2012: The End of the World?

57 %
43 %
Information about 2012: The End of the World?

Published on August 16, 2012

Author: saumilshah

Source: slideshare.net


My presentation at HackCon 7 Oslo, exploring where the world of information security is headed. Crude vs. stealthy exploit techinques, the underground digital economy, failure of anti-virus, the future of web application security and the (de)evolution of browsers and HTTP.

What is coming in 2012? Saumil Shah CEO, Net-Squarenet-square HACKCON7 Oslo - 29.03.12

# who am iSaumil Shah, CEO Net-Square.• Hacker, Speaker, Trainer, Author - 15 yrs in Infosec.• M.S. Computer Science Purdue University.• saumil@net-square.com• LinkedIn: saumilshah• Twitter: @therealsaumilnet-square

My area of work Penetration Reverse Exploit Testing Engineering Writing New Offensive Attack Research Security Defense Conference "Eyes and Speaker ears open"net-square

Highlights from 2010-2011net-square "The Future is already here"


DigiNotar - SSL Certificatesnet-square


RSA SecurID...net-square

...did it lead to this?net-square

Who had the last LOL? Infiltration is a 2 way streetnet-square

The economy is growing!!PlayersServicesPricesnet-square



The Underground Marketplace SPAM DDoS Carding Money Target Botnets Exchange Profiles 0day Botnet Exploit Exploits Kits Packsnet-square

Underground Economy World of Warcraft account $4 Paypal/Ebay account $8 Credit Card $25 Bank Account $1000 0-day exploits WMF Exploit $4000 Quicktime/iTunes/RealPlaye $10000 r Mac OS X $10000 + free Mac Windows 7 $50000 IE / Firefox / Chrome $100000 PDF $100000 SCADA $250000+net-square credit: Hacks Happen - Jeremiah Grossman - http://tinyurl.com/hacks-happen

CC Search, DDoS $80/daynet-square credit: From Russia With Love - Fyodor Yarochkin and The Grugq - http://tinyurl.com/frmrussiawlove

DIY Botnets for $700/yrnet-square

Exploit Packsnet-square

Trends in Exploit Developmentnet-square

It was different 10 years ago!• Individual effort.• 1 week dev time.• 3-6 months shelf life.• Hundreds of public domain exploits.• "We did it for the fame."net-square

Today... • Team effort. • 1-2 months dev time. • 24h to 10d shelf life. • Public domain exploits ~ 0. • Value of exploits has significantly risen.net-square

No More Free Bugsnet-square

High stakes gamenet-square

What the Defense is up to • HIGH EXPOSURE • Rigorous Internal Testing • Proactive Exploit Mitigation Technology • Quick Turnaround Times (24 hours) • Bug Bounties • HIGH EXPOSURE • Good Efforts • Dont have resources / focus • Slow Turnaround Times (1 month) • Learning the hard waynet-square

/GS SafeSEH DEP ASLRPermanent DEPASLR and DEP net-square

/GS SEH overwrites SafeSEH non-SEH DLLs DEP Return to LibC ASLR Heap SpraysPermanent DEP ROPASLR and DEP ROP+memleak net-square

I can haz sploits!?net-square

The buyers .gov Exploits corporate organized espionage crimenet-square

The pricesVulnerability Value (USD) Source"Some exploits" 200,000-250,000 Govt. official referring to what "some people" pay.A "real good" exploit > 100,000 SNOsoft Research TeamChrome exploit upto 60,000 GoogleVista exploit 50,000 Raimund Genes, Trend MicroWeaponized exploit 20,000-30,000 David Maynor, SecureworksZDI/iDefense purchases 2,000-10,000 David Maynor, SecureworksWMF exploit 4,000 Alexander Gostev, KasperskyGoogle exploit 500-3133.7 GoogleMozilla exploit 500-3000 MozillaMicrosoft Excel > 1,200 Ebay auction sitenet-square credit: Charlie Miller - http://securityevaluators.com/files/papers/0daymarket.pdf

"We pay better."net-square

Exploit Sophisticationnet-square

Exploit Sophistication ms10-002 Java ieobject Applet full ASLR+DEP bypass Drive-bynet-square

Web App Vulnerabilities HTML HTTP Bloated +0.1 standardsnet-square

Application HTTP DeliveryAJAX AuthenticationFlash StatefulnessSandbox Data TypingHTML5 Non-mutableCSPCORS... net-square

Breaches in 2011855 incidents 174M records net-square credit: Verizon Data Breach Incident Report 2011

Attack Techniques 2007-2011net-square credit: Verizon Data Breach Incident Report 2011

Popular Attack Techniques Stolen login credentials Keyloggers C&C Backdoorsnet-square credit: Verizon Data Breach Incident Report 2011

96% attacks were"not difficult"net-square credit: Verizon Data Breach Incident Report 2011

The Bad Guysnet-square

Extent of damage causedSony breach• $170 millionT J Maxx breach• $17 millionnet-square

Nick Leeson $1.31b Kweku Adoboli $2b Jerome Kerviel Bernie Madoff $50bnet-square $7.22b

Software Developers...• ...more dependent on external tools and frameworks for security.• Less on design and proper implementation.net-square

Software Development Trends 17 million devs 102 billion lines of code 6000 LOC/yr in 2008 1 bug per 10000 lines of code 10,200,000 defects per year 1% exploitable? 102,000 0-days/yrnet-square credit: Hacks Happen - Jeremiah Grossman - http://tinyurl.com/hacks-happen

Security Products• Same ol same ol• FW IDS IPS AV SIEM UTM DLP DPI WAF ...• "Sit back and watch das blinkenlights"net-square

Do Signatures Work?net-square

Effectiveness of AV/IDS/IPS/...net-square credit: twitter.com/j0emccray

The weak minded are easily trickednet-square

"A wall is only as good as those who defend it" Genghis Khannet-square

Change in Mindset "We assume that all our Internet Banking customers computers are compromised. We now rely on near real- time fraud analytics."net-square

The FUTURE? Full ASLR by 2014 Mobile Attacks Real Time Analytics Blurred boundaries IPv6net-square

Add a comment

Related presentations

Presentación que realice en el Evento Nacional de Gobierno Abierto, realizado los ...

In this presentation we will describe our experience developing with a highly dyna...

Presentation to the LITA Forum 7th November 2014 Albuquerque, NM

Un recorrido por los cambios que nos generará el wearabletech en el futuro

Um paralelo entre as novidades & mercado em Wearable Computing e Tecnologias Assis...

Microsoft finally joins the smartwatch and fitness tracker game by introducing the...

Related pages

2012 phenomenon - Wikipedia, the free encyclopedia

The 2012 phenomenon was a range of eschatological beliefs that cataclysmic ... earnings by 2010 because they believed the world would end in 2012. ...
Read more

End of the world 2012 - YouTube

End of the world 2012 [Short Cut] Never before has a date in history been so significant to so many cultures, so many religions, scientists, and ...
Read more

Why the World Didn't End | NASA

Dec. 21, 2012, wasn't the end of the world, and here's why. ...
Read more

End of the world December 21, 2012? - timeanddate.com

The Mayan calendar ended one of its great cycles in December 2012, which has fueled countless predictions about the end of the world on December 21, 2012 ...
Read more

Mike Candys - 2012 (If The World Would End) (Official ...

Get the single "2012 (If the World Would End)" here: ... Published on Mar 16, 2012. Get the single "2012 (If the World Would End)" here: ...
Read more

2012 - Wikipedia, the free encyclopedia

2009 2010 2011 – 2012 – 2013 2014 2015: ... July 30–31 – In the worst power outage in world history, the 2012 India blackouts leave 620 million ...
Read more

Will the World End in 2012? - ABC News

Will World End in 2012? Many Prepare ... Sections; Top Stories; Video; Election; U.S. World; Entertainment; Health; Tech; Lifestyle
Read more

End Of The World - End Of The World Predictions

End Of The World Doomsday explains doomsday predictions like galactic alignment, solar flares, nostradamus and other end of the world doomsday theories
Read more

2012 End Of The World Compilation, Vol. 6 - Microsoft Store

Ich stimme zu, dass diese Seite Cookies für Analysen, personalisierte Inhalte und Werbung verwendet.
Read more

2012 (2009) - IMDb

Title: 2012 (2009) 5.8 /10. Want to share IMDb's rating on your own site? Use the HTML below. You must be a registered ...
Read more