Lions, Tigers and Hackers! Oh My!
Welcome to this review of the Developer Developer Developer 12 talk “Lions, Tigers and Hackers! Oh My!” by Phil Winstanley.
Phil Winstanley is from Microsoft and his job involves working with the National Cybercrime unit in the UK.
This was a very popular fully packed out talk that probably deserved a bigger room. Phil has a relaxed and jovial presenting style that worked really well with the audience.
It started with a promo style Microsoft video clip with Obama and other soundbites on “cyberspace” and other “cyber” stuff.
On the National security risk register, cybercrime is considered a bigger risk than nuclear war.
Question: How many targeted cyber attacks does the average company face each year?
Answer: 106 (including spear phishing etc.), although Phil says we should be suspicious of statistics like this because we never know for sure.
What are the categories of cyber criminals?
Thieves
Ransomware is a type of theft: theft through extortion. Recently we have seen these attacks have become much more high profile with the WannaCry story.
Phil asks us “Who is stealing our data?”
An audience member shouting “Russia” gets the laughs and sets up a running joke throughout the talk.
There are hacktivists, script kiddies etc and several other types of thieves.
Hostile Military Forces
Phil says China, Russia, North Korea and Iran are attacking the UK on a daily basis.
For more information see the National Cyber Security Centre’s Report “The cyber threats to UK businesses 2016/2017”
Nation States
Tend to be intelligence gathering.
Stuxnet: The Iranian facilities were airgapped and still went down
Hacktivists
Hacktivists are associated with the masks from the film V for Vendetta.
Anonymous and LulzSec are famous groups but there are many others as well.
On the day immediately before the event, just after the UK election results were released, the Democratic Unionist Party website was attacked by hacktivists — their content was translated into Gaelic and republished.
Some of their activities seem much more noble than they actually are.
- Kangaroo court
- Lack of proper investigative techniques
- Sometimes blame innocent people, e.g. non paedophiles smeared as paedophiles
One of the reasons hacktivists are dangerous is because they seek maximum publicity.
Traditional Defences
Castle walls — firewalls etc.
These don’t work in the modern world anymore.
Employee — Insider Threats
Phil says developers are the biggest insider threats in any organisation.
In many countries cybercrime is considered to be a legitimate way to make money.
- $3 trillion in estimated market value destroyed each year by the cybercrime industry
- 1 million new pieces of malware created each day
Approximately 20,000 security people working in Microsoft
We’re shown another soundbite video advertising the Microsoft cybercrime unit. Bad clichés and slogans such as “speed of cyber”; it was probably aimed at the general public rather than a developer audience.
Microsoft have helped take down many botnets, and child porn sites. They don’t talk about it very much because they are already the most attacked corporate entity on the planet and don’t want to receive even more attacks.
Bing does cybersecurity because it looks for illegal content on the web.
Microsoft use “combustion chambers”: when malware is detected in one email, every other email carrying the same malware has it automatically removed.
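As an added illustration of the “combustion chamber” idea (my own example, not Microsoft’s implementation or anything shown in the talk), here is a hash-keyed quarantine over a constructed mailbox: flagging one attachment removes every message copy with identical bytes and blocks the same bytes from newly delivered mail.

```python
import hashlib

# Constructed sample mailbox: message id -> {attachment name: attachment bytes}.
# "loader.exe" and "Invoice_copy.exe" carry identical bytes under different names.
MAILBOX = {
    "m1": {"invoice.pdf": b"%PDF-1.4 benign invoice", "loader.exe": b"MZ\x90\x00 constructed dropper"},
    "m2": {"report.docx": b"PK\x03\x04 quarterly report"},
    "m3": {"Invoice_copy.exe": b"MZ\x90\x00 constructed dropper"},
    "m4": {"photo.jpg": b"\xff\xd8\xff benign photo"},
}


def digest(data: bytes) -> str:
    """Content hash used as the quarantine key; file names are not trusted."""
    return hashlib.sha256(data).hexdigest()


class CombustionChamber:
    def __init__(self, mailbox):
        self.mailbox = mailbox
        self.blocked = set()   # digests confirmed malicious
        self.index = {}        # digest -> set of (msg_id, attachment name) still in mailboxes
        for msg_id, atts in mailbox.items():
            for name, data in atts.items():
                self.index.setdefault(digest(data), set()).add((msg_id, name))

    def flag(self, msg_id, name):
        """One attachment was confirmed malicious: strip every copy of those bytes everywhere."""
        d = digest(self.mailbox[msg_id][name])
        self.blocked.add(d)
        removed = []
        for mid, att in sorted(self.index.pop(d, set())):
            self.mailbox[mid].pop(att, None)
            removed.append((mid, att))
        return removed   # list of (msg_id, attachment) that were burned

    def deliver(self, msg_id, attachments):
        """New mail: drop attachments already known-bad before they reach the inbox."""
        clean = {}
        for name, data in attachments.items():
            d = digest(data)
            if d in self.blocked:
                continue
            clean[name] = data
            self.index.setdefault(d, set()).add((msg_id, name))
        self.mailbox[msg_id] = clean
        return clean
```

Exact-hash matching only catches byte-identical copies; a re-packed or polymorphic variant needs a separate detection to light the fuse again.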
Phil says a lot of software companies are set to go out of business after being attacked.
What can we do?
Another Microsoft video. The Code Red worm in 2001 woke up Microsoft to the seriousness of security risks, and senior management received complaints from large customers. Introduces the Secure Development Lifecycle.
This is now open source and used by Apple and Google as well as Microsoft.
Phil says it’s controversial, but he hates penetration tests because they come back with findings like “headers on the server” and then the development team thinks they are secure once they have fixed those issues. Not true by a long shot!
Software is often “secure by default” nowadays but it is a balance: everyone hated Vista because it valued security over useability.
He shows that although people do annual data protection training, we don’t remember it on a day-to-day basis.
We like brand new shiny things such as NuGet packages, without knowing what the risks are. Most developers still do this.
We patch our operating systems but forget to patch our NuGet packages.
Incident Response Plan is important. For example British Airways suffered additional reputational damage recently because they weren’t fully prepared regarding what they would do in this scenario.
There was a good question from the audience on how far to push customers insisting that the application must be secure at additional cost to them?
Phil recommends introducing additional security in guerrilla fashion: it worked for unit testing, as companies didn’t want to pay extra for it but got the benefits of the practice when developers didn’t ask for permission. Just do it as part of your job.
Another audience member says we spend almost all of our time coding small units of code, rather than thinking end to end.
Phil says as devs we are responsible for making other people aware of security risks. Ask them to accept the risk or fix them.
We are immature as an industry. He admits Microsoft also sometimes write insecure code: everyone does.
Friends and family are hit by malware all the time because they aren’t security aware.
There are psychological problems that lead to vulnerabilities: lack of attention and impatience.
Application installers: next, next, next, we don’t have any idea what we’re doing and suddenly we’ve got RealPlayer on our machine!
I recommend watching the final video we saw as it makes an excellent point.