I recently had the pleasure of taking part in a security conference organised by WIRED at ClubLounge39 in London. What can you learn from hackers? Is it worth attending another conference organised by WIRED? Read the report below.
Let us begin by presenting a view from the windows at ClubLounge39 and evidence that UFOs do exist:
Thanks to a VIP pass, I could take part in a panel discussion with some of the conference speakers. This was a warm-up, which gave us a general insight into the things companies and services do to keep us all safe. What proved especially memorable was a statement made by vChain's CEO, Irra Khi: "Compared to Israel, Europe is still crawling and putting out fires when they break out." Israel remains a few steps ahead of the threats because security is part of everyday life there: the country's geographic location requires its people to protect themselves non-stop. Irra believes that we will keep spending more and more money on our security and that this inflow of funds will only boost the growth of the security services market.
After the breakfast, the main part of the conference followed.
Adrian Nish from BAE Systems presented the ways in which hackers operate, together with a number of facts that made it possible to link the 2014 attack on Sony Pictures with the February 2016 attack on the Bangladesh Bank and attribute both to hackers from North Korea. The details of what Nish had to say can be found on WIRED's website. However, here's a spoiler for the lazier of you:
The attack was perfectly prepared. The first traces of the hack date from May 2015. The hackers had been inside the bank's systems for half a year, waiting for the perfect moment to launch their assault. That moment came on Thursday, 4 Feb 2016. Thursday marks the end of the working week in Bangladesh, and the following Monday was the Chinese New Year. This gave the hackers four days to act. Only thanks to the vigilance of the Federal Reserve (where the Bangladesh Bank held its assets) did the hackers steal no more than $81m; their plan was to order wire transfers totalling $951m.
The session was moderated by Sadie Creese, a professor of cyber security at the University of Oxford. Creese discussed the issue of insider threats. An important point of her speech was the observation that nowadays, when everything is linked to one network, not even firewalls can guarantee safety. Everything lies inside, and so every threat is now an inside threat. Read more: The cyber threat within: how knowing your staff will protect your business from attack.
The best talk in this part of the conference was given by Staffan Truvé. He said that the safeguards we add to our systems are like a complicated maze: each new safeguard is a new challenge and provokes hackers to try to break it. Read more: Is cybersecurity broken? Building walls won't prevent hacks, predicting the future will.
Cameron Colquhoun spoke about the dangers that open-source data pose for companies and explained how such data can be used to take them over. He described the phenomenon of stock-doxxing. An unknown outfit compiles a financial report on a company, e.g. a startup. Newspapers start copying the report without having verified it, and we all know that a lie repeated a hundred times becomes the truth. The company's share price starts dropping and the shares get sold at a reduced price. When everyone finally realises they have been victims of a fraud, the share price rebounds rapidly, and someone rejoices at the money earned. Read more: How 'doxing' can destroy your reputation and bring company stocks to their knees.
Dave Palmer from Darktrace spoke about the threats posed by the Internet of Things and how to handle them. Unfortunately, the innovations introduced by manufacturers do not go hand in hand with proper security measures for their equipment. It may soon turn out that devices present in our households, e.g. routers or network drives, are part of a botnet and take part in illicit activity, e.g. DNS attacks. Read more: AI will 'supercharge' cyberattacks. Meet the cyber defenders standing in its way.
This was the panel I had waited for the most, because of the reformed "black hats". The discussion began with a talk delivered by probably the most colourful figure present at the conference: Jamie Woodruff. Living with autism, dyslexia and dyspraxia, Jamie has been hacking ever since he turned 9. Now, that is a truly explosive mix. He is the one who hacked Kim Kardashian.
His talk covered how he hacks without using a computer. I will not summarise his talk here, as I think it is well worth reading the summary prepared by WIRED: Jamie Woodruff 'hacked' Kim Kardashian – and he'll hack your company for a fee.
The next speaker was Mustafa Al-Bassam, a member of LulzSec (not the one who turned out to be an FBI informant). When he was 16 (born in 1995!), he and his friends hacked the FBI's website. The subject of his talk was transparency and the ways companies should communicate hacks to the public. Al-Bassam emphasised that under no circumstances should hacks be concealed, as Yahoo did. Mustafa believes that it is worth insuring yourself against the effects of hacker attacks (I had no idea such insurance existed!). Read more: What Yahoo can learn from LulzSec: reformed hacker reveals why transparency is key.
The last talk in this category was delivered by Alex Rice from HackerOne. He presented evidence on why companies should hire hackers. He tried to convince his audience that every company should run a "bug-bounty" programme and pay hackers for the security gaps they find in the company's systems. Interestingly enough, the US Department of Defense runs its own bug-bounty programme, which has produced 138 reported security gaps, the first of them reported 13 minutes after the programme was launched. Read more: If you can't beat them, get them to join you: why all companies should hire hackers.
Later, the time came for another interesting panel. It opened with Moty Cristal, a professional negotiator. He showed the participants how to negotiate the ransoms hackers demand for not disclosing sensitive data. He referred to the case of a bank and concluded that the main principle in this kind of negotiation is buying time. It makes no sense to pay the ransom, since the data are in the wrong hands anyway. Nor can you ever be sure that the person demanding the ransom is actually the hacker who stole the data in the first place. As this was one of the best talks at the conference, I do recommend that you read the report available on WIRED's website: How to negotiate with hackers? Emoji, WhatsApp and a little bit of flattery.
Mikko Hyppönen from F-Secure presented a rather gloomy vision of a hacked world that will never be 100% safe. He showed a number of stereotypical pictures of a hacker who always wears a hoodie when sitting in front of the computer and has a Matrix-like console with green letters on a black background. In the past, viruses used to be written for fun, whereas now they are created for money or political reasons. Ninety-five percent of the malware analysed by F-Secure can be attributed to one of the cybercrime groups. However, even discovering the hacker's identity does not guarantee an arrest. The author of the Zeus Trojan horse is still at large, even though he has a $3m bounty on his head. Read more: Forget 'hackers in hoodies,' cybercriminals are the new Mafia.
Troy Hunt, the author of haveibeenpwned.com (check whether your accounts have been compromised in a data breach), a database holding the names of leaked accounts, spoke about something different. He said he often receives e-mails from "scared kids" offering to send him the user database of some famous website. Troy does not want his database to become a news site informing the world about the details of hacked accounts, so he refers them to the administrators of the websites that supposedly suffered the leak. This is often the point at which contact breaks off and the database ends up online. Read more: 'You can't just change your password and make it go away': Troy Hunt on rising data breaches.
The presentations on national security did not seem interesting, so I paid a visit to the startup scene instead, where my attention was caught by a project named CodeBashing.
CodeBashing is a platform for training developers in building secure applications. In a relatively simple and interactive way (a little like the Code School courses), the platform points out common errors hackers can exploit and presents secure coding methods. While rather trivial, the examples draw our attention to the fact that we sometimes forget that Rails code can be written in a way that opens the door to potential attackers. You can try it out here.
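To make the Rails point concrete, here is an added example of the kind of mistake such training targets; it is not CodeBashing's material or code from any project mentioned above. It is plain Ruby with no Rails or database dependency: the `sql_quote` and `bind` helpers are assumed stand-ins that imitate what ActiveRecord does when it fills `?` placeholders in `Model.where("col = ?", value)`, and the hypothetical `find_user_*` functions build the SQL text a query would send.

```ruby
# Added example (not CodeBashing's material): the classic Rails query-building
# mistake beside its safe form. Pure Ruby, no Rails or database required.

# Stand-in for ActiveRecord's value quoting (assumption: simplified). SQL string
# literals double embedded single quotes, so a quote inside user input can no
# longer terminate the literal and change the shape of the statement.
def sql_quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Stand-in for `where("col = ?", value)`: every `?` is replaced with the quoted
# value, never with raw text, and the placeholder count must match the values.
def bind(template, *values)
  unless template.count("?") == values.length
    raise ArgumentError, "placeholder/value count mismatch"
  end
  i = -1
  template.gsub("?") { sql_quote(values[i += 1]) }
end

# Vulnerable pattern, equivalent to `User.where("name = '#{params[:name]}'")`:
# user input is spliced straight into the SQL text, so the input decides where
# the string literal ends.
def find_user_unsafe(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Safe pattern, equivalent to `User.where("name = ?", params[:name])`:
# the input only ever becomes a quoted literal.
def find_user_safe(name)
  "SELECT * FROM users WHERE " + bind("name = ?", name)
end

# Constructed input: an ordinary surname containing an apostrophe is enough to
# show that the unsafe version lets input alter the statement's structure.
if __FILE__ == $0
  puts find_user_unsafe("O'Brien")  # stray quote ends the literal early: broken SQL
  puts find_user_safe("O'Brien")    # 'O''Brien' remains a single literal
end
```

The apostrophe case is deliberately mundane: if a legitimate surname can already break the query, any input crafted to do so will too, which is exactly why the placeholder form (or the hash form `where(name: params[:name])`) is the one to reach for.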
What seemed especially interesting in this part of the conference was the presentation delivered by Adrian Ludwig from the Android Security Team. At some points, the presentation tried to whitewash Android in light of the Stagefright vulnerability (apparently, there are no confirmed cases of exploitation). Ludwig also spoke about Android SafetyNet, which regularly scans mobile apps and checks what they do on the phone. The entire world, except for Russia, is scanned once every 2 or 3 weeks; in Russia, phones are scanned every day, because of the huge amount of malware developed in that region. According to Ludwig, Android will have achieved its greatest success when President Obama starts using it. So far, there is no official information on what Obama's new phone is. Read more: 'We will have succeeded when Obama is using Android': Adrian Ludwig on the future of the OS.
Despite my fears that this would be a purely marketing event, I am glad I could attend. The conference proved very interesting and substantive and did not focus only on breaking security measures, but also discussed security strategies. This was my first and definitely not my last visit to London.