Error Code

There’s a lot of talk about using AI and LLM in security. For example, could ChatGPT detect the vulnerable spots for power for analysis in particular pieces of code using Advanced Encryption Standard?  Witold Waligora, CEO of CloudVA, talks about his Black Hat Europe presentation, How We Taught ChatGPT-4 to Break mbedTLS AES With Side-Channel Attacks.

You might think that internet connected cameras would be limited in use by a bad actor. Actually such devices can be an entry point into an organization, providing yet another means of accessing the internal network. Mohammad Waqas, a field CTO at Armis, spoke at SecTor 2023 about the threat posed by IoT and OT devices in future cyberwarfare and discusses here why we need to broaden our attack surface defenses to include them. 

There’s a fake news report about three million internet-enabled toothbrushes contributing to a botnet. Unfortunately the mainstream media ran with the story before questioning its basic assumptions. This is a story about IoT devices and the fact that we still don’t understand how they are vulnerable. Tom Pace, co-founder and CEO of NetRise, talks about vulnerabilities inherent in the IoT space that are often misconstrued and how we need to ask more questions about the software and the hardware being used if we want to secure critical infrastructure tomorrow.

Ransomware groups have bifurcated with some doing pure ransomware and others going straight to extortion; it's whether the data is ransomed on your network or theirs. Nick Biasini from Cisco Talos talks about the threats he’s seeing, in particular, SapphireStealer which is open source and using GitHub to crowdsource new features.

The Purdue Model used in OT is essentially network security from the 1990s. New threats and new tech however required us to rethink that on the network side so how do we bring that new thinking to work with legacy OT systems? John Taylor of Versa Networks explains how there's a lot of implicit trust in the IoT and OT devices themselves, yet they don't have antivirus. Or firewalls. Worse, you're basically depending on the manufacturer of that device to provide security updates if necessary, and oftentimes they don't. Perhaps it’s time for a new approach such as SASE or secure access service edge.

Flaws within the chips in our laptops, in our homes, and in our critical infrastructure could become the access one needs to steal data if not just shut down an assembly line, or hold up production of a vital resource like power or water. Josh Salmanson, senior vice president at Telos, discusses why we’re seeing more and more pre-compromised routers in critical environments today and what we might do to mitigate that in the near future.

Can your OT function if the IT system goes down? OT self-sufficiency is critical for infrastructure such as rail systems. Christopher Warner, from GuidePoint Security, discusses how this infrastructure resilience is important not only for the rail industry but for most of the other critical infrastructures in general. 

Quantum computers will change and even break the cryptography we have today. To defeat a "Harvest Now, Decrypt Later" strategy by bad actors (even nation states), Denis Mandich, CTO and co-founder of Qrypt, is proposing a type of crypto agility that compiles the keys on your laptop instead of distributing them across the internet. He also talks about how you won’t need a quantum computer in your home; you’ll be able to access one in the cloud the way you can access AWS today.

When we think of massive compute power, we think of the Cloud when we really should consider the millions of unprotected OT devices with even greater slack computer power than all our current Cloud services combined. Sonu Shankar, Vice President of Product at Phosphorus Cybersecurity, talks about the challenge of communicating with PLCs and other devices, the risks from newer OT devices, and how all password-less OT devices really need to be protected. He says attacks aren’t just DDoS; today OT attacks can exfiltrate data as well.

There’s much of the electromagnetic spectrum that we cannot see. Like how LED wristbands are triggered at concerts or how to identify someone at DEF CON in a crowd of cellphones and electrical devices. Eric Escobar of SecureWorks provides some really clear analogies to help anyone visualize the differences between NFC, Bluetooth, and Wi Fi such as how your router and your microwave are both 2.4GHz - the difference is the number of watts behind each signal.

How might we mitigate the risk to millions of unauthenticated devices already out in the field?  Ron Fabela, Field CTO at XONA Systems, has some ideas about how to achieve zero trust in either legacy or new OT systems. Really, it’s just a matter of reducing the attack surface.

In a talk at Black Hat USA 2023, Sharon Brizinov and Noam Moshe from Claroty Team82, disclosed a significant vulnerability in the Open Platform Communications Universal Architecture or OPC-UA, a univsersal protocol used to synchronize different OT devices. In this episode they also discuss a new open source OPC exploit framework designed to help OT vendors check their devices in development.

Transcript.

What would happen if someone stole the encryption keys for a major satellite? Well, it’d be game over. Unless the satellite used quantum cryptography. Skip Sanzeri from QuSecure explains how using “quantum tunnels” will allow even legacy satellites in orbit today to become secure in a rapidly approaching post-quantum world.

This is a story of what's needed for the Capture The Flag competition at DEF CON 31 to be hosted for the first time on a live satellite orbiting 400 kilometers above the Earth. Mike Walker continues his conversation, focusing more on the game to be played in Hack-A-Sat 4.

Moonlighter is the world’s first and only hacking sandbox in space. Currently orbiting the earth near the International Space Station, the satellite is the playground for this year’s Hack-A-Sat 4 competition at DEF CON 31. Mike Walker, from Cromulence, discusses the difference between hacking a live satellite in orbit vs the previous Hack-A-Sat CTFs which only simulated the experience. We discuss limited contact windows, latency, and other aspects of orbital mechanics which will surely influence how Hack-a-Sat 4 will be played.

Could a personal medical device be a threat for an organization? Turns out it’s similar to protecting against an attack on a mobile device. Except a denial of service here could prove fatal. Todd Brasel, the author of Security Issues of Personal Medical Devices: Concerns, Characteristics, and Controls, discusses with Error Code the research he’s done on devices either inside the body or just outside, the vulnerabilities in communications they sometimes have, and the mitigations available today.

Josh Corman, VP of Cyber Safety Strategy at Claroty, is a hacker who knows U.S. public policy well. Ten years ago he created a volunteer organization, I Am The Cavalry, to help educate sitting legislators on active cybersecurity issues. In this episode of Error Code, Josh talks about the recently passed PATCH ACT and how it addresses some of the issues around patching medical devices over the lifetime of the device rather than just at the time of FDA certification. He also talks about his experience working for CISA during COVID-19 and how that helped inform issues within the PATCH ACT.

This is the story about researchers who monitor the threats against IoT and OT systems, and the steps being taken to mitigate them.  Ishmael Valenzuela, Vice President of the threat research and Intelligence Team at BlackBerry, shares the latest insights from his company’s Cybersecurity Global Threat Intelligence Report. We talk about threats from Latin America and elsewhere, how firewalls alone won’t necessarily protect OT devices, how attackers and defenders are using AI technology, and how hospitals are seeing perhaps the most increase in threats.

There’s a lot of FUD around hacking the power grid. Most often, there’s a more common cause: Soot. Even Squirrels. Jori VanAntwerp, CEO of SynSaber. talks about the realities of the US power grid vs the myths. While there’s room to improve, there’s also a great amount of resilience already in the electrical system today.

How the rapid proliferation of EV charging stations is already leading to attacks on the stations and the vehicles themselves, and what we should do about it.  Charles Eagan, CTO of BlackBerry, talks about the rush to create these charging stations and the traditional problems with IoT – vulnerable versions of the OS, of the open source, and even some of the protocols being used. He also talks about how we can improve the security of software defined vehicles and their ecosystems.

The Biden-Harris 2023 National Cybersecurity Strategy breaks with Cold War thinking and offers a bold new approach to today’s online offense and defense. Danielle Jablanski from Nozomi Networks breaks down the ambitious new policy which includes explicit mention of ICS and OT technologies for the first time.

We’ve already seen botnets composed of compromised devices like routers and security cameras. So how do we secure them and our smart lightbulbs too? Window Snyder, CEO of Thistle Technologies, explains how new devices can be partitioned with failovers and then serviced with regular updates all monitored from a central dashboard. Even devices already in the field today can also be upgraded and secured in some cases.  

This is the story of Cris Thomas aka Space Rogue, who’s written perhaps the best book about the early days of hacking, Space Rogue: How the Hackers Known as the Loft Changed The World. Unlike a journalist merely chronicling events in Boston in the 1990s from the outside, Cris was on the inside. This is not only the story of the L0pht but it's also the story of his life, so he seamlessly provides the often missing context of the time with countless asides and anecdotes woven in instead of tacked on. In this episode of Error Code, Cris also drops a lot of names.

This is the story of Zhadnost, of how an IoT-based botnet was conscripted into an online war in the days immediately before the kinetic Ukraine invasion. Ryan Slaney of SecurityScorecard walks us through the timeline of these attacks and the evidence of attribution he found linking it to Russia’s GRU.

What if a vulnerability exists in popular ICS devices, yet the only fix is to re-issue the hardware? This is true with some embedded security flaws. Ang Cui, founder and CEO of Red Balloon Security, talks about his company’s discovery of CVE-2022-38773, which affects the secure boot process in Siemens S7 1500 PLCs, and what the mitigations for devices using that might look like.

IoT can make patient care easier.. But how do we introduce new IoT medical devices into an ecosystem where we can’t even keep tabs on our legacy devices? Mohammad Waqas discusses conversations he’s had with hospitals about the device profiles they don’t necessarily know about – the over-the-counter glucose monitor app on an iPad that hasn’t gone through IT provisioning - and what they can do about it.

The Vastaamo data breach stands as one of the most heinous of internet crimes because of the 30,000 psychiatric records that were exposed and the lives it ruined. Antti Kurittu discusses his presentation at SecTor 2022, what we know thus far from the public record, and the news of the Finnish arrest warrant for the individual only previously known as “Ransomware_Man”. 

IoT and Machine Learning can help farmers provide more food with fewer resources, so long as the devices in the field and the backend systems are secure. Seth Hardy, co-founder and CTO of Bug Mars, a precision agtech company for insect farms, discusses his SecTor 2022 presentation, drawing upon his more than 20 years of security experience in his new role in sustainable food production.

Quantum computing will make great advances in science; it will also have the ability to decrypt banking, healthcare, and other industries' stolen data. Skip Sanzeri of QuSecure explains how quantum computing is advancing rapidly, how it has the power to crack RSA 2048 and other encryption that we know take for granted today, and why his and other companies are talking about our post-quantum encryption world today. Dn3NZumn4pPpnVhpt6GH

This is the history of hardware hacking and the story of Joe Grand. From testifying before Congress to creating badgelife at DEF CON, Joe has done it all. And he’s darn humble about it, too. Joe just wants to share through his classes, website, and YouTube channel all that he’s learned since his days with the L0pht, the tools he’s created, and the work he’s currently doing with Right to Repair. He just wants to make the art of hardware hacking more accessible to others. 

What happens now to the digital test environment built for Hack-A-Sat 3? Well, it becomes a rich testing and training environment for all on GitHub. Login Finch and Frank Pound continue sharing some of the behind-the-scenes challenges presented by hosting a Hack-A-Sat capture the flag competition, this time drilling down details behind the Digital Twins environment that needed to be built in advance of next year’s hack of an actual satellite in orbit.

Satellites today lack basic security controls. With as little as $300, you, too, can hack into commercial satellites. So that’s an emerging IoT problem. 

Frank Pound and Login Finch share in this episode their work with Hack-A-Sat. It’s a unique Capture the Flag challenge that’s never been tried before. Here’s the background story of how the project got started … and where it’s going.

Error Code is a biweekly narrative podcast that provides you both context and conversation with some of the best minds working today toward code reliance and dependability. Work that can lead to autonomous vehicles and smart cities. It's your window in the research solving tomorrow's code problems today