如何建设互联网安全免疫系统How To Build The Immune System For The Internet

WooYun

关于我 About Me• 80sec 安全团队创始人 Founder Of 80sec Security Team （ ID: 剑心）• 前百度安全架构师 Former Security Team Leader In Baidu

• 乌云安全社区创始人 Founder Of Wooyun Security Community

关于我 About Me

• 黑客理想主义者 Idealism In Thinking• 黑客实用主义者 Pragmatism In Hacking

关于今天的议题Topic Today

• 没有关于专业 APT 的分享 No APT To Share• 没有关于最新技术的分享 No popular Hacking skills To Share

当我们讨论安全时我们在讨论什么What Are We Talking When We

Talk About Security

• 以破坏的方式创建一个更好更安全的世界• Hacking For Building

当我们讨论安全时我们在讨论什么 What Are We Talking When We Talk About Security

• 我们可以破解世界上最安全的汽车 We Can Hack The Safest Car In The World• 但是我们却无法让人们不用弱口令 But We Can’t Stop People Using Weak

Password

我们面对的互联网环境The Internet Environment We Are

Facing

• 数以亿计的用户 Billions of users• 巨大的用户基础导致同样巨大的黑色产业

Huge Black Industry Based On Huge Amount Of Users

我们面对的互联网环境The Internet Environment We Are Facing

• 短时间爆发增长的企业和应用 The Burst Of Enterprises And

Applications During A Very Short Time• 先生存再考虑安全

To Survive Before Considering Security

• 相对不完善的规范和机制 The Relatively Deficient Of Regulation

And Mechanism• 安全的合规性大于实际应用 Focus More On Compliance Than Being

Really Secure

我们面对的互联网环境The Internet Environment We Are Facing

• 快速发展的云和新型技术 Rapid Development In Clouds And New

Technologies• 现在包括家里的锁都已经开始联网 Even Homelock Become Networking

Connected

我们面对的互联网环境The Internet Environment We Are Facing

如果你是一名白帽子If You Are A Whitehat

• 你不能获得较高的薪水和较好的职业发展 You Have No Access To Better Salary And

Career Development• 企业并不重视安全因为用户并不了解安全 Enterprises Paid No Attention Given

Customer’s Lack Of Understand

如果你是一名白帽子 If You Are A Whitehat• 因为商业安全社区缺乏分享和讨论 The Lack Of Share And Discussion In

Commercial Security Community• 你的伙伴会越来越少但是敌人会越来越多 More Enemy And Less Friend

如果你是一名白帽子 If You Are A Whitehat• 你企业的安全状况不会因为你努力而变得更好 The Safety Status Won’t Be Better For Your

Hard Work• 因为网络环境变得更糟你的敌人更多

More Enemies For Worse Internet Environment

失控的互联网Internet’s Out Of Control

• 糟糕的生态 Bad Ecological System

银弹在哪里Where Is The Silver Bullet

• 我们能用更好的安全技术来解决这些安全问题么 Can We Solve Those Security Issues

Through Better Security Technologies?

• 问题的核心在哪里 What Is The Core Of The Problem?

银弹在哪里Where Is The Silver Bullet

为什么 The Reason Why封闭 Closed environment

– 用户（封闭导致看不到真实的问题）Customers (Too Closed To Notice The Real risk)– 企业（用户看不到问题可以不投入）Enterprise ( No Invest In Fields Users Not Notice) – 行业（信息的不对称可以获得利润）Industry (Profit From  Information Asymmetry )

传统漏洞披露过程Conventional Process Of Vulnerability Disclosures

• 漏洞第一时间提交给厂商Vulnerability Is Submitted To Enterprise At The First

Time• 厂商和修复确认及补丁推送Enterprise Start To Confirm And fix• 对外不主动披露任何信息No Information Will Be Made Public Initiatively • 可能的商业合作和奖励致谢Possible Commercial Cooperation And Reward

负责任漏洞披露过程The Responsible Process Of

Vulnerability Disclosures• 符合企业自身利益诉求 Conform To Enterprise Own Interest Appeal

• 符合早期信息安全环境Conform To Early Information Security

Environment

变化 Changes

• MS/Adobe/Apple– 封闭体系 Closed System– 终端安全 Terminal Security

• Google/Amazon/Apple– 开放体系 Open System– 云端安全 Cloud Security

我们希望 Our Expect

开放 Open– 用户（通过安全信息的公开披露能够了解安全）Users ( To Better Know Security Through

Information Pubic Disclosure) – 企业（用户对安全的关注和了解将使得企业提高在安全的投入）– Enterprise ( To Improve Investment In

Security To Meet Users Demand )– 行业（透明的环境使得产品和技术价值提升）– Industry ( Transparent Environment

Promotes The Value Of Product And Technology)

负责任漏洞披露过程（乌云版） Vulnerability Disclosures Process –Wooyun Version

• 漏洞第一时间提交给厂商Vulnerability Is Submitted To Enterprise At The First

Time• 厂商修复确认及补丁推送Enterprise Start To Confirm And fix• 对外公开全部漏洞细节Vulnerability Details Will Be Shared Publicly• 重要漏洞会被预警和讨论High Risk Vulnerability Will Be Warned And Discussed

In The Early Stage

负责任漏洞披露过程（乌云版） Vulnerability Disclosures Process –Wooyun Version

• 符合现有环境下行业对安全的诉求Conform To Industry Security Appeal Under

Current Environment

• 符合现在以及未来情况下安全环境Conform To The Current And Future Safety

Environment

乌云生态的核心价值体系The Core Value System --Wooyun

Ecology• 所有企业可以第一时间修复自己安全问题和了解互联网风险• All Enterprises Can Fix Their Own Vulnerability And

Know Internet Risk

• 社区和企业可以学习公开的问题细节从而避免更多问题出现• Enterprises Can Avoid More Potential Problems

Through Learning From Shared Vulnerabilities

• 用户通过公开的问题可以了解到自己数据是否存在潜在风险• Users May Find Potential Risks Through Disclosed

Information

Github but in security

Bug bounty but Free

WhiteHat School but no teacher

我们做到的What We Have Done:

• 10， 000+ 白帽子为互联网报告了100,000+ 漏洞

More Than 10,000 White Hats Have Reported 100,000 Vulnerabilities For Internet Industry

我们做到的What We Have Done:

• 重要安全漏洞发现和修复周期缩短为周甚至更短• The Disclosure And Repair Cycle For

Important Security Vulnerability Has Shortened To Weeks Or Even Shorter

我们做到的 What We Have Done:

• 重要的安全风险用户都会了解并且敦促企业进行处理High Risk Users Will Understand And Urge

Enterprises To Repair

我们做到的What We Have Done:

• 企业更好的认识安全后社区白帽子有更好的发展• Whitehats In The Community Have

Better Career Development After Enterprises Know More About Security

我们做到的What We Have Done:

• 白帽子 + 用户 + 企业 +政府形成一个良好的安全免疫机制A Healthy Security Immune Mechanism Is

Established :

Whitehats + Users + Enterprises + Government

Q&A

• ：）