Slides

Tales of Insecurity
Evergreens, developments, and insights for integrators and service providers
Dr. Dominik Herrmann, University of Hamburg, University of Siegen
Download slides at https://dhgo.to/tales

Dr. Dominik Herrmann: research on security, privacy, online tracking, forensics. PhD and Postdoc @ University of Hamburg; temporary professorship @ University of Siegen; Junior Fellow of the German Informatics Society.
For common Internet Crime Schemes see http://www.ic3.gov/crimeschemes.aspx
DAILY NEWS: THE GENIE IS OUT OF THE BOTTLE – WE ARE DOOMED
NEW OPPORTUNITIES: Cloud Services, Big Data, Mobile Apps
NEW THREATS: Attacks on Critical Infrastructure, Data Leaks, Ransomware and Fraud
Big Data: "data will become the oil of the 21st century" – Meglena Kuneva, EU Consumer Commissioner
Data Leaks: "data has become a toxic asset, a liability" – Bruce Schneier, https://www.schneier.com/blog/archives/2016/03/data_is_a_toxic.html
In the last decade we have witnessed many high-profile data leaks.
(Visualization of the large number of high-profile data leaks: www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/)
Data leaks have an interesting property: collateral damage that affects (1) citizens and (2) contractors of the victim.
http://futurezone.at/digital-life/datenleck-20-000-wiener-linien-kunden-betroffen/158.677.940
Collateral damage allows data leaks to be monetized.
THEN: hacking "for the lulz"
NOW (2015): hacking for profit
http://www.csoonline.com/article/2996883/data-breach/talktalk-hit-by-data-breach-and-ransom-demand.html
Two recent developments help adversaries get away with their demands: cryptocurrencies and anonymized communications.
collateral damage → leverage → for profit
https://bitcoin.org, https://torproject.org
How did the genie get out of the bottle?
FIVE WEAKNESSES
Weakness 1: Out of sight, out of mind
Exploiting known vulnerabilities is still a very successful attack vector. Vendors and users fail to patch their software in a timely manner.
Mossack Fonseca ran old Outlook Web Access (2009) and Drupal (2013, 25 vulns).
http://www.wired.co.uk/news/archive/2016-04/06/panama-papers-mossack-fonseca-website-security-problems
UltraReset attack on MiFare Ultralight (New Jersey & San Francisco, 2012) … still works in 2016 (Vancouver).
http://bc.ctvnews.ca/security-flaw-lets-smartphone-users-hack-transit-gates-1.2852464
Weakness 2: Fools with tools … don't know their trade
Due to unawareness, carelessness, and haste, vendors ship products with embarrassing security holes, for instance in user authentication.
Maginon webcams (2015):
1. bypasses firewall of DSL router via UPnP
2. comes with empty default password
Thousands of cameras sold at ALDI and Hofer.
Insecure devices can now be discovered by everyone within a short time by querying specialized search engines like shodan.io.
Many industries are currently learning how to do security properly.
Vaillant heating systems (2015): authentication and password check performed by a Java applet in the user's browser.
http://www.hotforsecurity.com/blog/vulnerability-in-vaillant-heating-systems-allows-unauthorized-access-5926.html
Weakness 3: Underestimating the adversary
Insecure designs result from software developers making poor decisions because of wrong assumptions.
BMW ConnectedDrive (2015)
– all cars used the same cryptographic key
– communication with BMW servers was not protected
"No one is able to…"
– reverse engineer the hardware where the key is stored
– set up a fake GSM network to send an SMS to the car
Researchers just did it.
Impact: car doors could be unlocked by sending a faked SMS to the car.
More wrong assumptions:
– proposal to use the same cryptographic key on 53 mn. devices
– proposal to run the banking app and the TAN app on the same phone
https://www.fau.eu/2015/11/03/news/research/an-easy-target-for-hackers, http://www.theinquirer.net/inquirer/news/2451793/gchq-intervenes-to-prevent-catastrophically-insecure-uk-smart-meter-plan
Weakness 4: Relying on software libraries … can get out of hand quickly
The security of cloud-based and mobile applications relies on encrypted communications, which are often handled by or in third-party software libraries.
Recurrent theme: failure to validate SSL certificates.
Found to be vulnerable in 2012: Amazon's EC2 Java library, Amazon's and PayPal's merchant SDKs, osCommerce, ZenCart, Ubercart, and PrestaShop, Chase mobile banking, Apache Axis, Axis2, Codehaus XFire, and Pusher middleware.
Vulnerabilities in software libraries are concerning due to (1) their large impact and (2) the fact that it takes longer until the patch reaches end users.
Examples: AFNetworking (2015), Sparkle Updater (2016).
Weakness 5: With big data comes big responsibility
Problem 1: Consumers have privacy rights, e.g. to access and delete their personal data. Handling requests is very frustrating for consumers and vendors.
We conducted a field study with 150 apps and 120 websites (http://arxiv.org/abs/1602.01804):
– Even after the second mail only 1 in 2 vendors complied.
– 1 in 4 website owners could be tricked into sending the data to a different e-mail address.
– Most vendors deleted our accounts without prior confirmation.
Compliance will become important with the upcoming EU General Data Protection Regulation (high fees).
Opportunity: operators could delegate the process of handling privacy-related requests to (cloud) service providers in the future.
Problem 2: Misconceptions about the effectiveness of anonymization and pseudonymization result in inadvertent disclosure of sensitive personal data.
Famous case: the pseudonymized New York Taxi Dataset.
Pseudonymization of license plate and Taxi ID with a hash function (not effective):
MD5(9Y99), MD5(5296319) → 71B9C3F3EE5EFB81CA05E9B90C91C88F, 98C2B1AEB8D40FF826C6F1580A600853, VTS,5,,2013-12-03 15:46:00,2013-12-03 16:47:00,1,3660,22.71,-73.813927,40.698135,-74.093307,40.829346 (the last four fields are GPS coords)
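Why hashing identifiers drawn from a tiny space is a relabelling rather than anonymization, as an added example that is not part of the slides: it implements the pre-release check a data owner should run against the MD5 scheme, and contrasts it with a keyed alternative. The medallion format (digit, letter, two digits, modelled on "9Y99") and every identifier are assumptions.

```python
import hashlib
import hmac
import itertools
import secrets
import string

# Assumed identifier format, modelled on the slide's "9Y99":
# <digit><letter><digit><digit>. Constructed for illustration.

def md5_pseudonym(value: str) -> str:
    """The scheme the slide calls ineffective: plain MD5 of the raw identifier."""
    return hashlib.md5(value.encode()).hexdigest().upper()

def medallion_keyspace():
    """Every string of the assumed format: only 10 * 26 * 10 * 10 = 26,000 values."""
    for d1, letter, d2, d3 in itertools.product(
            string.digits, string.ascii_uppercase, string.digits, string.digits):
        yield f"{d1}{letter}{d2}{d3}"

def reversal_table(ids):
    """Data owner's pre-release check: hash the whole keyspace once. If every
    published pseudonym appears as a key here, the scheme hides nothing."""
    return {md5_pseudonym(v): v for v in ids}

def recover(pseudonym: str, table: dict):
    """Map a pseudonym back to its plaintext, or None if the table lacks it."""
    return table.get(pseudonym)

def keyed_pseudonym(value: str, key: bytes) -> str:
    """Keyed alternative: HMAC-SHA256 under a secret held only by the data owner.
    Without the key nobody can rebuild the table; the output still links all
    records of one taxi, so the data remains pseudonymous, not anonymous."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

if __name__ == "__main__":
    table = reversal_table(medallion_keyspace())
    print(len(table), "pseudonyms precomputed")        # 26000
    print(recover(md5_pseudonym("9Y99"), table))       # 9Y99
    key = secrets.token_bytes(32)                      # owner's secret
    keyed = keyed_pseudonym("9Y99", key)
    # A table built under a guessed key does not contain the real pseudonym.
    guess_table = {keyed_pseudonym(v, b"guessed-key"): v for v in medallion_keyspace()}
    print(guess_table.get(keyed))                      # None
```

The same check applies to the 7-digit Taxi ID: 10^7 candidates are still trivial to enumerate, so a table-based reversal is just as cheap there.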
Problem 2: Anonymization and pseudonymization are difficult and may result in inadvertent disclosure of sensitive personal data.
Implications for vendors and integrators
Many vulnerabilities could be avoided if vendors followed best practices and security management standards.
https://www.enisa.europa.eu/activities/Resilience-and-CIIP/smart-infrastructures/intelligent-public-transport/goodpractices-recommendations/at_download/fullReport
Problem: Best practices are often abstract and of organizational nature.
OPERATORS
– integrate cybersecurity in corporate governance
– implement a strategy addressing cybersecurity & safety risks holistically
– implement risk mgmt. for cybersecurity in multi-stakeholder environments, incl. contractors and dependencies
– clearly and routinely specify their cybersecurity requirements
– annually review cybersecurity processes, practices and infrastructures
MANUFACTURERS
– create products/solutions that match the cybersecurity requirements of end users
– collaborate in the development of IPT-specific standards and apply them to IPT solutions
– develop a trusted information sharing platform on risks and vulnerabilities
– provide security guidance for systems, products and solutions
https://www.enisa.europa.eu/activities/Resilience-and-CIIP/smart-infrastructures/intelligent-public-transport/goodpractices-recommendations/at_download/fullReport
Furthermore, it is challenging to determine which security measures to implement with what priority. The utility of measures is difficult to assess.
Popular metric: Return on Security Investment (ROSI)
Calculation relies on good estimates for
– annual loss expectancy
– mitigation ratio
https://www.enisa.europa.eu/activities/cert/other-work/introduction-to-return-on-security-investment/at_download/fullReport
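A worked ROSI calculation, added here and not part of the slides, using the formula from the ENISA report cited above and constructed figures; it shows how the verdict on a measure flips with the mitigation-ratio estimate and how to quantify that dependence:

```python
# ENISA's definition: ROSI = (ALE * mitigation ratio - cost) / cost, where
# ALE (annual loss expectancy) = SLE (single loss expectancy) * ARO (annual
# rate of occurrence). All numbers below are constructed for illustration.

def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected yearly loss from one threat scenario."""
    return sle * aro

def rosi(ale: float, mitigation_ratio: float, solution_cost: float) -> float:
    """Return on security investment; positive means the measure pays for itself."""
    return (ale * mitigation_ratio - solution_cost) / solution_cost

def break_even_mitigation_ratio(ale: float, solution_cost: float) -> float:
    """Mitigation ratio at which ROSI is exactly zero."""
    return solution_cost / ale

def share_of_estimates_paying_off(ale_estimates, ratio_estimates, solution_cost) -> float:
    """Fraction of (ALE, mitigation ratio) estimate pairs with positive ROSI.
    A value far from 0 or 1 means the decision hinges on the estimates."""
    pairs = [(a, r) for a in ale_estimates for r in ratio_estimates]
    positive = sum(1 for a, r in pairs if rosi(a, r, solution_cost) > 0)
    return positive / len(pairs)

if __name__ == "__main__":
    # Constructed scenario: a breach costing 200,000 EUR, expected every two
    # years; the proposed control costs 40,000 EUR per year.
    ale = annual_loss_expectancy(200_000, 0.5)          # 100,000 EUR
    print(rosi(ale, 0.5, 40_000))                       # 0.25  -> pays off
    print(rosi(ale, 0.3, 40_000))                       # -0.25 -> does not
    print(break_even_mitigation_ratio(ale, 40_000))     # 0.4
    ales = [70_000, 100_000, 130_000]                   # +/- 30 % uncertainty
    ratios = [0.25, 0.35, 0.45, 0.55, 0.65]
    print(share_of_estimates_paying_off(ales, ratios, 40_000))  # 8/15
```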
In too much discourse, truth is lost: statistics, organizational measures and paper audits distract from the source of vulnerabilities: the source code.
Ways to find bugs in the source code:
– internal code reviews and penetration testing: expensive and limited coverage
– bugs uncovered by the security community: opportunity for vendors
Vendors often miss the opportunity to collaborate with security researchers.
As a result there is a flourishing black market for security vulnerabilities (black market for zero-day exploits). In response, vendors in the software industry have set up bug bounty programs (white market).
Tales of Insecurity – TAKE-AWAY MESSAGES
1. Cloud computing, mobile apps, and big data increase the impact of attacks.
2. We will see more high-profile attacks until industry takes security seriously.
3. Vendors should accept the help of the security community.
Dr. Dominik Herrmann, dh@exomail.to
Slides: https://dhgo.to/tales
"campfire" by Mark Roy is licensed under Creative Commons Attribution 2.0.