The Hardcore Shit I Hack
www.vantagepoint.sg | office@vantagepoint.sg
• Hi everyone, my name is Paul Craig.
• My entire career has been hacking.
• Originally from New Zealand
• Stolen three times the net worth of Bill Gates.
• Now I lead the penetration testing team at Vantage Point.
• Boutique Singaporean Security Consultancy
• Strongest technical team in Singapore!
• We have published works, referenced research, accolades, hall-of-fame entries and appearances on SG TV/radio.
• Hackers who are passionate about hacking.
You told me you wanted hard-core hacking…
Today I want to share my most memorable jobs.
• Some are simple, some are hard-core.
• Some are subtle tweaks that produce real money.
• Some just took balls of steel….
• We break things at VP.
“We hack everything with a flashing light”
• A level above most “pen-testing” companies.
• We tackle jobs most companies shy away from.
• ATMs, Wireless, Reverse Engineering, Hardware, Software,
Mobile.
• Bleeding Edge technology
• FIPS3 Military compliant solutions.
• Polymorphic, cryptographically secure, virtualized..
I started pen-testing at 22; boy, was my job stressful.

• For the last three years the client has been developing a new “secure” banking application.
• Development team with 10+ years of experience.
• Developers size me up.
• They have spent 3 years making sure I fail today.
• I have one week to prove myself: win, defeat the product.
• No one thinks I will accomplish anything.
“If your enemy is secure at all points, be prepared for him.”
• First, understand implicitly how the technology works.
• I go very quiet… and I just play.
• Click, click, click, watch.
• Commit the technology to memory.
• Understand the risk profile:
• “What am I not allowed to do?”
• “What do you care most about?”
• Understand the developers and how they work.
Hacking gets personal, fast.
• Developer 1 wrote this, Developer 2 wrote that..
• Profile one:
• 10-year coding veteran
• Old-school Java developer
• No knowledge of new technology
• “Phones call people”
• Profile two:
• 3 years professional experience
• Understands modern security threats
• Lacks experience
• Understand the development style.
• Consistency:
• Do Developer 1 and Developer 2 write code the same way?
• Work out who wrote what.
• Standardised:
• Do they follow security guidelines?
• Are these guidelines up to date?

• Developers are the key.
• People make vulnerabilities, not code.
• People are very predictable…
• Vulnerabilities occur in knowledge or skill gaps.
• These gaps often stem from education and culture.
• Developers from China make different mistakes to those from India.
• Two developers from India make similar mistakes.
• Similar education, similar experience, similar mistakes.
Knowing is power.
Once you understand
• How the Technology works.
• How the Environment works.
• How the Developers work.
• You can hack anything, really, anything.
Mobile Applications
• Mobile has changed everything.
• Mobile apps are fundamentally different from web applications.
• Different risks, attack vectors and concerns.
• Web and mobile may look similar; they are worlds apart.
Application Programming Interfaces (APIs)
• Developers who wrote APIs in the past placed more trust in requests sent from web servers.
• They didn’t need to perform much validation or security.
• APIs now communicate directly with phones.
• A phone is an untrusted client: anything it sends can be captured, replayed or rewritten by whoever holds the device.
Web App Developers are now Mobile Developers
• In 2007, the job title “mobile app developer” didn’t exist. In 2012, there are approximately 466,000 jobs in the growing “app economy” in the United States alone.
• Mobile Application Developer named “Best Computer Job For The Future”.
• The job market for mobile application developers is expected to skyrocket by 32% from 2010 through 2020, creating close to 300,000 new positions and heralding one of the decade’s largest increases for any occupation.
• Web application developers just started coding mobile.
• More work, better pay.
• They don’t go back to school to learn mobile development.
• Mobile applications are developed like web applications.
• Testing mobile communications.
• VP laptop creates an access point.
• Mobile device VPNs to the VP laptop via WiFi.
• Laptop bridges the WiFi VPN to eth0.
• iptables PREROUTING NAT redirects requests to a proxy listening on port 8080 on the laptop (192.168.1.1 on the slide):
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 443 -j REDIRECT --to-ports 8080
• REDIRECT rewrites the destination to the local address of the interface the packet arrived on, so the rule carries no target IP. The proxy must accept transparent (non-CONNECT) connections, and for port 443 the proxy’s CA must be trusted on the device or the app’s TLS handshake fails before any request is seen.
• Developers don’t seem to take mobile application security seriously.
• Usernames and passwords stored in text files (plist).
• Encryption keys kept in local databases.
• Hard-coded passwords kept in binaries.
• Lazy, sloppy, very hackable.
• At best a developer will use the Apple Keychain, albeit badly..
CFTypeRef kSecAttrAccessibleWhenUnlocked;
CFTypeRef kSecAttrAccessibleAfterFirstUnlock;
CFTypeRef kSecAttrAccessibleAlways;
CFTypeRef kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
CFTypeRef kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly;
CFTypeRef kSecAttrAccessibleAlwaysThisDeviceOnly;
• The slide flags two entries: the most permissive option, kSecAttrAccessibleAlways (readable whenever the device is powered on, locked or not, and carried in backups that can be restored to another device; deprecated since iOS 12), and the option most developers pick.
• The ThisDeviceOnly variants bind the item to the device; WhenUnlocked is the strictest of the non-device-bound attributes.
Developers think you can’t change what is on the screen.
• Drop-down menu: how many options do you see?
• A: Five? B: One? C: Options? Hackers don’t care about options!
• Change the submitted value to any customer ID.
• Direct Object Reference.
• 1-200 = all customers.
“Really? Really?? Can’t you just play a little hard to get?”
Symmetric vs. Asymmetric Cryptography
• Developers like to use cryptography as a method of keeping secrets safe.
• Cryptography is often implemented incorrectly.
• Often it’s the only security implemented.
• This developer has made it hard! Encryption!
Mobile Technology Supports Asymmetric and Symmetric Cryptography
• When using symmetric algorithms, both parties share the same key for encryption and decryption.
• Asymmetric algorithms use pairs of keys. One is used for encryption and the other one for decryption.
• Developers in this case used symmetric cryptography: AES-128 encrypted using CCCrypt and a pre-shared key.
• A pre-shared key inside a shipped app is a key the attacker holds too; it only has to be pulled out of the binary. Thx for the AES key..
Encryption Used Foolishly
/process = Process Payment
• GET /process?=F5D82E4AD10287EF71B27C28D881FEA
• GET /process?=16A5CDE830F0638E530C8912F6231A
• GET /process?=EF5A98230FE152E6348D671A728C0320F
Decrypted with the recovered key:
GET /process?s=5191&t=2&a=100
s = UserID
t = Transaction Type
a = Amount to Transfer
GET /process?s=5190&t=2&a=100
User 5190 just purchased $100.
GET /process?s=5191&t=2&a=-100
User 5191 just purchased -$100 worth..
Double negative = positive.. Account credited.

Hi Singapore!
I'm in your banks,
stealing your cash...
谢谢 (thank you)
Paul
Mobile API End Points
There is a huge list of crazy things we see:
CreateMoney(“ToAccount”, “Amount”) – You are kidding me, right?
• Extra API function left over from the testing period.
• Migrated to production. I’M RICH!!!
ExportSales(“AccountID”, ”format”)
ExportSales(“00001”, ”csv”)
ExportSales(“00002”, ”csv”)
ExportSales(“00003”, ”csv”) …
ResetPassword(“username”, “newpassword”)
You probably know this App!
• Popular apps are still written by developers.
• Developers make the same mistakes, world-wide.
• “Status: Hacked by Vantage Point”
• Web Applications
• I have 15+ years of hacking web applications.
• As with mobile applications, the exploits are many.
• Stealing money / access / information.
• Web is now mature; most developers know our tricks.
• OWASP, PCI DSS, MAS TRM.
• Web applications used to take minutes to hack.
• Now they can take hours, even days in some cases.
• Our setup:
• Web application – Burp – Internet
• Intercept and modify the traffic.
• HSTS: HTTP Strict Transport Security.
• Certificate is not trusted? Thou shall not pass! Under HSTS the browser refuses a connection with an untrusted certificate outright, with no click-through warning.
• No traffic intercept.
Install the Burp Proxy certificate on the laptop
• Burp’s CA is now a trusted CA on the laptop, so the per-host certificates it generates pass the HSTS check.
• Now we see data, right?
End-To-End Encryption for FIs
• Part of the MAS TRM is that all FIs should implement application-layer end-to-end encryption.
5.5.2 E2E encryption is required for online financial services, whether the systems are managed by the FI or outsourced to intra-group or third party service providers. Sensitive information such as customer PINs and passwords should be protected with E2E encryption.
• JavaScript in the browser encrypts all POST values.
• Designed for only “sensitive information”.
• Most developers simply encrypt everything.
• Using asymmetric encryption (private / public keys).
• Another hoop we must jump through 9am Monday morning.
They love to make it harder…
• We must now replace the public key during the crypto initiation.
• Decrypt subsequent data with our own matching private key.
• The browser has no way to verify the key it is handed, since it arrives over the same connection the proxy already controls; once the edited request is re-encrypted to the real public key, the server sees nothing unusual.
Security Stops when Developers Feel Safe.
And we Find Amazing Vulnerabilities!
• Control every aspect of an application.
• Steal billions of dollars!!!
• Thousands of Cross Site Scripting (over 6000)
• Hundreds of SQL Injection (over 200)
• E2E encryption actually lowers the security posture.
My most satisfying job was a Web Application.
• Insurance company in NZ
• Remote penetration test of the environment
• Discovered the HR/payroll system is exposed
• SQL Injection in the Authentication
• Very simple bug, easily exploited.
• It took seconds.
• Once inside I called the client.
• One problem, he didn’t believe me.
Pffttt.. Mobile is not hard core Paul.
I thought you were hard core, wtf do you got?
How about an ATM ?
The Job: Test if you can hack an ATM
Attack Vector:
• Service maintenance staff install a Trojan on the ATM.
• Attacker gains physical access to the ATM computer & installs Trojan.
• Platform:
• Hardened Windows 7 – already logged on.
• Running full screen ATM Software
• New USB devices disabled
• Running McAfee Solidcore (McAfee Application Control)
• File system filter driver – Ring 0 (Swin).
• All binaries on the system are white-listed.
• Once locked down, only white-listed binaries can run.
• Even if you get access to the ATM, you can’t run anything.
• You can copy your Trojan to the ATM; you cannot run it.
McAfee Task Scheduler.
• C:/users/all users/McAfee/Scheduler
• Scheduling files for automated tasks.
• “Run this command”
• “Unlock / Relock the System”
• Custom “INI” style files.
• Writable by all users.
• The control that blocks unapproved binaries is driven by files any user can edit, so whoever can write there can hand the agent a command to run or an unlock. The check worth making on any whitelisting deployment: are the files the agent reads as configuration or task input writable below the agent’s own privilege?
Mass Pwnage – Hacking Indonesia
• Our Indonesian neighbours need some help.
• Engaged to pen-test a local bank in Jakarta.
• “Anything goes” penetration test.
• Internal / external network
• Wireless
• ATMs
• Physical, social, anything.
• No firewalls within the network.
• Desktop users can talk to anything / everything.
• Including other offices, servers, even the ATMs!
• Windows 2000 and XP still in use.
• Wireless only for executives.
• WEP security, only accessible from the 6th floor.
• Employees relatively annoyed by this.
• No reception at the kopitiam!
• Installed their own access point with a big antenna.
• Soto Betawi & wireless.
• I wanted impact, so we sat outside at the kopitiam.
• Dressed very formally at the roadside on the little chairs.
• Everyone stared at us.
• My colleague busted the WEP in minutes.
• We had an internal IP address.
• Nmap for servers, services, devices.
• NBT (NetBIOS) names began to appear:
• MailServer, ProxyServer, ATM21, ATM11..
• “The ATM, we must hack the ATM”
• “We are not the first people here.”
• ATMs were already running Russian malware.
• Sending information out to a host in Russia.
• Dang, that’s a first….
• We continued hacking for two weeks:
• Domain Administrator
• root@ on all servers (shared SSH keys)
• Payroll, Audit, Commercial Banking, Retail Banking
• All ATMs
• Routers
• All common passwords on all servers:
• “12345password”, ‘bankname’, ‘password’, ‘passw0rd’
In Conclusion: We hack way too many things!
• At Vantage Point we live IT security; it is our passion.
• I could spend hours talking about hacking.
• It’s a passion, and we take it very seriously.
• We don’t just run 10 tools and ‘scan’ technology.
• We hack, using the most powerful tool – our minds.
If you also feel the same way, we are always hiring.
paul@vantagepoint.sg
Thank you
Paul @ vantagepoint.sg
Are there any questions ?

VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"DianaGray10
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 

Recently uploaded (20)

UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
The Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementThe Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API Management
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 

The hardcore stuff i hack, experiences from past VAPT assignments

Slide 1: The Hardcore Shit I Hack
www.vantagepoint.sg | office@vantagepoint.sg

Slide 2:
• Hi everyone, my name is Paul Craig.
• My entire career has been hacking.
• Originally from New Zealand.
• Stolen three times the net worth of Bill Gates.
• Now I lead the penetration testing team at Vantage Point.
• Boutique Singaporean security consultancy.
• Strongest technical team in Singapore!
• We have published works, referenced research, accolades, halls of fame, and appearances on SG TV/radio.
• Hackers who are passionate about hacking.

Slide 3: You told me you wanted hard-core hacking…
Today I want to share my most memorable jobs.
• Some are simple, some are hard-core.
• Some are subtle tweaks that produce real money.
• Some just took balls of steel….

Slide 4:
• We break things at VP. "We hack everything with a flashing light."
• A level above most "pen-testing" companies.
• We tackle jobs most companies shy away from.
• ATMs, wireless, reverse engineering, hardware, software, mobile.
• Bleeding-edge technology.
• FIPS3 military-compliant solutions.
• Polymorphic, cryptographically secure, virtualized..
I started pen-testing at 22; boy, was my job stressful.

Slide 5:
• For the last three years the client has been developing a new "secure" banking application.
• Development team with 10+ years of experience.
• The developers size me up..
• They have spent 3 years making sure I fail today.
• I have 1 week to prove myself, win, defeat the product.
• No one thinks I will accomplish anything.

Slide 6: "If your enemy is secure at all points, be prepared for him."
• First, understand thoroughly how the technology works.
• I go very quiet… and I just play.
• Click, click, click, watch.
• Commit the technology to memory.
• Understand the risk profile: "what am I not allowed to do?", "what do you care most about?"
• Understand the developers and how they work.

Slide 7: Hacking gets personal, fast.
• Developer 1 wrote this, Developer 2 wrote that..
• Developer 1: 10-year coding veteran. Old-school Java developer. No knowledge of new technology. "Phones call people."
• Developer 2: 3 years of professional experience. Understands modern security threats. Lacks experience.

Slide 8:
• Understand the development style.
• Consistency: do Developer 1 and Developer 2 write code the same way? Work out who wrote what.
• Standardised: do they follow security guidelines? Are those guidelines up to date?

Slide 9:
• Developers are the key.
• People make vulnerabilities, not code.
• People are very predictable…
• Vulnerabilities occur in knowledge or skill gaps.
• These gaps often stem from education and culture.
• Developers from China make different mistakes to those from India.
• Two developers from India make similar mistakes.
• Similar education, similar experience, similar mistakes.

Slide 10: Knowing is power.
Once you understand
• how the technology works,
• how the environment works,
• how the developers work,
you can hack anything, really, anything.
Slide 11: Mobile Applications
• Mobile has changed everything..
• Mobile apps are fundamentally different from web applications.
• Different risks, attack vectors and concerns.
• Web and mobile may look similar. They are worlds apart.

Slide 12: Application Programming Interfaces (APIs)
• Developers who wrote APIs in the past placed more trust in requests, because those requests came from their own web servers.
• They didn't need to perform much validation or security.
• APIs now communicate directly with phones, that is, with code the attacker controls.

Slide 13: Web App Developers are now Mobile Developers
• In 2007, the job title "mobile app developer" didn't exist. In 2012, there are approximately 466,000 jobs in the growing "app economy" in the United States alone.
• Mobile Application Developer named "Best Computer Job For The Future".
• The job market for mobile application developers is expected to skyrocket by 32% from 2010 through 2020, creating close to 300,000 new positions and heralding one of the decade's largest increases for any occupation.
• Web application developers just started coding mobile. More work, better pay.
• They don't go back to school to learn mobile development.
• Mobile applications are developed like web applications.

Slide 14: Testing Mobile Communications
• The VP laptop creates an access point.
• The mobile device VPNs to the VP laptop over Wi-Fi (the tunnel comes up as ppp0).
• The laptop bridges the Wi-Fi VPN to eth0.
• iptables PREROUTING NAT redirects the phone's web requests to a proxy (Burp on port 8080 of the laptop, 192.168.1.1):
    iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
    iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 443 -j REDIRECT --to-ports 8080
  REDIRECT takes only a port. Because the phone sends ordinary, not proxy-style, requests, Burp has to listen in its invisible (transparent) mode, and the phone must trust the proxy's CA before the redirected 443 traffic yields plaintext.

Slide 15:
• Developers don't seem to take mobile application security seriously.
• Usernames and passwords stored in text files (plist).
• Encryption keys kept in local databases.
• Hard-coded passwords kept in binaries.
• Lazy, sloppy, very hackable.
• At best a developer will use the Apple Keychain, albeit badly. The accessibility options are:
    kSecAttrAccessibleWhenUnlocked
    kSecAttrAccessibleAfterFirstUnlock
    kSecAttrAccessibleAlways   (most permissive option, and the one most developers pick; deprecated since iOS 12)
    kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    kSecAttrAccessibleAlwaysThisDeviceOnly

Slide 16: Developers think you can't change what is on the screen.
• Drop-down menu: how many options do you see? A: Five? B: One? C: Options?
• Hackers don't care about options!
• Change the submitted value to any customer ID: an insecure direct object reference. IDs 1-200 = all customers.
• "Really? Really?? Can't you just play a little hard to get?"

Slide 17: Symmetric vs. Asymmetric Cryptography
• Developers like to use cryptography as a method of keeping secrets safe.
• Cryptography is often implemented incorrectly.
• Often it's the only security implemented.
• This developer has made it hard! Encryption!

Slide 18: Mobile Technology Supports Asymmetric and Symmetric Cryptography
• With symmetric algorithms, both parties share the same key for encryption and decryption.
• Asymmetric algorithms use pairs of keys: one is used for encryption and the other for decryption.
• The developers in this case used symmetric cryptography: AES-128 via CCCrypt with a pre-shared key, which therefore ships inside the app.
• Thanks for the AES key..

Slide 19: Encryption Used Foolishly
• /process = Process Payment. What the wire shows:
    GET /process?=F5D82E4AD10287EF71B27C28D881FEA
    GET /process?=16A5CDE830F0638E530C8912F6231A
    GET /process?=EF5A98230FE152E6348D671A728C0320F
• Decrypted with the app's key: GET /process?s=5191&t=2&a=100, where s = user ID, t = transaction type, a = amount.
• GET /process?s=5190&t=2&a=100: user 5190 just purchased $100.
• GET /process?s=5191&t=2&a=-100: user 5191 just purchased -$100 worth.. A negative purchase is a credit, so the account is credited.
• Hi Singapore! I'm in your banks, stealing your cash... 谢谢, Paul

Slide 20: Mobile API End Points
There is a huge list of crazy things we see:
• CreateMoney("ToAccount", "Amount"): you are kidding me, right? An extra API function left over from the testing period, migrated to production. I'M RICH!!!
• ExportSales("AccountID", "format"): ExportSales("00001", "csv"), ExportSales("00002", "csv"), ExportSales("00003", "csv") … any account, no ownership check.
• ResetPassword("username", "newpassword")
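The server-side half that slides 16, 19 and 20 leave implicit, as an added example of mine rather than code from the talk or from any client: the handler receives the decrypted /process query from the phone, and because the app (and so the attacker) holds the AES key, encryption of the query string is not authorisation. The trusting handler is shown beside one that takes the acting user from the session and validates the amount. The ledger, the user IDs and the meaning of t=2 are constructed for the demo.

```python
"""Added example, not the talk's or any client's code: server-side handling
of the decrypted /process query from slides 16, 19 and 20.  Encrypting the
query string is not authorisation, because the app (and so the attacker)
holds the AES key.  Ledger, user IDs and the meaning of t=2 are constructed."""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

PURCHASE = "2"                       # constructed: t=2 means 'purchase'


class Rejected(Exception):
    """Raised by the hardened handler instead of touching the ledger."""


def fresh_ledger() -> dict:
    """Constructed sample balances, user id -> balance."""
    return {5190: Decimal("500.00"), 5191: Decimal("20.00")}


def process_vulnerable(ledger: dict, query: str) -> Decimal:
    """Trusts every decrypted field.  s picks any customer (IDOR) and a
    negative a turns a purchase into a credit: 20 - (-100) = 120."""
    p = parse_qs(query)
    user = int(p["s"][0])
    if p["t"][0] == PURCHASE:
        ledger[user] -= Decimal(p["a"][0])
    return ledger[user]


def process_hardened(ledger: dict, query: str, session_user: int) -> Decimal:
    """Acting user comes from the server-side session, never the request;
    the amount is validated before the ledger is touched."""
    p = parse_qs(query, strict_parsing=True)
    # The client may still send s, but it must be its own id.
    if "s" in p and p["s"][0] != str(session_user):
        raise Rejected("object reference does not match session")
    if p.get("t", [""])[0] != PURCHASE:
        raise Rejected("unknown transaction type")
    try:
        amount = Decimal(p["a"][0])
    except (KeyError, InvalidOperation):
        raise Rejected("malformed amount") from None
    if not amount.is_finite() or amount <= 0:
        raise Rejected("amount must be positive")
    if amount != amount.quantize(Decimal("0.01")):
        raise Rejected("amount must have at most two decimals")
    if ledger[session_user] < amount:
        raise Rejected("insufficient funds")
    ledger[session_user] -= amount
    return ledger[session_user]


def try_hardened(ledger: dict, query: str, session_user: int) -> str:
    """Helper for scripting: 'ok:<balance>' or 'rejected:<reason>'."""
    try:
        return "ok:%s" % process_hardened(ledger, query, session_user)
    except Rejected as why:
        return "rejected:%s" % why


if __name__ == "__main__":
    l = fresh_ledger()
    print(process_vulnerable(l, "s=5191&t=2&a=-100"))          # 120.00
    print(try_hardened(fresh_ledger(), "s=5191&t=2&a=-100", 5191))
```

The same rule covers ExportSales and ResetPassword: the account an endpoint may touch is decided from the authenticated session on the server, never from an identifier the client chose, and anything like CreateMoney that exists only for testing has no business being routable in production at all.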
Slide 21: You probably know this app!
• Popular apps are still written by developers.
• Developers make the same mistakes, world-wide.
• "Status: Hacked by Vantage Point"

Slide 22: Web Applications
• I have 15+ years of hacking web applications.
• Like mobile applications, the exploits are many: stealing money, access, information.
• Web is now mature; most developers know our tricks (OWASP, PCI DSS, MAS TRM).
• Web applications used to take minutes to hack.
• Now they can take hours, even days in some cases.

Slide 23: Our Setup
• Web application – Burp – Internet.
• Intercept and modify the traffic.
• HSTS: HTTP Strict Transport Security.
• Certificate is not trusted: thou shalt not pass! On an HSTS host the browser refuses to click through a certificate error.
• No traffic intercept.

Slide 24: Install the Burp Proxy Certificate on the Laptop
• The proxy is now a trusted CA.
• Now we see data, right?

Slide 25: End-To-End Encryption for FIs
• Part of the MAS TRM is that all FIs should implement application-layer end-to-end encryption:
  5.5.2 E2E encryption is required for online financial services, whether the systems are managed by the FI or outsourced to intra-group or third party service providers. Sensitive information such as customer PINs and passwords should be protected with E2E encryption.
• JavaScript in the browser encrypts all POST values.
• Designed for only "sensitive information"; most developers simply encrypt everything.
• Using asymmetric encryption (private/public keys).
• Another hoop we must jump through at 9am Monday morning.

Slide 26: They love to make it harder…
• We must now replace the public key during the crypto initiation.
• Then we decrypt the subsequent data with our own matching private key (and re-encrypt it with the real public key before forwarding it to the server, so the application keeps working).
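The key substitution from slide 26 walked through end to end, as an added example of mine rather than the talk's or any bank's code. A deliberately tiny textbook RSA (hard-coded small primes, one block per byte, no padding) stands in for the real JavaScript crypto purely so the exchange runs with no dependencies; it is not a usable cipher. The JSON shape of the init response, the form fields and both key pairs are constructed for the demo.

```python
"""Added example, not the talk's or any bank's code: the public-key
substitution from slide 26 walked through end to end.  A deliberately tiny
textbook RSA (hard-coded small primes, one block per byte, no padding) is
used only so the exchange runs with no dependencies; it is not a real cipher.
The key sizes, the JSON shape of the init response and the form are all
constructed for the demo."""
import json


def toy_keypair(p: int, q: int, e: int = 17) -> tuple:
    """Textbook RSA from two hard-coded primes: (n, e) public, (n, d) private."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub: tuple, text: str) -> list:
    n, e = pub
    return [pow(b, e, n) for b in text.encode()]   # byte-wise, toy only


def rsa_decrypt(priv: tuple, blocks: list) -> str:
    n, d = priv
    return bytes(pow(c, d, n) for c in blocks).decode()


SERVER_PUB, SERVER_PRIV = toy_keypair(61, 53)     # the bank's real key pair
PROXY_PUB, PROXY_PRIV = toy_keypair(89, 97)       # the tester's key pair


def server_init_response() -> str:
    """What the browser fetches at crypto initiation: the server public key."""
    return json.dumps({"n": SERVER_PUB[0], "e": SERVER_PUB[1]})


def proxy_rewrite_init(response: str) -> str:
    """Burp-style match/replace on the response: hand the browser OUR key."""
    body = json.loads(response)
    body["n"], body["e"] = PROXY_PUB
    return json.dumps(body)


def browser_submit(init_response: str, form: dict) -> list:
    """The page's JavaScript encrypts the POST values with whatever key it got."""
    body = json.loads(init_response)
    return rsa_encrypt((body["n"], body["e"]), json.dumps(form, sort_keys=True))


def proxy_intercept(ciphertext: list, tamper: dict = None) -> tuple:
    """Decrypt with our private key, tamper, re-encrypt for the real server."""
    form = json.loads(rsa_decrypt(PROXY_PRIV, ciphertext))
    seen = dict(form)
    form.update(tamper or {})
    return seen, rsa_encrypt(SERVER_PUB, json.dumps(form, sort_keys=True))


def server_receive(ciphertext: list) -> dict:
    return json.loads(rsa_decrypt(SERVER_PRIV, ciphertext))


def run_direct(form: dict) -> dict:
    """No proxy: the browser gets the real key and the server reads the form."""
    return server_receive(browser_submit(server_init_response(), form))


def run_mitm(form: dict, tamper: dict = None) -> tuple:
    """With the proxy in the path: returns (what we read, what the server got)."""
    init = proxy_rewrite_init(server_init_response())
    seen, forwarded = proxy_intercept(browser_submit(init, form), tamper)
    return seen, server_receive(forwarded)


if __name__ == "__main__":
    print(run_mitm({"user": "5190", "pin": "1234", "amount": "100"},
                   tamper={"amount": "-100"}))
```

The substitution works because the key arrives in-band, over the very channel the tester already controls, with nothing for the browser to check it against. Pinning the key (or a signing key for it) in the client closes this for a native app; for a browser application whose JavaScript is served by the same server, a party holding a trusted CA can rewrite the script itself, so browser-side E2E mainly protects against TLS-terminating middleboxes and logging, not against this setup.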
Slide 27: Security stops when developers feel safe. And we find amazing vulnerabilities!
• Control every aspect of an application.
• Steal billions of dollars!!!
• Thousands of cross-site scripting findings (over 6000).
• Hundreds of SQL injections (over 200).
• E2E encryption actually lowers the security posture: once the developers trust the crypto, they stop validating what arrives behind it.

Slide 28: My most satisfying job was a web application.
• Insurance company in NZ.
• Remote penetration test of the environment.
• Discovered the HR/payroll system is exposed.
• SQL injection in the authentication.
• Very simple bug, easily exploited. It took seconds.
• Once inside I called the client.
• One problem: he didn't believe me.
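The class of bug behind slide 28, as an added example of mine and not the client's code: an authentication query assembled by string formatting, beside the parameterised form. The in-memory SQLite database, the account and the password are constructed for the demo.

```python
"""Added example, not the client's code: the class of bug behind slide 28,
an authentication query assembled by string formatting, beside the
parameterised form.  The in-memory database, the user and the password are
constructed for the demo.  Unsalted SHA-256 is used only to keep it short;
a real login stores bcrypt/argon2 hashes."""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed HR database with one account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("hr_admin", hashlib.sha256(b"correct horse").hexdigest()))
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    """The username becomes part of the SQL text.  Hashing the password first
    does not help: the username alone is enough to rewrite the WHERE clause."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, pw_hash))
    return db.execute(sql).fetchone() is not None


def login_parameterised(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with bound parameters: input is data, never SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash)).fetchone()
    return row is not None


# Constructed payload: closes the string literal and comments out the rest
# of the statement, so the password comparison never runs.
BYPASS_USERNAME = "hr_admin' --"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS_USERNAME, "anything"))      # True
    print(login_parameterised(db, BYPASS_USERNAME, "anything"))   # False
```

Against the vulnerable form the payload logs in as hr_admin with any password; against the parameterised form the same string is simply a username nobody has.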
Slide 29: Pffttt.. Mobile is not hard core, Paul. I thought you were hard core, wtf do you got? How about an ATM?

Slide 30: The Job: test if you can hack an ATM
Attack vector:
• Service maintenance staff install a Trojan on the ATM.
• Attacker gains physical access to the ATM computer and installs a Trojan.
Platform:
• Hardened Windows 7, already logged on.
• Running full-screen ATM software.
• New USB devices disabled.
• Running McAfee Solidcore (McAfee Application Control).

Slide 31:
• File system filter driver, ring 0: swin.
• All binaries on the system are white-listed.
• Once locked down, only white-listed binaries can run.
• Even if you get access to the ATM, you can't run anything.
• You can copy your Trojan to the ATM; you cannot run it.

Slide 32: McAfee Task Scheduler
• C:\Users\All Users\McAfee\Scheduler
• Scheduling files for automated tasks: "run this command", "unlock / relock the system".
• Custom INI-style files.
• Writable by all users, so a low-privileged user can drop a task that runs the Trojan, or unlocks the system, and the scheduler does the rest with its own privileges.

Slide 33: Mass Pwnage – Hacking Indonesia
• Our Indonesian neighbours need some help :)
• Engaged to pen-test a local bank in Jakarta.
• "Anything goes" penetration test.
• Internal / external network, wireless, ATMs, physical, social, anything.

Slide 34: (image only)

Slide 35:
• No firewalls within the network.
• Desktop users can talk to anything / everything, including other offices, servers, even the ATMs!
• Windows 2000 and XP still in use.
• Wireless only for executives: WEP security, only accessible from the 6th floor.
• Employees relatively annoyed by this: no reception at the kopitiam!
• They installed their own access point with a big antenna. Soto Betawi & wireless.

Slide 36:
• I wanted impact, so we sat outside at the kopitiam.
• Dressed very formally at the roadside on the little chairs. Everyone stared at us.
• My colleague busted the WEP in minutes.
• We had an internal IP address.
• Nmap for servers, services, devices.
• NBT (NetBIOS) names began to appear: MailServer, ProxyServer, ATM21, ATM11..
• "The ATM, we must hack the ATM."

Slide 37:
• "We are not the first people here."
• The ATMs were already running Russian malware, sending information to an external host in Russia.
• Dang, that's a first….
• We continued hacking for two weeks:
  • Domain Administrator.
  • root on all servers (shared SSH keys).
  • Payroll, audit, commercial banking, retail banking.
  • All ATMs.
  • Routers.
  • Common passwords on all servers: "12345password", "bankname", "password", "passw0rd".

Slide 38: In Conclusion: We hack way too many things!
• At Vantage Point we live IT security; it is our passion.
• I could spend hours talking about hacking.
• It's a passion, and we take it very seriously.
• We don't just run 10 tools and "scan" technology.
• We hack, using the most powerful tool: our minds.
If you also feel the same way, we are always hiring. paul@vantagepoint.sg

Slide 39: Thank you. Paul @ vantagepoint.sg. Are there any questions?