This document summarizes an information security presentation about keeping secrets in the Internet of Things era. It discusses increasing vulnerabilities and dependencies, limitations of current security approaches, and motivations for lack of trust. It then covers secure software development best practices including threat modeling techniques. Lastly, it discusses solutions for organizations and end users, including encryption, authentication, firewalls, intrusion detection and more. Specific examples of security breaches like Heartbleed, Snapchat, and PlaceRaider are also summarized.
Keeping Secrets on the Internet of Things - Mobile Web Application Security
1. Keeping Secrets
In the vast Internet of Things
Zisher Mob::Web::Sec
Ipsilon Group
Kelly Robertson
2. Agenda
M-Days
Part One
• What are the stakes today?
• We are vulnerable and dependent
• Current InfoSec cannot reach the New Reality
• Motivations for mis-trust
• As the world turns…
Part Two
• Software Development – Secure by Design
Part Three
• Solutions for organizations and end users
3. The sun rises and sets the same on
the Good and the Bad
• Brightest Flashlight Free
• Jekyll on iOS
• PIN Skimmer
• FireSheep and Faceniff
4. The Heartbleed Bug
• SSL/TLS is used for email, banking, e-commerce
and privacy throughout the Internet
• Attackers could eavesdrop on communications,
steal identities and data
• Leave-no-trace, long exposure, ease-of-exploit
5. SnapChat
• 4.6 Million usernames and phone numbers
• Anonymous posted this information and said:
“You are downloading 4.6 million users’ phone number
information, along with their usernames. People tend to use the
same username around the web so you can use this information
to find phone number information associated with Facebook and
Twitter accounts, or simply to figure out the phone numbers of
people you wish to get in touch with.”
6. PlaceRaider
• Very Scary Smartphone Malware
• US Naval Surface Warfare Center and
Indiana University
• An Android app that secretly records and
reconstructs a user’s environment as a 3D
virtual model
7. The Mask
• 380+ Targets in 31 countries over 7 years
• One of the most sophisticated attacks ever
• Intercepts network traffic, Skype, PGP Keys, Wi-Fi traffic,
keystrokes, screen captures, encryption keys, and more
• Three separate backdoors in Win 32/64 + Mac OS using
sophisticated Malware, a bootkit and a rootkit
• The iPad and Android versions are very difficult to trace:
Date: Wed, 15 May 2013 23:34:01 +0000
Remote IP Address: 200.x.x.x
User Agent
Browser User Agent String:
Browser Name: iPad
8. Information Security Today
• Encryption
• Authentication
• DNSsec
• VPN
• SoftToken
• Anti-virus
• Anti-Malware
• Biometrics
• NG Firewalls
• Intrusion Detection
• Threat Feeds
• Manned SOCs
• Forensics
• And so forth…
10. Mobile Web Apps
• Porous trust boundaries
– Inherit trust/data from other components
• App store curator, Operating Systems and APIs
• Physically vulnerable to booted-rooted attack
• Lots of sensors and sensitive user data
• User’s unwarranted trust
• Client server paradigm – no control from server
• Bluetooth, Baseband, Wi-Fi, RF “always on”
• Jailbroken or rooted phones subvert controls
11. Mobile Web Apps
Platform Details
• iOS apps are written in Objective-C
– A superset of C with a dynamic, Smalltalk-style message-passing runtime
– The runtime keeps class, method and selector names in the binary, which leaks design information
– Tools such as class-dump can harvest class declarations and program logic from a decrypted binary – details that attackers use to plan an attack
– An end user can disassemble an app and recover any hard-coded symmetric key – the key that was supposed to protect its secure transactions
– Anti-tamper measures, putting sensitive logic in plain C/C++ wherever possible, and non-descriptive declarations mitigate much of this
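As an added example (not from the presentation), the kind of scan an attacker, or a reviewer before release, runs over a decrypted app binary to find a hard-coded symmetric key: extract printable runs the way `strings` does, then keep the ones shaped like a raw AES key in hex or base64 with enough entropy to be random rather than padding. The binary is a constructed byte blob, not a real app, and the hex key and base64 key embedded in it are made-up test values.

```python
import base64
import binascii
import math
import re


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a repeated byte, up to 8.0 for uniform random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def looks_like_key(s: bytes) -> bool:
    """True if s is a hex- or base64-encoded 128/192/256-bit value that is not obviously filler."""
    if re.fullmatch(rb"[0-9a-fA-F]+", s) and len(s) in (32, 48, 64):
        return shannon_entropy(s) > 3.0          # rejects "AAAA..." and "0000..." style padding
    if re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", s) and len(s) % 4 == 0:
        try:
            raw = base64.b64decode(s, validate=True)
        except (binascii.Error, ValueError):
            return False
        return len(raw) in (16, 24, 32) and shannon_entropy(raw) > 3.0
    return False


def find_key_candidates(blob: bytes, min_len: int = 16) -> list:
    """Pull printable runs out of a binary (what `strings` does) and keep those that look like keys.

    This is a heuristic: a 32-character identifier that happens to decode as base64 will show up
    too, so the output is a list of candidates for a human to confirm, not a verdict."""
    candidates = []
    for match in re.finditer(rb"[A-Za-z0-9+/=]{%d,}" % min_len, blob):
        s = match.group()
        if looks_like_key(s):
            candidates.append(s.decode("ascii"))
    return candidates


# Constructed stand-in for a decrypted app binary: Mach-O-looking segment names, ordinary UI
# strings, a hard-coded hex AES-128 key and a hard-coded base64 AES-256 key (both made up).
HEX_KEY = "3f9a1c7e5b2d8e4a6c0f1b3d5e7a9c2b"
B64_KEY = base64.b64encode(bytes(range(200, 232))).decode()
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe\x00\x00\x00\x00__TEXT\x00__cstring\x00"
    + b"Welcome to the application\x00InternalConfigurationManager\x00"
    + b"kAESKey\x00" + HEX_KEY.encode() + b"\x00"
    + b"https://api.example/v1\x00"
    + b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00"     # 32 hex-alphabet chars, but zero entropy
    + B64_KEY.encode() + b"\x00"
)

if __name__ == "__main__":
    for candidate in find_key_candidates(SAMPLE_BINARY):
        print("possible hard-coded key:", candidate)
```

The mitigation the slide points to follows from what the scan finds: a key that is a literal in the binary is recoverable by anyone with the device, so per-device keys provisioned at run time (and kept in the keychain) are the only way to keep it secret.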
12. Mobile Web Apps
Platform Details
• Android apps are written in Java and run on the Dalvik VM
• Susceptible to the ‘repackaging’ exploit – a decompiled app is modified, re-signed and redistributed
• Vulnerable to web proxy spoofing
• Allows SD cards – shared external storage that other apps can read
• But, Java is a type-safe language
• Class library is well-established
• Secure mobile abstraction when coded right
13. Science Fiction is now…
– Automotive
• 100 million lines of code per car now
• 100+ ECUs
– Body-borne computing
• Health monitoring
• Behavior monitoring
• Vision
• Fashion
– Eyeglasses
– Nanorobotics – molecular scale
15. Keeping Secrets
In the vast Internet of Things
Zisher Mob::Web::Sec
Ipsilon Group
Kelly Robertson
16. Secure Software Development LifeCycle
“Enemies may face off for years, only to have
the outcome decided in a single day.”
Sun Tzu
The Art of War
17. Secure Software Development LifeCycle
“The totally awakened warrior can freely utilize all
of the elements contained in Heaven and
Earth…with enlightened wisdom and deep calm.”
Morihei Ueshiba
The Art of Peace
Vibrant and Joyful
19. Developing Developers
Align with your business goals
From the Book of Five Rings:
• Empty as space
• Hard as a diamond
• Flexible as a willow in the wind
• Smooth flowing like water
Be organized, but take it easy
Two stages: Document, then Prioritize
20. The Seven Pernicious Kingdoms
Taxonomy of SW Security Errors
Tsipenyuk, Chess and McGraw (catalogued by OWASP)
• Input validation and representation
• API abuse
• Security features
• Time and state
• Error handling
• Code quality
• Encapsulation
21. Threat Modeling Techniques
Scoping attack surfaces and trust boundaries
Secure software does only its job
Top down and bottom up
Threat priority = Severity + Probability
• Movie Plotting
• Attack Trees
• S.T.R.I.D.E.
– Spoofing, Tampering, Repudiation, Information Disclosure,
Denial of Service and Elevation of Privilege
30. Denial of Service
Difficult to monetize, easier to defend than ever
• Brute force (amplified)
• Persistent (under the radar)
• Logic tripwires can alert
31. Elevation of Privilege
Always a top goal
• Bugs
• Configurations
• Authentication
• Corrupted process
• Memory
• Session hijacking
32. The Four Pillars of Priority
Quantified, now qualified
• Resolve it - Mitigate
• Get rid of it - Eliminate
• Deflect it - Transfer
• Live with it - Accept the risk and move on…
33. Education
Computer based training – SCORM compliant
On-line resources – OWASP and SlideShare
Universities – more and more, but still light
Security and other Vendors
Conferences
Boutique Educators, Specialists and Authors
35. Static Code Analysis
The process of assessing code without executing it.
“No single technique is a Silver Bullet. The best
that a code review can uncover is about 50% of
the security problems”
Gary McGraw, Ph.D
Cigital
36. SAST
The Good, The Bad and The Ugly
• Thorough, consistent analysis
• Finds root cause much of the time
• Can catch security flaws early
• Great for checking lots of lines of code and branches
But..
• Signal to noise ratio can dull the effectiveness
• Can interrupt creativity and workflow
• Can’t analyze architectural problems
And…
• Algorithms cannot completely analyze algorithms (Rice’s theorem)
• Writing for language parsers is hard – dialects make it worse
37. Static Code Analysis
What to look for. . .
• Alignment with workflow, creativity, culture
• Ultimate cost savings and revenue generation
• Source code versus compiled code
• Simultaneous analysis, multi-branch, languages
• Dependency injection
• Configuration files
• Service-oriented architecture (SOA)
• Trade off between speed and depth/accuracy
• Can code be developed while under analysis?
38. Static Code Analysis
What to do with the output…
• Must be vetted by a human analyst
– Bug filing, reporting, taint analysis, training
• Compliance officer can be very helpful
• Most effective and least costly during development
• Should drive education, training and coaching
39. Call-to-Action
Institutional
Integrate a Web Application Firewall into the SDLC
• WAF in this case is a network-based reverse proxy
• Usually an appliance but can be cloud-based or software
• PCI DSS (requirement 6.6) accepts a WAF as an
acceptable alternative to reviewing the application code
• Often run by network engineers or network
security practitioners, not developers
40. WAF
The Good, The Bad and The Ugly
• Only traffic that passes the policy reaches the web app
• Reconnaissance, application behavior and forensics
• Excellent for compliance and information assurance
But..
• Traffic that looks legitimate can still be malicious
• Susceptible to protocol-level evasions of many types and classes
• Automated vulnerability scanning alone is not enough
• Manual analysis is required to ensure accuracy
• APT and business logic flaws often require human intervention
And…
• Continuous & accurate tuning is hard
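An added example, not from the presentation or any WAF product, of the protocol-level evasions the slide warns about: a rule that pattern-matches the raw query string misses the same payload once it is URL-encoded twice, split with SQL inline comments or separated by tabs, and a normalising pass (decode until stable, strip comments, collapse whitespace) is what turns the signature back on. The two signatures and the request strings are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Two deliberately simple SQL-injection signatures of the kind a stock ruleset carries.
SIGNATURES = [
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),   # UNION SELECT
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),     # ' OR 1=1
]


def naive_waf(query: str) -> bool:
    """Match the signatures against the query string exactly as it arrived."""
    return any(sig.search(query) for sig in SIGNATURES)


def normalize(query: str, max_decode_rounds: int = 3) -> str:
    """Bring the request into the form the backend will actually see before matching.

    - percent-decode repeatedly (double encoding is a classic bypass), but bounded,
      so an attacker cannot make the WAF spin on deeply nested encodings
    - strip SQL inline comments, which the database parser treats as whitespace
    - collapse tabs, newlines, NULs and runs of spaces into a single space
    - lower-case so the rules can stay simple
    """
    s = query
    for _ in range(max_decode_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"[\s\x00]+", " ", s)
    return s.lower()


def normalizing_waf(query: str) -> bool:
    return naive_waf(normalize(query))


# Constructed requests: one overt attack, three evasions of the same attacks, one benign query.
REQUESTS = {
    "overt":          "id=1 UNION SELECT password FROM users",
    "comment_split":  "id=1%20UNION%2F%2A%2A%2FSELECT%20password%20FROM%20users",
    "double_encoded": "user=admin%2527%2520OR%25201%253D1",
    "tab_separated":  "id=1%09UNION%09SELECT%09password",
    "benign":         "q=select+the+best+union+contract",
}


def evaluate(requests: dict) -> dict:
    """For each request, report (naive verdict, normalizing verdict); True means blocked."""
    return {name: (naive_waf(q), normalizing_waf(q)) for name, q in requests.items()}


if __name__ == "__main__":
    for name, (naive, normalized) in evaluate(REQUESTS).items():
        print(f"{name:15s} naive={naive!s:5s} normalized={normalized}")
```

The catch, and the reason the slide says tuning is hard, is that the normaliser has to mirror what the application behind it actually does: if the backend decodes three times and the WAF stops at two, or the backend's parser accepts a comment style the WAF does not strip, that gap is itself the evasion.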
41. Call-to-Action
Institutional
Employ Mobile Device Management
• Data containers
• Black listing
• Remote wipe
• Find a device
• Secure provisioning
• Corporate app store
• Compliance reporting
• Jailbreak detection
• Patch management
• Crypto libraries
• Authentication
• CA integration
• Firewall
• Anti-virus
42. MDM
The Good, The Bad and The Ugly
• MDM evolved from mobile network operators
• Agent-based with a control server
• Audit for compliance
• Provisioning is key, including bricking, wiping
But..
• BYOD means anything goes
• Users are a very big problem
And…
• Capabilities vary wildly between vendors
• User behavior is usually tracked
43. Call-to-Action
Personally, what can you do for yourself?
Choose the source of your application carefully
Question the app’s need to share location/contact
Why does this app want to login with FB, et. al.?
Don’t: Keep me logged in OR remember me
Don’t save passwords
Do: use a secure browser – WhiteHat Aviator
Don’t click on the dancing pig…
44. Click on the
Dancing Pig!
"The applet DANCING PIGS
could contain malicious code that might do permanent damage
to your computer, steal your life's savings, and impair your ability
to have children.”
46. Bibliography
• Secure Programming with Static Analysis – Brian Chess and Jacob West
• The Tangled Web: A Guide to Securing Modern Web Applications – Michal Zalewski
• Threat Modeling: Designing for Security – Adam Shostack
• Hacking Exposed Mobile: Security Secrets & Solutions – Bergman, Stanfield, Rouse, Scambray
• Application Security for the Android Platform – Jeff Six
• Hacking and Securing iOS Applications – Jonathan Zdziarski
• Mobile Application Security – Dwivedi, Clark, Thiel
• The Art of War – Sun Tzu
• The Art of Peace – Morihei Ueshiba
• The Book of Five Rings – Miyamoto Musashi
• Chinese Industrial Espionage: Technology Acquisition and Military Modernisation – Hannas, Mulvenon, Puglisi
Welcome to today’s broadcast: Keeping Secrets in the vast Internet of Things. I’m Kelly Robertson with Zisher Mob:Web:Sec in the Silicon Valley and this presentation is brought to you in collaboration with the Ipsilon Group in Frankfurt, Germany. In part one, we will be discussing security issues relative to the Mobile Revolution that is sweeping the planet. In part two, we will explore end-to-end countermeasures from the Software Development LifeCycle to Application Firewalls and Mobile Device Management tools.
In the first place, we’ll take a look at the landscape today in terms of research, theory and actual exploits. We’ll then take a look at a novel approach to developing applications for mobile platforms more securely. Finally, we’ll briefly talk about solutions that organizations are using today, and some of the considerations that are important when choosing your tactics for defending information assets.
Brightest Flashlight Free:
December 2013: Goldenshores Technologies, maker of an app downloaded tens of millions of times, collected users’ precise location and device identifiers and passed them to third parties while deceiving customers about it; the Federal Trade Commission stepped in.
Jekyll on iOS – a Georgia Tech attack that passed the App Store’s mandatory review and code-signing checks: the app was benign as submitted, then rearranged its own signed code at run time (return-oriented programming against itself) to assemble the malicious behaviour. It was successful: the app was approved and published.
PIN Skimmer – two researchers from the University of Cambridge created a side-channel attack that uses the video camera and microphone to infer PINs entered on a number-only soft keyboard on a smartphone. The microphone detects touch events, while the camera estimates the smartphone’s orientation and correlates it with the position of the digit tapped by the user. It is undetectable by the end user and has both a mobile app and a server component.
Firesheep and FaceNiff – Firesheep was a packet-sniffing extension for Mozilla Firefox (FaceNiff is its Android counterpart) that wasn’t blacklisted because it was written to make a point: many sites encrypted the login itself but then sent the session cookie in the clear on every subsequent request. On an open Wi-Fi network such as an Internet cafe, or combined with a tool such as Ettercap to redirect switched traffic, Firesheep harvested those unencrypted session cookies all day long and let its operator take over the sessions with one click. Twitter and Facebook were the showcase examples, and both have since addressed the issue by moving to HTTPS throughout.
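An added example, not from the talk: the check Firesheep automated, written as a small analyser over captured HTTP messages. It flags session cookies travelling in the clear on an unencrypted connection and Set-Cookie headers that issue a session cookie without the Secure attribute, which is exactly the gap between an encrypted login and a cleartext session. The capture is constructed sample traffic, not a real trace, and the set of session-cookie names is an assumption.

```python
# Names commonly used for session identifiers; anything in this set counts as a session cookie.
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid", "auth_token"}


def parse_http(raw: str):
    """Split a raw HTTP message into its start line and a list of (name, value) headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_cookie_header(value: str) -> dict:
    """'a=1; b=2' -> {'a': '1', 'b': '2'} (names lower-cased for matching)."""
    cookies = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            cookies[name.lower()] = val
    return cookies


def audit_capture(capture) -> list:
    """capture: list of (transport, raw_message). Returns (kind, cookie_name, start_line) findings."""
    findings = []
    for transport, raw in capture:
        if transport.endswith("tls"):
            continue  # encrypted: a sniffer sees nothing, which is the point
        start_line, headers = parse_http(raw)
        for name, value in headers:
            if name == "cookie":
                for cname in parse_cookie_header(value):
                    if cname in SESSION_COOKIE_NAMES:
                        findings.append(("session-cookie-in-clear", cname, start_line))
            elif name == "set-cookie":
                attrs = [p.strip().lower() for p in value.split(";")]
                cname = attrs[0].split("=", 1)[0]
                if cname in SESSION_COOKIE_NAMES and "secure" not in attrs[1:]:
                    findings.append(("set-cookie-without-secure", cname, start_line))
    return findings


# Constructed capture from an open Wi-Fi network: the login goes over TLS, but the site then
# issues and accepts the session cookie over plain HTTP, which is what Firesheep exploited.
SAMPLE_CAPTURE = [
    ("tcp/443/tls", "<encrypted TLS record>"),
    ("tcp/80", "HTTP/1.1 302 Found\r\nLocation: /home\r\nSet-Cookie: sessionid=8f3ac21d9b; Path=/\r\n"
               "Set-Cookie: lang=en; Path=/\r\n\r\n"),
    ("tcp/80", "GET /home HTTP/1.1\r\nHost: social.example\r\nCookie: lang=en; sessionid=8f3ac21d9b\r\n\r\n"),
    ("tcp/80", "HTTP/1.1 200 OK\r\nSet-Cookie: sessionid=77c0d1e2aa; Secure; HttpOnly; Path=/\r\n\r\n"),
]

if __name__ == "__main__":
    for kind, cookie, where in audit_capture(SAMPLE_CAPTURE):
        print(f"{kind}: {cookie} ({where})")
```

The last message shows the fix: a session cookie issued with Secure (and HttpOnly) is never sent back over plain HTTP, so there is nothing for a sniffer on the cafe network to replay.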
Heartbleed bug, so called because it relates to the heartbeat extension of the SSL/TLS protocol, is an implementation problem that has left large numbers of secrets on the Internet exposed…it actually leaks the secret keys that are used to secure transactions.
The Heartbleed Bug is a serious, leave-no-trace vulnerability in the popular OpenSSL cryptographic software library that ships with over 14 popular operating systems and is very widely used across the Internet to provide privacy for financial transactions. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
How bad is it? You are likely affected somehow…governments, banks, entertainment and social sites often use encryption to keep your secrets.
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.
A fixed OpenSSL has been released and now has to be deployed, which is not trivial: because private keys may already have been read, certificates must be re-issued with new keys, and session tokens and user passwords reset, after the patch is in place.
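Added example (not the presentation’s, and a simplification of the OpenSSL code): the heartbeat handler before and after the fix. Process memory is modelled as a bytearray in which the received record is followed by whatever else happened to be on the heap. The vulnerable handler copies as many bytes as the peer’s length field claims; the fixed handler first checks that claim against the length of the record actually received, as the patch did. The record layout and the ‘secrets’ in memory are constructed for the example.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # TLS heartbeat messages carry at least 16 bytes of random padding


def make_heartbeat(claimed_payload_len: int, payload: bytes) -> bytes:
    """Build a heartbeat request: type (1) || payload_length (2, big-endian) || payload || padding.
    An honest peer sets claimed_payload_len == len(payload); an attacker does not."""
    return struct.pack("!BH", HB_REQUEST, claimed_payload_len) + payload + bytes(PADDING)


def heap_after_receive(record: bytes) -> bytearray:
    """Constructed model of the process heap: the record just received, followed by data from
    other connections and key material that happen to sit after it. Not real secrets."""
    mem = bytearray(record)
    mem += b"-----BEGIN RSA PRIVATE KEY----- (constructed fragment)\x00"
    mem += b"POST /login user=alice&password=hunter2\x00"
    mem += bytes(64)  # stand-in for the rest of the heap
    return mem


def heartbeat_vulnerable(mem: bytearray, record_len: int) -> bytes:
    """Pre-fix behaviour: trusts payload_length from the wire and copies that many bytes
    starting at the payload, running past the end of the record into neighbouring memory."""
    _hbtype, payload_len = struct.unpack_from("!BH", mem, 0)
    payload_start = 3
    echoed = bytes(mem[payload_start:payload_start + payload_len])  # this slice plays the role of memcpy
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + bytes(PADDING)


def heartbeat_fixed(mem: bytearray, record_len: int):
    """Post-fix behaviour: the claimed length plus the fixed fields must fit inside the record
    that was actually received; otherwise the message is silently discarded."""
    _hbtype, payload_len = struct.unpack_from("!BH", mem, 0)
    if 1 + 2 + payload_len + PADDING > record_len:
        return None
    payload_start = 3
    echoed = bytes(mem[payload_start:payload_start + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + bytes(PADDING)


def demo():
    """Send the classic malicious request (2-byte payload, 65535 claimed) to both handlers."""
    attack = make_heartbeat(65535, b"hi")
    mem = heap_after_receive(attack)
    leaked = heartbeat_vulnerable(mem, len(attack))
    blocked = heartbeat_fixed(mem, len(attack))
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable handler returned", len(leaked), "bytes; password in reply:", b"hunter2" in leaked)
    print("fixed handler returned", blocked)
```

Nothing in the leaked reply looks abnormal to the server, which is the ‘leave-no-trace’ property: the handler did exactly what the protocol asked, and only the length check, not logging, distinguishes the attack from a normal heartbeat.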
Snapchat, the disappearing-message service… Twice in 2013, Gibson Security advised Snapchat that usernames and phone numbers could be harvested in bulk through its find-friends API…eek!
On January 1st, 2014, anonymous hackers posted a file on Snapchatdb.info with 4.6 million Snapchat usernames and phone numbers.
Instructions on the pages say, “You are downloading 4.6 million users’ phone number information, along with their usernames. People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with.”
It is clear that the hackers are trying to prod Snapchat to acknowledge the severity of their security holes and make the needed patches. They claim that the database “contains username and phone number pairs of a vast majority of the Snapchat users.” They used the security exploits documented last week by Gibson Security that Snapchat “dismissed.” SnapchatDB claims that this information “is being shared with the public to raise awareness on the issue. The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it.”
Facebook, which had made an offer on SnapChat previously, turned around and bought Whatsapp – for $19B. SnapChat has no source of revenue so acquisition was the likely exit strategy.
The very scary PlaceRaider smartphone malware
Today Robert Templeman at the Naval Surface Warfare Center in Crane, Indiana, and a few pals at Indiana University reveal an entirely new class of ‘visual malware’ capable of recording and reconstructing a user’s environment in 3D. This then allows the theft of virtual objects such as financial information, data on computer screens and identity-related information.
Templeman and co call their visual malware PlaceRaider and have created it as an app capable of running in the background of any smartphone using the Android 2.3 operating system.
Their idea is that the malware would be embedded in a camera app that the user would download and run, a process that would give the malware the permissions it needs to take photos and send them.
PlaceRaider then runs in the background taking photos at random while recording the time, location and orientation of the phone. (The malware mutes the phone as the photos are taken to hide the shutter sound, which would otherwise alert the user.)
The malware then performs some simple image filtering to get rid of blurred or dark images taken inside a pocket for example, and sends the rest to a central server. Here they are reconstructed into a 3D model of the user’s space, using additional details such as the orientation and location of the camera.
A malicious user can then browse this space looking for objects worth stealing and sensitive data such as credit card details, identity data or calendar details that reveal when the user might be away.
Templeman and co have carried out detailed tests of the app to see how well it works in realistic situations. They gave their infected phone to 20 individuals who were unaware of the malware and asked them to use it for various ordinary purposes in an office environment.
They then evaluated the resulting photos by asking a group of other users to see how much information they could glean from them. Some of these users studied the raw images while the others studied the 3D models, both groups looking for basic information such as the number of walls in the room as well as more detailed info such as QR codes and personal checks lying around.
Templeman and co say the tests went well. They were able to build detailed models of the room from all the data sets. What’s more, the 3D models made it vastly easier for malicious users to steal information from the personal office space than from the raw photos alone.
That’s an impressive piece of work that reveals some of the vulnerabilities of these powerful devices. And although the current version of the malware runs only on the Android platform, there is no reason why it couldn’t be adapted for other systems. “We implemented on Android for practical reasons, but we expect such malware to generalize to other platforms such as iOS and Windows Phone,” say Templeman and co.
They go on to point out various ways that the operating systems could be made more secure. Perhaps the simplest would be to ensure that the shutter sound cannot be muted, so that the user is always aware when the camera is taking a picture.
However that wouldn’t prevent the use of video to record data in silence. Templeman and co avoid this because of the huge amount of data it would produce but it’s not hard to imagine that this would be less of a problem in the near future.
Another option would be a kind of antivirus app for smartphones which actively looks for potential malware and alerts the user.
The message is clear–this kind of malware is a clear and present danger. It’s only a matter of time before this game of cat and mouse becomes more serious.
Careto, ‘The Mask’, is a really, really interesting Advanced Persistent Threat for a number of reasons.
It is really sophisticated, long-term cyber-espionage with outstanding tools.
It was caught by Kaspersky researchers because the malware tried to exploit an old vulnerability in Kaspersky’s own products, patched five years earlier, in order to hide itself.
Its operators appear to be Spanish-speaking.
380+ Targets in 31 countries over 7 years
One of the most sophisticated attacks ever
Intercepts network traffic, Skype, PGP Keys, Wi-Fi traffic, keystrokes, screen captures, encryption keys, and more
Three separate backdoors in Win 32/64 + Mac OS using sophisticated Malware, a bootkit and a rootkit
The impact on mobility platforms is yet unknown…
What do legacy infosec tools provide to combat the mobility threats?
Well,
Next generation firewalls do put unknown applications into a sandbox and analyze them.
Intrusion detection can pick up some anomalous behaviors, but usually just known problems as compared to zero –day attacks.
Threat feeds are services that provide tsunami warnings from the larger Internet community, think Security Data Warehouse and big data analytics, to predict problems.
The top tier security vendors all have threat research centers with some type of incident response and early warning for customers.
And, after the fact, improvements in the ease-of-use for forensics tools helps to determine if advanced persistent threats or insider-driven attacks are present.
All are necessary, but not sufficient. So, let’s take a look at Mobile Web Applications and see how they are fundamentally different even from web applications and discuss what can be done about securing the Mobility Revolution.
Information disclosure – leaks can come from any layer: error messages that tell the attacker the versions of components, file names that can be guessed, data flows that reveal where the trust boundaries are
Data flow is particularly vulnerable over radio networks
DoS is a threat to availability
EoP is literally the keys to the kingdom – containers, buffers, …
Mitigate
Eliminate
Transfer
Accept
How do we learn this stuff?
CBTs are good, try to get one that works with SCORM which is a spec for distributed learning – it helps to keep track of progress across lots of people and may help with compliance requirements
There’s lots of self-help, but that takes discipline and it’s hard to maintain cohesion unless the team attends them together. Of course, a team may train a trainer
Universities are still lighter on this than one would think
Vendors and organizations such as SANS have very specific training
Conferences are usually expensive in that there is travel and expense, time out of the office (and usually not convenient to the development cycle) and a pretty hefty fee…but go through the syllabus and if it’s right up your alley, it’s probably invaluable
Smaller specialists are more likely to come to you, develop a curriculum for your environment, coach you through labs that really make it all stick and tend to be cost effective – you are paying one person’s T&E and at your convenience. Quality may vary.
SCORM – Sharable Content Object Reference Model
Southern New Hampshire University but not Southern Utah; Saint Louis University, Stanford
McAfee, Akamai
RSA Security, Infosec, SANS
Denim Group, Jim Manico
How can you keep the dialog going and make it stick?
Building a culture of communication for secure coding can definitely be helped along by having our team play a game of EoP once a week. This tricks-and-trumps card game is available for download free and was developed by Adam Shostack and his team at Microsoft. EoP illuminates, inspires and builds an organization’s skills…and it aligns directly with STRIDE
Let’s talk about solutions for analyzing the code. Static Code Analysis, also known as SAST, is automated software that analyzes source code (or, in some tools, compiled bytecode or binaries) without executing it. Code review is the same process done by humans. In either case, as Dr. McGraw states here, a program can only catch so much. We’ll examine just why that is in a moment, but for now let’s just say that we want to develop the best process that we can that aligns with our business goals and our culture.
Prone to false positives – the developers or independent analysts vetting the results are the only thing that really works here
The Turing halting problem and Rice’s Theorem – static analysis cannot be perfect: no algorithm can decide every non-trivial behavioural property of every program, so a tool must either over-approximate (false positives) or miss cases (false negatives)
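An added example (not from the presentation or from any SAST vendor) of what such a tool does and why its output needs a human: a tiny taint analysis over Python source using the standard `ast` module. Calls to the assumed source `get_param()` are treated as attacker-controlled, `int()` and `escape()` as sanitisers, and `execute()`/`system()` as sinks. The analysis follows assignments in order but does not understand the `if path.isalnum():` guard, so on the constructed sample it reports a true positive on line 5 and a false positive on line 10, which is exactly the kind of noise the slide describes.

```python
import ast

SOURCES = {"get_param", "input"}      # assumed: return attacker-controlled data
SANITIZERS = {"int", "escape"}        # assumed: output is safe whatever the input
SINKS = {"execute", "system"}         # dangerous calls: cursor.execute(), os.system()


def call_name(call: ast.Call) -> str:
    """'get_param(...)' -> 'get_param'; 'cursor.execute(...)' -> 'execute'."""
    if isinstance(call.func, ast.Name):
        return call.func.id
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    return ""


def is_tainted(expr, tainted: set) -> bool:
    """Does attacker-controlled data reach this expression?"""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = call_name(expr)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False
        return any(is_tainted(arg, tainted) for arg in expr.args)   # str(user) keeps the taint
    if isinstance(expr, ast.BinOp):                                  # "..." + user, "%s" % user
        return is_tainted(expr.left, tainted) or is_tainted(expr.right, tainted)
    if isinstance(expr, ast.JoinedStr):                              # f"... {user}"
        return any(isinstance(v, ast.FormattedValue) and is_tainted(v.value, tainted)
                   for v in expr.values)
    return False


def statements_in_order(body):
    """Yield statements in source order, descending into if/for/while/with/try bodies."""
    for stmt in body:
        yield stmt
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue  # nested definitions get their own pass
        for field in ("body", "orelse", "finalbody"):
            inner = getattr(stmt, field, None)
            if isinstance(inner, list):
                yield from statements_in_order(inner)


def find_taint_flows(source: str) -> list:
    """Return (line, sink_name) for every sink call whose arguments carry taint.

    Flow-insensitive: a guard such as `if x.isalnum():` does not clear the taint, so a
    value validated on one path is still reported. That is the false-positive side of
    Rice's theorem in practice."""
    findings = []
    tree = ast.parse(source)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in statements_in_order(func.body):
            expr = getattr(stmt, "value", None) or getattr(stmt, "test", None)
            if expr is None:
                continue
            if isinstance(stmt, ast.Assign):
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                if is_tainted(expr, tainted):
                    tainted |= names
                else:
                    tainted -= names      # reassigning a clean value clears the taint
            for node in ast.walk(expr):
                if isinstance(node, ast.Call) and call_name(node) in SINKS:
                    if any(is_tainted(arg, tainted) for arg in node.args):
                        findings.append((node.lineno, call_name(node)))
    return findings


# Constructed sample under analysis (line numbers count from "import os" as line 1).
SAMPLE = """\
import os

def lookup(cursor):
    user = get_param("user")
    cursor.execute("SELECT * FROM t WHERE u='" + user + "'")
    uid = int(get_param("id"))
    cursor.execute("SELECT * FROM t WHERE id=%d" % uid)
    path = get_param("path")
    if path.isalnum():
        os.system("ls " + path)
    name = "static"
    os.system("echo " + name)
"""

if __name__ == "__main__":
    for line, sink in find_taint_flows(SAMPLE):
        print(f"line {line}: attacker-controlled data reaches {sink}()")
```

Line 5 is a real SQL injection; line 10 is a command injection the analyser cannot rule out because it does not model what `isalnum()` guarantees, and a real tool faces the same choice on every branch it cannot resolve. Tuning means teaching it which guards and sanitisers to trust, and each such rule is a place where a wrong assumption becomes a false negative.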
In the first place, we need to consider how the team works together and make a decision based in part on how much overhead SAST may involve.
Alignment with workflow, creativity, culture
Ultimate cost savings and revenue generation – SAST should be less expensive than the alternative. For example, an open-source SAST set on default may be way too noisy to be useful as developers may begin to ignore results after a short time. A commercial offering with professional services or a manned NOC may cost more up front yet save money due to risk.
Source code versus compiled code. Compiled code may need to be sent off-site and this may not be acceptable for some development teams. If just snippets of the source code are sent off site, then reverse engineering by someone trying to steal intellectual property is unrealistic.
Simultaneous analysis, multi-branch, languages. A boutique or in-house SAST service may not be able to analyze more that a single application at a time which may not be in the best interests of the team. Also, some SAST offerings charge by the branch, which can become a bit pricey. And, some SASTs are limited in their language coverage. Remember, too, that dialects can be difficult and time consuming if a language has been forked.
Dependency injection is a method of making a service part of an object’s state, which can make testing easier and makes the code a bit more modular and easier to work with. It also allows multiple teams to work in parallel. DI also helps with configuration management using external config files, but sometimes it also makes tracing behavior a little more complicated. Not all application frameworks support DI, but the SAST should.
Configuration files – the SAST may need to trace the dependency back to the external configuration files and the question should be brought up to the SAST vendor.
Service-oriented architecture – SOA broadly defines how two programs can communicate so that one program can perform operations for another. Think SOAP. Because there is a lot of flexibility in how SOA is implemented, a SAST data sheet won’t likely have a check box stating that SOA is supported, but SOA is sufficiently popular to be something to ask about from a SAST, and especially a SAST service.
The question of how deep to go into security analytics really should be answered by the threat modeling exercises but there is a fair amount of common sense involved as well. It’s best that business pressures don’t unduly affect this decision just as the hard cost of analysis should be justified with regard to the risk.
Can code be developed while under analysis? If the code has to be compiled and development halted while the analysis is undertaken, it will likely disrupt the creative flow and, if coders are idle, may cost a fair amount of money. Sure, the coders can study or work on other projects, but when the results of the scan come back, they will likely need to go back to the analyzed code to fix security-related flaws so the disruption happens twice. Fortunately, many SAST vendors will analyze while the product is under development, think spell checkers advising you along the way of potential mistakes that you may be making. Another consideration that is very important has to do with the dependencies of code as it is built. If code from three weeks ago needs to have a fundamental flaw fixed, it may require re-engineering many other parts of the code that have been built since based on assumptions that the flawed code was, in fact, not flawed. So it’s wise to insist on a SAST Tool that allows analysis while code is being built.
SAST solutions are good and getting better all the time. SAST will quickly go through all of the lines of code and usually make tracing problems back to the cause in the tree quick work. Patterns that come up usually are propagated on several branches and much can be learned by the development team by seeing the results. But false positives abound in any automatic scanner at default settings and tuning is a black art. Also, SAST does not deal with architectural issues or business logic flaws, generally. These need to be addressed by human analysts. Let’s look at some suggestions of what to look for in a SAST product or service.
Configuration files really help to perform behavior modeling
Source code is more clear, can be faster, may lack reality like an emulator does
System-oriented – binding between URI and code will help to determine which input parameters are associated with each vuln
Speed and depth could be the difference between professional service/research and automation, so be very clear on your ideals
Binary analysis has to be mapped into useful code for developers to work with it
Very difficult to fix once you’ve built on top of vulns