[Interview] Georg Knabl: we’ll see talking bots used in social engineering and the "battle of the algorithms"

Georg Knabl defcamp 2018

Did that headline pique your interest?
We hope it did because there’s a lot more where that came from.
And it’s all due to the excitement of having Georg Knabl as a speaker at DefCamp #9!
Infosec specialists are most often self-taught. Experiences vary wildly and that’s what keeps things interesting and keep us eager to learn.
As a result, we’re always thrilled to meet people in the field who pack a lot of knowledge and practical experience and who can teach others about it. Georg is one of those people. In his current role as Freelance Technical Director and Senior Software Engineer, he focuses mainly on solving the key issues around authentication today.

In my opinion, the lack of usable and secure authentication methods is the biggest issue regarding authentication.
Passwords, for example, especially when considering machine learning attacks, will most likely have to be generated by a randomization-based algorithm in order to withstand such attacks. But this approach causes another issue as Troy Hunt best described as “The only secure password is the one you can’t remember.

One thing that infosec specialists, cybersecurity students, and enthusiasts share is a common concern for this issue. They also know that, in reality, the situation is highly complex because it combines technological limitations and human flaws in a mix that sometimes results in the massive data breaches we’ll all witnessed (or even been a victim of).

In general, passwords are basically broken. People usually reuse them on many services online. Most of them have personal information included or poor entropy.
Forcing people to use secure passwords can be done but will annoy them, ultimately resulting in reduced revenue.
Two-factor authentication helps but decreases usability. Password managers have their own issues.

Acknowledging we’re stuck is one part of the problem but the other one is about moving forward.

Georg suggests keeping an eye on tomorrow while remembering to cover the basics today.

Today, we almost daily read about new and challenging attacks shown by researchers. Many of them are related to machine learning.
As this technology is currently thoroughly researched on and the number of publications in this field increases rapidly, infosec professionals will more than ever need to keep an eye on the upcoming challenges.

Nevertheless, common security basics such as keeping the network secure or building awareness amongst the company’s staff are as important as ever.

The same authentication security issues have been plaguing the tech world since what it feels like forever and there’s no palpable fix in sight. So what happens if years go by and these issues are left unsolved? What are the long-term problems they could cause?
Georg paints a future as complicated as our current context:

If there ever will be quantum computers that are able to basically break public key cryptography and can be used for a reasonable price as a service we are in trouble.
In this scenario, authentication as we know it is a thing from the past and securing a service will either be hardly possible, unusable or highly expensive.
However, I personally think that such services won’t be available to the general public and will most likely be regulated and controlled by governments and their intelligence agencies. Which isn’t a good thing either.

By now, you already know that Georg is truly passionate about securing authentication and the role it plays in information security. That’s one more reason why we wanted to find out what specifically fascinated him about defining identity online.

I’m fascinated by the creativity researchers and attackers show when it comes to finding weaknesses.
Who would have thought attackers could just put a smartphone on a desk while a victim presses some keys on the keyboard next to it and an algorithm utilizing the built-in gyro sensor is able to recognize the pressed keys?

And this is happening today. Let that sink in.
Good thing we’re all going to DefCamp because we all know it’s up to us to contribute to improving things for users who know nothing about security. And that’s millions and millions of people around the world.
If we’re to take one step in the not so distant future, Georg points out some key challenges that new tech has added to securing authentication (and also gives us hope): 

Not only authentication but infosec as a whole is greatly affected by advancements in machine learning.
We will see talking bots perfectly faking the voice of a human and generating a live webcam feed with correct facial expressions, passing the Turing test and being used in social engineering, especially spear phishing and webcam authentication.
We will see almost undetectable malware created by generative adversarial networks.
Even advanced captchas are already broken by this technology. Reinforcement learning algorithms are already able to play many computer games better than the best human players in the world. Their use, however, is not limited to games. Their environmental model can be a computer network abstraction, whereas their possible actions can be command line input instead of controller buttons.
We will see highly automated attack botsthat will be able to adapt to mitigations in real time.
The good news is that the same technology can be used for securing assets resulting in a “battle of the algorithms”.

If you’ve read any Sci-Fi and seen most of it come true, you’ll know that the battle Georg Knabl talks about could soon lose its quotes and become a news headline.
But before that happens, we have a lot to learn that could contribute to changing things for the better!
Join us at DefCamp #9 on November 8 and 9 to see Georg Knabl and many other top infosec specialists live! We promise you’re going to learn something valuable.
This interview was made by Andra Zaharia. You can get in touch with her on LinkedIn or say hi on Twitter.
DefCamp is powered by Orange Romania and it’s organized by the Association “Research Center for Information Security in Romania” (CCSIR).
DefCamp 2018 is sponsored by Ixia, Keysight Business, SecureWorks and Intralinks as Platinum Partners and it’s supported by IPSX, Bit Sentinel, TAD Group, Enevo, Crowdstrike, CryptoCoin.pro, Siemens, Alef, UiPath, Atos and Kaspersky Lab.

    Related articles​

    Securing the cloud: insights on threats, ..

    BY Adina Harabagiu
    There is no mystery that everything nowadays has a digital component. A growing number of companies are ..

    Striking a balance between security updates, ..

    BY Adina Harabagiu
    The world of cybersecurity is fast paced, there’s no denying it. Innovation is constant and threats are ..

    Pentesting: a tool for empowering – not ..

    BY Adina Harabagiu
    You’ve likely caught wind of this rising tide – offensive security, pentesting, and #RedTeams are not ..