Slide 1

Slide 1 text

Laura Bell, Founder and Lead Consultant - SafeStack. @lady_nerd, [email protected], http://safestack.io
For the greater good? Open sourcing weaponisable code

Slide 2

Slide 2 text

#oscon #protectyourpeople To join the discussion (but play nicely please)

Slide 3

Slide 3 text

This talk may make you feel uncomfortable. Sorry.

Slide 4

Slide 4 text

Should all software be open source?

Slide 5

Slide 5 text

Ever written a tool that could be used in more ways than you intended?

Slide 6

Slide 6 text

Ever worried about who is using your OS tool and what they use it for?

Slide 7

Slide 7 text

Once upon a time…

Slide 8

Slide 8 text

“Do research!” they said, “Present it”

Slide 9

Slide 9 text

What’s the worst that can happen?

Slide 10

Slide 10 text

Research code quality may vary

Slide 11

Slide 11 text

Not everyone was happy

Slide 12

Slide 12 text

For the greater good?

Slide 13

Slide 13 text

In this talk
The Story: AVA and building security tools
The Challenges: Lessons learned the hard way and questions with difficult answers
The Solutions: The future and how we proceed

Slide 14

Slide 14 text

The story

Slide 15

Slide 15 text

AVA first generation proof of concept: 3-phase automated human vulnerability scanner

Slide 16

Slide 16 text

KNOW PHASE 1

Slide 17

Slide 17 text

We don’t know what our organisations look like

Slide 18

Slide 18 text

Human security risk is magnified by connection

Slide 19

Slide 19 text

Sources: Active Directory, Twitter, LinkedIn, Facebook, Email providers
Data: People, Identifiers, Groups, Relationships, Metadata

Slide 20

Slide 20 text

Location, Time stamps, Sender, Receiver, User agent, Friends, Contacts, Frequency, Aliases, Profiles, Last login, Pw expires?, Disabled?, Influence, Admin?

Slide 21

Slide 21 text

TEST PHASE 2

Slide 22

Slide 22 text

Threat injection and behaviour monitoring

Slide 23

Slide 23 text

Attack vectors that mean something: Email, Social Networks, Removable Media, Files and honeypots, SMS

Slide 24

Slide 24 text

Email attacks that go beyond phishing: Email phishing, Internal request, Social panic, Direct request, External request, Favour, Authoritative

Slide 25

Slide 25 text

User generated and publicly sourced attacks
(Sample phishing message shown on the slide, truncated:)
The URL may be different on different messages.
Subject: Security Alert: Update Java (*See Kronos Note)
Date: February 22, 2013
This is an automatically generated message. Please DO NOT REPLY. If you require assistance, please contact the Help Center.
Oracle has released an update for Java that fixes 50 security holes, including a critical hole currently being exploited in the wild. The IT Security Office strongly recommends that you update Java as

Slide 26

Slide 26 text

Removing the boundaries between business and personal

Slide 27

Slide 27 text

INSTANT, SCHEDULED AND RECURRING: Security fails when it is treated like a special event

Slide 28

Slide 28 text

Give the option of succeeding and reinforce good behaviours

Slide 29

Slide 29 text

ANALYSE PHASE 3

Slide 30

Slide 30 text

Behaviour vs. time

Slide 31

Slide 31 text

Technologies
• Django
• PostgreSQL
• Celery
• Redis
• Bootstrap
• Open source
• GPL
• Docker
• Integrates with Exchange, AD and Google Apps for Business

Slide 32

Slide 32 text

The history

Slide 33

Slide 33 text

I’m not the first here

Slide 34

Slide 34 text

World famous hacking tool ‘wget’ (as used by Snowden)

Slide 35

Slide 35 text

Just a few examples: The Social Engineering Toolkit, Metasploit, SQLMap

Slide 36

Slide 36 text

Awareness sometimes leads to fear

Slide 37

Slide 37 text

The challenges

Slide 38

Slide 38 text

Control of contribution and codebase

Slide 39

Slide 39 text

Direction and Leadership

Slide 40

Slide 40 text

Everybody has a moral compass, we just don’t agree where north is. Project values and ethics are important.

Slide 41

Slide 41 text

But is this a necessary evil? Vetting contributors is voodoo: ability, enthusiasm, motivation, background, employer, maturity

Slide 42

Slide 42 text

Peer review sucks

Slide 43

Slide 43 text

Control of usage

Slide 44

Slide 44 text

Having a license is simple. Enforcing a license is less so.

Slide 45

Slide 45 text

Forking

Slide 46

Slide 46 text

Not typical OS community members

Slide 47

Slide 47 text

Ethics and the Law

Slide 48

Slide 48 text

The law in this space is immature

Slide 49

Slide 49 text

Privacy is about protecting people: Know, Update, Delete, Ask

Slide 50

Slide 50 text

Could I live with myself?

Slide 51

Slide 51 text

The solutions

Slide 52

Slide 52 text

Option 1: Closed source. Won’t hold ‘em for long but it may slow them down.

Slide 53

Slide 53 text

Option 2: Open source with vigilance. With great power comes great… stress related headaches.

Slide 54

Slide 54 text

Option 3: Hybrid model. Some security at the cost of maintainability and community.

Slide 55

Slide 55 text

The path forward is uncertain

Slide 56

Slide 56 text

Should all software be open source?

Slide 57

Slide 57 text

Learn more or get involved: @avasecure, http://avasecure.com, open source (GPL) at https://github.com/SafeStack/ava, now with Docker build

Slide 58

Slide 58 text

Laura Bell, Founder and Lead Consultant - SafeStack. @lady_nerd, [email protected], http://safestack.io
Questions? #protectyourpeople #oscon