For the greater good? Open sourcing weaponisable code

Presented by Laura Bell (SafeStack) at Oscon 2015.

Laura Bell

July 23, 2015
Transcript

  1. Laura Bell
    Founder and Lead Consultant - SafeStack
    @lady_nerd [email protected]
    http://safestack.io

    For the greater good?
    open sourcing
    weaponisable code

  2. #oscon
    #protectyourpeople

    To join the discussion (but play nicely please)

  3. This talk may make you feel uncomfortable.

    Sorry.

  4. Should all software be open source?

  5. Ever written a tool that could be used in more ways than you intended?

  6. Ever worried about who is using your OS tool and what they use it for?

  7. Once upon a time…

  8. “Do research!” they said, “Present it”

  9. What’s the worst that can happen?

  10. Research code quality may vary

  11. Not everyone was happy

  12. For the greater good?

  13. In this talk
    The Story
    AVA and building security tools
    The Challenges
    Lessons learned the hard way and questions with difficult answers
    The Solutions
    The future and how we proceed

  14. The story

  15. Ava
    first generation proof of concept
    3-phase automated human vulnerability scanner

  16. KNOW
    PHASE 1

  17. We don’t know what our organisations look like

  18. Human security risk is magnified by connection

  19. Active Directory
    Twitter
    LinkedIn
    Facebook
    Email providers

    People
    Identifiers
    Groups
    Relationships
    metaData

  20. Location
    Time stamps
    Sender
    Receiver
    User agent
    friends
    contacts
    frequency
    aliases
    profiles
    Last login
    Pw Expires?
    Disabled?
    Influence
    Admin?

  21. TEST
    PHASE 2

  22. Threat injection and behaviour monitoring

  23. Attack vectors that mean something
    Email
    Social Networks
    Removable Media
    Files and honeypots
    SMS

  24. Email attacks that go beyond phishing
    Email: phishing, internal request, external request, direct request, social, panic, favour, authoritative

  25. User generated and publicly sourced attacks

    The URL may be different on different messages.
    Subject: Security Alert: Update Java (*See Kronos Note)
    Date: February 22, 2013
    ************************************************************************
    This is an automatically generated message. Please DO NOT REPLY.
    If you require assistance, please contact the Help Center.
    ************************************************************************
    Oracle has released an update for Java that fixes 50 security holes, including a
    critical hole currently being exploited in the wild.
    The IT Security Office strongly recommends that you update Java as

  26. Removing the boundaries between business and personal

  27. INSTANT, SCHEDULED AND RECURRING
    Security fails when it is treated like a special event

  28. Give the option of succeeding and reinforce good behaviours

  29. analyse
    PHASE 3

  30. Behaviour Vs. time
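
    As an added illustration of the analyse phase (behaviour over time across instant, scheduled and recurring tests, with the success path reinforced rather than only failures counted), here is a small Python sketch over constructed campaign records; it is not code from AVA, and the event fields, outcome names and scoring are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not AVA's real output): one record per person per
# recurring simulated campaign. A participant can "report" the test (the
# success option the deck says must always exist), "ignore" it, or "click".
@dataclass(frozen=True)
class Event:
    person: str
    when: date
    vector: str      # email / social / sms / media, as in the deck's vector list
    outcome: str     # "report", "ignore" or "click"

SAMPLE_EVENTS = [
    Event("alice", date(2015, 3, 1), "email", "click"),
    Event("alice", date(2015, 4, 1), "email", "ignore"),
    Event("alice", date(2015, 5, 1), "sms", "report"),
    Event("bob", date(2015, 3, 1), "email", "report"),
    Event("bob", date(2015, 4, 1), "social", "report"),
    Event("bob", date(2015, 5, 1), "email", "click"),
    Event("carol", date(2015, 3, 1), "email", "ignore"),
    Event("carol", date(2015, 5, 1), "media", "ignore"),  # skipped the April run
]

SCORE = {"click": 0, "ignore": 1, "report": 2}  # assumed ordering, worst to best

def history(events):
    """Per-person outcomes in date order: {person: [(date, outcome), ...]}."""
    by_person = defaultdict(list)
    for e in sorted(events, key=lambda e: (e.when, e.person)):
        by_person[e.person].append((e.when, e.outcome))
    return dict(by_person)

def trend(events):
    """Compare each person's first and latest outcome: improving, regressing or stable."""
    result = {}
    for person, hist in history(events).items():
        first, last = SCORE[hist[0][1]], SCORE[hist[-1][1]]
        result[person] = "improving" if last > first else "regressing" if last < first else "stable"
    return result

def report_rate(events):
    """Organisation-wide share of participants who reported, per campaign date."""
    per_date = defaultdict(lambda: [0, 0])
    for e in events:
        per_date[e.when][0] += int(e.outcome == "report")
        per_date[e.when][1] += 1
    return {d: round(r / n, 2) for d, (r, n) in sorted(per_date.items())}

def follow_up(events):
    """Who to reinforce (latest outcome was a report) and who to coach (regressing)."""
    latest = {p: h[-1][1] for p, h in history(events).items()}
    reinforce = sorted(p for p, o in latest.items() if o == "report")
    coach = sorted(p for p, s in trend(events).items() if s == "regressing")
    return reinforce, coach
```

    The per-campaign report rate is the "behaviour vs. time" curve at organisation level; the per-person trend is what drives reinforcement rather than a one-off pass/fail.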

  31. Technologies
    • Django
    • Postgresql
    • Celery
    • Redis
    • Bootstrap
    • Open source
    • GPL
    • docker
    • Integrates with Exchange, AD and Google Apps for Business

  32. The history

  33. I’m not the first here

  34. World famous hacking tool
    ‘wget’

    (as used by Snowden)

  35. Just a few examples
    The Social Engineering Toolkit
    Metasploit
    SQLMap

  36. Awareness sometimes leads to fear

  37. The challenges

  38. Control of contribution and codebase

  39. Direction and Leadership

  40. Everybody has a moral compass, we just don’t agree where north is
    Project values and ethics are important

  41. But is this a necessary evil?
    Vetting contributors is voodoo
    ability, enthusiasm, motivation, background, employer, maturity

  42. Peer review sucks

  43. Control of usage

  44. Having a license is simple

    Enforcing a license is less so

  45. Forking

  46. Not typical OS community members

  47. Ethics and the Law

  48. The law in this space is immature

  49. Privacy is about protecting people
    Know
    Update
    Delete
    Ask

  50. Could I live with myself?

  51. The solutions

  52. Option 1: Closed source
    Won’t hold ‘em for long but it may slow them down.

  53. Option 2: Open source with vigilance
    With great power comes great… stress related headaches

  54. Option 3: Hybrid model
    Some security at the cost of maintainability and community

  55. The path forward is uncertain

  56. Should all software be open source?

  57. Learn more or get involved
    @avasecure
    http://avasecure.com
    open source (GPL)
    https://github.com/SafeStack/ava
    now with docker build

  58. Laura Bell
    Founder and Lead Consultant - SafeStack
    @lady_nerd [email protected]
    http://safestack.io

    Questions?
    #protectyourpeople
    #oscon