
Review and video of the information security talks from the SECR-2014 conference

Last year, at the SECR-2014 conference (Software Engineering Conference Russia), there were 140 talks across all areas of software engineering: from computer science to modern IT management, from the subtleties of Linux driver verification to business analysis and even legal issues. There was also a track of information security talks.

I filmed and published the videos, and now, in the quiet summer season, I offer my brief overview of the SECR talks on various aspects of information security, from both industry experts and university researchers. I would be glad if this motivates you to watch and comment, or even to speak at the conference this year.





“Mobile banking - theft over the air”


Slides, additional materials, contacts for the talk “Mobile banking - theft over the air”
A new independent study of the security of mobile banking applications for two platforms (iOS and Android), covering about 120 applications from more than 70 banks, will be presented.

The focus of the study is a class of vulnerability whose exploitation can lead to a Man-in-the-Middle (MitM) attack and the theft of funds from customer accounts.
There was a time when only unimportant micropayments passed through mobile phones; now there is plenty of money in mobile banking, the vulnerability can cost the client their account and the bank its reputation, and from the point of view of the Central Bank, a client-bank system on a mobile phone with an application is the same thing as any other.

The speaker’s team focused exclusively on the man-in-the-middle attack, because in mobile banking nobody runs a shielded cable through a gas pipeline, and faking a WiFi access point is easy. It is a little harder, but more than realistic (for about $3000 of hardware), to fake even a base station. Not to mention infected corporate networks, where DNS settings are changed and all traffic can leak to the outside.

They looked at more than a hundred applications for iOS and Android (Windows Phone and BlackBerry were set aside for now) and dug into one point: the security of the transport layer, the correctness of SSL certificate checking, and the absence of SSL pinning. And the things they saw there.

And, fortunately, a dying-out set of home-made products: self-written encryption on XORs, etc. And trendy multiplatform frameworks (Titanium, Apache Cordova) that ease cross-platform development but, because of their bulk, are inevitably full of holes, at the level of “does not check the SSL certificate”.

And we must remember the legitimate backdoors built into every browser and phone: a couple of hundred completely unnecessary root certificates (including certificates of foreign governments), which, by the way, cannot be removed in iOS, while a “fake” one can be added by elementary social engineering.

The pains of development for banks by external teams lead to a bunch of architectural stubs and mocks, unnecessary debugging information... all of which, of course, ends up in production. As a result, FakeSSLCheck classes are live in the application, and on a crash a gigabyte stack trace falls out with the full structure of the bank’s internal system...

In short, they reliably broke a quarter of the Android applications and almost every fifth iOS one.
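The weak setting beside the corrected one, as an added example that is not from the talk or the study: the first context is what a “FakeSSLCheck” class effectively does, the second is full chain and hostname validation, and the pin check on top of it is what makes the hundreds of unrelated roots in the device store irrelevant. The pin value is constructed for this example; `connect_pinned` is the assumed wrapper a client would call.

```python
import hashlib
import socket
import ssl

# Pin set an app would ship: SHA-256 over the DER-encoded leaf certificate.
# Constructed value for this example; a real app pins the bank's actual certificate.
PINNED_LEAF_SHA256 = {hashlib.sha256(b"constructed-der-leaf-certificate").hexdigest()}


def insecure_context() -> ssl.SSLContext:
    """What a 'FakeSSLCheck' amounts to: any certificate from anyone is accepted,
    so a fake WiFi point or base station can terminate the TLS session itself."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be switched off before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain validation against the platform trust store plus hostname matching."""
    return ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True


def leaf_is_pinned(der_leaf: bytes, pins=PINNED_LEAF_SHA256) -> bool:
    """Pinning: even a chain that validates is rejected unless the leaf is one we know,
    so a certificate issued by any of the other roots in the store buys an attacker nothing."""
    return hashlib.sha256(der_leaf).hexdigest() in pins


def connect_pinned(host: str, port: int = 443, pins=PINNED_LEAF_SHA256) -> bytes:
    """Open a TLS connection, enforce the pin, and return the peer's DER certificate."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not leaf_is_pinned(der, pins):
                raise ssl.SSLCertVerificationError("server certificate does not match pin set")
            return der
```

Pins need a rotation plan (ship the next certificate's pin before it goes live), otherwise a routine certificate renewal locks every client out.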

What to do? Two-factor identification is not a panacea either, because both confirmation channels are often intercepted. Biometrics are still bad: the speaker’s team broke some showy systems at the architecture level without even reaching the verification algorithms, and where they did reach them, the level of “biometric resolution” was still completely nonexistent, so a handwritten-signature (graphological) checking system was completely broken by producing a universal signature...

Watch the talk; at the end there are recommendations on “what to do”, so that it is not just “how terrible it is to live”.

"End-to-end security process integrated into the software development life cycle"


Slides, additional materials, contacts for the talk “End-to-end security process integrated into the software development life cycle”
The talk describes an approach to ensuring application security at EE, the UK’s largest telecommunications operator.

It discusses the key aspects of the end-to-end security process, covering the full development cycle, and its advantages over the more common practice of “security testing”.

Compromises that reduce the cost of such a process to an acceptable level are discussed.
A security department that is engaged not only in polishing telecom products before a PCI DSS audit, but is also, in the opinion of the auditors, the most successful and useful of such departments in Europe. All this in the large telecom EE, the fruit of the recent merger of the better-known T-Mobile and Orange.

Best practices, most of which boil down to the fairly trivial mantra heard everywhere, that “application security is first of all a process”, but the details are not without interest.

Tight integration with the full development cycle. There is not only a pre-release security audit, but even “it is necessary to change not only the design, but also the initial business requirements”. An end-to-end process starting from the business requirements, manual and semi-automatic analysis, positional battles for security with contract managers (fortunately, there are none).

For, as in a truly British company, only the management is British. Both development and security auditing are entirely outsourced or offshored. And if in the case of products it is outsourcing (“buying a product”), where managers can indeed try to skimp on security in favour of deadlines and functionality, the security team is offshoring (“buying people”), because here long and close relationships with specific people are needed. And given that the security team is half made up of Russian and Chinese experts, this cuts both ways. On the one hand, it is off-putting for political reasons (“Russia, China? Enemies! Hackers!”); on the other hand, it is a clear-eyed calculation, because Europeans have no residence registration and all that, and nothing prevents them from suddenly walking off with secrets, while in countries with elements of totalitarian control (passports, registration) it is much safer to build long-term relationships with employees.

So in general all this seems to be both beneficial and effective. Of course, it is very difficult to measure the effectiveness of non-functional departments, especially those where risk assessment plays with huge sums and unpredictable probabilities (the speaker mentioned the St. Petersburg paradox). But in brief: it is cheaper than functional testing, releases are not slowed down, the package of services includes a report with recommendations, training, process setup, OWASP recommendations... and in general it is arranged so that any certification is obtained “as a by-product” of real project work. There is no need to starve, either: telecoms allocate a significant budget, and through internal cost accounting it all flows to the security team, whose task is to achieve the maximum for the allocated money.

And in general the position of the security staff is excellent: they are not responsible for the final security, do not block releases (even with critical vulnerabilities a release is possible if the risk management team, or someone higher up, takes responsibility), and do not put out fires during security screw-ups (there are separate people for that, and there are screw-ups: I just googled and immediately got [1]). That is, like lazy QA, the same mantra “we are not responsible for quality/security, we only examine it”, and I am even reminded of “The Office” with “how do I do it? I’m a professional, I work with these damn people!”

Well, of course, there is real work: HP Fortify is used deeply in the team, with a custom base of rules and settings; the vendor’s review is “one of the last places in the world where they can configure Fortify rules”, and moreover some experts grew up there and moved to the Fortify team. And by the way, the speaker strongly warned against using the cloud service Fortify on Demand: “this is work for extremely incompetent people in the Philippines”.

In general, the speaker’s position is positive and convincing: “it works, even if you do not believe it”, although he honestly admitted that they have a developer who, at certification time, is better kept on sick leave so that he does not wreck everything with his pessimism.

Of course, at the end they complained that it is hard to find good specialists, because what is really needed is experienced architects who, for some reason, suddenly decided to take up programming.




"Technology of virtualization of hardware security modules in Linux containers"


Slides, additional materials, contacts for the talk "Technology of virtualization of hardware security modules in Linux containers"
The talk describes a technology for building a virtual security module based on the use of Linux containers. This solution may be interesting to those who are planning or already using cloud services to build their IT infrastructure.
Leaving aside the standard words about the importance of security and the horror stories of hacks and leaks, the idea is as follows: there is a virtualization trend, everything will live in containers, and all that.

Let's accept the hypothesis of the existence of one-way functions and of an unbreakable host machine, shove all the cryptography into a separate container, make a special bus, keep the API as compatible as possible, and so on. PROFIT.

An academic proof of concept was built on OpenVZ containers, and even the performance under load was measured: not quite bad (middling, but on a logarithmic scale). Scalability is not OK at all. Whether it will fly, who knows; the project page itself, alas, has long been without movement.

“Developing a protocol with a hopping IP address”


Slides, additional materials, contacts for the talk “Developing a protocol with a hopping IP address”
DDoS attacks remain one of the main threats to Internet servers. The talk proposes a software solution that increases the resistance of servers to DDoS attacks and traffic interception, based on a pseudo-random change of the protected server's real IP address to addresses from a large set of IP addresses.
The good old problem of DDoS attacks, to which, according to the author, the backbone providers are for some reason indifferent, and it is proposed to solve it not with filtering super-processors such as Tilera, but by a purely software method.

In a nutshell, this is a development of the classical "frequency hopping" paradigm, invented during WWII by a certain actress of erotic scenes (ed.). Only here it is a kind of super-masquerading with an individual IP address for each packet of each client session (!).

That is, DNS redirects all requests to some entry "authorization server", which operates a healthy pool of IP addresses and changes them over time according to tricky rules. The client machines must also run special software that can play these games and switch everything synchronously.

So far all this has been implemented only for the TCP protocol, by adding a netfilter kernel module.
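The hopping scheme as an added model, not the talk's code: a per-session key shared at the authorization step lets client and server derive the same pseudo-random destination address for every packet number, and the server-side filter (the part the talk puts in netfilter) counts a packet only if it hit the address scheduled for its sequence number. The HMAC-based hop rule, the address pool and the `window` replay tolerance are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress

# Constructed pool (TEST-NET-3 documentation range) standing in for the
# "healthy pool of IP addresses" the authorization server owns: 254 hosts.
POOL = [str(ip) for ip in ipaddress.ip_network("203.0.113.0/24").hosts()]

def hop_address(session_key: bytes, session_id: int, seq: int, pool=POOL) -> str:
    """Address that packet `seq` of a session must be sent to. Both sides derive it
    from a shared per-session key (hypothetical HMAC rule, not the talk's own)."""
    msg = session_id.to_bytes(8, "big") + seq.to_bytes(8, "big")
    digest = hmac.new(session_key, msg, hashlib.sha256).digest()
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]

class HoppingServer:
    """Filter in front of the protected server: a packet counts only if it hit the address scheduled for (session, seq)."""
    def __init__(self, master_key: bytes, pool=POOL, window: int = 2):
        self.master_key, self.pool, self.window = master_key, pool, window
        self.next_seq = {}  # session_id -> lowest sequence number still acceptable

    def session_key(self, session_id: int) -> bytes:
        return hmac.new(self.master_key, session_id.to_bytes(8, "big"), hashlib.sha256).digest()

    def open_session(self, session_id: int) -> bytes:
        """Authorization step: hand the client its session key (assumed to travel
        over a separately authenticated channel)."""
        self.next_seq[session_id] = 0
        return self.session_key(session_id)

    def accept(self, dst_ip: str, session_id: int, seq: int) -> bool:
        lo = self.next_seq.get(session_id)
        if lo is None or not lo <= seq < lo + self.window:  # unknown session, replay or too far ahead
            return False
        expected = hop_address(self.session_key(session_id), session_id, seq, self.pool)
        if not hmac.compare_digest(expected, dst_ip):
            return False
        self.next_seq[session_id] = seq + 1  # slide the window: a replay of this seq is refused
        return True

class HoppingClient:
    def __init__(self, session_id: int, session_key: bytes, pool=POOL):
        self.session_id, self.key, self.pool, self.seq = session_id, session_key, pool, 0

    def next_packet(self):
        # (dst_ip, session_id, seq) for the next packet; the counter advances per packet
        pkt = (hop_address(self.key, self.session_id, self.seq, self.pool), self.session_id, self.seq)
        self.seq += 1
        return pkt

def run_demo():
    server = HoppingServer(master_key=b"constructed-master-key")
    client = HoppingClient(42, server.open_session(42))
    packets = [client.next_packet() for _ in range(5)]
    legit = sum(server.accept(*p) for p in packets)  # every packet hit its scheduled address
    replay = server.accept(*packets[0])               # sequence 0 already consumed
    # Flood at one fixed address, guessing sequence numbers without the session key:
    # each guess has a 1/len(POOL) chance and the window does not slide past a miss.
    flood = sum(server.accept(POOL[0], 42, s) for s in range(5, 50))
    return {"legit": legit, "replay": replay, "flood": flood}
```

Note what the model leaves open: the pool's addresses must all be routed to the filter, and any client that loses sequence sync (packet loss beyond `window`) has to re-authorize.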

The heap of minuses of this approach is also obvious: Perhaps, of course, you will find other arguments for or against.

"DIY programming and fraud protection"


Slides, additional materials, contacts for the talk "DIY programming and fraud protection"
The talk will cover our experience of using BRE (business rules engine) systems, a way to let non-developers write code and, if necessary, quickly change the application logic.

Using the example of one component of the fraud monitoring system, we will consider the specifics of the development, the advantages of this approach, the problems encountered, and the important points to consider during implementation.
Although the title of the talk sounds hacker-ish, here DIY is "Do It Yourself", and the antifraud... but in fact it is more about the architecture and processes at Yandex.Money.

The bottom line is that fraud schemes are replicated quickly and must be extinguished and countered in a matter of hours; if all business processes were hard-coded, then even with agile, by the end of the iteration everyone would have… Of course, you need to use a BRE (Business Rule Engine), that is, separately isolated high-level business logic running on top of a competent architecture with a dedicated domain model.

The rules should be written in human-readable high-level languages such as Drools (WebRule, BizTalk); you need to log everything and accumulate big data of knowledge in a special non-relational store for fast access.

But in any case, code is code, and again for this “high-level programming” there are the problems of review, testing, ... and part of the testing, however scary it sounds, again happens on live users, that is, gradual rollout with A/B testing... I did not think that even in payment services they do this.

Quoting the speaker: “Many, many straws that need to be spread on all sides” (c).

"Self-healing systems"


Slides, additional materials, contacts for the talk "Self-healing systems"
Original video "Self-healing Systems" in English


The use of computing systems in every aspect of our daily life raises a number of problems for software engineering. In particular, one of the most important requirements for today's systems is high availability, despite the danger of faults, attacks, and changing environments. To solve these problems we must be able to build systems that take more control of their own reliability, security and usefulness, automating tasks that currently lead to system failures and require the attention of experts and administrators. This leads to the emergence of new areas in software design and development, including Autonomic Computing, Self-healing Systems, and Self-Adaptive Systems.

In this talk I describe the latest achievements in this area, which allow us to solve a number of engineering problems, including:
  • (a) the ability to support self-healing through architectural models and recovery automation;
  • (b) new fault diagnosis technologies during application operation and the creation of control systems;
  • (c) support for self-securing systems.
This is not about the arms race with hackers, but about “availability”, a frequently forgotten component of information security. Indeed, what difference does it make whether the system falls under a hacker's DDoS or under the Christmas / Habr / Reddit effect? Information systems need to be designed so that deviations in operating conditions or unlikely black swans cannot switch them off. In general: "stop thinking about hackers, think about your own IT specialists."

Fairly obvious observations that modern highload architecture is all about duplication and availability at any cost (examples: Google File System, IBM MAPE-K), and enterprise technologies with microservice architecture are heading there too.

The speaker also promoted a certain range of models and formalisms for adaptive recovery, with a fairly trivially clear architecture: a separate control loop and a Plan-Do-Check-Act style Monitor-Analyze-Plan-Execute strategy; at a more detailed level this all broke down into separate processes of model and adaptation management, strategy execution, architecture evaluation... (collectively this was called the Rainbow architecture).

There is a specialized domain-specific language, Stitch, for specifying randomized adaptation strategies, and a clever system of “spectrum-based fault localization”... and all this was even tested on Samsung production control systems.




"Intentional Security"


Slides, additional materials, contacts for the talk “Intentional Security”
Original video "Security by design" in English


Security requirements and trends in the design and development of software, including at the corporate level. How can we achieve the security and resilience of IT systems and services in our organizations?

What we want:
  • The point of view of the client and the user - can we create secure software with “foolproof”?
  • Do modern requirements and security standards help or do they only create a new type of vulnerability common to all software?
How can we achieve this:
  • How to develop secure software - design principles, special utilities, security testing?
  • What key security-related skills should be required from the development team?
  • What to do with the influx of “big data” in cyber security - to combine and respond to information from many sources about attacks and threats?
How much:
  • How much does security cost, and how to make its cost affordable and controllable?
  • Comparing the price of prevention with the price of rectification
The format is a "discussion panel": a somewhat messy discussion among four English-speaking speakers, with questions from the floor.

Software has eaten the whole world; are we safe? Is security something that gets attention only after functional requirements and usability? How to calculate the balance between security and usability?

Yes, this whole area of information security is full of “black swans” with low probabilities and dire consequences, which is hard to count honestly. Everything there is counterintuitive; there is no way to explain to ordinary employees the value of regulations written in blood, or to management the value of investments in security, especially if management is purely efficiency-driven and does not know the fundamentals of the theorem.

What to do with legacy systems, in which it is difficult to bolt on security without changing a little more than everything? "Digital security... it is often invisible; you don't see this gopher, this danger, but it is there...

The author of the talk on adaptive systems promoted his ideas about the lesser vulnerability of dynamic systems, reaching, however, the rather strange idea that multi-stack applications (implemented, say, both under Linux and under Windows and under ..., and running in parallel) are less vulnerable. From the point of view of reliability that may be so, but there will obviously be proportionally more vulnerabilities here, unless you are thinking of “security by obscurity and insanity”. There were other stubborn ideas, for example “attacking viruses”.

The endless security race was discussed a lot, from “how much does it cost to add a nine to reliability?” to “and maybe you just need to outspend your neighbour?” (in the spirit of the international anecdote “I do not need to run faster than the tiger...”).
Feedback and comments are welcome; I hope you either find something useful in the talks, or, if you think this is not great, then you are clearly ripe to give a talk yourself: please register.

A professional from industry, a researcher from a university, a gloomy Turing from an underground data center: the conference is waiting for you.

Yes, the official deadlines have passed, but in my experience on the Program Committee, if you have something to say, a talk on a strong topic will have time to pass review.

Source: https://habr.com/ru/post/263591/

