Day Two at PHDays IV: Most Notable Quotes
5/26/2014
With its heart in the middle of Moscow, the grand forum on practical information security Positive Hack Days IV reached around the planet and has now come to its finale. Many thanks to all of you! An incredible concentration of out-of-the-box thinkers from different parts of the world made these two days run by far too quickly. The winners of the international CTF competition, 2drunk2hack and many other contests have been decided, important talks have been given and entertaining hands-on labs held. Fifteen PHDays Everywhere hackspaces in four countries hosted events that were no less interesting. Keep track of our news and our Twitter account @phdays.
Today we present the most remarkable ideas expressed during the key discussions on May 22.
Who Owns the Internet?
Leading information security experts, Internet industry leaders and representatives of the Ministry of Foreign Affairs and the Federation Council met during the section Government and Information Security at Positive Hack Days IV on May 22 to discuss such burning problems as global surveillance, weak points of the Internet, methods of controlling the Web, and so on.
Boris Vasilyev, a representative of the Ministry of Foreign Affairs, criticized the Budapest Convention on the Internet Control developed by the USA for the Council of Europe. Paragraph B of its article 32 permits the monitoring of information systems, including closed ones, without any notification of their owners. Therefore, the 35 countries that signed this Convention literally agreed to be monitored and exposed their citizens to surveillance as well.
"Every country has the right of sovereignty in its information space," specified Boris Vasilyev. Russia is among the developers of the international private data protection law that is meant to ensure such an approach. However, the law has its opponents, who resist any international control over the Internet. They believe the Internet belongs to everybody and to nobody at the same time.
Achilles' Heel
Andrey Kolesnikov, Head of the Coordination Center for TLD RU, continued the topic of international regulation and noted that the Internet was too robust to be broken, but it had its Achilles' heel: the point where technical control meets information security. His question to the audience was a tricky one: what would happen to the Internet if a court officer came to VeriSign engineers with a warrant to disconnect, for example, Iran's domain?
Laws to Fear
Lyudmila Bokova, a member of the Federation Council and Chairman of the Provisional Commission for the Development of Information Society, commented on the thorniest question: regulation of the Internet in Russia and recent legislative initiatives (a ban on hosting government websites abroad, a requirement for bloggers with an audience of 3,000 to register, etc.). She pointed out that the law concerned blogs with an audience of more than 3,000 readers per day, and that this was just one of the criteria for registering them. Moreover, the procedure for creating such a register would be developed in the near future.
However, according to Andrey Kolesnikov, it is not this law on bloggers that should be feared, but a recently announced initiative that proposes a three-level model for the Runet, restrictions on cross-border data transfer and the relocation of DNS servers to the territory of the Russian Federation. He believes such a configuration would isolate Russia along its information perimeter.
Hygienic Differences
Leonid Filatov, Head of OpenStat, touched upon the personal data that users provide to websites. He noted that in Russia only 6 out of 40 companies that deploy user data collection tools have adopted a personal data policy. In other words, such companies take no responsibility for securing personal information. In Europe, they at least ask users for permission to set cookies. "Simple hygienic rules hardly work on our network," Filatov stated.
Unscrupulous actors exploit gaps in the law and poor online hygiene to sell personal data, track users and run dishonest election campaigns using cyberweapons. Evgeny Venedictov, a representative of the press center of the Liberal Democratic Party of Russia, reported how much DDoS, MITM and flood attacks, hacked email accounts and other hacking services cost according to a "price list" he had once received from a "specialist" offering such services.
The discussion also touched upon the education of citizens. The participants voiced their hope that lawmakers would cooperate with information security experts more often.
Direct speech:
"Lawmakers often seem too shy to ask specialists how the Internet works," one of the participants commented.
Why Do TV Sets Draw Hackers' Attention?
"Modern TV sets are equipped with web cameras and microphones. Smart TV is getting very popular," stated Luigi Auriemma and Donato Ferrante, well-known information security experts. "The attack scale can turn out to be very wide." An attacker who has compromised, for instance, the Smart TV in a meeting room can eavesdrop on and watch the people in it. Moreover, the bidirectional channel allows for MITM attacks that can be used to feed the audience particular content. It is evident that Smart TV software is insecure and its security updates arrive late: while a browser vulnerability can be fixed within a day, TV vendors are not always that quick.
Threats 3.0 and Internet of Things
Another section dealt with threat forecasting. Its participants discussed the new dangers to business and users hidden within "smart things" able to connect to the Internet. Data collected by fridges and toasters can be used against you: new cars connected to the Web can give away their location, and air conditioners controlled via a phone can leave a rival's employees freezing. Data on energy consumption will reveal when someone is at home.
What about Convenient and Secure Apps?
Anna Armarchuk, an analyst and specialist in antifraud systems at Yandex.Money, believes the conflict between ergonomics and security cannot be resolved; instead, risks must be kept at an acceptable level at which the business makes a profit and clients are satisfied with the service. During the section AppSec: From Mail to E-Government Portals she explained how to avoid cybercriminals and what a good antifraud system looks like.
As a rule, victims of attacks against Yandex.Money did not use OTP or antivirus software, disclosed codes received by SMS, kept keys in hacked accounts or lost their cellphones. To detect fraud, a good antifraud system should register new data (devices, locations and the like), block suspicious transactions and lock the accounts of a possible victim. Yandex.Money participates in the Bug Bounty Program initiated by Yandex and carries out load testing on a regular basis.
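To make the three duties named above concrete (register new data, block suspicious transactions, lock a possible victim's account), here is an added illustrative example that is not Yandex.Money's code or anything presented at the talk. It scores each payment against a small per-account profile: a previously unseen device or country, a large amount, a missing OTP and a burst of payments in a short window each add to the score, and the decision is "allow", "review" or "block". The account names, thresholds, weights and the eight sample transactions are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

@dataclass
class Transaction:
    account: str
    amount: float
    device_id: str
    ip_country: str
    ts: datetime
    otp_used: bool

@dataclass
class AccountProfile:
    """What the system has 'registered' about an account so far."""
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    recent: List[datetime] = field(default_factory=list)
    blocked: bool = False

# Hypothetical tuning values; a real system derives these from its own loss data.
HIGH_AMOUNT = 50_000.0
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3
BLOCK_SCORE = 60
REVIEW_SCORE = 30

def score_transaction(profile: AccountProfile, tx: Transaction) -> Tuple[int, List[str]]:
    """Return a risk score plus the human-readable reasons behind it."""
    if profile.blocked:
        return 100, ["account already blocked"]
    score, reasons = 0, []
    # Only flag "new" device/country once we have a baseline for the account.
    if profile.known_devices and tx.device_id not in profile.known_devices:
        score += 30; reasons.append("new device")
    if profile.known_countries and tx.ip_country not in profile.known_countries:
        score += 30; reasons.append("new country")
    if tx.amount >= HIGH_AMOUNT:
        score += 20; reasons.append("high amount")
    if not tx.otp_used:
        score += 10; reasons.append("no OTP")
    burst = [t for t in profile.recent if tx.ts - t <= VELOCITY_WINDOW]
    if len(burst) >= VELOCITY_LIMIT:
        score += 25; reasons.append("velocity")
    return score, reasons

def process(profiles: Dict[str, AccountProfile], tx: Transaction) -> Tuple[str, int, List[str]]:
    """Score one transaction, decide on it, and update the account profile."""
    profile = profiles.setdefault(tx.account, AccountProfile())
    score, reasons = score_transaction(profile, tx)
    if score >= BLOCK_SCORE:
        decision = "block"
        profile.blocked = True          # lock the possible victim's account
    elif score >= REVIEW_SCORE:
        decision = "review"
    else:
        decision = "allow"
    # Register new data only from transactions we actually let through, so an
    # attacker's device/country never becomes part of the trusted baseline.
    if decision == "allow":
        profile.known_devices.add(tx.device_id)
        profile.known_countries.add(tx.ip_country)
    profile.recent.append(tx.ts)
    return decision, score, reasons

def run_sample() -> List[Tuple[str, str, int]]:
    """Replay constructed sample traffic and return (account, decision, score) per transaction."""
    t0 = datetime(2014, 5, 22, 10, 0)
    sample = [  # constructed data, not real payments
        Transaction("alice", 1_500.0, "dev-a1", "RU", t0, True),
        Transaction("alice", 2_000.0, "dev-a1", "RU", t0 + timedelta(hours=1), True),
        Transaction("alice", 70_000.0, "dev-x9", "BR", t0 + timedelta(hours=2), False),
        Transaction("alice", 100.0, "dev-a1", "RU", t0 + timedelta(hours=2, minutes=1), True),
        Transaction("bob", 500.0, "dev-b1", "RU", t0, True),
        Transaction("bob", 500.0, "dev-b1", "RU", t0 + timedelta(minutes=1), True),
        Transaction("bob", 500.0, "dev-b1", "RU", t0 + timedelta(minutes=2), True),
        Transaction("bob", 500.0, "dev-b1", "RU", t0 + timedelta(minutes=3), False),
    ]
    profiles: Dict[str, AccountProfile] = {}
    results = []
    for tx in sample:
        decision, score, reasons = process(profiles, tx)
        results.append((tx.account, decision, score))
        print(f"{tx.account:6} {tx.amount:>9.2f} {decision:7} score={score:3} {reasons}")
    return results

if __name__ == "__main__":
    run_sample()
```

In the sample, alice's third payment (new device, new country, large amount, no OTP) is blocked and locks the account, so even her legitimate-looking fourth payment is rejected until someone reviews it; bob's fourth payment within three minutes is only sent to review because velocity alone stays under the block threshold. Learning the baseline solely from allowed transactions is the design choice worth copying: it is what keeps a compromised session from "registering" the attacker's device as trusted.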
Hammer Against MacBook
Vladimir Dubrovin, Head of Testing Group at Mail.Ru, spoke about bug bounties as well. He described the program on hackerone.com, which had been launched to help improve the security of their own and partners' projects, from a flash card with funny cats to email. Mail.Ru offered a prize (a MacBook Air) for the best vulnerability found and promised to hammer it to pieces if nobody found a real bug. News on this tearful conflict is coming soon!
Nice Abbreviations and Secure Development
The whole world is actively promoting SDDL (Secure Software Development Lifecycle) systems, which help create secure code and promise to minimize various risks, from hacked applications to car riots. Andrey Bershadsky, a lead expert at Positive Technologies, is confident that SDDL cannot solve all the problems. "You cannot use an out-of-the-box workflow system right away. You must create custom modules and adjust other elements to meet your business requirements; it drives you into the arms of your own or third-party developers. However, security is not a key point for them — if you ignore it, it won't affect the deadline or ruin the project. Functionality is of primary concern."
What Happens to "Black Hats"?
Ilya Sachkov, General Director of Group-IB, a company engaged in cybercrime investigation, spoke about the arrest of the developer of Blackhole (a notorious set of utilities and scripts used to exploit vulnerabilities). According to the investigators, the owner spent hundreds of thousands of dollars buying specific exploits for his collection.
Direct speech:
"Black hacking may seem just a game," Ilya Sachkov noted. "However, people responsible for the project's funds take you in their hands, bring you probably somewhere to Dagestan; your life and psyche get broken; and with your reputation damaged, you won't be able to leave this country. You will either work for some criminals or, if you're lucky enough, for government bodies for the rest of your life."
Competitive Intelligence: Cyberluck Soldiers
"A part of industrial espionage, competitive intelligence appeared almost 25 years ago," was how Andrey Masalovich opened his talk "Life After Snowden. Modern Tools of Internet Intelligence". Competitive intelligence is the collection and processing of information from open sources within the law and ethical norms. It serves to support and improve the competitive ability of a commercial organization. Cyberscouts can earn 1,000 Euro per day, but they must stick to strict rules: the security services of the most powerful countries fight them for control over cyberspace. Andrey spoke about anonymization techniques that allow getting rid of the main identifiers, of which an ordinary Internet user has at least fifty. He also touched upon the Multipeer Connectivity Framework in Apple iOS 7, which enables a WMN (a network in which the Internet is made up of radio nodes without cell towers).
All the reports recorded during the second day of Positive Hack Days IV are available at the address: http://www.phdays.ru/broadcast/#2