"It's Just a Web Site": How Poor Web Programming is Ruining Information Security

    1. “It’s Just a Web Site...” How Poor Web Programming is Ruining Information Security
       Mark Stanislav <mark.stanislav@gmail.com>
    2. Me
       • Senior Consultant for NetWorks Group
       • A decade of web application programming and systems administration
       • Responsible disclosure of web application software vulnerabilities in ~15 products and sites over the last year
    3. 2011; Let’s Review!
    4. March 2011
       “...posted a dump of information extracted from MySQL, including the cracked passwords of users...”
       http://www.scmagazineus.com/oracles-mysqlcom-hacked-via-sql-injection/article/199419/
    5. April 2011
       “The attacker uncovered email addresses of select Barracuda employees with their passwords as well as name, email address, company affiliations and phone numbers of sales leads generated by the company’s channel partners...”
       http://www.eweek.com/c/a/Security/Security-Firm-Barracuda-Networks-Embarrassed-by-Hacker-Database-Breakin-729619/
    6. May 2011
       “During the incident, parts of the company’s database, including customer data and submitted certificate requests, were accessed...”
       http://www.h-online.com/security/news/item/Another-Comodo-SSL-registrar-hacked-1250283.html
    7. May 2011
       “...it [LulzSec] posted information for staffers, the PBS network, and password info for PBS stations.”
       June 2011
       “...a ‘very small number’ of administrative user names and encrypted passwords were stolen.”
       http://www.huffingtonpost.com/2011/05/30/pbs-hacked-tupac-alive_n_868673.html
       http://www.huffingtonpost.com/2011/06/25/pbs-hacked-again-some-dat_n_884472.html
    8. June 2011
       “Citigroup admitted on Wednesday that an attack on its website allowed hackers to view customers’ names, account numbers and contact information such as e-mail addresses for about 210,000 of its cardholders.”
       http://www.pcworld.com/businesscenter/article/229868/citigroup_breach_exposed_data_on_210000_customers.html
    9. June 2011
       “...that they [LulzSec] have broken into SonyPictures.com and compromised more than 1 million user accounts. An additional 75,000 music codes and 3.5 million coupons were also uncovered.”
       http://www.cnn.com/2011/TECH/web/06/03/sony.pictures.hacked.mashable/index.html
    10-14. You’ve been scared of...
        • APT
        • People’s Liberation Army
        • Al-Qaeda
        • The Malicious Insider
    15-16. But you got owned by... LulzSec
    17. So what gives...?
    18. Poor Web Programming!
    19-21. Want to be a hacker?
        [Check image text: 08/21/2011 / Mark Stanislav / 100 / One Hundred / My New Best Friend]
        What did they do wrong?
    22-24. They let me control...
        [Check image text: 08/21/2011 / Mark Stanislav / 100,000.00 / One Hundred Thousand and 00/100-- / My New Best Friend]
        ...the important details.
    25. But everyone knows not to do that!
    26-27. What about now?
        http://test.com/news.php?id=11
        An attacker can control these details too...
        http://test.com/news.php?id=’ UNION SELECT password FROM Users
    28-31. Checks and Web Sites
        Both accept certain kinds of input
        • Checks: Name. Value. Memo. Signature.
        • URL: Site. Page. Parameters.
        Both can be compromised if you aren’t careful
        • Checks: Additional numbers or commas
        • URL: Additional file or database queries
        Both problems are easily fixed...
    32-36. So what was that?
        • Most high-profile web site attacks this year (and many, many years past) were due to what’s called ‘SQL Injection’
        • SQL injection simply means passing extra database instructions to a web application which was never intended to allow such a thing
        • Example: You view a web site to read a news article and can pass extra database requests to steal user passwords
        • In many cases, the attack can be fully automated to look for “the check not properly filled out”, and compromise can occur without a human doing any work...
    37-41. Other ‘Bad Things’
        • Local File Inclusion: I can pick which files on your web server I want to view
        • Local File Deletion: I can pick which files on your web server I want to delete
        • Authentication Bypass: I don’t even need to steal your username and/or password
        • Lack of Cryptography: As if bad passwords weren’t easy enough to brute-force, we can just steal plaintext passwords for all of your users
    42-46. Defending Sites in Two Easy Steps
        • All input accepted from users should be validated and/or sanitized for things we don’t want to accept
            • Example: If a news web site accepts an article ‘ID’ which should be a number, why would we allow a user to enter quotes or semicolons?
        • Use third-party products which identify common ‘attacks’ and prevent them from being executed -- both free and commercial options!
            • Oh, Barracuda Networks sells one to do that...
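The ‘SQL Injection’ slides and the first of the two defensive steps, applied to the slides’ own news.php?id= example. This is an added example, not code from the presentation: the lookup that pastes the id into the query sits next to one that validates the id as a number and binds it as a parameter. Python with an in-memory SQLite database stands in for the site’s MySQL backend; the table and column names, the sample rows, and the trailing `--` comment marker appended to the slide’s payload (so the pasted query parses) are all assumptions.

```python
import re
import sqlite3


# Constructed sample database standing in for the news site's backend:
# a News table the page is meant to read from, and a Users table it is not.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE News(id INTEGER PRIMARY KEY, body TEXT);
        CREATE TABLE Users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO News VALUES (11, 'Article eleven');
        INSERT INTO Users VALUES (1, 'alice', 'constructed-plaintext-secret');
        """
    )
    return conn


def news_vulnerable(conn: sqlite3.Connection, article_id: str) -> list[str]:
    """The 'check left blank' version: the id parameter is pasted straight
    into the SQL text, so whatever the visitor typed becomes instructions."""
    sql = f"SELECT body FROM News WHERE id = '{article_id}'"
    return [row[0] for row in conn.execute(sql)]


# Step one from the slides: an article ID is a number, so nothing else
# (quotes, semicolons, keywords) should get past this point.
ARTICLE_ID = re.compile(r"[0-9]{1,9}")


def news_hardened(conn: sqlite3.Connection, article_id: str) -> list[str]:
    """Validate the parameter, then bind it instead of pasting it."""
    if not ARTICLE_ID.fullmatch(article_id):
        raise ValueError("article id must be a positive integer")
    # Parameter binding makes the database treat the value as data only,
    # so even a value that slipped past validation could not add a query.
    rows = conn.execute("SELECT body FROM News WHERE id = ?", (int(article_id),))
    return [row[0] for row in rows]


def compare(article_id: str) -> dict:
    """Run the same request through both versions and report what came back:
    {'vulnerable': rows or 'error', 'hardened': rows or 'rejected'}."""
    conn = make_db()
    try:
        vuln = news_vulnerable(conn, article_id)
    except sqlite3.Error:
        vuln = "error"
    try:
        hard = news_hardened(conn, article_id)
    except ValueError:
        hard = "rejected"
    return {"vulnerable": vuln, "hardened": hard}


if __name__ == "__main__":
    # The slide's payload with a trailing comment marker (assumed) so the
    # pasted query parses; the vulnerable version returns a Users password,
    # the hardened version never lets the value reach the database.
    payload = "' UNION SELECT password FROM Users --"
    for value in ("11", payload):
        print(repr(value), "->", compare(value))
```

The rejection in `news_hardened` is also the signal a logging or blocking product (the slides’ second step) would key on: a request whose article id is not a number.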
    47-51. We’re Past Passwords
        • Duo Security (Ann Arbor-based) provides easy to use, low-cost, quick to integrate two-factor authentication
        • Supported Languages: Python, Ruby, PHP, Java, ASP.NET, Node.js, Cold Fusion, Classic ASP
        • WordPress and Drupal integrations provided
        • Give users at least the choice of whether they want to protect their web accounts with layered & sensible authentication
    52. But there’s a larger problem
        Profession        Years of School   License
        Medical Doctor    11                O
        Pharmacist        8                 O
        Lawyer            7                 O
        Psychiatrist      10                O
        Web Programmer    0                 X
    53-57. Apples and Oranges?
        • All of the aforementioned professions deal with people’s personal data; medically, financially, or otherwise
        • Each profession requires extensive knowledge of the given craft to properly handle their clients
        • A professional in each career is expected to adhere to ethical standards relating to the information they deal with
        • Everyone makes mistakes, but there are consequences in each profession... except web programming!
    58-63. Web Programmers
        • Generally have unrestricted access to customer databases, with the ability to expose that data to patrons
        • Rarely have a system of checks and balances to ensure they aren’t doing something reckless or careless
        • Likely don’t have to document what, why, or how they did what they did in a given situation
        • Can determine how information flows, how it’s protected, and who can access it from around the globe at any time
        ...and they’ve probably never been taught to do any of it...
    64-68. Education and the Web
        • The majority of schools offering web application development programs are ‘certificates of achievement’ or similar from community colleges/online for-profits
        • Courses for web application development rarely focus on information security concepts as a core tenet of the curriculum
        • You aren’t going to find many Bachelor’s degrees in web application development; it will be lumped in with a Computer Science degree... if at all
        • Even then, the problem isn’t just ‘web applications’
    69-74. Framing Things
        • By the age of 22, I had publicly accessible web applications on production infrastructure at two different Michigan universities (legitimately)
        • There was no ‘security review process’ or audit of my code done to ensure that no resources were at risk by publishing these applications, malicious or otherwise
        • There were no questions asked of my credentials (or lack of) to be a web application developer
        • I’ve never taken a web programming course
        • I am not the exception, I am the every-day reality
    75-79. Smoke and Mirrors
        • Most people don’t know what a web application does, they just see the end result
            • Cool graphics, nice color schemes, impressive animations, navigation links, and lots of text
        • Experienced programmers will make bad decisions to push out code faster to appease their employers or reduce the time & effort it takes for them to do work
        • Inexperienced programmers will make bad decisions because they have no idea they are making bad decisions
    80. Let’s Change Things
    81-84. Everyone Plays a Role
        • Managers: Establish essential standards for your developers to adhere to; these must be mandatory and likely audited by a third party quarterly
        • Developers: Create a mentality that information security is a core focus of any code you write; make a game out of finding teammates’ vulnerabilities, review as a team why that failure occurred, and update code tests
        • Educators: Establish a proper, accredited Bachelor’s program at your university for web development and ensure that curriculum or entire courses are devoted to information security for programmers
    85-87. Legislators
        The Personal Data Protection and Breach Accountability Act of 2011
        “require businesses with the personal information of more than 10,000 customers to implement privacy and security programs to ensure the safety of pertinent data.”
        “The Justice Department will be able to fine firms that violate the law $5,000 per violation per day, with a maximum of $20 million per violation. Individuals affected by violations of the law will also have the ability to bring civil actions against the businesses involved.”
        http://thehill.com/blogs/hillicon-valley/technology/180325-new-bill-from-blumenthal-would-require-firms-to-beef-up-security-and-privacy-practices
    88-93. The Industry
        • It’s time to create a licensing board with regulation for developers that are involved in certain industries
            • Medical, Financial, Governmental, Commerce
        • Track ethics violations and negligent/careless work
        • Establish a basic certification of information security competence for the language(s) a developer programs in
        • These are not popular ideas, but things have gotten out of hand and there’s nothing to stop it from getting worse
        • There’s too much at stake not to
    94-96. An Offer of Help
        • Washtenaw County Cyber Citizenship Coalition (WC4)
            • “The Washtenaw County Cyber Citizenship Coalition empowers community members through awareness and education to use the Internet and related technology safely and securely.”
        • Coordinate with me to get guidance on secure programming practices and basic code security audits for your business or organization
            • Free of charge!
    97-100. Other Resources
        • OWASP (https://www.owasp.org/)
            • “The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software.”
        • Book: Pro PHP Security
            • http://www.apress.com/open-source/programming/9781430233183
        • “Five common Web application vulnerabilities”
            • http://www.symantec.com/connect/articles/five-common-web-application-vulnerabilities
    101. Thanks! Questions?
        Contact
        • mark.stanislav@gmail.com
        • @markstanislav
        • http://www.uncompiled.com/mark-stanislav/
