It’s interesting to realize how much cybersecurity has changed during the 15 years since the CanSecWest conference debuted in Vancouver.
For example, the 2005 agenda listed one session on “mobile phone security” and another titled “Own3d by an iPod.” These days we call mobile phones ‘smartphones.’ And Apple quietly put the original iPod model out to pasture last year. So yeah, a lot has changed.
What hasn’t changed, though, is that bad guys are still lurking in the shadows of cyberspace. Fortunately, some of the best security minds on the planet gathered once again in Vancouver to bolster their battle plans. Here are highlights from this year’s event.
Bypassing biometrics: If you thought biometrics was here to secure your network access with the blink of an eye, think again. T-Labs researcher Jan Krissler hosted a session showing how easy it is to fool an iris security scanner using a large high-res photo of someone’s eye from Google Images.
Krissler (aka Starbug in cyber circles) claims he’s also cloned the thumbprint of Germany’s defence minister by applying latex or wood glue to a transparency made from photos of her hand. Maybe Queen Elizabeth is smart to wear those white gloves after all.
Foiling firmware: A couple of years ago, leaked documents detailed efforts by the U.S. government’s National Security Agency to spy on computers and control them by implanting malicious code in their BIOS firmware chips. Xeno Kovah and Corey Kallenberg of LegbaCore explained at CanSecWest how they’ve duplicated that by building their own BIOS malware called LightEater.
Kovah and Kallenberg were able to infect a computer with LightEater in just two minutes. Since BIOS chips aren’t usually scanned by tools like by anti-virus software, the duo warned that IT security experts need to focus more on the weaknesses within firmware.
Pwn2Own paycheques: How do you make $225,000 in one day? If you’re South Korean Jung Hoon Lee, you crack three of the web’s main browsers (IE, Chrome and Safari) to snag top honours at Pwn2Own. The contest has been held at CanSecWest since 2007 and this year Apple, Google, Mozilla and Microsoft tempted hackers with cash prizes to break into their browsers. The idea is that IT companies reward hackers for bringing security bugs to their attention.
All four major browsers were compromised during the 2015 competition, where Lee took home nearly half the total prize money of $557,000. But as noted in our next section, some observers wondered if the potential cost of such contests – and of the entire conference itself – is just way too high from a risk perspective.
Paranoid much?: Last year veteran French cyberwarrior Eric Filiol was set to present a session titled “Hacking 9/11” but backed out over his own fears that terrorists could use his data to plot attacks against the United States.
This year, security experts raised new concerns that Pwn2Own contestants could face legal action for potentially violating a treaty called the Wassenaar Arrangement. It’s an international law against exporting weapons or technology that might compromise military or civilian security operations. As noted by the UK’s Register blog site, German security expert Stefan Esser sent out a tweet advising Pwn2Own competitors to “check with your lawyer” or “notify your government” before heading to Vancouver.
Just weeks before CanSecWest, Google also generated questions about the ethics of annual hacking contests by cancelling its own yearly competition called Pwnium. Instead, Google will allow security researchers to submit bugs (and win cash bounties) all year-round. Without pointing fingers directly at Pwn2Own, Google’s security team stated in a blog that annual contests create “a bad scenario” by encouraging hackers to hoard information about bugs vs. disclosing them immediately.
All of which goes to show you: even cybersecurity folks are never completely safe from threats – or scrutiny.