SlideShare a Scribd company logo
Lessons from years of hacking
and defending
Vietnamese computer networks
Thái Dương, joint work with An Trịnh
Disclaimer
All hacks described in this talk were done with permission.
Many details are intentionally vague to protect the involved parties.
Opinions are our own.
whoami
● Product security/cryptography tech lead at Google
● Co-founder of popular cryptography projects Wycheproof and Tink
● Works featured on the NYTimes, BBC, taught at Stanford, MIT
● Notable awards and honors
○ 2010, 2011, 2012 - 1st place of Top 10 Web Hacking Techniques
○ 2011 - Winner of Pwnie Awards “Best Server-Side Bug”
○ 2017 - Winner of Google “Technical Infrastructure Awards”
○ 2020 - Winner of Google “Feats of Engineering Awards”
Agenda
Our adventures in hacking & defending Vietnamese banks
How banks got hacked & what you should do to avoid the same fate
Bonus: who are the hackers?
Why I started hacking Vietnamese banks
Case studies
Case study #1: mobile banking apps
All I had was a heavily obfuscated Android app.
It took me two weeks of very hard (yet exciting!) work to reverse engineer the app.
The result was terrifying: I could programmatically steal money from any accounts.
Did the bank care?
Yes. Security is front and center in the mind of bank executives and engineers.
Then... why did they get it wrong so badly?
“There are two ways of constructing a
software design: One way is to make
it so simple that there are obviously
no deficiencies, and the other way is
to make it so complicated that there
are no obvious deficiencies.”
Tony Hoare
Security through obscurity
The app was so heavily obfuscated that its obvious vulnerabilities were hiding in
plain sight for years.
Security through obscurity is not bad, but the bank relied on it as its sole defense.
Absence of security engineering
Security engineering is the art and science of balancing safety and usability.
The app, however, overdid security at the expense of usability and underdid
security at the expense of safety.
Root cause: Vietnam lacks people that can engineer security.
Một hệ thống an toàn là một hệ thống mở, ai cũng biết cách thức nó hoạt động, nhưng không ai
có thể phá vỡ nó. Nếu sự an toàn của hệ thống phụ thuộc vào giả định rằng không ai biết cách
nó hoạt động ra sao, không sớm thì muộn hệ thống đó sẽ bị tấn công. Tôi thấy sự an toàn của
<đã lược bỏ> phụ thuộc hoàn toàn vào việc giữ bí mật giao thức giữa app và máy chủ.
Đối với sản phẩm tài chính ngân hàng như <đã lược bỏ>, an toàn luôn được đặt lên hàng đầu.
Kiện toàn bảo mật cho một ứng dụng như thế này không quá khó, khó khăn nằm ở chỗ làm sao
cho an toàn mà lại không gây ảnh hưởng đến trải nghiệm của người sử dụng. Tôi thấy <đã
lược bỏ> chưa có sự cân bằng giữa an toàn và trải nghiệm người dùng.
Trích “Báo cáo kiểm tra bảo mật <đã đục bỏ>”
Case study #2: digital banking platform
Once again, I was only given a heavily obfuscated APK.
I wasn’t too excited, so reverse engineering went sluggish for months.
Then I teamed up with An Trịnh.
“Instead of reverse engineering, why don’t
we just hack [the bank] to steal their
source code?”
An Trịnh
“The attack surface is the vulnerability -
finding a bug there is just a detail.”
Mark Dowd
Infrastructure
DevOps
Backend
Apps
How we stole money from any accounts
Using a series of 0-day/N-day vulnerabilities, we compromised a test system and
obtained the source code of the digital banking servers.
We audited the code and found 3 different ways to, once again, programmatically
steal money from any accounts.
This is a recurring theme.
A fun vulnerability: predictable SMS OTP
The bank generated OTP using java.lang.Math.random() which calls java.util.Random.
But:
Result: given two consecutive OTPs, can predict the rest.
What went wrong?
The bank exposed a large attack surface with tons of outdated software.
Once we had a foothold within the bank’s network, the whole internal network was
wide open.
The digital banking platform was poorly software engineered.
What have we learned?
Lesson #1: Accept that prevention would eventually fail,
invest in detection and response
Security
D
e
t
e
c
t
i
o
n
Prevention
R
e
s
p
o
n
s
e
Lesson #2: Simulate APT regularly
Nothing makes people care more about security than witnessing the theft of
millions of dollars.
Lesson #3: Engineer away security issues
If your security team can’t code, you’re doing it wrong.
Security is an engineering discipline, solve it with technology, not regulations.
Security product != product security.
Lesson #4: Bundle security as a product feature
Product (in)security is a consequence of (bad) software engineering practices.
Only prisons need maximum security, what you need is usable security.
Lesson #5: Assume that your opponents know everything
When designing and evaluating the security of your system, assume that all
source code and documentation are publicly available.
Focus on insider threats.
“The enemy knows the system.”
Claude Shannon
Top things that help
Red teaming
Cloud, Cloud, Cloud
Two factor authentication for employees
Vulnerability management
SecDevOps
Centralized logging
Bug bounty
Trích Báo cáo “Làm an toàn thông tin cho doanh
nghiệp là làm gì?
Who are the attackers?
One more thing
Final thought
It never took us more than a few weeks to steal money from any networks that
we’ve engaged with.
We could have totally destroyed these banks or hospitals, and caused a
short-term collapse of the Vietnamese economy.
If such a small team like ours could do this, what could more resourceful
adversaries do?

More Related Content

What's hot

What's hot (20)

Grokking TechTalk #33: High Concurrency Architecture at TIKI
Grokking TechTalk #33: High Concurrency Architecture at TIKIGrokking TechTalk #33: High Concurrency Architecture at TIKI
Grokking TechTalk #33: High Concurrency Architecture at TIKI
 
Grokking Techtalk #39: How to build an event driven architecture with Kafka ...
 Grokking Techtalk #39: How to build an event driven architecture with Kafka ... Grokking Techtalk #39: How to build an event driven architecture with Kafka ...
Grokking Techtalk #39: How to build an event driven architecture with Kafka ...
 
Toi uu hoa he thong 30 trieu nguoi dung
Toi uu hoa he thong 30 trieu nguoi dungToi uu hoa he thong 30 trieu nguoi dung
Toi uu hoa he thong 30 trieu nguoi dung
 
Drone CI/CD 自動化測試及部署
Drone CI/CD 自動化測試及部署Drone CI/CD 自動化測試及部署
Drone CI/CD 自動化測試及部署
 
The Patterns of Distributed Logging and Containers
The Patterns of Distributed Logging and ContainersThe Patterns of Distributed Logging and Containers
The Patterns of Distributed Logging and Containers
 
Mobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim DökümanıMobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim Dökümanı
 
Empowering red and blue teams with osint c0c0n 2017
Empowering red and blue teams with osint   c0c0n 2017Empowering red and blue teams with osint   c0c0n 2017
Empowering red and blue teams with osint c0c0n 2017
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines
 
webservice scaling for newbie
webservice scaling for newbiewebservice scaling for newbie
webservice scaling for newbie
 
Blockchain Consensus Protocols
Blockchain Consensus ProtocolsBlockchain Consensus Protocols
Blockchain Consensus Protocols
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Smart contracts using web3.js
Smart contracts using web3.jsSmart contracts using web3.js
Smart contracts using web3.js
 
Write microservice in golang
Write microservice in golangWrite microservice in golang
Write microservice in golang
 
20180711 Metamask
20180711 Metamask 20180711 Metamask
20180711 Metamask
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
 
웹서버 부하테스트 실전 노하우
웹서버 부하테스트 실전 노하우웹서버 부하테스트 실전 노하우
웹서버 부하테스트 실전 노하우
 
Kubernetes Networking - Sreenivas Makam - Google - CC18
Kubernetes Networking - Sreenivas Makam - Google - CC18Kubernetes Networking - Sreenivas Makam - Google - CC18
Kubernetes Networking - Sreenivas Makam - Google - CC18
 
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
 
Blockchain consensus algorithms
Blockchain consensus algorithmsBlockchain consensus algorithms
Blockchain consensus algorithms
 
Git and git workflow best practice
Git and git workflow best practiceGit and git workflow best practice
Git and git workflow best practice
 

Similar to Grokking Techtalk #46: Lessons from years hacking and defending Vietnamese banks

bctntlvn (24).pdf
bctntlvn (24).pdfbctntlvn (24).pdf
bctntlvn (24).pdf
Luanvan84
 
Security Bootcamp 2013 mo hinh ung dung hoi chan ma doc truc tuyen trong ti...
Security Bootcamp 2013   mo hinh ung dung hoi chan ma doc truc tuyen trong ti...Security Bootcamp 2013   mo hinh ung dung hoi chan ma doc truc tuyen trong ti...
Security Bootcamp 2013 mo hinh ung dung hoi chan ma doc truc tuyen trong ti...
Security Bootcamp
 
Security Bootcamp 2013 - Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...
Security Bootcamp 2013  -  Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...Security Bootcamp 2013  -  Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...
Security Bootcamp 2013 - Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...
Security Bootcamp
 
Bao caothuctap
Bao caothuctapBao caothuctap
Bao caothuctap
Long Prồ
 
Báo cáo thực tập - Lần 1 - Hoàng Thanh Quý
Báo cáo thực tập - Lần 1 - Hoàng Thanh QuýBáo cáo thực tập - Lần 1 - Hoàng Thanh Quý
Báo cáo thực tập - Lần 1 - Hoàng Thanh Quý
Quý Đồng Nast
 
SYSTEM HACKING - TUẦN 2
SYSTEM HACKING - TUẦN 2SYSTEM HACKING - TUẦN 2
SYSTEM HACKING - TUẦN 2
Con Ranh
 
Tổng kết Báo cáo thực tập Athena - Hoàng Thanh Quý
Tổng kết Báo cáo thực tập Athena - Hoàng Thanh QuýTổng kết Báo cáo thực tập Athena - Hoàng Thanh Quý
Tổng kết Báo cáo thực tập Athena - Hoàng Thanh Quý
Quý Đồng Nast
 
Vu tuananh
Vu tuananhVu tuananh
Vu tuananh
Vũ Anh
 
Vu tuananh
Vu tuananhVu tuananh
Vu tuananh
Vũ Anh
 
Nghien cuu ma nguon mo openvpn
Nghien cuu ma nguon mo openvpnNghien cuu ma nguon mo openvpn
Nghien cuu ma nguon mo openvpn
peterh18
 
Thiet lap an toan mang isa cho mang doanh nghiep
Thiet lap an toan mang isa cho mang doanh nghiepThiet lap an toan mang isa cho mang doanh nghiep
Thiet lap an toan mang isa cho mang doanh nghiep
FC Loveit
 
Security Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải Long
Security Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải LongSecurity Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải Long
Security Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải Long
Security Bootcamp
 

Similar to Grokking Techtalk #46: Lessons from years hacking and defending Vietnamese banks (20)

Damballa automated breach defense for sales
Damballa automated breach defense for salesDamballa automated breach defense for sales
Damballa automated breach defense for sales
 
bctntlvn (24).pdf
bctntlvn (24).pdfbctntlvn (24).pdf
bctntlvn (24).pdf
 
Security Bootcamp 2013 mo hinh ung dung hoi chan ma doc truc tuyen trong ti...
Security Bootcamp 2013   mo hinh ung dung hoi chan ma doc truc tuyen trong ti...Security Bootcamp 2013   mo hinh ung dung hoi chan ma doc truc tuyen trong ti...
Security Bootcamp 2013 mo hinh ung dung hoi chan ma doc truc tuyen trong ti...
 
Security Bootcamp 2013 - Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...
Security Bootcamp 2013  -  Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...Security Bootcamp 2013  -  Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...
Security Bootcamp 2013 - Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...
 
Bao caothuctap
Bao caothuctapBao caothuctap
Bao caothuctap
 
Báo cáo thực tập - Lần 1 - Hoàng Thanh Quý
Báo cáo thực tập - Lần 1 - Hoàng Thanh QuýBáo cáo thực tập - Lần 1 - Hoàng Thanh Quý
Báo cáo thực tập - Lần 1 - Hoàng Thanh Quý
 
SYSTEM HACKING - TUẦN 2
SYSTEM HACKING - TUẦN 2SYSTEM HACKING - TUẦN 2
SYSTEM HACKING - TUẦN 2
 
SYSTEM HACKING - TUẦN 1
SYSTEM HACKING - TUẦN 1SYSTEM HACKING - TUẦN 1
SYSTEM HACKING - TUẦN 1
 
Báo cáo lần 1
Báo cáo lần 1Báo cáo lần 1
Báo cáo lần 1
 
Tổng kết Báo cáo thực tập Athena - Hoàng Thanh Quý
Tổng kết Báo cáo thực tập Athena - Hoàng Thanh QuýTổng kết Báo cáo thực tập Athena - Hoàng Thanh Quý
Tổng kết Báo cáo thực tập Athena - Hoàng Thanh Quý
 
Top kỹ năng quan trọng của chuyên gia an ninh mạng.pdf
Top kỹ năng quan trọng của chuyên gia an ninh mạng.pdfTop kỹ năng quan trọng của chuyên gia an ninh mạng.pdf
Top kỹ năng quan trọng của chuyên gia an ninh mạng.pdf
 
Vu tuananh
Vu tuananhVu tuananh
Vu tuananh
 
Vu tuananh
Vu tuananhVu tuananh
Vu tuananh
 
[ITAS.VN]Brochure_Services
[ITAS.VN]Brochure_Services[ITAS.VN]Brochure_Services
[ITAS.VN]Brochure_Services
 
Tình hình ANTT ở Việt Nam - Lê Công Phú - CMC Infosec
Tình hình ANTT ở Việt Nam - Lê Công Phú - CMC InfosecTình hình ANTT ở Việt Nam - Lê Công Phú - CMC Infosec
Tình hình ANTT ở Việt Nam - Lê Công Phú - CMC Infosec
 
Nghien cuu ma nguon mo openvpn
Nghien cuu ma nguon mo openvpnNghien cuu ma nguon mo openvpn
Nghien cuu ma nguon mo openvpn
 
Thiet lap an toan mang isa cho mang doanh nghiep
Thiet lap an toan mang isa cho mang doanh nghiepThiet lap an toan mang isa cho mang doanh nghiep
Thiet lap an toan mang isa cho mang doanh nghiep
 
Bai bao cao 2
Bai bao cao 2Bai bao cao 2
Bai bao cao 2
 
Bai bao cao 2
Bai bao cao 2Bai bao cao 2
Bai bao cao 2
 
Security Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải Long
Security Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải LongSecurity Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải Long
Security Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải Long
 

More from Grokking VN

Grokking Techtalk #45: First Principles Thinking
Grokking Techtalk #45: First Principles ThinkingGrokking Techtalk #45: First Principles Thinking
Grokking Techtalk #45: First Principles Thinking
Grokking VN
 
Grokking Techtalk #43: Payment gateway demystified
Grokking Techtalk #43: Payment gateway demystifiedGrokking Techtalk #43: Payment gateway demystified
Grokking Techtalk #43: Payment gateway demystified
Grokking VN
 
Grokking Techtalk #34: K8S On-premise: Incident & Lesson Learned ZaloPay Mer...
 Grokking Techtalk #34: K8S On-premise: Incident & Lesson Learned ZaloPay Mer... Grokking Techtalk #34: K8S On-premise: Incident & Lesson Learned ZaloPay Mer...
Grokking Techtalk #34: K8S On-premise: Incident & Lesson Learned ZaloPay Mer...
Grokking VN
 

More from Grokking VN (20)

Grokking Techtalk #45: First Principles Thinking
Grokking Techtalk #45: First Principles ThinkingGrokking Techtalk #45: First Principles Thinking
Grokking Techtalk #45: First Principles Thinking
 
Grokking Techtalk #42: Engineering challenges on building data platform for M...
Grokking Techtalk #42: Engineering challenges on building data platform for M...Grokking Techtalk #42: Engineering challenges on building data platform for M...
Grokking Techtalk #42: Engineering challenges on building data platform for M...
 
Grokking Techtalk #43: Payment gateway demystified
Grokking Techtalk #43: Payment gateway demystifiedGrokking Techtalk #43: Payment gateway demystified
Grokking Techtalk #43: Payment gateway demystified
 
Grokking Techtalk #40: Consistency and Availability tradeoff in database cluster
Grokking Techtalk #40: Consistency and Availability tradeoff in database clusterGrokking Techtalk #40: Consistency and Availability tradeoff in database cluster
Grokking Techtalk #40: Consistency and Availability tradeoff in database cluster
 
Grokking Techtalk #40: AWS’s philosophy on designing MLOps platform
Grokking Techtalk #40: AWS’s philosophy on designing MLOps platformGrokking Techtalk #40: AWS’s philosophy on designing MLOps platform
Grokking Techtalk #40: AWS’s philosophy on designing MLOps platform
 
Grokking Techtalk #37: Software design and refactoring
 Grokking Techtalk #37: Software design and refactoring Grokking Techtalk #37: Software design and refactoring
Grokking Techtalk #37: Software design and refactoring
 
Grokking TechTalk #35: Efficient spellchecking
Grokking TechTalk #35: Efficient spellcheckingGrokking TechTalk #35: Efficient spellchecking
Grokking TechTalk #35: Efficient spellchecking
 
Grokking Techtalk #34: K8S On-premise: Incident & Lesson Learned ZaloPay Mer...
 Grokking Techtalk #34: K8S On-premise: Incident & Lesson Learned ZaloPay Mer... Grokking Techtalk #34: K8S On-premise: Incident & Lesson Learned ZaloPay Mer...
Grokking Techtalk #34: K8S On-premise: Incident & Lesson Learned ZaloPay Mer...
 
Grokking TechTalk #33: Architecture of AI-First Systems - Engineering for Big...
Grokking TechTalk #33: Architecture of AI-First Systems - Engineering for Big...Grokking TechTalk #33: Architecture of AI-First Systems - Engineering for Big...
Grokking TechTalk #33: Architecture of AI-First Systems - Engineering for Big...
 
SOLID & Design Patterns
SOLID & Design PatternsSOLID & Design Patterns
SOLID & Design Patterns
 
Grokking TechTalk #30: From App to Ecosystem: Lessons Learned at Scale
Grokking TechTalk #30: From App to Ecosystem: Lessons Learned at ScaleGrokking TechTalk #30: From App to Ecosystem: Lessons Learned at Scale
Grokking TechTalk #30: From App to Ecosystem: Lessons Learned at Scale
 
Grokking TechTalk #29: Building Realtime Metrics Platform at LinkedIn
Grokking TechTalk #29: Building Realtime Metrics Platform at LinkedInGrokking TechTalk #29: Building Realtime Metrics Platform at LinkedIn
Grokking TechTalk #29: Building Realtime Metrics Platform at LinkedIn
 
Grokking TechTalk #27: Optimal Binary Search Tree
Grokking TechTalk #27: Optimal Binary Search TreeGrokking TechTalk #27: Optimal Binary Search Tree
Grokking TechTalk #27: Optimal Binary Search Tree
 
Grokking TechTalk #26: Kotlin, Understand the Magic
Grokking TechTalk #26: Kotlin, Understand the MagicGrokking TechTalk #26: Kotlin, Understand the Magic
Grokking TechTalk #26: Kotlin, Understand the Magic
 
Grokking TechTalk #26: Compare ios and android platform
Grokking TechTalk #26: Compare ios and android platformGrokking TechTalk #26: Compare ios and android platform
Grokking TechTalk #26: Compare ios and android platform
 
Grokking TechTalk #24: Thiết kế hệ thống Background Job Queue bằng Ruby & Pos...
Grokking TechTalk #24: Thiết kế hệ thống Background Job Queue bằng Ruby & Pos...Grokking TechTalk #24: Thiết kế hệ thống Background Job Queue bằng Ruby & Pos...
Grokking TechTalk #24: Thiết kế hệ thống Background Job Queue bằng Ruby & Pos...
 
Grokking TechTalk #24: Kafka's principles and protocols
Grokking TechTalk #24: Kafka's principles and protocolsGrokking TechTalk #24: Kafka's principles and protocols
Grokking TechTalk #24: Kafka's principles and protocols
 
Grokking TechTalk #21: Deep Learning in Computer Vision
Grokking TechTalk #21: Deep Learning in Computer VisionGrokking TechTalk #21: Deep Learning in Computer Vision
Grokking TechTalk #21: Deep Learning in Computer Vision
 
Grokking TechTalk #20: PostgreSQL Internals 101
Grokking TechTalk #20: PostgreSQL Internals 101Grokking TechTalk #20: PostgreSQL Internals 101
Grokking TechTalk #20: PostgreSQL Internals 101
 
Grokking TechTalk #19: Software Development Cycle In The International Moneta...
Grokking TechTalk #19: Software Development Cycle In The International Moneta...Grokking TechTalk #19: Software Development Cycle In The International Moneta...
Grokking TechTalk #19: Software Development Cycle In The International Moneta...
 

Grokking Techtalk #46: Lessons from years hacking and defending Vietnamese banks

  • 1. Lessons from years of hacking and defending Vietnamese computer networks Thái Dương, joint work with An Trịnh
  • 2. Disclaimer All hacks described in this talk were done with permission. Many details are intentionally vague to protect the involved parties. Opinions are our own.
  • 3. whoami ● Product security/cryptography tech lead at Google ● Co-founder of popular cryptography projects Wycheproof and Tink ● Works featured on the NYTimes, BBC, taught at Stanford, MIT ● Notable awards and honors ○ 2010, 2011, 2012 - 1st place of Top 10 Web Hacking Techniques ○ 2011 - Winner of Pwnie Awards “Best Server-Side Bug” ○ 2017 - Winner of Google “Technical Infrastructure Awards” ○ 2020 - Winner of Google “Feats of Engineering Awards”
  • 4. Agenda Our adventures in hacking & defending Vietnamese banks How banks got hacked & what you should do to avoid the same fate Bonus: who are the hackers?
  • 5. Why I started hacking Vietnamese banks
  • 7. Case study #1: mobile banking apps All I had was a heavily obfuscated Android app. It took me two weeks of very hard (yet exciting!) work to reverse engineer the app. The result was terrifying: I could programmatically steal money from any accounts.
  • 8. Did the bank care? Yes. Security is front and center in the mind of bank executives and engineers. Then... why did they get it wrong so badly?
  • 9. “There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies.” Tony Hoare
  • 10. Security through obscurity The app was so heavily obfuscated that its obvious vulnerabilities were hiding in plain sight for years. Security through obscurity is not bad, but the bank relied on it as its sole defense.
  • 11. Absence of security engineering Security engineering is the art and science of balancing safety and usability. The app, however, overdid security at the expense of usability and underdid security at the expense of safety. Root cause: Vietnam lacks people that can engineer security.
  • 12. Một hệ thống an toàn là một hệ thống mở, ai cũng biết cách thức nó hoạt động, nhưng không ai có thể phá vỡ nó. Nếu sự an toàn của hệ thống phụ thuộc vào giả định rằng không ai biết cách nó hoạt động ra sao, không sớm thì muộn hệ thống đó sẽ bị tấn công. Tôi thấy sự an toàn của <đã lược bỏ> phụ thuộc hoàn toàn vào việc giữ bí mật giao thức giữa app và máy chủ. Đối với sản phẩm tài chính ngân hàng như <đã lược bỏ>, an toàn luôn được đặt lên hàng đầu. Kiện toàn bảo mật cho một ứng dụng như thế này không quá khó, khó khăn nằm ở chỗ làm sao cho an toàn mà lại không gây ảnh hưởng đến trải nghiệm của người sử dụng. Tôi thấy <đã lược bỏ> chưa có sự cân bằng giữa an toàn và trải nghiệm người dùng. Trích “Báo cáo kiểm tra bảo mật <đã đục bỏ>”
  • 13. Case study #2: digital banking platform Once again, I was only given a heavily obfuscated APK. I wasn’t too excited, so reverse engineering went sluggish for months. Then I teamed up with An Trịnh.
  • 14. “Instead of reverse engineering, why don’t we just hack [the bank] to steal their source code?” An Trịnh
  • 15. “The attack surface is the vulnerability - finding a bug there is just a detail.” Mark Dowd Infrastructure DevOps Backend Apps
  • 16. How we stole money from any accounts Using a series of 0-day/N-day vulnerabilities, we compromised a test system and obtained the source code of the digital banking servers. We audited the code and found 3 different ways to, once again, programmatically steal money from any accounts. This is a recurring theme.
  • 17. A fun vulnerability: predictable SMS OTP The bank generated OTP using java.lang.Math.random() which calls java.util.Random. But: Result: given two consecutive OTPs, can predict the rest.
  • 18. What went wrong? The bank exposed a large attack surface with tons of outdated software. Once we had a foothold within the bank’s network, the whole internal network was wide open. The digital banking platform was poorly software engineered.
  • 19. What have we learned?
  • 20. Lesson #1: Accept that prevention would eventually fail, invest in detection and response Security D e t e c t i o n Prevention R e s p o n s e
  • 21. Lesson #2: Simulate APT regularly Nothing makes people care more about security than witnessing the theft of millions of dollars.
  • 22. Lesson #3: Engineer away security issues If your security team can’t code, you’re doing it wrong. Security is an engineering discipline, solve it with technology, not regulations. Security product != product security.
  • 23. Lesson #4: Bundle security as a product feature Product (in)security is a consequence of (bad) software engineering practices. Only prisons need maximum security, what you need is usable security.
  • 24. Lesson #5: Assume that your opponents know everything When designing and evaluating the security of your system, assume that all source code and documentation are publicly available. Focus on insider threats.
  • 25. “The enemy knows the system.” Claude Shannon
  • 26. Top things that help Red teaming Cloud, Cloud, Cloud Two factor authentication for employees Vulnerability management SecDevOps Centralized logging Bug bounty Trích Báo cáo “Làm an toàn thông tin cho doanh nghiệp là làm gì?
  • 27. Who are the attackers?
  • 28.
  • 29.
  • 30.
  • 32. Final thought It never took us more than a few weeks to steal money from any networks that we’ve engaged with. We could have totally destroyed these banks or hospitals, and caused a short-term collapse of the Vietnamese economy. If such a small team like ours could do this, what could more resourceful adversaries do?