“Quality Software: Designed to be HACKED!” SQNZ Presentation, Thursday 16th February 2006. Andy Prow, Managing Director of Aura Software Security Ltd and Aura Software Architects Ltd
The Message “Think about security in EVERY IT project within your organisation” “Make NO assumptions about which aspects of your IT are SAFE” “PLAN for a security breach” “Make information security a CEO and senior management team priority” “Raise employee awareness of security issues within the whole organisation”
Who are we?
Andy Prow
• Software development industry for 11 years
• Lead development and development manager roles
• Technical Architect and Solutions Architect
Aura Software Architects (2001)
• Software Architecture and Design
• Specialist Development (Microsoft Technologies)
Aura Software Security (2005)
• Security Analysts and Consultants
• Secure Software Development Experts
Today’s Talk
• Common Vulnerabilities and Exploits: things you will be facing and SHOULD know about
• 2 Demonstrations
• Unusual Vulnerabilities: issues you can’t plan for (real-world examples)
• What to do: how do you design and develop secure systems? How do you keep systems secure over time?
Part 1: Common Vulnerabilities “Things to be concerned about”
• Web Interfaces
• Wireless
• Server Exploits
Common Vulnerabilities: Web-interfaces
• Unpatched web-servers and database servers
• Automated web-vulnerability scanners: Acunetix, WebInspect
• Invalid file permissions, found with Google searches, e.g. “filetype:mdb users.mdb”, “intitle:index.of.etc passwd”
• Custom scripting / SQL code injection
• Cookie tampering: Achilles (web-proxy)
• Brute force attacks: Hydra, Brutus
• Man in the middle: sniffing web-traffic; pharming (DNS cache poisoning); proxies that spoof SSL (Odysseus, Achilles)
Common Vulnerabilities: Web-interfaces. Acunetix, automated web-vulnerability scanner (screenshot)
Demo 1: SQL Injection. Mark Keegan, Security Consultant
Server Configuration
• Windows 2000 Server (unpatched)
• .NET Framework 1.1
• SQL Server 2000
• Hacme Bank (Foundstone.com)
Bypassing Login. Building up an inline SQL statement: the two form fields are concatenated straight into the query text, so whatever the browser sends becomes part of the SQL.
sql = "SELECT * FROM fsb_users WHERE Login_Id = '" & request("txtUserName") & "' AND Password = '" & request("txtPassword") & "'"
Bypassing Login. With a normal login the server runs:
SELECT * FROM fsb_users WHERE Login_Id = 'mkeegan' AND Password = 'Test123'
The attacker instead enters this as the user name, with an empty password: ' or 1=1 --
So how does it work? The leading quote closes the Login_Id string, "or 1=1" makes the WHERE clause true for every row, and "--" turns the rest of the statement (including the password check) into a comment, so the server actually runs:
SELECT * FROM fsb_users WHERE Login_Id = '' or 1=1 -- ' AND Password = ''
CmdShell. The same hole lets the attacker end the statement and stack a second one; on SQL Server 2000 the xp_cmdshell extended procedure runs an operating-system command with the privileges of the database service:
'; EXEC Master..XP_CMDSHELL DIR--
Other Attack Options
• Insert a new user
• Delete users
• Extract system passwords
• Enumerate the whole database to determine other tables
• Delete the database!!
• Shut down the server!!
• Attack other systems!!
Common Vulnerabilities: Wireless
• Wireless detection tools: Network Stumbler, Kismet (KisMAC)
• Hidden SSID identification, AP model & type, WEP/WPA, MAC address filtering…
• “Wellington WarDrive” in June 2005: 300+ scanned, 100+ OPEN (50 corporate), and 100+ poorly secured (WEP and/or MAC address filtering only)
• MAC address sniffing
• MAC address spoofing
• WEP cracking
• WPA cracking
Common Vulnerabilities: Wireless. Network Stumbler, wireless detection tool (screenshot)
Common Vulnerabilities: Servers
• Known vulnerabilities and exploits. Specialist tools and websites to: identify the version of the server and its services (such as telnet, web-server, FTP); map versions against known and new exploits; provide exploitation tools, packets and payloads
• Unpatched / slow to patch: “80% of exploits are available within the first 19 days of a critical vulnerability”
• Poorly administered: “When the DoD did studies on the matter, they found these actual attacks accounted for only 30% of hacking. Attacks against configuration and essentially poor system hardening account for 70% of successful attacks.”
• Unauthorised administrator or physical access: Who are your administrators? Are they skilled? Secure location. Hardware re-use
Common Vulnerabilities: Servers. ElseNot Project, ElseNot.com. “Goal: Exploit for Every Microsoft Security Bulletin”
Common Vulnerabilities: Servers. MilW0rm, www.milw0rm.com. Up-to-date source of exploits for all platforms and applications.
Common Vulnerabilities: Servers. Nessus, server vulnerability scanner (screenshot)
Demo 2 Creating a remote connection to a vulnerable server
Common Protection
Normal steps taken
• Patching servers
• Firewalls, DMZ, VPNs
• Website security, SSL
• Antivirus and Anti-Spyware products
• Mail filters
Additional steps
• Dedicated IT Security Team
• Network Monitoring Systems
• Intrusion Detection Systems
Part 2: Unusual Vulnerabilities “Things that pop your bubble”
Things that Pop your Bubble: Wellington bank with 14 locked-down wireless APs, but 1 wide-open AP
The issue: a pro-active, “can-do” manager buys a standard DSE wireless AP to cater for new temporary staff. Simply installs it and it works.
The impact: a TOTALLY unsecured wireless access point, with default settings, connected to the corporate LAN!
Things that Pop your Bubble: “Government agency with a custom application with unsecured NT User IDs and Passwords”
• AD is well secured
• Users self-register with their AD usernames and passwords
• The custom DB holding those credentials is NOT secured
Things that Pop your Bubble: “Managing Director with default wireless AP at home”
The issue: the MD connects to ADSL, purchases a common ADSL/wireless router, plug-and-play settings with NO security.
The threat: the MD’s laptop is now vulnerable to a hack from their home.
Things that Pop your Bubble. Previous example: “Sony Rootkit”
The issue: new Sony CDs install a copy-protection utility that sits beneath Windows XP and stops multiple copies of a CD, or unprotected ripping of the CD.
The threat: the “copy protection utility” is based on a rootkit, which sits beneath the operating system. Rootkits are a hacker’s dream: they give escalated permissions to processes and can create files and processes invisible to the OS. Usually the hard part for a hacker is “how do I get a rootkit onto a remote machine?” Thanks, Sony!
Things that Pop your Bubble. New latest example: “Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution” (WMF)
• Dec 27 2005: article on www.SecurityFocus.com; milw0rm exploit 1391; URLs published with damaging WMF files
• Dec 28 2005: Microsoft Security Advisory 912840; CVE-2005-4560 (Common Vulnerabilities and Exposures registry); work-arounds published; available as a Metasploit Framework (MSF) update
• Jan 5 2006: Microsoft Security Bulletin MS06-001
• Jan 15 2006: milw0rm exploit 1420
Part 3:Design to be Hacked • Build Security into every phase of your IT projects • Requirements • Design • Build • Deploy • Maintain • Don’t have a single bubble
Design to be hacked: Requirements Phase
• Understand your data assets
• Understand the “secure” functions
• Think up-front about the impact of: unauthorised access, data tampering, denial of service
• Threat modelling
Design to be hacked: Design Phase
• Follow “best practices”
• Build security into every layer: infrastructure, client, server, database
• Users, administrators and physical access
Design to be hacked: Build Phase
• Three levels of security: BLOCK an attack, TRACE the attack, take SMART ACTION
• Secure coding practices: staff training, guidelines
• Secure code frameworks, e.g. the Aura Secure Web Framework (MS .NET)
Design to be hacked: Deployment Phase
• Baseline: servers patched, firewall rules in place, users locked down, “dev access” removed
• Actually TEST your security! Initial deployment is the most likely time for mistakes. Perform your first penetration test and security audit NOW.
Design to be hacked: Ongoing Maintenance
• STAY PATCHED!
• Regular penetration tests
• Regular security audits
• Understand the current threat to YOUR systems
• Standard procedures: creating new users, removing old users, hardware destruction
Part 4: Secure your Organisation
• Make security part of your day-to-day business
• Think security in every IT project
• Think security in every IT system
• Make information security a CEO and senior management team priority. Do all IT projects have “security tasks”? Are you developing and deploying “secure systems”?
• Raise employee awareness of security issues within the whole organisation: data classification; the danger of USB devices, iPods, Sony CDs, home wireless…; ongoing training in systems and controls
Additional Steps
• In-House Hacker: performs pro-active security checks, e.g. server vulnerability checks, wireless AP checking. Armed with the latest hacker tools. MUST be well trained. MUST be well trusted.
• Trusted Security Advisors (Aura): constantly monitoring threats, exploits, patches and tools. A trusted entity who knows your internal IT infrastructure and configuration. Proactively participates in the hacker / security community, e.g. OWASP, www.OWASP.org, Open Web Application Security Project
“Quality Software: Designed to be HACKED!” SQNZ Presentation, Thursday 16th February 2006. Andy Prow, Managing Director of Aura Software Security Ltd and Aura Software Architects Ltd. Andy@AuraSoftwareSecurity.co.nz, Andy@AuraSoftwareArchitects.com. More info is available from www.AuraSoftwareSecurity.co.nz