This document discusses many topics related to cybersecurity including common security mistakes, the importance of trust and how it can be broken, lessons learned from security breaches, and strategies for improving security practices. It notes that most software has security issues, encryption and hashing should not be implemented without understanding, and outlines approaches like patching strategies, training, and monitoring to help build more secure systems. The overall message is that security requires a holistic, ongoing approach rather than one-time fixes.

1. @thomas_shone
Image by Matt McGee released under CC BY-ND 2.0
Security Theatre

2. Booking.com

3. Welcome to Therapy
Image by THX0477 released under CC BY 2.0

4. Denial

5. Illusion

6. I know about OWASP!

7. If you are hacked via OWASP Top
10, you’re not allowed to call it
“advanced” or “sophisticated”
@thegrugq
Reference: https://twitter.com/thegrugq/status/658991205816995840

8. But I use antivirus!

9. Crypting makes antivirus
techniques useless
Reference: http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/

11. Unsecured node.js server
TrendMicro Antivirus on Windows
Jan 2016
https://code.google.com/p/google-security-research/issues/detail?id=693

12. Remote code-executions
via Buffer Overflow
Sophos Antivirus
June 2015
https://lock.cmpxchg8b.com/sophailv2.pdf

13. Double Agent Attack
Avast, AVG, Avira, Bitdefender, TrendMicro, Comodo, ESET,
F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, Quick Heal,
and Norton - March 2017
https://www.wired.com/2017/03/clever-doubleagent-attack-turns-antivirus-malware/

15. Internet of Things

18. Reference: https://www.yahoo.com/tech/dutch-consumer-group-demands-samsung-151703102.html

19. We’re all bad at security

20. Users

21. Developers

22. Hackers

23. A study in scarlet

24. 43 applications, libraries and frameworks
over 4,800 versions
over 10 million files

25. 255,000 scans
About 6k/month from June 2012 - Nov 2015

26. Results
July 2015

27. Most popular software
It’s not what you think

31. How bad is it?

34. Why is it so bad?

39. I have seen things
Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn

41. Versioning Hell
1.3-final-beta6-pre-patch3

42. OpenX
Backdoored for almost a year

44. Lessons Learnt

45. Versioning
Projects with bad versioning also have some
of the worst security issues

46. Automatic Patching
If your software comes with automatic
upgrading, people will use it

47. Plugins and Templates
If an update needs manual changes for
plugins or template, no one updates

48. Image by Aaaron Jacobs released under CC BY-SA 2.0
Patch Fatigue Exists

49. Image by Josh Janssen released under CC BY-ND 2.0
Anger

50. Why doesn’t someone do
something about it?

51. Private industry keep
threatening security researchers
List of well referenced situations of the above: http://attrition.org/errata/legal_threats/

57. "How many Fortune 500
companies are hacked right now?
Answer, 500."
Mikko Hypponen, CRO of F-Secure
Reference: https://twitter.com/mikko/status/184329161257652227

58. Why don’t we have some form of
standard?

59. We have ISO 27001/2, ISO 15408,
RFC 2196, PCI DSS, NIST, …
Reference: https://en.wikipedia.org/wiki/Cyber_security_standards

60. Why doesn’t the government do
something about it?

61. Don’t lump
me in with
those idiots.

62. Reference: https://t.co/PA7cDQC9EIImage by Unknown released into the Public Domain

63. Fine… no backdoor in E2E
encryption.
Julian King, Security Commissioner, EU
Reference: https://www.theregister.co.uk/2017/10/19/eu_crypto_cracking/

64. Fine… no backdoor in E2E
encryption. But store everything
in plaintext.
Rod Rosenstein, Deputy Attorney General, USA
Reference: https://www.theregister.co.uk/2017/10/30/encryption_backdoors_plaintext_deputy_ag/

65. Image by Jeroen Moes released under CC BY-SA 2.0
Bargaining

66. But what if we installed
advanced IDSs, WAFs and
specialised network hardware

67. We probably only knew about
one of the two backdoors in our
system
Juniper Networks
Dec 2015
http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-governmen
t-backdoors/

68. Depression

69. Ninety percent of
everything is crap.
Sturgeon's law
Reference: https://en.wikipedia.org/wiki/Sturgeon%27s_law

70. Infosec - A profession that turns
normal people into whiskey drinking,
swearing, paranoid, disheartened
curmudgeons with no hope for the
future of computers or humanity.
@mzbat
Reference: https://www.urbandictionary.com/define.php?term=Infosec

71. Image by Stephan Brunet released under CC BY-SA 3.0
Acceptance

72. Effective?

73. Most of our security
practices are ineffective

74. We do security in
isolation

75. Holistic

76. Hardware
Drivers
Services
Your Dependencies
Operating System
Your Software
Humans
Network / Internet
Area of Influence

77. Drivers
Services
Operating System
203.5M LoC
Area of Influence
Hardware
Disclaimer: Numbers generated using cloc (Service LoC limited to latest releases of MySQL, Apache and PHP)

78. Operating System
Area of Influence
Humans DNA
7B LoC
Source: http://www.examiner.com/article/dna-the-ultimate-source-code

79. Hardware
Drivers
Services
Your Dependencies
Operating System
Your Software
Humans
Network / Internet
HR/Training/
LART device
System
Administrators
Downstream
Providers

80. Image by Cadw released under OGL via Commons
Layered

81. Surface Area
Image by Albert Bridge released under CC BY-SA 2.0

82. Image by MeganCollins released under CC BY-NC-ND 3.0
Alertness

83. Image by Pivari.com released under CC BY-SA 3.0
Mitigation

84. Trust

85. Trust??????

86. Be aware of what you’re
trusting

87. The hardest part of
security is not writing
secure code

88. It’s understanding
where you’re misplace
your trust

89. Trust is a chain

90. I trust my computer is not
compromised
Up-to-date patches
TR
U
ST

91. I trust that the software is
without vulnerability
Vulnerability research and security updates
TR
U
ST

92. I trust that the software is
configured properly
Automated provisioning
TR
U
ST

93. I trust that the network is
configured properly and secure
Good system administrators
TR
U
ST

94. I trust you are who you say you
are
TLS Certificate Peer Verification or
Authentication
TR
U
ST

95. I trust you are allowed to talk to
me about this topic
Authorization
TR
U
ST

96. I trust that what you send me
hasn’t been tampered with
Hashes, CRCs or signatures
TR
U
ST

97. I trust that what we talk about is
just between us
Public and private keys
TR
U
ST

98. I trust your computer is not
compromised
????
TR
U
ST

99. I trust that what we talk about
won’t be share with others
Contracts, Legalities, Terms of use, ????
TR
U
ST

100. I trust that the user won’t be the
weak link
Training and procedures
TR
U
ST

101. Turn your chain into a
mesh
Image by ineverfinishanyth released under CC BY-NC-SA 2.5

102. Common Mistakes

103. Weakening
Compromising encryption or hashing is
about reducing time to crack

104. Implementation
A bad implementation helps reduce the time
to crack

105. Authentication

106. 2 Factor Authentication
composer require pragmarx/google2fa

107. OAuth2
composer require league/oauth2-client

108. Sessions

109. Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own

110. if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false)
{
parse_str($_SERVER['QUERY_STRING']);
session_write_close();
session_id($session_to_unset);
session_start();
$_SESSION = array();
session_write_close();
session_destroy();
exit;
}
Mistakes
Deep understanding of the language
Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
C
O
D
E
SAM
PLE

111. if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false)
{
parse_str($_SERVER['QUERY_STRING']);
session_write_close();
session_id($session_to_unset);
session_start();
$_SESSION = array();
session_write_close();
session_destroy();
exit;
}
Mistakes
Deep understanding of the language
Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
Writes $_SESSION to
disk
C
O
D
E
SAM
PLE

112. if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false)
{
parse_str($_SERVER['QUERY_STRING']);
session_write_close();
session_id($session_to_unset);
session_start();
$_SESSION = array();
session_write_close();
session_destroy();
exit;
}
Mistakes
Deep understanding of the language
C
O
D
E
SAM
PLE
Extracts URL parameters into
the namespace.
session_to_unset=a becomes
$session_to_unset = “a”;
Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505

113. Encryption

114. Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own

116. Avoid old tutorials on
encryption
https://gist.github.com/paragonie-scott/e93
19254c8ecbad4f227

117. Failed: Error Number: 60. Reason: SSL certificate problem, verify that
the CA cert is OK. Details: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
// Many old tutorials and posts suggest disabling peer verifications
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
// Thankfully PHP 5.6+ handles CA certificate location automatically
// thanks to https://wiki.php.net/rfc/improved-tls-defaults and
// Daniel Lowrey
Avoid advice like this
Weakening security for convenience
C
O
D
E
SAM
PLE

118. Hashing

119. Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own

120. One way encoding
Comparisons / Integrity Checks

121. Weak hash functions
+/- 690GB rainbow tables
Reference: http://project-rainbowcrack.com/table.htm

122. 4,797,089,933
Number of accounts publicly leaked
Reference: https://haveibeenpwned.com/

123. $password = 'rasmuslerdorf';
$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';
// Is this call safe?
if (crypt($password, $hash) === $hash) {
echo 'Password is correct';
}
// What about this one?
if (password_verify($password, $hash)) {
echo 'Password is correct';
}
Bad implementation
Where is the weakness?
C
O
D
E
SAM
PLE

124. Timing Attacks
Brute forcing cryptographic functions via
time taken to execute

125. $string1 = 'abcd';
$string2 = 'abce';
$string3 = 'acde';
for ($i=0; $i<10000; $i++) { ($string1 === $string2); }
// Time taken: 0.008344
for ($i=0; $i<10000; $i++) { ($string1 === $string3); }
// Time taken: 0.006923
Timing Attacks
How it works
C
O
D
E
SAM
PLE

126. Timing attacks can be used to
work out if an account exists [...].
@troyhunt, haveibeenpwned.com
Reference: https://t.co/5WkQ48suj7

127. Well actually
Amount of randomness matters
Reference: http://blog.ircmaxell.com/2012/12/seven-ways-to-screw-up-bcrypt.html

128. $password = 'rasmuslerdorf';
$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';
// Check the password
if (password_verify($password, $hash)) {
echo 'Password is correct';
if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
// Rehash and store in database
$new_password = password_hash($password, PASSWORD_DEFAULT);
}
}
Rehash
Build it into your flow
C
O
D
E
SAM
PLE

129. Randomness

130. Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own

131. Non-deterministic randomness
is critical in encryption
Used for key generation and nonces

132. Non-deterministic randomness
is hard
Dual_EC_DRBG was in use for 7 years

133. // NOT cryptographically secure
rand();
// Cryptographically secure (uses OS-specific source)
random_int();
// Cryptographically secure (uses OS-specific source)
random_bytes();
// Cryptographically secure (uses OpenSSL library)
openssl_random_pseudo_bytes();
Random in code
Know the source
C
O
D
E
SAM
PLE

134. Information Disclosure

135. HEAD http://example.com/index.php
200 OK
Connection: close
Date: Sat, 26 Dec 2015 13:52:01 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Sat, 26 Dec 2015 13:52:01 GMT
Client-Peer: 192.168.0.101:80
Client-Response-Num: 1
X-Powered-By: PHP/5.5.11
Information Disclosure
Every piece of information can be leveraged
LO
G
SAM
PLE

136. HEAD http://example.com/index.php
200 OK
Connection: close
Date: Sat, 26 Dec 2015 13:52:01 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Sat, 26 Dec 2015 13:52:01 GMT
Client-Peer: 192.168.0.101:80
Client-Response-Num: 1
X-Powered-By: PHP/5.5.11
Information Disclosure
Every piece of information can be leveraged
LO
G
SAM
PLE

137. Warning: require(assets/includes/footer.php) [function.require]: failed
to open stream: No such file or directory in
/home/user/path/to/assets/includes/operations.php on line 38
Fatal error: require() [function.require]: Failed opening required
'assets/includes/footer.php'
(include_path='.:/usr/lib/php:/usr/local/lib/php') in
/home/user/path/to/assets/includes/operations.php on line 38
Information Disclosure
Every piece of information can be leveraged
LO
G
SAM
PLE

138. Social Engineering

139. Weak password reset
processes
Can you Google the answer?
How do you handle customer support reset?

140. Customer support
training
Convenience vs Security

141. @N’s (Naoki Hiroshima) Story
How do you mitigate against this?

142. Image by Jenny released under CC BY-NC-ND 2.0
Hope

143. Holistic

144. A.B.C.

145. Always Be C Patching

146. Patching Strategy
If a dependency prevents updating, resolve it
now

147. Version properly
Major.Minor.Patch. How hard is that?

148. Don’t become
comfortable
Comfort breeds contempt

149. Read
Know about new threats and best practice
changes

150. Training Strategy
Have a process for dealing with account
locks and resets

151. Compromise Strategy
Have a plan before you need it

152. Information
Only store what you really need

153. Mistakes will be made
Learn from them

154. Rate limit
Built it now, or you’ll have to build it while an
incident is underway

155. Monitor everything
You’re more likely to be alerted by a graph
spiking than your IDS

156. Decouple roles
Databases, servers, domains, roles, ...

157. Image by Matt McGee released under CC BY-ND 2.0
Group Performance

158. Thank you
https://joind.in/talk/0a184
@thomas_shone