· Hackers need to work on their PR
After LASCON and BlackHat this year, I believe hackers have treated media with disdain, and they are suffering for it. IMHO, “hackers” is a misused term. There are engineers who tinker, take things apart and try to break them. Breaking things like websites, applications and OS’s is the best way to understand them and their vulnerabilities. There is a completely different category of people who are “criminals” – they want money money money for work they did not do. It’s just crazy to mix these two groups up, and the media is over-simplifying and doing just that.
· The OWASP Top 10 security concerns transcend whether or not you host in the cloud
Face it, most security problems are your own fault. When time-to-market and performance eclipse security concerns in application development, and you use programmers without security training, your web presence is likely to suffer. Where you host usually has very little to do with compromised websites, loss of data and public humiliation.
· Compliance with laws and standards does not guarantee security
Most security pros I know are disgusted with the influence compliance has on sensible investing toward IT security. While no one will dispute that PCI-DSS has forced people to provide a modicum of appropriate patching and attention to security, it’s not the whole story. Compliance-driven investing can lead to missing the big picture: following the rules seems to ensure only that you will be able to deal with the hackers of the past. Remember, hackers are a lot faster at evolving than laws and standards, which are notoriously slow to evolve and adapt to reality.
· Make your apps “secure by default” – don’t give users the opportunity to be pwned
IT customers, also known as “users”, are just trying to get something done. They typically have no clue as to the security impact of clicking through revoked certificates, suggestions at application install, and warnings they do not read. Adam Blank highlighted this in his talk.
· “Crypto doesn’t solve problems, it just moves them” – Matt Tesauro of Rackspace
How many times has data in motion been the big problem recently? Not as much as data at rest. Nobody is arguing the value of encryption, but it’s not the whole solution.
· Mobile apps are the new frontier for hacking
Dan Kuykendall gave an interesting talk on security for mobile apps. Interesting thing: when a user is on a laptop, they can see the HTTPS indicator in their browser. Mobile user – no such luck. Compound that with mobile apps with lifetime sessions, no curfew for requests and easy replay with NONCE – it’s surprising we have not seen more problems so far. Add to this mess the fact that many users have no idea that indiscriminate use of public wifi “puts it all out there” for anyone with a Pineapple (for the princely sum of about $90).
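The three server-side weaknesses listed above (lifetime sessions, no request expiry, replayable requests) map to three checks an API backend can make. The following is an added illustration, not code from the post or from the talk; the key, the age limits and the request format are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo values (not from the post); real keys are per session.
SECRET = b"constructed-demo-key"
SESSION_MAX_AGE = 24 * 3600   # assumption: a session lives one day, not forever
REQUEST_WINDOW = 300          # assumption: a request is valid for five minutes


def sign(session_issued, ts, nonce, body):
    """Client side: bind body, timestamp and nonce together under the key."""
    msg = f"{session_issued}|{ts}|{nonce}|".encode() + body
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: rejects expired sessions, stale requests and replays."""

    def __init__(self, clock=time.time):
        self.clock = clock    # injectable clock so the checks can be tested
        self.seen = {}        # nonce -> time it was first accepted

    def check(self, session_issued, ts, nonce, body, mac):
        now = self.clock()
        if now - session_issued > SESSION_MAX_AGE:
            return "session expired"
        if abs(now - ts) > REQUEST_WINDOW:
            return "request outside time window"
        # A replay can arrive up to 2*REQUEST_WINDOW after the original
        # (original early in the window, replay late), so keep nonces that long.
        cutoff = now - 2 * REQUEST_WINDOW
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}
        if nonce in self.seen:
            return "replayed nonce"
        if not hmac.compare_digest(sign(session_issued, ts, nonce, body), mac):
            return "bad signature"
        self.seen[nonce] = now
        return "ok"


if __name__ == "__main__":
    v = Verifier()
    issued = ts = time.time()
    body = b'{"amount": 5}'
    mac = sign(issued, ts, "n1", body)
    print(v.check(issued, ts, "n1", body, mac))   # ok
    print(v.check(issued, ts, "n1", body, mac))   # replayed nonce
```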
· Google dorking is fun and easy
Phil Purviance gave a fascinating talk at LASCON. Simply go to www.googleguide.com, and you can learn how to get to (potentially damaging) cached pages the website has forgotten about, among other amazing things. In addition, you can get personal information about others who inadvertently click “view in browser” or “web version” in an email sent to them from prominent companies. With email client incompatibilities, marketers have turned to offering this option in emails – when you click on it, authentication is often assumed. Oh dear.
· Rule #1 of penetration testing: “Don’t rub it in”
David Hughes gave a great talk to a packed house on pen testing. He described many tools and techniques, but the thing that stuck with me is that it is most important to “partner” with the customer when doing pen testing, if you really want them to fix their problems and become more secure.
· Mind those blind spots!
Robert Hansen gave a great talk on this topic. Truth is, nobody knows everything – IT is just too complicated for that. He also had a great quip I captured: “Don’t make the mistake of siding against consumers (and their privacy).”
· Sure, you are fine – so why is your website unavailable?
Denial of service is a big problem for everyone, and financials have been hit hard recently. Pez Zivic of F5 gave a great talk about his research on classifying DoS and DDoS attacks. The bottom line: “Can you still access your website while under attack?”