As you might have guessed from my recent blogs, I have a bit of a security orientation with the work I do. Personally, I find the subject to be both interesting and important, especially given the rapid advancement of the kinds of collaboration technologies that PointBridge specializes in. And its not just the technical advancements, but the changing social dynamics and expectations with information sharing that, in my opinion, greatly increases the importance of this conversation.
That’s why I was interested to see one of the keynote addresses at last week’s ChicagoCon to be “Social Engineering”. Marc Rogers’ presentation covered a diversity of subjects ranging from why “Social Engineering” is such a bad term for Information Security (agreed), to the nature of trust in online social networks, to the evolution of the next wave of threats (often described as “Social Malware”). It was particularly sobering when Mr. Rogers cited some studies that show the vast majority of information security and compliance training simply doesn’t work. Theories exist that suggest said training just doesn’t deal enough with personal consequences or address bad habits, which can’t be changed with just training. Few good answers or remedies exist. Much more research needs to be done.
And it needs to be done quickly. The following presentation showed the latest and greatest Meatsploit goodies that can be used to completely hijack PCs. And we’re not talking about hacking Windows here. We’re talking about using known vulnerabilities in a multitude of applications including (of course) Adobe PDF and Microsoft Word / PowerPoint (to name a few) files. And I swear these exploits are subtle and scary. All that is required is an unpatched application (how many of you make sure you have the latest, greatest version of Adobe Flash on your computer? Did you know there recently was a major security hole in PowerPoint 2009?), and a convincing email to get you to “click that link”. Or alternately “open that attachment”. This is why its critical for all IT organizations to ensure all applications on desktops are fully patched. Patching Windows is simply not good enough. And if you allow users to install their own software according to their own whims? Well, let’s just say your askin’ for it.
The last presentation was probably the most entertaining. Craig Heffner and Derek Yap from SourceSec gave a great presentation on hacking home wireless routers. In one case, Craig showed how one can defeat Wi-Fi Protected Setup (WPS) with a pack of gum:
Cross Site Request Forgery and anti-DNS pinning were both attack modes that were discussed in good detail. Protecting your home WiFi router certainly isn’t something folks lose sleep over, but since WiFi is so ubiquitous these days, this kind of research is important. I highly recommend you check out their slide deck here.
All in all, I found this to be an excellent conference with lots of great information presented with very little pomp and fanfare. Application developers, security professionals, and managers at any level (not just IT) would benefit greatly by attending this event.
