Slide 1

No content

Slide 2

Safety first
Simon `Firesphere` Erkelens | 2018
Security matters

Slide 3

About me
Simon `Firesphere` Erkelens
● SilverStripe bespoke software engineer
● Team: Ninja Unicorns
● Community admin (Slack & Forum)
● I maintain the StripeSlackBot (it’s on BitBucket, FOSS)
  ● That’s Python, SilverStripe 4 & Solr
● Author of MFA modules for SilverStripe 3 & 4
● Cat owner
● Hans the cow is my mascot
● I have a zoo on my desk
● Scarily obsessed with security
  ● Also Solr and search in general
● LEGO!
● Born Dutch (expect cursing)
● Originator and former organizer of StripeCon EU
● I wonder how much I can fit on a single slide
  ● Yes, this is on purpose
● Bribable with Whisk(e)y, beer or LEGO
That’s me ➡ Although, I’m standing right over here, if you hadn’t noticed.
That’s my cat, Marika ⬇
That’s Hans ➡
The zoo ⬇
⬅ Apollo 13 Saturn V LEGO rocket!

Slide 4

About me
I am to blame for SilverStripe 4 Authenticator
Sorry, not sorry!
(I promise no more overcrowded slides)

Slide 5

A little note
The challenge is still open, for 2 years now

Slide 6

Why the rewrite
Security matters

Slide 7

In need of a revamp
SilverStripe 3 Authentication
If it works, don’t change it
● A full rewrite is not always necessary
● There are bits and bobs that can be reused
● But refactoring to improve things is a good thing

Slide 8

But it didn’t work
Rewriting Authentication
If it works, don’t change it
● Not modular
● Hooking into the process required a lot of copy-pasting
● 3rd party login was a PITA
● Don’t even get me started on MFA implementation
● Rigid flow
● Tightly coupled between Member and Authentication
● It was part of the main track, not a side track

Slide 9

Why the rewrite, it worked, didn’t it?
Rewriting Authentication
Modularity is important
● Not modular
  ● A single flow through Security
  ● A “God controller” that does everything
  ● Single point of failure
● Hooking into the process required a lot of copy-pasting
● 3rd party login was a PITA
● Don’t even get me started on MFA implementation
● Rigid flow
● Tightly coupled between Member and Authentication

Slide 10

Why the rewrite, it worked, didn’t it?
Rewriting Authentication
Copy paste should not be a “best solution”
● Not modular
● Hooking into the process required a lot of copy-pasting
  ● Ever tried to register your own login controller?
  ● Or extended Security with so much duplicate code it made you sick?
  ● Yeah, “God class”
● 3rd party login was a PITA
● Don’t even get me started on MFA implementation
● Rigid flow
● Tightly coupled between Member and Authentication

Slide 11

Why the rewrite, it worked, didn’t it?
Rewriting Authentication
Third party integrations were painful
● Not modular
● Hooking into the process required a lot of copy-pasting
● 3rd party login was a PITA
  ● Have a look at the ActiveDirectory module
  ● I rest my case
● Don’t even get me started on MFA implementation
● Rigid flow
● Tightly coupled between Member and Authentication

Slide 12

Why the rewrite, it worked, didn’t it?
Rewriting Authentication
Again a hacky copy-paste
● Not modular
● Hooking into the process required a lot of copy-pasting
● 3rd party login was a PITA
● Don’t even get me started on MFA implementation
  ● Copy paste all the things!
  ● Register even more things!
  ● It literally requires intercepting the construction of the Form
  ● Best practices are for wussies, right?
● Rigid flow
● Tightly coupled between Member and Authentication

Slide 13

Why the rewrite, it worked, didn’t it?
Rewriting Authentication
Software should not be rigid
● Not modular
● Hooking into the process required a lot of copy-pasting
● 3rd party login was a PITA
● Don’t even get me started on MFA implementation
● Rigid flow
  ● The start point, the endpoint and everything in between was the same Controller
  ● The API was not designed for flexible implementations
  ● Low maintenance at high cost
  ● Unsafe to extend means a security breach is imminent
● Tightly coupled between Member and Authentication

Slide 14

Why the rewrite, it worked, didn’t it?
Rewriting Authentication
It’s like being chained down
● Not modular
● Hooking into the process required a lot of copy-pasting
● 3rd party login was a PITA
● Don’t even get me started on MFA implementation
● Rigid flow
● Tightly coupled between Member and Authentication
  ● Member logged itself in
  ● Ever heard of someone walking into a secure building, shouting “I BELONG HERE” and being let in?
  ● No actual authenticator that operated independently
  ● No separation of concerns, Security and Member did everything

Slide 15

How do I go from here?
What changed
It would be a lot easier to ask what didn’t change
● Member doesn’t have the ability to log in anymore
● Security does, but it’s for the current request only
● Abstracts and Interfaces supply the necessary methods to implement
● Handlers are sub-controllers to handle the request
● Authenticators handle the authentication
● IdentityStore is where the user is “stored” after authentication
● Security only provides the controller wrapper around the forms
● Each step has extension points to hook in your own flow
  ● These are of limited scope, to prevent security breaches*

Slide 16

Security breaches
Security matters

Slide 17

But… you said it’s better!
* I can’t help myself
You will be breached. If not today, it’ll be tomorrow
● Preparing for the worst is better than hoping for the best
● We do our best to provide a safe authentication flow
● Most breaches are due to bad practices by (in no particular order):
  ● SysOps
  ● DevOps
  ● Software Engineers
  ● Clients
  ● End users
  ● CMS Users
● Bad password practices
● Not using a password manager

Slide 18

No content

Slide 19

No content

Slide 20

No content

Slide 21

This... This is my absolute favourite!
Taylor Hornby falling for social engineering
Social engineering is still very easy. Even when the target knows it’s coming, has invited people to try it, and is a security expert!

Slide 22

I had way too much fun looking up all these tweets.
It’s been fun, but security is not something to take lightly!
I’m sorry
Not really though

Slide 23

Why care?
Security matters

Slide 24

But the new way is so much effort, I don’t need it
But my site is low profile
Why would/should I care
● One size does fit all
  ● Just in a more modular way than it used to be
● Your site’s profile does not mean security should be less
  ● You have a lock on your door, right?
● Never ever treat security as a side product of your work
● The safety and security of your end user’s life may depend on it
  ● I’m not joking
  ● Really, it matters. Have you seen the Facebook breach?
● Your effort into securing your site should be “a lot”, not “I want quick and easy”

Slide 25

A few things to keep in mind
But my site is low profile
Why would/should I care
● Your site may be low profile
● But what if the CMS user reuses their password everywhere?
  ● One hack elsewhere may lead to CMS access
  ● Have fun removing that shitty bitcoin JS miner from your site!
  ● Or even domain hijacking
● Use a password manager (I’ll get to that later)
  ● BitWarden
  ● 1Password
  ● LastPass
● Also, https! (I’ll get to that later too)

Slide 26

SilverStripe 4
Security matters

Slide 27

Logging a user in
Back to SilverStripe
SilverStripe 4
How to use authentication 101
● Log in with a local account
  ● Injector::inst()->get(IdentityStore::class)->logIn($member)
● So many words, can it be shorter?
  ● IdentityStore::singleton()->logIn($member)
● Even shorter please? I liked Member::logIn()!
  ● No. Separation of concerns
  ● Okay, maybe you could alias it, if you really want to

Slide 28

Logging a user in
The login
Let’s go
● Authenticator checks if the user is indeed who it claims to be
● Hands off to IdentityStore
● IdentityStore handles the setting of cookies/sessions etc.
  ● For example, SessionAuthenticationHandler
● The user is now logged in
● Return the user to the authenticator
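The two steps on this slide (Authenticator first, then IdentityStore) wired up from a controller action, as an added example; this is not code from the slides or from the framework. It assumes a SilverStripe 4 project with the default MemberAuthenticator, the injector's default mapping of IdentityStore to the session/cookie handlers, and a route to the controller; ExampleLoginController and doLogin are invented names.

```php
<?php
// Added example (not slide or framework code): Authenticator first, then IdentityStore.
// Assumes SilverStripe 4 defaults; ExampleLoginController and doLogin are invented names.
use SilverStripe\Control\Controller;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Core\Injector\Injector;
use SilverStripe\ORM\ValidationResult;
use SilverStripe\Security\IdentityStore;
use SilverStripe\Security\Member;
use SilverStripe\Security\MemberAuthenticator\MemberAuthenticator;

class ExampleLoginController extends Controller
{
    private static $allowed_actions = ['doLogin'];

    public function doLogin(HTTPRequest $request)
    {
        // Step 1: the Authenticator only answers "is this who they claim to be?".
        // It touches neither the session nor any cookie.
        $authenticator = Injector::inst()->get(MemberAuthenticator::class);
        $result = new ValidationResult();
        $member = $authenticator->authenticate(
            ['Email' => $request->postVar('Email'), 'Password' => $request->postVar('Password')],
            $request,
            $result
        );

        if (!$member instanceof Member || !$result->isValid()) {
            // The reasons live in $result; the visitor gets one generic answer so the
            // response does not reveal whether the e-mail address exists.
            return $this->httpError(401, 'Login failed');
        }

        // Step 2: only the IdentityStore may turn a verified Member into logged-in state.
        // $persistent = false means session only, no "remember me" cookie.
        Injector::inst()->get(IdentityStore::class)->logIn($member, false, $request);

        return $this->redirect('/');
    }
}
```

Note that nothing in this action reads or writes the session itself: if the Authenticator returns null the request ends without any login state, and if it returns a Member, the session id regeneration and the session variable are the handler's job, exactly as the next three slides show.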

Slide 29

Log user in using the Session
SessionAuthenticationHandler
Say hello

    public function logIn(Member $member, $persistent = false, HTTPRequest $request = null)
    {
        static::regenerateSessionId();
        $request = $request ?: Controller::curr()->getRequest();
        $request->getSession()->set($this->getSessionVariable(), $member->ID);

        // This lets apache rules detect whether the user has logged in
        if (Member::config()->get('login_marker_cookie')) {
            Cookie::set(Member::config()->get('login_marker_cookie'), 1, 0);
        }
    }

Slide 30

Authenticating the request via MiddleWare:
SessionAuthenticationHandler
Say “You are here!”

    public function authenticateRequest(HTTPRequest $request)
    {
        // If ID is a bad ID it will be treated as if the user is not logged in,
        // rather than throwing a ValidationException
        $id = $request->getSession()->get($this->getSessionVariable());
        if (!$id) {
            return null;
        }
        /** @var Member $member */
        $member = Member::get()->byID($id);
        return $member;
    }

Slide 31

To log out, just trash the session
SessionAuthenticationHandler
And say bye

    public function logOut(HTTPRequest $request = null)
    {
        $request = $request ?: Controller::curr()->getRequest();
        $request->getSession()->restart($request);
    }

Slide 32

With the whole re-implementation, what can you do?
How to implement
What has changed
● Your IdentityStore can log in based on
  ● Database/LDAP/SAML/GitHub/Google/Microsoft/Whatever
  ● Preferably via a Provider, that is
● A Store handles the storage of authenticated users
● An Authenticator handles the authentication of users
● A Provider handles the external communication of user data
● Middleware handles the internal communication of user data

Slide 33

Time for a break
And have a beer or something

Slide 34

Third party login
Security matters

Slide 35

Logging a user in without a shadow copy
Third party logins
It can be done without hacky stuff!
● User logs in with a third party
● Third party supplies the necessary details
● A custom IdentityStore is required for storing the details
  ● Possibly in Session, or by re-requesting from the third party
● Injector::inst()->get(IdentityStore::class)->logIn($userData)
● The user is now logged in
Tesla approves ➡

Slide 36

How to use the three together
GitHub Authentication
A quick (theoretical) howto
● IdentityStore is the storage of the login
  ● Session token
  ● 3rd party token
  ● User information
● It is not an authority however
● Controller => RequestHandler => Authenticator {=> Provider} => Store => Handler
● The Handler sets everything up for the Controller

Slide 37

How to use the three together
GitHub Authentication
Start with a provider
● Provider provides the link between SilverStripe and GitHub
  ● Providing the link
  ● Not authorising anything, just giving the link
● Gives the 3rd party response back to the authenticator
● Is not an authenticator or authority

Slide 38

How to use the three together
GitHub Authentication
Then, an Authenticator
● Authenticator does the checks
  ● Is the response from GitHub genuine
  ● Is the response from GitHub valid
  ● Validate the user has the correct access permissions
● If it all comes together correctly, execute the login procedure

Slide 39

How to use the three together
GitHub Authentication
Add an IdentityStore
● IdentityStore holds the login state
  ● Contains the information of the user for each request
  ● Has the lifetime of the login
  ● Does not persist beyond session or cookie
● Logs the user in and returns the resulting shadow copy*

Slide 40

How to use the three together
GitHub Authentication
Ehh, shadow-shadow copy, okay?
● * You said no shadow copy!
● I did, but this shadow copy is non-persistent
  ● No data stored on the SilverStripe side
● A Member object should be returned for ease of use

Slide 41

How to use the three together
GitHub Authentication
Control it all
● Controller inner workings now that the user exists
  ● Allow access to closed data
  ● Let the user possibly edit local profiles
  ● Hook in to the provider to get more details
● Know the user exists
  ● FOR A SINGLE REQUEST

Slide 42

MiddleWare
GitHub Authentication
Stuck in the middle with you
● MiddleWare is what does the actual validation for each request
● MiddleWare checks if the user is valid with the Authenticator
  ● Not the controller
● MiddleWare logs the user in for the current request
  ● Okay, not really, IdentityStore does that, but I guess you understand
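The Provider, Authenticator and IdentityStore of slides 37 to 42 written out for SilverStripe 4, as an added example; it is not code from the slides, from the framework or from any SilverStripe module. It starts from an already obtained GitHub token (the OAuth redirect and code exchange belong to the RequestHandler and are left out), uses GitHub's documented user endpoint (https://api.github.com/user), and takes the HTTP call as a caller-supplied callable so nothing needs the network to be exercised. The class names, the session key, the GitHubToken data key and the allow-list are invented for this example; the subclass relies on SessionAuthenticationHandler::regenerateSessionId() being callable from a subclass, which is assumed here.

```php
<?php
// Added example, not code from the slides or any SilverStripe module: the
// Provider -> Authenticator -> IdentityStore split described above, for SilverStripe 4.
// Assumed: GitHub's documented user endpoint; a caller-supplied $http callable
// (url, headers, postBody) => decoded JSON array, so nothing here needs network;
// the class names, session key and allow-list are invented for this example.
use SilverStripe\Control\Controller;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\ORM\ValidationResult;
use SilverStripe\Security\Member;
use SilverStripe\Security\MemberAuthenticator\MemberAuthenticator;
use SilverStripe\Security\MemberAuthenticator\SessionAuthenticationHandler;

/** Provider: the only class that talks to GitHub. It decides nothing. */
class GitHubProvider
{
    private $http;
    public function __construct(callable $http) { $this->http = $http; }

    /** GitHub's view of the token owner, or null when GitHub rejects the token. */
    public function fetchUser(string $token): ?array
    {
        $resp = ($this->http)('https://api.github.com/user', ['Authorization: token ' . $token], []);
        return isset($resp['id'], $resp['login']) ? $resp : null;
    }
}

/** Authenticator: asks the Provider, checks the answer, returns a Member or null. */
class GitHubAuthenticator extends MemberAuthenticator
{
    private $provider;
    private $allowedLogins;   // the "correct access permissions" check, kept simple
    public function __construct(GitHubProvider $provider, array $allowedLogins) { $this->provider = $provider; $this->allowedLogins = $allowedLogins; }

    public function supportedServices()
    {
        return self::LOGIN | self::LOGOUT;   // no password change/reset: GitHub owns the password
    }

    public function authenticate(array $data, HTTPRequest $request, ValidationResult &$result = null)
    {
        $result = $result ?: new ValidationResult();
        $token = (string) ($data['GitHubToken'] ?? '');
        $user = $token === '' ? null : $this->provider->fetchUser($token);
        if ($user === null) {                                         // genuine and valid?
            $result->addError('GitHub did not confirm this login');
            return null;
        }
        if (!in_array($user['login'], $this->allowedLogins, true)) {  // permitted here?
            $result->addError('This GitHub account is not allowed here');
            return null;
        }
        return GitHubIdentityStore::memberFromGitHub($user, $token);
    }
}

/** IdentityStore: keeps only the token in the session; the Member is rebuilt on every request. */
class GitHubIdentityStore extends SessionAuthenticationHandler
{
    const SESSION_KEY = 'GitHubToken';   // invented session variable name
    private $provider;
    public function __construct(GitHubProvider $provider) { $this->provider = $provider; }

    public function logIn(Member $member, $persistent = false, HTTPRequest $request = null)
    {
        static::regenerateSessionId();   // inherited: fresh session id when privilege changes
        $request = $request ?: Controller::curr()->getRequest();
        $request->getSession()->set(self::SESSION_KEY, $member->GitHubToken);
    }

    public function authenticateRequest(HTTPRequest $request)
    {
        $token = $request->getSession()->get(self::SESSION_KEY);
        if (!$token) {
            return null;
        }
        // Re-request from GitHub each time: a revoked token logs the user out by itself.
        $user = $this->provider->fetchUser($token);
        return $user ? self::memberFromGitHub($user, $token) : null;
    }
    // logOut() is inherited: it restarts the session, which drops the token.

    /** The non-persistent "shadow copy": an unsaved Member carrying GitHub's data. Never write() it. */
    public static function memberFromGitHub(array $user, string $token): Member
    {
        $member = Member::create();
        $member->FirstName = $user['login'];
        $member->Email = $user['email'] ?? '';
        $member->GitHubToken = $token;   // ad-hoc field on the in-memory object only
        return $member;
    }
}
```

Two design points worth noticing: the Authenticator never sees the session and the IdentityStore never makes a decision, so the "I BELONG HERE" shortcut of the old flow has no place to live; and because authenticateRequest re-asks GitHub on every request, revoking the token on GitHub's side ends the login without any cleanup on the SilverStripe side. Both classes would be registered through Injector configuration with their constructor arguments, which is not shown here.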

Slide 43

Sure, why not?
GitHub Authentication
Relations? Relations!
● GitHub provides a token which can be used as a replacement for IDs
● You do need to write your own relational pointers though
● Downside is, without a persistent shadow copy, public information is anonymous

Slide 44

Think first, do later
Security matters

Slide 45

How not to use 3rd party logins
GitHub Authentication
Be good, it’s not that hard
● Store local data indefinitely without confirming it’s still valid
● Use given permissions or data to spam
● Ask for excessive permissions
  ● Why do you need write access to the Twitter feed?
  ● Or DMs, do you really need those?
● Abuse given rights to the 3rd party application
  ● E.g. make unwanted pushes to GitHub
● Share secret keys
● Just generally, be good

Slide 46

Not enough funny gifs mate!
Okay, sorry, let me fix that for you!

Slide 47

The outcome
Security matters

Slide 48

Not hacking into Security anymore
MFA implementation differences
A modular approach
● See the code difference for the following repositories:
  ● firesphere/silverstripe-bootstrapmfa
  ● firesphere/silverstripe-bootstrap3mfa
● The amount of effort that goes into adding a second step is massive for SS3
● The amount of effort for SS4 is more about streamlining the process

Slide 49

SilverStripe doesn’t have to care anymore!
We care a lot
A modular approach
● We care, a lot actually
● But the framework doesn’t care about where the authentication happens
● Simply put, if the Authenticator returns a valid member, all is good
● If it’s null, we are not logged in
● If you don’t take the token… you’re doing it wrong, I guess
  ● But seriously, the token is what you need

Slide 50

Member
So, in retrospect
Original flow
● Member gives credentials and shouts
  ● “I AM ALLOWED TO BE HERE, SEE!”
● End of story
  ● Okay, not entirely, but it is possible

Slide 51

So, in retrospect
SilverStripe 4 flow
Member (Visitor)
● Member gives credentials (passport, username/password, etc.)
Middleware (Security guard)
● Thanks, let’s check
Authenticator (Frontdesk employee)
● I’ll ask our security provider for the data (Or I check the database)
Provider (Computer which talks to the backend system)
● Here’s the data
Authenticator
● Yeah, all good, the data matches the person
OR
● Yeah, nah, not gonna happen mate!

Slide 52

Other thoughts
Security matters

Slide 53

Besides the flow, there are a few other things you can do
Other security measures
Passwords, HTTPS, etc.
● OWASP
● Password managers
● HTTPS
● Password rules
● Multi Factor Authentication

Slide 54

Just follow OWASP best practices
OWASP
Open Web Application Security Project
● Their Top 10 of vulnerability risks is a good place to start
● Juice Shop project
● Zed Attack Proxy
● And a lot more!

Slide 55

A password manager helps!
Password managers
Don’t use sticky notes
● Explain to your client why
● Explain the benefits
● DO NOT EVER disable pasting of passwords in password fields
● Suggest them to your client, here are a few:
  ● BitWarden (My favourite, I’m not being paid to say this)
  ● 1Password
  ● LastPass

Slide 56

Put all your sites on HTTPS.
HTTPS
The S stands for “Secure Connection”
● Try visiting an http site on hotel wifi and compare it to https
  ● See screenshots on next slide
● Let’s Encrypt
  ● CertBot, ACME2, Secure updates… Let’s Encrypt
● Don’t go EV, never go EV
  ● Seriously, it’s a waste of money nowadays
● Keep your certificates up to date
  ● CertBot does that for you
● Register as HSTS
● Force HTTPS across your entire site
  ● Show your clients Troy Hunt’s demo if they are not sure
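"Force HTTPS across your entire site" and "Register as HSTS" done inside the application, as an added example; this is not framework code. It assumes SilverStripe 4's HTTPMiddleware and Director API; registering the class in Injector configuration and the preload submission on hstspreload.org are separate steps not shown here, and ForceHttpsMiddleware is an invented name.

```php
<?php
// Added example, not framework code: a SilverStripe 4 HTTPMiddleware that sends
// every plain-http request to its https twin and adds the HSTS header to https
// responses. Registering it (Injector config) and the preload submission are assumed.
use SilverStripe\Control\Director;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Control\HTTPResponse;
use SilverStripe\Control\Middleware\HTTPMiddleware;

class ForceHttpsMiddleware implements HTTPMiddleware
{
    // Roll out with a short max-age (minutes): a wrong HSTS header keeps browsers
    // off http for that long. Raise to a year and add "preload" only once every
    // subdomain serves valid https, because includeSubDomains covers all of them.
    const HSTS_VALUE = 'max-age=31536000; includeSubDomains; preload';

    public function process(HTTPRequest $request, callable $delegate)
    {
        if (!Director::is_https($request)) {
            // Never answer content over http: permanent redirect to the same path on https.
            $target = 'https://' . $request->getHeader('Host') . '/' . ltrim($request->getURL(true), '/');
            $redirect = new HTTPResponse();
            $redirect->redirect($target, 301);
            return $redirect;
        }
        $response = $delegate($request);
        // Browsers only honour HSTS on https responses, hence after the check above.
        $response->addHeader('Strict-Transport-Security', self::HSTS_VALUE);
        return $response;
    }
}
```

Behind a load balancer that terminates TLS, Director::is_https() only sees https when the proxy is trusted (SilverStripe's TrustedProxyMiddleware and the X-Forwarded-Proto header); put this middleware after that one, otherwise every request looks like http and the redirect loops.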

Slide 57

Seriously, HTTPS
The S stands for “Secure Connection”
Public hotel wifi, same page, http vs. https

Slide 58

Password Rules
It’s really simple
Minimum of 16 characters. I don’t care which as long as they’re not the same

Slide 59

HaveIBeenPwnd
And don’t appear in HaveIBeenPwnd
Okay, I care a little bit
● Check new passwords against known breaches
  ● firesphere/silverstripe-haveibeenpwnd
● Block known breached passwords
  ● Doesn’t matter if it wasn’t a breach from your site
● Don’t reuse your passwords
● Don’t expire passwords
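The rules of the previous two slides (at least 16 characters, not all the same character) together with a breached-password check, as an added example; this is not the firesphere/silverstripe-haveibeenpwnd module's code. It uses Have I Been Pwned's documented range endpoint (https://api.pwnedpasswords.com/range/ followed by the first 5 hex characters of the password's SHA-1), so only that prefix ever leaves the server and the comparison happens locally. The function names and the sample range response are constructed for this example.

```php
<?php
// Added example (not the silverstripe-haveibeenpwnd module): the slides' password
// rules plus a k-anonymity lookup against Have I Been Pwned. $fetchRange takes a
// 5-hex-char SHA-1 prefix and returns the HIBP range body ("SUFFIX:COUNT" lines).

/** All policy violations for $password; an empty array means it passes. */
function passwordPolicyErrors(string $password, callable $fetchRange): array
{
    $errors = [];
    if (mb_strlen($password) < 16) {
        $errors[] = 'Use at least 16 characters';
    }
    $distinct = array_unique(preg_split('//u', $password, -1, PREG_SPLIT_NO_EMPTY));
    if (count($distinct) < 2) {
        $errors[] = 'Do not repeat a single character';
    }
    $seen = pwnedCount($password, $fetchRange);
    if ($seen > 0) {
        $errors[] = "This password appears in known breaches ($seen times), choose another";
    }
    return $errors;
}

/** Times $password appears in HIBP; only the first 5 hex chars of its SHA-1 are sent out. */
function pwnedCount(string $password, callable $fetchRange): int
{
    $hash = strtoupper(sha1($password));
    $prefix = substr($hash, 0, 5);
    $suffix = substr($hash, 5);            // the remaining 35 hex chars, compared locally
    foreach (preg_split('/\R/', (string) $fetchRange($prefix)) as $line) {
        [$candidate, $count] = array_pad(explode(':', trim($line), 2), 2, '0');
        if (hash_equals($suffix, strtoupper($candidate))) {
            return (int) $count;
        }
    }
    return 0;
}

/** Live lookup. Returns '' when HIBP is unreachable, which pwnedCount() treats as "not seen". */
function hibpRange(string $prefix): string
{
    $ctx = stream_context_create(['http' => [
        'header'  => "User-Agent: example-password-policy\r\nAdd-Padding: true\r\n",
        'timeout' => 5,
    ]]);
    $body = @file_get_contents('https://api.pwnedpasswords.com/range/' . $prefix, false, $ctx);
    return $body === false ? '' : $body;
}

// Constructed stand-in for hibpRange() so the example runs offline. The first
// suffix is SHA-1("password") without its 5-char prefix; the counts are made up.
$fakeRange = function (string $prefix): string {
    return $prefix === '5BAA6'
        ? "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n0000000000000000000000000000000000A:2\r\n"
        : '';
};

print_r(passwordPolicyErrors('password', $fakeRange));                     // a short, leaked password
print_r(passwordPolicyErrors('aaaaaaaaaaaaaaaaaaaa', $fakeRange));         // one repeated character
print_r(passwordPolicyErrors('correct horse battery staple', $fakeRange)); // a long passphrase
```

Two choices to be aware of: an unreachable HIBP fails open here (the password is accepted without the breach check), which keeps password changes working during an outage but lets a breached password through; a stricter deployment can fail closed by treating an empty range body as an error. And the counts are compared with hash_equals() only to keep the comparison constant-time out of habit; the real protection is that the full hash never leaves the server.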

Slide 60

Any MFA implementation is better than none
MFA
Just do it
● Users will hate you for it
  ● Until they see how their CMS account credentials are suddenly used on their banking without them knowing
● The process of SilverStripe supported modules has been started
  ● Give it a little bit of time, okay?

Slide 61

In a nutshell
So...
Things get better
● SilverStripe 4 authentication is better
● Find your in-house security expert (or be the in-house expert!)
● EVERYBODY makes mistakes
● Password managers
● HTTPS
● OWASP
● MFA

Slide 62

Who to follow
Twitter
● @Firesphere (that’s me!)
● @troyhunt (Troy Hunt)
● @scott_helme (Scott Helme)
● @j_opdenakker (John Opdenakker)
● @SilverStripe (You know, that company)
● @DefuseSec (Taylor Hornby)
● @ss2342 (Stephen Shkardoon)
● @ismonkeyuser (Monkey User cartoons)

Slide 63

Any questions?
Pretty sure you have questions, I covered a shitload of things! Speak up!

Slide 64

Thank you!
@Firesphere
https://github.com/Firesphere
[email protected]
https://speakerdeck.com/firesphere
https://casa-laguna.net

Slide 65

Okay, I have a question
What are your thoughts, how can we improve further? Speak up!

Slide 66

Links
Links in this presentation
● https://www.instagram.com/p/Bom9l5LAIzc/
● https://github.com/Firesphere/silverstripe-bootstrapmfa
● https://github.com/Firesphere/silverstripe-bootstrap3mfa
● https://github.com/Firesphere/silverstripe-haveibeenpwnd
● https://www.owasp.org
● https://bitwarden.com
● https://1password.com
● https://lastpass.com
● https://www.troyhunt.com/extended-validation-certificates-are-dead/
● https://hstspreload.org/
● https://www.troyhunt.com/heres-why-your-static-website-needs-https/
● https://twitter.com/jaffathecake/status/1044121129848377344