"It's Just a Web Site": How Poor Web Programming is Ruining Information Security
Published in: Technology, Design
  • Transcript

    • 1. “It’s Just a Web Site...” How Poor Web Programming is Ruining Information Security Mark Stanislav <mark.stanislav@gmail.com>
    • 2. Me
      Senior Consultant for NetWorks Group
      A decade of web application programming and systems administration
      Responsible disclosure of web application software vulnerabilities in ~15 products and sites over the last year
    • 3. 2011; Let’s Review!
    • 4. March 2011: “...posted a dump of information extracted from MySQL, including the cracked passwords of users...”
      http://www.scmagazineus.com/oracles-mysqlcom-hacked-via-sql-injection/article/199419/
    • 5. April 2011: “The attacker uncovered email addresses of select Barracuda employees with their passwords as well as name, email address, company affiliations and phone numbers of sales leads generated by the company’s channel partners...”
      http://www.eweek.com/c/a/Security/Security-Firm-Barracuda-Networks-Embarrassed-by-Hacker-Database-Breakin-729619/
    • 6. May 2011: “During the incident, parts of the company’s database, including customer data and submitted certificate requests, were accessed...”
      http://www.h-online.com/security/news/item/Another-Comodo-SSL-registrar-hacked-1250283.html
    • 7. May 2011: “...it [LulzSec] posted information for staffers, the PBS network, and password info for PBS stations.”
      June 2011: “...a ‘very small number’ of administrative user names and encrypted passwords were stolen.”
      http://www.huffingtonpost.com/2011/05/30/pbs-hacked-tupac-alive_n_868673.html
      http://www.huffingtonpost.com/2011/06/25/pbs-hacked-again-some-dat_n_884472.html
    • 8. June 2011: “Citigroup admitted on Wednesday that an attack on its website allowed hackers to view customers’ names, account numbers and contact information such as e-mail addresses for about 210,000 of its cardholders.”
      http://www.pcworld.com/businesscenter/article/229868/citigroup_breach_exposed_data_on_210000_customers.html
    • 9. June 2011: “...that they [LulzSec] have broken into SonyPictures.com and compromised more than 1 million user accounts. An additional 75,000 music codes and 3.5 million coupons were also uncovered.”
      http://www.cnn.com/2011/TECH/web/06/03/sony.pictures.hacked.mashable/index.html
    • 10-14. You’ve been scared of...
      APT
      People’s Liberation Army
      Al-Qaeda
      The Malicious Insider
    • 15-16. But you got owned by... LulzSec
    • 17. So what gives...?
    • 18. Poor Web Programming!
    • 19-21. Want to be a hacker?
      [Check image: dated 08/21/2011, signed Mark Stanislav, payee line in a script font reading “My New Best Friend”, amount 100 / One Hundred]
      What did they do wrong?
    • 22-24. They let me control...
      [Same check, amount now 100,000.00 / One Hundred Thousand and 00/100--]
      ...the important details.
    • 25. But everyone knows not to do that!
    • 26-27. What about now?
      http://test.com/news.php?id=11
      An attacker can control these details too....
      http://test.com/news.php?id=' UNION SELECT password FROM Users
    • 28-31. Checks and Web Sites
      Both accept certain kinds of input:
        Checks: Name. Value. Memo. Signature.
        URL: Site. Page. Parameters.
      Both can be compromised if you aren’t careful:
        Checks: Additional numbers or commas
        URL: Additional file or database queries
      Both problems are easily fixed...
    • 32-36. So what was that?
      Most high-profile web site attacks this year (and many, many years past) were due to what’s called ‘SQL Injection’
      SQL injection simply means passing extra database instructions to a web application which was never intended to allow such a thing
      Example: You view a web site to read a news article and can pass extra database requests to steal user passwords
      In many cases, the attack can be fully automated to look for “the check not properly filled out” and compromise can occur without a human doing any work...
    • 37-41. Other ‘Bad Things’
      Local File Inclusion: I can pick which files off of your web server I want to view
      Local File Deletion: I can pick which files off of your web server I want to delete
      Authentication Bypass: I don’t need to even steal your username and/or password
      Lack of Cryptography: As if bad passwords weren’t easy enough to brute-force, we can just steal plaintext passwords for all of your users
    • 42-46. Defending Sites in Two Easy Steps
      All input accepted from users should be validated and/or sanitized for things we don’t want to accept
        Example: If a news web site accepts an article ‘ID’ which should be a number, why would we allow a user to enter quotes or semi-colons?
      Usage of third-party products which identify common ‘attacks’ and prevent them from being executed -- both free and commercial options!
        Oh, Barracuda Networks sells one to do that...
    • 47-51. We’re Past Passwords
      Duo Security (Ann Arbor-based) provides easy to use, low-cost, quick to integrate two-factor authentication
      Supported Languages: Python, Ruby, PHP, Java, ASP.NET, Node.js, Cold Fusion, Classic ASP
      WordPress and Drupal integrations provided
      Provide users with at least a choice of if they want to protect their web accounts with layered & sensible authentication
    • 52. But there’s a larger problem
      Profession        Years of School   License
      Medical Doctor    11                O
      Pharmacist        8                 O
      Lawyer            7                 O
      Psychiatrist      10                O
      Web Programmer    0                 X
    • 53-57. Apples and Oranges?
      All of the aforementioned professions deal with people’s personal data; medically, financially, or otherwise
      Each profession requires extensive knowledge of the given craft to properly handle their clients
      A professional for each career should be expected to adhere to ethical standards relating to the information they deal with
      Everyone makes mistakes, but there are consequences for each profession... except web programming!
    • 58-63. Web Programmers
      Generally unrestricted access to customer databases with the ability to provide interaction with that data for patrons
      Rarely have a system of checks and balances to ensure they aren’t doing something reckless or careless
      Likely don’t have to document what, why, or how they did what they did in a given situation
      Can determine how information flows, how it’s protected, and who can access it from around the globe at any time
      ...and they’ve probably never been taught to do any of it...
    • 64-68. Education and the Web
      The majority of schools offering web application development programs are ‘certificates of achievement’ or similar from community colleges/online for-profits
      Courses for web application development rarely focus on information security concepts as a core tenet of the curriculum
      You aren’t going to find many Bachelor degrees in web application development; it will be lumped in with a Computer Science degree... if at all
      Even then, the problem isn’t just ‘web applications’
    • 69-74. Framing Things
      By the age of 22, I had publicly accessible web applications on production infrastructure at two different Michigan universities (legitimately)
      There was no ‘security review process’ or audit of my code done to ensure that no resources were at risk by publishing these applications; malicious or otherwise
      There were no questions asked of my credentials (or lack of) to be a web application developer
      I’ve never taken a web programming course
      I am not the exception, I am the every-day reality
    • 75-79. Smoke and Mirrors
      Most people don’t know what a web application does, they just see the end result
        Cool graphics, nice color schemes, impressive animations, navigation links, and lots of text
      Experienced programmers will make bad decisions to push out code faster to appease their employers or reduce the time & effort it takes for them to do work
      Inexperienced programmers will make bad decisions because they have no idea they are making bad decisions
    • 80. Let’s Change Things
    • 81-84. Everyone Plays a Role
      Managers: Establish essential standards for your developers to adhere to; these must be mandatory and likely audited by a third party quarterly
      Developers: Create a mentality that information security is a core focus of any code you write; make a game out of finding teammates’ vulnerabilities and review as a team why that failure occurred and update code tests
      Educators: Establish a proper, accredited Bachelor’s program at your university for web development and ensure that curriculum or entire courses are devoted to information security for programmers
    • 85-87. Legislators
      The Personal Data Protection and Breach Accountability Act of 2011
      “require businesses with the personal information of more than 10,000 customers to implement privacy and security programs to ensure the safety of pertinent data.”
      “The Justice Department will be able to fine firms that violate the law $5,000 per violation per day, with a maximum of $20 million per violation. Individuals affected by violations of the law will also have the ability to bring civil actions against the businesses involved.”
      http://thehill.com/blogs/hillicon-valley/technology/180325-new-bill-from-blumenthal-would-require-firms-to-beef-up-security-and-privacy-practices
    • 88-93. The Industry
      It’s time to create a licensing board with regulation for developers that are involved in certain industries
        Medical, Financial, Governmental, Commerce
      Track ethics violations and negligent/careless work
      Establish a basic certification for information security competence for the language(s) a developer programs in
      These are not popular ideas but things have gotten out of hand and there’s nothing to stop it from getting worse
      There’s too much at stake not to
    • 94-96. An Offer of Help
      Washtenaw County Cyber Citizenship Coalition (WC4)
        “The Washtenaw County Cyber Citizenship Coalition empowers community members through awareness and education to use the Internet and related technology safely and securely.”
      Coordinate with me to provide your business guidance for secure programming practices and basic code security audits for your business or organization
        Free of charge!
    • 97-100. Other Resources
      OWASP (https://www.owasp.org/)
        “The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software.”
      Book: Pro PHP Security
        http://www.apress.com/open-source/programming/9781430233183
      “Five common Web application vulnerabilities”
        http://www.symantec.com/connect/articles/five-common-web-application-vulnerabilities
    • 101. Thanks! Questions?
      Contact: mark.stanislav@gmail.com
      @markstanislav
      http://www.uncompiled.com/mark-stanislav/
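The news.php?id= scenario from slides 26-27 and the “an article ID should be a number” rule from slides 43-44, worked through in Python against an in-memory SQLite database. This is an added example, not code from the deck; the table names, sample rows and function names are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data: an in-memory database with a news table and a
# users table that (as slide 41 warns) stores plaintext passwords.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
    CREATE TABLE news  (id INTEGER PRIMARY KEY, title TEXT);
    CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
    INSERT INTO news  VALUES (11, 'Council approves new budget');
    INSERT INTO users VALUES (1, 'alice', 'hunter2');
""")

# The exact parameter value shown on slide 27.
SLIDE_27_PAYLOAD = "' UNION SELECT password FROM Users"


def vulnerable_lookup(article_id: str) -> list:
    """The careless news.php: the raw parameter is pasted into the statement,
    so whatever the user typed is handed to the SQL parser as SQL."""
    sql = "SELECT title FROM news WHERE id = '%s'" % article_id
    return [row[0] for row in _conn.execute(sql)]


def parameter_reached_sql_parser(article_id: str) -> bool:
    """Defender's check on the careless version: True when the parameter
    altered the statement's structure (the database rejects the rewritten
    statement instead of treating the value as an article ID)."""
    try:
        vulnerable_lookup(article_id)
    except sqlite3.OperationalError:
        return True
    return False


# Slide 44: an article ID should be a number, so accept only a short run of
# digits. Quotes, semicolons, spaces and SQL keywords never get past this.
_ARTICLE_ID = re.compile(r"[0-9]{1,9}")


def is_valid_article_id(raw: str) -> bool:
    return _ARTICLE_ID.fullmatch(raw) is not None


def parameterized_lookup(article_id) -> list:
    """Bind the value as a parameter: the driver sends statement text and
    value separately, so the value can only ever be compared, never parsed."""
    rows = _conn.execute("SELECT title FROM news WHERE id = ?", (article_id,))
    return [row[0] for row in rows]


def safe_lookup(article_id: str) -> list:
    """Both defenses together (slide 43: validate, then query safely)."""
    if not is_valid_article_id(article_id):
        raise ValueError("article id must be numeric, got %r" % article_id)
    return parameterized_lookup(int(article_id))


if __name__ == "__main__":
    print(vulnerable_lookup("11"), safe_lookup("11"))
    print("payload parsed as SQL:", parameter_reached_sql_parser(SLIDE_27_PAYLOAD))
    print("payload passes validation:", is_valid_article_id(SLIDE_27_PAYLOAD))
    print("payload via bound parameter:", parameterized_lookup(SLIDE_27_PAYLOAD))
```

With the slide's payload the careless version hands attacker text to the SQL parser, the validator rejects it outright, and the bound-parameter query simply finds no article with that ID.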
