Archive for RB

Slam the Door on Hackers

Last year two white-hat hackers, Charlie Miller and Chris Valasek, remotely compromised a Jeep Cherokee. The cybersecurity researchers used existing functionality in the car to take control. They were able to disable the car’s transmission and brakes while the vehicle was in reverse, and take over the steering wheel.

The Verge reports the researchers are back and have compromised their Jeep Cherokee again, fooling the car into doing dangerous things, like turning the steering wheel or activating the parking brake at highway speeds. This year’s attack requires physical access to the car.

Hackers use the diagnostic port

The team used a laptop connected to the OBD II engine diagnostic port to control even more vehicle systems. The Verge says the researchers were able to update the electronic control unit. This allowed them to take control of the steering at any time. They could turn the steering wheel at any speed, activate the parking brake, or adjust the cruise control settings.

Electronic control unit

Most operations in a car have their own designated electronic control unit (ECU) controller. Some ECUs manage things like a car’s navigation and entertainment systems. Others manage more critical systems like braking and fuel injection.

A connected car’s ECUs all operate on one network, self-contained within the vehicle. Tel Aviv start-up Karamba co-founder David Barzilai warns: “If hackers gain access to just one of these controllers, they can get to all of them.”

Harden ECU

The Israeli company hopes to sell Carwall to Detroit automakers. Carwall is a tool that installs anti-hacking technology into chip-bearing auto parts before they hit the assembly line. This could prevent hackers from crashing your new connected car. Mr. Barzilai told TechCrunch the startup’s technology can head off hackers at the pass. Carwall “hardens” the externally connected controllers, or small computers, within a vehicle.

Karamba’s Carwall is installed on the controllers, either as a retrofit or before the controllers are built into new cars. The software locks in the factory settings and prevents any foreign code or banned behaviors from running on them. This essentially blocks a hacker’s ability to reach into a car’s CAN bus and mess with the car’s critical functions.

“If indeed we are successful – if all hacks are blocked – then [you] don’t have to worry,” said Karamba’s Barzilai. “A hack that crashes your software is bad enough. A hack that crashes your car takes it to a whole new level.”

Karamba’s technology is designed to monitor every bit of code that tries to run on the ECUs and to make sure it comes from legitimate sources. “We are the gatekeepers,” Mr. Barzilai told MiTechNews.

Out of stealth mode

TechCrunch says Karamba has not yet scored a contract with the top automotive suppliers that make ECUs. It is targeting firms like Continental, Robert Bosch, Delphi Automotive, and Panasonic. But it has only just emerged from stealth and begun to shop its security software around.

YL Ventures has invested $2.5 million to fund Karamba’s growth, MiTechNews reported. Compared with the funding that some Silicon Valley security companies pick up, that’s not a huge amount. But it’s enough to move CEO Ami Dotan to Ann Arbor, where he’ll start making sales calls.

Karamba isn’t alone in attacking car security. Symantec (SYMC), the old-school antivirus firm, is working on auto security within its “internet of things” unit. Symantec recently released a white paper, “Building Comprehensive Security into Cars” (PDF), detailing the many electronics and sensors that have to be protected.

rb-

Chrysler is doing a small part to reduce connected car hacking. It recently launched a bug bounty program with Bugcrowd that will pay out as much as $1,500 per bug found. On the other hand, Apple is offering a bug bounty of up to $200,000 for bugs that won’t kill you.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

More IRS Tech Troubles

The U.S. gooberment agency in charge of collecting taxes from citizens, but not businesses, has more IT troubles. In the past, the IRS has had problems with hackers attacking its online systems, which exposed more than 720,000 taxpayer accounts. It has had data breaches that released 101,000 taxpayer SSNs. Its internal processes are so weak that the IRS could not find 1,300 PCs to complete the upgrade from Windows XP.

The latest report says that the IRS off-boarding processes are so porous that former employees have “unauthorized entry.” Former employees have access to workplaces, IRS computers, and taxpayer information, which could allow them to misrepresent themselves to taxpayers, according to an article at Nextgov.

The article cites a new watchdog report. A random sample taken in 2014 found that the IRS couldn’t verify it had recovered all security items from more than 66 percent of roughly 4,100 “separated” employees. The employees had left due to retirement, resignation, death, etc.

If the IRS had just checked with me, this would not have been a surprise. In 2014 I wrote about this issue. Lieberman Software released the results of a survey of IT security professionals: 13% of IT pros at the RSA Conference 2014 admitted to being able to access previous employers’ systems using their old credentials. Perhaps even more alarming, of those able to access previous employers’ systems, nearly 23% could get into their previous two employers’ systems using old credentials.

rb-

This is just another example of why passwords suck. If the tax collectors used a two-factor authentication (2FA) process, the chances are much greater that ex-employees would not be able to access taxpayers’ records. Two-factor authentication is a security process in which the user provides two means of identification from separate categories of credentials.

An authentication factor is an independent category of credentials used for identity verification. The three most common categories are often described as something you know (the knowledge factor), something you have (the possession factor), and something you are (the inherence factor). For systems with more demanding security requirements, location and time are sometimes added as fourth and fifth factors.

One rising authentication measure is biometrics. Biometrics is the measurement and statistical analysis of people’s physical and behavioral characteristics. The technology is mainly used for identification and access control. The basic premise of biometric authentication is that everyone is unique and an individual can be identified by his or her intrinsic physical or behavioral traits. An individual’s biometric uniqueness can fulfill the inherence factor of identity verification (“something you are”). Using biometrics in its various forms (I have written about different forms of biometrics on the Bach Seat: voice, brain waves, retina scans, behavioral biometrics, etc.) combined with a strong password can form 2FA.
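To make the ex-employee argument concrete, here is an added example (my own toy code, not IRS software or anything from the report): a user store that checks a password alone versus a password plus an RFC 6238 time-based one-time code. The account name, password and secret are constructed; the point it shows is that the possession factor can be revoked server-side at off-boarding, so a remembered password stops being enough even if the physical token was never recovered.

```python
"""Password-only versus two-factor login. Added example with a constructed
directory; not IRS software or code from the watchdog report."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the knowledge factor is stored only as a hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1 with dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Directory:
    """Toy user store: a password hash plus an enrolled TOTP secret per user."""

    def __init__(self) -> None:
        self.users: dict = {}

    def enroll(self, name: str, password: str) -> bytes:
        salt = secrets.token_bytes(16)
        secret = secrets.token_bytes(20)  # what the employee's token or phone holds
        self.users[name] = {"salt": salt, "pw": hash_password(password, salt), "totp": secret}
        return secret

    def revoke_token(self, name: str) -> None:
        """Off-boarding step that needs no physical recovery of the device:
        clearing the server-side secret kills the possession factor."""
        self.users[name]["totp"] = None

    def check_password(self, name: str, password: str) -> bool:
        u = self.users.get(name)
        return u is not None and hmac.compare_digest(hash_password(password, u["salt"]), u["pw"])

    def authenticate_password_only(self, name: str, password: str) -> bool:
        """The weak path: a former employee who remembers the password gets in."""
        return self.check_password(name, password)

    def authenticate_2fa(self, name: str, password: str, code: str, now: Optional[int] = None) -> bool:
        """Knowledge factor AND possession factor; tolerates one 30 s step of clock skew."""
        if not self.check_password(name, password):
            return False
        secret = self.users[name]["totp"]
        if secret is None:  # token revoked at off-boarding
            return False
        now = int(time.time()) if now is None else now
        return any(hmac.compare_digest(totp(secret, now + skew * 30), code) for skew in (-1, 0, 1))


if __name__ == "__main__":
    d = Directory()
    secret = d.enroll("former.employee", "Spring2014!")  # constructed account
    t = 1_400_000_000
    print(d.authenticate_2fa("former.employee", "Spring2014!", totp(secret, t), t))  # True while enrolled
    d.revoke_token("former.employee")
    print(d.authenticate_password_only("former.employee", "Spring2014!"))  # True: password alone still works
    print(d.authenticate_2fa("former.employee", "Spring2014!", totp(secret, t), t))  # False: second factor gone
```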

There are drawbacks to using biometrics for authentication too.

Related articles
  • Global Two-factor Biometrics Industry to Grow at a CAGR of 22.87% to 2020 (newsmaker.com.au)

Ethernet Marches On

It has been a while since we talked about networking on the Bach Seat. So it is time to get back to my roots. Ethernet continues to dominate the world. The Institute of Electrical and Electronics Engineers (IEEE) 802.3 Ethernet Working Group, the group responsible for the Ethernet standard, recently ratified four new Ethernet-related standards. The committee approved IEEE 802.3bp, IEEE 802.3bq, IEEE 802.3br, and IEEE 802.3by.

IEEE 802.3br has implications for IoT and connected cars. This new standard addresses the needs of industrial control system manufacturers and the automotive market by specifying a pre-emption methodology for time-sensitive traffic. IEEE 802.3bp addresses how Ethernet operates in harsh environments found in automotive and industrial applications.

The two new standards of more interest to networkers are IEEE 802.3bq and IEEE 802.3by. These standards define how 25 Gb/s and 40 Gb/s Ethernet will work and, more importantly, how products from multiple vendors should interoperate in the data center. For a summary of the rationale for the new standards, see the IEEE presentation (PDF).

IEEE 802.3bq, “Standard for Ethernet Amendment: Physical Layer and Management Parameters for 25 Gb/s and 40 Gb/s Operation, Types 25GBASE-T and 40GBASE-T”, opens the door to higher-speed 25 Gb/s and 40 Gb/s twisted-pair solutions with auto-negotiation capabilities and Energy Efficient Ethernet (EEE) support for data center applications.

IEEE 802.3by, “Standard for Ethernet Amendment: Media Access Control Parameters, Physical Layers, and Management Parameters for 25 Gb/s Operation”, introduces cost-optimized 25 Gb/s PHY specifications for single-lane server and switch interconnects for data centers.

Siemon’s Standards Informant explains that 25GBASE-T will be backward-compatible with existing BASE-T technology and that both 25GBASE-T and 40GBASE-T are planned for operation over TIA category 8 cabling. The deployment opportunity for 25GBASE-T is aligned with 40GBASE-T and defined as the same 2-connector, 30-meter reach topology supporting data center edge connections (i.e., switch-to-server connections in row-based structured cabling or top-of-rack configurations).

The standard’s ratification comes shortly after the Telecommunications Industry Association (TIA) approved its standard specifications for Category 8 cabling, the twisted-pair type designed to support 25GBase-T and 40GBase-T.

Though 25 Gigabit Ethernet is only now becoming an official standard, Enterprise Networking Planet reports that multiple vendors already have technologies in the market. Among the early adopters of 25 GbE is Broadcom (AVGO), which announced back in 2014 that its StrataXGS Tomahawk silicon would support 25 GbE. In 2015, Arista (ANET) announced its lineup of 25 GbE switches. Cisco (CSCO) is also embedding 25 GbE support in some of its switches, including the Nexus 9516.

That is where 25-Gb/s Ethernet comes in. It uses the same LC fiber cables and the SFP28 transceiver modules are compatible with standard SFP+ modules. This means that data-center operators can upgrade from 10 GbE to 25 GbE using the existing installed optical cabling and get a 2.5X increase in performance.

The IEEE 25GbE standard seems to have come out of nowhere (especially considering the L O N G D R A W N O U T 8 0 2 . 1 1 n process), but the technology actually came into being as the natural single-lane version of the IEEE 802.3ba 100-Gb/s Ethernet standard. The 100-Gb/s Ethernet standard uses four separate 25-Gb/s lanes running in parallel, so defining a single lane makes it a straightforward and natural subset of the 100-Gb/s standard.

rb-

IEEE P802.3by and P802.3bq were initially targeted at server connections in mega data centers like Amazon, Facebook, and Google. In the next five years, 25G will be the next mainstream server upgrade from 10G, even for smaller data centers. SMB data centers will face a connectivity crisis in the future as the pace of virtualization increases.

According to IDC, the typical virtualized server supported about 10 virtual machines (VMs) in 2014 and will support in excess of 12 VMs by 2017. In many organizations, the majority of production workloads are already virtualized and almost all new workloads are deployed on virtualized infrastructure, placing inexorable stress on server connectivity.

In order to accommodate this growth, Twinax copper and short-reach MMF are included in the “by” standard, while 25GBASE-T (twisted pair) was added to the existing 40GBASE-T “bq” project, making 25G possible in smaller data centers without having to re-wire the data center.

Data Center in Space

Cloud computing is old technology. An LA-based start-up wants to move your data beyond the cloud. Cloud Constellation wants to store your data in space. The firm is planning to build a satellite-based data center that will have room for petabytes of data and may start orbiting Earth as early as 2019, according to Computerworld.

CEO Scott Sobhani told the author Cloud Constellation is looking upward to give companies and governments direct access to their data from anywhere in the world. Its data centers on satellites would let users bypass the Internet and the thousands of miles of fiber their bits now have to traverse in order to circle the globe. And instead of just transporting data, the company’s satellites would store it, too.

The article describes the pitch like this: data centers and cables on Earth are susceptible to hacking and to national regulations covering things like government access to information. They can also slow data down as it goes through switches and from one carrier to another, and all those carriers need to get paid.

Cloud Constellation’s system, called SpaceBelt, would be a one-stop shop for data storage and transport. Need to set up a new international office? No need to call a local carrier or data-center operator. Cloud Constellation plans to sell capacity on SpaceBelt to cloud providers that could offer such services.

Security is another selling point. Data centers on satellites would be safe from disasters like earthquakes, tornadoes, and tsunamis. Internet-based hacks wouldn’t directly threaten the SpaceBelt network. The system will use hardware-assisted encryption, and just to communicate with the satellites an intruder would need an advanced Earth station that couldn’t just be bought off the shelf, Mr. Sobhani told Computerworld.

Cloud Constellation’s secret sauce is a technology it developed to cut the cost of all this from US$4 billion to about US$460 million, Sobhani said. The network would begin with eight or nine satellites and grow from there. Together, the linked satellites would form a computing cloud in space that could do things like transcode video as well as store bits. Each new generation of spacecraft would have more modern data center gear inside.

The company plans to store petabytes of data across this network of satellites. Computerworld points out that the SpaceBelt hardware would have to be certified for use in space. Hardware in space is more prone to bombardment by cosmic particles that can cause errors. Most computer gear in space today is more expensive and less advanced than what’s on the ground, satellite analyst Tim Farrar of TMF Associates said.

Taneja Group storage analyst Mike Matchett told the author that the idea of petabytes in space is not as far-fetched as it may sound. A petabyte can already fit on a few shelves in a data center rack, and each generation of storage gear packs more data into the same amount of space. This is likely to get better even before the first satellites are built.

But if you do put your data in space, don’t expect it to float free from the laws of Earth. Under the United Nations Outer Space Treaty of 1967, the country where a satellite is registered still has jurisdiction over it after it’s in space, said Michael Listner, an attorney and founder of Space Law & Policy Solutions. If Cloud Constellation’s satellites are registered in the US, for example, the company will have to comply with subpoenas from the U.S. and other countries, he said.

And while the laws of physics are constant, those on Earth are unpredictable. For example, the US hasn’t passed any laws that directly address data storage in orbit, but in 1990 it extended patents to space, said Frans von der Dunk, a professor of space law at the University of Nebraska. “Looking towards the future, that gap could always be filled.”

rb-

On the Bach Seat, we have covered different theories about data centers several times. These theories included manure, sewer gas, and used cars to power DCs, as well as proposed data centers underwater and at Kmart. This one, however, seems the most unique, considering the start-up costs to build and launch satellites.

Security Cam Concerns in Ann Arbor

Next time you are in Ann Arbor to get a bite to eat at Zingerman’s or attend a U of M football game at Michigan Stadium, someone may be watching you. NetworkWorld says Ann Arbor is one of the top U.S. cities with the most unsecured security cameras. In fact, Ann Arbor ranks seventh nationally.

The report’s author, security firm Protection 1, analyzed data from Insecam. Insecam identifies open security cameras, and Protection 1 estimates there are over 11,000 open security cameras on the Internet in the U.S. Protection 1 identified the cities with the most cameras that can be viewed by anyone online. The top 10 cities with unsecured security cameras are:

  1. Walnut Creek, CA – 89.69 / 100,000 residents
  2. Richardson, TX – 72.74 / 100,000 residents
  3. Torrance, CA – 72.55 / 100,000 residents
  4. Newark, NJ – 38.07 / 100,000 residents
  5. Rancho Cucamonga, CA – 36.76 / 100,000 residents
  6. Corvallis, OR – 37.98 / 100,000 residents
  7. Ann Arbor, MI – 34.18 / 100,000 residents
  8. Orlando, FL – 34.05 / 100,000 residents
  9. Eau Claire, WI – 22.21 / 100,000 residents
  10. Albany, NY – 20.32 / 100,000 residents

Open security cameras connect to the Internet via Wi-Fi or a cable. They have no password protection or are using the manufacturer’s default password. Malicious people and governments can record or broadcast our lives from unprotected open security cameras. Open cameras are also vulnerable to attacks that can turn them into bots.

From a privacy perspective, the most worrisome finding is that 15% of the open cameras are in Americans’ homes. Anyone can watch these cameras if the default password is not changed to a unique password to lock down the camera.

Besides being spied on from the web, open cameras can be exploited by criminals. Cyber-criminals can force online cameras to attack other things on the Internet as part of a DDoS attack.

A DDoS attack against a jewelry shop website led to the discovery of a CCTV-based botnet. A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing a denial of service for users of the targeted system. TechTarget says the flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users.

Help Net Security reports that Sucuri researchers discovered the jewelry site was being attacked by a CCTV botnet made up of 25,000+ cameras from around the globe. The website was first attacked by a layer 7 attack (HTTP Flood) at 35,000 HTTP requests per second and then, when those efforts were thwarted, with 50,000 HTTP requests per second.
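The HTTP flood described above is the kind of thing a site operator can see in its own access logs before calling the hosting provider. As an added example (my own code, not from Sucuri’s report or the author), this groups requests by second and flags any second over a request-rate threshold, reporting how many distinct sources took part; the log lines, addresses and threshold are constructed for illustration.

```python
"""Spot a layer 7 HTTP flood in web-server access logs by per-second request rate.
Added example with constructed data; not from Sucuri's report or the author."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Return the fields a flood detector needs, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "second": int(ts.timestamp()),
            "path": m.group("path"), "ua": m.group("ua")}


def detect_http_flood(lines, threshold_rps: int) -> dict:
    """Group requests by wall-clock second and report every second above the threshold.

    Each flagged second carries the request count, the number of distinct source
    addresses (a botnet shows many) and the most-hit paths: the facts you hand to
    the hosting provider or filtering service."""
    per_second = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_second[rec["second"]].append(rec)
    flagged = {}
    for sec, recs in sorted(per_second.items()):
        if len(recs) > threshold_rps:
            flagged[sec] = {
                "requests": len(recs),
                "sources": len({r["ip"] for r in recs}),
                "top_paths": [p for p, _ in Counter(r["path"] for r in recs).most_common(2)],
            }
    return flagged


def make_sample_log() -> list:
    """Constructed sample: two normal hits, then 60 requests in one second from
    20 addresses in the RFC 5737 documentation range (not real attack traffic)."""
    fmt = '{ip} - - [10/Oct/2016:12:00:{s:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = [
        fmt.format(ip="198.51.100.7", s=0, path="/", ua="Mozilla/5.0"),
        fmt.format(ip="198.51.100.8", s=1, path="/rings", ua="Mozilla/5.0"),
    ]
    for i in range(60):
        lines.append(fmt.format(ip=f"203.0.113.{i % 20 + 1}", s=2, path="/", ua="Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    # Threshold is scaled to the toy log; the real attack ran at 35,000 req/s.
    for sec, info in detect_http_flood(make_sample_log(), threshold_rps=50).items():
        print(datetime.fromtimestamp(sec, tz=timezone.utc), info)
```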

Sucuri researchers discovered that all the attacking IP addresses served a similar default page with the ‘DVR Components’ title. After digging some more, they found that all these devices are BusyBox based. BusyBox is GNU-based software that aims to be the smallest and simplest correct implementation of the standard Linux command-line tools.

The compromised CCTV cameras were located around the globe:

  • 24% originated from Taiwan,
  • 12% United States,
  • 9% Indonesia,
  • 8% Mexico,
  • and elsewhere.

rb-

Unless something is done, security flaws, misconfiguration, and ignorance about the dangers of connecting unsecured devices to the IoT will keep these botnets functioning well into the future.

To protect your website from botnets and DDoS, you need to be able to block or absorb malicious traffic. Firms should talk to their hosting provider about DDoS attack protection. Can they route incoming malicious traffic through distributed caching to help filter it out, reducing the strain on existing web servers? If not, find a reputable third-party service that can help filter out malicious traffic.

DDoS defense services require a paid subscription, but often cost less than scaling up your own server capacity to deal with a DDoS attack.

Arbor Networks is one firm that provides services and devices to defend against DDoS.

Google has launched Project Shield to use Google’s infrastructure to support free expression online by helping independent sites mitigate DDoS attack traffic.
