Open Security - Chad Cravens
1. Open Security
How Open Source Dominates InfoSec
Chad Cravens
Open Source Systems
www.ossys.com
2. About The Speaker
2007 - Graduate of New Mexico Institute of Mining and Technology
(Scholarship for Service Recipient)
2007 – 2011 Federal Employee at SPAWAR
(Space and Naval Warfare Systems Center)
2012 – Software Engineer at Small Wall St Firm
2014 – Founded Open Source Systems
Chad Cravens
Charleston, SC
Software Fanatic
Stickler for Software Quality and Security!
3. What to Expect from Today’s Talk
A Pragmatic and Realistic View of the Landscape
• What is the problem?
• What are the open source tools available?
• How have these tools been used and/or exploited?
• How is open source a double-edged sword?
Questions during presentation are welcomed!
4. Information Security
The practice of defending information from
unauthorized access, use, disclosure, disruption,
modification, perusal, inspection, recording or
destruction.
- Confidentiality
- Availability
- Integrity
The Pillars of InfoSec
https://en.wikipedia.org/wiki/Information_security
5. A Brief History of Modern InfoSec
1970 – John Draper uses famous Captain Crunch Whistle (2600
Mhz) to hack AT&T lines (Phreaking)
1986 – The “Brain” Computer Virus was released against MS-DOS.
Computer Fraud and Abuse Act of 1986 was passed as law.
1988 – The Morris Worm was one of the first Internet-distributed
worms to pop up
1990’s – As the popularity of the Internet grows, so do the
complexity and frequencies of attacks, in particular viruses
2000’s – Unprecedented levels of hacks, rise of Application-layer
attacks and self-propagating malware
6. What is Open Source?
Open Source is Collaborative Development
We are all standing on the shoulders of giants
7. Programming Languages, a Foundation
GNU Compiler Collection (GCC)
Arguably one of the most widely-adopted compilers used by the hacker
community. Supports C, C++, Objective C, Java and Ada. Can be used to:
- Create tools
- Create exploits / shellcode
- Analyze (network / system calls / encryption / etc)
- Supports Linux / Unix variants, Mac OSX and Windows
Python
A go-to tool for hackers that is supported by default by
a large number of systems:
- Create tools
- Create exploits / shellcode
- Simply perform network operations
8. And more open source languages…
Some of the most popular open source languages
And better late to the party than never…
Welcome Microsoft!
9. Open Standards
A standard that is publicly available and has
various rights associated with it, and may also
have various properties of how it was designed
(e.g. open process).
https://en.wikipedia.org/wiki/Open_standard
10. Hackers Can Exploit These Standards
Transmission Control Protocol (TCP)
RFC 793 Exploit an Open Standard
Using Open Source Programming
Languages
To create one of the most popular
open source network
reconnaissance tools available and
used by hackers
11. And this is how it starts…
Open the flood gates for open source network security tools!
Real-time analysis of network traffic
Filtering and color-coding
Network and vulnerability recon
Analyze firewall rules and routing
Run exploits on remote systems
Create backdoors / control remote systems
Scan networks for vulnerable systems
Run exploits on remote systems
12. But wait, there’s more…
Open the flood gates for open source network security tools!
Real-time analysis of network traffic
Filtering and color-coding
Used to pipe network streams
“Swiss army knife” of network tools
Run exploits on remote systems
Create backdoors / control remote systems
Real-time analysis of network traffic
13. Open Source Security Distro
Kali Linux
Includes more than 600
open source security
tools, just like the ones
previously mentioned!!
Includes all the aforementioned tools and much more installed and ready to rock
• Vulnerability Scanning
• Service Discovery
• Password Cracking
• Security Tool Development
• WiFi Cracking
• … and much much more
14. Additional Open Standards / Groups
Open Source Vulnerability
Database
Open Web Application
Security Project
Open Vulnerability and
Assessment Language
Organization for the Advancement of
Structured Information Standards
And many more not mentioned here….
15. OSVDB - Searching Vulnerabilities
OSVDB’s goal is to provide accurate, detailed, current, and
unbiased technical security information. The project
currently covers 120,980 vulnerabilities, spanning 198,976
products from 4,735 researchers, over 113 years.
17. Multiple Layers of Attack
All aforementioned tools
attack at this layer
We have not yet touched
this layer
Like an Onion
18. Application Layer vs Network Layer Attacks
Network Layer Attacks Application Layer Attacks
Open Standards
Reviewed Over Years
By The Best in the Industry
Open Source
Implementation
Reviewed by dozens or
hundreds of developers
over years
Open Source
Implementation
Reviewed by dozens or
hundreds
of developers over years
Hire a Team of Developers
Usually the lowest bidder
Knowledge and Skills..?
Deploy Your Custom App
Usually not reviewed
Hackers Exploit Your App
Direct Access to Your Data
19. Debunking the Myths
“My App is Closed Source, Therefore It’s
Secure”
Reality:
- Source code is not needed to circumvent security
- Licensing has little effect on the security of software
“We Use Open Source, Therefore we Are
Secure”
Reality:
- Open-sourcing bad / insecure code will not make it secure
- Only good coding practices will create secure code
- Having more reviewers may benefit the security of a project
20. Tools to Debunk the Myths
A tool used to exploit proprietary and
custom-developed applications
A tool used to exploit proprietary and
custom-developed applications
Nikto
Zed Attack Proxy (ZAP)
Proxy-based application vulnerability
assessment
21. Application Vulnerabilities
OWASP Top 10
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery
A9 – Using Components with Known Vulnerabilities
A10 – Unvalidated Redirects and Forwards
22. The Other Side of the Coin
Open Standards along with Open Source IS Security
Open Source Security Tools
OpenSSH – De-facto Standard to Connect Securely to Remote Computers
OpenSSL – De-facto Standard for Secure Web SSL/TLS Communication
and much much much more…
Open Security Standards
SAML – Open Standard for Secure Web-Based Single Sign On (SSO)
CVE – Common Vulnerabilities and Exposures List
PCI DSS – Payment Card Industry Data Security Standard
AES – Advanced Encryption Standard
and much much much more…
US Federal Law
FISMA – Federal Information Security Management Act
HIPAA – Health Information Portability and Accountability Act
24. Open Source Forensics
… a branch of forensic science encompassing the
recovery and investigation of material found in
digital devices, often in relation to computer crime.
Sleuthkit & Autopsy
https://en.wikipedia.org/wiki/Digital_forensics
26. What’s the Missing Link?
Knowledge!!
27. Unlimited Learning Opportunities!!
Open Security Training
http://opensecuritytraining.info/
SecurityTube
http://www.securitytube.net/
MIT OCW
http://ocw.mit.edu/
Coursera
http://coursera.org/
28. The Open Source Security Ecosystem
Open Standards
Open Standards
Organizations
Open Source
Languages
Open Source
Security Tools
KSA
29. Open Source Breaks Barriers
Unlimited Opportunities / Unlimited Resources
- Learn About Cyber Security
- Implement Security in Your Organization
- Research Cyber Security
- Attend Cyber Security Conferences
- Start an Open Source Security Project
- Information Security Scholarship Programs
To make a career or….