bsidesroc 2016 - holly turner - how to hug a hacker

How to Hug a Hacker (Lessons from Manufacturing) Holly Turner, Xerox Information Security Manager CISSP, PMP, Six Sigma Black Belt

Upload: bsidesroc

Post on 11-Feb-2017


TRANSCRIPT

Page 1: BSidesROC 2016 - Holly Turner - How To Hug A Hacker

How to Hug a Hacker (Lessons from Manufacturing)

Holly Turner, Xerox Information Security Manager

CISSP, PMP, Six Sigma Black Belt

Page 2: BSidesROC 2016 - Holly Turner - How To Hug A Hacker
Page 3: BSidesROC 2016 - Holly Turner - How To Hug A Hacker

"My father taught me many things here — he taught me in this room. He taught me — keep your friends close but your enemies closer."

"Michael Corleone" in The Godfather Part II (1974)

Page 4: BSidesROC 2016 - Holly Turner - How To Hug A Hacker

• Mike Lynn, age 24, presented vulnerabilities in Cisco IOS at Black Hat in Vegas

https://www.blackhat.com/html/bh-blackpage/bh-blackpage-11092005.html

https://www.schneier.com/blog/archives/2005/07/cisco_harasses.html

• Resigned from ISS after being asked to "edit" presentation content

• Lawsuit filed by Cisco, ISS

2005 "Ciscogate"

Page 5: BSidesROC 2016 - Holly Turner - How To Hug A Hacker
Page 6: BSidesROC 2016 - Holly Turner - How To Hug A Hacker

"No one really thought this ... was possible, until Wednesday, so no one really looked to defend against it," [Mike] Lynn said. "A router is like any computer in that, when it has a vulnerability, you can hack it."

Blowback - 1 http://www.securityfocus.com/news/11260

Page 7: BSidesROC 2016 - Holly Turner - How To Hug A Hacker

"The whole attempt at security through obscurity is amazing, especially when a big company like Cisco tries to keep a researcher quiet." "People are definitely going to want to find more vulnerabilities ... and now people aren't going to care to report things to Cisco."

Marc Maiffret, chief hacking officer for network protection firm eEye Digital Security

Blowback - 2 http://www.securityfocus.com/news/11260

Page 8: BSidesROC 2016 - Holly Turner - How To Hug A Hacker

"You have EULAs that tell people they can't reverse engineer and companies who are ready to levy the most severe penalties for anyone who breaks those agreements," [Jennifer] Granick said. "It is time to begin to worry about the rights that companies are trying to take away from us."

Blowback - 3 http://www.securityfocus.com/news/11260

EULA

Page 9: BSidesROC 2016 - Holly Turner - How To Hug A Hacker

• Processor
• RAM, ROM, SDRAM
• HD
• NIC
• Analog Fax Modem
• Linux OS
• Apache, OpenSSL, OpenLDAP, Samba, Kerberos, PHP, Net-SNMP

Say hello to my little friend.

Page 10: BSidesROC 2016 - Holly Turner - How To Hug A Hacker

• Brendan O'Connor, undergrad intern, presents "Vulnerabilities in embedded systems"

https://www.blackhat.com/presentations/bh-usa-06/BH-US-06-OConnor.pdf

Black Hat 2006

Page 12: BSidesROC 2016 - Holly Turner - How To Hug A Hacker

• Senior Security Advisor at Leviathan Security Group

• Juris Doctor, Law, University of Wisconsin, MSE Computer Science, Johns Hopkins

• CIPP/US, CIPP/G, CISSP, Certificate of Cloud Security Knowledge https://www.linkedin.com/in/ussjoin

Where is he now?

Page 13: BSidesROC 2016 - Holly Turner - How To Hug A Hacker

• Researchers at Columbia School of Engineering and Applied Science reverse engineer printer

• Software updates are not digitally signed or checked for authenticity

• Malware can replace the OS

http://www.nbcnews.com/business/consumer/exclusive-millions-printers-open-devastating-hack-attack-researchers-say-f118851

Printers on Fire? 2012

Page 14: BSidesROC 2016 - Holly Turner - How To Hug A Hacker

• Dr. Ang Cui, CEO and chief scientist
• Dr. Salvatore Stolfo, co-founder
• Red Balloon Security https://www.redballoonsecurity.com/
• Project Symbiote – software to defend embedded devices, in HP devices

Where are they now?

Page 15: BSidesROC 2016 - Holly Turner - How To Hug A Hacker

• Andrei Costin, presentation on "Embedded Devices Security and Firmware Reverse Engineering"

https://www.blackhat.com/us-13/briefings.html#Costin

Black Hat 2013

Page 16: BSidesROC 2016 - Holly Turner - How To Hug A Hacker

More Security Bulletins

https://www.xerox.com/download/security/security-bulletin/2e639-4d7bcb40a048e/cert_XRX12-003_v1.13.pdf

Page 17: BSidesROC 2016 - Holly Turner - How To Hug A Hacker

• Co-founder at Firmware.RE
• PhD from EURECOM/Telecom ParisTech
• Google Security Hall of Fame
• 12/29/2015 presentation on "(In)Security of Embedded Devices' Firmware - Fast and Furious at Large Scale"

https://www.youtube.com/watch?v=Rum1e8ZJlys

Where is he now?

Page 18: BSidesROC 2016 - Holly Turner - How To Hug A Hacker

• Andrew Auernheimer, "Weev", hacktivist, claims "mass printer trolling": sending an unauthorized document to printers on open, unsecured Internet connections.

• http://www.nytimes.com/2016/03/29/nyregion/hacker-weev-says-he-printed-anti-semitic-and-racist-fliers-at-colleges-across-us.html?_r=0

Fast forward, March 2016

Page 19: BSidesROC 2016 - Holly Turner - How To Hug A Hacker
Page 20: BSidesROC 2016 - Holly Turner - How To Hug A Hacker

• Self-Employed
• Seeking Crowdfunding on Liberapay
• Twitter – "Tons of Soviet bureaucracy. Submitted my request for a 15 year residency. If you don't travel to Eastern Europe I'll see you when I'm 45"

https://www.linkedin.com/in/rabite

Where is he now?

Page 21: BSidesROC 2016 - Holly Turner - How To Hug A Hacker

How hugging works

1. Contact
   – Dedicated webpage.com/security
   – Technical Support, phone or email

2. Publication Pause
   – Negotiated time period for manufacturer to develop patch, 60 to 90 days

3. Acknowledgement
   – Public recognition of researcher

Options:
• Contest/Challenge
• Payment/Bug Bounty

Page 23: BSidesROC 2016 - Holly Turner - How To Hug A Hacker

Questions?