At hacker summit, a new focus on preventing brazen attacks
Against a backdrop of cyberattacks that amount to full-fledged sabotage, Facebook chief security officer Alex Stamos brought a sobering message to the hackers and security experts assembled at the Black Hat conference in Las Vegas. In effect, he said, it’s time to grow up. Too many security researchers, he suggested, are focused on “really sexy, difficult problems” that don’t address the common vulnerabilities that allow malware attacks to wreak havoc.
And too many security-minded hackers seem intent on demonstrating newly discovered hacks, such as making an ATM spit out cash or taking remote control of an internet-controlled car, rather than shoring up more mundane defenses. While part of that reflects the healthy intellectual curiosity of hackers, it’s also driven by marketing and economic incentives, Stamos said. “I appreciate the showmanship, but we need a little more thoughtfulness, a little less showmanship in our field,” he told reporters after his speech.
Global attacks, serious damage
Since May, the world has been rocked by two major international cyberattacks - the ransomware WannaCry and a likely state-sponsored attack called NotPetya that spread out of Ukraine. Those and other recent digital assaults have paralyzed hospitals, disrupted commerce, caused blackouts and interfered with national elections. Stamos himself was formerly the chief security officer at Yahoo, which last year disclosed breaches of more than a billion user accounts that dated back to 2013 and 2014.
Black Hat, now in its 20th year, has matured since what Stamos, a longtime attendee of the computer security conference, described as its “edgy and transgressive” early days. It has grown more professional and corporate over time. Stamos called for a culture change among hackers and more emphasis on defense - and basic digital hygiene - over the thrilling hunt for undiscovered vulnerabilities. And he called for diversifying an industry that skews white and male, and generally showing more empathy for the people whom security professionals are tasked to protect.
“It’s unfair for us to say that users should be better,” said Stamos, challenging his profession to find better ways to help people solve the most common vulnerabilities, such as reuse of passwords , email phishing attempts, and not updating devices to patch bugs. —AP