Vienna, October 16-17 2017
We hired hackers to hack us: a case study about cloud-based authentication and security in IBM Connections
Robert Farstad @robertfarstad
Social Connections 11 Chicago, June 1-2 2017 Social Connections 12 Vienna, October 16-17 2017
This session…
…is mainly for you tech-people. But very useful for everyone to see. Might be an eye-opener.
No talk about:
• What IBM Connections is…
• What IBM Cnx can give you…
• No ROI talk, whatsoever!
• How to use IBM Cnx!!
This session…
…is a case study where I will show you
• an integration with Auth0.
• how we hired hackers to hack us.
The customer
The customer – Høyre
• Political party, won the election in 2017, second time in a row.
• Norway's Prime Minister is Høyre's leader.
• 60,000 members
• Was a white-space customer.
• Now: Connections + Docs + Sametime
• IBM Reference Customer.
• Security is a priority, more and more.
• Election year = hacking attempts.
• We hacked them first!
Auth0 - cloud based authentication
Høyre used Auth0 for all websites. The requirement for them to become a Connections customer was:
• Authentication integration with Auth0!
• → POC: Item Consulting developed a TAI mechanism towards Auth0.
What is Auth0?
Auth0 - cloud based authentication
You can connect any application.
• Custom credentials: username + password
• Social network logins:
  • Google, Facebook, Twitter, and any OAuth2, OAuth1 or OpenID Connect provider.
• Enterprise directories:
  • LDAP, Google Apps, Office 365, ADFS, AD, SAML-P, WS-Federation, etc.
• Passwordless systems:
  • Touch ID, one-time codes via SMS or email.
• Supports several 2-factor solutions.
• JSON Web Token
• Secure API (TLS v1.2, AES_128_GCM, and ECDHE_RSA as the key exchange mechanism.)
• Extensible admin tool.
• Monitoring (#logins, where from, who fails, hack attempts, alarms.)
• Blocking
• Logs
• Synced with Høyre's back-end member system via MSSQL DB, securely!
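The Auth0 feature list above rests on the JSON Web Token the service issues; whatever receives such a token (the TAI described later in this deck, or any other relying party) has to verify it before trusting its claims. The Python below is an added example, not code from the talk, from Item Consulting or from Auth0: it mints and verifies an HS256 token with the standard library only, pinning the algorithm and checking signature, issuer, audience and expiry in that order. The issuer URL, audience and secret are constructed placeholders; a real Auth0 tenant more commonly signs with RS256 and publishes its public keys, so the signature step there is a public-key check rather than an HMAC.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders: a real tenant URL, client id and client secret come
# from the Auth0 tenant settings and are never hard-coded like this.
EXPECTED_ISSUER = "https://example-tenant.auth0.invalid/"
EXPECTED_AUDIENCE = "connections-demo-client"
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_token(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT, standing in for what the identity provider returns."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def unsigned_token(claims: dict) -> str:
    """A token with alg=none and an empty signature; used only as a negative test case."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify_token(token: str, secret: bytes, now=None) -> dict:
    """Return the claims if every check passes; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm instead of trusting the header: this rejects alg=none
    # and any attempt to swap the verification algorithm.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Only after the signature holds do the claims mean anything.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


def token_is_valid(token: str, secret: bytes, now=None) -> bool:
    try:
        verify_token(token, secret, now)
        return True
    except ValueError:
        return False


def demo_claims(exp: int) -> dict:
    return {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
            "sub": "auth0|demo-user", "exp": exp}


if __name__ == "__main__":
    good = mint_token(demo_claims(2000), DEMO_SECRET)
    print("good token accepted:", token_is_valid(good, DEMO_SECRET, now=1000))
    print("expired rejected:", not token_is_valid(good, DEMO_SECRET, now=3000))
    print("alg=none rejected:", not token_is_valid(unsigned_token(demo_claims(2000)), DEMO_SECRET, now=1000))
    print("other key rejected:", not token_is_valid(mint_token(demo_claims(2000), b"other-key"), DEMO_SECRET, now=1000))
```

The order of checks matters: the signature is verified before any claim is read, so issuer, audience and expiry are only compared on data the key holder actually signed.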
Auth0 + TAI
• Item developed a WebSphere Application
• TAI – Trust Association Interceptor.
• → LTPA token after authentication
• New Auth0 login page.
• Logout pages are modified:
  • Logs out of Auth0
  • Logs out of WebSphere
Devices used
Login occurs from:
• Browsers
• Apps
• Desktop plugins.
Technically, the login procedures are quite different.
Web-browsers
Apps + Plugins
Tivoli Directory Server - TDS
◘ FREE/bundled LDAP server for IBM Connections
◘ Standard setup between WebSphere and TDS
◘ Import of users via TDI/SDI to TDS.
◘ From MSSQL Database – over site-to-site VPN.
◘ Imports only the most relevant fields: name, email, mobile, position, company, department
Tivoli Directory Server – TDS + PTA
◘ Password field in TDS is blank!
◘ PTA is triggered.
◘ What is PTA?
◘ Pass-Through Authentication
◘ PTA is configured to search in an alternative LDAP source.
◘ The password is stored in Auth0
◘ Our PTA source is TDI/SDI
◘ TDI calls the TAI application – gets response code 200 if OK.
◘ → logged in
What is TDI/SDI?
◘ Tivoli Directory Integrator / Security Directory Integrator
◘ Data manipulation system, limitless possibilities.
◘ Eclipse based – JavaScript coding.
◘ Used to move, consolidate, manipulate data.
◘ Used in Connections for profile data import.
◘ Best tool ever, once you've learned the gist of the GUI and debugger.
TDI – acting as an LDAP server.
◘ Simulates an LDAP server
◘ Gets attempted username and password from TDS PTA.
◘ Credentials → WebSphere Auth0 login app.
◘ WAS app → REST lookup to Auth0 API.
◘ Gets return code OK or NOT_OK.
◘ TDI receives the same code from the WAS app.
◘ TDS PTA receives the same code from TDI.
◘ TDI runs multiple instances – can handle large load.
TDI – acting as an LDAP server.
Simple code – extremely powerful!
Did they get in?
We hired hackers
What they tested
• Login attempts
• SSL + headers
• Apps
• Stolen laptop
• Me!
• Sensitive information
SSL tests
www.ssllabs.com: grade was bad. After hardening: SSL cipher suite, honor cipher order, and SSLv2 + SSLv3 disabled. TLS only.
SSL tests – http config for Grade A SSL
SSLEnable
SSLProtocolEnable TLS
SSLProtocolDisable SSLv2 SSLv3
# Disable SSL Compression -> CRIME ATTACK
SSLCompression off
# Prefer ECDHE-RSA ciphers
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
# Enabling these 3 ciphers means A-rating on ssllabs
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec ALL SSL_RSA_WITH_3DES_EDE_CBC_SHA
Headers
securityheaders.io: grade was bad. After hardening: Grade A.
HTTP config to achieve Grade A:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set Referrer-Policy "same-origin"
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "DENY"
Header set X-Frame-Options SAMEORIGIN
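The two hardened fragments above (the SSL directives and the Header directives) can be checked mechanically before a deploy, which also catches what a grading site would: the last line of the header config sets X-Frame-Options a second time, and with `Header set` the later SAMEORIGIN replaces DENY, while the 3DES suite kept for compatibility is what holds the SSL grade back. The Python below is an added example, not the talk's or IBM's code: a small linter over IBM HTTP Server-style directives that flags legacy protocols not explicitly disabled, compression left on, weak ciphers such as 3DES and RC4, a missing or short HSTS header, missing nosniff, and duplicate X-Frame-Options. The weak "before" fragment is constructed; the hardened fragment is the deck's config, abridged.

```python
import re
from typing import Dict, List

# Constructed "before" fragment: the kind of config that earns a bad grade.
WEAK_CONF = """
SSLEnable
SSLProtocolEnable SSLv3 TLS
SSLCompression on
SSLCipherSpec ALL SSL_RSA_WITH_RC4_128_SHA
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
"""

# The hardened fragment from the slides (cipher list abridged), fed in unchanged.
HARDENED_CONF = """
SSLEnable
SSLProtocolEnable TLS
SSLProtocolDisable SSLv2 SSLv3
# Disable SSL Compression -> CRIME ATTACK
SSLCompression off
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec ALL SSL_RSA_WITH_3DES_EDE_CBC_SHA
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set Referrer-Policy "same-origin"
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "DENY"
Header set X-Frame-Options SAMEORIGIN
"""

WEAK_CIPHER_MARKERS = ("3DES", "_DES_", "RC4", "NULL", "EXPORT", "MD5")
MIN_HSTS_AGE = 31536000  # one year, the value the slides use


def parse_directives(conf: str) -> List[List[str]]:
    """Split a fragment into [directive, arg, ...] lists; comments and blanks are dropped."""
    rows = []
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            # keep quoted header values together as one argument
            rows.append(re.findall(r'"[^"]*"|\S+', line))
    return rows


def lint(conf: str) -> List[str]:
    """Return findings for the fragment; an empty list means every check passed."""
    enabled, disabled = set(), set()
    compression_off = False
    ciphers: List[str] = []
    headers: Dict[str, List[str]] = {}
    for parts in parse_directives(conf):
        name, args = parts[0].lower(), parts[1:]
        if name == "sslprotocolenable":
            enabled.update(a.lower() for a in args)
        elif name == "sslprotocoldisable":
            disabled.update(a.lower() for a in args)
        elif name == "sslcompression":
            compression_off = [a.lower() for a in args] == ["off"]
        elif name == "sslcipherspec" and len(args) >= 2:
            ciphers.append(args[1])
        elif name == "header":
            if args and args[0].lower() == "always":
                args = args[1:]
            if len(args) >= 3 and args[0].lower() in ("set", "add", "append"):
                headers.setdefault(args[1].lower(), []).append(args[2].strip('"'))

    findings: List[str] = []
    for legacy in ("sslv2", "sslv3"):
        if legacy in enabled or legacy not in disabled:
            findings.append(f"{legacy.upper()} not explicitly disabled")
    if not compression_off:
        findings.append("SSLCompression not off (TLS compression enables CRIME)")
    for cipher in ciphers:
        if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher enabled: {cipher}")
    hsts = headers.get("strict-transport-security", [])
    age = re.search(r"max-age=(\d+)", hsts[-1]) if hsts else None
    if age is None or int(age.group(1)) < MIN_HSTS_AGE:
        findings.append("Strict-Transport-Security missing or max-age below one year")
    if "nosniff" not in [v.lower() for v in headers.get("x-content-type-options", [])]:
        findings.append("X-Content-Type-Options nosniff missing")
    xfo = headers.get("x-frame-options", [])
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif len(xfo) > 1:
        findings.append(f"X-Frame-Options set {len(xfo)} times; 'Header set' keeps only the last value ({xfo[-1]})")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}:")
        for finding in lint(conf) or ["no findings"]:
            print("  -", finding)
```

Run against the deck's own fragment the linter reports exactly two things: the 3DES suite and the doubled X-Frame-Options. Pick one framing value and drop the other line, and accept the compatibility trade-off of the 3DES suite knowingly or remove it.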
The Mobile App
Decompile
• Android app is decompilable
• Broken down to study the code
Test
• Tried every URL found in the code
Result
• Found no insecurities!
• But MITM attacks were possible!
MITM - Man-in-the-middle attack
An employee is out traveling and connects to a public network such as a hotel or airport WIFI. But instead, connects to a hacker's wifi hotspot. Then clicks on "Continue"…. He/she will give the hacker running a MITM attack full visibility over the traffic.
MITM - Man-in-the-middle attack
mobile-config.xml has the solution for the Connections app. Don't press "Continue"! Tell your admins to fix it.
Demo time
The demo consisted of showing a MITM attack + a username/password "cluster bomb" attack using the free tool Burp Suite.
Accident waiting to happen
What did they find when they got in?
Stolen Laptop Scenario
Stolen Laptop Scenario
• Not hard to find the password on the PC
• Once in, passwords to sites are normally stored in the browser.
• Saved wifi hotspots give hackers GPS coordinates => they can drive up alongside your company's building and connect.
• Hackers found sensitive information open to all of the IBM Connections users.
Don't expose login information available to everyone!
They hacked me!
Or at least, they tried to…
They hacked me!
• They knew who I was.
• Googled me, found my blog.
• In one of the screenshots, a password was censored.
They hacked me!
I was a weak link…
How hard is it for hackers to find IT staff at your company? LinkedIn search… Google search… Google is both your friend and your enemy.
• Bad censoring!!
• Found 6 out of 9 chars by matching font and size and studying the curves.
Avoid stress
• Mask/hide better!
• Hackers are clever bastards.
• Hackers have A LOT of free time.
• Implement a 2-factor authentication mechanism, like Auth0
• Hide your stuff.
• Once again: hackers are clever bastards.
• Lockout policy – i.e. 5 attempts => locked out… Hackers have tools for that!
• Train your users!
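The username/password "cluster bomb" demo earlier in this deck and the lockout bullet above describe the same problem from both sides. The Python below is an added example, not from the talk or from the customer's systems: it replays constructed login events through the 5-attempts-then-locked policy the slide names, refuses a correct password while the lock still holds, and adds a per-source check, because a tool that rotates through many accounts (or many addresses) never trips a per-account counter. Everything beyond the 5 attempts is an assumption: the 10-minute window, the 15-minute lock, the spray threshold, and the log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

MAX_FAILURES = 5                       # "5 attempts => locked out", as on the slide
WINDOW = timedelta(minutes=10)         # assumed: failures older than this no longer count
LOCK_DURATION = timedelta(minutes=15)  # assumed lock length
SPRAY_DISTINCT_USERS = 5               # assumed: one source failing against this many accounts

# Constructed sample log (not the customer's data): "<iso time> <user> <source ip> <result>".
SAMPLE_LOG = """
2017-10-16T09:00:01 alice 203.0.113.7 FAIL
2017-10-16T09:00:03 alice 203.0.113.7 FAIL
2017-10-16T09:00:05 alice 203.0.113.7 FAIL
2017-10-16T09:00:07 alice 203.0.113.7 FAIL
2017-10-16T09:00:09 alice 203.0.113.7 FAIL
2017-10-16T09:00:11 alice 203.0.113.7 OK
2017-10-16T09:05:00 bob 198.51.100.23 FAIL
2017-10-16T09:05:01 carol 198.51.100.23 FAIL
2017-10-16T09:05:02 dave 198.51.100.23 FAIL
2017-10-16T09:05:03 erin 198.51.100.23 FAIL
2017-10-16T09:05:04 frank 198.51.100.23 FAIL
2017-10-16T09:30:00 bob 192.0.2.44 OK
"""

Event = Tuple[datetime, str, str, bool]


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result == "OK"))
    return events


def analyse(events: List[Event]) -> Dict[str, object]:
    """Replay login events in order, applying the lockout policy and spray detection."""
    fails_by_user: Dict[str, Deque[datetime]] = defaultdict(deque)
    locked_until: Dict[str, datetime] = {}
    rejected_while_locked: List[Tuple[datetime, str]] = []
    failed_users_by_source: Dict[str, Dict[str, datetime]] = defaultdict(dict)
    spraying: Dict[str, List[str]] = {}

    for ts, user, src, ok in events:
        # A locked account is refused even when the password is right.
        if user in locked_until and ts < locked_until[user]:
            rejected_while_locked.append((ts, user))
            continue
        if ok:
            fails_by_user[user].clear()
            continue

        # Per-account sliding window: the classic lockout policy.
        window = fails_by_user[user]
        window.append(ts)
        while ts - window[0] > WINDOW:
            window.popleft()
        if len(window) >= MAX_FAILURES:
            locked_until[user] = ts + LOCK_DURATION
            window.clear()

        # Per-source view: one address failing once per account stays under the
        # per-account threshold, so it has to be counted separately.
        recent = failed_users_by_source[src]
        recent[user] = ts
        for stale in [u for u, t in recent.items() if ts - t > WINDOW]:
            del recent[stale]
        if len(recent) >= SPRAY_DISTINCT_USERS:
            spraying[src] = sorted(recent)

    return {"locked": locked_until,
            "rejected_while_locked": rejected_while_locked,
            "spraying": spraying}


if __name__ == "__main__":
    report = analyse(parse_log(SAMPLE_LOG))
    for user, until in report["locked"].items():
        print(f"locked: {user} until {until.time()}")
    for ts, user in report["rejected_while_locked"]:
        print(f"rejected while locked: {user} at {ts.time()}")
    for src, users in report["spraying"].items():
        print(f"spray from {src}: {', '.join(users)}")
```

On the sample, alice is locked after the fifth failure and her correct password two seconds later is still refused, while the second source never locks anyone yet is reported for touching five accounts; that second signal is what the per-account policy alone would never raise.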
Useful links:
Check SSL: https://ssllabs.com
Check Headers: https://securityheaders.io
Analyze CSP: https://report-uri.io/home/analyse
What can your browser support? http://caniuse.com/#search=referrer%20policy
Auth0 multi-factor authentication: https://auth0.com/docs/multifactor-authentication
Burp Suite: https://portswigger.net/burp
Ethical Hacker Certification: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
My blog: http://blog.robertfarstad.com
Twitter: https://www.twitter.com/robertfarstad
Item Consulting: https://www.item.no