This talk, originally given at WellRailed, dives into what timing attacks are, some examples, and how to defend against them.
A timing attack is when an attacker can figure out stuff they shouldn’t by asking questions and measuring how long it takes for you to respond.
Originally presented on 26 May 2016: www.meetup.com/wellrailed/events/231113047/
Let's face it, the web can be a dangerous place. So how do you protect your users and yourself? Tony Amoyal answers that and more as he shows how Rails can help protect against miscreants.
Having a reliable test suite is incredibly useful when making changes to an existing codebase, both big and small. Mutation testing frameworks run tests against slightly-changed source code in order to detect whether the tests are actually checking the different paths of logic through the application. The aim is to improve the robustness of your test suite, and give you confidence that you aren't introducing any unintended changes.
This presentation gives an overview of mutation testing, along with worked examples in JavaScript of how it catches gaps and improves test coverage.
How "·$% developers defeat the web vulnerability scannersChema Alonso
How "·$% developers defeat the web vulnerability scanners - Presentation Transcript
1.How ?¿$·& developers defeat the most famous web vulnerability scanners …or how to recognize old friends Chema Alonso Informática64 José Parada Microsoft Ibérica
2.Agenda
1.- Introduction
2.- Inverted Queries
3.- Arithmetic Blind SQL Injection
4.- Time-Based Blind SQL Injection using Heavy Queries
5.- Conclusions
3.1.-Introduction
4.SQL Injection is still here among us
5.Web Application Security Consortium: Comparison http://projects.webappsec.org/Web-Application-Security-Statistics 12.186 sites 97.554 bugs
6.Need to Improve Automatic Scanning
Manual scanning is not always possible
Time
Confidentiality
Money, money, money…
Need to study new ways to recognize old-fashioned vulnerabilities to improve automatic scanning tools.
7.2.-Inverted Queries
8.
9.Homers, how are they?
Lazy
Badly trained
Poor Experience in security stuff
Don´t like working
Don´t like computing
Don´t like coding
Don´t like you!
10.Flanders are Left-handed
11.Right
SELECT UID
FROM USERS
WHERE NAME=‘V_NAME’
AND
PASSWORD=‘V_PASSW’;
12.Wrong?
SELECT UID
FROM USERS
WHERE ‘V_NAME’=NAME AND
‘ V_PASSW’=PASSWORD
13.Login Inverted Query
Select uid
From users where ‘v_name’=name and ‘v_pass’=password
http://www.web.com/login.php?v_name=Robert&v_pass=Kubica’ or '1'='1
Select uid
From users where ‘Robert’=name and ‘Kubica’ or ‘1’=‘1’=password
FAIL
14.Login Inverted SQL Injection an example
Select uid
From users where ‘v_name’=name and ‘v_pass’=password
http://www.web.com/login.php?v_name=Robert&v_pass=’=‘’ or ‘1’=‘1’ or ‘Kubica
Select uid
From users where ‘Robert’=name and ’’=‘’ or ‘1’=‘1’ or ‘Kubica’=password
Success
15.Blind Attacks
Attacker injects code but can't directly access the data.
However this injection changes the behavior of the web application.
Then the attacker looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data.
Blind SQL Injection
Blind XPath Injection
Blind LDAP Injection
16.Blind SQL Injection Attacks
Attacker injects:
“ True where clauses”
“ False where clauses“
Ex:
Program.php?id=1 and 1=1
Program.php?id=1 and 1=2
Program doesn’t return any visible data from database or data in error messages.
The attacker can´t see any data extracted from the database.
17.Blind SQL Injection Attacks
Attacker analyzes the response pages looking for differences between “True-Answer Page” and “False-Answer Page”:
Different hashes
Different html structure
Different patterns (keywords)
Different linear ASCII sums
“ Different behavior”
For example: Response Time
18.Blind SQL Injection Attacks
If any difference exists, then:
Attacker can extract all information from database
How? Using “booleanization”
MySQL:
Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))
“ True-Answer Page” or “False-Answer Page”?
MSSQL:
Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1))) from sysusers)
Oracle:
Program.php?id=1 and 100>(Select ASCII(Sub
A Recipe for Password Storage: Add Salt to Taste - Nick Malcolm
First presented at OWASP NZ 2020.
https://owasp.org/www-event-2020-NewZealandDay/
Storing passwords is as simple as following a recipe when developers use their frameworks, but there are sometimes choices to make when it comes to ingredients and amounts. Argon, PBKDF2? What’s a Salt? How many rounds?
Join me on this cooking-themed presentation on password storage!
Every time a website gets breached you hope to hear “your password was salted and hashed” instead of “your passwords were stored in plain text” - but what does that actually mean, and why is it a good thing?
Wash your hands, don your apron, and join me as we follow the recipe for storing passwords safely. We’ll learn a bit about cryptography and one-way functions (that’s the hash!), how to source good ingredients (bcrypt, scrypt, argon, oh my!), why adding a pinch of salt helps, how many times must we stir the mix, and what happens if we miss a step? In the face of an attacker, will our delicious password loaf rise to the occasion, or will it fall flat in disappointment and despair?!
First presented at AISA Cyber Conference AU in 2018. How to “Speak Developer” and Create a Winning Security Culture in Your Software Development Teams.
There aren’t enough security people in the workforce to scale to the demands of our business needs, but there’s an untapped resource already sitting within our organisations: developers and testers. In this session we’ll learn how to speak their language and create a security culture which will support secure development and ultimately enable innovative practices within the business.
As security professionals we often battle to make ourselves understood with developers. Maybe we’re too risk oriented. Perhaps we’re only confident talking at a network level. Or our business has adopted an agile methodology and our old practices are being seen as road blockers. Whatever the reason, we need to change the way we interact with development teams.
By understanding their context, speaking their language, enabling them with tools, and being seen as a trusted advisor – not the enemy – we can move at a pace and scale where security is baked in to our development culture across the organisation.
If you’re a security professional working within an organisation that does software development, or an IT manager looking to make the most of limited resources, this session is for you.
How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover) - Nick Malcolm
Almost two thirds of confirmed breaches involve using weak or stolen passwords - it’s not a new threat, but it works. By the end of this talk you will understand the Account Takeover threat, and walk away with some techniques & tools for detection and response within your own web applications.
All aboard the Cyber Security Rollercoaster! - Nick Malcolm
Originally presented at ITx 2016: https://itx.nz/Programme/68/All-aboard-the-Cyber-Security-Rollercoaster
Not a day goes by where we don't hear of a website being hacked, a few hundred thousand user details being exposed, or another organisation scammed out of a pretty penny. The world of cyber security is hurtling along at break neck pace.
Nick Malcolm will push the pause button and look back at the highs and lows of the last year's major security incidents, and see what we can learn from them.
He will look at our current position, and in to the future. What are the threat trends and emerging risks we face awaiting us around the bend?
He will then show some of the technologies and innovations which are helping to keep the web secure, educate the public, and empower IT professionals.
It's a rollercoaster, but it doesn't have to be scary - climb aboard and learn how to enjoy the ride!
We can do a lot to secure our web-app backends, but ultimately our users email and password are the front door, and they're notoriously insecure. This talk quickly shows you how to mitigate this attack vector by detecting and responding to login anomalies using ThisData's Login Intelligence API.
This talk was originally presented at Ruby Nights Auckland on March 24 2016: http://www.meetup.com/aucklandruby/events/228852539/
Adding Two Factor Authentication to your App with Authy - Nick Malcolm
This talk explains what two factor authentication is, and how to implement it in a Ruby on Rails app with Authy.
Originally presented at Auckland Ruby Nights on April 23 2015: http://www.meetup.com/aucklandruby/events/221958178/
A short overview of why ThisData uses CloudFlare, and what web app developers can get if they too use CloudFlare.
This was originally presented at Auckland Ruby Nights on Dec 16 2015: http://www.meetup.com/aucklandruby/events/227131243/
3. What are we going to talk about?
What are timing attacks?
Some examples
Defense!
4. What are timing attacks?
When an attacker can figure out stuff they shouldn’t by asking questions and measuring how long it takes for you to respond
5. Example 1: String Comparison
Many string equality operators work left to right
If a user controls the input, they can execute a timing attack
  if params[:password] == "SECRET_PASSWORD"
    user.do_cool_thing!
  end
6. Password: S E C R E T. Guesses: “A”, “B”, … “S”, “SA”, “SB”, … “SE”
10. How it worked
I start with an empty string
I make 1000 guesses for chars ‘a’...‘z’
I measure how long each guess takes
I look at how the different characters compare to one another
The likely char sticks out, so I choose that
12. Is this practical in real life?
“We present the design of filters to significantly reduce the effects of jitter, allowing an attacker to measure events with 15-100µs accuracy across the Internet, and as good as 100ns over a local network.”
Opportunities and Limits of Remote Timing Attacks. Scott A. Crosby, Dan S. Wallach and Rudolf H. Riedi. May 2007
13. Am I vulnerable?
When checking password equality
“Forgot my password” tokens
“Security Questions”
API key validation, or HMAC validation
20. Secure Compare* - why it works
It transforms both inputs into Hashes*
Hashes are EQUAL LENGTH
It checks EVERY character, even if you’re already wrong
This makes it CONSTANT TIME
*variable_length_secure_compare
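Why the comparison on slide 20 closes the leak, as an added example (not code from the talk or from Rails). It counts byte comparisons instead of measuring time, so the data-dependent work is visible deterministically; the names leaky_compare, hashed_secure_compare and work_profile are hypothetical, and "SECRET" is the constructed password from the slides.

```ruby
require "digest"

# Early-exit comparison, modelling a left-to-right == on strings.
# Returns [equal?, byte_comparisons_performed].
def leaky_compare(guess, secret)
  steps = 0
  g = guess.bytes
  s = secret.bytes
  s.each_with_index do |byte, i|
    steps += 1
    return [false, steps] if g[i] != byte # stops at the first mismatch
  end
  [g.length == s.length, steps]
end

# The approach the slide describes: hash both inputs so they have equal
# length, then look at EVERY byte and only decide at the end.
# Returns [equal?, byte_comparisons_performed].
def hashed_secure_compare(guess, secret)
  a = Digest::SHA256.digest(guess).bytes
  b = Digest::SHA256.digest(secret).bytes
  diff = 0
  steps = 0
  a.each_index do |i|
    steps += 1
    diff |= a[i] ^ b[i] # accumulate differences, never branch on them
  end
  [diff.zero?, steps]
end

# For each guess: [guess, work done by leaky compare, work done by hashed compare].
def work_profile(guesses, secret)
  guesses.map do |g|
    [g, leaky_compare(g, secret)[1], hashed_secure_compare(g, secret)[1]]
  end
end

if __FILE__ == $0
  # Constructed sample guesses, following the slide's "A", "S", "SA", "SE" sequence.
  work_profile(%w[A S SA SE SECRET], "SECRET").each do |guess, leaky, hashed|
    puts format("%-7s leaky=%d hashed=%d", guess, leaky, hashed)
  end
end
```

In a Rails app, use the framework's own helper (ActiveSupport::SecurityUtils.secure_compare) rather than a hand-rolled loop like this one.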
25. Example 2: Password Reset Page
Someone submits “foo@bar.com”
We know not to say “this account did / did not exist”
But when account exists, we send an email. That takes time.
26. Example 2: Password Reset Page
  def forgot_password
    # The lookup and the (slow) mail delivery both happen inside the request
    if user = User.find_by(email: params[:email])
      Mailer.send_forgot_pwd(user)
    end
    render html: "<h1>If you have an account, we’ve sent you an email. Chur</h1>"
  end
28. Example 2: Password Reset Page
  def forgot_password
    # Always enqueue; the lookup and mail delivery happen later in the worker
    Resque.enqueue(ForgotPasswordSender, email: params[:email])
    render html: "<h1>If you have an account, we’ve sent you an email. Chur</h1>"
  end
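The two password-reset handlers from slides 26 and 28 side by side, as an added example (not code from the talk). Rails, Resque and the mailer are replaced by constructed in-memory stand-ins (FakeResque, USERS, OUTBOX are assumptions), and the body of ForgotPasswordSender, which the slides do not show, is one hypothetical way to write it.

```ruby
require "json"

# Constructed stand-ins: a user table, a mail outbox, and a job queue that
# JSON-encodes arguments, as Resque does before a worker sees them.
USERS  = { "foo@bar.com" => { id: 1 } }.freeze
OUTBOX = []
QUEUE  = []
RESPONSE = "<h1>If you have an account, we've sent you an email. Chur</h1>"

module FakeResque
  def self.enqueue(klass, args)
    QUEUE << JSON.generate("class" => klass.name, "args" => [args])
  end

  # Runs queued jobs, outside of any web request.
  def self.work_off
    until QUEUE.empty?
      job = JSON.parse(QUEUE.shift)
      Object.const_get(job["class"]).perform(*job["args"])
    end
  end
end

# Hypothetical worker: the account lookup and the slow mail delivery live here.
class ForgotPasswordSender
  def self.perform(args)
    email = args["email"].to_s # string key after the JSON round trip
    OUTBOX << email if USERS.key?(email)
  end
end

# Slide 26: work done in the request depends on whether the account exists.
def forgot_password_inline(params)
  OUTBOX << params[:email] if USERS.key?(params[:email])
  RESPONSE
end

# Slide 28: the request does the same work for every email address.
def forgot_password_queued(params)
  FakeResque.enqueue(ForgotPasswordSender, email: params[:email])
  RESPONSE
end

# Work performed before the response is returned, for one handler and email.
def in_request_work(handler, email)
  [OUTBOX, QUEUE].each(&:clear)
  body = send(handler, email: email)
  { body: body, mails_sent: OUTBOX.size, jobs: QUEUE.size }
end

if __FILE__ == $0
  %i[forgot_password_inline forgot_password_queued].each do |handler|
    ["foo@bar.com", "nobody@example.com"].each do |email|
      work = in_request_work(handler, email)
      puts "#{handler} #{email}: mails=#{work[:mails_sent]} jobs=#{work[:jobs]}"
    end
  end
end
```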
ThisData is a startup based out of Auckland. We are a cyber security service provider, focusing on detecting when bad guys log in to your website, pretending to be your users.
Like how Facebook, Google, and others email you when someone accesses your account from a weird location.
I’m @nickmalcolm on twitter, and I’m also @nickmalcolm on the Ruby NZ Slack group
First off, thanks for letting me present to you over the interwebs! I moved up here from Wellington in October, so it’s nice to be back at WellRailed. It’s my first time doing a presentation over the internet, so yell at the laptop if you can’t see something, or I go too fast, or if the quality drops out.
I’ll put the slides and example code up afterwards, and there’ll hopefully be some time for questions at the end.
So! We’re going to cover three main points:
what are timing attacks?
We’re going to look at some examples; a really close look at timing attacks with string comparison and ruby, also timing attacks in other parts of your rails apps, and then briefly if we have time at applications in other places.
After each of the examples we’ll look at a couple ways to defend against that attack.
So let’s get started!
What are timing attacks?
A simple way of putting it is that a Timing Attack is when an attacker can learn information that’s supposed to be a secret, by asking lots of questions over and over and measuring how long it takes for the computer to respond.
Every computation in a computer takes some amount of time to execute, and the time can differ based on the input; with precise measurements of the time for each operation, an attacker can work backwards to figure out the input.
In cryptography jargon, it’s called a side channel attack. We’re learning information without smashing our way through, or by brute force, or by using a weakness in an encryption algorithm.
We’re being sly - doing it on the side, in a way that might not usually get thought about.
So the most common place you’ll find timing attacks is when you’re doing String Comparison.
Many string equality operators work left to right
This includes Ruby’s == operator
They put the two strings side by side, and check each character one at a time
If the characters in both strings match, it moves to the next character, and checks that one.
As soon as two characters don’t match, it returns false
The more characters you have right, the more characters it has to look at, as it moves from left to right.
The longer it takes to return false.
I have mastered PowerPoint to bring you a slide of wondrousness!
Your app has a password called secret.
And we’re going to send a bunch of guesses at your app.
First we guess just the letter “a”. Nothing else. “A” is not “s”, so it returns false straight away.
So we move on.
We guess just the letter “b”. Nothing else. “B” is not “s” either, so it returns false straight away.
Eventually we get to the letter “S”.
We guess “S”, and lo and behold, “S” does equal “S”. So we need to ask “is the next character right?”. Well, there is no next character. We guessed just “S”. So since blank does not equal “E”, we return false.
Let’s say that now we’re guessing a string with two characters, s and a. Does “S” == “S”? Yes. OK, next character. Does “a” == “E”? No.
And again.
Eventually we get to “SE”. Does “S” == “S”. Yes. OK, next character. Does “E” == “E”? Yes. OK, next character. Does blank equal “C”? No. return.
For every character we get right, we need to then go and look at the next character. It takes a really really small amount of extra time to do this.
OK so I’ve written a script which will use a timing attack to figure out a password locally. It would be very naughty to use this against someone’s website.
It would also take a lot longer, which I’ll explain in a bit.
This is what my little password guesser will output to the console.
It’s a bar graph where the x axis is an a-z character it’s guessing, and the y axis is the result of analyzing the time differences between guesses.
You can see in this graph that the ‘x’ bar is an outlier; it’s much higher than all the rest. So my guesser will look at that, and decide that x must have been the correct character. It’s figured out the password starts with khx. It’s partway through figuring out the next character.
Switch to showing console
The basic idea is to make enough guesses that you see a pattern emerging.
Computers are predictable. There’s a really good chance if you ask it to do the same thing twice, it’ll take almost the same amount of time. And if you ask it enough times, any random noise can be smoothed out.
I’ll show you the code for my timing attacker, but it’s also just a proof of concept.
I’ve crafted the example code so that it will figure the password out in a shorter amount of time. A minute instead of a week.
I’ve changed the equality operator to be much slower than it would be in real life
This means I only have to do 1000 guesses to pretty well accurately figure out what the next character in the password is
In real life, you have to do more measurements over a longer period of time, but the principle remains the same
If you just look at which character took the longest, the differences are really really small.
To make it easier to see, I calculate the average across all of the guessed characters. So say, on average a character takes 1 millisecond to execute a guess. Then I compare each character against that average. Most characters stay really close to the average, because they’re … well, average! But IF there is a difference in any of the characters, they’ll stick out like a sore thumb.
So it seems like you have to make a lot of requests, and have really sensitive timing measurements, to accurately guess a password. Also, to do this against a Rails app would mean doing it across the internet. This creates latency, and gremlins in the networks can speed up or slow down requests arbitrarily.
This is true, but research from 2007 has shown that a difference of as little as 15 microseconds between requests can be detected over the internet. The key is that _if_ there is a difference, you only need to do lots of experiments to figure out what that difference is.
http://www.cs.rice.edu/~dwallach/pub/crosby-timing2009.pdf
https://codahale.com/a-lesson-in-timing-attacks/
A worst-case scenario for guessing an SHA1 hash would require 20×256×n measurements (20 bytes long, 256 possible options), where n is the number of measurements required to pin down a single byte. So if it took 1000 requests to guess correctly, it’d be around 5,000,000 requests. You could do that in less than a week at a barely-perceptible 10 req/s.
Depending on how the rate limiting works, you could add another machine in another country, and halve that.
The short answer is: hopefully not.
Rails was leaking information in their Basic HTTP Auth library until January this year! So if you haven’t updated since then, then perhaps you are.
http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/
But there are some other places we’ll commonly do vulnerable string equality checks.
A really common place is if you have a simple webhook controller for some third party service you use, and you have a hardcoded token, and use == to check if it’s right.
Security Questions might be another spot. If you have a really poor captcha implementation, perhaps that?
Forgotten password tokens when people are resetting their password.
Anywhere you have some secret, and use .eql? or ==.
Going back to that webhook controller example, let’s take a look at the current Rails docs.
This is a Posts controller, and the edit action is protected by a password. Can we spot the vulnerability?
Yes! ==. If you copied this code, then this controller is susceptible to a timing attack, and you should go and fix it.
I’ve had a PR accepted which updated the docs, but it doesn’t seem to have made it live yet… :(
So! Some of you might be feeling like this right now. Hopefully not too many. But let’s learn about how to defend against this.
As I’ve said, rate limiting works to an extent, but it’s really just slowing the attacker down. If you have good rate limiting, and a really long password, then you’re probably putting it out of feasible reach.
If you don’t have rate limiting, there is a gem called rack-attack which is super easy to use.
But the real solution is to not use == or .eql?. Instead use a method called secure compare!
This is secure_compare, and its sister method, variable_size_secure_compare. There are similar implementations in most languages, but this is the one Rails provides in ActiveSupport.
I really think the variable_size method should’ve been the “default”, because unless you read the docs you might still use secure_compare wrong. So if you have to choose one, choose variable_size_secure_compare.
I’m going to spend a couple minutes talking about why this works.
variable_size_secure_compare will turn both your guess, and the real secret, in to hashes. This makes them of equal size. It also has another property where a change in a guess will return a completely different string for comparison.
So here’s an example of what hashing does. The guess and the secret are equal length.
A cool side effect is that if you guess the letter a, it will turn your guess in to ‘ca978112...’
If you guess the letter c, it will turn your guess in to ‘2e7d2…’
Even though the hash of “secret” and the hash of your guess “c” both start with a 2, the character is completely wrong. It starts with an s, not a c.
There’s no feasible way to detect a pattern.
The reason we hash is so that strings have equal length, but I think the way that the guess changes each time is really cool too.
Again, the real important bit is to check every character. Doing this is what makes the equality operation take a constant amount of time. No matter how early you get a mismatch, it takes the same amount of time to return false.
Once you’ve generated your strings of equal length, like the hashes, it will iterate over each character’s byte (which is a number) and exclusive OR them. That value is assigned to a variable called res using OR EQUAL. As res is assigned a truthy value, like the result of a mismatching XOR, it won’t get reassigned.
Here’s what XORing two bytes looks like.
115 XOR 112 is 3.
101 XOR 101 is zero, because they’re the same.
But that value is discarded anyway, because res is already truthy.
2.2.0 :024 > secret.unpack "C#{secret.bytesize}"
=> [115, 101, 99, 114, 101, 116]
2.2.0 :025 > guess = "pecret"
=> "pecret"
2.2.0 :026 > guess.unpack "C#{guess.bytesize}"
=> [112, 101, 99, 114, 101, 116]
2.2.0 :027 > res = 0
=> 0
2.2.0 :028 > res |= 115 ^ 112
=> 3
Importantly, each character is subject to the XOR operation. The truthiness of res is checked for each character. And the result of each XOR is only written to res once during the execution of the method.
When you get to the characters which don’t match, setting res might take a teensy bit longer. But you’ll never know which character it was that caused res to become non zero, because the whole operation continues until all characters are checked.
So to reiterate, whether the characters match or don’t match, the operation still takes the same amount of time. And that’s what stops it from leaking information via timing attacks! Nifty.
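The two comparisons described above, side by side, as an added Ruby example (not the speaker's script and not ActiveSupport's source). The method names are hypothetical, SHA-256 is an assumption, and each method returns the number of byte comparisons it made as a deterministic stand-in for elapsed time.

```ruby
require "digest"

# Left-to-right comparison that stops at the first mismatch, as the talk
# describes for ==. Returns [equal?, byte comparisons performed]; the count
# is a deterministic stand-in for elapsed time.
def early_exit_compare(guess, secret)
  g = guess.bytes
  s = secret.bytes
  steps = 0
  [g.size, s.size].max.times do |i|
    steps += 1
    return [false, steps] unless g[i] == s[i] # nil once a string runs out
  end
  [true, steps]
end

# Comparison in the style the talk describes: hash both sides so they are
# the same length (SHA-256 assumed), then XOR every byte pair into res.
def constant_time_compare(guess, secret)
  g = Digest::SHA256.hexdigest(guess).bytes
  s = Digest::SHA256.hexdigest(secret).bytes
  res = 0
  steps = 0
  g.each_with_index do |byte, i|
    steps += 1
    res |= byte ^ s[i] # bitwise OR: a differing bit stays set, no early exit
  end
  [res.zero?, steps]
end

# Work done per guess against the talk's example secret (constructed input).
def work_profile(guesses, secret)
  guesses.map do |g|
    [g, early_exit_compare(g, secret)[1], constant_time_compare(g, secret)[1]]
  end
end

if __FILE__ == $PROGRAM_NAME
  work_profile(%w[a s sa se sec secret], "secret").each do |guess, naive, fixed|
    puts format("%-7s early-exit: %d  fixed: %d", guess, naive, fixed)
  end
end
```

The early-exit count grows with every correct leading character, while the fixed count is 64 for every guess. In a Rails app, call the ActiveSupport methods the talk names rather than a hand-rolled loop.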
CHECK THE TIME
So now we’re gonna look at a different form of information leakage via a timing attack. It has nothing to do with strings or equality operators.
We know it’s good practice to not say whether or not an email address has an associated account on your website. Otherwise you could find out that johnkey@parliament.govt.nz has an account on adultfuntimes.co.nz.
A common place to defend against this leak is on a password reset page.
After they submit the form, we don’t say whether the account existed or not. We just say if an account existed with that address, we’ll send you a password reset email
You might think that’s enough to stop information leakage.
Even if we don’t give away whether the account existed in the response page, it takes longer for the response to return when there is a call to a third party email service in there.
This is a timing attack caused by different code executing when a condition is met, or not met.
Here’s the problem code. We do something which takes extra time when an account exists.
Sending an email in a background job will make both responses really fast, but unless the “account does not exist” scenario also makes a request to a background job, then there will be perceptible differences.
The background job shouldn’t send the email; it should find the account and send the email. I.e. use the background job regardless of whether the account exists or not.
Some companies opt to email anyone who requests a password reset. If the account exists, the email has a link.
If not it has a message like “Hey, someone asked to reset a password, but we don’t think you’re actually signed up. If it was you, you probably signed up with a different email address. Have a nice day”.
I imagine that would be safe against timing attacks, but you also want to avoid spamming people - so rate limit that shiz.
Here’s an example where we use a background job regardless of whether the account exists or not. The operation is TIME CONSTANT regardless of input.
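What the job side of that design can look like, as an added example rather than the speaker's code. USERS, QUEUE, OUTBOX and run_worker are constructed stand-ins for the database, Resque's queue, the mailer and a worker, so the sketch runs without Rails or Resque; the body of ForgotPasswordSender is an assumption, since the slides only show its name.

```ruby
# Constructed stand-ins so the sketch runs without Rails or Resque.
USERS  = { "foo@bar.com" => { id: 1 } }.freeze
QUEUE  = [] # what Resque.enqueue would push to Redis
OUTBOX = [] # what the mailer would deliver

class ForgotPasswordSender
  # Resque calls self.perform with the enqueued arguments after a trip
  # through JSON, so hash keys arrive as strings.
  def self.perform(args)
    user = USERS[args["email"]]     # the account lookup happens here, off-request
    OUTBOX << args["email"] if user # stand-in for Mailer.send_forgot_pwd(user)
  end
end

# Request side: the same work for known and unknown addresses.
def forgot_password(params)
  QUEUE << [ForgotPasswordSender, { "email" => params[:email] }]
  "If you have an account, we've sent you an email."
end

# Worker side: drain the queue as a background worker would.
def run_worker
  until QUEUE.empty?
    klass, args = QUEUE.shift
    klass.perform(args)
  end
end
```

The request handler never touches the user table, so the only branch on account existence runs in the worker, where the requester cannot time it.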
There is a REALLY interesting talk by Mathias Bynens of Opera, where he can accurately figure out the age of visitors to his website, using Facebook. The gist of it is:
Create a whole bunch of demographic-restricted Facebook pages
Use Javascript, and browser preloading, to make your website visitor access those pages over and over again
If the response is really fast, Facebook is showing them an “Unauthorized” response.
If the response is slow, then the page is accessible and the resources are being downloaded.
Well worth a watch:
https://dev.opera.com/blog/timing-attacks/
I haven’t done any research, but my gut tells me that there are an increasing number of internet connected devices out there which probably aren’t defending against timing attacks.
If you have a public webcam with simple HTTP auth, what are the chances that it’s using a non-time-constant string comparison when checking the password?
So to reiterate, a timing attack is where you can learn things because changing the input makes it take a longer or shorter amount of time. You need to do things in a time constant manner to defend against them.
Key takeaway: try and wear your security hat every day. The more you do it, the more you’ll be able to spot problem areas in your code, or the code of your colleagues.
ruby/string.c
Also checks string length first, which I skipped in my example
ruby/missing/memcmp.c
This iterates over each character.
If two characters match, they will have the same byte value, and subtracting one from the other will equal zero. Zero is not truthy, so it keeps going.
If two characters don’t match, tmp will be non-zero, and that non-zero value is returned.
In the Ruby code, if memcmp returns 0, it returns true (the strings are the same).