Comprehensive coverage

"The solution to the security weaknesses in all devices and protocols - educate the developers not to release a product that has not been fully tested"

This is what Prof. Eli Biham said yesterday (Monday), at a seminar at the Technion on cyber attacks

Prof. Eli Biham at the conference today. Photo: Shitzo photo services, Technion agencies.

"The solution to the security weaknesses in all devices and protocols - educate the developers not to release a product that has not been fully tested from the security aspect." This is what Professor Eli Biham said at a seminar on cyber and information security, held yesterday (Monday) at the Technion. The conference was organized by prof.

Ohad Bobrov from Lacoon said at the conference that it is very easy to plan a hack for the purpose of spying on a certain person on any mobile device. "One in every thousand mobile devices contains a dedicated spying system. The problem is that the manufacturers know about the loopholes, but it takes them a long time to respond," he emphasized.

According to Prof. Biham, the problem does not lie in the fact that hackers break into computers and mobile phones, but in the weaknesses that make this possible. "There is a fundamental problem in the education of programmers all over the world, who do not make sure that those who leave the educational institution are aware of all the problems that the software they develop may cause. All those who try to release a product before a deadline give up security. The problem is that customers don't care and are willing to buy these products without security, whether it's in the mobile market, the PC market, or any product."

"The correction to the problem of basic education will only come if consumers do not agree to purchase products that have not been tested from the aspects of information security," added Prof. Biham. "I have yet to see a person willing to go to the post office and buy a transparent envelope to send mail even if it is half price. But when it comes to phones or computers, they don't ask if it's transparent."

As for the timing of the conference, on the day when a mass attack on servers in Israel was planned and carried out, Prof. Biham said that attacks of various kinds occur all the time and are not targeted at a specific day. "The special thing today is organizing for Denial of Service attacks," he explained. "This type of attack is only successful if many requests arrive at the same server at the same time. Some said that we should shut down servers on this day; my answer is that this is exactly what the attackers want - to shut down our servers, so why should we help them?"
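The point in the quote above, that a Denial of Service attack only works when many requests reach one server in the same short interval, also tells a defender what to look for in the server's own logs. The following is an added example, not code from the article or from any of the speakers: it parses web-server access log lines in Common Log Format, flags a single source that exceeds a per-source request limit inside a sliding time window, and separately reports the peak request count across all sources, since a distributed flood can keep every individual source under the per-source limit. The log lines are constructed for the example, and the window length and limits are assumed values that a site would tune to its own normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: client_ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return (client_ip, timestamp, request) or None for a line that is not CLF."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def find_flooding_sources(lines, window_seconds=10, per_source_limit=10):
    """Flag each client IP the first time it exceeds per_source_limit requests
    within any window_seconds-long sliding window.  Lines must be in time
    order, as a server writes them.  Limits are assumed example values."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}                  # ip -> time at which it crossed the limit
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip unparseable lines instead of crashing
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > per_source_limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


def peak_request_rate(lines, window_seconds=10):
    """Highest number of requests from all sources together in any
    window_seconds-long window.  Catches a distributed flood in which no
    single source exceeds the per-source limit."""
    window = timedelta(seconds=window_seconds)
    q = deque()
    peak = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts = parsed[1]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak = max(peak, len(q))
    return peak


# --- constructed sample log, not real traffic ----------------------------
T0 = datetime(2013, 4, 7, 10, 0, 0, tzinfo=timezone(timedelta(hours=3)))


def _clf(ip, seconds_after_t0):
    ts = T0 + timedelta(seconds=seconds_after_t0)
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET / HTTP/1.1" 200 512'


_events = []
_events += [("203.0.113.7", s) for s in range(12)]        # one source, 12 hits in 12 s
_events += [("198.51.100.20", s) for s in (0, 30, 60)]    # an ordinary visitor
for host in range(1, 9):                                   # 8 sources, 3 hits each at 40..42 s
    _events += [(f"192.0.2.{host}", s) for s in (40, 41, 42)]
_events.sort(key=lambda e: e[1])                          # keep server-style time order
SAMPLE_LOG = [_clf(ip, s) for ip, s in _events]
SAMPLE_LOG.insert(5, "this line is not in log format")   # the parser must skip it

if __name__ == "__main__":
    print("flooding sources:", find_flooding_sources(SAMPLE_LOG))
    print("peak requests in any 10 s window:", peak_request_rate(SAMPLE_LOG))
```

On the constructed log, only 203.0.113.7 crosses the per-source limit (at the eleventh request, ten seconds after its first), while the eight 192.0.2.x hosts stay under it individually yet together produce a peak of 24 requests in one window, which is why both measures are worth keeping side by side.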

In the first session of the conference, Prof. Orna Grumberg from the Faculty of Computer Science at the Technion presented a system she developed together with other researchers - an algorithm that automatically searches for security loopholes in the OSPF routing protocol, which determines the route that data packets take from computer to computer. The OSPF protocol learns the structure of the network in order to know how to forward packets, and traffic cannot be routed across a network without such a protocol. Until now, the only way to find loopholes was through experts who manually checked the code. The algorithm was able to simulate hacking events that surprised the researchers.

Ohad Bobrov, one of the founders of the Lacoon company, showed how, with simple and common means that can be downloaded from the net, it is possible to hack into any phone, view the contact list, listen to the microphone, activate the camera, and do anything else that comes to the attacker's mind.

"The demonstrations were amazing. I always knew it was terribly easy to hack into any cellular device and any basic protocol in Internet traffic, but today I was amazed to see how easy it is," Prof. Biham concluded.

5 comments

  1. I have no complaints against the outstanding scientist and cryptographer Eli Biham (if he is indeed one). I have problems with his attempt to look for the coin under the lamp, while adamantly ignoring what is happening in the global high-tech arena and all the factors operating in it (who are all pushing to go to market already, without any security nonsense, and very little code quality, if any).

  2. It's a little strange to me that you underestimate the person who cracked the encryption algorithm of the American Ministry of Defense...
    I would try to learn from his words... but maybe it's just me?

  3. I ask myself whether Prof. Biham has worked for even one day as a software developer for a living and faced the dilemmas that plague every software engineer in terms of software quality against a deadline, a list of features that must be realized, customer requirements (real, not made up), management, marketing, competitors and so on? I am convinced that he would not have dared to say such a stupid sentence as "educate the developers" if he had a clue.

    But since it seems to me that there is an urgent need to educate Biham, I must point out that "computer science" studies, which are mistakenly also called "software engineering", are light years away from actual software engineering, and I am convinced that even Prof. Biham is not capable of being "aware of all the problems that the software they develop may cause". Getting close to this ability takes expertise that is not easy at all to acquire, which can be achieved only with many years of experience, certainly not as part of a "bachelor's degree in computer science".

  4. It is not possible to "not release a product that has not been fully tested".
    There are always untested end states. There are also combinations of end states, some of which are known and some of which are unknown.
    That's what hackers are for.

  5. Did he refer to the fact that the intelligence agencies are the ones who want control over the information?
