
Beyond Security Theater -- With a CTF

A talk for the CCSF CyberClub by Sam Bowne
Published on Nov 13, 2018
CTF at https://samsclass.info/141/proj/ob-ctf.htm

Published in: Education

  1. Beyond Cryptography Theater. November 13, 2018. Sam Bowne, PhD, CISSP (like, really smart)
  2. Me: All materials freely available at samsclass.info
  3. Website: samsclass.info
  4. CTF
  5. https://www.kaspersky.com/blog/ciso-report/24288/
  6. Purpose
  7. Are Breaches Inevitable?
  8. Risks
  9. Consequences
  10. Role
  11. Pressure
  12. Qualifications
  13. Skills
  14. Security Theater
  15. Cisco VPN "Encrypted" Password
  16. Public Exposure
  17. Not So Encrypted
  18. Kaiser Permanente • I found their Cisco password this way • Disclosure was difficult, but I managed it privately • A journalist's consultant told me it didn't matter, because "that password is not a security boundary"
  19. Cryptography Theater
  20. PROTECTED BY ATTACK KITTENS
  21. Cryptography Theater • Obfuscation • Makes data difficult to read • But doesn't prevent a serious attacker from reading it
  22. Windows Registry
  23. USERASSIST • Records programs you launch on Windows • Protects your privacy by storing them in an obfuscated form
  24. ROT13 • Puebzr → Chrome • Q:frghc64.rkr → D:setup64.exe
  25. Android Apps
  26. TD Ameritrade App
  27. TD Ameritrade App • Puts password in syslog • Visible to all apps on the device • (Fixed in later versions)
  28. Mayo Clinic Medical Transport
  29. Mayo Clinic Medical Transport • Pull app from phone with adb • Unpack with apktool
  30. Mayo Clinic Medical Transport • grep for secretpassword • Disclosure • I notified the developer about this in June of 2015. He told me to get lost.
  31. GenieMd: Current versions on Nov 9, 2018
  32. GenieMd • Does not validate TLS certificates • Allows MITM attack
  33. GenieMd
  34. GenieMd • Notified by CERT in 2014, and by me in 2015
  35. FTC Lawsuit Settlement
  36. Passwords on a Phone
  37. Persistent Login • Users remain logged in even after shutting off their phone • How does the app remember who you are?
  38. Target == GOOD
  39. Target AU Android App
  40. User Login
  41. Server Response: Random Number, stored in a cookie. THIS IS THE RIGHT WAY
  42. Staples == BAD
  43. Tested in Jan 2017
  44. Locally Stored Password • Right away this shows a problem • WHY store the password? <string name="encryptedPassword">CT9SVzhhRaufBzCvmwENWQ==</string>
  45. 1. Best way: Don't. Use a cookie. 2. Use Android KeyChain. 3. Encrypt with a public key • Private key is kept secret on a server. 4. Encrypt with a private key • Private key is "hidden" on the phone (under the mat). 5. Store data unencrypted on the phone
  46. Special Password • aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaA123 • 32 identical characters at beginning <string name="encryptedPassword">5V/uOkjK/Pxnb8yo7OdXzuVf7jpIyvz8Z2/MqOznV84Chyt5lFv9LDpXXmJq9fUx</string>
  47. Decode (Python 2 session)
      >>> p = '5V/uOkjK/Pxnb8yo7OdXzuVf7jpIyvz8Z2/MqOznV84Chyt5lFv9LDpXXmJq9fUx'
      >>> p.decode("base64").encode("hex")
      'e55fee3a48cafcfc676fcca8ece757cee55fee3a48cafcfc676fcca8ece757ce02872b79945bfd2c3a575e626af5f531'
      Split into 16-byte blocks:
      e55fee3a48cafcfc676fcca8ece757ce
      e55fee3a48cafcfc676fcca8ece757ce
      02872b79945bfd2c3a575e626af5f531
  48. Read Smali Code
  49. Constructing the Key
  50. Final Key
  51. Encryption Test
  52. Notification • Notified Jan 2, 2017 • Automated response said it would be fixed • No response to follow-up email • April 13: Staples became homework
  53. Notification • Fixed by May 9, 2017
  54. Plaintext Password Storage
  55. Plaintext Login
  56. Broken SSL
  57. A Feature, Not a Bug
  58. Password Stored with Reversible Encryption
  59. Home Depot: Locally stored password is encrypted
  60. Unpack APK
  61. Salt -> Key
  62. Complete Decryption
  63. Kroger
  64. Kroger
  65. Safeway
  66. Safeway
  67. Walgreens
  68. Walgreens
  69. Multiple Vulnerabilities
  70. Fixed
  71. Analysis of Stolen Data Dumped by TEAMGHOSTSHELL on Aug 25, 2012
  72. Password Storage: Awful Beyond Belief. Plaintext, obvious, all the same
  73. Plaintext Passwords, Easily Guessed
  74. Sparklan Passwords
  75. Beforward Transactions with PII
  76. Plaintext Passwords
  77. Password Storage: BASE64. Obfuscated, not hashed
  78. Beforward.jp
  79. BASE64 Encoding
  80. Password Storage: Unsalted MD5 or SHA-1. Real hashing, but very easy to crack
  81. MIT – MD5 Password Hashes
  82. MySQL323 Password Hashes
  83. Cracking Hashes with Cain
  84. SHA-1 Hash
  85. Cracked!
  86. MySQL 5 Password Hashes
  87. Wordpress Password Hashes
  88. Relative Space
  89. Cracked!
  90. Password Hashing Algorithms
  91. The Right Way
  92. Basic Logic Errors
  93. San Francisco Parking Meters
  94. Wut? https://www.wired.com/2009/07/parking-meters/ https://www.pcworld.com/article/169376/meter_hackers.html
  95. Encrypted Storage
  96. • https://www.theguardian.com/politics/2016/dec/21/at-least-1000-government-laptops-and-flash-drives-reported-missing-since-2015
  97. • https://www.syss.de/fileadmin/dokumente/Publikationen/2009/SySS_Cracks_SanDisk_USB_Flash_Drive.pdf
  98. "Secure cryptographic algorithms, like AES... are used in an insecure way."
  99. https://www.theregister.co.uk/2015/10/20/western_digital_bad_hard_drive_encryption/
  100. • https://www.engadget.com/2018/11/06/microsofts-bitlocker-compromised-by-bad-ssd-encryption/ • https://www.theregister.co.uk/2018/11/05/busted_ssd_encryption/
  101. Math: Learn It
  102. • Management Review • Do you need this data? • Is it encrypted? • What algorithm? • Where is the key? All materials freely available at samsclass.info
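The repeated-block check behind slides 44 to 47, as an added Python example that is not from the talk: it base64-decodes the two encryptedPassword values shown on the slides, splits them into 16-byte blocks and flags duplicates, which is the signature of a block cipher run in ECB mode (equal plaintext blocks always give equal ciphertext blocks). The AES block size, PKCS#7 padding and the exact test password ("a" * 32 + "A123") are assumptions drawn from the slides.

```python
import base64
from collections import Counter

# Values copied from the slides; everything else here is constructed for the example.
# Slide 44: the stored encryptedPassword for an ordinary password (one 16-byte block).
SHORT_CT = "CT9SVzhhRaufBzCvmwENWQ=="
# Slide 46: the stored value for the test password of 32 'a' characters followed by "A123".
STAPLES_CT = "5V/uOkjK/Pxnb8yo7OdXzuVf7jpIyvz8Z2/MqOznV84Chyt5lFv9LDpXXmJq9fUx"
TEST_PASSWORD = "a" * 32 + "A123"  # assumption: matches the slide's crafted password

BLOCK = 16  # assumption: AES block size, consistent with the 48-byte ciphertext


def padded_length(plaintext: bytes, block: int = BLOCK) -> int:
    """Length after PKCS#7 padding (assumed): always a whole number of blocks."""
    return len(plaintext) + (block - len(plaintext) % block)


def blocks(ct_b64: str, block: int = BLOCK) -> list:
    """Base64-decode a stored value and return its cipher blocks as hex strings."""
    raw = base64.b64decode(ct_b64)
    if len(raw) % block:
        raise ValueError("ciphertext length is not a multiple of the block size")
    return [raw[i:i + block].hex() for i in range(0, len(raw), block)]


def repeated_blocks(ct_b64: str, block: int = BLOCK) -> dict:
    """Map each cipher block that occurs more than once to the positions it occupies.
    Equal plaintext blocks producing equal ciphertext blocks means no IV or chaining
    is in use: the cipher is running in ECB mode."""
    bs = blocks(ct_b64, block)
    counts = Counter(bs)
    return {b: [i for i, x in enumerate(bs) if x == b] for b, n in counts.items() if n > 1}


def looks_like_ecb(ct_b64: str, block: int = BLOCK) -> bool:
    """True when the stored value shows the ECB repetition signature.
    A single-block value (slide 44) can never trigger this, which is why the
    talk uses a crafted password with two identical leading blocks."""
    return bool(repeated_blocks(ct_b64, block))


if __name__ == "__main__":
    print("padded test password length:", padded_length(TEST_PASSWORD.encode()))
    for name, ct in (("slide 44", SHORT_CT), ("slide 46", STAPLES_CT)):
        print(name, blocks(ct), "ECB?", looks_like_ecb(ct))
```

The 36-byte test password pads to 48 bytes, three blocks, and the first two cipher blocks come out identical; a mode with a random IV (CBC, GCM) would never show this.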
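For the password-storage tiers on slides 72 to 91, an added Python example (not from the talk) that contrasts base64 obfuscation and unsalted MD5, both of which let identical passwords be spotted in a dump, with salted, iterated PBKDF2 as one of the "right way" choices; the user records are constructed for the demonstration and the iteration counts are assumptions.

```python
import base64
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional


def base64_obfuscate(password: str) -> str:
    """Slide 77: base64 is encoding, not hashing; anyone can reverse it with no key."""
    return base64.b64encode(password.encode()).decode()


def base64_reveal(stored: str) -> str:
    return base64.b64decode(stored).decode()


def unsalted_md5(password: str) -> str:
    """Slide 80: a real hash, but deterministic, so it is precomputable and
    every user with the same password gets the same stored value."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, iterations: int = 200_000, salt: Optional[bytes] = None) -> str:
    """Slide 91: per-user random salt plus a slow, iterated hash (assumed parameters)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time comparison


def shared_credentials(records: dict) -> list:
    """Group users whose stored values are identical (slide 72: 'all the same')."""
    groups = defaultdict(list)
    for user, stored in records.items():
        groups[stored].append(user)
    return sorted(users for users in groups.values() if len(users) > 1)


# Constructed sample dump: three users, two of them sharing a password.
SAMPLE_PASSWORDS = {"alice": "password", "bob": "password", "carol": "hunter2"}


def md5_dump() -> dict:
    return {u: unsalted_md5(p) for u, p in SAMPLE_PASSWORDS.items()}


def pbkdf2_dump() -> dict:
    return {u: pbkdf2_store(p, iterations=1000) for u, p in SAMPLE_PASSWORDS.items()}
```

With unsalted MD5 the dump immediately shows alice and bob share a password; with salted PBKDF2 their stored values differ and reveal nothing.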
