
Archive for the ‘Security’ Category

Leveraging IoT

March 31st, 2015

Last week I was fortunate enough to attend the AIIA Government conference on “Navigating the Internet of Things”. This is the 4th year that they’ve run a Government-specific conference for sharing experiences and educating people on what is happening in the industry, locally and globally, in Government with technology.

The conference was opened by the Honourable Malcolm Turnbull MP (Minister for Communications), who gave a great summary of the state of affairs with regards to the adoption of Internet technologies and how industry, on the back of initial Government stimulation, is thriving, constantly reinventing itself and driving innovation.

The major theme of the conference was transformation: transformation of cities and of how we do things more efficiently, be it resource use, transportation or healthcare. It also reiterated that the emerging IoT world is very much a digitally driven economic world.


Resource Use

One example used by Minister Turnbull was water. Water utilities lose 25-50% of water due to leaks, and because repairs are reactive they are extremely costly. NICTA have created analytics that predict which pipe is most likely to fail and when, allowing for proactive maintenance and reducing the cost of the service. David Gambrel of NICTA explained how this approach was already being used on the Harbour Bridge, reducing the cost of maintenance 10 fold.

Energy use and smart lighting, which make up approximately 25-50% of government energy budgets, was another area explored. Transforming lighting to smarter, LED-based technologies has the ability to significantly reduce the cost and use of energy. One idea posed was to equip smart lamp posts with the ability to be charging stations, creating an opportunity for governments and councils to offer charging to electric cars and a new source of revenue.


Transportation

Another example of resource use is roads. In Australian cities, congestion on roads accounts for 4.26B working hours wasted, said Minister Turnbull. Connected vehicles for traffic management could solve some of this. One of the biggest hurdles to date is getting real-life data rather than driver opinions. As the cost of sensors and integrated chips continues to drop, live monitoring of services becomes more feasible, especially when we include feeds from the likes of Google Traffic. Understanding how roads (as a resource) are used

Steve Leonard, Executive Deputy Chairman, Infocomm Development Authority of Singapore (IDA), presented the challenges of the Singaporean government and their approach to transportation: how to use infrastructure more efficiently. In summary, support adoption of smart cars to essentially allow them to be packed closer on roads, potentially doubling the capacity of the existing roads. This was supported by Susan Harris, CEO of Intelligent Transport Systems Australia, whose research suggested that up to 40% more cars could be put on roads if we had automated cars with smart telemetry capability.

Lutz Heuser, CTO for the Urban Institute, presented his Institute’s reference architecture for future cities (see below). This was part of a wider view that, to be successful, governments need to create a new Government service infrastructure of data streams and analytics: a new utility provided by governments, cloud-based, open and real-time.

Smart Cities Reference Architecture – Lutz Heuser, Urban Institute, 2015

Finally UBER’s Melbourne General Manager explained how IoT and the marketplace they created using that technology allowed them to extend and supplement the public transport system.

The real future of the connected city or “Smarter” city will have smart and autonomous vehicles, providing better use of existing transport systems and allowing for denser and more efficient use of vehicles on the already crowded routes, all enabled by sensors that feed large inter-connected systems that make sense of the data.


Healthcare

Again Steve Leonard (IDA) explained the problem they have in Singapore. Urban density of approximately 8000 people per square kilometre means that they are not only far more dense than Australia or the U.S. but that they need to make sense of the projected needs of the population against the real estate available. Singapore, like most countries, has an ageing population: people are living longer and the birthrate is slowing. This change in demographic has caused them to look at the statistics of hospital stays. If you are over 65 you are likely to stay 30% longer in hospital; this has a huge impact on hospitals and the projected number of future hospitals needed to support the population. Given geographic and economic constraints, Singapore cannot build as many hospitals as they need, nor could they staff them. Additionally, their studies have shown that 20% of patients contributed to 80% of re-admissions. So how can they offload chronic care and focus on triage and emergency care? They’ve looked to technology, leveraging their fibre network reach (1GB to each home) and eHealth technologies with in-home care to offload.

Dr James Freeman is CEO of GP2U.com.au, a Telehealth business delivering services in Australia via video-conference so patients don’t have to physically see a doctor and can have scripts filled and ready for pickup from a local pharmacy. With the proliferation of sensors and cameras in consumer devices, they are able to deliver some consultation services remotely, never having to physically see a patient. Dr. Freeman pointed out that adoption is slow to date, and that this is a combination of no financial incentive to take up these services and legislation being slow to catch up to technology. The financial incentive model is absolutely necessary as there is little chance people will use these services off their own back. I’ve recently seen this with my father-in-law, who was issued a blood pressure monitor by his health insurer. Each measurement is logged and sent directly to the provider for them to track his health. He rarely does it as there is yet no incentive to do so, no lowering of his premium or rebate for his troubles.


Government as a Service – The new Utility

What all of these presentations and discussions showed was that the future for Government is providing data as a service. Today the DTO is working at improving the way government delivers services, with the end goal of speaking to customers as one public sector, delivering services on common platforms. Data.gov.au will continue to be developed and invested in.

This view was echoed by Ros Harvey, Chief Strategist and Advisor for KEI and Sirca: Government as a platform is the future, getting the community to innovate on top of the services and data that government supplies. This was reiterated by Pia Waugh, Department of Finance, who has been working for years towards the goal of “Government as an API” and creating the mashable government, making what Gov does more available regardless of agency or jurisdiction.

If the Australian Government can continue with the work that they’ve started it will be well on its way to making Australia the world’s leading digital economy, an aspiration of Minister Turnbull.


How to make IoT successful

The resounding theme was that integrity and security will be important as IoT proliferates. Security must be the foundation of any platform (Brian McCarson, Intel) and approached from an epidemiological standpoint (Turnbull), using high-level pattern analysis and mass data analytics to see trends and changes in the system.


Fundamental Tenets of IoT, Intel, 2015


Conclusion

IoT is breaking through the novelty and into the mainstream with the backing and support of Government. As more and more sensors find their way into roads, waterways, infrastructure components and government systems, this data, raw and refined, will become the new economy that governments will not only collect revenue from, but use to manage and shape the policies of the future. Using this knowledge and mapping the ILC cycle will help businesses (and government) understand how to leverage the innovation and properly commoditise the services needed.


Value of Enterprise-wide Risk Management: argument against maintaining the status quo

January 26th, 2015

Today’s post is based on several things colliding at the same time for me: discussions with friends, colleagues and some Twitter banter.

Everywhere I’ve been, risk management is broken into discrete units and managed individually, ostensibly due to its complexity, working on the assumption that what they have is enough. Even Enterprise Architecture Frameworks skip over how Risk Management is to be engaged and offer little to no support in understanding the holistic picture.

Despite the argument of organisations that they don’t believe enterprise risk management (ERM) is necessary, or that the existing static, compliance-based tools or techniques employed are sufficient, there is a place for ERM. Assuming that the nature of the business will stay the same, and that what exists is as good as it gets, is an arrogant disregard for the fact that environments change. There will always be a requirement to navigate risk in business, as to avoid risk is to avoid success.

  • How do you navigate risk in your business?
  • Do you use a spreadsheet compiled from compliance questions?
  • How about a pre-canned register provided by a consulting company?
  • Is risk management handled at a project or programme level without higher level visibility within the organisation?
  • Is there a single, unified view of risk management?

To disregard risks that may destroy value, you risk destroying the business; this is what static, disaggregated risk management techniques can cause. ERM, that is looking holistically at the organisation, provides a structured and disciplined process that aligns strategy, process, people and technology in order to maximise the desired outcomes and minimise the undesirable.

A holistic ERM approach allows the identification of various types of risks, providing the necessary visibility to the business. This visibility can give the business the ability to apply a measured and complete approach to the remediation or mitigation of risks, through tools and techniques, as well as identifying emergent risks to the organisation. As an example, a change in one area of the business’ policy due to legislative change may have further implications, which, if handled in isolation, would not allow the business to be proactive.

Focusing on a single component of risk, such as looking to insurance as a loss reduction technique for operational and financial risk, neglects the other risk types (technical, operational, financial, commercial or project-based/time-based) and has the same effect as a business-silo risk management model.


Stealing your data while you watch

December 20th, 2014

In IT and IT Security there is a constant complaint about the risks of shadow IT and the adoption of consumer collaboration and sharing tools. Over the last couple of years we also saw the emergence of novel exfiltration techniques, including the persistent ultrasonic technique, where the infected device communicates with other compromised hosts via high frequency sound; the Twitter-based technique, where malware sends out data 140 characters at a time for anyone to read; and the more recent video technique, encrypting data in video files and putting corporate secrets onto video sites for later retrieval.


ThruGlassXfr starts to make an impact

October 2nd, 2014

It is awesome to see that Ian Latter’s work on bypassing all security measures to exfiltrate data via the screen is starting to be received by the InfoSec community. Today an article written by Richard Stiennon on Ian’s presentation at COSAC has been syndicated through to Forbes. Well done Ian! This follows up on a post I did in July when I was allowed to start talking about TGXf.

As part of Ian’s presentation preparation (and in response to a number of CFP reviewers NOT READING HIS SUBMISSIONS) he also prepared a number of videos demonstrating the capability of ThruGlassXfr, along with his ThruKeyboardXfr.

ThruGlassXfer Open Letter (PDF) – TGXf VER8 FPS5 GD
http://youtu.be/IXlYDYjqFLU

Android smart-phone in flight mode, downloading a PDF from Youtube via a Laptop screen
http://youtu.be/2_8GlFdlb0Y

TGXf Demo – Open Letter PDF, ANSI (Terminal) Version 1 at 8 FPS
http://youtu.be/ZrMN54Rooec
(i.e. you don’t need graphical access to steal data)

TKXf Demo – Keyboard upload of virus to hardened Windows platform
http://youtu.be/2Szza7dQZsY
(i.e. I can type a virus into Windows .. stop me)

TKXf Demo – Keyboard upload of payload via Windows to Linux
http://youtu.be/QmROf-Tx92E
(i.e. I can type any payload into anything via anything .. stop me)

TCXf Demo – Attacker exfiltration from Linux via socket over PuTTY/XPe/HP Thin Client
http://youtu.be/sMHx5VDpFjQ
(i.e. I can route anything via anything over screen and keyboard)

And my personal favourite!!!!!
TCXf Demo – IP networking over Screen and Keyboard!
http://youtu.be/PdjhevoBKbs

Yes that last one is a functional network over TGXf and TKXf…

As a Security Enthusiast I love seeing this, though I have to say as a Security Technology Vendor and IT Outsourcing and Management Supplier it causes me pause. Now I finally have that enthusiasm back to write that paper on the risks of BYOD.


ThruGlassXFER – exfiltration via QRCode

June 10th, 2014

This week Ian Latter, under his MidnightCode moniker, started to release information on his proof of concept for the exfiltration of information using QR codes, called ThruGlassXFER. This is ahead of his presentation at COSAC in Ireland and his time at BlackHat later this year.

The full ThruGlassXFER White-Paper and proof of concept apps are coming. I was privileged enough to see this project as it emerged including the functioning proof-of-concept. The White-Paper will walk people from first principles through to sample code. There are also some inventive ways to get the base code onto secure systems.

This can put to bed the argument that a system that delivers only a remote display, mouse and keyboard is secure and that information cannot be easily exfiltrated from it. Yes, I understand that this is an oversimplification of the potential issue. Looking forward to how this is received and what people do with it.

My hat goes off to Ian!
