OSLO – On Thursday 7th April, NDC Conferences hosted the last day of its four-day Norwegian Developers Conference (NDC) event on IT security and cybersecurity at Rebel Oslo, aiming to inspire developers to exchange knowledge, learn current best practices, and gain further training in deep-dive workshops with well-known experts from around the world.
There is no doubt that much of our daily interactions are now through digital devices, whether we are making purchases online, transferring money overseas, connecting with friends through social media apps, or storing documents in the cloud. Technology is present in our lives for various useful means.
Global digitalisation is not without its risks. To protect our digital information from threats like identity theft, data loss, and unauthorised access, security is becoming more important than ever. Just three days ago, the email marketing firm Mailchimp suffered a data breach that resulted in cryptocurrency phishing scams. Around 300 Mailchimp user accounts were compromised by the hack.
The NDC Security conference is part of the main NDC Conferences but focuses on security, and ran for the first time in Oslo. The conference brought together 37 speakers, including well-known international experts in the field such as Jim Manico, Philippe De Ryck, and Scott Helme.
The Oslo Desk attended Dr Philippe De Ryck’s session on web security through understanding the vulnerabilities of APIs, Per Thorsheim’s password protection and recommendations, and Einar Otto Stangvik’s findings on smart home device threats, to raise awareness of the security risks in our everyday use of technology and the current prevention measures. All speakers gave practical steps and advice for developers to prevent these security threats.
Dr Philippe De Ryck, Founder of Pragmatic Web Security and Google Developer Expert, helps developers protect companies through better web security. In De Ryck’s session, “Getting API Security Right”, he emphasised that security should never be an afterthought when building any technology, from apps to websites.
API stands for Application Programming Interface: a defined set of rules through which computer programs connect to and exchange data with each other. In our everyday lives, APIs run in the background of web applications. For example, travel sites like Expedia retrieve and aggregate flight information from airline companies, and many convenient functions such as Facebook logins on different websites or apps are made possible by APIs.
Dr Philippe De Ryck, Founder of Pragmatic Web Security and Google Developer Expert. Photo: Ka Man Mak.
Throughout his session, he noted real-world cases such as the Bumble dating app, where an insecure API exposed user photos and information and allowed premium features to be bypassed. Another is the 2021 T-Mobile data breach, which exposed the information of 40 million users, including phone numbers, social security numbers and account PINs. De Ryck also dived into best practices for developers securing APIs, based on the OWASP API Security Top 10. De Ryck travels the world to train developers on web security and security engineering, and held workshops at the conference.
On what the public could do about such security risks presented by API vulnerabilities, he said “As a member of the public using apps, it is hard to assess the security because you are fully dependent on what is disclosed. It is very hard to do something about it. Things that can work are to raise awareness if companies are misbehaving; if they lack security by getting the public to call them out. That definitely helps by demanding that they fix things.” This would then lead companies to stop using those insecure web applications.
Password Recommendations – My Phone is my Castle
Per Thorsheim is the founder of PasswordsCon, the first and only conference dedicated to passwords and digital authentication, and the CISO for BankID and BankAxept. Thorsheim started his session by going through his list of recommendations on setting passwords:
- Make your password a sentence (you can use spaces)
- For every unique account, use a unique password
- Write down your passwords
- Use two-factor authentication
His years of experience show that mandatory and frequent password changes actually reduce security and destroy the user experience. This was reiterated in a Microsoft blog, which stated that “When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.” Instead, policies should enforce banned-password lists, since easily predictable passwords invite security risks. Thorsheim also recommended using a client-side passphrase generator. A passphrase is a password composed of a sentence or a combination of words, and is usually much longer than the average password.
Per Thorsheim, Founder of PasswordsCon and CISO for BankID and BankAxept. Photo: Ka Man Mak.
While Thorsheim talked about passwords, he also emphasised the user experience, challenging service providers on whether it is really necessary to create an account in order to buy a pair of shoes, for example. He also raised the increasing use of mobile phones for digital authentication, which poses problems if people lose their phone, if the battery runs low, or if they cannot afford to buy more mobile data.
Thorsheim presented many case studies and best practices for developers. Since pop-ups can be a gateway for attackers to steal users’ information, service providers should have official communication channels through which they update their users on new technical implementations they will carry out, for example if they are conducting a marketing survey. He also stressed the use of NIST SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management.
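The banned-password-list policy and client-side passphrase generator recommended above, together with the NIST SP 800-63B guidance Thorsheim pointed to, can be shown in a small Python example. This is added illustration, not code from the speaker or the conference; the banned list and word list are constructed samples, and the leet-substitution map is an assumption about common variants a real deployment would tune.

```python
import secrets
import unicodedata

# Constructed sample data. A real deployment would load a large breached/common
# password corpus and a word list of several thousand entries.
BANNED_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1", "admin"}
WORDLIST = ["harbour", "lantern", "walrus", "pencil", "orbit", "meadow", "glacier", "saffron"]

# Assumed substitutions users reach for when a site nags them; folding them lets a
# banned-list lookup catch "P@ssw0rd1" as well as "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "4": "a", "7": "t"})


def normalise(password: str) -> str:
    """Case-fold, apply Unicode compatibility normalisation, drop a trailing
    digit/symbol suffix, then undo common leet substitutions."""
    folded = unicodedata.normalize("NFKC", password).casefold()
    folded = folded.rstrip("0123456789!?.#")
    return folded.translate(LEET_MAP)


def evaluate_password(password: str, min_len: int = 8, max_len: int = 64) -> list:
    """Return the list of policy violations; an empty list means the password is accepted.
    Mirrors the NIST SP 800-63B memorised-secret model: a length floor, a generous
    ceiling so sentences fit, a banned-list check, and no composition rules."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    # Check both the raw case-folded form and the normalised form: "123456" only
    # matches raw, "P@ssw0rd1" only matches after normalisation.
    if password.casefold() in BANNED_PASSWORDS or normalise(password) in BANNED_PASSWORDS:
        problems.append("matches a banned (commonly used or breached) password")
    return problems


def generate_passphrase(words: int = 4, separator: str = " ") -> str:
    """Client-side passphrase generator: a sentence-like string of random words.
    Uses the secrets module (CSPRNG), never random.choice."""
    return separator.join(secrets.choice(WORDLIST) for _ in range(words))


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd1", "my phone is my castle", generate_passphrase()]:
        print(repr(candidate), evaluate_password(candidate) or "accepted")
```

Note that the check deliberately has no "must contain a digit and a symbol" rule: the length floor plus the banned list is what SP 800-63B asks for, and spaces are allowed so a sentence works as a password.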
Contrary to the common belief that writing down your passwords or using a password manager is dangerous, Thorsheim showed a video alerting parents and youth to why it is important to write down your passwords. Narrated by a young girl: “Dear mom and dad, if you are reading this, I have most probably disappeared against my own will. To make it easier for you to find me, I have written down some usernames and passwords that you will need. I probably have my mobile phone with me. Remember that it can be traced. Here is the list of usernames and passwords that will help you. Here you will find details for Facebook, my cellphone, Hotmail, Instagram and Snapchat. Please remember that I love you very much.” It ended with, “Electronic traces are getting increasingly important to locate missing people. Have you left enough information behind so that we can find you?”
Threats from Smart Home Devices
Einar Otto Stangvik is the Newsroom Security Lead at the Norwegian newspaper VG, where he has spent the last eight years contributing to advanced data investigations, story presentation and newsroom security.
Stangvik started by laying out his findings on the complexity of Bluetooth-enabled smart home devices and their security risks. He dug into Qualcomm’s CSRMesh, a Bluetooth-based mesh technology used by smart devices to communicate with smartphones and tablets, for example. The security risks include devices being misused and abused, information leaks, firmware being updated over Bluetooth, and takeover of the whole system, any of which could be detrimental to businesses and home life.
Einar Otto Stangvik is the Newsroom Security Lead at VG. Photo: Ka Man Mak
The risks posed by Bluetooth could be seen in a recent unusual event where a journalist in Kyiv received a pop-up requesting that an unknown device be paired with his iPhone. The intention behind the pop-up is unknown, but the problem is real.
On whether the public should stop purchasing smart home devices, he said “I think there are a couple of different ways of talking about these things. So, when I talk about it in a room full of people doing technology, I emphasise that this is bad, this is terrible, this is horrible, and we need to do better. But at the same time, the actual risk for most would be somewhat lower. Like sure, there have been cases where medical equipment and so forth have been vulnerable to these things. I wouldn’t say that there is a cause for panic exactly. But we certainly need to stay vigilant and keep being sceptical, but not become completely techno-paranoid. Try to maintain some balance, I believe.”
Reflections on Solving the Current Security Risks
The Oslo Desk asked all three speakers for their thoughts on solving the security risks that were presented during the conference. Many believed that policy making is a step forward, and many countries are starting to implement strict regulations.
“Things are happening. In California, they have passed a law that any products and services being sold in stores are not allowed to have a default password in place. They cannot have a default password across all devices. Every device needs a unique password or it has to be set up in such a way that when the user wants to start using the device, they need to start setting a unique password first,” said Per Thorsheim.
He continued, “Now if you pick 123456 then the vendor cannot be blamed for that, that is your choice. So, don’t do that. I think the UK has also passed a similar law saying that equipment should not be sold with default passwords in place. Norway has not done that yet and most countries haven’t done so. And yes, I think governments should most definitely put such laws in place because otherwise I don’t think security will improve, or it will just improve too slowly.”
Philippe De Ryck said that there are checklists that developers should follow but no one is verifying them: “So I can start a webshop today and I wouldn’t really have to follow any security guidelines. However, there are some privacy regulations on not exposing users’ data and handling responsibility, and they kind of rely on security, because you can’t protect users’ data if everything is up for grabs for everyone who knows how to ask for it. So, we do see the effects of that as companies are being fined for mishandling data. Maybe this would be the gateway to enforce security.”
Given the growing landscape of online services, De Ryck sees web applications being used more and security becoming more complicated, and one cannot expect an early-stage developer to know everything about security. He believes there will be a greater need for tool support that makes it manageable for developers to follow the right steps.
Einar Otto Stangvik said, “For one, it helps to have arenas or conferences like this one for people who are in technology to get together and talk about the problems that they see on their own out there, and just meet up and exchange experiences. That would be a good way moving forward.” However, when it came to policy making, he believed it would be tricky: “It quickly becomes a case of solving things on paper versus solving them in practice. I think it is more productive to recognise certain risk areas and risk predicaments, things that can lead to risks, and then try to mitigate those perhaps in policies. In this case, we deal with protocols and communication equipment that are widely understood to be complicated and misused. Then we can address that with a strategic sort of approach.”
He admitted that this was a difficult question to answer, “It’s essentially about how do we become more secure […] We said this in the last 20 years, where we are turning fully digital and it just has no end. Now we are talking about the metaverse. We are talking about VR where we need to live within those spaces. It never stops and it gets more important that we act upon these threats.”
Erlend Oftedal, a member of the Agenda Committee, believes that individuals can demand transparency on how their data is being used under Europe’s GDPR: “I think they should demand more if they ever get an email with their password back when they try to reset their password. They should stop using the service because that means that they are storing their passwords in a reversible way. And the employees can look at them whenever they want to.” He added that it is vital for companies to educate their software developers on security.
NDC Conferences with International Ambitions
“The NDC Security conference is the first niche event where we did an open call for papers. Anyone can submit from anywhere in the world. And we have a separate Agenda Committee that selects the papers who are the experts in security. We as an organisation provide the platform. We provide the experience,” said Jakob Brandford, CEO of NDC Conferences.
Erlend Oftedal of the Agenda Committee said that “It’s important to not have the same people every year because then you limit your vision maybe, or what you want to hear about.”
Erlend Oftedal, Agenda Committee member for NDC Security Conferences. Photo: Ka Man Mak
He said that the Agenda Committee selects speakers based on their experience with a topic and attendees’ interests, and also picks newcomers: “If there is something that sounds really interesting but we never heard about the speaker before, we might pick them anyway and give them a chance because it is also important to get new voices and new people in.” Oftedal stressed that they encourage more women to submit talks and be part of the committee.
A Code of Conduct is stated on their conference website, “NDC is dedicated to providing a harassment-free conference experience for everyone, regardless of gender, sexual orientation, disability, physical appearance, body size, race, or religion. We do not tolerate harassment of conference participants in any form. Sexual language and imagery are not appropriate for any conference venue, including talks. Conference participants violating these rules may be sanctioned or expelled from the conference without a refund at the discretion of the conference organizers.”
Jakob Brandford, CEO of NDC Conferences. Photo: Ka Man Mak
The conference started with international intentions, as founder Kjersti Sandberg invited speakers from her network around the world. “To grow internationally was something I really wanted to do. In Norway, if you want to scale and do more conferences, you can only do so much in a small city like Oslo,” Brandford explained.
“There is a community around NDC events among the speakers, attendees, partners that was created by us doing these kinds of events internationally. The biggest benefit is for the local community where we do the conferences such as Porto, where we are bringing our international conference in the city that is huge for them as they never had an international conference before. So now they get to meet lots of people whom they wouldn’t meet otherwise.”
Check out keynote speaker Jim Manico on “The Abridged History of Application Security”.