Spi Workshop Preso Worm Hack2

8/8/2019 Spi Workshop Preso Worm Hack2

http://slidepdf.com/reader/full/spi-workshop-preso-worm-hack2 1/56



SPI Dynamics Confidential

Agenda

Part 1: Introduction – How on earth did we get to this point?

Part 2: Identifying the Problem – How does this stuff happen?

Part 3: Key Application Vulnerabilities – Past, present and

future

Part 4: What Application Security Means to ComplianceEfforts and how to fix the problem.

Part 5: More information and online resources

Part 6: Q&A




Part One

Introduction

Who We Are - SPI Dynamics in a nutshell Application Security -How did we get to

this point?




SPI Dynamics

We manufacture and license WebInspect, our industry

leading web application security assessment product,to enterprises, consultants, and other institutions,both directly and via global partners.

We own the world’s leading database of webapplication security vulnerabilities, SecureBase™.

SecureBase is updated frequently by SPI Labs, ourU.S.-based research & development organization.

The Leader In Web ApplicationSecurity Assessment




Web Sites

Web Server

HTML

CGI

Browser

Simple, single server solutions




Web Applications

Browser

Web Servers

PresentationLayer

Media Store

Very complex architectures, multipleplatforms, multiple protocols

DatabaseServer

Customer Identification

AccessControls

TransactionInformation

Core BusinessData

Wireless

Web Services

ApplicationServer

BusinessLogic

Contentservices




Common Web Applications




The Absolute Truth

All code has bugs – regardless of platform,language or application.

From a Microsoft to a Mom and Pop’s home-brewed application, all code has bugs.

Some bugs are functionality bugs, which arediscovered by QA.

Other bugs are security bugs, which largely gounidentified.

As long as functionality is the main objective andnot security, there will always be vulnerabilities incomputer applications.




is is your application design.

This is your developed application.

This is all the stuff thatyour application issupposed to do.

This is all the stuff thatyour application wassupposed to do, but

doesn’t do. These areFunctionality bugs

This is all the stuff that your

application CANalso do, but you’re

not aware of.These are Security

vulnerabilities

Why These Thing Happen




Security Professionals Don’tKnow The Applications

“As an ApplicationDeveloper, I canbuild great featuresand functions whilemeeting deadlines,

but I don’t knowhow to develop myweb applicationwith security inmind.”

The Web ApplicationSecurity Gap

“As a Network SecurityProfessional, I don’tknow how mycompany’s webapplications aresupposed to work so Ideploy a protective

solution…but don’tknow if it’s protectingwhat it’s supposed to.”

ApplicationDevelopers andQA ProfessionalsDon’t KnowSecurity

Why Web Application Attacks Occur




Web Applications Breach the Perimeter

HTTP

I N T E

R N E T

D M Z

T R

U S

T E D

I N S

I D E

C O

R P

O R A T E

I N S

I D E

FTP TELNET

Firewall only allows PORT 80 (or 443SSL) traffic from the internet to theweb server.

Any – Web Server: 80

Firewall only allows applicationson the web server to talk toapplication server.

Web Server Application Server

Firewall onlyallows application

server to talk todatabase server.

Application Server Database

IMAP SSH POP3

http://www.samba.org/samba/vendors/qube.jpg






Web Applications Invite Public Access

“Today over 70% of attacks against acompany’s website orweb application comeat the ‘ApplicationLayer’ not the networkor system layer.”

- Gartner Group




Web Application Risk

“Web application incidents cost companiesmore than $320,000,000 in 2001.”

Forty-four percent (223 respondents) to the2002 Computer Crime and Security Survey werewilling and/or able to quantify their financiallosses. These 223 respondents reported$455,848,000 in financial losses.

“2002 Computer Crime and Security Survey”

Computer Security Institute & San FranciscoFBI Computer Intrusion Squad




Part Two

Identifying the Problem

What are the primary vulnerabilities? How and why they occur




Web Application Vulnerabilities

Platform

Administration

Application

Known

Vulnerabilities

Extension Checking

Common File Checks

Data ExtensionChecking

Backup Checking

Directory

Enumeration

Path Truncation

Hidden Web Paths

Forceful Browsing

Parameter

Manipulation

Cross-Site ScriptingSQL Injection

Buffer Overflow

Reverse Directory

Transversal

JAVA Decompilation

Path TruncationHidden Web Paths

Cookie Manipulation

Application Mapping

Backup Checking

Directory Enumeration

Web application vulnerabilitiesoccur in multiple areas.



Cross Site Scripting

(or XSS)





SQL Injection




SQL Injection – Defined

SQL injection is a technique for exploiting webapplications that use client-supplied data in SQLqueries without stripping potentially harmful

characters first.

Allow me to demonstrate!




Part Three

Key Application Vulnerabilities

Past, Present and Future

Google Hacking



Google Hacking

More then searching for great pr0n.




Google Hacking

Find vulnerable sites using Google (Old method –new life)

Example Search Queries

“filetype:mdb inurl:admin” – 180 results “Filetype:xls inurl:admin” – 14,100 results

“ORA-00921: unexpected end of SQLcommand” – 3,470 results

“allintitle:Netscape Enterprise Server HomePage” – 431 results




Google Hacking

Take this method a step further and use it tonarrow your attack victims.

“inurl:id= filetype:asp site:gov” – 572,000 results

“inurl:id= filetype:asp site:com” – 7,150,000results

“inurl:id= filetype:asp site:org” – 3,240,000results

Use this list as a baseline for identifying SQLinjection vulnerabilities




Google Hacking

Take this method a step further and use it tonarrow your attack victims.

“inurl:id= filetype:asp site:gov” – 572,000 results

“inurl:id= filetype:asp site:com” – 7,150,000results

“inurl:id= filetype:asp site:org” – 3,240,000results

Use this list as a baseline for identifying SQLinjection vulnerabilities




Google Hacking

Took 1 hour of coding

500 vulnerable sites were found in 1 minute and26 seconds




Google Hacking

Application Worm

Find next victim

Exploit victim Exploit victim




Enter the Santy Worm

Perl.Santy is a worm written in Perl script that attempts tospread to Web servers running versions of the phpBB 2.xbulletin board software Viewtopic.PHP PHP Script Injection

Vulnerability

Other systems are not affected. If successful, the worm copiesitself to the server and overwrites the files with the followingextensions:.asp, .htm, .jsp, .php, .phtm, .shtm

The worm uses the Google search engine to find potential new

infection targets. Google has now implemented blockingPerl.Santy search requests, which is expected to greatly reducethe worm's ability to propagate and lower the risk of furtherinfections.




Enter the Santy Worm

Perl.Santy.A [Computer Associates], Santy [F-Secure], Net-Worm.Perl.Santy.a [Kaspersky],Perl/Santy.worm [McAfee], PHP/Santy.A.worm[Panda], Perl/Santy-A [Sophos], WORM_SANTY.A

[Trend Micro]

UNIX, LINUX, Windows 2000, Windows 95,Windows 98, Windows Me, Windows NT, Windows

Server 2003, Windows XP




http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+

%22viewtopic.php%22+%22



The Past, the Present, and the Future of Hacking

How prolific could this whole scenario be?




Where We’ve Been – The Past

Since most sites werestatic HTML, not much todo but try to obtain root /admin privileges on the

machine or deface thewebsite.

This proved for some

great comedy.




Where We’re At– The Present

Since more dynamicand unique content hasbeen added towebsites, and usersdemand even MOREfunctionality so thatthey can do everythingelectronically, insecurecontent was added atan expedited pace!

And users andmanagement demandeven more!




Where We’re Going– The Future

Application hacking isbecoming more complexas applications arebecoming more complex.The possibilities are

endless when it comesdown to what can youexploit in webapplications.

Take for InstanceApplication Worms, WebApplication Worms.



What Application Security Means to Compliance Efforts

How prolific could this whole scenario be?




Types of Compliance Regulations

Privacy

HIPPA (Health Insurance Portability andAccountability Act)

SOX (The Sarbanes-Oxley Act )

GLBA (Gramm-Leach-Bliley Act)

Disclosure

CA1386

Federal Trade Commission

Privacy Policy

Practice

PCI




Privacy

Privacy

HIPAA (Health Insurance Portability andAccountability Act)

SOX (The Sarbanes-Oxley Act )

GLBA (Gramm-Leach-Bliley Act)




HIPAA

The Health Insurance Portability and Accountability Act(HIPAA) mandates the privacy and security of personalhealth

The Security Rule of the Act recommends informationsecurity best practices to protect personal information.

HIPAA requires organizations to perform a HIPAA security

risk assessment to determine what applications and data arevulnerable, to ensure proper authentication, accesscontrol, and logging systems, and to conduct ongoingauditing of information systems to test for newly discoveredvulnerabilities.

Web Challenge:

Establishing a security policy

Establishing standards that support the policy

Effectively auditing to ensure policy compliance






GLBA - The Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA), formally known as the Financial

Modernization Act of 1999, Established requirements for financial institutions in the United States

to protect consumers’ personal financial information. The GLBA contains three principle requirements

The Financial Privacy Rule requires financial institutions to publisha privacy notice to their customers

Consumers also must be given the right to limit the sharing of

their personal information. The Safeguards Rules require all financial institutions to design,

implement and maintain safeguards and a security plan to protectcustomer information that they handle.

Web Challenges Customer information resides on the same networks as web

applications or there associated systems (Databases, etc)

Web front ends for financial systems are a common interface tocustomer financial systems. These can be susceptible to web application attacks Requires the development of a policy




Disclosure

Disclosure

CA1386

MANY others are coming VERY SOON




CA 1386

Enacted in order to force anyone holding private personalinformation, to inform consumers immediately if theirpersonal information has been compromised.

The law also gives consumers the right to sue

Any business, organization or individual that holds private

personal information for a person residing in the state of California is bound by the provisions of the law, soCalifornia SB 1386 has a much greater impact nationallythan is typical for state legislation.

Web Challenges:

Is a performance based law, not policy based

If you get hacked you have to disclose the incident






Privacy Policy

www.owasp.org

www.webappsec.org

www.securityfocus.com

www.spidynamics.com

http://www.owasp.org/

http://www.webappsec.org/

http://www.securityfocus.com/

http://www.spidynamics.com/


http://www.securityfocus.com/







From: http://www.ftc.gov/privacy/

“Under the FTC Act, the Commission guards againstunfairness and deception by enforcing companies'privacy promises about how they collect , use andsecure consumers' personal information.”

Web security challenge: Companies are being investigated for FTC violations

because they are not living up to there stated policy

http://www.webappsec.org/documents/real_world_web_hac

PETCO

Guess Many others

http://www.ftc.gov/privacy/

http://www.webappsec.org/documents/real_world_web_hacking.shtml

http://www.webappsec.org/documents/real_world_web_hacking.shtml

http://www.ftc.gov/privacy/




Visa PCI

The Payment Card Industry (PCI) Data Security Standard is acollaborative effort by Visa, MasterCard, American Express andDiscover to ensure the protection of customers' personalinformation.

The standard establishes 12 security requirements that allmembers, merchants and service providers must adhere to.

Sections 6, 11 and 12 have specific web related issues.

Web security challenges

PCI is the most comprehensive and specific standard in theindustry.

Following the standard will greatly improve a companies

web application security overall

Not following PCI can cost a company it’s ability to processcredit cards




VISA PCI

http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html

Go to VISA.COM and search for PCI

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect data

2. Do not use vendor-supplied defaults for system passwords and other securityparameters

Protect Cardholder Data

3. Protect stored data

4. Encrypt transmission of cardholder data and sensitive information across publicnetworks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security






General compliance needs

Establish a security policy

Identify what will be done to address web applicationsecurity needs and who will be responsible for it

Follow the policy

Ensure that security policies are being followed

throughout the software lifecycle Document that the policy was followed

Have a record of testing that was done to ensure thatthe policy was followed

SDLC

The Software Development Lifecycle Cycle needs torespect and support compliance efforts

Unlike other compliance efforts, web application securityneeds to be integrated into the SDLC




ASAP Process

Security Training

Threat

Modeling

Create Development

Standards

Infrastructure

Design

Security

Kickoff

Requirements Design Development Test (QA) Release

Source code review

Development

AssessmentTools

Pen Testing

Secure coding

libraries

QA

AutomatedAssessment

tools

QA Manual

Assessment

tools

Automated assessment

tools

Security services

Infrastructure Assessment

Support &

Services

Regulatory Compliance




Enterprise-Wide Web Application Security

Web Application Security testingmust be applied in all phases of theApplication Lifecycle and by allconstituencies throughout theenterprise – Auditors, Application

Developers, QA and SecurityOperations.

AA DD

QQSS

WebApplication

Security

WebApplication

Security

WebApplication

Security

WebApplication

Security




• Must have clear cut securityrequirement to follow duringDevelopment and QA phases

• Need to run automated tests on code

during Development phase• Must utilize secure code for re-use

• Require automated testing productsthat integrate into currentenvironment

Application Developers


QQSS

A

WebWebApplication

Web

Application

Security

Web

Application

Security

A

DD




Quality Assurance Professionals

•Must test applications not only for functionality but also for security

•Must test environments for potential flaws and insecurities

•Must provide detailed security flaw reports to development

•Require automated testing products that integrate into currentenvironment


DD

SS

A

WebWebApplicationWeb

Application

Security

WebApplication

Security

A

QQ






• Help define regulatory requirements during

the Definition phase of the Application

Lifecycle

• Assess applications once they are in theProduction phase to validate compliance

• Must act as resource for what is and is not

acceptable

Security Auditors and Risk

and Compliance Officers


DD

QQSS

WebWebApplication

WebApplication

Security

WebApplication

Security

A

P t Fi




Part Five

Other Online Resources

Websites and mailing lists on the net

W b it




Websites

- www.spidynamics.com

Web Application Security Consortium -www.webappsec.org

CGISecurity.net – http://www.cgisecurity.net/

Open Web Application security Project -www.owasp.org

WebAppSec Mailing list – Security Focus



http://www.cgisecurity.net/



http://www.cgisecurity.net/





Questions?

Contact



Contact

SPI Dynamics, Inc.115 Perimeter Center Place

Suite 1100

Atlanta, GA 30346

For a freeWebInspectTM 15-daytrial download visit:

www.spidynamics.com

Brian Christian: [email protected]

Date post:	10-Apr-2018
Category:	Documents
Upload:	parth-r-shah
View:	218 times
Download:	0 times

Spi Workshop Preso Worm Hack2

Documents