As the air gap between our daily lives and the Internet continues to shrink, the security of our personal data and devices grows in importance. We are facing the daily threat of putting 2000s-era computers bolted to toasters online while expecting them to defend against 2017-capable attackers. This talk will explore the continuing trend of IoT, discuss how we’ve been here before, and lay out strategies for keeping pace with attackers in the future. It will focus on enumerating this risk, discuss the challenges involved, and explore solutions.
First, we will examine the history of how we got here, and what it means to say “security is a snapshot in time.” We then introduce the idea of shared ken – the range of one’s knowledge or sight – and how it impacts security. Third, we discuss the influence of data as code, the meta game, and secrecy as a way of mastering impact and ken.
This talk will allow attendees to walk away with:
A holistic view of the history of computer security and how it impacts them today
The importance of extending the range of collective vision to reduce blind spots
Practical advice for BSiders to grow their mindset and improve their impact
Adam is a founding partner and Chief Executive Officer at Deja vu Security. He is dedicated to the leadership and relentless innovation in Deja’s products and services. Previously he has led teams conducting application and hardware penetration tests for Fortune 500 technology firms. Adam is a contributing author to multiple security books, benchmarks, tools, and DARPA research projects. Adam holds a degree in Computer Science and a Masters from Carnegie Mellon University in Information Networking.
Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX 2017
1. SECURITY IS A SNAPSHOT IN TIME -
SO HOW DO WE KEEP UP?
Adam Cecchetti
Deja vu Security
2. Hello!
Adam Cecchetti
Deja vu Security : Founder, CEO
Peach Tech : Co-Founder, Chairman
CMU : M.S. Information Networking
3. Deja vu Security
Seattle based operating since 2010
100s of App and Hardware assessments
Web, IoT, Cryptocurrency, Infrastructure, etc
Training of developers, engineers, and teams to
better understand modern threats.
7. Deja vu. Deja vu. Deja vu. Deja vu.
Networks
Applications
Web
Cloud
Internet of Things (IoT)
“The tubes are on fire!”
“The desktop is on fire!”
“The world is on fire!”
“The sky is on fire!”
“Your pants are on fire!”
8. The Problem is Big
The first step to recovery is the hardest.
Awareness is good, but it doesn’t cure cancer.
Security issues must be found they can’t be created.
Inherited, passed down the software genepool.
Plentiful, defense helps but we kick over more rocks.
Random, the future is asymmetrically secured.
Polymorphic, the tools we use to build systems are
security issues.
We are going to have to start thinking differently.
10. Tick, Tock.
Data movement is a cadence to how we’ve built things.
Echoes, the ghosts of usage models past.
We leave data and code everywhere users go.
User data replicates every decade or so.
[Timeline figure, t on the horizontal axis, Centralized vs. Distributed on the vertical: 70’s Mainframe, 80’s PC, 90’s Web/Email, 00’s Social Networks, 2010 Cloud, 2020 IoT, 2030 Internet of Me]
11. Security is a Snapshot in Time
Security is a snapshot in time.
Tomorrow is a new day full of drama on Twitter!
Today is a great day to deprecate a system.
Move user data to a safer and better place.
Hackers are unstoppable in 1995.
The closer the temporal snapshot to 1995 the better for hackers.
The person building the system decides the snapshot that is
taken.
Protocols from 1995
Libraries from 2006
Binaries from 2014
A Linux build from 2016
12. 199X
No memory defense (NX, ASLR, StackCookies,etc)
No patching system or focus on security patches
Little to no security awareness
Default passwords, services, attack surface
Closer the clock is to 1995 the stronger the hackers
17. Computers are Awesome!
They don’t LET you do anything.
They DO anything!
And only things you tell them
CPU: AMMA that’s about Machine code to Microcode
Good luck with the rest! That’s not what I do!
General computation is good however it means:
No reliability, no availability, no security.
This includes anything we build.
Complexity leads to side effects, and exploitation is
programming with side effects.
19. We Are at an Odd Juncture
Mobile is eating all markets just like the PC did.
User habits are changing, again.
Web ate the rest of the world.
User data flows in new directions
And lingers in the eddies.
And for those of us left that still care about general
computation we have to run unknown kernel and
firmware exploits to program our phones.
21. “Stop Putting Things on the Internet”
You might as well tell water to stop being wet.
It is free to put another computer on the Internet
Putting a Pentium Pro
in anything is free
In 4 years putting an
iPhone 1 in everything
is free. Why?
Inverse of Moore’s law
24. Free Pentium Pro for Every Dishwasher
[Chart titled “Inverse of Moore’s Law”: price in dollars, $0 to $1,200, plotted from 1995 to 2022]
Putting a $1000 Pentium from 1995 in a dishwasher is free, today and every day in the future.
25. Everything is an iPhone in the near future.
[Chart: price of a 1st Gen iPhone’s worth of transistors, $0 to $600, plotted from 2007 to 2022]
Adding a 1st Gen iPhone worth of transistors to everything: $4 in 2018, free in 2022
Phrased another way adding Wifi, GSM, Bluetooth, GPU, CPU, storage, & sound to
everything is free in 2022.
26. The Internet Finally Showed Up!
The amount of air gap between our lives and the
Internet is shrinking daily.
Soon it will be gone. Good Riddance! Plug me in!
Unless you have decided to live in a cave.
And in another tick tock there’s still a chance it will have IP
enabled bat guano.
Technology is awesome!
In 5 years my self driving car will live stream.
Localized live traffic video broadcasting and viewing is
going to be a thing.
There are going to be people sitting in traffic watching
other people sit in traffic around the world.
28. Be Still My Beating Heart
The Internet of Me is coming soon
I can’t wait until my heart has an IP address
And firmware updates
And an app store to monetize!
Cardio Trainer+ 4.0
Now with Twitter Integration!
Cardio Trainer+ 4.0.1
Pushed a patch as some users were excessively twitching while
Tweeting.
Move fast and break things is not what I want for IP
addressable organs.
29. Everybody Bugs
Bugs happen.
They happen to the best.
They happen to the worst.
Imperfection is the proof of life and existence.
Mistakes are proof you actually did something.
Keep building a better future one mistake at a time
31. Start with Details
“The buffer can overflow causing a corruption of
the pointer which in turn is referenced by the vtable
to cause code to jump to a known location as a
result of ASLR being not compiled into a supporting
DLL”
“The password is P@ssw0rd!”
“User A can access the details of User B”
34. Helping People Understand w/Impact
The user’s bank account can be drained.
One person cares.
The company can no longer perform transactions.
The entire company cares.
The car performs a J-turn at 60 mph during rush hour
1 news cycle.
The plane crashes
2 news cycles, 4 if they can’t find the plane.
The pacemaker stops and kills the user.
2 Federal Agencies + n pacemaker users care.
The power plant explodes.
People care until the lights come back on.
37. Ken
Ken /ken/ noun
“one's range of knowledge or sight”
“know”
How far you see.
How wide or narrow your focus is.
How much you understand.
How far someone else can see, focus, and understand.
42. Ken
Their Ken: I need to move 14,000 planes a day
with 300 people in them each or the global
economy stops.
My Ken: Planes can move in ways you don’t intend if
you connect them to the Internet, might even crash.
Their Ken: Customers don’t like to crash.
My Ken: Fewer planes move if they crash.
Our Ken: Let’s make new planes that are easier to
move and safer.
44. Ken
Accepting WE > I
Knowing the range of my knowledge and vision
enables me to spend our time better.
Knowing how to better understand the range of
another’s vision helps us get to shared impact faster.
Then we can start sharing details.
46. Test for Echo
You have lost if:
All you are hearing is your own words come back.
Things you already know.
Shared exchange of ken is shared extension.
In turn it is shared vulnerability.
Sustained echo is at best rapid construction of a
chamber.
On a more than decade time scale it is slow death.
47. Details: Our Three Wins
Firewalls
Encryption
Two Factor Authentication
48. Impact: Three Extensions of Ken
Firewalls
I don’t want to run Ethernet cable in my house.
Wifi + Firewall = Win!
Encryption
I can’t make it to the bank or store today.
I need to work from home.
Commerce from home + encrypted tunnel = Win!
Two Factor Authentication
I don’t want to re-grind my character.
World of Warcraft = Win!
49. Ken: When Have We Won?
We’ve won the same way everyone else has.
When we’ve made someone’s life better they
adopted a technology.
It happened to be more secure because we spent years
working on the details.
If we want to get pedantic we used Trojan horses to
backdoor security into people’s lives.
Applying security to a shift in user behavior.
This is better!
We defined that part of being better was more secure!
50. Ken: The users
Want to do the thing and will always want to do the
thing.
Help the user keep doing the thing they want to do.
51. So how do we keep up?
Details
Impact
Ken
53. Bug: #1 Data as Code
What do Cross Site Scripting, SQL Injection, and
Buffer Overflows all have in common?
They are all data being interpreted as code.
Any place that user- or machine-controlled data is being
used, interpreted, or parsed, a security issue awaits.
This is big enough to master that you can spend
multiple lifetimes right here.
We’ve actually started to make steps towards fixing
this problem in some places.
54. Bug: #2 Gamers are Going to Game
Logical Issues require someone to game the system
Must try and understand all the unexpected behavior
of the logic of the system.
Few good ways of automated testing here
The Meta Game
Attackers will continue to go for the weakest link
Hint: It’s in 1995
Unless the time vs. reward scenario is high
or the motivation vs. reward scenario is super high
55. Bug: #3 The Secret Isn’t Secret
Password1!
Upper Lower, Numeric, Special!
Secure by most IT and Web policy!
" Or '1'='1'; --
Upper, Lower, Numeric, Special!
No key words!
16 characters!
Secure!
If not bad word jumbles, then bits generated by a
machine and given back to a machine!
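The “data interpreted as code” point of slide 53 and the 16-character “password” of slide 55 together, as an added example that is not part of the talk: a constructed SQLite users table, a lookup that splices the input into the SQL text beside the parameterized form, and the composition check the slide mocks. The injection string is the slide’s, written with a single quote to match the query’s delimiter; the table, user names and stored password are constructed.

```python
import sqlite3


def make_db():
    """Constructed sample table (not from the talk): one user with a policy-compliant password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'P@ssw0rd!')")
    return db


def login_concat(db, name, password):
    """Vulnerable form: user data is spliced into the SQL text, so the parser treats it as code.

    With password = "' Or '1'='1'; --" the WHERE clause becomes
    name = 'bob' AND password = '' Or '1'='1' followed by a comment, which is true for every row.
    """
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return db.execute(sql).fetchone() is not None


def login_param(db, name, password):
    """Hardened form: the statement text is fixed; values travel as bound parameters and are
    compared as data, never re-parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone() is not None


def passes_complexity_policy(pw):
    """The upper/lower/numeric/special rule the slide mocks. It measures composition, not
    secrecy: both 'Password1!' and the injection string satisfy it."""
    has_classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= 8 and all(has_classes)


if __name__ == "__main__":
    db = make_db()
    injection = "' Or '1'='1'; --"
    # Constructed user 'bob' does not exist, yet the concatenated query lets him in.
    print("concat:", login_concat(db, "bob", injection))   # True
    print("param: ", login_param(db, "bob", injection))    # False
    print("policy:", passes_complexity_policy(injection))  # True
```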
56. Bug: #4 The thing is in the wrong place
What is this?
Wait, why is this here?
This shouldn’t be here!
OMG WHY IS THIS HERE
System, person, information in the wrong place.
Sensitive data management
Asset management
Physical Pen Tests
Etc
57. To Master Impact
See the system as a graph of lists sorted by time.
Know what matters in the system.
Use the details to break the system.
When the system will not break change the game.
61. To Master Ken
Know yourself and share ideas and creations.
Ask to know and understand others.
Use impacts to connect yourself to others faster.
Seek the patterns that allow you to extend your vision
and knowledge.
Use details to demonstrate impacts
Never start with details
62. To Master Ken
In cooperation:
Use your ken to help others see what they cannot.
Ask to be shown what you cannot see.
In conflict:
Find the blind spots.
Where someone is blind they cannot defend.
64. Ken: Test for Echo
Step out of the echo chamber from time to time.
Find people who have problems in different
industries you’ll never have.
Listen to them.
See how much you can share, but more importantly
see what comes back when you do.
65. So How To Keep Up?
Understand what snapshot you need to take (Ken)
and how often you need to take it (Impact). Then
start to secure it by building tomorrow (Details).
Let the past go when you can.
Pull out the oldest versions when you can
Build a better tomorrow and ask people to help you
convince others to adopt it.
Ask yourself: do you want to keep clawing away
from 1995 or start building a better 2020?
66. Takeaways
Security is a snapshot in time
That snapshot is part ken, impact, and details.
Building a better tomorrow can build a more secure
tomorrow.
Building a better tomorrow requires more than
details and impact.
It requires understanding of your own ken to start.
I hope this talk has extended yours.