SlideShare a Scribd company logo
Lessons from years of hacking
and defending
Vietnamese computer networks
Thái Dương, joint work with An Trịnh
Disclaimer
All hacks described in this talk were done with permission.
Many details are intentionally vague to protect the involved parties.
Opinions are our own.
whoami
● Product security/cryptography tech lead at Google
● Co-founder of popular cryptography projects Wycheproof and Tink
● Works featured on the NYTimes, BBC, taught at Stanford, MIT
● Notable awards and honors
○ 2010, 2011, 2012 - 1st place of Top 10 Web Hacking Techniques
○ 2011 - Winner of Pwnie Awards “Best Server-Side Bug”
○ 2017 - Winner of Google “Technical Infrastructure Awards”
○ 2020 - Winner of Google “Feats of Engineering Awards”
Agenda
Our adventures in hacking & defending Vietnamese banks
How banks got hacked & what you should do to avoid the same fate
Bonus: who are the hackers?
Why I started hacking Vietnamese banks
Case studies
Case study #1: mobile banking apps
All I had was a heavily obfuscated Android app.
It took me two weeks of very hard (yet exciting!) work to reverse engineer the app.
The result was terrifying: I could programmatically steal money from any accounts.
Did the bank care?
Yes. Security is front and center in the mind of bank executives and engineers.
Then... why did they get it wrong so badly?
“There are two ways of constructing a
software design: One way is to make
it so simple that there are obviously
no deficiencies, and the other way is
to make it so complicated that there
are no obvious deficiencies.”
Tony Hoare
Security through obscurity
The app was so heavily obfuscated that its obvious vulnerabilities were hiding in
plain sight for years.
Security through obscurity is not bad, but the bank relied on it as its sole defense.
Absence of security engineering
Security engineering is the art and science of balancing safety and usability.
The app, however, overdid security at the expense of usability and underdid
security at the expense of safety.
Root cause: Vietnam lacks people that can engineer security.
Một hệ thống an toàn là một hệ thống mở, ai cũng biết cách thức nó hoạt động, nhưng không ai
có thể phá vỡ nó. Nếu sự an toàn của hệ thống phụ thuộc vào giả định rằng không ai biết cách
nó hoạt động ra sao, không sớm thì muộn hệ thống đó sẽ bị tấn công. Tôi thấy sự an toàn của
<đã lược bỏ> phụ thuộc hoàn toàn vào việc giữ bí mật giao thức giữa app và máy chủ.
Đối với sản phẩm tài chính ngân hàng như <đã lược bỏ>, an toàn luôn được đặt lên hàng đầu.
Kiện toàn bảo mật cho một ứng dụng như thế này không quá khó, khó khăn nằm ở chỗ làm sao
cho an toàn mà lại không gây ảnh hưởng đến trải nghiệm của người sử dụng. Tôi thấy <đã
lược bỏ> chưa có sự cân bằng giữa an toàn và trải nghiệm người dùng.
Trích “Báo cáo kiểm tra bảo mật <đã đục bỏ>”
Case study #2: digital banking platform
Once again, I was only given a heavily obfuscated APK.
I wasn’t too excited, so reverse engineering went sluggish for months.
Then I teamed up with An Trịnh.
“Instead of reverse engineering, why don’t
we just hack [the bank] to steal their
source code?”
An Trịnh
“The attack surface is the vulnerability -
finding a bug there is just a detail.”
Mark Dowd
Infrastructure
DevOps
Backend
Apps
How we stole money from any accounts
Using a series of 0-day/N-day vulnerabilities, we compromised a test system and
obtained the source code of the digital banking servers.
We audited the code and found 3 different ways to, once again, programmatically
steal money from any accounts.
This is a recurring theme.
A fun vulnerability: predictable SMS OTP
The bank generated OTP using java.lang.Math.random() which calls java.util.Random.
But:
Result: given two consecutive OTPs, can predict the rest.
What went wrong?
The bank exposed a large attack surface with tons of outdated software.
Once we had a foothold within the bank’s network, the whole internal network was
wide open.
The digital banking platform was poorly software engineered.
What have we learned?
Lesson #1: Accept that prevention would eventually fail,
invest in detection and response
Security
D
e
t
e
c
t
i
o
n
Prevention
R
e
s
p
o
n
s
e
Lesson #2: Simulate APT regularly
Nothing makes people care more about security than witnessing the theft of
millions of dollars.
Lesson #3: Engineer away security issues
If your security team can’t code, you’re doing it wrong.
Security is an engineering discipline, solve it with technology, not regulations.
Security product != product security.
Lesson #4: Bundle security as a product feature
Product (in)security is a consequence of (bad) software engineering practices.
Only prisons need maximum security, what you need is usable security.
Lesson #5: Assume that your opponents know everything
When designing and evaluating the security of your system, assume that all
source code and documentation are publicly available.
Focus on insider threats.
“The enemy knows the system.”
Claude Shannon
Top things that help
Red teaming
Cloud, Cloud, Cloud
Two factor authentication for employees
Vulnerability management
SecDevOps
Centralized logging
Bug bounty
Trích Báo cáo “Làm an toàn thông tin cho doanh
nghiệp là làm gì?
Who are the attackers?
One more thing
Final thought
It never took us more than a few weeks to steal money from any networks that
we’ve engaged with.
We could have totally destroyed these banks or hospitals, and caused a
short-term collapse of the Vietnamese economy.
If such a small team like ours could do this, what could more resourceful
adversaries do?

More Related Content

What's hot

Scalability, Availability & Stability Patterns
Scalability, Availability & Stability PatternsScalability, Availability & Stability Patterns
Scalability, Availability & Stability Patterns
Jonas Bonér
 
Kafka: All an engineer needs to know
Kafka: All an engineer needs to knowKafka: All an engineer needs to know
Kafka: All an engineer needs to know
Thao Huynh Quang
 
Tiki.vn - How we scale as a tech startup
Tiki.vn - How we scale as a tech startupTiki.vn - How we scale as a tech startup
Tiki.vn - How we scale as a tech startup
Tung Ns
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
Design patterns for microservice architecture
Design patterns for microservice architectureDesign patterns for microservice architecture
Design patterns for microservice architecture
The Software House
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
Marco Balduzzi
 
NoSql Injection
NoSql InjectionNoSql Injection
NoSql Injection
NSConclave
 
Twitter의 snowflake 소개 및 활용
Twitter의 snowflake 소개 및 활용Twitter의 snowflake 소개 및 활용
Twitter의 snowflake 소개 및 활용
흥배 최
 
Grokking Techtalk #45: First Principles Thinking
Grokking Techtalk #45: First Principles ThinkingGrokking Techtalk #45: First Principles Thinking
Grokking Techtalk #45: First Principles Thinking
Grokking VN
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
Will Schroeder
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
Nutan Kumar Panda
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATION
Sylvain Martinez
 
How Uber scaled its Real Time Infrastructure to Trillion events per day
How Uber scaled its Real Time Infrastructure to Trillion events per dayHow Uber scaled its Real Time Infrastructure to Trillion events per day
How Uber scaled its Real Time Infrastructure to Trillion events per day
DataWorks Summit
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
야, 너두 짤수있어 - IaC Basic(210131 김성익)
야, 너두 짤수있어 - IaC Basic(210131 김성익)야, 너두 짤수있어 - IaC Basic(210131 김성익)
야, 너두 짤수있어 - IaC Basic(210131 김성익)
SeongIkKim2
 
LevelDB 간단한 소개
LevelDB 간단한 소개LevelDB 간단한 소개
LevelDB 간단한 소개종빈 오
 
NGINX: Basics and Best Practices
NGINX: Basics and Best PracticesNGINX: Basics and Best Practices
NGINX: Basics and Best Practices
NGINX, Inc.
 
Presto At Treasure Data
Presto At Treasure DataPresto At Treasure Data
Presto At Treasure Data
Taro L. Saito
 

What's hot (20)

Scalability, Availability & Stability Patterns
Scalability, Availability & Stability PatternsScalability, Availability & Stability Patterns
Scalability, Availability & Stability Patterns
 
Kafka: All an engineer needs to know
Kafka: All an engineer needs to knowKafka: All an engineer needs to know
Kafka: All an engineer needs to know
 
Tiki.vn - How we scale as a tech startup
Tiki.vn - How we scale as a tech startupTiki.vn - How we scale as a tech startup
Tiki.vn - How we scale as a tech startup
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
Design patterns for microservice architecture
Design patterns for microservice architectureDesign patterns for microservice architecture
Design patterns for microservice architecture
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
 
NoSql Injection
NoSql InjectionNoSql Injection
NoSql Injection
 
Twitter의 snowflake 소개 및 활용
Twitter의 snowflake 소개 및 활용Twitter의 snowflake 소개 및 활용
Twitter의 snowflake 소개 및 활용
 
Grokking Techtalk #45: First Principles Thinking
Grokking Techtalk #45: First Principles ThinkingGrokking Techtalk #45: First Principles Thinking
Grokking Techtalk #45: First Principles Thinking
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATION
 
How Uber scaled its Real Time Infrastructure to Trillion events per day
How Uber scaled its Real Time Infrastructure to Trillion events per dayHow Uber scaled its Real Time Infrastructure to Trillion events per day
How Uber scaled its Real Time Infrastructure to Trillion events per day
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
야, 너두 짤수있어 - IaC Basic(210131 김성익)
야, 너두 짤수있어 - IaC Basic(210131 김성익)야, 너두 짤수있어 - IaC Basic(210131 김성익)
야, 너두 짤수있어 - IaC Basic(210131 김성익)
 
LevelDB 간단한 소개
LevelDB 간단한 소개LevelDB 간단한 소개
LevelDB 간단한 소개
 
NGINX: Basics and Best Practices
NGINX: Basics and Best PracticesNGINX: Basics and Best Practices
NGINX: Basics and Best Practices
 
Presto At Treasure Data
Presto At Treasure DataPresto At Treasure Data
Presto At Treasure Data
 

Similar to Grokking Techtalk #46: Lessons from years hacking and defending Vietnamese banks

Damballa automated breach defense for sales
Damballa automated breach defense for salesDamballa automated breach defense for sales
Damballa automated breach defense for sales
labmentor
 
bctntlvn (24).pdf
bctntlvn (24).pdfbctntlvn (24).pdf
bctntlvn (24).pdfLuanvan84
 
Security Bootcamp 2013 mo hinh ung dung hoi chan ma doc truc tuyen trong ti...
Security Bootcamp 2013   mo hinh ung dung hoi chan ma doc truc tuyen trong ti...Security Bootcamp 2013   mo hinh ung dung hoi chan ma doc truc tuyen trong ti...
Security Bootcamp 2013 mo hinh ung dung hoi chan ma doc truc tuyen trong ti...Security Bootcamp
 
Security Bootcamp 2013 - Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...
Security Bootcamp 2013  -  Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...Security Bootcamp 2013  -  Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...
Security Bootcamp 2013 - Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...Security Bootcamp
 
Bao caothuctap
Bao caothuctapBao caothuctap
Bao caothuctapLong Prồ
 
Báo cáo thực tập - Lần 1 - Hoàng Thanh Quý
Báo cáo thực tập - Lần 1 - Hoàng Thanh QuýBáo cáo thực tập - Lần 1 - Hoàng Thanh Quý
Báo cáo thực tập - Lần 1 - Hoàng Thanh QuýQuý Đồng Nast
 
SYSTEM HACKING - TUẦN 2
SYSTEM HACKING - TUẦN 2SYSTEM HACKING - TUẦN 2
SYSTEM HACKING - TUẦN 2Con Ranh
 
SYSTEM HACKING - TUẦN 1
SYSTEM HACKING - TUẦN 1SYSTEM HACKING - TUẦN 1
SYSTEM HACKING - TUẦN 1
Con Ranh
 
Báo cáo lần 1
Báo cáo lần 1Báo cáo lần 1
Báo cáo lần 1
Anhh Hữu
 
Tổng kết Báo cáo thực tập Athena - Hoàng Thanh Quý
Tổng kết Báo cáo thực tập Athena - Hoàng Thanh QuýTổng kết Báo cáo thực tập Athena - Hoàng Thanh Quý
Tổng kết Báo cáo thực tập Athena - Hoàng Thanh QuýQuý Đồng Nast
 
Top kỹ năng quan trọng của chuyên gia an ninh mạng.pdf
Top kỹ năng quan trọng của chuyên gia an ninh mạng.pdfTop kỹ năng quan trọng của chuyên gia an ninh mạng.pdf
Top kỹ năng quan trọng của chuyên gia an ninh mạng.pdf
Growup Work
 
Vu tuananh
Vu tuananhVu tuananh
Vu tuananhVũ Anh
 
Vu tuananh
Vu tuananhVu tuananh
Vu tuananhVũ Anh
 
[ITAS.VN]Brochure_Services
[ITAS.VN]Brochure_Services[ITAS.VN]Brochure_Services
[ITAS.VN]Brochure_Services
ITAS VIETNAM
 
Tình hình ANTT ở Việt Nam - Lê Công Phú - CMC Infosec
Tình hình ANTT ở Việt Nam - Lê Công Phú - CMC InfosecTình hình ANTT ở Việt Nam - Lê Công Phú - CMC Infosec
Tình hình ANTT ở Việt Nam - Lê Công Phú - CMC Infosec
Security Bootcamp
 
Nghien cuu ma nguon mo openvpn
Nghien cuu ma nguon mo openvpnNghien cuu ma nguon mo openvpn
Nghien cuu ma nguon mo openvpn
peterh18
 
Thiet lap an toan mang isa cho mang doanh nghiep
Thiet lap an toan mang isa cho mang doanh nghiepThiet lap an toan mang isa cho mang doanh nghiep
Thiet lap an toan mang isa cho mang doanh nghiepFC Loveit
 
Bai bao cao 2
Bai bao cao 2Bai bao cao 2
Bai bao cao 2
tuankiet123
 
Bai bao cao 2
Bai bao cao 2Bai bao cao 2
Bai bao cao 2
tuankiet123
 
Security Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải Long
Security Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải LongSecurity Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải Long
Security Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải LongSecurity Bootcamp
 

Similar to Grokking Techtalk #46: Lessons from years hacking and defending Vietnamese banks (20)

Damballa automated breach defense for sales
Damballa automated breach defense for salesDamballa automated breach defense for sales
Damballa automated breach defense for sales
 
bctntlvn (24).pdf
bctntlvn (24).pdfbctntlvn (24).pdf
bctntlvn (24).pdf
 
Security Bootcamp 2013 mo hinh ung dung hoi chan ma doc truc tuyen trong ti...
Security Bootcamp 2013   mo hinh ung dung hoi chan ma doc truc tuyen trong ti...Security Bootcamp 2013   mo hinh ung dung hoi chan ma doc truc tuyen trong ti...
Security Bootcamp 2013 mo hinh ung dung hoi chan ma doc truc tuyen trong ti...
 
Security Bootcamp 2013 - Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...
Security Bootcamp 2013  -  Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...Security Bootcamp 2013  -  Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...
Security Bootcamp 2013 - Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...
 
Bao caothuctap
Bao caothuctapBao caothuctap
Bao caothuctap
 
Báo cáo thực tập - Lần 1 - Hoàng Thanh Quý
Báo cáo thực tập - Lần 1 - Hoàng Thanh QuýBáo cáo thực tập - Lần 1 - Hoàng Thanh Quý
Báo cáo thực tập - Lần 1 - Hoàng Thanh Quý
 
SYSTEM HACKING - TUẦN 2
SYSTEM HACKING - TUẦN 2SYSTEM HACKING - TUẦN 2
SYSTEM HACKING - TUẦN 2
 
SYSTEM HACKING - TUẦN 1
SYSTEM HACKING - TUẦN 1SYSTEM HACKING - TUẦN 1
SYSTEM HACKING - TUẦN 1
 
Báo cáo lần 1
Báo cáo lần 1Báo cáo lần 1
Báo cáo lần 1
 
Tổng kết Báo cáo thực tập Athena - Hoàng Thanh Quý
Tổng kết Báo cáo thực tập Athena - Hoàng Thanh QuýTổng kết Báo cáo thực tập Athena - Hoàng Thanh Quý
Tổng kết Báo cáo thực tập Athena - Hoàng Thanh Quý
 
Top kỹ năng quan trọng của chuyên gia an ninh mạng.pdf
Top kỹ năng quan trọng của chuyên gia an ninh mạng.pdfTop kỹ năng quan trọng của chuyên gia an ninh mạng.pdf
Top kỹ năng quan trọng của chuyên gia an ninh mạng.pdf
 
Vu tuananh
Vu tuananhVu tuananh
Vu tuananh
 
Vu tuananh
Vu tuananhVu tuananh
Vu tuananh
 
[ITAS.VN]Brochure_Services
[ITAS.VN]Brochure_Services[ITAS.VN]Brochure_Services
[ITAS.VN]Brochure_Services
 
Tình hình ANTT ở Việt Nam - Lê Công Phú - CMC Infosec
Tình hình ANTT ở Việt Nam - Lê Công Phú - CMC InfosecTình hình ANTT ở Việt Nam - Lê Công Phú - CMC Infosec
Tình hình ANTT ở Việt Nam - Lê Công Phú - CMC Infosec
 
Nghien cuu ma nguon mo openvpn
Nghien cuu ma nguon mo openvpnNghien cuu ma nguon mo openvpn
Nghien cuu ma nguon mo openvpn
 
Thiet lap an toan mang isa cho mang doanh nghiep
Thiet lap an toan mang isa cho mang doanh nghiepThiet lap an toan mang isa cho mang doanh nghiep
Thiet lap an toan mang isa cho mang doanh nghiep
 
Bai bao cao 2
Bai bao cao 2Bai bao cao 2
Bai bao cao 2
 
Bai bao cao 2
Bai bao cao 2Bai bao cao 2
Bai bao cao 2
 
Security Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải Long
Security Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải LongSecurity Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải Long
Security Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải Long
 

More from Grokking VN

Grokking Techtalk #42: Engineering challenges on building data platform for M...
Grokking Techtalk #42: Engineering challenges on building data platform for M...Grokking Techtalk #42: Engineering challenges on building data platform for M...
Grokking Techtalk #42: Engineering challenges on building data platform for M...
Grokking VN
 
Grokking Techtalk #43: Payment gateway demystified
Grokking Techtalk #43: Payment gateway demystifiedGrokking Techtalk #43: Payment gateway demystified
Grokking Techtalk #43: Payment gateway demystified
Grokking VN
 
Grokking Techtalk #40: Consistency and Availability tradeoff in database cluster
Grokking Techtalk #40: Consistency and Availability tradeoff in database clusterGrokking Techtalk #40: Consistency and Availability tradeoff in database cluster
Grokking Techtalk #40: Consistency and Availability tradeoff in database cluster
Grokking VN
 
Grokking Techtalk #40: AWS’s philosophy on designing MLOps platform
Grokking Techtalk #40: AWS’s philosophy on designing MLOps platformGrokking Techtalk #40: AWS’s philosophy on designing MLOps platform
Grokking Techtalk #40: AWS’s philosophy on designing MLOps platform
Grokking VN
 
Grokking Techtalk #39: Gossip protocol and applications
Grokking Techtalk #39: Gossip protocol and applicationsGrokking Techtalk #39: Gossip protocol and applications
Grokking Techtalk #39: Gossip protocol and applications
Grokking VN
 
Grokking Techtalk #39: How to build an event driven architecture with Kafka ...
 Grokking Techtalk #39: How to build an event driven architecture with Kafka ... Grokking Techtalk #39: How to build an event driven architecture with Kafka ...
Grokking Techtalk #39: How to build an event driven architecture with Kafka ...
Grokking VN
 
Grokking Techtalk #38: Escape Analysis in Go compiler
 Grokking Techtalk #38: Escape Analysis in Go compiler Grokking Techtalk #38: Escape Analysis in Go compiler
Grokking Techtalk #38: Escape Analysis in Go compiler
Grokking VN
 
Grokking Techtalk #37: Software design and refactoring
 Grokking Techtalk #37: Software design and refactoring Grokking Techtalk #37: Software design and refactoring
Grokking Techtalk #37: Software design and refactoring
Grokking VN
 
Grokking TechTalk #35: Efficient spellchecking
Grokking TechTalk #35: Efficient spellcheckingGrokking TechTalk #35: Efficient spellchecking
Grokking TechTalk #35: Efficient spellchecking
Grokking VN
 
Grokking Techtalk #34: K8S On-premise: Incident & Lesson Learned ZaloPay Mer...
 Grokking Techtalk #34: K8S On-premise: Incident & Lesson Learned ZaloPay Mer... Grokking Techtalk #34: K8S On-premise: Incident & Lesson Learned ZaloPay Mer...
Grokking Techtalk #34: K8S On-premise: Incident & Lesson Learned ZaloPay Mer...
Grokking VN
 
Grokking TechTalk #33: High Concurrency Architecture at TIKI
Grokking TechTalk #33: High Concurrency Architecture at TIKIGrokking TechTalk #33: High Concurrency Architecture at TIKI
Grokking TechTalk #33: High Concurrency Architecture at TIKI
Grokking VN
 
Grokking TechTalk #33: Architecture of AI-First Systems - Engineering for Big...
Grokking TechTalk #33: Architecture of AI-First Systems - Engineering for Big...Grokking TechTalk #33: Architecture of AI-First Systems - Engineering for Big...
Grokking TechTalk #33: Architecture of AI-First Systems - Engineering for Big...
Grokking VN
 
SOLID & Design Patterns
SOLID & Design PatternsSOLID & Design Patterns
SOLID & Design Patterns
Grokking VN
 
Grokking TechTalk #31: Asynchronous Communications
Grokking TechTalk #31: Asynchronous CommunicationsGrokking TechTalk #31: Asynchronous Communications
Grokking TechTalk #31: Asynchronous Communications
Grokking VN
 
Grokking TechTalk #30: From App to Ecosystem: Lessons Learned at Scale
Grokking TechTalk #30: From App to Ecosystem: Lessons Learned at ScaleGrokking TechTalk #30: From App to Ecosystem: Lessons Learned at Scale
Grokking TechTalk #30: From App to Ecosystem: Lessons Learned at Scale
Grokking VN
 
Grokking TechTalk #29: Building Realtime Metrics Platform at LinkedIn
Grokking TechTalk #29: Building Realtime Metrics Platform at LinkedInGrokking TechTalk #29: Building Realtime Metrics Platform at LinkedIn
Grokking TechTalk #29: Building Realtime Metrics Platform at LinkedIn
Grokking VN
 
Grokking TechTalk #27: Optimal Binary Search Tree
Grokking TechTalk #27: Optimal Binary Search TreeGrokking TechTalk #27: Optimal Binary Search Tree
Grokking TechTalk #27: Optimal Binary Search Tree
Grokking VN
 
Grokking TechTalk #26: Kotlin, Understand the Magic
Grokking TechTalk #26: Kotlin, Understand the MagicGrokking TechTalk #26: Kotlin, Understand the Magic
Grokking TechTalk #26: Kotlin, Understand the Magic
Grokking VN
 
Grokking TechTalk #26: Compare ios and android platform
Grokking TechTalk #26: Compare ios and android platformGrokking TechTalk #26: Compare ios and android platform
Grokking TechTalk #26: Compare ios and android platform
Grokking VN
 
Grokking TechTalk #24: Thiết kế hệ thống Background Job Queue bằng Ruby & Pos...
Grokking TechTalk #24: Thiết kế hệ thống Background Job Queue bằng Ruby & Pos...Grokking TechTalk #24: Thiết kế hệ thống Background Job Queue bằng Ruby & Pos...
Grokking TechTalk #24: Thiết kế hệ thống Background Job Queue bằng Ruby & Pos...
Grokking VN
 

More from Grokking VN (20)

Grokking Techtalk #42: Engineering challenges on building data platform for M...
Grokking Techtalk #42: Engineering challenges on building data platform for M...Grokking Techtalk #42: Engineering challenges on building data platform for M...
Grokking Techtalk #42: Engineering challenges on building data platform for M...
 
Grokking Techtalk #43: Payment gateway demystified
Grokking Techtalk #43: Payment gateway demystifiedGrokking Techtalk #43: Payment gateway demystified
Grokking Techtalk #43: Payment gateway demystified
 
Grokking Techtalk #40: Consistency and Availability tradeoff in database cluster
Grokking Techtalk #40: Consistency and Availability tradeoff in database clusterGrokking Techtalk #40: Consistency and Availability tradeoff in database cluster
Grokking Techtalk #40: Consistency and Availability tradeoff in database cluster
 
Grokking Techtalk #40: AWS’s philosophy on designing MLOps platform
Grokking Techtalk #40: AWS’s philosophy on designing MLOps platformGrokking Techtalk #40: AWS’s philosophy on designing MLOps platform
Grokking Techtalk #40: AWS’s philosophy on designing MLOps platform
 
Grokking Techtalk #39: Gossip protocol and applications
Grokking Techtalk #39: Gossip protocol and applicationsGrokking Techtalk #39: Gossip protocol and applications
Grokking Techtalk #39: Gossip protocol and applications
 
Grokking Techtalk #39: How to build an event driven architecture with Kafka ...
 Grokking Techtalk #39: How to build an event driven architecture with Kafka ... Grokking Techtalk #39: How to build an event driven architecture with Kafka ...
Grokking Techtalk #39: How to build an event driven architecture with Kafka ...
 
Grokking Techtalk #38: Escape Analysis in Go compiler
 Grokking Techtalk #38: Escape Analysis in Go compiler Grokking Techtalk #38: Escape Analysis in Go compiler
Grokking Techtalk #38: Escape Analysis in Go compiler
 
Grokking Techtalk #37: Software design and refactoring
 Grokking Techtalk #37: Software design and refactoring Grokking Techtalk #37: Software design and refactoring
Grokking Techtalk #37: Software design and refactoring
 
Grokking TechTalk #35: Efficient spellchecking
Grokking TechTalk #35: Efficient spellcheckingGrokking TechTalk #35: Efficient spellchecking
Grokking TechTalk #35: Efficient spellchecking
 
Grokking Techtalk #34: K8S On-premise: Incident & Lesson Learned ZaloPay Mer...
 Grokking Techtalk #34: K8S On-premise: Incident & Lesson Learned ZaloPay Mer... Grokking Techtalk #34: K8S On-premise: Incident & Lesson Learned ZaloPay Mer...
Grokking Techtalk #34: K8S On-premise: Incident & Lesson Learned ZaloPay Mer...
 
Grokking TechTalk #33: High Concurrency Architecture at TIKI
Grokking TechTalk #33: High Concurrency Architecture at TIKIGrokking TechTalk #33: High Concurrency Architecture at TIKI
Grokking TechTalk #33: High Concurrency Architecture at TIKI
 
Grokking TechTalk #33: Architecture of AI-First Systems - Engineering for Big...
Grokking TechTalk #33: Architecture of AI-First Systems - Engineering for Big...Grokking TechTalk #33: Architecture of AI-First Systems - Engineering for Big...
Grokking TechTalk #33: Architecture of AI-First Systems - Engineering for Big...
 
SOLID & Design Patterns
SOLID & Design PatternsSOLID & Design Patterns
SOLID & Design Patterns
 
Grokking TechTalk #31: Asynchronous Communications
Grokking TechTalk #31: Asynchronous CommunicationsGrokking TechTalk #31: Asynchronous Communications
Grokking TechTalk #31: Asynchronous Communications
 
Grokking TechTalk #30: From App to Ecosystem: Lessons Learned at Scale
Grokking TechTalk #30: From App to Ecosystem: Lessons Learned at ScaleGrokking TechTalk #30: From App to Ecosystem: Lessons Learned at Scale
Grokking TechTalk #30: From App to Ecosystem: Lessons Learned at Scale
 
Grokking TechTalk #29: Building Realtime Metrics Platform at LinkedIn
Grokking TechTalk #29: Building Realtime Metrics Platform at LinkedInGrokking TechTalk #29: Building Realtime Metrics Platform at LinkedIn
Grokking TechTalk #29: Building Realtime Metrics Platform at LinkedIn
 
Grokking TechTalk #27: Optimal Binary Search Tree
Grokking TechTalk #27: Optimal Binary Search TreeGrokking TechTalk #27: Optimal Binary Search Tree
Grokking TechTalk #27: Optimal Binary Search Tree
 
Grokking TechTalk #26: Kotlin, Understand the Magic
Grokking TechTalk #26: Kotlin, Understand the MagicGrokking TechTalk #26: Kotlin, Understand the Magic
Grokking TechTalk #26: Kotlin, Understand the Magic
 
Grokking TechTalk #26: Compare ios and android platform
Grokking TechTalk #26: Compare ios and android platformGrokking TechTalk #26: Compare ios and android platform
Grokking TechTalk #26: Compare ios and android platform
 
Grokking TechTalk #24: Thiết kế hệ thống Background Job Queue bằng Ruby & Pos...
Grokking TechTalk #24: Thiết kế hệ thống Background Job Queue bằng Ruby & Pos...Grokking TechTalk #24: Thiết kế hệ thống Background Job Queue bằng Ruby & Pos...
Grokking TechTalk #24: Thiết kế hệ thống Background Job Queue bằng Ruby & Pos...
 

Grokking Techtalk #46: Lessons from years hacking and defending Vietnamese banks

  • 1. Lessons from years of hacking and defending Vietnamese computer networks Thái Dương, joint work with An Trịnh
  • 2. Disclaimer All hacks described in this talk were done with permission. Many details are intentionally vague to protect the involved parties. Opinions are our own.
  • 3. whoami ● Product security/cryptography tech lead at Google ● Co-founder of popular cryptography projects Wycheproof and Tink ● Works featured on the NYTimes, BBC, taught at Stanford, MIT ● Notable awards and honors ○ 2010, 2011, 2012 - 1st place of Top 10 Web Hacking Techniques ○ 2011 - Winner of Pwnie Awards “Best Server-Side Bug” ○ 2017 - Winner of Google “Technical Infrastructure Awards” ○ 2020 - Winner of Google “Feats of Engineering Awards”
  • 4. Agenda Our adventures in hacking & defending Vietnamese banks How banks got hacked & what you should do to avoid the same fate Bonus: who are the hackers?
  • 5. Why I started hacking Vietnamese banks
  • 7. Case study #1: mobile banking apps All I had was a heavily obfuscated Android app. It took me two weeks of very hard (yet exciting!) work to reverse engineer the app. The result was terrifying: I could programmatically steal money from any accounts.
  • 8. Did the bank care? Yes. Security is front and center in the mind of bank executives and engineers. Then... why did they get it wrong so badly?
  • 9. “There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies.” Tony Hoare
  • 10. Security through obscurity The app was so heavily obfuscated that its obvious vulnerabilities were hiding in plain sight for years. Security through obscurity is not bad, but the bank relied on it as its sole defense.
  • 11. Absence of security engineering Security engineering is the art and science of balancing safety and usability. The app, however, overdid security at the expense of usability and underdid security at the expense of safety. Root cause: Vietnam lacks people that can engineer security.
  • 12. Một hệ thống an toàn là một hệ thống mở, ai cũng biết cách thức nó hoạt động, nhưng không ai có thể phá vỡ nó. Nếu sự an toàn của hệ thống phụ thuộc vào giả định rằng không ai biết cách nó hoạt động ra sao, không sớm thì muộn hệ thống đó sẽ bị tấn công. Tôi thấy sự an toàn của <đã lược bỏ> phụ thuộc hoàn toàn vào việc giữ bí mật giao thức giữa app và máy chủ. Đối với sản phẩm tài chính ngân hàng như <đã lược bỏ>, an toàn luôn được đặt lên hàng đầu. Kiện toàn bảo mật cho một ứng dụng như thế này không quá khó, khó khăn nằm ở chỗ làm sao cho an toàn mà lại không gây ảnh hưởng đến trải nghiệm của người sử dụng. Tôi thấy <đã lược bỏ> chưa có sự cân bằng giữa an toàn và trải nghiệm người dùng. Trích “Báo cáo kiểm tra bảo mật <đã đục bỏ>”
  • 13. Case study #2: digital banking platform Once again, I was only given a heavily obfuscated APK. I wasn’t too excited, so reverse engineering went sluggish for months. Then I teamed up with An Trịnh.
  • 14. “Instead of reverse engineering, why don’t we just hack [the bank] to steal their source code?” An Trịnh
  • 15. “The attack surface is the vulnerability - finding a bug there is just a detail.” Mark Dowd Infrastructure DevOps Backend Apps
  • 16. How we stole money from any accounts Using a series of 0-day/N-day vulnerabilities, we compromised a test system and obtained the source code of the digital banking servers. We audited the code and found 3 different ways to, once again, programmatically steal money from any accounts. This is a recurring theme.
  • 17. A fun vulnerability: predictable SMS OTP The bank generated OTP using java.lang.Math.random() which calls java.util.Random. But: Result: given two consecutive OTPs, can predict the rest.
  • 18. What went wrong? The bank exposed a large attack surface with tons of outdated software. Once we had a foothold within the bank’s network, the whole internal network was wide open. The digital banking platform was poorly software engineered.
  • 19. What have we learned?
  • 20. Lesson #1: Accept that prevention would eventually fail, invest in detection and response Security D e t e c t i o n Prevention R e s p o n s e
  • 21. Lesson #2: Simulate APT regularly Nothing makes people care more about security than witnessing the theft of millions of dollars.
  • 22. Lesson #3: Engineer away security issues If your security team can’t code, you’re doing it wrong. Security is an engineering discipline, solve it with technology, not regulations. Security product != product security.
  • 23. Lesson #4: Bundle security as a product feature Product (in)security is a consequence of (bad) software engineering practices. Only prisons need maximum security, what you need is usable security.
  • 24. Lesson #5: Assume that your opponents know everything When designing and evaluating the security of your system, assume that all source code and documentation are publicly available. Focus on insider threats.
  • 25. “The enemy knows the system.” Claude Shannon
  • 26. Top things that help Red teaming Cloud, Cloud, Cloud Two factor authentication for employees Vulnerability management SecDevOps Centralized logging Bug bounty Trích Báo cáo “Làm an toàn thông tin cho doanh nghiệp là làm gì?
  • 27. Who are the attackers?
  • 28.
  • 29.
  • 30.
  • 32. Final thought It never took us more than a few weeks to steal money from any networks that we’ve engaged with. We could have totally destroyed these banks or hospitals, and caused a short-term collapse of the Vietnamese economy. If such a small team like ours could do this, what could more resourceful adversaries do?