The Cavalry In Europe

The Cavalry made its first appearance at a European conference. Josh Corman was invited to The Hague as the closing keynote for the National Cyber Security Center’s One Conference. In his keynote he chose to revisit the theme of his TEDx talk, which highlights issues that The Cavalry is addressing.

Claus Houmann, a strong supporter of The Cavalry, and someone who has urged us to come deliver our messages in person across the Atlantic, gave us a warm welcome post entitled Call to arms! Fellow Europeans, mount up. Thanks, Claus. We look forward to many good interactions on your Continent.

IATC News Roundup (5/31): Car Hacking

Battelle to Host Automobile Cyber Hackathon

Battelle is hosting their third annual CyberAuto Challenge. The challenge will be held July 13-18th in Troy, MI at Delphi Automotive. According to the Battelle CyberAuto Challenge press release:

“students will be divided into teams with an equal ratio of working professionals from a variety of organizations, including automotive manufacturers, federal agencies such as the U.S. Departments of Transportation, Homeland Security and Defense; and research organizations. During the week-long educational and training event, the teams will participate in daily lecture and instruction in subjects such as secure system design, secure programming, embedded systems, IT law and ethics. Then, each day, they will apply their new knowledge to practical challenges on actual cars. Many of the sessions will have time constraints to simulate real-world conditions”

How Security Researchers Are Hacking Cars to Save Lives

The article shows the reality of car hacking. The top of the article has a pretty sobering video about car security. The article and video show a proof of concept and various attack surfaces. The good news is that automakers have this on their radar. “And automakers are listening:

Currently, Mathew and Alberto are both consulting for multiple automotive manufacturers in order to ensure that vehicles become less vulnerable to potential future attacks.”

Major Rise In Car Hacking Thefts

In London, high-end cars are being stolen using a CAN Hacking Tool (CHT). The article claims that:

Electronic car hacking was responsible for almost half of the vehicle thefts in London last year, the Metropolitan Police has confirmed.

Google self-driving cars ‘risk being caught in spam traffic jams’

There has been a lot of hype over Google’s self-driving cars. My mind was a bit blown by the demo Google performed on their self-driving cars. It may be revolutionary, but it has its risks. Wil Rockall, a director at KPMG, discusses some of the potential issues in the article:

the industry will need to be very alert to the risk of cyber manipulation and attack.

Self-drive cars will probably work through internet connectivity and, just as large volumes of electronic traffic can be routed to overwhelm websites, the opportunity for self-drive traffic being routed to create ‘spam jams’ or disruption is a very real prospect.

Down The Rabbithole Cavalry-esque Discussion

For those of you who don’t already listen to it, the Down The Rabbithole (DtR) podcast is a long-running podcast hosted by Raf Los (a.k.a. Wh1t3 Rabbit) and James Jardine. Over the holiday weekend I was catching up on the podcast and ran across a great Cavalry-esque episode I thought I’d draw your attention to.

On the April 7th Newscast Raf and James discussed the downfall of Windows XP and how this will affect life critical systems. They went beyond the superficial issues and talked about the bad assumptions that have led to decision making failures for several years in the computer technology space. The true costs, they mention, won’t be on the Internet, they’ll come when computer security affects humanity. Our inability to accurately predict the future leads to public safety, human life and trust problems.

They also discuss wholly managed devices, such as the Google Nest thermostat. What are the implications of that management? If an update breaks a device what are the ramifications? They also talked about the fact that the updates themselves can be an attack vector, similar to my comments in the BBC article on ghosts in the Internet of Things.

We’re placing ever more trust in those who are behind our connected systems. We are trusting that they are acting in good faith. And we are trusting that their decision making process is sound. Shouldn’t we KNOW that these decisions are worthy of our trust?

IATC at ISSA Los Angeles, May 16th, 2014

I Am The Cavalry is proud to be an organizational sponsor of ISSA Los Angeles (Event Flyer). The conference will be on May 16th, 2014, from 7:30am to 6:00pm, at the University City Hilton in Los Angeles. Keynotes include Richard Clarke and Marcus Ranum, and featured speakers include Jackie Lacey (LA County District Attorney), Marc Manfred (Beyond Trust), Jim Manico (OWASP), and Jeremiah Grossman (White Hat Security). I Am The Cavalry will have a table at the event – come by and say “hi”!

Security of Things Forum

The inaugural Security of Things Forum was held May 7th. The forum, organized by The Security Ledger Editor in Chief, Paul Roberts, was keynoted by Dan Geer. Mark Stanislav of Duo Security and BuildItSecure.ly, and Josh Corman of Sonatype also spoke at the conference.

CSO Online wrote an article, predominantly driven by Josh’s talk, an updated version of his Swimming with Sharks TEDx presentation.

In the Digital Ocean, predators outnumber protectors

Just because something is scary doesn’t mean it’s a figment of your paranoid imagination…. There is reason to be afraid because the dangers in the digital “ocean” are as real as swimming in a physical ocean of sharks, with blood in the water.

Editor in Chief of IoT World, Rich Quinnell, also took the opportunity to write about security of the Internet of Things and introduced his readers to I Am The Cavalry and BuildItSecure.ly.

Security Cavalry is Coming to the Internet of Things

One of the biggest concerns many people have about the Internet of Things is its security. Each point of connection between our systems and services and the wide area network is a potential point of vulnerability to cyberattack, yet security is at best an afterthought in many IoT designs. Something in the way we handle IoT security has got to change, and that is a key goal for a new grassroots organization [called I Am The Cavalry].

Finally, Channelnomics wrote a detailed account of the forum and the security issues in the Internet of Things. Definitely worth a read.

A Dose of Reality in the Rush to Connect All Our Things

“Security is the absence of unmitigatable surprise,” [keynote speaker Dan] Geer told SECoT attendees. “My design goal is ‘no silent failure’.” In the end, it’s not about raining on the IoT parade, said [Forum organizer Paul] Roberts, but rather moving the conversation into a more prudent and defensible space by bringing the vendors and the often insular communities together.

Monthly Update: April

We had a full track of Cavalry-esque presentations at SOURCE Boston, and all of the keynotes ended up having some overlap. Our workshops at THOTCON and BSides Chicago were great! Thanks to all those who presented and those who participated. Craig Smith of Open Garages did a great introduction to Car Hacking and a hands-on demo. Scott Erven presented on research he’s done on medical device security issues and gave an introduction to the issues in the field.

BBC Future Story, Featuring The Cavalry

Last week BBC Future published a piece called Internet of Things: The ‘ghosts’ that haunt the machine. The article discusses the potential long-term network congestion that could come about from noisy IoT devices. The Cavalry gets a mention and a quote, in the context of the potential for takeover of the devices, either by targeting the endpoints or by taking over expired domains for update servers, etc.

Once the ghost machine is taken over, the potential for damage is considerable, says Beau Woods, a founding member of I Am The Cavalry, an organisation focusing on protecting the general public from digital attacks. “What could someone malicious do if they could modify or replace the software on the device? This could range from pranks, like funny photos on a fridge screen, to making profits by inserting advertisements on your television, to interception by digitally eavesdropping on your home network, to disablement through wrecking the software on the device, to doing physical damage by overloading the electronics or burning out a motor. In automobiles, medical devices, public transport, airplanes and other more critical systems the damage could be much more severe.”

The story hit the front page of the BBC website, which gave us some good exposure to a global audience.
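The takeover scenario described above (an update server whose domain has lapsed and been re-registered by someone else) is only dangerous if the device trusts whatever that host serves. The defensive counterpart is to have the device trust only a vendor public key baked into its firmware, so a hijacked server cannot push code it did not sign, and to refuse genuine-but-older images so a replayed vulnerable version is rejected too. The following Go program is an added illustration written for this post; it is not code from I Am The Cavalry, the BBC article, or any vendor, and the manifest layout, version numbers and image bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateManifest is what a device fetches from its update server: a firmware
// image, its version, and a vendor signature over both. (Constructed layout.)
type UpdateManifest struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// signingDigest binds the version to the image bytes so that a signature for
// one (version, image) pair cannot be re-used with a different version number.
func signingDigest(version uint32, image []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h := sha256.New()
	h.Write([]byte("example-firmware-update/v1\n")) // domain separation tag
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// SignUpdate is the vendor side, run offline with the private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdateManifest {
	return UpdateManifest{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signingDigest(version, image)),
	}
}

// VerifyUpdate is the device side. Trust comes only from the pinned public key
// compiled into the firmware, never from which host served the manifest, so a
// re-registered update domain gains the attacker nothing without the key.
func VerifyUpdate(pinned ed25519.PublicKey, m UpdateManifest, installed uint32) error {
	if !ed25519.Verify(pinned, signingDigest(m.Version, m.Image), m.Signature) {
		return errors.New("signature does not verify against pinned vendor key")
	}
	// Anti-rollback: a genuinely signed but older image (one with a known bug)
	// replayed from a hijacked server must be rejected as well.
	if m.Version <= installed {
		return errors.New("update is not newer than the installed version")
	}
	return nil
}

// ScenarioResult records how the device treats each manifest it is offered.
type ScenarioResult struct {
	GenuineAccepted  bool
	TamperedAccepted bool
	RollbackAccepted bool
}

// RunScenario builds a vendor key pair and three constructed manifests: the
// real next version, the same manifest with its image altered by whoever now
// controls the server, and a replay of an older signed version.
func RunScenario() (ScenarioResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	const installed = 7
	genuine := SignUpdate(priv, 8, []byte("constructed firmware image v8"))
	tampered := genuine // same version and signature, different image bytes
	tampered.Image = []byte("constructed firmware image v8, modified in transit")
	old := SignUpdate(priv, 6, []byte("constructed firmware image v6"))
	return ScenarioResult{
		GenuineAccepted:  VerifyUpdate(pub, genuine, installed) == nil,
		TamperedAccepted: VerifyUpdate(pub, tampered, installed) == nil,
		RollbackAccepted: VerifyUpdate(pub, old, installed) == nil,
	}, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v\ntampered accepted: %v\nrollback accepted: %v\n",
		r.GenuineAccepted, r.TamperedAccepted, r.RollbackAccepted)
}
```

The design choice worth noting is that the transport (domain, TLS certificate, CDN) is treated as untrusted plumbing: it can deny an update, but it cannot forge or downgrade one. Whether the device also refuses to run unsigned code already on flash is a separate question that this check does not answer.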

THOTCON & BSides Chicago 2014

The Cavalry will be holding workshop sessions at both THOTCON and BSides Chicago next week. Details are below. We look forward to seeing you there.

THOTCON – Friday, April 25, 2014

Where/When: Lab 5/6, 2pm to 4pm
Approx. Capacity: 150 people

| When | What | Who |
| --- | --- | --- |
| 2:00-2:30 | WHY The Cavalry | Josh Corman & Nick Percoco |
| 2:30-3:00 | Medical Device Security Landscape & Challenges | Scott Erven |
| 3:00-3:30 | IoT Security Landscape & Challenges | Mark Stanislav (BuildItSecure.ly) |
| 3:30-3:50 | Cavalry Mission, Discrete Progress & Activities | Adam Brand |
| 3:50-4:00 | Next Steps & How to Get Involved | Josh Corman |

BSides Chicago – Saturday, April 26, 2014

Where/When: Workshop, 11:00am to 2:30pm (with lunch break)
Approx. Capacity: 25 people

| When | What | Who |
| --- | --- | --- |
| 11:00-11:15 | WHY The Cavalry | Nick Percoco & Beau Woods |
| 11:15-11:45 | Getting Started with Medical Device Hacking | Scott Erven |
| 11:45-12:15 | Automotive Security Landscape & Challenges | Craig Smith (Open Garages) & Adam Brand |
| 12:15-1:00 | Getting Started with Car Hacking | Craig Smith (Open Garages) & Adam Brand |
| 1:00-1:30 | Lunch & Open Q&A | All |
| 1:30-2:00 | Car Hacking Demos & Q&A | Craig Smith (Open Garages) & Adam Brand |
| 2:00-2:15 | Next Steps & How to Get Involved | Adam Brand & Beau Woods |

Current Activity

Circle City Con in Indianapolis invited I Am The Cavalry to keynote their conference as well as facilitate a workshop. You can view the Circle City Con Keynote on Irongeek’s website. The workshop video Executive Management (How to Manage Executives) and Engaging the Media API is also available.

Upcoming

This year’s Vegas conference season should be an exciting one. DEF CON has three of five tracks aligned to core Cavalry areas. And look for some big announcements about how we will be teaming up with BSides LV and DEF CON again this year.

Josh Corman and Nick Percoco will return to DEF CON to present on I Am The Cavalry. This talk will revisit the original premise, provide an update on the year’s activity and capture the direction forward. The talk is called The Cavalry Year[0] & a Path Forward for Public Safety.

Geoff Shively will be moderating a panel at HOPE X with Jen Ellis, Andrea Matwyshyn and Beau Woods, called I Am The Cavalry: Lessons Learned Fuzzing the Chain of Influence.

Also look for some progress on the task of formally organizing as a legal entity. This is most likely to take the form of a 501(c)(3) Non-Profit Educational Foundation. We’re doing the required business planning for core activities, funding models, governance, etc.