
Thanks very much for joining us. We are the Beer Farmers. We're here to talk about organisations that claim they take security seriously when in fact they do quite the opposite, and we're also here to talk about some examples of good practice that are out there. We've got a couple of friends who need no introduction, but they're going to join us in a little while. So we'll kick off: is anybody in the room under the age of 18? Yeah, okay, there's always one. Mental age. So we carry a parental advisory, because one of us does tend to swear. All right, that's just why, I say, okay.
Okay, so that's why we carry the parental advisory; there might be a bit of swearing, but we will make every effort to keep it in context to the talk. Okay, if any of you start swearing then that's fine, the parental advisory is out. So thank you very much, Meadow, for the introduction, you look fantastic. Would we like to introduce ourselves? We'll start with Chrissy. Hello, Chrissy Morgan. I'm Mike. I'm John, a difficult name; you're in England, but I'm the Belgian guy. I'm Fat Hobbit, I have one in sweet hollow. Hey, I'm Sean. Okay, thanks very much guys. So you can see I have two Twitter handles up there, and the Beer Farmers do have their own
Twitter account; you'll probably see us put propaganda [ __ ] out from there from time to time. We had an APT bot for a while, which really did upset and scare people; it wasn't the intention, it was hashtag just for fun. And we have a website, which we don't keep up to date whatsoever. So we have a website, on WordPress, and when it comes to redundant websites, it's on Ghost, I heard it's unhackable. We have a slide around that topic in a little while, and the website's down. So I'll go through this and then, so, are we in the real world? So Chrissy does physical security, I call it closed
reception, but I really didn't necessarily know what that means: physical security and friendly hacking, you do a lot of stuff. I work for an ISP in the north of England, a medium-sized organisation, and I run the security analysis team, so I'm a defender. I've sent a lot of emails, we'll get on to that in a second. John's the security champion for his organisation back in Belgium, so he spreads the good word about everything we do; he's a defender and a manager. And then email... I didn't talk about the emails, yeah, yeah. And he provides great insight, so if you know his background, it's Canadian intelligence, it's all
yeah, so he's got a lot of, half of my rock-and-roll stories; you've got the best stories really. Sean, you're a security champion in your own organisation, and Andy is a friendly hacker; hot-shit reports, okay. Fitting that a certain organisation has a stand outside; awkward, and we tried to come in quietly, but clearly that's not going to happen, it didn't happen. But if you've seen any of our talks earlier in the year, throughout the first six months of the year, we do tend to discuss Facebook quite a lot, and we don't do it just because we want to pick on Facebook, but we do it because they're constantly in the news for egregious practice. Okay, so you
don't really need to look too far away from social media or the news platforms to find that Facebook have lost data, Facebook have made a real decision at the very top of the organisation around privacy, and that goes on all the time. The quote there, that I took from an email that Mark Zuckerberg sent to senior execs way back, was that privacy is a social norm of the past, and I think we see evidence in support of that, and as a consequence the current perception is that Facebook is evil. Their lawyer came out last week and said that nobody using social media should have
any expectation of privacy, because if they read the terms and conditions, which we all do, they'll see that actually they seek our permission to do whatever they want with our personal data. That may well be right when it's written down, but no one ever reads the T's and C's; we know that Apple's T's and C's... I don't read the T's and C's, I'm packing our receipts and stuff. But then there's a moral argument about it, and their lawyer said that we can all go and... and that comes a little bit after Mark Zuckerberg said the opposite, like you said, that we should be taking privacy and security more seriously. So the higher echelons of that company
are diametrically opposed to each other philosophically, and I think that's not great. So when we talk about Facebook we talk about the organisation at large and its senior executives and some of its philosophical directions and decision making. What we're not talking about is the security engineering and the good people that work for the organisation, of which there are many; the guys at that table there, those guys out there, great guys. So a quick show of hands, we like to do this: who's got a Facebook account? You'd have to tell us as well who it is... well, that's quite a few. Me, I've got one, I use it. Who deleted their
Facebook account in light of things that have gone on? Okay, not too many. I don't know how many hundred people are in the room, but that's quite a low number, ten percent, yes. Who's thinking about getting rid of their Facebook account in the context of hashtag delete facebook? So again not too many. And I see arguments about... we get involved in discussions about this, and I think really it's about understanding your own threat profile. I use my Facebook to chat with mates and share pictures and cat memes and stuff like that, but I do that on Twitter too; if you follow me on Twitter you'll know. So understand your threat model, but also
understand that to a large extent Facebook does not take your security seriously as an organisation. Do you guys want to comment? Well, it's just I have a super depressing life, so I don't exactly want to have it on Facebook, not to mention your rookies, Lord, oh yeah. You know, I think you came onto the point, and I think Sean said it best; what's your quote about Facebook, that if it's free... is that your quote? I get the two confused, you look like brothers and I'm [ __ ] with names, although that's my cue, yeah. The quote, essentially: if the product is, if the platform is free, you are the product. It's the same for
anything; where's the simple link? It's the same for social media, it's the same for Pornhub, it's the same for every business: you are the product. Success is that... speaking of that doesn't calm... So it turns out that actually privacy is a pain in Mark Zuckerberg's wallet, because, I don't know if you read it in the news recently, Facebook have put aside, or made a profit adjustment of, between three and five billion US dollars to pay a Federal Trade Commission fine against the level of their practice around privacy. So that's kind of them realising that financially it will harm them ultimately. And you think, well, three or five billion in the context of the value of Facebook might not be much money, but
in the old scheme of things, the fines we were seeing around this were at a level of four to five hundred thousand dollars, so we are starting to see some pretty serious financial penalties hitting these organisations. Sean? Also, shareholders and investors do not like seeing fines issued against companies, because obviously the share price drops, so again that's something that should hopefully... well, I'm not an advocate of trying to bury businesses, but provide incentives to do the right thing and deal with morals and ethics. Yeah, and also with Facebook and Google and some of these big companies, they make this kind of money within minutes or hours, so if you're fining them they
don't really care; it's kind of more of an outlook of how they look. But what I think we could do is perhaps restrict them, so where they've got their ads in a certain country stop them from having their ad revenue coming in, or stop them from being... I guess within Europe they've got the GDPR to fall back on. So yeah, okay, we're about to finish hammering Facebook, but again it goes back to the point I made earlier, excuse me, about their lawyer. I can't quite agree with them as an organisation; he's defending the fact that they should really be perfectly at liberty to do what they're doing. Well, I think one of the
aspects of this is it's running straight into the entire concept of the GDPR, so at some point there's going to be a showdown, right? There's going to be a whole bunch of supervisory authorities on one side and there's going to be a Facebook lawyer on the other side, and it's going to come to a head. And it's not just Facebook. The most startling thing I heard about the other day was that Google has written an email parser for anyone that's on the Gmail platform, all right, and what this email parser does is it looks for evidence of something that you bought, like a receipt, and it stores that information away, and this wasn't disclosed to
anybody using the Gmail platform, that that was going on. And so we're starting to see more and more of these ways that your personal private information, the things that you buy, are scrutinised by these companies, and then they profit off of that information that you never gave them a right to sell to a third party, or to use, you know, to win an election, or any of those things. Yeah, absolutely. And so we said we'd stop panning Facebook, and that's exactly what we're going to do, and we're going to go to someone else. Hands in the air: who's this fella? Jack Dorsey, right. So he came out with a wonderfully philosophical statement years ago:
"I just want to build stuff that really simplifies our base human interaction." I think that was him saying that we want to get more people connected, and that really was the fundamental basis of what started Facebook and the others, but it makes you wonder, it makes me wonder, where did that message or that belief get lost? It got lost in profitability and shareholder values and all that stuff. But again, we talked about masses of data being lost: Twitter lost 330 million records in 2018, personal data. And I wonder, and I've said this in a couple of our talks, whether we've become over time a little bit desensitised if the numbers
aren't in the at least hundreds of millions and billions and squillions and gazillions; that seems to be the only thing that makes the news these days. But I used to work in local authority for a large council in the north of England, and we had a root and branch investigation if a single child record was lost, or a USB stick with a couple of kids' records was lost or left in a taxi, and that would often result in serious disciplinary action, and that was before anybody really understood about the data protection implications and stuff like that. So I care about one record if that can cause harm or disadvantage to an individual. We'll try and touch on that a little later on.
So Ian's got a little story to tell, and I'm just going to push the button. Yeah, so first of all, a really interesting scenario there, and actually I'm going to get one of my other Beer Farmers to jump into that. Huge company, huge amounts of data, all of it basically publicly available. What was the vulnerability? I'm not super technical any more, I used to know a lot about Windows 2003 Server. Well, what it was, it was an IDOR that was the attack vector, and essentially this allowed you to incrementally index and see all of those records, to the tune of, what was it, 85 million? Eight hundred and eighty five million, 885 million Colombian records, all of the information you would need to do
email phishing, identity impersonation, mortgage transfers, any of those types of things, or even extract money using those nefarious tactics of "the immigration police are coming for you and you need to go and buy a whole bunch of Apple Pay cards in order to not get arrested immediately". So this is fuel to the fire, and really detailed information, histories of properties that you've owned and sold; it's a massive haul. And the point that I'm trying to make about this is that the issue did not lie, I think, with the intentions of the organisation. This happened as a result of a pressured IT environment; you guys might all be able to agree with this, a
high-pressure IT environment where the business said "we're going to the cloud, make it work", and the IT guys started disabling security until it worked, so that they could say "project delivered on time and on budget, let's go to the next thing". So the question really becomes: if that's what IT did to deliver this project, the security team, there's some negligence there. You know, where was the pen test? Where was the audit, even? So this is where we're going with this: this is a business failure and not an IT or IT security failure. Yeah, the thing with that is that we see that often. If you can count you can hack,
literally, and you have this amount of data. And this is, yeah, like Troy is giving workshops, Scott is doing them as well now, this is basic security knowledge. First of all you need to have skilled people, so train them. And the second thing, there was a very good remark you made, that you should have found that even before a pen test; this is security testing, this should be part of your life cycle, not something that comes out of a pen test. Leave that for the special cases, the more difficult ones, but not for, yeah, just incrementing a number; that's insanity, and as a security team you should never agree with that.
This is basic security. Yep, I'm sure. So I'm going to read the top part out; you can read that yourselves, but what it roughly translates to in our parlance is "we take your security seriously", but evidently not. So if somebody could hand him a mic, I'd like to welcome Mr Troy Hunt to the stage. I couldn't do that, I couldn't do that, not a chance. So Troy, we know a bit about breaches, but I think it's fair to say that you're recognised as somebody that knows a hell of a lot more than we do, so what we'd like to get is a little bit of your insight, your current understanding, your current thoughts on the
subject and where you think it's heading. We're all screwed, basically. Hey, can I give everyone stickers while I'm here? Yeah, plus I get to throw stuff at the audience; they're all for you tonight. So we're all screwed, yeah. What am I up to, 7.7 billion was it? Last year we had a chat, a couple of months ago, we had something like three records per human on the earth that had been in a breach that we knew about, and we chatted about it and you said, no, lower the number, and you reckoned it was probably
ten per living person on the planet, and so I guess that the raw numbers in Have I Been Pwned were 7.7 billion records. So just to put it in context, obviously there's not that many people; there are sixteen records that are me, because I'm in Dropbox and LinkedIn and stuff like that. So, you know, that's sort of part of the problem: one person ends up propagating their data multiple times over. And then in terms of unique email addresses it's about four billion or something, and that's kind of weird too, because in my mind I don't know if there are four billion people... I'm not sure how many people are on the internet, but two or three or something,
some number of billions. But then you end up with multiple email addresses, so the various data I've been pwned in, there's my work email address and my personal email address, they're both in the database, so you end up with multiple email addresses, multiple instances. And then we see a lot of data breaches as well that have a lot of crap in them, like a lot of fabricated addresses, particularly some of the data aggregators. Like, I think it was something like, let's say it was Apollo.io, one of these aggregators; it just takes a whole bunch of your data from different places, places like, you know, when you sign up to that survey to win the cruise
and then you wonder why you didn't win the cruise. But you'd read the terms and conditions beforehand; it was like "we may take your data and sell it to people". None of you read that; wait, there's no cruise? This is the thing: they take your data and then they aggregate it and they sell it. And one of the interesting things from some of those data breaches is there are people on Have I Been Pwned who work in organisations and they get domain search results, so they'll work for Acme Corp and I'll load something like Apollo and they get this email which is like "here's all the email addresses that were in Acme Corp on your
domain", and they're like "but I don't have sales@ or marketing@", and a lot of these organisations just fabricate these addresses. So of that sort of four billion unique email addresses there's also a whole bunch of junk in there as well. So here's a really good graphic, and I kind of know this exists because you used it in your Varonis GDPR briefing. Do you go... so personally I find this really impactful at work when I'm doing talks internally, because everybody in my organisation has probably been in at least one of these things, one of these blobs that we see: Twitter, I mentioned earlier, that 330 million, Marriott hotels; then you're in there, right, several times
probably. But it's an impactful diagram, it's useful, yes, it's a really useful tool to highlight the problem, and I think, as you said, Troy, is it getting any better? No, it's not, in fact it's getting much worse, right. So I've got to correct John on something he said before: Twitter didn't lose their data, they made a lot of backups of it, they're never going to lose it now; like, if they lose it, legitimately, I'll restore it for them, yeah. If anyone wants to see this, this is from a site called Information is Beautiful, so if you Google "Information is Beautiful data breaches", it's kind of cool, like the bubbles animate and stuff like that.
I was doing some media stuff this morning at the other conference, and, like, you know, data breaches are getting worse, so yeah, there's lots of really good reasons why they're getting worse. So number one, there's more data than ever before; we've all seen stats about how much information humans create every day, we're just creating a lot more of it. The cloud... two hands, the cloud has kind of made the whole thing a lot worse as well, insofar as it's so easy now for anyone just to stand up anything publicly facing. So there are so many data breaches we've seen now, which is like MongoDB, Elasticsearch, Amazon S3, publicly facing
without authentication, because, you know, it's easy, right? And logging turned off, so you don't even know who might have got it, yeah, that's the other painful thing. Like, so many times they only know when I tweet and I go "hey, does anyone have a security contact?", and everyone's like "this isn't going to be good". All right, so we're seeing all these data breaches in IoT, so I wrote one, jeez, a few weeks ago with Ken Munro as well about watches, and that was IDOR too, so watches where you could track your children, because that sounds like a great idea, doesn't it, watches with GPS to track your children, and you can make
calls to the API and just increment the number and pull back another child, or reposition a child, or set yourself as the parent of the child so that you can then call the child, and the phone has got like zero interaction, the watch. Has anyone got one of these, you've got like a kids' tracking watch? No, you don't want to admit it now. But I always wonder, like, what's the point of getting the watch for the child, because if you're going to kidnap the child wouldn't you just take the watch off them? Yeah, and I appreciate this sounds like I've thought about it way too much. And then you could do stuff like, if
you're the parent you can call them and it will automatically answer, because, what if, I imagine, what if someone's kidnapped the child and tied them up and put them in the back of a van and they can't reach it to answer? Like, how [ __ ] up is this, that we have to get to this point; there's far too much. Okay, all right, so the kids' watches. The CloudPets; did anyone get a CloudPet? No? Good. So CloudPets are connected teddy bears, and what could go wrong? So they exposed all of their MongoDB data publicly facing, without a password, and then they had all the kids' voice recordings in a publicly facing Amazon
S3 bucket with obfuscated names, but all the metadata to the file locations was in the [ __ ] database and it's all publicly facing. And we didn't have recordings of children before in that fashion; like, I remember when I was a kid, if my parents wanted to record me I had to, like, get out a tape player thing and the microphone and all that, and now it's like a kid's in their bed just talking to the teddy bear and it's on the internet. So all of these are just compounding the prevalence with which data is collected, and then making it easier to expose, and we're getting into more places. Yeah, great.
Okay, so we talked earlier about the consequences of these data breaches and hacks going on, and with Equifax the chickens are now coming home to roost, and they've had a lot of value wiped off their organisation. Yeah, so this one was really interesting. So we saw two congressional reports, as well as a report in the UK on Equifax; we saw the CEO of Equifax hauled in front of Congress, which doesn't really look to be very fun at all. And then the most interesting thing happened: suddenly the bond rating company went after them and lowered their credit score, and this was really interesting because it's the first time it's happened. It's the first time
a bond rating company has lowered a credit score as a result of their spend to clean up the horrific breach, because I think they're now closing in on, or have exceeded, a billion dollars; 1.4 billion, 1.4 billion in costs associated with this breach. So finally the real financial realities of a data breach were felt: you're now being charged as a higher-risk client to borrow even more money to fix your shoddy security. So the other thing that's very interesting is, when you're a giant company you try to sell your corporate debt to other people, and the amount of money and interest that's paid is based on your credit rating, and now they're risky, so it's even more expensive for
them to sell their corporate debt. This will put a really interesting spin on the cost of a data breach if now we see the credit markets reacting negatively, which will truly impact the share value, as you can see in the company right there. So, really interesting; we're going to see the bond market wake up and go "oh, you know what, shoddy cybersecurity shall now be punished". Yep, agreed. And the last part is the first point you made, that Moody's downgraded them from stable to negative; now that's the kind of behaviour you see happen to countries, okay, so that's pretty bad [ __ ]. Okay, yep, I just want to add one thing: so when
you take into account that, as well as the cost, those costs to them all resulted from a simple fix, which was just updating Apache Struts. So if you look at it from that point of view, it wasn't something major that would take months and months to fix; this was something really trivial, in a sense, not always that trivial, but in terms of spend to fix it you're not talking millions. Yeah, leave it, yeah, agreed. Okay, so we'd like to pass the mic to Mr Scott Helme and welcome him to the stage. Thank you, Troy, we'll be seeing you again in a few minutes. All right, thank you, Scott. Now what we'd like to do here is
allow Scott to share some of his insights around the encrypted web and the ongoing battle that is encrypting the web, so he's got some fantastic insights I'm sure he'd like to share with us, and Sean's got some interesting opinions he'd like to share back, but we'll make it clear we're all on the same side. So, Scott. Yeah, so the encrypted web thing for me, I think the number one point always comes right to me: if we were to redesign the web today, and I say like we could go back to square one and start this again from the beginning, would we just have default encryption? Would that be the stance, or would we be like "oh hey, you know, we
could have the option of HTTP and HTTPS"? And I honestly think that if we were to rebuild it now and reset to zero we'd just start with an encrypted network, because that would be the smart choice. So I think what we're doing right now is essentially fixing that kind of design flaw in the beginning, that the network wasn't secure, and that was largely based around the trust we had. So who can go back and think of the web way back in the early days, into the late 90s? Let's test the room now... okay, that's right. So like, wait, it was a small place, right, like things were very different back
then; it was a very trusted environment. We had like the internet phone book where you could go look up an IP address and see people's name and actual physical address and who they were, and now I have toasters and scales in my house with internet connections, and we've just gone through this full revolution away from what the environment originally was. So for me this is not, you know, we're deploying HTTPS to protect people, which it does, but we're deploying it to fix the original issue, that we didn't have encryption in the first place. There's no scenario that I can think of where deploying encryption makes something worse, nor is there a scenario
that I can think of where it won't protect you against at least something. So we continue to remove barriers; we've got things like Let's Encrypt with free SSL, you can get certificates for no financial cost now, just the minimal technical cost, and the performance argument has just been completely washed away. You know, maybe in the late 90s, early noughties we could make the performance argument, but nowadays the cost is essentially zero, and actually most of the time we can go faster on HTTPS than HTTP for web apps. So for me nowadays this is just kind of a given: we need to set the clock back to zero and say, right, we just need to go and encrypt the
whole network, and then we can start worrying about all of this wide variety of attacks that we could get rid of. But while we're trying to do that, right, we have this kind of argument. Okay, and Sean, you've got a real honest... so what is this about? Yeah, this was about trust. They made it to the slides just because they jumped in; they quote-tweeted a tweet I did with arguments, and the tweet was about some company, their [ __ ] certificate expired, and I quote "we don't say okay, automate all the things, make sure that this doesn't happen"; there's automation so you don't
have to, this doesn't have to happen. And then, if I hold it here it'll start, okay, let's say, an infographic about the false economy of certificates, and also that the BA, British Airways, hack was due to certificates. We all know that the British Airways hack was due to a third-party compromise, and Sean, yeah, literally I tweeted a lot, I mentioned some people, and Scott ripped all their arguments, yeah, tore them apart. So yeah, one thing I think is really important when you try to get security out there is give the right information; try to be as honest as possible. If you try to market something, don't put out false information, and that's kind of what they were doing
there: there were a lot of things they were saying that were completely inaccurate. I mean, the headline there, a good example with BA: it was JavaScript, absolutely nothing to do with the certificates, and that thing just really browned me off. I mean, that comes back to our point earlier where we need to do things morally and ethically, so sell your business on the things that it can do rather than false information. Yeah, yeah. If I may chime in, the thing is, in my opinion at least, if you call out companies for this kind of behaviour I think that's a good thing, why? Because other people who maybe don't understand all the technical details, they will just
believe them. One other important thing I often see is that support employees from companies get called out and even get abused online, and that's not cool, honestly, that's not cool. You can be not okay with something a company does, but always think about the person who was just doing the Twitter or the other support, and that's important to see: don't be a dick. Okay, can I just, yeah, reaffirm that point. So I've got quite a bad reputation online for being, like, anti-CA, anti certificate authority, because I'm constantly pulling things like this apart, and it's not... I'm not, like, anti-CA or Rage Against the Machine or whatever people
say. It's, as you kind of picked up on now, it's that they're spreading this information; someone will read that and believe it, essentially, because it's like, well, why would this organisation, why in this infographic, especially if it comes from a thought leader? So yeah, that's the reason for me, this is why I spend so much time on this, especially in the CA ecosystem, pulling these things apart and just breaking it down to technical points, not because I don't like them; I mean, I don't like them because of what they've done, but not because I have some inbuilt dislike. So, you know, it is about correcting these facts. Okay, somebody mentioned
"unhackable" earlier, so yeah, it speaks to the point about making bold and unsubstantiated claims about the security posture of your product. Bitfi, Pandora, are all products that were destroyed rather publicly by Pen Test Partners, represented here by Andy over there, so do you want to say a quick few words about it? I've got to make it short, yeah, yeah. Don't claim shit's unhackable, basically, that's the TL;DR. But essentially Bitfi was endorsed by, that's kind of here, it was said to be a super-secure, unhackable Bitcoin wallet, and within about, well they will argue about, a day it was torn apart by Tierney, that's @AndrewTierney, and @cybergibbons on the Twittersphere, who
tore it apart and basically went through all the claims that they had made, like "it's always got limited viewing": I can go and I can see it's a dollar, so that's [ __ ]. And "oh, it's a super secure device": actually they took it apart, it was using MediaTek, which is like a really cheap Android device; they said it wasn't a phone, it had SIM card slots, hopefully not a telephone, and so on. And then on to Pandora, and some of you might have seen I was on the BBC Drive... let me not go... [ __ ] Google it, it's great. For one day the BBC took us to an
interview that we got to hack [ __ ], basically, and essentially Pandora were claiming that they had an unhackable car alarm, because who wants to connect their car to the internet and make sure that, yeah, yeah. I'm going to speed things up just a little bit. So Bitfi did repent a bit, and we liked that the tweet was kind of like "yeah, we [ __ ] up, right, don't use unhackable", and then last week this came back with the same sort of claims. We've spent a lot of time there; they're now on their 37th CTO, CEO, somebody, and they're making the same bold statements again; just don't do it. So the good news is that there are people out there doing
good things, and there are organisations that actually give a [ __ ] and they do honestly keep our privacy and security on the web. So passwords: they were a problem, they remain a problem, and they will remain a problem for a long time, and we see lots of novel alternatives to passwords, but from a usability point of view, and I'm thinking about my mum who's 80, she's not going to get beyond a username and password, and for many people in a similar sort of context, yes. So we have to espouse responsible password management, I think, first and foremost; we do have to have the MFA discussion, and we do have to press organisations that can support
NFA to roll out as an optional tool for users that are aware and familiar and savvy enough to implement NFA for themselves and we should encourage those users to implement NFA ok so that's my take on it any other good points just so it doesn't help when the bigger firms actually don't make whole job easier so they put password length restrictions for example Microsoft and even some of the big ones that like Microsoft may even produce patents when they're actually generating a password for you which is something not very good and when it comes to the two-factor authentication as well they're actually when it comes to shared email boxes if you've got shared email boxes in your
organization make sure that you can't log in to office 365 because guess what you need two factor authentication on those also sometimes and the pickle could I say so she doesn't read aren't help in are they yeah I mean the hi by the fact that well we've got sprawling software architecture implementations are huge and it makes it really difficult but what makes life really difficult for our organization is when that date is looted to the tune millions and millions of accounts well it could be implemented so it's just one more thing on passwords an mfa using things like password manager and something I really love to see more often as we're both well within North
UTF tokens photo because not only do they the help prevent against the the password weak passwords and and that kind of thing but they're also going to help against things like fishing google there's for all the employees were UTF tokens and to date I think this is for true not one of their employees have suffered a fishing success for fishing the tent so these are some of the things that organizations that are that do care are doing so they're running things like responsible disclosure policies and show hands who's familiar with the security dot txt standard okay it's quite a few people so it's the deployment of a simple text file onto your web application that points somebody that
finds a book to how to tell you about it in a responsible fashion it's a really simple thing to do you'd have to write a lot of policy around responsible disclosure you just have to put something out there that guides somebody's to tell you about it and if they do tell you about it then it's kind of incumbent on you to fix it if they cared enough to tell you and not to hack you that I think you need to care enough to so to turn that book around severity based on severity craphead and not withstanding leave me alone but yeah be clear and make it make it really easy for people to gain such
So we've got a slide dedicated to our newest Beer Farmer, Miss Chrissy Morgan, and that's around looking after the researchers. Yeah, so I recently did a talk around this, so it's just a very light, high-level couple of points. There are some international standards out there to actually help researchers, but these international standards, like the ISOs, they're very much aimed at the companies that they're written for. They leave a lot of room for what a researcher is supposed to do when they come to a company and things don't go right. One of the more useful reports, rather than a standard, that I found was from CERT in America. Now those guys are really good. If you read their report that they've done around responsible exposure, coordinated disclosure, you'll find that they've actually written it for the researchers, because we need support and advice and help, to be backed up. There's some changes in the law; I know some of the NCC guys were trying to get a lot of people talking about the Computer Misuse Act and seeing if that can be changed at all. When I've spoken to some other researchers they've said that we have to be quite careful, because when they change the law they don't always change it for our own benefit. And yeah, I mean, appreciate it if someone's knocking on your door and telling you you've got a problem. Let them in and speak to them. Far too often I've got researchers coming to me now and telling me basically "these guys are being pricks to me", and all that just goes to me, and you know, it's not really fair, is it?
I just want to add something, because I've had this time and time again, where you report something, as Chrissy said, and you get radio silence, or no response, sorry, a response but then radio silence. And companies need to realise that researchers coming to them with these findings is not a criticism of that company. Everyone has flaws. Take it on as a good thing: you've not ended up in the media for the wrong reasons. Fix it, work with the researcher, give them a thank you. It doesn't always have to be money; a simple thank-you goes a long way, and doing that will help strengthen your relationship with that community and make things better for your company.
One last thing on that as well: we've actually seen companies recently that had breaches and dealt with the disclosure and then the fix so well that they actually came out looking good. The one example that always sticks in my mind was Cloudflare with Cloudbleed, and you know, the CDN company; if you aren't familiar, you can read the details. But that could have been like a devastating issue, but
they just dealt with it so well and transparently and quickly that you know, actually, you know what, OK, I don't mind using this company, because I know when things eventually do go wrong they're going to nail the fix. So yeah, I think this is really important. Sorry, so I'll just kind of say, I've done this test at a few other venues, right: if you've heard of the Equifax breach? Majority of the room. Who's heard of the Disqus breach? Only a handful, yeah.
I just want to add one thing about this, because the saddest thing in the world happened as a result of irresponsible disclosure. So I don't know if you followed on Twitter the SandboxEscaper saga. An, I would say, angry, possibly mentally ill person who dropped a series of zero-days that were easily weaponised into very serious malware, at the same time calling out the FBI and the American government. I feel like that was a giant cry for help, and it was a very sad moment in irresponsible disclosure, because doing that in that fashion, to me, is essentially like trying to get the US military to carry out your suicidal wishes. We have a precedent for this: a different dude by the name of TriCk, who was with Team Poison and started a little something that they called the Cyber Caliphate, who took a selfie in front of a recognisable landmark and was vaporised by a Predator drone. So even though the paper said this is like the first time, so many blah blah, no: if you do the history and you understand what is at stake, irresponsible disclosure can lead to physical violence at security conventions, we saw that one, and possibly your untimely demise. Just to be clear, the physical act at the conference, that didn't happen as a result of responsible disclosure. Yeah, but then they were irresponsibly hit in the face, I believe. This is all right.
We've got 15 minutes left, OK, just let them fix your stuff. All right, so do pen testing and test your processes, test your people. Don't be afraid to get external auditing
done. Yeah, don't be afraid to get authority in to come and talk to you about what you need to do to be a better organisation. Equip people with the tools and the knowledge and the expertise to carry out repairs and do the right things. Design and build stuff securely to begin with. So these guys do the Hack Yourself First stuff, which is something that Troy conceived many years ago that got me into application security in the first place, and I've been quite public about that. You're running courses, right, this year? OK, so Glasgow, London, so see, so if you want to know more about that, very important. You can't blame people if they don't know. That applies whether you're a software developer, network designer, network engineer, or an operator, whatever. OK, let's just be clear about Have I Been Pwned: everyone in the room has probably been pwned. How many in the room, show of hands, have proved it by using this application? Yeah, self-validating, I think that's fair enough. So there are stickers around; Troy managed to throw them out at people better than we threw our swag out at Leeds, lost somebody, also now down a bit.
Now, I thought you're here because you want to get involved in the community, you want to talk to people who are fighting the same battles you're fighting, have the same anxieties, the same aspirations that you have. You wouldn't be here if you didn't want to learn new stuff or you didn't want to interact with people that are on the same side as you. So that's really important, sharing information.
Hmm, a breach isn't an if, it's a when. Some of you will work for organisations that have already been breached but you don't yet know about it, OK? So don't live under the misapprehension that it'll never happen to us, because it will, and when it does, it'll feel a bit like that, OK, for your organisation. But it's important that you don't panic; it's important that you've prepared. So it'll feel like that in everyone's head, and we do all [ __ ] up, right, regularly, but there is a little toolkit that you can use to help you through. So again, it's about planning, it's about incident response. So it sets it there; there is a bit of an analogy around the bereavement curve when you've had a data breach, and that's something that Troy's written about and spoken about. Don't blame the other guy; you probably failed, which allowed the attacker to succeed. That's more often than not the scenario that we find. Seek support, so again, if you've got a CERT in your country: in the UK we have the NCSC, a very capable bunch of people that have moved on in leaps and bounds in what they're able to do, what their capabilities are, in recent times. Go out through the authorities, so the ICO, OK? You need to notify these guys anyway. You've got a 72-hour window from discovering a breach to notify the authority, and if you are a telecommunications company or you process data of that kind, you've got 24 hours. That's not a long time to get your information in order and go out to your regulator, your data protection authority. But when you do notify your ICO or equivalent, they can actually parachute in some really clever people to help you out, to help you through it, to help you with the PR, the incident management, getting the right messages out to the public. Don't be a TalkTalk, OK?
So, what happened? Figure it all out, do your analysis, do your forensics, speak to people, don't blame people, yeah, just engage the right people and understand what the problem was. Because if you understand, you've learned a lesson and you can introduce the right controls, the right technology, the right processes where necessary to stop it happening again. Yeah, and take it on the chin, because it's happened, and move on and you'll feel better, and your customers and your users will feel better as well.
So we've got nine minutes left; I'm going to just quickly blast it. So Norsk Hydro, they were a great example of an organisation that really messed up,
but they did everything reasonable in their power to keep messages going out to shareholders, to customers, to people that cared. They used side channels, Azure websites; it was really, in the scheme of things, a pretty cool response. They did a good job, OK.
Who knows what one of these is? Hey, that's mine. My next question was hands up who's got one. So there's a backstory to that, and while we're talking about stories [Laughter], we hear that the [ __ ] cam has a particularly good resolution and you took a few pictures that you didn't share. So, but yeah, I mean, [ __ ], I'm going back to this, they were for research purposes, of course. Yeah, they had a problem, and again Twitter, actually Cameron Rowe got involved, but they handled it really well; in fact this company responded very quickly, and then online, of course. Oh well, I see those guys, I'm going to have to do this again, so sorry.
All right, so we talked very briefly about SandboxEscaper earlier on, so we won't revisit that example, but what we need to do is make it clear that you don't just drop zero-days on the web because you're pissed at the world. There are different ways you can go about getting your issues dealt with, and that's what this community tends to be all about. And in doing that, if you do choose to drop zero-days, then you are opening yourself up to a lot of criticism and, at the centre, for law enforcement to be on the case, and in TriCk's case vaporised. Yeah, that's kind of extreme.
Don't make false claims. So if you think your product's unhackable, just think: it's somebody like Ken Munro, all the guys at PTP, and NCC also works, PGP, there are other firms other than PTP. Thank you for your sponsorship, PTP, thanks for providing us an unlimited supply of material for our talks. You just need to be clear: the Beer Farmers site is not unhackable. Think very long and hard before considering doxxing people whose privacy and anonymity they'd rather have preserved. I'll leave that hanging. I heard that, I heard that. It's a little bit of respect at the end of the day. We're all here, I like to think the majority of us are here because we care, so when people are having a bad day or saying things that are at odds with your opinion, then just cut them some slack, and I'm guilty of this as well. So you know, you just need to be a little bit more mindful of people, and accept that if you punch a cat then, OK, everybody's doxxing you for that. Yeah, they recorded it on video and then they arrested the douchebag. It was awesome. Not punching the cat, that wasn't awesome, no, it was a bad thing; it's arresting the douchebag, yeah.
I was on a training course recently where a colleague of mine came out with something he'd heard, which was: every individual you meet is having a personal battle or more that you know nothing about, and I thought that was really an important point. I took it as
the most valuable thing I took from the training course, because it's right: don't judge people and don't assume everyone's having a good day. So we've been the Beer Farmers, see you at the bar. But wait, hang on, we did an encore at Leeds because all of the original five of us were there. So does anybody recognise this golden cowbell? Nope, one or two, babes, yeah, right. So we were busy at the mapping last year looking at all the [ __ ] that had been happening on the Internet, the people that were talking [ __ ] on the Internet, some of the events on the Internet, and we came up with a retro award, and a couple of people that received those awards are here with us today, and we're going to hand out those awards. So we'll quickly flick through, because we've no longer than five minutes and there are only two of them here. But Simon Smith, the Australian cybersecurity, he invented cybersecurity in Australia, he's bigger than Troy Hunt, he's quiet, much more quiet than Troy Hunt. Scott, you won the most cultivated hairdo award, and car, and snow, and I've got Barrett car; we've got a can of the golden hairspray that cost me 12 pounds 15 at Boots in Manchester. And Andy likes to talk about his car. What colour is your car? Right, [ __ ] blue, right, [ __ ] blue. And but Scott, without you, he's got a better car than you are. Keeping with that, and in keeping with gold, am I, yes, some map, so I have bollocks, pelvis, fluffy dice, nice, and I expect to see a picture of those on Twitter in your car on your rear-view mirror as soon as I get home, OK. So Cowbell of the Year, that's for standing, a water thing, until foreseeable times. Hottest flop was the Bitfi, so while it's still available to buy on Black Bull Pier, the hacker collective mistakenly known as Cybergibbons, also sometimes somehow called OverSoft. I did read out probably who it could be, but it was a bunch of people and Andrew Tierney, OverSoft, tautology, yeah, Butch colleges in the room is right there. Nice dogs, really, some really clever people who took Bitfi to task and demonstrated that you could play Doom on it. I think that was a cool thing; I saw Doom at the InfoSec centre. Ox Time sells a book called Infosec Rockstar but was running his ecommerce site over HTTP; DCI fixed it, it is fixed, it even redirects now, right. Anyway, fingers in their ears, Dave Winer; we've avoided the term anti-vaxxer, and so I just said it. There fees on some bloke, but he's got very strong opposite opinions around the encrypted web. And while you were doing that, Cambridge Analytica, bear in mind this was January, so they were still in the news, Zuckerberg, Marriott, because they really did lose a lot of data, my data. And finally the Golden Cowbell Award, which was in our opinion worth issuing to Troy, because in our opinion, not just because he's here, because we did say in January, long before we got him to come and join us, but we think he's individually done a lot, you know, more than many in terms of furthering the cause of information security, both for individuals and for businesses. So for that, Troy, step up, open this box and show everybody what we bought for you. Watch out, front row.
Since we're out there, honey, take this broomstick, you clean up well. Yes, it's outrageous, OK, bring it again. Congratulations, guys. Thank you very much.