While it is easy to say that Meltdown and Spectre prove that hardware is just as risky as software, I believe we should instead focus on how we got here.  I believe there is a lesson rooted in our approach to technological innovation as highlighted by Marc Andreessen’s seminal article Why Software Is Eating the World.

Software Defined Everything has become the rallying cry of organizations.  In a drive to reduce cost and speed up innovation we have started to treat hardware as a commodity and focus on software as the solution.  But there is a problem.  What if our hardware cannot keep up with our software?  Are we asking too much of our hardware?

Moore’s law states that processor speeds double every two years (or eighteen months according to Intel).  In technology two years is an eternity so engineers have devised ground breaking methods to speed up processors.   One such method, called speculative execution, allows a processor to perform a function before it knows whether the function is required.  If the function is not required then it is discarded but the act of completing it, just in case, allows the processor to perform operations more quickly.

Click to Subscribe

While designed as an optimization technique, Meltdown and Spectre proved that a cache timing attack could take advantage of speculative execution to expose secure kernel memory.  As described by The Register, “To make the transition from user mode to kernel mode and back to user mode as fast and efficient as possible, the kernel is present in all processes’ virtual memory address spaces, although it is invisible to these programs…It seems it may be possible to craft software in such a way that the processor starts executing an instruction that would normally be blocked – such as reading kernel memory from user mode – and completes that instruction before the privilege level check occurs.”

https://youtu.be/q3WZiiaXHps

Another example of the desire to use software to solve the limitations of hardware is the deployment of Virtual Machines (VMs).  VMs have truly changed the world, creating the cloud and allowing organizations to dramatically reduce cost.  VM technology allows collocated, software-based operating systems to share expensive hardware resources.  VM security is based on hardware Trusted Platform Module (TPM) storing secure information and software hypervisors scheduling access to hardware resources.

Despite these barriers, side channel attacks can still be used to cross the boundary between collocated VMs and steal private information.  These attacks involve an attacker VM alternating execution with a target VM to observe behavior of the underlying hardware.  They take advantage of the fact that, in order to conserve memory and speed up processing, VMs often share caches and libraries (i.e., memory page deduplication).  While difficult, multiple researchers have shown a side channel attack’s ability to retrieve secure information including private keys.  Other researchers have shown the ability to perform Denial of Service (DoS) attacks by using the VM scheduler to monopolize hardware resources at the expense of collocated VMs.

With the advent of Software Defined Networking (SDN) will the next attack be listening to other people’s traffic on bare metal switches?

If we are asking too much of our hardware what can we do to correct it?  Should we accept slower processors, which has been the result of Intel’s patches?  Should we no longer allow collocation of VMs or demand completely separate data centers for our servers?

I am sure we will not start accepting slower speeds or higher costs so the next best option seems to be education.  Developers need to understand how hardware and software interoperates in order to prevent future cybersecurity attacks.  For instance, in addition to a six week course on Python, developers should also invest in a six week course on machine language.  Perhaps if they understood how hardware resources are actually used by software they will know when to push hardware and when not to.

Eric Sharret is Vice President of Business Development at TELEGRID.  TELEGRID has unique expertise in secure embedded systems, secure authentication, PKI, and Multi-Factor Authentication (MFA).

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post Hardware’s Burden: Meltdown and Spectre appeared first on TELEGRID.

As an embedded software developer I can go on and on about the many benefits of LINUX.  I can easily list hundreds of benefits.  What I believe is the greatest though is the LINUX repository.

The LINUX repository is an online archive of open source and proprietary software packages that programmers use for development or maintenance.  There is a repository for every LINUX distribution with compiled packages for a multitude of hardware configurations.  Software developers can create upgrades or security patches and upload them to the LINUX repository where they can be easily downloaded by users.

Click to Subscribe

Unfortunately, new security risks are forcing system administrators to limit connectivity between secure networks and the internet.   You can’t be hacked if a hacker can’t get in. While a closed network is ideal for security, it is a big problem for software maintenance.

Since the LINUX repository is online, the software upgrades are inaccessible on a secure network.  For years defense contractors, like TELEGRID, have had to go to great lengths to deploy software upgrades on secure networks.  This leads to delays in the deployment of security patches and seemingly endless upgrade cycles.

To resolve these issues we recommend replicating the LINUX repository inside secure networks with an offline LINUX repository.  But how do we update the LINUX repository if it is offline? One solution is to deploy a cross domain solution that straddles the secure and unsecure networks.  Another solution is compressing repository updates and sending them to a system administrator who can upload them into the offline LINUX repository.

While secure networks are important we must not forget that the main goal is functional, bug-free and secure code.  An offline LINUX repository will make it easier to maintain code on secure networks and apply needed security patches.  It seems the President agrees.

Beth Flippo is Vice President of Embedded Software at TELEGRID.  TELEGRID has unique expertise in secure embedded systems, secure authentication, PKI, and Multi-Factor Authentication (MFA).

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post Does President Trump Want an Offline LINUX Repository? appeared first on TELEGRID.

• On December 30, 2016 the Congressional Internet of Things Working Group released a white paper on IoT stating that, “Recent examples of cyberattacks on IoT devices have exposed not just the potential impact on individual consumers, but the possible vulnerability on the broader Internet infrastructure.”

• On January 5, 2017 the Federal Trade Commission issued a complaint against D-Link claiming that D-Link’s “routers and cameras have been vulnerable to attacks that subject consumers’ sensitive personal information and local networks to a significant risk of unauthorized access.”

• On January 9, 2017 the Federal Drug Administration released a note about St. Jude Medical stating that its devices had vulnerabilities that, “if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device.”

• On January 12, 2017 the Department of Commerce released a Green Paper highlighting the security concerns around IoT. It states that the DDoS attack, “was the most visible and far-reaching example of the potential risks that must be mitigated when considering IoT.”

It appears that this the beginning of an activist approach taken by the Government to monitor IoT device manufacturers.  Indeed, the Congressional Internet of Things Working Group white paper states that participants, “grappled with whether or not a solution should rely on industry established standards, agency recommendations, legislation, or a combination of all the above.”

Click to Subscribe

TELEGRID is a designer of secure embedded systems for the US Military and has developed a framework to design systems in line with DISA’s Security Technical Implementation Guides (DISA STIGs).  While some commercial manufacturers follow NIST guidelines others ignore security completely.  As Senator Mark Warner, co-founder of the Senate Cybersecurity Caucus stated, “Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support.”

Is the Government going to “incentivize” commercial manufacturers to bake in security?  Will the Government shut certain companies out of the market for selling unsecure IoT devices?  What will be the cost impact to consumers?

These are all very tough questions and it seems the Government is moving quickly to try to answer them.  Are IoT manufacturers paying attention?

Eric Sharret is Vice President of Business Development at TELEGRID.  TELEGRID has unique expertise in secure embedded systems, secure authentication, PKI, Multi-Factor Authentication (MFA).

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post Government Activism and IoT appeared first on TELEGRID.

There is an interesting story in the Bible about Moses and his father-in-law Yitro.  Yitro visits Moses and sees him sitting in his tent day and night as thousands of people ask for his advice. Yitro advises his son-in-law to set up a court system where he would delegate the easy problems to lower level judges and only judge the most difficult cases. Moses ends up taking Yitro’s advice and sets up a full court system.

I believe there are a many lessons in this story that apply to engineers. Firstly we see that since the dawn of time father-in-laws have been telling their son-in-laws what to do. Apparently this trait is in our DNA. Secondly we learn that Moses was the world’s first Project Management Professional (PMP). Yitro literally invented Project Management. Thirdly, we learn the value of delegating responsibility.

As engineers, how often do we try to solve a problem ourselves instead of asking for help? Like an engineer who never took a literature course believing that people want to read his blog…purely hypothetical.

Click to Subscribe

What has the lack of delegating meant for the cybersecurity of our embedded systems? Engineers designing a radio are focused on RF propagation and those developing a vehicle are focused on fuel efficiency – as they should be. However the new reality of the Internet of Things means that everything is connected and everything can become an attack vector. Many engineers are not equipped for this new reality. Instead of asking for help, they kick the can down the road to the platform certification stage where the redesign increases schedule delays and cost. For instance, in a recent study of weapons systems, the GAO estimated that system redesigns increased development time twofold and development cost threefold.

Some of our greatest leaders were expert delegators. It is important to understand the value of asking for help and to ask for it early. When TELEGRID is designing and developing a new product we will actively search out experts in every discipline. We probably do not need a mechanical designer of tanks to design a handset, but when a device needs to be MIL-STD-810G it is important to use the best. The same should be said of embedded software security.

Eric Sharret is the Vice President of Business Development for TELEGRID. TELEGRID designs and develops secure embedded systems for the US Military.

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  TELEGRID Technologies, Inc. will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post Moses the Project Management Professional appeared first on TELEGRID.

My guess is that Cam was so focused on beating the Arizona Cardinals that he did not want to think about the Super Bowl. How often in sports do we see the dominant team lose because they “looked past” the current opponent? How often do they disregard the easier team only to suffer an upset? Maybe Cam Newton made a conscious decision not to look past Arizona and get distracted from the job of winning the NFC Championship. Perhaps he would have gotten overwhelmed if he thought about all of the games between him and a Super Bowl.  Maybe he knew that the only way for him to accomplish his goal was to take it “one game at a time.”

This lesson is obvious to all of us Northeasterners who just emerged from our igloos on Sunday after Winter Storm Jonas. Looking out at the multiple feet of snow we knew that the only way we were ever going to clear our driveways was to take it one shovel at a time (or one phone call to the plow guy – not judging). If we started worrying about the hours we were going to spend, or the potential chiropractor bills, we never would have survived.

Click to Subscribe

So what can Cam Newton teach us about embedded software cybersecurity? Just like winning the Super Bowl developing a secure embedded system is really hard (but not nearly as cool). If we stand back and look at the breadth of the problem we can easily get overwhelmed. But, if we break the problem down into pieces we will make it through. Start with a FIPS 140-2 validated encryption engine, then focus on PKI and then build your application on top. Take each step independently and make sure you develop it correctly before you move on to the next step.

This is the reason TELEGRID developed its Embedded Security Framework (ESF).  The ESF is a structured collection of encryption and authentication modules designed to accelerate the design and development of embedded systems. It is based on TELEGRID’s 30+ years of design, development and production of embedded systems in the field of voice and data encryption, secure unified communications and management of networked encryptors. The ESF helps Government Engineers design STIG compliant embedded systems quickly.

Eric Sharret is the Vice President of TELEGRID Technologies, Inc. TELEGRID designs and develops secure embedded systems for the US Military.

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  TELEGRID Technologies, Inc. will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post Cam Newton, Blizzards, and Cybersecurity appeared first on TELEGRID.

The post 10 Commandments of Embedded Software Security appeared first on TELEGRID.

The Department of Defense released its report on defense spending by State for 2014.  It is no shock that the draw down in Iraq and Afghanistan, as well as Sequestration, have resulted in a major reduction in defense spending.  The value in this report though lies in the incredibly detailed breakdown of defense spending by State and County.  This report is not only valuable to defense contractors, like TELEGRID, but also to ordinary citizens who want to see what this impact will have on their local economy and housing market.  Below are some highlights of the report:

From FY2011 to FY2019 real defense spending is expected to decline by 28%. From FY2013 to FY2021 defense spending will be reduced by $454bn

The 5 states with the largest defense spending as a percentage of GDP were Virginia, Hawaii, Alabama, District of Columbia and Alaska. The state with the lowest defense spending as a percentage of GDP was Oregon.

The 5 states with the largest defense spending (in dollar terms) were Virginia, California, Texas, Maryland, and Florida. The state with the lowest defense spending was Vermont. The 10 states with the highest DoD spending accounted for almost three-fifths of total DoD spending in the nation.

To see how your State and County performed click here.

The post Defense Spending by State – Report Released appeared first on TELEGRID.

In the past two weeks TELEGRID engineers gave presentations on Embedded Software Security and attended talks on M2M cybersecurity, IPv6 security flaws, and personal cybersecurity best practices.  Since TELEGRID designs embedded software security tools for the US Military all of these talks were aimed at the Government.

As we sat and listened we began to notice a common theme.  According to the presenters, Commercial cybersecurity is head and shoulders above the Government and the only way the Government will defeat this enemy is to learn from the Commercial sector (and pay the consultant giving the talk).  We were therefore quite amused to read in this month’s issue of Harvard Business Review, the de facto bible of Industry, that HBR believes that the Government is in fact better than the Commercial sector at cybersecurity.

We think the simple takeaway is that cybersecurity is difficult and everyone feels like the other guy is doing it better.  We also think Government engineers should print out this article, hang it on their wall and show it to a consultant the next time they are told they should learn from the Commercial sector.

To read the Harvard Business Review article Click Here.

The post Government vs. Commercial Cybersecurity appeared first on TELEGRID.