Security Sense: 50 Shades of AppSec

A little while back I got an invite to take a trip over to Amsterdam and do the opening keynote for the AppSecEU conference put on by OWASP, the Open Web Application Security Conference. Keynotes are always a bit unique in conferences because nobody gets to choose to do something else – it’s the only show on and you have a captive audience. As such, they tend to be aimed at a broader group of interests so higher level and usually insightful about some important trend in the industry. Which had me completely stumped.

The thing I was struggling with in terms of the security industry was the sheer breadth, diversity and frankly, the downright insanity of it all. Where do you even start?! And then it hit me – this was the keynote – the bizarre stranger than life world that is appsec today. So I wrote up a talk to cover 50 discrete crazy things going on in the industry and called it “50 Shades of AppSec”.

For example, the number of kids that get themselves into security now. Take the 5 year old who hacked the Xbox and is now listed on Microsoft’s security researchers page. Or whilst we’re on kids, the number of them that unfortunately find themselves in front of a court for activities performed from the confines of their bedrooms. Sometimes this is “kids” in the colloquial sense of them being younger than those of us using the term; other times the term is legally correct – they’re literally just children. Yet here they are doxing, RAT’ing and DDoS’ing their way to jail.

But of course there are plenty of criminals out there profiting from both the low-hanging fruit of security risks and the eager black-market buyers. There are criminals who’ll sell stolen data, criminals who’ll extort the companies whose data was stolen (Nokia is a standout here) and even criminals who’ve not yet been able to compromise any form of security but are happy threatening to do so unless an extortion payment is made.

But it’s not all bad news either – criminals can come undone in spectacular style. Ross Ulbricht of Silk Road fame made the mistake of asking a question very specific to his underground drug market operations on Stack Overflow and, at one time, had his account there linked to his real identity. Jihadi John decided to buy some web design software from his “secret” lair in Syria… and used his British student card to get a discount. Then there’s the young lady whose hacker boyfriend decided she should snap a pic of her, uh, “assets” with her iPhone in order to taunt law enforcement. You know what goes into a pic snapped by an iPhone? Geotags!

Then there’s the new frontier that is the internet of things; you know the one, the idea where it would be cool if your toaster and your fridge could converse with each other because [insert marketing spiel here]. There are some very cool IoT things, however. For example, LIFX lightbulbs that you can control via your smartphone. Unfortunately, they had a little glitch which could hand an attacker the wifi credentials for your network, which is a whole lot less cool. It could be worse though – imagine an attacker could control your toilet?! Scary, but true.

The craziness of the industry made for fantastic material and overwhelmingly positive feedback on the keynote, in fact so much so that I’ll be over at the AppSecUSA conference in a few months to do it all again. I can only begin to imagine how much more material I’ll have by then if this industry keeps up its current pace!
