April 2, 2019
Carl Herberger
Targeting the Hidden Attack Surface of Automation
Davos Risk to World 2019
OWASP Top-21 Automated Threats
Credential Cracking
Credential Stuffing
Account Creation
Account Aggregation
Token Cracking
Denial of Inventory
Scalping
Sniping
Data Scraping
Skewing
Spamming
CAPTCHA Defeat
Ad Fraud
Expediting
Carding
Card Cracking
Cashing Out
Fingerprinting
Footprinting
Vulnerability Scanning
Denial of Service
Categories: Account Takeover; Availability of Inventory; Abuse of Functionality; Payment Data Abuse; Vulnerability Identification; Resource Depletion
Agenda
• Chapter A: APIs
• Chapter B: Watering Holes
• Chapter C: May the Best Bot Win
• Chapter D: The Human on Speed
• Chapter E: AI vs. AI
Chapter A: APIs
The Hidden Surface of Attacking APIs
The API Economy: websites and mobile apps both consume the API
Drivers for API growth: DevOps, fog computing, SDN
Dependencies increase the blast radius of the attack
• API Parameter Tampering – Hackers often use this technique either to reverse engineer an API or to gain further access to sensitive data.
• Session Cookie Tampering – These attacks attempt to exploit cookies in order to bypass security mechanisms or send false data to application servers.
• Man-in-the-Middle Attacks – By eavesdropping on an unencrypted connection between an API client and server, hackers can access sensitive data.
• DDoS Attacks – Poorly written code can be used to consume computer resources by sending invalid input parameters, subsequently causing a disruption to the API-supported web application.
• Content Manipulation – By injecting malicious content (e.g., poisoning JSON Web Tokens), exploits can be distributed and executed in the background.
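The parameter-tampering, cookie-tampering and JWT-poisoning items above share one defensive property: the server must not trust any client-supplied structure it did not itself sign or validate. The Python below is an added example written for this transcript, not code from the talk; it uses only the standard library, and the secret, the parameter schema and the sample tokens are constructed assumptions. The verifier fixes the signing algorithm on the server side (so a token that declares `alg: none` or carries a swapped payload fails closed) and compares signatures in constant time; the same HMAC pattern is what makes a session cookie tamper-evident. The parameter check rejects unknown names and out-of-range values before any business logic runs, which also closes the invalid-input path the DDoS item describes.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secret (a real service loads it from a secret store).
SERVER_SECRET = b"example-server-secret-do-not-reuse"
# The algorithm is chosen by the server and never read from the token.
ALLOWED_ALGS = {"HS256"}
# Constructed parameter schema: name -> (type, min, max); anything else is rejected.
PARAM_SCHEMA = {"order_id": (int, 1, 10**9), "page": (int, 1, 100)}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment whose '=' padding was stripped, as in JWTs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _hs256(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def mint_token(claims: dict, secret: bytes = SERVER_SECRET) -> str:
    """Issue an HS256 JWT (used here to build inputs for the verifier)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = _hs256(f"{header}.{payload}".encode("ascii"), secret)
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = SERVER_SECRET):
    """Return the claims if the token is intact, otherwise None.

    Rejects malformed tokens, any algorithm not chosen server-side
    (so 'alg: none' and algorithm confusion fail closed) and any
    signature that does not match, using a constant-time comparison.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad JSON or bad UTF-8
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = _hs256(f"{header_b64}.{payload_b64}".encode("ascii"), secret)
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


def tampered_payload(token: str, claims: dict) -> str:
    """Constructed test input: new payload, original header and signature kept."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url_encode(json.dumps(claims).encode())}.{sig_b64}"


def alg_none_token(claims: dict) -> str:
    """Constructed test input: header claims 'none', signature segment empty."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def validate_params(params: dict):
    """Allowlist API parameters: unknown names, wrong types and out-of-range
    values are reported before any business logic runs. Returns (ok, errors)."""
    errors = [f"unexpected parameter: {k}" for k in params if k not in PARAM_SCHEMA]
    for name, (typ, lo, hi) in PARAM_SCHEMA.items():
        if name not in params:
            continue
        try:
            value = typ(params[name])
        except (TypeError, ValueError):
            errors.append(f"{name}: not a valid {typ.__name__}")
            continue
        if not lo <= value <= hi:
            errors.append(f"{name}: {value} outside [{lo}, {hi}]")
    return (not errors, errors)


if __name__ == "__main__":
    tok = mint_token({"sub": "alice", "role": "user"})
    print("valid token ->", verify_token(tok))
    print("payload swapped ->", verify_token(tampered_payload(tok, {"sub": "alice", "role": "admin"})))
    print("alg none ->", verify_token(alg_none_token({"sub": "alice", "role": "admin"})))
    print("params ->", validate_params({"order_id": "42", "page": "2", "debug": "1"}))
```

The design point is that every decision (algorithm, key, accepted parameter names and ranges) is made from server-held configuration; the token and the query string only supply values to be checked against it.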
Chapter B: Watering Holes
Attacking Proxies
Watering Hole Examples:
• App Stores
• Security Update Services
• Public Code Repositories
• Web Analytics Platforms
• Identity and Access / Single Sign-On Platforms
• Open Source Code
• 3rd Party Vendors in Website
Watering Hole Attacks
Attacking the Side Channels
• DDoS the Analytics company
• Brute force attack ALL users
• Port Admin’s Phone and steal logins
• Massive load on “page dotting”
• Brute force all 3rd party companies of site
• Use large Botnets to “learn” ins and outs
Chapter C: May the Best Bot Win
Bot vs. Bot
Bot Management is YOUR future
What do good bots do?
• Search Engines
• Pricing Services
• Fulfillment
Traffic breakdown: Bad Bots 29%, Good Bots 23%, Humans 48%
~30% of the internet traffic is generated by bad bots
4 in 5 organizations cannot distinguish between ‘good’ & ‘bad’ bots
The Rise of the IoT Botnets
The Rise of Automated HTTP Bot Threats
• 75%: for some organizations, bots represent more than 75% of their total traffic
• 79%: 79% of organizations cannot distinguish between ‘good’ bots and ‘bad’ ones
What can bots do?
1. DDoS attacks
2. Account takeover
3. Data theft
4. Web scraping
5. Brute force
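The list of bot capabilities above becomes actionable once you can pick the automated clients out of a log. The Python below is an added example for this transcript, not the speaker's material; the log line format, the client addresses (RFC 5737 test ranges) and the thresholds are constructed assumptions. It groups requests per client and flags credential stuffing (many failed logins spread across many distinct accounts from one client, covering the account-takeover and brute-force items) and scraping (a high request rate across many distinct paths, the web-scraping item), while a low-rate human session with one mistyped password is left clean.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not vendor or OWASP figures.
STUFFING_MIN_FAILURES = 10       # failed logins from one client ...
STUFFING_MIN_USERNAMES = 10      # ... spread across this many distinct accounts
SCRAPING_MIN_DISTINCT_PATHS = 25
SCRAPING_MIN_RPM = 30.0          # requests per minute


def parse_line(line):
    """Constructed format: '<iso8601Z> <ip> <method> <path> <status> [user=<name>]'."""
    fields = line.split()
    if len(fields) < 5:
        return None
    rec = {
        "ts": datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": fields[1], "method": fields[2], "path": fields[3],
        "status": int(fields[4]), "user": None,
    }
    for extra in fields[5:]:
        if extra.startswith("user="):
            rec["user"] = extra[5:]
    return rec


def classify_clients(lines):
    """Return {client_ip: [flags]} where flags are drawn from
    'credential_stuffing' and 'scraping'."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    verdicts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Floor the observation window at one minute so a burst is not divided by ~0.
        span_min = max((recs[-1]["ts"] - recs[0]["ts"]).total_seconds() / 60.0, 1.0)
        rpm = len(recs) / span_min
        failed = [r for r in recs
                  if r["method"] == "POST" and r["path"] == "/login" and r["status"] == 401]
        accounts = {r["user"] for r in failed if r["user"]}
        flags = []
        if len(failed) >= STUFFING_MIN_FAILURES and len(accounts) >= STUFFING_MIN_USERNAMES:
            flags.append("credential_stuffing")
        if len({r["path"] for r in recs}) >= SCRAPING_MIN_DISTINCT_PATHS and rpm >= SCRAPING_MIN_RPM:
            flags.append("scraping")
        verdicts[ip] = flags
    return verdicts


def constructed_sample_log():
    """Constructed sample traffic: a stuffing client, a scraper and one person."""
    base = datetime(2019, 4, 2, 10, 0, 0)
    lines = []
    # Client A: 40 failed logins against 40 different accounts in about two minutes.
    for i in range(40):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 203.0.113.7 POST /login 401 user=user{i:03d}")
    # Client B: sweeps 60 distinct product pages inside one minute.
    for i in range(60):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 198.51.100.9 GET /product/{1000 + i} 200")
    # Client C: a person browsing six pages over ten minutes with one mistyped password.
    for i, path in enumerate(["/", "/product/1001", "/login", "/login", "/cart", "/checkout"]):
        t = base + timedelta(minutes=2 * i)
        method = "POST" if path == "/login" else "GET"
        status = 401 if (path == "/login" and i == 2) else 200
        extra = " user=alice" if path == "/login" else ""
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 192.0.2.5 {method} {path} {status}{extra}")
    return lines


if __name__ == "__main__":
    for ip, flags in classify_clients(constructed_sample_log()).items():
        print(ip, flags or ["clean"])
```

In production the grouping key would usually be a session or device fingerprint rather than a bare source address, since the bot lists above are routinely driven through proxy pools; the counting logic stays the same.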
Chapter D: The Human on Speed
When User Error or People Attack Automation
DevOps and User Error
Automated Social Engineering (ASE)
SNAP_R – Automated Spear-Phishing
• Man vs. Machine – 2-hour bake-off
• SNAP_R
  – 819 tweets
  – 6.85 simulated spear-phishing tweets/minute
  – 275 victims
• Forbes staff writer Thomas Fox-Brewster
  – 200 tweets
  – 1.67 copy/pasted tweets/minute
  – 49 victims
Automated Social Engineering (ASE): Breaking CAPTCHA
• 2012: Support Vector Machines (SVM) to break reCAPTCHA – 82% accuracy (Cruz, Uceda, Reyes)
• 2016: Breaking simple-captcha using Deep Learning – 92% accuracy (“How to break a captcha system using Torch”)
• 2016: “I’m not Human” – breaking the Google reCAPTCHA
Chapter E: AI vs. AI
“If you're not concerned about AI safety, you should be. Vastly more risk than North Korea” – Elon Musk, August 2017
The Evolution of AI: Neural Networks | Machine Learning | Deep Learning
Poisoning Attack
March 2016 – Microsoft unveiled Tay, an innocent chatbot (twitterbot): an experiment in conversational understanding
It took less than 24 hours before the community corrupted an innocent AI chatbot
(slide image: https://i.kym-cdn.com/photos/images/original/001/096/674/ef9.jpg)
Fooling AI
Automation is already changing our world. We should change the way we think about security accordingly.
Thank you