security war stories – shuman ghosemajumder – qcon

For my other blog posts on QCon, see the live blog table of contents. Shuman is from Shape Security and used to be the “Click Fraud Czar” at Google, where his team protected AdWords from malicious users.

  • “Computer security is like broccoli. You know you should have it but would rather have chocolate”
  • “My objective today is not to scare you, but it doesn’t necessarily hurt”
  • “If I were legally responsible for the security of the software I wrote, I would quit my job immediately … and probably move to a non-extradition country” – anon at QCon

How to make a system completely secure

  1. Get rid of the business model
  2. Don’t connect it to the internet

Security is relative – it is really about tradeoffs


  • 1903 – Marconi demonstrating wireless telegraphy at the Royal Institution. The tapping didn’t sound right to his assistant’s assistant: a magician (Nevil Maskelyne) was tapping “rats” in Morse code, then changed to “There was a young fellow of Italy who diddled the public quite prettily.” Marconi had claimed nobody could interfere – don’t promise what you can’t deliver! Also an early white hat hacker identifying the flaw.
  • 1939 – Bletchley Park – cracking Enigma during World War II
  • 1957 – Joe Engressia learned that whistling at a certain frequency got you free long distance calls. In the 60s and 70s, people who couldn’t whistle at 2600 hertz built blue boxes to do it for them.
  • 1988 – Morris worm – one of the first internet worms
  • 1992 – First polymorphic virus – constantly changes as it infects each new machine, so anti-virus looking for a standard signature can’t see it
  • 1994 – First kit for script kiddies. You didn’t need to be very skilled to attack.
  • 2002 – Bill Gates finally made security a top priority at Microsoft (the Trustworthy Computing memo)


  • You don’t even have to go back 24 hours to find a data breach.
  • Mark Zuckerberg’s bad password
  • Credential stuffing – a relatively new type of attack, with multiple specialists. It has multiple parts.
    • Attackers usually see a 0.1% to 2% success rate from password reuse (trying a password stolen from one site on another site).
    • So with a million stolen passwords, they can quickly take over about 10K accounts without anyone knowing.
    • Invisible – the victim doesn’t know the account is hacked.
    • Using a botnet, so the target site can’t detect the pattern of bad attempts either. It looks like a busy day on your website, not a hacking attempt.
    • Over 500 million leaked passwords are on the dark net, so attackers start with known-good passwords.
    • Good – Netflix reset passwords based on ANOTHER company’s breach
    • Sentry MBA is a credential stuffing tool. Raw materials: credentials that are already out there, IP addresses in a proxy list, and even help getting past CAPTCHAs. Third-party CAPTCHA-solving services mix OCR (computers doing it) and mturk-style work (humans doing it in developing countries).
    • Organic traffic has a pattern/cycle throughout the day. Inorganic traffic has a different shape. You can see the normal shape if you look at the graph without the login URLs.
    • Botnets are distributed globally, so you can’t block IPs by region.
    • Other things, like monitoring, also produce spikes.
    • Every website gets a tiny bit of attack traffic. These crawlers are just the background radiation of the internet – opportunistic probes. A bigger attacker has a profit motive and will stop or re-tool. The idea is to make it as expensive as possible for the attacker.
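The Netflix move above (resetting passwords because of someone else’s breach) only works if you can tell which of your users reused the leaked password, and you never hold their plaintext. The way to do it is to run each leaked plaintext through your own password hash with that user’s salt and compare. The following is an added example, not code from the talk, from Netflix or from Shape Security; the stored hash format (PBKDF2-HMAC-SHA256 with a per-user salt), the dump format (“email:password” per line), the work factor and the user records are all assumptions, and the dump is constructed.

```python
"""Cross-checking another site's breach dump against our own user base.

Added example, not code from the talk, Netflix or Shape Security. The stored
hash format (PBKDF2-HMAC-SHA256 with a per-user salt), the dump format
("email:password" per line), the work factor and the user records are assumptions.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # assumed work factor; tune for your own hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier for a password with the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_db() -> dict:
    """Constructed user table: alice reused her password on the breached site."""
    users = {}
    for email, password in [
        ("alice@example.com", "Summer2016!"),
        ("bob@example.com", "c0rrect-h0rse-battery"),
        ("carol@example.com", "hunter2hunter2"),
    ]:
        salt = os.urandom(16)
        users[email] = {"salt": salt, "hash": hash_password(password, salt), "must_reset": False}
    return users


# Constructed third-party dump; these are not real credentials.
BREACH_DUMP = """\
alice@example.com:Summer2016!
BOB@example.com:letmein123
dave@example.com:Summer2016!
not a credential line
"""


def parse_dump(text: str) -> list:
    """Return (email, password) pairs; emails are lower-cased for lookup."""
    pairs = []
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if not sep:
            continue  # skip lines that are not email:password
        pairs.append((email.strip().lower(), password))
    return pairs


def cross_check(users: dict, dump_pairs: list) -> list:
    """Flag users whose current password is the one leaked for their email.

    We never see our users' plaintext passwords, so the leaked plaintext is
    run through our own KDF with the user's salt and compared with the stored
    hash. That costs one KDF call per matching email, not per user, which is
    what keeps this affordable even with a deliberately slow hash.
    """
    hits = []
    for email, leaked_password in dump_pairs:
        user = users.get(email)
        if user is None:
            continue  # not our customer, nothing to do
        candidate = hash_password(leaked_password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            user["must_reset"] = True  # force a reset before the next login
            hits.append(email)
    return hits


if __name__ == "__main__":
    db = make_user_db()
    print("forced resets:", cross_check(db, parse_dump(BREACH_DUMP)))
```

Only alice is flagged: bob appears in the dump but with a password that is not his, and dave is not a customer. Note that the check is per matching email, so it scales with the size of the overlap between the dump and your user base, not with the product of the two.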

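Because a botnet spreads the attempts over thousands of IPs, a per-IP rate limit sees one or two attempts from each and fires on nothing; what does stand out is the shape of the traffic: login requests out of proportion to the rest of the site, and mostly failing. The following is an added example of that detection logic, not code from the talk or from Shape Security; the log format (“HH src_ip METHOD path status”, one request per line), the baseline window and the thresholds are assumptions, and the log lines are constructed.

```python
"""Spotting a credential-stuffing wave by traffic shape rather than per-IP counts.

Added example, not code from the talk or from Shape Security. The log format
("HH src_ip METHOD path status", one request per line), the baseline window
and the thresholds are assumptions; the log lines are constructed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d{2}) (\S+) (GET|POST) (\S+) (\d{3})$")


def make_sample_log() -> list:
    """Constructed log: hours 00-02 are organic; hour 03 adds a botnet wave."""
    lines = []
    for hour in range(4):
        for i in range(90):  # page views
            lines.append(f"{hour:02d} 10.0.{hour}.{i} GET /product/{i} 200")
        for i in range(10):  # organic logins: 2 typos, 8 successes
            status = 401 if i < 2 else 200
            lines.append(f"{hour:02d} 10.0.{hour}.{100 + i} POST /login {status}")
    # The wave: 200 attempts, each from its own IP, ~1% succeed (password reuse).
    for i in range(200):
        status = 200 if i < 2 else 401
        lines.append(f"03 198.51.100.{i} POST /login {status}")
    return lines


def parse(lines: list) -> list:
    recs = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate junk lines instead of aborting the whole scan
        hour, ip, method, path, status = m.groups()
        recs.append({"hour": int(hour), "ip": ip, "method": method,
                     "path": path, "status": int(status)})
    return recs


def is_login(r: dict) -> bool:
    return r["method"] == "POST" and r["path"] == "/login"


def hourly_stats(recs: list) -> dict:
    """Per hour: total requests, login attempts, failed logins, distinct login IPs."""
    stats = defaultdict(lambda: {"total": 0, "login": 0, "login_fail": 0, "login_ips": set()})
    for r in recs:
        s = stats[r["hour"]]
        s["total"] += 1
        if is_login(r):
            s["login"] += 1
            s["login_ips"].add(r["ip"])
            if r["status"] != 200:
                s["login_fail"] += 1
    return stats


def max_attempts_per_ip(recs: list, hour: int) -> int:
    """What a per-IP rate limiter would see in that hour."""
    counts = defaultdict(int)
    for r in recs:
        if r["hour"] == hour and is_login(r):
            counts[r["ip"]] += 1
    return max(counts.values(), default=0)


def login_share(s: dict) -> float:
    return s["login"] / s["total"] if s["total"] else 0.0


def failure_rate(s: dict) -> float:
    return s["login_fail"] / s["login"] if s["login"] else 0.0


def flag_stuffing(recs: list, baseline_hours: list,
                  share_multiplier: float = 3.0, min_failure_rate: float = 0.5):
    """Flag hours where logins are out of proportion to the rest of the site
    AND mostly failing. Baseline = login share over known-organic hours."""
    stats = hourly_stats(recs)
    base = [login_share(stats[h]) for h in baseline_hours if h in stats]
    baseline = sum(base) / len(base) if base else 0.0
    flagged = [h for h in sorted(stats)
               if login_share(stats[h]) > share_multiplier * baseline
               and failure_rate(stats[h]) > min_failure_rate]
    return flagged, baseline


if __name__ == "__main__":
    recs = parse(make_sample_log())
    flagged, baseline = flag_stuffing(recs, baseline_hours=[0, 1, 2])
    print("baseline login share", round(baseline, 3), "flagged hours", flagged)
    print("max login attempts from one IP in hour 3:", max_attempts_per_ip(recs, 3))
```

In the constructed data, hour 3 carries 210 login attempts against 90 page views (share 0.7 against a baseline of 0.1) with 95% of them failing, so it is flagged, while no single IP made more than one attempt. The failure-rate condition is what separates a stuffing wave from a legitimate spike such as a marketing email, where logins also surge but mostly succeed.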

  • Because the present isn’t scary enough, the future is scarier.
  • Attack surface is related to complexity
  • “Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can” – Jamie Zawinski.
  • Weak AI is already here (e.g. AIs representing users). Strong AI is much further out.
  • Sci-fi: Black Mirror. A device records everything and you can replay it on demand. Privacy and security implications: imagine if this data could be changed or published.
  • New attack surfaces:
    • autonomous vehicles
    • always-on IoT devices like Amazon Echo could be used for surveillance
    • Apple Home can unlock your house doors. Someone could turn your lights/stereo on at night at random, like a horror movie; a person could have a heart attack thinking the house is possessed.
  • New technology creates new attacks
    • Audio/video fidelity – could steal fingerprints or record every conversation from far away
    • Battery life – run a surveillance device for weeks
    • CPU power – defeat encryption
  • New attacks create unforeseen consequences – now we have to take off our shoes before flying

What can we do?

  • Pareto Principle – focus where you get the most benefit
  • Cybercriminals innovate. So do security services, standards and platforms.
