I attended YOW! Sydney 2014 and thought some people might get something useful out of my notes. These aren’t my complete reinterpretations of every slide, but just things I jotted down that I thought were interesting enough to remember or look into further.
Hackers Are Security Experts
He started out with the obvious but perhaps too often forgotten observation: “You can’t defend your app unless you actually understand how the hacker’s technology works.”
He described how hackers only need to “get it right” once. Those developing and deploying the system need to get it right every time. (This is sometimes called the “Fortification Principle”. Apparently DARPA are working on evening out the playing field.)
Know Where Security Applies
He showed how to proxy HTTP/S traffic from a mobile into the Fiddler web debugger and showed an example of how an app was returning data to the app that the user isn’t authorised to see. The developers had failed to understand that the client wasn’t part of their system and they didn’t control access to all data beyond the screens.
He described how he hound a banking app that had disabled SSL validation, so it was accepting an invalid certificate and could in fact be forced into a man in the middle attack with any certificate.
Password Storage Security
He talked about password storage and how simple salted hashes are not good enough anymore. It’s just too fast to crack them with modern GPUs. (You can read all about the gory detail of this, and what to do about it, on Troy’s excellent blog.)
He showed how to use penetration testing tool Havij. Within seconds he had got the database name, table names, column names and data from a (deliberately vulnerable) website simply by copying a URL in from a browser and pressing a few buttons.
He described a really simple way to think about, and remember to defend against, SQL injection: everything in your application’s static query text is trusted. Everything that comes from somewhere else is not.
Other Security Tools for Hacking
He also pointed at LOIC, a tool that even kids can download and use to launch DoS attacks.
As well as showing developers tools they could use to test their own systems, I think he was also making the point that you can’t just hope that skilled attackers don’t target you because you’re small. There are literally thousands of people just playing around with hacking tools against websites they use to see what happens.
He said that he thinks many people, even educated software developers, don’t take the threat of a man-in-the-middle attack seriously. He showed a device called a WiFi Pineapple, which reads the names of SSIDs that phones broadcast when searching for an access point and then changes its own SSID to match those SSIDs. It basically suckers your device into connecting by pretending to be a network that you’ve “trusted” in the past. He showed the list of about 100 devices in the room that the device had read SSIDs from, including a few that had connected to it. Once you’re connected, any unencrypted traffic between you and the internet is easily pulled out of the air. What does this mean? It means you need to ensure your device is using TLS for EVERYTHING that shouldn’t be seen by other people.
Internet of Things Security
He finished off by highlighting emerging problems with security and the Internet of Things. e.g. LifX, an internet-connected lightbulb, found a vulnerability that allowed people both to gain access to the lightbulb AND to access the Wifi password!
Finally he left us with the mental image of a Japanese internet-connected toilet which had a vulnerability that allowed bidet to be turned on.