
Who am I?

Assessment Manager for SensePost

Wrote the Testing Guide

Now joint lead for ASVS

  • Devastating attack against FBI affiliates.
  • Usernames and passwords leaked.
  • Home address details of CEOs leaked.

250,000 contestants' info leaked.

  • Internal configuration for FOX.com leaked.
  • DB for sales staff leaked.
  • DBs for various affiliates leaked.
  • Admin data for servers available.
  • Posted the logins of all PBS local affiliates, including their plaintext passwords.
  • WordPress attack allowed local access.
  • Linux kernel exploit allowed root access.
  • Compromised additional servers due to shared passwords.
  • US Senate hacked.
  • Internal config released.
  • 26,000 user details leaked.
  • SQLi.
  • Source code for scedev.net leaked.

1: SQLi (SQL injection)

2: XSS (cross-site scripting)

3: RFI (remote file inclusion)

4: Botnets

What is the reason for the recent rash of hacking?

hackers aren't necessarily smart

victims are stupid

We aren't getting our message across

LulzSec won't be the last

What lesson has been learned?

  • None really
  • Security is hard
  • No-one takes it seriously

Rarely do big IT departments communicate with each other

Last file leaked was a list of routers. Most had default usernames and passwords.

LulzSec have shown how ineffective the security community and market really are

Too often the thought is "let's buy a tool!!"

AT&T used a pirated copy of WinRAR

Tools like vuln scanners, IPSes, and WAFs will fail you when you need them most.

Security is the first business I have seen where the customer is not always right.

Everyone in security is to blame

We in security cater more to those who check boxes than we do actual security

Work with the best out there

Training

There is no silver bullet approach

Security buy in across all levels

Blackbox testing is not effective

Embedded security testing

Doing it for the Lulz

  • 3,134 ATM IDs and locations leaked

Gobble Gobble

It's hard to get the basics right

Daniel@SensePost.com

Daniel.Cuthbert@OWASP.org

@dcuthbert
