
Automated Human Vulnerability Scanning with AVA

Laura Bell
August 06, 2015


Presented at BlackHat USA 2015 by Laura Bell (SafeStack)



  1. Laura Bell, Founder and Lead Consultant - SafeStack. @lady_nerd, [email protected], http://safestack.io. Automated human vulnerability scanning with AVA
  2. In this talk: The Problem: the need for, and lack of, human defense. The Tool: we built AVA... and we think you might like it. The Challenges: building human security systems is hard...
  3. humans are sufficiently predictable to make it suitably annoying when we fail to predict their behaviour.
  4. we shame the human victims of human security attacks* (*while secretly doing the exact same things)
  5. we don't test because it makes us feel uncomfortable, because we don't want people to get hurt, because it's hard, because we don't know how to fix it, because we don't want people to get fired
  6. AVA
  7. Location, Time stamps, Sender, Receiver, User agent, friends, contacts, frequency, aliases, profiles, Last login, Pw Expires?, Disabled?, Influence, Admin?
  8. Email attacks that go beyond phishing: Email phishing, Internal request, social panic, Direct request, External request, favour, authoritative
  9. User generated and publicly sourced attacks. The URL may be different on different messages.
     Subject: Security Alert: Update Java (*See Kronos Note)
     Date: February 22, 2013
     ***********************************************************************
     This is an automatically generated message. Please DO NOT REPLY. If you require assistance, please contact the Help Center.
     ***********************************************************************
     Oracle has released an update for Java that fixes 50 security holes, including a critical hole currently being exploited in the wild. The IT Security Office strongly recommends that you update Java as
  10. The process:
     • Candidate and volunteer requests submitted to social media and contacts
     • Volunteers briefed
     • Removed volunteers including children, students or health data
     • Active Directory users and groups collected from the Active Directory server and stored in JSON files
     • JSON files processed to remove personal information
     • AVA now used to parse and identify patterns
  11. You want to show this at BlackHat? LOL. Wait, you're serious? Nope. Nope. Nope. Nope. Nope. Nope. Nope. Nope. Yes! ... please? ... yes?
  12. 540 people and identities, 3 organisations, public and private sector, education and commerce
  13. 19 administrator accounts, 400 non-expiring, 4 groups per account, 35 never logged in, oldest password = 11 years, newest password = 3 months
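The collection-and-analysis steps of slide 10 and the kind of figures shown on slide 13, as an added example that is not AVA's own code: it takes a constructed JSON export of directory users, replaces the identifying fields with keyed hashes before any analysis, and then summarises the account-hygiene signals (admin membership, non-expiring passwords, dormant accounts, password age). The field names, the privileged-group names and the sample records are assumptions.

```python
"""Added example, not AVA project code: pseudonymise a constructed JSON
export of Active Directory users and compute account-hygiene figures."""
import hashlib
import json
from datetime import date

# Constructed sample export in the shape slide 10 describes (users and
# groups dumped to JSON). Field names are assumptions, not real AD attributes.
AD_EXPORT = json.dumps([
    {"user": "alice", "mail": "alice@example.test", "groups": ["Domain Admins", "Staff"],
     "pw_never_expires": True, "pw_set": "2004-03-01", "last_login": "2015-07-30"},
    {"user": "bob", "mail": "bob@example.test", "groups": ["Staff"],
     "pw_never_expires": False, "pw_set": "2015-05-01", "last_login": None},
    {"user": "carol", "mail": "carol@example.test", "groups": ["Staff", "Finance", "VPN"],
     "pw_never_expires": True, "pw_set": "2012-01-15", "last_login": "2015-08-01"},
])
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins"}  # assumed privileged groups
PII_FIELDS = ("user", "mail")


def pseudonymise(record: dict, salt: bytes) -> dict:
    """Replace identifying fields with a salted hash: the same input always maps
    to the same token, so patterns stay linkable across records, but the
    processed file no longer carries names or addresses."""
    out = dict(record)
    for field in PII_FIELDS:
        out[field] = hashlib.sha256(salt + record[field].encode()).hexdigest()[:16]
    return out


def account_stats(export_json: str, today: str, salt: bytes) -> dict:
    """Pseudonymise every record first, then summarise the hygiene signals.
    `today` is an ISO date string used as the reference point for password age."""
    ref = date.fromisoformat(today)
    users = [pseudonymise(u, salt) for u in json.loads(export_json)]
    pw_age_days = [(ref - date.fromisoformat(u["pw_set"])).days for u in users]
    return {
        "accounts": len(users),
        "admins": sum(1 for u in users if ADMIN_GROUPS & set(u["groups"])),
        "non_expiring": sum(1 for u in users if u["pw_never_expires"]),
        "groups_per_account": sum(len(u["groups"]) for u in users) / len(users),
        "never_logged_in": sum(1 for u in users if u["last_login"] is None),
        "oldest_pw_days": max(pw_age_days),
        "newest_pw_days": min(pw_age_days),
    }


if __name__ == "__main__":
    print(json.dumps(account_stats(AD_EXPORT, "2015-08-06", b"constructed-salt"), indent=2))
```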
  14. can we assess human vulnerability on this scale without compromising the privacy of the people we assess?
  15. There is a reason why compromised email accounts have value. Can we simulate attack aliases in a manageable way?
  16. Integration: Google, Facebook, Twitter, LinkedIn, Microsoft, Slack, GitHub. If you are reading this and work for these places, we should probably talk.
  17. TL;DR: We have a people problem. Attackers will choose the path of least resistance and we are not prepared. AVA is an early alpha prototype. We want a future of continuous human vulnerability assessment. The road ahead is hard: privacy, ethics, momentum, security, scaling and much more.
  18. Learn more or get involved: https://github.com/SafeStack/ava (now with docker build), @avasecure, http://avasecure.com, http://ava.rqd.org/, [email protected]