Have you ever wondered why our web apps, and mobile web apps in particular, are hard to secure? Be sure to read the speaker's notes in this presentation. In this lengthy presentation, you will observe where researchers and hackers corrupt the developer's intentions; then you will look at the Good, the Bad and the Ugly of Secure Software Development, WAF considerations, and Mobile Device Management.
Keeping Secrets
In the vast Internet of Things
Zisher Mob::Web::Sec
Ipsilon Group
Kelly Robertson
Agenda
M-Days
Part One
• What are the stakes today?
• We are vulnerable and dependent
• Current InfoSec cannot reach the New Reality
• Motivations for mis-trust
• As the world turns…
Part Two
• Software Development – Secure by Design
Part Three
• Solutions for organizations and end users
The sun rises and sets the same on the Good and the Bad
• Brightest Flashlight Free
• Jekyll on iOS
• Pinskimmer
• FireSheep and Faceniff
Part One
The Heartbleed Bug
• SSL/TLS is used for email, banking, e-commerce and privacy throughout the Internet
• Attackers could eavesdrop on communications, steal identities and data
• Leave-no-trace, long exposure, ease-of-exploit
SnapChat
• 4.6 Million usernames and phone numbers
• Anonymous posted this information and said:
“You are downloading 4.6 million users’ phone number information, along with their usernames. People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with.”
PlaceRaider
• Very Scary Smartphone Malware
• US Naval Surface Warfare Center and University of Indiana
• An Android app that secretly records and reconstructs a user’s environment as a 3D virtual model
The Mask
• 380+ Targets in 31 countries over 7 years
• One of the most sophisticated attacks ever
• Intercepts network traffic, Skype, PGP Keys, Wi-Fi traffic, keystrokes, screen captures, encryption keys, and more
• Three separate backdoors in Win 32/64 + Mac OS using sophisticated Malware, a bootkit and a rootkit
• The iPad and Android versions are very difficult to trace:
  Date: Wed, 15 May 2013 23:34:01 +0000
  Remote IP Address: 200.x.x.x
  ** User Agent
  Browser User Agent String:
  Browser Name: iPad
Information Security Today
• Encryption
• Authentication
• DNSsec
• VPN
• SoftToken
• Anti-virus
• Anti-Malware
• Biometrics
• NG Firewalls
• Intrusion Detection
• Threat Feeds
• Manned SOCs
• Forensics
• And so forth…
Mobile Web Apps
• Porous trust boundaries
  – Inherit trust/data from other components
• App store curator, Operating Systems and APIs
• Physically vulnerable to booted-rooted attack
• Lots of sensors and sensitive user data
• User’s unwarranted trust
• Client server paradigm – no control from server
• Bluetooth, Baseband, Wi-Fi, RF “always on”
• Jailbroken or rooted phones subvert controls
Mobile Web Apps Platform Details
• iOS apps run on Objective C
  – Hybrid C++ and a message parser
  – Introduces data leakage vulnerability
  – Special ‘extractors’ can harvest logic and class declarations – details that hackers exploit
  – The end user can decompile an app for symmetric keys – a component of secure transactions
  – Anti-tamper, use C++ wherever possible and generic declarations can mitigate much
Mobile Web Apps Platform Details
• Android runs on Java and Dalvik
• Susceptible to ‘repackaging’ exploit
• Vulnerable to web proxy spoofing
• Allows SD cards
• But, Java is a type-safe language
• Class library is well-established
• Secure mobile abstraction when coded right
– Automotive
  • 100 million lines of code per car now
  • 100 + ECUs
– Body-borne computing
  • Health monitoring
  • Behavior monitoring
  • Vision
  • Fashion
– Eyeglasses
– Nanorobotics – molecular scale
Science Fiction is now…
Thank you…
This presentation has been brought to you by Zisher Mob::Web::Sec
In collaboration with the Ipsilon Group
Keeping Secrets
In the vast Internet of Things
Zisher Mob::Web::Sec
Ipsilon Group
Kelly Robertson
Part Two
And Three
Secure Software Development LifeCycle
“Enemies may face off for years, only to have the outcome decided in a single day.”
Sun Tzu
The Art of War
Part Two
Secure Software Development LifeCycle
“The totally awakened warrior can freely utilize all of the elements contained in Heaven and Earth…with enlightened wisdom and deep calm.”
Morihei Ueshiba
The Art of Peace
Vibrant and Joyful
Secure Software Development LifeCycle
Design – Model Threats
Develop – Test
Deploy – Validate
Upgrade – Patch
Education at every step of the way…
• Teach
• Coach
• Validate
• Iterate
Developing Developers
Align with your business goals
From the Book of Five Rings:
• Empty as space
• Hard as a diamond
• Flexible as a willow in the wind
• Smooth flowing like water
Be organized, but take it easy
Two stages: Document, then Prioritize
The Seven Pernicious Kingdoms
Taxonomy of SW Security Errors
OWASP
• Input validation and response
• API Abuse
• Security Features
• Time and State
• Error Handling
• Code Quality
• Encapsulation
Threat Modeling Techniques
Scoping attack surfaces and trust boundaries
Secure software does only its job
Top down and bottom up
Threat priority = Severity + Probability
• Movie Plotting
• Attack Trees
• S.T.R.I.D.E.
  – Spoofing, Tampering, Repudiation, InfoLeak, Denial of Service and Elevation of Privilege
Spoofing
Impersonation:
• Sites
• Applications
• Users or Roles
• Components
• Machines
Tampering
Manipulation
• Configuration
• Files
• Databases
• Memory
• Networks or protocols
Repudiation
Deception and Denial
• Business logic
• Logs and forensics
• Payment methods
Information Disclosure
Leaks can happen at every layer
• Error codes
• Obscure files or descriptive file names
• Data flow
Denial of Service
Difficult to monetize, easier to defend than ever
• Brute force (amplified)
• Persistent (under the radar)
• Logic tripwires can alert
Elevation of Privilege
Always a top goal
• Bugs
• Configurations
• Authentication
• Corrupted process
• Memory
• Session hijacking
The Four Pillars of Priority
Quantified, now qualified
• Resolve it - Mitigate
• Get rid of it - Eliminate
• Deflect it - Transfer
• Live with it - Accept the risk and move on…
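The threat-modeling slides give a procedure (scope the trust boundaries and data flows, enumerate S.T.R.I.D.E. threats, rank each by Severity + Probability, then choose one of the Four Pillars for every threat). The script below carries that procedure through for a small mobile-web-app model. It is an added example, not material from the deck: the element-to-STRIDE mapping is the STRIDE-per-element table from Shostack's Threat Modeling (cited in the bibliography); the sample elements, the 1–5 scores, the plan and the risk-acceptance ceiling are all constructed for the demonstration.

```python
"""Scope elements -> enumerate STRIDE per element -> rank by Severity + Probability
-> record a Four Pillars disposition and check the plan. Added example, not from the deck.
Element-kind-to-STRIDE mapping follows Shostack's STRIDE-per-element table; the sample
model, scores and acceptance ceiling are constructed."""
from dataclasses import dataclass

STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information Disclosure", "D": "Denial of Service",
                "E": "Elevation of Privilege"}

# STRIDE-per-element: which categories apply to each kind of data-flow-diagram element.
# Repudiation applies to a data store only when it holds logs or audit data.
STRIDE_PER_ELEMENT = {"external_entity": "SR", "process": "STRIDE",
                      "data_flow": "TID", "data_store": "TRID"}

PILLARS = {"Mitigate", "Eliminate", "Transfer", "Accept"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    holds_logs: bool = False


@dataclass(frozen=True)
class Threat:
    element: str
    category: str      # one STRIDE letter
    severity: int      # 1 (minor) .. 5 (critical)
    probability: int   # 1 (rare)  .. 5 (expected)

    @property
    def priority(self) -> int:
        return self.severity + self.probability   # the deck's rule


def enumerate_threats(elements, scores, default=(2, 2)):
    """Apply STRIDE-per-element to every scoped element.
    `scores` maps (element name, letter) -> (severity, probability); unscored pairs get `default`."""
    threats = []
    for el in elements:
        letters = STRIDE_PER_ELEMENT[el.kind]
        if el.kind == "data_store" and not el.holds_logs:
            letters = letters.replace("R", "")
        for letter in letters:
            sev, prob = scores.get((el.name, letter), default)
            threats.append(Threat(el.name, letter, sev, prob))
    return threats


def rank(threats):
    """Highest priority first; ties broken by element and category for stable output."""
    return sorted(threats, key=lambda t: (-t.priority, t.element, t.category))


def review_plan(threats, plan, accept_ceiling=5):
    """Every threat needs a disposition, and 'Accept' is only allowed up to the agreed ceiling."""
    problems = []
    for t in threats:
        choice = plan.get((t.element, t.category))
        if choice not in PILLARS:
            problems.append((t, "no disposition recorded"))
        elif choice == "Accept" and t.priority > accept_ceiling:
            problems.append((t, f"accepted at priority {t.priority} > {accept_ceiling}"))
    return problems


# Constructed sample model: a mobile web app talking to an API over HTTPS.
ELEMENTS = [Element("User", "external_entity"),
            Element("Mobile App", "process"),
            Element("API Server", "process"),
            Element("App->API (HTTPS)", "data_flow"),
            Element("User DB", "data_store"),
            Element("Audit Log", "data_store", holds_logs=True)]

# Constructed scores from a review session; everything else defaults to (2, 2).
SCORES = {("User DB", "I"): (5, 4),            # bulk PII leak
          ("API Server", "E"): (5, 3),         # server-side privilege escalation
          ("Mobile App", "T"): (4, 4),         # repackaged / tampered client
          ("App->API (HTTPS)", "I"): (4, 2)}   # TLS misconfiguration

# Constructed plan with two deliberate mistakes for review_plan to catch.
PLAN = {(t.element, t.category): "Mitigate" for t in enumerate_threats(ELEMENTS, SCORES)}
PLAN[("User", "R")] = "Accept"          # priority 4: within the ceiling, fine
PLAN[("API Server", "E")] = "Accept"    # priority 8: flagged
del PLAN[("Audit Log", "R")]            # forgotten: flagged


def top_threats(n=3):
    return [(t.element, STRIDE_NAMES[t.category], t.priority)
            for t in rank(enumerate_threats(ELEMENTS, SCORES))[:n]]


if __name__ == "__main__":
    for row in top_threats():
        print(row)
    for threat, why in review_plan(enumerate_threats(ELEMENTS, SCORES), PLAN):
        print(f"{threat.element} / {STRIDE_NAMES[threat.category]}: {why}")
```

The two-stage split the deck recommends (Document, then Prioritize) shows up as two functions: enumeration produces the full, unranked list so nothing is silently skipped, and only afterwards does ranking and the plan review decide where effort goes. The acceptance ceiling is the point where "Live with it" needs a signature rather than a shrug.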
Education
Computer based training – SCORM compliant
On-line resources – OWASP and SlideShare
Universities – more and more, but still light
Security and other Vendors
Conferences
Boutique Educators, Specialists and Authors
Elevation of Privilege
M-Days
The Game:
• Awareness
• Education
• Conversation
• Strategy
• Play once a week!
Static Code Analysis
The process of assessing code without executing it.
“No single technique is a Silver Bullet. The best that a code review can uncover is about 50% of the security problems”
Gary McGraw, Ph.D
Cigital
SAST
The Good, The Bad and The Ugly
• Thorough, consistent analysis
• Finds root cause much of the time
• Can catch security flaws early
• Great for checking lots of lines of code and branches
But…
• Signal to noise ratio can dull the effectiveness
• Can interrupt creativity and workflow
• Can’t analyze architectural problems
And…
• Algorithms cannot completely analyze algorithms
• Writing for language parsers is hard – dialects make it worse
Static Code Analysis
What to look for…
• Alignment with workflow, creativity, culture
• Ultimate cost savings and revenue generation
• Source code versus compiled code
• Simultaneous analysis, multi-branch, languages
• Dependency injection
• Configuration files
• Service-oriented architecture (SOA)
• Trade off between speed and depth/accuracy
• Can code be developed while under analysis?
Static Code Analysis
What to do with the output…
• Must be vetted by a human analyst
  – Bug filing, reporting, taint analysis, training
• Compliance officer can be very helpful
• Most effective and least costly during development
• Should drive education, training and coaching
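To make the static-analysis slides concrete, and the earlier warning that an end user can decompile an app and recover embedded symmetric keys, here is a miniature analyser that inspects Python source without executing it. It is an added example written for this page, not a tool from the deck or from any SAST vendor, and it performs the two checks the slides name: taint analysis (untrusted data reaching a dangerous sink without passing through a sanitizer) and a hard-coded-secret check. The source, sink and sanitizer names, the secret-name heuristics and the sample program are all constructed for the demonstration.

```python
"""A miniature SAST pass over Python source using the ast module: taint tracking from
untrusted sources to dangerous sinks, plus a hard-coded-secret check. Added example, not
from the deck. Source/sink/sanitizer lists and the sample program are constructed."""
import ast

SOURCES = {"input", "request_param"}               # calls that return untrusted data (constructed)
SINKS = {"os.system", "subprocess.call", "cursor.execute"}
SANITIZERS = {"shlex.quote", "int"}               # calls whose result is considered clean
SECRET_NAMES = ("key", "secret", "password", "token")
MIN_SECRET_LEN = 16


def dotted(node):
    """Render a call target such as os.system as 'os.system'; None if it is not a plain name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class Analyzer(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names currently holding untrusted data
        self.findings = []     # (line, rule, message)

    def is_tainted(self, node):
        """Conservative: an expression is tainted if any sub-expression is a tainted name or a
        source call, unless the expression itself is a sanitizer call."""
        if isinstance(node, ast.Call) and dotted(node.func) in SANITIZERS:
            return False
        if isinstance(node, ast.Call) and dotted(node.func) in SOURCES:
            return True
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        return any(self.is_tainted(child) for child in ast.iter_child_nodes(node))

    def visit_Assign(self, node):
        for target in node.targets:
            if not isinstance(target, ast.Name):
                continue
            if self.is_tainted(node.value):
                self.tainted.add(target.id)
            else:
                self.tainted.discard(target.id)      # overwritten with clean data
            value = node.value
            if (isinstance(value, ast.Constant) and isinstance(value.value, str)
                    and len(value.value) >= MIN_SECRET_LEN
                    and any(w in target.id.lower() for w in SECRET_NAMES)):
                self.findings.append((node.lineno, "HARDCODED_SECRET",
                                      f"'{target.id}' is assigned a string literal"))
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted(node.func)
        if name in SINKS and any(self.is_tainted(arg) for arg in node.args):
            self.findings.append((node.lineno, "TAINTED_SINK", f"untrusted data reaches {name}()"))
        self.generic_visit(node)


def analyze(source: str):
    """Parse the source (never executed) and return findings sorted by line."""
    analyzer = Analyzer()
    analyzer.visit(ast.parse(source))
    return sorted(analyzer.findings)


# Constructed sample program; the key value is a placeholder, not a real credential.
SAMPLE = '''
import os, shlex
API_KEY = "CHANGE-ME-placeholder-key-0123456789"
name = input("name? ")
os.system("echo " + name)
safe = shlex.quote(name)
os.system("echo " + safe)
count = int(request_param("count"))
cursor.execute("SELECT * FROM t LIMIT " + str(count))
cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
'''

if __name__ == "__main__":
    for line, rule, message in analyze(SAMPLE):
        print(f"line {line}: {rule}: {message}")
```

The sample yields three findings (the literal key on line 3 and the two sinks fed by `name` on lines 5 and 10) and correctly stays quiet on the `shlex.quote` and `int()` paths. The signal-to-noise point from the slide is visible in `is_tainted`: treating any tainted sub-expression as tainting the whole value is what keeps the analysis simple and sound, and it is also why such tools report `os.system("echo " + str(len(name)))`, which is why the output still has to be vetted by a human analyst.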
Call-to-Action
Institutional
Integrate a Web Application Firewall into the SDLC
• WAF in this case is a network-based proxy
• Usually an appliance but can be Cloud or SW
• PCI standards considered WAF as an acceptable alternative to securing the code
• Often run by network engineers or network security practitioners, not developers
Part Three
WAF
The Good, The Bad and The Ugly
• Web apps are accessed by legitimate traffic only
• Reconnaissance, application behavior and forensics
• Excellent for compliance and information assurance
But…
• Legitimate traffic can be malicious
• Susceptible to protocol-level evasions of many types and classes
• Automated vulnerability scanning alone is not enough
• Manual analysis is required to ensure accuracy
• APT and Business Logic often require human intervention
And…
• Continuous & accurate tuning is hard
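The "protocol-level evasions" bullet deserves a worked illustration of what the WAF side has to get right: the same request can be written many ways at the HTTP layer, and a rule applied to the raw bytes never sees the form the application will actually decode. The script below is an added example for this page, not code from the deck or from any WAF product; the two detection rules, the bounded-decoding canonicalizer and the sample request lines are all constructed.

```python
"""Canonicalize before inspecting: decode the request target (bounded), normalize separators
and case, then run the rules. Added example, not from the deck or any WAF product. The rules
and sample requests are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed rule set; each rule runs on the canonical form of a path or query value.
RULES = [
    ("path_traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("sql_tautology", re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE)),
]
MAX_DECODE_ROUNDS = 3


def canonicalize(raw: str):
    """Percent-decode until the value stops changing (bounded, so nested encodings cannot
    stall the proxy), fold backslashes to slashes, collapse '//' and lowercase.
    Returns (canonical value, decode rounds needed)."""
    value, rounds = raw, 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    value = re.sub(r"/{2,}", "/", value.replace("\\", "/"))
    return value.lower(), rounds


def inspect_request(request_line: str):
    """Split 'GET /path?k=v HTTP/1.1' into path and query values, canonicalize each, and
    return [(rule, where, decode_rounds)] for every rule that fires."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    fields = [("path", parts.path)]
    fields += [(f"query:{k}", v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    hits = []
    for where, raw in fields:
        canonical, rounds = canonicalize(raw)
        for name, pattern in RULES:
            if pattern.search(canonical):
                hits.append((name, where, rounds))
    return hits


def naive_inspect(request_line: str):
    """What a rule applied to the undecoded request target sees."""
    target = request_line.split(" ", 2)[1]
    return [name for name, pattern in RULES if pattern.search(target)]


# Constructed sample traffic (request lines only).
SAMPLE_REQUESTS = [
    "GET /images/logo.png HTTP/1.1",                          # benign
    "GET /static/%252e%252e%252fconfig.ini HTTP/1.1",         # double-encoded traversal
    "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1",  # encoded tautology in a query value
    "GET /docs/release..notes.txt HTTP/1.1",                  # benign: '..' inside a filename
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line)
        print("  raw bytes :", naive_inspect(line))
        print("  canonical :", inspect_request(line))
```

Against the sample traffic the raw-byte rules match nothing, while the canonical pass flags the traversal (after two decode rounds) and the query tautology, and leaves both benign lines alone. The decode-round count is worth keeping as a log field of its own: a request that only becomes readable after two or three rounds of decoding is itself a signal, and that is the kind of evidence the "reconnaissance and forensics" bullet depends on. Tuning, as the slide says, is the hard part; the `release..notes.txt` line is there to show how the traversal rule has to be anchored to path separators to avoid a false positive.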
Call-to-Action
Institutional
Employ Mobile Device Management
• Data containers
• Black listing
• Remote wipe
• Find a device
• Secure provisioning
• Corporate app store
• Compliance reporting
• Jailbreak detection
• Patch management
• Crypto libraries
• Authentication
• CA integration
• Firewall
• Anti-virus
MDM
The Good, The Bad and The Ugly
• MDM evolved from mobile network operators
• Agent-based with a control server
• Audit for compliance
• Provisioning is key, including bricking, wiping
But…
• BYOD means anything goes
• Users are a very big problem
And…
• Variances between vendors are wildly different
• User behavior is usually tracked
Call-to-Action
Personally, what can you do for yourself?
Choose the source of your application carefully
Question the app’s need to share location/contact
Why does this app want to login with FB, et al.?
Don’t: Keep me logged in OR remember me
Don’t save passwords
Do: use a secure browser – WhiteHat Aviator
Don’t click on the dancing pig…
Click on the Dancing Pig!
"The applet DANCING PIGS could contain malicious code that might do permanent damage to your computer, steal your life's savings, and impair your ability to have children.”
Thank you…
This presentation has been brought to you by Zisher Mob::Web::Sec
In collaboration with the Ipsilon Group
Bibliography
• Secure Programming with Static Analysis – Chess and West
• The Tangled Web - A guide to securing modern web applications – Michal Zalewski
• Threat Modeling – Designing for Security – Adam Shostack
• Mobile Hacking Exposed – Bergman, Stanfield, Rouse, Scambray
• Application Security for the Android Platform – Jeff Six
• Hacking and Securing iOS Applications – Jonathan Zdziarski
• Mobile Application Security – Dwivedi, Clark, Thiel
• The Art of War – Sun Tzu
• The Art of Peace – Morihei Ueshiba
• The Book of Five Rings - Miyamoto Musashi
• Chinese Industrial Espionage: Technology Acquisition and Military Modernisation – Hannas, Mulvenon, Puglisi
Bibliography – Web page 1
• http://users.ece.cmu.edu taint-analysis-overview.pdf
• http://blogs.wsj.com 5-ways-hackers-exploit-our-bad-byod-habits
• http://www.gartner.com/technology/reprints.do?id=1-1FRVS5W&ct=130524&st=sb
• http://www.pcmag.com/article2/0,2817,2455172,00.asp
• Hpenterprisesecurity.com
Bibliography – Web page 2
• http://techcrunch.com/2014/02/19/facebooks-whatsapp-acquisition-snapchat/
• http://www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab-Uncovers-The-Mask-One-of-the-Most-Advanced-Global-Cyber-espionage-Operations-to-Date-Due-to-the-Complexity-of-the-Toolset-Used-by-the-Attackers
• https://sites.google.com/site/droidful/android-and-java
• https://sites.google.com/site/droidful/developm/android-sdk
• http://androidforums.com/nexus-7-2013/831394-art-vs-dalvik.html
• https://www.google.com/search?client=safari&rls=en&q=android+repackaging+hacks&ie=UTF-8&oe=UTF-8
Bibliography – Web page 3
• http://www.slideshare.net/DefCamp/defcamp-2013-android-hacking-techniques
• http://www.xyu.io/2013/07/proxies-ip-spoofing/
• http://www.bbc.com/news/technology-27703318 – ransomware article for SD cards on Android
• http://stackoverflow.com/questions/260626/what-is-type-safe
• http://en.wikipedia.org/wiki/Java_Class_Library
• http://docs.oracle.com/javase/7/docs/api/java/security/package-summary.html
• http://en.softonic.com/s/mobile-security-software:java
• http://www.amazon.com/Oracle-Secure-Standard-Software-Engineering/dp/0321803957
Bibliography – Web page 4
• http://www.sans.org/course/secure-coding-java-jee-developing-defensible-applications#results
• http://www.sans.org/top25-software-errors/
• http://spectrum.ieee.org/transportation/systems/this-car-runs-on-code
• http://link.springer.com/article/10.1023/A:1021152023349 – cool articles on nano technology
• https://cwe.mitre.org/documents/sources/SevenPerniciousKingdoms.pdf
• http://en.wikipedia.org/wiki/Movie_plot_threat
• http://msdn.microsoft.com/en-us/magazine/cc163519.aspx
• http://stackoverflow.com/questions/3334578/what-is-dependency-injection
• http://www.amazon.com/Service-Oriented-Architecture-Dummies-Edition/dp/0470376848/
Bibliography – Web page 5
• http://www.se-radio.net – outstanding codecasts
• http://stackoverflow.com/questions/2026523/what-is-soa-in-plain-english
• http://searchsoa.techtarget.com/definition/service-oriented-architecture
• http://en.wikipedia.org/wiki/Taint_checking
• http://krebsonsecurity.com/2014/05/complexity-as-the-enemy-of-security/comment-page-1/
• http://www.bankinfosecurity.com/disagreement-on-target-breach-cause-a-6491/op-1
• https://corporate.target.com/about/shopping-experience/payment-card-issue-FAQ.aspx#q5874
• http://www.nytimes.com/2014/02/27/business/target-reports-on-fourth-quarter-earnings.html?_r=0