
Ask HN: What are current problems or trends regarding cybersecurity? - yasinaydin
I am asking for possible subjects and ideas for my cybersecurity bachelor thesis. I have 10+ years of experience as a fullstack dev and sysadmin. I have been following HN for a long time and learned so many things. I am not expecting a thesis idea, but a discussion would definitely help me think about possibilities and widen my horizon.

I already have a few items in my list, but I can't find any of these strong enough, because they are either too general or too vague:

- Container (Docker, etc) security
- Media originality check (eg anti-deep fake or propaganda)
- Security of IoT data, especially in cloud
- Security of health care (don't know how)
======
thewizardofaus
What about companies not taking responsibility of their own data?

You could talk about how FB makes $15 per quarter from users and they give up
X,Y,Z of data. Yet 90% of the userbase wouldn't pay $15 a month for an
advertisement-free platform.

Alternatively, how about the Equifax hacks? And your Thesis could be on
pricing users data. And viable compensation measures.

~~~
yasinaydin
Thank you very much for the thought. A quick Google Scholar search showed
almost no research about this subject. I find this subject very important,
but I also don't see the impact of such research, since these "big evil
corps" have done or caused much worse problems and they still exist.

Another thing is, I don't know if I can do this research by myself, or need
some other professionals/academicians and where to start.

Could you please provide more info or insight, if you have?

------
badrabbit
SOAR platforms and how ML can help is a good topic for you. (Check out
siemplify and demisto). No FOSS solutions to date for SOAR!

Cheap and good cross-platform endpoint security, reducing and simplifying the
overhead of managing endpoint security, is also another.

Email security is also big but not as popular of a topic (again, no cheap or
FOSS solutions other than a DIY mess you hope management will accept).

I am personally interested in and working around the area of methodical
approaches to blue teaming. MITRE's ATT&CK techniques have laid some basic
foundations. Different people or companies basically throw money at an
expensive solution(s) and even more expensive staff and basically put forth a
best-effort use of tools and skills, which isn't bad, but even with good threat
modelling, attackers will still find a way and typically you just throw darts
in the dark or use best guess (or popular trends). Methodically defining
attacker techniques against your specific environment, threat hunting based on
attacker techniques, and continually updating your tools+skills+processes will
allow for a measurable increase in maturity and actual ability to find and
respond to attacks.

Like it or not, the biggest gaps in security are architectural, process and
managerial in nature. But I hope the more technical ideas I mentioned help;
there are also other trendy things like "zero trust". As a dev and admin you
should definitely look at SOAR and challenges around collecting and storing
very high volumes of logs efficiently and cheaply.

------
thephyber
I'm currently interested in mining bug bounty disclosed reports and bounty
hunter profiles to come up with archetypes of both defending organizations and
attacking groups/individuals.

Long term, I would like to see attack+defense hacking incidents run as
computer simulations (in a framework like OpenAI's "gym"), but I suspect the
public (outside of intelligence and a few select private cybersecurity
companies) doesn't have enough information to build this type of model yet.
Developing sensors and converting raw data into information to be able to
build those models is a prerequisite.

------
CM30
Generally, the biggest problem is that many companies just don't see updates
as all that important unless they're offering a computer program or internet
service. Many smart devices, IoT devices, etc don't get updates at all, which
leaves them wide open to anyone with the technical knowhow to attack them.
Especially if they're internet connected, like many of them are.

Getting companies to issue updates and fix security problems in these devices
seems like one of the most important issues we're dealing with security wise.

~~~
thephyber
> Getting companies to issue updates and fix security problems in these
> devices seems like one of the most important issues we're dealing with
> security wise.

I would argue this is tangential to another massive problem: corporate IT
teams are largely overwhelmed with the number of security patches required to
keep their entire network updated (my company is in this space).

Device manufacturers not patching their devices is one issue (zero day), but
it's not likely the largest issue. I would say that devices that have patches
available, but unapplied (Unpatched Vulnerabilities) are at least 10x bigger
problem. I don't think your observation and the UV problem are unlinked --
most electronics manufacturers don't have a streamlined way of developing a
patch, notifying the device owners/controllers, and pushing it quickly+easily
to their devices.

The {CVE database, OVAL, OSQuery} are useful, but it's very difficult for
network owners to identify devices and know whether they are patched, let
alone act on that and test+apply patches organization-wide.

~~~
yasinaydin
I agree. Between 2005-2009, I used to work on systems of factories which had
some CNC machines that were using Windows 95 and 98. They were not connected
to the internet or company network and were receiving the required files via USB
sticks. That was also how Stuxnet infected power plants.

------
lacker
Cryptocurrency has some pretty interesting security implications. There are
threats to individual keys, as well as threats from hackers who find flaws in
smart contracts.

------
lestorbanks
Supply chain security is another interesting one. Both hardware and software.
Products are built with components from many suppliers, from all over the
world, and understanding the security of these is hard. All the current
geopolitical excitability / nation state influences make this topical. NSA
intercepting networking hardware and implanting monitoring, or AV software
build pipelines being compromised; there’s a lot to think about and improve.

~~~
thephyber
Along these lines, I've considered trying to come up with a system for
evaluating risk to your software applications based on observable risk factors
for any given (3rd party) library used in your application.

Basically the idea revolves around identifying data points of risk for the
project including: comprehensive unit tests, integration tests, public design
documents, adhering to some non-trivial code standards, automated
linting/static analysis, dynamic analysis, automation of builds, automated
updating upstream libraries as soon as they are released, all project
developers have some sort of public identity + verifiable employer +
reputation.

Bonus points for security audit, whitehat communication guidelines, bug bounty
program with incentives, fast fixes for reported security issues.

Negative points for the absence of any of these coding practices, slow to
respond to security reports/incidents, lack of 2FA on accounts, high number of
historical CVEs, difficult to protect languages/frameworks/architectures, etc.

These likely aren't easy to identify (probably the largest reason this hasn't
publicly happened yet), but I imagine some of them can be automated or MTurked
or at least approximated. I imagine the large nation-states (could) have
dossiers on (many/most/all?) developers and code projects they have come
across.

------
chelmzy
Log management. Specifically tracking what you are currently ingesting vs what
you could be. Basically a visibility dashboard.

Another is automated testing of detections on a regular basis. Although some
people are doing this with the automated pentests and stuff. I would like to
see a platform that imports your current rules and generates attacks based off
of them. Then it can run once a month to make sure your alerts are firing.

------
adamnemecek
I think that a lack of a simple identity and authentication solution is a
problem. In some sense, it makes no sense that file permissions and website
logins are two different authentication schemes.

~~~
thephyber
I don't think it's that the stack doesn't exist anywhere. It's more that the
best authentication systems are siloed within a few select organizations and
trust across organizations is spotty.

If I had to recommend a single simple+powerful auth system right now, it would
likely be Duo Security[1].

And there are countries (SKorea, Estonia) and even organizations within the US
(US DoD) which have largely solved authentication. SKorea and Estonia allow
(require?) digital transactions to use their state-issued digital ID. The US
DoD has ID cards, digital login systems, etc (although it's not clear to me
how homogenous or "simple" it is).

Windows is working on "Hello".

Apple has (TouchID + FaceID + iTunes/iCloud).

Facebook properties use the FB auth stack(s).

Google properties use its auth stack.

Amazon properties use its auth stack.

I think the complexity is that there is no "one account to rule them all", but
I'm not sure I would trust any organization listed above to not screw it up.
The US DoD is probably best equipped to understand the needs of building a
robust authentication solution, but they also have physical control of their
persons and don't necessarily need to work on the timeframes that the other
companies listed here work on. Every single organization I've listed has had
at least one high profile data/IP breach, so I would argue it's the asymmetric
nature of defense versus attack that is the problem in the current internet
space.

[1] [https://duo.com/](https://duo.com/)

~~~
yasinaydin
I thought projects like OpenID and OAuth were created to solve this problem
(yet they didn't).

Zero Trust also made my possible subjects list, thanks!

I have lived in Estonia for the last 3 years and I only had to use my physical signature
once. Estonia has various authentication methods[1] where everything is signed
digitally, so finding a good idea is hard because of competition.

I wouldn't trust the US DoD or any US gov institutions to build systems which do
not have a backdoor. As for data breaches: it wouldn't be a problem if data
is encrypted, would it? That's why I think distributed systems might be a
solution for this.

[1]: [https://e-estonia.com/solutions/e-identity/mobile-id/](https://e-estonia.com/solutions/e-identity/mobile-id/)

------
toomuchtodo
Institutional challenges in implementing information security best practices.

We know how to be secure, but lots of folks still ignore doing so until it’s
too late.

------
cjbprime
C code is rather suddenly toxic due to advances in fuzzing and reverse
engineering and needs to be moved away from quickly.

~~~
jpkiser
Can you point me to any reading or resources on this topic?

~~~
thephyber
Not a specialist in C and I'm not sure about the "suddenly" (it's always been
a "powerful but dangerous" language), but for fuzzing look into AFL[1] (a
fuzzing program which uses a genetic algorithm to search a massive space of
all possible inputs, but gravitate towards interesting fuzz inputs once a
crash is observed) and for recent reverse engineering, the NSA released
Ghidra[2] (reverse engineering framework).

[1] [http://lcamtuf.coredump.cx/afl/](http://lcamtuf.coredump.cx/afl/)

[2] [https://github.com/NationalSecurityAgency/ghidra](https://github.com/NationalSecurityAgency/ghidra)

~~~
cjbprime
Yeah, the "suddenly" part refers to new techniques for using non-random inputs
to fuzzers like AFL, combined with massive compute power from e.g. Google's
ClusterFuzz. I don't have any good summary links, though.

------
thephyber
A few observations. Make of them what you will.

Basic fraud is still 100x larger of a problem than the more exotic/interesting
cybersecurity problems. Former Facebook CSO Alex Stamos had a convention
talk[1] about this. The average cybersecurity problem is still of the template
like:

- Nigerian 419 scam (or similar social media fake account used to pull heartstrings)
- Romanian spam email e-commerce
- 12 year old boy steals parents' credit card info to pay for $100s in Fortnite (or similar vidya game) customizations
- 15 year old girl is convinced to give her website credentials to her friend for fear of social reprisals
- Harvesting of contact info + Open Source Intelligence for more traditional phone scams

There is an arms race in just about every aspect of cybersecurity:

- Detection of fraud versus bypass
- IDS/WAF attack signatures
- Email spam filters
- Endpoint malware detection signatures
- Behavior detection (like conditional challenges via ReCaptcha or for Google authentication)
- Math+security researchers try hard to break cryptographic hash schemes (using techniques more efficient than just brute force)

Game theory is a large part of cybersecurity, because it's largely a human
endeavor (even if it's executed by software/bots). The paid bug bounty
programs are an interesting exercise in economics and markets (as a bug bounty
hunter, how do they choose a target from all of the possible companies that
participate in bug bounty programs?).

Cybersecurity is an asymmetric game, as it is currently set up. The attacker
"only has to be right once", whereas the defender "has to be right all the
time". IT teams "think in lists", whereas hackers "think in graphs".

It's easier than ever to automate security and updates, but increasingly it
takes more and more cognitive effort to set up those systems (which inevitably
slow down business) so the long-term-optimal is frequently abandoned for the
short term convenience.

The massive explosion of social media in the past 10 years could have
compromised OpSec for an entire generation of computer operators. When we
post credit card details on Twitter[2], it's clear that the average person
needs to have better OpSec.

OpSec is bad even when not on social media, as shown when hackers saw account
credentials on a desk in the background of a television interview[3]. Kids are
conditioned by their parents to share their passwords, then develop the bad
habit of sharing passwords as a sign of affection for their social peers[4].

AI/ML and Quantum Computing have the _potential_ to cause a massive shift in
the current attack/defense posture and current security practices, but when it
might show up in practical applications is anyone's guess.

There are legal+policy questions about whether we should try and entrust
secret keys to all smart devices to the manufacturer, police, or intelligence
services. Even among the Five Eyes countries, the answers to these questions
are currently in very different places.

[1] [https://youtu.be/YJOMTAREFtY?t=1099](https://youtu.be/YJOMTAREFtY?t=1099)

[2] [https://twitter.com/Needadebitcard](https://twitter.com/Needadebitcard)

[3] [https://arstechnica.com/information-technology/2015/04/hacke...](https://arstechnica.com/information-technology/2015/04/hacked-french-network-exposed-its-own-passwords-during-tv-interview/)

[4] [https://www.nytimes.com/2012/01/18/us/teenagers-sharing-pass...](https://www.nytimes.com/2012/01/18/us/teenagers-sharing-passwords-as-show-of-affection.html)
