Last week I headed to Christchurch, joining a friendly group of about 100 at the CHCon conference "for security professionals and hackers". That might sound a little scary: in news and other media, hackers are bad people in black hoodies, attacking and breaking things through near-magical computer powers. By contrast, the crowd at CHCon were friendly, warm, and very keen on learning.
Through the talks, and other events, the main theme was applied curiosity. Like tricksy genies, computers and other systems do what we tell them, sometimes instead of what we want them to do.
People working in security try to understand this tricksiness from all sides: how things work, how to break them, how to make them better. People on "red teams" explore how to get into systems, revealing weaknesses and how things break. People on "blue teams" work to address problems and improve security, including preventing and detecting intruders.
Testing things we rely on
As set out below, talks at CHCon covered a range of perspectives, topics, and experience levels.
Testing websites we give our information to
"Pizza roulette", awarded best talk, was the learning journey of software testers Catherine and Fiona. New to security, they looked at pizza-ordering websites, poking around to find potential problems.
Getting people to do things
Getting people to do things, or "social engineering", is a key skill for children and parents, for people in business, and also for security testers. In the story of a physical security test, we heard how the speakers applied a combination of advance research, hanging around, and asking for help. This got them an access card. Later they got into the access card cupboard, got the manual for staff electronic lockers, and by applying a default override code, got the key which let them into the client’s server room.
Applied social awkwardness was a key technique. If a new person is hanging around and looking busy, we might all assume someone knows who they are. I really liked the constructive way this was all presented. The goal was not to blame anyone or make people paranoid and uncooperative. Better security can just be about asking good questions, without losing the helpfulness and trust we all rely on to get things done.
Bug bounties offer a reward, often money, for people who find new security risks in products and services. This helps companies test their security, getting information to address risks and frustrate potential attackers. A few talks shared stories from people getting started doing this, including the potentially expensive option of buying and testing hardware like smart cameras and game devices.
The password lottery
Passwords are the keys to lots of things we care about: our email, our bank accounts, our social media and more. They are also a pain to manage, which means people often reuse passwords, write them on post-it notes, or pick ones which are really easy to guess.
Large leaks of user data, including passwords, were a big theme at CHCon. In the final talk "Alex" (also his actual name) told us how, with permission, he hacked into a friend’s online life.
His first move was joining the dots by searching through data leaks. The 2013 Tumblr leak included her email, but didn’t show her password. It did show that 20 other users had exactly the same password as her. Perhaps they used the same password elsewhere? The 2011 LinkedIn leak did not include the friend’s email, but did include the 20 other emails and their passwords. This got Alex a real, but old, password for her account. Ultimately, he turned to phishing: sending an email with a link to a fake webpage, so she would share her password there. That did work.
The lesson is that passwords don’t work that well to protect our online accounts, at least not when normal humans use them in a normal way. Sharing info on better tools, like 2-step authentication, is something our Issues Team will be working on!
CHCon was a fun, friendly, and informative event. I’m pleased that InternetNZ can support events like this with sponsorship, and that I was lucky enough to go along.