Category Archives: News/Announcements

SC Magazine: ThreatSTOP CEO Talks IoT Security for Healthcare Industry


ThreatSTOP CEO and Founder Tom Byrnes recently spoke with SC Magazine about the inherent security risks of IoT devices in the healthcare industry.

According to the article, “another huge area for IoT attacks is the health care vertical. In the same way that operations and facility departments are not in the habit of having light bulbs and door locks approved by IT, their hospital counterparts are not used to getting standard medical systems, such as X-ray and ultrasound machines, approved by IT, either.”

Healthcare facilities are under attack because they enable hackers to access very valuable personal healthcare information such as Social Security numbers, medical records and dates of birth. A medical record can fetch as much as $363 on the black market.

Click here to read the SC Magazine article.

The ThreatSTOP report on security for the healthcare industry is available here.

DNS Inventor and ThreatSTOP Chief Scientist is Guest on Domain Name Wire Podcast


This week Domain Name Wire is celebrating 100 episodes of the DNW podcast, and what better way to do it than have Paul Mockapetris as its guest. Paul invented the domain name system back in the 80s, and currently serves as the Chief Scientist for ThreatSTOP.

On this podcast, he talks about the early days of DNS, new uses for DNS, and security.

Click here to listen.

AIRI 2016 — DNS Inventor Dr. Paul Mockapetris Speaking


The theme for AIRI 2016 is “disruption”. In our lifetimes nothing has been more disruptive, or world-changing, than the invention of the Internet. Initially the Internet allowed computers to communicate, but today virtually every digital device, including phones, control systems, and even our watches, communicates via the Internet. Dr. Mockapetris, Internet pioneer, will speak at AIRI 2016 about how his inventions have changed the world for the better, and why Internet security poses such a serious problem to our privacy and freedom.

Dr. Mockapetris will be speaking on September 13, 2016, from 4:15 pm to 5:00 pm.

AIRI 2016 is taking place in West Palm Beach, September 11-14 at the PGA National Resort & Spa Hotel. The 55th annual meeting will feature nearly fifty sessions.

Internet Pioneer Discusses Creation, Expectations and Security of DNS on its 33rd Birthday


“The Internet community has let legacy infrastructure designs constrain the future.”

Thirty-three years ago today, Paul Mockapetris, inventor of the Internet Domain Name System, watched the DNS take its first steps. This critical development would open up what may be the world’s most utilized and important technological development for a mass audience. Did he understand the importance or impact that DNS would have when it was created?

“I think I saw the potential importance more clearly than the traditional ARPAnet era folks, who were busy replacing the old NCP protocols with IP and TCP,” noted Mockapetris, now Chief Scientist at ThreatSTOP.  “So I was very happy to take on the design job and build something quite beyond the task given me.”

By 1983, he had already spent 15 years designing distributed systems at what would become the Media Lab at MIT, Draper Labs, IBM, and the Distributed Computer System at UC Irvine. So he did expect his creation to be used across the Internet to manage distributed operating systems and applications. DNS was really meant to manage a heterogeneous distributed, federated cloud and its services.

Something Mockapetris did not expect was the whole marketing and branding of names. “I guess I should have taken some classes in business and marketing,” he joked.  His biggest surprise was that the research agencies in the late 80s and 90s didn’t see naming systems and DNS in particular as merely the first steps in an Internet naming architecture. The original design had many places where next steps and additional mechanisms were indicated, and were never taken.  Recent work in named data networking has revived this field a bit.

“If I’d been told in 1988 what the DNS would eventually be used for, I would have said it wasn’t possible,” said Dr. Paul Vixie, Internet pioneer and CEO of Farsight Security, Inc. “Almost all Internet activities, whether for good or evil, begin with a DNS lookup.  Defenders who can monitor, and control, and investigate their use of DNS can by extension monitor, and control, and investigate their relationship to the Internet itself.”

The DNS was introduced during the transition from the ARPAnet to the IP/TCP-based Internet, and was the largest single architectural innovation of that transition. As a critical infrastructure, DNS has been subjected to many attacks and misuse, but in today’s hardened form, it is seen as an essential tool for implementing security.

Security was intentionally left out of the initial design, along with several other functions. DNSSEC is a next step, but it is very heavyweight and doesn’t solve current problems like DDoS.

“The Internet community has let legacy infrastructure designs constrain the future,” notes Mockapetris. “For example, the 512 byte datagram limit of 1983 should be more like 500 Megabytes if we adjust for the million-fold increase in transmission speed in today’s Internet, though I’d settle for 512K bytes. We are giving up on datagrams because of DDoS – while I understand the argument, I’m not ready to surrender yet.  There’s a lot of room for innovation here. It’s as if we are requiring DNS to support paper tape and floppy disks.”

Mockapetris now provides guidance to the ongoing product innovation process for ThreatSTOP, and leads research into DNS-based security. “Effective security requires real-time threat intelligence that is distributed to all of an enterprise’s enforcement devices whether they are routers, firewalls, application delivery controllers, or servers. DNS is an ideal vehicle,” said Mockapetris. “Fielding powerful, scalable security tools that leverage the ubiquity of DNS to protect organizations of all sizes is critical.”

CIO: 5 security experts share their best tips for ‘fringe’ devices


ThreatSTOP’s own Leon Glover was quoted in an article on CIO.com (which also ran on Network World) about securing fringe devices.

The article’s author, John Brandon, answers the question “what is a fringe device?” and offers advice from five experts on how best to secure those devices.

“As with any security concern, many of these devices are overlooked. There might be security policies and software used to track and monitor iPads and Dell laptops, but what about the old HP printer used at the receptionist’s desk? In a hospital, it might be a patient monitoring device. In a more technical shop, it could be a new smartphone running an alternate operating system.”

The article offers advice around the following:

1. Ask tough questions when speaking to vendors

2. Make sure policies cover every possible gadget

3. Know what you’re dealing with

4. Perform regular security audits

5. Put fringe devices on their own network

Worth a read.

 

US House Unanimously Passes Email Warrant Bill


The US House has passed a bill to repeal a Reagan-era law allowing law enforcement to request copies of emails and data older than 180 days. The 1986 email privacy law was written to establish electronic documents older than six months as abandoned. This allowed the government to consider the data ‘garbage’ and request copies of it from service providers without a warrant.

This new bill, H.R.699, “Amends the Electronic Communications Privacy Act of 1986 to prohibit a provider of remote computing service or electronic communication service to the public from knowingly divulging to a governmental entity the contents of any communication that is in electronic storage or otherwise maintained by the provider, subject to exceptions.” (https://www.congress.gov/bill/114th-congress/house-bill/699) emphasis ours.

This new bill requires government officials to obtain a warrant from a court before service providers, whether they are your ISP or a cloud-based service, hand over your emails, regardless of the age of the email. In addition, after receiving a copy of these communications, law enforcement agencies have 10 days in which to notify the service’s customer that their emails were requested, with three days for government entities.

Of note: the bill does not cover the National Security Letters, used by federal agencies to investigate potential terrorist activities. This avenue of investigation will still be available to help combat terrorism with oversight only provided by the FISA Court.

For the moment, the passing of the bill does not mean too much. While the House passed the bill, it will still need to be approved by the Senate before being signed into law by the standing president. Given the nature of politics, it is unlikely that Obama will be in office to sign the bill, pending its passing by the Senate.

Privacy rights and issues have been a growing concern for the public. While the debate has not exactly reached the presidential debates, it is certainly a hot topic that will need to be confronted by the next President.

Jeremiah Jackson

FBI Pays $1 million to ??? to Crack iPhone


The Washington Post reported today that the FBI paid a one-time fee of $1 million to hackers to crack the San Bernardino shooter’s phone. The article goes on to say that authorities have not revealed the identity of the hackers.

Hunh. According to a Los Angeles Times story previously mentioned on this blog, Israeli firm Cellebrite is credited with cracking the now infamous phone.

Still, Israeli firm Cellebrite is said to have attempted and succeeded at defeating the device’s security measures.

The company, whose technology is heavily used by law enforcement agencies worldwide to extract and analyze data from phones, declined to comment. The FBI has said only that an “outside party” presented a new idea Sunday night that will take about two weeks to verify. Apple officials said they aren’t aware of the details.

In any case, $1 million to crack an old iPhone: good work if you can get it.

SANSFIRE 2016 — See ThreatSTOP in Action


SANSFIRE 2016 will be here in just 51 days according to the official site. This is SANS’s national event in Washington, DC, and it attracts one of the largest SANS audiences. Mark your calendars: June 11 – 18, 2016.

SANSFIRE 2016 “will showcase 47 cutting-edge courses for all experience levels, a variety of evening talks, and opportunities for serious discussions with the best leaders in the industry and your peers.”

ThreatSTOP will be demonstrating new product capabilities including new threat data, reporting upgrades and how the ThreatSTOP Shield Platform works with leading next-gen firewalls and cloud environments.

We will also be hosting a cocktail reception with Johannes Ullrich, the Director of Research for the SANS Institute. Stay tuned for details.

Other SANSFIRE highlights courtesy of the show guide:

  • Brad Duncan, who provides updates for the Internet Storm Center whenever an exploit kit changes, will talk about some of his latest tricks.
  • Sometimes you are a bit too late and cannot prevent an infection. Kevin Liston deals with this for a living, and during his evening talk, Managing Large-Scale Incident Response, he will teach you how to manage a large-scale incident response.
  • NetWars: you can participate in either the CORE or DFIR NetWars Tournament at SANSFIRE 2016 for FREE!

Complete event guide here.

Senate Floats Encryption Bill (Ack)


Just as WhatsApp began offering end-to-end encryption for its one billion plus users that effectively prevents anyone, including law enforcement, from reading users’ messages, members of the Senate floated the first draft of a bill aptly named “Compliance with Court Orders Act of 2016.” The bill seeks to require compliance with court orders for data.

Most news coverage has cited information related to the draft bill as “leaks”—it was not introduced with much fanfare. The bill itself was reportedly posted on scribd.com by Kara Swisher of Re/code fame.

The document starts off by declaring that “It is the sense of Congress that no person or entity is above the law.” And it goes downhill from there.

The bill would force all providers of communications services and products to “provide such information or data to such government in an intelligible format; or provide such technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order.”

As for compensation, “a covered entity that receives a court order…and furnishes technical assistance…shall be compensated for such costs as are reasonably necessary and which have been directly incurred in providing such technical assistance or such data in an intelligible format.”

The document is a draft and likely to change on its journey.

Re/code’s report declares “new encryption bill isn’t finished and Silicon Valley already hates it.”

Stay tuned. It is going to be a bumpy ride.

Los Angeles Times: Why Hackers Are Not Lining Up to Help the FBI


In all of the debate around the Apple vs FBI tussle, many have wondered why someone has not simply stepped up and hacked the phone already.

Today, the Los Angeles Times published an article outlining why hackers are not publicly stepping up to help the FBI.

A few interesting thoughts from the article:

  1. Much of the security industry’s frustration with the FBI stems from the agency’s insistence that Apple compromise its own security.
  2. Going to the FBI before going to the company (in this case Apple) would violate standard practice in the hacking community.
  3. An iPhone 5c vulnerability isn’t considered a hot commodity in the minds of many hackers, who seek to one-up each other by attacking newer, more widely used products.

The article is worth a read.
