Centre for Cyber Security Thomas Kristmar Centre for Cyber Security Danish Defence Intelligence Service
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Centre for Cyber Security Thomas Kristmar Centre for Cyber Security Danish Defence Intelligence Service
05-10-2015
05-10-2015
Who are we?
Centre for Cyber Security
In respect of the Rule of Law and Privacy – Cyber is a priority (Gov. Declaration, Oct 2011)
National Centre of excellence in Cyber Security
DK Defence Intelligence Service
5. oktober 2015
4
SDLC - Theory
Actual SDLC
Requirements Too costly /too late
Ship & Fix in future release
5. oktober 2015 7
Example– SSL certificates
05-10-2015
Example Directory Traversal
05-10-2015
“Those who don't know history are doomed to repeat it.”
05-10-2015
Societal Impact
05-10-2015
Risk
Know your code
http://cynosureprime.blogspot.dk/2015/09/how-we-cracked-millions-of-ashley.html
05-10-2015
Risk
Know your code
http://qz.com/501073/the-top-100-passwords-on-ashley-madison/
XcodeGhost http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/
Password Number of users 123456 120511 12345 48452 password 39448 DEFAULT 34275 123456789 26620 qwerty 20778
05-10-2015
Risk
Don’t implement your own crypto
Pixie Dust Attacks (flaw in three implementations of WPS)
https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?pli=1#gid=2048815923
And pls. don’t hardcode passwords
CVE-2014-0329 :DSL routers contain hardcoded password
05-10-2015
Risk
Open source isn’t secure by default
CVE-2014-0160
CVE-2014-6271
05-10-2015
Lessons Learned
Know your code AND be able to update
Don’t implement your own crypto
Open source isn’t secure by default
Read OWASP / SDLC AND do threat modeling
05-10-2015
Thank you for your attention
05-10-2015
05-10-2015
Related Documents
