Recently the Automotive Information Sharing and Analysis Center (Auto-ISAC) released "Automotive Cybersecurity Best Practices" for carmakers and their suppliers. This document expands on their "Framework for Automotive Cybersecurity Best Practices" published in January 2016. This is the first time the automakers have addressed cybersecurity in a formal manner and a strong sign they are treating hacker threats seriously.
I am encouraged that the auto industry leveraged the experience of other industries when approaching this task. The Best Practices document builds upon guidelines from NIST and ISO/IEC in creating its cybersecurity guidance. While cars need different security measures from mobile phones or websites, there are elements that are the same across these platforms and the automakers have emphasized the relevant teaching from industries with a longer history of security-conscious software development.
Recently, Google announced they are testing a quantum resistant cryptographic algorithm for the Chrome browser, specifically the new Canary version used for experimentation. If you are unfamiliar with quantum resistant algorithms, you can watch the short video or read a series of blog posts.
I applaud Google's effort to take this important first step toward addressing the existential challenges of quantum computing by creating a more future-proof way for users to securely communicate over the internet. I urge the other browser vendors to follow suit.
Pop quiz: Is this a valid login screen for Google Account services?
Application security is often overlooked, under-funded, or ignored. Part of the reason for this is because it can be a complex, difficult aspect of IT security…but mostly it's because it's simply misunderstood.
When I speak with CISOs and other InfoSec professionals, the perception is that AppSec is a frustrating, vexing problem for them: the tools are expensive, burdensome, and inaccurate; developers won't take procured training; and there's a distinct sense of being overwhelmed by dependence on so many applications and so much code to run their business. Despair and lack of visibility leave organizations with the question "Where do we start?" and that question frequently never gets answered.
Ransomware first appeared as a method of stealing money from individuals, but it is now being used to restrict access to organizations such as hospitals, financial organizations, and even local law enforcement. Over the past few years, ransomware has taken hold of the cybercriminal world, and each year we continue to see its popularity grow among cybercriminals. Why? Ransomware is not only profitable but easy for an attacker to use. Simply infect the computer using a malicious link sent through an email, website, or chat message.
Social media and dating sites can be loaded with people looking to misuse your personal information. They can also be a great source for attackers to gather information about you to attack your other services (banking, email, etc.).
Recent news shows data from 117 million compromised accounts was being sold from the 2012 LinkedIn breach, far worse than the 6.5 million accounts originally thought. The Myspace breach, occurring one year later in 2013, is reported to be one of the largest password leaks with 427 million passwords stolen. Other breaches include 65 million Tumblr accounts, 6 million Facebook accounts, and 250,000 Twitter accounts, all occurring in 2013. Why is this only now becoming news? Much of this data has been recently made available for sale, stirring up commotion in the social media world. Even Facebook founder Mark Zuckerberg reported having his Twitter, Pinterest, and LinkedIn accounts hijacked, likely from the data that recently became available from the 2012 LinkedIn breach.
As software security zealots, we sometimes forget the human aspect of software development. Why wouldn't developers and organizations do every available security activity to make their software more secure? Isn't security indispensable? Isn't security king? There are some obvious reasons why they can't. For example, a lot of software security practices can be costly to implement in a pure financial or time sense. However, there are human factors that we don't always consider as well, so we might need to borrow from the field of sociology to answer those questions.
When you buy 3rd party software or outsource application development, you inherit all the vulnerabilities that the vendor fails to eradicate. To mitigate financial and operational risk, it's important that security and technology professionals write clearly defined security requirements into contracts.
Recently, the US Government Accountability Office publicly released GAO-16-350 VEHICLE CYBERSECURITY: DOT and Industry Have Efforts Under Way, but DOT Needs to Define Its Role in Responding to a Real-world Attack.
For this 61-page report, the GAO interviewed 32 selected industry stakeholders, including 8 automakers, 8 automotive parts suppliers, 3 automotive cybersecurity firms offering vehicle cybersecurity products, and 13 subject matter experts, including 7 leading researchers. Security Innovation's Chief Scientist, William Whyte, was one of the subject matter experts interviewed.
The National Institute of Standards and Technology (NIST), which is part of the US Department of Commerce, recently released a Report on Post-Quantum Cryptography. In the report, they review the threat posed by quantum computers to today's most popular cryptography and review the possible quantum-resistant solutions.