The life of a security researcher is not all beer and pizza. In most cases the days are long and very few seem to appreciate what you are doing. From the stand point of a security researcher they are the good guys trying to help push an agenda of security. They spend countless hours finding the holes in code and hardware before the “bad guys” do. Sure there are bug bounty programs that pay fairly well and some researchers work for larger firms, but it is not all about the money or attribution.
Last year at Black Hat USA 2014 we met up with a company that was looking to make some changes in the way we protect our data, Ionic Security. The concept was very simple, but the implementation was sure to be complex. I was not sure that what they wanted to accomplish could even happen. However, after a conversation with them I became more than interested. It was a simple concept, but it did not need to be overly complex. To make things even more interesting this was not a truly new idea, but it was one that had never been implemented for real data security.
In addition to seeing more than a few products and ideas during Black Hat and DEF CON we also had the chance to see something really cool from the team at Trustwave. This was not a product, but a chance to see the back end of the command and control servers for a new and improved version of the RIG exploit kit. To say that what they showed was impressive is an understatement.
The one common thing that I keep hearing everyone talk about at Black Hat and even DEF CON is how to protect your data. It is pretty much a given that if someone wants to get into your network they are going to get in. The number of flaws, vulnerabilities and compromises that are out there are simply too many to protect against. So there needs to be some other method to make sure that any sensitive data that you have is keep out of the hands of the “bad guys”. There are many suggestions about this, but most of them still try to do the same things stop the barbarians at the gate.
Have you ever lost your keys and had that moment of panic where you are not sure who might have them? This is not a good feeling. You do not know if someone has them and might use them to gain access to your things. This is the same feeling that should be running through the minds of every IT security professional right now when they think about their certificates and keys, but sadly this is just not happening. The reason that there is not more concern is that far too many even realize just how vulnerable they are.
One of the truths in security is that while an attacker can stay hidden they can continue to operate. In short, if you do not know about something, there is nothing you can do. Now you would think that this fact would encourage firms to talk about breaches and hacks more openly, but this is still not the case. One of the things I have seen over the years is that every company operates as an island. They do not share threat information (they might share your private data, but not threat information). This has created an environment where threat actors can continue to maintain attacks even after discovery at a different location. It is also why we tend to see the same threat vectors used over and over again.
For a while now (many years actually) I have argued that the rush to turn everything into a techno-gadget has been irresponsible and dangerous. However, companies that are looking into the “Internet of things” simply do not care. They see dollar signs and revenue streams in adding services to their devices that were a one-time purchase before. Because of this they are blindly rushing products to market that are open to attack on a massive scale. Consumers who are ignorant to these flaws are buying them up at a rapid pace leaving themselves exposed to data theft and worse.
Although much of the press surrounding AMD at the moment is focused on their lackluster earnings for Q2, there is some potentially good news from them. AMD’s dive into the use of High Bandwidth Memory is going to continue with their next GPU line up. According to the information available the next generation of GPUs will be code named Artic Islands and should be manufactures on a 16nm FinFET process.
Last year during DEF CON 22 we saw a demonstration of a UEFI root kit that was extremely worrying. This root kit was installed using a multipart systems to infect the UEFI BIOS in such a way as to grant the same level of access to an attacker as the CPU has (Ring 0). It was an almost unprecedented style of attack. When we reported on this many seemed to feel that it was not an issue. Now researchers are finding evidence of this same type of attack in the data lifted from the Hacking Team.
After three spate 0-day vulnerabilities are found in your product you can pretty much expect the market to call for you go away. This is the situation that Adobe is in right now. After fighting to their little slice of dominance in the computing industry Adobe’s Flash is arguably one of the most commonly used APIs to rendering rich content. This has made them a rather large target for a number of years… well this and the fact that the Flash development team has made some rather poor choices when it comes to their application.