Category: Industry Verticals

The PYPI Python Package Hack

Categories: Security, Tools

There is a brand new hack out there that has very quietly affected many people. Malicious developers uploaded packages with slightly misspelled library names to Python’s package index, PyPi. Prominent examples include urllib vs. urrlib3, bzip vs. bzip2, etc. These packages contain the exact same code as their upstream package, so their functionality is the same, but the installation script, setup.py, is modified to include malicious (but relatively benign) code. It is very similar to what happens when you type https://cnnn.com/ instead of https://cnn.com/.

Reference: you can read a pretty good discussion here: https://news.ycombinator.com/item?id=15256121

What does PyPi do exactly?

PyPi (Python Package Index) is a repository of software for the Python programming language. There are currently 117,189 packages hosted there that users can download. It is the default repository for Python developers around the world. If you want to install a common library, you use a tool called pip, which knows how to pull files down from PyPi.

What can you do about it?

1. Run this simple one-page Python script to check for bad packages. Ref: https://github.com/williamforbes/pypi_hacked_names

The output will look something like this in verbose mode:

[Screenshot: “pypi hacked list” – output from https://github.com/williamforbes/pypi_hacked_names]

2. If you don’t have any of the bad packages, then there is no problem. However, make sure you review all of your virtual environments and run the same script in each one.

3. If you do have a potentially compromised library, don’t use pip uninstall as it runs code in the package. Just go to the directory and delete the package.

That’s it! This is a very insidious attack. We will keep tracking this at PyPi to see if we can help protect users.
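The check above can be reproduced in a few lines. The script below is an added example, not the pypi_hacked_names script the post links to: it lists the distributions in the active environment, flags any name on a known-bad list, and additionally flags names that are one edit away from a package you trust (the pattern the post describes with urllib vs. urrlib3). Both lists here are constructed for the demo and must be replaced with a maintained list; the install-location helper supports the post’s advice to delete the directory by hand rather than run pip uninstall.

```python
"""Audit the active Python environment for typosquatted package names.

Added example; not the pypi_hacked_names script referenced in the post.
KNOWN_BAD and TRUSTED are constructed for the demo.
"""
import re
from importlib import metadata

# Constructed for this example: names the post cites as look-alikes.
KNOWN_BAD = {"urrlib3", "bzip"}
# Constructed for this example: packages you actually intend to have installed.
TRUSTED = {"urllib3", "requests", "numpy", "setuptools"}


def normalize(name):
    """PEP 503 normalisation so 'Urllib3', 'urllib-3' and 'urllib_3' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance; one-character slips are what typosquats rely on."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_suspicious(installed, known_bad=KNOWN_BAD, trusted=TRUSTED, max_edits=1):
    """Map each suspicious installed name to the reason it was flagged."""
    bad = {normalize(n) for n in known_bad}
    ok = {normalize(n) for n in trusted}
    flagged = {}
    for raw in installed:
        name = normalize(raw)
        if name in ok:
            continue  # exactly a package we expect; nothing to do
        if name in bad:
            flagged[raw] = "listed typosquat"
            continue
        for t in sorted(ok):
            if edit_distance(name, t) <= max_edits:
                flagged[raw] = f"near miss for trusted package '{t}'"
                break
    return flagged


def installed_names():
    """Distribution names in the current environment (importlib.metadata, Python 3.8+)."""
    return sorted({d.metadata["Name"] for d in metadata.distributions() if d.metadata["Name"]})


def install_location(name):
    """Directory to remove by hand, per the post's advice to avoid 'pip uninstall'."""
    return metadata.distribution(name).locate_file("")


if __name__ == "__main__":
    hits = find_suspicious(installed_names())
    for name, why in hits.items():
        print(f"{name}: {why} -> {install_location(name)}")
    if not hits:
        print("no suspicious packages found")
```

Run it once per virtual environment, as step 2 above says; the near-miss check is a heuristic and will produce the occasional false positive, so treat its output as a list to review, not a list to delete blindly.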

What should you do when your IIS server is hacked?

Categories: Security, Tips & Tutorials

Maryland Government Site Hacked By ISIS

On July 25th, 2017 multiple government sites were hacked by friends of ISIS according to Bloomberg’s Mark Niquette. It turns out that Maryland’s Howard County Website server was hacked.  The site was running IIS and had some critical vulnerabilities that were exploited. Ref: https://www.howardcountymd.gov/


First Things First… Don’t Blame Your Team

Your site was hacked. The first thing you naturally want to do is get angry. We agree that you should be angry, but not at your IT staff. The actors taking your site down are making your life difficult and have every tool in the world available to them. The deck is stacked against your in-house team, who have to juggle multiple issues, including the side job of training to maintain a cutting-edge cyber defensive capability on a limited budget. Meanwhile, the “hackers” of the world are running scripts against your servers 24/7, looking for any vulnerability that creeps in over time. Don’t blame your IT staff!

Move Fast

The first thing you should do is re-route your domain to a safe domain, like the fail whale. For more about the fail whale, please see this.

[Image: The Famous Fail Whale – what you show when your website is down]

With a temporary down page on display, you aren’t promoting ISIS’s propaganda, and you are free to get your site back online. Your other option is to kill the DNS name completely or shut the server down. This is exactly what Howard County did.


Restore

Hopefully, you have a decent recovery system in place and can restore your site from a previous backup. We recommend a full server rebuild (or re-image) and then reloading your content. It starts with a clean server with a trusted OS configuration, then IIS, and then your content.

Inspect

Review your logs to see if you can see how people are accessing your site.  We recommend publishing your IIS logs to an offsite file storage location as the records are created so you can see how potential hackers are entering your site and what commands they are running.
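Once the logs are somewhere the attacker cannot edit them, the review itself can be scripted. The following is an added example, not code from the post: it parses IIS W3C extended-format log text (the field list comes from the file’s own #Fields header) and raises three kinds of finding that a content site should not normally see: an HTTP method other than GET, POST or HEAD, a request served on a port other than 80 or 443, and a client that racks up repeated 404s, the signature of someone scanning for admin pages. The log excerpt is constructed for the demo and uses documentation IP ranges.

```python
"""Triage IIS W3C-format access logs for signs of probing and misuse.

Added example for the Inspect step; not a script from the post. The log
excerpt below is constructed: the field list mirrors a typical IIS W3C
header, and the client addresses are documentation ranges.
"""
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2017-06-25 17:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2017-06-25 17:00:01 10.0.0.5 GET /index.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 0 0 12
2017-06-25 17:00:02 10.0.0.5 GET /admin/login.aspx - 443 - 203.0.113.9 python-requests/2.18 404 0 2 3
2017-06-25 17:00:02 10.0.0.5 GET /wp-login.php - 443 - 203.0.113.9 python-requests/2.18 404 0 2 3
2017-06-25 17:00:03 10.0.0.5 GET /phpmyadmin/ - 443 - 203.0.113.9 python-requests/2.18 404 0 2 3
2017-06-25 17:00:04 10.0.0.5 PUT /uploads/page.aspx - 443 - 203.0.113.9 python-requests/2.18 201 0 0 8
2017-06-25 17:00:05 10.0.0.5 GET /status - 8080 - 203.0.113.9 Mozilla/5.0 200 0 0 4
2017-06-25 17:00:06 10.0.0.5 POST /contact.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 0 0 20
"""

# Policy for a plain content site: only these methods and ports are expected.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
ALLOWED_PORTS = {"80", "443"}
NOT_FOUND_THRESHOLD = 3  # this many 404s from one client looks like probing


def parse_iis_log(text):
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field list can change mid-file; honour the latest
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        else:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                records.append(dict(zip(fields, values)))
    return records


def analyze(records):
    """Return (reason, detail) findings that deserve a human look."""
    findings, not_found = [], Counter()
    for r in records:
        if r["cs-method"] not in ALLOWED_METHODS:
            findings.append(("unexpected-method", f"{r['c-ip']} {r['cs-method']} {r['cs-uri-stem']}"))
        if r["s-port"] not in ALLOWED_PORTS:
            findings.append(("unexpected-port", f"{r['c-ip']} port {r['s-port']} {r['cs-uri-stem']}"))
        if r["sc-status"] == "404":
            not_found[r["c-ip"]] += 1
    for ip, n in not_found.items():
        if n >= NOT_FOUND_THRESHOLD:
            findings.append(("probe-burst", f"{ip} produced {n} 404s"))
    return findings


if __name__ == "__main__":
    for reason, detail in analyze(parse_iis_log(SAMPLE_LOG)):
        print(f"{reason}: {detail}")
```

The thresholds and allow-lists are policy, not facts about IIS; tune them to what your site actually serves, and feed the script the offsite copy of the logs rather than the copy on the compromised host.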

Open Ports

Also, review your firewalls and look at which ports you have open. There is a chance that you left a port open that should have been closed. You should only have 443 and 80 open, and all HTTP traffic should be redirected to HTTPS.

Plan

The best way you can solve this problem is by building up your infrastructure enough so you could throw it away and restart in a few minutes.  Hacking happens, so you should plan for the inevitable.  Your solution should include building out a separate database from your CMS solution, a decoupled server, backed up file content, and of course a separate copy of your code on a server.  Your downtime should be in minutes, not hours or days.

Outsource

Get this off of your plate. Many hosting providers and service companies can handle your website extremely efficiently and at scale. Website hosting is a commodity and should be farmed out to keep your team focused on what it does best, like providing incredibly helpful information to your clients. Providers like liquidweb.com or azure.microsoft.com can take a huge burden off your team.

 


Alexa Push Notifications | When?

Categories: AWS, Development, Health, Tools

Eventually, Amazon will allow developers to deliver Alexa push notifications to their device. It is only a matter of time. This change, while seemingly subtle, will unleash an avalanche of innovations. Parents, imagine you are sitting in your kitchen and suddenly you get a report that your child’s bus will be at the drop off point in 3 minutes. Imagine eliminating time spent standing outside in the cold for a bus, simply by checking a phone interface. What if you could be notified when a storm is coming in your area?

The risk for abuse is real, but it is better off in the hands of the willing. All sorts of annoying advertising services will likely pop up. But for entrepreneurs and nerds like us, this is an exciting time.

Alexa Push Notification Work Arounds

Developers from all walks of life have opined on this topic. They have hacked together some incredibly creative solutions. Here are some of them:

From the Amazon Developer Forums

There has been some brain power expended to solve this without a clean solution from Amazon. It is left up to the reader to determine which is best. The approaches are:

Option 1: Developer Forum | Video

Option 2:  Hack |  Video

Timing Rumors

So far, there are only whispers of this capability on the internet.

Source: theinformation.com


Official Response

Here is the official response from Amazon developer services as of 15 Nov 2016.

Question: “I am a software developer and have read that Alexa may soon support push notifications to allow Alexa to trigger a conversation with a human instead of the other way around. Is this true and if so, when is it coming?”

Answer: From Amazon, as of 19 Nov 2016

I’m not sure where you read this, but unfortunately, we have nothing to announce at this time regarding this. I’d suggest keeping an eye on our official blog for any official announcements. 


Pillbox API. Does it Have Commercial Use?

Categories: Health, Industry Verticals, Innovators

“Working with innovators in the medical space, we are always looking for an edge we can give our clients when it comes to data sources. The PillBox API looks to really be innovative regarding this.” – Mark Majer @Bytelion

Introduction

Pillbox.nlm.nih.gov is a drug ‘cross referencing’ site. You can fill out certain aspects of a drug you have seen, for instance, color, shape, imprint, size, etc. and the site will (potentially) identify it for you. Pillbox’s API is publicly available for developers to build medication-related applications and services.  

Why does this matter to medical innovators?

The biggest problem we are trying to solve is helping people understand what their medications look like. It doesn’t sound like a big problem, but it actually is. As the world population ages and the number of medications increases, tools like this are going to be sought after. So far, no one is using this API to build a product on.

 

Who is Responsible for Pillbox?

The primary organization responsible for Pillbox is the National Library of Medicine. David Hale has worked tirelessly over the years to ensure that data fidelity is as high as possible. The National Library of Medicine also works with the Food and Drug Administration, the Department of Veterans Affairs and pharmaceutical companies to make sure that drug labeling is accurate.

How it Works

Query Example:
    Imprint: 3759
    Shape: Triangle
    Color: White

Returned Result:
    {Image of example pill}
    Name: Lisinopril – Lisinopril 10 MG Oral Tablet
    Ingredient(s): LISINOPRIL
    Imprint(s): 3759; I

Potential Issues

The first thing on Pillbox’s developer page is the following disclaimer: “Pillbox’s source data is known to have errors and inconsistencies.” The problem arises: how can developers build anything reliable/trustworthy with this API?

As stated above, the Food and Drug Administration, National Library of Medicine, and pharmaceutical companies are working on improving the reliability of the product. As they develop the API so too shall the products built on them evolve.  For now, the companies which have employed the use of the API have created workarounds for issues that may arise from the damaged areas of the API.

Is the project dead?

We have reviewed the source for several repositories. While we have seen fits and starts, we have not seen a public-facing, focused effort to deliver working software.

GitHub Project HHS

GitHub has a project dedicated to creating a Pillbox engine, a “local web-based application for downloading and management of DailyMed SPL Data.”

Although a significant amount of work was accomplished, the project fizzled out at the beginning of 2015. You can reference it here. https://hhs.github.io/pillbox/

No one is using this data in a commercial product from the Pillbox API.

Possible Innovators

Home Nursing

Looking after the elderly/sick is a difficult task, which is much easier with a knowledge of medicine. If one were seeking to savvy up the Home Nursing industry, it would be worthwhile looking into Pillbox. Using the API, any confusion involving mixed up medicines or which drugs may be taken simultaneously etc. can easily be resolved.

Law enforcement

Law Enforcement is a difficult task, but hey, that’s what software is for! Cops that may have found suspicious drugs would have use of an app/device which utilizes the API to verify whether the suspicious pill they have found is actually ‘medication.’

Medical adherence systems

Drugs do not tend to get mixed up frequently for those at home because they are labeled and organized in containers. But who knows what you may take with those drugs? Can you take ibuprofen with it? Maybe you did mix up your containers, and you need to verify if you need to take the small white rectangular one or the small white circle one! Once again, Pillbox API to the rescue. A relatively straightforward app could verify all of this information. A more complex app may even be able to create a schedule with reminders based on the logged drugs.

Have any questions or comments? Feel free to email us at info@bytelion.com