Centre for Cyber Security Thomas Kristmar Centre for Cyber Security - - PowerPoint PPT Presentation



SLIDE 1

Centre for Cyber Security

Thomas Kristmar Centre for Cyber Security Danish Defence Intelligence Service

SLIDE 2

05-10-2015

SLIDE 3


SLIDE 4

Who are we?

Centre for Cyber Security

  • In respect of the Rule of Law and Privacy – Cyber is a priority (Gov. Declaration, Oct 2011)
  • National Centre of excellence in Cyber Security
  • DK Defence Intelligence Service

SLIDE 5
  • SDLC - Theory
SLIDE 6
  • Actual SDLC

(diagram) Requirements → Too costly / too late → Ship & fix in future release

SLIDE 7

Example – SSL certificates

SLIDE 8


Example – Directory Traversal

SLIDE 9


“Those who don't know history are doomed to repeat it.”

SLIDE 10


Societal Impact

SLIDE 11


Risk

  • Know your code

http://cynosureprime.blogspot.dk/2015/09/how-we-cracked-millions-of-ashley.html

SLIDE 12


Risk

  • Know your code

http://qz.com/501073/the-top-100-passwords-on-ashley-madison/

Password     Number of users
123456       120511
12345        48452
password     39448
DEFAULT      34275
123456789    26620
qwerty       20778

  • XcodeGhost

http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/

SLIDE 13


Risk

  • Don’t implement your own crypto
  • Pixie Dust Attacks (flaw in three implementations of WPS)
  • https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?pli=1#gid=2048815923
  • And pls. don’t hardcode passwords
  • CVE-2014-0329: DSL routers contain hardcoded password

SLIDE 14


Risk

  • Open source isn’t secure by default

CVE-2014-0160 CVE-2014-6271

SLIDE 15


Lessons Learned

  • Know your code AND be able to update
  • Don’t implement your own crypto
  • Open source isn’t secure by default
  • Read OWASP / SDLC AND do threat modeling

SLIDE 16


Thank you for your attention

SLIDE 17


SLIDE 18
