[Ukfreebsd] OSHUG #74 — What's New In Cryptography & Security, Thurs 18th July

[Sevan Janiyan]

Event #74 — What's New In Cryptography & Security

18th July 2019, 18:30 - 20:30 at BCS London, 1st Floor, The Davidson
Building, 5 Southampton Street, London, WC2E 7HA.

Registration link at http://oshug.org/event/74

Over the last few years the security landscape has changed in several
major ways. The Internet Of Things has made security and privacy a major
problem for everyone. The move to HTTPS on almost every site and the
attacks on TLS have raised awareness of security on the web, As a
result, there has been a renewed focus on open source cryptography
libraries, including new forks and projects. This meeting will take a
look at the current state of security and cryptography and we'll look at
how open source is contributing to the solutions as well as the problems.

This is a joint meeting with the British Computer Society Open Source
Specialist Group.

— Failures in Firmware, an analysis of common weaknesses in IOT devices

The advent of the Internet of Things has created an industry filled with
incredible technologies, and incredible vulnerabilities. This talk aims
to outline common weaknesses in these devices that can occur even if the
developers are trying their best to make a device secure. This will
include problems that can occur when implementing standard
functionality, such as authentication, firmware updates, secure
communication and protection of sensitive data.

This talk will cover the following topics, with demonstrations and
recommendations:

- The basics of cryptography, how it works, how it is implemented, and
the different types of software which implement it. This will include an
introduction to Open Source encryption libraries and the pitfalls that
can occur when they are implemented incorrectly.
- An introduction to Open Source libraries used for developing embedded
software, including an assessment of example libraries for specific
chipsets which contain known vulnerabilities.
- Demonstration of weaknesses in firmware protection mechanisms,
covering what happens when you don't secure your firmware, when you
encrypt it, and when you sign it. This topic will cover exactly how an
attacker could bypass protection mechanisms when they are incorrectly
implemented, and how they can be implemented well.
- An analysis of Linux vs Real Time Operating Systems, demonstrating the
security strengths and weaknesses between the two approaches and what
can be done to improve the security of both.
- A demonstration of weaknesses that can occur in hardware,
demonstrating what can occur when electronics are designed in a manner
which allows for easy debugging, including a demonstration of how
firmware can easily be removed from a device when it is not adequately
secured.
- A discussion of how Open Source libraries can both increase and
decrease security in a product, and how they can be used effectively.

Each element of this presentation will include working demonstrations in
order to exemplify where the weaknesses lie in the standard approaches
taken when creating an IOT product.

* Christopher Wade is a seasoned security researcher and consultant. His
main focuses are in reverse engineering hardware, finger-printing USB
vulnerabilities and playing with Software Defined Radios, His key
strength lies in firmware analysis, which he utilises as part of the
hardware testing team at Pen Test Partners.

— Should you choose Open Source Crypto?

What are the arguments for and against for using open source crypto code
and how have they changed over time.

* Glyn Wintle is CTO at dxwcyber, a security consultancy focused on
attack. He has extensive experience of breaking into computer systems in
both the public and private sector.

— Why and How you should start using Onion Networking

The internet began as a network where any computer could communicate
directly with any other; but today there are host firewalls, perimeter
firewalls, content filters, NATs, DNS restrictions, BGP hijacks and all
manner of other challenges that limit you and your computers' ability to
communicate. The Tor "Onion" networking protocol is an alternate
"disintermediated" layer 3 stack where you do not require permission nor
(mostly) any setup in order to communicate directly from/to any
well-known address, plus you gain a host of security & operational
benefits. We describe this.

* Alec Muffett has worked in host and network security for 30 years,
more than 22 of those in industry, holding senior consulting,
architecture and engineering roles at Sun Microsystems and Facebook. He
is a member of the Board of Directors of the Open Rights Group, a member
of the Security and Privacy Executive of the British Computer Society,
and a security engineer at Deliveroo.

Note: Please aim to arrive by 18:15 as the event will start at 18:30 prompt.