2. Agenda
The Biggest Hack in History
How the Cookie Crumbles?
Answers!
www.niiconsulting.com
3. Speaker Introduction
Founder & Principal Consultant, Network Intelligence
Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008, 2009
Co-author of book on Metasploit Framework (Syngress), Linux Security & Controls (ISACA)
Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA)
Conducted numerous pen-tests, application security assessments, forensics, etc.
5. Gonzalez, TJX and Heart-break-land
>200 million credit card numbers stolen
Heartland Payment Systems, TJX, and 2 US national retailers hacked
Modus operandi
Visit retail stores to understand workings
Analyze websites for vulnerabilities
Hack in using SQL injection
Inject malware
Sniff for card numbers and details
Hide tracks
6. The hacker underground
Albert Gonzalez
a/k/a “segvec,”
a/k/a “soupnazi,”
a/k/a “j4guar17”
Malware, scripts and hacked data hosted on servers in:
Latvia
Ukraine
New Jersey
Netherlands
California
IRC chats
March 2007: Gonzalez “planning my second phase against Hannaford”
December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”
7. Where does all this end up?
IRC Channels
#cc
#ccards
#ccinfo
#ccpower
#ccs
#masterccs
#thacc
#thecc
#virgincc
Commands used on IRC
!cardable
!cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk
8. TJX direct costs: $200 million in fines/penalties
$41 million to Visa
$24 million to Mastercard
9. Cost of an incident
$6.6 million average cost of a data breach
Of this, the cost of lost business is $4.6 million
More than $200 per compromised record
On the other hand:
Fixing a bug costs $400 to $4000
Cost increases exponentially as time passes
24. App2App Communication
• App2App interaction requires an authentication process
– Calling application needs to send credentials to target application
• Common use cases
– Applications and Scripts connecting to databases
– 3rd Party Products accessing network resources
– Job Scheduling
– Application Server Connection Pools
– Distributed Computing Centers
– Application Encryption Key Management
– ATM, Kiosks, etc.
31. Secure Coding Overview
Secure coding isn’t taught in school
Homeland Security's Build Security In Maturity Model (BSIMM)
Microsoft's Security Development Lifecycle (SDL)
OpenSAMM (Software Assurance Maturity Model)
OWASP Secure Coding Guides
32. Secure Coding Principles
1. Minimize attack surface area
2. Establish secure defaults
3. Principle of least privilege
4. Principle of defense in depth
5. Fail securely
6. Don’t trust input – user or services
7. Separation of duties
8. Avoid security by obscurity
9. Keep security simple
10. Fix security issues correctly
33. Vendor Management
Big names != Good security
Contractual weaknesses
Lack of vendor oversight
No penalties for blatantly buggy code!
34. Secure Hosting
Web Security
Secured web server
Secured application server – all components
Web application firewalls
OS Security
Security Patches
Users and Groups
Access Control
Security Policies
Secured Login
Logging
Database Security
Security Patches
Users and Roles
Access Control
Logging
Password Security
Database Table Encryption
Data Masking
35. Secure Testing
Security testing options
Blackbox
Greybox
Whitebox
Source Code Review
OWASP Top Ten
(www.owasp.org)
OWASP Testing Guide
Tools of the trade
Open source – Wikto, Paros, WebScarab, Firefox plugins
Commercial – Acunetix, Cenzic, Netsparker, Burp Suite
36. Training
Back to basics
Natural thought process
Look at larger picture
Make it fun
Giving back to the community