
10 Mistakes Hackers Want You to Make

Slides from my talk at DevoxxBE 2018


  1. 10 MISTAKES HACKERS WANT YOU TO MAKE JOE KUTNER
  2. HELLO JOE KUTNER ▸ @codefinger ▸ Java Language Owner
  3. Security is hard
  4. Security is an asymmetric problem
  5. SECURITY IS LIKE A RUBIK'S CUBE
  6. #1 #2 #3 #4 #5 #6 #7 #8 #9 #10
  7. USING DEPENDENCIES WITH KNOWN VULNERABILITIES MISTAKE #1
  8. USING DEPENDENCIES WITH KNOWN VULNERABILITIES ▸ More than 70% of real-world attacks exploit a known vulnerability for which a fix is available but has not yet been applied http://www.verizonenterprise.com/verizon-insights-lab/dbir/
  9. IT WAS CVE-2017-5638 ▸ Equifax Statement: "Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement." https://help.equifax.com/s/article/What-was-the-vulnerability
  10. MARCH 10, 2017 https://nvd.nist.gov/vuln/detail/CVE-2017-5638
  11. HOW IT HAPPENED... TIMELINE (2017)
      ▸ March 6: CVE-2017-5638 (S2-045) discovered
      ▸ March 7: Struts 2.3.32 and 2.5.10.1 released with a fix
      ▸ May to July: Equifax says hackers gained unauthorized access to its data
      ▸ July 29: Equifax discovers the hack and immediately stops the intrusion
      ▸ September 7: Equifax officially alerts the public
  12. USING DEPENDENCIES WITH KNOWN VULNERABILITIES THE EQUIFAX HACK WAS A WAKE-UP CALL! ▸ If a vulnerability was discovered in one of the frameworks you use, would you know about it?
  13. CVE-2017-8046 "SPRING BREAK"
  14. USING DEPENDENCIES WITH KNOWN VULNERABILITIES AUTOMATE DEPENDENCY MANAGEMENT Versions Plugin
  15. USING DEPENDENCIES WITH KNOWN VULNERABILITIES
      $ mvn versions:display-parent-updates
      ...
      [INFO] The parent project has a newer version:
      [INFO] org.springframework.boot:spring-boot-starter-parent 1.5.6.RELEASE -> 2.0.1.RELEASE
      $ mvn versions:update-parent
      ...
      [INFO] Updating parent from 1.5.6.RELEASE to 2.0.1.RELEASE
  16. NOT GOOD ENOUGH
  17. USING DEPENDENCIES WITH KNOWN VULNERABILITIES
  18. STILL NOT GOOD ENOUGH
  19. https://snyk.io Continuous Vulnerability Detection & Resolution
  20. THIS IS GOOD
  21. KNOW YOUR DEPENDENCIES TAKE ACTION!
      1. Automate: mvn versions:update-parent
      2. Generate dependency reports
      3. Use dependency monitoring: https://snyk.io
      4. Watch NVD feeds: https://nvd.nist.gov/
  22. UNSANITIZED USER INPUT MISTAKE #2
  23. UNSANITIZED USER INPUT SIZE MATTERS
  24. UNSANITIZED USER INPUT TYPES OF INPUT ▸ Username and Password ▸ Request body ▸ Request headers ▸ Query params
  25. UNSANITIZED USER INPUT SOLUTIONS: ▸ Prepared Statements ▸ JSR 303 Annotations ▸ @Size ▸ @Max ▸ @NotBlank
  26. UNSANITIZED USER INPUT
      {
        "name" : "Bob",
        "age" : 13,
        "other" : {
          "type" : "student"
        }
      }
  27. UNSANITIZED USER INPUT
      {
        "id" : 124,
        "obj" : [
          "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
          {
            "transletBytecodes" : [ "AAIAZQ==" ],
            "transletName" : "a.b",
            "outputProperties" : { }
          }
        ]
      }
  28. UNSANITIZED USER INPUT SOLUTIONS: ▸ JSON Schema Validation ▸ https://github.com/everit-org/json-schema ▸ https://github.com/java-json-tools/json-schema-validator
  29. UNSANITIZED USER INPUT
  30. UNSANITIZED USER INPUT TAKE ACTION!
      1. Treat user input like a nuclear bomb
      2. Use JSON Schema for your inputs
      3. Validate JSON payloads with a Filter
  31. UNSANITIZED USER INPUT BUT REMEMBER... ▸ Input validation is a defensive layer that limits what input a user may submit to an application; it is often not a layer you can depend on. ▸ You can build a completely secure web application and skip all input validation... but I don't recommend it.
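The schema-validation step from slides 26 to 30, worked through as an added example (it is not code from the talk). It uses the everit JSON Schema library the slide links to (`org.everit.json.schema`, assumed on the classpath together with `org.json`). The schema itself is constructed here for the slide-26 shape: it whitelists `name`, `age` and `other.type`, bounds their sizes, and sets `additionalProperties` to `false`, so the slide-27 payload is rejected before any deserializer ever sees the class name it carries. The `enum` values for `other.type` are an assumption.

```java
import java.util.Collections;
import java.util.List;

import org.everit.json.schema.Schema;
import org.everit.json.schema.ValidationException;
import org.everit.json.schema.loader.SchemaLoader;
import org.json.JSONException;
import org.json.JSONObject;

/** Validates an incoming JSON body against a whitelist schema before it reaches any deserializer. */
public class PayloadValidator {

    // Constructed schema for the slide-26 payload. "additionalProperties": false is the important
    // part: any key we did not plan for (such as "obj" on slide 27) fails validation outright.
    static final String PERSON_SCHEMA = String.join("\n",
        "{",
        "  \"$schema\": \"http://json-schema.org/draft-04/schema#\",",
        "  \"type\": \"object\",",
        "  \"properties\": {",
        "    \"name\":  { \"type\": \"string\",  \"minLength\": 1, \"maxLength\": 64 },",
        "    \"age\":   { \"type\": \"integer\", \"minimum\": 0,   \"maximum\": 150 },",
        "    \"other\": {",
        "      \"type\": \"object\",",
        "      \"properties\": { \"type\": { \"type\": \"string\", \"enum\": [\"student\", \"teacher\"] } },",
        "      \"additionalProperties\": false",
        "    }",
        "  },",
        "  \"required\": [\"name\", \"age\"],",
        "  \"additionalProperties\": false",
        "}");

    private final Schema schema;

    public PayloadValidator(String schemaJson) {
        this.schema = SchemaLoader.load(new JSONObject(schemaJson));
    }

    /** Returns an empty list when the payload conforms, otherwise one message per violation. */
    public List<String> validate(String json) {
        try {
            schema.validate(new JSONObject(json));
            return Collections.emptyList();
        } catch (ValidationException e) {
            return e.getAllMessages();
        } catch (JSONException e) {
            // Malformed JSON is a client error, not a reason for a 500 or a stack trace in the response.
            return Collections.singletonList("malformed JSON: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        PayloadValidator validator = new PayloadValidator(PERSON_SCHEMA);

        // The two payloads from the slides, embedded here as constructed test input.
        String benign = "{ \"name\": \"Bob\", \"age\": 13, \"other\": { \"type\": \"student\" } }";
        String gadget = "{ \"id\": 124, \"obj\": [ \"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\","
                      + " { \"transletBytecodes\": [ \"AAIAZQ==\" ], \"transletName\": \"a.b\", \"outputProperties\": {} } ] }";

        System.out.println("benign -> " + validator.validate(benign));
        System.out.println("gadget -> " + validator.validate(gadget));
    }
}
```

The benign payload validates with no messages; the slide-27 payload fails on two independent grounds (`name` and `age` are required but absent, and `id` and `obj` are not permitted keys). To follow slide 30's third point, wrap `validate` in a servlet `Filter` that reads the body once, rejects with 400 on any message, and only then lets the request reach the JSON mapper.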
  32. UNSAFE REGEX MISTAKE #3
  33. UNSAFE REGEX (a|aa)+ "aaaaaaaaaaaaaaaaaaaaaaaa!"
  34. UNSANITIZED USER INPUT REGEX DENIAL-OF-SERVICE ▸ Occurs when a regular expression is written such that the time needed to evaluate it grows exponentially with the size of the input. ▸ Attackers can exploit such a vulnerability to cause a denial of service in your application by sending a relatively tiny amount of data and forcing your application to consume a huge number of server cycles validating it.
  35. KNOW YOUR DEPENDENCIES TAKE ACTION!
  36. UNSAFE REGEX
      $ java -jar saferegex.jar "(a|aa)+"
      Testing: (a|aa)+
      More than 10000 samples found.
      *** This expression is vulnerable.
      Sample input: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab
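The slide's `(a|aa)+` case, with the two fixes a reviewer would ask for, as an added example (not code from the talk). The pattern is ambiguous: a run of n a's can be split into "a" and "aa" pieces in roughly 1.6^n ways, and the non-matching "!" at the end makes the backtracking engine try every one of them before giving up. The equivalent `a+` accepts exactly the same strings but has one way to match, and a length cap bounds the work even when a pattern slips through review. The timing loop uses constructed inputs and Java 11's `String.repeat`.

```java
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

/** The ambiguous pattern from the slide next to its unambiguous equivalent, plus a length guard. */
public class SafeRegex {

    // Ambiguous: "aaaa" matches as a|a|a|a, aa|a|a, a|aa|a, ... and a failing suffix forces all of them.
    static final Pattern AMBIGUOUS = Pattern.compile("(a|aa)+");

    // Same language (one or more a's), but every input has exactly one way to match.
    static final Pattern UNAMBIGUOUS = Pattern.compile("a+");

    // Second line of defence: never hand a regex more text than the field can legitimately hold.
    static final int MAX_INPUT_LENGTH = 256;

    /** Validate with the unambiguous pattern and refuse oversized input instead of scanning it. */
    public static boolean isAllAs(String input) {
        if (input == null || input.length() > MAX_INPUT_LENGTH) {
            return false;
        }
        return UNAMBIGUOUS.matcher(input).matches();
    }

    /** Wall-clock milliseconds for a single matches() call. */
    static long timeMatch(Pattern pattern, String input) {
        long start = System.nanoTime();
        pattern.matcher(input).matches();
        return TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - start);
    }

    public static void main(String[] args) {
        // Constructed inputs shaped like the slide's "aaaa...!". Lengths are kept small enough to
        // finish; watch how the ambiguous column grows with each extra 'a' while a+ stays flat.
        for (int n = 20; n <= 30; n += 2) {
            String input = "a".repeat(n) + "!";
            System.out.printf("n=%2d  (a|aa)+ %6d ms    a+ %d ms%n",
                n, timeMatch(AMBIGUOUS, input), timeMatch(UNAMBIGUOUS, input));
        }
        System.out.println("guarded aaaa      -> " + isAllAs("aaaa"));
        System.out.println("guarded 1000 a's  -> " + isAllAs("a".repeat(1000)));
    }
}
```

When the pattern cannot be rewritten (third-party formats, user-supplied patterns), the length cap and a timeout around the match are what remain; the saferegex run on the slide is the check to put into the build so that such a pattern never reaches production in the first place.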
  37. FAILURE TO PREVENT ABUSIVE REQUESTS MISTAKE #4
  38. ABUSIVE REQUESTS SOLUTIONS: ▸ Throttle by IP ▸ Sometimes by user-agent, and other headers ▸ Blacklist
  39. RATE-LIMITING Bucket4j ▸ Uses the token bucket algorithm for rate-limiting ▸ Support for clustering (via JSR 107) ▸ Highly configurable bandwidths ▸ Both synchronous and asynchronous API ▸ Used by JHipster API Gateway
  40. pom.xml RATE-LIMITING Bucket4j
  41. application.yml RATE-LIMITING Bucket4j
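Slides 38 and 39 name the technique (throttle by IP, Bucket4j token buckets) but the pom.xml and application.yml slides did not survive extraction. Here is the filter a practitioner would write from that description, as an added example rather than the talk's code. It assumes the Bucket4j 4.x API (`io.github.bucket4j.Bucket4j.builder()`, `Bandwidth.simple`) and the `javax.servlet` API; the 60-per-minute bandwidth and header names are choices made here.

```java
import java.io.IOException;
import java.time.Duration;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import io.github.bucket4j.Bandwidth;
import io.github.bucket4j.Bucket;
import io.github.bucket4j.Bucket4j;
import io.github.bucket4j.ConsumptionProbe;

/** Per-client-IP token bucket: CAPACITY requests per PERIOD, refilled continuously. */
public class IpRateLimitFilter implements Filter {

    private static final long CAPACITY = 60;
    private static final Duration PERIOD = Duration.ofMinutes(1);

    // One bucket per client key. In production bound this map (or use Bucket4j's JCache/JSR 107
    // backend, which the slide mentions for clustering) so the key space cannot itself be abused.
    private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();

    private static Bucket newBucket() {
        return Bucket4j.builder()
            .addLimit(Bandwidth.simple(CAPACITY, PERIOD))
            .build();
    }

    /**
     * The throttling key. getRemoteAddr() is the peer that connected to us; only substitute an
     * X-Forwarded-For value here if a proxy you control strips and sets that header.
     */
    static String clientKey(HttpServletRequest request) {
        return request.getRemoteAddr();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        Bucket bucket = buckets.computeIfAbsent(clientKey(req), key -> newBucket());
        ConsumptionProbe probe = bucket.tryConsumeAndReturnRemaining(1);

        if (probe.isConsumed()) {
            res.setHeader("X-Rate-Limit-Remaining", Long.toString(probe.getRemainingTokens()));
            chain.doFilter(request, response);
        } else {
            // Tell well-behaved clients when to come back; abusive ones simply get 429s cheaply.
            long retryAfterSeconds = Duration.ofNanos(probe.getNanosToWaitForRefill()).getSeconds() + 1;
            res.setHeader("Retry-After", Long.toString(retryAfterSeconds));
            res.sendError(429, "Too Many Requests");
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}
```

Register it ahead of authentication (for example with `@WebFilter("/*")`, or a `FilterRegistrationBean` with a low order in Spring Boot) so that a flood of bad logins is throttled before it costs a password hash per request. Keying by user-agent or other headers, as slide 38 suggests, is the same filter with a different `clientKey`.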
  43. "We identified security vulnerabilities in the suggested code of accepted answers [on Stackoverflow.com]"
  44. MISCONFIGURING SPRING-SECURITY COMMON CHALLENGES ▸ Overzealous antMatchers with permitAll ▸ Invocation order between HttpSecurity methods ▸ Converting from XML-based to Java-based configurations ▸ Implicit constraints are not documented
  45. MISCONFIGURING SPRING-SECURITY SUB-TEXT ▸ Don't trust people on the Internet
  46. SECRETS IN YOUR SOURCE CODE MISTAKE #6
  47. "...the codebase could be made open source at any moment, without compromising any credentials."
  48. SECRETS IN YOUR SOURCE CODE TAKE ACTION! ▸ Environment variables ▸ Spring Cloud Config ▸ Hashicorp Vault
  49. ALLOWING HTTP REQUESTS MISTAKE #7
  50. ALLOWING HTTP REQUESTS DISABLE HTTP IN SPRING
  51. ALLOWING HTTP REQUESTS
  52. DISABLING CERTIFICATE CHECKING MISTAKE #8
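The "overzealous antMatchers with permitAll" and "invocation order" bullets of slide 44, and the "disable HTTP in Spring" slide whose body did not survive extraction, share one Spring Security configuration, so here is one added example covering both (my code, not the talk's). It assumes Spring Security 5.0's `WebSecurityConfigurerAdapter` API of the time. The two adapters are shown side by side only for contrast; a real application has one of them (two at the same `@Order` would fail to start).

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * MISTAKE #5 as it usually looks. antMatchers are evaluated top to bottom and the FIRST match wins,
 * so the "/**" permitAll swallows "/admin/**" and the hasRole rule beneath it is never consulted:
 * the admin area is anonymous. Nothing warns you; this is the "implicit constraints are not
 * documented" point from the slide.
 */
@Configuration
@EnableWebSecurity
public class MisconfiguredSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/**").permitAll()              // matches every path, including /admin/...
                .antMatchers("/admin/**").hasRole("ADMIN")   // dead rule: never reached
            .and()
            .formLogin();
    }
}

/** Corrected: most specific rules first, deny-by-default last, and no plain HTTP (MISTAKE #7). */
@Configuration
@EnableWebSecurity
class HardenedSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Mistake #7: every request must arrive over TLS; HTTP requests are redirected to HTTPS.
        http.requiresChannel().anyRequest().requiresSecure();

        // And tell browsers to stop trying HTTP at all for a year (HSTS).
        http.headers().httpStrictTransportSecurity()
                .includeSubDomains(true)
                .maxAgeInSeconds(31536000);

        http.authorizeRequests()
                // Narrow, explicit public surface. Paths are examples chosen for this snippet.
                .antMatchers("/", "/login", "/public/**", "/css/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                // The catch-all goes LAST and requires authentication, so anything you forgot
                // to list is protected rather than exposed.
                .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```

The ordering rule is the thing to remember when copying a configuration from an accepted answer: read the matchers top to bottom, ask which one a request for `/admin/users` hits first, and make sure the last line is `anyRequest().authenticated()` (or `denyAll()`), never `permitAll()`.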
  53. DISABLING CERTIFICATE CHECKING HAVE YOU SEEN THIS EXCEPTION?
      Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
          at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
          at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
          ... 20 more
      Caused by: java.security.cert.CertPathValidatorException: signature check faile
          at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMa
          at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPath
          at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPath
          ... 26 more
      Caused by: java.security.SignatureException: Signature does not match.
          at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:449)
          at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.j
          at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
          ... 31 more
  54. DISABLING CERTIFICATE CHECKING ADD THE CERT TO YOUR TRUSTSTORE
      $ keytool -keystore <truststore file> -alias <alias> -import -file <certfilename>.cert
  55. DISABLING CERTIFICATE CHECKING TAKE ACTION ▸ Don't trust people on the Internet ▸ Use HTTPS everywhere ▸ Validate certificates with EnvKeyStore
  56. LACK OF INTRUSION DETECTION MISTAKE #9
  57. LOGGING
  58. WHAT TO LOG? ▸ Logins (Successful and Failed) ▸ Logouts ▸ Password changes ▸ User profile changes ▸ Password reset ▸ User de-registration ▸ Authorization failures ▸ Changes to access levels ▸ Operational activities (backups) ▸ Input validation failures ▸ Any sensitive operation
  59. WHAT NOT TO LOG ▸ Session ID (hash instead) ▸ Passwords ▸ Anything sensitive
  60. WHAT NOT TO LOG ▸ In 2012, Radu Dragusin discovered a log file on a public IEEE FTP server that contained more than 100,000 usernames and passwords ▸ Google, Apple, Microsoft, Oracle, IBM
  61. IN ADDITION TO INFO, WARN, DEBUG, ETC HOW TO LOG ▸ SECURITY_SUCCESS ▸ SECURITY_FAILURE ▸ SECURITY_AUDIT
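The right answer to the exception on slide 53 is to make the JVM trust the certificate, not to switch verification off. As an added example (not the talk's code), the following builds an `SSLContext` from either the truststore that slide 54's `keytool` command populates or from PEM text held in an environment variable, which is the idea behind the EnvKeyStore library the slide recommends, reproduced here with plain JDK APIs rather than that library. The environment variable names, the default truststore path and the `example.test` host are placeholders chosen for this snippet.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds SSLContexts that trust exactly the CAs you chose, with full chain and hostname checks intact. */
public final class TrustedClient {

    /** Trust the certificates in a keytool-managed truststore file (slide 54). */
    public static SSLContext fromTrustStore(Path trustStore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStore)) {
            ks.load(in, password);
        }
        return contextFor(ks);
    }

    /** Trust the PEM certificate(s) in a string, e.g. from an environment variable (the EnvKeyStore idea). */
    public static SSLContext fromPem(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs =
            cf.generateCertificates(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                          // a fresh, empty, in-memory truststore
        int i = 0;
        for (Certificate cert : certs) {
            ks.setCertificateEntry("trusted-" + (i++), cert);
        }
        return contextFor(ks);
    }

    private static SSLContext contextFor(KeyStore trust) throws Exception {
        // The platform's real PKIX trust manager, just pointed at our truststore. This is the
        // opposite of the "accept everything" X509TrustManager that makes the exception go away.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // default key managers and RNG
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder variable names: TRUSTED_CERT carries PEM text; otherwise fall back to a file.
        String pem = System.getenv("TRUSTED_CERT");
        SSLContext ctx = (pem != null)
            ? fromPem(pem)
            : fromTrustStore(
                  Paths.get(System.getenv().getOrDefault("TRUSTSTORE_PATH", "truststore.jks")),
                  System.getenv().getOrDefault("TRUSTSTORE_PASSWORD", "changeit").toCharArray());

        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://internal.example.test/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Deliberately no setHostnameVerifier(...) override: hostname verification is part of the check.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Either path keeps the three things the stack trace on slide 53 was protecting: the chain must lead to a CA you chose, every signature in it must verify, and the name in the leaf must match the host you dialled.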
  62. USE CUSTOM MARKERS LOGBACK
      log.warn(SecurityMarkers.SECURITY_AUDIT,
          "Anonymous account access. Forwarding to login");
      log.error(SecurityMarkers.SECURITY_FAILURE,
          "Unauthorized user {} attempted admin access",
          user.getUsername());
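Slides 58 to 62 together describe one logging discipline: log the security-relevant events, never log the session ID or a password, and tag each entry with a SECURITY_* marker so it can be routed separately. The following added example (my code, not the talk's; the talk uses the `SecurityMarkers` class of the OWASP Security Logging project) does the same with plain SLF4J markers plus a Logback filter that sends only marked events to a dedicated appender. It assumes SLF4J and Logback 1.2 on the classpath; the method names and message formats are choices made here.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.Marker;
import org.slf4j.MarkerFactory;

import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.core.filter.Filter;
import ch.qos.logback.core.spi.FilterReply;

/** Security event logging with the three marker types from slide 61. */
public final class SecurityLog {

    public static final Marker SECURITY_SUCCESS = MarkerFactory.getMarker("SECURITY_SUCCESS");
    public static final Marker SECURITY_FAILURE = MarkerFactory.getMarker("SECURITY_FAILURE");
    public static final Marker SECURITY_AUDIT   = MarkerFactory.getMarker("SECURITY_AUDIT");

    private static final Logger log = LoggerFactory.getLogger(SecurityLog.class);

    /**
     * Slide 59: "Session ID (hash instead)". A truncated SHA-256 lets an analyst correlate
     * entries for one session without the log file being a way to hijack it.
     */
    public static String sessionRef(String sessionId) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(sessionId.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest).substring(0, 16);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Strip CR/LF and other control characters so user-supplied values cannot forge log lines. */
    static String clean(String value) {
        return value == null ? "-" : value.replaceAll("[\\p{Cntrl}]", "?");
    }

    public static void loginSucceeded(String username, String sessionId) {
        log.info(SECURITY_SUCCESS, "login ok user={} session={}", clean(username), sessionRef(sessionId));
    }

    public static void loginFailed(String username, String remoteAddr) {
        log.warn(SECURITY_FAILURE, "login failed user={} ip={}", clean(username), clean(remoteAddr));
    }

    public static void accessLevelChanged(String actor, String target, String newRole) {
        log.warn(SECURITY_AUDIT, "role change actor={} target={} role={}", clean(actor), clean(target), clean(newRole));
    }

    /**
     * Attach this to a dedicated appender in logback.xml (<filter class="...SecurityLog$SecurityMarkerFilter"/>)
     * and it passes only SECURITY_* events, whatever their level, so the security log is not
     * drowned in application DEBUG output and can be shipped to the monitoring team on its own.
     */
    public static final class SecurityMarkerFilter extends Filter<ILoggingEvent> {
        @Override
        public FilterReply decide(ILoggingEvent event) {
            Marker marker = event.getMarker();
            if (marker != null && marker.getName().startsWith("SECURITY_")) {
                return FilterReply.ACCEPT;
            }
            return FilterReply.DENY;
        }
    }

    public static void main(String[] args) {
        // Constructed sample events covering the three marker types.
        loginSucceeded("bob", "3F1A9C...constructed-session-id");
        loginFailed("bob\nFAKE ENTRY admin login ok", "203.0.113.7");
        accessLevelChanged("alice", "bob", "ADMIN");
    }
}
```

The `clean` step is worth keeping even though the slides do not call it out: slide 58 asks you to log input validation failures, and the thing that failed validation is exactly the value most likely to contain a newline.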
  63. DETECTION
  64. APP LAYER INTRUSION DETECTION ▸ Traditional intrusion detection systems focus on attacks below the HTTP layer ▸ They do not provide context within the application environment
  65. OWASP APP SENSOR PROJECT ▸ Detect and respond to attacks from within the application
  66. http://www.appsensor.org/
  67. WEB APP APPSENSOR Events Response
  68. WEB APP APPSENSOR HEY, THIS LOOKS WEIRD NAH, IT'S COOL
  69. WEB APP APPSENSOR LOOKS LIKE AN ATTACK! OK, I'LL BLOCK THAT USER HEY, THIS LOOKS WEIRD
  70. WEB APP APPSENSOR Event Event Event Attack! Response Action
  71. 
      import javax.inject.Inject;
      import javax.ws.rs.GET;
      import javax.ws.rs.NotAuthorizedException;
      import javax.ws.rs.Path;
      import javax.ws.rs.QueryParam;
      // AppSensor client API (appsensor-core); UserContext, Data, DetectionPoints, Account and
      // AccountDao are the application's own types and are not shown on the slide.
      import org.owasp.appsensor.core.AppSensorClient;
      import org.owasp.appsensor.core.Event;

      @Path("/accounts")
      public class AccountViewHandler {
          @Inject AppSensorClient ids;    // reports events to the AppSensor detection engine
          @Inject AccountDao accountDao;  // added: the slide uses accountDao without declaring it

          @GET
          @Path("/view")
          Account findAccount(@QueryParam("id") String id) throws NotAuthorizedException {
              User user = UserContext.getCurrentUser();
              if (!user.isAuthorized(Data.Account, id)) {
                  // Authorization failure: record a detection-point event before refusing, so repeated
                  // attempts by this user can be correlated into an Attack and acted on.
                  Event event = new Event(
                      new org.owasp.appsensor.core.User(user.getUsername()),
                      DetectionPoints.BRUTE_FORCE_ACCOUNT);
                  ids.addEvent(event);
                  throw new NotAuthorizedException("Not authorized to access this account.");
              }
              return accountDao.find(id);
          }
      }
  72. TAKE ACTION INTRUSION DETECTION ▸ Log all security related actions ▸ Except secrets ▸ Monitor your logs ▸ Add Detection Points ▸ React to Detection Point Triggers
  73. YOU! MISTAKE #10
  74. YOU HUMAN ERROR ▸ Not using Two-Factor Auth ▸ Leaving Your Laptop Unlocked ▸ Reusing Passwords
  75. REVIEW 10 MISTAKES HACKERS WANT YOU TO MAKE ▸ Using dependencies with known vulnerabilities ▸ Unsanitized user input ▸ Unsafe regex ▸ Failure to prevent abusive requests ▸ Misconfiguring Spring Security ▸ Allowing HTTP requests ▸ Disabling certificate checking ▸ Secrets in source code ▸ Lack of intrusion detection ▸ You!
  76. GOODBYE THANK YOU ▸ @codefinger
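Slides 67 to 72 describe the AppSensor loop in pictures: events flow in, a few of the same kind from one user become an Attack, and an Attack triggers a Response. The following added example (my code, not the talk's and not the AppSensor library) implements that loop in a few dozen lines so the mechanics of "Event Event Event Attack! Response" are visible; the slide-71 handler would call `addEvent` where it calls `ids.addEvent`. Thresholds, the window and the two constructed users are assumptions for this snippet.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

/** An in-application detection point: too many events of one kind from one user in a window = Attack. */
public final class DetectionPoint {

    /** What the application should do after this event (slide 70's "Response Action"). */
    public enum Response { LOG, BLOCK_USER }

    private final String id;
    private final int threshold;
    private final Duration window;
    private final Map<String, Deque<Instant>> eventsByUser = new HashMap<>();

    public DetectionPoint(String id, int threshold, Duration window) {
        this.id = id;
        this.threshold = threshold;
        this.window = window;
    }

    /**
     * Record one event and decide. Events older than the window are dropped first, so a user who
     * trips once a day never accumulates; `threshold` events inside the window is an Attack.
     */
    public synchronized Response addEvent(String username, Instant at) {
        Deque<Instant> recent = eventsByUser.computeIfAbsent(username, u -> new ArrayDeque<>());
        Instant cutoff = at.minus(window);
        while (!recent.isEmpty() && recent.peekFirst().isBefore(cutoff)) {
            recent.pollFirst();
        }
        recent.addLast(at);

        if (recent.size() >= threshold) {
            recent.clear();            // the attack has been acted on; start counting afresh
            return Response.BLOCK_USER;
        }
        return Response.LOG;
    }

    public String id() {
        return id;
    }

    public static void main(String[] args) {
        // Slide 71's detection point, with a constructed policy: 5 account-authorization failures
        // from one user within 60 seconds is brute-forcing account IDs.
        DetectionPoint bruteForceAccount = new DetectionPoint("BRUTE_FORCE_ACCOUNT", 5, Duration.ofSeconds(60));
        Instant t0 = Instant.parse("2018-11-12T10:00:00Z");

        // Constructed event stream: "bob" mistypes twice; "mallory" walks through account IDs.
        System.out.println("bob     -> " + bruteForceAccount.addEvent("bob", t0.plusSeconds(1)));
        System.out.println("bob     -> " + bruteForceAccount.addEvent("bob", t0.plusSeconds(30)));
        for (int i = 0; i < 5; i++) {
            Response r = bruteForceAccount.addEvent("mallory", t0.plusSeconds(2 * i));
            System.out.println("mallory -> " + r);   // LOG four times, then BLOCK_USER on the fifth
        }
        // An hour later mallory's earlier events have aged out of the window; one event is just a LOG again.
        System.out.println("mallory -> " + bruteForceAccount.addEvent("mallory", t0.plusSeconds(3600)));
    }
}
```

The response side (slides 69 and 72, "React to Detection Point Triggers") is where the application has context a network IDS never gets: on `BLOCK_USER` it can invalidate that user's session, lock the account, or step up to 2FA, instead of only emitting an alert for someone to read later.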
