The Dark Side of Security (slide transcript)
![Page 1: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/1.jpg)
The Dark Side of Security
Jarrod Overson - @jsoverson - Shape Security
![Page 2: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/2.jpg)
Not this dark side…
![Page 3: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/3.jpg)
… the darkness that hides the unknown
![Page 4: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/4.jpg)
Traditional web security is like flossing.
Deep down we know we should care, but it's difficult to see if the effort is paying off.
![Page 5: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/5.jpg)
OWASP Top 10 (2013)
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Known Vulnerable Components
A10 – Unvalidated Redirects and Forwards
![Page 6: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/6.jpg)
OWASP Automated Threats
OAT-020 Account Aggregation
OAT-019 Account Creation
OAT-003 Ad Fraud
OAT-009 CAPTCHA Bypass
OAT-010 Card Cracking
OAT-001 Carding
OAT-012 Cashing Out
OAT-007 Credential Cracking
OAT-008 Credential Stuffing
OAT-015 Denial of Service
OAT-006 Expediting
OAT-004 Fingerprinting
OAT-018 Footprinting
OAT-005 Scalping
OAT-011 Scraping
OAT-016 Skewing
OAT-013 Sniping
OAT-017 Spamming
OAT-002 Token Cracking
OAT-014 Vulnerability Scanning
![Page 7: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/7.jpg)
Our user-friendly APIs enable our attackers
![Page 8: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/8.jpg)
Not just these APIs
![Page 9: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/9.jpg)
The APIs we expose unintentionally.
![Page 10: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/10.jpg)
![Page 11: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/11.jpg)
![Page 12: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/12.jpg)
![Page 13: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/13.jpg)
![Page 14: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/14.jpg)
![Page 15: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/15.jpg)
It's more than just massive breaches from large companies, too.
![Page 16: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/16.jpg)
It's small, continuous streams of exploitable data.
![Page 17: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/17.jpg)
When you read about breaches, what do you do?
![Page 18: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/18.jpg)
Even if you have the most secure site in the world,
we don't protect against legitimate-looking user logins: a stolen but valid credential pair is, to the server, just another successful login.
![Page 19: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/19.jpg)
If your users were robots, could you tell?
![Page 20: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/20.jpg)
![Page 21: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/21.jpg)
What percentage of traffic is from bots?
![Page 22: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/22.jpg)
92% (current record for automation against a login page, via Shape Security)
![Page 23: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/23.jpg)
Why?
![Page 24: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/24.jpg)
| Do you… | For example |
|---|---|
| Store a type of currency? | actual money, point values, gift cards |
| Sell goods? | physical, digital, services |
| Have unique PII? | health care, social networks |
| Have user generated content? | forums, social networks, blogs, comments |
| Have time sensitive features? | tickets, flash sales, reservations |
| Pay for digitally validated behavior? | ad clicks, reviews, "uber for X" |
![Page 25: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/25.jpg)
If you have value, there is value in exploiting you.
![Page 26: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/26.jpg)
But we have captchas!
![Page 27: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/27.jpg)
But captchas don't work.
![Page 28: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/28.jpg)
"Estimated 200 million+ hours spent every year deciphering squiggly letters."
Luis von Ahn, creator of CAPTCHA
![Page 29: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/29.jpg)
Services have sprung up that make CAPTCHA bypass even easier.
![Page 30: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/30.jpg)
![Page 31: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/31.jpg)
Ever wonder where these ads go?
![Page 32: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/32.jpg)
There's big money in "Work from Home Data Entry" jobs
![Page 33: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/33.jpg)
So we seek alternatives.
![Page 34: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/34.jpg)
Some rely on simple behavior analysis
![Page 35: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/35.jpg)
Some rely on kittens
![Page 36: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/36.jpg)
Some rely on a love for death metal
![Page 37: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/37.jpg)
Some are very high profile
![Page 38: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/38.jpg)
How?
![Page 39: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/39.jpg)
They use a lot of the same tools we already use.
![Page 40: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/40.jpg)
![Page 41: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/41.jpg)
![Page 42: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/42.jpg)
![Page 43: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/43.jpg)
![Page 44: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/44.jpg)
![Page 45: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/45.jpg)
![Page 46: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/46.jpg)
Once you detect an attacker, they are easy to block.
Right?
![Page 47: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/47.jpg)
One attacker from one machine can be blocked by IP.
![Page 48: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/48.jpg)
Many attackers sound dangerous but aren't as common as they are made out to be.
![Page 49: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/49.jpg)
One attacker using proxies to look like thousands of users across the globe
is difficult to detect and block.
![Page 50: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/50.jpg)
Spikes of traffic across many IPs are normal, except when they aren't
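The contrast the last few slides draw, one noisy machine that an IP block handles versus one operator spread across proxies who never stands out per IP, is easiest to see on actual log lines. The following is an added example written for this transcript; it is not code from the talk or from Shape Security. The log format, every line in it, the thresholds and the choice of user-agent as the grouping key are all assumptions made for the example.

```javascript
'use strict';

// Added example (editor's code, not from the talk or from Shape Security).
// It walks login-attempt log lines and separates the two cases the slides
// contrast: one noisy IP, which is easy to block, and one operator spread
// across many proxy IPs, which is only visible in aggregate.
//
// Log format and every line below are constructed for this example:
//   <iso-timestamp> <client-ip> "<user-agent>" <username> <ok|fail>

const LEGIT_UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) Safari/601.5.17';
const STUFFING_UA = 'Mozilla/5.0 (Windows NT 6.1) Chrome/48.0.2564.116 Safari/537.36';
const pad = (n) => String(n).padStart(2, '0');

const SAMPLE_LOG = [
  // ordinary users: few attempts, mostly successful, different IPs
  `2016-03-01T10:00:01Z 198.51.100.7 "${LEGIT_UA}" alice ok`,
  `2016-03-01T10:00:09Z 198.51.100.7 "${LEGIT_UA}" alice ok`,
  `2016-03-01T10:00:15Z 198.51.100.22 "${LEGIT_UA}" bob fail`,
  `2016-03-01T10:00:20Z 198.51.100.22 "${LEGIT_UA}" bob ok`,
  // one machine hammering one account (the single-IP case)
  ...Array.from({ length: 6 }, (_, i) =>
    `2016-03-01T10:01:${pad(i)}Z 203.0.113.9 "curl/7.47.0" carol fail`),
  // one operator behind eight proxies: one attempt per IP, a fresh username
  // each time, identical user-agent, mostly failures with a single hit
  ...Array.from({ length: 8 }, (_, i) =>
    `2016-03-01T10:02:${pad(i)}Z 192.0.2.${i + 1} "${STUFFING_UA}" user${i} ${i === 3 ? 'ok' : 'fail'}`),
];

const LINE_RE = /^(\S+) (\S+) "([^"]*)" (\S+) (ok|fail)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  return m ? { ts: m[1], ip: m[2], ua: m[3], user: m[4], ok: m[5] === 'ok' } : null;
}

function analyzeLogins(lines, opts = {}) {
  const { ipFailLimit = 5, minIps = 5, minFailRate = 0.8 } = opts;
  const byIp = new Map();
  const byUa = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue; // skip malformed lines rather than crash on them
    const ip = byIp.get(e.ip) || { attempts: 0, failures: 0 };
    ip.attempts += 1;
    if (!e.ok) ip.failures += 1;
    byIp.set(e.ip, ip);
    const ua = byUa.get(e.ua) || { attempts: 0, failures: 0, ips: new Set(), users: new Set() };
    ua.attempts += 1;
    if (!e.ok) ua.failures += 1;
    ua.ips.add(e.ip);
    ua.users.add(e.user);
    byUa.set(e.ua, ua);
  }
  // Case 1: a single source failing repeatedly. Rate limiting or an IP block works.
  const noisyIps = [...byIp].filter(([, s]) => s.failures >= ipFailLimit).map(([ip]) => ip);
  // Case 2: a credential-stuffing run. No single IP stands out, but grouped by a
  // property the tooling did not rotate (here the user-agent) the run shows up as
  // many IPs, almost every attempt against a different account, and a failure
  // rate far above what real users produce.
  const campaigns = [...byUa]
    .filter(([, s]) => s.ips.size >= minIps
      && s.failures / s.attempts >= minFailRate
      && s.users.size / s.attempts >= 0.9)
    .map(([ua, s]) => ({ ua, ips: s.ips.size, attempts: s.attempts, failRate: s.failures / s.attempts }));
  return { noisyIps, campaigns };
}

console.log(JSON.stringify(analyzeLogins(SAMPLE_LOG), null, 2));
```

Two caveats a practitioner would want. First, the grouping key only works while the attacker's tool does not rotate it; the moment user-agents are randomized per request, the same logic has to be keyed on something else (header order, TLS parameters, the share of "new device" logins per account). That is exactly the arms race the next slides describe. Second, a large NAT or corporate proxy looks like many users on one IP, so the single-IP threshold needs to be set against your own traffic, not a number copied from here.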
![Page 51: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/51.jpg)
The devices themselves leave fingerprints
![Page 52: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/52.jpg)
And tools are made to leave no fingerprints
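The two slides above, devices leave fingerprints and tools exist to remove them, can be shown side by side in page-visible JavaScript state. The following is an added example written for this transcript, not code from the talk; it checks a handful of well-known headless and WebDriver tells and then feeds it a constructed "stealth" fixture to show that such checks are a floor, not a verdict. The function takes navigator- and window-like objects as arguments so it runs under Node with the constructed fixtures below; in a page you would call `automationSignals(navigator, window)`. A real device fingerprint (canvas, fonts, TLS) goes further than this.

```javascript
'use strict';

// Added example (editor's code, not from the talk). A few well-known tells
// that headless and WebDriver-driven browsers leave in page-visible state,
// plus a constructed "stealth" fixture showing why they are easy to hide.

function automationSignals(nav, win) {
  const ua = nav.userAgent || '';
  const signals = [];
  // Set to true by WebDriver-controlled browsers (WebDriver spec).
  if (nav.webdriver === true) signals.push('navigator.webdriver is true');
  // Headless Chrome and PhantomJS announce themselves in the default UA.
  if (/HeadlessChrome|PhantomJS/.test(ua)) signals.push('headless product token in user-agent');
  // Early headless Chrome shipped with an empty languages list.
  if (!Array.isArray(nav.languages) || nav.languages.length === 0) signals.push('navigator.languages is empty');
  // A desktop Chrome with no plugins at all was a headless giveaway.
  if (/Chrome/.test(ua) && nav.plugins && nav.plugins.length === 0) signals.push('Chrome with zero plugins');
  // PhantomJS injects bridge objects into every page.
  if (win && (win._phantom || win.callPhantom)) signals.push('PhantomJS bridge object present');
  // Headless windows report a 0x0 outer size.
  if (win && win.outerWidth === 0 && win.outerHeight === 0) signals.push('zero outer window size');
  return signals;
}

const CHROME_UA = 'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36';

// Constructed fixtures standing in for navigator and window.
const REAL_CHROME = {
  nav: { userAgent: CHROME_UA, languages: ['en-US', 'en'], plugins: { length: 3 } },
  win: { outerWidth: 1280, outerHeight: 800 },
};
const HEADLESS_CHROME = {
  nav: { webdriver: true, userAgent: CHROME_UA.replace('Chrome/', 'HeadlessChrome/'), languages: [], plugins: { length: 0 } },
  win: { outerWidth: 0, outerHeight: 0 },
};
// The same headless browser after a "stealth" tool overrides every property
// above (the approach such tools take: redefine the navigator properties,
// rewrite the UA string, fake a plugins array, fix the window size).
const STEALTH_HEADLESS = {
  nav: { userAgent: CHROME_UA, languages: ['en-US', 'en'], plugins: { length: 3 } },
  win: { outerWidth: 1280, outerHeight: 800 },
};

for (const [name, f] of Object.entries({ REAL_CHROME, HEADLESS_CHROME, STEALTH_HEADLESS })) {
  console.log(name, automationSignals(f.nav, f.win));
}
```

The stealth fixture returns no signals at all, which is the point of the slide: anything a script reads from the page environment can be written by a script first. Checks like these catch the bottom tier of tooling; against the tools the talk goes on to list, the signal has to come from something the client cannot cheaply rewrite.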
![Page 53: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/53.jpg)
Lots of tools.
![Page 54: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/54.jpg)
![Page 55: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/55.jpg)
We can't patch our way through this.
![Page 56: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/56.jpg)
How would you react if you went from this …
(chart: legitimate traffic)
![Page 57: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/57.jpg)
To this
(chart: automation detected and blocked vs. legitimate traffic)
![Page 58: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/58.jpg)
![Page 59: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/59.jpg)
![Page 60: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/60.jpg)
Not sure if you have a problem?
To get an idea, search for:
• <your company, service, or CMS> fullz
• <your company, service, or CMS> sentrymba
• <your company, service, or CMS> carding
• <your company, service, or CMS> <tool> tutorial
![Page 61: The Dark Side of Security](https://reader031.vdocument.in/reader031/viewer/2022022201/58a0c23f1a28ab6d018b4719/html5/thumbnails/61.jpg)