Published on August 16, 2012
What is coming in 2012? Saumil Shah CEO, Net-Squarenet-square HACKCON7 Oslo - 29.03.12
# who am iSaumil Shah, CEO Net-Square.• Hacker, Speaker, Trainer, Author - 15 yrs in Infosec.• M.S. Computer Science Purdue University.• firstname.lastname@example.org• LinkedIn: saumilshah• Twitter: @therealsaumilnet-square
My area of work Penetration Reverse Exploit Testing Engineering Writing New Offensive Attack Research Security Defense Conference "Eyes and Speaker ears open"net-square
Highlights from 2010-2011net-square "The Future is already here"
DigiNotar - SSL Certificatesnet-square
...did it lead to this?net-square
Who had the last LOL? Infiltration is a 2 way streetnet-square
The economy is growing!!PlayersServicesPricesnet-square
The Underground Marketplace SPAM DDoS Carding Money Target Botnets Exchange Profiles 0day Botnet Exploit Exploits Kits Packsnet-square
Underground Economy World of Warcraft account $4 Paypal/Ebay account $8 Credit Card $25 Bank Account $1000 0-day exploits WMF Exploit $4000 Quicktime/iTunes/RealPlaye $10000 r Mac OS X $10000 + free Mac Windows 7 $50000 IE / Firefox / Chrome $100000 PDF $100000 SCADA $250000+net-square credit: Hacks Happen - Jeremiah Grossman - http://tinyurl.com/hacks-happen
CC Search, DDoS $80/daynet-square credit: From Russia With Love - Fyodor Yarochkin and The Grugq - http://tinyurl.com/frmrussiawlove
DIY Botnets for $700/yrnet-square
Trends in Exploit Developmentnet-square
It was different 10 years ago!• Individual effort.• 1 week dev time.• 3-6 months shelf life.• Hundreds of public domain exploits.• "We did it for the fame."net-square
Today... • Team effort. • 1-2 months dev time. • 24h to 10d shelf life. • Public domain exploits ~ 0. • Value of exploits has significantly risen.net-square
No More Free Bugsnet-square
High stakes gamenet-square
What the Defense is up to • HIGH EXPOSURE • Rigorous Internal Testing • Proactive Exploit Mitigation Technology • Quick Turnaround Times (24 hours) • Bug Bounties • HIGH EXPOSURE • Good Efforts • Dont have resources / focus • Slow Turnaround Times (1 month) • Learning the hard waynet-square
/GS SafeSEH DEP ASLRPermanent DEPASLR and DEP net-square
/GS SEH overwrites SafeSEH non-SEH DLLs DEP Return to LibC ASLR Heap SpraysPermanent DEP ROPASLR and DEP ROP+memleak net-square
I can haz sploits!?net-square
The buyers .gov Exploits corporate organized espionage crimenet-square
The pricesVulnerability Value (USD) Source"Some exploits" 200,000-250,000 Govt. official referring to what "some people" pay.A "real good" exploit > 100,000 SNOsoft Research TeamChrome exploit upto 60,000 GoogleVista exploit 50,000 Raimund Genes, Trend MicroWeaponized exploit 20,000-30,000 David Maynor, SecureworksZDI/iDefense purchases 2,000-10,000 David Maynor, SecureworksWMF exploit 4,000 Alexander Gostev, KasperskyGoogle exploit 500-3133.7 GoogleMozilla exploit 500-3000 MozillaMicrosoft Excel > 1,200 Ebay auction sitenet-square credit: Charlie Miller - http://securityevaluators.com/files/papers/0daymarket.pdf
"We pay better."net-square
Exploit Sophistication ms10-002 Java ieobject Applet full ASLR+DEP bypass Drive-bynet-square
Web App Vulnerabilities HTML HTTP Bloated +0.1 standardsnet-square
Application HTTP DeliveryAJAX AuthenticationFlash StatefulnessSandbox Data TypingHTML5 Non-mutableCSPCORS... net-square
Breaches in 2011855 incidents 174M records net-square credit: Verizon Data Breach Incident Report 2011
Attack Techniques 2007-2011net-square credit: Verizon Data Breach Incident Report 2011
Popular Attack Techniques Stolen login credentials Keyloggers C&C Backdoorsnet-square credit: Verizon Data Breach Incident Report 2011
96% attacks were"not difficult"net-square credit: Verizon Data Breach Incident Report 2011
The Bad Guysnet-square
Extent of damage causedSony breach• $170 millionT J Maxx breach• $17 millionnet-square
Nick Leeson $1.31b Kweku Adoboli $2b Jerome Kerviel Bernie Madoff $50bnet-square $7.22b
Software Developers...• ...more dependent on external tools and frameworks for security.• Less on design and proper implementation.net-square
Software Development Trends 17 million devs 102 billion lines of code 6000 LOC/yr in 2008 1 bug per 10000 lines of code 10,200,000 defects per year 1% exploitable? 102,000 0-days/yrnet-square credit: Hacks Happen - Jeremiah Grossman - http://tinyurl.com/hacks-happen
Security Products• Same ol same ol• FW IDS IPS AV SIEM UTM DLP DPI WAF ...• "Sit back and watch das blinkenlights"net-square
Do Signatures Work?net-square
Effectiveness of AV/IDS/IPS/...net-square credit: twitter.com/j0emccray
The weak minded are easily trickednet-square
"A wall is only as good as those who defend it" Genghis Khannet-square
Change in Mindset "We assume that all our Internet Banking customers computers are compromised. We now rely on near real- time fraud analytics."net-square
The FUTURE? Full ASLR by 2014 Mobile Attacks Real Time Analytics Blurred boundaries IPv6net-square
The 2012 phenomenon was a range of eschatological beliefs that cataclysmic ... earnings by 2010 because they believed the world would end in 2012. ...
End of the world 2012 [Short Cut] Never before has a date in history been so significant to so many cultures, so many religions, scientists, and ...
Dec. 21, 2012, wasn't the end of the world, and here's why. ...
The Mayan calendar ended one of its great cycles in December 2012, which has fueled countless predictions about the end of the world on December 21, 2012 ...
Get the single "2012 (If the World Would End)" here: ... Published on Mar 16, 2012. Get the single "2012 (If the World Would End)" here: ...
2009 2010 2011 – 2012 – 2013 2014 2015: ... July 30–31 – In the worst power outage in world history, the 2012 India blackouts leave 620 million ...
Will World End in 2012? Many Prepare ... Sections; Top Stories; Video; Election; U.S. World; Entertainment; Health; Tech; Lifestyle
End Of The World Doomsday explains doomsday predictions like galactic alignment, solar flares, nostradamus and other end of the world doomsday theories
Ich stimme zu, dass diese Seite Cookies für Analysen, personalisierte Inhalte und Werbung verwendet.
Title: 2012 (2009) 5.8 /10. Want to share IMDb's rating on your own site? Use the HTML below. You must be a registered ...