White Hat Security Research

In August, there are a couple of very influential conferences in the area of computer security. The first is the Black Hat Cybersecurity Conference in Las Vegas, and the other is the USENIX Security Symposium in Washington, DC. These conferences serve and attract a wide variety of experts in cyber security defense, as well as various white hat hackers and presumably some black hat hackers also.

The terms white hat and black hat use the old western movie convention of distinguishing the good guys (white) from the bad guys (black) by the color of their hats. There is some incredible work being done by white hat experts in academic, government and commercial spaces to help manufacturers identify ways their products can be exploited so that the manufacturers can plug the holes. These two conferences are two of several that offer these researchers opportunities to present and demonstrate what they have found.

Conferences such as these would normally not get any more press coverage than a few specialized technical publications. I was a member and participant in USENIX for many years and there was absolutely no interest by the press in our proceedings. However, since these conferences focus on cyber security, exploits found and presented in these conferences do draw both technical and general press. After all, it is eye catching to offer the headline "Hackers Crack the iPhone, and AntiVirus Software Won’t Help."

Before going on, have a look at that Scientific American article because, in spite of the alarmist headline, it’s very good at describing why viruses haven’t been much of a problem with iOS devices and the extreme measures taken to work around the safeguards. They describe two ways researchers have found to inject malware. The first is to load an app that didn’t get tested or distributed via the Apple App Store. The other is a special power plugin that exploits a problem in iOS, bypassing the security features.

The problem is not the exploits as they could be used in the real world; rather, it’s the lack of balance these articles typically exhibit. I wrote about this a while back in my post about researchers hacking smart TVs. Yes, researchers were able to take control of a smart TV, but only within the LAN environment of a personal network, not from the Internet. It’s a real security hole, but not one that is practical for black hat hackers to exploit. This problem and the two noted by the Scientific American article above are critical for manufacturers to understand and address, but simply not something the average consumer needs to worry about at this time. Said more generally, these symposia inform manufacturers and IT personnel about important security flaws in their products and service offerings, but rarely offer anything that the average consumer can address or needs to be concerned about.

OK, wait a minute: on one hand you state that these issues are critical, but on the other hand you are saying don’t worry about it? Which is it?

The issue is critical in that it’s a real security hole that needs to be repaired because, though researchers exploited it using non-practical methods, it is likely that someone will figure out how to do it in a manner that could mainstream the exploit. The normal consumer doesn’t need to worry about it because by the time someone figures out how to make it mainstream, the issue will likely be addressed. Most mainstream security problems are already being exploited or will be without being demonstrated at a conference.

So, the best way to protect your smart phone, tablet and computer is to follow best practices:

  • Be sure your software is up-to-date. Most exploits occur on systems that are not running the latest software.
  • If you’re running a version of Windows older than Windows 8, be sure to run anti-virus software. Even with Windows 8, it’s not a bad idea to use anti-virus software.
  • For devices, use the appropriate app store. The idea is that the app is tested and approved by the app store prior to download. It’s not perfect, but it has been pretty reliable, especially with Apple’s App Store.
  • Keep physical control of your devices and networks. It’s significantly easier to exploit issues if a bad guy has access. Never let anyone you don’t trust completely have complete access. For Wi-Fi, use a guest account. Same with your computer. Don’t let them have access to your devices.
  • Never install software that you didn’t explicitly request. Also, only load software from reputable sites.
  • Updates are a little more problematic since they are typically automatic or semi-automatic. OS updates are fine to be automatic (in fact, preferred). App Store updates are fine also. For computer apps, if you get a notice of an update being available and you’re not sure, cancel, then open the application and manually look for an update. In Windows, this will likely be in the application HELP tab; on Macs, it will be in the pull-down menu with the application name. A fake Adobe Flash update was the method for installing malware on Macs a while back.

1 Comment

  1. Joe

    Greg, as always an interesting commentary. I was particularly interested in your comment about bogus Adobe upgrade notices for Macs. Thanks. Joe
