blackhat 2014 conference and defcon 22

Blackhat US 2014 (now with bonus Defcon 22 content). Presented by Michael Gorman, Lipika Kumar and Neil Rhine

Upload: dandb-technology

Post on 22-May-2015


DESCRIPTION

Notes from the 2014 Black Hat Conference. Also some tidbits from the Defcon Conference.

TRANSCRIPT

Page 1: Blackhat 2014 Conference and Defcon 22

Blackhat US 2014*

* Now with bonus Defcon 22 content

Presented by Michael Gorman, Lipika Kumar and Neil Rhine

Page 2: Blackhat 2014 Conference and Defcon 22

BlackHat Vs Defcon

Page 3: Blackhat 2014 Conference and Defcon 22

Blackhat

Page 4: Blackhat 2014 Conference and Defcon 22

Defcon

Page 5: Blackhat 2014 Conference and Defcon 22

Top talks

● Keynote
● How to Wear Your Password
● Web and Mail Filtering
● Hack All the Things
● Deception in Cyber
● Pivoting in Amazon Clouds
● Call to Arms: a tale of weakness of current client-side XSS filtering
● A Survey of Remote Attack Surfaces
● Panel: API Security
● Third Party Libraries and Dependencies
● Security in CI
● Memcached Injections

Page 6: Blackhat 2014 Conference and Defcon 22

What happens if you abandon your car on the side of the road?

- Someone else will eventually take ownership; why shouldn’t the same be true of software?

Page 7: Blackhat 2014 Conference and Defcon 22

Keynote

Dan Geer

● Source code liability
● Resiliency
● Software abandonment
● Bug bounties
● Convergence

Page 8: Blackhat 2014 Conference and Defcon 22

How secure is the average password?

- 8 bits of security, very quick to crack
- A biometric fingerprint is 30 bits of data, but gives even less security because of similarities between people’s prints

Page 9: Blackhat 2014 Conference and Defcon 22

Wear Your Password

● Computational power
● Increase authentication difficulty, but limit its use
● A device to represent you

Page 10: Blackhat 2014 Conference and Defcon 22

Do we have web and email filtering?

- Yes and yes

Does it protect us from phishing?

Page 11: Blackhat 2014 Conference and Defcon 22

Enumeration of Web/Mail Filter Policy

● Using non-existent email addresses you can learn a lot about email servers

● Client-side JavaScript can be used to test any number of policy options

Page 12: Blackhat 2014 Conference and Defcon 22

In what ways can a system be compromised?

- Physically (UART, eMMC readers)
- Software vulnerabilities (XSS, command injection)

Page 13: Blackhat 2014 Conference and Defcon 22

Hack All the Things

Three main vectors of attack generally used:

● Software vulnerability (XSS, command injection)
● eMMC/memory dumps
● UART (onboard serial connection)

Don’t ever give physical access to anything!

Page 14: Blackhat 2014 Conference and Defcon 22

What countries are the most practiced in deception?

- China
- Russia
- Ukraine

Page 15: Blackhat 2014 Conference and Defcon 22

Deception in Cyber

● Strength in words, developing a lexicon
● History of deception

Page 16: Blackhat 2014 Conference and Defcon 22

Question Time

Name some well-known companies that are already on the cloud: Amazon, AT&T, Google, Microsoft, Salesforce.com

What are some security vulnerabilities with cloud-based services?

Losing security keys. Don’t share keys with anyone, not even your provider.

Techniques for preventing attacks?

- Split-key encryption.

- The provider will give you the infrastructure, but you are responsible for security.

- Knowing your application inside and out and not simply

Page 17: Blackhat 2014 Conference and Defcon 22

Lessons

Providers give you the infrastructure, but you are responsible for making sure you don’t lose your secrets!

“The specific challenges differ for the three cloud delivery models, but in all cases the difficulties are created by the very nature of utility computing, which is based on resource sharing and resource virtualization and requires a different trust model than the ubiquitous user-centric model that has been the standard for a long time.”

Page 18: Blackhat 2014 Conference and Defcon 22

Pivoting in Amazon Clouds

● AWS credentials stored in meta-data servers for each instance server

● IAM profile management strategies
  o divide up

● Code demo for nimbostratus
  o includes hacking into AWS for credentials
  o provides a sample AWS environment set up to hack
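Since an instance's role credentials are reachable from the instance itself, the defensive lever is the IAM policy behind that profile. Here is an added example (not from the talk or the nimbostratus project) that audits policy documents for grants that let one compromised instance reach past its own job; the policies and ARNs are constructed for illustration.

```python
import json

# Constructed sample policies (illustrative names and ARNs, not real accounts).
# A tightly scoped policy for a web tier: read one bucket, describe instances.
WEB_TIER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-assets/*"},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}
  ]}""")

# An over-broad policy of the kind that turns one compromised instance into a pivot.
OVERBROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}
  ]}""")

READ_ONLY_PREFIXES = ("Describe", "Get", "List")
# Actions that let a caller reach other roles (the pivot the talk is about).
PIVOT_ACTIONS = {"sts:AssumeRole", "iam:PassRole"}


def _as_list(value):
    # IAM accepts either a string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def audit_instance_policy(doc):
    """Return findings for Allow statements that give an instance role more
    than its own job needs. Deny statements are skipped: they only narrow."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            _service, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                findings.append(f"wildcard action {action!r}")
            elif action in PIVOT_ACTIONS and "*" in resources:
                findings.append(f"{action} on Resource '*' (path to other roles)")
            elif "*" in resources and not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(f"mutating action {action} on Resource '*'")
    return findings
```

The check is deliberately conservative: a read-only verb on `Resource: "*"` passes, while any wildcard action or an unrestricted AssumeRole/PassRole grant is reported so the profile can be split up per job.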

Page 19: Blackhat 2014 Conference and Defcon 22

Question Time

What is XSS? Cross-site scripting

What are the different types of XSS attacks? Reflected and stored

What are some techniques to prevent XSS attacks? Regular-expression-based approaches: NoScript, Internet Explorer

Page 20: Blackhat 2014 Conference and Defcon 22

Call to Arms XSS

● Basics of XSS: reflected and stored
● Ways to prevent attacks:
  o Chrome XSS Auditor
  o libraries
  o choice of framework
● Demo of hacking through Chrome XSS Auditor

Page 21: Blackhat 2014 Conference and Defcon 22

Question Time

What kinds of cars can be hacked? Any car that relies on software to control parts of the car. “If you can write a web-based exploit you can hack into a car!” (quote from the talk)

Define cyber-physical attacks: attacks that result in physical control of various aspects of the automobile

Page 22: Blackhat 2014 Conference and Defcon 22

A Survey of Remote Automotive Attack Surfaces

Page 23: Blackhat 2014 Conference and Defcon 22

A Survey of Remote Automotive Attack Surfaces

Most hackable:

1. 2014 Jeep Cherokee
2. 2015 Cadillac Escalade
3. 2014 Infiniti Q50

Least hackable:

1. 2014 Dodge Viper
2. 2014 Audi A8
3. 2014 Honda Accord

Page 24: Blackhat 2014 Conference and Defcon 22

Demo Time!

Attack against test environment

Bonus Question: What does CVSS stand for?

Page 25: Blackhat 2014 Conference and Defcon 22

Third Party Library and Dependencies

CVSS - Common Vulnerability Scoring System

OpenSSL - Heartbleed

Destroyed the idea of security for the average person

Page 26: Blackhat 2014 Conference and Defcon 22

Question Time!

Name two of the most common types of attacks

2 of 3: XSS, DDoS, SQL injection

Name the open-source Linux distro that helps you test for vulnerabilities

Kali Linux

Page 27: Blackhat 2014 Conference and Defcon 22

Security in CI

Can’t wait for something to happen

Technologies that test for external dependency vulnerabilities: SensioLabs, OWASP

Request for security-minded people

Page 28: Blackhat 2014 Conference and Defcon 22

Rugged Manifesto

I am rugged and, more importantly, my code is rugged.

I recognize that software has become a foundation of our modern world.

I recognize the awesome responsibility that comes with this foundational role.

I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.

I recognize these things - and I choose to be rugged.

I am rugged because I refuse to be a source of vulnerability or weakness.

I am rugged because I assure my code will support its mission.

I am rugged because my code can face these challenges and persist in spite of them.

I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.

Page 29: Blackhat 2014 Conference and Defcon 22

Start Doing...

● Hackweek projects that involve hacking and prevention improvements

● Considering possible security breaches when looking at teammates’ pull requests

● Security lunch and learns
● Capture the flag
● Monthly security hacking sessions (front end, back end)

Page 30: Blackhat 2014 Conference and Defcon 22

Stop Doing...

Waiting for a problem to arise

Trusting security to other people

What do you see wrong?

Page 31: Blackhat 2014 Conference and Defcon 22

Thoughts Provoked by Talks at the Conference

We are responsible for our own security even when we are using third-party services

Page 33: Blackhat 2014 Conference and Defcon 22

Thank You