Showing posts from May, 2018

GRIMM’s New Michigan Cybersecurity Research Lab

GRIMM has been a long-time advocate of building Connected and Automated Vehicles (CAV) with a security-by-design approach. We advance our automotive and aerospace clients’ cybersecurity posture for all forms of embedded security concerns. For example, for the past several years, GRIMM has been a co-sponsor and staple at the SANS Automotive conference - a one-stop shop for bringing the automotive sector, including manufacturers as well as vendors, and the security industry together to discuss the complexities of securing citizens in commercial and personal vehicles. Hacking automobiles is not new, but as vehicles become more and more connected, and reliant on transferring digital information, the attack surface has grown tremendously, putting citizens’ privacy and potentially safety at risk. Bad guys no longer need physical access to your car to control the steering, acceleration, braking, or communications of your own vehicle. Th

Guided Fuzzing with Driller

At GRIMM, we are always trying out new tools to build our capabilities in vulnerability research. We frequently use fuzzing to search for bugs in applications, but there are some bugs a fuzzer alone would not be able to find. So, we were excited to try out Driller, a tool written by Shellphish. Driller uses symbolic execution to find new parts of the code to fuzz, helping the fuzzer to find bugs that it might not have reached otherwise. We found it a little tricky to get up and running, but it did succeed in helping a stuck fuzzer to make progress, so it seems like a potentially valuable tool. In this post, we’ll show how we installed AFL and Driller on Linux, and discuss our experiences using and troubleshooting it. How Does Driller Work? Fuzzing is an extremely useful technique for discovering software bugs that can cause crashes, which often lead to vulnerabilities. A fuzzer provides randomly-generated inputs to a target program, attempting to fin

Making security decisions based on verifiable facts

Security decisions should be based on verifiable data - facts - rather than opinions. I’ve seen the trend of CISOs and many security operators being impeded by the lack of transparency into security data, jaded by product features and marketing fluff and limited by their ability to glean high quality, data-driven insights to inform decision making. This is a problem that GRIMM is working to solve. Although there is no single solution to address this issue, CISOs and security operators can start by looking to integrate the right combination of technology and policy to enable better data collection and information sharing. It will force operators to hedge against “vendor trust” that so many incumbent technology providers have worked decades to achieve. And, most importantly, it will also require a marked shift away from outdated “best practices” ingrained into security practitioners from early in their careers. Let’s use the conc

SCYTHE and the ICS Village’s inaugural RSAC!

Whew. Who’s still recovering from RSAC 2018? GRIMM has been making appearances at the annual conference since launching in 2012. However, this was the inaugural visit for SCYTHE, GRIMM’s sister product company which launched last October, and the ICS Village, a non-profit the GRIMM and SCYTHE leadership helped launch this spring. And what a splash it was! In case you missed it, we were busy! Here’s a recap: Howdy Neighbor and CROSSBOW in the RSAC Sandbox It’s not news that Industrial Control Systems (ICS) are some of the most insecure. We believe that advocacy in securing ICS is the best place we can be putting our (outside of work) free time, so along with some other friends (ICS stalwarts: Tom VanNorman, Larry Vandenaweele, and Beau Woods), we launched the ICS Village non-profit in February. Then, we packed up the ICS range, and took it to the RSAC Sandbox. Interested in learning more about ICS security, or how the ICS vil