2,773 views
HITB2014AMS – Day 2 – Keynote 4: Hack It Forward
Good morning Amsterdam, good morning readers, welcome to the second day of the Hack In The Box conference. The speaker for the first keynote didn’t show up, so we’ll jump right into the next keynote.
Jennifer starts her keynote by explaining that she’s fortunate to be able to travel to a lot of conferences and meet a lot of amazing people. When talking to people in infosec/hackers, they often mention that they are inspired by a lot of things, and often driven by the “live free” ideology. Some hackers are inspired by movies, and inspiring movies. Hackers are even inspiring comics, Jennifer explains. Quoting Confucius (“Choose a job you love and you will never have to work a day in your life”), Jennifer explains that she really enjoys working in Infosec and can’t think of any other industry to work in. Although things can be hard and things are not perfect all the time, it’s fun and there’s a lot of great stuff that the technology gives us. Infosec should figure out ways to use that new technology and do so in a secure way.
Security is hard. It’s one of the hardest thing anyone can do. We must think outside of the box, how we can do things differently so we can provide more/bettter security. But if it wasn’t hard, we would all be bored. If you’re scared by that idea, perhaps you should pick a different industry, Jennifer continues. “Bring it on”, she says. If you do the same things over and over again, you shouldn’t be surprised you get breached.
The industry has limitless possibilities. Everyone can do great things, make good money, have fun… rinse & repeat. Bug bounties allow researchers to get paid for the work they do. If we want to take advantage of those opportunities, we need to change our game and think about things differently. Security is a game of give and take, pull and give. The Internet of Things proves that there are crazy ways to use the technology available.
“Captain” Jennifer continues by sharing some “Pirate Tales” from IOActive, tales that show the motivation and inspiration of people at IOActive, including projects that involve car hacking, ATM takeovers, Medical devices, Satellite communications and Nuclear bombs.
“Work Hard”
The car hacking research (C. Valasek/C. Miller) was initially funded by the DARPA Cyber Fast Track program which allows researchers to do great things, get access to funding and resources that would otherwise be very hard to get. Doing research like this is hard work, but also a lot of fun and it gets people’s attention through media coverage. The side-effect of all of the attention is that people now start to be concerned about the security inside the cars that we drive.
“Just Do It”
Work in infosec is hard. There are a thousand reasons to explain why you were not able to get the work done. Excuses are *bleep*. Cesar Cerrudo has a long laundry list of accomplishments. He was born in Argentina and had to work his way up the hard way. He didn’t have budget to buy a lot of computers and had to resort to books and his own research to get where he is today. His recent work on hacking the US traffic system is just one example of the cool stuff he has done. Stop hiding behind excuses, Jennifer says. Don’t take no for an answer.
“Teach Others”
Barnaby Jack was one of the most brilliant minds in the industry. We all know him from his innovative work on ATM machines. Work that took months to complete, work that often failed, but he never gave up. And when preparing for a talk at BlackHat, Jennifer explains, he really wanted to put his ego aside and make sure all people in the room would understand what he was talking about. When you fail, learn from it and do it again.
“Hack with Hearts”
“My dad inspired me”, Jennifer continues. Barnaby Jack wanted to hack things that relate to things that we use on a daily basis. He knew that Jennifer’s father has a pacemaker and wanted to look at the security of these devices. When you put things in your body, it’s not that easy to patch things from time to time. Research like this will make this world a safer place. Hacking real things is important and necessary.
“Think differently”
There’s some cool stuff coming out. Ruben Santamarta got bored with smartphones and came up with the idea to hack satellite communications. After sharing some preliminary results with Jennifer, while she was on a sailing trip, she got terrified and, for a moment, even thought that he had hacked into the communication system that was being used on the sailing boat.
“Speak the right language”
Reporting security issues in satellite communications is a big deal and should be handled in a proper way, so the technical details go to the right people, so issues can be solved. Instead of reporting the technical details, Jennifer explains, Ruben focused on the impact of the problems, which helped convincing the people that should be convinced to get the issues fixed.
“Have fun”
People at IOActive purchased a bunch of smart grid meters from eBay and hacked away. As a result of the work done by a lot of smart people, researchers are being spoken to, some ICS deployments are being slowed down and security is assessed… which is a good evolution. At the same time, not everything can be bought off eBay for 500$. Why buy something, if you can build it yourself ? Inspired by the “Manhattan Project”, Mike Davis decided to build a nuclear bomb. “You need to understand technology before you can hack it”, Jennifer says. You don’t need to be a programmer to hack something together that works.
“What do I look for in our next hacker?”
You don’t need to be the next Chris Valasek or Ruben Santamarta. All you need is the desire to work hard and be passionate. You need to want to do the work whether you get paid for it or not. Come up with new ideas, and work for it. Start breaking things. Get to know the community. Ask questions, disclose responsibly, be inspired and have fun. In the end, the goal is to make the world a safer place. Infosec is the coolest industry out there. You can do amazing things.
About Jennifer Steffens
As its Chief Executive Officer, Jennifer Steffens is responsible for all aspects of IOActive’s business including sales, delivery, and finance as well as driving the company’s strategic vision. Steffens brings a wealth of industry and business experience to the company, having been an early member of several successful startups.
Earlier in her career, Steffens was a Director at Sourcefire, where she helped build and grow the business from $250K to an over $35M run rate in just four years. Working closely with the CTO, Steffens helped commercialize the open source Snort technology and build several service offerings around the research initiatives. Prior to joining IOActive, she came to Seattle to help the struggling startup GraniteEdge reinvent itself. She spearheaded initiatives to restructure the company, and developed a product strategy to drive early market penetration that ultimately secured two additional rounds of funding.
With over 10 years of industry experience, Steffens has also held senior management positions at Ubizen, NFR Security, and StillSecure. She graduated from Mary Washington University with a Bachelor of Science in Psychology.
© 2014, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.