30 years living a happy life Breaking Systems, Chasing Bad Guys, and Helping People Understand Internet Security


Page 1: 30 years living a happy life - Breaking Systems, Chasing Bad Guys and Teaching People about Internet Security

30 years living a happy life

Breaking Systems, Chasing Bad Guys, and Helping People Understand Internet Security

Page 2

About.me/jhc

Jonathan Care

@arashiyama

http://www.linkedin.com/in/computercrime

Page 3

What makes you happy?

Page 4

Highlights and lowlights

Helped build one of the first Internet backbones

Set up my own ISP from scratch (just add £2M…)

Investigated numerous breaches in conjunction with major tech vendors and law enforcement

Expert witness testimony

Cryptographic design for UK Government

Discovered the iOS “location.consolidated” bug

Dot.com millionaire!

Risk research for a large credit card company

CHECK accredited penetration tester

PCI DSS auditor

Page 5

Where did I get started?

Page 6

Page 7

What have I observed?

Page 8

Real Statistics?

Page 9

Real reality

Regrettably the percentage of organisations reporting computer intrusions has continued to decline. The key reason given… was the fear of negative publicity. As a consequence this has resulted in a belief that the threat and impact has also been gravely underestimated – Metropolitan Police

If I report this, I am worried what else the police will find – Anonymous IT Director

We don’t handle payments so it doesn’t really matter if our code is secure or not – Web Development firm providing e-commerce (!)

How soon can we start our web server up again? – Compromised Web Merchant

Page 10

Why commit crimes on the Internet?

Potentially High Financial Gain

Anonymity

Rapid, secure, global communications

Global impact – 1 billion plus users (1 in 6 of the world’s population)

Virtual marketplace – reduced risks of being detected, disrupted or caught

Volatile evidential trail – ISP limited retention of data

Cross Border investigations protracted for law enforcement

And… “Because that’s where the money is” – Willie Sutton

Page 11

Anonymity? Not really.

Page 12

Did somebody mention hacking?

Page 13

Page 14

Meanwhile …

Page 15

Page 16

Wide open webcams?

Page 17

Oh yeah.

Page 18

Data Privacy is Dead

Criminals get ongoing access to credit reports

SSNDOB Compromise of KBA and PII at Major Data Brokers

PII data combined with financial records for sale

Serious web-code vulnerabilities compromise sensitive information

Almost 1.5 billion usernames and passwords stolen

*Source: Symantec Internet Security Threat Report 2014

Page 19

Conclusions

Page 20

What have I learned?

All software has bugs.

Bugs will be discovered

Some bugs will have a security impact

Product owners continue to value functionality over security

Investors place little value on security and privacy

End users trust vendors

Security is always trumped by convenience – bad design makes bad security

Page 21

What can we do?

Page 22

Security architecture landscape

Customer friction: ‘harder is better’ doesn’t keep bad guys out and annoys good guys

Systematic compromise of personal data & credentials

Exceptions; you are only as good as your weakest link!

Enterprises want absolute identity proofing but must live with shades of uncertainty

Page 23

If you go into InfoSec, remember this…

PREPARE

DETECT

RESPOND

Page 24

A final thought …

Page 25

Digital Humanism (don’t be a jerk)

Don’t intrude on personal space

Don’t try to engineer personal intelligence and prerogatives out of the system

Don’t try to maximise machine efficiency at the expense of usability

Page 26