As reported on Threat Post,

The evolution of attacks and malware targeting mobile devices is paralleling the history of attacks on PCs, but the attackers are moving at a much faster pace than the rate at which they developed new tactics for compromising desktop machines. The innovation that’s occurring in mobile attacks is outpacing the state of the art in mobile defenses by a wide margin right now, and much of that can be laid at the feet of the smartphone platform developers–Apple, Google, RIM, et al.–who are making precisely the same mistake that PC software vendors made decades ago: racing to jam more features into the platform and paying little attention to security.

Volume 1:
Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements

Volume 2:
Privacy and the Smart Grid

Volume 3:
Supportive Analyses and References

The security guidelines are intended to outline the security plan for the nation’s next-generation Smart Grid, a two-way system using intelligent networking to control the flow of electricity between power plants and end users. The security requirements and architecture will address not only deliberate attacks, but errors, failures, and natural disasters that also could destabilize the grid.

There are a lot of smartphones coming online, that’s for sure. But they account for only a small fraction of the IP-addressable devices that industry analysts say will flood onto the Internet over the next few years. Indeed, the total number of IP addressable, non-PC devices is exploding across all sectors — from datacom to appliances to smart grid. And the vast majority of these devices are sold, and fielded, with essentially no security measures board.

Smartphone security is important, and I’m glad that its finally getting the attention it deserves. But point-solutions designed for one platform won’t scale across these other (more populous) device classes. And that scalability is exactly what manufacturers desperately need, when many of them — like Sony or Panasonic — make and sell devices on literally every facet of this iceberg. Sooner or later, the security approach needs to be unified and holistic – otherwise we’re going to run out of fingers to stick in our leaky dams.

As an industry, we have reached a critical point: it is time to decide how we secure the future. It is crucial that we not make the same mistakes we made when developing PC security 15 years ago. Smart device security needs to become more platform agnostic, scalable and extensible.

Download Mocana’s Smart Device Iceberg in PDF or JPEG format.

Welcome to the future of your electrical home: It has lots of “smart” stuff, from meters that measure your consumption to appliances that know how to save you money…. It all connects to a “smart grid” that controls electrical flow so the brownouts experienced by California last decade don’t happen again and the electrical grid can take advantage of new, greener energy generators like solar and wind. All this technology will use cutting-edge security to prevent hacking the grid and protect your privacy. [...]

Digital electricity takes many forms. It could be a dedicated energy “dashboard” on your kitchen table, or it could be an application on an iPad, laptop, or TV. With the right apps, you’ll know how to cut the stand-by power on your electronics, how much your solar panels produce, or how much juice your electric car needs to get to work.

Some of the products highlighted include:

• electricity management solutions from GE
• web-based electricity monitoring from Google
• Linux-based “home energy” controllers from Cisco
• smart appliances and lighting systems from GE

In the report, we find that many businesses and organizations are well aware of — and already dealing with — the increasing security threats facing the mobile and smart device ecosystem. In fact, 71% of our security survey respondents expect a serious incident arising from attacks on, or problems with, connected smart devices within the next 24 months. Additionally, 65% reported that attacks against their smart devices already require the regular attention of their IT staff, or will start requiring it this year.

However, despite this level of awareness, results show that relatively few organizations are prepared for today’s device security problems and those that lie ahead.

For more details, download Mocana’s FREE Mobile & Smart Device Security Report here.

As described by Larry Walsh recently on Secure Channel, security is moving from a “point solution” and becoming an “embedded feature.” What was once the main focus of giants like Cisco is now playing second fiddle to other developments. The result is that many companies now “sell a portfolio of products and services [that] are increasingly minimizing core security in favor of the assumed security.”

In his article, Walsh cautions about the dangers of this development if awareness isn’t high:

Embedded security shouldn’t be assumed security. Vendors and solution providers need to articulate the intent and limitations of embedded security features. Many of the embedded security measures are designed with the assumption that there will be complementary network-level security protections bearing the brunt of the security workload. Without that level of awareness, some end users–particularly smaller companies—-might incorrectly assume that they can avoid spending money on point products.

As recently reported on Ars Technica:

The wireless sensors…can be used to track vehicles or feed bad data to the electronic control units (ECU), causing them to malfunction. [...]

The tire pressure monitors are notable because they’re wireless, allowing attacks to be made from adjacent vehicles. The researchers used equipment costing $1,500, including radio sensors and special software, to eavesdrop on, and interfere with, two different tire pressure monitoring systems.

The pressure sensors contain unique IDs, so merely eavesdropping enabled the researchers to identify and track vehicles remotely. Beyond this, they could alter and forge the readings to cause warning lights on the dashboard to turn on, or even crash the ECU completely.

Intel raised eyebrows today by announcing that they intend to purchase PC-security giant McAfee in a $7.68B deal, paying a 60% premium over McAfee’s 8/18 closing price. What’s really interesting, though, is that ’securing a device-dominated Internet’ was used as the key rationalization for the deal.

Intel President and Chief Executive Paul Otellini said, “In the past, energy-efficient performance and connectivity have defined computing requirements. Looking forward, security will join those as a third pillar of what people demand from all computing experiences.”

David DeWalt, McAfee’s CEO said, “The current cybersecurity model isn’t extensible across the proliferating spectrum of devices — providing protection to a heterogeneous world of connected devices requires a fundamentally new approach to security. Frankly, the industry needed a paradigm shift — incremental improvements simply couldn’t bridge the opportunity gap.”

Renee James, Intel’s Software and Services Chief said, “As we look at the businesses we’re in, we see that security is the No. 1 purchase consideration. We believe that we can enhance security with hardware and come up with a better solution.”

They’re all right. Device security is becoming a requirement, not an option. But smart device security is a highly specialized space and it requires a clean slate approach. The newly combined companies will need to substantially beef-up their credentials in this area. At Mocana, we believe that the security model for a device-dominated Internet needs to be fundamentally different from the networked-PC paradigm familiar to Intel and McAfee. It requires an entirely new architectural and philosophical approach to security. Today’s best-in-class approaches to securing smartphones and other smart devices simply aren’t architected to deal with emerging attack vectors.

The right approach is a ‘Smart Device Security Platform’ that is device independent, utilizing a “universal security client” that takes advantage of security features in silicon, and is serviced from the cloud with context-intelligent security services and apps. This is the approach being pursued by Mocana. It’s an approach that works for smartphones, but also for medical devices, industrial automation, military equipment, consumer electronics, appliances, cars and any other smart device, too. A common way to protect and secure networked smart devices is what device manufactures, carriers, governments, enterprises and consumers want and need.

At the end of the day, this deal is $7 billion dollar validation of Mocana’s category: Smart Device Security. We welcome Intel and McAfee’s energy and innovation and look forward to working with them and the rest of the industry to secure what’s next. In the meantime, if you’re curious about how people really feel about the security of their devices, we encourage you to download our FREE report (just published!) the 2010 Mobile & Smart Device Security Report (PDF).

What’s your take on the deal — and Smart Devices?
Leave us your comments!

Warmly,

Adrian Turner
CEO
Mocana

This figure is included in ABI’s latest report, which provides a variety of information on the changing landscape of mobile web browsing.

The iPhone Password Breaker is not the first attempt by developers to release software that compromises iPhone security; however it is the first that does so without any jailbreaking or other changes to the phone’s embedded OS or firmware.

According to The Register, Elcomsoft legitimately markets this tool as a utility for forensic investigators and positions itself as a partner to global law enforcement. There is likely some question as to whether Elcomsoft will sell its products exclusively to these parties, but a free trial version is currently available for public download at their web site.

As reported in SC Magazine, one of the vulnerabilities allows hackers to leverage the RTOS’s embedded debugging services to take (unauthorized) control of the device.

VxWorks has a service enabled by default that provides read or write access to a device’s memory and allows functions to be called…. The vulnerable service, called WDB agent, is a “debugger” for the VxWorks operating system that is used to diagnose problems and ensure code is working properly when a product is being developed. [...]

These two bugs are “just the tip of the iceberg,” Moore wrote in a blog post on Monday, August 2nd.

The WDB debugger is enabled by default, and Wind River’s marketing team touted it as the feature that facilitated the remote debugging and patching that repeatedly saved NASA’s Mars Rovers. Industry watchers surmise that partly because of this, a lot of companies made the decision to keep the WDB agent enabled in shipped devices, order to allow for remote fixing devices in the field.  Unfortunately, the exposed WDB agent also makes it a lot easier for anyone with network access to hijack control of a device, remotely.

Electricity and gas supplies might be disrupted on a massive scale by failures of smart meters, whether as a result of cyber-attack or simply from software errors. The introduction of hundreds of millions of these meters in North America and Europe over the next ten years, each containing a remotely commanded off switch, remote software upgrade and complex functionality, could create a critical vulnerability.

In their report (view PDF here), two Cambridge researchers delve deeply into issues of smart meter security in light of the remote “off switch.” A number of hypothetical possibilities are introduced as to what smart grid terrorism might look like, who might be responsible, and what measures might be taken now to prevent it.

This is the focus of a ten-part piece from business journal McKinsey Quarterly — what trends of technology will be embraced by business leaders to ensure growth in their companies, and what do these new developments mean to the structure of their organizations?

The rapidly shifting technology environment raises serious questions for executives about how to help their companies capitalize on the transformation under way. Exploiting these trends typically doesn’t fall to any one executive—and as change accelerates, the odds of missing a beat rise significantly.

Of praticular interest to those in the embedded device field, the McKinsey report notes that the Internet of Things, Cloud Computing and the Smart Grid are all tech segments to be embraced by smart business leaders in the 21st century.

Enter Barnaby Jack, Director of Research at IOActive labs who has in previous years been prevented from unveiling a custom-designed rootkit aimed at getting ATMs to release their cash payload due to complaints from ATM manufacturers. Finally at this year’s conference, Jack was able to execute this feat on not one but TWO ATMs installed especially for Jack’s demonstration, a first for the hacking community. Jack’s method takes cash from the machine without access to any customer’s account. These YouTube videos, taken from the audience perspective, show Jack’s handiwork in progress.

The Internet of Things represents a vision in which the Internet extends into the real world embracing everyday objects. Physical items are no longer disconnected from the virtual world, but can be controlled remotely and can act as physical access points to Internet services. An Internet of Things makes computing truly ubiquitous.

The paper is a must-read for anyone who wants a comprehensive look at the history of the Internet of Things, as well as the technological hurdles it will face. Current examples of “smart object” technology are also cited as well as the many implications for the economy and individuals of this “immense technical and social challenge.”

Newly released testimony from Michael Williams, chief electronics technician aboard Deepwater Horizon, the rig whose explosion caused the BP spill, indicates that security systems aboard the rig had been routinely bypassed to avoid false-alarm warnings. Additionally, computer systems that monitored and controlled drilling had been locking up for months before the accident, in what the crew called “blue-screen of death” outages.

Security expert Joe Weiss has been monitoring the situation closely, and has pointed out that security outages such as these have played a large role in a number of recent industrial, transit and utility-related accidents. More details on his findings can be found at his blog.

Usually designed to blend in with existing card readers, skimmers are installed by thieves at gas pumps and ATMs as a way to simultaneously steal and transmit card numbers as well as a video of customers’ PIN numbers being entered.

We previously posted about an identity theft ring busted in Los Angeles that used gas pump card skimmers to steal over 10,000 card numbers.

It just requires the user to visit a web address using Safari. The web site can automatically load a simple PDF document, which contains a font that hides a special program. When your iOS device tries to display the PDF file, that font causes something called stack overflow, a technical condition that allows the secret ninja code inside the font to gain complete control of your device.

The result is that, without any user intervention whatsoever, that program can do whatever it wants inside your iPhone, iPod touch or iPad. Anything you can imagine: Delete files, transmit files, install programs running on the background that can monitor your actions… anything can be done.

Until an official fix is issued, experts warn against directly visiting PDF links and opening PDF files from unknown sources.

According to the New York Times, encrypted data can be sent abroad from the devices, where it cannot be monitored for illegal activity. While authorities claim this can be exploited by terrorists, the UAE government is known to monitor communications for activism and to censor anti-Islamic sentiment.

The ban will present a particular problem for the city of Dubai, which has in recent years attempted to position itself as a destination for business and tourism. Hundreds of thousands of professionals in the area would be without the use of BlackBerry devices that have become embraced by the business community at large.

Although Citigroup was quick to recommend an update to their software that would fix the vulnerability, the episode underscores a growing concern over security in mobile devices, especially as more users continue to use smartphones for access to their bank accounts and other sensitive information. Although the iPhone has been considered a safe environment for user information due to its strict control of licensed applications, the vulnerability in Citigroup’s app is a reminder that security flaws will occur within any system over time.

According to Business Week,

The worm spreads via USB sticks, CDs or networked file-sharing computers, taking advantage of a new and currently unpatched flaw in Microsoft’s Windows operating system. But unless it finds the Siemens WinCC [industrial management] software on the computer, it simply copies itself wherever it can and goes silent.

Because SCADA systems are part of the critical infrastructure, security experts have worried that they may someday be subject to a devastating attack, but in this case the point of the worm appears to be information theft.

If Stuxnet does discover a Siemens SCADA system, it immediately uses the default password to start looking for project files, which it then tries to copy to an external website….

“Whoever wrote the code really knew Siemens products,” said Eric Byres, chief technology officer with SCADA security consulting firm Byres Security. “This is not an amateur.”

By stealing a plant’s SCADA secrets, counterfeiters could learn the manufacturing tricks needed to build a company’s products….

Equally troubling is that Stuxnet uses seemingly valid digital signatures–belonging to the Taiwanese chipmaker Realtek–in its code. It is unknown at this time how the authors of the virus obtained these digital signatures, which allow it to get past security requirements within Windows.

Since the discovery of Stuxnet, Siemens has urged its customers not to change their passwords, as to avoid problematic disruptions in large-scale industrial systems. They have since, along with security vendors, provided customers solutions for blocking and eliminating the Stuxnet code.

“The sleight of hand discovered by Heffner involves establishing an attack site which runs malicious script that means a visitor’s own IP address is presented as one of the site’s alternative IP addresses, thereby granting a trusted status to a malign site. Modern browsers are designed to block earlier types of such attacks but not with this particular scenario, for reasons Heffner is due to explain at Black Hat.”

Present in a variety of router models by companies such as Linksys, Belkin and Dell, the flaw is a vulnerability to a classic hacking technique called DNS rebinding, in which hackers use malicious code to “trick” a device into controlling it. While Heffner’s discussion will hopefully include preventative measures for the manufacturers of these routers, there is currently a list of vulnerable kits and sensible workarounds to address this flaw at Notebooks.com.

Apple ranks first, ahead of runner-up Oracle, and Microsoft in the number of security bugs found in all their products in 1H 2010. During the first six months of 2010, Secunia logged 380 vulnerabilities within the top-50 most prevalent packages on typical end-user PCs, or 89 per cent of the figure for the entire year of 2009.

This is the first time since 2005 that Apple has topped the list of vendors in Secunia’s yearly security vulnerability report. According to Secunia, the rising number of total vulnerabilities can be partially attributed to the wide variety of mechanisms required to keep software updates current. Additionally, more risks were found in systems with a higher number of third-party applications installed.

Good Technology–whose solutions can be found in some of the most sensitive government and business settings–needed a portable, universal crypto solution and the proven expertise of a smart device security leader. They chose Mocana. NanoCrypto is Mocana’s super-fast, super-small, government-certified cryptographic engine, purpose-built for the entire ecosystem of smart devices, of which smartphones are just one category.

Click here to view the full press release.

“TubeSat is different because it lets and hobbyist engineers and astronomers build the satellite themselves. Each TubeSat kit includes the satellite’s structural components, a printed circuit board, Gerber files (essentially blueprints), electronic components, solar cells, batteries, transceiver, antennas, microcomputer and some programming tools.”

Once TubeSat has been assembled, it is returned to Interorbital and scheduled for flight into space, with the first launch currently scheduled for Winter 2010. It’s yet to be seen whether the do-it-yourself kits will hold up during the rigorous launch, but for their money customers are offered a second chance for free should the first attempt fail.

“It is envisioned that the SGIC portal will be the essential gateway that connects the smart grid community to the relevant sources of information that are currently scattered and distributed on the worldwide web. The portal will also direct its users to other pertinent sources or databases for additional data, case studies, etc. It will serve as a decision support tool for both state and federal regulators in their deliberations for rule-making and evaluating the impact of their investments in the smart grid technologies and software.”

This site will likely prove to be an invaluable reference library for those involved in any aspect of the smart grid, with information available on a wide variety of subjects all aimed at providing awareness and furthering the development of the smart grid community.

Earlier this week, Google unveiled new device management features for its Google Apps suite aimed at the enforced use of data encryption and password security. Implemented for a variety of platforms such as Windows Mobile, iPhone, and Nokia Series E, the Apps will now wipe passwords after a series of failed attempts, mandate new passwords periodically and automatically trash old passwords. These changes will also reach Google’s own Android platform later this year.

Similarly, Research In Motion introduced an upgrade for its BlackBerry smartphones that targets enterprise use. Included in its 7th release of BlackBerry Enterprise Server Version 5.0.2 is the new Individual-Liable Devices Policy, which enables segregation of corporate and personal BlackBerry use. The new revision also enables remote wiping of corporate data.

As reported by Venturebeat, the new Droid phone contains “eFuse” technology designed to render itself inoperable, should the smartphone be user-modified.

[eFuse] runs when the phone boots up, and it checks to make sure that the phone’s firmware, kernel information, and bootloader are legit before it actually lets you use the device….If the eFuse failes [sic] to verify this information then the eFuse receives a command to “blow the fuse” or “trip the fuse”. This results in the booting process becoming corrupted and resulting in a permanent bricking of the Phone. This FailSafe is activated anytime the bootloader is tampered with or any of the above three parts of the phone has been tampered with.

Motorola insists that eFuse is a customer-focused security measure that helps to protect user data.

At Intel, Dr. [Joshua] Smith, working with the researcher Alanson Sample of the University of Washington, created an electronic “harvester” of ambient radio waves. It collects enough energy from a TV station broadcasting about 2.5 miles from the lab to run a temperature and humidity sensor.

The device collects enough power to produce about 50 microwatts of DC power, Dr. Smith said. That is enough for many sensing and computing jobs…. The power consumption of a typical solar-powered calculator, for example, is only about 5 microwatts…and that of a typical digital thermometer with a liquid crystal display is one microwatt.

Dr. Smith and his colleagues have built a second device, powered by radio waves, that collects signals from an outdoor weather station and transmits them to an indoor display. The unit can accumulate enough energy to send an updated temperature every five seconds.

Thanks to the virtually endless supply of radio waves in the air, these technologies could soon create wireless devices that can run continuously on an endless power supply — battery-free.

Ericsson reports that mobile broadband subscriptions are also growing at a rapid pace, and are expected to reach over 3 billion by 2015, a massive increase from the 360 million subscriptions active in 2009. Experts now believe that soon 80% of all people connecting to the internet will doing so from a mobile device.

The FBI website describes the phony phone call scheme:

During these TDOS attacks, online trading and other money management accounts are being accessed by the perpetrators who are transferring funds out of those accounts. The perpetrators will obtain account information of their victims in some way and then contact the financial institutions to change their victims’ profile information such as email addresses, telephone numbers and bank account numbers. The purpose of the malicious phone calls is to occupy the victim phone numbers on record with the financial institutions managing the accounts so that when the institutions contact the victim to verify the changes and transactions, the institution is unable to reach the victim. Consequently, the victim has no idea what has really transpired until it’s too late.

The calls, typically made in such a volume as to overwhelm the targeted line, can be identified as dead air (silence on the other end), an ‘innocuous recorded message’, advertisement or even a phony telephone sex menu. The FBI recommends anyone who suspects they may be the target of such an attack should contact their telephone service provider in addition to alerting their financial institutions.

Mocana’s NanoSSH and NanoSSL are embedded in ClearCube’s Remote Management Module (RMM) in the chassis, centralized in a remote datacenter, to secure all communication between the RMM and ClearCube’s Sentral management software suite. Sentral and the RMM provide a wide range of management functions for virtual machines, centralized PC blades, servers, chassis, and more. Mocana’s technology will help organizations leverage the power and flexibility of ClearCube’s Centralized and Virtualized solutions while securing the management channels.

NanoSSL is Mocana’s SSL/TLS solution designed to speed product development while providing best-in-class device security in resource-constrained environments like the thin clients used by ClearCube. NanoSSL is open-standards-based, extensible, platform-agnostic and includes an optional government-certified FIPS 140-2 level-1- validated crypto core. NanoSSL includes a full-featured key generator and certificate management client, and supports government Suite B crypto algorithms and the new RFC standard for TLS 1.2.

NanoSSH is Mocana’s SSH client/server solution with support for X509.v3 certificate-based authentication and comes with RADIUS client, specifically designed to speed product development while providing best-in-class device security services for resource-constrained environments. NanoSSH provides a holistic approach for securing networked devices and services, and is ideally suited for resource-constrained devices as well as high-traffic enterprise and federal environments where performance is critical. NanoSSH is open-standards-based, extensible, extremely small footprint, platform-agnostic and features an optional government-certified FIPS 140-2 level-1-validated crypto core.

Both NanoSSH and NanoSSL solutions are GPL-free, so developers can feel confident about the long-term integrity of their intellectual property. New developers can request a free trial of Mocana products at www.mocana.com. “ClearCube’s model is helping to lead the shift towards centralized and cloud computing, but with appropriate care taken for device security,” said Adrian Turner, CEO of Mocana. “The addition of heterogeneous client-side devices to this model adds another dimension to the security challenge. That’s why ClearCube is using Mocana, to make sure that today’s most flexible centralized computing architectures are safe for mission-critical users, like those in government. ”

“One of the key value propositions of our centralized and virtualized solutions is our ability to keep the management of the different components in the system simple and secure”, said Raj Mellacheruvu, Director of Engineering at ClearCube Technology. “With Mocana’s technology we are able to securely communicate with our remote management modules over the network.”

About Mocana

Mocana secures the “Internet of Things” – the 20 billion datacom, smartgrid, federal, consumer, industrial and medical devices that connect across every sector of our economy. These devices already outnumber PC’s on the Internet by five to one, representing a $900 billion market that’s growing twice as fast as the PC market. Every day, millions of people use products sold by over 100 companies that leverage Mocana’s Device Integrity software, including Dell, Cisco, Honeywell, General Electric, General Dynamics, Avaya, Harris and Radvision, among others. Mocana won Frost & Sullivan’s Technology Innovation of the Year award for 2008 for Device Security, and was named to the Red Herring Global 100 as one of the “top 100 privately-held technology companies in the world” in January 2009.

A new report from VisionMobile aims to demystify the current mobile development landscape, with a comprehensive study based on research conducted with over 400 developers for various platforms such as iPhone, Symbian, Android and Windows Mobile. According to the report,

Android stands out as the platform most popular among mobile developers. Survey results suggest nearly 60 percent of all mobile developers recently developed on Android, assuming an equal number of respondents with experience across each of eight major platforms. Second in terms of developer mindshare is iOS (iPhone), outranking Symbian and Java ME, which were in pole position in 2008.

In addition, the research document contains data regarding:

• the number of apps available for various platforms and in various markets
• the differences in the learning curves that developers face for different platforms
• the effect of app stores and advertising on sales and revenue

With this in mind, Datakey Electronics produces an anti-counterfeit memory token system that is not only rugged, but can survive repeated sessions of high temperature sterilization without failure, while retaining data. And according to Datakey,

[Using] removable memory for product authentication/anti-counterfeit…opens up a host of other capabilities, including: tracking (and limiting) the number of times an attachment has been used, automatically identifying the model of the attachment and uploading any model-specific parameters, uploading any calibration information that is unique/specific to that particular attachment, and recording settings and other usage data to ensure the device was used properly according to the manufacturer’s instructions.

In addition, the Receptacle on the base controller can be used for secondary uses, including: in-field firmware updates, medical personnel access control, rights management, and more!

But how to prepare for a war waged in the digital realm? And what are the stakes? As more and more of the world’s infrastructures are given access points on the web, the possibility of collateral damage inflicted by electronic attacks becomes increasingly real. Of particular concern is the security of the smart grid systems that will one day encompass our electrical networks. Opinions vary on the vulnerability of SCADA systems (networks that regulate industrial systems like power plants), however the consensus is that serious risks are present.

The future of cyber-warfare is uncertain, yet it will undoubtedly present myriad new challenges for peacekeepers such as NATO and governments themselves.

Perfect Citizen will use sensor-based surveillance tools to monitor computer networks, both private sector and government-operated, that connect the nation’s critical infrastructure systems–including the power grid, nuclear plants, air traffic control and others–in an effort to detect and prevent serious cyber attacks.

According to The Wall Street Journal,

Perfect Citizen will look at large, typically older computer control systems that were often designed without Internet connectivity or security in mind. Many of those systems—which run everything from subway systems to air-traffic control networks—have since been linked to the Internet, making them more efficient but also exposing them to cyber attack.

The goal is to close the “big, glaring holes” in the U.S.’s understanding of the nature of the cyber threat against its infrastructure, said one industry specialist familiar with the program….

The information gathered by Perfect Citizen could also have applications beyond the critical infrastructure sector…serving as a data bank that would also help companies and agencies who call upon NSA for help with investigations of cyber attacks, as Google did when it sustained a major attack late last year.

We recently posted about the 60 MINUTES investigation into critical infrastructure security that not only declared the U.S. unprepared for cyber attacks on the infrastructure, but described how it was already being hacked.

Among the suspects apprehended are several government officials, reportedly including a police officer, judge and a former member of Parliament. Other suspects include businessmen, doctors and engineers who used the spying software for a variety of purposes including the real-time monitoring of phone calls, retrieval of SMS text logs and even transforming the affected phone into a remote bugging device. While the FlexiSPY software suite was still being offered online as of this writing, it is unclear whether other countries will pursue measures against sellers of this questionable application.

A new report provides a concise explanation of how this security protocol functions. Download the full PDF here.

As we recently posted, smart grid security is becoming a booming industry unto itself, with billions of dollars to be spent in the coming years.

But even more concerning, Engadget reports that–while still unconfirmed–these rogue book apps were catapulted up the sales chart by fraudulent charges to unknowing iTunes customers for downloading the books — purchases these customers never authorized.

Since the initial report, Apple has confirmed the situation and has responded by removing the developer in question, and all of his apps, from the iTunes store. Apple has not commented, however, on any fraudulent credit card charges reportedly linked to this scenario.

The full PDF is available here.

Originating in the days of simplistic cell phones, these threats have evolved along with the devices themselves, and an independent security researcher recently traced their development in a post on the meedabyte blog.

In the article, security expert Cristofaro Mune cites online app stores–carrying thousands of smartphone applications from thousands of third-party developers–and the high-speed data capabilities of today’s 3G and Wi-Fi devices as two of the recent advancements that make today’s mobile phones increasingly vulnerable to viruses and malware.

It is estimated that 15 percent of total investments in the grid will be for cybersecurity, as governments develop security protocols to ward off the possibilities of sabotage. We’ve previously posted about the existing vulnerabilities in the millions of smart meters already in use across the United States and the concern among experts that, in a rush to take advantage of federal stimulus money, the 60 million smart meters being deployed in the U.S. this year alone could be critically under-secured.

The report also identifies five major areas in which smart grid security issues may arise: “transmission upgrades, substation automation, distribution automation, electric vehicle management systems, and advanced metering infrastructure.”

CNET News also reports:

…[S]ome of the apps were found to have the ability to do things like make calls and send text messages without requiring interaction from the mobile user. For instance, 5 percent of the apps can place calls to any number and 2 percent can allow an app to send unknown SMS messages to premium numbers that incur expensive charges, security firm SMobile Systems concluded in its Android market threat report. [...]

The report found that dozens of apps have the same type of access to sensitive information as known spyware does, including access to the content of e-mails and text messages, phone call information, and device location….

But CNET notes that these apps aren’t necessarily malicious or suspect. Additionally, Google has responded that Android users are specifically advised what access permissions they are granting an app when they install it, giving the user control over the visibility of their data. However, users are still being advised to be aware of the potential vulnerability of their personal data when installing any kind of app.

They are part of a new wave of smart implantable devices that is transforming the care of people with heart disease…. The hope is that the devices, now being tested in clinical trials, will save lives, reduce medical expenses and nudge heart patients toward managing their symptoms…. Patients, who often are frail or live far from their doctors, can be spared frequent office visits. Doctors can learn immediately if devices are malfunctioning or if patients’ hearts are starting to fail. [...]

The big leap forward came a few years ago when device companies figured out how to make transmitters that send data over a broader range, 20 or 30 feet. That meant that…[a patient] did not have to wait till her doctor could put a receiver directly on her chest. Instead, she simply went near a small box, which is attached to a phone jack near her bed. Once a week…that information is automatically transmitted to her doctor. If there are problems, the machine alerts her doctor.

According to one manufacturer’s study, heart patients with a heart device that transmitted information to their doctor spent less time admitted to the hospital than did those with traditional, non-communicating devices. And the hospital costs were also significantly less per admission for those patients with smart defibrillators.

We’ve previously posted a number of articles on medical device technology and the security concerns that come along with them.

While the proposed hardware and software regulations would be specific to home computers, the internet-connected mobile device market is increasingly threatened by the very same kinds of malware and crime that have plagued PCs for years. Similar requirements for devices could plausibly follow close behind.

Using Android software tools, Raytheon engineers built a basic application for military personnel that combines maps with a buddy list. Raytheon calls the entire framework the Raytheon Android Tactical System, or RATS for short. [...]

Every part of RATS is tailored for use on a battlefield. A soldier could make an unmanned plane a “buddy,” for instance, and track its progress on a map using his phone. He could then access streaming video from the plane, giving him a bird’s eye view of the area. Soldiers could also use the buddy list to trace the locations of other members of their squad.

According to an executive at Raytheon, the US Department of Defense, the Department of Homeland Security as well as law enforcement agencies could possibly adopt this technology as well.

We announced earlier this month that Mocana has earned the government’s first FIPS 140-2 level one validation for Android crypto software with NSA Suite B cryptography.

4G makes the situation more accelerated…. And what will really accelerate the growth of mobile malware and spyware will be the volume of traffic that people will be able to use. Data usage will increase and there are going to be more places that will get infected.

This is expected to become a serious concern for enterprise IT, as more executives use smartphones — and the various apps downloaded to these phones — to access corporate data in and out of the workplace. The Network World article describes a number of tactics integral to protecting enterprise security in the presence of mobile devices, including:

• remote wipe functionality on all mobile devices, (in the event that a device is lost or stolen)
• native application control capabilities allowing IT to specify which apps are and aren’t permitted on a company network-connected device

Network World also notes that anti-malware technology specifically designed for these high-powered mobile devices is still in its infancy.

CNET News

According to the CNET report, the vulnerabilities in today’s smart meters could allow for a number of malicious attacks, including the theft of private consumer data, the disruption of power to specific buildings, and even the targeted outage of entire utility grids. Many experts quoted in the article believe that US smart meter manufacturers and utility companies are treating security as an afterthought in order to quickly take advantage of Federal stimulus money.

There are about 250 active smart-metering projects worldwide, with about 49 million meters already installed and 800 million planned for installation…. Projects in the U.S. are being accelerated because of the $3.4 billion in stimulus funds set aside for smart-grid technologies. About 60 million smart meters will be deployed in the U.S. this year, covering about half of households…. Security appears to be a casualty of this haste….

“Since there is no federal mandate as to how much security to have in the meters, there aren’t the right motivation factors for security to be a major factor…It’s an afterthought.”

According to one expert, “Prominently missing are signed and encrypted firmware, secure (smart card) chips for key storage, unique cryptographic keys, and physical tamper protection.”

We’ve previously discussed the growing concern surrounding the security weaknesses in today’s smart grid technology. In addition, we recently reported on the 60 Minutes investigation into the malicious hacks that have already hit the nation’s critical infrastructures.

According to PC Authority:

The dashboard pulls in a wealth of information from both inside the house and externally. [...]

Key to this is ZigBee…[the] low-power wireless technology designed for home appliances. For our demo this took the form of a dummy dryer that reported its energy use back to the dashboard. This not only showed just how much of the monthly power bill was down to the dryer, but it also gave the option of running the dryer during off-peak energy periods. There was even a screen designed to help users upgrade to a more energy efficient model, pulling in product data with energy star ratings from other manufacturers.

PC Authority notes that the prototype will not likely enter production for the mass market but exists to demonstrate the coming possibilities in the area of energy management.

A recent article on The Register reports that a downloadable game for the Windows Mobile platform — 3D Anti-Terrorist Action — has been discovered to contain a Trojan that could potentially cost its victims a considerable amount of money. The infected version of the game, available from a number of Windows Mobile download sites, contains the “Terdial-A” Windows-CE Trojan, which makes expensive, international calls with the user’s phone. Victims are typically unaware of the malware until they receive the shocking mobile phone bill.

Internet security firm Sophos believes the infected game is the work of a Russian-speaking hacker who is likely attempting to access some of the money from the pricey calls.

A recent article on The Register describes the malware — pre-installed on the camera’s internal memory card — as an auto-run code intended to contaminate Windows PCs connected to the camera via USB.

It is estimated that approximately 1,700 of the cameras shipped with the virus which, as The Register notes, could have originated from an infected PC at the manufacturing or testing facility.

Although investigations are still ongoing, the ambulance manufacturer believes that it was an error in the embedded software that controls the built-in oxygen system that ultimately caused the unexpected failure. Pending further investigation, the fire department has placed portable oxygen systems in all the ambulances.

60 Minutes correspondent Steve Kroft spoke with retired Admiral Mike McConnell who, as former chief of national intelligence,  oversaw the National Security Agency, the Defense Intelligence Agency, and the Central Intelligence Agency.

“If I were an attacker and I wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer, I probably would sack electric power on the U.S. East Cost, maybe the West Coast, and attempt to cause a cascading effect. All of those things are in the art of the possible from a sophisticated attacker,” McConnell explained.

“Do you believe our adversaries have the capability of bringing down a power grid?” Kroft asked.

“I do,” McConnell replied.

Asked if the U.S. is prepared for such an attack, McConnell told Kroft, “No. The United States is not prepared for such an attack.”

In addition to the potential for an attack on the utilities infrastructure, the report also discusses in-depth the current vulnerabilities of the banking and financial system, as well as military and defense computer networks, all of which are reported to be unprepared for or under-secured against the threats of hackers and international cyber attacks.

With this increasing use of wireless and CPU-controlled technology in cars, The Sydney Morning Herald recently published a comprehensive look at growing concern that today’s–and tomorrow’s–automobiles are becoming increasingly vulnerable to hackers.

The big problem for car makers…will be those who open up their vehicles to add-on software applications, or “apps”….

In much the same way as we add software to a mobile phone today, some car makers envisage a future where owners can add functionality to their car via an internet connection. [...]

Ford has recently asked its US customers to nominate applications they would like to see in the connected car of the future, a move that suggests makers are getting serious about rolling them into vehicles.

Ford is developing apps for products such as the iPhone, so the car’s infotainment system can, say, recognise when a friend posts a comment on Twitter and then read you what was posted….

However, download from the wrong, untrustworthy source and – just like a computer – you could get more than you’ve bargained for.

The article also describes a number of new network-connected features in automobiles from Audi, Mercedes-Benz, Volvo and Toyota.

The breach was discovered by security research group Goatse Security, who successfully captured approximately 114,000 iPad owner email addresses and their corresponding ICC-IDs.

According to Gawker,

Goatse Security obtained its data through a script on AT&T’s website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad “Settings” application.

To make AT&T’s servers respond, the security group merely had to send an iPad-style “User agent” header in their Web request. Such headers identify users’ browser types to websites.

The group wrote a PHP script to automate the harvesting of data.

Even more shocking is the list of compromised iPad owners. Gawker reports that among the victims of the breach are:

• multiple devices registered to DARPA (US Dept. of Defense)
• House of Representatives, US Senate, Dept. of Homeland Security, FCC and NASA staff members
• a US Air Force Commander
• Diane Sawyer of ABC News
• New York City Mayor Michael Bloomberg
• New York Times CEO Janet Robinson
• high-level executives at Dow Jones, HBO, Viacom, and Time Warner
• White House Chief of Staff Rahm Emanuel

The security researchers who discovered the breach notified AT&T (who has since publicly confirmed the vulnerability) and the issue has been corrected.

“Mobile phones are a huge source of vulnerability,” said Gordon Snow, assistant director of the Federal Bureau of Investigation’s Cyber Division. “We are definitely seeing an increase in criminal activity.”

The FBI’s Cyber Division recently began working on a number of cases based on tips about malicious programs in app stores, Mr. Snow said. The cases involve apps designed to compromise banking on cellphones, as well as mobile “malware” used for espionage by foreign nations, said a person familiar with the matter. To protect its own operations, the FBI bars its employees from downloading apps on FBI-issued smartphones.

The article points out that while some believe Google’s Android Market to be less secure than other mobile app stores, (due to its apparently less strenuous vetting process for new apps), even apps from Apple’s iPhone App Store could pose potentially harmful security threats to users.

The Register has posted a portion of IBM’s apology note, which was sent to participants of the conference.

At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth. Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected.

Recipients of the malware-infected USB drives were asked to refrain from using them and to return them via mail to IBM for disposal.

According to a press release from The University of Bristol,

Our scheme allows for computations to be performed on encrypted data, so it may eventually allow for the creation of systems in which you can store data remotely in a secure manner and still be able to access it.

Professor Smart’s milestone development could prove practical for a number of applications such as maintaining the data in encrypted medical records, electronic auctions and voting systems.

We’ve entered this really problematic situation where we have insecure infrastructure everywhere, communications being broadcast in the air around us, and anyone with a bit of radio equipment can reach out and intercept communications…. Individuals need to start taking steps to protect their privacy and the confidence of their communications.

According to the article, the number of wiretaps made legally has “exploded” since the passage of the Communications Assistance for Law Enforcement act of 1994, which required developers to include backdoors for law enforcement in their products.

Marlinspike plans to submit his apps to Apple for use on the tightly-controlled iPhone as well, though the company’s strict review process may present a challenge.

As reported on The New York Times,

The new tablets will offer a bevy of high-tech parts, including a full high-definition video encoder and 3-D graphics chip, which will enable them to interact with software like Adobe Flash. In addition, the tablet will have a built-in video and still camera, a multitouch display and a soft keyboard similar to that of the Apple iPad. [Project founder Nicholas Negroponte] said the new keyboard would also have haptic feedback so users will feel the keys vibrate on the screen as they type.

The new model tablets will emphasize open source technology, while they could ship initially with Android, Windows Mobile or Ubuntu operating systems. One of Marvell’s founders, Weili Dai, has stated her company’s intent to show the first version of the tablet at January’s Consumer Electronics show in Las Vegas.

As recently reported in InformationWeek, protecting medical devices from cyber threats has become one of the department’s “critical challenges,” according to assistant secretary for information and technology Robert Baker.

The major challenge with securing medical devices is that, because their operation must be certified, the application of operating system patches and malware protection updates is tightly restricted…. This inherent vulnerability can increase the potential for cyber attacks on the VA trusted network by creating risk to patient safety.

The VA states that not only do these security compromises have the potential to diminish the quality of patient care, but that the process of cleansing malware-infected devices has proven extremely costly. Over 122 VA medical devices have been infected with malware during the last 14 months and these attacks have occurred despite extensive preventative measures implemented last year. The department of Veteran Affairs is currently working to ensure that their more than 50,000 medical devices are equipped with isolation architecture by the end of 2010.

Official FIPS 140-2 Validation for Mocana NanoCrypto Android Should Make it Easier for Military, Government and Contractors to Specify Android Devices

San Francisco, CA (PRWEB) June 2, 2010 — Mocana Corporation, a company that focuses on securing non-PC connected devices, today announced that it has earned the government’s first FIPS 140-2 level one validation for a binary cryptographic module with Suite B cryptography running on the Android™ platform.

Mocana was in the news last week after receiving a significant strategic investment from Symantec. The resulting technology partnership will help Symantec expand its offerings from the PC into the faster-growing “smart device” market.

The 140-2 FIPS (Federal Information Processing Standards) are used to accredit the cryptographic “engines” that drive secure software or hardware implementations, and most federal agencies and contractors working on sensitive government projects are prohibited from buying products containing security software that is not officially FIPS-validated. Up until now, FIPS-validated security hasn’t been commercially available for Android devices. Today’s announcement clears an important obstacle to the more widespread use of these devices in the federal government.

NIST, the National Institute of Standards and Technology, wrote the FIPS 140 Publication Series to standardize federal cryptography requirements. Most federal agencies and departments require that any computer security implementations contain only FIPS-certified cryptographic modules. The FIPS 140-2 program tests security software and hardware approved for government “sensitive, but un-classified” information. The application and testing process is rigorous and non-trivial, but for companies selling security products to the federal government, their contractors or allies overseas, formal FIPS validations are a prerequisite to eligibility for government contracts.

Mocana applied for and received FIPS 140-2 Level 1 validation for its NanoCrypto Android product compiled for Linux on ARM-based CPUs; the FIPS-validated NanoCrypto binary will run on all current Android phones and devices. NanoCrypto is a sophisticated cryptographic engine designed for device developers. It’s purpose-built for non-PC devices and resource-constrained embedded systems. It is one of the smallest, fastest and most comprehensive cryptographic cores on the market, in addition to being one of the most popular: the cryptographic engine that drives NanoCrypto is already installed on millions of devices from hundreds of device OEMs worldwide, on everything from networked medical devices to unmanned military drones (“UAVs”). With built-in support for over 30 operating systems, NanoCrypto enables device OEMs and ISVs to add sophisticated cryptographic security features to almost any type of device or application.

“This makes it easier for developers to start building cost-effective, security-oriented commercial Android apps for use in federal and military settings,” said Adrian Turner, CEO of Mocana. “Many government buyers couldn’t purchase Android phones ‘off the shelf’, because FIPS 140-2 validated solutions weren’t available. Now this incredibly popular platform is a more viable, cost-effective option for sensitive federal and military applications that need strong cryptography.”

FIPS certification should make it easier for Android to penetrate the medical market, too – another device ecosystem where security is key. Specifying FIPS 140-2 validated encryption software in purchasing contracts is an easy, “best practices” way for hospitals and health networks to take a high assurance approach to data confidentiality and integrity protection, especially as it relates to the security and privacy of patient records. Mocana’s CEO, Adrian Turner, was interviewed recently by Maria Bartiromo on CNBC regarding the state of medical device security, and interested parties can view that video at http://www.mocana.com/video-cnbc-040110.html.

NanoCrypto, like every Mocana product, is available as a FIPS-validated binary for specific platforms or as platform-independent ANSI C source code. Designed exclusively for developers; NanoCrypto is not a “finished app” or utility for end-users. Developers can request a free trial of the NanoCrypto product at http://mocana.com/nanocrypto.html

About Mocana
Mocana secures the “Internet of Things” – the 20 billion datacom, smartgrid, federal, consumer, industrial and medical devices that connect across every sector of our economy. These devices already outnumber PC’s on the Internet by five to one, representing a $900 billion market that’s growing twice as fast as the PC market. Every day, millions of people use products sold by over 100 companies that leverage Mocana’s Device Integrity software, including Dell, Cisco, Honeywell, General Electric, General Dynamics, Avaya, Nortel Networks, Harris and Radvision, among others. Mocana won Frost & Sullivan’s Technology Innovation of the Year award for 2008 for Device Security, and was named to the Red Herring Global 100 as one of the “top 100 privately-held technology companies in the world” in January 2009.

A new report from technology research firm ABI Research estimates that in 2013 nearly half (46%) of flat panel TVs will be sold with built-in internet capability, and the report anticipates the unique challenges and opportunities created by this development. For example, due to the tight relationship between hardware and software in TVs, applications will have to be developed uniquely for each manufacturer.

However, despite the hurdles in programming, the analysts at ABI expect the growing popularity of internet-connected TVs to create a new array of opportunities for advertising and cross marketing in addition to new roles for manufacturers.

Fastcompany reports that Ford has followed the unveiling of Sync with a contest for University of Michigan engineering students to show what cloud-based computing can do for cars. The first prize was claimed by Caravan Track, whose designers intended to create a social networking app for communication between multiple vehicles on a road trip.

Most of the entries displayed a similar tendency toward social networking and GPS, such as The GreenRide Challenge, which helps users to organize carpools and accrue points for a future reward system. The winning app was displayed at this year’s Bay Area Maker’s Faire.

According to HP CEO Mark Hurd, “We expect to leverage WebOS into a variety of form factors, including slate computers and web-connected printers.”

As recently reported at InformationWeek, industry analysts–expecting HP to use WebOS primarily within the mobile device market–were not expecting printers to become the next device category for WebOS development.

Over the next year and a half, Porras and a crack team of top-level analysts from across the industry dubbed themselves the “Conficker Cabal”, and have relentlessly pursued the containment of the “Conficker” worm virus as well as its dubious origins. As of now, these cyber-sleuths have been engaged in a high tech game of chess with the worm’s creators and remain baffled as to its source, or even its intended purpose. What they do know is that an estimated 6.5 million infected PCs lie in wait to the worm’s command, their owners none the wiser.

The thrilling saga of the Conficker Worm is detailed at length in a new article in The Atlantic, and is astounding not only because it borders on espionage, but also because the virus’ mystery remains unsolved.

More on today’s announcement:

• The Wall Street Journal
• Mocana press release
• VentureBeat

As reported on The Register,

The networking giant on Wednesday urged users of the Cisco Network Building Mediator products to patch the vulnerabilities, which among other things allow adversaries to obtain administrative passwords. No authentication is required to read the system configuration files, making it possible for outsiders to take control of a building’s most critical control systems.

“Successful exploitation of any of these vulnerabilities could result in a malicious user taking complete control over an affected device,” a Cisco advisory stated.

A recent article on Embedded.com addresses the technical requirements for optimal antenna performance in medical device design through four parameters: Gain Ratio, Return Loss, Efficiency and Operating Bandwidth. Because implanted transmission occurs in an environment of skin, fat, blood, muscle and bone, the potential for data loss and detuning is higher than in radiation from open air sources.

Through specialized geometry and material selection, there can be seen a great difference in antenna efficiency. As an example, the implantable patch antenna is shown to achieve optimization of geometric design, superior in transmission to a loop antenna design wherein most of the radiated power becomes dissipated within the body. Through successful antenna design, the practical power of implantable devices is increased as greater communication power is realized.

“What we have learned from decades of rapid development of information technology is that the key is relentless focus on ‘better, faster, cheaper’ — in everything,” Mr. Grove said in a statement. “The best results are achieved through the cooperative efforts of different disciplines, all aimed at the same objective.”

As reported by The New York Times, this type of interdisciplinary approach to the growing field of “translational medicine” is gaining steam, viewed by many as yielding greater results than traditional research and development within big pharmaceutical companies.

“The adoption of the iPhone and other mobile devices in the healthcare industry is just the latest example of how technology is creating greater transparency and an improved experience for consumers when dealing with service providers of all kinds. As a result, we see this as a natural use of ENOVIA V6’s data management and federation capabilities,” says Michel Tellier, CEO, ENOVIA, Dassault Systèmes.

As reported at Product Design & Development, the convenience of secure medical record access on mobile devices like the iPhone will ensure a more consistent patient experience with multiple providers, as well as freeing up 30-50 percent of doctor’s time spent entering patient data.

Check out this footage from the 5th annual Hexagon Robotic Dance Championship!

However, as an article in eWEEK Europe reports, HP may be shipping to meet that demand at the expense of security. At the company’s Executive Energy Conference in Dubai, HP’s utilities industry director Ian Mitton admitted that security has been an afterthought in smart grid and metering projects, with an emphasis being placed on early deployment to meet stimulus demand and experiment with the new technology. As we’ve previously discussed, security experts have been concerned about under-secured smart grid technology being rushed to market for some time.

Called the “Cyberspace Badge”, this medal of honor will be worn exclusively by officers who’ve proven their digital grit by completing the “X-Course”, also known as the Distance Learning Cyberspace Operations Transition Course. Its institution reflects the updated role of the Air Force mission – “to fly, fight and win in air, space and cyberspace”.

The new wings symbolize “the projection of cyber power world-wide” and will be worn by members of the 24th Air Force, the USAF’s network security organization. While this branch of the armed forces is still being built, it is expected to be on the front line of defense in cyberspace.

With formerly analog, “offline” industrial and utility systems becoming increasingly networked — such as the “Smart Grid” — IT solutions are often being applied for security. And, according to Weiss, this is part of the problem.

As reported on CNET,

The IT community views control systems as just another computer. A control system is two pieces–the human machine interface, the screens people see in the control room, which are now moving toward Windows, Unix and Linux. These systems also use TCP/IP. So people look at this and say “Aha! That’s IT. I know this.” What they don’t see are all of the devices in the field that sense, measure, control,and monitor physical processes. These devices don’t look like a computer and don’t use Windows. They use either proprietary real-time operating systems systems or fully embedded systems. There is no security at this level even though this where you go “boom in the night.” What IT sees is the engineer sitting in front of a Windows workstation and they say “I know that.”

He also warns that the existing vulnerabilities within the utility and industrial control infrastructures are already being exploited:

There are people who are starting to believe control system cyber is real, but it is still a small fraction. All I have are facts and physics. I’ve got an incident database with over 170 control system cyber incidents worldwide. Unfortunately, most incidents are not public. CERT (Computer Emergency Response Teams) and other IT security monitoring organizations are not designed to collect information for control systems. There is an unfortunate tendency to simply want to declare victory. The Department of Energy and the Department of Homeland Security both have work ongoing in this field. But neither has connected the dots on incidents that have actually happened to identify relevant R&D.

According to Businessweek, Jack’s rootkit is a first because in the past, thieves were only able to hit ATMs by installing skimmers and cameras to steal card numbers. Instead of using the machine as a point of access to user accounts, the hacker’s new method goes after the ATM itself, exploiting software vulnerabilities to get at what’s inside.

In addition to demonstrating these vulnerabilities, Jack will discuss ways that the ATM industry can protect itself from attack methods such as his own. The presentation will occur at the Black Hat Las Vegas conference, held July 28 and 29.

Official text from the application, featured at AppleInsider, describes a series of intervals within a single heartbeat that can be used as biometric data. This data can be used not only to identify the distinct pattern of the phone’s owner, but also as a way to judge the user’s heart rate and mood, which can then potentially be implemented within fitness and entertainment applications.

As reported on AppleInsider,

…[T]he electronic device can identify media having beats per minute or other characteristics that are associated with or related to a user’s cardiac signal or heart rate, and play back the identified media…. As another example, the media provided can have beats per minute faster or slower than the user’s current heart rate to direct the user to work harder (e.g., during a workout) or to cool or calm the user down (e.g., at the end of a workout).

As reported in the New York Times,

“We demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on,” [researchers] wrote in the report….

The research teams also claim that they were able to access a vehicle, remotely insert malicious code, and then completely remove any evidence of their intervention.

With the increasing popularity of wireless, internet-connected technologies in cars–such as “OnStar,” and other similar navigation and communications systems–more and more automobiles are becoming accessible through external networks. And as this technology proliferates, securing cars against hackers and viruses will become increasingly critical for driver safety.

As reported in the New York Times, current FDA policy requires manufacturers of life-sustaining devices to conduct clinical trials of new designs, however the agency is known to clear them for sale without testing based on their similarity to existing products. While infusion pumps are the immediate focus of these new guidelines, it is expected that other products will also be subject to more rigorous testing, and that this higher level of scrutiny will slow down the approval of new devices. The FDA has also supplied its own open-source testing software to manufacturers, in an effort to help them determine the effectiveness of their products.

But the problems plaguing the infusion pump market are creating more serious consequences for device manufacturers than just the delaying of new devices. As reported on Medical Device Network, the FDA has ordered Baxter Healthcare–a leading infusion pump manufacturer–to recall and destroy all of their “Colleague” model pumps due to the company’s failure to remedy a number of longstanding technical defects.

Remarkably, the prosthetic can be controlled in a fairly natural manner, allowing Claudia to perform simple tasks much in the same way she would with a real arm. It’s one of the first cases of nerve-rerouting surgery to enable control of a prosthetic via electrodes, whereas prosthetics in the past were controlled by muscle movement in the neighboring limbs.