
So, a bit about myself: I'm with Secure Ideas. A lot of my background is in software development, a little bit on the network side, and a good bit of architecture; then at a certain point I decided it was more fun to start breaking things.

All right, so starting off with a big question: what keeps you up at night? Show of hands: is everyone here a pentester somewhere? A defender? OK. So 2014 has been the year of breaches: Target, and whatever the latest one is. All of these are things you hear a lot about these days, and a lot of that is because security is getting a lot more attention. It used to be you'd just see CVEs go by occasionally, but with the mainstream media's interest it has all been fused together, and I think most of you would agree with that.
So the next question is: do those things really matter to me? They do. But do they matter as much as all the other stuff that's out there? That's really what my message is today. You see these things in the news, but regularly, even just running an automated scan, I find a plethora of issues that have not been addressed yet, and I'm sure everyone here would agree that's pretty common.

So let's look at attack targets. If you have a vulnerability, it tends to fit one of two categories: either it's used in a more generalized attack, or it's used in a very specific, targeted attack, and often this has more to do with the age of the vulnerability than anything else. The newer vulnerabilities, the ones that have just come out, are more often going to be used in the generalized scenario: people want to find out who's vulnerable, so they throw it out there, and you can see the mass attempts to exploit it. Whereas something that has been around for several years is more likely to be used in a targeted fashion: somebody is working a very specific target and wants to see what's going to work against it.

So ask yourself: what kind of targets get hit with the generalized attack? Everybody. Every company out there is exposed to these zero days. Then you also have targeted attacks, and there the targets are a little narrower; some smaller companies don't necessarily have information or data or systems that people really want. But let's face it, most businesses are in business to make money, people want money, so almost anybody is a target.

Even as pentesters we follow these trends. I work for a consultancy, so I spend a lot of time with a lot of different clients, and it's not that I see exactly the same thing every time; what's great about this job is the new challenges and the interesting vulnerabilities. But what we do see, over and over, is the same sorts of issues. That doesn't mean every single client has every single one; it just means a lot of the same types of issues keep coming up. So what I want to do is take those things that pop up all the time and link them to some of the fancy zero days that have just been in the news: Shellshock, POODLE, Heartbleed, and some others that are very much related.

So let's start off with Shellshock, because it's easy and it comes with a pretty picture. For those of you who may have heard of these but aren't quite sure exactly what they do: Shellshock is a payload that, when bash sees these characters, causes whatever follows to be executed. You can see a bit more detail from Robert Graham, who tweeted that he was mass-scanning the internet right then to test for the recent bash vulnerability. You probably remember seeing this: here's his example configuration for masscan, and you can see that same string in there, the function definition, that's going to do it, along with the command that sends the result back to his own box. So he's hitting the usual HTTP port, sending a couple of headers with that payload, and the response comes back to him. It's actually pretty straightforward. Note that although this is running across the whole internet, it only requests one page, one path, for every host: just the root. Not all websites are vulnerable right at the root, so imagine all the other services out there that he wasn't touching. I was interested to see how well it was going.

So a little bit on Shellshock: there are several CVEs that basically relate back to the same thing. The examples people talk about, the proofs of concept, have to do with CGI. CGI scripts have been around for a long time, and largely, as we'll see, they've been superseded by other technologies that do the same sort of thing: server-side code generating dynamic responses. Everything from PHP to Java servlets to Ruby on Rails, and lots of other technologies that do the same job, do it better, do more, and don't give the application such easy access to sensitive parts of the operating system. So it's a wonder that people are still using CGI in places.
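The CGI path described above, as an added example that is not part of the original talk: a CGI gateway copies request headers into the environment of the script it runs, so any header value that begins with bash's function-definition marker reaches a vulnerable bash. The log lines and IP addresses below are constructed; the check is the one a scanner or a log-triage script would run.

```python
"""Shellshock reachability through CGI (added example, not code from the talk).

A CGI gateway exports request headers as HTTP_<NAME> environment variables
(RFC 3875: upper-cased, '-' replaced by '_'). A vulnerable bash
(CVE-2014-6271 and its follow-ups) imported any variable whose value began
with "() {" as a function and kept executing whatever followed the closing
brace. Everything in SAMPLE_LOG is constructed for this example."""
import re

# Value shape that triggered the bug: optional whitespace, then "() {".
SHELLSHOCK_PATTERN = re.compile(r"^\s*\(\)\s*\{")

# Apache/nginx "combined" format:
# ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)


def headers_to_cgi_env(headers):
    """Build the CGI meta-variables a gateway would export for these request headers."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def shellshock_suspects(env):
    """Names of environment variables whose values look like a bash function import."""
    return sorted(name for name, value in env.items()
                  if SHELLSHOCK_PATTERN.match(value))


def scan_access_log(lines):
    """Flag requests whose Referer or User-Agent would reach bash as a function definition.

    Returns one dict per hit: source ip, request line, and the CGI variable(s) carrying it.
    Lines that are not in combined format are skipped rather than guessed at."""
    hits = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue
        env = headers_to_cgi_env({"Referer": m["referer"],
                                  "User-Agent": m["user_agent"]})
        suspects = shellshock_suspects(env)
        if suspects:
            hits.append({"ip": m["ip"], "request": m["request"], "vars": suspects})
    return hits


# Constructed sample log: a benign request, a payload in User-Agent (the shape of
# the mass scans the talk describes, aimed at "/"), a payload in Referer against a
# CGI path, and one malformed line.
SAMPLE_LOG = [
    '198.51.100.20 - - [25/Sep/2014:08:01:12 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Sep/2014:08:01:13 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"() { :; }; /bin/ping -c 1 203.0.113.5"',
    '203.0.113.9 - - [25/Sep/2014:08:02:44 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 '
    '"() { ignored; }; echo; /bin/cat /etc/passwd" "curl/7.37.0"',
    "garbage line that is not a combined-format entry",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['request']!r} via {', '.join(hit['vars'])}")
```

The point of the header-to-variable mapping is that the attacker does not need a CGI script that reads the header: bash evaluates the variable on startup, before the script's first line runs, which is why a request for "/" could be enough when the default handler was a CGI shell script.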
So some other old-technology issues. These are things I see all the time in a pentest. Unsupported operating systems: anybody still run into Windows XP? I do. We don't need ratings on those. Windows 98? Embedded? Yeah. Then unpatched software: we find tons and tons of that for almost every client. It's one thing if you find missing patches that are a month or two old, but when you find systems that haven't been patched in four or five years, that's a big issue. Web server versions: old versions of PHP, old Apache, I'm just pointing out the really common ones. And if you have WordPress, I'm not saying WordPress itself has had that many issues come up, but the plugins are just really bad, and it's constant if you don't watch it.

OK, so let's move on to POODLE. Does anyone else have POODLE on their radar? It's another downgrade vulnerability. POODLE is a vulnerability that only affects SSLv3, and it takes advantage of what's actually called the downgrade dance. When a client and a server negotiate, they figure out between themselves the highest version of encryption that they both support, and use that; POODLE takes advantage of that negotiation. So SSLv3: what's wrong with it? Well, first of all, it uses one of two cipher types. One is RC4, which is already known to have a lot of issues, and the recommendation from quite a while before POODLE was not to support it. The other is CBC, cipher block chaining, where there's padding along with the message and, because of how the padding is set and checked, it turns out you can decrypt a single byte with 256 requests. So it has to be a situation where something is repeated on every request, and the best example of that is probably a session cookie; there are probably other situations as well, but that's the one. And it's still 256 requests just to get one byte.

[Audience] Are you suggesting we shouldn't be concerned about it? Because that's the session token, and the session token is the real goal. That's not speculation; there are demonstrations. You can go to a conference and see these guys attack a session cookie in real time: five minutes in a coffee shop on the Wi-Fi and they've got your bank. So I'm not quite sure what point you're trying to get across here. This is a serious vulnerability and it can be exploited in the wild.

Yeah, you're absolutely right. But it's 256 times the number of bytes, and yes, if you have a fast connection that's doable. Now, if you're doing what was mentioned earlier today, watching everything, and Marcus mentioned several times all the things you should be monitoring: if we are doing that, how would people not notice those 256 requests? OK, let me move on, this will be more sensible. The issue with POODLE is real, and a downgrade-based attack is a concern. But what I want to make sure to say is: be aware of it, do what you can about it, but it's not the most pressing thing in a lot of environments. That's what I'm getting at. Yes, we find POODLE, but when I run a scan across a network, I'm very frequently running into lots of weaknesses in all the SSL configuration. I'll find old ciphers, I'll find SSLv2. So I don't know why you're so worried about SSLv3 when we've had SSLv2 sitting there, still using weak ciphers, 56-bit stuff; these things need to be fixed first. I'm not saying POODLE isn't real; I'm saying, why focus only on POODLE just because of the media? Let's go fix the things that actually let me take the whole piece, not just the one thing that shows up because the news said it needs to be fixed. We should be looking at the entire system.
Other things I just see a lot of: password storage. This one I don't really run into during every test; it's when we get access to a database and see how each password is stored. The usual is MD5. Is everyone familiar with it? It's an older hashing algorithm, super fast and easy to crack, just because you can generate lots of hashes really quickly, so there are rainbow tables out there for it. Although we don't do a lot of this work on an ordinary test, when we've had to, we've cracked everything, especially when there's no salting involved.

And then unencrypted services. So again, why are you worried about POODLE when you have an FTP server without any SSL? To man-in-the-middle that, I don't have to do any work at all.

[Audience] Well, to be fair, when Heartbleed broke, it turned out that if you had an unencrypted HTTP server, that wasn't going to leak information about other people's sessions, even though you have trivial man-in-the-middle. So you're trading one for the other.
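The password-storage point above, as an added example that is not from the talk: a constructed table of unsalted MD5 hashes falls to a single precomputed lookup (the rainbow-table idea, and identical passwords are visible as identical hashes), while the same wordlist against per-user-salted PBKDF2 has to be recomputed for every account. The user names, passwords, wordlist and iteration count are assumptions for illustration.

```python
"""Unsalted fast hashes versus salted slow hashes (added example, not from the talk).

USERS_MD5 and WORDLIST are constructed. The MD5 table is stored the way the talk
describes: raw MD5 of the password, no salt."""
import hashlib
import hmac
import os

USERS_MD5 = {
    "alice": hashlib.md5(b"password").hexdigest(),
    "bob": hashlib.md5(b"Summer2014").hexdigest(),
    "carol": hashlib.md5(b"password").hexdigest(),   # same password -> same hash
    "dave": hashlib.md5(b"correct horse battery staple").hexdigest(),
}
WORDLIST = ["123456", "password", "letmein", "Summer2014", "admin", "qwerty"]


def crack_md5_table(table, wordlist):
    """Rainbow-table style: hash the wordlist ONCE, then look every user up in it.

    Returns (recovered passwords by user, number of hash computations performed).
    The work is len(wordlist) no matter how many users are in the table."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    found = {user: lookup[h] for user, h in table.items() if h in lookup}
    return found, len(wordlist)


# Salted, slow storage. 200k iterations is an illustrative figure; tune it to the
# hardware so a verification costs tens of milliseconds.
ITERATIONS = 200_000


def pbkdf2_store(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salthex$hashhex' with a fresh 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_pbkdf2_table(passwords_by_user, iterations=ITERATIONS):
    """Store each user's password with its own random salt."""
    return {user: pbkdf2_store(pw, iterations=iterations)
            for user, pw in passwords_by_user.items()}


def crack_pbkdf2_table(table, wordlist):
    """Per-user salts defeat the shared lookup: every (user, word) pair costs one
    slow hash, and the work scales with the number of users."""
    found, work = {}, 0
    for user, stored in table.items():
        for w in wordlist:
            work += 1
            if pbkdf2_verify(w, stored):
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    print(crack_md5_table(USERS_MD5, WORDLIST))
    salted = build_pbkdf2_table({"alice": "password", "carol": "password"})
    print(salted["alice"] != salted["carol"], crack_pbkdf2_table(salted, WORDLIST))
```

Salting alone only removes the shared lookup; the iteration count is what makes each guess expensive, which is why a fast unsalted hash loses on both counts.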
I agree, you're right, but Heartbleed really wasn't the normal case; what we tell everyone is still to use encryption. Partly, it was the result of an implementation flaw in the very thing that made HTTPS no longer expensive. You probably remember there was a point in history when a lot of people wouldn't put up an HTTPS server because it was expensive: the handshake had to happen every single time, and they didn't want to incur that cost or go buy an expensive SSL accelerator. That's no longer the case, and part of the reason it's no longer the case is because the heartbeat extension was introduced.

So the heartbeat extension, documented in an RFC, is basically a keep-alive mechanism. You say "hi, I want you to say hi back", and here's the payload, and then you get your response back, "hi". That's the heartbeat message. Now, what happened with Heartbleed? You've probably seen this explained, but basically you have a request where the payload length says one thing and the actual payload is much shorter, and the response message sends back as many bytes as it was told, and just keeps going because of that. It's only slightly more complicated than that in the real world. So it regurgitates memory: whatever happens to be in memory after the "hi". So a lot of the main concerns that were expressed were an attacker's ability to pull out passwords, keys, things that are likely to be in memory on that server; probably not the data in the database, although if that has been read into memory you could potentially get that as well. But how critical is it? We don't know what you're going to get; from the outside, the fact is that memory management is just what it is, and we're just going to get back whatever we get.
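The length mismatch described above, modelled in added example code that is neither the talk's nor OpenSSL's: the vulnerable responder trusts the declared payload length, the fixed one drops any heartbeat whose declared length does not fit inside the record that actually arrived. The wire format follows RFC 6520, and the bytes placed after the request are a constructed stand-in for adjacent heap memory.

```python
"""TLS heartbeat length handling, vulnerable versus fixed (added example).

Format per RFC 6520: type (1 byte), payload_length (2 bytes, big-endian), payload,
then at least 16 bytes of padding. LEFTOVER is a constructed stand-in for whatever
sat next to the receive buffer in the real process."""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER = struct.Struct("!BH")   # type, payload_length
MIN_PADDING = 16


def build_heartbeat(payload, claimed_len=None):
    """Encode a heartbeat request; claimed_len lets a client lie about the payload size."""
    if claimed_len is None:
        claimed_len = len(payload)
    return HEADER.pack(HB_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def respond_vulnerable(record_len, memory):
    """Pre-fix behaviour: read payload_length from the request and copy that many
    bytes starting at the payload. record_len is accepted but never consulted,
    which is the bug: the copy runs past the end of what was received."""
    hb_type, claimed = HEADER.unpack_from(memory, 0)
    if hb_type != HB_REQUEST:
        return None
    echoed = memory[HEADER.size:HEADER.size + claimed]   # over-read into LEFTOVER
    return HEADER.pack(HB_RESPONSE, claimed) + echoed + b"\x00" * MIN_PADDING


def respond_fixed(record_len, memory):
    """Post-fix behaviour: bound payload_length by what actually arrived.
    A request whose declared size does not fit is discarded with no reply."""
    if record_len < HEADER.size + MIN_PADDING:
        return None
    hb_type, claimed = HEADER.unpack_from(memory, 0)
    if hb_type != HB_REQUEST:
        return None
    if HEADER.size + claimed + MIN_PADDING > record_len:
        return None
    echoed = memory[HEADER.size:HEADER.size + claimed]
    return HEADER.pack(HB_RESPONSE, claimed) + echoed + b"\x00" * MIN_PADDING


def response_payload(response):
    """The echoed payload as the client sees it (up to what was actually sent back)."""
    _, length = HEADER.unpack_from(response, 0)
    return response[HEADER.size:HEADER.size + length]


# Constructed heap neighbourhood: data left over from other connections, which is
# exactly the kind of thing the over-read exposes.
LEFTOVER = (b"POST /login HTTP/1.1\r\nCookie: session_id=7f3a9c2d1e\r\n\r\n"
            b"user=alice&password=hunter2\x00\x00"
            b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAfakekeymaterial")


def demo(claimed_len):
    """Send a 2-byte payload 'hi' with the given declared length through both responders."""
    request = build_heartbeat(b"hi", claimed_len)
    memory = request + LEFTOVER
    return respond_vulnerable(len(request), memory), respond_fixed(len(request), memory)


if __name__ == "__main__":
    vuln, fixed = demo(0x4000)
    print("vulnerable leaks:", response_payload(vuln)[HEADER.size + MIN_PADDING:])
    print("fixed replies:", fixed)
```

The fix is a comparison against the length of the received record, not against the declared field; the declared field is attacker-controlled by definition. In this model the read simply stops at the end of the constructed buffer; in a real process it continues into whatever is mapped after it.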
So that puts the mystery back on us: what are the types of things we see as pentesters that involve the same thing? I'm talking about passwords again: default credentials. Why do I need to use Heartbleed when your password is "password", or "admin" and "password"? Or, every time, the company name with a "1" on the end? So yeah, default passwords, lack of two-factor, but that's another story. And there are things you can do to make it a little less bad: use strong passwords, and, since POODLE basically allows you to pull out a single request and try to decrypt it, look at unencrypted session cookies, the Secure flag, that sort of thing.

So I'm going to switch over to this one, because this is one I actually spent a good amount of time messing around with: there was a vulnerability called Universal XSS.
Universal cross-site scripting. I think it's specific to Internet Explorer; I was able to get it working on the most recent versions as of January. And what it is, it's actually not even cross-site scripting; it's called Universal XSS because that's what the media called it, but it's actually a same-origin policy bypass. The same-origin policy is basically a security feature in your browser that prevents scripts that come from one place from running against other places, other origins. Without it working, your script just works everywhere. The bypass itself in this particular case is a very specific way of using iframes: you're basically loading some content in an iframe and then you trick the browser into treating what's in there as if it came from the same origin as your script, so it reports OK, access granted. That's it in a nutshell. For those of you who want to delve into this, there's a proof of concept that was out there, available on the internet; go play around with it. The public one had pop-ups and required a button press; I messed around with it to the point where there's no user interaction required. I could actually get it to run inside an iframe and it would just instantly start working. I didn't publish that, though; it's not something I want out there, because it sounds really, really bad: it just works against any organization that has its users on a browser that isn't fixed.

I don't know if you can see this, but in June 2004 there was a vulnerability in Internet Explorer that very closely resembles this one. In fact, it could be the same thing; I don't know for certain that it is, but it really looks like it: both bypass the same-origin policy, both execute in a very similar fashion, and both use iframes. 2004 versus 2014: ten years later. It kind of makes you wonder whether this vulnerability was in place over those ten years. I don't know.

So, iframes. I know I'm kind of picking on a little thing right now, but do you remember seeing this before? Pixel-perfect timing attacks. Basically the issue there was a technique that uses the HTML5 filters, the ones for doing things like text shadows, to pull pixels out of an iframe. So when the framed content is something I shouldn't be able to access, I can at least determine something about it from the time it takes to render as it goes through the filters. For example, if you put a drop shadow on something, it might take half a second, I'm exaggerating, for black pixels versus a lot less for white. With that and some character recognition, you can take something that's rendered in the iframe and infer the text; basically it's able to get that data out. And there's no protection for that in iframes right now. The best thing we can do is the X-Frame-Options header; it's small and it's so easy to put up. The other thing to keep an eye on is CSP, Content Security Policy. Being a developer, looking at it, I can see that CSP is complicated; you can't retrofit it. You use CSP on a new site, or you pretty much rebuild the whole thing, so it's too expensive for organizations to actually entertain fixing old websites with CSP.

All right, so that's pretty much everything I wanted to say. I did want to bring up two other points; Marcus brought up at least one of these earlier. These are two things that we see a lot of in pentests, and I don't have a specific zero day to tie to either, but they go together with all of this. First of all: are you monitoring your logs? You'd be surprised how often I ask that and everyone just looks around.
"Oh yes, we log everything." "Well, no, there's logging there, we just haven't turned it on yet." Or "we have the logs, there's no need to read them." You have to read the logs too. So the logs are there, but is anybody looking at them? In a pentest it's not always clear that they are monitoring the logs; maybe it's a weekly or bi-weekly process. Occasionally I get an email from somebody, or a phone call, saying "hey, are you doing your test? We're seeing this, is that you?" Yes, that was us. But I've also had to say "no, that wasn't me", and, yeah, I referred that to the client too. So if you see something weird on your network while I'm doing a test, don't assume I'm doing everything.

The other one is very scary, and it's really depressing: getting on site, ready to start things off, and realizing they either don't even know what a risk assessment is, or they've never done one before, or they looked at some risk calculator, whatever it is. I can see a ten-, twenty-, hundred-person shop really not doing that today, versus a big enterprise, a financial. But I had one instance of a defense contractor who had simply put in a number of firewalls: "super secure, right?" That's where I sent up the flare: "who reads your logs?" They literally turned to me: "no, nobody, they don't read anything." So my point is, I do work with small companies too, and this is not really a matter of equity; they don't want to think about it, they don't want to hire someone. And then with the bigger projects they've got everything looking a lot better, if you've got a big building with all the assets. But we find it across the board. That doesn't mean everybody is really bad; there are some clients that actually do a really good job. But the point is there are a lot of them, the big and the small, that did not have any risk assessment process. And the other side is cost: if you're a ten-person shop, you can't afford the thousand-dollar assessment. When we look at the big dogs, they charge a premium price, and they rightfully should, and we've never lost on the analysis we've done, so maybe that's kind of how we justify it. Stop trying to think you know; learn about it. So they get the job done, which is what you want, and that just means the bad enterprise security out there is waking up, usually.

So here are my takeaways. Definitely evaluate your zero days: take a look at the risk and address it. Don't forget to keep fighting the good fight if you're running into management barriers; all the vulnerabilities are important. Make sure you do your monitoring and your logging. And don't forget about the little things: just because there was a vulnerability at one point in time that had to do with iframes, and then in a lot of ways we stopped worrying about it, well, there have been several since, so it is a small thing, not something you'd really worry about so much, but maybe we should still keep it in mind. Iframes, I think, are something developers should be aware of. So that's pretty much it. Thanks, everyone. Questions?

[Audience] I'm just curious: your points two through four are fine, but what are you suggesting for point number one? If there's no depth to be monitoring, the other sources... is your takeaway to evaluate the risk of the zero days?

Yeah. OK, so to clarify: once a zero day becomes public; obviously before that nobody knows it exists, right? So what I meant by that is, take all of these, take Shellshock again: when something like that becomes public and you become aware of it, acknowledge it. There shouldn't be a scramble right away; see how badly it affects the business, what we've identified, and whether there's anything that you can do to address it.
[Audience] We saw recently a couple of breaches where they had to go back and rebuild things, a year's worth of work. One of the things I've been struggling with is that I've started trying to talk to developers about developer ethics and security. We're reaching a point, I believe, and you can agree or not, where there are certain decisions that organizations can no longer make, because they have proven themselves incapable of weighing the risks. Among those, likely, is two-factor authentication especially, and other things that we as a community know need to become something the developer just does; and if the client rejects it, the developer should resign, or charge way extra money to show that this is a negative decision you're making and that, because we're ethically obligated, we're not going to do it. The default should be the reasonably more secure option, and then stop letting the business people decide, because they can't make the decision. It's like: no, three or five hundred dollars on your VPS, and use it; you don't have a choice, right?

The problem is it's kind of tricky; there's a cost. We were talking about this on the break earlier. One of the ladies here, the first thing she said was, look, we wanted people to add two more characters to their password, and by doing that it cost ten times more money supporting customer service with password issues and locked accounts. So the bigger problem is... I believe we're all about feedback here. The people you meet on the street, you talk to them, they feel it. But if you work for a bank, sure, you're going to tell anybody it's not an option, right? Internal security is one thing, and don't get me wrong, I'm glad you said it; external security is another. You're never going to stop people saying "I don't want that, I can still get in, because you never came back." So it really drives the problem that you can create more problems if you're not careful. Absolutely, bring the inside in. I just think there's a little difference when you say that to every little shop in your company that we've dealt with, and they ask you: what would the implementation of this cost? Which, by the way, is all on our group; so you're adding a cost to it. I think she was very supportive of it. How many people here turn off their two-factor? What I'm trying to get at is: it's not that we have to agree, at least make it work; you should at least be active about security; there's training.

So the developers resigning is possible, but it's really tough, because you've got a lot of contract developers; that's how I work, by nature. We've got a lot of developers; over here in this country we're fairly spoiled for developers, there's a lot of them, they pay very well, it's an incredible market: "I'm looking for AngularJS on board now." But it's not in the budget this year. Respectfully, it's going to be a business decision to do these things, not a technological decision, because honestly, from a business perspective, if you don't know it, it's a business decision, it is not a developer decision. It's wonderful if it happens, but the business people make the decisions and have to deal with that; realistically, to be able to impose that from above is very different. There are some people, you know, the new business standards, SP 800-171, go get happy. OK, so especially to whoever said it about the developer decision: you get the right solution by bringing those questions and asking the right questions. You can explain the security even though it makes sense from your perspective, and that's the tough part, because "I'm going to lock everything and let you know if you hit the lock", with no lock in that session today, is just not realistic; it costs me money; that's definitely a challenge.

My take on it is that it's a situation of different groups with completely different goals that somehow have to work together. I mean, we can't take the business out of the situation, and you see these types of issues between the business and development; they're not lining up. So it's, well, I don't know; they're going to have to work it out.
[Applause]