real threats and defenses – alex holden – qcon

This is part of my live blogging from QCon 2015. See my QCon table of contents for other posts.

The speaker discovered the Target breach.

Technology is evolving faster than user education. We use different keys for our house, car, etc., but reuse the same passwords everywhere.

Car brakes are operated by foot for historical reasons: early cars needed the whole body's strength to make them go and stop. Brakes stay where they are because people are used to it; retraining everyone would be too hard.

We defend with tools/people/compliance.

Attacker types and motivations:

  • state/corporate sponsored
  • hacktivists (political/social)
  • profit seekers – anything that can be monetized is a higher-value target
  • revenge
  • employees

The Anthem breach might have been China. There is no way to monetize that many medical records, but the attackers could be looking for spies. [I thought medical number theft was a thing.] Sony might have been revenge from Russia.

Most hackers are located in countries without extradition treaties with the US.

99% of hackers fail, get arrested, etc

A spam operation typically involves 10-20 people

Even when an incompetent hacker doesn't actually steal any data, the victim still has to declare a PCI breach, notify customers, reissue credit cards, etc.

Russian hackers – a war of stereotypes – a holy war against the West.

Target breach
Started almost a year before the actual breach. The attackers had learned from a bad experience with BlackPOS in an attempted breach of Verifone POS terminals in Russia. They then planned for several months. A week before Black Friday they did a large trial run, spending $40 million of their own money.

The POS malware author was looking for a $12/hour programming job. He couldn't get one, so he turned to the hacker community. He was thorough: he cared about error handling and about working on multiple platforms. "Just a job." His employer cared about the monetization.

Cybervor breach
1.2 billion credentials from 420K sites. All of the data was obtained via SQL injection. They only looked for user IDs and passwords. The idea of stealing a little bit from many different places grew into the largest hack to date. They could have taken credit card data through the same holes, but chose not to.
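To make the mechanism concrete, here is an added example (my own code, not from the talk or from Hold Security) of the kind of flaw that yields user IDs and passwords in bulk, beside its parameterized fix. The table layout, the sample rows and the two payloads are constructed for illustration; the only real dependency is Python's standard `sqlite3` module.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the page): a tiny site database with
    users and payment cards, held in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, pan TEXT, expiry TEXT)")
    # Plaintext passwords on purpose: that is what most 2015-era dumps looked like.
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "hunter2"), ("bob", "letmein"), ("carol", "Tr0ub4dor&3")])
    conn.executemany("INSERT INTO cards (pan, expiry) VALUES (?, ?)",
                     [("4111111111111111", "12/19")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The flaw: the statement is built by string concatenation, so the
    caller's input is parsed as SQL. A single quote ends the literal early."""
    sql = "SELECT username, password FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The fix: a parameterized query. The driver binds the value as data, so
    no quoting in the input can change the structure of the statement."""
    sql = "SELECT username, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two payloads an attacker harvesting credentials would send.
DUMP_ALL_USERS = "x' OR '1'='1"                                 # tautology: every row matches
READ_OTHER_TABLE = "x' UNION SELECT pan, expiry FROM cards --"  # pivot to the cards table


def demo():
    conn = make_db()
    return {
        "vulnerable_users": lookup_vulnerable(conn, DUMP_ALL_USERS),
        "vulnerable_cards": lookup_vulnerable(conn, READ_OTHER_TABLE),
        "safe_users": lookup_safe(conn, DUMP_ALL_USERS),
        "safe_normal": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The tautology payload returns every user row; the `UNION` payload reads a table the query never mentioned, which is the "could have gotten credit card data" part. The same two inputs against `lookup_safe` return nothing, because the whole string is compared as a username.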

Defense 101
Credit card theft is on the decline because the card companies see patterns faster and act. For example, Chase flagged the Home Depot card numbers quickly, and hackers stopped buying them.

Need to understand patterns.

Biggest vectors: viruses, zero-day vulnerabilities (Heartbleed, Shellshock), and stolen/reused credentials.

Quantitative analysis: how much data is transferred? What is normal? Learn to look at the stats. If a page usually transfers 20KB, set a limit of 100KB so you know when you have a breach.
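An added example (my own, not from the talk) of that per-page limit applied to web server logs: learn the usual response size of each endpoint from a quiet period, then flag anything over five times that (20KB page, 100KB limit). The log lines are constructed in combined-log format; the endpoint names, sizes and the injection-shaped request are all made up for the demo.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample access-log lines (combined-log style, not from the page).
# HISTORY is a quiet period used to learn what "normal" looks like per endpoint.
HISTORY = """\
10.0.0.5 - - [13/Nov/2015:10:00:01 +0000] "GET /products?id=17 HTTP/1.1" 200 20480
10.0.0.6 - - [13/Nov/2015:10:00:02 +0000] "GET /products?id=18 HTTP/1.1" 200 19873
10.0.0.7 - - [13/Nov/2015:10:00:03 +0000] "GET /products?id=19 HTTP/1.1" 200 21002
10.0.0.8 - - [13/Nov/2015:10:00:04 +0000] "GET /products?id=20 HTTP/1.1" 200 20111
10.0.0.9 - - [13/Nov/2015:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 312000
10.0.0.9 - - [13/Nov/2015:10:00:06 +0000] "GET /static/app.js HTTP/1.1" 200 312000
"""
# TODAY has one request whose response is ~100x the usual size for that page:
# the kind of bulk pull an injection that dumps a whole table would produce.
TODAY = """\
10.0.0.12 - - [14/Nov/2015:09:00:01 +0000] "GET /products?id=21 HTTP/1.1" 200 20777
198.51.100.9 - - [14/Nov/2015:09:00:02 +0000] "GET /products?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 2318444
10.0.0.13 - - [14/Nov/2015:09:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 312000
10.0.0.14 - - [14/Nov/2015:09:00:04 +0000] "GET /newpage HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse(line):
    """Parse one combined-log line; returns None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
    e["endpoint"] = e["path"].split("?", 1)[0]  # group by path, ignore the query string
    return e


def learn_baseline(log_text):
    """Median response size per endpoint. Median rather than mean, so one huge
    response inside the training window cannot inflate its own threshold."""
    sizes = defaultdict(list)
    for e in filter(None, map(parse, log_text.splitlines())):
        sizes[e["endpoint"]].append(e["bytes"])
    return {ep: median(v) for ep, v in sizes.items()}


def find_oversized(log_text, baseline, factor=5, default_limit=100 * 1024):
    """Flag responses larger than factor x the endpoint's usual size (20KB page
    -> 100KB limit). Endpoints never seen in the baseline get a flat default
    limit rather than being ignored."""
    alerts = []
    for e in filter(None, map(parse, log_text.splitlines())):
        usual = baseline.get(e["endpoint"])
        limit = factor * usual if usual else default_limit
        if e["bytes"] > limit:
            alerts.append({"ip": e["ip"], "path": e["path"],
                           "bytes": e["bytes"], "limit": limit})
    return alerts


if __name__ == "__main__":
    for alert in find_oversized(TODAY, learn_baseline(HISTORY)):
        print(alert)
```

Keying the baseline on the endpoint rather than on a global number matters: the 312KB JavaScript bundle is normal for its own path and never fires, while the 2.3MB answer from a page that usually returns 20KB does.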

Honeypot: using a SQL injection flaw as a honeypot inside your own system, rather than on a separate system, lets you detect an attack. The idea is that hackers will think it is real and spend time on it. A zero-day attack might be revealed via the honeypot. It is an early warning system to alert you. Seed it with fake data that can be identified as yours but looks normal. Note: hackers know about the "+" technique (tagging email addresses with name+site@), so data marked that way does not look normal.

Auditors can get you in trouble with your boss. Hackers can get your company in trouble and end your career.

Assume you have been breached already. Look for your data online; look for a unique identifier. Search for "/logout" on your company's site to see if it has been spidered and whether people can use the Google cache to navigate it. [doesn't work on coderanch – the word shows up a lot in questions]
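An added example (my own code, not the speaker's) that ties the honeypot idea above to this "look for your data online" advice: a search endpoint that only appears injectable, serves canary records to anyone who probes it, records the probe, and a scanner that looks for those same canary values in a credential dump. The canary names, the domain `oakhollow-mail.net`, the catalogue, the injection signatures and the dump excerpt are all constructed for the demo; the canaries deliberately avoid "+" tagging, since the talk notes that hackers know that trick.

```python
import re
from datetime import datetime, timezone

# Canary records (constructed). They look like ordinary customers, but every
# value is unique to you: names and a domain (assumed here) that exist nowhere
# else. No "+" tagging: attackers know that trick and would discard such rows.
CANARY_ROWS = [
    {"id": 10417, "email": "d.marchetti@oakhollow-mail.net", "password": "Sept2014!"},
    {"id": 10418, "email": "r.quilliam@oakhollow-mail.net", "password": "bluebell7"},
]
CANARY_VALUES = {r["email"] for r in CANARY_ROWS} | {r["password"] for r in CANARY_ROWS}

# A real-looking catalogue so benign traffic gets a plausible answer.
CATALOGUE = ["red widget", "blue widget", "green gadget"]

# Signatures of common injection probes (tautology, UNION pivot, comment
# truncation, time-based blind, schema discovery). Not exhaustive: the point is
# to recognise someone poking at the hole, not to parse SQL.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+['\w]", re.I),
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    re.compile(r"--|/\*"),
    re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I),
    re.compile(r"information_schema|sqlite_master|sysobjects", re.I),
]


def looks_like_injection(value):
    return any(p.search(value) for p in SQLI_PATTERNS)


class Honeypot:
    """A search endpoint that deliberately *appears* injectable. Benign queries
    get catalogue hits; injection attempts get the canary rows, as though the
    injection had worked, and an alert is recorded."""

    def __init__(self):
        self.alerts = []

    def search(self, q, client_ip):
        if looks_like_injection(q):
            self.alerts.append({
                "when": datetime.now(timezone.utc).isoformat(),
                "ip": client_ip,
                "query": q,
                "served": [r["email"] for r in CANARY_ROWS],
            })
            return {"results": list(CANARY_ROWS)}
        return {"results": [item for item in CATALOGUE if q.lower() in item]}


def find_canaries(dump_text):
    """Scan a dump (or pastebin, or search result) for the canary values. A hit
    proves the text contains your data; with one canary set per honeypot it
    also says which system it came from."""
    return sorted(v for v in CANARY_VALUES if v in dump_text)


# Constructed dump excerpt in the usual email:password form.
SAMPLE_DUMP = """\
jane.doe@example.org:summer2013
d.marchetti@oakhollow-mail.net:Sept2014!
someone@example.net:password1
"""

if __name__ == "__main__":
    hp = Honeypot()
    print(hp.search("widget", "10.0.0.5"))
    print(hp.search("x' OR '1'='1", "198.51.100.9"))
    print(hp.alerts)
    print(find_canaries(SAMPLE_DUMP))
```

In a real deployment the honeypot route lives next to the genuine ones so it blends in, its alerts go to the same place as the rest of your monitoring, and the canary values are the "unique identifier" you periodically search for in dumps and in search engines.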

Treat security issues as risks, not just bugs/defects. A risk has to be addressed or mitigated; a bug can drag on for years.
