Crash Course In Brain Surgery

Crash Course in Brain Surgery (by "brain" I mean "application", and by "surgery" I mean "security").

More Info: http://codebits.eu/intra/s/session/70

Published in: Technology

  1. Crash Course in Brain Surgery* (A Primer for Developers)
     * By “brain” I mean application and by “surgery” I mean security.
     Bruno Morisson <morisson@genhex.org>, Codebits 2009
  2. About me
     • InfoSec Consultant & IT Security Operations Manager @ Commet (Oni Telecom)
     • ~10 years in InfoSec
     • CISSP/CISA/ISO27001 Lead Auditor
     • Background as a Linux/Unix sysadmin
     • Background as a C developer
     • Know enough Perl/Python for my needs
     • Not a developer!!!
  3. Why? Buffer Overflows, OS Command Injection, Null Pointer Deref., Business Logic, Format Strings, User Authentication, XSS, Session Management, CSRF, Password Management, SQL Injection, Encra^Hyption, RFI, Access Control, LDAP Injection, …
  4. Brain Surgery ?!?
     • You can’t expect to learn brain surgery in ~40 minutes
     • You shouldn’t expect to learn application security in ~40 minutes
  5. Status (source: Cenzic)
  6. Status (II) (source: Verizon Business)
  7. OWASP Top Ten (2010 rc1)
     • Injection Flaws
     • Cross Site Scripting (XSS)
     • Broken Authentication and Session Management
     • Insecure Direct Object Reference
     • CSRF
     • Security Misconfiguration
     • Failure to Restrict URL Access
     • Unvalidated Redirects and Forwards
     • Insecure Cryptographic Storage
     • Insufficient Transport Layer Protection
  8. (image-only slide)
  9. Objective
     • Raise awareness on application security (and security in general)
     • Think like an attacker
     • Understand those who do
  10. Security Mindset
     “Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail.” (Bruce Schneier)
  11. Security
     • Security is about Managing Risks
       Risk = P(Threat x Vulnerability x Impact)
  12. How secure are your apps?
     • How do you measure your apps’ security? # of bugs? # of bugs per line of code?? # of bugs per code??? …
     • More important, how do you avoid security bugs in your apps!!!
  13. “Security Is a Process not a Product” (Bruce Schneier)
  14. (image-only slide)
  15. So you think you’re secure?
     • Just because you develop in {C,Perl,Python,Ruby,PHP,Java,<insert favorite language here>} it doesn’t mean your app is secure!
     • Understand and know that you will fail
     • Assess risks, and define controls
  16. User Input Validation
     • Buffer Overflows / XSS / SQLi / …
     • Applications don’t correctly validate what the user inputs
     • Trust but verify
  17. Cross Site Scripting
     ...is a type of computer security vulnerability typically found in web applications which enable malicious attackers to inject client-side script into web pages viewed by other users. (Source: Wikipedia)
  18. Cross Site Scripting
     • Example app code (pseudo code; user input goes straight into both the SQL query and the HTML output):
       ...
       $search = $_GET['search'];
       $query = "SELECT * FROM DOCS where BODY LIKE '%$search%'";
       $result = sql_query($query);
       print "Here are the results to your query $search";
       print_results($result);
       ...
  19. Cross Site Scripting
     • Application use: http://secureserver/?search=application+security
  20. Cross Site Scripting
     • Application abuse:
       – What if the user inputs some JavaScript??
     • The attacker can potentially own the user’s browser… but how?
     • Typically through social engineering or your own web app
  21. Cross Site Scripting
     • Back in 2002... “Multiple XSS Vulnerabilities in PHPNuke 6.0”
     • In an approx. 1 hour “audit”, 7 XSS vulnerabilities discovered (in 22 different input fields)
     • All allowed any user to hijack other users’ sessions
  22. Cross Site Scripting
     • In 2009… StrongWebMail Contest. US $10.000 Prize
     • Everyone had the login and password.
     • “Ultra” secure webmail system, confirmation of login using a cellphone.
     • Owned by XSS.
  23. Cross Site Scripting (source: http://www.securescience.net/blog/)
  24. Cross Site Scripting
     • What can you do?
       – Filter the input… …and the output
     • Ask yourself:
       – Do we really need to use HTML?
       – What is the intended input?
       – Are we outputting what we expect?
     Unfortunately developers tend to blacklist…
  25. Cross Site Scripting
     • But blacklist what?
       <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
       <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
       <IMG SRC=javascript:&#97;lert('XSS')>
       <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
       …
  26. Cross Site Scripting
     • Use a positive security model
       – If you expect a name, why accept numbers or punctuation?
       – If you expect a date, why accept “<“ or “>”?
       – If you do expect HTML, make sure it is well filtered (that’s the hard part…)
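The two XSS controls from slides 24 to 26 (encode the output, validate the input against what the field is supposed to contain, and don't rely on a blacklist) in working form. This is an added example, not code from the talk; the search and date rules are assumptions, and the two payloads are taken from the "blacklist what?" slide purely as test input for the defences.

```python
import html
import re
from typing import Optional

# Two of the vectors quoted on the "blacklist what?" slide, used here only as
# test input for the defences below.
PAGE_VECTORS = [
    '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
    "<IMG SRC=javascript:&#97;lert('XSS')>",
]


def blacklist_passes(value: str) -> bool:
    """A naive blacklist of the kind the slides warn against: it knows the
    literal tag name and nothing about the other encodings."""
    return "<script" not in value.lower()


def encode_for_html(value: str) -> str:
    """Output encoding: escape <, >, &, " and ' right before the value is
    written into HTML text or an attribute, whatever the input filter did."""
    return html.escape(value, quote=True)


# Positive security model: describe what each field is SUPPOSED to contain.
SEARCH_RE = re.compile(r"[A-Za-z0-9 .,'+-]{1,64}")  # assumed rule for the search box
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")          # an ISO date and nothing else


def validate_search(value: str) -> Optional[str]:
    return value if SEARCH_RE.fullmatch(value) else None


def validate_date(value: str) -> Optional[str]:
    return value if DATE_RE.fullmatch(value) else None


def results_header(raw_search: str) -> str:
    """The slide's `print "Here are the results to your query $search"` with
    both controls applied: validate on the way in, encode on the way out."""
    search = validate_search(raw_search)
    if search is None:
        return "Invalid search term."
    return "Here are the results to your query " + encode_for_html(search)


if __name__ == "__main__":
    for v in PAGE_VECTORS:
        print("blacklist lets it through:", blacklist_passes(v))
        print("encoded for output:", encode_for_html(v))
        print("accepted by whitelist:", validate_search(v))
    print(results_header("application security"))
```

The blacklist stops the first vector and lets the second through; output encoding neutralises both because it never tries to recognise them, and the whitelist rejects both because neither looks like a search term.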
  27. Injection
     • Not only SQL.
     • Technique first mentioned in 1998 by rain forest puppy in Phrack 54
     • OS injection is possibly older.
     • LDAP is another target for injection.
  28. Injection (the same pseudo code as slide 18; the user's text is pasted into the SQL statement)
       ...
       $search = $_GET['search'];
       $query = "SELECT * FROM DOCS where BODY LIKE '%$search%'";
       $result = sql_query($query);
       print "Here are the results to your query $search";
       print_results($result);
       ...
  29. Injection
     • Impact?
       – Heartland Security Breach: 130 million credit and debit cards
       – Cost of the breach: US$12.6 Million
  30. Injection (source: http://www.nosec.org)
  31. Injection (source: http://unu123456.baywords.com/)
  32. Injection
     • How do we protect?
       – Not so different from XSS. Same principles:
       – Filter user input
       – Whitelist what you know is safe
       – Use stored procedures and views
       – More ideas in a couple of slides…
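The query from slide 28 ported to Python's sqlite3, once as written (string concatenation) and once with parameter binding, so the difference the "how do we protect?" slide describes can be run. This is an added example, not the talk's code; the `docs` table and its three rows are constructed for it, and stored procedures and views are not shown because SQLite has no stored procedures.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the slide's DOCS table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO docs (body) VALUES (?)", [
        ("application security primer",),
        ("notes on O'Reilly's Unix books",),
        ("quarterly sales figures, 100% complete",),
    ])
    return conn


def search_vulnerable(conn: sqlite3.Connection, search: str):
    """Direct port of the slide's query: the user's text becomes SQL text."""
    query = "SELECT body FROM docs WHERE body LIKE '%" + search + "%'"
    return [row[0] for row in conn.execute(query)]


def vulnerable_raises(conn: sqlite3.Connection, search: str) -> bool:
    """True when the concatenated statement is no longer valid SQL for this
    input: a perfectly ordinary apostrophe is enough to break it."""
    try:
        search_vulnerable(conn, search)
        return False
    except sqlite3.Error:
        return True


def escape_like(term: str) -> str:
    """Neutralise LIKE wildcards so the user searches for literal text.
    Binding alone does not do this: % and _ are still pattern characters."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn: sqlite3.Connection, search: str):
    """Parameter binding: the SQL text is fixed when the code is written; the
    value travels to the engine separately and is never parsed as SQL."""
    pattern = "%" + escape_like(search) + "%"
    rows = conn.execute(
        "SELECT body FROM docs WHERE body LIKE ? ESCAPE '\\'", (pattern,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "sales"))
    print("apostrophe breaks the concatenated query:", vulnerable_raises(db, "O'Reilly"))
    print(search_safe(db, "O'Reilly"))
    print("searching for a literal %:", search_safe(db, "%"))
```

The apostrophe in `O'Reilly` is the whole lesson: the concatenated query fails on it because the database cannot tell data from code, while the bound version treats it as data. Escaping the LIKE wildcards is the "are we outputting what we expect?" question from slide 24 applied to SQL: without it a search for `%` silently returns every row.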
  33. More Input Validation
     • Cookies
     • Headers (Referrer!)
     • Any variables!
       – There’s no such thing as hidden fields!
       – User IDs?
       – Application flow
       – Etc..
  34. More Input Validation
     • Example:
       – Application checks the “Referrer” to ensure the user comes from an allowed origin.
       – Who sets the Referrer? Oooops…
  35. More Input Validation
     • Example:
       – If you trust the “hidden” field UserID, and the user sends it as “admin”, shouldn’t you verify it?
       – Use HMACs.
       – More on this in a few slides
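The "Use HMACs" suggestion from slide 35 worked through: the server tags each hidden field with an HMAC under a key the client never sees, and on the way back accepts the value only if the tag still verifies. This is an added example, not the talk's code; the field name `UserID`, the session identifier and the key handling are assumptions. The Referrer check on slide 34 gets no code because nothing the server does can make a client-chosen header trustworthy.

```python
import hashlib
import hmac
import secrets

# Server-side key: loaded from configuration in a real deployment and never
# sent to the browser. Generated at start-up here so the example is self-contained.
SERVER_KEY = secrets.token_bytes(32)


def sign_field(name: str, value: str, session_id: str, key: bytes = SERVER_KEY) -> str:
    """HMAC over session, field name and value. Including the name stops a tag
    being moved onto another field; including the session stops a tag issued
    to one user being replayed by another."""
    msg = f"{session_id}\x00{name}\x00{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def emit_hidden_fields(name: str, value: str, session_id: str) -> dict:
    """What the form carries: the value in the clear plus its tag.
    HMAC gives integrity, not secrecy; the value is still visible to the user."""
    return {name: value, name + "_sig": sign_field(name, value, session_id)}


def read_hidden_field(form: dict, name: str, session_id: str, key: bytes = SERVER_KEY):
    """Return the submitted value only if its tag verifies for this session,
    otherwise None. The comparison is constant-time."""
    value = form.get(name)
    sig = form.get(name + "_sig")
    if value is None or sig is None:
        return None
    expected = sign_field(name, value, session_id, key)
    return value if hmac.compare_digest(expected, sig) else None


if __name__ == "__main__":
    form = emit_hidden_fields("UserID", "1042", "sess-A")
    print("as issued:", read_hidden_field(form, "UserID", "sess-A"))
    print("edited to admin:", read_hidden_field(dict(form, UserID="admin"), "UserID", "sess-A"))
    print("replayed in another session:", read_hidden_field(form, "UserID", "sess-B"))
```

The simpler alternative, which the talk's "there's no such thing as hidden fields" also points at, is to keep the user ID in server-side session state and not round-trip it through the form at all; the HMAC is for cases where the value has to travel through the client.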
  36. Identification, Authentication and Authorization
     • Most people don’t know the difference!
     • Identification is easy!
     • The hard part is authenticating and authorizing…
  37. Passwords & Login
     • Lots of problems:
       – Storage / Encryption?
       – Recovery?
       – Quality?
       – Bots / CAPTCHAs
     • Why not outsource it?
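For the "Storage / Encryption?" item on slide 37: passwords are not encrypted but hashed with a per-user salt and a deliberately slow function, and the stored record carries its own parameters so the cost can be raised later. This is an added example, not the talk's code; the iteration count is an assumed work factor to tune per deployment.

```python
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor: tune so one hash costs tens of ms on your servers


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256. The stored string carries algorithm, cost
    and salt so each user's record can be verified and upgraded independently."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGO, str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and cost; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def needs_rehash(stored: str) -> bool:
    """True when a record uses a lower cost than current policy; call after a
    successful login, when the plaintext is available, to upgrade it."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print(record)
    print("right password:", verify_password("correct horse battery", record))
    print("wrong password:", verify_password("correct horse battery!", record))
```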
  38. Sessions
     • Lots of problems:
       – Unique
       – Unreplayable
       – Unpredictable
       – Logging user off
     • Use a proven framework
  39. Access Control
     • How many apps use more than one database user?
     • If in certain parts of the app the user just needs to read (SELECT), why should it be able to write (INSERT/UPDATE)?
     • Does every part of the app need to read every table in the database?
  40. Access Control
     • The same applies to any object (on a database or not)
     • If in certain parts of the app the user just needs to read information, why should it be able to write or change information?
     • Does every part of the app need to access every piece of information?
  41. Access Control
     • Security Models to the rescue!
  42. Access Control
     • Not those models…
       – Biba (integrity)
       – Bell-LaPadula (confidentiality)
       – Chinese Wall (Brewer-Nash) (conflicts of interest)
     • Don’t reinvent the wheel…
  43. Access Control
     • Define a security model for your app.
     • How many profiles should you need?
     • Which are the access needs for each profile?
     • Implement the model with the controls you have.
     • Implement controls you don’t have, but can.
  44. Access Control
     • Ensure each subject has access to, and only to, the objects it is allowed to access!!!
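Slides 39 to 44 as one runnable model: a few application profiles, each with the tables it needs and whether it writes, enforced on the database connection before the application code ever sees it. This is an added example, not the talk's code; the three profiles and the two tables are assumptions. It uses SQLite's authorizer hook (`Connection.set_authorizer`) to play the part that separate database users with GRANTs would play on a server database, which is the "implement the model with the controls you have" point.

```python
import sqlite3

# Assumed application profiles: which tables each part of the app touches and
# whether it writes. On a server database these map to distinct DB users.
PROFILES = {
    "search":  {"tables": {"docs"},     "write": False},
    "editor":  {"tables": {"docs"},     "write": True},
    "billing": {"tables": {"invoices"}, "write": True},
}

WRITE_ACTIONS = {
    sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
    sqlite3.SQLITE_CREATE_TABLE, sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_ALTER_TABLE,
}


def make_db() -> sqlite3.Connection:
    """Constructed schema: two tables, one row each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, amount INTEGER)")
    conn.execute("INSERT INTO docs (body) VALUES ('application security primer')")
    conn.execute("INSERT INTO invoices (amount) VALUES (1000)")
    conn.commit()
    return conn


def make_authorizer(rules: dict):
    def authorizer(action, arg1, arg2, dbname, trigger):
        # SQLite consults this while compiling every statement. arg1 is the
        # table name for READ/INSERT/UPDATE/DELETE and the CREATE/DROP actions.
        if action in WRITE_ACTIONS and not rules["write"]:
            return sqlite3.SQLITE_DENY
        if action == sqlite3.SQLITE_READ or action in WRITE_ACTIONS:
            if arg1 is not None and arg1 not in rules["tables"]:
                return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    return authorizer


def open_as(profile: str) -> sqlite3.Connection:
    """One connection per profile, restricted before any app code runs on it.
    Each call builds a fresh database so the profiles can be compared."""
    conn = make_db()
    conn.set_authorizer(make_authorizer(PROFILES[profile]))
    return conn


def try_sql(conn: sqlite3.Connection, sql: str, params=()):
    """Run a statement and report ('ok', rows) or ('denied', reason)."""
    try:
        return "ok", conn.execute(sql, params).fetchall()
    except sqlite3.DatabaseError as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    search = open_as("search")
    print(try_sql(search, "SELECT body FROM docs"))
    print(try_sql(search, "INSERT INTO docs (body) VALUES (?)", ("new doc",)))
    print(try_sql(search, "SELECT amount FROM invoices"))
```

The search page can read `docs` and nothing else; a bug in it (the injection from slide 28, say) is now bounded by what the `search` profile may do rather than by what the whole application may do.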
  45. Encraption
     • Encryption is hard
     • Don’t come up with new algorithms. They’ll suck.
     • Don’t come up with new implementations. See previous point.
  46. Encraption
     • Debian OpenSSL
     • Google KeyCzar
     • SSL/TLS Renegotiation bug
  47. You’ve done all of the previous things, now you’re secure!
  48. (image-only slide)
  49. Business Logic
     • If the logic is flawed, the app is flawed
     • Example:
       – In a home banking system, the user can transfer -€2000 to a different account.
       – Oooops…
  50. Business Logic
     • More examples:
       – On a site that sells electronics, the user bought 10 TV sets for €1000 each, and bought -20 stereos for €500 each.
       – Oooops…
  51. Business Logic
     • And more…
       – On a site that sells movie tickets, the user can choose the seat, and it stays locked until the payment is done, for a max. of 10 minutes.
       – The user automates this, for every seat in the room, every 10 minutes.
       – Oooops…
  52. Business Logic
     • Still more…
       – A company made a promotion, where you had to play a game (Flash), using a special ID from their soda bottles.
       – The top user had about 10x more points than the 2nd place.
       – Results from each game were submitted from the Flash application…
       – Oooops…
  53. Business Logic
     • Ok, last one:
       – An e-commerce site had special discount coupons they sent their customers.
       – Someone discovered the coupon codes were predictable.
       – Oooops…
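The business-logic cases from slides 49 to 53 with the server-side rule each one was missing: the transfer and the order both need a positive, bounded amount; the seat locks need a per-user limit; the coupons need codes that carry no pattern. This is an added example, not the talk's code; the catalogue, prices, limits and the single-use coupon store are all constructed for it.

```python
import secrets
from decimal import Decimal

# Constructed catalogue for the electronics example on slide 50.
PRICES = {"tv": Decimal("1000"), "stereo": Decimal("500")}
MAX_QTY = 100   # assumed per-line limit


def order_total_naive(items) -> Decimal:
    """Trusts the client's quantities, like the site on the slide."""
    return sum((PRICES[sku] * qty for sku, qty in items), Decimal(0))


def order_total_checked(items) -> Decimal:
    """Same arithmetic with the business rules enforced where the client
    cannot change them: known item, integer quantity, 1..MAX_QTY."""
    total = Decimal(0)
    for sku, qty in items:
        if sku not in PRICES:
            raise ValueError(f"unknown item {sku!r}")
        if type(qty) is not int or not 1 <= qty <= MAX_QTY:
            raise ValueError(f"quantity {qty!r} for {sku} is outside 1..{MAX_QTY}")
        total += PRICES[sku] * qty
    return total


def checked_total_or_error(items):
    try:
        return "ok", order_total_checked(items)
    except ValueError as exc:
        return "rejected", str(exc)


def transfer_allowed(amount: Decimal, available: Decimal) -> bool:
    """Home banking (slide 49): strictly positive and covered by the balance."""
    return Decimal(0) < amount <= available


class SeatLocks:
    """Ticket example (slide 51): a hold expires after hold_seconds, and one
    user may hold at most max_per_user seats at a time."""

    def __init__(self, hold_seconds: int = 600, max_per_user: int = 6):
        self.hold_seconds = hold_seconds
        self.max_per_user = max_per_user
        self.holds = {}   # seat -> (user, expires_at)

    def hold(self, user: str, seat: str, now: int) -> bool:
        self.holds = {s: (u, t) for s, (u, t) in self.holds.items() if t > now}
        if seat in self.holds and self.holds[seat][0] != user:
            return False                      # held by someone else
        held_by_user = sum(1 for u, _ in self.holds.values() if u == user)
        if seat not in self.holds and held_by_user >= self.max_per_user:
            return False                      # over the per-user limit
        self.holds[seat] = (user, now + self.hold_seconds)
        return True


def issue_coupon(issued: set) -> str:
    """Coupons (slide 53): drawn from a CSPRNG, so one code reveals nothing
    about the next; the server keeps the set of codes it actually issued."""
    code = secrets.token_urlsafe(16)
    issued.add(code)
    return code


def redeem_coupon(issued: set, code: str) -> bool:
    """Single use: a code is removed from the issued set when redeemed."""
    if code in issued:
        issued.remove(code)
        return True
    return False


if __name__ == "__main__":
    basket = [("tv", 10), ("stereo", -20)]
    print("naive total:", order_total_naive(basket))
    print("checked:", checked_total_or_error(basket))
    print("transfer -2000:", transfer_allowed(Decimal("-2000"), Decimal("500")))
```

The naive total for the slide's basket comes out at zero, which is exactly the "Oooops". Every check here lives on the server; the Flash-game case on slide 52 is the same lesson from the other direction, since a score computed by the client is just another untrusted input.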
  54. Wrap-Up
     • Always expect the worst
     • Start thinking about security ASAP in the SDL
     • Define a security model
     • Analyze data flows and entry points
     • Test the security of your app before the bad guys do
     • Rinse & Repeat
  55. Community
     • InfoSec-Pros-PT – Mailing-List and LinkedIn Group (~377 members)
       • http://groups.google.com/group/InfoSec-Pros-PT
       • http://www.linkedin.com/groups?gid=112919
     • Confraria Security&IT (Networking)
       • Monthly informal meetings & dinner
       • Free
       • http://www.linkedin.com/groups?gid=1859900
  56. Thank You! Q&A?
     Bruno Morisson, CISSP, CISA, ISO27001LA
     morisson@genhex.org
     http://genhex.org/~mori/
  57. References
     • http://www.owasp.org
     • http://www.webappsec.org
     • http://jeremiahgrossman.blogspot.com/
     • http://ha.ckers.org/blog/
     • http://www.cl.cam.ac.uk/~rja14/book.html
     • http://www.schneier.com/blog/
     • http://chargen.matasano.com/
     • http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf
     • http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
     • http://sqlmap.sourceforge.net/
     • http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
     • http://portswigger.net/proxy/
     • http://www.parosproxy.org/
     • http://livehttpheaders.mozdev.org/
     • https://addons.mozilla.org/en-US/firefox/addon/966 (Tamper Data)
