models are affected.


IBM Will Expand Security Testing Services To Automotive And IoT Companies
IBM seems to have recently refocused its efforts towards digital security, with the release of the new IBM Z mainframe, too, a computing system that aims to fully encrypt cloud services and data for its corporate customers.


Majority of Consumers Believe IoT Needs Security Built In
Respondents to a global survey say Internet of Things security is a shared responsibility between consumers and manufacturers


Car Wash Hack Can Strike Vehicle, Trap Passengers, Douse Them With Water
“We believe this to be the first exploit of a connected device that causes the device to physically attack someone,” researchers presenting the proof-of-concept say.


Independent labs to probe medical devices for security flaws
They suffer from many miseries: lack of quality assurance and testing, rush to release pressures on product development teams, accidental coding errors, malicious coding, inherent bugs in product development tools, being tiny, having low computing power in internal devices, and, well, the list goes on.

How to protect the power grid from low-budget cyberattacks
Cyberattacks against power grids and other critical infrastructure systems have long been considered a threat limited to nation-states due to the sophistication and resources necessary to mount them


Security vulnerabilities in radiation monitoring devices
IOActive researcher Ruben Santamarta has uncovered a number of cybersecurity vulnerabilities in widely deployed Radiation Monitoring Devices (RDMs), and has presented his research at the Black Hat conference in Las Vegas.


Researchers Release Free Tool to Analyze ICS Malware
The researchers who discovered the game-changing malware used against Ukraine’s power grid in 2016 that knocked out power for an hour in part of Kiev released a tool here this week for analyzing malicious code targeting industrial networks.


ICS-CERT Warns of CAN Bus Vulnerability
A team of Italian researchers published a paper last year describing various CAN weaknesses and an attack method that can be leveraged for denial-of-service (DoS) attacks. They also published a proof-of-concept (PoC) exploit and a video showing how they managed to exploit the flaw to disable the parking sensors on a 2012 Alfa Romeo Giulietta.


Researchers remotely hack Tesla Model X
Security researchers from Tencent’s Keen Security Lab have done it again: they’ve found vulnerabilities in one of Tesla’s cars and demonstrated that they can be exploited remotely to do things like open the car’s doors and force it to brake while in motion.


Lethal Dosage of Cybercrime: Hacking the IV Pump
Why would someone hack an IV pump? There are several reasons, Regalado pointed out. If successful, an attacker could steal personally identifiable information (PII), hijack hospital devices and demand ransom, corrupt the device in a denial-of-service attack, or use the pump as an entryway into the broader corporate network.


Medical Device (Virtual) Village at DEF CON

There will be a Medical Device (Virtual) Village this year at DEF CON, organized in conjunction with I Am The Cavalry, the BioHacking Village, and the IoT Village (located in IoT Village) from July 28-30th at Caesars Palace in Las Vegas, Nevada. We seek to establish a high-trust, high-collaboration environment where security researchers, medical device makers, healthcare providers, doctors, and others can come together in a joint mission to preserve patient safety. This event builds on work such as our Hippocratic Oath for Connected Medical Devices and our Position on Disclosure.

The latest medical advances lie at the intersection of patient care and connected technology. Integration of new technology enables innovations that improve patient outcomes, reduce the cost of care delivery, and advance medical research. A growing number of medical devices are designed to be networked to facilitate patient care. As such, accidents and adversaries that trigger software vulnerabilities may harm human life, patient safety, and public trust.

Researchers may be more reluctant to disclose if they know a vulnerability has not been (or cannot be) fixed. On the other hand, the prospect of high-consequence failures may motivate action. Remediation urgency can preserve safety, life, and trust; at the same time, validation and verification avoid unintended consequences. Vulnerability discovery, disclosure and remediation in public safety and human life contexts should be handled with both due haste and due care.

News This Past Week 2017-07-09

Russian hackers target the US nuclear industry
The New York Times and Bloomberg both claim that Russian hackers have been attempting to infiltrate America’s nuclear power industry. The infiltrations themselves have been public knowledge since last week, but now fingers are being pointed towards the usual suspects.

Unpatched Flaws in Schneider Electric U.motion Builder Disclosed
Schneider Electric’s U.motion is a building automation solution used around the world mainly in the commercial facilities, critical manufacturing and energy sectors. U.motion Builder is a tool that allows users to create projects for their U.motion devices

Breach at US nuclear plants raises concerns in wake of Petya
For anyone old enough to remember the 1980s, the Chernobyl accident and the radiation it released in a cloud across Europe is a byword for nuclear disaster, and the human tendency to underestimate the importance of having a plan B. The area around the plant is still an abandoned exclusion zone, 31 years after the disaster.

In ExPetr/Petya’s shadow, FakeCry ransomware wave hits Ukraine
While there is little doubt that MeDoc users were infected via malicious updates with ExPetr, it appears that ExPetr was not the only malware they received. Our telemetry confirms that MeDoc users received at least one other malicious program at the same time. This additional malware, which was run as “ed.exe” in the “MeDoc” program folder

Intel AMT bug bit Siemens industrial PCs
You don’t need state-sponsored hackers to crack industrial control systems, just an empty Intel AMT login – something Siemens started patching against last week

This weekly report was compiled, with comments, by Tim Anater (@bfbcping). Tim comments on security, beer, and movies. In that order. All views are his, except links. Those belong to whomever is on the other side of the link.

IATC at ISSA Summit

On Friday, May 19, I attended the ISSA Summit 9 in Los Angeles to run the I Am The Cavalry booth. I Am The Cavalry was an honorary sponsor of the event and I thoroughly enjoyed the experience. From the keynotes about the current state of cyber security and life lessons learned from IT, to the in-depth breakdown of WanaCrypt0r, there was plenty to take away from each and every talk. Perhaps most importantly were the amazing connections we were able to establish at and around the booth. A speaker at the CISO panel mentioned I Am The Cavalry which also helped bring more interest over to the booth.

Of particular note, we received some very interesting questions, ideas, and even invitations to speak at other industry events, such as Big Data Day LA and SoCal Linux Expo (SCALE). One of the interesting enquiries we received was about creating a Pwn2Own for medical devices, which could facilitate more security research on them as more and more malware has been victimizing medical equipment. This brought to our attention the subject that is somewhat unique to healthcare and other special-device industries: the devices are so pricey that it is often impractical for security researchers to even get their hands on them in order to test. For example, an MRI machine costs upwards of hundreds of thousands of dollars and no known hospital currently has MRI machines to sacrifice on security tests.

Jennifer Granick, Stanford Law School’s Director of Civil Liberties, also stopped by the booth and asked to see some x86 disassembly, so I walked her through some WanaCrypt0r code which was a hot topic recently. Ms. Granick has a very thorough book that she recently published about the current state of privacy and surveillance in the United States entitled American Spies: Modern Surveillance, Why You Should Care, and What to Do About It. The book has a similar feel to Data and Goliath by Bruce Schneier, but as one would imagine, it covers a lot more policy and law rather than the technical focus of Schneier’s books. I feel this title makes a great companion to Data and Goliath and frankly was very necessary at this point in time. I’ve enjoyed the 50 pages that I’ve read so far and each page is jam-packed with value.

Last but not least, the CTF was put on by Somerset Recon from San Diego. These gentlemen are very, very skilled at what they do and brought an awesome, e-sports-esque head-to-head rig. If I would have had extra time, I certainly would have spent more time reversing binaries at the CTF, but every minute was well-spent at this event and I look forward to the next ISSA Summit.

Todd Cullum

US Government ❤ Coordinated Disclosure

Thanks to a great friend and graphic designer, @NguyetV, we have an infographic of the US Federal Government’s work around coordinated disclosure over the last two years.

UPDATE: Since publication, the FDA released their final postmarket guidance on December 28.

UPDATE 2017.06.07: In May, a Senate bill was introduced for a government-wide bug bounty, and in June the House bug bounty equivalent was also introduced. And Mårten Mickos of HackerOne pointed out that the General Services Administration’s (GSA) 18F has a disclosure policy, and that Hack The Air Force is currently running.

UPDATE 2017.11.06: A couple of new examples, in the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 introduced by Senators Mark Warner and Cory Gardner, which calls for companies to have a coordinated disclosure policy and would provide safe harbor for researchers reporting in good faith.

Also, thanks to Harley Geiger who identified four new updates.