Securing your App and the History of Guerilla Warfare

by Scott Feinberg

In the video titled Securing your App and the History of Guerilla Warfare, presented by Scott Feinberg at RubyConf AU 2015, the discussion revolves around the challenges of security in financial services and how hackers employ guerrilla tactics to exploit vulnerabilities. Feinberg emphasizes the ongoing battle to protect users from potential threats.

Key points covered in the presentation include:

- Introduction to Guerrilla Warfare: Feinberg begins by discussing the origins of guerrilla warfare and parallels it to modern hacking tactics. He highlights that hackers, like guerrilla fighters, operate in a decentralized manner and often change tactics to evade detection.

- Historical Context: Using examples like the Xiong Nu and their tactics against the Chinese Empire, Feinberg illustrates how these strategies are reminiscent of hacker techniques today, as they focus on quick raids rather than holding territory.

- Patterns of Attack: He outlines the necessity for developers to understand potential vulnerabilities and encourages thinking like a hacker to identify these weak points.

- Types of Patterns: Feinberg categorizes patterns as essential (criteria that must be met for transactions) and non-essential (indicators that require further investigation but are not definitive).

- Example of a Password Attack: He discusses the implications of horizontal password attacks, highlighting the importance of strong password policies and adequate monitoring for unusual login attempts.

- Data Collection: The importance of collecting data to track typical user behavior and identify anomalies is stressed multiple times.

- Involving the Community: Feinberg mentions platforms like HackerOne and Bugcrowd, which allow companies to pay ethical hackers for identifying vulnerabilities, thus promoting proactive security measures.

- Engaging with Security: Security should not be viewed as a burden but rather an engaging challenge similar to the detective work of Sherlock Holmes.

In conclusion, the talk advises developers to be proactive in understanding their applications' vulnerabilities and to thematically approach security not just as a legal obligation but as a critical engagement with their user base. The essential lessons emphasize understanding patterns of behavior, proactive vulnerability testing, and maintaining a continuous dialogue about security within development teams.

00:00:00 Awesome! So this is my second RubyConf from Australia. I'm super excited to be here for a second time, so thank you all.

00:00:05 My title isn’t quite right. Normally, when I do this talk, I cover a lot of the basics. However, given that you are an advanced group, despite my impostor syndrome, I’m going to assume we don’t need to cover all of those basics.

00:00:18 So, the title should be something more like 'Hackers, Fraud, and the History of Guerilla Warfare.' My name is Scott Feinberg, and I am the developer evangelist at TweetA, a payment processor in the States.

00:00:30 I live in Denver, Colorado—that's in America—and we don’t believe that we are impostors, nor is anyone else. Despite being a member of the US, I am also a member of Ruby MN Zed. Turns out, all I had to do to get in was write my name on a form along with my email address, and now I’m a member! I’m really excited.

00:00:49 I hope they have cards, because I'm going to a conference called Happiness Com. It's in Boston, also in America, and it's a conference about developer happiness. Our CFP is open, so if you go to paper.camp.io/happiness, you should submit a talk so that we can send lots of money and fly you to America!

00:01:07 What we’re going to learn today is the lineage of hackers and strategies to identify fraud in your app. But first, I have a story. I promised you this would be about guerilla warfare, so let's start with the origins of that.

00:01:19 The term 'guerrilla' comes from a French term, 'la petite guerre,' which means 'small war.' The term 'guerrilla' actually refers to Spanish irregulars who fought against Napoleon in the early 1800s. Who were some of the first guerrilla fighters that we know of?

00:01:36 We had Mel Brooks, who defeated the English in the Tartan Reom Bel Yin. In fact, Robert the Bruce never fought a battle where he didn’t have the higher ground, which is why he is known as the Gorilla King. And of course, we have Judas Maccabee and the story of the Maccabees retaking Judea.

00:01:56 This is the Hebrew Hammer—it’s actually a really great movie, but you'll only see it late at night. They had a great strategy where they would lure people into a small mountain path and then shoot down at them, which is how they defeated the Romans.

00:02:15 Today, we're going to talk about a group that, despite being overlooked in Western culture, played a significant role in guerrilla warfare: the Xiong Nu. I Googled how to pronounce it, and we’re going to go with 'Chung Mu'. Apologies if that’s incorrect.

00:02:34 You’ve probably never heard of them. Who here has seen the movie Mulan? It’s a Disney movie with the song 'I’ll Make a Man Out of You.' It’s really good; you should watch it even if you don’t have kids. Interestingly, that character is loosely based on the Cheung Mu.

00:02:51 The Xiong Nu were known as 'mountain barbarians.' They were incredible horsemen who frequently humiliated the Ummah Chinese, who at the time were known as the Celestial Empire. In battle, they were a nomadic tribe that moved from place to place, plundering and raiding as they went.

00:03:07 They had to be tracked down in order to attack them. As a quote suggests, like Robert the Bruce, they never fought a fair fight, and when they saw one, they ran. The Chinese established this policy called 'Heqin,' which essentially involved marrying off a Chinese princess to the Xiong Nu in order to pacify them.

00:03:22 The Chinese would pay ever-increasing bribes to the Xiong Nu to keep them from plundering. This strategy only lasted so long because the Xiong Nu continued to raid regardless of being paid.

00:03:39 The Xiong Nu were a loose federation of tribes with no real leadership, so the Chinese established a professional army dispatched to the frontier to fight the Xiong Nu in a similar nomadic manner.

00:03:49 At first, this worked out well, and they were able to track them down. However, no one really wanted this job because it essentially meant becoming a nomad chasing a nomadic tribe across the desert. So, the adventurers just went back to paying them off.

00:04:08 The challenge with the Xiong Nu was that they were never concerned with occupying lands or overthrowing the BDM dynasty; they just wanted to raid. This makes them quite hard to fight. In modern times, the tactics of the Xiong Nu are very similar to how hackers operate.

00:04:30 Hackers often work independently, sharing information among themselves and sometimes joining hacker collectives to take on larger challenges—similar to groups like Anonymous. These hacker groups are loosely bonded and have constantly changing allegiances.

00:04:49 In a world where guerrilla tactics work so well, why would anyone ever employ a conventional army? Why would you give up the light footprint that groups like the Vietcong used to fight far beyond their weight class?

00:05:03 Two armies, like these, which are notoriously inefficient and easy to pick off, seem rather wasteful. Just consider their appearances! The Turks were a raiding tribe that eventually created a conventional army when they became the Ottoman Empire.

00:05:22 The raiders would never have stood a chance taking on Constantinople. This battle required 69 cannons, with 27-foot guns firing half-ton stone balls. Small raider tribes could never handle that.

00:05:40 Ultimately, when people get greedy and wish to acquire land, assets, and power, they can’t just raid; they must build a conventional army. This sounds like our hacker friends. They share a cultural affinity for a raiding style of warfare, attacking weak, easily conquered targets.

00:06:02 They are willing to retreat and change their targets at a moment's notice, holding no fixed positions. So, there’s no point in countering when faced with a specific challenge.

00:06:16 When they band together, they can disperse just as quickly. So, what are hackers looking for? Well, they are going to look for vulnerabilities on your site and, when they find one, they're going to exploit it as quickly and as often as possible.

00:06:37 There’s no slow ramp-up; one day you’re not being attacked, and the next day they’re going after you as hard as they can. This is because when hackers find a problem on your site, they will often boast about it on the dark web or even on public forums.

00:06:57 They encourage others to try their hacks too. This means you can become inundated with attacks. Once a vulnerability is fixed, however, they’re smart; they will retreat and regroup to find a new way to go after you.

00:07:13 Eventually, they will reach a point where the effort needed to exploit your site is worth less than the time it takes to find a new vulnerability. So, how do you even know if you’re being raided? You must determine what patterns to look for.

00:07:34 These patterns will be specific to your app. Every app has its own unique traits. To start, think like a hacker—what would they consider vulnerable? What strategies would they use? Once you establish what to look for, you can start tracking these specific aspects of your app.

00:07:56 You will want to be notified if someone is trying to break in. And remember to record as many data points as you can; you'll never regret having too much data about what's going on in your system.

00:08:14 There are two types of patterns we’re going to talk about. Essential patterns are those that you cannot get around; they are binary—someone must meet certain criteria. For example, when withdrawing money, you need a login and should provide your social security number.

00:08:33 We must have enough information about you from the internet to verify you are a legitimate person. Databases like Equifax or Credit Check help confirm this information.

00:08:53 Also, you need a bank account which must be one we haven't already flagged. This is an essential pattern—without all of these pieces of data, there’s no way we’re sending you any funds.

00:09:11 And with these patterns, you can block access firmly. If someone doesn’t have this data, that’s a clear sign that you do not need to send funds or perform any action within your app that gives them something of value.

00:09:27 The other types of patterns are non-essential, which are things you cannot block on. While they may be associated with fraud, they can also be entirely legitimate. It's rare that you can just block individuals outright.

00:09:50 Usually, you’ll look at a series of patterns together. If multiple suspicious activities coincide, you should investigate further. These patterns will differ for you, but some may help highlight unusual activity.

00:10:07 For instance, if your account was recently hacked, the first things they are likely to do are change the password and the email address. They may also log in from a new IP address.

00:10:25 You have all this metadata that showcases how this person's activity differs from before. There may also be significant changes in how they use the app. If someone who typically transacts $20 suddenly makes a $20,000 transaction, that’s a red flag.

00:10:45 Here’s an example of an attack. If anyone here wants to break into websites, the following method is a great way to start: 99 percent of the sites out there probably have no defense against this.

00:11:19 The reason this is such a hard problem is that there are no essential patterns to block against. An attack of this nature targets all accounts in the system; there’s no retry limit that can be reached.

00:11:37 Eventually, they will start breaking in. Your only hope is to have strong password requirements, and that users are actually using them. For instance, there’s a bank in the US where the password limit is a maximum of 8 characters. You don’t want to be that person!

00:12:02 Let people have passwords as long as they want. When looking at these horizontal password attacks, you can analyze the traffic that is coming in and how fast people are trying to log in from various IPs.

00:12:29 These are non-essential patterns. They don't necessarily suggest wrongdoing but may indicate unusual traffic. One strategy to determine if you’re under attack is to record everything happening during login attempts.

00:12:56 You need a way to be notified. If all you know is that your traffic spikes one day, you might think, 'Great! People are using our site!' But for me, it’s often because a bot is hammering away at me, not because we made headlines on Hacker News.

00:13:17 Thus, we must record this information to identify any problems. We need a way to form a fingerprint of what a bot attempting to break in looks like. While the IPs can change, metadata is often consistent.

00:13:38 Now, if they are smart, they will change up a lot of this but you can often develop a fingerprint to identify when someone is trying to break in.

00:14:00 A classic example is Twitter. Let’s say there are spam bots that used to be a huge problem. How do we stop a bot that compromised someone’s account? Likely, they will change the password and hook up a third-party API.

00:14:21 They aren't doing this action themselves; they’ll have a bot do it. They may start following a lot of new accounts, and they could tweet out links at a rate far beyond what is normal.

00:14:41 All of these activities change what the user would typically do. One way to identify suspicious activity is when someone changes their password and adds a third-party API.

00:15:02 If they trigger a sudden increase in tweets, that’s a signal. While this approach may not be foolproof, it can provide strong indicators that something is amiss.

00:15:23 There are of course more advanced patterns. The quality or content of tweets could change, or there may be unusual login patterns. It’s crucial to collect data initially so you can analyze it and identify what's happening.

00:15:45 So, what do we learn? We learn that we need to identify our essential patterns—these are the ones we can block against and be strict about. We also need to identify our non-essential patterns.

00:16:04 How we want to track them is important as well, and as with the Celestial Empire, we too have ways to pay our hoards. Websites like HackerOne and Bugcrowd allow us to pay people to hack our sites for us.

00:16:29 Rather than stealing things, we pay them to report vulnerabilities they find. This is a fantastic way to prevent risks because instead of breaking into your site, they look for bugs and can alert you.

00:16:54 This might yield $500 or something less, but all the major websites today—Twitter, LinkedIn, Facebook—employ strategies like this. It costs nothing to get started until vulnerability reports come in.

00:17:15 You should cover the basics. Reading the Rails Security Guide is typically all you need to understand. However, when dealing with security issues, remember that you have a constituency to protect—your users.

00:17:39 When thinking about fraud and security risks, don't consider it a chore. Security should be engaging and enjoyable. Think of it as being like Sherlock Holmes, figuring out how to get into the mind of a hacker.

00:18:03 I want you all to go home and think: How do you track down those raiding hordes? How do you become the Sherlock Holmes of your application to keep your users safe? Thank you!

RubyConf AU 2015