In this week's podcast, professor Barry Burd talks to Shuman Ghosemajumder. Ghosemajumder is VP of product management at Shape Security and former click fraud czar for Google. Ghosemajumder is also the co-author of the book CGI Programming Unleashed, and was a keynote speaker at QCon New York 2016 presenting Security War Stories.
Key Takeaways
- With more of our lives conducted online through technology and information retrieval systems, the use of advanced technology gives criminals the opportunity to be able to do things that they weren't able to do.
- Cyber-criminals come from all over the world and every socioeconomic background, so long as there's some level of access to computers and technology.
- You see organised cyber-crime focusing on large companies because of the fact that they get a much greater sense of efficiency for their attacks.
- Cyber-criminals are getting creative, and coming up with ways to interact with websites we haven't thought of before.
- You can have very large scale attacks that are completely invisible from the point of view of the application that's being attacked.
- The context of what you are using software for is more important than just going through an understanding of the code level vulnerability.
Notes
The Increasing Pace of Data Breaches
1m:13s - As society has moved online, that's simply where business is being transacted and where people's lives are being conducted. That's why you see criminals starting to focus on using technology, because that's simply the way that they get to people.
1m:32s - There has also been a technological shift. When you have more of our lives conducted online through technology and information retrieval systems, the use of advanced technology gives criminals the opportunity to be able to do things that they weren't able to do in the old model of crime.
2m:01s - Using technology, now it's possible for criminals to burgle the equivalent of thousands of houses simultaneously, using automation tools that allow them to distribute their attack in a very efficient way.
2m:55s - It really depends on the nature of the cyber-criminal and the value of the targets that they're after when they're figuring out what kind of scheme they want to engage in. If you're talking about getting at some data that's very valuable and you're willing to invest significant amounts in order to get that value, that lends itself to different types of technology.
The People Behind Cyber-Crime
5m:28s - There are all kinds of different personalities and demographics involved. Cyber-criminals come from all over the world and every socioeconomic background, so long as there's some level of access to computers and technology. Even in cases where a cyber criminal doesn't know how to use technology directly, or how to create something like a piece of malware, they can still be involved in a cyber-criminal's scheme.
6m:29s - A scheme which uses large groups of individuals and which doesn’t necessarily need to have skills itself, is stealing money from bank accounts. Being able to transfer money using malware on people’s machines from one account to another account that the cyber-criminal controls still involves getting that money out. That last step can involve a set of bank accounts that are assigned to real individuals.
7m:43s - In the case of building up botnets and compromising millions of people's machines, unbeknownst to them, that's the kind of scheme where the individuals providing these resources have no idea that their machines are involved. Or, in other cases, where they are solving things like Captchas online; those can be solved using a combination of programmatic and manual efforts. You can take Captchas that you, as a cyber-criminal, haven't been able to solve using optical character recognition and instead farm them out to millions of users as a challenge that's issued to them to get content from behind a paywall.
The Differences Between Individual Consumer Fraud and Corporate Fraud
9m:13s - There's a very strong overlap between the two, in the sense that there are many companies that serve millions of customers. In those cases, cyber-criminals are trying to get access to those customer accounts and the value behind those accounts; then it becomes an issue for both the customer themselves, and for the company that's providing that service.
9m:37s - If somebody can get access to your bank account, that’s an issue for you but also an issue for your bank; so both of you are trying to work to prevent that. It can be exceedingly difficult, and there are different things that each of you are capable of looking for, or interested in looking for. In the case of an individual, you are going to be very concerned if you see any anomalies associated with your bank balance. A bank needs to look for indicators of fraud that aren't visible to the naked eye, because one of the ways that cyber-criminals can steal money is in much smaller chunks.
11m:18s - Banks are looking for signs of many different fraud schemes, so in some cases the giveaway is not even money that is directly stolen out of someone's account; it's the act of logging into an account and checking to see whether or not you have credentials that are valid on that account, which could then allow the cyber-criminal to sell those credentials to someone else.
The Profile of a Cyber-Criminal
14m:21s - One of the reasons that you see organised cyber-crime focusing on large companies is because of the fact that they get a much greater sense of efficiency for their attacks when they go to one particular mechanism that has a lot of value behind it. If you can figure out a way to be able to breach a single website that has millions of users' account value, or millions of users' data that you can steal and sell on underground markets, that's a very efficient type of attack versus having to compromise millions of users' machines directly.
15m:19s - In the past you might have thought that there would be a greater level of capability and education on the part of cyber-criminal organisations that are concentrating on those corporate types of attacks, but I think now you see factors that balance both sides. For example, there can be a lot of sophistication associated with compromising individual end users, being able to create that malware that's able to get through all of the anti-virus and all of the network level filters that people have in place and compromise millions of machines. That's not something that's technologically trivial. At the same time there are tools available that allow even script kiddies to be able to attack large corporations in very successful ways.
How Culture Has Contributed to the Increase in Cyber-Crime
16m:36s - Cyber-criminals are getting creative, and coming up with ways to be able to interact with websites that we hadn't even thought of before and might not be thinking of from an application developer perspective. They're coming up with schemes that we haven't thought of from the perspective of the end users.
The Password Problem: Security
17m:19s - People haven't really thought a lot about how using the same password across multiple sites can make them extremely vulnerable. You can have a very strong password, but when you use it across multiple sites, you have the same password for your banking site as for a social network; and if that social network gets breached and your password gets out, then cyber criminals are going to take that list of breached passwords and test it on every single other website that they want to attack, including your banking site.
18m:40s - You have to use a different password across all of your sites, and that's something that introduces a lot of cognitive burden.
19m:02s - If you've got a password manager that you're using to generate a unique password on every single website that you access, and that password manager gets breached by a cyber criminal, now all of a sudden they have a nicely structured data set of all of your usernames and passwords that they can use to be able to access your accounts.
20m:19s - When you ask people throughout the security industry what they do personally, you get all kinds of different answers. Some people have evolved their own housework formula systems that they keep memorized with various mnemonics, and they have different levels of security for different types of websites.
20m:56s - The best compromise for a lot of users is using a password manager, which takes care of a lot of complexity; but what we still see, unfortunately, throughout account systems and throughout the security industry is rampant reuse of simple passwords.
Security War Stories
22m:29s - You can have very large scale attacks that are completely invisible from the point of view of the application that's being attacked.
22m:47s - There are so many different ways that people interact with applications and so many different demographics and sources of traffic, that it's very difficult to be able to understand whether or not someone is a real user or an attacker. That's the opportunity that attackers use to be able to create a scale of attack that can be breathtaking, while simultaneously pretty much invisible to even very sophisticated defenders.
24m:10s - You can discover many different attacks after they've occurred, and you can learn from those discoveries. But you are only aware of what you have become aware of, so you can do your best job doing those types of retrospective analyses. But what about the things that you didn't catch?
24m:42s - You see examples of this throughout the security industry: pieces of malware that were in the wild for years before anyone in the entire industry discovered them.
The Appeal of the Security Industry
26m:03s - Part of what attracts people to the security industry is the opportunity to be able to protect people using sophisticated techniques that are staying ahead of cyber criminals, and being able to take the battle to cyber criminals in terms of seeing if you can outsmart them.
27m:03s - The attacks that cyber criminals are going to come up with are going to be much more sophisticated than bugs that you just encounter in the process of application development. I think that if you really want to have a difficult intellectual challenge then the security industry offers a lot in that area.
Security Auditing
27m:44s - The big challenge is how you measure something like percentage of vulnerabilities. You can have one single vulnerability that has a massive impact in terms of whether or not that application is actually secure, versus just a large set of vulnerabilities that may not be a big deal for that particular application, depending on what it's trying to do.
28m:20s - How do you figure out the things that you aren't aware of right now, that are vulnerabilities that you have no way of measuring? Then there are problems of being able to do both manual and automatic analysis of code.
29m:06s - There are important roles for both types of mechanisms to play, but the main thing to keep in mind is that you're only going to be able to get a certain level of assurance by doing those types of audit. I think that the fundamental design of the application and the business purpose for it, or the logical purpose for it, is something that is difficult for a general auditing mechanism to be able to take into account.
29m:48s - You have to have the business owners, the software developers, the folks that are working in finance and the folks that are working in risk, all working together to be able to figure out what the level of risk that's associated with a given application or piece of software really is.
Challenges of Software Vulnerability
30m:52s - The bigger context of what you are using software for is probably even more important than just going through an understanding of the code level vulnerability. The discussion is really something that goes beyond security, and the way that we think about it in terms of IT security, which is generally more vulnerability focused.
32m:05s - One of the real challenges associated with software development is the complexity of the stack that we're using to be able to create any type of application. Being able to understand whether or not a given component is secure is a much more constrained type of task than figuring out whether or not that component is going to be capable of interacting with all the other components in a system in a guaranteed secure fashion.
33m:20s - There are different types of exploits people pick through that come from components where you wouldn't expect there to be a vulnerability, and I think that's what the challenge really is.
What Makes Someone Good At Security Auditing
37m:26s - The desire to really understand the mistakes that people can make when creating software, the desire to stay ahead of what other very smart people that are acting against them are doing, the desire to be able to protect individuals and society. I think that there are all kinds of different factors that motivate people to get into the security industry.
38m:12s - You have to be able to relate to your opponents. You have to be able to think like they do in order to be able to anticipate what their next move is going to be, but you also want to be extremely careful in how you engage with folks that have knowledge of those types of areas.
The Future of Security
39m:19s - I think that we've seen that security has become a boardroom level issue now for companies, especially as they're engaged with more online activity in the course of their regular business, and security is becoming interesting to the mainstream.
39m:45s - There is a great potential for there to be much more sophistication in terms of the technology that's going to be created by the security industry in the next few years and by everyone when it comes to security and innovations.
40m:17s - There are many exciting things that are coming from security startups, as well as from large companies like Google; Project Zero, I think, is a great example of a real desire to be able to make a difference in the security industry. Our own technology at Shape Security has been making a very large difference in terms of being able to deal with these large scale automated attacks.
41m:10s - The introduction of Touch ID by Apple into iPhones was a great innovation, in terms of being the first time that fingerprint technology was installed as a default option on the standard platform that hundreds of millions of people use.
41m:42s - Just like in the real world, you can never achieve one hundred percent security, so you can never say that we are secure in an absolute sense; however, I do think that everyone is becoming much more security-minded when it comes to how they use technology.
About QCon
QCon is a practitioner-driven conference designed for technical team leads, architects, and project managers who influence software innovation in their teams. QCon takes place 7 times per year in London, New York, San Francisco, São Paulo, Beijing, Shanghai & Tokyo. QCon San Francisco is at its 10th Edition and will take place Nov 7-11, 2016. 100+ expert practitioner speakers, 1300+ attendees and 18 tracks will cover topics driving the evolution of software development today. Visit qconsf.com to get more details.
More about our podcasts
You can keep up to date with the podcasts via our RSS feed, and they are available via SoundCloud and iTunes. From this page you also have access to our recorded show notes. They all have clickable links that will take you directly to that part of the audio.