
$HOME Sweet $HOME Devoxx 2015

Information about $HOME Sweet $HOME Devoxx 2015

Published on November 11, 2015

Author: xme

Source: slideshare.net

Content

1. @xme #Devoxx #IoT $HOME Sweet $HOME, Xavier Mertens, TrueSec

2. $ cat ~/whoami.xml <profile> <real_name>Xavier Mertens</real_name> <day_job>Freelance Security Consultant</day_job> <night_job>Hacker, Blogger</night_job> <![CDATA[ www.truesec.be blog.rootshell.be isc.sans.edu www.brucon.org ]]> </profile>

3. $ cat ~/.profile
 • I like (your) data
 • Playing “active defense”
 • I prefer (black) t-shirts to ties
 • I like to play with gadgets

4. $ cat /opt/disclaimer.txt “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past or present employers, partners or customers.”

8. Agenda
 • A revolution entered our homes
 • “Internet of Terror”
 • Issues & Mitigations

12. Do you remember? 2:291/715.9 39:120/201.9 company!bigfoot!vax!xavier

18. What is the difference between…

19. This…

20. And this…

21. Or this…

22. FAIL!

23. Security / Features / Ease of Use

24. Security / Features / Ease of Use / Business

26. You said “Security”?

28. Source: http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

31. Source: http://www.engadget.com/2011/08/04/researcher-hacks-wireless-insulin-pump-to-push-lethal-doses-giv

32. Source: http://archive.hack.lu/2015/2015-10-20-SEKOIA-Keynote%20Internet%20of%20Tchotchke-v1.0.pdf

33. Source: http://destinhaus.com/driverless-cars-the-car-hack-security-challenge/

34. Big Brother is watching you?

35. Tools & Languages

36. Popularity == Nice target (Source: cvedetails.com)

37. Security goals
 • To protect “data”
 • To prevent unauthorised access
 • To prevent unauthorised modification
 • To prevent loss

38. Security is relative
 • Directly related to your business and needs
 • Security is measured at a time “T”
 • Security level is directly related to the weakest point
 • Security must be constantly reviewed and adapted
 “Security is a process, not a product” - Bruce Schneier

39. Pivot! “We are always a weakest point for someone else!” You / Partner / Me / Trust

40. Infosec guys VS. developers: “Developers think of ways to make things”, “Security peeps think of ways to break things”

41. Infosec guys VS. developers
 Infosec guys:
 • Implement boring controls
 • Make our daily job difficult
 • Are paranoid
 • Don’t know the business
 Developers:
 • Just write lines of code
 • Don’t have a clue about security
 • Have short deadlines (“RTM”)
 • Re-use pieces of code (and the associated bugs)

43. Source: Intel

44. Source: OpenDNS, The 2015 Internet of Things in the Enterprise Report

46. Sensors / Software / Connectivity / Big data, facing: Vulnerability / Exploit / MitM / Privacy abuse

47. Top security threats (Source: Capgemini & Sogeti, “Security of the IoT Survey”, Nov 2014)

48. Issue #1 - It’s a computer…
 • Insecure Web Interface
 • Insufficient Authentication/Authorization
 • Insecure Network Services
 • Lack of Transport Encryption
 • Privacy Concerns
 • Insecure Cloud Interface
 • Insecure Mobile Interface
 • Insufficient Security Configurability
 • Insecure Software/Firmware
 • Poor Physical Security
 Source: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project

49. Issue #2 - In the wild
 • Working in our real life!
 • Physical access == Pwn3d!
 • Access personal data
 • Access health data
 • Access & control critical data (electricity, gas, water, cars)

50. Issue #3 - Limited resources
 • Slow CPU
 • Basic interface (who said “where is the GUI?”)
 • Restricted RAM
 • Restricted storage
 • Restricted API calls
 • Restricted features
 • Battery usage

51. Issue #4 - Crypto
 • Use good crypto (hashing is not crypto)
 • Crypto requires resources (see #3)
 • Self-made crypto == bad crypto

52. Issue #5 - External resources
 • Why reinvent the wheel?
 • External resources are buggy / may contain backdoors

53. Issue #6 - Valuable data
 • Why store so much data?
 • Data classification
 • Data privacy

54. Issue #7 - Back to the roots
 • IoT will be deployed by old school industries (ex: smart meters)
 • Know their business

55. Tips to keep in mind
 • IoT is there and will invade (is invading) our homes & companies
 • Think: “IoT” == “Computers” (same issues)
 • Smart != Safe
 • Tools exist… but assess them!
 • Ask yourself: “Do I need it?”
 • Apply critical security controls (1)
 (1) http://www.sans.org/critical-security-controls

56. Tips to keep in mind
 • Think “data privacy”. Do I need the data in the device? What if data are stolen?
 • Implement security from the design (remember “SDLC”)

57. Questions? @xme [email protected] https://www.truesec.be https://blog.rootshell.be
