Looking at information security from different perspectives
1. Looking at Information Security from different perspectives
Edgard Chammas
University Of Balamand
Byblos Startup Weekend – March 1, 2013
2. Outline
* How users see it?
* How hackers see it?
* How developers see it?
* How companies see it?
* How the media sees it?
* How governments see it?
* The current state in Lebanon
* Some security incidents and facts in Lebanon
* For a better digital Lebanon
3. How users see it?
* Not all people have a good technical background
* Most of them are not security aware
* They are prone to attacks such as “Social Engineering”
* Security is always an end-to-end solution
=> If you fail at any point, you FAIL!
* Securing a process from Source to Sink is a big challenge
=> You can't blame Facebook when your password is your phone number :)
* Security awareness for users is inevitable
4. How hackers see it?
* Simply. It's a “game”
* They can be anyone. No exceptions.
* They are human => prone to errors
* But, they have an advantage over you
=> They think “out of the box”
=> A single bug is enough for a hacker to break in
* Security is a chain; it's only as secure as the weakest link
* They rely on the fact that nothing is 100% secure
* They seek vulnerabilities that can be exploited to pwn you!
6. How developers see it?
* It's hard to build a product that meets security standards
* Some developers aren't security aware
=> Sometimes it is not enough to just look “sexy”
* Some developers tend to secure their product at the testing stage
=> You will FAIL! Especially in big and complex systems
* Some of them take the role of a penetration tester
=> Can psychologists diagnose their own mental health problems? No.
* Some of them adopt "security through obscurity" practices
8. How companies see it?
* Companies only care about making profit
* They start investing in security as soon as they realize they risk losing money
=> This often happens right after a security incident
* Big companies invest millions of dollars to secure their infrastructure against all known attacks
Q: What about 0-day attacks?
A: Proactive solutions? Hmm...
* Some of them went further by creating “Bug Bounty” programs!
10. How the media sees it?
* It tells the truth most of the time
* Most of the time it gets the details wrong
* Nevertheless, it does the job of highlighting security incidents
=> Pushing companies and governments to improve security
* Sometimes it goes mad. It abuses security for other purposes
=> You most probably heard of WikiLeaks
=> Most of its leak sources are hackers
* Obviously, the media is part of the “game”
11. How the governments see it?
* They want to know everything about anyone
* But they absolutely don't want you to get into their business
=> WikiLeaks is to governments what Jerry is to Tom
* They hire hackers of different colors (the good and the bad)
1) to take care of internal security
2) or to take part in the global cyber war
=> Haven't you heard of Flame, Duqu and Stuxnet? ;)
* Now we have a war taking place on the internet!
=> It's not a cold war. A real one!
12. The current state in Lebanon
* Poor security!
* Leading companies and parties in the public and private sectors (internet, telecommunication, education, e-commerce, financial... etc) are vulnerable to primitive and basic types of attacks
=> Absence of minimal security measures
* This tragic state is undermining what the internet can deliver, even though it was essentially made for our benefit
=> We need a move!
13. Some security incidents and facts in Lebanon
* A good amount of bad security practices by the major ISPs
* WEP can be cracked in 5 minutes. But some deployed routers' passwords can be retrieved instantly with a small Python script
=> Privacy invasion, abuse of the internet resources
* Clone a DSL router configuration in Saida, connect it in Batroun, then hack everyone without a proxy ^^
=> The next day you hear about the cyber crime team investigating in Saida
14. Some security incidents and facts in Lebanon
* Clone your SIM card, appear in two different locations at the same time and no one cares (+1 for Telecom companies)
=> National Security agencies, good luck trying to track foreign agents and terrorists when they use a time machine
* A database containing thousands of phone numbers and their IMSIs has been leaked online
=> Tracking mobile users for fun and profit!
15. Some security incidents and facts in Lebanon
* One of the biggest online e-commerce companies had its admin panel login page injectable via 'OR 1=1--
=> Information disclosure and compromise of hundreds of credit cards
* Serious vulnerabilities in Telecom companies web services
=> Privacy invasion, and abuse of web and mobile services
* A number of government websites main pages defaced
=> 4 shared-hosting servers, hundreds of websites penetrated
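The admin-login bypass on this slide, as an added example that is not from the talk: a login check built by string concatenation next to the same check with bound parameters, run against the payload quoted above. The table, user and credential are constructed for the demo; a real system would store salted password hashes rather than cleartext.

```python
import sqlite3

# Constructed in-memory admin table for the demo (cleartext password
# is only here to keep the example short; never do this in production).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: user input becomes part of the SQL text.

    With username 'OR 1=1-- the statement turns into
      ... WHERE username = ''OR 1=1--' AND password = '...'
    and everything after -- is a comment, so the row count is 1.
    """
    sql = ("SELECT COUNT(*) FROM admins WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Bound parameters: the input is compared as data, never parsed as SQL.

    The same payload is just a username string that matches no row.
    """
    sql = "SELECT COUNT(*) FROM admins WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(username, password):
    """Return (vulnerable_result, hardened_result) for one login attempt."""
    return (login_vulnerable(make_db(), username, password),
            login_parameterized(make_db(), username, password))


if __name__ == "__main__":
    payload = "'OR 1=1--"          # the string quoted on the slide
    print("payload  ->", compare(payload, "anything"))   # (True, False)
    print("real creds ->", compare("admin", "s3cret"))   # (True, True)
```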
16. Some security incidents and facts in Lebanon
* We keep hearing about local websites being hacked
=> among them are for media, universities and big parties...
* Some ISP companies are abusing customers' data traffic
=> e.g. hijacking Facebook accounts
* Tried to approach a number of big Lebanese companies about security weaknesses in their systems
=> No reply. Silence. They don't care?!
17. For a better digital Lebanon
* Need for a cyber crime law
* Need for skilled personnel at the different parties involved in cyber crime in Lebanon
* Need for good coordination between the ISPs and the government agencies
* Need the government to impose a clear and strict operating policy on ISPs
* Where is the media? We need awareness!
* Need a call for a Lebanese Hacking group. Are you in?
18. Thank You!
Looking forward to seeing you at the Web Security Workshop :)