Embed Size (px)
Citation preview
@thomas_shoneImage by Matt McGee released under CC BY-ND 2.0
Security Theatre
Booking.com
Welcome to Therapy
Image by THX0477 released under CC BY 2.0
Denial
Illusion
I know about OWASP!
If you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated”
@thegrugq
Reference: https://twitter.com/thegrugq/status/658991205816995840
But I use antivirus!
Crypting makes antivirus techniques useless
Reference: http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/
Unsecured node.js server
TrendMicro Antivirus on WindowsJan 2016
https://code.google.com/p/google-security-research/issues/detail?id=693
Remote code-executions via Buffer Overflow
Sophos AntivirusJune 2015
https://lock.cmpxchg8b.com/sophailv2.pdf
Double Agent Attack
Avast, AVG, Avira, Bitdefender, TrendMicro, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, Quick Heal,
and Norton - March 2017https://www.wired.com/2017/03/clever-doubleagent-attack-turns-antivirus-malware/
Internet of Things
Reference: https://www.yahoo.com/tech/dutch-consumer-group-demands-samsung-151703102.html
We’re all bad at security
Users
Developers
Hackers
A study in scarlet
43 applications, libraries and frameworksover 4,800 versionsover 10 million files
255,000 scansAbout 6k/month from June 2012 - Nov 2015
ResultsJuly 2015
Most popular softwareIt’s not what you think
How bad is it?
Why is it so bad?
I have seen thingsPh'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn
Versioning Hell1.3-final-beta6-pre-patch3
OpenXBackdoored for almost a year
Lessons Learnt
VersioningProjects with bad versioning also have some
of the worst security issues
Automatic PatchingIf your software comes with automatic
upgrading, people will use it
Plugins and TemplatesIf an update needs manual changes for
plugins or template, no one updates
Image by Aaaron Jacobs released under CC BY-SA 2.0
Patch Fatigue Exists
Image by Josh Janssen released under CC BY-ND 2.0
Anger
Why doesn’t someone do something about it?
Private industry keep threatening security researchers
List of well referenced situations of the above: http://attrition.org/errata/legal_threats/
"How many Fortune 500 companies are hacked right now?
Answer, 500."Mikko Hypponen, CRO of F-Secure
Reference: https://twitter.com/mikko/status/184329161257652227
Why don’t we have some form of standard?
We have ISO 27001/2, ISO 15408, RFC 2196, PCI DSS, NIST, …
Reference: https://en.wikipedia.org/wiki/Cyber_security_standards
Why doesn’t the government do something about it?
Don’t lump me in with
those idiots.
Reference: https://t.co/PA7cDQC9EIImage by Unknown released into the Public Domain
Fine… no backdoor in E2E encryption.
Julian King, Security Commissioner, EU
Reference: https://www.theregister.co.uk/2017/10/19/eu_crypto_cracking/
Fine… no backdoor in E2E encryption. But store everything
in plaintext.
Rod Rosenstein, Deputy Attorney General, USA
Reference: https://www.theregister.co.uk/2017/10/30/encryption_backdoors_plaintext_deputy_ag/
Image by Jeroen Moes released under CC BY-SA 2.0
Bargaining
But what if we installed advanced IDSs, WAFs and
specialised network hardware
We probably only knew about one of the two backdoors in our
system
Juniper NetworksDec 2015
http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/
Depression
Ninety percent of everything is crap.
Sturgeon's law
Reference: https://en.wikipedia.org/wiki/Sturgeon%27s_law
Infosec - A profession that turns normal people into whiskey drinking,
swearing, paranoid, disheartened curmudgeons with no hope for the future of computers or humanity.
@mzbat
Reference: https://www.urbandictionary.com/define.php?term=Infosec
Image by Stephan Brunet released under CC BY-SA 3.0
Acceptance
Effective?
Most of our security practices are ineffective
We do security in isolation
Holistic
Hardware
Drivers
Services
Your Dependencies
Operating System
Your Software
Humans
Network / Internet
Area of Influence
Drivers
Services
Operating System203.5M LoC
Area of Influence
Hardware
Disclaimer: Numbers generated using cloc (Service LoC limited to latest releases of MySQL, Apache and PHP)
Operating SystemArea of Influence
Humans DNA7B LoC
Source: http://www.examiner.com/article/dna-the-ultimate-source-code
Hardware
Drivers
Services
Your Dependencies
Operating System
Your Software
Humans
Network / Internet
HR/Training/LART device
System Administrators
Downstream Providers
Image by Cadw released under OGL via Commons
Layered
Surface Area
Image by Albert Bridge released under CC BY-SA 2.0
Image by MeganCollins released under CC BY-NC-ND 3.0
Alertness
Image by Pivari.com released under CC BY-SA 3.0
Mitigation
Trust
Trust??????
Be aware of what you’re trusting
The hardest part of security is not writing
secure code
It’s understanding where you’re misplace
your trust
Trust is a chain
I trust my computer is not compromised
Up-to-date patches
TRUST
I trust that the software is without vulnerability
Vulnerability research and security updates
TRUST
I trust that the software is configured properly
Automated provisioning
TRUST
I trust that the network is configured properly and secure
Good system administrators
TRUST
I trust you are who you say you are
TLS Certificate Peer Verification or Authentication
TRUST
I trust you are allowed to talk to me about this topic
Authorization
TRUST
I trust that what you send me hasn’t been tampered with
Hashes, CRCs or signatures
TRUST
I trust that what we talk about is just between us
Public and private keys
TRUST
I trust your computer is not compromised
????
TRUST
I trust that what we talk about won’t be share with others
Contracts, Legalities, Terms of use, ????
TRUST
I trust that the user won’t be the weak link
Training and procedures
TRUST
Turn your chain into a mesh
Image by ineverfinishanyth released under CC BY-NC-SA 2.5
Common Mistakes
WeakeningCompromising encryption or hashing is
about reducing time to crack
ImplementationA bad implementation helps reduce the time
to crack
Authentication
2 Factor Authenticationcomposer require pragmarx/google2fa
OAuth2composer require league/oauth2-client
Sessions
Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false){ parse_str($_SERVER['QUERY_STRING']); session_write_close(); session_id($session_to_unset); session_start(); $_SESSION = array(); session_write_close(); session_destroy(); exit;}
MistakesDeep understanding of the language
Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
CODE SAMPLE
if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false){ parse_str($_SERVER['QUERY_STRING']); session_write_close(); session_id($session_to_unset); session_start(); $_SESSION = array(); session_write_close(); session_destroy(); exit;}
MistakesDeep understanding of the language
Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
Writes $_SESSION to disk
CODE SAMPLE
if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false){ parse_str($_SERVER['QUERY_STRING']); session_write_close(); session_id($session_to_unset); session_start(); $_SESSION = array(); session_write_close(); session_destroy(); exit;}
MistakesDeep understanding of the language
CODE SAMPLE
Extracts URL parameters into the namespace.
session_to_unset=a becomes $session_to_unset = “a”;
Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
Encryption
Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
Avoid old tutorials on encryption
https://gist.github.com/paragonie-scott/e9319254c8ecbad4f227
Failed: Error Number: 60. Reason: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
// Many old tutorials and posts suggest disabling peer verificationscurl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
// Thankfully PHP 5.6+ handles CA certificate location automatically// thanks to https://wiki.php.net/rfc/improved-tls-defaults and// Daniel Lowrey
Avoid advice like thisWeakening security for convenience
CODE SAMPLE
Hashing
Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
One way encodingComparisons / Integrity Checks
Weak hash functions+/- 690GB rainbow tables
Reference: http://project-rainbowcrack.com/table.htm
4,797,089,933Number of accounts publicly leaked
Reference: https://haveibeenpwned.com/
$password = 'rasmuslerdorf';$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';
// Is this call safe?if (crypt($password, $hash) === $hash) { echo 'Password is correct';}// What about this one?if (password_verify($password, $hash)) { echo 'Password is correct';}
Bad implementationWhere is the weakness?
CODE SAMPLE
Timing AttacksBrute forcing cryptographic functions via
time taken to execute
$string1 = 'abcd';$string2 = 'abce';$string3 = 'acde';
for ($i=0; $i<10000; $i++) { ($string1 === $string2); }// Time taken: 0.008344
for ($i=0; $i<10000; $i++) { ($string1 === $string3); }// Time taken: 0.006923
Timing AttacksHow it works
CODE SAMPLE
Timing attacks can be used to work out if an account exists [...].
@troyhunt, haveibeenpwned.com
Reference: https://t.co/5WkQ48suj7
Well actuallyAmount of randomness matters
Reference: http://blog.ircmaxell.com/2012/12/seven-ways-to-screw-up-bcrypt.html
$password = 'rasmuslerdorf';$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';
// Check the passwordif (password_verify($password, $hash)) { echo 'Password is correct'; if (password_needs_rehash($hash, PASSWORD_DEFAULT)) { // Rehash and store in database $new_password = password_hash($password, PASSWORD_DEFAULT); }}
RehashBuild it into your flow
CODE SAMPLE
Randomness
Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
Non-deterministic randomness is critical in encryption
Used for key generation and nonces
Non-deterministic randomness is hard
Dual_EC_DRBG was in use for 7 years
// NOT cryptographically securerand();
// Cryptographically secure (uses OS-specific source)random_int();
// Cryptographically secure (uses OS-specific source)random_bytes();
// Cryptographically secure (uses OpenSSL library)openssl_random_pseudo_bytes();
Random in codeKnow the source
CODE SAMPLE
Information Disclosure
HEAD http://example.com/index.php200 OKConnection: closeDate: Sat, 26 Dec 2015 13:52:01 GMTServer: ApacheContent-Type: text/html; charset=UTF-8Client-Date: Sat, 26 Dec 2015 13:52:01 GMTClient-Peer: 192.168.0.101:80Client-Response-Num: 1X-Powered-By: PHP/5.5.11
Information DisclosureEvery piece of information can be leveraged
LOG SAMPLE
HEAD http://example.com/index.php200 OKConnection: closeDate: Sat, 26 Dec 2015 13:52:01 GMTServer: ApacheContent-Type: text/html; charset=UTF-8Client-Date: Sat, 26 Dec 2015 13:52:01 GMTClient-Peer: 192.168.0.101:80Client-Response-Num: 1X-Powered-By: PHP/5.5.11
Information DisclosureEvery piece of information can be leveraged
LOG SAMPLE
Warning: require(assets/includes/footer.php) [function.require]: failed to open stream: No such file or directory in /home/user/path/to/assets/includes/operations.php on line 38
Fatal error: require() [function.require]: Failed opening required 'assets/includes/footer.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/path/to/assets/includes/operations.php on line 38
Information DisclosureEvery piece of information can be leveraged
LOG SAMPLE
Social Engineering
Weak password reset processes
Can you Google the answer?How do you handle customer support reset?
Customer support training
Convenience vs Security
@N’s (Naoki Hiroshima) Story
How do you mitigate against this?
Image by Jenny released under CC BY-NC-ND 2.0
Hope
Holistic
A.B.C.
Always Be C Patching
Patching StrategyIf a dependency prevents updating, resolve it
now
Version properlyMajor.Minor.Patch. How hard is that?
Don’t become comfortable
Comfort breeds contempt
ReadKnow about new threats and best practice
changes
Training StrategyHave a process for dealing with account
locks and resets
Compromise StrategyHave a plan before you need it
InformationOnly store what you really need
Mistakes will be madeLearn from them
Rate limitBuilt it now, or you’ll have to build it while an
incident is underway
Monitor everythingYou’re more likely to be alerted by a graph
spiking than your IDS
Decouple rolesDatabases, servers, domains, roles, ...
Image by Matt McGee released under CC BY-ND 2.0
Group Performance
