What’s better than interviewing one infosec professional?

Interviewing two, of course!

Andrei Cotaie, Senior Security Engineer, and Tiberiu Boros, Software Developer and Computer Scientist, colleagues at Adobe, will hold a joint presentation at DefCamp #9 titled “Weaponizing Neural Networks. In your browser!”.

While Andrei specializes in incident response, Tiberiu’s research is focused on applied Natural Language and Speech Processing. Their skills and knowledge make for a fascinating combination, bound to open up new perspectives for everyone who’ll see them live at DefCamp.

It was interesting to see how Andrei sees the differences between working in infosec in the public sector versus doing the same in the private sector.

I’m really happy to say that some of the best information security professionals I worked with are/were from the public sector.

From my experience, there are two main differences between the two environments.

Of course, one of them is the resources topic, the private sector is more open to investing and onboarding new technologies much faster.

The second one I would mention is regarding responsibilities. In the private sector, you must protect your business, your infrastructure or your client, while public institutions as the CERT-RO or CyberINT have a much wider set of responsibilities or entities for which they are responsible for, resulting in a larger attack surface to cover.

Learning fast is a must for any infosec professional nowadays. Tiberiu knows this very well, given his field of work and research.

We’ve already seen examples of how technology such as Speech Recognition and Face Recognition can be abused in creating deceiving content and spreading fake news. Surely, deepfakes, for example, are just the beginning. Here’s how Tiberiu sees these threats evolving.

These fakes are already affecting security systems that rely on face/voice biometric information for user recognition/authentication.

Back in 2006, when statistical speech synthesis started to emerge, there were reports of security systems confusing HTS voices with that of humans.

Surely, things have come a long way in terms of security, but today’s TTS systems are much more advanced. They can fool humans, as reported in many cases. If you’re interested in natural versus synthetic voices, you can look here for English or here for the Romanian case study. The latter system is still work in progress, and far better results are still unpublished but will be made available soon.

Curious to dig into these resources?

So are we, but, hang on! We still have more to learn from Andrei and Tiberiu.

Moving on to Neural Networks and what they’ll be able to do soon, we wondered how their applications could affect the humans’ ability to distinguish what is real from what is artificial and how long it would be before we’ll have to deal with this reality.

Well, this is already happening for speech and, while image generation systems like DeepFake have still a road ahead, it is a matter of time until we are faced with having to come up with countermeasures.

It is important to mention that these systems use something called Generative Adversarial Networks or GANs. The idea behind GANs is to use two networks.

The first network generates samples, while the second network tries to distinguish between natural and synthetic samples.

The objective of the first network is to fool the second one. What this means is that automated systems designed to distinguish between real and fake samples might have a lot of problems in dealing with the output generated by GANs and the only chance, at least now, would be to rely on human validation.

Things are getting a lot trickier, I bet you’ll agree. These complex threats already hiding in browsers, but that’s not the only place you’ll find them (or, actually, where they’ll find you).

Well, it’s not just browsers.

Such threats can be hidden in any type of software that runs on a machine.

The point is that you cannot just rely on static analysis to detect them unless you want to block functionalities that would normally be harmless to the system.

Instead, you could detect these threats by analyzing the behavior of the software itself (it must execute code generated on the fly), but this is likely to slow down all processes that are not whitelisted as non-threats.

And while all this madness unfolds in the background, billions of people spread their most personal data across the internet, through their connected devices, without suspecting that any of this is happening.

Andrei and Tiberiu observe that, for most of them,:

Ignorance is bliss.

Just as a comparison, most people don’t go to the dentist unless their tooth hurts.

People and small businesses are becoming one with their digital persona and they still don’t understand why and how they should protect themselves.

As we go deeper and deeper in the era of technology and IoT, I think wider Security Awareness programs should become a national objective (in schools for example).

Until then, security awareness is our objective as well, both as a community and as individuals.

The more united we are in this mission, the more we share and learn from one another, the more progress we’ll make.

Join us at DefCamp 2018 to contribute!

This interview was made by Andra Zaharia. You can get in touch with her on LinkedIn or say hi on Twitter.

DefCamp is powered by Orange Romania and it’s organized by the Association “Research Center for Information Security in Romania” (CCSIR).

DefCamp 2018 is sponsored by Ixia, Keysight Business, SecureWorks and Intralinks as Platinum Partners and it’s supported by IPSX, Bit Sentinel, TAD Group, Enevo, Crowdstrike, CryptoCoin.pro, Siemens, Alef, UiPath, Atos and Kaspersky Lab.