"It's Just a Web Site": How Poor Web Programming is Ruining Information Security

“It’s Just a Web Site...” How Poor Web Programming is Ruining Information Security Mark Stanislav <mark.stanislav@gmail.com>

Me Senior Consultant for NetWorks Group A decade of web application programming and systems administration Responsible disclosure of web application software vulnerabilities in ~15 products and sites over the last year

2011; Let’s Review!

March 2011“...posted a dump of information extractedfrom MySQL, including the crackedpasswords of users...” http://www.scmagazineus.com/oracles-mysqlcom-hacked-via-sql-injection/article/199419/

April 2011“The attacker uncovered email addresses ofselect Barracuda employees with theirpasswords as well as name, email address,company affiliations and phone numbers ofsales leads generated by the company’schannel partners...” http://www.eweek.com/c/a/Security/Security-Firm-Barracuda-Networks-Embarrassed-by-Hacker-Database-Breakin-729619/

May 2011“During the incident, parts of the companysdatabase, including customer data andsubmitted certificate requests, wereaccessed...” http://www.h-online.com/security/news/item/Another-Comodo-SSL-registrar-hacked-1250283.html

May 2011“...it [LulzSec] posted information for staffers,the PBS network, and password info for PBSstations.” June 2011“...a ‘very small number’ of administrativeuser names and encrypted passwords werestolen.” http://www.hufﬁngtonpost.com/2011/05/30/pbs-hacked-tupac-alive_n_868673.html http://www.hufﬁngtonpost.com/2011/06/25/pbs-hacked-again-some-dat_n_884472.html

June 2011“Citigroup admitted on Wednesday that anattack on its website allowed hackers to viewcustomers names, account numbers andcontact information such as e-mail addressesfor about 210,000 of its cardholders.” http://www.pcworld.com/businesscenter/article/229868/citigroup_breach_exposed_data_on_210000_customers.html

June 2011“...that they [LulzSec] have broken intoSonyPictures.com and compromised morethan 1 million user accounts. An additional75,000 music codes and 3.5 million couponswere also uncovered.” http://www.cnn.com/2011/TECH/web/06/03/sony.pictures.hacked.mashable/index.html

You’ve been scared of...

You’ve been scared of...APT

You’ve been scared of...APTPeople’s Liberation Army

You’ve been scared of...APTPeople’s Liberation ArmyAl-Qaeda

You’ve been scared of...APTPeople’s Liberation ArmyAl-QaedaThe Malicious Insider

But you got owned by...

But you got owned by... LulzSec

So what gives...?

Poor Web Programming!

Want to be a hacker?

Want to be a hacker? 08/21/2011 Mark Stanislav 100One Hundred `ç axã Uxáà YÜ|xÇw

Want to be a hacker? 08/21/2011 Mark Stanislav 100 One Hundred `ç axã Uxáà YÜ|xÇwWhat did they do wrong?

They let me control...

They let me control... 08/21/2011 Mark Stanislav 100,000.00One Hundred Thousand and 00/100-- `ç axã Uxáà YÜ|xÇw

They let me control... 08/21/2011 Mark Stanislav 100,000.00One Hundred Thousand and 00/100-- `ç axã Uxáà YÜ|xÇw...the important details.

But everyone knows not to do that!

What about now?http://test.com/news.php?id=11

What about now? http://test.com/news.php?id=11An attacker can control these details too....http://test.com/news.php?id=’ UNION SELECT password FROM Users

Checks and Web Sites

Checks and Web SitesBoth accept certain kinds of input Checks: Name. Value. Memo. Signature. URL: Site. Page. Parameters.

Checks and Web SitesBoth accept certain kinds of input Checks: Name. Value. Memo. Signature. URL: Site. Page. Parameters.Both can be compromised if you aren’t careful Checks: Additional numbers or commas URL: Additional ﬁle or database queries

Checks and Web SitesBoth accept certain kinds of input Checks: Name. Value. Memo. Signature. URL: Site. Page. Parameters.Both can be compromised if you aren’t careful Checks: Additional numbers or commas URL: Additional ﬁle or database queries Both problems are easily ﬁxed...

So what was that?

So what was that? Most high-proﬁle web site attacks this year (and many, many years past) were due to what’s called ‘SQL Injection’

So what was that? Most high-proﬁle web site attacks this year (and many, many years past) were due to what’s called ‘SQL Injection’ SQL injection simply means passing extra database instructions to a web application which was never intended to allow such a thing

So what was that? Most high-proﬁle web site attacks this year (and many, many years past) were due to what’s called ‘SQL Injection’ SQL injection simply means passing extra database instructions to a web application which was never intended to allow such a thing Example: You view a web site to read a news article and can pass extra database requests to steal user passwords

So what was that? Most high-proﬁle web site attacks this year (and many, many years past) were due to what’s called ‘SQL Injection’ SQL injection simply means passing extra database instructions to a web application which was never intended to allow such a thing Example: You view a web site to read a news article and can pass extra database requests to steal user passwords In many cases, the attack can be fully automated to look for “the check not properly ﬁlled-out” and compromise can occur without a human doing any work...

Other ‘Bad Things’

Other ‘Bad Things’ Local File Inclusion: I can pick which ﬁles off of your web server I want to view

Other ‘Bad Things’ Local File Inclusion: I can pick which ﬁles off of your web server I want to view Local File Deletion: I can pick which ﬁles off of your web server I want to delete

Other ‘Bad Things’ Local File Inclusion: I can pick which ﬁles off of your web server I want to view Local File Deletion: I can pick which ﬁles off of your web server I want to delete Authentication Bypass: I don’t need to even steal your username and/or password

Other ‘Bad Things’ Local File Inclusion: I can pick which ﬁles off of your web server I want to view Local File Deletion: I can pick which ﬁles off of your web server I want to delete Authentication Bypass: I don’t need to even steal your username and/or password Lack of Cryptography: As if bad passwords weren’t easy enough to brute-force, we can just steal plaintext passwords for all of your users

Defending Sites in Two Easy Steps

Defending Sites in Two Easy Steps All input accepted from users should be validated and/or sanitized for things we don’t want to accept

Defending Sites in Two Easy Steps All input accepted from users should be validated and/or sanitized for things we don’t want to accept  Example: If a news web site accepts an article ‘ID’ which should be a number, why would we allow a user to enter quotes or semi-colons?

Defending Sites in Two Easy Steps All input accepted from users should be validated and/or sanitized for things we don’t want to accept  Example: If a news web site accepts an article ‘ID’ which should be a number, why would we allow a user to enter quotes or semi-colons? Usage of third-party products which identify common ‘attacks’ and prevent them from being executed -- both free and commercial options!

Defending Sites in Two Easy Steps All input accepted from users should be validated and/or sanitized for things we don’t want to accept  Example: If a news web site accepts an article ‘ID’ which should be a number, why would we allow a user to enter quotes or semi-colons? Usage of third-party products which identify common ‘attacks’ and prevent them from being executed -- both free and commercial options!  Oh, Barracuda Networks sells one to do that...

We’re Past Passwords

We’re Past Passwords Duo Security (Ann Arbor-based) provides easy to use, low- cost, quick to integrate two-factor authentication

We’re Past Passwords Duo Security (Ann Arbor-based) provides easy to use, low- cost, quick to integrate two-factor authentication Supported Languages: Python, Ruby, PHP, Java, ASP.NET, Node.js, Cold Fusion, Classic ASP

We’re Past Passwords Duo Security (Ann Arbor-based) provides easy to use, low- cost, quick to integrate two-factor authentication Supported Languages: Python, Ruby, PHP, Java, ASP.NET, Node.js, Cold Fusion, Classic ASP WordPress and Drupal integrations provided

We’re Past Passwords Duo Security (Ann Arbor-based) provides easy to use, low- cost, quick to integrate two-factor authentication Supported Languages: Python, Ruby, PHP, Java, ASP.NET, Node.js, Cold Fusion, Classic ASP WordPress and Drupal integrations provided Provide users with at least a choice of if they want to protect their web accounts with layered & sensible authentication

But there’s a larger problem Years of School License Medical Doctor 11 O Pharmacist 8 O Lawyer 7 O Psychiatrist 10 O Web Programmer 0 X

Apples and Oranges?

Apples and Oranges? All of the aforementioned professions deal with people’s personal data; medically, ﬁnancially, or otherwise

Apples and Oranges? All of the aforementioned professions deal with people’s personal data; medically, ﬁnancially, or otherwise Each profession requires extensive knowledge of the given craft to properly handle their clients

Apples and Oranges? All of the aforementioned professions deal with people’s personal data; medically, ﬁnancially, or otherwise Each profession requires extensive knowledge of the given craft to properly handle their clients A professional for each career should be expected to adhere to ethical standards relating to the information they deal with

Apples and Oranges? All of the aforementioned professions deal with people’s personal data; medically, ﬁnancially, or otherwise Each profession requires extensive knowledge of the given craft to properly handle their clients A professional for each career should be expected to adhere to ethical standards relating to the information they deal with Everyone makes mistakes, but there are consequences for each profession... except web programming!

Web Programmers

Web Programmers Generally unrestricted access to customer databases with the ability to provide interaction with that data for patrons

Web Programmers Generally unrestricted access to customer databases with the ability to provide interaction with that data for patrons Rarely have a system of checks and balances to ensure they aren’t doing something reckless or careless

Web Programmers Generally unrestricted access to customer databases with the ability to provide interaction with that data for patrons Rarely have a system of checks and balances to ensure they aren’t doing something reckless or careless Likely don’t have to document what, why, or how they did what they did in a given situation

Web Programmers Generally unrestricted access to customer databases with the ability to provide interaction with that data for patrons Rarely have a system of checks and balances to ensure they aren’t doing something reckless or careless Likely don’t have to document what, why, or how they did what they did in a given situation Can determine how information ﬂows, how it’s protected, and who can access it from around the globe at any time

Web Programmers  Generally unrestricted access to customer databases with the ability to provide interaction with that data for patrons  Rarely have a system of checks and balances to ensure they aren’t doing something reckless or careless  Likely don’t have to document what, why, or how they did what they did in a given situation  Can determine how information ﬂows, how it’s protected, and who can access it from around the globe at any timeand they’ve probably never been taught to do any of it...

Education and the Web

Education and the Web The majority of schools offering web application development programs are ‘certiﬁcates of achievement’ or similar from community colleges/online for-proﬁts

Education and the Web The majority of schools offering web application development programs are ‘certiﬁcates of achievement’ or similar from community colleges/online for-proﬁts Courses for web application development rarely focus on information security concepts as a core tenant to curriculum

Education and the Web The majority of schools offering web application development programs are ‘certificates of achievement’ or similar from community colleges/online for-profits Courses for web application development rarely focus on information security concepts as a core tenant to curriculum You aren’t going to find many Bachelor degrees in web application development; it will be lumped-in with a Computer Science degree... if at all

Education and the Web The majority of schools offering web application development programs are ‘certificates of achievement’ or similar from community colleges/online for-profits Courses for web application development rarely focus on information security concepts as a core tenant to curriculum You aren’t going to find many Bachelor degrees in web application development; it will be lumped-in with a Computer Science degree... if at all Even then, the problem isn’t just ‘web applications’

Framing Things

Framing Things By the age of 22, I had publicly accessible web applications on production infrastructure at two different Michigan universities (legitimately)

Framing Things By the age of 22, I had publicly accessible web applications on production infrastructure at two different Michigan universities (legitimately) There was no ‘security review process’ or audit of my code done to ensure that no resources were at risk by publishing these applications; malicious or otherwise

Framing Things By the age of 22, I had publicly accessible web applications on production infrastructure at two different Michigan universities (legitimately) There was no ‘security review process’ or audit of my code done to ensure that no resources were at risk by publishing these applications; malicious or otherwise There were no questions asked of my credentials (or lack of) to be a web application developer

Framing Things By the age of 22, I had publicly accessible web applications on production infrastructure at two different Michigan universities (legitimately) There was no ‘security review process’ or audit of my code done to ensure that no resources were at risk by publishing these applications; malicious or otherwise There were no questions asked of my credentials (or lack of) to be a web application developer I’ve never taken a web programming course

Framing Things By the age of 22, I had publicly accessible web applications on production infrastructure at two different Michigan universities (legitimately) There was no ‘security review process’ or audit of my code done to ensure that no resources were at risk by publishing these applications; malicious or otherwise There were no questions asked of my credentials (or lack of) to be a web application developer I’ve never taken a web programming course I am not the exception, I am the every-day reality

Smoke and Mirrors

Smoke and Mirrors Most people don’t know what a web application does, they just see the end result

Smoke and Mirrors Most people don’t know what a web application does, they just see the end result  Cool graphics, nice color schemes, impressive animations, navigations links, and lots of text

Smoke and Mirrors Most people don’t know what a web application does, they just see the end result  Cool graphics, nice color schemes, impressive animations, navigations links, and lots of text Experienced programmers will make bad decisions to push out code faster to appease their employers or reduce the time & effort it takes for them to do work

Smoke and Mirrors Most people don’t know what a web application does, they just see the end result  Cool graphics, nice color schemes, impressive animations, navigations links, and lots of text Experienced programmers will make bad decisions to push out code faster to appease their employers or reduce the time & effort it takes for them to do work Inexperienced programmers will make bad decisions because they have no idea they are making bad decisions

Let’s Change Things

Everyone Plays a Role

Everyone Plays a Role Managers: Establish essential standards for your developers to adhere to; these must be mandatory and likely audited by a third-party quarterly

Everyone Plays a Role Managers: Establish essential standards for your developers to adhere to; these must be mandatory and likely audited by a third-party quarterly Developers: Create a mentality that information security is a core focus of any code you write; make a game out of ﬁnding teammates’ vulnerabilities and review as a team why that failure occurred and update code tests

Everyone Plays a Role Managers: Establish essential standards for your developers to adhere to; these must be mandatory and likely audited by a third-party quarterly Developers: Create a mentality that information security is a core focus of any code you write; make a game out of ﬁnding teammates’ vulnerabilities and review as a team why that failure occurred and update code tests Educators: Establish a proper, accredited Bachelor’s program at your university for web development and ensure that curriculum or entire courses are devoted to information security for programmers

LegislatorsThe Personal Data Protection and Breach Accountability Act of 2011http://thehill.com/blogs/hillicon-valley/technology/180325-new-bill-from-blumenthal-would-require-ﬁrms-to-beef-up-security-and-privacy-practices

LegislatorsThe Personal Data Protection and Breach Accountability Act of 2011 “require businesses with the personal information of more than 10,000 customers to implement privacy and security programs to ensure the safety of pertinent data.”http://thehill.com/blogs/hillicon-valley/technology/180325-new-bill-from-blumenthal-would-require-ﬁrms-to-beef-up-security-and-privacy-practices

LegislatorsThe Personal Data Protection and Breach Accountability Act of 2011 “require businesses with the personal information of more than 10,000 customers to implement privacy and security programs to ensure the safety of pertinent data.” “The Justice Department will be able to fine firms that violate the law $5,000 per violation per day, with a maximum of $20 million per violation. Individuals affected by violations of the law will also have the ability to bring civil actions against the businesses involved.”http://thehill.com/blogs/hillicon-valley/technology/180325-new-bill-from-blumenthal-would-require-firms-to-beef-up-security-and-privacy-practices

The Industry

The Industry It’s time to create a licensing board with regulation for developers that are involved in certain industries  Medical, Financial, Governmental, Commerce

The Industry It’s time to create a licensing board with regulation for developers that are involved in certain industries  Medical, Financial, Governmental, Commerce Track ethics violations and negligent/careless work

The Industry It’s time to create a licensing board with regulation for developers that are involved in certain industries  Medical, Financial, Governmental, Commerce Track ethics violations and negligent/careless work Establish a basic certiﬁcation for information security competence for the language(s) a developer programs in

The Industry It’s time to create a licensing board with regulation for developers that are involved in certain industries  Medical, Financial, Governmental, Commerce Track ethics violations and negligent/careless work Establish a basic certiﬁcation for information security competence for the language(s) a developer programs in These are not popular ideas but things have gotten out of hand and there’s nothing to stop it from getting worse

The Industry It’s time to create a licensing board with regulation for developers that are involved in certain industries  Medical, Financial, Governmental, Commerce Track ethics violations and negligent/careless work Establish a basic certiﬁcation for information security competence for the language(s) a developer programs in These are not popular ideas but things have gotten out of hand and there’s nothing to stop it from getting worse There’s too much at stake not to

An Offer of Help

An Offer of Help Washtenaw County Cyber Citizenship Coalition (WC4)  “The Washtenaw County Cyber Citizenship Coalition empowers community members through awareness and education to use the Internet and related technology safely and securely.”

An Offer of Help Washtenaw County Cyber Citizenship Coalition (WC4)  “The Washtenaw County Cyber Citizenship Coalition empowers community members through awareness and education to use the Internet and related technology safely and securely.” Coordinate with me to provide your business guidance for secure programming practices and basic code security audits for your business or organization  Free of charge!

Other Resources

Other Resources OWASP (https://www.owasp.org/)  “The Open Web Application Security Project (OWASP) is a 501c3 not-for-proﬁt worldwide charitable organization focused on improving the security of application software.”

Other Resources OWASP (https://www.owasp.org/)  “The Open Web Application Security Project (OWASP) is a 501c3 not-for-proﬁt worldwide charitable organization focused on improving the security of application software.” Book: Pro PHP Security  http://www.apress.com/open-source/programming/9781430233183

Other Resources OWASP (https://www.owasp.org/)  “The Open Web Application Security Project (OWASP) is a 501c3 not-for-proﬁt worldwide charitable organization focused on improving the security of application software.” Book: Pro PHP Security  http://www.apress.com/open-source/programming/9781430233183 “Five common Web application vulnerabilities”  http://www.symantec.com/connect/articles/ﬁve-common-web- application-vulnerabilities

Thanks! Questions? Contact  mark.stanislav@gmail.com  @markstanislav  http://www.uncompiled.com/mark-stanislav/

"It's Just a Web Site": How Poor Web Programming is Ruining Information Security

by Mark Stanislav on Sep 14, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 7

Statistics

"It’s Just a Web Site": How Poor Web Programming is Ruining Information Security — Presentation Transcript

http://arigoldstein.wordpress.com	5
http://mstanislav.posterous.com	2