Slides
Transcription
Slides
TalesofInsecurity Evergreens,developments,andinsights forintegratorsandserviceproviders Dr.DominikHerrmann UniversityofHamburg UniversityofSiegen Downloadslidesat https://dhgo.to/tales researchonsecurity,privacy,onlinetracking,forensics PhDandPostdoc @UniversityofHamburg Temporaryprofessorship @UniversityofSiegen JuniorFellowofGermanInformaticsSociety Dr.DominikHerrmann For common Internet Crime Schemes see http://www.ic3.gov/crimeschemes.aspx 2 DAILYNEWS:THEGENIEISOUTOFTHEBOTTLE– WEAREDOOMED 3 Cloud Services Attackson CriticalInfrastructure Big Data Data Leaks Mobile Apps Ransomware andFraud NEW OPPORTUNITIES NEW THREATS 4 datawillbecome theoilofthe21st century datahasbecome atoxicasset,aliability Big Data Data Leaks Meglena Kuneva EUConsumerCommissioner BruceSchneier https://www.schneier.com/blog/archives/2016/03/data_is_a_toxic.html 5 www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ Inthelastdecadewehavewitnessedmanyhigh-profiledataleaks. Largenumberofhigh-profiledataleaks 6 Dataleakshaveaninterestingproperty:collateraldamagethataffects (1)citizensand(2)contractorsofthevictim. http://futurezone.at/digital-life/datenleck-20-000-wiener-linien-kunden-betroffen/158.677.940 7 Collateraldamageallowsdataleakstobemonetized. 2015 “forthelulz” THEN HACKING http://www.csoonline.com/article/2996883/data-breach/talktalk-hit-by-data-breach-and-ransom-demand.html forprofit NOW 8 Tworecentdevelopmentshelpadversaries getawaywiththeirdemands. cryptocurrencies anonymized communications collateral damage leverage forprofit https://bitcoin.org,https://torproject.org 9 Howdidthegeniegetofoutthebottle? FIVEWEAKNESSES 10 Weakness1: Outofsight,outofmind 11 Exploitingknownvulnerabilitiesisstillaverysuccessfulattackvector. Vendorsandusersfailtopatchtheirsoftwareinatimelymanner. Mossack Fonsecaranold Outlook WebAccess(2009), Drupal(2013, 25vulns) http://www.wired.co.uk/news/archive/2016-04/06/panama-papers-mossack-fonseca-website-security-problems 12 UltraReset attackonMiFare Ultralight(NewJersey&SanFrancisco,2012) …stillworksin2016(Vancouver) http://bc.ctvnews.ca/security-flaw-lets-smartphone-users-hack-transit-gates-1.2852464 13 Weakness2: Foolswithtools…don’tknowtheirtrade 14 Duetounawareness,carelessness,andhaste,vendorsshipproductswith embarrassingsecurityholes,forinstanceinuserauthentication. Maginon webcams (2015) 1. 2. bypassesfirewallof DSLrouterviaUPnP comeswithempty defaultpassword thousandsofcameras soldatALDIandHofer 15 Insecuredevicescannowbediscoveredbyeveryonewithinshorttimeby queryingspecializedsearchengineslikeshodan.io. Maginon webcams (2015) 1. 2. bypassesfirewallofDSL routerviaUPnP comeswithempty defaultpassword 16 Manyindustriesarecurrentlylearninghowtodosecurityproperly. Vaillant heatings (2015): authenticationandpassword checkperformedbyaJava appletintheuser’sbrowser http://www.hotforsecurity.com/blog/vulnerability-in-vaillant-heating-systems-allows-unauthorize d-access-5926.htm l 17 Weakness3: Underestimatingtheadversary 18 Insecuredesignsresultfromsoftwaredevelopersmakingpoordecisions becauseofwrongassumptions. BMWConnectedDrive (2015) – allcarsusedthesame cryptographickey – communicationwithBMW serverswasnot protected Impact: cardoorscouldbe unlockedbysendingafaked SMStothecar 19 Insecuredesignsresultfromsoftwaredevelopersmakingpoordecisions becauseofwrongassumptions. BMWConnectedDrive (2015) – allcarsusedthesame cryptographickey – communicationwithBMW serverswasnotprotected “Nooneisableto…” – reverseengineerthehardwarewherethekeyisstored – setupafakeGSMnetwork tosendanSMStothecar Impact: cardoorscouldbe unlockedbysendingafaked SMStothecar 20 Insecuredesignsresultfromsoftwaredevelopersmakingpoordecisions becauseofwrongassumptions. BMWConnectedDrive (2015) – allcarsusedthesame cryptographickey – communicationwithBMW serverswasnotprotected Researchersjustdidit. – reverseengineerthehardwarewherethekeyisstored – setupafakeGSMnetwork tosendanSMStothecar Impact: cardoorscouldbe unlockedbysendingafaked SMStothecar 21 proposaltousesamecryptographickeyon53mn.devices https://www.fau.eu/2015/11/03/news/research/an-easy-target-for-hackers, http://www.theinquirer.net/inquirer/news/2451793/gchq-intervenes-to-prevent-catastrophically-insecure-uk-smart-meter-plan 22 Insecuredesignsresultfromsoftwaredevelopersmakingpoordecisions becauseofwrongassumptions. proposaltorunbankingapp andTANapponthesamephone proposaltousesamecryptographickeyon53mn.devices https://www.fau.eu/2015/11/03/news/research/an-easy-target-for-hackers, http://www.theinquirer.net/inquirer/news/2451793/gchq-intervenes-to-prevent-catastrophically-insecure-uk-smart-meter-plan 23 Weakness4: Relyingonsoftwarelibraries… …cangetoutofhandquickly 24 Thesecurityofcloud-basedandmobileapplicationsreliesonencrypted communications thatisoftenhandledby/inthird-partysoftwarelibraries. Recurrenttheme: failuretovalidateSSLcertificates 2012 Foundtobevulnerable: Amazon’sEC2Javalibrary,Amazon’s andPayPal’smerchantSDKs, osCommerce,ZenCart,Ubercart,and PrestaShop,Chasemobilebanking, ApacheAxis,Axis2,Codehaus XFire, andPushermiddleware 25 Vulnerabilitiesinsoftwarelibrariesareconcerningdueto(1)theirlargeimpact and(2)thefactthatittakeslongeruntilthepatchreachesendusers. AFNetworking (2015) SparkleUpdater (2016) 26 Weakness5: Withbigdatacomesbigresponsibility 27 Problem1:Consumershaveprivacyrights,e.g.toaccessanddeletetheir personaldata.Handlingrequestsisveryfrustratingforconsumersandvendors. Weconductedafieldstudywith 150appsand120websites. Evenafterthesecondmail only 1in2vendorscomplied. 1in4websiteownerscouldbe trickedintosendingthedata toadifferent e-mailaddress. Mostvendorsdeletedour accountswithoutprior confirmation. http://arxiv.org/abs/1602.01804 28 Problem1:Consumershaveprivacyrights,e.g.toaccessanddeletetheir personaldata.Handlingrequestsisveryfrustratingforconsumersandvendors. Weconductedafieldstudywith 150appsand120websites. Evenafterthesecondmail only1in2 vendorscomplied. Compliancewillbecomeimportant withupcomingEUGeneralData ProtectionRegulation (highfees) 1in4websiteownerscouldbe trickedintosendingthedata toadifferent e-mailaddress. Opportunity:operatorscould delegatethe processofhandling privacy-relatedrequeststo(cloud) serviceproviders inthefuture. Mostvendorsdeletedour accountswithoutprior confirmation. 29 Problem2:Misconceptionsabouttheeffectivenessofanonymization and pseudonymi-zation resultsininadvertentdisclosureofsensitivepersonaldata. Famouscase: Thepseudonymized NewYorkTaxiDataset Pseudonymization oflicenseplateandTaxiIDwithhashfunction(noteffective) MD5(9Y99) MD5(5296319) 71B9C3F3EE5EFB81CA05E9B90C91C88F, 98C2B1AEB8D40FF826C6F1580A600853, VTS,5,, 2013-12-0315:46:00,2013-12-0316:47:00,1,3660,22.71, -73.813927,40.698135, GPScoords -74.093307,40.829346 30 Problem2:Anonymization andpseudonymization aredifficultandmayresult ininadvertentdisclosureofsensitivepersonaldata. 31 Implications forvendorsandintegrators 32 Manyvulnerabilitiescouldbeavoided,Ifvendorsfollowedbestpracticesand securitymanagementstandards. https://www.enisa.europa.eu/activities/Resilience-and-CIIP/smart-infrastructures/intelligent-public-transport/goodpractices-recommendations/at_download/fullReport 33 Problem:Bestpracticesareoftenabstractandoforganizationalnature. OPERATORS integratecybersecurityincorporate governance implement astrategy addressing holistically cybersecurity&safetyrisks implementriskmgmt. forcybersecurity inmulti-stakeholder environments incl.contractorsanddependencies clearlyandroutinely specifytheir cybersecurityrequirements annuallyreviewcybersecurityprocesses,practicesandinfrastructures MANUFACTURERS createproducts/solutions thatmatch thecybersecurityrequirements ofendusers collaborateinthedevelopment ofIPTspecificstandards andapplythemtoIPT solutions develop atrustedinformationsharing platform onrisksandvulnerabilities provide securityguidance forsystems, products andsolutions https://www.enisa.europa.eu/activities/Resilience-and-CIIP/smart-infrastructures/intelligent-public-transport/goodpractices-recommendations/at_download/fullReport 34 Furthermore,itischallengingtodeterminewhichsecuritymeasuresto implementwithwhatpriority.Theutilityofmeasuresisdifficulttoassess. Popularmetric: ReturnonSecurityInvestment(ROSI) Calculationreliesongoodestimates for – annuallossexpectancy – mitigationratio https://www.enisa.europa.eu/activities/cert/other-work/introduction-to-return-on-security-investment/at_download/fullReport 35 Intoomuchdiscourse,truthislost:Statistics,organizationalmeasuresand paperauditsdistractfromthesourceofvulnerabilities:thesourcecode. opportunityforvendors bugsuncoveredbythe securitycommunity internalcodereviews expensiveand limitedcoverage penetrationtesting 36 Vendorsoftenmisstheopportunitytocollaboratewithsecurityresearchers. opportunityforvendors bugsuncoveredbythe securitycommunity internalcodereviews expensiveand limitedcoverage penetrationtesting 37 Asaresultthereisaflourishingblackmarketforsecurityvulnerabilities. Inresponsevendorsinthesoftwareindustryhavesetupbugbountyprograms. blackmarket forzero-dayexploits whitemarket bugbountyprograms opportunityforvendors bugsuncoveredbythe securitycommunity internalcodereviews expensiveand limitedcoverage penetrationtesting 38 TalesofInsecurity TAKE-AWAYMESSAGES Cloudcomputing,mobileapps,andbig 1 dataincreasetheimpactofattacks 2 Wewillseemorehigh-profileattacks untilindustrytakessecurityseriously. Vendorsshouldacceptthehelpofthe 3 securitycommunity. Dr.DominikHerrmann dh@exomail.to Slides:https://dhgo.to/tales "campfire"byMarkRoy islicensedunder CreativeCommonsAttribution 2.0.