
We Take Your Security Seriously, Or Do We? - The Beer Farmers

BSides Liverpool, 24:44, 130 views, published 2019-07

Absolutely. Good, so we're two of the six Beer Farmers. Six, yeah, there are six Beer Farmers. We're the fat ones, so anybody who's seen us in the last six months knows that we carry a parental advisory. The guy that says [ __ ] a lot isn't here today, so that's good. But if you are under the age of 18, then we do swear a little bit, but we try and keep it relevant, in keeping with what we're talking about. So I said there were six members. Rarely, really, John turns up; he's Belgian, he's got a real hatred of the UK. Yeah, why wouldn't you? Rumors that he is SandboxEscaper are not true. We'll get to her in

a bit. Yeah. Chrissy Morgan, she's a recent addition to the team. Myself. So can I just take a quick Chrissy story? Okay, cool. So we were speculating, in a fight between Jenny and Chrissy, which one would win, and what we felt was it would probably go to Jenny, but Chrissy doesn't fight fair, so she would, like, shank her before the fight even started. So the jury's still out on that one. We did actually have that conversation. We did actually have that conversation with the two cops that we tried to buy blow from. Yeah, that also happened. Right, okay. I need foreground in cash, Brian. Sean is away in the US, it's some

kind of Amazon thing that he's doing. Not with Jeff Bezos, just some AWS tech thing. And Andy Gill, who's our hacker in residence, he's up in Scotland doing some personal stuff, so he can't be with us today. But we're here to bring the fun and the burgers. So, a little bit about who we are; we're going to flick through. Yeah, I send a lot of emails to people. Ian sends a lot of emails to people. Yeah, they put me in charge of somebody. We're managing, that's right. Yeah, we manage things. I'm mentoring, and we see... you've got to drink this pint this way. Yeah, okay. So we've dropped this slide back in.

Have a look. I'm glad it got a laugh, and you're laughing because it resonates with you. Yeah, resonates with you. So Mark Zuckerberg, years and years ago when Facebook was in its youth, said that he felt that privacy was a social norm of the past, and I think as time has progressed and as Facebook has matured... and they haven't really matured, right? No, they're still doing some pretty shady stuff. They're still doing some pretty shitty stuff. Yeah, and it's interesting because they're very hypocritical, right? They've got their lawyer that's basically saying things like privacy is, you know, a thing of the past, and then you've got Mark asking for regulation of

giant social media companies because they wield too much power. Right, so you've got this weird dichotomy of opinions. I honestly think that, and I read this somewhere, it was some sort of thing about Mark and Facebook, that the board would actually like to punt him from the company. Yeah, and the board is actually talking about breaking up Facebook. Really? And this is because this guy is just completely unrepentant about a full-scale, I'm going to say, assault on democracy, as well as the full-scale selling of all of this personal, sensitive information. Yeah, completely agree. Yeah, their lawyer, as Ian said, came out and said, well,

users should not have... social media in general should not have any expectation of privacy, because they sign up to it fully in the knowledge that their data will be used in whatever way the platform chooses. But we don't read the T's and C's, and we should be more conscious; our eyes should be wide open when we're getting involved with these kind of guys, because we're getting [ __ ]. You know, there's so much anecdotal evidence that suggests that Facebook, especially when you log in with Facebook, or if you have Facebook open and you're buying products and that kind of thing, that all of that data is being

siphoned up and all that data is being thrown back to Facebook to push ads to you. Right, to push ads. And also, you know, and I'm going to get a little political for a moment, okay, but in Ireland it was just recently revealed that Facebook deliberately censored one voice in the abortion issue in Ireland. That's obviously a very divisive issue in Ireland, but Facebook made the deliberate choice to quash ads for one side of the debate. Yeah, yeah, yeah, that happened. So we do this every talk: quick show of hands, who's got a Facebook account? Yeah, quite a significant number of the room. Who deleted their Facebook account when they started to become more

acutely aware of what this guy and his company were doing? A few people. Hashtag DeleteFacebook, right? Okay, it's interesting, because the perception is that they're evil, okay, and that's not a great look for any organization. They are continually trying to remove him from the top of the organization, but will that remove the ethics of that organization? I question that. Yeah, absolutely, man, that's a huge issue. So they're getting kicked in the ass financially now. Don't know if you read it, but recently they had to make a profit adjustment of around between three and five billion US dollars, and that's a fine that they're expecting to have to pay to the Federal Trade

Commission over in the US, and that fine is against their privacy practice. That's right, it's 100% right. There are also other issues before the European court, or the Irish court, with regards to Facebook and its GDPR relationship; it is slowly moving its way through the courts. You know, I can't, like, back this enough, because I think it's dangerous to use this information in a really harmful way for a lot of people out there, and they're unaware that they're being manipulated. I mean, everyone here knows they're being manipulated because they're at BSides, right? But it's everyone else out there. Yeah, yeah, couldn't agree more. Okay, I forgot to mention at the start of the

talk, actually, it's a vendor talk, this. Yeah, because we like taking the piss and ridiculing vendors, okay? That's the only reason it's a vendor talk. Yeah, and that kind of happened to us, because we did BSides London, and guess what, the Facebook recruiting desk was just outside of our talk. Awkward. Yeah, we got away with it, I think. Yeah, I think we got away with it; I don't think any of them joined us in our talk. Maybe. Okay, who's this? Oh, come on, you know this crazy guy. Jack Dorsey, right? Yeah, Jack Dorsey is the Mark Zuckerberg of Twitter, okay, and they appear to be lower key, really, when it comes to egregious privacy behavior. They don't

make the news quite as regularly as Facebook, but they've got an average active user base of 330 million monthly users, and guess how many users got their data exposed in 2018? 330 million. Every single active user had their data exposed in a breach at Twitter. Or, as Troy said in London (he had to correct me), it wasn't technically a breach, it was a backup that was created and left on the internet, and he's got that backup if they ever need it restoring. Fair enough. I think the other thing that I want to just throw in about Twitter is the fact that there's a bot problem on Twitter. It was

revealed that Russians had set up a whole bunch of bots to tweet and retweet very divisive issues during the 2016 election, and also via Brexit, right? So one of the problems that we have, and it's actually an infosec problem too. Yeah, I mean, you know, what has been your experience on Twitter with some folks? Do you want to talk about Felon, or no? Briefly, yeah. Yeah, okay. So this [ __ ] racist, misogynist decides to weigh in on an issue with my man Mike over there, and let's just say it didn't end well for him at all. I think this is a real problem that we

have. If we want to have an inclusive group, what we need to do is stop polarizing it. Our biggest problem in infosec recruiting is not the number of people out there, it's the toxicity of this particular group of people. You don't have a whole bunch of accountants weighing in on Twitter and smashing people down; like, that doesn't happen. It doesn't really happen with nurses and doctors. But for some reason in infosec we get to sit back, and somebody with a new idea or whatever, and we just try to shout at them, and then that goes into this echo chamber that makes everybody feel super uncomfortable, right? I mean, if you've ever asked a question on Stack Overflow as a

young programmer, that experience is awful. In fact, you know, it can end in tears, right? Hashtag tears. Yeah, absolutely. Yeah, be nice to people, don't be a dick. We'll come on to that in a little while. So we just want a little bit of a freestyle conversation about Google. Okay, so they can't be far away from the headlines, but they're not often in the headlines for the stuff that we just talked about, but they're every bit as bad as Facebook when it comes to your privacy. So Tavis Ormandy, or Travis as we call him, he's a Project Zero researcher, and he was sitting on a vulnerability that he discovered in

in Microsoft Windows 10, I think it was. Yeah. So, TL;DR, Google researcher found how to break Windows. Really, honestly, that's what it was. Yeah, yeah. So Project Zero's got a 90-day grace period before they'll go full disclosure. Got to day 91 and he went full disclosure, despite the fact that Microsoft had said, we've got a fix for this, but we're not entirely sure of the integrity of the fix when it's deployed into production, we'd like a little bit more time, so we're not going to do it in this Patch Tuesday, we're going to do it in that Patch Tuesday. And just to give you an example of this too, and this is where I think we could do a better job

of getting the word out about these types of vulnerabilities. So in this case it was like a corrupted certificate issue that basically pooched one of the crypto services on your Windows box, which, literally, the fix was restart that service. It didn't bring down the box, it was no remote code execution. It's kind of a zero-day, right, but like I said, there's plenty of ways you can break a Windows box, right? Delete a bunch of registry keys, rename a bunch of DLLs. Like, so I'm saying, 91 days plus and you're just basically a giant dick. You are. And don't talk to me about zero-day on Windows 10 when you've got "fleet", to use

Travis's term, or the article's term, when you've got fifty thousand Windows Server 2008 machines on the internet. Okay, that's not zero-day, that's... it's years, days, months, whatever. Fix that problem. Zero-days are very novel, but actually in very few cases do they present a material problem to an organization. So I ran a poll on Twitter, just saying, actually it was a bit of a fight between Google and Microsoft: who do you trust the least? The answer was overwhelmingly that people trust Google less than Microsoft, and our take on this is that I think Microsoft are a more mature organization. They've been around

a lot longer, okay? They've got clever engineering teams, they understand the idea of the software development life cycle, and it's difficult: rolling out a patch for a problem is not a thing that's done overnight, and I think they were responsible when they went back to Google and said we need more time. Yeah, with that certificate issue it affected SQL installations, right, and bringing down SQL boxes is bad news, there's no question about that. But honestly, it's like, how many SQL boxes are going to get, you know, hit with this thing remotely over the internet? The answer is, if your SQL boxes are on the internet, you've got way more serious problems than a corrupted

certificate. Yeah, definitely. Okay, so we always drop this one into talks, basically just to highlight the problem of the amount of data that is out there, and this is known data, so we think there are gazillions more records out there that we don't know about because they're not surfaced anywhere yet. But I find this really useful and impactful at work, because when you look at it you think, [ __ ], I'm in here, but not in just one place, I'm in here everywhere. Okay, Marriott being the example of... in gold, customer gold. All right, we've got to pick up the pace a little bit, but "unhackable" is my trigger word. Okay, my favorite thing, though, was that you

guys will see this on Twitter, that PC, they took out a patent for an unhackable PC. Yeah, yeah, it's actually filled with concrete and sadness. Okay, so, you know, it's just that, like, stop with the marketing department. Like, you as security leaders, you need to call them out. You know, you need to call them out when they do [ __ ] like that. Yes, right. Yeah, yeah, absolutely right. We have a lot of fun with this because we work... I say we work, we're good friends with Pen Test Partners. Yeah, let's be clear, there's no commercial arrangement between the two organizations. They just do all of the good tech and we... they have fun with it,

right. Yeah, we're sort of like those dung beetles. Yeah, yeah. All right, so there's a bit of a musical theme going on now, because we're in Liverpool, which is the home of rock and roll as far as the UK is concerned, and there are some people doing good stuff. Okay, so passwords: it's a constant menace, really, in the infosec community and the industry at large, but they're here to stay for at least a long time. Yeah, so we've got to get clever about how we do password management and how we educate users around good password hygiene. We have to have the MFA debate; we talk about this regularly. So if you are a

responsible organization and you can support MFA, then you should deploy it out to your user base. Absolutely. And if you want great advice as a user, I'll take up that option of the Have I Been Pwned API and warning for the domains. Like, who here's heard of Have I Been Pwned? Yeah, okay, awesome. Okay, cool. Who's really sad that it's probably going to be sold? Yeah, I know, what can we do, right? Although we had a really good chat with Troy about it, and I'm really like, hey Troy, why don't you just, like, donate it to the EFF or something like that, right? I said I'd give him 50 quid for it. Yeah. I said no.

Okay, as professionals we're not perfect; as organizations we're not perfect. We do make mistakes, we do issue buggy code, and that happens all the time. But tell companies about it responsibly, okay? We're going to move on to a little bit more detail in the time we've got left, but if you do get told you've got a problem with your software and the risk is severe, then fix it, okay? It's incumbent on you to fix a problem that somebody has been responsible enough to tell you about, and not just hack you and nick your data and stick it all on a paste. But yeah, ignoring the problem doesn't make it go away. Trust me, it doesn't. Test and fix your stuff. So

again, you know, have conversations with people that build things, and if you're in security, have those adult conversations up front with them. Get them baking stuff in early doors, okay? There's no excuse, really. We as security professionals are in the front seat of technology; we're not the afterthought, or the guys at the last stop just before that buggy code's been released into the wild. We should be there at the beginning, having those conversations. Yeah, and I mean, I just want to echo Josh Corman, who basically said, you know, we have a 100% failure rate in cyber security. Yeah, 100 percent. Like, almost every major company has been breached at some point. So yeah, this becomes

really important. It's an iterative process; security is recursive, right? Because your environment's always changing: new stuff's coming in, old stuff's going out, it's always changing, it's recursive, and you'll learn from your mistakes. Yeah, and you're here because you want to get involved with the community. That's the whole thing about BSides, is it's not vendor heavy; it's about people that feel the same way getting together and talking and sharing their problems and learning new things. So long live BSides, okay? You see what I did there? Yeah, good. So a breach is a when, not if. Actually, many people in this room will already, or will, work for organizations who've already had their data breached,

okay? Just get over it and deal with it, okay, because it'll feel like that (a bit more music; Manchester, that's where I come from). You will panic, yeah, and it'll feel like the end of the world, and it'll feel like that in your head, because we all mess up. But actually, what we're defined by is our response, okay? So a good data breach response actually results in people having more trust in your organization, which is a bit of a paradox, but that's true. I'll ask the Andy question right here. Andy, going out to our brother Andy, always likes to ask this question: who's heard of the Equifax data breach? Sure. Not Andy? Oh, is it Sean? I'm [ __ ] with me, we

mix them up. Yeah, like our Fred, our tour manager. Anyways, yeah, so Equifax: almost everybody has heard of it, right? And it's the breach that keeps on giving, right, too, because they just got their credit downgraded recently as well, right? Who's heard of the, was it, Disqus data breach? Few people, way less people, right? Because they handled their [ __ ]. They went out, they said, we've got a problem, we've fixed it, we've isolated the problem, we want you to do this, thank you very much, if you have any concerns here's where you can contact us. This is not rocket science. It's going to happen. Equifax made page one of the news,

or front page of the news; they made the six o'clock news. Disqus was on page 17. It got their executives dragged into Congress to testify about what [ __ ] they are. Yeah, agreed. So when it happens, you really just got to accept it; that's your start point. It's about admitting you've got a problem, okay, and then you can start dealing with it, moving on in a positive fashion. Don't blame the other guy, because your control failed, and that led the other guy to steal your data, okay? That's the bottom line. Argue with me outside if you'd like to. Get support. So in the UK we've got some pretty powerful bodies. We've got

the NCSC, who are a lot better than they used to be, that's fair to say, and they've got some clever people and capable people that will come and actually offer you computer emergency stuff. You've got to tell the ICO in the UK; it's horrible if you don't, okay? They are the supervisory body when it comes to data protection in the UK, but again, if you tell them, they parachute people in, and they're clever people, and they come and help you with things like your incident response planning, notifying your users, all that kind of stuff. Or if you've got heavy duty risk, I mean, there's more than a few awesome security companies here in the UK, right? There's a lot of talent out

there. I think, you know, sometimes businesses want to keep it, you know, on the DL as much as possible; they may not want to go to the police right away because you don't know what's going on. There's great talent here in the UK. Yeah, absolutely, absolutely right. And analyze the problem, figure out where that control broke or fell over. Yeah, was it something in your SDLC? Was there something not baked in at design time? Yeah, were architectural decisions not taken that were correct? Did someone turn off security on their S3 bucket until it worked? Yeah, oops, a common problem. And learn from it. Yeah, and ultimately just take it on the chin, because you can't undo what

has happened, but what you can do is your very level best to prevent it from happening again, and if you do that, trust will come back. In the case of Disqus... a good example of that is Norsk Hydro. So they had a really serious problem, I think it was a ransomware attack, and their entire business was taken offline. They're a huge aluminium manufacturer, and they had people from all over the business pulling together, no matter whether they were senior executives or whatever; they were doing everything they could to manually continue that company's operation. But what they did was they responded really well. So their IT systems were down, but what they did was set up

Azure websites that kept the flow of information to customers and shareholders and people that cared flowing nicely. A bit Heath Robinson, but it's better than nothing, and actually it demonstrated that they gave a [ __ ]. Okay, so in a very similar case our friends back at Google were involved; I think it might have actually been this one, where the business started to set up a whole bunch of Google accounts, and basically Google turned... so they're in the middle of a crisis, Google turned off their accounts because they had too many accounts and they felt it was business, so they turned them off and demanded a bunch of payment. Yeah, absolute dicks. Talking of which,

okay, I'm going to do this one quick. Do, correct, yeah. Okay, so SandboxEscaper, we know, very angry individual. It appears that she was under investigation. It really moves me; this is like the saddest moment in vulnerability disclosure, where somebody's been kicked around so much, has maybe mental issues, mental problems, very angry at the world, and is trying to call out intelligence agencies, justice and law enforcement, and dropping like zero-day after zero-day and threatening to sell it to the enemies of the United States. So, you know, my heart goes out to people that get so angry and so lonely that they do stuff like that, because they're looking for suicide by air force at

that point. We all know what happened to TriCk, a gentleman from Birmingham, here, and he got vaporized by a Predator due to his belief in building the cyber caliphate and conducting cyber security attacks, right, ransomware attacks specifically. So, you know, it's sad when we lose people like that, who I kind of feel like if they had just reached out, you know, it's not the end of the world, man; there's a lot of stuff you can do and there's a lot of money you could make as well, too, being that talented, and certainly the skill set's there. I agree, and I think there is a long journey between responsible disclosure back to Microsoft

and sticking it all out on a paste, okay? I do believe there are things that you can do that are in the middle ground there. So, yeah, we'll see. Go back to unhackable: don't make false claims about the unhackability of your technology. If you think it's unhackable, then just think it's unhackable; don't ever tell anybody it's unhackable, because, rule number one, we know that there are people out there that are very clever, cleverer than you (and not you, you and your unhackable tower) that will destroy that unhackable status in a matter of days, and that's if you're lucky. Okay, be incredibly careful about the idea of dropping personal data on security researchers onto Twitter

if they would rather that their privacy and anonymity was preserved in one way. I'm sure you know who I'm talking about: Brian, Kevin, Ryan and Kev, good friends. And have a bit of respect. You know, you're all here because you're cool, yeah, I think so. We've all got anxieties; I have things that keep me awake around security, but I respect that others have got their own opinions on their own skill sets and their own knowledge areas. And you wouldn't be here, really; I don't think you would be in this room and in this conference if you didn't care. You can give a [ __ ], right? Pop quiz: can anybody tell me why

I've put that picture on that slide? Nobody can tell me? I'm in Liverpool. Wow. Sorry. Fantastic. So Orchestral Manoeuvres in the Dark are a Liverpool-based electro pop band from the late 70s, and I think they're still operating even today. They had a hit called Enola Gay. The analogy here is that they all thought it was a great idea, but what the Enola Gay did was vaporize 144,000 people in Hiroshima in August 1945. Okay, and I don't know how we did it, but we did it. Yeah, we're done, we're done. Thanks very much. I know you were looking for a crescendo, but no, we're out. We'll see you at the bar, y'all.