You read that a simple trojan can bring down the biggest part of local government and people still store clear-text passwords in databases that consequently are stolen with the 10.000s, you would think there is in the world of ICT-security. Despite carloads of marketing-material and a continuous stream of catchy new terminology and technology, old security-attacks still are viable and get a hacker were he wants to go. In a short, to-the-point presentation we will talk about which lessons you should learn from the past and what new challenges lay ahead. This is a practical, technical talk with real-life examples.

1. Nihil novi sub solem?
Security: Past, present and future...
Jan Guldentops ( j@ba.be )
BA N.V. ( http://www.ba.be )

2. My personal story
● Jan Guldentops (° 1973)
● Historian by Education, ICT consultant & researcher by
vocation, security-guy by accident
● Strong background in:
– Open Source / Linux ( since 1993 )
– Research ( BA Testlab )
– Security
● Better Access / BA N.V. (°1996)
● Small team of consultants
● Macguyver, security and infrastructure projects

3. For the record:
I never considered myself a
security-expert...

4. Belgium Online
● 1996 exposed security-problems in the first Belgian
internet-bank
● Amateurism
– browseable cgi-bin-dir
– clear-text, downloadable perlscripts
– mainframe userid/password connection
– (internal) documentation downloadable
– debug logging to a browseable directory
– ...
● “experts”
● Built by Netvision ( later Ubizen now Verizon )

5. In security there is often a big
difference between reality and
theory, marketing and sales

6. What did I think in 1996 would be
fixed by Now?

7. User Authentication
● We still mostly use userid/passwords for
authentication
● Strong, tokenbased authentication ?
● Often no centralised user / role management
system
● Bad passwords / usage
● Clear-text storage of userid / passwords
● ...

8. E-mail
● Has become one of the most important forms of
communication...
● BUT
● Nobody encrypts, signs his e-mail
● Still use SMTP with all its problems
● We haven't fundamentally solved the spam-problem
● Often it is a miracle e-mail works at all

9. IPv6
● 1996 we already were running out of ip-
adresses ( “Imminent death of the internet,
episode 3097”)
● Adaption of IPV6 is still pretty marginal
● In Belgian one of the companies developing
smart metering uses IPV4 adresses in the most
recent design!

10. Encryption
● We still don't encrypt everything !
● Disks
● Devices
● Communications
● And if we use encryption we often use it in a
bad, insecure way.
● Basic awareness of how encryption works is
quite rare even with IT-professionals.

11. Secure communications
● We still communicate clear text or use badly
setup encryption!
● No use of third party signed certificates in for
instance web applications
● Man-in-the-middle attacks are still easy to do
● You can still sniff passwords !

12. Amateurism
● Security is in a lot of projects still a side-show
● Even for security orientated companies
● Biggest example is the Diginotar case...

13. The official report :
The successful hack implies that the current network setup and / or procedures at DigiNotar
are not sufficiently secure to prevent this kind of attack.
The most critical servers contain malicious software that can normally be detected by
anti-virus software. The separation of critical components was not functioning or was not in
place. We have strong indications that the CA-servers, although physically very securely
placed in a tempest proof environment, were accessible over the network from the
management LAN.
The network has been severely breached. All CA servers were members of one Windows
domain, which made it possible to access them all using one obtained user/password
combination. The password was not very strong and could easily be brute-forced.
The software installed on the public web servers was outdated and not patched.
No antivirus protection was present on the investigated servers.
An intrusion prevention system is operational. It is not clear at the moment why it didn ‟t block
some of the outside web server attacks. No secure central network logging is in place.

14. Good system administration
● Integrity checks
● For instance host based IDS
● Centralized tamper-proof logging
● Decent password policies
● Automated, regular security-updates
● Etc.

15. Business Continuity
● Correct risk assessment is still a problem
● RTO
● RPO
● Testing and common sense are often forgotten
● We still see major data loss problems on a
regular basis
● RT @JeremiadLee: There’s an assumption that
when you host in the cloud, the datacenter is
well above sea level.

16. Security awareness is incredibly low

17. Operating systems
● Are still not secure
● Not only a problem of the OS anymore but all
the components in it ( java, flash, browsers,
etc.)
● Also a enduser problem :
● e.g. SE Linux everybody turns it off

18. What has been fixed ?

19. Cyber police
● In 1996 there hardly existed anything like a
computer crime unit or a Digitale recherche
● Now there is an infrastructure and professionals
for this.
● But often money is wasted by politicians
● Digitale meldpunten
● Etc.

20. Law itself
● In 1996 there was no law allowing us to
prosecute cybercriminals.
● A whole framework has been put in place.
● But the balance between privacy / civil rights
and the war on cybercrime is always delicate.
● Especially when it concerns copyright.

21. Best practices
There now is a complete framework of best
practices, advisories, trainings, certifications, etc.

22. Other changes

23. M(o)ore
● Moore's law is still working :
● Exponential growth of the available bandwidth
● Computing power
● Globalisation
● Doesn't make it easier
● Encryption can be broken more quickly
● Denial-of-service attacks get more lethal

24. Cloud / Cloud washing
● One million different definitions :
● Private / public / hybride
● SAAS, PAAS, IAAS,
● A lot is marketing blabla and Cloud washing
● But it doesn't change the basic security
paradigm:
● CIA
● Cloud doesn't change the rules !

25. ICT has lost control
● IT / Security manager were always no-men
● In the past they were the ones that are the alfa
and omega of what happens in an enterprise /
organisation
● Is being challenged by :
● Consumerism
● BYOD

26. Mobilisation
● Perimeter has completely disappeared
● Enormous consequences we are still getting to
grasp with :
● Network
● Authentication
● Devices
● Data Leakage
● ...

27. Cyber criminals have organized
● 1996 organized crime was not really big in
cyberspace
● Hackers were mostly cyberpunks
● Now organized crime going for the big money
● Scamming
● Trade and industrial secrets
● Hacking
● Blackmail...

28. Privacy Impact
● We did the “Dave”-project for Febelfin
● Idea is to create awareness to be careful what you post on the
internet
● http://www.youtube.com/watch?v=F7pYHN9iC9I
● 3 factors
● What we give away ourself on social media, blog, etc.
● Open, often governmental data
● What large players (Google, Facebook) do with this data
● One rule: everything you post on the net is public !

29. The future ?
● There is only one security killer product :
common sense, everything is marketing !
● Be critical !
● Standards and frameworks should not be
paper tigers but practical tools.
● Create awareness on every level from the
enduser, over the IT-staff to highest
management level.
● If you go cloud, get legal and real guarantees

30. Questions ?
Jan Guldentops
j@ba.be
Twitter: JanGuldentops