OSHUG

— Open Source Hardware User Group

Event #74 — What's New In Cryptography & Security

On 18 July 2019, 18:30 - 20:30 at BCS London, 25 Copthall Avenue, London, EC2R 7BP (map: 51.5168155, -0.090039)

Please register to attend.

Over the last few years the security landscape has changed in several major ways. The Internet of Things has made security and privacy a major problem for everyone. The move to HTTPS on almost every site and the attacks on TLS have raised awareness of security on the web. As a result, there has been a renewed focus on open source cryptography libraries, including new forks and projects. This meeting will take a look at the current state of security and cryptography, and at how open source is contributing to the solutions as well as the problems.

This is a joint meeting with the British Computer Society Open Source Specialist Group.

Failures in Firmware, an analysis of common weaknesses in IoT devices

The advent of the Internet of Things has created an industry filled with incredible technologies, and incredible vulnerabilities. This talk aims to outline common weaknesses in these devices that can occur even if the developers are trying their best to make a device secure. This will include problems that can occur when implementing standard functionality, such as authentication, firmware updates, secure communication and protection of sensitive data.

This talk will cover the following topics, with demonstrations and recommendations:

  • The basics of cryptography, how it works, how it is implemented, and the different types of software which implement it. This will include an introduction to Open Source encryption libraries and the pitfalls that can occur when they are implemented incorrectly.
  • An introduction to Open Source libraries used for developing embedded software, including an assessment of example libraries for specific chipsets which contain known vulnerabilities.
  • Demonstration of weaknesses in firmware protection mechanisms, covering what happens when you don't secure your firmware, when you encrypt it, and when you sign it. This topic will cover exactly how an attacker could bypass protection mechanisms when they are incorrectly implemented, and how they can be implemented well.
  • An analysis of Linux vs Real Time Operating Systems, demonstrating the security strengths and weaknesses between the two approaches and what can be done to improve the security of both.
  • A demonstration of weaknesses that can occur in hardware: what happens when electronics are designed in a manner which allows for easy debugging, including how firmware can easily be extracted from a device when it is not adequately secured.
  • A discussion of how Open Source libraries can both increase and decrease security in a product, and how they can be used effectively.

Each element of this presentation will include working demonstrations in order to show where the weaknesses lie in the standard approaches taken when creating an IoT product.
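The third bullet above makes a point that is easy to state and easy to get wrong in practice: encrypting a firmware image is not the same as protecting it. The following is an added example written for this page, not material from the talk or from Pen Test Partners. It uses a constructed image layout (a 12-byte header whose third word is a "debug enabled" flag), a toy SHA-256 keystream standing in for whatever stream-mode cipher a bootloader might use, and HMAC-SHA256 standing in for a real signature scheme; all key, field and function names are illustrative assumptions.

```python
"""Added example: encrypted-only firmware can be patched without the key;
authenticated (signed/MAC'd) firmware rejects the patch.

Constructed scenario, not the talk's code. The image header is
magic | version | debug_enabled, each a 4-byte big-endian word. A
stream-cipher-style construction (here a toy SHA-256 keystream) leaks no
plaintext, but any bit flipped in the ciphertext flips the same bit in
the plaintext, so an attacker who knows the layout can turn the debug
flag on without the key. A MAC over the ciphertext catches this.
"""
import hashlib
import hmac
import struct

HEADER_FMT = ">4sII"          # magic, version, debug_enabled (assumed layout)
DEBUG_FLAG_OFFSET = 8         # byte offset of the flag word in the header


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks. Demonstration only,
    not a cipher to deploy."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_image(version: int, debug_enabled: bool, payload: bytes) -> bytes:
    return struct.pack(HEADER_FMT, b"FWIM", version, int(debug_enabled)) + payload


def parse_flag(image: bytes) -> bool:
    """What a naive bootloader does after decrypting: trust the header."""
    _, _, flag = struct.unpack(HEADER_FMT, image[:12])
    return bool(flag)


def attacker_flip_debug(ciphertext: bytes) -> bytes:
    """Flip the low bit of the flag word in the ciphertext. Needs the
    layout, not the key."""
    ct = bytearray(ciphertext)
    ct[DEBUG_FLAG_OFFSET + 3] ^= 0x01
    return bytes(ct)


def sign(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Tag over the ciphertext (encrypt-then-MAC). A real device would use
    an asymmetric signature so the verifier holds no secret."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify_and_decrypt(enc_key: bytes, mac_key: bytes,
                       ciphertext: bytes, tag: bytes):
    """Verify before touching the image; constant-time compare; None on failure."""
    if not hmac.compare_digest(sign(mac_key, ciphertext), tag):
        return None
    return stream_encrypt(enc_key, ciphertext)


def demo():
    enc_key = b"k" * 32   # constructed keys, fixed for reproducibility
    mac_key = b"m" * 32
    image = build_image(1, False, b"\x00" * 64)   # debug off at build time
    ct = stream_encrypt(enc_key, image)
    tag = sign(mac_key, ct)
    tampered = attacker_flip_debug(ct)

    # Encrypt-only bootloader: decrypts and believes the flag.
    flag_seen_by_encrypt_only = parse_flag(stream_encrypt(enc_key, tampered))
    # Authenticated bootloader: tampered image rejected, genuine accepted.
    tampered_accepted = verify_and_decrypt(enc_key, mac_key, tampered, tag) is not None
    genuine_accepted = verify_and_decrypt(enc_key, mac_key, ct, tag) is not None
    return flag_seen_by_encrypt_only, tampered_accepted, genuine_accepted


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, True)`: the encrypt-only loader now runs with debugging enabled, while the authenticated loader refuses the same bytes. The two details that matter when "signing" is implemented badly are both present here: the tag is computed over the ciphertext so nothing is decrypted or parsed before verification, and the comparison is constant-time. Parsing the header first and checking the signature afterwards, or comparing tags with `==`, are the kinds of mistakes the talk's bypass demonstrations refer to.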

Christopher Wade is a seasoned security researcher and consultant. His main focuses are reverse engineering hardware, fingerprinting USB vulnerabilities and playing with Software Defined Radios. His key strength lies in firmware analysis, which he utilises as part of the hardware testing team at Pen Test Partners.

Should you choose Open Source Crypto?

What are the arguments for and against using open source crypto code, and how have they changed over time?

Glyn Wintle is CTO at dxwcyber, a security consultancy focused on attack. He has extensive experience of breaking into computer systems in both the public and private sector.

Why and How you should start using Onion Networking

The internet began as a network where any computer could communicate directly with any other; but today there are host firewalls, perimeter firewalls, content filters, NATs, DNS restrictions, BGP hijacks and all manner of other challenges that limit you and your computers' ability to communicate. The Tor "Onion" networking protocol is an alternate "disintermediated" layer 3 stack where you do not require permission nor (mostly) any setup in order to communicate directly from/to any well-known address, plus you gain a host of security & operational benefits. We describe this.

Alec Muffett has worked in host and network security for 30 years, more than 22 of those in industry, holding senior consulting, architecture and engineering roles at Sun Microsystems and Facebook. He is a member of the Board of Directors of the Open Rights Group, a member of the Security and Privacy Executive of the British Computer Society, and a security engineer at Deliveroo.

Note: Please aim to arrive by 18:15 as the event will start at 18:30 prompt.

To add your photographs to ones shown here, upload them to Flickr with the tag "oshug:event=74". You might also like to join the OSHUG Flickr Pool.