© Critical Informatics Inc., All Right Reserved 2016
Tech Takedown Blog, Critical Informatics Inc.

Lack of Disclosure of Known Vulnerabilities is a Threat in Itself
2/10/2016, by Jeremy Johnson, Lead Consultant

Imagine a world where you're an auto mechanic. One day, while working on a client's car, you discover the seat belt bolts are made of plastic. Shocked, you investigate further and find several other critical safety issues with the vehicle. The door locks don't actually lock the doors (visually, it looks like they're locked), the coolant isn't actually distributed throughout the engine and instead just sits in a container in the engine, and the mirrors have all been replaced with realistic photos.

To the everyday person, nothing appears to be wrong with the car. The engine turns on and transports them from one point to another without causing many problems. To a mechanic, the car is a disaster waiting to happen. Dangerous safety and reliability problems are present, and it's only a matter of time before a catastrophic failure results in serious injury, or worse.

Now imagine that in this world you can tell the owner and the manufacturer about the problems, but nobody else. In fact, just opening up the hood of the car possibly broke the law. Without looking under the hood, you would never have discovered them. If a family member asked you which car to buy, or avoid, you are not allowed to use your new knowledge to advise them.

You advise the customer, who is rightly shocked and doesn't quite understand how this can happen, or how serious the problems are.

Then you go on to advise the company. At first, they're not responsive. They don't believe you. When they finally do believe you, you're informed they're "working on a solution". Months go by. People continue to buy and drive these unsafe cars. Frustrated, you again contact the manufacturer, who informs you that they don't think the problems are that serious. Now intensely concerned about others' safety, you inform the company you will tell everyone about the false door locks. The company responds by threatening a lawsuit.

Meanwhile, news reports start trickling out about increased car thefts. To most people, this might sound like a random increase. You, however, know the increase means the criminals have figured out the doors don't lock properly. People are already being affected, and you're still not allowed to share what you found.

Finally, the car company comes out with a fix and a recall. They fix the door locks and they fix the seat belt bolts, but they omit the false mirrors and the coolant problem.

-----------------

That world exists today. The cars are software, and the mechanics are computer security researchers. Every day, researchers are finding vulnerabilities in common software and often are not allowed to talk about or share their findings. Certainly, giving the manufacturer time to fix the problem before publication is the responsible way to get it fixed. However, all too often companies are unresponsive or outright hostile to these findings.

Meanwhile, attackers are finding these same software flaws and exploiting them. These flaws exist in all manner of software and hardware devices: everything from ubiquitous desktop software such as Adobe Flash to less common devices like Internet-connected cameras, radios, and industrial control devices.

Reporting these flaws is critically important. Failure to do so gives our attackers the means and opportunity to hide and strike from the shadows.

At Critical Informatics, where our customers are primarily government organizations, we are focused on making the world a safer place. Very often, we discover these unknown vulnerabilities while performing client work. We need our clients' insight to resolve these vulnerabilities with the vendor, and we are always appreciative when we do get it.