basic security for digital companies - #marketersunbound (2014)
Post on 22-Apr-2015
Security for Digital Companies
Observations, lessons, and advice from a hacker
Presented by Justin Bull, September 9th, 2014
Who am I
• Justin Bull
• Software developer at
• Security nutbar
• Ethically curious
• @f3ndot on Twitter
Outline
• Canada Revenue Agency: A Case Study
• Responsible disclosure
• Security 101 for a digital company
• Q & A, time permitting
“Everything is broken.”
–Quinn Norton, 2014
It's all about risk management & incident response
Canada Revenue Agency: A case study
Canada Revenue Agency: A tale of woe
Think of the word “Government”
What comes to mind?
• Slow
• Inefficient
• Lots of red tape
• Bureaucratic
Yeah…
We have a problem
The Heartbleed bug affected 17.5% of all SSL-enabled web servers.
That’s around half a million websites.
–Netcraft, 2014
Who was affected
• My personal servers
• Banks
• Almost every, single digital company
• …and the Government of Canada
Was CRA self-aware?
Nope. FAIL
Could CRA be notified?
Nope, nope, nope! FAIL
Was CRA at least quick when they did know?
Sorta, not really. FAIL
We all know about the 900 SINs!
But were there other attacks?
We will never know
What could CRA have done?
• Have a competent security officer or sysadmin
• Inter-department cooperation with CSEC (they knew one day before Heartbleed went public)
• A way for people to report security issues to them
• Be quick!
“We don’t have time or money to think about security right now.”
–Almost any company
Responsible Disclosure: The bare minimum for security
Responsible Disclosure
• Officially allows users/hackers/researchers to contact you about security issues
• Basically just a webpage
• Cheapest security investment you can make*
*depending on who you talk to
Who has an RD policy?
• Microsoft
• GitHub
• Apple
• Tesla Motors… Yes, really
Danger, Will Robinson! It’s surprisingly hard to get right
You need to set up proper encryption for incoming reports and decide on how to communicate with researchers.
Lessons learned
• It’s pesky and time consuming if you have security debt
• Expect a lot of bullshit, entitlement, and comedy (See @CluelessSec)
• Expect to be humbled
Responsible Disclosure: you should have it
The bare minimum:
• Offer no reward or swag
• Tell people what’s acceptable, what’s not
• Provide a special email or a direct phone number
Security 101 for Digital Companies aka “How to not get hacked within a year”*
* no promises 😜
Hash your passwords! (Hash, not reversibly encrypt.)
No excuses. None.
Hash your passwords! The consequences
• Domino effect with other customers’ accounts (people reuse passwords)
• Permanent black mark on your company record
• You could be sued. Maybe even class-action
• It’s so cheap and easy to do now. Why not?
Hash your passwords! But, don’t roll your own crypto
• MD5, SHA1, etc. were not designed for passwords (they are fast, which is exactly what an attacker wants)
• Use a password hashing library for your language
• It should use bcrypt, scrypt, PBKDF2, or an algorithm designed for passwords
• You want it to be slow to hash, maybe 1 second
Wat.
You want something to run slowly?
Why on earth…?
It’s a numbers game
Make it expensive for attackers to brute force your passwords
–Colin Percival (scrypt), 2009
Password Specifics
• You’re gonna hash ‘em, right?
• Enforce password minimums (min. 8 chars, etc.)
• Expire a login after 8 hours? a day? 2 months?
• Changing/resetting password patterns
• Beware of bad security questions! See goodsecurityquestions.com
Lock ‘em out. Guessed wrong too many times?
Wait 5 minutes, or longer.
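The password slides above (slow hash, per-language library, 8-character minimum, lockout after too many wrong guesses) pulled together into one small login service. This is an added example, not code from the talk; it uses only the Python standard library, with PBKDF2-HMAC-SHA256 standing in for whichever password-hashing algorithm your library offers. The iteration count, the 5-attempt limit, the 5-minute lockout and the in-memory user store are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed tuning knobs. Raise PBKDF2_ITERATIONS until seconds_per_hash() costs
# what you are willing to pay per login (the deck suggests around a second).
PBKDF2_ITERATIONS = 100_000
MIN_PASSWORD_LENGTH = 8
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 5 * 60


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    salt = os.urandom(16)  # fresh random salt per password defeats rainbow tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def seconds_per_hash(iterations: int) -> float:
    """Time one hash so you can pick an iteration count that is slow enough."""
    start = time.perf_counter()
    hash_password("benchmark-only", iterations)
    return time.perf_counter() - start


def password_meets_policy(password: str) -> bool:
    return len(password) >= MIN_PASSWORD_LENGTH


# A record for a random password, used so that a login attempt against an unknown
# username costs the same hash work as one against a real user (no timing leak).
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


class LoginService:
    """In-memory user store (constructed for the example) with lockout on failures."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._records = {}   # username -> stored hash record
        self._failures = {}  # username -> (failure count, time of last failure)

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password must be at least %d characters" % MIN_PASSWORD_LENGTH)
        self._records[username] = hash_password(password)

    def is_locked(self, username: str) -> bool:
        count, last_failure = self._failures.get(username, (0, 0.0))
        return count >= MAX_FAILED_ATTEMPTS and self._clock() - last_failure < LOCKOUT_SECONDS

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'. Unknown users look like wrong passwords."""
        if self.is_locked(username):
            return "locked"
        record = self._records.get(username, _DUMMY_RECORD)
        ok = verify_password(password, record) and username in self._records
        if ok:
            self._failures.pop(username, None)  # success clears the counter
            return "ok"
        count, _ = self._failures.get(username, (0, 0.0))
        # The counter is not reset when the window expires, so a further bad guess
        # after a lockout re-locks immediately ("wait 5 minutes, or longer").
        self._failures[username] = (count + 1, self._clock())
        return "denied"
```

The stored record carries its own algorithm name and iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login. The lockout is per username and in memory; a real deployment would persist it and also rate-limit by source address.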
SSL/TLS aka HTTPS
Why SSL/TLS, no matter what?
• Foreign & domestic governments
• Them nasty hackers
• Even that “innocent” person at the café
• Your competitor?
• Users find comfort in green padlocks…
Get Auth & Auth Right!
• Research latest Authorization & Authentication practices or libraries
• The most common languages or frameworks already have libraries available
• A rock solid login mechanism is your foundation
Have multi-level access?
Guest, User, Moderator, Admin?
Research or build ACL into the foundations of your code.
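One way to build that access-control layer into the foundations, using the four roles the slide names. This is an added example, not code from the talk: a deny-by-default permission table, a decorator that checks it before any handler runs, and a resource-level ownership check layered on top of the role check. The role ordering, the permission names and the in-memory post store are assumptions made for the example.

```python
import functools

# Assumed hierarchy, least to most privileged. A role inherits everything below it.
ROLE_LEVELS = {"guest": 0, "user": 1, "moderator": 2, "admin": 3}

# Permission -> minimum role. Deny by default: a permission not listed here is
# never granted, even to admin, so a typo in a handler fails closed.
PERMISSIONS = {
    "post:read": "guest",
    "post:create": "user",
    "post:delete_any": "moderator",
    "user:ban": "admin",
}


class PermissionDenied(Exception):
    pass


class Principal:
    def __init__(self, name: str, role: str):
        if role not in ROLE_LEVELS:
            raise ValueError("unknown role: %r" % role)
        self.name = name
        self.role = role


def is_allowed(principal: Principal, permission: str) -> bool:
    required = PERMISSIONS.get(permission)
    if required is None:
        return False
    return ROLE_LEVELS[principal.role] >= ROLE_LEVELS[required]


def requires(permission: str):
    """Decorator: the first argument of the handler must be the acting Principal."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(principal, *args, **kwargs):
            if not is_allowed(principal, permission):
                raise PermissionDenied(
                    "%s (%s) lacks %s" % (principal.name, principal.role, permission)
                )
            return fn(principal, *args, **kwargs)
        return wrapper
    return decorator


POSTS = {}   # constructed in-memory store: post_id -> {"author", "body"}
BANNED = set()


@requires("post:create")
def create_post(author: Principal, post_id: str, body: str) -> str:
    POSTS[post_id] = {"author": author.name, "body": body}
    return post_id


@requires("post:read")
def read_post(principal: Principal, post_id: str) -> str:
    return POSTS[post_id]["body"]


def delete_post(principal: Principal, post_id: str) -> None:
    """Owners may delete their own post; moderators and above may delete any.
    Role checks alone are not enough here: the decision depends on the resource."""
    post = POSTS[post_id]
    if post["author"] != principal.name and not is_allowed(principal, "post:delete_any"):
        raise PermissionDenied("%s may not delete post %s" % (principal.name, post_id))
    del POSTS[post_id]


@requires("user:ban")
def ban_user(principal: Principal, username: str) -> bool:
    BANNED.add(username)
    return True
```

Keeping the table in one place means a reviewer can audit every permission in the application by reading a dozen lines, and adding a role is a change to `ROLE_LEVELS` rather than a hunt through handlers.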
Got money, but no time?
Don’t know how screwed you are?
Hire a pen tester!
Beware the snake oil.
OWASP Top 10
• Get every dev into it, until they dream about it
• Covers the most common & most dangerous web app security issues (XSS, CSRF, SQLi, etc.)
• Print out OWASP’s guide books too. (They’re tomes, but good desk references)
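The three issues the slide names, each shown as the vulnerable form next to the fix, so the difference is concrete rather than a bullet point. This is an added example, not code from the talk or from OWASP; it uses an in-memory SQLite database with two constructed rows, and the payloads are the textbook ones.

```python
import hmac
import html
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


# --- SQL injection -----------------------------------------------------------

def find_user_vulnerable(conn, username: str):
    # String formatting: whatever the caller typed becomes part of the SQL.
    query = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def find_user_safe(conn, username: str):
    # Parameter binding: the driver sends the value separately from the statement,
    # so quotes and keywords in the input are just characters.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# --- Cross-site scripting ----------------------------------------------------

def render_profile_vulnerable(username: str) -> str:
    # Untrusted text dropped straight into HTML.
    return "<h1>Hello, %s</h1>" % username


def render_profile_safe(username: str) -> str:
    # Escape at output time, with quote=True so the value is also safe in attributes.
    return "<h1>Hello, %s</h1>" % html.escape(username, quote=True)


# --- Cross-site request forgery ---------------------------------------------

def new_csrf_token() -> str:
    """Generate once per session, store server-side, embed in every form."""
    return secrets.token_urlsafe(32)


def check_csrf(session_token: str, submitted_token) -> bool:
    """A state-changing request is honoured only if the form carried the session's
    token. Constant-time comparison avoids leaking how many characters matched."""
    if not session_token or not isinstance(submitted_token, str):
        return False
    return hmac.compare_digest(
        session_token.encode("utf-8"), submitted_token.encode("utf-8")
    )
```

The same input that returns every row from `find_user_vulnerable` returns nothing from `find_user_safe`, which is the whole argument for parameterised queries: the fix is not to filter the input but to stop treating it as code.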
Operational Security
• Don’t email passwords
• Don’t email passwords
• Use a password management application
✦ 1Password
✦ KeePass
✦ LastPass
Hell, even use sticky notes.
Just don’t email passwords.
Some security is about good PR…
Public Relations
• Got social? Use it.
• Got blog? Use it.
• Got email base? Use it.
• Got media attention? Use it.
See a pattern?
Public Relations
• Give the facts & truth
• Try not to spin too much
• Transparency & honesty are key
Do it right, and you might escape unscathed
That’s all folks!
This presentation is a Creative Commons Attribution–ShareAlike 4.0 International licensed work.
Questions?
Credits
• “Anonymous Hacker” by Brian Klug (CC BY-NC 2.0) (Slide 1, 43)
• “Heartbleed” by Leena Snidate/Codenomicon (CC0 1.0) (Slide 9)
• “The Secret” by Cedward Brice (CC BY-NC 2.0) (Slide 24)
• “Pure Mathematics” by Ed Brambley (CC BY-SA 2.0) (Slide 31)
• “Widget, confused as ever” by Anna Pickard (CC BY-NC-SA 2.0) (Slide 36, 37)
• “The Big E Day 2 2011” by RustyClark (CC BY 2.0) (Slide 40)
• “EFF version of NSA logo” by EFF (CC BY 2.0) (Slide 43)
• “Bryant Park, Nov 2009 - 52” by Ed Yourdon (CC BY 2.0) (Slide 43)
• “Owasp logo” by OWASP (CC BY-SA 3.0) (Slide 47, 48)
• “Day 342 - Hacker” by Christophe Verdier (CC BY-NC 2.0) (Slide 54)
• “Question Box” by Raymond Bryson (CC BY 2.0) (Slide 55)