Devices All Around Us Are NOT SAFE!!

Conficker has now invaded medical devices: http://tinyurl.com/ck3z3n

Why and how is pretty easy to understand:

- medical devices with "intelligence" embedded in them (microprocessors and a lot of software to control the device) are sometimes designed using Windows. Yes I think this is a horrible horrible choice but it is a choice that is often made.
- once developed and certified, these devices rarely get updated. So "old" security flaws in Windows stay there, "forever".
- sometimes the devices are not supposed to get connected to the internet, but do anyway.
- viola, detection and infection...

So what are the device types in general we have to worry about potentially be targetted by viruses or other takeovers by "bad guys"?

Well, let's see, not too many, it only includes:

- internal systems on automobiles
- internal systems on airplanes
- home networking equipment
- home TV's (my 42" high def LCD TV is running Windows inside, I'm almost certain!)
- digital video recorders
- DVD players, particularly Blu-Ray devices
- medical equipment, both hospital based and advance home care devices
- automated tellers
- traffic control systems
- railway control systems
- power control systems

Folks I could go on. The point is, increasingly, the world around us is "controlled" by "intelligent" devices. And these devices are hugely suscpetible to being compromised in their operations, through software/network based attacks.

I don't want the owners of conficker effectively "owning" my TV, much less the system that controls the local mass transit system, much less systems on the Boeing or Airbus plane I'll be on later today.

The world needs secure software and systems, and we need it NOW. Getting there includes:

- better security training for s/w development engineers
- better security requirements managed through the software lifecycle
- use of best of breed tools for security assessment of code, both through static and dynamic analysis
- use of defensive mechanism in code to detect, defend and react to internal security breachs (yes this is where my company, Arxan Technologies, has solutions).
- use of updating capabilities and processes to ensure that security faults in ALL devices are addressed quickly and responsibily, rather than left to be taken advantage of in later months or years.
- choice of appropriate operating systems and other tools for the task, rather than use of known low security quality software such as Microsoft Windows

So are the conficker owners going to issue an update that is specific to a medical device to cause it to misbehave? Not likely...but they could. It's really quite unbelievable. We are giving control of the world around us away, to those whose only interest is leverage their control for profit and/or mayhem.

Funny, that hunting and gathering life is sounding more and more appealing. No you may not take over my spear!!