The worst case scenario that I can think of, which is 100 percent possible with these devices, would be to load a compromised firmware update onto a programmer and ... the compromised programmer would then infect the next pacemaker or ICD and then each would subsequently infect all others in rangeBarnaby Jack
The exploit took advantage of a "secret function" that would activate all devices in range, and return model and serial number information. "With that information, we have enough information to authenticate with any device in range," Jack said. While reverse-engineering the transmitter terminal he found there was no encryption or obfuscation and even found user names and passwords that appeared to be for the manufacturer's development server.
He was able to show the technique in action via a demonstration video, that could not be released publicly in-case it was possible to identify the manufacturer. He hopes that the demonstration would spur manufacturers to correctly secure such devices, "sometimes you have to demonstrate the darker side," he said.
(i) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (ii) any storage of such communication by an electronic communication service for the purposes of backup protection of such communication.Stored Communications Act
In a case decided on Wednesday 10th Oct 2012, the South Carolina Supreme Court ruled that accessing someone's online e-mail without their permission doesn't violate the SCA. The justices decided that emails left on the server/cloud didn't fall under the SCA because it constitutes 2 components, the storage clause (i) and a purpose clause (ii). Since there were no other copies of the emails, they weren't considered as backup and thus fail to fill the purpose clause.
While this case deals with a fairly narrow subsection of the SCA - what constitutes electronic storage - it's yet another example that the Stored Communications Act needs more judicial review at the very least, and possibly an entire overhaul.
Woodrow Hartzog, a professor at the Cumberland School of Law at Samford University, still pointed out that in a case like this, there could still be federal liability under the Computer Fraud and Abuse Act.
...this is an issue that really calls out for U.S. Supreme Court review. Internet providers often have a national customer base. A provider in one state or circuit can have millions of customers in any other state or circuit. Given the national customer base, any disagreement among lower courts causes major headaches: ISPs don't know which rule to followOrin Kerr, Fred C. Stevenson Research Professor of Law
The ruling is the first step in a larger case against a company called Innovatio IP Ventures. Who have accused various businesses that offer WiFi services to the public of infringing 17 of their patents. Innovatio wanted to use packet sniffing techniques to gather traffic to use as evidence. The firm was concerned that doing so might violate federal laws, so sought a preliminary ruling.
Innovatio is intercepting WiFi communications with a Riverbed AirPcap Nx packet capture adapter, which is available to the public for purchase for $698.00. A more basic packet capture adapter is available for only $198.00. The software necessary to analyse the data that the packet capture adapters collect is available for download for free. With a packet capture adapter and the software, along with a basic laptop computer, any member of the general public within range of an unencrypted WiFi network can begin intercepting communications sent on that network. Many WiFi networks provided by commercial establishments (such as coffee shops and restaurants) are unencrypted, and open to such interference from anyone with the right equipment. In light of the ease of "sniffing" WiFi networks, the court concludes that the communications sent on an unencrypted WiFi network are readily available to the general public.Judge Holderman
The practice of sniffing packets from an unencrypted network needs special software, such as Wireshark, and a computer to connect a packet capture device like the Riverbed AirPcap Nx. Although the judge states that such devices cost between $198 and $698, similar products can be purchased for as little as $10 from well known online retailers.
If you capture the flag, you'll get a special-edition Stripe CTF t-shirt. So it's worth giving it a go.
Head over to Stripe.com for more information.
Start: Wednesday, August 22nd, 2012 at 11:59 AM PDTStripe
End: Wednesday, August 29th, 2012 at 11:59 AM PDT