That’s Really not the Point… haroon meer | charl van der walt SensePost

Upload: mavis-bradley

Post on 25-Dec-2015


TRANSCRIPT

Page 1
That’s Really not the Point… haroon meer | charl van der walt SensePost

Page 2
Who we are
• SensePost
• {charl|haroon} @ sensepost.com
• What we do…
• Time…

Page 3
The industry is flooded with snake-oil
How many blondes does it take to change a lightbulb?
Only one really – the rest is all just marketing…
The Question of Incentives
Who is this bad for?
A market for lemons
An informed customer is better for everyone

Page 4
Agenda
• Introduction
• A very funny joke
• This really isn’t the point
– My scanner can beat up your scanner!
– We have firewalls!
– We have SSL / Encryption!
– We have IPS / IDS!
– I’m safe, I use Vista / OSX / Plan9!
– 0i-Wey it’s 0-Day. First time vulnerability release
• Conclusion.
• Questions?

Page 5
My scanner can beat up your scanner!
Detect security vulnerabilities on your network! !!!!!! makes use of state of the art vulnerability check databases based on OVAL and SANS Top 20, providing over 15,000 vulnerability assessments when your network is scanned. !!!!!! gives you the information and tools you need to perform multi-platform scans across all …

Page 6
But that’s really not the point

Page 7
My firewall is bigger than yours!

Page 8
Watch how that’s done

Page 9
• Your firewall choice IS still important:
– Management
– Support
– Performance
– Etc
• Understand that the perimeter is actually already dead
• Remember defense in depth
• Remember the problem you’re actually solving
– Alligators in the swamp
So what is the point?

Page 10
Luckily we have SSL…
WITH | WITHOUT

Page 11
Luckily we have SSL…
• Another comment that just won’t die..
• Robert Morris (Snr.) on Encryption:
– “If you think encryption will solve your problem, you probably don’t understand encryption or you don’t understand your problem”.
• The only difference between us attacking your HTTP server and your HTTPS server is that the 2nd option gives us privacy.
• We were going to do a demo for this, but decided not to insult you..

Page 12
We are not saying:
• That you should stop buying certificates..
• That SSL is pointless
• That you should run all your sensitive apps over HTTP
We are saying:
• Make sure you know what it buys you
• Make sure you understand where it poses a threat
• Quoting Dr. Mudge:
– “A security device isn't necessarily a secure device”.
So what is the point?

Page 13
IDS / IPS / *buzzword* will save us
• A very “human” problem
• By its nature reactive
• Our track record with IDS…

Page 14
That’s really not the point

Page 15
We are not saying:
• It’s always useless
– “always” is “always” incorrect
We are saying:
• Is an IPS any better?
– A little.
• Is it a panacea?
– Anyone? Anyone?
• A good solution (to 1994’s problems?)
• Does dismally against custom web applications
• In the end, it’s a case of man vs. machine..
– (hint: (till 2045) bet on the man)
• Know what it buys you..
• Know its limitations..
So what is the point?

Page 16
Vista / OSX / Plan9 will keep me safe
• Defenses are constantly evolving
– Sadly so are the attackers..
• “Nothing” is 100% secure..
– Should that be “SAID A LITTLE LOUDER”
• Vista / OSX
– The non-admin / non-root user fallacy
– Why it’s really not the point..
• Ultimately..
– An improvement - sure!
– A panacea anyone? anyone?

Page 17
THAT’s REALLY NOT THE POINT!!!

Page 18
• Defenses are constantly evolving
– Sadly so are the attackers..
• “Nothing” is 100% secure..
– Should that be “SAID A LITTLE LOUDER”
• Vista / OSX
– The non-admin / non-root user fallacy
• Ultimately..
– An improvement - sure!
– A panacea anyone? anyone?
So what is the point?

Page 19
0i-Wey it’s an 0-Day!
• What is a 0-day? A threat that exposes undisclosed or unpatched computer application vulnerabilities
• All the cool kids are into it!
• Is it the end of the world as we know it?

Page 20
Watch this 0-day attack in action!

Page 21
But do you want to know what really happened?
1. LM-Hashes
2. “Weak passwords always trump strong security”
3. Shared passwords
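As an added example (not from the SensePost slides), a defender-side audit of a pwdump-style dump for the first and third of those three causes: accounts that still have an LM hash stored, and accounts that share a password. The dump lines and hash values are constructed for the example, except the well-known empty-LM-hash constant.

```python
# Added example, not from the SensePost slides: audit a pwdump-style dump
# for two of the causes the talk blames instead of a 0-day, LM hashes still
# being stored and passwords shared between accounts. Hash values are
# constructed except the well-known empty-LM-hash constant.
from collections import defaultdict

EMPTY_LM_HALF = "aad3b435b51404ee"          # LM hash of an empty 7-byte half
EMPTY_LM = EMPTY_LM_HALF * 2                # LM field when LM storage is disabled

# Constructed sample in pwdump format: user:rid:lmhash:nthash:::
SAMPLE_DUMP = """\
Administrator:500:c1b6e5e9a4e8b1f2aad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
alice:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
bob:1003:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

def parse_pwdump(text):
    """Return (user, lm, nt) tuples; malformed or empty lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[0]:
            continue
        rows.append((parts[0], parts[2].lower(), parts[3].lower()))
    return rows

def lm_hash_present(rows):
    """Accounts with a real LM hash. LM upper-cases the password and hashes
    each 7-character half separately, so both halves crack independently; a
    second half equal to the empty-half constant means the password is at
    most 7 characters. Returns (user, at_most_7_chars) pairs."""
    return sorted((u, lm[16:] == EMPTY_LM_HALF) for u, lm, _ in rows if lm != EMPTY_LM)

def shared_passwords(rows):
    """Groups of accounts with the same NT hash: NT hashes are unsalted, so an
    identical hash means an identical password."""
    by_nt = defaultdict(list)
    for u, _, nt in rows:
        by_nt[nt].append(u)
    return sorted(sorted(users) for users in by_nt.values() if len(users) > 1)

def audit(text):
    """Run both checks over a dump and return the findings by name."""
    rows = parse_pwdump(text)
    return {"lm_present": lm_hash_present(rows), "shared": shared_passwords(rows)}

if __name__ == "__main__":
    for finding, value in audit(SAMPLE_DUMP).items():
        print(finding, value)
```

Either finding is a password-policy or hygiene problem that no patch cycle addresses, which is the slide's point about where the compromise really came from.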

Page 22
• There will always be another 0-day
• You can’t stop the 0-day problem
• Understand where on the vulnerability life cycle you’ll burn
• 0-day is probably not how you will be owned
• Security is equal parts people, technology and process
• Make sure you have the basics covered
• Remember defense in depth
So what is the point?

Page 23
In conclusion…
• Pay attention to who is paying for the “independent research”..
• Investigate the credentials of your experts..
• Make sure that you are spending money solving problems you actually have..
• Acknowledge that it’s not just the “sexy” problems that need fixing!
• The next time your vendor says “It does <foo>”, ask yourself if that is actually the point..

Page 24
Thank You
Questions?