
Volkswagen Emissions Software Scandal

“Volkswagen says 11 million of its cars have emissions-test-beating software.” – Fox News.

According to an NBC report, the U.S. Environmental Protection Administration (EPA) announced that Volkswagen had surreptitiously equipped its diesel vehicles with software designed to recognize when those products were being tested on a dynamometer, essentially an automotive treadmill. In such a situation, the full complement of emissions controls systems would operate at their maximum, bringing the vehicles into compliance with U.S. – and even tougher California – emissions standards. But once the testing was over, according to the EPA, the vehicles would change over to a different mode, effectively allowing emissions levels to increase by as much as 40 times.

I have to admit, I’m impressed with the simple, yet sophisticated software embedded in these vehicles. The engineer who developed the Volkswagen software to beat emissions testing equipment should never be without work again, after inevitably getting fired from VW in the coming days, and I’m sure he’ll just be the first of many up and down the management chain. I can think of many cyber security firms that would hire this individual for his hacking/malware skills. To build a piece of software that detects the type of equipment it’s interfacing with and, in real time, adjusts the performance of the vehicle before going dormant is brilliant.

Is It or Isn’t It “Malware”?

Calling the undocumented feature “software” might be incorrect, as many would label it “malware.” According to Kaspersky Lab’s malware definition, “[Malware] is short for malicious software and refers to any computer program designed to do things that are harmful to or unwanted by a computer’s legitimate user,” so Volkswagen’s “emissions software” may indeed be “emissions malware.”

THE CASE FOR – Clearly the intent was to purposefully bypass testing equipment and put the car into a mode where performance was stellar. If the vehicle’s tuning was in a state of low performance prior, then turned to maximum performance during the test, to only return to low performance, then it’s hard to argue there wasn’t malicious intent. From the reports, it seems like this was the case; therefore, I believe we have been duped.

THE CASE AGAINST – Now I will embrace the merciful side of my personality. Perhaps said brilliant engineer wasn’t so bright and built a piece of software for Volkswagen’s internal emissions testing purposes, to determine vehicle maximum performance settings by country for shipment. That would be a great test program for that purpose, but perhaps it’s a sign of something different, like a flaw in their process. Maybe this software was loaded into the vehicle’s test build via their configuration management system but wasn’t excluded from their production build for shipment. If this was the case, then the engineer who built the code might be off the hook, but the process and config management people would be in the hot seat. Another possibility is a flaw in the code logic. Maybe the intent was that after maximum performance was determined, based on how the car was tested, the software was supposed to use that “state” as the default instead of regressing back to low performance as the default. It might be a case of missing logic. Sounds like a great case for a software testing firm to take a look at the code to see if intent can be determined from the fingerprints in the code.

Ultimately, the classification of this little beauty inside Volkswagen’s cars will be left up to the courts and lawyers, but regardless of the final outcome, Volkswagen is paying for what comes down to a software quality issue.

What’s the So What?

Software is eating the world and the sooner automobile makers realize this, the better off we all will be. The days of driverless cars are coming faster than we think, and from collision warning sensors to infotainment, your car’s software is exponentially more complex than the hardware it rides on. This means that automotive cybersecurity is a mounting issue that will need to be addressed.  

News outlets are reporting that VW has reserved as much as $7B to clean this mess up, and their stock price dropped 17% yesterday, resulting in a loss of billions in value to shareholders for what could have been a faulty or missing code logic, mismanagement of files/builds or intentional malware loaded onto vehicles without management knowing. Either way, the days of software being treated like a second-class citizen inside auto companies are gone. Auto executives need to dial in their awareness of software security, cyber and quality defects if they don’t want their lunches to be eaten by the likes of Tesla, who puts software first.


Rob Cross
PSC Vice President

Written by Rob Cross at 05:00

One Step Forward, Ten Steps Back in Cyber Security

This past weekend, my wife and I went to visit our local jeweler to have our wedding bands repaired after many years of wear and tear. The owner of the store is your typical small business jeweler. He opens and closes his store, mops the floors, cleans the jewelry – and everything in between, including managing his own IT infrastructure.

My wife and I were the only ones in his store at the time, and he kindly asked about my business, which I described as a software security consulting firm. This piqued his interest, and he began to engage me in "techie" talk. He showed me his backroom, full of state-of-the-art equipment. He had everything Apple, from desktops, laptops and iPads to high-end gemology equipment; it was quite impressive. 

As we were checking out, our jeweler chuckled and said, “You’re probably going to laugh later about how much of an idiot at technology I am,” and he turned his screen to show me that his point-of-sale (POS) system is still a DOS-based system. It was quite a nostalgic moment – it has been forever since I have seen a DOS-based system. With shock, I asked him why he never upgraded. His explanation was simple. Like the rest of us, he reads the papers and listens to the mainstream media and has been bombarded by stories of hackers and cyber attacks over the years. His logic was, “What hacker out there is targeting DOS-based systems?” He continued to justify this by telling me that his most important customer data is stored in this DOS-based system and that he can’t afford to lose it due to viruses or a hacker.

Idiot or Idiot Savant? 

This resulted in a vicious debate inside my brain regarding whether his strategy was complete gross negligence or utterly brilliant. He is perfectly content with this system and its functionality. It offers the basics of what he needs to manage his customers and it continues to work great. One could argue that he did a very smart thing by keeping it simple – if it’s not broken, don’t fix it. Of course, I could also argue that by not upgrading or backing up his machine, he's one crash away from trashing his data; so, why not upgrade and just keep that computer as a standalone system? 

Who Will Inherit Cyberspace? 

As I continue to think it through, I have flashbacks to movies where aliens invade the planet and we’re reduced to simple forms of communication, such as Morse code (thank you, Will Smith and Independence Day). Have we arrived at the same juncture in cyberspace, where things have gotten so bad that we’re now reduced to dialing back the clock to the days of the green screen, the Morse code equivalent?

The Tide is Changing

In the wake of high-profile breaches (e.g. Target, Home Depot, Sony), as more executives in the C-suite begin to feel the heat for under-investing in cyber security, I have high hopes that the rest of us will benefit.

If we as consumers demand and hold our favorite brands accountable, then perhaps small business owners, such as my jeweler, can crawl out from under the stones of MS-DOS and regain confidence in current software that could foster potential growth.

I feel confident that the tide will soon change, cyber security will become a greater priority, and everyone from big businesses to tiny consumers will be better off for it.


Rob Cross
PSC Vice President


Written by Rob Cross at 05:00

Everything You Need to Know About Cyber Security You Can Learn From Your Plumber

Is it me, or do the headlines regarding compromised Point of Sale (POS) systems keep increasing in frequency? Let’s not kid ourselves, there have been some pretty big breaches: Target, Home Depot, Apple iCloud, and as of today, Jimmy John’s. To cyber attackers, retail is the new banking sector!

One of my best friends, Don, is a plumber and also a Captain in the Newark, New Jersey Fire Department. This guy works harder than anyone I know, and he’s probably one of the brightest guys I know. I always tease him that he should write a book called “Everything You Need to Know in Life You Can Learn from Your Plumber.” 

Interestingly, his solutions are always equated to how he would approach a technical problem from a plumber’s standpoint. 

FLY ON THE WALL

A conversation with Don:

RC: “Did you hear about Home Depot getting breached by a cyber attack?”

Don: “I don’t understand what’s so difficult. Let me tell you what we do in plumbing. When a homeowner doesn’t like what’s coming through the pipes, like the way the water looks or tastes, we test the water. Based on the water test results, we can put on layers of water treatment solutions to eliminate the threats, and then we can offer periodic testing. In fact, there are systems now that can do real-time monitoring of water quality and alert us when there is a change.”

RC: “First it was Target, and now it’s Jimmy John’s … who’s next?”

Don: “In plumbing, water finds the path of least resistance; even the tiniest of holes in a pipe or structure will, over time, be found and exploited. Next thing you know, the hole gets bigger and things get ruined. There is always constant isometric pressure of water inside your home or business, and if it’s not contained properly, it will run amok. This cyber problem sounds no different to me than what I deal with daily.”

RC: “It’s scary stuff and every time I pull out my credit card to pay for something at a store, I think twice now.”

Don: “Rob, that’s why cash is king. Let those cyber idiots try to interfere with that transaction. If I don’t have the cash, guess what? I don’t buy it. Cards are for convenience, at the cost of security and trust, and it’s obvious to me that stores aren’t smarter than the bad guys, so why should I entrust them with access to my identity, which could lead to my money. The hackers always win.”   

Don: “I don’t understand why everyone doesn’t use PSC’s software security service. No plumber is allowed to self-inspect his or her own work. There are companies out there building pretty cool and important stuff with software, and I don’t understand why they trust themselves more than your company to offer an outside opinion. I don’t get it.”

RC: “It’s not an easy answer. Companies do what they feel is right, and oftentimes, that decision is tied to how it impacts revenue or competitiveness in the marketplace. Our customers realize the software security and quality battle is about data and not what technologies are used to identify the issues. Once they make this shift, it begins cascading through the culture of their company to be driven by data instead of opinions. I’m sure in your business there are homeowners who install their own under-the-sink filtration systems and then never check their water again or don’t change their filters regularly. They feel safe because they have purchased the “tool” that is supposed to catch the harmful things. Essentially, they are making their water potentially worse for their family. There will always be someone out there that you will never convince that you can do a better job and approach their water problem from a different perspective and provide better tasting water beyond their imagination. To them you’re just the plumber that only fixes pipes and not water quality problems. It’s no different in my business.”     

Don: “Hm … but my customers aren’t building things that could potentially kill someone, cause the market to crash or cause damage to their brand in the market. You won’t find me shopping at Home Depot anymore.” 

Don makes a valid point, right? This, of course, is why I have been urging him to write a book – believe me, his brilliance doesn’t stop at the current state of cyber security in retail. 

THE FUTURE

I don’t know if Apple Pay will save the day, or Bitcoin, or Zerocash. What I do know is that companies need to put aside more of their budgets to address cyber security on an ongoing basis. An unbiased opinion can provide valuable information that could make or break the future of your brand and the loyalty of your customers.


Rob Cross
PSC Vice President, DCG Sales

Written by Rob Cross at 05:00

Medical Devices Face Cyber Security Threats

Holy Heart Attack Batman! It’s amazing how much software touches every aspect of our daily life, from the furnace in our homes to pacemakers. Software intensive systems alone have an element of risk to them. However, once these systems are connected to a network and “on the grid,” there’s a whole new risk involved with these systems – cyber security.

The referenced article from Reuters discusses the FDA’s recent warning about the vulnerability of medical devices connected to a network. The article cites research stating that medical devices connected to a hospital’s network can be taken over and manipulated by the controller – without the hospital staff knowing. Yikes!

I know you’re thinking some of the same crazy things I’m thinking. Imagine a patient in the ICU on a ventilator, who is also receiving medication via an IV infusion pump. Both machines are connected to the hospital network and monitored centrally at the nurse’s station, so in theory, they are “on the grid.” What’s to prevent a hacker from developing a virus to specifically target such devices and implement malicious behavior, such as shutting down the ventilator or increasing the dosage of medication to our fictitious patient? According to this article, nothing is really stopping that from happening. That’s not only crazy but also scary.

Now, let’s reel the crazy back in and look at reality. This is a wake-up call, not only to the medical device industry, but to all industries making network enabled products. If a product is “on the grid,” it’s a target for hackers and measures need to be taken to protect customers from malicious attacks. One of the common mistakes we see hardware-centric companies make is under-investing in their software capabilities because they don’t understand software but know it adds a lot to their bottom line. They’re hooked on the revenue.

For example, let’s add an LCD display to refrigerators, connecting your Tumblr, Facebook and Pinterest accounts to it, along with a calendar, to-do lists, grocery lists, etc. The maker of the fridge can pump up the price $600 - $1,000 with this new sexy feature. Sounds great – until someone finds a way to connect in through your unsecured home network and shut down your fridge, resulting in a loss of $1,000 worth of perishables.

I’m sure we could come up with hundreds of examples. Again, from our cars to TVs, everything is becoming a target.  

For the executives of such companies who might be reading this, from all of us consumers out here, be in it to win it! Don’t treat software and software security as second-class citizens. Your brand can’t afford to take the hit and we can’t afford to become mass targets of opportunities.

Until my next post, stay healthy and out of hospitals!


Rob Cross
ProServices, Vice President

Written by Rob Cross at 05:00

Is Your Company Prepared to Defend Against a Hacker?

Life has changed as we know it, and nothing is untouchable now, including your company’s brand! Example?

2.4 Million Credit, Debit Cards Hacked at Schnucks Markets

I’m not sure what to think anymore when you see the CEO of a grocery store chain called Schnucks explain how 2.4 million credit card numbers were stolen from their systems by cyber hackers. I live in New Jersey and have never heard of Schnucks before in my life, but their website indicated that they were founded in 1939 in North St. Louis as the well-loved, neighborhood grocery store.

Pictured here are Edwin and Anna Schnuck back in 1937 (source: http://www.schnucks.com). These were the good old days before credit cards and cyber hackers. Everyone knew their butcher, pharmacist, mailman and barber by first name. In fact, Schnucks is known as “The Friendliest Stores in Town.”

Seventy-six years later, they have more than 15,000 employees and more than 100 stores. More importantly, they are on the “grid” and have been a target and victim of cyber attackers. It took this company 76 years to build their brand and a loyal customer base, but it took hackers less than a day to exploit this wonderful company’s unfortunate vulnerabilities and tarnish their relationship with their customers. Shameful, awful, horrific, and I’m sure if Edwin and Anna were still alive, they’d find it all very confusing.  

What is cyber security, and why didn’t the “Friendliest Store in Town” have the systems in place to be the unfriendliest target to cyber criminals? I don’t presume to have the definitive answer for either question, but I have some thoughts.

From my simple point of view, cyber security comes in many layers: social engineering, network protection, application security and database assurance. All are intertwined, and the weakest link cliché does apply. Because my company focuses on application security, I can speak knowledgeably on this topic. Regardless of whether Schnucks or other businesses do their own application development or they purchase commercial off-the-shelf or custom solutions, each should have its own strategy for identifying security risks and vulnerabilities.  

Trust But Verify!  

“Different strokes for different folks” applies here. Some companies prefer to do all in-house development so they can control their risks. Others buy software from vendors, feeling they have shifted the burden of risk to their vendors because lawyers were brought in to clearly define this shift in responsibility in the contract.

From the perspective of a company’s brand and the precious relationship it has with its loyal customer base, this burden should never be shifted, and proper process and controls should be in place. My company performs numerous software security audits every year across different industries, and it’s the exception, not the rule, when we come across an application that has zero security flaws. This applies to both in-house developed and third-party applications.

Even though your company may trust its employees and your long-time vendors, you should verify that they have been following the proper process and controls. Your company’s brand is too important!  Whether it’s through a third-party, independent evaluator, like PSC, or an internal team firewalled from the vendor and internal team, your company should be forensically analyzing the applications riding on your networks and interfacing with your employees, vendors and customers for security flaws.  

There are many reasons why this critical activity is overlooked or improperly performed, from schedule compression to no secure code training for developers.  Not factoring these weak points into your software security risk model is fatal.  

As George W. Bush said, “In our efforts to discover and stop attacks, we have to be right every time; the terrorists only have to be right once.” This applies to your cyber security and application security posture. The cyber criminals only have to be right once and the hard work and millions of dollars you have spent in building your company’s brand, reputation and relationship with your customers can be erased in a nanosecond.  

On a positive note, this week at Schnucks is Super Triple Coupon Week! I wish them all the best in building back the trust of their customers. Triple coupons would get me back in the stores, but it’s up to them to ensure the security of their software!

Rob Cross
ProServices, Vice President

Written by Rob Cross at 08:00
