security theatre - amsterdamphp
TRANSCRIPT
Security Theatre
@thomas_shone
Image by Matt McGee released under CC BY-ND 2.0
https://joind.in/talk/7f231
If you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated”
@thegrugq
Reference: https://twitter.com/thegrugq/status/658991205816995840
Crypting services make most antivirus techniques useless
Reference: http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/
Let us put an unsecured node.js server on your personal computer
TrendMicro Antivirus on Windows, Jan 2016
https://code.google.com/p/google-security-research/issues/detail?id=693
Remote code execution via your mail client downloading an email
Sophos Antivirus, June 2015
https://lock.cmpxchg8b.com/sophailv2.pdf
Users are bad at security
➢ Weak passwords
➢ Password reset questions
➢ Human verification sucks
➢ Clickbait and phishing
➢ Attachments
➢ URL mistype
➢ Routine and workarounds
➢ Convenience trumps security
Patch Fatigue Exists
Image by Aaaron Jacobs released under CC BY-SA 2.0
Anger
Image by Josh Janssen released under CC BY-ND 2.0
"How many Fortune 500 companies are hacked right now? Answer, 500."
Mikko Hypponen, CRO of F-Secure
Reference: https://twitter.com/mikko/status/184329161257652227
We have ISO 27001/2, ISO 15408, RFC 2196, PCI DSS, NIST, …
Reference: https://en.wikipedia.org/wiki/Cyber_security_standards
A Ukrainian power plant was hacked & shut down because someone had macros enabled in Excel
Reference: https://t.co/PA7cDQC9EI
Image by Unknown released into the Public Domain
Bargaining
Image by Jeroen Moes released under CC BY-SA 2.0
We probably only knew about one of the two backdoors in our system
Juniper Networks, Dec 2015
http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/
IDSs produce reports. Managers like reports: it helps them feel like they can "manage" security
http://security.stackexchange.com/questions/12164/how-effective-is-an-ids-at-catching-targeted-attacks
Ninety percent of everything is crap.
Sturgeon's law
Reference: https://en.wikipedia.org/wiki/Sturgeon%27s_law
Acceptance
Image by Stephan Brunet released under CC BY-SA 3.0
Hardware
Drivers
Services
Your Dependencies
Operating System
Your Software
Humans
Network / Internet
Area of Influence
Hardware
Drivers
Services
Your Dependencies
Operating System
Your Software
Humans
Network / Internet
HR/Training
System Administrators
Downstream Providers
Layered
Image by Cadw released under OGL via Commons
Image by Albert Bridge released under CC BY-SA 2.0
Surface Area
Alertness
Image by MeganCollins released under CC BY-NC-ND 3.0
Mitigation
Image by Pivari.com released under CC BY-SA 3.0
I trust that the software is without vulnerability
Vulnerability research and security updates
TRUST
I trust that what we talk about won't be shared with others
Contracts, Legalities, Terms of use, ????
TRUST
Turn your chain into a mesh
Image by ineverfinishanyth released under CC BY-NC-SA 2.5
Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
Failed: Error Number: 60. Reason: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
// Many old tutorials and posts suggest disabling peer verification
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

// Thankfully PHP 5.6+ handles CA certificate location automatically
// now thanks to https://wiki.php.net/rfc/improved-tls-defaults and
// Daniel Lowrey
Avoid advice like this
Weakening security for convenience
CODE SAMPLE
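The hardened counterpart of the snippet above, added here as an illustration and not code from the talk: a fetch helper that keeps peer and host verification on, refuses plain-HTTP targets and redirect downgrades, and fails closed on error 60 instead of switching the checks off. The function name, the URLs and the CA bundle path are placeholders.

```php
<?php
// Added example, not from the slides: a cURL fetch that fails closed
// rather than disabling certificate verification. Names are placeholders.

declare(strict_types=1);

/**
 * Fetch a URL over HTTPS with full certificate verification.
 * Throws on any transport or TLS failure so the caller can never
 * proceed with an unverified response by accident.
 */
function fetchVerified(string $url, ?string $caBundle = null): string
{
    if (stripos($url, 'https://') !== 0) {
        throw new InvalidArgumentException('Refusing non-HTTPS URL: ' . $url);
    }

    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }

    $options = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,           // redirects are a downgrade vector; follow them deliberately or not at all
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // even if a redirect were followed, never to http:// or file://
        CURLOPT_SSL_VERIFYPEER => true,            // the default since PHP 5.6; stated explicitly so a later edit cannot silently drop it
        CURLOPT_SSL_VERIFYHOST => 2,               // 2 = certificate must match the host name (0 disables the check)
        CURLOPT_TIMEOUT        => 10,
    ];
    if ($caBundle !== null) {
        // Pin to an explicit bundle (e.g. a private CA) instead of the system store.
        $options[CURLOPT_CAINFO] = $caBundle;
    }
    curl_setopt_array($ch, $options);

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($body === false || $errno !== 0) {
        // "Error Number: 60 ... certificate verify failed" lands here. The fix is
        // a correct CA bundle (CURLOPT_CAINFO or the system store), not VERIFYPEER=0.
        throw new RuntimeException("curl error {$errno}: {$error}");
    }
    if ($status < 200 || $status >= 300) {
        throw new RuntimeException("unexpected HTTP status {$status}");
    }
    return $body;
}

// Usage (needs network access):
// $html = fetchVerified('https://example.com/');
// $html = fetchVerified('https://intranet.example/', '/etc/ssl/private-ca.pem');  // placeholder bundle path
```

If the error from the slide appears, the correct responses are to install the distribution's CA bundle, point `curl.cainfo` or `CURLOPT_CAINFO` at one, or ship the private CA's certificate with the application; every one of those keeps the verification that the `VERIFYPEER = 0` advice throws away.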
Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
$password = 'rasmuslerdorf';
$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';

// Is this call safe?
if (crypt($password, $hash) === $hash) {
    echo 'Password is correct';
}

// What about this one?
if (password_verify($password, $hash)) {
    echo 'Password is correct';
}
Bad implementation
Where is the weakness?
CODE SAMPLE
$string1 = 'abcd';
$string2 = 'abce';
$string3 = 'acde';

for ($i = 0; $i < 10000; $i++) { ($string1 === $string2); }
// Time taken: 0.006923

for ($i = 0; $i < 10000; $i++) { ($string1 === $string3); }
// Time taken: 0.008344
Timing Attacks
How it works
CODE SAMPLE
Timing attacks can be used to work out if an account exists, even if the UI doesn't say so.
@troyhunt, haveibeenpwned.com
Reference: https://t.co/5WkQ48suj7
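Added example, not code from the talk: it measures what the early-exit comparison behind `crypt($password, $hash) === $hash` leaks, shows `hash_equals()` (the constant-time compare that `password_verify()` performs internally) as the replacement, and then applies the same idea to the enumeration channel in the quote above with a login routine that pays one bcrypt verification whether or not the username exists. The user store, the throwaway hash and the timing harness are constructed for the demo.

```php
<?php
// Added example (not from the slides). Part 1: an early-exit compare leaks
// how many leading bytes matched. Part 2: a login whose cost is identical
// for "no such user" and "wrong password". User store constructed here.

declare(strict_types=1);

// Early-exit compare: run time grows with the length of the matching prefix.
// Included only so it can be measured; never use it on secrets.
function naiveEquals(string $a, string $b): bool
{
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        if ($a[$i] !== $b[$i]) {
            return false;            // the leak: bails at the first differing byte
        }
    }
    return true;
}

// hash_equals() (PHP 5.6+) touches every byte; run time depends only on length.
// Argument order matters: known/expected value first, user-supplied value second.
function constantTimeEquals(string $known, string $userSupplied): bool
{
    return hash_equals($known, $userSupplied);
}

// Time both compares against guesses sharing none, half, and all-but-one leading bytes.
function measureLeak(string $secret, int $iterations = 100000): array
{
    $len  = strlen($secret);
    $half = intdiv($len, 2);
    $guesses = [
        'no prefix'    => str_repeat('!', $len),          // '!' never occurs in a hex secret
        'half prefix'  => substr($secret, 0, $half) . str_repeat('!', $len - $half),
        'all but last' => substr($secret, 0, $len - 1) . '!',
    ];
    $result = [];
    foreach (['naive' => 'naiveEquals', 'hash_equals' => 'constantTimeEquals'] as $name => $fn) {
        foreach ($guesses as $label => $guess) {
            $start = hrtime(true);                          // PHP 7.3+
            for ($i = 0; $i < $iterations; $i++) {
                $fn($secret, $guess);
            }
            $result[$name][$label] = round((hrtime(true) - $start) / 1e6, 2) . ' ms';
        }
    }
    return $result;
}

// Constructed user store: username => bcrypt hash.
function buildUserStore(): array
{
    return ['alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10])];
}

// Hash of a throwaway password at the same cost, verified against when the user
// does not exist so the request still spends one full bcrypt run.
function dummyHash(): string
{
    static $hash = null;
    return $hash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => 10]);
}

// Both outcomes run password_verify() exactly once; only the final decision differs.
function login(array $users, string $username, string $password): bool
{
    $userExists = array_key_exists($username, $users);
    $passwordOk = password_verify($password, $userExists ? $users[$username] : dummyHash());
    return $userExists && $passwordOk;
}

$users = buildUserStore();
var_dump(login($users, 'alice', 'correct horse battery staple'));   // bool(true)
var_dump(login($users, 'alice', 'not the password'));               // bool(false)
var_dump(login($users, 'mallory', 'not the password'));             // bool(false), same bcrypt cost as the line above
print_r(measureLeak(bin2hex(random_bytes(16))));
```

The naive column grows with the matching prefix and the `hash_equals` column does not; the slide's two timings above are the same effect at 10,000 iterations. The login half only closes the timing channel: the error message shown to the user must also be identical for both failure cases, or the enumeration moves from the clock to the text.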
Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
if (strstr($_SERVER['QUERY_STRING'], 'session_to_unset') != false) {
    parse_str($_SERVER['QUERY_STRING']);
    session_write_close();
    session_id($session_to_unset);
    session_start();
    $_SESSION = array();
    session_write_close();
    session_destroy();
    exit;
}
Mistakes
Deep understanding of the language
CODE SAMPLE
Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
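Added example, not phpMyAdmin's code, for the bug class in the CVE referenced above: `parse_str()` with no result array writes every query-string key into the current scope as a variable, so the attacker chooses variable names, not just values. The hardened version parses into an explicit array and validates the single value it needs. The query strings and the session-id length bound are constructed for this demo.

```php
<?php
// Added example, not from phpMyAdmin or the slides. Vulnerable scope
// injection via parse_str() next to an explicit-array, validated parser.

declare(strict_types=1);

// Vulnerable shape. The one-argument form was deprecated in PHP 7.2 and
// removed in PHP 8.0, so this function only runs on PHP 7.x. At file scope
// (as in the vulnerable include) the same call can reach $_SESSION as well.
function vulnerableExtract(string $queryString): array
{
    $allowed = false;                 // attacker sends "allowed=1" and this flips
    $session_to_unset = null;
    parse_str($queryString);          // no target array: keys become variables in this scope
    return ['allowed' => $allowed, 'session_to_unset' => $session_to_unset];
}

// Hardened: everything lands in $params, nothing else in scope changes,
// and only a value shaped like a session id is handed back.
function safeSessionToUnset(string $queryString): ?string
{
    parse_str($queryString, $params);
    $id = $params['session_to_unset'] ?? null;
    if (!is_string($id)) {            // "session_to_unset[]=x" would arrive as an array
        return null;
    }
    // Session ids are built from [a-z0-9,-] (session.sid_bits_per_character);
    // the 22..128 length bound is an assumption for this demo.
    if (!preg_match('/^[a-z0-9,-]{22,128}$/', $id)) {
        return null;
    }
    return $id;
}

$attack = 'session_to_unset=../etc&allowed=1&_SESSION[is_admin]=1';
$legit  = 'session_to_unset=' . str_repeat('a', 26);

var_dump(safeSessionToUnset($attack));   // NULL: not a session id, and no $allowed variable ever existed
var_dump(safeSessionToUnset($legit));    // string(26) "aaaaaaaaaaaaaaaaaaaaaaaaaa"

if (PHP_VERSION_ID < 80000) {
    print_r(vulnerableExtract($attack)); // ['allowed' => '1', 'session_to_unset' => '../etc']
}
```

The same hazard exists with `extract()` on request data and with `register_globals` in old PHP; the rule is the same in each case: request input goes into an array you name, and each value you take out is validated against the shape you expect before it is used as a session id, path or flag.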
Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
// NOT cryptographically secure
rand();

// Cryptographically secure (uses OS-specific source), PHP 7+
random_int(0, 100);

// Cryptographically secure (uses OS-specific source), PHP 7+
random_bytes(16);

// Cryptographically secure (uses OpenSSL library)
openssl_random_pseudo_bytes(16);
Random in code
Know the source
CODE SAMPLE
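Added example, not code from the talk: the random values a web application typically needs (an opaque token, a numeric one-time code, a uniform pick from a list) drawn from the CSPRNG functions above, the `$strong` check that the OpenSSL route requires, and a demonstration that `rand()` output is reproducible from its seed. Function names are placeholders.

```php
<?php
// Added example, not from the slides: CSPRNG-backed helpers and a
// reproducibility demo for rand(). Names are placeholders.

declare(strict_types=1);

// Opaque token: 32 bytes from the OS CSPRNG, hex-encoded (64 chars).
// Never derive tokens from md5(uniqid()), rand(), mt_rand() or time().
function opaqueToken(int $bytes = 32): string
{
    // random_bytes() throws if no secure source exists (e.g. a chroot
    // without /dev/urandom). Let it propagate; never fall back to rand().
    return bin2hex(random_bytes($bytes));
}

// 6-digit one-time code; random_int() is uniform, so no modulo bias.
function oneTimeCode(): string
{
    return str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
}

// Uniform pick from a list: random_int() for the index, not array_rand().
function securePick(array $items)
{
    if ($items === []) {
        throw new InvalidArgumentException('empty list');
    }
    $keys = array_keys($items);
    return $items[$keys[random_int(0, count($keys) - 1)]];
}

// OpenSSL route for pre-7.0 code paths: the $strong flag must be checked,
// otherwise a weak fallback is silently accepted. PHP 8 throws instead of returning false.
function opensslToken(int $bytes = 32): string
{
    $raw = openssl_random_pseudo_bytes($bytes, $strong);
    if ($raw === false || $strong !== true) {
        throw new RuntimeException('OpenSSL could not supply strong randomness');
    }
    return bin2hex($raw);
}

// Why rand() is the wrong source: seeded, it replays the same sequence.
// rand() has been an alias of mt_rand() since PHP 7.1.
function predictableDemo(int $seed): array
{
    mt_srand($seed);
    $first = [rand(0, 9), rand(0, 9), rand(0, 9)];
    mt_srand($seed);                  // re-seeding reproduces the "random" values exactly
    $second = [rand(0, 9), rand(0, 9), rand(0, 9)];
    return ['first' => $first, 'second' => $second, 'identical' => $first === $second];
}

echo opaqueToken(), PHP_EOL;           // 64 hex chars, different every run
echo oneTimeCode(), PHP_EOL;           // e.g. 042917
echo securePick(['red', 'green', 'blue']), PHP_EOL;
echo opensslToken(16), PHP_EOL;
print_r(predictableDemo(42));          // 'identical' => true
```

An attacker who can observe or guess the seed (a timestamp, a process id) can regenerate every `rand()`-based token issued after it; the CSPRNG functions have no seed to recover, which is the whole point of "know the source".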
HEAD http://example.com/index.php
200 OK
Connection: close
Date: Sat, 26 Dec 2015 13:52:01 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Sat, 26 Dec 2015 13:52:01 GMT
Client-Peer: 192.168.0.101:80
Client-Response-Num: 1
X-Powered-By: PHP/5.5.11
Information Disclosure
Every piece of information can be leveraged
LOG SAMPLE
Warning: require(assets/includes/footer.php) [function.require]: failed to open stream: No such file or directory in /home/user/path/to/assets/includes/operations.php on line 38
Fatal error: require() [function.require]: Failed opening required 'assets/includes/footer.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/path/to/assets/includes/operations.php on line 38
Information Disclosure
Every piece of information can be leveraged
LOG SAMPLE
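Added example, not code from the talk: a front-controller prologue that removes the `X-Powered-By` banner from the first sample and keeps the path, `include_path` and line-number details of the second sample out of responses while still logging them with a correlation id. Paths are placeholders; `expose_php` and Apache's `ServerTokens` are named because they are settings code cannot change at run time.

```php
<?php
// Added example, not from the slides: stop version banners and on-page
// error output without losing the details server-side. Paths are placeholders.

declare(strict_types=1);

// 1. Never render PHP errors to the client; keep them in the log.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/app/php-errors.log');   // placeholder; must be writable by the PHP user
error_reporting(E_ALL);                                 // log everything, show nothing

// 2. Drop the version banner. expose_php is PHP_INI_SYSTEM, so "expose_php = Off"
//    belongs in php.ini; header_remove() covers the case where it is still on.
//    The "Server: Apache" line comes from httpd.conf (ServerTokens Prod), not PHP.
header_remove('X-Powered-By');

// 3. Turn any uncaught exception into a generic page with a correlation id and
//    log the real trace under the same id so operators can find it.
set_exception_handler(function (Throwable $e): void {
    $id = bin2hex(random_bytes(8));
    error_log(sprintf(
        '[%s] %s: %s in %s:%d%s%s',
        $id, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        PHP_EOL, $e->getTraceAsString()
    ));
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=UTF-8');
    }
    // The client learns nothing about paths, include_path or the failing line.
    echo "Something went wrong. Reference: {$id}\n";
});

// 4. Promote warnings (such as "failed to open stream" from a require) into
//    exceptions so they reach the handler above instead of the page.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false;   // suppressed with @; hand back to PHP
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Demo: the include that leaked the full path in the slide above. The warning
// is converted to an exception before the fatal "Failed opening required" fires,
// so the response is the generic page and the path only appears in the log.
require __DIR__ . '/assets/includes/footer.php';   // placeholder; absent here on purpose
```

Running this from a directory without that include produces a single line on the response and the full `Warning: require(...)` text, path and trace in the log file, keyed by the same reference id the user sees.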
Hope
Image by Jenny released under CC BY-NC-ND 2.0
OWASP ASVS Project
Application Security Verification Standard
Reference: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
Group Performance
Image by Matt McGee released under CC BY-ND 2.0