2012: The End of the World?

My presentation at HackCon 7 Oslo, exploring where the world of information security is headed. Crude vs. stealthy exploit techniques, the underground digital economy, failure of anti-virus, the future of web application security and the (de)evolution of browsers and HTTP.

  • 2012: The End of the World?

    1. What is coming in 2012? Saumil Shah, CEO, Net-Square. HACKCON7 Oslo - 29.03.12
    2. # who am i
        Saumil Shah, CEO Net-Square.
        • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec.
        • M.S. Computer Science Purdue University.
        • saumil@net-square.com
        • LinkedIn: saumilshah
        • Twitter: @therealsaumil
    3. My area of work: Penetration Testing, Reverse Engineering, Exploit Writing, New Research, Offensive Security, Attack Defense, Conference Speaker, "Eyes and ears open"
    4. Highlights from 2010-2011: "The Future is already here"
    6. DigiNotar - SSL Certificates
    7. Stuxnet
    8. RSA SecurID...
    9. ...did it lead to this?
    10. Who had the last LOL? Infiltration is a 2 way street
    11. The economy is growing!!
        • Players
        • Services
        • Prices
    14. The Underground Marketplace: SPAM, DDoS, Carding, Money Exchange, Target Profiles, Botnets, 0day Exploits, Botnet Kits, Exploit Packs
    15. Underground Economy
        • World of Warcraft account: $4
        • Paypal/Ebay account: $8
        • Credit Card: $25
        • Bank Account: $1000
        0-day exploits
        • WMF Exploit: $4000
        • Quicktime/iTunes/RealPlayer: $10000
        • Mac OS X: $10000 + free Mac
        • Windows 7: $50000
        • IE / Firefox / Chrome: $100000
        • PDF: $100000
        • SCADA: $250000+
        credit: Hacks Happen - Jeremiah Grossman - http://tinyurl.com/hacks-happen
    16. CC Search, DDoS $80/day
        credit: From Russia With Love - Fyodor Yarochkin and The Grugq - http://tinyurl.com/frmrussiawlove
    17. DIY Botnets for $700/yr
    18. Exploit Packs
    19. Trends in Exploit Development
    20. It was different 10 years ago!
        • Individual effort.
        • 1 week dev time.
        • 3-6 months shelf life.
        • Hundreds of public domain exploits.
        • "We did it for the fame."
    21. Today...
        • Team effort.
        • 1-2 months dev time.
        • 24h to 10d shelf life.
        • Public domain exploits ~ 0.
        • Value of exploits has significantly risen.
    22. No More Free Bugs
    23. High stakes game
    24. What the Defense is up to
        Column 1:
        • HIGH EXPOSURE
        • Rigorous Internal Testing
        • Proactive Exploit Mitigation Technology
        • Quick Turnaround Times (24 hours)
        • Bug Bounties
        Column 2:
        • HIGH EXPOSURE
        • Good Efforts
        • Don't have resources / focus
        • Slow Turnaround Times (1 month)
        • Learning the hard way
    25. /GS, SafeSEH, DEP, ASLR, Permanent DEP, ASLR and DEP
    26. (two columns, paired row by row)
        • /GS | SEH overwrites
        • SafeSEH | non-SEH DLLs
        • DEP | Return to LibC
        • ASLR | Heap Sprays
        • Permanent DEP | ROP
        • ASLR and DEP | ROP+memleak
    27. I can haz sploits!?
    28. The buyers (of Exploits): .gov, corporate espionage, organized crime
    29. The prices
        Vulnerability | Value (USD) | Source
        "Some exploits" | 200,000-250,000 | Govt. official referring to what "some people" pay.
        A "real good" exploit | > 100,000 | SNOsoft Research Team
        Chrome exploit | up to 60,000 | Google
        Vista exploit | 50,000 | Raimund Genes, Trend Micro
        Weaponized exploit | 20,000-30,000 | David Maynor, Secureworks
        ZDI/iDefense purchases | 2,000-10,000 | David Maynor, Secureworks
        WMF exploit | 4,000 | Alexander Gostev, Kaspersky
        Google exploit | 500-3133.7 | Google
        Mozilla exploit | 500-3000 | Mozilla
        Microsoft Excel | > 1,200 | Ebay auction site
        credit: Charlie Miller - http://securityevaluators.com/files/papers/0daymarket.pdf
    30. "We pay better."
    31. Exploit Sophistication
    32. Exploit Sophistication: ms10-002 ieobject; Java Applet; full ASLR+DEP bypass; Drive-by
    33. Web App Vulnerabilities: HTML, HTTP +0.1, Bloated standards
    34. (two columns)
        • Application Delivery: AJAX, Flash, Sandbox, HTML5, CSP, CORS...
        • HTTP: Authentication, Statefulness, Data Typing, Non-mutable
    35. Breaches in 2011: 855 incidents, 174M records
        credit: Verizon Data Breach Incident Report 2011
    36. Attack Techniques 2007-2011
        credit: Verizon Data Breach Incident Report 2011
    37. Popular Attack Techniques: Stolen login credentials, Keyloggers, C&C, Backdoors
        credit: Verizon Data Breach Incident Report 2011
    38. 96% attacks were "not difficult"
        credit: Verizon Data Breach Incident Report 2011
    39. The Bad Guys
    40. Extent of damage caused
        • Sony breach: $170 million
        • T J Maxx breach: $17 million
    41. Nick Leeson $1.31b, Kweku Adoboli $2b, Jerome Kerviel $7.22b, Bernie Madoff $50b
    42. Software Developers...
        • ...more dependent on external tools and frameworks for security.
        • Less on design and proper implementation.
    43. Software Development Trends
        • 17 million devs, 6000 LOC/yr
        • 102 billion lines of code in 2008
        • 1 bug per 10000 lines of code
        • 10,200,000 defects per year
        • 1% exploitable?
        • 102,000 0-days/yr
        credit: Hacks Happen - Jeremiah Grossman - http://tinyurl.com/hacks-happen
    44. Security Products
        • Same ol same ol
        • FW IDS IPS AV SIEM UTM DLP DPI WAF ...
        • "Sit back and watch das blinkenlights"
    45. Do Signatures Work?
    46. Effectiveness of AV/IDS/IPS/...
        credit: twitter.com/j0emccray
    47. The weak minded are easily tricked
    48. "A wall is only as good as those who defend it" - Genghis Khan
    49. Change in Mindset: "We assume that all our Internet Banking customers' computers are compromised. We now rely on near real-time fraud analytics."
    50. The FUTURE?
        • Full ASLR by 2014
        • Mobile Attacks
        • Real Time Analytics
        • Blurred boundaries
        • IPv6
