![if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false)
{
parse_str($_SERVER['QUERY_STRING']);
session_write_close();
session_id($session_to_unset);
session_start();
$_SESSION = array();
session_write_close();
session_destroy();
exit;
}
Mistakes
Deep understanding of the language
C
O
D
E
SAM
PLE
Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505](https://image.slidesharecdn.com/security-theatre-php-uk-160219143607/85/Security-Theatre-PHP-UK-Conference-107-320.jpg)
![if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false)
{
parse_str($_SERVER['QUERY_STRING']);
session_write_close();
session_id($session_to_unset);
session_start();
$_SESSION = array();
session_write_close();
session_destroy();
exit;
}
Mistakes
Deep understanding of the language
C
O
D
E
SAM
PLE
Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
Writes $_SESSION to
disk](https://image.slidesharecdn.com/security-theatre-php-uk-160219143607/85/Security-Theatre-PHP-UK-Conference-108-320.jpg)
![if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false)
{
parse_str($_SERVER['QUERY_STRING']);
session_write_close();
session_id($session_to_unset);
session_start();
$_SESSION = array();
session_write_close();
session_destroy();
exit;
}
Mistakes
Deep understanding of the language
C
O
D
E
SAM
PLE
Extracts URL parameters into
the namespace.
session_to_unset=a becomes
$session_to_unset = “a”;
Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505](https://image.slidesharecdn.com/security-theatre-php-uk-160219143607/85/Security-Theatre-PHP-UK-Conference-109-320.jpg)
![Timing attacks can be used to
work out if an account exists [...].
@troyhunt, haveibeenpwned.com
Reference: https://t.co/5WkQ48suj7](https://image.slidesharecdn.com/security-theatre-php-uk-160219143607/85/Security-Theatre-PHP-UK-Conference-123-320.jpg)
![Warning: require(assets/includes/footer.php) [function.require]: failed
to open stream: No such file or directory in
/home/user/path/to/assets/includes/operations.php on line 38
Fatal error: require() [function.require]: Failed opening required
'assets/includes/footer.php' (include_path='.:/usr/lib/php:
/usr/local/lib/php') in /home/user/path/to/assets/includes/operations.
php on line 38
Information Disclosure
Every piece of information can be leveraged
LO
G
SAM
PLE](https://image.slidesharecdn.com/security-theatre-php-uk-160219143607/85/Security-Theatre-PHP-UK-Conference-134-320.jpg)
Security Theatre - PHP UK Conference
- 1. Booking.com W E AR E H IR IN G Work @ Booking: http://grnh.se/seomt7
- 2. Security Theatre @thomas_shone Image by Matt McGee released under CC BY-ND 2.0 https://joind.in/talk/172ca
- 3. Illusion
- 4. Denial
- 5. I know about OWASP!
- 6. If you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated” @thegrugq Reference: https://twitter.com/thegrugq/status/658991205816995840
- 7. But I use antivirus!
- 8. Crypting services makes most antivirus techniques useless Reference: http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/
- 10. Let us put an unsecured node.js server on your personal computer TrendMicro Antivirus on Windows Jan 2016 https://code.google.com/p/google-security-research/issues/detail?id=693
- 11. Remote code-executions via your mail client downloading an email Sophos Antivirus June 2015 https://lock.cmpxchg8b.com/sophailv2.pdf
- 17. We’re all bad at security
- 18. Users are bad at security ➢ Weak passwords ➢ Password reset questions ➢ Human verification sucks ➢ Clickbait and phishing ➢ Attachments ➢ URL mistype ➢ Routine and workarounds ➢ Convenience trumps security
- 19. Developers are bad at security Reference: https://github.com/
- 20. Hackers are bad at security
- 21. A study in scarlet
- 22. 43 applications, libraries or frameworks over 4,800 versions over 10 million files
- 23. 255,000 scans About 6k/month from June 2012 till now
- 25. Most popular software It’s not what you think
- 29. How bad is it?
- 33. Why is it so bad?
- 39. I have seen things Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn
- 42. OpenX Backdoored for almost a year
- 44. Lessons Learnt
- 45. Versioning Projects with bad versioning also have some of the worst security issues
- 46. Automatic Patching If your software comes with automatic upgrading, people will use it
- 47. Plugins and Templates If an update needs manual changes for plugins or template, no one updates
- 48. Patch Fatigue Exists Image by Aaaron Jacobs released under CC BY-SA 2.0
- 49. Anger Image by Josh Janssen released under CC BY-ND 2.0
- 50. Why doesn’t someone do something about it?
- 51. Private industry keep threatening security researchers
- 52. "How many Fortune 500 companies are hacked right now? Answer, 500." Mikko Hypponen, CRO of F-Secure Reference: https://twitter.com/mikko/status/184329161257652227
- 53. Why don’t we have some form of standard?
- 54. We have ISO 27001/2, ISO 15408, RFC 2196, PCI DSS, NIST, … Reference: https://en.wikipedia.org/wiki/Cyber_security_standards
- 55. Why doesn’t the government do something about it?
- 56. A Ukrainian power plant was hacked & shutdown because someone had macros enabled in Excel Reference: https://t.co/PA7cDQC9EI
- 58. NSA: We’re just upgrading your megaflops, promise.
- 59. Reference: https://t.co/PA7cDQC9EIImage by Unknown released into the Public Domain
- 60. Bargaining Image by Jeroen Moes released under CC BY-SA 2.0
- 61. But what if we installed advanced IDSs, WAFs and specialised network hardware
- 62. We probably only knew about one of the two backdoors in our system Juniper Networks Dec 2015 http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of- government-backdoors/
- 63. IDSs produce reports. Managers likes reports: it helps them feel like they can "manage" security http://security.stackexchange.com/questions/12164/how-effective-is-an-ids-at-catching-targeted- attacks
- 64. We’ll start following prescribed security standards
- 65. That’s great for your insurance premiums
- 66. Depression
- 67. Ninety percent of everything is crap. Sturgeon's law Reference: https://en.wikipedia.org/wiki/Sturgeon%27s_law
- 68. Acceptance Image by Stephan Brunet released under CC BY-SA 3.0
- 69. Effective?
- 70. Most of our security practices are ineffective
- 71. We do security in isolation
- 72. Holistic
- 73. Hardware Drivers Services Your Dependencies Operating System Your Software Humans Network / Internet Area of Influence
- 74. Drivers Services Operating System 203.5M LoC Area of Influence Hardware Disclaimer: Numbers generated using cloc (Service LoC limited to latest releases of MySQL, Apache and PHP)
- 75. Operating System Area of Influence Humans DNA 7B LoC Source: http://www.examiner.com/article/dna-the-ultimate-source-code
- 76. Hardware Drivers Services Your Dependencies Operating System Your Software Humans Network / Internet HR/Training System Administrators Downstream Providers
- 77. Layered Image by Cadw released under OGL via Commons
- 78. Image by Albert Bridge released under CC BY-SA 2.0 Surface Area
- 79. Alertness Image by MeganCollins released under CC BY-NC-ND 3.0
- 80. Mitigation Image by Pivari.com released under CC BY-SA 3.0
- 81. Trust
- 82. Trust?
- 83. Be aware of what you’re trusting
- 84. The hardest part of security is not writing secure code
- 85. It’s understanding where you misplace your trust
- 86. Trust is a chain
- 87. I trust my computer is not compromised Up-to-date patches TR U ST
- 88. I trust that the software is without vulnerability Vulnerability research and security updates TR U ST
- 89. I trust that the software is configured properly Automated provisioning TR U ST
- 90. I trust that the network is configured properly and secure Good system administrators TR U ST
- 91. I trust you are who you say you are TLS Certificate Peer Verification or Authentication TR U ST
- 92. I trust you are allowed to talk to me about this topic Authorization TR U ST
- 93. I trust that what you send me hasn’t been tampered with Hashes or signatures TR U ST
- 94. I trust that what we talk about is just between us Public and private keys TR U ST
- 95. I trust your computer is not compromised ???? TR U ST
- 96. I trust that what we talk about won’t be share with others Contracts, Legalities, Terms of use, ???? TR U ST
- 97. I trust that the user won’t be the weak link Training and procedures TR U ST
- 98. Turn your chain into a mesh Image by ineverfinishanyth released under CC BY-NC-SA 2.5
- 99. Common Mistakes
- 100. Weakening Compromising encryption or hashing is about reducing time to crack
- 101. Implementation A bad implementation helps reduce the time to crack
- 102. Authentication
- 103. 2 Factor Authentication composer require pragmarx/google2fa
- 105. Sessions
- 106. Image by Wouter van Emmerik released under CC BY-SA 3.0 Never roll your own
- 107. if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false) { parse_str($_SERVER['QUERY_STRING']); session_write_close(); session_id($session_to_unset); session_start(); $_SESSION = array(); session_write_close(); session_destroy(); exit; } Mistakes Deep understanding of the language C O D E SAM PLE Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
- 108. if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false) { parse_str($_SERVER['QUERY_STRING']); session_write_close(); session_id($session_to_unset); session_start(); $_SESSION = array(); session_write_close(); session_destroy(); exit; } Mistakes Deep understanding of the language C O D E SAM PLE Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505 Writes $_SESSION to disk
- 109. if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false) { parse_str($_SERVER['QUERY_STRING']); session_write_close(); session_id($session_to_unset); session_start(); $_SESSION = array(); session_write_close(); session_destroy(); exit; } Mistakes Deep understanding of the language C O D E SAM PLE Extracts URL parameters into the namespace. session_to_unset=a becomes $session_to_unset = “a”; Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
- 110. Encryption
- 111. Image by Wouter van Emmerik released under CC BY-SA 3.0 Never roll your own
- 113. Avoid old tutorials on encryption https://gist.github.com/paragonie- scott/e9319254c8ecbad4f227
- 114. Failed: Error Number: 60. Reason: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed // Many old tutorials and posts suggest disabling peer verifications curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // Thankfully PHP 5.6+ handles CA certificate location automatically // now thanks to https://wiki.php.net/rfc/improved-tls-defaults and // Daniel Lowrey Avoid advice like this Weakening security for convenience C O D E SAM PLE
- 115. Hashing
- 116. Image by Wouter van Emmerik released under CC BY-SA 3.0 Never roll your own
- 117. One way encoding Comparisons / Integrity Checks
- 118. 278,362,281 Number of accounts publicly leaked Reference: https://haveibeenpwned.com/
- 119. Weak hash functions +/- 690GB rainbow tables
- 120. $password = 'rasmuslerdorf'; $hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a'; // Is this call safe? if (crypt($password, $hash) === $hash) { echo 'Password is correct'; } // What about this one? if (password_verify($password, $hash)) { echo 'Password is correct'; } Bad implementation Where is the weakness? C O D E SAM PLE
- 121. Timing Attacks Brute forcing cryptographic functions via time taken to execute
- 122. $string1 = 'abcd'; $string2 = 'abce'; $string3 = 'acde'; for ($i=0; $i<10000; $i++) { ($string1 === $string2); } // Time taken: 0.008344 for ($i=0; $i<10000; $i++) { ($string1 === $string3); } // Time taken: 0.006923 Timing Attacks How it works C O D E SAM PLE
- 123. Timing attacks can be used to work out if an account exists [...]. @troyhunt, haveibeenpwned.com Reference: https://t.co/5WkQ48suj7
- 124. Well actually Amount of randomness matters Reference: http://blog.ircmaxell.com/2012/12/seven-ways-to-screw-up-bcrypt.html
- 125. $password = 'rasmuslerdorf'; $hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a'; // Check the password if (password_verify($password, $hash)) { echo 'Password is correct'; if (password_needs_rehash($hash, PASSWORD_DEFAULT)) { // Rehash and store in database $new_password = password_hash($password, PASSWORD_DEFAULT); } } Rehash Build it into your flow C O D E SAM PLE
- 126. Randomness
- 127. Image by Wouter van Emmerik released under CC BY-SA 3.0 Never roll your own
- 128. Non-deterministic randomness is critical in encryption Used for key generation and nonces
- 129. Non-deterministic randomness is hard Dual_EC_DRBG was in use for 7 years
- 130. // NOT cryptographically secure rand(); // Cryptographically secure (uses OS-specific source) random_int(); // Cryptographically secure (uses OS-specific source) random_bytes(); // Cryptographically secure (uses OpenSSL library) openssl_random_pseudo_bytes(); Random in code Know the source C O D E SAM PLE
- 132. HEAD http://example.com/index.php 200 OK Connection: close Date: Sat, 26 Dec 2015 13:52:01 GMT Server: Apache Content-Type: text/html; charset=UTF-8 Client-Date: Sat, 26 Dec 2015 13:52:01 GMT Client-Peer: 192.168.0.101:80 Client-Response-Num: 1 X-Powered-By: PHP/5.5.11 Information Disclosure Every piece of information can be leveraged LO G SAM PLE
- 133. HEAD http://example.com/index.php 200 OK Connection: close Date: Sat, 26 Dec 2015 13:52:01 GMT Server: Apache Content-Type: text/html; charset=UTF-8 Client-Date: Sat, 26 Dec 2015 13:52:01 GMT Client-Peer: 192.168.0.101:80 Client-Response-Num: 1 X-Powered-By: PHP/5.5.11 Information Disclosure Every piece of information can be leveraged LO G SAM PLE
- 134. Warning: require(assets/includes/footer.php) [function.require]: failed to open stream: No such file or directory in /home/user/path/to/assets/includes/operations.php on line 38 Fatal error: require() [function.require]: Failed opening required 'assets/includes/footer.php' (include_path='.:/usr/lib/php: /usr/local/lib/php') in /home/user/path/to/assets/includes/operations. php on line 38 Information Disclosure Every piece of information can be leveraged LO G SAM PLE
- 135. Social Engineering
- 136. Weak password reset processes Can you Google the answer? How do you handle customer support reset?
- 137. Customer support training Convenience vs Security
- 138. @N’s (Naoki Hiroshima) Story How do you mitigate against this?
- 139. Dip your toes in the Sea of Security James Titcumb 14:40 New Relic Track
- 140. Hope Image by Jenny released under CC BY-NC-ND 2.0
- 141. Holistic
- 142. A.B.C.
- 143. Always Be C Patching
- 144. Patching Strategy If a dependency prevents updating, resolve it now
- 145. Version properly Major.Minor.Patch. How hard is that?
- 146. Don’t become comfortable Comfort breeds contempt
- 147. Read Know about new threats and best practice changes
- 148. Training Strategy Have a process for dealing with account locks and resets
- 149. Compromise Strategy Have a plan before you need it
- 150. Information Only store what you really need
- 151. Mistakes will be made Learn from them
- 152. Rate limit Built it now, or you’ll have to build it while an incident is underway
- 153. Monitor everything You’re more likely to be alerted by a graph spiking than your IDS
- 154. Decouple roles Databases, servers, domains, roles, ...
- 155. Composer everything There is no excuse anymore
- 156. Decouple plugins/templates Updates should be simple
- 157. Get behind PSR-9 & 10 http://www.php-fig.org/psr/
- 158. Group Performance Image by Matt McGee released under CC BY-ND 2.0