It seems that one of the trendy subjects of the moment is the return of the Fappening (a portmanteau of “fap”, a slang term for masturbation, and “happening”, according to Wikipedia). As with most sequels, the second one is not better than the first. But my point isn’t to draw a parallel with the cinema industry.
For the Fappening 2, it seems that this time two young actresses have been the new victims of hackers disclosing some intimate or sexy pictures. It should not be necessary, I hope, to remind readers that this kind of behaviour is not only illegal as unauthorised access to someone’s accounts, but is aggravated by its intimate implications for the victims.
According to journalists, there is not yet an explanation of how these pictures were compromised. Newspapers and blogs have already published a lot of advice on what to do and not do to avoid such a situation. However, one thing the pictures seem to have in common is that they were taken by someone other than the victims themselves.
When you share information with a third party, you need to ensure that they are at least as careful as you are in handling your information.
In this case (and it is just a theory; I have no evidence or clue so far), if friends of these young ladies took pictures of them in a more intimate context, then even if they trust those friends with their lives, they should have ensured that their beloved friends were (also) careful and followed good practices with their phones and their “cloud” storage accounts. It is what we (should) do with our suppliers or any third party in a corporate context, and it is also the right thing to do with your friends (if you want intimate pictures of yourself taken).
In the future, fashion stores will likely be equipped with interactive mirrors with built-in cameras that display an image of you in any outfit available in the store (yes, it already exists). This will be the next IoT (Internet of Things) nightmare, and it will likely cause more Fappenings if we don’t add an S for Security to the IoT acronym.
This week, during the CanSecWest 2017 conference in Vancouver, British Columbia, the PWN2OWN™ contest organized by the Zero Day Initiative (http://zerodayinitiative.com/) is being held. A team carried out an attack on Microsoft’s Edge browser that allowed them to escape the VMware Workstation virtual machine in which it ran. This exploit earned them a $105,000 reward. On the same day, another team successfully exploited three vulnerabilities and also performed a virtual machine escape.
I will state what has been obvious to me since the rise of hardware virtualization technologies: virtual machines aren’t as safe as physical ones. I feel stupid writing it, as it is simply a matter of fact, but it seems not yet to have been accepted by a lot of system admins, who are still in denial.
And VMware is not the only one to blame: all the virtualization solutions (Xen, KVM, …) have already been breached one way or another. And those are just the known exploits. So, whoever you’re talking to, there is no way (s)he can pretend the risks are the same for a physical and a virtual machine.
Of course, there are economic upsides to using virtualization, and that’s why it is a matter of risk management. But a guest-to-host escape hands the attacker the hypervisor host, and with it every other guest running on that host, so the question is not only whether a system is virtualized but what it shares a host with. When it comes to the crown jewels, we might have to think twice, or at least strongly insist on physical segregation between the more sensitive systems and the internet-facing ones.
I don’t say we shouldn’t use virtual machines; I just say we must stop pretending they are as safe as physical ones. It is just not true. The risks are different and we must take that into account. The wolves can get through the fences…
These past few years, interest in and budgets for ethical hackers and pentesters have grown rapidly. They gain more and more visibility (see the Belgian Cyber Security Challenge or the European Cyber Security Challenge). More importantly, consulting companies have been recruiting young and talented hackers by the dozen in recent years.
During the last decade, a lot of (not to say most) TV shows and even novels have included or even starred a hacker:
Lisbeth Salander in Millennium,
Harold Finch in Person of Interest,
Felicity Smoak in Arrow,
Elliot Alderson in Mr. Robot,
Skye in Marvel’s Agents of S.H.I.E.L.D.,
Christopher Pelant in Bones,
Penelope Garcia in Criminal Minds,
Luther Stickell in Mission: Impossible,
and the list goes on.
Nowadays, being an (ethical) hacker is sexy, trendy and well paid. It’s no surprise that a lot of young graduates want to embrace this career. As such, it is a good thing, as we need more skilled and talented professionals in cyber security.
However, it might be a bit short-sighted, as AI-powered automated hacking systems are on our doorstep (see DARPA’s Cyber Grand Challenge and other AI-powered systems in the links at the bottom of this post).
Nevertheless, that’s not really my point here. With all these young geniuses at work uncovering our weaknesses, we still don’t have enough talented people to fix the issues.
WE NEED MORE FIXERS!
When I talk about fixers, I don’t only mean people skilled enough to fix the vulnerabilities discovered by our code breakers, but also people able to fix governance, processes, organization and people. We need professionals who can deliver effective security awareness (meaning awareness that actually makes people change their behaviour), and people who can implement flawless IT and security governance. People able to define processes that prevent attacks by design. People able to define new strategies and to implement them (or at least to get others to implement them). People who understand in which detail the devil is hidden. Hackers just need to find one vulnerability; we have to fix them all. It is less sexy, even more complicated, and there are not enough people who want to fix the problems… but we clearly need more. So, young geniuses, when you get bored of breaking things, please come to the light side and help us fix this mess.