
We Take Your Security Seriously (Or Do We?) — The Beer Farmers

BSides Scotland · 2019 · 38:29 · 191 views · Published 2019-04
Tags: Talk

Transcript [en]

Okay, good morning, thank you for coming. A really difficult task, following tall, yeah, wow, but we'll do our best. We're starting a GoFundMe for our legal defence, so please contribute generously. Yeah, also heard someone wants on our backs, yeah, how, no coincidence, coincidence. So we out there flowers, and thank you for coming. Is anybody under the age of 18 in the room? See a couple of people, well done. There might be a little bit of swearing in our talk, because that's what we do, so folks, yes, but we'll keep it in context; it'll be relevant, hopefully, to all. Okay, so I'm Mike, I am a security man, I speak south corner. John is Belgian, who doesn't like

Scotland, that's why I know it turns up 20 of us Scott, it just doesn't let a Yuki into action, but he's a fellow member with a problem, fortunately travellers. Yeah, I write assertive emails to try not to offend special snowflakes for a living, so that's kind of what my role is. Sure, I'm sure I focus my on abstract which eternity is shot in that dead, we're trying to work on that. Yep, I do my kids [expletive], that's basically what I do this way. Yeah, that's awesome, yeah. Oh, you have got blue collar first, wake up and the blue darts, in fact, oh yeah yeah, the greatest superhero. Okay, so that's how you get us on Twitter, and so

we did a bit of research in the studio last week, and we've actually definitively proven that we're all Scottish, so we'll explain. I was born in Edinburgh, but this Scottish Italian, Scottish Glaswegian, that's still Scottish though. Yeah, no, yeah, sure, tell us a story. Yes, my great-grandfather went to school with Sir James Barrie, you're right, Peter Pan, so that's where my family name comes from. Yeah, the only thing I have is that at one time the family name was Little, and there is a Scottish clan called the Littles, who didn't get invited to many battles for clearly obvious reasons. Well, six, gosh, we think because they're hidden. Yeah, Canadians, guys, and John has got so

did your hair is bed, yeah, switcheroo, can that qualifies, unfortunately. Okay, so we include Facebook in our talks quite a lot, because they're egregious and they tend to do bad things with your personal data on a weekly if not daily basis, so I am elective qualifies from the things I say about Mark Zuckerberg. So I do a bit, and that was a mistake. He came up with quite a few other: privacy is the norm, social normal past. I think from his point of view that's absolutely accurate, and there's a clear perception that Facebook is an evil organisation. People are very little, a zero trust of that organisation to do the right things with your data, and that they need regulation, and I

fully agree with this. As soon as Mark Zuckerberg, people actually came out the other day and said that particularly the US and Facebook government should do more to help regulate social media and large tech groups. Generally accepted, some unhappy paying the fine, it slows the ICO, for example; if you've reached, actually appeal and not fine. So yeah, mistrust of government is, but just to clarify that, so I converse said he supported the government but not the part. Yeah, yeah, coincident, you scratch my back. So I want to point out something, as a keen student of human beings: that face that you see there of Mr Zuckerberg is not one filled with contrition. He's a

super, yeah. I think that what this is is the face of an individual that has now been called to task for the cavalier attitude towards privacy, the business model that he's made monetising private, yeah, stuff. So he's not sickened the way businesses behave, he's actually sick of being caught, just a really Shipman, yeah. Who has deleted Facebook? Show of hands. Quite a few people deleted Facebook as a consequence, yeah, great. Who's happy to continue using Facebook despite the fact that they are? Continue to use. So a quick look at some of the numbers: 50 million in 2014 was Cambridge Analytica, so we all know about that; that's a part of why these were

inspired, not just the FBI, because the ICO raided Cambridge Analytica's offices a week after. All the day there was some player in a field, but yet 15 million accounts were manipulated and sent off to be used to target election campaigns and political activity. And just on that, there was about a five-minute TED talk that I posted and seeded in the Beer Farmers; you can find it in our timeline. I found it very interesting that before this all went down, Facebook attempted to sue the journalists that were going to break the story of Cambridge Analytica in order to keep the lot quiet. So again, not exactly what I call contrition, and

more recently, last year, 29 million accounts were compromised due to authorisation tokens being leaked, and that was to do with the way the apps that allow you to sign in using your Facebook credentials were working; there was a bit of a false positive, you know, off, made around the way, and that caused 29 million records to be leaked, under the nearly 7 million, and then more recently 1.5 million records. And also in the news you may have heard that Facebook actually requested your primary email account password, to have been provided as part of alternate authentication into that platform. Why? Okay, no idea. They admitted it's bad practice, so it's a bad practice

continues, and I think they messed up with that email, because they sent the emails to someone or something, yeah, but

again, going back to the narrative here, they didn't accept responsibility for it. They said it was an actual mistake, even though many in the security community pointed out that it's not really a mistake: somebody somewhere set up a Jira ticket and developers actually worked on it. That's not really a mistake. Okay, so who do you, can, shower with this guy?

All right, you have not put it to one side, you can come get it, I'm not a different things anymore. Yeah, it was a business leads, yeah, different honey, it was tonight, it was Jack Dorsey, the founder of Twitter, and he's gone from a look better, hit me Karen with thing. So his original idea here was: I just want to build stuff that really simplifies our peer interaction, and previously could get lost to piss off. That's what these people think, this is how they operate. So 340 million Twitter accounts were lost in 2018, if anybody was aware of that, but again it was to do with a, have been compromised, because they were taking your security seriously.

If these guys, these guys can't get it right, but, and actually something to add to this is, just as the Mueller report came out, they saw a three hundred and sixty-two percent increase in bot activity associated with, you know, the release of the Mueller report, and starting rumours and trying to construct some information there, yeah, a complete misinformation campaign. But it's very easy to create software, play it, call it what you like, and then make a causal, it says, we see quite regularly, it doesn't places. So I've seen probably this last week about twenty to thirty bot accounts try to mount a day, yeah, because everyone wants, I've never been this popular. So I think the paradise lost

counted back for is around the idea: they start with the great intentions about how they're gonna change people's lives for the better, and almost invariably it goes to [expletive] because they get bigger and then money becomes the primary motivator. Money, money is known, we're money into this opposed to them, yes, oh yeah. If the product's free, you're in the front, this is the, see, like your data, delete money on them. So this lies benebabe, and since last couple of talks at Windham we have it around 21 billion records kicking around their leaves, that was considered two to three records per human on the planet. I supposed to try not about that, just to

get his day, because he's kind of authority update reaches, it's nearly ten records per every single human walking on the planet, 77 billion, and now I still think that set style playing another. But see, we listen Tommy Norment, yeah, woman reaches a good way to test, missus gets, if you're in a company gets so much for them, they email, and how about be informed what their one is going to, you to pop up with someone else. So who's heard of 63red? Raise your hands. It's gonna be a good story then, not too many. And they are sort of right-wing American organisation, so a rate, they are a right-wing conservative US, most like, again I said it, trying to make

America great again. What we do is we're making the blue hoodie Greg, that's right, that's this black we use ours, yeah. The slimming is they are their Trump-sympathising organisation and they don't take too kindly to anybody that criticises security on Twitter. That's who they are. And anyone who heard them earlier, obviously Elliot Alderson, Mr Robot of the show, the security researcher, yeah, also known as Baptiste Robert, that's his real name. That's design uses exercises to our really good guy, really capable, really very active in trying out things around with organisations and trying to work there. And a little bit of weight loss, 63red, we found the vulnerability, 63red went a big [expletive], now head start calling him

names and things, threatened to report him to the FBI, claiming the good morning was completely futile exercise even if it were true, if you know good people, of course the content, yeah. But the guy that put the garlic, tomato, crime, okay. Just to be clear, when he did, he took the Apple App Store publicly available to disassemble that, again no legal things around there as far as, and then just view the trigger, baby comes out, yet all the servers. So he wasn't doing anything, because they messed up, but we will talk about it in a little bit more detail in a few minutes. Had about dipped and, but they, the community, came and got stuck in, and I was included in some self

immunity all the lambie's colleagues. It was suddenly morning that we decided it would know any better plan, take this guy down, so that's what we went about doing. So Andy and I piled on, a few other people got involved, and then we did some research, because the guy had, it was passing quite bad, upsetting other websites that they ran. They had a number of, he claimed, contained original copyright material, which we found to be old or empty, and then eventually we found out that it was a white supremacist, okay, because we traced back to the started between that, where it was basically saying that there are enough opportunities for white edge America because of anybody white not, and so not

that outage, we prevailed, I think. There's a group of people, and now it's back, that was the end of their job, done, oh my god. His name was full, I don't know, bounced it forward, yeah yeah, you reimbursed, you took it, yes. He reared his ugly head and decided to be divisive in the community and I stomped on that pretty hard. Nope, hey yeah, don't baby, I love this. So what we've done, and this has actually been a teaching tool for a lot of businesses, because what we've come up with is a hurricane-like scale for the level of [expletive]storm that a company can get into when they mistreat researchers. We've seen this play out

over and over again, it happens all the time, and with the best intentions, in most cases I'm gonna say the security researchers are generally trying to identify a problem, a customer-facing problem, a security problem, and they get treated pretty horribly. When that happens the community is, I would say, a little bit defensive and there's an overreaction, and I think what really came out of this scale was we see the pattern going over and over again. We know some basic rules, like having John McAfee talk about your product is probably not the best idea ever. How could that happen? Talk first, often on, yeah yeah, on his boat in an undisclosed location, pay for you later

on, yes. But this has been now a good teaching instrument: when we start to see something go sideways we'll post it into the thread stream so folks can understand exactly what's gonna happen, and then we see the meme count going up; we know that from a cyber depression a full-on cyber tropical [expletive]storm is about to impact the company. We've seen, I think, a lot of success in educating companies about how to approach and deal with security researchers, and I think I'm hopeful, because the last couple of ones that we've seen, as much to nip it in the bud and just kind of say, hey, you know, they're not out to get you, they're not

out to, like, hurt you, they're actually out there to fix things for the company, and it can either sacrifice just to further strength from that. Simply trying to call them out with legal threats doesn't make this go away; it's still there, and it just makes you look bad, yeah. And also, like, physically assaulting a security researcher at a conference, that happened, no, no, it's, it's not. I think what highlights it occurred to me, you sold stolen, so that's the question about researchers being afraid to be, Jasman could be the first place for therapy, thank you Rick. Yeah, I think there's a kind of schism between the researcher that wants to do the right thing and how

the company should be responding as well. So I think in a lot of the "help, Givens" scenarios that we see, it woke up early, just flustered, they don't know what to do about it, so the immediate reaction is a negative reaction, because you're accusing the axillary, so I'm going to backlash against that. So I think the better education around how to respond, I don't mean which model, this version per se, I mean how does a company gear itself to get back to that researcher in a responsible way. Well, then there's, how many of you have heard of responsible disclosure? Okay, quite a few. So responsible disclosure, for those who don't know, is when a researcher works with the company to

go through the issue and not release any information about the issue until that issue has been fixed, right? We'll give them a suitable time period to do that. Everything is, emphasis on the researcher, with emphasis on the companies for their part of it. So I wrote a while ago: responsible disclosure, responsible accountability. Companies need to be equally accountable. Why is everything on the researcher? It shouldn't be that way. If it was a bear man, the researchers doing this, many of them are throwing back their own resources, their own time and equipment, social company, they don't have much to petty or anything at all, so it just doesn't make sense. One thing that was really frustrating,

Chrissie store at the any set big was they're trying to develop international standards around disclosure to protect the researcher, and I'm fascinated by them; I think not soon enough, it has to be. I think, I think one of the other factors too is, as a security kind of community analyst, for lack of a better word, the impatience that our profession instils in us, like that sense of urgency, that doesn't translate well to large enterprise organisations with a software development lifecycle and a project management cycle that is, like, months. Small, yeah, right, my Alison doesn't timely well known with the rest of the business. So, like, what the security entity might think is a critical risk,

ideally, realistically, if it's an internal system it's not very interesting, it's going to, wasn't impact the business, and what, looking at where the money is, their economy DeMarre custom 20 my name's effects, it's versus 10 minutes, they get reached up, a little comforting to not pay for this, yeah. Okay, so tropical, I'm gonna go quickly through this because this is a really interesting scenario and bleeds into that area that I love to explore, which is the politics behind a lot of cyber breaches. So if you're familiar with Wipro, they're similar to the data communications, they're an outsourced player, eight billion in annual revenue. Brian Krebs broke an amazing story about how basically it was leaked that

they were breached at a very sensitive time in the company, just before earnings. There was a small paragraph that I dug into around this, because it seemed that prior to this leak occurring, about how this company was compromised, allegedly, by APT10 Cloud Hopper operatives, who target managed service providers and IT people, so that the TTPs look like it's Cloud Hopper, for now anyway. What was really interesting about this is that the Chinese and Pakistan have been working on a project in Kashmir, and the default position of the Indian government is that anything that's good for Pakistan is bad by default for India. Prior to this hack, the Indian government forced 166 million US dollars in

shares and repatriated them to Indian companies, allegedly, that the shares were illegally held by Pakistani investors and Chinese investors. So there is kind of this theory that I'm working with that suggests that this company was basically used to instil more patriotic fervour in the Indian government by repatriating these shares. Well, interestingly enough, the data leak happened on, and just prior to, an earnings call, and you guys are smart people, so you know that if a company's been breached, what does their share price do as soon as that announcement? It heads south, right? Exactly. So if you know, and you have friends that are holding shares in that company, and you know there's been a data breach, what do you do? Well,

in America you go to jail for something called insider trading. I'm not sure if that law actually applies in India, but you let your friends know that you're gonna leak the fact that this company got data-breached, so you can take that 166 million and what's called short the stock, in order to make even more money. Okay, so this is my hypothesis, and the most interesting thing about this is what we're seeing is the monetisation of the information about the company's posture during a data breach event. So it's really worth exploring and understanding why stuff is occurring. Okay, anybody familiar with Collection #1, the rest and Leona? Yeah, yeah. So Collection #1, for those of you who don't know, is

probably one of the biggest public breaches, a breach dump, that's been essentially rode the boat the start of the year, in the last year. There was about 1.5, 1 terabyte of personal details leaked on the internet. This was user details, user credentials, passwords, Bitcoin addresses, lots of stuff, and it's made available, but that's what snow contributed to figure out the breaches. And I think, absolutely written recently, Troy Hunt's gone through it with a fine-tooth comb, unique references about 770 million, which is, I mean, it's a few, it's not quite a billion, cover you'll get a billion at one point, but it's getting, it's put the kind of national, the global average of breaches up by a factor of

million. Yes, and it's great for me as a pen tester, because it gives me a massive list of passwords to crack, but as an individual you're guaranteed at least one of your accounts will be on that. You're always doing people, you probably have multiple email addresses; here I'm a fuel person, then a native from back in the 90s might get breached, that you're, I'm not so cool, mm, may not be so. I think there was a lot of conjecture at the time about, well, should we really care, it's not you, day away, you should get annex all day, and it's now probably, and if you're using any of these potential, another big, the big problem, the biggest problem is password reuse. It

even, even if you've changed your account, most of your security over said, I assume you change your password every few months, right? Some of you might. Up, if you reuse your passwords, don't, [expletive] change them. And but yeah, they'll probably be in this list. The thing is as well, because it's such a big list, just because you change your password, your new password may be in the list, so don't use that. You know, most people use past previous big of all passwords, password, or a pass for miles as well, it was that held in fair, yeah, boy, family is when you can, all right, that's, that's that. Okay, and yeah, I mean, the problem is huge, and

anybody recognise this? Hands, that's a no. You still awake? It's Information is Beautiful, it's a website, go and look at it. It's a really powerful way of showing your business, or I'm going to get, trying to get your head around the scope of this problem, and I haven't see that, you'll find yourself in there, you will have an account in that, multiple accounts, unless you'd never be with them, unless you know, me on the internet, which. So what they're, this is what we see, it does, this goes back to our previous point around how businesses react. It makes a few good points: what we'd like to see versus what we witness, viewed eminently, what

does it effectively repeat soon, you know, and this brings up a really good point. You know how we talked about, like, user security awareness training, your user security training, we need, like, company security training, but the opposite, right? You know, Todd made some really great points about: you're gonna get breached, you should have a plan, let's slice its, this part of your plan is how to communicate. Did you know that, that we have a situation, we're working through it, yeah. You know, we talk about this all the time, but there doesn't seem to be educational resources available for companies, you know, to the point where, you know, we're focused on the user who, don't click on links, or I click on links

for a living all day long, that's what I did, okay. Hajj Allah, he surfaces from time to time publicly, attention of some toys, continuously attention, jobs, colleagues back spent, but this is the hashtag unhackable: the idea that you can create a product and then sell it on the premise that it is completely invincible, impervious to attack. We see everything to preserve you, and a hundred percent of the time it's proven to be wrong. What we find is that it's a popular topic of research, and Pen Test Partners doesn't mean a free pen test, they didn't still be, but generally you all get a free pen test if you do splits it on Twitter, yeah, if you think about it, yeah, because yeah,

because it was even pointed out, you know, well, pretty smart people write everything that we know is, these things really quickly, and when somebody goes online, in a public forum, and says, yeah, hi guys, we've got your lock, think that's gonna secure all your things, any, so by the way some hacker book, we've got the best kind of secure all, you've got, yeah, the best you can expect, a week, a week yet, a past before it's been completely absent, the world know that action, well, that so Pandora get pulled inside of ten minutes, and you get the guy who works at Pen Test Partners, who we call the EPA Jesus, he literally looked at see the eyes all day long, and he found

either in said, attainment, an insecure direct object reference, which would allow you to go through people's details and access their cars, unlock them, drive away, yep, fast and easy stealing. You can still find the video on the beach, there's my blue car's feature, it's pretty loud and interesting bit. My, yeah, if I took it on the chin and eventually they realised that it was probably a ludicrous statement to make, and somebody else happens, and Apple and Bill are chips in there, saying that's probably buying it from their own personal experience, to say that anything is. When I see that contrition, that's learning, it's often a problem, is, you know, it's not taking yourself too seriously,

our time, but after them fittings are very very serious, and yeah, around, but they were able, oh yeah, fine for what they originally did, and I had a public spat with the then-CEO; they went through CEOs, two or three days, and marketing, you make, you stop every two days, absolute appraiser, just don't goof Jorma, cap is your product, yeah, ambassador. But in the end they gave us, mental health, $10,000, which I could confirm. Warning, containment breach. There's a couple of things around us: we see many CAs being, kind of, in some form intimidated by Let's Encrypt. I guess they be read a secret is a threat to them, which, so this one, it was actually joined, he posted

something online, or something about EV, sure to remember exactly, and these guys basically checked the thread and started putting their own things on there as well as a list of all the 10 reasons why you shouldn't use Let's Encrypt. And I went through each one and I looked at them, and I think every single one was false, not to mention the very first, or the headline there, I pointed out to Let's Encrypt, and let's just say it followed its own course, legal reasons. The story is: Let's Encrypt are doing a fantastic job, they're the world's largest CA because they're doing something great, it's free, it's automated, they've changed the whole landscape of

how we deal with certificates, and now a lot of CAs are trying, you have to play catch-up, and trying to push things like EV certs, which, there's a lot of debate whether they're worth it, the mat analogy, they want to go make up their own minds down, yeah. But at the end of the day, trying to sell something on false data or promises or whatever is just not the way to do business, you're right. And I think if you look at the open gathered that way, the reference, British Airways, yeah, right, oh yes, keepsake, BT possibly, but yeah, 380,000 BA data compromised, was credit card rates, it, there was nothing to do with transport layer security, it was to do

with Magecart JavaScript, boys, yeah, there was JavaScript only behind the scenes, nothing at all, what says, yeah, [expletive], over Jeff, and the story. So there are good guys out there and heroes, there exist the companies out there are fat without that, yeah. This is trying to experience is they have, not things like robust security controls, they are, they original demonstration testing, they are engaging, that I published coming in, help you out. We talked about responsible disclosure policies, specialist, and this is where we both companies are doing a great job. I think we should call them out more and put those guys at war, because hopefully that will prove to other companies that doing the right thing is actually going

to get to you in a battle armour. So for example, here, who's heard of Equifax, and knows about the Equifax breach? Who knows about Disqus, and the Disqus breach? To account the big difference between those two: Equifax and the breach, Equifax, how not to handle a breach, three things on the carpet, white, blame, and Disqus came out with a robust explanation of what happened, what they're doing going forward. It's quite clear to see how the two different things play out and how your reputation can get happened, entity, and one gets you called in front of the US Congress, which doesn't seem a whole lot of fun, and the other doesn't, right, yeah, okay.

Pete seems not this year. So, multi-factor authentication, we talked about this, so that's pretty read without me, yeah yeah. Last night's things I thought about the show and multi-factor auth, okay. So I think we all agree that you should use it. You think we should be more, we should have a robust approach, is to token-based, on that cops know cuerpaso lights. Agree to an extent, without, because I think it's not accessible for the masses, technically. I think it's the trade-off between usability and security, yeah, but I think where we are, I'm married into the tire, as we increase the market, I can reduce the cost in the, but I'm not gonna roll out

$20,000 of devices or irrigates to my business, but it's just a management nightmare, that's too much, wealth is available, then it's bad, not the most ideal, then you get, okay. So responsible disclosure, which we talked about, so we can quickly skip it, though I think do the right things there. Is anybody familiar with security.txt? Show of hands. So it's a web application scheme, it's not quite a scam, together, it's on, which way, where you just trust, it's got an RFC, snap right here, so it's out, yeah. You just drop a text file on your web application and that tells researchers how to contact your sort of live, simple. You can write out that rule, that

when pages, who's not aware, it's .well-known, Lawrence, my security of speeds in the work group, most helping some people put in the roof of some interview said. If, and if you're like, you know, got something and though you're worried or have questions, but that's what we're here for. Anyone, it's in this industry, like, reach out to any of the Beer Farmers, that will point you in the right direction. You might be going to a CERT team somewhere, you might be, you know, talking to the public relations people at a particular company, but we're here to help, we're here for you, yeah, we're here to sense of somewhat, yes, in the back, okay. So as a

business you're going to be, you're going to be doing pen testing, so we're not just talking about my destiny web applications, your infrastructure, your network, we're talking about fantastic, you people, you're building, your processes, everything that they are, their attack surface, in the though full-time security, yes. Don't, we don't, be afraid to get a third-party company to come in and tell you where you're not doing the right things, because they are specialists. Sometimes that's actually compliance readings, yeah, an order ability, you have 200 sent. And the nice thing, though, is that then you have, like, a baseline to work from, a document that will help you build business cases for the things you need

to fix. The problem is your second pen test, right? It's never the first one, because the first one will be a completely demoralising material. The second one is like, oh, have we moved the bar anywhere, have we actually gotten better? And from a compliance perspective it makes a really great story for your business to tell: listen, we had no security awareness training programme, we implemented one, good, you know, improvement, show that improvement over time. It's good to show about the business as well, because it aligns where your money's going, spending, surgeries in the neighbourhood, so yeah, thanks Gerry. And how those conversations really up straight when you talk about, an idea, well, what I do do things, a business

right there, what security, what the dead section considerations, game on the ground floor, this is also all too often this monsoon, okay. So Have I Been Pwned, so quickly, sure, mention, driving home, have a look at that website, put your email address in your morgue licence to get a hit, and just quickly, if you don't know, if you're in the domain, putting your domain in will automatically notify you. And just another thing, you can get, like, the top 5,000, like, worst passwords and blacklist them in your organisation through an Active Directory add-on, and that lets, that means that no one can actually use, like, the name of your company, the heads, the password, yeah, okay. So a breach is a when, not if, so I think

accept that. We've talked about how they get you, plan, your plan in order, because when it happens it's gonna probably feel a little bit like this, but a company that knows what to do will be able to untangle all of that stuff and get to a point where they follow up, basically, response plan, a well-defined incident response plan, okay. So don't worry, shared only he had this happen, get on with it, stop ready to play some people having a helper puddings, right. There's lots of free resources on the NCSC website, and Cyber, business, the administration for small business in the US has a great website with the thing that you literally start answering questions and it builds your whole plan.

I've used it myself, that's great, very tool, yeah, I talk sense. You know, reach out to, you, sir, you look at CERT, dad, to help you, okay. I should be afraid of it, and sorry, as long as you're not doing something that really, something that you shouldn't be doing, something, I don't want to say stupid, but yeah, if you handle it really well, such as in the Disqus case, you might even come away a little bit better than pre-breach, because it shows you're mature, you wouldn't take on responsibility, it's economic chair, yeah, you're going to feel better about yourself. So we humans all make mistakes, your customers going to build that to this court time back to a Granger. So Hydro,

yeah, they did a good job, they're in an ongoing incident still, but the government, the job, will communicate what's going on in, setting up side channels, I guess I've mentioned about outbound communication with you, when everything's been pwned you've gotta do something else than this out, put that in place, we'll call the sepal all, and it's your website. Anyone know what one of these is? No one's, okay. They got found out again, it was a Pen Test Partners, Beauty might of Kenda Glory side project, yeah, we can probably, job, they are actually resolution on the gamblers, violence, astronomical helms, and you'd be bought one, that's nice, right, okay, okay. People in the crew day, I'm just

rushing fears because we're outside now, but connect with the community, so nobody's stuff, and it's very easy to make comments all social media, like Twitter, that very quickly, for me, death happens to all. So you don't have to be a thirty, a tech person, I'm a, it's been around a long time, you guys are well experienced, I'm just the dominant, we all, we all hook up, yeah. But they have suspects, there was no less governor about, subjects, engage and share with the communities, that little one article that you found, that you found useful, just, you know, get a value, just, somebody else, just don't become a CD wheat, we don't, don't become an influencer and all that [expletive], don't

do that, yeah, don't be a big, yeah. Thanks for coming. So we've been the Beer Farmers, Sylvia wants to do but we don't know what I wish to do, not what their war beautiful men Awards probably doesn't, that was January, I was year, should come to me.