Open Security - Chad Cravens

Open Security
How Open Source Dominates InfoSec
Chad Cravens
Open Source Systems
www.ossys.com

About The Speaker
1Open Source Systems – www.ossys.com
2007 - Graduate of New Mexico Institute of Mining and Technology
(Scholarship for Service Recipient)
2007 – 2011 Federal Employee at SPAWAR
(Space and Naval Warfare Systems Center)
2012 – Software Engineer at Small Wall St Firm
2014 – Founded Open Source Systems
Chad Cravens
Charleston, SC
Software Fanatic
Stickler for Software Quality and Security!

What to Expect from Today’s Talk
A Pragmatic and Realistic View of the Landscape
• What is the problem?
• What are the open source tools available?
• How have these tools been used and/or exploited?
• How is open source a double-edged sword?
Questions during presentation are welcomed!

Information Security
The practice of defending information from
unauthorized access, use, disclosure, disruption,
modification, perusal, inspection, recording or
destruction.
- Confidentiality
- Availability
- Integrity
The Pillars of InfoSec
https://en.wikipedia.org/wiki/Information_security

A Brief History of Modern InfoSec
1970 – John Draper uses famous Captain Crunch Whistle (2600
Mhz) to hack AT&T lines (Phreaking)
1986 – The “Brain” Computer Virus was released against MS-DOS.
Computer Fraud and Abuse Act of 1986 was passed as law.
1988 – The Morris Worm was one of the first Internet-distributed
worms to pop up
1990’s – As the popularity of the Internet grows, so do the
complexity and frequencies of attacks, in particular viruses
2000’s – Unprecedented levels of hacks, rise of Application-layer
attacks and self-propagating malware

What is Open Source?
Open Source is Collaborative Development
We are all standing on the shoulders of giants

Programming Languages, a Foundation
Gnu Compiler Collection (GCC)
Arguably one of the most widely-adopted compilers used by the hacker
community. Supports C, C++, Objective C, Java and Ado. Can be used to:
- Create tools
- Create exploits / shellcode
- Analyze (network / system calls / encryption / etc)
- Supports Linux / Unix variants, Mac OSX and Windows
Python
A go-to tool for hackers that is supported by default by
a large number of systems:
- Create tools
- Create exploits / shellcode
- Simply perform network operations

And more open source languages…
Some of the most popular open source languages
And better late to the party than never…
Welcome Microsoft!

Open Standards
A standard that is publicly available and has
various rights associated with it, and may also
have various properties of how it was designed
(e.g. open process).
https://en.wikipedia.org/wiki/Open_standard

Hackers Can Exploit These Standards
Transmission Control Protocol (TCP)
RFC 793 Exploit an Open Standard
Using Open Source Programming
Languages
To create one of the most popular
open source network
reconnaissance tools available and
used by hackers

And this is how it starts…
Open the flood gates for open source network security tools!
Real-time analysis of network traffic
Filtering and color-coding
Network and vulnerability recon
Analyze firewall rules and routing
Run exploits on remote systems
Create backdoors / control remote systems
Scan networks for vulnerable systems

But wait, there’s more…
Open Source Systems – www.ossys.com
Open the flood gates for open source network security tools!
Filtering and color-coding
Used to pipe network streams
“Swiss army knife” of network tools
Create backdoors / control remote systems
11

Open Source Security Distro
Kali Linux
Includes more than 600
open source security
tools, just like the ones
previously mentioned!!
Includes all the aforementioned tools and much more installed and ready to rock
• Vulnerability Scanning
• Service Discovery
• Password Cracking
• Security Tool Development
• WiFi Cracking
• … and much much more
12

Additional Open Standards / Groups
Open Source Vulnerability
Database
Open Web Application
Security Project
Open Vulnerability and
Assessment Language
Organization for the Advancement of
Structured Information Standards
And many more not mentioned here….
13

OSVDB - Searching Vulnerabilities
OSVDB’s goal is to provide accurate, detailed, current, and
unbiased technical security information. The project
currently covers 120,980 vulnerabilities, spanning 198,976
products from 4,735 researchers, over 113 years.
14

Application Layer
Security
Open Source Systems – www.ossys.com 15

Multiple Layers of Attack
All aforementioned tools
attack at this layer
We have not yet touched
this layer
Like an Onion
16

Application Layer vs Network Layer Attacks
Network Layer Attacks Application Layer Attacks
Open Standards
Reviewed Over Years
By The Best in the Industry
Open Source
Implementation
Reviewed by dozens or
hundreds of developers
over years
Open Source
Implementation
Reviewed by dozens or
hundreds
of developers over years
Hire a Team of Developers
Usually the lowest bidder
Knowledge and Skills..?
Deploy Your Custom App
Usually not reviewed
Hackers Exploit Your App
Direct Access to Your Data
17

Debunking the Myths
“My App is Closed Source, Therefore It’s
Secure”
Reality:
- Source code is not needed to circumvent security
- Licensing has little effect on the security of software
“We Use Open Source, Therefore we Are
Secure”
Reality:
- Open-sourcing bad / insecure code will not make it secure
- Only good coding practices will create secure code
- Having more reviewers may benefit the security of a project
18

Tools to Debunk the Myths
A tool used to exploit proprietary and
custom-developed applications
A tool used to exploit proprietary and
custom-developed applications
Nikto
Zed Attack Proxy (ZAP)
Proxy-based application vulnerability
assessment
19

Application Vulnerabilities
OWASP Top 10
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery
A9 – Using Components with Known Vulnerabilities
A10 – Unvalidated Redirects and Forwards
20

The Other Side of the Coin
Open Standards along with Open Source IS Security
Open Source Security Tools
OpenSSH – De-facto Standard to Connect Securely to Remote Computers
OpenSSL – De-facto Standard for Secure Web SSL/TLS Communication
and much much much more…
Open Security Standards
SAML – Open Standard for Secure Web-Based Single Sign On (SSO)
CVE – Common Vulnerabilities and Exposures List
PCI DSS – Payment Card Industry Data Security Standard
AES – Advanced Encryption Standard
and much much much more…
US Federal Law
FISMA – Federal Information Security Management Act
HIPAA – Health Information Portability and Accountability Act
21

Open Source Digital
Forensics

Open Source Forensics
… a branch of forensic science encompassing the
recover and investigation of material found in
digital devices, often in relation to computer crime.
Sleuthkit & Autopsy
https://en.wikipedia.org/wiki/Digital_forensics
23

Open Source Security
Training

What’s the Missing Link?
Knowledge!!

Unlimited Learning Opportunities!!
Open Security Training
http://opensecuritytraining.info/
SecurityTube
http://www.securitytube.net/
MIT OCW
http://ocw.mit.edu/
Coursera
http://coursera.org/

The Open Source Security Ecosystem
Open Standards
Open Standards
Organizations
Open Source
Languages
Open Source
Security Tools
27
KSA

Open Source Breaks Barriers
Unlimited Opportunites / Unlimited Resources
- Learn About Cyber Security
- Implement Security in Your Organization
- Research Cyber Security
- Attend Cyber Security Conferences
- Start an Open Source Security Project
- Information Security Scholarship Programs
28
To make a career or….

Questions?
Thank you!
chad.cravens@ossys.com
29

Open Security - Chad Cravens

Recomendados

Recomendados

Mais conteúdo relacionado

Destaque

Destaque (19)

Semelhante a Open Security - Chad Cravens

Semelhante a Open Security - Chad Cravens (20)

Mais de IT-oLogy

Mais de IT-oLogy (20)

Último

Último (20)

Open Security - Chad Cravens