
Keeping Secrets on the Internet of Things - Mobile Web Application Security

Description

Have you ever wondered why our web apps, and mobile web apps in particular, are hard to secure? Be sure to read the speaker's notes in this presentation. In this lengthy presentation you will observe where researchers and hackers corrupt the developer's intentions; then you will look at the Good, the Bad and the Ugly of secure software development, WAF considerations and Mobile Device Management.

Page 1: Keeping Secrets on the Internet of Things - Mobile Web Application Security

Keeping Secrets In the vast Internet of Things

Zisher Mob::Web::Sec
Ipsilon Group

Kelly Robertson

Page 2

Agenda

M-Days

Part One
• What are the stakes today?
• We are vulnerable and dependent
• Current InfoSec cannot reach the New Reality
• Motivations for mis-trust
• As the world turns…

Part Two
• Software Development – Secure by Design

Part Three
• Solutions for organizations and end users

Page 3

The sun rises and sets the same on the Good and the Bad

• Brightest Flashlight Free
• Jekyll on iOS
• Pinskimmer
• FireSheep and Faceniff

Part One

Page 4

The Heartbleed Bug

• A memory-disclosure bug (CVE-2014-0160) in OpenSSL's TLS heartbeat extension, not a flaw in the TLS protocol itself
• SSL/TLS is used for email, banking, e-commerce and privacy throughout the Internet
• Attackers could eavesdrop on communications, steal identities and data
• Leave-no-trace, long exposure, ease-of-exploit

Page 5

SnapChat

• 4.6 million usernames and phone numbers leaked
• Anonymous posted this information and said:

“You are downloading 4.6 million users’ phone number information, along with their usernames. People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with.”

Page 6

PlaceRaider

• Very scary smartphone malware (a research proof of concept)
• US Naval Surface Warfare Center and Indiana University
• An Android app that secretly records and reconstructs a user’s environment as a 3D virtual model

Page 7

The Mask

• 380+ targets in 31 countries over 7 years
• One of the most sophisticated attacks ever seen
• Intercepts network traffic, Skype, PGP keys, Wi-Fi traffic, keystrokes, screen captures, encryption keys, and more
• Three separate backdoors for Windows (32/64-bit) and Mac OS, using sophisticated malware, a bootkit and a rootkit
• The iPad and Android versions are very difficult to trace; what remains is a log entry like this one:

Date: Wed, 15 May 2013 23:34:01 +0000
Remote IP Address: 200.x.x.x
** User Agent
Browser User Agent String: (empty)
Browser Name: iPad

Page 8

Information Security Today

• Encryption
• Authentication
• DNSSEC
• VPN
• Soft tokens
• Anti-virus
• Anti-malware
• Biometrics
• Next-generation firewalls
• Intrusion detection
• Threat feeds
• Manned SOCs
• Forensics
• And so forth…

Page 10

Mobile Web Apps

• Porous trust boundaries – apps inherit trust and data from other components: the app store curator, the operating system and its APIs
• Physically vulnerable to boot/root attacks by whoever holds the device
• Lots of sensors and sensitive user data
• User’s unwarranted trust
• Client–server paradigm – the server has no control over what runs on the client
• Bluetooth, baseband, Wi-Fi, RF “always on”
• Jailbroken or rooted phones subvert the platform’s controls

Page 11

Mobile Web Apps – Platform Details

• iOS apps are written in Objective-C – a C superset with a dynamic message-passing runtime
– The runtime keeps class, method and selector names in the binary, so class-dump-style ‘extractors’ can harvest class declarations and program logic – details that attackers exploit
– Any end user can pull a hard-coded symmetric key out of the app binary – and that key is often a component of the app’s ‘secure’ transactions
– Anti-tamper measures, moving sensitive logic into C++ (which leaves no Objective-C runtime metadata) wherever possible, and generic declarations mitigate much of this

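A check for the hard-coded-key problem on the slide above, added here as an example and not code from the deck or any product: scan an app binary the way `strings` plus an entropy filter would, and report printable runs that look like key material rather than identifiers, URLs or UI text. The sample blob, the base64 and hex key values inside it, and the thresholds are all constructed for this example.

```python
"""Scan a compiled-app blob for embedded key material (strings + entropy)."""
import math
import re

# Constructed sample blob standing in for an app binary: ordinary strings,
# an Objective-C class symbol, a base64-encoded 32-byte key and a hex key.
# The key values are made-up filler, not real secrets.
SAMPLE_BLOB = (
    b"\x00\x01\x02__TEXT\x00__DATA\x00"
    b"Login failed, please try again\x00"
    b"https://api.example.invalid/v1/token\x00"
    b"NSLocalizedDescription\x00"
    b"_OBJC_CLASS_$_PaymentViewController\x00"
    b"K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=\x00"
    b"3f8a9c2d1e4b5a6f7081926a3b4c5d6e\x00"
    b"\xff\xfe\x00"
)

BASE64_LIKE = re.compile(r"[A-Za-z0-9+/=_-]{16,}")   # base64 / base64url alphabet
HEX_LIKE = re.compile(r"[0-9a-fA-F]{32,}")           # 128-bit key or longer, hex-encoded


def printable_runs(blob: bytes, min_len: int = 16) -> list:
    """Like `strings -n <min_len>`: runs of printable ASCII found in the blob."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own histogram."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def char_classes(s: str) -> int:
    """How many character classes appear: upper, lower, digit, symbol."""
    return sum([
        any(c.isupper() for c in s),
        any(c.islower() for c in s),
        any(c.isdigit() for c in s),
        any(not c.isalnum() for c in s),
    ])


def find_embedded_secrets(blob: bytes, min_entropy: float = 3.5) -> list:
    """Return printable runs that look like keys rather than identifiers or text.

    Heuristics: a hex string of 32+ chars, or a base64-looking string mixing at
    least three character classes (identifiers such as NSLocalizedDescription
    only mix two).  Both must clear an entropy floor so padding is not flagged.
    """
    hits = []
    for s in printable_runs(blob):
        if HEX_LIKE.fullmatch(s):
            kind = "hex"
        elif BASE64_LIKE.fullmatch(s) and char_classes(s) >= 3:
            kind = "base64"
        else:
            continue  # identifiers, URLs, UI strings
        ent = shannon_entropy(s)
        if ent >= min_entropy:
            hits.append({"string": s, "kind": kind, "entropy": round(ent, 2)})
    return hits


if __name__ == "__main__":
    for hit in find_embedded_secrets(SAMPLE_BLOB):
        print(f"{hit['kind']:7} entropy={hit['entropy']:.2f}  {hit['string']}")
```

Run it against the real binary (`open(path, "rb").read()`) after the build and fail the pipeline on any hit; a key that survives this filter is one a user can recover with the same two-line approach.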
Page 12

Mobile Web Apps – Platform Details

• Android apps run on Java (the Dalvik VM)
• Susceptible to the ‘repackaging’ attack – decompile, add code, re-sign, redistribute
• Vulnerable to web proxy spoofing
• Allows SD cards – external storage is shared across apps, so data written there is unprotected
• But Java is a type-safe (and memory-safe) language
• The class library is well established
• A secure mobile abstraction when coded right

Page 13

Science Fiction is now…

– Automotive
• 100 million lines of code per car now
• 100+ ECUs
– Body-borne computing
• Health monitoring
• Behavior monitoring
• Vision
• Fashion
– Eyeglasses
– Nanorobotics – molecular scale

Page 14

Thank you…

[email protected]

This presentation has been brought to you by Zisher Mob::Web::Sec

In collaboration with the Ipsilon Group

Page 15

Keeping Secrets In the vast Internet of Things

Zisher Mob::Web::Sec
Ipsilon Group

Kelly Robertson

Parts Two and Three

Page 16

Secure Software Development Lifecycle

“Enemies may face off for years, only to have the outcome decided in a single day.”

Sun Tzu, The Art of War

Part Two

Page 17

Secure Software Development Lifecycle

“The totally awakened warrior can freely utilize all of the elements contained in Heaven and Earth…with enlightened wisdom and deep calm.”

Morihei Ueshiba, The Art of Peace

Vibrant and Joyful

Page 18

Secure Software Development Lifecycle

Design – Model threats
Develop – Test
Deploy – Validate
Upgrade – Patch

Education at every step of the way…
• Teach
• Coach
• Validate
• Iterate

Page 19

Developing Developers

Align with your business goals

From the Book of Five Rings:
• Empty as space
• Hard as a diamond
• Flexible as a willow in the wind
• Smooth flowing like water

Be organized, but take it easy
Two stages: Document, then Prioritize

Page 20

The Seven Pernicious Kingdoms
Taxonomy of software security errors (Tsipenyuk, Chess and McGraw; the CWE paper is in the bibliography)

• Input Validation and Representation
• API Abuse
• Security Features
• Time and State
• Errors (error handling)
• Code Quality
• Encapsulation
• plus an eighth kingdom, Environment, for everything outside the code itself

Page 21

Threat Modeling Techniques

Secure software does only its job
Top down and bottom up
Scoping attack surfaces and trust boundaries
Threat priority = Severity + Probability
• Movie plotting
• Attack trees
• S.T.R.I.D.E. – Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege

Page 26

Spoofing

Impersonation of:
• Sites
• Applications
• Users or roles
• Components
• Machines

Page 27

Tampering

Manipulation of:
• Configuration
• Files
• Databases
• Memory
• Networks or protocols

Page 28

Repudiation

Deception and denial:
• Business logic
• Logs and forensics
• Payment methods

Page 29

Information Disclosure

Leaks can happen at every layer:
• Error codes
• Obscure files or descriptive file names
• Data flow

Page 30

Denial of Service

Difficult to monetize, easier to defend than ever
• Brute force (amplified)
• Persistent (under the radar)
• Logic tripwires can alert

Page 31

Elevation of Privilege

Always a top goal
• Bugs
• Configurations
• Authentication
• Corrupted process
• Memory
• Session hijacking

Page 32

The Four Pillars of Priority

Quantified, now qualified
• Resolve it – Mitigate
• Get rid of it – Eliminate
• Deflect it – Transfer
• Live with it – Accept the risk and move on…

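The attack-tree and priority ideas from the Threat Modeling Techniques slide, carried through to the four dispositions on the slide above, as an added example that is not part of the deck: an AND/OR attack tree is evaluated for the cheapest path, each STRIDE-tagged threat is scored as severity times the probability of that path (a product rather than the slide's sum, so an impossible path scores zero), and the score is mapped to eliminate, mitigate, transfer or accept. The sample threats, the cost and probability numbers, and the score bands are assumptions made up for the example.

```python
"""Attack trees with STRIDE tags, scored into a ranked threat list."""
import math
from dataclasses import dataclass, field

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Node:
    """One node of an attack tree.  Leaves carry the attacker's cost and
    success probability; AND/OR nodes combine their children."""
    name: str
    gate: str = "LEAF"             # "LEAF", "AND" or "OR"
    cost: float = 0.0              # attacker effort for a leaf step (arbitrary units)
    probability: float = 1.0       # chance a leaf step succeeds when attempted
    children: list = field(default_factory=list)


def evaluate(node: Node) -> tuple:
    """Return (cost, probability) of the cheapest way to achieve `node`.

    AND: every child is required, so costs add and probabilities multiply.
    OR:  the attacker takes the cheapest child and inherits its probability.
    """
    if node.gate == "LEAF":
        return node.cost, node.probability
    results = [evaluate(child) for child in node.children]
    if node.gate == "AND":
        return sum(c for c, _ in results), math.prod(p for _, p in results)
    if node.gate == "OR":
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown gate {node.gate!r}")


@dataclass
class Threat:
    stride: str      # one of the STRIDE letters
    severity: int    # 1 (nuisance) .. 5 (business-ending) impact if realised
    tree: Node       # root goal of the attack tree for this threat


def priority(threat: Threat) -> float:
    """Severity weighted by the probability of the cheapest attack path."""
    _, prob = evaluate(threat.tree)
    return threat.severity * prob


def treatment(score: float) -> str:
    """Map a score to the four dispositions (bands are an assumption)."""
    if score >= 3.0:
        return "eliminate"   # redesign so the attack path no longer exists
    if score >= 1.5:
        return "mitigate"    # add a control that cuts probability or impact
    if score >= 0.5:
        return "transfer"    # insurance, contract, or a third party that owns it
    return "accept"


def rank(threats: list) -> list:
    """Order threats by priority, with cheapest-path cost and suggested disposition."""
    rows = []
    for t in threats:
        cost, prob = evaluate(t.tree)
        score = priority(t)
        rows.append({"threat": t.tree.name, "stride": STRIDE[t.stride],
                     "cost": cost, "probability": prob,
                     "priority": round(score, 2), "treatment": treatment(score)})
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


# Constructed sample threat model for a mobile web app (hypothetical numbers).
SAMPLE_THREATS = [
    Threat("S", 5, Node("Act as another user", "OR", children=[
        Node("Steal session cookie on open Wi-Fi", "AND", children=[
            Node("Sniff traffic on the access point", cost=1, probability=0.9),
            Node("Cookie sent without the Secure flag", cost=0, probability=0.5),
        ]),
        Node("Guess a session identifier", cost=8, probability=0.05),
        Node("Phish the credentials", "AND", children=[
            Node("Clone the login page", cost=3, probability=1.0),
            Node("User enters credentials", cost=2, probability=0.3),
        ]),
    ])),
    Threat("T", 4, Node("Change the price in a checkout request", cost=1, probability=0.8)),
    Threat("R", 3, Node("Delete the audit log after a fraudulent refund", cost=6, probability=0.2)),
]

if __name__ == "__main__":
    for row in rank(SAMPLE_THREATS):
        print(f"{row['priority']:>5}  {row['treatment']:9} {row['stride']:22} {row['threat']}")
```

The OR rule is the classic "cheapest attack" reading of an attack tree; fixing the cookie's Secure flag drops the cheapest spoofing path's probability to the next branch and the ranking updates without touching the rest of the model.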
Page 33

Education

Computer-based training – SCORM compliant
On-line resources – OWASP and SlideShare
Universities – more and more, but still light
Security and other vendors
Conferences
Boutique educators, specialists and authors

Page 34

Elevation of Privilege – the threat-modeling card game

M-Days

The Game:
• Awareness
• Education
• Conversation
• Strategy
• Play once a week!

Page 35

Static Code Analysis
The process of assessing code without executing it.

“No single technique is a Silver Bullet. The best that a code review can uncover is about 50% of the security problems”

Gary McGraw, Ph.D., Cigital

Page 36

SAST – The Good, The Bad and The Ugly

• Thorough, consistent analysis
• Finds the root cause much of the time
• Can catch security flaws early
• Great for checking lots of lines of code and branches

But…
• A poor signal-to-noise ratio can dull its effectiveness
• Can interrupt creativity and workflow
• Can’t analyze architectural problems

And…
• Algorithms cannot completely analyze algorithms (in general, program properties are undecidable)
• Writing language parsers is hard – dialects make it worse

Page 37

Static Code Analysis – What to look for…

• Alignment with workflow, creativity, culture
• Ultimate cost savings and revenue generation
• Source code versus compiled code
• Simultaneous analysis, multi-branch, multiple languages
• Dependency injection
• Configuration files
• Service-oriented architecture (SOA)
• Trade-off between speed and depth/accuracy
• Can code be developed while under analysis?

Page 38

Static Code Analysis – What to do with the output…

• Must be vetted by a human analyst
– Bug filing, reporting, taint analysis, training
• A compliance officer can be very helpful
• Most effective and least costly during development
• Should drive education, training and coaching

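What the static-analysis slides describe, shown in working code as an added example (not the deck's code and not any vendor's tool): a minimal intra-procedural taint checker over Python's `ast` module that follows data from sources (request parameters, `input`) through assignments and string building into sinks (`os.system`, `cursor.execute`, `eval`), clearing taint at known sanitizers. The source, sink and sanitizer tables and the sample module it analyzes are constructed for the example. It deliberately over-approximates (any call with a tainted argument returns taint), which is where the "signal to noise" problem on the SAST slide comes from and why the output still needs a human analyst.

```python
"""A tiny taint checker: static analysis of Python source without executing it."""
import ast

# Constructed tables for the example; a real tool ships thousands of entries.
SOURCES = {"request.args.get", "request.form.get", "input"}
SANITIZERS = {"shlex.quote", "int", "html.escape"}
SINKS = {"os.system": 0, "subprocess.call": 0, "eval": 0, "cursor.execute": 0}  # name -> argument index


def dotted(node) -> str:
    """Render a call target such as `request.args.get` as a dotted string, or None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintChecker(ast.NodeVisitor):
    """Flow-insensitive, per-function taint tracking over variable names."""

    def __init__(self):
        self.findings = []        # (line, sink name)
        self.tainted = set()      # variable names currently carrying attacker data

    def is_tainted(self, node) -> bool:
        """Taint propagates through names, calls, concatenation and f-strings."""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False
            # Over-approximation: any other call passes taint through (e.g. str.format).
            return any(self.is_tainted(arg) for arg in node.args)
        if isinstance(node, ast.BinOp):
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_FunctionDef(self, node):
        self.tainted = set()      # intra-procedural: fresh state per function
        self.generic_visit(node)

    def visit_Assign(self, node):
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if self.is_tainted(node.value):
            self.tainted.update(names)
        else:
            self.tainted.difference_update(names)   # reassignment with clean data
        self.generic_visit(node)

    def visit_AugAssign(self, node):
        if isinstance(node.target, ast.Name) and self.is_tainted(node.value):
            self.tainted.add(node.target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted(node.func)
        if name in SINKS:
            idx = SINKS[name]
            if idx < len(node.args) and self.is_tainted(node.args[idx]):
                self.findings.append((node.lineno, name))
        self.generic_visit(node)


def check(source: str) -> list:
    """Parse `source` and return (line, sink) pairs where tainted data reaches a sink."""
    checker = TaintChecker()
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed sample module: two vulnerable functions and their fixed forms.
SAMPLE = '''\
import os
import shlex

def ping(request):
    host = request.args.get("host")
    os.system("ping -c 1 " + host)

def safe_ping(request):
    host = shlex.quote(request.args.get("host"))
    os.system("ping -c 1 " + host)

def lookup(cursor, request):
    uid = request.args.get("id")
    query = "SELECT * FROM users WHERE id = " + uid
    cursor.execute(query)

def lookup_ok(cursor, request):
    uid = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))
'''

if __name__ == "__main__":
    for line, sink in check(SAMPLE):
        print(f"line {line}: attacker-controlled data reaches {sink}")
```

The parameterised query in `lookup_ok` is accepted because only the statement argument of `execute` is a sink; the sanitizer table is what keeps `safe_ping` quiet. Both tables are exactly the kind of per-codebase tuning the "what to do with the output" slide assigns to a human analyst.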
Page 39

Call-to-Action – Institutional

Integrate a Web Application Firewall into the SDLC

• The WAF in this case is a network-based proxy
• Usually an appliance, but can be cloud-based or software
• PCI DSS (requirement 6.6) accepts a WAF as an alternative to reviewing the application code for vulnerabilities
• Often run by network engineers or network security practitioners, not developers

Part Three

Page 40

WAF – The Good, The Bad and The Ugly

• Only traffic that looks legitimate reaches the web app
• Reconnaissance, application behavior and forensics
• Excellent for compliance and information assurance

But…
• Legitimate-looking traffic can still be malicious
• Susceptible to protocol-level evasions of many types and classes (encodings, comment and whitespace tricks, parser differences between the WAF and the back end)
• Automated vulnerability scanning alone is not enough
• Manual analysis is required to ensure accuracy
• APT and business-logic attacks often require human intervention

And…
• Continuous and accurate tuning is hard

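The "protocol-level evasions" and "legitimate traffic can be malicious" points on the slide above, made concrete in an added example that is not from the deck or any WAF vendor: a naive signature filter that matches raw bytes is run beside one that first normalises the request the way the back end will (repeated percent-decoding, `+` to space, inline-comment and whitespace collapsing). The signatures and the sample requests are constructed for the example; the business-logic case shows what no signature sees, and the last case shows the false positive that makes tuning hard.

```python
"""Naive versus normalising WAF signature matching over constructed requests."""
import re
import urllib.parse

# Constructed signature set (real rule sets are far larger).
SIGNATURES = [
    re.compile(r"union\s+select", re.I),
    re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
    re.compile(r"<script\b", re.I),
    re.compile(r"\.\./"),
]


def naive_waf(raw_query: str) -> bool:
    """Block only if a signature matches the bytes exactly as they arrived."""
    return any(sig.search(raw_query) for sig in SIGNATURES)


def normalise(raw: str) -> str:
    """Canonicalise the query the way the application stack will before it acts.

    Percent-decode repeatedly (double/triple encoding), turn '+' into space,
    drop NUL bytes, treat SQL inline comments as whitespace, collapse runs of
    whitespace.  The WAF must see what the back end sees, not what the wire sees.
    """
    s = raw
    for _ in range(3):
        decoded = urllib.parse.unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = s.replace("\x00", "")
    s = re.sub(r"/\*.*?\*/", " ", s)
    s = re.sub(r"\s+", " ", s)
    return s


def normalising_waf(raw_query: str) -> bool:
    """Block if a signature matches the canonical form of the request."""
    return any(sig.search(normalise(raw_query)) for sig in SIGNATURES)


# Constructed requests: (label, raw query string).
SAMPLE_REQUESTS = [
    ("plain injection",        "id=1' OR 1=1--"),
    ("url-encoded",            "id=1%27%20OR%201%3D1--"),
    ("double-encoded",         "id=1%2527%2520OR%25201%253D1--"),
    ("comment-separated",      "id=1'/**/OR/**/1=1"),
    ("business-logic abuse",   "amount=-100&to=mule"),      # no signature can see this
    ("legitimate search text", "q=how+to+union+select+in+sql"),  # false positive once normalised
]


def run(requests=SAMPLE_REQUESTS) -> list:
    """Return, per request, what each filter decides."""
    return [{"label": label, "naive": naive_waf(q), "normalising": normalising_waf(q)}
            for label, q in requests]


if __name__ == "__main__":
    for row in run():
        print(f"{row['label']:24} naive={row['naive']!s:5} normalising={row['normalising']!s:5}")
```

Four of the six injection variants slip past the raw-byte filter and are caught after normalisation; the negative transfer amount passes both, which is the business-logic gap the slide assigns to human review, and the innocent search query is blocked only by the better filter, which is the tuning cost.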
Page 41

Call-to-Action – Institutional

Employ Mobile Device Management
• Data containers
• Blacklisting
• Remote wipe
• Find a device
• Secure provisioning
• Corporate app store
• Compliance reporting
• Jailbreak detection
• Patch management
• Crypto libraries
• Authentication
• CA integration
• Firewall
• Anti-virus

Page 42

MDM – The Good, The Bad and The Ugly

• MDM evolved from mobile network operators
• Agent-based with a control server
• Audit for compliance
• Provisioning is key, including bricking and wiping

But…
• BYOD means anything goes
• Users are a very big problem

And…
• Capabilities vary wildly between vendors
• User behavior is usually tracked

Page 43

Call-to-Action – Personally, what can you do for yourself?

Choose the source of your application carefully
Question the app’s need to share location/contacts
Why does this app want to log in with Facebook et al.?
Don’t: “Keep me logged in” or “Remember me”
Don’t save passwords
Do: use a secure browser – WhiteHat Aviator
Don’t click on the dancing pig…

Page 44

Click on the Dancing Pig!

"The applet DANCING PIGS could contain malicious code that might do permanent damage to your computer, steal your life's savings, and impair your ability to have children.”

Page 45

Thank you…

[email protected]

Page 46

Bibliography
• Secure Programming with Static Analysis – Chess and West
• The Tangled Web: A Guide to Securing Modern Web Applications – Michal Zalewski
• Threat Modeling: Designing for Security – Adam Shostack
• Hacking Exposed Mobile – Bergman, Stanfield, Rouse, Scambray
• Application Security for the Android Platform – Jeff Six
• Hacking and Securing iOS Applications – Jonathan Zdziarski
• Mobile Application Security – Dwivedi, Clark, Thiel
• The Art of War – Sun Tzu
• The Art of Peace – Morihei Ueshiba
• The Book of Five Rings – Miyamoto Musashi
• Chinese Industrial Espionage: Technology Acquisition and Military Modernisation – Hannas, Mulvenon, Puglisi

Page 47

Bibliography – Web page 1

• http://users.ece.cmu.edu taint-analysis-overview.pdf
• http://blogs.wsj.com 5-ways-hackers-exploit-our-bad-byod-habits
• http://www.gartner.com/technology/reprints.do?id=1-1FRVS5W&ct=130524&st=sb
• http://www.pcmag.com/article2/0,2817,2455172,00.asp
• Hpenterprisesecurity.com

Page 48

Bibliography – Web page 2

• http://techcrunch.com/2014/02/19/facebooks-whatsapp-acquisition-snapchat/
• http://www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab-Uncovers-The-Mask-One-of-the-Most-Advanced-Global-Cyber-espionage-Operations-to-Date-Due-to-the-Complexity-of-the-Toolset-Used-by-the-Attackers
• https://sites.google.com/site/droidful/android-and-java
• https://sites.google.com/site/droidful/developm/android-sdk
• http://androidforums.com/nexus-7-2013/831394-art-vs-dalvik.html
• https://www.google.com/search?client=safari&rls=en&q=android+repackaging+hacks&ie=UTF-8&oe=UTF-8

Page 49

Bibliography – Web page 3

• http://www.slideshare.net/DefCamp/defcamp-2013-android-hacking-techniques
• http://www.xyu.io/2013/07/proxies-ip-spoofing/
• http://www.bbc.com/news/technology-27703318 (ransomware article for SD cards on Android)
• http://stackoverflow.com/questions/260626/what-is-type-safe
• http://en.wikipedia.org/wiki/Java_Class_Library
• http://docs.oracle.com/javase/7/docs/api/java/security/package-summary.html
• http://en.softonic.com/s/mobile-security-software:java
• http://www.amazon.com/Oracle-Secure-Standard-Software-Engineering/dp/0321803957

Page 50

Bibliography – Web page 4

• http://www.sans.org/course/secure-coding-java-jee-developing-defensible-applications#results
• http://www.sans.org/top25-software-errors/
• http://spectrum.ieee.org/transportation/systems/this-car-runs-on-code
• http://link.springer.com/article/10.1023/A:1021152023349 (articles on nanotechnology)
• https://cwe.mitre.org/documents/sources/SevenPerniciousKingdoms.pdf
• http://en.wikipedia.org/wiki/Movie_plot_threat
• http://msdn.microsoft.com/en-us/magazine/cc163519.aspx
• http://stackoverflow.com/questions/3334578/what-is-dependency-injection
• http://www.amazon.com/Service-Oriented-Architecture-Dummies-Edition/dp/0470376848/

Page 51

Bibliography – Web page 5

• http://www.se-radio.net (outstanding codecasts)
• http://stackoverflow.com/questions/2026523/what-is-soa-in-plain-english
• http://searchsoa.techtarget.com/definition/service-oriented-architecture
• http://en.wikipedia.org/wiki/Taint_checking
• http://krebsonsecurity.com/2014/05/complexity-as-the-enemy-of-security/comment-page-1/
• http://www.bankinfosecurity.com/disagreement-on-target-breach-cause-a-6491/op-1
• https://corporate.target.com/about/shopping-experience/payment-card-issue-FAQ.aspx#q5874
• http://www.nytimes.com/2014/02/27/business/target-reports-on-fourth-quarter-earnings.html?_r=0