Kiwicon is an IT security conference created by the community and for the community. It was my great pleasure to attend this year. The venue is spectacular, but the content is even better. I will summarise a few highlights in a series of posts.

Securing a World of Physically Capable Computers by Bruce Schneier
Software is eating the world, and everything is a computer. The phone in your hand is just a computer that happens to make phone calls. Your car is a distributed computer system mounted on four wheels.

Extensibility
Back in the old days, each device did only one thing. Today, however, the devices in our daily life can be extended almost without limit. Remember Apple’s iPhone slogan: “There is an app for that”.

Complexity
Extensibility introduces complexity, which makes cybersecurity harder and harder. Malware is itself a form of extensibility, a feature of sorts; not one you want, but you get the idea.

Vulnerability
When everything is connected, an attack can come from anywhere. In April 2018, a hacker stole a Las Vegas casino’s high-roller database. Guess where the hacker got in? Through an internet-connected fish tank!

Easier, Faster, Better
Hurricanes hit parts of the USA every year, and the protections people build keep getting better. Hurricanes don’t get smarter every year, but hackers do. It is a cat-and-mouse game: ideas and methods trickle down from the NSA to someone’s PhD thesis to hackers’ tools.

Ignorance
We are living with known security vulnerabilities. For example, our cell phone network has a critical flaw in SS7 (Signalling System No. 7), the signalling protocol that makes overseas voice and data roaming possible. Unfortunately, attackers can abuse it to eavesdrop on phone calls and text messages, which also undermines the effectiveness of many two-factor authentication schemes (those that deliver codes by SMS).

Priorities
There are so many cybersecurity vulnerabilities. With limited resources, where should we start addressing them? An attack on data integrity is much more serious than one on data availability. For example, a leak of my blood type is very worrying, but a change of my blood type in a hospital database could kill me.
Also, if you make an attack cost more than the profit to be gained from it, that may be enough to stop the hackers.

Security Paradigm: Patching
Patching is good, but many IoT manufacturers’ margins are so thin that they simply have no budget left for patching their firmware, drivers, and software. So you should replace your IoT devices every couple of years, especially your router.
We will soon have more things authenticating to things than people authenticating to things, so it is important that those things are patched, secure and smart. Your future router should understand where an email comes from: if a fridge tries to send an email, the router should decide that a fridge has no business sending emails and stop it.

Supply Chain Security
Bruce doesn’t think the recent Chinese security chip allegation from Bloomberg is true. If it were true, some (photo) evidence should have leaked out by now. Also, there is a better way to do it: for example, adding an extra layer in the circuit board would be far more stealthy than adding a chip. “That is how professionals would do it”. Bloomberg has been a credible source of news for me; I will be very disappointed if Bruce is right.
Regardless of the above allegation, a product may be designed in the USA, have its hardware made in China and assembled in Vietnam, and have its software written in Slovakia. Any node in this supply chain is an opportunity for hacking, and the cost of replacing the supply chain is prohibitive.

Government
Our governments are not ready for this brave new world yet. Policymakers should also be technologists. The recent Facebook / Cambridge Analytica scandal is a wake-up call. Are our electronic voting machines safe?
Governments must produce regulations for cybersecurity and AI, just as they did for medicines. Everything counts: a regulation change by a single government may benefit us all. For example, in order to comply with the EU’s new GDPR, product manufacturers and service providers have to modify their hardware and software, and they are not going to cut another version for a different region.