Introducing Lion Briefs

7/15/2023

I am currently maintaining a publication site titled Lion Briefs. This is an open publication where anyone can submit articles to me for consideration. My blog posts are now articles on the new site.

Please visit lionbriefs.com

If you wish to submit ideas I am ready to receive!

Embedded Security is an Emergency in Progress

6/13/2022

Embedded security attacks are emergencies, and we need to treat them that way.

The embedded security problem is an ongoing and escalating emergency in progress. The internet of things is so extensive and so interconnected that simply writing good code is not good enough. Conventional boundary thinking is irrelevant. Resetting systems is no guarantee to halt attacks. There’s no time for finger pointing and guesswork. According to PSA Certified, the average cost of a successful IoT device attack is more than $330,000 and it’s estimated that by 2025, cybercrime damages will total $10 trillion. It’s time to take crisis control lessons from the emergency management industry and get out of this spiraling failure.

Rapid response criteria are needed for embedded systems emergency management

A rapid response plan requires both technical and workflow commitments to process attack intelligence.
The basic steps include:

  • Obtain time, date and geolocation alerts to pinpoint when and where the problem began.
  • Monitor for propagation patterns as the attack spreads.
  • Upload code module samples to provide evidence of the alteration of system code.
  • Share combined intelligence with all stakeholders according to assigned roles, who will coordinate together to implement remediations.

The magic words are: stakeholders coordinate together. Who are the stakeholders? What are their roles? In any system life cycle there are at least five: Developer, OEM, Product Vendor, Dealer, and Owner. The technologies chosen to build and implement embedded systems must provide the information necessary for them to rapidly resolve problems.

Steps to building the next-generation embedded system emergency response

Solving attacks quickly happens when actions can and will be taken quickly. A fundamental change in embedded software development, information sharing, monitoring and updating is required.

  • Software development must include code signing, behavioral deviation detection and trusted update mechanisms. Developers must learn to see security as integral to their reputations.
  • Stakeholders must agree to opt into event monitoring. Rapid updating, including options for real-time over-the-air delivery, must be available.
  • Emergency management workflow agreements and action plans must exist for all stakeholders. The technical design must enable stakeholders to take actions and receive positive recognition for fast responses.
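
As an added example (not code from the original post, nor from Lionfish Tech Advisors or PSA Certified), the Python sketch below shows what the "code signing, alteration detection and trusted update" requirements above, together with the time/date/geolocation alert and code-sample evidence from the response steps earlier, look like when reduced to code. It assumes a hypothetical firmware layout of named modules plus a JSON manifest of expected SHA-256 digests and a version number; the manifest is authenticated with HMAC-SHA256 under a key the device holds, which stands in for the asymmetric code signature a real product would use. Every module content, key, device id and coordinate is a constructed sample value.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key: stand-in for the device's code-signing trust anchor.
# (HMAC is used only because the standard library has no asymmetric signatures.)
MANIFEST_KEY = b"constructed-demo-key-not-for-production"


def canonical(manifest: dict) -> bytes:
    """Serialize the manifest deterministically so its tag is reproducible."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = MANIFEST_KEY) -> str:
    """Authenticate the manifest that lists expected module digests."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, tag: str, installed_version: int,
                    key: bytes = MANIFEST_KEY) -> bool:
    """Trusted-update gate: reject an unauthentic manifest and any rollback."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False
    return manifest["version"] > installed_version


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_altered_modules(manifest: dict, installed: dict) -> dict:
    """Compare installed module bytes against the manifest's expected digests.

    Returns {module_name: reason} for every deviation; an empty dict means
    the installed code matches the signed manifest exactly."""
    findings = {}
    expected = manifest["modules"]
    for name, digest in expected.items():
        if name not in installed:
            findings[name] = "missing module"
        elif sha256_hex(installed[name]) != digest:
            findings[name] = "digest mismatch"
    for name in installed:
        if name not in expected:
            findings[name] = "unexpected module"
    return findings


def build_alert(device_id: str, geolocation: tuple, findings: dict,
                installed: dict, when: datetime) -> dict:
    """Package when/where/what evidence for the stakeholders' shared channel.

    The alert carries the digest of each altered module rather than the raw
    bytes, so evidence can be correlated across devices cheaply; the sample
    itself can be uploaded separately once a human confirms the alert."""
    return {
        "device_id": device_id,
        "observed_at": when.astimezone(timezone.utc).isoformat(),
        "geolocation": {"lat": geolocation[0], "lon": geolocation[1]},
        "altered": {
            name: {
                "reason": reason,
                "observed_sha256": sha256_hex(installed[name]) if name in installed else None,
            }
            for name, reason in findings.items()
        },
    }


# Constructed sample: a two-module firmware image and its signed manifest.
GOOD_MODULES = {"boot.bin": b"bootloader v2", "net.bin": b"network stack v2"}
MANIFEST = {
    "version": 2,
    "modules": {name: sha256_hex(data) for name, data in GOOD_MODULES.items()},
}
MANIFEST_TAG = sign_manifest(MANIFEST)

# Constructed sample of a device whose code was altered: one module changed,
# one module present that the manifest never listed.
TAMPERED_MODULES = {
    "boot.bin": b"bootloader v2",
    "net.bin": b"network stack v2 + unexpected bytes",
    "extra.bin": b"unlisted code",
}


def demo() -> dict:
    """Run the full check against the constructed sample and return the alert."""
    if not verify_manifest(MANIFEST, MANIFEST_TAG, installed_version=1):
        raise RuntimeError("manifest rejected; do not trust its digests")
    findings = find_altered_modules(MANIFEST, TAMPERED_MODULES)
    return build_alert("pump-controller-17", (40.7128, -74.0060), findings,
                       TAMPERED_MODULES, datetime(2022, 6, 13, 9, 30, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order matters: the manifest is verified before any of its digests are trusted, and the version check runs inside that gate so an attacker cannot replay an older, validly signed manifest to roll a device back to code with known weaknesses.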

Bottom Line

When embedded systems are compromised, services are affected, money is lost and lives are at risk. Emergency-ready software supply chains are needed now, not years in the future. Players at any point in the supply chain should ask tough questions about security treatments, and skip vendors who are not ready to address the life cycle commitments set forth in this opinion.

- John Girard  |  Advisor at Lionfish Tech Advisors and Managing Director of Cyber Imbiber Tech Advisor LLC.

Recommended Reading

Why Certify IoT Security?, PSA Certified

Top 25 Auto Cybersecurity Hacks: Too Many Glass Houses To Be Throwing Stones, Forbes

From Stuxnet to Industroyer: The biggest hacks in the history of Industrial IoT, Turn-key Technologies


© 2022 Cyber Imbiber Tech Advisor LLC

A New AI Program Reads Children's Emotions

A scary development for the best of intentions | 2/17/2021

CNN reports: Before the pandemic, Ka Tim Chu, teacher and vice principal of Hong Kong's True Light College, looked at his students' faces to gauge how they were responding to classwork. Now, with most of his lessons online, technology is helping Chu to read the room. An AI-powered learning platform monitors his students' emotions as they study at home.

What do you think about that? Assuming that the teacher can see student faces on the screen anyway, is it really necessary? Maybe working on better communication skills, having a teacher aide also on the call to look more closely at the students, and using a larger monitor would be a better idea?

I think we all can guess that this idea can and will be exploited in a variety of ways. Many tech pundits are remarking on the ways that rapid assessment of this type could be seen as almost akin to mind reading. 

What do you think?
Full story here.

It's Time to Dump Your Old Tech!!

A noble 2021 resolution is to stop hoarding your technological past. | 1/31/2021

Regardless of your generation, it’s likely that you have a growing collection of drawers and boxes of old tech that becomes a material millstone.

So, let’s do something about it!

The New Year is an opportunity to lighten your tech junk load. If you want to keep your first boom box, ok. But what about that pile of discarded earbuds, and the radio that won’t switch on? And broken cameras and yellowed 1950s TV cords and bags of wires and power adaptors? It’s time to say goodbye.

Maybe you have items that belonged to your parents and grandparents. Maybe you are just a kid and already collecting smaller tech that still turns into a pile. No matter, if you don't need it, get rid of it!

Here is a presentation I prepared for a club near me. Give it some thought.

Tell you what. If you shed something and later want it again for nostalgic reasons, you can find it on eBay!!

Virtual Conventions? Ho...Hum

There is a long way to go to create the buzz that we lost when conventions went virtual. | 11/16/2020

This weekend I attended a statewide home improvement convention, wholly virtual. I wondered how well the professional organizer would perform in terms of kindling the excitement, engagement and general buzz of a physical event.

I give the organizer credit for effort, but the event in my opinion, fell flat.

The event opened with a "live" presentation. However, since you could watch it any time after the opening at 10AM including the next day, I was annoyed by this inaccurate label. The main purpose of the opening presentation was not to discuss home improvements as issues that concern my state, but rather just to showcase the main vendors. In the past that would be OK for me but in this virtual event it causes several problems. First, the opening was too long because every vendor was given time to merge their own presentation into the opening. There was no quality control so the impact of the sessions was variable. My favorite was the "communications" company that did such a poor job of mixing that the voices were drowned by the music. Second, there was no feeling of a convention. While it was true that every main vendor would have a presentation slot in the afternoon, they had already overexposed themselves with a long segment in the opening presentation. Really, the whole thing just felt like a web shopping page with added complexity.

And what about those vendors? The show was clearly geared to the folks who either had 7-figure incomes or were willing to mortgage themselves to look like the top of the heap. Again I will say, that is OK ... BUT not everyone who attends these events is looking for costly remodeling. Some folks have smaller projects, and some are showing up for the smaller vendors, who were not here, not ready to offer lower cost accessories and decorations.

Each vendor had a home page "tile" to press for a visit. After pressing the tile, you would be offered various items including pictures to scroll and a chat option with the vendor. Some vendors had additional videos.

And so we reach the "so what" point. The convention as an online experience offered nothing new in terms of user experience better than I can get by just visiting a vendor website. There was a promise of show discounts, but no general incentive such as a prize drawing for attendees that visit every vendor and make a connection.

That's the gist. I even went back the next day to have another look. There was no guiding outline or framework that added values that I could not already get just by surfing the web, including discounts.

What would I have done if I had created the site?

The landing page would look like a show floor. I would probably include the sounds of a show floor. I would navigate it like a Google map. Available staff would be represented by names, pictures, and qualifications. All of this could have been templated in advance. This is not new stuff, right? You have heard of Second Life? That's been around since 2003?

At times when a talk is about to begin, I would play the meeting chimes and have a floating announcement object crossing the screen. The viewer could cancel the announcement by clicking the object and would also get the link to the talk. (Click to hear meeting chimes. Press the back button to return to this page.)

I would have required vendor booth messages that succinctly identified the vendor's value and purpose for a range of several economic levels of buyers and levels of projects. I would have provided helper apps to quickly and roughly size projects and asked the vendors to implement these apps consistently. Even if the examples are simply anecdotal, generic. This is how people get interested.

I would have adjusted the interface to encourage visitors to click to talk with a representative, not to scroll through gallery photos. This means of course that there needs to be a person to talk to. But not just sitting at a screen. If you walk into a store, the staff may not be in front of you. My entry should be through a camera looking into the store or booth, and a chime should announce me. If more than one person enters, the staff member could talk to us all.

Question submissions would have been a top priority with a commitment to attendees to answer their questions with targeted examples in the afternoon talk tracks.

Where I, as a vendor, saw common question themes, I would have provided updates to indicate when and where the questions would be answered, and that could be a date and time after the event.

I definitely would have included a show store that featured low end accessories, products and tools. Since this is a lot of work I would approach both local and national businesses to fill out this part of the event.

But that's just me. 

If this is the calibre of online conventions, count me out!

You ARE Being Tracked. What are Your Options?

Your Internet activities and your devices tell a lot about you. But is that a bad thing? | 10/15/2020

If you are located by your cell phone after an accident, you are happy.

If you use "find my iPhone" to recover your device, you are happy.

But if your movements are tracked in other ways, you scream "invasion of privacy".

You can't have it both ways. 

That is just one example of many. During the pandemic crisis, plenty of people complained that they might be tracked to understand the spread of the virus. But knowing that information helps save lives. If you want to live in the world today, you are going to have to accept that your ability to maintain privacy has changed. 

Cellphone serial numbers have a lot in common with radios and bands that we clamp on birds. Watch this video to see how 2020 Spring Break revelers traveled from the crowded beaches of Florida to multiple states. ALL of this information is available without violation of the Fourth Amendment. View the tracking video here.

Then there is the matter of investigations by law enforcement agencies. There are two types of warrants that do not technically violate the Fourth Amendment and do not qualify as wiretapping. One is a geofence warrant and the other is a keyword search warrant. Used carefully, they are great tools. Used badly, people get hurt.

A geofence warrant is a request for general location information about devices connected to hotspots and cell towers in particular areas, at particular times. A keyword search warrant is a request for everyone who is searching for particular words in particular areas and at particular times. Note that our current administration has pushed to do more keyword searches, and concern has been mentioned over use for political reasons.

Three examples:

The first story is a geofence warrant that was mishandled. 

A man is wrongly arrested based on Google tracking that was known to be unreliable.

https://www.phoenixnewtimes.com/news/google-geofence-location-data-avondale-wrongful-arrest-molina-gaeta-11426374

The second story is a keyword search warrant that was seemingly used correctly.

https://www.forbes.com/sites/siladityaray/2020/10/08/google-shared-search-data-with-feds-investigating-r-kelly-victim-intimidation-case/#6628d9b37c62

The Forbes article raises some important concerns. Consider the statements under the headings Chief Critic and Crucial Quote.

The third is a vastly broad keyword request that is poorly scoped, and could cause more trouble than good. 

https://www.forbes.com/sites/thomasbrewster/2017/03/17/google-government-data-grab-in-edina-fraud-investigation/#f64742d7ade8

---------------

Let's be clear as you read on that I always suggest to respect and stay within the law. So the following is standard technical analysis without any assumption.

Keep in mind that you were already tracked for decades. Traffic cameras, Cable TV Boxes, E-ZPasses, store CCTV and so on were already there, sometimes used well and sometimes not. So being tracked by technology is really not a new thing.

However, the Internet and our connected devices have certainly expanded the information that is available about you. There are limited options today to avoid "being found" and tracked. A few examples:

You could stop using cell phones. It's obvious that cellular device locations are fully trackable. Burner phones bought with cash are not a solution when you have nothing to hide.

You could stop using public hotspots, e.g. guest Wi-Fi, even if you have tried to block every potentially detectable source of device identity.

You can install an anonymizing VPN on your devices. But if you want to really be hard to trace, you will have to learn some technology, pay for it, and configure it for multi-hop routing. Actually there are some good reasons to consider a home VPN, because your ISP really does have a record of literally every place you visit on the Internet. That might concern you even if you have nothing you want to hide, so on principle a VPN becomes interesting. If you want to experiment, you can get a free 10GB plan from a company called Windscribe. Two points. First, I mention this company only because of the free starter plan. Second, 10GB won't last long. An hour of watching an online movie can easily consume one to three GB or more. It makes better sense to turn on the VPN while shopping or doing research but otherwise save the bandwidth.

If the above thoughts are really worrying to you, keep a record of the places you go, and hang on to receipts that prove where you traveled. And watch Sandra Bullock in the 1995 movie, The Net. I admit this will make you even more uncomfortable. But everything in that movie is coming true, including attacks on hospitals that cause patients to die. You are better off to not be anonymous.

A Surprising Low Tech Hearing Aid

Maybe you can postpone that expensive earbud... | 9/25/2020

I laughed out loud when I saw this hearing device online, but then I ordered a set!

Everyone knows that you can focus your hearing by cupping your hands at your ears. Indeed some crazy devices were made in the past, some that made people look like cartoon mice. The Dixie Hear Cups are a bit more elegant.

On a closer look you will notice that they are the size and shape of a small drinking cup. They are made of plastic and have a head band, and a little wooden ball to slide and tighten. The first thing I noticed was that the cord slips off because there is no guide to hold it in place. So I used a pair of small cable clamps and 6-32 bolts to anchor the cords to the sides.

Do they work? Yes! I felt I was getting at least a 3 dB boost. But the hard plastic does make sound tinny, and for the effort, I would like a slightly larger cup. The concept is convenient: no batteries or wireless links, and you can move around while wearing them. Unfortunately the few sites that carried this silly device seem to have run out. I suspect that Georgia-Pacific is not happy about the inventor's decision to piggy-back on their brand. You can see the Amazon page here, or do a search to find others.

SPORTS MASKS MUST HAVE THEIR AIR VALVES CLOSED

Your exhaled breath is not being filtered! | 8/16/2020

I love my sports dust mask. Of all the masks I have tried, it fits the best and is the easiest to put on or take off. I can also run the temples through the top of the ear loops which prevents them from falling off while I am exercising - hah - or leaning over a pond! But we all goofed on this idea. Because there are special vents for exhaust, your breath droplets are going right out of the mask, therefore NOT protecting other people from YOU.

I have come up with a fairly simple way to shut off the valves and present it here in a PDF instruction guide

Please note, this is a DIY project. I am not a Doctor and it's just my idea. If you choose to try this, you are taking responsibility. Stay safe!!!


Thunderspy: A New Problem With a Simple Old Solution

Sleeping PCs will harm you! | 5/13/2020

Thunderspy, an exploit of a DMA weakness in the Thunderbolt hardware, can take complete control of your PC, your data and your secret encryption key. Macs are also partially vulnerable. DMA (Direct Memory Access) attacks are not new. Every time a computer designer grants direct access to the computer memory, there are risks that can lead to exploits. Some history can be found here: https://en.wikipedia.org/wiki/DMA_attack

Why should you care? This exploit can affect you even if you have never used Thunderbolt.

Like other DMA exploits, the Thunderspy attack requires physical access to a victim's computer, and several minutes to access internal components. Both PCs and Macs can be affected. This type of exploit is classified as an "Evil Maid Attack" because of people who enter hotel rooms looking for computers that are up and running. 

For anyone who has a system built with Thunderbolt version 3 or earlier (meaning PCs and Macs manufactured prior to 2019), it is a hardware problem, and at this point, cannot be eliminated with a software update. The simplest way to determine if your computer supports Thunderbolt, and which version, is to review your system documentation and specifications. You can also look for the Thunderbolt symbol printed on the side of your computer, which resembles a lightning bolt, to determine which of your port(s) support it.


During this time while we are all mostly working in isolation, the opportunities for this sort of attack are reduced. If you want to take steps to get ahead of the problem, the most effective mitigation step involves disabling the Thunderbolt capability. This may not be easy and will vary between computer models. There is also a risk if for any reason, Thunderbolt is eventually re-enabled. 

Anyone who must use Thunderbolt, or who does not use it but can't determine how to disable it, can follow two basic rules. First, do not leave your computer unattended and running: you are vulnerable even if you have logged out or locked the screen. Second, remove "sleep" as an option for shutting down your system. Instead choose the hibernation mode, or better yet, disable both sleep and hibernation. Today's systems start up quite quickly, so you really don't need those settings.

And it's always in your best interest to enable device encryption. That means BitLocker on a PC and FileVault 2 on a Mac.

Want to read more? Look here!

Official statement from Intel

https://blogs.intel.com/technology/2020/05/more-information-on-thunderspy/#gs.6dt8j3 

Other sources 

https://www.wired.com/story/thunderspy-thunderbolt-evil-maid-hacking/ 

https://en.wikipedia.org/wiki/Thunderspy_(security_vulnerability)

Note that the basis of the vulnerability was reported a year ago...

https://www.theverge.com/2019/2/27/18243503/thunderclap-vulnerability-thunderbolt-computers-attack

Focus on the Mac

https://www.macworld.com/article/3542683/major-thunderbolt-security-flaw-found-in-macs-and-pcs-should-you-be-worried.html 

Apparently the discoverer has written a program to test for the vulnerability. That in itself is a bit worrying! The site was down when I checked. I would advise caution before using any tool that did not originate from an accountable source.


Is It You Stuttering? Or Your Internet Connection?

Watch Parties and other hungry events will kill your Internet | 4/15/2020

We have to congratulate the Internet Service Providers (ISPs)! The Internet is holding up pretty well during these difficult times. Backbone capacity is not the big issue. Your problem is the last mile, meaning the connection from your home to the ISP. If you are on a small bandwidth cheaper plan, you may not get what you hoped for.

The equipment is the same but the providers put throttles on your node so that you can't go at full speed. As I said in my separate paper about Telework, it's a good idea to pay for more than the minimum bandwidth. Give yourself enough to deal with kids and spouses, at work and at play. There are lots of sites that will help you estimate not only your real connection speeds, but also the estimated demands of your apps. 

As a case in point, let's consider Watch Parties. Someone plays host. You may be watching a stream relayed from their PC or you might be watching together in the cloud using a system called multicast. Either way, you have a lot of demand going on. First there is the show that is streaming down to you. Then, there is your own video and audio that are streaming up and out to the other participants. Then there are also streams coming to you from each of the party participants. In no time at all you could eat up most or all of your last mile bandwidth.

What to do? 

Take your own personal camera off of the HD setting. Run in 560p or 480p instead.

Mute your audio and video when you don't need them.

Lower the resolution of the movie as you receive it. 4K movies can easily use up an entire basic/cheap Internet service connection!

Here are examples of the savings you can make on streaming movies:

4K movies need 15-25 or more Mbps (Ultra is the high end)

1080p and 720p are more manageable at 4 to 5 Mbps

480p needs as little as a 1/2 Mbps on a PC up to 3 Mbps on a TV.

So unless you really feel the need to count the pores on the actor's face, give that 4K resolution a rest for now!
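
As an added example (not from the original post), the Python below turns the watch-party accounting above into a rough last-mile budget: the movie coming down, one camera-plus-audio stream coming down from each guest, and your own camera and audio going up. The movie bitrates are the upper ends of the post's own figures; the camera and audio bitrates, the plan sizes and the 20% headroom are constructed assumptions for the example, not measured values.

```python
# Movie bitrates in Mbps from the post's table (upper end of each range).
MOVIE_MBPS = {"4k": 25.0, "1080p": 5.0, "720p": 5.0, "480p": 3.0}
# Camera feed bitrates: constructed assumptions for this example.
CAMERA_MBPS = {"hd": 2.5, "480p": 1.0, "off": 0.0}
AUDIO_MBPS = 0.1  # constructed assumption for one voice stream
RESOLUTIONS = ("4k", "1080p", "720p", "480p")  # best to worst


def watch_party_demand(movie: str, my_camera: str, my_audio: bool,
                       guests: int, guest_camera: str = "hd") -> tuple:
    """Return (download, upload) demand in Mbps for one participant's link.

    Downstream: the movie plus a camera and audio stream from every guest.
    Upstream: only your own camera and audio leaving the house."""
    down = MOVIE_MBPS[movie] + guests * (CAMERA_MBPS[guest_camera] + AUDIO_MBPS)
    up = CAMERA_MBPS[my_camera] + (AUDIO_MBPS if my_audio else 0.0)
    return round(down, 2), round(up, 2)


def fits_plan(down: float, up: float, plan_down: float, plan_up: float,
              headroom: float = 0.8) -> bool:
    """True when demand stays under the plan with 20% left for the rest of the house."""
    return down <= plan_down * headroom and up <= plan_up * headroom


def best_movie_quality(my_camera: str, my_audio: bool, guests: int,
                       plan_down: float, plan_up: float,
                       guest_camera: str = "hd"):
    """Highest movie resolution that still fits the plan, or None if nothing does."""
    for movie in RESOLUTIONS:
        down, up = watch_party_demand(movie, my_camera, my_audio, guests, guest_camera)
        if fits_plan(down, up, plan_down, plan_up):
            return movie
    return None


if __name__ == "__main__":
    # Constructed scenario: five guests, a basic 25 Mbps down / 3 Mbps up plan.
    for cam in ("hd", "480p"):
        print(cam, "camera ->", best_movie_quality(cam, True, 5, 25, 3))
```

On the constructed 25/3 plan the result shows the post's point from the other direction: with an HD camera nothing fits, because the upload side is what overflows, while dropping your own camera to 480p frees enough upstream that the movie can stay at 1080p.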