Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Devnexus 2017 Cybercrime and the Developer: How do you make a difference?

510 views

Published on

Cybercrime how bad can it be? Organised attacks around the world in 2016 have shown how unprepared we are to deal with the growth of Cybercrime. In this talk learn a little about the scale of the challenge developers face from assaults on our systems. Be prepared to be appalled and scared. Fainting is not allowed. Discover how to fight back and see how you can change your behaviour and your code to defend against these attacks.

Your destiny is clear - it’s time to be come a Cyber Defender

Published in: Technology
  • Be the first to comment

Devnexus 2017 Cybercrime and the Developer: How do you make a difference?

  1. 1. Cybercrime and the Developer: How do you make a difference? Cybercrime how bad can it be? Organised attacks around the world in 2016 have shown how unprepared we are to deal with the growth of Cybercrime. In this talk learn a little about the scale of the challenge developers face from assaults on our systems. Be prepared to be appalled and scared. Fainting is not allowed. Discover how to fight back and see how you can change your behaviour and your code to defend against these attacks. Your destiny is clear - it’s time to be come a Cyber Defender
  2. 2. About me Steve Poole IBM Lead Engineer / Developer advocate @spoole167 Making Java Real Since Version 0.9 Open Source Advocate DevOps Practitioner (whatever that means!) Driving Change
  3. 3. Outline Cybercrime realities Our perception, The bitter truth & why the future looks bleak How our behavior makes cybercrime even easier How we perceive ourselves and how we act Vulnerabilities The ammunition of choice: Hardware & Software why talking about vulnerabilities is good Java (as an example) keep, fix or avoid? What can we do better Changing behavior, Architecture and systems, Coding and developing Summary The situation is going to get worse before it gets better We as a community need to take this seriously Next steps. Education, risk assessment and active defense
  4. 4. This talk • I’m a developer – not a security expert. • Arose because of “compliance”: what does that mean? How do I find out more? • Arose because I didn’t understand what the fuss was all about • Arose because giving uneducated developers access to cloud resources generally has unfortunate consequences • Is about how and why we need to behave differently. • Here’s what I’ve learnt so far…
  5. 5. @spoole167 https://www.flickr.com/photos/karen_roe/ Is this your system? Secure firewalls? Strong encryption? Can see any intrusion?
  6. 6. @spoole167ttps://www.flickr.com/photos/77278206@N02/ Maybe its more like this? Uses https occasionally? A firewall at least Can see any intrusion out of this window
  7. 7. @spoole167https://www.flickr.com/photos/bambe1964/ Unless you pay attention it’s soon going to be like this
  8. 8. Cybercrime realities
  9. 9. https://www.flickr.com/photos/stignygaard/ Do you think cybercriminals are lone hackers?
  10. 10. https://www.flickr.com/photos/bk1bennett/ Do you think cybercrime is as obvious?
  11. 11. Dear Winner, This is to inform you that you have been selected for a prize of a brand new 2016 Model BMW Hydrogen 7 Series Car, a Check of $500,000.00 USD and an Apple laptop from the international balloting programs held on the 27th, section of the 2016 annual award promo in the UNITED STATE OF AMERICA. Think you’re too smart to be suckered?
  12. 12. Cybercrime Realities
  13. 13. “Organized Cybercrime is the most profitable type of crime” • In 2016 Cybercrime was estimated to be worth 445 Billion Dollars a Year • In 2013 the United Nations Office on Drugs and Crime (UNODC) estimated globally the illicit drug trade was worth 435 Billion Dollars • Guess which one has the least risk to the criminal? • Guess which is growing the fastest? • Guess which one is the hardest to prosecute? • Guess which one is predicted to reach 2100 Billion Dollars by 2019?
  14. 14. So who are the bad guys? https://www.flickr.com/photos/monsieurlui/
  15. 15. A mirror of you? • Organized and methodical • organized like startup companies. • “employ” highly experienced developers with deep knowledge • Constantly innovating malware, seeking out vulnerabilities • Sharing what they find with each other (for $ of course) • Goal focused • the average age of a cybercriminal is 35 years old.
  16. 16. Already into crime • Commissioner of the City of London Police: • “We estimate that around 25 per cent of the organized crime groups in this country are now involved in financial crime in one shape or another…” • University of Cambridge researchers report that 60% of cyber-criminals had criminal records which were completely unrelated to cyber-crime • “those traditional offenders are changing their behavior and moving to the internet”. Cybercriminals mostly get caught for something other than cybercrime
  17. 17. https://www.flickr.com/photos/gotcredit/ What data are they after? Medical data, insurance information, Social Security numbers any Sensitive Personal Information,
  18. 18. What data are they after? • Moving beyond credit card numbers • Long term identify theft • Medical data, Sensitive Personal Information, insurance information, Social Security numbers • Information that gives insight into behavior • Information that give access Quiet and repeated Infiltration Ransomware instead of cyber-graffiti All personal data is useful and worth $$$ http://www.darkreading.com/attacks- breaches/stolen-health-record-databases-sell- for-$500000-in-the-deep-web/d/d- id/1328225?
  19. 19. They want facts about you and colleagues • Any piece of personal information about YOU is useful. It get’s sold on and somewhere someone brings it all together. • Can I connect your email address to your data of birth? • Can I find out where you live? • Can I find out who you work for? • Can I find out what you think about your boss? • Can I find out what sites you’ve visited? • The more I know about you – the more I can refine the attack. • The more I know about you – the more $$ I can make • And attacks are more than “technical”
  20. 20. Social Engineering: No-one falls for those sort of things do they?
  21. 21. DEAR SIR/MA'AM. YOUR ATM CARD OF $10.5MILLION DOLLARS WAS RETURNED TODAY BY OUR COURIER DELIVERY COMPANY, AND WE ARE GOING TO CANCEL THE ATM CARD IF YOU FAILS TO ACKNOWLEDGE THIS MESSAGE, WE SHALL ALSO ASSUME THAT WHAT OUR COURIER DELIVERY COMPANY TOLD US IS NOTHING BUT THE TRUTH THAT YOU DON'T NEED YOUR ATM CARD OF $10.5 MILLION DOLLARS ANY LONGER. DO ACKNOWLEDGE THIS MESSAGE AS SOON AS POSSIBLE. YOURS FAITHFULLY. YOURS SINCERELY, MR MARK WRIGHT, DIRECTOR FOREIGN REMITTANCE ATM CARD SWIFT PAYMENT DEPARTMENT ZENITH BANK OF NIGERIA.
  22. 22. Federal Bureau of Investigation (FBI) Anti-Terrorist And Monitory Crime Division. Federal Bureau Of Investigation. J.Edgar.Hoover Building Washington Dc Customers Service Hours / Monday To Saturday Office Hours Monday To Saturday: Dear Beneficiary, Series of meetings have been held over the past 7 months with the secretary general of the United Nations Organization. This ended 3 days ago. It is obvious that you have not received your fund which is to the tune of $16.5million due to past corrupt Governmental Officials who almost held the fund to themselves for their selfish reason and some individuals who have taken advantage of your fund all in an attempt to swindle your fund which has led to so many losses from your end and unnecessary delay in the receipt of your fund.for more information do get back to us. …. Upon receipt of payment the delivery officer will ensure that your package is sent within 24 working hours.
  23. 23. From <your boss> I’ve spoken to the Italians and they will send us the goods if we pay $3M immediately. Details below. I’m off to the golf course – no distractions please.
  24. 24. an email from an international transport company urging recipients to open a waybill in a zip (The Zip content launches a downloader) The targets are busy and not IT savy. The criminals are IT savy and industry savy ☹️ ☹️
  25. 25. Phishing -> Spear Phishing -> Personalised Attacks The move is towards more organised and long term attacks that are hidden from view. Think about this – when you’re trawling the net for gullible people you set the bar low. With personalised attacks you invest more and make it compelling. You victims views on Facebook about their boss, how busy they are, important deals coming up. It all helps to craft that million dollar scam…
  26. 26. Another personal experience This: “Is your laptop eligible for upgrade? All employees are entitled to regular laptop refreshes depending on job role. Check <here> to check your status and eligibility for upgrade“ Plus the detailed outline of IBMs internal policy almost had me convinced. What saved me was the referenced url seemed obviously bogus But I wasn’t totally convinced it was a Phish
  27. 27. Who’s being targeted? • Middle level executives – afraid of their bosses? • New joiners – easy to make a mistake? • Busy and harassed key individuals – too busy to take time to consider? • Disgruntled employees – want to hurt the company? Make some $? • And Developers – the golden goose. The bad guys prey on the weak, vulnerable and ignorant
  28. 28. Developers • Why ? • We know the inside story • We write the code • We have elevated privileges • We are over trusting • We use other peoples code and tools without inspection • we are ignorant of security matters The bad guys prey on the weak, vulnerable and ignorant
  29. 29. Don’t agree? “The bad guys prey on the weak, vulnerable and ignorant: That’s you”
  30. 30. Ever googled for: “very trusting trust manager” “Getting Java to accept all certs over HTTPS” “How to Trust Any SSL Certificate” “Disable Certificate Validation in Java”
  31. 31. TrustManager[] trustAllCerts = new TrustManager[]{ new X509TrustManager() { public X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted( X509Certificate[] certs, String authType) { } public void checkServerTrusted( X509Certificate[] certs, String authType) { } public boolean isClientTrusted( X509Certificate[] cert) { return true; } public boolean isServerTrusted( X509Certificate[] cert) { return true; } } }; Ever written something like this?
  32. 32. We’ve all done something like that
  33. 33. We’ve all done something like that We do it all the time
  34. 34. We’ve all done something like that We do it all the time The whole world does it How bad can it be?
  35. 35. We’ve all done something like that We do it all the time The whole world does it Github search “implements TrustManager” ….
  36. 36. We’ve found 72,609 code results AlwaysValidTrustManager TrustAllServersWrappingTrustManager A very friendly, accepting trust manager factory. Allows anything through. all kind of certificates are accepted and trusted. A very trusting trust manager that accepts anything // Install the all-trusting trust manager OverTrustingTrustProvider AllTrustingSecurityManagerPlugin.java AcceptingTrustManagerFactory.java AllTrustingCertHttpRequester.java
  37. 37. Developers are too trusting. Linux Repos npm “npm is the package manager for JavaScript. Find, share, and reuse packages of code from hundreds of thousands of developers — and assemble them in powerful new ways.” Great sentiments. “But Caveat Emptor”
  38. 38. @spoole167https://www.flickr.com/photos/bambe1964/ Are you still paying attention?
  39. 39. https://www.flickr.com/photos/koolmann/ It gets scarier
  40. 40. Cybercrime: Expanding the attack vector
  41. 41. Basic ways in: The old fashioned set • Social engineering – convince you to open the door • Vulnerability exploits – find doors already open • Inside information – you tell them where the keys are for gain The bad guys can already get into your systems easier than you ever thought possible.
  42. 42. The new attack vectors • Devices, Devices, Devices • Eavesdropping, network devices with default passwords • Drive-by gateways • Ransomware • Blackmail and extortion • Extending Malware into real products. • Helpful free stuff – like docker images • Dangerous paid stuff - like game trainers • Actual ’at the source’ injections - like pull requests! • Like unknown helpful people – do you know what can happen in a git merge? https://www.flickr.com/photos/famzoo/
  43. 43. Devices inside your network What’s CPU’s are connected to your network? • Smart printers? • Smart TV’s? • BYODs? How many devices have default passwords? How many have passwords that everyone knows? How many are running older unpatched software? You cannot ever assume your internal network is safe and uncompromised ByKonstantinLanzet-CPUcollectionKonstantinLanzet,CCBY-SA3.0, https://commons.wikimedia.org/w/index.php?curid=6834217
  44. 44. The S in IoT stands for security
  45. 45. Wifi Gateways Are everywhere How do you know that a SSID you see is not fake? In your office? In your home? In a Coffee Shop? At a conference in Atlanta?
  46. 46. Wifi Gateways Pi Zero WIFI Dongle USB Power Would you notice this stuck to the wall?
  47. 47. Wifi Gateways Are everywhere Many legitimate ones encourage bad practices
  48. 48. https://www.flickr.com/photos/yodelanecdotal/ Spoofing Wifi gateways is really, really easy Here‘s how it works
  49. 49. Simple http case
  50. 50. Internet websitegateway The normal (simplified) flow for http Give me data browser Here is data
  51. 51. Simple hijacked http case
  52. 52. Internet websitegateway Man in the middle attack for http Give me data browser Here is data Give me data Do bad things with data Here is data SSID: OpenConference Password: easy
  53. 53. 1) Simple https case
  54. 54. Internet websitegateway The normal (simplfied) flow for https Client Hello (max SSL version supported) browser Server Hello (what SSL version to be used) Server SSL CertificateCheck Certificate Send random local key encoded using Server SSL certificate Secure, two way encrypted communications Certificate Authorities
  55. 55. Simple hijacked https case – you accept the certificate
  56. 56. Internet websitegateway Man in the middle attack for https – you accept the certificate Client Hello browser Server Hello Server SSL Certificate Check Certificate Send different random local key Secure communications Client Hello Server Hello Gateway SSL Certificate Send random local key Secure, two way communications Certificate Authorities switched
  57. 57. 1) Simple hijacked https case – you accepted the certificate – but at least you saw it
  58. 58. 2) Simple hijacked https case – you have a bogus certificate authority locally
  59. 59. Internet websitegateway Man in the middle attack for https – version 2 Client Hello browser Server Hello Server SSL Certificate Check Certificate Send different random local key Secure communications Client Hello Server Hello Gateway SSL Certificate Send random local key Secure, two way communications Bogus Certificate Authority switched
  60. 60. 2) Simple hijacked https case – you have a bogus certificate authority locally – and you didn’t even know it was there It might even have been issued by your company and been stolen and used against you
  61. 61. It can be even easier/worse If your initial request to a server is http (ie unencrypted) • A MITM can replace all inline https references with http • Then when your form is submitted it’s sent unencrypted • Maybe the server will bounce the request. But it’s too late- your private data is gone.
  62. 62. Internet websitegateway Stealing your data with http http browser post to https://foo.com http post to http://foo.com http post Server unavailable RELOAD http https post post to https://foo.com switched
  63. 63. Typical Pattern 1. MITM tracks a single important server target. The thieves know how the flows work. They track your usage 2. When your userid / password is requested the https is already forced to http. 3. Your data is sent in the clear. The MITM sends you a ‘there was a problem’ msg and gets out of your way. 4. You refresh and resubmit. 5. None the wiser…
  64. 64. Given how important using https correctly is…
  65. 65. Why do we turn it off? curl –insecure wget --no-check-certificate sudo apt-get --allow-unauthenticated
  66. 66. For reasonable reasons? • “The server I access is self-signed” • “I want to access multiple servers “ Unexpectedly? • “I thought I was using the tool correctly” • “I didn’t realize what the default setting was” • “I trusted the tool to do the right thing” Maliciously? • “Someone changed the script and I don’t know why”
  67. 67. And… • Developers download code, tools, certificates etc without considering the consequences. • We believe implicitly that other developers are trustworthy. How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript Code pulled from NPM – which everyone was using http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/ What if he’d added malware instead?
  68. 68. Why aren’t we taking this seriously? Cyber criminal
  69. 69. Would help if we used a different name? Cyber criminal Advanced Persistent Threat
  70. 70.  Innovative  Imaginative  Without boundaries  Well funded  Ruthless  Uncaring Advanced Persistent Threat And more
  71. 71. Remember that scene from Oceans 13? https://www.flickr.com/photos/andereri/ Where they went to Mexico to fix the dice?
  72. 72. Suppose they had to get into a Smart TV factory And they had to ’fix’ the SoC chips ByKonstantinLanzet-CPUcollectionKonstantinLanzet,CCBY-SA3.0, https://commons.wikimedia.org/w/index.php?curid=6834217
  73. 73. It’s already happened
  74. 74. Vulnerabilities • Bugs and design flaws in your software and the software you use. • Everyone has them. • Researchers are looking for them all the time. • So are the bad guys https://www.flickr.com/photos/electronicfrontierfoundation/
  75. 75. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=java Vulnerabilities https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=serialization https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=javascript
  76. 76. Java Vulnerability example In a version of a java communications library a long time ago. A Properties object which mapped labels to classnames “decode” = “org.foo.decoder.Decoder” When the class couldn’t be instantated an exception was returned “Cannot instantiate ‘decoder’ class ‘org.foo.decoder.Decoder’”
  77. 77. Unfortunately When retrieving the label if it wasn’t found in the Properties object then the library looked in the System Properties object. The result? A remote attacker could systematically retrieve the value of every System Property. “Cannot instantiate ’user.home’ class ‘/Users/joe’”
  78. 78. Vulnerabilities The bad news is that talking about the specifics of a vulnerability is not something anyone wants to do. The relationship between CVE’s and bug fixes is kept tenuous So how do you assess the impact of vulnerability or even where its fixed? Using CVSS (Common Vulnerability Scoring System) an agreed open process vulnerabilities are scored. Scores and ship vehicles are published https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id- 19117/Oracle-JRE.html https://developer.ibm.com/javasdk/support/security-vulnerabilities/
  79. 79. Java Vulnerabilities • Breakdown for just over 300 Java vulnerabilities since mid 2013: 69% Applet/Browser issues and security sandbox escapes (many different issues in many different components, but the vulnerabilities only apply when running untrusted code under a security manager) 13% Untrusted data (usually DoS issues involving malicious fonts, images or XML) 12% Cryptographic (including SSL/TLS) 6% Other (many different categories)
  80. 80. Recap • The simple truth is that we are going to be engaged in an arms race over security for the foreseeable future • We’ve on the back foot right now. • Our behavior makes cybercrime even easier • How we perceive ourselves and how we act has got to change • Vulnerabilities, Compromised devices etc • We have to behave as if every server we have is publically addressable • We have to focus on reducing our exposure Here’s how to get started.
  81. 81. First steps Keep current. Every vulnerability fix you apply is one less way in. Compartmentalise. Separate data, code, access controls etc. Just like bulkhead doors in a ship: ensure one compromise doesn’t sink your boat. Design for intrusion. Review you levels of ‘helpfulness’ and flexibility Learn about Penetration Testing Understand that making your development life easier makes the hackers job easier
  82. 82. next steps Take control of your dependencies. Build your own internal caches and repositories. Scan them for known vulnerabilities and change all those embedded default passwords OR buy the service from someone you trust. Don’t download or depend on random code. Ensure you trust the providers and you understand what they are doing to earn and keep your trust. Examine the processes they have to ensure that the code / binaries / certificates being hosted are legitimate Educate yourself Learn about secure engineering techniques Learn about how to assess security risks
  83. 83. This isn’t as challenging or costly as it seems
  84. 84. We’re already starting to do this Microservices is helping us with compartmentatisation Continuous Delivery is helping with frequent patching Containers are helping with dependency management Infrastructure As Code is helping with locking down environments DevOps is bringing IT practices into the realm of the developer Moving to the Cloud allows us to have industry leading security like firewalls, advanced intrusion detection, vulnerability assessments etc
  85. 85. May be there is some light at the end of the tunnel https://www.flickr.com/photos/bovinity/

×