swiss cheese security or the real challenges faced by
play

Swiss cheese security or the real challenges faced by internet - PowerPoint PPT Presentation

Jan 13, 2024 •193 likes •691 views

Swiss cheese security or the real challenges faced by internet facing companies About me Almost 20 years in information security / hacking OWASP Project leader Latest research interests: Large scale RSA crypto survey

  1. Swiss cheese security or the real challenges faced by internet facing companies

  2. About me ● Almost 20 years in information security / hacking ● OWASP Project leader ● Latest research interests: − Large scale RSA crypto survey − Testing/Crashing version control systems − High precision-low detection network scanning tools − Data analysis and correlation Enrico Branca - 2017 2

  3. mainstream news and cyber security Business leaders see new risks tied to emerging technologies • Cyber crime damage costs to hit $6 trillion annually by 2021 • Cybersecurity spending to exceed $1 trillion from 2017 to 2021 • Cyber crime will more than triple the number of unfilled cybersecurity jobs, which is predicted to reach 3.5 million by 2021 https://www.csoonline.com/article/3153707/security/top-5-cybersecurity-facts-figures-and-statistics-for-2017.html https://www.pwc.com/us/en/cybersecurity/information-security-survey.html Enrico Branca - 2017 3

  4. What industry says about cyber security Raj Samani, CTO EMEA Intel Security said: “To overcome the designs of cyber-criminals, we need to go beyond understanding the threat landscape to changing the defender- attacker dynamic. This means focusing on six key areas: We need to make it harder for hackers to obtain information and more expensive for them to launch an attack. Meanwhile on the corporate side we must improve visibility, better identify exploitation of legitimacy, improve protection for decentralised data, and detect and protect in agentless environments.” https://www.scmagazineuk.com/cyber-security-industry-2017-predictions-reaching-the-tipping-point/article/628904/ Enrico Branca - 2017 4

  5. How can we dispute the claims with a reality check Companies can claim to have team of consultant testing their network and their servers, some may claim to be PCI DSS compliant and that they execute pentests regularly. The only problem with this kind of statements is that tests are defined by a the tested company therefore we have a bias. Companies claiming to be PCI DSS compliant can limit the test to only a portion of the services and still claim all is good. To avoid biases, nothing beats a test executed at random from a random location using well configured tools. Enrico Branca - 2017 5

  6. Before testing As time passes libraries gets updated and to ensure that software that depends on them is operating securely, many functions and protocols related to old and insecure technologies are removed. This is common practice for many software libraries but it is not good for security testing, as we want to see if bad/old stuff are there. From the OpenSSL changelog: • SSLv2 support has been removed. • GOST engine has been removed. • Heartbeat for TLS has been removed. • Remove support for all 40 and 56 bit ciphers. • Disabled compression by default https://www.openssl.org/news/changelog.txt Enrico Branca - 2017 6

  7. Custom libraries To get real statistics data has been collected from 50 million IP at random and from 100 financial institutions. As a client I have used a modified OpenSSL with a custom config. • openssl-chacha : https://github.com/PeterMosmans/openssl Compiled it from source to enable ALL protocols and ALL ciphers. • Standard OpenSSL: ~158 ciphers • Custom OpenSSL: ~ 201 ciphers (+27 %) Without the custom OpenSSL ( like default OpenSSL in KALI linux.. ): • no SSLv2 would have been detected • we would have not been able to connect to ~50.000 servers • we would have missed ~150.000 servers using weak ciphers. Enrico Branca - 2017 7

  8. Test results Rand 50M Bank/Fin. Bank/Fin. IP 2017 2017 2013 Supporting SSLv2 2% 2% 23% Supporting SSLv3 13% 13% 97% Using RC4 ciphers 18% 20% 89% Using weak ciphers 56% 70% 43% POODLE TLS 16% 14% x Padding Oracle (CVE-2016-2107) 4% 2% x Protocol Downgrade 26% 18% 48% TLS Compression / CRIME 9% 2% 30% HTTP Redirect (MITM) 28% 3% 48% PCI DSS (all claim to be ok..) x 21% 13% Enrico Branca - 2017 8

  9. Web encryption with SSL/TLS, defending from unknown attacks From a random test on some financial institutions we can see that not all is good, especially regarding secure communications and client privacy. To better understand the implications related to web encryption we can analyse some of traffic previously collected and look for issues. As usual the problem with encrypted stuff is that people want to break encryption to see what is protected, but what can happen if we ignore that part and we test how encryption is applied? Enrico Branca - 2017 9

  10. What to look for RSA keys can be considered insecure when: - exponent is equal 1 - modulus length in bits is smaller than 1024 - modulus shares a prime with other moduli - modulus is divisible by small primes - modulus is not unique - key (modulus, exponent) is not unique small primes --> first 10.000 prime numbers Enrico Branca - 2017 10

  11. Exponent is equal to 1 No crypto key using RSA algorithm should use exponent 1. Not only is possible to recover the private key, but the encrypted data is equal to the plain text data. If exponent 1 is used, “Ciphertext == Plaintext” Plaintext=[2374623765656] -> Ciphertext=[2374623765656] 73.560.467 keys tested —> found 28 (0.00004 %) Enrico Branca - 2017 11

  12. Modulus shares a prime factor In theory, this should NEVER happen: A key X has a modulus created from prime A and B . A key Y has a modulus created from prime A and C . If any two keys share any prime, the secret private key can be found and regenerated for both. 73.560.467 keys tested —> found 758.912 (1.03 %) Enrico Branca - 2017 12

  13. Modulus is divisible by small primes A modulus should be the product of two large primes. If it can divided by any of the first 10.000 primes (small primes) this suggests the presence of a poorly designed or malfunctioning RSA implementations. 73.560.467 keys tested —> found 9.098 (0.012 %) Enrico Branca - 2017 13

  14. Modulus is not unique No two distinct RSA public keys should have the same modulus, ever. If two or more keys have the same modulus, then they have the same private key therefore both are to be considered insecure. 73.560.467 keys tested —> found 2.530.870 (3.44 %) If any entity becomes aware of the modulus collision then it is possible for them to decrypt the traffic encrypted by all other entities using the same key. Enrico Branca - 2017 14

  15. Key is not unique No two distinct RSA public keys should have the exact same public key, but there are exceptions. It is allowed to "update" certificates by keeping the key (modulus, exponent) and changing metadata. This creates key duplication as keys are reused. 73.560.467 keys tested —> found 25.834.758 (35.12 %) Sites can also use only one key for all their domains, so not all duplicated keys are implicitly bad. Enrico Branca - 2017 15

  16. Key is not unique Attacks: CVE-2016-0800 ( DROWN ), CVE-2016-0703 A server that has SSLv2 enabled and uses a vulnerable version of OpenSSL, can be used to attack all other hostnames that appear in its certificate. Because the security of a server cannot be assessed by just looking at its configuration, we must look for servers that use the same RSA keys and/or certificate hostname ( NOT EASY … https://censys.io/ can help). Enrico Branca - 2017 16

  17. Insecure protocols POODLE attack ( protocol vulnerability ) Problem in CBC encryption scheme as implemented in the SSLv3 protocol. An active MITM attacker can force to downgrade a connection from TLS to SSLv3, which can be exploited. A solution to this problem exists, client and server must both implement the TLS_FALLBACK_SCSV indicator. TLS_FALLBACK_SCSV (RFC 7507): TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks Enrico Branca - 2017 17

  18. Insecure protocols FREAK attack ( downgrade attack ) An active attacker performing MITM can force a downgrade of the connection to 512 bit encryption, by forcing the use of RSA_EXPORT cipher suites (CVE-2015-0204). The intercepted traffic, even if encrypted, can then be analysed to extract the 512 bit key, that once factored will allow the decryption of the encrypted traffic. Software released after mid 2015 “should not” be vulnerable to this form of downgrade attacks. Enrico Branca - 2017 18

  19. TLS Interception It is possible to “legally” intercept SSL/TLS traffic and have a software and/or an appliance act as a valid endpoint. Communication is intercepted, certificate/keys are replaced/swapped, traffic is decrypted for inspection with: • open source tools like “mitmproxy + SSLsplit” • commercial HTTPS middlebox (Cisco, BlueCoat, Fortinet, Symantec, Microsoft, McAfee, etc..) Tools and appliances can use a valid certificate intercept traffic but in MANY cases vulnerabilities are introduced. Enrico Branca - 2017 19

  20. TLS Interception US-CERT, Alert TA17-075A , March 16, 2017 HTTPS Interception Weakens TLS Security • “All systems behind a hypertext transfer protocol secure (HTTPS) interception product are potentially affected.” Research: The Security Impact of HTTPS Interception • “..62% of traffic that traverses a network middlebox has reduced security and 58% of middlebox connections have severe vulnerabilities.” Enrico Branca - 2017 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Swiss-Cheese operad and Drinfeld center Najib Idrissi June 3rd, 2016 @ ETH Zrich Little disks

Swiss-Cheese operad and Drinfeld center Najib Idrissi June 3rd, 2016 @ ETH Zrich Little disks

Little disks and braids The Swiss-Cheese operad Chord diagrams Swiss-Cheese operad and Drinfeld center Najib Idrissi June 3rd, 2016 @ ETH Zrich Little disks and braids The Swiss-Cheese operad Chord diagrams Outline 1 Background: Little

620 views • 51 slides
racial- apartheid Swiss cheese geography of white (and Indian and Indian

racial- apartheid Swiss cheese geography of white (and Indian and Indian

racial- apartheid Swiss cheese geography of white (and Indian and Indian and coloured) areas, with bantustans for rural black Africans class- apartheid Swiss cheese geography of formerly white areas

1.02k views • 55 slides
SEM CH It is true... vs. Emmental is a good cheese. Even the famous holes are attractive. SEM

SEM CH It is true... vs. Emmental is a good cheese. Even the famous holes are attractive. SEM

Gifted Education beyond Swiss Emmental Models? SEM CH It is true... vs. Emmental is a good cheese. Even the famous holes are attractive. SEM US This Swiss cheese is excellent! But the holes themselves are just nothing with something

538 views • 12 slides
Challenges faced by lenders to UK retail property Click here UK retail is going through tough

Challenges faced by lenders to UK retail property Click here UK retail is going through tough

UK RETAIL REAL ESTATE LENDING IN 12 SLIDES Challenges faced by lenders to UK retail property Click here UK retail is going through tough times to read about whether retail real estate is set to turn a corner -9% Overall consumer

458 views • 12 slides
Final Assignment Problem: Cheese Delivery Swiss cities (the Chosen Cities ) with access to the

Final Assignment Problem: Cheese Delivery Swiss cities (the Chosen Cities ) with access to the

Hands-on Tutorial on Optimization F. Eberle, R. Hoeksma, and N. Megow September 27, 2019 Final Assignment Problem: Cheese Delivery Swiss cities (the Chosen Cities ) with access to the K aMaPis Restaurant locations in each city

561 views • 7 slides
THE SWISS CHEESE EFFECT OR RISK MANAGEMENT Lynn Randall Clinical Risk & Quality

THE SWISS CHEESE EFFECT OR RISK MANAGEMENT Lynn Randall Clinical Risk & Quality

THE SWISS CHEESE EFFECT OR RISK MANAGEMENT Lynn Randall Clinical Risk & Quality Co-ordinator Childrens Hospital University Hospitals of Leicester NHS Trust Where do we find risks? Risks are all around, but often we fail to

488 views • 31 slides
Swiss-Cheese action on the totalization of operads under the monoid actions operad Julien

Swiss-Cheese action on the totalization of operads under the monoid actions operad Julien

Bimodules and Ibimodules Model Structures Main result and applications Swiss-Cheese action on the totalization of operads under the monoid actions operad Julien Ducoulombier Universit e paris 13 22/01/2015 Bimodules and Ibimodules Model

1.43k views • 115 slides
Swiss-Cheese action on the totalization of operads under the monoid actions operad Julien

Swiss-Cheese action on the totalization of operads under the monoid actions operad Julien

Bimodules and Ibimodules Model Structures Main result and applications Swiss-Cheese action on the totalization of operads under the monoid actions operad Julien Ducoulombier Universit e paris 13 23/04/2015 Bimodules and Ibimodules Model

1.38k views • 127 slides
Real Vegan Cheese Team SF BAY AREA DIY BIO A project by Biohackers from Counter Culture Labs and

Real Vegan Cheese Team SF BAY AREA DIY BIO A project by Biohackers from Counter Culture Labs and

Real Vegan Cheese Team SF BAY AREA DIY BIO A project by Biohackers from Counter Culture Labs and BioCurious The Team S Process e a We can make cheese from *any* sequenced mammal! r c h f o r g e n e s Synthesize DNA o f No

359 views • 32 slides
HISTORY OF CHEESE Presentation by Marci Richards February 2019 Did cheese exist before humans

HISTORY OF CHEESE Presentation by Marci Richards February 2019 Did cheese exist before humans

HISTORY OF CHEESE Presentation by Marci Richards February 2019 Did cheese exist before humans started making it? Yes, indeed it existed, infant mammal is a ready-made cheese factory, with everything, needed to make cheese. The production of

525 views • 35 slides
Sniff the Cheese Jim Hornell March 1, 2013 Handwriting on the wall They keep moving the

Sniff the Cheese Jim Hornell March 1, 2013 Handwriting on the wall They keep moving the

Sniff the Cheese Jim Hornell March 1, 2013 Handwriting on the wall They keep moving the cheese Get ready for the cheese to move Smell the cheese often so you know if it is getting old Quicker you let go of old cheese, the sooner

750 views • 45 slides
Cheese in Denmark NordOst NordOst Copenhagen Copenhagen 3000 BC: Acid cheese production may

Cheese in Denmark NordOst NordOst Copenhagen Copenhagen 3000 BC: Acid cheese production may

Cheese history of Denmark Cheese in Denmark NordOst NordOst Copenhagen Copenhagen 3000 BC: Acid cheese production may have started with framing 7-8/11 2005 7-8/11 2005 500 - 1100: The Vikings made rennet cheese; exported and imported

167 views • 4 slides
Ariza , The Artisan Taste Of Mexico since 1970.. History of Ariza Cheese Company. Since 1972,

Ariza , The Artisan Taste Of Mexico since 1970.. History of Ariza Cheese Company. Since 1972,

Ariza , The Artisan Taste Of Mexico since 1970.. History of Ariza Cheese Company. Since 1972, Ariza Cheese Company has been producing Mexican cheese with a taste so real you'll believe your in Mexico. From Old family recipes handed down from

157 views • 5 slides
2015 Regional challenges call for Regional solutions 2015: The Mediterranean faced

2015 Regional challenges call for Regional solutions 2015: The Mediterranean faced

2015 Regional challenges call for Regional solutions 2015: The Mediterranean faced challenges on an unprecedented scale. Those challenges have underlined the need for a reinforced regional framework. Revised ENP (18 November & EU

376 views • 22 slides
Challenges faced by operators in Humanitarian Aviation Operation 1 2 Remote locations

Challenges faced by operators in Humanitarian Aviation Operation 1 2 Remote locations

Challenges faced by operators in Humanitarian Aviation Operation 1 2 Remote locations RWY incursions RWY condition RWY excursions Maintenance facilities Quick senior management risk demonstration SAR resources Crew

593 views • 31 slides
Energy challenges faced by the vulnerable Energy challenges faced by the vulnerable communities

Energy challenges faced by the vulnerable Energy challenges faced by the vulnerable communities

Energy challenges faced by the vulnerable Energy challenges faced by the vulnerable communities in the new unified eThekwini communities in the new unified eThekwini Municipality Municipality - Ntokozo Mthembu Ntokozo Mthembu -

520 views • 23 slides
The Tor Project, Inc. Our mission is to be the global resource for technology, advocacy, research

The Tor Project, Inc. Our mission is to be the global resource for technology, advocacy, research

The Tor Project, Inc. Our mission is to be the global resource for technology, advocacy, research and education in the ongoing pursuit of freedom of speech, privacy rights online, and censorship circumvention. 1 Alice makes a session key with

741 views • 37 slides
Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno

Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno

Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno Direct-to-Consumer (DTC) Genetic Testing and Analysis DTC Testing Company Genetic Interpretation 23andMe Health, Ethnicity, Relative Prediction,

620 views • 34 slides
CSE 127: Introduction to Security Lecture 17: Privacy and Anonymity Nadia Heninger and Deian

CSE 127: Introduction to Security Lecture 17: Privacy and Anonymity Nadia Heninger and Deian

CSE 127: Introduction to Security Lecture 17: Privacy and Anonymity Nadia Heninger and Deian Stefan UCSD Fall 2019 Lecture outline Foundations of privacy Historical and current crypto wars in the US Privacy-enhancing

611 views • 50 slides
ReAssert: Suggesting Repairs for Broken Unit Tests Brett Daniel Tihomir Gvero Danny Dig Vilas

ReAssert: Suggesting Repairs for Broken Unit Tests Brett Daniel Tihomir Gvero Danny Dig Vilas

ReAssert: Suggesting Repairs for Broken Unit Tests Brett Daniel Tihomir Gvero Danny Dig Vilas Jagannath Darko Marinov IBM Research Almaden. San Jose, CA. August 10, 2010 Google. Mountain View, CA. August 11, 2010 Passing Unit Tests

702 views • 58 slides
Whistle-Blowing 1 Whistleblowing Disclosure, using other than approved organizational

Whistle-Blowing 1 Whistleblowing Disclosure, using other than approved organizational

Whistle-Blowing 1 Whistleblowing Disclosure, using other than approved organizational channels, of wrongdoing to someone in a position to take action. disclosure: information intentionally conveyed channels: chain of command,

429 views • 12 slides
DELEGA TE TEE : Brokered Delegation DELE Using Trusted Execution Environments Sinisa Matetic and

DELEGA TE TEE : Brokered Delegation DELE Using Trusted Execution Environments Sinisa Matetic and

DELEGA TE TEE : Brokered Delegation DELE Using Trusted Execution Environments Sinisa Matetic and Moritz Schneider, ETH Zurich ; Andrew Miller, UIUC ; Ari Juels, Cornell Tech ; Srdjan Capkun, ETH Zurich CSC 6991 Presented by: Shikha Sikligar

596 views • 18 slides
Anonymous Personalization Without Leaving Drupal by Mike Lander Michael Lander Technical

Anonymous Personalization Without Leaving Drupal by Mike Lander Michael Lander Technical

DrupalCon Seattle 2019 Anonymous Personalization Without Leaving Drupal by Mike Lander Michael Lander Technical Director @ Elevated Third D.O.: @michaellander Twitter: @MikeLand3r Drupal Slack: @michaellander What is personalization?

458 views • 32 slides
Drug Testing and Marijuana in the New England Workplace Presented by: Charlie Einsiedler and

Drug Testing and Marijuana in the New England Workplace Presented by: Charlie Einsiedler and

Drug Testing and Marijuana in the New England Workplace Presented by: Charlie Einsiedler and Dan Strader October 11, 2018 Overview of Presentation What laws apply in each state? May employers prohibit use in and/ or outside

659 views • 41 slides

More recommend