IATC at ISSA Summit

On Friday, May 19, I attended the ISSA Summit 9 in Los Angeles to run the I Am The Cavalry booth. I Am The Cavalry was an honorary sponsor of the event and I thoroughly enjoyed the experience. From the keynotes about the current state of cyber security and life lessons learned from IT, to the in-depth breakdown of WanaCrypt0r, there was plenty to take away from each and every talk. Perhaps most important were the amazing connections we were able to establish at and around the booth. A speaker at the CISO panel mentioned I Am The Cavalry, which also helped bring more interest over to the booth.

Of particular note, we received some very interesting questions, ideas, and even invitations to speak at other industry events, such as Big Data Day LA and SoCal Linux Expo (SCALE). One of the interesting enquiries we received was about creating a Pwn2Own for medical devices, which could facilitate more security research on them as more and more malware has been victimizing medical equipment. This brought to our attention a subject that is somewhat unique to healthcare and other special-device industries: the devices are so pricey that it is often impractical for security researchers to even get their hands on them in order to test. For example, an MRI machine costs upwards of hundreds of thousands of dollars, and no known hospital currently has MRI machines to sacrifice to security tests.

Jennifer Granick, Stanford Law School’s Director of Civil Liberties, also stopped by the booth and asked to see some x86 disassembly, so I walked her through some WanaCrypt0r code which was a hot topic recently. Ms. Granick has a very thorough book that she recently published about the current state of privacy and surveillance in the United States entitled American Spies: Modern Surveillance, Why You Should Care, and What to Do About It. The book has a similar feel to Data and Goliath by Bruce Schneier, but as one would imagine, it covers a lot more policy and law rather than the technical focus of Schneier’s books. I feel this title makes a great companion to Data and Goliath and frankly was very necessary at this point in time. I’ve enjoyed the 50 pages that I’ve read so far and each page is jam-packed with value.

Last but not least, the CTF was put on by Somerset Recon from San Diego. These gentlemen are very, very skilled at what they do and brought an awesome, e-sports-esque head-to-head rig. If I had had extra time, I certainly would have spent more of it reversing binaries at the CTF, but every minute was well spent at this event and I look forward to the next ISSA Summit.

Todd Cullum

5 Motivations of Security Researchers

Security researchers have diverse motivations for investigating security flaws in software and systems. As companies, policymakers, lawyers, and others interact with the security research community, understanding this truth can unlock more fruitful engagement. I Am The Cavalry has been using a simple and useful framework to discuss the drivers of security researcher behavior. While this list isn’t comprehensive, and while most of us fit at least two of these categories, this framing can catalyze a dialog that allows a fuller appreciation of why we do what we do, and that is the value of the framework.

  • Protect – make the world a safer place. These researchers are drawn to problems where they feel they can make a difference.
  • Puzzle – tinker out of curiosity. This type of researcher is typically a hobbyist and is driven to understand how things work.
  • Prestige – seek pride and notability. These researchers often want to be the best, or very well known for their work.
  • Profit – to earn money. These researchers trade on their skills as a primary or secondary income.
  • Politic – ideological and principled. These researchers, whether patriots or protestors, strongly support or oppose causes.

6 Differences in Internet of Things and Cyber Safety

We’ve been using a framework for a couple of years to explain how the Internet of Things and Cyber Safety differ from Enterprise IT and most other high tech products we’re familiar with. It’s proven useful to frame discussions, particularly with a non-technical audience, and builds a base of agreement for more substantive conversations. Most of our (debatably) “best practices” are highly tuned for financially motivated adversaries, with confidentiality impacts, in managed corporate environments, with common technologies, and established economics and time scales. As compared with Enterprise IT, the Internet of Things and Cyber Safety have several differences that must be appreciated and accounted for throughout the device’s lifecycle by all stakeholders who design, build, or operate them.

  • Consequences – When software is a dependency for safety-critical systems, consequences of security failure may manifest in direct, individual harm including loss of life. Impacts from widescale harm can shatter confidence in the firm or the market, as well as trust in government to safeguard citizens through oversight and regulation.
  • Adversaries – Different adversaries have different goals, motivations, methods, and capabilities. While some adversaries may be chastened by potential harm from safety-impacting systems, others may seek these systems out. For instance, ideological actors may wish to inflict harm, and criminal groups may suspect owners will pay higher ransoms.
  • Composition – Some components in Internet of Things devices, including safety systems, are not found in typical IT environments. Elements such as sensors, programmable logic controllers, low power chips, embedded controllers, limited battery life, etc., limit capabilities available to the manufacturer in design and response.
  • Economics – Safety-system components may simultaneously demand a high degree of resourcing to protect and carry a very low cost of goods, often with thinner margins. Security capabilities built for million-dollar data centers are likely cost-prohibitive in 42-cent microchips.
  • Context and Environment – Safety critical systems often exist in unique operational, environmental, physical, network, immediacy/realtime, and legal contexts. For instance, a pacemaker is implanted in a human body, has no IT staff, must respond immediately, has no bolt-on security measures, and carries strict regulatory requirements.
  • Timescales – Timescales for design, development, implementation, operation, and retirement are often measured in decades. Response time may also be extended because of composition, context, and environment. Safety systems in design today may be with us for 10, 20, 40 years.

Hack In The Box AMS 2017

We’re happy to announce a partnership with Hack in the Box Security Conferences! At Hack In The Box Amsterdam (HITB2017AMS), April 10-14, 2017, 50% of the CommSec track will be dedicated to talks that fall within the IATC domains, and we will be part of the CFP selection committee for these talks. The HITB CommSec track has the huge advantage that it’s open to the general public, so it will be possible to bring in interested parties from manufacturers and government without them needing to pay the conference admission fee. We will also arrange an IATC meetup again in 2017 during HITB2017AMS, so if you’re interested in our work and you’re in Europe, you should consider attending this conference.

HITB has always been run ‘by and for’ the community (everyone is essentially a volunteer), and the CommSec track is a natural extension of the main conference program. Think of it sort of like having their own ‘B-Sides’. The main conference Call for Papers receives roughly four to five submissions for every available slot, and a lot of these presentations are good, but there’s simply not enough space for them all. The CommSec track was partially born out of that, and in keeping with the HITB spirit of ‘keeping knowledge free’, they decided that access to the CommSec track (like the CommSec Village and technology exhibition area) should be free as well.

Interesting Talks at Hacker Summer Camp, 2016

Hacker Summer Camp 2016 is almost upon us! There are a lot of really interesting talks this year, not to mention the I Am The Cavalry track at BSides Las Vegas. Since we can’t hit all of the talks, we’ve narrowed down some that look like they’re highly related to our mission. We might see you there!

BSides Las Vegas: August 2-3, 2016

Date | Time  | Who                                                 | Title
8/2  | 11:00 | Leonard Bailey and Jen Ellis                        | Shall We Play a Game? 30 Years of the CFAA
8/2  | 14:00 | Chad Dewey                                          | Hacking the High Seas
8/2  | 14:00 | Jens Devloo, Vito Rallo, and Jean-Georges Valle     | How to Securely Build Your Own IoT-Enabling Embedded Systems: from Design to Execution And Assessment (4h training)
8/2  | 14:30 | Wendy Knox Everette                                 | Security Vulnerabilities, the Current State of Consumer Protection Law, and How IoT Might Change It
8/3  | 8:30  | Arnaud Soullie                                      | Pentesting ICS: Capture the Flag! (3h training)
8/3  | 15:00 | Philippe Lin                                        | PLC for Home Automation and How It Is as Hackable as A Honeypot

Black Hat Las Vegas: August 3-4, 2016

Date | Time  | Who                                                       | Title
8/3  | 13:50 | Arnaud Lebrun and Jonathan-Christofer Demany              | CANSPY: A Platform for Auditing CAN Devices
8/3  | 13:50 | Jeff Melrose                                              | Drone Attacks on Industrial Wireless: A New Front in Cyber Security
8/3  | 13:50 | Slawomir Jasek                                            | GATTacking Bluetooth Smart Devices – Introducing a New BLE Proxy Tool
8/3  | 15:30 | Paul Sabanal                                              | Into The Core – In-Depth Exploration of Windows 10 IoT Core
8/3  | 16:20 | Michael Ossmann                                           | GreatFET: Making GoodFET Great Again
8/3  | 17:30 | Lei Ji and Yunding Jian                                   | The Risk from Power Lines: How to Sniff the G3 and Prime Data and Detect the Interfere Attack
8/4  | 9:00  | Chris Sistrunk and Josh Triplett                          | What's the DFIRence for ICS?
8/4  | 9:00  | Colin O'Flynn                                             | A Lightbulb Worm?
8/4  | 9:45  | Jason Healey                                              | Defense At Hyperscale: Technologies And Policies For A Defensible Cyberspace
8/4  | 9:45  | Anirudh Duggal                                            | Abusing HL7 2.x Standards – Attacking Medical Devices, Hospitals and More
8/4  | 9:45  | Charlie Miller and Chris Valasek                          | Advanced CAN Injection Techniques for Vehicle Networks
8/4  | 11:00 | Joe FitzPatrick                                           | The Tao of Hardware, the Te of Implants
8/4  | 14:30 | Hendrik Schwartke, Maik Bruggemann, and Ralf Spennenberg  | PLC-Blaster: A Worm Living Solely in the PLC
8/4  | 17:00 | Lynn Terwoerds                                            | Building Trust & Enabling Innovation for Voice Enabled IoT

DEF CON XXIV: August 5-7, 2016

Date | Time  | Who                                               | Title
8/5  | 12:00 | Javier Vazquez Vidal and Ferdinand Noelscher      | CAN I haz car secret plz?
8/5  | 12:30 | Six_Volts and Haystack                            | Cheap Tools for Hacking Heavy Trucks
8/5  | 13:00 | Matteo Beccaro and Matteo Collura                 | (Ab)using Smart Cities: The Dark Age of Modern Mobility
8/5  | 15:00 | Sebastian Westerhold                              | How to Remote Control An Airliner: Security Flaws in Avionics
8/6  | 10:00 | Zack Fasel and Erin Jacobs                        | I Fight For The Users, Episode I – Attacks Against Top Consumer Products
8/6  | 11:00 | Lucas Lundgren and Neal Hindocha                  | Light-Weight Protocol! Serious Equipment! Critical Implications!
8/6  | 11:00 | Anthony Ross and Ben Ramsey                       | Picking Bluetooth Low Energy Locks from a Quarter Mile Away
8/6  | 12:00 | Arnaud Lebrun and Jonathan-Christofer Demany      | CANSPY: A Framework for Auditing CAN Devices
8/6  | 12:00 | Brad Dixon                                        | pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle
8/6  | 14:00 | Brian Gorenc and Fritz Sands                      | Hacker-Machine Interface – State of the Union for SCADA HMI Vulnerabilities
8/7  | 13:00 | Jianhao Liu, Wenyuan Xu, and Chen Yan             | Can You Trust Autonomous Vehicles: Contactless Attacks against Sensors of Self-driving Vehicle

BSides Las Vegas I Am The Cavalry track 2016

I Am The Cavalry will have TWO DAYS at BSides Las Vegas this year: August 2-3. We’ll be in the Copa Lounge [1] – which I guess technically means we’re the opening act for the Rat Pack impersonators those nights! (Sorry, no karaoke.) It’s a bigger room than last year so more can attend. Let’s try to fill it up and keep it full both days. It’s in a bar, that shouldn’t be hard to do. The full agenda is on the BSides Las Vegas site, [2] below is an overview.

Tuesday, August 2nd, 11:00am – 5:00pm

The first day will sketch in details from the past year or two – both within the Cavalry and in the broader world of Cyber Safety. We will cover quiet successes, visible wins, what’s worked, what hasn’t, and where things need to go. We’ve got some really cool people participating in these sessions, such as:

• Keren Elazari will lay out why security research matters for the coming decades, and how Hacker Heroes can wield our skills for the greater good.

• Michael McNeil, who is responsible for Philips’ disclosure policy and other industry leading medical device cyber safety capabilities.

• Dr. Suzanne Schwartz of the FDA, who is shaping the entire healthcare industry to be more security researcher friendly.

• A yet-to-be-named congressional staffer – one of many helping us inject technical literacy in policymaking and the public debate.

• We also hope to bring high level White House staff, Members of Congress, and others who may – or may not – decide to introduce themselves.

Wednesday, August 3rd, 10:00am – 5:00pm

The second day will be an experiment to see if the BSidesLV community can bring the hacker mindset to bear at scale. Given several very uncomfortable truths about the pace, direction, and scale of what we need to do, how can we rise to these challenges? When what we know how to do doesn’t work, we must break from our normal patterns and find something that will – no matter how uncomfortable the approach is. We will confront the hard things head on and see who blinks first.

We will have a couple of dozen I Am The Cavalry track passes for those who don’t already have a BSidesLV badge and want to participate (first come first served). The track works better the more time you spend, though it can be experienced in more consumable chunks so don’t be shy if you miss a session or two. BSidesLV this year is more important than ever before, to make us safer, sooner, together.

[1] Copa Lounge is the Nightclub on the Casino level. Yeah I had to ask too. Down the escalator from Con Registration, straight past the bar, past the casino entrance, on the right, before the bathrooms. You can’t miss it!

[2] Add these talks to your Sched. https://bsideslv2016.sched.org/overview/type/I+Am+The+Cavalry

Comments on the FDA Postmarket Draft Guidance

On January 15, 2016, the U.S. Food and Drug Administration released Draft Guidance on Postmarket Management of Cybersecurity in Medical Devices. This guidance details and clarifies the FDA’s expectations for managing security vulnerabilities in medical devices currently on the market. It also introduces a new incentive for manufacturers to follow one particular path to vulnerability management that the FDA favors. We think security researchers will too!

The FDA draft guidance states that it expects manufacturers to have a coordinated disclosure program! This statement, while it doesn’t carry the force of law, is still a powerful signal to medical device makers who don’t already have one in place that they need to get that ball rolling (Philips, Draeger, GE, and Medtronic all have methods to disclose vulnerabilities, by the way).

I Am The Cavalry submitted our comments and they are now publicly posted (PDF).

Meet Up at Hack In The Box Amsterdam

I am the Cavalry meet-up at Hack In The Box Amsterdam 2016 (HITBAMS)
There will be a meet-up for people involved in or interested in I am the Cavalry at the Hack in the Box conference, which runs from May 23 to May 27th. The meetup will take place in the CommSec Track room at 18.30, immediately following the Women in Cyber Security (WICS) award ceremony. We will go over recent happenings related to I am the Cavalry and recent work done by the group, and discuss how attendees can contribute to I am the Cavalry going forward. We will also discuss the events with I am the Cavalry involvement that will be going on around the world in H2 of 2016.
Since we have limited room and a kind sponsor is supplying food and beer, registration is needed.

“I AM THE CAVALRY” PROPOSES HIPPOCRATIC OATH FOR CONNECTED MEDICAL DEVICES

“I AM THE CAVALRY” PROPOSES HIPPOCRATIC OATH FOR CONNECTED MEDICAL DEVICES (PDF)

Security Research Movement Identifies Principles to Preserve Patient Safety and Build Trust in the Healthcare System.  

Washington, DC – January 19, 2016 – I Am The Cavalry, a cybersecurity volunteer association focused on public safety concerns, today issues an open letter to leaders of the healthcare stakeholder communities, calling for the adoption of a Hippocratic Oath for Connected Medical Devices. The Oath identifies measures to preserve patient safety and trust in the healthcare system as a response to the increasing reliance placed on connected devices in the healthcare sector.

“Connected technologies provide life-saving therapies that would not be achieved without them. We want to head off unintended consequences by guiding manufacturers to build devices that are resilient against the accidents and adversaries of a connected environment,” said Beau Woods of I Am The Cavalry. “We’ve seen a lot of progress in the last two years, as stakeholders have started to proactively collaborate to advance cyber safety. We applaud those efforts and encourage others to ensure we are safer, sooner, together.”

Complex, software-driven, connected technologies are increasingly being used in every facet of modern healthcare. These technologies can offer considerable benefits to both patients and healthcare practitioners; however, these systems are also inherently likely to contain flaws, and their connectivity opens them up to potential manipulation. This can have catastrophic consequences, not only in terms of patient safety, but also in undermining the trust placed in healthcare systems.

In response to this, I Am The Cavalry has updated the language of the Hippocratic Oath for modern healthcare delivered by connected medical devices.  The original Hippocratic Oath, created in the late Fifth Century BC, is made by physicians as an attestation that they will provide care in the best interest of patients. As connected technologies are increasingly the instruments of delivering this care, it stands to reason that the design, development, production, deployment, use, and maintenance of medical devices should follow the symbolic spirit of the Hippocratic Oath.

Patients, care givers, and other stakeholders have the right to make informed decisions about treatment options. When patients deny themselves the best care available out of cyber safety fears, no one’s interests are served. So to give them greater confidence in the safety of technologies, I Am The Cavalry is proposing that those involved in the chain of care – from device design to treatment – publish an attestation of a commitment to the best possible methods for device development and deployment, ensuring that patients are not put at unnecessary risk.

The Hippocratic Oath for Connected Medical Devices offers five core cybersecurity capabilities:

  1. Cyber Safety by Design: Inform design with security lifecycle, adversarial resilience, and secure supply chain practices.
  2. Third-Party Collaboration: Invite disclosure of potential safety or security issues, reported in good faith.
  3. Evidence Capture: Facilitate evidence capture, preservation, and analysis to learn from safety investigations.
  4. Resilience and Containment: Safeguard critical elements of care delivery in adverse conditions, and maintain a safe state with clear indicators when failure is unavoidable.
  5. Cyber Safety Updates: Support prompt, agile, and secure updates.

“In 2015 we announced a coordinated vulnerability disclosure policy, inviting researchers to contribute to our patients’ safety,” said Hannes Molsen, Product Security Manager of Dräger, a Germany-based medical device manufacturer. “The Hippocratic Oath for Connected Medical Devices perfectly summarizes the challenges manufacturers, healthcare organizations and security researchers face during the development, the deployment, and the maintenance of connected devices throughout their entire lifecycle. It is great to have a document at hand that focuses precisely on medical devices, so every single point matters. For our patients’ safety this is a great step to bring the community together, to establish referable norms for cyber safety, to become safer, sooner.”

“Patients, in consultation with their physicians, make the best judgement for their individual case,” said Dr. Marie Moe, security researcher at SINTEF, pacemaker patient, and I Am The Cavalry volunteer. “They should each be asking questions about the capabilities outlined in the Hippocratic Oath for Connected Medical Devices to make sure their decisions are fully informed.”

“As we seek to treat existing pathologies, we should not inadvertently create new ones,” said Dr. Christian Dameff, M.D. “A Hippocratic oath extends physicians’ commitment to patient safety to others in the chain of care delivery.”

The Open Letter and details of the Hippocratic Oath for Connected Medical Devices are included in full below. The Oath builds on work also conducted to promote greater collaboration in the medical device sector, which includes participating in panel discussions at the upcoming FDA Public Workshop – Moving Forward: Collaborative Approaches to Medical Device Cybersecurity, on January 20-21. The Oath is also aligned to the approach I Am The Cavalry has taken in other cyber safety sectors, such as the automotive sector, where the group proposed a “Five Star Automotive Cyber Safety Program” and has been working with automakers to drive adoption of these and other security practices.

For more information on the Hippocratic Oath for Connected Medical Devices, or any other I Am The Cavalry initiative, please contact press@iamthecavalry.org.

***

About I Am The Cavalry

The I Am The Cavalry movement was formed in response to concerns over the impact of cybersecurity threats on public safety. Its efforts are focused on cybersecurity issues relating to four main areas of public safety: medical, automotive, home electronics, and public infrastructure. All members are volunteers, and offer their time and expertise free of charge.

For more information, please visit: https://www.iamthecavalry.org/.

Safer. Sooner. Together.

***