Updated version of Cybercrime talk for Java2days conf in Sofia, Bulgaria

1. Cybercrime and the Developer

2. About me
Steve Poole
IBM Lead Engineer
@spoole167
Making Java Real Since Version 0.9
Open Source Advocate
Mad Scientist
DevOps Practitioner (whatever that means!)
Driving Change

3. This talk
• I’m a DevOps practitioner – not a security expert.
• Arose
• because of “compliance”. What does that mean? How do I find out more?
• because I didn’t understand what the cybersecurity fuss was all about
• because giving uneducated developers access to cloud resources generally
has unfortunate consequences
• is about understanding the risks, and & how and why we need to
behave differently.
• Is the talk before you learn how to write secure Java
• Here’s what I’ve learnt so far…

4. what I want you to remember
• The scale of the challenge with security and the ‘net’ and know its
not going to get fixed quickly.
• you as a developer have the most important job to fix this.
• you need to learn about ‘security’ and become an advocate and
shameless promoter of best practices

5. Outline
• What’s the problem – why does this all matter?
• Who is at risk?
• Who are the bad guys?
• How do they get in?
• How you need to change?
• What you need to change?
• Going forward..

6. https://www.flickr.com/photos/erikkristensen/
Is this your system?

7. @spoole167
https://www.flickr.com/photos/77278206@N02/
Maybe its more like this?

8. https://www.flickr.com/photos/38314728@N08/
Chances are it’s more like this

9. Unless you pay attention it’s soon going to be like this

10. https://www.flickr.com/photos/marcelograciolli/

11. Friday, October 21st 2016 Dyn cyberattack
https://en.wikipedia.org/wiki/2016_Dyn_cyberattack
Dyn (a major DNS provider) networks were attacked
three times by hackers using a DDOS attack
The attack was the largest ever recorded
10s of millions of IP addresses
1.2 terabits per second
Various groups have claimed responsibility
http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/

12. Friday, October 21st 2016 Dyn cyberattack
https://en.wikipedia.org/wiki/2016_Dyn_cyberattack

13. • Behind the attack was a large botnet
• printers, IP cameras, residential gateways , baby monitors, desktops, laptops
• Even medical equipment…
• Whether politically motivated or not the attack shows the porous
nature of both the internet and our private networks
• The rise of the “system on a chip”
• The rise of the Internet of Things
Friday, October 21st 2016 Dyn cyberattack

14. Internet of Things
”The S in IoT stands for Security”

15. Unfortunately
”The S in Developer stands for Security”

16. Cybercrime
realities

17. “Organized Cybercrime is the most profitable type of crime”
• Cybercrime is estimated to be worth 445 Billion Dollars a Year
• In 2013 the United Nations Office on Drugs and Crime (UNODC) estimated
globally the illicit drug trade was worth 435 Billion Dollars
• Guess which one has the least risk to the criminal?
• Guess which is growing the fastest?
• Guess which one is the hardest to prosecute?
• Guess which one is predicted to reach 2100 Billion Dollars by 2019?

19. Lesson 0
Wake Up!
This is real.
You have a key role

20. What data are they after?
• Moving beyond credit card numbers
• Long term identify theft
• That means quiet and repeated infiltration
• no more cyber-graffiti “Thiz Site belonz to uz”
• Though any personal data is useful and worth $$$
• Medical data, Sensitive Personal Information etc
• Information that gives insight into behavior
• Access to your systems
Lesson 1
Protect all data

21. Its about Facts about you
• Any piece of personal information about YOU is useful. It get’s sold on and
somewhere someone brings it all together.
• Can I connect your email address to your data of birth?
• Can I find out where you live?
• Can I find out who you work for?
• Can I find out what you think about your boss?
• Can I find out what sites you’ve visited?
• The more I know about you – the more I can refine the attack.
• The more I know about you – the more $$ I can make
• And attacks are more than “technical”
Lesson 2
All your data is
valuable

22. DEAR SIR/MA'AM.
YOUR ATM CARD OF $10.5MILLION DOLLARS WAS RETURNED TODAY BY OUR COURIER
DELIVERY COMPANY, AND WE ARE GOING TO CANCEL THE ATM CARD IF YOU FAILS TO
ACKNOWLEDGE THIS MESSAGE, WE SHALL ALSO ASSUME THAT WHAT OUR COURIER
DELIVERY COMPANY TOLD US IS NOTHING BUT THE TRUTH THAT YOU DON'T NEED YOUR
ATM CARD OF $10.5 MILLION DOLLARS ANY LONGER.
DO ACKNOWLEDGE THIS MESSAGE AS SOON AS POSSIBLE.
YOURS FAITHFULLY.
YOURS SINCERELY,
MR MARK WRIGHT,
DIRECTOR FOREIGN REMITTANCE
ATM CARD SWIFT PAYMENT DEPARTMENT
ZENITH BANK OF NIGERIA.

23. Federal Bureau of Investigation (FBI)
Anti-Terrorist And Monitory Crime Division.
Federal Bureau Of Investigation.
J.Edgar.Hoover Building Washington Dc
Customers Service Hours / Monday To Saturday
Office Hours Monday To Saturday:
Dear Beneficiary,
Series of meetings have been held over the past 7 months with the secretary general of
the United Nations Organization. This ended 3 days ago. It is obvious that you have not
received your fund which is to the tune of $16.5million due to past corrupt Governmental
Officials who almost held the fund to themselves for their selfish reason and some
individuals who have taken advantage of your fund all in an attempt to swindle your fund
which has led to so many losses from your end and unnecessary delay in the receipt of
your fund.for more information do get back to us.
….
Upon receipt of payment the delivery officer will ensure that your package is sent within
24 working hours.

24. Dear Winner,
This is to inform you that you have been selected for a prize of a brand
new 2016 Model BMW Hydrogen 7 Series Car, a Check of $500,000.00
USD and an Apple laptop from the international balloting programs
held on the 27th, section of the 2016 annual award promo in the
UNITED STATE OF AMERICA.

25. No-one falls for those sort of things do they?

26. From <your boss>
I’ve spoken to the Italians and they will send us the goods if we pay
$3M immediately. Details below.
I’m off to the golf course – no distractions please.
Lesson 3
If something is suspicious or unusual – double
check. You think all the bad guys are stupid?

27. an email from an international
transport company urging
recipients to open a waybill in
a zip
(The Zip content launches a
downloader)
The targets are busy and not IT
savy. The criminals are IT savy
and industry savy
☹️ ☹️

28. Even more
Email Instructions to victims to download an Android app onto a
mobile device.
That app contains a SMS hijacker.
The app listens for incoming SMS messages containing transaction
authorization codes from the bank.
Lesson 4
Never install software without checking
it’s providence

29. Phishing -> Spear Phishing -> Personalised
Attacks
• The move is towards more organised and long term attacks that are
hidden from view.
• Think about this – when you’re trawling the net for gullible people
you set the bar low.
• With personalised attacks you invest more and make it compelling.
• You victims views on Facebook about their boss, how busy they are,
important deals coming up. It all helps to craft that million dollar scam…

30. Who’s being targeted?
• Middle level executives – afraid of their bosses?
• New joiners – easy to make a mistake?
• Busy and harassed key individuals – too busy to take time to
consider?
• Disgruntled employees – want to hurt the company? Make some $?
• And Developers – the golden goose.
Lesson 5
The bad guys prey on the weak,
vulnerable and ignorant

31. Developers
• Why ?
• We know the inside story
• We write the code
• We have elevated privileges
• We are over trusting
• We use other peoples code and tools without inspection
• we are ignorant of security matters
Lesson 6
The bad guys prey on the weak,
vulnerable and ignorant:
That’s you

32. Don’t agree?
“The bad guys prey on the weak, vulnerable and ignorant: That’s you”

33. Ever googled for:
“very trusting trust manager”
“Getting Java to accept all certs over HTTPS”
“How to Trust Any SSL Certificate”
“Disable Certificate Validation in Java”

34. TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(
X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(
X509Certificate[] certs, String authType) {
}
public boolean isClientTrusted( X509Certificate[] cert) {
return true;
}
public boolean isServerTrusted( X509Certificate[] cert) {
return true;
}
}
};
Ever written something
like this?

35. curl –insecure
wget --no-check-certificate
sudo apt-get --allow-unauthenticated
Or this?

36. We’ve all done something like that

37. We’ve all done something like that
We do it all the time

38. We’ve all done something like that
We do it all the time
The whole world does it
How bad can it be?

39. We’ve all done something like that
We do it all the time
The whole world does it
Github search “implements TrustManager” ….

40. We’ve found 72,609 code results
AlwaysValidTrustManager
TrustAllServersWrappingTrustManager
A very friendly, accepting trust
manager factory. Allows anything
through. all kind of certificates are
accepted and trusted.
A very trusting trust manager that
accepts anything
// Install the all-trusting trust
manager
OverTrustingTrustProvider
AllTrustingSecurityManagerPlugin.java
AcceptingTrustManagerFactory.java
AllTrustingCertHttpRequester.java

41. Developers are too trusting.
Linux Repos
npm
npm is the package manager for JavaScript. Find, share,
and reuse packages of code from hundreds of thousands
of developers — and assemble them in powerful new
ways.
Great sentiments. “But Caveat Emptor”

42. @spoole167https://www.flickr.com/photos/bambe1964/
Are you still
paying
attention?

43. So who are the
bad guys?
https://www.flickr.com/photos/monsieurlui/

44. A mirror of you?
• Organized and methodical
• organized like startup companies.
• “employ” highly experienced developers with deep knowledge
• Constantly innovating malware, seeking out vulnerabilities
• Sharing what they find with each other (for $ of course)
• Goal focused
• the average age of a cybercriminal is 35 years old.

45. Already into crime
• Adrian Leppard, the Commissioner of the City of London Police:
• “We estimate that around 25 per cent of the organized crime groups in this
country are now involved in financial crime in one shape or another…”
• University of Cambridge researchers report that 60% of cyber-criminals had
criminal records which were completely unrelated to cyber-crime
• “those traditional offenders are changing their behavior and moving to the
internet”.
Lesson 7
Cybercriminals mostly get caught for something other than
cybercrime

46. Cybercrime: Expanding the attack vector

47. Basic ways in: The old fashioned set
• Social engineering – convince you to open the door
• Vulnerability exploits – find doors already open
• Inside information – you tell them where the keys are for gain
Lesson 8
The bad guys can already get into your systems easier than you
ever thought possible.

48. Vulnerabilities
• Bugs and design flaws in your software
and the software you use.
• Everyone has them.
• Researchers are looking for them all the
time.
• So are the bad guys
https://www.flickr.com/photos/electronicfrontierfoundation/

49. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=java
Vulnerabilities
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=serialization
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=javascript

50. Even More
http://www.cvedetails.com/vendor/14133/Hibernate.html
http://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-
24966/year-2013/Apache-Maven.html
http://www.cvedetails.com/product/887/Apache-
Tomcat.html?vendor_id=45
https://www.upguard.com/articles/top-10-java-technology-/-tooling-
vulnerabilities-and-how-to-fix-them
https://www.infoq.com/news/2016/04/java-reflection-vulnerability

51. • It’s usually a combination of
software weaknesses that
get exploited
• Sometimes a BIG exploit
appears
• Zero Day exploits are just
that.
• Shame we don’t give them
much attention
• Someone elses problem?
Vulnerabilities Lesson 9
Vulnerabilities are everywhere
Lesson 10
Keeping up-to-date with critical
patches is one of the most important
things you can do
Lesson 11
Ignoring this side of Software
Engineering is criminal

52. Deep breath
• To minimize the potential impact of vulnerabilities you need to keep
your software up-to-date all-the-time
• Almost all technical breaches come from exploiting known
vulnerabilities
• Keeping current means only zero-day exploits can be used.
• Do that and the bad guys will move on to someone more vulnerable
• Use DevOps techniques and tools to help make this much easier.

53. The new attack vectors
• Devices, Devices, Devices
• Eavesdropping, network devices with default passwords
• Drive-by gateways
• Poorly secured new deployments on a cloud
• New devices on the internet get found in 15 mins. Get tailored
attack in 45
• Ransomware
• Blackmail and extortion
• Extending Malware into real products.
• Helpful free stuff – like docker images
• Dangerous paid stuff - like game trainers
• Actual ’at the source’ injections - like pull requests!
• Like unknown helpful people – do you know what can happen in a git
merge?
https://www.flickr.com/photos/famzoo/

54. Devices inside your network
• What’s CPU’s are connected to your network?
• Smart printers?
• Smart TV’s?
• BYODs?
• How many devices have default passwords?
• How many computers have passwords that everyone knows?
• How many are running older unpatched software?
Lesson 12
You cannot ever assume your internal network is safe
and uncompromised
Lesson 13
Really Strong
authentication
is an
imperative.

55. Personal Passwords
• What can I say: use keys wherever you can
• Treat passwords and private keys like the crown jewels.
• Have as many different passwords/keys as you can for different functions and activities
• Use a good password safe
• Never divulge your password to anyone or write it down.
• Once it’s out of your hands treat it as hacked
Lesson 14
Understand just how easily (or not) passwords can be cracked
https://en.wikipedia.org/wiki/Password_cracking

56. Wifi Gateways
Are everywhere
How do you know that a SSID you see is not fake?
In your office.
In your home.
At a conference
In a Coffee Shop.

57. Wifi Gateways
Are everywhere
Many legitimate ones encourage bad practices

58. Wifi Gateways
Pi Zero
WIFI Dongle
USB Power
Would you notice this stuck to the wall?

59. https://www.flickr.com/photos/yodelanecdotal/
Spoofing Wifi gateways is really,
really easy
Millennials and Developers fall
for it every time
Here‘s how it
works

60. Simple http case

61. Internet
websitegateway
The normal (simplified) flow for http
Give me data
browser
Here is data

62. Simple hijacked http case

63. Internet
websitegateway
Man in the middle attack for http
Give me data
browser
Here is data
Give me data
Do bad things with
data
Here is data
SSID: OpenConference
Password: easy

64. 1) Simple https case

65. Internet
websitegateway
The normal (simplfied) flow for https
Client Hello (max SSL version supported)
browser
Server Hello (what SSL version to be used)
Server SSL CertificateCheck
Certificate
Send random local key encoded using Server SSL certificate
Secure, two way encrypted communications
Certificate
Authorities

66. 1) Simple hijacked https case – you accept the
certificate

67. Internet
websitegateway
Man in the middle attack for https – you accept the certificate
Client Hello
browser
Server Hello
Server SSL Certificate
Check
Certificate
Send different random local key
Secure
communications
Client Hello
Server Hello
Gateway SSL Certificate
Send random local key
Secure, two way communications
Certificate
Authorities
switched

68. 1) Simple hijacked https case – you accepted
the certificate – but at least you saw it

69. 2) Simple hijacked https case – you have a
bogus certificate authority locally

70. Internet
websitegateway
Man in the middle attack for https – version 2
Client Hello
browser
Server Hello
Server SSL Certificate
Check
Certificate
Send different random local key
Secure
communications
Client Hello
Server Hello
Gateway SSL Certificate
Send random local key
Secure, two way communications
Bogus Certificate
Authority switched

71. 2) Simple hijacked https case – you have a bogus
certificate authority locally – and you didn’t even
know it was there
It might even have been issued by your company
and been stolen and used against you

72. It can be even easier/worse
• If your initial request to a server is http (ie unencrypted)
• A MITM can replace all inline https references with http
• Then when your form is submitted it’s sent unencrypted
• Maybe the server will bounce the request. But it’s too late- your private data is gone.
• Typical pattern:
1. MITM tracks a single important server target. The thieves now how the flows work. They
track your usage
2. When your userid / password is requested the https is already forced to http.
3. Your data is sent in the clear. The MITM sends you a ‘there was a problem’ msg and gets out of
your way.
4. You refresh and resubmit.
5. None the wiser…

73. Internet
websitegateway
Stealing your data with http
http
browser
post to https://foo.com
http
post to
http://foo.com
http post
Server unavailable
RELOAD http
https post
post to https://foo.com
switched

74. Wifi gateways
Lesson 15
There are so many ways your data is at risk.
Use a VPN to get to a gateway you trust.
Be very wary of http urls in general

75. Man in the middle attacks
Lesson 16
You cannot assume the data you have accessed is valid unless you have a
secure connection at all times.
Otherwise you could download modified or copied files:
Docker Images, ISO’s, exes, RPMs, PowerPoint, Text files
Anything.
Lesson 17
Assertions and assumptions don’t “cut the mustard”
Deep dive into the communications processes and prove it

76. More bad news
• Our use of tools that interact over ssl tend to have the certificate
checking turned off!
• For reasonable reasons?
• “The server I access is self-signed”
• “I want to access multiple servers “
• Unexpectedly?
• “I thought I was using the tool correctly”
• “I didn’t realize what the default setting was”
• “I trusted the tool to do the right thing”
• Maliciously?
• “Someone changed the script and I don’t know why”
The default configuration of Apache
Maven 3.0.4, when using Maven Wagon
2.1, disables SSL certificate checks,
which allows remote attackers to spoof
servers via a man-in-the-middle (MITM)
attack.

77. Lesson 18 – sloppy use of tools will bite you big time
Lesson 19 – Don’t make assumptions
Prove the tools do what you expect.
Build “fake / compromised” target
servers etc and add to your testsuites
Lesson 20 – Reduce opportunities for unaccountable process changes by
adopting DevOps principles for Infrastructure-as-Code etc

78. And even worse…
• Developers download code, tools, certificates etc without considering
the consequences.
• We believe implicitly that other developers are trustworthy.
How one developer just broke Node, Babel and
thousands of projects in 11 lines of JavaScript
Code pulled from NPM – which everyone was using
http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/
What if he’d added
malware instead?

79. Lesson 21 – Don’t download or depend on random code. Ensure you trust
the providers and you understand what they are doing to earn and keep your
trust. Examine the processes they have to ensure that the code / binaries /
certificates being hosted are legitimate
Lesson 22 – Build your own internal caches and repositories. Scan them for
known vulnerabilities AND change all those embedded default passwords
OR buy the service from someone you trust.

80. Recap
• Cybercrime is set to become the largest form of crime ever
• Developers are key to preventing this
• We have the tools and techniques make reduce the problem
• We’re one of the worst adaptors of security protocols and practises
With great power comes great responsibility

81. Developers to the rescue?
• What we all have to do differently from now on
• Be much more security conscious
• Become intimately aware of how the bad guys get in
• Reduce our blind trust levels
• Learn how authentication and encryption actually works
• Make security a part of our psyche
• Bring Security Architects into the development process

82. More snippets of advice
• Don’t allow any admin access from outsite your firewall except via a VPN
• Don’t allow admin / critical functions to be executed on arbitrary developer m/cs
• Use strong firewalls on every system
• Whitelist outgoing connections.
• Hack your own systems…
• Change ALL default passwords
• Docker –if the is no Dockerfile run away. If there is a dockerfile read it and build your
own image. (How do you know the image and the docker file match)
• Reduce likelihood of exploits etc escaping by using separate Virtual Machines for
different actives.
• Don’t add developer backdoors!

83. https://www.flickr.com/photos/schill/
Why do you need
a blanket “god”
mode?
Why would you deploy a
server or application
with default passwords
unchanged?
Why would you
share this power?
Why would you
remain ignorant of
how your system
or home is kept
secure?
Would you have
one key for every
lock at home?
Would you give your
colleagues power of
attorney over you?
Would you have a front
door with a lock that every
one in the world had a key
to?

84. https://www.flickr.com/photos/tombullock/
It’s time to put the ‘S’ back into developer

85. Defense against Cybercrime
There is no magic wand.
But before you learn how to write a secure app
Learn how to build and deploy a secure app