It’s that time of year again, for what those of us in the industry jokingly call Security Summer Camp. To be honest, I’m *still* not entirely sure I’ve completely recovered from last time. Next week in Las Vegas, the Blackhat USA, BSides LV, and Defcon conferences kick off, bringing one of the most educational, entertaining, and sporadically horrifying weeks of the year.
This is the single biggest confluence of security professionals, researchers, and, let’s admit it, hackers in the universe. A couple of years ago, I put together a list of things that I wished I would see, but didn’t expect to. I was right, so let’s try this again. Here is this year’s list:
1. Tools for auditing and assessing HTTP/2: it’s not like this protocol is new anymore, and browsers and other client-side tools support it, yet I don’t see much, if any, development on the server assessment side, at least nothing approaching the maturity of the HTTP/1.1 tooling. I love HTTP/2 for one feature: the server can push unrequested files down to the client, straight into its cache. That could never be misused by an attacker, could it?
2. The death of the common password: it’s 2016, and cheap consumer video cards can brute force the entire eight-character NTLM keyspace in single-digit days. Why, in the name of all that is holy, is anyone still relying on only a username and password for authentication? Yes, multifactor authentication is growing in its usefulness, and yes, consumer acceptance of it climbs every time someone gets their Facebook or Gmail hacked, but when will MFA be the accepted practice?
3. Weak hashing algorithms: it’s far past time that we admit that it is simply not possible to keep attackers away from the password stores used for authentication. Bad guys will get the hashes. So why are we still seeing major sites breached with their passwords hashed in MD5 or SHA-1 or other fast, readily GPU-parallelizable formats? Bcrypt, with its built-in per-password salt and a tunable cost factor that raises the compute time of every guess, was developed for a reason!
4. Continuing on weak hashing algorithms: Microsoft! Can you please retire NTLM? The NT hash is an unsalted MD4 of the password, so not only are the GPU-based password cracking tools optimized for it, there are folks out there cracking it even more efficiently on ASICs and FPGAs. I know that you can’t just turn it off. There’s a need for backwards compatibility… but can we get the ball rolling on the retirement, and make sure that the new, more resistant hashing is enabled by default?
5. Cyber impacts the physical world: we’re seeing more and more purpose-built devices that manage something in the real world, like industrial controls or door locks. Many of these are hackable by my five-year-old. Mind you, she’s got an engineer brain and an affinity for explosions, but still, we’ve got to do better. You shouldn’t have a network-enabled access control system that unlocks with an unauthenticated UDP packet, where anyone who can reach the port, or spoof a source address, can open the door. Yet there they are. If the manufacturers can’t or won’t properly secure the devices, maybe somebody should come up with a small, in-line network firewall that’s cheap, easy to manufacture, and easy to manage. Hint. Hint.
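To make the point in items 3 and 4 concrete, here is an added example (mine, not part of the original post) that puts the fast, unsalted hash found in breach dumps next to a salted, tunable-cost password hash and runs the same dictionary attack against both. Bcrypt itself is not in the Python standard library, so the slow side uses `hashlib.pbkdf2_hmac`, which has the same shape as bcrypt: a per-user salt plus a work factor the operator raises as hardware gets faster. The wordlist, the record format, and the `Summer2016!` password are all constructed for the demonstration.

```python
"""Added example: fast unsalted MD5 versus a salted, iterated password hash.
bcrypt is not in the standard library, so hashlib.pbkdf2_hmac stands in for it;
the record format "pbkdf2_sha256$iterations$salt$digest" and the wordlist are
constructed for this demonstration."""
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

# --- What the breached sites were doing: one fast, unsalted digest per user.
# Two users with the same password get identical hashes, a precomputed table
# works against the whole dump, and a GPU tries billions of guesses a second.
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def md5_check(password: str, stored: str) -> bool:
    return hmac.compare_digest(md5_store(password), stored)

# --- What bcrypt-style hashing gives you: a random salt and a cost parameter.
# The record carries its own parameters, so the cost can be raised for new
# records without breaking verification of the old ones.
def pbkdf2_store(password: str, iterations: int = 200_000,
                 salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def pbkdf2_check(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def needs_rehash(stored: str, min_iterations: int) -> bool:
    """True when a record was made with a lower cost than current policy;
    re-hash it at the user's next successful login."""
    return int(stored.split("$")[1]) < min_iterations

# Constructed stand-in for a cracker's dictionary.
WORDLIST = ["123456", "password", "letmein", "Summer2016!", "correct horse battery staple"]

def crack(stored: str, check: Callable[[str, str], bool]) -> Tuple[Optional[str], float]:
    """Offline dictionary attack against one record.  The guess rate, and so the
    wall-clock time per record, is decided entirely by the hash choice."""
    start = time.perf_counter()
    for guess in WORDLIST:
        if check(guess, stored):
            return guess, time.perf_counter() - start
    return None, time.perf_counter() - start

if __name__ == "__main__":
    for name, store, check in (("md5", md5_store, md5_check),
                               ("pbkdf2", pbkdf2_store, pbkdf2_check)):
        found, seconds = crack(store("Summer2016!"), check)
        print(f"{name:7s} cracked={found!r} after {len(WORDLIST)} guesses in {seconds:.4f}s")
```

Run it and the MD5 side finishes in microseconds while the PBKDF2 side takes a visible fraction of a second for the same four guesses; scale that gap to a billion guesses per hash and you have the difference between a dump that is cracked over a weekend and one that is not. The `needs_rehash` helper is the part people forget: the cost you pick in 2016 is not the cost you want in 2020, so store the parameters with the record and raise them on the next successful login.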
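And for item 5, here is an added example (mine, not the firmware of any real product) of the door-controller failure described above: first the unauthenticated `UNLK` datagram that opens the door for anyone who can reach the port, then the same command carrying a monotonic counter and an HMAC-SHA256 tag so that neither a spoofed packet nor a replayed capture is accepted. The four-byte command, the 44-byte wire format, the `Controller` class, and the shared key are all constructed for the illustration.

```python
"""Added example: an 'unlock' command over UDP, unauthenticated and then
authenticated.  Wire format (4-byte command || 8-byte big-endian counter ||
32-byte HMAC-SHA256), the Controller class and the key are constructed for
illustration and do not describe any real product."""
import hashlib
import hmac
import struct

UNLOCK = b"UNLK"

# --- vulnerable: the controller trusts any datagram that reaches its port.
# UDP carries no session, so the sender can be anyone on the network, or a
# spoofed source address from further away.
def handle_unauthenticated(datagram: bytes) -> bool:
    return datagram.startswith(UNLOCK)

# --- hardened: the command is bound to a per-device key and a fresh counter.
HEADER = struct.Struct("!4sQ")           # command, counter
TAG_LEN = hashlib.sha256().digest_size   # 32

def build_unlock(key: bytes, counter: int) -> bytes:
    """What the legitimate badge reader or management host sends."""
    body = HEADER.pack(UNLOCK, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Controller:
    def __init__(self, key: bytes):
        self.key = key           # per-device secret shared with the sender
        self.last_counter = 0    # highest counter accepted; persist across reboots

    def handle(self, datagram: bytes) -> bool:
        """Return True only for a fresh, correctly authenticated unlock."""
        if len(datagram) != HEADER.size + TAG_LEN:
            return False
        body, tag = datagram[:HEADER.size], datagram[HEADER.size:]
        # Verify the MAC in constant time before interpreting anything.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                 # forged, wrong key, or tampered
        cmd, counter = HEADER.unpack(body)
        if cmd != UNLOCK or counter <= self.last_counter:
            return False                 # unknown command, or replay of a capture
        self.last_counter = counter
        return True

if __name__ == "__main__":
    key = b"constructed-per-device-key"
    door = Controller(key)
    packet = build_unlock(key, 1)
    print("bare UNLK, old firmware:", handle_unauthenticated(b"UNLK"))
    print("bare UNLK, hardened:    ", door.handle(b"UNLK"))
    print("legitimate packet:      ", door.handle(packet))
    print("same packet replayed:   ", door.handle(packet))
```

Two caveats a practitioner would want: the counter only stops replays if the controller persists it across reboots, otherwise every power cycle reopens the window for the packet someone sniffed last week; and a per-device key is the whole point, because a single key baked into every unit turns one teardown into a master key. For a shipping product you would use an established transport such as DTLS rather than a hand-rolled MAC scheme, but the example shows the minimum the device has to check before it moves a bolt.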
I’ll be at BlackHat, both attending some trainings and working the Core Security booth (#732) all week. If you’re attending, stop by and feel free to say hi and swap some “There I was…” stories. Check back after the show, and I’ll review the things I saw that I thought were cool.