UNM4SK3D: Black Hat, IoT, and 32M
#diversity

This year marks the 20th anniversary of the annual Black Hat conference in Las Vegas and, quite appropriately in our digital age, the keynote was given by Facebook's CSO, Alex Stamos. Stamos' briefing covered defensive security research and took a somewhat unexpected turn to discuss empathy and diversity. Placing responsibility on the security community, Stamos reflected on infosec culture, saying the focus too often falls on the most complex, most interesting zero-day flaws rather than on issues like phishing and spam, which are far more likely to cause real human harm. Stamos said the infosec community "celebrates breaking much more than defense" and needs to work harder to "eliminate entire classes of bugs, build architectures that are resilient to failure and build relationships between the security side and developers." He believes the solution lies in broadening the industry's scope of responsibility and ensuring the diversity of individuals and their thoughts. This means not just diversity in terms of gender and ethnicity, but also including those without a technical background. As Stamos put it, "The truth is that security people aren't brilliant; we're not that much smarter than everybody else. We bring a very important way of looking at the world and an important set of skills and tools, but that doesn't mean that we need to denigrate others when we point out their mistakes. We aren't going to bug-squash our way out of this current situation."

Stamos urged conference attendees to keep his message in mind because he believes the industry's attitude will determine whether or not individuals feel a sense of belonging in the community going forward. Closing out his speech, he stressed that it is not just about doing the right thing, but about the motivation to address security problems in the future. "It's a critical moment. We've been asking people to pay attention to us for over 20 years and they are. We have the world's attention, what are we going to do with it?"

Meanwhile, at DEF CON, another security conference taking place in Las Vegas this week, a 20-year-old Windows SMB vulnerability is expected to be disclosed Saturday, 7/29. The vulnerability reportedly allows an attacker to remotely crash a Windows server with relative ease using only 20 lines of Python code and a Raspberry Pi. It is said to affect every version of the SMB protocol and every Windows version dating back to Windows 2000. However, Microsoft has said it will not patch the vulnerability.
"The security community has the tendency to punish those who implement imperfect solutions in an imperfect world," Stamos said. "We have no empathy. We don't have the ability to put ourselves in the shoes of people we are trying to protect." -Stamos

If you've missed the coverage of this year's Black Hat conference, stay informed with 'Black Hat 2017: Inside Look.'
#biohacking

Unlocking doors with a wave of your hand may sound like something out of a Harry Potter novel, but for 53 employees of US shopping self-service vendor Three Square Market (32M), this ability will become a reality on August 1st, 2017 thanks to a company partnership with Swedish biohacking firm 'BioHax International.' The optional initiative will have the 53 workers receive a tiny $300 NFC (Near Field Communication) RFID chip inserted under the skin between their thumb and index finger, giving them the ability to buy goods and authenticate their identity, among other things. You may recall NFC as the same technology that makes contactless credit cards and mobile payments possible. 32M is hosting an inaugural 'chip party' at the company's headquarters in River Falls, Wisconsin to celebrate the occasion, which many consider an early example of how human microchipping could be used in mainstream business. 32M's CEO, Todd Westby, has big dreams of where this technology could lead in the future, saying, "Eventually, this technology will become standardized allowing you to use this as your passport, public transit, all purchasing opportunities, etc."

Being the first company in the US to initiate a program like this, 32M is facing some doubts from the public, and has made it clear that the chip does not track the individual's location, nor does it allow surveillance. The stored data is also encrypted and cannot be read remotely. Still, the infosec community urges caution, as asking people to turn themselves into a walking authentication system raises legal and ethical issues for the future, not to mention the security unknowns that biohacking raises. Formally, biohacking is defined as "the activity of exploiting genetic material experimentally without regard to accepted ethical standards, or for criminal purposes."
While this does not specifically fall under that definition, one has to wonder what could happen if hackers misuse the technology against the general public in any number of ways.
"We foresee the use of RFID technology to drive everything from making purchases in our office break room market, opening doors, use of copy machines, logging into our office computers, unlocking phones, sharing business cards, storing medical/health information, and used as payment at other RFID terminals." -Westby

Want more on the benefits of biometric information? Read 'Biometric Verification as Identity Theft Protection.'
#securitysavings

With Practice Tests from Transcender you gain 6-month access to a world of information that can help you succeed on the exam, including analytics on your strengths and weaknesses. This Practice Test has a few options available to enhance your learning experience:
- Select items by test objective, set study preferences, and control how your answers are accessed.
- Select preset tests. These tests are made to provide a testing experience similar to a real testing environment.
- Flashcard review allows you to review concepts in a self-graded and unlimited environment.
#factbyte

Research from Bromium, a virtual hardware company, indicates that 94% of security professionals say users are more concerned with getting their jobs done than worrying about security, 64% admit to modifying security to allow employees more freedom to get their work done because of a request from leadership, and 40% admit to turning security off to accommodate a request from another part of the organization.

Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.
Do you like to write about your infosec knowledge, skills, opinions, or exploits?
Publish your original research, tutorials, articles, or other written content on Cybrary's blog to be seen by thousands of infosec readers daily!