Access granted
Hackers: The Internet's Immune System
TAKE THE RED PILL?
Source : “25 Years Of Vulnerabilities: 1988-2012 Sourcefire
Secure all the things!
P2P
GAMEOVER
ZeuS
(P2P version of ZeuS)
Cryptolocker
Malware + Advertising = MALVERTISING
Probably 182 times
Malvertising ads > porn sites
Source : Cisco Annual Security Repo
Fake antivirus
Keep calm and carry on?
Share, collaborate, innovate!
It's time to share
Sharing is caring
Why should you care?
In 2013, the NSA spent $25 million on software vulnerabilities
The NSA crypto algorithm we built into our products? Stop using it.
NSA said to have used the Heartbleed vulnerability in intelligence activities for years
World war by zero-day
Don’t Keep Your Bugs To Yourself
Bug bounty programs
www.bugcrowd.com/list-of-bug-
Internet Bug Bounty
www.hackerone.com/ibb
@SwiftOnSec
Being vulnerable does not, by itself, mean you will be attacked
Heatmap by TeamGHOSTCLICK / DNS CHA
Empower the masses
Image by Scoobay
CC BY-NC-SA 2.0
Introducing some examples...
Cyber fire drills
We need one million security professionals!
Source : Cisco 2014 Annual
@SwiftOnSec Talk to me about computer security
Mind the gap
I have the will to change the world, but they won't give me the source code
Secure cyberspace, not just the WWW
Collaborate, share, innovate
Don't keep your bugs to yourself
Empower the masses
Mind the gap!
CODE BLUE 2014 : [Keynote] The 5 Big Problems of Cyber Security - Security Professionals and Hackers Save the Earth by Keren Elazari


Editor's Notes

  1. The 5 Big Problems of Cyber Security - And How Security Professionals & Hackers Can Save The World, by Keren Elazari aka @K3r3n3 for CODE BLUE, Japan Thank you for inviting me to Japan. Hackers are my heroes, and the perspective I’d like to offer you today is that hackers represent an exceptional force for change with the power to literally save our digital future – and we need to think like hackers and take actions today.
  2. Thank you for inviting me to Japan. Hackers are my heroes, and the perspective I’d like to offer you today is that hackers represent an exceptional force for change with the power to literally save our digital future – and we need to think like hackers and take actions today.
  3. What’s the biggest problem discovered in 2014? IoT? Spam? Private data leaks? PoS breaches? Retail? APTs? Spam-serving botnets? DDoS? Is it problems with Tor / darknet? Threats to Apple’s iOS? Crypto failures like OpenSSL Heartbleed? Poodle? Microsoft Schannel? The prevalence of zero days? Attacks on the energy sector? >> 2014, what a monumental year for breaches and bugs and problems.
  4. Think about the past year – what was the biggest SECURITY problem discovered in 2014? Was it the TARGET, JP MORGAN and HOME DEPOT credit card theft? Maybe P2P BOTNETS like GAMEOVER ZEUS? Or the problems discovered in fundamental internet building blocks, like HEARTBLEED, BASH SHELL SHOCK and SSL Poodle? Maybe you are thinking about mobile malware and attacks on the Apple ecosystem, like the iCloud hacks, or WireLurker - or perhaps about threats to energy and public infrastructure? Or about more threats to people’s PRIVACY?
  5. The recent attack on SONY PICTURES ENTERTAINMENT, by the so-called “guardians of peace”… (allegedly from North Korea)?
  6. Whichever way you look at it, the past year, 2014, has been record breaking in breaches and cyber-attacks. A year that showed everyone is affected by security problems. This year has proved that we are all connected, no one is safe. There is an old security saying: there are two types of organizations: those who have been hit and those who don’t yet know it.
  7. We are all connected, no one is safe. Only two types of organization: those who have been hit and those who don’t yet know it.
  8. Hackers know how to get anywhere. I learned this lesson almost 20 years ago -
  9. From this lady. ANGELINA JOLIE. I was 14 when I saw the 1995 movie Hackers – and I realized all the stuff I loved doing was called being a hacker, and if Angelina Jolie could do it, why not try it myself …
  10. Since then, I’ve been in the security / hacking community and industry for almost 20 years now. I come from Tel Aviv, Israel. I’ve worked for all kinds of technology companies, government agencies and academic think tanks. Now I’m an independent analyst: I track trends and bring different points of view together.
  11. Our world is changing. We don’t know what’s around the corner, how technology is going to shape our future. I have a prediction: the safety of the digital ecosystem we rely on is at risk.
  12. 6 months ago I had the honor of speaking at TED. I claimed that hackers CAN BE part of the information age’s immune system, IF WE SEE THEM AS a distributed force, made of individual actors, that identifies the problems and the vulnerable aspects in the world, and pushes technology's onward evolution.
  13. More than 1 million people have already watched it on TED.com and it’s been translated into 20 languages – but after some time, I realized that while TED helped me reach the general population, really, it’s YOU I should be talking to: the hackers and security professionals who can actually make a difference in this world!
  14. TODAY I’d like to broaden that PERSPECTIVE AND TAKE THE IMMUNE SYSTEM ANALOGY FURTHER. If we are all connected, we all have to be part of that immune system, and we can be!
  15. Now is the time. Every one of us is on the front lines! It’s time to be the heroes.
  16. In order to make that difference, we have to make a choice. To help you make that choice, in the next 30 minutes I will show you some of the biggest problems of cyber security, which is why cyberspace needs you and what are the things we can do, right now, to make a difference.
  17. Here is PROBLEM 1, probably the most complicated one: IT’S Cyber Space, NOT just the WWW. We are no longer dealing with securing web sites, internet servers, databases or INFORMATION SYSTEMS. Some people make fun of the term CYBERSPACE. But I think there’s a valid reason to use the term – and here’s why. Do any of you know where the word actually comes from? Research it - “cyber” isn’t just a buzzword, it actually means something!
  18. In 1948 an American math Prof, Norbert Wiener, borrowed the term Kybernetes, Ancient Greek for steersman, to describe the new science of CONTROL AND COMMUNICATION SYSTEMS IN THE ANIMAL AND THE MACHINE.
  19. That’s because in 1948 a math prof Norbert Wiener borrowed the term Kybernetes, Ancient Greek for steersman- to describe the new science of CONTROL AND COMMUNICATION SYSTEMS IN THE ANIMAL AND THE MACHINE. Cybernetics is a network of constant interactions and communications. The term describes feedback — communication and control in systems—where a system obtains information on its progress, assesses the feedback, corrects its course and receives further feedback on the success of the transmission.
  20. This is the Kybernetes, the guy running the ship. Telling it where to go, how fast, and what to do. So I think it is accurate that we talk about CYBER SECURITY as the effort to secure all of the command, control and communication technologies that fuel modern society – it’s not just information, passwords or databases.
  21. It’s the same technology that’s controlling freaking laser shooting robots on Mars –
  22. And lets it tweet about it!
  23. BTW - What is the most prevalent language in the galaxy? It’s JAVA. Java running on Billions of DEVICES.
  24. We should talk about CYBER SECURITY because there is a change going on: In the past 25 years, these technologies and software environments were the source for most software bugs that led to security problems. 25 years of vulnerability research report - a historical look at vulnerabilities: Linux kernel having the most CVE vulnerabilities of all other products; Microsoft being the vendor with the most vulnerabilities; buffer overflow is the top vulnerability of the quarter century; OS level bugs, e.g. font rendering bugs for one major OS family (MS Windows); software bugs in popular applications, e.g. MS Office, web browsers, Adobe PDF; display / rendering bugs; web application bugs; network protocol vulnerabilities and exploitable design flaws; telecom systems (Phreaking & GSM).
  25. But in the next 25 years? It’s going to be these technologies: GPS, Radio, Satellite, Air traffic control and many more - connected vulnerable environments that are not just “IT” (information technology): cars, ATMs, medical devices, homes. And it’s now connected to GPS, radio systems, satellite communication, industrial control systems. Some of these are controlled by governments, some are publicly owned or privately run by technology companies. And most of it is owned by companies that just make stuff, like submarines, or medical devices, or traffic lights – and NOBODY told them they’re supposed to be a cyber-security company, too. These are old and new technologies used in new unexpected ways that expose more vulnerabilities and design flaws than ever before. And there isn’t one government agency on the planet that has the power or authority to secure all of it, even if they wanted to with all their heart.
  26. CYBER SECURITY is also about spoofing GPS signals the University of Texas students used to dupe the human steersman on this 80 million $ yacht – and hijack its course. Students from the University of Texas gave us another reason not to mess with the Lone Star state: they'll hack your yacht. In cooperation with a luxury boat's owners, the Longhorns manipulated their $80 million vessel's nav system, covertly guiding it off-course -- all without the crew ever suspecting foul play. By transmitting spoofed global positioning system signals toward the craft, the students tricked its drivers into correcting a non-existent, three-degree course deviation, thus leading them off track http://arstechnica.com/security/2013/07/professor-spoofs-80m-superyachts-gps-receiver-on-the-high-seas/ Humphreys conducted the test in the Ionian Sea in late June 2013 and early July 2013 with the full consent of the “White Rose of Drachs” yacht captain. His work shows just how vulnerable and relatively easy it is to send out a false GPS signal and trick the on-board receiver into believing it. “What we did was out in the open. It was against a live vehicle, a vessel—an $80 million superyacht, controlling it with a $2,000 box”. “There were no alarms on the bridge. The GPS receiver showed a strong signal the whole time. You just need to have approximate line of sight visibility. Let’s say you had an unmanned drone. You could do it from 20 to 30 kilometers away, or on the ocean you could do two to three kilometers.”
  27. It’s the radio frequencies that allowed hackers to hack into insulin pumps and pacemakers
  28. It’s about hacking satellites –
  29. but Cyber Security is also about hacking a Bluetooth-enabled toilet!
  30. Unless you want to join the Amish, we better start doing something differently about all of this tech.
  31. Can we SECURE ALL THE THINGS? The reality is, there’s no way any single government organization, or single vendor, ISP or mega corporation could find and solve all of the problems. Even if they really wanted to and had the best intentions in mind.
  32. And what about all the new WEB giants that host a vast percentage of the human experience?
  33. So this is CYBERSPACE, this is the world we need to consider THE JOINT RESPONSIBILITY of hackers and security professionals - one big ecosystem! We are all connected.
  34. So the biggest problem might be part of the solution: if we are all connected - that is the nature of the cybernetic world - then we are all part of one big ecosystem, where we can all work together to find the problems.
  35. Here’s REASON NUMBER 2 YOU SHOULD CARE , the second big problem: We share this ecosystem with Creative, Innovative And Collaborative, BAD GUYS, criminals and spies!
  36. Bad guys that will do anything to get what they want – and they are CREATIVE.
  37. This year we have seen things like Peer to Peer versions of Zeus, GAMEOVER, or the new Citadel variant.
  38. New destructive attacks like cryptolockers that take over entire hard drives and WIPERs that delete hard drives and wipe BIOS.
  39. Or MALVERTISING, which is posting MALWARE in ads on well known websites.
  40. CISCO claims you are 182 times more likely to be infected by a malicious ad than by visiting an adult content site.
  41. ROGUE ANTI VIRUS which tricks the users and installs MALWARE.
  42. We have seen massive growth in MOBILE DEVICE malware
  43. and POINT OF SALE (POS) malware stealing credit card numbers directly from the cash registers
  44. All this to show you that the current wave of cybercrime entrepreneurs have learned the trick: innovate, diversify and create new revenue streams and get their hands on your machines.
  45. What should WE do faced with these threats? Well, you could Keep calm and carry on. What about taking a cue from the bad guys themselves, and working to collaborate & innovate?
  46. What about taking a cue from the bad guys themselves, and working to collaborate & innovate?
  47. One way is to set up & participate in information sharing groups, within your sector, industry or community, where everyone can share real time data about attacks they are dealing with. Even if you can’t share data about attacks because of privacy or technical concerns – there’s nothing stopping you from sharing knowledge and experience of practical methods that work.
  48. Sharing is caring – but many people say, we still prefer to not share and not care.
  49. So why should YOU care? Problem number 3, reason number 3: there are huge resources invested in keeping the world vulnerable - not just criminals.
  50. Over the past year, we have learned that certain govs are spending billions on vulnerability research. Not just cybercriminals: there is a lot of money & resources that is actually making the world vulnerable.
  51. Paying security companies to include weak encryption algorithms and backdoors.
  52. Or knowing about the Heartbleed OpenSSL bug for 2 years, a bug which affected basically anyone who has used the internet in the past two years, and not telling anyone.
  53. What really makes my heart bleed about this, though, is things like this: a publication that came out in July 2014, the cover of TIME, with a story about the zero-day vulnerability industry. This is about the small private companies that sell zero-day exploits to the highest bidder, and the headline sets out HACKERS as ARMS DEALERS.
  54. So the solution to this problem: my perspective is that you should not keep your bugs to yourself, and don’t be an arms dealer. Instead, practice responsible / coordinated disclosure: disclose vulnerabilities and exploits to vendors who will get them fixed. Who has posted to a BB program? Expose bugs, participate in bug bounties, do what the ASUS hackers did, IBB, Project Zero. Watch “5 stages of vulnerability response grief” by Katie Moussouris.
  55. No better disinfectant than the light of day! By exposing and disclosing bugs and vulnerabilities, we make everyone safer!
  56. And there are now many incentive programs for that : who has heard about, or posted to a Bug Bounty program?
  57. There are many BB programs, like FACEBOOK. August 2013: $1 million already paid in 2 years of the program, with some researchers netting 20K and 100K! https://www.facebook.com/notes/facebook-security/an-update-on-our-bug-bounty-program/10151508163265766
  58. SAMSUNG, YAHOO, MOZILLA, PAYPAL. You can contribute to bug bounty programs for fun and profit – tomorrow you will hear from a BUG hunter. There are literally hundreds of them! ALL THE COOL KIDS ARE DOING IT. Source: https://bugcrowd.com/list-of-bug-bounty-programs/ There are also the hackerone.com vulnerability disclosure programs.
  59. The Internet Bug Bounty by HackerOne is rewarding friendly hackers who contribute to a more secure internet by finding bugs in things like PHP, OpenSSL and Ruby – technologies that everyone relies on!
  60. I heard that in Japan there are some signs of opening up to this idea. I know it’s scary, but there is huge potential in letting hundreds of hackers go through your code. Japanese BB, from the article http://www.yomiuri.co.jp/it/security/snews/20141031-OYT8T50180.html : “If society does not highly value the act of discovering vulnerabilities, people will drift more and more into the underground world.” Quote by Mr. Toshio Nawa, Japanese bug hunter. Akitsugu Ito (34) of Cybozu, a software development company in Tokyo, explains a reward system that began in June this year. People who find vulnerabilities in the company’s products and services and report them receive a reward of up to one million yen, depending on factors such as the degree of risk. So far there have been more than 200 reports from engineers and students; about 100 were confirmed as vulnerabilities, and it was decided to pay about 8.1 million yen. When a report is received, an in-house team verifies its contents and uses it to prepare a fix, which is then published. After the system was introduced, reports from outside more than tripled. Handling them is hard work too, and “the painful part is when customers misunderstand and think that a company where so many defects are found must be a dangerous one” (Mr. Ito). Before the introduction there was also an internal objection that it would “discredit the company.” But Mr. Ito and others persuaded them that “rather than leaving vulnerabilities in place, it is safer to look for them aggressively, and people will come to understand that.”
  61. If you don’t do vulnerability research but have some working exploits, or malware samples, you can upload to Exploit-DB,
  62. the Open Source Vulnerability Database,
  63. or VirusTotal – these are all sites where you can upload samples of exploits, potential vulnerabilities and suspicious files. Google acquired VirusTotal back in September 2012, promising VirusTotal will continue to operate independently. BTW, Regin suspicious files were first identified by Microsoft in 2011 after files were uploaded there. By default, any file/URL submitted to VirusTotal which is detected by at least one scanner is freely sent to all those scanners that do not detect the resource. Free to use, with PC & Mac uploaders. Der Spiegel reported that, according to Snowden documents, the computer networks of the European Union were infiltrated by the NSA in the months before the first discovery of Regin.
  64. SOME OF YOU ARE STILL NOT CONVINCED. Maybe you don’t rely on any of these technologies, or you are not into vulnerability research – or you don’t think YOUR organization will be affected. Why should you care? My next two points are kind of like two sides of the same coin:
  65. Problem #4 We Are As Vulnerable As Our Weakest Link
  66. We are all connected to our partners, employees, parents – and some of them are weak, easy TARGETS. Example: Target, the massive US retailer – the attackers got in by hacking first into Fazio Mechanical Services, their REFRIGERATOR company. From there, the criminals got into the internal systems, and eventually the point of sale system.
  67. Even the F35 fighter jet program, developed by LOCKHEED MARTIN and BAE, was hacked because first their SECURITY provider, RSA, was hacked.
  68. And RSA was hacked because someone at EMC got an email with an Excel file embedded with Flash code utilizing a new Adobe Flash vulnerability.
  69. That’s what is behind the fact the F35 looks like the J22 CHENGDU model from China.
  70. If they haven’t gotten into YOUR Business YET – It might be a question of time before they get into a weak provider, customer, employee or partner. And then it will take even more time before you know it!
  71. The second side of this problem: we think that militaries or security agencies are protecting us, but actually this is an illusion. The world’s fiercest cyber warriors might be making the world safer by targeting terrorists and tyrants, but they are making cyberspace insecure for the rest of us. They have a vested interest: instead of protecting everyone, they are exploiting everyone. That’s the PARADOX OF THE NSA’s DUAL ROLE which I mentioned. But the problem is bigger: we think that no matter how much these agencies invade our privacy, they are keeping us safe, but it’s actually not them guarding the front lines. So we have to work that much more on defense. We are the front lines, not militaries or security agencies who have a vested interest in keeping bugs to themselves and exploiting everyone. Most of the “exposed attack surface” is civilian space: publicly used infrastructure, software or services owned by a variety of stakeholders, most of which are private corporations.
  72. So the front lines are all of us, and everyone! Every PC, device, social network account or cloud instance is an outpost on the “global battlefield”. We are all part of the playground. Our CPU cycles are commodities. Our secrets are useless – but our clicks and likes are worth money.
  73. This is the heat map of the DNSChanger (aka Ghostclick) operation that infected 4 million devices a few years ago, all over the world, including NASA. 3 profit engines: click jacking, rogue AV sales and malicious hosting.
  74. Everything has value: stolen credentials, cloud storage, infected devices – things that become resources the bad guys can use to stage other attacks! What this means is that every insecure organization or person is a part of the problem, if they are not part of the solution!
  75. A solution to the problem? Empower the masses – these are the “shiny happy people” that surround us, whom we must reach out to, so we can make them stronger, more resilient and prepared to be part of the solution!
  76. We need to make them more like us. Armed and ready. Simple thing: we’re going to need people from all walks of life, genders, ethnicities, what have you. So white hat, black hat, or 50 shades of grey – just don’t be a douchhat. Reach out to people starting their way in this community and open the gates. Be a mentor. Start propagating – we need more security professionals out there. We’ve got to man those front lines.
  77. Reach out to your community. One way to do it is with crypto parties: open events teaching the basics of computer privacy and encryption methods. Popular in Europe, it’s open source, distributed, and it’s easy to start one in your home town.
  78. Another great example is voluntary red teams: at Tel Aviv University, a voluntary team of pen testers began offering pro bono red team testing in their spare time to public institutions that needed it but could not afford it, like a major hospital near Tel Aviv. They got the CIO’s permission – and what they found was enough to get the hospital management’s attention. But it doesn't stop there.
  79. You can also run cyber security drills: simulations or war games to help prepare for dealing with an attack. The City of San Diego offers “cyber fire drills” for small businesses in partnership with the Naval Postgraduate School. They help people understand the ramifications of a successful attack and how to protect against it.
  80. To get BONUS POINTS: the industry needs more security professionals! The 2014 Cisco Annual Security Report indicates a shortage of more than a million security professionals across the globe in 2014. We’re going to need people from all walks of life, genders, ethnicities – so let’s stop being a closed club. Reach out to people starting their way in this community and open the gates. Be a mentor. Start propagating – we need more security professionals out there. We’ve got to man those front lines. “The Internet drives growth and everything is dependent on one thing, having security,” said Netanyahu. “We will balance our security needs with our business.” Israel’s cyber-security industry has grown from a few dozen companies to more than 220 in the past three years, according to the Tel Aviv-based IVC Research Center that monitors the industry. Seventy-eight companies in the space raised more than $400 million during that period and 20 multinationals operate development centers in Israel. A million professionals; 220 companies; 78 startups raised 400 million dollars; 20 multinational corporations.
  81. Now for the 5th and final reason why you should care and try to save the world: THERE IS A GAP about “cyber”. It’s not considered an issue for everyone (like Taylor Swift).
  82. It’s a realm of geeks, or a “government and military issue”, for “diplomats, generals & spies” - but in fact it matters to everyone. We’ve got to close that gap.
  83. How? With FACTS. With information, with reaching out to the larger global community: it’s about influencing perceptions! Mind the gap: communicate outside the security industry, working with policy makers, media and academic groups. Talk about security in a new way that matters to people.
  84. It’s about influencing perceptions with overwhelming data and news articles. Don’t say “it’s complicated”. Make it accessible.
  85. Ask your managers: are you spending more money and attention on your coffee budget than on your security budget? Then it’s a problem! Let’s wake up and smell the coffee. As recent attacks have proven, the bad guys are more agile than ever. They are undeterred, motivated – and RESULTS ORIENTED. Not afraid to use new technologies and business models, all in the effort of illicit gains. But what is your organization doing about it? Do you “spend more money on coffee than security?” Richard Clarke, 2002: "If you spend more on coffee than on IT security, then you will be hacked," Clarke said during his keynote address. "What's more, you deserve to be hacked."
  86. Let’s reflect. These are all big problems. But there is some good news: we have the power to change that. There is a critical mass forming. But it needs a crucial ingredient: YOU. So act now. Even if you do one thing, you did well. Tell another hacker to do one thing. You did well. Join the movement. Each of you can make a change.
  87. Some say: “I WOULD LOVE TO CHANGE THE WORLD, BUT THEY WON'T GIVE ME THE SOURCE CODE”
  88. We can work together, and come up with our own solutions – which is what I am suggesting today. I read somewhere that “The main difference between White Hats and Black Hats is having permission” – The great All of the things I told you about are stuff you can do right now, legally.
  89. I have told you why, how and what. Now it’s up to you. What will you choose to do? Choose wisely, because whatever we do now will shape our digital future. Hack the planet.
  90. Send me comments, feedback, or multicolored ponies.