Date posted: 15-Jul-2015
Uploaded by: mohit-kanwar
Hackers: The Internet's Immune System
Disclaimer: Use this knowledge in a positive manner. Help the development of secure software.
Who's Fault??
- Security failure of the respective nations
- Intelligence failure
- Failure to prevent such incidents
- Failure to implement the security framework efficiently
It is because of Osama and Kasab that we know about our security flaws, that we learn the hard way, but we did.
Think b4 attacking again, we are stronger!
The Internet's Immune System
It is a constant fight between application developers and hackers. Who wins?
Aim of this presentation is to share knowledge about developing secure applications:
- Understanding how hackers think
- Security principles
Why Software Security?
Application security is an unsaid requirement.
Most of the applications deal with at least one of the following:
- Financial information: credit cards, account numbers
- Customer's personal information: name, contact information
Information Sensitivity
Information about special people like expecting parents, the LGBT community, the rich and affluent, and sports persons is 10 to 50 times more valuable than that of the rest of the people, as they are target customers of various products.
Why do people hack software?
- Fun / pride
- Money
- Free goodies
- Processing power / coin minting
- Advertisements
- Mind wash (religion / politics)
- Wars
- To bring out vulnerabilities
- Irritating processes
Hack-1
Sony Pictures, $171 million
Hacked in April to June 2011
Hacked by: LulzSec
Cause: SQL injection
The hack affected 77 million accounts and is still considered the worst gaming community data breach ever. Attackers stole valuable information: full names, logins, passwords, e-mails, home addresses, purchase history, and credit card numbers.
Hack-2
Citigroup, $2.7 million
Hacked in June 2011
Caused by: poor implementation of authorization. Secure data was accessible to unauthorized users (URL parameter checks missing).
Exposed the financial data of more than 360,000 customers.
User Profile Bug
Consider a user story: “As an Admin user, I would like to see the profile of any selected user in the system”
UI / Service / Controller / DAO
Select * from Users where userid = ?  (userid passed from user's input)
User story extension: “As a logged in user, I should be able to view my profile”
Developers are lazy: concept of re-usability.
Select * from Users where userid = ?  (userid passed from user's profile)
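An added illustration of the bug on these slides (example code written for this page, not from the original deck). The DAO query is the slide's query and is reused unchanged; the only difference between the vulnerable and the fixed service is where userid comes from. The Users table layout, the sample rows and the session dictionaries are constructed for the demo.

```python
import sqlite3

def make_db():
    """Constructed sample Users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (userid INTEGER PRIMARY KEY, name TEXT, role TEXT, card TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", [
        (1, "admin", "ADMIN", "none"),
        (2, "alice", "USER", "4111-xxxx-xxxx-0001"),
        (3, "bob", "USER", "4111-xxxx-xxxx-0002"),
    ])
    return conn

# DAO: the slide's query, reused as-is. Parameter binding keeps it safe from
# SQL injection, but the DAO has no idea who is asking for the row.
def find_user(conn, userid):
    return conn.execute("SELECT * FROM Users WHERE userid = ?", (userid,)).fetchone()

# Vulnerable service: the admin code path re-used for ordinary users, so the
# userid still comes straight from the request ("passed from user's input").
# Any logged-in user can read any other user's row, including the card number.
def view_profile_vulnerable(conn, session, requested_userid):
    return find_user(conn, requested_userid)

# Fixed service: only an admin may choose the userid. For everyone else the id
# is taken from the logged-in session ("passed from user's profile"), and a
# request for someone else's profile is refused and logged, not silently served.
def view_profile(conn, session, requested_userid, audit_log):
    if session["role"] == "ADMIN":
        return find_user(conn, requested_userid)
    if requested_userid != session["userid"]:
        audit_log.append("userid %d requested profile %d" % (session["userid"], requested_userid))
        raise PermissionError("not authorized to view this profile")
    return find_user(conn, session["userid"])

if __name__ == "__main__":
    db, alice, log = make_db(), {"userid": 2, "role": "USER"}, []
    print("vulnerable:", view_profile_vulnerable(db, alice, 3))  # bob's row leaks
    try:
        view_profile(db, alice, 3, log)
    except PermissionError as e:
        print("fixed:", e, log)
```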
Hack-3
AT&T, $2 million
The US carrier was hacked last year, but said no account information was exposed. They said they warned one million customers about the security breach. Money stolen from the hacked business accounts was used by a group related to Al Qaeda to fund terrorist attacks in Asia. According to reports, refunding customers cost AT&T almost $2 million.
Hack-4
Reginaldo Silva was paid $33,500 for an XML external entity vulnerability
https://www.facebook.com/whitehat
XML external entity vulnerability
Similar to SQL injection: tainted data is inserted in XML, the XML processor processes the tainted data and becomes the hacker's slave.
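An added example of how an application can refuse the pattern described on this slide before the XML processor acts on it (example code for this page, not from the deck or from the Facebook report). It uses Python's standard expat parser; any DOCTYPE or entity declaration aborts parsing, so an external entity is never resolved. Both XML documents are constructed samples, and the SYSTEM path is a placeholder.

```python
import xml.parsers.expat as expat

class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DTD, the carrier of XXE payloads."""

def parse_untrusted_xml(data):
    """Parse a small XML record from an untrusted source.

    Returns {"elements": [...], "text": [...]}. A DOCTYPE or any entity
    declaration raises UnsafeXML from inside the parser callbacks, before
    the entity can be expanded or fetched.
    """
    result = {"elements": [], "text": []}
    p = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE not allowed in untrusted input: %s" % name)

    def reject_entity(*decl):
        raise UnsafeXML("entity declaration not allowed in untrusted input")

    p.StartDoctypeDeclHandler = reject_doctype
    p.EntityDeclHandler = reject_entity
    # Belt and braces: never fetch an external resource even if one slipped through.
    p.ExternalEntityRefHandler = lambda context, base, sysid, pubid: False
    p.StartElementHandler = lambda name, attrs: result["elements"].append(name)
    p.CharacterDataHandler = lambda text: result["text"].append(text)
    try:
        p.Parse(data, True)
    except expat.ExpatError as e:
        raise UnsafeXML("malformed XML: %s" % e)
    return result

# Constructed samples: a normal record and one carrying the XXE pattern
# (a DOCTYPE that declares an external entity; the path is a placeholder).
BENIGN = b"<profile><name>alice</name></profile>"
HOSTILE = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE profile [<!ENTITY ext SYSTEM "file:///placeholder">]>'
           b"<profile><name>&ext;</name></profile>")

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    try:
        parse_untrusted_xml(HOSTILE)
    except UnsafeXML as e:
        print("rejected:", e)
```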
Third Party Cookies
Old standards: RFC 2109 and RFC 2965 specify that browsers should protect user privacy and not allow sharing of cookies between servers by default. The newer standard, RFC 6265, explicitly allows user agents to implement whichever third-party cookie policy they wish.
Advertising companies use third-party cookies to track a user across multiple sites. In particular, an advertising company can track a user across all pages where it has placed advertising images or web bugs. Knowledge of the pages visited by a user allows the advertising company to target advertisements to the user's presumed preferences.
How do Hackers Think?
They take advantage of any available clues:
- Error messages
- Time taken for a request to respond
- Social networking
- Input fields: XSS, SQL injection
Error Messages
User Story 1: “As a user of the system, I want my account to be safeguarded against more than 3 invalid retries. My account must be locked if someone attempts to use trial and error to guess my password.”
User Story 2: “All error messages must be clear and easy to understand.”
- “Your username is Invalid”
- “Your password is Invalid”
- “You have made 'x' unsuccessful attempts to login. After 3 unsuccessful attempts, your account would be locked out.”
- “You have entered invalid username or password. Please retry”
Soln.: Do not reveal any information which should not be revealed, directly or indirectly. Make use of CAPTCHA for repetitive requests.
Time taken to Respond
Soln.: Consistent response time for valid and invalid requests. Add client identifiers, and respond with a delay of 100^n nanoseconds, where n = number of attempts previously made: 1, 100, 10,000, 1,000,000.
This wouldn't cause much impact on normal users, but would delay the hacker's activities hugely.
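An added example putting the two solutions above together (the generic error message and lockout from the Error Messages slides, and the per-client 100^n nanosecond delay from this slide); it is example code for this page, not from the deck. The class name, the PBKDF2 work factor and the "Welcome" success message are assumptions; the constant-time comparison and the dummy credential for unknown usernames are what keep valid and invalid requests on the same response time.

```python
import hashlib
import hmac
import os
import time

GENERIC_MESSAGE = "You have entered invalid username or password. Please retry"
MAX_ATTEMPTS = 3      # user story 1: lock the account after 3 invalid retries
ITERATIONS = 50_000   # PBKDF2 work factor, an assumed value for the demo

def backoff_ns(previous_attempts):
    """Slide formula: delay of 100^n nanoseconds, n = attempts this client
    identifier has already made -> 1, 100, 10,000, 1,000,000, ..."""
    return 100 ** previous_attempts

class LoginService:
    def __init__(self, sleep=time.sleep):
        self._users = {}      # username -> (salt, pbkdf2 digest)
        self._failures = {}   # username -> consecutive failures
        self._locked = set()  # usernames locked after MAX_ATTEMPTS failures
        self._attempts = {}   # client identifier -> attempts made so far
        self._sleep = sleep   # injectable so tests need not really wait
        # Unknown usernames are verified against this dummy credential, so
        # "no such user" costs the same time as "wrong password".
        self._dummy = (os.urandom(16), self._hash("dummy", os.urandom(16)))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, client_id, username, password):
        n = self._attempts.get(client_id, 0)
        self._sleep(backoff_ns(n) / 1e9)          # growing per-client delay
        salt, digest = self._users.get(username, self._dummy)
        ok = hmac.compare_digest(self._hash(password, salt), digest)
        if ok and username in self._users and username not in self._locked:
            self._attempts.pop(client_id, None)
            self._failures.pop(username, None)
            return True, "Welcome"
        self._attempts[client_id] = n + 1
        if username in self._users:
            self._failures[username] = self._failures.get(username, 0) + 1
            if self._failures[username] >= MAX_ATTEMPTS:
                self._locked.add(username)
        # One message for every failure: unknown user, wrong password, or locked.
        return False, GENERIC_MESSAGE
```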
Security Questions
“What was your first school?” “Where did you first meet your spouse?” “What is your birth place?”
Disadvantage 1: All the info is available on social networking sites.
Disadvantage 2: My first school was Seventh Day Adventist Sr. Sec. School, and the same answer may be typed as “Seventh day”, “7th day”, “Seven day”, “seven day” or “seventhday”.
Apply defense in depth
- Anti-virus software
- Authentication and authorization security
- Biometrics
- DMZ
- Firewalls (hardware or software)
- Hashing passwords
- Intrusion protection and detection systems
- Logging and auditing
- Vulnerability detection
- Physical security
- Timed access control
- Internet security awareness
- VPN
- Sandboxing
Fail securely
- Throw meaningful/clear exceptions
- A failure in a security mechanism should lead to disallowing the operation (in most cases)
- Enable logging and auditing on exceptions
- Analysis of exceptions
Principle of Least Privilege
- Begin with the least privileges
- Provide additional privileges only if required, and after scrutiny
If you like it today
Planning to do an XTR covering:
- Send email from any account
- Log the user out by sending an email (URL)
- Movie ticket denial of service
- Security certification in sysinfo
- HackMe Challenge