Software implication in pharmaceutical production
How lives can be at risk and the implication of governments

I was talking with one of my coworkers. He was talking of one of his friend that works has a software developer for a company that develop products for drugs pills quality control in the pharmaceutical industry. He tells me that they had some problem with their production. They had many in deep bugs and architecture misconceptions. The result is the inefficacity of their product (we’ll call it: PhaQualCon) that lead to the apparition of false results. They have an abnormal level of false results; but the product is already used by pharmaceutical manufacturers. It seem a normal software development problem with normal consequences on the product. It’s possibly the problem of many technological projects (and probably all type of projects). My co-worker was saying that pharmaceutical companies have a threshold of false results not to exceed. The problem is that they can accept, refuse and remake some production tests to degrease their false results average. By this practice they can change some numbers to make them acceptable. So, this is not illegal in itself but I don’t think that this is really fair. I don’t know how the pharmaceutical industry work, but I can imagine that this is normal procedures and habits.

So the problem that I saw is not there. He is in the fact that these manufacturers rely on some type of quality control machines to know the average number of pills that are not conform to the specifications and then give these production test results to the government to make their production accepted. The machine not only counts this statistic but also discards or keeps pills. They rely on products such as PhaQualCon and they know that they aren’t trustable. Some manufacturers stopped their contract with the company but others don’t. Globally the production quality of drug pills relies on some piece of software that controls some type of hardware. The question is: What can stop pharmaceutical companies to pay the developer company of PhaQualCon to “add bugs” in their software to help them to have acceptable production quality tests accepted by the government? If they get cough, they have only to say that the problem is the result of a software bug and that this is not their fault. The company that develop PhaQualCon don’t seem to be supervised by some governmental agencies. They don’t have accounts to give to anybody. If their bad product is accepted by pharmaceutical manufacturer then he will be used to classify drugs pills for me and you. If such regulation exist and that the developer of PhaQualCon have accounts to give to some government, what ensure that the software have not been modified to adapt to the “exigencies” of the pharmaceutical manufacturer? If such a system (probably some type of certification) exists, will the certified system be reviewed monthly, quarterly, annually?

There are many questions on the subject. I think that this is our duties to ask them. Why? Because drugs can put lives of people at risks if drugs pills aren’t really exactly what they are supposed to be.

New Canadian dollars
A possible psychological security treat

A month ago we got our new Canadian 20$. I just get my first some days ago. I was just checking it since then. This is a really beautiful piece of work. Many flashy features and probably one of the securest money on earth. While checking it, I had an interrogation by remembering what some peoples say about it. Check out his accessibility features. One of them consists of a series of symbols formed by raised dots separated by a smooth surface to help blind people. The problem is that many people think that this is a security feature.

To understand the treat you need to have in mind that people will usually rely on only one simple security feature to discover if the bank note is a real one or a counterfeit. It’s normal that they’ll not check every security measures. If they think that the raised dots is a security feature of the bank note, and also think that this is a simple feature to check, he’ll rely on it to discover the validity of the note.

The problem is that this feature is really easy to forge; anybody can do it. So, if you counterfeit money, add this ‘security feature’ and give it to seller that rely on this feature; you’ll be able to pass it for real money and your goal will be reached.

Another inconvenient is that these dots will eventually disappear. If you have a legitimate 20$ with erased dots and that the seller think that this is a false one because the dots are not present then you’ll have some inconvenience because he’ll not accept it as legitimate and he’ll possibly call the police.

Finally, another time, the only way to erase the treat is by educating people specially them who manipulate a great load of money in their work.

Urban Legends on security
What technology neophytes can think

Last week a came around an interesting “study” done by Secure Computing. What is interesting is to see what people can think about things that they don’t really understand. In many cases it’s probably the Arabic telephone effect that create such monstrosity. If I have one suggestion to say; it’s to read them and discuss about them with persons in your entourage that may think that these urban legends can be true. Remind that one of the best security practice is education; anybody can do it.
There is the list published by Secure Computing:

1. “Hackers can legally break into web sites that lack “warning” notices.”
2. “Some Windows system files are really malicious and should be deleted.”
3. “Hotel card keys secretly record personal information, which could be maliciously taken advantage of without the person knowing.”
4. “Including a fake entry in your e-mail address book will prevent e-mail Trojans.”
5. “A digital cell phone can be infected with a virus merely by answering a phone call.”
6. “Search engine “crawlers” perform security checks and notify you of vulnerabilities.”
7. “Thieves are using lists of “out of office” auto-replies to target homes for burglary.”
8. “Free patches e-mailed to you will protect your PC from the latest worm or viruses.”
9. “Signing up with a “Do Not Spam Registry” will stop you from getting spam.”
10. “Elf Bowling and Blue Mountain Greeting Cards contain viruses.”

Enjoy them, laugh at yourself and think that many people can think that they are real possible treats. Just keep in mind that the situation is normal, otherwise urban legend wouldn’t exists. Then if you’re not sure about a thing that a person tell you; just do some research on a trusted web site and you’ll be able to assess the treat by yourself.

What if?
The game to learn on yourself in special situations

A good way to learn things on yourself in special situation is by playing the “What if?” game. The purpose of the game is to imagine you in special life situations.

The first thing that you need to play at this game is a trigger event. This can be an event on the street that you see; a special scene in a movie; while discussing with another person; while watching news; etc. Then you ask yourself: what I had done in the same situation? Then you think of you in the same situation. What you can do in same the same hypothetical situation with your talents and abilities. You can think of many things, some wonderful, other surrealist. The important is that you think of yourself in the situation. Then you’ll play with your thoughts and learn by the process.

Why to play at this game? The answer is simple. Human learns by experience. He can get his experience by practice, reading, observation and in our present case by thinking. This is a really healthy exercise that can let you learn many things on your own personality. Plus it can help your to react more rapidly in certain special situations that can happen in you everyday life. Try it. It can be really funny. You can easily play at it anytime, alone or with a friend.

Do not give power to your foes
The principle of information pipeline

Many say that information is power. Then, why do you give power to your foes? Is that your wishes? There is the idea being this article: cut the information pipeline of to your enemy to prevent you greater harm.

Do not help your attackers gathering information about your network. The first step of an attack is the reconnaissance of the playground. It’s done by social engineering, physical site reconnaissance, internet search, network mapping and DNS reconnaissance. After they map their target by war dialling, network mapping (ICMP), port-scanning and vulnerability scanning.

If you cut their sources of information they’ll not easily be able to go through these first essential steps. The principle is the same as in personal self-defence, if you look self-confident, attentive and aware, most of your possible stalker will watch for another target; they don’t need to get in trouble with you; they need an easy pray; a pray that they can hunt easily. The same principle is present here; if the first steps of an attacker are hard to get troughs, most of the attackers will try to find another, more easily penetrable system. Sure that there are exception, if your attacker is searching challenge and not profit (money or peer acceptance), you’ll probably fit his prey pattern and get stock with him.

You need to always have in mind you goal. Your goal is to limit the information that attackers can gather from your organisation, his personal and your network. By remembering this goal, you’ll probably be able to find what your information leaks are and how to prevent them. There are some examples:

• Your attacker can bring much information by looking at your garbage containers.
o You can hire a specialised garbage collector that will destroy your garbage’s. (Just ensure that the company is trustable).

• Your attackers can bring information on your employees for further social engineering tricks.
o You can try to limit the information about your employees you put on the internet. (Example, by not putting your employees’ contact book.
o You can teach your employees to be aware of this situation; how attackers do this type of attack on them.

• Your attacker can map your network by ICMP querying.
o You can block the ICMP echoing of certain critical part of your network.

• Your attacker can do banner grabbing to try to know which program deliver a specific service (example sendmail for SMTP).
o You can choose a product where you can alter or delete the banner when a session is open (a banner is a signature sent by a software generally when a connection is attended).

• Your attacker can try to guess your firewall rules with a TCP ACK scan.
o You can also choose a firewall that store the stage of his connection to refuse the ACK response packet.

• Your attacker can use packet fragmentation options to do his scan to stealth the scan attempt toward the firewall and IDS (old ones)
o You can use a firewall or IDS that refragment packets before analysis.

These examples are obvious. However, the goal isn’t to do an exhaustive checklist of what to do, but to give you some example that will help you find information leaks about your company.

What’s important here is to always have the principle in mind. How to implement this principle in the everyday life of your enterprise is another question but you have some leads here.

Enjoy the principle, the lecture and feel free to add your stone to the foundation.