Slides for a talk at the Pacific Hackers conference in Santa Clara, California Given on Nov 11, 2018 By Sam Bowne

1. Beyond Cryptography
Theater
Hacker Dojo, Santa Clara California
November 11, 2018
Sam Bowne
PhD, CISSP
like, really smart

2. Me
All materials freely available
at samsclass.info

3. Security Theater

5. Cisco VPN
"Encrypted" Password

6. Public Exposure

7. Not So Encrypted

8. Kaiser Permanente
•I found their Cisco password this way
•Disclosure was difficult, but I managed it
privately
•A journalist's consultant told me it didn't
matter, because
"that password is not a security boundary"

9. Cryptography Theater

10. PROTECTED BY
ATTACK KITTENS

11. Cryptography Theater
•Obfuscation
•Makes data difficult to read
•But doesn't prevent a serious attacker from
reading it

12. Windows Registry

13. USERASSIST
• Records programs you launch on Windows
• Protects your privacy by storing them in an
obfuscated form

14. ROT13
• Puebzr
• Chrome
• Q:frghc64.rkr
• D:setup64.exe

15. Android Apps

16. TD Ameritrade App

17. TD Ameritrade App
• Puts password in syslog
• Visible to all apps on the device
• (Fixed in later versions)

18. Mayo Clinic
Medical Transport

19. Mayo Clinic Medical Transport
• Pull app from phone with adb
• Unpack with apktool

20. Mayo Clinic Medical Transport
• grep for secretpassword
• Disclosure
• I notified the developer about this in June
of 2015. He told me to get lost.

21. GenieMd
Current versions on Nov 9, 2018

22. GenieMd
• Does not validate
TLS certificates
• Allows MITM attack

23. GenieMd

24. GenieMd
• Notified by CERT in 2014, and by
me in 2015

25. FTC Lawsuit Settlement

26. Passwords on a Phone

27. Persistent Login
•Users remain logged in even after shutting off
their phone
•How does the app remember who you are?

28. Target == GOOD

29. Target AU Android App

30. User Login

31. Server Response
Random Number, stored in a cookie
THIS IS THE RIGHT WAY

32. Staples == BAD

33. Tested in Jan 2017

34. Locally Stored Password
• Right away this shows a problem
• WHY store the password?
<string name="encryptedPassword">
CT9SVzhhRaufBzCvmwENWQ==
</string>

35. 1. Best way: Don't. Use a cookie
2. Use Android KeyChain
3. Encrypt with with a public key
• Private key is kept secret on a server
4. Encrypt with with a private key
• Private key is "hidden" on the phone (under the mat)
5. Store data unencrypted on the phone

36. Special Password
• aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaA123
• 32 identical characters at beginning
<string name="encryptedPassword">
5V/uOkjK/Pxnb8yo7OdXzuVf7jpIyvz8Z2/
MqOznV84Chyt5lFv9LDpXXmJq9fUx
</string>

37. Decode
p = '5V/uOkjK/Pxnb8yo7OdXzuVf7jpIyvz8Z2/
MqOznV84Chyt5lFv9LDpXXmJq9fUx'
>>> p.decode("base64").encode("hex")
'e55fee3a48cafcfc676fcca8ece757cee55fee3a4
8cafcfc676fcca8ece757ce02872b79945bfd2c3a5
75e626af5f531'
e55fee3a48cafcfc676fcca8ece757ce
e55fee3a48cafcfc676fcca8ece757ce
02872b79945bfd2c3a575e626af5f531

38. Read Smali Code

39. Constructing the Key

40. Final Key

41. Encryption
Test

42. Notification
• Notified Jan 2, 2017
• Automated response said it would be fixed
• No response to follow-up email
• April 13 -- Staples became homework

44. Notification
• Fixed by May 9, 2017

46. Plaintext Password Storage

47. Plaintext Login

49. Broken SSL

50. A Feature, Not a Bug

51. Password Stored with
Reversible Encryption

52. Home Depot
Locally stored password is encrypted

53. Unpack APK

57. Salt -> Key

58. Complete Decryption

61. Kroger

62. Kroger

63. Safeway

64. Safeway

65. Walgreens

66. Walgreens

67. Multiple Vulnerabilities

68. Fixed

69. Analysis of Stolen Data Dumped by
TEAMGHOSTSHELL on Aug 25, 2012

72. Password Storage:
Awful Beyond Belief
Plaintext, obvious, all the same

73. Plaintext Passwords, Easily Guessed

75. Sparklan Passwords

76. Beforward Transactions with PII

77. Plaintext Passwords

78. Password Storage:
BASE64
Obfuscated, not hashed

79. Beforward.jp

80. BASE64 Encoding

81. Password Storage:
Unsalted MD5 or SHA-1
Real hashing, but very easy to
crack

82. MIT – MD5 Password Hashes

85. MySQL323 Password Hashes

86. Cracking Hashes with Cain

87. SHA-1 Hash

88. Cracked!

89. MySQL 5 Password Hashes

90. Wordpress Password Hashes

91. Relative Space

92. Cracked!

95. Password Hashing Algorithms

97. The Right Way

98. Basic Logic Errors

99. San Francisco
Parking Meters

102. Wut?
https://www.wired.com/2009/07/parking-meters/
https://www.pcworld.com/article/169376/meter_hackers.html

103. Encrypted Storage

104. •https://www.theguardian.com/politics/2016/dec/21/at-
least-1000-government-laptops-and-flash-drives-reported-
missing-since-2015

106. • https://www.syss.de/fileadmin/dokumente/Publikationen/2009/
SySS_Cracks_SanDisk_USB_Flash_Drive.pdf

107. "Secure cryptographic algorithms, like AES... are used in an insecure
way."

108. https://www.theregister.co.uk/2015/10/20/western_digital_bad_hard_drive_encryption/

109. • https://www.engadget.com/2018/11/06/microsofts-bitlocker-
compromised-by-bad-ssd-encryption/
• https://www.theregister.co.uk/2018/11/05/busted_ssd_encryption/

110. Math
Learn It

111. • Management Review
• Do you need this data?
• Is it encrypted?
• What algorithm?
• Where is the key?
All materials freely available at samsclass.info