When you find yourself on a business trip and forget the code to your corporate AmEx, you know you haven’t been on the road for a while. This is why I found myself making a frantic search through my online files while I was trying to check in at the hotel for the awesome NDC Security Conference in Oslo: I hadn’t been to a conference since Cisco Live in Barcelona in 2020.
NDC Security was a great way to get myself back into the conference configuration. I learned a lot at this show. I also had a great time giving two talks myself.
Keynote: An Abridged History of Application Security
Before I gave my talks, I sat in on the conference keynote from rockstar security educator and author Jim Manico. He took us through an rapid history of application security, from before the second world war, to the present day. He wove security testing, HTTP/S, passwords, OWASP and XSS through his intertwined and fascinating timeline. For me there were two big takeaways:
First takeaway: Polish researchers laid the groundwork for the British cracking of Enigma. Prior to WWII, in the Russo-Polish war in 1920 the Polish cryptography skills were instrumental in the saving of Warsaw: They were able to decode a telegram from Red Army military commander Joseph Stalin, which indicated that an attack on Warsaw was imminent. They were able to jam the Russians’ radio communications and by doing so bought enough time to secure and save the city. Groundwork laid by Polish mathematicians paved the way for Alan Turing, who famously cracked Enigma. In my opinion these events were the beginning of cyber security warfare – a game of cat and mouse that reaches far back into the history of computing.
Second takeaway: Being a jerk on Twitter can make the world a safer place. Jim Manico likes to be a jerk on Twitter from time to time. He walked through a couple of example Twitter threads, where he pointed out certain flaws, like the lack of CSP3 support in Apple’s native browser Safari.
Content Security Policy (CSP) is a tool which developers can use to lock down their applications in various ways, mitigating the risk of content injection vulnerabilities such as cross-site scripting, and reducing the privilege with which their applications execute. When Manico called out a flaw in public, other industry experts responded in this thread, which ultimately led to Apple implementing CSP3 into WebKit for Safari 15.4. According to Jim, this proves how being a jerk sometimes can help to make things better!
Check out his full session here:
Breakout: Make Passwords Easier
One of the most useful sessions I attended was Per Thorsheim‘s session on creating better passwords – both the passwords you create for yourself and how to make passwords creation easier in your applications.
For example, he argued you should make passwords in sentences, since they are both easier to remember and longer that single words or codes. He did emphasize that you should have a different password sentence for each service. To remember all of these, Per advised to either use a digital password manager, or to write down passwords in a notebook stored somewhere safe in the house – especially for the elderly. A password manager is better, but Per believes the risk of notebook theft is low enough.
He also mentioned that it makes no sense to periodically change your password, unless there is an indication that you password was compromised and stolen. Enforcing regular password changes is a bad user experience, and ultimately makes everything less secure, since the worse the user experience is, the higher the chance someone will try to circumvent it, or use a different application instead. In passwords, Per says, usability is everything.
My first session: Common Python Vulnerabilities and How to Fix Them
After the keynote, I started to prepare for my first session, about Python vulnerabilities. Python is more popular than ever, ranking as the most used language today. It is searched even more often than Kim Kardashian on Google:
It’s a powerful language and it’s used by a lot of beginners – potentially a dangerous mix. My presentation focused on basic beginner security mistakes – that a lot experienced developers make, too. I covered the 5 common vulnerabilities seen in Python.
Second session: Detecting Malware in Encrypted Traffic
My second session was about encryption protocols, malware hiding in them, and how to solve this problem using machine learning. I explained how TLS1.3 is on the rise and how this new cryptographic protocol is used extensively in HTTPS, and is more efficient and secure. It also immediately encrypts the traffic coming from the server (ServerHello), leaving legacy systems that rely on decryption with a challenge.
Luckily, two of my Cisco colleagues have created an open source project called Mercury. It can fingerprint encrypted network traffic and capture and analyze the packet metadata, which is unencrypted. It uses two giant knowledge bases (one with safe traffic, and one with malicious traffic), in a machine learning model that classifies traffic. Mercury has already been implemented as beta feature in Cisco Secure Firewall, and I think it will have broad usage elsewhere, too.
To explain a bit more about the machine learning, I covered some of the statistics that are behind the Weighted Naive Bayes algorithm that they used. This algorithm works by taking in contextual information when calculating probability. A famous example is the experiment where and audience is asked to decide of their fictional neighbor Steve is more likely to be a librarian or a farmer based on the following description:
“Steve is very shy and withdrawn, invariably helpful but with very little interest in people or in the world of reality. A meek and tidy soul, he has a need for order and structure, and a passion for detail.”
Kahneman and Tversky discovered that most people would choose librarian, even though there are many more farmers than librarians in the total population. People forget to take the general chance that Steve is a librarian in to account, which is very small.
In Project Mercury, an algorithm is used that is based on this general principle, however it then allows for adding weights to certain features. Mercury uses the TLS fingerprint, in combination with destination context to decide whether the traffic is malicious or not — without decryption!
Go to Project Mercury on GitHub.
After a lot of learning and teaching, it was time to fly home again. To celebrate everything that I learned and the sessions I gave, I had a classic “airport beer”, a ritual I definitely had missed. Fortunately I had my corporate Amex handy.
Check out the entire NDC Security conference for more.
What’s next? I’ll be at KubeCon + CloudNativeCon Europe 2022 this May in the beautiful city of Valencia, Spain. Come visit the Cisco booth or join us virtually. Learn more about Cisco at KubeCon.
We’d love to hear what you think. Ask a question or leave a comment below.
And stay connected with Cisco DevNet on social!