SlideShare a Scribd company logo

How not to suck at Cyber Security

C
Chris Watts

The document discusses various cybersecurity risks and best practices to address them. It covers topics like information leakage, outdated software, authorization bypass, cross-site request forgery (CSRF), cross-site scripting (XSS), social engineering, and the importance of user training. The key message is that while technology is important, humans are often the weakest link and most common cause of breaches. Organizations must have security awareness programs to educate employees on threats like phishing.

Related slideshows

Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2
 
Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1
 
Riding Rails 4
Riding Rails 4Riding Rails 4
Riding Rails 4
 
1 of 63
Download to read offline
HOW NOT TO SUCK AT CYBER SECURITY Chris Watts - Feb 2016
DON’T BE EBAY
In 2015 there were +38%more cyber security incidents than in 2014 Global State of Information Security® Survey 2016
Proportion of companies reporting a security incident Global State of Information Security® Survey 2016
CUSTOMER RECORDS Global State of Information Security® Survey 2016 38.27% of compromised assets EMPLOYEE RECORDS 33.25% of compromised assets
While there is no guarantee against being breached, organizations can greatly manage their risk by becoming more vigilant in covering their bases. - Mike Denning, Vice President for Global Security, Verizon
According to the Pareto Principle 80%of the effects are from 20%of the causes Software bugs are not exempt from this rule
BACK TO THE RECENT EBAY HACK
JS NIGHTMARES [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+
[] + [] === '' [] + {} === [object Object] {} + [] === 0 {} + {} === NaN QUIRKY! https://www.destroyallsoftware.com/talks/wat
HOW TO MAKE A LANGUAGE NAND or NOR gates will let you build anything!
With an array of NAND or NOR gates, you can build any other logic gate. Hence FPGAs! In software, if you have a NOT expression and an OR expression, you can emulate any other logic circuit! If you can emulate logic circuits, you can emulate a Turing machine. Pretty much every language already has this requirement [!+]
TURING TARPITS Some people just want to watch the world burn This is an example of Hello World in Brainfuck ++++++++[>++++ [>++>+++>+++>+<<<<-] >+>+>->>+[<]<-] >>.>---.+++++++..+++.>>. <-.<.+++.------.--------.>>+.>++.
To be Turing-complete, an imperative language must: 1. Allow conditional branching 2. Allow read/write access to random memory
To be Turing-complete, a functional language must: 1. Allow abstraction of functions over arguments 2. Allow application of functions to arguments
ENTER JSFUCK A Turing-complete sub-language of JavaScript that runs in the same environment as real JavaScript. And yes, it’s Turing-complete. false => ![] true => !![] undefined => [][[]] NaN => +[![]] 0 => +[] 1 => +!+[] 2 => !+[]+!+[]
Problem: Lots of people want cat pictures and illegible formatting in their listings Solution: Let them insert HTML! Normally, one filters out everything that has the potential to do bad with user-submitted HTML USER INPUT IS A DANGEROUS THING In fact, the best idea is to just avoid it and say no, but customers will be customers.
LET’S LEAVE IN <SCRIPT> TAGS! Now we can offer more features like advertising! And lawsuit-worthy user tracking!
Hey let’s just check for alphanumerics! It’s a super easy regex. /<script>w+</script>//ig ALL WE NEED TO DO IS DISALLOW ALL STRINGS WITHIN <SCRIPT> TAGS SUBMITTED BY USERS
It will be fine, nobody is ever going to be able to execute JavaScript without alphanumerics despite JS being even sketchier than C++[1] - some dev at eBay
NAILED ITNAILED IT
How not to suck at Cyber Security
Two researchers by the names of Charlie Miller and Chris Valasek were able to connect to GM’s OnStar entertainment system from 2012 to 2015. Turns out the entertainment system is connected to the ECU, braking, tire pressure monitoring and steering systems. OF COURSE, IT’S NOT JUST EBAY From 10 miles away, they were able to turn up the car stereo, switch on the wipers, and crash the car flat-out into a ditch.
It will be fine, nobody is ever going to control the car through the entertainment system - some dev at GM
LET’S NOT FOLLOW SUIT DESIGN AS THE ANTI-USER
SQL INJECTION https://xkcd.com/327/
A SIMPLE ATTACK <?php $page = $_GET[‘page’]; $query = “SELECT * FROM transactions LIMIT $page * 20, 20”; ... ?> https://www.securebank.com/transactions/view/3/ https://www.securebank.com/transactions/view/3;DROP USER admin;--/
SOLUTION NEVER trust user-supplied information. Hidden form fields and cookies are also not safe. VALIDATE your inputs. Expecting a number? Assert that! ALWAYS use prepared statements - don’t insert directly into SQL statements $statement = $db->prepare(“SELECT * FROM transactions LIMIT :page, 20”); $statement->bindParam(‘page’, $page * 20);
You would think there’s no harm in leaving the version numbers of your Wordpress installation in the headers or footers of your web page. Some version information also appears in HTTP headers, for example: ‘X-Powered-By: My Cool CMS v3.3.6’ INFORMATION LEAKAGE
EXPLOIT-DB
REMOVE all version identifiers from everything your server sends CHECK what happens on a server error. Does the 500 page show anything useful to a hacker? REMOVE all debugging information, or have it sent to log files SOLUTION
INFORMATION EXPOSURE Sometimes your text editors are the enemy... Of course, Database.php~ is no longer a .php file, so will not get executed when you navigate to it. Instead, it will just download the file to the user, containing the actual PHP code and passwords!
SOLUTION WHITELIST rather than blacklist files that are allowed to be displayed to the user (e.g. in .htaccess) DELETE all temporary files on the production server, edit files on a development server before pushing. MOVE all non-static (e.g. html, jpg, css) files out of the document root. Especially configuration files.
USER UPLOADS By performing the previous steps, you can also protect yourself from malicious uploads being executed. This does not replace the need to check file contents though as if the file exists on the server, it’s more than likely the attacker will find a way to execute it.
Remember the Heartbleed bug of 2014? In 2015 there were still swaths of unprotected servers due to negligence and unwillingness to update. OUTDATED SOFTWARE
sudo apt-get update sudo apt-get upgrade Update any frameworks or libraries you use in your projects too to make sure you don’t appear on the Exploit DB. SOLUTION
Just because the attacker can’t see your source code doesn’t mean they can’t brute force or guess their way in! SECURITY THROUGH OBSCURITY
Assume they can see your source code. SOLUTION
AUTHORIZATION BYPASS Locking the front door is useless if you left the window open. Some companies forget to secure all of their admin pages. Sure, the admin home page is protected by a password, but what about the page where you can modify user permissions?
Storing valuable information in HTML <hidden> fields? Users can modify and do whatever they like to those. HIDDEN FIELDS ARE NOT HIDDEN
SOLUTION CHECK every page, REST service, action and form to make sure only those authorized can perform actions NEVER store internal logic in content the user sends back. This includes cookies! (Although storing this information in sessions with a session token is OK provided you’re using sessions properly)
So you’ve fixed authorization bypass and an admin is logged in. The admin checks the forums and sees this post: CSRF CROSS-SITE REQUEST FORGERY Hi, I’m getting harassed by the user Trump4President. I recorded a chat log here to prove that he’s being derogatory and spiteful to every user in... Little did the admin know, the link actually goes here: https://www.clubpenguin.com/admin/users/Trump4President/perms?admin=true
There are actually two things wrong with this example. 1. A modification action was accessible with a GET request rather than POST. 2. Because the admin was logged in, clicking this link performed the action under the admin’s account. WHAT WENT WRONG
USE POST, PUT, PATCH, DELETE etc. for any mutable actions. Use GET only if data will not be modified by the request. TOKENIZE all forms and actions with a random string generated as the page loads. Store this token in your database to cross-reference when the form is submitted. This token may be stored in a hidden field or cookie. SOLUTION
REDIRECT HIJACKING Sometimes you need to show a page, such as a login page, before redirecting the user to where they wanted to go. If the redirect URL is not sanitized, an attacker might try to use it to direct you to another site. Imagine if a user is presented with a phishing email to change their bank password and they’re presented with a legitimate link to their bank: https://www.securebank.com/account/changepassword?redir=http://evil.com/phish
REDIRECT HIJACKING This attack goes hand-in-hand with CSRF. If the user can be redirected before they realize their session has been hijacked by an evil button, the incident may go completely undetected.
REDIRECT HIJACKING It’s not just limited to redirecting a user either. If your script accesses the server’s filesystem, don’t let this happen: https://www.mycoolforum.com/forum/page=../../../etc/passwd
SOLUTION USE a URL parser on any URL arguments to make sure they’re relative to the document root. DENY use of patterns like ‘../’, ‘~/’ or ‘PROGRA~1/’
Some content is written by the user. This could be something like eBay’s item descriptions, or even a user’s username displayed at the top of the page. If the user can enter HTML tags that they shouldn’t, we already know what can go wrong. XSS CROSS-SITE SCRIPTING
There are two ways XSS can be a problem. 1. Displaying unsanitized information that the user has directly given (such as in a comment post or account bio) 2. Displaying unsanitized information that the user has weaseled into the system (for example, with a database compromise) FIRST AND SECOND ORDER
ESCAPE or encode all characters that should be illegal when displayed on a page. For HTML body, this is <anyelement>, for HTML attributes this is any single or double quote. There are pre-made sanitizers for this job. Perform this when the data is displayed rather than when it is stored. Otherwise you can end up with multiple escaped strings and still be vulnerable to second-order XSS! SOLUTION
How it should be done (escaping with &lt; and &gt;) How it shouldn’t be done
HUMANS THE WEAKEST LINK OF A SECURITY SYSTEM
Of the compromised respondents in the GSISS 34%said current employees were the most likely cause Global State of Information Security® Survey 2016
29%linked attacks to former employees Global State of Information Security® Survey 2016
PRIVILEGE MISUSE is #3 of the 9 biggest causes Verizon Data Breach Investigations Report 2015
Still a common cause of security violations. With a convincing email, an employee can violate the security plan your business so dearly values in a matter of seconds. Hot for 2016 - SMiShing (via SMS) PHISHING
Yes. 23% of phishing emails are opened and 11% of attachments are downloaded according to the 2015 Verizon Data Breach Investigations Report. PEOPLE STILL FALL FOR THAT?
Companies that have an overall security strategy 58% Global State of Information Security® Survey 2016 Companies that have an employee training program 53%
With a suit, tie and clipboard, you can go pretty much anywhere you want. With a tray of coffees, you can go through pretty much any door. It’s this inherent kindness that shows that as security systems go, we are pretty poor. SOCIAL ENGINEERING
In 2007, a mystery man walked into a Belgian bank and stole over €21 million in diamonds from high-security safety deposit boxes using only his charming personality. He gained trust with the personnel by being a nice guy and bringing chocolates. He was able to make copies of the keys and gain information to the diamonds whereabouts. CONFIDENCE
Hence, TO MAKE A SECURE SYSTEM, FIRST REMOVE HUMANS
THANKS! I’ll be glad to take your criticisms Chris Watts - cwatts1@us.ibm.com

More Related Content

How not to suck at Cyber Security

  • 1. HOW NOT TO SUCK AT CYBER SECURITY Chris Watts - Feb 2016
  • 3. In 2015 there were +38%more cyber security incidents than in 2014 Global State of Information Security® Survey 2016
  • 4. Proportion of companies reporting a security incident Global State of Information Security® Survey 2016
  • 5. CUSTOMER RECORDS Global State of Information Security® Survey 2016 38.27% of compromised assets EMPLOYEE RECORDS 33.25% of compromised assets
  • 6. While there is no guarantee against being breached, organizations can greatly manage their risk by becoming more vigilant in covering their bases. - Mike Denning, Vice President for Global Security, Verizon
  • 7. According to the Pareto Principle 80%of the effects are from 20%of the causes Software bugs are not exempt from this rule
  • 8. BACK TO THE RECENT EBAY HACK
  • 10. [] + [] === '' [] + {} === [object Object] {} + [] === 0 {} + {} === NaN QUIRKY! https://www.destroyallsoftware.com/talks/wat
  • 11. HOW TO MAKE A LANGUAGE NAND or NOR gates will let you build anything!
  • 12. With an array of NAND or NOR gates, you can build any other logic gate. Hence FPGAs! In software, if you have a NOT expression and an OR expression, you can emulate any other logic circuit! If you can emulate logic circuits, you can emulate a Turing machine. Pretty much every language already has this requirement [!+]
  • 13. TURING TARPITS Some people just want to watch the world burn This is an example of Hello World in Brainfuck ++++++++[>++++ [>++>+++>+++>+<<<<-] >+>+>->>+[<]<-] >>.>---.+++++++..+++.>>. <-.<.+++.------.--------.>>+.>++.
  • 14. To be Turing-complete, an imperative language must: 1. Allow conditional branching 2. Allow read/write access to random memory
  • 15. To be Turing-complete, a functional language must: 1. Allow abstraction of functions over arguments 2. Allow application of functions to arguments
  • 16. ENTER JSFUCK A Turing-complete sub-language of JavaScript that runs in the same environment as real JavaScript. And yes, it’s Turing-complete. false => ![] true => !![] undefined => [][[]] NaN => +[![]] 0 => +[] 1 => +!+[] 2 => !+[]+!+[]
  • 17. Problem: Lots of people want cat pictures and illegible formatting in their listings Solution: Let them insert HTML! Normally, one filters out everything that has the potential to do bad with user-submitted HTML USER INPUT IS A DANGEROUS THING In fact, the best idea is to just avoid it and say no, but customers will be customers.
  • 18. LET’S LEAVE IN <SCRIPT> TAGS! Now we can offer more features like advertising! And lawsuit-worthy user tracking!
  • 19. Hey let’s just check for alphanumerics! It’s a super easy regex. /<script>w+</script>//ig ALL WE NEED TO DO IS DISALLOW ALL STRINGS WITHIN <SCRIPT> TAGS SUBMITTED BY USERS
  • 20. It will be fine, nobody is ever going to be able to execute JavaScript without alphanumerics despite JS being even sketchier than C++[1] - some dev at eBay
  • 23. Two researchers by the names of Charlie Miller and Chris Valasek were able to connect to GM’s OnStar entertainment system from 2012 to 2015. Turns out the entertainment system is connected to the ECU, braking, tire pressure monitoring and steering systems. OF COURSE, IT’S NOT JUST EBAY From 10 miles away, they were able to turn up the car stereo, switch on the wipers, and crash the car flat-out into a ditch.
  • 24. It will be fine, nobody is ever going to control the car through the entertainment system - some dev at GM
  • 25. LET’S NOT FOLLOW SUIT DESIGN AS THE ANTI-USER
  • 27. A SIMPLE ATTACK <?php $page = $_GET[‘page’]; $query = “SELECT * FROM transactions LIMIT $page * 20, 20”; ... ?> https://www.securebank.com/transactions/view/3/ https://www.securebank.com/transactions/view/3;DROP USER admin;--/
  • 28. SOLUTION NEVER trust user-supplied information. Hidden form fields and cookies are also not safe. VALIDATE your inputs. Expecting a number? Assert that! ALWAYS use prepared statements - don’t insert directly into SQL statements $statement = $db->prepare(“SELECT * FROM transactions LIMIT :page, 20”); $statement->bindParam(‘page’, $page * 20);
  • 29. You would think there’s no harm in leaving the version numbers of your Wordpress installation in the headers or footers of your web page. Some version information also appears in HTTP headers, for example: ‘X-Powered-By: My Cool CMS v3.3.6’ INFORMATION LEAKAGE
  • 31. REMOVE all version identifiers from everything your server sends CHECK what happens on a server error. Does the 500 page show anything useful to a hacker? REMOVE all debugging information, or have it sent to log files SOLUTION
  • 32. INFORMATION EXPOSURE Sometimes your text editors are the enemy... Of course, Database.php~ is no longer a .php file, so will not get executed when you navigate to it. Instead, it will just download the file to the user, containing the actual PHP code and passwords!
  • 33. SOLUTION WHITELIST rather than blacklist files that are allowed to be displayed to the user (e.g. in .htaccess) DELETE all temporary files on the production server, edit files on a development server before pushing. MOVE all non-static (e.g. html, jpg, css) files out of the document root. Especially configuration files.
  • 34. USER UPLOADS By performing the previous steps, you can also protect yourself from malicious uploads being executed. This does not replace the need to check file contents though as if the file exists on the server, it’s more than likely the attacker will find a way to execute it.
  • 35. Remember the Heartbleed bug of 2014? In 2015 there were still swaths of unprotected servers due to negligence and unwillingness to update. OUTDATED SOFTWARE
  • 36. sudo apt-get update sudo apt-get upgrade Update any frameworks or libraries you use in your projects too to make sure you don’t appear on the Exploit DB. SOLUTION
  • 37. Just because the attacker can’t see your source code doesn’t mean they can’t brute force or guess their way in! SECURITY THROUGH OBSCURITY
  • 38. Assume they can see your source code. SOLUTION
  • 39. AUTHORIZATION BYPASS Locking the front door is useless if you left the window open. Some companies forget to secure all of their admin pages. Sure, the admin home page is protected by a password, but what about the page where you can modify user permissions?
  • 40. Storing valuable information in HTML <hidden> fields? Users can modify and do whatever they like to those. HIDDEN FIELDS ARE NOT HIDDEN
  • 41. SOLUTION CHECK every page, REST service, action and form to make sure only those authorized can perform actions NEVER store internal logic in content the user sends back. This includes cookies! (Although storing this information in sessions with a session token is OK provided you’re using sessions properly)
  • 42. So you’ve fixed authorization bypass and an admin is logged in. The admin checks the forums and sees this post: CSRF CROSS-SITE REQUEST FORGERY Hi, I’m getting harassed by the user Trump4President. I recorded a chat log here to prove that he’s being derogatory and spiteful to every user in... Little did the admin know, the link actually goes here: https://www.clubpenguin.com/admin/users/Trump4President/perms?admin=true
  • 43. There are actually two things wrong with this example. 1. A modification action was accessible with a GET request rather than POST. 2. Because the admin was logged in, clicking this link performed the action under the admin’s account. WHAT WENT WRONG
  • 44. USE POST, PUT, PATCH, DELETE etc. for any mutable actions. Use GET only if data will not be modified by the request. TOKENIZE all forms and actions with a random string generated as the page loads. Store this token in your database to cross-reference when the form is submitted. This token may be stored in a hidden field or cookie. SOLUTION
  • 45. REDIRECT HIJACKING Sometimes you need to show a page, such as a login page, before redirecting the user to where they wanted to go. If the redirect URL is not sanitized, an attacker might try to use it to direct you to another site. Imagine if a user is presented with a phishing email to change their bank password and they’re presented with a legitimate link to their bank: https://www.securebank.com/account/changepassword?redir=http://evil.com/phish
  • 46. REDIRECT HIJACKING This attack goes hand-in-hand with CSRF. If the user can be redirected before they realize their session has been hijacked by an evil button, the incident may go completely undetected.
  • 47. REDIRECT HIJACKING It’s not just limited to redirecting a user either. If your script accesses the server’s filesystem, don’t let this happen: https://www.mycoolforum.com/forum/page=../../../etc/passwd
  • 48. SOLUTION USE a URL parser on any URL arguments to make sure they’re relative to the document root. DENY use of patterns like ‘../’, ‘~/’ or ‘PROGRA~1/’
  • 49. Some content is written by the user. This could be something like eBay’s item descriptions, or even a user’s username displayed at the top of the page. If the user can enter HTML tags that they shouldn’t, we already know what can go wrong. XSS CROSS-SITE SCRIPTING
  • 50. There are two ways XSS can be a problem. 1. Displaying unsanitized information that the user has directly given (such as in a comment post or account bio) 2. Displaying unsanitized information that the user has weaseled into the system (for example, with a database compromise) FIRST AND SECOND ORDER
  • 51. ESCAPE or encode all characters that should be illegal when displayed on a page. For HTML body, this is <anyelement>, for HTML attributes this is any single or double quote. There are pre-made sanitizers for this job. Perform this when the data is displayed rather than when it is stored. Otherwise you can end up with multiple escaped strings and still be vulnerable to second-order XSS! SOLUTION
  • 52. How it should be done (escaping with &lt; and &gt;) How it shouldn’t be done
  • 53. HUMANS THE WEAKEST LINK OF A SECURITY SYSTEM
  • 54. Of the compromised respondents in the GSISS 34%said current employees were the most likely cause Global State of Information Security® Survey 2016
  • 55. 29%linked attacks to former employees Global State of Information Security® Survey 2016
  • 56. PRIVILEGE MISUSE is #3 of the 9 biggest causes Verizon Data Breach Investigations Report 2015
  • 57. Still a common cause of security violations. With a convincing email, an employee can violate the security plan your business so dearly values in a matter of seconds. Hot for 2016 - SMiShing (via SMS) PHISHING
  • 58. Yes. 23% of phishing emails are opened and 11% of attachments are downloaded according to the 2015 Verizon Data Breach Investigations Report. PEOPLE STILL FALL FOR THAT?
  • 59. Companies that have an overall security strategy 58% Global State of Information Security® Survey 2016 Companies that have an employee training program 53%
  • 60. With a suit, tie and clipboard, you can go pretty much anywhere you want. With a tray of coffees, you can go through pretty much any door. It’s this inherent kindness that shows that as security systems go, we are pretty poor. SOCIAL ENGINEERING
  • 61. In 2007, a mystery man walked into a Belgian bank and stole over €21 million in diamonds from high-security safety deposit boxes using only his charming personality. He gained trust with the personnel by being a nice guy and bringing chocolates. He was able to make copies of the keys and gain information to the diamonds whereabouts. CONFIDENCE
  • 62. Hence, TO MAKE A SECURE SYSTEM, FIRST REMOVE HUMANS
  • 63. THANKS! I’ll be glad to take your criticisms Chris Watts - cwatts1@us.ibm.com