Targeting the Hidden Attack Surface of Automation

Post on 10-Jun-2020


April 2, 2019

Carl Herberger

Targeting the Hidden Attack Surface of Automation

Davos Risk to World 2019


OWASP Top-21 Automated Threats

Credential Cracking

Credential Stuffing

Account Creation

Account Aggregation

Token Cracking

Denial of Inventory

Scalping

Sniping

Data Scraping

Skewing

Spamming

CAPTCHA Defeat

Ad Fraud

Expediting

Carding

Card Cracking

Cashing Out

Fingerprinting

Footprinting

Vulnerability Scanning

Denial of Service

Threat categories:

• Account Takeover
• Availability of Inventory
• Abuse of Functionality
• Payment Data Abuse
• Vulnerability Identification
• Resource Depletion

Targeting the Hidden Attack Surface of Automation

Chapter A: API

Chapter B: Watering Holes

Chapter C: May the Best Bot Win

Chapter D: The Human on Speed

Chapter E: AI vs. AI

Targeting the Hidden Attack Surface of Automation

Chapter A

APIs

The Hidden Surface of Attacking APIs

The API Economy: Websites | Mobile Apps | API

Drivers for API Growth

DevOps | Fog Computing | SDN

Dependencies increase the blast radius of the attack

• API Parameter Tampering: hackers often use this technique either to reverse engineer an API or to gain further access to sensitive data.

• Session Cookie Tampering: these attacks attempt to exploit cookies in order to bypass security mechanisms or send false data to application servers.

• Man-in-the-Middle Attacks: by eavesdropping on an unencrypted connection between an API client and server, hackers can access sensitive data.

• DDoS Attacks: poorly written code can be made to consume computer resources by sending invalid input parameters, subsequently causing a disruption to the API-supported web application.

• Content Manipulation: by injecting malicious content (e.g., poisoning JSON Web Tokens), exploits can be distributed and executed in the background.

Targeting the Hidden Attack Surface of Automation

Chapter B

Watering Holes

Attacking Proxies

The Watering Hole Examples

• App Stores
• Security Update Services
• Public Code Repositories
• Web Analytics Platforms
• Identity and Access / Single Sign-On Platforms
• Open Source Code
• 3rd Party Vendors in Website

Watering Hole Attacks

Attacking the Side Channels

• DDoS the Analytics company

• Brute force attack ALL users

• Port Admin’s Phone and steal logins

• Massive load on “page dotting”

• Brute force all 3rd party companies of site

• Use large Botnets to “learn” ins and outs

Targeting the Hidden Attack Surface of Automation

Chapter C

May the Best Bot Win

Bot vs. Bot

Bot Management is YOUR future

What do good bots do?

• Search Engines
• Pricing Services
• Fulfillment

Bad Bots: 29%

Good Bots: 23%

Humans: 48%

~30% of the internet traffic is generated by bad bots

4 in 5 organizations cannot distinguish between ‘good’ & ‘bad’ bots

The Rise of the IoT Botnets


The Rise of Automated HTTP Bot Threats

75%

For some organizations, bots represent more than 75% of their total traffic

79%

79% of organizations cannot distinguish between ‘good’ bots and ‘bad’ ones
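The "Bot Management" and "Rise of Automated HTTP Bot Threats" slides above both say that most organizations cannot tell good bots from bad ones. As an added example (not code from the talk or its author), the Python below runs one simple classification over a handful of constructed access-log lines: a client whose User-Agent claims to be a known crawler is believed only if its source address is inside that crawler's published range, and any other client above a request-rate threshold is treated as a bot. The crawler names, IP ranges, log lines and threshold are all constructed assumptions; a real deployment would use the crawler operators' published ranges and tuned thresholds.

```python
"""Added example (not from the talk): label request sources in an access log
as human, good bot or bad bot, then compute the traffic split the slides
quote. Log lines, IP ranges, user agents and thresholds are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumption: the operator maintains an allowlist of each crawler's published ranges.
GOOD_BOT_RANGES = {
    "Googlebot-demo": [ipaddress.ip_network("66.249.64.0/19")],
    "PriceWatch-demo": [ipaddress.ip_network("203.0.113.0/24")],
}
RATE_THRESHOLD = 2.0   # requests/second per client before it is called a bot (assumption)

# Common log format with referrer and user agent; everything else is ignored.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d+ \d+ "[^"]*" "([^"]*)"$')

# Constructed sample: one browser, one real crawler, one crawler impersonator,
# one credential-stuffing style script hammering /login.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2019:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Firefox/66.0"
10.0.0.5 - - [02/Apr/2019:10:00:07 +0000] "GET /about HTTP/1.1" 200 210 "-" "Mozilla/5.0 (X11; Linux) Firefox/66.0"
66.249.66.1 - - [02/Apr/2019:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 80 "-" "Googlebot-demo/2.1"
66.249.66.1 - - [02/Apr/2019:10:00:03 +0000] "GET /products HTTP/1.1" 200 900 "-" "Googlebot-demo/2.1"
198.51.100.9 - - [02/Apr/2019:10:00:02 +0000] "GET /products HTTP/1.1" 200 900 "-" "Googlebot-demo/2.1"
192.0.2.77 - - [02/Apr/2019:10:00:05 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.21"
192.0.2.77 - - [02/Apr/2019:10:00:05 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.21"
192.0.2.77 - - [02/Apr/2019:10:00:05 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.21"
192.0.2.77 - - [02/Apr/2019:10:00:06 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.21"
192.0.2.77 - - [02/Apr/2019:10:00:06 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.21"
"""


def parse_log(text: str):
    """Yield (ip, timestamp, user_agent) for every well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed lines are skipped, not trusted
        ip, ts, ua = m.groups()
        yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ua


def declared_good_bot(ua: str):
    """Return the crawler name the User-Agent claims to be, if any."""
    for name in GOOD_BOT_RANGES:
        if name in ua:
            return name
    return None


def classify(text: str) -> dict:
    """Label each client IP as 'human', 'good_bot' or 'bad_bot'.

    A claimed crawler identity is only believed when the source address sits
    inside that crawler's published range; a claim from elsewhere is treated
    as a spoofed bot. Unclaimed clients above the rate threshold are bots too.
    """
    stats = defaultdict(lambda: {"n": 0, "first": None, "last": None, "ua": set()})
    for ip, ts, ua in parse_log(text):
        s = stats[ip]
        s["n"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["ua"].add(ua)
    labels = {}
    for ip, s in stats.items():
        addr = ipaddress.ip_address(ip)
        claimed = next((c for c in (declared_good_bot(u) for u in s["ua"]) if c), None)
        span = (s["last"] - s["first"]).total_seconds()
        rate = s["n"] / max(span, 1.0)   # at least a one-second window
        if claimed is not None:
            verified = any(addr in net for net in GOOD_BOT_RANGES[claimed])
            labels[ip] = "good_bot" if verified else "bad_bot"
        elif rate > RATE_THRESHOLD:
            labels[ip] = "bad_bot"
        else:
            labels[ip] = "human"
    return labels


def traffic_share(text: str) -> dict:
    """Percentage of requests per label, the kind of split the slides show."""
    labels = classify(text)
    counts = defaultdict(int)
    total = 0
    for ip, _, _ in parse_log(text):
        counts[labels[ip]] += 1
        total += 1
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}


if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
    print(traffic_share(SAMPLE_LOG))
```

On the constructed sample the browser is human, the in-range crawler is a good bot, the impersonator and the login script are bad bots, and bad bots account for 60% of requests. Real traffic needs more signals than rate and source range (session behaviour, JavaScript execution, challenge results), but even this minimal pass separates the three classes the slides say most organizations cannot tell apart.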

WHAT CAN BOTS DO?

1. DDOS ATTACKS

2. ACCOUNT TAKEOVER

3. DATA THEFT

4. WEB SCRAPING

5. BRUTE FORCE

Targeting the Hidden Attack Surface of Automation

Chapter D

The Human on Speed

When User Error or People Attack Automation

DevOps and User Error

Automated Social Engineering (ASE)


SNAP_R – Automated Spear-Phishing

• Man vs Machine – 2 hour bake off

• SNAP_R

– 819 tweets

– 6.85 simulated spear-phishing tweets/minute

– 275 victims

• Forbes staff writer Thomas Fox-Brewster

– 200 tweets

– 1.67 copy/pasted tweets/minute

– 49 victims

Automated Social Engineering (ASE): Breaking CAPTCHA

• 2012: Support Vector Machines (SVM) to break reCAPTCHA, 82% accuracy (Cruz, Uceda, Reyes)

• 2016: Breaking simple-captcha using Deep Learning, 92% accuracy (“How to break a captcha system using Torch”)

• 2016: I’m not Human - breaking the Google reCAPTCHA

Targeting the Hidden Attack Surface of Automation

Chapter E

AI vs. AI

“If you're not concerned about AI safety, you should be. Vastly more risk than North Korea” (Elon Musk, August 2017)

The Evolution of AI

Neural Networks | Machine Learning | Deep Learning

Poisoning Attack

March 2016 – Microsoft unveiled Tay, an innocent chatbot (Twitter bot): an experiment in conversational understanding

It took less than 24 hours before the community corrupted an innocent AI chatbot

https://i.kym-cdn.com/photos/images/original/001/096/674/ef9.jpg

Fooling AI

Targeting the Hidden Attack Surface of Automation

Chapter A: APIs

Chapter B: Watering Holes

Chapter C: May the Best Bot Win

Chapter D: The Human on Speed

Chapter E: AI vs. AI

Automation is already changing our world. We should change the way we think about security accordingly.

Thank you