12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey


Published on February 16, 2014

Author: saumilshah



I started my company, Net-Square, 12 years ago. This talk is a collection of 13 thoughts and observations from the past 12 years - some technical, some philosophical and some pointed questions for all of us to reflect upon. I would like to talk about my journey in the information security industry, from the fledgling years in the late 90s where I was still entrenched in academia to the present day where infosec is redefining the world's political boundaries, literally and figuratively. This talk is not a rant, not a venting session and certainly not a criticism of sorts as many infosec talks have now become.

12 Years and a Baker's Dozen - Lessons and learnings from my Infosec journey. Saumil Shah, CEO, Net-Square. #NullCON 2014, Goa. net-square NullCON '14

@therealsaumil / saumilshah

1. The Evolution of Targets

How Have Targets Shifted? Servers → Applications → Desktops → Browsers → Identities

The Game Changers: Perimeter Security, Web Apps, Broadband Networks, WiFi, Social Networks, Cellular Data

Target Top Spot – Retail, Manufacturing, IT. Shifted away from financial organizations to its users.
Myth: Insiders cause the maximum damage. Attributed to external attackers: 92% (5 yr avg: >70%).
2008: Servers 94%, Users 17%. 2012: Servers 54%, Users 71%.
Shift in attacker profile: organized crime, state sponsored "threat actors".
Effectiveness of breach detection (IT Audits, Fraud detection, IDS, Logs, MSS): < 1%

"A wall is only as good as those who defend it" - Genghis Khan

"The user's going to pick dancing pigs over security every time." - Bruce Schneier

Intelligence Driven Defence: from reactive to proactive

2. The Evolution of Exploits

The Advance of Exploits

It was different 12 years ago!
• Individual effort
• 1 week dev time
• 3-6 months shelf life
• Hundreds of public domain exploits
• "We did it for the fame. lols."

Today...
• Team effort
• 2-12 month dev time
• 24h to 10d shelf life
• Public domain exploits nearly zero
• Cost, value of exploits has significantly risen
• WEAPONIZATION.

"For a few hundred K, could you put together a team that would break-in just about anywhere?" - Haroon Meer, CCDCOE Conference on Cyber Conflict, 2010

$100k – 500k

Attacking is (much) cheaper than defence. Attacker toolchains are far more complex than the public demonstrations we have seen so far.

Exploit Buyers: .gov, corporate espionage, organized crime

Vulnerability            $          Source
"Some exploits"          250,000    Govt. official referring to what "some people" pay
A "real good" exploit    > 100,000  SNOsoft Research Team
Chrome                   60,000     Google
Vista                    50,000     Raimund Genes, Trend Micro
Weaponized exploit       30,000     David Maynor, Secureworks
iDefense purchases       10,000     David Maynor, Secureworks
WMF                      4,000      Alexander Gostev, Kaspersky
Google                   3,133.7    Google
Mozilla                  3,000      Mozilla
Excel                    1,200      Ebay auction site
credit: Forbes 23.3.2012, "Shopping for Zero Days"; Charlie Miller, "the 0-day market"

Attack Sophistication

3. What Secure means to me

Confidentiality, Integrity, Availability / Invulnerable, Up-to-date, Accountable

Found a huge J2EE bug in 2002. BEA: Configuration mistake. Sun: You can't do that! Allaire: Thanks, here is a t-shirt. IBM: Fix in 7 days, gave credit.

What defenders are up to
HIGH EXPOSURE: Rigorous Internal Testing; Proactive Exploit Mitigation Technology; Quick Turnaround Times (24 hours); Mature Bug Bounties
HIGH EXPOSURE: Good Efforts; Don't have resources / focus; Slow Turnaround Times (1 month); Learning the hard way

Bug Bounties: high stakes game. Chris Evans – Pwnium: Element 1337

The Lure of Bug Bounties: Take up a QA job instead, or better yet, build the goose that lays the golden eggs.

What "SECURE" means to me: Resilience. Fitness. Max time to fix: 72 hrs

4. On Standards & Compliance

Feeling Secure?

Compliance != Security

Peter Gibbons, Office Space: "My only real motivation is not to be hassled, that and the fear of losing my job. But you know, Bob, that will only make someone work just hard enough not to get fired."



Who are you more scared of? Attackers or Auditors?

5. Necessity is the Mother of Invention

Firewalls → One-way Hacking
IDS/IPS → Packet Fragmentation
Antivirus → Obfuscation
WAF → Character Encoding
Endpoint Security → DNS Exfiltration
ASLR, DEP → Return Oriented Programming
Sandbox → Jailbreak
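Each of the pairs above is a defence and the technique that grew up to get around it. As an added illustration (not part of the talk), here is the detection side of the "Endpoint Security → DNS Exfiltration" pair: a small Python scan over a constructed DNS query log that looks for what exfiltration over DNS leaves behind, a stream of long, high-entropy labels from one client under one domain. The log format, the thresholds, the "last two labels" base-domain heuristic and the sample data are all assumptions made for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the talk). Format assumed:
# "<timestamp> <client-ip> <queried-name>", one query per line.
SAMPLE_LOG = """\
2014-02-15T14:35:01 10.0.0.12 www.example.com
2014-02-15T14:35:02 10.0.0.12 mail.example.com
2014-02-15T14:35:03 10.0.0.44 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c1.exfil-demo.test
2014-02-15T14:35:03 10.0.0.44 13579bdf02468ace13579bdf02468ace.c2.exfil-demo.test
2014-02-15T14:35:04 10.0.0.44 ace02468bdf13579ace02468bdf13579.c3.exfil-demo.test
2014-02-15T14:35:04 10.0.0.44 fedcba98765432100123456789abcdef.c4.exfil-demo.test
2014-02-15T14:35:05 10.0.0.44 www.example.com
2014-02-15T14:35:06 10.0.0.12 d1b2c3e4f5a6b7c8d9e0f1a2b3c4d5e6.cloudfront-example.net
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a single DNS label."""
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Return a list of (timestamp, client, qname) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), m.group(3).lower().rstrip(".")))
    return records


def base_domain(qname: str) -> str:
    """Assumption: the registrable domain is the last two labels.
    Production code would consult the Public Suffix List instead."""
    return ".".join(qname.split(".")[-2:])


def looks_encoded(qname: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """A query looks like carried data if any label below the base domain is both
    long and high-entropy, which is what hex- or base32-encoded chunks look like.
    Legitimate names (CDN asset hashes) can trip this too, so it is only a per-query hint."""
    labels = qname.split(".")[:-2]
    return any(len(lbl) >= min_len and shannon_entropy(lbl) >= min_entropy for lbl in labels)


def find_exfil_candidates(records, min_count: int = 3):
    """Group encoded-looking queries by (client, base domain) and report only groups
    reaching min_count: one odd name is noise, a stream of them is a channel."""
    counts = defaultdict(int)
    for _ts, client, qname in records:
        if looks_encoded(qname):
            counts[(client, base_domain(qname))] += 1
    return {key: n for key, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for (client, domain), n in find_exfil_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{client} sent {n} encoded-looking queries under {domain}")
```

On the constructed log, the single CDN-style name from 10.0.0.12 is flagged per query but never reaches the report, while the four chunked queries from 10.0.0.44 under one domain do; counting per client and domain rather than alerting per query is what keeps the false-positive rate tolerable.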

My attempts at writing books

Inside Out Attacks - 1999

One Way Attacks - 2001: Web application discovery → Finding the entry point (command execution as nobody or web user) → Uploader → Web Shell → Upload attack tools → Pilfer web application → Privilege escalation → SQL command prompt → GAME OVER!

HTTP Page Signatures - 2002. Example signature: 200:A302E6F1DC10112A5AF8624E5EA11B367F93DD04. Accurately identify HTTP responses. Minimize false positives in error detection. Content independent. Computation time: O(n). Comparison time: O(k).
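The signature format above is a status code, a colon and a SHA-1 digest, with the stated properties of content independence, O(n) computation and O(k) comparison. As an added example (not the 2002 method itself, which is not reproduced here), the Python below shows one way to get those properties: hash only the page's tag skeleton, so that two error pages differing only in the echoed URL collapse to one signature, and a "200 OK" carrying the error page's skeleton can be recognised as an error in disguise. The tag-skeleton choice and the sample responses are assumptions made for this illustration.

```python
import hashlib
import re

# Assumed construction: "<status>:<SHA-1 hex>" where the digest covers only the
# sequence of tag names (text and attribute values dropped). This is what makes
# the signature "content independent" in this illustration.
_TAG_RE = re.compile(r"<\s*(/?)\s*([A-Za-z][A-Za-z0-9]*)")


def tag_skeleton(body: str) -> str:
    """One pass over the body (O(n)): keep tag names, marking closing tags with '/'.
    Note: a bare '<' in text followed by letters would be read as a tag; acceptable here."""
    return " ".join(slash + name.lower() for slash, name in _TAG_RE.findall(body))


def page_signature(status: int, body: str) -> str:
    """Signature in the talk's format: status code, colon, upper-case SHA-1 hex."""
    digest = hashlib.sha1(tag_skeleton(body).encode("utf-8")).hexdigest().upper()
    return f"{status}:{digest}"


def same_structure(sig_a: str, sig_b: str) -> bool:
    """Compare the fixed-length digests only (O(k), k = digest length), ignoring status."""
    return sig_a.split(":", 1)[1] == sig_b.split(":", 1)[1]


def is_soft_404(status: int, body: str, known_error_sig: str) -> bool:
    """A 200 whose skeleton matches the server's known error page is an error page in disguise."""
    return status == 200 and same_structure(page_signature(status, body), known_error_sig)


# Constructed sample responses (not from the talk).
NOT_FOUND_FOO = (
    "<html><head><title>404 Not Found</title></head><body>"
    "<h1>Not Found</h1><p>The requested URL /foo was not found on this server.</p>"
    "</body></html>"
)
NOT_FOUND_BAR = (
    "<html><head><title>404 Not Found</title></head><body>"
    "<h1>Not Found</h1><p>The requested URL /bar/baz.php was not found on this server.</p>"
    "</body></html>"
)
WELCOME = (
    "<html><head><title>Welcome</title></head><body>"
    "<h1>Welcome</h1><ul><li>Home</li><li>Login</li></ul>"
    "</body></html>"
)


if __name__ == "__main__":
    err = page_signature(404, NOT_FOUND_FOO)
    print(err)
    print("same error page:", same_structure(err, page_signature(404, NOT_FOUND_BAR)))
    print("soft 404:", is_soft_404(200, NOT_FOUND_BAR, err))
    print("welcome differs:", not same_structure(err, page_signature(200, WELCOME)))
```

Because the digest is fixed length, a scanner can keep one signature per known error page and compare each new response against that small set at constant cost per comparison, which is where the O(k) comparison time comes from.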

HTTP Fingerprinting - 2003

Teflon - 2008: My humble attempt at browser security. "Anti-stick for your browser's attack surface". FAILED RESEARCH.

Abusing URL Shorteners - 2010: Alpha Encoded Exploit. Tiny URL. ZOMFG.

Greetings Professor Falken

I'm an evil Javascript. I'm an innocent image.

Cross Container Scripting (XCS) - 2012: <img src="itsatrap.gif"> <script src="itsatrap.gif"></script>

Alpha encoded exploit code: <script src="1.gif"></script>. IMAJS: CANVAS "loader" script, <img src="2.png" id="decodeme">

Theory Becomes Practice - 2014: Hiding In Plain Sight

6. Infosec Conferences

1999: Blackhat and Defcon. Blackhat – 15 years in a row. RSA 2002 – the only commercial con. HITB, Cansecwest, HackLU, NullCON, Hackcon, ITWeb, IT Underground, IT Defense, DeepSec, NoSuchCon, REcon, SeacureIT, 44CON, SyScan...

1 conference every 3 days... [chart: number of conferences per year, 1997 to 2013, scale 0 to 200]

...and 5000 talks for 2013! [chart: number of talks per year, 1997 to 2013, scale 0 to 5000]

Hacker Cons: Where else will you find a more diverse, open, global, talented and energetic crowd?

Hackerspaces: "There are many men in London, who, some from shyness, some from misanthropy, have no wish for the company of their fellows. Yet they are not averse to comfortable chairs and the latest periodicals."

My type of hacker cons: Smaller events. Single/Dual track. Meet the speakers. Meet the audience. Learn something new!

Researchers vs Industry: wants "Mr. Right Now" vs Mr. Right. Mind the Researcher/Industry Gap.

7. Hackers: who are we?

My Hacker Hero

Heretics? Blasphemers? Anarchists? Free-thinkers? Rebels?

"The time to think of your ethical boundaries is BEFORE you are put in a difficult situation." - Alex Stamos, The White Hat's Dilemma, Defcon 21

You find a critical remote exploit in a very widespread product. Do you:
A) Publicly announce the flaw immediately
B) Build a whole Black Hat talk around it
C) Perform responsible disclosure with deadlines
D) Use it to sell "consulting" to the vendor
E) Weaponize and sell directly to your government
F) Weaponize and sell to a trader
G) Use it yourself for fun and/or profit
READ HIS TALK AND ANSWER ALL HIS QUESTIONS! (Alex Stamos – The White Hat's Dilemma, DC21)

8. And who am I?

saumil ttys001 Feb 15 14:35
saumil@gayatri:~$ _

I stood on the shoulders of giants

Stranger Than Fiction: Big Fish (2003)

9. On building Products

My Product building journey: Web app scanners. Network scanner. Windows Desktop Scanner. Share Inspector. Accounts Inspector. Browser plug-in for app testing. ServerDefender. Hardened Browser from Chromium code base.

Don't build the "Homer Car"

Why Johnny Can't Pentest (2010_doupe_cova_vigna_dimva10.pdf)

Schools Shaping Our Thoughts

10. When the going gets tough

Stolen Ideas, Stolen Content

I'm Flattered :)

...fool me twice, shame on me.

11. On Stunts and Sensationalism

"If you can bear to hear the truth you've spoken / Twisted by knaves to make a trap for fools" - Rudyard Kipling

Media training is an OPSEC skill (The Grugq): Vet your journo. "Off the record". Answer in writing. Putting words in your mouth. Stay on target. Watch your mouth.

"Preventing Security Theatre is OUR responsibility" - Andrea Barisani, No Such Con #1 Keynote. IT Security community loses reputation. Remediation NOT given to original researchers.

12. On India and Cyber security

DARPA CFT (Mudge): New way of working with people in a change-resistant organization. Fresh thought, fresh talent. Low overhead and investment. Crowdsource. Catalyse. Did not LOCK IN participants.

Indigenous Cryptography: Military Grade vs Commercial Grade

Trusted OS Initiative: The "Theo de Raadt" approach to OpenBSD. Open Source. Maintained, verified, updated and distributed.

13. The Future

2010: DEP bypassing ROP code. Man in the Browser. Political Cyber warfare.

2011: Browser Attacks. PDF Attacks. Web App Attacks. Social Engineering.

2012: Full ASLR by 2014. Mobile Attacks. Real Time Analytics. Blurred boundaries. IPv6.

2013: > the future is already here

Today: Realtime acquisition, storage, analysis and correlation of ALL data. Tomorrow: Predictions.

Will the Internet remain a level playing field?

Special Thanks: Haroon Meer & Marco Slaviero, Andrea Barisani, Roelof Temmingh, Alex Stamos, The Grugq, NULL & our fantastic community!

Further Reading: Con Collector. The White Hat's Dilemma. Realtime. Media training – OPSEC for hackers.

Thank You... Questions? #NullCON 2014, Goa. @therealsaumil

