
Zero-days and Cyber Weapons, Politico, Tim Starks, DEF CON 27

    Their Title 1: From Vegas: A scoop, zero-days and cyber weapons

    Originally posted by URL1
    By Tim Starks With help from Eric Geller and Martin Matishak
    08/08/2019 10:00 AM EDT

    FIRST IN MC: A GOVERNMENTWIDE SECUREDROP? — The Trump administration is exploring the idea of creating a secure anonymous portal where anyone can report vulnerabilities, threats, incidents and any other cyber information that federal agencies should know about — and DHS Cybersecurity and Infrastructure Security Agency Director Chris Krebs will participate in a panel at DEF CON on Friday morning designed to gather feedback about the idea, according to DEF CON founder Jeff Moss. Moss — whose organization would develop the platform — will also be on the panel in Las Vegas, along with: Pablo Breuer, director of U.S. Special Operations Command at the Donovan Group; Jennifer Granick, surveillance and cybersecurity counsel with the ACLU Speech, Privacy and Technology Project; and The New York Times’ senior director of information security, Runa Sandvik.

    The panel will involve a lot of audience interaction, Moss told Eric, as Krebs and the other speakers seek suggestions for how to structure the portal. The system will be "built on open source technology from [the] Freedom of the Press Foundation," according to a description of the DEF CON panel shared with MC. The goal is to create a governmentwide cyber tipline, a way to notify federal officials of intrusions, vulnerabilities and other issues without having to identify oneself. The system could also help build bridges between agencies and tech experts. DHS is expected to announce the panel today along with the rest of Krebs’ DEF CON schedule.

    ZERO-DAY BUSINESS TIPS — Security researchers who want to sell a zero-day vulnerability to a company should look for one with an in-house security team, because “they will understand the value of it and be willing to pay more,” zero-day broker Maor Shwartz said during a candid presentation Wednesday at Black Hat in Vegas.

    That was one of several interesting pieces of advice from Shwartz, who previously ran a for-profit broker service and now advises researchers pro bono. Among his other insights: when you sign a contract to sell a zero-day, read the terms closely; provide a “full test environment” for the client to ensure that they can successfully test your vulnerability; and be sure to retain the right to use your vulnerability for testing purposes after you sell it. He also warned researchers not to fall for “hustlers” offering bogus “advance payments.”

    In his conversations with researchers, Shwartz said, he saw an interesting trend: Researchers would publish zero-days for fun, start selling them once they realized they could make serious money, found their own companies to focus on zero-days full time, and then realize that they were in over their heads. Finding vulnerabilities is one thing, but zero-day companies need lawyers, accountants and sales executives. “It’s really hard work to do,” Shwartz said. “And usually, you get paid only solely on your items that you sell. So if you didn’t find a vulnerability for four months in a row, you don’t have any income.” This financial stress, he said, is what leads to the last phase of the typical researcher career cycle: expanding beyond vulnerability research, perhaps into things like penetration testing, to make some extra money.

    TIME FOR A CYBER WEAPONS PARADE? — The fact that governments’ cyber weapons offer no deterrent value because they’re secret is dangerous, F-Secure Chief Research Officer Mikko Hyppönen argued during a Black Hat talk on Wednesday. The problem, he said, lies in the fact that cyber weapons have short shelf lives. Physical weapons rust, too, but they at least have a deterrent value while they’re sitting in a stockpile. That’s not true with cyber weapons, which are among the most closely guarded secrets in open and closed societies alike.

    “When you do investments of millions into cyber weapons, nobody knows you have them,” Hyppönen said. “And they only work for a limited time. Then they expire, and you have to delete them, and you get no bang for your buck. … And this problem actually makes it more likely that cyber weapons end up being used.” According to Hyppönen, civilian and military leaders around the world who oversee the development of offensive cyber capabilities will feel pressure to use the expensive digital tools for which they advocated and secured funding.

    Hyppönen stressed that he wasn’t suggesting that nations would use cyber weapons simply because they had them lying around. Instead, he argued, their eventual, highly escalatory use would be the product of diverse incentives on the part of political leaders and cyber commanders, including the “use it or lose it” mentality associated with computer exploits. So, how to solve this problem? Publish more information about cyber weapons, Hyppönen argued. One option: a cyber version of the elaborate military parades common in China, Russia and North Korea that serve as periodic showcases of their latest destructive hardware.

    — ELSEWHERE IN VEGAS: Researchers debuted some original research at Black Hat, as is their wont. FireEye identified a Chinese hacking group that conducts both cyberespionage and cybercrime operations, suggesting it contracts to Beijing and makes profits on the side. Purdue University researcher Sze Yiu Chau warned about encryption threats via vulnerabilities discovered more than a decade ago. The speech on a Boeing vulnerability we mentioned in Wednesday’s MC happened. Checkmarx found flaws in a tablet that would allow hackers to track children. And IBM released research about “warshipping,” where hackers merely mail their exploits to their targets.

    Other odds and ends: Moss kicked off Black Hat with a speech about cultural differences with China over cybercrime, and the need for cyber pros to communicate more effectively. Black Hat and DEF CON are trying to increase diversity by offering daycare. At BSides Las Vegas, the DNC’s chief information security officer, Bob Lord, emphasized the usability of security products. And DOJ is in Vegas trying to make pals with ethical hackers.