30 years living a happy life - Breaking Systems, Chasing Bad Guys and Teaching People about Internet Security
- 1. 30 years living a happy life
Breaking Systems,
Chasing Bad Guys,
and Helping People Understand Internet Security
- 4. Highlights and lowlights
Helped build one of the first Internet backbones
Set up my own ISP from scratch (just add £2M…)
Investigated numerous breaches in conjunction with major tech vendors and law enforcement
Expert witness testimony
Cryptographic design for UK Government
Discovered the iOS “location.consolidated” bug
Dot.com millionaire!
Risk research for a large credit card company
CHECK accredited penetration tester
PCI DSS auditor
- 9. Real reality
“Regrettably the percentage of organisations reporting computer intrusions has continued to decline. The key reason given… was the fear of negative publicity. As a consequence this has resulted in a belief that the threat and impact has also been gravely underestimated” – Metropolitan Police
“If I report this, I am worried what else the police will find” – Anonymous IT Director
“We don’t handle payments so it doesn’t really matter if our code is secure or not” – Web Development firm providing e-commerce (!)
“How soon can we start our web server up again?” – Compromised Web Merchant
- 10. Why commit crimes on the Internet?
Potentially High Financial Gain
Anonymity
Rapid, secure, global communications
Global impact – 1 billion plus users (1 in 6 of the world’s population)
Virtual marketplace – reduced risks of being detected, disrupted or caught
Volatile evidential trail – ISP limited retention of data
Cross Border investigations protracted for law enforcement
And… “Because that’s where the money is” – Willie Sutton
- 18. Data Privacy is Dead
Criminals get ongoing access to credit reports
SSNDOB: compromise of knowledge-based authentication (KBA) data and personally identifiable information (PII) at major data brokers
PII combined with financial records for sale
Serious web-code vulnerabilities compromise sensitive information
Almost 1.5 billion usernames and passwords stolen
*Source: Symantec Internet Security Threat Report 2014
- 20. What have I learned?
All software has bugs.
Bugs will be discovered
Some bugs will have a security impact
Product owners continue to value functionality over security
Investors place little value on security and privacy
End users trust vendors
Security is always trumped by convenience – bad design makes bad security
- 22. Security architecture landscape
Customer friction: ‘harder is better’ doesn’t keep bad guys out and annoys good guys
Systematic compromise of personal data & credentials
Exceptions: you are only as good as your weakest link!
Enterprises want absolute identity proofing but must live with shades of uncertainty
- 23. If you go into InfoSec, remember this…
PREPARE, DETECT, RESPOND
- 25. Digital Humanism (don’t be a jerk)
Don’t intrude on personal space
Don’t try and engineer personal intelligence and prerogatives out of the system
Don’t try to maximise machine efficiency at the expense of usability