Software runs today’s business; however, its security implications are often misunderstood, creating significant organizational risk. Poorly configured servers, third-party software, and continuous release cycles put additional pressure on already stressed teams.
Hackers no longer just exploit vulnerabilities in code -- faulty cloud deployments, weak database structures, and business logic problems are also easy targets for attackers. To reduce risk, you’ve got to audit your system the same way an attacker would.
This presentation demonstrates how attackers compromise the modern enterprise. For each attack demonstrated, mitigation practices will be discussed. WARNING: software will be harmed during this presentation. Viewer discretion advised.
3. About Security Innovation
• Authority in Software Security
• 15+ years research on software vulnerabilities
• Security testing methodology adopted by SAP, Symantec, Microsoft and McAfee
• Authors of 18 books
• Helping organizations minimize risk
• Assessment: Show me the gaps
• Education: Guide me to the right decisions
• Standards: Set goals and make it easy and natural
• Tech-enabled services for both breadth and depth
5. Attackers View Software Differently
• Never OK with ignorance
• Identify things that are out of place quickly
• Have mental
• Horsepower: Ability to focus on difficult problems
• Agility: To quickly context switch
• Bandwidth: To hold many concepts in the mind
Phineas Fisher recently hacked into Cayman National Bank and Trust.
They wrote a large manifesto and guide, I’ll be lifting snippets out as
quotes throughout.
Manifesto and guide translated here: https://pastebin.com/8rXhtqgr
6. What are the Super Powers?
• Complete Knowledge of the System
• Good Imagination
• Creativity
• Observant
• Good Memory
• Evil Streak
7. They Build a Complete Knowledge of the System
• What happens when I click the "login" button?
• Let’s talk technology
• Headers?
• Parameters?
• HTML Source?
• Where to ask more…
• Google
• Github
• StackOverflow
So I studied and practiced (see section 11), until I felt I was ready to pay a visit to Hacking Team almost a year later. The practice paid off, and this time I was able to make a complete commitment from the company [7]. Before I realized that I could enter with shellshock, I was willing to spend happy whole months of life studying exploit development and writing a reliable exploit for one of the memory corruption vulnerabilities I had encountered.
8. They have a Good Imagination
How do people commonly use this technology stack?
• What are the common patterns people follow with this technology?
• And then what are some common mistakes made when developing this type of thing?
• What could be running the back end?
• What assumptions were made?
• What mistakes might you make if implementing the same features?
9. They are Creative
https://absurd.design
Once they have a goal they’re persistent
Never stop if they hit a roadblock
They were using a remote citrix app … to access the SWIFT network, where each payment message … had to go through three employees: one to "create" the message, one to "verify" it, and another to "authorize it." Since I already had all their credentials thanks to the keylogger, I could easily perform all three steps myself.
11. They are Observant
• What is out of place?
• What has changed?
• Load times
• Technology
• URLs and Parameters
• Content Types
• Headers
• Typos
12. Have a Good Memory & Take Great Notes
They Remember Everything, or have tools and automation to make up the difference
• Error Messages
• Encodings
• Page layouts
• Load times
• Extra Information
13. They Harness Their Evil Streak
• Steal credit card numbers
• Become an admin
• Siphon off cash
• Learn private information
• Send spam
• Gain persistence on the network
OK, we’ve found some issues, what can we do with them?
14. Polling Question
What are those Super Powers again?
• complete knowledge, creativity, access to a super computer, fedora, evil streak
• complete knowledge, good imagination, creativity, observant, good memory, evil streak
• complete knowledge, observant, creativity, great developer, good memory, evil streak
• creativity, good imagination, observant, good memory, great time management, evil streak
15. All My Demos with CMD+CTRL
• CyberRange for AppSec awareness and education
• 7 Web Apps & an Android App
• Exploits detected automatically
• Designed for beginners, but scales to experts
16. Design Goals
• Engage users of all skill levels
• Lots of vulnerabilities that can be understood quickly
• No special tools needed
• Built-in hints
• Immediate feedback
• Easter eggs
• Realism
• Full Featured Sites with Real vulnerabilities
17. Methodology & Primary Test Cases
• Explore & Gather
• What does this do?
• What do you want to attack first?
• Anything out of the ordinary?
• Information Disclosure
• Passive
• Active
• Parameter Tampering: Try flipping some switches!
• URLs
• Forms
• Cross Site Scripting: Notice anything reflected back?
• SQL Injection: Let's get the data!
19. Passive Recon
Anything the attacker can gain without providing input
We already found the hidden credentials and secret message, what else can we find?
20. Active Recon
Start rattling door handles
Control Characters are a good place to start
What’s running? How do we “feel” about it?
' < ; -- #
21. OSINT: OpSec is Hard
Open Source Intelligence (OSINT) – Gathering data about people or systems that is publicly available
• Remember Fjord Engineering?
• Who is that Arnold Character?
https://osintframework.com
22. Polling Question
Passive and Active Recon are types of what attack?
• Information disclosure
• Social Engineering
• Parameter tampering
• Cross Site Scripting
• Server Side Request Forgery
• SQL injection
23. Cross Site Scripting (XSS)
Mixing Code and Data using control characters
in the webpage
• Try this anywhere you control a value on the page
• HTML
• JavaScript
• Headers
• How is your input being encoded?
• Test Cases
• Change your input
• Try <marquee>
• Try <script>alert('XSS')</script>
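As an added example (not code from the deck or from CMD+CTRL), a constructed comment template rendered with and without HTML encoding, plus a check that answers the slide's "notice anything reflected back?" question by comparing the tags in the response against the template's own tags:

```python
import html
import re

# Constructed page template standing in for any spot where you control a
# value on the page; not part of the original deck.
TEMPLATE = "<div class='comment'>{}</div>"

def render_vulnerable(comment):
    # Raw interpolation: < > " ' in the input become part of the page's
    # HTML, so the input is parsed as markup (code) instead of text (data).
    return TEMPLATE.format(comment)

def render_safe(comment):
    # HTML-body encoding: control characters become entities, so the browser
    # shows them as text. Attribute and JavaScript contexts need their own
    # encoding; this is the right one only for element content.
    return TEMPLATE.format(html.escape(comment, quote=True))

TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def new_tags(render, probe):
    """Tags present when rendering `probe` but absent when rendering an empty
    comment. Any result means the input was interpreted as markup, which is
    what a <marquee> or <script> test case is looking for."""
    baseline = set(TAG_RE.findall(render("")))
    return [t for t in TAG_RE.findall(render(probe)) if t not in baseline]

if __name__ == "__main__":
    for probe in ("<marquee>hi</marquee>", "<script>alert('XSS')</script>"):
        print("vulnerable:", new_tags(render_vulnerable, probe))
        print("safe:      ", new_tags(render_safe, probe))
```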
24. SQL Injection
Mixing Code and Data using control characters
in Database Queries
• Try this on any input you think may use the database
• Textboxes, URL Parameters, dropdowns, hidden fields
• Start small, build more complex SQL Queries to manipulate the
database
• Test Cases
• Does ' Produce an error message?
• Think about how to manipulate the SQL command
SELECT * FROM USERS WHERE Username = 'joe' AND Password = '
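As an added example (not code from the deck or from CMD+CTRL), the slide's login query built two ways against a constructed in-memory SQLite table, with a probe that runs the first SQLi test case, "does ' produce an error message?", against each:

```python
import sqlite3

def make_db():
    # Constructed USERS table matching the slide's query; sample data only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE USERS (Username TEXT, Password TEXT)")
    db.execute("INSERT INTO USERS VALUES ('joe', 'hunter2')")
    return db

def login_vulnerable(db, username, password):
    # The slide's query assembled by string concatenation: the input is
    # spliced into the SQL text, so a quote character changes the command.
    sql = ("SELECT * FROM USERS WHERE Username = '" + username +
           "' AND Password = '" + password + "'")
    return db.execute(sql).fetchone()

def login_safe(db, username, password):
    # Parameterised query: the values travel separately from the SQL text,
    # so control characters in the input are never parsed as SQL.
    sql = "SELECT * FROM USERS WHERE Username = ? AND Password = ?"
    return db.execute(sql, (username, password)).fetchone()

def probe(login, db, username, password):
    """Return ('ok', row) or ('error', message). An error on a lone quote is
    the signal the slide describes: data is being parsed as code."""
    try:
        return ("ok", login(db, username, password))
    except sqlite3.OperationalError as e:
        return ("error", str(e))

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(login_vulnerable, db, "joe", "'"))
    print("safe:      ", probe(login_safe, db, "joe", "'"))
    print("safe login:", probe(login_safe, db, "joe", "hunter2"))
```

The parameterised form treats the quote as an ordinary (wrong) password and returns no row, which is also what you want your error pages to show: no stack trace or SQL text for the tester to learn from.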
I didn't get anywhere with Hacking Team, but I was lucky with Gamma Group, and I was able to hack their customer support portal with basic sql injection and file upload vulnerabilities.
27. You don’t have to run faster than the bear
You just have to run faster than the guy next to you
-Jim Butcher
“I did not set out to hack a specific bank, what I wanted was to hack any bank, which ends up being a much simpler task.”
28. What can you do?
• Create a Culture of Security
• Define Standards and Policies
• Require Systems Updates and Patching
• Test and Define Authentication, Identity and Access Control
• Centralized, tuned Logs and Auditing
The best way to learn to hack is by hacking. Put together a laboratory with virtual machines and start testing things, taking a break to investigate anything you don't understand.
Security Innovation is a company dedicated to helping our customers with hard application and data security problems. We’ve spent years researching security vulnerabilities, why they occur, what they look like in production code and how to find and fix them. We have experience working with some of the largest companies in a variety of industries - from software companies such as Microsoft to e-commerce companies such as Amazon, financial companies and many more. We offer solutions for all phases of the SDLC including instructor-led training, computer-based eLearning courses, on-site consulting and security assessments, as well as technology to help secure sensitive data over the network or at rest.
Over the years we’ve analyzed more than 10,000 vulnerabilities, both in the course of research studies and through the assessments of software for our customers.
We got our start as a security testing company, grew to a products and services company that focused on breaking systems (code review, pen test, etc.) and then helping fix the problems through secure design and implementation.
We acquired NTRU in 2009 to expand our data protection services, focused on data in transit as well as data at rest, with best-in-class, high-performance cryptography.
Brandon Evans Example of LetSee attack and exploitation
Samy Garage Door Openers story or Samy worm story
Nobody has ever solved all the challenges in a single sitting
Helpful error messages, stack traces, hints in the FAQ and about pages…leaked information basically wherever we could
Sabu Story
https://pastebin.com/iVujX4TR
Worked so hard to keep his ID safe, DOXd by his own “team”
XSS
Alert box
Beef
SQLi
Error messages
Auth Bypass
DB Queries
Post-Exploitation
Data Exfiltration
SQLi
DB Queries
Denial of Service
Attackers think differently than we do. We have to understand what makes them tick to be successful.
What are their goals, techniques, and tools?
How do we look not just to the auditors and compliance folks, but to the creative and potentially malicious attackers?
Being 100% secure isn’t possible.
You don’t need to be vulnerability free; that’s not possible. You need to commit and be more secure than the next person.
Open Discussion
What can you do?
Standards and Policies
Systems Updates and Patching
Identity and Access Control
System Logs and Tracking
Authentication