10 great security TED Talks
I love watching TED Talks. The conference, which covers technology, entertainment, and design, was founded by Ricky Wurman in 1984 and has spawned a cottage industry featuring some of the greatest speakers in the world. I attended a TED Talk when it was still an annual event. I was also fortunate to meet Wurman when he was producing his Access city guides, an interesting mix of travelogue and design.
This is an idiosyncratic guide to my favorites TED Talks around cybersecurity and general IT operations, plus some of the lessons I’ve learned. If you get a chance to attend a local event, do it. You will meet interesting people both on and off the stage.
Things that seem new are often variations of old attacks. A recent phishing campaign dubbed Heatstroke is a good example. The campaign involves malware-laced images used to hide code from easy detection by defenders and threat hunters. Security researchers have seen this technique for years. Rodrigo Bijou’s 2015 TED Talk mentions malware-injected images as part of ad-based clickjacking attacks. Heatstroke is just a new take on an old problem.
Bijou also references the Arab Spring. One of the consequences of public protests, particularly in countries with totalitarian governments, is that the government can restrict communications by blocking overall Internet access, which is being done more frequently. NetBlocks tracks such outages in countries all over the world, including Papua, Algeria, Ethiopia, and Yemen. Bijou shows a now-famous photo of the Google public DNS address (126.96.36.199) that had been spray-painted on a wall in the hope that people would know what it means and use it to avoid the net blockade.
Since 2015, numerous public DNS services have been established, many of them free or low cost. If you haven’t already, investigate your DNS supplier for both performance gains and security options—many services filter out bad URL links and phishing lures, for example. Consider switching after using a similar testing regimen to find the best technology that works for you.
Email encryption is another technology that has been around a long time. Andy Yen, one of the founders of encrypted email service ProtonMail, describes how encryption works in his 2014 TED Talk. It’s been viewed 1.7 million times as of the time of this writing. Three of those views are mine. The gist is that we still have a love-hate relationship with email encryption. Many companies still don’t use end-to-end encryption to protect their communications, in spite of numerous improvements made to products and the continuous improvement of encryption technologies. Bottom line is that you have choices. In addition to ProtonMail, there are small business encryption solutions such as the Helm server that make encryption easier to deploy.
Bruce Schneier gave his talk in 2004 at Penn State about the difference between the perception and reality of security. Part of the staying power of Schneier’s message is that humans still process threats pretty much the same way we’ve done since we lived in caves: We tend to downplay common risks (such as finding food or driving to the store) and fear more spectacular ones (such as a plane crash or being eaten by a tiger). Schneier has been talking about “security theater” for many years now, such as the process by which we get screened at the airport. Part of understanding your own corporate theatrical enactment is in evaluating how we tend to trade off security for money, time, and convenience. What’s your security trade-off?
Juan Enriquez’s talk in 2013 examines the rise of social networks and our hyperconnected world. Enriquez discusses the effect of social media posts, calling them “digital tattoos.” The issue—then and now—is that all the information we provide on ourselves is easily assembled, often by just tapping into facial databases, and without even knowing that our picture has been taken by someone nearby with a cell phone. “Warhol got it wrong,” he says. “Now, you are only anonymous for 15 minutes.” He suggests that we are threatened with immortality because our digital tattoos follow us around the Internet. This talk is a good reminder to pause before sharing on social media, and for companies to create formal policies and provisions for social media. If you haven’t yet, get a move on and think before you post.
Lorrie Faith Cranor, a professor of computer science and engineering at Carnegie Mellon University (CMU), talks about passwords in this 2014 TED Talk.
If it isn’t already abundantly clear, watching several TED talks underscores that passwords are still the bane of our existence—despite the technologies to improve how we use them and harden them against attacks. You might be surprised to learn that once upon a time, college students only had to type a single digit for their passwords. This was at CMU, a leading computer science school and the location of one of the computer emergency response teams. The CMU policy was in effect until 2009, when the school changed the minimum requirements to something a lot more complex. Researchers found that 80 percent of the CMU students reused passwords, and when asked to make them more complex, they merely added an exclamation point or an @ symbol to them. Cranor also found that the password strength meters provided by websites to help create stronger passwords don’t really measure complexity accurately, with the meters being too soft on users as a whole.
A classic password meme is the XKCD cartoon that suggests stringing together four random common words to make more complex passwords. The problem, though, is that these passwords are error-prone and take a long time to type in. A better choice, Cranor’s research suggests, is to use a collection of letters that can be pronounced. This is also much harder to crack.
Passwords are the weak entry point into our networks, and corporations that have deployed password managers or single-sign-on tools are a leg up on protecting their data and their users’ logins.
Another frequently viewed talk is by German security consultant Ralph Langer in 2011. He tells the now-familiar story about how Stuxnet came to be created and how it was deployed against the Iranian nuclear plant at Natanz in 2010.
What makes this relevant for today is the effort that the Stuxnet creators (supposedly a combination of U.S. and Israeli intelligence agencies) designed the malware to work in a very specific set of circumstances. In the years since Stuxnet’s creation, we’ve seen less-capable malware authors also design custom code for specific purposes, target individual corporations, and leverage multiple zero-day attacks. It is worth reviewing the history of Stuxnet to refresh your knowledge of its origins. "How Symantec cracked Stuxnet" is also worth reading.
Computer science professor Avi Rubin talks about how IoT devices can be hacked and the fact that attacks have been going on for years—as far back as 2006. They have also become common, such as the Mirai attacks that began in 2016. Since then, we have seen connected cars, smart home devices, and other networked devices become compromised. One takeaway from Rubin’s talk is that attackers may not always follow your anticipated threat model but instead look for a way to compromise your endpoints with new and clever methods. Rubin urges defenders to think outside the box to anticipate the next threat.
Del Harvey handles security for Twitter. Her talk focuses on the huge scale brought about by the Internet and the problems she faces daily. The Tweet volume screened and examined for potential abuse, spam, or other malicious circumstances is staggering: 500 million Tweets per day in 2014. Add the lack of context to evaluate what the Tweet means and the task is that much harder. Security defenders face similar challenges while processing daily network traffic to find that one bad piece of malware buried in log files. Harvey says it helps to visualize an impending catastrophe where she assumes the worst will happen and then works backward to prevent it. For the rest of us, that means we must approach the scale problem through the use of better automated visualization tools to track down potential bad actors.
This 2014 talk by Carey Kolaja examines her experiences working for PayPal. She was responsible for establishing new markets that could help the world move money with fewer fees and less effort. Part of her challenge was establishing the right level of trust so that payments would be processed properly and bad actors would be quickly identified. She tells the story of a U.S. soldier in Iraq that was trying to send a gift to his family in New York. The transaction path was flagged by PayPal’s systems because of the convoluted payment route. This was a legitimate transaction, but it showed that human evaluation was required to deal with oddball payment events. The lesson here is in how we examine authentication events worldwide and that risk-based security scoring tools to flag similar complex transactions should be implemented. “Today, trust is established in seconds,” she says, which also means that trust can be broken just as quickly.
Our final talk is by Guy-Philippe Goldstein in 2010 on how hard it is to correctly get attribution after a cyberattack—pinning down why you were targeted, who was behind the attack, and when you were first penetrated by the adversary. “Attribution is hard to get right,” says Goldstein, “and the consequences of getting it wrong are severe.” Wise words, and why you need to have red teams to boost defensive capabilities to anticipate where an attack originates.
A final word
As you can see, a lot can be learned from TED Talks, even the ones given years ago. There are still security issues to be solved, and many of the lessons in these talks are relevant to today’s environment.
Security-related TED Talks: Lessons for leaders
- Check out public DNS providers to protect networks from outages in conflict-prone hotspots around the world.
- Consider privacy implications of users' social media posts. Assemble appropriate guidelines for how they consume social media.
- Improve your password portfolio by using a password manager, a single-sign-on tool, or some other mechanism for making them stronger and less onerous in their creation for your users.
- Think outside the box, and visualize where your next threats will appear on your network.
- Examine whether risk-based authentication security tools can help provide more trustworthy transactions to thwart phishers.
- Build red teams to help harden your defenses.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.