Page 1
Everything is Awful (And You’re Not Helping)
An optimistic #infosec talk based on Shamir’s Laws of Security
Jan Schaumann @jschauma
Page 2
Everything is Awful.
@jschauma BSidesSF 2016
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
https://v.gd/thingOfTheDay
Page 12
#Infosec “research” (aka browsing Shodan)
Page 13
And ~~You~~ We’re Not Helping.
Page 14
One of these two people probably has some really interesting OpSec stories to tell…
… the other one keynotes RSAC.
Page 15
Being really good at one thing does not make you an expert in all things.
💡
Page 16
#Infosec != Real World
Page 17
Welcome to #Infosec, where Hanlon’s Razor is dull.
Page 18
Why Glenn can’t encrypt.
Page 19
https://v.gd/hackersStealHospital
Page 20
https://v.gd/ccSignatureFun
Page 21
Page 22
Page 23
https://v.gd/securusDataBreach
Page 24
Page 25
https://libraryfreedomproject.org/
Page 26
Don’t fuck with librarians.
💡
https://v.gd/FreedomToRead https://en.wikipedia.org/wiki/Doe_v._Gonzales
Page 27
Page 28
Everything is Awful. And We’re Not Helping.
Page 29
Page 30
The “S” in RSA… …does not stand for Sean Penn.
💡
Page 31
Absolutely secure systems do not exist.
Page 32
Absolutely secure systems do not exist.
To halve your vulnerability, you have to double your expenditure.
Page 33
Absolutely secure systems do not exist.
To halve your vulnerability, you have to double your expenditure.
Cryptography is typically bypassed, not penetrated.
Page 34
Absolutely secure systems do not exist.
Page 35
💡
Absolutely secure systems do not exist. Keep calm, that’s fine.
Raising the cost of an attack is often sufficient. Know your Threat Model.
Page 36
Page 37
https://v.gd/noSilverBullet
Page 38
HTTPS
Essential Complexity:
• exposes port 443
• uses TLS
• speaks HTTP
Accidental Complexity:
• weak Ciphers enabled
• 30 different versions of at least 5 different TLS libraries deployed
• apache, nodejs, nginx, Tomcat, …
Page 39
💡 Reducing complexity reduces attack surface.
Page 40
Data is your friend.
Page 41
Page 42
Page 43
Page 44
Data is your friend.
Page 45
Avg payout
Page 46
Cumulative payout by vuln.
Page 47
Data is your friend.
Page 48
Why not “APT breaking our cryptos”?
Page 49
💡 Cryptography is typically bypassed, not penetrated.
Page 50
Page 51
US gov risk management
Page 52
US gov risk management
Page 53
US gov risk management vs. #infosec focus:
• “APT” breaking our cryptos
• SQLi
• Keys on GitHub
• XSS
Page 54
Dat APT, tho.
Page 55
Dat APT, tho.
Page 56
“If you think your problems can be solved by cryptography, you’re probably wrong.”
-- Robert Morris
Page 57
Page 58
Page 59
Everything is Awful. And We’re Not Helping.
Page 60
Everything is Awful. (Keep calm, that’s fine.)
💡
Page 61
Is the internet on fire?
Page 62
The internet is always going to be on fire.
Page 63
Don’t waste your time on busy work. Measure your impact.
Prioritize.
Page 64
Don’t waste your time on busy work. Measure your impact.
Understand your threat model.
Prioritize.
Page 65
Don’t waste your time on busy work. Measure your impact.
Have a threat model.
Prioritize.
Page 67
Measure your impact.
Prioritize.
Help others take responsibility. Guide them.
Page 68
💡 Everybody else's job is more complicated than you think.
Page 69
Measure your impact.
Prioritize.
Be helpful.
Teach. Listen.
Page 70
Measure your impact.
Prioritize.
Be helpful.
Teach. Listen.
…and stop with the fucking Sun Tzu quotes.