Guest Speaker JGrossman PPT Deck

hotbroodSecurity

Nov 2, 2013


© 2013 WhiteHat Security, Inc.

Careers in computer security


Jeremiah Grossman

- Founder & CTO of WhiteHat Security
- InfoWorld Top 25 CTO
- Co-founder of the Web Application Security Consortium
- Co-author: Cross-Site Scripting Attacks
- Former Yahoo! information security officer
- Brazilian Jiu-Jitsu Black Belt


MIT President L. Rafael Reif:

"I want you to hack the world ... until you make the world a little more like MIT."


LEARN TO HACK


Job Description: Hack Everything!

Official Title: "the hacker yahoo"



Find the vulnerabilities before the bad guys



"It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics."

"It's just not true. Cryptography can't do any of that."




- Founded 2001
- Headquartered in Santa Clara, CA
- Employees: 280+
- WhiteHat Sentinel: SaaS end-to-end website risk management platform (static and dynamic analysis)
- Customers: 650+ (Banking, Retail, Healthcare, etc.)

https://www.whitehatsec.com/


Two Worlds of Web Security

Web Browser: A browser must be able to defend itself against a hostile website.

Website: A website must be able to defend itself against a hostile client [browser].


Websites

672,985,183

Growing in the hundreds of thousands per month


17 million programmers worldwide

The future is all about software...


Fastest growing recruiting company

Largest bookseller

Largest video service

Dominant music companies

Best new movie production company

Largest direct marketing platform

Fastest growing telecom company



86% of all websites tested by WhiteHat had at least one serious* vulnerability, 56 to be precise.

672,985,183 websites x 56 = 37,687,170,248 vulnerabilities.

Where are they?

On average, websites are exposed to serious vulnerabilities 231 days of the year.



Hacktivists

Nation-State Sponsored

Cyber-Criminals


You're a hacker!? Can you hack a bank?


LEARN TO HACK


The System

An ASP provides hosting for banks, credit unions, and other financial services companies. ASPs are attractive targets because, instead of focusing on one bank at a time, an attack could compromise dozens/hundreds/thousands at a time with the same vulnerability.

The banking application had three important URL parameters: client_id, bank_id, and acct_id. To the ASP, each of their clients has a unique ID, each potentially with several different banking websites, and each bank having any number of customer bank accounts.

http://website/app.cgi?client_id=10&bank_id=100&acct_id=1000



We changed the acct_id to an arbitrary yet valid account #, and the error said, "Account #X belongs to Bank #Y".

We then changed the bank_id to #Y, and an error said, "Bank #Y belong to Client #Z".

We changed the client_id to #Z, and you could drop into anyone else's bank account, on any bank, on any client.

Success!!!

http://website/app.cgi?client_id=10&bank_id=100&acct_id=1000

How to hack 600 banks...
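The failure in this story has two parts: the application trusts the three IDs in the URL as proof of entitlement, and each consistency error names the correct parent ID, so the error text itself walks a caller from any account to its client. The Python below is an added example, not code from the deck or from the ASP it describes. It shows the lookup behind app.cgi written first the way the talk describes it (so the leak is visible) and then in a hardened form that derives authorization from the logged-in session, requires the account to belong to that session's user, and answers every failure with the same generic 404. The in-memory tables, the function names and the session_user argument are assumptions made for the illustration.

```python
"""Added example, not code from the deck or the ASP it describes: the account
lookup behind app.cgi written two ways. Tables, names and the session_user
argument are assumptions for illustration."""
from __future__ import annotations

# Constructed sample data mirroring the client -> bank -> account hierarchy.
BANKS_BY_CLIENT = {10: {100}, 20: {200}}
ACCOUNTS_BY_BANK = {100: {1000, 1001}, 200: {2000}}
ACCOUNT_OWNER = {1000: "alice", 1001: "bob", 2000: "dave"}


def _bank_of_account(acct_id: int) -> int | None:
    return next((b for b, accts in ACCOUNTS_BY_BANK.items() if acct_id in accts), None)


def _client_of_bank(bank_id: int) -> int | None:
    return next((c for c, banks in BANKS_BY_CLIENT.items() if bank_id in banks), None)


def handle_vulnerable(client_id: int, bank_id: int, acct_id: int) -> tuple[int, str]:
    """The pattern the talk describes: the three URL parameters are trusted as
    given, no ownership check is made, and each consistency error names the
    correct parent ID, so the responses act as an oracle for the hierarchy."""
    if acct_id not in ACCOUNTS_BY_BANK.get(bank_id, set()):
        real_bank = _bank_of_account(acct_id)
        if real_bank is None:
            return 404, "No such account"
        return 403, f"Account #{acct_id} belongs to Bank #{real_bank}"
    if bank_id not in BANKS_BY_CLIENT.get(client_id, set()):
        real_client = _client_of_bank(bank_id)
        return 403, f"Bank #{bank_id} belongs to Client #{real_client}"
    # Consistent triple: the account page is served with no ownership check.
    return 200, f"balance page for account {acct_id}"


def handle_hardened(session_user: str, client_id: int, bank_id: int,
                    acct_id: int) -> tuple[int, str]:
    """Hardened form: authorization comes from the authenticated session, not
    from the URL. The triple must be internally consistent AND the account must
    belong to session_user; every failure returns the same generic 404 so the
    response carries no information about other clients, banks or accounts."""
    consistent = (
        bank_id in BANKS_BY_CLIENT.get(client_id, set())
        and acct_id in ACCOUNTS_BY_BANK.get(bank_id, set())
    )
    if not consistent or ACCOUNT_OWNER.get(acct_id) != session_user:
        return 404, "Not Found"
    return 200, f"balance page for account {acct_id}"


if __name__ == "__main__":
    # alice on her own account succeeds; the same shape of request against
    # dave's account (a different client and bank) does not.
    print(handle_hardened("alice", 10, 100, 1000))
    print(handle_hardened("alice", 20, 200, 2000))
```

The hardened handler still validates the client/bank/account chain, but only as a sanity check; the decision that matters is the comparison against the session's user, which the URL cannot influence. Returning one indistinguishable 404 for "wrong bank", "wrong client" and "not yours" is what removes the oracle the story relied on.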


Gary McGraw (CTO, Cigital) says roughly 2% of all programmers should be software security pros, or "Builders" in our case. Gary, through a project called BSIMM, arrived at 2% by surveying dozens of software security programs among large companies and measuring what they do.

Programmer Population (Worldwide): 17 million

We'll need 340,000 "Builders"




We'll use a ratio of 1 "breaker" per 100 websites. This ratio comes from internal metrics at WhiteHat Security generated from assessments conducted over the last 8 years and encompassing more than 10,000 websites.

"Important" (SSL) website population: 1.8 million

We'll need 18,000 "Breakers"




No idea how to begin to estimate the Defender need, but it'll be in the tens of thousands at least, considering the vast number of website assets that must be protected, the 1 billion online users whom someone needs to ensure are playing nice, and the serious volume of Web traffic they generate that has to be monitored.


Application Security Unemployment Rate: 0%


3 Hard Facts About Technology

1) Technology is incapable of eliminating the need for people in any aspect of application security.

2) Without technology, there is far more work than could ever be completed manually by the number of skilled people available.

3) Technology offers increased efficiency and a reduction in the quantity and skill-level of the people necessary to complete a given process.


What to Learn & How to Differentiate Yourself

1) Programming: Publish your software, contribute to open source projects, etc.

2) DIY Education: Read books & blogs, Amazon AWS, Virtualization, Google / Facebook / Twitter APIs, etc. Probability theory and statistics have become critical skills.

3) Write and Engage: blog, twitter, contributed articles, mailing lists, and attend local user-group meetings.

4) Hack: Participate in Bug Bounty Programs…


http://dankaminsky.com/2012/02/26/review/

Websites Accepting Security Research

- Paypal
- Facebook
- 37 Signals
- Salesforce
- Microsoft
- Google
- Twitter
- Mozilla
- eBay
- Adobe
- Reddit
- GitHub
- Constant Contact
- Zeggio
- Simplify, LLC
- Team Unify
- Skoodat
- Relaso
- Modus CSR
- CloudNetz
- EMPTrust
- Apriva

$ Millions of dollars to hundreds of researchers. Closed hundreds, if not thousands, of vulnerabilities. Protected hundreds of millions of users.



LEARN TO HACK


Getting the word out...

Business Wire provides a service where registered website users receive a stream of up-to-date press releases. Press releases are funneled to Business Wire by various organizations, which are sometimes embargoed temporarily because the information may affect the value of a stock.

Press release files are uploaded to the Web server (Business Wire), but not linked, until the embargo is lifted. At such time, the press release Web pages are linked into the main website and users are notified with URLs similar to the following:

http://website/press_release/08/29/2007/00001.html
http://website/press_release/08/29/2007/00002.html
http://website/press_release/08/29/2007/00003.html

Before granting read access to the press release Web page, the system ensures the user is properly logged-in.



Just because you can't see it doesn't mean it's not there.

An Estonian financial firm, Lohmus Haavel & Viisemann, discovered that the press release Web page URLs were named in a predictable fashion.

And, while links might not yet exist because the embargo was in place, it didn't mean a user couldn't guess at the filename and gain access to the file. This method worked because the only security check Business Wire conducted was to ensure the user was properly logged-in, nothing more.

According to the SEC, which began an investigation, Lohmus Haavel & Viisemann profited over $8 million by trading on the information they obtained.
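The check Business Wire ran was authentication, but the property that actually needed enforcing was the embargo state of each file; "not linked yet" was never a control once the file existed at a guessable path. As an added example, not Business Wire's code, the Python below puts the login-only check beside a handler that gates each release on its own publication time and answers 404 for embargoed and nonexistent files alike, so guessing a filename early learns nothing. It closes with a small check a defender can run over access logs to spot a user collecting 404s under /press_release/. The catalogue, timestamps, log lines and function names are all constructed for the illustration.

```python
"""Added example, not Business Wire's code: embargo-aware access control for
press-release pages, with the login-only check for comparison. The catalogue,
the timestamps and the access-log lines are constructed."""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timezone
from typing import Iterable

# Constructed catalogue: path -> time the embargo lifts (UTC). The file is on
# disk from the moment it is uploaded, so the filesystem cannot be the gate.
EMBARGO_UNTIL = {
    "/press_release/08/29/2007/00001.html": datetime(2007, 8, 29, 12, 0, tzinfo=timezone.utc),
    "/press_release/08/29/2007/00002.html": datetime(2007, 8, 29, 13, 0, tzinfo=timezone.utc),
    "/press_release/08/29/2007/00003.html": datetime(2007, 8, 30, 9, 0, tzinfo=timezone.utc),
}

# Constructed clock values used by the demo and the tests.
T_BEFORE = datetime(2007, 8, 29, 10, 0, tzinfo=timezone.utc)  # all three embargoed
T_AFTER = datetime(2007, 8, 30, 10, 0, tzinfo=timezone.utc)   # all three lifted


def serve_login_only(logged_in: bool, path: str) -> tuple[int, str]:
    """The check the deck describes: being logged in is the only test, so an
    uploaded-but-unlinked file is readable by anyone who guesses its name."""
    if not logged_in:
        return 401, "login required"
    if path not in EMBARGO_UNTIL:
        return 404, "Not Found"
    return 200, f"contents of {path}"


def serve_with_embargo(logged_in: bool, path: str, now: datetime) -> tuple[int, str]:
    """Hardened: login gates the service, but permission to read a specific
    release is decided by that release's publication state. An embargoed file
    is indistinguishable from a nonexistent one, so enumeration learns nothing."""
    if not logged_in:
        return 401, "login required"
    lift = EMBARGO_UNTIL.get(path)
    if lift is None or now < lift:
        return 404, "Not Found"
    return 200, f"contents of {path}"


# Constructed access-log lines: timestamp user method path status.
SAMPLE_LOG = [
    "2007-08-29T10:15:01Z trader7 GET /press_release/08/29/2007/00002.html 404",
    "2007-08-29T10:15:02Z trader7 GET /press_release/08/29/2007/00003.html 404",
    "2007-08-29T10:15:03Z trader7 GET /press_release/08/29/2007/00004.html 404",
    "2007-08-29T10:15:04Z trader7 GET /press_release/08/29/2007/00005.html 404",
    "2007-08-29T10:16:00Z reader1 GET /press_release/08/29/2007/00001.html 200",
    "2007-08-29T10:16:30Z reader1 GET /press_release/08/29/2007/00009.html 404",
]


def flag_enumeration(log_lines: Iterable[str], threshold: int = 3) -> set[str]:
    """Detection: a logged-in user who piles up 404s under /press_release/ is
    probing for unpublished files. Returns the user names at or over threshold."""
    misses: Counter[str] = Counter()
    for line in log_lines:
        _ts, user, _method, path, status = line.split()
        if path.startswith("/press_release/") and status == "404":
            misses[user] += 1
    return {user for user, n in misses.items() if n >= threshold}


if __name__ == "__main__":
    path = "/press_release/08/29/2007/00003.html"
    print(serve_login_only(True, path))             # served although embargoed
    print(serve_with_embargo(True, path, T_BEFORE))  # 404 until the embargo lifts
    print(serve_with_embargo(True, path, T_AFTER))   # served once it has lifted
    print(flag_enumeration(SAMPLE_LOG))              # {'trader7'}
```

With the hardened handler, the predictable numbering stops mattering for confidentiality: the server answers the question "is this release public?" rather than "does this file exist?". The log check is deliberately crude (a count of misses per user) but it is exactly the signal the sequential probing in this story would have produced.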


A Ukrainian hacker breaks into Thomson Financial and steals a gloomy results announcement for IMS Health, hours before its release to the stock market ...

- Hacker enters ~$42,000 in sell orders betting the stock will fall
- The stock fell sharply making the hacker ~$300,000
- Red flags appear and the SEC freezes the funds
- Funds are ordered to be released; Dorozhko's alleged "stealing and trading" or "hacking and trading" does not amount to a "violation" of securities laws, Judge Naomi Reice Buchwald
- The Times speculates that the DoJ has simply deemed the case not worth pursuing, probably due to the difficulties involved in gaining cooperation from local authorities to capture criminals in Ukraine.


Thank You

Blog: http://blog.whitehatsec.com/
Twitter: http://twitter.com/jeremiahg
Email: jeremiah@whitehatsec.com