Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/26/2013
01:16 PM
Mike Rothman
Mike Rothman
Commentary
50%
50%

Barnaby Jack And The Hacker Ethos

Barnaby Jack's untimely death should give us pause to remember why folks hack things and ultimately why pushing the boundaries of technology benefits us all

So I was all fired up to talk about what I'm expecting to see next week at Black Hat. For those focused on vulnerabilities and threats, it's like homecoming weekend every year. You see the smartest folks in the business doing cool new things, breaking stuff that you figure shouldn't be broken, and basically expanding your mind to what's possible. Or even probable.

I was going to talk about how I'm surprised by the relatively small number of sessions focused on mobile devices. And that I'm not surprised about how a lot of research is focusing on both detecting advanced malware and evading those very detections. There will be some Big Data love at the show as well, and some new tools will make their debut. I'm particularly looking forward to learning about BinaryPig, which uses Big Data to analyze malware. If they figured out a way to throw BYOD into the abstract, they'd have hit the CFP trifecta!

Then I read this morning that Barnaby Jack had passed away. I never got a chance to meet Barnaby, and it seems I may be the only one since my Twitter timeline blew up with all sorts of stories about what a great guy he was. Clearly he led a life well-lived in the short time he was here, leaving an indelible mark on the folks who crossed his path.

In the wake of Barnaby's untimely departure, what I can say from afar is that Barnaby Jack represented well the hacker ethos. Obviously he had a flare for the dramatic, jackpotting an ATM from the Black Hat stage. When you talk about giving good demo, it doesn't get much better than having an actual ATM machine spewing money on stage. But more importantly, he shined the light on a clear (and relatively simple) attack on an integral part of modern day society -- the ATM. My mother-in-law, who may be the only person (besides Marcus Ranum) left in the U.S. without an ATM card, can feel justified that Barnaby showed her fears were not misplaced.

But even more impactful was his research on medical devices. By showing some issues with pacemakers, he highlighted a problem that needed to be addressed. If an ATM machine gets hacked, oh, well. The bank is pissed, but nobody dies. If a pacemaker is reprogrammed, that's no bueno -- especially if it's your pacemaker. My friend Martin Fisher summed it up best this morning: "For the [email protected] did more to get attention to security of medical devices than anyone else ever. That's gonna save lives. RIP."

That research opened my mind to the reality that anything with a computer can be hacked. And nowadays everything is a computer. I was having lunch with a friend recently, and he told me about his hearing loss and how cool the new hearing aids are. The doctor connects to the device via Bluetooth and can program frequency amplification at a very granular level to ensure the hearing aid is perfectly matched to the needs of the patient.

Wait, what? Did he say Bluetooth? What could possibly go wrong with that? If you would have asked me two or three years ago, I'd have said nothing. But now, because of Barnaby Jack, obviously we all know any kind of open interface on a medical device may be problematic. And you can only hope the hearing aid manufactures are paying attention as well. That's an example of what a hacker can do.

Hackers are curious, and they think out of the box. They try stuff that seems kind of wacky at first glance. Sometimes it works; a lot of the time it doesn't. It's the scientific process alive and well. By finding and proving what's possible and -- more importantly -- unexpected, hackers can force change. You can ignore a threat model. That happens every day. It's much harder to ignore a proof of concept exploit that exposes the problem to the cold, hard light of day.

So hackers keep hacking. Researchers keep researching. Live up to Barnaby's example. Not for Barnaby, but for all of us. If I knew him, I suspect that's what he'd want.

Mike Rothman is the President of Securosis and author of The Pragmatic CSO Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15058
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15059
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
CVE-2020-15060
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
CVE-2020-15061
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
CVE-2020-15062
PUBLISHED: 2020-08-07
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.