
Summary of Swiss Cyber Storm 2016


I went to Lucerne for Swiss Cyber Storm. Here are my notes.


Nick Galbreath

October 25, 2016


Transcript

  1. facts
     • https://www.swisscyberstorm.com
     • Slides and video will be posted
     • This is a wildly incomplete summary.
     • I missed an entire track
     • I’m biased since I was a speaker
     • Lucerne is lovely.
     • See you next year
  2. Who is doing all these data dumps?
     • Bored “kids” (under 25, often under 18)
     • Lots of examples of simple SQLMap attacks
  3. Time to log in differs depending on whether you have an account or not. Who cares if the DB got dumped!
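The login timing leak mentioned above, as an added example (not from the deck or the talk): a naive login returns early for unknown users and skips the expensive password hash, so response time reveals whether an account exists; the uniform version always does the same hashing work. Names, the sample user store and the hash-call counter are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 50_000  # PBKDF2 work factor; kept modest so the example runs quickly


def _make_record(password):
    """Constructed credential record: (salt, PBKDF2-SHA256 hash)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user store, not real accounts.
USERS = {"alice": _make_record("correct horse battery staple")}

# Fixed dummy record verified when the username is unknown, so that path
# performs the same hashing work as the known-user path.
_DUMMY_SALT, _DUMMY_HASH = _make_record(secrets.token_hex(16))

HASH_CALLS = {"count": 0}  # instrumentation only: counts expensive hash operations


def _verify(password, salt, expected):
    HASH_CALLS["count"] += 1
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, expected)


def login_leaky(username, password):
    """Vulnerable: unknown users return before hashing, so they answer much faster."""
    record = USERS.get(username)
    if record is None:
        return False
    return _verify(password, *record)


def login_uniform(username, password):
    """Hardened: always hashes (against the dummy record if unknown) and never
    lets a dummy match log anyone in."""
    record = USERS.get(username)
    known = record is not None
    salt, expected = record if known else (_DUMMY_SALT, _DUMMY_HASH)
    ok = _verify(password, salt, expected)
    return ok and known


def hash_calls_for(fn, username, password):
    """Return how many hash operations fn performed for this attempt."""
    before = HASH_CALLS["count"]
    fn(username, password)
    return HASH_CALLS["count"] - before
```

Equalising the hash work removes the largest timing difference; a real deployment also has to watch the database lookup path and any error-specific messages, which can leak the same bit.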
  4. Rowhammer Attacks
     • With high-velocity read/access to memory locations, may be able to flip a single bit of DRAM memory
     • OS-level memory deduplication crosses process boundaries
     • Lots of clever hackery to leverage this to complete machine takeover
  5. “Is Physics Part of your Threat Model”
     • “And if not, it should be!” was actually said.
     • Sure, if you are an OS vendor
     • Absolutely not for everyone else.
     • But illustrated the growing divide of
       ◦ Advanced attacks
       ◦ Incompetent defense
     But the attack is really interesting, and otherwise a great talk.
  6. And here’s 10,000 mongo databases online
     • Exposed databases are mostly on public clouds, not colos
     • “Is Devops sloppy?”
     • General sense we are failing at easy stuff
     • and if you thought web stuff was bad, just wait till you get to ICS
     So many interesting insights based on facts. I could post every slide here. They were all good. Definitely check him out when he speaks next.
  7. I might be biased
     • Attempting to get engineering interested in security
     • Or is it security interested in engineering?
     • Equating safety with security
     • https://speakerdeck.com/ngalbreath/resilient-software-engineering
  8. Details
     https://twitter.com/mazen160 is from Sudan! Pays for school with bug bounties.
     Slides: http://blog.mazinahmed.net/2016/10/bug-bounty-hunting-swiss-cyber-storm.html
     Wow, just found out he also wrote: http://blog.mazinahmed.net/2015/09/evading-all-web-application-firewalls.html
     Which is also a great read!