Attacks on Mobile and Embedded Systems: Current Trends

8/8/2019 Attacks on Mobile and Embedded Systems: Current Trends

1/18

Attacks on Mobile and

Embedded Systems:Current Trends

Introduction

A Brief History of Hacking

Hackings Dangerous Third Wave

Conclusion

References and Further Reading

Revised April 30, 2009

350 Sansome Street

Suite 1010

San Francisco, CA 94104

415-617-0055 Phone

866-213-1273 Toll Free

[email protected]

www.mocana.com

Copyright 2009Mocana Corp.


2/18

Attacks on Mobile and Embedded Systems: Current Trends Free evaluation code at www.mocana.com/evaluate.html

Introduction

In todays world of ubiquitous computing, cyberattacks are becoming morevirulent, costlier, and larger in scope than ever before. Unlike previous

incarnations of hacking, current attacks on computer systems are professionally

coordinated, multifaceted, and motivated by the promise of profits on a massive

scale.

With millions of new electronic devices connecting to the internet every day,

hackers are increasingly focused on a new type of target: mobile and embedded

systems. Such systems include point-of-sale terminals, wireless routers, smart

phones, networked office machines such as printers, and even the utility

infrastructure.

In March 2008, European authorities uncovered a credit card data siphoning

operation using point-of-sale terminals manufactured in China. The scam involved

conspirators in several countries, including workers at the Chinese factory.

Before the point-of-sale readers were sent to Europe, they were hacked with

a tiny, extra chip behind the motherboard. Once the machines were installed,

their specially programmed chips siphoned off customers credit card dataat

unpredictable and nearly undetectable intervalsand relayed it from Europe to

Pakistan. The thieves made off with at least $50 million before the scheme was

discovered [H4].

Cutting-edge hackers are acutely aware that many of the security procedures

and applications in use today have been designed for PC workstations, and are

thus unable to thwart attacks on mobile and embedded systems. Smartphones,

for example, remain notoriously insecure, yet they are gaining popularity as

platforms for exchanging confidential data and conducting financial transactions.

Billions of dollars are at risk as people do more and more of their everyday

banking and shopping on mobile and wireless devices. Even heart pacemakers

have joined the networked world and are now vulnerable to hacking.

Perhaps most ominous of the new hacking trends is the upsurge in cyberattacks

against our utility infrastructure. If hackers continue to attack the so-called smart

grid, which connects sensors and control systems with sophisticated computers

and networks, they could bring our nations commerce to a standstill, endanger

lives, and put our national security at risk.

.last year[2008] now

appears to have

been a turning

point in the

professionalism

of cyber crime.

The software

development

skills anddata mining

capabilities of

organized crime

are believed

to be second

to none. They

(whoever that

is) are stealingvast amounts of

our data, though

no-one really

understands

the logic in their

targets.David Lacy, Computer Weekly, March 4,

2009 (http://www.computerweekly.com/

blogs/david_lacey/2009/03/apocalypse_

soon.html)


3/18


In this dangerous new interconnected world, we need to take a serious look

at what types of hacking strategies are being employed today, and implement

security solutions that are designed specifically for mobile and embeddeddevices. This paper attempts to highlight some of the latest attacks against

embedded systems, including mobile phones, medical devices, and the nations

electric infrastructure.

A Brief History of Hacking

Years ago, hacking was an amateur, underground activity, commonly associated

with thrill-seeking pranksters whose main intent was showing off their

computing prowess or expressing their anti-authoritarian sentiments. To be a

hacker was to have street credat least among the technologically savvy.

Although hackers activity was often illegal it was rarely malicious, and they

usually didnt fit the profile of career criminals.

Phone

Phreaking

1970 1982 1988 1993 2005 2009

TCP/IP

Internet Protocol /

amateur hackers /

BBSes

Paris Hiltons

T-Mobile USA

Sidekick hacked

Kevin Mitnick /

Increase in attacks

on commercial

enterprises

Increase in attacks

on mobile devices, em-

bedded systems, the

internet of things

FIRST WAVE SECOND WAVE THIRD WAVE

Hacking group

414s break into

Los Alamos Natl

Lab. computers

U.S. House of

Rep. begins hear-

ings on computer

security hacking

Morris

worm /

CERT

established

1977

Federal Computer Systems

Protection Act, defining

computer crimes & recom-mended penalties, fails to pass

2000

ILOVEYOU

worm infects

millions

within hours

Dmitry Sklyarov becomes 1st

person charged with violating

the Digital Millenium CopyrightAct (DCMA) at DEFCON

First DEFCON

hacking conference

held; becomesan annual event

U.S. GAO reports that in 1995,

hackers tried to break into

Defense Dept. files 250,000 times;

~65% of tries were successful

First RSA

Conference

held

Some of the early hackers of the 1970s focused on the telephone system.

Calling themselves [phone] phreaks, or phreakers, they helped themselves to

free long distance by simulating the sounds of phone signals. In the 1980s, when

personal computers became widely available, phone phreaks and other hackers


4/18


began using modems to connect to Bulletin Board Systems (BBSes), where they

exchanged messages about how to break into computers, steal passwords, and

wreak other kinds of electronic havoc. By 1986, hackers had threatened enough

government and corporate computer systems to prompt the U.S. Government

to make hacking a crime. In 1988, foreshadowing the types of attacks that lay

ahead, ArpaNET, the U.S. governments precursor to the internet, was brought

to a standstill by a hackers experimental, self-replicating worm program that

spread to 6000 of the networks computers.

Around the dawn of the commercial internet in the 1990s, a second wave of

hacking, which took on a more overtly criminal sensibility, began to emerge. One

of the most famous of these second-wave attacks was traced to the notorious

serial hacker, Kevin Mitnick, who was eventually arrested for stealing 20,000

credit card numbers.

Also in the 1990s, a group of hackers broke into Citibanks computers and

siphoned off $10 million to their overseas bank accounts [H5].

Since the early 1990s, hackers have developed a rapidly mutating and

increasingly clever repertoire of attack strategies: embedding rogue programs

in legitimate applications, installing keystroke recorders on unwitting users

computers, spoofing legitimate websites to phish for personal data, hijacking

database information through SQL injection attacks, and even enlisting massive

armies of zombie computers (botnets) to spew out phishing emails and spam.

Today, all classes of cybercrooks, from small-time con artists out to make a quickbuck to international crime syndicates, are logging into the global cybercrime

marketplace to buy and sell malware kits, stolen credit card numbers, how-to-

hack manuals, and criminalized software development services, in a shadow

economy worth over $750 million in 2007 [H2].

Hackings Dangerous Third Wave

Now, with the advent of what some technologists call the internet of

things (see Figure 3), we are encountering a third wave of hackingone that

encompasses not only wired computers and networks, but intelligent devices:

wireless phones, routers and switches, printers, SCADA (Supervisory Control

And Data Acquisition) systems, and even medical devices. This new hacking

wave is poised to bypass the amateur street-cred phase and move directly to

well-honed, massively coordinated, sophisticated attacks. It is now becoming

clear that hackings third wave will almost certainly include terrorist cyberstrikes


5/18


against the utility and industrial infrastructure (the smart grid)a danger we

can no longer dismiss as a spy movie scenario.

Electric Toothbrush:Automatically reordersbrush heads, sharesbrushing habitswith your dentist

Automobile:Maps traffic in realtime; others cantrack your location

Computer:Centralized control forremote interface toany other device

Media Player:Remotely ordersnew songs & video

Microwave:Automatically setscook cycle withRFID recognition

Printer:Automaticallyreorders toner andpaper as needed

VoIP phone:Automatic updates,integration andforwarding

Refrigerator:RFID tags reordersgroceries asneeded, andsuggests recipes

Alarm Clock:Remote programs,custom tones, turnson coffee maker

Coffee Maker:Custom setting foreach coffee type,starts when alarmgoes off

Oven: Ovensettings fromcomputer or phoneif running late

HVAC: Controlstemperature &lights for maximumefficiency

Television:Immediate one-clickordering of productsseen on commercials

Exercise Equipment:Recognizes individualuser and tracksworkout schedule

Vending:Automaticallyreorders suppliesbefore its empty

Cell Phone:Secure performs

identification &verification forpayments

Smart Scale:Measures andsends weight info forprogress tracking

Building Security:Security camerasinteract with facialrecognition database

Home / Bed Workplace Home / Bed

COMMUTE COMMUTE

Figure 3. The Internet of Things

This paper discusses several of these new attack trends:

Growing attacks on soft infrastructure targets

Long-predicted threats to cellular network & smartphones manifesting

themselves

The rush to network medical devices outpaces security

Ubiquity of easily-hacked RFID technology threatening privacy, driving the

growth of sophisticated identity thefts

Everyday home and office deviceshackers gateway to your network


6/18


7/18


8/18


not want any information about SCADA breaches to fall into the wrong hands, so

they fail to share information freely. According to Alan Paller, Director of Research

for the SANS Institute, A careful statistical analysis of validated control

system incidents at 22 major corporations indicates that the incidents are

far more widespread than commonly believed, the targets more wide ranging

and the attackers are not who we think they are. Even more ominous, the data

shows that getting into most control systems is surprisingly easy [S11]. For

example, in March of 2008, a nuclear power plant was accidentally shut down

because a computer used to monitor chemical and diagnostic data rebooted after

a software update. In another incident in 2008, a teenager in Poland rigged a TV

remote control to control the switch tracks of trams. There were four derailments

and twelve resultant injuries [S4].

Most frighteningly, attacks against SCADA devices are being carried out byenemy nations as part of a greater cyberwarfare strategy to sabotage the

U.S. economy and infrastructure. In the U.K., government agencies report that

attacks against infrastructure targets have increased dramatically. In June 2008,

the UKs National Infrastructure Security Co-Ordination Centre issued a public

advisory about a series of targeted attacks against the UK central government

and commercial organizations for the purpose of gathering and transmitting

otherwise privileged information[H8].

Trend #2: Long-Predicted Threats

to Cellular Network & Smartphones

Manifesting Themselves

Researchers are predicting that 2009 will be a significant year for mobile attacks

[H10]. With the rise of unlimited data plans, open networks, readily downloadable

applications, and the lack of strong security, hackers, spammers, and phishers

are now beginning to recognize the profit potential of mobile phones [M4].

Adding to the allure of mobile hacking for cybercriminals are the fraud

opportunities presented by the burgeoning mobile financial services market.

The number of active users of mobile banking and related financial servicesworldwide is expected to rise from 20 million in 2008 to 913 million in 2014 [M4].

The latest mobile phones are also the most vulnerable to attack. Smartphones,

such as the Apple iPhone and the Google Android phone, now come with

real browsers with JavaScript engines, exposing them to traditional browser

attacks, such as Cross-Site Scripting (XSS), Clickjacking, phishing, and other

A careful

statistical

analysis ofvalidated control

system incidents

at 22 major

corporations

indicates that

the incidents

are far more

widespread

than commonly

believed, the

targets more

wide ranging

and the attackers

are not who we

think they are.Alan Paller, Director of Research for the

SANS Institute


9/18


malicious techniques. These phones are also vulnerable to man-in-the-middle

attacks, in which a hacker could come between the phone and a web server and

offer malware in the guise of a legitimate update to one of the users trusted

applications. Other vectors for smartphone attacks include email, attachments,

web pages, MMS, Facebook, WiFi, and Bluetooth [M3].

As the iPhone and other smart phones continue to gain market share at a rapid

rate, hackers will increasingly focus their efforts on mobile devices. However,

it is doubtful that this new wave of hacking will go through an extended phase

of nuisance hacking as was the case with PCs, instead skipping straight to

for-profit hacking. Although the first iPhone or Android malware writers might

be motivated by street cred like earlier hackers, professional criminals are sure

to follow quickly. According to researchers, the newest of the 420 smartphone

viruses identified since 2004 have reached a state of sophistication that tookcomputer viruses about two decades to achieve [M6]. Figure 6, from McAfee

[M2], illustrates how mobile security threats have been increasing since the

introduction of popular smartphones.

2008

2007

2006

2008

2007

2006

2008

2007

2006

2008

2007

2006

2008

2007

2006

2008

2007

2006

2008

2007

2006

2008

2007

2006

60%

50%

40%

30%

20%

10%

0%

Networkorservice

capacityissues

Virus/spyware

infections

Voiceo

rtext

spama

ttacks

Third

party

application/co

ntent

problems

Lossofuse

rdata

fromd

evices

Phishinga

ttacks

inany

form

Privac

yand

regulatoryissues

Denialof

servicea

ttacks

Figure 6. The increase in security issues experienced by mobile device usersfrom 2006 to 2008; % of respondents. McAfee Mobile Security Report 2009


10/18


11/18


Trend #3: The Rush to Network Medical

Devices Outpaces Security

One truly scary attack trend is the growing offensive against medical devices.

A large number of medical devices, such as heart pacemakers, implantable

cardioverter-defibrillators (ICDs), bedside monitors, MRI machines, and portable

drug-delivery pumps, have a CPU and an IP address that enable them to transmit

and receive information, but also expose them to attacks.

Medical devices, which far outnumber hospital PC workstations, are usually

the softest targets on a hospital network, lacking firewalls, malware protection,

strong encryption, or even recent security or OS updates. Medical devices are

increasingly leveraging IP and common OS platforms that enable them to utilize

large libraries of software and communicate more easily. But in the rush toestablish common platforms and network these devices, security concerns have

been poorly addressed.

Mocanas CEO, Adrian Turner, says, The same types of attacks that have

traditionally targeted sectors such as consumer electronics are being directed at

medical devices, with potentially fatal consequences. Attacks were beginning to

see directed at medical devices include:

Sniffing (also called snooping) or eavesdropping.

Theft of sensitive information.

Data destruction.

Zombification. A zombie is a device attached to the Internet that has been

compromised by a hacker, virus, or Trojan horse, and can be remotely used,

without the owners knowledge, to perform malicious tasks [D4].

Bricking. This usually refers to damage to system software or firmware, which

would require a complete system wipe and reinstall in order to regain use

of the device. In the case of medical devices, this could entail sending the

product back to the manufacturer.

In a paper published last year by the Medical Device Security center about

pacemakers and ICDs, researchers described how they were able to hack into an

ICD and intercept private data transmissions [D3]. They revealed that ICDs could

be hacked to alter patient data or reset how shocks are administered. Tadayoshi

Kohno, a lead researcher on the project at the University of Washington, who has

studied vulnerability to hacking of networked computers and voting machines,

says that the risks to patients now are very low, but I worry that they could

increase in the future [D1].


12/18


Trend #4: Ubiquity of Easily-Hacked RFID

Technology Threatening Privacy, Driving the

Growth of Sophisticated Identity Thefts

One of the most common attacks on wireless networks is war driving, in which

hackers drive around a neighborhood, hunting for unsecured wireless nodes.

In the latest twist on war driving, a security expert cruised around Fishermans

Wharf, armed with a cheap RFID scanner and a low-profile antenna, and

managed to clone half a dozen electronic, wallet-sized passports in an hour.

This war cloning experiment was so successful, says the researcher, because

the type of RFID in the Homeland Securitys version of a passport emits a real

radio signal, which could conceivably be tracked from a couple of miles away.

Although no criminal hacks of passports or e-licenses have been detected to

date, this insecure technology poses a strong risk for identity theft and invasion

of privacy [R1].

In another RFID hack, anyone with $8 worth of equipment bought on EBay can

sniff the credit card number, cardholder name, and other personal information off

an RFID-equipped, smart credit cardwithout physically coming into contact

with the card. The problem with these contactless credit cards, says inventor

Pablos Herman, is that the data is decrypted at the point of sale by a machine

rather than at the card companys secure data center [R3].

Trend #5: Everyday Home and Office Devices

Hackers Gateway to your Network

In todays hypernetworked corporate environment, more and more office

machines are equipped with an IP addresswhich means that even a seemingly

harmless and mundane peripheral, such as a shared printer, can pose a

dangerous security risk. Hackers are increasingly exploiting long-forgotten

or ignored printers, faxes, and scanners to bypass firewalls and penetrate a

network. If, as one amateur hacker has shown, its possible to gain access to an

unsecured printer using just Google and a web browser, imagine what a hacker

could do with access to a fax machine and an outside phone line. [P1] No matter

how ordinary, every device on a network needs good security!


13/18


ConclusionClearly, weve come a long way from the days of phone phreaks and Kevin

Mitnick. The latest attack trends threaten not only our privacy, our data, and

our money, but our national security and even our lives. When the possibility

of hackers controlling peoples pacemakers is a topic of serious research, we

know were in a new world, one that holds the great promise of connectivity and

ubiquitous computing, but also the potential for criminality and disruption on a

grand scale.

To defend against the new wave of attacks, we need a strategy that is equal

to the adversarymultilayered, complex, and well-organizedand is focused

on the mobile and embedded devices that make up the internet of things.

The alternative to protecting these devices (mobile botnets and compromisedwater systems; out-of-sync heart pacemakers and stolen identities) presents an

unacceptably high risk.


14/18


References and Further Reading

[H1] Cisco, Inc. Cisco 2008 Annual Security Report, December 2008, URL: http://www.

cisco.com/go/securityreport.

[H2] Marc Fossi, Eric Johnson, Dean Turner, et al., Symantec report on the underground

economy, November 2008, URL: http://eval.symantec.com/mktginfo/enterprise/

white_papers/b-whitepaper_underground_economy_report_11-2008-14525717.

en-us.pdf, accessed: 2009-4-6. (Archived by WebCite at http://www.webcitation.

org/5gELyrFgr)

[H3] Merrick Furst, Richard M. George, George Heron, et al., Georgia Tech Information

Security Center Emerging Cyber Threats Report for 2009, October, 2008.

[H4] Siobhan Gorman, Fraud Ring Funnels Data From Cards to Pakistan

Wall Street Journal, October 11, 2008, URL: http://online.wsj.com/article/

SB122366999999723871.html, accessed 2009-3-20. (Archived by WebCite at

http://www.webcitation.org/5gF1zAfd1 )

[H5] Is Hacking Always Bad? Hacking Alert.com, URL: http://www.hackingalert.

com/hacking-articles/history-of-hacking.php, accessed 2009-3-20. (Archived by

WebCite at http://www.webcitation.org/5gELyrFhH )

[H6] Malware Trends: What Will Attack Us in 2009? H-Desk.com, Nov 25, 2008,

URL: http://www.h-desk.com/articles/Malware_Trends__What_Will_Attack_Us_

in_2009__a45_f0.html, accessed: 2009-4-6. (Archived by WebCite at http://www.

webcitation.org/5gELyrFhl)

[H7] Networking and Information Technology Research and Development Program

(NITRDP), Networking and Information Technology Research and Development,

Supplement to the Presidents Budget for Fiscal Year 2009, February 2008.

[H8] Pinsent Masons LLP, Hack Attacks Shift to Applications, November 23, 2005,

URL: http://www.out-law.com/page-6374, accessed: 2009-4-6. (Archived by

WebCite at http://www.webcitation.org/5gELyrFhS )

[H9] Sophos, Sophos Security Threat Report: 2009, 2008.

[H10] Trend Micro, Inc., Trend Micro 2008 Annual Threat Roundup and 2009 Forecast,

2008.

[H11] ZScaler, 2009 Web Security Predictions, January 6, 2009. URL: http://research.

zscaler.com/2009/01/web-security-predictions.html , accessed: 2009-4-6. (Archived

by WebCite at http://www.webcitation.org/5gELyrFhc )


15/18


[M1] Bill Brenner, Mobile Malware: What Happens Next? CSO, November 13, 2008,

URL: http://www.cso.com.au/article/267157/mobile_malware_what_happens_

next?pp=1, accessed: 2009-4-6. (Archived by WebCite at http://www.webcitation.

org/5gELyrFij)

[M2] McAfee and Informa Telecoms and Media, Mobile Security Report 2009, 2009,

URL: http://www.mcafee.com/us/local_content/reports/mobile_security_

report_2009.pdf, accessed: 2009-4-2 (Archived by WebCite at http://www.

webcitation.org/5gExlvgs2)

[M3] Elinor Mills, Mobile: The holy grail at security conference, CNet News, March

20, 2009, URL: http://news.cnet.com/security/?keyword=smartphones , accessed

2009-3-20. (Archived by WebCite at http://www.webcitation.org/5gELyrFi4 )

[M4] Mobile hackers cash in on lack of protection offered by networks, SC Magazine,

April 2, 2009, URL: http://www.scmagazineuk.com/Mobile-hackers-cash-in-on-lack-of-protection-offered-by-networks/article/129941/, accessed 2009-3-20. (Archived

by WebCite at http://www.webcitation.org/5gELyrFiZ )

[M5] Sarah Perez, First Came Geo-Awareness, Then Came Geo-Aware Malware,

ReadWriteWeb, March 17, 2009, URL: http://www.readwriteweb.com/archives/

first_came_geo-awareness_then_came_geo-aware_malware.php , accessed 2009-

3-20. (Archived by WebCite at http://www.webcitation.org/5gELyrFiE )

[M6] Pu Wang, Marta C. Gonzlez, Csar A. Hidalgo, Albert-Lszl Barabsi,

Understanding the Spreading Patterns of Mobile Phone Viruses, ScienceExpress

Report, April 2, 2009, URL: http://www.sciencexpress.org, accessed 2009-3-20.

(Archived by WebCite at http://www.webcitation.org/5gELyrFiO )

[D1] Barnaby J. Feder, A Heart Device Is Found Vulnerable to Hacker Attacks,

New York Times, March 12, 2008, URL: http://www.nytimes.com/2008/03/12/

business/12heart-web.html, accessed: 2009-4-6. (Archived by WebCite at http://

www.webcitation.org/5gExlvgsU )

[D2] Maria Fontenazza, Hackers May Prey on Medical Devices, Medical Device Link,

Medical Device and Diagnostic Industry, URL: http://www.devicelink.com/mddi/

archive/09/03/011.html , accessed: 2009-4-6. (Archived by WebCite at http://www.

devicelink.com/mddi/archive/09/03/011.html)

[D3] Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, et al. Pacemakersand Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power

Defenses, May 2008, URL: http://www.secure-medicine.org/icd-study/icd-study.

pdf, accessed: 2009-4-6. (Archived by WebCite at http://www.webcitation.

org/5gELyrFit)


16/18


[D4] Ryan Singel, WiFi Pacemaker Hack Leads to Real Life Zombie Armies? Wired,

March 12, 2008, URL: http://blog.wired.com/27bstroke6/2008/03/wifi-pacemaker.

html, accessed: 2009-4-6. (Archived by WebCite at http://www.webcitation.

org/5gExlvgsg)

[S1] Ted Bridis, CIA: Hackers demanding cash disrupted power - Electrical utilities in

multiple overseas cities affected MSNBC.com, January 18, 2008, URL: http://

www.msnbc.msn.com/id/22734229/, accessed: 2009-4-6. (Archived by WebCite

at http://www.webcitation.org/5gExlvgt2 )

[S2] Eric Byres, David Leversage, and Nate Kube, Security incidents and trends in

SCADA and process industries, May 2007, URL: http://www.mtl-inst.com/images/

uploads/datasheets/IEBook_May_07_SCADA_Security_Trends.pdf .

[S3] Alvaro A. Crdenas, Saurabh Amin, Shankar Sastry, UC Berkeley, ResearchChallenges for the Security of Control Systems, 1999. URL: http://www.usenix.

org/event/hotsec08/tech/full_papers/cardenas/cardenas_html/, accessed: 2009-4-6.

(Archived by WebCite at http://www.webcitation.org/5gExlvgtK )

[S4] Glenn Derene, How Vulnerable is U.S. Infrastructure to a Major Cyber Attack?

Popular Mechanics, April, 2009, URL: http://www.popularmechanics.com/

technology/military_law/4307521.html , accessed: 2009-4-6. (Archived by WebCite

at http://www.webcitation.org/5gExlvgtT )

[S5] Grant Gross, Expert: Hackers penetrating control systems, InfoWorld Security

Central, March 19, 2009, URL: http://www.infoworld.com/d/security-central/

expert-hackers-penetrating-control-systems-084, accessed: 2009-4-6. (Archived by

WebCite at http://www.webcitation.org/5gELyrFjb )

[S6] Wes Iverson, Hackers Step Up SCADA Attacks, Automation World, November

1, 2004, URL: http://www.automationworld.com/news-957, accessed: 2009-4-6

(Archived by WebCite at http://www.webcitation.org/5gExlvgsq )

[S7] David Lacy, Apocalypse Soon? Computer Weekly, March 4, 2009, URL: http://

www.computerweekly.com/blogs/david_lacey/2009/03/apocalypse_soon.

html, accessed: 2009-4-6. (Archived by WebCite at http://www.webcitation.

org/5gELyrFjm)

[S8] Nathan McFeters, Hacking SCADA for terrorism and destruction, Zero Day

(ZDNet), June 12, 2008, URL: http://blogs.zdnet.com/security/?p=1268, accessed:

2009-4-6. (Archived by WebCite at http://www.webcitation.org/5gELyrFjS )

[S9] National Cyber Security Research and Development Challenges, Institute for

Information Infrastructure Protection (I3P), A Report to the Senate Committee on

Homeland Security and Governmental Affairs, 2009.

[S10] The Return of SCADA vulnerability, Industrial IT, February 9, 2008, URL:

http://www.industrialit.com.au/Article/The-return-of-the-SCADA-security-


17/18


vulnerability/437404.aspx , accessed: 2009-4-6. (Archived by WebCite at http://

www.webcitation.org/5gELyrFjw)

[S11] SANS Institute, Special Webcast: Cyber Attacks Against SCADA and Control

SystemsReal World Trends and Real World Solutions, September 7, 2008,

URL: https://www.sans.org/webcasts/show.php?webcastid=90748. (Archived by

WebCite at http://www.webcitation.org/5gExlvgtB )

[R1] Kelly Jackson Higgins, Drive-By War Cloning Attack Hacks Electronic Passports,

Drivers Licenses: researcher demonstrates the ease of scanning and cloning new

Homeland Security-issued ID cards, Dark Reading, February 2, 2009, URL: http://

www.darkreading.com/security/privacy/showArticle.jhtml?articleID=213000321,

accessed 2009-4-6. (Archived by WebCite at http://www.webcitation.

org/5gELyrFkE)

[R2] Joel Hruska, Internet tubes dripping with raw sewage of DDoS attacks, Ars

Technica, April 3, 2008 http://arstechnica.com/news.ars/post/20080403-internet-

tubes-dripping-with-raw-sewage-of-ddos-attacks.html , accessed 2009-3-20.

(Archived by WebCite at http://www.webcitation.org/5gELyrFkW )

[R3] Joanne Kelleher, Another RFID HackContactless Credit Cards, RFID Security,

March 25, 2008, URL: http://www.securerf.com/RFID-Security-blog/?p=47,

accessed 2009-4-22. (Archived by WebCite at http://www.webcitation.

org/5gExlvgtc)

[P1] David Strom, Beware of Network Printer Hacks, David Stroms Web Informant,

May 30, 2008, URL: http://strom.wordpress.com/2008/05/30/beware-of-network-

printer-hacks/, accessed 2009-4-22. (Archived by WebCite at http://www.

webcitation.org/5gExlvgt)


18/18


Tech

Choice2008

VPNCCERTIFIED

Basic

Interop

AES

Interop

IKEv2 BasicInterop

IPv6Interop

About MocanaMocana secures the Internet of Things: the ubiquitous devices of our lives,

our infrastructure, and the enterprise networks to which they connect. As

connected devices proliferatethey already outnumber workstations on the

Internet by about 5 to 1attacks on these soft targets are rising exponentially.

Mocanas solutions ensure that wired and wireless devices, servers, networks,

and their services all scale securely. Customers include Dell, Cisco, Avaya,

Nortel Networks, Harris, Honeywell, Symbol, and Radvision, among others. The

company was recently named one of Red Herrings GLOBAL 100one of the

Top 100 Privately-Held Companies in the World for 2008, and also won Frost

& Sullivans Technology Innovation of the Year award. For more information, visit

www.mocana.com.

Downloads and Contacts

For details about the Mocana Device Security Framework, visit http://www.

mocana.com/device-security-framework.html.

For your 90-day free trial, visit www.mocana.com/evaluate.html .

For pricing and purchase information, email [email protected] or call

866-213-1273.

Mocana Solutions

NanoBoot

Secure preboot verification

for firmware

NanoUpdate

Secure firmware updates

NanoWall

Embedded system firewall

NanoSSH

High-performance

SSH client and server

NanoSSL

Super-small SSL client and

server

NanoSec

Device-optimized IPsec,

IKEv1/v2, MOBIKE

NanoEAP

EAP supplicant and

802.11 extensions

NanoCert

Certificate management

for client devices

NanoDTLS

Embedded DTLS client

NanoDefender

Intrusion detection

for devicesDSF for Android

Quick-development

security toolkit for

Google Android handsets
http://www.mocana.com/device-security-framework.htmlhttp://www.mocana.com/device-security-framework.htmlhttp://www.mocana.com/evaluate.htmlmailto:[email protected]://www.mocana.com/evaluate.htmlhttp://www.mocana.com/device-security-framework.htmlhttp://www.mocana.com/device-security-framework.htmlmailto:[email protected]

Attacks on Mobile and Embedded Systems: Current Trends

Documents