Smart Phones & Tablets – Security vs Usability

31 07 2012

Let’s start with some interesting facts about smartphones and tablets:

  • In June 2011, for the first time ever, people spent more time using mobile applications (81 mins) than browsing the mobile web (74 mins) (Lookout Mobile Security)[1]
  • In 2011, for the first time, smartphone and tablet shipments exceeded those of desktops and notebooks (Meeker)[2]
  • As of July 19th, 2012, the total number of applications available on Android Market is “485422” (Appbrain)[3]
  • As of July 21st, 2012, the estimated number of applications downloaded from Android Market is 9,613,765,347 (Androlib)[4]
  • Total active apps available for download on iTunes: 684,396 (Biz)[5]
  • 83 percent of young people sleep next to their cell phones (Pearcy)[6]
  • The value of mobile payment transactions is projected to reach almost $630 billion by 2014, up from $170 billion in 2010 (Lookout Mobile Security)[7]

How many of you used a smartphone in the last hour, and how many of you have it next to you while reading this blog? How many of you are reading this blog on a smartphone or tablet?

Don’t you think that the exponential growth in mobile applications and smartphone usage is also attracting cybercriminals who want to take advantage by spreading mobile malware and viruses, or by using smartphones to steal information or get access to sensitive data? Hackers will try to spread viruses over mobile networks because smartphones, besides making phone calls, are used for SMS, MMS, email, personal and business mobile applications, and mobile commerce including internet banking. This gives hackers a multitude of options to exploit networks, phones/tablets and mobile applications.

You may be surprised that smartphones face more threats of security breach than your desktop or laptop. Unlike desktops or laptops, smartphones do not commonly receive patches and upgrades. Users don’t change their O/S or mobile server frequently – in most cases it never gets changed. Unlike a laptop or tablet, smartphones are always on and running.

There is a growing number of viruses, worms and Trojan horses targeting smartphones. Though so far none of the new attacks has done extensive damage, it may be only a matter of time before that occurs. These attacks may impact an individual user, e.g. by using their personal information to make calls, or by using their payment information in the case of mobile commerce or internet banking over the phone. They can also impact the organization, either by stealing company data residing on smartphones and tablets, or by using the smartphones to get onto its network. Besides this, attackers can also generate attacks to degrade or overload mobile networks, eventually resulting in denial of service, or cause phones to make hoax calls – dial and disconnect.

Some of the threats faced by smartphones and tablets are:

  • Application Based Threats – Malware, Spyware, Privacy Threats, Vulnerable Applications
  • Web-Based Threats – Phishing Scams, Social Engineering, Drive-By Downloads, Browser exploits
  • Network Threats – Network Exploits, Wi-Fi Sniffing, Man In the Middle attacks, Bluetooth Sniffing and SMS hijacking
  • Physical Threats – Lost or Stolen Devices, Data Breach, Loss of Personal or intellectual property and trade secrets

Both iOS and Android, the two leading smartphone operating systems, have their own unique security model. iOS is extremely proprietary while Android is open. This very fact has its own implications, and vulnerabilities have been exploited on both of them. For example, the DroidDream malware that emerged in the Android Market in Q1 2011 utilized two exploits, Exploid and RageAgainstTheCage, to break out of the Android security sandbox, gain root control of the operating system and install applications without user intervention (Strazzere)[8]. As a result of DroidDream, Google ended up pulling more than 50 apps from Android Market. Similarly, JailbreakMe 3.0 for Apple iOS devices, even though it is a non-malicious web page, exploits two vulnerabilities to jailbreak a device (Jean)[9]. Mac hacker Charlie Miller has found a way to sneak a fully-evil app onto your phone or tablet, right under Apple’s nose (Greenberg)[10].

Despite the threats and security concerns, there is no denying that the growth of smartphones and tablets is on the rise, and we are going to see more and more applications and functionality available on these devices. Now you might be thinking about the classic two factor conundrum – Usability vs Security. Below are some of the steps that will help us strike a balance between usability and security.

Data Protection – Do not store any sensitive data, e.g. passwords or personal data, on the phone. Ensure that applications store all confidential data on the server rather than on the phone. For data stored on the phone, use the encryption API or software provided by the OS or a third party. When the application is closed, ensure that the data in the cache is also cleared. Data management and secure key management help in protecting sensitive data not only on the phone but also on any external media, e.g. SD cards and flash media.

Credentials and Tokens – Rather than using password-only authentication, consider using authorization tokens (e.g. OAuth 2.0 Model) on the device. These tokens can be encrypted in transit using SSL/TLS. Ensure that these tokens are time bound and that neither passwords nor keys are visible in caches or logs.
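The two requirements above (tokens that expire, and secrets that never reach the logs) are shown here in an added example that is not part of the original post. A simple HMAC-signed token stands in for an OAuth 2.0 access token; the key, the subject name, the logger name and the log lines are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import logging
import re
import time


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, subject, ttl_seconds, now=None):
    """Server side: sign a payload that carries its own expiry time."""
    now = int(time.time()) if now is None else int(now)
    claims = {"sub": subject, "exp": now + ttl_seconds}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return payload + "." + sig


def verify_token(key, token, now=None):
    """Return the subject for a genuine, unexpired token, otherwise None."""
    now = int(time.time()) if now is None else int(now)
    try:
        payload, sig = token.split(".")
        expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
        # Check the signature before trusting anything inside the payload.
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:
        return None
    if now >= claims["exp"]:  # time bound: reject at or after expiry
        return None
    return claims["sub"]


# Matches the secret that follows a bearer header, access_token= or password=.
_SECRET_RE = re.compile(
    r"(?i)\b(authorization:\s*bearer\s+|access_token=|password=)([^\s&\"']+)"
)


def redact(text):
    return _SECRET_RE.sub(r"\1[REDACTED]", text)


class RedactSecrets(logging.Filter):
    """Logging filter that scrubs tokens and passwords before a record is emitted."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class _ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the demo can inspect them."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def demo():
    key = b"constructed-demo-key-not-for-production"
    token = issue_token(key, "alice", ttl_seconds=300, now=1_000_000)
    tampered = token[:-1] + ("A" if token[-1] != "A" else "B")

    log = logging.getLogger("mobile-api-demo")  # hypothetical logger name
    log.setLevel(logging.INFO)
    log.propagate = False
    handler = _ListHandler()
    handler.addFilter(RedactSecrets())
    log.addHandler(handler)
    log.info("GET /accounts Authorization: Bearer %s", token)
    log.info("login user=alice&password=%s", "hunter2")
    log.removeHandler(handler)

    return {
        "token": token,
        "fresh": verify_token(key, token, now=1_000_100),
        "expired": verify_token(key, token, now=1_000_300),
        "tampered": verify_token(key, tampered, now=1_000_100),
        "log_lines": handler.lines,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```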

Securing Data in Transit – Smartphones support various communication networks and can join a particular network randomly. For sending any data, one can use certificates signed by CA providers or a strong encryption algorithm like AES with an appropriate key length. To avoid man-in-the-middle attacks, avoid establishing a connection without verifying the end point. Last but not least, do not send any sensitive information using SMS or MMS. For securing data and communication, one can integrate the solution with network-based technologies, e.g. NAC, to identify the appropriate access rights based on the user identification and security profile of the handheld device.

Mobile Device Management – Besides using the OS password and application remote kill possibilities, consider implementing a Mobile Device Management solution that can enforce various policies like phone lock or data wipe after ‘N’ failed login attempts. Using an MDM solution you can lock, wipe, track, manage downloaded applications and do a remote restore if required. This provides safety not only against loss or theft but also helps in managing the applications that can reside on the phone, along with implementing corporate mobile policies.

Anti-Virus and Anti-Malware – You might be wondering about the various anti-malware or anti-spyware solutions. The good news is that there are plenty of options available, including on-device personal firewalls. Anti-spam software can be used to protect against unwanted SMS or MMS messages. However, one needs to be careful, as these tools do have a negative impact on the performance of phones and applications. Smartphones are highly optimized and somewhat tight on resources – RAM, CPU and battery. Running anti-virus and anti-malware tools can have a significant impact on performance and resource consumption. During a scan, CPU utilization goes up to 80%, with wide fluctuations in battery usage of up to 264mA (Stephanow & Subramanian). This consumption is directly associated with the amount of data, hence back to the point discussed above – one must be careful in identifying which data needs to reside on the phone. One should try to keep the data in the cloud or on a back-end server, because it is easier to secure a server; this not only maintains data integrity but also secures the data in case of loss or theft of the phone.

Conclusion: By implementing some or all of the above-mentioned steps, organizations and individuals can secure their smartphones and ensure that they are enjoying increased productivity without worrying about securing their data, applications and phones.

________

  1. Androlib. (n.d.). http://www.androlib.com/appstats.aspx. Retrieved from http://www.androlib.com.
  2. appbrain. (n.d.). http://www.appbrain.com/stats/number-of-android-apps. Retrieved from http://www.appbrain.com.
  3. Biz, A. (n.d.). App Store Statistics. Retrieved from http://148apps.biz/app-store-metrics/.
  4. Greenberg, A. (n.d.). iPhone Security Bug Lets Innocent-Looking Apps Go Bad. Retrieved from http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/.
  5. Jean. (n.d.). Analysis of the jailbreakme v3 font exploit. Retrieved from http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit.
  6. Lookout Mobile Security. (n.d.). MOBILE THREAT REPORT. Retrieved from https://www.mylookout.com/mobile-threat-report
  7. Meeker, M. (n.d.). techcrunch.com/2011/02/10/meeker-mobile-slides/.
  8. OWASP. (n.d.). OWASP Mobile Security Project. Retrieved from https://www.owasp.org/index.php/OWASP_Mobile_Security_Project.
  9. Pearcy, A. (n.d.). http://www.prdaily.com/Main/Articles/Infographic_83_percent_of_young_people_sleep_next_9391.aspx. Retrieved from prdaily.com.
  10. Stephanow, P., & Subramanian, L. (n.d.). An Architecture To Provide Cloud Based Security Services for Smartphones.
  11. Strazzere, T. (n.d.). Update: Android Malware DroidDream: How it Works. Retrieved from http://blog.mylookout.com/blog/2011/03/02/android-malware-droiddream-how-it-works.

 





Transnational Organized Crime and Internet Fraud

30 07 2012

Over the past decade the internet has accelerated as a prime tool for transnational organized crime (TOC) to commit fraud.  The internet is a great haven for TOC to commit crime against a great number of victims, from just about any point on the globe,  with limited chance of prosecution (Cukier).  It is user demand for online financial account access which has fueled organized crime to aggressively invest in technological tools and relationships, to intercept this financial data for their own gain (Smith), all the while building a most efficient business machine.

Below we discuss the technical tools, business strategies, and current trends as they relate to fraudulent activity within the boundaries of the world wide web.

Technical Tools

It follows that organized crime has driven malware development and distribution to infect computer systems worldwide.  While our focus here is on fraudulent activity, malware is indeed used for a greater number of purposes.

Malware is ‘any malicious software, script or code developed or used for the purpose of compromising or harming information assets without the owner’s informed consent’ (Verizon).  Its popularity is likely due to an attacker’s desire to stay in control of a system after gaining access, and its successful use in high volume automated attacks (Verizon).

We define ‘crimeware’, a subcategory of malware, as ‘software that performs illegal actions unanticipated by a user running the software, which are intended to yield financial benefits to the distributor of the software’ (Smith).  Hence, crimeware used for fraudulent purposes involves the acquisition of personal private information for one’s own use, or the resale of personal information or access to a computer system to a second party (Smith).

Crimeware is distributed via many techniques, including social engineering exploits, content injection attacks, software vulnerabilities, and software downloads.  Two basic types of crimeware are utilized for data theft (Smith):

1.  System reconfiguration crimeware

Here the code runs one time and alters a system configuration, leading the user system to send off data to a server without requiring software to remain on the system.

2.  Resident crimeware

Here the code remains on the system while collecting user information and sending it to a site accessible to the attacker.  Two components are typical: a sending component on the user’s computer and a receiving component on an external server used for data collection.  The sending component assembles data from the execution of crimeware (via web Trojan, keylogger or screenlogger) and sends the data outbound.  Transmission occurs via different systems: email to a fixed location (typically a free email account set up by the attacker); data sent over a chat channel, such as an IRC channel, which the attacker monitors; or data sent over TCP/IP to a data collection server, or servers, accessible to the attacker.

Malware is a vital tool used to gain, and potentially maintain, access to a computer system, with the possible objective of accumulating confidential, personal data. In addition, the way in which malware is deployed can help attackers avoid detection and maintain their presence on a system.  For instance, multiple variants of one specific malware code may be used, each in limited applications.  A ‘long tail approach’ can be used (Liston).  Instead of infiltrating a large number of systems with small amounts of code, a large number of malware variants are used to hide evidence of a malware ‘outbreak’.  Additionally, malware communication may be limited to ways that follow typical user behavior, and system resources can be used sparingly so as not to raise any flags.

One last item here: the sheer volume of malware code in existence today is considered ‘the ultimate weapon’ (Liston).  Antivirus analysts cannot keep up with the number of signatures needed to keep systems free and clear of known malware code, not to mention the malicious code still unknown, running undetected.

Business Model

The TOC business model is one which takes advantage of the strengths of technology such as malware, as well as the weaknesses of system users.

1.  Cartel-like business structure.  The TOC model has been compared to a cartel-like model (Berinato).  A shift to a layered service organization spreads the risk among all involved. Services are doled out to various players, from malware developers and malware distributors to middlemen who sell temporary ‘access’ to infected systems.  The buyers who ultimately intercept and withdraw personal data from a system are far removed from the initial players.

2. Keeping it under wraps.  The goal of organized crime on the internet is to retain a low profile, hence the focus on deploying malware code in a manner which ensures its longevity.  Another method to successfully maintain the operation: taking small bites. Those who purchase access to infected systems and reap the rewards of coming across personal financial data use that information wisely.  Best to charge $10 per compromised credit card, on 1,000 cards, versus a charge of $1,000 on 10 cards.  The odds that credit card holders will notice or care are minimized.  Also, this model distributes risk among multiple banks, who are thus better able to write off the loss.  Law enforcement remains uninvolved, with no complaints issued.

3. Location, location, location.  TOCs tend to base their operations in countries with no legal ties to the U.S., often remaining in areas with ‘weak legal and policing systems’ (Verizon).  This is supported by the fact that in 2011, Eastern Europe (specifically Russia and Turkey) accounted for 67% of all originating data theft attacks against organizations (Verizon).

Recent Data

We have come a long way over the past decade.  Malware development has increased dramatically.  Sophos reported seeing approximately 95,000 unique samples of malware per day in 2011.  Two years prior, the number was under 5,000 per day (Ragan).

Malware was a tool utilized in more than two thirds of the data breach caseload covered in Verizon’s 2012 Data Breach Investigation Report, and was a definite tool in 95% of all cases involving stolen data.  External agents accounted for 98% of all data breaches. Organized criminals were behind the majority of these breaches, at 83%, and money was the motivating factor in 96% of these particular cases.  Small organizations with fewer than 100 employees represent the majority of the victims.  Investigators believe this is related to the ease with which their internet-facing point-of-sale systems can be breached (Verizon).

The Future

There are definite steps which can be taken to help mitigate threats and attacks from TOC or other potential external (and internal) attackers.  The recent Verizon data breach report does highlight how well external attackers have taken advantage of small business system vulnerabilities.  Special care should be taken to educate and assist these organizations with mitigation strategies, specifically ensuring that they attain and maintain PCI compliance.

Additionally, we need adequate law enforcement to deter, investigate and prosecute crimes.  We need to continue work internationally, and encourage minimum standards and cooperation in regard to cyber crime (Cukier).

___________

Berinato, S. (2007, September 1). Inside the Global Hacker Service Economy. Retrieved July 19, 2012, from http://www.csoonline.com/article/456863/inside-the-global-hacker-service-economy

Cukier, W., & Levin, A. (2009). Internet Fraud and Cybercrime. In Crimes of the Internet. Upper Saddle River, NJ: Prentice Hall. (Reprinted from Crimes of the Internet, 251-279, 2009)

Liston, T. (2011, March). Malware War: How Malicious Code Authors Battle to Evade Detection (Publication). Retrieved from Information Week website: http://reports.informationweek.com/abstract/21/5854/security/strategy-malware-war.html

Ragan, S. (2011, February 15). RSAC 2011: Malware and Cyber Crime Evolved. Retrieved from http://www.thetechherald.com/articles/RSAC-2011-Malware-and-cyber-crime-evolved/12807/

Smith, A. (2006, October). The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond (Report). Retrieved from http://www.antiphishing.org/reports/APWG_CrimewareReport.pdf

2012 Data Breach Investigation Report (Research Report). (2012). Retrieved from Verizon website: http://www.verizonbusiness.com/us/about/events/2012dbir/





Vehicle Telecommunication: Services and Security

26 07 2012

Auto manufacturers today are focusing on enhancing the connectivity and networking experience by embedding microcontrollers and communication capabilities in the vehicle. Features such as Bluetooth, Navigation system, in vehicle infotainment, remote commands, and Wi-Fi hotspot capabilities are becoming standard fitments. These are some of the services available today:

  • Companies like ‘Relay Rides’ offer a peer-to-peer car sharing service with the help of telecommunication service providers like OnStar, where a car owner can rent out their car to another Relay Rides subscriber [1]. The two parties don’t need to meet to hand over keys: the owner leaves the keys in the car, the doors are unlocked remotely, the renter uses the car for the duration of the rental contract and then leaves the car with the keys inside and locks it.
  • A stolen vehicle can be slowed down remotely on the advice of police, avoiding a high speed car chase.
  • Emergency services can be dispatched to locations even when the driver is unable to communicate.
  • One can send a vehicle lock or unlock request to a car which could be several hundred miles away, using a mobile app.
  • Similarly, one can start or stop the car using a key fob or mobile app.
  • There are players who offer a Wi-Fi hotspot in the car so that kids can stream their favorite videos while relaxing in the rear seats on a long trip. Up to eight devices can be connected at once [2].
  • There are services available which read vehicle data and present it in a mobile app or an email. One doesn’t need to check the tire pressure using a gauge anymore; the mobile app reads the tire pressure, gas remaining, mileage etc. for you.

There are several players in today’s market like GM’s OnStar, Ford’s SYNC, BMW’s Assist, Lexus’ Enform, Toyota’s Safety Connect, and Mercedes’ mbrace. There is a growing concern that the security features available to protect these devices and services are not as robust as one would like them to be. There have been several instances of security breach. ‘Proof-of-concept’ software dubbed ‘Carshark’, developed using homemade software and a standard computer port, was used to demonstrate that critical safety components of a vehicle can be hacked. In another incident, approx. 100 vehicles were disabled through a ‘remote disable system’ that had been installed by a car dealership. It was later found that a disgruntled former employee had remotely disabled the cars and set off the horns. There was also a case where an aftermarket GPS navigation service provider recorded driver behavior and was selling that data to Dutch police to target speeding vehicles [3].

Swiss researchers tested scenarios of car hacking, with key fobs in close proximity to the vehicle (within range of the antenna). Using the two-antenna approach, cars were successfully hacked and driven away. Security researchers have cracked the keys used by multiple types of key fobs, including the Hitag 2 encryption key. The proprietary encryption keys used to transmit data between the key fob, receiver, and engine are not secure enough. Only a few car manufacturers use 128-bit Advanced Encryption Standard (AES) keys. Many use 40- or 48-bit keys, which security experts regard as ineffective [4]. Similar research carried out on tire pressure gauges found that the wireless networks built into many cars did not perform authentication or input validation.

Automotive manufacturers have been focusing on security of these embedded devices. NXP Semiconductors, which is one of the solution providers, offers authentication capabilities based on device identity and service profiling. Their microcontrollers feature hardware cryptographic accelerators (ECC, RSA, AES, DES), and support a broad range of symmetric and asymmetric (public key) algorithms and protocols. One can enable access control to in-vehicle network ensuring messages from wireless interfaces and between ECUs, are authenticated and encrypted [5].

Conclusion: Several vehicle features and services available today use wireless communication involving private data. This attracts hackers, who could gather the data and sell it to prospective buyers. Automobile manufacturers and telecommunication service providers are coming up with technology to secure the connection, but a lot more needs to be done.

_______________

  1. Relay Rides. https://relayrides.com/onstar
  2. Audiusa.com Home page. http://www.audiusa.com/us/brand/en/owners/audi_connect/wifi_hotspot.html
  3. Shane McGlaun, Sept 7, 2011. Automotive Security.pdf http://www.mcafee.com/us/resources/reports/rp-caution-malware-ahead.pdf
  4. Mathew J. Schwartz, http://www.informationweek.com/news/security/vulnerabilities/229000561
  5. NXP Semiconductors NV., http://www.nxp.com/campaigns/connected-mobility/technologies

 





Security Issues thwarting RFID adoption

24 07 2012

Radio Frequency Identification (RFID) technology has gained popularity over the past several years in the supply chain and asset management areas. The main advantage of RFID is the automated identification of products and people. Mandates from the Department of Defense and supply-chain giants like Wal-Mart to their suppliers push wider adoption of this technology.  The automated unique identification that RFID offers and falling tag costs help develop innovative RFID applications in areas such as access control, supply chain/retail services, sub-dermal tags, tags in libraries and smart applications. Despite these factors, the adoption rate of RFID technology has stalled significantly in recent years; security issues and privacy concerns are among the key factors.

RFIDs are small electronic devices that consist of a microchip and an antenna designed for wireless data transmission. The RFID reader interrogates the tags so data can be transmitted over the air. Collectively, the RFID system consists of RFID tags, readers, communication protocols, information systems, networks, lookup/location services etc. All elements of the RFID system need to be secured, and the integration between them must be designed with data security in mind. From the consumer’s perspective, the privacy issue is more important and therefore gets more media coverage.

Security and Privacy Issues

Security issues are due to good readers reading data from malicious tags. It is very easy to copy the data from the tags and develop counterfeit tags. Current RFID systems are unsafe:

  1. No authentication – No friend/foe distinction
  2. No access control – Rogue reader can link to tag and Rogue tag can mess up the reader
  3. No encryption – Eavesdropping possible
  4. No RFID protocols standardization  – Available standards are susceptible to reverse engineering
  5. RFID based worms/viruses

Privacy Concerns: The RFID tags pose exponentially greater risk to personal privacy. A malicious reader can read information from good tags leading to two common privacy threats:

  1. Tracking – A privacy issue arises when the movements or data of a product or person are tracked or accessed without explicit permission. The user or product owner cannot turn off the tracking, as the tag can always be read. Even if we use encryption, only the data can be encrypted and tracking can still be done.
  2. Information Leakage – When the data in the tag can reveal sensitive information to rogue readers, this becomes a privacy issue. For example, if a person carries medicines (a box) implanted with RFID tags, then the information could be read and their ailments could be discovered, thereby violating privacy laws.

Some of the countermeasures to address security & privacy issues:

  1. RFID tagged products can be clearly labeled so the consumer has the choice to select products without RFID. One such product, ‘Kill Codes’, turns off all RFID tags as soon as the consumer comes into contact.
  2. ‘RSA Blocker Tags’, address privacy concerns while maintaining the integrity of the product. The item can be tracked only by the store’s authorized reader.
  3. Use challenge-response when querying for data.
  4. Good and secure distributed database and web service security.
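Countermeasure 3 (challenge-response) is shown here in an added example that is not part of the original post: the reader issues a fresh random challenge and the tag answers with an HMAC over its ID and that challenge, so a copied ID or a recorded response is rejected. The per-tag shared key, the class names and the tag IDs are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


class Tag:
    """Constructed model of a tag that holds a per-tag secret key (assumption)."""

    def __init__(self, tag_id, key):
        self.tag_id = tag_id
        self._key = key

    def respond(self, challenge):
        # The MAC binds the answer to this tag AND to this one challenge.
        # The ID still travels in the clear, so this authenticates the tag
        # but does not stop tracking, as the privacy section points out.
        mac = hmac.new(self._key, self.tag_id + challenge, hashlib.sha256).digest()
        return self.tag_id, mac


class ReplayClone:
    """Counterfeit tag that copied the ID and one overheard response, not the key."""

    def __init__(self, tag_id, recorded_mac):
        self.tag_id = tag_id
        self.recorded_mac = recorded_mac

    def respond(self, challenge):
        return self.tag_id, self.recorded_mac


class Reader:
    """Reader backed by a key database mapping tag ID to that tag's key."""

    def __init__(self, key_db):
        self._keys = dict(key_db)
        self._pending = set()

    def new_challenge(self):
        challenge = secrets.token_bytes(16)  # fixed length, unpredictable
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge, tag_id, mac):
        if challenge not in self._pending:
            return False  # never issued, or already used once
        self._pending.discard(challenge)  # each challenge is single use
        key = self._keys.get(tag_id)
        if key is None:
            return False  # unknown tag: the friend/foe distinction
        expected = hmac.new(key, tag_id + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)


def demo():
    key = secrets.token_bytes(32)
    tag_id = b"EPC-CONSTRUCTED-0001"  # constructed sample ID
    reader = Reader({tag_id: key})
    genuine = Tag(tag_id, key)

    c1 = reader.new_challenge()
    tid, mac1 = genuine.respond(c1)
    genuine_ok = reader.verify(c1, tid, mac1)

    # An eavesdropper replays the exact pair it overheard.
    same_pair_replayed = reader.verify(c1, tid, mac1)

    # A counterfeit tag answers a fresh challenge with the old response.
    clone = ReplayClone(tag_id, mac1)
    c2 = reader.new_challenge()
    clone_replay = reader.verify(c2, *clone.respond(c2))

    # A tag that is not in the reader's database at all.
    rogue = Tag(b"EPC-CONSTRUCTED-9999", secrets.token_bytes(32))
    c3 = reader.new_challenge()
    unknown_tag = reader.verify(c3, *rogue.respond(c3))

    return {
        "genuine": genuine_ok,
        "same_pair_replayed": same_pair_replayed,
        "clone_replay": clone_replay,
        "unknown_tag": unknown_tag,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(name, "accepted" if accepted else "rejected")
```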

Conclusion

While the security and privacy issues exist, RFID tags have the potential to revolutionize many areas, increasing productivity and cost effectiveness. RFID technology leaders and enablers should focus on developing protocols and standardization to address security and privacy issues; meanwhile, adoption should be based on corporations and industries being aware of the existing security issues in RFID systems, current limitations and consumer privacy laws.

____________

  1. http://www.ibiblio.org/Dave/ar00503.htm
  2. https://www.rsa.com/rsalabs/staff/bios/ajuels/publications/pdfs/rfid_survey_28_09_05.pdf
  3. http://www.thingmagic.com/rfid-security-issues
  4. http://www.edri.org/docs/EDRi_RFID_Security_Issues.pdf
  5. http://features.techworld.com/mobile-wireless/1178/security-issues-swamp-rfid/




Risk IT – A Risk Management Framework by Information Technology Governance Institute (ITGI)

22 07 2012

Risk assessment and risk management are an integral part of IT security at any organization, or at least should be an integral part of IT security within an organization.

One would think that, with IT being critical to an organization’s operations, the risks related to IT and IT security would be covered by many different risk management frameworks; however, such was not the case until recently. There was no comprehensive, exclusively IT-focused risk management framework which covered the entire IT, until the Information Technology Governance Institute (ITGI – ISACA) developed and published “Risk IT”.  This framework is designed to address all IT risks, including IT security risks. The entire framework is based on best practices and was developed with the help of industry subject matter experts.  It was designed to connect IT risk management, including the management of IT security risks, with overall enterprise risk management.

Not only is “Risk IT” a framework for IT risk assessment, but it is also integrated with both the “COBIT 5” (Control Objectives for Information and Related Technologies) framework and the “Val IT 2” framework (IT value management).  For readers who are not familiar with the above frameworks, the COBIT framework is widely used by organizations to implement IT controls, and the Val IT framework deals with the value and cost effectiveness aspects of IT and IT security measures. These close tie-ups between “Risk IT”, COBIT and Val IT offer an entire eco-system in terms of IT controls, value proposition and IT risk management, a first in the IT industry.

More on “Risk IT” framework

This framework, as suggested by ISACA (formerly, Information Systems Audit and Control Association), is the only business framework for the Governance and management of enterprise IT.

The “Risk IT” model is defined to handle the entire lifecycle of IT risks. The model is divided into three domains: Risk Governance, Risk Evaluations and Risk Response. First, Risk Governance focuses on establishing a baseline for risk management within a particular organization; second, Risk Evaluations focuses efforts on performing risk assessments; and lastly, Risk Response, the final stage of risk management, manages and responds to ongoing risks. The framework provides a way to connect IT risks with enterprise risks, and goes on to include cost/benefits and alignment with business objectives, among other things. This approach, therefore, offers more openness to the IT risk environment and also to some degree focuses on aspects other than the purely technical aspects of IT risks.

The framework categorizes IT risks in the following three categories,

  • IT Benefits/Value enablement risks, i.e., risks associated with missed opportunities.
  • IT programme and project delivery risks, i.e., risks associated with the contribution of IT projects and programs.
  • IT Operations and service delivery risks, i.e., risks associated with all aspects of the IT service and systems.

The above categorization offers to include not only the risks within the organizations, but also is an attempt to look at risks from not pursuing certain options in the IT environment.

Additionally, the framework is founded on the following principles about IT risks:

1)  Connect to Business objectives

2)  Align IT risk management with enterprise risk management.

3)  Balance cost/benefits of IT risk.

4)  Promote fair and open communications

5)  Establish a tone at the top and accountability

6)  Function as part of daily activities.

These principles are designed with the IT risks being the focal point and reaching out to accomplish various needs that exist within the IT environment for creating a more robust risk management structure within the IT environment.

“Risk IT” provides a detailed implementation of the framework in the form of the following requirements:

Risk Governance: These requirements establish the overall governance of the IT risks management process and structure.

  • RG1 – Establish and maintain a common risk view.
  • RG2 – Integrate with ERM.
  • RG3 – Make risk-aware business decisions.

Risk Evaluations: These requirements establish the processes of data collection for risk monitoring, analyze risks and maintain risk profiles.

  • RE1 – Collect data.
  • RE2 – Analyze risk.
  • RE3 – Maintain risk profile.

Risk Response: These requirements establish the process for risk articulations, manage risks and react to events on an ongoing basis.

  • RR1 – Articulate risk.
  • RR2 – Manage risk.
  • RR3 – React to events.

As you may have noticed, the two very distinct features of this framework are that it is an effort to define tangible benefits, in contrast to the often intangible benefits of many other risk management frameworks, and that it covers the entire lifecycle of IT risk management. These same features are also the strengths of the “Risk IT” framework and can certainly be catalysts for organizations that are either looking to adopt this framework for IT risk assessments or are inclined towards using it as opposed to other IT risk frameworks.

In my opinion, the following can be some of the pros and cons of the “Risk IT” framework and approach to the IT risk assessment:

Pros

  • The touted benefits of the “Risk IT” frameworks include tangible benefits.
  • Entire lifecycle management of IT risks.
  • It encourages executives and senior management, along with the rest of the IT organization, to partake in IT risk management, provides clear visibility for risk management guided from the top of the organization, and makes the risk-management process very effective. Additionally, the framework does support a bottom-up approach for IT risk management.
  • The “Risk IT” framework is an all-encompassing approach, including IT controls, costs and risks. The close tie-ups with the COBIT and Val IT frameworks provide the entire eco-system for IT controls, value proposition and risk management. At the same time, this may be its drawback as well; see below.
  • This framework has appeal to senior management since it offers to leverage the existing investments in IT controls for IT risk management prior to new investments in IT controls.

Cons

  • While the framework’s purpose and design are to address Risk IT, the framework has been recently developed and therefore, the assessments of touted benefits are not available for longer terms.
  • The framework is left flexible and therefore, the incorrect or less robust implementation may not be able to provide the benefits, and may leave un-addressed or undetected risks within the enterprise IT organization.
  • The framework is maintained and published by ISACA, and not adopted by any standards body, such as ANSI, etc. but instead is based on best practices and therefore, the acceptability of the framework may not have wider appeal.
  • The framework relies on appropriate implementation of both COBIT and Val IT, which may not be the case at all organizations, and therefore, may offer hindrance in its acceptability within many organizations.
  • The comprehensive nature of the framework can quickly become a cost overhead of IT risk management, in spite of utilization of existing IT controls.

Conclusion

In conclusion, the focused approach to all IT risks is certainly a step in the right direction, and may help bridge the gap between the enterprise risk management and IT security risks by offering a comprehensive IT risk management framework. The long-term benefits of the “Risk IT” framework will emerge only with the passage of time. As we all know, for something great to happen there always has to be a beginning and only time will tell!

Note:

ANSI, ITGI, ISACA, Risk IT, COBIT, Val IT and other terms are registered trademarks, service marks, etc. of respective organizations.

___________

New Framework for Enterprise Risk Management in IT, Urs Fischer, CISA, CIA, CPA Swiss, IT systems Control Journal, Volume 4, 2008

Risk IT Framework for Management of IT Related Business Risks  (http://www.isaca.org/Knowledge-Center/Risk-IT-IT-Risk-Management/Pages/Risk-IT1.aspx)

COBIT 5: A Business Framework for the Governance and Management of Enterprise IT (http://www.isaca.org/COBIT/Pages/default.aspx)

Val IT Framework for Business Technology Management (http://www.isaca.org/Knowledge-Center/Val-IT-IT-Value-Delivery-/Pages/Val-IT1.aspx)

http://www.isaca.org/Knowledge-Center/Standards/Documents/Risk-IT-Overview.ppt

THE “Risk IT” FRAMEWORK (http://www.isaca.org/Knowledge-Center/Research/Documents/RiskIT_FW_30June2010_Research.pdf (registration required))

THE “Risk IT” PRACTITIONER GUIDE (http://www.isaca.org/Knowledge-Center/Research/Documents/RiskIT_PG_30June2010_Research.pdf (registration required))





Automotive Telematics/Infotainment Systems: Security Vulnerabilities and Risks

21 07 2012

Audi Chairman Rupert Stadler was spot on when he said:

 “There is a revolution taking place. Some of the most exciting new consumer electronics aren’t the ones in your living rooms or in your offices. They’re the ones in your cars.” [1]

However, with the rapid advancement in the development of vehicle telematics/infotainment systems and the integration of numerous technologies in them, the scope of security vulnerabilities in vehicles is expanding exponentially and the risk of potential hacker attacks is growing rapidly.

A number of the latest and upcoming telematics/infotainment systems in today’s automobiles include the following features and technologies:

  • Vehicle Communication Systems: The main purpose of these systems is to establish an external data connection between the vehicle and the telematics service provider using existing cellular technologies such as LTE, GSM, CDMA, etc., which practically makes the vehicle a mobile node and gives it access to the cloud.
  • Radio User Apps: A number of new vehicles, and almost all upcoming ones, are planned to be equipped with In-Vehicle Infotainment systems that support a wide variety of user apps. The user apps provide a variety of services that include audio/video services, access to social media, internet browsing capabilities, etc. A number of these app services are subscription-based and typically contain sensitive user information.
  • Wi-Fi/Bluetooth/USB Mediums: A variety of connectivity mediums are supported in the latest vehicles that include Wi-Fi, Bluetooth and USB technologies that allow the vehicles to communicate and pair with external consumer devices such as user smart phones, cameras, entertainment systems, gadgets, etc. as well as with external data hotspots for internet access.
  • Web-Based Services: A number of web-based features are also available for the latest vehicles that offer services such as vehicle location capabilities, locking/unlocking vehicles remotely, remote start features, remote diagnostics, software updates, etc.

Now let’s look at some of the challenges and security vulnerabilities these services/features pose to the vehicle owner, service providers or the automotive manufacturers…

Firstly, when the vehicle is connected to the telematics service provider, it becomes a network/cloud node and usually gets assigned an IP address that allows it to communicate over the cellular link. This makes the vehicle an interesting target for hackers, as it can provide them with potentially free access to the internet or backend systems, through which they can perform all sorts of illegal cyber activities, and can allow them to potentially steal sensitive personal information of the user. Also, having a public IP address makes the car vulnerable to all sorts of cyber viruses and security attacks. Furthermore, a hacker can use network hacking techniques such as port scanning, firewall loopholes, etc. to get unauthorized access to the vehicles as well as the service providers.

The other important security vulnerability is how the communication between the vehicle and the telematics service provider is secured and protected. A hacker can potentially sniff the communication between the vehicle and the backend service provider and steal sensitive user information such as account numbers, contact information, user names, and passwords, along with other billing-related information. This information can then be used by the hacker on web-based services to track user activities, vehicle usage, location of the vehicle, etc.

Another interesting challenge/vulnerability that the new features pose is the secure management and storage of the static and dynamic data that is generated with the use of these telematics services. [2] The main challenge is to identify the different types of data services used and to manage them in a way that the security of sensitive information (important personal data) is not compromised. If certain data is not stored in the vehicle itself, the user needs to be notified where and how their data is being stored and what security protocol is followed, in order to address privacy concerns.

The other series of security vulnerabilities arise from the inclusion of a variety of web based apps in the infotainment systems on the vehicles. A number of apps included are supposed to provide access to social media sites to the user. Any unauthorized access to these apps can expose personal information of user to the hacker that may include usernames, passwords and other personal information. Also, a number of other apps are subscription based services that contain user information with respect to the purchased subscription. Any vulnerability or unauthorized exposure of this information to the hacker would allow him to use it in a way that would result in financial losses to the user.

The integration of different connectivity technologies brings another set of security vulnerabilities for the telematics/infotainment systems. For example, any security compromises in the Bluetooth protocol can result in the hacking of personal contacts information by the hacker or unauthorized access of user’s phone by the hacker. Any vulnerability in the USB stack can potentially result in hackers accessing the operating system of the telematics/infotainment systems that can expose sensitive system information of the user or vehicle.

Conclusion

In summary, the security vulnerabilities discussed above can result in the identity theft of vehicle users, loss of critical information such as usernames/passwords, unauthorized access to the internet by the hackers that can result in cybercrimes which can get the user in legal complications. Also, any loopholes or security weaknesses can result in legal complications and bad media publicity for the automotive manufacturers as users can potentially sue them if their security or privacy is breached or compromised.
____________

[1] Telematics Update. (Jan 12, 2011). Telematics and security: Protecting the connected car. Retrieved July 10, 2012 from < http://analysis.telematicsupdate.com/intelligent-safety/telematics-and-security-protecting-connected-car >

[2] Sastry Duri, Marco Gruteser. (2002). Framework for Security and Privacy in Automotive Telematics. IBM Thomas J. Watson Research Center.





Is your vehicle safe?

20 07 2012

Problem

Everyone is starting to realize that modern vehicles have tons of computers inside them. By some counts, there are 30+ modules computing and performing different functions for your vehicle. Some control the vehicle’s engine and propulsion system, while others control various body functionalities. These computers can be hacked, just like any other. Vehicle hacking started out with people creating custom EEPROM chips that allowed racers and sports drivers to modify their vehicle’s performance for very little cost. While this could cost vehicle manufacturers money in warranty costs, it was generally of little interest, since, in some cases, it accounted for new sales: people who were interested in purchasing a car that could be easily modified. Racing and driving is already a dangerous sport, so it would be unlikely that someone modifying their vehicle’s performance would have any legal grounds to pursue against the manufacturer.

Twenty years later, today’s cars present a new problem. Modules don’t just control the performance; they can accelerate the car, turn the car, roll the windows up/down, disable propulsion, change gears, etc. Anyone with time and persistence can figure out how these work. Some information is even readily available for purchase from the OEMs, and tools can be found for around $500 US[1]. Additionally, users can cheat the system to reduce their costs[2]. Take, for example, OnStar, a paid service offered by General Motors that sends directions to your car, makes phone calls, connects you to a personal assistant, etc. If this system is hacked by an outside user, that person might gain the ability to send the driver bogus directions, or worse yet, disable the vehicle as it is driving 75 MPH down the interstate.

These may seem like pretty rare problems or perhaps not even that serious, but picture the future of vehicles driving themselves[3]. If you tell your vehicle to go to Orlando, FL but you end up driving down a boat dock in Northern Michigan, you may end up, at the very least, pretty upset, or worse yet injured or even killed.  This is why we need to worry about tapping in!

Tapping in

How can this be possible, you ask? As any computer hacker will tell you, having access to the computer is critical, and we leave our cars parked and exposed out in the open all the time. If I told you someone could slip under your car, pinch a wire and know your driving habits or disable your car, you may not believe me. But you would be wrong. It is a very real possibility. Yesterday’s car problems were mechanical; today’s stem from software and electronics issues.

For the service community or the service savvy, it could be as simple as buying a vehicle connector and sending commands to your car. I can cite one example in particular, where on a cold weather trip, the passenger played a joke on the unaware driver by rolling the windows up and down from his laptop. Now, that is just a simple example of what can be done, but perhaps running the cruise control by creating a gateway from your PC is another possibility. Essentially, if the hacker could pass through all messages until he starts to understand what each CAN message contains, and then slowly start to change the data between the two, this could definitely be done for cruise control and probably a few other distributed systems on today’s car.

It is the malicious few that we have to worry about and protect our vehicles against. It would be nice to know that if there was some attached module or gateway sending and changing the commands to modules, we would know about it.

Solutions

Encrypting the data could go very far in preventing most of these types of attack. Using both confusion and diffusion, the bytes of a message could be scattered across multiple messages, making each message a discontinuous set of bytes rather than a set of 8-, 16- or 32-bit raw values. Encrypting the data using a key could also help in hiding the raw values. Perhaps rather than speed going from 0-15, it goes from 0, 5, 1, 2, making the pattern unrecognizable, for the most part, as vehicle speed or something linear.
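Hiding the values does not by itself reveal that an attached gateway is changing them, so this added example (not from the original post) uses authentication instead of encryption: a receiver rejects a modified or replayed frame by checking a truncated HMAC and a freshness counter. The key, the CAN identifier 0x3E9 and the 4+1+3 byte payload layout are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo key, shared by both ECUs
SPEED_ID = 0x3E9   # hypothetical CAN identifier for a vehicle-speed frame
MAC_LEN = 3        # tag truncated to 3 bytes so the payload stays at 8 bytes


def tag_for(can_id: int, data: bytes, counter: int) -> bytes:
    """Truncated HMAC-SHA256 over the identifier, the full counter and the signal bytes."""
    msg = struct.pack(">HI", can_id, counter) + data
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(can_id: int, data: bytes, counter: int) -> bytes:
    """Sender side: 4 signal bytes + low counter byte + 3-byte tag."""
    if len(data) != 4:
        raise ValueError("this layout carries exactly 4 signal bytes")
    return data + bytes([counter & 0xFF]) + tag_for(can_id, data, counter)


class Receiver:
    def __init__(self):
        self.last_counter = 0  # highest counter value accepted so far

    def accept(self, can_id: int, payload: bytes):
        """Return the signal bytes if the frame is authentic and fresh, else None."""
        if len(payload) != 8:
            return None
        data, low, tag = payload[:4], payload[4], payload[5:]
        # Rebuild the full counter: the smallest value above last_counter with this low byte.
        counter = (self.last_counter & ~0xFF) | low
        if counter <= self.last_counter:
            counter += 0x100
        if not hmac.compare_digest(tag, tag_for(can_id, data, counter)):
            return None  # payload changed in transit, or an old frame replayed
        self.last_counter = counter
        return data


def demo():
    rx = Receiver()
    speed_75 = struct.pack(">HH", 75, 0)            # constructed signal: speed 75, 2 spare bytes
    first = build_frame(SPEED_ID, speed_75, counter=1)
    second = build_frame(SPEED_ID, speed_75, counter=2)
    genuine = rx.accept(SPEED_ID, first)
    # A gateway rewriting the speed field cannot recompute the tag without KEY.
    tampered = rx.accept(SPEED_ID, struct.pack(">H", 20) + second[2:])
    replayed = rx.accept(SPEED_ID, first)           # same frame sent again
    fresh = rx.accept(SPEED_ID, second)             # untouched next frame still passes
    return genuine, tampered, replayed, fresh
```

A 24-bit tag can be guessed at random about once in 16.7 million tries, so a receiver using a layout like this should also count and rate-limit failed verifications.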

As to the service type attacks, these would need better passwords to protect the features they provide. Currently, these are done with fairly small numbers; let’s say a 16 bit password. Even at 16-bit, if one key is tried every three seconds, that will only take 28 hours. Three seconds is probably on the low end for someone that desperately wanted to figure that out. Not to mention, that is the max time to crack the code. In addition, the password, or “unlocking mechanism,” can be purchased through the OEM, due to legislated mandates to support your local mom and pop shops[4].

The service part is the most difficult to solve, as how does one know if the commands are coming from a legitimate user trying to fix their car or a rogue device that is going to roll down your windows, lock your doors and turn the heat on full blast with you inside it? I would almost like to advocate that the owner of the car provides the locking key and provides it only to those he feels he can trust, rather than the key being randomly programmed at the factory and never changing over the vehicle’s life. Additionally, making the key longer will prevent much of the brute force attack, but where there is time, there is a way….