NOTA BENE

Notes, comment and buzz from Eugene Kaspersky – Official Blog

August 4, 2015

Off-piste and off-the-ground in Iceland.

Herewith, the penultimate installment on the enchanting island of Iceland; namely, on traveling off the beaten track on the ground, and up off the ground too – in a helicopter.

In just four days we covered more than a thousand kilometers of Iceland, but these were anything but boring kilometers. From one place of – particular – interest to the next, there are hundreds more exceptional sights to be seen: ludicrously breathtaking landscapes made up variously of volcanoes, cliffs, glaciers, waterfalls, dark gray fields of volcanic slag, and lava fields coated in seas of green or the lilac of lupine, plus distractingly dazzling dusks and dawns, pastoral scenes with sheep and horses… in short, a veritable feast for the eyes!

The Ring Road’s total length is 1332 kilometers (828 miles)

The Ring Road crosses a few glacial outwash plains, which are subject to frequent glacial outburst floods

Icelandic roads

Read on: How we very nearly found ourselves in a drowning incident…

August 4, 2015

Have an Ice day!

All right folks, now for glacial Iceland

Now, Iceland’s glaciers aren’t the biggest in the world, but all the same, the grand glacial vistas, the glacial lakes with icebergs, and the phenomenon of natural might… in sum it’s all fairly spellbinding.

We checked out two glaciers while on the island. First up: Langjökull (here).

It was here I had a go on a snowmobile for the first time! Have to say, I was expecting an easy, comfortable glide across the snow… Turns out snowmobiling at 50+ km/h on wet and powdery snow – neither comfortable nor easy.

There are two highland tracks in Langjökull, but we used none of them. We drove snowmobiles!

Read on: more glacierities…

July 31, 2015

Icelandic Waterfallism.

Iceland’s a very wet country in the cool time of year, and very snowy in winter. (There isn’t a warm season here to speak of – unless you submerge yourself in hot springs for three months.) So, in terms of H2O here – there’s plenty. And since there are a great many volcanoes in the country too, the conditions are perfect for a blossoming of the population of Iceland’s waterfalls – of which there are also plenty. Here’s a list of the five main ones we visited in the south and southwest parts of the country, all of which are wholly worthy of checking out in person.

Waterfall No. 1: Gullfoss. Here. And here:

Gullfoss – one of the most popular waterfall attractions in Iceland

Read on: Four more Icelandic waterfalls you’d like to see…

July 29, 2015

Icelandic tectonic.

Everyone’s got a basic idea of how this planet of ours is constructed, even primary school kids. It goes something like this: in the middle of the planet is the core – the nucleus; then there’s the mantle, and on the outside there’s the hard crust, upon which you’re reading this blog.

But the earth’s crust isn’t a single whole piece – it consists of tectonic plates, which float around mostly imperceptibly on the surface of the magma. And they float around in different directions – into one another, perpendicularly, or away from each other. That is, they converge, chafe one another, or diverge from one another. Along the edges of the plates there are frequent earthquakes and all sorts of volcanic activity. For those interested, check out the links above.

iceland-tectonic-1

Where plates converge are to be found mountains, volcanoes, and their associated features of terra firma. We’re talking: Japan, Kamchatka, the Kurils, the Aleutians, the Andes, the Cordillera, the Himalayas, etc. Places where plates diverge are usually on the seabed, visible on maps of sufficient quality and detail: here, under the Atlantic for example, is the Mid-Atlantic Ridge. It’s here where tectonic plates move away from one another, with the space between them being filled with magma.

One of the few places where this divergence of plates occurs on land is Iceland: it’s situated along the seam between the North American and Eurasian plates. The former is moving ever-so slowly to the west, the latter ever-so slowly to the east – at a speed of 2cm a year. That is, the width of Iceland increases by two centimeters every year (not taking into account coastal erosion or, just the opposite, the expansion of the land mass on account of lava flows). 2cm a year – that’s two meters a century, 20 meters a millennium, 20 kilometers in a million years. So, if things keep going as they do, in 200 million years Iceland will become the length of Chile, and in 300 million – the length of Russia!

iceland-tectonic-2

The crack in the ground along the fault line is best observed in Iceland at Þingvellir (Thingvellir).

Map of Thingvellir National Park, Iceland

There’s an uneven and craggy crack around five kilometers long that crosses the landscape here, plus a nice lake. This is how it all looks:

Thingvellir National Park, Iceland

Read on: Canyons, canyons, canyons!…

July 28, 2015

Iceland: Niceland.

I’d long dreamed of one day getting to the very volcanic island of Iceland for a spot of sightseeing, trekking and leisurely driving. I’d heard great things from friends and colleagues, seen some awesome pics of the scenery there, and heard some of the island’s music, but only recently did I finally find myself spending a few days there after doing some business in the country.

Iceland waterfalls

Sweeping, grandiose, lush, monumental – just a few of the adjectives that spring to mind when attempting to describe this island after having been there. And now, IMHO, I consider it to be one of the most beautiful places on the planet; and as you know, I’ve seen a lot of beautiful places on the planet. Of course the weather and climate situation here can be difficult, but that’s to be expected when the polar ice cap isn’t that far away… And anyway, it’s a minor drawback given the awesomeness of the island’s volcanoes, geysers and hot springs, glaciers and waterfalls, tectonism (a new word in my lexicon; will tell you more about it later on) and other natural beauty.

So stock up on the popcorn, for today and in coming days a series of photo-textual-travelogue posts is coming your way. For starters, a small selection of photographic masterpieces highlighting some of the best bits from the trip.

iceland-popurri-2

iceland-popurri-3

Read on: The ‘greatest hits’ of Iceland…

July 24, 2015

Your car controlled remotely by hackers: it’s arrived.

Every now and again (once every several years or so), a high-profile unpleasantness occurs in the cyberworld – some unexpected new maliciousness that fairly bowls the world over. For most ‘civilians’ it’s just the latest in a constant stream of seemingly inevitable troublesome cyber-surprises. As for my colleagues and me, we normally nod, wink, grimace, and raise the eyebrows à la Roger Moore among ourselves while exclaiming something like: ‘We’ve been expecting you Mr. Bond. What took you so long?’

For we’re forever studying and analyzing the main tendencies of the Dark Web so we can get an idea of who’s behind its murkiness and of the motivations involved; that way we can predict how things are going to develop.

Every time one of these new ‘unexpected’ events occurs, I normally find myself in the tricky position of having to give a speech (rather – speeches) along the lines of ‘Welcome to the new era’. Trickiest of all is admitting I’m just repeating myself from a speech made years ago. The easy bit: I just have to update that old speech a bit by adding something like: ‘I did warn you about this; and you thought I was just scaremongering to sell product!’

Ok, you get it (no one likes being told ‘told you so’, so I’ll move on:).

So. What unpleasant cyber-unexpectedness is it this time? Actually, one affecting something close to my heart: the world of automobiles!

A few days ago WIRED published an article with an opening sentence that reads: ‘I was driving at 70 mph on the edge of downtown St. Louis when the exploit began to take hold.’ Eek!

The piece goes on to describe a successful experiment in which security researchers remotely ‘kill’ a car that’s too clever by half: they dissected (over months) the computerized Uconnect system of a Jeep Cherokee, eventually found a vulnerability, and then managed to seize control of the critical functions of the vehicle via the Internet – while the WIRED reporter was driving the vehicle on a highway! I kid you not folks. And we’re not talking a one-off ‘lab case’ here affecting one car. Nope, the hole the researchers found and exploited affects almost half a million cars. Oops – and eek! again.

Jeep Cherokee smart car remotely hacked by Charlie Miller and Chris Valasek. The image originally appeared in Wired

However, the problem of security of ‘smart’ cars is nothing new. I first ‘joked’ about this topic back in 2002. Ok, it was on April 1. But now it’s for real! You know what they say… Be careful what you wish for… er, joke about (there’s many a true word spoken in jest:).

Not only is the problem not new, it’s also quite logical that it’s becoming serious: manufacturers compete for customers, and as there’s hardly a customer left who doesn’t carry at all times a smartphone, it’s only natural that the car (the more expensive – the quicker) has steadily been transformed into its appendage (an appendage of the smartphone – not the user, just in case anyone didn’t understand me correctly).

More and more control functions of smart cars are now firmly in the domain of the smartphone. And Uconnect isn’t unique here; practically every large car manufacturer has its own similar technology, some more advanced than others: there’s Volvo On Call, BMW Connected Drive, Audi MMI, Mercedes-Benz COMAND, GM Onstar, Hyundai Blue Link and many others.

More and more convenience for the modern car-driving consumer – all well and good. The problem is though that in this manufacturers’ ‘arms race’ to try and outdo each other, critical IT security matters often go ignored.

Why? 

First, the manufacturers see being ahead of the Jones’s as paramount: the coolest tech functionality via a smartphone sells cars. ‘Security aspects? Let’s get to that later, eh? We need to roll this out yesterday.’

Second, remote control cars – it’s a market with good prospects.

Third, throughout the auto industry there’s a tendency – still today! – to view all the computerized tech on cars as something separate, mysterious, faddy (yep!) and not really car-like, so no one high up in the industry has a genuine desire to ‘get their hands dirty’ with it; therefore, the brains applied to it are chronically insufficient to make the tech secure.

It all adds up to a situation where fancy motorcars are becoming increasingly hackable and thus stealable. Great. Just what the world needs right now.

What the…?

Ok. That’s the basic outline. Now for the technical background and detail to maybe get to know what the #*@! is going on here!…

Way back in 1985 Bosch developed CAN. No, not their compatriot avant-garde rockers (who’d been around since 1968), but a ‘controller area network’ – a ‘vehicle bus’ (onboard communications network), which interconnects and regulates the exchange of data among different devices – actually, those devices’ microcontrollers – directly, without a central computer.

For example, when the ‘AC’ button on the dashboard is pressed, the dashboard’s microcontroller sends a signal to the microcontroller of the air conditioner saying ‘turn on, the driver wants cooling down’. Or when the brake pedal is pressed, the microcontroller of the pedal mechanism sends an instruction to the brake pads to press up against the brake discs.

CAN stands for ‘controller area network’, a ‘vehicle bus’ which interconnects and regulates the exchange of data among different devices in a smart car

Put another way, the electronics system of a modern automobile is a peer-to-peer computer network – designed some 30 years ago. It gets better: despite the fact that over three decades CAN has been repeatedly updated and improved, it still doesn’t have any security functions! Maybe that’s to be expected – what extra security can be demanded of, say, a serial port? CAN too is a low level protocol and its specifications explicitly state that its security needs to be provided by the devices/applications that use it.

Maybe they don’t read the manuals. Or maybe they’re too busy trying to stay ahead of competitors and come up with the best smart car features.

Whatever the reasons, the fundamental fact causing all the trouble remains: Some auto manufacturers keep squeezing onto CAN more and more controllers without considering basic rules of security. Onto one and the same bus – which has neither access control nor any other security features – they strap the entire computerized management system that controls absolutely everything. And it’s connected to the Internet. Eek!

Hooking up devices to the Internet isn't a good idea. Engineers should think twice before doing this

Just like on any big computer network (e.g., the Internet), cars too need a strict ‘division of trust’ for controllers. Operations on a car where there’s communication with the outside world – be it installation of an app on the media system from an online store, or sending car performance diagnostics to the manufacturer – need to be firmly and securely split from the engine control, the security and other critical systems.

If you show an IT security specialist a car, lots of functions of which can be controlled by, say, an Android app, he or she would be able to demonstrate in no time at all a dozen or so different ways to get round the ‘protection’ and seize control of the functions the app can control. Such an experiment would also demonstrate how the car isn’t all that different really from a bank account: bank accounts can be hacked with specially designed technologies, in their case with banking Trojans. But there is a further potential method that could be used to hack a car just like a bank account too: with the use of a vulnerability, like in the case of the Jeep Cherokee.
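To make the ‘division of trust’ idea concrete, here is an added example (mine, not code from the blog or from any manufacturer) of the kind of gateway that sits between an externally reachable segment and the powertrain segment and forwards only an explicit allow-list of frames. Every CAN identifier, segment name and payload below is constructed for illustration and corresponds to no real vehicle.

```python
"""Added example: a CAN gateway that supplies the access control the bus
itself lacks. Segments are modelled as named lists; the gateway forwards a
frame only if (source segment, CAN ID) is explicitly allowed and the payload
fits that message. All IDs are hypothetical, not a real vehicle's."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CanFrame:
    """Classic CAN 2.0A data frame: 11-bit arbitration ID, up to 8 data bytes."""
    can_id: int
    data: bytes

    def __post_init__(self) -> None:
        if not 0 <= self.can_id <= 0x7FF:
            raise ValueError("11-bit identifier required")
        if len(self.data) > 8:
            raise ValueError("classic CAN carries at most 8 data bytes")


# Constructed identifiers (hypothetical; not from any manufacturer's spec).
ID_VEHICLE_SPEED = 0x1A0  # powertrain -> infotainment, display only
ID_HVAC_REQUEST = 0x3C0   # infotainment -> body: driver pressed 'AC'
ID_BRAKE_CMD = 0x0A0      # powertrain-internal; must never arrive from outside


@dataclass
class Gateway:
    """rules maps (source_segment, can_id) -> (destination_segment, max_len).
    Anything not listed is dropped and recorded rather than forwarded."""
    rules: Dict[Tuple[str, int], Tuple[str, int]]
    dropped: List[Tuple[str, CanFrame]] = field(default_factory=list)
    segments: Dict[str, List[CanFrame]] = field(default_factory=dict)

    def forward(self, source: str, frame: CanFrame) -> bool:
        rule = self.rules.get((source, frame.can_id))
        if rule is None:
            self.dropped.append((source, frame))
            return False
        dest, max_len = rule
        if len(frame.data) > max_len:  # right ID, wrong shape: also drop
            self.dropped.append((source, frame))
            return False
        self.segments.setdefault(dest, []).append(frame)
        return True


def build_gateway() -> Gateway:
    # Deny by default: only these two message flows cross segment boundaries.
    return Gateway(rules={
        ("powertrain", ID_VEHICLE_SPEED): ("infotainment", 2),
        ("infotainment", ID_HVAC_REQUEST): ("body", 1),
    })


def run_demo() -> dict:
    gw = build_gateway()
    results = {
        "speed_to_display": gw.forward("powertrain", CanFrame(ID_VEHICLE_SPEED, b"\x00\x46")),
        "ac_button": gw.forward("infotainment", CanFrame(ID_HVAC_REQUEST, b"\x01")),
        # A brake command originating on the externally reachable segment is dropped.
        "brake_from_head_unit": gw.forward("infotainment", CanFrame(ID_BRAKE_CMD, b"\xff")),
        # Allowed ID but oversized payload for that message: dropped too.
        "oversized_ac": gw.forward("infotainment", CanFrame(ID_HVAC_REQUEST, b"\x01\x02")),
    }
    results["dropped_count"] = len(gw.dropped)
    return results


if __name__ == "__main__":
    print(run_demo())
```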

Any reasons to be cheerful?…

…There are some.

Now, the auto industry (and just about everyone else) seems to be well aware of the degree of seriousness of the problem of cybersecurity of its smart car sector (thanks to security researchers like those in the WIRED article, though some manufacturers are loath to show their gratitude openly).

A sign of this is how recently the US Alliance of Automobile Manufacturers announced the creation of an Information Sharing and Analysis Center, “that will serve as a central hub for intelligence and analysis, providing timely sharing of cyber threat information and potential vulnerabilities in motor vehicle electronics or associated in-vehicle networks.” Good-o. I just don’t see how they plan to get along without security industry folks involved.

And it’s not just the motor industry that’s now on its toes: hours (!) after the publication of the WIRED article (the timing was a coincidence, it was reported) new federal legislation in the US was introduced establishing standardization of motor industry technologies in the field of cybersecurity. Meantime, we’re hardly twiddling thumbs or sitting on our hands: we’re actively working with several auto brands, consulting them on how to get their smart-car cybersecurity tightened up proper.

So, as you can see, there is light at the end of the tunnel. However…

…However, the described cybersecurity issue isn’t limited just to the motor industry.

CAN and other standards like it are used in manufacturing, the energy sector, transportation, utilities, ‘smart houses’, even in the elevator in your office building – in short – EVERYWHERE! And everywhere it’s the same problem: the growth of functionality of all this new tech is hurtling ahead without taking security into account!

What seems more important is always improving the tech faster, making it better than the competition, giving it smartphone connectivity and hooking it up to the Internet. And then they wonder how it’s possible to control an airplane via its entertainment system!

What needs doing?

First things first, we need to move back to pre-Internet technologies, like propeller-driven aircraft with analog-mechanical control systems…

…Not :). No one’s planning on turning the clocks back, and anyway, it just wouldn’t work: the technologies of the past are slow, cumbersome, inefficient, inconvenient and… a lot less secure! Nope, there’s no going backwards. Only forwards!

In our era of polymers, biotechnologies and all-things-digital, movement forward is producing crazy results. Just look around you – and inside your pockets. Everything is moving, flying, being communicated, delivered and received, exchanged… all at vastly faster speeds to those of the past. Cars (and other vehicles) are only a part of that.

All that does make life more comfortable and convenient, and digitization is solving many old problems of reliability and security. But alas, at the same time it’s creating new problems. And if we keep galloping forward at breakneck speed, without looking back, improvising as we hurtle along to get the very best functionality, well, in the end there are going to be unpredictable – even fatal – consequences. A bit like how it was with the Zeppelin.

There is an alternative – a much better one: What we need are industry standards; new, modern architecture, and a responsible attitude to the development of features – by taking into account security – as a priority.

In all, the WIRED article has shown us a very interesting investigation. It will be even more interesting seeing how things progress in the industry from here. Btw, at the Black Hat conference in Vegas in August there’ll be a presentation by the authors of the Jeep hack – that’ll be something worth following…


PS: Call me retrogressive (in fact I’m just paranoid:), but no matter how smart the computerization of a car, I’d straight away just switch it all off – if there was such a possibility. Of course, there isn’t. There should be: a button, say, next to the hazard lights’ button: ‘No Cyber’!…

…PPS: ‘Dream on, Kasper’, you might say. And perhaps you’d be right: soon, the way things are heading, a car without a connection to the ‘cloud’ won’t start!

PPPS: But the cloud (and all cars connected to it) will soon enough be hacked via some ever-so crucial function, like facial recognition of the driver to set the mirror and seat automatically.

PPPPS: Then cars will be given away for free, but tied to a particular filling station network… I mean, digital network – with pop-ups appearing right on the windscreen. During the ad-break control will be taken over and put into automatic Google mode.

PPPPPS: What else can any of you bright sparks add to this stream-of-consciousness brainstorming-rambling? :)

July 23, 2015

The tiniest biggest country in the world.

Hi folks!

This here post is the last in my mini-series from St. Petersburg. It continues the ‘places to visit’ theme, but with a difference; for the place it describes resembles a museum, but it isn’t a museum really, I think. Or maybe it is. It claims to be one… Hmmm, whatever it is, it’s unusual, unique, and a must-see!

It is a bit like a museum or art gallery in that you’re not allowed under any circumstances to touch the… exhibits, even though they’re not really exhibits… Confused? You won’t be…


Sign: ‘He touched the exhibit/model!’ On shirt: ‘I’m being punished’

This is Grand Maket Rossiya! Maket is a Russian word with numerous, similar meanings, but choosing the right one to translate into English can be tricky. This is perhaps proved by the people behind the maket having left it as just that – maket, even though it isn’t an English word. When they describe the place on the site it’s put as a ‘layout’. They mean a scale model of the Russian landscape – a miniature version of the layout of the country, making it the smallest maket of the largest country in the world for sure. It’s also the second largest scale model of its kind in the world – behind Miniatur Wunderland in Hamburg.

This is a truly unique, mind-blowing, thoroughly enjoyable place. From the outside it’s nothing much – a not-so-large, unassuming building; inside – OMG. It’s like Dr. Who’s TARDIS! A massive miniature (!) scale model – an impossibly large kid’s toy; an impossibly large adult’s toy. Again though – not really a toy; what sort of toy is one you can’t touch? :)

grand-maket-piter-2

Read on: railroads and highways, cities, towns and villages, factories, power stations… everything!…

July 21, 2015

Railroad feats in St. Pete.

There are different kinds of museums.

There are real museums (in the classic understanding of the word), there are expositions, exhibitions, installations… What other words are there for describing such events? Graffiti! Btw, good quality graffiti done in good taste – is it an exposition or installation or hooliganism? The latter I cross out since good graffiti (IMHO) is real art. Oops. Off piste before even getting on piste. I do keep doing that…

So. Museums…

St. Petersburg is ram packed full of them. It’s like the museum capital of the world.

Now, I understand that if St. P’s museums were to be compared with, say, the Louvre or the British Museum, St. P’s may lag behind somewhat. However, considering the very difficult past St. Petersburg has had, its museums are a bit of a miracle. Museums weren’t all that well supported in post-imperial times; the same goes for during the 70+ years under Communism; obviously WWII was a major setback; and of late, post-CCCP, the city’s museums have continued to be somewhat neglected with no generous state or philanthropic sponsors coming forward as they do in the West. Maybe I’m wrong. But that’s how it seems to me. Do correct me if I’m mistaken.

There I go again… OK. Back to the main topic…

In Saint Pete there are the usual suspects: the museums children visit on school trips – the typical, the bland, the traditional, the obvious. So we, naturally, decided to shake things up a bit and go alternative, rebel, renegade! We went to… the Railroad Museum!

piter-muzey-parovozy-1

Read on: let the pix do the talking…

July 20, 2015

St. Pete from above.

Hi all!

To get high up and look down and around, say, from up a mountain… it’s always cool and beautiful. But to fly up above for panoramic views of below – it’s even better. And best of all when it comes to flying for sightseeing purposes is the helicopter. Best of all when it comes to what to check out below…: a beautiful city. Best of all when it comes to beautiful cities…: one uniquely beautiful like St. Petersburg.

So off we choppered…

Pulkovo – Petergof – Bolshaya (Big) Neva – the Neva – Malaya (Little) Nevka – Pulkovo.

I’ve nothing much to say really. But a lot to show…:

Petergof:

piter-vertolet-1

Read on: Bolshaya Neva and so on…

July 17, 2015

Tricky St. Pete.

St. Petersburg in summer, especially June and July – it’s… tricky. You’ve probably already heard that there’s hardly any nighttime at all in summer, as, well, the sun – well up the northern hemisphere this time of year, just pops over the horizon for a few measly hours, before it ‘rises’ again in the wee hours of the next morning. As a result, days can seem endless; well, they almost are. And you need good thick curtains or an eye mask to get some proper shut-eye of a ‘night’.

There’s another thing: you gotta make sure you’re where you got to be before the bridges go up. If they do, and you’re not where you need to be: oops. On the other hand, these bascule bridges have their advantages: what better excuse can there be to not be where you should be (and really don’t want to be)? “Can’t make it. No really: can’t – physically. The bridges are up!”.

Like I say, Peter – it’s tricky this time of year.

It’s tricky, but it’s also awesome. Just check out some of these White Nights & bridges-up views you can get to see. Awesome indeed…

Tricky-Pete-1

Tricky-Pete-2

Read on: boats, canals, Neva…