Security for Digital Companies 
Observations, lessons, and advice from a hacker 
Presented by Justin Bull! 
September 9th, 2014
Who am I
• Justin Bull
• Software developer at
• Security nutbar
• Ethically curious
• @f3ndot on Twitter
Outline 
• Canada Revenue Agency: A Case Study 
• Responsible disclosure 
• Security 101 for a digital company 
• Q & A, time permitting
“Everything is broken.”
–Quinn Norton, 2014
It's all about risk management & incident response
Canada Revenue Agency:
A case study (a tale of woe)
Think of the word “Government”
What comes to mind?
• Slow
• Inefficient
• Lots of red tape
• Bureaucratic
Yeah… 
We have a problem
The Heartbleed bug affected 17.5% of all website servers.
–Netcraft, 2014
That’s around half a 
million websites 
–Netcraft, 2014
Who was affected
• My personal servers
• Banks
• Almost every single digital company
• …and the Government of Canada
Was CRA self-aware?
Nope. FAIL
Could CRA be notified?
Nope, nope, nope! FAIL
Was CRA at least quick when they did know?
Sorta, not really. FAIL
We all know about the 900 SINs.
But were there other attacks?
We will never know.
What could CRA have done?
• Have a competent security officer or sysadmin
• Inter-department cooperation with CSEC (they knew 1 day before Heartbleed went public)
• A way for people to tell them security issues
• Be quick!
“We don’t have time or money to think about 
security right now.” 
–Almost any company
Responsible Disclosure 
The bare minimum for security
Responsible Disclosure
• Officially allows users/hackers/researchers to contact you about security issues
• Basically just a webpage
• Cheapest security investment you can make*
*depending who you talk to
Who has a RD policy?
• Microsoft
• GitHub
• Apple
• Tesla Motors… Yes, really
Danger, Will Robinson!
It’s surprisingly hard to get right.
You need to set up proper encryption and decide on how to communicate with researchers.
Lessons learned
• It’s pesky and time consuming if you have security debt
• Expect a lot of bullshit, entitlement, and comedy (See @CluelessSec)
• Expect to be humbled
Responsible Disclosure: you should have it
The bare minimum:
• Offer no reward or swag
• Tell people what’s acceptable, what’s not
• Provide a special email or a direct phone number
Security 101 for Digital Companies 
aka “How to not get hacked within a year”*
* no promises 
Encrypt your passwords!
No excuses. None.
Encrypt your passwords!
The consequences
• Domino effect with other customers’ accounts
• Permanent black mark on your company record
• You could be sued. Maybe even class-action
• It’s so cheap and easy to do now. Why not?
Encrypt your passwords!
But, don’t roll your own crypto
• MD5, SHA1, etc. were not designed for passwords
• Use a password hashing library for your language
• It should use bcrypt, scrypt, PBKDF2, or an algorithm designed for passwords
• You want it to be slow to hash, maybe 1 second
Wat.
You want something to run slowly?
Why on earth…?
It’s a numbers game 
Make it expensive for attackers to brute force your 
passwords 
–Colin Percival (scrypt), 2009
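The slides say “encrypt”, but the technique they describe is salted, deliberately slow password hashing. This is an added example (not code from the talk) of the “use PBKDF2, make it slow, maybe 1 second” advice using Python's standard-library `hashlib.pbkdf2_hmac`: a self-describing record format so the work factor can be raised later, constant-time verification, a `needs_rehash` check for records hashed under an older policy, a calibration routine for the iteration count, and a measurement of how many fewer guesses per second an attacker gets compared with bare SHA-1. The constants (`PRF`, `SALT_BYTES`, `KEY_BYTES`, `SCHEME`) are assumptions for the example; in production, prefer your language's maintained password-hashing library and calibrate the cost on the hardware that will run it.

```python
import base64
import hashlib
import hmac
import os
import time

# Assumed policy values for this example (not from the slides).
PRF = "sha256"          # PBKDF2's inner hash; the iteration count is what makes it slow
SALT_BYTES = 16         # a fresh random salt per password defeats precomputed tables
KEY_BYTES = 32
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, iterations: int) -> str:
    """Return a self-describing record "scheme$iterations$salt$hash" so the
    iteration count can be raised later without invalidating existing logins."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations,
                             dklen=KEY_BYTES)
    return "$".join([SCHEME, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and iteration count and
    compare in constant time. Malformed records verify as False, never raise."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except (ValueError, TypeError):
        return False
    if iterations < 1 or len(expected) != KEY_BYTES:
        return False
    candidate = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations,
                                    dklen=KEY_BYTES)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, current_iterations: int) -> bool:
    """True when a stored record is weaker than today's policy. Call it right
    after a successful login and re-hash with the plaintext you just verified."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < current_iterations
    except ValueError:
        return True


def calibrate_iterations(target_seconds: float = 1.0, start: int = 10_000) -> int:
    """Find an iteration count that makes one hash take about target_seconds on
    this machine. Re-run at deploy time: hardware gets faster, so the count must grow."""
    iterations = start
    salt = os.urandom(SALT_BYTES)
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac(PRF, b"calibration-only", salt, iterations, dklen=KEY_BYTES)
        elapsed = time.perf_counter() - t0
        if elapsed >= target_seconds:
            return iterations
        if elapsed > 0 and target_seconds / elapsed < 2:
            # Close enough: scale linearly instead of doubling past the target.
            return int(iterations * target_seconds / elapsed)
        iterations *= 2


def guesses_per_second(hash_once, seconds: float = 0.1) -> float:
    """Count how many times hash_once() runs in `seconds`: an attacker's guess rate
    on this CPU (always at least one call, so the result is never zero)."""
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_once()
        count += 1
    return count / seconds


def slowdown_factor(iterations: int, seconds: float = 0.1) -> float:
    """How many times fewer guesses per second PBKDF2 allows than bare SHA-1:
    the "numbers game" from the slides, measured rather than asserted."""
    salt = os.urandom(SALT_BYTES)
    fast = guesses_per_second(lambda: hashlib.sha1(b"guess").digest(), seconds)
    slow = guesses_per_second(
        lambda: hashlib.pbkdf2_hmac(PRF, b"guess", salt, iterations, dklen=KEY_BYTES),
        seconds)
    return fast / slow
```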
Password Specifics
• You’re gonna encrypt ‘em, right?
• Enforce password minimums (min. 8 chars, etc.)
• Expire a login after 8 hours? a day? 2 months?
• Changing/resetting password patterns
• Beware of bad security questions! See goodsecurityquestions.com
Lock ‘em out. 
Guessed wrong too many times? 
Wait 5 minutes, or longer.
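A per-account lockout implementing the “guessed wrong too many times? wait 5 minutes, or longer” rule above, as an added example (not code from the talk). The thresholds (`MAX_ATTEMPTS`, `BASE_LOCKOUT_SECONDS`, `WINDOW_SECONDS`) and the doubling escalation are assumptions; the clock is injectable so the behaviour can be tested without waiting.

```python
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumed policy values for this example (the slides only say "5 minutes, or longer").
MAX_ATTEMPTS = 5              # wrong guesses allowed before a lockout
BASE_LOCKOUT_SECONDS = 300    # first lockout waits 5 minutes
WINDOW_SECONDS = 900          # failures older than this no longer count


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent wrong guesses
    locked_until: float = 0.0
    lockouts: int = 0   # consecutive lockouts; drives the "or longer" escalation


class LoginThrottle:
    """After MAX_ATTEMPTS wrong guesses inside WINDOW_SECONDS, refuse every login
    for the account for a period that doubles with each consecutive lockout."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock   # injectable so tests can advance time deterministically
        self.accounts: Dict[str, AccountState] = defaultdict(AccountState)

    def seconds_until_unlocked(self, username: str) -> float:
        return max(0.0, self.accounts[username].locked_until - self.clock())

    def attempt(self, username: str, password: str,
                verify: Callable[[str, str], bool]) -> str:
        """Returns 'ok', 'failed' or 'locked'. The password is not checked at all
        while the account is locked, so the reply leaks nothing about it."""
        now = self.clock()
        state = self.accounts[username]
        if now < state.locked_until:
            return "locked"
        if verify(username, password):
            state.failures.clear()
            state.lockouts = 0
            return "ok"
        # Forget stale failures, then record this one.
        state.failures = [t for t in state.failures if now - t < WINDOW_SECONDS]
        state.failures.append(now)
        if len(state.failures) >= MAX_ATTEMPTS:
            state.lockouts += 1
            state.locked_until = now + BASE_LOCKOUT_SECONDS * (2 ** (state.lockouts - 1))
            state.failures.clear()
            return "locked"
        return "failed"
```

Because an attacker who knows a username can trigger lockouts on purpose, pair this with per-source-address throttling and alerting on repeated lockouts rather than relying on it alone.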
SSL/TLS
aka
HTTPS
Why SSL/TLS, no matter what?
• Foreign & domestic governments
• Them nasty hackers
• Even that “innocent” person at the café
• Your competitor?
• Users find comfort in green padlocks…
Get Auth & Auth Right!
• Research latest Authorization & Authentication practices or libraries
• The most common languages or frameworks already have libraries available
• A rock solid login mechanism is your foundation
Have multi-level access?
Guest, User, Moderator, Admin?
Research or build ACL into foundations of your code.
Got money, but no time?
Don’t know how screwed you are?
Hire a pen tester!
Beware the snakeoil.
OWASP Top 10
• Get every dev into it, until they dream about it
• Covers most common & most dangerous web app security issues (XSS, CSRF, SQLi, etc.)
• Print out OWASP’s guide books too. (They’re tomes, but good desk references)
Operational Security
• Don’t email passwords
• Don’t email passwords
• Use a password management application
✦ 1Password
✦ KeePass
✦ LastPass
Hell, even use sticky notes. Just don’t email passwords.
Some security is about 
good PR…
Public Relations
• Got social? Use it.
• Got blog? Use it.
• Got email base? Use it.
• Got media attention? Use it.
See a pattern?
Public Relations
• Give the facts & truth
• Try not to spin too much
• Transparency & honesty are key
Do it right, and you might escape unscathed
That’s all folks!
This presentation is a Creative Commons Attribution–ShareAlike 4.0 International licensed work.
Questions?
Credits
• “Anonymous Hacker” by Brian Klug (CC BY-NC 2.0) (Slide 1, 43) 
• “Heartbleed” by Leena Snidate/Codenomicon (CC0 1.0) (Slide 9) 
• “The Secret” by Cedward Brice (CC BY-NC 2.0) (Slide 24) 
• “Pure Mathematics” by Ed Brambley (CC BY-SA 2.0) (Slide 31) 
• “Widget, confused as ever” by Anna Pickard (CC BY-NC-SA 2.0) (Slide 36, 37) 
• “The Big E Day 2 2011” by RustyClark (CC BY 2.0) (Slide 40) 
• “EFF version of NSA logo” by EFF (CC BY 2.0) (Slide 43) 
• “Bryant Park, Nov 2009 - 52” by Ed Yourdon (CC BY 2.0) (Slide 43) 
• “Owasp logo” by OWASP (CC BY-SA 3.0) (Slide 47, 48) 
• “Day 342 - Hacker” by Christophe Verdier (CC BY-NC 2.0) (Slide 54) 
• “Question Box” by Raymond Bryson (CC BY 2.0) (Slide 55)
