Podcast: DtR NewsCast of Hot Cyber Security Topics

I had the pleasure of joining the DtR Gang for another podcast on Down the Security Rabbit Hole and, as usual with this bunch, it was more fun than anything — but I learned a lot as well. Let me just tell you, these guys are the best around at what they do and they’re really great people on top of that!

This episode had the usual suspects of Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst), though James was riding passenger in a car and could only participate through IM. Also joining as a guest along with me was Philip Beyer (@pjbeyer).

Go check out the podcast and let us know what you think — use hashtag #DtR on Twitter!

Thank you Raf, James, Michael and Phil — this was a lot of fun!

Podcast: CFAA, Shellshock and Cyber Security Research — What the Heck Do We Want?

Today I had a blast doing a podcast on the CFAA, Shellshock, and cyber security research with Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst) — in fact, we had so much fun that I suspect Raf had quite a time trying to edit it!

The starting point for our discussion was a recent article written by security researcher and blogger Robert Graham (@ErrataRob) titled Do shellshock scans violate CFAA?

As I mentioned on the show, when I first saw Robert’s article, I viewed it with skepticism. However, after actually reading it (yeah, I know — makes sense, right?), I found the article to be very well written, sound on the principles and issues of the CFAA — in my view, Robert did a great job of framing some key issues in the debate that definitely needs to happen.

From the article, our discussion expanded to a general discussion of the Computer Fraud and Abuse Act, its confusion as to application to “security research,” and whether it is even possible for Congress to “fix” the CFAA.

I do not think Congress is able to “fix” the CFAA right now for many reasons. However, I believe we pointed out some additional issues that must be taken into consideration during the public debate in determining what we as a society really value and want on these issues. Until “we the people” can figure that out, I see no way for Congress to “fix” this law which means the Common Law method is what we are left with.

Anyway, this post is just skimming the surface — Raf turned this into a really nice podcast so check it out: Down the Security Rabbithole.

Thank you Raf, James and Michael — this was a lot of fun!

A Hacker Can Takeover A Car Through Its Computer System — What About An Airplane?

Hackers can take over cars by hacking into their on-board computer systems. Does it not stand to reason that they could do the same thing to an airplane? Maybe, maybe not, but a recent ruling by the FAA shows this was a concern for the Boeing Model 777-200.

Over the last few years I have written several posts about whether hackers could take over the controls of cars by hacking them (here) and whether doing so would violate the Computer Fraud and Abuse Act. From the time of my first post on this subject in 2011 until now, this discussion has moved from the theoretical, of whether it was possible, to the certain. It is possible and this video shows how hackers do this to cars.

Now, with the search for answers to how the Malaysian Flight 370 jetliner — a huge Boeing 777-200 airplane — just disappeared without a trace, some are starting to question whether that jetliner could have been hacked. That is, whether it may have been taken over by hacking into its computer system, turning off its tracking devices, and diverting it to a secret location. Who knows, right?

I certainly do not profess to have any specialized knowledge about whether this is possible other than basic common sense that tells me if it can happen to a car, it can happen to an airplane.

One security researcher has purportedly demonstrated that it is possible to take control of an airplane’s navigation and cockpit systems with an Android smartphone app (Researcher takes controls of aircraft system with Android phone), but the FAA explained why the researcher’s test would not allow him to actually take over the controls of a real airplane, as the researcher was using a simulator (FAA: ‘No, you CAN’T hijack a plane with an Android app’).

Regardless, another very important piece of information has come to light. On November 18, 2013, the Federal Aviation Administration issued a ruling that addressed concerns it had about the Boeing Model 777-200’s computer system being vulnerable to unauthorized internal access: Special Conditions: Boeing Model 777-200, -300, and -300ER Series Airplanes; Aircraft Electronic System Security Protection From Unauthorized Internal Access. The FAA’s Ruling contained the following discussion:

The integrated network configurations in the Boeing Model 777-200, -300, and -300ER series airplanes may enable increased connectivity with external network sources and will have more interconnected networks and systems, such as passenger entertainment and information services than previous airplane models. This may enable the exploitation of network security vulnerabilities and increased risks potentially resulting in unsafe conditions for the airplanes and occupants. This potential exploitation of security vulnerabilities may result in intentional or unintentional destruction, disruption, degradation, or exploitation of data and systems critical to the safety and maintenance of the airplane. . . . [T]hese special conditions are being issued to ensure that the security (i.e., confidentiality, integrity, and availability) of airplane systems is not compromised by unauthorized wired or wireless electronic connections between the airplane information services domain, aircraft control domain, and the passenger entertainment services.

Did the FAA’s special conditions issued in the Ruling alleviate this concern and adequately protect against the risk? We may never know. But, what we do know, is that this was a concern …

About the author

Shawn Tuma is a lawyer who is experienced in advising clients on complex intellectual property issues such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act. He is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas, which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as across the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

The Indispensability of Cyber Counterintelligence

You already know what a threat hacking and data breaches are to your business, right? Good. In that case, you will appreciate the following post from my friends at SpearTip about cyber counterintelligence. Here’s a little teaser:

If your organization is not yet retaining a provider that specializes in this technique, referred to as “Cyber Counterintelligence”, you may be significantly behind in the ever-challenging battle to indemnify yourself against catastrophic cyber breaches.

The Indispensability of Cyber Counterintelligence

US Preparing to Do Digital Battle With Hackers – Will This Violate the Computer Fraud and Abuse Act?

The US could launch pre-emptive cyber strikes against countries it suspects of threatening its interests with a digital attack, under a new set of secret guidelines to safeguard the nation’s computer systems. The rules – the country’s first on how it defends or retaliates against digital attacks – are expected to be approved in coming weeks, and are likely to be kept under wraps, much like the policies governing the country’s controversial drone programme.

You can read more here: US draws up battle plan to stave off digital attack cyberstrikes – Americas – World – The Independent. The article states that a legal review of the guidelines has come back clear and the President has the power to order such strikes.

The question I am sure many of you are wondering is whether this preemptive counter-strike would violate the Computer Fraud and Abuse Act. The answer is no, it does not. Here is why:

18 U.S.C. § 1030(f) states: “This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.”

There you have it – go get ’em!

The Law and the Hacker – Podcast on the Computer Fraud and Abuse Act

Not too long ago I had a nice visit with Rafal Los (@Wh1t3Rabbit), who is otherwise known as the Chief Security Evangelist for HP and blogs at Following the Wh1t3Rabbit – Practical Enterprise Security. Raf is one dude you really need to follow if you’re interested in #infosec.

Anyway, our discussion was centered around the Computer Fraud and Abuse Act and how it applies to hackers. Raf turned this into a really nice podcast so check it out: Down the Security Rabbithole.

Break Into A Home, Violate the Computer Fraud and Abuse Act?

How’s that for a crazy sounding question? Could breaking into a home violate the Computer Fraud and Abuse Act?

I know you’re wondering just how I come up with these crazy things, right? From the news, of course! I read a really interesting article by David Goldman on CNNMoney entitled Your Jetsons Home is Almost Here in which the premise is that, based on the advanced state of technology, companies at Mobile World Congress “are showing off how everything in your home — from your door locks to your thermostat to your TV — can be controlled by a smartphone or tablet.” This is so because “the hardware, software, and cloud-based infrastructure necessary to make it a reality is finally inexpensive enough for companies to bring full-home connectivity to the mainstream market.”

Now, presumably, to make the home truly “wired” in this manner, that hardware and software would have to be integrated into the home, and the home would likely be connected to the Internet for it all to work. Let’s review a little about what makes a computer a “computer” under the Computer Fraud and Abuse Act:

  • The CFAA applies to anything with a microchip or data processor that is connected to the Internet. See Can Stealing a Car Violate the Computer Fraud and Abuse Act?
  • If a home were to have a microchip or data processor integrated into it, and if such device were connected to the Internet, then that home would be a covered “computer” and the CFAA would apply if it were broken into.

Now, that only covers the first part of a CFAA violation, and there would be other questions remaining as to whether the intrusion amounted to a full violation of the Computer Fraud and Abuse Act, but, theoretically, I’d say it would be a pretty good argument! How about you, what do you think?

Also, what do you think about my other two crazy ideas — would hacking a “human” violate the CFAA and would stealing a “car” violate the CFAA?