Solving for Somebody Else's Problem: Hacking Devs for Better Security

BSides Las Vegas · 2018 · 35:36 · 44 views · Published 2018-09
Style: Talk
About this talk
A practitioner who reviews application security findings with developers all day shares techniques for turning adversarial security conversations into collaborative ones. Drawing on social engineering tactics and Dale Carnegie's principles, the talk covers framing vulnerabilities as code-quality bugs, avoiding negative reinforcement, and using leading questions so developers arrive at fixes themselves rather than being told what to do.
Solving for Somebody Else's Problem: Hacking Devs for Better Security - Sarah Gibson Common Ground BSidesLV 2018 - Tuscany Hotel - Aug 08, 2018
Transcript (en)

Hi everyone, thanks for showing up. My name is Sarah Gibson, apiary on the Internet. OK, try not to eat this. All right, so, hi. I work at CA Veracode. I talk to people about the security findings in their applications; it is what I do. I talk to developers all day long. I've been doing this for two years. I've been working in application security at Veracode for six years, so of those, two have been talking to developers; the rest has been other things. The rest of my life working has also been spent talking to people, so that's what I do, and now I talk to people about their code. So we're going to do that; we're going to go through and we're going to talk about talking to devs.

All right, so, this is non-scientific, in case you're wondering, but it feels like there's a 50-50 chance, independent of the actual validity of a finding, that the developer's going to tell you it's a false positive. Sometimes they'll care really hard about something that is, they'll freak out about fixing anything when there's no problem, and sometimes they'll tell you that something is super real, it's just not a thing. So it's not always fun, and it's certainly not as much fun as finding them in the first place. The actual problem solving, going in and finding bugs, can be great; talking about them, less so.

OK, so security is somebody else's problem. So this ends up being one of the issues: there's a different department, right? There's a security department. They do all that stuff: they do the WAFs, they do the firewall controls, the access controls, your file system controls. They do that. Why do I have to care about it? Somebody else is doing it already; it's covered.

Sorry, yep, nope, yeah. So it's not usually fun for anybody. Security gets told the findings are false positives, and developers get told that they can't release. They get stuck; they're not able to do what they need to do, and security just gets in the way, and it doesn't make sense. It becomes a really strong adversarial relationship, and no one's having any fun. This is partly because developers are under pressure. You know, there's tight schedules, and security does not conform to them: a bug can come up a couple of days before release, and they need to meet those customer deadlines, they need to be able to send that out and get that out there, and their management probably doesn't have a full understanding of what it's going to take to fix it; they don't understand it either. And so it's a lot of pressure; it's much easier to just dismiss them entirely.

So yeah, it's a difficult conversation, it's an adversarial relationship, just super not fun. But we have some tools in our toolbox. They're invisible, but it's OK: we have social engineering. We have, you know, as hacker folks, these ways of codifying talking to people so that we can influence them to do certain things, so we can elicit certain information. Why don't we use them? Why don't we fall back on that playbook, back on those tools, to be able to do something for good, to be able to get in there and fix stuff? Yes, I'm screaming. We're going to have some fun, hopefully.

One of the things we're going to do is we're going to rely on my good friend Dale Carnegie and his book How to Win Friends and Influence People. I had thought that this was going to be total [inaudible] and never touched it, sorry Mom, but it turns out that all the stuff that I always tell people to do is in this book. So we're going for it, and we're going to use them as jumping-off points. You'll see Dale's up next, and we're going to go throughout this talk, we're going to keep relying on these quick wins, these quick tips for being able to talk to people convincingly, to be able to bring them onto our side, because, as a friend said, human firmware hasn't changed much in the last hundred years, and so we can still mostly rely on these.

So the first one: begin in a friendly way. I've taken this to mean begin with something good. So if you have bad news, if you're going to say no to something, you don't just say no, you don't start there. You're going to start with "I understand where you're coming from," or "here's something that's good," or "here are some options for you, and then actually that's an awful idea, please don't ever do that again." Because if you start with no, if you start with shutting things down, that's all people hear. They hear no and they shut down. They're not going to listen to your solution, they're not going to listen to why it's an issue or what to do next. So starting with no tends not to be great; it tends to be a way of shutting down a conversation. We're going to try not to do that.

All right, so this is my bad news: no one can make you do anything. My mom, she's great, and she's right. People are non-deterministic, right? They're not predictable in all cases. They're going to do things even though you're trying really hard for them not to. There's going to be times where this stuff fails, where somebody, no matter what you say, is not going to listen to you. That's OK, it's not your fault, right? So these are not foolproof methods, but they do work most of the time, and they work often enough to be worth it.

All right, part of this is because I like to think of people as emotional state machines with a lot of quantum randomness thrown in for fun. But we have emotions, and they modulate and regulate our behavior. There's some really cool cellular reasons for this, and there's lots of chemicals that do that, and I did not have time to put them in, but I'll be around, and if you want to talk about it, I love behavior modification, or hormones and dopamine, but yeah, anyway. So it doesn't fit in this time slot, but our behaviors tend to be predictable when you know what emotional state people are in, because there tend to be common ways that people behave in those states. So it's worth observing other people and trying to figure out what state that is, right? Some social engineers will manipulate that state, try and get you into a particular emotional mindset. This is a way to be able to make you predictable, to be able to influence your behavior. I'm going to call that not a superhero move, so maybe don't do that one. But you can try and foster a positive emotional state. You can try and make sure things stay cool, that you're never going into the negative, that you're not making somebody angry when you can help it, or getting them to be upset, because those predictable behaviors aren't ones that absorb information. They aren't ones that take you seriously; you get seen as a threat, and that's something to avoid. So we're going to try and not do that. We're going to try and keep people happy-ish; we're going to try and keep them in a fairly positive emotional state.

All right, so we have these emotional state machines and we talk to them, and the most important thing to remember when we're doing this is that they are not you, right? Other people are not yourself, which seems obvious: other people have a different background, a different experience, a completely different internal world. But humans are really bad, really atrociously bad, at acting on that information. We don't even recognize it until we're four. By four years old, humans tend to recognize that other humans are individuals, and I, in my mid-30s, still sometimes have that problem, where I think that my husband has been with me all day when he is definitely not, and I'm like, "you remember that," because, like, you know, I don't, because I'm an individual who has their own life, mostly. OK, so this is worth knowing, because this is going to be a tool, right? Because everybody's bad at this; if you're not, you have a huge advantage. No one's expecting you to be good at it. So if you don't take their actions at face value, and you observe their behavior and you get that idea of "OK, this is where you're coming from, this is what your actual motivation is," you can kind of act as sort of with them, and they tend to think of you as being on their side, and there's a bit of trust and familiarity that you can get almost for free, which is great, because that's what you want. You want people to trust your fix, to trust your solution, to trust your information, and not just dismiss you.

One way to do this is just to figure out: OK, you're doing this action, which is telling me all these things are false positives; there's probably a reason for that, and it's probably not that they're false positives, because they're not; I know they're not. It's probably you have a deadline, you don't know how to fix it, you don't want to admit that you're deficient, you don't know how to do this. And so this is a way to get around that: you can go, OK, it's not that they think this is a false positive, it's that there's some other pressure causing that behavior. And that can be handy, and we'll use that, and we're going to talk in terms of other people's interests. Thank you, Dale. When you do that, again, you get that huge advantage, you get that trust, you get that familiarity right away.

The other book we're going to use, but very loosely, it turns out, is Chris Hadnagy's book. We're going to use a little bit of his framework on social engineering. We're going to jump through an engagement somewhat similar to what I do for work: talking people through, as a developer, their security finding. We're going to use this; there's a rough guide I've made, some of it's not going to exactly map up, but this is handy if you haven't read it yet. You probably have, since you're here, but it's useful. It's got some great information in it, and it's a good place to start.

All right, so we found a bug. That's what we're going to start with. We found SQL injection, and we're going to talk to the developers at WebGoats R Us. This is pretty straightforward SQL injection; it's in this drop-down menu. It turns out they're really, really nice and they're printing out the SQL statement for us, so we can see exactly what we're doing. It's expecting an integer, but we can give it a string. Great. And we can dump their table and do other things, but in this particular case we've dumped the table. So handy, thank you. So we're going to talk to some people about it.

So our recon, so there's our information-gathering step. We're going to get some information about things in two phases. So the first thing, we need to know something, and we're going to start with who we're planning on talking to. So who's our developer? Get some light recon on this person, but we're not going to be creepy about it. This is creepy, by the way. I was trying to find Superman being good, like using his X-ray vision to be a nice guy, and then this is: what are you doing? How many people's chests have you looked at today? I want to find this one guy. All right, so we're not going to do that. We're not going to find passwords, we're not going to find mother's maiden name, we're not going to find street address. We don't need that, right? You know, it's not required. The kind of things we do need for our pretext is we need to know that he's Ford, and he's a software developer at WebGoats R Us. So job titles: you're not always going to get the developer. You might get someone who's not familiar with the code. That can be harder when you're focusing on fixing it; it can be easier in other ways. If you're just demonstrating something, someone who isn't the developer is more likely to just take your demonstration at face value, because they've got less invested in the code itself. But we're going to talk to the software developer. So we found a little bit about him through a public internet search. Juicy, right? Look, he's not on Twitter, but we know that he hosts a local Java meet-up, which gives us a clue about what the application is written in, which is handy, because we're going to need to know that later.

All right, so this is the name thing: using someone's name when you're talking to them. This doesn't always work, because everybody knows about it, right? So when you're obvious about it, it kind of seems like you're trying to get something, but it mostly works. It works really well if someone gives you their name. They introduce themselves, and then you say their name back to them, either right away or a little bit later. Again, it is another way of bringing yourself into their circle, of getting that trust, getting that familiarity without a lot of work. That's handy. And when people use the name thing on me, I'm very suspicious, so it's, you know, it's a 50/50.

All right, so there's a technical part of this. We know that we have a SQL injection, but we get that for free; we already figured that part out. But how are you going to fix it? You're talking to a developer. You know, they don't just want to know how you exploit it; they have to fix this thing. You're going to want to know what language it's running on, and maybe a little bit about it. So what do we know? What can we learn from this information? Well, we already know that he hosts a Java meetup, so it's probably written in Java. We can confirm that with the server banner; this is from Tomcat, so we know it's, OK, cool, it's Java. It's probably got, say, JSPs. Excellent. We know that it expects an integer and it's not validating it, because there's no error message; it's just passing it right through. We know that there are only six possible values and it's not checking against those either, and we also know it's not using a prepared statement, which is usually the standard recommendation for SQL injection. You're usually just going to say "use a prepared statement, all this will go away." But at least now you have three different tactics, you know three different things. You know it's Java, so you know that there are prepared statements and they're not hard to do. You know that it's a strongly typed language, so you can easily do an int validation, and you know that a whitelist is probably possible if somebody wanted to do that. So you have some avenues to explore.

OK, so this is my favorite part when watching people through social engineering engagements: their pretext, the why they're doing this, the setup, the lies that they tell to get away with things. We're going to do something that's only kind of a pretext. So most devs want to write good code, and even if they don't, they probably aren't going to admit that they don't want to write good code. So it's a safe thing to assume, because they're probably just going to go along with it and get on to fixing bugs. So if we can frame this as a bug, if we can go "hey, we want to help you make good code" instead of "hey, we really care about our security finding," we care about you writing good code, we can probably make some headway. And most security issues, when we're talking about code, can really come down to "hey, this is a bug," just like other functional bugs. We know the code fails to validate its input, right? And it's a situation where validating it isn't hard, and it'll make sure it's always following the happy path. It probably should be validating it. We also know that it's concatenated directly into the SQL string and running that raw SQL query, which is another not-great thing to do, right? So that's not great, that's not best practices. So we can frame this in that way, and we can use it to get further.

This is a hard part: don't criticize, condemn or complain. This is going to be about the code, right? Shucks, there's going to be [inaudible] with the code. This is going to be about their manager who's on their back about it. This is going to be about them, who are driving you crazy trying to tell you that everything is fine. So this is hard, but it's really important. If you can focus on the positive, you can get much further, again for some of the same reasons we saw before.

All right, so we're going to do the phone call. We're going to talk to Ford, and we're going to explain the findings, and we're going to talk to him about why he does not think they are valid, right? And how do you stay positive when talking about a vulnerability or bug? We're going to focus on helping, which is maybe not what you were hoping to do, but it works. You're going to focus on fixing and not on exploiting, and this is super counterintuitive, because the whole reason you're talking to them is because you can exploit it. Yeah, but they don't care, and they shouldn't have to, because they can probably think about it in other terms. This idea of having developers think like an attacker isn't always going to work, so maybe sometimes go the other way and think like a maker. We do get to being able to explain the exploit eventually. It is important to know how it works and to be able to demonstrate it, but we're actually, we're not going to make it the star.

So Ford says this finding is FP. He says he's validating the data. That's his drop-down menu, by the way; his drop-down menu is validation, and your security finding must be wrong. And if you think this never happens, I had something very similar to this, almost identical, three weeks ago. OK, so how do we start with something other than no? How do we start with something other than "oh my goodness, what are you doing, stop it," which is hard? Maybe that's what you want to do, and when I started this job I was like, I just want to tell them to stop it, right? Like, that's not validation. But that's not a great place to start. What we want to do is be able to avoid negative reinforcement, right? We want to be able to avoid just saying "stop it."

Negative reinforcement: this is the thing that people study, so it's worth knowing it exists. So it's when undesirable behavior is punished, right? Makes sense. It tends to lead to avoidance of the punishment and avoidance of the behavior. It does not necessarily lead to the desirable behavior, which in this case would be fixed code, right? It will mean they'll pass a test some other way. They'll remove it from the staging server so you can't get to this page, but it'll still be in production, but you're not testing production, you're just testing staging. Or if it's a static scan, they'll remove the code. A real-life example, and this one was exciting: so there were cross-site scripting findings, there was a whole lot of them, static findings. They didn't know how to fix them. They tried fixing them and had broken the application. They found out that, using the supported cleanser, they could just move their code into that class, into that package, and we wouldn't find it anymore. So it fixed it, sort of. Still valid, it's still out there, still exploitable, but we weren't finding it with the static scanner. It was at least as much work as actually fixing it. There were no more findings, but eventually there were, because we fixed our engine. We changed how we were looking at these packages, these approved cleansing packages, and we found all the findings again. This team came to me and told me that all the findings were false positives, and that we were flagging and finding in the cleansing library, and why would we ever do that? And then it was actually their code, and they had to go through, remove it from that package, rewrite it and fix it again, probably tripling their work. And it was because no one took the effort to go through how you would fix this, how you would actually make this not suck, and it was just punishment, right? It was just "this has to be fixed, you can't do this."

So pretext: the one we set up earlier, that provides a guide for positive reinforcement. The goal is good code, right? We're going to fix the security bug and we're going to roll that into that positive reinforcement, so we're going to go towards that goal of things working and being great.

All right, so Ford. We're going to go and take a look at his drop-down menu. He's going to show me his validation; that's going to be great. And while he's there, we're going to open up Chrome dev tools. Hey, how would you, right-click or Ctrl-I. Let's take a look. Hey, can you double-click on the value in that tag and change it to whatever you want, and then press send? Oh no, look, it sends. So we can give him that ability to figure it out himself, right? We can show him, we can walk him through. And again, this is actually what happened three weeks ago. He was very proud of his validation of his drop-down menu. We went through and we changed it. We didn't exploit it on the phone; that wasn't the point. It was just, this isn't enough, right? Sometimes it's fun to go through and teach them to exploit it; sometimes this isn't the right time. This is a time to be able to show that this thing doesn't work, but we can do more. Then let's empower you to be able to figure that out. And then once we frame that issue and we say, OK, that's not enough validation. You want to validate? Great, we can do that. We're going to do it on the server side, right? We're going to do it where it does something, and all of a sudden this isn't just something else we care about, right? This isn't just "hey, you people think differently than me, you do things that I don't do." This is validation, and this is validation the right way, making sure your code works.

All right, so another thing that works in social engineering is priming. It doesn't work like this; this is the subliminal images that they used to show to get you to go buy popcorn during the movie. That doesn't work. The way that priming does work is that things that you've seen before, things that you've encountered before, are familiar, usually in a good way, although not always. But you have prior reactions and prior feelings about different things, and you rely on them, and you use them again, even if you only see those things quickly, even if it's only sort of tangential. And because of that, we're fighting against it, right? So for Ford, interactions with security have never been good; it's always been bad. Security comes up, we're not happy about it. He's never been able to see how it really relates to his job. It's never been able to come home and be something that he does and is responsible for, except for when people are yelling at him to fix it and make it go away. But there are available resources, and that's why we chose that pretext of caring about quality code, because there are pressures to care about what you do, and to care about making sure that things are good. He runs a meet-up; he probably does care about those things. And we can use those prior experiences with good coding practices and good engineering practices to be able to piggyback on them and get things fixed.

So this is leading questions. So Dale says start with questions to which the other person will always answer yes. This is, again, these are all about trust and familiarity; that's sort of the secret for Dale Carnegie. When you start to say yes, there's pressure to continue to agree, there's pressure to continue. You've already said yes to one thing; everything else, your mind sort of shortcuts it, it's part of the same package, so yes becomes sort of what you do. It makes sense that the next question would be related to the first one in a way that it would also be "I agree with you," or it makes the next question easier to answer, it makes it more familiar. This is a dirty rotten trick that your brain plays on you, but it does work. Leading questions can get you to getting a yes, and you'll see salespeople do it all the time. So there are two types of questions: there is closed and open. Closed is yes/no. Open is when you're going to tell me a story, because I'm going to ask you a question about your code: what does this do, where does this come from? And we can go on a journey, and we're going to let you do all the talking, Ford. So when you lead those questions, you get them to go, OK, we're going to talk to your code, we're going to go to that validation we ran into, and see what's going on. And then we get them to explain it, and then we're going to get them to solve it, right? They're going to come up with their own validation, because they know how to do that. They know how to make good code; they just aren't doing it right here, because they didn't know they had to. It's fine, because we're here for these superheroes.

All right, so we've shown him how to bypass his validation. We can talk to him about what does work, and at this point we can talk about the exploit. Finally, we can finally talk about why we're here, and we're going to talk about validation. So when we're talking about the exploit, we're going to talk about what we're doing with SQL injection, why, in this particular case, it's an integer, so we don't even need quotes. So if he said, "I've got a cleansing function and I make sure there's no quotes," it doesn't matter, because I don't need them. So it's important at this point you get to say, OK, what is the injection, why does it matter, what is it you actually have to validate? You can do validation that does nothing, right? You can validate all possible characters; that's not useful. In this particular case, an integer is not going to cause SQL injection, so you could just validate that your expected valid input is an integer: check to make sure it's an integer. But this is when you talk about the specifics, because this is where, for the fix, in this case we're going to go with validation, it matters. It matters what actually is happening and what the exploit actually is.

All right, so SQL injection is not always so straightforward. It's not always just an integer that comes in directly and you can go for it. When the code path is more complicated, that's when the questions become really useful, and when getting them to tell you the story about what's going on is the A-one strategy. I have a co-worker whose ability to bring someone through their code to figure out where the problem is is majestic. The Runkle, he knows everything, right? Look, he knows what the code path is, he knows what the exploit is, he knows what they would have to do to fix it, but he doesn't tell them the answer right away, because that's not useful. Just saying "hey, do this" doesn't give them understanding. It doesn't give them the power to own it, to feel like they're the ones that are taking this action and are responsible for it. That's what you want, right? You want them to be able to do this again, to have that positive experience and to own this time from beginning to end.

So what he does is, he knows what's going to go on, he understands everything, and he knows, OK, where does this come from? All right, can you tell me if this is this or this? OK, so it's an integer. You think you're validating it? Great. When this comes through, is this a string? Yes. OK, great, so we've got our leading question; we've already agreed to something. We have somebody who's going to listen, probably, to the next thing we have to say, hopefully. OK, it comes in as a string from the request. Where does that string go? Does it go through a validator? Oh, it does. OK, great, what does that validator do? And we can go through and we can see that it's just checking for single quotes. All right, it's expecting this to be regular SQL injection; somebody already tried to fix it, and they check for single quotes. All right, cool. So when we take a look at where this is added into the SQL string, are there any quotes around the variable? No, there are not any quotes around the variable, and it's an integer, right? It's going into the SQL statement as an integer, even though it's a string. OK, so would that solve this issue? If it's removing quotes and there aren't any quotes there, is that going to be able to limit us from adding extra characters? And all of a sudden they get it, right? Just through questioning, through them being able to walk through that process, it is so much more effective than being able to tell them. When you just tell them, they're not thinking about it in the same way; it's not the same kind of personal experience. And so being able to go through and have that question and answer and those leading questions is really important.

All right, I need to remember that I talk fast when I'm nervous, so I'm almost at the end. But all right, so ending the call. When we go through this and we go through the questions and we let them really own it, and we talk about it in terms of code quality, it's really easy to end it, for you, because they're happy and they tell you thank you. It doesn't happen every time; there are times when obviously it's more of a fight. But when this goes well, which is most of the time, they understand, they know their next actions, they have a path forward, it's phrased in ways that they already understand. They don't have to come up with a new full understanding of the world, and they're good to go. They're going to go and they'll fix their code and maybe even do better next time. Yeah, and I really did get through those. So I await your questions. Thank you. [Applause]

Audience: Yeah, good point. So have you ever had the experience where you've tried this technique and gone through it over a period of time, and you're not getting through, and you got so frustrated you went through the negative reinforcement? And how did that turn out for you? Because I've done this and it did not turn out.

Gibson: So there are times when I will go through it multiple times, right? If it doesn't work the first time, I'm going to go again. Eventually it's just like, no, this doesn't work, this doesn't work for this reason, this reason, this reason. We have an advantage at Veracode: this is not, we're just doing very short engagements and I'm not their security person, so eventually I can just be like, look, this is someone else's problem. But eventually, after trying several times, but yeah, it can get really difficult, because sometimes it is just, look, this is the way it works, I understand you don't want it to work this way, but it does. And it doesn't always work.

Audience: I suspect that they're not going to fix their code then.

Gibson: Yeah, I mean, no.

Audience: Can you go back a few slides? Go back a few slides. I still read something about developers being real cold or whatever you want to call them. No, no, yeah, right, go, yeah. What do you mean by negative reinforcement and negative incentives? I mean, in this real-life example, what are they?

Gibson: So only no positive ones, right? So there's like, if you do things good, there's no celebration, there's no congratulations, there's no even checking to make sure you did it the right way. It's just, if you do it wrong, there's punishment, that's it. We don't work well that way as humans,

right? You don't like being told over and over again that you're awful. I don't. Yeah, I mean, there are people who I talk to who definitely have, like, their job, they're concerned with their job because of the security of their application. Yeah, absolutely, like they can't release, and then that becomes a problem. It's not security that's going to put their job in danger, but the fact they can't release is definitely going to cause problems with their own management. Yeah. Anybody else? I'm sorry I went too fast. Yeah.

Audience: This is a great, I don't think it's working, something, oh, there we go. This is great, like a catalogue of how you respond to the defense mechanism of the developer. Yeah, what are some of the most common ways that you see this sort of behavior on the developer's side manifest? Like, you know, is there a top five ways that developers tell you that it's not their problem?

Gibson: Yeah, so sometimes literally with those words. There was one time we were talking about flaws, like, hey, let's take a look at your code, take a look at what your code is actually doing, look at how it's functioning, and his response to me was, "this is about a security issue, not the functionality of the code." I was like, actually, I think it might be about your code, let's take a look. And then we were able to go through, and we were able to use the technique. That one did not end in tears, that was OK, yeah, but it started off a little shaky. So there's other ones, especially if you're looking at file issues, file access issues, inclusion or path traversal, especially with Windows systems. They'll say, "this is taken care of, right? We've got strong user controls, we're good." Well, your application, is it, does it use the same user? Like, are you using the AD permissions of the person who's logged in? No? Well then how is that taken care of? Your application is different, has different abilities than an individual. So if your application has, yes, it's good to have these user controls there, your AD permissions are good, but it's not solving this problem. And acknowledging that the controls are good for certain things is the way that you get around that, rather than just saying no first. You're like, yeah, good job, that's great, but otherwise it sucks.

You know, I'm out of questions, but you can ask me a question if you just showed up. It'd be cool. I was really fast.

It's not, I've been, then thanks, everybody. I'll be around for a while if you have any other questions, so thank you. [Applause]
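The drop-down SQL injection the talk walks Ford through, as an added example that is not from the talk or from any project it names: the integer lookup built by concatenation, the single-quote check that cannot help in an integer context, and the three fixes the speaker lists (int validation, allowlist of the six values, prepared statement). The talk's app is Java on Tomcat; this version uses Python with sqlite3 so it runs stand-alone, and the table, names and values are constructed.

```python
"""Integer-context SQL injection and its fix, reconstructed in Python/sqlite3.

Constructed illustration (not the talk's Java code). Shows side by side:
  1. the raw concatenation that lets a string ride in where an int was expected,
  2. the pre-existing quote check, useless when no quotes are needed,
  3. the fix: parse as int, allowlist the six known values, bind a parameter.
"""
import sqlite3

# Constructed sample data: six drop-down values, as in the talk.
GOATS = [(1, "Alpine"), (2, "Boer"), (3, "Nubian"),
         (4, "Pygmy"), (5, "Saanen"), (6, "Toggenburg")]
ALLOWED_IDS = frozenset(goat_id for goat_id, _ in GOATS)


def make_db():
    """In-memory database standing in for the app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE goats (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO goats VALUES (?, ?)", GOATS)
    return conn


def quote_check(value):
    """The earlier 'validator' from the talk: rejects single quotes only.

    It was written against string-context injection and does nothing for an
    integer context, where the untrusted text lands in the SQL unquoted.
    """
    if "'" in value:
        raise ValueError("single quote rejected")
    return value


def vulnerable_lookup(conn, raw_value):
    """Before: the request parameter is concatenated straight into the query.

    Anything that is valid SQL after 'id = ' is executed as-is, quotes or not.
    """
    sql = "SELECT name FROM goats WHERE id = " + quote_check(raw_value)
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn, raw_value):
    """After: the fixes the talk lists for a Java app, in Python form.

    Strict integer parse, allowlist of the six drop-down values, and a bound
    parameter (the prepared-statement equivalent) so the database never
    parses user-supplied text as SQL.
    """
    # str.isdigit alone accepts non-ASCII digits; require ASCII digits only.
    if not (raw_value.isascii() and raw_value.isdigit()):
        raise ValueError("expected an integer id, got %r" % raw_value)
    goat_id = int(raw_value)
    if goat_id not in ALLOWED_IDS:
        raise ValueError("id %d is not one of the drop-down values" % goat_id)
    rows = conn.execute("SELECT name FROM goats WHERE id = ?", (goat_id,))
    return [row[0] for row in rows]


def demo():
    """Run both versions on a normal value and on a quote-free hostile one."""
    conn = make_db()
    normal = "2"
    hostile = "2 OR 1=1"  # no quotes, so quote_check waves it through
    return {
        "vulnerable_normal": vulnerable_lookup(conn, normal),
        "vulnerable_hostile": vulnerable_lookup(conn, hostile),
        "hardened_normal": hardened_lookup(conn, normal),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(label, names)
```

The hardened version rejects the hostile value before any SQL is built, which is the point the talk makes: validate for what the injection actually needs, not for quotes.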
