The February 2015 the Superfish security incident at Lenovo is evidence of the ever increasing vacuum in top executive security leadership.  A security leadership vacuum is important strategically since without proper leadership it’s extremely difficult to effect a positive outcome, secure products and services.  If we are sick we would not dream of diagnosing our own medical conditions but this is exactly what is happening in security programs across the world.  Top leaders of corporations and governments are making decisions that are quite frankly – wrong.  Poor strategic decisions carry dire consequences for us all.  Unlike a software bug or poor tactical decision a poor strategic decision creates an unfavorable environment for security resulting in highly vulnerable products and services that are difficult to remedy.  Poor security strategy is a systemic industry problem and not unique to Lenovo.  But using Lenovo as a convenient example, let’s examine the concerns more closely.

A quick check to Lenovo’s management page reveals the company has no top security executive.  Consider this a subtle warning sign.  Security at Lenovo is one of the many responsibilities assigned to Chief Information Officer (CIO), Xiaoyan WANG.  We can learn much about a company’s emphasis on security by reviewing it’s leadership structure on it’s web site or financial reports.  If you review Lenovo’s management page one of the things you will notice is, 1) security is not the primary roles but instead one of many CIO responsibilities, 2) other responsibilities of the CIO present a direct conflict of interest to security.

First, let’s look at security as a primary responsibility.  Security is like other areas of an organization, the more resources you invest the better results you can expect.  I don’t mean to imply blindly pumping cash into your security program is helpful but understanding how to apply resources to the problem is where partnership between business and security executives is important.  A poor security leader or no leader at all is the surest way to kill a security effort before it even begins.  To be clear, no company says do a bad job on security.  The problem is without proper security leadership and resource allocation – a good job is next to impossible.  Company’s with the best chance of success in their security programs place security on at least equal footing with other top business priorities.  In a security conscious company I expect to see at least one top security executive like Chief Security Officer (CSO) or Chief Information Security Officer (CISO).  Ideally, I want to see others like a Chief Privacy Officer (CPO) as well. This tells me this company really understands the impact of digital age on our products and services.  Of course, Lenovo may have a CSO that reports to the CIO, or to a leader that reports to the CIO, and many companies do, but in the the end this is a conflict of interest because CIOs are focused on delivery.  Ultimately, product delivery may trump security but without an independent advocate to argue on the side of product quality productivity will win every time and this may not be best the organization.

Next, the conflict of interest issue.  It may not be obvious but WANG’s many responsibilities include, “information service delivery and security”.  For years, IT organizations and software developers are accustomed to the idea of a Test group that performs independent quality assessments of products and services before customer delivery. Independent assessment is an essential quality control measure for producing consistent high quality products and services.  All too often security lump into the same bucket as other technical product quality review.  I believe this is a mistake.  Placing application security responsibility into the same group responsible for product delivery is like placing the fox in charge of the hen house.  Security product quality is a business concern not a concern for a technology group.  Few CEO’s were ever fired over a software bug but many more CEO’s will be fired in the future over software vulnerabilities.  Additionally, vulnerabilities are unique among bugs since they can shake the very foundations of your organizations credibility with customers which may take years to reestablish.  In today’s highly optimized world of software development, leaders often don’t have the necessary resources to deliver products on time and schedule.  In such a climate, it’s too tempting to focus limited resources on tangible features customers to can see.  However, with security it’s far to easy to make bold claims of a strong security posture.  Without specialized tools and testing security posture claims must be accepted at face value.  I see security differently, security is a top business concern not a technology concern.  As a top business concern, security must answer through it’s own leadership which ideally terminates at the security executive that answers with accountability to the board.  This will allow security to be considered on equal footing with other business priorities and risks.

A final note on security responsibility for C-level readers.  The days of blaming breaches on the ingenuity of hackers is coming to an end.  Overesteeming hacker abilities to infiltrate systems is a convenient way of shifting public scrutiny away from poor leadership and security practices back to attackers.  Increasingly the broader public and regulatory agencies are becoming less accepting of such excuses.  If you don’t make security a top priority in your board room, with all due proper funding, with security leaders leveled like other leaders – you will be accountable on breach day.  Leaders of America’s largest corporations are learning painful lessons security responsibility can be delegated but blame cannot see, Target CEO Fired – Can You Be Fired If Your Company Is Hacked?

For those interested in a previous post, So You Want to be a Security Professional, I cover some background on security positions and ways to organize security duties.  For full background on the Lenovo’s incident, I refer readers to Bruce Schneier’s article, Man-in-the-Middle Attacks on Lenovo Computers.

[1] Superfish cover by Anelis, DeviantArt

Information about this breaking SSL attack is coming in from a variety of sources.  I will share some better links.

A couple of articles to get you started sent to me via Jan Schaumann (Twitter: @jschauma).  The Errata article describes browser settings you can apply to stop POODLE’s dead in their tracks.

Errata Security: Some POODLE Notes
Matthew Green: Attack of the Week, POODLE

Next, a link from Oona Räisänen (Twitter: @windyoona) for a POODLE test tool to check if your browser is vulnerable.

POODLE Test

For OS X users who would like to run Chrome or Firefox with command line options from the desktop read-on.

To easily click an open from your desktop, create a bash script, like the following.  Use VI, TextEdit, TextMate, TextWrangler, or your favorite text editor.

#!/bin/bash
#
open -a “Google Chrome” –args –ssl-version-min=tls1 &

Save the preceding to a file named, chrometls.command.  Open the directory where chrometls.command is stored, on my system I store scripts in ~/bin.   Next you need to make sure chometls.command is executable, run the following.

chmod +x chrometls.command

Now open up Finder and drop a copy of chrometls.command you created on your desktop.  Double-click this file on your desktop and OS X you will launch Chrome – bada bing, bada boom, your done!

If the terminated shell is messing with your OCD there is an option to automatically close shell windows once the command or script terminates.  Open a Terminal, from the Terminal preferences on the profile tab you will see a set of drop down options, “When the shell exits”.  Change the value to be, “close if the shell exited cleanly”.  After you launch the browse the shell will close automagically.  I write some shell scripts on occasion but not usually under OS X so I thought I would pass this along for those in need.

When I run Chrome in this way I see the Springfield Terrier, indicating I’m not vulnerable, the command line arguments from Errata work for me.

–Milton

In my post, The Home Depot Letter of Shame, I mentioned the, “I told you so’s” we would hear from former employees.  It’s unusual I receive such instant gratification after I post an article but nevertheless following is a report from the The New York Times,  Ex-Employees Say Home Depot Left Data Vulnerable.

“But despite alarms as far back as 2008, Home Depot was slow to raise its defenses, according to former employees.”

Apparently Home Depot ex-employees had a wealth of information,

“Some members of its [The Home Depot] security team left as managers dismissed their concerns. Others wondered how Home Depot met industry standards for protecting customer data. One went so far as to warn friends to use cash, rather than credit cards, at the company’s stores.”

Ignored warnings from security staff was also noted in the Target incident.  Target ex-security staff warned management long in advance but management refused to acknowledge concerns.  In both these cases, the companies had advanced knowledge security weaknesses existed, willfully refused to improve, and even ousted outspoken security staffers to the peril of cardholders.

–Milton

The letter sent by The Home Depot to customers (on left, click to enlarge) about their recent security incident.  I can only think of 56 million reasons why this letter is unacceptable.  Offering free identity services is helpful but it’s entirely irrelevant to the top concern – poor security.  A more satisfying plan would be additional transparency around security efforts, communicate an improvement plan, and regular public reports of progress against the plan.  In testimony to Congress Target provided several assurances and the first item on the list,

“First, we are undertaking an end-to-end review of our entire network and will make security
enhancements, as appropriate.”  [Target to Congress]

The Home Depot seems to be following Target’s game plan.  However, due to the lack of transparency at the The Home Depot it’s not clear the actions taken address the security concerns.  Perhaps as the investigation progresses more communications are forthcoming.

I’m seeing a trend, a public weary of excuses around poor security and lack luster responses.  If this incident takes a similar trajectory to the Target incident, I would not be surprised to to see some executive turn over, finger pointing, and “I told you so’s” from ex-security staffers, in the coming months.  Given the magnitude of this incident, we may even see renewed enthusiasm from Congress on security.

–Milton

ADS-B.jpg
Photo: Raspberry Pi RLT-SDR receiver

What can you do with a RLT-SDR receiver, dump1090 software, and a Raspberry PI?  Easy, you can capture data like flight numbers, altitude, speed, and position information from ADS-B equipped aircraft in your area.

Ever since I was a kid I always enjoyed listening to my Grandfather’s shortwave radio.  Every twist of the tuner knob would produce a new discovery, aircraft, beeps and bleeps of Morse Code, far away news broadcasts.  Now I’m much older and technology has matured but so have my skills.  Now I have I have a Raspberry Pi, RLT-SDR, and know how to program (which means I’m dangerous).

Awhile back I built a Raspberry Pi project with a 2.8″ display from Adafruit.  I also purchased a low cost RLT-SDR receiver at DEFCON 22.  Shortly after I built my Pi project I could not make up my mind what I wanted to do with it so it sat on my shelf collecting dust.  Same goes with the SDR receiver after I returned from DEFCON.  That is until yesterday evening when I had the bright idea to put the Pi and SDR receiver together and make it do something useful.  Around the time I was searching for more information on Internet to get SDR going on Raspberian I discovered some information about ADS-B.  ADS-B equipped aircraft transmit telemetry on 1090mhz and within my SDR receivers bandwidth.  You can learn more about ADS-B on RLT-SDR.com.  I still learning myself so I don’t have a good idea where ADS-B fits into aircraft management just yet but ADS-B is definitely interesting technology.

Untitled%2B2014-08-27%2B16-10-12%2B2014-08-27%2B16-11-14.png
Photo: FlightRadar24.com

As you can see in the picture of my Raspberry Pi screen photo (first photo), various information about aircraft flying in my area are presented near my home.  I had no idea if this information was accurate so to verify I opened FlightRadar24 in my web browser (2nd photo on right).  The results were accurate although I only receive a fraction of the plans arriving or departing from San Francisco, Oakland, San Jose, and Sacramento.  I’m still not sure what the negative longitude is just yet.  In any case, I noticed that I receive telemetry from some aircraft almost 100 miles away with a 4″ antenna – wow!  Other aircraft passing over the mountains near my home would drop off my display and to be expected since mountains interfere with radio signals.  I was very impressed with the unit I purchased at DEFCON from Hacker Warehouse and at $20US there’s no reason not to experiment.  I noticed at the conference Hacker Warehouse sold a larger microwave antennas at the conference as well as directional antennas which would be interesting to experiment with.

The software package on the Raspberry Pi that makes detecting ADS-B transmissions possible is dump1090.  Dump1090 is used to tune your RLT-SDR radio and receive the ADS-B.  If you want to get dump1090 running on your Pi I then recommend reading Ferran Casanovas blog.  Following are the command line options for dump1090 so you can get some idea for what it does.

pi@raspberrypi ~/dump1090 $ ./dump1090 –help
—————————————————————————–
|                        dump1090 ModeS Receiver         Ver : 1.09.0608.14 |
—————————————————————————–
–device-index <index>   Select RTL device (default: 0)
–gain <db>              Set gain (default: max gain. Use -10 for auto-gain)
–enable-agc             Enable the Automatic Gain Control (default: off)
–freq <hz>              Set frequency (default: 1090 Mhz)
–ifile <filename>       Read data from file (use ‘-‘ for stdin)
–interactive            Interactive mode refreshing data on screen
–interactive-rows <num> Max number of rows in interactive mode (default: 15)
–interactive-ttl <sec>  Remove from list if idle for <sec> (default: 60)
–interactive-rtl1090    Display flight table in RTL1090 format
–raw                    Show only messages hex values
–net                    Enable networking
–modeac                 Enable decoding of SSR Modes 3/A & 3/C
–net-beast              TCP raw output in Beast binary format
–net-only               Enable just networking, no RTL device or file used
–net-http-port <port>   HTTP server port (default: 8080)
–net-ri-port <port>     TCP raw input listen port  (default: 30001)
–net-ro-port <port>     TCP raw output listen port (default: 30002)
–net-sbs-port <port>    TCP BaseStation output listen port (default: 30003)
–net-bi-port <port>     TCP Beast input listen port  (default: 30004)
–net-bo-port <port>     TCP Beast output listen port (default: 30005)
–net-ro-size <size>     TCP raw output minimum size (default: 0)
–net-ro-rate <rate>     TCP raw output memory flush rate (default: 0)
–net-heartbeat <rate>   TCP heartbeat rate in seconds (default: 60 sec; 0 to disable)
–net-buffer <n>         TCP buffer size 64Kb * (2^n) (default: n=0, 64Kb)
–lat <latitude>         Reference/receiver latitude for surface posn (opt)
–lon <longitude>        Reference/receiver longitude for surface posn (opt)
–fix                    Enable single-bits error correction using CRC
–no-fix                 Disable single-bits error correction using CRC
–no-crc-check           Disable messages with broken CRC (discouraged)
–phase-enhance          Enable phase enhancement
–aggressive             More CPU for more messages (two bits fixes, …)
–mlat                   display raw messages in Beast ascii mode
–stats                  With –ifile print stats at exit. No other output
–onlyaddr               Show only ICAO addresses (testing purposes)
–metric                 Use metric units (meters, km/h, …)
–snip <level>           Strip IQ file removing samples < level
–debug <flags>          Debug mode (verbose), see README for details
–quiet                  Disable output to stdout. Use for daemon applications
–ppm <error>            Set receiver error in parts per million (default 0)
–help                   Show this help
 
Debug mode flags: d = Log frames decoded with errors
                  D = Log frames decoded with zero errors
                  c = Log frames with bad CRC
                  C = Log frames with good CRC
                  p = Log frames with bad preamble
                  n = Log network debugging info
                  j = Log frames to frames.js, loadable by debug.html

My experience with dump1090 was excellent.  The output is more or less what is shown on my Pi photo (first photo).  I say, more or less, since I made some changes to the program for my smaller display on my Pi.  The problem I had on my 2.8″ screen was that the lines would wrap around past the edge of the screen and into the next line.  All the information was on the screen but it was hard to read in –interactive mode.  To get the Pi display cleaned up I was thinking I could find a command line option and then grep something together for a cleaner display.  Unfortunately, I didn’t notice any easy way to do this.  As a workaround, I made some changes to the program to shorten the output to only the fields of interest within interactive.c.  The code is customized for the 2.8″ PiTFT Mini Kit at Adafruit.  After apply the changes, I recompiled dump1090 and output was shortened to fit my display as I expected.  Next, I made some changes to force the Pi to login automatically and start the dump1090 program running.  I know, not very secure but I don’t have any data on this device.  For now, I just used the default account on the Pi but it would be more secure if I created a new account with less privilege.  Anyway, I was lazy and wanted to get this thing finished before I went to bed so I improvised.

b747-8i_lufthansa_02.jpgOne final thought I have rolling around inside my head, since my profession is application security, is that ADS-B does not seem very secure.  ADS-B telemetry is sent from aircraft real-time in route completely unencrypted so far as I know.  I wonder what would happen if an ADS-B transmitter was built and launched in a ballon or drone by an adversary?  It seems possible for adversaries to fake flight numbers, altitude, air speed, and position at a minimum.  Transmitting on ADS-B band is more than likely highly illegal but then again adversaries give little regard to laws.  I hope critical air traffic management systems don’t use these signals for routing traffic but I really have no idea.  If anyone is an ADS-B expert and would like to post a comment to educate readers please do.  I’m a noob in this area.

Update March 4, 2015, I have since learned other security researchers consider insecure ADS-B a security safety problem, Air Traffic Control Systems Vulnerabilities Could Make for Unfriendly Skies [Black Hat].  Apparently the Government Accountability Office (GAO) is recommending improvements, FAA Must Address Cyber-Security of Air Traffic Control Systems: GAO.

Update April 22, 2015, I discovered a presentation on the ADS-B at a security conference about 2 years ago, “DEFCON 20: Hacker + Airplanes = No Good Can Come Of This“.  The presentation is provided by Brad Haines, Render Man(@iheckedwhat).  Render Man goes a step further to demonstration ADS-B spoofing and does a simulated pass by an airport tower.  The radio transmissions were terminated into a dummy load so no danger of harming any real aircraft.  According to Render Man, FAA representatives where attending his conference session.

Update May 1, 2015, FAA’s answer to aging air traffic infrastructure is NextGen.  Apparently, NextGen is falling short of expectations.  A little digging on NextGen reveals it’s not the deep overhaul expected but more of tune-up.  In fact, NextGen still includes proven insecure technologies like ADS-B.  Unfortunately, the FAA efforts seem to focus on efficiency and safety as opposed to security which is a distinctly different challenge.  FAA continues to press forward with NextGen even after debate on public research and the GAO report noting security concerns.  The price tag for NextGen is around $40 billion but a complete overhaul would likely cost far more.  New infrastructure or sharing military infrastructure may be required to develop a secure solution since foundational technologies like GPS were proven insecure long ago.

Red lights got you down?  No problem, a laptop, radio card, some experimenting, and you can change red lights to green before you arrive at an intersection.

“attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage”

Research by the University of Michigan presented at the 8th USENIX Workshop on Offensive Technologies, Green Lights Forever: Analyzing the Security of Traffic Infrastructure.

–Milton