Steven Danneman

About Me

Steven in Macao

        I'm currently working as a Security Engineer at Security Innovation in Seattle, WA, making application software more secure through targeted penetration testing. Previously, I led the team responsible for all authentication and identity services development within the OneFS operating system in the Isilon Storage Division of EMC. I received my B.S. in Computer Science from the University of Washington.

        In the time that's left over I enjoy cinema, traveling, and reading non-fiction.

Writings

A list of writings not directly on my blog.

Your Bank's Digital Side Door: Is It Opening You Up to Risks? - November, 2018
        An overview of the legacy banking protocol OFX, still used at 3000 North American financial institutions.
Automating TLS Configuration Verification - September, 2017
        Instructions for testing TLS configuration against open source RDBM systems.

Presentations

Your Bank's Digital Side Door (YouTube) - DEF CON 26 - 2018, Hackfest 10 - 2018
        Why does my bank's website require my MFA token but Quicken sync does not? How is using Quicken or any personal financial software different from using my bank's website? How are they communicating with my bank? These questions ran through my head when balancing the family checkbook every month. Answering them led me to deeply explore the 20-year-old Open Financial Exchange (OFX) protocol and the over 3000 North American banks that support it. They led me to the over 30 different implementations running in the wild and to a broad and inviting attack surface presented by these banks' digital side doors. Now I'd like to guide you through how your Quicken, QuickBooks, Mint.com, or even GnuCash applications are gathering your checking account transactions, credit card purchases, stock portfolio, and tax documents. We'll watch them flow over the wire and learn about the jumble of software your bank's IT department deploys to provide them. We'll discuss how secure these systems that keep track of your money really are, and we'll send a few simple packets at several banks and count the number of security WTFs along the way.
Automating TLS Configuration Verification on the Back-End of the Web Application Stack (YouTube) - AppSec USA - 2017
        Best practices for HTTPS deployment have been steadily improving over the past decade. TLS usage on web servers has been steadily increasing, and there are dozens of tools (O-Saft being the most popular) now available to test the correctness of the TLS configuration of a front-end web server. All good news. But what about the other services and protocols used in a web application stack? What about the connection between the web application server and the backing data store? This talk looks at the current TLS capabilities of popular web application data stores (MySQL, PostgreSQL, and MongoDB), including both the most recent versions and the most widely deployed versions. We'll discuss best practices for defining TLS configuration within these data stores, which differ somewhat from HTTPS, and improvements the presenter has made to tools that help verify proper server-side TLS configuration.
Identity Mapping in the OneFS Clustered File System - SDC - 2012
        Building a NAS appliance that seamlessly provides both the SMB and NFS file sharing protocols requires supporting the authentication and access control semantics of both Windows and Unix. In a unified file system like this, a requirement for identity mapping arises between the authentication and authorization steps. ID mapping is a distinct third step that equates security identifiers from both domains in order to produce an authenticated ID that can be used in access control checks. This talk covers the design and implementation of the Isilon OneFS identity mapping system.
Adding Role Based Access Controls onto a Unix Storage Platform - SDC - 2011
        The traditional Unix authorization model defines an all-powerful root user who can perform any system task, modify any file, and change any system configuration. This simple model produces several fundamental problems for a storage platform. The root user, whether maliciously or accidentally, can cause catastrophic data loss. They can also view and undetectably modify the contents of any file and thus need to be an extremely trusted individual. Solving these problems requires partitioning the traditional root administrative rights among many different users and limiting, within the file system, the ability of any one user to view and modify all files. This can be accomplished with Role Based Access Control.
A Comparison Between the Samba 3 and Likewise Lwiod SMB File Servers - SDC - 2010, SambaXP - 2010
        The Samba 3 smbd file server is the most widely deployed open source SMB server in the world. Lwiod is an open source SMB file server developed by Likewise Software. Both provide Windows file sharing functionality on Unix operating systems. In this presentation I compare and contrast the overall architecture and feature sets of these two servers from both an administrator's and a developer's perspective. Viewers should gain an understanding of the primary benefits and drawbacks of each implementation.
Permissions Mapping in the Isilon OneFS File System - SDC - 2009
        A few authorization domains are widely used today: POSIX mode bits and CIFS/NFSv4 Access Control Lists. Creating a file system that intelligently maps between different sets of file permissions is tricky. I explain how Isilon accomplishes this in its OneFS operating system. By mapping ACLs from one authorization domain to the other, our clustered file server provides one unified permissions model for CIFS, NFSv3 and NFSv4 clients.
Improvements in Samba to Take Advantage of OneFS - SambaXP - 2009
        The Samba networking stack provides a modular VFS framework that lets file system developers integrate their features with those expected from the SMB protocol. This presentation discusses how Isilon used this VFS framework to expose the NTFS-equivalent functionality of OneFS to its Windows clients.
Using Samba with a Commercial Clustered Filesystem - CIFS Workshop - 2007
        An overview of Isilon's distributed file system design and SMB networking stack utilizing Samba.

Software

ofxpostern
        Vulnerability scanner for OFX servers.