
Hacker guide to adobe flash security


If you're an Adobe Flash or Flex developer looking to build secure, hard-to-break solutions, this WebiTalk is a must!
App developers, game developers, website developers: don't miss the opportunity to learn how to build secure Flash and Flex applications and deliver a secure experience for your customers.

Published in: Technology

  1. Hacker guide to Adobe Flash Security. The open doors and the right locks. Lecturer: Lior Bruder
  2. What's on the menu
     - Security introduction
     - Flash VM
     - Network security
     - Memory protection
     - Attack servers
  3. Attacker experience: Beginner
     - Doesn't have a lot of system and technical knowledge
     - Uses ready-made tools
     - Can do a lot of damage but…
     - Can be easily tracked
  4. Attacker experience: Advanced
     - Uses and creates scripts
     - Basic knowledge of OS and network
     - Searches for and shares information (blogs, forums, etc.)
  5. Attacker experience: Expert
     - Good programmer, creates his own special tools
     - Strong knowledge of IT systems, OS, AI, PBX, network, legal issues
     - Wide range of resources (servers, sniffers, etc.)
     - Hard to detect
  6. Hacking types
     - Man in the middle
     - Changing the rules of the game/app
     - Breaking into the victim's computer
     - Breaking into the remote server
  7. Hacking types: Listening on the network (cloud). Diagram: Hacker, Server, User
  8. Flash VM (1)
  9. Flash VM (2)
  10. SWF file structure: every SWF file is open source
  11. Demonstrations
     - Decompiling a SWF file
     - Obfuscating a SWF file
  12. So, how to secure your SWF?
     - Put logic on the server
     - Code obfuscation
     - Do not hardcode
  13. Network layers
  14. Packet sniffing
     - HTTPFox (layers 6-7)
     - Charles (layers 6-7)
     - Fiddler (layers 6-7)
     - Wireshark (layers 2-7)
  15. Demonstrations
     - HTTPFox (Ynet)
     - Fiddler (Pcman)
  16. So, how to protect your data?
     - Use binary data instead of text/XML
     - Hash your data (MD5, SHA1)
     - Use sessions
     - Use a secure channel (SSL/RTMPE)
     - Time-changing password
     - Use common logic
  17. Secured loading (client/server)
     - Step 1: Download only the frame application
     - Step 2: Open an encrypted channel (SSL)
     - Step 3: Download the main app
     - Step 4: Decrypt the SWF data and load the SWF (SWFLoader)
  18. Memory protection
     - You don't know where your SWF will be used
     - There are many memory viewers (like Cheat Engine)
  19. Demonstrations: Changing data on a SWF file
  20. So, how to protect memory?
     - Scramble important data (random)
     - Use a checksum on data
     - Don't count on garbage collection
  21. Why use an attack server?
     - Cause DoS
     - Damage the remote site's database
     - Multiple registrations
     - Login to accounts
     - Many more
  22. Passwords protection
     - Encourage the user to use a complex password
     - Don't use trivial combinations
     - Hash the password (MD5)
     - IP-to-location filter
     - Use a smart captcha
  23. Passwords (1): Encourage the user to use a complex password
  24. Passwords (2): Block trivial combinations
     - Your details: Name: Liorbruder; Birthdate: 16/7/1983; Id number: 033099124
     - Common passwords: Liorbruder, Lior1, Lior16071983, Bruderlior, Brudergmail, 033099124
  25. Passwords (3): Hash the password (MD5)
  26. Passwords (3): Trivial passwords will be easy to detect
     - Password: lior1, Hash: e9d9dc5987d3fd2369e10ed0a8c32d8a
     - Password: good, Hash: 7faae226566c91d06a0d741e0c9d3ae6
     - Password: bruder, Hash: e9d9dc5987d3fd2369e10ed0a8c32d8a
     - Password: test, Hash: 098f6bcd4621d373cade4e832627b4f6
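An added example in Python (not from the talk) that shows the point behind the two "Hash the password" slides: with unsalted MD5 the same password always yields the same hash, so a stored table can be audited against a list of common passwords, and a salted, slow hash removes that property. Only "test" and its hash come from the slide; the user names and the other common passwords are constructed here.

```python
"""Unsalted MD5 makes trivial passwords easy to spot; a per-user salt does not.

Added example, not part of the original slides. PBKDF2 is used here as the
salted alternative; the slides themselves only mention MD5.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed list of common passwords; only "test" appears on the slide.
COMMON_PASSWORDS = ["lior1", "good", "bruder", "test", "123456", "password"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, as shown on the slide."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def audit_unsalted_table(stored: Dict[str, str]) -> Dict[str, str]:
    """Return {user: password} for every user whose stored MD5 matches a common
    password. This weak-password audit only works because unsalted hashing maps
    equal passwords to equal hashes, which is exactly the weakness the slide shows."""
    lookup = {md5_hex(p): p for p in COMMON_PASSWORDS}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> Tuple[bytes, str]:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt per user: identical
    passwords no longer share a hash, so a precomputed hash list is useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest.hex()


def verify(password: str, salt: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of a candidate password against a stored record."""
    _, got = salted_hash(password, salt)
    return hmac.compare_digest(got, expected_hex)


if __name__ == "__main__":
    # Constructed user table: two users share the slide's "test" password.
    users = {"alice": md5_hex("test"), "bob": md5_hex("test"),
             "carol": md5_hex("Xk9#vQ2!pL")}
    print(audit_unsalted_table(users))  # {'alice': 'test', 'bob': 'test'}
    s1, h1 = salted_hash("test")
    s2, h2 = salted_hash("test")
    print(h1 != h2, verify("test", s1, h1))  # True True
```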
  27. Passwords (4): How to steal a captcha
     - On your site: User name / Password / For security please retype the following characters
     - Somewhere on the internet…: Welcome to my site. Do you want to see the next picture?
  28. What do you need to learn to be a hacker? What do you need to learn to protect your applications?
     - Learn how to program (C++, etc.)
     - Use a Unix OS
     - Learn web and server side (PHP)
     - Know the network layer protocols
     - Start looking in forums
     - Be discreet
  29. Thank you