the theater we call security

THE THEATER WE CALL SECURITY …. we come in Presented by Evert Smith 21 July 2008

Upload: sensepost

Post on 02-Nov-2014

DESCRIPTION

Presentation by Evert Smith at the University of Pretoria to the honours class of 2008. The presentation begins by naming the different domains of security and explaining C.I.A. (confidentiality, integrity, availability). A graphical illustration of how attack sophistication versus intruder knowledge changed between 1990 and 2004 is given. The presentation ends with an explanation of what security theater is and a few interesting items of IT security news.

TRANSCRIPT

Page 1: The theater we call security

THE THEATER WE CALL SECURITY

…. we come in

Presented by Evert Smith, 21 July 2008

Page 2: The theater we call security

• Introduction
• Domains of Security
• C.I.A
• Cause and Effect
• Entropy
• Security Theater
• Newsbytes

Page 3: The theater we call security

INTRODUCTION

Background
• The breakdown – what is IS?
• The light – what does it take?
• The Fu – the person, the skill

Who I am
• Univ van Pta
• SACS, SPI, PwC, Sensepost

Page 4: The theater we call security

Background

Page 5: The theater we call security

the domains of security

• Security Management Practices
• Security Architecture and Models
• Preventive Maintenance
• Application Development Security
• Operations Security
• Physical Security
• Cryptography
• Telecommunications, Network, and Internet Security
• Business Continuity Planning
• Law, Investigations, and Ethics

Page 6: The theater we call security

Security is about C.I.A

• Risk drives infosec
• Decisions and importance are decided by the C.I.A factor
• Examples of C.I.A:
  - Email interception
  - Cheque fraud
  - Messy computer room

(Figure: the C.I.A triangle – Confidentiality, Integrity, Availability)

Recent SA example?

Page 7: The theater we call security

Why do we have issues? (I’ve been using this for years – cuz it hasn’t changed)

• Technology becoming more complex → SLOC
• The Internet not designed to be safe → Redundancy
• Socio-economic changes → Social networks
• Rushed, “like whatever” → Time is money

The same “Hello World” program, growing in source lines of code (SLOC) from one language and platform to the next:

* C++

#include <iostream>
int main() { std::cout << "Hello World!\n"; }

* C++ | C++/CLI

int main() { System::Console::WriteLine("Hello World!"); }

* Assembly (TASM, IDEAL mode, DOS)

IDEAL
MODEL SMALL
STACK 100h
DATASEG
HW DB "hello, world", 13, 10, '$'
CODESEG
Begin:
    MOV AX, @data
    MOV DS, AX
    MOV DX, OFFSET HW
    MOV AH, 09H        ; DOS: print string at DS:DX
    INT 21H
    MOV AX, 4C00H      ; DOS: terminate program
    INT 21H
END Begin

* awk

BEGIN { print "Hello World!" }

* Windows API (in Borland Pascal)

program Hello;
uses WinTypes, WinProcs;
const
  szClassName = 'PASCLASS32';

function WndProc(Window: HWnd; Message, WParam: Word; LParam: Longint): Longint; export;
var
  LPPaint: TPaintStruct;
  TheDC: HDC;
begin
  WndProc := 0;
  case Message of
    wm_Destroy:
      begin
        PostQuitMessage(0);
        Exit;
      end;
    wm_Paint:
      begin
        TheDC := BeginPaint(Window, LPPaint);
        TextOut(TheDC, 5, 5, 'hello, world', 12);
        EndPaint(Window, LPPaint);  { release the DC obtained by BeginPaint }
      end;
  end;
  WndProc := DefWindowProc(Window, Message, WParam, LParam);
end;

procedure WinMain;
var
  Window: HWnd;
  Message: TMsg;
const
  WindowClass: TWndClass = (
    style: 0;
    lpfnWndProc: @WndProc;
    cbClsExtra: 0;
    cbWndExtra: 0;
    hInstance: 0;
    hIcon: 0;
    hCursor: 0;
    hbrBackground: 0;
    lpszMenuName: szClassName;
    lpszClassName: szClassName);
begin
  if HPrevInst = 0 then
  begin
    WindowClass.hInstance := HInstance;
    WindowClass.hIcon := LoadIcon(0, idi_Application);
    WindowClass.hCursor := LoadCursor(0, idc_Arrow);
    WindowClass.hbrBackground := GetStockObject(white_Brush);
    if not RegisterClass(WindowClass) then
      Halt(255);
  end;
  Window := CreateWindow(szClassName, 'Win32 Pascal Program', ws_OverlappedWindow,
    cw_UseDefault, cw_UseDefault, cw_UseDefault, cw_UseDefault, 0, 0, HInstance, nil);
  ShowWindow(Window, CmdShow);
  UpdateWindow(Window);
  while GetMessage(Message, 0, 0, 0) do
  begin
    TranslateMessage(Message);
    DispatchMessage(Message);
  end;
  Halt(Message.wParam);
end;

begin
  WinMain;
end.

Page 8: The theater we call security

Entropy:

• Viruses
• Patches
• Spam
• Phishing / Pharming
• Hoaxes
• Apathy
• Malware / Spyware
• Hackers

Page 9: The theater we call security

Are you contributing?

Page 10: The theater we call security

Page 11: The theater we call security

Who is credited as being the father of the Internet? Arpanet, Vint Cerf, Bob Kahn et al (1975 TCP/IP)

Who invented the mouse? Douglas Engelbart (1964)

Who invented e-mail? Ray Tomlinson (1971)

Who invented the WWW? Tim Berners-Lee (1988)

Page 12: The theater we call security

Security Theater

• Your desk – good defence against nucular attacks
• Airports in the US, e.g. liquid ban, profiling, gun-shirts
• Shopping malls, intensely in your face, e.g. bag checks, guards in general
• Personal computer security – it’s a joke

Security theater consists of security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security.

Who says nucular?

Page 13: The theater we call security

Security Theater – the human touch

• Security design is about psychology – ignored and exploited
• The pig vs Security

“Those who desire to give up freedom in order to gain security, will not have, nor do they deserve, either one.”

Page 14: The theater we call security

• Unpatched Windows PCs "Own3d" in less than four minutes (or maybe 16 hours)
• Spammer gets 30 months for inundating AOL
• Charges against New Zealand botmaster dropped
• Rogue employee locks San Francisco's network
• Review site furious over McAfee SiteAdvisor 'false alert'
• Facebook bug exposes members' data

Page 15: The theater we call security

#!/bin/bash

# Function to prompt questions from audience and appear
# to look intelligent

while [ ! -lt audience.bored ]; do
    verbose answering of questions
    sleep like forever
done
echo "That's All Folks. Thanks for Listening."

….this is where

Page 16: The theater we call security

#!/bin/bash

[email protected]

….this is where

“It’s a pity you have to pay for awesomeness”