Bsides Wellington 2017: Better understanding “our fellow flesh friends”, for better security outcomes

Last week the inaugural Bsides Wellington was held, an infosec (information security) conference which brings together information security specialists, hobbyists, and policy nerds who are trying to fit in. I went along as an infosec outsider but was never made to feel that way, and instead, I got to join in on the discussion, and use as many bee puns as anyone else. Here are a few highlights from me. 

photo of Bsides programme


Infosec as an outsider

Information security, hacking, and *cyber* things are often shrouded in mystery to the average internet user/human person. They are concepts that are alien and removed from most people’s daily lives, and the barrier to entry to having information security conversations is high, because the first step is admitting that you have a terrible password, and you use it everywhere. But my takeaway from Bsides is that information security is about people. It is about knowing how people think, seeing how other people abuse that knowledge, and figuring out good, bad, and interesting responses.


Social engineering

Hacking seems to be about 20% technical skill, and 80% knowing how to manipulate someone into revealing their password. If you’re like most of us online, the amount of personal information you share may be enough for anyone to crack into your accounts. ‘Operation Luigi’ was a fantastic talk about how “Alex” used social engineering to hack into his friend’s online life (with their permission). James has written about this more here: https://internetnz.nz/blog/checking-out-chcon

BSides was a reminder that the weakest point in any security system is YOU, and that we all need to consider our vulnerability to phishing and password breaches. Security experts showed examples of fake login pages and said: “I’d fall for that”. As one response, InternetNZ encourages everyone to use multifactor authentication wherever possible. CERTNZ has more info on how to activate this here.


Integrating security principles into everything we do and make online

photo of Designing for Security presentation

Photo: Katie McLaughlin 

People online and elsewhere are going about their lives, doing what they want to do. Security advice often seems to add barriers that interfere with that. Serena Chen’s talk “design for security” made the point that security should be about helping people to do what they want to do safely. Bad security design can put up walls that people want to go around or jump over, like pop-ups that interrupt what you’re doing. Users learn to “just click OK” to get on with what they are doing. The result is to annoy people and increase security risks.

Good security design helps people get where they want to go, in a way that makes sense to them. We could compare this with a comfortable handrail, which people want to use for guidance and support, and which also protects them from falling. If you understand what people want to do, then you can enable that while preventing other, perhaps suspicious activity. Building that understanding of users is key.

Full presentation: https://speakerdeck.com/heisenburger/design-for-security-bsides-wellington-2017


Using Emoji to bring the internet to its (bees) knees

Katie McLaughlin opened our eyes to the trouble emojis can cause to systems that aren’t built for them. Emoji are built slightly differently from normal characters, and different operating systems can choose how they look on your phone or computer:


bee emoji in iOS, Android, and Windows 10


Credit and full presentation: http://glasnt.com/talks/2017_11_BSidesWLG/#/

Katie has a habit of testing emojis on any computer she finds as a way to discover vulnerabilities, like old software versions and lack of security updates. We’ve linked to her talk above.
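As an added illustration (my own code, not from Katie’s talk or the original post), here is why one bee emoji can trip up a system that counts “characters” the wrong way, and a small hypothetical helper that trims text to a byte budget without corrupting it:

```python
# Added example: how a single emoji is counted under different rules, and why
# byte-oriented truncation corrupts it. BEE, the helper names and the sample
# strings are all my own constructions, not from the talk.

BEE = "\U0001F41D"  # U+1F41D HONEYBEE, one code point


def encoding_lengths(text: str) -> dict:
    """How long `text` is under three common counting rules.

    A length check written for one rule (e.g. a 3-character limit in
    code points) silently disagrees with storage written for another
    (a 3-byte column), which is the kind of mismatch emoji expose.
    """
    return {
        "code_points": len(text),
        "utf8_bytes": len(text.encode("utf-8")),
        "utf16_units": len(text.encode("utf-16-le")) // 2,
    }


def naive_truncate_bytes(text: str, max_bytes: int) -> bytes:
    """What a byte-oriented system often does: cut UTF-8 at a fixed byte count."""
    return text.encode("utf-8")[:max_bytes]


def is_valid_utf8(data: bytes) -> bool:
    """True if `data` decodes cleanly; a split emoji does not."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def safe_truncate(text: str, max_bytes: int) -> str:
    """Trim to at most `max_bytes` of UTF-8 without splitting a code point."""
    encoded = text.encode("utf-8")
    if len(encoded) <= max_bytes:
        return text
    cut = max_bytes
    # UTF-8 continuation bytes look like 10xxxxxx; back up until we are
    # positioned at the first byte of a code point.
    while cut > 0 and (encoded[cut] & 0xC0) == 0x80:
        cut -= 1
    return encoded[:cut].decode("utf-8")
```

Run it on `"bee" + BEE` with a 5-byte budget: the naive cut leaves invalid UTF-8, while `safe_truncate` drops the whole emoji and returns `"bee"`.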


Diversity, inclusion and taking care of yourself

Bsides was organized by a dedicated team with inclusion and diversity at the heart of what they set out to do, so the conference had a mix ranging from technical talks (with live demos in the terminal) to more accessible talks about how social engineering works, and introspective sessions about the information security community and the personal difficulties infosec people face, like overcoming imposter syndrome, and mental health and burnout in a high-pressure environment.

As someone who exists on the edges of the information security community, I am always kept on my toes at conferences like this one, but the event was welcoming, and I learnt a lot, including how alarmingly easy it is to create a network of troll accounts on Twitter and Facebook to make (robot) friends and influence (real) people. Which sounds like a good topic for a future blog post…