One Article Review

Home - The article:
Source Errata Security
Identifier 9074
Publication date 2016-08-26 23:01:43 (viewed: 2016-08-26 23:01:43)
Title Notes on that StJude/MuddyWatters/MedSec thing
Text I thought I'd write up some notes on the StJude/MedSec/MuddyWaters affair. Some references: [1] [2] [3] [4].

The story so far

tl;dr: hackers drop 0day on a medical device company hoping to profit by shorting their stock.

St Jude Medical (STJ) is one of the largest providers of pacemakers (aka cardiac devices) in the country, with around ~$2.5 billion in revenue from them, which accounts for about half their business. They provide "smart" pacemakers with an on-board computer that talks via radio waves to a nearby monitor that records the functioning of the device (and health data). That monitor, "Merlin@Home", then talks back up to St Jude (via phone lines, 3G cell phone, or wifi). Pretty much all pacemakers work that way (my father's does, although his is from a different vendor).

MedSec is a bunch of cybersecurity researchers (white-hat hackers) who have been investigating medical devices. In theory, their primary business is to sell their services to medical device companies, to help those companies secure their devices. Their CEO is Justine Bone, a long-time white-hat hacker.

Muddy Waters is an investment company known for investigating companies, finding problems like accounting fraud, and profiting by shorting the stock of misbehaving companies.

Apparently, MedSec did a survey of many pacemaker manufacturers, chose the one with the most cybersecurity problems, and went to Muddy Waters with their findings, asking for a share of the profits Muddy Waters got from shorting the stock.

Muddy Waters published their findings in [1] above. St Jude published their response in [2] above. They are both highly dishonest. I point that out because people want to discuss the ethics of using 0day to short stock when we should talk about the ethics of lying.

"Why you should sell the stock" [finance issues]

In this section, I try to briefly summarize Muddy Waters' argument for why St Jude's stock will drop. I'm not an expert in this area (though I do a bunch of investing), but their arguments do seem flimsy to me.

Muddy Waters' argument is that these pacemakers are half of St Jude's business, and that fixing them will first require recalling them all, then take another 2 years to fix, during which time they can't be selling pacemakers. Much of the Muddy Waters paper is taken up explaining this, citing similar medical cases, and so on.

If at all true, and if the cybersecurity claims hold up, then yes, this would be a good reason to short the stock. However, I suspect they aren't true -- and that they are simply trying to scare people about long-term consequences, allowing Muddy Waters to profit in the short term.

@selenakyle on Twitter suggests this interesting document [4] about market solutions to vuln disclosure, if you are interested in this angle of things.

The 0day being dropped

Well, they didn't actually drop 0day as such, just claims that 0day exists -- that it's been "demonstrated". Reading through their document a few times, I've created a list of the 0day they found, to the granularity that
Sent Yes
Tags Guideline
Stories Deloitte


The article does not seem to have been picked up again after its publication.


The article does not seem to have been picked up from an earlier one.