Refugees on Rails Berlin - #2 Tech Talk on Security
Tech Talk - Security
Refugees on Rails - Berlin
Gianluca Varisco

@gvarisco
$ whoami
VP Security @ Rocket Internet SE
Formerly at Red Hat, Lastminute.com Group, PrivateWave
A random walk through cybersecurity
Turing, 1943
Draper, 1974
Morris, 1988
Diffie, 1976
Estonia, 2007
Snowden, 2013
Edward Snowden
Edward Snowden's NSA leaks have changed the way the cyber security world works.
Two years after Snowden, what’s really changed?
• Public awareness about privacy issues has improved
• Foreign relations aren't as good as they used to be
• Tech companies are much better at protecting users' privacy
• More security bugs have been discovered in software powering the Internet's core infrastructure (NTP Daemon, OpenSSL, OpenSSH via Linux Foundation)
• Open Crypto Audit Project (OCAP)
• ….. Still nothing.
Common threats
• Stolen or leaked IP
• Stolen funds
• Stolen computer resources
• Stolen business information
• Employee information
• DDoS attack
• Marketplace fraud
• Physical theft / sabotage
• Brand phishing
• Account data breach
• Email dump
The most brutal security bugs (2014/2015)
• Freak, Shellshock, Poodle, Heartbleed, BEAST
Data breaches - 2015
Hacking Team
• Hacked in July 2015.
• 400 GB of data got stolen! (source code, confidential documents and email archives.)
• HOW DID IT HAPPEN??
• They sell offensive intrusion and surveillance capabilities to government, law enforcement agencies and corporations
Hacking Team
• Criminal investigation is still ongoing. Business got really affected by this incident.
• The leaked security engineer's list of passwords doesn't make for impressive reading:

UserName : Neo Password : Passw0rd
UserName : c.pxxxi Password : P4ssword
UserName : c.pxxxi Password : CHP0zz1!

Be open to your customers
• “It was a user error”
• “It was our vendor’s fault”
• “We have no evidence that the exposed data was used to harm our customers in any way”
• “… some users may have experienced isolated incidents of slow page rendering”
Ashley Madison – data breach and analysis
TalkTalk
• Fixed/mobile provider (UK)
• Security experts believe that the recent data breach may have taken place due to a SQL injection (SQLi) attack, a method used to inject SQL commands to breach the database and get access to the users' personal data.
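The TalkTalk slide names the technique but not the root cause. As an added example (not from the talk), the following Python snippet shows the defect that makes SQLi possible, a query built by string concatenation, next to the parameterized form that fixes it; the in-memory customer table and the sample rows are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory table standing in for a provider's customer database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, phone) VALUES (?, ?)",
        [("alice@example.com", "+44 20 0000 0001"), ("bob@example.com", "+44 20 0000 0002")],
    )
    return conn

def lookup_vulnerable(conn, email):
    # Defect: the caller's input is spliced into the SQL text, so a quote in the
    # input ends the string literal and whatever follows is parsed as SQL.
    query = "SELECT email, phone FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, email):
    # Fix: the input is bound to a placeholder and is only ever compared as a value;
    # it cannot change the structure of the statement.
    return conn.execute(
        "SELECT email, phone FROM customers WHERE email = ?", (email,)
    ).fetchall()

def demo():
    # Returns row counts for a normal lookup and for an input carrying a quote
    # and an OR clause, for each of the two implementations.
    conn = make_db()
    benign = "alice@example.com"
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),   # every row leaks
        "safe_benign": len(lookup_parameterized(conn, benign)),
        "safe_hostile": len(lookup_parameterized(conn, hostile)), # no match, nothing leaks
    }
```

The same contrast holds for every SQL driver that supports placeholders; an ORM only helps if raw-string query building is not used anywhere in the code base.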
VTech
• Exposed in November 2015
• 4.8 million records taken
• database of first names, genders, birthdays of more than 200,000 kids
Mattel’s Hello Barbie WiFi (Yes, WTF!)
• Released in late 2015
• Security expert Matt Jakubowski managed to hack the Hello Barbie system to extract wi-fi network names, account IDs and MP3 files, which could be used to track down someone’s home.
CyberSecurity Predictions
Internet of Things (IoT) - Security
The Internet of things is the Internet of threats for us
• Expect attacks on smart TVs, watches, smart glasses.
• As the number of connected smart devices expands fast, more and more of them will be targeted to obtain criminal profit.
Connected devices
Attacks through Apps (Mobile Malware)
• Activity monitoring and data retrieval
• Unauthorised dialing, SMS and payments
• Unauthorised network connectivity (exfiltration or command & control)
• Sensitive data leakage
• Unsafe sensitive data storage
• Unsafe sensitive data transmission
• Hardcoded password/keys
• System modification (rootkit, APN proxy config)
The human factor – the weakest link
The human factor plays an important role in how strong (or weak) your company’s information security defenses are.
The bare minimum of Security
• Passwords / Log-ins
• Pick strong ones
• Use unique passwords for every site
• If possible, rely on Password Managers that do not provide any ‘cloud’-sync feature
• Use Two-Factor authentication whenever possible
• Use misleading password hints
Your Email is the Master Key
• You should establish TRUSTED communication guidelines
• GPG
• X.509 and S/MIME (PKI required)
• OTR (largely limited to instant messaging)
The bare minimum of Security
• HTTPS everywhere (EFF browser extension)
• Understand the basics of online fraud: Phishing scams, malware and other nasty things are all easy to detect if you keep a cautious eye.
• Be skeptical of odd emails
• Use VPN services to secure everything you do. If possible, try to have control over your endpoint.
Our companies do get targeted as well…
• DDoS attacks
• Internal frauds
• Targeted phishing attacks on upper management that lead to:
  • Compromised e-mail accounts due to lack of security basics (2FA, weak passwords)
  • Stolen VPN certificates, domain registrars’ credentials, bank details, GDrive, Dropbox accounts
Real-Time Cyber Attack Map
THANKS!

Questions?
© 2015 Rocket Internet SE. All rights reserved.