Security of Things Forum

The inaugural Security of Things Forum was held May 7th. The forum, organized by The Security Ledger Editor in Chief Paul Roberts, was keynoted by Dan Geer. Mark Stanislav of Duo Security and BuildItSecure.ly, and Josh Corman of Sonatype, also spoke at the conference.

CSO Online wrote an article drawn largely from Josh’s talk, an updated version of his Swimming with Sharks TEDx presentation.

In the Digital Ocean, predators outnumber protectors

Just because something is scary doesn’t mean it’s a figment of your paranoid imagination…. There is reason to be afraid because the dangers in the digital “ocean” are as real as swimming in a physical ocean of sharks, with blood in the water.

Rich Quinnell, Editor in Chief of IoT World, also took the opportunity to write about security of the Internet of Things and introduced his readers to I Am The Cavalry and BuildItSecure.ly.

Security Cavalry is Coming to the Internet of Things

One of the biggest concerns many people have about the Internet of Things is its security. Each point of connection between our systems and services and the wide area network is a potential point of vulnerability to cyberattack, yet security is at best an afterthought in many IoT designs. Something in the way we handle IoT security has got to change, and that is a key goal for a new grassroots organization [called I Am The Cavalry].

Finally, Channelnomics wrote a detailed account of the forum and the security issues in the Internet of Things. Definitely worth a read.

A Dose of Reality in the Rush to Connect All Our Things

“Security is the absence of unmitigatable surprise,” [keynote speaker Dan] Geer told SECoT attendees. “My design goal is ‘no silent failure’.” In the end, it’s not about raining on the IoT parade, said [Forum organizer Paul] Roberts, but rather moving the conversation into a more prudent and defensible space by bringing the vendors and the often insular communities together.

Monthly Update: April

We had a full track of Cavalry-esque presentations at SOURCE Boston, and all of the keynotes ended up having some overlap. Our workshops at THOTCON and BSides Chicago were great! Thanks to all those who presented and those who participated. Craig Smith of Open Garages gave a great introduction to car hacking along with a hands-on demo. Scott Erven presented research he’s done on medical device security issues and gave an introduction to the issues in the field.

BBC Future Story, Featuring The Cavalry


Last week BBC Future published a piece called Internet of Things: The ‘ghosts’ that haunt the machine. The article discusses the potential long-term network congestion that could come about from noisy IoT devices. The Cavalry gets a mention and a quote, in the context of the potential for takeover of the devices, either by targeting the endpoints directly or by taking over expired domains used by update servers, etc.

Once the ghost machine is taken over, the potential for damage is considerable, says Beau Woods, a founding member of I Am The Cavalry, an organisation focusing on protecting the general public from digital attacks. “What could someone malicious do if they could modify or replace the software on the device? This could range from pranks, like funny photos on a fridge screen, to making profits by inserting advertisements on your television, to interception by digitally eavesdropping on your home network, to disablement through wrecking the software on the device, to doing physical damage by overloading the electronics or burning out a motor. In automobiles, medical devices, public transport, airplanes and other more critical systems the damage could be much more severe.”

The story hit the front page of the BBC website, which gave us some good exposure to a global audience.

THOTCON & BSides Chicago 2014

The Cavalry will be holding workshop sessions at both THOTCON and BSides Chicago next week. Details are below. We look forward to seeing you there.

THOTCON – Friday, April 25, 2014

Where/When: Lab 5/6, 2pm to 4pm
Approx. Capacity: 150 people

When         What                                              Who
2:00-2:30    WHY The Cavalry                                   Josh Corman & Nick Percoco
2:30-3:00    Medical Device Security Landscape & Challenges    Scott Erven
3:00-3:30    IoT Security Landscape & Challenges               Mark Stanislav (BuildItSecure.ly)
3:30-3:50    Cavalry Mission, Discrete Progress & Activities   Adam Brand
3:50-4:00    Next Steps & How to Get Involved                  Josh Corman

BSides Chicago – Saturday, April 26, 2014

Where/When: Workshop, 11:00am to 2:30pm (with lunch break)
Approx. Capacity: 25 people

When           What                                            Who
11:00-11:15    WHY The Cavalry                                 Nick Percoco & Beau Woods
11:15-11:45    Getting Started with Medical Device Hacking     Scott Erven
11:45-12:15    Automotive Security Landscape & Challenges      Craig Smith (Open Garages) & Adam Brand
12:15-1:00     Getting Started with Car Hacking                Craig Smith (Open Garages) & Adam Brand
1:00-1:30      Lunch & Open Q&A                                All
1:30-2:00      Car Hacking Demos & Q&A                         Craig Smith (Open Garages) & Adam Brand
2:00-2:15      Next Steps & How to Get Involved                Adam Brand & Beau Woods

Current Activity

Circle City Con in Indianapolis invited I Am The Cavalry to keynote their conference as well as facilitate a workshop. You can view the Circle City Con keynote on Irongeek’s website. The workshop video, Executive Management (How to Manage Executives) and Engaging the Media API, is also available.

Upcoming

This year’s Vegas conference season should be an exciting one. DEF CON has three of its five tracks aligned to core Cavalry areas. And look for some big announcements about how we will be teaming up with BSides LV and DEF CON again this year.

Josh Corman and Nick Percoco will return to DEF CON to present on I Am The Cavalry. This talk will revisit the original premise, provide an update on the year’s activity and capture the direction forward. The talk is called The Cavalry Year[0] & a Path Forward for Public Safety.

Geoff Shively will be moderating a panel at HOPE X with Jen Ellis, Andrea Matwyshyn and Beau Woods, called I Am The Cavalry: Lessons Learned Fuzzing the Chain of Influence.

Also look for some progress on the task of formally organizing as a legal entity. This is most likely to take the form of a 501(c)3 Non-Profit Educational Foundation. We’re doing the required business planning for core activities, funding models, governance, etc.

Monthly Update: March

Jen Ellis and Trey Ford from Rapid 7, and Josh Corman from Sonatype, have been out on Capitol Hill, speaking with Congressional staffers, lobbyists and lawyers. Jen and Trey have been providing a voice of technical literacy, helping to inoculate against bad legislation. Josh has been speaking to them about the bigger issues of computerizing and connecting all the devices.

The Cavalry has been on our own March Madness streak this month, barnstorming across college campuses. Josh Corman grabbed the keynote slot at the Northeast regional Collegiate Cyber Defense Competition (NECCDC) this year. He also spoke at the Center for Education and Research in Information Assurance and Security (CERIAS) 15th annual information security symposium. And Beau Woods presented to the GreyH@t student group at Georgia Tech.

Activity Report: February

As the security industry recovers from BSides SF, the RSA Conference and TrustyCon, we here at Cavalry HQ have been pulling together everything we learned so we can be better and stronger.

  • Duo Security launched their initiative, co-branded with The Cavalry and with Bugcrowd, called BuildItSecure.ly. The idea is to empower small Internet of Things manufacturers (think Kickstarter) with the information needed to secure their projects, no matter how small their budget or how big their ambition. Check out their presentation The Internet of Things: We’ve Got to Chat.
  • Jen Ellis from Rapid 7 and Steve Ragan from CSO Online gave a short media training session. It was great to hear from people who are the media, and who deal with the media every day, to get a much better understanding of how we can align our incentives with those of journalists and media outlets. We’ll have to host that kind of event again.
  • The Cavalry had a booth and three speaking slots at the RSA Conference. We were in The Sandbox area, which was new this year. It was a great place, off the vendor floor, where we could really interact with people who stopped by. That drove a lot of good connections with folks, both new recruits and people who’ve been supporting us from the beginning.