SlideShare une entreprise Scribd logo

Broken by design (Danny Fullerton)

Hackfest Communication
Hackfest Communication

If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that’s not security. That’s obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications and a hundred identical safes with their combinations so that the world’s best safecrackers can study it and you still can’t open the safe, that’s security.

Technologie
1  sur  24
Something's wrong. So much computers compromised, so much in botnets, so much stolen credit cards, everyday sees more zero-days and weakens our posture. We‟re still relying on reactive technology such as anti- virus which can‟t keep up with the threat. Do you feel safe after installing the latest security patch? I don‟t, not anymore. It‟s a chase between us trying to keep up with vulnerabilities. We still heavily rely on too much reaction and too little prevention. We are playing mouse and cat. I believe we are doing something wrong. I believe we have to change the way we do security. At this point I feel like we are loosing the battle.
The fact is: it‟s really hard to write secure software. It‟s hard to justify in the first place and it‟s really hard to get right. It‟s been like that since the beginning and nothing has changed. The question is « what do we do about it? »
… we use isolation. Those rectangles represent the code of an application. The blue part is sensitive code which, as an example, might be used to administer the application. At the left, any bug would compromise the entire application while at the right, the sensitive code is isolated. Thereof, the application on the right is much easier to secure. You can put your « limited » effort/time in securing this part instead of the entire picture. « Security by Correctness » is highly dependent on size and simplicity. In that sense « Security by Isolation » is a great complement to it.
Architecture (ia32, amd64): ● At first, we tried isolation. The goal was to build a deep Isolation (3 layer) between untrusted code and the kernel. ● Obviouly it dind‟t work as intended and there is a good reason for this: performance issues, complexity issues. ● The end result? Current OS security model (unix/linux/windows/macosx) are highly dependent on « Security by Correctness ». Any bug in drivers, services or the kernel is a major issue. ● Don‟t get me wrong, « Security by Correctness » is an important aspect of security but it should not be used at this magnitude.
On the server, we do have some tools but the problem? It‟s still not defacto. Most company does not use this. It‟s not available by default, requires custom setup (AIX, HPUX,Solaris, Redhat, most Linux). Still loads of commercial « enterprise » application require administrator/root privilege. On the workstation side it‟s a lot worst. Every software you download and run get access to everything you have. I remember seeing some notice such as « don‟t run Xchat under root privilege »… yeah right, like root had more to protect then I do: everything I need to protect, all my documents are owned by me, not root. On android each app runs in a different context and have different rights. This is a great start, but still not perfect.
Nothing new for any security guy but I think this one really show how deeply our system architecture is broken. If I hook a Firewire cable from my laptop to yours, I get direct access to your entire system memory which mean I can unlock your screen, inject a rootkit or whatever. It‟s game over. BTW, a PoC is available. Shouldn't the network card be limited to the network driver memory space?
Really, something's wrong.
I believe Qubes OS should have a lot more attention from the community. This is one model which really has the ability to bring our workstation to a new level. In order to understand QubesOS you have to free your mind about what you used to think when we say Virtual Machine. We are not talking about VMware server/ESX here. We‟re talking about running multiple environments isolated from each other. Disposable VM: An environment where you don‟t care being vulnerable and compromised. You have no personal info in this VM and each time you close the window, everything is restored. Net VM: Your network stack get compromised? No big deal, it‟s isolated! Storage VM…
The different window border colors identifies the different VMs. In this model the VM running my MP3 player wouldn't have access to my financial reports. The PDF I just downloaded from an untrusted website could be open in a Disposable VM. If the PDF was malicious it wouldn't have access to anything interesting and the malware would vanish as soon as I close it.
This is a really big project which will radically change the way we do security. [explain (Intel, IBM, HP, AMD, etc), VT-d/IOMMU] It‟s very different from other security measures: it‟s hardware supported. TXT aka « lagrande » is the Intel implementation of Trusted Computing. Measurements: ability to determine which environment is running (bios, bootloader, os, etc) in a secure manner. Sealed storage: Unlock data only when a specific environment is running. For more info a highly recommend reading: Dynamics of Trusted Computing- A Building block approach from David Grawrock Intel Senior Principal Engineer and Security Architect.
Here‟s a really simple use case which uses some trusted computing mechanism. Trusted computing is a tool and can be used in different ways and this is only a simple example of what can be done. In this example, the principle is to send a validation request to a trusted environment which is isolated (and can be small and simple) and can be verified (audited).
On the left we have a standard operating system, let‟s say Windows or Linux with Firefox. On the right side, we have a very limited protected operating system. Protected means protected by TXT. Therefor, it would not be affected by the Firewire (DMA) attack I talked about or whatever else. At the bottom we have a VMM/Hypervisor using TXT too. The VMM and the limited OS are very small and simple software in which we can have a high level of trust (tested/audited).
An XML confirmation request is created and sent to the protected system which displays a confirmation message to user using a “trusted output”: « Ready to buy this item for 45$? ». The user accepts or denies the confirmation request using “trusted input”. Both “trusted input and trusted output” are paths which cannot be manipulated by the Standard partition.
If the user accepts, the applet asks the TPM to sign the request with sealed « user‟s ebay key ». Since the key is sealed, the TPM will take measurements of the current system and evaluate if the required environment is loaded before signing the request. This measurement process is done by the hardware and it validates every piece of software running (VMM, Limited OS, Applet). This process ensures the confirmation has been done in a trusted state. No malware, no standard partition, no rootkit can interfere. This is an excellent demonstration of « security by isolation » and « security by correctness » in the right place (small and simple). I believe this is a better way of getting real security.
Ok, let‟s get on something else. The technical stuff is always the easy part in Enterprise. The biggest problem is never on the technical side. It‟s always, `the Enterprise` itself: paperwork, political issues and so on. We, the security community, have been putting all our focus on technical stuff and I believe we‟ve been overlooking an important aspect for too long: Security is a Process (Bruce Schneier) nothing else; but what kind of efforts are we putting into getting this process done correctly??!
ISO and NIST are fine but they are audit oriented and they do not tell you how to build this „security process‟. They tell you what you should be doing. Nothing else. The « how » part is somehow missing. At this date, I consider we apply security in a ad-hoc fashion. It is still badly understood and badly implemented in Enterprise. We have no way to measure our posture. Any new security effort, let‟s say a new antivirus, could actually weaken our security posture and we couldn‟t know. At the end of the project we would congratulate ourselves for the good work we *think* we just did. After all this new antivirus sale pitch was promoting a 60% higher rate of detection! What they weren't telling us is that they detected a lot more, but their quarantine functionality sucked. Would you see the increase in workstation reinstallation due to malware infection?
Now we‟re asked to use external services/infrastructures (clouds) while we have absolutely no clue how they manage security. How can we trust a 3rd party? Does it has something to do with reputation? What processes do they have in place? I want some proof!!!
The community has been putting not much effort on getting those processes right. In enterprise it‟s always a question of getting a global picture and putting our energy/money on what requires it the most. I believe Enterprise security should be just like a game. We should be able to see our score and find out if we did better then the previous months. But the problem is that we don‟t have any *metrics*. We‟re blind.
The idea we had is to build a security standard as we do « Test-Driven Development ». A standard which would take form depending on what you *really* put in place (measured). A standard which is brought alive instead of being an ideal we fantasize about. Let‟s say: all interactive access must be strong (2- factor, encrypted, strong password (8 char). The standard would test and ensure telnet/ftp are disabled, pam require 8 char password and 2-factor authentication. The software is no magic, he won‟t do security for you but will help you getting a structure and better visibility. It is presently develop in Ruby on Rails 3 while probe/agent are written in mostly any language.
Some are manual controls, some are automated. What if we could see exactly how we score. Example: Instead of saying we patch high vulnerability within 2 weeks, speak the truth and get some metrics! SDLC: Each time you deploy a new software. Depending on the classification it would require your developer to comply to the standard: peer review, threat modeling, vulnerability testing, penetration testing with proof and approval.
What type of controls do we most have in place? (Preventive? Detective? Reactive? Etc.) How mature are we within each process? (patch management CMM 2) Process coverage: what part of my policy do I cover with tests? (Oh I have very few test on “physical access management”!) What security domain do I neglect? (Hum, we have no controls on the “human resource background check”) All of this is be address by this “live security standard”.
In the next few months, Mantor will be providing a DNSSEC management service. Since this a security product, I don‟t get to see how people would let us manage their DNS record without trusting us. They need to known what we do from a security standpoint… Well, that‟s what we‟ll do. We‟ll use the « live security standard » application to provide insight into how we manage and maintain the security of our infrastructure (2011).
At the end, if we leverage « security by isolation » to use « security by correctness » at the right place and we work on getting metrics out of our « security processes », I believe we will bring information system security to a all new level.
Broken by design (Danny Fullerton)

Recommandé

Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerAdrian Sanabria
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerGFI Software
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Adrian Sanabria
 
AllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security DifferentlyAllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security DifferentlyAaron Rinehart
 
Symantec Data Loss Prevention- From Adoption to Maturity
Symantec Data Loss Prevention- From Adoption to MaturitySymantec Data Loss Prevention- From Adoption to Maturity
Symantec Data Loss Prevention- From Adoption to MaturitySymantec
 
Source Code Security the Symantec Way
Source Code Security the Symantec WaySource Code Security the Symantec Way
Source Code Security the Symantec WaySymantec
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia
 
Secure webdev 3.0
Secure webdev 3.0Secure webdev 3.0
Secure webdev 3.0toots marcelo
 

Recommandé

Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerAdrian Sanabria
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerGFI Software
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Adrian Sanabria
 
AllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security DifferentlyAllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security DifferentlyAaron Rinehart
 
Symantec Data Loss Prevention- From Adoption to Maturity
Symantec Data Loss Prevention- From Adoption to MaturitySymantec Data Loss Prevention- From Adoption to Maturity
Symantec Data Loss Prevention- From Adoption to MaturitySymantec
 
Source Code Security the Symantec Way
Source Code Security the Symantec WaySource Code Security the Symantec Way
Source Code Security the Symantec WaySymantec
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia
 
Secure webdev 3.0
Secure webdev 3.0Secure webdev 3.0
Secure webdev 3.0toots marcelo
 
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec
 
Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...
Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...
Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...Jose Lopez
 
The Thing That Should Not Be
The Thing That Should Not BeThe Thing That Should Not Be
The Thing That Should Not Bemorisson
 
Keeping Your Cloud Data in Check
Keeping Your Cloud Data in CheckKeeping Your Cloud Data in Check
Keeping Your Cloud Data in CheckAlliance Data card services - Know More Sell More
 
The 10 Commandments of Computer Security
The 10 Commandments of Computer SecurityThe 10 Commandments of Computer Security
The 10 Commandments of Computer SecurityTechvera
 
Butler
ButlerButler
ButlerThomas Butler, CISSP, CEH, CHFI, CISA, CPA, CIA
 
Saving One Network At a Time
Saving One Network At a TimeSaving One Network At a Time
Saving One Network At a TimeJeffrey Ong
 
What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401Chris Ross
 
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONSENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONSIJMIT JOURNAL
 
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target 2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target Raleigh ISSA
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyEnergySec
 
Network Environments
Network EnvironmentsNetwork Environments
Network EnvironmentsGFI Software
 
OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...
OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...
OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...Mighty Guides, Inc.
 
Mongoose H4D 2021 Lessons Learned
Mongoose H4D 2021 Lessons LearnedMongoose H4D 2021 Lessons Learned
Mongoose H4D 2021 Lessons LearnedStanford University
 
Building Great Companies on the Cloud
Building Great Companies on the CloudBuilding Great Companies on the Cloud
Building Great Companies on the CloudRoman Stanek
 
Rothke - A Pragmatic Approach To Purchasing Information Security Products
Rothke - A Pragmatic Approach To Purchasing Information Security ProductsRothke - A Pragmatic Approach To Purchasing Information Security Products
Rothke - A Pragmatic Approach To Purchasing Information Security ProductsBen Rothke
 
10 things to teach end users
10 things to teach end users10 things to teach end users
10 things to teach end usersProgressive Integrations
 
Stack Smashing Protector (Paul Rascagneres)
Stack Smashing Protector (Paul Rascagneres)Stack Smashing Protector (Paul Rascagneres)
Stack Smashing Protector (Paul Rascagneres)Hackfest Communication
 
Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...
Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...
Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...Hackfest Communication
 
Du fuzzing dans les tests d'intrusions? (Éric Gingras)
Du fuzzing dans les tests d'intrusions? (Éric Gingras)Du fuzzing dans les tests d'intrusions? (Éric Gingras)
Du fuzzing dans les tests d'intrusions? (Éric Gingras)Hackfest Communication
 
Hackerspace jan-2013
Hackerspace jan-2013Hackerspace jan-2013
Hackerspace jan-2013Hackfest Communication
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 

Contenu connexe

Tendances

Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec
 
Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...
Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...
Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...Jose Lopez
 
The Thing That Should Not Be
The Thing That Should Not BeThe Thing That Should Not Be
The Thing That Should Not Bemorisson
 
The 10 Commandments of Computer Security
The 10 Commandments of Computer SecurityThe 10 Commandments of Computer Security
The 10 Commandments of Computer SecurityTechvera
 
Saving One Network At a Time
Saving One Network At a TimeSaving One Network At a Time
Saving One Network At a TimeJeffrey Ong
 
What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401Chris Ross
 
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONSENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONSIJMIT JOURNAL
 
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target 2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target Raleigh ISSA
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyEnergySec
 
Network Environments
Network EnvironmentsNetwork Environments
Network EnvironmentsGFI Software
 
OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...
OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...
OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...Mighty Guides, Inc.
 
Mongoose H4D 2021 Lessons Learned
Mongoose H4D 2021 Lessons LearnedMongoose H4D 2021 Lessons Learned
Mongoose H4D 2021 Lessons LearnedStanford University
 
Building Great Companies on the Cloud
Building Great Companies on the CloudBuilding Great Companies on the Cloud
Building Great Companies on the CloudRoman Stanek
 
Rothke - A Pragmatic Approach To Purchasing Information Security Products
Rothke - A Pragmatic Approach To Purchasing Information Security ProductsRothke - A Pragmatic Approach To Purchasing Information Security Products
Rothke - A Pragmatic Approach To Purchasing Information Security ProductsBen Rothke
 

Tendances (17)

Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
 
Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...
Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...
Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...
 
The Thing That Should Not Be
The Thing That Should Not BeThe Thing That Should Not Be
The Thing That Should Not Be
 
Keeping Your Cloud Data in Check
Keeping Your Cloud Data in CheckKeeping Your Cloud Data in Check
Keeping Your Cloud Data in Check
 
The 10 Commandments of Computer Security
The 10 Commandments of Computer SecurityThe 10 Commandments of Computer Security
The 10 Commandments of Computer Security
 
Butler
ButlerButler
Butler
 
Saving One Network At a Time
Saving One Network At a TimeSaving One Network At a Time
Saving One Network At a Time
 
What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401
 
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONSENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
 
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target 2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, Anecdotally
 
Network Environments
Network EnvironmentsNetwork Environments
Network Environments
 
OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...
OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...
OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...
 
Mongoose H4D 2021 Lessons Learned
Mongoose H4D 2021 Lessons LearnedMongoose H4D 2021 Lessons Learned
Mongoose H4D 2021 Lessons Learned
 
Building Great Companies on the Cloud
Building Great Companies on the CloudBuilding Great Companies on the Cloud
Building Great Companies on the Cloud
 
Rothke - A Pragmatic Approach To Purchasing Information Security Products
Rothke - A Pragmatic Approach To Purchasing Information Security ProductsRothke - A Pragmatic Approach To Purchasing Information Security Products
Rothke - A Pragmatic Approach To Purchasing Information Security Products
 
10 things to teach end users
10 things to teach end users10 things to teach end users
10 things to teach end users
 

En vedette

Stack Smashing Protector (Paul Rascagneres)
Stack Smashing Protector (Paul Rascagneres)Stack Smashing Protector (Paul Rascagneres)
Stack Smashing Protector (Paul Rascagneres)Hackfest Communication
 
Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...
Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...
Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...Hackfest Communication
 
Du fuzzing dans les tests d'intrusions? (Éric Gingras)
Du fuzzing dans les tests d'intrusions? (Éric Gingras)Du fuzzing dans les tests d'intrusions? (Éric Gingras)
Du fuzzing dans les tests d'intrusions? (Éric Gingras)Hackfest Communication
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 

En vedette (6)

Stack Smashing Protector (Paul Rascagneres)
Stack Smashing Protector (Paul Rascagneres)Stack Smashing Protector (Paul Rascagneres)
Stack Smashing Protector (Paul Rascagneres)
 
Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...
Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...
Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...
 
Du fuzzing dans les tests d'intrusions? (Éric Gingras)
Du fuzzing dans les tests d'intrusions? (Éric Gingras)Du fuzzing dans les tests d'intrusions? (Éric Gingras)
Du fuzzing dans les tests d'intrusions? (Éric Gingras)
 
Hackerspace jan-2013
Hackerspace jan-2013Hackerspace jan-2013
Hackerspace jan-2013
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
Hackfest @ WAQ2011
Hackfest @ WAQ2011Hackfest @ WAQ2011
Hackfest @ WAQ2011
 

Similaire à Broken by design (Danny Fullerton)

Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.uNIX Jim
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
 
Mere Paas Teensy Hai (Nikhil Mittal)
Mere Paas Teensy Hai (Nikhil Mittal)Mere Paas Teensy Hai (Nikhil Mittal)
Mere Paas Teensy Hai (Nikhil Mittal)ClubHack
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HIDNikhil Mittal
 
From 🤦 to 🐿️
From 🤦 to 🐿️From 🤦 to 🐿️
From 🤦 to 🐿️Ori Pekelman
 
Cyber Security and GDPR Made Easy
Cyber Security and GDPR Made EasyCyber Security and GDPR Made Easy
Cyber Security and GDPR Made EasyChristoanSmit
 
Webinar Security: Apps of Steel transcription
Webinar Security: Apps of Steel transcriptionWebinar Security: Apps of Steel transcription
Webinar Security: Apps of Steel transcriptionService2Media
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using KautilyaNikhil Mittal
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Rob Fuller
 
Data security in practice
Data security in practiceData security in practice
Data security in practiceAndres Kütt
 
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingShowing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingDan Kaminsky
 
SELJE - VFP and IT Security.pdf
SELJE - VFP and IT Security.pdfSELJE - VFP and IT Security.pdf
SELJE - VFP and IT Security.pdfEric Selje
 
amrapali builders @@hacking printers.pdf
amrapali builders @@hacking printers.pdfamrapali builders @@hacking printers.pdf
amrapali builders @@hacking printers.pdfamrapalibuildersreviews
 
Elastix network security guide
Elastix network security guideElastix network security guide
Elastix network security guideCristian Calderon
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Dinis Cruz
 
Security - The WLF Principle
Security - The WLF PrincipleSecurity - The WLF Principle
Security - The WLF PrincipleMarco Gralike
 
Chapter 5Overview of SecurityTechnologiesWe can’t h
Chapter 5Overview of SecurityTechnologiesWe can’t hChapter 5Overview of SecurityTechnologiesWe can’t h
Chapter 5Overview of SecurityTechnologiesWe can’t hWilheminaRossi174
 

Similaire à Broken by design (Danny Fullerton) (20)

Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 
Mere Paas Teensy Hai (Nikhil Mittal)
Mere Paas Teensy Hai (Nikhil Mittal)Mere Paas Teensy Hai (Nikhil Mittal)
Mere Paas Teensy Hai (Nikhil Mittal)
 
Security
SecuritySecurity
Security
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HID
 
From 🤦 to 🐿️
From 🤦 to 🐿️From 🤦 to 🐿️
From 🤦 to 🐿️
 
Cyber Security and GDPR Made Easy
Cyber Security and GDPR Made EasyCyber Security and GDPR Made Easy
Cyber Security and GDPR Made Easy
 
Webinar Security: Apps of Steel transcription
Webinar Security: Apps of Steel transcriptionWebinar Security: Apps of Steel transcription
Webinar Security: Apps of Steel transcription
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using Kautilya
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
 
BNI, 10-Minute Pres, IT Business
BNI, 10-Minute Pres, IT BusinessBNI, 10-Minute Pres, IT Business
BNI, 10-Minute Pres, IT Business
 
Data security in practice
Data security in practiceData security in practice
Data security in practice
 
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingShowing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
 
SELJE - VFP and IT Security.pdf
SELJE - VFP and IT Security.pdfSELJE - VFP and IT Security.pdf
SELJE - VFP and IT Security.pdf
 
amrapali builders @@hacking printers.pdf
amrapali builders @@hacking printers.pdfamrapali builders @@hacking printers.pdf
amrapali builders @@hacking printers.pdf
 
Elastix network security guide
Elastix network security guideElastix network security guide
Elastix network security guide
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)
 
Security - The WLF Principle
Security - The WLF PrincipleSecurity - The WLF Principle
Security - The WLF Principle
 
Chapter 5Overview of SecurityTechnologiesWe can’t h
Chapter 5Overview of SecurityTechnologiesWe can’t hChapter 5Overview of SecurityTechnologiesWe can’t h
Chapter 5Overview of SecurityTechnologiesWe can’t h
 

Plus de Hackfest Communication

Conservation et la circulation des renseignements personnels des services de ...
Conservation et la circulation des renseignements personnels des services de ...Conservation et la circulation des renseignements personnels des services de ...
Conservation et la circulation des renseignements personnels des services de ...Hackfest Communication
 
Mots de passe et mécanismes d’authentification (Thomas Pornin)
Mots de passe et mécanismes d’authentification (Thomas Pornin)Mots de passe et mécanismes d’authentification (Thomas Pornin)
Mots de passe et mécanismes d’authentification (Thomas Pornin)Hackfest Communication
 
Comment détecter des virus inconnus en utilisant des « honey pots » et d’autr...
Comment détecter des virus inconnus en utilisant des « honey pots » et d’autr...Comment détecter des virus inconnus en utilisant des « honey pots » et d’autr...
Comment détecter des virus inconnus en utilisant des « honey pots » et d’autr...Hackfest Communication
 
Comment détecter des virus inconnus en utilisant des « Honeypots » et d’autre...
Comment détecter des virus inconnus en utilisant des « Honeypots » et d’autre...Comment détecter des virus inconnus en utilisant des « Honeypots » et d’autre...
Comment détecter des virus inconnus en utilisant des « Honeypots » et d’autre...Hackfest Communication
 
PostNet, une nouvelle ère de Botnet résilient (Julien Desfossez & David Goulet)
PostNet, une nouvelle ère de Botnet résilient (Julien Desfossez & David Goulet)PostNet, une nouvelle ère de Botnet résilient (Julien Desfossez & David Goulet)
PostNet, une nouvelle ère de Botnet résilient (Julien Desfossez & David Goulet)Hackfest Communication
 
La détection d'intrusions est-elle morte en 2003 ? (Éric Gingras)
La détection d'intrusions est-elle morte en 2003 ? (Éric Gingras)La détection d'intrusions est-elle morte en 2003 ? (Éric Gingras)
La détection d'intrusions est-elle morte en 2003 ? (Éric Gingras)Hackfest Communication
 
Responsabilisation des données confidentielles en entreprise (Étienne Dubreuil)
Responsabilisation des données confidentielles en entreprise (Étienne Dubreuil)Responsabilisation des données confidentielles en entreprise (Étienne Dubreuil)
Responsabilisation des données confidentielles en entreprise (Étienne Dubreuil)Hackfest Communication
 
Le GPU à la rescousse du CPU (Charles Demers-Tremblay)
Le GPU à la rescousse du CPU (Charles Demers-Tremblay)Le GPU à la rescousse du CPU (Charles Demers-Tremblay)
Le GPU à la rescousse du CPU (Charles Demers-Tremblay)Hackfest Communication
 
802.1X filaire, un monde idéal illusoire? (Olivier Bilodeau)
802.1X filaire, un monde idéal illusoire? (Olivier Bilodeau)802.1X filaire, un monde idéal illusoire? (Olivier Bilodeau)
802.1X filaire, un monde idéal illusoire? (Olivier Bilodeau)Hackfest Communication
 

Plus de Hackfest Communication (9)

Conservation et la circulation des renseignements personnels des services de ...
Conservation et la circulation des renseignements personnels des services de ...Conservation et la circulation des renseignements personnels des services de ...
Conservation et la circulation des renseignements personnels des services de ...
 
Mots de passe et mécanismes d’authentification (Thomas Pornin)
Mots de passe et mécanismes d’authentification (Thomas Pornin)Mots de passe et mécanismes d’authentification (Thomas Pornin)
Mots de passe et mécanismes d’authentification (Thomas Pornin)
 
Comment détecter des virus inconnus en utilisant des « honey pots » et d’autr...
Comment détecter des virus inconnus en utilisant des « honey pots » et d’autr...Comment détecter des virus inconnus en utilisant des « honey pots » et d’autr...
Comment détecter des virus inconnus en utilisant des « honey pots » et d’autr...
 
Comment détecter des virus inconnus en utilisant des « Honeypots » et d’autre...
Comment détecter des virus inconnus en utilisant des « Honeypots » et d’autre...Comment détecter des virus inconnus en utilisant des « Honeypots » et d’autre...
Comment détecter des virus inconnus en utilisant des « Honeypots » et d’autre...
 
PostNet, une nouvelle ère de Botnet résilient (Julien Desfossez & David Goulet)
PostNet, une nouvelle ère de Botnet résilient (Julien Desfossez & David Goulet)PostNet, une nouvelle ère de Botnet résilient (Julien Desfossez & David Goulet)
PostNet, une nouvelle ère de Botnet résilient (Julien Desfossez & David Goulet)
 
La détection d'intrusions est-elle morte en 2003 ? (Éric Gingras)
La détection d'intrusions est-elle morte en 2003 ? (Éric Gingras)La détection d'intrusions est-elle morte en 2003 ? (Éric Gingras)
La détection d'intrusions est-elle morte en 2003 ? (Éric Gingras)
 
Responsabilisation des données confidentielles en entreprise (Étienne Dubreuil)
Responsabilisation des données confidentielles en entreprise (Étienne Dubreuil)Responsabilisation des données confidentielles en entreprise (Étienne Dubreuil)
Responsabilisation des données confidentielles en entreprise (Étienne Dubreuil)
 
Le GPU à la rescousse du CPU (Charles Demers-Tremblay)
Le GPU à la rescousse du CPU (Charles Demers-Tremblay)Le GPU à la rescousse du CPU (Charles Demers-Tremblay)
Le GPU à la rescousse du CPU (Charles Demers-Tremblay)
 
802.1X filaire, un monde idéal illusoire? (Olivier Bilodeau)
802.1X filaire, un monde idéal illusoire? (Olivier Bilodeau)802.1X filaire, un monde idéal illusoire? (Olivier Bilodeau)
802.1X filaire, un monde idéal illusoire? (Olivier Bilodeau)
 

Dernier

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 

Dernier (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 

Broken by design (Danny Fullerton)

  • 1. Something's wrong. So much computers compromised, so much in botnets, so much stolen credit cards, everyday sees more zero-days and weakens our posture. We‟re still relying on reactive technology such as anti- virus which can‟t keep up with the threat. Do you feel safe after installing the latest security patch? I don‟t, not anymore. It‟s a chase between us trying to keep up with vulnerabilities. We still heavily rely on too much reaction and too little prevention. We are playing mouse and cat. I believe we are doing something wrong. I believe we have to change the way we do security. At this point I feel like we are loosing the battle.
  • 2. The fact is: it‟s really hard to write secure software. It‟s hard to justify in the first place and it‟s really hard to get right. It‟s been like that since the beginning and nothing has changed. The question is « what do we do about it? »
  • 3. … we use isolation. Those rectangles represent the code of an application. The blue part is sensitive code which, as an example, might be used to administer the application. At the left, any bug would compromise the entire application while at the right, the sensitive code is isolated. Thereof, the application on the right is much easier to secure. You can put your « limited » effort/time in securing this part instead of the entire picture. « Security by Correctness » is highly dependent on size and simplicity. In that sense « Security by Isolation » is a great complement to it.
  • 4. Architecture (ia32, amd64): ● At first, we tried isolation. The goal was to build a deep Isolation (3 layer) between untrusted code and the kernel. ● Obviouly it dind‟t work as intended and there is a good reason for this: performance issues, complexity issues. ● The end result? Current OS security model (unix/linux/windows/macosx) are highly dependent on « Security by Correctness ». Any bug in drivers, services or the kernel is a major issue. ● Don‟t get me wrong, « Security by Correctness » is an important aspect of security but it should not be used at this magnitude.
  • 5. On the server, we do have some tools but the problem? It‟s still not defacto. Most company does not use this. It‟s not available by default, requires custom setup (AIX, HPUX,Solaris, Redhat, most Linux). Still loads of commercial « enterprise » application require administrator/root privilege. On the workstation side it‟s a lot worst. Every software you download and run get access to everything you have. I remember seeing some notice such as « don‟t run Xchat under root privilege »… yeah right, like root had more to protect then I do: everything I need to protect, all my documents are owned by me, not root. On android each app runs in a different context and have different rights. This is a great start, but still not perfect.
  • 6. Nothing new for any security guy but I think this one really show how deeply our system architecture is broken. If I hook a Firewire cable from my laptop to yours, I get direct access to your entire system memory which mean I can unlock your screen, inject a rootkit or whatever. It‟s game over. BTW, a PoC is available. Shouldn't the network card be limited to the network driver memory space?
  • 8. I believe Qubes OS should have a lot more attention from the community. This is one model which really has the ability to bring our workstation to a new level. In order to understand QubesOS you have to free your mind about what you used to think when we say Virtual Machine. We are not talking about VMware server/ESX here. We‟re talking about running multiple environments isolated from each other. Disposable VM: An environment where you don‟t care being vulnerable and compromised. You have no personal info in this VM and each time you close the window, everything is restored. Net VM: Your network stack get compromised? No big deal, it‟s isolated! Storage VM…
  • 9. The different window border colors identifies the different VMs. In this model the VM running my MP3 player wouldn't have access to my financial reports. The PDF I just downloaded from an untrusted website could be open in a Disposable VM. If the PDF was malicious it wouldn't have access to anything interesting and the malware would vanish as soon as I close it.
  • 10. This is a really big project which will radically change the way we do security. [explain (Intel, IBM, HP, AMD, etc), VT-d/IOMMU] It‟s very different from other security measures: it‟s hardware supported. TXT aka « lagrande » is the Intel implementation of Trusted Computing. Measurements: ability to determine which environment is running (bios, bootloader, os, etc) in a secure manner. Sealed storage: Unlock data only when a specific environment is running. For more info a highly recommend reading: Dynamics of Trusted Computing- A Building block approach from David Grawrock Intel Senior Principal Engineer and Security Architect.
  • 11. Here‟s a really simple use case which uses some trusted computing mechanism. Trusted computing is a tool and can be used in different ways and this is only a simple example of what can be done. In this example, the principle is to send a validation request to a trusted environment which is isolated (and can be small and simple) and can be verified (audited).
  • 12. On the left we have a standard operating system, let‟s say Windows or Linux with Firefox. On the right side, we have a very limited protected operating system. Protected means protected by TXT. Therefor, it would not be affected by the Firewire (DMA) attack I talked about or whatever else. At the bottom we have a VMM/Hypervisor using TXT too. The VMM and the limited OS are very small and simple software in which we can have a high level of trust (tested/audited).
  • 13. An XML confirmation request is created and sent to the protected system which displays a confirmation message to user using a “trusted output”: « Ready to buy this item for 45$? ». The user accepts or denies the confirmation request using “trusted input”. Both “trusted input and trusted output” are paths which cannot be manipulated by the Standard partition.
  • 14. If the user accepts, the applet asks the TPM to sign the request with sealed « user‟s ebay key ». Since the key is sealed, the TPM will take measurements of the current system and evaluate if the required environment is loaded before signing the request. This measurement process is done by the hardware and it validates every piece of software running (VMM, Limited OS, Applet). This process ensures the confirmation has been done in a trusted state. No malware, no standard partition, no rootkit can interfere. This is an excellent demonstration of « security by isolation » and « security by correctness » in the right place (small and simple). I believe this is a better way of getting real security.
  • 15. Ok, let‟s get on something else. The technical stuff is always the easy part in Enterprise. The biggest problem is never on the technical side. It‟s always, `the Enterprise` itself: paperwork, political issues and so on. We, the security community, have been putting all our focus on technical stuff and I believe we‟ve been overlooking an important aspect for too long: Security is a Process (Bruce Schneier) nothing else; but what kind of efforts are we putting into getting this process done correctly??!
  • 16. ISO and NIST are fine but they are audit oriented and they do not tell you how to build this „security process‟. They tell you what you should be doing. Nothing else. The « how » part is somehow missing. At this date, I consider we apply security in a ad-hoc fashion. It is still badly understood and badly implemented in Enterprise. We have no way to measure our posture. Any new security effort, let‟s say a new antivirus, could actually weaken our security posture and we couldn‟t know. At the end of the project we would congratulate ourselves for the good work we *think* we just did. After all this new antivirus sale pitch was promoting a 60% higher rate of detection! What they weren't telling us is that they detected a lot more, but their quarantine functionality sucked. Would you see the increase in workstation reinstallation due to malware infection?
  • 17. Now we‟re asked to use external services/infrastructures (clouds) while we have absolutely no clue how they manage security. How can we trust a 3rd party? Does it has something to do with reputation? What processes do they have in place? I want some proof!!!
  • 18. The community has been putting not much effort on getting those processes right. In enterprise it‟s always a question of getting a global picture and putting our energy/money on what requires it the most. I believe Enterprise security should be just like a game. We should be able to see our score and find out if we did better then the previous months. But the problem is that we don‟t have any *metrics*. We‟re blind.
  • 19. The idea we had is to build a security standard as we do « Test-Driven Development ». A standard which would take form depending on what you *really* put in place (measured). A standard which is brought alive instead of being an ideal we fantasize about. Let‟s say: all interactive access must be strong (2- factor, encrypted, strong password (8 char). The standard would test and ensure telnet/ftp are disabled, pam require 8 char password and 2-factor authentication. The software is no magic, he won‟t do security for you but will help you getting a structure and better visibility. It is presently develop in Ruby on Rails 3 while probe/agent are written in mostly any language.
  • 20. Some are manual controls, some are automated. What if we could see exactly how we score. Example: Instead of saying we patch high vulnerability within 2 weeks, speak the truth and get some metrics! SDLC: Each time you deploy a new software. Depending on the classification it would require your developer to comply to the standard: peer review, threat modeling, vulnerability testing, penetration testing with proof and approval.
  • 21. What type of controls do we most have in place? (Preventive? Detective? Reactive? Etc.) How mature are we within each process? (patch management CMM 2) Process coverage: what part of my policy do I cover with tests? (Oh I have very few test on “physical access management”!) What security domain do I neglect? (Hum, we have no controls on the “human resource background check”) All of this is be address by this “live security standard”.
  • 22. In the next few months, Mantor will be providing a DNSSEC management service. Since this a security product, I don‟t get to see how people would let us manage their DNS record without trusting us. They need to known what we do from a security standpoint… Well, that‟s what we‟ll do. We‟ll use the « live security standard » application to provide insight into how we manage and maintain the security of our infrastructure (2011).
  • 23. At the end, if we leverage « security by isolation » to use « security by correctness » at the right place and we work on getting metrics out of our « security processes », I believe we will bring information system security to a all new level.