Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Beyond Security Theater

89 views

Published on

Slides for a talk at the Pacific Hackers conference in Santa Clara, California
Given on Nov 11, 2018
By Sam Bowne

Published in: Education
  • Be the first to comment

Beyond Security Theater

  1. 1. Beyond Cryptography Theater Hacker Dojo, Santa Clara California November 11, 2018 Sam Bowne PhD, CISSP like, really smart
  2. 2. Me All materials freely available at samsclass.info
  3. 3. Security Theater
  4. 4. Cisco VPN 
 "Encrypted" Password
  5. 5. Public Exposure
  6. 6. Not So Encrypted
  7. 7. Kaiser Permanente •I found their Cisco password this way •Disclosure was difficult, but I managed it privately •A journalist's consultant told me it didn't matter, because "that password is not a security boundary"
  8. 8. Cryptography Theater
  9. 9. PROTECTED BY ATTACK KITTENS
  10. 10. Cryptography Theater •Obfuscation •Makes data difficult to read •But doesn't prevent a serious attacker from reading it
  11. 11. Windows Registry
  12. 12. USERASSIST • Records programs you launch on Windows • Protects your privacy by storing them in an obfuscated form
  13. 13. ROT13 • Puebzr • Chrome • Q:frghc64.rkr • D:setup64.exe
  14. 14. Android Apps
  15. 15. TD Ameritrade App
  16. 16. TD Ameritrade App • Puts password in syslog • Visible to all apps on the device • (Fixed in later versions)
  17. 17. Mayo Clinic Medical Transport
  18. 18. Mayo Clinic Medical Transport • Pull app from phone with adb • Unpack with apktool
  19. 19. Mayo Clinic Medical Transport • grep for secretpassword • Disclosure • I notified the developer about this in June of 2015. He told me to get lost.
  20. 20. GenieMd Current versions on Nov 9, 2018
  21. 21. GenieMd • Does not validate 
 TLS certificates • Allows MITM attack
  22. 22. GenieMd
  23. 23. GenieMd • Notified by CERT in 2014, and by me in 2015
  24. 24. FTC Lawsuit Settlement
  25. 25. Passwords on a Phone
  26. 26. Persistent Login •Users remain logged in even after shutting off their phone •How does the app remember who you are?
  27. 27. Target == GOOD
  28. 28. Target AU Android App
  29. 29. User Login
  30. 30. Server Response Random Number, stored in a cookie THIS IS THE RIGHT WAY
  31. 31. Staples == BAD
  32. 32. Tested in Jan 2017
  33. 33. Locally Stored Password • Right away this shows a problem • WHY store the password? <string name="encryptedPassword"> CT9SVzhhRaufBzCvmwENWQ== </string>
  34. 34. 1. Best way: Don't. Use a cookie 2. Use Android KeyChain 3. Encrypt with with a public key • Private key is kept secret on a server 4. Encrypt with with a private key • Private key is "hidden" on the phone (under the mat) 5. Store data unencrypted on the phone
  35. 35. Special Password • aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaA123 • 32 identical characters at beginning <string name="encryptedPassword"> 5V/uOkjK/Pxnb8yo7OdXzuVf7jpIyvz8Z2/ MqOznV84Chyt5lFv9LDpXXmJq9fUx </string>
  36. 36. Decode p = '5V/uOkjK/Pxnb8yo7OdXzuVf7jpIyvz8Z2/ MqOznV84Chyt5lFv9LDpXXmJq9fUx' >>> p.decode("base64").encode("hex") 'e55fee3a48cafcfc676fcca8ece757cee55fee3a4 8cafcfc676fcca8ece757ce02872b79945bfd2c3a5 75e626af5f531' e55fee3a48cafcfc676fcca8ece757ce e55fee3a48cafcfc676fcca8ece757ce 02872b79945bfd2c3a575e626af5f531
  37. 37. Read Smali Code
  38. 38. Constructing the Key
  39. 39. Final Key
  40. 40. Encryption Test
  41. 41. Notification • Notified Jan 2, 2017 • Automated response said it would be fixed • No response to follow-up email • April 13 -- Staples became homework
  42. 42. Notification • Fixed by May 9, 2017
  43. 43. Plaintext Password Storage
  44. 44. Plaintext Login
  45. 45. Broken SSL
  46. 46. A Feature, Not a Bug
  47. 47. Password Stored with Reversible Encryption
  48. 48. Home Depot Locally stored password is encrypted
  49. 49. Unpack APK
  50. 50. Salt -> Key
  51. 51. Complete Decryption
  52. 52. Kroger
  53. 53. Kroger
  54. 54. Safeway
  55. 55. Safeway
  56. 56. Walgreens
  57. 57. Walgreens
  58. 58. Multiple Vulnerabilities
  59. 59. Fixed
  60. 60. Analysis of Stolen Data Dumped by TEAMGHOSTSHELL on Aug 25, 2012
  61. 61. Password Storage:
 Awful Beyond Belief Plaintext, obvious, all the same
  62. 62. Plaintext Passwords, Easily Guessed
  63. 63. Sparklan Passwords
  64. 64. Beforward Transactions with PII
  65. 65. Plaintext Passwords
  66. 66. Password Storage:
 BASE64 Obfuscated, not hashed
  67. 67. Beforward.jp
  68. 68. BASE64 Encoding
  69. 69. Password Storage:
 Unsalted MD5 or SHA-1 Real hashing, but very easy to crack
  70. 70. MIT – MD5 Password Hashes
  71. 71. MySQL323 Password Hashes
  72. 72. Cracking Hashes with Cain
  73. 73. SHA-1 Hash
  74. 74. Cracked!
  75. 75. MySQL 5 Password Hashes
  76. 76. Wordpress Password Hashes
  77. 77. Relative Space
  78. 78. Cracked!
  79. 79. Password Hashing Algorithms
  80. 80. The Right Way
  81. 81. Basic Logic Errors
  82. 82. San Francisco Parking Meters
  83. 83. Wut? https://www.wired.com/2009/07/parking-meters/ https://www.pcworld.com/article/169376/meter_hackers.html
  84. 84. Encrypted Storage
  85. 85. •https://www.theguardian.com/politics/2016/dec/21/at- least-1000-government-laptops-and-flash-drives-reported- missing-since-2015
  86. 86. • https://www.syss.de/fileadmin/dokumente/Publikationen/2009/ SySS_Cracks_SanDisk_USB_Flash_Drive.pdf
  87. 87. "Secure cryptographic algorithms, like AES... are used in an insecure way."
  88. 88. https://www.theregister.co.uk/2015/10/20/western_digital_bad_hard_drive_encryption/
  89. 89. • https://www.engadget.com/2018/11/06/microsofts-bitlocker- compromised-by-bad-ssd-encryption/ • https://www.theregister.co.uk/2018/11/05/busted_ssd_encryption/
  90. 90. Math Learn It
  91. 91. • Management Review • Do you need this data? • Is it encrypted? • What algorithm? • Where is the key? All materials freely available at samsclass.info

×