Blogging away on Munich Cyber Security Conference 2019 & meeting the creator of the Twofish crypto algorithm and the bounty queen
planet 33 at the Munich Cyber Security Conference – a short and fragmentary sampler for those who were not present
Once a year, members of the European cybersecurity community (mostly policy and corporate types, with a few practitioners blended in) meet on the eve of the Munich Security Conference at the Bayerischer Hof in Munich, this year on February 14th, 2019.
planet 33 is invited to the conference as a proud member of the “Security Network Munich” (https://it-security-munich.net/ueber-uns/about-us-english) and sees its role as a transmission belt for security best practices in the everyday world of our customers. Obviously, security measures and awareness differ between corporates and midsize customers.
This is by no means a complete account of the event or a piece of high journalistic standard. It is a very subjective and personal review of the event. I have validated the statements of all persons cited, though.
Speakers omitted here were not left out because of their contributions but because of simple scheduling conflicts with the author's other activities at the conference (notably my chats with other participants).
One of the openers was Julian King – one of the brave British EU commissioners whom we will miss in the EU administration.
In his overview he describes how the cyber-threat landscape has changed in recent years and cites some of the big issues of the EU Security Union:
- The risk that elections are interfered with
- The need to protect critical technical infrastructure (Huawei building 5G networks in Europe)
- The need to protect EU citizens identities
He stresses that European equipment makers for telco infrastructure have about 30% market share, but 90% of IT devices are made in Asia, notably China.
US and Chinese spending on AI development dwarfs European spending.
The region of Shenzhen spends 13.5 billion US$ on AI research and education, whereas France, one of the more innovative politically driven EU administrations in the AI field, spends 1.5 billion US$.
The EU needs better coordination on technology, and we need to beware of protectionist instincts!
Open markets and trade fairs do not mix well with “Huawei out!”.
He mentions the components of a successful EU policy to mitigate these risks:
The EU Cybersecurity Act, the NIS Directive, the foreign investment screening framework and the EU rules on procurement.
Another participant from the UK, Alexander Evans (Director Cyber, Foreign & Commonwealth Office), gave insight into the cybersecurity activities of the UK – interesting before the UK leaves the EU.
He describes the NCSC's deployment of national cybersecurity policy as quite technical and automated processes, with behavioural scientists and big-data specialists involved in the Foreign Office.
He wants to demystify what cybersecurity really is. The typical reaction before was that cybersecurity is too technical, too complicated and someone else's business. The Foreign Office has made a grand strategic push (also following the corresponding EU directives) and continues to innovate with a 30 million pound budget – and aims not to be complacent.
The first panel had some hands-on people who contributed their day-to-day problems to the discussion.
Dr. Stefan Lüders (CIO of CERN) is amazed by the great web apps that his researchers at CERN churn out with no security by design built in. Academia seems to foster nice graphs and has greatly improved user interfaces, but does not contribute sufficiently to the secure operation of the applications.
Stephan Micklitz (Director of Engineering at Google) describes the arms race: attacks on Google's infrastructure are getting more and more sophisticated – spear-phished/targeted as well as broad attacks are becoming more dangerous.
Larry Clinton (President of the Internet Security Alliance, who wrote the “Cyber Risk Management Handbook” endorsed by the US government and, in a German version, by the BSI) is often asked “why have you not fixed the stuff since you first wrote about it?” His answer:
The essence is not the vulnerabilities but the attraction of the “black hat attacker business model”.
Attacks happen because they are a great business model: the attempts are cheap and the economics are great. The questions are wrong – nobody teaches security – nobody wants to pay for security. This needs to change!
We need to make “white hat” cybersecurity cool and economically more interesting than “black hat” activity.
During the panel, Larry Clinton and Stefan Lüders stress the role that bug bounty programs can play in making “white hat” cybersecurity a profession with a future:
Larry Clinton wants bug bounty programs to be enforced: the owner of the product has to pay the bug hunter a fixed fee according to a government catalog. Stefan Lüders quips that there are two product types where the producers are not responsible for the damage their products cause: software and illegal drugs. Money and legality are the key incentives for people to disclose bugs! Better the good guys stay on the legal side, even if they are paid less than the bad guys.
Motohiro Tsuchiya (cybersecurity professor at Keio University in Japan) tells, only half jokingly, that his best students end up working at Google and are not attracted to cybercrime.
But as a North Korean or Chinese computer expert you can live a good life as a cybersecurity “EXPERT”.
In his research on the “bad boys”, Professor Tsuchiya has identified five types of cyber warriors in the Chinese context:
- frustrated students
- economic spies (Chinese companies spying on Chinese companies)
- political spies (spying as an extension of foreign policy – classical espionage with new technical means)
- cyber soldiers in regular national units (e.g. Chinese PLA Unit 61398)
- mercenaries – they do not care who their employer is or who their target is
One highlight of this year's MCSC was the presence of Bruce Schneier (security technologist, co-architect of the Twofish crypto algorithm, https://www.schneier.com) in one of the panels.
Mr. Schneier starts off by describing stupidly insecure appliances, e.g. refrigerators that record what you put in and send it to some cloud service, with manufacturers selling this data to third parties. Customers have their privacy compromised and at the same time provide an attack drone for the next DoS attack.
He has analysed the emerging IoT industry in his new book “Click Here to Kill Everybody – Security and Survival in a Hyper-connected World”.
He describes how strong the new market-driven force based on collecting our data is, and points out that security is not a competitive advantage for Facebook and the other data dealers. Schneier strongly recommends Shoshana Zuboff's “The Age of Surveillance Capitalism” as the new standard work on the subject.
The regulation of these manufacturers and data dealers has failed so far, so the lawmaker needs to raise the cost of this insecurity such that they simply cannot afford to install insecure products any more.
Schneier continues: “Regulation is how society functions – when I board a plane whose engines are managed by regulations – I trust that, since I do not know how to check a plane engine.”
For consumers we need simple instructions and rules.
Plugging a USB stick into a computer can never be a security problem – because that is what they have been designed for – auto-starting stuff on the stick is a design problem.
Clicking on a link can never be a security problem – because the reason for a link's existence is its function – allowing insecure links is first and foremost a design problem.
“Do not blame the user!”
The problem with good regulation, according to Schneier, is that IT people are not in policy and politicians are not in IT.
Mr. Schneier describes the transformation of the historical question “how much of life should be governed by the state and how much by the market” into the new question “how much of life should be governed by technology and how much by the state”, and wants more technologists to deal with policy issues.
This is one of the reasons he is lecturing at the Harvard Kennedy School of Government on “Cybersecurity: Technology, Policy, and Law”.
Schneier shows the dilemma of responsibility in cybersecurity between private enterprise and government.
We expect private enterprise to defend the state – but this is very asymmetric warfare, since Siemens cannot fight the Russian state (even if attacked) – and the opposite is not good either: the state cannot take over private enterprise to mitigate its economy's exposure to a foreign country's attack.
Another problem, according to Mr. Schneier, is the customers' craving for features. The market does not reward simplicity but features, so code grows to too many lines for humans to do security evaluations.
Mr. Schneier's presence at MCSC has motivated me to read his books “Data and Goliath” as well as “Click Here to Kill Everybody”.
My final encounter at MCSC 2019 that I would like to feature here was with Katie Moussouris (founder of Luta Security, http://lutasecurity.com), aka the “bounty queen”.
She took part in the final panel and gave me more insight into the world of bounty programs and the mistakes one can make when setting one up.
Katie – while working in vulnerability disclosure – convinced Microsoft in 2013 to launch a bug bounty program, after serious analysis of internal Microsoft data substantiated her claim that her design of the bug bounty program at Microsoft would have a positive impact on the security of Microsoft products, and that the bounty program improves the quality of Microsoft products faster than internal measures.
There is an offence market, i.e. a black market for exploits, and Katie considers it legitimate for the government to “keep” zero-day exploits in stock and use them against “enemies”.
But she does stress the oversight requirement: the security agency that stores the zero-day exploits has to monitor closely the use of the exploits and balance the risks.
Bug bounty programs are not always the right solution and can even be problematic in the open source field. Katie asked the Apache core maintainer team (fewer than 5 people) whether it would help them to reward bug reports. The answer was a definite no, because already now most of the proposed core fixes actually break the code and cannot be used. These proposals are clogging up the pipeline for the maintainers.
Katie urges companies to handle reported security issues sensibly and with a well-defined vulnerability coordination process. A negative example is the handling of an Apple FaceTime bug that was discovered by a 14-year-old school kid who was using the group chat and could only enter the official bug bounty program when his mother registered as a developer in the Apple process – something the mother did not do without tweeting about Apple's funny behaviour in this case. Katie Moussouris summarizes: “Apple dropped the baton on the FaceTime bug”.
Bug bounties are often not properly set up and used. Outsourced bug bounty programs fail to produce good-quality bug reports. And obviously bug bounty programs do not replace good internal handling of bug fixing and prioritizing. The idea of having your own bug bounty program is to have direct contact with the hacker community.
There are sometimes perverse situations with companies that offshore development to other countries and set up a “one size fits all” bug bounty program. A bug hunter in India will thus make 16 times more money than the Indian programmer who might have caused the bug.
A good process deals with duplicate submissions to the bug bounty program, with attempts to split a big bug into several small bugs to maximize the rewards, and with the submission of the same bug to several companies in a vendor / supplier / integrator chain. It also makes a lot of sense to integrate the bug bounty programs with suppliers and vendors. These processes need to be certified, audited and … “used”. Equifax was well certified – but obviously lacking the regular routine: the Equifax beaconing system that should have raised the alarm about the data dumping was offline because of an expired certificate.
A well-implemented bug bounty program with a good process has transformed the perception of Microsoft: in 1990 Microsoft was the laughing stock of security, and in 2019 it is an industry leader in security. Some of the industry's most efficient bug bounty programs (“Hack the Pentagon”) have been set up by Katie Moussouris, and she is now offering her know-how in consulting with Luta Security (“100% female-owned and Native Pacific Islander-owned tech company”).