Covering a wide selection of security best practices, from OWASP through NIST, each point is explored, explained and demonstrated by examining a classic failure in the wide world of Web Dev.
With more SQL Injections than SQL flu season, Lax Permissions on a global scale, buffer overflows, stack overflows and actual overflows, this talk is for anyone who wants to learn more about securing their applications … but doesn’t want to be lulled to sleep as a result.
14. July 2017 - Equifax
• Attackers breached Equifax’s web application and gained access to their core databases
• Impacted as many as 143 million consumers
• Social Security numbers, birth dates, addresses, driver's license numbers, and ~209,000 credit card numbers
• Equifax offered $125 to each affected user
• Equifax stock dropped over 30%
15. How did it happen?
• They didn’t update their software (OWASP A9:2017)
• Apache Struts vulnerability (known and patched for TWO MONTHS!)
• Actual bug was an XML deserialisation error (OWASP A8:2017)
16. How could it be prevented?
• Patch your sh*t!
• Subscribe to security announce lists for frameworks / modules
• Run app vuln scanner (and act on the results)
20. September 2019 - Ecuador
• Records of more than 20 million people found by a security firm during a sweep
• Ecuador’s population is 16 million
• Contained full names, gender, dates and places of birth, phone numbers and addresses, marital statuses, national identification numbers (similar to social security numbers), employment information and details of education, as well as bank account statuses, current balances and credit type, along with detailed information about individuals' family members
21. September 2019 - Ecuador
• This included data on the president, Lenín Moreno
• The general manager of the IT consulting firm was arrested
22. How did it happen?
• A marketing agency had put the data in an ElasticSearch server
• Which was exposed to the web (OWASP A3:2017)
• And had no authentication (OWASP A6:2017)
23. How could it be prevented?
• Firewall your servers
• Change default or apply credentials and rotate passwords
• Scope data retention requirements
26. September 2017 - The Pentagon
• U.S. Department of Defense announced a series of unsecured S3 buckets
• Containing:
• Archive of over 1.8 billion social media posts scraped for “analytics" purposes
• Private encryption keys used to hash passwords for an intelligence sharing platform
• Thousands of resumes for job applicants seeking intelligence positions
27. How did it happen?
• Systems were built and operated by a now defunct private-sector government contractor
• They left the S3 buckets publicly accessible (OWASP A3:2017)
• DOH!
28. How could it be prevented?
• Third party vendor risk
• Secure your cloud resources
• Least privilege
31. August 2018 - British Airways
• Between 21st August and 5th September, ba.com was running malicious code
• Financial and personal details of 380,000 customers stolen (that means credit card data)
32. How did it happen?
• No <iframe> isolation of the payment card fields, leading to
• Cross Site Scripting (XSS) (OWASP A7:2017)
33. How could it be prevented?
• Validating, filtering, encoding and escaping methods
• Use a Security Encoding Library!
• Enforce secure headers
36. October 2015 - TalkTalk
• Names, addresses, dates of birth, and credit card/bank details of 157,000 TalkTalk customers stolen
• Data then sold on the dark web and used to take money from credit cards, phish users and blackmail company execs
• Cost the company £77m
37. How did it happen?
• The hackers identified an SQL injection attack on the TalkTalk website (OWASP A1:2017)
38. How could it be prevented?
• Don’t trust user input (ever)
• Parameterise your queries
• Use an abstraction layer (DBAL / ORM)
• Use a SQL proxy
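An added example (not from the talk) of the "don’t trust user input / parameterise your queries" point: the same lookup written with string concatenation and with a bound parameter, run over a small constructed customer table in SQLite. The table, e-mail addresses and card digits are invented sample data.

```python
import sqlite3

def build_db():
    """Constructed in-memory stand-in for a customer table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222"),
         ("o'brien@example.com", "3333")],
    )
    return conn

def lookup_concatenated(conn, email):
    """VULNERABLE: user input is spliced into the SQL text, so it can change
    the statement's structure instead of being treated as a value."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn, email):
    """SAFE: the value is bound separately; the driver passes it as data, so
    quotes inside it are just characters, never SQL syntax."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def compare(email):
    """Run both lookups on the same input; report the row count, or the
    exception class name if the query failed to parse."""
    conn = build_db()
    result = {}
    for name, fn in (("concat", lookup_concatenated),
                     ("param", lookup_parameterised)):
        try:
            result[name] = len(fn(conn, email))
        except sqlite3.Error as exc:
            result[name] = type(exc).__name__
    return result

if __name__ == "__main__":
    print(compare("alice@example.com"))    # both find exactly one row
    print(compare("o'brien@example.com"))  # concat breaks on a legitimate apostrophe
    print(compare("x' OR '1'='1"))         # concat returns every row; param returns none
```

The apostrophe case shows that concatenation is a correctness bug as well as a security one: the parameterised version handles both inputs without any escaping code of its own.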
43. November 2018 - The Marriott
• 500 million customers of its Starwood hotels had their data stolen
• One of the largest breaches at the time … until Ecuador
44. How did it happen?
• Various!
• SQL injection on the website
• Internal machines compromised with malware likely due to phishing
• But more critically, the hackers had been in place since 2014
45. How could it be prevented?
• Systemic failures in the systems, hard to address without significant culture change
• Monitoring should have picked up a breach … they had 4 years to spot it!
• Check your logs, monitor traffic & connections, review processes on servers