Slides for the AmsterdamPHP January 2016 Meetup: https://joind.in/event/amsterdamphp-january2016

1. Booking.com
W
E
AR
E
H
IR
IN
G

2. Security Theatre
@thomas_shone
Image by Matt McGee released under CC BY-ND 2.0
https://joind.in/talk/7f231

3. Illusion

4. Denial

5. I know about OWASP!

6. If you are hacked via OWASP Top
10, you’re not allowed to call it
“advanced” or “sophisticated”
@thegrugq
Reference: https://twitter.com/thegrugq/status/658991205816995840

7. But I use antivirus!

8. Crypting services makes most
antivirus techniques useless
Reference: http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/

10. Let us put an unsecured node.js
server on your personal
computer
TrendMicro Antivirus on Windows
Jan 2016
https://code.google.com/p/google-security-research/issues/detail?id=693

11. Remote code-executions via your
mail client downloading an email
Sophos Antivirus
June 2015
https://lock.cmpxchg8b.com/sophailv2.pdf

13. We’re all bad at security

14. Users are bad at security
➢ Weak passwords
➢ Password reset questions
➢ Human verification sucks
➢ Clickbait and phishing
➢ Attachments
➢ URL mistype
➢ Routine and workarounds
➢ Convenience trumps security

15. Developers are bad at security
Reference: https://github.com/

16. Hackers are bad at security

17. A study in scarlet

18. 43 applications, libraries or frameworks
over 4,800 versions
over 10 million files

19. 255,000 scans
About 6k/month from June 2012 till now

20. Results
July 2015

21. Most popular software
It’s not what you think

25. How bad is it?

29. Why is it so bad?

33. I have seen things
Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn

35. Versioning Hell
1.3-final-beta6-pre-patch3

36. OpenX
Backdoored for almost a year

38. Lessons Learnt

39. Versioning
Projects with bad versioning also have some
of the worst security issues

40. Automatic Patching
If your software comes with automatic
upgrading, people will use it

41. Plugins and Templates
If an update needs manual changes for
plugins or template, no one updates

42. Patch Fatigue Exists
Image by Aaaron Jacobs released under CC BY-SA 2.0

43. Anger
Image by Josh Janssen released under CC BY-ND 2.0

44. Why doesn’t someone do
something about it?

45. Private industry keep
threatening security researchers

46. "How many Fortune 500
companies are hacked right now?
Answer, 500."
Mikko Hypponen, CRO of F-Secure
Reference: https://twitter.com/mikko/status/184329161257652227

47. Why don’t we have some form of
standard?

48. We have ISO 27001/2, ISO 15408,
RFC 2196, PCI DSS, NIST, …
Reference: https://en.wikipedia.org/wiki/Cyber_security_standards

49. Why doesn’t the government do
something about it?

50. A Ukrainian power plant was
hacked & shutdown because
someone had macros enabled in
Excel
Reference: https://t.co/PA7cDQC9EI

52. NSA: We’re just upgrading your
megaflops, promise.

53. Reference: https://t.co/PA7cDQC9EIImage by Unknown released into the Public Domain

54. Bargaining
Image by Jeroen Moes released under CC BY-SA 2.0

55. But what if we installed advanced
IDSs, WAFs and specialised
network hardware

56. We probably only knew about
one of the two backdoors in our
system
Juniper Networks
Dec 2015
http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-
government-backdoors/

57. IDSs produce reports. Managers
likes reports: it helps them feel
like they can "manage" security
http://security.stackexchange.com/questions/12164/how-effective-is-an-ids-at-catching-targeted-
attacks

58. We’ll start following prescribed
security standards

59. That’s great for your insurance
premiums

60. Depression

61. Ninety percent of
everything is crap.
Sturgeon's law
Reference: https://en.wikipedia.org/wiki/Sturgeon%27s_law

62. Acceptance
Image by Stephan Brunet released under CC BY-SA 3.0

63. Effective?

64. Most of our security
practices are ineffective

65. We do security in
isolation

66. Holistic

67. Hardware
Drivers
Services
Your Dependencies
Operating System
Your Software
Humans
Network / Internet
Area of Influence

68. Hardware
Drivers
Services
Your Dependencies
Operating System
Your Software
Humans
Network / Internet
HR/Training
System
Administrators
Downstream
Providers

69. Layered
Image by Cadw released under OGL via Commons

70. Image by Albert Bridge released under CC BY-SA 2.0
Surface Area

71. Alertness
Image by MeganCollins released under CC BY-NC-ND 3.0

72. Mitigation
Image by Pivari.com released under CC BY-SA 3.0

73. Trust

74. Trust?

75. Be aware of what you’re
trusting

76. The hardest part of
security is not writing
secure code

77. It’s understanding
where you misplace your
trust

78. Trust is a chain

79. I trust my computer is not
compromised
Up-to-date patches
TR
U
ST

80. I trust that the software is
without vulnerability
Vulnerability research and security updates
TR
U
ST

81. I trust that the software is
configured properly
Automated provisioning
TR
U
ST

82. I trust that the network is
configured properly and secure
Good system administrators
TR
U
ST

83. I trust you are who you say you
are
TLS Certificate Peer Verification or
Authentication
TR
U
ST

84. I trust you are allowed to talk to
me about this topic
Authorization
TR
U
ST

85. I trust that what you send me
hasn’t been tampered with
Hashes or signatures
TR
U
ST

86. I trust that what we talk about
is just between us
Public and private keys
TR
U
ST

87. I trust your computer is not
compromised
????
TR
U
ST

88. I trust that what we talk about
won’t be share with others
Contracts, Legalities, Terms of use, ????
TR
U
ST

89. I trust that the user won’t be
the weak link
Training and procedures
TR
U
ST

90. Turn your chain into a
mesh
Image by ineverfinishanyth released under CC BY-NC-SA 2.5

91. Common Mistakes

92. Weakening
Compromising encryption or hashing is
about reducing time to crack

93. Implementation
A bad implementation helps reduce the time
to crack

94. Unknown unknowns
You don’t know what you’re getting wrong

95. Authentication

96. 2 Factor Authentication
composer require pragmarx/google2fa

97. OAuth2
composer require league/oauth2-client

98. Encryption

99. Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own

101. Avoid old tutorials on
encryption
https://gist.github.com/paragonie-
scott/e9319254c8ecbad4f227

102. Failed: Error Number: 60. Reason: SSL certificate problem, verify that
the CA cert is OK. Details: error:14090086:SSL routines:
SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
// Many old tutorials and posts suggest disabling peer verifications
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
// Thankfully PHP 5.6+ handles CA certificate location automatically
// now thanks to https://wiki.php.net/rfc/improved-tls-defaults and
// Daniel Lowrey
Avoid advice like this
Weakening security for convenience
C
O
D
E
SAM
PLE

103. Hashing

104. Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own

105. One way encoding
Comparisons / Integrity Checks

106. Weak hash functions
+/- 690GB rainbow tables

107. $password = 'rasmuslerdorf';
$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';
// Is this call safe?
if (crypt($password, $hash) === $hash) {
echo 'Password is correct';
}
// What about this one?
if (password_verify($password, $hash)) {
echo 'Password is correct';
}
Bad implementation
Where is the weakness?
C
O
D
E
SAM
PLE

108. Timing Attacks
Brute forcing cryptographic functions via
time taken to execute

109. $string1 = 'abcd';
$string2 = 'abce';
$string3 = 'acde';
for ($i=0; $i<10000; $i++) { ($string1 === $string2); }
// Time taken: 0.006923
for ($i=0; $i<10000; $i++) { ($string1 === $string3); }
// Time taken: 0.008344
Timing Attacks
How it works
C
O
D
E
SAM
PLE

110. Timing attacks can be used to
work out if an account exists,
even if the UI doesn't say so.
@troyhunt, haveibeenpwned.com
Reference: https://t.co/5WkQ48suj7

111. Sessions

112. Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own

113. if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false)
{
parse_str($_SERVER['QUERY_STRING']);
session_write_close();
session_id($session_to_unset);
session_start();
$_SESSION = array();
session_write_close();
session_destroy();
exit;
}
Mistakes
Deep understanding of the language
C
O
D
E
SAM
PLE
Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505

114. Randomness

115. Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own

116. Non-deterministic randomness
is critical in encryption
Used for key generation and nonces

117. Non-deterministic randomness
is hard
Dual_EC_DRBG was in use for 7 years

118. // NOT cryptographically secure
rand();
// Cryptographically secure (uses OS-specific source)
random_int();
// Cryptographically secure (uses OS-specific source)
random_bytes();
// Cryptographically secure (uses OpenSSL library)
openssl_random_pseudo_bytes();
Random in code
Know the source
C
O
D
E
SAM
PLE

119. Information Disclosure

120. HEAD http://example.com/index.php
200 OK
Connection: close
Date: Sat, 26 Dec 2015 13:52:01 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Sat, 26 Dec 2015 13:52:01 GMT
Client-Peer: 192.168.0.101:80
Client-Response-Num: 1
X-Powered-By: PHP/5.5.11
Information Disclosure
Every piece of information can be leveraged
LO
G
SAM
PLE

121. HEAD http://example.com/index.php
200 OK
Connection: close
Date: Sat, 26 Dec 2015 13:52:01 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Sat, 26 Dec 2015 13:52:01 GMT
Client-Peer: 192.168.0.101:80
Client-Response-Num: 1
X-Powered-By: PHP/5.5.11
Information Disclosure
Every piece of information can be leveraged
LO
G
SAM
PLE

122. Warning: require(assets/includes/footer.php) [function.require]: failed
to open stream: No such file or directory in
/home/user/path/to/assets/includes/operations.php on line 38
Fatal error: require() [function.require]: Failed opening required
'assets/includes/footer.php' (include_path='.:/usr/lib/php:
/usr/local/lib/php') in /home/user/path/to/assets/includes/operations.
php on line 38
Information Disclosure
Every piece of information can be leveraged
LO
G
SAM
PLE

123. Social Engineering

124. Weak password reset
processes
Can you Google the answer?
How do you handle customer support reset?

125. Customer support
training
Convenience vs Security

126. @N’s (Naoki Hiroshima) Story
How do you mitigate against this?

127. Hope
Image by Jenny released under CC BY-NC-ND 2.0

128. Holistic

129. Read
Know about new threats and best practice
changes

130. OWASP ASVS Project
Application Security Verification Standard
Reference: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

131. Information
Only store what you really need

132. Patching Strategy
If a dependency prevents updating, resolve it
now

133. Don’t become
comfortable
Comfort breeds contempt

134. Training Strategy
Have a process for dealing with account
locks and resets

135. Compromise Strategy
Have a plan before you need it

136. Mistakes will be made
Learn from them

137. Rate limit
Built it now, or you’ll have to build it while an
incident is underway

138. Monitor everything
You’re more likely to be alerted by a graph
spiking than your IDS

139. Decouple roles
Databases, servers, domains, roles, ...

140. Version properly
Major.Minor.Patch. How hard is that?

141. Composer everything
There is no excuse anymore

142. Decouple
plugins/templates
Updates should be simple

143. Get behind PSR-9 & 10
http://www.php-fig.org/psr/

144. Group
Performance
Image by Matt McGee released under CC BY-ND 2.0

145. Thank you
https://joind.in/talk/7f231
@thomas_shone