Security for Digital Companies

Observations, lessons, and advice from a hacker

Presented by Justin Bull!September 9th, 2014

Who am I

Who am I• Justin Bull

• Software developer at

• Security nutbar

• Ethically curious

• @f3ndot on Twitter

Outline

• Canada Revenue Agency: A Case Study

• Responsible disclosure

• Security 101 for a digital company

• Q & A, time permitting

–Quinn Norton, 2014

“Everything is broken.”

–Quinn Norton, 2014

“Everything is broken.”

It's all about risk management & incident response

Canada Revenue Agency:A case study

Canada Revenue Agency:A tale of woe

Think of the word “Government”

Think of the word “Government”

What comes to mind?

Think of the word “Government”

• Slow

What comes to mind?

Think of the word “Government”

• Slow

• Inefficient

What comes to mind?

Think of the word “Government”

• Slow

• Inefficient

• Lots of red tape

What comes to mind?

Think of the word “Government”

• Slow

• Inefficient

• Lots of red tape

• Bureaucratic

What comes to mind?

Yeah…

We have a problem

The heartbleed bug affected 17.5% of all

website servers.

–Netcraft, 2014

That’s around half a million websites

–Netcraft, 2014

Who was affected

Who was affected

• My personal servers

Who was affected

• My personal servers

• Banks

Who was affected

• My personal servers

• Banks

• Almost every, single digital company

Who was affected

• My personal servers

• Banks

• Almost every, single digital company

• …and the Government of Canada

Was CRA self aware?

Was CRA self aware?Nope.

Was CRA self aware?F A I LNope.

Could CRA be notified?

Could CRA be notified?

Nope, nope, nope!

Could CRA be notified?

Nope, nope, nope!

Could CRA be notified?F A I LNope, nope, nope!

Was CRA at least quick when they did know?

Was CRA at least quick when they did know?

Sorta, not really

Was CRA at least quick when they did know?

Sorta, not really

Was CRA at least quick when they did know?

Sorta, not reallyF A I L

We all know about the 900 SIN’s !

But were there other attacks? !

We all know about the 900 SIN’s !

But were there other attacks? !

We will never know

What could CRA have done?

What could CRA have done?

• Have a competent security officer or sysadmin

What could CRA have done?

• Have a competent security officer or sysadmin

• Inter-department cooperation with CSEC (they knew 1 day before Heartbleed went public)

What could CRA have done?

• Have a competent security officer or sysadmin

• Inter-department cooperation with CSEC (they knew 1 day before Heartbleed went public)

• A way for people to tell them security issues

What could CRA have done?

• Have a competent security officer or sysadmin

• Inter-department cooperation with CSEC (they knew 1 day before Heartbleed went public)

• A way for people to tell them security issues

• Be quick!

–Almost any company

“We don’t have time or money to think about security right now.”

Responsible Disclosure The bare minimum for security

Responsible Disclosure

• Officially allows users/hackers/researchers to contact you about security issues

• Basically just a webpage

• Cheapest security investment you can make*

*depending who you talk you

Who has a RD policy?•

• Microsoft

• GitHub

• Apple

• Tesla Motors… Yes, really

Danger, Will Robinson!It’s surprisingly hard to get right

Danger, Will Robinson!It’s surprisingly hard to get right

You need to set up proper encryption and decide on how to communicate with

researchers.

Lessons learned

Lessons learned

• It’s pesky and time consuming if you have security debt

Lessons learned

• It’s pesky and time consuming if you have security debt

• Expect a lot of bullshit, entitlement, and comedy (See @CluelessSec)

Lessons learned

• It’s pesky and time consuming if you have security debt

• Expect a lot of bullshit, entitlement, and comedy (See @CluelessSec)

• Expect to be humbled

Responsible Disclosure: you should have it

The bare minimum:

Responsible Disclosure: you should have it

• Offer no reward or swag

The bare minimum:

Responsible Disclosure: you should have it

• Offer no reward or swag

• Tell people what’s acceptable, what’s not

The bare minimum:

Responsible Disclosure: you should have it

• Offer no reward or swag

• Tell people what’s acceptable, what’s not

• Provide a special email or a direct phone number

The bare minimum:

Security 101 for Digital Companiesaka “How to not get hacked within a year”*

* no promises 😜

Encrypt your passwords!

No excuses.

Encrypt your passwords!

No excuses.None.

Encrypt your passwords!

Encrypt your passwords!The consequences

Encrypt your passwords!

• Domino effect with other customer’s accounts

The consequences

Encrypt your passwords!

• Domino effect with other customer’s accounts

• Permanent black mark on your company record

The consequences

Encrypt your passwords!

• Domino effect with other customer’s accounts

• Permanent black mark on your company record

• You could be sued. Maybe even class-action

The consequences

Encrypt your passwords!

• Domino effect with other customer’s accounts

• Permanent black mark on your company record

• You could be sued. Maybe even class-action

• It’s so cheap and easy to do now. Why not?

The consequences

Encrypt your passwords!But, don’t roll your own crypto

Encrypt your passwords!

• MD5, SHA1, etc. were not designed for passwords

But, don’t roll your own crypto

Encrypt your passwords!

• MD5, SHA1, etc. were not designed for passwords

• Use a password hashing library for your language

But, don’t roll your own crypto

Encrypt your passwords!

• MD5, SHA1, etc. were not designed for passwords

• Use a password hashing library for your language

• It should use bcrypt, scrypt, PBKDF2, or an algorithm designed for passwords

But, don’t roll your own crypto

Encrypt your passwords!

• MD5, SHA1, etc. were not designed for passwords

• Use a password hashing library for your language

• It should use bcrypt, scrypt, PBKDF2, or an algorithm designed for passwords

• You want it to be slow to hash, maybe 1 second

But, don’t roll your own crypto

Wat.

You want something to run slowly? !

Why on earth…?

Wat.

It’s a numbers gameMake it expensive for attackers to brute force your

passwords

–Colin Percival (scrypt), 2009

Password Specifics

Password Specifics• You’re gonna encrypt ‘em, right?

Password Specifics• You’re gonna encrypt ‘em, right?

• Enforce password minimums (min. 8 chars, etc.)

Password Specifics• You’re gonna encrypt ‘em, right?

• Enforce password minimums (min. 8 chars, etc.)

• Expire a login after 8 hours? a day? 2 months?

Password Specifics• You’re gonna encrypt ‘em, right?

• Enforce password minimums (min. 8 chars, etc.)

• Expire a login after 8 hours? a day? 2 months?

• Changing/resetting password patterns

Password Specifics• You’re gonna encrypt ‘em, right?

• Enforce password minimums (min. 8 chars, etc.)

• Expire a login after 8 hours? a day? 2 months?

• Changing/resetting password patterns

• Beware of bad security questions!See goodsecurityquestions.com

Lock ‘em out.Guessed wrong too many times?

Wait 5 minutes, or longer.

SSL/TLS aka

HTTPS aka

SSL/TLS aka

HTTPS aka

Why SSL/TLS, !

no matter what?

• Foreign & domestic governments

• Foreign & domestic governments

• Them nasty hackers

• Foreign & domestic governments

• Them nasty hackers

• Even that “innocent” person at the café

• Foreign & domestic governments

• Them nasty hackers

• Even that “innocent” person at the café

• Your competitor?

• Foreign & domestic governments

• Them nasty hackers

• Even that “innocent” person at the café

• Your competitor?

• Users find comfort in green padlocks…

Get Auth & Auth Right!

Get Auth & Auth Right!

• Research latest Authorization & Authentication practices or libraries

Get Auth & Auth Right!

• Research latest Authorization & Authentication practices or libraries

• The most common languages or frameworks already have libraries available

Get Auth & Auth Right!

• Research latest Authorization & Authentication practices or libraries

• The most common languages or frameworks already have libraries available

• A rock solid login mechanism is your foundation

Have multi-level access?

Have multi-level access?

Guest, User, Moderator, Admin?

Have multi-level access?

Guest, User, Moderator, Admin?

Research or build ACL into foundations of your code.

Got money, but no time? !

Don’t know how screwed you are?

Got money, but no time? !

Don’t know how screwed you are?

Hire a pen tester!

Got money, but no time? !

Don’t know how screwed you are?

Hire a pen tester!

Beware the snakeoil.

Top 10

Top 10

• Get every dev into it, until they dream about it

Top 10

• Get every dev into it, until they dream about it

• Covers most common & most dangerous web app security issues(XSS, CSRF, SQLi, etc.)

Top 10

• Get every dev into it, until they dream about it

• Covers most common & most dangerous web app security issues(XSS, CSRF, SQLi, etc.)

• Print out OWASP’s guide books too. (They’re tomes, but good desk references)

Operational Security

Operational Security• Don’t email passwords

Operational Security• Don’t email passwords

• Don’t email passwords

Operational Security• Don’t email passwords

• Don’t email passwords

• Use a password management application

✦ 1Password

✦ KeePass

✦ LastPass

Operational Security• Don’t email passwords

• Don’t email passwords

• Use a password management application

✦ 1Password

✦ KeePass

✦ LastPassHell, even use sticky notes

Just don’t email passwords.

Some security is about good PR…

Public Relations

• Got social? Use it."

• Got blog? Use it."

• Got email base? Use it."

• Got media attention? Use it.

Public Relations

• Got social? Use it."

• Got blog? Use it."

• Got email base? Use it."

• Got media attention? Use it.

See a pattern?

Public Relations

• Give the facts & truth

• Try not to spin too much

• Transparency & honesty is key

Do it right, !

and you might escape unscathed

That’s all folks!

This presentation has been a

Attribution–ShareAlike 4.0 International licensed work.C

Questions?

C Credits• “Anonymous Hacker” by Brian Klug (CC BY-NC 2.0) (Slide 1, 43)

• “Heartbleed” by Leena Snidate/Codenomicon (CC0 1.0) (Slide 9)

• “The Secret” by Cedward Brice (CC BY-NC 2.0) (Slide 24)

• “Pure Mathematics” by Ed Brambley (CC BY-SA 2.0) (Slide 31)

• “Widget, confused as ever” by Anna Pickard (CC BY-NC-SA 2.0) (Slide 36, 37)

• “The Big E Day 2 2011” by RustyClark (CC BY 2.0) (Slide 40)

• “EFF version of NSA logo” by EFF (CC BY 2.0) (Slide 43)

• “Bryant Park, Nov 2009 - 52” by Ed Yourdon (CC BY 2.0) (Slide 43)

• “Owasp logo” by OWASP (CC BY-SA 3.0) (Slide 47, 48)

• “Day 342 - Hacker” by Christophe Verdier (CC BY-NC 2.0) (Slide 54)

• “Question Box” by Raymond Bryson (CC BY 2.0) (Slide 55)