Inadequate IoT Security is Setting Regulators on Collision Course with the Entire Open Source Movement

open-source-softwareIt was Charles Dickens’ much celebrated novel Oliver Twist that first popularized the phrase “the law is an ass.” It resonated far and wide for people who viewed the British legal system of the time as unjust and at odds with common sense. Now, no one is suggesting that the highly evolved legal and regulatory system we have in the modern United States is anything like the situation Dickens described 177 years ago. But it remains that rules set by regulators and lawmakers have consistently failed to keep up with the pace of technological change – and there’s a real danger they could now threaten the development of the Internet of Things (IoT) and embedded computing.

Read more of this post

Virtualization, silicon, and open source are conspiring to secure the Internet of Things

My chat with Brandon Lewis, Technology Editor at  IoT Design, highlighting prpl’s push around roots-of-trust, virtualization, open source, and interoperability in order to secure the Internet of Things (IoT).

Credits: Brandon Lewis, IoT Design, January 28, 2016 @TechieLew

security-guidance-coverThe prpl Foundation is known for open source tools and frameworks like OpenWrt and QEMU, but has recently ventured into the security domain with a new Security prpl Engineering Group (PEG) and the “Security Guidance for Critical Areas of Embedded Computing” document, not to mention wooing you away from your role at security giant Trend Micro. What can you tell us about the drivers behind these moves?

Cesare: One way to look at it is a supply-and-demand schema. On the demand side, according to Gartner, the security market was worth $77 billion in 2015 and it’s going to grow much faster. One strong demand-side driver is the need for stronger security, because industry is not doing a very good job of it – and when I say industry I mean from silicon to software to services – and all of the spending is not resulting in better information security. Read more of this post

How to Fix the Internet of Broken Things

iot-securityThe Internet of Things is already permeating every part of our lives – from healthcare to aviation, automobiles to telecoms. But its security is fundamentally broken. In my previous blog I’ve shown how vulnerabilities found by security researchers could have catastrophic consequences for end users. This isn’t just about data breaches and reputational damage anymore – lives are quite literally on the line. The challenges are many: most vendors operate under the misapprehension that security-by-obscurity will do – and lobby for laws preventing the disclosure of vulnerabilities; a lack of security subject matter expertise creates major vulnerabilities; firmware can too easily be modified; and a lack of separation on the device opens up further avenues for attackers.

But there is something we as an industry can do about it – if we take a new hardware-led approach. This is all about creating an open security framework built on interoperable standards; one which will enable a “root of trust” thanks to secure boot capabilities, and restrict lateral movement with hardware-based virtualization.

Read more of this post

The Security Challenges Threatening to Tear the Internet of Things Apart

IoT SecurityThe Internet of Things (IoT) has the power to transform our lives, making us more productive at work, and happier and safer at home. But it’s also developing at such a rate that it threatens to outstrip our ability to adequately secure it. A piece of software hasn’t been written yet that didn’t contain mistakes – after all, we’re only human. But with non-security experts designing and building connected systems the risks grow ever greater. So what can be done?

Read more of this post

Securing The Internet of (broken) Things: A Matter of Life and Death

Securing the Internet of broken thingsIf you’re like me you’ll probably be getting desensitized by now to the ever-lengthening list of data breach headlines which have saturated the news for the past 24 months or more. Targeted attacks, Advanced Persistent Threats and the like usually end up in the capture of sensitive IP, customer information or trade secrets. The result? Economic damage, board level sackings and a heap of bad publicity for the breached organization. But that’s usually where it ends.

Read more of this post

The GitHub attack – is the worst still to come?

What we can learn from the recent cyber attack to the popular website GitHub and why we should worry about what is likely to come next.

 

TTL analysis performed by Netresec in SwedenOver the last few days the popular website GitHub has been the target of a massive Distributed Denial Of Service attack – DDoS, apparently originated from China. As I write this note, the GitHub status webpage now indicates “Everything operating normally” and “All systems reporting at 100%”. However, I am afraid the story is far from over and the worst may still be to come.

GitHub is the largest and most popular repository of open source projects and a key infrastructure website for the Internet. Among other, GitHub hosts the Linux project – arguably the world’s most widespread open source software. Various flavors of Linux power most of the Internet servers and an ever-increasing number of consumer devices across the globe.

Read more of this post