security theatre (php leuven)
TRANSCRIPT
Security Theatre@thomas_shone
Image by Matt McGee released under CC BY-ND 2.0
Illusion
Denial
I know about OWASP!
If you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated”
@thegrugq
Reference: https://twitter.com/thegrugq/status/658991205816995840
But I use antivirus!
Crypting services makes most antivirus techniques useless
Reference: http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/
Let us put an unsecured node.js server on your personal
computer
TrendMicro Antivirus on WindowsJan 2016
https://code.google.com/p/google-security-research/issues/detail?id=693
Remote code-executions via your mail client downloading an
Sophos AntivirusJune 2015
https://lock.cmpxchg8b.com/sophailv2.pdf
Internet of Things
Reference: https://www.yahoo.com/tech/dutch-consumer-group-demands-samsung-151703102.html
We’re all bad at security
Users are bad at security
Hackers are bad at security
A study in scarlet
43 applications, libraries and frameworksover 4,800 versionsover 10 million files
255,000 scansAbout 6k/month from June 2012 - Nov 2015
ResultsJuly 2015
Most popular softwareIt’s not what you think
How bad is it?
Why is it so bad?
I have seen thingsPh'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn
Versioning Hell1.3-final-beta6-pre-patch3
OpenXBackdoored for almost a year
Lessons Learnt
VersioningProjects with bad versioning also have some
of the worst security issues
Automatic PatchingIf your software comes with automatic
upgrading, people will use it
Plugins and TemplatesIf an update needs manual changes for
plugins or template, no one updates
Patch Fatigue Exists
Image by Aaaron Jacobs released under CC BY-SA 2.0
Anger
Image by Josh Janssen released under CC BY-ND 2.0
Why doesn’t someone do something about it?
Private industry keep threatening security researchers
"How many Fortune 500 companies are hacked right now?
Answer, 500."Mikko Hypponen, CRO of F-Secure
Reference: https://twitter.com/mikko/status/184329161257652227
Why don’t we have some form of standard?
We have ISO 27001/2, ISO 15408, RFC 2196, PCI DSS, NIST, …
Reference: https://en.wikipedia.org/wiki/Cyber_security_standards
Why doesn’t the government do something about it?
A Ukrainian power plant was hacked & shutdown because
someone had macros enabled in Excel
Reference: https://t.co/PA7cDQC9EI
NSA: We’re just upgrading your megaflops, promise.
Reference: https://t.co/PA7cDQC9EIImage by Unknown released into the Public Domain
Bargaining
Image by Jeroen Moes released under CC BY-SA 2.0
But what if we installed advanced IDSs, WAFs and
specialised network hardware
We probably only knew about one of the two backdoors in our
system
Juniper NetworksDec 2015
http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/
IDSs produce reports. Managers likes reports: it helps them feel like they can "manage" security
http://security.stackexchange.com/questions/12164/how-effective-is-an-ids-at-catching-targeted-attacks
We’ll start following prescribed security standards
That’s great for your insurance premiums
Depression
Ninety percent of everything is crap.
Sturgeon's law
Reference: https://en.wikipedia.org/wiki/Sturgeon%27s_law
Acceptance
Image by Stephan Brunet released under CC BY-SA 3.0
Effective?
Most of our security practices are ineffective
We do security in isolation
Holistic
Hardware
Drivers
Services
Your Dependencies
Operating System
Your Software
Humans
Network / Internet
Area of Influence
Drivers
Services
Operating System203.5M LoC
Area of Influence
Hardware
Disclaimer: Numbers generated using cloc (Service LoC limited to latest releases of MySQL, Apache and PHP)
Operating SystemArea of Influence
Humans DNA7B LoC
Source: http://www.examiner.com/article/dna-the-ultimate-source-code
Hardware
Drivers
Services
Your Dependencies
Operating System
Your Software
Humans
Network / Internet
HR/Training/LART device
System Administrators
Downstream Providers
Layered
Image by Cadw released under OGL via Commons
Image by Albert Bridge released under CC BY-SA 2.0
Surface Area
Alertness
Image by MeganCollins released under CC BY-NC-ND 3.0
Mitigation
Image by Pivari.com released under CC BY-SA 3.0
Trust
Trust?
Be aware of what you’re trusting
The hardest part of security is not writing
secure code
It’s understanding where you misplace
your trust
Trust is a chain
I trust my computer is not compromised
Up-to-date patches
TRUST
I trust that the software is without vulnerability
Vulnerability research and security updates
TRUST
I trust that the software is configured properly
Automated provisioning
TRUST
I trust that the network is configured properly and secure
Good system administrators
TRUST
I trust you are who you say you are
TLS Certificate Peer Verification or Authentication
TRUST
I trust you are allowed to talk to me about this topic
Authorization
TRUST
I trust that what you send me hasn’t been tampered with
Hashes, CRCs or signatures
TRUST
I trust that what we talk about is just between us
Public and private keys
TRUST
I trust your computer is not compromised
????
TRUST
I trust that what we talk about won’t be share with others
Contracts, Legalities, Terms of use, ????
TRUST
I trust that the user won’t be the weak link
Training and procedures
TRUST
Turn your chain into a mesh
Image by ineverfinishanyth released under CC BY-NC-SA 2.5
Common Mistakes
WeakeningCompromising encryption or hashing is
about reducing time to crack
ImplementationA bad implementation helps reduce the time
to crack
Authentication
2 Factor Authenticationcomposer require pragmarx/google2fa
OAuth2composer require league/oauth2-client
Sessions
Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false){ parse_str($_SERVER['QUERY_STRING']); session_write_close(); session_id($session_to_unset); session_start(); $_SESSION = array(); session_write_close(); session_destroy(); exit;}
MistakesDeep understanding of the language
CODE SAMPLE
Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false){ parse_str($_SERVER['QUERY_STRING']); session_write_close(); session_id($session_to_unset); session_start(); $_SESSION = array(); session_write_close(); session_destroy(); exit;}
MistakesDeep understanding of the language
CODE SAMPLE
Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
Writes $_SESSION to disk
if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false){ parse_str($_SERVER['QUERY_STRING']); session_write_close(); session_id($session_to_unset); session_start(); $_SESSION = array(); session_write_close(); session_destroy(); exit;}
MistakesDeep understanding of the language
CODE SAMPLE
Extracts URL parameters into the namespace.
session_to_unset=a becomes $session_to_unset = “a”;
Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
Encryption
Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
Avoid old tutorials on encryption
https://gist.github.com/paragonie-scott/e9319254c8ecbad4f227
Failed: Error Number: 60. Reason: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
// Many old tutorials and posts suggest disabling peer verificationscurl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
// Thankfully PHP 5.6+ handles CA certificate location automatically// now thanks to https://wiki.php.net/rfc/improved-tls-defaults and// Daniel Lowrey
Avoid advice like thisWeakening security for convenience
CODE SAMPLE
Hashing
Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
One way encodingComparisons / Integrity Checks
Weak hash functions+/- 690GB rainbow tables
Reference: http://project-rainbowcrack.com/table.htm
1,406,470,543Number of accounts publicly leaked
Reference: https://haveibeenpwned.com/
$password = 'rasmuslerdorf';$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';
// Is this call safe?if (crypt($password, $hash) === $hash) { echo 'Password is correct';}// What about this one?if (password_verify($password, $hash)) { echo 'Password is correct';}
Bad implementationWhere is the weakness?
CODE SAMPLE
Timing AttacksBrute forcing cryptographic functions via
time taken to execute
$string1 = 'abcd';$string2 = 'abce';$string3 = 'acde';
for ($i=0; $i<10000; $i++) { ($string1 === $string2); }// Time taken: 0.008344
for ($i=0; $i<10000; $i++) { ($string1 === $string3); }// Time taken: 0.006923
Timing AttacksHow it works
CODE SAMPLE
Timing attacks can be used to work out if an account exists [...].
@troyhunt, haveibeenpwned.com
Reference: https://t.co/5WkQ48suj7
Well actuallyAmount of randomness matters
Reference: http://blog.ircmaxell.com/2012/12/seven-ways-to-screw-up-bcrypt.html
$password = 'rasmuslerdorf';$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';
// Check the passwordif (password_verify($password, $hash)) { echo 'Password is correct'; if (password_needs_rehash($hash, PASSWORD_DEFAULT)) { // Rehash and store in database $new_password = password_hash($password, PASSWORD_DEFAULT); }}
RehashBuild it into your flow
CODE SAMPLE
Randomness
Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
Non-deterministic randomness is critical in encryption
Used for key generation and nonces
Non-deterministic randomness is hard
Dual_EC_DRBG was in use for 7 years
// NOT cryptographically securerand();
// Cryptographically secure (uses OS-specific source)random_int();
// Cryptographically secure (uses OS-specific source)random_bytes();
// Cryptographically secure (uses OpenSSL library)openssl_random_pseudo_bytes();
Random in codeKnow the source
CODE SAMPLE
Information Disclosure
HEAD http://example.com/index.php200 OKConnection: closeDate: Sat, 26 Dec 2015 13:52:01 GMTServer: ApacheContent-Type: text/html; charset=UTF-8Client-Date: Sat, 26 Dec 2015 13:52:01 GMTClient-Peer: 192.168.0.101:80Client-Response-Num: 1X-Powered-By: PHP/5.5.11
Information DisclosureEvery piece of information can be leveraged
LOG SAMPLE
HEAD http://example.com/index.php200 OKConnection: closeDate: Sat, 26 Dec 2015 13:52:01 GMTServer: ApacheContent-Type: text/html; charset=UTF-8Client-Date: Sat, 26 Dec 2015 13:52:01 GMTClient-Peer: 192.168.0.101:80Client-Response-Num: 1X-Powered-By: PHP/5.5.11
Information DisclosureEvery piece of information can be leveraged
LOG SAMPLE
Warning: require(assets/includes/footer.php) [function.require]: failed to open stream: No such file or directory in /home/user/path/to/assets/includes/operations.php on line 38
Fatal error: require() [function.require]: Failed opening required 'assets/includes/footer.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/path/to/assets/includes/operations.php on line 38
Information DisclosureEvery piece of information can be leveraged
LOG SAMPLE
Social Engineering
Weak password reset processes
Can you Google the answer?How do you handle customer support reset?
Customer support training
Convenience vs Security
@N’s (Naoki Hiroshima) Story
How do you mitigate against this?
Hope
Image by Jenny released under CC BY-NC-ND 2.0
Holistic
A.B.C.
Always Be C Patching
Patching StrategyIf a dependency prevents updating, resolve it
now
Version properlyMajor.Minor.Patch. How hard is that?
Don’t become comfortable
Comfort breeds contempt
ReadKnow about new threats and best practice
changes
Training StrategyHave a process for dealing with account
locks and resets
Compromise StrategyHave a plan before you need it
InformationOnly store what you really need
Mistakes will be madeLearn from them
Rate limitBuilt it now, or you’ll have to build it while an
incident is underway
Monitor everythingYou’re more likely to be alerted by a graph
spiking than your IDS
Decouple rolesDatabases, servers, domains, roles, ...
Composer everythingThere is no excuse anymore
Decouple plugins/templates
Updates should be simple
Get behind PSR-9 & 10http://www.php-fig.org/psr/
Group Performance
Image by Matt McGee released under CC BY-ND 2.0
Thank youFeel free to DM me on @thomas_shone with questions
$string1 = 'abcd';$string2 = 'abce';$status = 0;
if (mb_strlen($string1, '8bit') != mb_strlen($string2, '8bit')) { return false;}for ($i = 0; $i < mb_strlen($string1, '8bit'); $i++) { $status|= (ord($string1[$i]) ^ ord($string2[$i]));}return $status === 0;
Timing AttacksHow it works
CODE SAMPLE