
Summary of Swiss Cyber Storm 2016

I went to Lucerne for Swiss Cyber Storm. Here are my notes.

Nick Galbreath

October 25, 2016


Transcript

  1. Facts
     • https://www.swisscyberstorm.com
     • Slides and video will be posted
     • This is a wildly incomplete summary.
     • I missed an entire track.
     • I'm biased since I was a speaker.
     • Lucerne is lovely.
     • See you next year.
  2. Who is doing all these data dumps?
     • Bored "kids" (under 25, often under 18)
     • Lots of examples of simple SQLMap attacks
  3. Time to log in differs depending on whether you have an account or not. Who cares if the DB got dumped!
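A worked illustration of the login timing leak this slide refers to, added here as an example and not part of the deck or any talk at the conference: a login that returns early for unknown usernames answers in microseconds, while a real user costs a full password-hash computation, so the response time alone tells an attacker which usernames exist, no database dump needed. The user store, the username `alice`, the decoy-record trick and the function names are all constructed for this example.

```python
import hashlib
import hmac
import os
import secrets
import time

# PBKDF2 work factor, kept modest so the demo runs in a second or two
# (production deployments use far more iterations or a memory-hard hash).
ITERATIONS = 50_000


def make_record(password: str) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 record: (salt, hash)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed demo user store for this example: username -> (salt, hash).
USERS = {"alice": make_record("correct horse battery staple")}

# A decoy record, hashed once at import time from a random password nobody knows,
# so the "no such user" path can do exactly the same work as a real lookup.
_DECOY = make_record(secrets.token_hex(32))


def leaky_login(username: str, password: str) -> bool:
    """Typical implementation: returns early when the user does not exist,
    so an unknown username answers in microseconds and a known one in
    tens of milliseconds. That gap is a username oracle."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def hardened_login(username: str, password: str) -> bool:
    """Same work on both paths: unknown users are checked against the decoy
    record, and the final answer is gated on the user actually existing."""
    salt, expected = USERS.get(username, _DECOY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    ok = hmac.compare_digest(candidate, expected)
    return ok and username in USERS


def best_of(fn, *args, rounds: int = 5) -> float:
    """Minimum wall-clock time over several calls; the minimum filters out scheduler noise."""
    best = float("inf")
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(*args)
        best = min(best, time.perf_counter() - t0)
    return best


def timing_gap(login) -> float:
    """Ratio of the time to reject a wrong password for a real user to the
    time to reject an unknown user. About 1.0 means no oracle; much larger means one."""
    known = best_of(login, "alice", "wrong password")
    unknown = best_of(login, "nobody", "wrong password")
    return known / max(unknown, 1e-9)


if __name__ == "__main__":
    print(f"leaky gap:    {timing_gap(leaky_login):9.1f}x")
    print(f"hardened gap: {timing_gap(hardened_login):9.1f}x")
```

The decoy only removes the gross "did we hash anything at all" difference; a generic error message, identical response bodies and rate limiting on failed logins still belong alongside it.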
  4. Rowhammer Attacks
     • With high-velocity reads/accesses to memory locations, you may be able to flip a single bit of DRAM memory
     • OS-level memory deduplication crosses process boundaries
     • Lots of clever hackery to leverage this into complete machine takeover
  5. "Is Physics Part of your Threat Model?"
     • "And if not, it should be!" was actually said.
     • Sure, if you are an OS vendor.
     • Absolutely not for everyone else.
     • But it illustrated the growing divide between
       ◦ advanced attacks
       ◦ incompetent defense
     The attack is really interesting, and otherwise a great talk.
  6. And here's 10,000 Mongo databases online
     • Exposed databases are mostly on public clouds, not colos
     • "Is DevOps sloppy?"
     • General sense we are failing at easy stuff
     • And if you thought web stuff was bad, just wait till you see ICS
     So many interesting insights based on facts. I could post every slide here. They were all good. Definitely check him out when he speaks next.
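To make the "easy stuff" concrete, here is an added example (not from the talk or this deck) that audits a mongod.conf for the two settings behind the typical exposed-database pattern: listening on every interface and running with authorization off. The two config files are constructed, and the tiny parser only handles the two-level `section:` / `key: value` shape that mongod.conf uses, not general YAML.

```python
# Minimal parser for the "section:\n  key: value" subset of YAML used by
# mongod.conf. It is NOT a general YAML parser (no lists, no nested sections,
# and a '#' inside a value is treated as a comment); PyYAML is avoided only
# so the example runs with the standard library.
def parse_conf(text: str) -> dict:
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        if not raw.startswith((" ", "\t")):      # top-level: a section or a bare key
            if value:
                conf[key] = value
                section = None
            else:
                section = key
                conf[section] = {}
        elif section is not None:
            conf[section][key] = value
    return conf


ALL_INTERFACES = {"0.0.0.0", "::"}


def audit_mongod_conf(text: str) -> list:
    """Return a list of findings; an empty list means neither exposure pattern is present."""
    conf = parse_conf(text)
    findings = []

    net = conf.get("net", {})
    bind = net.get("bindIp")
    bind_all = net.get("bindIpAll") == "true"
    bound = {a.strip() for a in bind.split(",")} if bind else set()
    if bind_all or bound & ALL_INTERFACES:
        findings.append("net: listening on all interfaces (bindIpAll / 0.0.0.0 / ::)")
    elif bind is None:
        # Before MongoDB 3.6 an unset bindIp meant "listen on all interfaces",
        # which is the 2016-era default that put so many instances online.
        findings.append("net.bindIp unset: mongod before 3.6 listened on all interfaces by default")

    security = conf.get("security", {})
    if security.get("authorization") != "enabled":
        findings.append("security.authorization not 'enabled': anyone who can connect can read every database")
    return findings


# Constructed example: the shape of a typical exposed instance (no security section at all).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed example: same daemon, bound to loopback with authorization on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_mongod_conf(text) or ['no findings']}")
```

Binding to loopback is only half of it: an instance that must be reachable over the network still needs authorization enabled and a firewall or security group in front of port 27017, which is exactly where the public-cloud instances in the talk fell down.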
  7. I might be biased
     • Attempting to get engineering interested in security
     • Or is it security interested in engineering?
     • Equating safety with security
     • https://speakerdeck.com/ngalbreath/resilient-software-engineering
  8. Details
     https://twitter.com/mazen160 is from Sudan! Pays for school with bug bounties.
     Slides: http://blog.mazinahmed.net/2016/10/bug-bounty-hunting-swiss-cyber-storm.html
     Wow, just found out he also wrote: http://blog.mazinahmed.net/2015/09/evading-all-web-application-firewalls.html
     Which is also a great read!