Security Theatre - Benelux

Information about Security Theatre - Benelux

Published on January 29, 2016

Author: xsist10

Source: slideshare.net

1. Booking.com WE ARE HIRING Work @ Booking: http://grnh.se/seomt7

2. Security Theatre @thomas_shone Image by Matt McGee released under CC BY-ND 2.0 https://joind.in/talk/7c669

3. Illusion

4. Denial

5. I know about OWASP!

6. If you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated” @thegrugq Reference: https://twitter.com/thegrugq/status/658991205816995840

7. But I use antivirus!

8. Crypting services make most antivirus techniques useless Reference: http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/

9. Let us put an unsecured node.js server on your personal computer TrendMicro Antivirus on Windows Jan 2016 https://code.google.com/p/google-security-research/issues/detail?id=693

10. Remote code-executions via your mail client downloading an email Sophos Antivirus June 2015 https://lock.cmpxchg8b.com/sophailv2.pdf

11. We’re all bad at security

12. Users are bad at security ➢ Weak passwords ➢ Password reset questions ➢ Human verification sucks ➢ Clickbait and phishing ➢ Attachments ➢ URL mistype ➢ Routine and workarounds ➢ Convenience trumps security

13. Developers are bad at security Reference: https://github.com/

14. Hackers are bad at security

15. A study in scarlet

16. 43 applications, libraries or frameworks over 4,800 versions over 10 million files

17. 255,000 scans About 6k/month from June 2012 till now

18. Results July 2015

19. Most popular software It’s not what you think

20. How bad is it?

21. Why is it so bad?

22. I have seen things Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn

23. Versioning Hell 1.3-final-beta6-pre-patch3

24. OpenX Backdoored for almost a year

25. Lessons Learnt

26. Versioning Projects with bad versioning also have some of the worst security issues

27. Automatic Patching If your software comes with automatic upgrading, people will use it

28. Plugins and Templates If an update needs manual changes for plugins or templates, no one updates

29. Patch Fatigue Exists Image by Aaaron Jacobs released under CC BY-SA 2.0

30. Anger Image by Josh Janssen released under CC BY-ND 2.0

31. Why doesn’t someone do something about it?

32. Private industry keeps threatening security researchers

33. "How many Fortune 500 companies are hacked right now? Answer, 500." Mikko Hypponen, CRO of F-Secure Reference: https://twitter.com/mikko/status/184329161257652227

34. Why don’t we have some form of standard?

35. We have ISO 27001/2, ISO 15408, RFC 2196, PCI DSS, NIST, … Reference: https://en.wikipedia.org/wiki/Cyber_security_standards

36. Why doesn’t the government do something about it?

37. A Ukrainian power plant was hacked & shut down because someone had macros enabled in Excel Reference: https://t.co/PA7cDQC9EI

38. NSA: We’re just upgrading your megaflops, promise.

39. Reference: https://t.co/PA7cDQC9EI Image by Unknown released into the Public Domain

40. Bargaining Image by Jeroen Moes released under CC BY-SA 2.0

41. But what if we installed advanced IDSs, WAFs and specialised network hardware?

42. We probably only knew about one of the two backdoors in our system Juniper Networks Dec 2015 http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/

43. IDSs produce reports. Managers like reports: it helps them feel like they can "manage" security http://security.stackexchange.com/questions/12164/how-effective-is-an-ids-at-catching-targeted-attacks

44. We’ll start following prescribed security standards

45. That’s great for your insurance premiums

46. Depression

47. Ninety percent of everything is crap. Sturgeon's law Reference: https://en.wikipedia.org/wiki/Sturgeon%27s_law

48. Acceptance Image by Stephan Brunet released under CC BY-SA 3.0

49. Effective?

50. Most of our security practices are ineffective

51. We do security in isolation

52. Holistic

53. Hardware Drivers Services Your Dependencies Operating System Your Software Humans Network / Internet Area of Influence

54. Hardware Drivers Services Your Dependencies Operating System Your Software Humans Network / Internet HR/Training System Administrators Downstream Providers

55. Layered Image by Cadw released under OGL via Commons

56. Image by Albert Bridge released under CC BY-SA 2.0 Surface Area

57. Alertness Image by MeganCollins released under CC BY-NC-ND 3.0

58. Mitigation Image by Pivari.com released under CC BY-SA 3.0

59. Trust

60. Trust?

61. Be aware of what you’re trusting

62. The hardest part of security is not writing secure code

63. It’s understanding where you misplace your trust

64. Trust is a chain

65. I trust my computer is not compromised (Up-to-date patches) TRUST

66. I trust that the software is without vulnerability (Vulnerability research and security updates) TRUST

67. I trust that the software is configured properly (Automated provisioning) TRUST

68. I trust that the network is configured properly and secure (Good system administrators) TRUST

69. I trust you are who you say you are (TLS Certificate Peer Verification or Authentication) TRUST

70. I trust you are allowed to talk to me about this topic (Authorization) TRUST

71. I trust that what you send me hasn’t been tampered with (Hashes or signatures) TRUST

72. I trust that what we talk about is just between us (Public and private keys) TRUST

73. I trust your computer is not compromised (????) TRUST

74. I trust that what we talk about won’t be shared with others (Contracts, Legalities, Terms of use, ????) TRUST

75. I trust that the user won’t be the weak link (Training and procedures) TRUST

76. Turn your chain into a mesh Image by ineverfinishanyth released under CC BY-NC-SA 2.5

77. Common Mistakes

78. Weakening Compromising encryption or hashing is about reducing time to crack

79. Implementation A bad implementation helps reduce the time to crack

80. Authentication

81. 2 Factor Authentication composer require pragmarx/google2fa

82. OAuth2 composer require league/oauth2-client

83. Sessions

84. Image by Wouter van Emmerik released under CC BY-SA 3.0 Never roll your own

85. Mistakes: Deep understanding of the language (CODE SAMPLE) Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
    if (strstr($_SERVER['QUERY_STRING'], 'session_to_unset') != false) {
        parse_str($_SERVER['QUERY_STRING']);
        session_write_close();
        session_id($session_to_unset);
        session_start();
        $_SESSION = array();
        session_write_close();
        session_destroy();
        exit;
    }

86. Encryption

87. Image by Wouter van Emmerik released under CC BY-SA 3.0 Never roll your own

88. Avoid old tutorials on encryption https://gist.github.com/paragonie-scott/e9319254c8ecbad4f227

89. Avoid advice like this: Weakening security for convenience (CODE SAMPLE)
    Failed: Error Number: 60. Reason: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    // Many old tutorials and posts suggest disabling peer verification
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    // Thankfully PHP 5.6+ handles CA certificate location automatically
    // now thanks to https://wiki.php.net/rfc/improved-tls-defaults and
    // Daniel Lowrey
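As an added example (not code from the talk), here is the weakened cURL setup from the slide beside the verifying configuration a client should keep; the URL and the commented CA-bundle path are constructed placeholders, and PHP 7+ is assumed.

```php
<?php
// Added example, not code from the talk: the weakened settings from the slide beside
// the verifying configuration. The URL and CA-bundle path are constructed placeholders.
function build_client(string $url, bool $weakened)
{
    $ch = curl_init($url);
    if ($weakened) {
        // What the old tutorials suggest: any certificate for any host is accepted, so
        // anyone on the path can terminate the TLS connection and read the traffic.
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    } else {
        // These are the defaults; setting them explicitly documents the intent and
        // undoes a shared helper that may have switched them off earlier.
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); // certificate name must match the host
        // Only if the system bundle is missing: point at a real CA bundle, never at the
        // self-signed leaf certificate of the server you are calling.
        // curl_setopt($ch, CURLOPT_CAINFO, '/etc/ssl/certs/ca-certificates.crt');
    }
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

$ch   = build_client('https://api.example.com/v1/ping', false);
$body = curl_exec($ch);
if ($body === false) {
    // Error 60 means the CA bundle can't validate the chain. Fix the bundle
    // (openssl.cafile / curl.cainfo in php.ini) rather than turning verification off.
    fwrite(STDERR, 'TLS failure: ' . curl_error($ch) . PHP_EOL);
} else {
    echo $body;
}
curl_close($ch);
```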

90. Hashing

91. Image by Wouter van Emmerik released under CC BY-SA 3.0 Never roll your own

92. One way encoding Comparisons / Integrity Checks

93. 278,362,281 Number of accounts publicly leaked Reference: https://haveibeenpwned.com/

94. Weak hash functions +/- 690GB rainbow tables

95. Bad implementation: Where is the weakness? (CODE SAMPLE)
    $password = 'rasmuslerdorf';
    $hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';
    // Is this call safe?
    if (crypt($password, $hash) === $hash) {
        echo 'Password is correct';
    }
    // What about this one?
    if (password_verify($password, $hash)) {
        echo 'Password is correct';
    }

96. Timing Attacks Brute forcing cryptographic functions via time taken to execute

97. Timing Attacks: How it works (CODE SAMPLE)
    $string1 = 'abcd';
    $string2 = 'abce';
    $string3 = 'acde';
    for ($i = 0; $i < 10000; $i++) {
        ($string1 === $string2);
    }
    // Time taken: 0.006923
    for ($i = 0; $i < 10000; $i++) {
        ($string1 === $string3);
    }
    // Time taken: 0.008344

98. Timing attacks can be used to work out if an account exists, even if the UI doesn't say so. @troyhunt, haveibeenpwned.com Reference: https://t.co/5WkQ48suj7
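An added example (not code from the talk) tying the "Where is the weakness?" slide to the timing slides: the crypt() === $hash check is the weak one, password_verify() compares in constant time internally, and hash_equals() gives the same guarantee to any other secret you compare yourself. It assumes PHP 7+ and measures comparisons the way the slide does.

```php
<?php
// Added example, not code from the talk. The crypt() === $hash check from the earlier
// slide leaks timing; hash_equals() (PHP 5.6+) is the fix when you compare secrets yourself.

// Weak: === stops at the first differing byte, so the time taken depends on how much
// of the attacker-supplied value matches the stored one.
function verify_weak(string $password, string $storedHash): bool
{
    return crypt($password, $storedHash) === $storedHash;
}

// Fixed: hash_equals() walks every byte of the known string regardless of where the
// first difference is. Argument order is (known, user-supplied).
function verify_fixed(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// The same rule applies to API keys, CSRF tokens and password reset tokens.
function token_matches(string $expected, string $supplied): bool
{
    return hash_equals($expected, $supplied);
}

// Measure a comparison the way the slide does, taking the median of several runs
// so a single scheduler hiccup doesn't skew the number.
function time_compare(callable $cmp, string $a, string $b, int $iterations = 200000): float
{
    $samples = [];
    for ($run = 0; $run < 5; $run++) {
        $start = microtime(true);
        for ($i = 0; $i < $iterations; $i++) {
            $cmp($a, $b);
        }
        $samples[] = (microtime(true) - $start) * 1000; // milliseconds
    }
    sort($samples);
    return $samples[2];
}

$secret   = str_repeat('a', 32);
$nearMiss = str_repeat('a', 31) . 'b'; // differs only in the last byte
$farMiss  = 'b' . str_repeat('a', 31); // differs in the first byte
$strict   = function (string $x, string $y): bool { return $x === $y; };
printf("===         near %.2f ms, far %.2f ms\n",
    time_compare($strict, $secret, $nearMiss), time_compare($strict, $secret, $farMiss));
printf("hash_equals near %.2f ms, far %.2f ms\n",
    time_compare('token_matches', $secret, $nearMiss), time_compare('token_matches', $secret, $farMiss));
```

The gap between the near and far timings is what an attacker measures over many requests; with hash_equals() the two numbers should be indistinguishable.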

99. Well actually Amount of randomness matters Reference: http://blog.ircmaxell.com/2012/12/seven-ways-to-screw-up-bcrypt.html

100. Rehash: Build it into your flow (CODE SAMPLE)
    $password = 'rasmuslerdorf';
    $hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';
    // Check the password
    if (password_verify($password, $hash)) {
        echo 'Password is correct';
        if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
            // Rehash and store in database
            $newPassword = password_hash($password, PASSWORD_DEFAULT);
        }
    }

101. Randomness

102. Image by Wouter van Emmerik released under CC BY-SA 3.0 Never roll your own

103. Non-deterministic randomness is critical in encryption Used for key generation and nonces

104. Non-deterministic randomness is hard Dual_EC_DRBG was in use for 7 years

105. Random in code: Know the source (CODE SAMPLE)
    // NOT cryptographically secure
    rand();
    // Cryptographically secure (uses OS-specific source)
    random_int($min, $max);
    // Cryptographically secure (uses OS-specific source)
    random_bytes($length);
    // Cryptographically secure (uses OpenSSL library)
    openssl_random_pseudo_bytes($length);
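As an added example (not code from the talk), the sources listed on the slide used for the jobs the earlier slide names, key material, nonces and tokens, with the OpenSSL failure case handled. It assumes PHP 7+ and ext/openssl.

```php
<?php
// Added example, not code from the talk. Generating secrets with the sources the slide
// lists. Assumes PHP 7+ (random_int/random_bytes) and ext/openssl for openssl_secret().

// Password reset token or similar identifier: 32 random bytes, hex-encoded for a URL.
function reset_token(): string
{
    return bin2hex(random_bytes(32)); // 256 bits of entropy, 64 hex characters
}

// Nonce for AES-GCM or similar: must never repeat under one key; 12 bytes is the usual size.
function aead_nonce(): string
{
    return random_bytes(12);
}

// Uniform choice from an alphabet: random_int() has no modulo bias, unlike rand() % n.
function random_code(int $length, string $alphabet = '0123456789'): string
{
    $out = '';
    $max = strlen($alphabet) - 1;
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// openssl_random_pseudo_bytes() reports through its second argument whether the
// bytes came from a strong source; treat "not strong" as a hard failure, not a warning.
function openssl_secret(int $length): string
{
    $bytes = openssl_random_pseudo_bytes($length, $strong);
    if ($bytes === false || $strong !== true) {
        throw new RuntimeException('no cryptographically strong randomness available');
    }
    return $bytes;
}

// What NOT to do: rand()/mt_rand() are seeded predictably and their state can be
// recovered from a few observed outputs. Hashing the output does not add entropy.
function bad_token(): string
{
    return md5((string) rand()); // looks random, is not
}

echo reset_token(), PHP_EOL;
echo random_code(6), PHP_EOL;          // e.g. an SMS one-time code
echo bin2hex(openssl_secret(16)), PHP_EOL;
```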

106. Information Disclosure

107. Information Disclosure: Every piece of information can be leveraged (LOG SAMPLE)
    HEAD http://example.com/index.php
    200 OK
    Connection: close
    Date: Sat, 26 Dec 2015 13:52:01 GMT
    Server: Apache
    Content-Type: text/html; charset=UTF-8
    Client-Date: Sat, 26 Dec 2015 13:52:01 GMT
    Client-Peer: 192.168.0.101:80
    Client-Response-Num: 1
    X-Powered-By: PHP/5.5.11

109. Information Disclosure: Every piece of information can be leveraged (LOG SAMPLE)
    Warning: require(assets/includes/footer.php) [function.require]: failed to open stream: No such file or directory in /home/user/path/to/assets/includes/operations.php on line 38
    Fatal error: require() [function.require]: Failed opening required 'assets/includes/footer.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/path/to/assets/includes/operations.php on line 38
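An added example (not code from the talk) that closes the two leaks shown in the log samples above: the X-Powered-By version header and PHP errors printing filesystem paths into the page. The log path is a constructed placeholder and PHP 7+ is assumed; the Server: Apache header is controlled by Apache's ServerTokens directive, not from PHP.

```php
<?php
// Added example, not code from the talk. Closes the leaks shown in the log samples:
// the X-Powered-By header and on-page PHP warnings carrying full filesystem paths.

// Don't advertise the PHP version. php.ini "expose_php = Off" is the durable fix;
// header_remove() covers hosts where you cannot change the ini.
header_remove('X-Powered-By');

// Errors go to the log, never into the response body.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log'); // constructed path
error_reporting(E_ALL);

// Turn warnings and notices into exceptions so a failed require() can't half-render a page
// (the slide's sample printed the warning first, then the fatal error, both to the visitor).
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// One generic page for the user; the details, paths included, only reach the log.
set_exception_handler(function (Throwable $e) {
    $ref = bin2hex(random_bytes(4)); // lets support find the log entry for a complaint
    error_log(sprintf('[%s] %s in %s:%d', $ref, $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'Something went wrong. Reference: ', $ref, PHP_EOL;
});

// The slide's failure reproduced: the include is missing. The warning now becomes an
// exception, the visitor sees the generic page and the path stays in the log.
require 'assets/includes/footer.php';
```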

110. Social Engineering

111. Weak password reset processes Can you Google the answer? How do you handle customer support reset?

112. Customer support training Convenience vs Security

113. @N’s (Naoki Hiroshima) Story How do you mitigate against this?

114. Hope Image by Jenny released under CC BY-NC-ND 2.0

115. Holistic

116. Read Know about new threats and best practice changes

117. Information Only store what you really need

118. Patching Strategy If a dependency prevents updating, resolve it now

119. Don’t become comfortable Comfort breeds contempt

120. Training Strategy Have a process for dealing with account locks and resets

121. Compromise Strategy Have a plan before you need it

122. Mistakes will be made Learn from them

123. Rate limit Build it now, or you’ll have to build it while an incident is underway

124. Monitor everything You’re more likely to be alerted by a graph spiking than your IDS

125. Decouple roles Databases, servers, domains, roles, ...

126. Version properly Major.Minor.Patch. How hard is that?

127. Composer everything There is no excuse anymore

128. Decouple plugins/templates Updates should be simple

129. Get behind PSR-9 & 10 http://www.php-fig.org/psr/

130. Group Performance Image by Matt McGee released under CC BY-ND 2.0

131. Thank you https://joind.in/talk/7c669 @thomas_shone
