Safety first: Security matters

78c8b0dece5b99f0fecd2eb64d08eb83?s=47 Firesphere
October 17, 2018

Safety first: Security matters

Presentation done at the SilverStripe Meetup Group, Wellington.

All links in this presentation are on the last slide for convenience

78c8b0dece5b99f0fecd2eb64d08eb83?s=128

Firesphere

October 17, 2018
Tweet

Transcript

  1. None
  2. Safety first Simon `Firesphere` Erkelens | 2018 Security matters

  3. About me Simon `Firesphere` Erkelens • SilverStripe bespoke software engineer

    • Team: Ninja Unicorns • Community admin (Slack & Forum) • I maintain the StripeSlackBot (It’s on BitBucket, FOSS) • That’s Python , SilverStripe 4 & Solr • Author of MFA modules for SilverStripe 3 & 4 • Cat owner • Hans the cow is my mascotte • I have a zoo on my desk • Scarily obsessed with security • Also Solr and search in general • LEGO! • Born Dutch (expect cursing) • Originator and former organizer of StripeCon EU • I wonder how much I can fit on a single slide • Yes, this is on purpose • Bribable with Whisk(e)y, beer or LEGO That’s me ➡ Although, I’m standing right over here, if you hadn’t noticed. That’s my cat, Marika ⬇ That’s Hans ➡ The zoo ⬇ ⬅ Apollo 13 Saturn V LEGO rocket!
  4. About me I am to blame for SilverStripe 4 Authenticator

    Sorry, not sorry! (I promise no more over crowded slides) Simon `Firesphere` Erkelens | 2018
  5. A little note The challenge is still open, for 2

    years now Simon `Firesphere` Erkelens | 2018
  6. Why the rewrite Simon `Firesphere` Erkelens | 2018 Security matters

  7. In need of a revamp SilverStripe 3 Authentication If it

    works, don’t change it • Not always is a full rewrite of things necessary • There are bits and bobs that can be reused • But, refactoring to improve things is a good thing Simon `Firesphere` Erkelens | 2018
  8. But it didn’t work Rewriting Authentication If it works, don’t

    change it • Not modular • Hooking in to the process required a lot of copy-pasting • 3rd party login was a PITA • Don’t even get me started on MFA implementation • Rigid flow • Tightly coupled between Member and Authentication • It was part of the main track, not a side track Simon `Firesphere` Erkelens | 2018
  9. Why the rewrite, it worked, didn’t it? Rewriting Authentication Modularity

    is important • Not modular • A single flow through Security • A “God controller” that does everything • Single point of failure • Hooking in to the process required a lot of copy-pasting • 3rd party login was a PITA • Don’t even get me started on MFA implementation • Rigid flow • Tightly coupled between Member and Authentication Simon `Firesphere` Erkelens | 2018
  10. Why the rewrite, it worked, didn’t it? Rewriting Authentication Copy

    paste should not be a “best solution” • Not modular • Hooking in to the process required a lot of copy-pasting • Ever tried to register your own login controller? • Or extended Security with so much of duplicate code it made you sick? • Yeah, “God class” • 3rd party login was a PITA • Don’t even get me started on MFA implementation • Rigid flow • Tightly coupled between Member and Authentication Simon `Firesphere` Erkelens | 2018
  11. Why the rewrite, it worked, didn’t it? Rewriting Authentication Third

    party integrations were painful • Not modular • Hooking in to the process required a lot of copy-pasting • 3rd party login was a PITA • Have a look at the ActiveDirectory module • I rest my case • Don’t even get me started on MFA implementation • Rigid flow • Tightly coupled between Member and Authentication Simon `Firesphere` Erkelens | 2018
  12. Why the rewrite, it worked, didn’t it? Rewriting Authentication Again

    a hacky copy-paste • Not modular • Hooking in to the process required a lot of copy-pasting • 3rd party login was a PITA • Don’t even get me started on MFA implementation • Copy paste all the things! • Register even more things! • It literally requires intercepting the construction of the Form • Best practices are for wussies, right? • Rigid flow • Tightly coupled between Member and Authentication Simon `Firesphere` Erkelens | 2018
  13. Why the rewrite, it worked, didn’t it? Rewriting Authentication Software

    should not be rigid • Not modular • Hooking in to the process required a lot of copy-pasting • 3rd party login was a PITA • Don’t even get me started on MFA implementation • Rigid flow • The start point and endpoint and everything in between was the same Controller • The API was not designed for flexible implementations • Low maintenance at high cost • Unsafe to extend means a security breach is imminent • Tightly coupled between Member and Authentication Simon `Firesphere` Erkelens | 2018
  14. Why the rewrite, it worked, didn’t it? Rewriting Authentication It’s

    like being chained down • Not modular • Hooking in to the process required a lot of copy-pasting • 3rd party login was a PITA • Don’t even get me started on MFA implementation • Rigid flow • Tightly coupled between Member and Authentication • Member logged itself in • Ever heard of someone going to a secure building and shout “I BELONG HERE” and be accepted? • No actual authenticator that operated independently • No separation of concerns, Security and Member did everything Simon `Firesphere` Erkelens | 2018
  15. How do I go from here? What changed It would

    be a lot easier to ask what didn’t change • Member doesn’t have the ability to log in anymore • Security does, but it’s for the current request only • Abstracts and Interfaces supply the necessary methods to implement • Handlers are sub-controllers to handle the request • Authenticators handle the authentication • IdentityStore is where the user is “stored” after authentication • Security only provides the controller wrapper around the forms • Each step has extension points to hook in your own flow • These are of limited scope, to prevent security breaches* Simon `Firesphere` Erkelens | 2018
  16. Security breaches Simon `Firesphere` Erkelens | 2018 Security matters

  17. But… you said it’s better! * I can’t help myself

    You will be breached. If not today, it’ll be tomorrow • Preparing for the worst is better than hoping for the best • We do our best to provide a safe authentication flow • Most breaches are due to bad practices by (in no particular order): • SysOps • DevOps • Software Engineers • Clients • End users • CMS Users • Bad password practices • Not using a password manager Simon `Firesphere` Erkelens | 2018
  18. None
  19. None
  20. Simon `Firesphere` Erkelens | 2018

  21. This... This is my absolute favourite! Taylor Hornby falling for

    social engineering Social engineering is still very easy. Even if your target knows it’ll happen, even inviting people to try it, and this is a security expert!
  22. I had way too much fun looking up all these

    tweets. It’s been fun, but, security is not something to take lightly! I’m sorry Not really though Simon `Firesphere` Erkelens | 2018
  23. Why care? Simon `Firesphere` Erkelens | 2018 Security matters

  24. But the new way is so much effort, I don’t

    need it But my site is low profile Why would/should I care • One size does fit all • Just a in a more modular way than it used to be • Your site’s profile does not mean security should be less • You have a lock on your door, right? • Never ever treat security as a side product of your work • The safety and security of your end user’s life may depend on it • I’m not joking • Really, it matters. Have you seen the Facebook breach? • Your effort into securing your site should be “a lot”, not “I want quick and easy” Simon `Firesphere` Erkelens | 2018
  25. A few things to keep in mind But my site

    is low profile Why would/should I care • Your site may be low profile • But what if the CMS user reuses it’s password everywhere? • One hack elsewhere may lead to CMS access • Have fun removing that shitty bitcoin JS miner from your site! • Or even domain hijacking • Use a password manager (I’ll get to that later) • BitWarden • 1Password • LastPass • Also, https! (I’ll get to that later too) Simon `Firesphere` Erkelens | 2018
  26. SilverStripe 4 Simon `Firesphere` Erkelens | 2018 Security matters

  27. Logging a user in Back to SilverStripe SilverStripe 4 How

    to use authentication 101 • Log in with a local account • Injector::inst()->get(IdentityStore::class)->logIn($member) • So many words, can it be shorter? • IdentityStore::singleton()->logIn($member) • Even shorter please? I liked Member::logIn()! • No. Separation of concerns • Okay, maybe you could alias it, if you really want to Simon `Firesphere` Erkelens | 2018
  28. Logging a user in The login Let’s go • Authenticator

    checks if user is indeed who it claims it is • Hands off to IdentityStore • IdentityStore handles the setting of cookies/sessions etc. • For example, SessionAuthenticationHandler • The user is now logged in • Return the user to the authenticator Simon `Firesphere` Erkelens | 2018
  29. Log user in using the Session SessionAuthenticationHandler Say hello public

    function logIn(Member $member, $persistent = false, HTTPRequest $request = null) { static::regenerateSessionId(); $request = $request ?: Controller:: curr()->getRequest(); $request->getSession()->set($this->getSessionVariable (), $member->ID); // This lets apache rules detect whether the user has logged in if (Member::config()->get('login_marker_cookie' )) { Cookie:: set(Member::config()->get('login_marker_cookie' ), 1, 0); } } Simon `Firesphere` Erkelens | 2018
  30. Authenticating the request via MiddleWare: SessionAuthenticationHandler Say “You are here!”

    public function authenticateRequest (HTTPRequest $request) { // If ID is a bad ID it will be treated as if the user is not logged in, // rather than throwing a ValidationException $id = $request->getSession()->get($this->getSessionVariable ()); if (!$id) { return null; } /** @var Member $member */ $member = Member::get()->byID($id); return $member; } Simon `Firesphere` Erkelens | 2018
  31. To log out, just trash the session SessionAuthenticationHandler And say

    bye public function logOut(HTTPRequest $request = null) { $request = $request ?: Controller:: curr()->getRequest(); $request->getSession()->restart($request); } Simon `Firesphere` Erkelens | 2018
  32. With the whole re-implementation, what can you do? How to

    implement What has changed • Your IdentityStore can login based on • Database/LDAP/SAML/GitHub/Google/Microsoft/Whatever • Preferably via a Provider, that is • A Store handles the storage of authenticated users • An Authenticator handles the authentication of users • A Provider handles the external communication of userdata • Middleware handles the internal communication of userdata Simon `Firesphere` Erkelens | 2018
  33. Time for a break Simon `Firesphere` Erkelens | 2018 And

    have a beer or something
  34. Third party login Simon `Firesphere` Erkelens | 2018 Security matters

  35. Logging a user in without a shadow copy Third party

    logins It can be done without hacky stuff! • User logs in with a third party • Third party supplies the necessary details • A custom IdentityStore is required for storing the details • Possibly in Session, or by re-requesting from the third party • Injector::inst()->get(IdentityStore::class)->logIn($userData) • The user is now logged in Simon `Firesphere` Erkelens | 2018 Tesla approves ➡
  36. How to use the three together GitHub Authentication A quick

    (theoretical) howto • IdentityStore is the storage of the login • Session token • 3rd party token • User information • It is not an authority however • Controller => RequestHandler => Authenticator {=> Provider} => Store => Handler • The Handler sets everything up for the Controller Simon `Firesphere` Erkelens | 2018
  37. How to use the three together GitHub Authentication Start with

    a provider • Provider provides the link between SilverStripe and GitHub • Providing the link • Not authorising anything, just giving the link • Gives the 3rd party response back to the authenticator • Is not an authenticator or authority Simon `Firesphere` Erkelens | 2018
  38. How to use the three together GitHub Authentication Then, an

    Authenticator • Authenticator does the checks • Is the response from GitHub genuine • Is the response from GitHub valid • Validate the user has the correct access permissions • If it all comes together correctly, execute the login procedure Simon `Firesphere` Erkelens | 2018
  39. How to use the three together GitHub Authentication Add an

    IdentityStore • IdentityStore holds the login state • Contains the information of the user for each request • Has the lifetime of the login • Does not persist beyond session or cookie • Logs the user in and returns the resulting shadow copy* Simon `Firesphere` Erkelens | 2018
  40. How to use the three together GitHub Authentication Ehh, shadow-shadow

    copy, okay? • * You said no shadow copy! • I did, but this shadow copy is non-persistence • No data stored on SilverStripe side • A Member object should be returned for ease of use Simon `Firesphere` Erkelens | 2018
  41. How to use the three together GitHub Authentication Control it

    all • Controller inner workings now that the user exists • Allow access to closed data • Let the user possibly edit local profiles • Hook in to the provider to get more details • Know the user exists • FOR A SINGLE REQUEST Simon `Firesphere` Erkelens | 2018
  42. MiddleWare GitHub Authentication Stuck in the middle with you •

    MiddleWare is what does the actual validation for each request • MiddleWare checks if the user is valid with the Authenticator • Not the controller • MiddleWare logs the user in for the current request • Okay, not really, IdentityStore does that, but I guess you understand Simon `Firesphere` Erkelens | 2018
  43. Sure, why not? GitHub Authentication Relations? Relations! • GitHub provides

    a token which can be used as a replacement for ID’s • You do need to write your own relational pointers though • Downside is, without a persistent shadow copy, public information is anonymous Simon `Firesphere` Erkelens | 2018
  44. Think first, do later Simon `Firesphere` Erkelens | 2018 Security

    matters
  45. How not to use 3rd party logins GitHub Authentication Be

    good, it’s not that hard • Store local data indefinitely without confirming it’s still valid • Use given permissions or data to spam • Ask for excessive permissions • Why do you need write access to the twitter feed? • Or DM’s, you really need that? • Abuse given rights to the 3rd party application • E.g. make unwanted pushes to GitHub • Share secret keys • Just generally, be good Simon `Firesphere` Erkelens | 2018
  46. Not enough funny gifs mate! Simon `Firesphere` Erkelens | 2018

    Okay, sorry, let me fix that for you!
  47. The outcome Simon `Firesphere` Erkelens | 2018 Security matters

  48. Not hacking into Security anymore MFA implementation differences A modular

    approach • See the code difference for the following repositories: • firesphere/silverstripe-bootstrapmfa • firesphere/silverstripe-bootstrap3mfa • The amount of effort that goes into adding a second step is massive for SS3 • The amount of effort for SS4 is more about streamlining the process Simon `Firesphere` Erkelens | 2018
  49. SilverStripe doesn’t have to care anymore! We care a lot

    A modular approach • We care, a lot actually • But the framework doesn’t care about where the authentication happens • Simply put, if the Authenticator returns a valid member, all is good • If it’s null, we are not logged in • If you don’t take the token… you’re doing it wrong I guess • But seriously, the token is what you need Simon `Firesphere` Erkelens | 2018
  50. Member So, in retrospect Original flow • Member gives credentials

    and shouts • “I AM ALLOWED TO BE HERE, SEE!” • End of story • Okay, not entirely, but it is possible Simon `Firesphere` Erkelens | 2018
  51. Member (Visitor) So, in retrospect SilverStripe 4 flow • Member

    gives credentials (passport, username/password, etc.) Simon `Firesphere` Erkelens | 2018 Middleware (Security guard) • Thanks, let’s check Authenticator (Frontdesk employee) • I’ll ask our security provider for the data (Or I check the database) Provider (Computer which talks to the backend system) • Here’s the data Authenticator • Yeah, all good, the data matches the person OR • Yeah, nah, not gonna happen mate!
  52. Other thoughts Simon `Firesphere` Erkelens | 2018 Security matters

  53. Besides the flow, there are a few other things you

    can do Other security measures Passwords, HTTPS, etc. • OWASP • Password managers • HTTPS • Password rules • Multi Factor Authentication Simon `Firesphere` Erkelens | 2018
  54. Just follow OWASP best practices OWASP Open Web Application Security

    Project • Their Top 10 of vulnerability risks is a good place to start • Juice Shop project • Zed Attack Proxy • And a lot more! Simon `Firesphere` Erkelens | 2018
  55. A password manager helps! Password managers Don’t use sticky notes

    • Explain to your client why • Explain the benefits • DO NOT EVER disable pasting of passwords in password fields • Suggest them to your client, here are a few: • BitWarden (My favourite, I’m not being paid to say this) • 1Password • LastPass Simon `Firesphere` Erkelens | 2018
  56. Put all your sites on HTTPS. HTTPS The S stands

    for “Secure Connection” • Try visiting an http site on hotel wifi and compare it to https • See screenshots on next slide • Let’s Encrypt • CertBot, ACME2, Secure updates… Let’s Encrypt • Don’t go EV, never go EV • Seriously, it’s a waste of money nowadays • Keep your certificates up to date • CertBot does that for you • Register as HSTS • Force HTTPS across your entire site • Show your clients Troy Hunt’s demo if they are not sure Simon `Firesphere` Erkelens | 2018
  57. Seriously, HTTPS The S stands for “Secure Connection” Simon `Firesphere`

    Erkelens | 2018 Public hotel wifi, same page, http vs. https
  58. Password Rules It’s really simple Simon `Firesphere` Erkelens | 2018

    Minimum of 16 characters. I don’t care which as long as they’re not the same
  59. HaveIBeenPwnd And don’t appear in HaveIBeenPwnd Okay, I care a

    little bit • Check new passwords against known breaches • firesphere/silverstripe-haveibeenpwnd • Block known breached passwords • Doesn’t matter if it wasn’t a breach from your site • Don’t reuse your passwords • Don’t expire passwords Simon `Firesphere` Erkelens | 2018
  60. Any MFA implementation is better than none MFA Just do

    it • Users will hate you for it • Until they see how their CMS account credentials are suddenly used on their banking without them knowing • The process of SilverStripe supported modules has been started • Give it a little bit of time, okay? Simon `Firesphere` Erkelens | 2018
  61. In a nutshell So... Things get better • SilverStripe 4

    authentication is better • Find your in-house security expert (or be the in-house expert!) • EVERYBODY makes mistakes • Password managers • HTTPS • OWASP • MFA Simon `Firesphere` Erkelens | 2018
  62. Who to follow Twitter • @Firesphere (that’s me!) • @troyhunt

    (Troy Hunt) • @scott_helme (Scott Helme) • @j_opdenakker (John Opdenakker) • @SilverStripe (You know, that company) • @DefuseSec (Taylor Hornby) • @ss2342 (Stephen Shkardoon) • @ismonkeyuser (Monkey User cartoons) Simon `Firesphere` Erkelens | 2018
  63. Any questions? Simon `Firesphere` Erkelens | 2018 Pretty sure you

    have questions, I covered a shitload of things! Speak up!
  64. Thank you! @Firesphere https://github.com/Firesphere simonerkelens@silverstripe.com https://speakerdeck.com/firesphere https://casa-laguna.net

  65. Okay, I have a question Simon `Firesphere` Erkelens | 2018

    What are your thoughts, how can we improve further? Speak up!
  66. Links Links in this presentation • https://www.instagram.com/p/Bom9l5LAIzc/ • https://github.com/Firesphere/silverstripe-bootstrapmfa •

    https://github.com/Firesphere/silverstripe-bootstrap3mfa • https://github.com/Firesphere/silverstripe-haveibeenpwnd • https://www.owasp.org • https://bitwarden.com • https://1password.com • https://lastpass.com • https://www.troyhunt.com/extended-validation-certificates-are-dead/ • https://hstspreload.org/ • https://www.troyhunt.com/heres-why-your-static-website-needs-https/ • https://twitter.com/jaffathecake/status/1044121129848377344 Simon `Firesphere` Erkelens | 2018