In-brief: In a damning report, the FDA said that St. Jude Medical* knew about serious security flaws in its implantable medical devices as early as 2014, but failed to address them with software updates or other mitigations, or by replacing those devices. (Editor’s note: updated to include a statement from Abbott and comment from Dr. Kevin Fu. – PFR April 14, 2017)
In-brief: a remotely exploitable flaw in a common hardware component used in phones by Apple, Samsung and others underscores the risk posed by software embedded in system on chip components that are found in almost every connected device, experts warn.
In-brief: Residents of Uncanny Valley have something more to worry about: telepresence robots by the firm Double Robotics contain numerous, exploitable vulnerabilities, the firm Rapid7 reports.
In-brief: A survey of penetration testers by Rapid7 finds most organizations are failing to detect malicious activity on their networks.
The security firm Proofpoint is writing about a new and “improved” version of DNSChanger, an exploit kit that attacks home routers in order to serve malicious advertisements to anyone connecting through the Internet using that router. From the Proofpoint analysis: Since the end of October, we have seen an improved version of the “DNSChanger EK”  used in ongoing malvertising campaigns. DNSChanger attacks internet routers via potential victims’ web browsers; the EK does not rely on browser or device vulnerabilities but rather vulnerabilities in the victims’ home or small office (SOHO) routers. Most often, DNSChanger works through the Chrome browser on Windows desktops and Android devices. However, once routers are compromised, all users connecting to the router, regardless of their operating system or browser, are vulnerable to attack and further malvertising.The router attacks appear to happen in waves that are likely associated with ongoing malvertising campaigns lasting several days. Attack […]