In the world of DevOps and the cloud, most developers have to learn new technologies and methodologies. The focus tends to be on adding capabilities such as resilience and scaling to an application. One critical aspect consistently overlooked is security. In this session, learn about a few of the simple actions you can take (and some behaviours you must change) to create a more secure Java application for the cloud. The world of the cybercriminal is closer than you realize. Hear how at risk your application may be, see practical examples of how you can inadvertently leave the doors open, and understand what you can do to make your Java solution more secure.
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
How Developers Can Start Defending Against Cybercrime
1. Cybercrime and the Developer: How to Start Defending against the Dark Side
Code Europe 2017
2. About me
Steve Poole
IBM Lead Engineer /
Developer advocate
@spoole167 Making Java Real Since Version 0.9
Open Source Advocate
DevOps Practitioner (whatever that means!)
Driving Change
3. Outline
Cybercrime realities
Our perception, The bitter truth & why the future looks bleak
How our behavior makes cybercrime even easier
How we perceive ourselves and how we act
Vulnerabilities
The ammunition of choice: Hardware & Software
Why talking about vulnerabilities is good and bad
What can we do better
Changing behavior, Architecture and systems, Coding and developing
Summary
The situation is going to get worse before it gets better
We as a community need to take this seriously
Next steps. Education, risk assessment and active defense
4. Take away one thing
As a developer, security is your problem
5. This talk
• I’m a developer – not a security expert.
• Arose because of “compliance”: what does that mean? How do I find out more?
• Arose because I didn’t understand what the fuss was all about
• Arose because giving uneducated developers access to cloud resources generally has
unfortunate consequences
• Is about how and why we need to behave differently.
• Here’s what I’ve learnt so far…
6. Do you know how strong your system is?
13. Dear Winner,
This is to inform you that you have been selected for a prize of a brand
new 2016 Model BMW Hydrogen 7 Series Car, a Check of $500,000.00
USD and an Apple laptop from the international balloting programs
held on the 27th, section of the 2016 annual award promo in the
UNITED STATE OF AMERICA.
Think you’re too smart to be suckered?
15. “Organized Cybercrime is the most profitable type of crime”
• In 2016 Cybercrime was estimated to be worth 445 Billion Dollars a Year
• In 2013 the United Nations Office on Drugs and Crime (UNODC) estimated
globally the illicit drug trade was worth 435 Billion Dollars
• Guess which one has the least risk to the criminal?
• Guess which is growing the fastest?
• Guess which one is the hardest to prosecute?
• Guess which one is predicted to reach 2100 Billion Dollars by 2019?
18. WannaCry
• Friday, 12 May 2017
• Has infected 250K computers in 150+ countries
• It encrypts data and holds it for ransom
• The computer owner has a limited time to pay (in bitcoin) about $500
• So far the bitcoin owners have received about 50 bitcoins ~= $85K ($3/infected machine)
UK: National Health Service impacted:
India: All ATMs closed
Nissan: Halted all production
Renault: Halted some production
https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
Think how much disruption was caused for $85K
What about the other $449,915,000?
19. So who are the bad guys?
https://www.flickr.com/photos/monsieurlui/
20. A mirror of you?
• Organized and methodical
• organized like startup companies.
• “employ” highly experienced developers with deep knowledge
• Constantly innovating malware, seeking out vulnerabilities
• Sharing what they find with each other (for $ of course)
• Goal focused
• the average age of a cybercriminal is 35 years old.
21. Already into crime
• Commissioner of the City of London Police:
• “We estimate that around 25 per cent of the organized crime groups in this country are now involved in financial crime in one shape or another…”
• University of Cambridge:
• 60% of cyber-criminals had criminal records which were completely unrelated to cyber-crime
• “those traditional offenders are changing their behavior and moving to the internet”.
Cybercriminals mostly get caught for something other than cybercrime
22. What data are they after?
• Moving beyond credit card numbers
• Long term identity theft
• Medical data, Sensitive Personal Information, insurance information, Social Security numbers
• Information that gives insight into behavior
• Information that give access
Quiet and repeated Infiltration
Ransomware instead of cyber-graffiti
All personal data is useful and worth $$$
http://www.darkreading.com/attacks-breaches/stolen-health-record-databases-sell-for-$500000-in-the-deep-web/d/d-id/1328225?
23. They want facts about you and colleagues
• Any piece of personal information about YOU is useful. It gets sold on and somewhere someone brings it all together.
• Can I connect your email address to your date of birth?
• Can I find out where you live?
• Can I find out who you work for?
• Can I find out what you think about your boss?
• Can I find out what sites you’ve visited?
• The more I know about you – the more I can refine the attack.
• The more I know about you – the more $$ I can make
• And attacks are more than “technical”
25. DEAR SIR/MA'AM.
YOUR ATM CARD OF $10.5MILLION DOLLARS WAS RETURNED TODAY BY OUR COURIER
DELIVERY COMPANY, AND WE ARE GOING TO CANCEL THE ATM CARD IF YOU FAILS TO
ACKNOWLEDGE THIS MESSAGE, WE SHALL ALSO ASSUME THAT WHAT OUR COURIER
DELIVERY COMPANY TOLD US IS NOTHING BUT THE TRUTH THAT YOU DON'T NEED YOUR
ATM CARD OF $10.5 MILLION DOLLARS ANY LONGER.
DO ACKNOWLEDGE THIS MESSAGE AS SOON AS POSSIBLE.
YOURS FAITHFULLY.
YOURS SINCERELY,
MR MARK WRIGHT,
DIRECTOR FOREIGN REMITTANCE
ATM CARD SWIFT PAYMENT DEPARTMENT
ZENITH BANK OF NIGERIA.
26. Federal Bureau of Investigation (FBI)
Anti-Terrorist And Monitory Crime Division.
Federal Bureau Of Investigation.
J.Edgar.Hoover Building Washington Dc
Customers Service Hours / Monday To Saturday
Office Hours Monday To Saturday:
Dear Beneficiary,
Series of meetings have been held over the past 7 months with the secretary general of
the United Nations Organization. This ended 3 days ago. It is obvious that you have not
received your fund which is to the tune of $16.5million due to past corrupt Governmental
Officials who almost held the fund to themselves for their selfish reason and some
individuals who have taken advantage of your fund all in an attempt to swindle your fund
which has led to so many losses from your end and unnecessary delay in the receipt of
your fund.for more information do get back to us.
….
Upon receipt of payment the delivery officer will ensure that your package is sent within
24 working hours.
27. From <your boss>
I’ve spoken to the Italians and they will send us the goods if we pay
$3M immediately. Details below.
I’m off to the golf course – no distractions -period.
28. An email from an international transport company urging recipients to open a waybill in a zip
(The zip content launches a downloader)
The targets are busy and not IT savvy. The criminals are IT savvy and industry savvy
☹️ ☹️
29. Phishing -> Spear Phishing -> Personalised Attacks
The move is towards more organised and long term attacks that are hidden from view.
Think about this – when you’re trawling the net for gullible people you set the bar low.
With personalised attacks you invest more and make it compelling.
Your victims’ views on Facebook about their boss, how busy they are, important deals coming up. It all helps to craft that million dollar scam…
30. Who’s being targeted?
• Middle level executives – afraid of their bosses?
• New joiners – easy to make a mistake?
• Busy and harassed key individuals – too busy to take time to consider?
• Disgruntled employees – want to hurt the company? Make some $?
• And Developers – the golden goose.
The bad guys prey on the weak, vulnerable and ignorant
31. Developers – why?
We know the inside story
We write the code
We have elevated privileges
We are over trusting
We use other people’s code and tools without inspection
We are ignorant of security matters
The bad guys prey on the weak, vulnerable and ignorant
32. Don’t agree?
“The bad guys prey on the weak, vulnerable and ignorant”
That’s you
33. Ever googled for:
“very trusting trust manager”
“Getting Java to accept all certs over HTTPS”
“How to Trust Any SSL Certificate”
“Disable Certificate Validation in Java”
34. Ever written something like this?

import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// The "trust everything" manager: every method that should validate the chain is a no-op
TrustManager[] trustAllCerts = new TrustManager[] {
    new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            return null;   // no trust anchors at all
        }
        public void checkClientTrusted(X509Certificate[] certs, String authType) {
            // no check: any client certificate is accepted
        }
        public void checkServerTrusted(X509Certificate[] certs, String authType) {
            // no check: any server certificate is accepted, including one presented by a MITM
        }
        public boolean isClientTrusted(X509Certificate[] cert) {
            return true;
        }
        public boolean isServerTrusted(X509Certificate[] cert) {
            return true;
        }
    }
};
36. We’ve all done something like that
We do it all the time
37. We’ve all done something like that
We do it all the time
The whole world does it
How bad can it be?
38. We’ve all done something like that
We do it all the time
The whole world does it
Github search “implements TrustManager” ….
39. We’ve found 72,609 code results
AlwaysValidTrustManager
TrustAllServersWrappingTrustManager
“A very friendly, accepting trust manager factory. Allows anything through. all kind of certificates are accepted and trusted.”
“A very trusting trust manager that accepts anything”
// Install the all-trusting trust manager
OverTrustingTrustProvider
AllTrustingSecurityManagerPlugin.java
AcceptingTrustManagerFactory.java
AllTrustingCertHttpRequester.java
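Added example, not from the talk and not Steve Poole’s code: the pattern that replaces a trust-all manager. The JDK’s own PKIX TrustManagerFactory does the validation; when the server you talk to is self-signed you import that one certificate into a PKCS12 truststore (keytool -importcert) and use it for that connection, instead of switching validation off for every connection the JVM makes. The truststore path (args[0]) and the password "changeit" are assumptions for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example: certificates are validated by the JDK's PKIX trust manager
 * against an explicit set of trust anchors, so a MITM presenting a self-signed
 * or rogue-CA certificate is rejected instead of silently accepted.
 */
public class StrictTrust {

    /** Trust manager backed by the platform's default CA bundle (the JDK cacerts file). */
    static X509TrustManager platformTrustManager() throws Exception {
        return fromAnchors(null); // a null KeyStore selects the JDK default trust anchors
    }

    /**
     * Trust manager that accepts ONLY the certificates in the given PKCS12
     * truststore, e.g. the single self-signed test-server certificate you
     * imported with keytool. Nothing outside that file is trusted.
     */
    static X509TrustManager trustManagerFor(Path truststore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(truststore)) {
            ks.load(in, password);
        }
        return fromAnchors(ks);
    }

    private static X509TrustManager fromAnchors(KeyStore anchors) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(anchors); // real chain building: signatures, expiry, CA constraints
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** SSLContext wired to a validating trust manager, for use with one HttpsURLConnection. */
    static SSLContext contextWith(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Platform default: a trust-all manager returns null here; this one returns real anchors.
        X509TrustManager dflt = platformTrustManager();
        System.out.println("default trust anchors: " + dflt.getAcceptedIssuers().length);

        // Assumed: args[0] is a PKCS12 truststore holding one self-signed server certificate,
        // created with: keytool -importcert -file server.pem -keystore my.p12 -storetype PKCS12
        if (args.length == 1) {
            X509TrustManager pinned = trustManagerFor(Paths.get(args[0]), "changeit".toCharArray());
            for (X509Certificate c : pinned.getAcceptedIssuers()) {
                System.out.println("trusting only: " + c.getSubjectX500Principal());
            }
            SSLContext ctx = contextWith(pinned);
            // Apply per connection, not JVM-wide:
            // ((HttpsURLConnection) url.openConnection()).setSSLSocketFactory(ctx.getSocketFactory());
            System.out.println("strict context ready: " + ctx.getProtocol());
        }
    }
}
```

The point of the design is that the trust manager is obtained from the factory, never hand-written: the no-op methods on the previous slide skip chain building entirely, whereas tmf.init() with a one-certificate keystore gives you exactly the narrow trust you wanted for a self-signed test box and nothing more.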
40. Developers are too trusting.
Linux Repos
npm
“npm is the package manager for JavaScript. Find, share, and reuse packages of code from hundreds of thousands of developers — and assemble them in powerful new ways.”
Great sentiments. “But Caveat Emptor”
44. Basic ways in: The old fashioned set
• Social engineering – convince you to open the door
• Vulnerability exploits – find doors already open
• Inside information – you tell them where the keys are for gain
The bad guys can already get into your systems easier than you ever thought possible.
45. The new attack vectors
• Devices, Devices, Devices
• Eavesdropping, network devices with default passwords
• Drive-by gateways
• Ransomware
• Blackmail and extortion
• Extending Malware into real products.
• Helpful free stuff – like docker images
• Dangerous paid stuff - like game trainers
• Actual ’at the source’ injections - like pull requests!
• Like unknown helpful people – do you know what can happen in a git merge?
https://www.flickr.com/photos/famzoo/
46. Devices inside your network
What CPUs are connected to your network?
• Smart printers?
• Smart TVs?
• BYODs?
How many devices have default passwords?
How many have passwords that everyone knows?
How many are running older unpatched software?
You cannot ever assume your internal network is safe and uncompromised
By Konstantin Lanzet - CPU collection Konstantin Lanzet, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=6834217
50. Simple hijacked https case 2: You have a bogus certificate authority locally – and you didn’t even know it was there
It might even have been issued by your company and been stolen and used against you
51. It can be even easier/worse
If your initial request to a server is http (i.e. unencrypted)
• A MITM can replace all inline https references with http
• Then when your form is submitted it’s sent unencrypted
• Maybe the server will bounce the request. But it’s too late - your private data is gone.
52. Stealing your data with http (diagram: browser, gateway and website on the Internet). The browser’s post to https://foo.com is switched by the gateway to an http post to http://foo.com; the gateway answers “Server unavailable”, the browser reloads, and the retried https post goes through.
53. Typical Pattern
1. MITM tracks a single important server target. The thieves know how the flows work. They track your usage
2. When your userid / password is requested the https is already forced to http.
3. Your data is sent in the clear. The MITM sends you a ‘there was a problem’ msg and gets out of your way.
4. You refresh and resubmit.
5. None the wiser…
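Added example, not from the talk: the browser-side rule that defeats the downgrade in the pattern above. Once a host has sent a Strict-Transport-Security header over a validated HTTPS connection, every later http:// request to it is rewritten to https:// locally, before a single plaintext byte reaches the gateway, so there is nothing for the MITM to swap. The header values, the timestamps and the host plain.example are constructed for illustration; foo.com is the host used on the slide.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

/** Added example: a minimal HSTS (RFC 6797) policy store and upgrade rule. */
public class HstsPolicy {

    private static final class Entry {
        final Instant expires;
        final boolean includeSubDomains;
        Entry(Instant expires, boolean includeSubDomains) {
            this.expires = expires;
            this.includeSubDomains = includeSubDomains;
        }
    }

    private final Map<String, Entry> known = new HashMap<>();

    /**
     * Record an HSTS header from host. The header is honoured only when it arrived
     * over HTTPS whose certificate validated; otherwise a MITM could plant or clear
     * policies. max-age is mandatory and max-age=0 removes the entry.
     */
    public void remember(String host, String headerValue, boolean overValidHttps, Instant now) {
        if (!overValidHttps) {
            return;
        }
        long maxAge = -1;
        boolean subs = false;
        for (String directive : headerValue.split(";")) {
            String d = directive.trim().toLowerCase(Locale.ROOT);
            if (d.startsWith("max-age=")) {
                try {
                    maxAge = Long.parseLong(d.substring("max-age=".length()).replace("\"", ""));
                } catch (NumberFormatException e) {
                    return; // malformed header: ignore it entirely
                }
            } else if (d.equals("includesubdomains")) {
                subs = true;
            }
        }
        if (maxAge < 0) {
            return;
        }
        String key = host.toLowerCase(Locale.ROOT);
        if (maxAge == 0) {
            known.remove(key);
        } else {
            known.put(key, new Entry(now.plus(Duration.ofSeconds(maxAge)), subs));
        }
    }

    /** Live policy for host: exact match, or a parent domain that said includeSubDomains. */
    public boolean mustUseHttps(String host, Instant now) {
        String h = host.toLowerCase(Locale.ROOT);
        Entry e = known.get(h);
        if (e != null && e.expires.isAfter(now)) {
            return true;
        }
        for (int dot = h.indexOf('.'); dot >= 0; dot = h.indexOf('.', dot + 1)) {
            Entry p = known.get(h.substring(dot + 1));
            if (p != null && p.includeSubDomains && p.expires.isAfter(now)) {
                return true;
            }
        }
        return false;
    }

    /** Rewrite http:// to https:// when a policy applies; everything else passes through unchanged. */
    public URI upgrade(URI uri, Instant now) throws URISyntaxException {
        if (!"http".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null
                || !mustUseHttps(uri.getHost(), now)) {
            return uri;
        }
        int port = (uri.getPort() == 80) ? -1 : uri.getPort(); // explicit :80 becomes the https default
        return new URI("https", uri.getUserInfo(), uri.getHost(), port,
                       uri.getPath(), uri.getQuery(), uri.getFragment());
    }

    public static void main(String[] args) throws Exception {
        HstsPolicy policy = new HstsPolicy();
        Instant t0 = Instant.parse("2017-05-12T09:00:00Z");
        // Constructed headers: foo.com sent its policy over validated HTTPS,
        // plain.example "sent" one over plain HTTP, which must be ignored.
        policy.remember("foo.com", "max-age=31536000; includeSubDomains", true, t0);
        policy.remember("plain.example", "max-age=31536000", false, t0);

        System.out.println(policy.upgrade(new URI("http://foo.com/login"), t0));
        System.out.println(policy.upgrade(new URI("http://api.foo.com:80/x"), t0));
        System.out.println(policy.upgrade(new URI("http://plain.example/login"), t0));
        System.out.println(policy.upgrade(new URI("http://foo.com/login"), t0.plus(Duration.ofDays(400))));
    }
}
```

Two caveats follow directly from the code: the server has to send the header over https in the first place, and the very first visit to a host (or any visit after max-age has lapsed) is still made over http, which is why browsers also ship a preload list. The slide’s attack works precisely in that unprotected window.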
54. What – you’d never connect to a bogus wifi?
55. Wifi Gateways
Are everywhere
How do you know that an SSID you see is not fake?
In your office?
In your home?
In a Coffee Shop?
At a conference in Poland?
59. Q: So given how important using encryption correctly is…
60. Why do we turn it off?
curl --insecure
wget --no-check-certificate
sudo apt-get --allow-unauthenticated
61. For reasonable reasons?
• “The server I access is self-signed”
• “I want to access multiple servers”
Unexpectedly?
• “I thought I was using the tool correctly”
• “I didn’t realize what the default setting was”
• “I trusted the tool to do the right thing”
Maliciously?
• “Someone changed the script and I don’t know why”
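Added example, not from the talk: a small lint for build and deployment scripts that reports the verification-disabling flags from the two slides above, so the “someone changed the script and I don’t know why” case is caught in code review or CI rather than in production. The flags are the ones on the slide plus curl’s -k short form; the script lines are constructed for illustration and are not from any real project.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/** Added example: report flags that switch off certificate or signature checks. */
public class InsecureFlagLint {

    private static final class Rule {
        final Pattern pattern;
        final String reason;
        Rule(String regex, String reason) {
            this.pattern = Pattern.compile(regex);
            this.reason = reason;
        }
    }

    /** Each rule: the tool, the flag (preceded by whitespace so it is a real argument), what it disables. */
    private static final List<Rule> RULES = Arrays.asList(
        new Rule("\\bcurl\\b.*\\s(--insecure|-k)\\b", "curl: TLS certificate verification disabled"),
        new Rule("\\bwget\\b.*\\s--no-check-certificate\\b", "wget: TLS certificate verification disabled"),
        new Rule("\\bapt-get\\b.*\\s--allow-unauthenticated\\b", "apt-get: package signature check disabled"));

    public static final class Finding {
        public final int line;
        public final String reason;
        public final String text;
        Finding(int line, String reason, String text) {
            this.line = line;
            this.reason = reason;
            this.text = text;
        }
        @Override
        public String toString() {
            return "line " + line + ": " + reason + "  <- " + text.trim();
        }
    }

    /** Scan script lines; shell comment lines are skipped so a commented-out flag is not reported. */
    public static List<Finding> scan(List<String> lines) {
        List<Finding> findings = new ArrayList<>();
        for (int i = 0; i < lines.size(); i++) {
            String line = lines.get(i);
            if (line.trim().startsWith("#")) {
                continue;
            }
            for (Rule rule : RULES) {
                if (rule.pattern.matcher(line).find()) {
                    findings.add(new Finding(i + 1, rule.reason, line));
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample script (not a real file); hostnames are placeholders.
        List<String> script = Arrays.asList(
            "#!/bin/sh",
            "set -e",
            "curl -fsSL https://repo.internal/setup.sh | sh",
            "curl --insecure -o jdk.tar.gz https://mirror.example/jdk.tar.gz",
            "# wget --no-check-certificate was removed after review",
            "wget --no-check-certificate https://mirror.example/tools.zip",
            "sudo apt-get --allow-unauthenticated install -y libfoo");
        for (Finding f : scan(script)) {
            System.out.println(f);
        }
    }
}
```

Run it over the scripts in a repository as a pre-merge check; the three flagged lines in the sample are exactly the ones a reviewer should be asked to justify, and the commented-out line correctly produces nothing.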
62. And…
• Developers download code, tools, certificates etc without considering
the consequences.
• We believe implicitly that other developers are trustworthy.
How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript
Code pulled from NPM – which everyone was using
http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/
What if he’d added malware instead?
63. Why aren’t we taking this seriously?
Cyber criminal
64. Would it help if we used a different name?
Cyber criminal
Advanced Persistent Threat
65. Innovative
Imaginative
Without boundaries
Well funded
Ruthless
Uncaring
Advanced Persistent Threat
And more
66. Remember that scene from Oceans 13?
https://www.flickr.com/photos/andereri/
Where they went to Mexico to fix the dice?
67. Suppose they had to get into a Smart TV factory
And they had to ’fix’ the SoC chips
By Konstantin Lanzet - CPU collection Konstantin Lanzet, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=6834217
68. It’s already happened
Any device you buy may have already been compromised at the factory
70. Vulnerabilities
• Bugs and design flaws in your software and the software you use.
• Everyone has them.
• Researchers are looking for them all the time.
• So are the bad guys
https://www.flickr.com/photos/electronicfrontierfoundation/
72. Vulnerabilities
The bad news is that talking about the specifics of a vulnerability is not something anyone wants to do.
The relationship between CVEs and bug fixes is kept tenuous.
So how do you assess the impact of a vulnerability, or even where it’s fixed?
Using CVSS (Common Vulnerability Scoring System), an agreed open process, vulnerabilities are scored.
Scores and ship vehicles are published
https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19117/Oracle-JRE.html
https://developer.ibm.com/javasdk/support/security-vulnerabilities/
Struts-Shock
March: Apache Struts fix high impact vulnerability
Hours later: exploit published on Chinese-language website & real attacks start
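Added example, not from the talk: how a CVSS v3.0 base score is derived from its vector string, so that a published “9.8” or “10.0” can be read back into what it claims about reach, privileges and impact when you do the risk assessment the slide asks for. The metric weights and formulas are those of the CVSS v3.0 specification (v3.1 only changed the rounding routine); the two vectors in main are constructed for illustration and are not the scores of any vulnerability named on this page.

```java
import java.util.HashMap;
import java.util.Map;

/** Added example: CVSS v3.0 base score from a vector string. */
public class CvssV3 {

    /** Metric weights from the CVSS v3.0 specification (PR depends on scope, see below). */
    private static final Map<String, Double> W = new HashMap<>();
    static {
        W.put("AV:N", 0.85); W.put("AV:A", 0.62); W.put("AV:L", 0.55); W.put("AV:P", 0.20);
        W.put("AC:L", 0.77); W.put("AC:H", 0.44);
        W.put("UI:N", 0.85); W.put("UI:R", 0.62);
        W.put("C:H", 0.56);  W.put("C:L", 0.22);  W.put("C:N", 0.0);
        W.put("I:H", 0.56);  W.put("I:L", 0.22);  W.put("I:N", 0.0);
        W.put("A:H", 0.56);  W.put("A:L", 0.22);  W.put("A:N", 0.0);
    }

    /** Privileges Required weighs more when the flaw escapes its security scope. */
    private static double privileges(String pr, boolean scopeChanged) {
        switch (pr) {
            case "N": return 0.85;
            case "L": return scopeChanged ? 0.68 : 0.62;
            case "H": return scopeChanged ? 0.50 : 0.27;
            default: throw new IllegalArgumentException("PR:" + pr);
        }
    }

    /** v3.0 "Round up": the smallest one-decimal value not less than the input. */
    static double roundUp(double x) {
        return Math.ceil(x * 10.0) / 10.0;
    }

    private static double weight(String metric, Map<String, String> m) {
        Double w = W.get(metric + ":" + m.get(metric));
        if (w == null) {
            throw new IllegalArgumentException("missing or unknown metric " + metric);
        }
        return w;
    }

    /** Base score for a vector such as "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H". */
    public static double baseScore(String vector) {
        Map<String, String> m = new HashMap<>();
        for (String part : vector.split("/")) {
            int i = part.indexOf(':');
            if (i > 0) {
                m.put(part.substring(0, i), part.substring(i + 1));
            }
        }
        boolean changed = "C".equals(m.get("S"));
        double conf = weight("C", m), integ = weight("I", m), avail = weight("A", m);
        // Impact sub-score: probability that at least one of C/I/A is affected
        double iss = 1.0 - (1.0 - conf) * (1.0 - integ) * (1.0 - avail);
        double impact = changed
            ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
            : 6.42 * iss;
        double exploitability = 8.22 * weight("AV", m) * weight("AC", m)
            * privileges(m.get("PR"), changed) * weight("UI", m);
        if (impact <= 0) {
            return 0.0;
        }
        double raw = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
        return roundUp(Math.min(raw, 10.0));
    }

    public static void main(String[] args) {
        // Constructed vectors: a network-reachable, no-privilege, scope-changing flaw,
        // and a local privilege escalation. Neither is tied to a specific CVE.
        System.out.println(baseScore("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"));
        System.out.println(baseScore("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"));
    }
}
```

Reading the formula is the useful part: the exploitability term is where “network reachable, no privileges, no user interaction” pushes a score up, and the scope-changed branch is what lifts a flaw that breaks out of its component past the unchanged-scope ceiling. Environmental and temporal metrics, which account for your own deployment and for whether an exploit is public (as with Struts-Shock above), sit on top of this base score and are out of scope here.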
74. Checkpoint: The fundamentals
• Strong access controls and access management
• Accountability
• Validation
• Effective compartmentalisation
• Ability to detect intrusions
• Encrypted data
As developers we are all guilty of weakening or bypassing the efforts of our IT organizations to keep our systems safe
76. First steps
Keep current. Every vulnerability fix you apply is one less way in.
Compartmentalise. Separate data, code, access controls etc. Just like bulkhead doors in a ship: ensure one compromise doesn’t sink your boat.
Design for intrusion. Review your levels of ‘helpfulness’ and flexibility
Learn about Penetration Testing
Understand that making your development life easier makes the hacker’s job easier
77. Next steps
Take control of your dependencies.
Build your own internal caches and repositories. Scan them for known vulnerabilities and change all those embedded default passwords
OR buy the service from someone you trust.
Don’t download or depend on random code. Ensure you trust the providers and you understand what they are doing to earn and keep your trust. Examine the processes they have to ensure that the code / binaries / certificates being hosted are legitimate
Educate yourself
Learn about secure engineering techniques
Learn about how to assess security risks
80. The Seven Pernicious Kingdoms
1. Input Validation and Representation
2. API Abuse
3. Security Features
4. Time and State
5. Error Handling
6. Code Quality
7. Encapsulation
* Environment
84. Online Guides
Secure by Design - Security Design Principles for the Rest of Us
https://www.slideshare.net/EoinWoods1/secure-by-design-security-design-principles-for-the-rest-of-us
86. This isn’t as challenging or costly as it seems
87. We’re already starting to do this
Microservices is helping with compartmentalisation
Continuous Delivery is helping with frequent patching
Containers are helping with dependency management
Infrastructure As Code is helping with locking down environments
DevOps is bringing IT practices and awareness to the developer
Moving to the cloud allows us to have industry leading security like firewalls, advanced intrusion detection, vulnerability assessments etc
Does your cloud provider offer these services?
88. Recap
• The simple truth is that we are going to be engaged in an arms race over security for the foreseeable future
• We’re on the back foot right now.
• Our behavior makes cybercrime even easier
• How we perceive ourselves and how we act has got to change
• Vulnerabilities, Compromised devices etc
• We have to behave as if every server we have is publicly addressable
• We have to focus on reducing our exposure
89. But maybe there is some light at the end of the tunnel
https://www.flickr.com/photos/bovinity/
Remember: Security is your problem