Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/26/2013
01:16 PM
Mike Rothman
Mike Rothman
Commentary
50%
50%

Barnaby Jack And The Hacker Ethos

Barnaby Jack's untimely death should give us pause to remember why folks hack things and ultimately why pushing the boundaries of technology benefits us all

So I was all fired up to talk about what I'm expecting to see next week at Black Hat. For those focused on vulnerabilities and threats, it's like homecoming weekend every year. You see the smartest folks in the business doing cool new things, breaking stuff that you figure shouldn't be broken, and basically expanding your mind to what's possible. Or even probable.

I was going to talk about how I'm surprised by the relatively small number of sessions focused on mobile devices. And that I'm not surprised about how a lot of research is focusing on both detecting advanced malware and evading those very detections. There will be some Big Data love at the show as well, and some new tools will make their debut. I'm particularly looking forward to learning about BinaryPig, which uses Big Data to analyze malware. If they figured out a way to throw BYOD into the abstract, they'd have hit the CFP trifecta!

Then I read this morning that Barnaby Jack had passed away. I never got a chance to meet Barnaby, and it seems I may be the only one since my Twitter timeline blew up with all sorts of stories about what a great guy he was. Clearly he led a life well-lived in the short time he was here, leaving an indelible mark on the folks who crossed his path.

In the wake of Barnaby's untimely departure, what I can say from afar is that Barnaby Jack represented well the hacker ethos. Obviously he had a flare for the dramatic, jackpotting an ATM from the Black Hat stage. When you talk about giving good demo, it doesn't get much better than having an actual ATM machine spewing money on stage. But more importantly, he shined the light on a clear (and relatively simple) attack on an integral part of modern day society -- the ATM. My mother-in-law, who may be the only person (besides Marcus Ranum) left in the U.S. without an ATM card, can feel justified that Barnaby showed her fears were not misplaced.

But even more impactful was his research on medical devices. By showing some issues with pacemakers, he highlighted a problem that needed to be addressed. If an ATM machine gets hacked, oh, well. The bank is pissed, but nobody dies. If a pacemaker is reprogrammed, that's no bueno -- especially if it's your pacemaker. My friend Martin Fisher summed it up best this morning: "For the [email protected] did more to get attention to security of medical devices than anyone else ever. That's gonna save lives. RIP."

That research opened my mind to the reality that anything with a computer can be hacked. And nowadays everything is a computer. I was having lunch with a friend recently, and he told me about his hearing loss and how cool the new hearing aids are. The doctor connects to the device via Bluetooth and can program frequency amplification at a very granular level to ensure the hearing aid is perfectly matched to the needs of the patient.

Wait, what? Did he say Bluetooth? What could possibly go wrong with that? If you would have asked me two or three years ago, I'd have said nothing. But now, because of Barnaby Jack, obviously we all know any kind of open interface on a medical device may be problematic. And you can only hope the hearing aid manufactures are paying attention as well. That's an example of what a hacker can do.

Hackers are curious, and they think out of the box. They try stuff that seems kind of wacky at first glance. Sometimes it works; a lot of the time it doesn't. It's the scientific process alive and well. By finding and proving what's possible and -- more importantly -- unexpected, hackers can force change. You can ignore a threat model. That happens every day. It's much harder to ignore a proof of concept exploit that exposes the problem to the cold, hard light of day.

So hackers keep hacking. Researchers keep researching. Live up to Barnaby's example. Not for Barnaby, but for all of us. If I knew him, I suspect that's what he'd want.

Mike Rothman is the President of Securosis and author of The Pragmatic CSO Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17366
PUBLISHED: 2020-08-05
An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509 Certificate...
CVE-2020-9036
PUBLISHED: 2020-08-05
Jeedom through 4.0.38 allows XSS.
CVE-2020-15127
PUBLISHED: 2020-08-05
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flip...
CVE-2020-15132
PUBLISHED: 2020-08-05
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that th...
CVE-2020-7298
PUBLISHED: 2020-08-05
Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.