
Social Connections 12. We hired hackers to hack us


  1. Vienna, October 16-17 2017. We hired hackers to hack us: A case study about cloud-based authentication and security in IBM Connections. Robert Farstad, @robertfarstad
  2. Social Connections 11 Chicago, June 1-2 2017 / Social Connections 12 Vienna, October 16-17 2017. PLATINUM SPONSORS, GOLD SPONSORS, SILVER SPONSORS, BRONZE SPONSORS
  3. This session… is mainly for you tech people, but very useful for everyone to see. It might be an eye-opener. No talk about:
     • What IBM Connections is…
     • What IBM Cnx can give you…
     • No ROI talk whatsoever!
     • How to use IBM Cnx!!
  4. This session… is a case study where I will show you
     • an integration with Auth0.
     • how we hired hackers to hack us.
  5. Vienna, October 16-17 2017
  6. The customer
  7. The customer:
     • Political party, won the election in 2017, second time in a row.
     • Norway's Prime Minister is Høyre's leader.
     • 60,000 members
     • Was a white-space customer.
     • Now: Connections + Docs + Sametime
     • IBM Reference Customer.
     • Security is more and more of a priority.
     • Election year = hacking attempts.
     • We hacked them first!
  8. Cloud-based authentication. Høyre used Auth0 for all websites. The requirement for them to become a Connections customer was:
     • Authentication integration with Auth0!
     • → POC: Item Consulting developed a TAI mechanism towards Auth0.
  9. What is Auth0?
  10. Cloud-based authentication. You can connect any application.
     • Custom credentials: username + password
     • Social network logins: Google, Facebook, Twitter, and any OAuth2, OAuth1 or OpenID Connect provider.
     • Enterprise directories: LDAP, Google Apps, Office 365, ADFS, AD, SAML-P, WS-Federation, etc.
     • Passwordless systems: Touch ID, one-time codes over SMS or email.
     • Supports several 2-factor solutions.
  11. Cloud-based authentication.
     • JSON Web Token
     • Secure API: TLS v1.2, AES_128_GCM, with ECDHE_RSA as the key exchange mechanism.
     • Extensible admin tool.
     • Monitoring (number of logins, where from, who fails, hack attempts, alarms).
     • Blocking
     • Logs
     • Synced with Høyre's back-end member system via MSSQL DB, securely!
  12. Cloud-based authentication
  13. Cloud-based authentication
  14. Auth0 + TAI
     • Item developed a WebSphere application.
     • TAI: Trust Association Interceptor.
     • → LTPA after authentication.
     • New Auth0 login page.
     • Logout pages are modified: logs out of Auth0, logs out of WebSphere.
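The TAI sits between Auth0 and WebSphere: it has to check the token Auth0 hands back before WebSphere turns that identity into an LTPA cookie. The following is an added example, not Item Consulting's TAI code, of the checks such a validator has to make on a JSON Web Token: the signing algorithm is pinned on the server side (a token claiming "alg": "none" is rejected), the signature is compared in constant time, and issuer, audience, expiry and subject are all verified before anything is trusted. It assumes HS256 (HMAC) signing so that it runs with the Python standard library; Auth0 tenants frequently use RS256, in which case the signature step becomes an RSA verification against the tenant's published key and the remaining checks are unchanged. The secret, issuer and audience values are constructed placeholders, not Høyre's settings.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values: a real TAI reads the secret, issuer and audience from
# WebSphere configuration. All three are placeholders, not Høyre's settings.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"
EXPECTED_ISS = "https://example-tenant.auth0.example/"   # placeholder issuer
EXPECTED_AUD = "connections-demo-client"                  # placeholder audience


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Test-side issuer: builds an HS256 token (or an unsigned one when alg='none')."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    if alg == "none":
        return signing_input + "."          # what an 'alg: none' forgery looks like
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims the TAI may trust, or None if the token must be rejected."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:                       # wrong segment count, bad base64, bad JSON
        return None
    # Pin the algorithm server-side: the token must never choose it ('none' or a downgrade).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None                          # forged, tampered, or signed by another tenant
    if not isinstance(claims, dict):
        return None
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        return None                          # valid token, but not issued for this application
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None                          # expired or missing expiry
    if not claims.get("sub"):
        return None                          # nothing to map to a WebSphere principal
    return claims


if __name__ == "__main__":
    demo = mint_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD,
                       "sub": "auth0|demo-user", "exp": time.time() + 300}, DEMO_SECRET)
    print("accepted:", validate_token(demo, DEMO_SECRET) is not None)
    print("alg=none rejected:", validate_token(demo.rsplit(".", 1)[0] + ".", DEMO_SECRET) is None)
```

Every rejection path returns None rather than raising, so the TAI can fall through to "not authenticated" without leaking which check failed to the client.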
  15. Devices used. Login occurs from:
     • Browsers
     • Apps
     • Desktop plugins.
     Technically, the login procedures are quite different.
  16. Web browsers
  17. Apps + Plugins
  18. Tivoli Directory Server (TDS)
     ◘ Free/bundled LDAP server for IBM Connections
     ◘ Standard setup between WebSphere and TDS
     ◘ Import of users via TDI/SDI to TDS, from the MSSQL database over a site-to-site VPN.
     ◘ Imports only the most relevant fields: name, email, mobile, position, company, department
  19. Tivoli Directory Server (TDS) + PTA
     ◘ The password field in TDS is blank!
     ◘ PTA is triggered.
     ◘ What is PTA? Pass-Through Authentication.
     ◘ PTA is configured to search an alternative LDAP source.
     ◘ The password is stored in Auth0.
     ◘ Our PTA source is TDI/SDI.
     ◘ TDI calls the TAI application and gets response code 200 if OK.
     ◘ → logged in
  20. What is TDI/SDI?
     ◘ Tivoli Directory Integrator / Security Directory Integrator
     ◘ Data manipulation system, limitless possibilities.
     ◘ Eclipse based, JavaScript coding.
     ◘ Used to move, consolidate and manipulate data.
     ◘ Used in Connections for profile data import.
     ◘ Best tool ever, once you've learned the gist of the GUI and debugger.
  21. TDI acting as an LDAP server.
     ◘ Simulates an LDAP server.
     ◘ Gets the attempted username and password from TDS PTA.
     ◘ Credentials → WebSphere Auth0login app.
     ◘ WAS app → REST lookup to the Auth0 API.
     ◘ Gets return code OK or NOT_OK.
     ◘ TDI receives the same code from the WAS app.
     ◘ TDS PTA receives the same code from TDI.
     ◘ TDI runs multiple instances and can handle a large load.
  22. TDI acting as an LDAP server. Simple code, extremely powerful!
  23. TDI acting as an LDAP server.
  24. Did they get in? We hired hackers.
  25. What they tested: login attempts, SSL + headers, apps, stolen laptop, me!, sensitive information.
  26. SSL tests (www.ssllabs.com). The grade was bad. After hardening: SSLCipherSuite, honorCipherOrder, and disabling SSLv2 + SSLv3. TLS only.
  27. SSL tests: HTTP config for Grade A
     SSLEnable
     SSLProtocolEnable TLS
     SSLProtocolDisable SSLv2 SSLv3
     # Disable SSLCompression -> CRIME attack
     SSLCompression off
     # Prefer ECDHE-RSA ciphers
     SSLCipherSpec ALL NONE
     SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
     SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
     SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
     SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
     SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
     SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
     SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
     # Enabling these 3 ciphers means an A- rating on ssllabs
     SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
     SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA
     SSLCipherSpec ALL SSL_RSA_WITH_3DES_EDE_CBC_SHA
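To see what a cipher list like the one above actually permits, here is an added Python audit (my code, not from the slides) that reads the IHS directives in order, takes SSLCipherSpec ALL NONE as clearing the current list (my reading of the IHS syntax, consistent with the slide's ordering), and classifies every suite that follows: forward secrecy (ECDHE/DHE key exchange) or not, AEAD (GCM) versus CBC, and the legacy properties the slide's last comment is about (SHA-1 MACs, 3DES, SSLv3-era suite names). The configuration text is a constructed copy of the slide's directives.

```python
import re
from dataclasses import dataclass, field

# Constructed copy of the IHS directives shown on the slide (comments kept).
SLIDE_CONFIG = """\
SSLEnable
SSLProtocolEnable TLS
SSLProtocolDisable SSLv2 SSLv3
# Disable SSLCompression -> CRIME attack
SSLCompression off
# Prefer ECDHE-RSA ciphers
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
# Enabling these 3 ciphers means an A- rating on ssllabs
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec ALL SSL_RSA_WITH_3DES_EDE_CBC_SHA
"""


@dataclass
class CipherFinding:
    name: str
    protocol: str            # the protocol argument the suite was enabled for
    forward_secrecy: bool    # ephemeral (EC)DH key exchange
    aead: bool               # GCM suites; CBC suites are not AEAD
    legacy: list = field(default_factory=list)


def classify(name: str, protocol: str) -> CipherFinding:
    """Derive the security-relevant properties from the IANA-style suite name."""
    finding = CipherFinding(name, protocol, forward_secrecy="DHE" in name, aead="GCM" in name)
    if "3DES" in name:
        finding.legacy.append("3DES (64-bit block cipher)")
    if re.search(r"_SHA$", name):
        finding.legacy.append("SHA-1 MAC")
    if name.startswith("SSL_"):
        finding.legacy.append("SSLv3-era suite name")
    return finding


def audit_ssl_config(config_text: str) -> dict:
    """Walk the directives in order and report what the final cipher list allows."""
    enabled = []
    compression_off = False
    disabled_protocols = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        parts = line.split()
        directive, args = parts[0], parts[1:]
        if directive == "SSLCipherSpec" and len(args) == 2:
            if args == ["ALL", "NONE"]:          # read as: clear the current list
                enabled.clear()
            else:
                enabled.append(classify(args[1], args[0]))
        elif directive == "SSLCompression" and args:
            compression_off = args[0].lower() == "off"
        elif directive == "SSLProtocolDisable":
            disabled_protocols.update(args)
    return {
        "ciphers": enabled,
        "no_forward_secrecy": [c.name for c in enabled if not c.forward_secrecy],
        "legacy": [c.name for c in enabled if c.legacy],
        "compression_off": compression_off,
        "sslv2_sslv3_disabled": {"SSLv2", "SSLv3"} <= disabled_protocols,
    }


if __name__ == "__main__":
    report = audit_ssl_config(SLIDE_CONFIG)
    print(f"{len(report['ciphers'])} suites enabled, SSLv2/v3 off: {report['sslv2_sslv3_disabled']}")
    for c in report["ciphers"]:
        flags = ["PFS" if c.forward_secrecy else "no-PFS", "AEAD" if c.aead else "CBC"] + c.legacy
        print(f"  {c.name:<40} {', '.join(flags)}")
```

Run against the slide's list, the report flags exactly the three suites under the A- comment as legacy, and also shows that seven of the eleven suites (every TLS_RSA_* and SSL_RSA_* entry) lack forward secrecy; the four ECDHE suites at the top are the ones a client that honours the server's order will normally get.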
  28. Headers (securityheaders.io). The grade was bad. After hardening the HTTP config to achieve Grade A:
     Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
     Header set Referrer-Policy "same-origin"
     Header set X-Content-Type-Options "nosniff"
     Header set X-XSS-Protection "1; mode=block"
     Header set X-Frame-Options "DENY"
     Header set X-Frame-Options SAMEORIGIN
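One detail worth checking in the list above: X-Frame-Options is set twice. IBM HTTP Server is built on Apache httpd, and a mod_headers "Header set" replaces any earlier value for the same name, so the value clients actually receive is the last one, SAMEORIGIN. The added example below (my code, not part of the presentation) resolves the directives the way mod_headers does, reports the overridden values, and audits the resulting header set along the lines of what securityheaders.io looks for; the directive text is a constructed copy of the slide's configuration, and the check list is my own (it also flags the missing Content-Security-Policy that the "Analyze CSP" link on the last slide points to).

```python
import re
import shlex

# Constructed copy of the slide's mod_headers directives (IHS follows Apache httpd semantics).
SLIDE_HEADER_CONFIG = """\
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set Referrer-Policy "same-origin"
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "DENY"
Header set X-Frame-Options SAMEORIGIN
"""

ONE_YEAR = 31536000   # seconds; the usual minimum HSTS max-age for a top grade


def effective_headers(config_text: str):
    """Resolve 'Header [always] set NAME VALUE' lines to the headers a client will see.

    Returns (headers, overridden): headers keyed by lower-cased name, and a list of
    (name, earlier_value, later_value) for every value a later 'set' replaced.
    """
    headers = {}
    overridden = []
    for raw in config_text.splitlines():
        parts = shlex.split(raw, comments=True)   # honours the quoting the config uses
        if len(parts) < 2 or parts[0] != "Header":
            continue
        args = parts[1:]
        if args[0] in ("always", "onsuccess"):    # optional condition keyword
            args = args[1:]
        if len(args) < 3 or args[0] != "set":      # add/append/unset/edit are out of scope here
            continue
        name, value = args[1], args[2]
        key = name.lower()
        if key in headers:
            overridden.append((name, headers[key], value))
        headers[key] = value                       # 'set' semantics: last one wins
    return headers, overridden


def audit_headers(headers: dict) -> list:
    """Return a list of findings for the effective header set (empty list = all checks pass)."""
    issues = []
    m = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
    if m is None:
        issues.append("no Strict-Transport-Security")
    elif int(m.group(1)) < ONE_YEAR:
        issues.append("HSTS max-age below one year")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        issues.append("X-Content-Type-Options is not nosniff")
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        issues.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if "referrer-policy" not in headers:
        issues.append("no Referrer-Policy")
    if "content-security-policy" not in headers:
        issues.append("no Content-Security-Policy")
    return issues


if __name__ == "__main__":
    resolved, replaced = effective_headers(SLIDE_HEADER_CONFIG)
    for name, old, new in replaced:
        print(f"{name}: '{old}' is overridden by '{new}'")
    for finding in audit_headers(resolved):
        print("finding:", finding)
```

Whether DENY or SAMEORIGIN is the right value depends on whether anything legitimately frames Connections pages; the point of the check is that only one of the two directives is in effect, so the intended one should be the one that remains.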
  29. The Mobile App
     Decompile: the Android app is decompilable; it was broken down to study the code.
     Test: tried every URL found in the code.
     Result: found no insecurities! But MITM attacks were possible!
  30. MITM (man-in-the-middle attack). An employee is out traveling and connects to a public network such as a hotel or airport WiFi, but instead connects to a hacker's WiFi hotspot. Then clicks on "Continue"… He/she gives the hacker running a MITM attack full visibility over the traffic.
  31. MITM (man-in-the-middle attack)
  32. MITM (man-in-the-middle attack). mobile-config.xml has the solution for the Connections app. Don't press "Continue"! Tell your admins to fix it.
  33. Demo time. The demo consisted of showing a MITM attack + a username/password "cluster bomb" attack using the free tool Burp Suite.
  34. Accident waiting to happen
  35. What did they find when they got in? Stolen laptop scenario
  36. Stolen laptop scenario
     • Not hard to find the password on the PC.
     • Once in, passwords to sites are normally stored in the browser.
     • Saved WiFi hotspots give hackers GPS coordinates => they can drive up alongside your company's building and connect.
     • Hackers found sensitive information open to all of the IBM Connections users.
     Don't expose login information to everyone!
  37. They hacked me! Or at least, they tried to…
  38. They hacked me!
     • They knew who I was.
     • Googled me, found my blog.
     • In one of the screenshots, a password was censored.
  39. They hacked me! I was a weak link… How hard is it for hackers to find IT staff at your company? LinkedIn search… Google search… Google is both your friend and your enemy.
     • Bad censoring!!
     • Found 6 out of 9 chars by matching font, size and studying the curves.
  40. Avoid stress
  41. • Mask/hide better!
     • Hackers are clever bastards.
     • Hackers have A LOT of free time.
     • Implement a 2-factor authentication mechanism, like Auth0.
     • Hide your stuff.
     • Once again: Hackers are clever bastards.
     • Lockout policy, i.e. 5 attempts => locked out… Hackers have tools for that!
     • Train your users!
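Slide 33's demo used a Burp Suite "cluster bomb" (many usernames combined with many passwords), and slide 41 notes that a 5-attempt lockout alone does not stop it, because each account can be kept under the threshold. The monitoring side is what a defender controls, so the added example below (my code, not from the presentation or from Auth0) runs a detector over constructed login-log lines: per source address it keeps a sliding window of failures, raises a password-spray alert when many distinct accounts fail while every one of them stays under the lockout threshold, and a brute-force alert when a single account crosses it. The log format, the thresholds and the addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<iso-utc> ip=<addr> user=<name> result=ok|fail"
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if m is None:
        return None                                   # unknown line shape, skip it
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"]


def detect(lines, window=timedelta(minutes=10), lockout_threshold=5, spray_users=8):
    """Return alerts for spray and brute-force patterns in chronological order."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(list)        # ip -> failed (ts, user) pairs inside the window
    alerts, seen = [], set()
    for ts, ip, user, result in events:
        if result != "fail":
            continue
        bucket = recent[ip]
        bucket.append((ts, user))
        while ts - bucket[0][0] > window:             # expire failures older than the window
            bucket.pop(0)
        per_user = Counter(u for _, u in bucket)
        # Spray: many accounts, each below the lockout threshold, from one source.
        if len(per_user) >= spray_users and max(per_user.values()) < lockout_threshold:
            key = (ip, "password-spray")
            if key not in seen:
                seen.add(key)
                alerts.append({"type": "password-spray", "ip": ip, "when": ts.isoformat(),
                               "distinct_users": len(per_user)})
        # Brute force: one account hammered past the threshold from one source.
        if per_user[user] >= lockout_threshold:
            key = (ip, "brute-force", user)
            if key not in seen:
                seen.add(key)
                alerts.append({"type": "brute-force", "ip": ip, "user": user,
                               "when": ts.isoformat(), "failures": per_user[user]})
    return alerts


def build_sample_log() -> list:
    """Constructed log: a normal user, a low-and-slow spray, and one classic brute force."""
    lines = [
        "2017-10-16T09:58:00Z ip=198.51.100.4 user=alice result=fail",   # two typos ...
        "2017-10-16T09:58:20Z ip=198.51.100.4 user=alice result=fail",
        "2017-10-16T09:58:40Z ip=198.51.100.4 user=alice result=ok",     # ... then success
    ]
    t = datetime(2017, 10, 16, 10, 0, 0)
    for _round in range(3):                           # 10 accounts x 3 guesses, all under 5
        for n in range(10):
            lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} ip=203.0.113.7 user=u{n:02d} result=fail")
            t += timedelta(seconds=4)
    t = datetime(2017, 10, 16, 10, 5, 0)
    for _ in range(6):                                # one account pushed past the lockout
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} ip=203.0.113.9 user=bob result=fail")
        t += timedelta(seconds=2)
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The spray rule fires on the eighth distinct account from 203.0.113.7 even though no account has more than one failure at that point, which is exactly the traffic a per-account lockout never sees; the normal user from 198.51.100.4 produces nothing. Thresholds are deliberately parameters, since the right values depend on the size of the user base and how the login page is fronted.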
  42.
  43. Useful links:
     Check SSL: https://ssllabs.com
     Check headers: https://securityheaders.io
     Analyze CSP: https://report-uri.io/home/analyse
     What can your browser support? http://caniuse.com/#search=referrer%20policy
     Auth0 multi-factor authentication: https://auth0.com/docs/multifactor-authentication
     Burp Suite: https://portswigger.net/burp
     Ethical Hacker Certification: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
     My blog: http://blog.robertfarstad.com
     Twitter: https://www.twitter.com/robertfarstad
     Item Consulting: https://www.item.no
  44. PLATINUM SPONSORS, GOLD SPONSORS, SILVER SPONSORS, BRONZE SPONSORS
