
By Brett Daniel Shehadey
Special Correspondent for In Homeland Security

At the Mandalay Bay Hotel, the Black Hat USA 2015 Security Conference in Las Vegas kicked off the debate Wednesday with some 9,000 security executives.

“Black Hat – built by and for the global InfoSec community – returns to Las Vegas for its 18th year. This six day event begins with four days of intense Trainings for security practitioners of all levels (Aug. 1-4) followed by the two-day main event including over 100 independently selected Briefings, Business Hall, Arsenal, Pwnie Awards, and more (Aug. 5-6).”

It stresses the concerns for Internet overregulation and balancing concepts on freedom, access and punishment.

“The dream of Internet freedom is dying,” said Jennifer Granick, the Director of Civil Liberties at the Stanford Center for Internet and Society. From the president’s alleged Internet kill switch to the consolidating number of large backbone service providers to the domestic surveillance activities, the reins on the Internet are indeed tightening.

To be fair, the Internet is changing. It is maturing. And because it is more and more pervasive in our lives, both the benign social media friends and the unwanted malevolent attackers have access to our lives through our technology and the Internet. The digital fences, cybersecurity laws, private security precautions and government policing are required for greater order as the Internet becomes part of civilization. Or should we forget that the Internet began as a strictly government operation?

Granick stresses four main culprits infringing on freedom: centralization, regulation, globalization and the loss of the freedom to “tinker” or explore. She is correct in these assumptions but she should add that this is not a top-down process alone. It is also of prime importance to recognize these phenomenal ‘responses’ are a direct result of anarchic conditions, setting the Internet on a path to more governance and the political arena.

Nonetheless, Americans must be both cautious and vigilant, and her warning is valid. People want a “free” Internet, but that freedom will now be more limited. The caution is that such Internet activity not be controlled by governments but governed by them. It might be better to think of this as 21st century digital public roads, even as the Internet becomes more public and even the backbone becomes, at best, quasi-government, with telecom and Internet providers eventually becoming near public utility companies. The problem is in allowing greater freedoms to people and companies to improve those roads and make new roads under such a regime. In closed countries, the noose around the Internet or the great firewalls of our time quickly become tyrannical.

As the Internet becomes the life blood of the future economy and the access point to teleoperation and automation in the Internet of things era, the government must slowly take over its infrastructure directly or through law and regulation, for safety, equity, standards and reasons of private monopolization. The problem becomes the antiquity of law in regard to Internet rights. There must be an amendment somewhere that gives people the right to Internet access and that such a right cannot be taken away or shut off. No such right exists to prevent a dark future law. Taking away Internet ‘privileges’ may not be equated with the right to free expression and free speech.

Punishment too must not be excessive or intimidating to Internet users or the notion of freedom of thought and speech.

Leonard Bailey is Senior Counsel to the Assistant Attorney General for the National Security Division of the Department of Justice’s Computer Crime and Intellectual Property division. Bailey stressed that at this point in time, prosecuting computer crimes is “reasonable…but all it takes is one flogging in the public square and there’s a chilling effect. So we have to get this right.”

Hacking into the Internet of things will turn remote and wireless devices against us. This includes the need to better safeguard everything from automobiles to hospital robots.

White hats (ethical hackers) Charlie Miller and Chris Valasek reported vulnerabilities to Fiat Chrysler after hacking into a Jeep Cherokee’s computer systems five years ago. This has since involved a 1.4 million vehicle recall.

Even Tesla and BMW, who are ahead of the curve, have been among the car companies under the threat of connected Internet vehicles. Telematics systems or Bluetooth connected devices allow for a way inside the car from the outside, exposing it to the entire world. Once in, a hacker can take his time navigating these systems because they typically lack real-time defenses and countermeasures. It might take several months for them to learn the coding and eventually seep into the electronic braking system, which is often a Wi-Fi connection itself from the brake pedal to the computer to the engine. They might also target a host of other systems, such as acceleration, or engine shut-down by triggering or inserting a false fault. The computer thinks the engine is overheating when it is not, for example.

Connected Internet vehicles are prime targets not simply because they are high-tech (i.e., in spite of running tens of millions of lines of code) but because companies have until now been pushing for integrated technologies without giving much or any thought to security and especially high-end security. Also, the necessary laws and regulations for software security in the auto industry are not in place.

There is some motion in Congress. Senators Edward Markey of Massachusetts and Richard Blumenthal have introduced legislation to compel carmakers to seal critical systems and add better threat mitigation efforts. Car companies are now working on this, creating new positions and/or hiring security consultants, but for most, the pace continues to be slow and without necessary shared best practices and standards.

Can anyone say, “Self-driving cars”? Aside from the inordinate number of scenarios in which automated vehicles are publicly dangerous within the city limits, there is now the added hacker dimension to wrestle with.

If the computer shuts the car down in a fluke, it may be fatal. Cars already have this feature and it is becoming a fast standard. You have a better chance if you are at the wheel and paying attention to the breach than being the passenger of a self-driving car reading your favorite book, talking with friends, taking a nap and without even a handbrake in the possible future world presented by Google. The fact that a hacker could potentially kill you was stressed at the conference.

Another major problem off-the-radar is big rigs, commercial fleets and the plethora of telematics systems in other transportation circles. Transports are being tested for self-driving functions from commercial use to military use. Even farm equipment has vulnerabilities.

Today, the Black Hat conference finishes off by covering mobile payments, the hacking of remote weapons via the Internet, ransomware and biometric identification security risks.

Also in Las Vegas, another even larger hacker convention known as Def Con starts Aug. 6 and continues through Aug. 9.