
Security Theatre - Benelux

The Benelux presentation of Security Theatre which talks about just how bad our security is and what we can do about it.

Published in: Technology
Security Theatre - Benelux

  1. Booking.com WE ARE HIRING Work @ Booking: http://grnh.se/seomt7
  2. Security Theatre @thomas_shone Image by Matt McGee released under CC BY-ND 2.0 https://joind.in/talk/7c669
  3. Illusion
  4. Denial
  5. I know about OWASP!
  6. If you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated” @thegrugq Reference: https://twitter.com/thegrugq/status/658991205816995840
  7. But I use antivirus!
  8. Crypting services make most antivirus techniques useless Reference: http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/
  9. Let us put an unsecured node.js server on your personal computer: TrendMicro Antivirus on Windows, Jan 2016 https://code.google.com/p/google-security-research/issues/detail?id=693
  10. Remote code execution via your mail client downloading an email: Sophos Antivirus, June 2015 https://lock.cmpxchg8b.com/sophailv2.pdf
  11. We’re all bad at security
  12. Users are bad at security
      ➢ Weak passwords
      ➢ Password reset questions
      ➢ Human verification sucks
      ➢ Clickbait and phishing
      ➢ Attachments
      ➢ URL mistype
      ➢ Routine and workarounds
      ➢ Convenience trumps security
  13. Developers are bad at security Reference: https://github.com/
  14. Hackers are bad at security
  15. A study in scarlet
  16. 43 applications, libraries or frameworks; over 4,800 versions; over 10 million files
  17. 255,000 scans, about 6k/month from June 2012 till now
  18. Results, July 2015
  19. Most popular software: it’s not what you think
  20. How bad is it?
  21. Why is it so bad?
  22. I have seen things: Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn
  23. Versioning Hell: 1.3-final-beta6-pre-patch3
  24. OpenX: backdoored for almost a year
  25. Lessons Learnt
  26. Versioning: projects with bad versioning also have some of the worst security issues
  27. Automatic Patching: if your software comes with automatic upgrading, people will use it
  28. Plugins and Templates: if an update needs manual changes for plugins or templates, no one updates
  29. Patch Fatigue Exists Image by Aaaron Jacobs released under CC BY-SA 2.0
  30. Anger Image by Josh Janssen released under CC BY-ND 2.0
  31. Why doesn’t someone do something about it?
  32. Private industry keeps threatening security researchers
  33. "How many Fortune 500 companies are hacked right now? Answer, 500." Mikko Hypponen, CRO of F-Secure Reference: https://twitter.com/mikko/status/184329161257652227
  34. Why don’t we have some form of standard?
  35. We have ISO 27001/2, ISO 15408, RFC 2196, PCI DSS, NIST, … Reference: https://en.wikipedia.org/wiki/Cyber_security_standards
  36. Why doesn’t the government do something about it?
  37. A Ukrainian power plant was hacked and shut down because someone had macros enabled in Excel Reference: https://t.co/PA7cDQC9EI
  38. NSA: We’re just upgrading your megaflops, promise.
  39. Reference: https://t.co/PA7cDQC9EI Image by Unknown released into the Public Domain
  40. Bargaining Image by Jeroen Moes released under CC BY-SA 2.0
  41. But what if we installed advanced IDSs, WAFs and specialised network hardware?
  42. We probably only knew about one of the two backdoors in our system: Juniper Networks, Dec 2015 http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/
  43. IDSs produce reports. Managers like reports: it helps them feel like they can "manage" security http://security.stackexchange.com/questions/12164/how-effective-is-an-ids-at-catching-targeted-attacks
  44. We’ll start following prescribed security standards
  45. That’s great for your insurance premiums
  46. Depression
  47. Ninety percent of everything is crap. Sturgeon's law Reference: https://en.wikipedia.org/wiki/Sturgeon%27s_law
  48. Acceptance Image by Stephan Brunet released under CC BY-SA 3.0
  49. Effective?
  50. Most of our security practices are ineffective
  51. We do security in isolation
  52. Holistic
  53. Area of Influence: Hardware, Drivers, Services, Your Dependencies, Operating System, Your Software, Humans, Network / Internet
  54. Hardware, Drivers, Services, Your Dependencies, Operating System, Your Software, Humans, Network / Internet, HR/Training, System Administrators, Downstream Providers
  55. Layered Image by Cadw released under OGL via Commons
  56. Surface Area Image by Albert Bridge released under CC BY-SA 2.0
  57. Alertness Image by MeganCollins released under CC BY-NC-ND 3.0
  58. Mitigation Image by Pivari.com released under CC BY-SA 3.0
  59. Trust
  60. Trust?
  61. Be aware of what you’re trusting
  62. The hardest part of security is not writing secure code
  63. It’s understanding where you misplace your trust
  64. Trust is a chain
  65. I trust my computer is not compromised: up-to-date patches
  66. I trust that the software is without vulnerability: vulnerability research and security updates
  67. I trust that the software is configured properly: automated provisioning
  68. I trust that the network is configured properly and secure: good system administrators
  69. I trust you are who you say you are: TLS certificate peer verification or authentication
  70. I trust you are allowed to talk to me about this topic: authorization
  71. I trust that what you send me hasn’t been tampered with: hashes or signatures
  72. I trust that what we talk about is just between us: public and private keys
  73. I trust your computer is not compromised: ????
  74. I trust that what we talk about won’t be shared with others: contracts, legalities, terms of use, ????
  75. I trust that the user won’t be the weak link: training and procedures
  76. Turn your chain into a mesh Image by ineverfinishanyth released under CC BY-NC-SA 2.5
  77. Common Mistakes
  78. Weakening: compromising encryption or hashing is about reducing the time to crack
  79. Implementation: a bad implementation helps reduce the time to crack
  80. Authentication
  81. 2 Factor Authentication: composer require pragmarx/google2fa
  82. OAuth2: composer require league/oauth2-client
  83. Sessions
  84. Never roll your own Image by Wouter van Emmerik released under CC BY-SA 3.0
  85. Mistakes: deep understanding of the language (CODE SAMPLE) Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505

        // Vulnerable as published (CVE-2011-2505). parse_str() with a single
        // argument registers every query-string key as a local variable, so the
        // request controls $session_to_unset and anything else this scope reads.
        if (strstr($_SERVER['QUERY_STRING'], 'session_to_unset') != false) {
            parse_str($_SERVER['QUERY_STRING']);
            session_write_close();
            session_id($session_to_unset);
            session_start();
            $_SESSION = array();
            session_write_close();
            session_destroy();
            exit;
        }
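A hardened counterpart of the handler on slide 85, added here as an example (not code from the slides or from phpMyAdmin). The function name is hypothetical; it assumes the session cookie of the current request identifies the only session the caller is allowed to destroy.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides or phpMyAdmin. The slide's bug: parse_str()
// with ONE argument writes every query-string key into the local symbol table,
// so the request decides what $session_to_unset contains and session_id() is
// then pointed at a caller-chosen session. Two changes close it:
//   1. parse into an array (second argument), never into variables;
//   2. never switch sessions on request: only the session the caller already
//      holds may be destroyed, and the id must match PHP's own id alphabet.

function handleSessionUnset(string $queryString): bool
{
    parse_str($queryString, $params);           // array, not symbol table

    $requested = $params['session_to_unset'] ?? null;
    if (!is_string($requested)) {
        return false;                           // absent, or an array like a[]=x
    }

    // Reject anything outside the characters PHP itself emits for session ids
    // before it gets anywhere near the session layer.
    if (!preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $requested)) {
        return false;
    }

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();                        // resumes the caller's OWN session (from its cookie)
    }

    // Constant-time comparison against the session the caller actually holds.
    if (!hash_equals(session_id(), $requested)) {
        return false;                           // someone else's id: ignore it
    }

    $_SESSION = [];
    return session_destroy();
}

// Usage from the request handler (constructed call):
// handleSessionUnset($_SERVER['QUERY_STRING'] ?? '');
```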
  86. Encryption
  87. Never roll your own Image by Wouter van Emmerik released under CC BY-SA 3.0
  88. Avoid old tutorials on encryption https://gist.github.com/paragonie-scott/e9319254c8ecbad4f227
  89. Avoid advice like this: weakening security for convenience (CODE SAMPLE)

        Failed: Error Number: 60. Reason: SSL certificate problem, verify that the CA cert is OK.
        Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

        // Many old tutorials and posts suggest disabling peer verification
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
        // Thankfully PHP 5.6+ handles the CA certificate location automatically
        // now, thanks to https://wiki.php.net/rfc/improved-tls-defaults and
        // Daniel Lowrey
  90. Hashing
  91. Never roll your own Image by Wouter van Emmerik released under CC BY-SA 3.0
  92. One-way encoding: comparisons / integrity checks
  93. 278,362,281: number of accounts publicly leaked Reference: https://haveibeenpwned.com/
  94. Weak hash functions: +/- 690GB rainbow tables
  95. Bad implementation: where is the weakness? (CODE SAMPLE)

        $password = 'rasmuslerdorf';
        $hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';

        // Is this call safe?
        if (crypt($password, $hash) === $hash) {
            echo 'Password is correct';
        }

        // What about this one?
        if (password_verify($password, $hash)) {
            echo 'Password is correct';
        }
  96. Timing Attacks: brute forcing cryptographic functions via the time taken to execute
  97. Timing Attacks: how it works (CODE SAMPLE)

        $string1 = 'abcd';
        $string2 = 'abce';
        $string3 = 'acde';

        for ($i = 0; $i < 10000; $i++) {
            ($string1 === $string2);
        }
        // Time taken: 0.006923

        for ($i = 0; $i < 10000; $i++) {
            ($string1 === $string3);
        }
        // Time taken: 0.008344
  98. Timing attacks can be used to work out if an account exists, even if the UI doesn't say so. @troyhunt, haveibeenpwned.com Reference: https://t.co/5WkQ48suj7
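The following login routine, added as an example that is not from the slides, answers the "where is the weakness?" question on slide 95 and the account-enumeration point on slide 98: it relies on password_verify() for constant-time comparison and always performs the bcrypt work, whether or not the username exists. The user table is constructed and the function name is hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides.
//
// Why `crypt($password, $hash) === $hash` is the weaker call: `===` stops at
// the first differing byte (the behaviour slide 97 measures), and crypt()
// returns a short failure marker such as "*0" when the salt is unusable, which
// would compare equal to a stored "*0". password_verify() compares in constant
// time and rejects those short results.
//
// Second leak: skipping the hash when the username is unknown makes "no such
// user" measurably faster than "wrong password", so timing reveals accounts.

// Constructed user table. Real code loads the hash row from the database.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// A hash of throwaway random input, made once (at deploy time, same algorithm
// and cost as real users) so a login for an unknown user costs the same bcrypt
// work as a login for a known one.
$dummyHash = password_hash(bin2hex(random_bytes(32)), PASSWORD_DEFAULT);

function login(array $users, string $dummyHash, string $username, string $password): bool
{
    $known = array_key_exists($username, $users);
    $hash  = $known ? $users[$username] : $dummyHash;

    // Always run the full verification; the result for an unknown user is discarded.
    $verified = password_verify($password, $hash);

    return $known && $verified;
}

// Constructed checks (throw rather than print, so a wrong result is loud).
if (!login($users, $dummyHash, 'alice', 'correct horse battery staple')) throw new LogicException('valid login rejected');
if (login($users, $dummyHash, 'alice', 'wrong')) throw new LogicException('bad password accepted');
if (login($users, $dummyHash, 'mallory', 'anything')) throw new LogicException('unknown user accepted');
```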
  99. Well actually: the amount of randomness matters Reference: http://blog.ircmaxell.com/2012/12/seven-ways-to-screw-up-bcrypt.html
  100. Rehash: build it into your flow (CODE SAMPLE)

        $password = 'rasmuslerdorf';
        $hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';

        // Check the password
        if (password_verify($password, $hash)) {
            echo 'Password is correct';
            if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
                // Rehash and store in database
                $newPassword = password_hash($password, PASSWORD_DEFAULT);
            }
        }
  101. Randomness
  102. Never roll your own Image by Wouter van Emmerik released under CC BY-SA 3.0
  103. Non-deterministic randomness is critical in encryption: used for key generation and nonces
  104. Non-deterministic randomness is hard: Dual_EC_DRBG was in use for 7 years
  105. Random in code: know the source (CODE SAMPLE)

        // NOT cryptographically secure
        rand();
        // Cryptographically secure (uses OS-specific source)
        random_int(0, 100);
        // Cryptographically secure (uses OS-specific source)
        random_bytes(16);
        // Cryptographically secure (uses OpenSSL library)
        openssl_random_pseudo_bytes(16);
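A password-reset token built on the random_bytes() source from slide 105, added as an example that is not from the slides. Constants and function names are hypothetical; the "database record" is an in-memory array.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. Three things that usually go wrong with
// reset tokens: a predictable source (rand/mt_rand/uniqid), storing the token
// itself (a database leak then equals a reset for every user), and a
// non-constant-time lookup. Each is handled below.

const TOKEN_BYTES = 32;          // 256 bits of entropy from the OS CSPRNG
const TOKEN_TTL   = 15 * 60;     // short lifetime limits the window

/** Issue a token: the secret goes to the user, only its hash is stored. */
function issueResetToken(): array
{
    $token = bin2hex(random_bytes(TOKEN_BYTES));   // never rand() / mt_rand() / uniqid()
    return [
        'secret' => $token,                         // goes into the e-mailed link
        'record' => [                               // goes into the database
            'hash'    => hash('sha256', $token),    // fast hash is fine: the token is high-entropy
            'expires' => time() + TOKEN_TTL,
        ],
    ];
}

/** Check a presented token against the stored record. */
function verifyResetToken(string $presented, array $record, ?int $now = null): bool
{
    $now = $now ?? time();
    if ($now > $record['expires']) {
        return false;
    }
    // hash_equals(): comparison time does not depend on where the strings differ.
    return hash_equals($record['hash'], hash('sha256', $presented));
}

// Constructed round trip.
$issued = issueResetToken();
if (!verifyResetToken($issued['secret'], $issued['record'])) throw new LogicException('valid token rejected');
if (verifyResetToken(str_repeat('0', 64), $issued['record'])) throw new LogicException('forged token accepted');
if (verifyResetToken($issued['secret'], $issued['record'], time() + TOKEN_TTL + 1)) throw new LogicException('expired token accepted');
```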
  106. Information Disclosure
  107. Information Disclosure: every piece of information can be leveraged (LOG SAMPLE)

        HEAD http://example.com/index.php
        200 OK
        Connection: close
        Date: Sat, 26 Dec 2015 13:52:01 GMT
        Server: Apache
        Content-Type: text/html; charset=UTF-8
        Client-Date: Sat, 26 Dec 2015 13:52:01 GMT
        Client-Peer: 192.168.0.101:80
        Client-Response-Num: 1
        X-Powered-By: PHP/5.5.11
  109. Information Disclosure: every piece of information can be leveraged (LOG SAMPLE)

        Warning: require(assets/includes/footer.php) [function.require]: failed to open stream: No such file or directory in /home/user/path/to/assets/includes/operations.php on line 38
        Fatal error: require() [function.require]: Failed opening required 'assets/includes/footer.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/path/to/assets/includes/operations.php on line 38
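A small self-check for the two log samples above and for the curl advice on slide 89, added as an example that is not from the slides: the HEAD request keeps peer and host verification on, the parser flags the version-revealing headers, and the last lines show the runtime settings that keep PHP's own banner and error paths out of responses. Function names and the CA-bundle path are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides.

/** Headers that tell a reader what software and version is running. */
function disclosingHeaders(string $rawHeaders): array
{
    $found = [];
    foreach (preg_split('/\r?\n/', $rawHeaders) as $line) {
        if (preg_match('/^(Server|X-Powered-By|X-AspNet-Version|X-Generator):\s*(.+)$/i', $line, $m)) {
            $found[$m[1]] = trim($m[2]);
        }
    }
    return $found;
}

/** HEAD request with TLS verification left on; returns the disclosing headers. */
function headCheck(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,  // HEAD, as in the log sample
        CURLOPT_HEADER         => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // never 0: the CA chain is checked
        CURLOPT_SSL_VERIFYHOST => 2,     // never 0: the certificate name is checked
        // CURLOPT_CAINFO => '/path/to/ca-bundle.crt', // only if the OS store is unusable
    ]);
    $raw = curl_exec($ch);
    if ($raw === false) {
        // A verification failure is a finding to fix on the server, not to silence here.
        throw new RuntimeException('curl: ' . curl_error($ch));
    }
    return disclosingHeaders($raw);
}

// Constructed copy of the slide's log sample, so the parser can be exercised offline.
$sample = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\nX-Powered-By: PHP/5.5.11\r\n";
$leaks  = disclosingHeaders($sample);
if ($leaks !== ['Server' => 'Apache', 'X-Powered-By' => 'PHP/5.5.11']) throw new LogicException('parser');

// Serving side, for the second log sample: errors go to the log, not the client,
// and the PHP banner header is dropped (expose_php=Off in php.ini and ServerTokens
// Prod in Apache cover what cannot be changed at runtime).
ini_set('display_errors', '0');
ini_set('log_errors', '1');
header_remove('X-Powered-By');
```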
  110. Social Engineering
  111. Weak password reset processes: can you Google the answer? How do you handle customer support resets?
  112. Customer support training: convenience vs security
  113. @N’s (Naoki Hiroshima) story: how do you mitigate against this?
  114. Hope Image by Jenny released under CC BY-NC-ND 2.0
  115. Holistic
  116. Read: know about new threats and best practice changes
  117. Information: only store what you really need
  118. Patching Strategy: if a dependency prevents updating, resolve it now
  119. Don’t become comfortable: comfort breeds contempt
  120. Training Strategy: have a process for dealing with account locks and resets
  121. Compromise Strategy: have a plan before you need it
  122. Mistakes will be made: learn from them
  123. Rate limit: build it now, or you’ll have to build it while an incident is underway
  124. Monitor everything: you’re more likely to be alerted by a graph spiking than by your IDS
  125. Decouple roles: databases, servers, domains, roles, ...
  126. Version properly: Major.Minor.Patch. How hard is that?
  127. Composer everything: there is no excuse anymore
  128. Decouple plugins/templates: updates should be simple
  129. Get behind PSR-9 & 10 http://www.php-fig.org/psr/
  130. Group Performance Image by Matt McGee released under CC BY-ND 2.0
  131. Thank you https://joind.in/talk/7c669 @thomas_shone
