· Hackers need to work on their PR
After LASCON and BlackHat this year, I believe hackers have treated media with disdain, and they are suffering for it. IMHO, “hackers” is a misused term. There are engineers who tinker, take things apart and try to break them. Breaking things like websites, applications and OS’s is the best way to understand them and their vulnerabilities. There is a completely different category of people who are “criminals” – they want money money money for work they did not do. It’s just crazy to mix these two groups up, and the media is over-simplifying and doing just that.
- The OWASP Top 10 Security concerns transcend whether or not you host in the cloud
Face it, most security problems are your own fault. When time-to-market and performance eclipse
security concerns in application development, and you use programmers without
security training, your web presence is likely to suffer. Where you host usually has very little to do
with compromised websites, loss of data and public humiliation.
· Compliance to laws and standards does not guarantee security
Most security pros I know are disgusted with the influence
compliance has on sensible investing toward IT security. While no one will dispute the PCI-DSS has
forced people to provide a modicum of appropriate patching and attention to
security, it’s not the whole story.
Compliance investing can lead to missing the big picture – following the
rules seems to ensure that you will be able to deal with hackers of the
past. Remember, hackers are a lot faster
at evolving than laws and standards, which are notoriously slow to evolve and
adapt to reality.
· Make your apps “secure by default” – don’t give users the opportunity to be Pwned.
IT customers, also known as “users” are just trying to get
something done. They typically have no
clue as to the security impacts of clicking through revoked certificates,
suggestions at application install and warnings they do not read. Adam Blank highlighted this in his talk.
· “Crypto doesn’t solve problems, it just moves them” – Matt Tesauro of Rackspace
How many times has data in motion been the big problem recently? Not as
much as data at rest. Nobody is arguing
the value of encryption, but it’s not the whole solution.
· Mobile Apps are the New Frontier for Hacking
Dan Kuykendall gave an interesting talk on security for
mobile apps. Interesting thing: when a user is on a laptop, they can see that
HTTPS in their browser. Mobile user – no
such luck. Compound that with mobile
apps with lifetime sessions, no curfew for requests and easy replay with NONCE –
it’s surprising we have not seen more problems, so far. Add to this mess the fact that many users
have no idea that indiscriminate use of public wifi “puts it all out there” for
anyone with a Pineapple
(for the princely sum of about $90.)
· Google Dorking is fun and easy
Phil Purviance gave a fascinating talk at LASCON. Simply go to www.googleguide.com, and you can learn
how to get to (potentially damaging) cached pages the website has forgotten
about, among other things that are amazing.
In addition, you can get personal information about others who
inadvertently click “view on browser” or “web version” in an email sent to them
from prominent companies. With email
incompatibilities, marketers have turned to this option of offering this option
in emails – when you click on it, authentication is often assumed. Oh dear.
· Rule #1 of Penetration Testing: “Don’t Rub It In”
David Hughes gave a great talk to a packed house on Pen
Testing. He described many tools and
techniques, but the thing that stuck with me is that it is most important to “partner”
with the customer when doing Pen Testing, if you really want them to fix their
problems and become more secure.
· Mind those Blind Spots!
Robert Hansen gave a great talk on this topic. Truth is, nobody knows everything – IT is
just too complicated for that. He also
had a great quip I captured: “Don’t make the mistake of siding against
consumers (and their privacy)”
· Sure, You are Fine – Why is your website unavailable?
Denial of service is a big problem for everyone, and
financials have been hit hard recently.
Pez Zivic of F5 gave a great talk about his research on classifying DOS
and DDOS attacks. The bottom line: Can
you still access your website while under attack?”
