At Okta’s experimental security event, Disclosure, leading researchers and figures from the cybersecurity world joined forces to explore the current cyber landscape, from hacking IoT devices to how the CTI League is helping businesses defend against malicious attackers amid the rise of politically and financially motivated attacks.
Marc Rogers, VP of CyberSecurity at Okta: On IoT and Hardware Security
White hat hacker and Executive Director of Cybersecurity at Okta, Marc Rogers, described and demonstrated how vulnerable IoT devices are to attack and highlighted the “need to pay attention.” He explained how easily accessible hardware is and how “devastatingly effective” attacks on it are. Rogers explained: “The IoT ecosystem is littered with old vulnerable technology. Hardware flaws don’t go away. They sit, waiting, watching.”
Rogers described a hackathon he set for himself only a couple of weeks earlier: 3 days to pwn 12 devices, such as home routers and card access readers. He pwned 10 devices fully and 2 partially, and most of them fell in 5 minutes or less, showing how easily hackable such hardware is. Rogers noted that “Getting access is easy, we need to harden firmware everywhere.”
Marc also explained how easy it is to get firmware from the manufacturers themselves. He noted, “A key part of the 2015 Tesla hack required them to get firmware from Tesla. You must protect firmware, it’s your firmware, your secrets… We must stop thinking in terms of single devices. If I can buy just 6, your physical defences are meaningless after the first teardown. If your device contains secrets or IP shared across many then loss of one is loss of all.”
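The “loss of one is loss of all” point above is a key-provisioning design choice, and it can be made concrete with a small simulation. The code below is an added example written for this summary, not code from Rogers’ talk or from Okta, and it assumes a simple HMAC challenge-response scheme between a device and its backend. It compares a fleet that shares one authentication key with a fleet whose per-device keys are derived from a root key that never leaves the provisioning system. In each case an attacker is modelled as having pulled the key out of the first reader in a teardown; the function reports which fleet members that extracted key can impersonate. Device IDs are constructed placeholders, and the single-step HMAC derivation stands in for a proper KDF such as HKDF-Expand.

```python
import hashlib
import hmac
import os

# Constructed sample fleet of card readers (placeholder IDs, not real hardware).
FLEET = [b"reader-0001", b"reader-0002", b"reader-0003"]


def derive_device_key(root_key: bytes, device_id: bytes) -> bytes:
    """Per-device key: root key plus a labelled device identity.

    The root key stays with the provisioning system (assumed: an HSM);
    only the derived key is burned into each device. HMAC-SHA256 with a
    label acts as a one-step KDF here; production code would use HKDF.
    """
    return hmac.new(root_key, b"device-auth-v1|" + device_id, hashlib.sha256).digest()


def device_respond(device_key: bytes, device_id: bytes, challenge: bytes) -> bytes:
    """What the firmware computes when the backend sends a challenge."""
    return hmac.new(device_key, device_id + b"|" + challenge, hashlib.sha256).digest()


def backend_verify(expected_key: bytes, device_id: bytes, challenge: bytes, tag: bytes) -> bool:
    """Backend check: recompute the tag with the key it expects for this device."""
    expected = device_respond(expected_key, device_id, challenge)
    return hmac.compare_digest(expected, tag)


def blast_radius(extracted_key: bytes, key_for_device, challenge: bytes) -> list:
    """Which fleet members can an attacker holding `extracted_key` impersonate?

    `key_for_device` is the backend's view of the correct key for each device.
    """
    return [
        dev
        for dev in FLEET
        if backend_verify(key_for_device(dev), dev, challenge,
                          device_respond(extracted_key, dev, challenge))
    ]


def compare_designs(root_key: bytes = None, shared_key: bytes = None,
                    challenge: bytes = None) -> dict:
    """Model a teardown of FLEET[0] under both provisioning designs."""
    root_key = root_key or os.urandom(32)
    shared_key = shared_key or os.urandom(32)
    challenge = challenge or os.urandom(16)

    # Design A: every device carries the same key, so the teardown yields it directly.
    shared_extracted = shared_key
    # Design B: the teardown yields only reader-0001's derived key.
    per_device_extracted = derive_device_key(root_key, FLEET[0])

    return {
        "shared": blast_radius(shared_extracted, lambda dev: shared_key, challenge),
        "per_device": blast_radius(
            per_device_extracted,
            lambda dev: derive_device_key(root_key, dev),
            challenge,
        ),
    }


if __name__ == "__main__":
    result = compare_designs()
    print("shared key   -> impersonable:", [d.decode() for d in result["shared"]])
    print("per-device   -> impersonable:", [d.decode() for d in result["per_device"]])
```

With a shared key the first teardown compromises the whole fleet; with per-device derivation the damage stops at the one device that was opened, which the backend can then revoke individually. The same reasoning applies to any secret baked into firmware that is common across units, which is why firmware images themselves need to be protected as Rogers describes.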
Some further key quotes from The Grugq, Sara-Jayne “SJ” Terp and Samy Kamkar at Disclosure can be found below:
The Grugq on Cybercraft: The maturation of cyber & cyberwarfare into the political arena
The Grugq’s talk described strategic cyber warfare: great power conflict viewed from a strategic level that includes cyber, and cyber operations viewed through the prism of that great power contest. Under this lens, individual cyber operations are less interesting in themselves; what matters is how they advance strategic objectives. Cyber operations can now achieve results typically reserved for kinetic warfare.
On cyber warfare: “The thing about cyber warfare is it’s Calvinball and the only thing is you don’t play it the same way twice. Once people have seen what they’re going to do, they’ll change it up to maintain a level of surprise and initiative.”
On BTS’s cyber power: “Cyber power is similar to state power but you don’t need to be a state to have it. It’s not the exclusive domain of states. There’s a lot of non-states which now have more power than states. One of them is the K Pop band, BTS. [Its following of] 40 to 50 million people are devoted, they’re tech savvy and they will participate in actions when they’re directed to… It means cyber power now belongs to a K Pop band.”
On cyber-terrain: “Most of the elements of society, these load bearing sections, are all dependent on cyber… Social networks, communications, the arts, all of that is cyber. Now we’ve moved into an era where private politics, private networks and cosmic giants move outside of the state surveillance cone. Cyber terrain is more important in everyday life, and it’s not controlled by states.”
Sara-Jayne Terp, Head of Disinformation at the CTI League: On the maturation of disinformation, the emergence of tools to counter it, and the availability of disinformation as a service
Sara discussed how, with companies now providing disinformation as a service (DaaS) and the US election coming up in November, we need to prepare our disinformation defences now more than ever. She spoke about how the CTI League set up and ran a real-time disinformation threat intelligence team inside a larger information security response, covering tools, processes, data science support, and how to keep the team sane whilst reading dangerous material.
On the evolution of #WeWontStayHome: “This was interesting because the anti lockdown campaigns were part of the wider health incidents. This was a small incident but like many others, this spread across states… It’s good to see people not sitting admiring the problem anymore. It’s been a great year for countermeasures.”
On cognitive security: “In 2020, cognitive security is real now. We’ve stopped admiring it, it’s a real thing. It’s this idea of brains as end points, human beings as part of the networks. Thousand point solutions into a thousand point problem. We need to build an ecosystem. It’s not just big players, we need lots of different groups, lots of different scales and we need to connect them… You have to think about privacy, sharing mechanisms and standards.”
On AI: “We can’t do it fast enough with humans. We’re using graph analysis, text analysis and cluster images. It’s not just about speed, it’s also about exposure, a lot of this material, even if you’re expecting it, can be difficult to keep reading and watching. A big part of the process manual is safety and that’s part of the process. We’re just trying this stuff out.”
Samy Kamkar, Cofounder of Openpath Security: On the Future of Exploitation
“Now we have all sorts of more secure technology, more secure hardware, on our personal devices. There’s lots of security devices that have come out. Some have been broken, some are still improving, but there’s always going to be a cat and mouse when we’re talking about security.”