Myths of Security, by John Viega
The market wants to believe that one security product will solve all of its security problems.
Update AV and software, and only talk to genuine sites online.
good and bad intelligent guys.
security is a performance overhead.
Making things simple can be difficult.
There is no silver bullet for any solution.
Intention: money,ego
Nothing can ever be frozen in the software field.
selling to end users or to companies?
illegal software masquerading as legal.
security problems of the browser.
getting access to one PC on a corporate LAN.
what data of yours is available on social networking sites can be used to create a personalized attack on you.
compromise a website/page that has active users.
rest attack.
get control of a system and use it for further attacks using botnet software.
vendors who do lots of different things are rarely best at anything.
ad companies are evil.
dat files or signature files.
if there are no thieves, the police have no job; if there is no one to buy, the one who sells is out of a job.
what is the duration between a software release, the vulnerability being detected and malware created, AV detecting the malware, and the software patch being released and applied?
heuristic detection
cryptographic signature verification.
network address translation
some security companies create fear and sell.
Bruce Schneier
John Viega
north of 80%
It is important to be passionate about security.
closed software may have more bugs than open software, but its source code is not available for inspection.
it is not if you are best, it is if you are better than your competition.
out of sight, out of mind..advertising.
virtualization and security.
security problems exist: found by bad guys, found by good guys, found by strong guys, or not found at all.
the process of finding involves costs. if found by a bad guy, it can cause loss of face, data, control, money.
PCI: Payment Card Industry
disclosure models: let it all hang out, keep it secret, responsible disclosure.
pwn=own
dvlabs tippingpoint zeroday
NIPS (network) / HIPS (host): intrusion prevention systems.
Cisco IOS, the router operating system.
Man-in-the-middle attacks are possible using ARP poisoning with tools like Dsniff, Ettercap, Cain & Abel, or via an unencrypted wireless access point.
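The defender's side of the ARP-poisoning note above is detection: a host's ARP cache tells you when the gateway's MAC address has silently changed or when one MAC claims several IPs. The following is an added example (not code from the talk or from any tool it names) that parses two constructed snapshots in the style of Linux `ip neigh` output and flags those two conditions; the addresses, MACs and snapshot text are all made up for the demo.

```python
import re
from collections import defaultdict

# Constructed sample snapshots in the style of "ip neigh" output (not captured from a real host).
BASELINE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
"""

# Later snapshot: the gateway (.1) now resolves to the MAC of .30, which also still claims its own IP,
# the classic footprint of a poisoned cache. The .40 line has no lladdr and must be ignored.
CURRENT = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
192.168.1.40 dev eth0 FAILED
"""

# ip, device, and a 17-character colon-separated MAC; entries without lladdr do not match.
ENTRY_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})", re.I)


def parse_arp_table(text):
    """Map IP -> lowercase MAC for every resolved entry in the snapshot."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            ip, _dev, mac = m.groups()
            table[ip] = mac.lower()
    return table


def detect_arp_anomalies(baseline, current, gateway_ip):
    """Return a list of findings comparing a trusted baseline with a current snapshot.

    Two signals are checked:
      - the gateway's MAC differs from the baseline (most damaging poisoning target);
      - a single MAC now answers for more than one IP (a spoofer must keep its own address too).
    """
    findings = []
    if (gateway_ip in baseline and gateway_ip in current
            and baseline[gateway_ip] != current[gateway_ip]):
        findings.append(("gateway_mac_changed", gateway_ip,
                         baseline[gateway_ip], current[gateway_ip]))

    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("mac_claims_multiple_ips", mac, tuple(sorted(ips))))
    return findings


if __name__ == "__main__":
    base = parse_arp_table(BASELINE)
    cur = parse_arp_table(CURRENT)
    for finding in detect_arp_anomalies(base, cur, gateway_ip="192.168.1.1"):
        print(finding)
```

Treat both signals as indicators rather than proof: a MAC legitimately serving several IPs (virtual IPs, first-hop redundancy protocols) or a planned gateway replacement will also trip them, so the baseline must be refreshed when the network changes, and a static ARP entry for the gateway or switch-level dynamic ARP inspection is the actual mitigation.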
insider / physical attack.
electronic locks.
disconnect between academics and industry
craptcha / decaptcher.com: usability trade-off
a minimal (AV) bar is better than no bar.
No death for passwords.
locking out a valid user intentionally.
Zero Knowledge password protocol.
One time password. zork.org/opus
site-specific password built from a generic string.
sxipper.com: Firefox password storage plugin
First lines of a popular sentence.
goodpassword.com
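The "site-specific password from a generic string" idea above is usually done by hand (one memorized string plus the site name), which leaks the shared part as soon as one site's password is exposed. The added example below, written for these notes and not taken from the talk or any of the sites it lists, shows the hashed form of that scheme: a master secret is stretched once, then each site's password is an HMAC over the canonical hostname and a rotation counter, so no site password reveals the master or any other site's password. The salt constant, the 20-character length and the hostname canonicalisation rule are assumptions of this demo.

```python
import base64
import hashlib
import hmac
import unicodedata
from urllib.parse import urlsplit

# Demo-only constant; a real tool would store a per-user random salt alongside the vault.
DEMO_SALT = b"site-password-demo-salt"
PBKDF2_ROUNDS = 100_000


def canonical_site(url_or_host):
    """Reduce a URL or hostname to a lowercase host so 'www.Example.com/login' and
    'example.com' produce the same password. Heuristic: drop scheme, path, port, and a leading 'www.'."""
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = (urlsplit(target).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def stretch_master(master):
    """Turn the memorized master secret into a 32-byte key; the slow step is done once per session."""
    normalized = unicodedata.normalize("NFKC", master).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", normalized, DEMO_SALT, PBKDF2_ROUNDS)


def derive_site_password(master_key, site, length=20, counter=1):
    """Per-site password = base64(HMAC-SHA256(master_key, host || NUL || counter))[:length].

    Bumping the counter rotates one site's password without touching the master secret.
    """
    message = f"{canonical_site(site)}\x00{counter}".encode("utf-8")
    digest = hmac.new(master_key, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


if __name__ == "__main__":
    key = stretch_master("correct horse battery staple")  # constructed sample master secret
    for site in ("https://www.Example.com/login", "example.com", "mail.example.net"):
        print(f"{site:32} -> {derive_site_password(key, site)}")
```

Two caveats a practitioner hits immediately: the output alphabet (letters, digits, `+`, `/`) may not satisfy a site's composition rules, and a site that forces a reset can only be accommodated by remembering its counter, which is exactly the per-site state a password manager keeps for you.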
spam: legitimate mails may end up there.
junk mail from legitimate users?
mailinator.com / mxlogic.com
SiteKey / 2-factor auth
False positives.