
For the greater good? Open sourcing weaponisable code


Presented by Laura Bell (SafeStack) at OSCON 2015.


Laura Bell

July 23, 2015


  1. Laura Bell, Founder and Lead Consultant, SafeStack. @lady_nerd, laura@safestack.io, http://safestack.io. For the greater good? Open sourcing weaponisable code

  2. #oscon #protectyourpeople. To join the discussion (but play nicely please)

  3. This talk may make you feel uncomfortable. Sorry.

  4. Should all software be open source?

  5. Ever written a tool that could be used in more ways than you intended?

  6. Ever worried about who is using your OS tool and what they use it for?

  7. Once upon a time…

  8. “Do research!” they said, “Present it”

  9. What’s the worst that can happen?

  10. Research code quality may vary

  11. Not everyone was happy

  12. For the greater good?

  13. In this talk: The Story (AVA and building security tools). The Challenges (lessons learned the hard way and questions with difficult answers). The Solutions (the future and how we proceed).

  14. The story

  15. Ava: first generation proof of concept 3-phase automated human vulnerability scanner

  16. KNOW: PHASE 1

  17. We don’t know what our organisations look like

  18. Human security risk is magnified by connection

  19. Sources: Active Directory, Twitter, LinkedIn, Facebook, Email providers. Data: People, Identifiers, Groups, Relationships, Metadata

  20. Location, Time stamps, Sender, Receiver, User agent, Friends, Contacts, Frequency, Aliases, Profiles, Last login, Pw expires?, Disabled?, Influence, Admin?

  21. TEST: PHASE 2

  22. Threat injection and behaviour monitoring

  23. Attack vectors that mean something: Email, Social Networks, Removable Media, Files and honeypots, SMS

  24. Email attacks that go beyond phishing: Email phishing, Internal request, Social panic, Direct request, External request, Favour, Authoritative

  25. User generated and publicly sourced attacks. The URL may be different on different messages.

     Subject: Security Alert: Update Java (*See Kronos Note)
     Date: February 22, 2013
     ***********************************************************
     This is an automatically generated message. Please DO NOT REPLY.
     If you require assistance, please contact the Help Center.
     ***********************************************************
     Oracle has released an update for Java that fixes 50 security holes, including a critical hole currently being exploited in the wild. The IT Security Office strongly recommends that you update Java as

  26. Removing the boundaries between business and personal

  27. INSTANT, SCHEDULED AND RECURRING. Security fails when it is treated like a special event

  28. Give the option of succeeding and reinforce good behaviours

  29. ANALYSE: PHASE 3

  30. Behaviour vs. time

  31. Technologies: Django, PostgreSQL, Celery, Redis, Bootstrap. Open source (GPL). Docker. Integrates with Exchange, AD and Google Apps for Business

  32. The history

  33. I’m not the first here

  34. World famous hacking tool ‘wget’ (as used by Snowden)

  35. Just a few examples: The Social Engineering Toolkit, Metasploit, SQLMap

  36. Awareness sometimes leads to fear

  37. The challenges

  38. Control of contribution and codebase

  39. Direction and leadership

  40. Everybody has a moral compass, we just don’t agree where north is. Project values and ethics are important

  41. But is this a necessary evil? Vetting contributors is voodoo: ability, enthusiasm, motivation, background, employer, maturity

  42. Peer review sucks

  43. Control of usage

  44. Having a license is simple. Enforcing a license is less so

  45. Forking

  46. Not typical OS community members

  47. Ethics and the law

  48. The law in this space is immature

  49. Privacy is about protecting people: Know, Update, Delete, Ask

  50. Could I live with myself?

  51. The solutions

  52. Option 1: Closed source. Won’t hold ‘em for long but it may slow them down.

  53. Option 2: Open source with vigilance. With great power comes great… stress related headaches

  54. Option 3: Hybrid model. Some security at the cost of maintainability and community

  55. The path forward is uncertain

  56. Should all software be open source?

  57. Learn more or get involved: @avasecure, http://avasecure.com, open source (GPL), https://github.com/SafeStack/ava, now with docker build

  58. Laura Bell, Founder and Lead Consultant, SafeStack. @lady_nerd, laura@safestack.io, http://safestack.io. Questions? #protectyourpeople #oscon