Saturday, May 2, 2015

Windows in the IoT space

So this past week the annual Microsoft Build Developer Conference happened in San Francisco.  During many of the key note talks, Microsoft announced a bunch of their new platforms and products.  Among them was Visual Studio 2015, Windows 10 Insider Preview, and Windows 10 for IoT.

For my non techie friends and family, IoT = the Internet of Things.  So what does that mean?  Well as our computing devices get smaller and smaller, we are able to create more things that can connect to the ever growing internet.  It isn't just your computer or mobile phone anymore.  We have tablets, game consoles, smart TVs and other media devices.  We now also have thermostats (Nest), home automation systems, refrigerators, toasters, small robots, cats and dogs living together MASS HYSTERIA!
For the most part this space has been frequented by micro-controller boards like the Arduino, Beaglebone, and the much smarter Raspberry Pi computers.  Newer and smaller boards have now entered the market and they have come ready for the internet. has been releasing a different board every few months.  Their first was a Wi-Fi enabled Spark Core, then came the much smaller Photon (about the size of a postage stamp), and now they have a cellular enabled board called the Electron.  

So with all this IoT growth, it is only natural that Microsoft decided to jump in the pool.  As a software company, you almost need to be in there if you want to stay relevant.  So what's this new Windows 10 IoT all about?  Well it is the latest in Microsoft's embedded OS.  As of now they are supporting 3 hardware platforms - Raspberry Pi 2, MinnowBoard Max, and Galileo.  Galileo has supported previous versions of Windows embedded but does not yet support Windows 10.  But Microsoft has instructions on how to get started anyway.  I will focus on the Raspberry Pi 2.  This latest version of Pi was released a few months ago and is a pretty impressive tiny computer (just don't use high powered camera flashes next to it).  With a 900MHz quad-core ARM Cortex-A7 processor and 1GB of RAM, it certainly has some juice to run a scaled down Windows OS.  

So what will you need to get going?  Well first a Raspberry Pi 2, availability is up and down so grab one when you can.  Next you will need something to run Windows 10 Insider Preview (current version is 10074).  I ran it in a VM but there are some very annoying bugs in the current version.  I have not run it on a physical device yet since I don't have spare laptops lying around.  You will also need Visual Studio 2015 to do development on.  Follow the instructions on their github page. Flashing the SD card is pretty straight forward.  Once the Pi is booted up, you will have a screen with some basic information including the name of the device and it's IP address.  You will need to hardwire it with ethernet as it does not appear to have any out-of-box support for your standard wireless controllers.  Once you have the device info you can connect via Powershell from your dev box.  This can be done from Windows 7 or 8.1 running updated Powershell.  There are a few other steps you must complete to finish the setup.  Unfortunately the rest of the development requires Visual Studio 2015. 

One thing to note about Windows IoT, it comes with remote debugging enabled.  So I would recommend not tossing this on the public internet until it is production ready.  Visual Studio 2015 does have some IoT management features, hopefully that will allow you to enable/disable remote debugging when required.  The geek in me is loving all this, but the security guy wants to start drinking heavily.  The world is becoming more and more connected each day.  Some of these technologies are improving our lives in various ways.  We have more energy efficient homes, doctors can perform maintenance on healthcare devices without surgery, parents can keep track of their children, and brew masters can monitor their brewing processes without spending long hours at the brewery.  But with every newly connected device there is a new possible risk for exploitation.  Nothing is unhackable.  If a vendor tells you this, they are lying.  So if it can be turned on or off, it can probably be hacked.  But without hacking we would probably not have our most successful breakthroughs in science and technology.  Just like the discovery of nuclear power, it is both a great energy resource and extremely destructive force if put in the wrong hands.  

So, don't be afraid of the Internet of Things, go out there, make something!  Who knows maybe that something will be used in future space explorations or help an amputee walk again!  

Tuesday, January 20, 2015

Not a lot of drool lately... but how bout hacking in the mainstream eh???

"You work dark alleys, I work the dark nets..."  So that is the tag line that Patricia Arquette's character drops during the latest trailer for the next installment of CSI, CSI: Cyber.  It was bound to happen sooner or later.  With high profile breaches like Sony Pictures, Target etc etc..  Hollywood is cashing in on the idea of digital terrorists and cyber criminals stealing anything not secured stored in a fireproof, airtight container at the bottom of an ocean.  Seriously it is terrible out there.  It was hard enough keeping track of the latest vulnerabilities and exploits so we can defend out networks, but now this stuff has hit the main stream.  So this is both a good thing and a bad thing.

I'll start with the positives...  We, as security pros, now have a way to explain to our non-technical associates and managers about the dangers of the internet.  Granted the material in the TV and Movie versions of our daily lives is a bit inaccurate (I'm being nice), it is still being put out there.  Sure we can go back to great movies like WarGames and Sneakers, but they are a bit dated (Sneakers is still my favorite).  Swordfish was a good flick as far as action goes and well Halle Berry made it even more tolerable, but know one out there is going to hack the NSA in 60 seconds at gun point and... well you saw the movie.  Oh wait I was supposed to be positive here.  So yeah it gets the concepts in front of the civilians.  They now know there is a danger out there in the digital landscape.  Information is not as private as we once thought and anyone with motive and ability will do their best to get at it.  This will certainly help those of us who struggle with securing budget to improve our current environment.  That larger budget will help us bring in additional staff, train our current employees and install that SEIM we've been wanting all these years.  Now when the CIO questions your budget you just need to say "Because Blackhat!".  OK, you will need to do more than that but it will certainly help sway their opinion on your needs.  Also I say "CIO" because there are still big corps out there that have not yet gone the route of having an official CISO to handle InfoSec.  Also no reason you Sys Admins can't use the same argument.

OK so the negatives were mixed in with the positives a bit.  Something that I think these Hollywood interpretations of hacking may do is set an unrealistic expectation on our current security teams.  I mean, companies are going to expect their IR teams to be able to handle themselves in a firefight, or decrypt anything with a power cable attached to it, and maybe even go toe-to-toe with trained assassins while getting root on the Unix server.    Sounds exciting huh?  Believe me there are days where we wished it was a little more exciting.  The reality of it is that our jobs, on the outside, do not look all that awesome to the non-tech folks.  I mean if they tried to make a movie about what most of us due but still include action, this would be the result:

Don't get me wrong, in our minds and what we see, we do pretty exciting stuff.  But some folks may just think we are nerding out over some code or the latest gadget.  Now we can scoff at this latest trend in Hollywood or we can use it as a tool like we use PCI or HIPAA, to get what we want from our senior management.

Well, ranted enough for the day.  I'll have more here in the coming weeks I imagine.  For now you can also head over to Nutmeg Infosec and keep up with some stories there!