UNM4SK3D: Black Hat, IoT, and 32M

July 28, 2017 | Views: 3331

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

#diversity

This year marks the 20th anniversary of the annual Black Hat conference in Las Vegas and quite appropriately in our digital age, the keynote was given by Facebook’s CSO, Alex Stamos. Stamos’ briefing covered defensive security research and took a somewhat unexpected turn to discuss empathy and diversity. 

Placing responsibility on the security community, Stamos reflected on the infosec culture, saying too often the focus surrounds the most complex, most interesting zero-day flaws rather than issues like phishing and spam, which have a greater likelihood to cause more human harm. Stamos said the infosec community “celebrates breaking much more than defense” and needs to work harder to “eliminate entire classes of bugs, build architectures that are resilient to failure and build relationships between the security side and developers.” He believes the solution lies in broadening the industry’s scope of responsibility and ensuring the diversity of individuals and their thoughts. This means not just diversity in terms of gender and ethnicity, but those without a technical background, as Stamos says, “The truth is that security people aren’t brilliant; we’re not that much smarter than everybody else. We bring a very important way of looking at the world and an important set of skills and tools, but that doesn’t mean that we need to denigrate others when we point out their mistakes. We aren’t going to bug-squash our way out of this current situation.”

Stamos urged conference attendees to keep his message in mind because he believes the attitude going forward will impact where or not individuals feel a sense of belonging in the community going forward. Closing out his speech, he stressed that it is not just about doing the right thing, but rather motivation of a need to address security problems in the future. “It’s a critical moment. We’ve been asking people to pay attention to us for over 20 years and they are. We have the world’s attention, what are we going to do with it?”

Meanwhile, at DEF CON, another security conference taking place in Las Vegas this week, a 20-year-old Windows SMB vulnerability is expected to be disclosed Saturday, 7/29. The vulnerability allows an attacker to remotely crash a Windows server with relative ease using only 20 lines of Python code and a Raspberry Pi. It is said to affect every version of the SMB protocol and every Windows version dating back to Windows 2000. However, Microsoft said they will not patch the vulnerability.

The security community has the tendency to punish those who implement imperfect solutions in an imperfect world,” Stamos said. “We have no empathy. We don’t have the ability to put ourselves in the shoes of people we are trying to protect. -Stamos

If you’ve missed the coverage of this year’s Black Hat conference, stay informed with ‘Black Hat 2017: Inside Look.’

#privacy 

You may have seen YouTube videos of various animals riding around on a Roomba vacuum, an ‘auto-vacuum robot’ of sorts, but these days the Roomba is collecting more than dirt. And this time no one is laughing. 

The debate over IoT and privacy is being waged yet again. iRobot, maker of the Roomba, is looking into selling maps of customers homes to either Google, Apple, or Amazon. In 2015, iRobot released models which have high-end Wi-Fi, a camera, and utilize Simultaneous Localisation And Mapping (SLAM) technology which knows “your home’s floor plan, the rough dimensions of everything located on your floor, the areas of your home that require the most cleanup and hence likely see the most activity, how often you clean, and the distances between all your stuff.” Newer models are also compatible with Amazon’s Alexa voice assistant, as in, “Alexa, ask Roomba to begin cleaning.”

According to iRobot CEO Colin Angle, “there’s an entire ecosystem of things and services that the smart home can deliver once you have a rich map of the home that the user has allowed to be shared,” and says the company could reach a deal to sell spatial maps of homes to Google, Amazon, and/or Apple in the next couple of years. It seems this information could be used to develop the ultimate smart home with sound systems that could match the home’s acoustics, air conditioners that can schedule airflow by room, or smart lighting that can adjust according to the time of day and window position. Not to mention, any organization with its hands on your personal data can more efficiently market home goods to customers. While Angle has stressed they do not sell user data without permission, the privacy policy suggests otherwise, meaning the privacy debate continues. It also raises the question of IoT hacks and how this could affect the safety of users should attackers gain access ‘into your home.’

We may share your information…Third party vendors, affiliates, and other service providers that perform services on our behalf, solely in order to carry out their work for us, which may include identifying and serving targeted advertisements, providing e-commerce services, content or service fulfillment, billing, web site operation, payment processing and authorization, customer service, or providing analytics services. -iRobot’s privacy policy (fine print)

Not sure how you feel about IoT or why your privacy may be at risk? Read ‘Why is IoT a Threat to Internet Security?’

#biohacking

Unlocking doors with a wave of your hand may sound like something out of a Harry Potter novel, but for 53 employees of US shopping self-service vendor, Three Square Market (32M), this ability will become a reality on August 1st, 2017 thanks to a company partnership with Swedish biohacking firm ‘BioHax International.’ 

The optional initiative will require the 53 workers to have a tiny $300 NFC (Near Field Communication) RFID chip inserted under the skin between their thumb and index finger, giving them the ability to buy goods and authenticate their identity, among other things. You may recall NFC as the same technology that makes contactless credit cards and mobile payments possible. 32M  is hosting an inaugural ‘chip party’ at the company’s headquarters in River Falls, Wisconsin to celebrate the occasion, which many are considering an early example of how human microchipping could be used in mainstream business. CEO of 32M, Todd Westby has big dreams of where this technology could lead in the future, saying, “Eventually, this technology will become standardized allowing you to use this as your passport, public transit, all purchasing opportunities, etc.”

Being the first company in the US to initiate a program like this, 32M is experiencing some doubts from the public, and has made it clear that the chip does not track the individual’s location, nor does it allow surveillance. The stored data is also encrypted and cannot be read remotely. Still, the infosec community heeds caution, as asking people to turn themselves into a walking authentication system raises legal and ethical issues for the future, not to mention the unknowns of security that biohacking raises. Formally biohacking is defined as “the activity of exploiting genetic material experimentally without regard to accepted ethical standards, or for criminal purposes.” While this does not specifically fall under that definition, one has to wonder what could happen if hackers misuse the technology against the general public in any number of ways.

We foresee the use of RFID technology to drive everything from making purchases in our office break room market, opening doors, use of copy machines, logging into our office computers, unlocking phones, sharing business cards, storing medical/health information, and used as payment at other RFID terminals. -Westby

Want more on the benefits of biometric information? Read ‘Biometric Verification as Identity Theft Protection.’ 

#securitysavings

With Practice Tests from Transcender you gain 6-month access to a world of information that can help you succeed on the exam, including analytics on your strengths and weaknesses.  This Practice Test has a few options available to enhance your learning experience:

  1. Select items by test objective, set study preferences, and control how your answers are accessed.
  2. Select preset tests. These tests are made to provide a testing experience similar to a real testing environment.
  3. Flashcard review allows you to review concepts in a self-graded and unlimited environment.

You only have until tonight, 7/28 at 11:59 PM ET to use code BIGDEAL for 25% off ANY Transcender Practice Test. Simply apply the code at checkout to redeem. 

#factbyte

Research from Bromium, a virtual hardware company, indicates that 94% of security professionals say users are more concerned with getting their jobs done than worrying about security, 64% admit to modifying security to allow employees more freedom to get their work done because of a request from leadership and 40% admit to turning security off to accommodate a request from another part of the organization. 

olivia2

Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.

Share with Friends
FacebookTwitterLinkedInEmail
Use Cybytes and
Tip the Author!
Join
Share with Friends
FacebookTwitterLinkedInEmail
Ready to share your knowledge and expertise?
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel