Podcast: #DtR Episode on Lines in the Sand on “Security Research”

You really need to hear this podcast where we draw lines in the sand staking out what is – and what is not — security research

The #DtR Gang [Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst)] invited me to tag along for another episode of the Down the Security Rabbit Hole podcast.

Also joining us for this episode were Chris John Riley (@ChrisJohnRiley) and Kevin Johnson (@SecureIdeasllc).

You can click here to see a list of the topics we covered in this episode or just jump straight into the podcast.

Let us know what you think by tagging your comments with #DtR on Twitter!

Podcast: DtR NewsCast of Hot Cyber Security Topics

I had the pleasure of joining the DtR Gang for another podcast on Down the Security Rabbit Hole and, as usual with this bunch, it was more fun than anything — but I learned a lot as well. Let me just tell you, these guys are the best around at what they do and they’re really great people on top of that!

This episode had the usual suspects of Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst), though James was riding passenger in a car and could only participate through IM. Also joining as a guest along with me was was  Philip Beyer (@pjbeyer).

Go check out the podcast and let us know what you think — use hashtag #DtR on Twitter!

Thank you Raf, James, Michael and Phil — this was a lot of fun!

Podcast: CFAA, Shellshock and Cyber Security Research — What the Heck Do We Want?

Today I had a blast doing a podcast on the CFAA, Shellshock, and cyber security research with Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst) — in fact, we had so much fun that I suspect Raf had quite a time trying to edit it!

The starting point for our discussion was a recent article written by security researcher and blogger Robert Graham (@ErrataRob) titled Do shellshock scans violate CFAA?

As I mentioned on the show, when I first saw Robert’s article, I viewed it with skepticism. However, after actually reading it (yeah, I know — makes sense, right?), I found the article to be very well written, sound on the principles and issues of the CFAA — in my view, Robert did a great job of framing some key issues in the debate that definitely needs to happen.

From the article, our discussion expanded to a general discussion of the Computer Fraud and Abuse Act, its confusion as to application to “security research,” and whether it is even possible for Congress to “fix” the CFAA.

I do not think Congress is able to “fix” the CFAA right now for many reasons. However, I believe we pointed out some additional issues that must be taken into consideration during the public debate in determining what we as a society really value and want on these issues. Until “we the people” can figure that out, I see no way for Congress to “fix” this law which means the Common Law method is what we are left with.

Anyway, this post is just skimming the surface — Raf turned this into a really nice podcast so check it out: Down the Security Rabbithole.

Thank you Raf, James and Michael — this was a lot of fun!

A Hacker Can Takeover A Car Through Its Computer System — What About An Airplane?

malaysia jetlinerHackers can take over cars by hacking into their on board computer systems. Does it not stand to reason that they could do the same thing to an airplane? Maybe, maybe not, but a recent ruling by the FAA shows this was a concern for Boeing Model 777-200.

Over the last few years I have written several posts about whether hackers could take over the controls of cars by hacking them (here) and whether doing so would violate the Computer Fraud and Abuse Act. From the time of my first post on this subject in 2011 until now, this discussion has moved from the theoretical, of whether it was possible, to the certain. It is possible and this video shows how hackers do this to cars.

Now, with the search for answers to how the Malaysian Flight 370 jetliner — a huge Boeing 777-200 airplane — just disappeared without a trace, some are starting to question whether that jetliner could have been hacked. That is, whether it may have been taken over by hacking into its computer system, turning off its tracking devices, and diverting it to a secret location. Who knows, right?

I certainly do not profess to have any specialized knowledge about whether this is possible other than basic common sense that tells me if it can happen to a car, it can happen to an airplane.

One security researcher has purportedly demonstrated that it is possible to take control of an airplane’s navigation and cockpit systems with an Android smartphone app (Researcher takes controls of aircraft system with Android phone) but the FAA explained why the researcher’s test would not allow him to actually take over the controls of a real airplane as the researcher was using a simulator ( FAA: ‘No, you CAN’T hijack a plane with an Android app’ ).

Regardless, another very important piece of information has come to light. On November 18, 2013, the Federal Aviation Administration issued a ruling that addressed concerns it had about the Boeing Model 777-200′s computer system being vulnerable to unauthorized internal access: Special Conditions: Boeing Model 777-200, -300, and -300ER Series Airplanes; Aircraft Electronic System Security Protection From Unauthorized Internal Access The FAA’s Ruling contained the following discussion:

The integrated network configurations in the Boeing Model 777-200, -300, and -300ER series airplanes may enable increased connectivity with external network sources and will have more interconnected networks and systems, such as passenger entertainment and information services than previous airplane models. This may enable the exploitation of network security vulnerabilities and increased risks potentially resulting in unsafe conditions for the airplanes and occupants. This potential exploitation of security vulnerabilities may result in intentional or unintentional destruction, disruption, degradation, or exploitation of data and systems critical to the safety and maintenance of the airplane. . . . [T]hese special conditions are being issued to ensure that the security (i.e., confidentiality, integrity, and availability) of airplane systems is not compromised by unauthorized wired or wireless electronic connections between the airplane information services domain, aircraft control domain, and the passenger entertainment services.

Did the FAA’s special conditions issued in the Ruling alleviate this concern and adequately protect against the risk? We may never know. But, what we do know, is that this was a concern …

About the author

Shawn Tuma is a lawyer who is experienced in advising clients on complex intellectual property issues such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act. He is a partner at BrittonTuma, a boutique business law firm with offices near the boarder of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as across the nation pro hac vice ). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

The Indispensability of Cyber Counterintelligence

You already know what a threat hacking and data breaches are to your business, right? Good. In that case, you will appreciate the following post from my friends at SpearTip about cyber counterintelligence. Here’s a little teaser:

If your organization is not yet retaining a provider that specializes in this technique, referred to as “Cyber Counterintelligence”, you may be significantly behind in the ever-challenging battle to indemnify yourself against catastrophic cyber breeches.

The Indispensability of Cyber Counterintelligence

US Preparing to Do Digital Battle With Hackers – Will This Violate the Computer Fraud and Abuse Act?

The US could launch pre-emptive cyber strikes against countries it suspects of threatening its interests with a digital attack, under a new set of secret guidelines to safeguard the nation’s computer systems. The rules – the country’s first on how it defends or retaliates against digital attacks – are expected to be approved in coming weeks, and are likely to be kept under wraps, much like the policies governing the country’s controversial drone programme. 

You can read more here: US draws up battle plan to stave off digital attack cyberstrikes – Americas – World – The Independent. The article states that a legal review of the guidelines has come back clear and the President has the power to order such strikes.

The question I am sure many of you are wondering is whether this preemptive counter-strike would violate the Computer Fraud and Abuse Act. The answer is no, it does not. Here is why:

18 U.S.C. § 1030 (f) states “This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.”

There you have it – go get ‘em!

The Law and the Hacker – Podcast on the Computer Fraud and Abuse Act

Not too long ago I had a nice visit with Rafal Los (@Wh1t3Rabbit) who is otherwise known as the Chief Security Evangelist for HP and blogs at Following the Wh1t3Rabbit – Practical Enterprise Security. Raf is one dude you really need to follow if you’re interested in #infosec

Anyway, our discussion was centered around the Computer Fraud and Abuse Act and how it applies to hackers. Raf turned this into a really nice podcast so check it out: Down the Security Rabbithole.