LAS VEGAS, August 7-9 2018 – As nearly 19,000 of us from the hacker and research community descended upon Vegas for Black Hat, the outside temp hit 111 degrees, a record last set in 1994.
Fortunately, the power grid held, and we were kept comfortable (sometimes too cold) for the duration of the two-day security training event at the Mandalay Bay Hotel and Casino. However, some slot machines, elevators, and other embedded systems didn’t fare so well under hacker tinkering over the weekend at Black Hat sister conference, Def Con, as covered by Jack Morse, fellow member of the press.
These hotel hacks reported by Morse were simple demonstrations of software and hardware hacking into critical infrastructure systems (hey, elevators are critical). Demonstrations of grid hacking, car hacking and voting machine hacking were also urgently covered during sessions at both Black Hat and Def Con.
Everything Cyber is Hackable
Risks from IoT, cloud-based computing, mobility, and lack of resources were topics well-covered by Parisa Tabriz, Google’s Director of Engineering and Project Zero Manager, during her conference kick-off keynote, “Optimistic Dissatisfaction with the Status Quo: Steps we Must Take to Improve Security in Complex Landscapes.”
In it, she argued convincingly for going back to the basics – secure design, fast and accurate patching of vulnerabilities – and she told her personal story of challenging the status quo.
Improvement Takes Time
Tabriz used examples of long-term infrastructure improvements, like Chrome’s enforcement of encrypted browsing (HTTPS). Internet providers that use HTTP rather than HTTPS are labeled as insecure starting this past July.
Some businesses object to this ‘Migrate or face embarrassment’ move on Google’s part. Google countered by posting comprehensive help documents for businesses to make the migration.
She also described the time (nearly 7 years) and team commitment put into this upgrade, which she called a “feat of engineering.” Myriad browser program interdependencies – from plug-ins to the O/S – had to be considered (and no, none of them made it easier with a common language).
“The message that it took years to make this change is incredibly important,” said Adam Shostack (author of Threat Modeling: Designing for Security) during an impromptu hallway interview shortly after the keynote. “Changes that really matter take time.”
Tabriz also used the keynote to showcase another long-term program developed by her team at Google, Project Zero, which, she says, has so far identified 1,400 critical vulnerabilities across O/S, software, cloud-based and hardware systems while speeding up vendor patch times to 90 days or less.
In Support of DevOps
While these Google projects were long in the works, they specifically support today’s demand for faster development by providing more secure foundations and libraries for developers and vulnerability managers, Tabriz explained.
Investments, industry collaboration, and buy-in to infrastructure improvements like this, Tabriz said, take us one step closer to getting ahead of criminals rather than “playing whack-a-mole with our attackers.”