- Everyone Knows What "Cybersecurity" Means
- We Can Measure How Secure Our Systems Are
- The Primary Goal of Cybersecurity Is Security
- Cybersecurity Is About Obvious Risks
- Sharing More Cyber Threat Intel Will Make Things Better
- What Matters to You Matters to Everyone Else
- Product X Will Make You Secure
- Macs Are Safer Than PCs, Linux Is Safer Than Windows
- Open Source Software Is More Secure Than Closed Source Software
- Technology X Will Make You Secure
- Process X Will Make You Secure
- Faerie Dust Can Make Old Ideas Magically Revolutionary
- Passwords Should Be Changed Often
- Believe and Fear Every Hacking Demo You See
- Cyber Offense Is Easier Than Defense
- Operational Technology (OT) Is Not Vulnerable
- Breaking Systems Is the Best Way to Establish Yourself
- Because You Can, You Should
- Better Security Means Worse Privacy
- Further Reading
Believe and Fear Every Hacking Demo You See
DEF CON is an annual hacker conference known for new revelations and showy demos. In 2010, presenters demonstrated the hack of a car. In 2017, someone hacked a voting machine. In 2020, it was a satellite. These demonstrations make for great shows and stories, lots of applause (from other hackers), and widespread hype and fear (from the public and the press). It’s like movies coming to life! They are amazing and scary, and who would not want to report on the fantastic things done outside of movie magic?
Cybersecurity professionals understand, appreciate, and admire new contributions to the field. Sometimes we even admire the skill of an attack or a new offensive technique. We can see the implications and severity of new vulnerabilities before they are understood or known by the general public. Vendors running bug bounty programs routinely ask for proof-of-concept code to demonstrate that a reported bug can actually be exploited. Hackers, too, demand a proof of concept before they take a claim seriously. The title of one publication puts a fine point on this: the International Journal of Proof-of-Concept or Get the Fuck Out (PoC||GTFO).60
There is a misconception, however, that every demo or academic finding will translate into widespread real-world attacks. These demonstrations are revealing, but they often ignore the context and complexity of the real world, and they rest on assumptions that may not hold in deployment. Vote tallies are audited, as are ATMs. Physical protections might prevent an attacker from quickly or undetectably making a change, and a lab demo rarely has to survive monitoring, patching, or the defenders who run the system. Hacking a voting machine or an ATM is a different threat from undermining an election or the financial system.
Rowhammer was a novel attack technique.61 Cool, even. Researchers have built several proof-of-concept exploits that flip bits in adjacent DRAM rows by hammering nearby memory, but there is no documented evidence (yet) of Rowhammer being used in the wild. The Shrew attack is another novel technique: a low-rate denial-of-service (DoS) attack that times short traffic bursts to TCP's retransmission timeout so that a small amount of traffic starves a connection. It, too, is cool and awesome, and it, too, has no documented use in the wild. Demonstrability is not the same as likelihood. The Exploit Prediction Scoring System (EPSS) is one model that combines vulnerability characteristics with real-world exploit data to estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. Most of the CVEs published each year are not a threat to most people. According to Kenna Security and the Cyentia Institute, only around one-third of all CVEs are ever observed in live environments, and, of those, only 5% have known exploits.62
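As an added example (not from the book, and not EPSS's or FIRST's own code), the short Python program below shows how a triage policy built on evidence of exploitation ranks findings differently from one built on demo-worthiness or CVSS severity alone. The vulnerability records, their scores, the tier names and the threshold values are all constructed for illustration and are not real CVEs; in practice the EPSS probability comes from the scores FIRST publishes daily, and a public "exploited in the wild" list such as the CISA Known Exploited Vulnerabilities catalog supplies the `exploited_in_wild` flag.

```python
"""Rank findings by evidence of real-world exploitation rather than by how
impressive the demo was.

Added example. The records, tier names and thresholds below are constructed
assumptions for illustration; they are not real CVEs or any vendor's policy.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str                 # constructed label, deliberately not a CVE identifier
    cvss: float               # CVSS base score, 0.0-10.0: severity *if* exploited
    epss: float               # EPSS: probability of exploitation in the next 30 days
    poc_public: bool          # proof-of-concept code published (e.g. a conference demo)
    exploited_in_wild: bool   # listed on an exploited-in-the-wild catalog (e.g. CISA KEV)
    exposed: bool             # the affected asset is reachable by the relevant attacker


# Constructed sample set: a flashy demo'd bug, a dull bug under active
# exploitation, an internal-only bug, and one with neither PoC nor exploitation.
SAMPLE = [
    Finding("flashy-demo-firmware",      9.8, 0.020, True,  False, False),
    Finding("boring-webapp-auth-bypass", 7.5, 0.710, True,  True,  True),
    Finding("internal-db-dos",           7.5, 0.400, False, True,  False),
    Finding("no-evidence-lib-bug",       6.5, 0.003, False, False, True),
]

TIER_ORDER = {"act-now": 0, "schedule": 1, "watch": 2, "backlog": 3}


def tier(f: Finding, epss_threshold: float = 0.10) -> str:
    """Assign a remediation tier from exploitation evidence.

    A public PoC or a high CVSS score alone only earns "watch": it proves the
    bug *can* be exploited, not that anyone is doing so. The 10% EPSS
    threshold is an illustrative assumption, not a published recommendation.
    """
    if f.exploited_in_wild and f.exposed:
        return "act-now"
    if f.exploited_in_wild or f.epss >= epss_threshold:
        return "schedule"
    if f.poc_public or f.cvss >= 9.0:
        return "watch"
    return "backlog"


def rank_by_cvss(findings: list[Finding]) -> list[str]:
    """Naive ordering: most severe-looking first (stable for equal scores)."""
    return [f.name for f in sorted(findings, key=lambda f: -f.cvss)]


def rank_by_evidence(findings: list[Finding]) -> list[str]:
    """Evidence ordering: tier first, then EPSS, then CVSS as a tie-breaker."""
    key = lambda f: (TIER_ORDER[tier(f)], -f.epss, -f.cvss)
    return [f.name for f in sorted(findings, key=key)]


def expected_exploited(findings: list[Finding]) -> float:
    """Sum of EPSS probabilities: the expected number of these findings that
    will be exploited within 30 days, assuming independence between them."""
    return sum(f.epss for f in findings)


if __name__ == "__main__":
    print("by CVSS:    ", rank_by_cvss(SAMPLE))
    print("by evidence:", rank_by_evidence(SAMPLE))
    for f in SAMPLE:
        print(f"{f.name:28s} cvss={f.cvss:4.1f} epss={f.epss:.3f} -> {tier(f)}")
    print(f"expected exploited in 30 days: {expected_exploited(SAMPLE):.2f}")
```

Run as written, the CVSS ordering puts the demo'd firmware bug first, while the evidence ordering pushes it down to "watch" behind two less severe bugs that are actually being exploited. Summing EPSS over a backlog gives a rough expected count of exploitations, which is usually far smaller than the number of findings, the point the Kenna and Cyentia figures make.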
Simply because an attack can be demonstrated does not mean it will be used.