Tag Archives: attack modeling

Killed by code – back to the future

Back in 2011, I thought it was only a question of time before we saw a drive-by execution of a politician with an ICD (implanted cardiac device).

Fast forward to Jan 9, 2017: the FDA issued an FDA Safety Communication on “Cybersecurity Vulnerabilities Identified in St. Jude Medical’s Implantable Cardiac Devices and Merlin@home Transmitter”.

At risk:

  • Patients with a radio frequency (RF)-enabled St. Jude Medical implantable cardiac device and corresponding Merlin@home Transmitter
  • Caregivers of patients with an RF-enabled St. Jude Medical implantable cardiac device and corresponding Merlin@home Transmitter
  • Cardiologists, electrophysiologists, cardiothoracic surgeons, and primary care physicians treating patients with heart failure or heart rhythm problems using an RF-enabled St. Jude Medical implantable cardiac device and corresponding Merlin@home Transmitter

I’ve been talking to our medical device customers about mobile security of implanted devices for over 4 years now.

I gave a talk on mobile medical device security at the Logtel Mobile security conference in Herzliya in 2012 and discussed proof of concept attacks on implanted cardiac devices with mobile connectivity.

But ICDs are the edge, the corner case of mobile medical devices. If a typical family of 2 parents and 3 children has 5 mobile devices, it is a reasonable scenario that this number will double with devices for fetal monitoring, remote diagnosis of children, home-based urine testing and more.

Mobile medical devices are becoming a pervasive part of the Internet of things; a space of  devices that already outnumber workstations on the Internet by about five to one, representing a $900 billion market that’s growing twice as fast as the PC market.

There are 3 dimensions to medical device security: regulatory (FDA), political (Congress) and cyber (vendors implementing the right cyber security countermeasures).

The FDA is taking a tailored, risk-based approach that focuses on the small subset of mobile apps that meet the regulatory definition of “device” and that:

  • are intended to be used as an accessory to a regulated medical device, or
  • transform a mobile platform into a regulated medical device.

Mobile apps span a wide range of health functions. While many mobile apps carry minimal risk, those that can pose a greater risk to patients will require FDA review. The FDA guidance document provides examples of how the FDA might regulate certain moderate-risk (Class II) and high-risk (Class III) mobile medical apps. The guidance also provides examples of mobile apps that are not medical devices, mobile apps over which the FDA intends to exercise enforcement discretion, and mobile medical apps that the FDA will regulate, in Appendix A, Appendix B and Appendix C respectively.

Mobile, medical and regulatory is a pretty sexy area and I’m not surprised that politicians are picking up on the issues. After all, there was an episode of CSI New York that used the concept of an EMP to kill a person with an ICD, although I imagine that a radio exploit of an ICD or embedded insulin pump would be hard to identify unless the device itself was logging external commands.

Congress is, I believe, more concerned about the regulatory issues than the patient safety and security issues:

Representatives Anna Eshoo (D-CA) and Ed Markey (D-MA), both members of the House Energy and Commerce Committee, sent a letter last August asking the GAO to study the safety and reliability of wireless healthcare technology and to report on the extent to which the FCC is:

  • Identifying the challenges and risks posed by the proliferation of medical implants and other devices that make use of broadband and wireless technology.
  • Taking steps to improve the efficiency of the regulatory processes applicable to broadband and wireless enabled medical devices.
  • Ensuring wireless enabled medical devices will not cause harmful interference to other equipment.
  • Overseeing such devices to ensure they are safe, reliable, and secure.
  • Coordinating its activities with the Food and Drug Administration.

At Black Hat in August 2011, researcher Jay Radcliffe, who is also a diabetic, reported how he used his own equipment to show how attackers could compromise instructions sent to wireless insulin pumps.

Radcliffe found that his monitor did no verification of the remote signal. Worse, the pump broadcasts its unique ID, so he was able to send the device a command that put it into SUSPEND mode (a denial of service attack). He also showed that the device configuration could be overwritten remotely to deliver more insulin. Once insulin is in the body it cannot be removed; the patient can only counteract it by eating something sugary.

The FDA position that it is sufficient to warn medical device makers that they are responsible for updating equipment after it is sold, and the downplaying of the threat by industry groups like the Advanced Medical Technology Association, are not constructive.

Coming after the proof of concept attack on ICDs by Daniel Halperin (University of Washington), Kevin Fu (U. Mass Amherst) et al., “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses”, the St. Jude advisory is a strident wakeup call to medical device vendors to implement more robust protocols (commands that are authenticated and replay-resistant, rather than any well-formed radio message being obeyed) and to tighten up the software security of their devices.
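The two failures Radcliffe described, no verification of the remote signal and a device that acts on any frame addressed to its broadcast ID, have a well understood fix: a shared key provisioned at pairing, a MAC over every command, and a monotonically increasing counter so a captured frame cannot be replayed. The simulation below is an added example written for this page, not code from the original post or from any vendor; the wire format (pump ID, counter, opcode, dose in tenths of a unit), the opcodes and the pump classes are all hypothetical and exist only to contrast the unauthenticated and hardened behaviour.

```python
import hashlib
import hmac
import os
import struct

# Hypothetical wire format for illustration only (not any vendor's protocol):
#   pump_id (4 bytes) | counter (4 bytes) | opcode (1 byte) | dose in 0.1 units (2 bytes)
FRAME_FMT = ">IIBH"
FRAME_LEN = struct.calcsize(FRAME_FMT)  # 11 bytes
OP_SUSPEND = 0x01
OP_SET_BASAL = 0x02


def encode_command(pump_id: int, counter: int, opcode: int, tenth_units: int) -> bytes:
    return struct.pack(FRAME_FMT, pump_id, counter, opcode, tenth_units)


class NaivePump:
    """Accepts any well-formed command that carries its (broadcast) ID."""

    def __init__(self, pump_id: int):
        self.pump_id = pump_id
        self.suspended = False
        self.basal_tenth_units = 10

    def receive(self, frame: bytes) -> str:
        if len(frame) != FRAME_LEN:
            return "rejected: malformed"
        pump_id, _counter, opcode, units = struct.unpack(FRAME_FMT, frame)
        if pump_id != self.pump_id:
            return "ignored"
        return self._apply(opcode, units)

    def _apply(self, opcode: int, units: int) -> str:
        if opcode == OP_SUSPEND:
            self.suspended = True
            return "suspended"
        if opcode == OP_SET_BASAL:
            self.basal_tenth_units = units
            return "basal set"
        return "unknown opcode"


class AuthenticatedPump(NaivePump):
    """Requires an HMAC-SHA256 tag over the frame and a strictly increasing counter."""

    TAG_LEN = 16  # truncated tag; 128 bits is ample for a short-range radio link

    def __init__(self, pump_id: int, key: bytes):
        super().__init__(pump_id)
        self.key = key          # provisioned once at pairing in a real design
        self.last_counter = 0   # highest counter accepted so far (anti-replay)

    def receive(self, frame: bytes) -> str:
        if len(frame) != FRAME_LEN + self.TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:FRAME_LEN], frame[FRAME_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[: self.TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return "rejected: bad tag"
        pump_id, counter, opcode, units = struct.unpack(FRAME_FMT, body)
        if pump_id != self.pump_id:
            return "ignored"
        if counter <= self.last_counter:             # captured frame sent again
            return "rejected: replay"
        self.last_counter = counter
        return self._apply(opcode, units)


def sign_command(key: bytes, body: bytes) -> bytes:
    """What the legitimate remote does: append the truncated HMAC tag."""
    return body + hmac.new(key, body, hashlib.sha256).digest()[: AuthenticatedPump.TAG_LEN]


def demo():
    pump_id = 0x1234ABCD                 # constructed ID, as if sniffed from the broadcast
    key = os.urandom(32)                 # pairing key the attacker does not have
    naive = NaivePump(pump_id)
    hardened = AuthenticatedPump(pump_id, key)

    attacker_frame = encode_command(pump_id, 1, OP_SUSPEND, 0)
    r_naive = naive.receive(attacker_frame)                     # "suspended"
    r_unsigned = hardened.receive(attacker_frame)               # "rejected: malformed"
    r_forged = hardened.receive(attacker_frame + b"\x00" * 16)  # "rejected: bad tag"

    legit = sign_command(key, encode_command(pump_id, 1, OP_SET_BASAL, 12))
    r_legit = hardened.receive(legit)                           # "basal set"
    r_replay = hardened.receive(legit)                          # "rejected: replay"
    return (r_naive, r_unsigned, r_forged, r_legit, r_replay,
            naive.suspended, hardened.suspended, hardened.basal_tenth_units)


if __name__ == "__main__":
    print(demo())
```

The counter also has to survive a reset (stored in non-volatile memory, or re-negotiated at pairing), otherwise a pump that reboots to counter zero accepts every frame recorded before the reboot.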

Tell your friends and colleagues about us. Thanks!
Share this

The valley of death between IT and information security

IT is about executing predictable business processes.

Security is about reducing the impact of unpredictable attacks on your organization.

To bridge the chasm, IT and security need to adopt a common goal and a common language: a language of customer-centric threat modelling.

Typically, when a company ( business unit, department or manager) needs a line of business software application, IT staffers will do a system analysis starting with business requirements and then proceed to buy or build an application and deploy it.

Similarly, when the information security group needs an anti-virus or firewall, security staffers will make some requirements, test products, and proceed to buy and deploy or subscribe and deploy the new anti-virus or firewall solution.

Things have changed – both in the IT world and in the security world.

Web 2.0 SaaS (software as a service) offerings (or  Web applications in PHP that the CEO’s niece can whip together in a week…) often replace those old structured systems development methodologies. There are of course,  good things about not having to develop a design (like not coming down with an advanced case of analysis paralysis) and iterating quickly to a better product, but the downside of not developing software according to a structured systems design methodology is buggy software.

Buggy software is insecure software. The response to buggy, insecure software is generally to do nothing, or to install a product that is a security countermeasure for the vulnerability (for example, buying a database security solution) instead of fixing the SQL injection vulnerability in the code itself. Then there is lip service to so-called security development methodologies which, despite their intrinsic value, are often too detailed for practitioners to follow, and are not a replacement for a serious look at business requirements followed by a structured process of implementation.

There is a fundamental divide, a metaphorical valley of death of  mentality and skill sets between IT and security professionals.

  • IT is about executing predictable business processes.
  • Security is about reducing the impact of unpredictable attacks.

IT’s “best practice” security in 2011 is  firewall/IPS/AV.  Faced with unconventional threats  (for example a combination of trusted contractors exploiting defective software applications, hacktivists or competitors mounting APT attacks behind the lines), IT management  tend to seek a vendor-proposed, one-size-fits-all “solution” instead of performing a first principles threat analysis and discovering  that the problem has nothing to do with malware on the network and everything to do with software defects that may kill customers.

Threat modeling and analysis is the antithesis of installing a firewall, anti-virus or IPS.

Analyzing the impact of attacks requires hard work, hard data collection and hard analysis. It’s not a sexy, fun to use, feel-good application like Windows Media Player. Risk analysis may yield results that are not career enhancing, and as the threats get deeper and wider with bigger and more complex systems, the IT security valley of death deepens and becomes harder to traverse.

There is a joke about systems programmers – they have heard that there are real users out there, actually running applications on their systems – but they know it’s only an urban legend. Like any joke, it has a grain of truth. IT and security are primarily systems and procedures-oriented instead of  customer-safety oriented.

Truly – the essence of security is protecting the people who use a company’s products and services. What utility is there in running 24×7 systems that leak 4 million credit cards or developing embedded medical devices that may kill patients?

Clearly – the challenge of running a profitable company that values customer protection must be shouldered by IT and security teams alike.

Around this common challenge, I  propose that IT and security adopt a common goal and a common language – a language  of customer-centric threat modelling – threats, vulnerabilities, attackers, entry points, assets and security countermeasures.  This may be the best or even only way for IT and security  to traverse the valley of death successfully.


Credit card shims

Using shims that fit into the ATM slot and read your magnetic stripe data has been around for a while. It’s a good way to get the track 2 data, but it won’t get your PIN. If you are in Europe or the Middle East, your card is covered by the chip and PIN scheme: the PIN is never written to the magnetic stripe and the chip will not give it up, so it can’t be recovered by skimming with a slot reader or shimming with a piece of plastic inside the ATM slot. Now, it seems there is a fairly low tech way to capture your PIN by using a flexible keypad overlay on top of the regular ATM keypad, as you can see here – this ATM keyboard will steal your PIN
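To make concrete what a slot skimmer actually walks away with, here is a small parser for the track 2 layout (start sentinel `;`, PAN, `=` separator, expiry as YYMM, a three-digit service code, issuer discretionary data, end sentinel `?`). This is an added example written for this page, not code from the original post; the sample track string is constructed around a well-known test PAN, and the service code meanings in the comments are the standard ones for the first and third digits. Note what is absent: there is no field for the PIN, which is why the attacker needs the keypad overlay described above.

```python
import re

# Track 2: ;PAN=YYMMSSSdddd...?  (PAN up to 19 digits, SSS = service code)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[0-9=]*)\?$"
)

# Constructed sample: a well-known test PAN, expiry 2025-12, service code 201.
SAMPLE_TRACK2 = ";4111111111111111=25122011234567890?"


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every PAN must pass; a skimmer uses it to discard misreads."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style masking for logs: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track2(raw: str) -> dict:
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not a track 2 string")
    pan, exp, svc, disc = m["pan"], m["exp"], m["svc"], m["disc"]
    return {
        "pan_masked": mask_pan(pan),
        "pan_valid": luhn_ok(pan),
        "expiry": f"20{exp[:2]}-{exp[2:]}",
        "service_code": svc,
        # first digit 2 or 6: an IC (chip) is present and must be used where possible
        "chip_present": svc[0] in "26",
        # third digit 0, 3 or 5: PIN required for the allowed transaction types
        "pin_required": svc[2] in "035",
        "discretionary_data": disc,     # issuer-defined; contents vary by issuer
        "fields_present": ["pan", "expiry", "service_code", "discretionary_data"],
    }


if __name__ == "__main__":
    for k, v in parse_track2(SAMPLE_TRACK2).items():
        print(f"{k}: {v}")
```

With service code 201 the terminal is told a chip is present; a fallback to the magnetic stripe when the chip "fails" is exactly the path a skimmer-and-overlay combination needs, which is why issuers increasingly decline fallback transactions.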

To these rather technical attacks on credit card data, we can add a kind of side attack recently reported in Paris, where two women stood next to a man in line at the ATM, waited until he entered his PIN, and then lifted their shirts and flashed their boobs, as you can see in this post – stealing money with their boobs

Not bad.


How to assess risk – Part II: Use attack modeling to collect data

In my article – “How to assess risk – Part I: Asking the right questions”, I talked about using attack modeling as a tool to collect data instead of using self-assessment check lists. In this article, I’ll drill down into some of the details and provide some guidelines on how to actually use attack modeling to assess risk.

Read achieving HIPAA compliance using threat modeling for a step-by-step tutorial on how to use the popular PTA (Practical Threat Analysis) Professional software to perform quantitative risk assessment for data security and compliance. Software Associates specializes in HIPAA data security and compliance. The concepts and techniques described here can be applied to any regulatory area of compliance such as PCI DSS 2.0, or to a security certification such as ISO 27001. You can obtain a free download of the PTA Professional software from the PTA Technologies download page.

The first guideline I will lay down is to estimate the value of risk in Dollar/Euro/Ruble values – whatever currency you like.

Attack modeling is based on the notion that any system or organization has assets of value worth protecting. These assets have certain vulnerabilities. It is a given that internal and external attacks exist, that may  exploit these vulnerabilities in order to cause damage to the assets. An additional given is that appropriate countermeasures exist that mitigate the damage caused by internal or external attackers.

With attack modeling, you make future risk scenarios vivid, tangible, and measurable in dollar terms, countering the tendency to ignore threats and do nothing. Attack modeling gives you and your employees a practical language of assets, threats, vulnerabilities and countermeasures.

Here are 6 rules for effective attack modeling –

If you’ve bought into the traditional approach of consultants looking at your watch and telling you what time it is, then don’t let me stop you, but if you don’t mind considering some new ideas for cracking the risk assessment problem, here are a few ideas inspired by Tom Peters’ “In Pursuit of Luck”:

1. Do something new. Don’t bother with the same old trade shows, talking with the same old security salespeople about the same old stuff. The first time you do attack modeling, it may take several months – and take you into unfamiliar territory of having to valuate assets and anticipate the probability of threat occurrence.

2. Listen to everyone. Ask your senior managers what your most valued assets are – customer lists, product IP, on-time delivery. Ask the CFO how much those assets are worth in dollar terms. Ask your 22-year-old customer service agents how they would attack your assets.

3. Try out options. Don’t stop with the annual IT security audit. With attack modeling you can test many mitigation plans, implement countermeasures and measure effectiveness on the fly.

4. Ready, Fire, Aim (instead of ready, aim, fire). Experiment with new attack models. Test the ramifications of turning off personal anti-virus software or opening a field office with contract technicians. Attack modeling lets you test without threatening the operation.

An ERP systems integrator maintained their own corporate messaging systems. Although they felt that security required them to keep corporate mail in-house, the costs of content security maintenance were skyrocketing. An attack model showed a lower dollar level of risk to their digital assets at a lower ongoing security cost; they are now using Google Apps, freeing up valuable internal resources and management attention, at the cost of swallowing their pride and admitting that Google can provide better message security than their own internal IT operations team.

5. Make odd friends. Strangers can best help you see new attack scenarios, providing fresh ideas unprejudiced by your corporate judgment. Find advisors through social and professional networks who can help you anticipate the unexpected.

6. Smash functional barriers. Many companies separate IT security, fraud and physical security functions. What difference does it make if a notebook with sensitive M&A data is stolen from an executive’s desk by a competitor posing as a FedEx messenger? Attack modeling is a holistic practice that can help mitigate risk in all areas of your business.
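The arithmetic behind “measurable in dollar terms” and behind the ERP integrator’s in-house versus Google Apps decision is small enough to show end to end. The model below is an added example written for this page, not PTA’s code or the original post’s; the data structures are a minimal stand-in for the PTA vocabulary (assets, threats, vulnerabilities, countermeasures), and every dollar figure, probability and mitigation fraction is constructed for illustration. It computes annual expected loss per threat, applies the mitigation of a chosen set of countermeasures, and ranks alternative plans by residual risk plus countermeasure cost, which is the comparison rule 3 and the mail example describe.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    value: float            # dollar value of the asset (from the CFO, per rule 2)


@dataclass
class Threat:
    name: str
    asset: str              # asset damaged when the attack succeeds
    vulnerability: str      # weakness the attack exploits
    annual_probability: float
    damage_fraction: float  # share of the asset value lost on success


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    mitigation: Dict[str, float]   # vulnerability -> fraction of that risk removed (0..1)


@dataclass
class AttackModel:
    assets: Dict[str, Asset]
    threats: List[Threat]
    countermeasures: Dict[str, Countermeasure]


def threat_baseline(model: AttackModel, t: Threat) -> float:
    """Annual expected loss from one threat with no countermeasures in place."""
    return t.annual_probability * t.damage_fraction * model.assets[t.asset].value


def residual_risk(model: AttackModel, plan: List[str]) -> float:
    """Annual expected loss after applying the countermeasures named in `plan`.
    Independent countermeasures on the same vulnerability compound multiplicatively."""
    total = 0.0
    for t in model.threats:
        factor = 1.0
        for cm_name in plan:
            factor *= 1.0 - model.countermeasures[cm_name].mitigation.get(t.vulnerability, 0.0)
        total += threat_baseline(model, t) * factor
    return total


def plan_cost(model: AttackModel, plan: List[str]) -> float:
    return sum(model.countermeasures[n].annual_cost for n in plan)


def compare_plans(model: AttackModel, plans: Dict[str, List[str]]) -> List[Tuple[str, float, float, float]]:
    """Rank plans by residual risk + countermeasure cost (lowest total first)."""
    rows = []
    for name, plan in plans.items():
        r, c = residual_risk(model, plan), plan_cost(model, plan)
        rows.append((name, r, c, r + c))
    return sorted(rows, key=lambda row: row[3])


def example_model() -> Tuple[AttackModel, Dict[str, List[str]]]:
    """Constructed numbers loosely following the in-house mail vs hosted mail story."""
    model = AttackModel(
        assets={"mail archive": Asset("mail archive", 2_000_000.0)},
        threats=[
            Threat("mail server compromise", "mail archive", "unpatched mail server", 0.2, 0.5),
            Threat("malware via attachment", "mail archive", "no attachment filtering", 0.5, 0.1),
        ],
        countermeasures={
            "in-house patching and content filter": Countermeasure(
                "in-house patching and content filter", 120_000.0,
                {"unpatched mail server": 0.5, "no attachment filtering": 0.6}),
            "migrate mail to hosted service": Countermeasure(
                "migrate mail to hosted service", 40_000.0,
                {"unpatched mail server": 0.9, "no attachment filtering": 0.8}),
        },
    )
    plans = {
        "do nothing": [],
        "in-house": ["in-house patching and content filter"],
        "hosted mail": ["migrate mail to hosted service"],
    }
    return model, plans


if __name__ == "__main__":
    m, p = example_model()
    for name, risk, cost, total in compare_plans(m, p):
        print(f"{name:12s} residual risk ${risk:>10,.0f}  cost ${cost:>9,.0f}  total ${total:>10,.0f}")
```

With these inputs “do nothing” carries $300,000 of annual expected loss, the in-house plan brings it to $140,000 for $120,000 a year, and the hosted plan to $40,000 for $40,000 a year, so the hosted plan wins on total cost of risk. The useful part is not the answer but that changing one probability or one mitigation fraction re-ranks the plans instantly, which is what “try out options” means in practice.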


The problem of security information sharing

Hermann von Helmholtz

In a previous post Sharing security information I suggested that fragmentation of knowledge is a root cause of security breaches.

I was thinking about the problem of sharing data loss information this past week and I realized that we are saturated with solutions, technologies, policies, security frameworks and security standards – COBIT, ISO 27001 etc.

The German physicist Helmholtz identified three stages of creativity: saturation, incubation and illumination.   We appear to be in the saturation stage right now.

Henri Poincaré identified a fourth step that follows the other three. Verification is putting a solution into concrete form and checking it for errors or usefulness.

In the early 1960s, the American psychologist Jacob Getzels proposed that a preliminary stage of creativity involves formulating a problem. So let’s start with formulating the problem of security information sharing.

People and their employers are unwilling to discuss the details of security events that happened: their security vulnerabilities, the damage in dollars that was actually caused, how the events were discovered, how the threats that exploited the vulnerabilities were mitigated and, most importantly, how well their current security products perform.

In our threat analysis work, we run into these problems daily. We offer an excellent free threat modeling tool from our colleagues at PTA Technologies called PTA – Practical Threat Analysis. I think we have over 15,000 downloads. Users sometimes have questions that require taking a closer look at their threat model, but that almost never happens because of the fear of disclosure. On one occasion a user shared his threat model after obfuscating the data (you can download the software here – free risk assessment software).

Here is a possible solution to the  problem we just formulated:

  • Define a language for describing a security event –  having a canonical language to describe things is a basic requirement for sharing information between people.
  • Build models of attackers, vulnerabilities, assets under attack and security countermeasures in order to describe loss events using the common language.
  • Enable people to build, maintain and share models anonymously. What is important is not the identity of the company who had the loss event, but the details of the model.
  • Use the models to measure the loss impact and the effectiveness of their security countermeasures in dollars. This provides a security metric that will enable people to look at models and compare ‘apples’ to ‘apples’ without involving marketing factors such as product features and distribution channels.
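The four points above are a procedure: a canonical record, validation of the record, anonymous sharing, and a dollar metric that survives anonymization. The code below is an added example written for this page, not the original post’s proposal in finished form and not PTA’s format; the field names, the sample loss event and the consortium secret are all constructed. It validates a loss event for internal consistency (Poincaré’s verification step), replaces the organization’s identity with a keyed pseudonym so that events from the same organization can still be grouped, drops free text that could identify people, coarsens exact dollar figures into buckets, and carries the one number the post cares about: loss prevented per countermeasure dollar.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# The canonical language: every shared loss event carries exactly these fields.
REQUIRED_FIELDS = ("org", "asset", "asset_value", "threat", "vulnerability",
                   "loss", "discovered_by", "countermeasures")
# Fields that never leave the organization.
FREE_TEXT_FIELDS = ("narrative", "contact")

# Constructed sample event; no real organization or incident is described.
SAMPLE_EVENT = {
    "org": "Example Retail Ltd",
    "asset": "customer database",
    "asset_value": 2_000_000,
    "threat": "external attacker, SQL injection",
    "vulnerability": "unparameterized query in order lookup",
    "loss": 250_000,
    "discovered_by": "card brand fraud alert",
    "countermeasures": [
        {"name": "web application firewall", "annual_cost": 30_000, "effectiveness": 0.6},
        {"name": "fix the code", "annual_cost": 50_000, "effectiveness": 0.95},
    ],
    "narrative": "DBA noticed odd queries; name of the on-call engineer was ...",
    "contact": "ciso@example-retail.invalid",
}
SHARING_SECRET = b"constructed-consortium-secret"   # held by the sharing group, not the public


def validate_event(ev: dict) -> List[str]:
    """Return a list of problems; an empty list means the record is consistent."""
    errors = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in ev]
    if errors:
        return errors
    if ev["loss"] > ev["asset_value"]:
        errors.append("loss exceeds asset value")
    for i, cm in enumerate(ev["countermeasures"]):
        for k in ("name", "annual_cost", "effectiveness"):
            if k not in cm:
                errors.append(f"countermeasure {i}: missing {k}")
        eff = cm.get("effectiveness")
        if eff is not None and not 0.0 <= eff <= 1.0:
            errors.append(f"countermeasure {i}: effectiveness must be in [0, 1]")
    return errors


def dollar_bucket(amount: float) -> str:
    """Coarsen exact figures so a record cannot be matched to a press report."""
    for upper, label in ((1_000, "<1K"), (10_000, "1K-10K"), (100_000, "10K-100K"),
                         (1_000_000, "100K-1M"), (10_000_000, "1M-10M")):
        if amount < upper:
            return label
    return ">=10M"


def loss_prevented_per_dollar(ev: dict) -> Dict[str, float]:
    """Dollars of this loss each countermeasure would have prevented, per dollar it costs."""
    return {cm["name"]: round(ev["loss"] * cm["effectiveness"] / cm["annual_cost"], 2)
            for cm in ev["countermeasures"] if cm["annual_cost"] > 0}


def anonymize(ev: dict, secret: bytes) -> dict:
    """Produce the shareable record: keyed pseudonym, no free text, bucketed dollars."""
    shared = {k: v for k, v in ev.items() if k not in FREE_TEXT_FIELDS}
    shared["org"] = hmac.new(secret, ev["org"].encode(), hashlib.sha256).hexdigest()[:16]
    shared["countermeasure_metric"] = loss_prevented_per_dollar(ev)  # computed before bucketing
    shared["asset_value"] = dollar_bucket(ev["asset_value"])
    shared["loss"] = dollar_bucket(ev["loss"])
    return shared


def to_canonical_json(shared: dict) -> str:
    """Deterministic serialization so two parties produce byte-identical records."""
    return json.dumps(shared, sort_keys=True, separators=(",", ":"))


if __name__ == "__main__":
    problems = validate_event(SAMPLE_EVENT)
    print("validation:", problems or "ok")
    print(to_canonical_json(anonymize(SAMPLE_EVENT, SHARING_SECRET)))
```

The pseudonym is keyed rather than a plain hash so that an outsider holding a list of company names cannot simply hash them all and look for matches; whoever operates the sharing group holds the secret, and rotating it unlinks the history.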

7 tips to improve security in a tough economy

Are you waiting for the next Gartner Security Report, making plans to evaluate some technology your CEO might not approve after she slashes your funding and maybe your job?

As a security professional, you can blame hackers, buggy software and the economy – or you can do something different.

“Life is what happens to you while you are  busy making other plans.”
-John Lennon

7 steps you can take right now to improve security in a slow economy

1. Do not buy security technology. Add business value.

Many companies equate information security with information technology. This is a mistake. Do not buy; instead, add value. Take your existing security products and services, create something new and offer it to your customers as a package. Why? Because you have already paid for implementation, you only have to absorb the cost of your time and internal marketing instead of taking money out of the company bottom line when you buy and implement new technologies.

2. Attack Now or Be Eaten Later!

Are you wondering how you can trace leaks of sensitive marketing documents? Scared witless about how your competitors will hack that new Oracle J2EE self-service application that customer service is rolling out? Attack your own systems. Now. Wait and you will be lunch for the sharks.

3. Reinvent your offerings

Whether you are an independent security consultant or an engineer in a company with 100,000 employees, you have customers. Customers are our bosses. If you want job security, then create new interest with your customers. Repackage and rename the services you sell your customers. Start small, for example by offering attack modeling for one business unit in your company, and grow your internal practice over time with word of mouth marketing.

4. Do not hang on at any cost

Do not wait if your company starts getting engulfed in the firestorm. Your security skills are transferable to other industries, other disciplines. There are other opportunities – you will find them and survive.

5. Change your business model

If your customers cannot afford what you sell, change the rules. If you are paying too much to manage MS Exchange and a pile of content security, drop it and migrate to Google Applications. Now is the time to make the change.

6. Do not be cheap.
This one is directed to executives. The last big downturn I remember, in 2002, got worse in 2003, and executives were looking to hire on the cheap: people with narrowly focused skill sets. Not a good move. A security professional who is smart, can hack and can communicate and costs 50% more is worth 4 or 5 of the coffee drinkers who maintain your firewall.

7. Take Action.

Do not stress out about the economy. While you are thinking about how to negotiate a 75% discount on the new data loss prevention system you really need, your competitors will be all over you. Take action: invest in monitoring internal transactions and start shutting down the vulnerabilities you never saw before.
