Security is now at the heart of everything we do, everything we plug in, everything we implement or add to a system.
Every year, just when we think we are beginning to get good at it, along come two events that prove just the opposite. Black Hat and Defcon are now finished and have left a lot of frightened people in their wake, running back to their offices with sticky tape, yelling for their IT support guys.
The one that was funny for five minutes was the story of an Oxford University student who exposed GDPR for the pathetic attempt that it is to protect people’s data. Whilst we admit that we were less than kind about the regulation, James Pavur (said student) set about seeing how much data he could get from companies about his fiancée.
His project started with a delayed flight and he thought ‘I know, I’ll spam the airline with fake GDPR requests as revenge’ (as noted, student, Oxford University, favourite subject Hacking Stuff, no pictures needed).
He didn’t spam the airline but he did, with his girlfriends’ permission, start a project to see what information companies had on his girlfriend, citing a GDPR request to hurry them along. As we all know, eh hem, you have a month to respond to these requests or the fines get quite bitey.
Because these requests went to legal departments, or at least departments that do not think about security, the security was ludicrous and included companies sending him her passwords, email address, PIN number and in one case her entire credit card details in plain text. One company, who she never interacted with in any way, had most of the above credentials on her in their system.
Another interesting point was that several large companies replied that they were not subject to GDPR even though they have a significant presence in Europe.
Lesson – CISOs need to include every department in security prevention measures.
Another was a demonstration of the vulnerabilities of modern, internet connected TVs. Despite years of warnings these devices, that sit humming in your living room, are easily hackable. The demonstration at Defcon tended towards the flashy – it was hacked from a drone – but the lesson was stronger for it. The lack of security in modern TVs means that they can be manipulated to show whatever content the hacker chooses, give up passwords (through a screen prompt) and follow each click of the remote.
Given that many people use their TV to access the internet, this cannot be good.
On to Tesla and a demonstration of how a device fitted into the dashboard and the USB socket can turn the car into a monitoring device capable of recording license plates and faces of fellow drivers, over time. This, obviously, can be used to track behaviour of anyone who looks as if they are about to steal your car but the ease of it all makes you sit up and listen.
More promising is some proprietary hardware that DARPA is developing, for voting systems and other important events that have been vulnerable in the past. So far, the hackers at Defcon find the hardware ‘promising’, even laid bare to the best of the breed. And what they don’t know is that inside the promisingly secure hardware is some really flaky software. So the test is on.
The good news, if there is any, is that the attendees to these events are the good guys and their attendance makes things stronger.
Assuming that they are the good guys…