
Skinhub.com Application Assessment Summary

Prepared for: Skinhub

Prepared by: Denny Deaton, Managing Director
Jordan Parkin, Senior Engineer

July 5, 2018




TABLE OF CONTENTS

I. INTRODUCTION & PROJECT SUMMARY (page 1)

II. PROCESS (page 1)

III. SUMMARY (page 2)

IV. STROZ FRIEDBERG BIOGRAPHIES (page 3)

© 2018 Stroz Friedberg. All rights reserved.


I. INTRODUCTION & PROJECT SUMMARY

Stroz Friedberg LLC, an Aon company, is a specialized risk management firm built to help clients solve
the complex challenges prevalent in today’s digital, connected, and regulated business world. The firm's
focus is on cybersecurity, with leading experts in digital forensics, incident response, and security
science; investigation; eDiscovery; intellectual property; and due diligence.

Stroz Friedberg, LLC, an Aon Company (“Stroz Friedberg”)1 was engaged by Skinhub (skinhub.com) to
conduct application security testing and source code analysis for the Skinhub (skinhub.com) application.
The fieldwork was conducted from March 14 through March 27, 2018. The purpose of this verification
was to certify the production data, codebase and audit logs, and to confirm that Skinhub (skinhub.com)
had not tampered with outcomes. Additionally, the platform was tested for both common and
sophisticated vulnerabilities using the standard Stroz Friedberg application testing methodology. The
engagement was time-boxed to 10 days.

During the engagement, Stroz Friedberg did not identify any evidence of tampering by Skinhub
(skinhub.com) employees that would lead to unfair outcomes for Skinhub (skinhub.com) users. Any
specific details of security issues identified during the assessment, along with suggested steps to
correct each issue, have been communicated directly to Skinhub (skinhub.com) personnel.

II. PROCESS

Stroz Friedberg uses a combination of automated tools and manual penetration testing to search for
missing, broken, and improperly implemented application security controls. The verification targets both
sophisticated and common vulnerabilities, including the OWASP Top Ten (http://www.owasp.org) and
other flaws typical of similar applications. As part of the service, the assessment approach was reviewed
with appropriate Skinhub (skinhub.com) personnel and the scope, goals and objectives were confirmed
by Skinhub (skinhub.com).

Artifacts provided by Skinhub (skinhub.com) were manually analyzed for any indication of tampering,
including backdoor code and unauthorized modification of database entries or application code.
Additionally, the code-base was analyzed to determine whether the randomness used by the application is
sufficient to produce fair outcomes for all Skinhub (skinhub.com) users.

1 Stroz Friedberg, LLC, an Aon Company and its subsidiary Gotham Digital Science, collectively referred to as “Stroz
Friedberg,” were actively engaged in efforts required by this matter.



The following artifacts were reviewed:
1. Skinhub API and Frontend Github commit history logs
2. Skinhub API and Frontend code-base
• API commit a8b67a99e4f21d394714a766c06287c89fe3d159
• Frontend commit 44f5c68a072871fc7771fa1534022dd148a20cad
3. Skinhub API and Frontend documentation specific to code that determines outcomes
4. Staging and Production Skinhub application environments
5. Production data through Heroku

Code Analysis & Dynamic Testing

Documentation provided by Skinhub (skinhub.com) was used as a guide to trace the Skinhub application's
“Case Opening” and “Item Upgrade” functionality from sources to sinks and to analyze the use of
cryptographically secure pseudorandom number generators in determining outcomes. This functionality
was tested on the staging and production versions of the application, and was also replicated locally, in
order to determine its effectiveness.
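The source-to-sink check described above is easier to see in code. What follows is an added example written for this summary; it is not Skinhub's application code, nor the scheme Stroz Friedberg reviewed. The odds table, the seed handling, the HMAC-SHA256 derivation and every function name are assumptions chosen to illustrate a generic commit-and-reveal "provably fair" design: the weak pattern a reviewer flags (a non-cryptographic generator at the sink), a hardened form in which the only CSPRNG call produces a server seed that is committed to before play, and the two checks an auditor runs afterwards (recomputing a single outcome from the revealed seed, and comparing the empirical distribution over many rolls against the published odds).

```python
import hashlib
import hmac
import random
import secrets

# Constructed odds table for this example; not Skinhub's actual odds.
CASE_ODDS = [("Common", 0.80), ("Rare", 0.15), ("Legendary", 0.05)]


def validate_odds(odds, tolerance=1e-9):
    """Published odds must be positive and sum to 1; otherwise no outcome
    mapping can be fair regardless of the generator behind it."""
    total = sum(p for _, p in odds)
    return all(p > 0 for _, p in odds) and abs(total - 1.0) < tolerance


def roll_weak():
    """The pattern a source-to-sink review flags: random.random() is a
    Mersenne Twister whose state can be recovered from a few hundred
    observed outputs, making every later case outcome predictable."""
    return random.random()


def new_server_seed():
    """Server seed drawn from the OS CSPRNG (hypothetical helper name)."""
    return secrets.token_hex(32)


def commit_server_seed(server_seed):
    """Hash published to the player before play. It binds the operator to
    the seed without revealing it, so the seed cannot be swapped later."""
    return hashlib.sha256(server_seed.encode()).hexdigest()


def roll_from_seeds(server_seed, client_seed, nonce):
    """Deterministic roll in [0, 1) from HMAC-SHA256(server_seed, client_seed:nonce).
    The CSPRNG is used once, for the seed; every roll afterwards can be
    reproduced by the player from public inputs."""
    message = f"{client_seed}:{nonce}".encode()
    digest = hmac.new(server_seed.encode(), message, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") / 2**64


def outcome_for_roll(roll, odds):
    """Map a roll onto the cumulative odds table."""
    cumulative = 0.0
    for name, probability in odds:
        cumulative += probability
        if roll < cumulative:
            return name
    return odds[-1][0]  # guards against floating-point rounding at the top end


def verify_outcome(server_seed, commitment, client_seed, nonce, claimed, odds):
    """What a player or auditor recomputes once the server seed is revealed:
    the commitment must match the seed and the claimed outcome must reproduce."""
    if commit_server_seed(server_seed) != commitment:
        return False
    roll = roll_from_seeds(server_seed, client_seed, nonce)
    return outcome_for_roll(roll, odds) == claimed


def empirical_distribution(server_seed, client_seed, trials, odds):
    """Outcome frequencies over consecutive nonces; an auditor compares these
    against the published odds to catch a biased mapping or generator."""
    counts = {name: 0 for name, _ in odds}
    for nonce in range(trials):
        roll = roll_from_seeds(server_seed, client_seed, nonce)
        counts[outcome_for_roll(roll, odds)] += 1
    return counts


if __name__ == "__main__":
    seed = new_server_seed()
    commitment = commit_server_seed(seed)
    client = "player-chosen-seed"  # constructed client seed
    result = outcome_for_roll(roll_from_seeds(seed, client, 0), CASE_ODDS)
    print("commitment:", commitment)
    print("outcome for nonce 0:", result)
    print("verifies:", verify_outcome(seed, commitment, client, 0, result, CASE_ODDS))
    print(empirical_distribution(seed, client, 20000, CASE_ODDS))
```

The design point is where the CSPRNG sits: in the hardened form it is consumed exactly once, when the server seed is generated, and the outcome path from seed to result is a deterministic, keyed hash that the player can re-run. A sink that calls a non-cryptographic generator directly, or that re-seeds from a predictable value, is what the code review looks for.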

Commit History Analysis

The history of code commits to the API and Frontend Github repositories was analyzed for any evidence
that unauthorized code had been added that could provide backdoor access or affect outcomes for users.
In summary, based on observations made by Stroz Friedberg at the time of this engagement, the provably
fair mechanism had not been tampered with, and the random values and wagers produced by Skinhub
appeared to be provably fair.

Back-End Database Analysis


Access to the application environment through Heroku was used to interact with the back-end Postgres
database that holds application data. This data was manually searched for evidence of unauthorized
changes that might lead to unfair outcomes.

III. SUMMARY

During the review of artifacts provided by Skinhub (skinhub.com), Stroz Friedberg did not identify any
indication that Skinhub (skinhub.com) employees had tampered with back-end data or application code in
order to produce unfair outcomes for users. Based on observations made by Stroz Friedberg at the time
of this engagement, the outcomes of the Case Opening and Item Upgrade functionality appear to be fair and
random according to the odds listed on the Skinhub website.



Sincerely,

Eric Friedberg
Co-President, Stroz Friedberg

IV. STROZ FRIEDBERG BIOGRAPHIES

The following individuals from Stroz Friedberg conducted the Skinhub engagement.

DENNY DEATON – Managing Director, Stroz Friedberg

Denny Deaton is a Director with Stroz Friedberg, located in Charlotte, NC. Denny has 13 years of
experience in the security industry performing security testing and delivering security consulting
services across various industries. Prior to joining Stroz Friedberg, Denny worked at another global
consulting firm and as a security engineer at Bank of America.

EXPERIENCE
• Account management of security consulting services and delivery for Fortune 500 companies including
the financial, healthcare, retail, insurance, manufacturing and software / technology industries
• Dynamic application security testing assessments for Fortune 500 companies
• Applications tested include Internet banking, financial trading, human resources, insurance support,
and customer service applications
• Internet, intranet, and wireless penetration testing for Fortune 500 companies in the financial
services and technology industries
• Performed social engineering assessments including voice phishing, spear phishing, and physical
security for Fortune 500 companies
• Works with clients to develop custom remediation plans following the completion of penetration tests
and application security assessments
• Develops software components in PHP, Python and Perl for internal company applications and security
assessment tools
• Assists with management of internal testing methodologies and internal team development and training
at Stroz Friedberg
• Mentoring of other security engineers on vulnerability assessment and penetration testing practices
as well as regulatory, mandate, and policy compliance

SKILLS
• Network and infrastructure-layer penetration testing
• Application-layer penetration testing (web & mobile)
• Experience with commercial security tools including Burp Suite Pro, IBM AppScan, HP WebInspect,
Nessus, and Qualys
• Development in PHP, Java, Python, Perl and SQL
• Security administration of Linux and Windows operating systems as well as IIS, Apache, MS SQL
Server, and MySQL
• Excellent written, public speaking, and presentation skills

EDUCATION/CERTIFICATIONS
• Bachelor of Science in Computer Information Systems from University of North Carolina at Wilmington

THOUGHT LEADERSHIP
• Delivered conference presentations focused on network penetration testing at Charlotte ISSA,
BSides Charlotte and BSides Raleigh

JORDAN PARKIN - Senior Security Engineer


Jordan Parkin is a Senior Security Engineer and Researcher. Jordan has experience performing internal,
external and wireless network penetration tests focused on SCADA systems, and application security
assessments for clients in the utilities, chemical engineering, manufacturing and oil, gas & energy
industries. Prior to joining Stroz Friedberg, Jordan served as a primary resource for SCADA-related
security assessments within the Advanced Security Center at Ernst & Young.

EXPERIENCE
• Web and mobile application security assessments for clients in a wide range of industries including
the financial, technology, and heavy industry / manufacturing sectors
• Internal, external and wireless network penetration tests for Fortune 500 clients including some of
the largest companies in the oil, gas & energy industry
• Performed social engineering assessments including voice phishing, spear phishing, and physical
security for Fortune 500 companies
• Conducted SCADA network segmentation assessments to identify potential attack paths to restricted
process control networks
• Security testing for process control devices such as programmable logic controllers and remote
terminal units
• NERC-CIP-related network scanning and vulnerability analysis on critical systems for power providers
in the US and Canada
• Reviewed firewall and other network device configurations as part of network segmentation
assessments

SKILLS
• Common network penetration testing and vulnerability analysis tools and techniques
• Application security assessments using industry standard tools such as Burp Suite and OWASP ZAP
• Experience with industry standards such as NERC-CIP
• Understanding of SCADA network components and designs as well as industrial control system protocols
• Common security issues in control system implementations for a wide range of industries
• Threat modeling specific to the utilities and oil, gas & energy industries
• Excellent written, public speaking, and presentation skills

EDUCATION/CERTS
• Offensive Security Certified Professional (OSCP)
• SANS Assessing and Exploiting Control Systems training
• Bachelor of Science in Security & Risk Analysis from the Pennsylvania State University with a
concentration in Information and Cyber Security (NSA Center of Excellence in Information Education
and Research)

THOUGHT LEADERSHIP
• Contributions to open source security tools
• Development of internal security testing methodologies



About Stroz Friedberg

Stroz Friedberg, an Aon company, is a specialized risk management firm built to help clients solve the complex challenges prevalent in today’s digital,
connected, and regulated business world. A global leader in the fields of cybersecurity, with leading experts in digital forensics, incident response, and
security science; investigation; eDiscovery; and due diligence, Stroz Friedberg works to maximize the health of an organization, ensuring its longevity,
protection, and resilience. Founded in 2000 and acquired by Aon in 2016, Stroz Friedberg has thirteen offices across nine U.S. cities, London, Zurich,
Dubai, and Hong Kong. Stroz Friedberg serves Fortune 100 companies, 80% of the AmLaw 100, and the Top 20 UK law firms. Learn more at
https://www.strozfriedberg.com/.