Insecurity in a Connected Planet
Rear Admiral Bill Leigher (USN-Ret) 2015 MTUG Summit and Tradeshow
28 May 2015
Or perhaps…
Why You Really Need to Worry About Internet Security
But remember…
It’s Not the Internet of Things;
It’s a Business Case
Agenda
• The Problem Space
• The Attack Surface
  o Basic access controls
  o Industrial systems
  o Automobiles
  o Aircraft
  o Health care
• What you can do
My View of the Internet During my Navy Career
A Different View of the Internet
A Matter of Perspective
Fundamentally, it’s About Access to Your Network
Source: http://searchsecurity.techtarget.com/news/2240237020/Survey-Guest-network-security-lacking-at-many-businesses
Survey: Guest network security lacking at many businesses
• 71% of businesses don’t implement measures such as providing unique, temporary passwords to users connecting to guest networks
• More than 50% of those businesses don’t monitor for malicious traffic or malware
• And this doesn’t account for your employees’ behaviors
Data and Applications at Risk
Source: http://www.popsci.com/most-sophisticated-malware-ever-can-infect-hard-drive-firmware
The World's Most Sophisticated Malware Ever Infects Hard Drive Firmware
• Dubbed “Equation” by Kaspersky Labs
• Delivered by Trojan Horse.
• Rewrites the firmware of hard drives, making it virtually impossible to detect, let alone remove.
• Infections in more than 40 nations.
Stuxnet
Source: http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf
Langner: To Kill a Centrifuge
• SCADA: Supervisory Control And Data Acquisition, a category of computer programs used to display and analyze process conditions.
• IT Layer: propagate via networks, OS and applications
• Control layer: manipulate via controllers and sub-controllers
• Physical layer: damage specific equipment.
Physical Destruction – Not Just a Nation State Threat
Source: http://www.wired.com/2015/01/german-steel-mill-hack-destruction
A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever
• Manipulated and disrupted control system so that a blast furnace could not be properly shut down, resulting in “massive” damage.
• Infiltrated corporate network via a spear phishing attack.
• “Failures accumulated in individual control components or entire systems.”
Planes, Trains & Automobiles
The Next Cybersecurity Concern: Your Car
• 14-year-old with $15 of parts from Radio Shack accesses a car’s computer, unlocks the doors, starts the engine, streams music.
• Consequence of OnStar, mBrace, SYNC…and oh yeah, Bluetooth.
• Throttle, steering, braking and collision avoidance in play
Source: record-eagle.com · by Jim Koscs 3/4/15
Planes, Trains & Automobiles
FBI Claims security researcher took control of plane
• Admitted that he has taken control of networks ‘around’ 15 times, solely for the purpose of observation.
• "exploited/gained access to the [in-flight entertainment] system, overwrote code on the airplane's Thrust Management Computer while aboard a flight and commanded the system he had accessed to issue the climb command."
Source: http://www.cnet.com/news/fbi-claims-security-researcher-took-control-of-plane/
Planes, Trains & Automobiles
United Airlines offers air miles as bug bounty reward
• Low-severity-rated vulnerabilities are worth 50,000 air miles. High-severity vulnerabilities related to remote code execution are worth a maximum of 1,000,000 air miles.
• Testing on in-flight systems will result in disqualification and possible criminal investigation.
Source: http://www.zdnet.com/article/united-offers-air-miles-as-bug-bounty-reward/
Medical Device Vulnerability
It’s Insanely Easy to Hack Hospital Equipment
• Everything Was Tested, And Most Of It Was Hackable: drug infusion pumps, Bluetooth-enabled defibrillators, remote access to X-rays, blood and drug storage refrigerators, and digital medical records.
• Open systems, often with web interfaces to facilitate communication. Hardcoded passwords.
• Hackers could gain access via a phishing attack and then explore the internal network, or simply plug a laptop into the network, to discover and attack vulnerable systems.
  -- “Once you get a foothold into the network … you can scan and find almost all of these devices, and it’s fairly easy to get on these networks.”
Source: http://www.wired.com/2014/04/hospital-equipment-vulnerable/
Bio-Hacking? Well, Sort Of
Hacker Implants NFC Chip In His Hand To Bypass Security Scans And Exploit Android Phones
• Think the NFC chip in your pet.
• Pings an Android device and asks to install a (malicious) file.
• Can be remotely controlled
Source: http://www.forbes.com/sites/thomasbrewster/2015/04/27/implant-android-attack//
Six Fundamental Questions About Connected Devices
• Do the devices store and transmit data securely?
• Do they accept software security updates to address new risks?
• Do they provide a new avenue to unauthorized access of data?
• Do they provide a new way to steal data?
• Do they connect to the institution's existing IT infrastructure in a way that puts data stored there at greater risk?
• Are the APIs – through which software and devices connect – secure?
It’s Not the Internet of Things; It’s a Business Case
Questions Thank You