Imitation Game – The New Frontline of Security at QCon San Francisco

This week over 1400 software developers are gathering in San Francisco for QCon to share the latest innovations in the developers’ community. The conference highlights best practices in a wide range of emerging technology trends such as microservices, design thinking, and next generation security.

Below are three sessions that will inspire your thinking in next-gen web security and technology.


Wednesday Keynote: The Imitation Game – The New Frontline of Security, 9:00 am, Grand Ballroom, Shuman Ghosemajumder
As one of the four keynote speakers, Shuman Ghosemajumder, Shape’s VP of product management, will discuss the next wave of security challenges: telling the difference between humans and bots. From Blade Runner to Ex Machina, robots in sci-fi have become increasingly sophisticated and hard to distinguish from humans. How about in real life? How are bots taking advantage of user interfaces designed for humans? In his keynote on Wednesday, Shuman will explain how a complex bot ecosystem is now being used to breach applications thought to be secure.


Wednesday Track: The Dark Side of Security, 10:10 am, Bayview A/B, Nwokedi Idika
As Sun Tzu noted in The Art of War, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” To win the battle against rising cyber criminals, you must know your enemy. How do they think? What do they do before and after the compromise? How do they monetize? In this track, Dr. Nwokedi Idika, Senior Research Scientist at Shape, will guide you on a journey into the minds of the cyber criminals.


Wednesday Track: Javascript Everywhere, 10:10 am, Pacific LMNO, Jarrod Overson
JavaScript usage has been expanding past the browser for years. It’s now used in server applications at companies like Paypal and Walmart, native apps like Slack and Atom, mobile apps like Untappd, and even compilers for game engines like Unreal and Unity. Come to this track led by Jarrod Overson, Director of Software Engineering at Shape and JavaScript super fan, to learn why and how JavaScript is used everywhere.

Want more QCon inspirations? Follow #ShapeSecurity and #QConSF on twitter now.

Windows XP End-of-Support Will Result In More Powerful Botnets

When Microsoft announced the official end-of-support date for Windows XP, media around the world signaled this event as the end of an era.

But to enterprise security professionals, the end-of-support for 25% of the market is a terrifying prospect. Botnets, which rely on infecting computers with weak defenses, will become more powerful as XP support drops off.

Today marks the official end-of-support for Windows XP, which means no more security updates for Windows XP installations. Non-supported Windows XP installations will not get updates and will overtime become less secure and easier to hijack.

As millions of XP machine become less secure, we will see more Windows XP machines usurped and zombified for malicious web attacks.  Now that Windows XP machines will be easier to hijack, more nodes will be available to botnets to make attacks on web servers. This will impact the day-to-day of CISOs and security professionals who’s job it is to protect web infrastructure from attacks.

While many organizations are focused on upgrading to more modern operating systems, it’s the devices that they have no control over that may end up doing the most damage. It boils down to this: while an enterprise may do everything right to upgrade and protect its own computers, they don’t control the millions of devices still running XP in the wild.

Vulnerable devices get compromised, and compromised devices become parts of a botnet. Botnets provide cybercriminals with a platform for everything from DDoS against websites to sophisticated account takeover and fraud. As official support for XP runs out, attackers will naturally rush in to take advantage of those left behind.

Here is a quick breakdown of the numbers to help quantify the significance.

Windows XP Usage Remains High

Industry statistics of operating system usage can vary wildly, and current estimates of XP usage range from 10% to 28% of the total operating systems used worldwide. With an estimated 2 billion PCs in world, that means that somewhere between 200 million to 580 million devices will be vulnerable by definition.

Source: NetMarketShare 2014

Windows XP Vulnerabilities Remain High 

2013 was a busy year for new Windows XP vulnerabilities, with a total of 88 new vulnerabilities reported. For comparison, this is twice as many vulnerabilities as were observed in 2012. The comparative view of Microsoft CVEs shows that while XP is not the leading source of vulnerabilities, it remains a very significant source of new vulnerabilities.

Source: CVEDetails.com

 Windows XP Infection Rates Remain High 

Microsoft’s latest Security Intelligence Report shows that while the popularity of XP is on par with other Windows operating systems, the infection rate is almost double that of more modern operating systems.

Source: Microsoft Security intelligence Report Volume 15

These statistics certainly favor the attackers. Even if enterprises manage the Windows XP end-of-life perfectly, all of the unprotected XP devices in the wild remain. This is why deflecting bots and automated threats has become so important for virtually any organization with an Internet-facing site or application.

Clarification: Wade Williamson wrote this article.

Introducing the Shape Shifter

The security industry has focused largely on preventing malware infections, yet has failed to protect websites against attacks from hundreds of millions of infected consumer computers.

Today we launch the most advanced website defense. 




We founded Shape Security two years ago to tackle one of the hardest problems in web security: how to protect the front door of modern websites. The pervasive rise of malware-infected desktops, botnets and automated attacks threaten the foundation of the new Internet economy. We realized this called for a new approach to security—one that dealt with the reality that we can never truly eliminate malware from the desktop. 



The security industry has focused largely on preventing malware infections, yet has failed to protect websites against attacks from hundreds of millions of infected consumer computers. Our core strategy is to provide technology to protect websites even when they are serving infected desktops. In military terms, this is called “continuing to operate in a denied and degraded environment.” The ubiquity of malware-compromised desktops creates a degraded environment within which we must still find ways to enable everyday online activities like banking, shopping, socializing, and checking health records. 

To accomplish these goals, today we unveil the ShapeShifter, a web security product that protects websites from malware, botnets and scripts. 

Botnets: A Massive Criminal Infrastructure of Infected Computers


Today’s cybercriminals assemble massive networks of infected computers (botnets) to attack websites. Most security products fail to block such attacks because criminals are able to make their botnet-based attacks look like legitimate usage. 

These botnets are the backbone for a wide variety of high-volume, automated attacks against websites. Some of these attacks are well-known, such as when banking botnets steal millions of dollars across many online banking sessions, or when bots abuse basic website functionality, crippling websites with traffic that is almost impossible to block. Other attacks are much more subtle but just as damaging. For example, a botnet can slowly test stolen usernames and passwords against an e-commerce site in order to take over millions of accounts and defraud end-users. In fact, the same underlying mechanism is likely how miscreants will turn the the vast trove of over 100 million credit cards stolen from Target into money: they will use automated scripts running on botnets to purchase things like gift cards and other easy-to-sell goods from e-commerce websites. 

There are many examples of attacks that use botnets and automated scripts to exploit websites, but they all target the same inherent vulnerability: the fact that most websites are created from publicly viewable common building blocks (HTML, Javascript, and CSS). This allows criminals to treat websites as implicit APIs, meaning the website can be operated by bots and scripts that can perform any action the website supports. Older security technologies do very little to deal with this problem. Traditional threat signatures and reputation scoring don’t work very well, because most attacks look and feel like normal usage from computers belonging to legitimate human users. Rate limits are easy to avoid by distributing an attack across thousands of IP addresses in a botnet. The ineffectiveness of these and other traditional techniques led us to seek a solution that could disable attacks from malware, botnets and scripts. So we built the ShapeShifter. 



Introducing the ShapeShifter


The ShapeShifter uses real-time polymorphism as a defense—it dynamically changes website code to break automated attacks. Cybercriminals have long used polymorphism to hide malware by making the malware appear to be different upon every new infection. We harness polymorphism to make the source code of websites appear differently on every page view, which has the effect of defeating malware, botnets and scripts. All of this happens without creating any user-visible changes. The website looks and feels exactly the same to legitimate users, but the underlying site code (HTML, JavaScript, and CSS) is different on every pageview. Because bots must reference the content is some manner, this never-ending modulation of the site code breaks scripts and deflects attacks. Ultimately, the ShapeShifter aims to stop non-human visitors from executing large-scale automated attacks. This may help break the economics of breaches like the one Target experienced in late 2013, by eliminating the monetization path. 



Many web attacks are only profitable if automated. Criminal enterprises pursue profit: without automated scripts, many of today’s attacks cease to be economically viable. Instead of constantly detecting and reacting to threats, the ShapeShifter targets the economics of web hacking, and makes the preferred approach of criminals—automation, too expensive. This provides broad protection from automated attacks against websites and represents a completely new approach to security.