Big Data IoT Security, The Mosaic Effect, Demise of Passwords, IoT TOCTOU Attacks, IoT Security Loose Membranes, and more


This episode is sponsored by the CIO Scoreboard

In the following interview Hadi and I discuss Big Data Security Topics like the Mosaic Effect and Privacy, Mobile Security, The Demise of Passwords, IoT TOCTOU Attacks, Driverless Cars, Atomic Views of IoT, Orchestration Layer Limitations with Big Data Security, and what he describes as ‘Loose Membranes’ with IoT security.

I recently had a fascinating conversation with Hadi Nahari, who is the Chief Security Architect at NVIDIA. He can be reached on LinkedIn and Twitter.

Hadi Nahari

Hadi Nahari is a security professional with over 20 years of extensive experience in the design and implementation of secure systems. Hadi has worked on large-scale enterprise solutions as well as embedded systems, with a primary focus on security, crypto, complex systems design, and vulnerability assessment and threat analysis. Author of “Web Commerce Security: Design & Development”, published by John Wiley & Sons, Hadi is a frequent speaker at U.S. and international security events and has led various security projects for Netscape, Sun Micro, the U.S. government, Motorola, MontaVista, eBay, PayPal, and NVIDIA, among others. Hadi is currently in charge of the security architecture and strategy of Software, Mobile, Automotive, and HPC at NVIDIA as Chief Security Architect.

The main points we cover are the following:

  • What should we be concerned about with Car Security?
  • Step by step, tech capabilities have been built into cars:
    • Lane Departure control
    • Tesla cars have a built in browser
    • Cars are moving to a state of ‘Always connected’ and ‘Always on’
    • Cars are not designed to self-protect
  • Atomic View of IoT security – In conjunction with other systems (receiving and sending data with other systems)
  • TOCTOU Attack, pronounced “TOCK too” attack – Time of Check / Time of Use Attack – When an IoT device connects and initiates, months can go by before this happens again. This gives hackers a huge window of opportunity in which to exploit a vulnerability. [50:00]
  • Big Data has nothing to do with Big/Size
  • There is really no framework of what Security and Big Data Security Means. This is a big issue now. What about the Mosaic Effect?
  • Dynamic and changing effect of data is a big issue with determining what information is private
  • Signing your life away with EULAs (End User License Agreements) is the current solution for Big Data Security. This is in effect not a solution; it is a way to not have to solve the problem!
  • What is a ‘loose membrane’ and IoT Security?
  • At what point will hackers no longer need your password?
  • Learn about the Mosaic Effect with Big Data and science as it relates to possibly not needing a password in the future. In the Payment Card Industry we know that we don’t really need your password anymore.
  • What is the Creepy Factor as it relates to the Mosaic Effect and Big Data? [10:13]
  • Google Effect – Password Recovery Questions are worthless.
  • Password is the current currency… to think about better ways to hack into systems.
  • We have to learn a new language. No is not an option!
  • We can’t prevent innovation. A Wise CISO and CIO doesn’t prevent access to Dropbox but instead finds ways to tame the beast.
  • A smart CIO is one who says my job is to enable the business.
  • The Key to Security working is to have a well-defined “Orchestration Layer” and standardization [31:00]
  • IoT Security – Mobile exposure – Hackers know that the Orchestration Layer is a gaping hole.
  • All technologies that mature become invisible.
  • Maturity will drive security. It already has with Android.
  • We have a better understanding of Risk and Liability boundaries.
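As an added illustration of the TOCTOU bullet above (this is example code written for these notes, not code from the interview or from NVIDIA), the Python simulation below models a gateway that validates an IoT device only when it connects: a device whose state changes months later is still trusted at time of use, whereas a gateway that re-validates once the last check is older than a bound catches the drift. The device, firmware strings and policy values are constructed assumptions.

```python
"""TOCTOU gap in IoT connection validation (constructed simulation)."""
from typing import Dict, Optional

DAY = 86_400  # seconds

class Device:
    """A device whose health is judged by its reported firmware version."""
    APPROVED_FIRMWARE = "1.0.0"  # assumed policy value for this example

    def __init__(self, device_id: str, firmware: str) -> None:
        self.device_id = device_id
        self.firmware = firmware

    def is_healthy(self) -> bool:
        return self.firmware == self.APPROVED_FIRMWARE

class Gateway:
    """max_check_age=None means 'check at connect only' (the TOCTOU-prone design)."""

    def __init__(self, max_check_age: Optional[int]) -> None:
        self.max_check_age = max_check_age
        self.sessions: Dict[str, int] = {}  # device_id -> time of last passed check

    def connect(self, device: Device, now: int) -> bool:
        if not device.is_healthy():          # time of check
            return False
        self.sessions[device.device_id] = now
        return True

    def handle_command(self, device: Device, now: int) -> str:
        checked_at = self.sessions.get(device.device_id)
        if checked_at is None:
            return "rejected: no session"
        stale = self.max_check_age is not None and now - checked_at > self.max_check_age
        if stale:                            # re-check before time of use
            if not device.is_healthy():
                del self.sessions[device.device_id]
                return "rejected: revalidation failed"
            self.sessions[device.device_id] = now
        return "accepted"

def simulate(max_check_age: Optional[int], now: int = 90 * DAY) -> str:
    """Connect a healthy device, let its state drift, then send a command at `now`."""
    dev = Device("thermostat-01", "1.0.0")
    gw = Gateway(max_check_age)
    assert gw.connect(dev, now=0)
    dev.firmware = "1.0.0-tampered"          # state changes after the check
    return gw.handle_command(dev, now=now)
```

Note that bounding the check age shrinks the window to at most `max_check_age` rather than closing it: a command sent inside that bound is still accepted on the strength of the old check.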

The presentation he gave on this topic is titled “Mobile and IoT Security: Will Big Data Make it Better or Worse” and can be found on the RSA Conference site (slides 41-54).



Below are some segment notes that you will find interesting.



Show Notes

  • Big Data – “A massive digital orgy with no reliable membranes” – will it get better or worse? [3:40]
  • The Mosaic effect – Personal identification through the combination of metadata [8:07]
  • “When I collect a lot of information about you, so called ‘metadata’, and put them through these mobile and IoT and all these devices, into this massive cruncher which we call data and analytics, at some point I pass that barrier that I no longer need to crack your password, or I no longer need you to have a password” [9:22]
  • “Payment infrastructure and financial services verticals, the ones that are worth their salt, are able to identify and authenticate users without requiring the passcode entrance” [11:20]
  • Complex System Analysis and False Identity Presentation – how hackers can break into a complex security system without cryptanalysis [13:34]
  • Google – Your password recovery questions are worthless [16:59]
  • The blurring line between building security and device security – regardless of how we think or what we like, it’s happening [19:00]
  • “We just have to, as security professionals, we have to learn a new language as to, ‘no that cannot be done’, is not an option … A wise CIO and CISO would understand the problem, understand the situation, realize that it’s inevitable, it’s already happening, and try to find ways to tame the beast.” [20:44]
  • The Orchestration Layer – The layer of coordinating security alphabets [27:49]
  • Mobile Liability Boundaries – How secure are mobile devices and who is responsible if something goes wrong? [31:23]
  • IoT and Vehicle Security – The evolution of technology in vehicles and devices [37:38]
  • “What used to be just a hacker trying to break your phone and have a good lolz, … if done in a car could be potentially resulting in the death of human beings” [42:43]
  • Big Data and an Atomic View of IoT devices [43:23]
  • TOCTOU Attacks – the risk of always-on devices and connection validation [46:17]
  • Defining Big Data Security – why it’s important to identify context [48:31]
  • End User License Agreements – understanding Big Data privacy ramifications [52:15]


To participate in discussions about these topics and others join our CIO Group on LinkedIn.

Bill is dedicated to your success as an IT Business Leader. Sign up/Subscribe for weekly podcast, CIO Mastermind and CISO Mastermind updates delivered to your inbox easily and effortlessly: Follow Bill on LinkedIn and Twitter.
