Social Connections 12. We hired hackers to hack us
Transcript of Social Connections 12. We hired hackers to hack us
Vienna, October 16-17 2017
We hired hackers to hack us: a case study about cloud-based authentication and security in IBM Connections
Robert Farstad @robertfarstad
Social Connections 11 Chicago, June 1-2 2017 Social Connections 12 Vienna, October 16-17 2017
Platinum sponsors
Gold sponsors
Silver sponsors
Bronze sponsors
This session…
…is mainly for you tech people, but very useful for everyone to see. Might be an eye-opener.
No talk about:
• What IBM Connections is…
• What IBM Cnx can give you…
• No ROI talk, whatsoever!
• How to use IBM Cnx!!
This session…
…is a case study where I will show you
• an integration with Auth0.
• how we hired hackers to hack us.
The customer
The customer
• Political party, won the election 2017, second time in a row.
• Norway's Prime Minister is Høyre's leader.
• 60,000 members
• Was a white-space customer.
• Now: Connections + Docs + Sametime
• IBM Reference Customer.
• Security is a priority, more and more.
• Election year = hacking attempts.
• We hacked them first!
Auth0 - cloud based authentication
Høyre used Auth0 for all websites. Requirement for them to become a Connections customer was:
• Authentication integration with Auth0!
• → POC – Item Consulting developed a TAI mechanism towards Auth0.
What is Auth0?
Auth0 - cloud based authentication
You can connect any application.
• Custom credentials: username + password
• Social network logins: Google, Facebook, Twitter, and any OAuth2, OAuth1 or OpenID Connect provider.
• Enterprise directories: LDAP, Google Apps, Office 365, ADFS, AD, SAML-P, WS-Federation, etc.
• Passwordless systems: Touch ID, one-time codes on SMS, or email.
• Supports several 2-factor solutions.
Auth0 - cloud based authentication
• JSON Web Token
• Secure API (TLS v1.2, AES_128_GCM, and uses ECDHE_RSA as the key exchange mechanism.)
• Extensible admin tool.
• Monitoring (#logins, where from, who fails, hack attempts, alarms.)
• Blocking
• Logs
• Synced with Høyre's back-end member system via MSSQL DB, securely!
Auth0 + TAI
• Item developed a WebSphere Application
• TAI – Trust Association Interceptors.
• → LTPA after authenticated
• New Auth0 login page.
• Logout pages are modified:
  • Logs out of Auth0
  • Logs out of WebSphere
Devices used
Login occurs from:
• Browsers
• Apps
• Desktop plugins.
Technically, the login procedures are quite different.
Web-browsers
Apps + Plugins
Tivoli Directory Server - TDS
• FREE/bundled LDAP server for IBM Connections
• Standard setup between WebSphere and TDS
• Import of users via TDI/SDI to TDS.
• From MSSQL database – over site-2-site VPN.
• Imports only the most relevant fields: name, email, mobile, position, company, department
Tivoli Directory Server – TDS + PTA
• Password field in TDS is blank!
• PTA is triggered.
• What is PTA?
• Pass-Through Authentication
• PTA is configured to search in an alternative LDAP source.
• The password is stored in Auth0
• Our PTA source is TDI/SDI
• TDI calls the TAI application – gets response code 200 if OK.
• → logged in
What is TDI/SDI?
• Tivoli Directory Integrator / Security Directory Integrator
• Data manipulation system, limitless possibilities.
• Eclipse based – JavaScript coding.
• Used to move, consolidate, manipulate data.
• Used in Connections for profile data import.
• Best tool ever, once you've learned the gist of the GUI and debugger.
TDI – acting as an LDAP server.
• Simulates an LDAP server
• Gets attempted username and password from TDS PTA.
• Credentials → WebSphere Auth0 login app.
• WAS app → REST lookup to Auth0 API.
• Gets return code OK or NOT_OK.
• TDI receives same code from the WAS app.
• TDS PTA receives same code from TDI.
• TDI runs multiple instances – can handle large load.
TDI – acting as an LDAP server.
Simple code – extremely powerful!
We hired hackers
Did they get in?
What they tested
• Login attempts
• SSL + headers
• Apps
• Stolen laptop
• Me!
• Sensitive information
SSL tests
www.ssllabs.com – grade was bad. After hardening: SSL cipher suite, honor cipher order and SSLv2 + v3 disabling. TLS only.
SSL tests – http config for Grade A
```apache
SSLEnable
SSLProtocolEnable TLS
SSLProtocolDisable SSLv2 SSLv3
# Disable SSL compression -> CRIME attack
SSLCompression off
# Prefer ECDHE-RSA ciphers
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
# Enabling these 3 ciphers means A-rating on ssllabs
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec ALL SSL_RSA_WITH_3DES_EDE_CBC_SHA
```
Headers
securityheaders.io – grade was bad. After hardening:
HTTP config to achieve Grade A:
```apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set Referrer-Policy "same-origin"
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "DENY"
# The slide lists both values; send only one X-Frame-Options header. Keep DENY unless
# your own pages need to frame the site, in which case use SAMEORIGIN instead.
Header set X-Frame-Options SAMEORIGIN
```
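As an added illustration (not code from the talk or from Item Consulting), a small Python linter that reads IBM HTTP Server directives like the SSL and Header lines above and flags what the SSL Labs and securityheaders.io grades penalise: SSLv2/v3 left enabled, compression on, 3DES or other weak suites, RSA key exchange without forward secrecy, a missing header, a short HSTS max-age, and a header set twice (as with the two X-Frame-Options lines). The embedded sample config is constructed, with a few weak lines left in on purpose.

```python
import re

# Constructed sample of IBM HTTP Server directives in the style of the slides,
# with a few deliberately weak lines left in to exercise the checks.
SAMPLE_CONF = """\
SSLProtocolDisable SSLv2 SSLv3
SSLCompression off
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec ALL SSL_RSA_WITH_3DES_EDE_CBC_SHA
Header always set Strict-Transport-Security "max-age=300; includeSubDomains"
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "DENY"
Header set X-Frame-Options SAMEORIGIN
"""

# Headers from the securityheaders.io slide; HSTS lifetime the slide uses (one year).
REQUIRED_HEADERS = {"Strict-Transport-Security", "Referrer-Policy",
                    "X-Content-Type-Options", "X-XSS-Protection", "X-Frame-Options"}
HSTS_MIN_AGE = 31536000
HEADER_RE = re.compile(r'Header\s+(?:always\s+)?set\s+(\S+)\s+"?([^"]*)"?')

def lint_ihs_config(text):
    """Return findings for the SSL* and Header directives of an IHS config."""
    findings, headers, disabled = [], {}, set()
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "SSLProtocolDisable":
            disabled.update(parts[1:])
        elif parts[0] == "SSLCompression" and [p.lower() for p in parts[1:2]] != ["off"]:
            findings.append("SSLCompression not off (CRIME)")
        elif parts[0] == "SSLCipherSpec" and len(parts) >= 3 and parts[2] != "NONE":
            suite = parts[2]
            if "3DES" in suite or "RC4" in suite or suite.startswith("SSL_"):
                findings.append(f"weak cipher enabled: {suite}")
            elif suite.startswith("TLS_RSA_"):  # static RSA key exchange, no forward secrecy
                findings.append(f"no forward secrecy: {suite}")
        elif parts[0] == "Header" and (m := HEADER_RE.match(raw.strip())):
            name, value = m.groups()
            if name in headers:  # the later directive wins, which is easy to miss
                findings.append(f"{name} set twice; last value ({value}) wins")
            headers[name] = value
    for proto in ("SSLv2", "SSLv3"):
        if proto not in disabled:
            findings.append(f"{proto} not disabled")
    for name in sorted(REQUIRED_HEADERS - set(headers)):
        findings.append(f"missing header: {name}")
    age = re.search(r"max-age=(\d+)", headers.get("Strict-Transport-Security", ""))
    if age and int(age.group(1)) < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age {age.group(1)} is below one year")
    return findings
```

Run it over the page's own Grade A config and the TLS_RSA_ suites will also be reported: they pass the SSL Labs grade but give no forward secrecy.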
The Mobile App
Decompile
• Android app is decompilable
• Broken down to study code
Test
• Tried every URL found in code
Result
• Found no insecurities!
• But MITM attacks were possible!
MITM - Man-in-the-middle attack
An employee is out traveling and connects to a public network such as a hotel or airport WiFi. But instead, connects to a hacker's WiFi hotspot. Then clicks on "Continue"…. He/she will give the hacker running a MITM attack full visibility over the traffic.
MITM - Man-in-the-middle attack
mobile-config.xml has the solution for the Connections app. Don't press "Continue"! Tell your admins to fix it.
Demo time
The demo consisted of showing a MITM attack + username/password "cluster bomb" attack using the free tool Burp Suite.
Accident waiting to happen
What did they find when they got in?
Stolen Laptop Scenario
Stolen Laptop Scenario
• Not hard to find password on PC
• Once in, passwords to sites are normally stored in browser.
• Saved WiFi hotspots give hackers GPS coordinates => can drive up alongside your company's building and connect.
• Hackers found sensitive information open to all of the IBM Connections users.
Don't expose login information available to everyone!
They hacked me!
Or at least, they tried to…
They hacked me!
• They knew who I was.
• Googled me, found my blog.
• In one of the screenshots, a password was censored.
They hacked me!
I was a weak link…
How hard is it for hackers to find IT staff at your company? LinkedIn search… Google search… Google is both your friend and your enemy.
• Bad censoring!!
• Found 6 out of 9 chars by matching font, size and studied curves.
Avoid stress
• Mask/hide better!
• Hackers are clever bastards.
• Hackers have A LOT of free time.
• Implement a 2-factor authentication mechanism, like Auth0
• Hide your stuff.
• Once again: hackers are clever bastards.
• Lockout policy – i.e. 5 attempts => locked out… Hackers have tools for that!
• Train your users!
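On the lockout point above: a per-user rule of five attempts never trips against a "cluster bomb" that spends one or two guesses on each of many accounts, so the useful detection aggregates failures by source instead. The Python below is added here and is not part of the presentation; the log lines are constructed, not Auth0 output, and the four-field layout (time, source IP, username, result) is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Auth0 output; the field layout is an assumption):
# timestamp, source IP, username, result. One source tries 7 guesses across 6 accounts.
SAMPLE_LOG = """\
2017-10-16T10:00:01 203.0.113.7 alice fail
2017-10-16T10:00:02 203.0.113.7 bob fail
2017-10-16T10:00:03 203.0.113.7 carol fail
2017-10-16T10:00:04 203.0.113.7 dave fail
2017-10-16T10:00:05 203.0.113.7 erin fail
2017-10-16T10:00:06 203.0.113.7 frank fail
2017-10-16T10:00:07 203.0.113.7 alice fail
2017-10-16T10:00:08 203.0.113.7 bob success
2017-10-16T10:05:00 198.51.100.9 alice fail
2017-10-16T10:05:30 198.51.100.9 alice success
"""

LOCKOUT_THRESHOLD = 5   # the slide's per-user rule: 5 attempts => locked out
IP_FAIL_THRESHOLD = 5   # failures from one source within WINDOW ...
IP_USER_THRESHOLD = 3   # ... spread over at least this many distinct accounts
WINDOW = timedelta(minutes=10)

def parse_log(text):
    """Parse the constructed log format into (time, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def per_user_lockouts(events):
    """Accounts a naive per-user lockout would lock: none here, the guesses are spread out."""
    fails = defaultdict(int)
    for _, _, user, result in events:
        if result == "fail":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD)

def spray_alerts(events):
    """Sources whose failures inside a sliding WINDOW span many distinct accounts."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "fail":
            by_ip[ip].append((ts, user))
    alerts = []
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = [u for t, u in attempts[i:] if t - start <= WINDOW]
            if len(users) >= IP_FAIL_THRESHOLD and len(set(users)) >= IP_USER_THRESHOLD:
                alerts.append({"ip": ip, "failures": len(users), "accounts": sorted(set(users))})
                break
    return alerts

def successes_after_spray(events, alerts):
    """Logins that succeeded from a source already flagged: treat as likely compromise."""
    flagged = {a["ip"] for a in alerts}
    return [(ip, user) for _, ip, user, result in events
            if result == "success" and ip in flagged]
```

A success from a flagged source is the "accident waiting to happen" from the demo, and is the event to page on; a per-user counter alone would have stayed silent for every account in the sample.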
Useful links:
Check SSL: https://ssllabs.com
Check headers: https://securityheaders.io
Analyze CSP: https://report-uri.io/home/analyse
What can your browser support? http://caniuse.com/#search=referrer%20policy
Auth0 multi-factor authentication: https://auth0.com/docs/multifactor-authentication
Burp Suite: https://portswigger.net/burp
Ethical Hacker Certification: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
My blog: http://blog.robertfarstad.com
Twitter: https://www.twitter.com/robertfarstad
Item Consulting: https://www.item.no