security war stories – shuman ghosemajumder – qcon

For my other blog posts on QCon, see the live blog table of contents. Shuman is from Shape Security and used to be the “Click Fraud Czar” at Google – the role that protects AdWords from malicious users.

  • “Computer security is like broccoli. You know you should have it but would rather have chocolate”
  • “My objective today is not to scare you, but it doesn’t necessarily hurt”
  • “If I were legally responsible for the security of the software I wrote, I would quit my job immediately … and probably move to a non-extradition country” – anon at QCon

How to make a system completely secure

  1. Get rid of business model
  2. Don’t connect to internet

Security is relative – really about tradeoffs

History

  • 1903 – Marconi showing telegraph at Royal Institution. Tapping didn’t sound right to his assistant’s assistant. A magician (Nevil Maskelyne) was tapping “rats” in morse code. Then changed to “There was a young fellow of Italy who diddled the public quite prettily.” Marconi claimed nobody could interfere – don’t promise what you can’t deliver! Maskelyne was also an early white hat hacker, exposing the flaw publicly.
  • 1939 – Bletchley Park – crack Enigma during World War II
  • 1957 – Joe Engressia learned that whistling at a certain frequency gets free long distance calls. In the 60’s and 70’s, those who couldn’t whistle at 2600 hertz used a blue box to produce the tone.
  • 1968 – Morris worm – one of the first worms
  • 1992 – First polymorphic virus – constantly changes as it infects each new machine, so anti-virus looking for a standard signature can’t see it
  • 1994 – First kit for script kiddies. Didn’t need to be very skilled to attack.
  • 2002 – Bill Gates finally made security a top priority at Microsoft

Present

  • Don’t even have to go back 24 hours to find a data breach.
  • Mark Zuckerberg’s bad password
  • Credential stuffing – relatively new type of attack with multiple specialists. Has multiple parts.
    • Attackers usually have a 0.1%-2% success rate in finding password reuse (using one stolen password on another site).
    • With a million stolen passwords, an attacker can quickly take over 10K accounts without anyone knowing.
    • Invisible – the user doesn’t know the account is hacked.
    • Using a botnet so the target site can’t detect a pattern of bad attempts either. Looks like a popular day on your website and not a hacking attempt.
    • Over 500 million leaked passwords on the dark net. So attackers start with known good passwords.
    • Good – Netflix reset passwords based on ANOTHER company’s breach
    • Sentry MBA is a credential stuffing tool. Raw materials: credentials that are out there, IP addresses in a proxy list and even help to get past captchas. Third party system for getting past captchas as well, mixing OCR (computers doing it) and mturk (humans doing it in developing countries)
    • Organic traffic has a pattern/cycles throughout the day. Inorganic traffic has a different shape. You can see the normal shape if you look at the graph without login URLs.
    • Botnets are distributed globally so you can’t block IPs by region.
    • Other things like monitoring also produce a spike.
    • Every website has a tiny bit of attacks. These crawlers are just the background radiation of the internet. This is an opportunistic probe. A bigger attacker has a profit motive so will stop or re-tool. The idea is to make it as expensive as possible for the attacker.
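As an added example of the detection idea in these notes (compare login traffic against the site’s organic shape, and look for IPs each cycling through several accounts), this Python is mine, not the speaker’s or Shape Security’s: the log format, the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from statistics import median
# Constructed log format for this example: "<ip> [<hour>] <path> [user=<name>]"
LINE = re.compile(r"^(?P<ip>\S+) \[(?P<hour>\d{2})\] (?P<path>\S+)(?: user=(?P<user>\S+))?$")

def hourly_stats(lines):
    """Per hour: share of requests hitting /login, and distinct usernames per login IP."""
    total, logins = Counter(), Counter()
    users_by_ip = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        total[m["hour"]] += 1
        if m["path"] == "/login":
            logins[m["hour"]] += 1
            users_by_ip[m["hour"]][m["ip"]].add(m["user"])
    stats = {}
    for hour in sorted(total):
        per_ip = [len(names) for names in users_by_ip[hour].values()]
        stats[hour] = {
            "login_share": logins[hour] / total[hour],
            "users_per_ip": sum(per_ip) / len(per_ip) if per_ip else 0.0,
        }
    return stats

def flag_stuffing_hours(lines, share_factor=3.0, min_users_per_ip=2.0):
    """Hours whose login share is far above the usual shape (median as baseline,
    so one bad hour does not pull it up) and whose login IPs each try several accounts."""
    stats = hourly_stats(lines)
    baseline = median(s["login_share"] for s in stats.values())
    return [h for h, s in stats.items()
            if s["login_share"] > share_factor * baseline
            and s["users_per_ip"] >= min_users_per_ip]

# Constructed sample: hours 09 and 10 are organic browsing with a few logins;
# hour 11 carries a stuffing run spread over ten IPs, each trying four accounts.
SAMPLE_LOG = (
    [f"10.0.0.{i} [09] /home" for i in range(12)]
    + [f"10.0.0.{i} [09] /login user=u{i}" for i in range(3)]
    + [f"10.0.1.{i} [10] /catalog" for i in range(14)]
    + [f"10.0.1.{i} [10] /login user=u{i}" for i in range(3)]
    + [f"10.0.2.{i} [11] /home" for i in range(12)]
    + [f"203.0.113.{i % 10} [11] /login user=victim{i}" for i in range(40)]
)

if __name__ == "__main__":
    print(flag_stuffing_hours(SAMPLE_LOG))  # ['11']
```

The thresholds are deliberately loose; on a real site the baseline should come from the site’s own non-login traffic shape over many days, as the notes suggest.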

Future

  • Because the present isn’t scary enough, the future is scarier
  • Attack surface is related to complexity
  • “Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can” – Jamie Zawinski.
  • Weak AI is already here. (ex: AIs representing users) Strong AI is much further out.
  • Sci fi: Black Mirror. Device records everything and you can replay it on demand. Privacy and security implications. Imagine if this data could be changed or published.
  • New attack surfaces:
    • autonomous vehicles
    • always on IoT devices like Amazon Echo could do surveillance
    • Apple Home – can unlock your home doors. Can turn on your lights/stereo at night randomly like a horror movie. Someone could have a heart attack because they think the house is possessed
  • New technology creates new attacks
    • Audio/video fidelity – could steal fingerprints from far away or record every conversation from far away
    • Battery life – run surveillance device for weeks
    • CPU power – defeat encryption
  • New attacks create unforeseen consequences – now we have to take off shoes before flying

What can we do?

  • Pareto Principle – focus on where you get the most benefit
  • Cybercriminals innovate. So do security services/standards/platforms

qcon tuesday 2016 – live blog table of contents

I’m attending QCon New York 2016 for one day (Tuesday). I got a free pass for being selected for a BoF (Birds of A Feather) tonight. This post is the table of contents for all the sessions I attended (and will be filled in with blog posts as the day goes on).

Interesting logistics

  • InfoQ is 10 years old
  • Community night – 7:15-9:55 is open to non-conference attendees
  • I’m doing one of four BoFs. Plus a conference session on papers, JavaSig and vendor sessions. Lots of things at the same time. To incentivize people to stay, they are raffling a conference ticket.
  • Wireless has a 20 minute timeout. And there’s 25 minutes between sessions. Sounds like a lot of re-connecting over the day.

Note: I’m blogging from a computer rather than an iPad (since I needed the computer for the BoF) – so typing quality is better than usual.

qcon – live blog table of contents

I’m attending QCon New York which is run by InfoQ.com. At the end, I’ll update this post to be a table of contents of my blog posts from the conference.

My live blog posts

Wednesday

Thursday

Friday

That’s 9742 words live blogged not counting this post (which gets it to 10K) and an average blog post size of 487. The “Too Big To Fail” session was an outlier at 827; must have liked it a lot.

My overall impressions
The conference in general seems set up well with 25 minutes between talks along with an open space by area at the end of the day (not presentations; discussions). For lunch they have tables designed for discussion – large normal conference tables, 4 person discussion tables and “loner” tables. I also like the intro about usability including the big names on the badge.

The intro also had each track lead give an overview of the talks in their track. This felt like overkill as this was online and most people think about what they want to attend before showing up.

Logistically, I really like that you gave feedback by putting a green, yellow or red paper as you walk out the door of the session. Low overhead; low time commitment and asked while you still remember the details.