Vehicle cybersecurity

--Originally published at Hermes's Blog

Today’s behicles feature driver assistance, like collision warning, automatic emergency braking and safety vehicle communications. The NHTSA (National Highway Traffic Security Administration) is exploring the full spectrum of its tools to ensure these technologies are deployed safely and effectively. It encourages the implementation of NIST Cybersecurity Framework. NHTSA promotes a multi-layered approach to cybersecurity by focusing on a vehicle’s entry points, both wireless and wired.

Malicious exploitation of security vulnerabilities in connected cars is a major problem, with news stories of hacking interfering with consumer acceptance of the current and future capabilities of vehicles.

The first well known security compromise of a smart vehicle, a 2014 Jeep Cherokee was hacked by security reserchers Charlie Miller and Chris Valasek in 2015, they were able to turn the steering wheel, disable the brakes and shut the engine down, all remotely. They also discovered that they could access thousands of other vehicles that were using the Uconnect entertainment and navigation system, common in Dodge, Jeep and chrysler vehicles.

It is good to know that automotive manufacturers and transportation compaines are well informed about these problems and are taking it very seriously, hiring cybersecurity experts as part of a concerted auto industry effort to greatly increase the strength of security features in cars.

Sources:

https://www.nhtsa.gov/technology-innovation/vehicle-cybersecurity

https://hackernoon.com/smart-car-hacking-a-major-problem-for-iot-a66c14562419

Cybersecurity in healthcare

--Originally published at Hermes's Blog

One of the most terryfing things in cybersecurity is not our private data being leaked. Imagine our own health is compromised our healthcare data from an hospital is leaked, or even that some critical devices in our bodies could be manipulated remotely by others.

A Bayer MedRad device used to assist in MRI scans infected with the WannaCry ransomware from Forbes.

Past year, when the WannaCry ransomware was a thing, some hospital networks were infected, causing hospitals to close their doors to new patients and halting treatments for other patients because they were not able to access the patient’s data records. A lot of healthcare data is being stored in the cloud, this has a expected growth rate of 20.5% by 2020, this is such a risk because, data in the cloud must be correctly protected, it requires robust encryption measures and appropiate authentication. 90% of hospitals run legacy applications to preserve patients data, these kind of applications can have serious security holes that a cybercriminal could take advantage of, they run old and unpatched operating systems (Causing the WannaCry infection).

Last year, St Jude Medical’s pacemakers had a security scandal. It turns out that half a million of patients’ pacemakers could be hacked to run the batteries out or even alter the patient’s heartbeat. The manufactured issued a firmware update (ha! an update for your heart, isn’t that cool?). They are all radio-controlled implantable cardiac pacemakers. The FDA (Food and Drug Administration agency) says that the vulnerability allows an unauthorised user to access a device using commercially available equipment and reprogram it, this could lead to the death of the patient. The security weakness was discovered by MedSec, a cybersecurity firm that specialises in researching vulnerabilities in the medical devices and healthcare industries, and it had previously been the target of a lawsuit from SJM for disclosing such vulnerabilities. It turns out that St Jude Medical knew about this vulnerability since 2014, but did not took action until the weakness was make public. You can read more about here, the story is great, with lots of plot twists.

Another device that might be a source of security scandals in the future is the artificial pancreas system, this thing is an IOT insuline monitor glucose monitor that comunicates with an insuline pump and a computer (like a raspeberry pi) via radio waves. There is even an open source project that lets you create your own system called OpenAPS.

Sources

http://resources.infosecinstitute.com/top-10-threats-healthcare-security/

https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update

Quantum Computing

--Originally published at Hermes's Blog

Here’s a really good video that explains (vaguely) quantum computing.

The fact that quantum compures have much more computational power than modern computers and are capable of factorazing very large numbers is a big threat to today’s cryptgraphic algorithms that rely on the assumption that factorizing really large numbers is a a so expensive operation that is nearly impossible to do so, but quantum computers will be able to complete the factorization in a short enough amount of time, and when cryptigraphic algorithms collapses so does network security.

But sure enough, quantum computers are not just a threat to network security, they are too the solution. Quantum cryptography relies on the Heisenberg Unsertainty Principle, which states that an observer cannot fully measure a moving object’s position and path without affecting one or the other.

And here’s a TED video explaining The Heisenberg Unsertainty Principle:

Koley (CTO of Juniper Networks) explains: “Typically, photons are used over a fiber-optic channel to achieve this [transmit information in quantum state], any attempt to measure one of the entangled photons leads to changes in the quantum state of the other, and therefore is detected. Thus, QKD offers a key distribution mechanism where any attempt to intercept the key by eavesdropping is revealed and the keys are discarded. QKD is not vulnerable to cracking attempts by quantum computers the same way that traditional cryptographic techniques are because any interception attempts in the QKD paradigm are readily detected. This is one of the reasons QKD is considered to be a good candidate for post-quantum security.”

And here’s a video explaining the QKD algorithm:

More resources on the subject:

https://www.techrepublic.com/article/how-quantum-computing-could-create-unbreakable-encryption-and-save-the-future-of-cybersecurity/

http://www.bbc.com/news/technology-36203043

https://www.britannica.com/science/uncertainty-principle

https://research.google.com/pubs/QuantumAI.html

SQL Injection Attack

--Originally published at Hermes's Blog

Sometimes web developers don’t realize that their SQL queries are able to circumvent access control and sometimes they allow access to host operating system level commands.

An SQL Injection is a method of creating or altering existing SQL commands to expose hidden data, override existing data or even delete it. This is usually accomplished by taking advantage of existing static parameters in appliction to build SQL queries

used to combine it with user input. This way, malicious users can paste extra SQL queries into the application, and, depending on the privileges given to the app’s user (usually admin privileges), they are able to perform different actions.

What is the solution? Just sanitize the user input. It’s basically validating that the user input is what you expect it to be, check that it’s an integer, check that it has certaing format, check that it does not contain weird characters or even sql sentences. Also, mutate the original user input to convert special character to its html equivalent, remove line breaks and extra space and strip octets.

References:

https://secure.php.net/manual/en/security.database.sql-injection.php

https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data

IOT and botnets

--Originally published at Hermes's Blog

Internet of things is the name that people give to whatever device that is not a pc (a microwave, a fridge, a pan, etc.) and is connected to the internet. Its purpose is to provide the device with useful functionalities that are only possible when you have the amount of data that is available on the internet, and to be able to comunicate with other devices.

The problem is, these kind of devices are super vulnerables becacuse they are never updated. Every now and then new security issues in protocols and implementations are discovered, recent examples are the dirty cow, krack attacks, meltdown and specter. These devices basically provide an army for hackers, they can infect Iot devices and take control of them whenever they want. Infected Iot devices can even propagate the infection to other nearby devices.

And so, a botnet is capable of DDoS attacks, since all their own IP addresses are unique and usually non related.

And now, the solution is, companies should update their devices, but there’s a problem, these companies are not usually very involved in tech, I mean, Google does not manufactor microwaves (though it would be cool). These companies usually stop suporting a device as soon as a new version of the device arrives to the market. I think a more realistic solution is, users should think about what they buy, do they really need a baby monitor connected to the internet? That’s super creepy if you ask me.

Source:

https://www.forbes.com/sites/bernardmarr/2017/03/07/botnets-the-dangerous-side-effects-of-the-internet-of-things/#4c826c713304