cybercrime and the developer: how to start defending against the darker side [con3328]

Cybercrime and the Developer: How to Start Defending Against the Darker Side

Steve Poole

CON3328

About meSteve PooleIBM Lead Engineer

@spoole167

Making Java Real Since Version 0.9

Open Source Advocate

DevOps Practitioner (whatever that means!)

Driving Change

Currently creating Development Pipeline tool chains for IBM cloud products

This talk• I’m a DevOps practitioner – not a security expert.

• Arose because of “compliance” • What does that mean?• How do I find out more?

• Arose because I didn’t understand what the fuss was all about

• Arose because giving uneducated developers access to cloud resources generally has unfortunate consequences

• Is not about Application Design• It’s about how and why we need to behave differently.

• Here’s what I’ve learnt so far…

But I know quite a few now

Outline• What’s the problem – why does this all matter?• Who is at risk?• Who are the bad guys?• How do they get in?• How you need to change?• What you need to change?• Going forward..

@spoole167https://www.flickr.com/photos/karen_roe/

Is this your system?

@spoole167https://www.flickr.com/photos/77278206@N02/

Maybe its more like this?

@spoole167https://www.flickr.com/photos/bambe1964/

Unless you pay attention it’s soon going to be like this

Cybercrime realities

“Organized Cybercrime is the most profitable type of crime” • Cybercrime is estimated to be worth 445 Billion Dollars a Year

• In 2013 the United Nations Office on Drugs and Crime (UNODC) estimated globally the illicit drug trade was worth 435 Billion Dollars

• Guess which one has the least risk to the criminal?• Guess which is growing the fastest?• Guess which one is the hardest to prosecute?

• Guess which one is predicted to reach 2100 Billion Dollars by 2019?

Lesson 0

Wake Up!This is real.

You have a key role

What data are they after?• Moving beyond credit card numbers

• Long term identify theft

• That means quiet and repeated infiltration • no more cyber-graffiti “Thiz Site belonz to uz”• Though any personal data is useful and worth $$$

• Medical data, Sensitive Personal Information etc

• Information that gives insight into behavior• Access to your systems

Lesson 1Protect all data

Its about Facts about you• Any piece of personal information about YOU is useful. It get’s sold on and somewhere

someone brings it all together.• Can I connect your email address to your data of birth?• Can I find out where you live?• Can I find out who you work for?• Can I find out what you think about your boss?• Can I find out what sites you’ve visited?

• The more I know about you – the more I can refine the attack. • The more I know about you – the more $$ I can make

• And attacks are more than “technical”

Lesson 2All your data is

valuable

• DEAR SIR/MA'AM.

• YOUR ATM CARD OF $10.5MILLION DOLLARS WAS RETURNED TODAY BY OUR COURIER DELIVERY COMPANY, AND WE ARE GOING TO CANCEL THE ATM CARD IF YOU FAILS TO ACKNOWLEDGE THIS MESSAGE, WE SHALL ALSO ASSUME THAT WHAT OUR COURIER DELIVERY COMPANY TOLD US IS NOTHING BUT THE TRUTH THAT YOU DON'T NEED YOUR ATM CARD OF $10.5 MILLION DOLLARS ANY LONGER.

• DO ACKNOWLEDGE THIS MESSAGE AS SOON AS POSSIBLE.

• YOURS FAITHFULLY.

• YOURS SINCERELY,• MR MARK WRIGHT,• DIRECTOR FOREIGN REMITTANCE• ATM CARD SWIFT PAYMENT DEPARTMENT• ZENITH BANK OF NIGERIA. 😀

Federal Bureau of Investigation (FBI)Anti-Terrorist And Monitory Crime Division.Federal Bureau Of Investigation.J.Edgar.Hoover Building Washington DcCustomers Service Hours / Monday To SaturdayOffice Hours Monday To Saturday: Dear Beneficiary, Series of meetings have been held over the past 7 months with the secretary general of the United Nations Organization. This ended 3 days ago. It is obvious that you have not received your fund which is to the tune of $16.5million due to past corrupt Governmental Officials who almost held the fund to themselves for their selfish reason and some individuals who have taken advantage of your fund all in an attempt to swindle your fund which has led to so many losses from your end and unnecessary delay in the receipt of your fund.for more information do get back to us.….Upon receipt of payment the delivery officer will ensure that your package is sent within 24 working hours. 😀

Dear Winner,

This is to inform you that you have been selected for a prize of a brand new 2016 Model BMW Hydrogen 7 Series Car, a Check of $500,000.00 USD and an Apple laptop from the international balloting programs held on the 27th, section of the 2016 annual award promo in the UNITED STATE OF AMERICA.

😀

No-one falls for those sort of things do they?

From <your boss>

I’ve spoken to the Italians and they will send us the goods if we pay $3M immediately. Details below.

I’m off to the golf course – no distractions please.

☹️Lesson 3

If something is suspicious or unusual – double check. You think all the bad guys are stupid?

an email from an international transport company urging recipients to open a waybill in a zip

(The Zip content launches a downloader)

The targets are busy and not IT savy. The criminals are IT savy and industry savy ☹️☹️

Even moreEmail Instructions to victims to download an Android app onto a mobile device. That app contains a SMS hijacker.

The app listens for incoming SMS messages containing transaction authorization codes from the bank.

Lesson 4Never install software without checking

it’s providence

Phishing -> Spear Phishing -> Personalised Attacks• The move is towards more organised and long term attacks that are

hidden from view.

• Think about this – when you’re trawling the net for gullible people you set the bar low.

• With personalised attacks you invest more and make it compelling.• You victims views on Facebook about their boss, how busy they are,

important deals coming up. It all helps to craft that million dollar scam…

Who’s being targeted?• Middle level executives – afraid of their bosses?• New joiners – easy to make a mistake?• Busy and harassed key individuals – too busy to take time to consider?• Disgruntled employees – want to hurt the company? Make some $?

• And Developers – the golden goose.

Lesson 5The bad guys prey on the weak,

vulnerable and ignorant

Developers• Why ?

• We know the inside story• We write the code• We have elevated privileges• We are over trusting• We use other peoples code and tools without inspection• we are ignorant of security matters

Lesson 6The bad guys prey on the weak,

vulnerable and ignorant:That’s you

Don’t agree?

“The bad guys prey on the weak, vulnerable and ignorant: That’s you”

Every googled for:

“very trusting trust manager”

“Getting Java to accept all certs over HTTPS”

“How to Trust Any SSL Certificate”

“Disable Certificate Validation in Java”

TrustManager[] trustAllCerts = new TrustManager[]{

new X509TrustManager() { public X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted( X509Certificate[] certs, String authType) { } public void checkServerTrusted( X509Certificate[] certs, String authType) { } public boolean isClientTrusted( X509Certificate[] cert) { return true; } public boolean isServerTrusted( X509Certificate[] cert) { return true; } } };

Ever written something

like this?

curl –insecure

wget --no-check-certificate

sudo apt-get --allow-unauthenticated

Or this?

We’ve all done something like that


We do it all the time



The whole world does it

How bad can it be?



The whole world does it

Github search “implements TrustManager” ….

We’ve found 72,609 code results

AlwaysValidTrustManager

TrustAllServersWrappingTrustManager

A very friendly, accepting trust manager factory. Allows anything through. all kind of certificates are

accepted and trusted.

A very trusting trust manager that accepts anything

// Install the all-trusting trust manager

OverTrustingTrustProvider

AllTrustingSecurityManagerPlugin.java

AcceptingTrustManagerFactory.java AllTrustingCertHttpRequester.java

Developers are too trusting.

Linux Repos

npm

npm is the package manager for JavaScript. Find, share, and reuse packages of code from hundreds of thousands of developers — and assemble them in powerful new ways.

Great sentiments. “But Caveat Emptor”

@spoole167https://www.flickr.com/photos/bambe1964/

Are you still paying attention?

So who are the bad guys?

https://www.flickr.com/photos/monsieurlui/

A mirror of you?• Organized and methodical

• organized like startup companies. • “employ” highly experienced developers with deep knowledge • Constantly innovating malware, seeking out vulnerabilities• Sharing what they find with each other (for $ of course)

• Goal focused• the average age of a cybercriminal is 35 years old.

Already into crime• Adrian Leppard, the Commissioner of the City of London Police:

• “We estimate that around 25 per cent of the organized crime groups in this country are now involved in financial crime in one shape or another…”

• University of Cambridge researchers report that 60% of cyber-criminals had criminal records which were completely unrelated to cyber-crime

• “those traditional offenders are changing their behavior and moving to the internet”.

Lesson 7Cybercriminals mostly get caught for something other than

cybercrime

Cybercrime: Expanding the attack vector

Basic ways in: The old fashioned set• Social engineering – convince you to open the door• Vulnerability exploits – find doors already open• Inside information – you tell them where the keys are for gain

Lesson 8The bad guys can already get into your systems easier than you

ever thought possible.

Vulnerabilities• Bugs and design flaws in your software and

the software you use.• Everyone has them.

• Researchers are looking for them all the time.

• So are the bad guys

https://www.flickr.com/photos/electronicfrontierfoundation/

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=java

Vulnerabilities

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=serialization

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=javascript

• It’s usually a combination of software weaknesses that get exploited

• Sometimes a BIG exploit appears

• Zero Day exploits are just that.

• Shame we don’t give them much attention

• Someone elses problem?

Vulnerabilities Lesson 9Vulnerabilities are everywhere

Lesson 10Keeping up-to-date with critical

patches is one of the most important things you can do

Lesson 11Ignoring this side of Software

Engineering is criminal

The new attack vectors• Devices, Devices, Devices

• Eavesdropping, network devices with default passwords• Drive-by gateways

• Ransomware• Blackmail and extortion• Extending Malware into real products.

• Helpful free stuff – like docker images• Dangerous paid stuff - like game trainers• Actual ’at the source’ injections - like pull requests!• Like unknown helpful people – do you know what can happen in a

git merge?

https://www.flickr.com/photos/famzoo/

Devices inside your network• What’s CPU’s are connected to your network?

• Smart printers?• Smart TV’s?• BYODs?

• How many devices have default passwords?• How many computers have passwords that everyone knows?• How many are running older unpatched software?

Lesson 12You cannot ever assume your internal network is safe

and uncompromised

Lesson 13Really Strong

authentication is an

imperative.

Personal Passwords• What can I say: use keys wherever you can• Treat passwords and private keys like the crown jewels.• Have as many different passwords/keys as you can for different functions and activities• Use a good password safe• Never divulge your password to anyone or write it down. • Once it’s out of your hands treat it as hacked

Lesson 14Understand just how easily (or not) passwords can be cracked

https://en.wikipedia.org/wiki/Password_cracking

Wifi Gateways

Are everywhere

How do you know that a SSID you see is not fake?

In your office.

In your home.

At a conference

In a Coffee Shop.

Wifi Gateways

Are everywhere

Many legitimate ones encourage bad practices

Wifi Gateways

Pi Zero

WIFI Dongle

USB Power

Would you notice this stuck to the wall?

https://www.flickr.com/photos/yodelanecdotal/

Spoofing Wifi gateways is really, really easy

Millennials and Developers fall for it every time

Here‘s how it works

Internet😀websitegateway

The normal (simplified) flow for http

Give me data

browser

Here is data


Man in the middle attack for http

Give me data

browser

Here is data

Give me data

Do bad things with data

Here is data

SSID: OpenConferencePassword: easy


The normal (simplfied) flow for https

Client Hello (max SSL version supported)

browser

Server Hello (what SSL version to be used)

Server SSL CertificateCheckCertificate

Send random local key encoded using Server SSL certificate

Secure, two way encrypted communications

CertificateAuthorities


Man in the middle attack for https – version 1

Client Hello

browser

Server Hello

Server SSL CertificateCheck

Certificate

Send different random local key

Secure communications

Client Hello

Server Hello

Gateway SSL Certificate

Send random local key

Secure, two way communications Do bad things with

data

CertificateAuthorities



Client Hello

browser

Server Hello


Certificate



Client Hello

Server Hello




data

Bogus Certificate Authority



Client Hello

browser

Server Hello


Certificate



Client Hello

Server Hello




data

Internal CA

It gets worse• If your initial request to a server is http (ie unencrypted) • A MITM can replace all inline https references with http• Then when your form is submitted it’s sent unencrypted • Maybe the server will bounce the request. But it’s too late- your private data is gone.

• Typical pattern: 1. MITM tracks a single important server target. The thieves now how the flows work. They track

your usage2. When your userid / password is requested the https is already forced to http. 3. Your data is sent in the clear. The MITM sends you a ‘there was a problem’ msg and gets out of your

way.4. You refresh and resubmit. 5. None the wiser…


Stealing your data with http

http

browser

post to https://foo.com

http

post to http://foo.com

http post

Server unavailable

Steal your data

RELOAD http

https post

post to https://foo.com

Wifi gateways

Lesson 15There are so many ways your data is at risk.

Use a VPN to get to a gateway you trust. Be very wary of http urls in general

Man in the middle attacksLesson 16

You cannot assume the data you have accessed is valid unless you have a secure connection at all times.

Otherwise you could download modified or copied files:Docker Images, ISO’s, exes, RPMs, PowerPoint, Text files

Anything.

Lesson 17Assertions and assumptions don’t “cut the mustard”

Deep dive into the communications processes and prove it

More bad news• Our use of tools that interact over ssl tend to have the certificate

checking turned off!• For reasonable reasons?

• “The server I access is self-signed”• “I want to access multiple servers “

• Unexpectedly?• “I thought I was using the tool correctly”• “I didn’t realize what the default setting was”• “I trusted the tool to do the right thing”

• Maliciously?• “Someone changed the script and I don’t know why”

Lesson 18 – sloppy use of tools will bite you big time

Lesson 19 – Don’t make assumptionsProve the tools do what you expect. Build “fake / compromised” target

servers etc and add to your testsuites

Lesson 20 – Reduce opportunities for unaccountable process changes by adopting DevOps principles for Infrastructure-as-Code etc

And even worse…• Developers download code, tools, certificates etc without considering

the consequences.

• We believe implicitly that other developers are trustworthy.

How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScriptCode pulled from NPM – which everyone was usinghttp://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

What if he’d added malware instead?

Lesson 21 – Don’t download or depend on random code. Ensure you trust the providers and you undersand what they are doing to earn and keep your trust. Examine the processes they have to ensure that the code / binaries /

certificates being hosted are legitimate

Lesson 22 – Build your own internal caches and repositories. Scan them for known vulnerabilities AND change all those embedded default passwords

OR buy the service from someone you trust.

Recap• Cybercrime is set to become the largest form of crime ever• Developers are key to preventing this• We’re one of the worst adaptors of security protocols and practises

With great power comes great responsibility

• “Developers are overly-focused on testing and scanning for known vulnerabilities in software after it’s been released, and under-focused on poor software development practices that lead to vulnerable applications that hackers can exploit. This may be the biggest cyber threat of all.”

• Frank Zinghini, CEO of Applied Visions

Developers to the rescue?• What we all have to do differently from now on

• Be much more security conscious• Become intimately aware of how the bad guys get in• Reduce our blind trust levels• Learn how authentication and encryption actually works• Make security a part of our psyche• Bring Security Architects into the development process

More snippets of advice

• Don’t allow any admin access from outsite your firewall except via a VPN• Don’t allow admin / critical functions to be executed on arbitrary developer m/cs• Use strong firewalls on every system • Whitelist outgoing connections. • Hack your own systems…• Change ALL default passwords• Docker –if the is no Dockerfile run away. If there is a dockerfile read it and build

your own image. (How do you know the image and the docker file match)• Reduce likelihood of exploits etc escaping by using separate Virtual Machines for

different actives. • Don’t add developer backdoors!

https://www.flickr.com/photos/schill/

Why do you need a blanket “god” mode?

Why would you deploy a server or application with default passwords unchanged?

Why would you share this power? Why would you

remain ignorant of how your system or home is kept secure?

Would you have one key for every lock at home?

Would you give your colleagues power of attorney over you?

Would you have a front door with a lock that every one in th world had a key to?

Defense against CybercrimeThere is no magic wand.

It’s completely in your hands.https://www.flickr.com/photos/byaka/