Security Theatre - Benelux

Booking.com
W
E
AR
E
H
IR
IN
G
Work @ Booking: http://grnh.se/seomt7

Security Theatre
@thomas_shone
Image by Matt McGee released under CC BY-ND 2.0
https://joind.in/talk/7c669

If you are hacked via OWASP Top
10, you’re not allowed to call it
“advanced” or “sophisticated”
@thegrugq
Reference: https://twitter.com/thegrugq/status/658991205816995840

Crypting services makes most
antivirus techniques useless
Reference: http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/

Let us put an unsecured node.js
server on your personal
computer
TrendMicro Antivirus on Windows
Jan 2016
https://code.google.com/p/google-security-research/issues/detail?id=693

Remote code-executions via your
mail client downloading an
email
Sophos Antivirus
June 2015
https://lock.cmpxchg8b.com/sophailv2.pdf

Users are bad at security
➢ Weak passwords
➢ Password reset questions
➢ Human verification sucks
➢ Clickbait and phishing
➢ Attachments
➢ URL mistype
➢ Routine and workarounds
➢ Convenience trumps security

Developers are bad at security
Reference: https://github.com/

43 applications, libraries or frameworks
over 4,800 versions
over 10 million files

255,000 scans
About 6k/month from June 2012 till now

Most popular software
It’s not what you think

I have seen things
Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn

Versioning Hell
1.3-final-beta6-pre-patch3

OpenX
Backdoored for almost a year

Versioning
Projects with bad versioning also have some
of the worst security issues

Automatic Patching
If your software comes with automatic
upgrading, people will use it

Plugins and Templates
If an update needs manual changes for
plugins or template, no one updates

Patch Fatigue Exists
Image by Aaaron Jacobs released under CC BY-SA 2.0

Anger
Image by Josh Janssen released under CC BY-ND 2.0

Why doesn’t someone do
something about it?

Private industry keep
threatening security researchers

"How many Fortune 500
companies are hacked right now?
Answer, 500."
Mikko Hypponen, CRO of F-Secure
Reference: https://twitter.com/mikko/status/184329161257652227

Why don’t we have some form of
standard?

We have ISO 27001/2, ISO 15408,
RFC 2196, PCI DSS, NIST, …
Reference: https://en.wikipedia.org/wiki/Cyber_security_standards

Why doesn’t the government do
something about it?

A Ukrainian power plant was
hacked & shutdown because
someone had macros enabled in
Excel
Reference: https://t.co/PA7cDQC9EI

NSA: We’re just upgrading your
megaflops, promise.

Reference: https://t.co/PA7cDQC9EIImage by Unknown released into the Public Domain

Bargaining
Image by Jeroen Moes released under CC BY-SA 2.0

But what if we installed
advanced IDSs, WAFs and
specialised network hardware

We probably only knew about
one of the two backdoors in our
system
Juniper Networks
Dec 2015
http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-
government-backdoors/

IDSs produce reports. Managers
likes reports: it helps them feel
like they can "manage" security
http://security.stackexchange.com/questions/12164/how-effective-is-an-ids-at-catching-targeted-
attacks

We’ll start following prescribed
security standards

That’s great for your insurance
premiums

Ninety percent of
everything is crap.
Sturgeon's law
Reference: https://en.wikipedia.org/wiki/Sturgeon%27s_law

Acceptance
Image by Stephan Brunet released under CC BY-SA 3.0

Most of our security
practices are ineffective

Hardware
Drivers
Services
Your Dependencies
Operating System
Your Software
Humans
Network / Internet
Area of Influence

Hardware
Drivers
Services
Your Dependencies
Operating System
Your Software
Humans
Network / Internet
HR/Training
System
Administrators
Downstream
Providers

Layered
Image by Cadw released under OGL via Commons

Image by Albert Bridge released under CC BY-SA 2.0
Surface Area

Alertness
Image by MeganCollins released under CC BY-NC-ND 3.0

Mitigation
Image by Pivari.com released under CC BY-SA 3.0

Be aware of what you’re
trusting

The hardest part of
security is not writing
secure code

It’s understanding
where you misplace
your trust

I trust my computer is not
compromised
Up-to-date patches
TR
U
ST

I trust that the software is
without vulnerability
Vulnerability research and security updates
TR
U
ST

I trust that the software is
configured properly
Automated provisioning
TR
U
ST

I trust that the network is
configured properly and secure
Good system administrators
TR
U
ST

I trust you are who you say you
are
TLS Certificate Peer Verification or
Authentication
TR
U
ST

I trust you are allowed to talk to
me about this topic
Authorization
TR
U
ST

I trust that what you send me
hasn’t been tampered with
Hashes or signatures
TR
U
ST

I trust that what we talk about is
just between us
Public and private keys
TR
U
ST

I trust your computer is not
compromised
????
TR
U
ST

I trust that what we talk about
won’t be share with others
Contracts, Legalities, Terms of use, ????
TR
U
ST

I trust that the user won’t be the
weak link
Training and procedures
TR
U
ST

Turn your chain into a
mesh
Image by ineverfinishanyth released under CC BY-NC-SA 2.5

Weakening
Compromising encryption or hashing is
about reducing time to crack

Implementation
A bad implementation helps reduce the time
to crack

2 Factor Authentication
composer require pragmarx/google2fa

OAuth2
composer require league/oauth2-client

Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own

if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false)
{
parse_str($_SERVER['QUERY_STRING']);
session_write_close();
session_id($session_to_unset);
session_start();
$_SESSION = array();
session_write_close();
session_destroy();
exit;
}
Mistakes
Deep understanding of the language
C
O
D
E
SAM
PLE
Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505

Avoid old tutorials on
encryption
https://gist.github.com/paragonie-
scott/e9319254c8ecbad4f227

Failed: Error Number: 60. Reason: SSL certificate problem, verify that
the CA cert is OK. Details: error:14090086:SSL routines:
SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
// Many old tutorials and posts suggest disabling peer verifications
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
// Thankfully PHP 5.6+ handles CA certificate location automatically
// now thanks to https://wiki.php.net/rfc/improved-tls-defaults and
// Daniel Lowrey
Avoid advice like this
Weakening security for convenience
C
O
D
E
SAM
PLE

One way encoding
Comparisons / Integrity Checks

278,362,281
Number of accounts publicly leaked
Reference: https://haveibeenpwned.com/

Weak hash functions
+/- 690GB rainbow tables

$password = 'rasmuslerdorf';
$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';
// Is this call safe?
if (crypt($password, $hash) === $hash) {
echo 'Password is correct';
}
// What about this one?
if (password_verify($password, $hash)) {
}
Bad implementation
Where is the weakness?
C
O
D
E
SAM
PLE

Timing Attacks
Brute forcing cryptographic functions via
time taken to execute

$string1 = 'abcd';
$string2 = 'abce';
$string3 = 'acde';
for ($i=0; $i<10000; $i++) { ($string1 === $string2); }
// Time taken: 0.006923
for ($i=0; $i<10000; $i++) { ($string1 === $string3); }
// Time taken: 0.008344
Timing Attacks
How it works
C
O
D
E
SAM
PLE

Timing attacks can be used to
work out if an account exists,
even if the UI doesn't say so.
@troyhunt, haveibeenpwned.com
Reference: https://t.co/5WkQ48suj7

Well actually
Amount of randomness matters
Reference: http://blog.ircmaxell.com/2012/12/seven-ways-to-screw-up-bcrypt.html

$password = 'rasmuslerdorf';
$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';
// Check the password
if (password_verify($password, $hash)) {
if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
// Rehash and store in database
$newPassword = password_hash($password, PASSWORD_DEFAULT);
}
}
Rehash
Build it into your flow
C
O
D
E
SAM
PLE

Non-deterministic randomness
is critical in encryption
Used for key generation and nonces

Non-deterministic randomness
is hard
Dual_EC_DRBG was in use for 7 years

// NOT cryptographically secure
rand();
// Cryptographically secure (uses OS-specific source)
random_int();
// Cryptographically secure (uses OS-specific source)
random_bytes();
// Cryptographically secure (uses OpenSSL library)
openssl_random_pseudo_bytes();
Random in code
Know the source
C
O
D
E
SAM
PLE

HEAD http://example.com/index.php
200 OK
Connection: close
Date: Sat, 26 Dec 2015 13:52:01 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Sat, 26 Dec 2015 13:52:01 GMT
Client-Peer: 192.168.0.101:80
Client-Response-Num: 1
X-Powered-By: PHP/5.5.11
Information Disclosure
Every piece of information can be leveraged
LO
G
SAM
PLE

Warning: require(assets/includes/footer.php) [function.require]: failed
to open stream: No such file or directory in
/home/user/path/to/assets/includes/operations.php on line 38
Fatal error: require() [function.require]: Failed opening required
'assets/includes/footer.php' (include_path='.:/usr/lib/php:
/usr/local/lib/php') in /home/user/path/to/assets/includes/operations.
php on line 38
Information Disclosure
Every piece of information can be leveraged
LO
G
SAM
PLE

Weak password reset
processes
Can you Google the answer?
How do you handle customer support reset?

Customer support
training
Convenience vs Security

@N’s (Naoki Hiroshima) Story
How do you mitigate against this?

Hope
Image by Jenny released under CC BY-NC-ND 2.0

Read
Know about new threats and best practice
changes

Information
Only store what you really need

Patching Strategy
If a dependency prevents updating, resolve it
now

Don’t become
comfortable
Comfort breeds contempt

Training Strategy
Have a process for dealing with account
locks and resets

Compromise Strategy
Have a plan before you need it

Mistakes will be made
Learn from them

Rate limit
Built it now, or you’ll have to build it while an
incident is underway

Monitor everything
You’re more likely to be alerted by a graph
spiking than your IDS

Decouple roles
Databases, servers, domains, roles, ...

Version properly
Major.Minor.Patch. How hard is that?

Composer everything
There is no excuse anymore

Decouple
plugins/templates
Updates should be simple

Get behind PSR-9 & 10
http://www.php-fig.org/psr/

Group
Performance
Image by Matt McGee released under CC BY-ND 2.0

Thank you
https://joind.in/talk/7c669
@thomas_shone

Security Theatre - Benelux

More Related Content

What's hot (20)

Viewers also liked (17)

Similar to Security Theatre - Benelux (20)

More from xsist10 (6)

Recently uploaded (20)

Security Theatre - Benelux