
BSides DC 2018 - How online dating made me better at threat modeling

BSides DC · 2018 · 27:55 · Published 2018-11
Category: Technical
Style: Talk

About this talk
Isaiah Sarju uses online dating sites such as Tinder and OkCupid. At times this seems antithetical to his stance on privacy and security. To better understand the security ramifications of online dating, and to establish safer methods of doing it, he applied threat modeling to online dating. Through this he came up with a set of best practices depending on your threat model. This talk is relevant for anyone who is trying to balance privacy/security and a desire for human connection in this modern world. Due to the real and perceived dangers of online dating, the stigma that surrounds it, and the pervasiveness of it, it is a great lens through which folks can be introduced to the core principles of threat modeling. It also makes it fun to talk about!

Isaiah Sarju (Co-owner at Revis Solutions, LLC)

Isaiah Sarju is a co-owner of Revis Solutions, LLC, a boutique information security firm. He has contributed to the Microsoft Security Intelligence Report, conducted numerous white hat hacking attacks, and taught students how to become top tier defenders. He plays tabletop games, swims, and trains Brazilian Jiu-Jitsu.
Transcript [en]

BSides DC would like to thank all of our sponsors, and a special thank you to all of our speakers, volunteers and organizers for making 2018 a success.

Hello everybody, thank you all for coming out to my talk. I appreciate it. I like talking about this stuff. I'm Isaiah Sarju, and today I'll be talking about how threat modeling made me better at online dating. It's really focused on threat modeling, which I think is a great skill for folks in security to have. I think we sometimes get caught up in, like, the sexy stuff, you know, the exploits and all that, but in the end, why we're doing all this is to make this world more secure and protect people that we care about. And so I thought that online dating would be a nice, modern kind of context in which to talk about threat modeling and to learn what are some of the skill sets that we need to have to do threat modeling effectively.

So first, who am I? I'm a security consultant, co-owner at Revis Solutions. I'm a red teamer, I do penetration testing, I also teach information security, I teach penetration testing. I have certain worldviews that kind of led me to do this talk, the first being kind of what I'm against. So I'm against nihilism, I'm against security theater, I'm against waste of time. I'm very much pro risk-based security. And it's completely unrelated to this talk, but I love chocolate chip cookies, so if you enjoy the talk you can buy me a cookie; if you hate the talk and you see me eating a cookie, just, like, slap it out of my hand. It'll be infinitely devastating for me, and it will let me know that you did not like what you saw.

So some good things to know. Who is this talk for? It's for folks who want to learn about threat modeling. I'm by no means a professional at it. I do use it on my day-to-day job, I help developers do threat modeling. I don't consider myself the best person at threat modeling, so this is... I did this talk to also help myself become better at it, get back to the core principles. So: to learn what threat modeling is, learn the basic steps for modeling, and then how can we as developers, as product owners and as end users use threat modeling. So this talk is for both sides of the coin: folks who are building these applications, or any application that has privacy concerns, and folks who are using any application where PII is involved. And then hopefully you'll walk away with some tips on how to do online dating better around security. I can't help you with your dating game, I can barely help myself, so let's just curb expectations right now: I can't help you be better at the dating part itself.

So in the end you should have a basic understanding of data flow diagrams, STRIDE, attack trees, and the principles of nymity and linkability. So these are the core principles around threat modeling, and specifically threat modeling for privacy, and it'll be a good place to get started and to do continuing research, if it's something that you're interested in, and bring into your own organization, or doing in aspects of your life.

So I don't need to beat kind of the horse of why online dating is important to talk about, because it's growing in popularity; there's any number of graphs that show that. What I found humorous and enlightening was, when you search "dating software", Google recommends Tinder, Bumble, Grindr, you know, the regular ones, and they also recommend PostNuke and MySQL. So Google is like, "wait, dating software? You must want MySQL," which just demonstrates how much our dating lives are getting put into databases, and the intersection of technology and our personal lives.

So why bring threat modeling to online dating? Because I want to avoid, promote, build and protect certain things. I want to avoid security nihilism. It's very easy in our industry to go, "oh my gosh, the sky is always falling, there's no hope," or as an end user, you know, you hear breach after breach after breach after breach, you're like, "if I give my information to this new company they're gonna lose it anyway, they're gonna mishandle it, and we're all pwned all the time, that's just the way it is, why even care?" I don't believe it has to be that way. I think that we can promote safe interactions. I believe that folks can engage in these online communities, engage in these platforms, and be able to do so feeling safe. And in the end, I want developers and folks who own these products to build more privacy- and security-centric applications, to build that into the process and not just bolt it on. It'll build user trust. I believe it's also, you know, if you aren't getting sued, it's a good way to hold on to the money that you've made. And then in the end, all this is pointless... like I said, I'm against doing security for security's sake. I think a lot of times it's fun to point the finger, catch people with their pants down, say "aha, you're doing this wrong," but that's pointless, that's just an exercise in kind of propping yourself up. What do you mean? Ah, no comment on either of this, I'll just avoid that one altogether. But yeah, so in the end we have to have a point to what we do; without that, it's just security for security's sake. So we want to protect users. There are any number of groups who don't feel safe engaging in online dating, because there hasn't been a space created for them to do that safely and feel like their privacy is being thought of, but still be allowed to engage with the platform. So that's the point of doing all this.

And there are consequences of doing bad threat modeling. There are many; we've read about them, we've heard the horror stories. I'm only going to focus on two. I'm going to talk about the Checkmarx research that some of you are probably familiar with, Checkmarx research from earlier this year, and then this idea of data linking, and demonstrating kind of how easy it is to link data and reduce the nymity of a given target.

So the first step to doing threat modeling is, you know, the boring part, the least sexy part: data flow diagrams. So this is one that I put together for online dating. It's simple, it's definitely missing a lot of things, but I want you to keep this in mind as I describe it, and I'll hop back and forth, so keep that in mind as we describe what a DFD is. So you want to first decompose the application process, and you want to understand how data is flowing. Then we can apply STRIDE, which some of you are probably familiar with; I'll get into it for those of you who don't know what that is. And we can apply STRIDE to each step of that data flow diagram, and that's gonna help us start to think about actual threats.

So again, what are we opting for? So we decompose the application, we see its distinct areas, right there: we have the dating application, the social media that might get tied into it, we have the end users that are using it, we have third parties that get all this data sold to them, because why not monetize your customers, you know, in addition to how you're just monetizing them directly. So we decompose that, we see how it's all connected, we understand how data is flowing, some data flowing unidirectionally, some bidirectionally, and then what we can do is we can look at each step and we can apply STRIDE to it.

So STRIDE is a great acronym: it's spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege. So this is how we can start to... it gives a way of thinking about it in a systematic way, of coming up with potential risks to our application and to our environments. And this doesn't just have to happen in a data flow diagram; you can do this when you're on an offensive team, you're trying to think about what could be some vulnerabilities in this application. They're usually going to fall under STRIDE, and it gives you a good way to brainstorm.

So just some examples. So spoofing: you could falsely claim to be Isaiah Sarju on your Tinder profile. I wouldn't recommend that; your success rates would probably go down a lot. But there is no way of necessarily verifying folks; Tinder is known for having a lot of bots, a lot of people spoofing. Bumble does offer a level of verification; it's an option, not a requirement. Then there's tampering, such as changing the presented profile photo, changing a swipe. Let's say there's someone acting as a man-in-the-middle at a coffee shop or something like that, being able to change the interaction that somebody's having on that platform. Repudiation: being able to say "I didn't swipe right on that person" without the application being able to say "you absolutely did, you absolutely did." So there's no, like, signing of a swipe, some type of digital signing of it; it's not being put into anything that has some level of non-repudiation. Information disclosure: so disclosing who you're swiping on, disclosing your matches, disclosing who you're chatting with after a match. That's one thing I want to focus on, information disclosure; it relates to the two examples that I'm going to talk about in a bit. Then there's something like denial of service, so not being able to have the front end talk to the clients. This could be, you know, not being able to access Tinder on a Friday or Saturday night. That could mess up a lot of people's plans, and, you know, if you're not able to connect, you'd kind of be screwed, and not in the way that we like for online dating. But, like, if there's a denial of service against your application, then they're going to go somewhere else, and that's not ideal. There's also elevation of privilege, and I didn't really think about elevation of privilege until the recent Facebook breach, where folks were able to impersonate a user and then use that to authenticate to third-party applications. And I should have thought about that just looking at this data flow diagram. Like, this was on me; just thought about it, look at the data flow diagram: I see social media has a direct connection with user data, with potentially authentication systems, and I didn't even think about this. And then the Facebook breach happened, and I was like, oh my goodness, yes, I should have thought about how those two can interplay with each other, and so being able to do something like a lateral elevation of privilege across one context of the user profile to that user profile in another context, social media to the dating application.

So let's look at an actual example. And what we'll do is, in threat modeling, when you're using data flow diagrams, you want to pick one of those intersections. That's where you want to start, where data is crossing context; that's where you're going to get the most risk. There's definitely risk internally within each one of these internal boxes, each internal context, but for example the end user context, that's my phone or my computer. I can pretty well control that; nobody's going to kind of access that if I have physical security around that, I'm carrying it on my person, I have a strong passcode, using a fingerprint, whatever it might be. I can pretty much prevent people from accessing that stuff on that device. But when it's crossing that boundary, that's when I get exposed to risk, and so this is where you want to start looking while you're doing threat modeling, is where data is crossing context, and that's the best place to start.

So if we look here, where you have these different potential clients connecting to the front end, the folks at Checkmarx (I keep adding an S there, excuse me), the folks at Checkmarx were able to show that the images that were getting loaded on the device, for someone to be presented with to swipe left or right, were sent unencrypted, and so they were able to see the images. And then once the person made a decision, the response they got (so that's the top right-hand corner image), the response they got differed in size based on if it was a no, a yes or a match. And so that was Tinder disclosing information on the decision that person made.

So, you know, we're sufficiently scared, there's no hope, yada yada. I don't believe that; we can always manage risk, and we have some choices. So for those of you who do risk management, these terms are pretty remedial; you're used to seeing them. For those of you who don't, they're good to understand, kind of what are our options for managing risk. We can accept it: okay, it's gonna be that way. We can avoid it: remove ourselves from that context. We can transfer it, you know, give somebody else responsibility, buy insurance, hire a security guard, whatever it might be; we're transferring that risk. Or we can mitigate it. And sometimes folks break up mitigation and reduction; I like to put them together, because you're either mitigating it partially or mitigating it fully. So you're taking a step to kind of reduce that risk, or you're taking a step to get completely rid of it. So I like to combine those together; I see them as similar things. It's a matter of how much you're handling the risk in its entirety.

Great, so let's apply this to that specific case of Checkmarx. So like I said, I want to approach this from the app developer side and from the user side, because I think there's responsibility for both parties. So at the app developer, they could have just put HTTPS on everything. Like, there's no reason why you shouldn't have HTTPS across every single data interaction between a client and your infrastructure. Just put HTTPS, just... I don't know, I'm not going to keep going, but, like, it blows my mind that they don't do that, because they do on other parts of their application. We know it doesn't slow things down; just do it, okay? So they could standardize the response size; that would prevent the information disclosure of the decision the person made, so they'd be mitigating that risk. Or they could just... they just don't care, they just accept it, and that's currently the route they've chosen to go. There's also steps the user can take. The user could use a VPN, so they can still exist in that environment, they can still swipe at a coffee shop, but they're mitigating that risk with a VPN. They could avoid that risk and only do it at home, so that they'd only be exposed to potentially their ISP. Or they just don't care, kind of the security nihilism, which I really don't like. I think there are steps we can be taking. So this has been an example of using a data flow diagram, applying STRIDE to it, and then thinking about how we can handle the risk.

There's another thing that I want to talk about, which is attack trees. And this is a great tool; I use this in my offensive work. When I have a target that I want to compromise, I'm going to create an attack tree, and I'm going to come up with the different routes I think I could get there. When I make actual attack trees for my red teaming engagements, they're much more complex and they're much longer left to right, because they intersect. You know, if I get caught in one area but I was able to get data before that, I could potentially use that for a different path, so the paths can intersect and overlap. And this is just a simple attack tree. So let's say you wanted to stalk somebody. I don't... I don't advocate for stalking anybody, actually. You could also say, let's say you don't want to be stalked: you can create an attack tree against yourself and say, how would somebody stalk me if they wanted to? So it's on both sides, the defense and the offense. So let's say an attacker's goal was to stalk someone and they wanted to learn where they live. Let's say they match with them on a dating application. If their opening message was "hi, I really like your profile, where do you live?", you know, maybe ninety-six, ninety-seven percent success rate with that, they could get the location that way, just by asking for it. Let's look down at "learn where they work"; that has some examples that I really want to get into. So some folks just put their company name right on their profile; they put their company, they put where they work. Or, you know, you could ask for it as an attacker. Sometimes folks disclose their profession, they disclose their real name, and then they also have some type of location data associated with it that can be used, you know, Monday through Friday, nine to five, having a relatively good idea of where somebody is. You can also spoof your location as an attacker fairly easily and move yourself around and get overlapping distance circles, distance radiuses, so you can overlap those and get an idea of where somebody is in real time.

And that brings me to this idea of nymity and linkability, so using those two to execute on the objective of learning where they work, and let's talk about that. So nymity is just the amount of information that's disclosed in an interaction. So anonymity, we're all familiar with it, it's the lack of nymity; so nymity is that information that we put out. And linkability is the ability to bring one or more records into a single record, and so I call this a super record or virtual record, or virtual join for database folks in the audience: that would be like a key. You'd have a key such as an email or phone number that you could find in multiple data breaches, and you could use that to link someone. So if you saw their phone number and their email associated in one breach, and you saw their email and their real name associated in another breach, you can link on that email, and you have the phone number, email and full name of that person. And so that's a super record or virtual record.

And so this is an example of someone's profile. I was able to, just with their real name... and you can't really tell, but in their profile they say "at some tech company"; that's like the only part I didn't blur out. They say "at some tech company," so they obviously were aware of the privacy concern of disclosing their actual employer. But just with their real name and a description of what they did, I was able to find them across their LinkedIn and across their other social media profiles, across their Twitter, across their Instagram, and create a super record on this person, learning about basically around where they live based on their Instagram photos (they took a lot of them), learning about where they worked, because I found their explicit LinkedIn, and so I was able to join from these disparate records based on a single piece of information that overlapped. And so you'll notice that I've blurred out a lot, and that's because even with this person's school and just their job title, you'd be able to find this person. And it's very important to remember that disclosure does not equal consent. You know, a lot of times you see this in private research, where they aren't going through an ethics board or research board, where they'll just disclose this information and they'll say, "well, they put it out there on their online dating, so they deserve to have it out in the world." This person is choosing to share their information with folks within a specific geographical region, so just because they put it out there doesn't mean that they want random folks at a conference in DC to see it. So it's important, you know, as we're doing this... it's just me taking a second on my soapbox to say we do need to care about these privacy concerns when we're talking about research that handles real people in the actual world.

So again, we're not sufficiently depressed and despairing that there's no hope; I want to fight against that and say there absolutely is. So we can handle this risk. As the app developer, we could allow users to choose which information they disclose, and they do this right now; it's risk transference. We could, as an app developer, not disclose their Instagram handle. Bumble made that decision to not disclose Instagram handles, while Tinder discloses the full Instagram handle. So Bumble has chosen to do some level of mitigation; it's reduction, down so the Instagram photos that are displayed in somebody's profile are only, like, the last five or last ten or whatever, while on Tinder you can actually go back and find that person's actual Instagram and look at years of photos if they have a public profile. And so there's different levels of reduction that could be there. There's fuzzier, delayed location sharing. I really like this idea, and I wish dating apps would use it. We see OkCupid doing this: they won't say, like, "a mile away," they'll say, like, "five miles," "ten miles," etc. And so it's fuzzy, so it's hard to triangulate somebody's position with just such a broad distance categorization. So that would be nice. Well, Bumble, on the other hand, goes down to the tenth of a mile. It's a lot easier, if you're spoofing your location, to hop around different locations and identify where somebody is if they're saying they're 1.7 miles away; it's a lot easier to do that. So that could be a way of reducing risk in this situation. And then, or, they could give the user the ability to hide their distance. Tinder does this, but the problem is, if you do that, folks think that you're a bot. And so I really opt for that kind of gradient, where folks can have more fuzzy or delayed locations.

As the user, we can also take steps. We can avoid this risk and just not date, but online dating is a modern way of doing dating, and it's what a lot of people are starting to do, and so instead of saying, you know, "screw that, we should just leave it behind, don't do it," let's find a way to do it more safely, in a way that protects the privacy and safety of the users. So you can use a fake name; it makes it harder to do linkability if you do that. Don't disclose your employer. Don't connect your Instagram. You can prevent... so one thing that I think this part really demonstrates well, when we get to preventing real-time location sharing, is if we go back to this diagram here and we look at the lower left. When you're looking at that and we say, okay, the context of the end user and the context of the application are separated, what is that app, the end-user client, actually doing? It is there to present you with photos and to share your real-time location. So the real-time location is coming from the end user's client device, so theoretically the end user should be responsible and have ownership over that location. And so we can start to think about how do we use this application if we prevent it from running in the background, so it's not sharing our real-time location; if we choose when we want to use the application, so that we're only, you know, using the application when we're travelling between home and work, so that's never being tied to our actual place of employment or our place of living, where we are more static in our lives. So if we think about that, then we can talk about how can phones be designed better, for not just dating applications but any application that uses locations. And iPhone is taking the step to say: only share location when you are using this app, or when it's running in the background, or never. And I really appreciate that, because it puts that power in the user's hand, if and when they want to disclose their location to that particular application. Android, on the other hand, is just like, "y'all know we're just gonna scarf it up," because God forbid Google doesn't pull information out of our pockets every, you know, three seconds. So what is that? Oh yeah, it's a fact. I just didn't want people to be any more despaired; like, let's just be despaired about online dating, we can be despaired about other things in other talks. But yeah, there is hope, I think. So we can also spoof our locations, and/or we can just be nihilistic and be like, "we don't care."

Cool. So from this talk, hopefully you've had some tools: data flow diagrams and attack trees, and understanding, you know, nymity and linkability. So these are kind of the core principles that I use on a day-to-day when I'm doing threat modeling, especially around privacy-centric applications. And so in the end I want developers to be able to build better applications. I want us who are acting as defenders to think about this stuff intentionally, so when we do things like create data flow diagrams, it's not so much about the end product of having the pretty Visio diagram, because they're so beautiful; it's not about that, it's about the process and the intentionality of having to create that. As an attacker, if you're doing offensive simulations, these are also great tools. Whenever I'm doing red teaming engagements, if I can get my hands on network diagrams of any sort, that's gonna help me further my objective. Or if you're doing something like a web application penetration test and you can get an understanding of how the data, the backend databases, are connected, where connections are encrypted, where they aren't, where data is at rest, all of that can be helpful when simulating offensive attacks or doing penetration-testing-type activity. And in the end, as users, we can use these applications more safely. And so I want everybody to be more intentional about the decisions they make when they're designing applications and when they're using these applications. So that's all I got. If there are any questions... I know I was scheduled for fifteen minutes, but I don't, I don't, for the thirty minutes that I have, have that much material, but I'm happy to stick around and answer questions if anybody has them. Yes?

[Audience question, partly inaudible: "...location... what they did, what they did... encrypted coming back... was your... clients..."]

Go ahead. Yeah, I remember that. So I focused on the major applications, but in the research that I came across there... let me see, I don't remember if I have... so, okay. So some applications use HTTP, HTTP consistently across the application, across sending it between the client and the front end. I'm specifically talking about Tinder in that case. There have also been situations where, like you said, they're sending, they're forwarding the location to the phone of the potential suitor, and then the phone itself is calculating the distance. We saw this with Grindr, then disclosing HIV status directly over that application, or actually I believe that was to third parties, but they're, like, packaging a bit, but it's coming directly off the client, and there was a lack of anonymization, and again the linkability issue. It was a whole... I don't remember if they had a problem with encryption also. If somebody else remembers that, please feel free to shout it out. I don't remember exactly what happened with that, but I remember that was a problem with Grindr in the last year or so. Any other questions? Alright, appreciate it, thank you.

[Applause]
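Two of the developer-side mitigations the talk describes, written up as an added example (not code from the talk, nor from Tinder, Bumble or OkCupid): a fixed-size wire encoding for the swipe response, so a passive observer sees the same length for no, yes and match, and coarse distance bands in place of a tenth-of-a-mile figure, with a rough measure of how much area each kind of reading leaves open. The response bodies, the 256-byte size and the mile bands are constructed for the example.

```python
import json
import math

# Constructed stand-ins for the three swipe responses. The real API shapes are
# not on the page; only the fact that their sizes differed is.
RAW_RESPONSES = {
    "no": {"status": 200, "match": False},
    "yes": {"status": 200, "match": False, "liked": True},
    "match": {
        "status": 200, "match": True, "liked": True,
        "match_id": "m-0001", "chat_url": "/chats/m-0001",
    },
}

PAD_TO = 256  # assumed fixed wire size; must exceed the largest real response


def raw_encode(body: dict) -> bytes:
    """Serialization as an app might do it today: size tracks the content."""
    return json.dumps(body, separators=(",", ":")).encode()


def padded_encode(body: dict, pad_to: int = PAD_TO) -> bytes:
    """Pad every response to pad_to bytes with trailing spaces. Whitespace is
    legal JSON, so an unmodified client parses it. Apply this after any
    compression (or disable compression for these responses), otherwise
    gzip re-introduces a content-dependent size."""
    payload = raw_encode(body)
    if len(payload) > pad_to:
        raise ValueError("response larger than fixed size; raise PAD_TO")
    return payload + b" " * (pad_to - len(payload))


def decode(wire: bytes) -> dict:
    """Client side: the padding is invisible to json.loads."""
    return json.loads(wire)


def observable_sizes(encoder) -> dict:
    """What a passive observer learns from sizes alone: one entry per decision."""
    return {decision: len(encoder(body)) for decision, body in RAW_RESPONSES.items()}


def size_leaks_decision(encoder) -> bool:
    """True if at least two decisions produce different wire sizes."""
    return len(set(observable_sizes(encoder).values())) > 1


# --- Fuzzy distance bands instead of a tenth-of-a-mile figure ---------------

DISTANCE_BANDS_MI = (5, 10, 25, 50)  # constructed bands in the OkCupid style


def fuzzy_distance(miles: float) -> str:
    """Coarsen an exact distance to the first band it falls under."""
    for edge in DISTANCE_BANDS_MI:
        if miles <= edge:
            return f"{edge} miles"
    return f"{DISTANCE_BANDS_MI[-1]}+ miles"


def annulus_area_sq_mi(low: float, high: float) -> float:
    """Area where the other user could be if their distance lies in [low, high]."""
    return math.pi * (high ** 2 - low ** 2)


def area_open_to_exact_reading(miles: float, resolution: float = 0.1) -> float:
    """Uncertainty left by a reading such as '1.7 miles' (plus or minus half a tenth)."""
    return annulus_area_sq_mi(max(0.0, miles - resolution / 2), miles + resolution / 2)


def area_open_to_fuzzy_reading(miles: float) -> float:
    """Uncertainty left by the band fuzzy_distance would report instead."""
    low = 0.0
    for edge in DISTANCE_BANDS_MI:
        if miles <= edge:
            return annulus_area_sq_mi(low, edge)
        low = edge
    return math.inf


if __name__ == "__main__":
    print("raw sizes:", observable_sizes(raw_encode))
    print("padded sizes:", observable_sizes(padded_encode))
    print("1.7 mi ->", fuzzy_distance(1.7),
          f"({area_open_to_exact_reading(1.7):.1f} vs "
          f"{area_open_to_fuzzy_reading(1.7):.1f} sq mi of uncertainty)")
```

A single fuzzy reading is only one part of the picture; the talk's point about spoofed vantage points still applies if bands are small or updated in real time, which is why the speaker pairs fuzzing with delayed sharing.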