security theatre - confoo
Post on 20-Jan-2017
Security Theatre
@thomas_shone
Image by Matt McGee released under CC BY-ND 2.0
If you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated”
@thegrugq
Reference: https://twitter.com/thegrugq/status/658991205816995840
Crypting services make most antivirus techniques useless
Reference: http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/
Let us put an unsecured node.js server on your personal computer
Trend Micro Antivirus on Windows, Jan 2016
https://code.google.com/p/google-security-research/issues/detail?id=693
Remote code execution via your mail client downloading an
Sophos Antivirus, June 2015
https://lock.cmpxchg8b.com/sophailv2.pdf
Reference: https://www.yahoo.com/tech/dutch-consumer-group-demands-samsung-151703102.html
Reference: http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
Users are bad at security
➢ Weak passwords
➢ Password reset questions
➢ Human verification sucks
➢ Clickbait and phishing
➢ Attachments
➢ URL mistype
➢ Routine and workarounds
➢ Convenience trumps security
Patch Fatigue Exists
Image by Aaaron Jacobs released under CC BY-SA 2.0
Anger
Image by Josh Janssen released under CC BY-ND 2.0
"How many Fortune 500 companies are hacked right now? Answer, 500."
Mikko Hypponen, CRO of F-Secure
Reference: https://twitter.com/mikko/status/184329161257652227
We have ISO 27001/2, ISO 15408, RFC 2196, PCI DSS, NIST, …
Reference: https://en.wikipedia.org/wiki/Cyber_security_standards
A Ukrainian power plant was hacked & shut down because someone had macros enabled in Excel
Reference: https://t.co/PA7cDQC9EI
Image by Unknown released into the Public Domain
Bargaining
Image by Jeroen Moes released under CC BY-SA 2.0
We probably only knew about one of the two backdoors in our system
Juniper Networks, Dec 2015
http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/
IDSs produce reports. Managers like reports: it helps them feel like they can "manage" security
http://security.stackexchange.com/questions/12164/how-effective-is-an-ids-at-catching-targeted-attacks
Ninety percent of everything is crap.
Sturgeon's law
Reference: https://en.wikipedia.org/wiki/Sturgeon%27s_law
Acceptance
Image by Stephan Brunet released under CC BY-SA 3.0
Hardware
Drivers
Services
Your Dependencies
Operating System
Your Software
Humans
Network / Internet
Area of Influence
Hardware
Drivers
Services
Operating System: 203.5M LoC
Disclaimer: Numbers generated using cloc (Service LoC limited to latest releases of MySQL, Apache and PHP)
Human DNA: 7B LoC
Source: http://www.examiner.com/article/dna-the-ultimate-source-code
Hardware
Drivers
Services
Your Dependencies
Operating System
Your Software
Humans
Network / Internet
HR/Training
System Administrators
Downstream Providers
Layered
Image by Cadw released under OGL via Commons
Image by Albert Bridge released under CC BY-SA 2.0
Surface Area
Alertness
Image by MeganCollins released under CC BY-NC-ND 3.0
Mitigation
Image by Pivari.com released under CC BY-SA 3.0
I trust that the software is without vulnerability
Vulnerability research and security updates
TRUST
I trust that what we talk about won't be shared with others
Contracts, Legalities, Terms of use, ????
TRUST
Turn your chain into a mesh
Image by ineverfinishanyth released under CC BY-NC-SA 2.5
Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
Mistakes
Deep understanding of the language
CODE SAMPLE

if (strstr($_SERVER['QUERY_STRING'], 'session_to_unset') != false) {
    // Extracts URL parameters into the namespace:
    // session_to_unset=a becomes $session_to_unset = "a";
    // and so does every other name in the query string, $_SESSION included.
    parse_str($_SERVER['QUERY_STRING']);
    // Writes $_SESSION to disk (whatever the query string just made it)
    session_write_close();
    session_id($session_to_unset);
    session_start();
    $_SESSION = array();
    session_write_close();
    session_destroy();
    exit;
}

Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
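What the one-argument parse_str() above actually handed an attacker, and the hardened replacement, as an added example (not the vulnerable project's code and not from the slides). The query string is constructed for the demonstration; the session-id rule it checks is PHP's own (22 to 256 characters from [A-Za-z0-9,-]). The one-argument form was deprecated in PHP 7.2 and removed in 8.0, so the injection is shown by listing the names the parser would have created rather than by calling the removed form.

```php
<?php
// Added example, not the original code: parse_str() variable injection
// (CVE-2011-2505 pattern) beside a version that only ever reads one,
// validated parameter.
declare(strict_types=1);

// Constructed attacker request: the expected parameter plus a key named
// _SESSION. With one-argument parse_str() that second key overwrote the
// $_SESSION superglobal, which session_write_close() then persisted.
$queryString = 'session_to_unset=abc&_SESSION[ConfigFile][Servers][1][host]=evil.example';

// Every top-level key here is a variable the old call would have defined
// in the caller's scope. Parsing into an array shows them without the damage.
function variablesInjectedByParseStr(string $qs): array
{
    parse_str($qs, $out);
    return array_keys($out);
}

// Hardened: the query string names nothing; we take one value and whitelist it.
function sessionIdToUnset(array $get): ?string
{
    $id = $get['session_to_unset'] ?? null;
    if (!is_string($id)) {
        return null;
    }
    // PHP session ids: 22-256 chars of [A-Za-z0-9,-] (session.sid_bits_per_character <= 6)
    if (preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id) !== 1) {
        return null;
    }
    return $id;
}

// The slide's sequence, now reachable only with a validated id. Not invoked
// below: it needs a real session context, not a CLI run.
function unsetOtherSession(string $validatedId): void
{
    session_write_close();
    session_id($validatedId);
    session_start();
    $_SESSION = [];
    session_destroy();
}

// Demonstration
print_r(variablesInjectedByParseStr($queryString));
// session_to_unset and _SESSION: the second is the attack surface

parse_str($queryString, $get);
var_dump(sessionIdToUnset($get));                                   // NULL: "abc" is not a session id
var_dump(sessionIdToUnset(['session_to_unset' => str_repeat('a', 32)])); // string(32): passes, may be used
```

The general lesson carries beyond parse_str(): extract(), `$$name` and register_globals all let request data choose variable names, and the fix is the same: read named keys from `$_GET`/`$_POST` and validate each one.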
Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
Failed: Error Number: 60. Reason: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
// Many old tutorials and posts suggest disabling peer verifications
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

// Thankfully PHP 5.6+ handles CA certificate location automatically
// now thanks to https://wiki.php.net/rfc/improved-tls-defaults and
// Daniel Lowrey

Avoid advice like this
Weakening security for convenience
CODE SAMPLE
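The correct response to "Error Number: 60" is to fix the trust store, not to switch verification off. The following is an added example (not from the slides): a cURL setup that keeps peer and host verification on, restricts protocols and TLS version, optionally points at a CA bundle or a pinned public key, and turns a verification failure into an error message that says what to fix. The function names and the fail-closed error text are this example's own.

```php
<?php
// Added example, not from the original slides: TLS verification left on,
// with the two failure modes (bad CA bundle, wrong host) made loud.
declare(strict_types=1);

function secureCurl(string $url, ?string $caBundle = null, ?string $pinnedKey = null)
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => false,                   // no silent hops to other hosts
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,         // refuse http://, file://, gopher://...
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_SSL_VERIFYPEER  => true,                    // chain must end at a trusted CA
        CURLOPT_SSL_VERIFYHOST  => 2,                       // name must match; 0 and 1 both disable this
        CURLOPT_SSLVERSION      => CURL_SSLVERSION_TLSv1_2, // minimum version
        CURLOPT_TIMEOUT         => 10,
    ]);
    // PHP 5.6+ locates the system bundle itself; set this only when shipping your own.
    if ($caBundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }
    // For high-value endpoints: pin the server's SPKI hash, "sha256//<base64>".
    if ($pinnedKey !== null) {
        curl_setopt($ch, CURLOPT_PINNEDPUBLICKEY, $pinnedKey);
    }
    return $ch;
}

function fetch(string $url, ?string $caBundle = null, ?string $pinnedKey = null): string
{
    $ch    = secureCurl($url, $caBundle, $pinnedKey);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        // 60 (CA problem) and 51 (peer verification) are the errors the bad tutorials "fix".
        if ($errno === CURLE_SSL_CACERT || $errno === CURLE_PEER_FAILED_VERIFICATION) {
            throw new RuntimeException(
                "TLS verification failed ($errno: $error). Install or point at a current CA bundle "
                . "(php.ini curl.cainfo, or CURLOPT_CAINFO); do not set VERIFYPEER/VERIFYHOST to 0."
            );
        }
        throw new RuntimeException("Request failed ($errno: $error)");
    }
    return $body;
}

// Usage: php this.php https://example.com/  (network access required)
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo substr(fetch($argv[1]), 0, 200), PHP_EOL;
}
```

Run against a host whose certificate does not match its name or chains to an unknown CA and the call fails closed with the hint; a request that succeeds did so with the certificate actually checked.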
Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
278,362,281
Number of accounts publicly leaked
Reference: https://haveibeenpwned.com/
$password = 'rasmuslerdorf';
$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';

// Is this call safe?
if (crypt($password, $hash) === $hash) {
    echo 'Password is correct';
}

// What about this one?
if (password_verify($password, $hash)) {
    echo 'Password is correct';
}

Bad implementation
Where is the weakness?
CODE SAMPLE
$string1 = 'abcd';
$string2 = 'abce';
$string3 = 'acde';

for ($i = 0; $i < 10000; $i++) { ($string1 === $string2); }
// Time taken: 0.008344

for ($i = 0; $i < 10000; $i++) { ($string1 === $string3); }
// Time taken: 0.006923

// === stops at the first differing byte, so the comparison that shares the longer
// prefix ('abc' vs 'a') takes measurably longer. That is the leak: an attacker who can
// time crypt($password, $hash) === $hash learns how many leading bytes matched.
// password_verify() compares in constant time.

Timing Attacks
How it works
CODE SAMPLE
Timing attacks can be used to work out if an account exists [...].
@troyhunt, haveibeenpwned.com
Reference: https://t.co/5WkQ48suj7
Well actually
Amount of randomness matters
Reference: http://blog.ircmaxell.com/2012/12/seven-ways-to-screw-up-bcrypt.html
$password = 'rasmuslerdorf';
$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';

// Check the password
if (password_verify($password, $hash)) {
    echo 'Password is correct';
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        // Rehash and store in database
        $new_password = password_hash($password, PASSWORD_DEFAULT);
    }
}

Rehash
Build it into your flow
CODE SAMPLE
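The timing-attack slides and the rehash slide combined into one login routine, as an added example that is not from the slides. password_verify() already compares in constant time; the timing leak that remains in most login code is the unknown-username path, which returns without doing any bcrypt work and so answers the "does this account exist?" probe Troy Hunt describes. The user table, the low-cost 'legacy' entry, the $dummyHash trick and the function names are constructed for this example; the cost-10 hash is the one from the slides.

```php
<?php
// Added example, not from the slides: constant-work login with rehash-on-login.
declare(strict_types=1);

// Constructed user store: username => bcrypt hash. 'legacy' is hashed at
// cost 4 to stand in for an old, too-cheap entry that should be upgraded.
$users = [
    'rasmus' => '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a', // 'rasmuslerdorf'
    'legacy' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]),
];

// A real hash of a throwaway secret, made once at startup with the production
// cost, so a miss spends the same bcrypt time as a hit.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => 10]);

function login(array &$users, string $dummyHash, string $username, string $password): bool
{
    $known = array_key_exists($username, $users);
    $hash  = $known ? $users[$username] : $dummyHash;

    // password_verify() runs first and always, so unknown users cost the same.
    $ok = password_verify($password, $hash) && $known;
    if (!$ok) {
        return false;
    }

    // Rehash built into the flow: after a successful check we hold the plaintext,
    // so weak or outdated hashes get upgraded transparently.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => 10])) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, ['cost' => 10]);
    }
    return true;
}

// For secrets you compare yourself (API keys, reset tokens, HMAC tags) the
// constant-time primitive is hash_equals(), never == or ===.
function tokenMatches(string $expected, string $presented): bool
{
    return hash_equals($expected, $presented);
}

// Demonstration
var_dump(login($users, $dummyHash, 'rasmus', 'rasmuslerdorf'));  // true
var_dump(login($users, $dummyHash, 'nobody', 'rasmuslerdorf'));  // false, but bcrypt work was still done
var_dump(login($users, $dummyHash, 'legacy', 'correct horse'));  // true, and the entry is upgraded
var_dump(password_needs_rehash($users['legacy'], PASSWORD_DEFAULT, ['cost' => 10])); // false now
var_dump(tokenMatches('tok_abc123', 'tok_abc124'));              // false
```

The database lookup itself can still differ in latency between a hit and a miss; the point is to remove the large, easily measured gap (one bcrypt evaluation) and to treat any remaining difference as something to measure on your own deployment rather than assume away.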
Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
// NOT cryptographically secure: a seeded, predictable generator
// (mt_rand() is the same generator; rand() has been an alias of it since PHP 7.1)
rand();

// Cryptographically secure (uses OS-specific source)
random_int($min, $max);

// Cryptographically secure (uses OS-specific source)
random_bytes($length);

// Cryptographically secure (uses OpenSSL library; check the $crypto_strong flag)
openssl_random_pseudo_bytes($length, $crypto_strong);

Random in code
Know the source
CODE SAMPLE
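Why the source matters, shown rather than stated, as an added example that is not from the slides: a seeded generator reproduces its whole output for anyone who knows the seed, the CSPRNG functions cannot be seeded at all, and random_int() also avoids the modulo bias people introduce when they reduce a large random number to an alphabet. The helper names, the seed value and the alphabet are this example's own choices.

```php
<?php
// Added example, not from the slides: predictable vs. cryptographically secure sources.
declare(strict_types=1);

// rand() == mt_rand() since PHP 7.1: same state, same predictability. Anyone who
// recovers or guesses the seed recovers every "random" value that followed.
function seededSequence(int $seed, int $count): array
{
    mt_srand($seed);
    $out = [];
    for ($i = 0; $i < $count; $i++) {
        $out[] = mt_rand(0, 999999);
    }
    return $out;
}

// Reset tokens, CSRF tokens, API keys: raw OS entropy, hex-encoded.
function secureToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes)); // throws if no secure source is available
}

// Human-typable code without modulo bias: random_int() is uniform over the
// range, so index the alphabet directly instead of taking (big number % 32).
function secureCode(int $length, string $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'): string
{
    $max  = strlen($alphabet) - 1;
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, $max)];
    }
    return $code;
}

// openssl_random_pseudo_bytes() reports whether the bytes were strong; honour it.
function opensslBytesOrFail(int $n): string
{
    $bytes = openssl_random_pseudo_bytes($n, $strong);
    if ($bytes === false || $strong !== true) {
        throw new RuntimeException('OpenSSL did not provide cryptographically strong bytes');
    }
    return $bytes;
}

// Demonstration
var_dump(seededSequence(1234, 5) === seededSequence(1234, 5)); // true: fully reproducible
var_dump(strlen(secureToken()) === 64);                         // true: 32 bytes, 64 hex chars
var_dump(secureToken() === secureToken());                      // false
echo secureCode(8), PHP_EOL;                                    // 8 chars from the alphabet, new each run
var_dump(strlen(opensslBytesOrFail(16)) === 16);                // true
```

The seeded sequence is the whole point: if a token generator is built on rand()/mt_rand(), the attacker's job reduces to finding the seed (often a timestamp or the process state), after which every token the server ever issued falls out.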
HEAD http://example.com/index.php
200 OK
Connection: close
Date: Sat, 26 Dec 2015 13:52:01 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Sat, 26 Dec 2015 13:52:01 GMT
Client-Peer: 192.168.0.101:80
Client-Response-Num: 1
X-Powered-By: PHP/5.5.11

X-Powered-By gives away the exact PHP version (expose_php = On), and Server names the web server: a shortcut straight to the right exploit.

Information Disclosure
Every piece of information can be leveraged
LOG SAMPLE
Warning: require(assets/includes/footer.php) [function.require]: failed to open stream: No such file or directory in /home/user/path/to/assets/includes/operations.php on line 38

Fatal error: require() [function.require]: Failed opening required 'assets/includes/footer.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/path/to/assets/includes/operations.php on line 38

Shown to a visitor, these two lines reveal the filesystem layout, the include_path and a file name worth probing; display_errors belongs off in production, with the detail in the server log.

Information Disclosure
Every piece of information can be leveraged
LOG SAMPLE
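Closing both leaks from application code, as an added example that is not from the slides. expose_php is PHP_INI_SYSTEM and can only be turned off in php.ini (the equivalent directives are listed in the comments), but the X-Powered-By header can be stripped at runtime, and an error and exception handler pair can send the full message, path and trace to the log while the client sees only a correlation id. The function name, the log location and the correlation-id format are this example's own; the missing-file read at the end is constructed to reproduce the slide's log sample.

```php
<?php
// Added example, not from the slides: keep versions and paths out of responses.
declare(strict_types=1);

// php.ini / web server equivalents (not all settable from a script):
//   expose_php = Off       ; removes "X-Powered-By: PHP/x.y.z"
//   display_errors = Off   ; no paths or stack traces to the client
//   log_errors = On
//   Apache: ServerTokens Prod, ServerSignature Off   nginx: server_tokens off;

function hardenErrorReporting(string $logFile): void
{
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', $logFile);
    error_reporting(E_ALL);

    // Belt and braces when expose_php could not be changed in php.ini.
    if (!headers_sent()) {
        header_remove('X-Powered-By');
    }

    // Warnings and notices become exceptions so nothing prints half a path on its own.
    set_error_handler(static function (int $no, string $msg, string $file, int $line) {
        throw new ErrorException($msg, 0, $no, $file, $line);
    });

    set_exception_handler(static function (Throwable $e): void {
        // Full detail goes to the log under a correlation id...
        $id = bin2hex(random_bytes(8));
        error_log(sprintf(
            '[%s] %s: %s in %s:%d%s%s',
            $id, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
            PHP_EOL, $e->getTraceAsString()
        ));
        // ...and the client gets only the id to quote to support.
        if (!headers_sent()) {
            http_response_code(500);
            header('Content-Type: text/plain; charset=UTF-8');
        }
        echo "Something went wrong. Reference: {$id}\n";
    });
}

hardenErrorReporting(sys_get_temp_dir() . '/app-errors.log');

// Constructed failure matching the slide's log sample: the "failed to open stream"
// warning is converted to an exception, the path lands in the log, and the
// response carries only the reference id.
file_get_contents('assets/includes/footer.php');
```

Errors raised before this code runs (parse errors, startup failures) are still governed by php.ini alone, which is why display_errors = Off belongs there as well and the runtime call is only a second line of defence.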
Hope
Image by Jenny released under CC BY-NC-ND 2.0
Group Performance
Image by Matt McGee released under CC BY-ND 2.0