The Hardcore Shit I Hack

www.vantagepoint.sg | office@vantagepoint.sg

1

• Hi everyone my name is Paul Craig.

• My entire career has been hacking.

• Originally from New Zealand

• Stolen three times the net worth of Bill Gates.

• Now I lead the penetration testing team at Vantage Point.

• Boutique Singaporean Security Consultancy

• Strongest technical team in Singapore!

• We have Published Works, Referenced

Research, Accolades, Hall Of Fames, in SG

TV/Radio.

• Hackers who are passionate about hacking.

2

You told me you wanted hard-core hacking…

Today I want to share my most memorable jobs.

• Some are simple, some are hard-core.

• Some are subtle tweaks that produce real money.

• Some just took balls of steel….

3

• We break things at VP.

“We hack everything with a flashing light”

• A level above most “pen-testing” companies.

• We tackle jobs most companies shy away from.

• ATMs, Wireless, Reverse Engineering, Hardware, Software,

Mobile.

• Bleeding Edge technology

• FIPS3 Military compliant solutions.

• Polymorphic, cryptographically secure, virtualized..

I started pen-testing at 22, boy was my job was stressful.

4

For the last three years the client has been developing a new

“secure” banking application.

Development team 10+ years experience.

Developers size me up..

They have spent 3 years making sure I fail today.

I have 1 week to prove myself, win, defeat the product.

No one thinks I will accomplish anything.

5

“If your enemy is secure at all points, be prepared for him.”

First understand implicitly how the technology works.

I go very quiet… and I just play.

Click, Click, Click, Watch.

Commit the technology to memory.

Understand the risk profile.

“what am I not allowed to do”

“what do you care most about?”

Understand the developers and how they work.

6

Hacking gets personal, fast.

• Developer 1 wrote this, Developer 2 wrote that..

• 10 year coding veteran• Old school Java developer• No knowledge of new technology• “Phones call people”

• 3 years professional exp.• Understands modern security

threats.• Lacks experience.

7

• Understand the development style.

• Consistency:

• Does Developer 1 & Developer 2 write code

the same way.

• Work out who wrote what.

• Standardised:

• Do they follow security guidelines ?

• Are these guidelines up to date ?

8

Developers are the key.

People make vulnerabilities, not code.

People are very predictable…

Vulnerabilities occur in knowledge or skill gaps

These gaps often stem from education and culture.

Developers from China make different mistakes to those from India.

Two developers from India make similar mistakes.

Similar education, similar experience, similar mistakes.

9

Knowing is power.

Once you understand

• How the Technology works.

• How the Environment works.

• How the Developers work.

• You can hack anything, really, anything.

10

Mobile Applications• Mobile has changed everything..

• Mobile apps are fundamentally differently to web applications

• Different risks, attack vectors and concerns.

• Web and Mobile may look similar - They are worlds apart.

11

Application Programmable Interfaces (APIs)

• Developers who wrote API’s in the past had more trust in

requests sent from Web Servers.

• The didn’t need to perform much validation or security.

• API’s now communicate directly to phones.

12

Web App Developers are now Mobile Developers

• In 2007, the job title “mobile app developer” didn’t exist. In 2012, there are

approximately 466,000 jobs in the growing “app economy” in the United States

alone.

• Mobile Application Developer Named “Best Computer Job For The Future”

• The job market for mobile application developers is expected to skyrocket by

32% from 2010 through 2020, creating close to 300,000 new positions and

heralding one of the decade’s largest increases for any occupation.

• Web Application developers just started coding Mobile.

• More work, better pay.

• They don’t go back to school to learn Mobile Development.

• Mobile applications are developed like Web Applications.

13

• Testing Mobile Communications.

• VP Laptop creates an access point

• Mobile Device VPN’s to VP laptop via WiFi

• Laptop Bridges WiFi VPN to Eth0

• iptables Pre-Route NAT requests to a Proxy

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j REDIRECT --to-ports 8080 192.168.1.1

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 443 -j REDIRECT --to-ports 8080 192.168.1.1

14

• Developers don’t seem to take Mobile Application security seriously.

• Usernames and Passwords stored in text files (plist)

• Encryption keys kept in local databases

• Hard coded passwords kept in binaries

• Lazy, sloppy, very hackable.

• At best a developer will use the Apple Key-Chain, albeit badly..

CFTypeRef kSecAttrAccessibleWhenUnlocked;

CFTypeRef kSecAttrAccessibleAfterFirstUnlock;

CFTypeRef kSecAttrAccessibleAlways;

CFTypeRef kSecAttrAccessibleWhenUnlockedThisDeviceOnly;

CFTypeRef kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly;

CFTypeRef kSecAttrAccessibleAlwaysThisDeviceOnly;

Most permissive option

The option most developers pick.

15

Developers think you cant change what is on the screen.

• Drop down menu - How many options do you see?

• A: Five? B: One? C: Options? Hackers don’t care about options!

155

158

Change verb to any customer ID- Direct Object Reference- 1-200 = All customers

“Really? Really?? Cant you just play a little hard to get?

138

16

Symmetric vs. Asymmetric Cryptography

• Developers like to use cryptography as a method of

keeping secrets safe.

• Cryptography is often implemented incorrectly.

• Often it’s the only security implemented.

• This developer has made it hard! Encryption!

17

Mobile Technology Supports Asymmetric and Symmetric Cryptography

• When using Symmetric Algorithms, both parties share the same

key for encryption and decryption.

• Asymmetric algorithms use pairs of keys. One is used for

encryption and the other one for decryption.

• Developers in this case used symmetric cryptography.

AES128 Encrypted using CCCrypt and a Preshared key.Thx for the AES Key..

18

Encryption Used Foolishly

/process = Process Payment

• GET /process?=F5D82E4AD10287EF71B27C28D881FEA

GET /process?s=5191&t=2&a=100

• GET /process?=16A5CDE830F0638E530C8912F6231A

• GET /process?= EF5A98230FE152E6348D671A728C0320F

s = UserIDt = Transaction Typea = Amount Transfer

GET /process?s=5190&t=2&a=100.

User 5190 just purchased $100

GET /process?s=5191&t=2&a=-100

User 5191 just purchased -$100 worth..

Double Negative = Positive.. Account credited

Hi Singapore!I'm in your banks, stealing your cash...

谢谢

Paul

19

Mobile API End Points

There is a huge list of crazy things we see:

CreateMoney(“ToAccount”, “Amount”) – You are kidding me right.?.”

• Extra API function left over from the testing period.

• Migrated to production, IM RICH!!!

ExportSales(“AccountID”,”format”)

ExportSales(“00001”,”csv”)

ExportSales(“00002”,”csv”)

ExportSales(“00003”,”csv”) …

ResetPassword(“username”, “newpassword”)

20

You probably know this App!

• Popular apps are still written by developers.

• Developers make the same mistakes, world-wide.

• “Status: Hacked by Vantage Point”

21

• Web Applications

• I have 15+ years of hacking web applications.

• Like Mobile applications the exploits are many.

• Stealing money / access / information

• Web is now mature, most developers know our tricks.

• OWASP, PCIDSS, MAS TRM

• Web applications use to take minutes to hack.

• Now they can take hours, even days in some cases.

22

• Our Setup:

• Web application – Burp - Internet

• Intercept and modify the traffic.

• HSTS: Strict HTTPS Transport Security

• Certificate is not trusted, thou shall not pass!

• No traffic intercept.

23

Install Burp Proxy Certificate in Laptop

• Proxy now Trusted CA

• Now we see data right?

24

End-To-End Encryption for FI’s Part of the MAS TRM is that all FI’s should implement application layer level

end-to-end encryption.5.5.2 E2E encryption is required for online financial services, whether the systems are managed by the FI or outsourced to intra-group

or third party service providers. Sensitive information such as customer PINs and passwords should be protected with E2E encryption.

JavaScript in the browser encrypts all POST values.

Designed for only “Sensitive Information”

Most developers simply encrypt everything.

Using asymmetric encryption (Private / Public Keys)

Another hoop we must jump through 9am Monday morning.

25

They love to make it harder… We must now replace the Public Key during the Crypto Initiation

Decrypt subsequent data with our own matching Private Key

26

Security Stops when Developers Feel Safe.

And we Find Amazing Vulnerabilities!

• Control every aspect of an application.

• Steal billions of dollars!!!

• Thousands of Cross Site Scripting (over 6000)

• Hundreds of SQL Injection (over 200)

• E2E encryption actually lowers the security posture.

27

My most satisfying job was a Web Application.• Insurance company in NZ

• Remote penetration test of the environment

• Discovered the HR/payroll system is exposed

• SQL Injection in the Authentication

• Very simple bug, easily exploited.

• It took seconds.

• Once inside I called the client.

• One problem, he didn’t believe me.

28

Pffttt.. Mobile is not hard core Paul.

I thought you were hard core, wtf do you got?

How about an ATM ?

29

The Job: Test if you can hack an ATM

Attack Vector:• Service maintenance staff install a Trojan on the ATM.

• Attacker gains physical access to the ATM computer & installs Trojan.

• Platform:

• Hardened Windows 7 – already logged on.

• Running full screen ATM Software

• New USB devices disabled

• Running McAfee Solidcore (McAfee Application Control)

30

• File System Filter Driver – Ring 0

• Swin

• All binaries on the system are white-listed

• Once locked down, only white-listed binaries can run.

• Even if you get access to the ATM, you cant run anything.

• You can copy your Trojan to the ATM, you cannot run it.

31

McAfee Task Scheduler.

• C:/users/all users/McAfee/Scheduler

• Scheduling files for automated tasks

• “Run this command”

• “Unlock / Relock the System”

• Custom “INI” Style files.

• Writeable to all users.

32

Mass Pwnage – Hacking Indonesia

• Our Indonesian neighbours need some help

• Engaged to pen-test a local bank in Jakarta

• “Anything goes” Penetration Test.

• Internal / External Network

• Wireless

• ATM’s

• Physical, Social, anything.

33

34

• No firewalls within the network

• Desktop users can talk to anything / everything

• Including other offices, servers, even the ATM’s!

• Windows 2000 and XP still in use.

• Wireless only for executives.

• WEP Security, only accessible from 6th floor.

• Employees relativity annoyed by this

• No reception at the kopitiam!

• Installed their own Access Point with big antenna.

• Soto Betawi & Wireless.

35

• I wanted impact, so we sat outside at the Kopitiam

• Dressed very formally at the road side on the little chairs.

• Everyone stared at us.

• My colleague busted the WEP in minutes.

• We had an Internal IP address

• Nmap for servers, services, devices.

• NBT (NetBios) names began to appear

• MailServer, ProxyServer, ATM21, ATM11..

• “The ATM, we must hack the ATM”

36

• “We are not the first people here.”

• ATM’s were already running Russian Malware

• Sending external information to host in Russia

• Dang, that’s a first….

• We continued hacking for two weeks:

• Domain Administrator

• root@ on all servers (shared SSH keys)

• Payroll, Audit, Commercial Banking, Retail Banking

• All ATM’s

• Routers

• All common passwords on all servers

• “12345password”, ‘bankname’, ‘password’, ‘passw0rd’

37

In Conclusion: We hack way too many things!

• At Vantage Point we live IT Security, it is our passion.

• I could spend hours talking about hacking.

• Its a passion, and we take it very seriously.

• We don’t just run 10 tools and ‘scan’ technology.

• We hack, using the most powerful tool – our minds.

If you also feel the same way, we are always hiring.

paul@vantagepoint.sg

38

Thank you

Paul @ vantagepoint.sg

Are there any questions ?