Computer Security
Montana State University, 2007-11-01
Gary Harkin

Goals
- Give Denbigh his Birthday off.
- Get Gary out of the office for a bit.
- Understand the basics of software security.
- Understand the basics of computer security.
- Provide minimal opportunity for performance evaluation.
Why Is This Funny?
Consider the Application
Add a new user to the database:
- Get the user's name and other stuff.
- Add the user's name (and other stuff) to the database.
- High-fives all around.
Which looks like?
```php
$name = $_POST['name_from_form'];
// The form value is spliced straight into the SQL text; that is the bug.
// (The slide's extra mysql_query() arguments are omitted here.)
mysql_query("INSERT INTO students (name) VALUES ('$name')");
high_fives_all_around("$name added");
```
And You Get This SQL
If $name has the value 'Jimmie':
```sql
INSERT INTO students (name) VALUES ('Jimmie');
```
SQL Injection Strikes
If name=ROBERT');DROP TABLE students;-- the query becomes:
```sql
INSERT INTO students (name) VALUES ('ROBERT');DROP TABLE students; --')
```
- stmt 1: INSERT INTO students (name) VALUES ('ROBERT');
- stmt 2: DROP TABLE students;
- stmt 3: --') (a comment, so the leftover quote and parenthesis are ignored)
What's the Solution?
```php
$name = $_POST['name_from_form'];
// Allow-list check: the whole value must be letters and spaces.
// (The slide used the unanchored ereg('[a-zA-Z ]', ...), which only requires
// one matching character somewhere in the string; ereg was removed in PHP 7.)
if (!preg_match('/^[a-zA-Z ]+$/', $name)) {
    print("<B>Stop that!</B>");
    exit;
}
// Better still: a prepared statement, so the value is never spliced into SQL text.
mysql_query("INSERT INTO students (name) VALUES ('$name')");
high_fives_all_around("$name added");
```
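The injection from the previous slides and the fix, as an added example that is not the slides' code: it is written in Python with a constructed in-memory SQLite table in place of the slides' PHP and MySQL so it runs stand-alone, and it shows the string-built query losing the table to the slide's ROBERT input while the anchored allow-list check and a parameterized query both stop it. All function names are this example's own.

```python
import re
import sqlite3

PAYLOAD = "ROBERT');DROP TABLE students;--"   # the slide's example form input

def looks_like_name(name):
    # The slide's allow-list check, anchored so the whole value must match.
    return re.fullmatch(r"[A-Za-z ]+", name) is not None

def fresh_db():
    # Constructed in-memory stand-in for the slides' MySQL 'students' table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (name TEXT)")
    return db

def add_student_vulnerable(db, name):
    # Same shape as the slide's PHP: the form value is pasted into the SQL text.
    # executescript() runs every statement it is handed, like the multi-statement
    # execution the slides describe, so the payload splits one INSERT into three.
    db.executescript(f"INSERT INTO students (name) VALUES ('{name}');")

def add_student_safe(db, name):
    # Parameterized query: the value travels separately from the SQL text, so
    # whatever the user typed is stored as data and never parsed as SQL.
    db.execute("INSERT INTO students (name) VALUES (?)", (name,))

def table_exists(db):
    row = db.execute("SELECT count(*) FROM sqlite_master "
                     "WHERE type='table' AND name='students'").fetchone()
    return row[0] == 1

def names(db):
    return [r[0] for r in db.execute("SELECT name FROM students ORDER BY name")]

if __name__ == "__main__":
    db = fresh_db()
    add_student_vulnerable(db, "Jimmie")
    add_student_vulnerable(db, PAYLOAD)
    print("string-built query, table survives:", table_exists(db))   # False
    db = fresh_db()
    for who in ("Jimmie", PAYLOAD):
        if looks_like_name(who):
            add_student_safe(db, who)
        else:
            print("Stop that!", repr(who))
    print("parameterized query, table survives:", table_exists(db), names(db))
```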
Other Web Evils?
There are roughly 20 different types of web attacks, but each has variations.
Buffer overflows, Cross-site Scripting, Format string exploits, Command Injection, Magic URL exploits, Race condition exploits, weak random number exploits, ...
But It's All For Fun
Right?
Not Really
More than 50% of attacks are now motivated by money.
There are now multiple boiler rooms that consist of teams dedicated to computer crimes.
Cross-site Scripting
Phishing and Pharming aren't just about food.
You see a link saying "Click here to win a free Spring Break vacation."
But the link is: http://www.stickit2em.com/sucker.php
What should you do?
Cross-site Scripting
The Sin: You have a web site that allows users to post, but you don't check for dangerous code.
The Setup: A user posts a message that includes:
```html
<A HREF="http://www.sorry.com">Help Here</A>
```
Cross-site Scripting
The Mistake: "I need help, I think I'll click on that!"
The Con: Enter your username and password to get help.
The Bigger Mistake: Duh, OK!
What To Do?
Sanitize your user inputs. Only legal values allowed? Escape dangerous stuff.
```html
<A HREF="http://www.sorry.com">Help Here</A>
```
becomes
```html
&lt;A HREF=&quot;http://www.sorry.com&quot;&gt;Help Here&lt;/A&gt;
```
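Escaping as the slide describes, as an added example written in Python rather than the slides' PHP; it is not code from the slides. It escapes the user's post both in a text node and inside an attribute value, so the slide's Help Here anchor is displayed as text instead of being rendered as a link; escape_html, render_post and contains_live_tag are this example's own names.

```python
# Added example: render user posts so that markup a user types is shown as
# text instead of being interpreted by the browser.

POST = '<A HREF="http://www.sorry.com">Help Here</A>'   # the slide's example post

def escape_html(s):
    # Escape the five characters that can change meaning in HTML text or in
    # a quoted attribute value. '&' goes first so later entities stay intact.
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;")
             .replace("'", "&#x27;"))

def render_post(author, body):
    # Escape in both places user data lands: an attribute and the text node.
    return (f'<div class="post" data-author="{escape_html(author)}">'
            f'{escape_html(body)}</div>')

def contains_live_tag(rendered):
    # Crude check for the demo: a raw '<' between our own <div> and </div>
    # means the post's markup survived un-escaped and the browser will run it.
    inner = rendered[rendered.index(">") + 1 : rendered.rindex("<")]
    return "<" in inner

if __name__ == "__main__":
    unsafe = f'<div class="post">{POST}</div>'    # what the slide's sinful site emits
    safe = render_post("nobody", POST)
    print("unsafe has live tag:", contains_live_tag(unsafe))   # True
    print("safe has live tag:", contains_live_tag(safe))       # False
    print(safe)
```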
Make the Illusion Good
The Viso-Geeks
How Big Is The Problem?
- 90% of web sites are vulnerable.
- 75% of hacks are the result of exploits in web-facing applications.
- 31% in .gov and .mil.
- Estimated cost is $60 BILLION in U.S.
- Annual increase in vulnerabilities reported is 42%.
- Annual increase in attacks is 70%.
- Average cost is up to $10 M per attack.
Do You Have Examples?
CardSystems, 2004
- 263,000 credit card numbers stolen
- 40 million exposed
- Millions in fraudulent purchases
- SQL Injection: attackers dropped a job into the database that ran every 4 days sending records to a remote site.
MySpace XSS
MySpace, 2006: XSS using a Flash redirect.
```html
<embed allowscriptaccess="never" src="http://i105.photobucket.com/albums/mff225/yrkblack/redirecft.swf">
```
The redirect then has access to the account of the user, allowing it to make the same change on their page. It's an XSS worm.
PayPal XSS
PayPal, 2004*-2006: XSS using parameter substitution.
www.paypal.com/xcheck?nextpage=...
nextpage should be the addr or resolution page. PayPal didn't bother to check if nextpage made sense. Attackers spammed people. They followed the link and then entered their login data and more.
Poker Face
Paradise Poker Site, 2005: A user notices that when the dealer shows an Ace and has a pocket 10, there is a longer delay than if the hole card is something else.
He wins big for a while. Abuse of Functionality exploit.
What To Do?
You have 2.5 million lines of code and that code is constantly churned by extensions and bug fixes.
Test everything a user can do in every possible way to find vulnerabilities??
There are many things that are perniciously subtle.
You can never make it perfectly safe or prove that it is.
Accept the security breach or clean a litter box.
Take your pick.
Vulnerability Fixing Costs
[Bar chart: $ Cost of fixing a vulnerability by phase (Design, Development, QA, Maintenance); y-axis 0 to 140.]
When Controls Fail
It Can Get Expensive
- TJ Maxx - $135 M and up to $4.5 B
- AICPA - $30 M
- ChoicePoint - $15 M +
- U of C (Los Alamos) - $3 M fine
- MSU - ?
Identity theft cost averages $32 K. Average cost is $10 M. Impacts nearly 25% of companies/year.
Legals
- 33 states have disclosure laws
- Sarbanes-Oxley
- Health Information Portability and Accountability Act
- PCI DSS
- ISO 17799
- Gramm-Leach-Bliley Act (Financial Ind.)
Does Anybody Get Caught?
Yes, increasingly
- Brian Salcedo, 9 years, cracking Lowe's.
- Kevin Mitnick, 5 years, $4k, "Takedown"
- Unnamed 15-year-old, 12 months probation + CS; Singapore newspaper using news/news.
- Jeanson Ancheta, 5 yrs, $15,000, installing adware on zombies.
- Ken Flury, 3 years, $300K, stolen CitiBank debit card numbers.
I order you to wear a tie every day, take on a huge mortgage, join the local Rotary Club and act normal in public
Bottom Line
If you're on the Web, you have security issues.
If you allow the users to input anything, you have bigger issues.
If you store any data, you have really big issues.