A history on security and how to win the battle

Transcript

1. A history on security
   and how to win the battle...
   Joshua Thijssen
   

   View Slide

2. Channeling and restricting flow
   

   View Slide

3. Sometimes channels don’t listen
   

   View Slide

4. Failure is always an option
   

   View Slide

5. Security is a business value
   

   View Slide

6. Security is a business value
   

   View Slide

7. Security is a business value
   

   View Slide

8. Let others take care of security
   

   View Slide

9. Let others take care of security
   

   View Slide

10. History of (computer) security
    

    View Slide

11. Security in the “old days”
    

    View Slide

12. I wasn’t kidding when I said: “old days”
    

    View Slide

13. 5.25” high density disks
    

    View Slide

14. 5.25” high density disks
    

    View Slide

15. Copying was a breeze
    

    View Slide

16. Copy protection
    

    View Slide

17. Copy protection
    

    View Slide

18. Let’s try dongles
    

    View Slide

19. NOPE!
    

    View Slide

20. 8086 segmented memory layout
    

    View Slide

21. 8086 segmented memory layout
    segment reg.
    16-bit
    

    View Slide

22. 8086 segmented memory layout
    segment reg. offset reg.
    16-bit 16-bit
    

    View Slide

23. 8086 segmented memory layout
    segment reg. offset reg.
    physical address
    16-bit 16-bit
    20-bit
    

    View Slide

24. 8086 segmented memory layout
    segment reg. offset reg.
    << 4
    physical address
    16-bit 16-bit
    20-bit
    

    View Slide

25. 8086 segmented memory layout
    segment reg. offset reg.
    << 4 +
    physical address
    16-bit 16-bit
    20-bit
    

    View Slide

26. 07C0:0050
    07C00
    0050+
    07C50
    8086 segmented memory layout
    segment reg. offset reg.
    << 4 +
    physical address
    16-bit 16-bit
    20-bit
    

    View Slide

27. 07C0:0050
    07C00
    0050+
    07C50
    0000:7C50
    00000
    07C50+
    07C50
    8086 segmented memory layout
    segment reg. offset reg.
    << 4 +
    physical address
    16-bit 16-bit
    20-bit
    

    View Slide

28. 07C0:0050
    07C00
    0050+
    07C50
    0000:7C50
    00000
    07C50+
    07C50
    007C:7490
    007C0
    07490+
    07C50
    8086 segmented memory layout
    segment reg. offset reg.
    << 4 +
    physical address
    16-bit 16-bit
    20-bit
    

    View Slide

29. 8086 segmented memory layout
    segment reg. offset reg.
    << 4 +
    physical address
    16-bit 16-bit
    20-bit
    

    View Slide

30. 386 protected memory layout
    +
    descriptor
    directory entry page table entry
    physical address
    directory page offset
    cr3
    gdt / ldt
    page directory page table
    page frame
    linear address
    descriptor table
    selector offset
    32-bit
    16-bit
    

    View Slide

31. View Slide

32. View Slide

33. Ring 0
    Kernel
    

    View Slide

34. Ring 0
    Kernel
    Ring 1
    Device drivers
    

    View Slide

35. Ring 0
    Kernel
    Ring 1
    Device drivers
    Ring 2
    Device Drivers
    

    View Slide

36. Ring 0
    Kernel
    Ring 1
    Device drivers
    Ring 2
    Device Drivers
    Ring 3
    Applications
    

    View Slide

37. Security today
    

    View Slide

38. The weakest link
    

    View Slide

39. Humans
    

    View Slide

40. it is much easier to trick someone into
    giving a password for a system than to
    spend the effort to crack into the system
    -- K. Mitnick
    

    View Slide

41. Raising awareness on browsers
    

    View Slide

42. It’s a trap!
    

    View Slide

43. We’re curious
    

    View Slide

44. People are resourceful
    

    View Slide

45. Weird hobby’s
    

    View Slide

46. Weird hobby’s
    

    View Slide

47. 00710022211101015511130102359000000000
    

    View Slide

48. 00710033308171115011231111700000000000
    

    View Slide

49. 00710033308171115011231111700000000000
    00710022211101015511130102359000000000
    

    View Slide

50. 00710033308171115011231111700000000000
    00710022211101015511130102359000000000
    

    View Slide

51. 00710022211101015511130102359000000000
    00710033308171115011231111700000000000
    

    View Slide

52. 00710044401011200001231122359000000000
    

    View Slide

53. View Slide

54. Magnetic card reader/writer: $ 250
    

    View Slide

55. Magnetic card reader/writer: $ 250
    Parking costs per night: $40
    

    View Slide

56. Magnetic card reader/writer: $ 250
    Parking costs per night: $40
    Free parking: priceless
    

    View Slide

57. How can we cure this problem?
    

    View Slide

58. We need to implement REAL security, not fake.
    

    View Slide

59. How do we win the war?
    How do we win the war?
    

    View Slide

60. If we as developers have to keep thinking
    about security, we will lose...
    

    View Slide

61. We need to deflect *EVERY* attack,
    They only need *ONE* to win...
    

    View Slide

62. 99.999% of all programmers are NOT trained or
    have the capability to identify security threats.
    The other 0.001% will not be able to identify
    them ALL OF THEM ALL THE TIME.
    

    View Slide

63. A day in the life of a PHP programmer...
    

    View Slide

64. $result = mysql_query('SELECT * FROM users WHERE username="'.$_GET['username'].'"');
    

    View Slide

65. You should use mysql_real_escape_string!
    

    View Slide

66. No, you shouldn’t!
    

    View Slide

67. You just put a developer who wasn’t aware
    of security issues, in charge of security...
    

    View Slide

68. Let others handle security
    (PDO)
    

    View Slide

69. There is no (quick) solution.
    

    View Slide

70. There is no (quick) solution.
    but we have to change the way
    we deal with security radically,
    

    View Slide

71. There is no (quick) solution.
    but we have to change the way
    we deal with security radically,
    by not dealing with security...
    

    View Slide

72. Let others take care of security
    

    View Slide

73. Any questions (maximum 5)?
    

    View Slide

74. Find me on twitter: @jaytaph
    Find me for development and training: www.noxlogic.nl
    Find me on email: [email protected]
    Find me for blogs: www.adayinthelifeof.nl
    Thank you!
    http://joind.in/6853
    

    View Slide