Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/26/2013
01:16 PM
Mike Rothman
Mike Rothman
Commentary
50%
50%

Barnaby Jack And The Hacker Ethos

Barnaby Jack's untimely death should give us pause to remember why folks hack things and ultimately why pushing the boundaries of technology benefits us all

So I was all fired up to talk about what I'm expecting to see next week at Black Hat. For those focused on vulnerabilities and threats, it's like homecoming weekend every year. You see the smartest folks in the business doing cool new things, breaking stuff that you figure shouldn't be broken, and basically expanding your mind to what's possible. Or even probable.

I was going to talk about how I'm surprised by the relatively small number of sessions focused on mobile devices. And that I'm not surprised about how a lot of research is focusing on both detecting advanced malware and evading those very detections. There will be some Big Data love at the show as well, and some new tools will make their debut. I'm particularly looking forward to learning about BinaryPig, which uses Big Data to analyze malware. If they figured out a way to throw BYOD into the abstract, they'd have hit the CFP trifecta!

Then I read this morning that Barnaby Jack had passed away. I never got a chance to meet Barnaby, and it seems I may be the only one since my Twitter timeline blew up with all sorts of stories about what a great guy he was. Clearly he led a life well-lived in the short time he was here, leaving an indelible mark on the folks who crossed his path.

In the wake of Barnaby's untimely departure, what I can say from afar is that Barnaby Jack represented well the hacker ethos. Obviously he had a flare for the dramatic, jackpotting an ATM from the Black Hat stage. When you talk about giving good demo, it doesn't get much better than having an actual ATM machine spewing money on stage. But more importantly, he shined the light on a clear (and relatively simple) attack on an integral part of modern day society -- the ATM. My mother-in-law, who may be the only person (besides Marcus Ranum) left in the U.S. without an ATM card, can feel justified that Barnaby showed her fears were not misplaced.

But even more impactful was his research on medical devices. By showing some issues with pacemakers, he highlighted a problem that needed to be addressed. If an ATM machine gets hacked, oh, well. The bank is pissed, but nobody dies. If a pacemaker is reprogrammed, that's no bueno -- especially if it's your pacemaker. My friend Martin Fisher summed it up best this morning: "For the [email protected] did more to get attention to security of medical devices than anyone else ever. That's gonna save lives. RIP."

That research opened my mind to the reality that anything with a computer can be hacked. And nowadays everything is a computer. I was having lunch with a friend recently, and he told me about his hearing loss and how cool the new hearing aids are. The doctor connects to the device via Bluetooth and can program frequency amplification at a very granular level to ensure the hearing aid is perfectly matched to the needs of the patient.

Wait, what? Did he say Bluetooth? What could possibly go wrong with that? If you would have asked me two or three years ago, I'd have said nothing. But now, because of Barnaby Jack, obviously we all know any kind of open interface on a medical device may be problematic. And you can only hope the hearing aid manufactures are paying attention as well. That's an example of what a hacker can do.

Hackers are curious, and they think out of the box. They try stuff that seems kind of wacky at first glance. Sometimes it works; a lot of the time it doesn't. It's the scientific process alive and well. By finding and proving what's possible and -- more importantly -- unexpected, hackers can force change. You can ignore a threat model. That happens every day. It's much harder to ignore a proof of concept exploit that exposes the problem to the cold, hard light of day.

So hackers keep hacking. Researchers keep researching. Live up to Barnaby's example. Not for Barnaby, but for all of us. If I knew him, I suspect that's what he'd want.

Mike Rothman is the President of Securosis and author of The Pragmatic CSO Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: If it's not in CRM... it didn't happen!
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28488
PUBLISHED: 2021-01-22
This affects all versions of package jquery-ui; all versions of package org.fujion.webjars:jquery-ui. When the "dialog" is injected into an HTML tag more than once, the browser and the application may crash.
CVE-2021-22847
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1's API fail to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privilege.
CVE-2021-22849
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1 backend editing function does not filter special characters. Users after log-in can inject JavaScript syntax to perform a stored XSS (Stored Cross-site scripting) attack.
CVE-2020-8567
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
CVE-2020-8568
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...