30 years living a happy life
Breaking Systems,
Chasing Bad Guys,
and Helping People Understand Internet Security
About.me/jhc
- Jonathan Care
- @arashiyama
- http://www.linkedin.com/in/computercrime
What makes you happy?
Highlights and lowlights
- Helped build one of the first Internet backbones
- Set up my own ISP from scratch (just add £2M…)
- Investigated numerous breaches in conjunction with major tech vendors and law enforcement
- Expert witness testimony
- Cryptographic design for UK Government
- Discovered the iOS “location.consolidated” bug
- Dot.com millionaire!
- Risk research for a large credit card company
- CHECK accredited penetration tester
- PCI DSS auditor
Where did I get started?
What have I observed?
Real Statistics?
Real reality
- “Regrettably the percentage of organisations reporting computer intrusions has continued to decline. The key reason given… was the fear of negative publicity. As a consequence this has resulted in a belief that the threat and impact has also been gravely underestimated” – Metropolitan Police
- “If I report this, I am worried what else the police will find” – Anonymous IT Director
- “We don’t handle payments so it doesn’t really matter if our code is secure or not” – Web Development firm providing e-commerce (!)
- “How soon can we start our web server up again?” – Compromised Web Merchant
Why commit crimes on the Internet?
- Potentially high financial gain
- Anonymity
- Rapid, secure, global communications
- Global impact – 1 billion plus users (1 in 6 of the world’s population)
- Virtual marketplace – reduced risks of being detected, disrupted or caught
- Volatile evidential trail – ISP limited retention of data
- Cross-border investigations protracted for law enforcement
And… “Because that’s where the money is” – Willie Sutton
Anonymity? Not really.
Did somebody mention hacking?
Meanwhile …
Wide open webcams?
Oh yeah.
Data Privacy is Dead
- Criminals get ongoing access to credit reports
- SSNDOB: compromise of KBA and PII at major data brokers
- PII data combined with financial records for sale
- Serious web-code vulnerabilities compromise sensitive information
- Almost 1.5 billion usernames and passwords stolen
*Source: Symantec Internet Security Threat Report 2014
Conclusions
What have I learned?
- All software has bugs.
- Bugs will be discovered.
- Some bugs will have a security impact.
- Product owners continue to value functionality over security.
- Investors place little value on security and privacy.
- End users trust vendors.
- Security is always trumped by convenience – bad design makes bad security.
What can we do?
Security architecture landscape
- Customer friction: ‘harder is better’ doesn’t keep bad guys out and annoys good guys
- Systematic compromise of personal data & credentials
- Exceptions; you are only as good as your weakest link!
- Enterprises want absolute identity proofing but must live with shades of uncertainty
If you go into InfoSec, remember this…
PREPARE
DETECT
RESPOND
A final thought …
Digital Humanism (don’t be a jerk)
- Don’t intrude on personal space
- Don’t try and engineer personal intelligence and prerogatives out of the system
- Don’t try to maximise machine efficiency at the expense of usability