"The Internet needs crime."
So said cryptographer Whitfield Diffie Wednesday in his keynote speech opening this year's Black Hat Europe conference in Amsterdam. Diffie, currently VP of information security and cryptography at ICANN, revolutionized cryptography in 1976 by publishing, together with Martin Hellman, a technique for anonymously exchanging public keys, thus laying the foundation for the public key infrastructure which now helps secure the Internet.
Diffie's crime message has obvious upsides for the 400 career information security practitioners, consultants, and analysts who are attending or speaking at this week's conference, given the job-security repercussions. But sociologically speaking, Diffie's observation that good guys can't exist without bad guys also helps explain the rise of--and collective fascination with--cybercriminals and groups such as Anonymous and LulzSec, which while not always engaged in criminal activities, oftentimes have at least skirted the edge of legality.
[We're largely to blame for hacktivists' success. Read more Anonymous Hackers' Helper: IT Security Neglect. ]
The job of information security practitioners, of course, is to find better ways to spot and block emerging attacks, including exploits launched by hacktivists, as well as advanced persistent threats. Accordingly, this year's Black Hat roster promises briefings and training sessions into everything from hacking HTML5 and Cisco's voice over IP (VoIP) systems, to details of new Oracle Database Server vulnerabilities, techniques for better securing Apple iOS devices, as well as an analysis of the effectiveness (read: failure) of "military-grade encryption" for smartphones.
The conference also promises typical Black Hat servings of information security esoterica, such as a Friday session by Steve Lord, a penetration tester and malware analyst at Mandalorian Security Services, on hacking the mobile Wi-Fi hotspots known as Mi-Fi routers. According to Lord, the portable, little black boxes, which can retail for as little as $30, are also "one of the most easily re-purposed malicious toolkits."
Such devices highlight an emerging information security challenge surrounding "the exponential growth in what needs to be secured," said Black Hat technical director and session curator Travis Carelock, in an interview at the conference. "So many micro-devices and embedded controllers now are powerful enough that they're starting to offer lots of features, but they don't offer any security." Furthermore, such devices also usually don't even play by traditional server and network rules, in which inputs can be closely scrutinized. Instead, many just ship with an active, unsecured Web server--and there's plaintext data flying everywhere.
Don Bailey, a security consultant with iSEC Partners, detailed the security downsides of that scenario Wednesday in a session on "war texting," by which he means "weaponizing machine-to-machine systems," which typically communicate via SMS text messages or via general packet radio service (GPRS), which is common to 2G and 3G cellular networks. Machine-to-machine systems can include everything from security cameras and medical devices to corporate photocopiers and smart meters.
In other words, many very physical systems have been Internet connected. "Today, all kinds of legacy engineering systems are connected to the Internet through cellular media--water controllers, electrical facilities, even now cars and ATM machines," said Bailey in an interview at the conference.
Unfortunately, many of these devices haven't been secured. As a result, would-be bad actors have new techniques at their disposal for causing damage or disruption. "Before, if Anonymous hacked into MI5 and defaced their website, but did nothing else, that's a very low-impact issue. It's an annoyance, but it's not going to hurt anybody," said Bailey. But if people hack systems that interface with the real world, such as ATMs or water processing plants, the potential for damage can look quite different.
Secure Sockets Layer isn't perfect, but there are ways to optimize it. The new Web Encryption That Works supplement from Dark Reading shows four places to start. (Free registration required.)