30 years living a happy life - breaking systems, chasing bad guys and teaching people about internet...
![Page 1: 30 years living a happy life - Breaking Systems, Chasing Bad Guys and Teaching People about Internet Security](https://reader031.vdocument.in/reader031/viewer/2022032503/55c007f9bb61ebad688b464a/html5/thumbnails/1.jpg)
30 years living a happy life
Breaking Systems,
Chasing Bad Guys,
and Helping People Understand Internet Security
About.me/jhc
Jonathan Care
@arashiyama
http://www.linkedin.com/in/computercrime
What makes you happy?
Highlights and lowlights
Helped build one of the first Internet backbones
Set up my own ISP from scratch (just add £2M…)
Investigated numerous breaches in conjunction with major tech vendors and law enforcement
Expert witness testimony
Cryptographic design for UK Government
Discovered the iOS “location.consolidated” bug
Dot.com millionaire!
Risk research for a large credit card company
CHECK accredited penetration tester
PCI DSS auditor
Where did I get started?
What have I observed?
Real Statistics?
Real reality
Regrettably the percentage of organisations reporting computer intrusions has continued to decline. The key reason given… was the fear of negative publicity. As a consequence this has resulted in a belief that the threat and impact has also been gravely underestimated – Metropolitan Police
If I report this, I am worried what else the police will find – Anonymous IT Director
We don’t handle payments so it doesn’t really matter if our code is secure or not – Web Development firm providing e-commerce (!)
How soon can we start our web server up again? – Compromised Web Merchant
Why commit crimes on the Internet?
Potentially High Financial Gain
Anonymity
Rapid, secure, global communications
Global impact – 1 billion plus users (1 in 6 of the world’s population)
Virtual marketplace – reduced risks of being detected, disrupted or caught
Volatile evidential trail – ISP limited retention of data
Cross Border investigations protracted for law enforcement
And… “Because that’s where the money is” – Willie Sutton
Anonymity? Not really.
Did somebody mention hacking?
Meanwhile …
Wide open webcams?
Oh yeah.
Data Privacy is Dead
Criminals get ongoing access to credit reports
SSNDOB Compromise of KBA and PII at Major Data Brokers
PII data combined with financial records for sale
Serious web-code vulnerabilities compromise sensitive information
Almost 1.5 billion usernames and passwords stolen
*Source: Symantec Internet Security Threat Report 2014
Conclusions
What have I learned?
All software has bugs.
Bugs will be discovered
Some bugs will have a security impact
Product owners continue to value functionality over security
Investors place little value on security and privacy
End users trust vendors
Security is always trumped by convenience – bad design makes bad security
What can we do?
Security architecture landscape
Customer friction: ‘harder is better’ doesn’t keep bad guys out and annoys good guys
Systematic compromise of personal data & credentials
Exceptions; you are only as good as your weakest link!
Enterprises want absolute identity proofing but must live with shades of uncertainty
If you go into InfoSec, remember this…
PREPARE
DETECT
RESPOND
A final thought …
Digital Humanism (don’t be a jerk)
Don’t intrude on personal space
Don’t try to engineer personal intelligence and prerogatives out of the system
Don’t try to maximise machine efficiency at the expense of usability