Tech, Policy Converge in Debate on Securing Things

The Department of Homeland Security (DHS) will weigh in on the debate about securing the vast Internet of Things next week, laying out new guidelines for connected device makers at the third annual Security of Things Forum in Cambridge, Massachusetts.

Robert Silvers, the DHS Assistant Secretary for Cyber Policy, will use the event to present a set of strategic security principles for manufacturers, designers and developers of connected, Internet of Things products to consider when designing new products. Silvers will also talk about steps that organizations can take to secure connected infrastructure and devices that are already deployed.

Robert Silvers of Department of Homeland Security will talk about forthcoming guidance from DHS on securing Internet of Things devices.

The talk, on Thursday, September 22, comes amid growing interest by government, industry regulators and private firms in a burgeoning population of connected “stuff” that is predicted to number in the billions of devices by the end of the decade.

“I think what we’ve come to recognize is that the Internet of Things is a full blown phenomenon and it’s here,” Silvers said in an interview. “The IoT brings incredible value to consumers and industry, but those also come with attendant risks.”

The Department of Homeland Security is just the latest government agency to take a swing at taming the storm of connected “stuff” hitting store shelves and worming its way onto corporate networks. And there’s ample evidence of work to be done on both security and privacy.

Speaking alongside Silvers at the Cambridge Forum, Dr. Kevin Fu, of the firm Virta Labs and the Archimedes Center for Medical Device Research at the University of Michigan, will discuss the challenge that hospitals face as they try to ensure continuity of operations with a population of medical devices that are often difficult or impossible to secure.

Travis Goodspeed, a world-renowned security researcher who has developed tools to research embedded systems and wireless devices, will talk about the ways in which small, subtle, hardware-based flaws can become major security issues as components are used and reused across products of many different types.

More than one presentation at the conference will highlight serious vulnerabilities in home automation systems of the kind sold online and at box store retailers like Home Depot and Best Buy. In a talk entitled “Breaking BHAD,” Scott Tenaglia of the firm Invincea will delve into security holes he discovered in home automation hubs by the firm Belkin, including multiple vulnerabilities in Belkin’s WeMo line of home automation products as well as the mobile (Android) application that controls it.

Separately, researchers from the firm Senr.io will unveil a range of vulnerabilities in inexpensive embedded devices used for home networking and to connect “smart” products.

“When we first started doing this event, security and Internet of Things was kind of a novelty – like: ‘Can we really talk about these two things together?’” No more. “Today, security is front and center, because concerns about security and privacy are perceived to be one of the biggest obstacles to the IoT’s growth,” Roberts said.

A report by the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) in May found that public faith in the Internet has dimmed in the wake of data breaches, cybersecurity incidents, and reports critical of the privacy practices of online services. The biggest threat came in the form of “negative personal experience,” the report found.

In a similar vein, a report from Berkeley’s School of Information and the Hewlett Foundation noted that cybersecurity is on the cusp of “profound psycho-social impact” on human society.

The Security of Things Forum will take place in Cambridge, Massachusetts on Thursday, September 22. Information on the show and tickets are available at Securityofthings.com.

The Early Bird Sleeps with the Fishes!

As of Wednesday at 13:00, the Early Bird sleeps with the fishes! Don't forget to register for the 3rd annual Security of Things Forum now and take part in the Northeast's premiere security and IoT event.

Early Bird? Won’t be hearin’ from him no more! It’s sad – but true. With just over two weeks to go until our third annual Security of Things Forum, the early bird’s days are numbered. In fact, regular admission pricing takes effect tomorrow (Wednesday, September 7) at 13:00 ET. You can use this link to register now.

Our 2016 event, scheduled for September 22, 2016 at the Sheraton Commander in Harvard Square, Cambridge, MA, is shaping up to be an amazing event. Among the talks we’ll be presenting:

  • Kevin Fu, the noted researcher and CEO of Virta Labs, will talk about managing medical device risk in the age of stunt hacking
  • Travis Goodspeed is an independent researcher who has worked with leading universities and is one of the world’s leading authorities on the security of wireless devices.
  • Robert Silvers, the Assistant Secretary for Cyber Policy at the U.S. Department of Homeland Security, who will be talking about DHS’s development of Department-wide cyber policies and strategies.
  • Trident Capital, Accomplice & Glasswing Ventures give an investor’s view of IoT security
  • Scott Tenaglia of Invincea Labs: “Breaking BHAD: Abusing Belkin Home Automation Devices”

 

As always, our agenda will be second to none. We have lined up featured speakers who are recognized as experts in the security of connected devices.

Once again, The Security Ledger is happy to partner with Christian Science Monitor’s Passcode on this year’s event. We’re keeping up our tradition of excellence this year, with both a Leader’s Track focused on CxOs, investors, entrepreneurs and decision makers, and a Hacker’s Track that provides detailed, technical discussions and hands-on demonstrations. Space is limited, so register now for this must-see security and IoT event. We hope you can make it!

 

Podcast from Black Hat: Looking Ahead to the 2016 Security of Things Forum

Last week saw two major security events take place: the annual Black Hat and DEF CON conferences in Las Vegas. I was in attendance and had the chance to meet with a lot of the world’s top security experts and thought leaders and check out a couple presentations, to boot.

I also got a chance to sit down with one of my favorite security writers: Chris Gonsalves, who writes (among other responsibilities) for the Institute of Applied Network Security (or IANS). Chris and I talked about the goings on at Black Hat, which included a further addition to the car hacking exploits of Charlie Miller and Chris Valasek. We also had the chance to talk about the upcoming Forum.

You can listen to our conversation here.

Will Bug Bounties Scale To The Internet of Things?

The challenge of managing bug bounty programs for the Internet of Things will be a topic of discussion at the third annual Security of Things Forum in Cambridge on September 22nd.

Rajesh Krishnan of the bug bounty firm HackerOne will present a talk entitled “Device Hacking in the Age of Bug Bounties.” In his talk, Krishnan will present data and a framework for the IoT Bug Bounty program of tomorrow.

[Use this link to register for Security of Things Forum, Sept 22.]

Rajesh Krishnan of the firm HackerOne will talk about the challenges of operating bug bounty programs for the Internet of Things.

Bounty programs are one of the most notable developments and improvements in the information security space in the last 15 years. They mark the critical shift in thinking about hacking from one which viewed it as a quasi-criminal activity to a perspective of hacking as a critical skill for assessing the quality of software products. Incentive programs (aka “bounties”) aimed at vulnerability researchers have since become the preferred method for soliciting the attentions of talented vulnerability researchers.

Bounty programs aren’t new. Netscape launched the first such program in 1995 to find holes in its browser code. But the programs have attracted increasing attention from outside the software industry in recent years. Firms like HackerOne and Bugcrowd have attracted venture funding by offering to streamline bounty programs for a wide range of industries unused to dealing with finicky hackers. Among them: financial services and banking, automotive and manufacturing. Even old economy giants like GM have gotten into the act. That company launched a bounty program on the site HackerOne earlier this year.

But the Internet of Things presents challenges for would-be bounty program hosts that simply don’t exist for, say, web applications, mobile applications or more traditional fare.

Hardware components like systems on chips (SoCs) require special know-how to analyze and can obscure potentially serious vulnerabilities that reverberate throughout a supply chain. Bounty programs must also address the entire IoT lifecycle from design to manufacturing.

“You can hack a website a million ways and the website should stand up to them all. Hardware can’t handle that,” Krishnan says. “Testing can involve breaking. Sending a voltage spike through a consumer device… can fry the device. The cost and effort of hacking goes up dramatically.”

That means that bounty programs will have to flex to address the unique challenges of the hardware space.

“IoT bug bounties may have to break from the pay for results model. There may be a need for pay per effort and pay per result,” he said.

In his presentation at The Security of Things, Krishnan will provide an overview of how bug bounty programs work including how market prices are set for vulnerabilities and delve into the unique challenges for hardware hacking, as learned from a 2016 HackerOne workshop held on the topic in Palo Alto and not previously discussed by the company.

We hope you can check it out!

Extending Call for Submissions to July 21- But Don’t Wait Too Long!

The deadline for submissions to the Sept. 22 Security of Things Forum has been extended until July 21. Acceptance is on a rolling basis, however, so get your submissions in soon!


The Security of Things Forum, the premiere security and Internet of Things event in the Northeast, is extending its call for submissions to July 21st. Security researchers, academics, executives, device hackers and other subject matter experts have another three weeks to submit talks for consideration ahead of the September 22nd show.

We have a great event coming together, including talks by leading wireless device security expert and “hillbilly hacker” Travis Goodspeed as well as Kevin Fu, founder of Virta Labs, a cyber security start-up focused on the medical device space and a recognized expert in the security of medical devices. The event features both a technical “Hackers Track” and strategy and investment focused discussions on the “Leaders Track.”

Talks are being accepted on a rolling basis and our first round of talks has already been approved, with public announcements due next week. Those interested in presenting at the September Forum are encouraged to complete their submissions sooner rather than later.

Long and short: we’ve received a number of excellent submissions and they continue to roll in. In the past couple days we’ve fielded a number of requests for extensions, and so we’re going to give people a couple more weeks to get their submissions in.

The link to the call for submissions is here. Any questions can be directed to paul(at)securityofthings.com.

 

Connected Health Expert Dr. Kevin Fu to speak at Security of Things™ Forum

Dr. Kevin Fu, an expert in medical device security and founder of Virta Laboratories will be a featured speaker at the 2016 Security of Things Forum in Cambridge, MA.

Kevin Fu, the co-founder of Virta Labs and one of the nation’s top experts on the security of medical devices and hospitals, will be a featured speaker at the 2016 Security of Things Forum in Cambridge, Massachusetts.

Hosted by The Security Ledger and Passcode, The Christian Science Monitor’s cybersecurity publication, The Security of Things Forum (SECoT) brings together leaders in the areas of information security and privacy, developers of IoT devices and platforms, as well as investors, entrepreneurs and policy makers. Past speakers have included vehicle researcher Chris Valasek of Uber, FTC Commissioner Julie Brill, Dan Geer, the Chief Information Security Officer at In-Q-Tel as well as Michael Daly, the Chief Technology Officer at Raytheon.

Dr. Fu will be discussing his research into effective ways to improve information security in the healthcare field as well as the impact of recent developments, such as new FDA guidance on cybersecurity.

Dr. Fu is a recognized authority on the security of embedded computer systems. An Associate Professor and Sloan Research Fellow at the University of Michigan, he is the Director of the Archimedes Research Center for Medical Device Security and of the Security and Privacy Research (SPQR) Group. Virta Labs, based in Ann Arbor, Michigan, makes Powerguard, an innovative technology that uses analysis of power consumption to spot evidence of malicious or suspicious activity.

“The healthcare field is at the leading edge of the Internet of Things, as hospitals, doctors’ offices and individuals embrace a new generation of sophisticated diagnostic and monitoring technologies,” said Paul Roberts, the founder of The Security of Things and Editor in Chief of The Security Ledger. “That’s why we’re thrilled to have Kevin Fu, one of the world’s top experts in the security and integrity of health devices and healthcare environments, as a featured speaker at our 2016 Forum in Cambridge.”

In its third year, The Security of Things (SECoT) is a day-long event that brings together the brightest minds in industry, technology, information security, academia and government to explore the greatest and defining challenge of our times: securing The Internet of Things.

Our 2016 event, scheduled for September 22, 2016 in Cambridge, Massachusetts, promises to be even more exciting. Registration is now open and space is limited. Take advantage of early pricing and get your tickets now.

Also: if you are interested in speaking at the Forum, please see our Call for Submissions. If you or your company are interested in being a Forum sponsor, you can learn more about sponsorships here.

We hope you will attend!

Travis Goodspeed to Address 2016 Security of Things™ Forum

Travis Goodspeed, an innovative security researcher known for his research on the security of wireless devices, will be a keynote speaker for the third annual Security of Things™ Forum in Cambridge, Massachusetts.

Goodspeed will discuss recent research on wireless devices including two-way radios, and the implications of wireless device (in)security on current and future IoT deployments. He continues a tradition of visionary speakers that includes last year’s keynote speaker, Chris Valasek of Uber, and the Forum’s 2014 speaker: Dan Geer of In-Q-Tel.

A self-described “circuit preacher and hardware hacker from Southern Appalachia,” Goodspeed has established a reputation as one of the most sought-after experts on the security of wireless devices. His work includes a collaboration with researchers at Dartmouth College that developed a novel and inexpensive approach to fingerprinting and attacking wireless devices that use the 802.15.4 standard, as well as USB-based attacks on embedded systems. While working at Oak Ridge National Lab, he developed a novel side-channel timing attack for the MSP430 microcontroller, made by Texas Instruments – a common component of low-power, embedded applications including in the medical field.

Goodspeed has been a frequent speaker at leading security events including The Black Hat Briefings, DEFCON, ToorCon, 44Con and (many) others. He is the creator of the GoodFET (FET is a Flash Emulation Tool), an open source JTAG adapter, as well as the Facedancer board, which allows researchers to test the security of USB device drivers. Those tools have, in turn, fueled other, independent security research – some of it headline-making.

In his free time, Goodspeed launched the Southern Appalachian Space Agency, modifying a naval telecommunications dish to track moving targets in the sky including satellites in Low Earth Orbit.

“As more and more of the physical world is connected via wireless network adaptors, or instrumented with wireless sensors, Travis’s research as well as his professional experience and personal insights are invaluable,” said Paul Roberts, the Founder of The Security of Things Forum and Editor in Chief of The Security Ledger. “His talk will be a must-attend event for anyone who is interested in understanding the challenge of securing The Internet of Things.”


Mike Daly of Raytheon to address Security of Things™ Forum

Michael Daly, the Chief Technology Officer of Raytheon Cybersecurity, will speak at the second annual Security of Things™ Forum on Thursday, September 10th in Cambridge, adding his voice to a roster of speakers that includes FTC Commissioner Julie Brill and noted connected vehicle hacker Chris Valasek of the firm IOActive.

Daly is a recognized expert on cyber security. At Raytheon, he serves as a Principal Engineering Fellow and provides leadership in Raytheon’s cyber technologies. At the policy level, Daly supports the National Security Telecommunications Advisory Committee for U.S. President Barack Obama. He is a frequent contributor to publications ranging from VentureBeat to CSO to Dark Reading, and is frequently quoted in articles in publications including the Wall Street Journal and Forbes.

Daly has written extensively on the subject of cyber security, including the Internet of Things, noting the high cost of lax security in Internet-connected consumer devices.

With more than 27 years in security and information systems, Michael Daly has worked with both the private sector and the federal government with responsibilities including software engineering for law enforcement, and manager of enterprise applications and distributed computing.

In its second year, the Security of Things Forum is the premiere Internet of Things and security conference in the Northeast. It brings together security researchers, executives, policymakers and thought leaders for a day of discussion and learning about the preeminent challenge of our day: securing a fast-growing population of billions of connected devices and infrastructure – the Internet of Things.

FTC Commissioner Julie Brill On Agenda For September Security of Things™ Forum

 

FTC Commissioner Julie Brill will appear at the second annual Security of Things Forum in September in Cambridge, MA.

Federal Trade Commissioner Julie Brill will appear at The Security of Things™ Forum, a day-long event that explores the security and privacy implications of The Internet of Things this September in Cambridge.

Julie Brill is the Commissioner of the Federal Trade Commission.

Brill is an outspoken advocate of improving Internet privacy and data security issues and is known as a staunch defender of consumer privacy protections in the face of fast-evolving mobile and connected technologies. At the Forum, she will participate in a panel entitled “Security, Privacy and the IoT: a Policy Perspective.” The panel will be moderated by Michael Farrell, editor of Passcode, The Christian Science Monitor’s newly launched section that focuses on security and privacy issues.

[Register to attend the Security of Things Forum]

Brill will join other noted researchers and technologists at the Forum, including Chris Valasek, the Director of Vehicle Research at the firm IOActive and a recognized expert on the security of connected vehicles, as well as Mark Stanislav, the co-founder of BuildItSecure.ly and a Senior Research Associate at the firm Rapid7.

The FTC Commissioner since 2010, Julie Brill is widely recognized as a leader in the charge for better protections for consumer data. She received the 2014 Privacy Leader of the Year Award. Her work promoting consumer privacy protections won her recognition as one of the “50 Most Powerful People in Healthcare.”  Commissioner Brill is an advocate of protecting consumers’ privacy, especially with new online and mobile technologies, and supports the creation and implementation of mechanisms to give consumers better information and control over the collection and use of their personal online information.

“We’re thrilled to add Commissioner Brill to our schedule for the second annual Security of Things Forum,” said Paul Roberts, the editor of The Security Ledger and a founder of The Security of Things Forum. “Even as it creates new products, services and business models, the Internet of Things is challenging long held notions about privacy and the relationship between consumers and the ‘things’ that populate our environment. The FTC has been at the vanguard in addressing the security and privacy implications of the IoT and that is due, in large part, to Commissioner Brill’s vision and leadership. Her experience and insights will be invaluable to the discussion at our September event.”

In its second year, The Security of Things Forum is co-hosted by The Security Ledger and The Christian Science Monitor Passcode. The Forum takes place on September 10 at The Sheraton Commander Hotel, just off the campus of Harvard University in Cambridge, Massachusetts. Tickets are available with Early Bird discounts in effect for the remainder of July. To register to attend the Forum, visit this link. 

Connected Vehicle Expert Chris Valasek to Keynote Security of Things™ Forum

Chris Valasek, one of the world's top experts on the security of connected vehicles, will address the Security of Things Forum in Cambridge on September 10.

The Northeast’s leading conference dedicated to securing the Internet of Things will welcome Chris Valasek, one of the world’s top experts on the security of connected vehicles, as a keynote speaker at its September 10th event in Cambridge, Massachusetts.

Valasek’s pioneering research on techniques for hacking into connected vehicles, conducted with colleague Charlie Miller, helped spark a national conversation about the dangers posed by our growing reliance on software-based systems in modern vehicles. Valasek will share the fruits of his latest research, which explores the security implications of wireless and cellular connectivity in connected cars.

Chris Valasek is Director Vehicle Security Research at IOActive

Co-produced by The Security Ledger and Passcode, The Christian Science Monitor’s new section on security and privacy in the Digital Age, the Security of Things™ Forum will bring together leading security researchers, academics, executives and practitioners to explore one of this generation’s paramount challenges: securing the Internet of Things.

The event, in its second year, will feature a range of presentations, panel discussions and hands-on workshops that explore the technical, tactical and policy implications of the Internet of Things.

“Chris Valasek and Charlie Miller’s research on techniques for compromising the security of connected vehicles is among the most powerful demonstrations we have of the consequences of insecure design to our health, safety and privacy,” said Paul Roberts, founder of The Security of Things Forum. “Chris is on the leading edge of independent researchers who are analyzing the security of IoT products, and we are thrilled to welcome him to Boston for our second annual Security of Things Forum.”

Scheduled for Thursday, September 10, the Security of Things Forum will take place just off the Harvard University Campus, at the Sheraton Commander Hotel in Cambridge, Massachusetts. The event will feature two tracks:

A Leaders track that offers a lively forum in which researchers, executives, investors and thought leaders will share their ideas.

A Hackers Track that will offer hands-on workshops in everything from device hacking and reverse engineering to hands-on tools demonstrations to birds-of-a-feather discussions of both technical and policy matters.

The Security of Things forum is a great opportunity to meet and network with some of the brightest minds in IoT security. Early bird tickets are now for sale and can be purchased via Eventbrite. You can also connect with the Forum online via twitter @secthings, on Facebook and LinkedIn. If your organization is interested in being a Security of Things sponsor, contact paul@securityofthings.com.