Uploaded by: mohit-kanwar

Posted on: 15-Jul-2015

TRANSCRIPT

Hackers: The Internet's Immune System

Disclaimer: Use this knowledge in a positive manner. Help the development of secure software.

Whose Fault?

Security failure of the respective nations:

Intelligence failure

Failure to prevent such incidents

Failure to implement the security framework efficiently

It is because of Osama and Kasab that we know about our security flaws. We learned the hard way, but we did learn.

Think before attacking again: we are stronger!

How do vaccines work?

The Internet's Immune System

It is a constant fight between application developers and hackers. Who wins?

The aim of this presentation is to share knowledge about developing secure applications, understanding how hackers think, and security principles.

Why Software Security?

Application security is an unstated requirement.

Most applications deal with at least one of the following:

Financial information: credit cards, account numbers

Customers' personal information: name, contact information

Information Sensitivity

Information about particular groups of people, such as expecting parents, the LGBT community, the rich and affluent, and sports persons, is 10 to 50 times more valuable than information about everyone else, because they are the target customers of various products.

Why people hack Software?

Fun / pride

Money

Free goodies

Processing power / coin mining

Advertisements

Mind wash (religion / politics)

Wars

To bring out vulnerabilities

Irritating processes

Types of hackers

Black Hat

Grey Hat

White Hat

Hack-1

Sony Pictures. Estimated cost: $171 million. Hacked April to June 2011. The Sony Pictures intrusion was claimed by LulzSec; cause: SQL injection. The PlayStation Network breach in the same period affected 77 million accounts and is still considered the worst gaming-community data breach ever. Attackers stole valuable information: full names, logins, passwords, e-mails, home addresses, purchase history, and credit card numbers.

SQL Injection

Hack-2

Citigroup. Cost: $2.7 million. Hacked in June 2011. Caused by a poor implementation of authorization: sensitive data was accessible to unauthorized users because URL parameter checks were missing. Exposed the financial data of more than 360,000 customers.

User Profile Bug

Consider a user story: "As an admin user, I would like to see the profile of any selected user in the system."

UI / Service / Controller / DAO: Select * from Users where userid = ? with userid passed from the user's input (the request parameter).

User story extension: "As a logged-in user, I should be able to view my profile."

Developers are lazy, and re-usability is a tempting concept: the same DAO call is reused, Select * from Users where userid = ?, with userid still passed from the request instead of being taken from the logged-in user's session. Any user can now view any profile by changing the parameter, which is exactly the missing URL parameter check behind the Citigroup breach.
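The profile bug above and the SQL injection behind Hack-1, as an added Python/SQLite example that is not part of the original deck. The Users table, its three rows and the Session class are constructed for the demo; the three functions are the injectable DAO, the parameterised but unauthorised DAO, and a version in which the controller, not the request, decides whose row may be read:

```python
import sqlite3

# Added example, not from the deck: the "user profile" DAO in three versions.
# The schema, the three users and the Session class are constructed for the demo.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (userid INTEGER PRIMARY KEY, name TEXT, card TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", [
        (1, "admin", "4111-0000-0000-0001"),
        (2, "alice", "4111-0000-0000-0002"),
        (3, "bob",   "4111-0000-0000-0003"),
    ])
    return conn


class Session:
    """Stand-in for the server-side session of the logged-in user (constructed)."""
    def __init__(self, userid, is_admin=False):
        self.userid = userid
        self.is_admin = is_admin


def profile_injectable(conn, userid_param):
    """Hack-1 style: the request parameter is pasted into the SQL text, so
    "2 OR 1=1" dumps every row, card numbers included."""
    sql = "SELECT userid, name, card FROM Users WHERE userid = " + userid_param
    return conn.execute(sql).fetchall()


def profile_idor(conn, session, userid_param):
    """Hack-2 / user-profile bug: the placeholder stops SQL injection (a non-numeric
    value raises ValueError), but the id still comes from the request, so any
    logged-in user can read any profile. 'session' is accepted but never consulted."""
    return conn.execute("SELECT userid, name, card FROM Users WHERE userid = ?",
                        (int(userid_param),)).fetchall()


def profile_secure(conn, session, userid_param=None):
    """Both user stories share the DAO, but the controller decides which id may
    reach it: admins may pick any user, everyone else gets only their own row."""
    if session.is_admin and userid_param is not None:
        target = int(userid_param)
    else:
        target = session.userid
    return conn.execute("SELECT userid, name, card FROM Users WHERE userid = ?",
                        (target,)).fetchall()
```

The parameterised query fixes only the injection; the authorization decision has to be made in the controller, from session state, before the id is handed to the reused DAO.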

Hack-3

AT&T. Cost: $2 million. The US carrier was hacked the previous year, but said no account information was exposed. They said they warned one million customers about the security breach. Money stolen from the hacked business accounts was used by a group related to Al Qaeda to fund terrorist attacks in Asia. According to reports, refunding customers cost AT&T almost $2 million.

Hack-4

Reginaldo Silva was paid $33,500 for an XML external entity vulnerability reported through Facebook's whitehat program:

https://www.facebook.com/whitehat

XML external entity vulnerability

Similar to SQL injection: tainted data is inserted into XML, the XML processor processes the tainted data, and the processor becomes the hacker's slave, for example reading local files or making requests on the attacker's behalf.
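The mechanism described above, as an added Python example that is not from the deck. The order document is constructed; it declares an internal entity rather than a SYSTEM "file:///..." one so that the example runs offline, but the parser treats both the same way, which is why the hardened version rejects any DOCTYPE or entity declaration before the real parser sees the document:

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET

# Constructed sample: user-supplied XML carrying an entity declaration. A real
# XXE payload would use SYSTEM "file:///..." to pull a local file; an internal
# entity is used here so the example runs offline and shows the same mechanism.
TAINTED_ORDER = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [ <!ENTITY inj "INJECTED-BY-ATTACKER"> ]>'
    '<order><item>&inj;</item></order>'
)
CLEAN_ORDER = '<?xml version="1.0"?><order><item>book</item></order>'


def item_text_naive(doc):
    """The processor expands whatever entities the document itself declares."""
    return ET.fromstring(doc).find("item").text


def reject_dtd(doc):
    """Raise ValueError if the document carries a DOCTYPE or entity declaration.
    Uses expat's declaration callbacks, so no text-matching heuristics are needed."""
    parser = xml.parsers.expat.ParserCreate()

    def deny(*_):
        raise ValueError("DTD and entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = deny
    parser.EntityDeclHandler = deny
    parser.Parse(doc, True)


def item_text_safe(doc):
    """Hardened: untrusted XML is only parsed once it is known to carry no DTD."""
    reject_dtd(doc)
    return ET.fromstring(doc).find("item").text
```

Rejecting the DTD outright is the simplest rule for XML that arrives from users; applications that genuinely need DTDs should instead disable external entity resolution in their parser.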

Is this a hack??

Kind of legal. You can switch it off. Third-party cookies. Ads all around.

Third Party Cookies

The old standards, RFC 2109 and RFC 2965, specified that browsers should protect user privacy and not allow sharing of cookies between servers by default. The newer standard, RFC 6265, explicitly allows user agents to implement whichever third-party cookie policy they wish.

Advertising companies use third-party cookies to track a user across multiple sites. In particular, an advertising company can track a user across all pages where it has placed advertising images or web bugs. Knowledge of the pages visited by a user allows the advertising company to target advertisements to the user's presumed preferences.

How do Hackers Think?

Take advantage of any available clue: error messages, the time taken for a request to respond, social networking, input fields (XSS, SQL injection).

Error Messages

User story 1: "As a user of the system, I want my account to be safeguarded against more than 3 invalid retries. My account must be locked if someone attempts to use trial and error to guess my password."

User story 2: "All error messages must be clear and easy to understand."

"Your username is invalid" (confirms that the username does not exist)

"Your password is invalid" (confirms that the username does exist)

"You have made 'x' unsuccessful attempts to login. After 3 unsuccessful attempts, your account would be locked out." (tells the attacker exactly how many guesses are free)

"You have entered an invalid username or password. Please retry." (reveals nothing extra)

Solution: Do not reveal any information that should not be revealed, directly or indirectly. Use a CAPTCHA for repetitive requests.

Time taken to Respond

Solution: Consistent response time for valid and invalid requests.

Add client identifiers, and respond with a delay of 100^n nanoseconds, where n is the number of attempts previously made by that client: 1, 100, 10,000, 1,000,000, ...

This wouldn't cause much impact on normal users, but would delay a hacker's activities hugely.
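The error-message slides and the response-time slides above, as one added Python example that is not from the deck. The lockout after 3 attempts follows user story 1; the CAPTCHA threshold, the PBKDF2 parameters, the dummy credential and the single-user store are assumptions. The login function returns the delay instead of sleeping so the caller (or a test) can inspect it:

```python
import hashlib
import hmac
import os

# Added example, not from the deck. MAX_ATTEMPTS comes from user story 1; the
# CAPTCHA threshold, the PBKDF2 parameters and the user store are assumptions.
MAX_ATTEMPTS = 3
CAPTCHA_AFTER = 2
PBKDF2_ROUNDS = 50_000          # kept modest for the demo; raise it in production
GENERIC_ERROR = "You have entered an invalid username or password. Please retry."


def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_users():
    """Constructed user store: username -> salt, hash, failed count, locked flag."""
    salt, digest = hash_password("correct horse")
    return {"alice": {"salt": salt, "hash": digest, "failed": 0, "locked": False}}


# Dummy credential so an unknown username costs the same PBKDF2 work as a real one
_DUMMY_SALT, _DUMMY_HASH = hash_password("not-a-real-password")


def backoff_ns(previous_attempts):
    """Delay of 100^n nanoseconds for a client that has already made n attempts:
    1, 100, 10 000, 1 000 000, ..."""
    return 100 ** previous_attempts


def login(users, client_attempts, client_id, username, password):
    """Returns (ok, message, needs_captcha, delay_ns).

    The caller sleeps for delay_ns before sending any response, success or
    failure, so timing is consistent. The message never says which field was
    wrong, whether the account exists, or how close it is to lockout."""
    n = client_attempts.get(client_id, 0)
    delay = backoff_ns(n)
    record = users.get(username)
    salt = record["salt"] if record else _DUMMY_SALT
    expected = record["hash"] if record else _DUMMY_HASH
    _, candidate = hash_password(password, salt)
    # Constant-time comparison: no early exit that leaks how many bytes matched
    match = hmac.compare_digest(candidate, expected)

    if record is None or record["locked"] or not match:
        client_attempts[client_id] = n + 1
        if record is not None:
            record["failed"] += 1
            if record["failed"] >= MAX_ATTEMPTS:
                record["locked"] = True      # user story 1: lock, notify owner out of band
        return False, GENERIC_ERROR, n + 1 >= CAPTCHA_AFTER, delay

    client_attempts[client_id] = 0
    record["failed"] = 0
    return True, "Welcome", False, delay
```

The unknown-username path deliberately runs the same PBKDF2 computation against a dummy hash; skipping it would make "no such user" measurably faster than "wrong password", which is the timing clue the slide warns about.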

Security Questions

"What was your first school?" "Where did you first meet your spouse?" "What is your birth place?"

Disadvantage 1: All of this information is available on social networking sites.

Disadvantage 2: Answers are not spelled consistently. My first school was Seventh Day Adventist Sr. Sec. School, which might be entered as "Seventh day", "7th day", "Seven day", "seven day" or "seventhday".

Renowned Hackers

Kevin Mitnick, Anonymous, LulzSec

Security Principles

Apply defense in depth

Antivirus software

Authentication and authorization

Biometrics

DMZ

Firewalls (hardware or software)

Hashing passwords

Intrusion detection and prevention systems

Logging and auditing

Vulnerability detection

Physical Security

Timed access control

Internet Security Awareness

VPN

Sandboxing

Positive security model (allow what is known to be good; deny everything else)

Fail securely

Throw meaningful, clear exceptions. A failure inside a security mechanism should lead to the operation being disallowed (in most cases). Enable logging and auditing on exceptions, and analyse the exceptions.
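The positive security model and the fail-securely rule above, as one added Python example that is not from the deck. The username pattern, the role table and the permission names are assumptions made for the demo:

```python
import logging
import re

log = logging.getLogger("authz")

# Added example, not from the deck. The username pattern, the role table and the
# permission names are assumptions made for the demo.

# Positive security model: describe what is allowed and reject everything else,
# instead of trying to enumerate every bad input.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value):
    """Raises ValueError for anything outside the allow-list pattern."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username does not match the allowed pattern")
    return value


# Constructed policy store; a lookup can fail (unknown role, backend unavailable, ...)
ROLES = {
    "admin": {"view_any_profile", "delete_user"},
    "user": {"view_own_profile"},
}


def fail_securely(check):
    """Wrap a permission check so that any exception raised inside it is logged
    with its traceback (meaningful for the analyst) and turns into a denial,
    never into an accidental allow."""
    def wrapped(*args, **kwargs):
        try:
            return bool(check(*args, **kwargs))
        except Exception:
            log.exception("permission check %s raised; denying", check.__name__)
            return False
    wrapped.__name__ = check.__name__
    return wrapped


@fail_securely
def has_permission(role, permission):
    return permission in ROLES[role]      # KeyError for an unknown role
```

The wrapper keeps the exception detail in the audit log, where it can be analysed, while the caller only ever sees allow or deny; an unknown role is denied rather than crashing the request handler or slipping through a half-initialised check.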

Principle of Least Privilege

Begin with the least privileges. Provide additional privileges only if required, and after scrutiny.

Avoid security by obscurity

Keep security simple

To implement, to understand, to extend, to validate

If you like it today

Planning to do an XTR covering: send email from any account; log the user out by sending an email (URL); movie ticket denial of service; security certification in sysinfo; HackMe challenge.
