6. If you are hacked via OWASP Top
10, you’re not allowed to call it
“advanced” or “sophisticated”
@thegrugq
Reference: https://twitter.com/thegrugq/status/658991205816995840
8. Crypting services makes most
antivirus techniques useless
Reference: http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/
9.
10. Let us put an unsecured node.js
server on your personal
computer
TrendMicro Antivirus on Windows
Jan 2016
https://code.google.com/p/google-security-research/issues/detail?id=693
11. Remote code-executions via your
mail client downloading an
email
Sophos Antivirus
June 2015
https://lock.cmpxchg8b.com/sophailv2.pdf
46. "How many Fortune 500
companies are hacked right now?
Answer, 500."
Mikko Hypponen, CRO of F-Secure
Reference: https://twitter.com/mikko/status/184329161257652227
55. But what if we installed
advanced IDSs, WAFs and
specialised network hardware
56. We probably only knew about
one of the two backdoors in our
system
Juniper Networks
Dec 2015
http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-
government-backdoors/
57. IDSs produce reports. Managers
likes reports: it helps them feel
like they can "manage" security
http://security.stackexchange.com/questions/12164/how-effective-is-an-ids-at-catching-targeted-
attacks
98. Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
99. if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false)
{
parse_str($_SERVER['QUERY_STRING']);
session_write_close();
session_id($session_to_unset);
session_start();
$_SESSION = array();
session_write_close();
session_destroy();
exit;
}
Mistakes
Deep understanding of the language
C
O
D
E
SAM
PLE
Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
101. Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
102.
103. Avoid old tutorials on
encryption
https://gist.github.com/paragonie-
scott/e9319254c8ecbad4f227
104. Failed: Error Number: 60. Reason: SSL certificate problem, verify that
the CA cert is OK. Details: error:14090086:SSL routines:
SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
// Many old tutorials and posts suggest disabling peer verifications
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
// Thankfully PHP 5.6+ handles CA certificate location automatically
// now thanks to https://wiki.php.net/rfc/improved-tls-defaults and
// Daniel Lowrey
Avoid advice like this
Weakening security for convenience
C
O
D
E
SAM
PLE
110. $password = 'rasmuslerdorf';
$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';
// Is this call safe?
if (crypt($password, $hash) === $hash) {
echo 'Password is correct';
}
// What about this one?
if (password_verify($password, $hash)) {
echo 'Password is correct';
}
Bad implementation
Where is the weakness?
C
O
D
E
SAM
PLE
112. $string1 = 'abcd';
$string2 = 'abce';
$string3 = 'acde';
for ($i=0; $i<10000; $i++) { ($string1 === $string2); }
// Time taken: 0.006923
for ($i=0; $i<10000; $i++) { ($string1 === $string3); }
// Time taken: 0.008344
Timing Attacks
How it works
C
O
D
E
SAM
PLE
113. Timing attacks can be used to
work out if an account exists,
even if the UI doesn't say so.
@troyhunt, haveibeenpwned.com
Reference: https://t.co/5WkQ48suj7
114. Well actually
Amount of randomness matters
Reference: http://blog.ircmaxell.com/2012/12/seven-ways-to-screw-up-bcrypt.html
115. $password = 'rasmuslerdorf';
$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';
// Check the password
if (password_verify($password, $hash)) {
echo 'Password is correct';
if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
// Rehash and store in database
$newPassword = password_hash($password, PASSWORD_DEFAULT);
}
}
Rehash
Build it into your flow
C
O
D
E
SAM
PLE
120. // NOT cryptographically secure
rand();
// Cryptographically secure (uses OS-specific source)
random_int();
// Cryptographically secure (uses OS-specific source)
random_bytes();
// Cryptographically secure (uses OpenSSL library)
openssl_random_pseudo_bytes();
Random in code
Know the source
C
O
D
E
SAM
PLE
122. HEAD http://example.com/index.php
200 OK
Connection: close
Date: Sat, 26 Dec 2015 13:52:01 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Sat, 26 Dec 2015 13:52:01 GMT
Client-Peer: 192.168.0.101:80
Client-Response-Num: 1
X-Powered-By: PHP/5.5.11
Information Disclosure
Every piece of information can be leveraged
LO
G
SAM
PLE
123. HEAD http://example.com/index.php
200 OK
Connection: close
Date: Sat, 26 Dec 2015 13:52:01 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Sat, 26 Dec 2015 13:52:01 GMT
Client-Peer: 192.168.0.101:80
Client-Response-Num: 1
X-Powered-By: PHP/5.5.11
Information Disclosure
Every piece of information can be leveraged
LO
G
SAM
PLE
124. Warning: require(assets/includes/footer.php) [function.require]: failed
to open stream: No such file or directory in
/home/user/path/to/assets/includes/operations.php on line 38
Fatal error: require() [function.require]: Failed opening required
'assets/includes/footer.php' (include_path='.:/usr/lib/php:
/usr/local/lib/php') in /home/user/path/to/assets/includes/operations.
php on line 38
Information Disclosure
Every piece of information can be leveraged
LO
G
SAM
PLE