Infosec 2014: No win, no break even, no escape

The three laws of thermodynamics, in their popular summary “you can’t win, you can’t even break even, and you can’t even get out of the game”, apply equally to defending against hackers: an attacker only has to succeed once, and access to a single piece of data is enough for you to have lost, consultant Dan Klein told the AusCERT 2014 conference.

Klein, who describes himself as a curmudgeon, has worked for some of the largest companies in the world and is currently at Google.

He started his plenary talk with the customary disclaimer given by many senior executives: that the presentation represents his own plans for global domination and not those of his employers, past or present.

Klein told the audience that in 1989 he wrote a paper on password security that showed how insecure passwords really were and how easily they could be cracked. Twenty-five years on, he said, he is still seeing the same issues.

“We have distributed cracking systems and there are still articles on how to choose good passwords. Why is this?” he asked.

All of this is against a backdrop of massive systems breaches such as Mt. Gox, an over-the-air exploit of the Samsung Galaxy smartphone and numerous other publicised breaches. DDoS attacks were up 50 per cent in 2013, and there was the recent Internet Explorer flaw that affected every version from 6 to the current release.

Data mobility has made data losses inevitable and almost impossible to stop. With microSD cards the size of a fingernail capable of holding dozens of gigabytes of data, it is almost impossible to even physically screen people for data they might be carrying. Klein referenced Edward Snowden, who exfiltrated data from secured locations on portable USB devices.

One of the key issues, Klein pointed out, is there are “tonnes of bugs” out there.

“The problem we are talking about is why are all these bugs there? Why aren’t they checked for?” he asked.

“There’s an aphorism in the security business,” said Klein. “Many eyes make all bugs shallow.”

But that has not always been the case. The recent goto fail bug in Apple’s SSL libraries, Heartbleed and the 25-year-old readdir() bug in BSD were bugs in code that had been around for a long time and had been viewed by hundreds, if not thousands, of developers.

“I taught a secure programming class in one of my tours of Australia about 10 years ago,” Klein told the audience. “While I was teaching this class in Hobart I said ‘Wait a minute, there’s a bug’. All of the students who had looked at this code [over the many years it was used in courses] had looked at this code and not seen the bug.”

This was in a secure programming course, he said.

The problem, he said, is a failure in the way code is written and tested: static and dynamic analysis need to be carried out, code needs to be audited, and developers need to use safer programming languages. He also stressed the importance of simplifying code.

Part of the problem is that important pieces of code are changed rapidly, by many developers over a short period of time, particularly in the open source world.

“When you look at the Heartbleed bug, and you look at the SSL code, it’s incomprehensible, uncommented and untested. There are no unit tests. Why aren’t the tests there before the code is released?”

While testing adds time to the development and release process, Klein said that it is what makes software good, secure and safe. It will not eliminate every bug or problem, but it will reduce their number and severity.
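To make the testing argument concrete, here is an added C illustration that is not code from the talk, from Apple, or from any project the article mentions. It reproduces the shape of the goto fail control-flow bug (a duplicated, unbraced `goto fail;` that turns the signature comparison into dead code) beside a hardened form, and supplies the negative test that would have caught it before release: a forged tag must be rejected. The "signature" is a constructed stand-in (32-bit FNV-1a carried as a 4-byte tag) and the message is a constructed sample; only the control flow is the point.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the signature step: 32-bit FNV-1a over the message,
 * carried as a 4-byte big-endian tag. Not a real MAC; the file is about the
 * control flow around the check, not the primitive. */
static uint32_t fnv1a32(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

void make_tag(const uint8_t *msg, size_t n, uint8_t out[4])
{
    uint32_t h = fnv1a32(msg, n);
    out[0] = (uint8_t)(h >> 24); out[1] = (uint8_t)(h >> 16);
    out[2] = (uint8_t)(h >> 8);  out[3] = (uint8_t)h;
}

/* Each step returns 0 on success and nonzero on failure, the convention the
 * SSL code Klein refers to also follows. */
static int check_lengths(size_t msg_len, size_t tag_len)
{
    return (msg_len == 0 || tag_len != 4) ? -1 : 0;
}

static int compute_tag(const uint8_t *msg, size_t n, uint32_t *out)
{
    if (msg == NULL) return -1;
    *out = fnv1a32(msg, n);
    return 0;
}

static int compare_tags(uint32_t computed, const uint8_t tag[4])
{
    uint32_t claimed = ((uint32_t)tag[0] << 24) | ((uint32_t)tag[1] << 16)
                     | ((uint32_t)tag[2] << 8)  |  (uint32_t)tag[3];
    return (computed == claimed) ? 0 : -1;   /* not constant-time; illustrative */
}

/* The goto fail shape: the second, indented `goto fail;` is unconditional, so
 * compare_tags() is never reached and err still holds the 0 from compute_tag(). */
int verify_flawed(const uint8_t *msg, size_t msg_len, const uint8_t *tag, size_t tag_len)
{
    int err;
    uint32_t computed = 0;

    if ((err = check_lengths(msg_len, tag_len)) != 0)
        goto fail;
    if ((err = compute_tag(msg, msg_len, &computed)) != 0)
        goto fail;
        goto fail;                     /* BUG: always taken, err == 0 here */
    if ((err = compare_tags(computed, tag)) != 0)
        goto fail;
fail:
    return err;                        /* 0 means "verified", even for a forged tag */
}

/* Hardened form: braces on every conditional so indentation cannot lie, and
 * err starts as failure so an accidentally skipped step fails closed. */
int verify_fixed(const uint8_t *msg, size_t msg_len, const uint8_t *tag, size_t tag_len)
{
    int err = -1;
    uint32_t computed = 0;

    if (check_lengths(msg_len, tag_len) != 0)      { goto fail; }
    if (compute_tag(msg, msg_len, &computed) != 0) { goto fail; }
    if (compare_tags(computed, tag) != 0)          { goto fail; }
    err = 0;                           /* reachable only after every check passed */
fail:
    return err;
}

/* Constructed test vector plus the negative test Klein was asking for: flip one
 * bit of the genuine tag and the verifier must say no. */
static const uint8_t DEMO_MSG[] = "ServerKeyExchange: constructed sample";
#define DEMO_LEN (sizeof DEMO_MSG - 1)

int verify_demo(int use_fixed, int forge)
{
    uint8_t tag[4];
    make_tag(DEMO_MSG, DEMO_LEN, tag);
    if (forge) tag[0] ^= 0x80;
    return use_fixed ? verify_fixed(DEMO_MSG, DEMO_LEN, tag, 4)
                     : verify_flawed(DEMO_MSG, DEMO_LEN, tag, 4);
}

int main(void)
{
    printf("flawed: genuine=%d forged=%d\n", verify_demo(0, 0), verify_demo(0, 1));
    printf("fixed:  genuine=%d forged=%d\n", verify_demo(1, 0), verify_demo(1, 1));
    return 0;
}
```

The flawed verifier still rejects a malformed tag length, so a test suite that only feeds it good inputs and malformed inputs passes; the one case that exposes the bug is a well-formed but wrong tag, which is exactly the case an attacker supplies.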

For this to happen, Klein suggested that developers will need to make significant changes to the way they work. Or, in Darwinian terms, they need to adapt or die.

There are some positives in the recent issues faced by the infosec industry, with both Heartbleed and Snowden’s leaks serving as important warnings, he said. He expects things to get worse as we deal with the balancing act between security and openness.

Klein’s view is that enormous volumes of data are being generated and collected, and that data needs to be made open and accessible. The challenges will not be around restricting access but around ensuring the integrity of data and protecting personally identifiable information. This will usher in an era where the discussion is about trustworthiness and the goal is knowledge.


Stories by Anthony Caruana
