The Internet of Broken Things
Politecnico di Milano - aula Osvaldo De Donato
September 7th 2016

The Internet of Things is upon us: by 2020, estimates say over 50 billion devices will be connected to some form of local or global network. Unfortunately, it seems that the Things we want to network are broken and insecure. What are the challenges across different domains (automotive, avionics, industrial controls)? What are the potential solutions, from a regulatory and technical standpoint?

FREE EVENT - REGISTRATION REQUIRED:
https://calendario.eventi.polimi.it/iscrizioni.php?id_evento=1954&lang=it

We gratefully acknowledge the support of Cisco Systems, UNICRI, Politecnico di Milano, Uninsubria, Tech and Law

09.30 doors open
10.00 Introduction and greeting - prof. Donatella Sciuto, vice-rector of Politecnico di Milano
10.15 Automotive security: challenges and perspectives - Eric Evenchick, Linklayer Labs
11.15 break
11.30 Real-life experiences in avionics security assessment - Andrea Barisani, Inverse Path
12.30 networking lunch (sponsored by Cisco Systems)
14.00 Security in Industry 4.0: Control Systems and Robots - Prof. Stefano Zanero, Politecnico di Milano
14.45 The bad, the ugly and the weird about IoT - Gianluca Varisco, Rocket Internet
15.30 Legal Framework and Policy Perspectives - Prof. Giuseppe Vaciago, University of Como - Uninsubria; Dr. Francesca Bosco, UNICRI
16.30 Roundtable discussion: the State of Security in IoT
      Eric Evenchick, Linklayer Labs
      Francesca Bosco, UNICRI
      Fabio Guasconi, UNINFO
      Andrea Barisani, Inverse Path
      Story Tweedie-Yates, Cisco Systems
      Moderator: Giuseppe Vaciago, Uninsubria

*****

Eric Evenchick, “Automotive Security: Challenges and Perspectives”

Abstract: In recent years, cars have become more computerized, connected, and more vulnerable to attack. Cars are also integrating more autonomous features, increasing the damage potential of attacks. Recently, we have seen a range of attacks on automotive systems presented by researchers.
In this seminar, we will provide an introduction to automotive control systems and vehicle networks. Using this knowledge, we'll take a look into the history of automotive security, and some notable attacks that have been demonstrated. After looking at the past, we'll cover the challenges of the industry today and look into the future. We will use this knowledge to discuss the current and future risk posed to vehicle owners and OEMs. Attendees can expect to receive a crash course in automotive systems, which will help their understanding of automotive security topics. The attack examples serve as case studies, which detail the mistakes made and how they can be prevented.

Bio: Eric Evenchick is the founder of Linklayer Labs, a company focused on embedded systems and automotive security. Linklayer aims to help companies understand the risks present in embedded devices, identify countermeasures, and implement security functionality. Eric has worked on automotive firmware at Tesla Motors and Faraday Future, where he was primarily responsible for over-the-air firmware update capabilities and security design. His experience in automotive began with research in alternative fuel vehicles at the University of Waterloo, in conjunction with the US Environmental Protection Agency and General Motors. Here, Eric led the team performing electrical and control systems integration of fuel cell and hybrid vehicle prototypes. The CANtact device, an open-source hardware tool for CAN networks, was released by Eric at Blackhat Asia 2015. In 2015, Eric also developed BLEKey, a hardware tool for bypassing the most popular electronic access control systems. BLEKey was presented at Blackhat USA and Europe.

Andrea Barisani, “Real-life experiences in avionics security assessment”

Abstract: The session aims to provide insights on real-life experiences gathered from the security assessment of modern avionics systems.
Particular focus is placed on explaining how the interaction between safety and security is assessed and how responsible teams can interact and combine their diverse set of skills. An example technical overview of the classes of systems, interfaces and audit methodologies is given to precisely demonstrate how work in this area is laid out and executed, and to emphasize its importance in the transportation industry. Finally, the unique culture of safety in modern aviation is compared to similar safety-critical areas, such as the automotive field, to highlight the differences and similarities.

Bio: Andrea Barisani is an internationally recognized security researcher and founder of Inverse Path information security consultancy firm. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick… and break. His experiences focus on large-scale infrastructure administration and defense, forensic analysis, penetration testing and code auditing with particular focus on safety critical environments, with more than 14 years of professional experience in security consulting. Being an active member of the international Open Source and security community, he contributed to several projects, books and open standards. He is the founder of the oCERT effort, the Open Source Computer Security Incident Response Team. He is a well known international speaker, having presented at BlackHat, CanSecWest, Chaos Communication Congress, DEFCON, Hack In The Box, among many other conferences, speaking about innovative research on automotive hacking, side-channel attacks, payment systems, embedded systems security and many other topics.

Stefano Zanero, “Security in Industry 4.0: Control Systems and Robots”

Abstract: This talk will explore the significant challenges in securing computer systems that are interconnected to (and control) physical industrial systems.
We will explore how the interactions between the digital and the physical world create unique challenges. We will explore how the physical control of processes generates further attack strategies, potentially violating safety constraints and endangering personnel and the environment.

Bio: Stefano Zanero received a PhD in Computer Engineering from Politecnico di Milano, where he is currently an associate professor with the Dipartimento di Elettronica, Informazione e Bioingegneria. His research focuses on malware analysis, security of cyber-physical systems, and systems security. Besides teaching “Computer Security” and “Computer Forensics” at Politecnico, he has extensive speaking and training experience in Italy and abroad. He co-authored over 60 scientific papers and books. He is a Senior Member of the IEEE, the IEEE Computer Society (for which he is a member of the Board of Governors), and a lifetime senior member of the ACM. Stefano co-founded the Italian chapter of ISSA (Information System Security Association). He has been named a Fellow of ISSA and sits in its International Board of Directors. Stefano is also a co-founder and chairman of Secure Network, a leading information security consulting firm based in Milan and in London; co-founder of 18Months, a cloud-based ticketing solutions provider; co-founder of BankSealer, a FinTech startup focused on banking fraud detection.

Gianluca Varisco, “The bad, the ugly and the weird about IoT”

Abstract: The Internet of Things isn’t coming, it is already here. IoT is at the peak of the hype cycle - what they call the 'Peak of Inflated Expectations'. Every IT organization wants to ride the IoT wave. As with all new technologies, the battle over standards is always a struggle. The unresolved problem of software updates and short vendor support cycle combined with the lack of effort into systems security and application security makes these devices an easy target.
Internet accessible embedded systems are being compromised via vulnerabilities (like Shellshock) or because of their weak default configuration. As more things from the IoT start trickling into people’s homes, this talk will try to shine a light into this bizarre and scary future with a steady stream of funny and smart (as in clever, not internet-connected) jokes. Think about misconfigured cameras, televisions, home routers, baby monitors, toys and spammy refrigerators!

Bio: Gianluca Varisco is the VP of Security at Rocket Internet SE, responsible for overseeing the security architecture and compliance of the company's massive, globally distributed network. All aspects of corporate security, including information protection, ID management, network security, threat analysis, emergency response, security policy, and IT audit/compliance programs fall under his purview. Gianluca has over 8 years of experience in developing and managing information systems. Prior to Rocket Internet, he held engineering roles at Red Hat, Lastminute.com Group, PrivateWave.

Giuseppe Vaciago and Francesca Bosco, “Legal Framework and Policy Perspectives”

Abstract: Increasingly, the types of devices connected to the internet are proliferating at a rapid pace. The development of the IoT opens up a multitude of doors for efficient, streamlined device management and operation, paving the way for major advances in technology. This advance brings with it a labyrinth of privacy and security issues that our laws currently face challenges in addressing. This session intends to explore the impact of the new NIS Directive on the IoT world and to discuss possible policies on safety and security of the IoT, analyzing some concrete examples in the Italian context.

Bio: Giuseppe Vaciago is a lawyer and a member of the Milan Bar since 2002. Holding a PhD in Digital Forensics, he has for several years been teaching Information Technology Law at the University of Milan and University of Insubria (Varese and Como).
He has been a visiting scholar at Fordham Law School and Stanford Law School (Centre for Internet and Society). He is a fellow member of Cybercrime Institute, Nexa Center and he is co-founder of Tech and Law Center of Milan and member of the Editorial Board of Digital Investigation Journal.

Bio: Francesca Bosco is Project Officer within the Emerging Crimes Unit in UNICRI. She earned a law degree in International Law and joined UNICRI in 2006 as a member of the Emerging Crimes Unit. She is responsible for cybercrime and cybersecurity related projects, both at the European and at international level. She is a member of the Advisory Groups on Internet Security Expert Group of the EC3, a member of the Internet & Human Rights Centre of the European University Viadrina and co-founder of the Tech and Law Center.

--
Best regards,
Stefano Zanero
Politecnico di Milano - Dip. Elettronica, Informazione e Bioingegneria
Via Ponzio, 34/5 I-20133 Milano - ITALY
Tel. +39 02 2399-4017
Fax. +39 02 2399-3411
E-mail: [email protected]
Web: http://home.deib.polimi.it/zanero/
________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
