Tag Archives: Security

GPS implementation flaw allows hackers to “intercept, spoof, or jam”

Interesting article about how GPS has been applied as a communication mechanism beyond transport, to the monitoring and management of SCADA systems and of regions without internet connectivity. The researchers highlight that the implementations by integrators have not deployed any kind of security that would prevent creative attackers from manipulating the data flows:

the Simplex data network that Globalstar uses for its satellites doesn’t encrypt communication between the tracking devices, orbiting satellites, and ground stations, nor does it require the communication be authenticated so that only legitimate data gets sent. As a result, someone can intercept the communication, spoof it or jam it.

“The integrity of the whole system is relying on a hacker not being able to clone or tamper with a device,” says Moore. “The way Globalstar engineered the platform leaves security up to the end integrator, and so far, no one has implemented security.”

via This security flaw allows hackers to “intercept, spoof, or jam” GPS tracking communication.
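The quoted passage makes two separate points: the link is not encrypted, and it is not authenticated, so a receiver has no way to tell a legitimate tracker report from a cloned or altered one. As an added example (my own code, not from the article, Globalstar, or the researchers), here is the receiver-side check an integrator can put on top of such a link: a per-device HMAC over the message plus a sequence counter, so a tampered or replayed report is rejected. The device key, device ID and message layout are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed for this example: a per-device secret an integrator would
# provision at manufacture time and hold server-side. Real deployments keep
# these in a key store, never as a literal in code.
DEVICE_KEYS = {"tracker-0001": b"constructed-demo-key-not-for-real-use"}


def canonical(device_id, seq, payload):
    """Deterministic byte encoding of the fields covered by the tag."""
    doc = {"id": device_id, "seq": seq, "p": payload}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def sign_message(device_id, seq, payload):
    """Device side: attach an HMAC-SHA256 tag computed with the device key."""
    key = DEVICE_KEYS[device_id]
    tag = hmac.new(key, canonical(device_id, seq, payload), hashlib.sha256).hexdigest()
    return {"id": device_id, "seq": seq, "p": payload, "tag": tag}


class Receiver:
    """Ground-station side: accept only authentic, fresh reports."""

    def __init__(self):
        self.last_seq = {}  # highest sequence number seen per device

    def accept(self, msg):
        """Return (payload, 'ok') or (None, reason) for a rejected message."""
        key = DEVICE_KEYS.get(msg.get("id"))
        if key is None:
            return None, "unknown device"
        expected = hmac.new(
            key, canonical(msg["id"], msg["seq"], msg["p"]), hashlib.sha256
        ).hexdigest()
        # Constant-time comparison so the tag check itself leaks nothing.
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return None, "bad tag"
        # A sequence number at or below the last accepted one is a replay.
        if msg["seq"] <= self.last_seq.get(msg["id"], -1):
            return None, "replay"
        self.last_seq[msg["id"]] = msg["seq"]
        return msg["p"], "ok"


def demo():
    """Run a genuine report, a tampered copy, and a replay through the receiver."""
    rx = Receiver()
    genuine = sign_message("tracker-0001", 1, {"lat": 37.78, "lon": -122.42})
    genuine_result = rx.accept(genuine)[1]

    # Same tag, altered position: the tag no longer matches the content.
    tampered = dict(genuine)
    tampered["p"] = {"lat": 0.0, "lon": 0.0}
    tampered_result = rx.accept(tampered)[1]

    # The original, unmodified report sent a second time.
    replay_result = rx.accept(genuine)[1]

    # A later report with a higher sequence number is still accepted.
    later = sign_message("tracker-0001", 2, {"lat": 37.79, "lon": -122.41})
    later_result = rx.accept(later)[1]

    return {
        "genuine": genuine_result,
        "tampered": tampered_result,
        "replay": replay_result,
        "later": later_result,
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC covers authenticity and integrity only; confidentiality needs encryption of the payload on top (an AEAD such as AES-GCM would give both in one step), and jamming is a physical-layer problem that no message format addresses.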

Given the number of unsecured communication platforms, from drones to IoT, this problem is probably easily repeated across a broad range of consumer and commercial situations.

Best,

James

Author of How Not To Be Hacked

Copying access control cards is easier w/ $10 device being released at BlackHat 2015

Proximity access cards are no more secure than a standard key, and are easily replicated with a $10 (soon to be released) tool. This was shared on ZDNet and with Motherboard. I have highlighted two key sections below; for those interested in greater detail, definitely check out the article. If you are lucky enough to see the presentation live at BlackHat, that will surely be better.

While RFID technology can help secure enterprise offices in this way, the ease in which these access controls can be hacked has hit the spotlight in the form of a tiny device which costs only $10 to make.

Researchers Mark Baseggio from security firm Accuvant and Eric Evenchick from Faraday Future are the developers of the Bluetooth Low Energy device (BLEKey), a coin-sized device which skims RFID cards, allowing users to clone items such as access cards. The team says the release of the tool is “valuable for understanding the risks associated with insecure access controls and what steps companies can take to lower the risk of access control attacks.” – ZDNet Article

I would raise the point that these attacks can now be done so easily that one must ask whether the “control” in physical access control can be fully trusted from a third-party assurance perspective, an industry perspective such as PCI, or a risk management perspective. One could argue that cameras support this protection, but those are only consulted after damage has been discovered and are insufficient for all of the stakeholders involved.

“We wanted to create a device that would concretely and absolutely show and hopefully put the final nail in the coffin that is HID prox and Wiegand. These devices are no more secure than a standard key.” – Motherboard, Baseggio

The difference, though, with a ‘standard key’ is that it takes some crafty spy work to make a copy without the owner being aware. To copy an HID card would take only seconds – at a gym, lanyards left at a desk, etc …

Glad the research cycle is exposing these risks and looking forward to creative approaches to counter it.

James

p.s. My new book – How not to be hacked is available and is PERFECT for your family and friends who keep getting smashed by online criminals, malware, and account hijacks!

Moving forward: Who cared about encrypted phone calls to begin with…The Great SIM Heist


TOP-SECRET GCHQ documents reveal that the intelligence agencies accessed the email and Facebook accounts of engineers and other employees of major telecom corporations and SIM card manufacturers in an effort to secretly obtain information that could give them access to millions of encryption keys.

-The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle.

This news made a number of people upset, but after studying it for several weeks and trying to consider the macro effects on regular end users and corporations, I have reached a contrarian point in my analysis.

Who cared? Nobody (enough)

Sure, the implications are published and known, but who ever considered their cell phone an encrypted and secure mobile device? I don’t think any consumer ever had that feeling, and most professionals who WANT security in their communications use special precautions – such as the Black Phone.

So, if nobody expected it or demanded it, and the feature was primarily used to help billing, then what SHOULD happen moving forward?

  • The primary lesson here is that our assumptions must be revisited, challenged, valued, and addressed at the base level of service providers
  • Second, businesses that depend on such safeguards (if they ever did, for instance on encrypted mobile device communication) must pay for them

I would be interested in others’ points of view on the lessons forward. I have spent a good deal of time coordinating with leaders in this space and believe we can make a difference if we drop the assumptions and hopes, and focus on actually effective activities.

Helpful links on the Black Phone by SGP:

Mapping the Startup Maturity Framework to flexible information security fundamentals

After over a decade of working with startups and private equity, and over the last 5 years of deep big 4 client services acting in different executive roles (CISO, CIO Advisor, Board of Directors support), I am certain there is a need for, and a lack of implementation of, information security adapted to the size, maturity, and capabilities of the business. This applies independently to the product and to the enterprise as a whole. To that end, I have begun building models of activities to match each level of maturity, to try and bring clarity or at least a set of guidelines.

As I share with my clients … in some cases a founder is deciding between EATING and NOT. So every function and feature, including security habits, must contribute to the current needs!

I have begun working with several partners and venture capital firms on this model, but wanted to share a nice post that highlights some very informative ‘Patterns in Hyper-growth Organizations’ and what needs to be considered (employee type, tools, etc.). Please check it out, and I look forward to working with the community on these models.

A snippet on her approach and great details:

We’re going to look at the framework for growth. The goal is to innovate on that growth. In terms of methods, the companies I’ve explored are high-growth, technology-driven and venture-backed organizations. They experience growth and hyper-growth (doubling in size in under 9 months) frequently due to network effects, taking on investment capital, and tapping into a global customer base.

Every company hits organizational break-points. I’ve seen these happening at the following organizational sizes:

via Mapping the Startup Maturity Framework | Likes & Launch.

The “appearance of trustability” on foo.Github.io

GitHub is an awesome repository system that is very popular. Basically, if you want to work on something (code, a book, electronic files) and then allow others to freely make suggested modifications (think track changes in a Microsoft Word doc), GitHub is the new way of life. I have used it for publishing a book, writing code, and taking a Python course online, and others are using it at scale to produce some of the fantastic tools you see online.

I recently saw a post (included below) that clarified how their encryption was set up. Basically, encryption allows you to confidentially send data to another party without the fear of others intercepting, stealing, or modifying it. It appears, though, that for foo.GitHub.io they are presenting the appearance of encryption but in fact do not have it end to end, meaning the actual files are sent in the clear for part of the path.

This is a problem in our structure of security and compliance. Today we have regulations and industry standards that are designed to prescribe specific security safeguards and levels to ensure a baseline amount of security. If organizations don’t meet the true intent of the regulations, do only enough to pass inspection, and create an environment that is susceptible to basic attacks, the users (you and me) are the ones who suffer.

While it is disappointing for an organization to set up something that clearly creates false trust and checks a box, it is more a call to action for those who operate these systems to take pride in the services they are delivering. Much as Steve Jobs desired the insides and outsides of a system to be done correctly, the security of an organization should not just look right but be right.

We must do better as owners, operators, and security professionals. Trust depends on indicators and expectations being met, and to violate that begs the question… what else is being done in the same manner?

“cben” comment on the github.com issue post, quoted below:

Turns out there is no end-to-end security even with foo.github.io domain. Got this response from GH support (emphasis mine):

[…opening commentary removed…]

While HTTPS requests may appear to work, our CDN provider is adding and removing the encryption at their end, and then the request is transmitted over the open internet from our CDN provider to our GitHub Pages infrastructure, creating the appearance of trustability.

This is why we do not yet officially support HTTPS for GitHub Pages. We definitely appreciate the feedback and I’ll add a +1 to this item on our internal Feature Request List.

via Add HTTPS support to Github Pages · Issue #156 · isaacs/github · GitHub.

Best,

James

Amateurs Study Strategy; Experts Study Logistics – Battlefield Leadership series

In the business world, the military analogy “Amateurs study strategy; experts study logistics” emphasizes what matters beyond the initial success of a surge effort. Specifically, in relation to D-Day, the analogy shows the importance of establishing a port to provide fuel, reinforcements, ammunition, food, and supplies to the troops. The initial Normandy invasion of 135,000 troops required the landing of 15,000 tons of supplies a day, and as the presence increased so did the supplies. Thus, the Allies were forced to secure a port.

The Allies chose to build two ports and bring them to the coast of Normandy. This allowed them the opportunity to establish a port at an area that was not heavily fortified (the Germans defended port locations closely). This out-of-the-box thinking allowed the Allies to achieve the objective and support the ongoing mission on land.

Business Reflections…

The importance of innovation and ability to think beyond the traditional structures is sometimes the only pathway to success. Think about Uber, Amazon, and other disruptive methods of transacting business. Each approached the same objective (black cars, books for reading), but achieved the ‘big picture’ in a manner not conceived viable by the incumbents.

The key elements to achieve innovation from lessons at Arromanches:

  1. Focus on the objective and not the details on ‘how.’ This allows for iterations on methods while maintaining the continued support structure.
  2. Establish a team with a leader to drive the innovation. The team should be organized differently than the primary organization. This was done in Britain and allowed the Skunkworks group to succeed. The Skunkworks failed the first time and were reorganized into a new team to finally reach success.
  3. Plan redundancy. Two Allied piers were built. One of the piers was destroyed by weather (an identified risk), but luckily one was still standing and supported the logistics for many months.
  4. Demonstrate success capability through detailed analysis. To allay counter arguments, it is necessary to present a clear and evidence-supported case proving how the solution will be successful.

The Supply Chain

Here are a few generally obvious but necessary statements on the make-up of a supply chain. The service of the business and the delivery of product depend upon the inputs. These inputs are as important as the final work product. Failure to receive any input, or damage to an input, will lead to failure in the market. Each input must meet the integrity, quality, and security standards of the product it seeks to become.

Suppliers need to possess integrity to ensure the inputs are not damaged, sabotaged, or fraudulent. The reliability and availability of the inputs need to be vetted with redundant providers, and consideration of every part of the delivery channel is key. For instance, regarding a cloud service provider hosting data: what are the ISPs, routers, equipment, regional laws, etc. that affect the delivery of such a service?

A business must be able to achieve entry into a market category and sustain it! It is not enough to put a toe in the water; rather, a business must sustain the patience and capability to grow in the market. Success is achieved through building scale into the business architecture and forming teams that are innovative and strong enough to become the senior management and leads.


What is Battlefield Leadership and what is this series about … 

This is the fifth paper in this series. As part of my pursuit to learn and grow, I sought out the excellent management training team at Battlefield Leadership. I am professionally leveraging this across multi-million dollar projects I am overseeing (currently I am the lead executive building global compliance and security programs specifically in the online services / cloud leader space). Personally, I am bringing these lessons to bear within my pursuits to cross the chasm. Too often I see brilliant technical individuals fail to communicate to very smart business leaders and to the common person on the street. My new book, How Not to be hacked, seeks to be a first step in bringing deep information security practices beyond the technologist.

Most exciting, the Battlefield group placed this training in Normandy, France. This allowed senior executives to be trained in a setting where serious decisions were made by both sides, and each provided a lesson. This series represents my notes (those I could take down) and takeaways. I share them to continue the conversation with the great individuals I met, and with the larger community.

Kind regards,

James


Innovating and penetrating the market – Battlefield Leadership Series – lessons and thoughts

Longues Sur Mer

At this location on the coast of Normandy you can see the immense naval guns set up to attack oncoming ships in World War II. The Germans expended resources and relied heavily on these guns in their defensive strategy. Unfortunately for the Germans, the treatment of the workers and locals, the sheer lack of natural intelligence, and the exposure of building such vast emplacements were their downfall.

The Allies often received intelligence on the exact positions of German construction. This was provided by those building and living in the area. Specifically, a local farm boy who was blind counted each step precisely and then supplied the locations through the French resistance and Allied intelligence networks.

The result was a gap in the German defensive strategy, a waste of resources, and ultimately, a failure to defend the coast.

Business Reflections: Innovating and Penetrating the market…

  • How are you establishing a product development strategy and running your business as a whole?
  • Are there defensible attributes that you deem critical, and how can they be routed?

Practical example: In the information security and intellectual property sector, there are very real threats, and running a secure business requires constant new methods of defense. How have you reevaluated these based on the internal shifts of your business and the known threats in the market itself? How did this analysis compare to prior years, and how has the effectiveness of your defenses been proven?

From a product innovation perspective, are you developing features from the highest and lowest levels? What high impact, low development effort work is underway, and what could be added? Product and innovation require views on the long and short run; too often we make complexity because we are able to handle complexity, when sometimes the user really only needs something less complex.

Leadership requires action:

Simply acknowledging the risks and accepting the situation does not prevent disastrous outcomes.



What is Battlefield Leadership and what is this series about … 

As part of my pursuit to learn and grow, I sought out the excellent management training team at Battlefield Leadership. I am professionally leveraging this across multi-million dollar projects I am overseeing (currently I am the lead executive building global compliance and security programs specifically in the online services / cloud leader space). Personally, I am bringing these lessons to bear within my pursuits to cross the chasm. Too often I see brilliant technical individuals fail to communicate to very smart business leaders and to the common person on the street. My new book, How Not to be hacked, seeks to be a first step in bringing deep information security practices beyond the technologist.

Most exciting, the Battlefield group placed this training in Normandy, France. This allowed senior executives to be trained in a setting where serious decisions were made by both sides, and each provided a lesson. This series represents my notes (those I could take down) and takeaways. I share them to continue the conversation with the great individuals I met, and with the larger community.

Kind regards,

James