Want to beat hackers? Know the risks and know thy enemy

Story highlights

Information security professionals working to beat hackers

Conference in London demonstrated threats and solutions

Mobile devices, bank accounts and websites all vulnerable

People need to be aware of risks before taking action, experts suggest

CNN —  

Barely a day passes without news of another major computer security breach. Last week a hacking network named “Hollywood Leaks” began their attack on the personal data of celebrities, officially adding the glitterati to a roll of shame that already includes targets as diffuse as Sony, the Church of Scientology and PayPal.

However, only a few days before the emergence of this latest hacking outfit, a far less conspicuous but similarly skilled group met at a London hotel to discuss the other side of all matters of information security, otherwise known as “infosec”.

The inaugural 44Con was Britain’s first major conference for the good guys of infosec. Among the 300 delegates and speakers were a number of so-called “white hats”, programmers and penetration testers specifically employed to discover businesses’ weak spots.

Using information from these ethical hackers, manufacturers can remedy or “patch” the problem before its release and companies can take measures to safeguard their data.

Although their more destructive brethren might continue to grab headlines, 44Con demonstrated that the fight against hackers, and other more traditional threats to information security, is also strong.

“The way people use and consume media and share information has drastically changed over the past ten years,” said Steve Lord, a security professional and co-founder of 44Con.

“The information that we used to think would stay on a computer, in an increasingly networked world, it goes everywhere. So there is an increasing demand for people to secure that information because otherwise people won’t put it there.”

44Con attracted representatives from governments and members of the military, alongside risk managers, consultants and students. According to Lord, the roll call included “hackers, freaks, geeks, spooks and kooks,” none of whom was required to identify themselves further than a first name.

“It’s everyone around the table all looking at the same problems and hopefully coming up with some solutions,” Lord said.

High-profile hacking is only one strand of the ongoing battle to protect electronic information from damage or infiltration.

Events at 44Con ran the gamut from workshops demonstrating old-fashioned lock-picking with a paperclip, through discussions of threats to iPads and smart phones and even a presentation of how NASA’s transmissions to astronauts have recently been intercepted.

“We’ve got a serious problem here… like the global financial crisis,” said Haroon Meer, a researcher at the infosec consultancy, Thinkst. But although Meer also referred to “our upcoming security apocalypse”, others were focused on how intelligence can be used to predict attacks before they occur and, crucially, how to acquire boardroom backing for improved security measures.

Infosec professionals often converse in a language that is not always immediately accessible to a layman (executives included), but the result of their endeavors can often be startlingly clear.

“Every single guy at boardroom level that I speak to says, ‘Are we going to be the next Sony?’” said Lord, referring to the recent devastating hack on the electronics giant. “Everybody had a look at the Sony thing and thought, ‘Oh God, I hope I’m not next.’”


Several presentations at 44Con offered chilling demonstrations of the vulnerabilities of common business devices. Alex Plaskett, a consultant at MWR InfoSecurity, who described himself as someone who has been “professionally breaking things” for many years, performed a so-called “drive-by” exploit on a Windows 7 smart phone.

Independent security consultant Neil Kettle performed a take-down of the much-garlanded online banking security software Trusteer Rapport, running a key-logging program that replicated on screen anything a user might be entering into supposedly secure password fields.

Another security expert, Roelof Temmingh, showcased the most recent version of Maltego, software that analyzes and compares freely available information from numerous social networking sites.

Using the website of the Executive Office of the President as an example, Temmingh was able to extract specific information such as favored restaurants among White House staffers, as well as other behavioral trends.

“Even if we don’t want to attack, what can we learn?” Temmingh asked, before revealing that at least one member of the Bush administration was a fan of Moody’s Diner, visited a psychic medium named “Rosemary the Celtic Lady” and was a keen editor of Wikipedia pages.

The examples were deliberately banal and outdated, but the implication was clear. Through similar paths, hackers of more nefarious intentions could determine what versions of browsers are being used in the White House, for instance, and probe specific vulnerabilities. “If you can exploit the browser of a leader, then you’ve exploited the PC of a president,” Temmingh warned.

However, it was left to Alexis Conran, a former confidence trickster who appeared in a British TV show called “The Real Hustle”, to sum up the challenges still faced by the infosec sector.

“The general public will only take steps to protect themselves if they know what the dangers are,” he said.