The Origins of Insecurity, LASCON 2013

Transcript

1. @ngalbreath #lascon2013 The Origins of Insecurity Nick Galbreath LASCON 2013

   Austin, Texas, USA 2013-10-24

2. @ngalbreath #lascon2013 #lascon @ngalbreath [email protected] [email protected]

3. @ngalbreath #lascon2013 • Online advertising infrastructure • Because waiting for

   Google et al to cut you a check isn't a business model.

4. @ngalbreath #lascon2013 How Many Are "pure security"

5. @ngalbreath #lascon2013 Next year bring someone from operations or development

   (Or even from business and product)

6. @ngalbreath #lascon2013 WELL THAT WAS AN INTERESTING YEAR

7. @ngalbreath #lascon2013 Cryptography • A lot of noise going on

   without context that may or may not match your needs or requirements. (there is also good healthy debate on fixing problems) • Think of your threat model to your company (or you).

8. @ngalbreath #lascon2013 http://mashable.com/2013/03/12/forrester-u-s-ecommerce-forecast-2017/ PKI, SSL, TLS Wildly Successful for Commerce

   
   #*--*0/

9. @ngalbreath #lascon2013 everything "leaked" indicates the mathematics is sound

10. @ngalbreath #lascon2013 TLDR; math's hard; let's go shopping (for access)

    http://www.foreignpolicy.com/articles/ 2013/10/15/the_nsa_s_new_codebreakers

11. @ngalbreath #lascon2013 So Successful • I don't know of any

    monetary theft that involved breaking SSL/TLS or the math behind modern cryptography. • It's been so successful everything I know has been attacking data at rest.

12. @ngalbreath #lascon2013 Yeah, but what about that Android problem? And

    NIST PRNG? And all those CA Cert problems?

13. @ngalbreath #lascon2013 Two PRNGs, One Cup SUN SHA1PRNG and NIST

    Dual-EC-DRBG

14. @ngalbreath #lascon2013 Java SecureRandom SUN SHA1PRNG

15. https://bitcointalk.org/index.php?topic=271486.0/ Bitcoins Stolen?

16. BitCoins Stolen! http://bitcoin.org/en/alert/2013-08-11-android

17. Some thoughts for your troubles (and a patch) http://android-developers.blogspot.jp/ 2013/08/some-securerandom-thoughts.html

    5-%3 *UT
    CSPLFO

18. @ngalbreath #lascon2013 Can't Find the Fix • Source is here:

    http://bit.ly/1c3iZCC • Can't find the change • Can't find the bug report • Appears no empirical testing added to source tree. I'm not an Android expert and the source tree is very large. If you know the answers, please let me know!

19. @ngalbreath #lascon2013 But How Did this Happen? "Contrary to many

    earlier reports, the flaw affects all versions of Android, not just 4.2 and earlier, Android Security Engineer Adrian Ludwig told Ars." http://arstechnica.com/security/2013/08/google-confirms- critical-android-crypto-flaw-used-in-5700-bitcoin-heist/

20. @ngalbreath #lascon2013 Someone wasn't happy about losing their bitcoins https://twitter.com/mkdeesu/status/380891694029209602

21. @ngalbreath #lascon2013 Let's Take a Look • July 2006 code

    goes in tree: https://issues.apache.org/jira/browse/HARMONY-872 • October 2006 tests added https://issues.apache.org/jira/browse/HARMONY-1924 hmmmm.... so before we blame yuri...

22. @ngalbreath #lascon2013 SHA1PRNG • Based on known cryptographic primitives: Yes

    • Open specification: ? • Open source reference implementation: ? • Test vectors: ? • Forced to use it: kinda, otherwise you need to find a signed provider. • Code approved in Harmony without tests: yes • Any empirical tests? No. • Any security review in 5+ years: ??

23. @ngalbreath #lascon2013 #VU
    XBJU
    UIFSFT
    NPSF • "In addition to this developer

    recommendation, Android has developed patches that ensure that Android’s OpenSSL PRNG is initialized correctly. Those patches have been provided to OHA partners.We would like to thank Soo Hyeon Kim, Daewan Han of ETRI and Dong Hoon Lee of Korea University who notified Google about the improper initialization of OpenSSL PRNG." • More details here: http://emboss.github.io/blog/ 2013/08/21/openssl-prng-is-not- really-fork-safe/

24. @ngalbreath #lascon2013 More Details • http://armoredbarista.blogspot.ie/ 2013/03/randomly-failed- weaknesses-in-java.html (although their

    paper is published and costs money) • Keith (k3170) Makan http://blog.k3170makan.com/ 2013/08/more-details-on-android- jca-prng-flaw.html#more

25. @ngalbreath #lascon2013 An Interesting Study in Failure. • Specification •

    Implementation • QA • Review • Postmortem

26. @ngalbreath #lascon2013 NIST DUAL-EC-DRBG

27. @ngalbreath #lascon2013 NIST • NIST has a lot of great

    people, working very hard, • Probably has to deal with more conflicts of interest, stress, demands, and bullshit than you can imagine • but as human organization • ... it also has human failings too

28. @ngalbreath #lascon2013 NIST Dual-EC-DRBG • SP 800-90 • 1 of

    3 PRNG algorithms specified • within 6 months of publication, research showed it was unusual • 3x slower, possible backdoor. • Standards process clearly got corrupted

29. @ngalbreath #lascon2013 DUAL-EC-DRBG • Based on known cryptographic primitives: yes

    • Open and Fully specified: yes • Test vectors: yes • As a standard are you forced into using it? No! It's only one of three options.

30. @ngalbreath #lascon2013 It's a Turd But we know exactly it's

    a turd! It's standard turd! That also got approved by ISO and others. It's not the first (WEP), and not the last

31. @ngalbreath #lascon2013 Standards don't mean you suspend common sense

32. @ngalbreath #lascon2013 But we knew in 2007 is was broken,

    and it's also very slow, and there 2 other choices in the standard!

33. @ngalbreath #lascon2013 And good standards don't do any good if

    they aren't implemented

34. @ngalbreath #lascon2013 TLS 1.2 Still not all current browsers support

    it No browser supports GCM mode

35. @ngalbreath #lascon2013 And this has never been done before. Old

    standards will need augmentation.

36. @ngalbreath #lascon2013 Fixing the CA System • Certificate Pinning •

    Certificate Pruning (ala Etsy/Zane Lackey) • HTTPS Strict-Transport-Security • http://certificate-transparency.org/

37. @ngalbreath #lascon2013 Everything Else VHMZ TMJEF XBSOJOH

38. @ngalbreath #lascon2013 App Security Network Security EndPoint Security IT/Internal Development

    Operations stuff you didn't write stuff you did write stuff people use Everything Else

39. @ngalbreath #lascon2013 Proactive Tasks • Detection • Monitoring • Identity

    Management • Design and Architecture • maybe even Development but for reactive tasks...

40. @ngalbreath #lascon2013 IT Internal Tech • Windows / Mac Operating

    Systems • Commercial Applications that run on employee laptops 99% C-based patches or Configuration Mgmt

41. @ngalbreath #lascon2013 Tech Ops • Routers - C • Windows

    / Linux OS updates - C • Core server (application) updates - C • And configuration management

42. @ngalbreath #lascon2013 Development • Input Validation problems • Configuration problems

    • Logical Problems - more interesting • cryptographic • Language platform problems (PHP, Java, et al)

43. @ngalbreath #lascon2013 Language • 99% of patches to language are

    in.. C. • You don't see core libraries for languages (in the end language) patched that often in CVE

44. @ngalbreath #lascon2013 Reactive Summary • Patching and Deploying • Configuration

    Management • Broken applications • Dealing with C based infrastructure

45. @ngalbreath #lascon2013 Patching and Deploying Applications

46. @ngalbreath #lascon2013 Securing More by Patching Less?

47. @ngalbreath #lascon2013 The Theory • Use windows 7+, • Keep

    at patch level • Patch Flash • Patch Reader • Patch Java (or remove) • == 99% of vulnerabilities stopped Trail of Bits - Exploit Intelligence Project http://www.trailofbits.com/research/

48. @ngalbreath #lascon2013 Prioritization is only important if you can't get

    it all done.

49. @ngalbreath #lascon2013 Updating four systems is challenging for many /

    most organizations!

50. @ngalbreath #lascon2013 What can we learn from the hardest apps

    to deploy? Mobile and Desktop Apps and OS

51. @ngalbreath #lascon2013 Google Chrome QPTJUJWF
    FYBNQMF

52. @ngalbreath #lascon2013 ArsTechnica 2013-09-04 http://bit.ly/1ahxEt5

53. @ngalbreath #lascon2013 Key Points • Note it's not 100% instantly..

    there is time to correct for bad releases. • Releases every 4-6 weeks. • Only two version "live" at anytime • Old versions rapidly drop to under 3% of total. • What's going with that 3%?

54. @ngalbreath #lascon2013 Google Android OFHBUJWF
    FYBNQMF

55. @ngalbreath #lascon2013 http://opensignal.com/reports/fragmentation-2013/

56. @ngalbreath #lascon2013 Android Key Points • Releases every 6+ months

    • At least 3 major versions active at any point in time. • Not in control of release process • Slow adoption • It's only this good since people buy new phones.

57. @ngalbreath #lascon2013 Android Solution? • Remove everything from the OS,

    and make applications independent, that also self-update automatically.

58. @ngalbreath #lascon2013 Apple and IOS • Just moved to having

    applications auto- update themselves. • Desktop is lagging behind although you can see the start of an "app store" model there.

59. @ngalbreath #lascon2013 Wordpress
    • WordPress 3.7 introduces automatic background updates

    for security and minor releases (like updating from 3.7 to 3.7.1). http://wordpress.org/news/2013/10/ wordpress-3-7-release-candidate/

60. @ngalbreath #lascon2013 #4%
    BVUP
    VQEBUF https://twitter.com/cperciva/status/392049947614269440

61. @ngalbreath #lascon2013 Conclusion? • You can release faster • You

    can release safely • It's a competitive advantage • It makes things more secure

62. @ngalbreath #lascon2013 But how can we apply this to the

    desktop?

63. @ngalbreath #lascon2013 Desktop Deployment • With all the containerization /

    VM technology, surely we can do something to speed patching and deployment. • Why does only one version need to be installed? • Can we make it so it's easier to roll back or undo? • Can we get feedback faster from our users if something isn't working?

64. @ngalbreath #lascon2013 How can we make patching and deployment easy

    for the dumbest users?

65. @ngalbreath #lascon2013 Configuration Management

66. @ngalbreath #lascon2013 SSL/TLS OMG • Somehow it's turned into a

    science project. • Lots of bad information on the web. • security • performance • compatibility

67. @ngalbreath #lascon2013 5IF
    -JUUMFTU
    $POpH
    ssl_protocols SSLv3 \ TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers

    AES128-SHA; Better than most Could it be better: yes.

68. @ngalbreath #lascon2013 But Being Smart Won't Save You • True

    story • I had custom version of nginx+openssl running • I updated the os ('apt-get' or yum) • over-wrote custom version • My cipher suite changed.. silently.

69. @ngalbreath #lascon2013 And SSL is easy compared to • Firewalls

    • SSH • Any VPN • DNS

70. @ngalbreath #lascon2013 And barriers to entry in putting a server

    "on the internet" keeps getting lower

71. @ngalbreath #lascon2013 How can we make it safe to configure

    a server and keep it secure? ex: no warning when SSLv2 is enabled

72. @ngalbreath #lascon2013 Can we do this for application development too

    ?

73. @ngalbreath #lascon2013 Ruby BrakeMan • Static analysis on commit or

    in real- time. • Sends email when it finds problems, and explains the fix • And sends positive mail when you fix it • I don't know anything about Ruby or RoR (I'm the dumbest guy), but with BrakeMan I'm not going to make rookie mistakes.

74. @ngalbreath #lascon2013 If we can do it for Ruby, I'm

    pretty sure we can do it for apache.conf

75. @ngalbreath #lascon2013 Cryptographic Primitives

76. @ngalbreath #lascon2013 What happened when Google visited this site? Of

    the 1513 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-10-23, and the last time suspicious content was found on this site was on 2013-10-23. Malicious software includes 4 trojan(s). "1*
    GPS
    3FTFBSDI

77. @ngalbreath #lascon2013 Cryptographic Standards

78. @ngalbreath #lascon2013 (SFBU
    "1*
    GPS
    MFHBDZ
    PHP Crypt

79. @ngalbreath #lascon2013 Business Goals

80. @ngalbreath #lascon2013 PHP 5.5 Password Hashing Password Hashing Functions Table

    of Contents • password_get_info — Returns information about the given hash • password_hash — Creates a password hash • password_needs_rehash — Checks if the given hash matches the given options • password_verify — Verifies that a password matches a hash (SFBU
    "1*
    GPS
    FWFSZPOF

81. @ngalbreath #lascon2013 How does this PHP API compare to @manicode's

    best practices? Do Business Level APIs exist for your platform?

82. @ngalbreath #lascon2013 Insecure Random Number Generators

83. @ngalbreath #lascon2013 PRNG • By default, every language provides a

    non- cryptographic, insecure PRNG • Leftover from the 1980s and physics simulations and old computer science problems. • Scripting languages unfortunately copied this model. • And so, we get numerous applications using an insecure system for passwords, reset codes, and worse.

84. @ngalbreath #lascon2013 Meanwhile a Secure Random is hidden • Every

    OS provides an API for this. • PHP even provides 2 or 3 different ways of doing this making it more confusing. • Since the Toy Randoms aren't random enough, people set seeds. random_set_seed(1); include "poisonedfile.php"

85. @ngalbreath #lascon2013 If you need to do physics... • You'll

    likely link in another library anyways. • You are probably linking in a million other libraries anyways. • You have requirements that probably aren't going to be met by the default PRNG anyways.

86. @ngalbreath #lascon2013 For toy applications • You demands aren't very

    high • Perfectly ok to use a secure random • For webapps, if they use a PRNG at all, most will use it only for a few numbers. • Not a performance problem

87. @ngalbreath #lascon2013 And if it's too slow • A Secure

    PRNG will be "slower" • So write your own if it's a problem. • A decent high speed PRNG can be written in a few lines of code if need be. • Every language makes data structure tradeoffs • Why should PRNG be different?

88. @ngalbreath #lascon2013 What if just make the default PRNG, a

    secure PRNG?

89. @ngalbreath #lascon2013 Can We Change PRNG from a Security Problem

    to an Optimization Problem?

90. @ngalbreath #lascon2013 Instead of making systems for the smartest guy,

    we should be making APIs for dumbest.

91. @ngalbreath #lascon2013 C Infrastructure

92. @ngalbreath #lascon2013 Hypothesis: CVE of high severity are overwhelmingly from

    programs written in C. QSPWF
    NF
    XSPOH

93. @ngalbreath #lascon2013 Google Bug Bounty for 3rd Party Code http://googleonlinesecurity.blogspot.com.au/2013/10/going-beyond-

    vulnerability-rewards.html 
    $

94. @ngalbreath #lascon2013 263 Pages The C Programming Language includes stdlib

    too

95. @ngalbreath #lascon2013 Secure Coding in C and C++ 545 Pages

96. @ngalbreath #lascon2013 libinjection • Goal: to eliminate SQLi attacks everywhere.

    • https://libinjection.client9.com/

97. @ngalbreath #lascon2013 What is it? • Small C library to

    detect SQLi in user input. • Really fast • Low false positives • Testable • https://libinjection.client9.com/ But why I did write this in C?

98. @ngalbreath #lascon2013 Because I'm good at it Look Mom, I'm

    in Chrome!

99. @ngalbreath #lascon2013 Maybe Sorry Mom!

100. @ngalbreath #lascon2013 Why C? • Lowest Common Denominator • Be

     able to quickly integrate into other C infrastructure, including hardware. • Eliminate any performance issue that might be an excuse for not using it. • SWIG-generating bindings exist for PHP, Python, Lua • Or use ctypes or libffi • Let's write one for Ruby at this con!

101. @ngalbreath #lascon2013 Why C? • Performance • Integration with everything?

102. @ngalbreath #lascon2013 But what if I could do this without

     using C?

103. @ngalbreath #lascon2013 Can We Change C Programming from a Security

     Problem to an Optimization Problem?

104. @ngalbreath #lascon2013 Hints of the Future • Javascript JITs /

     node.js showing competitive performance • C to LLVM to javascript (??) • PyPy: write a language in RPython and it creates a JIT (whoa) • http://cython.org restricted subset of python that compiles directly to C

105. @ngalbreath #lascon2013 And replacing C bindings for scripting languages •

     lua CFFI - • Now in python lib.cffi • extra C code (either manually written or autogenerated) removed. • Allows for optimization for near native C performance

106. @ngalbreath #lascon2013 A lot of room for innovation.

107. @ngalbreath #lascon2013 So What Is The Origin of Insecurity?

108. @ngalbreath #lascon2013 It's us! • We know configuration management is

     a problem • We know patching and deploying is a problem • We know developers aren't experts in security • We know developers make mistakes • We know C, while essential, is fragile

109. @ngalbreath #lascon2013 But I don't see much work in these

     areas. Offense and Blocking Technologies Dominate

110. @ngalbreath #lascon2013 What can you do

111. @ngalbreath #lascon2013 Think Globally, Act Locally

112. @ngalbreath #lascon2013 Get away from whack-a-mole. Spend some time thinking

     BIG

113. @ngalbreath #lascon2013 Open Source • Zillions of open source projects

     • Most do not have any "dedicated" security ... uhh.. security anything. • Get in the process.

114. @ngalbreath #lascon2013 Powerful • writing fuzzers • compiling with different

     flags • finding test cases • writing test cases • in the development process

115. @ngalbreath #lascon2013 libinjection • This summer, facilitated by the modsecurity

     Team, I worked with • Roberto Salgado @LightOS of http://www.websec.ca • Custom analysis and fuzzing of libinjection • Embarrassing me daily with new exploits. • This provided rapid acceleration of the quality. • Also checkout his SQLi cheat sheet: websec.ca/kb/sql_injection

116. @ngalbreath #lascon2013 Certificate Transparency • Finding certificates that explode the

     parsing code. • Adding test cases • Decoding new exciting ISO time formats.

117. @ngalbreath #lascon2013 •Think Big •Get Involved •Bring your Dev/Ops/Qa/Biz friends

     next year. •Enjoy the Con