For the greater good? Open sourcing weaponisable code

Transcript

1. Laura Bell Founder  and  Lead  Consultant  -­‐  SafeStack @lady_nerd  

    [email protected]   h6p:/ /safestack.io   For the greater good? open sourcing weaponisable code

2. #oscon #protectyourpeople To  join  the  discussion  (but  play  nicely  please)

3. This  talk  may  make  you  feel   uncomfortable. Sorry.

4. Should  all  so=ware  be  open  source?

5. Ever  wriBen  a  tool  that  could  be  used  in  

   more  ways  than  you  intended?

6. Ever  worried  about  who  is  using  your   OS  tool

    and  what  they  use  it  for?

7. Once  upon  a  Eme…  

8. “Do  research!”  they  said,  “Present  it”

9. What’s  the  worst  that  can  happen?

10. Research  code  quality  may  vary

11. Not  everyone  was  happy

12. For  the  greater  good?

13. In  this  talk   The  Story   AVA  and  building

     security  tools   The  Challenges   Lessons  learned  the  hard  way  and  ques7ons  with  difficult  answers   The  Solu4ons   The  future  and  how  we  proceed    

14. The  story

15. Ava first generation proof of concept 3- phase automated human

    vulnerability scanner

16. KNOW PHASE 1

17. We don’t know what our organisations look like

18. Human security risk is magnified by connection

19. Active Directory Twitter LinkedIn Facebook Email providers People Identifiers Groups

    Relationships metaData

20. Location Time stamps Sender Receiver User agent friends contacts frequency

    aliases profiles Last login Pw Expires? Disabled? Influence Admin?

21. TEST PHASE 2

22. Threat injection and behaviour monitoring

23. Attack vectors that mean something Email Social Networks Removable Media

    Files and honeypots SMS

24. Email attacks that go beyond phishing Email phishing Internal request

    social panic Direct request External request favour authoritative

25.   The  URL  may  be  different  on  different  messages.  

    Subject:  Security  Alert:  Update  Java  (*See  Kronos  Note)   Date:  February  22,  2013   *********************************************************** *************   This  is  an  automa4cally  generated  message.  Please  DO  NOT  REPLY.     If  you  require  assistance,  please  contact  the  Help  Center.   *********************************************************** *************   Oracle  has  released  an  update  for  Java  that  fixes  50  security  holes,   including  a     cri4cal  hole  currently  being  exploited  in  the  wild.   The  IT  Security  Office  strongly  recommends  that  you  update  Java  as   User generated and publicly sourced attacks

26. Removing the boundaries between business and personal

27. INSTANT, SCHEDULED AND RECURRING Security fails when it is treated

    like a special event

28. Give the option of succeeding and reinforce good behaviours

29. analyse PHASE 3

30. Behaviour Vs. time

31. Technologies •  Django •  Postgresql •  Celery •  Redis • 

    Bootstrap •  Open source •  GPL •  docker •  Integrates with exchange, ad and google apps for business

32. The  history

33. I’m  not  the  first  here

34. World  famous  hacking  tool ‘wget’ (as  used  by  Snowden)

35. Just  a  few  examples   The  Social  Engineering   Toolkit

    Metasploit SQLMap  

36. Awareness  someEmes  leads  to  fear

37. The  challenges

38. Control  of  contribuEon   and  codebase

39. DirecEon  and  Leadership

40. Everybody  has  a  moral  compass,  we  just  don’t  agree  where

     north  is Project  values  and  ethics  are  important

41. But  is  this  a  necessary  evil? Ve_ng  contributors  is  voodoo

    ability,  enthusiasm,  moEvaEon,  background,  employer,  maturity

42. Peer  review  sucks

43. Control  of  usage

44. Having  a  license   is  simple Enforcing  a   license

     is  less  so

45. Forking

46. Not  typical  OS  community  members

47. Ethics  and  the  Law

48. The  law  in  this  space  is  immature

49. Privacy  is  about  protecEng  people Know Update Delete Ask  

     

50. Could  I  live  with  myself?

51. The  soluEons

52. Won’t  hold  ‘em  for  long  but  it  may  slow  them

     down. OpEon  1   Closed  source

53. With  great  power  comes  great….  stress  related  headaches OpEon  2

      Open  source  with  vigilance

54. Some  security  at  the  cost  of  maintainability  and  community OpEon

     3   Hybrid  model

55. The  path  forward  is  uncertain

56. Should  all  so=ware  be  open  source?

57. Learn more or get involved @avasecure http://avasecure.com open source (GPL)

    https://github.com/SafeStack/ava now with docker build

58. Laura Bell Founder  and  Lead  Consultant  -­‐  SafeStack @lady_nerd  

     [email protected]   h6p:/ /safestack.io   Questions? #protectyourpeople   #oscon