SecurityByte: Cyber conflicts, cloud computing and printer hacking

Located twenty kilometers south of the city of Bangalore, Electronic City is the Indian version of Silicon Valley. Ever since the first phase of the project was finalized, the area has specialized in attracting technology companies.

In the early 1990s, P.V. Narasimha Rao (the Indian Prime Minister at the time) started working on the liberalization of the Indian economy and soon – as a result of a successful combination of great ideas and a vision – this part of the Karnataka state became THE place for global technology outsourcing.

While flying here to Bangalore, I read a book that identified Texas Instruments as the first tech company that opened its offices in this area. Nowadays, while driving around Electronic City you will see big buildings with familiar names such as HP, Siemens, 3M and, of course, some of the India’s own mega-companies like Wipro and Infosys. These organizations provide jobs, but it is also important to note that the area hosts a large number of educational institutions, mainly specializing in economics, engineering and IT.

After the inaugural event in New Delhi, held in November 2009, the SecurityByte team is back with this year’s edition of the conference. The move to Bangalore was strategic and definitely makes sense – there is no better place for hosting an information security conference than the IT capital of India. The event was planned to be held at the Sheraton hotel in center of Bangalore, but a couple of months ago a definitive decision was made to host it in the Electronic City’s deluxe Crowne Plaza.

This year’s conference is organized in three parallel tracks – technical, management and developer – but if you ask me, for an audience of around 600 individuals, that is one track too many.

The event started today with a series of keynotes by influential people in information security, as well as those in the local government.

Dr. Whitfield Diffie, one of the icons of the industry who now serves as VP for Information Security at ICANN and Scientific Advisor to Uniken (one of the event sponsors – a global technology solutions provider with innovation center in Pune, India), addressed the public first.

He talked about the importance of the invention of the radio back in the day and how the addition of cryptography had a huge impact on its usage, and compared that with cloud computing and the absolute need for new encryption mechanisms for it. He believes that cloud computing is as revolutionary as the radio was a hundred years ago.

As controversial as it might initially sound, Dr. Diffie also explained that he does not share the opinion of one of his colleagues who said that if he had the chance to go back in time and build the Internet from scratch, he would integrate strong authentication mechanisms in it.

“The incredible, commercial and cultural force that is the Internet is something that would not come about without the free communication that the lack of authentication produces,” he said, and added that he strongly believes that authentication mechanisms would have killed the Internet.

The second keynote speaker was Edward Schwartz, RSA’s CSO who was hired after the breach. He shared his opinion that we cannot protect everything and that in a number of daily information security programs there are a lot of aspects that are mostly waste of time.

He also noted that there are three winning strategies we should employ:

• Information centricity (understanding what really matters to us versus the broad view; knowing what is useful for the information assurance process and making that operational),
• Risk focus (developing adversary-based threat model), and
• Agility (certain aspects of security principles should be built-in from scratch).

The first day keynotes were closed by speeches by his excellency Shri HR Bhardwaj, The Governor of Karnataka and Shri S. Prabhu, Principal Account General of Karnataka. They applauded SecurityByte’s move to India and stressed out the importance of positioning Bangalore as a center of IT and security research, as well as pointing out the need for a nodal agency that would deal with cyber security. According to Mr. Prabhu, SecurityByte is a perfect example of a public/private partnership and that the level of research and knowledge that will be shown at the event should be continued in Bangalore on a more permanent level.

After the keynotes, I attended a couple of talks. Two of the most interesting ones were “Implementing a Joint Computer Emergency Response Team (J-CERT)” by John Bumgarner, Chief Technology Officer of the U.S. Cyber Consequences Unit, and “From Printer to Owned: Leveraging Multifunction Printers During Penetration Testing”, held by senior security engineer Deral Heiland who already exhibited variations of this presentation to fully packed rooms at ShmooCon and Defcon.

Mr. Bumgarner is a person with immense experience in intelligence and information security and his speech was an interesting take on the current status of global intra-CERT relations as told through the perspective of cyber conflicts and the events such as the Georgian cyber war. The conclusion is that joint CERTs are a way to go, but prior to this there is a need for establishing international standards.

Deral Heiland’s talk on hacking printers (you can expect more about this on Help Net Security soon) is a reality check that shows how easy you can wreak damage with multi-functional printers in corporate environments. The majority of printers connected to local networks – and some of them connected to the Internet – contain some type of a vulnerability.

If you ask yourself how can a printer endanger your network, just think about some of the usual functions in these type of devices – scanning to files, saving copies locally, LDAP connectivity, sending over email and so on. All of these functions can produce some type of data that can either generate information disclosure or become the first phase of a successful full network compromise. And the practical examples he talked about showed that the current status of security of these devices makes it seem like we are back in the mid 1990s.