Black Hat, DefCon Talk to Focus on Smartphone Security, USB Flaws

NEWS ANALYSIS: Bolstering smartphone security, USB vulnerabilities and the endless reverberations from the National Security Agency document leaks will be the talk of the 2014 Black Hat and DefCon events.

Black Hat ChatterB

Digital security is much in the news this week as the annual Black Hat and DefCon events convene in Las Vegas. New hacks, new ways to stop hacks and new ways to attempt secure communications and user authentication will all be intensely discussed.

Also, the massive leak by former government contractor Edward Snowden of National Security Agency classified documents continues to have repercussions as individuals, enterprises and governments strive to shore up their digital defenses. I’m not in Las Vegas this year, but here are some of the digital security trends I expect to see play out.

The smartphones keep getting smarter while the sensors and cloud connections enabled by smartphones hold promise for more secure authentication. While attributes such as fingerprint scanners (the iPhone 5S has one) are nifty ideas, we are still years out from using fingerprint authentication on a regular basis.

Fingerprint scans can be tripped up by smudgy screens, high resolution photos of fingerprints can dupe the reader; and what users really want more than a replacement for a four digit pin to lock and unlock phones are secure, authenticated applications.

One company that has an interesting approach to using smartphones for authentication is Authentify. Authentify’s xFA is a cloud-based voice biometric approach that promises app authentication that would be very difficult to hack.

While Blackphone has received a lot of attention for offering a secure crypto-phone, the $600 pricetag (which also requires a similar phone on the other end) coupled with the need for users to either carry two phones or ditch their existing smartphone presents sales stumbling blocks.

TechCrunch recently highlighted Kickstarter-hopeful Jackpair which is a less costly hardware approach to crypto-phones and potentially a more secure approach than software only solutions. While each caller would require the $89 device, the hardware would work with any phone including landlines. The hardware approach of cryptography still has a lot of appeal in establishing secure communications.

In the meantime, the hacks being announced around the Black Hat—and later in the week the less corporate Def Con—have already started appearing. The ubiquitous USB drive was the target of an early and thorough thrashing by two security pros intending to expose the full range of USB deficiencies at Black Hat.

The USB drives and ports have long been an avenue of hack attacks to the point where more than one CIO ordered IT tech support to pour glue into gullets of all USB ports to prevent their use. It will be interesting to see if the USB 3.0 standard will cure some of the highlighted digital ills.

The Snowden revelations related to NSA privacy intrusions and tampering with vendor communications equipment, continue to play out at an international level. The latest crisis come from China where according to a Reuters report, “China has excluded U.S.-based Symantec and Russia's Kaspersky Lab from a list of approved antivirus software vendors," according to a Chinese media report suggesting Beijing is expanding efforts to limit use of foreign technology. The approved list contained all Chinese companies.

This move follows the deterioration of U.S. and Russia relations over the Ukraine crisis one result of which has Russian authorities demanding to see the source code from Apple and SAP.

The chances of either Apple or SAP complying with the demands are less than zero. But in both the Chinese and Russian examples it is clear the Snowden reverberations are going to continue to play out in social, technological and political realms in ways never predicted.

Digital security has moved from a cat and mouse game between vendors and lone hackers to sophisticated organized attacks against corporations. The unfolding digital security news this week shows that the hackers and the defenders are not going to lie quiet this summer.

Eric Lundquist is a technology analyst at Ziff Brothers Investments, a private investment firm. Lundquist, who was editor-in-chief at eWEEK (previously PC WEEK) from 1996-2008 authored this article for eWEEK to share his thoughts on technology, products and services. No investment advice is offered in this article. All duties are disclaimed. Lundquist works separately for a private investment firm which may at any time invest in companies whose products are discussed in this article and no disclosure of securities transactions will be made.