After leaving Edge Hill in a Grab and Go Clio in the early hours of the 22nd of April, our trip began to London Olympia’s InfoSecurity Europe 2008. Surrounded by some of the most prominent researchers, developers and consultants in the IT security community, and by over 12,500 visitors, we knew there would be some cryptic conversations ahead.
With the aim of gathering as much information as possible, we set out to grill dozens of distributors, sellers, resellers and strategy groups. While we gained a good understanding of what is being sold and offered, there is a huge variance in the market. Some of the most informative demonstrations, though, came from companies showing just how easy it is for an attacker to get hold of your data.
One particular talk covered the prospect of stealing sensitive data directly from the volatile memory of a laptop. If the user were to leave the computer in a powered-on state (including hibernation), a thief could remove the memory modules, keep them cool with a can of cooled gas (slowing the decay of the data they hold), and then dump their contents to a file for examination. From this dump, the thief can recover vital information, including master encryption keys (held in active memory while the machine is running) and essentially anything else that might be needed to gain access to the victim’s company computers. The moral of that story was never to leave your laptop unattended, especially while it is powered on.
Another interesting discussion covered how easily an attacker could spoof a Wi-Fi provider in order to monitor everything a user does and sees; this is known as a ‘man-in-the-middle’ attack. To protect against such a situation, it is down to users to be vigilant and to manage their own trusted connections.
In a world of deceit, lies and cynicism we are surprisingly trusting and accepting of our computers, even when they try to alert us. In a strange twist of irony, we make every effort to cover our PINs when withdrawing money from a cash machine and would hesitate even to complete the transaction with a stranger standing over our shoulder watching; yet when searching for a free Wi-Fi connection we’d happily hand a stranger every detail: username, password and even every keystroke!
Even more ironically, if someone were to suggest you download and install a suspicious file, most people would have enough sense to reject the offer. However, if you found a USB pen drive, how many of us would connect it to our computers? Whether out of greed to keep the item for ourselves or in an effort to find the owner, the result could be devastating. Programs can be preinstalled on these small devices, and when the unsuspecting finder connects the device, it could gather a terrific amount of data from the terminal (usernames, passwords, logs, configurations and running services) and automatically email it all to the drive’s real owner.
Thus we are faced with the prospect of not only protecting our systems from direct attacks, but also challenging our policies and reconsidering the way we think, in order to safeguard users against themselves. With so many threats present, it is clear we must have controls in place. There are many steps that can be taken, and nothing will provide a perfectly secure system, but burying our heads in the sand will guarantee disaster.
After spending two tiring days investigating dozens of products and all our options, we left the arena pondering possibilities, musing over threats and contemplating how to implement and utilise this newly acquired knowledge… along with the burden of pockets filled with complimentary pens!