Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

How not to suck at Cyber Security

55 views

Published on

  • Be the first to comment

  • Be the first to like this

How not to suck at Cyber Security

  1. 1. HOW NOT TO SUCK AT CYBER SECURITY Chris Watts - Feb 2016
  2. 2. DON’T BE EBAY
  3. 3. In 2015 there were +38%more cyber security incidents than in 2014 Global State of Information Security® Survey 2016
  4. 4. Proportion of companies reporting a security incident Global State of Information Security® Survey 2016
  5. 5. CUSTOMER RECORDS Global State of Information Security® Survey 2016 38.27% of compromised assets EMPLOYEE RECORDS 33.25% of compromised assets
  6. 6. While there is no guarantee against being breached, organizations can greatly manage their risk by becoming more vigilant in covering their bases. - Mike Denning, Vice President for Global Security, Verizon
  7. 7. According to the Pareto Principle 80%of the effects are from 20%of the causes Software bugs are not exempt from this rule
  8. 8. BACK TO THE RECENT EBAY HACK
  9. 9. JS NIGHTMARES [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+
  10. 10. [] + [] === '' [] + {} === [object Object] {} + [] === 0 {} + {} === NaN QUIRKY! https://www.destroyallsoftware.com/talks/wat
  11. 11. HOW TO MAKE A LANGUAGE NAND or NOR gates will let you build anything!
  12. 12. With an array of NAND or NOR gates, you can build any other logic gate. Hence FPGAs! In software, if you have a NOT expression and an OR expression, you can emulate any other logic circuit! If you can emulate logic circuits, you can emulate a Turing machine. Pretty much every language already has this requirement [!+]
  13. 13. TURING TARPITS Some people just want to watch the world burn This is an example of Hello World in Brainfuck ++++++++[>++++ [>++>+++>+++>+<<<<-] >+>+>->>+[<]<-] >>.>---.+++++++..+++.>>. <-.<.+++.------.--------.>>+.>++.
  14. 14. To be Turing-complete, an imperative language must: 1. Allow conditional branching 2. Allow read/write access to random memory
  15. 15. To be Turing-complete, a functional language must: 1. Allow abstraction of functions over arguments 2. Allow application of functions to arguments
  16. 16. ENTER JSFUCK A Turing-complete sub-language of JavaScript that runs in the same environment as real JavaScript. And yes, it’s Turing-complete. false => ![] true => !![] undefined => [][[]] NaN => +[![]] 0 => +[] 1 => +!+[] 2 => !+[]+!+[]
  17. 17. Problem: Lots of people want cat pictures and illegible formatting in their listings Solution: Let them insert HTML! Normally, one filters out everything that has the potential to do bad with user-submitted HTML USER INPUT IS A DANGEROUS THING In fact, the best idea is to just avoid it and say no, but customers will be customers.
  18. 18. LET’S LEAVE IN <SCRIPT> TAGS! Now we can offer more features like advertising! And lawsuit-worthy user tracking!
  19. 19. Hey let’s just check for alphanumerics! It’s a super easy regex. /<script>w+</script>//ig ALL WE NEED TO DO IS DISALLOW ALL STRINGS WITHIN <SCRIPT> TAGS SUBMITTED BY USERS
  20. 20. It will be fine, nobody is ever going to be able to execute JavaScript without alphanumerics despite JS being even sketchier than C++[1] - some dev at eBay
  21. 21. NAILED ITNAILED IT
  22. 22. Two researchers by the names of Charlie Miller and Chris Valasek were able to connect to GM’s OnStar entertainment system from 2012 to 2015. Turns out the entertainment system is connected to the ECU, braking, tire pressure monitoring and steering systems. OF COURSE, IT’S NOT JUST EBAY From 10 miles away, they were able to turn up the car stereo, switch on the wipers, and crash the car flat-out into a ditch.
  23. 23. It will be fine, nobody is ever going to control the car through the entertainment system - some dev at GM
  24. 24. LET’S NOT FOLLOW SUIT DESIGN AS THE ANTI-USER
  25. 25. SQL INJECTION https://xkcd.com/327/
  26. 26. A SIMPLE ATTACK <?php $page = $_GET[‘page’]; $query = “SELECT * FROM transactions LIMIT $page * 20, 20”; ... ?> https://www.securebank.com/transactions/view/3/ https://www.securebank.com/transactions/view/3;DROP USER admin;--/
  27. 27. SOLUTION NEVER trust user-supplied information. Hidden form fields and cookies are also not safe. VALIDATE your inputs. Expecting a number? Assert that! ALWAYS use prepared statements - don’t insert directly into SQL statements $statement = $db->prepare(“SELECT * FROM transactions LIMIT :page, 20”); $statement->bindParam(‘page’, $page * 20);
  28. 28. You would think there’s no harm in leaving the version numbers of your Wordpress installation in the headers or footers of your web page. Some version information also appears in HTTP headers, for example: ‘X-Powered-By: My Cool CMS v3.3.6’ INFORMATION LEAKAGE
  29. 29. EXPLOIT-DB
  30. 30. REMOVE all version identifiers from everything your server sends CHECK what happens on a server error. Does the 500 page show anything useful to a hacker? REMOVE all debugging information, or have it sent to log files SOLUTION
  31. 31. INFORMATION EXPOSURE Sometimes your text editors are the enemy... Of course, Database.php~ is no longer a .php file, so will not get executed when you navigate to it. Instead, it will just download the file to the user, containing the actual PHP code and passwords!
  32. 32. SOLUTION WHITELIST rather than blacklist files that are allowed to be displayed to the user (e.g. in .htaccess) DELETE all temporary files on the production server, edit files on a development server before pushing. MOVE all non-static (e.g. html, jpg, css) files out of the document root. Especially configuration files.
  33. 33. USER UPLOADS By performing the previous steps, you can also protect yourself from malicious uploads being executed. This does not replace the need to check file contents though as if the file exists on the server, it’s more than likely the attacker will find a way to execute it.
  34. 34. Remember the Heartbleed bug of 2014? In 2015 there were still swaths of unprotected servers due to negligence and unwillingness to update. OUTDATED SOFTWARE
  35. 35. sudo apt-get update sudo apt-get upgrade Update any frameworks or libraries you use in your projects too to make sure you don’t appear on the Exploit DB. SOLUTION
  36. 36. Just because the attacker can’t see your source code doesn’t mean they can’t brute force or guess their way in! SECURITY THROUGH OBSCURITY
  37. 37. Assume they can see your source code. SOLUTION
  38. 38. AUTHORIZATION BYPASS Locking the front door is useless if you left the window open. Some companies forget to secure all of their admin pages. Sure, the admin home page is protected by a password, but what about the page where you can modify user permissions?
  39. 39. Storing valuable information in HTML <hidden> fields? Users can modify and do whatever they like to those. HIDDEN FIELDS ARE NOT HIDDEN
  40. 40. SOLUTION CHECK every page, REST service, action and form to make sure only those authorized can perform actions NEVER store internal logic in content the user sends back. This includes cookies! (Although storing this information in sessions with a session token is OK provided you’re using sessions properly)
  41. 41. So you’ve fixed authorization bypass and an admin is logged in. The admin checks the forums and sees this post: CSRF CROSS-SITE REQUEST FORGERY Hi, I’m getting harassed by the user Trump4President. I recorded a chat log here to prove that he’s being derogatory and spiteful to every user in... Little did the admin know, the link actually goes here: https://www.clubpenguin.com/admin/users/Trump4President/perms?admin=true
  42. 42. There are actually two things wrong with this example. 1. A modification action was accessible with a GET request rather than POST. 2. Because the admin was logged in, clicking this link performed the action under the admin’s account. WHAT WENT WRONG
  43. 43. USE POST, PUT, PATCH, DELETE etc. for any mutable actions. Use GET only if data will not be modified by the request. TOKENIZE all forms and actions with a random string generated as the page loads. Store this token in your database to cross-reference when the form is submitted. This token may be stored in a hidden field or cookie. SOLUTION
  44. 44. REDIRECT HIJACKING Sometimes you need to show a page, such as a login page, before redirecting the user to where they wanted to go. If the redirect URL is not sanitized, an attacker might try to use it to direct you to another site. Imagine if a user is presented with a phishing email to change their bank password and they’re presented with a legitimate link to their bank: https://www.securebank.com/account/changepassword?redir=http://evil.com/phish
  45. 45. REDIRECT HIJACKING This attack goes hand-in-hand with CSRF. If the user can be redirected before they realize their session has been hijacked by an evil button, the incident may go completely undetected.
  46. 46. REDIRECT HIJACKING It’s not just limited to redirecting a user either. If your script accesses the server’s filesystem, don’t let this happen: https://www.mycoolforum.com/forum/page=../../../etc/passwd
  47. 47. SOLUTION USE a URL parser on any URL arguments to make sure they’re relative to the document root. DENY use of patterns like ‘../’, ‘~/’ or ‘PROGRA~1/’
  48. 48. Some content is written by the user. This could be something like eBay’s item descriptions, or even a user’s username displayed at the top of the page. If the user can enter HTML tags that they shouldn’t, we already know what can go wrong. XSS CROSS-SITE SCRIPTING
  49. 49. There are two ways XSS can be a problem. 1. Displaying unsanitized information that the user has directly given (such as in a comment post or account bio) 2. Displaying unsanitized information that the user has weaseled into the system (for example, with a database compromise) FIRST AND SECOND ORDER
  50. 50. ESCAPE or encode all characters that should be illegal when displayed on a page. For HTML body, this is <anyelement>, for HTML attributes this is any single or double quote. There are pre-made sanitizers for this job. Perform this when the data is displayed rather than when it is stored. Otherwise you can end up with multiple escaped strings and still be vulnerable to second-order XSS! SOLUTION
  51. 51. How it should be done (escaping with &lt; and &gt;) How it shouldn’t be done
  52. 52. HUMANS THE WEAKEST LINK OF A SECURITY SYSTEM
  53. 53. Of the compromised respondents in the GSISS 34%said current employees were the most likely cause Global State of Information Security® Survey 2016
  54. 54. 29%linked attacks to former employees Global State of Information Security® Survey 2016
  55. 55. PRIVILEGE MISUSE is #3 of the 9 biggest causes Verizon Data Breach Investigations Report 2015
  56. 56. Still a common cause of security violations. With a convincing email, an employee can violate the security plan your business so dearly values in a matter of seconds. Hot for 2016 - SMiShing (via SMS) PHISHING
  57. 57. Yes. 23% of phishing emails are opened and 11% of attachments are downloaded according to the 2015 Verizon Data Breach Investigations Report. PEOPLE STILL FALL FOR THAT?
  58. 58. Companies that have an overall security strategy 58% Global State of Information Security® Survey 2016 Companies that have an employee training program 53%
  59. 59. With a suit, tie and clipboard, you can go pretty much anywhere you want. With a tray of coffees, you can go through pretty much any door. It’s this inherent kindness that shows that as security systems go, we are pretty poor. SOCIAL ENGINEERING
  60. 60. In 2007, a mystery man walked into a Belgian bank and stole over €21 million in diamonds from high-security safety deposit boxes using only his charming personality. He gained trust with the personnel by being a nice guy and bringing chocolates. He was able to make copies of the keys and gain information to the diamonds whereabouts. CONFIDENCE
  61. 61. Hence, TO MAKE A SECURE SYSTEM, FIRST REMOVE HUMANS
  62. 62. THANKS! I’ll be glad to take your criticisms Chris Watts - cwatts1@us.ibm.com

×