Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Armorizing Applications Iftach Ian Amit Director of Services Friday, October 11, 13
Hi! Friday, October 11, 13
I’m not an application guy :-| Friday, October 11, 13
I’m a security guy Who actually used to do some application stuff Friday, October 11, 13
whoami? $ id uid=501(iamit) gid=20(ioactive) groups=12(hack), 33(research),61(dev),79(red_team),80(sexy_defense), 81(exil)...
Attack? Defense! Friday, October 11, 13
So, I’ve been dealing with defense a lot Friday, October 11, 13
As in - helping defenders get a head start Friday, October 11, 13
Guess what? We are still failing on the basics... Friday, October 11, 13
Logs... Friday, October 11, 13
Logs... Firewall Friday, October 11, 13
Logs... Firewall IDS Friday, October 11, 13
Logs... Firewall IDS IPS Friday, October 11, 13
Logs... Firewall IDS IPS Network Friday, October 11, 13
Logs... Firewall IDS IPS Network HTTPD Friday, October 11, 13
Logs... Firewall IDS IPS Network HTTPD DBMS Friday, October 11, 13
Logs... Firewall IDS IPS Network HTTPD DBMS DNS Friday, October 11, 13
Logs... Firewall IDS IPS Network HTTPD DBMS DNS Application? Friday, October 11, 13
We still have sucky application logs :-( Friday, October 11, 13
Friday, October 11, 13
I mean, we came a long way since web-app coding in the 90’s I know. I’ve lived through it :-( Friday, October 11, 13
Example: Friday, October 11, 13
Example: Friday, October 11, 13
Example: Uses MVC. Actually very nicely architected... Friday, October 11, 13
Example: Uses MVC. Actually very nicely architected... Friday, October 11, 13
Example: Uses MVC. Actually very nicely architected... Good start.At least we can haz data. Friday, October 11, 13
Example: Uses MVC. Actually very nicely architected... Good start.At least we can haz data. This is pretty much useless* F...
Example: Uses MVC. Actually very nicely architected... Good start.At least we can haz data. This is pretty much useless* *...
Let’s get back to basics for a sec here Friday, October 11, 13
time=2013-03-02 23:59:57 action=drop orig=192.168.1.103 i/ f_dir=inbound i/ f_name=eth1c0 has_accounting=0 product=VPN-1 &...
Friday, October 11, 13
but wait, how about them HTTPD? Friday, October 11, 13
193.205.210.42 - - [09/Oct/2013:00:57:17 -0700] "GET /blog/2013/07/mail-encryption-for-android/ HTTP/1.1" 200 32064 "https...
Don’t get me started... Friday, October 11, 13
And that’s AFTER taking into account “log analyzers” Friday, October 11, 13
“But you security guys have all these fancy SIEM stuff, right?” Friday, October 11, 13
Friday, October 11, 13
Friday, October 11, 13
Friday, October 11, 13
Yes, we have fancy dashboards and graphs and sometimes synchronized logs from multiple sources But it’s still a pain in th...
WHY? Friday, October 11, 13
Friday, October 11, 13
The application has ALL THE CONTEXT Friday, October 11, 13
Friday, October 11, 13
Friday, October 11, 13
Friday, October 11, 13
Yet you keep it to yourself Friday, October 11, 13
This made me cry in joy: Friday, October 11, 13
Friday, October 11, 13
Firewall Web Server Client X Client X ClientY Client X ClientY ClientY Client X Client X Client X ClientY ClientY index it...
Firewall Web ServerApplication Client X Client X ClientY Client X ClientY ClientY Client X Client X Client X ClientY Clien...
Friday, October 11, 13
Friday, October 11, 13
Friday, October 11, 13
Rinse, Lather, Repeat Friday, October 11, 13
Everywhere! DB Access Session Management State Management User Management ... Friday, October 11, 13
Be a dot connector! Friday, October 11, 13
Counter Intelligence use-case Problem dormant accounts used for fraud (and/or money laundering) Friday, October 11, 13
Counter Intelligence use-case Problem dormant accounts used for fraud (and/or money laundering) Account Friday, October 11...
Counter Intelligence use-case Problem dormant accounts used for fraud (and/or money laundering) Account Friday, October 11...
Counter Intelligence use-case Problem dormant accounts used for fraud (and/or money laundering) Account >1yr dormant Frida...
Counter Intelligence use-case Problem dormant accounts used for fraud (and/or money laundering) Account >1yr dormant laund...
Counter Intelligence use-case Problem dormant accounts used for fraud (and/or money laundering) Account >1yr dormant laund...
Counter Intelligence use-case Problem dormant accounts used for fraud (and/or money laundering) Account >1yr dormant laund...
Account Friday, October 11, 13
AccountAccountAccountAccountAccount Friday, October 11, 13
List AccountAccountAccountAccountAccount Friday, October 11, 13
Marketing Accounting Branch mgmt. List AccountAccountAccountAccountAccount Friday, October 11, 13
Marketing Accounting Branch mgmt. List AccountAccountAccountAccountAccount Friday, October 11, 13
Marketing Accounting Branch mgmt. List AccountAccountAccountAccountAccount List AccountAccountAccountAccountAccount Friday...
Marketing Accounting Branch mgmt. List AccountAccountAccountAccountAccount List AccountAccountAccountAccountAccount List A...
Marketing Accounting Branch mgmt. List AccountAccountAccountAccountAccount List AccountAccountAccountAccountAccount List A...
Marketing Accounting Branch mgmt. List AccountAccountAccountAccountAccount List AccountAccountAccountAccountAccount List A...
Marketing Accounting Branch mgmt. List AccountAccountAccountAccountAccount List AccountAccountAccountAccountAccount List A...
Internal user Friday, October 11, 13
Internal user PC Friday, October 11, 13
Internal user PC Friday, October 11, 13
Internal user PC Trojan Friday, October 11, 13
Internal user PC Trojan Friday, October 11, 13
Internal user PC Trojan Friday, October 11, 13
Internal user PC Trojan C&C Friday, October 11, 13
Internal user PC Trojan C&C Bad Guys(tm) Friday, October 11, 13
Log on context Weird state changes Repeatable expectable actions Who, what, why Help me get the story right! Friday, Octob...
Questions? Comments! Ian Amit @iiamit ian.amit@ioactive.com Friday, October 11, 13
Upcoming SlideShare
Loading in …5
×

Armorizing applications

746 views

Published on

In this talk from Ian Amit, he will try to address things from a more tactical (read: practical) perspective for application development. What 'we' see, or want, from a security practitioner perspective is nice, but enabling it from an application view isn't trivial. He'll cover the aspects that the attendees can gain from having applications designed and implemented in certain manners, while of course not changing the way things are being practiced these days (too much). He will also show how logging (yes… plain old boring logging) can go a long way, and how applications that are a bit more self conscience to their state can be utilised to detect attacks before they actually happen.

Published in: Technology
no profile picture user

  • Be the first to comment

Armorizing applications

  1. 1. Armorizing Applications Iftach Ian Amit Director of Services Friday, October 11, 13
  2. 2. Hi! Friday, October 11, 13
  3. 3. I’m not an application guy :-| Friday, October 11, 13
  4. 4. I’m a security guy Who actually used to do some application stuff Friday, October 11, 13
  5. 5. whoami? $ id uid=501(iamit) gid=20(ioactive) groups=12(hack), 33(research),61(dev),79(red_team),80(sexy_defense), 81(exil),98(idf),100(dc9723),204(/dev/null) Friday, October 11, 13
  6. 6. Attack? Defense! Friday, October 11, 13
  7. 7. So, I’ve been dealing with defense a lot Friday, October 11, 13
  8. 8. As in - helping defenders get a head start Friday, October 11, 13
  9. 9. Guess what? We are still failing on the basics... Friday, October 11, 13
  10. 10. Logs... Friday, October 11, 13
  11. 11. Logs... Firewall Friday, October 11, 13
  12. 12. Logs... Firewall IDS Friday, October 11, 13
  13. 13. Logs... Firewall IDS IPS Friday, October 11, 13
  14. 14. Logs... Firewall IDS IPS Network Friday, October 11, 13
  15. 15. Logs... Firewall IDS IPS Network HTTPD Friday, October 11, 13
  16. 16. Logs... Firewall IDS IPS Network HTTPD DBMS Friday, October 11, 13
  17. 17. Logs... Firewall IDS IPS Network HTTPD DBMS DNS Friday, October 11, 13
  18. 18. Logs... Firewall IDS IPS Network HTTPD DBMS DNS Application? Friday, October 11, 13
  19. 19. We still have sucky application logs :-( Friday, October 11, 13
  20. 20. Friday, October 11, 13
  21. 21. I mean, we came a long way since web-app coding in the 90’s I know. I’ve lived through it :-( Friday, October 11, 13
  22. 22. Example: Friday, October 11, 13
  23. 23. Example: Friday, October 11, 13
  24. 24. Example: Uses MVC. Actually very nicely architected... Friday, October 11, 13
  25. 25. Example: Uses MVC. Actually very nicely architected... Friday, October 11, 13
  26. 26. Example: Uses MVC. Actually very nicely architected... Good start.At least we can haz data. Friday, October 11, 13
  27. 27. Example: Uses MVC. Actually very nicely architected... Good start.At least we can haz data. This is pretty much useless* Friday, October 11, 13
  28. 28. Example: Uses MVC. Actually very nicely architected... Good start.At least we can haz data. This is pretty much useless* * from a security perspective. no doubt that when this breaks you’ll need it Friday, October 11, 13
  29. 29. Let’s get back to basics for a sec here Friday, October 11, 13
  30. 30. time=2013-03-02 23:59:57 action=drop orig=192.168.1.103 i/ f_dir=inbound i/ f_name=eth1c0 has_accounting=0 product=VPN-1 & FireWall-1 policy_name=INTERNET src=1.2.3.4 s_port=37586 dst=3.4.5.6 service=80 proto=tcp rule=16 xlatesrc=8.9.10.11 xlatesport=57517 xlatedport=0 NAT_rulenum=4 NAT_addtnl_rulenum=internal Friday, October 11, 13
  31. 31. Friday, October 11, 13
  32. 32. but wait, how about them HTTPD? Friday, October 11, 13
  33. 33. 193.205.210.42 - - [09/Oct/2013:00:57:17 -0700] "GET /blog/2013/07/mail-encryption-for-android/ HTTP/1.1" 200 32064 "https:// www.google.it/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/ 537.36" 193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-includes/js/comment-reply.min.js?ver=3.6.1 HTTP/1.1" 200 1068 "http:// www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-content/plugins/podpress/js/podpress.js?ver=3.6.1 HTTP/1.1" 200 40786 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-content/plugins/jetpack/modules/sharedaddy/sharing.css?ver=2.5 HTTP/ 1.1" 200 11641 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-content/plugins/lightbox-2/lightbox.js?ver=1.8 HTTP/1.1" 200 21623 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1 HTTP/1.1" 200 7484 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 193.205.210.42 - - [09/Oct/2013:00:57:20 -0700] "GET /blog/wp-content/plugins/podpress/players/1pixelout/1pixelout_audio-player.js HTTP/1.1" 200 12305 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 193.205.210.42 - - [09/Oct/2013:00:57:20 -0700] "GET /blog/wp-content/plugins/jetpack/modules/wpgroho.js?ver=3.6.1 HTTP/1.1" 200 1212 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/ 537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 193.205.210.42 - - [09/Oct/2013:00:57:20 -0700] "GET /blog/wp-content/plugins/jetpack/modules/sharedaddy/sharing.js?ver=20121205 HTTP/1.1" 200 39040 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 193.205.210.42 - - [09/Oct/2013:00:57:21 -0700] "GET /blog/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=3.5.2 HTTP/1.1" 200 8610 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/ 537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 193.205.210.42 - - [09/Oct/2013:00:57:21 -0700] "GET /blog/wp-content/plugins/contact-form-7/includes/js/jquery.form.min.js? ver=3.40.0-2013.08.13 HTTP/1.1" 200 14910 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 193.205.210.42 - - [09/Oct/2013:00:57:23 -0700] "GET /favicon.ico HTTP/1.1" 200 1351 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 193.205.210.42 - - [09/Oct/2013:00:57:23 -0700] "GET /blog/wp-includes/js/jquery/jquery.js?ver=1.10.2 HTTP/1.1" 200 93371 "http:// www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36Friday, October 11, 13
  34. 34. Don’t get me started... Friday, October 11, 13
  35. 35. And that’s AFTER taking into account “log analyzers” Friday, October 11, 13
  36. 36. “But you security guys have all these fancy SIEM stuff, right?” Friday, October 11, 13
  37. 37. Friday, October 11, 13
  38. 38. Friday, October 11, 13
  39. 39. Friday, October 11, 13
  40. 40. Yes, we have fancy dashboards and graphs and sometimes synchronized logs from multiple sources But it’s still a pain in the tuches Friday, October 11, 13
  41. 41. WHY? Friday, October 11, 13
  42. 42. Friday, October 11, 13
  43. 43. The application has ALL THE CONTEXT Friday, October 11, 13
  44. 44. Friday, October 11, 13
  45. 45. Friday, October 11, 13
  46. 46. Friday, October 11, 13
  47. 47. Yet you keep it to yourself Friday, October 11, 13
  48. 48. This made me cry in joy: Friday, October 11, 13
  49. 49. Friday, October 11, 13
  50. 50. Firewall Web Server Client X Client X ClientY Client X ClientY ClientY Client X Client X Client X ClientY ClientY index items index items+a items items+c checkout login confirm checkout confirm Friday, October 11, 13
  51. 51. Firewall Web ServerApplication Client X Client X ClientY Client X ClientY ClientY Client X Client X Client X ClientY ClientY index items index items+a items items+c checkout login confirm checkout confirm - John, from X, just bought A and shipped it paying with CC - Client fromY tried to bypass app logic and avoid payment/auth Friday, October 11, 13
  52. 52. Friday, October 11, 13
  53. 53. Friday, October 11, 13
  54. 54. Friday, October 11, 13
  55. 55. Rinse, Lather, Repeat Friday, October 11, 13
  56. 56. Everywhere! DB Access Session Management State Management User Management ... Friday, October 11, 13
  57. 57. Be a dot connector! Friday, October 11, 13
  58. 58. Counter Intelligence use-case Problem dormant accounts used for fraud (and/or money laundering) Friday, October 11, 13
  59. 59. Counter Intelligence use-case Problem dormant accounts used for fraud (and/or money laundering) Account Friday, October 11, 13
  60. 60. Counter Intelligence use-case Problem dormant accounts used for fraud (and/or money laundering) Account Friday, October 11, 13
  61. 61. Counter Intelligence use-case Problem dormant accounts used for fraud (and/or money laundering) Account >1yr dormant Friday, October 11, 13
  62. 62. Counter Intelligence use-case Problem dormant accounts used for fraud (and/or money laundering) Account >1yr dormant laundering Friday, October 11, 13
  63. 63. Counter Intelligence use-case Problem dormant accounts used for fraud (and/or money laundering) Account >1yr dormant laundering Intl. transfers Friday, October 11, 13
  64. 64. Counter Intelligence use-case Problem dormant accounts used for fraud (and/or money laundering) Account >1yr dormant laundering Intl. transfersInternal/ External??? Friday, October 11, 13
  65. 65. Account Friday, October 11, 13
  66. 66. AccountAccountAccountAccountAccount Friday, October 11, 13
  67. 67. List AccountAccountAccountAccountAccount Friday, October 11, 13
  68. 68. Marketing Accounting Branch mgmt. List AccountAccountAccountAccountAccount Friday, October 11, 13
  69. 69. Marketing Accounting Branch mgmt. List AccountAccountAccountAccountAccount Friday, October 11, 13
  70. 70. Marketing Accounting Branch mgmt. List AccountAccountAccountAccountAccount List AccountAccountAccountAccountAccount Friday, October 11, 13
  71. 71. Marketing Accounting Branch mgmt. List AccountAccountAccountAccountAccount List AccountAccountAccountAccountAccount List AccountAccountAccountAccountAccount Friday, October 11, 13
  72. 72. Marketing Accounting Branch mgmt. List AccountAccountAccountAccountAccount List AccountAccountAccountAccountAccount List AccountAccountAccountAccountAccount Internal user Friday, October 11, 13
  73. 73. Marketing Accounting Branch mgmt. List AccountAccountAccountAccountAccount List AccountAccountAccountAccountAccount List AccountAccountAccountAccountAccount Internal user Friday, October 11, 13
  74. 74. Marketing Accounting Branch mgmt. List AccountAccountAccountAccountAccount List AccountAccountAccountAccountAccount List AccountAccountAccountAccountAccount Internal user Friday, October 11, 13
  75. 75. Internal user Friday, October 11, 13
  76. 76. Internal user PC Friday, October 11, 13
  77. 77. Internal user PC Friday, October 11, 13
  78. 78. Internal user PC Trojan Friday, October 11, 13
  79. 79. Internal user PC Trojan Friday, October 11, 13
  80. 80. Internal user PC Trojan Friday, October 11, 13
  81. 81. Internal user PC Trojan C&C Friday, October 11, 13
  82. 82. Internal user PC Trojan C&C Bad Guys(tm) Friday, October 11, 13
  83. 83. Log on context Weird state changes Repeatable expectable actions Who, what, why Help me get the story right! Friday, October 11, 13
  84. 84. Questions? Comments! Ian Amit @iiamit ian.amit@ioactive.com Friday, October 11, 13

×