Security Theatre@thomas_shone

Image by Matt McGee released under CC BY-ND 2.0

Booking.comW

E ARE HIRING

Work @ Booking: http://grnh.se/seomt7

Illusion

Denial

I know about OWASP!

If you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated”

@thegrugq

Reference: https://twitter.com/thegrugq/status/658991205816995840

But I use antivirus!

Crypting services makes most antivirus techniques useless

Reference: http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/

Let us put an unsecured node.js server on your personal

computer

TrendMicro Antivirus on WindowsJan 2016

https://code.google.com/p/google-security-research/issues/detail?id=693

Remote code-executions via your mail client downloading an

email

Sophos AntivirusJune 2015

https://lock.cmpxchg8b.com/sophailv2.pdf

Internet of Things

Reference: https://www.yahoo.com/tech/dutch-consumer-group-demands-samsung-151703102.html

We’re all bad at security

Users are bad at security

Developers are bad at security

Reference: https://github.com/

Hackers are bad at security

A study in scarlet

43 applications, libraries and frameworksover 4,800 versionsover 10 million files

255,000 scansAbout 6k/month from June 2012 - Nov 2015

ResultsJuly 2015

Most popular softwareIt’s not what you think

How bad is it?

Why is it so bad?

I have seen thingsPh'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn

Versioning Hell1.3-final-beta6-pre-patch3

OpenXBackdoored for almost a year

Lessons Learnt

VersioningProjects with bad versioning also have some

of the worst security issues

Automatic PatchingIf your software comes with automatic

upgrading, people will use it

Plugins and TemplatesIf an update needs manual changes for

plugins or template, no one updates

Patch Fatigue Exists

Image by Aaaron Jacobs released under CC BY-SA 2.0

Anger

Image by Josh Janssen released under CC BY-ND 2.0

Why doesn’t someone do something about it?

Private industry keep threatening security researchers

"How many Fortune 500 companies are hacked right now?

Answer, 500."Mikko Hypponen, CRO of F-Secure

Reference: https://twitter.com/mikko/status/184329161257652227

Why don’t we have some form of standard?

We have ISO 27001/2, ISO 15408, RFC 2196, PCI DSS, NIST, …

Reference: https://en.wikipedia.org/wiki/Cyber_security_standards

Why doesn’t the government do something about it?

A Ukrainian power plant was hacked & shutdown because

someone had macros enabled in Excel

Reference: https://t.co/PA7cDQC9EI

NSA: We’re just upgrading your megaflops, promise.

Reference: https://t.co/PA7cDQC9EIImage by Unknown released into the Public Domain

Bargaining

Image by Jeroen Moes released under CC BY-SA 2.0

But what if we installed advanced IDSs, WAFs and

specialised network hardware

We probably only knew about one of the two backdoors in our

system

Juniper NetworksDec 2015

http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/

IDSs produce reports. Managers likes reports: it helps them feel like they can "manage" security

http://security.stackexchange.com/questions/12164/how-effective-is-an-ids-at-catching-targeted-attacks

We’ll start following prescribed security standards

That’s great for your insurance premiums

Depression

Ninety percent of everything is crap.

Sturgeon's law

Reference: https://en.wikipedia.org/wiki/Sturgeon%27s_law

Acceptance

Image by Stephan Brunet released under CC BY-SA 3.0

Effective?

Most of our security practices are ineffective

We do security in isolation

Holistic

Hardware

Drivers

Services

Your Dependencies

Operating System

Your Software

Humans

Network / Internet

Area of Influence

Drivers

Services

Operating System203.5M LoC

Area of Influence

Hardware

Disclaimer: Numbers generated using cloc (Service LoC limited to latest releases of MySQL, Apache and PHP)

Operating SystemArea of Influence

Humans DNA7B LoC

Source: http://www.examiner.com/article/dna-the-ultimate-source-code

Hardware

Drivers

Services

Your Dependencies

Operating System

Your Software

Humans

Network / Internet

HR/Training/LART device

System Administrators

Downstream Providers

Layered

Image by Cadw released under OGL via Commons

Image by Albert Bridge released under CC BY-SA 2.0

Surface Area

Alertness

Image by MeganCollins released under CC BY-NC-ND 3.0

Mitigation

Image by Pivari.com released under CC BY-SA 3.0

Trust

Trust?

Be aware of what you’re trusting

The hardest part of security is not writing

secure code

It’s understanding where you misplace

your trust

Trust is a chain

I trust my computer is not compromised

Up-to-date patches

TRUST

I trust that the software is without vulnerability

Vulnerability research and security updates

TRUST

I trust that the software is configured properly

Automated provisioning

TRUST

I trust that the network is configured properly and secure

Good system administrators

TRUST

I trust you are who you say you are

TLS Certificate Peer Verification or Authentication

TRUST

I trust you are allowed to talk to me about this topic

Authorization

TRUST

I trust that what you send me hasn’t been tampered with

Hashes, CRCs or signatures

TRUST

I trust that what we talk about is just between us

Public and private keys

TRUST

I trust your computer is not compromised

????

TRUST

I trust that what we talk about won’t be share with others

Contracts, Legalities, Terms of use, ????

TRUST

I trust that the user won’t be the weak link

Training and procedures

TRUST

Turn your chain into a mesh

Image by ineverfinishanyth released under CC BY-NC-SA 2.5

Common Mistakes

WeakeningCompromising encryption or hashing is

about reducing time to crack

ImplementationA bad implementation helps reduce the time

to crack

Authentication

2 Factor Authenticationcomposer require pragmarx/google2fa

OAuth2composer require league/oauth2-client

Sessions

Image by Wouter van Emmerik released under CC BY-SA 3.0

Never roll your own

if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false){ parse_str($_SERVER['QUERY_STRING']); session_write_close(); session_id($session_to_unset); session_start(); $_SESSION = array(); session_write_close(); session_destroy(); exit;}

MistakesDeep understanding of the language

CODE SAMPLE

Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505

if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false){ parse_str($_SERVER['QUERY_STRING']); session_write_close(); session_id($session_to_unset); session_start(); $_SESSION = array(); session_write_close(); session_destroy(); exit;}

MistakesDeep understanding of the language

CODE SAMPLE

Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505

Writes $_SESSION to disk

if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false){ parse_str($_SERVER['QUERY_STRING']); session_write_close(); session_id($session_to_unset); session_start(); $_SESSION = array(); session_write_close(); session_destroy(); exit;}

MistakesDeep understanding of the language

CODE SAMPLE

Extracts URL parameters into the namespace.

session_to_unset=a becomes $session_to_unset = “a”;

Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505

Encryption

Image by Wouter van Emmerik released under CC BY-SA 3.0

Never roll your own

Avoid old tutorials on encryption

https://gist.github.com/paragonie-scott/e9319254c8ecbad4f227

Failed: Error Number: 60. Reason: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

// Many old tutorials and posts suggest disabling peer verificationscurl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

// Thankfully PHP 5.6+ handles CA certificate location automatically// now thanks to https://wiki.php.net/rfc/improved-tls-defaults and// Daniel Lowrey

Avoid advice like thisWeakening security for convenience

CODE SAMPLE

Hashing

Image by Wouter van Emmerik released under CC BY-SA 3.0

Never roll your own

One way encodingComparisons / Integrity Checks

Weak hash functions+/- 690GB rainbow tables

Reference: http://project-rainbowcrack.com/table.htm

1,406,470,543Number of accounts publicly leaked

Reference: https://haveibeenpwned.com/

$password = 'rasmuslerdorf';$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';

// Is this call safe?if (crypt($password, $hash) === $hash) { echo 'Password is correct';}// What about this one?if (password_verify($password, $hash)) { echo 'Password is correct';}

Bad implementationWhere is the weakness?

CODE SAMPLE

Timing AttacksBrute forcing cryptographic functions via

time taken to execute

$string1 = 'abcd';$string2 = 'abce';$string3 = 'acde';

for ($i=0; $i<10000; $i++) { ($string1 === $string2); }// Time taken: 0.008344

for ($i=0; $i<10000; $i++) { ($string1 === $string3); }// Time taken: 0.006923

Timing AttacksHow it works

CODE SAMPLE

Timing attacks can be used to work out if an account exists [...].

@troyhunt, haveibeenpwned.com

Reference: https://t.co/5WkQ48suj7

Well actuallyAmount of randomness matters

Reference: http://blog.ircmaxell.com/2012/12/seven-ways-to-screw-up-bcrypt.html

$password = 'rasmuslerdorf';$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';

// Check the passwordif (password_verify($password, $hash)) { echo 'Password is correct'; if (password_needs_rehash($hash, PASSWORD_DEFAULT)) { // Rehash and store in database $new_password = password_hash($password, PASSWORD_DEFAULT); }}

RehashBuild it into your flow

CODE SAMPLE

Randomness

Image by Wouter van Emmerik released under CC BY-SA 3.0

Never roll your own

Non-deterministic randomness is critical in encryption

Used for key generation and nonces

Non-deterministic randomness is hard

Dual_EC_DRBG was in use for 7 years

// NOT cryptographically securerand();

// Cryptographically secure (uses OS-specific source)random_int();

// Cryptographically secure (uses OS-specific source)random_bytes();

// Cryptographically secure (uses OpenSSL library)openssl_random_pseudo_bytes();

Random in codeKnow the source

CODE SAMPLE

Information Disclosure

HEAD http://example.com/index.php200 OKConnection: closeDate: Sat, 26 Dec 2015 13:52:01 GMTServer: ApacheContent-Type: text/html; charset=UTF-8Client-Date: Sat, 26 Dec 2015 13:52:01 GMTClient-Peer: 192.168.0.101:80Client-Response-Num: 1X-Powered-By: PHP/5.5.11

Information DisclosureEvery piece of information can be leveraged

LOG SAMPLE

HEAD http://example.com/index.php200 OKConnection: closeDate: Sat, 26 Dec 2015 13:52:01 GMTServer: ApacheContent-Type: text/html; charset=UTF-8Client-Date: Sat, 26 Dec 2015 13:52:01 GMTClient-Peer: 192.168.0.101:80Client-Response-Num: 1X-Powered-By: PHP/5.5.11

Information DisclosureEvery piece of information can be leveraged

LOG SAMPLE

Warning: require(assets/includes/footer.php) [function.require]: failed to open stream: No such file or directory in /home/user/path/to/assets/includes/operations.php on line 38

Fatal error: require() [function.require]: Failed opening required 'assets/includes/footer.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/path/to/assets/includes/operations.php on line 38

Information DisclosureEvery piece of information can be leveraged

LOG SAMPLE

Social Engineering

Weak password reset processes

Can you Google the answer?How do you handle customer support reset?

Customer support training

Convenience vs Security

@N’s (Naoki Hiroshima) Story

How do you mitigate against this?

Hope

Image by Jenny released under CC BY-NC-ND 2.0

Holistic

A.B.C.

Always Be C Patching

Patching StrategyIf a dependency prevents updating, resolve it

now

Version properlyMajor.Minor.Patch. How hard is that?

Don’t become comfortable

Comfort breeds contempt

ReadKnow about new threats and best practice

changes

Training StrategyHave a process for dealing with account

locks and resets

Compromise StrategyHave a plan before you need it

InformationOnly store what you really need

Mistakes will be madeLearn from them

Rate limitBuilt it now, or you’ll have to build it while an

incident is underway

Monitor everythingYou’re more likely to be alerted by a graph

spiking than your IDS

Decouple rolesDatabases, servers, domains, roles, ...

Composer everythingThere is no excuse anymore

Decouple plugins/templates

Updates should be simple

Get behind PSR-9 & 10http://www.php-fig.org/psr/

Group Performance

Image by Matt McGee released under CC BY-ND 2.0

Thank youFeel free to DM me on @thomas_shone with questions

$string1 = 'abcd';$string2 = 'abce';$status = 0;

if (mb_strlen($string1, '8bit') != mb_strlen($string2, '8bit')) { return false;}for ($i = 0; $i < mb_strlen($string1, '8bit'); $i++) { $status|= (ord($string1[$i]) ^ ord($string2[$i]));}return $status === 0;

Timing AttacksHow it works

CODE SAMPLE