Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/26/2013
01:16 PM
Mike Rothman
Mike Rothman
Commentary
50%
50%

Barnaby Jack And The Hacker Ethos

Barnaby Jack's untimely death should give us pause to remember why folks hack things and ultimately why pushing the boundaries of technology benefits us all

So I was all fired up to talk about what I'm expecting to see next week at Black Hat. For those focused on vulnerabilities and threats, it's like homecoming weekend every year. You see the smartest folks in the business doing cool new things, breaking stuff that you figure shouldn't be broken, and basically expanding your mind to what's possible. Or even probable.

I was going to talk about how I'm surprised by the relatively small number of sessions focused on mobile devices. And that I'm not surprised about how a lot of research is focusing on both detecting advanced malware and evading those very detections. There will be some Big Data love at the show as well, and some new tools will make their debut. I'm particularly looking forward to learning about BinaryPig, which uses Big Data to analyze malware. If they figured out a way to throw BYOD into the abstract, they'd have hit the CFP trifecta!

Then I read this morning that Barnaby Jack had passed away. I never got a chance to meet Barnaby, and it seems I may be the only one since my Twitter timeline blew up with all sorts of stories about what a great guy he was. Clearly he led a life well-lived in the short time he was here, leaving an indelible mark on the folks who crossed his path.

In the wake of Barnaby's untimely departure, what I can say from afar is that Barnaby Jack represented well the hacker ethos. Obviously he had a flare for the dramatic, jackpotting an ATM from the Black Hat stage. When you talk about giving good demo, it doesn't get much better than having an actual ATM machine spewing money on stage. But more importantly, he shined the light on a clear (and relatively simple) attack on an integral part of modern day society -- the ATM. My mother-in-law, who may be the only person (besides Marcus Ranum) left in the U.S. without an ATM card, can feel justified that Barnaby showed her fears were not misplaced.

But even more impactful was his research on medical devices. By showing some issues with pacemakers, he highlighted a problem that needed to be addressed. If an ATM machine gets hacked, oh, well. The bank is pissed, but nobody dies. If a pacemaker is reprogrammed, that's no bueno -- especially if it's your pacemaker. My friend Martin Fisher summed it up best this morning: "For the [email protected] did more to get attention to security of medical devices than anyone else ever. That's gonna save lives. RIP."

That research opened my mind to the reality that anything with a computer can be hacked. And nowadays everything is a computer. I was having lunch with a friend recently, and he told me about his hearing loss and how cool the new hearing aids are. The doctor connects to the device via Bluetooth and can program frequency amplification at a very granular level to ensure the hearing aid is perfectly matched to the needs of the patient.

Wait, what? Did he say Bluetooth? What could possibly go wrong with that? If you would have asked me two or three years ago, I'd have said nothing. But now, because of Barnaby Jack, obviously we all know any kind of open interface on a medical device may be problematic. And you can only hope the hearing aid manufactures are paying attention as well. That's an example of what a hacker can do.

Hackers are curious, and they think out of the box. They try stuff that seems kind of wacky at first glance. Sometimes it works; a lot of the time it doesn't. It's the scientific process alive and well. By finding and proving what's possible and -- more importantly -- unexpected, hackers can force change. You can ignore a threat model. That happens every day. It's much harder to ignore a proof of concept exploit that exposes the problem to the cold, hard light of day.

So hackers keep hacking. Researchers keep researching. Live up to Barnaby's example. Not for Barnaby, but for all of us. If I knew him, I suspect that's what he'd want.

Mike Rothman is the President of Securosis and author of The Pragmatic CSO Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11931
PUBLISHED: 2019-11-14
A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prio...
CVE-2019-18980
PUBLISHED: 2019-11-14
On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022656 devices, an unprotected API lets remote users control the bulb's operation. Anyone can turn the bulb on or off, or change its color or brightness remotely. There is no authentication or encryption to use the control API. The o...
CVE-2019-17391
PUBLISHED: 2019-11-14
An issue was discovered in the Espressif ESP32 mask ROM code 2016-06-08 0 through 2. Lack of anti-glitch mitigations in the first stage bootloader of the ESP32 chip allows an attacker (with physical access to the device) to read the contents of read-protected eFuses, such as flash encryption and sec...
CVE-2019-18651
PUBLISHED: 2019-11-14
A cross-site request forgery (CSRF) vulnerability in 3xLogic Infinias Access Control through 6.6.9586.0 allows remote attackers to execute malicious and unauthorized actions (e.g., delete application users) by sending a crafted HTML document to a user that the website trusts. The user needs to have ...
CVE-2019-18978
PUBLISHED: 2019-11-14
An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.