NDSS 2018: Automating the Process of Vulnerability Discovery

NDSS 2018 is in full swing in San Diego this week and a couple of papers that really grabbed my attention were both in the same session on Network Security and Cellular Networks yesterday.

Samuel Jero, a PhD student at Purdue University and past IRTF Applied Networking Research Prize Winner, presented a fascinating paper on “Automated Attack Discovery in TCP Congestion Control Using a Model-guided Approach”. Of the many protocols and algorithms that are in daily use on the Internet, some are more fundamental and important than others and it doesn’t get much more fundamental and important than TCP congestion control.

TCP congestion control is what makes it possible for millions of autonomous devices and networks to seamlessly, and more-or-less fairly, share available bandwidth. Without it the network would literally collapse.

Attacks against congestion control that manipulate a sender’s or receiver’s understanding of the state of the network have been known for some time. Jero and his co-authors Endadul Hoque, David Choffnes, Alan Mislove and Cristina Nita-Rotaru developed a model-based testing approach that addresses the scalability limits of previous work and automates the discovery of manipulation attacks against congestion control algorithms.

By building abstract models of several congestion control algorithms from IETF RFCs, the team were able to generate abstract attack strategies. These abstract strategies could then be mapped to concrete attack strategies including details of how attack packets should be created and timing information for injecting malicious traffic to effect an attack. Both off-path and on-path attackers were considered.

Armed with a set of concrete attack strategies, the team built a platform on which to test them against different congestion control implementations running on a variety of OS environments. Evaluating five TCP implementations from four Linux distributions and Windows 8 they found 11 classes of attacks, eight of which were previously unknown.

This work illustrates the vulnerability of transport protocols that carry their signalling in the clear, as TCP does. It is relatively trivial for an attacker to confuse congestion control state machines about the state of the network which leads to the large and diverse set of attack methods discovered. The new and rapidly developing QUIC protocol is perhaps one of the key next steps in defending the Internet against these kinds of manipulations: QUIC encrypts signalling by design.

In his paper, “LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE”, Syed Hussain (with co-authors Omar Chowdhury, Shagufta Mehnaz and Elisa Bertino) also employs a model-based testing approach to uncover 10 new attacks against the three fundamental protocol operations of the 4G LTE protocol (attach, detach and paging).

To ensure that the theoretical attacks were actually practical against real deployed 4G LTE networks, the team validated eight attacks using a real-world testbed. The most interesting attack discovered in this way is referred to as the ‘authentication relay attack,’ which enables an adversary to poison the core network’s knowledge of the location of a victim device, without possessing any legitimate credentials. This attack could provide a means to create a false alibi or plant fake evidence during a criminal investigation for example.

Both of these papers illustrate the power of applying model-based testing approaches to deployed systems to effectively automate the process of vulnerability discovery. As the dependence of modern society on Internet and cellular technologies continues to grow, this kind of work is crucial to help us move beyond the ‘whack-a-mole’ response to security vulnerabilities we’re familiar with.

These two papers are great examples of the strength of the work presented at NDSS and the importance of the research undertaken by this community for the security of our networked, distributed future. Both papers are already on the NDSS website, and slides and videos from these and all other presentations will be posted shortly after NDSS.

The post NDSS 2018: Automating the Process of Vulnerability Discovery appeared first on Internet Society.


How the gig economy will transform field service

A use case for the future

Imagine the scenario: a master electrician is responsible for fixing motors, transformers, generators and electronic controllers on industrial robots. He finishes the first shift at a manufacturing plant and gets an alert on his phone as he’s driving home. Something is wrong with a nearby photovoltaic system – aka a solar array – operated by a regional energy provider. The company is offering $125 an hour to someone who can fix the problem in the next four hours. It’s easy money – so he accepts the job and his phone guides him to a field a few miles away.

He arrives on site, grabs his tools, and puts on his augmented reality glasses. On his phone he receives the work order from the energy company for the troublesome equipment. An hour before, the company had received an alert that the electrical output from the system is atypical based on the current weather conditions. He reviews the system blueprints on his phone. Following a blueprint map displayed on his glasses, he begins his inspection.

After some testing, he realizes there is a problem with the inverter and calls the energy company’s engineering team. They help him diagnose the problem based on a video stream from his glasses to their headquarters 200 miles away. After some wiring improvements guided by the engineers, the system is performing well. And he receives a $125 payment directly in his bank account within 5 minutes of leaving the job site.

A cloud-connected, utility-grade Conext SmartGen solar inverter from Schneider Electric

The rise of the gig economy

Currently, stories such as the one above are uncommon. But, with extreme growth and interest predicted in freelancing, this may not always be the case. The application of gig economy staffing models to industry seems inevitable.

So, what does this mean? Well, the gig economy refers to the increase in the number of temporary, flexible jobs. It also incorporates the trend of companies hiring independent contractors and freelancers instead of full-time employees. It’s widely believed that over 30 percent of the U.S. workforce is involved in the gig economy.

A freelance economy specifically refers to hiring self-employed workers to undertake specific, short-term jobs in return for an agreed upon wage. There are lots of examples of B2C companies using the gig economy to support their business models – such as Uber, Lyft, TaskRabbit, Instacart, Airbnb and Shyp.

Field Service Management basics

Field service management (FSM) is the process of planning and dispatching workers to a location to meet service commitments. It’s complex. Companies need to predict service needs, forecast staffing around demand, schedule work efficiently, and enable staff to complete the work.

Technology is already changing how the FSM process works at its core. For example, using weather data and advanced analytics from equipment data in the field, companies can more accurately predict outages and deploy their workforce. Systems such as Maximo are used to track work orders and maintenance records for all field infrastructure. Maximo Anywhere enables field technicians to work more productively on site. It’s no wonder the world’s largest asset-intensive organizations rely on IBM for operations solutions.

How will technology enable freelancing in FSM?

There are a few emerging technologies that will make the story above become real, faster than anyone is anticipating. First, the Internet of Things is connecting equipment and operations in unimaginable ways. This means improvements in uptime and operational efficiency. With new sources of data, Field Service can be optimized much more efficiently.

Second, artificial intelligence (AI) is changing how field equipment is managed. For example, IBM provides the ability to apply analytics to video and audio to see whether there are issues in the field. AI can also help optimize the deployment of field resources. This is partly because machine learning models can account for more variables than a human can comprehend.

Over time, services like Watson might be able to give field technicians advice, for instance by working out the probability that certain equipment is the cause of operational failures. With the world’s computing power at its disposal, Watson might even serve as an educator for apprentice electricians on the job site.

Finally, augmented reality is developing rapidly beyond its initial commercial applications. Not only is augmented reality hardware improving, but the software powering the hardware is finding powerful industrial use cases. In the near future, cloud-based solutions such as Maximo will be easily accessible via augmented reality. This means technicians can both learn from and use Maximo as another tool in their toolbox.

Learn more and join us at Think 2018

When do you think the story above will become a reality? How do you see technology changing field service? We’ll be exploring answers to these questions and more at Think 2018: our landmark conference in Las Vegas. Join us there from 19-22 March, and meet partners, thinkers and innovators from around the world.

In the meantime, you can learn more about Maximo, the world’s leading enterprise asset management solution, by visiting our website.

The post How the gig economy will transform field service appeared first on Internet of Things blog.


Capturing Value From Free Digital Goods

Scientists refer to portions of the universe that they know exist but can’t easily measure as “dark matter.” As direct measurement is difficult, they study the indirect gravitational effects or galaxy rotation speeds to understand the phenomenon. Similarly, in the digital economy a broad range of “dark” elements are free and essentially limitless, and traditional tools can’t measure them.

One of the best-known examples of this phenomenon is Wikipedia. People use Wikipedia at no charge, and the content is created primarily by contributions from volunteers. Because no money changes hands (except for donations to help pay for technical infrastructure and office staff), Wikipedia has almost no direct impact on gross domestic product (GDP). Moreover, because Wikipedia has replaced physical and digital encyclopedias that people paid for, it has likely had a negative impact on GDP. Nevertheless, Wikipedia provides significant value for consumers, even if its economic worth is difficult to measure.

For companies, tapping into a faceless crowd for contributions to their innovation or production process can be daunting. Managers worry about the quality and availability of product support, and about security and intellectual property issues. And there are serious questions about who’s responsible if or when something goes wrong. However, in my research I’ve found that companies have opportunities to capture substantial value by using digital goods created by external communities and even greater value by paying their employees to give back and help build such goods, even if competitors are able to use them for free.

Consider open source software (OSS), which is produced through crowdsourcing, is generally free, and is critical to the digital economy. Over the past decade, OSS, long considered the purview of geeks, has played an increasingly important role at companies. More than 60% of web servers run OSS, and many of the technologies used for big data analytics are open source. In recent studies, I have found that using OSS and contributing to its creation allows companies to capture value more efficiently.

Effects on Productivity

There has been a long-running debate about whether OSS truly saves companies money. Although the software is free, it has limited official support and can require specialized technical knowledge to implement. However, until this point, the productivity impact independent of any cost savings has gone unexplored. For my forthcoming article in Management Science titled “Open Source Software and Firm Productivity,” I measured the productivity impact of managers’ decisions to use free and open source software by examining data on technology usage from 2000 to 2009 at more than 1,500 U.S. companies in industries such as manufacturing, technology, and retail.

The results showed an important dichotomy: Companies that were heavy IT users or in IT-producing industries (such as computer manufacturing, software publishing, and data processing) saw an immediate positive impact on productivity; other companies showed no productivity increases in the year of adoption and only small increases later. For IT producers, an increase in the amount of free OSS used at the company led to a moderate, but significant, increase in value-added productivity. The results were similar for heavy IT users. The positive impact on productivity from using OSS was larger for smaller companies, for which capital availability was apt to be an issue. In the paper, I argue that these benefits arise from both the cost savings associated with OSS and the ability of the company to tap into the collective wisdom of the crowd.

Learning by Contributing

In addition to being consumers of OSS, some companies support its creation — even paying employees to contribute to it. In another forthcoming article (in Organization Science) titled “Learning by Contributing: Gaining Competitive Advantage Through Contribution to Crowdsourced Public Goods,” I look at the impact of this type of support in practice. Although it has long been argued (by Michael Porter, Jay Barney, and others) that a company’s competitive advantage is tied to its unique resources or capabilities, as the economy becomes more information-based, companies need to take greater advantage of free digital goods. Given that such goods are available to anyone, it’s incumbent upon companies to find ways to use them strategically as inputs into their innovation and production processes.

Although paying one’s employees to create a good that competitors can use for free might seem counterintuitive, evidence suggests that contributing to public goods teaches companies how to capture value by using them more effectively than those competitors that don’t contribute. This is especially likely with regard to OSS, where contributors receive feedback from the crowd, much of it from people who have expertise in that piece of OSS.

To explore how this works, I paired the technology usage data from a subset of companies in the Management Science study with data from the Linux Foundation on code contributions to Linux, the world’s largest OSS project. The results show that contributing companies were able to capture up to 100% more value from usage of OSS than their noncontributing peers, and that higher levels of employee contribution led to greater productivity. The benefits came primarily from content contributions, where contributors wrote the code, as opposed to editorial contributions, where contributors approved code written by others. This seems logical: Editorial contributions tend to come from more-senior members who already have a great deal of experience and have less to learn than newcomers.

These findings have important implications for managers making technology-related decisions within their enterprises. It’s likely that companies in IT-producing industries and companies that are heavy IT users already have assets, such as an IT labor force and IT infrastructure, that will allow them to realize productive value from implementing OSS. Other companies may benefit as well, but their productivity boost will depend on how quickly they can develop the ability to extract value. Given that small companies appear to derive bigger benefits from using OSS, large companies may want to evaluate the potential benefits carefully before changing existing IT infrastructure.

The advantages of contributing to the creation of OSS are clear. Odd as it may seem to pay employees to create software that competitors can use for free, doing so enables companies to add to their technological capabilities and gain an advantage. Companies that support crowdsourcing activities are likely to benefit from using crowdsourcing communities to promote innovative ideas that feed into the production process, potentially leading to further competitive advantage over their rivals. In addition, supporting crowdsourcing activities also contributes to societal welfare and helps society progress to the next stage of the digital revolution.


MIT Sloan Management Review

The Future of Online Privacy and Personal Data Protection in Africa

African experts gathered for two days (19-20 February 2018) in Addis Ababa, Ethiopia to contribute to the development of the African Privacy and Personal Data Protection Guidelines. The meeting, facilitated by the African Union Commission (AUC) and supported by the Internet Society, explored the future of privacy and data protection and provided practical suggestions that African states can consider when implementing the Malabo Convention provisions related to online privacy. The guidelines are aimed at empowering citizens, as well as establishing legal certainty for stakeholders through clear and uniform personal data protection rules for the region.

The expert meeting comes amid growing concern across the world about the need to prepare for the EU General Data Protection Regulation (GDPR), which will be enforced from 25 May 2018. The expert meeting, however, is focused on creating general principles that African member states can use to develop good practices now and in the future. The project, a partnership of the AUC and the Internet Society, follows up on the recommendations of the Africa Infrastructure Security Guidelines, developed in 2017 to help speed up the adoption and subsequent ratification of the Malabo Convention.

Both the Heads of States Summit in January 2018 and Specialized Technical Committee Ministerial meeting endorsed the development of these guidelines as a way to strengthen the capacity of African states to deal with emerging issues in the digital space.

The African privacy and data protection landscape is still nascent, with only 16 of the 55 countries having adopted comprehensive privacy laws regulating the collection and use of personal information (C Fichet, 2015). The African Union Convention on Cyber Security and Personal Data Protection is considered an important first step towards creating a uniform system of data processing and a common set of rules to govern cross-border transfer of personal data at the continental (African) level, avoiding divergent regulatory approaches between the Member States of the African Union. Now that a continental framework is in place, there is a need for more detailed best practice guidelines on personal data protection to assist countries in domesticating the Malabo Convention into their national laws.

The post The Future of Online Privacy and Personal Data Protection in Africa appeared first on Internet Society.


Three Reasons Discrete Manufacturers Must Integrate Digital And Physical Products

Discrete manufacturers in automotive, aerospace and defense, high tech, and industrial machinery and components are facing unprecedented pressures on their ability to innovate, engage with customers and consumers, and maximize return on their assets. By 2018, nearly one-third of discrete manufacturing leaders will be disrupted by competitors that are digitally enabled, reports IDC. In the age of digital disruption and transformation, discrete manufacturers must rethink traditional business models to capitalize on new, digital opportunities. One such opportunity is the sale of digital products.

Digital products offer many benefits over physical products, including frictionless buying, immediate delivery, and no shipping or supply chain management costs. But digital products can be difficult to sell on their own. To address this challenge, companies are pairing digital products with physical ones. For discrete manufacturers, this pairing offers new business models and revenue-stream opportunities.

Valuing digital products: Using physical products to drive digital sales

What is the value of a digital product? Consumers in the B2C world have historically been slow to jump at the purchase of digital products. As Fast Company reports, it takes a companion physical product to give the digital product value. For example, consider the case of Apple’s iPod and digital music downloads. In the age of Napster and free MP3s, digital music downloads were a slow seller. This changed after Apple introduced its iPod in 2001, creating a new physical product to house these digital downloads. More than 5 billion songs were sold through Apple’s iTunes store by 2008.

Learning from Apple, discrete manufacturers can adopt a similar approach by integrating their physical and digital offerings. Digital offerings, such as remote upgrade service and preventive maintenance contracts, are a natural add-on to physical products. IDC estimates that by 2018, 60% of large manufacturers will bring in new revenue from information-based products and services with embedded intelligence driving the highest profitability levels.

Three applications for digital-physical product integration

For discrete manufacturers, integrating digital and physical products offers three key benefits:

  1. Increased aftermarket value. Selling remote monitoring and digital services is perhaps the most obvious application for digital and physical product integration. Offering upgrades, continuous service, and preventive maintenance via remote monitoring is an important new revenue stream for discrete manufacturers. For example, remote monitoring can dramatically extend the service life of industrial machinery used in the food and beverage industries, high-tech manufacturing and automotive manufacturing. Typically, an industrial machine has a service life of 20+ years. But the rapid pace of technological change means machines constantly need to be retrofitted. Condition-monitoring sensors combined with the Internet of Things (IoT), cloud technology, and analytics would enable discrete manufacturers to offer ongoing digital service plans.
  2. Data monetization. IDC estimates that less than 10% of data is effectively used. Discrete manufacturers must treat data as a digital asset and use this data to improve user experiences, provide insight, influence decisions, and set directions. In the automotive space, discrete manufacturers can leverage usage and engagement information to effectively deliver content, such as software upgrades and infotainment. Like the Apple iPod/digital download model, auto manufacturers could use the physical product (the car entertainment system) to sell the digital product (the infotainment) to drivers. Automobile manufacturers can use analytic data to better understand driving patterns and preferences, location usage, and demographics. Analyzing this data will allow manufacturers to better target their digital infotainment offerings.
  3. Faster design-to-market cycles. Embedding sensors in industrial machines will generate a wealth of digital performance data that is useful not only for predictive maintenance but also for streamlining future production. Industrial machines are incredibly complex. Ideally, these machines are built following a model-based systems engineering approach that allows designs to be reused for a variety of customers. Integrating sensors into these machines will produce a stream of data that discrete manufacturers can use for future production guidelines. This includes using the data to configure new customer orders. This approach accelerates design-to-market cycles and increases customer satisfaction.

For discrete manufacturers to capitalize on new business opportunities, they need a strategic partner to support digital and physical product integration. Manufacturers need a platform that enables the seamless integration of industrial IoT with advanced analytics to support product development.

Learn how to innovate at scale by incorporating individual innovations back to the core business to drive tangible business value by reading Accelerating Digital Transformation in Industrial Machinery and Components. Explore how to bring Industry 4.0 insights into your business today by reading Industry 4.0: What’s Next?


Internet of Things – Digitalist Magazine