2018/04/05: LocoMoco Security Conference: Day 1b

by Gene Kim

#Locomoco


Up: Troy Hunt (@troyhunt), who runs haveibeenpwned.com
- @troyhunt: breaches cause people’s credentials: in 4 yrs I’ve been running HaveIBeenPwned,
- @troyhunt: 1980s: remotely accessible systems; complexity rules prevent people from creating an acceptable password; people circumvent it: MySafeP@ssw0rd!
- @troyhunt: I know people are making passwords like this, because I’ve seen it; in fact, MySafeP@ssword5! <-- we can estimate how long they’ve been at company! (Haha)
- they mathematically are acceptable passwords, but they’re not good passwords
- NCSC: National Cyber Security Center: only ask users to change passwords on indication of suspicion of compromise
- @RealGeneKim: #locomoco: @troyhunt showing stats on the amazing service he runs: have I been pwned? https://t.co/6CqEp8JiR5
- @RealGeneKim: #locomoco: @troyhunt showing footage from Hawaii civil defense accident: password is on monitor https://t.co/sK5sZ4tvS6
- @troyhunt: haveibeenpwned now offers free list of pwned passwords (API & download), so these can’t be used in new passwords https://t.co/uHF2jM2zkf


  • @gattaca: New feature on @haveibeenpwned, “Pwned Passwords” has half a billion passwords from previous data breaches (not as… https://t.co/ptEVGmkfk0
  • @troyhunt: “in Mozilla focus groups, most people think the green lock indicating SSL connection is a handbag.” Haha.
  • @troyhunt: “Let’s Encrypt is a free, automated and open way to get CA, which has enabled phishing sites to get that green pretty lock
  • @RealGeneKim: #locomoco @troyhunt showing sources of blocked phishing certifications: “should the CA be responsible for whether y… https://t.co/BnnLNiip82
  • @troyhunt: “Free certificates has changed phishing economics: used to cost $70, now free/completely automatable
  • @RealGeneKim: #locomoco @troyhunt: “what do you do when Unicode can spoof domain names so easily: at least Chrome (unlike Firefox… https://t.co/3LEKzfXurZ
  • @troyhunt showing Facebook, eBay not using EV (Extended Validation): Twitter does: “absence of EV indica… https://t.co/LjK5OpgO4p
  • if I understood @troyhunt correctly, getting EV usually requires photo of person applying w/their passport, putatively incr cost/effort
  • @troyhunt on EV: “security controls that rely on ABSENCE of positive visual indicators don’t work”
  • @troyhunt: showing commercial using hackertyper.net: haha. Type type type, “access denied”, type type type, “access granted”
  • @troyhunt: “my point: how can we give ppl a way to distinguish real Netflix vs. phishing site; padlock/icons don’t work [EV]
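
The Pwned Passwords API mentioned above is built so that a signup form can reject breached passwords without sending the password (or even its full hash) to the service: the client hashes locally and sends only the first five hex characters of the SHA-1, then looks for its own suffix in the returned range. The following is an added example of that flow, my own code rather than Troy Hunt’s or the page’s; the endpoint URL and the `SUFFIX:COUNT` line format are the public API’s, while the User-Agent value, the offline stand-in fetcher and its breach counts are assumptions constructed for the example.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in known breaches; 0 if never.

    Only the 5-character hash prefix is handed to fetch_range, so neither the
    password nor its full hash leaves this process (the k-anonymity model).
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def is_acceptable(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Policy: any previously breached password is rejected outright."""
    return pwned_count(password, fetch_range) == 0


def fetch_range_http(prefix: str) -> str:
    """Live fetcher. The User-Agent string is an assumption for this example;
    the service expects some descriptive agent to be set."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "example-signup-check"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# --- Offline stand-in for the API, constructed for this example ---------------
# The breach counts are made up; only the hash arithmetic is real.
_CONSTRUCTED_BREACHED = {"password": 3645804, "letmein": 236529}


def fake_fetch_range(prefix: str) -> str:
    lines = [f"{sha1_hex(pw)[5:]}:{n}" for pw, n in _CONSTRUCTED_BREACHED.items()
             if sha1_hex(pw)[:5] == prefix]
    # Unrelated filler suffix (constructed) so a response is never empty.
    lines.append("0018A45C4D1DEF81644B54AB7F969B88D65:1")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        verdict = "ok" if is_acceptable(candidate, fake_fetch_range) else "rejected"
        print(candidate, "->", verdict)
```

Swapping `fake_fetch_range` for `fetch_range_http` is the only change needed to run it against the real service; keeping the fetcher injectable is also what makes the policy testable offline.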

Up: “How I Learnt To Stop Worrying & Play In The Sandbox”: Dr. Devdatta Akhawe, Dir Engr, Dropbox

  • @RealGeneKim: #locomoco: “Dropbox has one of the highest paying bug bounty programs in industry” https://t.co/m2DKVzVQ1l
  • @frgx: “Drupal has history of security issues; could we engineer a way to run this CMS securely? If we strip all sensitive cookies, put it in AWS VPC, etc? If it burned down, no real damage?”
  • @frgx: “50% of all Drupal vulns are [still] XSS; can see passwords, etc. that’s why $12K bounty for XSS at Dropbox
  • @frgx: “Easiest way to deal with Same Origin is create diff domain: but not great for SEO, not what biz wanted
  • @frgx: “The problem: can we serve a page that could have an XSS from www.dropbox.com?
  • @frgx: “CSP Sandbox is like IFrame sandbox
  • @frgx: I think he said, “of course, JavaScript in an IFrame can modify JavaScript anywhere on page” (maybe I knew that, but still startling)
  • @RealGeneKim: #locomoco: @frgx: “Use CSP Sandbox to run safely in IFrame” https://t.co/akkNzNtCMy
  • @frgx: “to see CSP Sandbox in action, see how we run Drupal safely at http://dropbox.com/enterprise” (demoing how they did it!)
  • @frgx: errors: can’t read cookies, can’t get sessionStorage; XMLHttpRequest stops working because cross-origin requests don’t work
  • @frgx: XMLHttpRequest: use withCredentials=True; server needs Access-Control-Allow-Origin:null for client to read response (no, bad idea! Destroys web security model completely)
  • @frgx: “then add CSRF token / secret implicitly”
  • Note to self: I need to update TweetScriber to handle 280 characters... 140 chars so much more difficult to write within!
  • next, had to change all document.cookie to XML XMLHttpRequest/set_cookie?name=a&Value=b; using JS setter/getter
  • @frgx: “somethings don’t work: YouTube embeds (YouTube wants a privileged IFrame), but video tag works fine”
  • @frgx: “You may think this was insane amount of work to get isolate Drupal, or any content. You are right. So I’m working on suborigins; no JS hacks needed”
  • @frgx: “I love Drupal and the impact it’s had on the world; but we use Adobe AEM, which has been rock solid”


Up: Mike Arpaia: Founder, Kolide.co; former Etsy, Facebook, created osquery project @mikearpaia: “Starting/growing/scaling your host intrusion detection”

  • osquery alternatives: sergeant, doorman, etc...
  • @RealGeneKim: #locomoco @mikearpaia showing some assumptions: startling that this is increasingly like most orgs these days, even… https://t.co/UfyJp7VqNM
  • @mikearpaia: “..when you’re in large org, you have days where you learn that you’re acquiring company next week, and they’re [crazy, out of control, need to be integrated] https://t.co/gba4NiRB9U
  • @mikearpaia: osquery introduction
  • @mikearpaia: “most MacOS malware uses launchd (pid 1) to persist; most monitor this”
  • @mikearpaia: “Chef, Munki, MDM
  • @mikearpaia: “Facebook runs CentOS for all production environments
  • @mikearpaia: Kolide uses GCP pub/sub; Facebook has Scribe; you may have Kafka: use it, these are awesome
  • @mikearpaia: “at facebook, goal was 100% production use of osquery: supervisor process strictly enforces CPU/memory/limits; laptops, too, b/c people hate their fan turning on” (ha!)
  • @mikearpaia: did he just say that /proc can be NFS mounted?!? And that Facebook does this in production?
  • @mikearpaia: ”and b/c my last employer acq companies that ran entirely on FreeBSD, we had to port everything to run on FreeBSD.” (Hahaha)
  • @mikearpaia: use labels to categorize: all MySQL hosts, all hosts that bind to a TCP port, org boundaries
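
Arpaia’s remark that launchd is the persistence mechanism most macOS malware uses, and therefore the one most teams monitor, is the kind of signal a scheduled osquery `launchd` query feeds into a pipeline. The block below is an added example of the consumer side, my own code rather than osquery’s or Kolide’s: it takes two snapshots of rows shaped like the `launchd` table (`path`, `label`, `program`, `program_arguments`, `run_at_load`), derives the added/removed rows the way osquery’s differential logging does, and triages the additions. The trusted-location prefixes, the label allowlist and the sample rows are assumptions constructed for the example.

```python
from typing import Dict, FrozenSet, Iterable, List, Tuple

Row = Dict[str, str]

# Where a launchd program is expected to live on a managed Mac. Assumed here;
# a real fleet would derive this from its software inventory (MDM, Munki
# manifests) rather than hard-code it.
TRUSTED_PROGRAM_PREFIXES = ("/System/Library/", "/usr/libexec/", "/usr/sbin/",
                            "/usr/bin/", "/Library/Apple/")
SCRATCH_LOCATIONS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def diff_snapshots(before: Iterable[Row], after: Iterable[Row]) -> Tuple[List[Row], List[Row]]:
    """Rows added and removed between two runs, keyed on the plist path
    (the same added/removed split osquery emits for differential queries)."""
    old = {r["path"]: r for r in before}
    new = {r["path"]: r for r in after}
    added = [new[p] for p in new if p not in old]
    removed = [old[p] for p in old if p not in new]
    return added, removed


def program_of(row: Row) -> str:
    """A launchd job sets either Program or the first element of ProgramArguments."""
    if row.get("program"):
        return row["program"]
    return row.get("program_arguments", "").split(" ", 1)[0]


def suspicion_reasons(row: Row) -> List[str]:
    """Heuristics an analyst would apply to a newly seen job; empty list = benign."""
    reasons: List[str] = []
    program = program_of(row)
    if row.get("run_at_load") == "1" and not program.startswith(TRUSTED_PROGRAM_PREFIXES):
        reasons.append(f"RunAtLoad job with program outside trusted locations: {program}")
    if program.startswith(SCRATCH_LOCATIONS):
        reasons.append(f"program lives in a scratch or shared directory: {program}")
    if any(part.startswith(".") for part in program.split("/")):
        reasons.append(f"program path contains a hidden directory: {program}")
    return reasons


def triage_new_persistence(before: Iterable[Row], after: Iterable[Row],
                           allowlisted_labels: FrozenSet[str] = frozenset()
                           ) -> List[Tuple[str, str, List[str]]]:
    """Return (label, plist path, reasons) for newly added jobs worth a look.
    Labels of sanctioned third-party software are skipped via the allowlist."""
    added, _ = diff_snapshots(before, after)
    findings = []
    for row in added:
        if row.get("label") in allowlisted_labels:
            continue
        reasons = suspicion_reasons(row)
        if reasons:
            findings.append((row.get("label", ""), row["path"], reasons))
    return findings


# Constructed sample rows, shaped like
# SELECT path, label, program, program_arguments, run_at_load FROM launchd;
SNAPSHOT_T0: List[Row] = [
    {"path": "/System/Library/LaunchDaemons/ssh.plist", "label": "com.openssh.sshd",
     "program": "/usr/sbin/sshd", "program_arguments": "/usr/sbin/sshd -i", "run_at_load": "0"},
]
SNAPSHOT_T1: List[Row] = SNAPSHOT_T0 + [
    # Sanctioned third-party updater: outside Apple paths, so it is allowlisted by label.
    {"path": "/Library/LaunchAgents/com.example.updater.plist", "label": "com.example.updater",
     "program": "", "program_arguments": "/Library/Example/updater --check", "run_at_load": "1"},
    # Apple-looking label whose binary hides under /Users/Shared (constructed, not a real sample).
    {"path": "/Library/LaunchDaemons/com.apple.softwareupdated.plist",
     "label": "com.apple.softwareupdated",
     "program": "/Users/Shared/.cache/softwareupdated", "program_arguments": "", "run_at_load": "1"},
]

if __name__ == "__main__":
    for label, path, reasons in triage_new_persistence(SNAPSHOT_T0, SNAPSHOT_T1,
                                                       frozenset({"com.example.updater"})):
        print(label, path)
        for r in reasons:
            print("   -", r)
```

The label allowlist is where the “labels” idea from the talk does its work: without it the sanctioned updater trips the trusted-location rule, which is exactly the false-positive noise that makes teams stop reading alerts.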

Up: Dr.Ing. Mario Heiderich: “XSS is Dead! We Just Don’t Get It”

  • Act 1-4: onboarding, historic overview, problem statement, solutions
  • Heiderich: 4 types of XSS: reflected, persistent, DOM-based, Mutation XSS
  • Heiderich: “First XSS was in 1999; Microsoft coined the term Cross-Site Scripting; here were the other terms that they considered.. I like ‘fraudulent scripting’” https://t.co/FcGRtH95XE
  • “Problem: Acronym of Cross-Site Scripting is CSS, so thus XSS was born” https://twitter.com/RealGeneKim/status/982044355446784000/photo/1
  • Heiderich: “Tools we have: content transformation (escape before process, encode before output)
  • Heiderich: “Content restriction: like restricted frames”
  • Heiderich: “First XSS Worm: 2002: Advogado; 2005: ??”; Google ‘The Cross Site Scripting Virus’” (despite escaping/encoding/restricted IFrame)
  • Heiderich: “Emerge the sanitizer: HTML Purifier, AntiSamy; htmLawed; Washtml; Kessi; SafeHTML; Google Caja; DOMPurify”
  • @RealGeneKim: #Locomoco @KseniaDmitrieva: “React escapes HTML code, helping prevent XSS: req using dangerouslySetInnerHTML (Angular orig called it TrustAs

  • Heiderich: “Content sanitization: tell the bad apart from the good”

  • Heiderich: “2008: 1930 academic papers published on XSS

  • Heiderich: “My fave XSS vuln: in the Adobe PDF plug-in, one could put JavaScript into any URL pointing to PDF file; for a long time, Adobe’s only recommended countermeasure: ‘don’t host PDF files’ on your website” https://t.co/fJuTcdAljB

- Heiderich: “we’re now 20 years after first XSS; why?
- Heiderich: “We just forgot to escape one time; this is a legacy system, the new one is safe; we can’t afford to add security right now; our custom code is faster than any other framework; our advertisers don’t like CSP; the dev who wrote this now sells used cars”
- Heiderich: “We have excuses; or we delegate guilt or responsibility;
- Heiderich: “The fish rots from the head down
- Heiderich: “If XSS got solved, who here would suffer financially?”
- Heiderich: “What do we do now? 19,500 academic papers in 2017; how about punishment? Gratification (praise)?
- Heiderich: “Let’s start tracking who introduced security bug? Who reviewed/green-lit it? How about “fix of month” award? Sustainability instead of complexity?
- Heiderich: “Let’s start with us: fix ourselves first, then others
- Heiderich: “Let’s stop with the bug fetish; we praise bug hunters like Spectre/Meltdown, but ignore people do necessary dirty work afterwards”

Up: Ksenia Dmitrieva: Sr Research Lead, Synopsys, PhD candidate GWU: @KseniaDmitrieva

  • @KseniaDmitrieva: “agenda: state of JavaScript today, common JS vulns, frameworks, React vulns/quirks, demos
  • @KseniaDmitrieva: “Frameworks: as security person, it is helpful, even necessary, that you know the framework, know the idioms, etc.” (not just devs!)
  • @KseniaDmitrieva: https://twitter.com/RealGeneKim/status/982062223307583488
  • #locomoco: @KseniaDmitrieva: “server-side JS (eg, NPM) less exciting, because it’s almost the same as most other languages.” https://twitter.com/RealGeneKim/status/982062223307583488/photo/1
  • #locomoco @KseniaDmitrieva: client side JavaScript concerns: oof. I have new appreciation of amazingness of JavaScript, b/c of TypeScript and ClojureScript… But, wow, lots of inherent baggage comes with it… https://twitter.com/RealGeneKim/status/982061987893936130/photo/1
- @KseniaDmitrieva: “Why React? By far the top UI framework, as measured by npm downloads” (React on top, next Angular and new Vue) https://t.co/ikkZLDeNE0
- @KseniaDmitrieva: “Another possible reason for React popularity: Angular 2 not backward compatible; 2 years from announce to release
- @KseniaDmitrieva: “React automatically escapes HTML code, helping prevent XSS: req using dangerouslySetInnerHTML
- @KseniaDmitrieva: “React does not have an expression language, so no expression injection; has components
- @KseniaDmitrieva showing injecting JS via URL field in form
- @KseniaDmitrieva: Markdown/Showdown; solution: sanitize Markdown with DOMPurify; love this demo of showing injecting alert() into tag
- @KseniaDmitrieva: “the problem is that the Showdown library doesn’t purify the untrusted Markdown”: use DOMPurify on generated HTML
- @KseniaDmitrieva: commonmark.js; https://github.com/commonmark/CommonMark
- @KseniaDmitrieva: server side rendering: problem was the client loading got longer and longer; so
- @RealGeneKim: #locomoco @KseniaDmitrieva is showing this example of injecting JS into server side script React, causing lots of d… https://t.co/R4Q2P26YhZ
- Interesting observing what editors/IDEs are being used here at #locomoco. Lots of Sublime, Atom. Want to show off Visual Studio Code and IntelliJ. :)
- @KseniaDmitrieva: Use of eval in JavaScript deserialization:
- @KseniaDmitrieva: Don’t use GET to change state; use POST (which doesn’t disclose cookies, doesn’t reveal data to proxies)
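
Two talks above converge on the same point: Heiderich’s list of sanitizers (HTML Purifier, AntiSamy, DOMPurify and friends) exists because escaping alone cannot help once the application has to render markup, and Dmitrieva’s Showdown demo is the concrete case: Markdown is turned into HTML and that HTML must be sanitized before it is injected. The block below is an added example of what such a sanitizer does, my own stdlib-only code rather than DOMPurify or any of the libraries named: an allow-list over tags and attributes, with `href` values restricted to safe schemes, run over the HTML a Markdown renderer could have produced. The allow-lists and the sample fragment are constructed for the example.

```python
import html
from html.parser import HTMLParser
from typing import List, Optional

# Allow-lists: anything not named here is dropped, which is the only safe default.
ALLOWED_TAGS = {"p", "br", "strong", "em", "code", "pre", "ul", "ol", "li",
                "a", "blockquote", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
# Elements whose *content* must vanish too, not just the tags around it.
CONTENT_DROPPED = {"script", "style", "iframe", "object", "embed"}


def safe_url(url: str) -> Optional[str]:
    """Return the URL if its scheme is acceptable, else None.
    Whitespace and control characters are stripped first because browsers
    ignore them when recognising a scheme (so 'java\\tscript:' is still javascript:)."""
    cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    lowered = cleaned.lower()
    if lowered.startswith(("http://", "https://", "mailto:")):
        return cleaned
    if cleaned.startswith("#") or (cleaned.startswith("/") and not cleaned.startswith("//")):
        return cleaned  # same-site relative links
    return None


class _Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.open_tags: List[str] = []
        self.skip_depth = 0  # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in CONTENT_DROPPED:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # this is where onerror=, onclick=, style= disappear
            if name == "href":
                value = safe_url(value)
                if value is None:
                    continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in CONTENT_DROPPED:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:  # close anything left open inside, in order
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # text is re-escaped on output

    def handle_comment(self, data):
        pass  # comments are dropped (conditional comments were an old IE vector)

    def result(self) -> str:
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment: str) -> str:
    """Rebuild the fragment from allowed tags/attributes only."""
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


# Constructed sample: HTML as a Markdown renderer might emit it from untrusted input.
SAMPLE_RENDERED_HTML = (
    '<p>Hello <strong>world</strong> <a href="javascript:alert(1)">click</a></p>'
    '<img src=x onerror="alert(1)">'
    '<script>alert(document.cookie)</script>'
    '<p onclick="steal()">Visit <a href="https://example.com" title="ok">example</a> &lt;not a tag&gt;</p>'
)

if __name__ == "__main__":
    print(sanitize_html(SAMPLE_RENDERED_HTML))
```

The design point is the one Dmitrieva’s React remark makes from the other side: React escapes by default, so plain values are safe; the sanitizer is only for the path where the application has decided it must render markup (`dangerouslySetInnerHTML` and its equivalents), and it runs on the rendered HTML, not on the Markdown source, because the renderer is what decides what the browser finally sees.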

Up: Kevin Gosschalk: “How bots decide what you can buy and how much you’ll pay”

  • Kevin Gosschalk is CEO of FunCaptcha.
  • Gosschalk: “Now, airlines very price sensitive; airfares going up, lots of special deals”
  • @RealGeneKim: #locomoco Gosschalk: “this is what flying airlines used to look like, circa 1970-1972” https://t.co/atQToJdLLj
  • Gosschalk: “Hackers are now working w/competitive airlines and airfare aggregators; limits ppl to buy cheap seats
  • Gosschalk: “HK Express: their seats were vanishing: bots bought/blocked seats for humans to drive up price
  • Gosschalk: “Bot reserves seat; uses payments; uses invalid credit card or PayPal, holding transaction; human can’t buy seat
  • Gosschalk: “Currently, 100Ks of bots doing this every second; able to bypass typical bot defenses (captchas); all seats for 7 days blocked
  • Gosschalk: “Attackers using unique IP address, never re-using; often using IoT devices (lightbulbs); lightbulbs attacking airlines
  • Gosschalk: “Typical defense fingerprints (time zone, # browser plugins, touch support, fonts installed, WebGL, audio support): all these are being spoofed/overridden
  • Gosschalk: “Attackers using Chromium, PhantomJS, custom browsers to override user agent, defeating fingerprinting
  • Gosschalk: “Hacker News article on defeating fingerprinting
  • Gosschalk: “Chromium is better than PhantomJS for attacking, b/c it doesn’t have quirks, is based on Chrome
  • Gosschalk: “Google released SafetyNet to validate that Android client was real; but that’s been recompiled to successfully spoof
  • Gosschalk: “OCR technology: Google found that it can solve 99% of their most difficult reCAPTCHA; now 33% of humans get them wrong” (!!)
  • Gosschalk: “We used Amazon Rekognition to defeat Google reCAPTCHA” “XEvil is Russian prod to break CAPTCHA, we bought it
  • Gosschalk: “We found XEvil has a 95% solve rate for reCAPTCHA, no network connection needed ” (showing video of it running)
  • Gosschalk: “Bots causing airline sellout conditions in 3m, which normally would be 6h; $900 Ticket Bot buys up tickets for you: http://ticketbots.net
  • Gosschalk: “Next up: gift cards, eCommerce”
  • Gosschalk: showing bot that brute forces gift card #s;
  • Gosschalk: “Sneaker Bot: Yeezy Mafia: cheat to get shoes; ‘don’t pay shoes from inflated resellers; AIO Bot
  • Gosschalk: “Pokemon Go Bot; trusts client side info: GPS, etc. unlike MMO, which never trusts client; 300+ contributors
  • Gosschalk: blowing my mind:
  • Gosschalk: “Deceased Voting: everyone who dies is in govt database along w/their SSN; can spoof their votes” (Equifax)
  • Gosschalk: “In US Net Neutrality comment period, many people found dead relatives writing letters in favor/against proposed regulation
  • Gosschalk: “For ticketor/retailer, sometimes not motivated to solve bot problem (it’s still revenue); airline/gift card, it’s stolen revenue
  • Gosschalk: “Countermeasures: focus on things bot can’t fake: PayPal ID, limit holds by account type, limit concurrent sessions by IP
  • Gosschalk: @kgosschalk
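
Gosschalk’s seat-blocking pattern (reserve, pay with an invalid card or a held PayPal transaction, keep the seat out of reach) and his countermeasures (limit holds by account type, limit concurrent sessions by IP, lean on things a bot cannot fake) fit into one small piece of server-side logic. The block below is an added example of that logic, my own design rather than FunCaptcha’s or any airline’s: unpaid holds count against per-account and per-IP limits and are released on a declined payment or after a timeout, so a bot parking seats behind bogus payments loses them while a paying customer keeps theirs. The thresholds, account types and the sample traffic are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed policy values (assumptions, not from the talk).
MAX_UNPAID_HOLDS_BY_ACCOUNT_TYPE = {"guest": 1, "email_verified": 2, "payment_verified": 4}
MAX_DISTINCT_ACCOUNTS_PER_IP = 3     # concurrent-session limit per source address
HOLD_TTL_SECONDS = 600.0             # an unpaid hold older than this is released


@dataclass
class Hold:
    seat: str
    account_id: str
    ip: str
    created_at: float
    paid: bool = False


class HoldLimiter:
    """Tracks seat holds and enforces the hold/session limits."""

    def __init__(self) -> None:
        self.holds: Dict[str, Hold] = {}  # seat -> hold, insertion ordered

    def expire(self, now: float) -> List[str]:
        """Release unpaid holds past the TTL; returns the seats released."""
        released = [seat for seat, h in self.holds.items()
                    if not h.paid and now - h.created_at > HOLD_TTL_SECONDS]
        for seat in released:
            del self.holds[seat]
        return released

    def try_hold(self, seat: str, account_id: str, account_type: str,
                 ip: str, now: float) -> Tuple[bool, str]:
        """Attempt to hold a seat; returns (granted, reason)."""
        self.expire(now)
        if seat in self.holds:
            return False, "seat already held"
        active = list(self.holds.values())
        unpaid_for_account = sum(1 for h in active
                                 if h.account_id == account_id and not h.paid)
        if unpaid_for_account >= MAX_UNPAID_HOLDS_BY_ACCOUNT_TYPE.get(account_type, 0):
            return False, "account hold limit"
        # Distinct accounts currently holding from this IP: many accounts behind
        # one address is the scripted pattern, one account with several seats is not.
        accounts_on_ip = {h.account_id for h in active if h.ip == ip}
        if account_id not in accounts_on_ip and len(accounts_on_ip) >= MAX_DISTINCT_ACCOUNTS_PER_IP:
            return False, "ip session limit"
        self.holds[seat] = Hold(seat, account_id, ip, now)
        return True, "held"

    def confirm_payment(self, seat: str, payment_ok: bool) -> bool:
        """Payment outcome from the processor: a decline releases the seat at once."""
        hold = self.holds.get(seat)
        if hold is None:
            return False
        if not payment_ok:
            del self.holds[seat]
            return False
        hold.paid = True
        return True


if __name__ == "__main__":
    # Constructed traffic: four guest accounts from one address racing for seats.
    limiter = HoldLimiter()
    for n, seat in enumerate(("12A", "12B", "12C", "12D"), start=1):
        print(seat, limiter.try_hold(seat, f"guest{n}", "guest", "203.0.113.7", float(n)))
    print("declined 12A ->", limiter.confirm_payment("12A", False))
    print("released after TTL:", limiter.expire(5000.0))
```

Note what the limiter does not rely on: nothing in it is a browser fingerprint, which the talk shows is spoofed wholesale; the counted things (a payment outcome, an account’s verification level, the address a session actually arrives from) are the ones a bot farm has to spend real resources to fake.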

TODO:

  • when using in split screen mode on ipad: header should be hamburgered: make all the choices go away: take notes, view scribes, test, logout; leave Socket/Session there
  • split screen: gutters too big: should be no gutter
  • Add TwitterJS to render t.co links!!!
  • when pulling or display tweet, get the full length tweet that is not truncated:

```
- @RealGeneKim: #locomoco @KseniaDmitrieva is showing this example of injecting JS into server side script React, causing lots of d… https://t.co/R4Q2P26YhZ

```