Social Connections 12, Vienna, October 16-17 2017
We hired hackers to hack us; a case study about cloud-based authentication and security in IBM Connections
This is the presentation I gave at Social Connections 12 in Vienna on 17 October 2017.

  • Comment: The section I talk about regarding tightening header security, setting "Header set X-Frame-Options SAMEORIGIN", might break your Sametime Awareness inside of IBM Connections. There is an X-Frame-Options value "Allow From", where you can set the Sametime Proxy's hostname to be allowed, but this one is not supported by Chrome. So, setting "Header set X-Frame-Options SAMEORIGIN" will work for IBM Connections and IBM Docs, but not if you have Sametime Proxy integration into Connections.

Social Connections 12. We hired hackers to hack us

  1. Vienna, October 16-17 2017. We hired hackers to hack us; a case study about cloud-based authentication and security in IBM Connections. Robert Farstad @robertfarstad
  2. Social Connections 11 Chicago, June 1-2 2017 / Social Connections 12 Vienna, October 16-17 2017. PLATINUM SPONSORS, GOLD SPONSORS, SILVER SPONSORS, BRONZE SPONSORS
  3. This session… is mainly for you tech-people, but very useful for everyone to see. Might be an eye-opener. No talk about:
       •  what IBM Connections is
       •  what IBM Cnx can give you
       •  no ROI talk whatsoever!
       •  how to use IBM Cnx!!
  4. This session… is a case study where I will show you:
       •  an integration with Auth0.
       •  how we hired hackers to hack us.
  5. Vienna, October 16-17 2017
  6. The customer
  7. The customer:
       •  Political party, won the 2017 election, second time in a row.
       •  Norway's Prime Minister is Høyre's leader.
       •  60.000 members
       •  Was a white-space customer.
       •  Now: Connections + Docs + Sametime
       •  IBM Reference Customer.
       •  Security is a priority, more and more.
       •  Election year = hacking attempts.
       •  We hacked them first!
  8. Auth0 - cloud based authentication. Høyre used Auth0 for all websites. The requirement for them to become a Connections customer was:
       •  Authentication integration with Auth0!
       •  => POC: Item Consulting developed a TAI mechanism towards Auth0.
  9. What is Auth0?
  10. Auth0 - cloud based authentication. You can connect any application:
       •  Custom credentials: username + password
       •  Social network logins: Google, Facebook, Twitter, and any OAuth2, OAuth1 or OpenID Connect provider.
       •  Enterprise directories: LDAP, Google Apps, Office 365, ADFS, AD, SAML-P, WS-Federation, etc.
       •  Passwordless systems: Touch ID, one-time codes via SMS or email.
       •  Supports several 2-factor solutions.
  11. Auth0 - cloud based authentication:
       •  JSON Web Token
       •  Secure API (TLS v1.2, AES_128_GCM, and ECDHE_RSA as the key exchange mechanism).
       •  Extensible admin tool.
       •  Monitoring (#logins, where from, who fails, hack attempts, alarms).
       •  Blocking
       •  Logs
       •  Synced with Høyre's back-end member system via MSSQL DB, securely!
  12. Auth0 - cloud based authentication
  13. Auth0 - cloud based authentication
  14. Auth0 + TAI:
       •  Item developed a WebSphere application.
       •  TAI – Trust Association Interceptor.
       •  => LTPA token after authentication.
       •  New Auth0 login page.
       •  Logout pages are modified: logs out of Auth0, logs out of WebSphere.
  15. Devices used. Login occurs from: browsers, apps, desktop plugins. Technically, the login procedures are quite different.
  16. Web-browsers
  17. Apps + Plugins
  18. Tivoli Directory Server - TDS
       ◘  FREE/bundled LDAP server for IBM Connections
       ◘  Standard setup between WebSphere and TDS
       ◘  Import of users via TDI/SDI to TDS, from an MSSQL database over site-to-site VPN.
       ◘  Imports only the most relevant fields: name, email, mobile, position, company, department
  19. Tivoli Directory Server – TDS + PTA
       ◘  Password field in TDS is blank!
       ◘  PTA is triggered. What is PTA? Pass Through Authentication.
       ◘  PTA is configured to search an alternative LDAP source.
       ◘  The password is stored in Auth0.
       ◘  Our PTA source is TDI / SDI.
       ◘  TDI calls the TAI application – gets response code 200 if OK => logged in.
  20. What is TDI/SDI?
       ◘  Tivoli Directory Integrator / Security Directory Integrator
       ◘  Data manipulation system, limitless possibilities.
       ◘  Eclipse based – JavaScript coding.
       ◘  Used to move, consolidate and manipulate data.
       ◘  Used in Connections for profile data import.
       ◘  Best tool ever, once you've learned the gist of the GUI and debugger.
  21. TDI – acting as an LDAP server.
       ◘  Simulates an LDAP server.
       ◘  Gets the attempted username and password from TDS PTA.
       ◘  Credentials => WebSphere Auth0login app.
       ◘  WAS app => REST lookup to the Auth0 API.
       ◘  Gets return code OK or NOT_OK.
       ◘  TDI receives the same code from the WAS app.
       ◘  TDS PTA receives the same code from TDI.
       ◘  TDI runs multiple instances – can handle a large load.
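The pass-through chain on slides 19 to 21 (TDS with a blank password field => PTA => TDI simulating an LDAP server => WebSphere Auth0login app => Auth0 REST lookup, each hop answering OK or NOT_OK) modelled in Python, as an added example that is not the presenter's, Item Consulting's or IBM's code. Auth0 is replaced by an in-memory stub, the directory is a dict, and every class and function name is an assumption. The one check worth taking from it is in `tdi_ldap_bind`: an LDAP bind with a DN and an empty password is an unauthenticated bind (RFC 4513, section 5.1.2), so a simulated LDAP server must answer NOT_OK before forwarding anything.

```python
"""Model of the pass-through authentication chain on slides 19 to 21.

Added example, not the presenter's, Item Consulting's or IBM's code. Auth0 is
replaced by an in-memory stub; all class and function names are assumptions.
"""
import hashlib
import hmac

OK, NOT_OK = "OK", "NOT_OK"


class Auth0Stub:
    """Stand-in for the Auth0 REST lookup (constructed, runs offline)."""

    def __init__(self, users):
        # Store salted hashes so the stub never keeps plaintext passwords.
        self._db = {u: self._digest(p) for u, p in users.items()}

    @staticmethod
    def _digest(password):
        return hashlib.sha256(b"demo-salt:" + password.encode()).hexdigest()

    def verify(self, username, password):
        """Return an HTTP-style status: 200 on a valid pair, 401 otherwise."""
        candidate = self._digest(password)
        # Unknown users compare against a dummy so both paths do the same work.
        stored = self._db.get(username, "0" * 64)
        return 200 if hmac.compare_digest(stored, candidate) else 401


def was_auth0login(auth0, username, password):
    """WAS app: REST lookup to Auth0, maps the status code to OK / NOT_OK."""
    return OK if auth0.verify(username, password) == 200 else NOT_OK


def tdi_ldap_bind(auth0, dn, password):
    """TDI acting as an LDAP server: receives the bind attempt from TDS PTA.

    A bind with a DN but an empty password is an unauthenticated bind
    (RFC 4513 section 5.1.2) and must never be reported as a successful login.
    """
    if not password:
        return NOT_OK
    rdn = dict(part.split("=", 1) for part in dn.split(","))
    username = rdn.get("uid")
    if not username:
        return NOT_OK
    return was_auth0login(auth0, username, password)


def tds_authenticate(auth0, directory, dn, password):
    """TDS: entry with a blank userPassword => PTA to the alternative source (TDI)."""
    entry = directory.get(dn)
    if entry is None:
        return NOT_OK
    if entry.get("userPassword"):
        # Local password present: PTA is not triggered (plain compare is a simplification).
        return OK if hmac.compare_digest(entry["userPassword"], password) else NOT_OK
    return tdi_ldap_bind(auth0, dn, password)


# Constructed sample data: Auth0 holds the password, TDS holds a blank field.
SAMPLE_AUTH0 = Auth0Stub({"alice": "correct-horse-battery"})
SAMPLE_TDS = {"uid=alice,ou=people,dc=example,dc=no": {"userPassword": ""}}


def run_scenarios():
    """Exercise the chain; returns the OK / NOT_OK result of each scenario."""
    dn = "uid=alice,ou=people,dc=example,dc=no"
    return {
        "good_password": tds_authenticate(SAMPLE_AUTH0, SAMPLE_TDS, dn, "correct-horse-battery"),
        "wrong_password": tds_authenticate(SAMPLE_AUTH0, SAMPLE_TDS, dn, "guess"),
        "empty_password": tds_authenticate(SAMPLE_AUTH0, SAMPLE_TDS, dn, ""),
        "unknown_dn": tds_authenticate(SAMPLE_AUTH0, SAMPLE_TDS, "uid=mallory,dc=example,dc=no", "x"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Running the module prints OK for the good password and NOT_OK for the other three scenarios; the empty-password case is the one a real TDI assembly line has to handle explicitly, because the upstream LDAP bind semantics would otherwise treat it as anonymous.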
  22. TDI – acting as an LDAP server. Simple code – extremely powerful!
  23. TDI – acting as an LDAP server.
  24. Did they get in? We hired hackers.
  25. What they tested: login attempts, SSL + headers, apps, stolen laptop, me!, sensitive information.
  26. SSL tests (www.ssllabs.com). The grade was bad. After hardening SSLCipherSuite and honorCipherOrder and disabling SSLv2 + v3: TLS only.
  27. SSL tests – HTTP config for grade A:
       SSLEnable
       SSLProtocolEnable TLS
       SSLProtocolDisable SSLv2 SSLv3
       # Disable SSLCompression -> CRIME ATTACK
       SSLCompression off
       # Prefer ECDHE-RSA ciphers
       SSLCipherSpec ALL NONE
       SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
       SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
       SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
       SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
       SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
       SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
       SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
       SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
       # Enabling these 3 ciphers means an A- rating on ssllabs
       SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
       SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA
       SSLCipherSpec ALL SSL_RSA_WITH_3DES_EDE_CBC_SHA
  28. Headers (securityheaders.io). The grade was bad. After hardening the HTTP config to achieve grade A:
       Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
       Header set Referrer-Policy "same-origin"
       Header set X-Content-Type-Options "nosniff"
       Header set X-XSS-Protection "1; mode=block"
       Header set X-Frame-Options "DENY"
       Header set X-Frame-Options SAMEORIGIN
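A small linter for the IBM HTTP Server (Apache-style) hardening on slides 27 and 28, as an added example and not part of the presentation. It parses the directives the slides use (`SSLProtocolDisable`, `SSLCompression`, `SSLCipherSpec`, `Header set`), flags the three cipher names the slide itself says cost the A- rating, checks the HSTS lifetime, and reports a header that is `Header set` twice, because in Apache-style config the last `set` replaces the earlier one (so the slide's DENY line is overridden by SAMEORIGIN). The sample config is a straight copy of the slide text; the weak-cipher patterns and required-header list are this example's own choices.

```python
"""Lint an IBM HTTP Server (Apache-style) config fragment for the TLS and
response-header hardening on slides 27 and 28.

Added example, not from the presentation. The directive names are the IHS/
Apache ones used on the slides; the weak-cipher patterns and required-header
list are this example's own judgement, and SLIDE_CONFIG copies the slide text.
"""
import re

# Cipher names the slide itself marks as dropping the grade to A-.
WEAK_CIPHER_PATTERNS = (r"3DES", r"_CBC_SHA$")
REQUIRED_HEADERS = {
    "Strict-Transport-Security": r"max-age=(\d+)",
    "X-Content-Type-Options": r"nosniff",
    "X-Frame-Options": r"DENY|SAMEORIGIN",
    "Referrer-Policy": r".+",
}
MIN_HSTS_AGE = 31536000  # one year, the value on the slide
HEADER_RE = re.compile(r'Header\s+(?:always\s+)?set\s+(\S+)\s+"?([^"]*)"?')


def lint_ihs_config(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    disabled, compression = set(), None
    ciphers, headers = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        key = parts[0]
        if key == "SSLProtocolDisable":
            disabled.update(parts[1:])
        elif key == "SSLCompression" and len(parts) > 1:
            compression = parts[1].lower()
        elif key == "SSLCipherSpec" and len(parts) >= 3:
            ciphers.append(parts[2])
        elif key == "Header" and "set" in parts[1:3]:
            m = HEADER_RE.match(line)
            if m:
                name, value = m.group(1), m.group(2)
                if name in headers:
                    findings.append(f"{name} is set twice; the last 'Header set' wins: {value!r}")
                headers[name] = value
    for proto in ("SSLv2", "SSLv3"):
        if proto not in disabled:
            findings.append(f"{proto} not explicitly disabled")
    if compression != "off":
        findings.append("SSLCompression is not off (CRIME)")
    for cipher in ciphers:
        if any(re.search(p, cipher) for p in WEAK_CIPHER_PATTERNS):
            findings.append(f"weak cipher enabled: {cipher}")
    for name, pattern in REQUIRED_HEADERS.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing header: {name}")
            continue
        m = re.search(pattern, value)
        if not m:
            findings.append(f"unexpected value for {name}: {value!r}")
        elif name == "Strict-Transport-Security" and int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age below {MIN_HSTS_AGE}")
    return findings


# Copy of the slide's config (comments reworded, quotes straightened).
SLIDE_CONFIG = """\
SSLEnable
SSLProtocolEnable TLS
SSLProtocolDisable SSLv2 SSLv3
# Disable SSLCompression -> CRIME ATTACK
SSLCompression off
# Prefer ECDHE-RSA ciphers
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
# Enabling these 3 ciphers means an A- rating on ssllabs
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec ALL SSL_RSA_WITH_3DES_EDE_CBC_SHA
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set Referrer-Policy "same-origin"
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "DENY"
Header set X-Frame-Options SAMEORIGIN
"""

if __name__ == "__main__":
    for finding in lint_ihs_config(SLIDE_CONFIG):
        print(finding)
```

Run against the slide's own config it reports four findings: the duplicated X-Frame-Options line and the three legacy ciphers the slide keeps for compatibility. The linter reads static config only; after a change, ssllabs.com and securityheaders.io (slide 43) remain the checks on what the server actually serves.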
  29. The Mobile App. Decompile: the Android app is decompilable and was broken down to study the code. Test: tried every URL found in the code. Result: found no security flaws, but MITM attacks were possible!
  30. MITM - Man-in-the-middle attack. An employee is out travelling and wants to connect to a public network such as a hotel or airport Wi-Fi, but instead connects to a hacker's Wi-Fi hotspot. Then clicks on "Continue"… He/she gives the hacker running a MITM attack full visibility over the traffic.
  31. MITM - Man-in-the-middle attack
  32. MITM - Man-in-the-middle attack. mobile-config.xml has the solution for the Connections app. Don't press "Continue"! Tell your admins to fix it.
  33. Demo time. The demo consisted of showing a MITM attack + a username/password "cluster bomb" attack using the free tool Burp Suite.
  34. Accident waiting to happen
  35. What did they find when they got in? Stolen laptop scenario.
  36. Stolen Laptop Scenario
       •  Not hard to find the password on a PC.
       •  Once in, passwords to sites are normally stored in the browser.
       •  Saved Wi-Fi hotspots give hackers GPS coordinates => they can drive up alongside your company's building and connect.
       •  Hackers found sensitive information open to all of the IBM Connections users. Don't expose login information to everyone!
  37. They hacked me! Or at least, they tried to…
  38. They hacked me!
       •  They knew who I was.
       •  Googled me, found my blog.
       •  In one of the screenshots, a password was censored.
  39. They hacked me! I was a weak link… How hard is it for hackers to find IT staff at your company? LinkedIn search… Google search… Google is both your friend and your enemy.
       •  Bad censoring!!
       •  Found 6 out of 9 chars by matching font and size and studying the curves.
  40. Avoid stress
  41. Lessons:
       •  Mask/hide better!
       •  Hackers are clever bastards.
       •  Hackers have A LOT of free time.
       •  Implement a 2-factor authentication mechanism, like Auth0's.
       •  Hide your stuff.
       •  Once again: hackers are clever bastards.
       •  Lockout policy – i.e. 5 attempts => locked out… Hackers have tools for that!
       •  Train your users!
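Slide 41's point that a "5 attempts => locked out" policy is something attackers have tools for, and slide 33's "cluster bomb" demo, both come down to the same detection gap: a per-user counter misses an attacker who rotates usernames and keeps every account under the threshold. The Python below, an added example that is not part of the presentation, runs a per-user lockout counter and a per-source spray check over constructed log lines. The lines use a simplified JSON shape loosely modelled on Auth0's `type: "f"` / `"s"` event codes, not its real schema; thresholds and the ten-minute window are this example's assumptions.

```python
"""Detection for the login-attempt patterns on slides 33 and 41: a per-user
lockout counter and a per-source spray check that catches a "cluster bomb"
kept under the per-user limit by rotating usernames.

Added example, not the presentation's code. The log lines are constructed
and use a simplified JSON shape; Auth0's real log schema is not reproduced.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5          # failures per user inside WINDOW (the slide's "5 attempts")
SPRAY_MIN_USERS = 3            # distinct users failing from one source inside WINDOW
WINDOW = timedelta(minutes=10)

# Constructed sample: bob is brute-forced from one address; a second address
# sprays two guesses each at alice, carol, dave and one at erin; alice then
# logs in normally from her own address (RFC 5737 documentation ranges).
SAMPLE_LOGS = [
    '{"date":"2017-10-17T09:00:00Z","type":"f","ip":"203.0.113.7","user_name":"bob"}',
    '{"date":"2017-10-17T09:00:20Z","type":"f","ip":"203.0.113.7","user_name":"bob"}',
    '{"date":"2017-10-17T09:00:40Z","type":"f","ip":"203.0.113.7","user_name":"bob"}',
    '{"date":"2017-10-17T09:01:00Z","type":"f","ip":"203.0.113.7","user_name":"bob"}',
    '{"date":"2017-10-17T09:01:20Z","type":"f","ip":"203.0.113.7","user_name":"bob"}',
    '{"date":"2017-10-17T09:05:00Z","type":"f","ip":"198.51.100.9","user_name":"alice"}',
    '{"date":"2017-10-17T09:05:30Z","type":"f","ip":"198.51.100.9","user_name":"alice"}',
    '{"date":"2017-10-17T09:06:00Z","type":"f","ip":"198.51.100.9","user_name":"carol"}',
    '{"date":"2017-10-17T09:06:30Z","type":"f","ip":"198.51.100.9","user_name":"carol"}',
    '{"date":"2017-10-17T09:07:00Z","type":"f","ip":"198.51.100.9","user_name":"dave"}',
    '{"date":"2017-10-17T09:07:30Z","type":"f","ip":"198.51.100.9","user_name":"dave"}',
    '{"date":"2017-10-17T09:08:00Z","type":"f","ip":"198.51.100.9","user_name":"erin"}',
    '{"date":"2017-10-17T09:10:00Z","type":"s","ip":"192.0.2.44","user_name":"alice"}',
]


def parse(lines):
    """Yield failed-login events as (timestamp, ip, user); type 'f' marks a failure."""
    for line in lines:
        rec = json.loads(line)
        if rec.get("type") != "f":
            continue
        ts = datetime.strptime(rec["date"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, rec["ip"], rec["user_name"]


def max_in_window(stamps):
    """Largest number of events that fall inside any WINDOW-long span."""
    stamps = sorted(stamps)
    best, start = 0, 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(lines):
    """Return alerts as (kind, subject) tuples: ('lockout', user) or ('spray', ip)."""
    per_user = defaultdict(list)
    per_ip = defaultdict(list)
    for ts, ip, user in parse(lines):
        per_user[user].append(ts)
        per_ip[ip].append((ts, user))
    alerts = []
    for user, stamps in per_user.items():
        if max_in_window(stamps) >= LOCKOUT_THRESHOLD:
            alerts.append(("lockout", user))
    for ip, events in per_ip.items():
        events.sort()
        # Distinct users failing from one source inside the window: the spray
        # signature that a per-user counter alone never reaches.
        for i, (start, _) in enumerate(events):
            users = {u for ts, u in events[i:] if ts - start <= WINDOW}
            if len(users) >= SPRAY_MIN_USERS:
                alerts.append(("spray", ip))
                break
    return alerts


if __name__ == "__main__":
    for kind, subject in detect(SAMPLE_LOGS):
        print(f"{kind}: {subject}")
```

On the sample, bob trips the lockout rule while no sprayed account exceeds two failures, so only the per-source rule catches 198.51.100.9; that is the case a lockout policy on its own does not cover, and where the monitoring and blocking features listed on slide 11 belong.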
  42. Social Connections 12 Vienna, October 16-17 2017
  43. Useful links:
       Check SSL: https://ssllabs.com
       Check Headers: https://securityheaders.io
       Analyze CSP: https://report-uri.io/home/analyse
       What can your browser support? http://caniuse.com/#search=referrer%20policy
       Auth0 multi-factor authentication: https://auth0.com/docs/multifactor-authentication
       Burp Suite: https://portswigger.net/burp
       Ethical Hacker Certification: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
       My blog: http://blog.robertfarstad.com
       Twitter: https://www.twitter.com/robertfarstad
       Item Consulting: https://www.item.no
  44. PLATINUM SPONSORS, GOLD SPONSORS, SILVER SPONSORS, BRONZE SPONSORS