Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/1Ny23E3.
Michael Coates explores how attackers target, analyze and compromise applications. Coates discusses recent high profile compromises and deconstructs them to understand exactly what went wrong and how to prevent these weaknesses in your applications. Filmed at qconsf.com.
Michael Coates is the Trust & Information Security Officer at Twitter and also a member of the global board of directors for OWASP, a nonprofit organization providing resources and communities to increase application security.
Applications Through an Attacker’s Lens
1. MICHAEL COATES, TRUST & INFORMATION SECURITY OFFICER
@_MWC
APPLICATIONS THROUGH AN ATTACKER'S LENS
2. InfoQ.com: News & Community Site
• 750,000 unique visitors/month
• Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese)
• Post content from our QCon conferences
• News 15-20 / week
• Articles 3-4 / week
• Presentations (videos) 12-15 / week
• Interviews 2-3 / week
• Books 1 / month
Watch the video with slide synchronization on InfoQ.com!
http://www.infoq.com/presentations/security-attacker-mind
3. Purpose of QCon
- to empower software development by facilitating the spread of knowledge and innovation
Strategy
- practitioner-driven conference designed for YOU: influencers of change and innovation in your teams
- speakers and topics driving the evolution and innovation
- connecting and catalyzing the influencers and innovators
Highlights
- attended by more than 12,000 delegates since 2007
- held in 9 cities worldwide
Presented at QCon San Francisco
www.qconsf.com
9. One security expert familiar with the investigation wondered how the hackers could have
known to breach security by focusing on the vulnerability in the browser. “It would have
been hard to prepare for this type of vulnerability,” he said. The security expert insisted
on anonymity because the inquiry was at an early stage.
6/14/2011 nytimes.com
11. "When you look at how the breaches are occurring, it's like penetration testing 101"
Alex Cox, principal research analyst at NetWitness
6/15/2011 DarkReading.com
12. APPLE & AT&T
114,000 RECORDS EXPOSED - MILITARY, TOP EXECS
BREACHED: subscribers' email addresses, phone ICC-ID
NOVEMBER, 2012
DETAILS
• No password or token required
• XHR Request w/ User Agent for iPhone
• Predictable ICC-ID within HTTP Request -> Associated email address
14. SQL INJECTION & 2015
BREACHES & SQL VULNS
• Joomla
• Patreon
• Planned Parenthood
• Gaana Music Service
• Telstra corporate network
• World Trade Organization
• SAP - Medical App
• & more
Source | "Data Breach Report", Verizon, 2015
15. IRS
220,000+ RECORDS BREACHED
BREACHED: Taxpayer Past Returns
MAY, 2015
DETAILS
• Used user information gathered from multiple sources
• Automated completion of user questions through IRS Get Transcript application
• Return: "nearly $50 million in refunds stolen before the agency spotted the problem"
19. ATTACKING THE FRONT DOOR
steve@gmail.com password1
steve@gmail.com password2
steve@gmail.com password3
20. ATTACKING THE FRONT DOOR
Axis 1: 1 User / Many Users
Axis 2: Single Password Guess / Many Passwords Guessed
Quadrants:
- Traditional Brute Force: Easy to Detect
- Password Reuse Attack: Hard to Detect
- Widespread: Easy to Detect
- Targeted: Hard to Detect
21. ATTACKING THE FRONT DOOR
Axis 1: 1 User (Targeted) / Many Users (Targeted)
Axis 2: Single Password Guess / Many Passwords Guessed
Quadrants:
- Traditional Brute Force: Easy to Detect
- Widespread: Easy to Detect
- Targeted: Hard to Detect
- Password Reuse Attack: Hard to Detect
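The grid on slides 20 and 21 separates one-account brute force (many guesses against one user, which a per-account lockout counter sees) from a password reuse attack (one guess per account across many users, which it does not). The added detection sketch below is not from the talk; it runs both views over a constructed login log, with made-up IPs and usernames, to show why the reuse attack is only visible when attempts are aggregated per source rather than per account.

```python
from collections import defaultdict

# Constructed sample authentication log: (source_ip, username, outcome).
# These records are invented for illustration, not data from the talk.
LOGIN_EVENTS = [
    ("203.0.113.5", "steve@gmail.com", "fail"),     # one account, many guesses
    ("203.0.113.5", "steve@gmail.com", "fail"),
    ("203.0.113.5", "steve@gmail.com", "fail"),
    ("203.0.113.5", "steve@gmail.com", "fail"),
    ("203.0.113.5", "steve@gmail.com", "fail"),
    ("198.51.100.9", "alice@example.com", "fail"),  # many accounts, one guess each
    ("198.51.100.9", "bob@example.com", "fail"),
    ("198.51.100.9", "carol@example.com", "success"),
    ("198.51.100.9", "dave@example.com", "fail"),
    ("198.51.100.9", "erin@example.com", "fail"),
    ("192.0.2.77", "frank@example.com", "fail"),    # ordinary user mistyping once
    ("192.0.2.77", "frank@example.com", "success"),
]

def account_failure_counts(events):
    """What a per-account lockout counter sees: failures per username only."""
    counts = defaultdict(int)
    for _ip, user, outcome in events:
        if outcome == "fail":
            counts[user] += 1
    return dict(counts)

def summarize_by_source(events):
    """Per source IP: number of attempts against each distinct username."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, user, _outcome in events:
        per_ip[ip][user] += 1
    return per_ip

def classify_source(attempts_by_user, min_attempts=4):
    """Place one source's activity in the talk's users-vs-guesses grid."""
    total = sum(attempts_by_user.values())
    users = len(attempts_by_user)
    if total < min_attempts:
        return "benign"
    if users == 1:
        return "traditional brute force"   # 1 user, many passwords guessed
    if total == users:
        return "password reuse attack"     # many users, a single guess each
    return "widespread guessing"           # many users, many passwords guessed

def classify_sources(events, min_attempts=4):
    """Classify every source IP in the log."""
    return {ip: classify_source(users, min_attempts)
            for ip, users in summarize_by_source(events).items()}
```

With this log, the per-account view shows five failures for steve@gmail.com but only one for each of the other accounts, so only the per-source view flags 198.51.100.9.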
25. ATTACKING THE SIDE DOOR
We ask you to type the answer twice because we don't display what you are typing -
that's so that someone can't read your question and answer over your shoulder.
26. ATTACKING THE SIDE DOOR
“secret questions are neither secure nor reliable enough to be used as a
standalone account recovery mechanism”
English Speakers: “What is your favorite food?” - 19.7% with 1 guess
Arabic Speakers: ”What’s your first teacher’s name?” - 24% with 10 guesses
Spanish Speakers: "What is your father’s middle name?” - 21% with 10 guesses
Korean Speakers: "What is your city of birth?” - 39% with 10 guesses
Korean Speakers: "What is your favorite food?” - 43% with 10 guesses
googleonlinesecurity.blogspot.com
39. ACCESS CONTROL
PRESENTATION | BUSINESS | DATA
EDIT USER form: Enter New Name (field: name)
site.com/editUser?ID=551234
POST /editUser HTTP/1.1
Host: site.com
ID=551234&name=Bob
40. ACCESS CONTROL
PRESENTATION | BUSINESS | DATA
EDIT USER form: Enter New Name (field: name)
site.com/editUser?ID=551234
POST /editUser HTTP/1.1
Host: site.com
ID=551235&name=Bob
44. APP VECTORS FOR DATA BREACHES
Source | “Data Breach Report”, Verizon, 2015
45. SCALABLE BLACKMARKET BUSINESSES
"Paunch had more than 1,000 customers and was earning $50,000 per month from his illegal activity"
Source | krebsonsecurity.com, 2013