Notes from YOW! 2014: Troy Hunt on Security: ‘Hack Yourself First’

Share Button

I attended YOW! Sydney 2014 and thought some people might get something useful out of my notes. These aren’t my complete reinterpretations of every slide, but just things I jotted down that I thought were interesting enough to remember or look into further.

Troy Hunt (@troyhunt) spoke about “developers building up cyber-offence skills and proactively seeking out security vulnerabilities in their own websites before an attacker does”. (Slides, Video)

Hackers Are Security Experts

A stereotypical security hacker, using a computer in a dark room while wearing a guy flakes mask and a black hat.He started out with the obvious but perhaps too often forgotten observation: “You can’t defend your app unless you actually understand how the hacker’s technology works.”

He described how hackers only need to “get it right” once. Those developing and deploying the system need to get it right every time. (This is sometimes called the “Fortification Principle”. Apparently DARPA are working on evening out the playing field.)

Know Where Security Applies

He asked: If your company has a Twitter account, who chose the password? The marketing intern, or the Security team?There's SO MUCH CODE. You need help. Now! All you want to know is: "Who's the Expert?!" Get the Atlassian Stash plugin that tells you.

He showed how to proxy HTTP/S traffic from a mobile into the Fiddler web debugger and showed an example of how an app was returning data to the app that the user isn’t authorised to see. The developers had failed to understand that the client wasn’t part of their system and they didn’t control access to all data beyond the screens.

He described how he hound a banking app that had disabled SSL validation, so it was accepting an invalid certificate and could in fact be forced into a man in the middle attack with any certificate.

Password Storage Security

He talked about password storage and how simple salted hashes are not good enough anymore. It’s just too fast to crack them with modern GPUs. (You can read all about the gory detail of this, and what to do about it, on Troy’s excellent blog.)

SQL Injection

He showed how to use penetration testing tool Havij. Within seconds he had got the database name, table names, column names and data from a (deliberately vulnerable) website simply by copying a URL in from a browser and pressing a few buttons.

He described a really simple way to think about, and remember to defend against, SQL injection: everything in your application’s static query text is trusted. Everything that comes from somewhere else is not.

Other Security Tools for Hacking

He also pointed at LOIC, a tool that even kids can download and use to launch DoS attacks.

As well as showing developers tools they could use to test their own systems, I think he was also making the point that you can’t just hope that skilled attackers don’t target you because you’re small. There are literally thousands of people just playing around with hacking tools against websites they use to see what happens.

He said that he thinks many people, even educated software developers, don’t take the threat of a man-in-the-middle attack seriously. He showed a device called a WiFi Pineapple, which reads the names of SSIDs that phones broadcast when searching for an access point and then changes its own SSID to match those SSIDs. It basically suckers your device into connecting by pretending to be a network that you’ve “trusted” in the past. He showed the list of about 100 devices in the room that the device had read SSIDs from, including a few that had connected to it. Once you’re connected, any unencrypted traffic between you and the internet is easily pulled out of the air. What does this mean? It means you need to ensure your device is using TLS for EVERYTHING that shouldn’t be seen by other people.

Internet of Things Security

Graphic showing a person being launched off an exploding bidet on an internet-connected IoT toiletHe finished off by highlighting emerging problems with security and the Internet of Things. e.g. LifX, an internet-connected lightbulb, found a vulnerability that allowed people both to gain access to the lightbulb AND to access the Wifi password!

Finally he left us with the mental image of a Japanese internet-connected toilet which had a vulnerability that allowed bidet to be turned on.

Want to learn more?

 Image credits: ‘Anonymous Hacker‘ by Brian Klug
Toilet/bidet graphic via Observation Deck

Share Button

1 thought on “Notes from YOW! 2014: Troy Hunt on Security: ‘Hack Yourself First’

  1. Good notes Graham. Certainly highlights the fact that there are still plenty of vulnerabilities out there! The WiFi pineapple is quite an interesting concept.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.