State of the information security nation

Presentation by Marco Slaviero at the University of Pretoria to their masters class of 2008.

This presentation is an introduction to information security. It starts with a look at the past and current state of network security, then discusses penetration testing, and closes with SQL injection and XSS demonstrations.



  1. Marco Slaviero, SensePost, May 2008
  2. Company
      ◦ Infosec specialists
      ◦ SensePost turned 8!
      ◦ .pta.za company of +-20
      ◦ Services
        ▪ Assessments
        ▪ Automated services
        ▪ Training
        ▪ Technology
      ◦ Published papers + books. Presented at many international conferences.
      ◦ Tool agnostic
      Me
      ◦ senior analyst
      ◦ UP graduate
  3. • Some facts
      • Some info
      • Quick hacks
      • Trends
      • What is penetration testing?
      • How do we do it?
      • Why is software insecure?
      • Demos
      • Observations
      • Conclusion
  4. [Chart: Public Vulns per year, 1995 to 2008, y-axis 0 to 9000; source www.cert.org/stats]
  5. [Chart: Reported Incidents per year, 1988 to 2003, y-axis 0 to 140000; source www.cert.org/stats]
  6. [Chart: www.secunia.com]
  7. [Chart: www.secunia.com]
  8. Networks last century
      ◦ Sometimes protected by means of a firewall at the ingress/egress points
      ◦ Hard crunchy shell
      ◦ Completely 0wnable internal networks (the soft, chewy centre)
      ◦ Many weak external facing standard services
      ◦ Servers sat on internal network
      ◦ Business services used variety of protocols
      ◦ Security was secondary to function
  9. Current networks
      ◦ Virtually every network has some kind of firewall in front
      ◦ Internal networks auto-updated
      ◦ Few external facing (hardened) services
      ◦ Servers isolated
      ◦ Business services migrated to HTTP
      ◦ Custom applications abound
      ◦ Security seen as important
      ◦ Major focus on user-content
  10. • Increasing criminal element
      • Client-side attacks
      • Other platforms receiving more attention
      • l33t 0wns no longer acceptable to corporates without mature recommendations
      • Mobile focus
      • Value moving
      • Vulns are marketable
  11. • Site scanned
        ◦ port 80 open
        ◦ website appears clean
        ◦ run directory/file brute-forcer on website
          ▪ /webstats/stats/default.asp
      • Login page SQL injectable
  12. ◦ Internal search field also SQL injectable
          ▪ returns errors
      • used sql-injector.pl
      • SQL user a domain administrator
      • changed password of domain admin user with terminal services access
      • found external terminal services box
      • login to internal network as domain administrator
  13. • Metasploit - Open Source Platform for:
        ◦ Developing, Testing and Using Exploit Code
        ◦ Written in Perl/Ruby with components in C, Python and Assembly
      • Supports *nix as well as Windows (Cygwin)
      • Makes running exploits trivial, requires no underlying knowledge
  14. • Hacking is not a black art – it can be structured
      • One hole is all we need
      • It’s OK to be hacked (by us :)
  15. The practical verification of security mechanisms
      ◦ Offensive
      ◦ Blackbox
      Requirements
      ◦ Knowledge
        ▪ tools
        ▪ platforms
        ▪ protocols
      ◦ Puzzle solving abilities
      ◦ Tenacity
      Targets
      ◦ networks
      ◦ machines
      ◦ applications
        ▪ web
        ▪ thick
      ◦ information
  16. Typical pen-testing
      Goals
      ◦ enumerate users
      ◦ bypass authentication mechanisms
      ◦ access user data
      ◦ perform administrative actions
      ◦ deny service
      ◦ compromise underlying platform
      ◦ use target to hop further into the network
      Ethics
      ◦ only done with mandate
      ◦ customer informed of
        ▪ targets
        ▪ testing times
      ◦ NDAs
      ◦ user data kept confidential (or redacted)
  17. 1. There’s no madness in our method
      2. Learn the trade, not the trick
      3. It’s not about the what, it’s about the where
      4. Everything’s easy in bite-sized chunks
      5. Don’t worry about knowing the answers, it’s figuring the questions that’s hard
      6. The more you know, the luckier you’ll get
  18. • Discover the possible set of targets
      • Test whether targets are reachable
      • Determine the services being offered
      • Vulnerability detection & analysis
      • Vulnerability exploitation
      Methodology varies according to objective
      Threat modelling useful for discovering possible weak points in complex applications
  19. Network layer
      ◦ Attacks are mostly canned
      ◦ Testing is automated
      ◦ Software is mature – hence slightly more secure
      Application layer
      ◦ Most business apps run over HTTP
      ◦ Custom apps mean custom vulns
      ◦ Custom software is less mature, fewer security protections
      ◦ Labour intensive testing
      ◦ Basic tasks are automated
      ◦ Web threats not fully understood
        ▪ Web 2.0 world changes that further
  20. • On the Internet today, we hack web servers
        ◦ 13 Million unique web servers
        ◦ 70% of all open ports are HTTP
      • Frameworks, code-sharing and thin clients make developing for the web quick and easy
        ◦ Yet it’s much harder to develop securely than many think
      • Web applications are attractive targets
        ◦ Internet facing
        ◦ Widespread
        ◦ Encapsulate complex business logic
        ◦ Offer windows into the private network
      • Responsibility lies largely with the developer
        ◦ Naivety increases our chances of success
  21. Statement: If we can build skyscrapers and bridges that last 80 years and more without falling down, why is software broken before it is deployed?
  22. Buildings do fall down
      ◦ Environmental factors not accounted for (Tacoma Narrows)
      ◦ Security threats (9/11?)
      Security in general is always defeatable
      ◦ How much is the attacker willing to spend?
      ◦ Security is a human vs. human game – boundaries are limited only by the attacker’s imagination
      ◦ Security is not limited to software (how secure is your house?)
      ◦ How well do defenders understand the attackers?
      ◦ As tech evolves, so the threat landscape changes (pace of change)
  23. Developers are front-line software defenders. What about them?
      ◦ Devs are not taught security fundamentals
        ▪ Input validation (whitelist/blacklist)
        ▪ Assertion checking
        ▪ Return status
        ▪ Unsafe functions/mechanisms
      ◦ Security is often seen as secondary on software projects (features are king!)
      ◦ Often they only learn about threats when their applications are compromised
      ◦ As new attacks emerge, the gap between the protected and the exposed grows
      ◦ Spot fixing
  24. How to fix?
      ◦ Cheques made out to ML Slaviero. CC also accepted.
      ◦ Developer education (coding against threats)
      ◦ Tighter integration between application components
      ◦ Abstraction of security code
      ◦ New architectures?!?
  25. 1. SQL Injection
      2. Cross Site Scripting
  26. What is it?
      ◦ Most web applications interact with a database
      ◦ Users enter data which is passed into database queries
      ◦ Certain chars have special meaning in DBs
        ▪ eg ' for SQL
      ◦ Data is not escaped sufficiently, allowing the alteration of the query
      Effects?
      ◦ Data extraction
      ◦ Data modification
      ◦ Command execution?
  27. Card number entered: x' OR 1=1--   PIN entered: 5555
      Query template:
          @result = "select * from Users where Card = '$cardnumber' And Pin = '$customerpin';"
      Query after substitution (the quote closes the Card literal and -- comments out the PIN check):
          @result = "select * from Users where Card = 'x' OR 1=1--' And Pin = '5555';"
  28. Solutions
      ◦ Input sanitisation
        ▪ whitelist/blacklist
      ◦ Prepared statements/parameterized queries
      ◦ Stored procedures
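The card/PIN query from slide 27 and the fixes from slide 28, worked through as an added example that is not part of the talk: the in-memory SQLite table, its rows and the lookup function names are all constructed for the demonstration.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in for the Users table on slide 27 (two sample rows).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Card TEXT, Pin TEXT, Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [("4111222233334444", "1234", "alice"),
                      ("5555666677778888", "5555", "bob")])
    return conn

def lookup_vulnerable(conn, cardnumber, customerpin):
    # Slide 27's pattern: the query is built by string interpolation, so a
    # quote in the card field closes the literal and "--" discards the PIN check.
    sql = ("select * from Users where Card = '%s' And Pin = '%s'"
           % (cardnumber, customerpin))
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, cardnumber, customerpin):
    # Prepared statement / parameterized query (slide 28): the values travel
    # separately from the SQL text and are never parsed as SQL.
    sql = "select * from Users where Card = ? And Pin = ?"
    return conn.execute(sql, (cardnumber, customerpin)).fetchall()

CARD_RE = re.compile(r"^[0-9]{16}$")   # assumed card-number shape
PIN_RE = re.compile(r"^[0-9]{4}$")     # assumed PIN shape

def validate_input(cardnumber, customerpin):
    # Whitelist input sanitisation (slide 28): accept only the exact shape a
    # card number and PIN should have, before any query is built.
    return bool(CARD_RE.match(cardnumber) and PIN_RE.match(customerpin))

def lookup_whitelisted(conn, cardnumber, customerpin):
    # Defence in depth: whitelist first, then still use the parameterized query.
    if not validate_input(cardnumber, customerpin):
        raise ValueError("rejected input")
    return lookup_parameterized(conn, cardnumber, customerpin)

if __name__ == "__main__":
    db = make_db()
    payload = "x' OR 1=1--"
    print("vulnerable   :", lookup_vulnerable(db, payload, "5555"))    # every row
    print("parameterized:", lookup_parameterized(db, payload, "5555")) # no rows
    print("whitelist ok :", validate_input(payload, "5555"))           # False
```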
  29. What is it?
      ◦ Web apps output their stored data as HTML to browsers
      ◦ If data contains HTML, then the interface is altered
      ◦ Caused by insufficient escaping of user supplied data (input validation… sound familiar?)
      ◦ New exploits emerging all the time
      Effects?
      ◦ Malicious HTML can be used to perform a variety of attacks
        ▪ cookie theft
        ▪ internal port scanners
        ▪ perform actions on your behalf
  30. Solutions
      ◦ Input sanitisation
        ▪ whitelist/blacklist
      ◦ Output sanitisation
      ◦ Cookie magic
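The three fixes on slide 30 applied to the stored-data case on slide 29, as an added example rather than code from the talk: the stored name and comment are constructed inputs, the render and cookie functions are assumed names, and "cookie magic" is taken to mean the HttpOnly and Secure cookie flags.

```python
import html
import re

# Constructed stored data: a display name that breaks out of an attribute and a
# comment body carrying a script tag (the "data contains HTML" case on slide 29).
STORED_NAME = 'mallory" onmouseover="alert(1)'
STORED_COMMENT = 'great talk <script>alert(1)</script>'

TEMPLATE = '<div class="comment" data-author="%s">%s</div>'

def render_vulnerable(name, comment):
    # Stored data written straight into the page: any markup inside it becomes
    # part of the interface instead of being shown as text.
    return TEMPLATE % (name, comment)

def render_escaped(name, comment):
    # Output sanitisation: encode & < > " ' so the browser renders the data as
    # text. quote=True is what makes the attribute context safe as well.
    return TEMPLATE % (html.escape(name, quote=True),
                       html.escape(comment, quote=True))

NAME_RE = re.compile(r"^[A-Za-z0-9_ -]{1,32}$")   # assumed display-name whitelist

def accept_name(name):
    # Input sanitisation by whitelist: reject a name on the way in if it
    # contains anything outside the allowed character set.
    return bool(NAME_RE.match(name))

def session_cookie_header(value):
    # Cookie hardening: HttpOnly keeps document.cookie from exposing the session
    # id to injected script; Secure keeps it off plain HTTP.
    return "Set-Cookie: session=%s; HttpOnly; Secure" % value

if __name__ == "__main__":
    print(render_vulnerable(STORED_NAME, STORED_COMMENT))  # live <script> and handler
    print(render_escaped(STORED_NAME, STORED_COMMENT))     # inert &lt;script&gt; text
    print(accept_name(STORED_NAME))                         # False
    print(session_cookie_header("CONSTRUCTED-ID"))
```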
  31. • Old attacks don’t disappear
      • Dev mistakes are repeated
      • Development frameworks evolve to mitigate some threats, leading to over-reliance on framework
        ◦ Authentication/input validation understood fairly well
        ◦ .Net input validation vuln
      • Passwords are an attacker’s friend
      • Authorisation issues widespread
      • Users are gullible
      • Value is moving
      • Increasing complexity of attacks
  32. • Hacking is learnable
      • Education is key
      • Know where you stand
