30 years living a happy life - Breaking Systems, Chasing Bad Guys and Teaching People about Internet Security
Download as PPTX, PDF2 likes1,354 views
The document reflects on 30 years of experience in internet security, highlighting achievements like building one of the first internet backbones and investigating security breaches. It notes the decline in organizations reporting intrusions due to fear of negative publicity and emphasizes the challenges presented by anonymity and data vulnerabilities in the digital landscape. The conclusions drawn address the inherent issues in software security prioritization, the need for better security architecture, and the importance of digital humanism in technology design.
30 years living a happy life - Breaking Systems, Chasing Bad Guys and Teaching People about Internet Security
- 1. 30 years living a happy life Breaking Systems, Chasing Bad Guys, and Helping People Understand Internet Security
- 2. About.me/jhc Jonathan Care @arashiyama http://www.linkedin.com/in/computercrime
- 3. What makes you happy?
- 4. Highlights and lowlights Helped build one of the first Internet backbones Set up my own ISP from scratch (just add £2M…) Investigated numerous breaches in conjunction with major tech vendors and law enforcement Expert witness testimony Cryptographic design for UK Government Discovered the iOS “location.consolidated” bug Dot.com millionaire! Risk research for a large credit card company CHECK accredited penetration tester PCI DSS auditor
- 5. Where did I get started?
- 7. What have I observed?
- 9. Real reality Regrettably the percentage of organisations reporting computer intrusions has continued to decline. The key reason given… was the fear of negative publicity. As a consequence this has resulted in a belief that the threat and impact has also been gravely underestimated – Metropolitan Police If I report this, I am worried what else the police will find – Anonymous IT Director We don’t handle payments so it doesn’t really matter if our code is secure or not – Web Development firm providing e-commerce (!) How soon can we start our web server up again? – Compromised Web Merchant
- 10. Why commit crimes on the Internet? Potentially High Financial Gain Anonymity Rapid, secure, global communications Global impact – 1 billion plus users (1 in 6 of the world’s population) Virtual marketplace – reduced risks of being detected, disrupted or caught Volatile evidential trail – ISP limited retention of data Cross Border investigations protracted for law enforcement And… “Because that’s where the money is” – Willie Sutton
- 12. Did somebody mention hacking?
- 14. Meanwhile …
- 17. Oh yeah.
- 18. Data Privacy is Dead Criminals get ongoing access to credit reports SSNDOB Compromise of KBA and PII at Major Data Brokers PII data combined with financial records for sale Serious web-code vulnerabilities compromise sensitive information Almost 1.5 billion usernames and passwords stolen *Source Symantec Internet Security Threat Report 2014
- 19. Conclusions
- 20. What have I learned? All software has bugs. Bugs will be discovered Some bugs will have a security impact Product owners continue to value functionality over security Investors place little value on security and privacy End users trust vendors Security is always trumped by convenience – bad design makes bad security
- 21. What can we do?
- 22. Security architecture landscape Customer friction ‘harder is better’ doesn’t keep bad guys out and annoys good guys Systematic compromise of personal data & credentials Exceptions; you are only as good as your weakest link! Enterprises want absolute identity proofing but must live with shades of uncertainty
- 23. If you go into InfoSec, remember this… PREPARE DETECTRESPOND
- 24. A final thought …
- 25. Digital Humanism (don’t be a jerk) Don’t intrude on personal space Don’t try and engineer personal intelligence and prerogatives out of the system Don’t try to maximise machine efficiency at the expense of usability