HOW NOT TO SUCK AT CYBER SECURITY Chris Watts - Feb 2016


Page 1: How not to suck at Cyber Security

HOW NOT TO SUCK AT CYBER SECURITY

Chris Watts - Feb 2016

Page 2: How not to suck at Cyber Security

DON’T BE EBAY

Page 3: How not to suck at Cyber Security

In 2015 there were +38% more cyber security incidents than in 2014

Global State of Information Security® Survey 2016

Page 4: How not to suck at Cyber Security

Proportion of companies reporting a security incident

Global State of Information Security® Survey 2016

Page 5: How not to suck at Cyber Security

CUSTOMER RECORDS: 38.27% of compromised assets

EMPLOYEE RECORDS: 33.25% of compromised assets

Global State of Information Security® Survey 2016

Page 6: How not to suck at Cyber Security

While there is no guarantee against being breached, organizations can greatly manage their risk by becoming more vigilant in covering their bases.

- Mike Denning, Vice President for Global Security, Verizon

Page 7: How not to suck at Cyber Security

According to the Pareto Principle

80% of the effects are from

20% of the causes

Software bugs are not exempt from this rule

Page 8: How not to suck at Cyber Security

BACK TO THE RECENT EBAY HACK

Page 9: How not to suck at Cyber Security

JS NIGHTMARES

[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+

Page 10: How not to suck at Cyber Security

[] + [] === ''

[] + {} === '[object Object]'

{} + [] === 0

{} + {} === NaN

QUIRKY!

https://www.destroyallsoftware.com/talks/wat

Page 11: How not to suck at Cyber Security

HOW TO MAKE A LANGUAGE

NAND or NOR gates will let you build anything!

Page 12: How not to suck at Cyber Security

With an array of NAND or NOR gates, you can build any other logic gate. Hence FPGAs!

In software, if you have a NOT expression and an OR expression, you can emulate any other logic circuit!

If you can emulate logic circuits, you can emulate a Turing machine.

Pretty much every language already has this requirement [!+]

Page 13: How not to suck at Cyber Security

TURING TARPITS

Some people just want to watch the world burn

This is an example of Hello World in Brainfuck:

++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]>>.>---.+++++++..+++.>>.<-.<.+++.------.--------.>>+.>++.

Page 14: How not to suck at Cyber Security

To be Turing-complete, an imperative language must:

1. Allow conditional branching

2. Allow read/write access to random memory

Page 15: How not to suck at Cyber Security

To be Turing-complete, a functional language must:

1. Allow abstraction of functions over arguments

2. Allow application of functions to arguments

Page 16: How not to suck at Cyber Security

ENTER JSFUCK

A Turing-complete sub-language of JavaScript that runs in the same environment as real JavaScript. And yes, it’s Turing-complete.

false => ![]

true => !![]

undefined => [][[]]

NaN => +[![]]

0 => +[]

1 => +!+[]

2 => !+[]+!+[]

Page 17: How not to suck at Cyber Security

Problem: Lots of people want cat pictures and illegible formatting in their listings

Solution: Let them insert HTML!

Normally, one filters out everything in user-submitted HTML that has the potential to do harm

USER INPUT IS A DANGEROUS THING

In fact, the best idea is to just avoid it and say no, but customers will be customers.

Page 18: How not to suck at Cyber Security

LET’S LEAVE IN <SCRIPT> TAGS!

Now we can offer more features like advertising!

And lawsuit-worthy user tracking!

Page 19: How not to suck at Cyber Security

Hey, let’s just check for alphanumerics! It’s a super easy regex:

/<script>\w+<\/script>/ig

ALL WE NEED TO DO IS DISALLOW ALL STRINGS WITHIN <SCRIPT> TAGS SUBMITTED BY USERS

Page 20: How not to suck at Cyber Security

It will be fine, nobody is ever going to be able to execute JavaScript without alphanumerics despite JS being even sketchier than C++[1]

- some dev at eBay

Page 21: How not to suck at Cyber Security

NAILED IT

Page 22: How not to suck at Cyber Security
Page 23: How not to suck at Cyber Security

OF COURSE, IT’S NOT JUST EBAY

Two researchers by the names of Charlie Miller and Chris Valasek were able to connect to GM’s OnStar entertainment system from 2012 to 2015.

Turns out the entertainment system is connected to the ECU, braking, tire pressure monitoring and steering systems.

From 10 miles away, they were able to turn up the car stereo, switch on the wipers, and crash the car flat-out into a ditch.

Page 24: How not to suck at Cyber Security

It will be fine, nobody is ever going to control the car through the entertainment system

- some dev at GM

Page 25: How not to suck at Cyber Security

LET’S NOT FOLLOW SUIT

DESIGN AS THE ANTI-USER

Page 26: How not to suck at Cyber Security

SQL INJECTION

https://xkcd.com/327/

Page 27: How not to suck at Cyber Security

A SIMPLE ATTACK

<?php

$page = $_GET['page'];

// Vulnerable: the raw request parameter is concatenated straight into the SQL text
$query = "SELECT * FROM transactions LIMIT $page * 20, 20";

...

?>

https://www.securebank.com/transactions/view/3/

https://www.securebank.com/transactions/view/3;DROP USER admin;--/

Page 28: How not to suck at Cyber Security

SOLUTION

NEVER trust user-supplied information. Hidden form fields and cookies are also not safe.

VALIDATE your inputs. Expecting a number? Assert that!

ALWAYS use prepared statements - don’t insert directly into SQL statements

$offset = (int) $page * 20; // validate: the offset must be an integer

$statement = $db->prepare("SELECT * FROM transactions LIMIT :offset, 20");

$statement->bindParam(':offset', $offset, PDO::PARAM_INT); // bindParam needs a variable, and LIMIT needs an integer, not a quoted string

$statement->execute();

Page 29: How not to suck at Cyber Security

You would think there’s no harm in leaving the version numbers of your Wordpress installation in the headers or footers of your web page.

Some version information also appears in HTTP headers, for example: 'X-Powered-By: My Cool CMS v3.3.6'

INFORMATION LEAKAGE

Page 30: How not to suck at Cyber Security

EXPLOIT-DB

Page 31: How not to suck at Cyber Security

SOLUTION

REMOVE all version identifiers from everything your server sends

CHECK what happens on a server error. Does the 500 page show anything useful to a hacker?

REMOVE all debugging information, or have it sent to log files

Page 32: How not to suck at Cyber Security

INFORMATION EXPOSURE

Sometimes your text editors are the enemy...

Of course, Database.php~ is no longer a .php file, so it will not be executed when you navigate to it.

Instead, it will just be served to the user as a download, containing the actual PHP code and passwords!

Page 33: How not to suck at Cyber Security

SOLUTION

WHITELIST rather than blacklist the files that are allowed to be served to the user (e.g. in .htaccess)

DELETE all temporary files on the production server; edit files on a development server before pushing.

MOVE everything that is not a static asset (html, jpg, css and the like) out of the document root. Especially configuration files.

Page 34: How not to suck at Cyber Security

USER UPLOADS

By performing the previous steps, you can also protect yourself from malicious uploads being executed.

This does not replace the need to check file contents, though: if the file exists on the server, it’s more than likely the attacker will find a way to execute it.

Page 35: How not to suck at Cyber Security

OUTDATED SOFTWARE

Remember the Heartbleed bug of 2014?

In 2015 there were still swaths of unprotected servers due to negligence and unwillingness to update.

Page 36: How not to suck at Cyber Security

SOLUTION

sudo apt-get update

sudo apt-get upgrade

Update any frameworks or libraries you use in your projects as well, to make sure you don’t appear on the Exploit DB.

Page 37: How not to suck at Cyber Security

SECURITY THROUGH OBSCURITY

Just because the attacker can’t see your source code doesn’t mean they can’t brute force or guess their way in!

Page 38: How not to suck at Cyber Security

SOLUTION

Assume they can see your source code.

Page 39: How not to suck at Cyber Security

AUTHORIZATION BYPASS

Locking the front door is useless if you left the window open.

Some companies forget to secure all of their admin pages. Sure, the admin home page is protected by a password, but what about the page where you can modify user permissions?

Page 40: How not to suck at Cyber Security

HIDDEN FIELDS ARE NOT HIDDEN

Storing valuable information in HTML <hidden> fields?

Users can modify and do whatever they like to those.

Page 41: How not to suck at Cyber Security

SOLUTION

CHECK every page, REST service, action and form to make sure only those authorized can perform actions

NEVER store internal logic in content the user sends back. This includes cookies! (Although storing this information in sessions with a session token is OK provided you’re using sessions properly)

Page 42: How not to suck at Cyber Security

CSRF CROSS-SITE REQUEST FORGERY

So you’ve fixed authorization bypass and an admin is logged in. The admin checks the forums and sees this post:

Hi, I’m getting harassed by the user Trump4President. I recorded a chat log here to prove that he’s being derogatory and spiteful to every user in...

Little did the admin know, the link actually goes here:

https://www.clubpenguin.com/admin/users/Trump4President/perms?admin=true

Page 43: How not to suck at Cyber Security

WHAT WENT WRONG

There are actually two things wrong with this example.

1. A modification action was accessible with a GET request rather than POST.

2. Because the admin was logged in, clicking this link performed the action under the admin’s account.

Page 44: How not to suck at Cyber Security

SOLUTION

USE POST, PUT, PATCH, DELETE etc. for any mutable actions. Use GET only if data will not be modified by the request.

TOKENIZE all forms and actions with a random string generated as the page loads. Store this token in your database to cross-reference when the form is submitted. This token may be stored in a hidden field or cookie.

Page 45: How not to suck at Cyber Security

REDIRECT HIJACKING

Sometimes you need to show a page, such as a login page, before redirecting the user to where they wanted to go.

If the redirect URL is not sanitized, an attacker might try to use it to direct you to another site. Imagine a user receives a phishing email asking them to change their bank password, containing what looks like a legitimate link to their bank:

https://www.securebank.com/account/changepassword?redir=http://evil.com/phish

Page 46: How not to suck at Cyber Security

REDIRECT HIJACKING

This attack goes hand-in-hand with CSRF. If the user can be redirected before they realize their session has been hijacked by an evil button, the incident may go completely undetected.

Page 47: How not to suck at Cyber Security

REDIRECT HIJACKING

It’s not just limited to redirecting a user either. If your script accesses the server’s filesystem, don’t let this happen:

https://www.mycoolforum.com/forum/page=../../../etc/passwd

Page 48: How not to suck at Cyber Security

SOLUTION

USE a URL parser on any URL arguments to make sure they’re relative to the document root.

DENY use of patterns like '../', '~/' or 'PROGRA~1/'

Page 49: How not to suck at Cyber Security

XSS CROSS-SITE SCRIPTING

Some content is written by the user. This could be something like eBay’s item descriptions, or even a user’s username displayed at the top of the page.

If the user can enter HTML tags that they shouldn’t, we already know what can go wrong.

Page 50: How not to suck at Cyber Security

FIRST AND SECOND ORDER

There are two ways XSS can be a problem.

1. Displaying unsanitized information that the user has directly given (such as in a comment post or account bio)

2. Displaying unsanitized information that the user has weaseled into the system (for example, with a database compromise)

Page 51: How not to suck at Cyber Security

SOLUTION

ESCAPE or encode all characters that should be illegal when displayed on a page. For an HTML body this means anything that could open an element (<anyelement>); for HTML attributes it also means any single or double quote. There are pre-made sanitizers for this job.

Perform this when the data is displayed rather than when it is stored. Otherwise you can end up with multiply-escaped strings and still be vulnerable to second-order XSS!
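The alphanumeric-only regex from the eBay slides beside the escape-at-display-time approach this slide recommends, as an added example that is not part of the talk. The sample listing values and the helper names are constructed for illustration.

```javascript
// Added example (not from the talk). Sample inputs and helper names are constructed.

// The eBay slide's filter: it only removes a <script> whose body is purely \w
// characters, so it is a blacklist with holes rather than a guarantee.
const SCRIPT_BLACKLIST = /<script>\w+<\/script>/ig;
function blacklistFilter(html) {
  return html.replace(SCRIPT_BLACKLIST, '');
}

// Whitelist approach: decide what is legal in each output context and encode
// everything else. HTML body: the characters that open an element or entity.
function escapeHtmlBody(text) {
  return String(text).replace(/[&<>]/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c]));
}
// HTML attribute: additionally the quotes, so a value cannot close the attribute.
function escapeHtmlAttr(text) {
  return escapeHtmlBody(text).replace(/["']/g, c => (c === '"' ? '&quot;' : '&#39;'));
}

// Render from the raw stored value at display time. A value that reached the
// database by another route (second-order XSS) is handled identically, and
// nothing is ever escaped twice: escapeHtmlBody('&lt;') would give '&amp;lt;'.
function renderListing(raw) {
  return `<div title="${escapeHtmlAttr(raw.title)}">${escapeHtmlBody(raw.body)}</div>`;
}

// Constructed sample inputs.
const WORD_ONLY = '<script>abc</script>';  // the blacklist catches this one
const NON_WORD = '<script>a b</script>';   // a single space and it is untouched
```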

Page 52: How not to suck at Cyber Security

How it should be done (escaping with &lt; and &gt;)

How it shouldn’t be done

Page 53: How not to suck at Cyber Security

HUMANS

THE WEAKEST LINK OF A SECURITY SYSTEM

Page 54: How not to suck at Cyber Security

Of the compromised respondents in the GSISS

34% said current employees were the most likely cause

Global State of Information Security® Survey 2016

Page 55: How not to suck at Cyber Security

29% linked attacks to former employees

Global State of Information Security® Survey 2016

Page 56: How not to suck at Cyber Security

PRIVILEGE MISUSE is #3 of the 9 biggest causes

Verizon Data Breach Investigations Report 2015

Page 57: How not to suck at Cyber Security

PHISHING

Still a common cause of security violations. With a convincing email, an employee can violate the security plan your business so dearly values in a matter of seconds.

Hot for 2016 - SMiShing (via SMS)

Page 58: How not to suck at Cyber Security

PEOPLE STILL FALL FOR THAT?

Yes.

23% of phishing emails are opened and 11% of attachments are downloaded according to the 2015 Verizon Data Breach Investigations Report.

Page 59: How not to suck at Cyber Security

Companies that have an overall security strategy

58%

Global State of Information Security® Survey 2016

Companies that have an employee training program

53%

Page 60: How not to suck at Cyber Security

SOCIAL ENGINEERING

With a suit, tie and clipboard, you can go pretty much anywhere you want.

With a tray of coffees, you can go through pretty much any door.

It’s this inherent kindness that shows that as security systems go, we are pretty poor.

Page 61: How not to suck at Cyber Security

CONFIDENCE

In 2007, a mystery man walked into a Belgian bank and stole over €21 million in diamonds from high-security safety deposit boxes using only his charming personality.

He gained the trust of the personnel by being a nice guy and bringing chocolates. He was able to make copies of the keys and gain information about the diamonds’ whereabouts.

Page 62: How not to suck at Cyber Security

Hence,

TO MAKE A SECURE SYSTEM, FIRST REMOVE HUMANS

Page 63: How not to suck at Cyber Security

THANKS!

I’ll be glad to take your criticisms

Chris Watts - [email protected]