INSECURE-Mag-39.pdf

8/13/2019 INSECURE-Mag-39.pdf

1/78


2/78


3/78


4/78

Hot topics and industry buzzwords come and go, but there are certain aspects of informationsecurity that, with time, have become essential. Many considered Web 2.0 to be just a wave ofweird project names and mostly useless services. However, with time, some small websitesbecame huge and big software players started offering their own web apps. Here we are a decade

later, and we can't even imagine using the Internet without accessing many of these services.

For today's Internet, web application security is not only important, it's essential, and that's whywe decided to cover it in this issue.

Mirko ZorzEditor in Chief

Visit the magazine website at www.insecuremag.com

(IN)SECURE Magazine contacts

Feedback and contributions: Mirko Zorz, Editor in Chief - [email protected]: Zeljka Zorz, Managing Editor - [email protected]: Berislav Kucan, Director of Operations - [email protected]

Distribution

(IN)SECURE Magazine can be freely distributed in the form of the original, non-modified PDFdocument. Distribution of modified versions of (IN)SECURE Magazine content is prohibitedwithout the explicit permission from the editor.

Copyright (IN)SECURE Magazine 2013.

www.insecuremag.com


5/78

Exploring attacks against PHP

applications

Imperva released its September HackerIntelligence Initiative report which presents anin-depth view of recent attacks against PHPapplications. The report also finds that

hackers are increasingly capable ofpackaging higher levels of sophistication intosimpler scripts, and identifies PHPSuperGlobals as a prime target that yields ahigh return on investment.

The PHP SuperGlobal parameters are gainingpopularity within the hacking communitybecause they incorporate multiple securityproblems into an advanced web threat thatcan break application logic, compromiseservers, and result in fraudulent transactionsand data theft.

In one month, Impervas research team notedan average of 144 attacks per application thatcontained attack vectors related toSuperGlobal parameters. Furthermore,researchers witnessed attack campaignslasting more than five months with requestburst floods of up to 90 hits per minute on asingle application.

Imperva researchers observed that attackersare capable of mounting complex attacks andpackaging them into simple-to-use tools.

However, while an impressive demonstrationof attack strength, the PHP method haspitfalls. An application security solution thatcan detect and mitigate a single stage of theattack can render the entire attack useless.

www.insecuremag.com 5


6/78

NSA's quest to subvert encryption,

install backdoors

Journalists from theNYT and ProPublicahave joined effortsand have published

the most explosivearticle to datedealing withrevelations aboutNSA spying efforts.

Backed by the documents shared by NSAwhistleblower Edward Snowden, they statethat the US National Security agency hasactively and for years now concentrated onthwarting or subverting encryption efforts via a

number of ways, and that their endeavorshave largely been successful.

"The agency has circumvented or crackedmuch of the encryption, or digital scrambling,that guards global commerce and bankingsystems, protects sensitive data like tradesecrets and medical records, andautomatically secures the e-mails, Websearches, Internet chats and phone calls ofAmericans and others around the world, thedocuments show," they claim.

"Many users assume or have beenassured by Internet companies that theirdata is safe from prying eyes, including thoseof the government, and the NSA wants tokeep it that way. The agency treats its recentsuccesses in deciphering protectedinformation as among its most closelyguarded secrets, restricted to those cleared

for a highly classified program code-namedBullrun."

They pointed out that after the NSA lost thevery public dispute in 1994 about whether itshould be allowed to fit a backdoor into allencryption, they decided they won't going tobe stymied by this setback and opted tosimply continued their efforts - this time insecret.

They did not concentrate on breakingencryption as much as making its useirrelevant. They did start using faster andfaster supercomputers for breaking

cryptographic keys, but they also, amongother things:

Secured the collaboration - either voluntaryor legally forced - from US and foreignInternet and telecom companies to gain theneeded access to the communications theywanted to review before they were encrypted.

Alternatively, when neither of those twoapproaches worked, they would steal thecompanies' encryption keys or secretly altertheir products to contain a backdoor onlyknown to the NSA.

Hacked into computers / endpoints beforethe messages were encrypted.

Influenced the US National Institute of

Standards and Technology (NIST) and theInternational Organization for Standardizationto adopt an encryption standard that has beenmade by the NSA to include a weaknessknown only to them.

All these things were, of course, done insecrecy. "The full extent of the NSAsdecoding capabilities is known only to alimited group of top analysts from the so-called Five Eyes: the N.S.A. and its

counterparts in Britain, Canada, Australia andNew Zealand," the reporters shared.

"The NSA has turned the fabric of the internetinto a vast surveillance platform, but they arenot magical. They're limited by the sameeconomic realities as the rest of us, and ourbest defense is to make surveillance of us asexpensive as possible," Bruce Schneierpointed out. "Trust the math. Encryption isyour friend. Use it well, and do your best toensure that nothing can compromise it. That'show you can remain secure even in the faceof the NSA."

It's interesting to note that both the NYT andProPublica have been asked by USintelligence officials not to publish this lastarticle, saying that "it might prompt foreigntargets to switch to new forms of encryption orcommunications that would be harder to

collect or read."

However, both publications have declined tocomply with that request.



7/78

New discovery will allow large-scale

quantum cryptography networks

Researchers from Toshibahave discovered a methodto build quantumcryptographycommunication networkswith a far greater scale thanever before. It will allowquantum cryptography to be

used beyond its current niche applications, forexample as part of the Smart CommunityNetworks that will manage and control energygeneration and consumption in the future.

Quantum cryptography shows great potentialto revolutionize the way sensitive data is

protected. It can be used to distribute secretdigital keys with a security that is notvulnerable to advances in computing,mathematics or engineering, and means any

hacker that "taps" an optical fiber will bedetected. At the same time, it could becomethe first prevailing technology to harness thepeculiar laws of quantum physics.

However, major obstacles still have to beovercome in order to make quantumcryptography viable for widespread use,

particularly regarding the number of usersthan can be connected to a single network.Up until now, implementing a quantumcryptography network has required anelaborate photon detector for each additionaluser.

The Toshiba team has discovered a techniqueto allow many users to share a single detectorand thereby greatly reduce the complexity ofthe network. The breakthrough means thatwith current technology, it would be possiblefor 64 users to connect to a single detector ina Quantum Access Network.

Barracuda WAF now on Windows

Azure

An Intel study, Whats Holding Back theCloud, (May 2012), reported that 87 percentof the IT professionals surveyed wereconcerned about security and data protectionand 28 percent have experienced a publiccloudrelated security breach, an increaseover the number of breaches experienced intheir traditional IT security infrastructure.

With the new cloud edition of the Barracuda

Web Application Firewall(www.barracuda.com/WAF) that can bedeployed on Microsoft Azure(www.barracuda.com/WAFonAzure),organizations now have the flexibility to

deploy the same strong protection in the cloudor on premise.

The Barracuda Web Application Firewall has

blocked over 11 billion real world attacks since2007. Organizations using the Barracuda WebApplication Firewall get a strong securityplatform that performs deep inspection of allWeb traffic, enabling it to provide a widerange of attack prevention capabilities at boththe network and application layers. Theseinclude SQL injections, XSS attacks, sessiontampering and buffer overflows as well asvolumetric and application-based DDoSprotection.

As a full proxy, the Barracuda Web ApplicationFirewall blocks or cloaks attacks, whilepreventing outbound data leaks of informationsuch as credit card or Social Securitynumbers. In addition, the Barracuda WebApplication Firewall mitigates broken accesscontrol to applications by preventing cookietampering and corruption of an applicationsaccess control system. With the most flexible

range of deployment options that spanhardware, virtual and cloud, the BarracudaWeb Application Firewall provides a completesecurity solution for all of your applications inany environment.



8/78

61% of IT pros dont report security

risks to executives

A new Ponemon Institute study examined thedisconnect between an organizationscommitments to risk-based security

management and its ability to develop thecollaboration, communication styles and

culture necessary to security programseffective across the organization.Key findings from the survey include:

61 percent said they dont communicatesecurity risk with senior executives or onlycommunicate when a serious security risk isrevealed

38 percent said that collaboration betweensecurity risk management and business ispoor, non-existent or adversarial. 47 percentrated their communication of relevant securityrisks to executives as not effective.

Dr. Larry Ponemon, chairman and founder ofthe Ponemon Institute said: "Even the mostsecure and sophisticated organizationsexperience risk because there are too many

variables in play. Effective communication andcollaboration across the organization arecrucial in mitigating this risk.

Arbor Networks acquires Packetloop

Arbor Networks has acquiredPacketloop, an innovator andprovider of Security Analytics.

Terms of the deal were notdisclosed. Packetloop's solutiondelivers real-time, network-wide

situational awareness through a combinationof packet capture, big data analytics, securityforensics and visualizations that helpenterprises identify malware, targeted attacksand attackers. Their capabilities complement

Arbor's NetFlow visibility, anomaly detection,application intelligence and identity tracking.

Are you nomophobic?

Nomophobia the fear ofbeing out of mobile phonecontact is still a very real

problem for the majority ofthe population. Over 54%admit to suffering from thecondition with women 17%more likely to suffer from it

than men. The study of 1000 people inemployment, sponsored by AppRiver andconducted by OnePoll, found people are soobsessed with the need to be connected totheir phones that even when away on annualleave, 42% will take them down to the beach.While it might seem harmless, there is aserious aspect of these habits. FredTouchette, security analyst at AppRiver

explains, Its clear that were a society totallyreliant on our phones not only for personaluse but business too. Even when on holiday,lying in bed or on a dinner date the studyrevealed many of us just cant help looking at

our emails, no matter the time or situation.What is worrying is that, with so muchinformation stored on them - from confidentialoffice information, contact details, emails,photos, bank details, etc., when they get lostor stolen and end up in the wrong hands theinformation can easily be exploited.Just 50% of people bother to secure phoneswith a password, or any other form of security,and 70% have no way to remotely wipe the

device. Fred concludes, Our advice is alwaysprotect your phone, at the very least with apassword, and if youre using it for work getyour IT department to secure them with a littlemore, such as encryption.



9/78

Persistent adversaries can identify

Tor users

Using the Tor network will not you grantperfect anonymity - in fact, a group ofresearchers from the US Naval ResearchLaboratory and Georgetown University saythat "Tor users are far more susceptible tocompromise than indicated by prior work."

"Tor is known to be insecure against anadversary that can observe a users trafficentering and exiting the anonymity network,"the researchers shared in their paper. "Quitesimple and efficient techniques can correlatetraffic at these separate locations by takingadvantage of identifying traffic patterns. As aresult, the user and his destination may beidentified, completely subverting the protocolssecurity goals."

They pointed out that prior research didn'ttake in account indications of how secure atype of behavior is, nor the fact that a singleorganization often controls severalgeographically diverse autonomous systems(AS) or Internet exchange points (IXP). "Thatorganization may have malicious intent orundergo coercion, threatening users of all

network components under its control," theysuggest.

In order to get to an accurate assessment ofthe peril Tor users are under when using it,they have developed an analysis frameworkfor evaluating the security of various userbehaviors on the live Tor network, a model ofa network adversary that includes an accuratesystem for AS path inference and an analysisof the threat of IXPs and IXP coalitions, and arealistic Tor path simulator.

"Our analysis shows that 80% of all types ofusers may be de-anonymized by a relativelymoderate Tor-relay adversary within sixmonths. Our results also show that against asingle AS adversary roughly 100% of users insome common locations are de-anonymizedwithin three months (95% in three months fora single IXP)," they shared.

Most security managers don't trust

their apps

Application vulnerabilities are a major factor inthe cybercrime game. More than 500 CISOs

and Security managers have beeninterviewed by Quotium about the securitystate of their applications, the frequency ofattacks in their organizations and thesolutions in place to mitigate these securitythreats.

The first fact that arises from the study is that

most of the big organizations interviewedcurrently have processes in place to test theirweb applications vulnerabilities. Most of themuse penetration testing services, automatedtesting tools - mostly applications scanners orstatic code analyzers or web applicationfirewalls to secure their assets.

However, a majority of security managers areunsure of the current level of their applicationsecurity state and do believe that a hackercould manage to exploit their applications.



10/78

NSA internal audit reveals

thousands of privacy violations

An internal NSA auditdocument and severalother seen by TheWashington Postjournalists prove thatthere have been overa 1,000 violations ofFISA and presidentialexecutive orders eachyear since the agency

was granted broader surveillance powers in2008.

Some of the violations were caused bycomputer errors and other by operators. For

example, in 2008, a computer mistake hasresulted in the interceptions of calls madefrom Washington D.C. (US area code 202)instead of those made from Egypt(international dialing code 20). As a reminder:2008 was an election year.

In a statement reacting to the piece, a NSAofficial stated on the record that the NSA is "ahuman-run agency operating in a complexenvironment with a number of different

regulatory regimes, so at times we findourselves on the wrong side of the line.

And they are right. The problem is not in thefact that errors are made, but that they areswept under "statistical addendum" rugs andreports of this kind are often not shared withpeople who should decide whether the NSAshould be allowed to continue with thepractices or not. If they are, they often don't

include the actual number of innocentAmerican citizens that have been affected.

"The NSA uses the term 'incidental' when itsweeps up the records of an American whiletargeting a foreigner or a U.S. person who isbelieved to be involved in terrorism. Officialguidelines for NSA personnel say that kind of

incident, pervasive under current practices,'does not constitute a ... violation' and 'doesnot have to be reported' to the NSA inspectorgeneral for inclusion in quarterly reports toCongress," writes Gellman, and points outthat once added to the databases thecommunications of Americans may besearched freely if there are not otherrestrictions in place.

In addition to this, Carol Leonnig reports thatthe Foreign Intelligence Surveillance Courtdoes not have the means to verify whethergovernment reports regarding the spyingprograms are accurate and whether theincluded mistakes are actually unintentional,and is, therefore, forced to take theinformation at face value.

"The courts description of its practicallimitations contrasts with repeated assurances

from the Obama administration andintelligence agency leaders that the courtprovides central checks and balances on thegovernments broad spying efforts," shewrites, adding that several US legislators whoare members of the House and Senateintelligence committees have said that theyare limited in their efforts to question NSAofficials about the work they do.

Facebook spamming is a hugely

lucrative business

Italian researchers thathave previously unearthedthe big business behindfake Twitter followers havenow calculated that

Facebook spammers areraking in as much as$200m every year. Theteam headed by Andrea

Stroppa and Carlo De Micheli has beensearching for and analyzing Facebook spam,the fake fan pages that serve it, and the third-party scam sites to which the spammy linkslead to.

They have discovered that creating fake fanpages is a thriving business. "The spam

posters get paid an average of $13 per postfor pages that have around 30,000 fans, up toan average of $58 to post on pages with morethan 100,000 fans," De Micheli shared.



11/78

Would you publicly report a security

breach?

Research by AlienVault revealed that only 2%of surveyed EU companies would be willing togo public should they suffer a security breach.38% opted to inform the relevant authoritiesand 31% said they would tell their employees.

A mere 11% said they would share theinformation with the security community.

Organizations who suffer a security breachface a Catch 22, said Barmak Meftah,President and CEO of AlienVault. "On the onehand, publicising a breach would help otherbusinesses avoid falling prey to attacks. On

the other, damage to your brand andreputation could be significant."

He says this is even more pertinent whenconsidering the European Commission'sproposed overhaul of its data protection laws,that will see companies face fines of up to 2%of their global annual turnover should theysuffer a breach. "This would see the falloutfrom a breach being potentially disastrous not

only for a company's good name, but also fortheir bottom line.

Windows 8 shouldn't be used on

government computers, say IT

experts

Internal documents of the German Ministry ofEconomic Affairs perused by a reporter ofnews outlet Zeit Online show that ITprofessionals working for the governmentdon't consider computers running Windows 8secure enough for government and business

use.

Given the latest news about Microsoftcollaborating with US intelligence agencies,the German Ministry of Economic Affairsbelieves that the company can ultimately beforced to allow the agency direct access toforeign computers.

Secure enterprise file sharing from

SolarWinds

SolarWinds announced new secure filesharing capabilities to its managed file

transfer solution, SolarWinds Serv-UManaged File Transfer (MFT) Server.

Serv-U MFT Server (www.serv-u.com)provides secure file transfer and now filesharing hosted on Windows and Linuxmachines. It enables users to support fileuploads and downloads using FTP, FTPS,SFTP, HTTP and HTTPS over IPv4 or IPv6networks. Administrators can control access

to files, monitor activity, automatenotifications, and configure from any locationthrough a secure Web management console.



12/78

What do you really know about security culture? I am going out on a limb here and

claim you know very little, if anything at all.

Your day job is about security, and like mostCSOs out there, you have an IT background.Most likely, you are still quite handy with thetech, and if forced to, you are able to set somefirewall rules, and possibly even change arouting table or two.

You are likely to have picked up on the trendthat people are the weakest link in your secu-rity chain, and you most probably have some

sort of user awareness training in place. Youknow it is important, and everybody does it, atleast that is what your training supplier tellsyou. And you can tick that box off on yourcompliance sheet.

Like many other CSOs, you are also likely tonot have reached the level of user awarenessyou imagined and hoped for, and you mayhave reached the level of frustration of DaveAitel, who last year went all out and said that

"You should not train employees for securityawareness".

The human mind has many flaws. Yours does,and mine does too. We are jumping to conclu-

sions without considering all the relevant in-formation. We are constructing facts from fic-tion, because it makes us able to do what wewant, not what is right. We are extremely vul-nerable to peer pressure. We are blind tothings we do not know about.

This implies that even if you know a lot aboutsecurity, you are likely not to know a lot aboutpeople, how they function, and how groups

form and interact. You may (and probably do)think that you know a lot about people. Con-sider this, then: do you have a minor, or a ma-jor, in a social science? Do you know what so-cial science is, anyway?

Social sciences is a collective term describingthe different sciences about humans, humaninteraction and groups, including (but not lim-ited to):

PsychologySociologySocial anthropologyOrganizational theory.



13/78

One of the things we have learned from socialsciences and their research is that humanscome pre-wired with biases. These biases im-pact how we see and perceive the world, howwe respond to it, and how we interact with it.Lets take a look at the blind spot bias which Imentioned above.

The blind spot bias works to help you focus onwhat you have to focus on, and avoid beinginterrupted by thoughts that are not relevant.The flip-side of the blind spot bias is that it isvery hard to accept things you do not know.For example, if you have grown up in thewestern world, you are likely to consider in-sects in any form to be inedible. Traveling to a

part of the world where insects are part of thehuman diet, blind spot bias may have you re-spond with disbelief and decide that locals arecrazy, wrong and plain stupid. If, however, yougrew up in an environment where insects area regular part of the diet, you would considersuch a response from a visitor strange andstupid.

The blind spot bias works against you by mak-ing it very hard for you to accept and realizeother possible solutions, and the further awaythe solution is from your "known environment",the harder the blind spot bias will oppose suchsolutions.

Setting out to create and maintain security culturein your organization is not a job you should bedoing alone.

Another interesting bias is the confirmationbias: the need to find evidence that confirmsour theories and beliefs, which makes us dis-regard information that contradicts them. If we

use Dave Aitel as an example (sorry, Dave),the confirmation bias made him see only thefaults of and problems with user awarenesstrainings. The more proof he found that hewas right, the less likely he was to look forcontradictory evidence.

By theorizing that you have no knowledgeabout culture and social sciences, I'm makingthe same mistake right now. Instead of doingserious research, I just look at the CSOs Iknow to confirm my theory. Then I apply an-other bias to my somewhat limited sample ofevidence - I generalize. By generalizing, I takewhatever information I have, and scale it up tomake it applicable to what I have set out toprove.

As a writer, I'm allowed to make such errors tomake a point. As a scientist, doing the sameshould be and is a deadly sin. As a human,

I'm always going to make these errors. It is,according to science, hardwired in our brains.My responsibility is to exercise strong self-

control, and to be humbled for and by the er-rors I make.

"What does this have to do with security cul-

ture?," you may ask. Let us define culture. Ac-cording to the Oxford dictionary, culture is "theideas, customs and social behaviors of a par-ticular people or society". By this definition, wesee that culture is about the things we all do ina group of people. Security culture may thenbe the "ideas, customs and behaviors that im-pact security, both positive and negative, in aparticular group of people".

In that definition, security is only a part of thewhole, just like security is in most organiza-tions around the world. It is your part, that isright. As I demonstrated above, you are likelythe expert on security, but not on human be-havior. Setting out to create and maintain se-curity culture in your organization is not a jobyou should be doing alone.

Consider this instead: If you know security,who knows culture in your organization? And

this: why don't you work to build your securityculture with those who know culture and hu-man behavior?

Kai Roer is a Senior Partner at The Roer Group (www.roer.com).



14/78

Suppose you have a company - lets call it WorldSoft - that is planning to do a big

part of its software development in China. A fairly new and growing economy, ac-

cess to inexpensive but highly educated development resources from local

universities, one of the most important future Asian markets and similarmotivations might be the reasons for that. Given the multiple and complex chal-

lenges, how would it be possible to secure that from a corporate perspective?

We will go first through a couple of basic as-sumptions, define the known facts, and picturethe assumed risk profile before diving into theplethora of counter measures that are bothpossible and (most likely) necessary at the

various levels (organizational, process, tech-nological) of the organization.

The shown options are prioritized already (notwithstanding there are always reasons youcould prioritize differently), and suggest thatyou start at the organizational level, go theninto the process level, and finally support allthis with the technology level (not vice versaas far too many organizations do) in a com-bined fashion as shown in the summary sec-

tion of this concept study.

WorldSoft uses a globally distributed devel-opment environment using scrum and similar

methods. IP laws are enacted based on WTOand World Intellectual Property Organization(WIPO) memberships and also China hassigned a Trade Related Intellectual PropertyAgreement (TRIP) - but these are not en-

forced.

WorldSofts products and solutions address ahighly competitive market, major other players/ competitors compete both for market shareand the most comprehensive product solutionin WorldSofts product space. The companyhas worldwide customers in all industries,governments, and security relevant organiza-tions such as military or critical infrastructure.

The global economy is in a weak phase whererecession and rebound are alternating, thelevel of uncertainty is very high and competi-tive advantage can make the difference for a



15/78

company to succeed or fail entirely. Prevent-ing industrial espionage or unauthorized ac-cess to IP data is therefore critical. Further-more, the built trust with the existing customerbase about code quality, stability, integrity andintegration is very important to defend thecompanys reputation.

Acquired companies or third parties such asservice or outsourcing partners must also beintegrated into the security environment with-out changing the risk profile in an uncontrolledfashion. Currently software companies tend toallow administrative rights for developers, andoften have no general blocking mechanism inplace for mobile data storage such as thumb /USB drives, DVD, and other such items.

Foundational assumptions / known facts

Security is complex and cannot always besolved with a one-size fits all approach, es-pecially when business requirements must beconsidered / given preference.

Concepts such as defense-in-depth, need-to-know, minimum privileges, standards wherepossible, risk-aligned controls, re-use of certi-fied solutions, attack-surface-reduction, in-

crease attack-costs, security-by-design(www.createspace.com/4043003) (not by ob-scurity), etc., should be applied entirely. Still,the weakest link most likely will get exploited,security is not 100% and instead an agreedupon risk profile.

To reach this aspired level of security, it mustbe addressed at all structural levels: organiza-tional (people and policies), process (end-to-end), and technological (automated vs. man-

ual; physical and logical). Prioritization is al-ways required to maximize benefit and mini-mize necessary expenses, and also to focuson the most important assets / risks / issuesfirst. Potential solutions shall be created tominimize business impact and inconveniencefor employees / third parties, etc. This will re-duce the risk that they will be objecting to /bypassing security measures. Proactive solu-tions are way more efficient and effective than

reactive ones, and are to be preferred. How-ever, in some cases a reactive approach ischeaper, and also still necessary (IncidentResponse).

Risk potential

High level risks:

Loss of integrity: trust / brand reputation ifbreached / hacked, corrupted data (code orconfiguration data), corrupted cloud servicesor business intelligence data -> could impact

decision-making. If WorldSoft locations / infra-structure are used in another (external) attack(i.e. against critical infrastructures), also po-tential liability.

Loss of confidentiality: Intellectual Property(IP), strategic business plans, designs, sensi-tive customer data, specific know-how, wire-tapped communications. Industrial and stateespionage. Potential liabilities (customers,third parties, joint ventures, shareholders).

Loss of availability: either at the networklevel (Great Firewall of China), or the datacenters (non-reliable infrastructure, regionalconflict, counter-attack on critical infrastruc-ture such as energy / power plants). Potentialliabilities (customers, shareholders).

External threat actors:

People (competitors, nation state, hacktiv-ists, former employees) or elementary (naturaldisasters), power outage, etc.

Internal threat actors:

People (non-intentional errors [employees or3rd parties], disgruntled employees, infiltratedspies [competitors or state sponsored]).

Based on publicized research, the vast ma-jority of man-made attacks are happening via(automated) malware and hacking on bothservers and clients / user devices (endpoints), followed by some physical attacks,some social engineering and finally misuse(by authorized people).

Hacking by an APT is currently the highestpotential man-made threat and risk.

After having shown the risk potential, we nowlook into the various countermeasures at thedifferent levels of any organization.



16/78

Potential countermeasures at theorganizational level

At the organizational level (that is people andpolicies), we can do the following:

1. Global multi-level policy structure that de-fines clear objectives and acceptable risk

levels (incl. BCP), and provides for regionalor local additions / changes. Standards andprocedures, ITIL and similar change con-trols prevent errors (unintentional wrongdo-ing).

2. Contracts with employees and third partiesthat will specify clearly the duties to protectIP, copyrighted material, internal and confi-dential information handling, access andchange of information, need to know andthe other principles such as not lendingpasswords, physical access cards, smart-cards, etc., to others. The contracts shouldspell out clear fines and enforce those withpre-paid escrow accounts (for third parties),or choose third parties with compensatingassets in other countries such as EU / US.

3. Have NDAs / CAs (Confidentiality Agree-ments) signed by all employees, contrac-tors, subcontractors, etc., as part of theiremployment relationship. Prefer contractors

with (indirect) assets in EU / US where liti-gation is enforced and binding.

4. Require a Certificate of No Criminal Convic-tion (CNCC) from the potential employee(especially for leadership positions), usethese both before hire and during tenure.Observe and act upon changes in behavior a disgruntled employee will often showwarning signs.

5. Regularly educate all employees, contrac-tors, third parties about their expected be-

havior, let them sign their agreement andparticipation of those trainings. Awarenessprograms that are positive and contain in-teresting and professionally made materialwill change behavior (IP and security ingeneral). Top management must adhere toall measures to set the tone at the top. In-centivize positive behavior, (aggressive)profit sharing schemes and leverage localJVs to prevent their need for infringement.

6. Use detectives / trusted parties (non-government) to identify misuse or illegalcopies. Adhere and enforce the proceduresin case of wrongdoing to deter others.

7. Protect IP rights before enforcement isneeded. To reduce trademark squatting,register early.

8. Job rotations could also help find fraud andreduce collusion.

9. Acquisition of other companies: do risk as-sessments of their environment (at the or-ganization, process, and technology levels)

before connection to infrastructure.

The next organizational level is the processlevel where is defined how things shall work,and how a company runs its business. At thislevel, a lot of improvements should be made,this is part of the secret sauce of any organi-zation, and those most sustainable will havehighly efficient and effective processes. Onecould argue that this still is all organizational,but on the other hand we strive to structurethe approach in the best way and that is why Ipresent it this way.

Potential countermeasures at the processlevel

Design all security measures into the rightchain link within the process (efficient, effec-tive, easy).

(Document and) automate processes to re-duce error and unintentional wrongdoing.

Ingrain security requirements in the SDLC(from the beginning to the end) and approveonly those solutions where the security re-quirements are reached.

Split code development such that no onehas access to the entire code / product basebut only those snippets that are needed (see

technology: source code vault, Access Con-trol).

Separate development, testing, piloting, andproduction and adhere to strict change controlfor transfers.

Design and operate a development envi-ronment that doesnt need local storage andinstallations (see VDI on next page).

Digitally sign, fingerprint, and watermarkcode that has been verified and is secure. In-tegrate those used technologies.



17/78

Verify customer licenses and proper codeuse when doing support for that customer.

Classify all documents upon creation andadhere to the processes accordingly through-out their lifecycle.

Define and optimize the entire Incident Re-

sponse process.

Provide employees who need to access se-cure areas a locker room to prevent mobiledevices in those areas.

Before entering into partnerships with thirdparties (providers, etc.), assess the potentialrisks and do security process verification.

Now I will describe how to best support theseabove organizational and process securitycontrols by leveraging technology solutions intheir best potential ways. It is again importantto note that not one single technical solutionwill solve all problems. Instead, the useful in-tegration of the various products with a well-thought-through architecture will support theintended security level.

Potential countermeasures at the

technological level

Technological (automated vs. manual; physi-cal and logical):

Physical controls such as fences / gates,cameras, AC, secure zones, no cell phonesand flash drives, etc., tracking of people withinthe data centers or other secure zones, as-signed accompanying guards for third partyaccess to sensitive areas. Compartmentaliza-

tion approach for important assets.

Create different user profiles (classes) withaccess accordingly to their roles (sales not indeveloper area / network segment, etc.)

Leverage smartcards with biometry wherepossible and integrate physical and logicalcontexts.

Use a VDI (Virtual Development Infrastruc-ture) in trusted locations with VPN and otherencrypted connections.

Use network segmentation (Development /Test / Production), NGFW, VPNs, VLANs,NAC, DLP, SIEM, WAF, etc. with an integrateddesign architecture.

Use static and dynamic code analysis tools,black-box and white-box scanners.

Secure servers in data centers, antimalware,antivirus, firewalls, strong authentication andAC, backup, DR (also against the naturalthreats).

Secure storage networks (SAN / NAS etc. /encryption / AC / separation, [AV / AM]) incl.DR.

Secure endpoints with antimalware, AV, per-sonal (endpoint) firewalls, PKI / encryption /signature / hash, proper SW installs, backup-tools.

Track local port usage, data flow, DLP, findcode signatures, leverage RMS, SIEM, etc.dashboard, use a strict code-tracing techniqueto monitor copying.

So far the potential solution options as youcan see they are manifold.

Differentiated but also integrated approach

Based on the aforementioned options, it isbest to prioritize the risks and compare thevalue at risk with the associated costs of miti-gating controls. The combination of countermeasures at the three different layers (people,process, technology) is best, therefore an in-tegrated approach between risk and corporatesecurity, legal, IT security, product security,

cloud security, service and other units shouldbe used.

What you dont measure you cant really man-age, so a few KPI examples here:

Percentage of employees that have theirbackground verified (with a CNCC, prior em-ployment, claimed education).

Percentage of contracts with third partieswith NDA / CA signed thats enforceable (s.a.)

Number of performed and validated aware-ness educations and signed records.



18/78

Percentage of registered IP items (of all as-sets) in China vs. other locations or global av-erage.

Percentage of customers found with unregis-tered / counterfeited WorldSoft products orpieces in China.

Percentage of unsecured ports / thumbdrives seen in the environment.

Percentage of solved incidents from IR andany further details on that.

Finally, the business aligned security strategyshould be adapted based on the success ofthe measures and seen change in measure-ments.

Hint:To get the necessary active support frommanagement and employees, incorporate se-curity into the(ir) annual performance goals.

Michael S. Oberlaender (www.linkedin.com/in/mymso) is a world-renowned security executive, thought leader,author and subject matter expert and has worked in executive level security roles (CSO / CISO) and in IT bothin the US and EU for over two decades. He holds a Master of Science (Physics) from the University of Heidel-berg, Germany and is CISSP, CISM, CISA, CRISC, GSNA, ACSE certified. His new book - "C(I)SO - And NowWhat?" - is available at www.createspace.com/4043003.



19/78


20/78

Stephen Pao serves as General Manager, Security Business, at Barracuda Net-

works, where he is responsible for strategic product direction, definition, programmanagement, and development for all of the company's security products. In this

interview he talks about web application security threats, offers tips for securing

applications in the cloud, and much more.

What are some of the most overlookedweb application security threats at themoment?

When it comes to web application security, themedia likes to focus on new and exotic at-tacks. You read articles about APTs, DDoS,BEAST TLS attacks, and other high publicityexploits. However, in regard to web applica-tions, its the same old attacks that are caus-ing the most problems. These are the tried-and-true SQL injections that have been an is-sue for more than a decade, yet they are stillin the OWASP Top 10. This is mainly due tothe huge amount of sensitive data stored in

databases that are accessed by web applica-tions, and therefore prime targets for crimi-nals. All it takes is a simple coding error or anunescaped input to open the door to a serious

breach. It is not sexy stuff but it is critically im-portant to secure against these old but effec-tive attacks.

The problem is compounded with the movefrom hardware to virtualand now to clouddeployments. Often security is forgotten whenthe focus shifts to deployment modes and howto leverage new deployments for cost savingsand efficiency. The biggest threat in this con-text isnt new and exotic attacks, but the intro-duction of gaps or blind spots when organiza-tions move applications to different deploy-ment modes. Fortunately, what works in theon-premises hardware server world is easily

transferable to virtual and cloud worlds. Aslong as organizations remember to deploy thesame security processes that have worked forthem previously, there is a good chance that



21/78

the same security will continue to protect theirapplications.

What advice would you give to securityprofessionals who want to make sure theirapplications in the cloud have the samelevel of security as traditional on-premisesapplications?

Conceptually, the way to look at the cloud issimply as a new way to deploy an application.Weve already seen the migration of applica-tions from physical to virtual servers. Cloudmigration is simply the next step. With clouddeployments, there may be substantial im-plementation and economic differences. Theremay also be differences in ownership of as-sets and distribution of tasks within organiza-tions. However from an application securityperspective much remains the same.

In a cloud environment, applications are stillvulnerable to the same SQL injections, DDoS,and other attacks experienced by on-premisesapplications. This is because the underlyingprotocol, source code, and business logic as-sociated with the applications are the same,regardless of deployment mechanism.

Consequently, things like form input fields,cookies, HTTP/S protocol, and SSL encryp-tion have the same potential vulnerabilities.Consequently developers need to use securecoding practices as well as deploying a devicelike a web application firewall (WAF) for cloudapplications. The good news is that securityexpertise and best practices are readily trans-ferable once the operational and deploymentaspects are figured out.

The primary challenge is that sometimes thecurrent WAF vendor does not have a modelthat can run on the cloud platform of choice.This is especially the case with vendors thatprovide WAF as part of their application deliv-ery controller (ADC) platforms. Organizationscould wait for their existing vendor to catch up,but given the rapid adoption of the cloud, itmay be better to consider products that arereadily available today. There are a few lead-

ing vendors (including Barracuda) that havemade the investment in delivering WAFs inthe cloud that can be readily plugged intocloud platforms today.

What are the challenges involved in pro-tecting large web applications that areconcurrently used by a vast number ofconsumers?

Coding for small applications is not differentthan coding for large applications. But thesheer scale and complexity of organizations

can create challenges. Simply put, organiza-tions must manage all of the moving parts andthe changes to the website without introducingany issues.

The more people and different technologiesinvolved, the higher the risk of security mis-configurations, code errors, or becoming thetarget of hacktivists or criminals. For this rea-son, we stress that the best way to addressthe issue is to take a systematic approach andanalyze the people, processes, and technolo-gies involved. It is only with a coordination ofall three aspects that we can hope to mitigateexisting and future risks.

Earlier this year we've seen automatedbotnet attacks targeting WordPress. Whattype of advanced protection would yourecommend to the users of similar webplatforms?

At Barracuda, weve dealt with botnets formore than 10 years. Many of the botnets wesee today were yesterdays spam-bots. As anindustry, weve made excellent progress indecreasing the efficacy of spam and virusesover email. The bad news is that these samebots are now being repurposed for other ac-tivities like DDoS against WordPress, bankingwebsites, and other valuable web assets.

When dealing with bots and in particularDDoS, there are two types of attacks to con-sider. The first are volumetric attacks wherebots overwhelm an application with a flood oftraffic. Fortunately there are a number of solu-tions to handle a volumetric DDoS attack to-day:

1. Content delivery networks (CDN) can pro-vide the volume and scale against simple

volumetric attacks.2. Network firewalls and WAFs can provideon-premises protection against volumetric at-tacks.



22/78

The second category is application DDoS at-tacks that are best handled by WAFs becauseof their abilities to inspect traffic at the applica-tion layer. The ability to control applicationprotocols and application logic enables WAFsto throttle asymmetric application DDoS at-tacks like Slowloris. In short a good WAF can:

Fingerprint client requests to detect bots ormalicious clients

Inject CAPTCHA or other automated chal-lenges to slow down DDoS

Limit client access based on GeoIPProtect against HTTP or SSL protocol-basedattacks

Rate control or cut off client based on riskprofile or IP reputation

Block access form anonymous proxies orTOR network nodes.

It is equally important to select a good WAFvendor with flexible deployment options thatgive you the ability to deploy WAF technology

to secure on-premises or cloud applications.Ideally the vendor should provide hardware,virtual, and cloud-deployable models, givingorganizations the ability to scale and/or re-architect their deployments to meet the or-ganizations needs.

It is equally important to select a good WAF vendor with flexible

deployment options that give you the ability to deploy WAFtechnology to secure on-premises or cloud applications.

Securing applications against automatedattacks can be very time consuming. Whatsteps can an organization take to makesure their web applications are secure atall times?

Application threats are dynamic and conse-quently, defenses against automatic attacksshould be dynamic as well. While there are nosilver bullets, using a systematic approachcan greatly mitigate risk. This does not meansimply chaining security devices. Its more ef-fective to implement both a technological anda people/process solution.

A good example is the process a large For-tune 100 company that we are working with

today follows. For every application, theycategorize and assign a risk profile prior todeployment. For example, if it is an Internetfacing application handling sensitive data,there is a stringent security assessment thatincludes both a vulnerability scan, a penetra-tion test by a third party, and a web applicationfirewall deployed in front of the application.

On the other end of the spectrum are the in-

ternal only applications with static informa-tion. These only need to go through a basicaudit and a basic vulnerability scan. The pointhere is that there are processes based on risk

profile in addition to technology that greatlyreduce risk.

Finally, one of the under-appreciated proc-esses in place is the segmentation of respon-sibility between the development, security,

and infrastructure teams.

The development team does not have any in-put into the security process and cannot mod-ify procedures or configure the security tools.The security team has full responsibility forkeeping the applications safe and has theauthority to block applications from being de-ployed. The infrastructure team deploys theapplication and enforces firewalls, WAFs, andrules on available ports and protocols.

While some may argue that this may slowdown the development process, it need not bethe case. In this organization, because of theclear communication of corporate policy andsecurity standards ahead of time, the devel-opment team builds the testing into its releaseschedule.

More importantly, it forces the team to think

about security and implement the secure cod-ing best practices upstream during the devel-opment cycle.



23/78

How has the cloud impacted web applica-tion security?

The cloud has been a great benefit to organi-zations looking to optimize and scale applica-tions:

Organizations no longer have to over-

provision capacity just to handle high trafficloads that only occur for short periods of time.A classic example is in retail when organiza-tions have to buy equipment that is way overcapacity just to handle the few days aroundBlack Friday when sales typically hit an an-nual peak.

The network and physical security for lead-ing providers are often as good or better thanthe organizations own data centers.

The cloud can also help solve the issue of

finding experienced IT professionals that arecapable of implementing and maintaining asecure data center.

The biggest downside to the cloud, however isthat in the rush to migrate, security is often

relegated to a secondary consideration ascompanies accelerate the adoption of thecloud for their own financial and commercialbenefits. Developers of new cloud applicationsand IT administrators tasked with migratingexisting applications to the cloud are underenormous cost and time pressure to get itdone.

Often, established guidelines for safe applica-tion programming or deployment are notheeded or the tools needed to successfullymigrate are not yet available. In the end, thisresults in programming errors because majorsecurity aspects are deliberately disregardedor are simply forgotten.

As a result, critical business processes thatseemed secure within the corporate perimeterare suddenly freely accessible in the cloud.Conventional security strategies such as net-work firewalls, WAFs, code scanners, or otherstandard security tools may no longer beavailable or expedient, depending on thechoice of cloud provider.

Having the ability to terminate and control traffic is critical to

providing the necessary security and application accelerationcapabilities necessary for todays web applications.

What makes a WAF truly great? What fea-tures should IT professionals be on thelookout for?

We are starting to see more and more ven-dors offering WAF-type solutions. Unfortu-nately, many of the new solutions are boltedonto unrelated technology like network fire-wall, IDS/IPS, or even SSL VPN platforms.This is not optimal because these solutions donot provide the ability to control and secure allelements of their WAF. We at Barracuda rec-ommend organizations choose a platform that:

Is built ground up as a reverse proxy WAFproduct.Having the ability to terminate andcontrol traffic is critical to providing the neces-

sary security and application acceleration ca-pabilities necessary for todays web applica-tions.

Includes an easy-to-manage interface. Oneof the most common but under-appreciatedrisks is misconfiguration of the security solu-tion. Consequently, it is advantageous to usea WAF solution that is intuitive and easy tomanage.

Provides pre-built templates to enablequick deployment.Too many solutions re-quire constant tuning or learning, which re-sults in an inability to deploy active protectionor keep up with changes to applications.

Is a mature product with a long history ofcustomer success.Many solutions can pro-vide simple signature-based protectionagainst things like SQL injections, but few

have the layered defense architecture to se-cure against advanced attacks without affect-ing application performance.



24/78

What's the difference between using a vir-tual appliance and a physical appliance forprotecting web applications?

Given sufficient hardware resources, in theoryvirtual WAFs are just as effective as physicalWAFs from a technical standpoint for mostuse cases. In practice however, it depends on

the deployment scenario and the organiza-tions IT groups structure.

In an enterprise scenario there are often threegroups involved with application security:

1. Infrastructure group2. Security / compliance group3. Application development group.

Depending on the process and ownership, aWAF could be deployed or managed by a sin-gle group or co-managed by a few groups. Ifthe infrastructure group controls deploymentand has to manage the WAF, then it is possi-ble to design a process to virtualize both thedeployment of the application and a virtualWAF to protect it.

However, if the WAF is owned by the securityteam that does not own the deployment of theapplications, then it might be difficult to con-solidate servers using a virtual appliancewithout first redefining the ownership bounda-ries.

In smaller organizations, the roles are not as

distinct and often the same group completessome, if not all of the tasks. In this situation,the decision is primarily a deployment sce-nario and depends on how the organizationwants to architect its network.

If the decision is to put the WAF close to theend servers, then it is possible to consolidateand virtualize both the WAF and applicationservers. If the decision is to deploy the WAFas part of an ADC platform that needs to sup-port a number of application delivery and ac-celeration tasks, or is located in the DMZ, thenit is easier to keep the existing network con-figuration than re-architect the network.

Mirko Zorz is the Editor in Chief of (IN)SECURE Magazine and Help Net Security (www.net-security.org).



25/78


26/78

Serious website vulnerabilities

continue to decrease

The 2013 edition of the WhiteHat SecurityWebsite Security Statistics Report correlatedvulnerability data from tens of thousands of

websites from more than 650 organizations,with software development lifecycle (SDLC)activity data obtained from 76 surveyrespondents.

In 2012, the average number of serious vul-nerabilities per website continued to decline,going from 79 in 2011 down to 56 in 2012.

Of the serious vulnerabilities found, on aver-age 61 percent were resolved and only 18percent of websites were vulnerable for fewerthan 30 days in 2012. On average, resolvingthese vulnerabilities took 193 days from thefirst notification.



27/78

Website security is an ever-moving target,and organizations need to better understandhow various parts of the SDLC affect the in-troduction of vulnerabilities, which leave thedoor open to breaches, said JeremiahGrossman, co-founder and CTO of WhiteHatSecurity.

A closer look revealed that:

With the exception of sites in the IT and en-ergy sectors, all industries found fewer vulner-abilities in 2012 than in past years.

The IT industry experienced the highestnumber of vulnerabilities per website at 114.

Government websites had the fewest seriousvulnerabilities with eight detected on averageper website, followed by banking websiteswith 11 on average per website.

Entertainment and media websites had thehighest remediation rate (the average per-centage of serious vulnerabilities resolved) at81 percent.

In years past, the banking industry had thefewest vulnerabilities and fixed the most vul-nerabilities of any industry. This year, banking

came in second with 11 average serious vul-nerabilities found per website and a below av-erage remediation rate of 54 percent (averageis 61 percent across all industries).

Top ten vulnerability classes

The most prevalent vulnerabilities classes arecalculated based upon their percentage likeli-hood of at least one instance being foundwithin any given website. This approach mini-mizes data skewing in websites that are eitherhighly secure or extremely risk-prone.

Best practices may not result in bettersecurity

In correlating the survey results with vulner-ability data, WhiteHat Security could see how

software security controls, or best practicesimpacted the actual security of organizations.

Some of the findings include:

57 percent of organizations surveyed providesome amount of instructor-led or computer-based software security training for their pro-grammers.

These organizations experienced 40 percentfewer vulnerabilities, resolved them 59 percentfaster, but exhibited a 12 percent lower reme-diation rate.



28/78

39 percent of organizations said they per-form some amount of Static Code Analysis ontheir websites underlying applications. Theseorganizations experienced 15 percent morevulnerabilities, resolved them 26 percentslower, and had a 4 percent lower remediationrate.

55 percent of organizations said they have aWAF in some state of deployment. These or-ganizations experienced 11 percent more vul-nerabilities, resolved them 8 percent slower,and had a 7 percent lower remediation rate.

Some of this data implies that best practicessuch as software security training are effec-tive, yet some of the statistics clearly showthat following best practices does not neces-sarily lead to better security.

Accountability and compliance

In the event an organization experiences awebsite or system breach, WhiteHat Securityfound that 27 percent said the Board of Direc-tors would be accountable.

Additionally, 24 percent said Software Devel-opment, 19 percent Security Department, and18 percent Executive Management.

Should the organizations also provide soft-ware security training to its programmers andalso perform static code analysis, Software

Development was held most accountable inthe event of a breach.

Additionally, the correlated data revealed thatcompliance is the primary driver for organiza-tions to resolve vulnerabilities, but also thenumber one reason organizations do not re-solve vulnerabilities. In other words, vulner-

abilities are fixed if required by compliancemandates; however, if compliance does notrequire a fix, the vulnerability remains, despitepossible implications to the overall securityposture of the site.

This collective data has shown that many or-ganizations do not yet consider they need toproactively do something about software secu-rity. It is apparent that these organizations takethe approach of wait-until-something-goes-wrong before kicking into gear unless there issome sense of accountability," said Gross-man.

"This needs to change, and we believe thereis now an opportunity for a new generation ofsecurity leaders to emerge and distinguishthemselves with an understanding of realbusiness and security challenges. Our hope isthat they will address these issues we have

identified and base their decisions on a foun-dation of data to improve the state of Web se-curity over time, added Grossman.

OWASP top 10 web application risks

for 2013

Since 2003, application security researchersand experts from all over the world at the

Open Web Application Security Project(OWASP) have carefully monitored the stateof web application security and produced anawareness document that is acknowledgedand relied on by organizations worldwide, in-cluding the PCI Council, US DoD, FTC, andcountless others.

OWASP has released its 2013 top 10 list ofrisks associated with the use of web applica-tions in an enterprise, and they are illustrated

and explained on the following page.



29/78

Injection- Injection flaws, such as SQL, OS,and LDAP injection occur when untrusted datais sent to an interpreter as part of a commandor query. The attackers hostile data can trickthe interpreter into executing unintendedcommands or accessing data without properauthorization.

Broken Authentication and Session Man-

agement - Application functions related toauthentication and session management areoften not implemented correctly, allowing at-tackers to compromise passwords, keys, orsession tokens, or to exploit other implemen-tation flaws to assume other users identities.

Cross-Site Scripting (XSS)- XSS flaws oc-cur whenever an application takes untrusteddata and sends it to a web browser without

proper validation or escaping. XSS allows at-tackers to execute scripts in the victimsbrowser which can hijack user sessions, de-face web sites, or redirect the user to mali-cious sites.

Insecure Direct Object References - A directobject reference occurs when a developer ex-poses a reference to an internal implementa-tion object, such as a file, directory, or data-base key. Without an access control check orother protection, attackers can manipulatethese references to access unauthorized data.

Security Misconfiguration- Good security

requires having a secure configuration definedand deployed for the application, frameworks,application server, web server, databaseserver, and platform. Secure settings shouldbe defined, implemented, and maintained, asdefaults are often insecure. Additionally, soft-ware should be kept up to date.

Sensitive Data Exposure- Many web appli-cations do not properly protect sensitive data,

such as credit cards, tax IDs, and authentica-tion credentials. Attackers may steal or modifysuch weakly protected data to conduct creditcard fraud, identity theft, or other crimes.



30/78

Sensitive data deserves extra protection suchas encryption at rest or in transit, as well asspecial precautions when exchanged with thebrowser.

Missing Function Level Access Control-Most web applications verify function level ac-cess rights before making that functionality

visible in the UI. However, applications needto perform the same access control checks onthe server when each function is accessed. Ifrequests are not verified, attackers will be able

to forge requests in order to access functional-ity without proper authorization.

Cross-Site Request Forgery (CSRF)- ACSRF attack forces a logged-on victimsbrowser to send a forged HTTP request, in-cluding the victims session cookie and anyother automatically included authentication

information, to a vulnerable web application.This allows the attacker to force the victimsbrowser to generate requests the vulnerableapplication thinks are legitimate requests fromthe victim.

Using Components with Known Vulner-abilities- Components, such as libraries,frameworks, and other software modules, al-most always run with full privileges. If a vul-nerable component is exploited, such an at-tack can facilitate serious data loss or servertakeover. Applications using components with

known vulnerabilities may undermine applica-tion defenses and enable a range of possibleattacks and impacts.

Unvalidated Redirects and Forwards- Webapplications frequently redirect and forwardusers to other pages and websites, and useuntrusted data to determine the destinationpages. Without proper validation, attackerscan redirect victims to phishing or malwaresites, or use forwards to access unauthorized

pages.



31/78

This article covers a combination of very important vulnerabilities that affect almost

every single web application: broken authentication mechanisms, poor handling of

sessions, and the ability for hackers to browse the operating system of the web

server via path traversal.

Authentication allows us to sign in to a webapplication so we have a personalized brows-

ing experience, while session managementkeeps tracks of the requests and responsesso we can perform multi-step actions such asshopping and bill paying. They are really twopeas in a pod. Neither authentication nor ses-sion management was considered when theHTTP protocol was invented as it is a state-less protocol. So using these two features asthe Internet has matured has proven to be avery difficult situation.

Unfortunately, authentication and sessionmanagement are wrought with vulnerabilitiesin many web applications. The tools and tech-niques used to exploit each differ slightly, but

because of the close relationship of authenti-cation and session management it makes per-

fect sense to investigate them together.

Path traversal attacks occur when hackers areallowed to traipse through the directory struc-ture of the web server. This is most commonwhen web applications allow upload function-ality and the user (attacker) crafts a maliciousinput value that is processed by the web ap-plication and allows access to sensitive direc-tories on the web server.

We will look at the directories that are oftenunder attack in both Windows and Linux envi-ronments and how these attacks actually takeplace!



32/78

Authentication and session vulnerabilities

Todays Internet has been twisted and con-torted to use authentication and session man-agement, essentially breaking both. The mostcommon authentication attack uses a proxy-based attack tool (Burp Suites Intruder, forexample) to brute force the login credentials of

a legitimate user. There is not a lot of stealthto this type of attack, but its very successfulbecause users continue to pick weak pass-words. We will be using Burp Intruder as ourtool of choice along with a list of the mostcommonly used weak passwords.

There are several aspects of authenticationthroughout the web application that need to beconsidered for these attacks, such as:

Application login Password change Secret questions Predictable usernames Predictable initial password Passwords that never expire.

Throughout this article, the term cookie willbe used to mean session cookie or sessionidentifier. Session management attacks are

only possible in two flavors: 1) attacking howstrongly the session identifier is generated(measuring entropy); and 2) attacking how thecookie is used and handled by the web appli-cation.

Attacking how a cookie is generated is verydifficult because most of the session man-agement frameworks bundled with web serv-ers are capable of creating cookies that arevery difficult to guess even when a hacker has

tons of processing power to generate thou-sands of cookies in short order. A much moreapplicable attack is to investigate how the ap-plication uses the cookie. This type of attackdoesnt require understanding how a cookiewas generated, but instead focuses on ac-cessing and using the cookie in a nefariousmanner. A hacker will gladly steal and use asecurely generated cookie!

Path traversal vulnerabilities

When a web server is installed and config-ured, the web application is given a slice ofthe file system on the web server that the ap-

plication is allowed to live in. These alloweddirectories are usually a couple of foldersdeep into the file system of the web serverand include 100% of what the web applicationneeds to perform in normal circumstances: thecode, the images, the database, the stylesheets, and everything else that the applica-tion may need. The application should never

attempt to access resources that are outsideof its prescribed directories because the otherresources on the web server arent applicableto the applications scope. The ability for ahacker to break outside this confined worldand access resources on the web server thathe shouldnt is the core concept of path tra-versal attacks.

Brute force authentication attacks

Authentication actually takes place in manyother parts of the web application other thanthe main login page. It is also present whenyou change your password, update your ac-count information, use the password recoveryfunctionality, answering secret questions, andwhen you use the remember me option. If anyof these authentication processes is flawed,the security of all the other authenticationmechanisms may be compromised.

The frightening thing about authentication vul-nerabilities is that they can open the door forall other accounts to be compromised. Imag-ine the carnage when an administrators ac-count is compromised because of poorauthentication!

We will be using the Brute Force exercise inDVWA as our guide to complete an onlinebrute force authentication attack. It is an

HTML form-based authentication page; justlike over 90% of web applications use. Despiteongoing efforts to include additional factorsinto the authentication process, such asCAPTCHA and challenge questions, the tradi-tional username and password is still the mostpopular authentication mechanism.

This attack is much different than the offlinepassword hash cracking that we completedwith John the Ripper. We will now be interact-ing directly with the web application and data-base that process the username and pass-word parameters during authentication.



33/78

Online brute force authentication hacking ismuch slower than offline password hashcracking because we are making repeated re-quests to the application and must wait for it togenerate a response and send it back.

Intercepting the authentication attempt

Browse to the Brute Force exercise in DVWAand ensure Burp is configured as the proxywith your browser. We want to intercept a loginattempt that we send to the application, somake sure Burp Intercept is set to on. Wearent trying to guess the username andpassword manually in this HTML form, but

rather this step is just priming the pump so weunderstand what parameters are sent to theapplication during a normal authentication at-tempt. It makes absolutely no difference whatwe provide for username and password. Iveentered corndogsfor the username andsureareyummyfor the password as shown inFigure 1.

Once you submit this login attempt with theLogin button, you can see the parameters inthe Params tab in Burp Intercept that are usedduring an authentication attempt as shown inFigure 2.

Figure 1 - Initial login attempt to be captured by Burp Intercept.

Figure 2 - Intercepted authentication parameters in DVWA.



34/78

We are only concerned with the username andpassword parameters for this attack; the otherthree will be left alone. Remember, we fullyexpect this login attempt to fail. Our only goalright now is to get a valid authentication at-tempt in our proxy history so we can changesthe parameters values to exploit the weakauthentication process.

You can now forward this request to the appli-cation as well as the subsequent responsesuntil you get the Username and/or passwordincorrect message on the page.

One feature of a web proxy that is often over-looked is that it catalogs every single request

and response cycle that passes through it.You can then go back and inspect (and reuse)any request that you have already made. Thisis exactly why you primed the pump with thesure-to-fail authentication attempt. It wassurely going to fail, but you needed a requestthat had everything correct except the user-name and password! You can review all the

requests youve made in the history tab in theProxy tool of Burp. You are specifically lookingfor the authentication attempt you just madewith the corndogsusername andsureareyummypassword combination asshown in Figure 3.

Figure 3 - Authentication attempt retrieved from the proxy history of Burp Intercept.

If youre overwhelmed by the sheer amount ofrequests in this history view, it is helpful tolook for requests that have parameters (lookfor the checked checkbox in the Params col-umn) as well as ordering the requests by date/time.

You can see the username and password thatyou submitted in the parameters view in thelower part of the screen.

Configuring Burp Intruder

You can now use this request as your skeletonto attempt to exploit this authentication pagewith different usernames and passwords. Todo this, simply right-click on the request and

select send to intruder as shown in Figure 4on the following page.



35/78

Figure 4 - Sending the authentication attempt to Intruder.

Burp Intruder is a tool for automating custom-ized attacks against web applications, but it isnot purely a point-and-click tool. You need toconfigure Intruder to only attack the parame-ters that you choose and with the exact pay-

loads that you select. In the Positions tab ofIntruder you can see there are five automati-cally highlighted parameters that you maywant to brute force as shown in Figure 5.

Figure 5 - Automatically identified parameters in Burp Intruder.

These five parameters should look very famil-iar, as they are the exact same parametersthat you saw in the intercepted request. You

are only concerned with the username andpassword parameters and the other three canbe left alone. In order for Intruder to ignorethese three benign parameters, you need to

clear the payload markers (the squiggly mark-ings before and after each parameter value)by highlighting them and clicking the clear but-

ton. One youve successfully done that, youwill have only two positions marked: usernameand password.



36/78

Intruder payloads

You also need to consider the attack type thatwe want to conduct. Intruder has four differentattack types that you can select from the pull-down menu.

1. Sniper:This attack uses a single set of

payloads and targets each position in turnbefore iterating to the next value. This ismost applicable when fuzzing for vulner-abilities such as cross-site scripting (XSS).

2. Battering Ram:This attack also uses asingle set of payloads, but inserts the samepayload into all of the marked parameters atonce. This is most applicable when an at-tack requires the same input to be insertedin multiple places such a username in thecookie header and the message body si-multaneously.

3. Pitchfork: This attack uses multiple pay-load sets for each marked parameter anditerates through all payload sets simultane-ously. This is most applicable when an at-tack requires related values to be used inseveral parameters in the request such as auser_ID parameter and the correspondingfirst_name parameter. A pitchfork attack willadvance each of these payloads in parallel

so the first values of each payload will exe-cute, followed by the second value of eachpayload, and so on.

4. Cluster Bomb: This attack uses multiplepayload sets, but a different payload set foreach marked parameter and iteratesthrough each payload set in turn to ensureall possible combinations are used. This at-tack is most applicable when an attack re-quires different input to be used in multiple

places in the request such as a usernameand password. The cluster bomb attack willlock in the first payload (username, for ex-ample) and iterate all of the passwords withthis first username. Once all the passwordvalues have been tried for the first user-name, the username is changed to the sec-ond username and the entire password list

is used with this second username.

Obviously you are going to use the clusterbomb attack type for the authentication hack,but knowing when to use each of these attacktypes is a great weapon in your arsenal. TheHelp menu is Burp Suite has additional docu-mentation on these attack types if youd likefurther explanation. Once youve selectedCluster bomb from the drop-down menu, youcan select the Payloads tab in Intruder. A pay-load is the values to iterate through during thebrute forcing. You have two positions availableto send payloads to: the username and thepassword. The Payload set drop-down menuin Intruder indicates which parameter you aretargeting and they are processed in the sameorder that they appear in the positions tab, sousername is up first.

There are many options for the username pay-

load, but perhaps the most useful is the run-time file that can be fed to Intruder during theattack. Such a file is a great place to store us-ernames that you gather during the previousrecon steps. We already know the five validusers for DVWA so its an easy task to startgedit, create a text file full of valid users, andsave it as dvwa_users.txt in the root directorythat we can use in Intruder as shown in Figure6.

Figure 6 - Creating the dvwa_users.txt file to be used by Burp Intruder.



37/78

We are going to use a readily available pass-word list as the runtime file for the passwordparameter. It is the 500 Worst Passwords listfrom the team at Skull Security that can bedownloaded as a .bz2 file fromhttp://www.skullsecurity.org/wiki/ind

ex.php/Passwords. Save this file in your rootdirectory and then open a terminal and run the

following command to extract it to a text file.

bunzip2 500-worst-passwords.txt.bz2

Once youve successfully downloaded andunzipped this password list, run an ls com-mand to ensure the text file is in your root di-rectory. If everything goes as intended, boththe username file (dvwa_users.txt) and pass-word file (500-worst-passwords.txt) will beavailable as text files in your root directory.

With these lists ready and the payload mark-ers set in Intruder, the only remaining task be-fore attempting this exploit is to assign eachtext file as a runtime file. There is a PayloadOptions (Runtime file) section where you can

browse your local hard drive to select your textfile for each payload. Remember position 1 isfor dvwa_users.txt and position 2 is for500-worst-passwords.txt.

Running intruder

You can execute this exploit by selecting start

attack from the Intruder menu. Burp Intruderwill alert you that the free version is throttled toattack slower, so you will need to click-throughthis prompt. Because youre most likely usingthe free version of Burp Suite, this attack willtake approximately 30-40 minutes to finish be-cause of the nearly 2,500 requests with a onesecond delay between each request runningon only one thread. The pro version, however,will tear through this attack very quickly! Thevast majority of your authentication attemptswill fail, but its easy to identify the few re-quests that are a different length as successfullogins when sorting by response length asshown in Figure 7.

Figure 7 - Successful brute force logins via Intruder.

You can also include custom string terms tosearch for so its easier to identify a successfullogin under the options tab in Intruder. Per-haps you want to search for the term Wel-come! as a known string when authenticationis successful. Just make sure you know anactual string that will be displayed with a valid

authentication attempt otherwise it will returnno results.

Session attacks

Here are some of the most popular sessionattacks that are currently being used by hack-ers to exploit session vulnerabilities.

Session Hijacking:This is when a users

session identifier is stolen and used by theattacker to assume the identity of the user.The stealing of the session identifier can be

executed several different ways, but cross-site scripting (XSS) is the most common.

Session Fixation:This is when an attacker isassigned a valid session identifier by the ap-plication and then feeds this session to anunknowing user. This is usually done with a

web URL that the user must click on the link.Once the user clicks the link and signs intothe application, the attacker can then use thesame session identifier to assume the iden-tity of the user. This attack also occurs whenthe web server accepts any session from auser (or attacker) and does not assign a newsession upon authentication. In this case, theattacker will use his or her own, pre-chosensession, to send to the victim. These attacks

work because the session identifier is al-lowed to be reused (or replayed) in multiplesessions.



38/78

Session Donation:This is very similar to ses-sion fixation, but instead of assuming theidentity of the user, the attacker will feed thesession identifier of the attackers session tothe user in hopes that the user completes anaction unknowingly. The classic example isto feed the user a valid session identifier thatties back to the attackers profile page that

has no information populated. When the userpopulates the form (with password, creditcard info, and other goodies), the informationis actually tied to the attackers account.

Session ID in the URL:This is when sessionidentifiers are passed as URL parametersduring the request and response cycle. If thisfunctionality is present, an attacker can feedsuch a URL to the user to conduct any of theattacks described above.

Cracking cookies

One of the first activities that new security re-searchers always attempt is cracking session-generating algorithms so they can predict ses-sion identifiers. I was even a faculty supervisorfor such an adventure! My team created anapplication that logged into an application, ar-chived the assigned cookie, logged out of theapplication, and repeated that cycle millions of

times.

Once we gathered over one million sessionidentifiers, we mined the database for any in-stance of duplicate cookies. None were to befound. We then turned our attention to trying tocrack the algorithm that created these cook-ies. No dice. We calculated that it would takeseveral hundreds of years before compromis-ing the algorithm. If you think that attackingthese algorithms is the path of least resistance

to web application compromise, youre doing itwrong.

There was a time when session identifierswere created using weak algorithms, but thosedays are long gone. Unless a web administra-tor totally misses the boat when configuringthe application environment or somebody de-cides to roll their own session creation algo-rithm (always a terrible idea), there is littlehope in attacking the algorithm that generatessession identifiers. Is it mathematically possi-ble? Absolutely! Is it a good use of your timeand resource? Not in a million years (which ishow long some of the cracks will take)!

Burp Sequencer

You can test how strongly session identifiersare generated by using Burp Sequencer,which tests for randomness in session valueswhere the security of the application relies onunpredictability of these random session iden-tifiers. Its a very handy tool that performs ex-

tensive analysis on gathered session IDs anddisplays the results in easy to understandgraphs and tables.

Burp Sequencer tests a hypothesis (the ses-sion identifier is actually randomly generated)against a collection of gathered session iden-tifiers to calculate the probability of actual ran-domness. This is fancy talk for it checks tosee if the sessions cookie is actually randomcompared to tons of other session cookies. Ifthis probability falls below the significancelevel, the session identifier is categorized asnon-random. By default Sequencer uses the.0002-.03% FIPS standard for significance,but you are free to adjust this measurementfor your own uses. FIPS is the Federal Infor-mation Processing Standards that is usedgovernment-wide for security and interoper-ability of Federal computer systems. The stepsto conduct a Sequencer test and analysis are

very easy to perform:

1.Find a request in your proxy history that hasa session identifier in its response. This ses-sion identifier is what we want to test and ana-lyze with Sequencer.2.Use the right-click menu on this request tosend to sequencer.3.Identify the session identifier in Sequencerif its not automatically identified. Sequencerwill automatically identify most stock web envi-

ronments session identifiers.4. Set any options youd like in Sequencersuch as the thread count and request speed todictate the speed in which the session identifi-ers will be gathered. Remember its criticalthat you get the session identifiers are quicklyas possible without losing sessions to otherusers. If you can get a large consecutivestream of session identifiers, your testing willbe more accurate.5. Click the Start Capture button. You can re-view results as soon as Sequencer has beenissued 100 session identifiers. The FIPS stan-dard mandates 20,000 session identifiers tobe reliable.



39/78

6.Review the results of the tests in the gener-ated charts.

Here is a screenshot identifying the sessionidentifier right after sending the request to Se-quencer. This is a screenshot of Daf conduct-

ing this analysis on the BBC news website,not us using DVWA. Notice the token startsand token ends options on the right side of thescreen that identify the exact parameter thatyoud like tested as shown in Figu

Documents

INSECURE-Mag-39.pdf