Open Security - Chad Cravens

Open Security How Open Source Dominates InfoSec Chad Cravens Open Source Systems www.ossys.com

Upload: it-ology

Post on 20-Jan-2017


TRANSCRIPT

Page 1: Open Security - Chad Cravens

Open Security
How Open Source Dominates InfoSec

Chad Cravens
Open Source Systems

www.ossys.com

Page 2: Open Security - Chad Cravens

About The Speaker


2007 - Graduate of New Mexico Institute of Mining and Technology (Scholarship for Service Recipient)

2007 – 2011 Federal Employee at SPAWAR (Space and Naval Warfare Systems Center)

2012 – Software Engineer at Small Wall St Firm

2014 – Founded Open Source Systems

Chad Cravens
Charleston, SC

Software Fanatic

Stickler for Software Quality and Security!

Page 3: Open Security - Chad Cravens

What to Expect from Today’s Talk


A Pragmatic and Realistic View of the Landscape

• What is the problem?
• What are the open source tools available?
• How have these tools been used and/or exploited?
• How is open source a double-edged sword?

Questions during presentation are welcomed!

Page 4: Open Security - Chad Cravens

Information Security


The practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

- Confidentiality
- Availability
- Integrity

The Pillars of InfoSec

https://en.wikipedia.org/wiki/Information_security

Page 5: Open Security - Chad Cravens

A Brief History of Modern InfoSec


1970 – John Draper uses famous Captain Crunch Whistle (2600 Mhz) to hack AT&T lines (Phreaking)

1986 – The “Brain” Computer Virus was released against MS-DOS. Computer Fraud and Abuse Act of 1986 was passed as law.

1988 – The Morris Worm was one of the first Internet-distributed worms to pop up

1990’s – As the popularity of the Internet grows, so do the complexity and frequencies of attacks, in particular viruses

2000’s – Unprecedented levels of hacks, rise of Application-layer attacks and self-propagating malware

Page 6: Open Security - Chad Cravens

What is Open Source?


Open Source is Collaborative Development

We are all standing on the shoulders of giants

Page 7: Open Security - Chad Cravens

Programming Languages, a Foundation


GNU Compiler Collection (GCC)
Arguably one of the most widely adopted compilers used by the hacker community. Supports C, C++, Objective C, Java and Ada. Can be used to:
- Create tools
- Create exploits / shellcode
- Analyze (network / system calls / encryption / etc)
- Supports Linux / Unix variants, Mac OSX and Windows

Python
A go-to tool for hackers that is supported by default by a large number of systems:
- Create tools
- Create exploits / shellcode
- Simply perform network operations

Page 8: Open Security - Chad Cravens

And more open source languages…


Some of the most popular open source languages

And better late to the party than never… Welcome Microsoft!

Page 9: Open Security - Chad Cravens

Open Standards


A standard that is publicly available and has various rights associated with it, and may also have various properties of how it was designed (e.g. open process).

https://en.wikipedia.org/wiki/Open_standard

Page 10: Open Security - Chad Cravens

Hackers Can Exploit These Standards


Transmission Control Protocol (TCP), RFC 793

Exploit an Open Standard

Using Open Source Programming Languages

To create one of the most popular open source network reconnaissance tools available and used by hackers

Page 11: Open Security - Chad Cravens

And this is how it starts…


Open the flood gates for open source network security tools!

Real-time analysis of network traffic
Filtering and color-coding

Network and vulnerability recon
Analyze firewall rules and routing

Run exploits on remote systems
Create backdoors / control remote systems

Scan networks for vulnerable systems
Run exploits on remote systems

Page 12: Open Security - Chad Cravens

But wait, there’s more…


Open the flood gates for open source network security tools!

Real-time analysis of network traffic
Filtering and color-coding

Used to pipe network streams
“Swiss army knife” of network tools

Run exploits on remote systems
Create backdoors / control remote systems

Real-time analysis of network traffic


Page 13: Open Security - Chad Cravens

Open Source Security Distro


Kali Linux
Includes more than 600 open source security tools, just like the ones previously mentioned!!

Includes all the aforementioned tools and much more installed and ready to rock

• Vulnerability Scanning
• Service Discovery
• Password Cracking
• Security Tool Development
• WiFi Cracking
• … and much much more


Page 14: Open Security - Chad Cravens

Additional Open Standards / Groups


Open Source Vulnerability Database

Open Web Application Security Project

Open Vulnerability and Assessment Language

Organization for the Advancement of Structured Information Standards

And many more not mentioned here….


Page 15: Open Security - Chad Cravens

OSVDB - Searching Vulnerabilities


OSVDB’s goal is to provide accurate, detailed, current, and unbiased technical security information. The project currently covers 120,980 vulnerabilities, spanning 198,976 products from 4,735 researchers, over 113 years.


Page 16: Open Security - Chad Cravens

Application Layer Security


Page 17: Open Security - Chad Cravens

Multiple Layers of Attack


All aforementioned tools attack at this layer

We have not yet touched this layer

Like an Onion


Page 18: Open Security - Chad Cravens

Application Layer vs Network Layer Attacks


Network Layer Attacks Application Layer Attacks

Open Standards
Reviewed Over Years By The Best in the Industry

Open Source Implementation
Reviewed by dozens or hundreds of developers over years

Open Source Implementation
Reviewed by dozens or hundreds of developers over years

Hire a Team of Developers
Usually the lowest bidder

Knowledge and Skills..?

Deploy Your Custom App
Usually not reviewed

Hackers Exploit Your App
Direct Access to Your Data


Page 19: Open Security - Chad Cravens

Debunking the Myths


“My App is Closed Source, Therefore It’s Secure”
Reality:
- Source code is not needed to circumvent security
- Licensing has little effect on the security of software

“We Use Open Source, Therefore we Are Secure”
Reality:
- Open-sourcing bad / insecure code will not make it secure
- Only good coding practices will create secure code
- Having more reviewers may benefit the security of a project


Page 20: Open Security - Chad Cravens

Tools to Debunk the Myths


A tool used to exploit proprietary and custom-developed applications

A tool used to exploit proprietary and custom-developed applications

Nikto

Zed Attack Proxy (ZAP)

Proxy-based application vulnerability assessment


Page 21: Open Security - Chad Cravens

Application Vulnerabilities


OWASP Top 10
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery
A9 – Using Components with Known Vulnerabilities
A10 – Unvalidated Redirects and Forwards


Page 22: Open Security - Chad Cravens

The Other Side of the Coin


Open Standards along with Open Source IS Security

Open Source Security Tools
- OpenSSH – De-facto Standard to Connect Securely to Remote Computers
- OpenSSL – De-facto Standard for Secure Web SSL/TLS Communication
- and much much much more…

Open Security Standards
- SAML – Open Standard for Secure Web-Based Single Sign On (SSO)
- CVE – Common Vulnerabilities and Exposures List
- PCI DSS – Payment Card Industry Data Security Standard
- AES – Advanced Encryption Standard
- and much much much more…

US Federal Law
- FISMA – Federal Information Security Management Act
- HIPAA – Health Information Portability and Accountability Act


Page 23: Open Security - Chad Cravens

Open Source Digital Forensics


Page 24: Open Security - Chad Cravens

Open Source Forensics


… a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.

Sleuthkit & Autopsy

https://en.wikipedia.org/wiki/Digital_forensics


Page 25: Open Security - Chad Cravens

Open Source Security Training


Page 26: Open Security - Chad Cravens

What’s the Missing Link?


Knowledge!!

Page 27: Open Security - Chad Cravens

Unlimited Learning Opportunities!!


Open Security Training
http://opensecuritytraining.info/

SecurityTube
http://www.securitytube.net/

MIT OCW
http://ocw.mit.edu/

Coursera
http://coursera.org/

Page 28: Open Security - Chad Cravens

The Open Source Security Ecosystem


Open Standards

Open Standards Organizations

Open Source Languages

Open Source Security Tools


KSA

Page 29: Open Security - Chad Cravens

Open Source Breaks Barriers


Unlimited Opportunities / Unlimited Resources

- Learn About Cyber Security
- Implement Security in Your Organization
- Research Cyber Security
- Attend Cyber Security Conferences
- Start an Open Source Security Project
- Information Security Scholarship Programs


To make a career or….

Page 30: Open Security - Chad Cravens

Questions?


Thank You!
