…. we come in

THE THEATER WE CALL SECURITY
Presented by Evert Smith
21 July 2008
INTRODUCTION

the Breakdown
• what is IS? The light
• what does it take? The Fu

Background
- the person
- the skill
Background
the domains of security

Security Management Practices
Security Architecture and Models
Preventive Maintenance
Application Development Security
Operations Security
Physical Security
Cryptography
Telecommunications, Network, and Internet Security
Business Continuity Planning
Law, Investigations, and Ethics
Security is about C.I.A

Risk drives infosec

Decisions & importance decided by the C.I.A factor

Confidentiality / Integrity / Availability

Examples of C.I.A
- Email interception
- Cheque fraud
- Messy computer room
Why do we have issues? (I’ve been using this for years – cuz it hasn’t changed)

   • Technology becoming more complex → SLOC
   • The Internet not designed to be safe → Redundancy
   • Socio-economical changes → Social networks
   • Rushed, Like Whatever → Time is money

* C++

      #include <iostream>
      int main()
      {
          std::cout << "Hello World!\n";
      }

* C++/CLI

      int main()
      {
          System::Console::WriteLine("Hello World!");
      }

* Assembly

      IDEAL
      MODEL SMALL
      STACK 100h
      DATASEG
      HW DB "hello, world", 13, 10, '$'
      CODESEG
      Begin:
          MOV AX, @data
          MOV DS, AX
          MOV DX, OFFSET HW
          MOV AH, 09H
          INT 21H
          MOV AX, 4C00H
          INT 21H
      END Begin

* awk

      BEGIN { print "Hello World!" }

* Windows API (in Borland Pascal)

      program Hello;
      uses WinTypes, WinProcs;
      const
        szClassName = 'PASCLASS32';
      function WndProc(Window: HWnd; Message, WParam: Word; LParam: Longint): Longint; export;
      var
        LPPaint: TPaintStruct;
        TheDC: HDC;
      begin
        WndProc := 0;
        case Message of
          wm_Destroy:
            begin
              PostQuitMessage(0);
              Exit;
            end;
          wm_Paint:
            begin
              TheDC := BeginPaint(Window, LPPaint);
              TextOut(TheDC, 5, 5, 'hello, world', 12);
            end;
        end;
        WndProc := DefWindowProc(Window, Message, WParam, LParam);
      end;
      procedure WinMain;
      var
        Window: HWnd;
        Message: TMsg;
      const
        WindowClass: TWndClass = (
          style: 0;
          lpfnWndProc: @WndProc;
          cbClsExtra: 0;
          cbWndExtra: 0;
          hInstance: 0;
          hIcon: 0;
          hCursor: 0;
          hbrBackground: 0;
          lpszMenuName: szClassName;
Entropy:

Viruses
Patches
Spam
Phishing / Pharming
Hoaxes
Apathy
Malware/Spyware
Hackers
Are you contributing?
Who is credited as being the father of the Internet?
Arpanet, Vint Cerf, Bob Kahn et al. (1975 TCP/IP)

Who invented the mouse?
Douglas Engelbart (1964)

Who invented e-mail?
Ray Tomlinson (1971)

Who invented the WWW?
Tim Berners-Lee (1988)
Security theater consists of security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security.

Who says nucular?

Security Theater

• Your desk – good defence against nucular attacks

• Airports in the US i.e. Liquid ban, profiling. Gun-shirts

• Shopping malls intensely in your face i.e. Bag checks, guards in gene

• Personal computer security – it’s a joke
Security Theater – the human touch

• Security design is about psychology - ignored and exploited

• The pig vs Security
• Unpatched Windows PCs "Own3d" In Less Than Four Minutes (or Maybe 16 Hours)

• Spammer Gets 30 Months for Inundating AOL

• Charges Against New Zealand Botmaster Dropped

• Rogue Employee Locks San Francisco's Network

• Review site furious over McAfee SiteAdvisor 'false alert‘

• Facebook Bug Exposes Members' Data
#!/bin/bash

# Function to prompt questions from the audience and appear
# to look intelligent

  while [ ! -lt audience.bored ]
  do
    verbose answering of questions
    sleep like forever
  done
  echo "That's All Folks. Thanks for Listening."

….this is where

“It’s a pity you have to pay for awesomeness”

evert@sensepost.com