
Security Week 07: RSA and Artificial Intelligence, Android Security, State Regulation IoT

This week the main information security conference, RSA Conference 2017, blossomed in the meadows and valleys and has already faded. There is almost no security research there (we have some, and not that much), but there are plenty of beautiful words about innovative technologies. Words are needed too: like it or not, information security long ago stopped being a purely technical phenomenon and became a social one. Perhaps because I was at the event last year and not this time, this time I take the words coming out of RSA with a little more skepticism.



Maybe it is also because infosec marketing lately is often built on the expectation of a miracle. While the techie is waiting for the build to finish, some marketer is dreaming of a wizard in a blue helicopter who will fly in and solve everything, absolutely all problems. But no. An illustrative example of the gap between dreams and harsh reality was a seminar on the effect of future technologies, specifically artificial intelligence and quantum computing, on cyber defense (news).



The invited experts, who really do understand these technologies, somewhat cooled the audience's enthusiasm. In short: artificial intelligence in cyber defense is useful only for processing large volumes of data and searching for anomalies (and, strictly speaking, for these tasks the AI that everyone has in mind is not needed). Do not expect smart machines to detect complex threats on their own. And no, quantum computing does not threaten encryption systems yet, neither in the near future nor in the more distant one. Encryption is threatened by crooked code and by attempts by politicians to build a state-sponsored one. At the end of the seminar the conversation turned to the availability of reliable data protection technologies and to comfortable conditions for security researchers, and that is where improvement is needed. As for technology: there is nothing to invent. One needs to work. There are unsolved problems (in cryptography, in machine learning, and in general) by the wagonload. They need to be done, rather than waiting for the coming of silver bullets.






Linus Torvalds also spoke on the same topic: you just have to code.



Android ecosystem security and five thousand builds

News



RSA this year was attended by Adrian Ludwig, Google's head of Android security, who gave a keynote on protecting the Android platform from cyber threats. Google's initiatives are impressive in scale: 750 million devices are checked for malware every day, more than 6 billion applications are scanned regularly, and the total number of active devices is 1.6 billion. Quote: "The more I think about the scale [of the problem], the more difficult it seems."







The three key areas of work on Android security are these: the reliability of the platform itself (read: the operating system), protection services, and application security. The latter is helped by the concept of the Google Play app store, in which everyone plays (or tries to play) by the rules. Services are more interesting. According to Google, an ecosystem where there is a platform vendor and, separately, independent vendors of, conventionally speaking, antivirus (and protection technologies and services in general) is a heavy legacy of Microsoft and Windows, and it should be done differently. In Google's view, security services (for example, remote locking of a stolen device) should be built into the OS, and large companies should be given an API for protecting corporate data, including restricting web access.



This is all fine, but one figure in Ludwig's presentation is, to put it mildly, disturbing: over the past two years the company has had to deal with 5033 different versions of Android. Yes, indeed, "315 cellular operators" are doing everything possible to deliver security patches to users as quickly as possible. But, damn it, five thousand builds! To summarize: Google really does a lot to improve Android security. But at the same time (at RSA and earlier), Google still pretends that everything is already just wonderful with Android security and only a couple of bugs remain to be fixed. It is not. The monstrous fragmentation of the platform was, is and will be Android's problem. It cannot be solved with beautiful words and polished formulations. Perhaps this problem cannot be solved at all without scrapping the platform itself. In such a situation it is better to start from the really difficult situation rather than making soothing hand-waving gestures.



Cryptographer Bruce Schneier calls for state regulation of the Internet of Things

News. Accompanying documents on Bruce Schneier's blog.





The well-known cryptographer Bruce Schneier first suggested the need for state regulation of IoT security back in November last year. At RSA he developed the topic and, to support his arguments, gave a long list (linked above) of various guidelines and other recommendations on the secure development of software for autonomous and network-connected devices. Generally speaking, you do not necessarily need to read them: it all comes down to applying existing experience so as not to put already known vulnerabilities into your code, encouraging independent security assessment of your devices, and so on.



There is a problem: these beautiful words do not work. As long as IoT in the form of routers and IP cameras is being made in China on a meager budget and a microscopic margin, it will not get better. The main problem with such devices is not even the bugs but, sometimes, the fundamental impossibility of installing updates. Bruce's talk complements very well the discussions under my posts on Habr: about IoT and about "forcing vendors into security".



As for the Internet of Things itself, the discussion often comes down to the correct interpretation of the definition: there is, they say, a "real IoT" and a "fake" one. The latter includes precisely the routers, set-top boxes and cameras, and this is true: they are computers somewhat trimmed in functionality. They have little in common with "things" except support for common network protocols. That is why in my post on IoT last year I proposed the interpretation "autonomous devices permanently connected to the network", so as not to provoke yet another wave of bickering. Schneier, in his talk, acknowledged that the other criterion of this IoT, namely the connection of billions of new smart devices to the network, has not yet been met. His argument is that if IoT keeps developing the way it is, it will become the basis for the first real, global digital apocalypse, by which point it will be too late. It is one thing when a site with cats goes down because of DDoS, and another when the thermostat stops being reachable in winter.



As for political intervention in the Internet of Things, everything here is simple. Schneier, like any techie, does not like this situation. It just seems that you cannot sit and wait for government agencies to come and adjust everything to their taste. We need to offer something ourselves. It will hurt: security costs money (remember the microscopic margin). But it is necessary.



Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It is luck of the draw.

Source: https://habr.com/ru/post/321926/


