Same Mistakes Again
The other common reaction to the discovery of new threats is to build something newer and, supposedly, more secure. Tempting, but another trend clearly visible at Black Hat was how often the focus on new technology distracts developers enough that they fail to apply the lessons they should have learnt from past mistakes. Old-style electricity meters, for example, did nothing but go round and round reliably and presented little or no exposure to remote attack, but the smart grid being rolled out in Miami, said Tony Flick of FYRM Associates, is being designed without sufficient attention to security.
"We're repeating history," he said. "We're making the same mistakes as past technology initiatives." Too much self-regulation, too little direction from the National Institute of Standards and Technology (NIST) on what kind of authentication is necessary. "There is," he concluded, "a missed opportunity to integrate security from the beginning."
More than that, much of what we've seen on desktop computers seems likely to be replayed, in one form or another, on mobile phones. Desktops are the easiest targets right now, but that situation, said Flexilis Mobile Security's Kevin Mahaffey, "is changing quickly." Easy is, of course, a relative term: there was nothing very easy about Dino Dai Zovi's Mac OS X rootkit. But that presentation was a good reminder that it may only be an accident of market share that Macs have not attracted more attacks.
Similarly with mobile phones: their ease of use for consumers and their relative immunity from visible attacks so far may have created more trust in them than is warranted. And they will become much more attractive targets as they turn into payment mechanisms and hence become more valuable to attackers. "Send a packet, and money goes flying," Mahaffey said. "Never in the history of the Internet could you send a single packet and money goes." What more could a cyber criminal want?
Of all devices, mobile phones are the ones you'd think were closest to being locked down the way Lentz would like. And yet in presenting Fuzzit, a fuzzer for mobile phone testing, Mahaffey and his colleagues Anthony Lineberry and John Hering made the point that phones are getting easier and easier to attack. The many custom operating systems of the analogue days have been replaced by a handful of commodity operating systems, such as Windows Mobile and Linux. Those 17 million iPhones are even more of a monoculture than Windows desktops, since users have few configuration and customisation options. Patches take months to agree and apply because changes have to go through the quality assurance cycles of 133 carriers, as well as the manufacturer's own procedures.
Plus, they said, "There are so many more developers for mobile now – and many are first-time developers and not necessarily cognisant of secure coding practices." Or even of secure discussion practices: the trio noted they had found out about several bugs by monitoring Twitter and reverse-engineering the research they saw discussed there. (Twitter itself won a Pwnie Award for "Most Epic FAIL" after its internal documents were copied out of the cloud and onto TechCrunch.)
The real question for everyone, though, is how to get security consciousness – that habit of mind – widely deployed. As the incentives for cyber crime continue to grow, and technology continues to penetrate infrastructure that was formerly safely disconnected, the risk for each of us keeps growing. Security is to technology what the health service is to humans: a potentially ever-escalating cost centre.