Lessons from BSides Greenville 2019 Security Conference

I attended BSides Greenville 2019 on March 30. BSides conferences are information security conferences held around the world. Although the conferences are for professionals in cybersecurity or other areas of IT (or people working towards such a career), I noted several lessons that are relevant to the average person.

The New Age of Ransomware: Cybercriminals Adopt Nation State Techniques

Allan Liska of Recorded Future shared stats about ransomware (malware that encrypts your files so that you can’t access them and holds them for ransom). He shared these ways to defend against ransomware:

  1. Use two-factor authentication.
  2. Keep software updated; install updates as soon as they’re available.
  3. Don’t use administrator accounts for regular use; use standard user accounts with fewer permissions (practice the least privilege principle: give users only as much access and capability as they truly need, to limit the damage they can do, deliberately or accidentally).
  4. Disable unnecessary remote access services and software.
  5. Disable Adobe Flash.
  6. Don’t back up to a device on the same network; back up to a device on a different network, or keep the backup device offline when not in use.

Password Managers: A Tale of Secrets Lost

David Branscome of Microsoft shared research into how several popular password managers keep passwords (sometimes even master passwords) in RAM (memory), even when the password manager is locked. His testing was in Windows, with installed applications, not browser extensions or other operating systems (macOS, Linux, etc.).

He explained that a bad actor would need to read the memory of the password manager process running under your account to steal passwords, meaning they would need remote access (such as malware running as your user) or physical access (such as using your computer when you walk away).

Branscome shared this advice:

  1. Don’t stop using a password manager; the benefits to security still outweigh the cons.
  2. Use two-factor authentication on your password manager and on all the accounts it contains.

I had heard about similar research by Independent Security Evaluators (ISE) in February, and the consensus is that this isn’t cause for alarm and that you should continue to use a password manager because it’s better than using simple passwords, or reusing passwords. If someone has physical or remote access to your computer, you’re in trouble no matter what; the attacker could use a keylogger to capture everything you type, or simply take control over your computer to do anything they want. In other words, this “flaw” or “vulnerability” applies to any software, not only password managers.
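To make the "locked but still in memory" problem concrete, here is a small demonstration added to this post; it is not code from Branscome's talk, from the ISE research, or from any real password manager. It relies on CPython internals (id() returns an object's address and ctypes can read and overwrite raw memory) to look at the process's memory the way a memory-scraping tool would. The master password "correct horse battery staple" is a made-up sample, and the two vault classes are toys that exist only to show the difference between a lock that just sets a flag and a lock that actually wipes the secret.

```python
"""Toy demonstration: does 'locked' mean the master password left RAM?

Added illustration, not code from the talk or from any real product.
Assumes CPython (id() is an address; ctypes reads raw process memory).
"""
import ctypes
import sys

# Constructed sample secret for the demonstration; not a real credential.
MASTER = "correct horse battery staple"


def str_memory(s: str) -> bytes:
    """Raw bytes of a str object as laid out in RAM (CPython only).

    CPython stores the characters of a compact ASCII str inline in the
    object, so reading sys.getsizeof(s) bytes starting at id(s), which is
    the object's address, captures the text exactly as a scraper would.
    """
    return ctypes.string_at(id(s), sys.getsizeof(s))


def buffer_memory(buf: bytearray) -> bytes:
    """Raw bytes of a bytearray's backing buffer, read through its address."""
    view = (ctypes.c_char * len(buf)).from_buffer(buf)
    return ctypes.string_at(ctypes.addressof(view), len(buf))


class NaiveVault:
    """Locks by setting a flag; the master password object stays in RAM."""

    def __init__(self, master: str) -> None:
        self._master = master
        self.locked = False

    def lock(self) -> None:
        self.locked = True  # the secret itself is untouched

    def memory_image(self) -> bytes:
        return str_memory(self._master)


class WipingVault:
    """Keeps the secret in a mutable buffer and overwrites it on lock."""

    def __init__(self, master: str) -> None:
        self._key = bytearray(master.encode())
        self.locked = False

    def lock(self) -> None:
        view = (ctypes.c_char * len(self._key)).from_buffer(self._key)
        ctypes.memset(ctypes.addressof(view), 0, len(self._key))  # zeroize
        del view  # release the buffer export before anything else touches _key
        self.locked = True

    def memory_image(self) -> bytes:
        return buffer_memory(self._key)


def secret_in(image: bytes, secret: str) -> bool:
    """What a memory scraper does: search the dump for the secret."""
    return secret.encode() in image


def demo(vault_cls):
    """Return (found_before_lock, found_after_lock) for a vault class."""
    vault = vault_cls(MASTER)
    before = secret_in(vault.memory_image(), MASTER)
    vault.lock()
    after = secret_in(vault.memory_image(), MASTER)
    return before, after


if __name__ == "__main__":
    print("naive vault  (before, after lock):", demo(NaiveVault))   # (True, True)
    print("wiping vault (before, after lock):", demo(WipingVault))  # (True, False)
```

Two caveats the demo makes visible. First, the naive vault is "locked" by every outward sign, yet a scan of its memory still finds the master password; that is the gap the research pointed at, and it is the one part a password manager can fix on its own. Second, even the wiping vault received the password as an immutable Python string, and that original string (here the MASTER constant) is still sitting in memory somewhere; secrets have to be kept in mutable buffers from the moment they are read, which is why doing this properly is harder than flipping a flag.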

To learn more about this, check out the following resources (they’re a bit technical):

The Sound of Evil

Wes Widner of Crowdstrike talked about the security challenges with voice assistants (Alexa, Siri, Google Assistant, etc.). He said the devices themselves are generally secure, but the problem is that they open you up to certain attacks. He said the commercially available voice assistants from Apple (Siri, HomePod) and Google (Google Assistant, Google Home) are about equal in security and privacy.

He walked through several challenges:

  • Voice identification and authorization: voice assistants don’t truly recognize individuals; they guess who’s speaking by matching the pitch of the voice against their known owners’ voices.
  • App identification and authorization: you don’t know which apps a voice assistant is using to deliver your info.
  • Conveying sensitive info: anyone within the range of the voice assistant can hear (and probably ask for) sensitive info.
  • Privilege separation: essentially anyone who can speak to a voice assistant has administrative access to control it; the assistant will obey.

Widner showed the voice assistant he built to have more control over the data being sent outside the device. He also showed the “hat” (cover) he created for the voice assistant that prevents it from listening except for the times he specifically enables it to listen. His advice for the average voice assistant user:

  1. Be aware of the security challenges with voice assistants (the list above).
  2. Disable the Unlock With Voice Match feature on Android, because it isn’t secure enough.
  3. Because children implicitly trust what voice assistants say, teach them to use critical thinking and evaluate what voice assistants say, rather than blindly trusting them.

Cybersecurity Kill Chain – Structural Analysis of Cyber Attacks (and Defense)

Brandon Martin of NorthState explored several cyberattacks, going through each step that allowed the attacker to gain greater control or do greater damage. He then explained how the attack could have been stopped, or the damage decreased, by defending at each step of the attack. It was a concrete demonstration of the power of defense in depth: the concept of using multiple security layers to increase your overall security.

Though much of the advice was technical (for cybersecurity pros to use in defending the companies they work for), several points are valuable for average users to follow:

  1. Use two-factor authentication.
  2. Be careful what you reveal on social media, especially related to travel. Hackers monitor targets on social media and take advantage of situations that give them an edge.
  3. Keep software updated; install updates as soon as they’re available.
  4. Be cautious about email, especially links and attachments. Email is often the vehicle that allows an attacker inside access to an organization.
  5. Back up frequently.
  6. Don’t give up trying to be secure because you can’t achieve perfect security. Even when you can’t stop an attack, incremental increases in security can reduce the damage caused by an attack, which is worthwhile.

What You Should Do

Although BSides Greenville 2019 was a conference for cybersecurity pros, there were lessons applicable to average users as well:

  1. Keep software updated; install updates as soon as they’re available.
  2. Use a password manager.
  3. Use two-factor authentication on your password manager and on all the accounts it contains.
  4. Back up frequently.
  5. Don’t back up to a device on the same network; back up to a device on a different network, or keep the backup device offline when not in use.
  6. Be cautious about email, especially links and attachments. Email is often the vehicle that allows an attacker inside access.
  7. Be careful what you reveal on social media, especially related to travel. Hackers monitor targets on social media and take advantage of situations that give them an edge.
  8. Disable unnecessary remote access services and software.
  9. Disable Adobe Flash.
  10. Be aware of the security and privacy challenges with voice assistants (Alexa, Siri, Google Assistant, etc.). Consider those challenges before you buy, enable, or use a voice assistant.
  11. Because children implicitly trust what voice assistants say, teach them to use critical thinking and evaluate what voice assistants say, rather than blindly trusting them.
  12. Don’t give up trying to be secure because you can’t achieve perfect security. Even when you can’t stop an attack, incremental increases in security can reduce the damage caused by an attack, which is worthwhile.