1 / 48

Why hackers don’t care about your firewall

Why hackers don’t care about your firewall. Seba Deleersnyder seba@owasp.org. Sebastien Deleersnyder?. 5 years developer experience 11 years information security experience Managing Technical Consultant SAIT Zenitel Belgian OWASP chapter founder OWASP board member www.owasp.org

idola
Download Presentation

Why hackers don’t care about your firewall

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Why hackers don’t care about your firewall • Seba Deleersnyder • seba@owasp.org

  2. Sebastien Deleersnyder? • 5 years developer experience • 11 years information security experience • Managing Technical ConsultantSAIT Zenitel • Belgian OWASP chapter founder • OWASP board member • www.owasp.org • Co-organizer www.BruCON.org

  3. OWASP World OWASP is a worldwidefree and open community focused on improving the security of application software. Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.

  4. Myth • We are secure because we have a firewall • 75% of Internet Vulnerabilities are at Web Application Layer * • *Gartner Group (2002 report)

  5. Source: Jeremiah Grossman, BlackHat 2001

  6. 20th century technology

  7. Security evolution? Source: Gunnar Peterson (Arctec Group)

  8. A firewall friendly protocol • = • “a skull friendly bullet” • (Bruce Schneier)

  9. Your security “perimeter” has huge holes at the application layer Custom Developed Application Code Application Layer Databases Legacy Systems Web Services Directories Human Resrcs Billing APPLICATIONATTACK App Server Web Server Hardened OS Network Layer Firewall Firewall You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks

  10. OWASP Top 10

  11. A1 – Injection

  12. example: SQL-injectionattack • Select user_informationfrom user_tablewhere username=’input username’ and password=’input password’ Select user_informationfrom user_tablewhere username=’’ or 1=1-– ‘ and password=’abc’

  13. RockYou? • December 2009 • a hacker used SQL Injection techniquesto hack the database of RockYou • RockYou creates applications for MySpace, Facebook, ... • Result • data of 32.603.388 users and administrative accounts was compromised (credentials + clear text passwords) • the data also containedemail-addresses and passwordsfor 3rd party sites • Question: how many of those users use the same password for other sites too?

  14. A2 – Cross-Site Scripting (XSS)

  15. XSS = Cross-site Scripting • Web application vulnerability • Injection of code into web pages viewedbyothers XSS = new buffer overflow Javascript = new Shell Code

  16. XSSED.ORG Still not fixed (with redirection): http://www.google.com/search?btnI&q=allinurl:http://www.xssed.com/

  17. Browser Exploitation Framework

  18. A3 – Broken Authentication and Session Management

  19. Session Fixation Attack

  20. A4 – Insecure Direct Object References

  21. Insecure Direct Object References Illustrated • Attacker notices his acct parameter is 6065 ?acct=6065 • He modifies it to a nearby number ?acct=6066 • Attacker views the victim’s account information https://www.onlinebank.com/user?acct=6065

  22. A5 – Cross Site Request Forgery (CSRF)

  23. CSRF Illustrated

  24. CSRF Illustrated

  25. Good Saturday for OrkutUsers

  26. A6 – Security Misconfiguration

  27. Security Misconfiguration Illustrated Database Finance Transactions Accounts Administration Communication Knowledge Mgmt E-Commerce Bus. Functions Custom Code App Configuration Development Framework App Server QA Servers Web Server Hardened OS Insider Test Servers Source Control

  28. Serving up malware A quick Google Safe Browsing search of TechCrunch Europe's site shows suspicious activity twice over the last 90 days. "Of the 128 pages we tested on the site over the past 90 days, 58 page(s) resulted in malicious software being downloaded and installed without user consent.”(sep 2010) Reason: unpatched WordPress

  29. A7 – Failure to Restrict URL Access

  30. Failure to Restrict URL Access Illustrated • Attacker notices the URL indicates his role /user/getAccounts • He modifies it to another directory (role) /admin/getAccounts, or /manager/getAccounts • Attacker views more accounts than just their own

  31. A8 – Insecure Cryptographic Storage

  32. Encrypt customer data? • customer data, 77 Million compromised.(potentially CCs as well)

  33. A9 – Insufficient Transport Layer Protection

  34. Still not using SSL?

  35. A10 – Unvalidated Redirects and Forwards

  36. Jobs by CNN? • http://ads.cnn.com/event.ng/Type=click&Redirect=http:/bit.ly/cP–XW

  37. Download http://www.owasp.org/index.php/Top_10

  38. Can we win the war on insecure software?

  39. Enter the rest of OWASP

  40. Software Assurance Maturiy Model(SAMM)

  41. SAMM Security Practices • The Security Practices cover all areas relevant to software security assurance • Each one is a ‘silo’ for improvement

  42. Build “Your” Roadmap • Gap analysis: • Capturing scores from detailed assessments versus expected performance levels • Demonstrating improvement • Capturing scores from before and after an iteration of assurance program build-out • Ongoing measurement • To make the “building blocks” usable, SAMM defines Roadmaps templates for typical kinds of organizations

  43. OWASP Projects Are Alive! 2010 … 2007 2005 2003 2001 43

  44. www.owasp.org 44

  45. OWASP Near You

  46. Upcoming local events • OWASP Chapter meetings: • 23-May - Brussels: • The Ghost of XSS Past, Present and Future – A Defensive Tale (by Jim Manico, Infrared Security) • 16-Jun - Brussels: • The OWASP AppSensor Project (by Colin Watson, Watson Hall Ltd) • How to become Twitter's admin: An introduction to Modern Web Service Attacks (by Andreas Falkenberg, RUB) • OWASP AppSec Europe – Dublin – Jun 7-9 • BruCON– Brussels – Sep 19-22 • OWASP BeNeLux – Luxembourg Nov-30/Dec-1

  47. Subscribe mailing list www.owasp.be Keep up to date! 47

  48. Want to support OWASP? Become member, annual donation of: $50 Individual $5000 Corporate enables the support of OWASP projects, mailing lists, conferences, podcasts,grants and global steering activities… 48

More Related