Trendy new office space offers ideal setting for cutting edge research and recruiting

London, UK – September 10, 2013 – IOActive, Inc., the leading global provider of specialist information security services, today announced the opening of its new Europe, Middle East and Africa (EMEA) headquarters in London’s west end of Soho.

IOActive has been established in the UK for over five years and completed the move this week from their space at Canary Wharf to the more spacious and central location on Charing Cross Road in Soho. The new facilities provide a far more adequate and expansive environment for conducting the world-renowned security research and hardware hacking that IOActive has come to be known for, as well as a more suitable venue for engaging with customers and other members of the security community.

“We are pleased to be opening our new office in central London. As our company continues to grow and expand into new regions across the globe, our new London location will provide the team with the much-needed facilities and space to expand our local research and hardware hacking capabilities,” said Jennifer Steffens, chief executive officer for IOActive.

Additionally, IOActive’s new central location makes it an ideal recruitment hub for the EMEA region, providing the company with further opportunity to continue its rapid growth. The company already services Global 1000 clients in the financial, energy, technology and manufacturing markets, and it will soon announce the addition of a new Vice President of EMEA Sales to further support and foster the company’s expansion into this ever-growing region.

“The new central location of our office makes it easier to show our new and existing customers all our service capabilities and offerings. We are continuing to expand our team to meet the growing demand of our EMEA clients so the timing of the opening is ideal,” added Steffens.

The opening of the new EMEA headquarters follows on from the recent launch of IOActive’s South African office, which took place in July of this year. IOActive’s South African presence provides the company with the opportunity to expand its delivery capability in sub-Sahara Africa.

On Wednesday 11 September, IOActive will be hosting an open evening at its new office where guests can meet the team, enjoy music, food and drinks, as well as have a ’pitch free’ evening. For those who are interested in attending, please RSVP your details at rsvp@ioactive.com.

Supporting Resources

IOActive:                   https://www.ioactive.com/
Twitter:                      https://twitter.com/IOActive
LinkedIn:                    http://www.linkedin.com/company/ioactive-inc
Facebook:                  https://www.facebook.com/IOActive

About IOActive
IOActive is a comprehensive, high-end information security services firm with a long and established pedigree in delivering elite security services to its customers. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment through to semiconductor reverse engineering. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, USA, with global operations through the Americas, EMEA and Asia Pac regions. Visit www.ioactive.com for more information.

-###-

New service to consolidate experience and deliver unprecedented insight for customers

Seattle, USA ― August 7, 2013 ― IOActive, Inc., the leading global provider of specialist information security services, today announced the launch of its new Security Intelligence Service, to help arm organisations with prioritised critical security insights based on their unique business in light of the ever growing threat landscape.

World-renowned research capabilities and extensive experience providing security-related consulting to many of the world’s largest and most demanding companies makes it possible for IOActive to offer a Security Intelligence Service like no other. Unlike typical vulnerability feed services, IOActive uses its unique industry- and customer-centric experience to deliver highly customised attack information that is tailored to the specific industries and businesses of its customers. Additionally, the information is prioritised based on the customer’s particular business dynamics and delivered as actionable intelligence. IOActive can also support customers with response, remediation, and prevention capabilities based on the intelligence provided.

IOActive is perennially recognised around the world for its cutting-edge security research, and first to release data on a wide range of industries and topics, including most recently:

• Vulnerabilities in automobiles, medical devices, and wireless devices for industrial automation and control systems (IACS);
• Radio Frequency Identification (RFID) access control limitations;
• Critical flaws in global Domain Name System (DNS) infrastructure;
• Smart Meter worms;
• “Jackpotting” automated teller machines;
• Breaking Semiconductors;

Recent IOActive research garnering widespread acknowledgement from around the world includes being the first to identify vulnerabilities in the United States Emergency Alert Systems; TURCK industrial automation devices; pacemakers and ICDs (Implantable Cardioverter Defibrillators); and major manufacturer automobile ECUs (Electronic Control Units). This research helps further solidify IOActive’s expertise in the field of security intelligence.

The real-time human intelligence gathering, combined with analysis from IOActive’s acclaimed security research team and the unique knowledge gained from a deep understanding of customer needs from IOActive consultants enables a highly focused and robust Security Intelligence capability. This service gives customers critical insight that simply cannot be effectively extrapolated for their specific business from even the best data feeds or big data crunching solutions, much less have it before it’s actually public. Customised and prioritised early warning data enables organisations to better implement action plans and apply resources more efficiently and appropriately based on the threat(s) identified and the potential business impact(s).

IOActive’s Security Intelligence Service is headed by Chris Valasek, who was recently widely acclaimed for his ground-breaking work on vulnerabilities in the Electronic Control Units (ECU) used by all major automobile manufacturers to control many of the primary functions of the vehicles they produce. Chris was able to demonstrate how these core systems can be manipulated to debilitate or even entirely remove the driver’s control of steering, braking, and other highly central functions to basic automobile usage and safety.

Supporting Quotes

• Chris Valasek, director of security intelligence for IOActive
  “Today, there is an overabundance of security information available to organisations. While most organisations have a security team to assess this information, they might not have the expertise to filter and refine the information to know what to do with it. IOActive’s new Security Intelligence Service arms our clients with the information they need to remediate and activate defences, while also providing the distillation and projection of threats that executive management teams require.”
• Chris Valasek, director of security intelligence for IOActive
  “With our new Security Intelligence Service we can provide unprecedented detail into our current research without having to divulge it all to the general public. For example, an organisation with strong interest in medical devices can get in touch with us and receive the information directly from the researcher focussed on that area, instead of having to rely on what the mass media provides them.”
• Chris Valasek, director of security intelligence for IOActive
  “We have researchers on the cutting edge of identifying security issues that can have damaging or even catastrophic impacts to businesses and this new Security Intelligence Service puts that talent to work to identify, advise, prioritise and mitigate risks to clients. We aim to provide insight into security threats directly from the people who fully understand the issues.”

Supporting Resources

IOActive:                   https://www.ioactive.com/
Twitter:                     https://twitter.com/IOActive
LinkedIn:                 http://www.linkedin.com/company/ioactive-inc
Facebook:               https://www.facebook.com/IOActive

About IOActive
IOActive is a comprehensive, high-end information security services firm with a long and established pedigree in delivering elite security services to its customers. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment through to semiconductor reverse engineering. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, USA, with global operations through the Americas, EMEA and Asia Pac regions. Visit www.ioactive.com for more information.

-###-

Company exemplifies thought leadership with original research and training at world’s prestigious security conferences

Seattle, USA ― July 24, 2013 ― IOActive, Inc., the leading global provider of specialist information security services, today announced that five of its top security researchers and consultants have been selected to present their ground-breaking research and training at the annual Black Hat and DEF CON security conferences at the end of July in Las Vegas.

IOActive continues to build upon a decade of delivering industry defining security research at Black Hat and DEF CON with previous talks including RFID access control limitations, critical flaws in global DNS infrastructure, Smart Meter worms, jackpotting ATMs, and breaking Semiconductors.

This year sees the team presenting on vulnerabilities for automobiles, medical devices, and wireless for industrial automation and control systems (IACS). Training sessions in the latest Red Team Testing techniques will also be given to attendees.

News Facts:

• Here is an overview of IOActive’s presentations, training and arsenal session at Black Hat:
  • “Implantable Medical Devices: Hacking Humans”
    By Barnaby Jack, director of embedded device security
    August 1, 2013 at 14:15This talk will focus on the security of wireless implantable medical devices. Barnaby will discuss how these devices operate and communicate and the security shortcomings of the current protocols. IOActive’s internal research software will be revealed that utilizes a common bedside transmitter to scan for, and interrogate individual medical implants. Barnaby will also provide ideas manufacturers can implement to improve the security of these devices.
  • “Compromising Industrial Facilities From 40 Miles Away”
    By Lucas Apa, security researcher and Carlos Mario Penagos, security researcher
    August 1, 2013 at 15:30In this presentation, Lucas and Carlos will review the most commonly implemented key distribution schemes, their weaknesses, and how vendors can more effectively align their designs with key distribution solutions. They will also demonstrate some attacks that exploit key distribution vulnerabilities, which they recently discovered in every wireless device developed over the past few years by three leading industrial wireless automation solution providers. These devices are widely used by many energy, oil, water, nuclear, natural gas, and refined petroleum companies.To see a video of Lucas and Carlos introducing their presentation for Black Hat, please click here.
  • “Red Team Training”
    By Iftach Ian Amit, director of services
    July 27-28 and July 29-30, 2013In this training, Ian will teach attendees how Red Team (or full scope) testing works, how to create a methodology for using a red team engagement as a repeatable test with metrics and actionable results. He will cover all elements of a red team test, from planning and scoping, intelligence gathering, target selection, vulnerability analysis, risk analysis, exploitation and execution, resource usage and ad-hoc agent deployment, post-exploitation, documentation and recording of evidence, damage analysis, and final reporting.

• Here is an overview of IOActive’s presentation at DEF CON 21:
  • “Adventures in Automotive Networks and Control Units”
    By Chris Valasek, director of security intelligence for IOActive and Charlie Miller, security engineer for Twitter
    August 2, 2013 at 10:00Automotive computers, or Electronic Control Units (ECU), were originally introduced to help with fuel efficiency and emissions problems of the 1970s but evolved into integral parts of in-car entertainment, safety controls, and enhanced automotive functionality. This presentation will examine some controls in two modern automobiles from a security researcher’s point of view. Chris and Charlie will first cover the requisite tools and software needed to analyse a Controller Area Network (CAN) bus. Secondly, they will demo software to show how data can be read and written to the CAN bus. They will then show how certain proprietary messages can be replayed by a device that is hooked up to an ODB-II connection to perform critical car functionality, such as braking and steering. Finally, they will discuss aspects of reading and modifying the firmware of ECUs installed in today’s modern automobile.
• Black Hat takes place from July 27 – August 2, 2013 at Caesars Palace in Las Vegas, Nevada.
• DEF CON takes place from August 1-4 at the Rio Hotel in Las Vegas, Nevada.
• Next week IOActive will be hosting its annual IOAsis tradeshow sanctuary in the Emperors Suite of Caesars Palace in Las Vegas from 31 July – 1 August. The company will have Q&A sessions with all our speakers along with other key research team members, including Chris Tarnovsky, who will be on hand to discuss topics such as chip assessments, mobile security, cloud forensics, and more.
• IOActive recently opened a new office in South Africa to meet the increasing demand for locally delivered security services from Global 500 customers with operations in Africa.

Supporting Quotes

• Jennifer Steffens, chief executive officer for IOActive
  “Research into medical device security has emerged as a top priority at IOActive because of its direct criticality to life and death relative to other applications, systems and devices we’re focused on improving. In addition to my vested personal interest in building better life-saving and sustaining cardiac technology, due to my family’s experiences, the technical evolution of these devices has substantially broadened their threat spectrum. Barnaby’s breaking and continued research is already helping the medical device industry better appreciate the new risks and importance of building heightened security measures into the core architecture of these devices that will keep pace – nothing we do could be more important.”
• Jennifer Steffens, chief executive officer for IOActive
  “Today more vehicles are embedding fully functional computer systems to control critical functionality such as steering, braking, and acceleration. Chris and Charlie’s cutting-edge research on these systems will re-invent the way automobiles of the present and future are secured and protected from those who will exploit this new technology infusion to compromise the vehicles we depend on every day.”
• Jennifer Steffens, chief executive officer for IOActive
  “Because IOActive has one of the largest professional teams of researchers working with ICS-CERT we’re consistently able to uncover new sources of risk. One of our latest works presented by Lucas and Carlos highlights a new threat faced by industrial companies worldwide and demonstrates the need for new security measures in next generations of their mission critical technology. This is yet another example of our research team’s focus on identifying, vetting and remediating vulnerabilities in technologies that have potentially massive economic and sociological impacts when compromised.”

Supporting Resources
IOActive:                   https://www.ioactive.com/
Twitter:                      https://twitter.com/IOActive
LinkedIn:                    http://www.linkedin.com/company/ioactive-inc
Facebook:                  https://www.facebook.com/IOActive

About IOActive
IOActive is a comprehensive, high-end information security services firm with a long and established pedigree in delivering elite security services to its customers. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment through to semiconductor reverse engineering. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, USA, with operations in North and South America, and Europe. Visit www.ioactive.com for more information.

-###-

New southern hemisphere office to meet ever-growing trend for locally delivered security services

London, UK ― July 11, 2013 ― IOActive, Inc., the leading global provider of specialist information security services, today announced the opening of its new South African office, based in Johannesburg, to meet the increasing demand for locally delivered security services from Global 500 customers with operations in Africa.

The company has also observed a growing trend amongst the Global 500 companies to negotiate service contacts within a global delivery framework, while preferring to have security services delivered via a local presence.

News Facts:

• The new South African office also provides IOActive with the opportunity to expand its delivery capability in sub-Sahara Africa and will also serve as a recruitment centre for new talent into the company.
• IOActive’s international focus over the next 12-months is to expand its local delivery capability in order to address the demands of its expanding list of Global 500 clients – focusing on South Africa, South-east Asia, and the United Arab Emirates.

Supporting Quotes

• Jennifer Steffens, chief executive officer for IOActive
  “Our move into South Africa helps us to better service our multinational clients, as it is a blossoming financial hub for the African continent. We have customers in multiple industries that continue to expand their operations in the country and locating our newest office there will allow us to serve their needs more efficiently. It also presents us with an opportunity to grow our staff complement while more economically reaching new customers in this exciting and rapidly developing region.”
• Jennifer Steffens, chief executive officer for IOActive
  “We really enjoy doing business in this country and we see South Africa as the gateway to the rest of Africa. IOActive has been delivering security services in South Africa to our global clientele for several years already, and the opening of this new office allows us to more effectively meet their demands for specialist information security services and to nurture a new generation of security experts.”

Supporting Resources

IOActive:             https://www.ioactive.com
Twitter:                https://twitter.com/IOActive
LinkedIn:              http://www.linkedin.com/company/ioactive-inc
Facebook:            https://www.facebook.com/IOActive

About IOActive
IOActive is a comprehensive, high-end information security services firm with a long and established pedigree in delivering elite security services to its customers. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment through to semiconductor reverse engineering. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, Washington, with operations in North and South America, and Europe. Visit www.ioactive.com for more information.

-###-

Digital Alerting Systems DASDEC application servers found to be vulnerable to remote attack

Seattle, WA ― July 8, 2013 ― IOActive, Inc., a leading provider of application security, compliance and smart grid security services, today announced that is has discovered vulnerabilities in the Emergency Alerting System (EAS) which is widely used by TV and radio stations across the United States.

IOActive’s principal research scientist, Mike Davis, uncovered the vulnerabilities in the digital alerting systems – DASDEC – application servers. The DASDEC receives and authenticates EAS messages. Once a station receives and authenticates the message, the DASDEC interrupts the broadcast and overlays the message onto the broadcast with the alert tone containing some information about the event. The affected devices are the DASDEC-I and DASDEC-II appliances.

“Earlier this year we were shown an example of an intrusion on the EAS when the Montana Television Network’s regular programming was interrupted by news of a zombie apocalypse. Although there was no zombie apocalypse, it did highlight just how vulnerable the system is,” said Mike Davis, principal research scientist for IOActive. “These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package. This key allows an attacker to remotely log on in over the Internet and can manipulate any system function. For example, they could disrupt a station’s ability to transmit and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances.”

The EAS is designed to enable to the President of the United States to speak to US citizens within 10-minutes of a disaster occurring. In the past these alerts were passed from station to station using the Associate Press (AP) or United Press International (UPI) “wire services” which connected to television and radio stations around the US. Whenever the station received an authenticated Emergency Action Notification (EAN), the station would disrupt its current broadcast to deliver the message to the public. On Wednesday 26 June, the Cyber Emergency Response Team (CERT) published an advisory providing details of the vulnerability.

IOActive has also issued its own IOActive Labs Advisory outlining the affected products, the impact and the solution.

About IOActive
Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, aerospace, healthcare, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive attracts talented consultants who contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.com.

-###-

Seattle, WA ― May 23, 2013 ― IOActive, Inc., a leading provider of application security, compliance and smart grid security services, today announced that company security consultant Ruben Santamarta, uncovered hard-coded user accounts that could act as backdoors in two devices from German industrial automation manufacturer, TURCK. The affected devices from TURCK, which could be exploited remotely, are the BL20 and BL67 Programmable Gateways.

These devices, primarily used in the US, Europe as well as in Asia, are deployed across many industries that include agriculture and food, automotive and critical manufacturing.

“These hard-coded user accounts pose a significant threat to organizations that have deployed the vulnerable TURCK devices. Any attacker with knowledge of the credentials can effectively remotely control the devices and reap havoc on the network – easily disrupting or shutting down critical production lines. Affected organizations should immediately apply the updated firmware from TURCK to remove these backdoors,” said Ruben Santamarta, security consultant for IOActive. “It is both surprising and disappointing that hard-coded user accounts like these continue to crop up in Industrial Control Systems. Vendors and purchasers of such critical technologies should take great care to ensure that similar vulnerabilities do not affect future product lines. The industry as a whole still has a long way to go in implementing secure development lifecycle principles.”

On Friday 17 May, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published an advisory providing firmware mitigation locations associated with these vulnerabilities.

IOActive has also issued its own IOActive Labs Advisory outlining the affected products, the impact and the solution.

About IOActive
Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, aerospace, healthcare, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive attracts talented consultants who contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.com or call +1.866.760.0222.

-###-

London, UK – August 24, 2012. IOActive, a leading provider of application security, compliance, and smart grid security services, today announced that that Ian Amit, one of their Director of Services, will present So the red team was here and tore us a new one. NOW WHAT? at Hashdays 2012. (more…)

London, UK – August 24, 2012. IOActive, a leading provider of application security, compliance, and smart grid security services, today announced that that Ilja van Sprundel, their Director of Penetration Testing, will present The Security (or Insecurity) of 3rd Party iOS Applications at Hashdays 2012. (more…)

Buenos Aires, AR—August 21, 2012. IOActive, a leading provider of application security, compliance, and smart grid security services, today announced that Ruben Santamarta, one of their security researchers, will present ICS Security: Time to React, as the closing keynote address at the European SCADA Summit 2012. (more…)

Seattle, WA—August 15, 2012. IOActive, a leading provider of application security, compliance, and smart grid security services, today announced that Joseph Tartaro, one of their Security Consultants, will present Occupy Burp Suite: Informing the 99% What the 1% are Taking Advantage Of at BSidesLV 2012. (more…)