TRANSCRIPT
Security Pitfalls: A review of recurring failures
Dr. Dominik Herrmann
Download slides at https://dhgo.to/pitfalls
For common Internet Crime Schemes see http://www.ic3.gov/crimeschemes.aspx
Research on security, privacy, online tracking, forensics.
Postdoc researcher, University of Hamburg
Temporary professor, University of Siegen
Junior Fellow, German Informatics Society
Media reports about security revolve around fear, uncertainty, and doubt.
Many vulnerabilities could be avoided if vendors followed best practices and security management standards.
https://www.enisa.europa.eu/activities/Resilience-and-CIIP/smart-infrastructures/intelligent-public-transport/good-practices-recommendations/at_download/fullReport
Problem: Best practices are often abstract and of an organizational nature.
ENISA recommendations for operators and manufacturers:
– integrate cyber security in corporate governance
– implement a strategy addressing holistically cyber security & safety risks
– implement risk management for cyber security in multi-stakeholder environments, incl. contractors and dependencies
– clearly and routinely specify their cyber security requirements
– annually review cyber security processes, practices and infrastructures
– create products/solutions that match the cyber security requirements of end-users
– collaborate in the development of IPT-specific standards and apply them to IPT solutions
– develop a trusted information sharing platform on risks and vulnerabilities
– provide security guidance for systems, products and solutions
As more and more data is stored and processed, securing data against attacks becomes more important.
https://www.schneier.com/blog/archives/2016/09/organizational_1.html
Security goals and the attacks against them:
– availability: ransomware
– confidentiality: data leaks, organizational doxing
– integrity: data manipulation
The Classical Engineering Perspective: PROACTIVE SECURITY
Weakness 1: Out of sight, out of mind
Exploiting known vulnerabilities is still a very successful attack vector. Vendors and users fail to patch their software in a timely manner.
http://www.wired.co.uk/news/archive/2016-04/06/panama-papers-mossack-fonseca-website-security-problems
Mossack Fonseca ran an old Outlook Web Access (2009) and Drupal (2013, 25 vulnerabilities)
Heartbleed (2014): 128k vulnerable devices in 9/2016
http://bc.ctvnews.ca/security-flaw-lets-smartphone-users-hack-transit-gates-1.2852464
UltraReset attack on MiFare Ultralight (New Jersey & San Francisco, 2012) … still works in 2016 (Vancouver)
Weakness 2: Fools with tools … don't know their trade
Due to unawareness, carelessness, and haste, vendors ship products with embarrassing security holes, for instance in user authentication.
http://heise.de/-3248831 and http://heise.de/-3308004
ABUS, Blaupunkt, Lupus alarm systems (2016):
– insecure default passwords
– can be disabled without the PIN
also: Loxone Smart Home (2016)
Many industries are currently learning how to do security properly.
http://www.hotforsecurity.com/blog/vulnerability-in-vaillant-heating-systems-allows-unauthorized-access-5926.html
Vaillant heating systems (2015):
– authentication and password check performed by a Java applet in the user's browser
Weakness 3: Underestimating the adversary
Insecure designs result from software developers making poor decisions because of wrong assumptions.
http://www.forbes.com/sites/thomasbrewster/2015/02/02/bmw-door-hacking/
BMW ConnectedDrive (2015)
– all cars used the same cryptographic key
– communication with BMW servers was not protected
Impact: car doors could be unlocked by sending a faked SMS to the car
The developers' assumptions (“No one is able to …”):
– reverse engineer the hardware where the key is stored
– set up a fake GSM network to send an SMS to the car
Researchers just did it.
See also: http://fortune.com/2016/08/11/volkswagen-car-remote-warning/
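As an added example (not from the talk, and not BMW's or any vendor's code), the following Python sketch shows why one key shared across a whole fleet over an unprotected channel is a single point of failure, and what per-vehicle keys plus message authentication and a freshness counter give a defender; the VINs, keys and messages are constructed for the demo.

```python
# Added example, not from the talk: per-vehicle keys, a MAC and a counter
# versus a fleet-wide key on an unauthenticated channel. All values constructed.
import hashlib
import hmac
import secrets

def derive_vehicle_key(master_key: bytes, vin: str) -> bytes:
    """Per-vehicle key the backend derives from a master it never ships.
    A key read out of one car's hardware is useless against any other car."""
    return hmac.new(master_key, vin.encode(), hashlib.sha256).digest()

def make_command(key: bytes, vin: str, counter: int, action: str) -> dict:
    """Backend side: bind vin, counter and action together under the car's key."""
    payload = f"{vin}|{counter}|{action}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"vin": vin, "counter": counter, "action": action, "tag": tag}

class Vehicle:
    def __init__(self, vin: str, key: bytes):
        self.vin, self.key, self.last_counter = vin, key, 0

    def receive(self, msg: dict) -> bool:
        """Accept only a command addressed to this car, authenticated with
        its own key and newer than anything already processed (replay check)."""
        if msg["vin"] != self.vin or msg["counter"] <= self.last_counter:
            return False
        payload = f"{msg['vin']}|{msg['counter']}|{msg['action']}".encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return False  # forged, tampered, or signed for another car
        self.last_counter = msg["counter"]
        return True

def demo() -> dict:
    """Genuine command accepted; replay, tampering and cross-car use rejected."""
    master = secrets.token_bytes(32)
    car_a = Vehicle("VIN-A", derive_vehicle_key(master, "VIN-A"))
    car_b = Vehicle("VIN-B", derive_vehicle_key(master, "VIN-B"))
    genuine = make_command(car_a.key, "VIN-A", 1, "unlock")
    tampered = dict(make_command(car_a.key, "VIN-A", 2, "lock"), action="unlock")
    # a command signed with car A's key but addressed to car B: with a
    # fleet-wide key this would pass, with per-vehicle keys it fails
    cross_car = make_command(car_a.key, "VIN-B", 1, "unlock")
    return {
        "genuine": car_a.receive(genuine),
        "replay": car_a.receive(genuine),
        "tampered": car_a.receive(tampered),
        "cross_car": car_b.receive(cross_car),
    }
```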
Weakness 4: Outsourcing security to vendors … can get out of hand quickly
The RFID tickets used for public transport in Berlin stored the last 10 waypoints, which could be used to create personal location profiles of commuters.
http://glm.io/118226
– operators denied the leak until proven wrong
– claimed that tracking was enabled by the vendor without their knowledge
Weakness 5: Social Engineering
High-profile frauds heavily rely on social engineering.
http://www.securityweek.com/austrian-firm-fires-ceo-after-56-million-cyber-scam
https://www.leoni.com/en/press/releases/details/leoni-targeted-by-criminals/
“Fake President Fraud”
also: “Spear Phishing”
Consumers have privacy rights, e.g. to access and delete their personal data. Handling requests is very frustrating for consumers and vendors.
http://arxiv.org/abs/1602.01804
We conducted a field study with 150 apps and 120 websites.
– Even after the second mail only 1 in 2 vendors complied.
– 1 in 4 website owners could be tricked into sending the data to a different e-mail address.
– Most vendors deleted our accounts without prior confirmation.
A More Recent Approach: REACTIVE SECURITY
The Classical Engineering Perspective: PROACTIVE SECURITY
It is difficult to track down proficient adversaries.
https://bitcoin.org, https://torproject.org
– anonymized communications
– cryptographic currencies
3 CONSIDERATIONS FOR REACTIVE SECURITY
– not all hackers are equal: black hats vs. white hats
– intrusion detection: find anomalies (logging & audits)
– emergency protocols: operations and communications
Vendors often miss the opportunity to collaborate with security researchers.
https://www.schneier.com/blog/archives/2013/08/scientists_bann.html
https://www.cnet.com/news/judge-orders-halt-to-defcon-speech-on-subway-card-hacking/
bugs uncovered by the security community → opportunity for vendors
As a result there is a flourishing black market for security vulnerabilities. In response, the software industry has started to set up bug bounty programs.
– black market: zero-day exploits
– white market: bug bounty programs
TAKE-AWAY MESSAGES
1. Consider attacks on confidentiality, integrity, and availability of your (customers') data.
2. Learn from attacks on others and avoid common mistakes in proactive measures.
3. Prepare to react to security incidents and collaborate with the security community.
Security Pitfalls
[email protected]
https://dhgo.to/pitfalls