tv The Stream Al Jazeera December 1, 2014 3:30am-4:01am EST
3:30 am
world is a looming uncertainty. >> and a reminder that you can keep up to date with all the news on our website. the clashes in hong kong are the main story. aljazeera.com. >> my cohost is bringing in your feedback throughout the show. we have been talking about this all morning and feeling quite disturbed about it, this idea that just about anything can be hacked. >> very disturbing. it isn't like the simple days in the '80s where matthew broderick tapped into a computer and played tic-tac-toe. now they can hack into medical equipment. doctors on facebook are saying this is the first i am hearing of medical hackers. the idea of disabling equipment i use to keep patients alive, much less improve their health,
3:31 am
is frightening. even a millisecond of equipment failure can be the difference between life and death. >> that makes it all the more disturbing because it's been known about in larger circles for years and years and doctors and hospitals are still unaware. >> did you know about this? >> not until we started doing the show. that's why i have been freaked out since we started working on it. the next time you visit your doctor, think about this: your x-rays, drug dosages and even medical records could be controlled by an outsider. it's a scary thought, but according to a new study it's way easier than you might think. from the radiation level on your ct scan to defibrillators to ventilators and even refrigerators storing blood samples, hacking medical equipment is surprisingly simple, due to security loopholes that investigators say most hospitals don't even know about. the extent of what a hospital hacker can do is incredibly disturbing. they could take control of critical equipment during emergencies, or alter patient information in a physician's database, impacting that person's treatment.
3:32 am
earlier this month, the fbi warned health care providers about weaknesses in their cyber security systems that they say could make your health insurance data and medical records vulnerable to hackers. so clearly with great innovation comes great risk. as hospitals increasingly introduce digital technology into their services, are they prepared to ensure your privacy and safety? we have a great lineup of guests joining us to break down the topic. joining us on set is billy rios, the director of vulnerability research and threat intelligence at an information security provider. he has also worked on security issues for google and microsoft and notified the department of homeland security last year about the ease of manipulating medical instruments after hacking into them himself. and out of oakland, california on skype is kim zetter, senior reporter for wired magazine, covering cyber crime, privacy and security. thanks to both of you for joining us. so billy, this new study says that hacking into medical equipment is extremely easy and
3:33 am
the equipment is vulnerable. >> and we are talking about hacking into medical equipment. what does that really mean? what's going on? >> if you look at a modern hospital, it's an amazing facility. they treat patients there; it's probably one of the most intimate organizations that we can think of in the world. and in order to make themselves more efficient and effective, they have basically put all of their stuff online, put it on networks. so when you go into a hospital and you see a device or you see a doctor walking around, they don't have a paper chart anymore that tells you what the patient is ailing from or what their symptoms are. instead, everything is digital. and so that means not only is the ipad they are walking around with digital, but all the equipment that they are working with is digital as well. so the mri scanner doing the mri on you is connected to a network and feeding digital information to a centralized server someplace collecting the data. the pumps or monitors are doing the same thing. and this allows a hospital to collect the data on you so that they can do analytics that may find things that they would not normally have found through normal investigations, which is awesome. which is great.
3:34 am
innovation of technology. but it also introduces new risks, right, because all the devices are now on networks. >> if they are all interconnected in the hospital, if you hack into one thing does that mean you have gotten into all of it? >> what we have seen in real hospitals, you know, in the world basically, is pretty much that. so the devices are really fragile, and i think the latest study that we saw mentioned this as well. as soon as someone gets onto a hospital network, it seems like they're in a lot of trouble; the devices aren't resilient against attack. we have to keep people off the hospital networks, but it's a really difficult task, an extremely difficult task. now people are shifting focus to the devices themselves, asking ourselves basically how we can make these devices more resilient to attacks, because right now they are not. >> kim, between 2009 and 2011, we know that there were at least 181 malicious attacks on equipment at v.a. hospitals. you have been reporting on the ground on this. is it your sense that hospitals
3:35 am
are prepared to protect our security? >> no. you mentioned in your intro they aren't really aware of the problems here. security experts have been looking into these systems and the vulnerabilities in them for quite a long time. the hospitals themselves, you know, obviously their first priority is treating patients and not necessarily the security of their equipment or records, and so they don't understand the complexities of the networks and how easy it is to get into them. >> it's going to become one and the same, treating your patients and protecting them. >> the patients are the ones that are worried. that actually happened in a fictional episode of homeland. rosemary, as a nurse, says: >> now, billy, unleash your cyber geek.
3:36 am
guide us through the loopholes here, the security loopholes that would allow a hacker to bypass the security passwords and actually, you know, perhaps, if you will, change x-rays, medical records or drug infusion pumps. >> i actually brought in some equipment here. this is an infusion pump. if i were to look for vulnerabilities in a device like this, i'd just buy one, go to ebay, have it sent to your home. >> how much does something like this cost? >> a few hundred dollars. >> totally legal. >> totally legal. nothing wrong with it. the most important piece here, if you look in the back, there is a network connection. >> show that to dave. >> it's meant to be on the network. there is a network connection there. what you can't see is that on top there is also wireless connectivity. it connects to a wireless network. the first thing i would do is take it
3:37 am
apart. they are just really computers; it's the same as a laptop or desktop. >> what do you look for when you tear it apart like this? >> the main thing i look for is how it works, to understand how it works. and a lot of times what we discover when we do vulnerability research on a device like this, at the end of the day, after a couple of months, we probably understand how this device works better than the people that actually made this device. but specifically, what we are looking for are the chips, the firmware that holds the software, and that's the brain for the device, that tells this device how it's supposed to run. that's where we find vulnerabilities. we take the software off the chips and get it onto our computers, and that's when we start looking for bugs and vulnerabilities. >> and what did you find? >> a lot of different things. this is an important piece here: anyone can do this. i am just an individual, i bought this thing, you know, from an auction site. >> you glossed right over that. you are not going to tell me what the vulnerabilities are?
3:38 am
>> we did find a lot. this is an important piece: anyone can do this. right? and i know what they look like, and i won't talk about the specifics because i am writing a report that will be sent to d.h.s. on what they are. no one knows what they are except me. if i wanted to take advantage of the vulnerabilities in a hospital i would know how to do it. >> how do we know that somebody out there isn't doing the exact same thing you are? >> there could be. >> with a nefarious intention. >> there could be. the route i take is i usually tell dhs. in this case i'll tell dhs via a place that they have, ics-cert, the cyber emergency response team. i send my findings to them. since this is a medical device they have a channel with the fda. the fda will be notified, then the fda will notify the vendor and they start working on a fix. >> the wheels of government turn so slowly. this is the kind of information that you want back to the vendor very quickly. >> yes, exactly. >> do you get the sense that it
3:39 am
gets turned over rapidly? >> i think it does. the fixes do not get turned over very rapidly. so if we look at the historical, you know, context that we have for devices like this, it could take years for a software update to come out for a device like this. >> wow. >> so that's a big window, right? for any kind of device. so hopefully things move faster in the future, but right now it is a slow process. >> well, unlikely allies are teaming up to protect you from potential internet bugs. up next we discuss the crucial market for hiring hackers. their employers might surprise you. plus we'll speak to a scientist and hacker who just hacked his own body to treat a chronic condition a few days ago. hear his bizarre story next. ♪ ♪
3:42 am
we hope the stream never actually gets hacked, like that. but considering the conversation that we are having, i am beginning to believe that anything can be hacked. the least of it would be a tv show compared to medical devices. >> i am probably being hacked right now. so, you know, that's probably what's happening. you know, but please, hackers, we are nice and kind, so be our friend. >> if you are just tuning in, we are talking about the new ways that hackers are using their
3:43 am
skills, not always with malicious intent. one of the abilities they have is to identify security bugs or vulnerabilities that affect specific programs. they are making up to a whopping $160,000 per bug that they find. and you'll never guess who is buying: private businesses. in confronting the complex challenge of cyber security, companies are turning to this attitude: if you can't beat them, join them. the hackers-for-hire market is increasing in relevance, especially in the wake of the discovery of heartbleed and the internet explorer bug that just happened a week ago. our own government spent $25 million last year on acquiring these vulnerabilities. how effective is hiring hackers to protect the public from cyber attacks? joining us now is dan, chief scientist, a noted security researcher who has advised several fortune 500 companies including cisco and microsoft. he's also an experienced hacker. i want to get to the government and the industry work in a second.
3:44 am
but before the break, dan, we said that you hacked your own body to treat a chronic condition. what is that all about? >> well, we are kind of living in this incredible era around what's actually diabetes. this disease has become enormously expensive. it's hurting a lot of people. with the amount of investment going in, there is a lot of new technology. in my hands i had this little device by a company that actually gives me a real time feed of: this is your blood glucose level, from minute to minute. i have better monitoring on my body than i do on some of my servers, and it's really important, because this sort of technology is going to save lives. the challenge that we have with a lot of security is, yes, hackers come in and do some damage, but there are other sources of damage. there is just not knowing your blood sugar is too high or, more
3:45 am
importantly, too low until it's too late. so there are many ways a system can fail. medicine for the longest while has been optimized for: how do we deal with the random failures and the lack of information? a lot of people have died because handwriting couldn't be read. >> we are talking about this booming hacking market, lisa. and shawn says marketing critical software flaws should be a crime. walter says this isn't new; certain companies have been brokering underground hacking markets to government and .com companies for years, and in any case the middleman equals a big part of the problem. a good step might be to push them out, but that's as much on the researchers. kim, how does a person acquire the tastiest cyber goods, and how do i hook up with a broker? do they take a fee, a commission? what's going on? >> yeah, so there are a couple of ways that they are being sold. one is through third-party
3:46 am
companies, some defense companies, some private brokers and some individual researchers that sell to the government. the average hacker doesn't know how to make contact with the government, and may not get the government's attention if they find a vulnerability, so the broker introduces them, acts as liaison and takes a percentage of that. in terms of defense contractors, that's part of their business plan: to find vulnerabilities and sell them to the government. >> billy, business is booming right now globally for what hackers call the discovery of zero-day vulnerabilities. explain to folks what that means and why it's such a big industry right now. >> sure. so a zero-day vulnerability doesn't have a patch, so you basically can't defend yourself against it. you cannot go to microsoft or google and get a patch that protects you from that exploit. >> that means you have zero days to fix it; once they are in, they are in and you don't know it. >> zero days means there is no knowledge of it other than the people using it against you.
3:47 am
>> i read most zero-day vulnerabilities exist for 312 days on average before they are discovered. is that what your experience has led you to believe? >> it could vary. it depends on the system that you are looking at. the one problem with zero days is you don't know who has them, right? because no one knows about the zero-day vulnerability, only the people that have them or are willing to use them against people. and so you can't guess and say i think this person has five zero days; it doesn't work that way. that's the hard part of regulating. the twitter feed said we should stop this. it doesn't work that way. any person can get software and find vulnerabilities. those are zero-day vulnerabilities. whether we know that they have them or not, it's impossible to tell. >> speaking of vulnerabilities, you brought a small piece of equipment here, but it could have very significant impact. >> yeah. let me show you this. this is actually a chip that's part of the firmware for a device that does explosive detection.
3:48 am
>> like at the airport? >> exactly. >> they swab your hands and put it into a device, and this tells someone whether or not you have explosive residue on your hand. this chip is the brain for that device. the device is too big to bring into the studio. this chip is where the software is at. no one would know that i have this in my pocket and extracted the software off this chip and found vulnerabilities. no one would know that i gave the vulnerability report that i wrote for this particular software to dhs. no one knows that; those are zero-day vulnerabilities. if i decided not to tell dhs and gave it to someone else, who would know? only myself and the person i gave it to. that's the difficulty in regulating. >> there is now a bug bounty program, an unlikely alliance between corporations and hackers to find out these vulnerabilities, and erica says i think it's a great program but most companies that have these vulnerabilities don't offer the programs. how do you think bug bounty programs have influenced hackers who find vulnerabilities in software?
3:49 am
billy says i can't say for sure, but here are the possibilities: hack for cash, number two, exploit vulnerabilities, and number three, learn from exploits. now, dan, about these bug bounty programs, do you think they incentivize hackers to be good and ethical? >> absolutely. it's kind of a cynical quote, but not everyone wants to be a drug dealer, not everyone wants to go ahead and make things that blow stuff up. turns out to be true. this is historical. hackers have been selling these tools. offense came first and people were getting hit, who were like, how do we stop getting hit? how do we protect ourselves? so really starting in the 2000s, a lot of corporations started spending real money bringing in hackers as consultants and employing hackers to go ahead and build more effective defenses. you need hackers to fight hackers.
3:50 am
like you need soldiers to fight soldiers. you can't have people on the battlefields; there are bullets that move fast, gosh, they hurt when they hit. >> we have mercenaries with information out there, vital security information, and it's available to the highest bidder. that seems to be creating a very, very serious problem. something i want to talk about after the break is why there is such a lack of regulation, we
3:53 am
>> always have and always will, i hate to say. spies gonna spy; that's how the whole nation-state system works. what's changed is there are other buyers looking at defense. >> and what kind of buyers are we talking about? >> you know, the big thing with bug bounties is not that they don't pay as much as if you sold to somebody that breaks into networks; it turns out there are different aspects to defending versus robbing a bank, there are different amounts of cash to get back. >> and countries are getting involved with this too, right? >> yes. >> go ahead. >> i think it's important to understand this. buying and selling software bugs and exploits is actually not illegal. so if i wanted to sell a bug to someone, if i wanted to sell you a software bug and you wanted to purchase it,
3:54 am
we can do that here. you can do that as much as you want to. i can have a legitimate business that says i buy software vulnerabilities. >> what about the bug that disabled iran's uranium enrichment? >> it's not illegal. using it may cross legal boundaries, but buying and selling it is not. >> paul tweets in: like all tech that has preceded it, it will be integrated into warfare but not replace boots on the ground. kim, are we looking at skynet? is skynet online? is this the future of warfare? will it be cyber? explain the scenario to me. >> yeah, i think that, you know, the cyber armageddon will not happen. i think digital warfare
3:55 am
will become an element of future warfare, and it already is currently an element of present-day warfare. i don't think it will replace boots on the ground, but it will enhance the capabilities of militaries. >> so billy, i want to get back to the idea of bug bounties. if a company like microsoft is paying $150,000, that's a lot of money. but that's not going to compete with russia or brazil or any other major country that really wants this coding flaw. >> right. >> so one, it doesn't sound like the incentive is there for the hacker to go to a small company versus a country. but secondly, what is the incentive on the part of countries, particularly the u.s., to regulate this if they are engaged in it? >> i think these are very complicated questions. i actually disagree with dan in that i don't think bug bounties will sway someone to be a good hacker as opposed to a bad hacker. i think if you are a good hacker you give the bug to a bug bounty that's respected. you will take less money than
3:56 am
you would if you sold it on the black market. if the option didn't exist you probably wouldn't sell it on the black market anyway. but if all you cared about was money you would never consider an official bounty program by microsoft or google; you would just sell it on the black market for as much money as you could. >> what's the incentive for the government to regulate it if the government is buying it? >> i don't think the government can regulate it. it's not like we are buying widgets where you need certain materials; it's totally intellectual property. finding the vulnerability is intellectual property. you don't know someone has this until it's either used against you or they tell you that they have it. >> it makes it very difficult to regulate it. >> does the government have a responsibility to inform citizens that it's sitting on a software vulnerability? kaleb says yes, the government should warn citizens. what if $100 to $200 million in a bank account were hacked from a known flaw? it's only a matter of
3:57 am
time. kim, how much should the government inform the public when they discover a software vulnerability? >> it's being debated in the government right now. it's been a problem for a long time. the public hasn't been aware that the government is using zero days and sitting on flaws. heartbleed brought it forward when it surfaced that the nsa knew about it for two years. president obama instituted a new policy in january where he says these flaws will be disclosed to vendors to be fixed unless there is an urgent national security need to use it or a law enforcement need to use it. that leaves a lot of loopholes. i don't think the government has been very transparent about how they make the decision on what they will or won't disclose. >> you are shaking your head. >> there is such a thing as a bomb that is too big. a vulnerability that would be
3:58 am
very nice to use, but by the way, everyone else can use it, and oh, we sort of built our global economy on this technology. so people talk about the dual mission for offense; it is a dual mission, there is a defensive need as well. the united states national interest actually includes the economy functioning. >> okay, so billy, i want to back this off the big picture for a minute. because while everybody who is watching this i am sure is as disturbed as we are about the implications, ultimately you come back to yourself and you think, how do i protect myself? how do i protect my own equipment and where i am going online? how do i protect myself even in a hospital? what do you tell people? >> the first step is to understand what your exposure is, and that's different for every organization. when the government decides how they need to defend their
3:59 am
network, that's different than a person at home. understanding that is important. that's part of the reason we do the vulnerability research. we want to help organizations understand the risk. if medical devices are not robust, we want hospitals to know that. that way they can readjust their posture to make sure they take it into consideration when they are architecting their networks, deploying these devices and using these devices in critical situations. that's the first step. and it sounds really easy, but it's a hard step and that's the step that needs to be given the most thought. >> all right. thanks to all of our guests, billy rios, kim and dan. until next time, we'll see you online. ♪ ♪ ♪