"It's Just a Web Site": How Poor Web Programming is Ruining Information Security


  1. “It’s Just a Web Site...”: How Poor Web Programming is Ruining Information Security. Mark Stanislav <mark.stanislav@gmail.com>
  2. Me
     • Senior Consultant for NetWorks Group
     • A decade of web application programming and systems administration
     • Responsible disclosure of web application software vulnerabilities in ~15 products and sites over the last year
  3. 2011; Let’s Review!
  4. March 2011: “...posted a dump of information extracted from MySQL, including the cracked passwords of users...” http://www.scmagazineus.com/oracles-mysqlcom-hacked-via-sql-injection/article/199419/
  5. April 2011: “The attacker uncovered email addresses of select Barracuda employees with their passwords as well as name, email address, company affiliations and phone numbers of sales leads generated by the company’s channel partners...” http://www.eweek.com/c/a/Security/Security-Firm-Barracuda-Networks-Embarrassed-by-Hacker-Database-Breakin-729619/
  6. May 2011: “During the incident, parts of the company’s database, including customer data and submitted certificate requests, were accessed...” http://www.h-online.com/security/news/item/Another-Comodo-SSL-registrar-hacked-1250283.html
  7. May 2011: “...it [LulzSec] posted information for staffers, the PBS network, and password info for PBS stations.” http://www.huffingtonpost.com/2011/05/30/pbs-hacked-tupac-alive_n_868673.html
     June 2011: “...a ‘very small number’ of administrative user names and encrypted passwords were stolen.” http://www.huffingtonpost.com/2011/06/25/pbs-hacked-again-some-dat_n_884472.html
  8. June 2011: “Citigroup admitted on Wednesday that an attack on its website allowed hackers to view customers’ names, account numbers and contact information such as e-mail addresses for about 210,000 of its cardholders.” http://www.pcworld.com/businesscenter/article/229868/citigroup_breach_exposed_data_on_210000_customers.html
  9. June 2011: “...that they [LulzSec] have broken into SonyPictures.com and compromised more than 1 million user accounts. An additional 75,000 music codes and 3.5 million coupons were also uncovered.” http://www.cnn.com/2011/TECH/web/06/03/sony.pictures.hacked.mashable/index.html
  14. You’ve been scared of...
     • APT
     • People’s Liberation Army
     • Al-Qaeda
     • The Malicious Insider
  16. But you got owned by... LulzSec
  17. So what gives...?
  18. Poor Web Programming!
  21. Want to be a hacker?
     [Check image: Date 08/21/2011; Pay to the order of Mark Stanislav; $100 / One Hundred; signed “My New Best Friend”]
     What did they do wrong?
  24. They let me control...
     [Same check, altered: Date 08/21/2011; Pay to the order of Mark Stanislav; $100,000.00 / One Hundred Thousand and 00/100--; signed “My New Best Friend”]
     ...the important details.
  25. But everyone knows not to do that!
  27. What about now?
     http://test.com/news.php?id=11
     An attacker can control these details too....
     http://test.com/news.php?id=' UNION SELECT password FROM Users
  31. Checks and Web Sites
     • Both accept certain kinds of input
       ◦ Checks: Name. Value. Memo. Signature.
       ◦ URL: Site. Page. Parameters.
     • Both can be compromised if you aren’t careful
       ◦ Checks: Additional numbers or commas
       ◦ URL: Additional file or database queries
     • Both problems are easily fixed...
  36. So what was that?
     • Most high-profile web site attacks this year (and many, many years past) were due to what’s called ‘SQL Injection’
     • SQL injection simply means passing extra database instructions to a web application which was never intended to allow such a thing
     • Example: You view a web site to read a news article and can pass extra database requests to steal user passwords
     • In many cases, the attack can be fully automated to look for “the check not properly filled-out” and compromise can occur without a human doing any work...
  41. Other ‘Bad Things’
     • Local File Inclusion: I can pick which files off of your web server I want to view
     • Local File Deletion: I can pick which files off of your web server I want to delete
     • Authentication Bypass: I don’t need to even steal your username and/or password
     • Lack of Cryptography: As if bad passwords weren’t easy enough to brute-force, we can just steal plaintext passwords for all of your users
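The first two bullets of slide 41 in code, as an added example that is not from the talk: a Python page loader that takes the file name from the request and so lets the client walk out of the document root with `../`, beside a loader that allow-lists the name and checks that the resolved path stays inside the root. The directory layout, file contents and function names (`vulnerable_include`, `hardened_include`) are constructed for this example.

```python
"""Added example: the 'pick which file you want to view' bug (slides 38-39)
beside a loader that keeps the lookup inside the document root.

Not code from the talk. The directory layout and file contents are
constructed in a temporary directory; the function names are this
example's own."""
import os
import tempfile
from typing import Dict


def build_docroot() -> str:
    """Constructed layout (returns the pages directory):
        <tmp>/secret.conf            outside the web root, must never be served
        <tmp>/www/pages/home.html
        <tmp>/www/pages/about.html
        <tmp>/www/pages/evil.html    symlink -> ../../secret.conf (if supported)
    """
    base = tempfile.mkdtemp(prefix="lfi-demo-")
    pages = os.path.join(base, "www", "pages")
    os.makedirs(pages)
    files = {
        os.path.join(base, "secret.conf"): "db_password=hunter2\n",
        os.path.join(pages, "home.html"): "<h1>Home</h1>\n",
        os.path.join(pages, "about.html"): "<h1>About</h1>\n",
    }
    for path, body in files.items():
        with open(path, "w") as f:
            f.write(body)
    try:  # a link inside the root that points out, to exercise the containment check
        os.symlink(os.path.join(base, "secret.conf"), os.path.join(pages, "evil.html"))
    except OSError:
        pass  # platforms without symlink support just skip that part of the demo
    return pages


def vulnerable_include(pages_dir: str, page: str) -> str:
    """index.php?page=about.html style: the parameter is the file name.
    os.path.join walks '..' segments without complaint, so the client
    decides which file on the server is read (or, with os.remove in place
    of open, deleted: the 'Local File Deletion' bullet)."""
    with open(os.path.join(pages_dir, page)) as f:
        return f.read()


def hardened_include(pages_dir: str, page: str) -> str:
    """Two independent checks; either alone stops plain traversal:
    1. allow-list: a page name is letters and digits, nothing else, and the
       server, not the client, appends the extension;
    2. containment: resolve the final path and refuse anything whose real
       location is outside pages_dir (this is what catches the symlink)."""
    if not page.isalnum():
        raise ValueError("rejected page name: %r" % page)
    root = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(root, page + ".html"))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes document root: %s" % target)
    with open(target) as f:
        return f.read()


def demo() -> Dict[str, str]:
    pages = build_docroot()
    traversal = "../../secret.conf"  # pages -> www -> <tmp>
    out = {
        "normal": vulnerable_include(pages, "about.html").strip(),
        "traversal": vulnerable_include(pages, traversal).strip(),
        "hardened_normal": hardened_include(pages, "about").strip(),
    }
    try:
        hardened_include(pages, traversal)
        out["hardened_traversal"] = "served"
    except ValueError:
        out["hardened_traversal"] = "rejected"
    if os.path.islink(os.path.join(pages, "evil.html")):
        try:
            hardened_include(pages, "evil")  # passes the allow-list, fails containment
            out["hardened_symlink"] = "served"
        except ValueError:
            out["hardened_symlink"] = "rejected"
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Run it and the vulnerable loader returns the contents of `secret.conf` from outside the web root for `../../secret.conf`, while the hardened one rejects both that name and the planted symlink. The same containment check belongs in front of any operation that takes a path from the client, including the delete on the second bullet.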
  46. Defending Sites in Two Easy Steps
     • All input accepted from users should be validated and/or sanitized for things we don’t want to accept
       ◦ Example: If a news web site accepts an article ‘ID’ which should be a number, why would we allow a user to enter quotes or semi-colons?
     • Usage of third-party products which identify common ‘attacks’ and prevent them from being executed -- both free and commercial options!
       ◦ Oh, Barracuda Networks sells one to do that...
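The article lookup from slides 26-27 and 33-36 and the validation step from slides 43-44, as one added example that is not code from the talk: a Python/SQLite stand-in for `news.php?id=11` that pastes the parameter into the query, the UNION payload pulling the users table through it, and the hardened lookup that allow-lists the ID as an integer and binds it as a query parameter. The tables, rows and passwords are constructed for the demo, and the function names are this example's own.

```python
"""Added example: SQL injection through news.php?id=11 and the two-step fix.

Not code from the talk. The database, tables, rows and passwords below are
constructed sample data; the function names are this example's own."""
import re
import sqlite3
from typing import Dict, List


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: a news table plus the users table an
    attacker actually wants (passwords stored in plaintext, as on slide 41)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE news  (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
        CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL);
        INSERT INTO news  VALUES (11, 'Board approves new budget');
        INSERT INTO news  VALUES (12, 'Parking lot closed Friday');
        INSERT INTO users VALUES ('alice', 'hunter2');
        INSERT INTO users VALUES ('bob',   'letmein');
        """
    )
    return db


def vulnerable_titles(db: sqlite3.Connection, raw_id: str) -> List[str]:
    """The blank check: the request parameter is concatenated into the SQL
    text, so whatever follows the number is executed as part of the query."""
    sql = "SELECT title FROM news WHERE id = " + raw_id
    return [row[0] for row in db.execute(sql)]


# Step 1 from the deck: an article ID is a number, so only accept a number.
ARTICLE_ID = re.compile(r"[1-9][0-9]{0,9}")


def hardened_titles(db: sqlite3.Connection, raw_id: str) -> List[str]:
    """Allow-list the input, then bind it as a parameter so the driver
    treats it as a value and it can never change the shape of the statement."""
    if not ARTICLE_ID.fullmatch(raw_id):
        raise ValueError("rejected article id: %r" % raw_id)
    query = "SELECT title FROM news WHERE id = ?"
    return [row[0] for row in db.execute(query, (int(raw_id),))]


def parameterised_only(db: sqlite3.Connection, raw_id: str) -> List[str]:
    """Second layer on its own, to show it holds even if validation is skipped:
    the payload is compared against the id column as one opaque value."""
    query = "SELECT title FROM news WHERE id = ?"
    return [row[0] for row in db.execute(query, (raw_id,))]


def demo() -> Dict[str, object]:
    db = build_demo_db()
    # The deck's payload, adapted to the unquoted numeric context of ?id=11.
    payload = "11 UNION SELECT password FROM users"
    out: Dict[str, object] = {
        "normal": vulnerable_titles(db, "11"),
        "injected": vulnerable_titles(db, payload),
        "param_only_normal": parameterised_only(db, "11"),
        "param_only_injected": parameterised_only(db, payload),
        "hardened_normal": hardened_titles(db, "11"),
    }
    try:
        hardened_titles(db, payload)
        out["hardened_injected"] = "accepted"
    except ValueError:
        out["hardened_injected"] = "rejected"
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The deck's URL shows a leading quote in the payload; in an unquoted numeric context like `id=11` that quote would only break the statement, so the example uses the variant that fits that context. Parameterisation alone already defeats the payload (`parameterised_only` returns nothing for it); the allow-list is the cheap first line the talk asks for, and it also stops the request before it reaches the database at all.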
  51. We’re Past Passwords
     • Duo Security (Ann Arbor-based) provides easy to use, low-cost, quick to integrate two-factor authentication
     • Supported Languages: Python, Ruby, PHP, Java, ASP.NET, Node.js, Cold Fusion, Classic ASP
     • WordPress and Drupal integrations provided
     • Provide users with at least a choice of whether they want to protect their web accounts with layered & sensible authentication
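Slide 41's last bullet and the “cracked passwords” dump in the MySQL.com story both come down to how the password column is stored. As an added example that is not from the talk (and not Duo's code), here is the plaintext storage those sites used beside salted PBKDF2 hashing with constant-time verification, using only the Python standard library; the user names, passwords, record format and function names are this example's own.

```python
"""Added example: 'lack of cryptography' (slide 41) in code, beside salted,
slow password hashing from the standard library.

Not code from the talk. The user names and passwords are constructed sample
data; the storage format and function names are this example's own."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# PBKDF2-HMAC-SHA256 work factor. Tune so one hash costs tens of milliseconds
# on your hardware; prefer argon2id or bcrypt where a vetted library is available.
ITERATIONS = 600_000


def store_plaintext(users: Dict[str, str], username: str, password: str) -> None:
    """What the breached sites in the 2011 review did: the column *is* the
    password, so one SQL injection dump hands every account to the attacker."""
    users[username] = password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt + slow KDF, stored as 'pbkdf2_sha256$iter$salt$digest'
    so the work factor can be raised later without invalidating old records."""
    if salt is None:
        salt = os.urandom(16)  # fresh per user: equal passwords get different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so a timing side channel does not leak the digest prefix."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # not a record this scheme wrote (e.g. a leftover plaintext column)
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def demo() -> Dict[str, object]:
    plaintext_db: Dict[str, str] = {}
    store_plaintext(plaintext_db, "alice", "correct horse")
    hashed_db = {
        "alice": hash_password("correct horse"),
        "bob": hash_password("correct horse"),  # same password as alice
    }
    return {
        "plaintext_dump": plaintext_db["alice"],  # an attacker reads it directly
        "same_password_same_hash": hashed_db["alice"] == hashed_db["bob"],
        "login_ok": verify_password(hashed_db["alice"], "correct horse"),
        "login_bad": verify_password(hashed_db["alice"], "wrong"),
        "garbage_record": verify_password("plaintext-leftover", "correct horse"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Two-factor authentication as on slides 48-51 layers on top of this; it does not excuse a plaintext password table, because dumped passwords get reused on other sites. Where a vetted argon2id or bcrypt library is available, prefer it over PBKDF2, and keep the work factor tuned to tens of milliseconds per hash.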
  52. But there’s a larger problem
     Profession        Years of School   License
     Medical Doctor    11                Yes
     Pharmacist        8                 Yes
     Lawyer            7                 Yes
     Psychiatrist      10                Yes
     Web Programmer    0                 No
  57. Apples and Oranges?
     • All of the aforementioned professions deal with people’s personal data; medically, financially, or otherwise
     • Each profession requires extensive knowledge of the given craft to properly handle their clients
     • A professional for each career should be expected to adhere to ethical standards relating to the information they deal with
     • Everyone makes mistakes, but there are consequences for each profession... except web programming!
  63. Web Programmers
     • Generally unrestricted access to customer databases with the ability to provide interaction with that data for patrons
     • Rarely have a system of checks and balances to ensure they aren’t doing something reckless or careless
     • Likely don’t have to document what, why, or how they did what they did in a given situation
     • Can determine how information flows, how it’s protected, and who can access it from around the globe at any time
     ...and they’ve probably never been taught to do any of it...
  68. Education and the Web
     • The majority of schools offering web application development programs are ‘certificates of achievement’ or similar from community colleges/online for-profits
     • Courses for web application development rarely focus on information security concepts as a core tenet of the curriculum
     • You aren’t going to find many Bachelor degrees in web application development; it will be lumped-in with a Computer Science degree... if at all
     • Even then, the problem isn’t just ‘web applications’
  74. Framing Things
     • By the age of 22, I had publicly accessible web applications on production infrastructure at two different Michigan universities (legitimately)
     • There was no ‘security review process’ or audit of my code done to ensure that no resources were at risk by publishing these applications; malicious or otherwise
     • There were no questions asked of my credentials (or lack thereof) to be a web application developer
     • I’ve never taken a web programming course
     • I am not the exception, I am the every-day reality
  79. Smoke and Mirrors
     • Most people don’t know what a web application does, they just see the end result
       ◦ Cool graphics, nice color schemes, impressive animations, navigation links, and lots of text
     • Experienced programmers will make bad decisions to push out code faster to appease their employers or reduce the time & effort it takes for them to do work
     • Inexperienced programmers will make bad decisions because they have no idea they are making bad decisions
  80. Let’s Change Things
  84. Everyone Plays a Role
     • Managers: Establish essential standards for your developers to adhere to; these must be mandatory and likely audited by a third party quarterly
     • Developers: Create a mentality that information security is a core focus of any code you write; make a game out of finding teammates’ vulnerabilities and review as a team why that failure occurred and update code tests
     • Educators: Establish a proper, accredited Bachelor’s program at your university for web development and ensure that curriculum or entire courses are devoted to information security for programmers
  87. Legislators
     The Personal Data Protection and Breach Accountability Act of 2011
     • “require businesses with the personal information of more than 10,000 customers to implement privacy and security programs to ensure the safety of pertinent data.”
     • “The Justice Department will be able to fine firms that violate the law $5,000 per violation per day, with a maximum of $20 million per violation. Individuals affected by violations of the law will also have the ability to bring civil actions against the businesses involved.”
     http://thehill.com/blogs/hillicon-valley/technology/180325-new-bill-from-blumenthal-would-require-firms-to-beef-up-security-and-privacy-practices
  93. The Industry
     • It’s time to create a licensing board with regulation for developers that are involved in certain industries
       ◦ Medical, Financial, Governmental, Commerce
     • Track ethics violations and negligent/careless work
     • Establish a basic certification for information security competence for the language(s) a developer programs in
     • These are not popular ideas but things have gotten out of hand and there’s nothing to stop it from getting worse
     • There’s too much at stake not to
  96. An Offer of Help
     • Washtenaw County Cyber Citizenship Coalition (WC4)
       ◦ “The Washtenaw County Cyber Citizenship Coalition empowers community members through awareness and education to use the Internet and related technology safely and securely.”
     • Coordinate with me to provide your business guidance for secure programming practices and basic code security audits for your business or organization
       ◦ Free of charge!
  100. Other Resources
     • OWASP (https://www.owasp.org/)
       ◦ “The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software.”
     • Book: Pro PHP Security
       ◦ http://www.apress.com/open-source/programming/9781430233183
     • “Five common Web application vulnerabilities”
       ◦ http://www.symantec.com/connect/articles/five-common-web-application-vulnerabilities
  101. Thanks! Questions?
     Contact: mark.stanislav@gmail.com / @markstanislav / http://www.uncompiled.com/mark-stanislav/
