Jan Guldentops - The changing world and the technical impact on your security


Transcript of Jan Guldentops - The changing world and the technical impact on your security

Page 1:

Infosecurity 2011
The changing world and the technical impact on your security
Jan Guldentops ([email protected])
BA N.V. (http://www.ba.be)

Page 2:

Who am I?

- Jan Guldentops
- Historian by education, techie by vocation
- > 15 years experience in the field of networking and security
- Strong focus on open source / standards in my solutions
- Open source fundamentalist after hours
- Founder / consultant @ BA since 1996
- Do a lot of research

Page 3:

Who is BA?

- BA
  - Team of technical consultants
  - Design – build – support – troubleshoot
  - Strong R&D division doing tests in our lab and researching new technology
- Focus on infrastructure / networking / security
- Vendor neutral advice
- Focus on openness
  - Open standards / source

Page 4:

Security – what is it? (again)

CIA

CONFIDENTIALITY
INTEGRITY
AVAILABILITY

(+ Accountability, Non-repudiation, Authenticity, Reliability)

Page 5:

What is it not?

- Marketing:
  - Abused by the sales guy
  - Abused by the marketing guy
  - Abused by the politician
- FUD
  - Fear, Uncertainty, Doubt
- Mythology

Page 6:

Confessions of a dangerous mind

- I've been playing with security / insecurity my whole life
  - Intellectual challenge
- 198*
  - Arms race around copyright protection
  - First BBS systems
  - Phreaking
    - Bypassing analog PBXes
    - Green numbers

Page 7:

Confessions of a dangerous mind

- 199* @ University
  - Got a big network / internet to play with
  - Linux
  - "discussed" security problems with staff
- 1996 exposed security problems in the first Belgian online bank
- 1998 proved and documented problems in Lotus Notes / Domino
- 2001 proved / documented problems

Page 8:

I sometimes feel so 1996

- People are still... well... people
  - (and this also applies to ICT / security "experts")
  - e.g.
    - Passwords
    - Social engineering
    - All the other human vices

Page 9:

I sometimes feel so 1996

- Websites are still being hacked by script kiddies with simple tools
  - Got an LSEC statistic yesterday
  - In 2010 16134 .be domains were defaced!
- Encryption is still not used everywhere
  - Or we use self-signed certificates!
- SMTP is still not fixed!
- Relatively simple worms and viruses can still cause havoc
  - Stuxnet, Conficker

Page 10:

Page 11:

I sometimes feel so 1996

- Companies still don't think about security when designing a (web)application:
  - Play around with WebScarab or Firebug
- On 99% of my customers' networks I can still set up a reverse tunnel!
  - SSH on an open TCP port
  - OpenVPN
  - Tunnel over DNS

Page 12:

Yelo is intended for residential use. Most customers therefore use Yelo at home, over a secured home network. For them there is no problem whatsoever.

Page 13:

What has changed?

- Moore's Law
  - CPU
    - 1996 I had a Pentium 1 - 133 MHz workstation, now I have some quad core Intel processor
    - Or I can rent temporary computing power in the cloud from Amazon (EC2)
  - Networking
    - 1996 I had an expensive 64 Kbit ISDN internet connection at home, now we all have Mbits of connectivity

Page 14:

What has changed?

- Speed
  - You could get away with security stupidities for weeks, months, years.
  - Now a stupidity like an open proxy or an sshd with a trivial password gets hacked in minutes.
- Legal framework
  - We have a CCU now
  - They have laws to prosecute cybercriminals

Page 15:

What has changed?

- Perimeter has disappeared
- The scope of who attacks you is different?
  - Globalisation
  - Used to be cyberpunks
  - Now organized crime, nations (cyberwar), etc.
- People live their lives

Page 16:

Trends in 2010/11?

- Data leakage
  - We are losing confidential information to the outside world
  - Mobile devices
    - Phones, smartphones, laptops, iPads, etc.
  - Public services
  - Theft
  - Once it is out there you are never getting it back in!

Page 17:

Trends in 2010/11?

- New civil movements
  - People organising on the internet via Facebook, Twitter, etc.
  - Using the internet for communication
  - But also going for orchestrated DoS attacks
    - LOIC aka Low Orbit Ion Cannon
  - Examples:
    - Revolutions in the Middle East
    - Movement supporting WikiLeaks
  - What if you are the target?

Page 18:

Trends in 2010/11?

- Social media
  - People are living their lives online
  - Putting potentially confidential and dangerous info on their profiles
  - We see a lot of targeted attacks based on info gained from social media.
  - Information is leaking out of your organisation
  - Social networks are not very secure
    - Session key sniffing, no encryption, bad privacy
  - Instant news
    - Reputation / crisis management

Page 19:

Page 20:

Trends in 2010/11?

- Consumerism
  - Bringing consumer applications / toys into the corporate organisation
    - e.g. the iPad
    - But also using Google Docs, Facebook, MSN, etc. for business purposes
  - Security is the last thing on their mind, ICT loses control
  - 0/1 approach -> IT becomes Mister No
  - Often pushed by the higher management

Page 21:

Trends in 2010/11?

- Hacking tools get GUIs
  - Everybody is a threat
    - Goes further than script kiddies
    - Really everybody can hack
    - "Sneakers" has become a reality
  - Examples:
    - Firesheep
    - Aircrack-ng, BackTrack
  - Speeds up security!

Page 22:

Page 23:

How are we going to fix this?

- There is no technology fix for all this
- Next generation firewalls look promising
  - Palo Alto
  - Becomes a marketing term everybody uses, like UTM
- Good security practices!
  - Create / implement a good security policy
  - Audit
  - Limit access
  - Educate your users

Page 24:

Questions / remarks?

- Pass by booth B116
- E-mail: [email protected]
- Twitter: JanGuldentops (me)
- LinkedIn: http://be.linkedin.com/in/janguldentops
- Website: http://www.ba.be

Page 25:

Thank you

Contact us
www.ba.be
016/29.80.45
016/29.80.46
Dalemhof 28 B-3000 Leuven
[email protected]