Joaquim Espinhara is just a guy who likes computers and (in)security. By day he is a Senior Security Researcher at TSS, performing countless penetration tests on networks, applications and web applications, as well as security-focused code reviews, for a number of organizations around the world, including governments, banks, retailers, etc. He also serves as Chief Hacking Officer at Bitwise Labs, a security research group focused on vulnerability research and exploit development. Last but not least, he is a CTF player on the TheGoonies team. Finally, as a "professional" speaker, his recent talks include Infiltrate, H2HC, YSTS, Confidence, Black Hat USA, Black Hat Brazil Summit, HITB Kuala Lumpur, HITB Amsterdam, Roadsec, Ruxmon, Turbo Talks, Silver Bullet, Secure Brasil and others.
Your vendor might have screwed up, but it's still your problem!?
Almost two or three years ago I started, on my own and in my spare time, to look into a popular anti-fraud software common in Brazil and used by the biggest banks. In the meantime, I released details about vulnerabilities and weaknesses present in the "agent" installed on the bank customers' computers that might pose a risk to the users. All problems described/reported are related more to security than to the possibilities of performing fraud.
Even being an on-going project (2-3 yrs == lazy researcher :), it's noticeable that the agent/application fails to satisfy the best practices of secure development, but as a side note it's crucial to say some words about how big the software/agent attack surface is, which is: nineteen (19) banks, 3 main OSes with 2 (two) different architectures (x86, x64), and banks with specific needs, for instance, legacy Windows XP users. The agent mobile version is out of scope.
Over the recent months, I've reported vulnerabilities that were quickly fixed by the vendor but neglected by some banks that are still offering their customers old/insecure versions. The goal of this presentation is to bring light to the banks' responsibilities towards their customers, suggesting the implementation of a testing approach/methodology in order to keep the bank's assets safe without decreasing the customers' security.