We hired hackers to hack us; A case study about cloud-based authentication and security in IBM Connections

Vienna, October 16-17 2017
We hired hackers to hack us;
A case study about cloud-based authentication and
security in IBM Connections
Robert Farstad
@robertfarstad

Social Connections 11 Chicago, June 1-2 2017Social Connections 12 Vienna, October 16-17 2017

PLATINUM SPONSORS
GOLD SPONSORS
SILVER SPONSORS
BRONZE SPONSORS

This session…
…is mainly for you tech-people.
But very useful for everyone to see. Might be an eye-
opener.
No talk about:
•  What IBM Connections is…
•  What IBM Cnx can give you…
•  No ROI talk, what so ever!
•  How to use IBM Cnx!!

This session…
…is a case study where I will show you
•  an integration with Auth0.
•  how we hired hackers to hack us.

The customer

The customer -
•  Political party, won the election 2017, second time in a row.
•  Norways Prime Minister is Høyres leader.
•  60.000 members
•  Was a white-space customer.
•  Now: Connections + Docs + Sametime
•  IBM Reference Customer.
•  Security is a priority, more and more.
•  Election year = hacking attempts.
•  We hacked them first!

- cloud based authentication
Høyre used Auth0 for all websites.
Requirement for them to become a Connections
customer was:
•  Authentication integration with Auth0!
•  è POC – Item Consulting developed a TAI
mechanism towards Auth0.

What is Auth0?

You can connect any application.
•  Custom credentials: username + passwords
•  Social network logins:
•  Google, Facebook, Twitter, and any OAuth2, OAuth1 or OpenID
Connect provider.
•  Enterprise directories:
•  LDAP, Google Apps, Office 365, ADFS, AD, SAML-P, WS-
Federation, etc.
•  Passwordless systems:
•  Touch ID, one time codes on SMS, or email.
•  Supports several 2-factor solutions.

•  JSON Web Token
•  Secure API: (TLS v1.2, AES_128_GCM and uses
ECDHE_RSA as the key exchange mechanism. )
•  Extensible admin tool.
•  Monitoring, (#logins, where from, who fails, hack
attempts, alarms.)
•  Blocking
•  Logs
•  Synced with Høyres back-end member system via
MSSQL DB, securely!

+ TAI
•  Item developed a WebSphere Application
•  TAI – Trust Association Interceptors.
•  èLTPA after authenticated
•  New Auth0 login page.
•  Logout pages are modified
•  Logs out of Auth0
•  Logs out of Websphere

Devices used
Login occurs from:
•  Browsers
•  Apps
•  Desktop plugins.

Technically, the login procedures are
quite different.

Web-browsers

Apps + Plugins

Tivoli Directory server - TDS
◘  FREE/Bundled LDAP server for IBM Connections
◘  Standard setup between WebSphere and TDS
◘  Import of users via TDI/SDI to TDS.
◘  From MSSQL Database – over site2site vpn.
◘  Imports only the most relevant fields
Name, email, mobile, position, company, department

Tivoli Directory server – TDS + PTA
◘  Password field in TDS is blank!
◘  PTA is triggered.
◘  What is PTA?
◘  Pass Through Authentication
◘  PTA is configured to search in
alternative LDAP source.
◘  The password is stored in Auth0
◘  Our PTA source is TDI / SDI
◘  TDI calls the TAI application – gets
response code 200 if OK.
◘  è logged in

What is TDI/SDI?
◘ Tivoli Directory Integrator / Security Directory Integrator
◘ Data manipulation system, limitless possibilities.
◘ Eclipse based – Javascript coding.
◘ Used to move, consolidate, manipulate data.
◘ Used in Connections for profile data import.
◘ Best tool ever, once you´ve learned the jift of the gui and
debugger.

TDI – acting as an LDAP server.
◘ Simulates an LDAP server
◘ Gets attempted username and password from TDS PTA.
◘ Credentials è WebSphere Auth0login app.
◘ WAS app è REST lookup to Auth0 API.
◘ Gets return code OK or NOT_OK.
◘ TDI receives same code from the WAS app.
◘ TDS PTA receives same code from TDI.
◘ TDI runs multiple instances – Can handle large load.

Simple code – extremely powerful!

Did they get in?
We hired hackers

What they tested
Login
attempts
SSL +
headers
Apps
Stolen
laptop
Me! Sensitive
information

SSL tests
www.ssllabs.com Grade was bad After hardening
SSLChipersSuite, honorChipersOrder and SSLV2
+V3 disabling. TLS only

SSL tests – http config for Grade A
SSLEnable
SSLProtocolEnable TLS
SSLProtocolDisable SSLv2 SSLv3
# Disable SSLCompression -> CRIME ATTACK
SSLCompression off
#Prefer ECDHE-RSA ciphers
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
# Enabling this 3 ciphers mean A- rating on ssllabs
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec ALL SSL_RSA_WITH_3DES_EDE_CBC_SHA

Headers
securityheaders.io Grade was bad After hardening
HTTP config to achieve Grade A:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload”
Header set Referrer-Policy "same-origin”
Header set X-Content-Type-Options "nosniff”
Header set X-XSS-Protection "1; mode=block”
Header set X-Frame-Options "DENY”
Header set X-Frame-Options SAMEORIGIN

The Mobile App
Decompile
• Android app is decompilable
• Broken down to study code
Test
• Tried every url found in code
Result
• Found no insecurities!
• But MITM attacks were possible!

MITM - Man-in-the-middle attack
An employee is out traveling and
connects to a public network such as
a hotel or airport WIFI.

But instead, connects to a hackers
wifi hotspot.
Then clicks on “Continue”….

He/she will give the hacker running a
MITM attack, full visibility over the
traffic.

mobile-config.xml has the solution for
the connections app.

Don´t press “Continue”!. Tell your
admins to fix it.

Demo time
The demo consisted of showing a
MITM attack + username/password
“cluster bomb” attack using free tool
Burp Suite.

Accident waiting to happen

What did they find when they got in?
Stolen Laptop Scenario

Stolen Laptop Scenario
•  Not hard to find password on PC
•  Once in, passwords to sites are
normally stored in browser.
•  Saved wifi hotspots gives hackers
GPS coordinates => can drive up
alongside your company's building
and connect.
•  Hackers found sensitive
information open to all of the IBM
Connections users.
Don´t expose login information
available to everyone!

They hacked me!
Or at least, they tried to…

They hacked me!
•  They knew who I was.
•  Googled me, found my blog.
•  In one of the screenshots, a
password was censored.

They hacked me!
I was a weak link…
How hard is it for hackers to find IT
staff at your company?
LinkedIn search… Google search…

Google is both your friend and your
enemy.
•  Bad censoring!!
•  Found 6 out of 9 chars by
matching font, size and studied
curves.

Avoid stress

•  Mask/hide better!
•  Hackers are clever
bastards.
•  Hackers has A LOT of
free time.
•  Implement 2-factor
authorization
mechanism, like Auth0
•  Hide your stuff.
•  Once again: Hackers are
clever bastards.
•  Lockout policy – i.e. 5
attempts => locked out…
Hackers has tools for that!
•  Train your users!

Useful links:
Check SSL: https://ssllabs.com
Check Headers: https://securityheaders.io
Analyze CSP: https://report-uri.io/home/analyse
What can your browser support? http://caniuse.com/#search=referrer%20policy

Auth0 multi-factor authentication: https://auth0.com/docs/multifactor-authentication

Burp Suite: https://portswigger.net/burp

Ethical Hacker Certification: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/

My blog: http://blog.robertfarstad.com
Twitter: https://www.twitter.com/robertfarstad
Item Consulting: https://www.item.no

We hired hackers to hack us; A case study about cloud-based authentication and security in IBM Connections

PLATINUM SPONSORS
GOLD SPONSORS
SILVER SPONSORS
BRONZE SPONSORS

We hired hackers to hack us; A case study about cloud-based authentication and security in IBM Connections

More Related Content

What's hot (20)

Similar to We hired hackers to hack us; A case study about cloud-based authentication and security in IBM Connections (15)

More from LetsConnect (20)

Recently uploaded (20)

We hired hackers to hack us; A case study about cloud-based authentication and security in IBM Connections