open security - chad cravens
TRANSCRIPT
Open Security
How Open Source Dominates InfoSec
Chad Cravens
Open Source Systems
www.ossys.com
About The Speaker
Open Source Systems – www.ossys.com
2007 – Graduate of New Mexico Institute of Mining and Technology (Scholarship for Service Recipient)
2007 – 2011 – Federal Employee at SPAWAR (Space and Naval Warfare Systems Center)
2012 – Software Engineer at Small Wall St Firm
2014 – Founded Open Source Systems
Chad Cravens
Charleston, SC
Software Fanatic
Stickler for Software Quality and Security!
What to Expect from Today’s Talk
A Pragmatic and Realistic View of the Landscape
• What is the problem?
• What are the open source tools available?
• How have these tools been used and/or exploited?
• How is open source a double-edged sword?
Questions during presentation are welcomed!
Information Security
The practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
The Pillars of InfoSec
- Confidentiality
- Availability
- Integrity
https://en.wikipedia.org/wiki/Information_security
A Brief History of Modern InfoSec
1970 – John Draper uses famous Captain Crunch Whistle (2600 Mhz) to hack AT&T lines (Phreaking)
1986 – The “Brain” Computer Virus was released against MS-DOS. Computer Fraud and Abuse Act of 1986 was passed as law.
1988 – The Morris Worm was one of the first Internet-distributed worms to pop up
1990’s – As the popularity of the Internet grows, so do the complexity and frequencies of attacks, in particular viruses
2000’s – Unprecedented levels of hacks, rise of Application-layer attacks and self-propagating malware
What is Open Source?
Open Source is Collaborative Development
We are all standing on the shoulders of giants
Programming Languages, a Foundation
GNU Compiler Collection (GCC)
Arguably one of the most widely adopted compilers used by the hacker community. Supports C, C++, Objective-C, Java and Ada. Can be used to:
- Create tools
- Create exploits / shellcode
- Analyze (network / system calls / encryption / etc.)
- Supports Linux / Unix variants, Mac OSX and Windows
Python
A go-to tool for hackers that is supported by default by a large number of systems:
- Create tools
- Create exploits / shellcode
- Simply perform network operations
And more open source languages…
Some of the most popular open source languages
And better late to the party than never… Welcome Microsoft!
Open Standards
A standard that is publicly available and has various rights associated with it, and may also have various properties of how it was designed (e.g. open process).
https://en.wikipedia.org/wiki/Open_standard
Hackers Can Exploit These Standards
Exploit an Open Standard
Transmission Control Protocol (TCP), RFC 793
Using Open Source Programming Languages
To create one of the most popular open source network reconnaissance tools available and used by hackers
And this is how it starts…
Open the flood gates for open source network security tools!
- Real-time analysis of network traffic; filtering and color-coding
- Network and vulnerability recon; analyze firewall rules and routing
- Run exploits on remote systems; create backdoors / control remote systems
- Scan networks for vulnerable systems; run exploits on remote systems
But wait, there’s more…
Open the flood gates for open source network security tools!
- Real-time analysis of network traffic; filtering and color-coding
- Used to pipe network streams; “Swiss army knife” of network tools
- Run exploits on remote systems; create backdoors / control remote systems
- Real-time analysis of network traffic
Open Source Security Distro
Kali Linux
Includes more than 600 open source security tools, just like the ones previously mentioned!!
Includes all the aforementioned tools and much more installed and ready to rock
• Vulnerability Scanning
• Service Discovery
• Password Cracking
• Security Tool Development
• WiFi Cracking
• … and much much more
Additional Open Standards / Groups
Open Source Vulnerability Database
Open Web Application Security Project
Open Vulnerability and Assessment Language
Organization for the Advancement of Structured Information Standards
And many more not mentioned here….
OSVDB - Searching Vulnerabilities
OSVDB’s goal is to provide accurate, detailed, current, and unbiased technical security information. The project
currently covers 120,980 vulnerabilities, spanning 198,976 products from 4,735 researchers, over 113 years.
Application Layer Security
Multiple Layers of Attack
All aforementioned tools attack at this layer
We have not yet touched this layer
Like an Onion
Application Layer vs Network Layer Attacks
Network Layer Attacks
- Open Standards: Reviewed Over Years By The Best in the Industry
- Open Source Implementation: Reviewed by dozens or hundreds of developers over years
- Open Source Implementation: Reviewed by dozens or hundreds of developers over years
Application Layer Attacks
- Hire a Team of Developers: Usually the lowest bidder
- Knowledge and Skills..?
- Deploy Your Custom App: Usually not reviewed
- Hackers Exploit Your App: Direct Access to Your Data
Debunking the Myths
“My App is Closed Source, Therefore It’s Secure”
Reality:
- Source code is not needed to circumvent security
- Licensing has little effect on the security of software
“We Use Open Source, Therefore We Are Secure”
Reality:
- Open-sourcing bad / insecure code will not make it secure
- Only good coding practices will create secure code
- Having more reviewers may benefit the security of a project
Tools to Debunk the Myths
A tool used to exploit proprietary and custom-developed applications
A tool used to exploit proprietary and custom-developed applications
Nikto
Zed Attack Proxy (ZAP)
Proxy-based application vulnerability assessment
Application Vulnerabilities
OWASP Top 10
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery
A9 – Using Components with Known Vulnerabilities
A10 – Unvalidated Redirects and Forwards
The Other Side of the Coin
Open Standards along with Open Source IS Security
Open Source Security Tools
- OpenSSH – De-facto Standard to Connect Securely to Remote Computers
- OpenSSL – De-facto Standard for Secure Web SSL/TLS Communication
- and much much much more…
Open Security Standards
- SAML – Open Standard for Secure Web-Based Single Sign On (SSO)
- CVE – Common Vulnerabilities and Exposures List
- PCI DSS – Payment Card Industry Data Security Standard
- AES – Advanced Encryption Standard
- and much much much more…
US Federal Law
- FISMA – Federal Information Security Management Act
- HIPAA – Health Information Portability and Accountability Act
Open Source Digital Forensics
Open Source Forensics
… a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.
Sleuthkit & Autopsy
https://en.wikipedia.org/wiki/Digital_forensics
Open Source Security Training
What’s the Missing Link?
Knowledge!!
Unlimited Learning Opportunities!!
Open Security Training – http://opensecuritytraining.info/
SecurityTube – http://www.securitytube.net/
MIT OCW – http://ocw.mit.edu/
Coursera – http://coursera.org/
The Open Source Security Ecosystem
Open Standards
Open Standards Organizations
Open Source Languages
Open Source Security Tools
KSA
Open Source Breaks Barriers
Unlimited Opportunities / Unlimited Resources
- Learn About Cyber Security
- Implement Security in Your Organization
- Research Cyber Security
- Attend Cyber Security Conferences
- Start an Open Source Security Project
- Information Security Scholarship Programs
To make a career or….