Good news! The missing security certificate has been applied and you need no longer fear visiting the Green Comet website. I scolded them for their lapse and they promised that it would renew automatically next time. No harm done, I hope.
You might be wondering why Green Comet is reported as an insecure website even though it has gone SSL and has that reassuring “https” up there in the address. (Note the yellow triangle superimposed over the image of the lock.) There is no conflict in those two facts. Green Comet is secure and if you were to use a password to log in it would be encrypted. Your precious data would be hidden from that sneaky man-in-the-middle who apparently goes skulking about the internet stealing that information.
While the Green Comet website is secure, though, some of the links on it might not be. An image might link to an original on an unsecured website, for example, or any of the links on the page might start with “http” instead of “https.”
Here’s what it looks like when there are no insecure links on the webpage. (Note: these pictures are taken using the Firefox web browser. Other browsers have other ways of indicating whether or not a web page is secure.)
So, do not fear. Your secrets are safe on Green Comet.
There are strict regulations for computing devices installed in our cars. Even stricter if they go into airplanes. Implantable devices that go in our bodies apparently don’t have the same level of protection. The manufacturers like to keep the details secret to protect their “intellectual property,” so in most cases we don’t even get to know exactly what is going in there. If there are any problems with security, they like to keep quiet about it to protect their reputation. If an outside researcher discovers a problem, they don’t want to hear about it.
More often than not, the response to the disclosure of a security vulnerability is not a gracious, “Thank you.” It is an impulse to punish. The ethical hackers who find and report flaws are often sued or arrested. It’s as if they’d rather hide the problem than fix it.
Fortunately, that seems to be changing.
This summer, the Food and Drug Administration warned hospitals to stop using a line of drug pumps because of a cybersecurity risk: a vulnerability that could allow an attacker to remotely deliver a fatal dose to a patient. SAINT Corporation engineer Jeremy Richards, one of the researchers who discovered the vulnerability, called the drug pump “the least secure IP enabled device I’ve ever touched in my life.”
There is a growing body of research that shows just how defenseless many critical medical devices are to cyberattack. Research over the last couple of years has revealed that hundreds of medical devices use hard-coded passwords. Other devices use default admin passwords, then warn hospitals in the documentation not to change them.
A big part of the problem is there are no regulations requiring medical devices to meet minimum cybersecurity standards before going to market. The FDA has issued formal guidelines, but these guidelines “do not establish legally enforceable responsibilities.”
Go to the Motherboard article for the full story.