So one of the guys over at Gizmodo created a video to show you how to get past the security password on the iPhone. As cool as Apple is, the one thing they are definitely not is a security-aware company.
Wednesday, August 27, 2008
Tuesday, August 26, 2008
Almost as an add-on to my previous (or a previous) post, I think one of the big things stopping people from moving to a more secure OS or infrastructure is the desire not to learn. It is really easy to sit back in our ignorance and blame outside sources for our security faults. What would the insurance company say if your house was robbed and they found out you left the doors and windows open all the time, even when you weren’t there? Your answer had better not be “Well, I didn’t know better.” They may not reimburse much if it is.
In our technology-filled world it is no different. Being ignorant is no longer acceptable. If people are unwilling to take the time to learn how to “lock their doors,” then they are going to have to come to grips with getting hacked. I don’t mean that the hacker is not to blame, but if you leave the sandwich on the counter, there is a good chance the dog will eat it.
Sunday, August 24, 2008
I recently gave my parents a new computer, and when I was installing it I couldn’t help but feel dread knowing that it was Windows. I have tried to move them over to Linux for the last few years, but I have been unable to get them to switch. I think part of it has to do with their work computers being on Windows also. How do you show the value of change?
When I first tried to get them to switch, it was because they had infected their computer beyond recovery. I installed Ubuntu, as it is the most friendly Linux OS I have found. They gave up on it before they even logged in because it wasn’t Windows. Now they have Windows again, and I can only imagine how long it will be before I have to rebuild the PC again.
There needs to be an easier way to get regular people to use a more secure OS.
Wednesday, August 20, 2008
I should have published this right after I got back from Defcon, when it was all fresh in my mind. Sadly, as things go, I forgot to, and now most of my memories of it have a shadow around them.
BlackHat this year was pretty good, with some good talks. There are some very good presenters and there are some not so good ones. The information can be good, but if you don’t know how to present it then a lot gets lost in translation. Not meaning dialect, but meaning the gap between what you mean and what the listener hears. Two of the better speakers at the show were Jeremiah Grossman and Dan Kaminsky, who both know how to engage an audience.
Defcon was a bit more of the same old, but I enjoyed the capture the flag as always. I don’t know why it interests me so much, but it does. The parties were great also. The Freakshow went awesome. I think it was all about the contortionist, though. She seemed to have a pretty captive audience for most of the night.
The big thing I took away from this year was that you should spend your time looking into the easy solutions before you hammer away at the more difficult ones. So often we get caught up in the thing that looks coolest but is more likely to fail, rather than trying to just walk in the front door. Low-tech hacks are usually faster than a more complex (or even cooler) hack.
Monday, August 18, 2008
With the recent conflict between Russia and Georgia (not the US state, although that would make things very, very interesting if it was) there is a lot of debate on what cyber war is. There is an article today on CNN.com that discusses potential cyberattacks on US infrastructure. There was another article somewhere, I forget where now, that talked about hackers as terrorists and DoS attacks as cyberwarfare. What constitutes a cyberattack? I mean, I know what should, but what do government officials think cyberwarfare is? Defacing a website? Maybe throwing a few packets someone’s way? If we are so worried about hackers knocking out our power, then why is the grid still open to those types of attacks? It seems like we as a country talk a lot about all of the ways we can be attacked and then we put in false security measures to make the masses feel safer. Airport security, anyone?
Friday, August 1, 2008
Security engineers are in high demand, and with the recent vulnerability found by Dan Kaminsky it is clear why there are just not enough of them out there. We can all patch our systems and keep them up to date with the latest hotfix or security update, but the bigger issue is that patches only come out after a vulnerability or issue is found. How do you prepare for the unpublished vulnerabilities and unknown attacks? The answer is to build your environment with security in mind from the ground up, not as an afterthought.
There are too many people who feel that security is an add-on or a nice-to-have, so they don’t design it into their environment. If more people would start with security in mind, they would find that they had less risk and fewer incidents.