Hacker guide to Adobe Flash Security

If you're an Adobe Flash or Flex developer looking to build secure, hard-to-break solutions, this WebiTalk is a must!
App developers, game developers, website developers: don't miss the opportunity to learn how to build secure Flash & Flex applications and deliver a secure experience for your customers.

Published in: Technology
Hacker guide to Adobe Flash Security
The open doors and the right locks
Lecturer: Lior Bruder
lior@11sheep.com

What's on the menu
  • Security introduction
  • Flash VM
  • Network security
  • Memory protection
  • Attack servers

Attacker experience: Beginner
  • Doesn't have a lot of system and technical knowledge
  • Uses ready-made tools
  • Can do a lot of damage but…
  • Can be easily tracked

Attacker experience: Advanced
  • Uses and creates scripts
  • Basic knowledge of OS and network
  • Searches and shares information (blogs, forums, etc.)

Attacker experience: Expert
  • Good programmer, creates his own special tools
  • Strong knowledge of IT systems, OS, AI, PBX, network, legal issues
  • Wide range of resources (servers, sniffers, etc.)
  • Hard to detect

Hacking types
  • Man in the middle
  • Changing the rules of the game/app
  • Breaking into the victim's computer
  • Breaking into the remote server

Hacking types
  • Listening on the network (cloud)
  [diagram labels: Hacker, Server, User]

Flash VM (1)
  [diagram slide]

Flash VM (2)
  [diagram slide]

SWF file structure
  • Every SWF file is open source

Demonstrations
  • Decompiling a SWF file
  • Obfuscating a SWF file

So, how to secure your SWF?
  • Put logic on the server
  • Code obfuscation
  • Do not hardcode

Network layers
  [diagram slide]

Packet sniffing
  • HTTPFox (layers 6-7)
  • Charles (layers 6-7)
  • Fiddler (layers 6-7)
  • Wireshark (layers 2-7)

Demonstrations
  • HTTPFox (Ynet)
  • Fiddler (Pcman)

So, how to protect your data?
  • Use binary data instead of text/XML
  • Hash your data (MD5, SHA-1)
  • Use sessions
  • Use a secure channel (SSL/RTMPE)
  • Time-changing password
  • Use common logic

Secured loading (client/server diagram)
  • Step 1 - Download only the frame application
  • Step 2 - Open an encrypted channel (SSL)
  • Step 3 - Download the main app
  • Step 4 - Decrypt the SWF data and load the SWF (SWFLoader)
Memory protection
  • You don't know where your SWF will be used
  • There are many memory viewers (like Cheat Engine, http://www.cheatengine.org/)

Demonstrations
  • Changing data in a SWF file

So, how to protect memory?
  • Scramble important data (random)
  • Use a checksum on data
  • Don't count on garbage collection
Why use an attack server?
  • Cause DoS
  • Damage the remote site's database
  • Multiple registrations
  • Login to accounts
  • Many more

Password protection
  • Encourage the user to use a complex password
  • Don't use trivial combinations
  • Hash the password (MD5)
  • IP-to-location filter
  • Use smart captcha

Passwords (1)
  • Encourage the user to use a complex password

Passwords (2)
  • Block trivial combinations
  Your details:
    Name: Liorbruder
    Birthdate: 16/7/1983
    Id number: 033099124
  Common passwords:
    Liorbruder
    Lior1
    Lior16071983
    Bruderlior
    Brudergmail
    033099124

Passwords (3)
  • Hash the password (MD5)

Passwords (3)
  • Trivial passwords will be easy to detect
  Password - Hash
    lior1 - e9d9dc5987d3fd2369e10ed0a8c32d8a
    good - 7faae226566c91d06a0d741e0c9d3ae6
    bruder - e9d9dc5987d3fd2369e10ed0a8c32d8a
    test - 098f6bcd4621d373cade4e832627b4f6
Passwords (4)
  • How to steal captcha
  [diagram, two panels: "On your site" (User name:, Password:, For security please retype the following characters:) and "Somewhere on the internet…" (Welcome to my site, Do you want to see the next picture?)]
What do you need to learn to be a hacker?
What do you need to learn to protect your applications?
  • Learn how to program (C++, etc.)
  • Use a Unix OS
  • Learn web and server side (PHP)
  • Know the network layer protocols
  • Start looking in forums
  • Be discreet

Thank you
