Jarrod Overson, profile picture
Uploaded byJarrod Overson
1,418 views

The Dark Side of Security

This document discusses the dark side of web security, including automated threats from bots and attackers. It notes that traditional security like flossing is difficult to measure effectiveness. It outlines the OWASP top 10 vulnerabilities and automated threats attackers use. While captchas are meant to stop bots, services have made bypassing captchas easier. If a site has value like money, data, or content, there is value in exploiting it. Detection of attacks is difficult as attackers use many proxies and fingerprints to avoid detection. Patching is not enough, and spikes in traffic from many IPs could indicate an attack.

Embed presentation

Downloaded 22 times
The Dark Side of Security Jarrod Overson - @jsoverson - Shape Security
Not this dark side…
… the darkness that hides the unknown
Traditional web security is like flossing. Deep down we know we should care, but it's difficult to see if the effort is paying off.
OWASP Top 10 A1 – Injection A2 – Broken Authentication and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery (CSRF) A9 – Using Known Vulnerable Components A10 – Unvalidated Redirects and Forwards
OWASP Automated Threats OAT-020 Account Aggregation OAT-006 Expediting OAT-019 Account Creation OAT-004 Fingerprinting OAT-003 Ad Fraud OAT-018 Footprinting OAT-009 CAPTCHA Bypass OAT-005 Scalping OAT-010 Card Cracking OAT-011 Scraping OAT-001 Carding OAT-016 Skewing OAT-012 Cashing Out OAT-013 Sniping OAT-007 Credential Cracking OAT-017 Spamming OAT-008 Credential Stuffing OAT-002 Token Cracking OAT-015 Denial of Service OAT-014 Vulnerability Scanning
Our user-friendly APIs enable our attackers
Not just these APIs
The APIs we expose unintentionally.
The APIs we expose unintentionally.
The APIs we expose unintentionally.
It's more than just massive breaches from large companies, too.
It's small continuous, streams of exploitable data
When you read about breaches, what do you do?
Even if you have the most secure site in the world, we don't protect against legitimate user logins.
If your users were robots, could you tell?
What percentage of traffic is from bots?
92% ( Current record for automation against a login page, via Shape Security ) What percentage of traffic is from bots?
Why?
Do you… For example Store a type of currency? actual money, point values, gift cards Sell goods? physical, digital, services Have unique PII? health care, social networks Have user generated content? forums, social networks, blogs, comments Have time sensitive features? tickets, flash sales, reservations Pay for digitally validated behavior? ad clicks, reviews, "uber for X"
If you have value, there is value in exploiting you.
But we have captchas!
But captchas don't work.
Estimated 200 million+ hours spent every year deciphering squiggly letters. Luis Von Ahn, creator of captcha * *
Services have been made making captcha bypass even easier.
Services have been made making captcha bypass even easier.
Ever wonder where these ads go?
There's big money in "Work from Home Data Entry" jobs
So we seek alternatives.
Some rely on simple behavior analysis
Some rely on kittens
Some rely on a love for death metal
Some are very high profile
How?
They use a lot of the same tools we already use.
Once you detect an attacker, they are easy to block. Right?
One attacker from one machine can be blocked by IP.
Many attackers sound dangerous but aren't as common as they are made out to be.
One attacker using proxies to look like thousands of users across the globe is difficult to detect and block.
Spikes of traffic across many IPs are normal, except when they aren't
The devices themselves leave fingerprints
And tools are made to leave no fingerprints
Lots of tools.
We can't patch our way through this.
How would you react if you went from … Legitimate traffic
To this Automation detected and blocked Legitimate traffic
Automation detected and blocked Legitimate traffic To this
Automation detected and blocked Legitimate traffic To this
To get an idea, search for : • <your company, service, or CMS> fullz • <your company, service, or CMS> sentrymba • <your company, service, or CMS> carding • <your company, service, or CMS> <tool> tutorial Not sure if you have a problem?
The Dark Side of Security Jarrod Overson - @jsoverson - Shape Security

More Related Content

PDF
The Life of Breached Data & The Dark Side of Security
byJarrod Overson
 
PDF
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse
byDavid Freeman
 
PPTX
Email attacks and shimming attack
byPaul Mbua
 
PDF
Shape Security @ WaffleJS October 16
byJarrod Overson
 
PPT
Beyond The Norm: Building Secure Websites
byAdria Richards
 
PDF
Server-Side Second Factors: Approaches to Measuring User Authenticity
byDavid Freeman
 
PPTX
Tune in for the Ultimate WAF Torture Test: Bots Attack!
byDistil Networks
 
PPTX
2018 Hacked Website Trends
bySucuri
 
The Life of Breached Data & The Dark Side of Security
byJarrod Overson
 
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse
byDavid Freeman
 
Email attacks and shimming attack
byPaul Mbua
 
Shape Security @ WaffleJS October 16
byJarrod Overson
 
Beyond The Norm: Building Secure Websites
byAdria Richards
 
Server-Side Second Factors: Approaches to Measuring User Authenticity
byDavid Freeman
 
Tune in for the Ultimate WAF Torture Test: Bots Attack!
byDistil Networks
 
2018 Hacked Website Trends
bySucuri
 

Similar to The Dark Side of Security

PDF
Web hackingtools 2015
byColdFusionConference
 
PPTX
OWASP TOP 10
byRobert MacLean
 
PDF
Web hackingtools 2015
bydevObjective
 
PDF
OWASP Top 10 - 2017
byHackerOne
 
PPTX
OWASP Top 10 - 2017 Top 10 web application security risks
byKun-Da Wu
 
ODP
Hunting Security Bugs in Modern Web Applications
byToe Khaing
 
PDF
Web Application Security
byn|u - The Open Security Community
 
PDF
The life of breached data and the attack lifecycle
byJarrod Overson
 
PDF
Things that go bump on the web - Web Application Security
byChristian Heilmann
 
PPTX
What Makes Web Applications Desirable For Hackers
byJaime Manteiga
 
PPTX
Thoughts on Defensive Development for Sitecore
byPINT Inc
 
PPTX
A DevOps Guide to Web Application Security
byImperva Incapsula
 
PDF
Web hackingtools cf-summit2014
byColdFusionConference
 
PDF
Abuse prevention in the globally distributed economy presentation
byJustin Dorfman
 
PPTX
Owasp web application security trends
bybeched
 
PPTX
[2.1] Web application Security Trends - Omar Ganiev
byOWASP Russia
 
PDF
The State of Application Security: What Hackers Break
byImperva
 
PDF
The State of Application Security: What Hackers Break
byImperva
 
PDF
Web Security: What's wrong, and how the bad guys can break your website
byAndrew Sorensen
 
PPTX
Don't blink creating secure software
bylogsentinel
 
Web hackingtools 2015
byColdFusionConference
 
OWASP TOP 10
byRobert MacLean
 
Web hackingtools 2015
bydevObjective
 
OWASP Top 10 - 2017
byHackerOne
 
OWASP Top 10 - 2017 Top 10 web application security risks
byKun-Da Wu
 
Hunting Security Bugs in Modern Web Applications
byToe Khaing
 
Web Application Security
byn|u - The Open Security Community
 
The life of breached data and the attack lifecycle
byJarrod Overson
 
Things that go bump on the web - Web Application Security
byChristian Heilmann
 
What Makes Web Applications Desirable For Hackers
byJaime Manteiga
 
Thoughts on Defensive Development for Sitecore
byPINT Inc
 
A DevOps Guide to Web Application Security
byImperva Incapsula
 
Web hackingtools cf-summit2014
byColdFusionConference
 
Abuse prevention in the globally distributed economy presentation
byJustin Dorfman
 
Owasp web application security trends
bybeched
 
[2.1] Web application Security Trends - Omar Ganiev
byOWASP Russia
 
The State of Application Security: What Hackers Break
byImperva
 
The State of Application Security: What Hackers Break
byImperva
 
Web Security: What's wrong, and how the bad guys can break your website
byAndrew Sorensen
 
Don't blink creating secure software
bylogsentinel
 

More from Jarrod Overson

PDF
The State of Credential Stuffing and the Future of Account Takeovers.
byJarrod Overson
 
PDF
Deepfakes - How they work and what it means for the future
byJarrod Overson
 
PDF
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
byJarrod Overson
 
PDF
Managing JavaScript Complexity
byJarrod Overson
 
PDF
Practical WebAssembly with Apex, wasmRS, and nanobus
byJarrod Overson
 
PDF
How to Reverse Engineer Web Applications
byJarrod Overson
 
PDF
How Credential Stuffing is Evolving - PasswordsCon 2019
byJarrod Overson
 
PDF
AppSecCali - How Credential Stuffing is Evolving
byJarrod Overson
 
PDF
Idiot proofing your code
byJarrod Overson
 
PDF
Maintainability SFJS Sept 4 2014
byJarrod Overson
 
PDF
Riot on the web - Kenote @ QCon Sao Paulo 2014
byJarrod Overson
 
PDF
Analysis of an OSS supply chain attack - How did 8 millions developers downlo...
byJarrod Overson
 
PDF
Managing JavaScript Complexity in Teams - Fluent
byJarrod Overson
 
PDF
JavaScript and the AST
byJarrod Overson
 
PDF
Real World Web components
byJarrod Overson
 
PDF
ES2015 workflows
byJarrod Overson
 
PDF
Continuous Delivery for the Web Platform
byJarrod Overson
 
PDF
Graphics Programming for Web Developers
byJarrod Overson
 
The State of Credential Stuffing and the Future of Account Takeovers.
byJarrod Overson
 
Deepfakes - How they work and what it means for the future
byJarrod Overson
 
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
byJarrod Overson
 
Managing JavaScript Complexity
byJarrod Overson
 
Practical WebAssembly with Apex, wasmRS, and nanobus
byJarrod Overson
 
How to Reverse Engineer Web Applications
byJarrod Overson
 
How Credential Stuffing is Evolving - PasswordsCon 2019
byJarrod Overson
 
AppSecCali - How Credential Stuffing is Evolving
byJarrod Overson
 
Idiot proofing your code
byJarrod Overson
 
Maintainability SFJS Sept 4 2014
byJarrod Overson
 
Riot on the web - Kenote @ QCon Sao Paulo 2014
byJarrod Overson
 
Analysis of an OSS supply chain attack - How did 8 millions developers downlo...
byJarrod Overson
 
Managing JavaScript Complexity in Teams - Fluent
byJarrod Overson
 
JavaScript and the AST
byJarrod Overson
 
Real World Web components
byJarrod Overson
 
ES2015 workflows
byJarrod Overson
 
Continuous Delivery for the Web Platform
byJarrod Overson
 
Graphics Programming for Web Developers
byJarrod Overson
 

Recently uploaded

PDF
OFFENSIVE OPERATIONS : THE ANATOMY OF A NETWORK TAKEOVER
byBangladesh Network Operators Group
 
PPT
INTRODUCTION_TO_SOFTWARE_APPLICATION.pptx
byMESFINBELAY4
 
PPTX
ENDNOTE refrencing how to do step by step..
byhumairasohaib19
 
PPTX
ARCHITECTURESACGCHCIUOHCOHCSAKJCOQKCHUO.pptx
bymchlrdpc2921
 
PDF
Automating ISP Networks Using Ansible and IPAM as a Source of Truth [SoT]
byBangladesh Network Operators Group
 
PDF
A Day in the Life of IPv6 Scanning by Matsuzaki ʻmazʼ
byBangladesh Network Operators Group
 
PDF
DNSSEC Implementation Journey at Prime Bank’s Domain
byBangladesh Network Operators Group
 
PDF
Cybrain Software Solutions – Building Future-Ready Digital Tools
byCybrain Software Solutions
 
PPTX
evolution of internet (internet journey)
byyamunadevi49
 
PPTX
BTCFi on Starknet,Troves.fi offers automated strategies for Bitcoin users on ...
bytrovesfi
 
PDF
A La Recherche Du Temps Perdu: In Search of the Cozy Web
byJen Looper
 
PPTX
AI Presentation it all about what is ai and how to implement in real life
byshraddhasule1710
 
PPTX
Facebook: How to Maximize for Everyday Business
byLP3I Surabaya
 
PPTX
Passive Presentation pasdskpasdasdasdasf
byNoOne501682
 
PPTX
MEANING OF EMOJIS OF SOCIAL MEDIA - RUKUNDO Emmanuel..pptx
bysongsormusics
 
OFFENSIVE OPERATIONS : THE ANATOMY OF A NETWORK TAKEOVER
byBangladesh Network Operators Group
 
INTRODUCTION_TO_SOFTWARE_APPLICATION.pptx
byMESFINBELAY4
 
ENDNOTE refrencing how to do step by step..
byhumairasohaib19
 
ARCHITECTURESACGCHCIUOHCOHCSAKJCOQKCHUO.pptx
bymchlrdpc2921
 
Automating ISP Networks Using Ansible and IPAM as a Source of Truth [SoT]
byBangladesh Network Operators Group
 
A Day in the Life of IPv6 Scanning by Matsuzaki ʻmazʼ
byBangladesh Network Operators Group
 
DNSSEC Implementation Journey at Prime Bank’s Domain
byBangladesh Network Operators Group
 
Cybrain Software Solutions – Building Future-Ready Digital Tools
byCybrain Software Solutions
 
evolution of internet (internet journey)
byyamunadevi49
 
BTCFi on Starknet,Troves.fi offers automated strategies for Bitcoin users on ...
bytrovesfi
 
A La Recherche Du Temps Perdu: In Search of the Cozy Web
byJen Looper
 
AI Presentation it all about what is ai and how to implement in real life
byshraddhasule1710
 
Facebook: How to Maximize for Everyday Business
byLP3I Surabaya
 
Passive Presentation pasdskpasdasdasdasf
byNoOne501682
 
MEANING OF EMOJIS OF SOCIAL MEDIA - RUKUNDO Emmanuel..pptx
bysongsormusics
 

The Dark Side of Security

  • 1.
    The Dark Sideof Security Jarrod Overson - @jsoverson - Shape Security
  • 2.
  • 3.
    … the darknessthat hides the unknown
  • 4.
    Traditional web securityis like flossing. Deep down we know we should care, but it's difficult to see if the effort is paying off.
  • 5.
    OWASP Top 10 A1– Injection A2 – Broken Authentication and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery (CSRF) A9 – Using Known Vulnerable Components A10 – Unvalidated Redirects and Forwards
  • 6.
    OWASP Automated Threats OAT-020Account Aggregation OAT-006 Expediting OAT-019 Account Creation OAT-004 Fingerprinting OAT-003 Ad Fraud OAT-018 Footprinting OAT-009 CAPTCHA Bypass OAT-005 Scalping OAT-010 Card Cracking OAT-011 Scraping OAT-001 Carding OAT-016 Skewing OAT-012 Cashing Out OAT-013 Sniping OAT-007 Credential Cracking OAT-017 Spamming OAT-008 Credential Stuffing OAT-002 Token Cracking OAT-015 Denial of Service OAT-014 Vulnerability Scanning
  • 7.
    Our user-friendly APIsenable our attackers
  • 8.
  • 9.
    The APIs weexpose unintentionally.
  • 10.
    The APIs weexpose unintentionally.
  • 11.
    The APIs weexpose unintentionally.
  • 15.
    It's more thanjust massive breaches from large companies, too.
  • 16.
    It's small continuous,streams of exploitable data
  • 17.
    When you readabout breaches, what do you do?
  • 18.
    Even if youhave the most secure site in the world, we don't protect against legitimate user logins.
  • 19.
    If your userswere robots, could you tell?
  • 21.
    What percentage oftraffic is from bots?
  • 22.
    92% ( Current recordfor automation against a login page, via Shape Security ) What percentage of traffic is from bots?
  • 23.
  • 24.
    Do you… Forexample Store a type of currency? actual money, point values, gift cards Sell goods? physical, digital, services Have unique PII? health care, social networks Have user generated content? forums, social networks, blogs, comments Have time sensitive features? tickets, flash sales, reservations Pay for digitally validated behavior? ad clicks, reviews, "uber for X"
  • 25.
    If you havevalue, there is value in exploiting you.
  • 26.
    But we havecaptchas!
  • 27.
  • 28.
    Estimated 200 million+hours spent every year deciphering squiggly letters. Luis Von Ahn, creator of captcha * *
  • 29.
    Services have beenmade making captcha bypass even easier.
  • 30.
    Services have beenmade making captcha bypass even easier.
  • 31.
    Ever wonder wherethese ads go?
  • 32.
    There's big moneyin "Work from Home Data Entry" jobs
  • 33.
    So we seekalternatives.
  • 34.
    Some rely onsimple behavior analysis
  • 35.
    Some rely onkittens
  • 36.
    Some rely ona love for death metal
  • 37.
    Some are veryhigh profile
  • 38.
  • 39.
    They use alot of the same tools we already use.
  • 46.
    Once you detectan attacker, they are easy to block. Right?
  • 47.
    One attacker fromone machine can be blocked by IP.
  • 48.
    Many attackers sounddangerous but aren't as common as they are made out to be.
  • 49.
    One attacker usingproxies to look like thousands of users across the globe is difficult to detect and block.
  • 50.
    Spikes of trafficacross many IPs are normal, except when they aren't
  • 51.
    The devices themselvesleave fingerprints
  • 52.
    And tools aremade to leave no fingerprints
  • 53.
  • 55.
    We can't patchour way through this.
  • 56.
    How would youreact if you went from … Legitimate traffic
  • 57.
    To this Automation detectedand blocked Legitimate traffic
  • 58.
    Automation detected andblocked Legitimate traffic To this
  • 59.
    Automation detected andblocked Legitimate traffic To this
  • 60.
    To get anidea, search for : • <your company, service, or CMS> fullz • <your company, service, or CMS> sentrymba • <your company, service, or CMS> carding • <your company, service, or CMS> <tool> tutorial Not sure if you have a problem?
  • 61.
    The Dark Sideof Security Jarrod Overson - @jsoverson - Shape Security