<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' version='2.0'><channel><atom:id>tag:blogger.com,1999:blog-7692487503687871638</atom:id><lastBuildDate>Wed, 23 Sep 2009 15:56:49 +0000</lastBuildDate><title>DeviceLINE - The Mocana Blog</title><description></description><link>http://www.mocana.com/blog/blog.html</link><managingEditor>noreply@blogger.com (Mocana)</managingEditor><generator>Blogger</generator><openSearch:totalResults>78</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-5532610779880145264</guid><pubDate>Mon, 21 Sep 2009 19:11:00 +0000</pubDate><atom:updated>2009-09-23T08:56:50.031-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>surveillance</category><category domain='http://www.blogger.com/atom/ns#'>virus</category><category domain='http://www.blogger.com/atom/ns#'>skype</category><category domain='http://www.blogger.com/atom/ns#'>voip-</category><category domain='http://www.blogger.com/atom/ns#'>encryption</category><category domain='http://www.blogger.com/atom/ns#'>security</category><title>Skype VoIP: Who's listening in?</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/pic2-18-752807.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 150px; height: 165px;" src="http://www.mocana.com/blog/uploaded_images/pic2-18-752798.jpg" alt="" border="0" /&gt;&lt;/a&gt;Described as the first ever "wiretap Trojan," a new virus that can eavesdrop on calls made with the popular Voice over Internet Protocol (VoIP) service Skype is raising concerns about the security of personal computer-driven telecommunications and the 
prevalence of surveillance in the ecosystem of this increasingly popular technology.&lt;br /&gt;&lt;br /&gt;With over 480 million users worldwide, Skype offers free or low-cost VoIP calling between two computers or between a computer and a phone. The new Trojan allows these voice conversations to be recorded and distributed to remote sites automatically, without the Skype users' knowledge.&lt;br /&gt;&lt;blockquote style="color: rgb(153, 153, 153); border-left-style: solid; padding-left: 10px;"&gt;The virus...doesn't target a particular vulnerability in Skype. Instead, it hooks into parts of the Windows operating system that handle audio processing. Then it intercepts all audio coming from Skype &lt;span style="font-style: italic;"&gt;before&lt;/span&gt; it's encrypted by the software...The audio gets saved as mp3 files and can be sent to computers controlled by the criminals.&lt;br /&gt;&lt;/blockquote&gt;&lt;a href="http://www.smh.com.au/technology/security/wiretapping-skype-calls-virus-eavesdrops-on-voip-20090904-fav7.html"&gt;According to Kevin Haley,&lt;/a&gt; director of Symantec Security Response, "It's more interesting than dangerous. It's an espionage tool. That's its clear purpose. 
It's not practical for any type of broad-based attacks."&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mocana.com/blog/blog.html"&gt;« Blog Home&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.mocana.com/"&gt;Mocana Website »&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-5532610779880145264?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/09/skype-voip-whos-listening-in.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-1007100831776827291</guid><pubDate>Mon, 21 Sep 2009 18:58:00 +0000</pubDate><atom:updated>2009-09-23T08:53:29.529-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>wireless-devices</category><category domain='http://www.blogger.com/atom/ns#'>mobile</category><category domain='http://www.blogger.com/atom/ns#'>mobile-security</category><category domain='http://www.blogger.com/atom/ns#'>data-encryption</category><category domain='http://www.blogger.com/atom/ns#'>networks</category><category domain='http://www.blogger.com/atom/ns#'>government</category><title>WALL STREET JOURNAL Off-the-shelf mobile devices becoming government-issue standard</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/pic3-18-744234.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 150px; height: 165px;" src="http://www.mocana.com/blog/uploaded_images/pic3-18-744221.jpg" alt="" border="0" /&gt;&lt;/a&gt;Until recently, government employees were rarely issued mobile devices like mobile internet devices or BlackBerrys, usually because of the perceived security problem. That's changing, and fast. 
More and more often, government IT departments have decided "if you can't beat 'em, join 'em" and are rapidly outfitting their employees with commercial off-the-shelf mobile communications devices. These consumer devices, previously only issued to the highest-level government employees, are now much more likely to be found in the hands of the rank-and-file.  That has dramatically expanded the government's mobile device population (and its over-the-air data traffic), leading some experts to worry that sensitive government communications are becoming less, not more, secure.&lt;br /&gt;&lt;br /&gt;This change in government policy is happening on a massive scale.&lt;br /&gt;&lt;blockquote style="color: rgb(153, 153, 153); border-left-style: solid; padding-left: 10px;"&gt;This year, the U.S. government will spend $70 billion on information technology, including wireless devices, service contracts and applications, according to Warren Suss, president of Suss Consulting Inc...The shift is being driven by the desire to make government workers more effective and efficient by giving them access to critical information wherever they are, and by the need to cut costs -- private networks and proprietary devices are expensive to develop and require specialized staff to maintain and update.&lt;/blockquote&gt;Sara Silver of &lt;a href="http://online.wsj.com/article/SB10001424052970203706604574372463652317946.html"&gt;The Wall Street Journal&lt;/a&gt; reports on the exciting new uses government employees are finding for commercial devices and networks.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mocana.com/blog/blog.html"&gt;« Blog Home&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.mocana.com/"&gt;Mocana Website »&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/7692487503687871638-1007100831776827291?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/09/wall-street-journaloff-shelf-mobile.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-1189000188408692731</guid><pubDate>Mon, 21 Sep 2009 16:59:00 +0000</pubDate><atom:updated>2009-09-23T08:42:56.518-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>network</category><category domain='http://www.blogger.com/atom/ns#'>mocana</category><category domain='http://www.blogger.com/atom/ns#'>sensors</category><category domain='http://www.blogger.com/atom/ns#'>wireless</category><category domain='http://www.blogger.com/atom/ns#'>smart-objects</category><title>MOCANA BYLINE Security in Wireless Sensor Networks</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/pic4-18-767485.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 150px; height: 165px;" src="http://www.mocana.com/blog/uploaded_images/pic4-18-767478.jpg" alt="" border="0" /&gt;&lt;/a&gt;Despite their ubiquity, security and networking technologies for sensors and other smart objects are still very much in their infancy, and there is tremendous technical and market opportunity in this arena. 
With major computational and communication resource constraints, these networks require new security solutions developed from the ground-up, as integral parts of their architectures.&lt;br /&gt;&lt;blockquote style="color: rgb(153, 153, 153); border-left-style: solid; padding-left: 10px;"&gt;Devices and "smart objects" like industrial sensors are rapidly outnumbering workstations on networks worldwide, with some experts projecting that within 5 years there will be over 100 non-PC devices for every workstation on a network. Some devices. . .have comparatively ample memory, processing and bandwidth resources at their disposal. As such, we can usually apply some of the security techniques originally developed for networks of PCs directly to the new "citizens" on the network. But at the very low end, devices like environmental sensors often present a unique challenge because of the extreme resource constraints they impose on security architects.&lt;/blockquote&gt;&lt;a href="http://rtcmagazine.com/articles/view/101228"&gt;A recent RTC Magazine cover story by Mocana's own Kurt Stammberger, CISSP&lt;/a&gt; discusses the challenges these wireless sensor networks and smart objects present and the cutting-edge work being done to create solutions custom-built for securing them.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mocana.com/blog/blog.html"&gt;« Blog Home&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.mocana.com/"&gt;Mocana Website »&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-1189000188408692731?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/09/mocana-byline-security-in-wireless.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid 
isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-3185356595586065105</guid><pubDate>Thu, 03 Sep 2009 18:17:00 +0000</pubDate><atom:updated>2009-09-03T11:28:57.816-07:00</atom:updated><title>Wyse + Mocana = Windows desktop on the iPhone</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/pocketcloud-desktop-virtualisation-iphone-754291.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 228px;" src="http://www.mocana.com/blog/uploaded_images/pocketcloud-desktop-virtualisation-iphone-754284.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"   style="  color: rgb(51, 51, 51); line-height: 18px; font-family:arial, sans-serif;font-size:13px;"&gt;&lt;p style="padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; line-height: 16px; "&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;At VMWorld, Wyse Technology is selling a new iPhone app which makes it easy for users to access their Windows desktop, securely, from their iPhone. 
Wyse's new PocketCloud app uses &lt;a href="http://www.mocana.com/nanossl.html"&gt;Mocana's &lt;/a&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;a href="http://www.mocana.com/nanossl.html"&gt;NanoSS&lt;/a&gt;&lt;a href="http://www.mocana.com/nanossl.html"&gt;L&lt;/a&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt; software to authenticate and encrypt the remote connection, making sure that unauthorized people can't log into YOUR desktop from THEIR iPhones :-).&lt;/span&gt;&lt;/p&gt;&lt;p style="padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; line-height: 16px; "&gt;&lt;a href="http://www.wyse.com/products/software/pocketcloud/" style="color: rgb(9, 43, 137); text-decoration: none; cursor: pointer; "&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;PocketCloud&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt; works on both the iPhone and iPod Touch. The app works with either a virtualized or physical machine which supports Microsoft's RDP protocol, and also supports VMware View 3.1 connection broker (in direct or tunneling modes). 
$29.95 from the iTunes App Store.&lt;/span&gt;&lt;/p&gt;&lt;p style="padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; line-height: 16px; "&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-3185356595586065105?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/09/wyse-mocana-windows-desktop-on-iphone.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-5454013319046553285</guid><pubDate>Fri, 28 Aug 2009 21:21:00 +0000</pubDate><atom:updated>2009-08-28T15:34:19.651-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>wpa2</category><category domain='http://www.blogger.com/atom/ns#'>encryption</category><category domain='http://www.blogger.com/atom/ns#'>wireless</category><category domain='http://www.blogger.com/atom/ns#'>hack</category><title>Once More, With Feeling: Don't Use WPA for Wireless Security</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/listening-recording-device-743139.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 231px;" src="http://www.mocana.com/blog/uploaded_images/listening-recording-device-743136.jpg" alt="" border="0" /&gt;&lt;/a&gt;Two Japanese university students have demonstrated hacking into encrypted wireless WPA traffic in under 60 seconds, and Mocana reiterates its warning to its wireless device security customers to migrate their implementations to the 
WPA2 technique, which is generally thought to be more secure. A professional WPA2 implementation is available in Mocana's &lt;a href="http://mocana.com/nanowireless.html"&gt;NanoWireless&lt;/a&gt; product.&lt;br /&gt;&lt;br /&gt;The hack, created by Toshihiro Ohigashi of Hiroshima University and Masakatu Morii of Kobe University, is based on the respected Beck-Tews method, which makes small changes to packets encrypted with TKIP (the Temporal Key Integrity Protocol within WPA) and then sends those packets back to the access point device.&lt;br /&gt;&lt;br /&gt;The older Beck-Tews method took between 10 and 15 minutes to execute, but Ohigashi and Morii's new man-in-the-middle variation on Beck-Tews only needs a minute. You can read their paper &lt;a href="http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%20on%20WPA.pdf"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-5454013319046553285?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/08/once-more-with-feeling-dont-use-wpa-for.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-7309782301571316220</guid><pubDate>Thu, 27 Aug 2009 23:33:00 +0000</pubDate><atom:updated>2009-08-28T11:04:57.436-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>smart grid security</category><category domain='http://www.blogger.com/atom/ns#'>FIPS</category><category domain='http://www.blogger.com/atom/ns#'>ami-sec</category><category domain='http://www.blogger.com/atom/ns#'>amisec</category><title>Mocana Speaker at the Smart Grid Conference</title><description>&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span 
style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;Mocana's own &lt;a href="http://www.mocana.com/bio-phil-montgomery.html"&gt;Phil Montgomery&lt;/a&gt; will be part of an expert panel on &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.mocana.com/Industries-smart-grid-ami.html"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;smart grid security&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt; at the &lt;/span&gt;&lt;/span&gt;&lt;a href="http://smart-grid.tmcnet.com/conference/west-09/w-09-registration.aspx"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;Smart Grid Conference&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt; next week in Los Angeles.   He'll be talking about some of the challenges device manufacturers and integrators face when trying to roll out next-generation electricity infrastructure that's greener, but tougher for hackers to compromise.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;div style="text-align: left;"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;Designing security software for the smart grid is a non-trivial undertaking, and it's a problem we've been working for a while now.  Here's what we think is missing in some of the other smart grid security implementations we've seen:&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;&lt;span style="font-family:Georgia, serif;"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;1.) 
&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;Smart grid security &lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;b&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;needs to interoperate with multiple security standards&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;, and help utilities (and integrators) avoid vendor lock-in.  The package should be a comprehensive solution that enables smart grid devices to interoperate with virtually any security specification, including those from Zigbee, HomePlug, AMI-SEC or IEEE 1686. It should let implementers choose the algorithms and key sizes that work best for a particular device—whether that’s elliptic curve (ECC), RSA, AES or something else entirely. That keeps follow-on projects open to the best technologies at the lowest prices, and avoids taxpayer dollars being held hostage to one vendor’s proprietary approach.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;&lt;span style="font-family:Georgia, serif;"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;&lt;span style="font-family:Georgia, serif;"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;2.) &lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;Smart grid security needs to scale. &lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;And we mean, really really scale. 
The software should enable utilities &lt;/span&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;to achieve the tremendous per-byte security efficiencies they need in order to handle millions of meters and thousands of servers while maintaining high-availability and fail-over capabilities.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;&lt;span style="font-family:Georgia, serif;"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;&lt;span style="font-family:Georgia, serif;"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;&lt;span style="font-family:Georgia, serif;"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;3.) &lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;Smart grid security needs to be efficient.&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt; The software should be comfortable working in resource-constrained environments, without a lot of spare memory or processor power.  These new meters are smart, yes.  
But supercomputers they ain't, and cryptography is notoriously compute-intensive.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;&lt;span style="font-family:Georgia, serif;"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;&lt;span style="font-family:Georgia, serif;"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;&lt;span style="font-family:Georgia, serif;"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;&lt;span style="font-family:Georgia, serif;"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;4.) &lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt;Smart grid security needs to be FIPS-Certified.&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:small;"&gt; All government agencies and most contractors require FIPS-certification of cryptographic engines in the solutions they buy — and it's a difficult certification to achieve. Smart grid security software should be available to integrators in both source code, *and* as a government-certified FIPS 140-2 Level 1 validated binary. 
While we're at it, it'd be nice if the engine supported NSA’s Suite B algorithms, providing secure communications between high-assurance (classified) and basic-assurance systems for those smart grid implementations interfacing directly with government agencies.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-7309782301571316220?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/08/mocana-speaker-at-smart-grid-conference.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-6431669360266233246</guid><pubDate>Tue, 21 Jul 2009 16:20:00 +0000</pubDate><atom:updated>2009-07-21T15:10:53.730-07:00</atom:updated><title>Selling to the Government and FIPS</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/washington_1-768480.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 200px; height: 150px;" src="http://www.mocana.com/blog/uploaded_images/washington_1-768478.jpg" border="0" alt="" /&gt;&lt;/a&gt;In &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_0"&gt;today's&lt;/span&gt; &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_1"&gt;difficult&lt;/span&gt; economy organizations are looking to maximize their government business - after all, the business of government continues no matter the state of the economy, and government is the single largest IT spender by segment.&lt;div&gt;&lt;br 
/&gt;&lt;/div&gt;&lt;div&gt;When selling products to the government there are a number of important criteria, and where cryptography is concerned, the first word always heard is "&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;FIPS&lt;/span&gt;".  What they're usually talking about is the &lt;b&gt;&lt;a href="http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf"&gt;Federal Information Processing Standard&lt;/a&gt;&lt;/b&gt;&lt;a href="http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf"&gt; (&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;FIPS&lt;/span&gt;) &lt;/a&gt;&lt;b&gt;&lt;a href="http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf"&gt;Publication 140-2&lt;/a&gt;&lt;/b&gt;, a federal standard used to accredit cryptographic "engines" inside of software or hardware implementations. For software, only binary software implementations compiled for specific OS and hardware environments can receive certificates.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.nist.gov/index.html"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;NIST&lt;/span&gt;&lt;/a&gt;, the National Institute of Standards and Technology wrote the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;FIPS&lt;/span&gt; 140 Publication Series to standardize federal requirements for cryptography modules whether they be implemented in software, hardware, or a combination of both. 
Most federal agencies and departments require that any computer security implementations that they, or their contractors use, contain only &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;FIPS&lt;/span&gt;-certified cryptographic modules.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_7"&gt;FIPS&lt;/span&gt; 140-2 lays out the government's Cryptographic Module Validation Program (&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_8"&gt;CMVP&lt;/span&gt;), a joint effort of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_9"&gt;NIST&lt;/span&gt; and the Canadian Communications Security Establishment (&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_10"&gt;CSE&lt;/span&gt;). In addition to supporting module testing and validation projects, the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_11"&gt;CMVP&lt;/span&gt; program also helps develop, manage and promote security assessment tools, techniques and services.&lt;span&gt; &lt;/span&gt;As part of its &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_12"&gt;FIPS&lt;/span&gt;-mandated work, the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_13"&gt;CMVP&lt;/span&gt; develops and maintains security metrics, creates evaluation methodologies, sets criteria for certification in the lab, guides users on the proper application of tested products, and coordinates with industry standards bodies.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_14"&gt;FIPS&lt;/span&gt; 140-2 identifies four levels of security, from "Level 1" to "Level 4", but it doesn't advise on what level of security to use for a specific application. &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_15"&gt;FIPS&lt;/span&gt; 140-2 Security Level 1 is the highest certification allowed for software-only products. 
At least one "Approved" algorithm or "Approved" security function must be used inside the cryptographic module evaluated. No physical security mechanisms (like tamper-proofing) are required in Level 1 modules beyond the basic requirement for "production-grade components."&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_16"&gt;FIPS&lt;/span&gt; 140-2 is often misunderstood - the entire product does not need to be certified, as &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_17"&gt;FIPS&lt;/span&gt; only applies to the cryptographic functions.  The company building the product does not need to spend time and resources understanding the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_18"&gt;FIPS&lt;/span&gt; process if they purchase and integrate a &lt;b&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_19"&gt;FIPS&lt;/span&gt; &lt;/b&gt;&lt;b&gt;certified &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_20"&gt;crypto&lt;/span&gt; module&lt;/b&gt;, such as provided by &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_21"&gt;Mocana&lt;/span&gt;.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/fipsvalidated-798817.gif"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 196px; height: 200px;" src="http://www.mocana.com/blog/uploaded_images/fipsvalidated-798815.gif" border="0" alt="" /&gt;&lt;/a&gt;A good example of a Security Level 1 cryptographic module would be an &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_22"&gt;SSL&lt;/span&gt; software product compiled for a specific OS and CPU, including a binary of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_23"&gt;Mocana's&lt;/span&gt; &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_24"&gt;NanoSSL&lt;/span&gt;. 
Federal buyers can validate that the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_25"&gt;crypto&lt;/span&gt; "engine" inside of a &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_26"&gt;Mocana&lt;/span&gt; product is certified anytime, by asking &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_27"&gt;Mocana&lt;/span&gt; to present the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_28"&gt;FIPS&lt;/span&gt; 140-1 and/or &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_29"&gt;FIPS&lt;/span&gt; 140-2 certificates (issued by &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_30"&gt;NIST&lt;/span&gt;) which specify the exact module that &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_31"&gt;NIST&lt;/span&gt; tested, when, as well as the hardware, software, firmware, and/or applet version numbers. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_32"&gt;Mocana&lt;/span&gt; has built substantial expertise in attaining &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_33"&gt;FIPS&lt;/span&gt; 140-2 certification, and virtually every &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_34"&gt;Mocana&lt;/span&gt; product either comes standard with &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_35"&gt;FIPS&lt;/span&gt;-certified cryptographic modules. 
&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/07/selling-to-government-and-fips.html</link><author>noreply@blogger.com (Phil Montgomery)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-5161698318891899562</guid><pubDate>Tue, 16 Jun 2009 14:28:00 +0000</pubDate><atom:updated>2009-07-15T09:14:05.247-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>zigbee-</category><category domain='http://www.blogger.com/atom/ns#'>embedded-security</category><category domain='http://www.blogger.com/atom/ns#'>ipv6-</category><category domain='http://www.blogger.com/atom/ns#'>internet of things</category><category domain='http://www.blogger.com/atom/ns#'>networking</category><title>IP is the glue</title><description>&lt;a href="http://www.mocana.com/blog/uploaded_images/glue-797860.jpg"&gt;&lt;img style="margin: 0px 10px 10px 0px; width: 124px; float: left; height: 200px;" alt="" src="http://www.mocana.com/blog/uploaded_images/glue-797858.jpg" border="0" /&gt;&lt;/a&gt; As we move towards the &lt;em&gt;Internet of things&lt;/em&gt; (IOT), it's clear that we need something to be the glue holding this evolved Internet together.&lt;br /&gt;&lt;br /&gt;The IOT can be regarded as the 3rd wave of device computing. The first was the mainframe/mini computer, followed by the PC/wintel era. Interestingly, both of these suffered from enormous security problems as networking and security were an afterthought (and we're still dealing with the security problems of the PC era).&lt;br /&gt;&lt;br /&gt;The first two device waves were dominated by homogeneous hardware and operating systems. 
In particular the PC era continues to be (largely) dominated by the Microsoft Windows/Intel x86 alliance (wintel), and devices are connected (again, largely) via Ethernet.  This homogeneous environment made it extremely easy to create a working network.&lt;br /&gt;&lt;br /&gt;At the initial stage of networking, there were competing standards at the protocol level - Novell's IPX/SPX, Microsoft's NetBIOS, IBM's SNA, et al, and of course TCP/IP. Once the world standardized on TCP/IP, connecting systems became extremely easy and everything worked together. Connecting devices into a coherent system has been relatively painless, but we still live in a largely homogeneous hardware/OS world, with minimal choice. Compatibility is easy to develop and test (between Linux, Windows, Mac).&lt;br /&gt;&lt;br /&gt;Think about the difference with the IOT, and we see hundreds/thousands of:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Incompatible hardware configurations&lt;/li&gt;&lt;li&gt;Incompatible CPUs, architectures, memory footprints&lt;/li&gt;&lt;li&gt;Operating systems, proprietary and open source (and some devices don't have operating systems)&lt;/li&gt;&lt;li&gt;Competing connectivity standards (Ethernet (multiple standards), wireless PAN (multiple standards), Zigbee, HomePlug, 15.4 technologies, etc)&lt;img style="margin: 0px 0px 10px 10px; width: 162px; float: right; height: 200px;" alt="" src="http://www.mocana.com/blog/uploaded_images/toaster-770486.jpg" border="0" /&gt;&lt;/li&gt;&lt;/ul&gt;According to Harbor Research's recent &lt;a href="http://www.harborresearch.com/HarborContent/reports.html"&gt;2009 Pervasive Internet/M2M Forecast Report&lt;/a&gt;, the number of intelligent device shipments will grow from 73 million units in 2008 to 430 million units in 2013. 
That's a lot of incompatible devices, and we know that this diversity will only increase as new chips/OS/connectivity come on the market.&lt;br /&gt;&lt;br /&gt;Really there is only one thing that is the glue holding this network together: TCP/IP (to be specific, the Internet and Transport layers). IPv6 is the next generation of these protocols, giving the address capabilities needed to build the IOT (IPv6 uses a 128-bit address, versus the 32-bit address of IPv4).&lt;br /&gt;&lt;br /&gt;The path forward is clear - the only thing we can count upon to be standard moving forward is IPv6 as the &lt;span style="color: rgb(0, 0, 102);"&gt;glue of the Internet of Things&lt;/span&gt;.</description><link>http://www.mocana.com/blog/2009/06/ip-is-glue.html</link><author>noreply@blogger.com (Phil Montgomery)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-5004940565638949586</guid><pubDate>Mon, 01 Jun 2009 17:22:00 +0000</pubDate><atom:updated>2009-07-16T15:49:05.180-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>embedded-security</category><category domain='http://www.blogger.com/atom/ns#'>bugs</category><category domain='http://www.blogger.com/atom/ns#'>software</category><title>Buggy Breathalyzer Bounces Boozers</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/pic1-17-731022.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 150px; height: 165px;" src="http://www.mocana.com/blog/uploaded_images/pic1-17-731015.jpg" alt="" border="0" /&gt;&lt;/a&gt;DUI defendants are asking courts to 
mandate source code reviews on the software that runs breathalyzer devices to determine if bugs or malware is present. While it’s easy to see how this tactic would be employed in attempts to get charges reduced or dropped, the more serious issue could be the device failing to detect when a person is under the influence, thus sending them back on the road. Two independent reviews weigh in, according to an &lt;a href="http://arstechnica.com/tech-policy/news/2009/05/buggy-breathalyzer-code-reflects-importance-of-source-review.ars"&gt;Ars Technica article.&lt;/a&gt;&lt;br /&gt;&lt;blockquote style="color: rgb(153, 153, 153); border-left-style: solid; padding-left: 10px;"&gt;The reviews differ in scope and offer different conclusions, but they both agree that the code falls below industry-standard best practices and that it contains bugs. The [Base One] report identifies 24 major defects and points to a wide range of troubling issues. The analysts discovered that the embedded software disables safeguard features built into the device's processor that are intended to detect and prevent the execution of invalid or corrupt instructions. The researchers contend that this circumvention can lead to unpredictable results in the event of fatal errors.&lt;/blockquote&gt;&lt;a href="http://www.schneier.com/blog/archives/2009/05/software_proble.html"&gt;In his blog,&lt;/a&gt; security expert Bruce Schneier further notes:&lt;br /&gt;&lt;blockquote style="color: rgb(153, 153, 153); border-left-style: solid; padding-left: 10px;"&gt;This is an excellent lesson in the security problems inherent in trusting proprietary software. As we become more and more dependent on software for evidentiary and other legal applications, we need to be able to carefully examine that software for accuracy, reliability, etc. Every government contract for breath alcohol detectors needs to include the requirement for public source code. 
"You can't look at our code because we don't want you to" simply isn't good enough.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mocana.com/blog/blog.html"&gt;&lt;&lt; Blog Home&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.mocana.com/"&gt;Mocana Website &gt;&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;c84dv4dw2u&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-5004940565638949586?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/06/buggy-breathalyzer-bounces-boozers.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-1920052773866786190</guid><pubDate>Mon, 01 Jun 2009 17:07:00 +0000</pubDate><atom:updated>2009-07-16T15:49:05.181-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>netbook</category><category domain='http://www.blogger.com/atom/ns#'>malware</category><category domain='http://www.blogger.com/atom/ns#'>autorun worm-</category><title>Great Netbooks! 
Free Malware Included.</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/pic2-17-726243.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 150px; height: 165px;" src="http://www.mocana.com/blog/uploaded_images/pic2-17-726237.jpg" alt="" border="0" /&gt;&lt;/a&gt;After three pieces of malware, including a variant of the AutoRun worm, were found on a brand new Windows XP netbook, consumers are being warned to run security scans before connecting to the Internet.&lt;br /&gt;&lt;blockquote style="color: rgb(153, 153, 153); border-left-style: solid; padding-left: 10px;"&gt;When Kaspersky [Labs] developers installed their recently-released Security for Ultra Portables on an M&amp;amp;A Companion Touch netbook purchased for testing, "they thought something strange was going on," said Roel Schouwenberg, a senior antivirus researcher with the Moscow-based firm. Schouwenberg scanned the machine -- a $499 netbook designed for the school market -- and found three pieces of malware.&lt;/blockquote&gt;One of them was a variant of the AutoRun worm, which according to a recent Computerworld posting, spreads &lt;a href="http://news.idg.no/cw/art.cfm?id=58E2CC84-1A64-67EA-E459AE31EA733AAE"&gt;via infected USB flash drives.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mocana.com/blog/blog.html"&gt;&lt;&lt; Blog Home&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.mocana.com/"&gt;Mocana Website &gt;&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-1920052773866786190?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/06/great-netbooks-free-malware-included.html</link><author>noreply@blogger.com (Mocana)</author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-885594746875696775</guid><pubDate>Mon, 01 Jun 2009 17:00:00 +0000</pubDate><atom:updated>2009-07-16T15:49:05.181-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>security-standards</category><category domain='http://www.blogger.com/atom/ns#'>doe-</category><category domain='http://www.blogger.com/atom/ns#'>smart-grid</category><category domain='http://www.blogger.com/atom/ns#'>department-of-energy</category><title>DOE: First Smart Grid Security Standards</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/pic3-17-722765.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 150px; height: 165px;" src="http://www.mocana.com/blog/uploaded_images/pic3-17-722760.jpg" alt="" border="0" /&gt;&lt;/a&gt;In a “major step forward for the commercial implementation of America’s smart grid,” the Department of Energy announced the first 16 sets of the projected 100 standards. The fact that many of these standards are already dominant in the industry could help officials meet the tight September deadline. 
Of the 16, five focus on security.&lt;br /&gt;&lt;blockquote style="color: rgb(153, 153, 153); border-left-style: solid; padding-left: 10px;"&gt;That includes: the AMI-SEC’s System Security Requirements, the IEC’s standard for “Information security for power system control operations,” the IEEE’s “Security for intelligent electronic devices,” the North American Electric Reliability Corp.’s “Cyber security standards for the bulk power system,” and NIST’s “Cyber security standards and guidelines for federal information systems, including those for the bulk power system.” Given security is such a controversial issue, it’s smart to release some of these at the very start.&lt;br /&gt;&lt;br /&gt;Compared with standards for the Internet or mobile communications, developing standards for the smart grid is much more complex because there are so many different industries and technologies involved. As Steve Widergren, the Smart Grid Interoperability and Standards Coordinator for the DOE, explained to us recently: “The smart grid is very heterogenous, and anyone acting like it’s homogeneous is vastly oversimplifying it.” To meet the needs of that complexity, the DOE is expected to name at least 100 more standards that will make up the smart grid over the coming weeks and months.&lt;/blockquote&gt;Reuters' &lt;a href="http://www.reuters.com/article/earthToTech/idUS13523317120090518"&gt;Katie Fehrenbacher further notes&lt;/a&gt; that “while these decisions are just the first steps in developing standards, allocating funds, and rolling out smart-grid technology, these early choices will have a big impact on the future of the industry.”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/7692487503687871638-885594746875696775?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/06/doe-first-smart-grid-security-standards.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-3937690807929053795</guid><pubDate>Mon, 01 Jun 2009 16:54:00 +0000</pubDate><atom:updated>2009-07-16T15:49:05.182-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>mobile-security</category><category domain='http://www.blogger.com/atom/ns#'>encryption</category><category domain='http://www.blogger.com/atom/ns#'>3g-</category><title>InformationWeek: 3G Security Coming Along, But...</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/pic4-17-713701.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 150px; height: 165px;" src="http://www.mocana.com/blog/uploaded_images/pic4-17-713696.jpg" alt="" border="0" /&gt;&lt;/a&gt;The good news about 3G security is that today's mobile broadband networks have some enhanced security built in. Most of the latest 3G technologies, including WiMax, at least have options for robust encryption. AT&amp;amp;T and T-Mobile provide High Speed Packet Access with a 128-bit Kasumi encryption algorithm. CDMA2000, offered by Sprint and Verizon, offers 128-bit AES (Advanced Encryption Standard) encryption.&lt;br /&gt;&lt;br /&gt;The bad news is that operators may or may not actually turn your encryption "on".&lt;br /&gt;&lt;blockquote style="color: rgb(153, 153, 153); border-left-style: solid; padding-left: 10px;"&gt;AES activation is largely optional on the part of operators. 
AT&amp;amp;T claims its Kasumi encryption is "always on", but Verizon won't go there. Moreover, even if your operator offers encryption, your users may roam onto a network that doesn't. And an old 2G connection has much less robust encryption mechanisms, considered easy to defeat.&lt;/blockquote&gt;VPN and endpoint security offerings vary tremendously between the carriers and handset companies, too. The net-net is that companies need to take ownership of their device security. Fortunately, there's a growing goodie-bag of options out there, if you know where to look. &lt;a href="http://www.informationweek.com/news/mobility/security/showArticle.jhtml?articleID=217600492&amp;amp;pgno=1&amp;amp;queryText=&amp;amp;isPrev="&gt;Read more.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mocana.com/blog/blog.html"&gt;&lt;&lt; Blog Home&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.mocana.com/"&gt;Mocana Website &gt;&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-3937690807929053795?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/06/informationweek-3g-security-coming.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-994646804951898330</guid><pubDate>Mon, 01 Jun 2009 16:48:00 +0000</pubDate><atom:updated>2009-07-16T15:49:05.182-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>spi-</category><category domain='http://www.blogger.com/atom/ns#'>nanossh-</category><category domain='http://www.blogger.com/atom/ns#'>aes-</category><category domain='http://www.blogger.com/atom/ns#'>hints-from-mocana-engineering</category><category domain='http://www.blogger.com/atom/ns#'>cbc-mode</category><title>Hints from Mocana 
Engineering</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/pic5-17-796088.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 150px; height: 165px;" src="http://www.mocana.com/blog/uploaded_images/pic5-17-796083.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;span style="font-style: italic;"&gt;There is an advisory against SSH using AES in CBC mode. Is NanoSSH vulnerable?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;NanoSSH is not vulnerable, since NanoSSH does not automatically re-establish a session on failure. However, to ensure no issues when interoperating with vulnerable implementations, the next release of NanoSSH supports AES-CTR. Please contact support for a beta version, and look for several new features in the next release of NanoSSH.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Bonus Hint: How does NanoSec assign SPI?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;For manual keys, the SPI can be specified (configured) when the key is added. For automatic keys (via IKE), it’s either a random number or assigned by IPsec (e.g. 
PF_KEY).</description><link>http://www.mocana.com/blog/2009/06/hints-from-mocana-engineering.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-991595574866803586</guid><pubDate>Thu, 21 May 2009 21:49:00 +0000</pubDate><atom:updated>2009-05-21T14:50:56.785-07:00</atom:updated><title>Introducing Phil Montgomery, Mocana's new VP of Products</title><description>&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 200px; height: 150px;" src="http://3.bp.blogspot.com/_F4AiNA_W3yo/Sg81IJf9uyI/AAAAAAAAErM/3WXKOuDE1wM/s200/iot.com.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5336542497562540834" /&gt;I recently joined &lt;a href="http://www.mocana.com/"&gt;Mocana Corporation&lt;/a&gt; as VP of Products, and the biggest driver for my decision was their vision around the "Internet of Things".  I spent many weeks interviewing with the CEO (Adrian Turner) and key executives - after doing a lot of research and thinking, I became quite excited.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The &lt;span class="Apple-style-span" style="font-style: italic;"&gt;Internet of things&lt;/span&gt; (IOT) is based on the trend of all devices becoming smart and communicating freely.  Think about the possibilities in all aspects of life - the home, workplace, manufacturing, medical, military, etc.  
Right now I have over 14 Wi-Fi-enabled devices at home, but no way to coordinate them or set policy - and if you include non-IP devices there are about 30 more at home (phones, cars, water sprinkler system, appliances etc).  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Imagine if I could network these devices, and connect them to other information sources.  I could configure an Internet based weather service to communicate with my sprinkler system, and turn it off if rain is expected.  My air conditioning could turn on automatically based upon a GPS read of my distance from home (check out my GPS location with the gadget on the right side of the blog).  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Think about every device or article having an electronic ID, so it can be tracked anywhere on the face of the earth - theft could become a thing of the past.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Think about a medical provider being able to securely monitor a patient's health across the Internet - and give them advice about diet, exercise etc. Or call an ambulance if their implanted pacemaker detects a heart attack.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The opportunities are endless.&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Open standards are critical to the IOT - we live in a world where proprietary standards are no longer accepted, and companies cannot expect to make money by long term customer lock-in. One of the most important standards for the IOT is the broad use of Internet Protocol (IP) communications. 
IP is the backbone that enables universal device communication.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_F4AiNA_W3yo/ShMJpgkqbvI/AAAAAAAAEr0/D5Gb8acEahI/s1600-h/ipso-logo-tranparent.png"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 200px; height: 113px;" src="http://2.bp.blogspot.com/_F4AiNA_W3yo/ShMJpgkqbvI/AAAAAAAAEr0/D5Gb8acEahI/s200/ipso-logo-tranparent.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5337620592087166706" /&gt;&lt;/a&gt;To enable these open standards, 27 companies founded the &lt;span class="Apple-style-span" style="font-weight: bold;"&gt;IP for Smart Objects&lt;/span&gt; (IPSO) organization.  The IPSO Alliance is an open, informal and thought-leading association of like-minded organizations and individuals that promote the value of using the Internet Protocol for the networking of Smart Objects.  Mocana is a key member of this organization.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The IPSO Alliance will perform interoperability tests, document the use of new IP-based technologies, conduct marketing activities and serve as an information repository for users seeking to understand the role of IP in networks of physical objects. Its role will complement the work of entities such as the Internet Engineering Task Force (IETF), Institute of Electrical and Electronics Engineers (IEEE) or the ISA which develop and ratify technical standards in the Internet community. &lt;/div&gt;&lt;br /&gt;&lt;div&gt;Work such as the IPSO will help device manufacturers understand the need to IP enable their devices, and even for silicon vendors to add IP capabilities to products.  
For hobbyists, take a look at the &lt;a href="http://www.arduino.cc/"&gt;Arduino&lt;/a&gt; microcontroller - itself open source (yes, open source HARDWARE) - a very cheap and easy way to IP enable almost any device.&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_F4AiNA_W3yo/ShMHgAuphMI/AAAAAAAAErk/3zl7xp81nOY/s1600-h/sec.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 200px; height: 150px;" src="http://3.bp.blogspot.com/_F4AiNA_W3yo/ShMHgAuphMI/AAAAAAAAErk/3zl7xp81nOY/s200/sec.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5337618229897036994" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;However, as with the first generation of connecting IP devices, there are massive concerns around management and security. Look at the security problems in the IT industry, and magnify the issues by the exponential size of the IOT.  Most vendors are not too concerned about security and management at the moment, but all that will change as the size of networks increases, and exploits start to occur.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Think of the device manufacturers: they know how to build devices, but have no experience in connecting them to the Internet.  There is a massive opportunity to help these companies create the secure "glue" to enable the IOT.  
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This is what I'll be focusing on moving forward.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-991595574866803586?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/05/introducing-phil-montgomery-mocanas-new.html</link><author>noreply@blogger.com (Phil Montgomery)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_F4AiNA_W3yo/Sg81IJf9uyI/AAAAAAAAErM/3WXKOuDE1wM/s72-c/iot.com.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-3143078593587835333</guid><pubDate>Fri, 15 May 2009 22:26:00 +0000</pubDate><atom:updated>2009-07-16T15:49:05.182-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>star-trek</category><category domain='http://www.blogger.com/atom/ns#'>security</category><category domain='http://www.blogger.com/atom/ns#'>voice-authentication</category><category domain='http://www.blogger.com/atom/ns#'>hackers</category><title>Star Trek Security Lessons</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/Picture-4-741808.png"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 149px; height: 163px;" src="http://www.mocana.com/blog/uploaded_images/Picture-4-741789.png" alt="" border="0" /&gt;&lt;/a&gt;Of course the new Star Trek movie contains much advanced and fantastic technology, but even in the 23rd Century security can either save or doom the day. 
From Kirk hacking into the infamous Kobayashi Maru test at Starfleet Academy to Chekov’s botched voice authentication attempt, check out these spoilers lessons from aboard the Enterprise.&lt;br /&gt;&lt;br /&gt;Computerworld’s Ira Winkler &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;taxonomyName=Default&amp;amp;articleId=9132863&amp;amp;taxonomyId=0&amp;amp;pageNumber=1"&gt;“Sizes up security in Star Trek”.&lt;/a&gt;&lt;br /&gt;&lt;blockquote style="color: rgb(153, 153, 153); border-left-style: solid; padding-left: 10px;"&gt;Early on, James Kirk becomes the only cadet to successfully pass the infamous Kobayashi Maru test at Starfleet Academy. He does so by hacking academy systems to change the test. Lesson: The biggest threat to university computers is the student body. At the very least, there should have been proper access controls to prevent Kirk from accessing the test files.&lt;br /&gt;&lt;br /&gt;The Enterprise voice-recognition system cannot understand Chekov's thick Russian accent when he is trying to authenticate himself. Lesson: Take a look at your own authentication systems. In a situation more dire than the one Chekov faced, flawed authentication could result in disaster. And you don't want a system like the Enterprise's, which requires you to speak the password in front of everyone. &lt;/blockquote&gt;And one of our personal favorites.&lt;br /&gt;&lt;blockquote style="color: rgb(153, 153, 153); border-left-style: solid; padding-left: 10px;"&gt;I even see a lesson in the best line of the movie. A Romulan, holding Kirk up by his neck and gloating over his helplessness, asks him what he is trying to say. Kirk's response: "I have your gun." Then he shoots him. 
Lesson: You need to completely stop a computer hacker or other adversary before you begin celebrating.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mocana.com/blog/blog.html"&gt;&lt;&lt; Blog Home&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.mocana.com/"&gt;Mocana Website &gt;&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-3143078593587835333?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/05/star-trek-security-lessons.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-4113262536653307132</guid><pubDate>Fri, 15 May 2009 22:17:00 +0000</pubDate><atom:updated>2009-07-16T15:49:05.183-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>embedded-security</category><category domain='http://www.blogger.com/atom/ns#'>eetimes-</category><title>Free!  Watch EETimes' NEW "Fundamentals of Embedded Systems Security" Course</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/Picture-5-713056.png"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 147px; height: 162px;" src="http://www.mocana.com/blog/uploaded_images/Picture-5-713039.png" alt="" border="0" /&gt;&lt;/a&gt;Designed for engineers and developers, this free, 60-minute course provides an introduction to embedded systems security including what could happen if your security is compromised and methods to prevent this from happening. Don't miss it! 
Content includes.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The Need For Security&lt;/li&gt;&lt;li&gt;Different types of Networks&lt;/li&gt;&lt;li&gt;Constraints on Embedded System resources&lt;/li&gt;&lt;li&gt;Types of Embedded System platforms&lt;/li&gt;&lt;li&gt;What does "Embedded Security" mean?&lt;/li&gt;&lt;li&gt;Cryptography in a Nutshell&lt;/li&gt;&lt;li&gt;Data Integrity&lt;/li&gt;&lt;li&gt;Authentication&lt;/li&gt;&lt;li&gt;Security Constructs / Applications&lt;/li&gt;&lt;/ul&gt;&lt;a href="http://www.techonline.com/learning/course/213403619"&gt;Watch it today!&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Michael Barr, an internationally recognized expert on the design of embedded computer systems, leads the course.&lt;/span&gt; Barr has provided expert witness testimony in federal court, appeared on PBS' American Business Review, and been quoted in various newspapers. He is also the author of two books and more than forty articles on related subjects and is the creator of Netrino's "Zero Bugs...Period" design methodology. For three and a half years Michael served as editor-in-chief of Embedded Systems Programming. 
In addition, Michael has been a member of the advisory board of the Embedded Systems Conference.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mocana.com/blog/blog.html"&gt;&lt;&lt; Blog Home&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.mocana.com/"&gt;Mocana Website &gt;&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-4113262536653307132?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/05/free-watch-eetimes-new-fundamentals-of.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-6457207269007863651</guid><pubDate>Fri, 15 May 2009 22:10:00 +0000</pubDate><atom:updated>2009-07-16T15:49:05.183-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>mobile-security</category><category domain='http://www.blogger.com/atom/ns#'>voice-encryption</category><category domain='http://www.blogger.com/atom/ns#'>blackberry-</category><title>Voice Encryption Comes to Blackberry</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/Picture-6-741037.png"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 148px; height: 162px;" src="http://www.mocana.com/blog/uploaded_images/Picture-6-741035.png" alt="" border="0" /&gt;&lt;/a&gt;Even though the data stored on your BlackBerry is protected, along with your e-mail and other messaging, phone calls remain largely unguarded against potential threats, according to recent ITworld buzz.&lt;br /&gt;&lt;br /&gt;Though rare, exploiting voice transmission is entirely plausible and could spell trouble for anyone who discusses sensitive matters via BlackBerry. 
Addressing this dropped area of security is a new product called &lt;a href="http://www.itworld.com/personal-tech/67697/cellcrypt-blackberry-secures-cellular-voice-conversation"&gt;Cellcrypt Mobile for the BlackBerry Bold.&lt;/a&gt;&lt;br /&gt;&lt;blockquote style="color: rgb(153, 153, 153); border-left-style: solid; padding-left: 10px;"&gt;Cellcrypt, which is the first product of its kind for BlackBerry, aims to fill in the missing piece of the BlackBerry-security-puzzle by encrypting voice communications. The product is meant for use in government, pharmaceutical, legal and finance sectors, but any senior level business executive--or anyone else--who frequently discusses sensitive matters via BlackBerry could benefit.&lt;br /&gt;&lt;br /&gt;The application can be turned on and off at will by users, and calls using Cellcrypt are initiated through its own contact list so there's never any confusion about whether or not calls are protected. It works on any IP-enabled network, including 2G (GPRS, EDGE, 1xRTT), 3G (UMTS, HSDPA, EV-DO) and Wi-Fi, according to the company.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mocana.com/blog/blog.html"&gt;&lt;&lt; Blog Home&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.mocana.com/"&gt;Mocana Website &gt;&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-6457207269007863651?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/05/voice-encryption-comes-to-blackberry.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-8670567191118135330</guid><pubDate>Fri, 15 May 2009 20:43:00 +0000</pubDate><atom:updated>2009-07-16T15:49:05.183-07:00</atom:updated><category 
domain='http://www.blogger.com/atom/ns#'>ipsec-</category><category domain='http://www.blogger.com/atom/ns#'>hints-from-mocana-engineering</category><category domain='http://www.blogger.com/atom/ns#'>hardware</category><category domain='http://www.blogger.com/atom/ns#'>cryptographic</category><title>Hints from Mocana Engineering</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/Picture-7-712146.png"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 149px; height: 162px;" src="http://www.mocana.com/blog/uploaded_images/Picture-7-712128.png" alt="" border="0" /&gt;&lt;/a&gt;&lt;span style="font-style: italic;"&gt;How much does cryptographic hardware acceleration improve performance?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Cryptographic hardware acceleration is typically implemented as a coprocessor; there are as many different forms as there are silicon vendors. Unlike floating-point coprocessors, it’s not a feature you can simply turn on with a compiler switch. Rather, it requires a device driver and security application software. Most silicon vendors provide proof-of-concept software. IPsec is the gold standard for showcasing performance. With PoC drivers, you can expect that an IPsec tunnel with 64-byte packets will typically be two to eight times faster than software only, with 100% CPU utilization.&lt;br /&gt;&lt;br /&gt;Mocana, with Freescale's support, has invested a great deal of effort to optimize performance for Freescale's encryption-enabled processors. Typically, NanoSec on Freescale processors with hardware acceleration is &lt;a href="http://mocana.com/freescale/"&gt;30 times faster than software only.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;For larger packets, CPU utilization starts to drop significantly. For non-kernel applications, the performance gain can be even more significant. 
&lt;a href="http://mocana.com/DSF-Freescale.html"&gt;See NanoSec performance graph here.&lt;br /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mocana.com/blog/blog.html"&gt;&lt;&lt; Blog Home&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.mocana.com/"&gt;Mocana Website &gt;&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-8670567191118135330?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/05/hints-from-mocana-engineering_15.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-5873329275026703822</guid><pubDate>Mon, 04 May 2009 22:27:00 +0000</pubDate><atom:updated>2009-07-16T15:49:05.184-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>SSL</category><category domain='http://www.blogger.com/atom/ns#'>devices</category><category domain='http://www.blogger.com/atom/ns#'>VoIP</category><category domain='http://www.blogger.com/atom/ns#'>fiewalls</category><category domain='http://www.blogger.com/atom/ns#'>hackers</category><title>2009's Five Most Dangerous Attacks</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/pic1-15-775087.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 150px; height: 165px;" src="http://www.mocana.com/blog/uploaded_images/pic1-15-775082.jpg" alt="" border="0"&gt;&lt;/a&gt;Hackers continue to penetrate many more companies than administrators care to admit, according to two security experts at the RSA Conference. 
More interesting to our community, however, is the fact that &lt;font style="font-weight: bold;"&gt;four of the five attacks on the list infect via devices, instead of Windows PCs.&lt;/font&gt;&lt;br /&gt;&lt;blockquote style="color: rgb(153, 153, 153); border-left-style: solid; padding-left: 10px;"&gt;Topping the list is an attack dubbed "super-flexible pivoting." It abuses Linux devices connected to a network's DMZ, or demilitarized zone, to bypass corporate firewalls and access sensitive resources on an internal network. The technique has already been used to steal "millions of credit cards," said Ed Skoudis, a senior security consultant for InGuardians.&lt;/blockquote&gt;Read about the rest of the dangerous exploits, from pass the hash to SSL shortcomings to unprotected VoIP &lt;a href="http://www.theregister.co.uk/2009/04/24/most_dangerous_exploits/%20"&gt;here.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mocana.com/blog/blog.html"&gt;&lt;&lt; Blog Home&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.mocana.com/"&gt;Mocana Website &gt;&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-5873329275026703822?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/05/2009s-five-most-dangerous-attacks.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-8843525861026859776</guid><pubDate>Mon, 04 May 2009 22:22:00 +0000</pubDate><atom:updated>2009-07-16T15:49:05.184-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>conficker worm</category><category domain='http://www.blogger.com/atom/ns#'>NanoDefender</category><category domain='http://www.blogger.com/atom/ns#'>security</category><category 
domain='http://www.blogger.com/atom/ns#'>SCADA</category><category domain='http://www.blogger.com/atom/ns#'>medical device</category><category domain='http://www.blogger.com/atom/ns#'>fiewalls</category><title>Conficker Infects Critical Medical Devices</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/pic2-15-776410.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 150px; height: 165px;" src="http://www.mocana.com/blog/uploaded_images/pic2-15-776404.jpg" alt="" border="0"&gt;&lt;/a&gt;The Conficker worm didn't just hit PCs -- it also infected several hundred critical medical devices, a security expert said in a panel at the RSA security conference. Right now it's unclear how the devices, which control things like heart monitors and MRI machines, got infected. But it underlines the need to secure medical systems with embedded firewalls and anti-malware software like &lt;a href="http://mocana.com/NanoDefender.html"&gt;Mocana's NanoDefender™.&lt;/a&gt;&lt;br /&gt;&lt;blockquote style="color: rgb(153, 153, 153); border-left-style: solid; padding-left: 10px;"&gt;The computers are older machines running Windows NT and Windows 2000 in a local area network that was not supposed to have access to the Internet, however, the network was connected to one that has direct Internet access and so they were infected, he [Marcus Sachs, director of the SANS Internet Storm Center and a former White House cybersecurity official] recently told &lt;a href="http://news.cnet.com/8301-1009_3-10226448-83.html"&gt;CNET news.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The situation illustrates the dangers of connecting critical networks, like in hospitals and in SCADA (Supervisory Control and Data Acquisition) systems used by utilities and other critical infrastructure providers, with networks connected to the Internet, he said during the panel "Securing Critical 
Infrastructures: Infrastructure Exposed."&lt;br /&gt;&lt;br /&gt;"We're seeing a huge uptick in probing for SCADA systems," said Jerry Dixon, director of analysis and vice president of government relations at research firm Team Cymru. For years, the SCADA systems were separated from the public networks, but that's not the case anymore, he said.&lt;/blockquote&gt;While PCs do remain the primary targets, hackers and malware-writers are increasingly setting their sights on non-PC SCADA devices attached to the network. In other words, as PC security mechanisms have become more sophisticated, non-PC SCADA devices are becoming the more attractive, comparatively "soft" targets -- an easier way into the host network, thereby threatening our critical national infrastructure.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mocana.com/NanoDefenderSCADA.html"&gt;Download this FREE Whitepaper&lt;/a&gt; that dives further into why SCADA devices are under fire and what you can do about it.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mocana.com/blog/blog.html"&gt;&lt;&lt; Blog Home&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.mocana.com/"&gt;Mocana Website &gt;&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-8843525861026859776?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/05/conficker-infects-critical-medical.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-9022232445907007602</guid><pubDate>Mon, 04 May 2009 22:14:00 +0000</pubDate><atom:updated>2009-07-16T15:49:05.184-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>malware</category><category domain='http://www.blogger.com/atom/ns#'>nanodefender-</category><category 
domain='http://www.blogger.com/atom/ns#'>rfid-</category><category domain='http://www.blogger.com/atom/ns#'>rfid-attacks</category><title>The (not-so) Dumb Adversary</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/pic3-15-700244.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 150px; height: 165px;" src="http://www.mocana.com/blog/uploaded_images/pic3-15-700238.jpg" alt="" border="0"&gt;&lt;/a&gt;"The adversary doesn't get any dumber," Kevin Fu recently commented to The Boston Globe. To prove his point, Fu, who is investigating RFID attacks and countermeasures at the RFID Consortium for Security and Privacy, or CUSP, at the University of Massachusetts at Amherst, and his researchers conducted a &lt;a href="http://www.boston.com/business/technology/articles/2009/05/04/chipping_away_at_security/"&gt;rather extreme experiment.&lt;/a&gt;&lt;br /&gt;&lt;blockquote style="color: rgb(153, 153, 153); border-left-style: solid; padding-left: 10px;"&gt;For their experiment, Fu and his colleagues at the Medical Device Security Center -- a partnership between UMass, Beth Israel Deaconess Medical Center in Boston, and the University of Washington - used a defibrillator that included a radio frequency chip and transponder to allow doctors to read and record patient information, and to reprogram the device.&lt;br /&gt;&lt;br /&gt;The Secure Medicine team was able to glean the equivalent of personal medical records from the defibrillator by using an ad-hoc, unauthorized device. 
The researchers also managed to take control of the defibrillator, to create shocks that would be life-threatening to a patient.&lt;br /&gt;&lt;br /&gt;But he believes there is a solution -- using sophisticated radio frequency devices to foil attackers.&lt;br /&gt;&lt;br /&gt;The Secure Medicine team is developing a radio frequency gadget called WISPer, which sounds an audible alarm and vibrates when it detects unauthorized attempts to reprogram an implanted device. To test it, researchers packed the WISPer prototype into a simulated human torso, made of beef and bacon. It worked.&lt;/blockquote&gt;We wonder if a better approach might have the device "phone home" electronically to the manufacturer, who can then approach the patient in a perhaps less freaky way.&lt;br /&gt;&lt;br /&gt;Of course, the best approach is to prevent arbitrary code execution in the first place, even if that code is successfully introduced into the system, using anti-malware code purpose-built for tight device environments, like &lt;a href="http://mocana.com/NanoDefender.html"&gt;Mocana's NanoDefender™.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mocana.com/blog/blog.html"&gt;&lt;&lt; Blog Home&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.mocana.com/"&gt;Mocana Website &gt;&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-9022232445907007602?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/05/not-so-dumb-adversary.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-2593213026897160192</guid><pubDate>Mon, 04 May 2009 22:09:00 +0000</pubDate><atom:updated>2009-07-16T15:49:05.185-07:00</atom:updated><category 
domain='http://www.blogger.com/atom/ns#'>malware</category><category domain='http://www.blogger.com/atom/ns#'>hints-from-mocana-engineering</category><category domain='http://www.blogger.com/atom/ns#'>nanoboot</category><title>Hints from Mocana Engineering</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/pic4-15-729191.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 150px; height: 165px;" src="http://www.mocana.com/blog/uploaded_images/pic4-15-729184.jpg" alt="" border="0"&gt;&lt;/a&gt;&lt;font style="font-style: italic;"&gt;We make consumer and prosumer devices. We recently found a website which shows how to hack-upgrade our $100 device to a $900 device. We only have 8KB of flash available for a boot loader on our digital camera. Should we use an MD5 hash signature to protect the firmware image?&lt;/font&gt;&lt;br /&gt;&lt;br /&gt;No, an MD5 hash is the incorrect approach. Instead, try &lt;a href="http://mocana.com/NanoBoot.html"&gt;Mocana's NanoBoot™&lt;/a&gt;. NanoBoot digitally signs your firmware image, which is then verified during a pre-boot certification process to prevent tampering by end-users or malware writers. Each device model would use a different key.&lt;br /&gt;&lt;br /&gt;For example, the low-end camera model would use a different key than the higher-end camera in order to prevent fraudulent upgrades. And since NanoBoot uses a digital signature on the device's firmware, you can still upgrade cameras to newer, patched firmware versions by model.  
Finally, NanoBoot can fit into less than 8KB of uncompressed flash space, and does not require an operating system.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mocana.com/blog/blog.html"&gt;&lt;&lt; Blog Home&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.mocana.com/"&gt;Mocana Website &gt;&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-2593213026897160192?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/05/hints-from-mocana-engineering.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-1992695693450752234</guid><pubDate>Fri, 17 Apr 2009 17:28:00 +0000</pubDate><atom:updated>2009-07-16T15:49:05.185-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>device-security-framework</category><category domain='http://www.blogger.com/atom/ns#'>intel-</category><category domain='http://www.blogger.com/atom/ns#'>medical-device</category><category domain='http://www.blogger.com/atom/ns#'>ge-quiet-care-system</category><category domain='http://www.blogger.com/atom/ns#'>intel-health-guide</category><category domain='http://www.blogger.com/atom/ns#'>home-health-technologies</category><title>Intel/GE and Next-Generation Home Health Technologies</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/pic1-14-new-715783.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 150px; height: 165px;" src="http://www.mocana.com/blog/uploaded_images/pic1-14-new-715778.jpg" alt="" border="0" /&gt;&lt;/a&gt;In the rapidly growing market for home-health devices, Intel and General Electric are joining forces in a five-year, 
$250 million alliance to market and develop home-based health technologies. These devices will be designed to help seniors live independently and patients with chronic conditions better manage their care from home.&lt;br /&gt;&lt;br /&gt;"We think this partnership offers the potential to lower costs by keeping people out of hospitals while giving health professionals the data they need to deliver the best possible care," said GE Chairman and CEO Jeff Immelt.&lt;br /&gt;&lt;a href="http://www.investors.com/NewsAndAnalysis/Article.aspx?id=473056"&gt;&lt;br /&gt;GE and Intel are both currently active in patient monitoring and home health, with well-recognized brands and strong sector expertise.&lt;/a&gt;&lt;br /&gt;&lt;blockquote style="color: rgb(153, 153, 153); border-left-style: solid; padding-left: 10px;"&gt;GE sells the Quiet Care system, a remote, passive monitoring system that keeps tabs on patients at home. While a senior walks about an apartment, for example, monitors in the kitchen, living room and bathroom track movements. The system is often used in assisted living facilities.&lt;br /&gt;&lt;br /&gt;Intel has been developing health care devices built on its microprocessors for the last four or five years. Its Intel Health Guide, a system that's about the size of a PC, lets elderly and shut-ins do home tests and communicate with their physicians.&lt;/blockquote&gt;Of course, this means more opportunities for hackers and malicious software writers -- most likely with much more catastrophic consequences, according to Adrian Turner, Mocana CEO. "Right now, the barn door is wide open, at least on the medical device front," says Turner. 
"Especially when you think about the automated polymorphic malware that's out on the Internet today -- those programs don't care whether your device is medical or not."&lt;br /&gt;&lt;br /&gt;Part of the solution is integrating a security system, like &lt;a href="http://www.mocana.com/device-security-framework.html"&gt;Mocana's Device Security Framework &lt;/a&gt;(DSF) into a device.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mocana.com/blog/blog.html"&gt;&lt;&lt; Blog Home&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.mocana.com/"&gt;Mocana Website &gt;&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-1992695693450752234?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/04/intelge-and-next-generation-home-health.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-5503782860608194853</guid><pubDate>Fri, 17 Apr 2009 17:22:00 +0000</pubDate><atom:updated>2009-07-16T15:49:05.185-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>electrical-grid</category><category domain='http://www.blogger.com/atom/ns#'>terrorism</category><category domain='http://www.blogger.com/atom/ns#'>cybersecurity</category><category domain='http://www.blogger.com/atom/ns#'>cyberspies</category><category domain='http://www.blogger.com/atom/ns#'>security</category><title>Spies Hack into US Electricity Grid</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/pic2-14-734697.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 150px; height: 165px;" src="http://www.mocana.com/blog/uploaded_images/pic2-14-734691.jpg" alt="" border="0" 
/&gt;&lt;/a&gt;While motivations remain unclear, US intelligence officials recently discovered that cyberspies from China and Russia have penetrated the U.S. electrical grid. No damage was done, but authorities found software tools that were left behind that could be used to destroy infrastructure components during a crisis or war, according to a recent &lt;a href="http://online.wsj.com/article/SB123914805204099085.html"&gt;Wall Street Journal article.&lt;/a&gt;&lt;br /&gt;&lt;blockquote style="color: rgb(153, 153, 153); border-left-style: solid; padding-left: 10px;"&gt;The sophistication of the U.S. intrusions -- which extend beyond electric to other key infrastructure systems -- suggests that China and Russia are mainly responsible, according to intelligence officials and cybersecurity specialists. While terrorist groups could develop the ability to penetrate U.S. infrastructure, they don't appear to have yet mounted attacks, these officials say.&lt;br /&gt;&lt;br /&gt;It is nearly impossible to know whether or not an attack is government-sponsored because of the difficulty in tracking true identities in cyberspace. U.S. 
officials said investigators have followed electronic trails of stolen data to China and Russia.&lt;br /&gt;&lt;br /&gt;Russian and Chinese officials have denied any wrongdoing.&lt;/blockquote&gt;How does this relate to the Obama administration’s cybersecurity review?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mocana.com/blog/blog.html"&gt;&lt;&lt; Blog Home&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.mocana.com/"&gt;Mocana Website &gt;&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-5503782860608194853?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/04/spies-hack-into-us-electricity-grid.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-7692487503687871638.post-4740030509557149407</guid><pubDate>Fri, 17 Apr 2009 17:18:00 +0000</pubDate><atom:updated>2009-07-16T15:49:05.186-07:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>ssh-</category><category domain='http://www.blogger.com/atom/ns#'>rfc-required</category><category domain='http://www.blogger.com/atom/ns#'>must-</category><category domain='http://www.blogger.com/atom/ns#'>hints-from-mocana-engineering</category><category domain='http://www.blogger.com/atom/ns#'>should-</category><category domain='http://www.blogger.com/atom/ns#'>rfc-</category><title>Hints from Mocana Engineering</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mocana.com/blog/uploaded_images/pic4-14-717733.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 150px; height: 165px;" src="http://www.mocana.com/blog/uploaded_images/pic4-14-717727.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;span style="font-style: italic;"&gt;Does 
Mocana implement all &lt;span style="font-weight: bold;"&gt;RFC REQUIRED&lt;/span&gt;, &lt;span style="font-weight: bold;"&gt;MUST&lt;/span&gt; and &lt;span style="font-weight: bold;"&gt;SHOULD&lt;/span&gt;? &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Our general policy is yes to these important requirements, unless we think it would result in a security issue, and that has applied to a few &lt;span style="font-weight: bold;"&gt;SHOULD&lt;/span&gt;s. There are many security implementations that leave out required algorithms. A few SSH implementations don’t include DSA, although it is required for compliance.  Some implementations cut corners around blinding attack prevention. And some implementations claim compliance with a protocol, but are actually supporting a draft and not a final RFC. We show which RFCs we are compliant with on each of the product pages.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mocana.com/blog/blog.html"&gt;&lt;&lt; Blog Home&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.mocana.com/"&gt;Mocana Website &gt;&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7692487503687871638-4740030509557149407?l=www.mocana.com%2Fblog%2Fblog.html'/&gt;&lt;/div&gt;</description><link>http://www.mocana.com/blog/2009/04/hints-from-mocana-engineering_17.html</link><author>noreply@blogger.com (Mocana)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item></channel></rss>