Rüdiger Kügler | WIBU-SYSTEMS AG
Rüdiger Kügler, Security Expert, [email protected]
Secure Operation of a Cloud Solution, 30.01.2014

A professional approach to data security in the cloud

Description

Data don't lie. Cloud-based computing is ramping up in everyday usage and meets widespread acceptance. Several factors determine the success of SaaS, IaaS and PaaS, all connected to business enablement:
- Platform independence
- Price competitiveness, especially in times of cost optimization
- Technological innovation
- Greater implementation agility in a complete license lifecycle management

Whether you have already embraced this revolution and are considering moving forward to a private cloud, or you are an early adopter that is going to gradually transition from on-premise to cloud-based solutions, hacking attempts are likely to knock on your door. Do you have the expertise to recognize them in time, and possibly prevent them before they affect the security of your data and that of your customers? Wibu-Systems is ready to reveal a number of frequent scenarios software publishers might find themselves in. From an analytical perspective but in simple language we will navigate you from theory to practice through:
- The most common reasons that drive hacking
- The architectural weaknesses of a cloud system
- The security measures you should be sure to put in place

The professional services from Wibu-Systems will assist you in assessing your requirements and specifications, with special attention to the security aspect of your cloud-based solution.

Page 1: A professional approach to data security in the cloud
Secure Operation of a Cloud Solution
Rüdiger Kügler | WIBU-SYSTEMS AG
Rüdiger Kügler, Security Expert, [email protected]
30.01.2014

Page 2: What is the cloud?
???

Page 3: The theory
Software as a Service (SaaS)
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Webspace

Page 4: CLOUD SOLUTIONS IN PRACTICE

Page 5: Salesforce
No Software

Page 6: Amazon Cloud Drive
Webspace for images

Page 7: Blu-ray Ripper / MMOs

Page 8: ArchiCAD
Private Cloud (similar to a Terminal Server)

Page 9: REQUIREMENTS – PERSPECTIVE OF A SOFTWARE VENDOR

Page 10: The ISV offers SaaS
The vendor installs and operates the solution
(Mostly) browser-based access
Special solutions for the cloud
Challenges: licensing models (rental, in-app purchase, pay-per-use, …), users' identification, security of the solution

Page 11: Mixed solutions
Native client + computing power from the vendor in the cloud
For the user: "under the hood"
Internet connection required
Challenges: what needs to be computed in the cloud? Licensing models (purchase = one-off cost, cloud = recurring costs)

Page 12: User operates the Private Cloud
Original vendor's software
The user installs it autonomously in the cloud (Private Cloud)
Challenges: licensing (the PC is more powerful = fewer PCs = fewer licenses), copy protection (dongle? binding to the PC?)

Page 13: HOW TO IMPLEMENT A SAAS SOLUTION ON THE SERVER?

Page 14: PHP / script code
Apache Httpd → PHP

Page 15: Java
Application Server (Tomcat) → Java VM

Page 16: .NET
IIS → ASP.NET (DLL)

Page 17: WHY HACK A CLOUD SOLUTION?

Page 18: Just for fun
"You have been hacked!"

Page 19: Credit card details
Mock card shown: ESC "Euro Slave Card", Uranium Version, number 2013-041113-10045, valid until 12/2099

Page 20: Passwords
E-mail, banking, Facebook, hotels, Sony PSN

Page 21: Data and formulae
Medical records
Customer's data
Turnover data
Cola recipe: 100 g sugar, 100 ml water, ???

Page 22: Sabotage
PLC + OPC UA

Page 23: HOW TO HACK A CLOUD SOLUTION?

Page 24: Exploit
Program failure

Page 25: Exploit
Exploiting a vulnerability
Usually a buffer overflow
The injected code runs with the application's rights (the web server's!?)
Payload can be modified
Zero-day exploit

Page 26: SQL Injection
// Vulnerable login check from the slide: user input is concatenated straight into the SQL text
$query = "SELECT user, password FROM users WHERE user = '".$user."' AND password = '".$password."'";
$result = mysql_query($query); // executes the query (this line was lost in extraction; $result is used below)
$count = mysql_num_rows($result);
if ($count > 0)
{
    print ("Erfolgreich eingeloggt");
}

Page 27: SQL Injection
Call: [email protected]&password=secret
=> Successful login
Call: [email protected]&password=wrong
=> Failure

Pages 28 to 31: no text content

Page 32: SQL Injection
Injection: [email protected]&password=wrong' OR 'a'='a
=> Successful login, even if the password is incorrect

Page 33: SQL Injection
Tampering with WHERE clauses
Appending new commands (";"): INSERT, DROP
Spying out data (UNION)

Page 34: Cross-Site Scripting
Inject code into another page
Texts as parameters
JavaScript files as parameters

Page 35: no text content

Page 36: Somewhere else!

Page 37: HOW TO MAKE IT SECURE?

Page 38: Escape SQL
PHP: mysql_real_escape_string
Manual check
Binding parameters
Protection against SQL injection

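The login check from slide 26 and the injected input from slide 32, rebuilt as an added Python example (not code from the slides or from Wibu-Systems) on an in-memory SQLite database, so that the concatenated query and the parameter-bound query recommended on slide 38 can be run side by side. The users table, the e-mail addresses and the passwords are constructed for the demo.

```python
"""Added example (not from the slides): slide 26's login query rebuilt in
Python on SQLite, once with string concatenation (vulnerable) and once with
bound parameters (the slide-38 fix). Users and passwords are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo database: two users with plaintext passwords,
    exactly the layout the vulnerable slide-26 code assumes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "secret"), ("bob@example.com", "hunter2")],
    )
    return conn


def login_concat(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Slide-26 logic: the values are spliced into the SQL text, so a quote
    in either value changes the structure of the query."""
    query = ("SELECT user, password FROM users WHERE user = '" + user
             + "' AND password = '" + password + "'")
    return len(conn.execute(query).fetchall()) > 0


def login_bound(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Slide-38 fix: bound parameters. The driver passes the values
    separately from the SQL text, so quotes remain data."""
    query = "SELECT user, password FROM users WHERE user = ? AND password = ?"
    return len(conn.execute(query, (user, password)).fetchall()) > 0


def demo() -> dict:
    """Run both variants against a correct, a wrong and the slide-32 input."""
    conn = make_db()
    injected = "wrong' OR 'a'='a"   # the password value shown on slide 32
    return {
        "concat_correct": login_concat(conn, "alice@example.com", "secret"),
        "concat_wrong": login_concat(conn, "alice@example.com", "wrong"),
        "concat_injected": login_concat(conn, "alice@example.com", injected),
        "bound_correct": login_bound(conn, "alice@example.com", "secret"),
        "bound_injected": login_bound(conn, "alice@example.com", injected),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} -> {'login' if ok else 'failure'}")
```

With concatenation the injected value turns the WHERE clause into `... AND password = 'wrong' OR 'a'='a'`, which is true for every row, so the "wrong" password logs in; with bound parameters the same string is compared as a literal and the login fails.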
Page 39: Passwords
Never save them in clear text
"Encryption" (hash value) with a random salt value
Hash(Salt + Password)
Save hash and salt
Hash = an employee cannot read the password
Salt = security against rainbow tables and identical passwords

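An added example (not from the slides) of the slide-39 scheme, Hash(Salt + Password): a random salt per user, hash and salt stored, the password itself never stored. Standard library only; the user records are constructed for the demo.

```python
"""Added example (not from the slides): slide 39's Hash(Salt + Password)
with a random per-user salt; hash and salt are stored, the password is not.
The user records below are constructed for the demo."""
import hashlib
import hmac
import os

SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Slide 39: Hash(Salt + Password). SHA-256 is used here to mirror the
    slide; a production system should use a deliberately slow KDF instead
    (e.g. hashlib.pbkdf2_hmac) so that guessing is expensive."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def store_password(password: str) -> dict:
    """Build the record that gets saved: salt and hash only."""
    salt = os.urandom(SALT_BYTES)            # random salt, unique per user
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    expected = hash_password(candidate, record["salt"])
    return hmac.compare_digest(record["hash"], expected)


def demo() -> dict:
    # Constructed users; both deliberately chose the same password.
    alice = store_password("secret")
    bob = store_password("secret")
    return {
        "alice_ok": verify_password(alice, "secret"),
        "alice_wrong": verify_password(alice, "wrong"),
        # The salt makes identical passwords yield different stored hashes.
        "same_password_same_hash": alice["hash"] == bob["hash"],
    }


if __name__ == "__main__":
    print(demo())
```

The salt is what defeats both rainbow tables and the "identical passwords" leak on slide 39: two users with the same password get different stored hashes, so neither the table nor a colleague reading the database learns that they match.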
Page 40: Updates
Always update the operating system as soon as new patches are available
Always update the server (Apache, IIS, Tomcat, …) as soon as new patches are available
Protection against known exploits

Page 41: Name and version
ServerTokens Full
ServerSignature On

Page 42: Name and version
ServerTokens Prod
ServerSignature Off

Page 43: No phpinfo()

Page 44: System error messages
display_errors = On
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\wwwroot\dmz\demo\en\test.php on line 54
Call Stack:
0.9981 349568 1. {main}() C:\wwwroot\dmz\demo\en\test.php:0
1.0081 537128 2. mysql_num_rows()

Page 45: System error messages
display_errors = Off

Page 46: File extensions
Index.php
Index.html
Index.asp
Index.jsp
Should the extensions be hidden?

Page 47: Data configuration

Page 48: Data configuration
Don't store configuration data inside the web root
Be careful with file extensions!

Page 49: Avoid GET
127.0.0.1 - - [04/Nov/2013:08:30:19 +0100] "GET /demo/en/[email protected]&password=secret HTTP/1.1" 200 1371
127.0.0.1 - - [04/Nov/2013:08:34:50 +0100] "GET /demo/en/[email protected]&password=secure HTTP/1.1" 200 -
127.0.0.1 - - [04/Nov/2013:08:35:26 +0100] "GET /demo/en/[email protected]&password=secure HTTP/1.1" 200 1381

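An added detection check for slide 49 (not from the slides): credentials passed via GET end up in the web server's access log, so this scans access log lines in Apache's combined format for query parameters that look like credentials. The log lines, paths and parameter names below are constructed for the demo, and the list of sensitive parameter names is an assumption to adjust per application.

```python
"""Added example (not from the slides): a log check for slide 49. Scans
Apache combined-format access log lines for GET requests whose query string
carries credential-like parameters. The sample log is constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names treated as credentials (assumption; extend per application).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "secret"}

# Constructed sample access log; addresses and paths are placeholders.
SAMPLE_LOG = """\
127.0.0.1 - - [04/Nov/2013:08:30:19 +0100] "GET /demo/en/login.php?user=alice%40example.com&password=secret HTTP/1.1" 200 1371
127.0.0.1 - - [04/Nov/2013:08:31:02 +0100] "GET /demo/en/index.php?page=2 HTTP/1.1" 200 2048
127.0.0.1 - - [04/Nov/2013:08:34:50 +0100] "POST /demo/en/login.php HTTP/1.1" 200 -
127.0.0.1 - - [04/Nov/2013:08:35:26 +0100] "GET /demo/en/login.php?user=bob%40example.com&pwd=hunter2 HTTP/1.1" 200 1381
"""

# ip ident user [timestamp] "METHOD target protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_credentials_in_log(text: str) -> list:
    """One finding per request whose query string names a sensitive
    parameter. The parameter value is deliberately not copied into the
    finding, so the report itself does not leak the credential again."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # unparsable line: skip
        parts = urlsplit(m["target"])
        params = parse_qs(parts.query, keep_blank_values=True)
        leaked = sorted(SENSITIVE_PARAMS & set(params))
        if leaked:
            findings.append({
                "ts": m["ts"],
                "method": m["method"],
                "path": parts.path,
                "params": leaked,
            })
    return findings


if __name__ == "__main__":
    for f in find_credentials_in_log(SAMPLE_LOG):
        print(f"{f['ts']}  {f['method']} {f['path']}  leaks {', '.join(f['params'])}")
```

The POST login in the sample produces no finding because its body is not logged; that is the slide's point. Running a check like this over the real access log (and over proxy logs, which see the same URLs) shows where a form still submits via GET.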
Page 50: User's rights
Which rights does the web server have (IIS, Apache, own server, …)?
In case of an exploit, the attacker obtains the same rights!
Rights in the database: web user = generic user
Does not need CREATE / DROP / ALTER / …

Page 51: Validate the inputs
Black list: what is prohibited
Better: white list: verify the inputs' validity
Prevention: SQL injection / cross-site scripting

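An added example (not from the slides) contrasting the two approaches on slide 51: a black list that rejects known-bad fragments, and a white list that accepts only values of the expected shape. The field names and patterns are assumptions for the demo; the rejected inputs reuse the strings already shown on slides 32 and 33.

```python
"""Added example (not from the slides): black list versus white list input
validation from slide 51. Field names and patterns are demo assumptions."""
import re

# Deny list: fragments someone thought of. Anything not listed passes.
BLACKLIST = ("'", "--", ";", "<script")

# Allow list: per field, the pattern the whole value must match.
WHITELIST = {
    "user": re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,}$"),
    "page": re.compile(r"^[0-9]{1,6}$"),
}


def blacklist_ok(value: str) -> bool:
    """Deny-list check: passes unless a listed fragment occurs."""
    lowered = value.lower()
    return not any(bad in lowered for bad in BLACKLIST)


def whitelist_ok(field: str, value: str) -> bool:
    """Allow-list check: unknown fields and any value outside the
    expected shape are rejected."""
    pattern = WHITELIST.get(field)
    return pattern is not None and pattern.fullmatch(value) is not None


def demo() -> dict:
    """(field, value) -> (passes black list, passes white list)."""
    samples = {
        "user": [
            "alice@example.com",            # legitimate
            "wrong' OR 'a'='a",             # slide 32: caught by both
            "<script>alert(1)</script>",    # slide 34 theme: caught by both
            "alice@example.com OR 1=1",     # no listed fragment: only the white list rejects it
        ],
        "page": [
            "42",                           # legitimate
            "42 UNION SELECT 1",            # slide 33 theme: only the white list rejects it
        ],
    }
    return {(field, v): (blacklist_ok(v), whitelist_ok(field, v))
            for field, values in samples.items() for v in values}


if __name__ == "__main__":
    for (field, value), (bl, wl) in demo().items():
        print(f"{field:5} {value!r:32} black list: {'pass' if bl else 'reject'}  white list: {'pass' if wl else 'reject'}")
```

The two inputs that pass the black list but fail the white list are the slide's argument in code: a deny list can only reject what its author anticipated, whereas describing what a valid e-mail address or page number looks like rejects everything else by default. Validation is a defence in depth next to the bound parameters of slide 38, not a replacement for them.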
Page 52: ADVANCED OPTIONS

Page 53: Diversity
Web server in DMZ: Apache Httpd (PHP) → Protected area: Apache Tomcat (Java) → DB

Page 54: Certificates
Server certificate: Apache Httpd (PHP) holds Key + Certificate

Page 55: Certificates
Client certificate: Apache Httpd (PHP) holds Key + Certificate; the client holds Key + Certificate and presents its Certificate to the server

Page 56: Client Certificate for lc-admin.codemeter.com

Page 57: Access only through certificate

Page 58: Monitoring
Availability monitoring
Security monitoring

Page 59: SUMMARY

Page 60: In short
Save passwords "encrypted" (hashed with a salt)
Validate inputs
Install updates as soon as available
Do not display error messages (log only)
Reveal nothing about the system
Minimize rights as much as possible
Web root is only for web root

Page 61: WHAT CAN WIBU DO FOR YOU?

Page 62: License Central
What the secure operation of CodeMeter License Central means for you:
Creation, management and distribution of licenses
Secure architecture
Constant monitoring
Professional support
Updates of the operating system and the application

Page 63: CodeMeter as a token
Save private keys and certificates in CmDongle: PKCS#11 compliant
CSSI Middleware: save private keys in CmDongle, lean, proprietary solution
RSA and ECC: use of international standards

Page 64: Protection against reverse engineering
AxProtector for .NET
AxProtector for Java
CmActLicense bound to IP address, or without binding

Page 65: Unified solution: CodeMeter
Licensing, protection and security
Authentication for SaaS: certificate based, lean solution
License models for all use cases: usage based, feature based, time based, concurrent sessions, single user, …
Encryption of data
Single solution for managing licenses and services

Page 66: Professional Service
Specifications
Implementation
Security audits

Page 67: Thank you
Germany +49-721-931720
USA +1-425-7756900
China +86-21-55661790
Worldwide http://www.wibu.com [email protected]