One of our customers is a political party in Norway. This year is an election year, and before and during every election, hackers try to hack them, big time!
Item Consulting is the business partner who introduced them to IBM Connections, which is now used broadly within the organisation and to collaborate with the government.
So, we thought it'd be best to run a security test before the election. We hired hackers!
This case study will show how Item Consulting integrated the cloud-based third-party authentication mechanism, Auth0, into IBM Connections, and you will learn about the hack attempt and what the hackers were able to find out. Did they manage to hack IBM Connections?
We hired hackers to hack us; A case study about cloud-based authentication and security in IBM Connections
1. Vienna, October 16-17 2017
We hired hackers to hack us; A case study about cloud-based authentication and security in IBM Connections
Robert Farstad
@robertfarstad
2. Social Connections 11 Chicago, June 1-2 2017 / Social Connections 12 Vienna, October 16-17 2017
PLATINUM SPONSORS
GOLD SPONSORS
SILVER SPONSORS
BRONZE SPONSORS
3. This session…
…is mainly for you tech-people.
But very useful for everyone to see. Might be an eye-opener.
No talk about:
• What IBM Connections is…
• What IBM Cnx can give you…
• No ROI talk, whatsoever!
• How to use IBM Cnx!!
4. This session…
…is a case study where I will show you
• an integration with Auth0.
• how we hired hackers to hack us.
5.
6. The customer
7. The customer
• Political party, won the election 2017, second time in a row.
• Norway's Prime Minister is Høyre's leader.
• 60,000 members
• Was a white-space customer.
• Now: Connections + Docs + Sametime
• IBM Reference Customer.
• Security is a priority, more and more.
• Election year = hacking attempts.
• We hacked them first!
8. - cloud-based authentication
Høyre used Auth0 for all websites.
Requirement for them to become a Connections customer was:
• Authentication integration with Auth0!
• → POC: Item Consulting developed a TAI mechanism towards Auth0.
9. What is Auth0?
10. - cloud-based authentication
You can connect any application.
• Custom credentials: username + passwords
• Social network logins: Google, Facebook, Twitter, and any OAuth2, OAuth1 or OpenID Connect provider.
• Enterprise directories: LDAP, Google Apps, Office 365, ADFS, AD, SAML-P, WS-Federation, etc.
• Passwordless systems: Touch ID, one-time codes via SMS or email.
• Supports several 2-factor solutions.
11. - cloud-based authentication
• JSON Web Token
• Secure API: TLS v1.2, AES_128_GCM, with ECDHE_RSA as the key exchange mechanism.
• Extensible admin tool.
• Monitoring: number of logins, where from, who fails, hack attempts, alarms.
• Blocking
• Logs
• Synced with Høyre's back-end member system via MSSQL DB, securely!
12. - cloud-based authentication
13. - cloud-based authentication
14. + TAI
• Item developed a WebSphere application.
• TAI: Trust Association Interceptor.
• → LTPA token once authenticated.
• New Auth0 login page.
• Logout pages are modified:
  • Logs out of Auth0
  • Logs out of WebSphere
15. Devices used
Login occurs from:
• Browsers
• Apps
• Desktop plugins.
Technically, the login procedures are quite different.
16. Web-browsers
17. Apps + Plugins
18. Tivoli Directory Server - TDS
• FREE/bundled LDAP server for IBM Connections
• Standard setup between WebSphere and TDS
• Import of users via TDI/SDI to TDS.
  • From the MSSQL database, over a site-to-site VPN.
• Imports only the most relevant fields: name, email, mobile, position, company, department
19. Tivoli Directory Server – TDS + PTA
• Password field in TDS is blank!
• PTA is triggered.
• What is PTA? Pass-Through Authentication.
• PTA is configured to search in an alternative LDAP source.
• The password is stored in Auth0.
• Our PTA source is TDI / SDI.
• TDI calls the TAI application and gets response code 200 if OK.
• → logged in
20. What is TDI/SDI?
• Tivoli Directory Integrator / Security Directory Integrator
• Data manipulation system, limitless possibilities.
• Eclipse-based, JavaScript coding.
• Used to move, consolidate and manipulate data.
• Used in Connections for profile data import.
• Best tool ever, once you've learned the gist of the GUI and debugger.
21. TDI – acting as an LDAP server.
• Simulates an LDAP server.
• Gets the attempted username and password from TDS PTA.
• Credentials → WebSphere Auth0login app.
• WAS app → REST lookup to the Auth0 API.
• Gets return code OK or NOT_OK.
• TDI receives the same code from the WAS app.
• TDS PTA receives the same code from TDI.
• TDI runs multiple instances and can handle a large load.
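The relay step of the chain above (TDS PTA hands a username/password to TDI, TDI asks the WebSphere app over REST, and only a 200 becomes OK) as an added example in Python. This is not Item Consulting's TDI/WAS code; the verification endpoint, its JSON body and the user store are constructed stand-ins so the example runs offline, and the point it adds is the fail-closed behaviour: an empty password, a timeout, an unreachable service or any non-200 reply all come back as NOT_OK, and the password is never written to the log.

```python
"""Pass-through authentication relay (added example, not the project's TDI code).

Chain modelled: TDS PTA -> relay (TDI in the talk) -> verification service
(the WebSphere Auth0 app in the talk, which asks Auth0) -> OK / NOT_OK.
The verification service here is a constructed local stand-in; its URL,
JSON body and credentials are assumptions, not the project's interface.
"""
import json
import logging
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

log = logging.getLogger("pta-relay")

# Constructed user store for the stand-in verifier (the real one is Auth0).
_FAKE_USERS = {"alice": "correct horse battery staple"}


class _StubVerifier(BaseHTTPRequestHandler):
    """Stand-in for the WebSphere app that checks credentials against Auth0."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            body = json.loads(self.rfile.read(length))
            ok = _FAKE_USERS.get(body["username"]) == body["password"]
        except (ValueError, KeyError, TypeError):
            ok = False
        self.send_response(200 if ok else 401)
        self.end_headers()

    def log_message(self, *args):  # keep the stub quiet
        pass


def start_stub_verifier():
    """Start the stand-in verifier on a free localhost port; return its URL."""
    srv = HTTPServer(("127.0.0.1", 0), _StubVerifier)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}/verify"


def pta_verify(verify_url, username, password, timeout=3.0):
    """Return "OK" only on HTTP 200. Wrong password, timeout, service down or
    a malformed reply all yield "NOT_OK": the relay fails closed."""
    if not username or not password:
        # An empty password must never turn into an anonymous LDAP bind.
        return "NOT_OK"
    payload = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(
        verify_url, data=payload, method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "OK" if resp.status == 200 else "NOT_OK"
    except urllib.error.HTTPError as exc:
        # 401/403 etc. Log the user and status, never the password.
        log.info("verify rejected user=%s status=%s", username, exc.code)
        return "NOT_OK"
    except (urllib.error.URLError, OSError) as exc:
        log.warning("verify unreachable for user=%s: %s", username, exc)
        return "NOT_OK"


if __name__ == "__main__":
    url = start_stub_verifier()
    print(pta_verify(url, "alice", "correct horse battery staple"))  # OK
    print(pta_verify(url, "alice", "wrong"))                          # NOT_OK
```

The one design decision worth copying into a real TDI assembly line is the default: every exception path returns NOT_OK, so an outage of the Auth0 side can only deny logins, never grant them.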
22. TDI – acting as an LDAP server.
Simple code – extremely powerful!
23. TDI – acting as an LDAP server.
24. We hired hackers
Did they get in?
25. What they tested
• Login attempts
• SSL + headers
• Apps
• Stolen laptop
• Me!
• Sensitive information
26. SSL tests
www.ssllabs.com: the grade was bad before; after hardening (SSLCipherSuite, honorCipherOrder, disabling SSLv2 + v3, TLS only) it improved.
27. SSL tests – HTTP config for Grade A
SSLEnable
SSLProtocolEnable TLS
SSLProtocolDisable SSLv2 SSLv3
# Disable SSLCompression -> CRIME ATTACK
SSLCompression off
#Prefer ECDHE-RSA ciphers
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
# Enabling these 3 ciphers means an A- rating on ssllabs
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec ALL SSL_RSA_WITH_3DES_EDE_CBC_SHA
28. Headers
securityheaders.io: the grade was bad before; after hardening it improved.
HTTP config to achieve Grade A:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set Referrer-Policy "same-origin"
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
# Use only one of the two X-Frame-Options lines; a second "Header set" replaces the first
Header set X-Frame-Options "DENY"
Header set X-Frame-Options SAMEORIGIN
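A config linter for the SSL directives on slide 27 and the header directives on slide 28, as an added example in Python (not Item Consulting's code or an IBM tool). It assumes the directives keep the shape shown on the slides (SSLProtocolEnable/Disable, SSLCompression, SSLCipherSpec, Header [always] set); both sample configs are constructed. Beyond the slides, it also catches the case where X-Frame-Options is set twice (only the last "Header set" survives) and an HSTS max-age shorter than a year.

```python
"""Lint an IBM HTTP Server (Apache-style) config against the hardening shown
on the SSL and headers slides. Added example; not the project's code."""
import re
import shlex

ONE_YEAR = 31536000

# The three suites the slide says pull the ssllabs rating down to A-.
DOWNGRADING_CIPHERS = {
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Headers the slide sets, with the values accepted as hardened.
REQUIRED_HEADERS = {
    "strict-transport-security": re.compile(r"max-age=(\d+)"),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "x-frame-options": re.compile(r"^(DENY|SAMEORIGIN)$", re.I),
    "referrer-policy": re.compile(
        r"^(no-referrer|same-origin|strict-origin(-when-cross-origin)?)$", re.I),
}


def parse_directives(text):
    """Yield (directive, [args]) per line; '#' comment lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        yield parts[0].lower(), parts[1:]


def lint_config(text):
    """Return a sorted list of findings; [] means the config matches the slides."""
    findings = []
    enabled, disabled, ciphers, headers = set(), set(), [], {}
    compression = None
    for directive, args in parse_directives(text):
        if directive == "sslprotocolenable":
            enabled.update(a.upper() for a in args)
        elif directive == "sslprotocoldisable":
            disabled.update(a.upper() for a in args)
        elif directive == "sslcompression" and args:
            compression = args[0].lower()
        elif directive == "sslcipherspec" and len(args) >= 2:
            ciphers.append(args[1].upper())
        elif directive == "header":
            # "Header [always|onsuccess] set <name> <value>"
            a = args[1:] if args and args[0].lower() in ("always", "onsuccess") else args
            if len(a) >= 3 and a[0].lower() == "set":
                name = a[1].lower()
                if name in headers:
                    findings.append(f"{a[1]} is set twice; the last 'Header set' wins")
                headers[name] = a[2]

    for legacy in ("SSLV2", "SSLV3"):
        if legacy in enabled or legacy not in disabled:
            findings.append(f"{legacy} is not explicitly disabled")
    if compression != "off":
        findings.append("SSLCompression is not off (CRIME)")
    for c in ciphers:
        if c in DOWNGRADING_CIPHERS:
            findings.append(f"cipher {c} costs the A rating")
    for name, pattern in REQUIRED_HEADERS.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing header {name}")
        elif not pattern.search(value):
            findings.append(f"weak value for {name}: {value!r}")
        elif name == "strict-transport-security" and int(pattern.search(value).group(1)) < ONE_YEAR:
            findings.append("HSTS max-age is below one year")
    return sorted(findings)


# Constructed samples: the slides' Grade-A shape, and a weak variant.
HARDENED_CONFIG = """
SSLEnable
SSLProtocolEnable TLS
SSLProtocolDisable SSLv2 SSLv3
SSLCompression off
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set Referrer-Policy "same-origin"
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "DENY"
"""
WEAK_CONFIG = """
SSLEnable
SSLProtocolEnable SSLv3 TLS
SSLCompression on
SSLCipherSpec ALL SSL_RSA_WITH_3DES_EDE_CBC_SHA
Header set X-Frame-Options "DENY"
Header set X-Frame-Options SAMEORIGIN
Header set Strict-Transport-Security "max-age=300"
"""

if __name__ == "__main__":
    for finding in lint_config(WEAK_CONFIG):
        print(finding)
```

Run it against the live httpd.conf before pointing ssllabs and securityheaders.io at the server; the two online checks confirm what the server actually negotiates, which a config lint cannot.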
29. The Mobile App
Decompile
• Android app is decompilable
• Broken down to study code
Test
• Tried every URL found in code
Result
• Found no insecurities!
• But MITM attacks were possible!
30. MITM - Man-in-the-middle attack
An employee is out traveling and connects to a public network such as a hotel or airport WiFi.
But instead, connects to a hacker's WiFi hotspot.
Then clicks on "Continue"….
He/she will give the hacker running a MITM attack full visibility over the traffic.
31. MITM - Man-in-the-middle attack
32. MITM - Man-in-the-middle attack
mobile-config.xml has the solution for the Connections app.
Don't press "Continue"! Tell your admins to fix it.
33. Demo time
The demo consisted of showing a MITM attack + a username/password "cluster bomb" attack using the free tool Burp Suite.
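The defender's side of the "cluster bomb" demo above, and of the monitoring the Auth0 slide lists (who fails, where from, alarms), as an added example in Python. It is not Auth0's tooling or the project's code: the JSON lines are constructed and only loosely follow Auth0's log fields ("type" s/f/fp/fu, "user_name", "ip"), so that layout is an assumption. It runs a sliding window over the log and flags one source failing for many different accounts, one account failing from many sources, and the alarm that matters most, a success that follows either pattern.

```python
"""Detect cluster-bomb / spraying and brute-force patterns in login logs.
Added example; not Auth0's tooling or the project's code."""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

FAILURE_TYPES = {"f", "fp", "fu"}   # assumed failure event codes
SUCCESS_TYPE = "s"                  # assumed success event code

# Constructed sample: one source tries five accounts in seconds and then
# succeeds on one of them; another account is hit from five addresses.
SAMPLE_LOG = """\
{"date":"2017-09-01T08:00:01Z","type":"s","user_name":"ola@example.no","ip":"203.0.113.7"}
{"date":"2017-09-01T08:00:05Z","type":"fp","user_name":"anne@example.no","ip":"198.51.100.23"}
{"date":"2017-09-01T08:00:06Z","type":"fp","user_name":"bjorn@example.no","ip":"198.51.100.23"}
{"date":"2017-09-01T08:00:07Z","type":"fu","user_name":"carl@example.no","ip":"198.51.100.23"}
{"date":"2017-09-01T08:00:08Z","type":"fp","user_name":"dina@example.no","ip":"198.51.100.23"}
{"date":"2017-09-01T08:00:09Z","type":"fp","user_name":"erik@example.no","ip":"198.51.100.23"}
{"date":"2017-09-01T08:00:12Z","type":"s","user_name":"erik@example.no","ip":"198.51.100.23"}
{"date":"2017-09-01T08:01:00Z","type":"fp","user_name":"ola@example.no","ip":"192.0.2.10"}
{"date":"2017-09-01T08:01:10Z","type":"fp","user_name":"ola@example.no","ip":"192.0.2.11"}
{"date":"2017-09-01T08:01:20Z","type":"fp","user_name":"ola@example.no","ip":"192.0.2.12"}
{"date":"2017-09-01T08:01:30Z","type":"fp","user_name":"ola@example.no","ip":"192.0.2.13"}
{"date":"2017-09-01T08:01:40Z","type":"fp","user_name":"ola@example.no","ip":"192.0.2.14"}
{"date":"2017-09-01T09:30:00Z","type":"fp","user_name":"ola@example.no","ip":"203.0.113.7"}
"""


def parse_log(text):
    """Return events as (timestamp, type, user, ip), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["date"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, rec["type"], rec.get("user_name", "<unknown>"), rec["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def _expire(window, now, window_s):
    """Drop entries that have fallen out of the sliding window."""
    while window and (now - window[0][0]).total_seconds() > window_s:
        window.popleft()


def detect(text, window_s=300, max_failures=5, min_users=3):
    """Flag an IP failing for many distinct users (cluster bomb / spraying),
    a user failing many times from any source (brute force), and any success
    that follows either pattern."""
    failures_by_ip = defaultdict(deque)    # ip -> deque of (ts, user)
    failures_by_user = defaultdict(deque)  # user -> deque of (ts, ip)
    spray_ips, bruteforced_users, suspicious_successes = {}, {}, []
    for ts, typ, user, ip in parse_log(text):
        if typ in FAILURE_TYPES:
            w = failures_by_ip[ip]
            w.append((ts, user))
            _expire(w, ts, window_s)
            users = {u for _, u in w}
            if len(w) >= max_failures and len(users) >= min_users:
                spray_ips[ip] = max(spray_ips.get(ip, 0), len(users))
            w = failures_by_user[user]
            w.append((ts, ip))
            _expire(w, ts, window_s)
            if len(w) >= max_failures:
                bruteforced_users[user] = max(bruteforced_users.get(user, 0), len(w))
        elif typ == SUCCESS_TYPE and (ip in spray_ips or user in bruteforced_users):
            # A login that succeeds right after an attack pattern is the one
            # worth paging on: the password was probably guessed.
            suspicious_successes.append((user, ip))
    return {"spray_ips": spray_ips,
            "bruteforced_users": bruteforced_users,
            "suspicious_successes": suspicious_successes}


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_LOG), indent=2))
```

Note the per-IP rule needs both a failure count and a spread of distinct usernames: a single user mistyping five times is not a cluster bomb, and a lockout policy alone would not have caught the first pattern, since each account only saw one failure.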
34. Accident waiting to happen
35. Stolen Laptop Scenario
What did they find when they got in?
36. Stolen Laptop Scenario
• Not hard to find the password on the PC.
• Once in, passwords to sites are normally stored in the browser.
• Saved WiFi hotspots give hackers GPS coordinates => they can drive up alongside your company's building and connect.
• Hackers found sensitive information open to all of the IBM Connections users.
Don't expose login information to everyone!
37. They hacked me!
Or at least, they tried to…
38. They hacked me!
• They knew who I was.
• Googled me, found my blog.
• In one of the screenshots, a password was censored.
39. They hacked me!
I was a weak link…
How hard is it for hackers to find IT staff at your company? LinkedIn search… Google search…
Google is both your friend and your enemy.
• Bad censoring!!
• Found 6 out of 9 chars by matching font and size and studying the curves.
40. Avoid stress
41.
• Mask/hide better!
• Hackers are clever bastards.
• Hackers have A LOT of free time.
• Implement a 2-factor authentication mechanism, like Auth0.
• Hide your stuff.
• Once again: hackers are clever bastards.
• Lockout policy, i.e. 5 attempts => locked out… Hackers have tools for that!
• Train your users!
42.
43. Useful links:
Check SSL: https://ssllabs.com
Check Headers: https://securityheaders.io
Analyze CSP: https://report-uri.io/home/analyse
What can your browser support? http://caniuse.com/#search=referrer%20policy
Auth0 multi-factor authentication: https://auth0.com/docs/multifactor-authentication
Burp Suite: https://portswigger.net/burp
Ethical Hacker Certification: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
My blog: http://blog.robertfarstad.com
Twitter: https://www.twitter.com/robertfarstad
Item Consulting: https://www.item.no