JavaOne – The Hacker’s Guide to Session Hijacking

“The Hacker’s Guide to Session Hijacking”

Speaker: Patrycja Wegrzynowicz

For more blog posts from JavaOne, see the table of contents


Dropbox and Yahoo passwords sold on black market last year

HTTP

  • stateless
  • JSessionId – cookie, header, parameter, hidden field
  • OWASP top 10 – A2 – Broken Authentication and Session Management

Session Hijacking

  • Easy targets
  • Session theft – steal session id from URL, sniffing, logs, XSS.
  • Session fixation – trick user into using the (fixed) session id of the hacker’s choosing
  • Session prediction – server uses weak algorithm so hacker can guess session id. Least common in Java world. About 5 years ago, Jetty had this issue

How protect

  • Need to disable URL rewriting in an app server.
  • Alternatively can set up tracking mode in the web.xml: <tracking-mode>COOKIE</tracking-mode> starting Java EE 6/Servlet 3
  • Use HTTPS to avoid session exposure during transport
  • Set <secure>true</secure> under cookie-config in web.xml so only sent over https. Also added in Java EE 6/Servlet 3
  • Set <http-only>true</http-only> under cookie-config in web.xml so only sent over https.
  • Java EE 7/Servlet 4 has request.changeSessionId() so can have different id
  • Shorter timeouts – 2-5 minutes for critical apps; 15-30 minutes for typical apps. By default they aren’t supposed to timeout
  • Write logic to see if IP/user agent changes during session and invalidate session if does
  • CSRF token, double submit cookie (if no server side session), SameSite cookie flag in Chrome (not yet supported by Java EE)

Session created when call request.getSession(true) explicitly or implicitly (ex: when visit JSP page)
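As an added example (my own code, not from the talk or from the speaker), here is the programmatic equivalent of the web.xml settings above plus a filter that does the user-agent check and the changeSessionId() call. It assumes the Servlet 3.1 API (javax.servlet); the class, attribute and method names are mine. The cookie config is done in a listener because the container only accepts tracking-mode and cookie-config changes during context initialization.

```java
import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Binds a session to the User-Agent seen at creation and rotates the id at login (hypothetical names). */
@WebFilter("/*")
public class SessionBindingFilter implements Filter {
    static final String BOUND_UA = "sessionBinding.userAgent";
    static final int IDLE_SECONDS = 15 * 60; // 15 minutes, the low end of the talk's range for typical apps

    /** Programmatic equivalent of tracking-mode COOKIE plus the secure/http-only cookie-config flags. */
    @WebListener
    public static class SessionHardeningConfig implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            ServletContext ctx = sce.getServletContext();
            // COOKIE only: turns off URL rewriting, so JSESSIONID never ends up in URLs, logs or referers.
            ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
            SessionCookieConfig cookie = ctx.getSessionCookieConfig();
            cookie.setSecure(true);   // browser sends the cookie over HTTPS only
            cookie.setHttpOnly(true); // browser refuses document.cookie access from scripts (the XSS theft case)
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) { }
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false): do not create a session as a side effect of every request.
        HttpSession session = request.getSession(false);
        if (session != null) {
            String ua = String.valueOf(request.getHeader("User-Agent"));
            Object bound = session.getAttribute(BOUND_UA);
            if (bound == null) {
                // First time we see this session: record the client and apply the short idle timeout.
                session.setAttribute(BOUND_UA, ua);
                session.setMaxInactiveInterval(IDLE_SECONDS);
            } else if (!bound.equals(ua)) {
                // Same id, different client: treat it as a replayed id and kill the session.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** Call once credentials are verified: the pre-login id is discarded, attributes are kept. */
    public static void onLoginSuccess(HttpServletRequest request, String username) {
        request.changeSessionId(); // Servlet 3.1: new id, same HttpSession object
        request.getSession().setAttribute("user", username);
    }

    @Override
    public void destroy() { }
}
```

The filter binds to the User-Agent only. Binding to the client IP as the talk suggests works the same way (request.getRemoteAddr() stored as another attribute), but it logs out legitimate users whose address changes mid-session, which is common behind mobile carriers and corporate proxies, so decide per application whether that trade-off is acceptable.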

How attack

  • Get session id from log
  • Use JavaScript to get cookie
  • Get user to click link with URL
  • Go to site anonymously and close tab so user gets that session id [requires physical access]
  • XSS
  • CSRF

My take:
She did interactive demos of the issues. She posted a URL with session id on twitter and a bunch of people clicked real time; fun to see. Then she did the opposite where she got into our session. Then she stole the cookie with JavaScript using an image to bypass same source policy. [That I’m not doing. Intentionally sharing all my cookies; no thanks! She only displayed the cookie with the jsession id for her site which is good]. Finally she did an interactive CSRF demo

lessons learned from fighting nation states in cyberspace – live blogging from qcon

Lessons Learned from Fighting Nation States in Cyberspace
Speaker: Dmitri Alperovitch

See the list of all blog posts from the conference

Dmitri and his team uncovered 2016 DNC hack – not focus of talk because not that technically interesting
Focus on collecting a lot of data and applying AI to big data
Store data in ThreatGraph (their product) and Apollo/Hadoop

Today’s threatscape

  • Whatever business you think you’re in, you’re in the security business – hacktivists, money, etc. If have nothing of value, why in business?
  • In past, only government entities had to worry about nation state attack. Now commercial entities have to protect IP and info.
  • Examples of China stole weapons design from United States.
  • North Korea using ransomware attacks – largely in South Korea – to fund weapons
  • Once you use a cyberweapon, others can use it. Ex: WannaCry is good example of reuse.
  • Inserting fake data in real data makes it hard to determine what is true.
  • Track over 40 different threat entities in China, over 10 criminal entities worldwide, 6 activist groups worldwide, 8 in Russia and a few others around the world. Code names have animal last name – Chinese panda, criminal spiders, etc. The analyst who discovers it picks the first name.
  • Criminal actors are opportunistic. Will move on if costs too much to attack you. Nation states are more like a dog with a bone. They aren’t giving up because only one source has the information.

War stories

  • Hurricane Panda (China) – Focus on telecom for economic espionage to benefit China.
    • webshells – web scripts to get control of webservers. They get it on the web server and then can use a browser to run any command via get requests. Typically password protect script so doesn’t return anything unless supply right password – prevents scans from finding. Attack went undetected for a year. Stole credentials and tried to remove evidence. Persisted after attack remediated.
    • Sticky keys – modify Windows registry key and then can get in without admin password. Ex: on screen keyboard runs before login. If tell Windows to run debugger first, get command prompt with full admin privilege
    • Only need a PowerShell command to steal credentials.
    • Once fixed, got thrown out in minutes. Started making typos as rushed. Continued trying to get in for four months.
    • Then they found a zero day to get admin access to machine
    • Then they finally went away and found a new victim. Dmitri’s company repeated the pattern.
    • Crowdstrike won. (article) – hackers moved on if saw CrowdStrike software on server
  • Large defense company noticed problem but couldn’t figure out how got in. CrowdStrike asked to find malware, but wasn’t one. The problem was the RSA SecurID two factor keys were compromised. Chinese threat actors stole the seeds for the token. RSA said would send seeds to company rather than storing them. However, the Chinese stole the seeds from the company directly and could VPN in using two factor.
  • Cloud VM data theft. Again no malware. Adversary had stolen API keys.
  • Other attack method to get into environment: phishing, embed powershell in a .lnk (windows shortcut files) and make .lnk file look like word doc or pdf
  • Bypassing Windows Access Control is a bunch of steps. But there is an open source tool to do all of it
  • Anti-forensic methods – delete log files, wipe data to obfuscate their activity.

Lessons learned

  • Windows is scary 🙂 [seriously though; the talk focused on Windows – presumably their expertise]. Someone asked about this and Dmitri said 95% of intrusions occur on Windows.
  • Embrace visibility/logging and AI – you will always be behind if trying to find last attack. Aggressive logging for all systems helps. Anomaly based algorithms help find the unknown
  • Leverage peers – work with other entities and share information
  • Hunt for the adversary – think what you would do if you were the adversary

the relative in trouble scam

The most recent AARP newsletter has an article about the “grandparent scam.” A retired person asked me about it and we had a good discussion about potential future variants of it. First of all, this isn’t new. In fact, AARP wrote about it four years ago. Some thoughts beyond what is in the article:

  • Never give any personal information or financial information if you didn’t initiate the phone call in the first place.  I’d say banks and such don’t call and ask for personal information except that one did. The solution was to call back to the known number of the branch.
  • Don’t rely on caller id. It can be spoofed with your child/grandchild’s phone number.
  • I’d like to think a grandparent/parent would recognize their child’s voice. But if not, ask questions. And not questions like your pets name or mother’s birth date. The former is likely on Twitter/Facebook. And mother’s birth date is in the public record so a horrible security question in any case.  I’m talking questions that are hard to search for an answer to if you don’t already know them like “remember when I visited you in Arizona two years ago” and see if they know that never happened. Or “what’s the last injury you had” since that is hard to search for.
  • Verify using another channel. Ask for a number to call back. The police or hospital or any legit emergency would give you one. (and verify this is the right number; don’t just call back.) Then call the person on their known telephone numbers. Call their relatives. Send a text. Odds are the person really is ok.
  • Don’t wire money or buy a pre-paid cash card or buy BitCoin to pay someone who called you. Hospitals take this lovely thing called a credit card. Even if someone is arrested, you can call a local bail bondsman and pay them and they will pay the local jail. (At least that’s what the internet says; I’ve never been in a position to find out if that is true!). Which goes back to you initiating the transaction.

The point that a lot of information is online is a good one. And that’s just what we know about. Think about how many websites have been hacked in the last five years. That means your “security questions” aren’t safe. Also, the “bad guys” don’t limit themselves to google. Paying for a background check would yield more info if someone wants to target you. And the dark web probably has all sorts of information.