web & cloud security in the real world
TRANSCRIPT
![Page 2: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/2.jpg)
Madhu Akula - Profile
• Information Security Researcher
• Chapter Lead & Speaker, null
• Acknowledged by US Department of Homeland Security
• Found bugs in Google, Microsoft, Yahoo, Adobe, etc.
• Open Source Contributor
• Interested in Automation & DevOps
• Never-ending learner!
www.madhuakula.com
![Page 3: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/3.jpg)
This is for educational purposes only; I am not responsible for any illegal activities done by anyone.
![Page 4: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/4.jpg)
Let’s talk about Social Engineering
![Page 5: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/5.jpg)
My Experience!
![Page 6: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/6.jpg)
Fake Emails
![Page 7: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/7.jpg)
Demo
![Page 8: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/8.jpg)
Data Breaches in the Wild
http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
![Page 9: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/9.jpg)
Sample Web Architecture
![Page 10: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/10.jpg)
Web Security Statistics
http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed6.pdf
![Page 11: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/11.jpg)
Common Web Attacks
• Cross Site Scripting (XSS)
• SQL Injection
• Information Disclosure
• Remote Code Execution
Recent:
• Cross Site Port Attacks
• Reflected File Download
• Etc.
![Page 12: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/12.jpg)
SQL Injection
• SQL Injection is one of the most used vectors when malicious people want to create a new botnet.
• SQL injection occurs when untrusted data is sent to an interpreter as part of a command.
• It can allow an attacker to take control of the database.
![Page 13: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/13.jpg)
• SQL Injection Attack
• Number plate to foil an automatic license plate scanner!
• An attack which allows SQL to be executed as part of the input
![Page 14: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/14.jpg)
Bobby Tables!
https://www.explainxkcd.com/wiki/index.php/327:_Exploits_of_a_Mom
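The Bobby Tables input from the comic, run against a constructed in-memory SQLite table two ways: pasted into the command text (the injection the slides describe) and passed as a query parameter. This is an added example, not code from the deck; `executescript()` stands in for a database driver that accepts stacked statements, and the Audit table is a constructed stand-in for the app's own follow-up statement.

```python
import sqlite3

# Constructed input in the spirit of xkcd 327: the quote closes the string,
# the semicolon ends the statement, and "--" comments out whatever follows.
BOBBY = "Robert'); DROP TABLE Students;--"

def fresh_db():
    """In-memory SQLite database with constructed Students and Audit tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT)")
    con.execute("CREATE TABLE Audit (msg TEXT)")
    con.execute("INSERT INTO Students (name) VALUES ('Alice')")
    con.commit()
    return con

def add_student_vulnerable(con, name):
    """Untrusted data pasted into the command text. executescript() stands in
    for a driver that accepts stacked statements (MySQL with multi-statements,
    MSSQL); the second line is the app's own audit insert that always runs."""
    script = (f"INSERT INTO Students (name) VALUES ('{name}');\n"
              "INSERT INTO Audit (msg) VALUES ('student added');")
    con.executescript(script)

def add_student_safe(con, name):
    """Parameterised query: the value reaches the interpreter as data, not as
    part of the command, so the quote and semicolon are stored literally."""
    con.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    con.execute("INSERT INTO Audit (msg) VALUES ('student added')")
    con.commit()

def table_exists(con, table):
    row = con.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                      (table,)).fetchone()
    return row is not None

def student_names(con):
    return [r[0] for r in con.execute("SELECT name FROM Students ORDER BY id")]

def demo():
    """Returns (was the table dropped by the vulnerable path?, names stored by the safe path)."""
    con = fresh_db()
    add_student_vulnerable(con, BOBBY)
    dropped = not table_exists(con, "Students")
    con2 = fresh_db()
    add_student_safe(con2, BOBBY)
    return dropped, student_names(con2)

if __name__ == "__main__":
    print(demo())  # (True, ['Alice', "Robert'); DROP TABLE Students;--"])
```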
![Page 15: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/15.jpg)
Cross Site Scripting
• An XSS flaw occurs whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping.
• XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect users to malicious sites.
![Page 16: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/16.jpg)
Example
• One of the most infamous examples is the MySpace Samy worm. In less than a day it gained more than a million friends and MySpace had to be shut down.
• An XSS bug on a website's registration page can enable theft of registration details.
• There are many exploitation frameworks for this vulnerability, like BeEF, Xenotix, etc.
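Why the slide says "validation and escaping" rather than validation alone: an added example, not from the deck, that renders constructed profile values through three encoders (none, a denylist that strips script tags, and proper HTML escaping) into two constructed templates and checks which combinations let raw markup reach the browser.

```python
from html import escape
import re

# Constructed untrusted profile values of the kind a registration or
# profile page echoes back into HTML.
SAMPLES = [
    "Alice <3 Python",                 # benign text that still contains '<'
    "<script>alert(1)</script>",       # the obvious case a denylist catches
    '<img src=x onerror="alert(1)">',  # no <script> tag at all
]

# Templates the application renders the value into (constructed).
BODY_TEMPLATE = "<p>About me: {}</p>"
ATTR_TEMPLATE = '<input name="about" value="{}">'

def identity(value):
    """No encoding: what the vulnerable page does."""
    return value

def denylist_filter(value):
    """Validation only: strip <script> tags and hope nothing else executes."""
    return re.sub(r"(?i)</?script[^>]*>", "", value)

def escape_value(value):
    """Output encoding: < > & " ' become entities, so the browser treats the
    whole value as text in both the element and the quoted-attribute context."""
    return escape(value, quote=True)

def render(template, value, encoder):
    return template.format(encoder(value))

def leaks_raw_markup(template, value, encoder):
    """True when an unencoded '<' or '"' from the value reaches the browser,
    i.e. the value can open a tag or break out of the attribute quoting."""
    out = render(template, value, encoder)
    return (out.count("<") > template.count("<")
            or out.count('"') > template.count('"'))

def report():
    """Sorted (encoder name, sample) pairs that leak markup in some template."""
    leaks = []
    encoders = (("none", identity), ("denylist", denylist_filter), ("escape", escape_value))
    for name, enc in encoders:
        for tmpl in (BODY_TEMPLATE, ATTR_TEMPLATE):
            for s in SAMPLES:
                if leaks_raw_markup(tmpl, s, enc):
                    leaks.append((name, s))
    return sorted(set(leaks))
```

The denylist stops the `<script>` sample but not the `<img onerror>` one; escaping neutralises all three, including the benign `<3`, which still renders correctly as text.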
![Page 17: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/17.jpg)
Information Disclosure
• Good security requires having a secure configuration defined and deployed for the applications, frameworks, application server, web server, database server, and platform.
![Page 18: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/18.jpg)
Example
Network Solutions was offering WordPress installations on a shared server. The main configuration file wp-config.php was world-readable, which led to a mass hack of WordPress-based websites.
![Page 19: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/19.jpg)
Remote Code Execution
An attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process.
![Page 20: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/20.jpg)
Recent Popular Zero Days
• Java Deserialization Vulnerability
• Venom Vulnerability
• BEAST Vulnerability (SSL related)
• POODLE Vulnerability (SSL related)
• Heartbleed Vulnerability (SSL related)
• Shellshock Vulnerability
• Etc.
![Page 21: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/21.jpg)
Demo
![Page 22: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/22.jpg)
Let’s talk about Cloud
![Page 23: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/23.jpg)
![Page 24: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/24.jpg)
Threats: Service Provider vs On-Premise
https://www.rackspace.com/knowledge_center/whitepaper/alert-logic-state-of-cloud-security-report-spring-2012
![Page 25: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/25.jpg)
App Insecurity Scenario
• App has a Local File Inclusion bug
• The AWS root credentials are being used
• They are stored in a world-readable file on the server
• Attacker reads the credentials and starts multiple large instances to mine bitcoins
• Victim is saddled with a massive bill at the end of the month
http://www.slideshare.net/akashm/security-in-the-cloud-workshop-hstc-2014
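Both the world-readable wp-config.php on the shared host and the world-readable AWS credentials file above are the same defect: a secret-bearing file with the "other" read bit set. An added example, not from the deck, that builds a constructed shared-host layout in a temporary directory, finds such files and drops their group/other permission bits; the file names treated as sensitive are an assumption for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed list of file names that commonly hold secrets.
SENSITIVE = {"wp-config.php", "credentials", ".env", "config.php"}

def world_readable(path):
    """True when any local user, including other tenants' PHP, can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def scan(root):
    """Relative paths of sensitive files that are world-readable under root."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.name in SENSITIVE and world_readable(p):
            findings.append(str(p.relative_to(root)))
    return sorted(findings)

def remediate(root):
    """Owner read/write only on every finding (mode 0600)."""
    for rel in scan(root):
        os.chmod(Path(root) / rel, stat.S_IRUSR | stat.S_IWUSR)

def build_fixture(root):
    """Constructed layout mirroring the two scenarios on the slides."""
    files = {
        "site1/wp-config.php": 0o644,   # world-readable: the shared-host case
        "site2/wp-config.php": 0o640,   # group-readable only
        "app/.aws/credentials": 0o644,  # AWS keys readable by anyone on the box
        "app/index.php": 0o644,         # public code, fine to be readable
    }
    for rel, mode in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("# constructed placeholder, no real secrets\n")
        os.chmod(p, mode)

def demo():
    """Returns (findings before remediation, findings after)."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        before = scan(root)
        remediate(root)
        after = scan(root)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The permission fix closes the read path; the scenario's other defect, running the app on the AWS root credentials at all, is a separate fix.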
![Page 26: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/26.jpg)
Infra Insecurity Scenario
• MySQL production database is listening on an external port
• Developers work directly on the production database and require SQL management software
• They log in using the root user of the MySQL database server and a simple password
• Attacker runs a brute-force script, cracks the password and gains full access to the database.
http://www.slideshare.net/akashm/security-in-the-cloud-workshop-hstc-2014
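The brute force in this scenario leaves a trail in the MySQL error log as repeated "Access denied" entries for the same user and source host. An added example, not from the deck, that runs a sliding-window count over constructed log lines (simplified MySQL 5.7-style timestamps, documentation IP addresses) and flags the pair that crosses a threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MySQL error-log excerpt; timestamps simplified to whole seconds.
LOG = """\
2015-11-05T10:15:01Z 12 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2015-11-05T10:15:02Z 13 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2015-11-05T10:15:02Z 14 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2015-11-05T10:15:03Z 15 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2015-11-05T10:15:04Z 16 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2015-11-05T10:15:30Z 17 [Note] Access denied for user 'deploy'@'198.51.100.7' (using password: YES)
2015-11-05T10:20:00Z 18 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
"""

LINE_RE = re.compile(r"^(\S+)\s+\d+\s+\[\w+\]\s+Access denied for user '([^']+)'@'([^']+)'")

def parse(log):
    """Yield (timestamp, user, source host) for each failed-login line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3)

def detect_bruteforce(log, threshold=5, window=timedelta(seconds=60)):
    """Map (user, host) -> failure count for pairs that reach `threshold`
    failures inside any `window`-long span of time."""
    events = defaultdict(list)
    for ts, user, host in parse(log):
        events[(user, host)].append(ts)
    alerts = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = end - start + 1
                break
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(LOG))
```

A single failure from a developer's workstation is not flagged, and the later root failure at 10:20 falls outside the window; both the external listener and the root login the scenario describes are what make the flagged burst possible in the first place.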
![Page 27: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/27.jpg)
Heartbleed
https://xkcd.com/1354/
![Page 28: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/28.jpg)
![Page 29: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/29.jpg)
![Page 30: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/30.jpg)
![Page 31: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/31.jpg)
Data Insecurity Scenario
• Database is getting backed up regularly.
• Due to performance reasons, the database wasn't encrypted when the initial backups were done.
• Dev team moves to newer SSDs and doesn't decommission the older HDDs.
• Attacker finds the older HDDs, does forensic data recovery and sells the data for profit.
http://www.slideshare.net/akashm/security-in-the-cloud-workshop-hstc-2014
![Page 32: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/32.jpg)
10 Steps for Cloud
• Enumerate all the network interfaces
• List all the running services
• Harden each service separately based on best practices
• Secure remote access for server management (SSH, RDP)
• Check operating system patch levels
![Page 33: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/33.jpg)
• Harden networking parameters of the kernel (Linux)
• Enable a host firewall
• Do an inventory of all user accounts on the server and audit them
• Enable centralized logging
• Enable encryption on disks, storage, etc.
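One of the ten steps, the user-account inventory and audit, worked as an added example that is not from the deck: it parses constructed /etc/passwd and /etc/shadow excerpts (placeholder hashes) and reports the findings an auditor looks for first, such as extra UID 0 accounts, interactive accounts with an empty password field, and duplicate UIDs.

```python
from collections import defaultdict

# Constructed /etc/passwd and /etc/shadow excerpts with placeholder hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
backup2:x:0:0::/root:/bin/bash
olddev:x:1001:1001::/home/olddev:/bin/bash
"""
SHADOW = """\
root:$6$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
deploy:$6$placeholderhash:19000:0:99999:7:::
backup2:$6$placeholderhash:19000:0:99999:7:::
olddev::19000:0:99999:7:::
"""
NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def parse_passwd(text):
    """name -> {uid, home, shell} from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, gid, _, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "home": home, "shell": shell}
    return users

def parse_shadow(text):
    """name -> password field ('' means no password is set at all)."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l}

def audit(passwd_text, shadow_text):
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    by_uid = defaultdict(list)
    for name, u in users.items():
        by_uid[u["uid"]].append(name)
    interactive = {n for n, u in users.items() if u["shell"] not in NOLOGIN}
    return {
        "extra_uid0": sorted(n for n, u in users.items() if u["uid"] == 0 and n != "root"),
        "no_password": sorted(n for n, h in hashes.items() if h == "" and n in interactive),
        "duplicate_uids": {uid: names for uid, names in by_uid.items() if len(names) > 1},
        "interactive": sorted(interactive),
    }

if __name__ == "__main__":
    print(audit(PASSWD, SHADOW))
```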
![Page 34: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/34.jpg)
Misuses of Cloud (Recent Attacks)
http://thehackernews.com/
![Page 35: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/35.jpg)
![Page 36: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/36.jpg)
Resources
• null – null.co.in
• Security Tube – securitytube.net
• OWASP – owasp.org
• CSA – cloudsecurityalliance.org
• Google – Google.com
![Page 37: Web & Cloud Security in the real world](https://reader035.vdocuments.us/reader035/viewer/2022081605/58ec8d4c1a28ab4e788b45ad/html5/thumbnails/37.jpg)
My info while I answer your questions
Madhu Akula, Information Security Researcher
www.madhuakula.com | Twitter: @madhuakula
[email protected] | +91-9676865642