Category Archives: Security

Security related issues.

Software Cybersecurity Podcast

My friend Kevin Greene is devoted to improving the state of software security in the United States and he’s passionate about it. Kevin now has a regular podcast at FedScoop on cybersecurity insights and perspectives and it’s well worth listening to.

Choose Software Security

We recently got together and chatted about the state of cybersecurity today. In particular we talked about the “Internet of Things” (IoT) and my IoT Hall-of-Shame as well as static analysis in general. Kevin was instrumental in getting the Software Assurance Marketplace (SWAMP) setup and funded and we talked about our participation there as well.

‚ÄúProbably if we did a really great job [with software security], the rest of cybersecurity would be a whole lot easier.”

So have some fun and learn something useful about software security at the same time. Here’s where you can listen: FedScoop Cybersecurity Insights & Perspectives. If you have other topics you’d like to cover, let he and I know in the comments or on Twitter.

For more security info check out the security resources page and a few of these books can help.
Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development,

Platform Embedded Security Technology Revealed: Safeguarding the Future of Computing with Intel Embedded Security and Management Engine,

Software Test Attacks to Break Mobile and Embedded Devices (Chapman & Hall/CRC Innovations in Software Engineering and Software Development Series)

AutoSec Automotive CyberSecurity

parasoft car small
Last week with Alan Zeichick and I did a webinar for Parasoft on automotive cybersecurity. Now Alan thinks that cybersecurity is an odd term, especially as it applies to automotive and I mostly agree with him. But appsec is also pretty poorly fitted to automotive so maybe we should be calling it AutoSec. Feel free to chime-in using the comments below or on twitter.

I guess the point is that as cars get more complicated and get more “smart” parts and get more connected (The connected car) as part of the “internet of things”, you will start to see more and more automotive security breaches occurring. From taking over the car to stealing data to triggering airbags we’ve already had several high-profile incidents which you can see in my IoT Hall-of-Shame.

To help out we’ve put together a high-level overview of a 7-point plan to get you started. In the near future we’ll be diving into detail on each of these topics, including how standards can help you not only get quality but safety and security, the role of black-box, pen-test, and DAST as well as how to get ahead of the curve and harden your vehicle software using static code analysis (SAST) and hybrid testing (IAST).

The webinar was recorded for your convenience, so be sure and check it out. If you have automotive software topics that are near and dear to your heart, but sure to let me know in the comments or on Twitter or Facebook.

In the meantime, for more security info check out the security resources page and a few of these books can help.
Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development,

Platform Embedded Security Technology Revealed: Safeguarding the Future of Computing with Intel Embedded Security and Management Engine,

Software Test Attacks to Break Mobile and Embedded Devices (Chapman & Hall/CRC Innovations in Software Engineering and Software Development Series)

Internet of Things (IoT) Hall-of-Shame

A collage of various devices that not only can be hacked, but already have been.
A collage of various devices that not only can be hacked, but already have been.
As I’ve said before, the “Internet of Things” aka IoT has become the internet of hacks. More and more devices are being internet enabled, but security on the devices isn’t keeping up. Some vulnerabilities are difficult, but many of those that have been in the news seem to have been more from either lack of training or simply not prioritizing software security.

In the grand tradition of my SQLi Hall-of-Shame, I’ve decided to start creating a list of IoT hacks that have hit the press. The list is small but will surely grow. Please let me know if you’re aware of publicized hacks on IoT devices. If this doesn’t scare you then you’re not thinking about it enough. You should be running screaming to empty your bank account, buy an old pre-70s car, and smash your phones, thermostats, and other electronic devices.

I know the answer to this isn’t easy, but I’m hoping that at least you’ll spend more time thinking about it than you have. So take a look, and let me know in the comments, twitter, email, etc. when you hear about new ones I haven’t covered. You can view it at the IoT Hall-of-Shame.

IoT Security Resources

Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development,

Platform Embedded Security Technology Revealed: Safeguarding the Future of Computing with Intel Embedded Security and Management Engine,

Software Test Attacks to Break Mobile and Embedded Devices

IoT Security – A Contradiction in Terms

A collage of various devices that not only can be hacked, but already have been.
A collage of various devices that not only can be hacked, but already have been.

The internet of things aka IoT has become the internet of hacks. More and more devices are being internet enabled. While this makes many aspects of our lives easier it opens us up to a wide range of cybersecurity problems. From direct control of devices to lost of personal private data to actual control of the networks and computers in our homes and offices, the IoT is creating a security risk at a faster rate than it’s fixing them.

Vendors are driven to get items to market fast in order to make money. Along the way security is given short shrift, or all-too-often not even considered. After all, it’s only a light bulb, what’s the worst that could happen? The answer of course is a lot, and probably much more than you think.

Compounding this problem is the fact that consumer simply don’t like doing sysadmin work and maintenance on their hardware. It’s difficult enough to convince people to update their computers and mobile devices. Worse than that are things like keeping routers up-to-date. Way down everyone’s list of things to do is monitor all the smart devices in the house for CVEs (known vulnerabilities) in the national vulnerability database. Hardware manufacturers have to take this into account and put even more care into the software security for software embedded in internet enabled things.

Just for giggles in a scary sort of way, here’s a brief partial list of a few devices that have known hacks available for them. If this doesn’t scare you then you’re not thinking about it enough. You should be running screaming to empty your bank account, buy an old pre-70s car, and smash your phones, thermostats, and other electronic devices.

airbags,
Fitbit health bracelet,
Baby monitors,
VOIP phones,
road signs,
printers,
cctv cameras,
pacemakers,
kettles,
ATM,
USB,
USB-C port,
gas station tank gauges,
cars,
Blu-Ray discs,
light bulbs,
smartwatches,
CD players,
electricity smart meters,
thermostats,
SD cards,
mag stripe readers

Again, this list is only a (very) small subset of things that not only CAN be hacked but already have been. I may have to create an IoT Hall-of-Shame for this stuff to see if we can get better security going.

The scary thing is that many of these aren’t just access to the device itself, or even data from the device (which is already a huge privacy issue) but are gateways to attack other pieces of your network. Read more about the lightbulb and blu-ray hacks above.

Now the answer to all this isn’t easy, but I’m hoping that at least you’ll spend more time thinking about it than you have.

[Update 2015-11-24 – added link to Hall-of-Shame]
FYI – I just finally created a new Hall-of-Shame for IoT – you can view it at the IoT Hall-of-Shame.

Resources:

[Update 2015-11-23 – added resources list]