A history on security and how to win the battle

Joshua Thijssen

August 19, 2012

Transcript

  1. A history on security
    and how to win the battle...
    Joshua Thijssen

  2. Channeling and restricting flow

  3. Sometimes channels don’t listen

  4. Failure is always an option

  5-7. Security is a business value

  8-9. Let others take care of security

  10. History of (computer) security

  11. Security in the “old days”

  12. I wasn’t kidding when I said: “old days”

  13-14. 5.25” high density disks

  15. Copying was a breeze

  16-17. Copy protection

  18. Let’s try dongles

  19. NOPE!

  20-29. 8086 segmented memory layout
    physical address (20-bit) = (segment reg. (16-bit) << 4) + offset reg. (16-bit)

    07C0:0050 -> 07C00 + 0050 = 07C50
    0000:7C50 -> 00000 + 7C50 = 07C50
    007C:7490 -> 007C0 + 7490 = 07C50
    (three different segment:offset pairs, one physical address)

  30. 386 protected memory layout
    selector (16-bit) -> descriptor table (gdt / ldt) -> descriptor
    descriptor base + offset (32-bit) = linear address
    linear address = directory | page | offset
    cr3 -> page directory -> directory entry -> page table -> page table entry -> page frame
    page frame + offset = physical address

  33-36. Ring 0: Kernel
    Ring 1: Device drivers
    Ring 2: Device drivers
    Ring 3: Applications
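The two translations sketched on slides 20 to 36, side by side, as an added example that is not part of the deck. Real mode on the 8086 maps every segment:offset pair to a physical address with no checks at all; protected mode on the 386 goes selector to descriptor to linear address, then through a two-level page walk, and each step can refuse the access. That refusal is what makes rings mean something. Descriptor and page-table layouts are simplified here (an assumption: real descriptors pack the same fields into 8 bytes and entries into 4), and the GDT, cr3 and memory contents are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: 8086 real-mode translation next to a
// simplified 386 protected-mode translation with its privilege checks.

const MASK_20BIT = 0xFFFFF;   // the 8086 has 20 address lines; bit 20 is dropped
const PAGE_MASK  = 0xFFF;     // 4 KiB pages
const P_PRESENT  = 0x1;       // entry flags shared by PDE and PTE
const P_WRITE    = 0x2;
const P_USER     = 0x4;       // clear => ring 3 may not touch it

/** 8086 real mode: every segment:offset maps, and many pairs alias. */
function realModePhysical(int $segment, int $offset): int
{
    return (($segment << 4) + $offset) & MASK_20BIT;
}

/** 386 segmentation: selector:offset -> linear address, or a #GP exception. */
function selectorToLinear(int $selector, int $offset, array $gdt, array $ldt, int $cpl): int
{
    $index = $selector >> 3;                    // bits 15..3: descriptor index
    $table = ($selector & 0x4) ? $ldt : $gdt;   // bit 2: table indicator (0 = GDT, 1 = LDT)
    $rpl   = $selector & 0x3;                   // bits 1..0: requested privilege level
    if (!isset($table[$index])) {
        throw new RuntimeException('#GP: no such descriptor');
    }
    $d = $table[$index];
    if (max($cpl, $rpl) > $d['dpl']) {
        throw new RuntimeException('#GP: ring ' . max($cpl, $rpl) . " may not use a DPL {$d['dpl']} segment");
    }
    if ($offset > $d['limit']) {
        throw new RuntimeException('#GP: offset beyond segment limit');
    }
    return ($d['base'] + $offset) & 0xFFFFFFFF;
}

/** Presence and privilege checks applied to a PDE or PTE. */
function checkEntry(int $entry, int $cpl, bool $write, string $kind): void
{
    if (!($entry & P_PRESENT)) throw new RuntimeException("#PF: $kind not present");
    if ($cpl == 3 && !($entry & P_USER)) throw new RuntimeException("#PF: ring 3 access to supervisor $kind");
    // On the 386 supervisor code ignores the W bit; CR0.WP only arrived with the 486.
    if ($cpl == 3 && $write && !($entry & P_WRITE)) throw new RuntimeException("#PF: write to read-only $kind");
}

/** 386 paging: linear -> physical via cr3, page directory and page table. */
function linearToPhysical(int $linear, int $cr3, array $memory, int $cpl, bool $write = false): int
{
    $dirIndex   = ($linear >> 22) & 0x3FF;  // top 10 bits: page directory index
    $tableIndex = ($linear >> 12) & 0x3FF;  // next 10 bits: page table index
    $pageOffset = $linear & PAGE_MASK;      // low 12 bits: offset inside the page
    $pde = $memory[$cr3 + 4 * $dirIndex] ?? 0;
    checkEntry($pde, $cpl, $write, 'page directory entry');
    $pte = $memory[($pde & ~PAGE_MASK) + 4 * $tableIndex] ?? 0;
    checkEntry($pte, $cpl, $write, 'page table entry');
    return ($pte & ~PAGE_MASK) | $pageOffset;
}

// Constructed sample state. $memory maps a physical address to a 32-bit word.
$gdt = [
    1 => ['base' => 0x00000000, 'limit' => 0xFFFFFFFF, 'dpl' => 0], // flat kernel segment
    2 => ['base' => 0x00400000, 'limit' => 0x00001FFF, 'dpl' => 3], // 8 KiB user segment
];
$ldt = [];
$cr3 = 0x1000;                                                // page directory at 0x1000
$memory = [
    0x1000 + 4 * 1 => 0x2000 | P_PRESENT | P_WRITE | P_USER,  // linear 4..8 MiB -> page table at 0x2000
    0x2000 + 4 * 0 => 0x9000 | P_PRESENT | P_WRITE | P_USER,  // linear 0x400000 -> frame 0x9000
    0x2000 + 4 * 1 => 0xA000 | P_PRESENT | P_WRITE,           // linear 0x401000 -> frame 0xA000, supervisor only
];

printf("real mode  07C0:0050 -> %05X\n", realModePhysical(0x07C0, 0x0050));
printf("real mode  FFFF:0010 -> %05X (0x100000 wrapped: no bit 20)\n", realModePhysical(0xFFFF, 0x0010));

$userSelector = (2 << 3) | 3;   // GDT entry 2, RPL 3
foreach ([[0x0123, 3], [0x1010, 3], [0x1010, 0], [0x3000, 3]] as [$offset, $cpl]) {
    try {
        $linear = selectorToLinear($userSelector, $offset, $gdt, $ldt, $cpl);
        $phys   = linearToPhysical($linear, $cr3, $memory, $cpl);
        printf("ring %d  offset %04X -> linear %08X -> physical %08X\n", $cpl, $offset, $linear, $phys);
    } catch (RuntimeException $e) {
        printf("ring %d  offset %04X -> %s\n", $cpl, $offset, $e->getMessage());
    }
}
```

The same offset 0x1010 resolves for ring 0 and faults for ring 3, because the page table entry lacks the user bit; offset 0x3000 never reaches paging because the segment limit rejects it first. The real-mode wrap of FFFF:0010 to 00000 is 8086 behaviour; from the 286 on, with the A20 line enabled, that pair reaches 0x100000 (the high memory area), which is why DOS-era code that relied on the wrap broke.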

  37. Security today

  38. The weakest link

  39. Humans

  40. it is much easier to trick someone into
    giving a password for a system than to
    spend the effort to crack into the system
    -- K. Mitnick

  41. Raising awareness on browsers

  42. It’s a trap!

  43. We’re curious

  44. People are resourceful

  45-46. Weird hobbies

  47-52. 00710022211101015511130102359000000000
    00710033308171115011231111700000000000
    00710044401011200001231122359000000000

  54-56. Magnetic card reader/writer: $ 250
    Parking costs per night: $40
    Free parking: priceless

  57. How can we cure this problem?

  58. We need to implement REAL security, not fake.

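What "real security" looks like for the parking cards on slides 47 to 56, as an added example that is not part of the deck. The reader trusts whatever the stripe says, so anyone with a $250 writer can issue their own card. The block decodes the three records with a field layout that is an assumption: the deck never documents the format, this is simply one reading (prefix, card id, validity window, padding) that fits all three 38-digit strings; read that way, the slide 52 record is valid for the whole of 2012. It then shows the fix: the issuer keeps a secret key and stamps each record with an HMAC, so a record the issuer never signed, or one whose dates were edited, is rejected. The key and the re-issued records are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: decode the parking-card records with an
// ASSUMED layout, then protect them with an HMAC tag the reader can verify.

const PAYLOAD_DIGITS = 29;          // prefix + card id + validity window (assumed layout)
const TAG_DIGITS     = 9;           // decimal tag keeps the track numeric-only

/** Decode a record. Layout is a guess: prefix(6) id(3) from mmddyy hhmm to mmddyy hhmm tag(9). */
function decodeRecord(string $record): array
{
    if (!preg_match('/^\d{38}$/', $record)) {
        throw new InvalidArgumentException('record must be 38 digits');
    }
    return [
        'prefix'  => substr($record, 0, 6),
        'card_id' => substr($record, 6, 3),
        'from'    => substr($record, 9, 6) . ' ' . substr($record, 15, 4),
        'to'      => substr($record, 19, 6) . ' ' . substr($record, 25, 4),
        'tag'     => substr($record, 29, 9),
    ];
}

/** 9 decimal digits derived from HMAC-SHA256 over the 29 payload digits. */
function tagFor(string $payload, string $key): string
{
    $mac  = hash_hmac('sha256', $payload, $key, true);
    $word = unpack('N', substr($mac, 0, 4))[1];   // first 32 bits as an unsigned int
    return sprintf('%09d', $word % 1000000000);
}

/** Issuer side: sign the payload and put the tag where the slides show zeros. */
function issueRecord(string $payload, string $key): string
{
    if (!preg_match('/^\d{29}$/', $payload)) {
        throw new InvalidArgumentException('payload must be 29 digits');
    }
    return $payload . tagFor($payload, $key);
}

/** Reader side: accept only records whose tag matches, comparing in constant time. */
function recordIsGenuine(string $record, string $key): bool
{
    if (!preg_match('/^\d{38}$/', $record)) {
        return false;
    }
    $payload = substr($record, 0, PAYLOAD_DIGITS);
    $tag     = substr($record, PAYLOAD_DIGITS, TAG_DIGITS);
    return hash_equals(tagFor($payload, $key), $tag);
}

// Constructed key; a real issuer keeps it in the back office, never on the reader.
$issuerKey = random_bytes(32);

// The three records from the slides. All carry an all-zero tag, so none verify.
$fromSlides = [
    '00710022211101015511130102359000000000',
    '00710033308171115011231111700000000000',
    '00710044401011200001231122359000000000',   // reads as valid for all of 2012 under the assumed layout
];
foreach ($fromSlides as $record) {
    $f = decodeRecord($record);
    printf("card %s valid %s to %s: %s\n", $f['card_id'], $f['from'], $f['to'],
        recordIsGenuine($record, $issuerKey) ? 'accepted' : 'rejected');
}

// Re-issue card 222 properly, then extend its "to" date the way the slides do.
$genuine  = issueRecord(substr($fromSlides[0], 0, PAYLOAD_DIGITS), $issuerKey);
$tampered = substr_replace($genuine, '1231122359', 19, 10);
printf("re-issued card 222: %s\n", recordIsGenuine($genuine, $issuerKey) ? 'accepted' : 'rejected');
printf("tampered card 222:  %s\n", recordIsGenuine($tampered, $issuerKey) ? 'accepted' : 'rejected');
```

The tag stops forgery and editing, not copying: a bit-for-bit clone of a genuine card still verifies, so the card id must also be checked against the back office (revocation, one entry per exit). A 9-digit decimal tag is roughly 30 bits, enough for an offline reader that locks out after a few bad swipes; the stronger design stores only the card id on the stripe and keeps the validity window server-side, where the reader cannot be argued with.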

  59. How do we win the war?

  60. If we as developers have to keep thinking
    about security, we will lose...

  61. We need to deflect *EVERY* attack,
    They only need *ONE* to win...

  62. 99.999% of all programmers are NOT trained to identify
    security threats, or do not have the capability to.
    The other 0.001% will not be able to identify
    ALL OF THEM ALL THE TIME.

  63. A day in the life of a PHP programmer...

  64. $result = mysql_query('SELECT * FROM users WHERE username="'.$_GET['username'].'"');

  65. You should use mysql_real_escape_string!

  66. No, you shouldn’t!

  67. You just put a developer who wasn’t aware
    of security issues, in charge of security...

  68. Let others handle security
    (PDO)

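The one-liner from slide 64, the escaping "fix" from slide 65 and the PDO answer from slide 68 run side by side, as an added example that is not part of the deck. It uses a throw-away in-memory SQLite database through PDO so it runs without a MySQL server; the rows, the table and the inputs are constructed. The mysql_* functions on the slide no longer exist in PHP 7 and later, so the escaping step is emulated by escapeLikeMysql() (an assumption: it backslash-escapes the same characters mysql_real_escape_string() handled, which is MySQL's convention and not SQLite's, itself a reason to leave quoting to the driver). The point of the second variant is the one slide 67 makes: escaping only works when the developer remembers the quotes, and the moment the same input lands in a numeric comparison without them, there is nothing to escape.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: the concatenated query, the escaped
// query reused without quotes, and a PDO prepared statement, against SQLite.

function openDemoDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob'), ('carol')");  // constructed rows
    return $pdo;
}

/** Stand-in for mysql_real_escape_string(): backslash-escape the characters it handled. */
function escapeLikeMysql(string $value): string
{
    return strtr($value, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

/** 1. The slide's query: user input pasted straight into the SQL text. */
function findByUsernameConcat(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** 2. "Fixed" with escaping, then reused for a numeric column without quotes. */
function findByIdEscaped(PDO $pdo, string $id): array
{
    $sql = 'SELECT id, username FROM users WHERE id = ' . escapeLikeMysql($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** 3. Prepared statement: the value is bound as data and can never become SQL. */
function findByUsernamePrepared(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Same for the numeric column: bind as an integer, no quoting decision left to the developer. */
function findByIdPrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = openDemoDatabase();
$payloadText = "' OR '1'='1";   // closes the string literal, then an always-true clause
$payloadNum  = '1 OR 1=1';      // contains nothing to escape, so escaping changes nothing

printf("concatenated, username=%s -> %d row(s)\n", $payloadText, count(findByUsernameConcat($pdo, $payloadText)));
printf("escaped, id=%s            -> %d row(s)\n", $payloadNum, count(findByIdEscaped($pdo, $payloadNum)));
printf("prepared, username=%s    -> %d row(s)\n", $payloadText, count(findByUsernamePrepared($pdo, $payloadText)));
printf("prepared, id=%s          -> %d row(s)\n", $payloadNum, count(findByIdPrepared($pdo, $payloadNum)));
```

Two things carry over to a MySQL deployment. Set PDO::ATTR_EMULATE_PREPARES to false so the server, not the PHP driver, binds the parameters. And prepared statements only cover values: a table or column name or an ORDER BY direction taken from the request still has to be matched against an allow-list, because no placeholder exists for those positions.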

  69-71. There is no (quick) solution,
    but we have to change the way
    we deal with security radically,
    by not dealing with security...

  72. Let others take care of security

  73. Any questions (maximum 5)?

  74. Find me on twitter: @jaytaph
    Find me for development and training: www.noxlogic.nl
    Find me on email: [email protected]
    Find me for blogs: www.adayinthelifeof.nl
    Thank you!
    http://joind.in/6853
