L’auto del futuro dovrà difendersi dagli hacker

Carlo Del Bo |International Security Advisor

Grazie all’evoluzione tecnologica e a grande richiesta del pubblico, le vetture d’ultima generazione trovano in internet un partner irrinunciabile: è così che ad esempio possono fungere da hot spot Wi-Fi tramite sim card integrate, oppure da semplice ripetitore per la telefonia mobile, spesso replicando in vettura alcune app originariamente progettate per gli smartphone.

Ogni conquista ha però il suo prezzo. L’accesso alla rete non è mai a senso unico, e nessun dispositivo è veramente “chiuso”. Questo il parere di Carlo Del Bo, executive advisor presso BizEmpowerment SA di Lugano e da oltre 25 anni security manager e specialista della cyber defense: «L’accesso al web porta in dote, inevitabilmente, una vulnerabilità. Non importa quale sia lo strumento che accede alla rete. Recenti attacchi hacker negli States, ad esempio, hanno avuto come vittime frigoriferi e televisori connessi a internet. Elettrodomestici che, contrariamente ai PC, nella stragrande maggioranza dei casi non sono…

View original post 272 altre parole

This Chart Shows How The US Military Is Responsible For Almost All The Technology In Your iPhone

Nearly all of the technology in many of the world’s most ubiquitous electronic devices can be traced to a single, taxpayer-funded source: the US Department of Defense.

In an article promoted by the European Commission today, Italian economist Mariana Mazzucato wrote that sparking the world’s economies after a long recession will require greater and riskier investment from government. She used Apple’s wildly popular handheld devices as a present-day example.

The world’s biggest company may have more cash on hand than many actual governments. But the technological breakthroughs behind its iconic iPods, iPhones, and iPads were funded almost exclusively by government agencies — and by one particular segment of one particular country’s government.

As the chart below demonstrates, there’s little in these devices that doesn’t owe its existence to the US Department of Defense in some form or another.

iPhone Technology Military Funding Chart PNGMariana Mazzucato, The Entrepreneurial State: Debunking the Public vs. Private Sector Myths. London: Anthem.

Later devices saw investments from the Navy for their GPS capabilities, and the Defense Advanced Research Projects Agency (DARPA) funded Siri. In fact, the parent company of Siri’s creator, which was acquired by Apple in 2010, still gets over half of its revenue from the Department of Defense, according to a report they published earlier this year.

Highlighting an idea from her recent book on the relationship between the private and public sectors, Mazzucato explains that achieving missions like putting a man on the moon required “a confident ‘entrepreneurial state’ willing and able to take on the early, capital-intensive high risk areas which the private sector tends to fear.”

The US military was often the one taking “capital-intensive risks” that resulted in Apple’s line of products. And the result is a family of devices so widely used that it’s difficult to imagine the world without them.

Read more:  http://www.businessinsider.com/the-us-military-is-responsible-for-almost-all-the-technology-in-your-iphone-2014-10#ixzz3HdqL1AXz

L’auto del futuro dovrà difendersi dagli hacker

Grazie all’evoluzione tecnologica e a grande richiesta del pubblico, le vetture d’ultima generazione trovano in internet un partner irrinunciabile: è così che ad esempio possono fungere da hot spot Wi-Fi tramite sim card integrate, oppure da semplice ripetitore per la telefonia mobile, spesso replicando in vettura alcune app originariamente progettate per gli smartphone.

Ogni conquista ha però il suo prezzo. L’accesso alla rete non è mai a senso unico, e nessun dispositivo è veramente “chiuso”. Questo il parere di Carlo Del Bo, executive advisor presso BizEmpowerment SA di Lugano e da oltre 25 anni security manager e specialista della cyber defense: «L’accesso al web porta in dote, inevitabilmente, una vulnerabilità. Non importa quale sia lo strumento che accede alla rete. Recenti attacchi hacker negli States, ad esempio, hanno avuto come vittime frigoriferi e televisori connessi a internet. Elettrodomestici che, contrariamente ai PC, nella stragrande maggioranza dei casi non sono protetti da antivirus, non hanno a disposizione firewall e non applicano gli aggiornamenti di sicurezza via via rilasciati dai produttori di software. L’auto non fa eccezione».

Tesla

La prima vettura vittima di hackeraggio è stata Tesla Model S (in figura). Il problema non riguarda soltanto la perdita o il trafugamento di dati sensibili, quanto piuttosto la sicurezza degli automobilisti. «L’auto da un lato potrebbe fungere da cavallo di Troia per quanti volessero accedere indirettamente a smartphone e dispositivi mobile che dialoghino con il veicolo – prosegue Del Bo –, dall’altro potrebbe non rispondere di se stessa. L’elettronica governa oggigiorno l’80% delle tecnologie d’una vettura. Dall’ABS all’ESP, agli air bag, senza dimenticare le smart key e i moderni dispositivi di sicurezza; ad esempio l’arresto automatico in caso di collisione imminente. Violare l’elettronica di un veicolo può significare prenderne possesso a distanza. A maggior ragione quando i sistemi di guida autonoma, attualmente in fase di prototipazione, diventeranno operativi». Una questione che solleva interrogativi rilevanti in sede di responsabilità civile e penale. Per fare un esempio, qualora l’apertura degli air bag indotta da un pirata informatico dovesse causare un incidente, la colpa sarebbe da ascrivere al solo hacker, oppure anche alla Casa automobilistica che non ha saputo prevenire un attacco cibernetico? Negli Stati Uniti il tema è già caldo, in Europa lo diventerà nei prossimi anni. Mentre il rischio di attacchi ai sistemi informatici sta acquisendo una sempre maggiore rilevanza strategica e operativa, una contromisura adeguata e univoca non è ancora disponibile. Gli esperti della sicurezza però si sono già attivati, in primis Carlo Del Bo, pioniere nel nuovo ramo della “car defense”.

The Usual Suspects: Russia or China Suspected in White House Data Breach

After months of embarrassing physical security lapses, the Presidential residence appears to suffer a digital breach

Sometimes when you’re laser focused on spying on your own citizens (more specifically 75 percent of their internet traffic and 99 percent of their phone calls) and your allies, sometimes you don’t have time for the tedious task of safeguarding your own networks from foreign hackers.  That seems to be the case for the White House, whose unclassified internal staff network was reportedly accessed by hackers.

The hackers reportedly entered through the employee virtual proxy network (VPN) system, which gives employees remote access to email and other unclassified local resources.  Traces of the intrusion were only observed post-mortem “two to three weeks ago”, according to The Washington Post.  And the intrusion had gone unnoticed until an ally took note of the peculiar traffic and sent a warning to the White House IT staff.

The White House
The White House — America’s presidential residence — has suffered embarassing security intrusions in recent months. [Image Source: Outside the Beltway]

I. Breach is Confirmed

The Washington Post cites one official as saying:

In the course of assessing recent threats, we identified activity of concern on the unclassified Executive Office of the President network.  We took immediate measures to evaluate and mitigate the activity. . . . Unfortunately, some of that resulted in the disruption of regular services to users. But people were on it and are dealing with it.

Certainly a variety of actors find our networks to be attractive targets and seek access to sensitive information.  We are still assessing the activity of concern.

A second official reportedly said:

On a regular basis, there are bad actors out there who are attempting to achieve intrusions into our system.  This is a constant battle for the government and our sensitive government computer systems, so it’s always a concern for us that individuals are trying to compromise systems and get access to our networks.

The Washington Post and The New York Times cited administration officials as stating that there was no evidence of a more serious breach of the classified networks used by the President, high-level executive branch staff, and high level members of the U.S. Military and Intelligence community.

The breach is being investigated by the Secret Service, the U.S. Federal Bureau of Investigation (FBI), and the National Security Agency (NSA).

II. Hackers Probed Network, But Reportedly Did No Damage

According to the report, the attackers did not seek to damage computers, or take over other systems at the White House.  Instead they appeared to be merely methodically mapping the network from the node they gained unauthorized access to.  This suggests a greater level of sophistication.  The Washington Post reports:

In the case of the White House, the nature of the target is consistent with a state-sponsored campaign, sources said.

Probable culprits include Russia, a prominent figure in the world of global hacking, and China, which has been developing a crack team of military hackers.  Like the U.S., both Russia and China have shown a penchant for sparing no expense in their efforts to spy on both their own people and the world at large.

There have been past reports of hackers gaining unauthorized access to the White House, but it’s unclear whether there was ever official confirmation of those incidents.

The White House IT staff responded to the recent intrusion by forcing all White House staff with VPN/intranet access to change their passwords.  Files remained inaccessible for weeks, according to reports, but email access was preserved as IT staff looked to prevent further probing of the network.

III. The White House Falls Victim to Both Cyber and Physical Intrusions.

The entire incident bears some resemblance to the recent lapses in physical security at the White House by the U.S. Secret Service.  In the past five years, the Obama administration has seen 16 separate incidents of people scaling the White House fence, according to official documents.

Secret Service reports reveal that a 2011 shooting was improperly dismissed as “cars backfiring”, telling security staff to “stand down”.  It turned out that the shooting was very real.  Four days later a housekeeper discovered signs of damage, leading to the realization that at least seven bullets, fired from a high-power automatic assault rifle had struck the White House.  One had even shattered a second story window, damage that went unnoticed for more than half a week.

White House hits
A Secret Service document details where the bullets struck the White House. [Image Source: The White House via The Washington Post]

Secret Service initially claimed that the shooting was a gang gun battle and that the bullets were accidental and not intended for the White House.  Eventually federal investigators discovered that wild claim was as much utter bunk as it sounded.  In reality the gunshots had come from an angry and troubled 21-year-old U.S. citizen from Idaho.  Before travelling to the capitol, he had told relatives that he “needed to kill” the President.  That man was eventually sentenced to 25 years in prison and fined $94,000 USD for attempted assassination.

In August, a homeless, armed veteran managed to make it into the East Room of the White House before he was finally detained.  Any armed intruder is supposed to be shot dead on sight, according to the White House’s security policy, but multiple security lapses allowed the man’s potentially dangerous impromptu tour of the White House.

White House intruder

White House Intruder
Omar Gonzalez broke into the White House armed in late September.  He was eventually arrested without anyone being harmed. [Image Source: The Washington Post (top), The Heavy (bottom)]


In a separate, more humorous incident — also in August — a toddler managed to squeeze through the fence bars, triggering a lockdown by security staff.

Sources: The Washington PostThe New York Times

– See more at: http://www.dailytech.com/The+Usual+Suspects+Russia+or+China+Suspected+in+White+House+Data+Breach/article36796.htm#sthash.pimG8rJi.dpuf

Could hackers give you a heart attack or drugs overdose? US authorities investigate

Normally when we talk about healthcare security, we’re considering how well organisations are protecting our private medical data from hackers.

After all, according to some reports, 24,800 US medical records are exposed every day, and don’t forget that it’s not unusual for medical insurance companies to store social security numbers alongside our names, physical addresses, dates of birth and other personal information.

And such hacks can have significant financial impact. As an ESET infographic published last year portrated, the estimated cost of hacks against medical providers was staggering $17 billion.

But there’s another growing concern – that in the rush to embrace technology to save and improve the lives of patients, medical scientists may have forgotten something important: are they putting your body at risk from hackers?

According to media reports, the US Department of Homeland Security is investigating “two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment” that could potentially cause serious injury or death.

According to unnamed sources said to be familiar with investigation by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), devices under investigation include infusion pumps from Hospira Inc and implantable heart devices from Medtronic Inc and St Jude Medical Inc.

Hospira, Medtronic and St Jude Medical have declined to comment on the investigation.

The security of medical devices is not a new concern, of course. In the past we have discussed fearsthat tiny chips implanted under a woman’s skin to manage her birth control could be hacked, for instance.

And just last year, ICS-CERT published a security advisory warning that hundreds of devices were using hardcoded passwords, opening the door for potential attacks that could change critical settings or modify device firmware.

The affected devices have hard-coded passwords that can be used to permit privileged access to devices such as passwords that would normally be used only by a service technician. In some devices, this access could allow critical settings or the device firmware to be modified.

The affected devices are manufactured by a broad range of vendors and fall into a broad range of categories including but not limited to:

* Surgical and anesthesia devices,
* Ventilators,
* Drug infusion pumps,
* External defibrillators,
* Patient monitors, and
* Laboratory and analysis equipment.

Perhaps most memorably, security researcher Barnaby Jack demonstrated in 2012 how he reverse-engineered a device to deliver a deadly 830 volt shock to a pacemaker from a distance of 30 feet, and discovered a method to scan insulin pumps wirelessly and configure them to deliver more or less insulin than patients required, sending patients into a hypoglycaemic shock.

Sadly Jack died in July 2013, one week before he was scheduled to present new research on how hackers could maliciously exploit medical devices.

Such threats are taken seriously, as can be seen by the fact that former US vice-president Dick Cheney was so frightened of assassination that he had the wireless feature of his implanted heart defibrillator deactivated.

Clearly there are plenty of opportunities for the mainstream media to spread fear about the potential threat, but that doesn’t mean that there isn’t any genuine concern about devices being used for medical purposes that can be communicated with wirelessly, but that haven’t been properly secured.

Chances are that you have enough things to worry about if you’re having a serious operation to embed a medical device inside your body. The last thing you need is to be also losing sleep over whether the gadget that’s helping you stay alive is at risk of being hacked.

What are your thoughts? Do you think the threat is over-hyped, or should more be done to defend devices relied upon by patients from attack? Leave a comment below.

Author Graham Cluley, We Live Security

Keyless cars ‘increasingly targeted by thieves using computers’

Organised criminal gangs are increasingly targeting high-end cars with keyless security systems, a UK motoring industry group has warned.

The thieves are able to bypass security using equipment intended only for mechanics, the Society of Motor Manufacturers and Traders (SMMT) said.

Manufacturers are trying to stay ahead of the thieves by updating software.

It has been reported that some London-based owners of Range Rovers have been denied insurance over the issue.

The warnings echoed those made by the US National Insurance Crime Bureau (NICB), which earlier this year said it had seen a “spike” in car thefts involving equipment to spoof keyless entry.

WATCH: “Thieves are somehow getting access to the car’s onboard computer”

Keyless entry and ignition typically works by the driver keeping a fob on their person which automatically opens the car and activates it so it can be driven.

As the popularity of keyless systems has increased, criminals have been buying equipment online that is able to re-programme keys.

“The criminal act of stealing vehicles through the re-programming of remote-entry keys is an on-going industry-wide problem,” said Jaguar Land Rover.

“Our line-up continues to meet the insurance industry requirements as tested and agreed with relevant insurance bodies.

“Nevertheless we are taking this issue very seriously and our engineering teams are actively working in collaboration with insurance bodies and police forces to solve this continuously evolving problem.”

Keyless ignitionKeyless ignition means drivers press a button to start a car

The statement added: “This has already resulted in a number of prosecutions.”

A specific case reported by The Times involved insurers AIG refusing insurance cover to a motorist. In a statement the company said it treated every case individually.

“We do not have a blanket policy to exclude certain vehicles from cover.

“Given the increasing likelihood that replacement vehicles may be a target for thieves we may ask for additional security measures such as secure off-road parking.

By far the most common way of a car being stolen is still from thieves breaking into homes and stealing keys”

Ian CrowderAA

“This could be, for example, secure private garaging or the installation of mechanically moveable bollards. If this is not possible then, as a last resort, we may refuse to offer insurance cover but only after exhausting every avenue.”

Thatcham Research, which collates data on behalf of UK insurers, acknowledged the problem was widespread.

“Whilst BMWs and Audis appeared to be the early targets, it’s fair to say that this was largely associated with their desirability across Europe, rather than any specific security lapse.

“Recently we’ve seen evidence of a range of makes and models being affected, including the Ford Fiesta and Focus, Range Rover Evoque and also now including light commercial vehicles such as the volume-selling Ford Transit and Mercedes Sprinter.”

Weakest link

It is becoming much harder to steal cars. According to the UK Office for National Statistics, car theft has fallen from 318,000 in 2002 to 77,500 last year.

But thefts involving computer equipment used to circumvent security are rising. The SMMT is pushing for stronger legislation to help reverse this.

“The challenge remains that the equipment being used to steal a vehicle in this way is legitimately used by workshops to carry out routine maintenance,” a spokesman said.

“As part of the need for open access to technical information to enable a flourishing after-market, this equipment is available to independent technicians. However a minority of individuals are exploiting this to obtain the equipment to access vehicles fraudulently.

“We need better safeguards within the regulatory framework to make sure this equipment does not fall into unlawful hands and, if it does, that the law provides severe penalties to act as an effective deterrent.”

But Ian Crowder, from motorists’ group the AA, warned the risk should not be overstated.

“By far the most common way of a car being stolen is still from thieves breaking into homes and stealing keys,” he said.

“The keys are still the weakest link in a car security chain. If someone has your keys, they have your car.”

L’auto del futuro? Dovrà difendersi dagli hacker

Avete acquistato un antivirus per il PC? Bravi. È realizzato da un affermato produttore di software? Ancora più bravi. E in macchina? Che antivirus utilizzate? Nessuno? Male, molto molto male…

Sono sempre più connesse, sono sempre più multimediali, sono sempre più aperte al mondo circostante: le vetture d’ultima generazione hanno un feeling speciale con la rete. Che fungano da hot spot Wi-Fi grazie a sim card integrate, oppure che facciano da semplice “ripetitore” per le connessioni mobile, spesso replicando in vettura alcune app originariamente destinate agli smartphone, le auto di oggi – e soprattutto del futuro – trovano in internet un partner irrinunciabile. L’evoluzione tecnologica lo vuole; il pubblico lo desidera. La storia, però, insegna che ogni conquista ha un prezzo. Ogni passo avanti richiede un sacrificio.

Ogni oggetto connesso è vulnerabile; le vetture non fanno eccezione. Accedendo al cuore informatico di un’auto, i pirati informatici potrebbero gestirne le funzioni vitali. Mettendo a rischio la sicurezza. Ne parliamo con un esperto di cyber defense.© Red Live Ogni oggetto connesso è vulnerabile; le vetture non fanno eccezione. Accedendo al cuore informatico di un’auto, i pirati informatici potrebbero gestirne le funzioni vitali. Mettendo a rischio la sicurezza. Ne parliamo con un esperto di cyber…

L’accesso alla rete non è mai a senso unico. E nessun device è veramente “chiuso”. “L’unico vero sistema sicuro è quello spento, gettato in una colata di cemento, sigillato in una stanza rivestita da piombo e protetta da guardie; ma anche in quel caso avrei i miei dubbi”. Parola di Eugene Spafford, professore di computer science alla celebre Purdue University dell’Indiana. Parola, soprattutto, di Carlo Del Bo, executive advisor presso la BizEmpowerment SA di Lugano (wwww.bizempowerment.ch) e da oltre 25 anni security manager in svariati settori industriali nonché specialista della cyber defense: «L’accesso al web porta in dote, inevitabilmente, una vulnerabilità. Non importa quale sia lo strumento che accede alla rete. Recenti attacchi hacker negli States, ad esempio, hanno avuto come vittime frigoriferi e televisori connessi a internet. Elettrodomestici che, contrariamente ai PC, nella stragrande maggioranza dei casi non sono protetti da antivirus, non hanno a disposizione firewall e non applicano gli aggiornamenti di sicurezza via via rilasciati dai produttori di software. L’auto non fa eccezione».

Tesla Model S, prima vettura al mondo oggetto di un attacco informatico

Ma chi potrebbe mai pensare d’hackerare una vettura? Già fatto. La prima vittima è stata Tesla. Ora toccherà ad altri costruttori? Il problema non riguarda tanto – o non solo – la perdita dei dati sensibili, quanto piuttosto la sicurezza degli automobilisti. «L’auto da un lato potrebbe fungere da cavallo di Troia per quanti volessero accedere, indirettamente, a smartphone e dispositivi mobile che dialoghino con il veicolo – prosegue Del Bo –, dall’altro potrebbe… non rispondere di se stessa. L’elettronica governa oggigiorno l’80% delle tecnologie d’una vettura. Dall’ABS all’ESP, agli air bag, senza dimenticare le smart key e i moderni dispositivi di sicurezza; ad esempio l’arresto automatico in caso di collisione imminente. Violare l’elettronica di un veicolo può significare prenderne possesso a distanza. A maggior ragione quando i sistemi di guida autonoma, attualmente in fase di prototipazione, diventeranno operativi».

Una questione tutt’altro che marginale, in grado di schiudere la porta a interrogativi altrettanto rilevanti in sede di responsabilità civile e penale. L’apertura degli air bag indotta da un pirata informatico, ad esempio, qualora dovesse portare a un incidente, sarebbe da ascrivere al solo hacker, oppure anche alla Casa automobilistica responsabile di non aver fatto il possibile per prevenire un attacco cibernetico? Negli Stati Uniti il tema è già caldo, in Europa lo diventerà nei prossimi anni. Il rischio informatico sta acquisendo per le aziende una sempre maggiore rilevanza strategica e operativa, ma le contromisure non sono ancora adeguate all’esplosività di un serio attacco ai sistemi informatici. Una soluzione univoca, pertanto, non è al momento disponibile. Ma come spesso accade nell’eterno gioco tra guardie e ladri, se i malviventi non dormono, altrettanto si può dire per i difensori della sicurezza. In primis Carlo Del Bo, pioniere nel nuovo ramo della “car defense”.

BizEmpowerment: cos’è e di cosa si occupa

BizEmpowerment è una società nata nel 2011 e con sede a Lugano, in Svizzera. Il suo obiettivo è la gestione dei rischi aziendali in forma preventiva. Le aziende sono infatti continuamente soggette a rischi, sia strategici, sia operativi, questi ultimi legati all’attività produttiva.

BizEmpowerment ha lo scopo di prevenire e gestire questi rischi, e in particolar modo si occupa di Cyber Defense in collaborazione con la società E-Maglan Europe.

La diffusione delle nuove tecnologie ha portato un aumento dei rischi di tipo informatico per una vastissima gamma di settori industriali. Grazie alla collaborazione con E-Maglan Europe, BizEmpowerment può gestire questi rischi in modo proattivo, tramite una piattaforma di intelligence che è in grado di analizzare tutta la rete in diverse lingue e di captare segnali di allerta o comunque critici per l’azienda.

Oggi moltissime persone hanno la possibilità di pubblicare contenuti in rete, e tutto ciò che si scrive sulla rete rimane e può venire rintracciato: sui social media, sui newsgroup, sui forum e via dicendo. I vari interventi sono captati e analizzati per formulare un’indicazione dei rischi di un’azienda, nonché una valutazione di intelligence sul business, sulla competitività e sul marketing..

Il feedback così ottenuto permetta di capire qual è la percezione dei punti di forza e di debolezza di un prodotto, un brand o un’azienda e risulta molto più oggettivo di quello che si può ottenere normalmente, tramite tecniche più tradizionali; può quindi raggiungere persone con potere decisionale e permettere loro di capire ad esempio se un prodotto è o meno valido.

(dall’intervista a Carlo Del Bo nell’ambito dell’ultima Cyber Warfare Conference tenutasi a Milano il 13 ottobre 2014)