Wednesday, July 31, 2019

Planes are in danger! Not this false news again.... U.S. Issues Hacking Security Alert for Small Planes


Attention all shoppers.  A plane left unattended can be sabotaged!  

Hide your children, the Germans are coming!

These stories are such bullshit!

Sure... someone could develop an attack that involves flashing the memory of my Garmin 430.  Aside from the fact that it takes a special dongle, is a royal pain in the ass to do legitimately, takes a seriously long time when you are waiting under the cover of the night trying not to get caught..... and since you would have to do it to many many planes for this to become an overnight issue.......not really likely unless you're part of a "dumb" terrorist group.

Keep in mind that if one such event happens it would spark an entire investigation and countermeasures would be dictated.

Even if you are trying to off your ex-wife it would be an extremely complex endeavour with seriously uncertain outcomes mostly falling back to you going to jail to enjoy a stainless steel potty.

Let's look at the countermeasures in place.

As I mentioned many times, planes (especially small ones) have a nervous pilot sitting in that seat that is constantly checking numerous instruments and mentally correlating data from numerous sources, looking for.... you guessed it....anomalies!  Pilots also perform preflight checks:  Brake lines=dry (check),  oil level=check, avionics=check, altimeter calibration=check....

Second countermeasure lies in the hands of our dear friends at ATC (Air Traffic Control) who would let you know.... trust me.... if you are off track or at the wrong altitude.  

Third risk reduction factor goes back to the pilot, who looks out the windows.  If your flight computer (for lack of a better term) tells you that you are at 5500 feet and your physical altimeter indicates 1000 feet....  you would notice.  Same goes for when you glance out the window.

Novices will argue that the attacker could also hack the physical altimeter, which simply indicates they have no clue how one works, since making the readings match on both the physical altimeter and the flight computer simply is not attainable without swapping the entire unit out, which involves partial disassembly of the plane's dashboard and a replacement that would have to communicate with the onboard basically not achievable.

Also most pilots of small planes use a flight application like ForeFlight on their iPads... well guess what.... the iPad also indicates your altitude and the screen turns red when the terrain becomes dangerously low.

So all in all, this news story is meant to grab headlines, but is mostly meaningless.

Where it is not meaningless is for the security industry. We (along with the aviation industry) must continuously stay alert and be aware of these shortcomings and ensure that they do not translate into "safety" issues. Doing research like this helps understand the complex interactions between aviation systems and helps build roadmaps for better technology.

That is the big difference between news articles and real life.  Does it really matter in context?

In the aviation world, security issues are common; however, mitigation mechanisms exist to bring these risks to acceptable levels and to ensure they do not become "safety" issues.

In the business world for many cases this is true, and in equally many cases, this is not true.  Because business is about making money not safety.

In the aviation world, aside from a clear screw up by the FAA & Boeing with their questionable certification of the 737 MAX 8, safety remains paramount and all involved do a superb job at keeping passengers and pilots "safe".

Cyber Security as a whole can learn a lot from the aviation industry in that respect.

So to my nervous friends who think little planes will start falling out of the sky... relax.... it just isn't going to happen.

My airplane is parked at a low security field near Montreal.  I have absolutely ZERO stress about my avionics safety even with my frequent speeches about how powerful people are failing society.

News like this, one week before the world's largest security conferences, reminds me of the year that someone reported that planes had been hacked to fly sideways. Yes, folks, the laws of physics can be hacked (just kidding....). Always be cautious and curious about news headlines as they rarely reflect true facts.

To any curious security friends, please join me at the DefCon Aviation Village next week where we can have a long discussion about context and safety in aviation.

Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

Tuesday, July 9, 2019

Desjardins part deux: Wow.... do we actually want to fix this problem?

We are not scoring high on the smart scale this month.  

On the right track? Sadly... no...

The problem is that banks practically hand out credit blindly and senior executives have ZERO accountability or personal liability when they screw up your credit file.  They then team up with their "buddies" at the credit bureau to make you feel like they are helping you while you are left with a nightmare to solve that can take years.


New laws fall from the sky, always missing the point. New York now has a new disclosure law that is aiming to ensure that we are told when our data is breached. But what about when our data is used? Nothing yet. We are way too busy making ourselves look good because we are putting in very strict laws to tell you when your data has walked out the door. Silly data. Data that has walked out repeatedly over time.

Hey, heads up, it is too late.

When your information is used to create ANY form of credit application, you should be advised.

And when a bank gives credit to the wrong "you", you should be fully protected.

Since big banks have all the power, you, the "customer", have no such protection nor will you anytime soon.

The banks have all the power, and they have the last say. They also really want to hand out credit because well... they are kinda loan sharkish, and sharks like fresh meat.

Every bank to ever exist...

So it is totally normal for banks to hand out credit cards and loans like cotton candy at a county fair.

How crazy is this: Credit applications handed out while you wait in line to pay at a department store. Offering you (or anyone who says they are you) instant credit and a generous 10% discount on all today's purchases if you sign up for a new credit card that will be approved on the spot! How is this legal...

And, let's face it, someone who is hired to get credit applications filled out and whose salary is directly attached to how many credit applications they push out.... is most certainly the highest quality of authentication.

The fact is these credit applications all rely on using identification data, never really authenticating the person since our current credit system has no digital ID or other modern means to do so.  So, granting someone credit is easy, charging their current purchases to this new credit card is common, and out the door they go because the banks do not care, and will not be held liable past the fraudulent transactions.   Two weeks later, the real person gets their new credit card along with a welcome letter and a $3000 bill for things they never bought and they are left with a near impossible task.... clearing their credit file of this mess, and not paying the $3000....which can take a very very long time.

Desjardins pointed 2.7 million souls to a dysfunctional service called Equifax who predictably failed. In the meantime, no one thought it would be a good idea to freeze the credit files for all 2.7 million until they figure this out. Once again, push the problem down the road.

Equifax is a "for profit" organisation. So are banks. They shouldn't be trusted with the information they have. And all this is done unwillingly by citizens since the banks send all your sensitive information to these credit bureaus.

So in short, as far as crisis management goes, it was written in stone that this wouldn't work, but crisis management calls for a Teflon™ approach and someone needs to appear to be doing something.

Well, big surprise, what is being done remains mostly wrong in the long run.

The difference between a cybersecurity professional and a Good cybersecurity professional is root cause analysis combined with taking actions that actually reduce the risk.  Not security theatre, or putting in place yet more alerting mechanisms when your data is exposed.  We know... that ship has sailed... repeatedly.

Society has all their panties in a bunch over a trusted employee leaving with what is essentially a client list.  This happens way more than you think.

Yes, this is terrible news.  Yes Desjardins shouldn't allow people to export entire segments of databases that include entire birthdays and entire social insurance numbers.....

But.....  we shouldn't rely on these meaningless artefacts that date back to the Cold War in order to award credit unless the issuer is willing to take full responsibility.

News agencies are hitting Desjardins again with news that another employee defrauded Desjardins of over $300,000. This is almost business as usual for a bank. Most banks fire someone every week because they did something unacceptable. This doesn't mean they lose $300,000 every week; this case alone was spread over 8 years. Employees abusing their power in banks is way more common than most think. It also has nothing to do with data exposure, so why are news agencies riding the bus and hitting Desjardins yet again with meaningless news stories? Just to try and make them look bad? All banks have this issue. And while they are writing about this, they are not actually putting pressure on the right things.

So back to identity theft...

The reason this is so grave is directly attached to the fact that WHEN you get your identity stolen (used), you are left with a mess and no means to fix it without grave consequences and a task worse than assembling an IKEA kitchen in a dark room with no instructions and your wife and three kids asking "is it done yet" every 5 minutes.

The problem is twofold.

#1 We have no concrete, modern and secure way of attaching obtained credit to a biological human being.

#2 We have no way to clean up the mess that is caused when someone creates falsified credit under your name (and this shouldn't happen in the first place).

Make banks accountable.  Make senior management accountable.

Accountable = penalties paid out of their pockets, not the shareholders.

So I really wish we would stop referring to us as the banks' clients, since we are not, and we are simply pawns used as leverage to play a financial game for them.

I would ask our current government to make drastic changes to our banking regulations. I would ask the privacy commissioner to be right behind this:

If ANY credit institution grants credit to someone who is not me and puts it on my file, they should be held FULLY liable and I should not only get my entire credit profile cleaned up, I should get a huge check in compensation for their error, and while we are at it, they should be fined significant penalties directly to their senior management, not the shareholders.

Let's face it, ALL traded companies are in it for the cash, and ALL of management is focused on short term gains with short term objectives and short term bonus structures that work directly against protecting your credit.

HIPAA applied in US health care is a gold mine of wisdom in this area.  They wrote the law expecting people to lie and built in the penalties based on your level of competence versus honesty.

Three scales are applied when it comes to penalties (which can include jail time for executives).

Level 1:  You had no way of knowing (yes, you still get a fine)

Level 2:  You should have known if you did your job with reasonable competency (bigger fine).

Level 3:  You knew and didn't take action, or worse, you clearly covered it up, etc. (huge fine and potential jail time)

They wrote it right into the law!

So what gives with our privacy laws?

We need banks to take responsibilities for their interactions with their credit bureaus because these bureaus certainly are not "our" credit bureaus.

So here is the call to arms that we should all be forcing our government to impose in reverse order of importance:

3) Better digital ID (blockchain enabled, with mechanisms to prevent oppression, etc.)

2) Replacement of "for profit" enabled credit bureaus (an obvious and complete failure as it stands today)

1) Severe penalties including personal liabilities for senior management (including criminal penalties targeting executives when willful blindness is in play) for any screw up to a person's credit file, including imposed clean up of such screw ups without the citizen having to suffer for months or years.

So dear media, dear government, and dear privacy commissioner, stop talking about Desjardins and their evil malicious employee (they got the memo), start talking about the real issues and start addressing them.


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.


Will we one day have a provincial digital ID card that truly secures your banking transactions?

I did an interview this morning on QUB Radio based on an article in the Journal de Montréal that was published today and that disc...