There’s nothing like attendance at the annual Black Hat and Def Con security/hacker conferences to hike your paranoia into the red zone and keep it there forever. You come away with the sense that nothing, anywhere, ever, is safe–and that’s just from talks given by people willing to publicize their work. Compared to the secret legions of the NSA and other governments’ equivalents, and invisible armies of mercenary black-hats selling zero-day exploits to the highest bidder, Def Con may well only be the iceberg’s tip.
What follows is a brief and highly subjective summary of the talks that people seemed to be talking about most, and/or the ones I found most interesting:
A seriously ill wind blows some good news for BlackBerry
Alex Stamos warned the world of a potential Cryptopocalypse: the RSA encryption algorithm, which is “by far the most widely used public-key cryptosystem in the world,” may be killed by math within the next five years, along with the standard Diffie-Hellman key-exchange protocol. A viable alternative is available — but guess what? Many of its crucial patents are owned by none other than everyone’s favorite crippled dinosaur, BlackBerry.
HTTPS isn’t really so S
Even if some bright mathematician doesn’t destroy online security as we know it, HTTPS still has plenty of other vulnerabilities. The BREACH exploit can use a vulnerability in compression algorithms to pluck email addresses and other data from encrypted connections. A fake termination of a TLS session (note to power users; what you’ve been calling SSL has probably really been TLS for some time now) can lead to the hijacking of a Gmail session (for five minutes) or an Outlook one (for much longer.) Oh, yeah, and client-side TLS sessions appear to be vulnerable too.
The secret computer inside your phone
There are more than 7 billion SIM cards out there, including, probably, the one in yours. Did you know that each one is a tiny little computer in its own right, is under the complete control of your carrier, and can cause phones to make and receive calls, send and receive SMSes, open up URLs, and many other actions? Karl Koscher and Eric Butler (the creator of Firesheep) walked their audience through a great software-archaeology talk on how to program these quasi-obsolete but ubiquitous devices…which is particularly relevant in light of Karsten Nohl’s talk on how approximately 1/4 of all SIM cards in existence can be exploited via a serious security flaw.
CDMA phone? No SIM card! You’re…totally not safe either. Sorry.
Your home is not your castle
Primus locks were supposed to be high-security. Not any more: nowadays Primus keys can be reliably duplicated with a 3D printer. We’re not far from the days when people can simply take a picture of a key and have a perfect physical copy mailed to them a few days later. Even if your door is secure, your home is not: smart TVs can be hacked and even used to spy on you, and your home network and home automation systems are no less vulnerable to hackers.
Et tu, Apple?
But at least we can rely on Apple products to stay safe, right? Guess again: if you plug your unlocked iOS device into a charging station, then that station can upload and run arbitrary code on your device – in other words, take it over completely. If you’re a Person Of Interest you’d best think thrice before plugging your iPhone into a hotel charger ever again.
The Chinese have hacked into American water plants…
…well, at least one honeypot water plant, as shown by Kyle Wilhoit of Trend Micro. Meanwhile, Lucas Apa and Carlos Penagos explained to the world how industrial facilities can be compromised from many miles away.
So you can’t trust your Internet connection, your phone, your home, your iPad, or your local infrastructure. And those are just the bugs that people are willing to talk about. Stay alert! Trust no one! Keep your laser handy!
Image credit: Sinauridze, Deviant Art.