No content

Safety first Simon `Firesphere` Erkelens | 2018 Security matters

About me Simon `Firesphere` Erkelens ● SilverStripe bespoke software engineer ● Team: Ninja Unicorns ● Community admin (Slack & Forum) ● I maintain the StripeSlackBot (It’s on BitBucket, FOSS) ● That’s Python , SilverStripe 4 & Solr ● Author of MFA modules for SilverStripe 3 & 4 ● Cat owner ● Hans the cow is my mascotte ● I have a zoo on my desk ● Scarily obsessed with security ● Also Solr and search in general ● LEGO! ● Born Dutch (expect cursing) ● Originator and former organizer of StripeCon EU ● I wonder how much I can fit on a single slide ● Yes, this is on purpose ● Bribable with Whisk(e)y, beer or LEGO That’s me ➡ Although, I’m standing right over here, if you hadn’t noticed. That’s my cat, Marika ⬇ That’s Hans ➡ The zoo ⬇ ⬅ Apollo 13 Saturn V LEGO rocket!

About me I am to blame for SilverStripe 4 Authenticator Sorry, not sorry! (I promise no more over crowded slides) Simon `Firesphere` Erkelens | 2018

A little note The challenge is still open, for 2 years now Simon `Firesphere` Erkelens | 2018

Why the rewrite Simon `Firesphere` Erkelens | 2018 Security matters

In need of a revamp SilverStripe 3 Authentication If it works, don’t change it ● Not always is a full rewrite of things necessary ● There are bits and bobs that can be reused ● But, refactoring to improve things is a good thing Simon `Firesphere` Erkelens | 2018

But it didn’t work Rewriting Authentication If it works, don’t change it ● Not modular ● Hooking in to the process required a lot of copy-pasting ● 3rd party login was a PITA ● Don’t even get me started on MFA implementation ● Rigid flow ● Tightly coupled between Member and Authentication ● It was part of the main track, not a side track Simon `Firesphere` Erkelens | 2018

Why the rewrite, it worked, didn’t it? Rewriting Authentication Modularity is important ● Not modular ● A single flow through Security ● A “God controller” that does everything ● Single point of failure ● Hooking in to the process required a lot of copy-pasting ● 3rd party login was a PITA ● Don’t even get me started on MFA implementation ● Rigid flow ● Tightly coupled between Member and Authentication Simon `Firesphere` Erkelens | 2018

Why the rewrite, it worked, didn’t it? Rewriting Authentication Copy paste should not be a “best solution” ● Not modular ● Hooking in to the process required a lot of copy-pasting ● Ever tried to register your own login controller? ● Or extended Security with so much of duplicate code it made you sick? ● Yeah, “God class” ● 3rd party login was a PITA ● Don’t even get me started on MFA implementation ● Rigid flow ● Tightly coupled between Member and Authentication Simon `Firesphere` Erkelens | 2018

Why the rewrite, it worked, didn’t it? Rewriting Authentication Third party integrations were painful ● Not modular ● Hooking in to the process required a lot of copy-pasting ● 3rd party login was a PITA ● Have a look at the ActiveDirectory module ● I rest my case ● Don’t even get me started on MFA implementation ● Rigid flow ● Tightly coupled between Member and Authentication Simon `Firesphere` Erkelens | 2018

Why the rewrite, it worked, didn’t it? Rewriting Authentication Again a hacky copy-paste ● Not modular ● Hooking in to the process required a lot of copy-pasting ● 3rd party login was a PITA ● Don’t even get me started on MFA implementation ● Copy paste all the things! ● Register even more things! ● It literally requires intercepting the construction of the Form ● Best practices are for wussies, right? ● Rigid flow ● Tightly coupled between Member and Authentication Simon `Firesphere` Erkelens | 2018

Why the rewrite, it worked, didn’t it? Rewriting Authentication Software should not be rigid ● Not modular ● Hooking in to the process required a lot of copy-pasting ● 3rd party login was a PITA ● Don’t even get me started on MFA implementation ● Rigid flow ● The start point and endpoint and everything in between was the same Controller ● The API was not designed for flexible implementations ● Low maintenance at high cost ● Unsafe to extend means a security breach is imminent ● Tightly coupled between Member and Authentication Simon `Firesphere` Erkelens | 2018

Why the rewrite, it worked, didn’t it? Rewriting Authentication It’s like being chained down ● Not modular ● Hooking in to the process required a lot of copy-pasting ● 3rd party login was a PITA ● Don’t even get me started on MFA implementation ● Rigid flow ● Tightly coupled between Member and Authentication ● Member logged itself in ● Ever heard of someone going to a secure building and shout “I BELONG HERE” and be accepted? ● No actual authenticator that operated independently ● No separation of concerns, Security and Member did everything Simon `Firesphere` Erkelens | 2018

How do I go from here? What changed It would be a lot easier to ask what didn’t change ● Member doesn’t have the ability to log in anymore ● Security does, but it’s for the current request only ● Abstracts and Interfaces supply the necessary methods to implement ● Handlers are sub-controllers to handle the request ● Authenticators handle the authentication ● IdentityStore is where the user is “stored” after authentication ● Security only provides the controller wrapper around the forms ● Each step has extension points to hook in your own flow ● These are of limited scope, to prevent security breaches* Simon `Firesphere` Erkelens | 2018

Security breaches Simon `Firesphere` Erkelens | 2018 Security matters

But… you said it’s better! * I can’t help myself You will be breached. If not today, it’ll be tomorrow ● Preparing for the worst is better than hoping for the best ● We do our best to provide a safe authentication flow ● Most breaches are due to bad practices by (in no particular order): ● SysOps ● DevOps ● Software Engineers ● Clients ● End users ● CMS Users ● Bad password practices ● Not using a password manager Simon `Firesphere` Erkelens | 2018

No content

No content

Simon `Firesphere` Erkelens | 2018

This... This is my absolute favourite! Taylor Hornby falling for social engineering Social engineering is still very easy. Even if your target knows it’ll happen, even inviting people to try it, and this is a security expert!

I had way too much fun looking up all these tweets. It’s been fun, but, security is not something to take lightly! I’m sorry Not really though Simon `Firesphere` Erkelens | 2018

Why care? Simon `Firesphere` Erkelens | 2018 Security matters

But the new way is so much effort, I don’t need it But my site is low profile Why would/should I care ● One size does fit all ● Just a in a more modular way than it used to be ● Your site’s profile does not mean security should be less ● You have a lock on your door, right? ● Never ever treat security as a side product of your work ● The safety and security of your end user’s life may depend on it ● I’m not joking ● Really, it matters. Have you seen the Facebook breach? ● Your effort into securing your site should be “a lot”, not “I want quick and easy” Simon `Firesphere` Erkelens | 2018

A few things to keep in mind But my site is low profile Why would/should I care ● Your site may be low profile ● But what if the CMS user reuses it’s password everywhere? ● One hack elsewhere may lead to CMS access ● Have fun removing that shitty bitcoin JS miner from your site! ● Or even domain hijacking ● Use a password manager (I’ll get to that later) ● BitWarden ● 1Password ● LastPass ● Also, https! (I’ll get to that later too) Simon `Firesphere` Erkelens | 2018

SilverStripe 4 Simon `Firesphere` Erkelens | 2018 Security matters

Logging a user in Back to SilverStripe SilverStripe 4 How to use authentication 101 ● Log in with a local account ● Injector::inst()->get(IdentityStore::class)->logIn($member) ● So many words, can it be shorter? ● IdentityStore::singleton()->logIn($member) ● Even shorter please? I liked Member::logIn()! ● No. Separation of concerns ● Okay, maybe you could alias it, if you really want to Simon `Firesphere` Erkelens | 2018

Logging a user in The login Let’s go ● Authenticator checks if user is indeed who it claims it is ● Hands off to IdentityStore ● IdentityStore handles the setting of cookies/sessions etc. ● For example, SessionAuthenticationHandler ● The user is now logged in ● Return the user to the authenticator Simon `Firesphere` Erkelens | 2018

Log user in using the Session SessionAuthenticationHandler Say hello public function logIn(Member $member, $persistent = false, HTTPRequest $request = null) { static::regenerateSessionId(); $request = $request ?: Controller:: curr()->getRequest(); $request->getSession()->set($this->getSessionVariable (), $member->ID); // This lets apache rules detect whether the user has logged in if (Member::config()->get('login_marker_cookie' )) { Cookie:: set(Member::config()->get('login_marker_cookie' ), 1, 0); } } Simon `Firesphere` Erkelens | 2018

Authenticating the request via MiddleWare: SessionAuthenticationHandler Say “You are here!” public function authenticateRequest (HTTPRequest $request) { // If ID is a bad ID it will be treated as if the user is not logged in, // rather than throwing a ValidationException $id = $request->getSession()->get($this->getSessionVariable ()); if (!$id) { return null; } /** @var Member $member */ $member = Member::get()->byID($id); return $member; } Simon `Firesphere` Erkelens | 2018

To log out, just trash the session SessionAuthenticationHandler And say bye public function logOut(HTTPRequest $request = null) { $request = $request ?: Controller:: curr()->getRequest(); $request->getSession()->restart($request); } Simon `Firesphere` Erkelens | 2018

With the whole re-implementation, what can you do? How to implement What has changed ● Your IdentityStore can login based on ● Database/LDAP/SAML/GitHub/Google/Microsoft/Whatever ● Preferably via a Provider, that is ● A Store handles the storage of authenticated users ● An Authenticator handles the authentication of users ● A Provider handles the external communication of userdata ● Middleware handles the internal communication of userdata Simon `Firesphere` Erkelens | 2018

Time for a break Simon `Firesphere` Erkelens | 2018 And have a beer or something

Third party login Simon `Firesphere` Erkelens | 2018 Security matters

Logging a user in without a shadow copy Third party logins It can be done without hacky stuff! ● User logs in with a third party ● Third party supplies the necessary details ● A custom IdentityStore is required for storing the details ● Possibly in Session, or by re-requesting from the third party ● Injector::inst()->get(IdentityStore::class)->logIn($userData) ● The user is now logged in Simon `Firesphere` Erkelens | 2018 Tesla approves ➡

How to use the three together GitHub Authentication A quick (theoretical) howto ● IdentityStore is the storage of the login ● Session token ● 3rd party token ● User information ● It is not an authority however ● Controller => RequestHandler => Authenticator {=> Provider} => Store => Handler ● The Handler sets everything up for the Controller Simon `Firesphere` Erkelens | 2018

How to use the three together GitHub Authentication Start with a provider ● Provider provides the link between SilverStripe and GitHub ● Providing the link ● Not authorising anything, just giving the link ● Gives the 3rd party response back to the authenticator ● Is not an authenticator or authority Simon `Firesphere` Erkelens | 2018

How to use the three together GitHub Authentication Then, an Authenticator ● Authenticator does the checks ● Is the response from GitHub genuine ● Is the response from GitHub valid ● Validate the user has the correct access permissions ● If it all comes together correctly, execute the login procedure Simon `Firesphere` Erkelens | 2018

How to use the three together GitHub Authentication Add an IdentityStore ● IdentityStore holds the login state ● Contains the information of the user for each request ● Has the lifetime of the login ● Does not persist beyond session or cookie ● Logs the user in and returns the resulting shadow copy* Simon `Firesphere` Erkelens | 2018

How to use the three together GitHub Authentication Ehh, shadow-shadow copy, okay? ● * You said no shadow copy! ● I did, but this shadow copy is non-persistence ● No data stored on SilverStripe side ● A Member object should be returned for ease of use Simon `Firesphere` Erkelens | 2018

How to use the three together GitHub Authentication Control it all ● Controller inner workings now that the user exists ● Allow access to closed data ● Let the user possibly edit local profiles ● Hook in to the provider to get more details ● Know the user exists ● FOR A SINGLE REQUEST Simon `Firesphere` Erkelens | 2018

MiddleWare GitHub Authentication Stuck in the middle with you ● MiddleWare is what does the actual validation for each request ● MiddleWare checks if the user is valid with the Authenticator ● Not the controller ● MiddleWare logs the user in for the current request ● Okay, not really, IdentityStore does that, but I guess you understand Simon `Firesphere` Erkelens | 2018

Sure, why not? GitHub Authentication Relations? Relations! ● GitHub provides a token which can be used as a replacement for ID’s ● You do need to write your own relational pointers though ● Downside is, without a persistent shadow copy, public information is anonymous Simon `Firesphere` Erkelens | 2018

Think first, do later Simon `Firesphere` Erkelens | 2018 Security matters

How not to use 3rd party logins GitHub Authentication Be good, it’s not that hard ● Store local data indefinitely without confirming it’s still valid ● Use given permissions or data to spam ● Ask for excessive permissions ● Why do you need write access to the twitter feed? ● Or DM’s, you really need that? ● Abuse given rights to the 3rd party application ● E.g. make unwanted pushes to GitHub ● Share secret keys ● Just generally, be good Simon `Firesphere` Erkelens | 2018

Not enough funny gifs mate! Simon `Firesphere` Erkelens | 2018 Okay, sorry, let me fix that for you!

The outcome Simon `Firesphere` Erkelens | 2018 Security matters

Not hacking into Security anymore MFA implementation differences A modular approach ● See the code difference for the following repositories: ● firesphere/silverstripe-bootstrapmfa ● firesphere/silverstripe-bootstrap3mfa ● The amount of effort that goes into adding a second step is massive for SS3 ● The amount of effort for SS4 is more about streamlining the process Simon `Firesphere` Erkelens | 2018

SilverStripe doesn’t have to care anymore! We care a lot A modular approach ● We care, a lot actually ● But the framework doesn’t care about where the authentication happens ● Simply put, if the Authenticator returns a valid member, all is good ● If it’s null, we are not logged in ● If you don’t take the token… you’re doing it wrong I guess ● But seriously, the token is what you need Simon `Firesphere` Erkelens | 2018

Member So, in retrospect Original flow ● Member gives credentials and shouts ● “I AM ALLOWED TO BE HERE, SEE!” ● End of story ● Okay, not entirely, but it is possible Simon `Firesphere` Erkelens | 2018

Member (Visitor) So, in retrospect SilverStripe 4 flow ● Member gives credentials (passport, username/password, etc.) Simon `Firesphere` Erkelens | 2018 Middleware (Security guard) ● Thanks, let’s check Authenticator (Frontdesk employee) ● I’ll ask our security provider for the data (Or I check the database) Provider (Computer which talks to the backend system) ● Here’s the data Authenticator ● Yeah, all good, the data matches the person OR ● Yeah, nah, not gonna happen mate!

Other thoughts Simon `Firesphere` Erkelens | 2018 Security matters

Besides the flow, there are a few other things you can do Other security measures Passwords, HTTPS, etc. ● OWASP ● Password managers ● HTTPS ● Password rules ● Multi Factor Authentication Simon `Firesphere` Erkelens | 2018

Just follow OWASP best practices OWASP Open Web Application Security Project ● Their Top 10 of vulnerability risks is a good place to start ● Juice Shop project ● Zed Attack Proxy ● And a lot more! Simon `Firesphere` Erkelens | 2018

A password manager helps! Password managers Don’t use sticky notes ● Explain to your client why ● Explain the benefits ● DO NOT EVER disable pasting of passwords in password fields ● Suggest them to your client, here are a few: ● BitWarden (My favourite, I’m not being paid to say this) ● 1Password ● LastPass Simon `Firesphere` Erkelens | 2018

Put all your sites on HTTPS. HTTPS The S stands for “Secure Connection” ● Try visiting an http site on hotel wifi and compare it to https ● See screenshots on next slide ● Let’s Encrypt ● CertBot, ACME2, Secure updates… Let’s Encrypt ● Don’t go EV, never go EV ● Seriously, it’s a waste of money nowadays ● Keep your certificates up to date ● CertBot does that for you ● Register as HSTS ● Force HTTPS across your entire site ● Show your clients Troy Hunt’s demo if they are not sure Simon `Firesphere` Erkelens | 2018

Seriously, HTTPS The S stands for “Secure Connection” Simon `Firesphere` Erkelens | 2018 Public hotel wifi, same page, http vs. https

Password Rules It’s really simple Simon `Firesphere` Erkelens | 2018 Minimum of 16 characters. I don’t care which as long as they’re not the same

HaveIBeenPwnd And don’t appear in HaveIBeenPwnd Okay, I care a little bit ● Check new passwords against known breaches ● firesphere/silverstripe-haveibeenpwnd ● Block known breached passwords ● Doesn’t matter if it wasn’t a breach from your site ● Don’t reuse your passwords ● Don’t expire passwords Simon `Firesphere` Erkelens | 2018

Any MFA implementation is better than none MFA Just do it ● Users will hate you for it ● Until they see how their CMS account credentials are suddenly used on their banking without them knowing ● The process of SilverStripe supported modules has been started ● Give it a little bit of time, okay? Simon `Firesphere` Erkelens | 2018

In a nutshell So... Things get better ● SilverStripe 4 authentication is better ● Find your in-house security expert (or be the in-house expert!) ● EVERYBODY makes mistakes ● Password managers ● HTTPS ● OWASP ● MFA Simon `Firesphere` Erkelens | 2018

Who to follow Twitter ● @Firesphere (that’s me!) ● @troyhunt (Troy Hunt) ● @scott_helme (Scott Helme) ● @j_opdenakker (John Opdenakker) ● @SilverStripe (You know, that company) ● @DefuseSec (Taylor Hornby) ● @ss2342 (Stephen Shkardoon) ● @ismonkeyuser (Monkey User cartoons) Simon `Firesphere` Erkelens | 2018

Any questions? Simon `Firesphere` Erkelens | 2018 Pretty sure you have questions, I covered a shitload of things! Speak up!

Thank you! @Firesphere https://github.com/Firesphere [email protected] https://speakerdeck.com/firesphere https://casa-laguna.net

Okay, I have a question Simon `Firesphere` Erkelens | 2018 What are your thoughts, how can we improve further? Speak up!

Links Links in this presentation ● https://www.instagram.com/p/Bom9l5LAIzc/ ● https://github.com/Firesphere/silverstripe-bootstrapmfa ● https://github.com/Firesphere/silverstripe-bootstrap3mfa ● https://github.com/Firesphere/silverstripe-haveibeenpwnd ● https://www.owasp.org ● https://bitwarden.com ● https://1password.com ● https://lastpass.com ● https://www.troyhunt.com/extended-validation-certificates-are-dead/ ● https://hstspreload.org/ ● https://www.troyhunt.com/heres-why-your-static-website-needs-https/ ● https://twitter.com/jaffathecake/status/1044121129848377344 Simon `Firesphere` Erkelens | 2018