Gary Harkin 1
Computer Security
Goals
Give Denbigh his Birthday off.
Get Gary out of the office for a bit.
Understand the basics of software security.
Understand the basics of computer security.
Provide minimal opportunity for performance evaluation.
Why Is This Funny?
Consider the Application
Add a new user to the database:
Get the user's name and other stuff.
Add the user's name (and other stuff) to the database.
High-fives all around.
Which looks like?
$name = $_POST['name_from_form'];
// $name goes straight into the SQL text, quotes and all
mysql_query("INSERT INTO students (name) VALUES ('$name')", <some other stuff>);
high_fives_all_around("$name added");
And You Get This SQL
If $name has the value 'Jimmie'
INSERT INTO students (name) VALUES ('Jimmie');
SQL Injection Strikes
If name = ROBERT');DROP TABLE students;--
INSERT INTO students (name) VALUES ('ROBERT');DROP TABLE students;--')
stmt 1: INSERT INTO students (name) VALUES ('ROBERT');
stmt 2: DROP TABLE students;
stmt 3: --')
What's the Solution?
$name = $_POST['name_from_form'];
// Allowlist check. The pattern must be anchored: an unanchored '[a-zA-Z ]'
// accepts any value that contains a single letter, including the ROBERT payload.
// preg_match() replaces the slide's ereg(), which no longer exists in current PHP.
if (!preg_match('/^[a-zA-Z ]+$/', $name)) {
    print("<B>Stop that!</B>");
    exit;
}
mysql_query("INSERT INTO students (name) VALUES ('$name')");
high_fives_all_around("$name added");
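The allowlist regex is one defence; the more robust fix is to keep user data out of the SQL text entirely with a parameterized query. The block below is an added example, not code from the slides, written in Python with the standard sqlite3 module rather than PHP/MySQL. It feeds the slide's two inputs (Jimmie and the ROBERT payload) through a string-built INSERT and through a parameterized one, alongside an anchored allowlist check. The helper run_multi is this example's assumption: it models a database API that executes every statement it is handed, which is the behaviour the slide describes; many drivers, PHP's mysql_query among them, accept only one statement per call, in which case the payload breaks the query rather than dropping the table.

```python
import re
import sqlite3

# Constructed inputs: the two values the slides feed to the INSERT.
GOOD_NAME = "Jimmie"
INJECTED_NAME = "ROBERT');DROP TABLE students;--"

# Anchored allowlist: the whole value must be letters and spaces.
NAME_RE = re.compile(r"[A-Za-z ]+")


def name_is_allowed(name: str) -> bool:
    """True only if every character is a letter or a space."""
    return NAME_RE.fullmatch(name) is not None


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.commit()
    return conn


def run_multi(conn: sqlite3.Connection, sql: str) -> None:
    """Execute every complete statement in `sql`, in order.

    Assumption of this example: models a driver that runs all statements in
    the string (sqlite3's own execute() refuses more than one). Statements are
    split on ';' and only handed over once complete_statement() says the
    quotes are balanced; a trailing comment-only fragment never completes
    and is simply dropped, which is exactly what happens to the '--' tail.
    """
    pending = ""
    for chunk in sql.split(";"):
        pending += chunk + ";"
        if not sqlite3.complete_statement(pending):
            continue
        if pending.strip(" ;\n\t"):  # skip empty statements
            conn.execute(pending)
        pending = ""
    conn.commit()


def add_student_vulnerable(conn: sqlite3.Connection, name: str) -> None:
    """The slide's pattern: user input spliced into the SQL text."""
    sql = "INSERT INTO students (name) VALUES ('%s');" % name
    run_multi(conn, sql)


def add_student_safe(conn: sqlite3.Connection, name: str) -> None:
    """Parameterized query: the value travels separately from the SQL text
    and is stored literally, quotes and all, so it can never become SQL."""
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))
    conn.commit()


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'students'"
    ).fetchone()
    return row is not None


def student_names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT name FROM students ORDER BY name")]


if __name__ == "__main__":
    db = fresh_db()
    add_student_vulnerable(db, INJECTED_NAME)
    print("vulnerable path, table still exists:", table_exists(db))  # False

    db = fresh_db()
    add_student_safe(db, INJECTED_NAME)
    print("safe path, table still exists:", table_exists(db))  # True
    print("safe path, stored rows:", student_names(db))

    for candidate in (GOOD_NAME, INJECTED_NAME):
        print(repr(candidate), "allowed:", name_is_allowed(candidate))
```

The parameterized path stores the ROBERT payload as an ordinary 31-character name and the table survives; the allowlist is still worth keeping as a first filter, but the query shape is what makes the outcome independent of the input.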
Other Web Evils?
There are roughly 20 different types of web attacks, but each has variations.
Buffer overflows, Cross-site Scripting, Format string exploits, Command Injection, Magic URL exploits, Race condition exploits, weak random number exploits, ...
But It's All For Fun, Right?
Not Really
More than 50% of attacks are now motivated by money.
There are now multiple boiler rooms that consist of teams dedicated to computer crimes.
Cross-site Scripting
Phishing and Pharming aren't just about food.
You see a link saying "Click here to win a free Spring Break vacation."
But the link is: http://www.stickit2em.com/sucker.php
What should you do?
Cross-site Scripting
The Sin: You have a web site that allows users to post, but you don't check for dangerous code.
The Setup: A user posts a message that includes:
<A HREF="http://www.sorry.com">Help Here</A>
Cross-site Scripting
The Mistake: "I need help, I think I'll click on that!"
The Con: Enter your username and password to get help.
The Bigger Mistake: Duh, OK!
What To Do?
Sanitize your user inputs.
Only legal values allowed?
Escape dangerous stuff.
<A HREF="http://www.sorry.com">Help Here</A> becomes
&lt;A HREF="http://www.sorry.com"&gt;Help Here&lt;/A&gt;
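Both of the slide's options in working form, as an added example that is not part of the original deck: a field with a known legal shape (the username) is checked against an allowlist, and free-form message text is escaped at the point it is written into HTML. The page template, the username rule and the post layout are assumptions of this example; the posted link is the one from the slide. html.escape with quote=True also escapes the two quote characters, so the same function is safe for text placed inside a quoted attribute.

```python
import html
import re

# Constructed sample: the link from the slide, posted as message text.
POSTED_LINK = '<A HREF="http://www.sorry.com">Help Here</A>'

# "Only legal values allowed?": a username has a known shape, so allowlist it.
# Letters, digits, '_' and '-', 1 to 32 characters (assumed rule for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def username_is_allowed(username: str) -> bool:
    """True only if the whole value matches the allowed shape."""
    return USERNAME_RE.fullmatch(username) is not None


def escape_for_html(text: str) -> str:
    """"Escape dangerous stuff": free-form text must be displayed, never parsed.

    html.escape turns '&', '<', '>', '"' and "'" into entity references, so the
    browser shows the characters instead of treating them as markup."""
    return html.escape(text, quote=True)


def render_post(username: str, message: str) -> str:
    """Render one post into the (assumed) page template.

    The username is allowlisted and still escaped, the message is escaped;
    user data is never concatenated raw into the HTML."""
    if not username_is_allowed(username):
        raise ValueError("illegal username: %r" % username)
    safe_user = escape_for_html(username)
    safe_msg = escape_for_html(message)
    return '<div class="post" data-author="%s"><b>%s</b>: %s</div>' % (
        safe_user,
        safe_user,
        safe_msg,
    )


if __name__ == "__main__":
    print(escape_for_html(POSTED_LINK))
    # &lt;A HREF=&quot;http://www.sorry.com&quot;&gt;Help Here&lt;/A&gt;
    print(render_post("alice", POSTED_LINK))
    for candidate in ("alice", "bob<script>", "a" * 33):
        print(repr(candidate), "allowed:", username_is_allowed(candidate))
```

The rendered page contains exactly the four tags of the template; the visitor sees the text of the posted link, not a clickable link, which is the outcome the slide's "becomes" line describes.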
Make the Illusion Good
The Viso-Geeks
How Big Is The Problem?
90% of web sites are vulnerable.
75% of hacks are the result of exploits in web-facing applications.
31% in .gov and .mil.
Estimated cost is $60 BILLION in U.S.
Annual increase in vulnerabilities reported is 42%.
Annual increase in attacks is 70%.
Average cost is up to $10 M per attack.
Do You Have Examples?
CardSystems – 2004
✔ 263,000 credit card numbers stolen
✔ 40 million exposed
✔ Millions in fraudulent purchases
✔ SQL Injection – attackers dropped a job into the database that ran every 4 days sending records to a remote site.
MySpace XSS
MySpace 2006 XSS using Flash redirect:
embed allowscriptaccess="never" src="http://i105.photobucket.com/albums/mff225/yrkblack/redirecft.swf"
The redirect then has access to the account of the user, allowing it to make the same change on their page. It's an XSS worm.
PayPal XSS
PayPal 2004*-2006 XSS using parameter substitution:
www.paypal.com/xcheck?nextpage=...
nextpage should be the addr or resolution page. PayPal didn't bother to check if nextpage made sense.
Attackers spammed people. They followed the link and then entered their login data and more.
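The missing check in the PayPal case is "does nextpage make sense?". Below is an added example of such a check, not code from the slides or from PayPal: the parameter is mapped onto a destination the site itself chose, and anything unrecognised falls back to a default rather than being echoed into a redirect or a page. The page keys addr and resolution come from the slide; the paths they map to, the trusted host set and the default are assumptions of this example.

```python
from urllib.parse import urlsplit

# Assumed values for this example. The slide names only "addr" and "resolution".
ALLOWED_PAGES = {"addr": "/addr", "resolution": "/resolution"}
ALLOWED_PATHS = set(ALLOWED_PAGES.values())
TRUSTED_HOSTS = {"www.paypal.com"}
DEFAULT_PATH = "/addr"


def safe_next_page(nextpage: str) -> str:
    """Map the untrusted nextpage parameter onto a destination we control.

    Accepted forms:
      * a known page key ("addr", "resolution");
      * a relative path that is on the allowlist ("/resolution");
      * an absolute http(s) URL whose host is trusted and whose path is on
        the allowlist; only the path is kept, the rest of the URL is dropped.
    Everything else, including scheme-relative URLs ("//evil/..."),
    userinfo tricks ("https://trusted@evil/...") and look-alike hosts,
    falls back to DEFAULT_PATH. The raw parameter is never returned.
    """
    if nextpage in ALLOWED_PAGES:
        return ALLOWED_PAGES[nextpage]

    parts = urlsplit(nextpage)

    # Relative path: no scheme, no host, and the path itself is allowlisted.
    if not parts.scheme and not parts.netloc and parts.path in ALLOWED_PATHS:
        return parts.path

    # Absolute URL: scheme, host and path must all pass.
    if (
        parts.scheme in ("http", "https")
        and parts.hostname in TRUSTED_HOSTS
        and parts.path in ALLOWED_PATHS
    ):
        return parts.path

    return DEFAULT_PATH


if __name__ == "__main__":
    # Constructed test values; the stickit2em.com URL is the slide's own example.
    for candidate in (
        "addr",
        "resolution",
        "/resolution",
        "https://www.paypal.com/resolution",
        "http://www.stickit2em.com/sucker.php",
        "//www.stickit2em.com/sucker.php",
        "https://www.paypal.com@www.stickit2em.com/addr",
        "http://www.paypal.com.stickit2em.com/addr",
    ):
        print("%-50s -> %s" % (candidate, safe_next_page(candidate)))
```

Comparing the host against a fixed set, rather than checking that the string "contains" or "starts with" the site's name, is what defeats the look-alike and userinfo variants in the demonstration list.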
Poker Face
Paradise Poker Site – 2005
A user notices that when the dealer shows an Ace and has a pocket 10, there is a longer delay than if the hole card is something else.
He wins big for a while. Abuse of Functionality exploit.
What To Do?
You have 2.5 million lines of code and that code is constantly churned by extensions and bug fixes.
Test everything a user can do in every possible way to find vulnerabilities??
There are many things that are perniciously subtle.
You can never make it perfectly safe or prove that it is.
Accept the security breach or clean a litter box.
Take your pick.
Vulnerability Fixing Costs
[Bar chart: $ Cost of fixing a vulnerability by phase (Design, Development, QA, Maintenance); y-axis $ Cost, 0 to 140]
When Controls Fail
It Can Get Expensive
TJ Maxx - $135 M and up to $4.5 B
AICPA - $30 M
ChoicePoint - $15 M +
U of C (Los Alamos) - $3 M fine
MSU - ?
Identity theft cost averages $32 K
Average cost is $10 M
Impacts nearly 25% of companies/year
Legals
33 states have disclosure laws
Sarbanes-Oxley
Health Information Portability and Accountability Act
PCI DSS
ISO 17799
Gramm-Leach-Bliley Act (Financial Ind.)
Does Anybody Get Caught?
Yes, increasingly
Brian Salcedo, 9 years, cracking Lowes'.
Kevin Mitnick, 5 years, $4k, "Takedown".
Unnamed 15-year-old, 12 months probation + CS; Singapore newspaper using news/news.
Jeanson Ancheta, 5 yrs, $15,000, installing adware on zombies.
Ken Flury, 3 years, $300K, stolen CitiBank debit card numbers.
I order you to wear a tie every day, take on a huge mortgage, join the local Rotary Club and act normal in public
Bottom Line
If you're on the Web, you have security issues.
If you allow the users to input anything, you have bigger issues.
If you store any data, you have really big issues.