SlideShare a Scribd company logo

Luis Grangeia IBWAS

Luis Grangeia
Luis Grangeia
Technology
1 of 47
Download to read offline
Web Security From an Auditor's Standpoint What works, what doesn’t, what might. IBWAS „10 Luis Grangeia lgrangeia@sysvalue.com
About Me • IT Security Auditor since 2001 • First at SideStep, now at SysValue • Working mostly with Telco, Finance and Government sectors • Performed Web App Security Testing on: • Online banking • Stock brokerage • Online stores • Corporate Web sites • Internal Web apps
What will be covered today • Prologue: Web Application Security • Security Countermeasures, working or not? 1. SQL Injection 2. Cross Site Scripting 3. Virtual Keyboards • Welcome to the Social Web • Social Security, anyone? 
Prologue: Web Application Security Why are we talking about it?
Applications vs Infrastructure • Applications are the reason we go Online • Network infrastructure is just a means to that end • Infrastructure security is easy now (in comparison) Infrastructure security is now almost fully commoditized
The Web is Where it‟s At “The data used for this study shows that in 86% of all attacks, a weakness in a web interface was exploited.” UK Security Breach Investigations Report 2010 An Analysis of Data Compromise Cases, 7Safe
Web Application Security is Hard No turn key products No easy solutions Every Application is different … That‟s why it‟s fun 
Security Countermeasures What works and what doesn‟t.
1. SQL Injection We are winning the battle for eradication.
SQL Injection: Context • Still leading the OWASP Top Ten • Eight years ago it was much worse: • But the problem was not actively exploited • Not many knew how (good and bad guys alike) • There was lower hanging fruit • Now it‟s in the spotlight
SQL Injection: Analysis • Hard to detect: • Good error handling prevents confident detection by automated tools • Web Application Firewalls mask the problem (attack pattern blacklisting) • Easy to exploit: • Automated attacks are possible (SQL Injection worms) • Even Blind SQLi can be attacked easily (eg. SQL Power Injector) • This makes it a easier do make a point
SQL Injection: Countermeasures Prevention | Mitigation is easy: • Possible to easily distinguish between Data (variables) and Control (code): • Use parameterized queries / prepared statements • New Web Development platforms are already performing Database Abstraction • Makes it a Platform problem, not a Developer‟s problem
SQL Injection: Conclusions • Problems that are easy to exploit, are easy to understand by customers/developers • Problems that are understood are more likely to get solved • Especially when the solution is easy to understand and easy to implement
SQL Injection: Conclusions We will eradicate the problem, because we have understood it completely and have a working simple solution that addresses the root cause
2. Cross Site Scripting We risk losing this battle unless we address its root cause.
Cross Site Scripting: Context • Second in the OWASP Top Ten • Like SQL Injection, eight years ago it was much worse: • But the problem was not actively exploited • Not many knew how (good and bad guys alike) • There was lower hanging fruit • Now it‟s in the spotlight
Misconceptions abound (not just around Web developers, also around some parts of the security community) “Oh, it triggers an alert() box, is that it?” “The user must click on a link in order to trigger the XSS attack.” “Sure, this attack might steal our customers sessions, but we use second-level authentication for financial transactions, so we’re safe.”
Cross Site Scripting: Risks • Useful for realistic phishing attacks • Cross site request forgery “boosts” the impact of XSS instances • Web Applications are increasingly multi-domain: • Facebook “like” buttons • Google maps iframes • Google analytics • Advertising banners • Etc. • A good exploitation means total control of all aspects of the communication between victim and Application.
Cross Site Scripting: Analysis • (Somewhat) Easier to detect: • In fact, good Web App Scanners do it quite well, with low false positives and low false negatives • More complex instances are still hard to spot and may be missed • Hard to exploit effectively: • While easy to trigger, good proof of concept code can be hard to write • The attack always depends of the “anatomy” of the Web App
Proving the Impact of XSS • We‟re not doing our best • We must prove to the developers the true impact of the problem • It‟s not easy, but it pays off!
Cross Site Scripting: Countermeasures Prevention | Mitigation is hard: • Also, it is a problem of distinguishing between Data (variables) and Control (code) • But there is no way to clearly make that distinction in HTML / Javascript • Input / Output sanitization is the only way, but it is hard: • Escaping output is dependent of document context: • HTML Content Elements, Common Attributes, Javascript Data Values, HTML Style Properties, etc.
Cross Site Scripting: Countermeasures (cont.) • There is no possible way of addressing the root cause unless we change the protocol (won‟t happen): • Remember, the root cause isn‟t malicious input/output, it‟s mixing user supplied data with control code • HTML5 won‟t really help: • Actually XSS will turn into a feature in HTML5  • See HTML5‟s “Channel Messaging” and “Cross-document messaging” • In fairness, there is one thing that might help against XSS in HTML5: • Sandboxed iframes
Cross Site Scripting: Countermeasures (cont.) • The solution is complex, take it out of the hands of Developers: • Seriously, do you expect a developer to remember this? • http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet • Incorporate good, context aware output filtering in development platforms with template systems: • Google‟s “Automatic Context-Aware Escaping” • Ivan Ristić‟s “Canoe” • How long before .NET and Java adoption? • In the meantime, use Microsoft‟s Web Protection Library, AntiXSS • Consider changes to the underlying protocol to promote better distinction of Code and Data (I won‟t go there, for now )
Cross Site Scripting: Conclusions • Security Problems that are: • Somewhat easy to detect, but… • Hard to prove their real impacts, and… • Have a difficult to execute and hard to understand solution… …will be swept under the carpet! And Cross site scripting falls squarely into this category.
Cross Site Scripting: Conclusion This is a platform and protocol problem that is not well understood by developers. We are fighting a losing battle, unless we spend time developing platform-wide solutions, and at the same time, as auditors, make better proof-of-concept code, to drive research forward.
3. Virtual Keyboards We‟re doing it wrong!
Virtual Keyboards: Context • Introduced around summer 2003 in Portugal • Implemented by most major online banks • Response to a specific threat: • Malware that logged keystrokes in order to steal credentials
Virtual Keyboards are obsolete since day one. Really. We can stop the madness.
Virtual Keyboards: Problems • Mitigates only a specific instance of an attack: • “Key-logging malware” as opposed to “online credential stealing malware” • Fails to look at the big picture • Result of bad/outdated threat assessment • No “half-decent” malware uses key-logging anymore • In fact, key-logging results in a lot of useless data for the attacker
Virtual Keyboards: Threat not mitigated • Form grabbing is the method of choice for grabbing credentials; • All credentials end up in a Web form • Some banks try to mask the POST‟ed credentials using Javascript encryption • doesn‟t really work, the key is in the previous HTTP response • Typical behavior (ex. W32/Qhost.JE): • Trojan injects a DLL into Internet Explorer • The DLL hooks HttpSendRequestA • The hook grabs POST data and uploads it to a FTP server All of this works with or without SSL, with or without a virtual keyboard.
Virtual Keyboards More of a problem than a solution: • Fails to protect against current attack methods • Gives a false sense of security • Introduce new attack vectors: • Shoulder surfing • Induces the user to choose a weaker (easier to “type”) password
Virtual Keyboards: Threats Mitigated (for completeness sake) To be fair, virtual keyboards protect against this: • Wireless keyboard sniffing • Use encryption, corded keyboards • Hardware key-loggers • Look at your hardware ports, don‟t leave computer unattended in insecure locations
Virtual Keyboards: Conclusion Don‟t be afraid to remove a security countermeasure that doesn‟t work. Educate the public so that this “security theater” is exposed.
The Social Web Revolution Social Security, anyone?
The Social Revolution – Facebook • Facebook connects over 500 million users • That‟s around 30% of all Internet users worldwide It‟s more than 7% of the World‟s Population (est.)
Before talking infosec… • Before talking about possible security uses for the social graph, we must be able to decentralize it • Too much power is concentrated on a single organization • Either use Facebook‟s graph alongside other tools, or build a distributed social graph altogether: • Possible and doable: check the Diaspora Project
How can security benefit from the social graph Facebook is already showing us how: • Facebook Messages: • Spam filtering by looking at your friend connections • Has the potential to be virtually foolproof mitigating spam. • There are still possible bumps down the road, but the idea has potential
Using the Social Graph to Improve SSL Warning: crazy idea ahead.
SSL is OK, but Already Shows Age Two roles of SSL/TLS: • Authenticating the endpoints • Providing transport integrity and confidentiality through encryption • The authentication is based on the trust of organizations that are organized in a hierarchy, originating in root CA‟s that are “imposed” on us
The confidence issue “Directly or indirectly, there are more than 650 different organizations that function as trusted CA‟s for either Internet Explorer or Firefox” (source: EFF SSL Observatory) All you need is to break the security of one to break the SSL model…
SSL: What are the threats • There are reports stating that MiTM attacks against SSL are being performed using certificates generated by rogue CAs: • By governments (espionage) • By Law Enforcement • “Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL” • Christopher Soghoian and Sid Stammy, April 2010 • “Law Enforcement Appliance Subverts SSL” • Wired Threat Level, March 24, 2010
Challenge: Defeating Local MiTM Attacks “You can fool some of the people all of the time, and all of the people some of the time, but you cannot fool all of the people all of the time.” Abraham Lincoln
Defeating Local MiTM Attacks by “Friendsourcing” • Assuming no malicious entity is omnipotent on the Internet (not even governments): • SSL MiTM attacks will always be localized (to an ISP or a specific country) • So, in order to validate the authenticity of a Web site, one can request that an online friend (or a random group, or all of them) visits the same site and checks the certificate for us. • In geographically distinct locations • Using different computers and ISP‟s • We only authenticate if all (or most) our friends data matches up.
Defeating Local MiTM Attacks by “Friendsourcing” • The devil is in the details… • Just an idea for discussion, for now • Assumes we can securely authenticate friends and pass private messages along the social graph • Can be complemented by historic data: • “the certificate has changed even though the previous certificate had an expiry date well in the future” • The general idea is to create the possibility of a custom security model for authentication based on a Web of Trust, and not on a hierarchy of “Trusted Authorities” • There are endless opportunities for the social graph…
Thank You Q&A Luis Grangeia, SysValue lgrangeia@sysvalue.com

Recommended

Man vs Internet - Current challenges and future tendencies of establishing tr...
Man vs Internet - Current challenges and future tendencies of establishing tr...Man vs Internet - Current challenges and future tendencies of establishing tr...
Man vs Internet - Current challenges and future tendencies of establishing tr...Luis Grangeia
 
SSL: Past, Present and Future
SSL: Past, Present and FutureSSL: Past, Present and Future
SSL: Past, Present and FutureLuis Grangeia
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Nick Galbreath
 
BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat v17 || You Are Making Application Whitelisting Difficult BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat v17 || You Are Making Application Whitelisting Difficult BlueHat Security Conference
 
451 AppSense Webinar - Why blame the user?
451 AppSense Webinar - Why blame the user?451 AppSense Webinar - Why blame the user?
451 AppSense Webinar - Why blame the user?Adrian Sanabria
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Nick Galbreath
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps OverviewAdrian Sanabria
 
Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Adrian Sanabria
 

Recommended

Man vs Internet - Current challenges and future tendencies of establishing tr...
Man vs Internet - Current challenges and future tendencies of establishing tr...Man vs Internet - Current challenges and future tendencies of establishing tr...
Man vs Internet - Current challenges and future tendencies of establishing tr...Luis Grangeia
 
SSL: Past, Present and Future
SSL: Past, Present and FutureSSL: Past, Present and Future
SSL: Past, Present and FutureLuis Grangeia
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Nick Galbreath
 
BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat v17 || You Are Making Application Whitelisting Difficult BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat v17 || You Are Making Application Whitelisting Difficult BlueHat Security Conference
 
451 AppSense Webinar - Why blame the user?
451 AppSense Webinar - Why blame the user?451 AppSense Webinar - Why blame the user?
451 AppSense Webinar - Why blame the user?Adrian Sanabria
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Nick Galbreath
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps OverviewAdrian Sanabria
 
Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Adrian Sanabria
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerAdrian Sanabria
 
dotSecurity2017
dotSecurity2017dotSecurity2017
dotSecurity2017Zane Lackey
 
Lets talk about bug hunting
Lets talk about bug huntingLets talk about bug hunting
Lets talk about bug huntingKirill Ermakov
 
2016 virus bulletin
2016 virus bulletin2016 virus bulletin
2016 virus bulletinAdrian Sanabria
 
Security Training: Making your weakest link the strongest - CircleCityCon 2017
Security Training: Making your weakest link the strongest - CircleCityCon 2017Security Training: Making your weakest link the strongest - CircleCityCon 2017
Security Training: Making your weakest link the strongest - CircleCityCon 2017Aaron Hnatiw
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
 
Security is not a feature
Security is not a featureSecurity is not a feature
Security is not a featureElizabeth Smith
 
So Your Company Hired A Pentester
So Your Company Hired A PentesterSo Your Company Hired A Pentester
So Your Company Hired A PentesterNorthBayWeb
 
RSAC 2016: CISO's guide to Startups
RSAC 2016: CISO's guide to StartupsRSAC 2016: CISO's guide to Startups
RSAC 2016: CISO's guide to StartupsAdrian Sanabria
 
DevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos EngineeringDevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos EngineeringAaron Rinehart
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSeniorStoryteller
 
Secure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongSecure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongbryns
 
AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering Aaron Rinehart
 
New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)Dinis Cruz
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOpsSeniorStoryteller
 
CSF18 - How to Block Ransomware - Sami Laiho
CSF18 - How to Block Ransomware - Sami LaihoCSF18 - How to Block Ransomware - Sami Laiho
CSF18 - How to Block Ransomware - Sami LaihoNCCOMMS
 
Red teaming in the cloud
Red teaming in the cloudRed teaming in the cloud
Red teaming in the cloudPeter Wood
 
New Security Issues related to Embedded Web Servers
New Security Issues related to Embedded Web ServersNew Security Issues related to Embedded Web Servers
New Security Issues related to Embedded Web ServersEric Vétillard
 
AllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security DifferentlyAllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security DifferentlyAaron Rinehart
 
The hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsThe hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsn|u - The Open Security Community
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 

More Related Content

What's hot

How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerAdrian Sanabria
 
Lets talk about bug hunting
Lets talk about bug huntingLets talk about bug hunting
Lets talk about bug huntingKirill Ermakov
 
Security Training: Making your weakest link the strongest - CircleCityCon 2017
Security Training: Making your weakest link the strongest - CircleCityCon 2017Security Training: Making your weakest link the strongest - CircleCityCon 2017
Security Training: Making your weakest link the strongest - CircleCityCon 2017Aaron Hnatiw
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
 
Security is not a feature
Security is not a featureSecurity is not a feature
Security is not a featureElizabeth Smith
 
So Your Company Hired A Pentester
So Your Company Hired A PentesterSo Your Company Hired A Pentester
So Your Company Hired A PentesterNorthBayWeb
 
RSAC 2016: CISO's guide to Startups
RSAC 2016: CISO's guide to StartupsRSAC 2016: CISO's guide to Startups
RSAC 2016: CISO's guide to StartupsAdrian Sanabria
 
DevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos EngineeringDevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos EngineeringAaron Rinehart
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSeniorStoryteller
 
Secure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongSecure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongbryns
 
AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering Aaron Rinehart
 
New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)Dinis Cruz
 
CSF18 - How to Block Ransomware - Sami Laiho
CSF18 - How to Block Ransomware - Sami LaihoCSF18 - How to Block Ransomware - Sami Laiho
CSF18 - How to Block Ransomware - Sami LaihoNCCOMMS
 
Red teaming in the cloud
Red teaming in the cloudRed teaming in the cloud
Red teaming in the cloudPeter Wood
 
New Security Issues related to Embedded Web Servers
New Security Issues related to Embedded Web ServersNew Security Issues related to Embedded Web Servers
New Security Issues related to Embedded Web ServersEric Vétillard
 
AllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security DifferentlyAllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security DifferentlyAaron Rinehart
 

What's hot (20)

How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security Practitioner
 
dotSecurity2017
dotSecurity2017dotSecurity2017
dotSecurity2017
 
Lets talk about bug hunting
Lets talk about bug huntingLets talk about bug hunting
Lets talk about bug hunting
 
2016 virus bulletin
2016 virus bulletin2016 virus bulletin
2016 virus bulletin
 
Security Training: Making your weakest link the strongest - CircleCityCon 2017
Security Training: Making your weakest link the strongest - CircleCityCon 2017Security Training: Making your weakest link the strongest - CircleCityCon 2017
Security Training: Making your weakest link the strongest - CircleCityCon 2017
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
 
Security is not a feature
Security is not a featureSecurity is not a feature
Security is not a feature
 
So Your Company Hired A Pentester
So Your Company Hired A PentesterSo Your Company Hired A Pentester
So Your Company Hired A Pentester
 
RSAC 2016: CISO's guide to Startups
RSAC 2016: CISO's guide to StartupsRSAC 2016: CISO's guide to Startups
RSAC 2016: CISO's guide to Startups
 
DevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos EngineeringDevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos Engineering
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security Solutions
 
Secure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongSecure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrong
 
AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering
 
New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 
CSF18 - How to Block Ransomware - Sami Laiho
CSF18 - How to Block Ransomware - Sami LaihoCSF18 - How to Block Ransomware - Sami Laiho
CSF18 - How to Block Ransomware - Sami Laiho
 
Red teaming in the cloud
Red teaming in the cloudRed teaming in the cloud
Red teaming in the cloud
 
New Security Issues related to Embedded Web Servers
New Security Issues related to Embedded Web ServersNew Security Issues related to Embedded Web Servers
New Security Issues related to Embedded Web Servers
 
AllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security DifferentlyAllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security Differently
 

Similar to Luis Grangeia IBWAS

The hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsThe hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsn|u - The Open Security Community
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
Crash Course In Brain Surgery
Crash Course In Brain SurgeryCrash Course In Brain Surgery
Crash Course In Brain Surgerymorisson
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
Web security
Web securityWeb security
Web securitydogangcr
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm HereChristopher Grayson
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security TestingTEST Huddle
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secureEoin Keary
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbersEoin Keary
 
Supercharged graph visualization for cyber security
Supercharged graph visualization for cyber securitySupercharged graph visualization for cyber security
Supercharged graph visualization for cyber securityCambridge Intelligence
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemRogue Wave Software
 
20th Anniversary - OWASP Top 10 2021.pptx
20th Anniversary - OWASP Top 10 2021.pptx20th Anniversary - OWASP Top 10 2021.pptx
20th Anniversary - OWASP Top 10 2021.pptxDedy Hariyadi
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
21.06.2017 - KYOS Breakfast Event
21.06.2017 - KYOS Breakfast Event 21.06.2017 - KYOS Breakfast Event
21.06.2017 - KYOS Breakfast Event Kyos
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile SecurityMichalis Kamprianis
 
Uncover What's Inside the Mind of a Hacker
Uncover What's Inside the Mind of a HackerUncover What's Inside the Mind of a Hacker
Uncover What's Inside the Mind of a HackerIBM Security
 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Eoin Keary
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012Nick Galbreath
 

Similar to Luis Grangeia IBWAS (20)

The hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsThe hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignments
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
Crash Course In Brain Surgery
Crash Course In Brain SurgeryCrash Course In Brain Surgery
Crash Course In Brain Surgery
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
Web security
Web securityWeb security
Web security
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secure
 
Confidence web
Confidence webConfidence web
Confidence web
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbers
 
Supercharged graph visualization for cyber security
Supercharged graph visualization for cyber securitySupercharged graph visualization for cyber security
Supercharged graph visualization for cyber security
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
20th Anniversary - OWASP Top 10 2021.pptx
20th Anniversary - OWASP Top 10 2021.pptx20th Anniversary - OWASP Top 10 2021.pptx
20th Anniversary - OWASP Top 10 2021.pptx
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
21.06.2017 - KYOS Breakfast Event
21.06.2017 - KYOS Breakfast Event 21.06.2017 - KYOS Breakfast Event
21.06.2017 - KYOS Breakfast Event
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security
 
Uncover What's Inside the Mind of a Hacker
Uncover What's Inside the Mind of a HackerUncover What's Inside the Mind of a Hacker
Uncover What's Inside the Mind of a Hacker
 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
 

Recently uploaded

Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 

Recently uploaded (20)

Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Luis Grangeia IBWAS

  • 1. Web Security From an Auditor's Standpoint What works, what doesn’t, what might. IBWAS „10 Luis Grangeia lgrangeia@sysvalue.com
  • 2. About Me • IT Security Auditor since 2001 • First at SideStep, now at SysValue • Working mostly with Telco, Finance and Government sectors • Performed Web App Security Testing on: • Online banking • Stock brokerage • Online stores • Corporate Web sites • Internal Web apps
  • 3. What will be covered today • Prologue: Web Application Security • Security Countermeasures, working or not? 1. SQL Injection 2. Cross Site Scripting 3. Virtual Keyboards • Welcome to the Social Web • Social Security, anyone? 
  • 4. Prologue: Web Application Security Why are we talking about it?
  • 5. Applications vs Infrastructure • Applications are the reason we go Online • Network infrastructure is just a means to that end • Infrastructure security is easy now (in comparison) Infrastructure security is now almost fully commoditized
  • 6.
  • 7. The Web is Where it‟s At “The data used for this study shows that in 86% of all attacks, a weakness in a web interface was exploited.” UK Security Breach Investigations Report 2010 An Analysis of Data Compromise Cases, 7Safe
  • 8. Web Application Security is Hard No turn key products No easy solutions Every Application is different … That‟s why it‟s fun 
  • 9. Security Countermeasures What works and what doesn‟t.
  • 10. 1. SQL Injection We are winning the battle for eradication.
  • 11. SQL Injection: Context • Still leading the OWASP Top Ten • Eight years ago it was much worse: • But the problem was not actively exploited • Not many knew how (good and bad guys alike) • There was lower hanging fruit • Now it‟s in the spotlight
  • 12. SQL Injection: Analysis • Hard to detect: • Good error handling prevents confident detection by automated tools • Web Application Firewalls mask the problem (attack pattern blacklisting) • Easy to exploit: • Automated attacks are possible (SQL Injection worms) • Even Blind SQLi can be attacked easily (eg. SQL Power Injector) • This makes it a easier do make a point
  • 13. SQL Injection: Countermeasures Prevention | Mitigation is easy: • Possible to easily distinguish between Data (variables) and Control (code): • Use parameterized queries / prepared statements • New Web Development platforms are already performing Database Abstraction • Makes it a Platform problem, not a Developer‟s problem
  • 14. SQL Injection: Conclusions • Problems that are easy to exploit, are easy to understand by customers/developers • Problems that are understood are more likely to get solved • Especially when the solution is easy to understand and easy to implement
  • 15. SQL Injection: Conclusions We will eradicate the problem, because we have understood it completely and have a working simple solution that addresses the root cause
  • 16. 2. Cross Site Scripting We risk losing this battle unless we address its root cause.
  • 17. Cross Site Scripting: Context • Second in the OWASP Top Ten • Like SQL Injection, eight years ago it was much worse: • But the problem was not actively exploited • Not many knew how (good and bad guys alike) • There was lower hanging fruit • Now it‟s in the spotlight
  • 18. Misconceptions abound (not just around Web developers, also around some parts of the security community) “Oh, it triggers an alert() box, is that it?” “The user must click on a link in order to trigger the XSS attack.” “Sure, this attack might steal our customers sessions, but we use second-level authentication for financial transactions, so we’re safe.”
  • 19. Cross Site Scripting: Risks • Useful for realistic phishing attacks • Cross site request forgery “boosts” the impact of XSS instances • Web Applications are increasingly multi-domain: • Facebook “like” buttons • Google maps iframes • Google analytics • Advertising banners • Etc. • A good exploitation means total control of all aspects of the communication between victim and Application.
  • 20. Cross Site Scripting: Analysis • (Somewhat) Easier to detect: • In fact, good Web App Scanners do it quite well, with low false positives and low false negatives • More complex instances are still hard to spot and may be missed • Hard to exploit effectively: • While easy to trigger, good proof of concept code can be hard to write • The attack always depends of the “anatomy” of the Web App
  • 21. Proving the Impact of XSS • We‟re not doing our best • We must prove to the developers the true impact of the problem • It‟s not easy, but it pays off!
  • 22. Cross Site Scripting: Countermeasures Prevention | Mitigation is hard: • Also, it is a problem of distinguishing between Data (variables) and Control (code) • But there is no way to clearly make that distinction in HTML / Javascript • Input / Output sanitization is the only way, but it is hard: • Escaping output is dependent of document context: • HTML Content Elements, Common Attributes, Javascript Data Values, HTML Style Properties, etc.
  • 23. Cross Site Scripting: Countermeasures (cont.) • There is no possible way of addressing the root cause unless we change the protocol (won‟t happen): • Remember, the root cause isn‟t malicious input/output, it‟s mixing user supplied data with control code • HTML5 won‟t really help: • Actually XSS will turn into a feature in HTML5  • See HTML5‟s “Channel Messaging” and “Cross-document messaging” • In fairness, there is one thing that might help against XSS in HTML5: • Sandboxed iframes
  • 24. Cross Site Scripting: Countermeasures (cont.) • The solution is complex, take it out of the hands of Developers: • Seriously, do you expect a developer to remember this? • http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet • Incorporate good, context aware output filtering in development platforms with template systems: • Google‟s “Automatic Context-Aware Escaping” • Ivan Ristić‟s “Canoe” • How long before .NET and Java adoption? • In the meantime, use Microsoft‟s Web Protection Library, AntiXSS • Consider changes to the underlying protocol to promote better distinction of Code and Data (I won‟t go there, for now )
  • 25. Cross Site Scripting: Conclusions • Security Problems that are: • Somewhat easy to detect, but… • Hard to prove their real impacts, and… • Have a difficult to execute and hard to understand solution… …will be swept under the carpet! And Cross site scripting falls squarely into this category.
  • 26. Cross Site Scripting: Conclusion This is a platform and protocol problem that is not well understood by developers. We are fighting a losing battle, unless we spend time developing platform-wide solutions, and at the same time, as auditors, make better proof-of-concept code, to drive research forward.
  • 27. 3. Virtual Keyboards We‟re doing it wrong!
  • 28. Virtual Keyboards: Context • Introduced around summer 2003 in Portugal • Implemented by most major online banks • Response to a specific threat: • Malware that logged keystrokes in order to steal credentials
  • 29. Virtual Keyboards are obsolete since day one. Really. We can stop the madness.
  • 30. Virtual Keyboards: Problems • Mitigates only a specific instance of an attack: • “Key-logging malware” as opposed to “online credential stealing malware” • Fails to look at the big picture • Result of bad/outdated threat assessment • No “half-decent” malware uses key-logging anymore • In fact, key-logging results in a lot of useless data for the attacker
  • 31. Virtual Keyboards: Threat not mitigated • Form grabbing is the method of choice for grabbing credentials; • All credentials end up in a Web form • Some banks try to mask the POST‟ed credentials using Javascript encryption • doesn‟t really work, the key is in the previous HTTP response • Typical behavior (ex. W32/Qhost.JE): • Trojan injects a DLL into Internet Explorer • The DLL hooks HttpSendRequestA • The hook grabs POST data and uploads it to a FTP server All of this works with or without SSL, with or without a virtual keyboard.
  • 32. Virtual Keyboards More of a problem than a solution: • Fails to protect against current attack methods • Gives a false sense of security • Introduce new attack vectors: • Shoulder surfing • Induces the user to choose a weaker (easier to “type”) password
  • 33. Virtual Keyboards: Threats Mitigated (for completeness sake) To be fair, virtual keyboards protect against this: • Wireless keyboard sniffing • Use encryption, corded keyboards • Hardware key-loggers • Look at your hardware ports, don‟t leave computer unattended in insecure locations
  • 34. Virtual Keyboards: Conclusion Don‟t be afraid to remove a security countermeasure that doesn‟t work. Educate the public so that this “security theater” is exposed.
  • 35. The Social Web Revolution Social Security, anyone?
  • 36.
  • 37. The Social Revolution – Facebook • Facebook connects over 500 million users • That‟s around 30% of all Internet users worldwide It‟s more than 7% of the World‟s Population (est.)
  • 38. Before talking infosec… • Before talking about possible security uses for the social graph, we must be able to decentralize it • Too much power is concentrated on a single organization • Either use Facebook‟s graph alongside other tools, or build a distributed social graph altogether: • Possible and doable: check the Diaspora Project
  • 39. How can security benefit from the social graph Facebook is already showing us how: • Facebook Messages: • Spam filtering by looking at your friend connections • Has the potential to be virtually foolproof mitigating spam. • There are still possible bumps down the road, but the idea has potential
  • 40. Using the Social Graph to Improve SSL Warning: crazy idea ahead.
  • 41. SSL is OK, but Already Shows Age Two roles of SSL/TLS: • Authenticating the endpoints • Providing transport integrity and confidentiality through encryption • The authentication is based on the trust of organizations that are organized in a hierarchy, originating in root CA‟s that are “imposed” on us
  • 42. The confidence issue “Directly or indirectly, there are more than 650 different organizations that function as trusted CA‟s for either Internet Explorer or Firefox” (source: EFF SSL Observatory) All you need is to break the security of one to break the SSL model…
  • 43. SSL: What are the threats • There are reports stating that MiTM attacks against SSL are being performed using certificates generated by rogue CAs: • By governments (espionage) • By Law Enforcement • “Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL” • Christopher Soghoian and Sid Stammy, April 2010 • “Law Enforcement Appliance Subverts SSL” • Wired Threat Level, March 24, 2010
  • 44. Challenge: Defeating Local MiTM Attacks “You can fool some of the people all of the time, and all of the people some of the time, but you cannot fool all of the people all of the time.” Abraham Lincoln
  • 45. Defeating Local MiTM Attacks by “Friendsourcing” • Assuming no malicious entity is omnipotent on the Internet (not even governments): • SSL MiTM attacks will always be localized (to an ISP or a specific country) • So, in order to validate the authenticity of a Web site, one can request that an online friend (or a random group, or all of them) visits the same site and checks the certificate for us. • In geographically distinct locations • Using different computers and ISP‟s • We only authenticate if all (or most) our friends data matches up.
  • 46. Defeating Local MiTM Attacks by “Friendsourcing” • The devil is in the details… • Just an idea for discussion, for now • Assumes we can securely authenticate friends and pass private messages along the social graph • Can be complemented by historic data: • “the certificate has changed even though the previous certificate had an expiry date well in the future” • The general idea is to create the possibility of a custom security model for authentication based on a Web of Trust, and not on a hierarchy of “Trusted Authorities” • There are endless opportunities for the social graph…
  • 47. Thank You Q&A Luis Grangeia, SysValue lgrangeia@sysvalue.com