How not to suck at Cyber Security

HOW NOT TO
SUCK AT CYBER
SECURITY
Chris Watts - Feb 2016

In 2015 there were
+38%more cyber security incidents than in 2014
Global State of Information Security® Survey 2016

Proportion of companies reporting a security incident

CUSTOMER RECORDS
38.27% of compromised assets
EMPLOYEE RECORDS
33.25% of compromised assets

While there is no guarantee against
being breached, organizations can
greatly manage their risk by becoming
more vigilant in covering their bases.
- Mike Denning, Vice President for Global Security, Verizon

According to the Pareto Principle
80%of the effects are from
20%of the causes
Software bugs are not exempt from this rule

JS NIGHTMARES
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+

[] + [] === ''
[] + {} === [object Object]
{} + [] === 0
{} + {} === NaN
QUIRKY!
https://www.destroyallsoftware.com/talks/wat

HOW TO MAKE
A LANGUAGE
NAND or NOR gates will let you build anything!

With an array of NAND or NOR gates, you can build any
other logic gate. Hence FPGAs!
In software, if you have a NOT expression and an OR expression, you
can emulate any other logic circuit!
If you can emulate logic circuits, you can emulate a Turing machine.
Pretty much every language already has this requirement [!+]

TURING TARPITS
Some people just want to watch the world burn
This is an example of Hello World in Brainfuck
++++++++[>++++
[>++>+++>+++>+<<<<-]
>+>+>->>+[<]<-]
>>.>---.+++++++..+++.>>.
<-.<.+++.------.--------.>>+.>++.

To be Turing-complete, an
imperative language must:
1. Allow conditional branching
2. Allow read/write access to random
memory

To be Turing-complete, a
functional language must:
1. Allow abstraction of functions over
arguments
2. Allow application of functions to
arguments

ENTER JSFUCK
A Turing-complete sub-language of JavaScript that runs in the same
environment as real JavaScript. And yes, it’s Turing-complete.
false => ![]
true => !![]
undefined => [][[]]
NaN => +[![]]
0 => +[]
1 => +!+[]
2 => !+[]+!+[]

Problem: Lots of people want cat pictures
and illegible formatting in their listings
Solution: Let them insert HTML!
Normally, one filters out everything that
has the potential to do bad with
user-submitted HTML
USER INPUT IS A
DANGEROUS THING
In fact, the best idea is to just avoid it and
say no, but customers will be customers.

LET’S LEAVE IN
<SCRIPT> TAGS!
Now we can offer more
features like advertising!
And lawsuit-worthy user tracking!

Hey let’s just check for alphanumerics! It’s a super easy regex.
/<script>w+</script>//ig
ALL WE NEED TO DO IS DISALLOW ALL
STRINGS WITHIN <SCRIPT> TAGS
SUBMITTED BY USERS

It will be fine, nobody is ever going to
be able to execute JavaScript without
alphanumerics despite JS being even
sketchier than C++[1]
- some dev at eBay

How not to suck at Cyber Security

Two researchers by the names of Charlie
Miller and Chris Valasek were able to
connect to GM’s OnStar entertainment
system from 2012 to 2015.
Turns out the entertainment system is
connected to the ECU, braking, tire
pressure monitoring and steering systems.
OF COURSE, IT’S NOT JUST
EBAY
From 10 miles away, they were able to
turn up the car stereo, switch on the
wipers, and crash the car flat-out into a
ditch.

It will be fine, nobody is ever going to
control the car through the
entertainment system
- some dev at GM

LET’S NOT FOLLOW SUIT
DESIGN AS
THE
ANTI-USER

SQL INJECTION
https://xkcd.com/327/

A SIMPLE ATTACK
<?php
$page = $_GET[‘page’];
$query = “SELECT * FROM transactions LIMIT $page * 20, 20”;
...
?>
https://www.securebank.com/transactions/view/3/
https://www.securebank.com/transactions/view/3;DROP USER admin;--/

SOLUTION
NEVER trust user-supplied information. Hidden form fields and cookies are also not safe.
VALIDATE your inputs. Expecting a number? Assert that!
ALWAYS use prepared statements - don’t insert directly into SQL statements
$statement = $db->prepare(“SELECT * FROM transactions LIMIT :page, 20”);
$statement->bindParam(‘page’, $page * 20);

You would think there’s no harm in leaving the version numbers of
your Wordpress installation in the headers or footers of your web
page.
Some version information also appears in HTTP headers, for
example: ‘X-Powered-By: My Cool CMS v3.3.6’
INFORMATION LEAKAGE

REMOVE all version identifiers from everything your server sends
CHECK what happens on a server error. Does the 500 page show
anything useful to a hacker?
REMOVE all debugging information, or have it sent to log files
SOLUTION

INFORMATION EXPOSURE
Sometimes your text editors are the enemy...
Of course, Database.php~ is no longer a .php file, so will not get executed when you
navigate to it.
Instead, it will just download the file to the user, containing the actual PHP code and
passwords!

SOLUTION
WHITELIST rather than blacklist files that are allowed to be displayed to the user (e.g. in
.htaccess)
DELETE all temporary files on the production server, edit files on a development server
before pushing.
MOVE all non-static (e.g. html, jpg, css) files out of the document root. Especially
configuration files.

USER UPLOADS
By performing the previous steps, you can also protect yourself from malicious uploads
being executed.
This does not replace the need to check file contents though as if the file exists on the
server, it’s more than likely the attacker will find a way to execute it.

Remember the Heartbleed bug of 2014?
In 2015 there were still swaths of unprotected servers due to
negligence and unwillingness to update.
OUTDATED SOFTWARE

sudo apt-get update
sudo apt-get upgrade
Update any frameworks or libraries you use in your projects too to
make sure you don’t appear on the Exploit DB.
SOLUTION

Just because the attacker can’t see your source code doesn’t mean
they can’t brute force or guess their way in!
SECURITY THROUGH OBSCURITY

Assume they can see your source code.
SOLUTION

AUTHORIZATION BYPASS
Locking the front door is useless if you left the window open.
Some companies forget to secure all of their admin pages. Sure, the
admin home page is protected by a password, but what about the
page where you can modify user permissions?

Storing valuable information in HTML <hidden> fields?
Users can modify and do whatever they like to those.
HIDDEN FIELDS ARE NOT HIDDEN

SOLUTION
CHECK every page, REST service, action and form to make sure only
those authorized can perform actions
NEVER store internal logic in content the user sends back. This
includes cookies! (Although storing this information in sessions with a
session token is OK provided you’re using sessions properly)

So you’ve fixed authorization bypass and an admin is logged in.
The admin checks the forums and sees this post:
CSRF CROSS-SITE REQUEST FORGERY
Hi, I’m getting harassed by the user Trump4President. I recorded a chat log here to prove that
he’s being derogatory and spiteful to every user in...
Little did the admin know, the link actually goes here:
https://www.clubpenguin.com/admin/users/Trump4President/perms?admin=true

There are actually two things wrong with this example.
1. A modification action was accessible with a GET request rather
than POST.
2. Because the admin was logged in, clicking this link performed
the action under the admin’s account.
WHAT WENT WRONG

USE POST, PUT, PATCH, DELETE etc. for any mutable actions. Use
GET only if data will not be modified by the request.
TOKENIZE all forms and actions with a random string generated as
the page loads. Store this token in your database to
cross-reference when the form is submitted. This token may be
stored in a hidden field or cookie.
SOLUTION

REDIRECT HIJACKING
Sometimes you need to show a page, such as a login page, before
redirecting the user to where they wanted to go.
If the redirect URL is not sanitized, an attacker might try to use it to
direct you to another site. Imagine if a user is presented with a
phishing email to change their bank password and they’re
presented with a legitimate link to their bank:
https://www.securebank.com/account/changepassword?redir=http://evil.com/phish

REDIRECT HIJACKING
This attack goes hand-in-hand with CSRF. If the user can be
redirected before they realize their session has been hijacked by an
evil button, the incident may go completely undetected.

REDIRECT HIJACKING
It’s not just limited to redirecting a user either. If your script accesses
the server’s filesystem, don’t let this happen:
https://www.mycoolforum.com/forum/page=../../../etc/passwd

SOLUTION
USE a URL parser on any URL arguments to make sure they’re
relative to the document root.
DENY use of patterns like ‘../’, ‘~/’ or ‘PROGRA~1/’

Some content is written by the user. This could be something like
eBay’s item descriptions, or even a user’s username displayed at the
top of the page.
If the user can enter HTML tags that they shouldn’t, we already know
what can go wrong.
XSS CROSS-SITE SCRIPTING

There are two ways XSS can be a problem.
1. Displaying unsanitized information that the user has directly
given (such as in a comment post or account bio)
2. Displaying unsanitized information that the user has weaseled
into the system (for example, with a database compromise)
FIRST AND SECOND ORDER

ESCAPE or encode all characters that should be illegal when
displayed on a page. For HTML body, this is <anyelement>, for HTML
attributes this is any single or double quote. There are pre-made
sanitizers for this job.
Perform this when the data is displayed rather than when it is stored.
Otherwise you can end up with multiple escaped strings and still be
vulnerable to second-order XSS!
SOLUTION

How it should be done (escaping with < and >)
How it shouldn’t be done

HUMANS
THE WEAKEST LINK OF A
SECURITY SYSTEM

Of the compromised respondents in the GSISS
34%said current employees were the most likely cause

29%linked attacks to former employees

PRIVILEGE MISUSE
is #3 of the 9 biggest causes
Verizon Data Breach Investigations Report 2015

Still a common cause of security violations. With a convincing email,
an employee can violate the security plan your business so dearly
values in a matter of seconds.
Hot for 2016 - SMiShing (via SMS)
PHISHING

Yes.
23% of phishing emails are opened and 11% of attachments are
downloaded according to the 2015 Verizon Data Breach
Investigations Report.
PEOPLE STILL FALL FOR
THAT?

Companies that have an overall security strategy
58%
Companies that have an employee training program
53%

With a suit, tie and clipboard, you can go pretty much anywhere you
want.
With a tray of coffees, you can go through pretty much any door.
It’s this inherent kindness that shows that as security systems go, we
are pretty poor.
SOCIAL ENGINEERING

In 2007, a mystery man walked into a Belgian bank and stole over
€21 million in diamonds from high-security safety deposit boxes using
only his charming personality.
He gained trust with the personnel by being a nice guy and bringing
chocolates. He was able to make copies of the keys and gain
information to the diamonds whereabouts.
CONFIDENCE

Hence,
TO MAKE A SECURE SYSTEM,
FIRST REMOVE HUMANS

THANKS!
I’ll be glad to take your criticisms
Chris Watts - cwatts1@us.ibm.com

How not to suck at Cyber Security

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to How not to suck at Cyber Security (20)

How not to suck at Cyber Security