Other News

University Course Will Teach Medical Device Security

The University of Michigan will be among the first to offer graduate students the opportunity to study the security of advanced medical devices. The course, EECS 598-008 “Medical Device Security” will teach graduate students in UMich’s Electrical Engineering and Computer Science program “the engineering concepts and skills for creating more trustworthy software-based medical devices ranging from pacemakers to radiation planning software to mobile medical apps.” It comes amid heightened scrutiny of the security of medical device hardware and software, as more devices connected to IP-based hospital networks and add wireless monitoring and management functionality. The new course comes amid rapid change in the market for sophisticated medical devices like insulin pumps, respirators and monitoring stations, which increasingly run on versions of the same operating systems that power desktops and servers. In 2011, the US Food and Drug Administration (FDA) reported that software failures were the root cause of a quarter […]

Making It Official

For those of you who have been regular visitors to this site over the past few months, this post might seem a bit strange.  I’m taking the opportunity today to officially launch The Security Ledger: a security news website dedicated to covering the rapidly expanding landscape of the IT security space. Yes – I know: Security Ledger has been publishing regularly since late August. But think of that kind of like one of Google’s interminable “beta” periods, in which you keep expectations low and shake out all the bugs before making it official. So what’s this all about? With help from our sponsors, Qualys Inc. and Veracode, The Security Ledger is dedicated to covering the vastly expanding cyber security landscape. As more and more elements of our daily lives join the “Internet of Things,” The Security Ledger offers original reporting and curated news from the front lines, including coverage of mobile devices, intelligent consumer […]

Rush Job: Oracle Releases Fix For Critical Java Bug

Oracle Corp. has rushed out an update for its Java Standard Edition software after malicious hackers jumped on a security hole in widespread, web-based attacks. Oracle released Java Standard Edition Update 11 on Sunday, less than a week after news first broke that cyber criminals had woven exploit code for the security hole into push button “exploit kits” that are for sale in the cyber underground. The update fixes CVE-20130-0422, and Oracle urged Java users to apply the update as soon as possible. Java technology powers billions of laptop and desktop computers, as well as smart phones and embedded devices. However, the platform has been the subject of repeated, critical security holes. Most recently, in August, Oracle was forced to rush out a similar update – Java Standard Edition Update 10 – in the face of similar attacks on another security hole.  Attacks using the exploit were reported to be […]

Lights Out For Java: Experts Say Turn It Off – And Leave It Off

Security experts from around the globe are warning Internet users to disable Java while browsing the web, after attacks using a previously unknown (“zero day”) vulnerability in Java began to surface, as part of multi-purpose “exploit kits” that are used to launch attacks from hostile or compromised web sites. The exploit works on all versions of Java 7, including update 10 – the latest release from Oracle, which now manages the Java technology, after acquiring it with the assets of Sun Microsystems, according to an analysis by the firm Alienvault, which said that the exact nature of the vulnerability wasn’t known because the exploit was heavily obfuscated to slow down security researchers. According to this report from Krebsonsecurity, the first word of the new exploit came by way of underground forums, where the administrators of popular exploit kits like Blackhole and the Nuclear exploit kits added the Java exploit as […]

Update: Plumbing Facebook, Researcher Finds Hole In Secure File Transfer Platform

Updated to include response from Accellion. 1/9/2013 A security researcher who was looking for vulnerabilities in Facebook’s platform instead stumbled on a much larger hole that could affect scores of firms who rely on a secure file transfer platform from Accellion. Writing on his blog on Monday, Israeli researcher Nir Goldshlager said he uncovered a security hole affecting Accellion’s Secure File Transfer service that could allow an attacker to take control of a user’s Secure File Transfer account with little more than the e-mail address associated with the account. Accellion Secure File Transfer is a service that allows enterprises to offer secure transfer and storage of large files (up to 100GB). In contrast to consumer-focused services like DropBox, Accellion offers comprehensive file tracking and reporting as well as data security features necessary to satisfy government regulations like HIPAA, GLBA, and SOX. Secure File Transfer is offered to companies as a private cloud, public […]