About Adam Jacobson

Adam Jacobson is a former associate editor of the Risk Management Monitor and Risk Management magazine.

Insulin Pumps Recalled After Hacking Vulnerability Revealed

After the U.S. Food and Drug Administration (FDA) expressed concern this week that some internet-connected insulin pumps made by medical device manufacturer Medtronic Plc are vulnerable to hacking and cannot be patched, Medtronic announced that it would offer an exchange for the 4,000 patients who are reportedly using the vulnerable devices. If patients are using vulnerable out-of-warranty models, Medtronic is offering a newer replacement at a discounted price, and in-warranty models will be replaced free of charge.

The Medtronic insulin pumps in question work by regularly providing insulin to the patient with the help of a continuous glucose monitor (CGM), which uses Bluetooth to connect to a computer via a CareLink USB device. This system allows patients to remotely send the device commands and share data with their health care providers. These devices are part of an industry-wide push to connect medical devices to the internet (as part of the wider internet of things, or IoT) to allow more efficient and cost-effective communication between patients and providers.

While the exact nature of the insulin pump vulnerability is unclear at this time—neither the FDA nor Medtronic has disclosed any technical details—the danger from someone exploiting the vulnerability is very serious and could be potentially fatal. According to the FDA, “an unauthorized person (someone other than a patient, patient caregiver, or health care provider) could potentially connect wirelessly to a nearby MiniMed insulin pump with cybersecurity vulnerabilities. This person could change the pump’s settings to either over-deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis.” In a letter to patients using one of the vulnerable pumps, Medtronic confirmed the potential danger, saying that “An unauthorized person with special technical skills and equipment could potentially connect wirelessly to a nearby insulin pump to change settings and control insulin delivery.”

Fortunately, there have not been any reported cases of anyone exploiting the vulnerability, but it is not the first case of such an issue affecting these devices. In 2011, a security researcher was able to hijack nearby Medtronic insulin pumps, giving him the ability to deliver potentially fatal doses of insulin to patients within 300 feet. After the vulnerability was revealed, Medtronic released a statement saying that it was working to improve its devices’ security.

This March, it was revealed that Medtronic’s connected pacemakers, clinic programmers and home monitors were also vulnerable to hacking. In that case, Dutch security researchers discovered the security flaws, which the company reportedly initially denied before the FDA began an investigation. The agency later issued a warning about the pacemakers, and Medtronic released a patch for the software. As with the insulin pumps, there were no reported cases of anyone taking advantage of the security flaw before the fix was implemented.

Speaking to CBS News after the March incident, the FDA’s Dr. Suzanne Schwartz said, “Any device can be hacked and that’s often not understood,” adding that companies are not prepared for this reality and that “we still have a ways to go.” This week, the FDA released a set of recommendations regarding the latest insulin pump vulnerability, including a suggestion to patients: “Talk to your health care provider about a prescription to switch to a model with more cybersecurity protection.”

Such cases highlight the continuing potential risks of internet-connected medical devices. As discussed in the recent Risk Management article “Diagnosis: Risk—The Product Liability Challenges of Diagnostic Health Tech,” cyber vulnerability is only one of the many challenges for manufacturers and users of connected medical devices. These devices—especially ones that provide medical diagnostic data—have scores of built-in product liabilities that could land their manufacturers (as well as any number of other companies in the devices’ chain of distribution) in legal trouble if something goes awry.

Global Heat Waves Signal Climate Risks

India is currently suffering under a heat wave that has lasted over a month, with temperatures reaching a record 118 degrees Fahrenheit (48 degrees Celsius) in New Delhi on June 10 and 122 degrees (50 degrees Celsius) in the western city of Churu. The death toll has been estimated to be at least 36, though some sources put the number at more than 150. Europe is also preparing for its own massive heat wave this week, with temperatures expected to be 36 degrees Fahrenheit (20 degrees Celsius) higher than the seasonal average of 72 degrees (22 degrees Celsius).

This pattern of heat waves has become a yearly occurrence across the globe. Europe faced similar heat last year, as did Asia, with Japan experiencing record-breaking temperatures in 2018, which sent more than 71,000 to hospitals, killing 138. North America also saw extended higher temperatures in 2018, with 41 heat records across the United States, and heat-related deaths overwhelming Montreal’s city morgue.

Experts say that these global record-breaking incidents are the result of climate change, and likely forecast a new normal of dangerous summer heat.

According to Stefan Rahmstorf, co-chair of Earth System Analysis at the Potsdam Institute for Climate Research (PIK), “Monthly heat records all over the globe occur five times as often today as they would in a stable climate. This increase in heat extremes is just as predicted by climate science as a consequence of global warming caused by the increasing greenhouse gases from burning coal, oil and gas.” French national meteorological service Météo-France echoed these concerns, saying that heat waves’ frequency “is expected to double by 2050.” And according to a 2017 study from The Lancet Planetary Health journal, the number of deaths resulting from weather-related disasters could skyrocket in the future, killing as many as 152,000 people each year between 2071 and 2100, more than 50 times greater than the average annual deaths from 1980 to 2010.

As Risk Management has previously reported, these changes are also already impacting business operations globally, with direct economic losses from climate-related disasters (including heat waves) having increased 151% from 1998 to 2017, according to the United Nations Office for Disaster Risk Reduction. Heat waves have serious effects on business operations, impacting things like road conditions and agriculture, as well as workers’ health and safety. More than 15 million U.S. workers have jobs requiring time outdoors, and according to the World Bank, even for indoor workers, productivity declines by 2% per degree Celsius above room temperature.

Many countries have taken steps to mitigate the effects of heat waves on their populations. For example, since 2016, India has been providing shelter for homeless people, opening water stations for hydration, cutting building heat absorption by painting roofs white and imposing working hour changes, curfews and restrictions on outdoor activities. These efforts have successfully reduced heat-related deaths from more than 2,400 in 2015 to 250 in 2017.

The U.S. Environmental Protection Agency (EPA) recommends similar steps to the ones India is taking, as well as ensuring that energy and water systems are properly functioning, establishing hotlines for reporting cases of high-risk individuals and encouraging energy conservation to reduce the chances of overwhelming electric systems. The U.S. Occupational Safety and Health Administration (OSHA) recommends that employers and workers facing higher temperatures in the workplace pay close attention for the signs of heat stroke, and keep three words in mind: water, rest and shade.

While these on-the-ground measures can reduce the immediate effects on workers and vulnerable populations like the elderly, children and the homeless, PIK’s Rahmstorf warns that “Only rapidly reducing fossil fuel use and hence CO2 emissions can prevent a disastrous further increase of weather extremes linked to global heating.”

Inside a Business Email Compromise Operation

A new report from cybersecurity company Agari’s Cyber Intelligence Division outlines the operations of a business email compromise (BEC) gang in West Africa, showing that criminals who engage in BEC online theft can have a diverse portfolio of online criminal activity that they use to build their capabilities, and use sophisticated methods to scam their victims, including businesses and government agencies.

BEC is a cyberfraud tactic in which a scammer will contact a target using phishing emails imitating a fellow employee of the target (often someone in the finance department or management) usually seeking to convince the victim to conduct a business transaction, most likely a money transfer to an account run by the scammer. The scammers may also try to trick their victims into clicking a link in an email or visiting a scam website, which could provide the scammers with the victim’s online credentials or download malware onto the victim’s computer and gain access to their company’s network.

As Risk Management previously reported, Beazley Breach Response Services found that BEC-related attacks cost victims an average of $70,960, but the FBI’s Internet Crime Complaint Center has estimated that the total “revenues” of BEC attacks doubled in 2018 to $1.3 billion. BEC attacks are also extremely common—approximately two-thirds of IT executives are reportedly dealing with them.

Agari’s report, titled “Scattered Canary: The Evolution of a West African Cybercriminal Startup,” shows that cybercriminal gangs diversify their criminal schemes, using their established infrastructure from one type of scam to facilitate others. Agari researchers named the group Scattered Canary and compared it to a tech startup because of its recruitment and expansion strategy. Scattered Canary has pursued a variety of different criminal social engineering efforts, including:

  • Romance scams: Creating a fake online romantic relationship with a victim and requesting gifts, access to their bank or retirement accounts, or services related to other scams.
  • Check fraud: A scammer offers to purchase an item for more than its advertised price with a check (which is fraudulent), then requests that the seller send the extra amount to a third party (a fictional shipping company, for example).
  • Credential harvesting: Tricking victims into providing their online credentials, including log-in information for online financial services.

Agari says that Scattered Canary built up a network of members and the skills to easily transfer from one scheme to another.

The group has used multiple BEC tactics over time, transitioning from tricking employees into carrying out wire transfers from their companies’ bank accounts to convincing victims to buy gift cards that scammers would then cash out via cryptocurrency exchanges.

More recently, the group has targeted human resource departments to change the direct deposit information for a company’s executive, then cashed out the deposits using prepaid debit cards.

Businesses should train their staff at all levels on how to spot BEC and other types of online scams. If employees can recognize phishing emails and websites, and know not to click links or provide information in response to either, this can protect companies from fraud and significant financial loss. In addition to training staff, the FBI suggests always verifying requests to send money, even if the email requesting the transfer is urgent, by speaking directly to the person who seems to be requesting the money on the phone (using the previously known number, not the one provided in the email) or in person. The FBI also suggests setting up filters that flag email addresses that are similar to the company’s email, and creating an email rule that notes emails coming from outside the company, among other technical steps.
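
The two technical steps the FBI suggests, flagging sender addresses that resemble the company's own and marking mail from outside the company, can be sketched as follows. This is an added example, not code from the FBI or Agari; the domain `example-corp.com`, the tag wording and the two-edit threshold are assumptions chosen for illustration.

```python
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # assumption: placeholder for your own domain
# Character swaps often seen in lookalike domains, folded before comparing.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}
TAGS = {"internal": "", "external": "[EXTERNAL] ",
        "lookalike": "[SUSPECT: LOOKALIKE DOMAIN] "}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold(domain):
    """Map visually confusable sequences onto the characters they imitate."""
    for src, dst in CONFUSABLES.items():
        domain = domain.replace(src, dst)
    return domain

def classify_sender(from_header, company=COMPANY_DOMAIN):
    """Return 'internal', 'lookalike' or 'external' for a From header."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain == company or domain.endswith("." + company):
        return "internal"
    # Near-misses: same string after folding, or at most two edits away.
    if domain and (fold(domain) == fold(company)
                   or edit_distance(domain, company) <= 2):
        return "lookalike"
    return "external"

def tag_subject(subject, from_header):
    """Prefix the subject so the recipient sees the verdict before opening."""
    return TAGS[classify_sender(from_header)] + subject

if __name__ == "__main__":
    # Constructed sample headers, not taken from any real message.
    for sender in ("CFO <cfo@example-corp.com>", "CFO <cfo@examp1e-corp.com>",
                   "CFO <cfo@exarnple-corp.com>", "Billing <ap@vendor.net>"):
        print(f"{classify_sender(sender):9}  {tag_subject('Wire request', sender)}")
```

The check reads only the visible From header, so an "internal" verdict still depends on the mail gateway enforcing SPF, DKIM and DMARC for the company's own domain.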

For more from Risk Management about controlling the risks of BEC and other social engineering fraud, check out: