"It's Just a Web Site": How Poor Web Programming is Ruining Information Security

Transcript

1. “It’s Just a Web Site...” How Poor Web Programming is

   Ruining Information Security Mark Stanislav <[email protected]>

2. ME n Senior Consultant for a Managed Security Services Provider

   (MSSP) in Ann Arbor n Build Rails apps/Ruby scripts for internal process software n Lead for “Ethical Hacking” services n Project management and stuff n Publicly published 14 vulnerabilities for a variety of open-source web apps... with one on the way 20% 40% 40% Writing Code Breaking Code Everything Else

3. 2011; Let’s Review!

4. “...posted a dump of information extracted from MySQL, including the

   cracked passwords of users...” March 2011 http://www.scmagazineus.com/oracles-mysqlcom-hacked-via-sql-injection/article/199419/

5. “The attacker uncovered email addresses of select Barracuda employees with

   their passwords as well as name, email address, company affiliations and phone numbers of sales leads generated by the company’s channel partners...” April 2011 http://www.eweek.com/c/a/Security/Security-Firm-Barracuda-Networks-Embarrassed-by-Hacker-Database-Breakin-729619/

6. “During the incident, parts of the company's database, including customer

   data and submitted certificate requests, were accessed...” May 2011 http://www.h-online.com/security/news/item/Another-Comodo-SSL-registrar-hacked-1250283.html

7. “...it [LulzSec] posted information for staffers, the PBS network, and

   password info for PBS stations.” http://www.huffingtonpost.com/2011/05/30/pbs-hacked-tupac-alive_n_868673.html “...a ‘very small number’ of administrative user names and encrypted passwords were stolen.” http://www.huffingtonpost.com/2011/06/25/pbs-hacked-again-some-dat_n_884472.html May 2011 June 2011

8. http://www.pcworld.com/businesscenter/article/229868/citigroup_breach_exposed_data_on_210000_customers.html “Citigroup admitted on Wednesday that an attack on its

   website allowed hackers to view customers' names, account numbers and contact information such as e-mail addresses for about 210,000 of its cardholders.” June 2011

9. “...that they [LulzSec] have broken into SonyPictures.com and compromised more

   than 1 million user accounts. An additional 75,000 music codes and 3.5 million coupons were also uncovered.” June 2011 http://www.cnn.com/2011/TECH/web/06/03/sony.pictures.hacked.mashable/index.html

10. You’ve been scared of... nAPT nPeople’s Liberation Army nAl-Qaeda nThe

    Malicious Insider

11. But you got owned by... LulzSec

12. So what gives...?

13. Poor Web Programming!

14. Want to be a hacker? Mark Stanislav One Hundred My

    New Best Friend 100 What did they do wrong? 08/21/2011

15. They let me control... Mark Stanislav One Hundred Thousand and

    00/100-- My New Best Friend 100,000.00 ...the important details. 08/21/2011

16. But everyone knows not to do that!

17. http://test.com/news.php?id=11 What about now? http://test.com/news.php?id=’ UNION SELECT password FROM Users;--

    An attacker can control these details too....

18. Both accept certain kinds of input Checks: Name. Value. Memo.

    Signature. URL: Site. Page. Parameters. Both can be compromised if you aren’t careful Checks and Web Sites Checks: Additional numbers or commas URL: Additional file or database queries Both problems are easily fixed...

19. So what was that? n Most high-profile web site attacks

    this year (and many, many years past) were due to what’s called ‘SQL Injection’ n SQL injection simply means passing extra database instructions to a web application which was never intended to allow such a thing n Example: You view a web site to read a news article and can pass extra database requests to steal user passwords n In many cases, the attack can be fully automated to look for “the check not properly filled-out” and compromise can occur without a human doing any work...

20. An Anecdote...

21. Other ‘Bad Things’ n Local File Inclusion: I can pick

    which files off of your web server I want to view n Local File Deletion: I can pick which files off of your web server I want to delete n Authentication Bypass: I don’t need to even steal your username and/or password n Lack of Cryptography: As if bad passwords weren’t easy enough to brute-force, we can just steal plaintext passwords for all of your users

22. Defending Sites in Two Easy Steps n All input accepted

    from users should be validated and/or sanitized for things we don’t want to accept n Example: If a news web site accepts an article ‘ID’ which should be a number, why would we allow a user to enter quotes or semi-colons? n Usage of third-party products which identify common ‘attacks’ and prevent them from being executed -- both free and commercial options! n Oh, Barracuda Networks sells one to do that...

23. We’re Past Passwords n Duo Security (Ann Arbor-based) provides easy

    to use, low- cost, quick to integrate two-factor authentication n Supported Languages: Python, Ruby, PHP, Java, ASP.NET, Node.js, Cold Fusion, Classic ASP n WordPress and Drupal integrations provided n Provide users with at least a choice of if they want to protect their web accounts with layered & sensible authentication

24. But there’s a larger problem Years of School License Medical

    Doctor Pharmacist Lawyer Psychiatrist Web Programmer 11 O 8 O 7 O 10 O 0 X

25. Apples and Oranges? n All of the aforementioned professions deal

    with people’s personal data; medically, financially, or otherwise n Each profession requires extensive knowledge of the given craft to properly handle their clients n A professional for each career should be expected to adhere to ethical standards relating to the information they deal with n Everyone makes mistakes, but there are consequences for each profession... except web programming!

26. Web Programmers n Generally unrestricted access to customer databases with

    the ability to provide interaction with that data for patrons n Rarely have a system of checks and balances to ensure they aren’t doing something reckless or careless n Likely don’t have to document what, why, or how they did what they did in a given situation n Can determine how information flows, how it’s protected, and who can access it from around the globe at any time and they’ve probably never been taught to do any of it...

27. Education and the Web n The majority of schools offering

    web application development programs are ‘certificates of achievement’ or similar from community colleges/online for-profits n Courses for web application development rarely focus on information security concepts as a core tenant to curriculum n You aren’t going to find many Bachelor degrees in web application development; it will be lumped-in with a Computer Science degree... if at all n Even then, the problem isn’t just ‘web applications’

28. Framing Things n By the age of 22, I had

    publicly accessible web applications on production infrastructure at two different Michigan universities (legitimately) n There was no ‘security review process’ or audit of my code done to ensure that no resources were at risk by publishing these applications; malicious or otherwise n There were no questions asked of my credentials (or lack of) to be a web application developer n I’ve never taken a web programming course n I am not the exception, I am the every-day reality

29. Smoke and Mirrors n Most people don’t know what a

    web application does, they just see the end result n Cool graphics, nice color schemes, impressive animations, navigations links, and lots of text n Experienced programmers will make bad decisions to push out code faster to appease their employers or reduce the time & effort it takes for them to do work n Inexperienced programmers will make bad decisions because they have no idea they are making bad decisions

30. Let’s Change Things

31. Everyone Plays a Role n Managers: Establish essential standards for

    your developers to adhere to; these must be mandatory and likely audited by a third-party quarterly n Developers: Create a mentality that information security is a core focus of any code you write; make a game out of finding teammates’ vulnerabilities and review as a team why that failure occurred and update code tests n Educators: Establish a proper, accredited Bachelor’s program at your university for web development and ensure that curriculum or entire courses are devoted to information security for programmers

32. Legislators n “require businesses with the personal information of more

    than 10,000 customers to implement privacy and security programs to ensure the safety of pertinent data.” n “The Justice Department will be able to fine firms that violate the law $5,000 per violation per day, with a maximum of $20 million per violation. Individuals affected by violations of the law will also have the ability to bring civil actions against the businesses involved.” http://thehill.com/blogs/hillicon-valley/technology/180325-new-bill-from-blumenthal-would-require-firms-to-beef-up-security-and-privacy-practices The Personal Data Protection and Breach Accountability Act of 2011

33. The Industry n It’s time to create a licensing board

    with regulation for developers that are involved in certain industries n Medical, Financial, Governmental, Commerce n Track ethics violations and negligent/careless work n Establish a basic certification for information security competence for the language(s) a developer programs in n These are not popular ideas but things have gotten out of hand and there’s nothing to stop it from getting worse n There’s too much at stake not to

34. STORY TIME - Part 1 n Scenario: n Company Type:

    Medical Reimbursement n Issue: SQL Injection n Result: PII, w/ SSN + HIPAA info for all customers n Scenario: n Company Type: Medical Insurance n Issue: Unprotected administration functions n Result: PII w/ clear-text password for all customers

35. STORY TIME - Part 2 n Scenario: n Company Type:

    Property Insurance n Issue: Failed implementation of session handling n Result: PII + insurance information for all customers n Scenario: n Company Type: Property Sales n Issue: Unauthenticated AJAX REST method n Result: Mortgage documents w/ SSN for all customers

36. STORY TIME - Part 3 n Scenario: n Company Type:

    Hotel Management n Issue: Poorly coded WordPress Plugin n Results: n Unsalted MD5 password hashes leading to 60 passwords for customers/employees n Intranet access with cracked passwords n Filesystem access on web server n Intranet access to other database servers

37. FREE SUGGESTIONS n DO NOT CREATE YOUR OWN.... n Cryptographic

    algorithms (encryption/hashing) n Database abstraction libraries n WHEN STORING PASSWORDS, DO NOT USE... n Clear-text passwords, unsalted hash output n Better yet, use http://en.wikipedia.org/wiki/PBKDF2 n WHEN USING AJAX/API METHODS ENSURE... n User privilege levels are well-defined and utilized n Unauthenticated users can’t access admin functions

38. Other Resources n OWASP (https://www.owasp.org/) n “The Open Web Application

    Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software.” n https://www.owasp.org/index.php/Detroit n Brakeman: Automated Rails Security Scanner n http://brakemanscanner.org n RIPS: PHP Static Code Analysis n http://rips-scanner.sourceforge.net

39. Thanks! Questions? n Contact n [email protected] n @markstanislav n http://www.uncompiled.com/