DEF CON 21: Where We Learn That Good Security Is Hard
The annual gathering in the Las Vegas heat known as DEF CON is always… interesting. The newly discovered potential threats discussed at DEF CON are always intriguing, to say the least. There were plenty of good talks, but several common threads in particular piqued my interest.
By “unconventional” I mean threats against devices that people outside of the security community — and even some inside it — would not consider to be targets. Charlie Miller and Chris Valasek talked about how cars could be “hacked” if an attacker gained access to the car’s internal networks. Another talk, smartly titled “Home Invasion 2.0”, discussed how many networked devices, like home automation systems, baby monitors, and even toilets, are insecure. This has been discussed by our researchers before, as well as by our CTO in our 2013 predictions. The insights they shared then are similar to the concerns raised in the talks I mentioned earlier: these systems were not designed with attacks in mind.
Designing secure systems — as opposed to systems that “just work” — is hard. It takes more time, it takes more resources, and it takes more money. It also requires awareness on the vendor’s part that their system needs to be secured in the first place.
These unconventional threats will be a significant problem moving forward. We are seeing devices connected to the Internet that have few good reasons, if any, to be online. Hopefully it won’t take long before the importance of securing these devices is recognized.
Conventional Threats Still Ripe Targets
Don’t assume that conventional threats have gone away. Chema Alonso’s talk discussed the serious risks of IPv6 in existing networks — thanks in part to OSes enabling it by default. There was also the release and demo of a new tool called Evil FOCA, which enables ordinary man-in-the-middle attacks.
BYOD was under fire, too. Problems with WPA2-Enterprise wireless access were the subject of two separate talks — and were punctuated by DEF CON itself shutting down its own secure wireless network midday on the last day of the conference! In some ways, the problem is less broken protocols and more broken processes. Secure protocols exist, but aren’t used because they’re more difficult to use.
In short: just because “unconventional” threats are increasing does not mean “conventional” threats will go away. But I’d like to make the point that in many cases, security “problems” are human in nature, not purely technical.
The Snowden Factor
Of course, you couldn’t talk about DEF CON without talking about the issues raised by Edward Snowden’s revelations. After all, DEF CON founder Jeff Moss (known by his handle, The Dark Tangent) asked “feds” to stay away this year. Attendees expressed just how they felt about the matter with (multiple) Snowden cutouts making the rounds of the hallways and by attending talks by the American Civil Liberties Union (ACLU) on this matter. No one paying attention to the ACLU’s position will be surprised by what was said today, but the depth of concern (to say the least) among attendees should not be underestimated. Whatever one feels about Snowden, the impact will be felt for quite some time.
It’s quite a turnaround from just last year, when NSA head General Keith Alexander actually gave a well-attended talk. (Alexander was also present at Black Hat this year.) Privacy against government surveillance has always been a worry for the DEF CON audience, but the concern this year was, without doubt, unprecedented.
What DEF CON 21 boils down to is this: good security is hard. For new, Internet-enabled gadgets, we’re finding out what happens when unsecured systems are targeted by smart people trying to break them. In the “post-PC era”, it will only become harder as more and more targets come online. Things could get interesting — in all senses of the word.