that’s really not the point… haroon meer | charl van der walt sensepost

That’s Really not the Point…haroon meer | charl van der walt

SensePost

2

Who we are• SensePost

• {charl|haroon} @ sensepost.com

• What we do…

• Time…

3

The industry is flooded with

snake-oil

How many blondes does it take to change a lightbulb?

The Question of Incentives

Who is this bad for?

A market for lemonsAn informed

customer is better for everyone

Only one really – the rest is all just marketing…

4

Agenda• Introduction• A very funny joke• This really isn’t the point

– My scanner can beat up your scanner!– We have firewalls!– We have SSL / Encryption!– We have IPS / IDS !– Im safe, I use Vista / OSX / Plan9!– 0i-Wey its 0-Day. First time vulnerability release

• Conclusion.• Questions ?

5

My scanner can beat up your scanner!

Detect security vulnerabilities on your network!!!!!! makes use of of state of the art vulnerability check databases based on OVAL and SANS Top 20, providing over 15,000 vulnerability assessments when your network is scanned. !!!!!! gives you the information and tools you need to perform multi-platform scans across all …

Detect security vulnerabilities on your network!!!!!! makes use of of state of the art vulnerability check databases based on OVAL and SANS Top 20, providing over 15,000 vulnerability assessments when your network is scanned. !!!!!! gives you the information and tools you need to perform multi-platform scans across all …

6

But that’s really not the

point

7

My firewall is bigger than yours!

8

Watch how that’s done

9

• Your firewall choice IS still important:– Management

– Support

– Performance

– Etc

• Understand that the perimeter is actuallyalready dead

• Remember defense in depth

• Remember the problem you’re actually solving– Alligators in the swamp

So what is the point?

10

Luckily we have SSL…

WITH WITHOUT

11

Luckily we have SSL…

• Another comment that just wont die..• Robert Morris (Snr.) on Encryption:

– “If you think encryption will solve your problem, you probably don’t understand encryption or you don’t understand your problem”.

• The only difference between us attacking your HTTP server and your HTTPS server is that the 2nd option gives us privacy.

• We were going to do a demo for this, but decided not to insult you..

12

We are not saying:• That you should stop buying certificates..• That SSL is pointless• That you should run all your sensitive

apps over HTTP

We are saying:• Make sure you know what it buys you• Make sure you understand where it poses a threat• Quoting Dr. Mudge:

– “A security device isn't necessarily a secure device”.

So what is the point?

13

IDS / IPS / *buzzword* will save us

• A very “human” problem• By its nature reactive• Our track record with IDS…

14

That’s really not the point

15

We are not saying:• Its always useless

– “always” is “always” incorrect

We are saying: • Is an IPS any better ?

– A little.• Is it a panacea?

– Anyone? Anyone?• A good solution (to 1994’s problems?)• Does dismally against custom web

applications• In the end, its a case of man vs. machine..

– (hint: (till 2045) bet on the man)

• Know what it buys you.. • Know its limitations..

So what is the point?

16

Vista / OSX / Plan9 will keep me safe• Defenses are constantly evolving

– Sadly so are the attackers..

• “Nothing” is 100% secure..– Should that be “SAID A LITTLE LOUDER”

• Vista / OSX– The non-admin / non-root user fallacy– Why its really not the point..

• Ultimately..– An improvement - sure!– A panacea

anyone? anyone?

17

THAT’s REALLY NOT

THE POINT!!!

18

• Defenses are constantly evolving– Sadly so are the attackers..

• “Nothing” is 100% secure..– Should that be

“SAID A LITTLE LOUDER”

• Vista / OSX– The non-admin / non-root user fallacy

• Ultimately..– An improvement - sure!– A panacea

anyone? anyone?

So what is the point?

19

0i-Wey its an 0-Day!

• What is a 0-day? A threat that exposes undisclosed or unpatched computer application vulnerabilities

• All the cool kids are into it!

• Is it the end of the world as we know it?

20

Watch this 0-day attack in

action!

21

1. LM-Hashes

2. “Weak passwords always trump strong security”

3. Shared passwords

But do you want to know what really happened?

22

• There will always be another 0-day• You can’t stop the 0-day problem• Understand where on the vulnerability

life cycle you’ll burn• 0-day is probably not how you will

be owned• Security is equal parts people, technology

and process• Make sure you have the basics covered• Remember defense in depth

So what is the point?

23

• Pay attention to who is paying for the “independent research”..

• Investigate the credentials of your experts..

• Make sure that you are spending money solving problems you actually have..

• Acknowledge that its not just the “sexy” problems that need fixing!

• The next time your vendor says “It does <foo>”, ask yourself, if that is actually the point..

In conclusion…

Thank YouQuestions?