SECURITY FOR DESIGNERS

equableunalaska (Security)

9 Dec 2013 (3 years and 8 months ago)

and people who make their own sites

By Carlton Sue

@iamcarlsue


carlton.sue@fishnetsecurity.com

SECURITY FOR DESIGNERS

OVERVIEW

Introduction
Choosing a Target
  Myths and Facts
  Target Surface
Popular Vulnerabilities
  XSS
  SQL injection
  Misconfiguration and Updates
Working on the Road
  VPN
  Secure WiFi vs Open WiFi
Environment security
  Connecting to hosts
  Server updates
  Checking what's out there
  Nessus & Nmap
PCI and standards compliance
Web Goat/OWASP
Contact info

INTRODUCTION


Name: Carl Sue

Occupation: Security Researcher (Pen Tester, Hacker)

Company: Security Analyst at FishNet Security.

Background: 4 years IT consulting at Nominal Components, 1 year development experience (web development/Unity) at PrimerLabs, 1 year IT and Security Manager at Pro-In-Sites, 1 year Web Application Security Analyst at FishNet Security.

Education: A.A. Computer Science, MiraCosta College.

Speaker at: BarCamp SD, FMoF, WIMP, Ignite-ToorCamp, ToorCon SD.

CHOOSING A TARGET: MYTHS AND FACTS

Myths

Hackers are magic; see James Bond or just about any "TV/Movie Hacker".

Hackers attack at random. While not entirely a myth, some hackers are motivated differently than others; rent still costs money, and standard legal pay is high.

____<insert technology here>____ is secure. Security is more about risk mitigation than risk removal.

Hackers are all bad. Sorry, there are two sides to every coin; the best hackers are usually neutral.

Facts

It takes a hacker a long time to build an attack, and time usually equals money.

Insecure sites (or hosts) can be used to launch an attack, obfuscating the attacker's true location.

Hardened targets deter hackers. Your site may not be completely secure, but if it looks harder to hack than the competition, the hacker may look for targets elsewhere.


CHOOSING A TARGET: TARGET SURFACE

Most hackers choose targets based on low-hanging fruit: an out-of-date CMS, eval(), script execution, and unfiltered content entry.

Exposing your server can pique a hacker's interest.

All ports should be closed when not in use (e.g. SSH).

The smaller your target surface is, the better.

For larger companies, sites like Shodan (http://shodanhq.com) can be used to discover unknown target surface.

Anything on your site can potentially be searched for on Google; entire books are written on this.

POPULAR VULNERABILITIES

POPULAR VULNERABILITIES: XSS

Cross-site scripting (XSS) is a vulnerability caused by the unexpected execution of scripts on the client.

XSS is usually JavaScript; however, the term is used to describe any unwanted script execution triggered by an attacker.

Analysts estimate that 90% of sites on the internet are vulnerable to XSS.

DOM-based XSS attacks content loaded after a browser has retrieved the page.

DOM XSS attacks stick out to users and require being sent to the victim, but can still result in large information leaks.

Non-Reflected XSS is an attack that is sent to a user, who makes a request carrying the exploit, triggering the effect.

Reflected XSS, the most damaging because it affects anyone who browses to it, takes place when an attacker infects a page with a malicious script.

Most XSS exploits can be blocked by escaping characters (& becomes &amp;) when they get submitted, and by using a policy engine to sanitize user input against a whitelist.

Google "XSS cheat sheet OWASP" for more information.
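As an added example that is not part of the original slides, the following Python code shows the two defenses named above: escaping characters such as & to &amp; before untrusted text lands in a page, and a whitelist sanitizer that keeps only a small set of harmless tags and drops every attribute (so onclick= and javascript: links never survive). The ALLOWED_TAGS set and the sample inputs are constructed for the demonstration; nothing here is the speaker's own code.

```python
import html
from html.parser import HTMLParser

# Constructed whitelist: the only tags allowed to survive sanitization.
# Attributes are never kept, so event handlers and javascript: URLs are dropped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p"}


def escape_for_html(untrusted: str) -> str:
    """Escape untrusted text so the browser renders it as text, never as markup.

    html.escape turns & < > " ' into &amp; &lt; &gt; &quot; &#x27;.
    """
    return html.escape(untrusted, quote=True)


class WhitelistSanitizer(HTMLParser):
    """Rebuild input keeping only whitelisted tags; all text is re-escaped."""

    def __init__(self) -> None:
        # convert_charrefs=True hands us decoded text, which we escape again below,
        # so an input of "&lt;" cannot sneak through as a raw "<".
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes intentionally discarded

    def handle_endtag(self, tag: str) -> None:
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        # Text content (including the body of a dropped <script>) is escaped,
        # so it is displayed rather than executed.
        self.out.append(html.escape(data, quote=True))


def sanitize_with_whitelist(untrusted: str) -> str:
    """Policy-engine style sanitization: allow a known-good subset, reject the rest."""
    parser = WhitelistSanitizer()
    parser.feed(untrusted)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of user-submitted content.
    sample = '<b>hello</b><script>alert("xss")</script><a href="javascript:alert(1)">link</a>'
    print("escaped  :", escape_for_html(sample))
    print("sanitized:", sanitize_with_whitelist(sample))
```

Use escape_for_html for plain text fields (comments, names, search terms) and sanitize_with_whitelist only where users are genuinely allowed some formatting; escaping on output is the default, the whitelist is the exception.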

POPULAR VULNERABILITIES: SQL INJECTION

SQL Injection is a very damaging attack that can create a severe information leak.

SQL Injection occurs when a web site or application accepts and executes SQL commands.

SQL Injection is common with PHP and ASP/.NET sites.

SQL Injection occurs when a SQL query enters a program from an untrusted source and is executed.

To avoid this attack, developers can use prepared statements, which keep attackers from being able to change query intent.

Similarly, developers can use stored procedures.

Both use predefined queries and accept parameters at runtime.

A third method of defense is escaping all user-supplied input, server side, with database-defined escape values.

Escaping characters allows a database to determine the difference between "untrusted" content and the developer's code.

Prepared statements and stored procedures are recommended, and all three can be used in combination.

POPULAR VULNERABILITIES: MISCONFIGURATION

Our final popular vulnerability is misconfiguration.

Misconfiguration occurs when an application's environment becomes outdated or has settings that are known to cause vulnerabilities.

In this case an environment is defined as anything between and including the host's operating system and the framework plugins.

A web application/site Content Management System (CMS) needs to be checked regularly for updates to both the core framework and plug-ins / add-ons.

Below a CMS run a database and at least one web server technology; "0-day" exploits cause developers to release security patches that should be applied.

If the application connects to other services (IMAP, Active Directory, FTP, etc.), make sure to keep these services updated, especially if the service is not local.

Development teams at all levels release security patches; these should be applied as soon as possible.

A host manager should keep the host and the host's services up to date with regular patches and distribution upgrades.

WORKING ON THE ROAD

WORKING ON THE ROAD: SECURE VS OPEN WIFI

Secure WiFi (WEP, WPA/2) is slightly mislabeled; it should be called Exclusive WiFi.

Some coffee shops (Starbucks) offer segregated networks.

Most local coffee shops do not offer segregated networks.

If the network is not segregated, users with access to the WiFi password can still capture traffic.

"Secure" refers to the connection, not the network.

It is like living in a gated community with a neighbor who is a cat burglar.

Open WiFi, on the other hand, allows anyone with the right equipment to capture your traffic.

Ultimately, being on WiFi (unless the network is segregated) opens you up to having your traffic captured.

There are a few technologies that protect against traffic capture.

VPNs, SSL, and SSH are great ways to encrypt traffic for transfer over WiFi.

WORKING ON THE ROAD: VPN

Virtual Private Network.

VPNs provide a secure way to connect to other networks.

They come in three flavors: OpenVPN, PPTP, and L2TP/IPSec.

PPTP is a basic protocol, all but out of use due to security issues and instability.

PPTP's only real advantage is its compatibility and ease of setup.

OpenVPN uses open source protocols to provide a very FAST and still secure connection.

OpenVPN's limitations exist almost exclusively in compatibility with mobile.

L2TP/IPSec uses the IPSec protocol to handle encryption and is approved for NSA Top Secret transfer (AES-256).

L2TP is slightly slower than OpenVPN due to encryption.

L2TP is quite hard to set up, but once it is, it's solid as a rock.

L2TP provides native support for all desktop and mobile devices.

ENVIRONMENT SECURITY

ENVIRONMENT SECURITY: CONNECTING TO HOSTS

SSH/SCP is a technology for connecting to other computers over a network, on port 22.

It provides a "tunnel" to direct traffic, similar to a VPN, when using the -D flag (ssh -D <local-port> -p <port> user@host).

It can be used through the terminal or with GUI software (FileZilla) to provide folders.

It is the standard way of connecting to a server to make changes.

SSL is used for public identification of a specific device or network.

It is verified by a third party called a CA, or Certificate Authority.

It can be used for encrypting traffic and for verifying identity in both directions, but is usually only used for clients to verify servers.

It can protect against traffic capture.

FTP, the File Transfer Protocol, provides file transfer.

Files should be transferred using the SFTP protocol to encrypt traffic during transfer.

Traffic moves through many devices when moving across the internet; encryption protects your data from being captured by these devices.

ENVIRONMENT SECURITY: SERVER UPDATES

Servers require regular updating, and so does everything else.

Windows servers run Windows Update at least once a month: "Patch Tuesday", the 2nd Tuesday of the month.

Mac OS: run Software Update, or the App Store, regularly for security patches.

Unix/Linux package managers handle updates (Ubuntu: apt-get update; apt-get upgrade).

Be careful when updating: some updates require reconfiguration. If a live service needs to be updated, test on a beta server first.

Distribution updates are important too and should be invested in as soon as possible.

ENVIRONMENT SECURITY: NESSUS & NMAP

If you run your own server or VPS, you can use tools like Nessus and Nmap to run scans on your server.

The results of Nessus will provide an idea of what your full attack surface is.

Nessus has a community version available for free; for larger infrastructures it is worth its cost.

Nmap, on the other hand, is free and can help you find ports and services that might be accidentally open.

Many other tools come available on BackTrack that can help you get a better idea of your attack surface.

WEB GOAT/OWASP

WebGoat is an application designed by OWASP (Open Web Application Security Project) for teaching how web applications get exploited.

It provides an example of each of the top ten most discovered vulnerabilities.

It shows instructions on understanding these vulnerabilities better so they can be defended against.

OWASP is a great resource for keeping up to date with common web application vulnerabilities.

OWASP offers a large number of cheat sheets and references for web application vulnerabilities.

PCI AND STANDARDS COMPLIANCE

The Payment Card Industry Data Security Standard (PCI) is an information security standard for organizations that handle cardholder information.

PCI is a quickly judged standard that businesses can use to show they are aware of their clients' privacy and have an interest in protecting it.

It is similar to the BBB for ecommerce and online sales.

Unlike the BBB, PCI certification is distributed and can be acquired from any company that offers PCI compliance testing.

HIPAA, the Health Insurance Portability and Accountability Act, is used for medical compliance.

Compliance certifications represent an industry standard and provide peace of mind.

CONTACT INFO


Thanks to WIMP for having me!


Site:
http://carlsue.com


Twitter: @iamcarlsue


Custom BackTrack 5 r3 with WebGoat: http://goo.gl/9akF0