After two days at the One Conference in The Hague, I came home wondering about a lot of things I’d heard there.
It started with Reuben Paul, CEO of CyberShaolin, who is at the time of writing 11 years old. He was the opening speaker of day one. Not just a great honor for him but especially for us, as he came all the way from the USA to talk about the internet of things/threats. He demonstrated how easily a smart teddy bear can be hacked by using a man-in-the-middle attack. This was brilliant to witness. Imagine seeing a boy, standing on a crate to reach the lectern, executing shell commands to his Raspberry Pi through which he is controlling his bear. I dare say it probably wouldn’t be so cool if the person standing there were a balding, slightly overweight, long-haired nerd, as that would fit the common image. But still, Reuben’s talk was very impressive! In my opinion guys like Reuben will change the world one day!
Besides the teddy-hack there were talks about hacking back phishing crews to be able to act super fast on the next attack. Amusingly, one day later I listened to an ethical discussion questioning whether it is legal to hack back even though you are protecting your assets or working for the greater good. Which is more wrong?
The last presentation I would like to mention came from Saket Modi. He was hacking a phone live in the audience to show us all how easy it is nowadays to get access. Just getting hold of a phone for about 20 seconds was enough to get full control of, well, almost everything in the owner’s life.
OK, back to the general concept of the One Conference. The theme this year was ‘We are all connected’ but in my opinion it could be summarized in two words: ransomware and cooperation. Only days before the event, WannaCry hit the world, which made it an easy example of what effects ransomware can have, not just this time but in the near future as well.
What struck me most though was not the teddy-hack, not ransomware threats and not even the hijacking of a phone. No, it was someone I noticed in the audience. During the opening plenary on the second day I looked one row down and 4 seats to my left. The gentleman there was apparently not that fascinated by the talk so he opened his laptop. From my angle I have a perfect view of his keyboard where he enters his passphrase. A five-character code which granted access. Five. He then starts a remote session and logs in. I counted again: five stars appear in the field and done. Logged in with what I can only presume is the same password. Apart from leaving me flabbergasted, he got my attention. After about a minute a very well-known pop-up appears asking to install Windows updates. Guess what? One hit on the cancel button and that annoying message disappears. Work on his PowerPoint presentation can continue.
After a while it hit me: we can talk a lot about cyber security, giving examples of major risks and terrible consequences. We can have guidelines, certifications and laws with extremely high fines but this won’t do the trick. The guy in the audience is the perfect example of an imperfect mindset. Even when the whole world is talking about WannaCry, even more computers are being infected by Adylkuzz, which is using the same exploit as WannaCry. Apparently many people either still missed the urgency to update their systems or were too busy rattling on about how, with their solution, it would never have happened.
Maybe we cannot rely on just people anymore to act upon security issues? Maybe we need systems to do that for us? Maybe we do need Skynet...