Kaspersky Security Analyst Summit brought forward a lot of things to think about, and in this post we’ll pick a handful (well, actually quite a lot) of twitter highlights from those two days of security-related keynotes and presentations.
Best tweets of #TheSAS2015
Tweet
“Insecurity isn’t coincidence, it’s consequence“, said famous security researcher Dan Kaminski in his keynote.
Wise words from @dakami – insecurity isn't coincidence, it's consequence. #TheSAS2015
— Costin Raiu (@craiu) February 16, 2015
Wise words indeed: both security and the lack of it are the results of certain decisions and actions, and negligence is a sort of action as well.
It’s a big mistake to think that vulnerabilities exploited by the cybercriminals are coming out of the blue: they may be unexpected, but it’s “an expected unexpectability”. A proper approach to security allows for the protection from next to any sort of threat. In reality, though, “holes in the fence” are ubiquitous (just look at the graph below), which allows for large-scale campaigns.
Vulnerability stats by product/library from @Kym_Possible. It's not only about Flash and Java. #TheSAS2015 pic.twitter.com/bAKHtZU3DU
— Threatpost (@threatpost) February 17, 2015
Carbanak, for instance, or another drawing card of SAS 2015: The Equation APT. A lot has been said about both of them: Carbanak, for instance, is a huge APT campaign – a Great Bank Robbery of XXI century’s second decade. The still-active APT was reported at SAS by Kaspersky Lab’s researchers Sergey Golovanov and Sergey Lozhkin. The audience appeared quite impressed by the Carbanak-related keynotes.
https://twitter.com/k8em0/status/567366634038251520
A full report is available here.
The Equation has also stirred a lot of interest, and the fact that this APT has some apparent ties to Stuxnet (and actually precedes it) drew additional attention as well.
Suite of Sophisticated Nation-State Attack Tools Found With Connection to Stuxnet – http://t.co/FsaH0Jzq5O
— Kim Zetter (@KimZetter) February 16, 2015
People just couldn’t pass by the fabulous Grzegorz Brzęczyszczykiewicz. How many times have you tried to learn how it is properly pronounced?
Grzegorz Brzęczyszczykiewicz https://t.co/jvKEAK8kOJ @vkamluk #TheSAS2015
— David Barroso (@lostinsecurity) February 17, 2015
Yet another point of interest for The Equation is that its main component appears to be only removable by physically destroying the infected hard-drive. Pictures of a totally ruined HD have been tweeted quite a few times.
The only way to remove nls_933w.dll #TheSAS2015 #EquationAPT pic.twitter.com/zfVE1kKyha
— Fabio Assolini (@assolini) February 16, 2015
Insecurity isn’t coincidence, it’s consequence (c) Dan Kaminski #TheSAS2015
Tweet
Hardware was a hot topic throughout the entirety of SAS 2015. As Runa A. Sandvik summarized it, “That feeling when you wake up, read Twitter, and question whether you can trust any of the hardware you own.”
That feeling when you wake up, read Twitter, and question whether you can trust any of the hardware you own.
— Runa Sandvik (@runasand) February 20, 2015
And indeed: here goes some biohacking:
https://twitter.com/k8em0/status/567446257950400513
then – obtaining the data by scanning the Bluetooth-enabled wearables:
Data which can be easily obtained via Bluetooth scan of wearables devices in the range #IoT #TheSAS2015 pic.twitter.com/zdGbeoqmyg
— Dmitry Bestuzhev (@dimitribest) February 17, 2015
The much-glorified and eagerly-expected Internet of Things looks anything but secure, right now, yet it is being quickly implemented. Even on the urban level, as pointed out by Cesar Cerrudo from IOActive Labs, an expert researcher on ICS/SCADA and Smart Cities, “Smart city becomes Dumb city when the tech is implemented with no security in mind”.
"Smart city becomes Dumb city when the tech is implemented with no security in mind" @cesarcer #theSAS2015
— Eugene Kaspersky (@e_kaspersky) February 17, 2015
The lack of the “security in mind” approach is the cornerstone of a lot of today’s security issues with software, especially the legacy ones, and especially with the aging ICS designed in the pre-Internet era. If “Smart Cities” will be plagued by the same problems, it’s a bit scary to imagine what may follow.
A full summary of the Kaspersky Security Summit is available in our blog here.