Date post: 16-Dec-2015
Security Threat Update - The Newest Threats and How to Protect Against Them
Faculty: Scott Greene of Evidence Solutions, Inc.
Scott@EvidenceSolutions.com
www.EvidenceSolutions.com
Transcript
Page 1

Security Threat Update - The Newest Threats and How to Protect Against Them

Faculty: Scott Greene

of Evidence Solutions, Inc.

Scott@EvidenceSolutions.com

Page 2

►If builders built houses the way programmers built programs, the first woodpecker to come along would destroy civilization. - Gerald Weinberg

Page 3

Protect the Information

Provide Access

Page 4

Top-ten threat lists by source:

Rank | Securities Technology          | ASI                             | M86                    | Daily Finance             | SANS
-----+--------------------------------+---------------------------------+------------------------+---------------------------+--------------------------
1    | Mobile Devices                 | Default or Weak Passwords       | Targeted Attacks       | Mobile Threats            | Targeted Malware
2    | C-Level Targets                | SQL Injection                   | Social Media Scams     | Embedded Hardware         | Lack of Incident Response
3    | Social Media Cyber Threats     | Excessive Privileges            | Mobile Malware         | Virtual Currency          | IPv6
4    | You are infected               | Too many DBMS features on       | Third Party Exploits   | OS Advances Steer Hackers | ARM (Mobile) Hacking
5    | Physical Can Be Digital        | Broken Configuration Management | Exploit Kits & Malware | URL Hijacking             | Social Engineering
6    | Cloud Computing                | Buffer Overflows                | Compromised Websites   | Rogue Certs               | Social Media
7    | Breaches will be shared        | Privilege Escalation            | Botnets                | Cyber War                 | Compliance
8    | Zero Day Threats will increase | Denial of Service               | Malware Spam           | Hacktivism                | Monitoring
9    | Insiders                       | Unpatched DBMS                  | Sporting Event Scams   | Legalized Spam            | Wireless Security
10   | Greater Regulation             | Unencrypted data                | Cloud Service Attacks  | Industrial Attacks        | Cloud Computing

Page 5

Threats

►March 30, 2012: Utah Department of Health
  - Records leak: 780,000 personal health records exposed
  - Cause: weak password on server

Page 6

Page 7

Spam & Attack Mitigation

Page 8

Spam & Attack Mitigation

►Log unsuccessful email attempts, both incoming and outgoing. Spear phishers often have to guess the mail format (e.g. [email protected], [email protected], [email protected], etc.), so it is likely the mail server will reject the mis-formatted addresses.

Page 9

Spam & Attack Mitigation

►This is likely the first sign your organization may be targeted.

►By reviewing logs shortly after trigger events, it is possible to learn whether attempts are being made and thus new rule sets can be created to block the sender and alert the individual they are being targeted.

Page 10

Spam & Attack Mitigation

►If it is determined there is an attack against an individual or group occurring, notify the individual or group.
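
The three slides above describe one procedure: log rejected recipients, review the log after a trigger, block the sender and warn the person being probed. The script below is an added example (not from the presentation) that runs that procedure over constructed Postfix-style reject lines; the reject-line format is assumed, and the threshold, the time window and the Postfix access-map entry it emits are the example's own choices.

```python
"""Added example (not from the original presentation): find address-guessing
against the mail gateway in rejected-recipient log lines, produce a block
rule for the sending host and name the person whose address is being guessed
so they can be warned. The log lines are constructed in a Postfix-like
format; the threshold, time window and access-map output are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real traffic): one host tries four spellings of
# one person's address within seconds; a partner host mistypes one address once.
SAMPLE_LOG = """\
Jun  1 09:12:01 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <jsmith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<invoice@vendor-portal.example> to=<jsmith@example.com> proto=ESMTP helo=<mail.vendor-portal.example>
Jun  1 09:12:03 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <john.smith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<invoice@vendor-portal.example> to=<john.smith@example.com> proto=ESMTP helo=<mail.vendor-portal.example>
Jun  1 09:12:04 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <smithj@example.com>: Recipient address rejected: User unknown in local recipient table; from=<invoice@vendor-portal.example> to=<smithj@example.com> proto=ESMTP helo=<mail.vendor-portal.example>
Jun  1 09:12:06 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <j.smith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<invoice@vendor-portal.example> to=<j.smith@example.com> proto=ESMTP helo=<mail.vendor-portal.example>
Jun  1 11:40:22 mx1 postfix/smtpd[2290]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 550 5.1.1 <alice.wong@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@partner.example> to=<alice.wong@example.com> proto=ESMTP helo=<mail.partner.example>
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected.*?from=<(?P<sender>[^>]*)>"
)


def parse_rejects(log_text):
    """Return (timestamp, client_ip, envelope_sender, rejected_recipient) per reject line."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog lines carry no year
            events.append((ts, m["ip"], m["sender"], m["rcpt"].lower()))
    return events


def likely_target(local_parts):
    """Heuristic: the alphabetic token (3+ chars) contained in the most guessed local
    parts is probably the surname being probed, e.g. 'smith' for jsmith/john.smith/j.smith."""
    normalized = [re.sub(r"[^a-z]", "", lp) for lp in local_parts]
    candidates = set()
    for lp in local_parts:
        candidates.update(t for t in re.split(r"[^a-z]+", lp) if len(t) >= 3)
    if not candidates:
        return None
    return max(sorted(candidates), key=lambda t: sum(t in n for n in normalized))


def find_address_guessing(log_text, threshold=3, window_minutes=60):
    """Flag client IPs that hit `threshold` distinct nonexistent recipients within the window."""
    by_ip = defaultdict(list)
    for ts, ip, sender, rcpt in parse_rejects(log_text):
        by_ip[ip].append((ts, sender, rcpt))
    findings = []
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_minutes * 60]
            rcpts = sorted({r for _, _, r in in_window})
            if len(rcpts) >= threshold:
                findings.append({
                    "client_ip": ip,
                    "senders": sorted({s for _, s, _ in in_window}),
                    "guessed": rcpts,
                    "likely_target": likely_target([r.split("@")[0] for r in rcpts]),
                    # Postfix check_client_access map entry (assumed deployment target).
                    "block_rule": f"{ip}\tREJECT address guessing seen at {start:%b %d %H:%M}",
                })
                break  # one finding per client is enough for an alert
    return findings


def alert_text(finding):
    """Message for the mail/security team and for warning the person being probed."""
    return (f"Possible spear-phishing reconnaissance from {finding['client_ip']} "
            f"(sender {', '.join(finding['senders'])}): {len(finding['guessed'])} nonexistent "
            f"addresses tried; warn staff matching '{finding['likely_target']}'.")


if __name__ == "__main__":
    for f in find_address_guessing(SAMPLE_LOG):
        print(alert_text(f))
        print("access map entry:", f["block_rule"])
```

Running it on the constructed sample flags 203.0.113.5 (four spellings of one address in five seconds) and names "smith" as the person to warn, while the partner host's single typo stays below the threshold. The surname heuristic is deliberately simple; in practice the real directory would be consulted to find the employee whose address is closest to the guesses.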

Page 11

Spam Mitigation

Page 12

Spam Mitigation

Page 13

Spam Mitigation

►http://www.spamhaus.org/statistics/networks/

Page 14

Page 15

Mobile Devices

►Including, but not limited to:
  - Cellular phones
  - Smartphones
  - Tablets
  - Laptops

Page 16

Mobile Device Dangers

Page 17

Page 18

Page 19

Page 20

Mobile Device Dangers

►What happens when a smartphone is lost: Symantec did a study where they "lost" 50 cell phones in 5 cities...
  - 72% of people tried to access photos
  - 57% tried to open a file named "Saved Passwords"
  - 43% tried to open an app named "Online Banking"
  - Only 50% of the finders attempted to reunite the phone with its owner.

Page 21

Mobile Device Dangers

►There is a dramatic increase in malware designed to attack mobile devices that run Android.

►The total number of identified threats to Android devices more than quadrupled in the first quarter of 2012, reaching 8,000.

►Part of that increase, however, came from improved detection.

Page 22

Mobile Phone Dangers

►Most mobile malware aimed at Android did not come from apps offered through the Google Play app marketplace.

Page 23

Smart Phone Management

►Mobile Device Management (MDM): this product line secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises.

►MDM typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices: mobile phones, smartphones, tablets, etc.

Page 24

Smart Phone Management

►This applies to both company-owned and employee-owned (BYOD) devices across the enterprise or mobile devices owned by consumers.

Page 25

Smart Phone Management

►MDM abilities include:
  - Inventory
  - Updates
  - Diagnostics
  - Backup & Restore
  - Asset Tracking
  - Password Enforcement
  - Encryption
  - Remote Control / Management
  - Remote Lock
  - Remote Wiping
  - Software Installation
  - Locating and Breadcrumbing
  - Software Whitelist / Blacklist
  - Corp Data Tracking

Page 26

Smart Phone Management

►Issues: User Consent / Policy
  - General Policy
  - Eligibility
  - Acceptable Use
  - Financial Responsibility
  - Program Management
  - Equipment

Page 27

Smart Phone Management

►Acceptable use:
  - While driving a motor vehicle
  - Personal use
  - Use in accordance with COMPANY Code of Conduct

Page 28

Smart Phone Management

►Issues: Sandboxing of corporate data
  - Makes employees feel good
  - Rooting (some systems try to detect it)

Page 29

Solutions

►Microsoft Exchange ActiveSync (EAS)
►Websense
►Blackberry Enterprise Server

Page 30

Page 31

Instant Messaging (IM)

►Text
►Webcams
►Voice
►Files

Page 32

Instant Messaging (IM)

►Vulnerabilities:
  - Sending / receiving sensitive data
  - Viruses aimed at IM (Choke virus)

►Antivirus tools at the gateway do not detect IM traffic and therefore will not see viruses that are received by users.

►Hackers have used IM networks to deliver:
  - Phishing attempts
  - Poison URLs
  - Virus-laden files

►These deliveries are done by:
  - Sending files that users execute; these could be viruses, trojans or spyware
  - The use of "socially engineered" text and web addresses that entice the recipient to open a URL that then downloads malicious code.

Page 33

Instant Messaging (IM)

►The IM Security Center, a collaboration between security companies and corporations, has tracked attacks over IM since 2003 and shows well over 1000 distinct attacks over the public IM networks.

►Since 2007 there has been a steady increase in IM attacks.

►While still small in number, IM attacks continue to grow with the increased usage of IM.

►Coupled with the adoption of IM in the workplace, this makes IM an attractive vector for hackers.

►Individuals and companies must take precautions to avoid infection.

Page 34

Peer to Peer Networks (P2P)

►Peer to peer:
  - Local shared network resources (location specific)
  - Wide area peer to peer networking software (anywhere in the world)

Page 35

Peer to Peer Networks (P2P)

►Many peer-to-peer networks are under constant attack in a variety of ways:
  - Poisoning attacks by supplying files with enticing names.
  - Man-in-the-middle (the attacker intercepts files by obtaining the communication between two different users. Attackers can go on to change the information or simply pass it on untouched. This is all done undetected.)

Page 36

Peer to Peer Networks (P2P)

  - Polluting attacks by inserting "bad" chunks/packets into a valid file on the network (sometimes done by man in the middle)
  - Defection attacks (attaching to networks where security is lax)
  - Malware in the peer-to-peer network software itself. The software is distributed containing spyware or trojans.
  - Denial of service attacks

Page 37

Peer to Peer Networks (P2P)

  - Identity attacks (tracking down the users of the network and harassing or legally attacking them)
  - Spamming (sending unsolicited information across the network, not necessarily as a denial of service attack and not necessarily e-mail)
  - Sybil attacks (one malicious identity that can be presented as multiple identities, allowing the attacker to control a whole portion of the network)

Page 38

Peer to Peer Networks (P2P)

►Personal information is at risk because users expose certain files by putting them in shared document folders.

►These documents are at risk due to misplaced files, confusing interface design, incentives to share a large number of files, general laziness on the part of the user, wizards designed to determine media folders, and poor organization habits.

Page 39

Peer to Peer Networks (P2P)

►Future risks: second generation peer-to-peer file sharing software now has the ability to search indexes using file names and information that is associated with the files. This makes it easy to search for "Bank Account" information.

►These can also search using regular expressions:
  - 1=\<5\d\d\d[\-\. ](\d\d\d\d[\-\. ]){2}\d\d\d\d\>
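
The same pattern is more useful pointed at your own shared folders than it is to the people searching them: if card-number-like strings can be found in a document before it goes into a share, the document can be pulled first. The script below is an added example (not from the presentation) that does that scan with the slide's regular expression. The `\<` and `\>` word anchors are grep syntax and are translated to Python's `\b`; the Luhn checksum, the constructed file contents and the folder layout are the example's own additions (the card numbers in it are the standard published test numbers, not real accounts).

```python
"""Added example (not from the original presentation): scan files before they
go into a shared folder for card-number-like strings, using the slide's
regular expression. The pattern is translated from grep-style \< \> word
anchors to Python's \b; the Luhn check and the sample file contents are
additions (the card numbers below are standard published test numbers, not
real accounts)."""
import re

# Slide pattern: a 16-digit number starting with 5 in four groups separated by '-', '.' or ' '.
CARD_RE = re.compile(r"\b5\d{3}[-. ](?:\d{4}[-. ]){2}\d{4}\b")


def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return (match, luhn_valid) for every pattern hit; callers usually keep only valid ones."""
    hits = []
    for m in CARD_RE.finditer(text):
        hits.append((m.group(), luhn_ok(re.sub(r"\D", "", m.group()))))
    return hits


def scan_shared_folder(files):
    """files maps path -> text (a constructed stand-in for walking a real share).
    Returns only files holding Luhn-valid card-like numbers: the ones to pull before sharing."""
    report = {}
    for path, text in files.items():
        valid = [s for s, ok in find_card_numbers(text) if ok]
        if valid:
            report[path] = valid
    return report


# Constructed sample share contents.
SAMPLE_FILES = {
    "Shared/expenses.txt": "Card used: 5555 5555 5555 4444, see receipt. Ticket ref 5000-0000-0000-0001.",
    "Shared/notes.txt": "Call John at 555-1234 about the Q3 plan.",
}

if __name__ == "__main__":
    for path, numbers in scan_shared_folder(SAMPLE_FILES).items():
        print(f"{path}: {len(numbers)} card-like number(s) -- move out of the shared folder")
```

The Luhn check is what keeps the scan usable: the ticket reference in the sample matches the slide's pattern but fails the checksum, so only the real card-shaped number is reported. For a production scan the regex would be widened to other issuer prefixes and the file walk would read the actual share.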

Page 40

Page 41

RSA InsecureIDs & Lockheed

►Lockheed said: "our systems remain secure"
  - No customer data was compromised
  - No employee personal data has been compromised.
  - No such assurance was given for:
    - proprietary data
    - military systems data

Page 42

RSA InsecureIDs

►As reported by The Christian Science Monitor, a DOD document states: "Any computer-based attack by an adversary nation that damages US critical infrastructure or US military readiness could be an 'act of war,' according to new Defense Department cyberwarfare policies that have yet to be officially unveiled."

Page 43

RSA InsecureIDs

►Going back to just passwords, but making them strong ones and authenticating the endpoint:
  - Making sure that the machine a user is signing in from is the normal machine used by that user.

Page 44

Google Hack

►Google announced that hackers have specifically targeted the Gmail accounts of U.S. government officials and military personnel.

►Why would government leaders use Gmail in the first place? U.S. government officials, after all, have access to official government email systems that have layer after layer of security.

►So how does Gmail, Google's cloud-based email service, come into play?

Page 45

Google Vulnerabilities

►Eight vulnerabilities in Google services were revealed during the Hack in the Box conference in Amsterdam on Thursday 5/24/2012

►That same group claims to have discovered more than 100 such bugs over the past few months.

Page 46

Bot Nets

►"Bots" are a type of malware that allows an attacker to take control of an affected computer.

►Also known as "web robots", bots are usually part of a network of infected machines linked by the internet.

►These victim machines make up a "bot net" that stretches across the globe.

Page 47

Bot Nets

►Since a bot-infected computer follows its master's orders, such machines are generally referred to as "zombies".

►Cybercriminals that control these bots are called bot-herders or bot-masters.

►It is hard to detect bots on your network until they leap into action.

Page 48

Bot Nets

►Bot Nets might have a few hundred or a couple thousand computers, but others have tens and even hundreds of thousands of zombies at their disposal.

►Conficker / Downadup Worm

Page 49

Bot Nets

►"Botnets are one of the greatest facilitators of cybercrime these days. Really the cybercrime arena is wrapped around botnets." -- Wendi Whitmore, special agent, Air Force Office of Special Investigations

Page 50

►In October 2006, a foreign hacker broke into a system at a water-filtration plant in Harrisburg, Pa., after an employee's laptop computer was compromised via the Internet and then used as an entry point to install malware on the plant's computer.

Page 51

Page 52

BYOD Policy

►Allowing employees to use their personal mobile devices for work-related tasks provides advantages:
  - less laptop lugging
  - easier connectivity
  - potentially better interfaces

Page 53

BYOD Policy

►It can also help an organization financially when the organization doesn't have to pay for:
  - Smartphones
  - Tablets
  - Data plans

Page 54

BYOD Policy

►The risks of BYOD include:
  - security vulnerabilities
  - support costs
  - liability issues

Page 55

BYOD Policy

►Organizations that allow employees to bring devices to work should have a well-defined BYOD policy and mechanisms to enforce it.

Page 56

BYOD Policy

►Defining a BYOD policy:
  1) Define the scope of control the business expects to maintain over employee-owned devices.

Page 57

BYOD Policy

►2) Acceptable use of corporate IT resources on mobile devices:
  - Require VPN access
  - Minimal security controls on the device
  - The need for company-provided components
    - Secure Sockets Layer (SSL) certificates for authentication
  - Rights of the organization to alter the device (e.g., to remotely wipe a lost or stolen device).

Page 58

BYOD Policy

►2) Acceptable use:
  - Encryption of data
  - Prohibit storage of business data
  - Prohibit storage of passwords, etc.

Page 59

Page 60

Unauthorized Hardware

►Hackers are constantly looking for targets: unprotected systems that are attached to networks.

►Do you know what's on your network? Users add things to networks all the time.
  - Inventory often
  - Control what is attached
  - Do not hook up a system until it is configured

Page 61

Unauthorized Hardware

►Solutions: maintain an accurate inventory of physical systems as they relate to your asset inventory.
  - Include:
    - IP address
    - MAC address
    - Device name
    - Purpose
    - Owner / manager responsible

Page 62

Unauthorized Hardware

►Solutions: use and test network inventory software and / or hardware.
  - Test the operation often with a known rogue machine.
  - Test the delay before the machines are quarantined and users confronted.

Page 63

Unauthorized Hardware

►Solutions:
  - When alerts are received, treat them as important.
  - Safeguard the accurate database created by the software.
  - Compare the software database with the physical asset list.
  - Implement configuration management systems to ensure that all systems are safely patched.
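
The three "Unauthorized Hardware" solution slides come down to one comparison: what the inventory says should be on the network versus what a scan actually finds. The script below is an added example (not from the presentation) of that comparison, using the inventory fields the slides list (IP, MAC, device name, purpose, owner). The inventory CSV, the scan output and the column names are constructed; the quarantine wording is an assumption rather than any product's format.

```python
"""Added example (not from the original presentation): compare what a network
scan actually sees against the asset inventory the slides call for (IP, MAC,
device name, purpose, owner). The inventory CSV and the scan output are
constructed; the column names and the quarantine wording are assumptions,
not any product's format."""
import csv
import io

# Constructed asset inventory, one row per known device.
INVENTORY_CSV = """\
ip,mac,device_name,purpose,owner
10.0.5.10,00:1a:2b:3c:4d:10,fileserver-01,file storage,IT Ops
10.0.5.11,00:1a:2b:3c:4d:11,printer-2f,print,Facilities
10.0.5.40,00:1a:2b:3c:4d:40,ws-jdoe,workstation,J. Doe
10.0.5.41,00:1a:2b:3c:4d:41,ws-retired,workstation,decommissioned
"""

# Constructed stand-in for ARP / DHCP-lease output: (ip, mac) pairs as seen on the wire.
SCAN_RESULT = [
    ("10.0.5.10", "00:1A:2B:3C:4D:10"),   # same device, this tool writes MACs in upper case
    ("10.0.5.11", "00:1a:2b:3c:4d:11"),
    ("10.0.5.40", "00:1a:2b:3c:4d:40"),
    ("10.0.5.77", "d4:3b:04:aa:bb:cc"),   # never inventoried
    ("10.0.5.40", "f0:9f:c2:12:34:56"),   # unknown MAC using an inventoried IP
]


def norm_mac(mac):
    """Normalize tool formats (case, '-' separators) so MACs compare equal."""
    return mac.lower().replace("-", ":")


def load_inventory(csv_text):
    """Return {mac: row} for the inventory; MAC is the key because IPs move."""
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(csv_text))}


def reconcile(inventory, scan):
    """Classify scan entries: 'rogue' (MAC unknown), 'moved' (known MAC, other IP),
    and inventory entries not seen at all ('missing', e.g. retired kit still listed)."""
    by_ip = {row["ip"]: row for row in inventory.values()}
    findings = {"rogue": [], "moved": [], "missing": []}
    seen = set()
    for ip, mac in scan:
        mac = norm_mac(mac)
        seen.add(mac)
        asset = inventory.get(mac)
        if asset is None:
            expected = by_ip[ip]["device_name"] if ip in by_ip else None
            findings["rogue"].append({"ip": ip, "mac": mac, "expected_on_ip": expected})
        elif asset["ip"] != ip:
            findings["moved"].append({"device_name": asset["device_name"],
                                      "inventory_ip": asset["ip"], "seen_ip": ip})
    for mac, asset in inventory.items():
        if mac not in seen:
            findings["missing"].append(asset["device_name"])
    return findings


def quarantine_actions(findings):
    """One action line per rogue device: what to isolate and whom to confront."""
    actions = []
    for r in findings["rogue"]:
        who = f"owner of {r['expected_on_ip']}" if r["expected_on_ip"] else "unknown user"
        actions.append(f"quarantine {r['ip']} ({r['mac']}); confront {who}")
    return actions


if __name__ == "__main__":
    result = reconcile(load_inventory(INVENTORY_CSV), SCAN_RESULT)
    for line in quarantine_actions(result):
        print(line)
    print("listed but not seen:", result["missing"])
```

Keying on MAC rather than IP is what makes the fifth scan entry visible: an unknown device sitting on ws-jdoe's address shows up as rogue with the expected owner attached, instead of being mistaken for the workstation. The "missing" list is the other half of the slide's advice (compare the database with the physical asset list): retired equipment still in the inventory is a stale entry to clean up.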

Page 64

Unauthorized Software

►Hackers & bots are looking for software to compromise as well.

►Do you know what is on your users' machines?
  - Have and manage to a white list of accepted software
  - Document all exceptions

Page 65

Unauthorized Software

►Solutions: maintain an accurate inventory of acceptable software.
  - Include:
    - Manufacturer
    - Version
    - If an exception: device name, purpose, owner / manager responsible

Page 66

Unauthorized Software

►Solutions: install software inventory & management tools.
  - Requirements should be:
    - For operating systems: version, patches installed
    - For applications: type, manufacturer, version, patch level

Page 67

Unauthorized Software

►Solutions: install software inventory & management tools.
  - The most effective tools include:
    - Hash of known good versions
    - Can prevent execution of anything not on the 'white list'
    - Can validate the location of the file in the file system
    - Allowed users
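
The four properties on this slide (known-good hash, block anything not listed, validate location, allowed users) are a single decision function. The script below is an added example (not from the presentation) of that decision over constructed program bytes, paths and users; a real product would hook process creation rather than being called as a function, and the known-good hashes here are computed from the constructed "good" bytes only so the example is self-contained.

```python
"""Added example (not from the original presentation): the allowlist check the
slide describes, with a known-good SHA-256 per approved program, the path it
must live in, and the users permitted to run it. The program bytes, paths and
users are constructed; a real product would hook process creation instead of
being called as a function."""
import hashlib

# Constructed stand-ins for installed binaries (path -> bytes).
INSTALLED = {
    "C:/Program Files/Acme/acme.exe": b"acme-build-1.4.2",
    "C:/Users/jdoe/Downloads/acme.exe": b"acme-build-1.4.2",   # right bytes, wrong location
    "C:/Program Files/Acme/helper.exe": b"acme-helper-2.0-with-extra-bytes",  # modified
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Known-good hashes would come from the vendor or a trusted build; here they are
# computed from the constructed 'good' bytes so the example is self-contained.
ALLOWLIST = {
    "acme.exe": {
        "sha256": sha256_hex(b"acme-build-1.4.2"),
        "path": "C:/Program Files/Acme/acme.exe",
        "users": {"jdoe", "svc_acme"},
    },
    "helper.exe": {
        "sha256": sha256_hex(b"acme-helper-2.0"),
        "path": "C:/Program Files/Acme/helper.exe",
        "users": {"svc_acme"},
    },
}


def check_execution(path, user, installed=INSTALLED, allowlist=ALLOWLIST):
    """Return (allowed, reason). All four checks must pass: name on the list,
    hash equals the known-good version, file in its approved location, user permitted."""
    name = path.rsplit("/", 1)[-1]
    entry = allowlist.get(name)
    if entry is None:
        return False, "not on allowlist"
    data = installed.get(path)
    if data is None:
        return False, "file not found"
    if sha256_hex(data) != entry["sha256"]:
        return False, "hash mismatch: modified or unapproved version"
    if path != entry["path"]:
        return False, "approved program running from an unapproved location"
    if user not in entry["users"]:
        return False, "user not permitted to run this program"
    return True, "ok"


if __name__ == "__main__":
    for path, user in [("C:/Program Files/Acme/acme.exe", "jdoe"),
                       ("C:/Users/jdoe/Downloads/acme.exe", "jdoe"),
                       ("C:/Program Files/Acme/helper.exe", "svc_acme"),
                       ("C:/Program Files/Acme/acme.exe", "guest")]:
        print(path, user, check_execution(path, user))
```

The order of the checks matters for the message the operator sees: a byte-identical copy in a Downloads folder is reported as a location problem, not a hash problem, while a modified helper in the right place is reported as a hash mismatch. Either way the file does not run, which is the "prevent execution of anything not on the white list" behaviour.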

Page 68

Unauthorized Software

►Solutions: operating systems
  - Consistency is key
  - Drivers should all be signed, and should only be from the manufacturers of the device installed.

Page 69

Harden Workstations & Servers

►Systems that are installed, hooked up and not properly secured pose a significant threat.

Page 70

Harden Workstations & Servers

►Solutions:
  - Ideally, have your hardware vendor set up the machines with an image that is created / updated on a regular basis.
  - Install from a secure server that contains updated images of what should be on a machine.

Page 71

Harden Workstations & Servers

►Solutions:
  - Remove all extraneous users that come with the OS
  - Shut down and remove all extra services
  - Shut down all unused ports
  - Install local firewall software & configure it

Page 72

Harden Workstations & Servers

►Solutions:
  - Run assessment programs regularly
  - Test with systems that aren't configured correctly
  - Test by injecting systems that are configured correctly

Page 73

Harden Devices

►Secure configurations of network devices such as firewalls, routers, and switches: while on the radar, they are rarely double-checked after configuration.

►Hackers have automated tools looking for holes in the perimeter as well as in internal devices.

Page 74

Harden Devices

►Secure firewall configurations: auditing
  - 75% of firewalls have rules that are not required
  - 50% of those are dangerous

Page 75

Harden Devices

►Solutions:
  - Create a standard configuration document
  - Follow the standard configuration document
  - Filter all un-needed services
  - Exceptions, when required, should have a time limit or a review period
  - Log log log
  - Monitor & review
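
The audit figures on the previous slide (rules not required, and how many of those are dangerous) and the solutions on this one can be produced by comparing the running ruleset with the standard configuration document. The script below is an added example (not from the presentation) of such an audit: it flags allow rules absent from the standard, exceptions with no review date or an expired one, and over-broad rules. The rule format, the standard, and the dates are constructed for the example; "dangerous" here means any-to-any or no service filter, which is the example's own definition.

```python
"""Added example (not from the original presentation): audit an exported
firewall ruleset against a standard configuration document, flagging allow
rules that are not in the standard, exceptions whose review date has passed
or is missing, and over-broad rules. Rule format, the standard, and the dates
are constructed for the example."""
import re
from datetime import date

# Standard configuration document, reduced to the allow rules it permits:
# (protocol, destination port, source, destination).
STANDARD = {
    ("tcp", "443", "any", "10.0.5.10"),   # HTTPS to the web front end
    ("tcp", "25", "any", "10.0.5.20"),    # SMTP to the mail gateway
}

# Constructed export of the running ruleset:
# (rule id, protocol, port, source, destination, action, comment)
RULES = [
    ("r1", "tcp", "443", "any", "10.0.5.10", "allow", "standard web"),
    ("r2", "tcp", "25", "any", "10.0.5.20", "allow", "standard mail"),
    ("r3", "tcp", "3389", "203.0.113.0/24", "10.0.5.40", "allow", "vendor support, exception until 2012-03-31"),
    ("r4", "tcp", "23", "any", "any", "allow", "temp"),
    ("r5", "any", "any", "any", "any", "allow", ""),
    ("r6", "any", "any", "any", "any", "deny", "default deny"),
]

REVIEW_DATE_RE = re.compile(r"until (\d{4}-\d\d-\d\d)")


def audit(rules, standard, today_iso):
    """Return {rule_id: [issues]} for allow rules that need attention; today_iso is 'YYYY-MM-DD'."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for rid, proto, port, src, dst, action, comment in rules:
        if action != "allow":
            continue  # the default deny is the one rule that is never 'unneeded'
        issues = []
        if (proto, port, src, dst) not in standard:
            issues.append("not in standard configuration")
            m = REVIEW_DATE_RE.search(comment)
            if m is None:
                issues.append("exception without a time limit or review date")
            elif date.fromisoformat(m.group(1)) < today:
                issues.append(f"exception expired on {m.group(1)}")
        if src == "any" and dst == "any":
            issues.append("dangerous: any-to-any allow")
        if proto == "any" or port == "any":
            issues.append("dangerous: no service filter")
        if issues:
            findings[rid] = issues
    return findings


def summary(rules, findings):
    """The two figures the audit slide quotes: rules not required, and how many of those are dangerous."""
    allow_rules = [r for r in rules if r[5] == "allow"]
    unneeded = [rid for rid, issues in findings.items() if "not in standard configuration" in issues]
    dangerous = [rid for rid in unneeded if any(i.startswith("dangerous") for i in findings[rid])]
    return {"allow_rules": len(allow_rules), "not_required": len(unneeded), "dangerous": len(dangerous)}


if __name__ == "__main__":
    found = audit(RULES, STANDARD, "2012-06-01")
    for rid, issues in found.items():
        print(rid, "->", "; ".join(issues))
    print(summary(RULES, found))
```

Run against the constructed ruleset on 2012-06-01, the audit reports three of five allow rules as not required and two of those as dangerous; the vendor-support exception is also reported as expired, which is exactly the kind of rule the "time limit or review period" advice is meant to catch. Run with an earlier date, the same exception is still outside the standard but not yet expired.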

Page 76

Harden Devices

►Solutions: use penetration tools regularly
  - Test from the outside world & the inside world
  - All devices should use encrypted configuration logins
  - Use separate physical networks where possible
  - Use VLANs where physically separating the networks is not possible.

Page 77

►"A network of hackers, most based in China, have been making up to 70,000 attempts a day to break into the NYPD's computer system, the city's Commissioner, Raymond Kelly, revealed Wednesday."

Page 78

Log Log Log

►Many incidents can be readily revealed with a bit of logging and analysis of those logs.

Page 79

Logs

►Solutions: almost everything that has a log should have the log turned on. Logs should include:
  - Date/time
  - Source IP
  - Destination IP
  - Port
  - Etc.

Page 80

Logs

►Solutions:
  - Use standard SYSLOG entries or use software that converts logs to a common log format.
  - Store logs for a while – space & DVDs are cheap.
  - Create systems & procedures for analyzing logs.
    - These systems should have 'normal' items and 'abnormal' items.

Page 81

Logs

►Solutions: all remote access logging
  - should be in detail
  - should be rigorously analyzed.

►All security alerts should be logged:
  - Workstations
  - Servers
  - Devices

Page 82

Logs

►Solutions: use unified time
  - This allows logs to be matched up across many devices and / or networks.

►Border devices:
  - Should log verbosely
  - Should log all traffic, blocked and allowed
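
Page 80 asks for a common log format and this slide for unified time; the point of both is that events from different devices can be lined up. The script below is an added example (not from the presentation) that converts a border firewall's UTC CSV log and an internal server's local-time syslog into one record format, then correlates them by source IP. The log lines, device names and the server's timezone offset are constructed; the correlation rule (a source seen at the border that fails authentication internally within five minutes) is the example's own.

```python
"""Added example (not from the original presentation): bring two devices' logs
into one common record format with UTC timestamps (the 'common log format'
and 'unified time' points from these slides) and correlate them by source
IP. The log lines, device names and the server's timezone offset are
constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed border firewall export (logs in UTC): time,device,action,src,dst,dst_port
FIREWALL_LOG = """\
2012-06-01T02:14:58Z,fw-border,BLOCK,203.0.113.9,10.0.5.20,3389
2012-06-01T02:15:05Z,fw-border,ALLOW,203.0.113.9,10.0.5.20,22
2012-06-01T02:40:00Z,fw-border,ALLOW,198.51.100.4,10.0.5.10,443
"""

# Constructed internal server syslog, written in local time (UTC-7) with no year.
SERVER_LOG = """\
May 31 19:15:12 app01 sshd[410]: Failed password for admin from 203.0.113.9 port 51022 ssh2
May 31 19:15:15 app01 sshd[410]: Failed password for admin from 203.0.113.9 port 51023 ssh2
May 31 19:50:01 app01 CRON[500]: (root) CMD (run-parts /etc/cron.hourly)
"""
SERVER_UTC_OFFSET_HOURS = -7

SSH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_firewall(text):
    """Firewall CSV -> common records (timestamps already UTC)."""
    records = []
    for line in text.splitlines():
        ts, device, action, src, dst, port = line.split(",")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "device": device, "event": "fw_" + action.lower(),
            "src_ip": src, "dst_ip": dst, "port": int(port),
        })
    return records


def parse_server(text, year, utc_offset_hours):
    """Syslog auth failures -> common records; the local time is converted to UTC
    using the device's known offset, which is the 'unified time' step."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    records = []
    for line in text.splitlines():
        m = SSH_FAIL_RE.search(line)
        if not m:
            continue  # cron and similar lines are not security events for this check
        local = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        records.append({
            "ts": local.astimezone(timezone.utc), "device": m["host"], "event": "auth_failure",
            "src_ip": m["ip"], "dst_ip": None, "port": int(m["port"]), "user": m["user"],
        })
    return records


def correlate(records, window_minutes=5):
    """Source IPs seen at the border that then fail authentication internally within the window."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["src_ip"]].append(r)
    hits = {}
    for ip, recs in by_ip.items():
        border = [r for r in recs if r["event"].startswith("fw_")]
        failures = [r for r in recs if r["event"] == "auth_failure"]
        linked = any(timedelta(0) <= f["ts"] - b["ts"] <= window for b in border for f in failures)
        if linked:
            hits[ip] = {"border_events": len(border), "auth_failures": len(failures),
                        "devices": sorted({r["device"] for r in recs})}
    return hits


def correlate_logs(firewall_text, server_text, year, utc_offset_hours):
    """Normalize both sources and correlate them."""
    return correlate(parse_firewall(firewall_text) + parse_server(server_text, year, utc_offset_hours))


if __name__ == "__main__":
    print("with unified time:    ", correlate_logs(FIREWALL_LOG, SERVER_LOG, 2012, SERVER_UTC_OFFSET_HOURS))
    print("server offset ignored:", correlate_logs(FIREWALL_LOG, SERVER_LOG, 2012, 0))
```

The second call in the usage block shows why the slide insists on unified time: if the server's local timestamps are taken as UTC, its login failures appear seven hours before the firewall saw the source, the five-minute window never closes, and the same attacker shows up as two unrelated events on two devices.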

Page 83

Logs

►Solutions: logs should be secured
  - Logs should be exported & saved on write-once devices, or
  - Logs should be written to dedicated logging servers, with separate security credentials for the dedicated logging servers.

Page 84

Logs

►Solutions: test the logs and review after:
  - Normal / acceptable traffic
  - Pushing the system
  - Attempting to penetrate the network, from inside and from outside.

►Compare and correlate the data on all of the logs for validity.

Page 85

Logs

►Solutions: review
  - Logs every day
  - Use automated tools to analyze large amounts of data.

►Test:
  - Attack a system
  - Test the response time: discovery, and action taken against the attack.

Page 86

Page 87

Malware

►6 million+ unique malware samples were identified in the first quarter of 2011, a 26% increase from Q1 of 2010 and far exceeding any first quarter in malware history.

►70,000 new malware strains are detected every day.


Malware

►McAfee says that PC malware had its "busiest quarter in recent history," in their quarterly security report released Wednesday 5/23/2012.


Malware

►Malware targeting Apple computers also continued to rise steadily. New malware for the Mac exploded in the second quarter of 2011, but this last quarter saw the most new cases since then with about 250.


What exactly is a RootKit?

►A rootkit is a software/hardware application that enables continued privileged access to a computer while actively concealing its presence from authorized users and administrators.


What exactly is a RootKit?

►The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempts to hide its presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives a reboot and whether it executes in user mode or kernel mode.


Persistent Rootkits

►Persistent rootkits activate each time the system boots.

►Persistent rootkits start automatically at each system start or when a user logs in; they must store code in a persistent store, such as the Registry or the file system, and they execute without user intervention.


Memory-Based Rootkits

►Memory-based rootkits have no persistent code and therefore do not survive a reboot.


User-mode Rootkits

►These rootkits usually intercept user-centered Operating System information and return results that prevent the user from seeing the rootkit's executable files and libraries.

►In this case the Windows native API serves as the interface between user-mode client software and kernel-mode services.

►The most sophisticated user-mode rootkits intercept the File System, Registry, and System Process functions of the native Windows API, preventing detection of the rootkit.


Kernel-mode Rootkits

►These rootkits are usually the most powerful, since they can not only intercept the native API in kernel mode but also directly manipulate kernel-mode data.

►Kernel rootkits hide their presence by removing their process from the kernel's list of active processes. These rootkits will normally be absent from the Task Manager.


A Brief History of RootKits

►The first Windows rootkit, called NTRootkit, appeared in 1999 on NT.

►HackerDefender followed in 2003.

►The first Mac rootkit targeting OS X appeared in 2009.

►And the Stuxnet worm was the first to target programmable logic controllers (PLC).


And then there was:

►The Sony BMG copy protection rootkit


Our protected environments

►Classic Perimeter: Firewall, ACL (port and web filter), IDS / NIPS / HIDS, Proxy

►Patch Control
►Personal Firewalls


Our Protected Environments…

►Rootkits still penetrate.

►Even proxies, Websense and IE lockdowns are not a perfect solution.

►The volume is so high and attackers so sophisticated that a tiny percentage gets through…


Our Protected Environments…

►It is estimated that in a 24 hour period, of 44K web sessions accessing 10K hosts, approximately 20 web exploits were discovered.

►So what? .04%? Big deal!


Limit Administrators

►All too often users are granted “Administrator” privileges on networks, servers & workstations. When they do have this access associated with one of their accounts, they tend to use the account with Administrative privileges.


Limit Administrators

►Solutions: Monitor and log all users that need ‘administrator’ (and Super User) access.

►Create multiple accounts for such users and encourage them to use the ‘administrator’-capable user only when required by their job.

►Require such users to have STRONG passwords.


Limit Administrators

►Solutions: Remote ‘administrator’ access should be prevented.

►Once connected with a non-administrator account, users can log in to additional systems with their ‘administrator’ account.

►Audit / confirm: Audit all users with ‘Administrator’ capabilities often.

►Remove such privileges when they are no longer needed by the user.


Limit Administrators

►Solutions: Audit / confirm

►Review logs to ensure that users are not abusing the rules: reading e-mail with their privileged accounts, browsing the Internet.

►Educate ‘Administrator’ users about social engineering techniques.

►Attempt to social engineer ‘Administrator’ users.


Limit Administrators

►Solutions: Require two factor authentication for all Administrator accounts.

►Use roles / groups to segregate responsibilities:

►Workstation Administrators only have access to administration of workstations, laptops, etc.

►Domain administrators only have administrator access to servers.


Limit Administrators

►Solutions: Audit Processes

►Look at all processes that have ‘Administrator’ privileges. Reduce them to only what is required.

►Often review logs that have detailed entries to determine whether any rogue ‘Administrators’ or ‘Administrator’-privileged software exist in your domain.


Limit Administrators

►Make being logged in as an administrator as annoying as you can:
►No email access
►No Web access
►1 minute to lock the machine in the screen saver
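As an added example (not from the presentation), the two log reviews the Limit Administrators slides ask for: privileged accounts caught reading mail or browsing, and an inventory of which accounts ran which processes with administrator privilege. The pipe-delimited record layout, host names, accounts and group names are constructed stand-ins for whatever a real process-creation audit feed produces.

```python
"""Auditing privileged-account use from process-creation records.

Added example, not from the original presentation. The records below are
constructed in a made-up pipe-delimited layout:

    timestamp | host | account | groups (semicolon separated) | process | elevated

A real source would be the operating system's process-creation auditing
or an endpoint agent; only the parser would change.
"""

# Group names that confer administrator-level rights (constructed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}

# Everyday applications that should never run under a privileged account.
MAIL_AND_BROWSERS = {"outlook.exe", "thunderbird.exe", "iexplore.exe",
                     "firefox.exe", "chrome.exe"}

SAMPLE_EVENTS = [
    "2012-05-23 08:02:11|WS042|CORP\\jdoe|Domain Users|outlook.exe|no",
    "2012-05-23 08:05:40|WS042|CORP\\jdoe-adm|Domain Users;Domain Admins|outlook.exe|yes",
    "2012-05-23 08:07:03|SRV01|CORP\\jdoe-adm|Domain Users;Domain Admins|mmc.exe|yes",
    "2012-05-23 09:12:55|WS017|CORP\\svc_backup|Administrators|iexplore.exe|yes",
    "2012-05-23 09:30:00|SRV01|CORP\\build|Domain Users|msbuild.exe|no",
    "2012-05-23 10:01:17|WS042|CORP\\jdoe|Domain Users|chrome.exe|no",
]


def parse_event(line):
    """Turn one constructed record into a dict with a normalized process name."""
    time, host, user, groups, process, elevated = line.split("|")
    return {"time": time, "host": host, "user": user,
            "groups": set(groups.split(";")), "process": process.lower(),
            "elevated": elevated == "yes"}


def is_privileged(event):
    """Privileged if the account holds an admin group or the token is elevated."""
    return bool(event["groups"] & PRIVILEGED_GROUPS) or event["elevated"]


def rule_violations(lines):
    """Privileged accounts doing everyday work (mail, web): the abuse the
    slide says to look for when reviewing logs."""
    found = []
    for ev in map(parse_event, lines):
        if is_privileged(ev) and ev["process"] in MAIL_AND_BROWSERS:
            found.append((ev["time"], ev["host"], ev["user"], ev["process"]))
    return found


def admin_accounts(lines):
    """Every account seen with administrator-level group membership, for the
    periodic review of who has 'Administrator' capabilities."""
    return {ev["user"] for ev in map(parse_event, lines)
            if ev["groups"] & PRIVILEGED_GROUPS}


def privileged_process_inventory(lines):
    """Process name -> accounts that ran it with privilege, for the review of
    which processes actually need 'Administrator' rights."""
    inventory = {}
    for ev in map(parse_event, lines):
        if is_privileged(ev):
            inventory.setdefault(ev["process"], set()).add(ev["user"])
    return inventory


if __name__ == "__main__":
    for when, host, user, proc in rule_violations(SAMPLE_EVENTS):
        print("VIOLATION %s %s %s ran %s" % (when, host, user, proc))
    print("Admin accounts:", sorted(admin_accounts(SAMPLE_EVENTS)))
    for proc, users in sorted(privileged_process_inventory(SAMPLE_EVENTS).items()):
        print("PRIVILEGED %-14s %s" % (proc, ", ".join(sorted(users))))
```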


People People People

►Organizations with educated users have fewer problems.

►Threats to organizations: Social engineering, Sloppy users

►End users are fooled into opening attachments and loading software from untrusted sites, visiting web sites where they are infected, and more.

►System administrators are also fooled like normal users, but are also tested when unauthorized accounts are set up on their systems, when unauthorized equipment is attached, and when large amounts of data are exfiltrated.


People People People


►Security operators and analysts are hit with new and innovative attacks, with sophisticated privilege escalation, redirection and other attacks, along with a continuous stream of more traditional attacks. (They get distracted.)


People People People

►Threats to organizations: Sloppy users

►Application programmers are tested by criminals who find and exploit the vulnerabilities they leave in their code.

►Stubborn organizations: System owners are tested when they are asked to invest in cyber security but are unaware of, or refuse to accept, the devastating impact a compromise and data exfiltration or data alteration would have on their mission.


Social Engineering

►Methods:
1) Call the help desk to find out the secret questions with a non-target.
2) They gather up the target’s secret question answers.
3) Once they have that, they get the help desk to change the password.
4) Then they call the target and inform them about the change.


Social Engineering

►Methods: QUICK CHANGE

►1) Help the user change their password by intimating that you are from the help desk,

►2) and then tell the user not to reveal their current password for security purposes.


Social Engineering

►Methods: Give out USB flash drives with malicious code.

►Get a keylogger with Bluetooth.


Social Media

►Policy: A single person or limited persons who can post.

►Policy about what they can post.


►On the Internet… nobody knows you’re a dog. And increasingly, nobody knows you’re a hacker.


Events & Social Engineering

►Just over one year ago: Osama Bin Laden's Death a Party for Spammers, Fake AV Scammers


Events & Social Engineering

►This year:

Month         Date        Event                          Location
May           18-19       G8 Summit                      Camp David
May           20-21       NATO Summit                    Chicago, IL
June          18-20       G-20 Summit                    Los Cabos, Mexico
July-August   27 to 12    Summer Olympics                London
August        27-30       Republican National Conv.      Tampa, FL
September     03-06       Democratic National Conv.      Charlotte, NC
November      18-19       Asia Pacific Economic Summit   Russky Island


Events & Social Engineering

►Based on history, malicious persons will capitalize on these high profile events to collect intelligence, distribute spam and/or draw attention to ideological causes.

►Some foreign intelligence services will likely use socially engineered spear-phishing emails to masquerade as a trustworthy entity and target individuals affiliated with these events.


Events & Social Engineering

►Normally targeting begins as early as months before the event and may continue until weeks after the event concludes.


Events & Social Engineering

►These targeted activities are an effort to collect the economic and political strategies, talking points, and related intelligence of the countries and key personalities in attendance at the event, in order to negotiate and compete from a position of strength.


Events & Social Engineering

►These events may also become prime spam content for criminals seeking financial gain.

►The spam may be used to distribute malware or phish PII or financial information.

►Phishing and scams imitating official 2012 Olympic correspondence or offering tickets have already begun circulating in the wild.


Events & Social Engineering

►Lastly, hacktivists have defaced and disrupted the websites of conference related financial, corporate, and government entities to promote their ideological positions.

►It is probable that hacktivists will conduct similar activities during the summits.


Mitigation

►Train users to be wary of unsolicited attachments, even from people they know. Just because an email message looks like it came from a familiar source does not mean it did: malicious persons often "spoof" the return address, making it look like the message came from someone else.


Mitigation

►Check with the person who supposedly sent the message to make sure it's legitimate before opening any attachments. This also includes email messages that appear to be from your Internet Service Provider (ISP) or software vendor claiming to include patches or anti-virus software. ISPs and software vendors do not send patches or software in email.


Mitigation

►Keep software up to date - Install software patches so that attackers can't take advantage of known problems or vulnerabilities (see US-CERT Security Tip ST04-006, Understanding Patches for more information). Many operating systems offer automatic updates. If this option is available, you should enable it.


Mitigation

►Teach your employees to trust their instincts. If an email or attachment seems suspicious, don't open it, even if your antivirus software indicates that the message is virus free.

►Attackers are constantly releasing “zero-days”, and most likely your anti-virus software does not have a signature for them yet.


Top 25 Programming Errors

► CATEGORY: Insecure Interaction Between Components

CWE-20: Improper Input Validation
► It's the number one killer of healthy software, so you're just asking for trouble if you don't ensure that your input conforms to expectations.

CWE-116: Improper Encoding or Escaping of Output
► Computers have a strange habit of doing what you say, not what you mean. Insufficient output encoding is the often-ignored sibling to poor input validation, but it is at the root of most injection-based attacks, which are all the rage these days.

CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
► If attackers can influence the SQL that you use to communicate with your database, then they can.

CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
► Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications.

CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
► When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers.
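An added example, not from the slides or from MITRE's CWE text, of the two weaknesses at the heart of this category: CWE-89 handled by binding the value as a parameter (shown beside the string-spliced query it replaces, which breaks on an ordinary apostrophe and widens on a tautology), and CWE-116 / CWE-79 handled by encoding output for the HTML context at render time. The users table and its rows are constructed, and sqlite3 stands in for whatever database the application really uses.

```python
"""CWE-89 and CWE-116/CWE-79 side by side.

Added example, not from the slides or from MITRE's CWE text. The users table
and its rows are constructed, and sqlite3 stands in for whatever database
the application really talks to; the pattern is the same for any driver
that supports bound parameters.
"""
import html
import sqlite3


def make_db():
    """In-memory table with one name that legitimately contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", 1),
        ("bob", "bob@example.com", 0),
        ("O'Brien", "obrien@example.com", 0),
    ])
    return conn


def lookup_unsafe(conn, name):
    """CWE-89: the caller's text is spliced into the statement, so a quote in
    the input changes the query's structure. A real apostrophe in a name is
    enough to break it; kept here only to contrast with lookup_safe."""
    query = "SELECT name, email FROM users WHERE name = '%s'" % name
    try:
        return conn.execute(query).fetchall()
    except sqlite3.Error:
        return None  # the statement no longer parsed: structure was not preserved


def lookup_safe(conn, name):
    """Parameterized query: the SQL text is fixed and the value travels
    separately, so the input is always data, never part of the statement."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_profiles(rows):
    """CWE-116 / CWE-79: encode each value for the context it lands in (HTML
    text here) at output time, whatever validation happened on input."""
    return "".join(
        "<li>%s (%s)</li>" % (html.escape(name), html.escape(email))
        for name, email in rows
    )


def demo():
    """Run both lookups against the same two inputs and return the results."""
    conn = make_db()
    apostrophe = "O'Brien"          # legitimate data that the unsafe query cannot handle
    tautology = "x' OR '1'='1"      # input that rewrites the unsafe query's WHERE clause
    return {
        "safe_apostrophe": lookup_safe(conn, apostrophe),
        "unsafe_apostrophe": lookup_unsafe(conn, apostrophe),
        "safe_tautology": lookup_safe(conn, tautology),
        "unsafe_tautology": lookup_unsafe(conn, tautology),
    }


if __name__ == "__main__":
    results = demo()
    for label, rows in results.items():
        print("%-18s %r" % (label, rows))
    print(render_profiles(results["safe_apostrophe"]))
```

The parameterized lookup finds O'Brien and returns nothing for the tautology; the spliced one fails to parse on the apostrophe and returns every row on the tautology.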


Top 25 Programming Errors

► CATEGORY: Insecure Interaction Between Components

CWE-319: Cleartext Transmission of Sensitive Information
► If your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many systems and components. If sent in clear text, it is interceptable.

CWE-352: Cross-Site Request Forgery (CSRF)
► With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim sends data from his browser to your site for someone else.

CWE-362: Race Condition
► Attackers will consciously look to exploit race conditions to cause chaos or get your application to cough up something valuable.

CWE-209: Error Message Information Leak
► If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data that allows a hacker entry into your database.


Top 25 Programming Errors

► CATEGORY: Risky Resource Management

CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
► Buffer overflows are Mother Nature's little reminder of that law of physics that says if you try to put more stuff into a container than it can hold, you're asking for trouble.

CWE-642: External Control of Critical State Data
► There are many ways to store user state data without the overhead of a database. Unfortunately, if you store that data in a place where an attacker can access temporary data and modify it, they may be able to pass parameters and information that they should not be able to.

CWE-73: External Control of File Name or Path
► When you use an outsider's input while constructing a filename, you're taking a chance. If you're not careful, an attacker could send files and information that they should not normally be able to send.

CWE-426: Untrusted Search Path
► If a resource search path is under attacker control, then the attacker can modify it to point to resources of the attacker's choosing. This causes the software to access the wrong resources at the wrong time.

CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
► For ease of development, sometimes you can't beat using a couple lines of code to employ lots of functionality. It's even cooler when you can pass additional ‘dynamic’ code to the application for it to run.


Top 25 Programming Errors

► CATEGORY: Risky Resource Management

CWE-494: Download of Code Without Integrity Check
► You don't need to be a guru to realize that if you download code and execute it, you're trusting that the source of that code isn't malicious.

CWE-404: Improper Resource Shutdown or Release
► When your precious system resources have reached their end-of-life, you need to remove, release or shut them down properly to allow the system to use those resources.

CWE-665: Improper Initialization
► Just as you should start your day with a healthy breakfast, proper initialization helps to ensure that code will run properly.

CWE-682: Incorrect Calculation
► When attackers have some control over the inputs that are used in numeric calculations, this weakness can lead to vulnerabilities. It could cause you to make incorrect security decisions. Overflows, etc.


Top 25 Programming Errors

► CATEGORY: Porous Defenses

CWE-285: Improper Access Control (Authorization)
► If you don't ensure that your software's users are only doing what they're allowed to, then attackers will try to exploit your improper authorization and exercise unauthorized functionality that you only intended for restricted users.

CWE-327: Use of a Broken or Risky Cryptographic Algorithm
► You may be tempted to develop your own encryption scheme in the hopes of making it difficult for attackers to crack. This kind of grow-your-own cryptography is a welcome sight to attackers. Use standard encryption routines and algorithms.

CWE-259: Hard-Coded Password
► Hard-coding a secret account and password into your software's authentication module is an easy thing to hack. Further, it prevents readily changeable passwords.

CWE-732: Insecure Permission Assignment for Critical Resource
► If you have critical programs, data stores, or configuration files with permissions that make your resources accessible to the world - well, that's just what they'll become: accessible to the world.


Top 25 Programming Errors

► CATEGORY: Porous Defenses

CWE-330: Use of Insufficiently Random Values
► If you use security features that require good randomness, but you don't provide it, then you'll have attackers laughing all the way to the bank. Imagine how quickly a Las Vegas casino would go out of business if gamblers could predict the next roll of the dice, spin of the wheel, or turn of the card.

CWE-250: Execution with Unnecessary Privileges
► Spider Man said “With great power comes great responsibility." Your software may need special privileges to perform certain operations, but wielding those privileges longer than necessary can be extremely risky.

CWE-602: Client-Side Enforcement of Server-Side Security
► Remember that underneath that fancy GUI, it's just code. Attackers can reverse engineer your client and write their own custom clients that leave out certain inconvenient features like all those pesky security controls. Servers should have the same security as the client.


Top 25 Programming Errors

►Resources to Help Eliminate The Top 25 Errors

►cwe.mitre.org/top25/


Multi Factor Authentication

►Biometrics
►Key cards
►RSA Keys


Miscellaneous topics

►Internal hackers
►Filtering of e-mail at the border or beyond
►Flash drives
►Open Source applications
►User level threats


Resources

►Microsoft’s Web Application Configuration Analyzer (just released 2.0) scans IIS servers, hosted applications and SQL Server instances for common security issues and mis-configurations.


Resources

►Foundstone (a McAfee organization)
►Google Diggity
►Bing Diggity

►Stach & Liu used Google Trends:

►Stachliu.com/index.php/resources/tools/googlehackingtools


Resources

►Free Windows rootkit detection tools:
►Sysinternals Rootkit Revealer
►Avast! Antivirus
►Sophos Anti-Rootkit
►F-Secure Blacklight
►MalwareBytes
►HijackThis
►Kaspersky removal tool


Resources

►Infragard
►NIST


Disclaimer

►Scott Greene, Evidence Solutions are not recommending that you leave your current job to find one of the following jobs:


Top 20 Coolest Jobs in IT

► 1 Information Security Crime Investigator/Forensics Expert
► 2 System, Network, and/or Web Penetration Tester
► 3 Forensic Analyst
► 4 Incident Responder
► 5 Security Architect
► 6 Malware Analyst
► 7 Network Security Engineer
► 8 Security Analyst
► 9 Computer Crime Investigator


Top 20 Coolest Jobs in IT

► 10 CISO/ISO or Director of Security
► 11 Application Penetration Tester
► 12 Security Operations Center Analyst
► 13 Prosecutor Specializing in Information Security Crime
► 14 Technical Director and Deputy CISO
► 15 Intrusion Analyst
► 16 Vulnerability Researcher/Exploit Developer
► 17 Security Auditor
► 18 Security-savvy Software Developer
► 19 Security Maven in an Application Developer Organization
► 20 Disaster Recovery/Business Continuity Analyst/Manager


►Computers are like Old Testament gods; lots of rules and no mercy.

- Joseph Campbell


►The Million Dollar Homepage is a website conceived in 2005 by 21-year-old student Alex Tew from Wiltshire, England, to raise money for his university education. The home page consists of a million pixels arranged in a 1000 × 1000 pixel grid; the image-based links on it were sold for $1 per pixel in 10 × 10 blocks.


Evaluation

►I value your comments. Please fill in your evaluation form found at the end of your packet.


Scott Greene: Other topics available

► Computer Forensics
► Computer Forensics for Defense Attorneys
► Personal Privacy in the Information Age
► High Technology: Just where is technology going?
► Bypassing Security: How They Steal Company Data
► Fundamentals of Digital Forensics
► Technology Forensics: Theory & Potential... is it Science or Art?
► Technology Forensics: Case Examples
► Technology Forensics: Intellectual property and identity theft
► Technology Forensics: Hardware and Software tools / Show and Tell
► Portable Devices Issues and Answers: A discussion about cell phones and the stories they can tell.
► Anti-Digital Forensics. Or is it Digital Anti-Forensics?
► Data Security and Confidentiality Issues
► E-mail: The digital Smoking Gun


Contact Information

Scott Greene, SCFE
Evidence Solutions, Inc
866-795-7166
Scott@EvidenceSolutions.com

