New Immune System Of Information Security From China, By WooYun - Code Blue 2015
TRANSCRIPT
How To Build The Immune System For The Internet
WooYun

About Me
• Founder Of The 80sec Security Team (ID: 剑心)
• Former Security Team Leader At Baidu
• Founder Of The WooYun Security Community
• Idealist In Thinking
• Pragmatist In Hacking

Topic Today
• No Professional APT Research To Share
• No Popular Hacking Skills To Share

What Are We Talking About When We Talk About Security
• Hacking For Building: Creating A Better And Safer World By Breaking Things
• We Can Hack The Safest Car In The World
• But We Can't Stop People From Using Weak Passwords

The Internet Environment We Are Facing
• Billions Of Users
• A Huge User Base Breeds An Equally Huge Black-Market Industry
• Enterprises And Applications That Grew Explosively In A Very Short Time
• Survive First, Consider Security Later
• Relatively Deficient Regulation And Mechanisms
• Security Compliance Matters More Than Being Really Secure
• Rapid Development Of Clouds And New Technologies
• Even Home Door Locks Are Now Network Connected

If You Are A Whitehat
• You Have No Access To A Better Salary Or Career Development
• Enterprises Pay No Attention To Security Because Users Do Not Understand It
• The Commercial Security Community Lacks Sharing And Discussion
• You Have Fewer And Fewer Friends And More And More Enemies
• Your Enterprise's Security Status Will Not Improve Because Of Your Hard Work
• Because The Internet Environment Gets Worse, You Have More Enemies

The Internet Is Out Of Control
• A Bad Ecosystem

Where Is The Silver Bullet
• Can We Solve These Security Issues Through Better Security Technologies?
• What Is The Core Of The Problem?

The Reason Why: A Closed Environment
– Users (Too Closed To See The Real Risks)
– Enterprises (No Investment In Fields Users Do Not Notice)
– Industry (Profit From Information Asymmetry)

Conventional Process Of Vulnerability Disclosure
• The Vulnerability Is Submitted To The Vendor First
• The Vendor Confirms, Fixes, And Pushes A Patch
• No Information Is Made Public Proactively
• Possible Commercial Cooperation, Rewards, And Acknowledgements

The Responsible Process Of Vulnerability Disclosure
• Conforms To The Enterprise's Own Interests
• Conforms To The Early Information Security Environment

Changes
• MS / Adobe / Apple
– Closed System
– Endpoint Security
• Google / Amazon / Apple
– Open System
– Cloud Security

What We Hope For: Openness
– Users (Come To Understand Security Through Public Disclosure Of Security Information)
– Enterprises (Users' Attention To And Understanding Of Security Drives Enterprises To Invest More In Security)
– Industry (A Transparent Environment Raises The Value Of Products And Technology)

Responsible Vulnerability Disclosure Process (WooYun Version)
• The Vulnerability Is Submitted To The Vendor First
• The Vendor Confirms, Fixes, And Pushes A Patch
• All Vulnerability Details Are Disclosed Publicly
• High-Risk Vulnerabilities Are Warned About And Discussed At An Early Stage
• Conforms To The Industry's Security Needs In The Current Environment
• Conforms To The Current And Future Security Environment

The Core Value System Of The WooYun Ecosystem
• All Enterprises Can Fix Their Own Security Problems Promptly And Learn About Internet Risks
• The Community And Enterprises Can Learn From Publicly Disclosed Problem Details And Avoid More Problems
• Users Can Learn From Disclosed Problems Whether Their Own Data Is At Potential Risk

Github but in security
Bug bounty but Free
WhiteHat School but no teacher
What We Have Done
• 10,000+ Whitehats Have Reported 100,000+ Vulnerabilities For The Internet Industry
• The Discovery And Repair Cycle For Important Security Vulnerabilities Has Shortened To Weeks Or Even Less
• Users Learn About Important Security Risks And Urge Enterprises To Deal With Them
• As Enterprises Understand Security Better, Community Whitehats Get Better Career Development
• Whitehats + Users + Enterprises + Government Form A Healthy Security Immune Mechanism

Q&A
• :)