Security Acquisitions Oct 2015

Lancope, Viewfinity, Vormetric, LogEntries, Boxer, Secure Islands, Silanis

http://www.infoworld.com/article/3000479/security/security-acquisitions-reach-a-fever-pitch.html

Lancope – StealthWatch provides a visual representation of the network to detect anomalies that could signify an attack. In the event of an infection, StealthWatch analyzes traffic between servers to determine which hosts were affected. Acquired by Cisco, $453m.

Viewfinity – Endpoint security for windows. App control features and administrative privilege capabilities to protect against zero-day attacks, malware and threats.

Vormetric – Filesystem encryption, keeping metadata in clear and enterprise key-management for third party encryption keys. Acquired by Thales Security for $400m

LogEntries – machine data search technology to help security teams  investigate security incidents deeply. Spun out of University College Dublin (UCD). Acquired by Rapid7, $68m. 3k customers.

Boxer – Android email app, acquired by VMWare

Secure Islands –  IQProtector looks at content and wraps/protects it based with policy based DRM automatically. “Secure Islands’ Data Immunization uniquely embeds protection within information itself at the moment of creation or initial organizational access. This process is automatic and accompanies sensitive information throughout its lifecycle from creation, through usage and collaboration to storage.” Acquired by Microsoft.

Silanis – e-Signatures with strong crypto algorithmic and keys

ThingWorx IOT Platform and Marketplace

The premise behind ThingWorx is that manufactured products are transforming into services. A product can be remotely monitored, maintained, and its data analyzed as part of the extended service wrapper. It is an interesting point of view on the evolution of products.

GE provides the engine not as a product but as a service, it continues to maintain it after the sale. Boeing provides the plane as a service, it continues to maintain it after the sale.

ThingWorkx claims to makes it easier for any product to be converted to such a service. It’s not clear how this works with legacy systems – whether it is an agent or a wrapper and how easy it is to add. Its security whitepaper discusses authentication, authorization, encryption, security models, audit etc.

Imagine a hyperconnected supply chain consisting of components that are tracked back by their supplier. Security and access controls would be a challenge in such a dynamic environment.

An example of a product/application on ThingWorx is Velio OBD device and Velio Webhook application.  The Webhook application displays basic data coming from OBD modules: GPS, accelerometer and OBD-II. It enables users to create customized views depicting the data that is important to them while also enabling access to both live and historical data. The application will be available in the ThingWorx Marketplace.

Some competitors include  Spark DevicesAyla NetworksCarriotsXively, Axeda, Arrayent and Berg Cloud.

Cloud Security and Compliance Standards

Cloud processing of information affects existing information processing flows, controls and compliance standards. Cloud service providers show the level to which they support diverse compliance standards that are specific to verticals such as payments, health, finance, enterprise. A reference is https://aws.amazon.com/compliance/ .

CSA-CCM Cloud Security Alliance Cloud-Controls Matrix. The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP. Part of Governance, Risk Management and Compliance (GRC) stack – CloudAudit, CCM, CAIQ, CTP.

PCI-DSS Payments Card Industry-Data Security Standards released guidelines for storing credit card data in the cloud. See https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf

SSAE16 Statement on Standards for Attestation Engagements (SSAE) 16. SSAE 16 reporting can help service organizations comply with Sarbanes Oxley‘s requirement. It is not limited to financial reporting; it can also be applied to other sectors, and is useful for datacentres. SSAE 16 is one of the most widely known tools for providing assurances to data center customers. See discussion at http://www.datacenterknowledge.com/archives/2012/01/19/aicpa-fumbles-audit-standards-at-the-5-yard-line/ and related SOC1, SOC2.

ISO27001 Specification for an information security management system, released 2013.

FedRAMP U.S. federal agencies have been directed use a process called FedRAMP (Federal Risk and Authorization Management Program) to assess and authorize federal cloud computing products and services. See https://aws.amazon.com/compliance/fedramp/

UK G-Cloud Framework for faster procurement of IT Services over the cloud. See also CESG Communications-Electronics Security Group

IRAP Information Security Registered Assessors Program is an Australian Signals Directorate initiative to provide high-quality information and communications technology services to government in support of Australia’s security. A list of certified clouds – http://www.asd.gov.au/infosec/irap/certified_clouds.htm

HIPAA Health Insurance Portability and Accountability Act. The privacy rule ensures patients access to their health information and Protected Heath Information data (PHI) and de-identification of such data before health information being shared publicly. The security rule covers physical and technical safeguards such as control and monitoring of information against intrusions, encryption over networks etc.

DIACAP DoD Information Assurance Certification and Accreditation Process.  United States Department of Defense (DoD) process to ensure that companies and organizations apply risk management to information systems. Aligns with NIST Risk Management Framework (RMF).

GLBA Financial Services Modernization act of 1999. Removed barriers in the market among banking companies, securities companies and insurance companies acting as one,  allowing them consolidate. GLBA compliance is mandatory; whether a financial institution discloses nonpublic information or not, there must be a policy in place to protect the information from foreseeable threats in security and data integrity.

NIST-SP800 30 NIST Risk Management Guide for Information Technology Systems

FISMA Federal Information Security Management Act of 2002. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.[

UK Data Protection Act Governs the protection of personal data in the UK

EU Data Privacy Directive Officially officially Directive 95/46/EC. European Union directive adopted in 1995 which regulates the processing of personal data within the European Union. It is an important component of EU privacy and human rights law. On 25 January 2012, the European Commission unveiled a draft European General Data Protection Regulation that will supersede the Data Protection Directive.

FIPS 140-2  Federal Information Processing Standard  Publication 140-2 is a U.S. government computer security standard used to accredit cryptographic modules.

It’s Back to the Future day

30 years out in the future seemed far out. But here we are on Oct 21, 2015 when Marty arrives back to the future.

What were some security features in the movie ?

  1. Thumbpads or fixed fingerprint scanners are used as a door locks.  They are well integrated in the life of people.
  2. Vehicle had barcode license plates that were remotely scannable. This could allow remote scanning by other vehicles or building infrastructure.
  3. Police carry mobile fingerprint scanners to identify a person – they press their thumb and obtain the name, address and date of birth.
  4. An autonomous drone walks the dog and apparently is safe enough on the roads.

How does Marty identify the characters in a different age ? It is interesting to think about identification schemes that can last for decades. He first recognizes their mannerisms and relationships. Identification mechanisms are being built to leverage such signatures.

In Minority Report, there is personal advertising scene of the future which uses face/eye recognition to flash ads to Tom Cruise. https://www.youtube.com/watch?v=7bXJ_obaiYQ

In Mission Impossible, Rogue Nation there are several futuristic authentication schemes (gait, hand, eye) and security schemes (automatic wipe, isolation). https://www.youtube.com/watch?v=0iZ-nQ4yFn4

Integrate Conference 2015

This conference has a focus on integration between technologies and is held with API World. A dominant theme was connected cars.

ActiveScaler demonstrated its Connected Car platform and API that delivers five types of information. It had a great session with visits from a number of car companies, partners, vendors advisors, investors and interested public.

The highlight was a visit by Maria Roat, CTO, US Department of Transportation where she and her colleague shared their views on the evolution of transportation technologies with ActiveScaler team.

ActiveScaler demonstrated an app that connects the car to the cloud to provide rich vehicle and driver analytics in real time.

Privacy and Marketing Automation

Oracle bought Eloqua, and sells marketing automation as a business service.

A quote from What is Eloquoa all about : “At their core, Eloqua, and other MAPs, help you connect an email address you have (or have collected) to activities of an anonymous person (prospect) interacting with you and your brand across online channels. The fundamental value in these tools and platforms is that help you de-anonymize prospects(unknown) into contacts(known) from interactions like clicking on an email you sent them or by submitting a form, which should at the minimum collect email address and name, from your website, chat bot, landing page etc.

A Paper on privacy and marketing by Princeton CS – The web never forgets, persistent tracking methods in the wild.

How web analytics javascript reports back information from the referring url.

Difference between first party and third party cookies.

Flash cookies are shared across different browsers.

A good explanation of SSP and DSP and the mechanism and need for cookie syncing is here. The end-user supplies attention. The agency/brand demands attention.

Purpose of all this amazing tracking is to build personal profiles to personalize and market various offers, cars and credit cards (?).

Top advertisers on google and facebook indicates many top brands are paying top dollar for the ads.

In some ways it is inevitable that a better advertising medium than TV/Radio should appear.

The raw data creates linked data.  Profile data gets built up over years and hoarded  competitively to achieve a higher rate of advertising effectiveness.  Asymmetry of information between user and the ad companies grows over time. Does it have to be so ?

TechCrunch Disrupt Hackathon – Safety for Connected Cars

The Ford Hackathon at Techcrunch Disrupt (San Francisco, 2015) encouraged use of the Ford SmartDeviceLink (SDL) iOS SDK to talk to their in-car head units. The apps can be submitted to Ford for cars supporting Ford Sync. Toyota was present to lend support to this open source effort. With a joint open source effort  the number of cars targetted by such apps could be higher.

The SDL SDK can be useful for insurance applications for measuring ride and driver quality. Many applications were built at the hackathon around this idea.

My team built an iOS application to synchronize brakes between two cars in real-time to prevent vehicle pileups in low visibility conditions. It alerted the driver that another car is braking ahead of his car, by acting as a virtual brake light that turns on if a connected car ahead is braking. Our goal was distraction-free safe driving, so it used voice commands to alert the driver and automatic brake detection from the SmartDeviceLink SDK, instead of manual alert generation.

A previous SDK supported by Ford was OpenXC, an open API for connected cars. Another popular SDK at the hackathon was Vin.li SDK.

There was discussion of a Waze like app that is built into cars. Talking to people I learnt of the role the Department of Transportation is playing to bring Intelligent Transportation to reality.

DSRC is a communication standard for such use cases – Dedicated Short Range Communications.

Salesforce Dreamforce Conference

At the Salesforce conference were several interesting IOT demonstrations.

One of them could Docker to be run inside a Raspberry Pi. This can be used for seamless OTA upgrade of IOT software. Another allowed instant analysis of the chemical composition of a drug and the information is connected to an app.

Another interesting demo was Built.io, which is like an IFTTT for different apis and IOT flows – a virtual circuit diagram allows inputs to be cascaded together in a flexible manner to achieve a variety of outcomes.

Salesforce made the announcement of the IOT Cloud which is built on Salesforce Thunder, a massively scalable real-time event-processing engine. Business can create alerts or filters to identity important data from event streams. This can be used to send alerts from manufacturers to customers or customers to manufacturers, for instance for a malfunctioning device or for a car recall.

Marc Benioff – “The Salesforce IOT Cloud will empower businesses to build proactive 1:1 relationships with their customers to deliver a new kind of customer success”.

Here’s a review of this announcement with the opinion that it is currently more of a positioning statement than a real capability – http://www.zdnet.com/article/dreamforce-2015-salesforce-thunder-unavailable-2016/

CAN bus attacks

A CAN is a Controller Area Network. Electronic Control Units (ECUs) are networked together in a car using a bus based on the CAN standard. A car will have one more CAN buses which are typically accessible via the Onboard Diagnostics (OBD II) port.

The CAN allows a distributed network of micro-controllers and devices to do real time messaging with each other with CAN packets, to exercise real time control. It is used in industrial control systems, vechicles such as airplanes and ships, and automotive systems.

ECU examples are Airbag, HVAC, ABS and Engine Control Unit.

Some CAN related security resources –

  1. Hopping on the CAN bus. https://www.blackhat.com/docs/asia-15/materials/asia-15-Evenchick-Hopping-On-The-Can-Bus.pdf
  2. Charlie Miller, Chris Valasek.  http://illmatics.com/car_hacking.pdf
  3. Craig Smith, opengarages. http://opengarages.org/handbook/
  4. Original Spec by Bosch. http://www.bosch-semiconductors.de/media/pdf_1/canliteratur/can2spec.pdf
  5. http://www.instructables.com/id/Exploring-the-Tesla-Model-S-CAN-Bus/?ALLSTEPS
  6. http://tucrrc.utulsa.edu/DodgeCAN.html

A podcast interview with Chris Valasek: https://securityledger.com/2015/07/podcast-interview-with-car-hacker-chris-valasek-of-ioactive/

Most cars do allow CAN access via OBD. Tesla does not, but the CAN information is still accessible via another port.

It may sound unusual that the OBD port meant for diagnostics should allow sending commands to the CAN bus, but this is in fact possible, in part because there is no source identifier or authentication build into CAN packets.

What if an ECU itself has some kind of problem or degradation ? This can increase vulnerability when combined with open CAN bus access.

For example, there were two independent recalls in early 2015 related to defective airbag deployments. The Jeep recall was due to software that detected rollover aggressively and deployed the airbags. The NHTSA recall was due to Takata airbags with faulty inflators.

As we bravely head to an IOT world where various devices and controllers are networked to external entities, such concerns will increase.

There are attacks on other car interfaces such as bluetooth, telematics unit and remote key. Recently (July) there was an attack on Jeep which caused an update to fix the bug. The Israeli media reported a couple startups, Argus and TowerSec could have prevented this attack.   Update Jan 2016: TowerSec is acquired by Harman – CES 2016 announcement.

OpenDNS and Cisco

Cisco recently acquired OpenDNS and its security offerings.

The Domain Name Service is a hierarchical lookup service that converts human readable names to IP addresses that are used for routing. As such the DNS lookup servers can see the names being accessed, their access trends, web security attack patterns such as phishing redirects and so on.

But how did OpenDNS come to focus on security ? It was preceded by a free DNS service called EveryDNS started by David Ulevitch in his college dorm in 2001. The free nature of it attracted an interesting clientele– a number of malicious services, sites and agents.  This gave EveryDNS visibility into this part of the internet – both the customer view and a real-time view. David realized the potential and started a new company OpenDNS with both a free+paid dns offering and a growing number of security services.

In 2012 OpenDNS offered an Umbrella service to blacklist malicious sites. The most interesting offering is its OpenDNS Security Graph. The Umbrella Security Graph maintains and automatically updates malware, botnet, phishing domain and IP blacklists. This is then sold to enterprises – a higher margin business than providing DNS lookup alone.

Verisign is also in the DNS security business after it sold its certificate business to Symantec.

Tesla Model S hacked by researchers

Tesla is an advanced computer on wheels. How is security for such systems designed ? Snippets from below are insightful.

http://www.wired.com/2015/08/researchers-hacked-model-s-teslas-already/

“Two researchers have found that they could plug their laptop into a network cable behind a Model S’ driver’s-side dashboard, start the car with a software command, and drive it. They could also plant a remote-access Trojan on the Model S’ network while they had physical access, then later remotely cut its engine while someone else was driving.”

“Tesla distributed a patch to every Model S on the road on Wednesday. Unlike Fiat Chrysler, which recently had to issue a recall for 1.4 million cars and mail updates to users on a USB stick to fix vulnerabilities found in its cars, Tesla has the ability to quickly and remotely deliver software updates to its vehicles. Car owners only have to click “yes” when they see a prompt asking if they want to install the upgrade.”

“The Model S has a 17-inch touchscreen that has two critical computer systems. One is an Ubuntu server responsible for driving the screen and running the browser; the other is a gateway system that talks to the car. The Tesla gateway and car interact through a vehicle API so that when a driver uses the touchscreen to change the car’s suspension, lock the doors, or engage its parking brake, the touchscreen communicates with the gateway through an API, and the gateway communicates with the car. The touchscreen never communicates directly with the car. “At least so our research has found so far,” Mahaffey says.”

“The Model S has an Ethernet cable for diagnostic purposes and by connecting to this they were able to get access to the car’s LAN. This allowed them to uncover information about the firmware update process, such as the configuration of the VPN the car used to obtain updates as well as the URLs from where the updates were downloaded. They also found four SD cards inside the car that contained keys for the VPN structure, and they found unsecured passwords in an update file that allowed them to gain access to the Tesla firmware update server. “By using the VPN credentials we got from the SD card, we were able to configure and open VPN clients to go and talk to Tesla’s infrastructure and mimic the car.”

Even though Tesla provided the update quickly, having unsecured passwords in a file that allowed access to go to the firmware update server should alert one to the risks of connected cars.

Zigbee Scanning from a Flying Drone

From http://thehackernews.com/2015/08/hacking-internet-of-things-drone.html

Security researchers have developed a Flying Drone with a custom-made tracking tool capable of sniffing out data from the devices connected to the Internet – better known as the Internet-of-things.

Under its Internet of Things Map Project, a team of security researchers at the Texas-based firm Praetorian wanted to create a searchable database that will be the Shodan search engine for SCADA devices.

 

The researchers located all ZigBee-enabled smart devices and networks and then started expanding their research.
“When [IoT devices] communicated over a wireless protocol called ZigBee, this protocol is open at a network level. So when the devices start connecting, they send out beacon requests. We capture data based on this,” says Paul West Jauregui, from Praetorian.
ZigBee is a popular smart-home wireless communication standard used by the majority of Internet of Things (IoT) devices today.
ZigBee protocol, which lets IoT devices talk to each other, is implemented by major vendors including Toshiba, Philips, Huawei, Sony, Siemens, Samsung, Motorola, and many more.

Building Automation Security Plan (Target, HVAC)

The Target data breach in 2013 affected 40million credit cards. It was traced back to an onsite HVAC (that was remotely accessible for billing) being on the same network as the rest of the system . The credentials for the HVAC were breached and used to attack the internal computers.

The link below discusses a comprehensive security plan for a building automation system. The connected components are identified and the network and systems are designed for authorized access.

http://www.automatedbuildings.com/news/may14/articles/llnl/140425010101llnl.html

One can see such a plan being useful for a number of sensor/IOT systems – e.g. energy, temperature and and video sensors.