Is Security an Afterthought when Designing Apps? (SBA Research – Vienna University of Technology, Edgar R. Weippl, 12/18/12)

Upload: vukhue

Post on 29-Oct-2018


TRANSCRIPT

12/18/12

1

Is Security an Afterthought when Designing Apps?

SBA Research – Vienna University of Technology, Edgar R. Weippl

Apps, Mobile Devices, Cloud Services

• So many new opportunities
• Building on experience of previous decades
• Things can only get better
• Really?


Data Storage

Simple systems
• FTP, WebDAV, NFS

A little more complex
• Delta sync
• P2P

More complex systems

Data Deduplication

• At the server
– Same file only stored once
– Save storage space at server

• At the client
– Calculate hash or other digest
– Reduce communication


Attacks

• Hash manipulation
• Stolen Host ID
• Direct Up-/Download
– Uploading without linking
– Simple HTTPS request https://dl-clientXX.dropbox.com/store

Evaluation

Time until (hidden) chunks get deleted:
• Random data in multiple files
• Hidden upload: at least 4 weeks
• Regular upload: unlimited, undelete possible (> 6 months)

Popular files on Dropbox:
• thepiratebay.org Top 100 Torrent files
• Downloaded copyright-free content (.sfv, .nfo, ...)
• 97 % (n = 368) were retrievable
• 20 % of torrents were less than 24 hours old

Interpretation:
• At least one of the seeders uses Dropbox


Solutions

• Aftermath
– Dropbox fixed the flaws
– HTTPS Up-/Download Attack
– Host ID is now encrypted
– No more client-side deduplication

• Proof of ownership
• Take down notice

Figure: victim using Dropbox and attacker's PC. 1. Steal hashes; 2. Send hashes to attacker; 3. Link hashes with fake client; 4. Download all files of the victim.
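Why a bare hash is not proof of possession, and how the "proof of ownership" fix from the Solutions slide closes the hole: an added example, not code from the talk or from Dropbox. It models a constructed deduplicating store in Python; the challenge-response (an HMAC over the file content keyed with a fresh server nonce) is an assumed simple proof-of-ownership scheme, not Dropbox's actual protocol.

```python
import hashlib, hmac, os

class DedupServer:
    """Constructed model of a deduplicating store (not Dropbox's code)."""
    def __init__(self):
        self.store = {}    # sha256 hex digest -> content, kept once per digest
        self.links = {}    # (user, filename) -> digest
        self.pending = {}  # (user, digest) -> outstanding challenge nonce
    def upload(self, user, name, data):
        digest = hashlib.sha256(data).hexdigest()
        self.store.setdefault(digest, data)
        self.links[(user, name)] = digest
        return digest
    def link_by_hash_unsafe(self, user, name, digest):
        # Client-side dedup as attacked in the talk: the bare hash is taken as proof
        # of possession, so a stolen or guessed digest links someone else's content.
        if digest not in self.store:
            return False
        self.links[(user, name)] = digest
        return True
    def challenge(self, user, digest):
        # Proof of ownership, step 1: a fresh nonce the client must mix with the bytes.
        if digest not in self.store:
            return None
        self.pending[(user, digest)] = nonce = os.urandom(16)
        return nonce
    def link_with_proof(self, user, name, digest, proof):
        # Step 2: only a holder of the content can compute HMAC(nonce, content).
        nonce = self.pending.pop((user, digest), None)
        if nonce is None:
            return False
        expected = hmac.new(nonce, self.store[digest], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return False
        self.links[(user, name)] = digest
        return True

def client_proof(nonce, data):
    return hmac.new(nonce, data, hashlib.sha256).digest()

def demo():
    srv = DedupServer()
    secret = b"constructed victim file contents"
    digest = srv.upload("victim", "report.pdf", secret)
    leaked = srv.link_by_hash_unsafe("mallory", "got.pdf", digest)   # hash alone suffices
    forged = srv.link_with_proof("mallory", "got2.pdf", digest,
                                 client_proof(srv.challenge("mallory", digest), b"guess"))
    genuine = srv.link_with_proof("bob", "copy.pdf", digest,
                                  client_proof(srv.challenge("bob", digest), secret))
    return {"unsafe_link": leaked, "forged_proof": forged, "genuine_proof": genuine}
```

The nonce is consumed on use, so a captured proof cannot be replayed for a later challenge.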

WhatsApp


Man-in-the-Middle

Certificates?


Authentication


In Reality

Even Worse

Code = “Hi!”


Completely Stealthy

WowTalk


Status Messages


https://s.whatsapp.net/client/iphone/u.php?cc=countrycode&me=phonenumber&s=statusmessage

Enumeration Attack


On vacation

Sleeping

at work but not doing shit

Nicaragua in 4 days!!

Heartbroken

Missing my love!

At work ... Bleh.

On my way to Ireland!

I’m never drinking again
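The status endpoint above takes the phone number as a client-supplied `me=` parameter, so a single client can walk through numbers and harvest status messages. As an added example (not from the talk or from WhatsApp), this Python detection logic runs over constructed web server log lines and flags any source address that queries the endpoint for many distinct `me=` values within a sliding window; the log format, IP addresses and phone numbers are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed log format (not WhatsApp's real logs): src ip, ISO timestamp, request, status.
LOG_LINE = re.compile(r'^(\S+) \[(\S+)\] "GET (\S+) HTTP/1\.1" (\d{3})$')
STATUS_PATH = "/client/iphone/u.php"

def parse_line(line):
    m = LOG_LINE.match(line)
    if not m:
        return None
    src, ts, target, code = m.groups()
    url = urlsplit(target)
    q = parse_qs(url.query)
    return {"src": src, "ts": datetime.fromisoformat(ts), "path": url.path,
            "me": q.get("me", [None])[0], "code": int(code)}

def find_enumerators(lines, window=timedelta(minutes=5), threshold=20):
    """Return {src: max distinct 'me' numbers seen in any `window`} for sources at or
    above `threshold`. A real client touches one number; a scan walks through many."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == STATUS_PATH and rec["me"]:
            by_src[rec["src"]].append((rec["ts"], rec["me"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        recent, best = deque(), 0
        for ts, me in events:
            recent.append((ts, me))
            while recent and ts - recent[0][0] > window:   # drop events outside window
                recent.popleft()
            best = max(best, len({m for _, m in recent}))
        if best >= threshold:
            flagged[src] = best
    return flagged

def constructed_sample():
    """One client refreshing its own status, plus one walking 30 consecutive numbers."""
    t0, lines = datetime(2012, 12, 18, 10, 0, 0), []
    for i in range(30):   # constructed scanner: a new number every second
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f'198.51.100.7 [{ts}] "GET {STATUS_PATH}?cc=43&me={436600000000 + i}&s= HTTP/1.1" 200')
    for i in range(5):    # constructed legitimate client: same number, minutes apart
        ts = (t0 + timedelta(minutes=i)).isoformat()
        lines.append(f'203.0.113.5 [{ts}] "GET {STATUS_PATH}?cc=43&me=436600009999&s=On%20vacation HTTP/1.1" 200')
    return lines
```

Detection is a stopgap; the structural fix is for the server to bind the status update to the authenticated account instead of trusting a client-supplied number.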


Results

Figure: results table for WhatsApp, WowTalk, Viber, Forfone, Tango, EasyTalk, Voypi, eBuddy XMS, HeyTell.


Summary

• Authentication protocols: 6 out of 9 similar applications had the same problems
• Unintended use (reverse hash in Dropbox)
• Trust in client application
• Missing input validation
• Everything you should learn in Security 101

Contact Information

Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar R. Weippl. Dark clouds on the horizon: Using cloud storage as attack vector and online slack space. In USENIX Security, 8 2011.

Markus Huber, Martin Mulazzani, Manuel Leithner, Sebastian Schrittwieser, Gilbert Wondracek, and Edgar R. Weippl. Social snapshots: Digital forensics for online social networks. In Annual Computer Security Applications Conference (ACSAC), 12 2011.

Sebastian Schrittwieser, Peter Fruehwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar R. Weippl. Guess who is texting you? Evaluating the security of smartphone messaging applications. In Network and Distributed System Security Symposium (NDSS 2012), 2 2012.

Edgar Weippl, www.sba-research.org


Friend-in-the-middle (FITM) attacks

Figure: SNS provider, SNS user and friends, with a Friend in the Middle on the social networking session. Steps: sniff active session; cloned HTTP session; extract account content; spam & phishing emails.

• Hijack social networking sessions
• Attack surface: unencrypted WLAN traffic, LAN, router etc.
• User impersonation

Attack scenario

Figure: starting from an attack seed, spam and phishing spread to spammed and phished friends, and from those to their friends, over the 1st, 2nd, 3rd iteration ...


Fast Access to Data