Black Hat is a gathering of security researchers, hackers, and industry that meets in Las Vegas to do three things: outline the latest threats, show how the good guys and the bad guys can be defeated, and launch attacks on the attendees. This year saw plenty of scary attacks, including one against show attendees, along with car hacks, new ways to steal cash from ATMs, and why smart lightbulbs might not be as safe as we thought. But we also saw lots of reason to hope, like teaching machines to spot dangerous servers, using Dungeons and Dragons to train employees on handling security threats, and how Apple handles the security of your iPhone. It was, all told, a pretty mind-bending year.
The Good
Yes, Apple announced a bug bounty program at Black Hat. But that was just the last 10 minutes of a presentation by Ivan Krstic, Apple's head of security engineering and architecture. During the preceding 40 minutes he offered an unprecedented deep dive into the ways Apple protects users' devices and data, both from malefactors and from itself. And yes, it does involve using an honest-to-God blender.
As Internet of Things devices become more and more popular, security professionals are becoming more and more concerned. These are, after all, devices with microcomputers connected to networks and fully capable of running code. That's an attacker's dream. The good news is, at least in the case of the Philips Hue system, creating a worm to jump from lightbulb to lightbulb is very difficult. The bad news? It's apparently very simple to trick Hue systems into joining an attacker's network.
Every security training in every business includes the admonition that employees should never click links in emails from unknown sources. And employees continue to be duped into clicking them regardless. Dr. Zinaida Benenson, from the University of Erlangen-Nuremberg, concluded that it's simply not reasonable to expect employees to resist curiosity and other motivations. If you want them to be James Bond, you should put that in the job description and pay them accordingly.
A lot of security research and execution can be mind-numbingly tedious, but new techniques in machine learning might soon lead to a safer Internet. Researchers detailed their efforts at teaching machines to identify botnet command and control servers, which allow the bad guys to control hundreds of thousands (if not millions) of infected computers. The tool could help keep a lid on such nefarious activity, but it wasn't all heavy research. To conclude their session, researchers demonstrated how machine learning systems could be used to generate a passable Taylor Swift song.
The who-knows hotel network may be fine for a pet supply conference, but not for Black Hat. The conference has its own entirely separate network and an impressive Network Operations Center to manage it. Visitors can peer in through the glass wall at the many glowing screens, hacker movies, and long-term security experts in the NOC, which gets packed up in its entirety and moved around the world to the next Black Hat conference.
IT security wonks and white-hat hackers just can't get enough of security trainings, but they're not the ones that really need them. The sales staff, HR team, and call center crew don't necessarily understand or appreciate security trainings, and yet you really need them to step up their security game. Researcher Tiphaine Romand Latapie suggested reworking security training as a role-playing game. She found that it totally worked, and produced significant new engagement between the security team and the rest of the staff. Dungeons and Dragons, anyone?
Scam phone calls are a huge problem. IRS scams convince unsuspecting Americans to fork over cash. Password reset scams trick call centers into giving away customer data. Professor Judith Tabron, a forensic linguist, analyzed real scam calls and devised a two-part test to help you spot them. Read this and learn, OK? It's a simple and worthwhile technique.
Source: PCMag