Cyber Security in the life and work of a Computer Scientist

I talk about two talks from the Ekoparty Security Conference. The first is in the software engineering area, about password recovery systems. The second is in the research area, about the Stratosphere Project.

Christofer Chávez Carazas

October 18, 2018

Transcript

  1. Cyber Security in the life and work of a Computer Scientist

    Christofer Fabián Chávez Carazas [email protected] San Agustín National University October 18, 2018 Christofer Fabián Chávez Carazas [email protected] (San Agustín National University) Ekoparty Security Conference October 18, 2018 1 / 45
  2. Ekoparty Security Conference

    Annual computer security event in Argentina.
  3. Ekoparty Security Conference

    Annual computer security event in Argentina. A reference for the whole of Latin America.
  4. Ekoparty Security Conference

    International speakers (USA, Mexico, Russia, Spain and more).
  5. Ekoparty Security Conference

    International speakers (USA, Mexico, Russia, Spain and more). Research and application.
  6. Overview
  7. Overview
  8. Overview
  9. Software engineering approach

    Nahuel Sánchez @nahucito, Martín Doyhenard @tincho 508
  10. Password recovery systems

    Why target password recovery systems?
  11. Password recovery systems

    Why target password recovery systems? Present in almost any modern system.
  12. Password recovery systems

    Why target password recovery systems? Present in almost any modern system. There isn’t a good default solution.
  13. Password recovery systems

    Why target password recovery systems? Present in almost any modern system. There isn’t a good default solution. Underrated complexity.
  14. Password recovery systems

    Why target password recovery systems? Present in almost any modern system. There isn’t a good default solution. Underrated complexity. Vulnerabilities can have CRITICAL impact.
  15. Password recovery systems

    Present in almost any modern system.
  16. Password recovery systems
  17. Password recovery systems

    FACEBOOK: Password recovery PIN brute force. 6-digit PIN codes. No PIN brute-force prevention on a certain Facebook domain. Any account could be hijacked.
  18. Password recovery systems
  19. Recovery code/token prediction

    Tokens MUST be random and secret.
  20. Recovery code/token prediction

    Tokens MUST be random and secret. How “random” is it?
  21. Recovery code/token prediction

    Tokens MUST be random and secret. How “random” is it? Its value depended on the timestamp at which the user requested the password reset.
  22. Recovery code/token prediction

    Tokens MUST be random and secret. How “random” is it? Its value depended on the timestamp at which the user requested the password reset. Password reset tokens were predictable.
  23. Recovery code/token prediction

    Tokens are used in emails.
  24. Recovery code/token prediction

    Tokens are used in emails.
  25. Password recovery systems
  26. JSON Injection
  27. JSON Injection
  28. JSON Injection
  29. JSON Injection
  30. Password recovery systems
  31. Password recovery systems
  32. Secure password recovery mechanisms

    2FA for password recovery.
  33. Secure password recovery mechanisms

    2FA for password recovery. Secure method.
  34. Secure password recovery mechanisms

    2FA for password recovery. Secure method. Hard to implement.
  35. Secure password recovery mechanisms

    2FA for password recovery. Secure method. Hard to implement. Hard to use for some users.
  36. Secure password recovery mechanisms

    Reset password to random value.
  37. Secure password recovery mechanisms

    Reset password to random value. Easier to implement.
  38. Secure password recovery mechanisms

    Reset password to random value. Easier to implement. Security depends on how the new password is transmitted.
  39. Secure password recovery mechanisms

    Reset password to random value. Easier to implement. Security depends on how the new password is transmitted. The generated password must be secure.
  40. Secure password recovery mechanisms
  41. Password recovery systems
  42. Overview
  43. Research approach

    García Sebastián @eldracote, Maria José Erquiaga [email protected] @MaryJo E
  44. Indicators of Compromise
  45. Behavioral Model
  46. Stratosphere Project
  47. Stratosphere Project

    Each flow has features that define its state. Each state is assigned a letter.
  48. Stratosphere Project

    They hypothesize that the relationship can be modeled.
  49. Stratosphere Project

    They hypothesize that the relationship can be modeled. Their model produces a graph for each srcIP, where:
  50. Stratosphere Project

    They hypothesize that the relationship can be modeled. Their model produces a graph for each srcIP, where: Each node is a tuple (DstIP, DstPort).
  51. Stratosphere Project

    They hypothesize that the relationship can be modeled. Their model produces a graph for each srcIP, where: Each node is a tuple (DstIP, DstPort). The edges are the sequences of flows from one node to another in the network.
  52. Stratosphere Project

    The more times an edge is found, the thicker it is.
  53. Stratosphere Project

    The more times an edge is found, the thicker it is. The more times a node is repeated, the bigger it is.
  54. Stratosphere Project

    The more times an edge is found, the thicker it is. The more times a node is repeated, the bigger it is. The more times a node loops with itself, the darker its color gets.
  55. Stratosphere Project

    Normality Behavior
  56. Stratosphere Project

    The Other Normality Behavior
  57. Stratosphere Project

    The Cerber Ransomware
  58. Stratosphere Project

    - Cerber Ransomware: Nodes: 566, Edges: 702, Autolooping nodes: 20, Repeating edges: 590 (84%)
    - Normal I: Nodes: 98, Edges: 263, Autolooping nodes: 47, Repeating edges: 6 (2.2%)
    - Normal II: Nodes: 1072, Edges: 1881, Autolooping nodes: 95, Repeating edges: 4 (0.21%)
  59. Stratosphere Project

    The Extreme Normality Case
  60. Stratosphere Project

    - Extreme Normal: Nodes: 2499, Edges: 32023, Autolooping nodes: 219, Repeating edges: 318 (0.99%)
    - Other Normals: 1.1%, 1%, 0.9%, 0.9%
    - Other Malware: CTU-179, Barys: 100%; CTU-186, Normal+Cerber: 99.75%; CTU-183, Locky: 97.95%
  61. Stratosphere Project

    The Sality Case
  62. https://www.stratosphereips.org/datasets-malware/
  63. Cyber Security
  65. Thanks!
  66. Cyber Security in the life and work of a Computer Scientist

    Christofer Fabián Chávez Carazas [email protected] San Agustín National University October 18, 2018. Slides: https://goo.gl/7dLWN3
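
Slides 17 and 19 to 22 describe two failures: no limit on recovery PIN guesses, and reset tokens whose value depended on the request timestamp. The following is an added example, not code from the deck or from the talk it summarizes: it sets a timestamp-derived token beside one drawn from the OS CSPRNG with expiry, single use and a guess budget. The MD5 construction in `weak_token`, the `ResetTokenStore` class, the TTL and the attempt limit are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumed token lifetime
MAX_ATTEMPTS = 5              # assumed guess budget per issued token


def weak_token(email: str, requested_at: int) -> str:
    """Anti-pattern from the slides: value depends only on the request time."""
    return hashlib.md5(f"{email}:{requested_at}".encode()).hexdigest()


class ResetTokenStore:
    """Hypothetical in-memory store that keeps only a hash of each token."""

    def __init__(self) -> None:
        self._pending = {}  # email -> [sha256(token), expiry, attempts_left]

    def issue(self, email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[email] = [digest, now + TOKEN_TTL_SECONDS, MAX_ATTEMPTS]
        return token  # delivered to the user; never stored in clear

    def redeem(self, email: str, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(email)
        if entry is None or now > entry[1] or entry[2] <= 0:
            self._pending.pop(email, None)  # expired or guess budget spent
            return False
        entry[2] -= 1
        presented = hashlib.sha256(token.encode()).digest()
        if hmac.compare_digest(entry[0], presented):
            del self._pending[email]  # single use
            return True
        return False


if __name__ == "__main__":
    # Constructed inputs: the weak token is a pure function of its arguments.
    print(weak_token("user@example.com", 1539820800))
    store = ResetTokenStore()
    issued = store.issue("user@example.com")
    print(store.redeem("user@example.com", issued))
```

Storing only the SHA-256 of the token means a read-only leak of the pending table does not hand out usable reset links.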
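
The per-srcIP graph from slides 49 to 54 and the counts reported on slides 58 and 60 can be computed as below; this is an added example, not code from the Stratosphere Project or the deck. It assumes that "Edges" counts distinct edges, that a repeating edge is a distinct edge seen more than once (consistent with the slide figures, e.g. 590/702 ≈ 84%), and that a self-loop counts as an edge; the function names and sample flows are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed flows in time order: (src_ip, dst_ip, dst_port), documentation addresses.
X, Y, Z = ("192.0.2.10", 443), ("192.0.2.20", 80), ("192.0.2.30", 8080)
SAMPLE_FLOWS = (
    [("10.0.0.5", *n) for n in (X, Y, Z) * 3]           # same three hops repeated
    + [("10.0.0.9", "198.51.100.1", 53)] * 2            # one self-loop
    + [("10.0.0.9", f"198.51.100.{i}", 443) for i in (2, 3, 4)]
)


def build_graphs(flows):
    """Return {src_ip: (node_counts, edge_counts)} for time-ordered flows."""
    nodes = defaultdict(Counter)
    edges = defaultdict(Counter)
    previous = {}  # src_ip -> node reached by that source's previous flow
    for src, dst_ip, dst_port in flows:
        node = (dst_ip, dst_port)          # node = (DstIP, DstPort)
        nodes[src][node] += 1              # drives node size in the plots
        if src in previous:
            edges[src][(previous[src], node)] += 1  # drives edge thickness
        previous[src] = node
    return {src: (nodes[src], edges[src]) for src in nodes}


def summarize(node_counts, edge_counts):
    """Compute the counts shown on the slides for one source IP."""
    total = len(edge_counts)
    repeating = sum(1 for seen in edge_counts.values() if seen > 1)
    autoloops = sum(1 for (a, b) in edge_counts if a == b)
    return {
        "nodes": len(node_counts),
        "edges": total,
        "autolooping_nodes": autoloops,
        "repeating_edges": repeating,
        "repeating_pct": round(100.0 * repeating / total, 2) if total else 0.0,
    }


def analyze(flows):
    return {src: summarize(*g) for src, g in build_graphs(flows).items()}


if __name__ == "__main__":
    for src, stats in analyze(SAMPLE_FLOWS).items():
        print(src, stats)
```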