Monthly Update: September 2014

Welcome to the September edition of the I Am the Cavalry Monthly Update newsletter!

This monthly update is dedicated to publishing regular information regarding IATC accomplishments, upcoming activities and our targeted long range plans. This newsletter will inform our colleagues and teammates of the ongoing progress we are making in the public and private sectors as well as how we are positively impacting security and safety in the connected technology landscape.

I’d like to thank the teammates who helped pull this together and nudge us to improve communication. Constructive feedback (and help) is welcome!

We look forward to communicating with you over the coming months!
Sincerely,
Josh Corman

Highlights:

Achievements:

1st Birthday!

We celebrated our 1st birthday while in Vegas for BSidesLV and DEF CON 22. My, how time flies. We decided to give it at least 1 year to see if this was a pursuit capable of having impact. We end Year[0] encouraged. We begin the next year with more experience, more earned wisdom, and more momentum.

We published our 1st Open Letter and Security Framework:

5-Star Automotive Cyber Safety Framework

See also the more detailed overview of the Framework:

Detailed 5-Star Automotive Cyber Safety Framework

As you might imagine, the Open Letter stimulated a flurry of interest and catalyzed discussions with automakers, OEMs, regulatory bodies, insurers, government, and even the White House. Stay tuned for updates as we can share more. Cliff Notes: “You guys are SPOT ON!”

Ongoing Projects:

Research Library

The Cavalry is creating a library indexing recent research and articles related to connected device security.  This library will provide security experts with a launching pad for recent work in the field, and serve as a quick reference for those outside of the echo chamber.  If you would like to submit content or help build the library, please email in…@iamthecavalry.org.

5-Star Collateral

In response to specific requests from automotive companies, the Cavalry is creating collateral around the 5-Star Cyber Safety Framework.  This content will enable automotive industry experts to present safety ideas internally or disseminate information at conferences.

I Am the Cavalry Slide Insert

This project aims to create a slide or two that can be added to a presentation slide deck and serve as an easy launching point for connected technology safety discussions.

FAQ

An FAQ is an easy way to centralize and maintain knowledge about our positioning and external messaging. We’d love to receive samples of questions and/or answers you’ve received since becoming a member of this mailing list. Please send FAQ suggestions to in…@iamthecavalry.org.

5-Star Matrix

This matrix is a preliminary draft for categorization and classification of major carmakers and their 5-Star cyber safety capabilities.

Minor Website Updates

We’re always adding and improving our web content. If you see an issue, please let us know and we will update the pages accordingly.

Long Range Future Plans:

Legal Information

Certain activities require legal incorporation, such as engaging with government entities, industry bodies, etc. We are currently finalizing a few different options for incorporating as a non-profit educational foundation. This corporate structure will allow us to continue to serve our mission in the way we have been – collecting, connecting, collaborating, and catalyzing.

BSides Las Vegas 2015

We are working with BSides Las Vegas organizers to plan I Am the Cavalry activities for BSidesLV 2015. If you have organizational or content suggestions for next year’s conference, please post them to the discussion list or send them to us privately. Videos of some of the sessions from this year’s event can be found on the Irongeek website.

Conferences and Events:

Securing the Internet of Things (SIOT) Masters

SIOT Masters was put on by CyberTECH, BuildItSecure.ly and I Am the Cavalry.  It was an afternoon of presentations and conversations about security, privacy and critical infrastructure. At this year’s SIOT Masters, 50 researchers and industry professionals from the Automotive, Medical Device, Public Infrastructure and Home/IoT markets came together to explore how IoT will change lives forever and what must be done to build security into the very fiber of all things.

BSidesLV (Las Vegas)

BSides is an information security conference put on by and for the community. It is 100% volunteer organized and strives to provide the latest security information for free. At this year’s event, I Am the Cavalry provided a one-day track including an introduction, overview and update of our latest activities and accomplishments. We also hosted interactive presentations and discussions focused on Media, Legal, Public Policy, Career, Burnout, Extreme Altruism, Disclosure and Communication. Videos of some of the sessions can be found on the Irongeek website.

DEF CON 22

DEF CON is the largest and most famous hacker conference, drawing over 15,000 people. It is a venue for community, networking and the latest information about hacking research and security. At DEF CON 22, I Am The Cavalry kicked off Saturday in the Penn & Teller Theatre with a summary of “Year[0]”: mission, strategy, activities and forward-looking plans. We also announced the 5-Star Automotive Cyber Safety Framework.

Reddit Ask Me Anything (AMA)

For the first time, I Am the Cavalry hosted an AMA. The event was intended to better communicate our messaging and to dispel misinformation and miscommunication in the industry. The online Q&A event was well attended and received 80+ comments.

Peggy Smedley Show

Peggy Smedley had Ben Feinstein on the show, and he introduced I Am the Cavalry, its mission, strategy and activities to an IoT and M2M audience.

Robot Overlordz

This podcast featured Josh Corman talking to and answering questions from Mike Johnston and Matt Bolton of Robot Overlordz on the subject of connected device security.

IT Security Guru

I Am The Cavalry members Katie Moussouris, Nick Percoco and Joshua Corman joined Dan Raywood, Editor of IT Security Guru, to discuss the IATC’s activities to promote security considerations when building IoT devices.

Current & Upcoming Events:

44CON | London, UK | September 10-12, 2014

Beau Woods: I Am the Cavalry: Year [0]

Intel IDF | San Francisco, CA | September 10-12, 2014

Joshua Corman: Panel: When Light Bulbs Meet Hacker (incl. Chris Valasek)

DerbyCon | Louisville, KY | September 24-28, 2014

Space Rogue and Beau Woods: I Am the Cavalry: Year [0]

“The Cavalry Isn’t Coming… It Falls to All of Us” @iamTheCavalry Workshops

What can YOU do to affect public safety and human life? Please join @iamthecavalry at DerbyCon for workshops on: Medical & Automotive Device Security, Media Training, Communication Skills, and a Knowledge Project to discern which InfoSec beliefs & practices should (and shouldn’t) be taken to the industries we seek to collaborate with.  Thanks to DerbyCon, this year “no ticket” is “no problem”!

Cavalry Workshops and Media Training:

Like last year, the Kennedy/Derby posse is being generous and supportive by donating the same room we used last year for our “Congress”. It will take place at DerbyCon on that Friday, Saturday and Sunday, and if you missed out on a Derby ticket… fear not… no ticket is required.

ISC2 Congress | Atlanta, GA | September 29 – October 02, 2014

Joshua Corman: ISLA Keynote and Chapter Leadership Forum Keynote

Joshua Corman will represent I Am The Cavalry both as the keynote speaker for the ISLA Awards Gala and in an address to the international ISC2 Chapter Leads.

 
Related News:

Mainstream Media

Mainstream media news is a great way to get introduced to the Cavalry and the subject of connected device security. Here you will learn the major industry concerns in non-technical language, and how various researchers are influencing the discussion with projects and fact-supported assertions.

Hacking group wants to play nice with automakers [Reuters]

How to Keep Your Car from Becoming a High-Tech Death Trap [Huffington Post]

While you were enjoying the weekend: DEF CON edition [Politico]

Hackers Tell Car Makers: Secure Your Vulnerable Vehicles Now [Forbes]

Security experts take aim at the Internet of (unsafe) Things [USA Today]

Hackers to Automakers: Protect Cars From Cyberattacks [NBC News]

The House of Hacking Horrors [BBC News]

Security/Technology Industry Media

Here is a sample of current industry news about the Cavalry, targeted at the IT, security and high-technology community.

At DEF CON, hacker coalition calls for safer computer systems in vehicles [Computer World]

DEF CON’s latest challenge: Hacking altruism [IT World]

Security movement urges automakers to collaborate with researchers [SC Magazine]

Can you stop The Cavalry? [IT Security Guru]

Let us help you defend cars from cyber-attacks: Hacking group to ‘Automotive CEOs’ [TechTimes]

How to Get Involved:

  • We are looking for volunteers to contribute to the Connected Device Security blog in the areas of Home Electronics, Automotive, Medical or Public Infrastructure.  Feel free to write your perspective on the latest in IoT developments and any security concerns or news in the aforementioned verticals.  Please contact in…@iamthecavalry.org for more information.
  • We need assistance with administration of the website.  If you have web admin experience and interest in IoT security, please contact in…@iamthecavalry.org.
  • We need assistance with building, sustaining and managing the research library.  This is a great way to get involved if you are new to connected device security.  Please contact in…@iamthecavalry.org for more information.
  • We are looking for people to do research and contribute to building out a matrix of carmakers and their capabilities from our Five Star Automotive Cyber Safety Framework. If you are interested, please email in…@iamthecavalry.org.

Circle City Keynote Text

In the spirit of Dan Geer’s keynote addresses, I wrote out the keynote I gave at Circle City Con in Indianapolis this year. With lots of copyediting help from @bouncinglime, here it is, cleaned up and made much more readable.

Circle City Con Keynote

Friday, June 13, 2014

The witches of infosec

I was talking to a friend the other day, someone who’s not a security person or even a technology person – by his own admission, just an “average person.” Every time he uses a smartphone or the internet, it seems like magic to him. When he reads about hackers, it’s like hearing about people who are so good at magic they can bend it to their own will, and it’s spectacular. Arthur C. Clarke observed that “any sufficiently advanced technology is indistinguishable from magic,” so it’s easy to see how someone who’s not as involved as we are in technology might see our everyday world as magical.

He said being on the internet is like being dropped into The Land of Oz. Everything is in Technicolor instead of black and white, munchkins are running around, somebody hands you a lollipop, people sing and dance and cheer. It’s bizarre and wonderful and kinda confusing and completely unthinkable. But it’s a place he wants to explore and get to know. He doesn’t know the physics or normalities of the place – and he’s fine with that, as long as he can do what he wants to do. It’s fun!

Then in a splash of smoke and a billow of fire comes this haggard green-faced witch, wearing a black hat no less. That’s the evil hacker. And a white witch floats over in a bubble and sends the scary one running away. That’s the world he sees when he’s on the Internet – a wild cacophony of “average people” that is occasionally invaded by witches. The average person can’t necessarily see the difference between good and bad witches, but is glad that the good ones exist to drive the bad ones away.

Technological progress and adaptation

This view of the Internet is really not surprising. In his lifetime computer technology has turned over three times. Computers began as mainframe computers that took up a room, then were PCs that merely took up a desk, and now we have phones and tablets in our pockets, and supercomputers on demand in the Cloud… That’s somewhere over the rainbow, right? In a few short years, we’ve gone from no connectivity, to wired and wireless, now to the global always-on connectivity our pocket devices demand. And we’re about to launch into wearables/implantables, with personal-area and mesh networks.

We’re at a point right now where technology is evolving faster than we are able to adapt to it in a single generation. Only the people who are hyper-specialized can understand it. This massive intra-generational shift has a profound effect on our humanity, culture, and social contract.

Public policy, legal precedent, and law enforcement that were well adapted 30 years ago are now hopelessly antiquated. We have to conduct open debates on whether the Internet is a telecommunications network or an information service, and what that means for established laws, regulations and precedents. Our culture has to get used to pervasive tracking and surveillance, our loss of privacy, and the fact that governments and companies know more about us than we know about ourselves. Whether we like it or not, our metadata is a matter of public record now. The predictive power – and potential benefit – of this information is too much for anyone to ignore. This isn’t maliciousness; it’s simply a case of policy and law being mismatched with a quickly changing reality.

Given 50-100 years, all of these will catch up, and our great-grandkids, as awkward teenagers, will laugh at us for being so goofy and confused at this time in our technological development. These growth spurts happen periodically throughout history before settling back down. We are in one of those growth spurts right now, but it will not last forever. One thing that will last forever is the persistence of computer technology into our everyday lives. This gives us, the ones with the ability to make that technology do anything we want, serious superpowers. And with great power comes great responsibility.

We’re at a key moment in history… Will you watch? Will you heckle? Will you help? Will you lead?

Where cybersecurity meets humanity

I’ve been playing with computers all my life – building them and, more often, breaking them and having to fix what I’d broken. Sometimes even breaking into them to play practical jokes on my friends. Finding and fixing computer flaws was my hobby. I was a security amateur before I was a security professional.

My third day on the job in infosec was terrifying. I got a call from a physician in the Neonatal Intensive Care Unit – where the most fragile babies are brought just after they’re born. Their Fetal Heart Monitoring systems were all down. The doctor on the phone said he knew it wasn’t our job to support them, but that they needed help. So I did. A quick investigation showed the medical devices had all the signs that they’d gotten hit with the same network worm that had recently been infecting other computers.

I called the manufacturer and asked their first-line support personnel if they could fix the problem since the devices were brand new but, since it was likely malware, they couldn’t. I asked for access to the device to fix it myself. The vendor said that since it’s a medical device we weren’t allowed to modify it or have access. That wasn’t good enough for me; if the network worm could break into the medical device, could I?

Sure enough, a Metasploit module had just been released for the vulnerability that the worm used. I knew I could fix the problem technically, but it’s not enough to know that we can do something with technology. We must still ask if we should do it.

I worked with my boss to get permission. We put together a plan and a justification which she took to the CEO of the hospital, who read and approved it. Within the day I was able to go in, get rid of the malware, apply the patch, and get the systems stable again. I went back to my job and the doctors went back to saving lives.

I Am The Cavalry inception

Josh Corman and Nick Percoco gave a talk, “The Cavalry Isn’t Coming,” at DEF CON 21. There were three simple but profound ideas behind their talk: our dependence on technology is growing faster than our ability to secure it; our technological capabilities have outstripped our ability to adapt our social contract; and our society has evolved faster than our laws. Security researchers are the key to restoring the balance between all of these aspects.

1. Computing technology is being rapidly adopted into the world around us. We struggle daily – and often fail – to secure our companies. Meanwhile software and networks permeate every aspect of our lives in our cars, our bodies, our homes, and our public infrastructure. When human life and public safety are at stake it is no longer acceptable to have the same failures that are routine in other Information Technology. We must know, not just assume, that the technology we depend on is worthy of our trust.

2. Technology has rapidly changed what we are able to do. We are being watched and tracked by corporations and governments. On the one hand this gives us the utmost convenience; on the other hand it destroys our privacy and allows repression of dissent. There is nothing in our human experience that has prepared us for pervasive surveillance and “Glassholes”. We’re struggling to adapt to the impacts that computer and network technologies have had on us as a society and as humans. We no longer need to ask whether technology can do something, but we have not yet begun asking if it should.

3. Our policy and legal apparatus stabilizes society by setting a standardized expectation and reducing harm. It cannot keep pace with the rate of change of our technology. Policy is a tool for defining norms and expectations. Laws are tools to enforce these norms and expectations. When the cultural norms fall so far behind, policies and laws fall out of sync with reality. Our laws today fail to distinguish between those making good-faith inquiries into the soundness of these technologies and those who wish to exploit weaknesses for personal or ideological gain.

Surely there must be some task force studying these crucial issues, or some think tank brainstorming on it. One thing has become clear: no one is waiting in the wings to save us. The Cavalry isn’t coming. It falls to us – it falls to you – to lead the charge.

We, as the information security community, know what the problems are. We have the technical knowledge to know what should be changed. We see ourselves as defenders of those who need it. This understanding compels us to do the right thing, and step up to help. Like it or not, we are the adults in the room. And that should scare the hell out of us, but it should never stop us.

I Am The Cavalry today

The idea moved the hundreds of people in the room. A web presence, social media, and discussion list brought people together who believed in helping. The idea became a meme and the meme gathered like-minded individuals to the watering holes. It spawned leadership tendencies in a lot of us who knew we couldn’t just sit here and watch; we had to be the change we wanted to see.

I Am The Cavalry, today, is a global grassroots organization that is focused on issues where computer security intersects public safety and human life. We strive to ensure that these technologies are worthy of the trust we place in them. We are seeking to organize as a non-profit educational foundation, focusing on medical devices, automobiles, home electronics and public infrastructure. We are a movement of collecting, connecting, collaborating, and catalyzing: collecting existing research and researchers; connecting these resources with each other and with stakeholders in media, policy and law; collaborating across a broad range of backgrounds and skillsets; catalyzing research and corrective efforts sooner than would happen on their own.

Our message is that our dependence on computer technology is increasing faster than our ability to safeguard ourselves. As computerization and connectivity become more ubiquitous, it’s important that we protect public safety and human life.

Our mission is to ensure technologies with the potential to impact public safety and human life are worthy of our trust. We will achieve this mission through education, outreach and promoting research, and as an independent voice of reason from the security community.

What we’ve learned

Over the past nine months since the I Am The Cavalry namespace started, we’ve learned a lot of lessons about how to approach getting things done in this space – where to focus, how to engage, whom to engage, etc. We have struck a chord with our focus on devices that have the potential to impact human life and public safety. These are big issues that are not just technical, they span many boundaries. These types of non-technical problems beg for non-technical solutions.

When talking with lawmakers on policies and laws we wanted to see changed, we quickly found out that our message didn’t interest them. They simply didn’t care about theoretical problems that might come up due to the Computer Fraud and Abuse Act (CFAA) or the Digital Millennium Copyright Act (DMCA). The perspective we brought was at odds with what they were hearing from their peers and colleagues. They felt like we were “a bunch of whiny brats” complaining just like any other special interest group. In short, we weren’t giving them the “why.”

When we did, everything changed.

“A friend of mine, Jay Radcliffe, almost died when his insulin pump failed. He got a different one and it happened again. Both near-fatal accidents were caused by software flaws in the pumps themselves. Digging into these flaws, he found several critical security issues which could have triggered the failures. Another security researcher, Barnaby Jack, found that he could make these types of medical devices administer a fatal dose of insulin from 300 feet away.”

Those kinds of vignettes gain attention. Demonstrating public good through security research earns us the opportunity to bring up the conflict between the law and exploring the problem space. This experience taught us it was even more important than we thought to focus on the human life and public safety aspect. We need a lot more of these types of proof points if we want to keep getting through to lawyers, policymakers, and others outside the echo chamber.

Policymakers and their staffers also began bringing us in to ask intelligent questions. Recently there has been a perfect storm of several events, beginning with Senator Markey’s letter to automakers asking about ensuring the safety of the computers in the cars. Then the U.S. Food and Drug Administration (FDA) published notification of software security vulnerabilities on 300 medical devices, which could have an impact on patient care. People were “stunt hacking” cars at Black Hat a few months ago. These are the sorts of events and issues that catch the attention of public media outlets, creating instant interest and attention. The world is listening right now, and we need to have something to say.

Inspiration at the heart

A lot of people get inspired by the I Am The Cavalry message. At the heart of the movement is an inspiration and a motive to empower hackers to make the change they want to see.

There’s a great YouTube video by Dan Pink about what motivates and inspires people to take action. The gist of it is that once we get beyond a certain level of satisfying our most basic needs, people are motivated by three things: Autonomy, a feeling of control over your life priorities that allows you to produce your own results; Mastery, an urge to see progress and development in a skill; and Purpose, to have a meaning beyond profit, to “put a dent in the universe.”

For a lot of the most productive people in the world, this is why they get up in the morning. They have all three of these things. This is also what inspired a lot of us to go into security research as well – being self-directed to work on doing this cool elegant hack, learning and exploring, and then showing it off and getting it fixed.

Slowly, though, the joie de vivre of exploration and discovery gave way to something else. Our passion became our day job, and our fun turned into work. 60-80 hours of work a week. Every week. Into forever. At some point in my career I realized that the medical device hack I pulled off was the peak of my professional career. In nearly 10 years I hadn’t done anything as impactful to the real world as I did in my first week. That was a difficult realization. I burned out. Burnout isn’t something we talk about a lot in the industry. We just pour another drink or make another “stupid user” joke and get back to feeling frustrated, powerless, and overworked. It’s had some pretty devastating consequences on us as an industry. Some people never get burned out and I’m happy for them. Others do, and we have to claw out of it.

That’s the inspiration people see in I Am The Cavalry. It inspires hope, and a lot of people haven’t known hope in a long time. To make real progress on something positive and powerful. To prevent problems before they come up. To learn something new and valuable. To move from the trough of despair to the slope of enlightenment and the plane of productivity.

Why it moves us

I Am The Cavalry is one namespace within a much broader movement and community. We aren’t the first people to feel our current path will lead to no good, that we have to do better. Those are the feelings that sparked this movement, and continue to drive it forward.

Curiosity is a hacker prerequisite. This new problem space gives us a chance to once again explore the unknown, one that’s full of interesting new technologies and combinations of existing technologies. This kind of thing is why a lot of us started learning about security in the first place. The problems we are investigating aren’t trivial. We’re trusting our families’ lives with these machines. It’s not acceptable to fail and so we have to persevere.

The problems in the space will first be known, then addressed, then fade into history. You can push that timeline forward, be the one who helps things get better, faster. Whether you choose to talk about that or not, it will bring a sense of accomplishment. If you do want to talk about it, there’s plenty of opportunity. Conference CFPs tend heavily towards Android malware and PCI, but a talk about hacking an insulin pump or a car will have people fighting in line to go see that talk. Ask Jay Radcliffe, Charlie Miller, or Chris Valasek. That’s beyond a stunt hack; it’s something that matters.

I think we’re going to see a rapid shift from research of convenience to research that matters. Take a look at the DEF CON tracks this year. Every one of them is something that matters. The world’s most famous hacking conference is shifting the research agenda for the industry. That’s awesome. It’s also a lot faster to research some of the areas we’re talking about. There hasn’t been nearly as much focus on it so there’s more low hanging fruit. You’ll spend the same amount of time finding the bug, but you won’t have to spend any time showing that it’s a big deal. Now your friends and family will know not just what you do but they’ll see why you do it.

Trying to make a change also means building different muscles. Ones for engaging the Media API. Ones for fuzzing the chain of influence. Ones for traversing policy and legal systems. Ones for bridging the interfaces between research and real-world application. We are simply using the methods we know very well, and applying them to a new set of systems – non-technical ones. This brings back the excitement of exploration. These new skills span boundaries into other areas of our lives, too. Explaining security to a journalist builds the same muscles as explaining them to your CEO. Understanding how to navigate complex political and legal systems helps when you want to organize community action for a new neighborhood playground.

We are pursuing a goal that’s bigger than us. This pulls us out of burnout and keeps us from going back. It transforms frustration into progress, futility into accomplishment, atrophy into exercise, and, most importantly, ignorance into education.

All of this is coming at a time when we’ve begun to get a real sense of the power we have. The media is focusing on hacking, and politicians are asking for advice. People are looking to us as if we have superpowers! It is time we stepped up and became those super heroes.

Visualization

As I said earlier, in 50-100 years all of the things we’re talking about here will be figured out. Our self-driving cars will do it better than we could hope to: faster, safer, and with fewer side effects. Our implanted and wearable computers with body area networks will be fast, robust, and stable. Criminal activity will be illegal, but legitimate research will be protected by laws. Researchers will be treated with the same respect in security as they are in other fields. And our civil liberties issues will be settled – one way or another. That’s not my witch’s crystal ball; that’s a forward projection of history.

We need to cut down the amount of time we spend in this awkward period before our society has caught up to our technology. It is imperative that we accelerate the process of identifying and dealing with issues before they have more severe and widespread impacts. We should push for resolution of these issues now, instead of just waiting for it to happen on its own.

  1. By being the voice for reason and thoughtful discussion, we can reduce friction and collateral damage.
  2. Our actions will nudge the final position towards openness and freedom.
  3. Avoid a Cuyahoga River moment (but prepare just in case we get one).

Individual Examples

My friend Morgan Marquis-Boire (@headhntr), who’s been working with Citizen Lab, thinks we’re way off base by not pursuing privacy issues more. Morgan has spent a lot of his time dissecting malware that foreign governments use to track and surveil dissidents. For him privacy leaks kill every single day on an individual scale, and are genocide on a mass scale. He and Citizen Lab, as well as other groups like Telecomix and Tactical Tech, are fighting to preserve the Internet and protect those who use it to empower themselves. As he likes to say, that’s his fight but it might not be your fight.

Kyle Osborn took a job at Tesla to improve vehicle safety. It began as an internal IT security role, but he was able to push the boundaries to turn it into something more. His work has created a coordinated disclosure policy, and large automakers in Detroit are taking notice.

Scott Erven found hundreds of issues in medical devices, but after failing to get the FDA or the manufacturers to fix the problem, notify their customers, or take any action he gave up. Billy Rios knew the solution already and, through his contacts at DHS ICS-CERT, was able to get it published. This caught the attention of the FDA, who issued a public notification of the vulnerabilities. Because of all the attention, the vendor undertook internal reviews from the very top.

Many of the very small “Internet of Things” makers think more about shipping than security, not out of deliberate neglect but because they have no resources for it. Mark Stanislav and Zach Lanier got together and started the Build It Securely project, which works directly with chipset makers, vendors, and others to give practical guidance to people using their products. All of the information is published openly on the Internet, giving easy access to those who don’t have the time or resources to do the research themselves.

Call to action

Leaders are not born, but self-made. There’s a subtle but important difference there. Leaders make themselves when given the right motivation and opportunity. I used to think that leadership positions were given to people but I’ve come to realize that they’re never given, only taken or accepted.

Leadership is simply initiation and persistence in a particular direction. Start something, even when no one else is. Especially when no one else is. Continue in spite of, and especially after, setbacks. Find direction from whatever inspires you to start and to continue. That’s up to you. It’s not easy, but it’s also not hard.

The challenges we face are daunting but tractable. We have the right set of skills and are here at the right time to solve them, but we must start now. Every day we delay makes the work more difficult, the consequences higher, and the likelihood of failure greater.

I Am The Cavalry is not just about joining a common cause under the leadership of others. Although it can be for some. It’s about becoming leaders ourselves. It’s not “I Am The Cavalry. Come join me.” It’s “I Am The Cavalry. And you are too. We are all the cavalry!” It’s not about people following, it’s about people leading. I Am The Cavalry. And you are too. It’s up to all of us to lead the charge.

Thank you.

IATC Press Mentions: Post-Vegas Edition

We’ve had a flood of press over the past few days. So much that one blog post can’t contain it all! Building on our previous post, here are the latest articles about I Am The Cavalry, our open letter to the automotive industry, and our petition to encourage carmakers and security researchers to collaborate.

Mainstream Media

  • Hacking group wants to play nice with automakers [Reuters]
  • How to Keep Your Car from Becoming a High-Tech Death Trap [Huffington Post]
  • While you were enjoying the weekend: DEF CON edition [Politico]

Security Industry Media

  • At Defcon, hacker coalition calls for safer computer systems in vehicles [Computer World]
  • Automakers Openly Challenged To Bake In Security [Dark Reading]
  • DEFCON’s latest challenge: Hacking altruism [IT World]
  • Security movement urges automakers to collaborate with researchers [SC Magazine]
  • Can you stop The Cavalry? [IT Security Guru]
  • Five Totally Believable Things Car Makers Must Do To Thwart Hackers [The Register]
  • Let us help you defend cars from cyber-attacks: Hacking group to ‘Automotive CEOs’ [TechTimes]

Foreign Language Media

  • Oops: new cars still easy to hack (Oeps: nieuwe auto’s nog steeds makkelijk te hacken) [GeenStijl]
  • Hacker group wants to improve car safety (Hackersgroep wil veiligheid auto’s verbeteren) [nu.nl]
  • Here is the car that is easiest to hack (Här är bilen som är lättast att hacka) [NyTeknik]
  • Defcon: A collective urges the automotive industry to secure its embedded systems (Defcon: Un collectif exhorte l’industrie automobile à sécuriser les systèmes embarqués) [Le Monde Informatique]


IATC Press Mentions: Vegas Edition

I’ve been following all the great things happening in Vegas. I had to do it from afar since I didn’t get to attend this year. I’ve heard nothing but good things about BSidesLV, Black Hat and DEF CON. Tons of great information and, better yet, a good amount of Cavalry talks. The I Am The Cavalry presence did not go unnoticed. I’ve rounded up a few press mentions that IATC generated as the conference marathon comes to an end.

      • Hacker coalition sets out to improve critical device security, challenges car makers [PCWorld]
      • Want a safe car? Check its cyber safety rating [CNET]
      • Hackers Tell Car Makers: Secure Your Vulnerable Vehicles Now [Forbes]
      • Hacking group wants to play nice with automakers [TECH2]
      • Security experts take aim at the Internet of (unsafe) Things [USA Today]
      • Hackers to Automakers: Protect Cars From Cyberattacks [NBC News]

The articles mention An Open Letter to the Automotive Industry. Be sure to check it out and sign the petition on Change.org.

Most of the press coverage was around automotive, but be on the lookout for the other Cavalry domains. Beau Woods summed it up perfectly to me: “An amazing new day is dawning.”

“I AM THE CAVALRY” CALLS FOR COLLABORATION WITH AUTOMOTIVE INDUSTRY TO IMPROVE PUBLIC SAFETY

Security Research Movement Issues Letter Outlining Five Star Automotive Cyber Safety Program

DEF CON 22, Las Vegas, NV – August 8th – I Am The Cavalry, a cybersecurity volunteer association focused on public safety concerns, today issued a letter to leaders in the automotive industry, calling for the adoption of five key capabilities that create a baseline for safety relating to the computer systems in cars.

The letter, addressed to CEOs in the automotive industry, calls for safety to be built into the adoption and design of computer systems in vehicles.  Increasing reliance on computer systems and internet connectivity in cars is opening up a whole new area of consumer risk, much of which is still being investigated and understood.  I Am The Cavalry wants to help address this and protect people by collaborating with leaders in the automotive industry.  To start this process, they have identified five key capabilities that represent a foundation for building better cyber safety in cars:

  • Safety by Design – developing automotive computer systems with security in mind.
  • Third-Party Collaboration – publishing a clear vulnerability disclosure response policy that works with security researchers.
  • Evidence Capture – logging information that may assist with an investigation should one be necessary.
  • Security Updates – providing a mechanism for consumers to receive updates to computer systems quickly and easily as issues are found and fixed.
  • Segmentation and Isolation – ensuring that issues in non-critical systems do not impact the performance of critical systems.

“Modern cars are computers on wheels and are increasingly connected and controlled by software. Unlike your home computer, the consequences of compromise are far more severe,” said Joshua Corman, co-founder of I Am The Cavalry. “Dependence on technology in vehicles has grown faster than effective means to secure it. We’re just at the start of understanding the implications for public safety. The combined expertise of the automotive industry and the cyber security research community can rise to meet the challenge. This framework can be the foundation of that collaboration.”

“I think the proposed framework clearly states important principles and intent in a plain, sensible and workable way,” said Tony Sager, Chief Technologist for The Council on Cyber Security. “It puts information sharing between vendors and researchers into a constructive framework and establishes a shared goal of continuous safety improvement.”

The letter has also been published as a petition with a request for members of the public to show their support for car safety: https://www.change.org/petitions/automotive-industry-we-request-that-you-unite-with-us-in-a-joint-commitment-to-safety-between-the-automotive-and-cyber-security-industries

In addition, I Am The Cavalry co-founders Joshua Corman and Nicholas J. Percoco will be discussing the letter during the security research convention, DEF CON:

  • Press conference: 4:00pm, Friday, August 8th in the press room
  • Presentation: “The Cavalry Year[0] & a Path Forward for Public Safety” – 10:00am, Saturday, August 9th, Penn & Teller room

The letter is included in full below:

An Open Letter to the Automotive Industry: Collaborating for Safety 

Dear Automotive CEOs,

We request that you unite with us in a joint commitment to safety between the automotive and cyber security industries.

A hallmark of the automotive industry is extraordinary innovation in the face of market needs. 50 years ago, basic automotive safety features were an afterthought. Since then, the auto industry has steadily driven advances in safety features, safety engineering, and supply chain management in ways that software and cyber security disciplines must emulate.

Now the automotive industry faces a new challenge. Modern vehicles are computers on wheels and are increasingly connected and controlled by software and embedded devices. These new technologies enable innovations designed to increase vehicle safety and bring other positive features. Vehicle-to-vehicle communication, driverless cars, automated traffic flow, and remote control functions are just a few of the evolutions under active development.

New technology introduces new classes of accidents and adversaries that must be anticipated and addressed proactively. Malicious attackers, software flaws, and privacy concerns are the potential unintended consequences of computer technologies driving this latest round of innovation. The once distinct worlds of automobiles and cyber security have collided. In kind, now is the time for the automotive industry and the security community to connect and collaborate toward our common goals.

When the technology we depend on affects public safety and human life, it commands our utmost attention and diligence. Our cars command this level of care. Each and every day, we entrust our lives and the lives of those we love to our automobiles.

The goal of our outreach effort here is to catalyze greater teamwork between security researchers and the automotive industry. Our combined expertise is required to ensure that the safety issues introduced by computer technologies are treated with the same diligence as other classes of automotive safety issues.

Will you join us in this endeavor?

We propose five critical capabilities to lay a foundation for safety, both for collaboration and for increasing consumer confidence. This content was developed jointly with leading cyber security researchers and others working in and around the automotive industry. We crafted these capabilities to be objectively defined, lasting, and to allow for adaptation and innovation within each function.

We urge the automotive industry to adopt, develop, enhance, and attest to these capabilities. Just as they consider other safety features, concerned consumers will be better enabled to make purchasing decisions based on your attestations against these five areas. We will help you navigate this road to build greater protections for your customers and set a new standard for safety.

Five Star Automotive Cyber Safety Program

Further details and explanations can be found at https://www.iamthecavalry.org/auto/5star

1. Safety by Design

VALUE: We take public safety seriously in our design, development, and testing.

PROOF: As such, we have published an attestation of our secure software development lifecycle, summarizing our design, development, and adversarial resilience testing programs for our products and our supply chain.

2. Third-Party Collaboration

VALUE: We recognize that our programs will not find all flaws.

PROOF: As such, we have a published coordinated disclosure policy inviting the assistance of third-party researchers acting in good faith.

3. Evidence Capture

VALUE: We want to learn from failures and enable continuous improvement.

PROOF: As such, our systems provide tamper evident, forensically sound logging and evidence capture to facilitate safety investigations.

4. Security Updates

VALUE: We recognize the need to address newly discovered safety issues.

PROOF: As such, our systems can be securely updated in a prompt and agile manner.

5. Segmentation & Isolation

VALUE: We believe a compromise of non-critical systems (like entertainment) should never adversely affect critical/physical systems (like braking).

PROOF: As such, we have published an attestation of the physical/logical isolation and layered defense measures we have implemented.

We are eager to start working with you within the next 90 days and to begin promoting your current and future capabilities to the public. These attestations establish a foundation and serve to catalyze an ongoing collaboration to better prepare us for the next 50 years and beyond. Given our research and experience to date, we are encouraged to see some early investments toward these capabilities. While capabilities like evidence logging will take time to bring to market, valuable policy and capability attestations can begin now. On this journey, the challenges will be many and they will be significant, but together and through collaboration we can rise to meet them. Let’s start now.

Respectfully,

“I am The Cavalry”, members of the security research community, & concerned citizens

Signatures and instructions for signing can be found at https://www.iamthecavalry.org/auto/5star

Signatures are solely the opinion of the individual.

I am The Cavalry – https://www.iamthecavalry.org – @iamthecavalry – autosafety@iamthecavalry.org

To ensure technologies with the potential to impact public safety and human life are worthy of our trust.

***

About I Am The Cavalry

The I Am The Cavalry movement was formed in response to concerns over the impact of cybersecurity threats on public safety. Its efforts are focused on cybersecurity issues relating to four main areas of public safety: medical, automotive, home electronics, and public infrastructure. For more information, please visit: https://www.iamthecavalry.org/

For more information, please contact press@iamthecavalry.org

Related Talks at BSidesLV, Black Hat and DEF CON

The annual Las Vegas convergence of hackers, researchers, consultants, vendors, press and others is nearly upon us. That’s right, it’s time again for BSidesLV, Black Hat USA and DEF CON. This trilogy of events sees some of the most original content presented to some of the largest crowds of the year. This year much of that content will be relevant to I Am The Cavalry topics. We have more detail on the day of I Am The Cavalry sessions at BSidesLV.

BSidesLV: August 5th-6th

Date | Time | Where | Title | Who
8/5 | 15:00 | Common | Vulnerability Assessments on SCADA: How I 'owned' the Power Grid | Fadli B. Sidek
8/5 | 18:00 | Proving | Back Dooring the Digital Home | David Lister
8/6 | 10:00 | | IATC Introduction and Overview – I Am The Cavalry and Empowering Researchers |
8/6 | 11:00 | | IATC Problem Space Overview |
8/6 | 12:00-18:00 | | IATC Building Skills, Understanding and Influencing People |
8/6 | 12:00-18:00 | TBA | Drop-In Sessions |

Black Hat: August 6th-7th

Date | Time | Where | Title | Who
8/6 | 11:45 | Lag K | Survey of Remote Automotive Attack Surfaces | Charlie Miller & Chris Valasek
8/6 | 14:15 | Palm A | Embedded Devices Roundtable: Embedding the Modern World, Where Do We Go From Here? | Don Bailey & Zach Lanier
8/6 | 15:30 | SS CD | Why Control System Cyber-Security Sucks… | Dr. Stefan Lüders
8/6 | 17:00 | Palm A | Responsible Disclosure Roundtable: You Mad Bro? | Trey Ford
8/6 | 17:00 | Lag K | Breaking the Security of Physical Devices | Silvio Cesare
8/6 | 17:00 | MB D | Learn How to Control Every Room at a Luxury Hotel Remotely: The Dangers of Insecure Home Automation Deployment | Jesus Molina
8/7 | 10:15 | Palm A | Medical Devices Roundtable: Is There A Doctor In The House? Security and Privacy in the Medical World | Jay Radcliffe
8/7 | 11:45 | MB D | Smart Nest Thermostat: A Smart Spy in Your Home | Yier Jin, Grant Hernandez & Daniel Buentello
8/7 | 14:15 | SS E | Home Insecurity: No Alarms, False Alarms, and SIGINT | Logan Lamb

DEF CON: August 7th-10th

Date | Time | Where | Title | Who
8/8 | 13:00 | P & T | Hacking US (and UK, Australia, France, etc.) traffic control systems | Cesar Cerrudo
8/9 | 10:00 | T 2 | Hacking 911: Adventures in Disruption, Destruction, and Death | Christian Dameff, Jeff Tully & Peter Hefley
8/9 | 10:00 | P & T | The Cavalry Year[0] & a Path Forward for Public Safety | Josh Corman & Nick Percoco
8/9 | 10:00 | T 1 | Hack All The Things: 20 Devices in 45 Minutes | CJ Heres, Amir Etemadieh, Khoa Hoang & Mike Baker
8/9 | 11:00 | T 1 | The Internet of Fails: Where IoT Has Gone Wrong and How We're Making It Right | Mark Stanislav & Zach Lanier
8/9 | 12:00 | 101 | How to Disclose an Exploit Without Getting in Trouble | Jim Denaro & Tod Beardsley
8/9 | 12:00 | T 1 | Home Insecurity: No Alarms, False Alarms, and SIGINT | Logan Lamb
8/9 | 12:00 | T 2 | Cyberhijacking Airplanes: Truth or Fiction? | Dr. Phil Polstra & Captain Polly
8/9 | 13:00 | T 2 | Just what the Doctor Ordered? | Scott Erven & Shawn Merdinger
8/9 | 15:00 | T 1 | A Survey of Remote Automotive Attack Surfaces | Charlie Miller & Chris Valasek
8/9 | 16:00 | T 1 | Learn How to Control Every Room at a Luxury Hotel Remotely: The Dangers of Insecure Home Automation Deployment | Jesus Molina
8/9 | 17:00 | T 1 | Attacking the Internet of Things using Time | Paul McMillan
8/10 | 11:00 | T 2 | Optical Surgery; Implanting a DropCam | Patrick Wardle & Colby Moore
8/10 | 13:00 | T 1 | Playing with Car Firmware or How to Brick your Car | Paul Such & Agix
8/10 | 15:00 | T 1 | Elevator Hacking – From the Pit to the Penthouse | Deviant Ollam & Howard Payne

The Cavalry at BSides Las Vegas 2014

On Wednesday August 6th, BSidesLV and I Am The Cavalry will hold a day of sessions to empower security researchers to make positive change. The goal is to define the problem space, inspire people to take a leadership role in solving security problems and build up the skills needed to succeed. The schedule and locations can be found at http://bsideslv2014.sched.org/.

The day will kick off with an introduction and overview of I Am The Cavalry, an update on the current status and activities, an outlook for the future as well as a rundown of the day’s event. This will be followed by focused sessions on each of the primary areas of focus over the past year – medical devices, automotive, home electronics, public infrastructure and policy. For most of the day we will have short talks and longer drop-in sessions.

The directed sessions will use a facilitated Question and Answer format called A&Q. In this format, a primary speaker will cover the topic at a high level for 10 minutes, priming the audience for a 15 minute interactive discussion into specific audience questions.

The drop-in sessions will be smaller tables, each with a relevant subject matter expert to answer questions and facilitate discussion on a particular topic.

Topics include:

Media – Journalists and media are a powerful way to influence public perception and to get our message out. They have their own internal operations and public interface that we can tap into like an API.

Legal – The legal system has a regular and standardized set of processes, outcomes and roles. Understanding these is key to influencing precedent so that it reflects the current technical landscape.

Public Policy – Understand the influencers, decision makers and processes that go into making new laws and administering existing ones.

Career – How you choose and follow your career path shouldn’t be a random walk and shouldn’t be set in stone. Use your career to maximize your satisfaction and impact.

Burnout – The complex state of Burnout is one that affects many in our industry, but help and resources are rare. Learn what it looks like and how to deal with it.

X Altruism – Extreme Altruists go out of their way to try and do the right thing, regardless of what others may think or what harm they may face. But these features can become bugs if they don’t find the right outlet.

Disclosure – Handling the delicate issue of notifying manufacturers about security vulnerabilities when packets meet blood and bone.

Communications – Many of us are less afraid of shaking hands with SSL or modems than real people. But that doesn’t mean we can’t effectively get our ideas across to manufacturers, managers, politicians or parents.


Agenda

10:00 – 11:00 Introduction and Overview – I Am The Cavalry

11:00 – 12:00 Areas of Interest (Medical, Auto, Home, Public Infrastructure, Policy)

12:00 – 17:30 A&Q Sessions (see online schedule for details)

12:00 – 17:30 Drop-In Sessions (see online schedule for details)

17:30 Wrap Up and Next Steps

Position on Disclosure

Over the last couple of weeks we have been working on documenting a position on disclosure. The position explains why research, disclosure and coordination are part of a healthy manufacturing ecosystem. It provides guidance to researchers, manufacturers and other stakeholders on their roles – at a high level – as well as other resources that can be useful.

The position we have outlined is by no means the only perspective that exists. When the consequences of research are human life and public safety it is especially important for I Am The Cavalry to define a set of specific disclosure and coordination guidelines that we feel captures our outlook. This position follows from our belief that those concerned with public safety and human life should take sufficient care to avoid inadvertently putting them at risk.