30 years living a happy life
Breaking Systems, Chasing Bad Guys, and Helping People Understand Internet Security
About.me/jhc
Jonathan Care
@arashiyama
http://www.linkedin.com/in/computercrime
What makes you happy?
Highlights and lowlights
Helped build one of the first Internet backbones
Set up my own ISP from scratch (just add £2M…)
Investigated numerous breaches in conjunction with major tech vendors and law enforcement
Expert witness testimony
Cryptographic design for UK Government
Discovered the iOS “location.consolidated” bug
Dot.com millionaire!
Risk research for a large credit card company
CHECK accredited penetration tester
PCI DSS auditor
Where did I get started?
What have I observed?
Real Statistics?
Real reality
Regrettably the percentage of organisations reporting computer intrusions has continued to decline. The key reason given… was the fear of negative publicity. As a consequence this has resulted in a belief that the threat and impact has also been gravely underestimated – Metropolitan Police
If I report this, I am worried what else the police will find – Anonymous IT Director
We don’t handle payments so it doesn’t really matter if our code is secure or not – Web Development firm providing e-commerce (!)
How soon can we start our web server up again? – Compromised Web Merchant
Why commit crimes on the Internet?
Potentially High Financial Gain
Anonymity
Rapid, secure, global communications
Global impact – 1 billion plus users (1 in 6 of the world’s population)
Virtual marketplace – reduced risks of being detected, disrupted or caught
Volatile evidential trail – ISP limited retention of data
Cross Border investigations protracted for law enforcement
And… “Because that’s where the money is” – Willie Sutton
Anonymity? Not really.
Did somebody mention hacking?
Meanwhile …
Wide open webcams?
Oh yeah.
Data Privacy is Dead
Criminals get ongoing access to credit reports
SSNDOB Compromise of KBA and PII at Major Data Brokers
PII data combined with financial records for sale
Serious web-code vulnerabilities compromise sensitive information
Almost 1.5 billion usernames and passwords stolen
* Source: Symantec Internet Security Threat Report 2014
Conclusions
What have I learned?
All software has bugs.
Bugs will be discovered
Some bugs will have a security impact
Product owners continue to value functionality over security
Investors place little value on security and privacy
End users trust vendors
Security is always trumped by convenience – bad design makes bad security
What can we do?
Security architecture landscape
Customer friction: ‘harder is better’ doesn’t keep bad guys out and annoys good guys
Systematic compromise of personal data & credentials
Exceptions; you are only as good as your weakest link!
Enterprises want absolute identity proofing but must live with shades of uncertainty
If you go into InfoSec, remember this…
PREPARE
DETECT
RESPOND
A final thought …
Digital Humanism (don’t be a jerk)
Don’t intrude on personal space
Don’t try and engineer personal intelligence and prerogatives out of the system
Don’t try to maximise machine efficiency at the expense of usability