Websec
Web security presentation delivered @ True-Vision
1. Net security 101: the Internet is a hostile network. Kristaps Kūlis

2. “Real” security
● Security through security, not obscurity: a house is secured by door keys, not by putting the doors on the roof.
● Security is an ongoing process.

3. Web applications
Be conservative in what you do; be liberal in what you accept from others. (Postel's law)

4. SQL injection
5. SQL injections
● Creating queries by string concatenation is “the wrong way”.
● MySQL does not run multiple queries in one call.
● Let the DB do the validation: use parameterized queries.
● ORM frameworks lift the burden, but it is easy to forget to validate inline SQL somewhere.
6. XSS

7. XSS
● Escape HTML/JS/XML special characters on output.
● The vulnerability can also exist on the client side (in JS).
● It can get hairy with JS, AJAX, JSONP etc.
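Output escaping done per context, as the slide prescribes; this is an added example rather than the deck's code, assuming PHP 7.3+ and using a constructed display name. The helper names h() and js() are mine.

```php
<?php
// Added example (not from the slides): escape on output, once per context.
declare(strict_types=1);

// HTML text and attribute context. ENT_QUOTES escapes both quote characters,
// so the same helper is safe inside single- or double-quoted attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript context: HTML escaping is the wrong tool here. Emit a JSON literal
// with <, >, &, ' and " hex-escaped so the string can never close the <script> element.
function js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed input a user might submit as a display name.
$name = '</script><script>alert(1)</script>';

$page = '<p>Hello, ' . h($name) . '</p>' . "\n"
      . '<input value="' . h($name) . '">' . "\n"
      . '<script>var user = ' . js($name) . ';</script>' . "\n";

// The same rule applies client-side: assign user data to textContent, not innerHTML.
echo $page;
```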
8. CSRF
<img src="http://www.bank.lv/pay?to=kristaps&amount=100" />
● A third party makes an unauthorized request to the web site on the user's behalf.
● Include a unique token in each response and validate it on each request.
● Never update data with GET.
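Both rules from the slide applied to its /pay endpoint (reject GET, require a per-session token), as an added example that is not the deck's code; it assumes PHP 7.4+, models the session as an array so it runs from the CLI, and the function names are mine.

```php
<?php
// Added example (not from the slides): synchronizer token for a state-changing action.
declare(strict_types=1);

// One random token per session; a hidden-field copy goes into every form we render.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function payForm(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/pay">'
         . '<input type="hidden" name="csrf" value="' . $token . '">'
         . '<input name="to"><input name="amount"><button>Pay</button></form>';
}

// State-changing endpoint: POST only, and the token must match (constant-time compare).
function handlePay(string $method, array $params, array &$session): string
{
    if ($method !== 'POST') {
        return '405 Method Not Allowed';          // the slide's <img> trick can only send GET
    }
    $token = $params['csrf'] ?? '';
    if (!isset($session['csrf']) || !hash_equals($session['csrf'], $token)) {
        return '403 Forbidden: bad CSRF token';   // a cross-site form cannot read our token
    }
    return 'paid ' . $params['amount'] . ' to ' . $params['to'];
}

// Constructed session and requests.
$session = [];
$form = payForm($session);
echo handlePay('GET',  ['to' => 'kristaps', 'amount' => '100'], $session), "\n";  // 405
echo handlePay('POST', ['to' => 'kristaps', 'amount' => '100'], $session), "\n";  // 403
echo handlePay('POST', ['to' => 'kristaps', 'amount' => '100', 'csrf' => $session['csrf']], $session), "\n"; // paid
```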
9. Storing passwords
● Do not expose DB / other credentials.
● MD5 is too “cheap”; SHA1 is not “expensive enough”.
● Make hash functions slow: multiple iterations, or bcrypt.
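Bcrypt through PHP's password_hash(), with the cost tuned to the host and old hashes upgraded at login, as an added example (not from the deck); it assumes PHP 7.4+ and a constructed stored record, and the function names are mine.

```php
<?php
// Added example (not from the slides): slow, salted password hashing with bcrypt.
declare(strict_types=1);

// Pick the largest bcrypt cost that still hashes in under the target time on this host.
function tuneBcryptCost(float $targetSeconds = 0.25): int
{
    $cost = 10;                                   // PHP's default cost
    do {
        $cost++;
        $start = microtime(true);
        password_hash('benchmark', PASSWORD_BCRYPT, ['cost' => $cost]);
    } while (microtime(true) - $start < $targetSeconds && $cost < 31);
    return $cost - 1;                             // last cost that stayed under the target
}

function storePassword(string $plain, int $cost): string
{
    // The result embeds algorithm, cost and a random salt: "$2y$12$..."
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// On login: verify, then transparently rehash records made with a weaker cost.
function checkLogin(string $plain, string &$stored, int $cost): bool
{
    if (!password_verify($plain, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost])) {
        $stored = storePassword($plain, $cost);
    }
    return true;
}

$cost   = tuneBcryptCost();
$stored = storePassword('correct horse', 10);          // constructed record at the old default cost
var_dump(checkLogin('wrong', $stored, $cost));         // false
var_dump(checkLogin('correct horse', $stored, $cost)); // true, and $stored is now at the tuned cost
echo $stored, "\n";
```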
10. Authorization vs authentication
Authentication: verifying the user's credentials. Usually done once per session.
Authorization: checking that the user is authorized to do a particular action. Must be done on every request.

11. Session fixation
● Session cookie stealing / guessing.
● Initialize sessions on the server side.
● Tie sessions to IP address / User-Agent.
● Expire / invalidate sessions.
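Slides 10 and 11 together: authenticate once, authorize on every request, and bind and expire the session; this is an added example, not the deck's code. It assumes PHP 7.4+, models the session as an array so it runs from the CLI (in a real app the same fields live in $_SESSION and login calls session_regenerate_id(true)), and the names and timestamps are constructed.

```php
<?php
// Added example (not from the slides): per-request authorization and session hardening.
declare(strict_types=1);

const IDLE_LIMIT = 900; // seconds of inactivity before the session is invalidated

function login(array &$session, string $user, string $role, string $ua, int $now): void
{
    // Defeat session fixation: discard whatever id the client arrived with and
    // issue a fresh one; never keep an id the client (or a planter) already knows.
    $session = ['id' => bin2hex(random_bytes(16)), 'user' => $user, 'role' => $role,
                'ua' => $ua, 'last' => $now];
}

// Authentication state, plus the "tie to User-Agent" and expiry rules from slide 11.
function validSession(array $session, string $ua, int $now): bool
{
    return isset($session['user'])
        && hash_equals($session['ua'], $ua)
        && ($now - $session['last']) <= IDLE_LIMIT;
}

// Authorization is decided per request, per action, from the server-side role.
function authorized(array $session, string $action): bool
{
    $allowed = ['view' => ['user', 'admin'], 'delete' => ['admin']];
    return in_array($session['role'] ?? '', $allowed[$action] ?? [], true);
}

function handle(array &$session, string $action, string $ua, int $now): string
{
    if (!validSession($session, $ua, $now)) {
        $session = [];                            // invalidate and force a fresh login
        return '401 login required';
    }
    $session['last'] = $now;
    return authorized($session, $action) ? "200 $action ok" : "403 $action denied";
}

$s = [];
$ua = 'Mozilla/5.0 (constructed)';
login($s, 'alice', 'user', $ua, 1000);
echo handle($s, 'view',   $ua, 1100), "\n";        // 200
echo handle($s, 'delete', $ua, 1200), "\n";        // 403: authenticated, but not authorized
echo handle($s, 'view',   'curl/8.0', 1300), "\n"; // 401: different User-Agent, session dropped
```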
12. PHP specific problems

13. register_globals
~50% of open source PHP app vulnerabilities work only when register_globals is on.

14. safe_mode: wrong place, wrong solution.

15. magic_quotes: gives a false sense of security and no real protection.

16. display_errors
Gives away too much information. Log your errors, do not display them.

17. One .php file is one script
The PHP engine has no “application” concept. Class files, configuration files etc. should not be executable: everything that is not .php is by default dumped as plaintext to the browser.

18. include and require accept URLs as parameters
Remote code injection made dead easy. If you disable remote_url_fopen, you cannot open any URL (without cURL).

19. All these settings should be disabled by default. On most hosting servers they are not.
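A startup self-check for the php.ini directives slides 13 to 19 list, as an added example that is not from the deck; it assumes PHP 7.4+ and uses the real directive names (allow_url_include governs URLs in include/require, allow_url_fopen governs fopen()/file_get_contents(); the slide's remote_url_fopen refers to these), and the function names are mine.

```php
<?php
// Added example (not from the slides): report dangerous php.ini settings at startup.
declare(strict_types=1);

function iniOn(string $directive): bool
{
    // ini_get() returns false for directives this PHP build no longer knows
    // (register_globals, safe_mode and magic_quotes_gpc were removed in PHP 5.4).
    $v = ini_get($directive);
    if ($v === false) {
        return false;
    }
    // display_errors may also be set to "stdout" or "stderr", which is still "on".
    return in_array(strtolower($v), ['stdout', 'stderr'], true)
        || filter_var($v, FILTER_VALIDATE_BOOLEAN);
}

// Returns the findings; an empty list means every checked setting is sane.
function hardeningFindings(): array
{
    $findings = [];
    foreach (['register_globals', 'safe_mode', 'magic_quotes_gpc', 'allow_url_include'] as $d) {
        if (iniOn($d)) {
            $findings[] = "$d is on: disable it";
        }
    }
    if (iniOn('allow_url_fopen')) {
        $findings[] = 'allow_url_fopen is on: file functions accept URLs; fetch remote data with cURL instead';
    }
    if (iniOn('display_errors')) {
        $findings[] = 'display_errors is on: errors (paths, queries) are shown to the browser';
    }
    if (!iniOn('log_errors')) {
        $findings[] = 'log_errors is off: errors are not being logged anywhere';
    }
    return $findings;
}

foreach (hardeningFindings() as $finding) {
    echo $finding, "\n";
}
```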
20. Server security: environment matters

21. TLS (SSL)
● Public/private key infrastructure.
● Server verification and data encryption.
● Ultimate trust is placed in Certificate Authorities (CAs).
● Don't use self-signed certificates; roll out your own CA.

22. Secure / insecure protocols
● HTTP sends all information in plaintext.
● So do FTP/IMAP/POP3/SMTP.
● Use HTTPS / SFTP / IMAPS / POP3S / SMTP over TLS.
● DNS is built on trust. DNSSEC is not (yet) working.

23. [D]DoS
● DoS: a “million” requests from one client.
● DDoS: a “zillion” requests from a “million” clients.
● Handle DoS at the firewall level.
● Try to survive DDoS at the router level.

24. Shared hosting
● Easy, fast, secure: pick two.
● “Jail” each site.
● SELinux / AppArmor to the rescue.
● IDS / mod_security is slow.
● Test backups.

25. Real life 100% secure system: slide intentionally left blank.

26. Personal security: the weakest link in the chain

27. Passwords
Passwords are like underwear: you don't share them and you change them often. (KeePassX)

28. Think
● Don't use plaintext protocols over open WiFi.
● Secure your home router.
● Check URLs and filenames.
● Malware doesn't expose itself anymore: botnets, information stealing.
● Avoid buggy and insecure software (Flash and Acrobat Reader).

29. Securing digital communication
● Skype is sort-of secure.
● PGP
● S/MIME

30. Handling incidents
● Not all hackers are bad.
● Preserve evidence.
● Presume that the attacker obtained the maximum information.
● The system is compromised.
● Eliminate attack vectors.
● Offline backups help.

31. Questions?

32. Further reading
● www.owasp.org: knowledge
● www.cert.lv: Latvian net security team
Books
● Stealing the Network: How to Own the Box by R. Russell: a hacking “fiction” book.
● The Art of Deception by Kevin Mitnick: hacker “memoirs”.