Social Connections 12. We hired hackers to hack us

Vienna, October 16-17 2017

We hired hackers to hack us; A case study about cloud-based authentication and security in IBM Connections

Robert Farstad @robertfarstad

Social Connections 11 Chicago, June 1-2 2017 Social Connections 12 Vienna, October 16-17 2017

PLATINUMSPONSORS

GOLDSPONSORS

SILVERSPONSORS

BRONZESPONSORS


This session… …is mainly for you tech-people. But very useful for everyone to see. Might be an eye-opener. No talk about: •  What IBM Connections is… •  What IBM Cnx can give you… •  No ROI talk, what so ever! •  How to use IBM Cnx!!


This session…

…is a case study where I will show you •  an integration with Auth0. •  how we hired hackers to hack us.

Social Connections 11 Chicago, June 1-2 2017 Social Connections 12 Vienna, October 16-17 2017 Vienna, October 16-17 2017


The customer


The customer - •  Political party, won the election 2017, second time in a row. •  Norways Prime Minister is Høyres leader. •  60.000 members

•  Was a white-space customer.

•  Now: Connections + Docs + Sametime •  IBM Reference Customer.

•  Security is a priority, more and more. •  Election year = hacking attempts. •  We hacked them first!


- cloud based authentication

Høyre used Auth0 for all websites. Requirement for them to become a Connections customer was: •  Authentication integration with Auth0! •  è POC – Item Consulting developed a TAI

mechanism towards Auth0.


What is Auth0?


- cloud based authentication You can connect any application. •  Custom credentials: username + passwords •  Social network logins:

•  Google, Facebook, Twitter, and any OAuth2, OAuth1 or OpenID Connect provider.

•  Enterprise directories: •  LDAP, Google Apps, Office 365, ADFS, AD, SAML-P, WS-

Federation, etc. •  Passwordless systems:

•  Touch ID, one time codes on SMS, or email. •  Supports several 2-factor solutions.


•  JSON Web Token •  Secure API: (TLS v1.2, AES_128_GCM and uses

ECDHE_RSA as the key exchange mechanism. ) •  Extensible admin tool.

•  Monitoring, (#logins, where from, who fails, hack attempts, alarms.)

•  Blocking •  Logs •  Synced with Høyres back-end member system via

MSSQL DB, securely!







+ TAI

•  Item developed a WebSphere Application •  TAI – Trust Association Interceptors.

•  èLTPA after authenticated •  New Auth0 login page. •  Logout pages are modified

•  Logs out of Auth0 •  Logs out of Websphere


Devices used Loginoccursfrom:•  Browsers•  Apps•  Desktopplugins.Technically,theloginproceduresarequitedifferent.


Web-browsers


Apps + Plugins


Tivoli Directory server - TDS ◘  FREE/BundledLDAPserverforIBMConnections◘  StandardsetupbetweenWebSphereandTDS◘  ImportofusersviaTDI/SDItoTDS.

◘  FromMSSQLDatabase–oversite2sitevpn.◘  Importsonlythemostrelevantfields

Name,email,mobile,position,company,department


Tivoli Directory server – TDS + PTA ◘  PasswordfieldinTDSisblank!

◘  PTAistriggered.◘  WhatisPTA?

◘  PassThroughAuthentication◘  PTAisconfiguredtosearchin

alternativeLDAPsource.◘  ThepasswordisstoredinAuth0◘  OurPTAsourceisTDI/SDI

◘  TDIcallstheTAIapplication–getsresponsecode200ifOK.

◘  èloggedin


What is TDI/SDI? ◘ TivoliDirectoryIntegrator/SecurityDirectoryIntegrator◘ Datamanipulationsystem,limitlesspossibilities.◘ Eclipsebased– Javascriptcoding.◘ Usedtomove,consolidate,manipulatedata.◘ UsedinConnectionsforprofiledataimport.◘ Besttoolever,onceyou´velearnedthejiftoftheguianddebugger.


TDI – acting as an LDAP server. ◘ SimulatesanLDAPserver◘ GetsattemptedusernameandpasswordfromTDSPTA.◘ CredentialsèWebSphereAuth0loginapp.◘ WASappèRESTlookuptoAuth0API.◘ GetsreturncodeOKorNOT_OK.◘ TDIreceivessamecodefromtheWASapp.◘ TDSPTAreceivessamecodefromTDI.

◘ TDIrunsmultipleinstances–Canhandlelargeload.


TDI – acting as an LDAP server.

Simplecode–extremelypowerful!


TDI – acting as an LDAP server.


Didtheygetin?

Wehiredhackers


Whattheytested

Loginattempts

SSL+headers

AppsStolenlaptop

Me!Sensitiveinformation


SSLtests

www.ssllabs.com Gradewasbad Afterhardening

SSLChipersSuite,honorChipersOrderandSSLV2+V3disabling.TLSonly


SSLtests–httpconfigforGradeASSLEnableSSLProtocolEnableTLSSSLProtocolDisableSSLv2SSLv3#DisableSSLCompression->CRIMEATTACKSSLCompressionoff#PreferECDHE-RSAciphersSSLCipherSpecALLNONESSLCipherSpecTLSv12TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256SSLCipherSpecTLSv12TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256SSLCipherSpecTLSv12TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384SSLCipherSpecTLSv12TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384SSLCipherSpecALLTLS_RSA_WITH_AES_128_GCM_SHA256SSLCipherSpecALLTLS_RSA_WITH_AES_256_GCM_SHA384SSLCipherSpecALLTLS_RSA_WITH_AES_128_CBC_SHA256SSLCipherSpecALLTLS_RSA_WITH_AES_256_CBC_SHA256#Enablingthis3ciphersmeanA-ratingonssllabsSSLCipherSpecALLTLS_RSA_WITH_AES_128_CBC_SHASSLCipherSpecALLTLS_RSA_WITH_AES_256_CBC_SHASSLCipherSpecALLSSL_RSA_WITH_3DES_EDE_CBC_SHA


Headers

securityheaders.io Gradewasbad Afterhardening

HTTPconfigtoachieveGradeA:HeaderalwayssetStrict-Transport-Security"max-age=31536000;includeSubDomains;preload”HeadersetReferrer-Policy"same-origin”HeadersetX-Content-Type-Options"nosniff”HeadersetX-XSS-Protection"1;mode=block”HeadersetX-Frame-Options"DENY”HeadersetX-Frame-OptionsSAMEORIGIN


TheMobileApp

Decompile

• Androidappisdecompilable• Brokendowntostudycode

Test• Triedeveryurlfoundincode

Result

• Foundnoinsecurities!• ButMITMattackswerepossible!


MITM-Man-in-the-middleattackAnemployeeisouttravelingandconnectstoapublicnetworksuchasahotelorairportWIFI.Butinstead,connectstoahackerswifihotspot.Thenclickson“Continue”….He/shewillgivethehackerrunningaMITMattack,fullvisibilityoverthetraffic.


MITM-Man-in-the-middleattack


MITM-Man-in-the-middleattackmobile-config.xmlhasthesolutionfortheconnectionsapp.Don´tpress“Continue”!.Tellyouradminstofixit.


Demotime

ThedemoconsistedofshowingaMITMattack+username/password“clusterbomb”attackusingfreetool

BurpSuite.


Accidentwaitingtohappen


Whatdidtheyfindwhentheygotin?

StolenLaptopScenario


StolenLaptopScenario•  NothardtofindpasswordonPC•  Oncein,passwordstositesare

normallystoredinbrowser.•  Savedwifihotspotsgiveshackers

GPScoordinates=>candriveupalongsideyourcompany'sbuildingandconnect.

•  HackersfoundsensitiveinformationopentoalloftheIBMConnectionsusers.

Don´texposelogininformationavailabletoeveryone!


Theyhackedme!

Oratleast,theytriedto…


Theyhackedme!•  TheyknewwhoIwas.•  Googledme,foundmyblog.•  Inoneofthescreenshots,a

passwordwascensored.


Theyhackedme!

Iwasaweaklink…

HowhardisitforhackerstofindITstaffatyourcompany?LinkedInsearch…Googlesearch…Googleisbothyourfriendandyourenemy.

•  Badcensoring!!•  Found6outof9charsby

matchingfont,sizeandstudiedcurves.


Avoidstress


•  Mask/hidebetter!•  Hackersarecleverbastards.

•  HackershasALOToffreetime.

•  Implement2-factorauthorizationmechanism,likeAuth0

•  Hideyourstuff.•  Onceagain:Hackersarecleverbastards.

•  Lockoutpolicy–i.e.5attempts=>lockedout…Hackershastoolsforthat!

•  Trainyourusers!



Usefullinks:CheckSSL:https://ssllabs.comCheckHeaders:https://securityheaders.ioAnalyzeCSP:https://report-uri.io/home/analyseWhatcanyourbrowsersupport?http://caniuse.com/#search=referrer%20policyAuth0multi-factorauthentication:https://auth0.com/docs/multifactor-authenticationBurpSuite:https://portswigger.net/burpEthicalHackerCertification:https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/Myblog:http://blog.robertfarstad.comTwitter:https://www.twitter.com/robertfarstadItemConsulting:https://www.item.no


PLATINUMSPONSORS

GOLDSPONSORS

SILVERSPONSORS

BRONZESPONSORS

Presentations & Public Speaking

Social Connections 12. We hired hackers to hack us