View
29
Download
0
Category
Preview:
Citation preview
HOW NOT TO SUCK AT CYBER SECURITY
Chris Watts - Feb 2016
DON’T BE EBAY
In 2015 there were
+38%more cyber security incidents than in 2014
Global State of Information Security® Survey 2016
Proportion of companies reporting a security incident
Global State of Information Security® Survey 2016
CUSTOMER RECORDS
Global State of Information Security® Survey 2016
38.27% of compromised assets
EMPLOYEE RECORDS33.25% of compromised assets
While there is no guarantee against being breached, organizations can greatly manage their risk by becoming more vigilant in covering their bases.
- Mike Denning, Vice President for Global Security, Verizon
According to the Pareto Principle
80% of the effects are from
20% of the causes
Software bugs are not exempt from this rule
BACK TO THE RECENT EBAY HACK
JS NIGHTMARES
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+
[] + [] === ''
[] + {} === [object Object]
{} + [] === 0
{} + {} === NaN
QUIRKY!
https://www.destroyallsoftware.com/talks/wat
HOW TO MAKE A LANGUAGENAND or NOR gates will let you build anything!
With an array of NAND or NOR gates, you can build any other logic gate. Hence FPGAs!
In software, if you have a NOT expression and an OR expression, you can emulate any other logic circuit!
If you can emulate logic circuits, you can emulate a Turing machine.
Pretty much every language already has this requirement [!+]
TURING TARPITSSome people just want to watch the world burn
This is an example of Hello World in Brainfuck
++++++++[>++++
[>++>+++>+++>+<<<<-]
>+>+>->>+[<]<-]
>>.>---.+++++++..+++.>>.
<-.<.+++.------.--------.>>+.>++.
To be Turing-complete, an imperative language must:1. Allow conditional branching2. Allow read/write access to random
memory
To be Turing-complete, a functional language must:1. Allow abstraction of functions over
arguments2. Allow application of functions to
arguments
ENTER JSFUCKA Turing-complete sub-language of JavaScript that runs in the same environment as real JavaScript. And yes, it’s Turing-complete.
false => ![]
true => !![]
undefined => [][[]]
NaN => +[![]]
0 => +[]
1 => +!+[]
2 => !+[]+!+[]
Problem: Lots of people want cat pictures and illegible formatting in their listingsSolution: Let them insert HTML!Normally, one filters out everything that has the potential to do bad with user-submitted HTML
USER INPUT IS A DANGEROUS THING
In fact, the best idea is to just avoid it and say no, but customers will be customers.
LET’S LEAVE IN <SCRIPT> TAGS!
Now we can offer more features like advertising!And lawsuit-worthy user tracking!
Hey let’s just check for alphanumerics! It’s a super easy regex./<script>\w+<\/script>//ig
ALL WE NEED TO DO IS DISALLOW ALL STRINGS WITHIN <SCRIPT> TAGS SUBMITTED BY USERS
It will be fine, nobody is ever going to be able to execute JavaScript without alphanumerics despite JS being even sketchier than C++[1]
- some dev at eBay
NAILED ITNAILED IT
Two researchers by the names of Charlie Miller and Chris Valasek were able to connect to GM’s OnStar entertainment system from 2012 to 2015.
Turns out the entertainment system is connected to the ECU, braking, tire pressure monitoring and steering systems.
OF COURSE, IT’S NOT JUST EBAY
From 10 miles away, they were able to turn up the car stereo, switch on the wipers, and crash the car flat-out into a ditch.
It will be fine, nobody is ever going to control the car through the entertainment system
- some dev at GM
LET’S NOT FOLLOW SUIT
DESIGN AS THE ANTI-USER
SQL INJECTION
https://xkcd.com/327/
A SIMPLE ATTACK<?php
$page = $_GET[‘page’];
$query = “SELECT * FROM transactions LIMIT $page * 20, 20”;
...
?>
https://www.securebank.com/transactions/view/3/
https://www.securebank.com/transactions/view/3;DROP USER admin;--/
SOLUTIONNEVER trust user-supplied information. Hidden form fields and cookies are also not safe.
VALIDATE your inputs. Expecting a number? Assert that!
ALWAYS use prepared statements - don’t insert directly into SQL statements
$statement = $db->prepare(“SELECT * FROM transactions LIMIT :page, 20”);
$statement->bindParam(‘page’, $page * 20);
You would think there’s no harm in leaving the version numbers of your Wordpress installation in the headers or footers of your web page.
Some version information also appears in HTTP headers, for example: ‘X-Powered-By: My Cool CMS v3.3.6’
INFORMATION LEAKAGE
EXPLOIT-DB
REMOVE all version identifiers from everything your server sends
CHECK what happens on a server error. Does the 500 page show anything useful to a hacker?
REMOVE all debugging information, or have it sent to log files
SOLUTION
INFORMATION EXPOSURESometimes your text editors are the enemy...
Of course, Database.php~ is no longer a .php file, so will not get executed when you navigate to it.
Instead, it will just download the file to the user, containing the actual PHP code and passwords!
SOLUTIONWHITELIST rather than blacklist files that are allowed to be displayed to the user (e.g. in .htaccess)
DELETE all temporary files on the production server, edit files on a development server before pushing.
MOVE all non-static (e.g. html, jpg, css) files out of the document root. Especially configuration files.
USER UPLOADSBy performing the previous steps, you can also protect yourself from malicious uploads being executed.
This does not replace the need to check file contents though as if the file exists on the server, it’s more than likely the attacker will find a way to execute it.
Remember the Heartbleed bug of 2014?
In 2015 there were still swaths of unprotected servers due to negligence and unwillingness to update.
OUTDATED SOFTWARE
sudo apt-get update
sudo apt-get upgrade
Update any frameworks or libraries you use in your projects too to make sure you don’t appear on the Exploit DB.
SOLUTION
Just because the attacker can’t see your source code doesn’t mean they can’t brute force or guess their way in!
SECURITY THROUGH OBSCURITY
Assume they can see your source code.
SOLUTION
AUTHORIZATION BYPASSLocking the front door is useless if you left the window open.
Some companies forget to secure all of their admin pages. Sure, the admin home page is protected by a password, but what about the page where you can modify user permissions?
Storing valuable information in HTML <hidden> fields?
Users can modify and do whatever they like to those.
HIDDEN FIELDS ARE NOT HIDDEN
SOLUTIONCHECK every page, REST service, action and form to make sure only those authorized can perform actions
NEVER store internal logic in content the user sends back. This includes cookies! (Although storing this information in sessions with a session token is OK provided you’re using sessions properly)
So you’ve fixed authorization bypass and an admin is logged in.The admin checks the forums and sees this post:
CSRF CROSS-SITE REQUEST FORGERY
Hi, I’m getting harassed by the user Trump4President. I recorded a chat log here to prove that he’s being derogatory and spiteful to every user in...
Little did the admin know, the link actually goes here:
https://www.clubpenguin.com/admin/users/Trump4President/perms?admin=true
There are actually two things wrong with this example.1. A modification action was accessible with a GET request rather
than POST.2. Because the admin was logged in, clicking this link performed
the action under the admin’s account.
WHAT WENT WRONG
USE POST, PUT, PATCH, DELETE etc. for any mutable actions. Use GET only if data will not be modified by the request.
TOKENIZE all forms and actions with a random string generated as the page loads. Store this token in your database to cross-reference when the form is submitted. This token may be stored in a hidden field or cookie.
SOLUTION
REDIRECT HIJACKINGSometimes you need to show a page, such as a login page, before redirecting the user to where they wanted to go.
If the redirect URL is not sanitized, an attacker might try to use it to direct you to another site. Imagine if a user is presented with a phishing email to change their bank password and they’re presented with a legitimate link to their bank:
https://www.securebank.com/account/changepassword?redir=http://evil.com/phish
REDIRECT HIJACKINGThis attack goes hand-in-hand with CSRF. If the user can be redirected before they realize their session has been hijacked by an evil button, the incident may go completely undetected.
REDIRECT HIJACKINGIt’s not just limited to redirecting a user either. If your script accesses the server’s filesystem, don’t let this happen:
https://www.mycoolforum.com/forum/page=../../../etc/passwd
SOLUTIONUSE a URL parser on any URL arguments to make sure they’re relative to the document root.
DENY use of patterns like ‘../’, ‘~/’ or ‘PROGRA~1/’
Some content is written by the user. This could be something like eBay’s item descriptions, or even a user’s username displayed at the top of the page.
If the user can enter HTML tags that they shouldn’t, we already know what can go wrong.
XSS CROSS-SITE SCRIPTING
There are two ways XSS can be a problem.
1. Displaying unsanitized information that the user has directly given (such as in a comment post or account bio)
2. Displaying unsanitized information that the user has weaseled into the system (for example, with a database compromise)
FIRST AND SECOND ORDER
ESCAPE or encode all characters that should be illegal when displayed on a page. For HTML body, this is <anyelement>, for HTML attributes this is any single or double quote. There are pre-made sanitizers for this job.
Perform this when the data is displayed rather than when it is stored. Otherwise you can end up with multiple escaped strings and still be vulnerable to second-order XSS!
SOLUTION
How it should be done (escaping with < and >)
How it shouldn’t be done
HUMANSTHE WEAKEST LINK OF A SECURITY SYSTEM
Of the compromised respondents in the GSISS
34%said current employees were the most likely cause
Global State of Information Security® Survey 2016
29%linked attacks to former employees
Global State of Information Security® Survey 2016
PRIVILEGE MISUSEis #3 of the 9 biggest causes
Verizon Data Breach Investigations Report 2015
Still a common cause of security violations. With a convincing email, an employee can violate the security plan your business so dearly values in a matter of seconds.
Hot for 2016 - SMiShing (via SMS)
PHISHING
Yes.
23% of phishing emails are opened and 11% of attachments are downloaded according to the 2015 Verizon Data Breach Investigations Report.
PEOPLE STILL FALL FOR THAT?
Companies that have an overall security strategy
58%
Global State of Information Security® Survey 2016
Companies that have an employee training program
53%
With a suit, tie and clipboard, you can go pretty much anywhere you want.
With a tray of coffees, you can go through pretty much any door.
It’s this inherent kindness that shows that as security systems go, we are pretty poor.
SOCIAL ENGINEERING
In 2007, a mystery man walked into a Belgian bank and stole over €21 million in diamonds from high-security safety deposit boxes using only his charming personality.
He gained trust with the personnel by being a nice guy and bringing chocolates. He was able to make copies of the keys and gain information to the diamonds whereabouts.
CONFIDENCE
Hence,
TO MAKE A SECURE SYSTEM, FIRST REMOVE HUMANS
THANKS!I’ll be glad to take your criticismsChris Watts - cwatts1@us.ibm.com
Recommended