15 years through Infosec

This talk is a collection of my thoughts and observations since my early infosec days - some technical, some philosophical and some pointed questions for all of us to reflect upon. I would like to talk about my journey in the information security industry, from the fledgling years in the late 90s where I was still entrenched in academia to the present day where infosec is redefining the world's political boundaries, literally and figuratively.

Published in Technology

Transcript

  • 1. 15 years through Infosec. #HackCon 2014, Oslo. Saumil Shah, CEO, Net Square. net-square HackCon '14
  • 2. Introduction: @therealsaumil, saumilshah. Educating, entertaining and exasperating audiences since 1999.
  • 3. The Evolution of Targets
  • 4. How Have Targets Shifted? Servers, Applications, Desktops, Browsers, Identities.
  • 5. The Game Changers: Perimeter Security, Web Apps, Broadband Networks, WiFi, Social Networks, Cellular Data.
  • 6. Target
    Top Spot – Retail, Manufacturing, IT. Shifted away from financial organizations to their users.
    Myth: Insiders cause the maximum damage. Attribution to external attackers: 92% (5 yr avg: >70%).
    2008: Servers 94%, Users 17%. 2012: Servers 54%, Users 71%.
    Shift in attacker profile: organized crime, state sponsored "threat actors".
    Effectiveness of breach detection (IT Audits, Fraud detection, IDS, Logs, MSS): < 1%.
  • 7. "A wall is only as good as those who defend it." Genghis Khan
  • 8. "The user's going to pick dancing pigs over security every time." Bruce Schneier
  • 9. Technology in the hands of users
  • 10. Intelligence Driven Defence: from reactive to proactive
  • 11. The Evolution of Exploits
  • 12. The Advance of Exploits
  • 13. It was different 12 years ago! Individual effort. 1 week dev time. 3-6 months shelf life. Hundreds of public domain exploits. "We did it for the fame. lols."
  • 14. Today... Team effort. 2-12 month dev time. 24h to 10d shelf life. Public domain exploits nearly zero. Cost, value of exploits has significantly risen. WEAPONIZATION.
  • 15. "For a few hundred K, could you put together a team that would break-in just about anywhere?" Haroon Meer, CCDCOE Conference on Cyber Conflict, 2010
  • 16. $100k – 500k
  • 17. Attacking is (much) cheaper than defence. Attacker toolchains are far more complex than the public demonstrations we have seen so far.
  • 18. Exploit Buyers: .gov, corporate espionage, organized crime
  • 19. Vulnerability prices (credit: Forbes 23.3.2012, Shopping for Zero Days; Charlie Miller, the 0-day market)
    Vulnerability            $         Source
    "Some exploits"          250,000   Govt. official referring to what "some people" pay
    A "real good" exploit    > 100,000 SNOsoft Research Team
    Chrome                   60,000    Google
    Vista                    50,000    Raimund Genes, Trend Micro
    Weaponized exploit       30,000    David Maynor, Secureworks
    iDefense purchases       10,000    David Maynor, Secureworks
    WMF                      4,000     Alexander Gostev, Kaspersky
    Google                   3,133.7   Google
    Mozilla                  3,000     Mozilla
    Excel                    1,200     Ebay auction site
  • 20. "The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious." Doctor Who, "Pirate Planet". XKCD 358, "Security".
  • 21. What Secure means to me
  • 22. Confidentiality, Integrity, Availability? Invulnerable? Up-to-date? Accountable?
  • 23. Found a huge J2EE bug in 2002. BEA: Configuration mistake. Sun: You can't do that! Allaire: Thanks, here is a t-shirt. IBM: Fix in 7 days, gave credit.
  • 24. (no text)
  • 25. OSX goto fail patch time: 93 hrs
  • 26. What defenders are up to
    HIGH EXPOSURE: Rigorous Internal Testing; Proactive Exploit Mitigation Technology; Quick Turnaround Times (24 hours); Mature Bug Bounties.
    HIGH EXPOSURE: Good Efforts but no Transparency; Don't have Resources / Focus; Slow Turnaround Times (4 days - 1 month); Learning the hard way.
  • 27. Bug Bounties: high stakes game. Chris Evans – Pwnium: Element 1337
  • 28. What "SECURE" means to me: Resilience. Fitness. Max time to fix: 72 hrs.
  • 29. On Standards, Compliance & Certification
  • 30. (no text)
  • 31. Compliance != Security
  • 32. (no text)
  • 33. Peter Gibbons, Office Space: "My only real motivation is not to be hassled, that and the fear of losing my job. But you know, Bob, that will only make someone work just hard enough not to get fired."
  • 34. Certifications... oh, the irony!
  • 35. EC Council gets record pwnage. GOING ONCE, GOING TWICE, GONE!
  • 36. Who are you more scared of? Attackers or Auditors?
  • 37. Threat Model. APT Testing. Social Media Threats. "Every Day is a 0-day". Red Teams. Reactive to PROACTIVE.
  • 38. BSIMM
  • 39. Necessity is the Mother of Invention
  • 40. Firewalls – One-way Hacking; IDS/IPS – Packet Fragmentation; Antivirus – Obfuscation; WAF – Character Encoding; Endpoint Security – DNS Exfiltration; ASLR, DEP – Return Oriented Programming; Sandbox – Jailbreak.
  • 41. My attempts at writing books
  • 42. I'm Flattered :)
  • 43. Inside Out Attacks - 1999
  • 44. One Way Attacks - 2001: Web application discovery. Finding the entry point (command execution as nobody or web user). Uploader. Web Shell. Upload attack tools. Pilfer web application. Privilege escalation. SQL command prompt. GAME OVER!
  • 45. HTTP Page Signatures - 2002. 200:A302E6F1DC10112A5AF8624E5EA11B367F93DD04. Accurately identify HTTP responses. Minimize false positives in error detection. Content independent. Computation time: O(n). Comparison time: O(k).
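Slide 45 gives the signature format (STATUS:HASH) and its properties but not the algorithm. The following is an added example, not the talk's own code: it assumes the hash is taken over the HTML tag skeleton (tag names in order, text and attributes dropped), which is one way to get a content-independent signature, so a scanner can recognise a template-driven "not found" page returned with HTTP 200 and avoid counting it as a live page.

```python
"""Content-independent HTTP page signatures in the spirit of slide 45.

Added example, not the talk's code. Assumption: the signature is a SHA-1
over the HTML tag skeleton (tag names only). Two responses rendered from
the same template share a signature even when their text differs.
"""
import hashlib
from html.parser import HTMLParser


class _Skeleton(HTMLParser):
    """Collect open/close tag names; text, comments and attributes are ignored."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append("<" + tag + ">")

    def handle_endtag(self, tag):
        self.tags.append("</" + tag + ">")


def page_signature(status: int, body: str) -> str:
    """Return 'STATUS:SHA1HEX'; one pass over the body, so O(n) to compute."""
    parser = _Skeleton()
    parser.feed(body)
    parser.close()
    digest = hashlib.sha1("".join(parser.tags).encode()).hexdigest().upper()
    return f"{status}:{digest}"


def same_page_class(sig_a: str, sig_b: str) -> bool:
    """Comparing two fixed-length signatures costs O(k), k = signature length."""
    return sig_a == sig_b


# Constructed responses: two soft-404s from one template with different text,
# and a genuinely different page, all returned with HTTP 200.
SOFT404_A = (200, "<html><body><h1>Not found</h1><p>No such file: /a.php</p></body></html>")
SOFT404_B = (200, "<html><body><h1>Not found</h1><p>No such file: /admin/</p></body></html>")
REAL_PAGE = (200, "<html><body><h1>Welcome</h1><ul><li>News</li></ul></body></html>")

if __name__ == "__main__":
    sig = page_signature(*SOFT404_A)
    print(sig, same_page_class(sig, page_signature(*SOFT404_B)))
```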
  • 46. HTTP Fingerprinting - 2003
  • 47. Teflon - 2008. My humble attempt at browser security. "Anti-stick for your browser's attack surface". FAILED RESEARCH.
  • 48. Abusing URL Shorteners - 2010. Alpha Encoded Exploit. Tiny URL. ZOMFG.
  • 49. Greetings Professor Falken
  • 50. I'm an evil Javascript. I'm an innocent image.
  • 51. Cross Container Scripting - 2012 (XCS): <img src="itsatrap.gif"> <script src="itsatrap.gif"></script>
  • 52. Alpha encoded exploit code: <script src="1.gif"></script>. IMAJS CANVAS "loader" script: <img src="2.png" id="decodeme">
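Slides 51-52 describe one file that is both an innocent image and a script, pulled in once via <img> and once via <script>. As an added defender-side example (not from the talk), the check below audits a response that claims to be an image: magic bytes versus declared Content-Type, presence of X-Content-Type-Options: nosniff (with which browsers refuse to execute a response as a script unless its MIME type is a JavaScript type), and script-like tokens in the body. The token list and the sample bytes are constructed.

```python
"""Audit an HTTP response that claims to be an image for image/script
polyglot risk (the XCS / IMAJS idea on slides 51-52).

Added example, not code from the talk. Three checks:
  1. the body starts with the magic bytes of the declared image type;
  2. X-Content-Type-Options: nosniff is set, so a browser handed this
     response via <script src=...> refuses to execute it;
  3. the body contains no script-like tokens (constructed heuristic list).
"""
import re

# Magic bytes per image Content-Type (real format signatures).
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Heuristic: these byte sequences are script syntax, not pixel data.
SCRIPT_TOKENS = re.compile(rb"/\*|\*/|\bfunction\b|\beval\s*\(|document\.")

# Constructed 1x1 GIF, and a constructed "image with script text appended";
# the latter is only a detection fixture, not a working polyglot.
GOOD_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
SUSPECT = GOOD_GIF + b"/* not pixels */ function run() {}"


def audit_image_response(headers: dict, body: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    magics = MAGIC.get(ctype)
    if magics is None:
        findings.append(f"not a known image Content-Type: {ctype!r}")
    elif not body.startswith(magics):
        findings.append(f"body does not start with {ctype} magic bytes")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if SCRIPT_TOKENS.search(body):
        findings.append("script-like tokens present in image body")
    return findings


if __name__ == "__main__":
    print(audit_image_response({"Content-Type": "image/gif"}, SUSPECT))
```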
  • 53. Theory Becomes Practice - 2014: Hiding In Plain Sight
  • 54. Infosec Conferences
  • 55. 1999: Blackhat and Defcon. Blackhat – 15 years in a row. RSA 2002 – the only commercial con. HITB, Cansecwest, HackLU, NullCON, Hackcon, ITWeb, IT Underground, IT Defense, DeepSec, NoSuchCon, REcon, SeacureIT, 44CON, SyScan...
  • 56. 1 conference every 3 days... (chart: conferences per year, 1997-2013, y-axis 0-200; source: http://cc.thinkst.com)
  • 57. ...and 5000 talks for 2013! (chart: talks per year, 1997-2013, y-axis 0-5000; source: http://cc.thinkst.com)
  • 58. Hacker Cons: Where else will you find a more diverse, open, global, talented and energetic crowd?
  • 59. Hackerspaces: "There are many men in London, who, some from shyness, some from misanthropy, have no wish for the company of their fellows. Yet they are not averse to comfortable chairs and the latest periodicals."
  • 60. My type of hacker cons: Smaller events. Single/Dual track. Meet the speakers. Meet the audience. Learn something new!
  • 61. Mind the Researcher/Industry Gap. Researchers, Industry. Wants: "Mr. Right Now", Mr. Right.
  • 62. Hackers: who are we?
  • 63. WE ARE HACKERS. WE PUSH THE ENVELOPE. WE THRIVE ON FACTS AND LOGIC... AND LATERAL THINKING. WE QUESTION AND CHALLENGE, AND WORK ON LIMITED RESOURCES.
  • 64. My Hacker Hero: DELETES SOLAR SYSTEM FROM BRAIN. CAN RECOGNISE 243 TYPES OF TOBACCO ASH.
  • 65. Rebels? Heretics? Anarchists? Free-thinkers?
  • 66. "The time to think of your ethical boundaries is BEFORE you are put in a difficult situation." Alex Stamos, The White Hat's Dilemma, Defcon 21
  • 67. You find a critical remote exploit in a very widespread product. Do you:
    A) Publicly announce the flaw immediately
    B) Build a whole Black Hat talk around it
    C) Perform responsible disclosure with deadlines
    D) Use it to sell "consulting" to the vendor
    E) Weaponize and sell directly to your government
    F) Weaponize and sell to a trader
    G) Use it yourself for fun and/or profit
    READ HIS TALK AND ANSWER ALL HIS QUESTIONS! Alex Stamos – The White Hat's Dilemma, DC21
  • 68. And who am I?
    saumil ttys001 Mar 5 17:20
    saumil@gayatri:~$ _
  • 69. I stood on the shoulders of giants
  • 70. Stranger Than Fiction! Big Fish (2003)
  • 71. On Security Products
  • 72. My Product building journey: Web app scanners. Network scanner. Windows Desktop Scanner. Share Inspector. Accounts Inspector. Browser plug-in for app testing. ServerDefender. Hardened Browser from Chromium code base.
  • 73. Everyone builds the "Homer Car"
  • 74. Why Johnny Can't Pentest. http://www.cs.ucsb.edu/~vigna/publications/2010_doupe_cova_vigna_dimva10.pdf
  • 75. On Stunts and Sensationalism
  • 76. (no text)
  • 77. (no text)
  • 78. "If you can bear to hear the truth you've spoken / Twisted by knaves to make a trap for fools" Rudyard Kipling
  • 79. Media training is an OPSEC skill: Vet your journo. "Off the record". Answer in writing. Putting words in your mouth. Stay on target. Watch your mouth. The Grugq, grugq.tumblr.com
  • 80. "Preventing Security Theatre is OUR responsibility" Andrea Barisani, No Such Con #1 Keynote. IT Security community loses reputation. Remediation NOT given to original researchers.
  • 81. wget - Deadly Hacker Tool?
  • 82. The Future
  • 83. 2010: DEP bypassing ROP code. Man in the Browser. Political Cyber warfare.
  • 84. 2011: Browser Attacks. PDF Attacks. Web App Attacks. Social Engineering.
  • 85. 2012: Full ASLR by 2014. Mobile Attacks. Real Time Analytics. Blurred boundaries. IPv6.
  • 86. 2013
  • 87. > the future is already here
  • 88. Today: Realtime acquisition, storage, analysis and correlation of ALL data. Tomorrow: Predictions.
  • 89. (no text)
  • 90. Will the Internet remain a level playing field?
  • 91. (no text)
  • 92. Special Thanks: Haroon Meer & Marco Slaviero, Andrea Barisani, Roelof Temmingh, Alex Stamos, The Grugq, Hackcon crew & our fantastic community!
  • 93. Further Reading
    Con Collector: http://cc.thinkst.com/
    The White Hat's Dilemma: http://tinyurl.com/whitehatdilemma
    Realtime: http://www.realtime-film.com/
    Media training – OPSEC for hackers: http://tinyurl.com/opsecmedia1 http://tinyurl.com/opsecmedia2
  • 94. Thank You... Questions? #HackCon 2014, Oslo. saumil@net-square.com @therealsaumil