Ethical Hacking • Ed Chorbajian, Affinity Inc. • April 11, 2012
Introductions • Affinity, Inc. • http://affinityit.com • IT services and solutions provider, helping Fortune 500 and growth companies • Corporate Headquarters in Milwaukee, WI • Ed Chorbajian • echorbajian@affinityit.com • New York, NY • linkedin.com/in/edchorbajian
About Affinity, Inc. • Clients
About Ed Chorbajian • Certifications • CSSLP, GWAPT, CISSP, GPEN, GCIH, GSLC, SCJP • Experience • 5+ years Security • 10 years Software Development • Education • MBA (80% complete) at New York University Stern • MS in Computer Science • BA in Mathematics and Physics
Agenda
A Hacker is • Someone who • Finds information security vulnerabilities • Exploits them • (Black Hat)
An Ethical Hacker is • Someone who • Finds information security vulnerabilities • Exploits them • Has permission • (White Hat)
Ethics • Yes - “has permission” is a simplification • Ethics describes right and wrong behaviors • Our discussion today is not about ethics
Ethics • Sometimes it depends on your point of view • The hackers who made Stuxnet targeted Iranian nuclear plants and probably delayed Iran’s uranium enrichment program by two years
Find and Exploit Vulnerabilities • SQL Injection humor
Find and Exploit Vulnerabilities • SQL Injection – not so funny • An attack targeting the victim’s data, database and database server • Data: possible to read, add, modify, delete • Database: possible to drop tables, drop indexes, create users, grant and revoke privileges • Database server: possible to mount further attacks against the victim’s internal network
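The “not so funny” slide above lists what injection buys the attacker. The following Python example, written for this page and not taken from the talk, shows the mechanism in miniature: a login query built by string concatenation next to the parameterized version, exercised with a tautology payload (authentication bypass) and a UNION payload (reading the password column). The in-memory SQLite database, user names and passwords are constructed for the example.

```python
import sqlite3


def setup_db():
    """Constructed sample database for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: a quote in the input is
    interpreted as SQL syntax, so the attacker rewrites the WHERE clause."""
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values separately from the
    SQL text, so a quote in the input is just a character inside a string."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Payload 1: tautology. The vulnerable WHERE clause becomes
#   username = 'nobody' AND password = '' OR '1'='1'
# which is true for every row: the login check is bypassed and every user is returned.
TAUTOLOGY = "' OR '1'='1"

# Payload 2: UNION. Closes the username literal, appends a second SELECT that
# reads the password column, and comments out the rest of the query with "--".
UNION_DUMP = "' UNION SELECT password, username FROM users --"


def demo():
    conn = setup_db()
    return {
        "vuln_tautology": login_vulnerable(conn, "nobody", TAUTOLOGY),
        "vuln_union": login_vulnerable(conn, UNION_DUMP, "irrelevant"),
        "safe_tautology": login_safe(conn, "nobody", TAUTOLOGY),
        "safe_valid": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The “drop tables, create users” items on the slide rely on stacked statements (`'; DROP TABLE ...`), which Python’s `sqlite3.execute()` refuses; whether that works in a given application depends on the database driver and DBMS, so the two payloads above are the ones that apply almost everywhere.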
Partial List of Vulnerabilities • Injection • Cross-Site Scripting • Encryption implementation • Parameter Tampering
Partial List of Vulnerabilities • Injection • SQL Injection • LDAP Injection • XML Injection • Code Injection • OS Commanding
Partial List of Vulnerabilities • Cross-Site Scripting • Reflected Cross-Site Scripting • Stored/Persistent Cross-Site Scripting • DOM-based Cross-Site Scripting
Partial List of Vulnerabilities • Encryption implementation • Symmetric • Asymmetric (Public/Private Key Cryptography) • Password Hashes • Key Management
Partial List of Vulnerabilities • Parameter Tampering • Business Logic Abuse • Buffer Overflow • Cross-Site Request Forgery • Information Leakage • Directory Traversal • Authentication/Authorization • Session Fixation
In the past … • To defend your organization • “You don’t need to outrun the bear in the woods, just your neighbor” • Be less insecure than your neighbor • Hackers attack the easier targets
Today … • Organizations are specifically targeted • Hacktivists - political agenda • Anonymous
Threat Agents • Unintentional/careless users • Non-professional hackers/script kiddies • Researchers • Professional hackers • Corporate/industrial espionage • Insiders/partners • Organized criminals • Hacktivists • Nation-state intelligence agencies
Today … • Nation-state intelligence agencies • Source: http://www.mcafee.com/us/resources/reports/rp-virtual-criminology-report-2009.pdf
Today … • Advanced Persistent Threat – APT • Have large resources • Have much patience • Target specific organizations • Purpose • Intellectual Property • Disruption • Etc.
Today … • Verizon 2012 Data Breach Investigations Report • March 22, 2012 • (The report classes organizations with at least 1,000 employees as “larger”) • http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012-press_en_xg.pdf
Today … • Verizon 2012 Data Breach Investigations Report • Hacktivists tend to target larger organizations • High profile • Motive is attention and publicity • Denial of Service attacks • Download and distribute secret information • Website defacements
Today … • Verizon 2012 Data Breach Investigations Report • Organized criminals tend to target smaller organizations • Low profile • Motive is money • Smaller revenue from each attack • High volume through many attacks • Victims that are easier to exploit
Today … • Verizon 2012 Data Breach Investigations Report • http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012-press_en_xg.pdf
Agenda
Static and Dynamic Analyses • Static - the source code • Can see “everything” • Dynamic - a running application • See everything that is actually there, including • Infrastructure • Middleware • Third-party libraries • Actual source code used
Automated and Manual Techniques • Automated Technique • Use a tool that does much of the work • Catches the more easily detected vulnerabilities • Manual Technique • Use expertise to find vulnerabilities that the tools cannot find on their own • Do much of the work using many tools
Static Analysis • Automated • I personally worked with • IBM Rational AppScan Source Edition for Security (Ounce Labs) • HP Fortify Static Code Analyzer • Can scan 100,000s of lines of code • Expensive tools
Process for Automated • The client stages the source code: • Complete source code that compiles/builds without error • Workspace and project files • All dependencies • SDLC documents • The tools are ineffective when any required component is missing
Process for Automated • Inventory the source code • Configure the tool • Run the scan • Could produce thousands of findings • Analyze the results
Results of the Analysis • Determine if each finding is a False Positive or a True Positive • Raise, lower or keep the suggested severities • Critical • High • Medium • Low • Informational
Results of the Analysis • Communicate the vulnerabilities to the client • Provide recommendations on how to remediate the security defects • The client remediates the defects • Remain available for assistance, including answering in-depth technical questions on vulnerability risks and remediation strategies • Retest
True/False Positive/Negative • False Positive – the tool found a security defect, but it really is not a security defect • The reason to vet the findings • True Positive – the tool found a security defect, and it really is a security defect • The tool did its job
True/False Positive/Negative • True Negative – the tool did not find the security defect, and there is no security defect • The tool did its job • Not reported, but implied • False Negative – the tool did not find the security defect, but there really is a security defect • The tool missed this
Manual Static Analysis • Generally do a targeted search • May not be practical to look at thousands or millions of lines of code • Examples • Authentication/Authorization • Encryption implementation • Logging • Output to web browser
Authentication/Authorization Example • There was a backdoor in a client’s software system, which was written by their vendor • Hard-coded username and password • Bypass normal authentication controls • Unlimited access to the system • Bypass normal authorization controls • Logging turned off for this username • Bypass normal auditing controls
Authentication/Authorization Example • Vendor included the backdoor for convenience • Support and maintenance • In addition to this client, other organizations using this vendor’s system had the same security issue • With the same credentials!
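The backdoor above is the kind of finding a targeted manual search turns up: scanners flag data-flow problems well, but a string literal compared against a password variable and an audit log switched off nearby are best found by looking for them deliberately. The Python script below is an added example, not something from the talk or from a product: a handful of regular-expression rules run over a constructed Java-like fragment modelled on the slide’s description. The rule names, the patterns and the sample source (including the `svc_maint` account and its password) are my own inventions.

```python
import re

# Heuristic rules for a targeted review. Names and patterns are this example's
# own choices; tune them to the code base's naming conventions.
RULES = [
    # user.equals("literal") / password.equals("literal"): a credential in the code
    (
        "hardcoded-credential-compare",
        re.compile(r'\b(user(name)?|pwd|pass(word)?|passwd)\w*\s*\.equals\(\s*"[^"]+"\s*\)', re.I),
    ),
    # dbPassword = "literal", apiKey = "literal": a secret in the code
    (
        "hardcoded-secret-assignment",
        re.compile(r'\b\w*(password|passwd|pwd|secret|api_?key)\w*\s*=\s*"[^"]+"', re.I),
    ),
    # audit or logging switched off: the auditing bypass described on the slide
    (
        "audit-logging-disabled",
        re.compile(
            r'\b(audit|log(ger|ging)?)\w*\.(setEnabled\(\s*false|setLevel\(\s*Level\.OFF|disable\(\s*\))',
            re.I,
        ),
    ),
]


def scan_source(text):
    """Return (line_number, rule_name, stripped_line) for every line matching a rule.
    One finding per rule per line; a reviewer then vets each one (true/false positive)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


# Constructed Java-like fragment: a hard-coded maintenance account that skips
# the directory bind and disables the audit log. Names and values are invented.
SAMPLE_JAVA = """\
public boolean authenticate(String user, String pwd) {
    if (user.equals("svc_maint") && pwd.equals("M@int2012")) {
        auditLog.setEnabled(false);
        return true;
    }
    return ldap.bind(user, pwd);
}
String dbPassword = "P@ssw0rd";
"""


if __name__ == "__main__":
    for lineno, rule, code in scan_source(SAMPLE_JAVA):
        print(f"line {lineno:3d}  {rule:30s}  {code}")
```

Each hit is a lead, not a verdict: a hard-coded comparison in a unit test is a false positive, while the real backdoor is confirmed by following the flagged branch to see what it grants and whether the same literal appears in other deployments, as it did here.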
Encryption Implementation Example 1 • Password hashes were not salted • A cryptographic hash is a one-way function • There are no encryption/decryption keys • SHA-2 (e.g. SHA-256) is a typical choice • The password is hashed, not encrypted: nothing can “decrypt” it, so recovering it means guessing candidates and hashing each one
Encryption Implementation Example 1 • How are password hashes used? • When a user authenticates, the submitted password is hashed and the result is compared to the hash stored in the database • If an attacker gets access to the password hashes in the database, they can use rainbow tables to determine the passwords • Pre-computed password hash values: one lookup per hash, with no hashing work at attack time
Encryption Implementation Example 1 • Why is a salt necessary? • A salt is a random value that is combined with the password before hashing and stored next to the hash • The resulting hash is completely different from the unsalted one, so pre-computed tables no longer apply • Use a different salt for each user, so identical passwords do not produce identical hashes
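To make Example 1 concrete, here is an added Python example (not code from the talk or from the reviewed system) that plays both sides: it precomputes a hash lookup table from a small constructed wordlist, recovers every unsalted SHA-256 password that appears in it, and then shows that the same table recovers nothing once each user has a random salt. It also goes one step past the slide and includes a PBKDF2 variant, because a salt defeats precomputation but not a per-hash guessing attack against a fast hash. The user names, passwords and wordlist are constructed for the example.

```python
import hashlib
import os

# Constructed wordlist standing in for an attacker's precomputed table.
WORDLIST = ["123456", "password", "hunter2", "letmein", "qwerty", "s3cret"]


def hash_unsalted(password):
    """What the reviewed system did: store sha256(password). Identical passwords
    give identical hashes, and the hash of a given password is the same in
    every system, so it can be precomputed once and reused everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt):
    """Store sha256(salt || password) together with the per-user salt."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_pbkdf2(password, salt, iterations=600_000):
    """Salted and deliberately slow (PBKDF2-HMAC-SHA256): the better choice,
    since a salt alone does not stop guessing against one fast hash at a time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_lookup_table(wordlist):
    """hash -> password for every word: the precomputation behind a rainbow
    table (a real one stores compressed chains rather than every pair)."""
    return {hash_unsalted(w): w for w in wordlist}


def crack_unsalted(stored, table):
    """stored: {user: hash}. One dictionary lookup per user."""
    return {user: table[h] for user, h in stored.items() if h in table}


def crack_salted(stored, table):
    """stored: {user: (salt, hash)}. The same table never matches, because no
    entry was computed over salt || password."""
    return {user: table[h] for user, (_salt, h) in stored.items() if h in table}


def verify_salted(password, salt, expected_hash):
    """Login check for the salted scheme: re-hash with the stored salt and compare."""
    return hash_salted(password, salt) == expected_hash


def demo():
    table = build_lookup_table(WORDLIST)
    users = [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "Tr0ub4dor&3")]

    unsalted_db = {user: hash_unsalted(pw) for user, pw in users}
    salted_db = {}
    for user, pw in users:
        salt = os.urandom(16)  # fresh random salt per user
        salted_db[user] = (salt, hash_salted(pw, salt))

    return {
        "unsalted_cracked": crack_unsalted(unsalted_db, table),
        "salted_cracked": crack_salted(salted_db, table),
        "same_password_same_hash": unsalted_db["alice"] == unsalted_db["bob"],
        "same_password_same_salted_hash": salted_db["alice"][1] == salted_db["bob"][1],
        "salted_verify_ok": verify_salted("hunter2", *salted_db["alice"]),
        "salted_verify_wrong_pw": verify_salted("hunter3", *salted_db["alice"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Alice and Bob share a password: unsalted, their hashes are identical and one table lookup exposes both; salted, their stored hashes differ and the table is useless. Carol’s password is not in the wordlist, so even the unsalted table misses her, which is the “guess and hash” limit the first slide describes.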
Encryption Implementation Example 2 • Organization has encrypted credit card information • The encryption used AES-128 with the key composed of two 8 character passwords concatenated together
Encryption Implementation Example 2 • Normal use of AES-128 • Encryption key is 128 bits long • 2^128 possible keys, about 3.4 × 10^38 • 340,000,000,000,000,000,000,000,000,000,000,000,000 • To estimate the time to guess the key, divide by 500,000 tries/sec • (These days, over 2,000,000 tries/sec) • Then divide by 86,400 sec/day • Divide by 100 (for a 1% chance of success) • The result is on the order of 10^23 years (about 5 × 10^22 at two million tries per second); even trillions of years is not remotely close
Encryption Implementation Example 2 • Normal use of AES-128 • 128 bits = 16 bytes × 8 bits/byte • Each byte has 2^8 = 256 possible values • Written in hexadecimal, each byte ranges from 00 to FF • 256^16 = (2^8)^16 = 2^(8×16) = 2^128
Encryption Implementation Example 2 • Normal use of AES-128 • Example key in binary notation: • 00011110001011010110101000011000011000010100001110001101110101100110110010101110111101110001000101111100111110010001001101111010 • The same key as 16 bytes in hexadecimal notation (32 hex digits): • 1E2D6A1861438DD66CAEF7117CF9137A
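The slides establish that a proper AES-128 key has 256 possible values in each of its 16 bytes. The key in Example 2 was built from two 8-character passwords, so each byte is drawn from whatever characters people type, and the effective key space shrinks accordingly. The Python example below is added here and is not from the talk: it carries the slides’ own arithmetic (divide by tries per second, by 86,400, by 100 for a 1% chance) through for several assumed character sets, and goes one step further with a dictionary model in which the attacker enumerates pairs of whole passwords rather than characters. The character sets, the 100,000-word dictionary size and the 2,000,000 tries/sec rate (the slide’s figure) are assumptions of the example.

```python
import math

SECONDS_PER_YEAR = 86400 * 365.25


def key_space_bits(values_per_position, positions=16):
    """Effective key length in bits when each of `positions` key positions is
    chosen independently and uniformly from `values_per_position` values.
    Random bytes: 256 values x 16 positions = 128 bits, the full AES-128 space."""
    return positions * math.log2(values_per_position)


def years_to_fraction(bits, tries_per_sec, fraction=0.01):
    """Years of exhaustive search to cover `fraction` of a 2**bits key space at
    `tries_per_sec`: the slide's divide-by-rate, divide-by-86,400 and
    divide-by-100 steps, plus the conversion from days to years."""
    seconds = (2.0 ** bits) * fraction / tries_per_sec
    return seconds / SECONDS_PER_YEAR


# Constructed scenarios for a 16-byte key built from two 8-character passwords.
# The character sets are assumptions about what such passwords might contain.
SCENARIOS = [
    ("16 random bytes (proper AES-128 key)", 256, 16),
    ("16 printable ASCII characters", 95, 16),
    ("16 alphanumeric characters", 62, 16),
    ("16 lowercase letters", 26, 16),
    # Two whole passwords taken from a 100,000-word dictionary: the attacker
    # enumerates word pairs, so there are only 100,000**2 candidate keys.
    ("two dictionary words (100,000-word list)", 100_000, 2),
]


def key_space_report(tries_per_sec=2_000_000):
    """Return {scenario: (effective_bits, years_to_1_percent)} at the given rate."""
    report = {}
    for label, values, positions in SCENARIOS:
        bits = key_space_bits(values, positions)
        report[label] = (bits, years_to_fraction(bits, tries_per_sec))
    return report


if __name__ == "__main__":
    for label, (bits, years) in key_space_report().items():
        print(f"{label:42s} {bits:6.1f} bits  {years:12.3g} years to 1%")
```

Even the lowercase-only case keeps around 75 bits, which is still out of reach at the slide’s rate; the damage comes from the fact that passwords are chosen from dictionaries, not from character sets. Two dictionary words give roughly 33 bits, and a 1% chance of success arrives in under a minute. The fix is not a stronger password pair but a 16-byte key from a cryptographic random number generator (or a key-derivation function with a random salt, if a password must be the input).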