HOPE X Conference Takeaways
Published On: August 4, 2014

A number of the K logix technical team had the pleasure of attending the HOPE X conference in NYC this year. HOPE, short for Hackers on Planet Earth, is an interesting combination of security and advocacy. Talks at the conference ranged from relevant to our industry and customer base ("HTTP Must Die"), to amusing ("Rickrolling Your Neighbors with Google Chromecast"), to downright disturbing ("You've Lost Privacy, Now They're Taking Anonymity"). As you can see from keynote speakers like Edward Snowden (remotely, obviously) and Daniel Ellsberg, HOPE is seriously mired in activism.
Even if you aren’t the type who anxiously awaits the next Anonymous hack, HOPE still produced some insight into current exploits and had interesting thoughts on the possible future of security. Here are takeaways from our team.
- Opportunistic “HTTPS” – This focuses less on the authenticity of the site, and more on the privacy of the data exchange. When requesting an HTTP web page in an opportunistic browser, the browser would ask to perform encryption anyway using TLS instead of SSL. Its intent is not to provide non-repudiation or defeat active attacks, like Man-in-the-Middle, but to keep passive ones, like network sniffing, from exposing sensitive or private data.
- Unexpected malware channels – Michael Sikorski from Mandiant explored some of the latest techniques hackers are using to exfiltrate data. Clever avenues included hide-amongst-the-noise techniques, Outlook Assistant, and even Tweets. In short, malware will likely find a way to call home to its C&C server one way or another. One of the key defensive takeaways from the talk was that security professionals can benefit by focusing less on signature-based detection of malware executables (since these can be evaded with tactics such as packing and encryption/encoding) and more on detecting patterns of network callback activity (since these are far more consistent within a particular malware family).
- Backdoors in iOS devices – Security researcher Jonathan Zdziarski presented his analysis of undocumented backdoors in iOS devices that could allow an adversary to snoop sensitive data remotely. One iOS service in particular, known as the pcapd service, could allow an attacker to wirelessly monitor all traffic coming into and out of a user’s device. Jonathan called on Apple to explain to the public what these undocumented features are and what their purpose is. The slides from Jonathan’s presentation can be seen here.
- Threat modeling during SDLC: Sooner is better – The cost to remediate a bug that was overlooked in the Software Development Life Cycle and found its way into production code can reach 1000 times the cost of resolving it had it been caught during testing. Application vulnerabilities and security flaws are no different. In fact, they can exact an even greater toll if remediation of the security issues requires the re-architecture of the entire application. In this talk, Eleanor Saitta discussed how and when to involve security architects during the SDLC, and explored some systemic approaches to threat modeling, including Trike, the open source framework she helped develop.
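
The defensive takeaway from the malware-channels talk above, detecting consistent callback patterns rather than executable signatures, can be illustrated with a small beaconing check. This is an added example, not code from the talk or from K logix: it flags source/destination pairs whose connection intervals are nearly constant. The log format, host names, and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real data): "timestamp source destination"
SAMPLE_LOG = """\
2014-07-20T09:00:03 ws-114 cdn-sync.example.net
2014-07-20T09:05:01 ws-114 cdn-sync.example.net
2014-07-20T09:10:04 ws-114 cdn-sync.example.net
2014-07-20T09:15:02 ws-114 cdn-sync.example.net
2014-07-20T09:20:05 ws-114 cdn-sync.example.net
2014-07-20T09:25:03 ws-114 cdn-sync.example.net
2014-07-20T09:01:10 ws-114 news.example.org
2014-07-20T09:01:45 ws-114 news.example.org
2014-07-20T09:07:30 ws-114 news.example.org
2014-07-20T09:31:02 ws-114 news.example.org
2014-07-20T09:33:15 ws-114 news.example.org
2014-07-20T10:12:40 ws-114 news.example.org
2014-07-20T09:02:00 ws-207 mail.example.com
2014-07-20T09:40:00 ws-207 mail.example.com
2014-07-20T10:15:00 ws-207 mail.example.com
"""

def find_beacons(log, min_events=5, max_jitter=0.1):
    """Return {(src, dst): (mean_interval_seconds, jitter)} for regular callbacks.

    jitter is the standard deviation of the gaps divided by their mean;
    a value near 0 means the host connects on a fixed timer.
    """
    flows = defaultdict(list)
    for line in log.strip().splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    hits = {}
    for pair, times in flows.items():
        if len(times) < min_events:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # identical timestamps, nothing to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits[pair] = (round(avg, 1), round(jitter, 3))
    return hits

if __name__ == "__main__":
    for (src, dst), (avg, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every ~{avg}s, jitter {jitter}")
```

Legitimate software such as update checkers also connects on a timer, so hits need to be reviewed against an allowlist, and callbacks that randomize their sleep interval will exceed a fixed jitter threshold.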
Were you at HOPE X? What did you think about these talks and others?
- The K logix security team