Security under a darker cloud

Should the channel take information and data security more seriously? Fleur Doidge reports from technical security forum Black Hat

Black Hat Europe - where vulnerabilities are exposed and exploits demonstrated for the cream of the world's security professionals - opened this year in Amsterdam with a demo by cryptographer Adi Shamir, who showed how malware on a PC can be activated wirelessly from several miles away.
Granted, the set-up required an inconveniently large quadcopter, but it showed what can be achieved.

Users often remain blissfully ignorant of their level of risk - although for the channel, risk can represent opportunity as well as threat. This year many of the panel-selected papers targeted weaknesses in mobility, cloud, software-defined architectures and the Internet of Things.

Thomas Brandstetter, founder and general manager of Austrian consultancy Limes Security, presented research finding that the iOS, Windows and Android apps of 90 per cent of the banks and financial services firms examined are dangerously flawed.

SSL certificate validation is failing: many apps do not check that the server's certificate is valid, and many mishandle hostname or public-key checks. Some companies had moved to improve their systems after being alerted by Brandstetter - but some had not, he said.

"There are still several apps of European and international banks that do not even do any validation checking, and are susceptible to man-in-the-middle attacks. This is a total fail," said Brandstetter.
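To make the failure classes Brandstetter describes concrete, the following is an added example in Python's standard library; it is not code from the article or from Limes Security's research. It shows the insecure client setup that silences certificate errors by turning validation off, the hardened setup that validates the chain, the hostname and the minimum protocol version, an audit function that reports which of these checks a given TLS context skips, and a certificate-pin check for a man-in-the-middle certificate that a CA would otherwise accept. The function names, the constructed stand-in certificate bytes and the pin values are assumptions for illustration only.

```python
# Added example (not from the article or from Limes Security's research):
# two ways a banking app might set up its TLS client in Python's stdlib,
# an audit of the validation failures Brandstetter describes, and a pin check.
# Function names, the stand-in certificate bytes and pins are hypothetical.
import hashlib
import socket
import ssl
from typing import Iterable, List, Optional


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern: silence a certificate error by disabling validation.

    With CERT_NONE any certificate is accepted, so an on-path attacker can
    terminate the TLS session with a certificate of their own and read or
    modify every request. check_hostname has to be cleared first, otherwise
    Python refuses to set CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """What the app should do: verify the chain against a trust store, verify
    the hostname, and refuse protocol versions that can be downgraded."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Report the failure classes from the talk: no certificate validation,
    no hostname validation, and acceptance of downgradable protocol versions."""
    findings: List[str] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("no certificate validation (verify_mode=CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("no hostname validation (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("accepts TLS versions below 1.2 (downgradable)")
    return findings


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex. Pinning the
    certificate hash is the simplest pin; pinning the SubjectPublicKeyInfo
    survives re-issuance but needs an X.509 parser, which the stdlib lacks."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: Iterable[str]) -> bool:
    """True if the presented certificate is one the app was shipped with."""
    return cert_fingerprint(der_cert) in {p.lower() for p in pins}


def connect_pinned(host: str, port: int, pins: Iterable[str],
                   cafile: Optional[str] = None) -> ssl.SSLSocket:
    """Open a hardened TLS connection and additionally enforce a pin, so a
    mis-issued or interception certificate that chains to a trusted CA is
    still rejected. (Makes a network call; not exercised by the demo below.)"""
    ctx = hardened_context(cafile)
    sock = ctx.wrap_socket(socket.create_connection((host, port)),
                           server_hostname=host)
    if not pin_matches(sock.getpeercert(binary_form=True), pins):
        sock.close()
        raise ssl.SSLError("certificate pin mismatch for %s" % host)
    return sock


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no findings"])
    # Constructed stand-in for a DER certificate, used only to exercise the pin check.
    fake_der = b"constructed-der-bytes-not-a-real-certificate"
    print("pin ok:", pin_matches(fake_der, [cert_fingerprint(fake_der)]))
    print("pin ok:", pin_matches(fake_der, [cert_fingerprint(b"some-other-certificate")]))
```

The audit function is the kind of check worth running over every TLS context an app constructs, in code review or as a unit test, because the insecure pattern is usually introduced as a quick workaround for a certificate error on a test server and then ships. The minimum-version check also addresses the protocol downgrade that attendees describe later in this piece: a client that still accepts old SSL/TLS versions can be pushed to weaker ciphers by whoever sits on the path.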

A discussion among about 100 security experts confirmed fears of a chilling effect on IT post-Snowden. Some organisations are locking down or avoiding new IT purchases, partly because of fears about cloud and partly because of a perception that security is too difficult or expensive to deliver, attendees revealed when questioned by Black Hat founder Jeff Moss.

"Post-Snowden, we've probably all been asking the same questions - or at least, thinking about doing so," Moss said.

"Yes," agreed one industry attendee. "We trusted our internal connectivity more although the internet was the Wild West. Now, we're treating internal connectivity as suspect as well and we have increased our monitoring activities."

One delegate quipped: "There is no such thing as cloud: there are just other people's computers."

Most agreed it is important to stop applications and devices from sending unencrypted data over the internet, and even virtual machines must be encrypted if data is to remain protected, said Moss.

Some were even destroying computer equipment after executives returned from abroad. Several security specialists said they were minimising the number of apps, the SSL ciphers enabled, and more on executives' travel systems, or simply having the systems "burned" - completely destroyed.

This was not paranoia. "We always find stuff. [For example] through the Great Firewall of China they do different things that downgrade your SSL to a lower level of encryption that they can break," one said.

"We run into this a lot and we find different types of malware and things on the server. We haven't found anyone actually taking control or anything, but that doesn't mean it is not happening."

Other presenters showed how easy it is to hack home automation or industrial control systems and gain access to data hosted on networked PCs or mobile devices. There were also demos of how to break into Amazon, hack hypervisors, and attack software-defined network architectures and the latest Apple OS X release.

Ian Kilpatrick, chairman of distie Wick Hill, agrees that the fundamental challenge is that organisations deploy solutions without first considering the risks and security elements of what they are deploying.

"The channel has a responsibility, as well as an opportunity, to introduce risk awareness at the point of sale," he says. "Many VARs avoid raising security issues at the point of sale for fear of 'scaring the horses', complicating the sale, or increasing the quoted price."

Kilpatrick says that building security awareness into the approach - perhaps by offering two quotes, one with security and one without - has given some VARs "spectacular" growth. Resellers can also present the cost benefits of integrating security at the point of deployment rather than "back-fitting" it later. Trusted VARs can extend their customers' understanding through education.

"For those with minimal knowledge, a good starting place is authentication, which is very topical with one to two billion passwords stolen in recent times that we're aware of. It is essential for cloud access, and security is the single biggest impediment to cloud adoption - so failure to introduce security is self-defeating. It is an easy add-on for new products and for renewals. Having added it, it is more difficult for a customer to ignore it."

Those that lack the skills can partner with vendors and distributors that offer sales, marketing, technical and training tools. And security margins are higher for the channel than in many other areas.

"For a couple of days' engineering commitment they can make very strong service revenues," says Kilpatrick.