My Guests Today

Today I’m joined by 3 guests from the digital security community here in Toronto.

I had a cold when we recorded this episode. It wasn't really noticeable, until 1:18:00 when my voice starts cracking heavily. It’s funny :)

  1. Dolev, mentioned by Nick https://dc416.com/speakers/dolev-farhi/
  2. Correction: the OWASP Toronto chapter was started in 2008, not 2018. The OWASP Foundation came online in 2001.
  3. List of OWASP projects & statuses: https://www.owasp.org/index.php/Project_Inventory This is a great way to get involved!
  4. Charlie Miller & Chris Valasek completely take over a Jeep, including disabling the brakes and driving it into a ditch. Yes, this is real life! https://www.youtube.com/watch?v=OobLb1McxnI
  5. Shout-out to Laura Payne for being a huge influence on Nick getting started in this field. Thank you ❤️
  6. Opheliar makes a joke about entering the industry via a ‘side channel attack’. In computing, a side channel attack is an indirect attack that exploits information leaked by how a system is implemented rather than a weakness in its design. In crypto, for example, rather than attacking the algorithm, a side channel attack exploits the implementation of the algorithm: how long an operation takes, how much power the chip draws, or which error message comes back. Against physical hardware, the side channel might be temperature, electromagnetic or acoustic emissions, or the brightness and blink pattern of status LEDs, any of which can reveal what state the device is in. For more examples, look up timing attacks, power analysis attacks, thermal imaging attacks, and padding oracles. In this context, Ophe means that many people over 30 did not get into the industry via a direct job application and a set of credentials, but via invitation or changes to their role/job description: curiosity leading to opportunity leading to job offers.
  7. Nick and Ophe first met when they were part of SecTor‘s 2016 FAIL Panel.
  8. Brian mentions Ben Sapiro and James Arlen of Liquidmatrix Security Digest. Amongst other goodies, they maintain a list of default usernames/passwords for over 1000 commercial devices.
  9. Shout-out to Kurtis Armour of the FAIL Panel.
  10. Learn more about the MITRE ATT&CK framework: https://attack.mitre.org/
  11. Brian mentions the various FIRST Robotics programs, including one for kids as young as 6 years old.
  12. Nick mentions https://hourofcode.com/ca. This is another mentorship opportunity as well.
  13. CultureLink (Toronto-based) helps new immigrants get established. They offer training specifically in cybersecurity: http://www.culturelink.ca/services/mentorship-program/cybersecurity-training/
  14. We talk about how to get started in security. Here are a few resources to help get started:
    1. Hi, I am X. How do I get into AppSec / Security? by OWASP Toronto
    2. NIST cyber security workforce framework
    3. Youtube is a fantastic resource!
    4. Youtube and Kali Linux
    5. in depth wifi security primers
  15. In many professions there are well-established paths of education/entry (e.g. for a lawyer, a nurse, a fighter pilot). Security isn’t usually this way. Many people in security have a background in something else. The best way to break in is to get involved! https://toronto.hackstudent.com/ is great for students, or check out the #mentor channel on https://owasp.slack.com/ (contact Ophe for an invitation).
  16. CTF stands for Capture the Flag: a contest/game where deliberately vulnerable applications/infrastructure/stuff is built for people to hack. Usually each challenge contains a file or string, ‘the flag’, which can be retrieved by hacking the target, beating the challenge, and presenting the flag as proof of success. Players earn points for each flag captured, weighted by the difficulty of the challenge. CTFs are often tournaments, and the team with the most points at the end wins! Find out more:
    1. https://ctftime.org/
    2. https://trailofbits.github.io/ctf/
    3. http://captf.com/practice-ctf/
    4. https://microcorruption.com/login
  17. Niagara Motoring is a Niagara-on-the-Lake car show that Brian is a part of organizing.
  18. The first DC416 event featured little doors with locks (made by Nick) where people could learn how easy it is to pick a lock! Check out Sparrows Lock Picks or even Amazon for getting-started lock-picking sets.
  19. Another great resource is https://learnlockpicking.com/
  20. Wouldn’t it be amazing if you could test-drive your anti-virus software the same way you test-drive a car? You could easily prove if it works or not. It would be a better world, but we haven’t quite figured this out yet. That is, until Nick releases his research! Look for it in May(ish) of 2019.
  21. There’s also an international non-profit trying to introduce standards into anti-malware: https://www.amtso.org/
  22. The buzzwords of today: cloud, blockchain, AI, microservice, … Investors pay attention, but many people in the industry know these are not silver bullets. In fact, your app/service would probably do worse in the cloud, or split into microservices.
  23. Agile & related SCRUM, Kanban, Lean, DevOps and DevSecOps. These are approaches to handling software development life cycles. And they’re buzz words.
  24. On a related note, SAFEcode fundamental practices for secure software development: https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf
  25. You’ve automated your problem. Congratulations! You haven’t solved anything, but now your problem is more complex.
  26. A backdoor is a method, often secret, of bypassing normal authentication or encryption in a computer system, a product, or an embedded device. A hardware backdoor is a backdoor implemented in the circuitry (the actual wiring) of a chip, such as a processor. I only learned about this in 2016; I had no idea this concept was decades old!
  27. The best-known backdoor is probably the TSA-approved suitcase lock and the related master keys that open every such lock.
  28. Why are TSA lock backdoors bad? https://lock-picking.wonderhowto.com/how-to/is-why-your-tsa-approved-luggage-locks-are-useless-0164446/
  29. A software backdoor, by contrast, is more like putting the same ‘admin’ password on every person’s email/Facebook/PayPal/online banking account. The reason this is so alarming is that software is networked and identical everywhere: no matter how complicated the password is, anyone who cracks it gets access to anyone’s account from anywhere. At that point it becomes worth it for nation states and criminal organizations to spend the time cracking the password or finding the backdoor, because it is a guaranteed way into every system and all the data connected to the backdoored product. And a backdoor baked into shipped software is usually difficult to change or remove, so the exposure from a potential breach lasts longer and reaches wider.
  30. Security features are abused by ‘cyber attackers’ and used by security practitioners to protect users. That push-pull has led law enforcement to raise backdoors at the governmental level, and certain parties in Five Eyes countries such as the UK and Australia are advocating for mandated backdoors in all products.
    1. australian backdoor law commentary by Bruce Schneier
    2. US Democrat backdoor discussions
    3. UK Draft Investigatory Powers
    4. and commentary from TechCrunch
    5. The security and tech industries are pushing back, but there is a serious disconnect. Security/tech has responded by supporting opposing legislation like the Secure Data Act (see the EFF’s coverage).
  31. Huawei and ZTE were banned from Australia’s upcoming 5G mobile networks. This follows the US banning its government from using tech from the same two companies. What does all this mean? Do these companies really have backdoors in their devices?
    1. Wired explains one kind of hardware backdoor: https://www.wired.com/2016/06/demonically-clever-backdoor-hides-inside-computer-chip/
  32. Malicious actors may backdoor chips or devices, but Internet-of-Things (IoT) devices are so notoriously flawed to begin with that there’s no need for a malicious actor! For laughable examples, check out https://twitter.com/internetofshit or, for non-twitter-ers, https://internetofshit.net/
  33. In 2017, an Internet-connected fish tank in a casino was compromised and used to exfiltrate data. Yes, this really happened! https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/#142757bc32b9
  34. PII stands for Personally Identifiable Information. Your PII is protected by privacy law in most jurisdictions:
    1. Privacy Commissioner of Canada
    2. GDPR definition of Personal Data
    3. Michael Geist is a really good source of information and reasoned commentary on privacy and Canadian technology law.
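Going back to the side channel definition in note 6: here is an added worked example of a timing side channel, written for these notes rather than taken from the episode or from any project mentioned in it. It simulates the leak deterministically: instead of timing a comparison with a clock, it counts how many byte comparisons a leaky equality check makes before bailing out, which is exactly the quantity a real timing attacker estimates from repeated measurements. The secret value, the alphabet and all function names are invented for the example.

```python
"""Timing side channel, simulated: recover a secret from an early-exit
string comparison by observing only how much work the comparison does.

Added example for these show notes (not from the episode). The secret,
the alphabet and all function names are invented for illustration.
"""
import string

# Constructed for the example: the character set the attacker assumes.
ALPHABET = (string.ascii_lowercase + string.digits).encode()


def leaky_equals(secret: bytes, guess: bytes):
    """Early-exit comparison, like a naive == on the server side.

    Returns (is_equal, work). `work` counts byte comparisons and stands
    in for elapsed time: it grows by one for every leading byte of the
    guess that matches the secret, which is the leak the attacker reads.
    """
    work = 0
    if len(secret) != len(guess):
        return False, work
    for a, b in zip(secret, guess):
        work += 1
        if a != b:          # data-dependent early exit: the side channel
            return False, work
    return True, work


def constant_time_equals(secret: bytes, guess: bytes):
    """Same interface, but every byte is always visited and mismatches
    are accumulated with OR, so `work` (time) is independent of the data.
    In real code use hmac.compare_digest(); it is written out here so the
    work counter can be shown alongside the leaky version."""
    work = 0
    if len(secret) != len(guess):
        return False, work  # length still leaks; hash both sides first
    diff = 0
    for a, b in zip(secret, guess):
        work += 1
        diff |= a ^ b
    return diff == 0, work


def recover_secret(oracle, length: int, alphabet: bytes = ALPHABET):
    """Attacker side. `oracle(guess)` returns (is_equal, work).

    Recovers the secret one byte at a time: at position i, the candidate
    whose guess costs strictly more work than the others is the correct
    byte. Returns (secret_or_None, number_of_oracle_queries). None means
    the oracle leaked nothing (every candidate cost the same).
    """
    known = b""
    queries = 0
    for pos in range(length):
        work_by_char = {}
        for ch in alphabet:
            # Pad with NUL bytes (not in the alphabet) to keep the length right.
            guess = known + bytes([ch]) + b"\x00" * (length - pos - 1)
            ok, work = oracle(guess)
            queries += 1
            if ok:
                return guess, queries
            work_by_char[ch] = work
        if len(set(work_by_char.values())) == 1:
            return None, queries      # no signal: comparison is constant-time
        known += bytes([max(work_by_char, key=work_by_char.get)])
    return None, queries


if __name__ == "__main__":
    SECRET = b"s3cret42"   # constructed for the example
    found, n = recover_secret(lambda g: leaky_equals(SECRET, g), len(SECRET))
    print("leaky oracle:", found, "after", n, "queries; brute force would need up to",
          len(ALPHABET) ** len(SECRET))
    found, n = recover_secret(lambda g: constant_time_equals(SECRET, g), len(SECRET))
    print("constant-time oracle:", found, "after", n, "queries")
```

Against the leaky comparison the attacker needs at most one alphabet's worth of queries per byte (a few hundred here) instead of 36^8, which is what turns a "cosmetic" implementation detail into a break. Against the constant-time comparison every candidate costs the same and the attack stalls at the first byte. In a real attack the work counter is wall-clock time, so each candidate has to be measured many times and compared statistically, but the defence is the same: no data-dependent branches on secret material, and compare hashes of fixed length so the length doesn't leak either.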