DESCRIPTION
Data don't lie. Cloud-based computing is ramping up in everyday usage and meeting widespread acceptance. Several factors determine the success of SaaS, IaaS and PaaS, all connected to business enablement:
- Platform independence
- Price competitiveness, especially in times of cost optimization
- Technological innovation
- Greater implementation agility in a complete license lifecycle management
Whether you have already embraced this revolution and are considering moving on to a private cloud, or you are an early adopter that is going to gradually transition from on-premise to cloud-based solutions, hacking attempts are likely to knock on your door. Do you have the expertise to recognize them in time, and ideally prevent them before they affect the security of your data and that of your customers? Wibu-Systems presents a number of frequent scenarios software publishers might find themselves in. From an analytical perspective but in simple language, the talk takes you from theory to practice through:
- The most common reasons that drive hacking
- The architectural weaknesses of a cloud system
- The security measures you should be sure to put in place
The professional services from Wibu-Systems will assist you in assessing your requirements and specifications, with special attention to the security aspects of your cloud-based solution.
Secure Operation of a Cloud Solution
Rüdiger Kügler, Security Expert | WIBU-SYSTEMS AG
30.01.2014
What is the cloud?
The theory
Software as a Service (SaaS)
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Webspace
CLOUD SOLUTIONS IN PRACTICE
Salesforce: "No Software" (pure SaaS)
Amazon Cloud Drive: webspace for images
Blu-ray ripper / MMOs
ArchiCAD: private cloud (similar to a terminal server)
REQUIREMENTS – PERSPECTIVE OF A SOFTWARE VENDOR
The ISV offers SaaS
The vendor installs and operates the solution
(Mostly) browser-based access
Special solutions for the cloud
Challenges:
Licensing models (rental, in-app purchase, pay-per-use, …)
User identification
Security of the solution
Mixed solutions
Native client + computing power from the vendor in the cloud
For the user: "under the hood"
Internet connection required
Challenges:
What needs to be computed in the cloud?
Licensing models (purchase = one-off cost, cloud = recurring costs)
User operates the private cloud
The original vendor's software
The user installs it autonomously in the cloud (private cloud)
Challenges:
Licensing (the PC is more powerful = fewer PCs = fewer licenses)
Copy protection (dongle? binding to the PC?)
HOW TO IMPLEMENT A SAAS SOLUTION ON THE SERVER?
PHP / script code: Apache httpd runs the PHP scripts
Java: application server (Tomcat) on the Java VM
.NET: IIS running ASP.NET (DLL)
WHY HACK A CLOUD SOLUTION?
Just for fun
You have been hacked!
Credit card details (slide shows a mock-up card)
Passwords: banking, hotels, Sony PSN
Data and formulae
Medical records
Customer data
Turnover data
Trade secrets (the slide's joke: "Cola recipe: 100 g sugar, 100 ml water, ???")
Sabotage: PLC + OPC UA
HOW TO HACK A CLOUD SOLUTION?
Exploit: program failure
Exploit
Exploiting a vulnerability
Usually a buffer overflow (memory corruption in the server or a native library it loads)
The injected code starts with the rights of the exploited application (the web server!?)
The payload can be modified: the same hole delivers whatever code the attacker chooses
Zero-day exploit: the vulnerability is exploited before a patch exists
SQL Injection
// $user and $password come straight from the request: no escaping, no binding
$query = "SELECT user, password FROM users WHERE user = '".$user."' AND password = '".$password."'";
$result = mysql_query($query);
$count = mysql_num_rows($result);
if ($count > 0)
{
    print ("Logged in successfully");
}
SQL Injection
Call:
[email protected]&password=secret
=> Successful login
Call:
[email protected]&password=wrong
=> Failure
SQL Injection
Injection:
[email protected]&password=wrong' OR 'a'='a
=> Successful login, even though the password is incorrect
The concatenated WHERE clause now reads user = '<user>' AND password = 'wrong' OR 'a'='a'. AND binds tighter than OR and 'a'='a' is always true, so the query matches every row, $count > 0 and the check passes.
SQL Injection
What the attacker can do:
Tamper with WHERE clauses (bypass logins, widen result sets)
Append new commands (";"): INSERT, DROP (where the driver executes stacked statements)
Spy out data ("UNION": read rows from other tables into the result)
…
Cross-Site Scripting (XSS)
Inject script into a page that other users see
Text passed as parameters (reflected into the page unescaped)
JavaScript files passed as parameters (loaded from a URL the attacker controls)
Somewhere else! (the script need not live on the attacked server)
HOW TO MAKE IT SECURE?
Escape SQL
PHP: mysql_real_escape_string (escapes quotes in a value; helps only if the value is placed inside quotes in the query)
Manual checks
Binding parameters (prepared statements: the value is never part of the SQL text)
Protection against SQL injection
Note that the mysql_* extension used on the previous slides is deprecated as of PHP 5.5 and removed in PHP 7; with mysqli or PDO, bound parameters are the normal way to pass values.
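The deck's login query, its injection payloads and the "binding parameters" fix side by side, as an added example that is not from the slides or from Wibu-Systems. It rebuilds the PHP query in Python on an in-memory SQLite database (a stand-in for MySQL); the table, the account alice@example.com and the passwords are constructed test data.

```python
"""Added example (not from the Wibu-Systems slides): the deck's PHP login
query rebuilt in Python on an in-memory SQLite database, once by string
concatenation (vulnerable, like the slide) and once with bound parameters.
Table layout, user name and passwords are constructed test data."""
import sqlite3


def _setup_db() -> sqlite3.Connection:
    """Create a throwaway users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice@example.com', 'secret')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """The slide's query, built by string concatenation: untrusted input becomes
    part of the SQL grammar, so a quote in the input rewrites the WHERE clause."""
    query = ("SELECT user, password FROM users WHERE user = '" + user +
             "' AND password = '" + password + "'")
    rows = conn.execute(query).fetchall()
    return len(rows) > 0


def login_bound(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Same query with bound parameters: the driver sends the values separately
    from the statement text, so input can never change the query's structure."""
    query = "SELECT user, password FROM users WHERE user = ? AND password = ?"
    rows = conn.execute(query, (user, password)).fetchall()
    return len(rows) > 0


def demo() -> dict:
    """Run the slide's three calls plus a UNION probe against both versions."""
    conn = _setup_db()
    payload = "wrong' OR 'a'='a"  # the slide's injection string
    # "Spying out data" variant: a UNION that pulls every row through the login
    # query; the trailing -- comments out the rest of the concatenated SQL.
    union = "x' UNION SELECT user, password FROM users --"
    return {
        "concat_correct": login_concat(conn, "alice@example.com", "secret"),
        "concat_wrong": login_concat(conn, "alice@example.com", "wrong"),
        "concat_injected": login_concat(conn, "alice@example.com", payload),
        "concat_union": login_concat(conn, union, "anything"),
        "bound_correct": login_bound(conn, "alice@example.com", "secret"),
        "bound_injected": login_bound(conn, "alice@example.com", payload),
        "bound_union": login_bound(conn, union, "anything"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} -> {'login' if ok else 'denied'}")
```

The bound version treats `wrong' OR 'a'='a` as a 16-character password that simply does not match; no escaping function is involved, which is why binding is preferable to `mysql_real_escape_string` in new code.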
Passwords
Never store them in clear text
"Encryption" here means a one-way hash value, combined with a random salt
Hash(Salt + Password)
Store hash and salt
Hash: an employee (or anyone who steals the table) cannot read the password
Salt: security against rainbow tables, and identical passwords no longer produce identical hashes
Prefer a deliberately slow hash (bcrypt, PBKDF2, scrypt) over a single fast SHA round; a fast hash still lets an attacker test billions of guesses per second against a stolen table.
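Storing and verifying passwords as salt + hash, as an added example that is not from the slides. It goes one step beyond the slide's plain Hash(Salt + Password) by using PBKDF2-HMAC-SHA256 with a high iteration count, so a stolen table cannot be brute-forced at raw SHA-256 speed; the iteration count, the dict standing in for the users table and the sample accounts are my assumptions.

```python
"""Added example (not from the Wibu-Systems slides): salted, slow password
hashing with PBKDF2 and constant-time verification. The users 'table' is a
dict, ITERATIONS is an assumed tuning value, and the accounts are constructed."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000   # assumption: tune so one hash costs ~0.1 s on the server
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt per user means two users with
    the same password get different hashes and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def store_password(db: dict, user: str, password: str) -> None:
    """Persist only salt and hash; the clear-text password is never written."""
    salt, digest = hash_password(password)
    db[user] = {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(db: dict, user: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = db.get(user)
    if record is None:
        # Burn the same KDF cost so an unknown user is not revealed by timing.
        hash_password(candidate, bytes(SALT_BYTES))
        return False
    _, digest = hash_password(candidate, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    """Two users with the same password, one wrong guess, one unknown user."""
    db = {}  # stand-in for the users table
    store_password(db, "alice", "secret")
    store_password(db, "bob", "secret")   # same password as alice
    return {
        "alice_ok": verify_password(db, "alice", "secret"),
        "alice_wrong": verify_password(db, "alice", "Secret"),
        "unknown_user": verify_password(db, "carol", "secret"),
        "same_password_different_hash": db["alice"]["hash"] != db["bob"]["hash"],
        "cleartext_absent": "secret" not in str(db),
    }


if __name__ == "__main__":
    print(demo())
```

Because the salt is random per user, the table leaks nothing about which users share a password, and a rainbow table built for unsalted SHA-256 does not apply.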
Updates
Always update the operating system as soon as new patches are available
Always update the server software (Apache, IIS, Tomcat, …) as soon as new patches are available
Protection against known exploits
Name and Version
Apache default: the Server header and error pages reveal product, version and modules
ServerTokens Full
ServerSignature On
Hardened: reveal only "Apache", no version, no signature on error pages
ServerTokens Prod
ServerSignature Off
No phpinfo()
Remove phpinfo() pages from production: they list the PHP version, loaded modules, paths and configuration.
System Error Messages
With display_errors = On, a failed query leaks this to the browser:
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\wwwroot\dmz\demo\en\test.php on line 54
Call Stack: 0.9981 349568 1. {main}() C:\wwwroot\dmz\demo\en\test.php:0 1.0081 537128 2. mysql_num_rows()
The attacker learns the file system path, the script name and line number, the DB API in use, and that the query breaks on crafted input.
Fix: display_errors = Off (errors go to the log, not to the client)
File extensions
Index.php
Index.html
Index.asp
Index.jsp
Should the extensions be hidden? Hiding them reveals less about the stack, but it is obscurity only; never rely on it.
Configuration data
Don't store configuration data inside the web root
Be careful with file extensions!!! A configuration file with an extension the server does not execute (an .inc include, a .txt or .bak copy) is served to the browser as plain text, credentials included.
Avoid GET
Credentials sent as GET parameters are part of the URL, and the URL is written to the access log (and to browser history, proxy logs and Referer headers):
127.0.0.1 - - [04/Nov/2013:08:30:19 +0100] "GET /demo/en/[email protected]&password=secret HTTP/1.1" 200 1371
127.0.0.1 - - [04/Nov/2013:08:34:50 +0100] "GET /demo/en/[email protected]&password=secure HTTP/1.1" 200 -
127.0.0.1 - - [04/Nov/2013:08:35:26 +0100] "GET /demo/en/[email protected]&password=secure HTTP/1.1" 200 1381
Send credentials with POST in the request body, over TLS.
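A scan over access-log lines for credentials passed as GET parameters, as an added example that is not from the slides: it finds the situation the log excerpt above shows and shows what a redacted line should look like. The four log lines are constructed for this example and the set of parameter names treated as sensitive is my assumption.

```python
"""Added example (not from the Wibu-Systems slides): detect credentials in the
query string of Apache access-log lines and redact them. SAMPLE_LOG lines are
constructed; SENSITIVE is an assumed list of parameter names."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed common-log-format lines; two carry a password in the URL.
SAMPLE_LOG = """\
127.0.0.1 - - [04/Nov/2013:08:30:19 +0100] "GET /demo/en/test.php?user=alice%40example.com&password=secret HTTP/1.1" 200 1371
127.0.0.1 - - [04/Nov/2013:08:34:50 +0100] "POST /demo/en/test.php HTTP/1.1" 200 1381
127.0.0.1 - - [04/Nov/2013:08:35:26 +0100] "GET /demo/en/test.php?user=bob&pwd=hunter2&lang=en HTTP/1.1" 200 1381
127.0.0.1 - - [04/Nov/2013:08:36:02 +0100] "GET /demo/en/index.php?lang=en HTTP/1.1" 200 512
"""

SENSITIVE = {"password", "passwd", "pwd", "pass", "secret", "token", "apikey"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)


def credentials_in_query(line: str):
    """Return (timestamp, method, path, [leaked parameter names]) when the
    request carries a sensitive parameter in its query string, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    leaked = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                     if k.lower() in SENSITIVE})
    if not leaked:
        return None
    return (m.group("ts"), m.group("method"), parts.path, leaked)


def scan(log_text: str) -> list:
    """Every hit is a password that now sits on disk in the log and in every
    proxy and browser history between client and server."""
    hits = []
    for line in log_text.splitlines():
        hit = credentials_in_query(line)
        if hit:
            hits.append(hit)
    return hits


def redact_query(line: str) -> str:
    """Mask sensitive values before the line is written; better still, send
    the form by POST so the values never reach the URL at all."""
    def mask(mo):
        name = mo.group(1)
        return f"{name}=***" if name.lower() in SENSITIVE else mo.group(0)
    return re.sub(r'([A-Za-z0-9_]+)=([^&\s"]*)', mask, line)


if __name__ == "__main__":
    for ts, method, path, leaked in scan(SAMPLE_LOG):
        print(f"{ts} {method} {path}: leaked {', '.join(leaked)}")
    print(redact_query(SAMPLE_LOG.splitlines()[0]))
```

The POST line yields no hit because its credentials travel in the request body, which the access log does not record; the same applies to Referer headers and browser history.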
User rights
Which rights does the web server process have (IIS, Apache, own server, …)?
In case of an exploit, the attacker obtains the same rights!
Rights in the database: the web application connects as a generic, low-privilege user
It does not need CREATE / DROP / ALTER / …, so an injected DROP TABLE fails on permissions
Validate the inputs
Black list: what is prohibited (an attacker only needs one variant you did not think of)
Better: white list: verify that the input is valid (expected characters, length, format)
Prevention: SQL injection / cross-site scripting
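Black list against white list for the input-validation slide, plus output escaping for the cross-site scripting slide, as an added example that is not from the slides. The field rules, the payloads and the tiny HTML snippet are constructed for this example.

```python
"""Added example (not from the Wibu-Systems slides): why a black list is the
weaker choice, what a white list looks like per field, and how to escape the
free-text fields that cannot be white-listed away. Rules and payloads are
constructed for this example."""
import html
import re

# Black list, the slide's "what is prohibited": it stops what you thought of
# and nothing else.
BLACKLISTED = ("<script", "javascript:", "' or ")


def denylist_ok(value: str) -> bool:
    """True when none of the forbidden fragments appear (case-insensitive)."""
    return not any(bad in value.lower() for bad in BLACKLISTED)


# White list: what a valid value looks like, per field. Everything else fails.
ALLOW = {
    "username": re.compile(r"^[a-z0-9_.]{3,32}$"),
    "lang": re.compile(r"^(de|en|fr)$"),
    "quantity": re.compile(r"^[1-9][0-9]{0,3}$"),
}


def allowlist_ok(field: str, value: str) -> bool:
    """True only when the value matches the field's pattern in full."""
    rule = ALLOW.get(field)
    return bool(rule and rule.fullmatch(value))


def render_greeting(name: str) -> str:
    """Free text has to be escaped when it is written into HTML, so characters
    the browser treats as markup become literal text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def demo() -> dict:
    """Four payloads: two that the black list catches, two that slip past it;
    none passes the white list, and the XSS payload is neutralised on output."""
    payloads = {
        "script_tag": "<script>alert(1)</script>",
        "img_onerror": '<img src=x onerror="alert(1)">',   # slips past the black list
        "sqli": "wrong' OR 'a'='a",
        "sqli_no_space": "wrong'OR'a'='a",                 # slips past the black list
    }
    return {
        "denylist": {k: denylist_ok(v) for k, v in payloads.items()},
        "allowlist_username": {k: allowlist_ok("username", v) for k, v in payloads.items()},
        "allowlist_valid": allowlist_ok("username", "r.kuegler"),
        "escaped": render_greeting(payloads["img_onerror"]),
    }


if __name__ == "__main__":
    print(demo())
```

Validation and escaping are complementary: the white list decides whether a value is accepted at all, escaping decides how an accepted value is rendered. Neither replaces bound SQL parameters for the database side.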
ADVANCED OPTIONS
Diversity
Web server in the DMZ: Apache httpd (PHP)
Protected area: Apache Tomcat (Java), in front of the DB
Two different stacks in series, so one exploit against the outer tier does not also compromise the inner one
Certificates
Server certificate: Apache httpd (PHP) holds its key + certificate; the client verifies the server's identity
Client certificate: the server holds key + certificate, and each client holds its own key + certificate; the server verifies the client's certificate before granting access
Client certificate for lc-admin.codemeter.com (screenshot)
Access only through certificate
Monitoring
Availability monitoring
Security monitoring
SUMMARY
In short
Store passwords as salted hashes, never in clear text
Validate inputs
Install updates as soon as they are available
Do not display error messages (log only)
Reveal nothing about the system
Minimize rights as much as possible
The web root is only for content meant to be served
WHAT CAN WIBU DO FOR YOU?
License Central
What the secure operation of CodeMeter License Central means for you:
Creation, management and distribution of licenses
Secure architecture
Constant monitoring
Professional support
Updates of the operating system and the application
CodeMeter as a Token
Store private keys and certificates in a CmDongle: PKCS#11 compliant
CSSI middleware: store private keys in a CmDongle, a lean, proprietary solution
RSA and ECC: use of international standards
Protection against Reverse Engineering
AxProtector for .NET
AxProtector for Java
CmActLicense: bound to IP address, or no binding
Unified Solution: CodeMeter
Licensing, protection and security
Authentication for SaaS: certificate based, lean solution
License models for all use cases: usage based, feature based, time based, concurrent sessions, single user, …
Encryption of data
Single solution for managing licenses and services
Professional Service
Specifications
Implementation
Security audits
Germany +49-721-931720
USA +1-425-7756900
China +86-21-55661790
Worldwide http://www.wibu.com [email protected]
Thank you