Blog | SafeLogic

Blog

8 Feb 2015

On Encryption Keys (and Anthem) – Part 2 of 2

SafeHealth_option2_orangeThe Anthem breach encouraged me to wrap up this blog series and talk about key management in a genuine security context. When the Anthem breach first was public, it looked as if patient records were accessed because of lack of data encryption. Then Anthem stated the real reason for the breach: they only encrypt data in flight to/from the database(s) and rely on user credentials for access to data in the database. Why didn’t they encrypt the data in the database? Well, per Health Insurance Portability and Accountability Act (HIPAA) requirements, they don’t have to as long as they provide protection of the data via other means. Like elevated credentials.

That worked well, didn’t it?

They were compliant, but obviously not secure. To add more security to compliance programs like HIPAA, there have been some cries for enterprises to implement encryption. So how do you encrypt data properly? Well, it all depends on your environment, the sensitivity of the data, the threat models, and any tangible requirements for regulatory compliance. Here are some general guidelines:

  • Use validated encryption.
  • Use strong, well-generated keys.
  • Manage the keys properly.

Use validated encryption. Federal Information Processing Standard (FIPS) 140 is the gold standard. The Advanced Encryption Standard (AES) is one of the FIPS-approved algorithms for data encryption, and it is a better encryption algorithm than what Joe the Computer Science Intern presented in his thesis project. It just is. Plus, part of the FIPS 140 process involves strenuous black box testing of the algorithms to ensure they’re implemented properly. This is crucial for interoperability, and proper implementation of the AES standard also provides a measure of confidence that there aren’t leaks, faults, etc. Always look for the FIPS 140 certificate for your encryption solution.

Use well-generated keys. A password-based key (PBK) is crap. Here a key is derived from a password after it’s hashed with a message digest function. PBKs are crap because most passwords are crap. They’re subject to brute-force attack and just should not be used. Password-Based Key Derivation Function v2 (PBKDF2) makes password-based keys a bit stronger by conditioning the digest with random elements (called salt) to decrease the threat of brute force. But the threat is still there.

Keys should be as unpredictable and “random” as possible. Unfortunately in software environments it’s difficult to obtain truly random data because computers are designed to function predictably (if I do X, then Y happens). But let’s say you can get provable random data from your mobile device or your appliance. Use that to feed a conditioning algorithm and/or pseudorandom number generator. Then use that output for your key.

Use strong keys. The strength of a key depends on how it’s generated (see above) and how long the key is. For example, the AES algorithm can accommodate key sizes of 128-bits, 192-bits, or 256-bits. Consider using a key size that correlates to the overall sensitivity of your data. In Suite B, 256-bit keys can be used to protect classified data at the Top Secret level. Is your data tantamount to what the government would consider Top Secret?

Also consider the environment. Constrained and embedded environments (think wearables) may not have the processing power to handle bulk encryption with 256-bit keys. Or maybe data is ephemeral and wiped after a few seconds and therefore doesn’t need “top secret level” encryption. Or maybe there’s just not enough space for a 256-bit key.

Use a key that is strong enough to protect the data within the constraints of the environment and one that can counter the threats to that environment.

Manage your keys properly. You wouldn’t leave the key to your front door taped to the door itself. Hopefully you don’t put it under the doormat either. What would be the point of the lock? The same applies to information security. Don’t encrypt your data with a strong, properly generated data encryption key (DEK) then leave that key under the doormat.

Consider a key vault and use key encryption keys (KEK) to encrypt the data encryption keys. Access to this key vault or key manager should also be suitably locked down and tightly controlled (again, many different ways to do this). Otherwise you might as well just not encrypt your data.

While we’re at it: rotate your keys, especially your KEKs. Key rotation essentially means “key replacement” … and it’s a good idea in case the key or system is compromised. When you replace a key, be sure to overwrite with Fs or 0s to reduce any chance of traceability.

Store those DEKs encrypted with KEKs and protect those KEKs with tools and processes. And remember to balance security with usability: rotating your KEK every 2 seconds might be secure, but is your system usable?

Anthem wanted the data to be useful, which is why it wasn’t encrypted at the database. But that usability came at a high cost. The good news is that it is possible to encrypt data and have it be usable.

 


Encryption is a critical, necessary piece of a system’s overall security posture. But it’s not the sole answer. In Anthem’s case, records were accessed via those “elevated user credentials” … which means that malicious hackers were able to get in to the authentication server and raise privilege levels of user credentials (usernames/passwords) that they either knew or gleaned from the auth server. So in this case, it’s irrelevant if the breached data was encrypted; the hackers had authenticated and authorized access to it.

So what’s the answer?

When this was first reported I tweeted this:

Editing_Encryption_Keys — Part_1__What_Are_Keys_Exactly_

Defense in depth means providing security controls to address all aspects of the system: people, process, and technology. Technology is the most difficult pillar to lock down because there are so many layers and threats, hence so many products such as firewalls, IDP, APT, IDS, SIEM, 2FA, AV, smart cards, cloud gateways, etc.

Encryption is a fundamental element for security of data at rest and data in motion (control plane and data plane). Even the strongest encryption with proper key management won’t protect data that is accessed by an authorized user, because it has to be usable. However, encrypted data and tight management of keys provides a critical, necessary piece to a robust security posture.

I hope this provides some guidance on how to think about encryption and key management in your organization.

 

BlogFooter_Ray

3 Feb 2015

Privacy, Liberty & Encryption

David Cameron

David Cameron

It is unfortunate, that in the aftermath of the Charlie Hebdo murders and hate crimes in France, rallying cries for freedom of speech were twisted to interpret “free” speech as the opposite of “private” speech.  A few weeks ago, British Prime Minister David Cameron spoke out, radically saying that “we must not allow terrorists safe space to communicate with each other,” going on to suggest that there should be no means of communication which the government cannot read.  I’m in no way sympathetic to extremists or rebels who leverage privacy to plan nefarious and destructive acts, but I am certainly sympathetic to all of the innocent, law-abiding citizens whose civil rights would be trampled by such a policy.

It was just a few short months ago that certain US government officials cried foul when Apple solidified their encryption capabilities to the point that consumer data could not be deciphered, even under federal subpoena.  As Matthew Green wrote on Slate.com at the time, “Designing backdoors is easy. The challenge is in designing backdoors that only the right people can get through. In order to maintain its access to your phone, Apple would need a backdoor that allowed them to execute legitimate law enforcement requests, while locking hackers and well-resourced foreign intelligence services out.”  For this, among a myriad of other reasons, Apple relieved themselves of the headache and built the ‘Secure Enclave’ instead.  Individual iPhones encrypt extended data using a unique key, mathematically derived by combining their passcode with a set of secret numbers that are built into the phone.  Tim Cook himself couldn’t decrypt it without the user’s passcode and physical access to the device.  By extension, Apple is now rid of thousands of subpoena requests and pressure from a variety of global governments.

Despite the claims that law enforcement’s hands would be tied by this development in time sensitive situations such as kidnapping cases, Bruce Schneier asserted in a CNN editorial that “of the 3,576 major offenses for which warrants were granted for communications interception in 2013, exactly one involved kidnapping.”  So much for that theoretical importance of maintaining access to user phones.  More importantly, Schneier points out that phone data “can no longer be accessed by criminals, governments, or rogue employees. Access to it can no longer be demanded by totalitarian governments.”

This is another complication.  Even if the FBI and other US law enforcement agencies were the absolute pinnacle of tech-fueled crime-fighting and the removal of communication intercepts truly shackled their efforts… at least it closes the door to other, more suspect governments.  Apple, Samsung and others can’t really play international favorites, after all.  If they were able to, and willing to, provide backdoor access to the USA, they would have obligations to North Korea as well.

Apple washed their hands of the encryption problem by abdicating their role as a middle man and gatekeeper, and the internet didn’t break.  Law enforcement and other agencies seem to still be solving crimes, even without their former favorite toy.  Possibly most important, the ship has sailed, before another government flexes their muscles.  Just like Iran banned WhatsApp.  Just like India forced Blackberry to provide a law enforcement backdoor.  The UK has long been a supporter of citizens rights and privacy.  Thankfully, Apple ended this conversation long before the Prime Minister’s kneejerk reaction, wishing out loud for a technology-driven vaccination from terrorism.  We can only hope that other phone manufacturers follow suit quickly.

I sympathize with the victims in France.  I understand the sentiments of David Cameron.  But now, more than ever, it is crucial that we protect our liberty by protecting our privacy.  If we are forced to sacrifice our rights, we have already lost the war.

BlogFooterWalt2

24 Jan 2015

On Encryption Keys – Part 1 – What Is a Key?

Last week I met with a customer to help solve, among other things, some challenges around key management and key lifecycles. I thought I’d kick off a blog series on keys: what they are, their generation, use, recommended strength, etc.

First, let’s briefly address what a key is: a key is what protects your data. It’s a (hopefully!) secret parameter fed into an encryption algorithm to obfuscate data in a way that only someone with the same key can decrypt the data and read it as intended.*

Here’s how I explained it to my 10-year-old daughter:

Think about the door to our house. When the door is locked, only someone with a key can get inside. (Ok sounds more like authorization but stay with me). When inserted and turned, the key hits the pins that triggers the locking mechanism and unlocks the door. That key is the only key that can lock and unlock our door.

While quite elementary in my mind, it’s a relatively good example of the value and importance of the key lifecycle, which I briefly discussed with my daughter after she asked the following questions:

  • What if someone copies the key?
  • What if our neighbors lose our spare key?
  • How do we know if someone else used our key?
  • Does someone else’s key work in our lock?

All are relevant questions in relation to cryptography as well. Over the next couple of weeks, we’ll talk about how keys should be generated, ideal key sizes, and general key management issues and best practices.

Fair warning: there is no single, correct answer. We’ll use this series to address dependencies and variables such as environments, data sensitivity, and threat models.

*This is known as symmetric encryption, where one key encrypts and decrypts data. In asymmetric encryption a public key is used to encrypt data and only its associated private key can decrypt the data.

 

BlogFooter_Ray

5 Jan 2015

My Worry and Optimism for Cybersecurity in 2015

toughroad8ball

Let’s face it – 2014 was pretty bad from an information security perspective, and I believe we will see a rise in the frequency, severity, and publicity of malicious hacks and breaches in 2015.

I’m worried that as a community, hell, as a society, we won’t see enough progress in this uphill battle of infosec. I’m not blaming anyone or pointing fingers. Security is hard because every organization is different: different people, different policies, different network topologies, different vendors, different missions, etc. (and that is why there is no silver bullet for security). In general, I’m worried about some SMBs that lack the resources to set up a proactive security posture. I’m concerned about some large enterprises that will continue to lag and not fully embrace security.

But… I’m optimistic. Security is at the tip of everyone’s tongue now. It’s “cool” … and cool is good.

SMBs have options for cloud productivity and storage solutions with security built in – at the very least, better security than what they could do themselves. Larger organizations can integrate many different solutions to enable their security posture.

Security is about defense-in-depth, which is to say having security at all layers, from policy and training to two-factor auth and encryption. Aggregate organizational differences can be met with the right technologies in the right place.

I’m optimistic because there are so many good and talented people working very hard to stay ahead of the bad guys. There are new technologies and new ways of thinking. There are VCs willing to fund such companies. There is more adoption and acceptance of security in the marketplace. There are companies with an assigned CISO to keep their business focused on security and out of the news.

So how do we make 2015 better to ease my worrying and reinforce my optimism?

Everyone: keep evangelizing. We have to keep talking about security and encouraging it. We need to think about security in new and emerging markets like wearables and IoT. I think after all the news in 2014, stakeholders are starting to get it. Perhaps we need better / tighter regulations. We need to talk about what’s real, what’s viable, and what’s manageable.

Product vendors: build security into your lifecycle. It’s doable. Microsoft initiated the Security Development Lifecycle with impressive if not astounding results. Cisco is doing it, along with many others. Security is a process. Bake it in to your software development. It’s good for you and your customers.

Buyers: check for the right encryption. Not all encryption is equal. Is your vendor using homegrown encryption written by Joe the Intern? Or is it standards-based? Just because a vendor says they implement AES doesn’t mean they do it correctly. Encryption needs to be correct to be true and interoperable. Look for FIPS 140 validation on your preferred vendor’s encryption library or ask for the certificate number.

All businesses: Assess the value of your data and where it resides. Then deploy the right products. Security is a process. Organizational security starts with security risk management, which guides the organization in protecting its assets. Before selecting security controls, the organization must know what data it needs to protect, the value of that data, and the lifecycle of that data. Whether protecting credit card numbers, user files, intellectual property, internal emails, provocative Mardi Gras photos, product roadmaps, money… all of that needs to be protected in an organized and actionable way.


Over time, we’ll explore more in each of these areas. In the meantime, this worrier is optimistic that we will stay focused, deliver, and do our best to make 2015 better.

 

BlogFooter_Ray

22 Dec 2014

The Sony Hack Just Does Not Matter

Several times this year we’ve heard about hacks and compromised systems (more so than I can remember in recent history), and I have to say I’m truly amazed at all the press on the Sony hack. But why is this garnering so much attention?

Simply put, its effects are felt by a wider audience.The_Interview_2014_poster

  • Sony cares because of loss of revenue and tarnished reputation.
  • Movie stakeholders (the producers, actors, etc.) care because it could impact them financially. I have never read the relevant agreements for this industry, but I’m sure there is a force majeure clause that will now be subject to an unprecedented interpretation and a great deal of legal precedence going forward.
  • Theater owners / workers care because of supposed threats against their establishment, loss of revenue, and the inconvenience of replacing a movie in their lineup.
  • Consumers care because they can’t see a movie with some very funny comedians.

Banks or retailers get hacked and it makes the news for a couple of days and fades. Maybe it’s not serious enough? The Home Depot, Target, and Staples attacks don’t really take anything away from the consumer. They can still shop at those places, albeit with new credit card numbers. So they don’t really feel the effects. An entertainment company is hacked and it’s an act of war cyber-vandalism. So much so that the President has weighed in and vowed a response. I guess compromising a retailer is just a nuisance.

Finally, there is breach that consumers actually care about. The JPMorgan breach doesn’t directly affect the average family. We are, sadly, getting accustomed to being issued new credit cards and putting band aids on breaches in that industry. We can tolerate the Fortune 50 losing money, but don’t mess with our entertainment. That is intrinsically American.

Perhaps I should rethink this title, as now attackers may have found an avenue that will encourage even more attacks. And let’s face it: we have thoughts of actual war dancing through our heads. This isn’t script kiddies and folks just looking to make a quick buck. These are hackers with nukes.

At SafeLogic we’ve done a fair bit of evangelizing this year, trying to get makers of IoT devices and health wearables to build security in as opposed to treating it as a cost center and a reactive initiative. So with that in mind, let’s think about this:

If halting the release of a movie gets this much attention and buzz , what happens if critical infrastructure is compromised? What if people can’t get water? Or they get only contaminated water? What if the power grid is blacked out? What happens when connected “things” are compromised? These are the absolute scariest scenarios, the effects of which are far more impactful than what you’ve been reading about this week. These effects are real.

Let’s not discover what happens in these “what if” scenarios. We need awareness and we need plans and we need action. I’m hoping that everyone takes the Sony hacks to heart and thinks about what truly matters… Especially this time of year.

Oh, and encrypt your data with SafeLogic’s validated and widely-deployed encryption solutions.

BlogFooter_Ray

27 Oct 2014

Exposing the Risks of Data-Driven Healthcare

BlogFooter_Guest_JaredThis is a guest post from blogger Jared Hill as a special contribution to SafeLogic.

The recent Heartbleed and POODLE data leaks exposed some of the major dangers of living in a digitized world. With the entire healthcare system becoming increasingly reliant upon digital organizational systems, a patient’s most private information — prescriptions, records, communications, you name it — might be vulnerable to hacks. While many hoped doctor-patient confidentiality and legal privacy rights would be easily applicable across the board, this guarantee can simply not be made in the digital realm.

Illegally obtained medical records promise huge sums of money on the black market, more so than customer or banking information, or even risque photos of famous celebrities. Certain kinds of personal information are very valuable for those wanting to pose as someone else in order to obtain medical care. Although there are dozens of cybersecurity-related legislative proposals before Congress and amendments made to pre-existing legislation, notably, the Health Information Portability and Accountability Act (HIPAA), there is still much work to be done to safeguard patients against data hacking.

The Heartbleed “mishap” incited widespread privacy and identity panic, particularly from those within the healthcare sector, but also among other professionals who are now culpable for such dataleaks. It has suddenly become glaringly obvious that thousands of servers are vulnerable to attacks from outside intruders, and it’s also clear that unsophisticated Secured Sockets Layer (SSL) certificates are not as safe as experts believed.  POODLE has illustrated the dangers of misconfiguration and untrusted networks in its own way.

SafeHealth_option2_orange
The real question, then, is by what means can healthcare companies safeguard themselves against the next threat?  Some are confident that newly drafted legislation like FedRAMP will be helpful towards that end. One health IT expert was optimistic recently, saying, “Ideally, the FedRAMP regulations will adequately address common security concerns, such as multi-tenancy and shared resource pooling, and provide a standard set of regulations that would ensure secure cloud usage in the Healthcare industry.”  That would be a major step in the right direction.

Whether FedRAMP or the amendments made to HIPAA will increase patient privacy and data security remains to be seen. They may not be strong enough legislation.  Devices are emerging that have the ability to record DNA, heartbeat patterns, and a myriad of other integral and unique personal characteristics. Instead of solely responding to current issues and security breaches, startups and tech industries need to have a conversation now regarding exactly how users will be protected from technology that won’t arrive for another decade.

Rohit Sethi, vice president of security consulting firm Security Compass said, “Maybe down the road our heartbeat, for example, becomes the main way we prove our identities.  And if we didn’t protect it 10 years ago, we don’t have a way of correcting it. So we have to treat it as serious now because we can’t predict the future.”

Sethi has a point, and a frightening one at that. Sethi cites startups (responsible for creating many of the latest apps and storage systems) as a particularly worrisome area. While established companies have spent years understanding security breaches, startups are often run by young, motivated techies who are concerned about the innovation of the product first, and user security as a distant second.

Sethi predicted that, unless strong regulations are implemented and upheld, everything from medical information to our DNA fingerprints could all become subject to theft and misuse. “You can get a credit card reissued,” Sethi said, “but you can’t reset your heartbeat or your DNA.”

15 Oct 2014

Putting a Muzzle on POODLE

SafeLogic is not vulnerable to POODLEYou may have seen the news about POODLE recently.  The good news is that it’s not as severe as Heartbleed, which affected server-side SSL implementations and had repercussions across most web traffic. The bad news is that it’s still seriously nasty.

POODLE is an acronym for Padding Oracle On Downgraded Legacy Encryption and essentially allows an attacker to decrypt SSL v3.0 browser sessions. This man-in-the-middle attack has one major constraint: the attacker has to be on the same wireless network.

That renders POODLE irrelevant because everyone locks down their wireless networks, right? Oh yeah, except those customer-friendly coffee shops with public wifi. In places like Palo Alto, you can bet there is a *lot* of interesting information going over the air there. Or at conferences, where diligent employees handle pressing business and aggressive stock traders log in to their account to buy the stock of the keynote speaker (or short it if his presentation lacks luster).  The threat is real – session hijacking and identity theft are just the tip of the iceberg.

It’s worth noting that this is a protocol-specific vulnerability and not tied to vendor implementation (such as Heartbleed with OpenSSL and the default Dual_EC_DRBG fiasco with RSA). That makes it a mixed bag. The issue affects a wide variety of browsers and servers (Twitter, for example, scrambled to disable SSLv3 altogether), but users do have some control.  This is because SSLv3 can also be disabled in the client within some browser configurations, so check your current settings for vulnerability at PoodleTest.com and install any patches when available for your browser.

Some browser vendors have already made moves to patch against this threat and permanently disable SSLv3.  Meanwhile, others have dubbed server-side vulnerability “Poodlebleed” and offer a diagnostic tool to assess connectivity.

From a government and compliance perspective, Federal agencies should be using TLS 1.1 according to Special Publication 800-52 Rev 1. TLS 1.1 is not susceptible to POODLE. FIPS 140 validations and SafeLogic customers are not affected.

If you’re interested in a deep dive, I recommend this fantastic technical post by Daniel Franke, which also provides a great history of SSL and its challenges.

BlogFooter_Ray

6 Oct 2014

It’s Q4 Already?

It’s hard to believe we are in Q4 already. If you’re in the Bay Area, it still feels like summer!  But here we are, rapidly approaching Halloween and the holidays, watching football and playoff baseball.

I don’t really do quarterly company updates on the blog; in fact, I think Walt would argue I don’t write enough blog posts in general. But I’m just too excited. SafeLogic has had a great year and I’m really proud of the work that the team is done. A more detailed recap will happen towards the end of the year – Walt will be sure of that!

I’m on the way to Orlando now to talk at Gartner Symposium about security and compliance with Paul DePond of Globo, one of our customers in mobility. If you follow us on Twitter (and why wouldn’t you?), you’ll notice that I’ve been on the road speaking quite a bit recently. The content has been a blend of education and evangelism. I’m trying to get developers in emerging areas of technology to think about building security in to their solutions. I know it’s no easy task but I want to be sure folks are thinking about emerging threats. It’s easier with SafeLogic, but that’s another story. I want folks to understand the need for and value of strong encryption built with compliance in mind.

We have talked to customers and potential clients in some very cool new spaces, and it’s encouraging to see a more mature comprehension of the advantages offered by validated crypto.  Questions from analysts and press are becoming more sophisticated, and end users are really adapting to the landscape.  It’s gratifying to see folks genuinely care about how their data is being protected.

It’s been a very fun and very busy year… and we have some cool surprises in store, in both the short and long term. I can’t wait to share more.

BlogFooter_Ray

30 Sep 2014

CTIA and the Quantified Self

logo_ctiaA few weeks ago, Ray and I attended CTIA’s Super Mobility Week in Las Vegas. We won, we lost, we had some laughs, we had some drinks, he gave some talks. Overall, it was a very good trip.

The conference was huge, full of fascinating products and interesting people, and SafeLogic was proud to be a part of the Appsolutely Enterprise agenda in the MobileCON area. Ray’s keynote primer before the security panel was well received, which was very encouraging. Folks really seemed to understand why they should care about validated encryption. Between showing support for our customers on-site, meeting with potential new CryptoComply users, and evangelizing the virtues of RapidCert, we were definitely productive.

jawbone-up24-11

That’s really just part of the story, however. I was in the midst of field testing the Jawbone UP24 activity tracker bracelet when I hitched a ride with Southwest to McCarran Airport. This was just a terrible idea. In general, I exercise and I sleep because I should. I took care to specifically prioritize both when I hit 30, along with a consistent emphasis on healthy, organic, often vegetarian meals. I honestly had no idea that Brussels sprouts were so tasty. But the quantified self movement has no place in Las Vegas, no matter how sleek and sexy the wristband is.

In a city where there are no clocks and you can order a Moscow Mule at anytime and anywhere, information that leads to self-examination is practically banned. Forget about processing the proper amount of guilt that normally influences whether I would have another drink, or stay out for another hour. All that goes out the window in Sin City, yielding a Jawbone activity report that looks like this:WaltJawbone

You read that right. Instead of sleeping, I was doing laps around the casino floor of the Palazzo. Remind me not to track myself again in this city.

og_apple_watchIn all seriousness, the bigger disruption to my Jawbone UP24 experiment was the announcement of the Apple Watch. It’s finally been revealed, and it’s coming soon-ish. Probably Q1 of 2015, but they weren’t very clear (not even in Mandarin). To me, it really looks like a 1.0 effort from the esteemed 1 Infinite Loop engineers – too thick, too limited in features, too gimmicky (yes, I’m talking about that extensive demo of the Astronomy mode) – but I’m optimistic for future versions and I’m looking forward to trying one out. It really needs to incorporate technology similar to what Healbe is promoting, to track true cardio activity and caloric burn.  Then I will be much more interested.

That was the real nail in the coffin for the Jawbone – thinking about everything that it doesn’t do. I must have been asked a dozen times what my heart rate was. “I have no idea,” I’d reply, before explaining that the Jawbone only tracks activity, not biometrics. Even the sleep tracker is iffy. I didn’t find the results of the in-sleep motion monitor to be particularly accurate, and it was self-reported for start and stop times. This left me with a very trendy pedometer. I downloaded an app instead and called it a day.

So the Jawbone is gone and not a moment too soon, since I’m returning to Vegas for a 22-hour bachelor party excursion this weekend. This time, I’ll be unplugged and deliberately unquantified.

BlogFooterWalt

27 Aug 2014

Vegas is Scary

Vegas is scary. Well, not the city itself.  I love Las Vegas!  (And I’ll be there again soon for CTIA’s Super Mobility Week. Ping me to meet up.)  The hackers that descended upon the desert oasis for Black Hat and DEFCON are the scary ones.  Their bag of tricks, more specifically.

I was on a mission to find and pick the brains of the most interesting attendees.  I came away somewhat traumatized, since I knew just enough to be truly disturbed by how many vulnerabilities were discussed.  Here are just a few, with links to more commentary by PC Mag. Max Eddy and Fahmida Rashid both did a stellar job and should be followed on Twitter.

Nest is Cracked

Saw it, wrote about it, followed Yier Jin on Twitter (and he followed me back. Very cool.)  Bottom line – Internet of Things devices should not be a doorway into your entire home network.  Consumers should consider setting up a quarantine, at least until these manufacturers figure it out.

Side note: what the hell, Nest? You’re part of Google now. You’re commonly considered some of the best and brightest. Shouldn’t you be setting a better example for the IoT vendors to come?

Airport Security Scanners Are Vulnerable

I’m not sure this is a great classic hack, per se, but it’s definitely a candidate for the Darwin Awards.  Who are the geniuses that are hardwiring login credentials into TSA-issue airport security scanners?  And to make it better, connecting them to the public internet?  Billy Rios, director of threat intelligence at Qualys, successfully identified two such systems.  He located 6,000 connected scanners, two of which were at airports.  PC Mag reported that one has been decommissioned since.  I want to know where this last rogue system is located… and I’m considering not flying until it is removed.

Satcom Links Become Slot Machines

IOActive’s Ruben Santamarta was able to hack the satellite communications systems used in airliners, cruise ships and other remote deployments.  Again, using hardcoded credentials and backdoors, Santamarta proved that several methods of alternate communications are vulnerable.  Making matters worse, the use cases when these devices are in play are exactly the situations that you don’t want to be hacked.  If you’re hitting SOS on a plane or a boat, the last thing you want to see is a Black Hat video slot machine!

Google Glass Steals Passwords

Ok, that one looks like click bait. In a way, it is. Qinggang Yue demonstrated that an iPhone or even a traditional camcorder would still do the trick, but the popular wearable poster child is the most sneaky.  He was stealing Android users’ PIN codes at an alarming rate – even 100% of attempts from 44 meters away, albeit with a camcorder on the fourth floor of the building to achieve an advantageous angle.  The upshot? Randomized keypads can’t become ubiquitous fast enough. They will negate the advantage of most PIN-stealing techniques, including this voyeur strategy. Without a direct and clear angle, Yue’s model was built to make assumptions about the location of each button.  By randomizing the location, users will not be able to rely on muscle memory to unlock their phone, access the ATM, enter their front door, etc., but hackers will have to work much, much harder.

Photo by Ryan Clarke

Photo by Ryan Clarke

Bonus Story – The Puzzle Mastermind Behind DEFCON’s Hackable Badges

Ryan Clarke aka LostboY aka LosT has a really cool gig. Wired’s Kim Zetter has the story, and while it’s not about a vulnerability, impending danger or security, I highly recommend taking a couple minutes to read it. Clarke designs seven badge types each year: attendees (humans), goons (conference volunteers), vendors, speakers, contest leaders, the press, and the Uber badge. Players have to collect each of them to decipher part of a math-based challenge. The lanyards holding the badges also contain puzzles. This level of creativity and craftsmanship is not commonplace, and it makes you want to attend DEFCON just to get one of these sophisticated works of art. And it makes me want to watch a movie like The Game again, just to get that thrill. Well done, LostboY, well done.

BlogFooterWalt