As Black Hat security conference turns 25, a lesson: security doesn’t have an end point

LAS VEGAS–At the start of the Black Hat information-security conference here, founder Jeff Moss took a moment to reflect on the state of cybersecurity today compared to the hopes of industry professionals at the first such gathering 25 years earlier.

“A lot of things have been figured out in a quarter century,” Moss joked in his opening remarks Wednesday. “We're still trying to figure out, did you try turning it on and off?”

Watching the briefings at this annual event can’t help but be humbling. Researchers unpack how they found and exploited vulnerabilities in everything from car key fobs to Starlink satellite terminals, and not all of these security stories have the happy ending of a fixed “vuln.”


But a Black Hat briefing Thursday afternoon on the conference WiFi’s performance also underscored the profound progress of a basic security measure: encrypting data in transmission so that it can’t be read or modified. Barely 3% of email sent over the network traveled in the clear, a significantly lower figure than in prior years.

Worldwide, Google reports that 86% of messages sent to Gmail users arrive encrypted; when it began posting that metric in 2014, only 50% did. And this upgrade didn’t require users to adjust any settings; mail services did the work on their end. Gmail’s web and Android apps will warn you with a red, slashed-through padlock icon if a correspondent’s service hasn’t done that work.

Other services, however, have not made comparable advances. Text messages between Android and iPhone users, for example, travel entirely in the clear, and some connected gadgets also fail to protect their own communications.

The Black Hat network admins found one such example, a “smart” cat feeder that an attendee checked online. That unsecured data revealed that the remotely-fed feline’s name was Garfield and his nature was categorized as “Very lazy.”


A talk Wednesday morning, however, reminded attendees not to apply a “lazy” label to people who fail to follow their most stringent advice. Kyle Tobener, vice president of security at Copado Solutions, urged security practitioners to adopt the harm-reduction approach many doctors now take in treating substance abuse and other behavioral conditions.

Instead of saying “don’t do that,” Tobener advised, say “Try not to do that, but if you do, here are some ways to be more safe.” For example, he suggested that if you’re concerned about the data TikTok collects, don’t tell fans of that social app to quit it; instead, suggest they use it in a browser or keep the app on a dedicated device.


In the same vein, Tobener frowned upon password guidance that translates to “The only way to use passwords is the most insanely complex way possible.” Don’t mock somebody for writing down passwords in a notebook; recognize that as the improvement it is over reusing passwords or employing the simplest ones possible.


An executive at a password-manager service (unlike a paper notebook, these services use end-to-end encryption to safeguard your passwords and then sync them to multiple devices) made a similar point about the security industry growing up and recognizing that it needs to meet users where they are.

“It should be easy to be safe,” said Adam Caudill, director of security at 1Password, in an interview Thursday. “If being safe is hard, people are not going to do it.”

--

Rob Pegoraro is a tech writer based out of Washington, D.C. To submit a tech question, email Rob at rob@robpegoraro.com. Follow him on Twitter at twitter.com/robpegoraro.

This article originally appeared on USA TODAY: Can tech's biggest players solve cybersecurity's worst problems?