It’s always nice when you leave an event excited and enthused, not so much when that excitement and enthusiasm is to turn off every wifi enabled device you own and keep it that way. More on that later dear reader.
In this post I’ll explain why but also what Reuben Cook (Co-Director) and I thought about it and the quality of the companies there showing there products.
I would like to point out one major disappointment before going any further. Despite entering no less than four competitions to win an iPad 3 I didn’t win a single one… thoroughly unimpressed.
UK Cyber Security Policy
It’s clear from the presentations given by several of the speakers that the UK is finally getting itself together with a coherent security policy. While it’s not clear what the likes of GCHQ have in terms of offensive and defensive capability (I’m sure it’s not to be laughed at) up until quite recently, i.e. less than 4 years ago, the UK didn’t have a cyber security policy in place. It sounds like only through the determined efforts of people like Lord West were things actually changing inside government.
It is the norm for government to be staffed at it’s most senior levels today people who didn’t grow up with, and aren’t in the digital revolution, certainty not to the extent that people younger than 40 are anyway. While not always the most security conscious at all times, the DR’s (Digital Revolutionaries) we understand the risks and benefits, the technology and most importantly – the terminology of the paradigm shift taking place around us on a daily basis.
In 10 years the situation should be very different. The generation that is “wired in” will be be filling the halls of government and the digital economy will be the economy. The importance of the security and integrity of the system will be the on par with energy supply. Hopefully nothing nasty happens before then to the beautiful, ugly, amazing and appalling thing that the internet, this network of our thoughts and ideas.
At the start I mentioned the enthusiasm and excitement I felt; well now I’m going to tell you why. Jason Hart, guest speaker for Orange demonstrated a simple attack which pretty much anyone with a little motivation and very little skill could deploy.
Who knew fruit could be so scary? The attack consisted of a pineapple – a modified wifi access point which reported to be any access point your device trusts – and Kane & Able attack software. With it, after the obligatory disclaimers and implicit approval from the audience, he got every wifi device within range (about 100 devices by the looks of it) to connect to his access point. From there the devices happily started communicating with web services automatically. Meanwhile he was intercepting SSL certificates and very soon after, passwords started showing up too. To protect peoples anonymity he hid the usernames but displayed about 10 passwords in clear text.
This scary example of an effective attack against any wifi device has always existed. It goes to show that if you don’t own the network, you don’t own your data, period. Leaving your wifi on might improve location accuracy (which all our devices encourage us to do) but that is exactly what makes this attack so effective. It’s only shortfall is it requires proximity.
- The UK is doing something about cyber security, it’s not ignoring the threat or the opportunities.
- Security education is the responsibility of everyone
- It’s a people problem as much as a technology problem
- End point security is everything
- Patching is the best defence against malicious code
- Don’t trust pineapple’s, they will only steel your passwords.