Security Week 07: RSA and artificial intelligence, Android security, IoT government regulation

This week the RSA Conference 2017, the main information security conference, blossomed, rolled across the meadows and valleys, and faded. Unlike events such as Black Hat or our own Security Analyst Summit, the conference is somewhat marketing-driven. There is almost no security research there (there is some, but not much), but there are plenty of fine words about innovative technologies. Words are needed too: like it or not, information security long ago stopped being a purely technical phenomenon and became a social one. Perhaps because I attended the event last year but not this year, this time I take the words coming out of RSA with a slightly larger share of skepticism.

Maybe it is also because, lately, information security marketing is often built on a sort of expectation of a miracle. While the techie waits for the project to build, yet another marketer dreams of a blue helicopter with a wizard who will fly in and solve everything, absolutely all the problems. But no. A good example of the imbalance between dreams and harsh reality was the seminar on future technologies, specifically artificial intelligence and quantum computing, as applied to cyber defense (news).

The invited experts, who are genuinely versed in these technologies, somewhat cooled the audience's enthusiasm. In short: artificial intelligence in cybersecurity is useful only for processing large amounts of data and searching for anomalies (and, strictly speaking, these tasks do not even need the AI that everyone has in mind). You should not expect smart machines to detect complex threats on their own. And no, quantum computing does not yet threaten encryption systems, neither in the near future nor in the more distant one. Encryption is threatened by crooked code and by politicians' attempts to build a state backdoor. At the end of the seminar, the conversation turned to the availability of reliable data protection technologies and comfortable conditions for security researchers; that is where improvement is needed. As for technology: there is nothing to invent here. One needs to work. There is a cartload of unresolved problems, in cryptography, in machine learning, and in general. They need to be dealt with, rather than waiting for the arrival of silver bullets.



Linus Torvalds recently spoke on the same topic: you just need to write code.

Android ecosystem security and five thousand builds
News.

Adrian Ludwig, Google's chief security officer for Android, visited the RSA conference this year and delivered a keynote speech on protecting the Android platform from cyber threats. Google's initiatives are, of course, astounding in scope: malware checks run on 750 million devices every day, more than 6 billion applications are scanned regularly, and the total number of active devices is 1.6 billion. Quote: "The more I think about the scale of the [problem], the more complicated it seems."



The three key areas of work on Android security are as follows: the reliability of the platform itself (read: the operating system), security services, and application security. The latter is helped by the concept of the Google Play app store, in which everyone plays (or tries to play) by the rules. Services are more interesting. According to Google, an ecosystem with a vendor on one side and independent suppliers of antivirus-like products (and of protection technologies and services in general) on the other is a heavy legacy of Microsoft and Windows, and it needs to be done differently. In Google's view, security services (for example, remote locking of a stolen device) should be integrated into the OS, and large companies should be given APIs to protect corporate data, up to and including restricting access to the web.

This is all fine, but one figure in Ludwig's presentation is worrying, to say the least: over the past two years the company has had to deal with 5033 different versions of Android. Yes, indeed, "315 mobile operators" are doing everything possible to deliver security patches to users as quickly as possible. But, damn it, five thousand builds! To summarize: Google really does a lot to improve Android security. But at the same time (both at RSA and earlier), Google still pretends that Android security is basically fine now and that only a couple of bugs remain to be polished off. That is not so. The monstrous fragmentation of the platform was, is, and will remain an Android problem. It cannot be solved with fine words and polished formulations. Perhaps it cannot be solved at all without ditching the platform itself.

Cryptographer Bruce Schneier calls for state regulation of the Internet of Things
News. Supporting documents on Bruce Schneier's blog.


The famous cryptographer Bruce Schneier first voiced the idea that IoT security needs state regulation back in November of last year. At RSA he developed the topic, and to support his arguments he gave a long list (at the link above) of various guidelines and other recommendations for secure software development on stand-alone and network-connected devices. In general, they do not have to be read: it all comes down to applying existing experience so as not to put already known vulnerabilities into your code, encouraging independent assessment of the security of your devices, and so on.

There is a problem: these fine words do not work. As long as IoT in the form of routers and IP webcams is being made in China on shoestring budgets with microscopic margins, it will not get better. The main problem with such devices is not even the bugs, but the sometimes fundamental impossibility of installing updates. Bruce's speech complements very well the discussion under my posts on Habr: about IoT and about "forcing vendors into security".

When it comes to the Internet of Things, the discussion often comes down to the correct interpretation of the definition: there is, they say, a "real IoT" and a "fake" one. The latter includes routers, set-top boxes, and cameras; these are really just computers with slightly reduced functionality. They have little in common with "things" beyond supporting common network protocols. That is why, in my post about IoT last year, I proposed the interpretation "permanently connected autonomous devices", so as not to provoke yet another round of argument. In his speech, Schneier acknowledged that another criterion for a real IoT, namely the connection of billions of new smart devices to the network, has not yet been met. His argument is that if IoT keeps developing the same way, at some point it will become the basis for the first real, global digital apocalypse, and by then it will be too late. One thing

As for political intervention in the Internet of Things, it is all simple. Schneier, like any techie, does not like that arrangement. It is just that you cannot wait for state agencies to come and fix everything to your liking. We need to offer something ourselves. It will be painful: security costs money (remember the micro-margins). But it is necessary.

Disclaimer: This column reflects only the private opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It is a matter of luck.
