7. Home Depot
Stolen Vendor Credentials
Improper Configurations
Important Anti-Virus Feature Turned Off
POS Systems Running on Windows XP
Unencrypted Data In Transit
Non-Segmented Network
Inadequate Monitoring
29. Exposing Secrets - The Tools
A talisman is an object which is believed to contain certain magical or sacramental properties which would provide good luck for the possessor or possibly offer protection from evil or harm.
https://en.wikipedia.org/wiki/Talisman
31. Exposing Secrets - Tool Integration
19:54:42.329 :findSecrets FAILED
19:54:42.336
19:54:42.336 BUILD FAILED
19:54:42.336
19:54:42.336 Total time: 3.085 secs
19:54:42.339
19:54:42.339 FAILURE: Build failed with an exception.
19:54:42.339
19:54:42.339 * What went wrong:
19:54:42.339 Execution failed for task ':findSecrets'.
java/build.gradle
java/gradle/wrapper/gradle-wrapper.jar
java/gradle/wrapper/gradle-wrapper.properties
java/gradlew
java/gradlew.bat
java/notReallyAn._rsa
…
java/src/vulnerableCheckSuppression.xml
The following errors were detected in java/notReallyAn._rsa
The file name "java/notReallyAn._rsa" failed checks against the pattern ^.+_rsa$
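As an added example (not Talisman's own code and not part of the original slides), the following Python reproduces the kind of pre-commit secret check shown above: staged file names are tested against patterns such as the `^.+_rsa$` pattern from the output, and file contents against a PEM private-key header. The additional file-name patterns, the content pattern and the staged file tree are assumptions constructed for the example.

```python
import re

# File-name patterns: ^.+_rsa$ is the pattern shown in the Talisman output
# above; the others are assumed, typical private-key file name patterns.
FILENAME_PATTERNS = [r"^.+_rsa$", r"^.+\.pem$", r"^.+\.p12$", r"^.+\.jks$"]

# Content pattern: the standard PEM private-key header (assumed for the example).
CONTENT_PATTERNS = [r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"]


def find_secrets(staged):
    """Return a list of error strings for staged files that fail checks.

    staged: dict mapping file path -> file contents (str). Paths are matched
    against FILENAME_PATTERNS and contents against CONTENT_PATTERNS; the
    messages mirror the wording of the Talisman output above.
    """
    errors = []
    for path, contents in staged.items():
        for pattern in FILENAME_PATTERNS:
            if re.match(pattern, path):
                errors.append(f'The file name "{path}" failed checks against the pattern {pattern}')
        for pattern in CONTENT_PATTERNS:
            if re.search(pattern, contents):
                errors.append(f'The file "{path}" contains content matching the pattern {pattern}')
    return errors


def pre_commit(staged):
    """Pre-commit entry point: print findings and return the exit status
    (0 = commit allowed, 1 = commit blocked), like the failing gradle task."""
    errors = find_secrets(staged)
    for err in errors:
        print(err)
    return 1 if errors else 0


# Constructed staged tree modelled on the file list in the slide above;
# deploy.key is an invented file whose contents look like a private key.
STAGED = {
    "java/build.gradle": "apply plugin: 'java'\n",
    "java/notReallyAn._rsa": "not a key at all\n",
    "java/src/vulnerableCheckSuppression.xml": "<suppressions/>\n",
    "java/src/main/resources/deploy.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
}

if __name__ == "__main__":
    raise SystemExit(pre_commit(STAGED))
```

Wired into a pre-commit hook or a build task such as `:findSecrets`, a non-zero exit status is what turns a detected secret into a failed commit or build.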
32. If searching for possible attack vectors for our web sites is good, we will automate this search.
to our version control system.
38. Attack Tie Backs - Target
Secrets may not have been discovered
Up to date vendor system may have eliminated vulnerabilities
ZAP testing might have highlighted network navigability
39. Attack Tie Backs - Home Depot
Up to date POS OS may have eliminated vulnerabilities
ZAP testing might have highlighted network navigability
40. Attack Tie Backs - Sally Beauty
Secrets may not have been discovered
42. Next Steps
Finish Wiring Up Existing Checks
Contribute Talisman Changes
Finish End to End Code
Wire Up ZAP
Set Up Canary Builds
Find Other Tools to Include
exposed data
phishing
out of date software
non-segmented network
secrets
in memory data
2000 stores
40 million credit cards
private data for 70 million customers
switch to hidden slide with images
Lacked proper segmentation between corporate network and POS network.
switch to slide with images
260,000 credit cards
2600 locations
switch to hidden slide with images
Apache CXF Authentication Bypass – By failing to provide an identity token, attackers could invoke any web service with full permission. (Apache CXF is a services framework, not to be confused with the Apache Application Server.)
Spring Remote Code Execution – Abuse of the Expression Language implementation in Spring allowed attackers to execute arbitrary code, effectively taking over the server.
Checkmarx CxSAST (formerly CxSuite) before 7.1.8 allows remote authenticated users to bypass the CxQL sandbox protection mechanism and execute arbitrary C# code by asserting the (1) System.Security.Permissions.PermissionState.Unrestricted or (2) System.Security.Permissions.SecurityPermissionFlag.AllFlags permission.
Add Ruby/Rails Example
Canary Builds
Zed Attack Proxy
ZAP passively scans all of the requests and responses that it discovers via the spiders or that are proxied through it from your browser. Passive scanning does not change the responses in any way and is therefore always safe to use. Scanning is performed in a background thread to ensure that it does not slow down the exploration of an application. Passive scanning is good for finding a limited number of potential vulnerabilities, such as missing security-related HTTP headers. It can be an effective way to get a sense of the state of security in a given web application, and clues for where to focus more invasive manual testing.
Active scanning attempts to find potential vulnerabilities by using known attacks against the selected targets. As active scanning is an attack on those targets it is completely under user control and should only be used against applications that you have permission to test. Active scanning can be started via the Active Scan tab or the right click ‘Attack’ menu.
Change to Symbols to Represent These
Additionally
- Exposed private data on vendor web site & Microsoft web site
- Did not use 2-factor authentication
- Used default user names & passwords
- Unencrypted card data in memory
- Logs could have been monitored more closely
- Missed initial alerts