NDC Oslo 15 – Takeaways from “50 Shades of AppSec”

This year’s version of NDC Oslo has a strong security theme throughout, and one of Troy Hunt’s talks — 50 Shades of AppSec — was one of the top-rated talks at the conference based on attendee feedback.

Sadly I missed the talk whilst at the conference but having just watched it on Vimeo it left me amused and scared in equal measure, and wondering if I should ever trust anyone with my personal information ever again…

Troy started by talking about the democratisation of hacking, that anybody can become a hacker nowadays, e.g.:

  • a 5-year-old boy that hacked the Xbox;
  • Chrome extensions such as Bishop that scan websites for vulnerabilities as you browse;
  • online tutorials on how to find a site with SQL Injection risk and paste a link into tools like Havij to download its data;
  • or you can go to hackerlist and hire someone to hack for you

The fact that hacking is so accessible these days has given rise to the culture of hacktivism.

image

When it comes to hacktivism, besides the kids (or young adults) you keep hearing about on the news, there’s a darker side to the story – criminal hacking.

Criminals are now taking blackmail and extortion into the digital age and demanding bitcoins to:

  • remove your (supposedly compromised) data from the internet;
  • expose more (supposedly compromised) data;
  • stop them from compromising a business’s reputation and online presence

And it’s not just your computer that’s at risk – routers can be hacked to initiate spoofing attacks too. This is why encryption and HTTPS are so important.

The good news is that even smart criminals are still fallible and sometimes they get tripped up by the simplest things.

For example, Ross Ulbricht (creator of Silk Road) was caught partially because he used his real name on Stack Overflow, where he posted a question on how to connect to a hidden Tor site using curl.

Or how Jihadi John was identified because he used his UK student ID to qualify for a discount on web development software that he was trying to purchase from a computer in Syria with a Syrian IP address.

Are we developers making it too easy for criminals? Judging by the horror examples (which, ok, might be a bit extreme) Troy demonstrated, perhaps we are.

From the horrifyingly obvious…

image

image

image

to perhaps something a bit more subtle (anyone who knew your email and DOB could reset your Betfair password, until they fixed it after Troy wrote a post about it)…

image

Sometimes we also make it too easy for our users to be insecure. Again, from the obvious…

image

image

To something more subtle (the following makes you wonder if passwords are visible in plain text to a human operator who is offended by certain words)…

image

Notice that a recurring theme seems to be this tension between security and usability – e.g. how to make login and password recovery simpler.

Perhaps the problem is that we’re not educating developers correctly.

For instance, how is it that in 2015 we’re still teaching developers to do password reset like this and leaving them wide open to SQL Injection attacks?

image

or that base64 encoding and ROT13 (or ROT5 in this case…) is a sufficient form of encryption…

image

image
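As an added illustration (my own example, not code from the talk or from any tutorial it showed), here is the pattern behind such a password-reset lookup: the account query built by string concatenation next to the parameterised version, run against a constructed in-memory SQLite table so the difference in behaviour can be observed directly.

```python
import sqlite3


def make_db():
    # Constructed sample table for the example; not real user data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, dob TEXT)")
    conn.executemany(
        "INSERT INTO users (email, dob) VALUES (?, ?)",
        [("alice@example.com", "1980-01-01"), ("bob@example.com", "1975-05-05")],
    )
    conn.commit()
    return conn


def find_account_vulnerable(conn, email, dob):
    # The anti-pattern many tutorials still teach: user input spliced into the SQL text,
    # so a quote character in the input changes the structure of the query itself.
    sql = ("SELECT id FROM users WHERE email = '" + email
           + "' AND dob = '" + dob + "'")
    return [row[0] for row in conn.execute(sql)]


def find_account_safe(conn, email, dob):
    # Parameterised query: the driver passes the values separately from the SQL text,
    # so they are only ever compared as data and can never alter the WHERE clause.
    sql = "SELECT id FROM users WHERE email = ? AND dob = ?"
    return [row[0] for row in conn.execute(sql, (email, dob))]


def demo():
    conn = make_db()
    # A legitimate reset request: both versions return the same single account.
    ok_vuln = find_account_vulnerable(conn, "alice@example.com", "1980-01-01")
    ok_safe = find_account_safe(conn, "alice@example.com", "1980-01-01")
    # Input containing a quote: the concatenated query's condition is rewritten and
    # matches every account, while the parameterised one compares the literal string.
    tampered = "x' OR '1'='1"
    bad_vuln = find_account_vulnerable(conn, tampered, tampered)
    bad_safe = find_account_safe(conn, tampered, tampered)
    return ok_vuln, ok_safe, bad_vuln, bad_safe


if __name__ == "__main__":
    print(demo())  # → ([1], [1], [1, 2], [])
```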

 

But it’s not just the developers that are at fault; sometimes even security auditors are accountable too.

image

And of course, let’s not forget the users.

For example, you might not want to have your passwords broadcast on national TV…

image

image

But we are also at fault for giving mixed messages to our users.

For example, why would a QR code scanner need access to your calendar and contacts? But with the design of this UI, all the user will see is the big green ACCEPT button that stands in the way of getting done what they need to do.

image

And social media is particularly bad when it comes to giving confusing messages.

Sometimes they aren’t even trying…

image

other times they make up things such as “security certificates” and throw scary words like “brute force attack” at users (how you are left open to one if you allow people to paste passwords into the text box is beyond me)…

image

and sometimes we leave users vulnerable to criminals (e.g. what if a criminal were to look for similar responses on EE’s Twitter account and then contact these users from a legitimate-looking account such as @EE_CustomerService with the same EE logo)…

image

And you can’t talk about security without talking about governments and surveillance (and Bruce Schneier talked about this in great detail in his opening keynote too).

For example, the US government has technology that can wiretap your VGA cable and see exactly what’s on your monitor.

image

Snowden’s leaks also showed that the US government was looking at Google’s infrastructure to find opportunities where they could siphon up all your data.

image

And the UK’s prime minister David Cameron was recently calling for an end to any form of digital communication that cannot be intercepted by the government’s intelligence agencies!

image

Finally, appsec gets really interesting when it intersects with the physical world.

For example, when we blindly apply practices from the digital world in the physical world, sometimes we forget simple truths about this world, such as letters being delivered in envelopes with large windows on them…

image

and the physical world has a way of circumventing security measures designed for the digital world…

image

As the digital and physical become ever more intertwined in IoT, security is going to be very interesting.

For example, a vulnerability was found in LIFX light bulbs which leaked credentials for the wireless network, allowing an attacker to compromise your home network.

Whilst LIFX has since fixed the vulnerability, the concern remains that any wifi-connected device is ultimately vulnerable and may be hacked.

How do we educate developers to defend against these attacks when so many of them are startups in a hurry to hit the market just to survive? How do we detect these vulnerabilities and investigate them? If your network is compromised, would you look to your light bulb as the entry point of the attack?

There are many questions we don’t even know to ask yet…

As for the users, if they’re struggling with keeping their passwords under control, how do we begin to educate them on the dangers they’re exposing themselves to when they purchase these “smart” house appliances?

For anyone who has played Watch Dogs, remember at the end of the game Aiden Pearce kills Lucky Quinn by hacking his pacemaker? This is the reality of the world we are headed for, and these kinds of risks will be (are?) very real and would impact all of us. Based on the evidence Troy has shown, it’s a world that many of us are not ready for…

Links