Cybercrime and the Developer: How to Start Defending against the Dark Side
Code Europe 2017
About me
Steve Poole
IBM Lead Engineer / Developer advocate
@spoole167 Making Java Real Since Version 0.9
Open Source Advocate
DevOps Practitioner (whatever that means!)
Driving Change
Outline
Cybercrime realities
Our perception, The bitter truth & why the future looks bleak
How our behavior makes cybercrime even easier
How we perceive ourselves and how we act
Vulnerabilities
The ammunition of choice: Hardware & Software
Why talking about vulnerabilities is good and bad
What can we do better
Changing behavior, Architecture and systems, Coding and developing
Summary
The situation is going to get worse before it gets better
We as a community need to take this seriously
Next steps. Education, risk assessment and active defense
@spoole167
Take away one thing
As a developer, security is your problem
This talk
• I’m a developer – not a security expert.
• Arose because of “compliance”: what does that mean? How do I find out more?
• Arose because I didn’t understand what the fuss was all about
• Arose because giving uneducated developers access to cloud resources generally has unfortunate consequences
• Is about how and why we need to behave differently.
• Here’s what I’ve learnt so far…
Do you know how strong your system is?
Is this your system?
Secure firewalls?
Strong encryption?
Can see any intrusion?
Maybe it's more like this?
Uses https occasionally? A firewall at least. Can see any intrusion out of this window?
Unless you pay attention it's soon going to be like this.
Cybercrime realities
Do you think cybercriminals are lone hackers?
Do you think cybercrime is always as obvious as this?
Dear Winner,
This is to inform you that you have been selected for a prize of a brand
new 2016 Model BMW Hydrogen 7 Series Car, a Check of $500,000.00
USD and an Apple laptop from the international balloting programs
held on the 27th, section of the 2016 annual award promo in the
UNITED STATE OF AMERICA.
Think you’re too smart to be suckered?
Cybercrime Realities
“Organized Cybercrime is the most profitable type of crime”
• In 2016 Cybercrime was estimated to be worth 445 Billion Dollars a Year
• In 2013 the United Nations Office on Drugs and Crime (UNODC) estimated
globally the illicit drug trade was worth 435 Billion Dollars
• Guess which one has the least risk to the criminal?
• Guess which is growing the fastest?
• Guess which one is the hardest to prosecute?
• Guess which one is predicted to reach 2100 Billion Dollars by 2019?
Wanna Cry?
Wanna Cry
• Friday, 12 May 2017
• Has infected 250K computers in 150+ countries
• It encrypts data and holds it for ransom
• The computer owner has a limited time to pay (in bitcoin) about $500
• So far the bitcoin owners have received about 50 bitcoins ~= $85K ($3/infected machine)
UK: National Health Service impacted:
India: All ATMs closed
Nissan: Halted all production
Renault: Halted some production
https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
Think how much disruption was caused for $85K
What about the other $449,915,000?
So who are the bad guys?
A mirror of you?
• Organized and methodical
• Organized like startup companies
• “Employ” highly experienced developers with deep knowledge
• Constantly innovating malware, seeking out vulnerabilities
• Sharing what they find with each other (for $ of course)
• Goal focused
• The average age of a cybercriminal is 35 years old
Already into crime
• Commissioner of the City of London Police:
• “We estimate that around 25 per cent of the organized crime groups in this
country are now involved in financial crime in one shape or another…”
• University of Cambridge:
• 60% of cyber-criminals had criminal records which were completely unrelated
to cyber-crime
• “those traditional offenders are changing their behavior and moving to the
internet”.
Cybercriminals mostly get caught for something other than cybercrime
What data are they after?
• Moving beyond credit card numbers
• Long term identity theft
• Medical data, Sensitive Personal Information, insurance information, Social Security numbers
• Information that gives insight into behavior
• Information that give access
Quiet and repeated Infiltration
Ransomware instead of cyber-graffiti
All personal data is useful and worth $$$
http://www.darkreading.com/attacks-breaches/stolen-health-record-databases-sell-for-$500000-in-the-deep-web/d/d-id/1328225?
They want facts about you and colleagues
• Any piece of personal information about YOU is useful. It gets sold on and somewhere someone brings it all together.
• Can I connect your email address to your date of birth?
• Can I find out where you live?
• Can I find out who you work for?
• Can I find out what you think about your boss?
• Can I find out what sites you’ve visited?
• The more I know about you – the more I can refine the attack.
• The more I know about you – the more $$ I can make
• And attacks are more than “technical”
Social Engineering:
No-one falls for those sorts of things, do they?
DEAR SIR/MA'AM.
YOUR ATM CARD OF $10.5MILLION DOLLARS WAS RETURNED TODAY BY OUR COURIER
DELIVERY COMPANY, AND WE ARE GOING TO CANCEL THE ATM CARD IF YOU FAILS TO
ACKNOWLEDGE THIS MESSAGE, WE SHALL ALSO ASSUME THAT WHAT OUR COURIER
DELIVERY COMPANY TOLD US IS NOTHING BUT THE TRUTH THAT YOU DON'T NEED YOUR
ATM CARD OF $10.5 MILLION DOLLARS ANY LONGER.
DO ACKNOWLEDGE THIS MESSAGE AS SOON AS POSSIBLE.
YOURS FAITHFULLY.
YOURS SINCERELY,
MR MARK WRIGHT,
DIRECTOR FOREIGN REMITTANCE
ATM CARD SWIFT PAYMENT DEPARTMENT
ZENITH BANK OF NIGERIA.
Federal Bureau of Investigation (FBI)
Anti-Terrorist And Monitory Crime Division.
Federal Bureau Of Investigation.
J.Edgar.Hoover Building Washington Dc
Customers Service Hours / Monday To Saturday
Office Hours Monday To Saturday:
Dear Beneficiary,
Series of meetings have been held over the past 7 months with the secretary general of
the United Nations Organization. This ended 3 days ago. It is obvious that you have not
received your fund which is to the tune of $16.5million due to past corrupt Governmental
Officials who almost held the fund to themselves for their selfish reason and some
individuals who have taken advantage of your fund all in an attempt to swindle your fund
which has led to so many losses from your end and unnecessary delay in the receipt of
your fund.for more information do get back to us.
….
Upon receipt of payment the delivery officer will ensure that your package is sent within
24 working hours.
From <your boss>
I’ve spoken to the Italians and they will send us the goods if we pay
$3M immediately. Details below.
I’m off to the golf course – no distractions -period.
An email from an international transport company urging recipients to open a waybill in a zip (the zip content launches a downloader).
The targets are busy and not IT savvy. The criminals are IT savvy and industry savvy.
Phishing -> Spear Phishing -> Personalised Attacks
The move is towards more organised and long term attacks that are
hidden from view.
Think about this – when you’re trawling the net for gullible people you
set the bar low.
With personalised attacks you invest more and make it compelling.
Your victims' views on Facebook about their boss, how busy they are, important deals coming up. It all helps to craft that million dollar scam…
Who’s being targeted?
• Middle level executives – afraid of their bosses?
• New joiners – easy to make a mistake?
• Busy and harassed key individuals – too busy to take time to consider?
• Disgruntled employees – want to hurt the company? Make some $?
• And Developers – the golden goose.
The bad guys prey on the weak, vulnerable and ignorant
Developers – why?
We know the inside story
We write the code
We have elevated privileges
We are over trusting
We use other peoples code and tools without inspection
We are ignorant of security matters
The bad guys prey on the weak, vulnerable and ignorant
Don’t agree?
“The bad guys prey on the weak, vulnerable and ignorant”
That’s you
Ever googled for:
“very trusting trust manager”
“Getting Java to accept all certs over HTTPS”
“How to Trust Any SSL Certificate”
“Disable Certificate Validation in Java”
    import java.security.cert.X509Certificate;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    // The "trust everything" pattern: every check is a no-op, so any certificate,
    // including one forged by a man in the middle, is accepted without complaint.
    TrustManager[] trustAllCerts = new TrustManager[]{
        new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() {
                return null;            // declares no trusted issuers at all
            }
            public void checkClientTrusted(X509Certificate[] certs, String authType) {
                // never throws: every client certificate passes
            }
            public void checkServerTrusted(X509Certificate[] certs, String authType) {
                // never throws: every server certificate passes
            }
            public boolean isClientTrusted(X509Certificate[] cert) {
                return true;
            }
            public boolean isServerTrusted(X509Certificate[] cert) {
                return true;
            }
        }
    };

Ever written something like this?
We've all done something like that.
We do it all the time.
The whole world does it.
How bad can it be?
GitHub search “implements TrustManager” ….
We've found 72,609 code results, among them:
• AlwaysValidTrustManager
• TrustAllServersWrappingTrustManager
• “A very friendly, accepting trust manager factory. Allows anything through. All kinds of certificates are accepted and trusted.”
• “A very trusting trust manager that accepts anything”
• // Install the all-trusting trust manager
• OverTrustingTrustProvider
• AllTrustingSecurityManagerPlugin.java
• AcceptingTrustManagerFactory.java
• AllTrustingCertHttpRequester.java
Developers are too trusting.
Linux Repos
npm
“npm is the package manager for JavaScript. Find, share, and reuse packages of code from hundreds of thousands of developers — and assemble them in powerful new ways.”
Great sentiments. But caveat emptor.
Are you still paying attention?
It gets scarier
Cybercrime: Expanding the attack vector
Basic ways in: The old fashioned set
• Social engineering – convince you to open the door
• Vulnerability exploits – find doors already open
• Inside information – you tell them where the keys are for gain
The bad guys can already get into your systems more easily than you ever thought possible.
The new attack vectors
• Devices, Devices, Devices
• Eavesdropping, network devices with default passwords
• Drive-by gateways
• Ransomware
• Blackmail and extortion
• Extending Malware into real products.
• Helpful free stuff – like docker images
• Dangerous paid stuff - like game trainers
• Actual ’at the source’ injections - like pull requests!
• Like unknown helpful people – do you know what can happen in a git merge?
Devices inside your network
What CPUs are connected to your network?
• Smart printers?
• Smart TVs?
• BYODs?
How many devices have default passwords?
How many have passwords that everyone knows?
How many are running older unpatched software?
You cannot ever assume your internal network is safe and uncompromised.
[Diagram: browser ↔ gateway ↔ website across the Internet. “Give me data” / “Here is data”, first over http:// and then over https://]
How safe is your interaction with the web?
Simple hijacked https:// case: you accept the certificate, but at least you saw it.
Simple hijacked https case 2: you have a bogus certificate authority locally, and you didn't even know it was there. It might even have been issued by your company and been stolen and used against you.
It can be even easier/worse
If your initial request to a server is http (i.e. unencrypted):
• A MITM can replace all inline https references with http.
• Then when your form is submitted it's sent unencrypted.
• Maybe the server will bounce the request. But it's too late: your private data is gone.
[Diagram: Stealing your data with http. The browser's post to https://foo.com is switched by the gateway into an http post to http://foo.com, which goes out in the clear and is answered with “Server unavailable”; after a RELOAD the https post to https://foo.com goes through.]
Typical Pattern
1. The MITM tracks a single important server target. The thieves know how the flows work, and they track your usage.
2. When your userid / password is requested, the https has already been forced to http.
3. Your data is sent in the clear. The MITM sends you a ‘there was a problem’ message and gets out of your way.
4. You refresh and resubmit.
5. None the wiser…
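The server-side answer to the pattern above is to serve nothing over plain http except a redirect to https, and to send Strict-Transport-Security from the https side so the browser stops asking over plain http on later visits. This is an added Java example, not code from the slides; it uses only the JDK's com.sun.net.httpserver, and the canonical host name and port 8080 are assumptions.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.URI;

/**
 * A plain-http front door that serves nothing but a redirect to https.
 * With no page and no form on port 80 there is nothing for a downgrading
 * MITM to rewrite, and the https side's HSTS header tells the browser to
 * stop asking over plain http at all on later visits.
 */
public final class HttpsUpgradeFrontDoor {

    /** Header value for every https response: one year, all subdomains. */
    static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";

    private final String canonicalHost;   // assumed: the site's real https host name

    HttpsUpgradeFrontDoor(String canonicalHost) {
        this.canonicalHost = canonicalHost;
    }

    /**
     * The https Location for a plain-http request. The host comes from
     * configuration, never from the client's Host header, so a forged Host
     * header cannot turn this into an open redirect.
     */
    URI upgradeLocation(URI requestUri) {
        String pathAndQuery = requestUri.getRawPath()
            + (requestUri.getRawQuery() == null ? "" : "?" + requestUri.getRawQuery());
        return URI.create("https://" + canonicalHost + pathAndQuery);
    }

    void handle(HttpExchange ex) throws IOException {
        // Whatever arrived over plain http (including any POST body) has already
        // crossed the network in the clear, so it is never read or acted on here.
        ex.getResponseHeaders().set("Location", upgradeLocation(ex.getRequestURI()).toString());
        ex.sendResponseHeaders(301, -1);   // -1: no response body
        ex.close();
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "www.example.test"; // assumed canonical host
        HttpsUpgradeFrontDoor door = new HttpsUpgradeFrontDoor(host);
        HttpServer server = HttpServer.create(new InetSocketAddress(8080), 0);
        server.createContext("/", door::handle);
        server.start();
        System.out.println("http://localhost:8080/... now 301s to https://" + host + "/...");
        // Browsers ignore HSTS received over plain http, so the https server
        // (not shown here) must be the one to send this header:
        System.out.println("Strict-Transport-Security: " + HSTS_VALUE);
    }
}
```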
What – you’d never connect to a bogus wifi?
Wifi gateways are everywhere.
How do you know that an SSID you see is not fake? In your office? In your home? In a coffee shop? At a conference in Poland?
Wifi gateways: a Pi Zero, a WiFi dongle and USB power. Would you notice this stuck to the wall?
Wifi gateways are everywhere, and many legitimate ones encourage bad practices.
Spoofing wifi gateways is really, really easy, and we follow access instructions without question, even adding certs to our browsers.
Q: So given how important using encryption correctly is…
Why do we turn it off?
    curl --insecure
    wget --no-check-certificate
    sudo apt-get --allow-unauthenticated
For reasonable reasons?
• “The server I access is self-signed”
• “I want to access multiple servers “
Unexpectedly?
• “I thought I was using the tool correctly”
• “I didn’t realize what the default setting was”
• “I trusted the tool to do the right thing”
Maliciously?
• “Someone changed the script and I don’t know why”
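The trust-all TrustManager earlier and the “self-signed” and “multiple servers” reasons above have the same proper answer: trust exactly the certificates you mean to, and nothing else. This is an added Java example, not code from the slides: it builds an SSLContext whose only trust anchors are the PEM files passed on the command line and leaves chain validation and hostname verification to the JDK; the URL and file paths are assumed arguments.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext that trusts only the listed server certificates.
 * Expiry, chain validation and hostname checks stay exactly as the JDK
 * does them by default; nothing is stubbed out.
 */
public final class PinnedTrust {

    /** Loads each PEM file as an X.509 certificate and uses it as a trust anchor. */
    static SSLContext contextTrustingOnly(List<Path> pemFiles) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // An empty in-memory key store: it holds nothing but the anchors added below,
        // so the JDK's default CA bundle is deliberately NOT consulted.
        KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
        anchors.load(null, null);

        for (int i = 0; i < pemFiles.size(); i++) {
            try (InputStream in = Files.newInputStream(pemFiles.get(i))) {
                X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
                anchors.setCertificateEntry("pinned-server-" + i, cert);
            }
        }

        // The standard PKIX trust manager does the real work: the presented chain must
        // terminate at one of these anchors, otherwise the handshake fails.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(anchors);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: PinnedTrust https://host/path server1.pem [server2.pem ...]");
            System.exit(2);
        }
        List<Path> pems = new ArrayList<>();
        for (int i = 1; i < args.length; i++) {
            pems.add(Path.of(args[i]));   // one PEM per server you actually talk to
        }

        SSLContext ctx = contextTrustingOnly(pems);
        HttpsURLConnection conn =
            (HttpsURLConnection) URI.create(args[0]).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // No setHostnameVerifier(...) call: the default verifier still requires the
        // certificate's subject alternative name to match the host in the URL.
        System.out.println("HTTP " + conn.getResponseCode() + " from " + args[0]);
    }
}
```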
And…
• Developers download code, tools, certificates etc. without considering the consequences.
• We believe implicitly that other developers are trustworthy.
“How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript”
Code pulled from NPM – which everyone was using
http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/
What if he'd added malware instead?
Why aren't we taking this seriously?
Cyber criminal
Would it help if we used a different name?
Cyber criminal → Advanced Persistent Threat
• Innovative
• Imaginative
• Without boundaries
• Well funded
• Ruthless
• Uncaring
Advanced Persistent Threat
And more
Remember that scene from Oceans 13, where they went to Mexico to fix the dice?
Suppose they had to get into a Smart TV factory and they had to ‘fix’ the SoC chips.
It’s already happened
Any device you buy may have already been compromised at the factory
Vulnerabilities
• Bugs and design flaws in your software and the software you use.
• Everyone has them.
• Researchers are looking for them all the time.
• So are the bad guys.
CVEs: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=*
keyword=javascript: 1572
keyword=java: 1692
Vulnerabilities
The bad news is that talking about the specifics of a vulnerability is not something anyone wants to do.
The relationship between CVEs and bug fixes is kept tenuous.
So how do you assess the impact of a vulnerability, or even where it's fixed?
Using CVSS (Common Vulnerability Scoring System), an agreed open process, vulnerabilities are scored.
Scores and ship vehicles are published:
https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19117/Oracle-JRE.html
https://developer.ibm.com/javasdk/support/security-vulnerabilities/
Struts-Shock
March: Apache Struts fixes a high-impact vulnerability.
Hours later: an exploit is published on a Chinese-language website and real attacks start.
Content-Type: %{(#_='multipart/form-data').(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(@java.lang.Runtime@getRuntime().exec('curl localhost:8000'))}
https://dzone.com/articles/will-it-pwn-cve-2017-5638-remote-code-execution-in
Apache Struts / OGNL: if the Content-Type contains “multipart/form-data”, Struts tries to parse the request as form data. That fails, and as part of building the error message the OGNL in the header is evaluated…
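The defender's view of the header above: a legitimate Content-Type is a plain media type and never needs braces, “#” or “@”, so the value can be checked against the media-type grammar before anything parses it, and logged values can be swept for OGNL markers. This is an added Java example, not code from the slides or from Apache Struts; the log line format and the sample lines are constructed for the demo.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Two checks for the Content-Type header, the field abused in CVE-2017-5638:
 *  1. an allow-list: is the value even a syntactically valid media type?
 *  2. a deny-list: does it carry OGNL expression markers worth alerting on?
 * Check (1) alone rejects the published payload shape; check (2) is for triage.
 */
public final class ContentTypeGuard {

    // RFC 7230 "token" characters: what a type, subtype and parameter name may contain.
    private static final String TOKEN = "[A-Za-z0-9!#$%&'*+.^_`|~-]+";
    private static final Pattern MEDIA_TYPE = Pattern.compile(
        "^" + TOKEN + "/" + TOKEN                                      // type/subtype
        + "(?:\\s*;\\s*" + TOKEN + "=(?:" + TOKEN + "|\"[^\"]*\"))*"    // ; name=value ...
        + "\\s*$");

    // Markers seen in the public Struts payloads: OGNL expression delimiters plus the
    // context object and packages the published exploit reaches for.
    private static final Pattern OGNL_MARKERS = Pattern.compile(
        "%\\{|\\$\\{|#_memberAccess|@ognl\\.|@java\\.lang\\.", Pattern.CASE_INSENSITIVE);

    /** True only for a structurally valid media type such as "multipart/form-data; boundary=abc". */
    static boolean isWellFormedMediaType(String contentType) {
        return contentType != null && MEDIA_TYPE.matcher(contentType).matches();
    }

    /** True when the header carries OGNL syntax; use for alerting, not as the only gate. */
    static boolean hasOgnlMarkers(String contentType) {
        return contentType != null && OGNL_MARKERS.matcher(contentType).find();
    }

    /** Policy at the request boundary: reject anything that is not a well-formed media type. */
    static boolean shouldReject(String contentType) {
        return contentType != null && !isWellFormedMediaType(contentType);
    }

    // Constructed log format for the demo: <client> "<METHOD> <path>" <status> "<Content-Type>"
    private static final Pattern LOG_LINE =
        Pattern.compile("^(\\S+) \"(\\S+) (\\S+)\" (\\d{3}) \"(.*)\"$");

    /** Returns the client addresses whose logged Content-Type carried OGNL markers. */
    static List<String> clientsSendingOgnl(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = LOG_LINE.matcher(line);
            if (m.matches() && hasOgnlMarkers(m.group(5))) {
                hits.add(m.group(1));
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines, not real traffic; the third mirrors the shape on the slide.
        List<String> sample = List.of(
            "10.0.0.5 \"POST /upload.action\" 200 \"multipart/form-data; boundary=----abc123\"",
            "10.0.0.6 \"POST /api/login\" 200 \"application/json\"",
            "203.0.113.9 \"GET /index.action\" 500 \"%{(#_='multipart/form-data')."
                + "(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}\"");

        System.out.println("alert on: " + clientsSendingOgnl(sample));   // [203.0.113.9]
        for (String line : sample) {
            Matcher m = LOG_LINE.matcher(line);
            if (m.matches()) {
                String verdict = shouldReject(m.group(5)) ? "REJECT " : "allow  ";
                System.out.println(verdict + m.group(5));
            }
        }
    }
}
```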
Checkpoint: The fundamentals
• Strong access controls and access management
• Accountability
• Validation
• Effective compartmentalisation
• Ability to detect intrusions
• Encrypted data
As developers we are all guilty of weakening or bypassing
the efforts of our IT organizations to keep our systems safe
We were ignorant. Now you're not.
First steps
Keep current. Every vulnerability fix you apply is one less way in.
Compartmentalise. Separate data, code, access controls etc.
Just like bulkhead doors in a ship: ensure one compromise doesn't sink your boat.
Design for intrusion. Review your levels of ‘helpfulness’ and flexibility.
Learn about Penetration Testing.
Understand that making your development life easier makes the hacker's job easier.
Next steps
Take control of your dependencies.
Build your own internal caches and repositories. Scan them for known vulnerabilities and change all those embedded default passwords. OR buy the service from someone you trust.
Don't download or depend on random code. Ensure you trust the providers and you understand what they are doing to earn and keep your trust. Examine the processes they have to ensure that the code / binaries / certificates being hosted are legitimate.
Educate yourself
Learn about secure engineering techniques.
Learn about how to assess security risks.
cwe.mitre.org
Coding Practices: The Seven Pernicious Kingdoms
1. Input Validation and Representation
2. API Abuse
3. Security Features
4. Time and State
5. Error Handling
6. Code Quality
7. Encapsulation
* Environment
Secure Coding Guidelines for Java SE
http://www.oracle.com/technetwork/java/seccodeguide-139067.html
Analysis Tools
find-sec-bugs.github.io
Secure by Design - Security Design Principles for the Rest of Us
https://www.slideshare.net/EoinWoods1/secure-by-design-security-design-principles-for-the-rest-of-us
Online Guides
https://www.owasp.org
This isn’t as challenging or costly as it seems
We’re already starting to do this
Microservices are helping with compartmentalisation.
Continuous Delivery is helping with frequent patching.
Containers are helping with dependency management.
Infrastructure as Code is helping with locking down environments.
DevOps is bringing IT practices and awareness to the developer.
Moving to the cloud allows us to have industry-leading security like firewalls, advanced intrusion detection, vulnerability assessments etc.
Does your cloud provider offer these services?
Recap
• The simple truth is that we are going to be engaged in an arms race over security for the foreseeable future.
• We're on the back foot right now.
• Our behavior makes cybercrime even easier.
• How we perceive ourselves and how we act has got to change.
• Vulnerabilities, compromised devices etc.
• We have to behave as if every server we have is publicly addressable.
• We have to focus on reducing our exposure.
But maybe there is some light at the end of the tunnel
Remember: Security is your problem
Thank you.
Any questions?
Maven Central++ What's happening at the core of the Java supply chainMaven Central++ What's happening at the core of the Java supply chain
Maven Central++ What's happening at the core of the Java supply chain
 
Stop Security by Sleight Of Hand.pptx
Stop Security by Sleight Of Hand.pptxStop Security by Sleight Of Hand.pptx
Stop Security by Sleight Of Hand.pptx
 
Superman or Ironman - can everyone be a 10x developer?
Superman or Ironman - can everyone be a 10x developer?Superman or Ironman - can everyone be a 10x developer?
Superman or Ironman - can everyone be a 10x developer?
 
The Secret Life of Maven Central
The Secret Life of Maven CentralThe Secret Life of Maven Central
The Secret Life of Maven Central
 
The Secret Life of Maven Central.pptx
The Secret Life of Maven Central.pptxThe Secret Life of Maven Central.pptx
The Secret Life of Maven Central.pptx
 
Log4Shell - Armageddon or Opportunity.pptx
Log4Shell - Armageddon or Opportunity.pptxLog4Shell - Armageddon or Opportunity.pptx
Log4Shell - Armageddon or Opportunity.pptx
 
Cybercrime and the developer 2021 style
Cybercrime and the developer 2021 styleCybercrime and the developer 2021 style
Cybercrime and the developer 2021 style
 
Agile Islands 2020 - Dashboards and Culture
Agile Islands 2020 - Dashboards and CultureAgile Islands 2020 - Dashboards and Culture
Agile Islands 2020 - Dashboards and Culture
 
LJC Speaker Clnic June 2020
LJC Speaker Clnic June 2020LJC Speaker Clnic June 2020
LJC Speaker Clnic June 2020
 
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
 
Beyond the Pi: What’s Next for the Hacker in All of Us?
Beyond the Pi: What’s Next for the Hacker in All of Us?Beyond the Pi: What’s Next for the Hacker in All of Us?
Beyond the Pi: What’s Next for the Hacker in All of Us?
 
A Modern Fairy Tale: Java Serialization
A Modern Fairy Tale: Java Serialization A Modern Fairy Tale: Java Serialization
A Modern Fairy Tale: Java Serialization
 
Eclipse OpenJ9 - SpringOne 2018 Lightning talk
Eclipse OpenJ9 - SpringOne 2018 Lightning talkEclipse OpenJ9 - SpringOne 2018 Lightning talk
Eclipse OpenJ9 - SpringOne 2018 Lightning talk
 
SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...
SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...
SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...
 
Dev Days Vilnius 2018 : Cloud Native Java with OpenJ9- Fast, Lean and definit...
Dev Days Vilnius 2018 : Cloud Native Java with OpenJ9- Fast, Lean and definit...Dev Days Vilnius 2018 : Cloud Native Java with OpenJ9- Fast, Lean and definit...
Dev Days Vilnius 2018 : Cloud Native Java with OpenJ9- Fast, Lean and definit...
 
Keynote Dev Days vilnius 2018: how openness changes your behaviour
Keynote Dev Days vilnius 2018:  how openness changes your behaviourKeynote Dev Days vilnius 2018:  how openness changes your behaviour
Keynote Dev Days vilnius 2018: how openness changes your behaviour
 
Dev talks Cluj 2018 : Java in the 21 Century: Are you thinking far enough ahead?
Dev talks Cluj 2018 : Java in the 21 Century: Are you thinking far enough ahead?Dev talks Cluj 2018 : Java in the 21 Century: Are you thinking far enough ahead?
Dev talks Cluj 2018 : Java in the 21 Century: Are you thinking far enough ahead?
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 

Recently uploaded

Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 

Recently uploaded (20)

Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 

How Developers Can Start Defending Against Cybercrime

  • 1. Cybercrime and the Developer: How to Start Defending against the Dark Side Code Europe 2017
  • 2. About me Steve Poole IBM Lead Engineer / Developer advocate @spoole167 Making Java Real Since Version 0.9 Open Source Advocate DevOps Practitioner (whatever that means!) Driving Change
  • 3. Outline Cybercrime realities Our perception, The bitter truth & why the future looks bleak How our behavior makes cybercrime even easier How we perceive ourselves and how we act Vulnerabilities The ammunition of choice: Hardware & Software why talking about vulnerabilities is good and bad What can we do better Changing behavior, Architecture and systems, Coding and developing Summary The situation is going to get worse before it gets better We as a community need to take this seriously Next steps. Education, risk assessment and active defense @spoole167
  • 4. Take away one thing As a developer, security is your problem @spoole167
  • 5. This talk • I’m a developer – not a security expert. • Arose because of “compliance”: what does that mean? How do I find out more? • Arose because I didn’t understand what the fuss was all about • Arose because giving uneducated developers access to cloud resources generally has unfortunate consequences • Is about how and why we need to behave differently. • Here’s what I’ve learnt so far… @spoole167
  • 6. Do you know how strong your system is? @spoole167
  • 7. @spoole167 https://www.flickr.com/photos/karen_roe/ Is this your system? Secure firewalls? Strong encryption? Can see any intrusion?
  • 8. @spoole167 https://www.flickr.com/photos/77278206@N02/ Maybe it’s more like this? Uses https occasionally? A firewall at least Can see any intrusion out of this window
  • 13. Dear Winner, This is to inform you that you have been selected for a prize of a brand new 2016 Model BMW Hydrogen 7 Series Car, a Check of $500,000.00 USD and an Apple laptop from the international balloting programs held on the 27th, section of the 2016 annual award promo in the UNITED STATE OF AMERICA. Think you’re too smart to be suckered? @spoole167
  • 15. “Organized Cybercrime is the most profitable type of crime” • In 2016 Cybercrime was estimated to be worth 445 Billion Dollars a Year • In 2013 the United Nations Office on Drugs and Crime (UNODC) estimated globally the illicit drug trade was worth 435 Billion Dollars • Guess which one has the least risk to the criminal? • Guess which is growing the fastest? • Guess which one is the hardest to prosecute? • Guess which one is predicted to reach 2100 Billion Dollars by 2019? @spoole167
  • 18. @spoole167 WannaCry • Friday, 12 May 2017 • Has infected 250K computers in 150+ countries • It encrypts data and holds it for ransom • The computer owner has a limited time to pay (in bitcoin) about $500 • So far the bitcoin owners have received about 50 bitcoins ~= $85K ($3/infected machine) UK: National Health Service impacted: India: All ATMs closed Nissan: Halted all production Renault: Halted some production https://en.wikipedia.org/wiki/WannaCry_ransomware_attack Think how much disruption was caused for $85K What about the other $449,915,000 ? @spoole167
  • 19. So who are the bad guys? https://www.flickr.com/photos/monsieurlui/
  • 20. A mirror of you? • Organized and methodical • organized like startup companies. • “employ” highly experienced developers with deep knowledge • Constantly innovating malware, seeking out vulnerabilities • Sharing what they find with each other (for $ of course) • Goal focused • the average age of a cybercriminal is 35 years old. @spoole167
  • 21. Already into crime • Commissioner of the City of London Police: • “We estimate that around 25 per cent of the organized crime groups in this country are now involved in financial crime in one shape or another…” • University of Cambridge: • 60% of cyber-criminals had criminal records which were completely unrelated to cyber-crime • “those traditional offenders are changing their behavior and moving to the internet”. Cybercriminals mostly get caught for something other than cybercrime @spoole167
  • 22. What data are they after? • Moving beyond credit card numbers • Long term identity theft • Medical data, Sensitive Personal Information, insurance information, Social Security numbers • Information that gives insight into behavior • Information that gives access Quiet and repeated Infiltration Ransomware instead of cyber-graffiti All personal data is useful and worth $$$ http://www.darkreading.com/attacks-breaches/stolen-health-record-databases-sell-for-$500000-in-the-deep-web/d/d-id/1328225? @spoole167
  • 23. They want facts about you and colleagues • Any piece of personal information about YOU is useful. It gets sold on and somewhere someone brings it all together. • Can I connect your email address to your date of birth? • Can I find out where you live? • Can I find out who you work for? • Can I find out what you think about your boss? • Can I find out what sites you’ve visited? • The more I know about you – the more I can refine the attack. • The more I know about you – the more $$ I can make • And attacks are more than “technical” @spoole167
  • 24. Social Engineering: No-one falls for those sort of things do they? @spoole167
  • 25. DEAR SIR/MA'AM. YOUR ATM CARD OF $10.5MILLION DOLLARS WAS RETURNED TODAY BY OUR COURIER DELIVERY COMPANY, AND WE ARE GOING TO CANCEL THE ATM CARD IF YOU FAILS TO ACKNOWLEDGE THIS MESSAGE, WE SHALL ALSO ASSUME THAT WHAT OUR COURIER DELIVERY COMPANY TOLD US IS NOTHING BUT THE TRUTH THAT YOU DON'T NEED YOUR ATM CARD OF $10.5 MILLION DOLLARS ANY LONGER. DO ACKNOWLEDGE THIS MESSAGE AS SOON AS POSSIBLE. YOURS FAITHFULLY. YOURS SINCERELY, MR MARK WRIGHT, DIRECTOR FOREIGN REMITTANCE ATM CARD SWIFT PAYMENT DEPARTMENT ZENITH BANK OF NIGERIA. @spoole167
  • 26. Federal Bureau of Investigation (FBI) Anti-Terrorist And Monitory Crime Division. Federal Bureau Of Investigation. J.Edgar.Hoover Building Washington Dc Customers Service Hours / Monday To Saturday Office Hours Monday To Saturday: Dear Beneficiary, Series of meetings have been held over the past 7 months with the secretary general of the United Nations Organization. This ended 3 days ago. It is obvious that you have not received your fund which is to the tune of $16.5million due to past corrupt Governmental Officials who almost held the fund to themselves for their selfish reason and some individuals who have taken advantage of your fund all in an attempt to swindle your fund which has led to so many losses from your end and unnecessary delay in the receipt of your fund.for more information do get back to us. …. Upon receipt of payment the delivery officer will ensure that your package is sent within 24 working hours. @spoole167
  • 27. From <your boss> I’ve spoken to the Italians and they will send us the goods if we pay $3M immediately. Details below. I’m off to the golf course – no distractions -period.
  • 28. An email from an international transport company urging recipients to open a waybill in a zip (the zip content launches a downloader). The targets are busy and not IT savvy. The criminals are IT savvy and industry savvy ☹️ ☹️
  • 29. Phishing -> Spear Phishing -> Personalised Attacks The move is towards more organised and long term attacks that are hidden from view. Think about this – when you’re trawling the net for gullible people you set the bar low. With personalised attacks you invest more and make it compelling. Your victims’ views on Facebook about their boss, how busy they are, important deals coming up. It all helps to craft that million dollar scam… @spoole167
  • 30. Who’s being targeted? • Middle level executives – afraid of their bosses? • New joiners – easy to make a mistake? • Busy and harassed key individuals – too busy to take time to consider? • Disgruntled employees – want to hurt the company? Make some $? • And Developers – the golden goose. The bad guys prey on the weak, vulnerable and ignorant
  • 31. Developers – why? We know the inside story We write the code We have elevated privileges We are over trusting We use other peoples code and tools without inspection We are ignorant of security matters The bad guys prey on the weak, vulnerable and ignorant
  • 32. Don’t agree? “The bad guys prey on the weak, vulnerable and ignorant” That’s you @spoole167
  • 33. Ever googled for: “very trusting trust manager” “Getting Java to accept all certs over HTTPS” “How to Trust Any SSL Certificate” “Disable Certificate Validation in Java” @spoole167
  • 34. Ever written something like this? @spoole167

    import java.security.cert.X509Certificate;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    // The "trust everything" trust manager: every check is a no-op, so any
    // certificate from any server (or from a man in the middle) is accepted.
    TrustManager[] trustAllCerts = new TrustManager[]{
        new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() {
                return null;
            }
            public void checkClientTrusted(X509Certificate[] certs, String authType) {
                // empty on purpose: no validation at all
            }
            public void checkServerTrusted(X509Certificate[] certs, String authType) {
                // empty on purpose: no validation at all
            }
            // Not part of javax.net.ssl.X509TrustManager (legacy method names),
            // but they travel with every copy-pasted version of this snippet.
            public boolean isClientTrusted(X509Certificate[] cert) {
                return true;
            }
            public boolean isServerTrusted(X509Certificate[] cert) {
                return true;
            }
        }
    };
  • 35. We’ve all done something like that @spoole167
  • 36. We’ve all done something like that We do it all the time @spoole167
  • 37. We’ve all done something like that We do it all the time The whole world does it How bad can it be? @spoole167
  • 38. We’ve all done something like that We do it all the time The whole world does it Github search “implements TrustManager” …. @spoole167
  • 39. We’ve found 72,609 code results AlwaysValidTrustManager TrustAllServersWrappingTrustManager A very friendly, accepting trust manager factory. Allows anything through. all kind of certificates are accepted and trusted. A very trusting trust manager that accepts anything // Install the all-trusting trust manager OverTrustingTrustProvider AllTrustingSecurityManagerPlugin.java AcceptingTrustManagerFactory.java AllTrustingCertHttpRequester.java
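What to write instead of a trust-all manager, as an added example (this is not code from the talk or from any project it names): certificate validation stays switched on and only the trust anchors change. It assumes Java 11+ for java.net.http, and the https URL and the optional PEM file are taken from the command line as placeholders. The `pinnedTo` case is the honest answer to "the server I access is self-signed" on slide 61: pin that one certificate (or the internal CA behind it) rather than disabling validation for every server the process will ever talk to.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not code from the talk: the replacement for a
 * "trust everything" TrustManager. Validation stays on; you only choose
 * which certificates are trusted. Requires Java 11+ (java.net.http).
 * The URL and PEM file are command-line placeholders.
 */
public final class PinnedTrust {

    /** Platform trust: the JDK cacerts file or -Djavax.net.ssl.trustStore. */
    public static SSLContext platformDefault() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // a null KeyStore selects the JDK default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Trust only the certificate(s) in one PEM file: the self-signed server
     * certificate itself, or the internal CA that issued it. Nothing else,
     * and nothing from the public CA set, is accepted by this context.
     */
    public static SSLContext pinnedTo(Path pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null); // fresh, empty, in-memory trust store
        int count = 0;
        try (InputStream in = Files.newInputStream(pemFile)) {
            // generateCertificates reads every BEGIN/END CERTIFICATE block in the file
            for (Certificate c : cf.generateCertificates(in)) {
                trust.setCertificateEntry("pinned-" + count++, c);
            }
        }
        if (count == 0) {
            throw new IllegalArgumentException("no certificates found in " + pemFile);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** HttpClient keeps hostname verification on; only the trust anchors change. */
    public static HttpClient client(SSLContext ctx) {
        return HttpClient.newBuilder().sslContext(ctx).build();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java PinnedTrust <https-url> [server-or-ca.pem]");
            return;
        }
        SSLContext ctx = args.length > 1 ? pinnedTo(Path.of(args[1])) : platformDefault();
        HttpRequest req = HttpRequest.newBuilder(URI.create(args[0])).GET().build();
        // A certificate that is not trusted fails here with SSLHandshakeException;
        // it is never silently accepted the way the trust-all manager does.
        HttpResponse<String> rsp = client(ctx).send(req, HttpResponse.BodyHandlers.ofString());
        System.out.println(rsp.statusCode() + " from " + rsp.uri());
    }
}
```

Run it with only a URL and the platform trust store decides; add the PEM and exactly those certificates decide. Either way a wrong certificate is a hard failure in `send()`, which is the behaviour the trust-all manager throws away. The same search that found 72,609 results is also the audit: grep your own tree for `checkServerTrusted` methods with empty bodies and for `getAcceptedIssuers` returning `null`.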
  • 40. Developers are too trusting. Linux Repos npm “npm is the package manager for JavaScript. Find, share, and reuse packages of code from hundreds of thousands of developers — and assemble them in powerful new ways.” Great sentiments. “But Caveat Emptor”
  • 43. Cybercrime: Expanding the attack vector @spoole167
  • 44. Basic ways in: The old fashioned set • Social engineering – convince you to open the door • Vulnerability exploits – find doors already open • Inside information – you tell them where the keys are for gain The bad guys can already get into your systems easier than you ever thought possible. @spoole167
  • 45. The new attack vectors • Devices, Devices, Devices • Eavesdropping, network devices with default passwords • Drive-by gateways • Ransomware • Blackmail and extortion • Extending Malware into real products. • Helpful free stuff – like docker images • Dangerous paid stuff - like game trainers • Actual ’at the source’ injections - like pull requests! • Like unknown helpful people – do you know what can happen in a git merge? https://www.flickr.com/photos/famzoo/
  • 46. Devices inside your network What CPUs are connected to your network? • Smart printers? • Smart TVs? • BYODs? How many devices have default passwords? How many have passwords that everyone knows? How many are running older unpatched software? You cannot ever assume your internal network is safe and uncompromised By Konstantin Lanzet - CPU collection Konstantin Lanzet, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=6834217
  • 47. (Diagram: browser -> gateway -> Internet -> website. "Give me data" goes out, "Here is data" comes back.) How safe is your interaction with the web?
  • 49. Simple hijacked https:// case – you accept the certificate but at least you saw it
  • 50. Simple hijacked https case 2: You have a bogus certificate authority locally – and you didn’t even know it was there It might even have been issued by your company and been stolen and used against you @spoole167
  • 51. It can be even easier/worse If your initial request to a server is http (i.e. unencrypted) • A MITM can replace all inline https references with http • Then when your form is submitted it’s sent unencrypted • Maybe the server will bounce the request. But it’s too late - your private data is gone. @spoole167
  • 52. Stealing your data with http (Diagram: browser -> gateway -> Internet -> website. The browser, on http, posts to https://foo.com; the gateway switches it to an http post to http://foo.com; "Server unavailable" comes back; RELOAD; the post to https://foo.com is resubmitted and again switched to http at the gateway.)
  • 53. Typical Pattern 1. MITM tracks a single important server target. The thieves know how the flows work. They track your usage 2. When your userid / password is requested the https is already forced to http. 3. Your data is sent in the clear. The MITM sends you a ‘there was a problem’ msg and gets out of your way. 4. You refresh and resubmit. 5. None the wiser… @spoole167
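The server-side answer to the switch shown on slides 51 to 53, as an added example that is not from the talk: the plain-http listener never serves a form, it only redirects, and every https response carries Strict-Transport-Security, so a browser that has visited once refuses to start over http next time and the MITM has nothing to rewrite. It assumes the JDK's built-in com.sun.net.httpserver, ports 8080 and 8443 on localhost, and a PKCS12 keystore path and password given on the command line (all placeholders); what happens to the submitted credentials is not shown.

```java
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsServer;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

/**
 * Added example, not code from the talk: http only redirects, https always
 * sends HSTS. Ports, origin and keystore are placeholders.
 */
public final class HstsDemoServer {

    /** One year, including subdomains, is the usual starting value. */
    static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";

    /** http side: 301 to the same path on the https origin, nothing else. */
    static HttpHandler redirectToHttps(String httpsOrigin) {
        URI origin = URI.create(httpsOrigin);
        return ex -> {
            URI target = origin.resolve(ex.getRequestURI());
            ex.getResponseHeaders().set("Location", target.toString());
            ex.sendResponseHeaders(301, -1); // -1 = no response body
            ex.close();
        };
    }

    /** Wrap any https handler so its responses always carry HSTS. */
    static HttpHandler withHsts(HttpHandler inner) {
        return ex -> {
            ex.getResponseHeaders().set("Strict-Transport-Security", HSTS_VALUE);
            inner.handle(ex);
        };
    }

    /** A login form whose action is an absolute https URL, never a bare path. */
    static HttpHandler loginForm(String httpsOrigin) {
        byte[] page = ("<form method=\"post\" action=\"" + httpsOrigin + "/login\">"
                + "<input name=\"user\"><input name=\"pass\" type=\"password\">"
                + "<button>Sign in</button></form>").getBytes(StandardCharsets.UTF_8);
        return ex -> {
            ex.getResponseHeaders().set("Content-Type", "text/html; charset=utf-8");
            ex.sendResponseHeaders(200, page.length);
            try (OutputStream out = ex.getResponseBody()) {
                out.write(page);
            }
        };
    }

    /** Server identity from a PKCS12 keystore holding the site's key and certificate. */
    static SSLContext serverContext(Path pkcs12, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(pkcs12)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null trust managers = JDK default
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java HstsDemoServer <server.p12> <keystore-password>");
            return;
        }
        String httpsOrigin = "https://localhost:8443"; // placeholder origin

        HttpsServer https = HttpsServer.create(new InetSocketAddress(8443), 0);
        https.setHttpsConfigurator(
                new HttpsConfigurator(serverContext(Path.of(args[0]), args[1].toCharArray())));
        https.createContext("/", withHsts(loginForm(httpsOrigin)));
        https.start();

        HttpServer http = HttpServer.create(new InetSocketAddress(8080), 0);
        http.createContext("/", redirectToHttps(httpsOrigin));
        http.start();

        System.out.println("http://localhost:8080 -> " + httpsOrigin + " (HSTS on)");
    }
}
```

The two pieces work together: the redirect means the first http visit carries no form to rewrite, and the HSTS header means there is no second http visit. A server that offers the login page over http "for convenience" gives the pattern on slide 53 exactly the window it needs.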
  • 54. What – you’d never connect to a bogus wifi? @spoole167
  • 55. Wifi Gateways Are everywhere How do you know that an SSID you see is not fake? In your office? In your home? In a Coffee Shop? At a conference in Poland? @spoole167
  • 56. Wifi Gateways (Photo: a Pi Zero with a WiFi dongle and USB power) Would you notice this stuck to the wall?
  • 57. Wifi Gateways Are everywhere Many legitimate ones encourage bad practices
  • 58. https://www.flickr.com/photos/yodelanecdotal/ Spoofing Wifi gateways is really, really easy And we follow access instructions without question Even adding certs to our browsers
  • 59. Q: So given how important using encryption correctly is… @spoole167
  • 60. Why do we turn it off? curl --insecure wget --no-check-certificate sudo apt-get --allow-unauthenticated @spoole167
  • 61. For reasonable reasons? • “The server I access is self-signed” • “I want to access multiple servers “ Unexpectedly? • “I thought I was using the tool correctly” • “I didn’t realize what the default setting was” • “I trusted the tool to do the right thing” Maliciously? • “Someone changed the script and I don’t know why” @spoole167
  • 62. And… • Developers download code, tools, certificates etc without considering the consequences. • We believe implicitly that other developers are trustworthy. How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript Code pulled from NPM – which everyone was using http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/ What if he’d added malware instead?
  • 63. Why aren’t we taking this seriously? Cyber criminal @spoole167
  • 64. Would help if we used a different name? Cyber criminal Advanced Persistent Threat @spoole167
  • 65.  Innovative  Imaginative  Without boundaries  Well funded  Ruthless  Uncaring Advanced Persistent Threat And more @spoole167
  • 66. Remember that scene from Oceans 13? https://www.flickr.com/photos/andereri/ Where they went to Mexico to fix the dice?
  • 67. Suppose they had to get into a Smart TV factory And they had to ‘fix’ the SoC chips By Konstantin Lanzet - CPU collection Konstantin Lanzet, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=6834217 @spoole167
  • 68. It’s already happened Any device you buy may have already been compromised at the factory @spoole167
  • 70. Vulnerabilities • Bugs and design flaws in your software and the software you use. • Everyone has them. • Researchers are looking for them all the time. • So are the bad guys https://www.flickr.com/photos/electronicfrontierfoundation/
  • 72. Vulnerabilities The bad news is that talking about the specifics of a vulnerability is not something anyone wants to do. The relationship between CVEs and bug fixes is kept tenuous. So how do you assess the impact of a vulnerability, or even where it’s fixed? Using CVSS (Common Vulnerability Scoring System), an agreed open process, vulnerabilities are scored. Scores and ship vehicles are published: https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19117/Oracle-JRE.html https://developer.ibm.com/javasdk/support/security-vulnerabilities/ Struts-Shock March: Apache Struts fix high impact vulnerability Hours later: exploit published on Chinese-language website & real attacks start @spoole167
  • 74. Checkpoint: The fundamentals • Strong access controls and access management • Accountability • Validation • Effective compartmentalisation • Ability to detect intrusions • Encrypted data As developers we are all guilty of weakening or bypassing the efforts of our IT organizations to keep our systems safe @spoole167
  • 75. We were ignorant. Now you’re not @spoole167
• 76. First steps. Keep current: every vulnerability fix you apply is one less way in. Compartmentalise: separate data, code, access controls etc. Just like bulkhead doors in a ship, ensure one compromise doesn't sink your boat. Design for intrusion: review your levels of 'helpfulness' and flexibility. Learn about penetration testing. Understand that making your development life easier makes the hacker's job easier.
• 77. Next steps. Take control of your dependencies: build your own internal caches and repositories, scan them for known vulnerabilities and change all those embedded default passwords, or buy the service from someone you trust. Don't download or depend on random code: ensure you trust the providers and understand what they are doing to earn and keep your trust, and examine the processes they have to ensure that the code, binaries and certificates being hosted are legitimate. Educate yourself: learn about secure engineering techniques and about how to assess security risks.
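Worked example (added here; not code from the slides, from IBM or from Apache): a minimal dependency check in Python that covers two of the steps above, matching what you depend on against known-vulnerable version ranges, and verifying a downloaded binary against its published digest before it goes into your internal repository. The advisory table and dependency list are constructed for the example: the struts2-core entry follows the public Struts-Shock advisory (S2-045 / CVE-2017-5638, affected 2.3.5 to 2.3.31 and 2.5 to 2.5.10, fixed in 2.3.32 and 2.5.10.1); the com.example coordinates and the EXAMPLE-0001 advisory are hypothetical. A real scanner would pull its advisories from a feed such as the NVD instead of embedding them.

```python
import hashlib
import hmac
import re

# Constructed data for the example. The struts2-core ranges follow the public
# Struts-Shock (S2-045 / CVE-2017-5638) advisory: fixed in 2.3.32 and 2.5.10.1.
# The com.example coordinates and EXAMPLE-0001 are hypothetical.
ADVISORIES = [
    {"id": "CVE-2017-5638", "package": "org.apache.struts:struts2-core",
     "ranges": [("2.3.5", "2.3.32"), ("2.5", "2.5.10.1")]},   # (introduced, fixed)
    {"id": "EXAMPLE-0001", "package": "com.example:example-logger",
     "ranges": [("1.0", "1.4.2")]},
]

DEPENDENCIES = [  # group:artifact:version, as printed by a Maven dependency tree
    "org.apache.struts:struts2-core:2.5.10",
    "org.apache.struts:struts2-core:2.5.10.1",
    "org.apache.struts:struts2-core:2.3.32",
    "com.example:example-logger:1.4.1",
    "com.example:unrelated:3.0.0",
]


def version_key(version):
    """Sort key for dotted versions so that '2.5.10' < '2.5.10.1', '2.5' == '2.5.0'
    and a qualifier sorts before the bare release ('2.5.10-RC1' < '2.5.10').
    Deliberately simple; a production scanner should use the ecosystem's ordering."""
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        if piece.isdigit():
            parts.append((1, int(piece)))
        elif piece:
            parts.append((0, piece.lower()))
    while parts and parts[-1] == (1, 0):   # trailing .0 is not significant
        parts.pop()
    parts.append((1, 0))                   # sentinel: a release outranks any qualifier
    return tuple(parts)


def in_affected_range(version, ranges):
    """True if introduced <= version < fixed for any (introduced, fixed) pair."""
    v = version_key(version)
    return any(version_key(lo) <= v < version_key(hi) for lo, hi in ranges)


def scan(dependencies, advisories=ADVISORIES):
    """Return (coordinate, advisory id) for every dependency inside an affected range."""
    findings = []
    for coord in dependencies:
        group, artifact, version = coord.split(":")
        package = group + ":" + artifact
        for adv in advisories:
            if adv["package"] == package and in_affected_range(version, adv["ranges"]):
                findings.append((coord, adv["id"]))
    return findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data, expected_sha256):
    """Check a downloaded artifact against the digest published for it. The expected
    digest must come from somewhere other than the place the binary was fetched from."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.strip().lower())


if __name__ == "__main__":
    for coord, advisory in scan(DEPENDENCIES):
        print("VULNERABLE %-45s %s" % (coord, advisory))
    jar = b"PK\x03\x04 constructed stand-in for a downloaded .jar"   # constructed bytes
    print("digest ok:", verify_artifact(jar, sha256_hex(jar)))
```

The boundary at the fixed version is where scanners silently go wrong (2.5.10 is affected, 2.5.10.1 is not), so the version ordering is worth a test of its own, and in production you should use the real rules for the ecosystem (Maven's ComparableVersion, PEP 440, semver) rather than this approximation.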
• 80. The Seven Pernicious Kingdoms: 1. Input Validation and Representation 2. API Abuse 3. Security Features 4. Time and State 5. Error Handling 6. Code Quality 7. Encapsulation * Environment
• 84. Online guides: Secure by Design - Security Design Principles for the Rest of Us, https://www.slideshare.net/EoinWoods1/secure-by-design-security-design-principles-for-the-rest-of-us
• 86. This isn't as challenging or costly as it seems.
• 87. We're already starting to do this. Microservices are helping with compartmentalisation. Continuous Delivery is helping with frequent patching. Containers are helping with dependency management. Infrastructure as Code is helping with locking down environments. DevOps is bringing IT practices and awareness to the developer. Moving to the cloud allows us to have industry-leading security like firewalls, advanced intrusion detection, vulnerability assessments etc. Does your cloud provider offer these services?
• 88. Recap • The simple truth is that we are going to be engaged in an arms race over security for the foreseeable future • We're on the back foot right now • Our behavior makes cybercrime even easier • How we perceive ourselves and how we act has got to change • Vulnerabilities, compromised devices etc. • We have to behave as if every server we have is publicly addressable • We have to focus on reducing our exposure
• 89. But maybe there is some light at the end of the tunnel https://www.flickr.com/photos/bovinity/ Remember: Security is your problem