
Hacking for Good: The Scary State of AppSec

BSides Delaware · 2018 · 52:36 · 93 views · Published 2018-11
Transcript [en]

[Music] Alright, you guys, how are we doing? Everybody still awake? Three o'clock on a Friday, hopefully no yawns. My name is Randy Westergren, and today we're going to talk about hacking for good. I do have a little bit of a disclosure: I'm doing this on my fiancée's laptop, so if anything pops up during the presentation at some point, not my fault. I am a developer at a tech company called Marlette Funding. Any developers in the room at all? Yeah, okay, one. That's kind of the problem, right? I also have a history of sysadmin work prior to my development life, and appsec is kind of a hobby and passion of mine, so I bring that to work every day and sometimes at home at night.

I want to start off by talking about what hacking is, or what we think of hacking as. I really love this image; there are so many great things about it. First off, it's probably what everyone thinks of when they think of a hacker. You've got all the classics in there: the hoodie, of course, that goes with it; it's very dark; terminals open. Notice there are two keyboards this guy is typing on, and he's also wearing gloves, you know, to be careful. Alright, a lot of interesting things about that picture, but if that's what we think of hackers as, it's not extremely uncommon. If you do a Google image search for "hacker", you come across images along these lines,

even that guy in the third row that doesn't look like he fits there. But hacking isn't all that; it doesn't necessarily even mean accessing computers or digital hardware illegally in the traditional sense. In the old days, hacking meant you were coming up with a novel solution to an engineering problem in a creative way. So this is a message from the early days of the Linux mailing list. This is Linus Torvalds' message to everyone, and he's kind of just saying, hey guys, this is a new code base I'm working on, a little pet project, "a program for hackers by a hacker." He clearly later turned this project into Linux. He wasn't talking about breaking into software; he was talking about coming up

with an interesting project that solved a lot of problems all over the world, and given the success of Linux, I think he met that goal. So what do we talk about, what do I mean by hacking for good? Alright, you look at this image; I think this is always a good analogy. If you don't know what this guy is doing as far as motivation, whether he was paid or not, this might not look much different if he was a locksmith or somebody breaking into a house, right? He's even got a black hat on there. We don't see any company name; that could be a misleading factor in the process. This guy, who looks a little bit

more innocent, he could even be working on his own house, right? He's in the process of using legitimate techniques to break into his own house, but they're the same techniques that a bad guy could be using, right, to get into software that he's not supposed to be accessing. Another example: a good guy that kind of looks like a locksmith being paid to do bad things, or typically bad things if you don't know what his motivations are. Our pentesters. Any pentesters here today? No? Well, you'd already be wearing that shirt. But altogether these are grouped under a term, ethical hacking. We've all probably heard this term before; it's a

term used to describe anybody that's hacking in an ethical way and trying not to break laws. This guy is a white hat hacker, right? This was a five-year-old who escalated privileges on his Xbox account by switching to his dad's account and found a vulnerability in Microsoft's Xbox. He ended up in the Hall of Fame on Xbox's, or Microsoft's, website, and I think he even got a $50 credit for his Xbox store. So that's a little bit different than the guy in the black hoodie at the start. So traditionally we have a little bit of a variance here, from two extremes and then one guy in the middle

right: black hats, white hats, and this grey hat in the middle. So what's a grey hat? I think a good example, this is something recent: MikroTik had routers that had a zero-day, and a very high number of them were accessible across the Internet. Somebody was scanning them with a tool like Shodan or masscan across the internet, identifying these routers and, although illegally accessing them, the motive wasn't bad, right? It was to patch the router so that nobody could abuse them. This is what we refer to as grey hat hacking: the person who was doing this had good motivations, but they were still breaking the law in the process. Today I'm going to focus mostly on the white hat end

of the spectrum, and we're going to talk about examples of appsec research that has benefited the community as a whole. So what do I mean when I say security research is essentially hacking for good? This also falls under the umbrella of white hat, but it may or may not be something that's paid for or rewarded or has some financial motivation in the first place, right? We do a similar image search for "security researcher" and the results are a little bit different, really all over the place. Yeah, Kim Jong-un there on the first row; we've got just a lot of weird stuff going on there. But the reason I present this is because it

gives us an idea of how galvanizing the term is outside of our community, right? It doesn't necessarily show that this term, security researcher, is understood outside of our industry. I'll talk a little bit about responsible disclosure. Anyone ever heard of responsible disclosure before? Anybody used it or had to use it? Good. So Walmart has a responsible disclosure policy, surprising to me as I came across it. Basically it's a process by which an organization or a vendor can publish ways for researchers who come across vulnerabilities in their software properties to notify them, in a process by which they agree to work with you in a peaceful manner, right? There used to be a lot more consensus on,

or I shouldn't say consensus; there is a new consensus around the term, and it's that it doesn't work, right? It can mean a lot of different things to a lot of different people. It turns out not everyone agrees on what responsible means, so that term is kind of being discarded in favor of coordinated disclosure, meaning the same thing. On the opposite end of the spectrum we have what's called full disclosure, which is quite the opposite of coordinated disclosure, coordinated disclosure being working with the vendor, waiting until there is some kind of patch released, and agreeing on a timeline to release the details publicly. Full disclosure is on the other end of the spectrum, where a researcher comes across a vuln or a bug and decides

that the best way to get that patched is to drop it publicly to everyone, the argument there being that the more people that know about it, the more pressure it puts on the company to fix it quickly, which tends to be a critique of coordinated disclosure, and it lets the users know their risks up front. This is a screenshot of the Full Disclosure mailing list, which used to be a hotbed of vulnerabilities being dropped day to day. I think you see a little bit less of this now, just because the industry has come a long way in coordinating disclosure. We're going to talk a little bit more about that. One

way it's coming forward is through bug bounty programs, right? HackerOne is one such program. Companies can also operate their own individual programs, but HackerOne is a centralized program management platform for hosting bug bounty programs, so organizations, especially larger organizations, can take the load off and have somebody else manage various aspects of that program. Here's a good example of what you might come across as a reward for working with a bug bounty program: it looks like the Dutch government operates one, and if you happen to find a vulnerability in their platform you get a little shirt that says this. What isn't security research? I think this line is

appropriate to draw, very important. Anybody remember this logo? Yeah, you don't hear much from Anonymous anymore, but this is kind of a genre of hacking we call hacktivism. The idea behind this is somebody attacking with an agenda; they have some reason to hack, and sometimes those reasons even come later, after they've found a vulnerability in some organization's software. You've also got things like this. I'm not going to read the whole thing, but it's an email sent to a business owner, essentially extorting him and saying we're going to DDoS your site, or we're going to exploit a vulnerability, until you pay us Bitcoin, right? These things are not legitimate security research. These are on the

black hat side of things. Security research, or white hat hacking, also has a dark past. Many of you probably know about the Computer Fraud and Abuse Act. It's been used to prosecute legitimate crimes of computer fraud and abuse; it's also been used, the language in the act itself has been leveraged, to prosecute what you might consider arguable offenses, where intent was not considered, or just things that we as researchers might come across very often that have no criminal intent or action behind them, right? You also see stuff like this all the time, or not so much anymore but more so in the past, where somebody operates a

cryptocurrency project, some security researcher finds some very serious flaws in it, and then you have somebody that critiques the critiquer rather than accepting the feedback and the seriousness of the vulnerabilities in their software. So in here, you know, this guy's threatening to have lawyers come after this person. Same deal with this; this is just a recent email from somebody who also operates another cryptocurrency project. The researcher wrote up a blog about how there were various vulnerabilities in the platform, different pieces of the software, and he gets a reply back attacking his character, saying that they're not real vulnerabilities, that there's no way he could access anything, and calling him all kinds of names. So this stuff still

happens today, but my sense is that it's less and less frequent these days. You also see some things like this on occasion, where there's legitimate research being presented at a large con like Black Hat. In this case it was some RFID research; some company didn't like that that research was being disclosed at Black Hat, and they sent lawyers after the guy that was going to present it, and it resulted in him not being able to present that research. So that's a little bit of background on appsec. I want to talk more about the current state and how things are going in the future. Anybody remember Equifax? The largest exploitation of a

vulnerability in a long time, not just the scale of the breach itself, 140 million plus people, but the type of data that was breached, you know, things that we're not going to be able to change. Names, you could arguably change that, but Social Security numbers, birthdays particularly, we're not changing that kind of stuff after a breach. It's easy to change your password after a breach, but some of this information sticks with us for our whole life. This was caused by, or leveraged through, the use of Apache Struts. Anybody heard of Struts before? A very large MVC Java framework used by developers to more rapidly put together and prototype a web application without having to worry

about all the basics. The problem with these large frameworks, especially when they're adopted by so many installs, is you come across very, very serious vulnerabilities like this one. This is the CVE that was responsible for the hack in this case; as you can tell, it's of the highest severity. It was disclosed publicly March 10, 2017, and Equifax was not able to patch it in time, quickly enough, because it obviously was the cause of their massive breach. I won't go into a huge amount of detail about the proof of concept, but let's go over it a little bit. This is an example of just a

regular vanilla web request, alright? You've got normal-looking headers there, nothing special about it. But to differentiate that from the actual proof of concept that exploited this vulnerability: as you can tell, in the Content-Type header there's a little bit of variable parsing that goes on in there, all the way down to where you can find the payload mixed in, and it's even checking whether it's cross-platform, right? It also checks whether it's Windows or a Linux command prompt that they're going to be hitting, ensuring a lot more success, a higher success rate, for the person exploiting the vulnerability. So here's kind of a look at the timeline of the attack across the internet, or

attempts at attacks exploiting this vulnerability. It's thought that March 10th is when Equifax was actually breached, and there's some discrepancy here; a couple of different sources say the 14th or the 10th. There was some knowledge about the attack as early as the 6th, as Struts released the fix without any announcement of the vulnerability included at the time, although they reserved the CVE at that time. Another big one in recent news is Drupal. Anybody experienced with Drupal at all? A PHP framework, content management system, up there with the likes of WordPress and Joomla. These frameworks operate a significant chunk of the internet in the top million websites. Drupal doesn't have as large a

market share as WordPress, but it's up there, and the vulnerability, called Drupalgeddon, kind of had the same situation as Equifax, where there was a race to exploit this across the internet by bad guys who wanted to weaponize the vulnerability. So another classic case of unauthenticated remote code execution. You can see that this was, what, March 28th this year; quickly after that, exploitation took right off. A quick look at the actual code responsible for it: so this is a web request to update some form elements on the backend of Drupal. There's some markup language, there are some inputs that Drupal uses on the backend so that they can build forms dynamically. Here's an example of what a

legitimate form would have been built like. You can notice that the hash (#) that starts those keys in those arrays is kind of where the input is used. Here's a look at the exploitation of that vulnerability, so there's an exec command there. This is a very benign attempted exploitation, but it kind of just demonstrates a proof of concept. And then you've got a smaller time span, zoomed in a little bit here, but as you can see, as the vulnerability was released, exploitation took off; it settled down a little bit, probably because some patches were going out, and it kicked back up again. These are attempts at exploitation, not necessarily successful ones. So those

are two open-source projects I wanted to touch on. Other software properties, things that are developed in-house by companies themselves, and some research that I've done personally that went through a similar disclosure path. So one of the big ones I found was with Verizon. I have Verizon FiOS at home; they have a My FiOS app, so I downloaded this from the Google Play Store and decided to take a look at it. Here's kind of what we're looking at: I installed the app, all the way on the left I've got my phone, I put a proxy between the requests and responses over the Internet, and watched those APIs as they interact with the web servers and database on the

backend, right? And that's kind of just a classic man-in-the-middle, but it's a self-in-the-middle, so I can view the traffic itself, right? Viewing that traffic I was able to see a number of legitimate requests go across the wire. Only thing to note here: this was over HTTP, but that was not the source of the vulnerability itself. This is a look at the main widgets for the My FiOS app as it loads. As you can see, the third widget has a mail preview functionality within the application; the request on the right is actually fetching the contents of the mailbox. So this is a legitimate API used by Verizon to fetch actual Verizon emails and put

them into the widget to show the preview on the left, and also the full functionality of that widget. Here's an example response from them. As you can see, one of the last keys in that JSON array, or object, is the title for the actual widget on the left; it says, you know, "important changes to your account." But I wanted to cover real quick, if you zoom in, it's hard to see it over here, but if you look at some of the parameters in that case of the URL, you see a direct reference to UID equals, you know, my username. This threw up a red flag to me just

because if you're writing these kinds of back-end APIs, you know that authentication is passed in through the cookies, or even maybe the user info header down at the bottom; it should be inferred who the user is, they shouldn't need to be provided the username. Same case with this, an email request: you'll notice in the payload at the bottom there's a reference to a UID of who is sending the email. All cases of this, all uses of this API within this application, were identified as insecure direct object references, right? So I put in my friend's email to see if I could get his email inbox, with his permission, and it worked

perfectly. So I could have plugged in anybody's email address, gotten their emails, and sent email on their behalf. Here's a quick proof of concept I put together for Verizon too, so I could send it to them. The first line is just establishing, with valid credentials, the username and password of my Verizon account; any valid Verizon account would have worked for this exploit. And then I'm building the same request that I showed you earlier, right, except instead of the UID being mine, it's whatever target username I put in; anybody that we want to fetch their emails for, we could have done this. And then it just looks through the JSON, the Python script just loops through the response and

prints out the headers in them. I sent this to Verizon and talked about my experience and the technical details of the bug. It did get some press. As you can tell, the journalists mainly focus on the negative, right, the fact that there was a vulnerability in the first place, the fact that anybody could have accessed these emails. Well, that's scary, and true. I like to highlight this part, right: I had a great working relationship with Verizon. I'm not going to read the whole message that they wrote to me, but the last two lines I appreciated; I thought they were a better example: "We appreciated the constructive and collaborative approach you took with us

on the security challenge, working together for everyone's benefit. Finally, we arranged for you to receive one year of Verizon service." Right, so they didn't have to do that and they didn't have to write a nice email. I thought that was a good example of collaboration across the industry where there previously wasn't any. Verizon didn't exactly have a published responsible disclosure program or a bounty program, but they still took the feedback and they didn't take offense at it; they took it seriously. Another example I want to use is ad networks. Everyone hates ad networks, right, because they make web pages look like this. Alright, it's hard to even get to the

content these days. Another guy ran an example called the Million Dollar Homepage; he's selling every pixel to make a piece of history, I guess that's the goal. But yeah, the ad network world is very interesting, and I still don't fully understand it, and I don't know if anybody truly understands it, but the way it works at a high level is: you open a browser and you go to a news site, and you don't have an ad blocker on or anything; you're rendering as you are, the client, in the green right now. You're hitting the website, cnn.com or whatever, and it goes to their web provider; the provider goes through a series of steps to bid the

available inventory on their website at the moment, right? They take all kinds of nasty data that we know about today, including super cookies, things like that, but as you look it goes through ad exchanges, demand services, and different ad buyers that actually want to buy the inventory on the website and land the ads. So I started playing with learning more about the ads and how they work themselves. Alright, so if you're hosting, if you're a publisher on your website, your ad company may ask you to put a snippet of JavaScript on your website. This usually encompasses the bidding logic that we saw a couple of slides earlier and facilitates the

actual ad rendering on the website. I went through and started playing a little bit with an ad network, and started just by inserting a hash (#) at the end of the URL. As we know, anything after the hash isn't sent to the server when you make a request, so I thought that was a good place to start, since it wouldn't interfere with anybody's servers. Turns out a lot of ad networks use the main website URL as a referrer on the page, and this is passed through all those various networks before they end up rendering an ad on your site. Of course this is cross-site scripting; I'm going to show you how this happened, but on the New York Post, I'm sure they didn't

want arbitrary JavaScript running on their site. This is kind of where that exploit came from. I don't know if you can see that, it's a lot of code there, but there is a lot of red, and then you see an escape out of that red, and there's a document.write that's actually trying to write and render the ad. The string is ended with a single quotation mark and then arbitrary script can be run from there, right? It's a classic lack of sanitization. The same was true of Walmart. You know, this was not Walmart's fault, it was not their problem exactly, but because they depended on ad providers who rendered

ads on their behalf, it was a problem, right? I'm executing arbitrary JavaScript in this user's ad experience and I can do whatever I want on that page now. Alright, so I can collect cookies, I can see if they happen to be logged in, take a complete hijack of their account. Just another example of how this happened, very similar, right: document.writes all over the place, very nasty JavaScript, but you can see the main screen and the main payload was escaped by a single quote and then arbitrary JavaScript could be inserted. So I inserted an alert, but a bad guy could have embedded a script to run whatever kind of script he wanted on those

sites. Disqus was another example where I came across this. They have a native ad, another ad system within Disqus, to kind of see sponsored posts and things like that. Very similar requests here. Again, these server-side scripts, or engines, that were rendering these ads were not correctly parsing payloads after the hash, which are typically not sent to the server, and then not escaping single quotes in this case (in some cases double quotes, but in this case single quotes). So we go back to this screen, and this kind of shows the fragmentation of the ad industry. Now, when you come across this situation, with random ad providers, being unable to trace exactly where

a payload came from, you might think that it's kind of like trying to disclose in a tornado, right? You just don't know where the requests are coming from, who rendered it, who's responsible for it; it's really tough. So what I did is I just wrote a blog post about it, and it was picked up, and I was contacted by a couple of the top ad networks. AppNexus is one of them; Brian O'Kelley contacted me and we worked together on trying to solve this industry-wide, right? He knew a lot more about the ad industry; I knew about the security issues that were going on across the ad industry. He emailed me directly, we talked about

it, and he helped me get this issue solved industry-wide, right? Like, I don't know all the contacts in the various ad networks; he was able to push that and get it fixed for me. So another example; I bring this up, this is a blog post he wrote after the situation, and he's mainly just discussing the issue itself and how, working together, the ad industry can be improved from a security standpoint. So another example: public sector apps. This is a local example I'd like to bring up. New Castle County here [Music] started, or purchased, a subscription to a panic button app called Rave Panic Button, right, the Rave Panic Button. Very interesting, because this app was resold to many municipalities across the US and not just used by, or developed by, New Castle County. So it kind of works like this: on-site premises, hospitals, schools are able to presumably interact with 9-1-1 much faster; they share floor plans, they share phone numbers, personnel, things like that. "They securely provide critical site information for responders" is their main mission. So I did the same thing: I downloaded the app. I wasn't the usual user of that app simply because I'm not a school or a hospital or anything like that, but I did sit in the middle of the traffic and try to proxy

it. Also, as soon as I spun it up I saw requests like this. This stuck out as a red flag immediately, just because you can see the Authorization header, and that was global. Alright, so there was one username and password for the app globally; this was static in the app, and all requests were made this way. So you can probably guess: if everyone in this room downloaded it and put in their own information, you could mimic these requests and access all of that information, all the information within the entire system, right? Here's an example of some of the data that was returned from the previous request; this just happened to be a ping

request. The app didn't look particularly heavily used at that point; I think it was still new. But again, I worked with the industry on that; I contacted them and let them know. I didn't write that up, but I blogged about it, and I interacted with the company; I told them my concerns, they took it seriously, and I thought it was another good story, right? I also put together the technical description of the problem, blogged about it, and it got some attention that I think was well deserved, right? Even though it's a joke that this happened in the first place, it's good that it was taken seriously and it was remediated. Internet of Things. I like this one.

OutdoorLink is a developer of outdoor lighting systems. Alright, so think billboards on the highway; they have lighting systems. These aren't the digital billboards that are actually LED or anything like that; they're static billboards retrofitted with these outdoor lights, and they actually have remote control systems built into them. They had an app. I drove by a billboard one night and I had this idea: I wonder how those are controlled, right? Turns out SmartLink develops a solution just for that, but I didn't have a login or password. I still wanted to poke around, so I decompiled the app itself, right, looked around the API requests, and what did I find? If you can see the get customer list

method in that Java there, in the Android application, you don't see any hint of authentication whatsoever, right? There's just a generic request to make this, and I find this pretty often, just because I think what happens is developers don't think that these requests will be seen, right, simply because they're made by the phone; they're not very public. You have to do a little digging to see them, sometimes install your own certificate to proxy the requests, but in general they're not seen by the everyday user. So I opened up a debugger on Android and I set a breakpoint in the app process; I attempted to log in and I saw this request go across the wire, right?

Actually, once I stopped it, I manually ran get customer list, and all the customers were returned without any authentication whatsoever. So you can see there's a lot of interesting information that could have been abused in this system. This is one, I think this was a demo account, but all the structures that were managed by this account; so any user could have manually gone through the system and taken ownership of all these structures, any company's billboard, and really turned off all the lights, right? I presume billing information and other things would have been in there also. On the main web server for the APIs, directory listing

was enabled, all kinds of logs on there, and you can see the logs were open; there were literally usernames and passwords within the log files on the public web server sitting with directory listing enabled. So once again I contacted OutdoorLink and we worked together on it, right? Security stuff happens, and working with these guys, instead of debating them on Twitter or something, ended up being a more positive experience, right? I won't go through the entire process, but what ended up happening was the vendor turned off the old API; they were creating a new one anyway, and they phased that out and went with a properly authenticated and authorized framework. So looking forward, the industry, I think,

tends to be improving, right? You're seeing wider acceptance of bug bounty programs all over the place. I showed you a few examples where even those that don't have bug bounty programs or coordinated disclosure processes publicly established are still willing to work on security problems, right? The Department of Defense is expanding their bug bounty program; I mean, this is huge stuff, right? A few facts and figures from Bugcrowd, one of the larger bug bounty programs: you can see just year-over-year rapid increase in adoption and researcher payouts. Again, this is a breakdown by industry. I find this very interesting, just the amount of industries that are outside of technology that are adopting these programs, I mean healthcare, government. These are

areas that we particularly thought security was not a priority in, and maybe it still needs a lot of work, but it's trending well, right? These guys are starting to start bounty programs; it's unheard of. Another good example of moving forward is security.txt. This is an RFC still in draft; the goal is to standardize coordinated disclosure programs. So if you don't want to operate a bug bounty program, that's fine; the idea is that all organizations should have a published security contact, right, and this just kind of codifies that. As you can see, the main goal here is to define a standard by which organizations will describe the process to interact with independent security researchers. Here's an example

of a security.txt file, very simple, right? Just a contact; this happens to be a HackerOne profile, but a PGP key, anything that would be relevant, and you can go through the RFC to find more details about that standard. Still room for improvement: I think that developers need to continue to get better about security. I think it starts with developers, and they need to be concerned about this guy, right, not the gloves or the two keyboards or the hoodie, but the active attempt at exploiting whatever he builds, right, because in the end it's all of us that are responsible. I'm

well I think they're the same term that's what I was trying to say responsible disclosure is an older term I think they mean the same thing in my view responsible just being replaced with coordinated means you're responsible isn't different than mine right we don't have to argue about what responsible means some people think if vendor hazard was resolved a for mobility in 90 days that it's automatically full disclosure no ifs ands right there may be edge cases where ninety days doesn't exactly make sense or it's hard to update product there's a million reasons out there

I think that's where the agreement... every situation is different. I've had to get in situations that are a little bit nasty where I've had to threaten full disclosure. I never really wanted to, but I've had to threaten it a little bit; the situation was different. I think I find that deeply because I'm a developer; I can argue with developers because I know what it takes to fix an issue. It's a little bit harder if you're not familiar with the back-end engineering that goes into fixing a vulnerability. But in general, I think that you can't pressure... you know, either extreme is unacceptable, right? You can't not patch a vulnerability in a year, or you can't expect that a couple

business days is enough for the development cycle. So I think each situation is different. Do you think that each organization that

I think, again, I think that's between the researcher and that company. So you usually agree that there should be a conversation had beforehand to say if it's patched... I don't think that... it again depends on what kind of software this is. If it's just like a solution or something like that, I think once there's been a good conversation about the vulnerability or the patch... I think there's been many instances where I've written a blog about the technical details of the bug or an issue but not necessarily said, are you okay with me disclosing this issue? I think that's one of the advantages of being independent: you're not exactly looking for their approval all the time.

All right, you're working with them, but I don't think it's fair to say don't tell anyone that you did this, because I didn't enter into any agreement with you. Up to you and how the process went, right? I think I did, I can't remember exactly, but I think I did mention to Verizon, hey, I'm publishing this. I didn't ask, but I said, you know, I'm writing a blog about it, more to... not to really ridicule you, but more to document the technical details behind it. I will talk about... and I did like the experience with them, things like that.

Sometimes people publish vulns online to force the company's hand; that's full disclosure. You do, you walk through the technical documents after it's all been patched, so yeah, that's what I view as the responsible or coordinated approach. I've never done full disclosure. I understand people that do; I'm not knocking it. Everyone has their reasons; I may not agree all the time. Again, it's a researcher-by-researcher, vulnerability-by-vulnerability kind of situation. I think that, sir, you mentioned one of the services. I've used both; I like them both. I think HackerOne is a little bit more incentivizing in that they have some leaderboards. Maybe Bugcrowd is doing this too, but HackerOne has

some interesting... like when a company is not just giving away swag or they're not giving away monetary prizes, they have a unique system that gives points to developers, and they kind of fight each other for rank, and it kind of puts a game around it instead of doing it for, you know, a t-shirt. Sure, I saw your presentation on the horizon weather... Oh, oh, right, okay, yeah, and I know it is five, and I was just flabbergasted at how best we could find it, yet these kinds of apps get out there into production, where it seems like if you did find in that class, why can't the

you know, the security environment... the, yeah, the private fund... yeah. And then maybe two months after your presentation it hit the newspaper about an app from the police department or the homeowner, that something they could record their valuables. Oh yeah, I remember that one too. Yeah, that had the same vulnerabilities. Yes, it's just... my father... yeah. Security is hard; I think everyone in this room knows that. It's easy to get wrong. Some of the stuff I find, I agree with you, is surprising; it's kind of low-hanging fruit, the first thing you would look at as an adversary. So it is surprising. I think all we can do is work on it and work on developer education.

Thanks, guys.