A Fintech startup is developing a crypto exchange. As part of the product development, they wanted to ensure they implemented the system securely with the proper mechanisms and best practices.
FINTECH CRYPTO PLATFORM PENETRATION TESTING
EXECUTIVE SUMMARY

FINTECH CRYPTO PLATFORM PENETRATION TESTING CASE STUDY
Robbing crypto wallets through business logic and race conditions

Cyber Security is an Exponential Problem

Red team assessments help you understand your organization's detection and investigative capabilities. Not setting the right rules and expectations when starting a Red team or Penetration Testing exercise may lead to less-than-great outcomes.

A Fintech company is developing a crypto exchange. As part of the product development, they wanted to ensure they implemented the system securely with the proper mechanisms and best practices.

This document is an example of the rules of engagement between the Komodo Consulting Team and the Customer Teams for the Red team and Pentest exercises, which will help you understand the rules of engagement for a Red team exercise.

RULES OF ENGAGEMENT

• Contacts
• Timeline
  • Activity Start Date:
  • Activity End-Date:
  • A red-team activity usually takes about 60 days start to end.
• Locations
  • Komodo Offices
  • Customer Europe Site
  • Customer US Site
• Status Updates
  • A weekly conference call will take place on Mondays and Thursdays, OR specify the days you want the status updates.
  • Critical findings will be notified on a daily basis.
• Testing Time Frame
  • During Business Hours? After Business Hours? E.g. Israeli GMT+2 daytime hours (PST night time). On Weekends? Doesn't Matter.
  • Our assumption is that 90% of testing will be performed during Israeli daytime hours.
• Stealth/Shunning
  • Testing should be performed in stealth mode.
  • Note that this limits the pentesters' capabilities but reflects a closer-to-real-life attack simulation.
• Permission To Test
  The Customer hereby acknowledges that Komodo's team will perform penetration testing on systems in scope (see IP range and domain lists below). Testing may lead to system instability, and all due care will be given by the tester not to crash systems in the process. However, because testing can lead to instability, and the connection between testing and system instability is sometimes loosely coupled and wrongly connected, the Customer shall not hold the tester liable for any system instability or crashes.
• Legal Approval
  The Customer hereby approves that testing the systems in scope is legal in the state in which the tests are performed.
• LIST IP RANGE AND DOMAINS IN SCOPE
  Here follows the list of IP ranges identified by Komodo at the preliminary information-gathering stage. These IP addresses will define the scope for the project. Each range is attached with its physical GEO location.
• LEVERAGE
  In the case that a system is penetrated, how should the testing team proceed? (Check all that apply)
  • Perform a local vulnerability assessment on the compromised machine?
  • Attempt to gain the highest privileges (root on UNIX machines, SYSTEM or Administrator on Windows machines) on the compromised machine?
  • Attempt to proceed with the attack towards internal reachable servers?
  • Stop and notify?
• Available Testing Environment (Check All That Apply)
  • Production Environment
  • Staging Environment
  • Test Environment
  • Development Environment
• EFFECTIVENESS OF DEFENSE
  Can be defined as required.
• EXCEPTIONS
  • Modules to exclude, e.g. mainframe servers are not part of the scope.
    1.
    2.
    3.
  • Tests to exclude, e.g. do not run RCE exploits in production.
    1.
    2.
    3.
  • Tools to exclude
    1.
    2.
    3.

FRAMEWORK

The Fintech company asked the Komodo team to perform a Design Review, a Cloud Security review, and Penetration Testing. As this was an extensive and lengthy activity spanning four months, we will not go into the entire assessment in depth. That said, we will highlight a specific vulnerability found in financial systems, whether traditional banking systems or high-end, sophisticated crypto and Fintech companies. The precursor to this vulnerability is called a race condition. Exploiting this race condition allowed us to "rob" the fintech company of its crypto funds and get these into our account.

What is a race condition?

A race condition in software is an undesirable event that occurs when multiple attempts to access or modify a shared resource are performed at the same time. Usually, when an application behaves correctly, different entities share resources as expected. However, under uncontrollable network delays, multi-threading, or specific business logic, the sequence of operations may change due to the relative timing of events. This change can result in an undesigned state for the application, and hence a failure. In this case, the "race" depends on which entity or operation gains access to the shared resource first.

An example of a race condition can be seen even in simple code that adds to or subtracts from a variable: because thread A and thread B send their requests simultaneously, both threads read the variable with the value 10. While thread A increments it to 11, thread B overwrites the value with 9, because it used the old value of 10 before thread A wrote back the new value.

The tested system

The fintech platform assessed was a financial B2B platform that allows bank users to trade between crypto funds and Fiat currencies.

Business logic / flow

The following flow-chart shows the coin exchange process on the PROJECT SPECIFIC platform:

1. Check current balance
2. Remove the exchanged amount
3. Verify the amount in the relevant crypto wallet
   • Request approved: cryptocurrency balance is incremented
   • Request denied: refund is given to current balance

Explanation of the flowchart

1. Checking current balance.
2. Removing the exchanged amount.
3. Verifying that there is enough cryptocurrency in the wallet for the exchange.

The request is approved if there is enough balance in the organization's crypto wallet, and the private cryptocurrency balance is incremented by the amount bought. The request is denied, and a refund is provided, if there isn't enough balance in the organization's crypto wallet.

The exploitation process

During an assessment made by Komodo's team on the fintech platform, we uncovered a race condition that allowed us to increase the assets in our wallet, with the only limit being the amount in the organization's crypto wallet.

The team found that, by sending multiple simultaneous requests to the platform, every three requests on average were sent together and abused the race condition. So, for example, making 30 requests to exchange 10 USD to BTC (Bitcoin) would decrease the USD in the account by approximately 100 and give around 300 USD worth of BTC.

We achieved the exploitation by abusing the race condition. During the transfer, the application checked our total balance and subtracted or incremented the value. Due to the use of multiple simultaneous requests, three requests saw the balance as "100" and then lowered the value to "90." Because the balance was 100 for all three requests, it was written and overwritten as 90 three times. After decreasing the amount in our balance, the system waited for a successful response from the database to see that there was enough BTC in the wallet, and then, after a successful reply, made the transfer. Due to the delay while waiting for a positive response from the application's server regarding the BTC wallet, all requests to increment the BTC wallet were accepted, thus increasing the amount for each request, totaling 300 USD worth of requests. By using 100 USD, we stole 300 USD worth of BTC in one exploitation cycle from the platform. Performing the same operation repeatedly allowed us to move all funds from the crypto exchange account to our private account.
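The following is an added example and not code from the case study or from the platform assessed. It models, in a constructed in-memory ledger, both the thread A / thread B lost-update illustration and the exchange flowchart above: the racy handler reads the balance and writes the reduced value back as a separate step, so simultaneous requests all store the same stale balance while each one is still credited with BTC; the hardened handler performs the check, the debit, the wallet reservation and the credit as one atomic step. The `Ledger` class, the 1000 USD organisation reserve, the `threading.Barrier` used to force simultaneous arrival, and the `value_created` reconciliation check are all assumptions of this example; the SQL in the comment is the equivalent database-level fix, not a statement taken from the platform.

```python
import threading
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Constructed in-memory ledger standing in for the platform's database.
    Amounts are whole USD; BTC holdings are valued in USD so both sides compare."""
    fiat: int                      # customer's USD balance
    btc_usd: int = 0               # customer's BTC holdings, valued in USD
    org_wallet_usd: int = 1000     # organisation's BTC reserve, valued in USD (assumed)
    lock: threading.Lock = field(default_factory=threading.Lock)


def exchange_racy(ledger, amount, barrier):
    """Flowchart as described in the case study: check the balance, then write
    the reduced balance back as a separate step. The barrier stands in for the
    simultaneous arrival of requests: every request finishes its read before any
    of them writes, so all writes store the same stale value (lost update)."""
    balance = ledger.fiat                 # 1. check current balance
    barrier.wait()                        # constructed: the requests race here
    ledger.fiat = balance - amount        # 2. remove the exchanged amount (overwrites)
    with ledger.lock:                     # 3. verify the organisation's wallet
        if ledger.org_wallet_usd >= amount:
            ledger.org_wallet_usd -= amount
            ledger.btc_usd += amount      # approved: credit BTC
            return True
    ledger.fiat += amount                 # denied: refund
    return False


def exchange_atomic(ledger, amount, barrier):
    """Hardened flow: the balance check, the debit, the wallet reservation and
    the credit form one atomic step, so no request can act on a balance that
    another request has already spent. In a relational database the same
    guarantee is a single conditional statement inside one transaction, e.g.
      UPDATE accounts SET balance = balance - :amt
        WHERE id = :id AND balance >= :amt
    with an affected-row count of 0 treated as 'insufficient funds'."""
    barrier.wait()                        # same simultaneous arrival as above
    with ledger.lock:
        if ledger.fiat < amount or ledger.org_wallet_usd < amount:
            return False                  # denied; nothing was debited, no refund needed
        ledger.fiat -= amount
        ledger.org_wallet_usd -= amount
        ledger.btc_usd += amount
        return True


def run_concurrent(handler, n_requests=30, amount=10, start_fiat=100):
    """Fire n_requests simultaneous exchanges against a fresh ledger and
    return the end state plus how many requests were approved."""
    ledger = Ledger(fiat=start_fiat)
    barrier = threading.Barrier(n_requests)
    results = []   # list.append is atomic in CPython, so no extra lock is needed
    threads = [threading.Thread(target=lambda: results.append(handler(ledger, amount, barrier)))
               for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"fiat": ledger.fiat, "btc_usd": ledger.btc_usd,
            "org_wallet_usd": ledger.org_wallet_usd, "approved": sum(results)}


def value_created(start_fiat, state):
    """Reconciliation check a defender can run over the ledger: BTC credited
    minus USD actually debited. Anything above 0 is value the platform gave
    away, and alerting on it catches this abuse even without request-level logs."""
    return state["btc_usd"] - (start_fiat - state["fiat"])


if __name__ == "__main__":
    racy = run_concurrent(exchange_racy)
    print("racy  :", racy, "value created:", value_created(100, racy))
    fixed = run_concurrent(exchange_atomic)
    print("atomic:", fixed, "value created:", value_created(100, fixed))
```

With the racy handler, 30 simultaneous 10 USD requests against a 100 USD balance leave the balance at 90 while 300 USD worth of BTC is credited, matching the figures in the case study; with the atomic handler only 10 requests are approved, the balance reaches 0, and the reconciliation check reports no value created. The same reconciliation (sum of credits against sum of debits per account) is a cheap detective control to run alongside the preventive fix.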
ABOUT US

• Cyber Security Consulting since 2011
• Founded by leading consulting experts with decades of experience
• Team consists of:
  • Seasoned security specialists with worldwide information security experience
  • Military intelligence experts
• Provide services across multiple verticals: banking, insurance, hi-tech, automotive, energy, communication, critical infrastructures, healthcare, and international mega-brands
CORE VALUES

• Challenge the Status Quo and Drive Innovation
• Dive into complicated problems and solve them
• Combine work and fun
• Learn new stuff, teach and share our knowledge
• Keep our customers happy
SERVICES

We Help Our Clients Identify Their Weaknesses

• Infrastructure and Application Security
OUR EXPERTISE

• Help large organizations reach maturity in their security posture
• Work with startups and developers on cutting-edge modern technologies
• Help organizations with compliance requirements in the security domain
• Understand our clients' needs and provide tailor-made services if needed
OUR CLIENTS

We are Trusted by the World's Best Companies
WHAT OUR CLIENTS SAY

Komodo provides us with peace of mind
"As an organisation constantly targeted by malicious attacks, Komodo provides us with peace of mind both by securing our applications before they go into production and by acting as our incident response team at the most critical moments when we need them."
Amnon Cohen, CIO, Safecharge

First-class application and cyber security services
"We've been working with Komodo, our trusted advisers on application security and penetration testing, for over six years now. They consistently provide us with invaluable insights, briefings, and value. I wholeheartedly recommend them to any company in need of first-class application and cyber security services."
Amir Levi, CTO, Harel Insurance

Komodo presents valuable insights and advice
"Work with Komodo Consulting has always been a streamlined, efficient process. Results are always to the point and right on time, accompanied by valuable insights and advice."
Eldan Ben-Haim, CTO, Trusteer (IBM)
Most companies take nearly 6 months to detect a data breach, even major ones. Are your IT systems strong enough to withstand an attack and/or detect a data breach? We help you identify critical vulnerabilities, map security vulnerabilities and suggest effective countermeasures.

https://www.komodosec.com/contact

USA: +1 800 409-0472 (Delaware, USA)
UK: +44 20 8089 5205 (London, UK)
ISR: +972 9 955 5565 (Givatayim, Israel)

https://www.komodosec.com/
info@komodosec.com