Every now and then, we read about security vulnerabilities. Nowadays, they’re even given fancy code names like Shellshock and Heartbleed. Some of us who work in IT spend at least a moderate chunk of our time worrying about not only security updates, but adhering to bare minimum regulations and real world best practices. Yet, the game of fending off unintended people from running amok with your data or systems is very real and getting harder.
But where do all these vulnerabilities come from? Who discovers them? Well, an international movement of conferences is our window into the world of professional information security research.
Security researchers from a wide variety of backgrounds submit papers and presentations to conferences, and the result is a massive ruffling of feathers to show off both terrifying new exploits and wider ideas. To everyone’s benefit, much of this work has been on YouTube for years now, making the best security talks available to everyone. So, let’s jump into a cast of sometimes colorful characters and the pause-provoking work that they do. As far as lectures go, these really concern all of us!
If you’re going to watch one security talk this year, go with this keynote from BlackHat Europe 2015. Haroon Meer works through a terrifying reality check for defenders of information infrastructure. In short: most organizations are up against staggering complexity in a world where order is maintained more by the incompetence of attackers than by the success of defense strategies. If someone really wants in, we’re usually toast.
Weak links are plentiful: we can just hope that the makers of widely used open source web code use good passwords on GitHub. We’re practically unaware of the numbers of powerful chips with unknown code that run in network equipment, display adapters and even chips inside our hard drives. And companies we pay for security testing may ignore attack vectors, such as the web browser, that are used for aimless and targeted attacks alike.
Meer surely has a vision of what might shake security professionals out of targeting the wrong threats and giving unactionable advice. If you have any responsibility over networked computers, you could do worse than hearing him out.
In her Twitter bio, Adrienne Porter Felt writes that her job is to “lovingly hand-forge the green locks for Google Chrome”. That’s a pretty good summary of her work on the Chrome security team, making security understandable and approachable for people who just want to use computers to get stuff done.
In this recent talk, Porter Felt asks fundamental hard questions about the awfully unintuitive stew that is security on the web. There are no perfect answers, but that only further proves the point. Designers face the daunting task of guessing how people will react to the allegories and symbols used to present the internet we all rely on today.
What Porter Felt has in her arsenal is data from a massive userbase. With it comes A/B testing, the method of giving different users different options to choose from. She generously shares insights her team has made. One example is the tradeoff of when to show warnings and when not to, as people quickly get used to ignoring annoying messages. The importance of paying the same amount of attention to internationalized user interfaces is driven home as well.
We’re all going on about the Internet of Things and how there are sensors and smart controls for everything. Well, when every building block of infrastructure is a networked computer, every building block needs to be taken care of. Except, “the original internet of things” already exists in a form: all the non-computer looking devices we use to get online.
Take this talk by Alexander Graf from last December’s Chaos Communication Congress in Hamburg. Graf takes to cheeky, low-key sarcasm in a shocking exposé of a German internet service provider’s utterly misconfigured cable broadband network. The DOCSIS cable modems used to provide customers with Internet and VoIP services were essentially unshielded from tampering in a way that raises serious questions about similar systems around the world. Do you know if your broadband provider leaves the door open to your router?
Cryptography is used everywhere today to make the internet suitable for all kinds of transactions. But not too far back, the research and especially the publication of cryptographic methods was far from simple. Yet, a couple of decades after the lifting of US export restrictions on cryptography, the right of companies and individuals to defend themselves using widely available applied mathematics is under fire in several Western democracies and other societies.
In this panel from the RSA Conference in March of this year, we have quite the meeting of the minds when some of the people who designed the technology we use today meet and discuss the state of cryptography: Ron Rivest, Adi Shamir, Whitfield Diffie and Martin Hellman. The younger fellow is Moxie Marlinspike of Open Whisper Systems fame, the company that recently helped WhatsApp incorporate the Signal secure messaging protocol into the massively popular messenger service.
At some point, you or someone you care about will probably be kept alive with external medical devices or even implants. This happened at a young age to Norwegian researcher Marie Moe. In her recent talk from Chaos Communication Congress last December, she takes a professional and non-sensationalist approach to her worries about the computer driven pacemaker she now relies on.
As it turns out, implants, including pacemakers, run undocumented code and may have wireless interfaces. The underlying issues are more complex than the infamous pacemaker-driven assassination plot in an early season of Showtime’s ‘Homeland’ spook drama. There’s also a general lack of regulation and guidelines about patient consent on things like software updates to firmware/OS running on implants. And no one can guarantee the security of the devices used to reprogram implants.
Moe’s main point is that the field of security research on medical devices is entirely underfunded. We’re at a point where literally anyone can improve the situation by showing this talk to anyone in a medical profession.
Mobile telephony is so broken it’s not even funny. We all need it, but the way things are set up, we’re all practically carrying a surveillance system with us in our pockets.
This is, without any risk of being overly dramatic, the takeaway from this 2014 talk by Tobias Engel. The implications of the research presented have resurfaced in the media recently, and for good reason: the standards used to make phones reach one another around the globe have not aged well, at all. Largely because of carrier mergers, networks are oftentimes so badly implemented that a subscriber’s precise physical location may be known to anyone.
Calls can be redirected and intercepted through standard business subscriptions to SS7 phone services, on a network that never, ever was designed to allow unknown parties access. In the light of this, we should all be thinking long and hard about what we use phones for.
The infosec industry employs and attracts people with a diverse set of motivations and values. It should come as no surprise that the security industry includes people who walk a sometimes very ambiguous line. Like the individuals and companies who aid all kinds of governments in running mass surveillance programs in the name of “public safety”.
Then there are the people who feel not only the urge to protest against the tendency to snoop and store information, but to act against it. In this presentation from Chaos Communication Congress in December of 2015, M. C. McGrath, friend of the late Aaron Swartz, presents ICWatch and Transparency Toolkit. The project is an effort to publicly mine sources of “open source intelligence”, such as LinkedIn, to “watch the watchers”, or to just publicly expose individuals with careers in the intelligence community. Oh, and the tools used are released as open source software.
This harsh example of force-feeding someone their own medicine is as radical and eye-opening as it is controversial. The bluntness of ICWatch certainly fits the profile of its host, Wikileaks, the background and motives of which may or may not be more closely tied to espionage than is publicly known. But the message from ICWatch is clear: we’re all creating a massive trail of information that may be repurposed at any time.
The internet of today is full of tracking that doesn’t act in the interest of the individual. Yet, Darknet technologies, such as the Tor anonymization network are all still perceived as something of a seedy underbelly of the internet. The quickest way to gain a wider perspective is to learn how many of our fellow humans rely on anonymization to get around Internet censorship and the long, ruthless arms of oppressive regimes.
So, for security minded people, the logical question is where the limits of Darknets are drawn. How much of an invisibility cloak can technology such as Tor offer people in different situations? Has some mighty government already broken all last-ditch efforts at anonymity? Adrian Crenshaw attempts to answer these questions in this 2014 talk, by looking at how people using Tor got caught in the acts of some less flattering use cases for anonymity.
In short: if you’re doing bad things, nation states will do their best to use any small mistake to get at you. But for a normal, friendly citizen who wishes to look for health related information, without their insurance company eventually finding out? We’re just fine with Tor for now, if you read the fine print.
In this talk from 2015, Dave Chronister makes a deep dive into the horrifying world of half-baked products and services not worthy of the trust their users put in them.
We get a rapid-fire walkthrough of examples of what happens when a vendor shorts its customers on the promise of solving problems fast and easy. Especially while showing the audience a glimpse of the critical business and personal information exposed on public FTP shares from bad routers and file servers, Chronister makes a great point. The overwhelming majority of businesses are tiny operations that rely on consumer hardware and retail stores to pick tools for managing information. We can’t help but argue that the electronics industry is failing these users.
The bottom line in this great dark comedy? Regardless of the effortlessness with which we can pick cloud providers and pray about their security, risk really can’t be outsourced.
Remember the first talk we recommended, Haroon Meer’s laundry list of things that are wrong in how we’re trying to protect systems? Meer mentioned devices running random, unmaintained software.
If you’re not convinced about the attack surface in all our random devices, we warmly recommend this talk. Mickey Shkatov and Jesse Michael present how a current Windows laptop/tablet model includes an LTE modem. This modem happens to be designed to run a poorly configured Linux-based firmware and allows the firmware itself to be replaced, no software signing required. To paraphrase Haroon’s keynote: how does an invisible operating system on a chip inside a tablet fit into your threat model?
Despite the frightening title, this talk isn’t about literally killing people. At least not directly. Still, the consequences of following through on the information can be almost as terrifying.
If your business relies on reliably identifying people in the United States, you may want to watch this. If you’re worried that the Western superpower isn’t all that fabulous at managing the identities of its citizens, you’re right, because Chris Rock is about to show you how easy it can be for bad guys to juggle around with lives, in the eye of the system. Both in terms of ending the legal lives of persons and creating faux persons.
Ken Westin is an expert in creating tools that track other people, for example by infecting computers using USB drives. He has a lot to share on his profession and the conflicting role of creating tools that can help people regain lost property but can also endanger lives, and that are subject to export restrictions.
Mostly though, Westin’s message is uplifting in a weird way, in this world of worrying about advanced persistent threats to corporate networks. His talk is a cavalcade of petty thieves, or bad-faith buyers of stolen goods. Turns out they’re oftentimes not so smart. With the right tools installed on your equipment, you can help law enforcement help you a lot just by having software that can inform you about the location of your gadgets.
There we go, twelve long-form dives into the terrifying state of computing! If you’re an infosec buff and remember any other particularly scary security talks, feel free to share those in the comment section below. But most importantly: we mustn’t assume anyone else gets any of the things discussed above! What are your favorite strategies for trying to activate people around you with IT security?