by Tiago Alcobia / AMS Architect
Crossjoin was present for the third time in a row at BSides Lisbon annual security conference.
This conference, which started in Portugal in 2013, is a great opportunity to keep up to date with cybersecurity trends and creates awareness on new or existing security breaches that any IT professional should be aware of in order to be more proficient.
Increased participation and venue change
Each year, the number of participants in this conference is growing. Last year, there were 400 participants and this year, over the course of 2 days, they reached 580.
To keep up with this growth a new venue, inside Cidade Universitária, was chosen with a larger auditorium. It was noticeable that there were much more foreign participants and also a lot more students which is a contrast from the previous editions that were exclusively attended by IT professionals. It was also interesting to see a presentation by Cloudflare that this summer chose Portugal (amongst other cities) to be their third European office. Lisbon is definitely cemented as an IT hub for international companies due to other timezone, great talent pool and quality of life.
Changes in format
There were some noticeable changes to the format of the event in relation to last year.
Instead of two tracks of talks, there was only one track this year which meant there was no need to deal with the decision of which talks to attend.
This meant fewer talks this year but nonetheless the quality of the talks and the schedule itself were still very appealing.
Lighting talks were abandoned and training was added as an optional activity at the conference. There were two training sessions (Paid) given a few days before the conference (one on all you need to know about web hacking and how to prevent your site/web app from being breached and another regarding malware analysis and forensics).
This year, some thought was also given to making the festival “greener” by spreading several recycling bins across the conference and also partnering with refood (https://www.re-food.org/pt) to collect unwanted items from the lunch pack so that it can be offered to the less fortunate.
The general admission ticket was raised and a new ticket was also created, called supporters, to those who wish to contribute a little bit more to the organization of the event that is community driven and non profit.
There were some topics that also came up over the course of the conference:
Lack of cyber security professionals
It is estimated that there are 2.93 million cybersecurity positions open and unfilled around the world, according to non-profit IT security organization (ISC)² – The International Information System Security Certification Consortium.
In recent years, companies had to resort to hiring people from non-traditional IT backgrounds which had another positive effect: A whole new generation of experts capable at looking at security in different perspectives/angles based on their diverse academic backgrounds. Some of those backgrounds are arts, political science, music, etc.
In fact, one of the keynotes of this year was from Leigh-Anne Galloway, who started as an Artist before becoming a security researcher. Her talk Art as a Methodology for Security Research is a good example of how a non-IT background can be helpful in exploring security.
Indeed, in the old days when IT security was not a concern, the hackers and phreakers (public telephone networks hackers) were not necessarily from IT backgrounds. All you needed was a lot of curiosity, creativity and persistence.
An interesting fact is that Joe Engressia (Joybubbles), a blind five-year-old discovered he could dial phone numbers by clicking the hang-up switch rapidly (“tapping”), and at the age of 7 he accidentally discovered that whistling at certain frequencies could activate phone switches. Engressia had perfect pitch, and discovered that whistling the fourth E above middle C (a frequency of 2637.02 Hz) would stop a dialed phone recording!
Contrary to the old days, today’s hacking has become easy and accessible, because vulnerability information is free flowing. What is hard is to code securely.
The keynote by Daniel Cuthbert discussed precisely this point and the debate regarding publicly disclosing/publishing security vulnerabilities that in one sense force companies to take measures but, in the other sense, helps governments hacking groups use their vulnerabilities to spy on their citizens.
An example of this are messaging apps (i.e. Telegram) that have bugs exploited by governments to repress anti-government groups.
This year, saw Google announcing they had reached Quantum supremacy by demonstrating the potential of a new kind of computer that can perform certain tasks in many orders of magnitude faster than than most advanced supercomputers.
The Wall Street Journal even published an article named The Quantum Computing Threat to American Security!
Is quantum computing the end of security as we know it? No, but it will mean that those that do not start stronger, quantum-safe, complex cryptography algorithms for communication, will be vulnerable.
This year also saw the mediatization of apps that take a person in an existing image or video and replace them with someone else’s likeness, age them, etc. with the help of Artificial Intelligence algorithms and cloud computing power.
Russian Faceapp and China’s Zao raised a lot of privacy concerns since millions of people voluntarily uploaded their picture without thinking about the potential consequences.
Deepfakes are also being used to build fake news, hoaxes, and financial fraud and that’s why some governments have started to push legislation to classify this type of activity as crime.
China Cables and Russian Sovereign Internet
Tied together with the last point, the China Cables, obtained by the International Consortium of Investigative Journalists, include a classified list of guidelines, that effectively serves as a manual for operating camps holding hundreds of thousands of Muslim Uighurs and other minorities.
The leak features previously undisclosed intelligence briefings that reveal, in the government’s own words, how Chinese police are guided by a massive data collection and analysis system that uses artificial intelligence to select entire categories of Xinjiang residents for detention.
The China Cables also reveal how the system is able to amass vast amounts of intimate personal data through warrantless manual searches, facial recognition cameras, and other means to identify candidates for detention, flagging for investigation hundreds of thousands merely for using certain popular mobile phone apps.
Recently, Russia also passed a controversial new ‘sovereign internet’ law that requires the country’s ISPs to set up deep packet inspection of all internet traffic and ready themselves for the imposition of a separate Domain Name System (DNS) under Government control.
Also a recent order says that from July 2020 all computing devices sold in Russia will be required to come pre-loaded with what is loosely described as “Russian software”.
The law covers all devices including mobiles, desktop and laptop computers and smart TVs which today ship with Russian language versions of the same apps used elsewhere in the world.
Both China and Russia block the popular Telegram messaging app. Even using VPNs is becoming a difficult alternative.
A honeypot is a network-attached system set up as a decoy to lure cyberattackers and to detect, deflect or study hacking attempts in order to gain unauthorized access to information systems.
Honeypot purposely contains data that appears to be a legitimate part of the site, but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers.
An attack against a honeypot is made to look successful while any activity is triggering monitors and event loggers.
While honeypots have been around for a long time and can be used for many purposes, the talk The Internet Is Talking To You, But Do You Listen? discussed how their cloud geographically operated honeypot allows the automatic detection of bad actors and the trends on types of attacks/malware tools/exploit attacks/scanning/crypto mining being attempted to be used.
These trends or waves of attack are useful to be detected so that authorities can be notified and in this case create a blacklist of bad actor IP’s/botnets that can be publicly shared so that companies can fight back against this type of activity.
Cheap chinese IoT security
More and more home devices are being cheaply bought that have zero or weak security whilst being exposed on the internet.
Security cameras are a typical example but nowadays it is still surprising that even commercial Physical access controls such as meeting room locks, that open through fingerprint scanners, are easily exploitable. The talk Lets Get Physical: Physical Access Controls Security showed how such a known commercial product was hacked.
Since this product, from Anviz, uses a software to centrally and wirelessly manage all the deployed locks in a physical space, it is possible to eavesdrop on that communication and try to replicate actions (replay attacks). With some investigation and persistence they were able to absolutely control the devices thanks to the hardware vendor not implementing some standard security safeguards.
The hardware vendor even provided instructions on how to expose the device on the internet for inter-site management which for hackers is a sure way to wreak havoc.
This is the case with many vendors. Anviz was contacted but did not respond. In this case, the course of action was to contact the CNCS (Centro Nacional de Cibersegurança) that notified as many ISP’s as possible about the possible threat.
Ransomware targeting small cities in U.S and Twitter CEO hack
While data breaches in 2019 in major companies (while with lower impact than in previous years) another trend that continued were ransomware attacks.
One trend in 2019 were hackers targeting small cities in the U.S (but also elsewhere) taking advantage of cash-strapped local governments unlikely to have updated their cyberdefenses or backed up their data.
Beyond the disruptions at local city halls and public libraries, the attacks have serious consequences, with recovery (or ransom payout) costing significant amounts.
Even when the information is again accessible and the networks restored, there is a loss of confidence in the integrity of systems that handle basic services like water, power, emergency communications and vote counting.
Many small municipalities are turning to cyber insurance which is only making the problem worse and ransomware more lucrative.
Another interesting event was Twitter CEO Jack Dorsey, getting hacked this year when a group managed to gain access to Dorsey’s phone number and fooling the phone carrier into transferring that number to a new SIM card. They then hacked into Dorsey’s account and sent out multiple tweets containing racial slurs.
While I was at the conference, an email dropped in my email box from Edenred (French company), which manages meal cards, announcing they had a Malware Incident and that their app and portal were unavailable.
This public admission, would most probably not have happened if not for GDPR.
See you next year!