Computer Security - Montana State University · 2007. 11. 1. · Gary Harkin

Page 1:

Computer Security

Goals
Give Denbigh his birthday off.
Get Gary out of the office for a bit.
Understand the basics of software security.
Understand the basics of computer security.
Provide minimal opportunity for performance evaluation.

Page 2:

Why Is This Funny?

Page 3:

Consider the Application

Add a new user to the database:
Get the user's name and other stuff.
Add the user's name (and other stuff) to the database.
High-fives all around.

Page 4:

Which looks like?

$name = $_POST['name_from_form'];      // raw form input, no validation at all
mysql_query("INSERT INTO students (name) VALUES ('$name')");   // $name is pasted straight into the SQL text
high_fives_all_around("$name added");

Page 5:

And You Get This SQL

If $name has the value Jimmie, the query string becomes:

INSERT INTO students (name) VALUES ('Jimmie');

Page 6:

SQL Injection Strikes

If $name has the value ROBERT');DROP TABLE students;-- the query string becomes:

INSERT INTO students (name) VALUES ('ROBERT');DROP TABLE students; --')

stmt 1: INSERT INTO students (name) VALUES ('ROBERT');
stmt 2: DROP TABLE students;
stmt 3: --')   (the tail of the original query, now just a comment)

Whether the second statement actually runs depends on the database driver: PHP's mysql_query() sends a single statement per call, but a driver that accepts stacked statements executes the DROP, and even a single-statement driver still lets the attacker rewrite the INSERT itself.

Page 7:

What's the Solution?

$name = $_POST['name_from_form'];
// Allowlist: the whole value must be letters and spaces. The pattern must be
// anchored (^...$); an unanchored [a-zA-Z ] only asks whether one such character
// occurs somewhere in the string and would let ROBERT');DROP TABLE students;-- through.
if (!preg_match('/^[a-zA-Z ]+$/', $name)) {
    print("<B>Stop that!</B>");
    exit;
}
mysql_query("INSERT INTO students (name) VALUES ('$name')");
high_fives_all_around("$name added");
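The slide's fix stops at input validation; the standard answer is to bind the name as a query parameter so that it is never parsed as SQL at all. The following is an added example, not code from the slides, written in Python against an in-memory SQLite table named students as on the slides. The string-building version runs the ROBERT');DROP TABLE students;-- payload through executescript(), which stands in for a driver that executes stacked statements; the parameterised version stores the payload as a literal name; and the two regex checks contrast the slide's unanchored ereg pattern with an anchored allowlist. The function names and the choice of SQLite are assumptions of this example.

```python
import re
import sqlite3

# Constructed inputs: the slides' benign name and their injection payload.
BENIGN_NAME = "Jimmie"
PAYLOAD = "ROBERT'); DROP TABLE students; --"


def new_db():
    """In-memory SQLite database holding the deck's students table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.commit()
    return conn


def add_student_vulnerable(conn, name):
    """The slide's pattern: the name is pasted into the SQL text.
    executescript() stands in for a driver that runs stacked statements."""
    sql = "INSERT INTO students (name) VALUES ('%s')" % name
    conn.executescript(sql)


def add_student_safe(conn, name):
    """Parameterised query: the name is bound as data, never parsed as SQL."""
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))
    conn.commit()


def passes_slide_check(name):
    """The deck's ereg('[a-zA-Z ]', $name): unanchored, so it only asks
    whether at least one letter or space occurs anywhere in the string."""
    return re.search(r"[a-zA-Z ]", name) is not None


def passes_allowlist(name):
    """Anchored allowlist: the whole value must consist of letters and spaces."""
    return re.fullmatch(r"[a-zA-Z ]+", name) is not None


def table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'students'"
    ).fetchone()
    return row is not None


def student_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM students ORDER BY rowid")]


def run_demo():
    """Return what each variant does with the benign name and with the payload."""
    vuln = new_db()
    add_student_vulnerable(vuln, BENIGN_NAME)
    add_student_vulnerable(vuln, PAYLOAD)    # runs the INSERT, then DROP TABLE

    safe = new_db()
    add_student_safe(safe, BENIGN_NAME)
    add_student_safe(safe, PAYLOAD)          # stores the payload as a literal name

    return {
        "vulnerable_table_survives": table_exists(vuln),
        "safe_table_survives": table_exists(safe),
        "safe_rows": student_names(safe),
        "slide_check_accepts_payload": passes_slide_check(PAYLOAD),
        "allowlist_accepts_payload": passes_allowlist(PAYLOAD),
        "allowlist_accepts_benign": passes_allowlist(BENIGN_NAME),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

Validation and parameter binding are complementary: the allowlist keeps garbage out of the data, the bound parameter guarantees that whatever gets through can never change the shape of the query.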

Page 8:

Other Web Evils?

There are roughly 20 different types of web attacks, but each has variations:

Buffer overflows
Cross-site Scripting
Format string exploits
Command Injection
Magic URL exploits
Race condition exploits
Weak random number exploits
...

Page 9:

But It's All For Fun

Right?

Page 10:

Page 11:

Not Really

More than 50% of attacks are now motivated by money.

There are now multiple boiler rooms that consist of teams dedicated to computer crimes.

Page 12:

Cross-site Scripting

Phishing and pharming aren't just about food.

You see a link saying "Click here to win a free Spring Break vacation."

But the link is: http://www.stickit2em.com/sucker.php

What should you do?

Page 13:

Cross-site Scripting

The Sin: You have a web site that allows users to post, but you don't check for dangerous code.

The Setup: A user posts a message that includes:

<A HREF="http://www.sorry.com">Help Here</A>

Page 14:

Cross-site Scripting

The Mistake: "I need help, I think I'll click on that!"

The Con: Enter your username and password to get help.

The Bigger Mistake: Duh, OK!

Page 15:

What To Do?

Sanitize your user inputs. Only legal values allowed? Escape dangerous stuff.

<A HREF="http://www.sorry.com">Help Here</A> becomes

&lt;A HREF=&quot;http://www.sorry.com&quot;&gt;Help Here&lt;/A&gt;

The browser then shows the tag as literal text instead of rendering it as a link.
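An added example, not code from the slides, in Python: the escaping step above done with html.escape, plus an allowlist for links that users are allowed to turn into anchors (absolute http or https URLs with a host only), so that a javascript: or protocol-relative value is shown as text rather than emitted as an anchor. The link allowlist goes one step beyond the slide's "escape dangerous stuff". The function names and the sample post are constructed for this example.

```python
import html
from urllib.parse import urlsplit

# Constructed sample post: the anchor from the slide.
POSTED_TEXT = '<A HREF="http://www.sorry.com">Help Here</A>'


def escape_for_html(text):
    """Output-encode text for an HTML body or a double-quoted attribute.
    & < > " and ' become entities, so a posted tag is displayed, not rendered."""
    return html.escape(text, quote=True)


def is_allowed_link(url):
    """Allowlist for links that may become anchors: only absolute http(s)
    URLs with a host. javascript:, data: and protocol-relative //host
    values all fail this check."""
    parts = urlsplit(url.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_post(text, link=None):
    """Render a user post. The body is always escaped. A link becomes an
    anchor only if it passes the allowlist; otherwise it is escaped and
    shown as plain text so nothing in it can execute."""
    out = escape_for_html(text)
    if link is None:
        return out
    shown = escape_for_html(link)
    if is_allowed_link(link):
        return '%s <a href="%s" rel="noopener">%s</a>' % (out, shown, shown)
    return out + " " + shown


if __name__ == "__main__":
    print(escape_for_html(POSTED_TEXT))
    print(render_post("Need help", "http://www.sorry.com"))
    print(render_post("Need help", "javascript:alert(1)"))
```

html.escape covers the HTML text and quoted-attribute contexts only; a value dropped into a script block, a URL, or a CSS property needs the encoder for that context.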

Page 16:

Make the Illusion Good

Page 17:

The Viso-Geeks

Page 18:

How Big Is The Problem?

90% of web sites are vulnerable.
75% of hacks are the result of exploits in web-facing applications.
31% in .gov and .mil.
Estimated cost is $60 BILLION in the U.S.
Annual increase in vulnerabilities reported is 42%.
Annual increase in attacks is 70%.
Average cost is up to $10 M per attack.

Page 19:

Do You Have Examples?

CardSystems – 2004
✔ 263,000 credit card numbers stolen
✔ 40 million exposed
✔ Millions in fraudulent purchases
✔ SQL Injection – attackers dropped a job into the database that ran every 4 days sending records to a remote site.

Page 20:

MySpace XSS

MySpace 2006: XSS using a Flash redirect.

embed allowscriptaccess="never" src="http://i105.photobucket.com/albums/mff225/yrkblack/redirecft.swf"

The redirect then has access to the account of the user, allowing it to make the same change on their page. It's an XSS worm.

Page 21:

PayPal XSS

PayPal 2004*-2006: XSS using parameter substitution.

www.paypal.com/xcheck?nextpage=...

nextpage should be the addr or resolution page; PayPal didn't bother to check if nextpage made sense.

Attackers spammed people. They followed the link and then entered their login data and more.
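An added example, not PayPal's code or code from the slides, in Python of the check the slide says was missing: the nextpage parameter is matched exactly against a fixed table of page names, and anything carrying a scheme, a host, a protocol-relative //host, a backslash, or a percent-encoded variant of those falls back to a default page. The page names addr and resolution come from the slide; the function names, the default page and the rejection categories are assumptions of this example.

```python
from urllib.parse import urlsplit, unquote

# Assumed table of pages the nextpage parameter is meant to select.
ALLOWED_NEXT_PAGES = {"addr", "resolution"}
DEFAULT_PAGE = "addr"


def classify_next_page(value):
    """Say why a nextpage value is rejected, or return 'ok'.
    The value is decoded once first so that %2F%2F cannot hide a //host,
    and backslashes are folded to slashes because some browsers treat them alike."""
    if value is None or value == "":
        return "missing"
    candidate = unquote(value).strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme:
        return "has-scheme"          # http://..., javascript:..., data:...
    if parts.netloc or candidate.startswith("//"):
        return "has-host"            # //evil.example/...
    if candidate not in ALLOWED_NEXT_PAGES:
        return "not-allowlisted"
    return "ok"


def safe_next_page(value):
    """Exact-match allowlist: the redirect target is one of our own page
    names, never a string assembled from the request."""
    if classify_next_page(value) == "ok":
        return unquote(value).strip()
    return DEFAULT_PAGE


def redirect_location(value):
    """Build the Location header as a site-relative path, so the browser
    can only land on this site whatever the parameter contained."""
    return "/" + safe_next_page(value)


if __name__ == "__main__":
    for v in ("addr", "resolution", "http://evil.example/addr", "//evil.example/",
              "%2F%2Fevil.example", "javascript:alert(1)", "addr@evil.example", None):
        print(repr(v), "->", classify_next_page(v), redirect_location(v))
```

Because the lookup is an exact match against a small set, the scheme and host checks are strictly redundant; they exist so that the log line says why a value was refused, which is what you want when someone starts probing the parameter.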

Page 22:

Poker Face

Paradise Poker Site – 2005

A user notices that when the dealer shows an Ace and has a pocket 10, there is a longer delay than if the hole card is something else.

He wins big for a while.

Abuse of Functionality exploit (a timing side channel: the response time leaks the hidden card).

Page 23:

What To Do?

You have 2.5 million lines of code and that code is constantly churned by extensions and bug fixes.

Test everything a user can do in every possible way to find vulnerabilities??

There are many things that are perniciously subtle.

You can never make it perfectly safe or prove that it is.

Page 24:

Accept the security breach or clean a litter box.

Take your pick.

Page 25:

Vulnerability Fixing Costs

[Bar chart: $ Cost of fixing a vulnerability by phase (Design, Development, QA, Maintenance); y-axis 0 to 140]

Page 26:

When Controls Fail

Page 27:

It Can Get Expensive

TJ Maxx - $135 M and up to $4.5 B
AICPA - $30 M
ChoicePoint - $15 M +
U of C (Los Alamos) - $3 M fine
MSU - ?

Identity theft cost averages $32 K
Average cost is $10 M
Impacts nearly 25% of companies/year

Page 28:

Legals

33 states have disclosure laws
Sarbanes-Oxley
Health Insurance Portability and Accountability Act (HIPAA)
PCI DSS
ISO 17799
Gramm-Leach-Bliley Act (Financial Ind.)

Page 29:

Does Anybody Get Caught?

Page 30:

Yes, increasingly

Brian Salcedo, 9 years, cracking Lowe's.
Kevin Mitnick, 5 years, $4k, "Takedown".
Unnamed 15-year-old, 12 months probation + community service; Singapore newspaper using news/news.
Jeanson Ancheta, 5 yrs, $15,000, installing adware on zombies.
Ken Flury, 3 years, $300K, stolen CitiBank debit card numbers.

Page 31:

I order you to wear a tie every day, take on a huge mortgage, join the local Rotary Club and act normal in public

Page 32:

Bottom Line

If you're on the Web, you have security issues.

If you allow the users to input anything, you have bigger issues.

If you store any data, you have really big issues.