15 years through Infosec

Information about 15 years through Infosec

Published on March 5, 2014

Author: saumilshah

Source: slideshare.net


This talk is a collection of my thoughts and observations since my early infosec days - some technical, some philosophical and some pointed questions for all of us to reflect upon. I would like to talk about my journey in the information security industry, from the fledgling years in the late 90s where I was still entrenched in academia to the present day where infosec is redefining the world's political boundaries, literally and figuratively.

15 years through Infosec. #HackCon 2014, Oslo. Saumil Shah, CEO Net Square. net-square HackCon '14

Introduction: @therealsaumil, saumilshah. Educating, entertaining and exasperating audiences since 1999.

The Evolution of Targets

How Have Targets Shifted? Servers, Applications, Desktops, Browsers, Identities.

The Game Changers: Perimeter Security, Web Apps, Broadband Networks, WiFi, Social Networks, Cellular Data.

Target Top Spot – Retail, Manufacturing, IT. Shifted away from financial organizations to its users. Myth: Insiders cause the maximum damage. Attribution to external attackers: 92% (5 yr avg: >70%). 2008: Servers 94%, Users 17%. 2012: Servers 54%, Users 71%. Shift in attacker profile: organized crime, state sponsored "threat actors". Effectiveness of breach detection: IT Audits, Fraud detection, IDS, Logs, MSS < 1%.

"A wall is only as good as those who defend it" Genghis Khan

The user's going to pick dancing pigs over security every time. Bruce Schneier

Technology in the hands of users

Intelligence Driven Defence: From reactive to proactive

The Evolution of Exploits

The Advance of Exploits

It was different 12 years ago! Individual effort. 1 week dev time. 3-6 months shelf life. Hundreds of public domain exploits. "We did it for the fame. lols."

Today... Team effort. 2-12 month dev time. 24h to 10d shelf life. Public domain exploits nearly zero. Cost, value of exploits has significantly risen. WEAPONIZATION.

"For a few hundred K, could you put together a team that would break-in just about anywhere?" Haroon Meer, CCDCOE Conference on Cyber Conflict - 2010

$100k – 500k

Attacking is (much) cheaper than defence. Attacker toolchains are far more complex than the public demonstrations we have seen so far.

Exploit Buyers. Exploits: .gov, corporate espionage, organized crime.

Vulnerability | $ | Source
"Some exploits" | 250,000 | Govt. official referring to what "some people" pay
A "real good" exploit | > 100,000 | SNOsoft Research Team
Chrome | 60,000 | Google
Vista | 50,000 | Raimund Genes, Trend Micro
Weaponized exploit | 30,000 | David Maynor, Secureworks
iDefense purchases | 10,000 | David Maynor, Secureworks
WMF | 4,000 | Alexander Gostev, Kaspersky
Google | 3,133.7 | Google
Mozilla | 3,000 | Mozilla
Excel | 1,200 | Ebay auction site
credit: Forbes 23.3.2012 "Shopping for Zero Days"; Charlie Miller, the 0-day market

The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious. Doctor Who, "Pirate Planet". XKCD 358 "Security"

What Secure means to me

Confidentiality, Integrity, Availability? Invulnerable? Up-to-date? Accountable?

Found a huge J2EE bug in 2002. BEA: Configuration mistake. Sun: You can't do that! Allaire: Thanks, here is a t-shirt. IBM: Fix in 7 days, gave credit.

OSX goto fail patch time: 93 hrs

What defenders are up to
HIGH EXPOSURE:
• Rigorous Internal Testing
• Proactive Exploit Mitigation Technology
• Quick Turnaround Times (24 hours)
• Mature Bug Bounties
HIGH EXPOSURE:
• Good Efforts but no Transparency
• Don't have Resources Focus
• Slow Turnaround Times (4 days - 1 month)
• Learning the hard way

Bug Bounties: high stakes game. Chris Evans – Pwnium: Element 1337

What "SECURE" means to me: Resilience, Fitness. Max time to fix: 72 hrs

On Standards, Compliance & Certification

Compliance != Security

Peter Gibbons, Office Space: "My only real motivation is not to be hassled, that and the fear of losing my job. But you know, Bob, that will only make someone work just hard enough not to get fired."

Certifications... oh, the irony!

EC Council gets record pwnage. GOING ONCE, GOING TWICE, GONE!

Who are you more scared of? Attackers or Auditors?

Threat Model APT Testing Social Media Threats "Every Day is a 0-day" Red Teams Reactive to PROACTIVE

BSIMM

Necessity is the Mother of Invention

Firewalls | One-way Hacking
IDS/IPS | Packet Fragmentation
Antivirus | Obfuscation
WAF | Character Encoding
Endpoint Security | DNS Exfiltration
ASLR, DEP | Return Oriented Programming
Sandbox | Jailbreak

My attempts at writing books

I'm Flattered :)

Inside Out Attacks - 1999

One Way Attacks - 2001: Web application discovery; Finding the entry point (command execution as nobody or web user); Uploader; Web Shell; Upload attack tools; Pilfer web application; Privilege escalation; SQL command prompt; GAME OVER!

HTTP Page Signatures - 2002. 200:A302E6F1DC10112A5AF8624E5EA11B367F93DD04. Accurately identify HTTP responses. Minimize false positives in error detection. Content Independent. Computation time: O(n). Comparison time: O(k).

HTTP Fingerprinting - 2003

Teflon - 2008. My humble attempt at browser security. "Anti-stick for your browser's attack surface". FAILED RESEARCH.

Abusing URL Shorteners - 2010. Alpha Encoded Exploit, Tiny URL, ZOMFG

Greetings Professor Falken

I'm an evil Javascript. I'm an innocent image.

Cross Container Scripting (XCS) - 2012: <img src="itsatrap.gif"> <script src="itsatrap.gif"> </script>

Alpha encoded exploit code <script src="1.gif"> </script> IMAJS CANVAS "loader" script <img src="2.png" id="decodeme">

Theory Becomes Practice - 2014. Hiding In Plain Sight

Infosec Conferences

1999: Blackhat and Defcon. Blackhat – 15 years in a row. RSA 2002 – the only commercial con. HITB, Cansecwest, HackLU, NullCON, Hackcon, ITWeb, IT Underground, IT Defense, DeepSec, NoSuchCon, REcon, SeacureIT, 44CON, SyScan...

1 conference every 3 days... [Chart, 1997 to 2013; source: http://cc.thinkst.com]

...and 5000 talks for 2013! [Chart, 1997 to 2013; source: http://cc.thinkst.com]

Hacker Cons: Where else will you find a more diverse, open, global, talented and energetic crowd?

Hackerspaces: "There are many men in London, who, some from shyness, some from misanthropy, have no wish for the company of their fellows. Yet they are not averse to comfortable chairs and the latest periodicals."

My type of hacker cons: Smaller events, Single/Dual track, Meet the speakers, Meet the audience, Learn something new!

Researchers Wants "Mr. Right Now" Mr. Right Industry Mind the Researcher/Industry Gap

Hackers: who are we?



Rebels? Heretics? Anarchists? Free-thinkers?

"The time to think of your ethical boundaries is BEFORE you are put in a difficult situation." Alex Stamos, The White Hat's Dilemma, Defcon 21

You find a critical remote exploit in a very widespread product. Do you:
A) Publicly announce the flaw immediately
B) Build a whole Black Hat talk around it
C) Perform responsible disclosure with deadlines
D) Use it to sell "consulting" to the vendor
E) Weaponize and sell directly to your government
F) Weaponize and sell to a trader
G) Use it yourself for fun and/or profit
READ HIS TALK AND ANSWER ALL HIS QUESTIONS! Alex Stamos – The White Hat's Dilemma, DC21

And who am I?
saumil ttys001 Mar 5 17:20
saumil@gayatri:~$ _

I stood on the shoulders of giants

Stranger Than Fiction! Big Fish (2003)

On Security Products

My Product building journey: Web app scanners, Network scanner, Windows Desktop Scanner, Share Inspector, Accounts Inspector, Browser plug-in for app testing, ServerDefender, Hardened Browser from Chromium code base

Everyone builds the "Homer Car"

Why Johnny Can't Pentest: http://www.cs.ucsb.edu/~vigna/publications/2010_doupe_cova_vigna_dimva10.pdf

On Stunts and Sensationalism

"If you can bear to hear the truth you've spoken Twisted by knaves to make a trap for fools" Rudyard Kipling

Media training is an OPSEC skill. Vet your journo. "Off the record". Answer in writing. Putting words in your mouth. Stay on target. Watch your mouth. The Grugq, grugq.tumblr.com

"Preventing Security Theatre is OUR responsibility" Andrea Barisani, No Such Con #1 Keynote. IT Security community loses reputation. Remediation NOT given to original researchers.

wget - Deadly Hacker Tool?

The Future

2010: DEP bypassing ROP code, Man in the Browser, Political Cyber warfare

2011: Browser Attacks, PDF Attacks, Web App Attacks, Social Engineering

2012: Full ASLR by 2014, Mobile Attacks, Real Time Analytics, Blurred boundaries, IPv6

2013

The future is already here

Today: Realtime acquisition, storage, analysis and correlation of ALL data. Tomorrow: Predictions

Will the Internet remain a level playing field?

Special Thanks: Haroon Meer & Marco Slaviero, Andrea Barisani, Roelof Temmingh, Alex Stamos, The Grugq, Hackcon crew & our fantastic community!

Further Reading
Con Collector: http://cc.thinkst.com/
The White Hat's Dilemma: http://tinyurl.com/whitehatdilemma
Realtime: http://www.realtime-film.com/
Media training – OPSEC for hackers: http://tinyurl.com/opsecmedia1 http://tinyurl.com/opsecmedia2

Thank You... Questions? #HackCon 2014, Oslo. saumil@net-square.com @therealsaumil
