David Wong

cryptologie.net

cryptography, security, and random thoughts

Hey! I'm David, cofounder of zkSecurity, research advisor at Archetype, and author of the Real-World Cryptography book. I was previously a cryptography architect of Mina at O(1) Labs, the security lead for Libra/Diem at Facebook, and a security engineer at the Cryptography Services of NCC Group. Welcome to my blog about cryptography, security, and other related topics.

← back to all posts

OWASP Chicago

blog

This evening I was at Braintree’s office in Chicago for the new edition of the Owasp meeting. The offices were amazing and huge!

braintree

They had beer pong tables, ping pong tables, a mini-arcade and a bar! (all that right next to the workspace)

beerpong

Plenty of nice conference rooms

conf room

Some had whiteboard tables!

whiteboard table

And in the largest building of Chicago!

building

1 Trojaned Gems - You can’t tell you’re using one!

Brandon Myers, a security researcher at Trustwave, was the first one to talk. He found out that when you executed gem fetch or gem install, the ruby package manager, it would allow a Man In The Middle to do a DNS poisoning attack to redirect you to his servers. Even though everything happens over TLS! This is because gem doesn’t check for the domain in the certificate of rubygems.org: it just checks that the server has a valid certificate and that’s all. You would then download the gem on his server and… game over.

He said that the same thing was happening when developers were pushing their gems to rubygems.org …

That’s a shame, and way worse than the downgrade https attack of go.

One way of mitigating the first MITM would be to just use curl or wget directly with https://www.rubygems.org and do whatever the gem fetch does to get the gems. Because curl or wget should have a correct implementation of TLS that dodge fake DNS responses (that’s why DNSSEC is useless if you query a https webpage with a correctly signed certificate).

To mitigate the second attack Brandon talked about signed gems, and that it was far from being efficient since none of the top gems are signed.

Two other problem were that if a fix comes around, gem update --system is vulnerable to the attack (since gem is itself a gem) and not using the fully secure gem signing allows some dependencies of not being signed (and thus a MITM would be able to modify those).

2 Attacking and Defending DevOps

Patrick Thomas and Alec Gleason followed by explaining how much they pwned their client with heartbleed, passwords in clear and github hooks. They then explained how you could get more information out of a pwned machine if there was git, vagrant, chef, docker and other non-crypto stuff installed on the machine.

All of this was facilitated by Devops,

a software development method that emphasizes communication, collaboration (information sharing and web service usage), integration, automation, and measurement of cooperation between software developers and other IT professionals.

https://en.wikipedia.org/wiki/DevOps

devops

They said it was still a good thing but if done correctly.

After that I went to Chisec meet some people of the security community!

← back to all posts blog • 2015-06-18
currently reading:
OWASP Chicago
06-18 blog
📖 my book
Real-World Cryptography is available from Manning Publications.
A practical guide to applied cryptography for developers and security professionals.
🎙️ my podcast
Two And A Half Coins on Spotify.
Discussing cryptocurrencies, databases, banking, and distributed systems.
📺 my youtube
Cryptography videos on YouTube.
Video explanations of cryptographic concepts and security topics.