Centre for Cyber Security - gotocon.com/dl/goto-cph-2015/slides/thomaskristmar...
TRANSCRIPT
Centre for Cyber Security
Thomas Kristmar, Centre for Cyber Security, Danish Defence Intelligence Service
05-10-2015
Who are we?
Centre for Cyber Security
In respect of the Rule of Law and Privacy – Cyber is a priority (Gov. Declaration, Oct 2011)
National Centre of excellence in Cyber Security
DK Defence Intelligence Service
SDLC - Theory
Actual SDLC
Requirements: too costly / too late
Ship & fix in future release
Example – SSL certificates
Example – Directory Traversal
“Those who don't know history are doomed to repeat it.”
Societal Impact
Risk
Know your code
http://cynosureprime.blogspot.dk/2015/09/how-we-cracked-millions-of-ashley.html
Risk
Know your code
http://qz.com/501073/the-top-100-passwords-on-ashley-madison/
XcodeGhost: http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/
Password     Number of users
123456       120511
12345        48452
password     39448
DEFAULT      34275
123456789    26620
qwerty       20778
Risk
Don’t implement your own crypto
Pixie Dust Attacks (flaw in three implementations of WPS)
https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?pli=1#gid=2048815923
And please don't hardcode passwords
CVE-2014-0329: DSL routers contain a hardcoded password
Risk
Open source isn’t secure by default
CVE-2014-0160
CVE-2014-6271
Lessons Learned
Know your code AND be able to update
Don’t implement your own crypto
Open source isn’t secure by default
Read OWASP / SDLC AND do threat modeling
Thank you for your attention