Successfully reported this slideshow.

The Dark Side of Security

2

Share

Mar. 10, 2016
2 likes 1,418 views
Upcoming SlideShare
The Life of Breached Data & The Dark Side of Security
The Life of Breached Data & The Dark Side of Security
Loading in …3
×
1 of 61
1 of 61

The Dark Side of Security

Mar. 10, 2016
2 likes 1,418 views

2

Share

Download to read offline

Internet

Talk given at Fluent Conference 2016 about the dangers of automated attacks against websites.

Talk given at Fluent Conference 2016 about the dangers of automated attacks against websites.

Internet

Recommended

More Related Content

Similar to The Dark Side of Security

Shadow Data Exposed
Elastica Inc.
Understanding word press security wwc-4-7-17
Nicholas Batik
Why Cybercriminals are targeting Small Businesses
D-Amies Technologies (P) Ltd.
SUDOCON Sri Lanka - Colombo By Nitin Pandey
Nitin Pandey
LTS Secure User Entity Behavior Analytics(ueba) boon to Cyber Security
rver21
What does "monitoring" mean? (FOSDEM 2017)
Brian Brazil
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Imperva Incapsula
Network Security ppt
SAIKAT BISWAS
How Cybercriminals Cheat Email Authentication
Return Path
Introduction to the Current Threat Landscape
Melbourne IT
Marketers' Playbook Questions to Ask Verification Vendors
Dr. Augustine Fou - Independent Ad Fraud Researcher
Deconstructing Application DoS Attacks
Imperva
Panama Papers Leak and Precautions Law firms should take
Adv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
Cyber security 2013
Ariel Evans
CYREN_Q1_2015_Trend_Report
Chris Taylor
Symantec Internet Security Threat Report 2014 - Volume 19
Symantec
FNC Free Seminar (public)
forensicsnation
Cybercrime and the Developer: How to Start Defending Against the Darker Side
Steve Poole
Five habits that might be a cyber security risk
K. A. M Lutfullah
Ted - CyberSecurity for your Business
Ted Sanders

More from Jarrod Overson

AppSecCali - How Credential Stuffing is Evolving
Jarrod Overson
How Credential Stuffing is Evolving - PasswordsCon 2019
Jarrod Overson
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
Jarrod Overson
Analysis of an OSS supply chain attack - How did 8 millions developers downlo...
Jarrod Overson
Deepfakes - How they work and what it means for the future
Jarrod Overson
The State of Credential Stuffing and the Future of Account Takeovers.
Jarrod Overson
How to Reverse Engineer Web Applications
Jarrod Overson
The life of breached data and the attack lifecycle
Jarrod Overson
Graphics Programming for Web Developers
Jarrod Overson
JavaScript and the AST
Jarrod Overson
ES2015 workflows
Jarrod Overson
Maintainability SFJS Sept 4 2014
Jarrod Overson
Idiot proofing your code
Jarrod Overson
Riot on the web - Kenote @ QCon Sao Paulo 2014
Jarrod Overson
Managing JavaScript Complexity in Teams - Fluent
Jarrod Overson
Real World Web components
Jarrod Overson
Managing JavaScript Complexity
Jarrod Overson
Continuous Delivery for the Web Platform
Jarrod Overson

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
An Army of Davids: How Markets and Technology Empower Ordinary People to Beat Big Media, Big Government, and Other Goliaths Glenn Reynolds
(4/5)
Free
World Wide Mind: The Coming Integration of Humanity, Machines, and the Internet Michael Chorost
(4/5)
Free
Emergence: The Connected Lives of Ants, Brains, Cities, and Software Steven Johnson
(4.5/5)
Free
Tubes: A Journey to the Center of the Internet Andrew Blum
(4/5)
Free
The Impulse Economy: Understanding Mobile Shoppers and What Makes Them Buy Gary Schwartz
(4.5/5)
Free
Hamlet's BlackBerry: A Practical Philosophy for Building a Good Life in the Digital Age William Powers
(4/5)
Free
In the Plex: How Google Thinks, Works, and Shapes Our Lives Steven Levy
(4.5/5)
Free
Socialnomics: How Social Media Transforms the Way We Live and Do Business Erik Qualman
(4/5)
Free
The Nature of the Future: Dispatches from the Socialstructed World Marina Gorbis
(4/5)
Free
Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live Jeff Jarvis
(3.5/5)
Free
Talking Back to Facebook: The Common Sense Guide to Raising Kids in the Digital Age James P. Steyer
(4.5/5)
Free
The Thank You Economy Gary Vaynerchuk
(4/5)
Free
Blog Schmog: The Truth About What Blogs Can (and Can't) Do for Your Business Robert W. Bly
(4/5)
Free
The End of Business As Usual: Rewire the Way You Work to Succeed in the Consumer Revolution Brian Solis
(5/5)
Free
Bit by Bit: Social Research in the Digital Age Matthew J. Salganik
(4/5)
Free
No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State Glenn Greenwald
(4.5/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
Kill All Normies: Online Culture Wars From 4Chan And Tumblr To Trump And The Alt-Right Angela Nagle
(4/5)
Free
Cryptography: The Key to Digital Security, How It Works, and Why It Matters Keith Martin
(4/5)
Free
Who Owns the Future? Jaron Lanier
(4/5)
Free
This Machine Kills Secrets: How Wikileakers, Cypherpunks, and Hacktivists Aim to Free the World's Information Andy Greenberg
(4/5)
Free
The Dark Net: Inside the Digital Underworld Jamie Bartlett
(4/5)
Free
Stop Checking Your Likes: Shake Off the Need for Approval and Live an Incredible Life Susie Moore
(4/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community that Will Listen Findaway
(4.5/5)
Free
Ten Arguments for Deleting Your Social Media Accounts Right Now Jaron Lanier
(4/5)
Free
Platform: Get Noticed in a Noisy World Michael Hyatt
(4.5/5)
Free
The Secret Life: Three True Stories of the Digital Age Andrew O'Hagan
(4/5)
Free
Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World Don Tapscott
(4/5)
Free
Internet Riches: The Simple Money-Making Secrets of Online Millionaires Scott Fox
(4/5)
Free
Exploding Data: Reclaiming Our Cyber Security in the Digital Age Michael Chertoff
(4.5/5)
Free
Cyberwar: How Russian Hackers and Trolls Helped Elect a President—What We Don't, Can't, and Do Know Kathleen Hall Jamieson
(3/5)
Free
Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous Gabriella Coleman
(4/5)
Free
The Art of Social Media: Power Tips for Power Users Guy Kawasaki
(4/5)
Free

The Dark Side of Security

  1. 1. The Dark Side of Security Jarrod Overson - @jsoverson - Shape Security
  2. 2. Not this dark side…
  3. 3. … the darkness that hides the unknown
  4. 4. Traditional web security is like flossing. Deep down we know we should care, but it's difficult to see if the effort is paying off.
  5. 5. OWASP Top 10 A1 – Injection A2 – Broken Authentication and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery (CSRF) A9 – Using Known Vulnerable Components A10 – Unvalidated Redirects and Forwards
  6. 6. OWASP Automated Threats OAT-020 Account Aggregation OAT-006 Expediting OAT-019 Account Creation OAT-004 Fingerprinting OAT-003 Ad Fraud OAT-018 Footprinting OAT-009 CAPTCHA Bypass OAT-005 Scalping OAT-010 Card Cracking OAT-011 Scraping OAT-001 Carding OAT-016 Skewing OAT-012 Cashing Out OAT-013 Sniping OAT-007 Credential Cracking OAT-017 Spamming OAT-008 Credential Stuffing OAT-002 Token Cracking OAT-015 Denial of Service OAT-014 Vulnerability Scanning
  7. 7. Our user-friendly APIs enable our attackers
  8. 8. Not just these APIs
  9. 9. The APIs we expose unintentionally.
  10. 10. The APIs we expose unintentionally.
  11. 11. The APIs we expose unintentionally.
  12. 12. It's more than just massive breaches from large companies, too.
  13. 13. It's small continuous, streams of exploitable data
  14. 14. When you read about breaches, what do you do?
  15. 15. Even if you have the most secure site in the world, we don't protect against legitimate user logins.
  16. 16. If your users were robots, could you tell?
  17. 17. What percentage of traffic is from bots?
  18. 18. 92% ( Current record for automation against a login page, via Shape Security ) What percentage of traffic is from bots?
  19. 19. Why?
  20. 20. Do you… For example Store a type of currency? actual money, point values, gift cards Sell goods? physical, digital, services Have unique PII? health care, social networks Have user generated content? forums, social networks, blogs, comments Have time sensitive features? tickets, flash sales, reservations Pay for digitally validated behavior? ad clicks, reviews, "uber for X"
  21. 21. If you have value, there is value in exploiting you.
  22. 22. But we have captchas!
  23. 23. But captchas don't work.
  24. 24. Estimated 200 million+ hours spent every year deciphering squiggly letters. Luis Von Ahn, creator of captcha * *
  25. 25. Services have been made making captcha bypass even easier.
  26. 26. Services have been made making captcha bypass even easier.
  27. 27. Ever wonder where these ads go?
  28. 28. There's big money in "Work from Home Data Entry" jobs
  29. 29. So we seek alternatives.
  30. 30. Some rely on simple behavior analysis
  31. 31. Some rely on kittens
  32. 32. Some rely on a love for death metal
  33. 33. Some are very high profile
  34. 34. How?
  35. 35. They use a lot of the same tools we already use.
  36. 36. Once you detect an attacker, they are easy to block. Right?
  37. 37. One attacker from one machine can be blocked by IP.
  38. 38. Many attackers sound dangerous but aren't as common as they are made out to be.
  39. 39. One attacker using proxies to look like thousands of users across the globe is difficult to detect and block.
  40. 40. Spikes of traffic across many IPs are normal, except when they aren't
  41. 41. The devices themselves leave fingerprints
  42. 42. And tools are made to leave no fingerprints
  43. 43. Lots of tools.
  44. 44. We can't patch our way through this.
  45. 45. How would you react if you went from … Legitimate traffic
  46. 46. To this Automation detected and blocked Legitimate traffic
  47. 47. Automation detected and blocked Legitimate traffic To this
  48. 48. Automation detected and blocked Legitimate traffic To this
  49. 49. To get an idea, search for : • <your company, service, or CMS> fullz • <your company, service, or CMS> sentrymba • <your company, service, or CMS> carding • <your company, service, or CMS> <tool> tutorial Not sure if you have a problem?
  50. 50. The Dark Side of Security Jarrod Overson - @jsoverson - Shape Security

×