Right now, we have Steve Werby up here talking about "From Chaos to Bliss," so please welcome him to the stage.

Wow, that's what 800 people clapping in a room that only holds 300 on a Sunday morning sounds like. Fantastic. I'm going to hold it like this. Can everyone hear me okay? "From Chaos to Bliss: How We Solved Security in Just 20 Years." I'm going to take you back on a journey over the last 20 years to talk about how we collectively solved this security problem. I have not had all the coffee I need to have this morning, apparently.

Right, so yesterday I hooked up my own adapter because this adapter would not work. I may need to do that. When the technical people suggest that I hook up my own adapter, I'm going to give it a try. I'm going to tell you: this morning, an $800 phone was sitting up here and I picked it up. It can't be somebody from this conference. Took it up to the front desk and turned it in. The guy is standing there. Has anybody seen that turned in here before? He had that deer-in-the-headlights look. No color left in his eyes, though, at least not like the deer. Now he shook my hand. Wash it. I wish I got a free phone. I could use a new one. I think there's a lesson to learn for every one of you.

I've been in the security field about 20 years, since '99. I'm a noob. I know that if there's something that can go wrong at a presentation, it will. I was so pleased with myself that I brought my own adapter this time, and yesterday I connected it and made sure it would work after the one that was up here didn't work. The fool that I am, I tried the one that was up here, so we wasted a few minutes. In any case, I'm a noob, but I look around the room and I see some people that are younger than me. Some of you are probably too young to remember the primitive, antiquated, primeval world of the second millennium. We're going to be talking about the second millennium. Some of you are probably just new to the world of security.
I see some people in the back that probably fit the bill, and for some of you others, maybe the one that called me a noob, it's possible your recollection of the last 20 years has just faded a bit. It seems a little light. I'd ask you if you could read it, but it doesn't really matter what your answer to the question is, because I'm not going to be able to change it. Okay.

So let's do a quick comparison between 1998 and 2018. You see, I made things pretty easy for you. I used some visual cues. I have a red font on the left and a sad face, and a green font on the right and a happy face. By the way, there is at least one person in this room who I've just realized may actually appear in my slide deck. If you recognize yourself, I want you to jump up and shout out. It's not going to be for a while.

So in 1998, it was pure chaos. We had to deal with tremendous problems like website defacements and worms, lots of worms. Today we have things pretty easy. We have phishing, cryptojacking, social media hijacking. It's not too bad. In 1998, all we had for tools available were passwords, firewalls, antivirus, and we had documents we called policies, even if they were standards or guidelines. Today we have all kinds of awesome acronyms. We have CASB, we have SOAR, we have machine learning and AI, or at least those are buzzwords that security companies like to use and throw around to claim they have these things. And we have blockchain. Blockchain is something that can pretty much solve all your problems in 2018.

When I look back at 1998, I remember it was a much smaller security community. There were roughly 2,000 people in security. I knew most of them. There's one older guy here I don't know, but I'm not sure he was around then. Today we have roughly 3 billion people in infosec, and that's a pretty significant amount of growth over 20 years. Back in 1998, we only had one cert; it was the CISSP.
Some people don't have a lot of positive thoughts about the CISSP, but it was the only one we had at that point. Today we have hundreds of certs. And back in the day, the senior-most people in information security usually had titles like Network Admin or Security Guy, or they were the guy that was not in the room during a meeting and got tapped to do security. Today we have lofty titles like CISO and CSO. In 1998, if you ran into the CIO when you were in security, they typically would have no idea who you were. You were just that guy that worked in the basement. Today the senior-most people, whether their titles are Director or CISO, are definitely very well known to the board and the C-suite. They spend a lot of time together in most organizations, and they do things like strategize.

In 1998, and this is really to paint the picture for you of how different things were in 1998, there were four cons. This was one of them; there was DEF CON, there was HOPE, there was ShmooCon. I might be missing one or two. If we wanted to talk about security, there were three or so mailing lists and IRC. Today we have it a lot easier. There are literally 1,400 different conferences. There are multiple conferences on every day of the year worldwide. There are several right now in the United States this weekend. And we have Twitter. If you want to get information or shoot out information, you have social media, you have Slack. You have ways to communicate; it's a completely different world.

There also, in 1998, were very few, if any, laws or regulations. PCI, HIPAA, data breach notification laws at the state level, none of those existed in 1998. Today we have a lot of laws and a lot of regulations. It's even very complex and complicated, because regulations and laws that are written by nations and states outside of where your organization might reside will still potentially impact you, based on the information of the citizens that you are the custodian of.
And in 1998 we called it information security. Now we call it cyber security. So I think we can all agree that we're on solid ground here in 2018. We've pretty much solved the security problem. But to a degree, it really depends on how we look at what the word "problem" means. If we can redefine what that word is, then we can probably redefine what the word "solution" means. So finding a solution basically means finding something that's causing difficulties and finding a way to address it, or finding the reason or explanation for something. If you think about those definitions, it doesn't really mean that we mitigated all the risk. So I like to interpret "solution" that way.

All right. So some of you have a skeptical look. You're questioning this truth that I'm presenting to you. And you're probably asking yourself, what makes me a credible authority? Well, I've been in security for a long time. I'm a thought leader. It's even in my title that I wrote about 10 minutes ago at the bottom of my slide. Also, I'm up here and you're not. So pretty much that's really what it comes down to. That's how it works in the security world. It works in the world today in 2018. All right. Okay, I was just kidding a little bit.

So really this is a talk about the last 20 years. Not a particular theme. I'm not looking at this from the perspective of laws or technology or people. It's just kind of a potpourri. But there's a method to my madness. I really decided to take a look back at the last 20 years, at the problems we ran into, the things that we did better, and try to figure out what we could learn from that. So what I'm hoping to do today is help you revisit some things that you may not have remembered from the last 20 years or may not have been aware of at all.
And I'm hopeful that you'll be able to leverage that to look at what you accomplished in your time in the security field, what we've collectively accomplished, and think about what this means as you move forward into the next 20 years. All right. Basically, I'm showing, as you probably saw before, I said '98 to 2018. Well, this is how the math works out. I'm going to start at really '99, because if you don't understand the math here, it's probably because it's a Sunday morning. Ask a friend.

All right. So to paint the picture, though, I want to let you know what was going on in the world. So I'm taking these years two at a time, because that's the way I decided to do it. In the 1999-2000 period, federal agents went in and took hold of Elián González in Miami, gave him back to his father, and he ended up going back to Cuba. Everybody had to have this thing called a Furby. President Clinton was acquitted. There was the Y2K bug, which was really a whole lot of nothing. And there was a tragic event at Columbine, at a high school. And then this dude right here, naked Richard Hatch, won the first season of Survivor.

All right. So there's a lot of viruses I could talk about, because this was the era of viruses, but I'm going to talk about one that is not as notable, and that's the Pikachu virus. And I want to talk about this one because it's believed to be the first virus that targeted children. So if you think about this being 18 years ago, the children that were into Pokémon, let's say they were roughly 10, are 28 today, so they're almost full-grown adults. They're millennials, so, you know, partially full-grown. So this really started a new era, because before, we didn't really have to worry about our children encountering malware. But that was the dawn of the internet age, and for the children that grew up in that era, the internet was pervasive. They used email, they accessed the web. It's something that we take for granted today, but back then it was a pretty new thing.
This is a pretty naive piece of malware, though. What it essentially did is write a couple of lines to the AUTOEXEC.BAT file on Windows and attempt to delete a couple of Windows directories on reboot. It prompted the user: do you want to delete these directories? So it's not believed to have had a significant impact. Then again, it was children that it was targeting, so it's possible that some of them did click yes and deleted most of their Windows directories.

Other threats that existed in this time period include the Melissa virus, ILOVEYOU, and CIH. ILOVEYOU was a worm. This was a period of worms and viruses, viruses and worms, and it got a lot of notoriety. The public got very concerned, and antivirus companies made a killing off of these forms of malware. CIH was pretty interesting because it tried to do two things: overwrite the first megabyte of space on a hard drive, which would generally cause the system to crash or not perform on reboot, and it tried to overwrite the BIOS. It wasn't able to do that successfully for all BIOS chips, but when it did, it rendered that piece of hardware useless and generally required a technician to repair the computer. So it wasn't quite as easy for your novice user to figure out how to address.

When we think today about denial-of-service attacks, one of the first ones that occurred was in this time period. It was performed by a teen in Canada that went by the name MafiaBoy, and it's not really known exactly how many computers he controlled to perform these distributed denial-of-service attacks, but it's estimated it was likely roughly on the order of 100. You think about that: he was able to bring down Yahoo, CNN, eBay, a few others, or some he was unsuccessful in bringing down, but he only controlled roughly 100 computers, largely in universities. You think about today the controls that we have in place in large organizations to mitigate distributed denial-of-service attacks.
I mean, certainly there's still a problem, but it takes significantly more than 100 computers to send junk traffic to websites to knock them off the internet.

That doesn't show up that well, but that's a screenshot from the software Back Orifice 2000. It's the second version of an administrative tool that was distributed by the Cult of the Dead Cow at DEF CON 7. I personally think of it as a RAT. It was often labeled as a Trojan. Some people argued that it had legitimate purposes, and certainly it could be used to legitimately manage computers, but that clearly was not the intent with this particular program. One thing that's interesting, and a lot of people don't remember, is that within about an hour at DEF CON, cDc had burned 20 or so copies of it to CD. This was back when you had CD-ROMs and you burned things to CD, and it was terrible if you needed more space than the CD could handle. They burned about 20 copies and handed them out. Other people took those copies and then burned them to new disks and handed them out, and it kind of went viral. Within a short amount of time, people were reporting that the CD-ROM was compromised and infected with the CIH virus that I just mentioned. Well, DilDog and others from cDc thought that possibly could not have been true. It must have been somebody that had taken one of the disks and, either intentionally or inadvertently, introduced CIH onto the copies of Back Orifice 2000. And that was their story. They got hold of one of the original disks, put it into a machine, without checking it with antivirus software. I think this is an awesome story. It really paints a picture of that particular time, because these are hardcore security guys who wrote software like this, did really advanced security research, and they didn't actually run antivirus, because their paradigm was, we didn't put the malware on the CD.
Well, long story short, it turns out that the original CDs they distributed did have CIH, and they believed that an individual that they had asked to duplicate the original CD to make those 20 had infected those original 20 with CIH, probably not intentionally. But for me, the big lesson there is: don't make assumptions, right? They assumed that their CD was clean, and it wasn't. Now, in the complex world of 2018, it's very important not to make assumptions. I think today that's a very fundamental one we would not make. We would obviously check our source to see if it was compromised, check to see if the hash matches, but that did not occur in that particular case.

These are seven of the members of L0pht Heavy Industries. A number of these folks have gone on to quite a bit of notoriety. The one that looks like Reddish Brown here, Jesus, is co-founder and CTO of Veracode, which was purchased by somebody and now is part of CA. He has much shorter hair now. They are still fairly well known. They testified in front of Congress, to a congressman that went on to be a DA on Law & Order, which is kind of odd, and basically said that any one of the seven of them could bring the entire internet down in 30 minutes. So that got a tremendous amount of attention. Within a short amount of time, L0pht merged with @stake, and eventually @stake was purchased by Symantec. For me, when I look back, this was a critical time period, because up until this point hackers and security didn't have quite the air of legitimacy that they did after this. I'm not saying it was overnight and everyone went from black hat or gray hat to white hat. This was one of those key moments, because some of these individuals cut their hair off, and I'm sure they were wearing suits here, but that was not a normal thing, because they didn't have a lot of access to security advice.
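The check the talk says would be made today for the Back Orifice CD story above, verifying a distributed file against a digest published out of band, as an added example in Python (not code from the talk or from cDc). The artifact bytes are constructed for the demo; the one assumption is that a trustworthy SHA-256 digest for the file is available from the source.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large image (a CD image, say)
    never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_file(path, expected_hex):
    """Compare the computed digest with the one the source published.
    compare_digest keeps the comparison constant-time; lower() tolerates
    digests published in upper case."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())

def write_temp(data):
    """Demo helper (hypothetical): write constructed bytes to a temp file
    and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

# Constructed stand-in for a distributed artifact; not a real disk image.
ORIGINAL = b"constructed sample disk image bytes\n" * 1000
# The same artifact with one byte altered, as a tampered copy would be.
TAMPERED = ORIGINAL[:100] + b"X" + ORIGINAL[101:]

def demo():
    """Returns (original_verifies, tampered_verifies) against the digest
    a publisher would have posted for the original."""
    good = write_temp(ORIGINAL)
    bad = write_temp(TAMPERED)
    try:
        published = sha256_file(good)
        return verify_file(good, published), verify_file(bad, published)
    finally:
        os.remove(good)
        os.remove(bad)

if __name__ == "__main__":
    print(demo())
```

A single flipped byte changes the whole digest, so the tampered copy fails even though it is 99.99% identical; the digest only helps, of course, if it was obtained over a channel the attacker could not also alter.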
And then they joined a company providing consulting services and security awareness and doing things that are pretty mainstream today. That was pretty uncommon back then.

Another interesting thing that happened in this period, and I'm going to spend a lot of time on these two years and then less on the subsequent years, was SQL injection. The researcher at that point went by the name Rain Forest Puppy, and it's interesting: he published his findings on it, very excited, in Phrack, but did not actually use the terminology SQL injection. Here's a screenshot from part of the Phrack article. It doesn't mention what it was actually called at that point in his article. I think I have a note about that here. Oh yeah, so he titled his article "NT Web Technology Vulnerability," so he didn't actually call it SQL injection. So it's interesting how things get the terminology that is pretty widespread today. He later referred to it as batch SQL vulnerabilities, and I think that pretty much described what he was observing and what he was able to do: he was able to string a couple of SQL statements together and have both of them execute. He also passed this information on to Microsoft, and Microsoft kind of laughed. He actually did this through a colleague of his, and the word got back to him that, yeah, we hear you, this is not a problem, it doesn't need to be addressed. Microsoft has actually come a long way. I have a lot of respect for Microsoft today in 2018; they are nothing like the Microsoft of 1998. But in 1998, I think that was a big deal. Sure, you could pretty much take ownership of the SQL server and do inserts and updates and deletes and create tables, not a big deal. And though he actually published in his Phrack article at least a couple of different ways to mitigate SQL injection attacks, we still have SQL injection as a pretty large risk today.
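The "batch SQL" behaviour described above, a second statement strung onto the first and both executing, next to the mitigation that has been available since then (bound parameters), as an added example in Python with an in-memory SQLite database. This is not code from the talk or from the Phrack article. SQLite's own `execute` refuses more than one statement, so the batch-capable server of the era is emulated by executing each ';'-separated statement in turn; the table, names and input string are constructed for the demo.

```python
import sqlite3

def make_db():
    """Constructed sample database: two users, nothing real."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        INSERT INTO users (name, email) VALUES ('alice', 'alice@example.test');
        INSERT INTO users (name, email) VALUES ('bob', 'bob@example.test');
    """)
    return conn

def table_exists(conn, table):
    """True if the named table is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None

def find_email_vulnerable(conn, name):
    """Pastes untrusted input into the SQL text. To mimic a batch-capable
    server, every ';'-separated statement is executed in turn, so a closing
    quote followed by a second statement gets that statement run too.
    (The naive split is only an emulation; it would mis-split a literal
    containing ';'.)"""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    rows = []
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if stmt and not stmt.startswith("--"):   # drop a trailing comment fragment
            rows.extend(conn.execute(stmt).fetchall())
    return [r[0] for r in rows]

def find_email_safe(conn, name):
    """Bound parameter: the driver sends the value separately from the SQL
    text, so quotes and semicolons in it are just characters to compare."""
    rows = conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,)
    ).fetchall()
    return [r[0] for r in rows]

# Constructed input that closes the quote and appends a second statement.
STACKED_INPUT = "alice'; DROP TABLE users; --"

if __name__ == "__main__":
    db = make_db()
    print(find_email_vulnerable(db, STACKED_INPUT), table_exists(db, "users"))
    db = make_db()
    print(find_email_safe(db, STACKED_INPUT), table_exists(db, "users"))
```

With the constructed input, the vulnerable lookup still returns alice's address (the first statement ran as intended) and then the table is gone; the parameterised lookup returns no rows because it compared the whole string, including the quote and semicolon, against the name column.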
I think it's lumped together on the OWASP Top 10 and now is just "injection"; there are many kinds of injection. And sure, it's been solved in a lot of organizations, but you have a lot of people that have to move fast or they're just not security conscious, so even though the solutions are out there, they don't implement the solutions, or they don't know what the solutions are. So even though we've had fixes for this for 20 years, SQL injection is still a problem today that we're faced with.

In the same time period, the first Palm PDA Trojan materialized. When I thought about that, I found it pretty interesting for a few different reasons. One, it took me a moment to remember what PDA actually stood for. I felt like I was kind of losing it, because it was never a problem for me. Then I remembered, oh yeah, Palm was a thing until iOS came around, and then BlackBerry was a thing until Android and iOS came around, but back then Palm was a thing. The interesting thing about this particular piece of malware was that it was a Trojan that claimed to be a crack for a piece of software that was emulation software, for I think it was Game Boy, to run on Palm OS. The really fascinating thing about this piece of malware is the individual that wrote it was co-author of the software it claimed to crack. So there's a whole backstory around that, and different versions of what his intent was and why he did that. But pretty odd that 18, 19 years ago somebody created a piece of software and then created a piece of malware targeting his own piece of software. The software is called Liberty, in case you want to look it up.

So this is something I didn't remember until I started to look into it a few weeks ago. I knew that cross-site scripting was something that originated about 20 years ago. What I didn't know was that Microsoft played a critical role in the discovery and naming of cross-site scripting.
So 10 years after their discovery or reporting of it, they disclosed that they had come up with a number of alternate names for it, and then the security engineers at Microsoft got together and decided cross-site scripting felt like the right one. So "URL parameter script insertion" doesn't quite roll off the tongue as well. "Synthesized scripting," "fraudulent scripting," not bad names. And so they passed that on to CERT and coordinated that, and CERT did a disclosure on this particular type of vulnerability a couple of weeks afterwards. They too described it using some different terminology, and then ultimately described it, in quotes, as "cross-site scripting." So if you're interested in the history of how it got its name, you can thank Microsoft.

Continuing the Microsoft theme, an individual named Scott Culp, who at one point really was the public face of security from Microsoft, and I feel bad for the guy, because this was a time period where Microsoft was just taking a beating from the security community, published these 10 Immutable Laws of Security, and I think it's kind of fascinating to look back at it. If I was to come up with a list today, these wouldn't necessarily be my 10, but I think most of them still hold true, with the exception of a couple of them. I would say for me it's number three: if a bad guy has unrestricted physical access to your computer, it's not your computer anymore. Sure, that's hypothetically true, and I understand that hardware could be modified, but for your average consumer and your average organization, if encryption is in place and we do threat modeling, then in general this one is not as true as it was, not anywhere near as true as it was 20 years ago.
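The cross-site scripting the talk has just traced the naming of, and returns to later with the Hotmail incident (script in the From field running as soon as the mailbox was rendered), shown as an added example in Python: a mail-list template that interpolates the sender name raw, beside the same template escaping at the point of output. This is not code from the talk, from Hotmail or from Microsoft; the sender strings are constructed, and `contains_active_markup` is a hypothetical reviewer's helper for checking rendered output.

```python
import html
import re

# Constructed "From:" display values; the last one carries markup where the
# UI expects plain text (a constructed test string, not a captured message).
SAMPLE_SENDERS = [
    "Alice <alice@example.test>",
    "Bob <bob@example.test>",
    "<script>alert('xss')</script>",
]

def render_inbox_unsafe(senders):
    """Interpolates the sender string straight into HTML. Whatever markup the
    display name contains is handed to the browser as part of the page, and
    even a benign '<alice@...>' vanishes because it parses as a tag."""
    rows = ["<tr><td>%s</td></tr>" % s for s in senders]
    return "<table>" + "".join(rows) + "</table>"

def render_inbox_safe(senders):
    """Escapes at the point of output: <, >, &, and both quote characters
    become entities, so the sender is displayed as text, never parsed."""
    rows = ["<tr><td>%s</td></tr>" % html.escape(s, quote=True) for s in senders]
    return "<table>" + "".join(rows) + "</table>"

# Elements that can execute or load active content; the template itself
# emits none of them, so any occurrence came from interpolated data.
_ACTIVE_TAG = re.compile(r"<(script|img|iframe|svg|object|embed)\b", re.IGNORECASE)

def contains_active_markup(rendered_html):
    """Crude output check: did an active element reach the rendered page?"""
    return bool(_ACTIVE_TAG.search(rendered_html))

if __name__ == "__main__":
    print(contains_active_markup(render_inbox_unsafe(SAMPLE_SENDERS)))
    print(render_inbox_safe(SAMPLE_SENDERS))
```

The fix is not a blocklist of bad strings but a property of the template: every untrusted value is encoded for the context it lands in (here, HTML text), which is what makes the sender line inert regardless of what the sending side put in the header.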
The other one for me that I get a little bit of a chuckle out of is number eight: an out-of-date virus scanner is only marginally better than no virus scanner at all. Today I think most of us can probably agree that signature-based antivirus, which is what existed at that point, maybe with some things claiming to be heuristics which really weren't, is of nominal value today, and typically you probably would consider not even architecting your organization with that kind of technology. It's one of those things that's kind of hard to make the case to get rid of. It's kind of like back in the day, you went with IBM because no one ever got fired for going with IBM. It's very hard for most people to exercise the political capital to say, I want to turn off AV, though I am aware of a number of organizations and people that have been doing that over the last few years. It's still not that common. So for me, those are the two that really stand out. He updated this list five or so years after that, didn't make a lot of changes. I think he changed antivirus to antimalware. But you know, a lot of this does still ring true today, and so you can look at that a few different ways: maybe we haven't accomplished a whole lot, or certain things are just really pervasive.

All right, moving on to 2001-2002. Lord of the Rings came out. 9/11 happened. Michael Jackson was still alive and almost killed his kid dropping him off the balcony of a hotel. He didn't do that on 5-hour Energy; before that, you had a drink of something called Jolt Cola, or just caffeine pills. We invaded Afghanistan. And honestly, I didn't remember Neopets. I guess it's still around, but Neopets at this point in time was the fourth most trafficked website on the internet; Google was number 12.

Flash was extremely pervasive in 2001-2002. To kind of cut to the chase here, there was an issue reported in Flash, and Macromedia's response, so Macromedia owned it at the time, Adobe went on to purchase it, Macromedia's response was: it's simply a software crash, it's not a
security issue, and Flash is a constrained environment by design, you would never get the virus to work. Well, if you remember anything over the next decade or more after that, there were constant vulnerabilities in Flash that were being exploited. It was a constant race to upgrade machines and patch and put in workarounds, and there were 0-days. So this was a pretty enlightening piece of information, but it really is a sign of the times. Microsoft, Adobe, Macromedia, and others, it was a common response. It wasn't a big deal: that thing ain't a vulnerability, it's not a security issue, it's a crash, it's a performance issue, it'll turn your screen blue, won't do anything bad, it's not like it's taking social security numbers. To give you a little bit more flavor of this time period, InterBase was a database package that had a compiled-in back door with the user name "politically" and the password "correct".

So the OWASP Top 10: there have been iterations since then, most recently in 2017. It gets rejiggered around; there's a lot of political infighting. Kind of the takeaway here is, boy, a lot of these vulnerabilities, or risks, because they've changed the terminology, have persisted over the last 15 years. Sure, some of them were renamed and combined or split apart or removed, just because certain people were sick of seeing them in there. Who's gonna pay attention if it's the same 10 every 3 years? We gotta throw something new in there. But it's not something that evolves all that rapidly.

This was sort of the peak, or roughly the peak, maybe a couple of years later, of worms and viruses. We weren't as creative with coming up with names of malware back then. Today you have to have a logo, you have to have a slogan, there'll be hell to pay, there'll be some domain with it, so probably at least a day has to be spent concocting all that. Back then you didn't do any of that. Usually the person who wrote the piece of malware came up with a name, and if the AV companies gave it a different name, they were pissed off and wrote a new version, and had a bunch
of back and forth. But hey, Code Red was named after a pretty new Mountain Dew drink, and Nimda was "admin" spelled backwards, so I thought, hey, that's pretty cool.

Cross-site scripting: we think about it today, and a lot of it exists; there are different forms of it. One of the earliest cross-site scripting incidents involved Hotmail, before it was bought by Microsoft. It was injecting JavaScript into the From field of the sender, and to get that to execute, all that had to happen was the user that received that email had to open up their mailbox. They didn't have to hover over that email, they didn't have to click on it, they didn't have to do anything. The rendering of the sender in HTML with the JavaScript, when they opened their mailbox, caused that to execute. That gives you an idea of the state of security at that point in time.

I mentioned before there were mailing lists. One was called Full Disclosure. It existed for a long time, then went dormant, and restarted a couple of days afterwards, a few years ago. Back in the day there were unmoderated, semi-moderated, and moderated lists for sharing information. It was a different world than exists today, and I think that's an important thing to consider now. Whether it's threat intel or anything related to security, there's a tremendous amount of information and willingness to share. We probably have more of a difficult time finding information that's current, accurate, and the best information to use, but previously there were only a few spots that you really had to look. Obviously there were smaller private communities, but it was not as diverse and readily accessible as it is today. So that is one of the things that's changed.

So when we think about what's changed, a lot of things, good and bad, changed. We talk about encryption. We weren't able to do encryption for a long time because of export laws that limited the key strength and our ability to use encryption outside the United States. Bill Clinton eliminated most of that. I wanted to say that
was in 2003-2004. I don't cover that in here, and now we kind of take it for granted. Encryption is free; there are millions of encryption certs that you can get off of free services. That was not possible back in the day. It was very difficult to implement, very costly. So a lot of things have changed, both for good and for bad. We know today there are a lot of bug bounty programs, and third parties allow for reporting of vulnerabilities and sharing with the vendor. iDefense, in this time period, was either the first or one of the first independent programs that would pay individuals for reporting vulnerabilities, and then they would coordinate that response with the affected vendors. Tor was something that came out in this time period.

And moving on to 2003-2004, we had a Space Shuttle explode, Trump had a TV show, Paris Hilton was famous for a lot of bad reasons, Ken Jennings won a bunch of games on Jeopardy, and we invaded Iraq. And that's how I sum up those two years.

But then a really great tool came out: Metasploit. So before Metasploit there were a bunch of independent scripts. I wouldn't say it took a lot of sophistication to get hold of scripts and exploit vulnerabilities, but there was not a platform that was readily available, as was the case after Metasploit came out, with plugins that allowed other people to develop additional exploits. This entire platform was built up that anyone could easily download and run, following some simple instructions, and it really reduced the barrier for individuals, both with positive intent and negative intent, to compromise and exploit vulnerabilities. And I think we owe a lot of where we are today to HD Moore and all the other individuals that were involved in Metasploit in the early days. It really drove the concept of pen testing and the ability to perform offensive attacks on organizations to test their security posture.

Up until this point, though, we didn't really have a lot of laws, so many organizations didn't want to do anything, because they were compliance
focused. Well, yeah, we understand it's a problem, but we're here to make widgets, and it won't happen to us, and we have other things we need to spend our money and resources on. California, where we are today, was the first state to implement a data breach notification law. It involved personally identifiable information like social security numbers, driver's licenses, and names. The way it was written meant that a large number of organizations in other states were also impacted, because they had customers or records of individuals in California. So this started a whole downhill, where other states began creating data breach notification laws. Interestingly, I think the 50th state didn't do so until either earlier this year or last year; there were three or so holdouts for the last four or so years. But California was the one that really paved the trail. In the same time period, HIPAA came out with its security rules, PCI came out with its Data Security Standard, and at that point there was a whole lot of compliance that organizations had to at least start to consider, at least those that were impacted. Within a few years there was hardly an organization that wasn't impacted to some degree, and so that was really what led to a lot of change. It was kind of slow change, but it led to a lot of change in the field of information security. For these two years there were a lot of worms, SQL Slammer, so big they all kind of run together. You can look them up if you don't know them.

All right, so moving ahead a little bit. "Truthiness" was a word. There was this guy that was a meme. This guy died. A couple of guys retired. There was a flood that was a humongous deal. And then the VP shot his buddy accidentally. So that's what those two years were all about.

We take for granted now where we are from an OSINT perspective, but Johnny Long was pretty instrumental at raising awareness of the concept of Google dorks, or Google hacking. He came out with a book, and it became very popular to perform searches on Google to look for information.
It is something we still do today. It's not the only search engine we use; we moved on from search engines to other applications to perform the same types of tasks. We do other things, create puppet accounts and get access to data in other ways, but we are mining publicly accessible or semi-publicly available information. The attackers are doing it, and the defenders are doing it too, and this was an early point where this was occurring. BackTrack was a platform, Debian-based, that had a bunch of security technologies on it and morphed into Kali, which pretty much anybody on the offensive side of security uses today. If they are not using it, they are quite the contrarian. In the same time period there is a guy, last name Ancheta. He was the first person charged with controlling a botnet. He had about a half million computers under his control, so we are talking a whole lot more than MafiaBoy with his 100, and he was sentenced to five years in prison. I don't actually know how long he served; a lot of these people that were sentenced to prison, in terms of serving, served quite a bit less than what they were sentenced to.

So on to 2008, where things really got interesting from my standpoint, because the iPhone was released, Android was released, and now, oh my god, there is mobile. Cloud had already existed, but cloud was starting to become a big deal. We had Rickrolling, a couple of fast guys in the Olympics, Obama became president, and since we are in the IPA capital of the world here, I would be remiss not to mention this was a time period where there was a worldwide hop shortage. Hops became very expensive. You cannot make beer without hops; well, you really can't make IPA without hops. So this was kind of a big deal.

And so at this point many people, and I'll say I was one of them, I fought mobile, I fought BYOD, I fought cloud. I'm like, we don't know how to secure this, we can't do this yet. A lot of us made that mistake. If we look back, that was something that set us back at least five years, because we didn't recognize that
that was a freight train that was coming. It was going to happen, and us saying no repeatedly just took away all of our credibility. We were in a better position to acknowledge it's something that was coming, find ways to test it small, inform the stakeholders about the risk, and get our asses in motion to figure out solutions. That's not what we did. Probably, in my mind, the biggest failure in the history of information security was that time period.

Before the DBIR, I didn't really think a lot about most security publications that came out from security vendors. By the way, I work for a security firm now, so I'm saying this, I'm not pointing a finger at anyone in particular, but let's look at it more like this: I have a lot of admiration for the folks at Verizon that put together the DBIR, because they pulled together a tremendous amount of information, got other orgs to share information, did awesome analysis, data science, great visualization, presented the information in a really usable, actionable way, and within a couple of years got to the point where, if you were in security, you waited for that day the DBIR came out. You wanted that, and your executives wanted it, and that's where we are today. So all the guys, maybe all of them, that were on that team I think have left and gone on to some very interesting roles, but we still have it here today, and it's really set the bar higher for others that are producing reports and publications. It's definitely a different tier than it was before that point.

You could get in a lot of trouble if you posted this short string of information. The MPAA and AACS would come after you, so a lot of people posted it and it just kind of got out of control.

This was also a time period where we knew that federal agencies and others were surveilling us, but a published affidavit came out revealing that the FBI was tracking the source of an email bomb threat via a program that was uncertain to exist. It confirmed their spyware capabilities, and quite a few other things came out over the following two
years that validated that this was occurring. So it wasn't like we waited until Edward Snowden to go, whoa, I didn't know about this. We're talking ten years before the fact.

2009, 2010: Kanye and Taylor Swift had an awkward moment, the iPad was released, the vice presidential candidate invented a word, refudiate. No, no, it's like a mash of refute and repudiate. I think she said that Shakespeare coined words, so why couldn't she? Tiger Woods had his mind on other things besides golf, Lindsay Lohan was having troubles, and then there was a big oil spill.

Barnaby Jack meant to give a presentation in 2009 at Black Hat, and he wasn't able to give it. He gave it in 2010, did a couple of exploits of vulnerabilities, one remote, one requiring physical access, and caused a bunch of fake money to spit out of all these machines. It was pretty awesome if you were there, and, you know, it was a real threat. It affected financial institutions, and if you look even over the last few months, there have been incidents involving people exploiting ATM machines, getting them to spit out money, and they coordinate it, and you can make a lot of money doing this. He was involved in this research. He was an early researcher in medical devices. Unfortunately he left this earth prematurely five or so years ago, but I have a lot of admiration for him and the trail he paved.

Shodan was a thing that showed up about eight, nine years ago. It was a search engine for computers, which was a little different. It's a huge deal today. You can find the Internet of Things and physical facilities and webcams and everything under the sun using it. It does a fantastic job surfacing a lot of issues, and the media runs with it. I think it's fantastic, and it's run by a team of one, at least I believe it's a team of one.

All right, we're getting closer to today. A bad guy died, and another bad guy died, we killed a bad guy, she's singing a song about six feet under something, Party Rock was in a house last night, and OMG and LOL entered the Oxford dictionary.
That's pretty legit. Then a couple of platforms launched to allow people to earn money by finding bugs in company services, where the companies were quite happy to pay money to have this happen. There were bug bounties before this; Katie Moussouris from Microsoft set up the first one at Microsoft, and she later went on to set up one, with other people, at the Pentagon. They weren't really that prominent. Bugcrowd, HackerOne, and some others have really led a lot of organizations to set up bug bounty programs, some earlier than they probably should have, and it has made it so that people can earn a living performing bug bounties. It's harder today because there's a lot more competition and you may find a bug that somebody already found, but this is now a very pervasive thing today that's not going away.

Five years back, the government shut down, we all know about Snowden, there was a Malaysian plane that got lost, the bombing of the Boston Marathon, and ISIS surfaced.

Taylor Swift, that we saw earlier: she's like a stage security persona that has been in our presence for the last five years, and there's a lot of really profound things that people share out. She has 100, 200,000 followers. She runs a site called Decent Security, which is pretty good for consumers, and I'm actually aware of some corporate organizations that use it to coordinate their phishing takedowns and reporting of malicious URLs. So yeah, Taylor Swift, she's doing a lot for the community. I already mentioned Katie; sometimes she has pink hair, sometimes she does not.

Now, Brian Krebs used to work for the Washington Post. He got fired, probably the best thing that could have ever happened to Brian, because within a day he started up Krebs on Security, and pretty quickly he started breaking huge stories like the Target data breach and the Home Depot data breach, and having awesome conversations with Russians in the cyber underground who would tell him about other competitors of theirs to get them busted, and vice versa. And then they get mad at
him and swat him, and send SWAT teams to his house, and so he's had to move and take a lot of steps so that no one can really find where he is. That's the downside, that's the downside of the situation, but he's done a lot to get information out about security, and so he's played a really key role in security over the last 20 years.

All right, getting closer. We found water and ice on a couple of planets and moons, took worldwide extreme poverty below 10%, eliminated rubella in the Americas, and then we were able to observe wavelengths of gravity to validate Einstein's theory. So a pretty awesome effort in time; it's been all this great stuff. And then we came out with these amazing contraptions you could ride without a handlebar, but they caught on fire, and mattresses that you could roll up and have shipped to you, and that's, I mean, you gotta have that. I mean, mattresses that you can roll up.

And so there have been a lot of security companies like that the last few years, that have had these crazy ideas, like, hey, that's new, and so they get series A funding or seed funding, and it's just not really a viable idea, or you don't really know what's going on behind the hood. There's cool visualizations and everybody loves it. And I'm not really sure exactly what happened to Norse; I know the CEO wasn't quite sure what happened when the media asked him, hey, what happened to your company. But they had this really cool map and did things, and then a couple of guys, Bob Rudis, who used to be on the Verizon DBIR team, and Alex Pinto, a big data scientist, threw some code up on GitHub, and you can build your own now. And ThreatButt came out, and it has one you can look at, and it's really cool and actionable and useful.

And then there were some breaches like the Democratic campaign, the Me Too movement, some dictators, Elon Musk smoked pot in California, Elon Musk, 20 other things, Putin, Trump, and they canceled 2 Broke Girls. I hate that show. I just want to see if anyone would laugh at that, and apparently not. What happened in
2007-2018, so we'll move on from there. Actually, so crypto-jacking became a thing, and then that kind of moved to crypto-mining: leveraging your computer to do crypto-jacking, taking your CPU and GPU to use it to mine coins. So when you think about this, it was pretty quick that it went from ransomware, which is still out there and is very effective, to that, because the economics were such that it's easy just to switch and move to that model. There were some pre-made tools made available; you didn't have to have any sophistication. You just grabbed some JavaScript code, stuck it on your website, stuck it on websites that weren't yours, and made some money running on other people's computers that they didn't know about.

Big advances in OPSEC I think are going to happen soon. If you think about the GM of the 76ers who posted some things, some attribution was done, it turns out it was him and/or his wife, and he lost his job.

A lot of people are all about the blockchain now. I like to think about it like this: if all you have is a hammer, everything looks like a nail. Yeah, I'm not sure everything is going to be solved by blockchain. If you have a different theory, talk to me after this presentation; I'd love to know what your theory is.

So these guys circled around 20 years later in Congress, looked a little more cleaned up, and talked about the state of things, so that was kind of nice.

All right, kind of to wrap things up. So we're kind of resetting things to zero. That was the last 20 years; we have the next 20 years. So maybe we haven't solved everything over the last 20 years, but I really do believe we've made tremendous progress. There's been a lot of rapid change on the technology side and in the threat landscape. We continue to, and we will continue to, encounter lots of friction, resource constraints, and all kinds of other challenges. That's the way it is. We're no different than any other form of risk management, whether it's safety or things that deal with pollution or anything like that. It's the same thing; those are
just fields that are, you know, 50, 100, 200 years older than us. We're in our infancy still. We have amazing tools, commercial and open source. The hard part now is figuring out how do you integrate them, do you reduce your vendor portfolio and go with less best-of-breed, how do you get these things to work together. But a lot of organizations realize, if you're going to sell a tool to somebody, you better have a really good API, because otherwise people aren't going to buy it. So we have some interesting challenges in front of us. I think it's a really, really awesome time.

For IoT, especially in the enterprise, even large organizations that manufacture IoT, you don't have a good handle on it; those that are crowdsourced don't know what they're doing at all, so that's going to be a problem for us. We got on the containerization train; this train is going to happen. We better not do what we did when cloud in general came out. So we're in okay shape with containerization, but serverless has hit us; we've done a good job there.

So we should ask ourselves what we can learn from the last 20 years and what we can do differently. We're not going to have control over everything, but really the best we can do when faced with these complex changes is do what we can control. Don't hold on to the paradigms of the past. I know there's probably still some of you in the room that still believe you have to have an 8-character, complex, multiple-composition password that you change every two days, and you better memorize it, not write it down, and it has to be unique and not like the one before. Come on now, that didn't work, that didn't work 20 years ago. I've been telling people for the last 15 years that I put mine in my wallet, and I say it's good enough for my credit cards, so why is it not good enough for my password? Sure, there's an attack vector or threat scenario where somebody can hit me over the head; there's a comic strip about that. But if I'm dead I don't care, that's somebody else's problem. If I wake up in an alley I'm going to
go change my password, so not that big a deal for me.

So a lot of this information was sourced from Today in InfoSec, which is a Twitter account that I am the custodian of. If you're not familiar with it and you'd like to know about things that happened on this day, or were announced on this day, in years past, check it out. And, yeah, emoticons. That's all I have for you. I appreciate your time. Thanks for having me here at ToorCon. Did anyone recognize themselves in a slide? I'll show you the slide; I think you might have been in it.