Quality Software: Designed to be HACKED! - PowerPoint PPT Presentation

About This Presentation
Title:

Quality Software: Designed to be HACKED!

Description:

Quality Software: Designed to be HACKED! SQNZ Presentation Thursday 16th February 2006 Andy Prow, Managing Director of Aura Software Security Ltd and – PowerPoint PPT presentation

Slides: 42
Provided by: sqnzOrgNz

Transcript and Presenter's Notes



1
Quality Software: Designed to be HACKED!
  • SQNZ Presentation
  • Thursday 16th February 2006
  • Andy Prow,
  • Managing Director of Aura Software Security Ltd
    and Aura Software Architects Ltd

2
The Message
  • Think about security in EVERY IT project within
    your organisation
  • Make NO assumptions about which aspects of your
    IT are SAFE
  • PLAN for a security breach
  • Make information security a CEO and senior
    management team priority
  • Raise employee awareness of security issues
    within the whole organisation

3
Who are we?
  • Andy Prow
  • Software development industry for 11 years
  • Lead development and development manager roles
  • Technical Architect and Solutions Architect
  • Aura Software Architects (2001)
  • Software Architecture and Design
  • Specialist Development (Microsoft Technologies)
  • Aura Software Security (2005)
  • Security Analysts and Consultants
  • Secure Software Development Experts

4
Today's Talk
  • Common Vulnerabilities and Exploits
  • Things you will be facing and SHOULD know about
  • 2 Demonstrations
  • Unusual Vulnerabilities
  • Issues you can't plan for (real-world examples)
  • What to do
  • How do you design and develop secure systems?
  • How do you keep systems secure over time?

5
Part 1: Common Vulnerabilities
  • Things to be concerned about
  • Web Interfaces
  • Wireless
  • Server Exploits

6
Common Vulnerabilities: Web-interfaces

7
Common Vulnerabilities: Web-interfaces
  • Web
  • Unpatched web-servers and database servers.
  • Automated web-vulnerability scanners
  • Acunetix, WebInspect
  • Invalid file permissions
  • Google searches, e.g.
  • filetype:mdb users.mdb
  • intitle:index.of.etc passwd
  • Custom
  • Scripting / SQL Code Injection
  • Cookie tampering: Achilles (web-proxy)
  • Brute force attacks: Hydra, Brutus
  • Man in the middle
  • Sniffing web-traffic
  • Pharming (DNS cache poisoning)
  • Proxies that spoof SSL
  • Odysseus, Achilles

8
Common Vulnerabilities: Web-interfaces
  • Acunetix
  • Automated web-vulnerability scanner

9
Demo 1: SQL Injection
  • Mark Keegan
  • Security Consultant

10
Attack Configuration
11
Server Configuration
  • Windows 2000 Server (unpatched)
  • .NET Framework 1.1
  • SQL Server 2000
  • Hackme Bank (Foundstone.com)

12
Bypassing Login
  • Building up an inline SQL statement
  • sql = "SELECT * FROM fsb_users WHERE Login_Id = '" & request("txtUserName") & "' AND Password = '" & request("txtPassword") & "'"

13
Bypassing Login
  • SELECT * FROM fsb_users
  • WHERE Login_Id = 'mkeegan'
  • AND Password = 'Test123' or 1=1 --'
  • So how does it work?
  • SELECT * FROM fsb_users
  • WHERE Login_Id = '' or 1=1
  • The OR 1=1 is true for every row, and the -- comments out the rest of the statement, so the password check never applies
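The inline query from the slide beside its parameterised fix, as an added example (a Python/sqlite3 stand-in for the demo's ASP/SQL Server code, not the presentation's own; the fsb_users table and its single row are constructed here):

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the demo's fsb_users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fsb_users (Login_Id TEXT, Password TEXT)")
    conn.execute("INSERT INTO fsb_users VALUES ('mkeegan', 'Test123')")
    conn.commit()
    return conn


def login_concat(conn, user, pwd):
    """Mirrors the slide's inline SQL: user input is pasted into the statement text."""
    sql = ("SELECT * FROM fsb_users WHERE Login_Id = '" + user +
           "' AND Password = '" + pwd + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, user, pwd):
    """Hardened form: placeholders keep input as data, so quotes and -- cannot alter the query."""
    sql = "SELECT * FROM fsb_users WHERE Login_Id = ? AND Password = ?"
    return conn.execute(sql, (user, pwd)).fetchone() is not None


def demo():
    """Run both versions against a good password, a wrong one, and the slide's or 1=1 -- input."""
    conn = make_db()
    bypass = "Test123' or 1=1 --"   # the injected password value shown on the slide
    return {
        "valid_concat": login_concat(conn, "mkeegan", "Test123"),
        "wrong_concat": login_concat(conn, "mkeegan", "wrong"),
        "bypass_concat": login_concat(conn, "anyone", bypass),   # no such user, yet True
        "valid_param": login_param(conn, "mkeegan", "Test123"),
        "bypass_param": login_param(conn, "anyone", bypass),     # treated as a literal password
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```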

14
Enumerating the database columns

15
CmdShell
  • ' EXEC Master..XP_CMDSHELL 'DIR' --

16
Other Attack Options
  • Insert a new user
  • Delete users
  • Extract system passwords
  • Enumerate the whole database to determine other
    tables
  • Delete the Database !!
  • Shutdown the server !!
  • Attack other systems !!

17
Common Vulnerabilities: Wireless
  • Wireless
  • Wireless detection tools
  • Network Stumbler, Kismet (KisMAC)
  • Hidden SSID identification, AP Model Type,
    WEP/WPA, MAC address filtering
  • Wellington WarDrive in June 2005: 300 scanned,
    100 OPEN (50 corporate), and 100 poorly secured
    (WEP and/or MAC address filtering only)
  • MAC address sniffing
  • MAC address spoofing
  • WEP cracking
  • WPA cracking

18
Common Vulnerabilities: Wireless
  • Network Stumbler
  • Wireless Detection Tool

19
Common Vulnerabilities: Servers
  • Known vulnerabilities and exploits
  • Specialist tools and websites to
  • Identify the version of the server and its services
    (such as telnet, web-server, FTP)
  • Map versions against known and new exploits
  • Provide exploitation tools, packets and payloads
  • Unpatched / slow to patch
  • 80% of exploits are available within the first
    19 days of a critical vulnerability
  • Poorly administered
  • When the DoD did studies on the matter, they
    found these actual attacks accounted for only 30%
    of hacking. Attacks against configuration and
    essentially poor system hardening account for 70%
    of successful attacks.
  • Unauthorised administrator or physical access
  • Who are your administrators? Are they skilled?
  • Secure location
  • Hardware re-use

20
Common Vulnerabilities: Servers
  • ElseNot Project - ElseNot.com
  • Goal: an exploit for every Microsoft Security
    Bulletin

21
Common Vulnerabilities: Servers
  • MilW0rm www.milw0rm.com
  • Up to date source of exploits for all platforms
    and applications.

22
Common Vulnerabilities: Servers
  • Nessus: Server Vulnerability Scanner

23
Demo 2
Creating a remote connection to a vulnerable
server
24
Demo 3

25
Common Protection
  • Normal steps taken
  • Patching servers
  • Firewalls, DMZ, VPNs
  • Website security, SSL
  • Antivirus and Anti-Spyware products
  • Mail filters
  • Additional Steps
  • Dedicated IT Security Team
  • Network Monitoring Systems
  • Intrusion Detection Systems

26
Part 2: Unusual Vulnerabilities
  • Things that pop your bubble

27
Things that Pop your Bubble
  • Wellington bank with 14 locked down wireless AP,
    but 1 wide-open AP
  • The issue: a pro-active, can-do manager buys a
    standard DSE Wireless AP to cater for new
    temporary staff. Simply installs it and it works.
  • The impact: a TOTALLY unsecured wireless access
    point, with default settings, connected to the
    corporate LAN!

28
Things that Pop your Bubble
  • Government agency with a custom application
    holding unsecured NT User IDs and Passwords
  • AD is well secured
  • Users self-register with their AD usernames and
    passwords
  • The custom DB is NOT secured

29
Things that Pop your Bubble
  • Managing Director with default wireless AP at
    home
  • The Issue
  • MD connects to ADSL
  • Purchases a common ADSL/Wireless router
  • Plug-and-play settings with NO security
  • The Threat
  • The MD's laptop is now vulnerable to a hack from
    their home

30
Things that Pop your Bubble
  • Previous Latest Example: Sony Rootkit
  • The Issue
  • New Sony CDs install a copy protection utility
    that sits beneath Windows XP, and stops multiple
    copies of a CD, or unprotected ripping of the CD.
  • The Threat
  • The copy protection utility is based on a
    RootKit, which sits beneath the operating system.
    RootKits are a hacker's dream, as they give
    escalated permissions to processes and can create
    files and processes invisible to the OS. Usually
    the hard part for a hacker is how to get a
    RootKit onto a remote machine. Thanks, Sony!

31
Things that Pop your Bubble
  • New Latest Example: Vulnerability in Graphics
    Rendering Engine Could Allow Remote Code
    Execution (WMF)
  • Dec 27 2005
  • Article on www.SecurityFocus.com
  • milw0rm exploit 1391
  • URLs published with damaging WMF
  • Dec 28 2005
  • Microsoft Security Advisory 912840
  • CVE-2005-4560 (Common Vulnerabilities and
    Exposures registry)
  • Work-arounds published
  • Available as MSF update
  • Jan 5 2006
  • Microsoft Security Bulletin MS06-001
  • Jan 15 2006
  • milw0rm exploit 1420

32
Part 3: Design to be Hacked
  • Build Security into every phase of your IT
    projects
  • Requirements
  • Design
  • Build
  • Deploy
  • Maintain
  • Don't have a single bubble

33
Design to be hacked
  • Requirements Phase
  • Understand your data assets
  • Understand the secure functions
  • Think up-front the impact of
  • Unauthorised access
  • Data Tampering
  • Denial of Service
  • Threat Modelling

34
Design to be hacked
  • Design Phase
  • Follow best practices
  • Build security into every layer
  • Infrastructure
  • Client
  • Server
  • Database
  • Users, Administrators and physical access

35
Design to be hacked
  • Build Phase
  • Three Levels of Security
  • BLOCK an attack
  • TRACE the attack
  • Take SMART ACTION
  • Secure Coding Practices
  • Staff Training
  • Guidelines
  • Secure Code Frameworks, e.g. The Aura Secure Web
    Framework (MS .Net)

36
Design to be hacked
  • Deployment Phase
  • Baseline
  • Servers patched
  • Firewall rules in place
  • Users locked down
  • Dev access removed
  • Actually TEST your security!
  • Initial deployment is the most likely time for
    mistakes
  • Perform your first penetration test and security
    audit NOW.

37
Design to be hacked
  • Ongoing Maintenance
  • STAY PATCHED!
  • Regular penetration tests
  • Regular security audits
  • Understand the current threat to YOUR systems
  • Standard Procedures
  • Creating new users
  • Removing old users
  • Hardware destruction

38
Part 4: Secure your Organisation
  • Make security part of your day-to-day business
  • Think security in every IT project
  • Think security in every IT system
  • Make information security a CEO and senior
    management team priority
  • Do all IT projects have security tasks?
  • Are you developing and deploying secure
    systems?
  • Raise employee awareness of security issues
    within the whole organisation.
  • Data classification
  • Danger of USB devices, iPods, Sony CDs, Home
    wireless
  • Ongoing training in systems and controls

39
Additional Steps
  • In-House-Hacker
  • Performs pro-active security checks. E.g.
  • Server vulnerability checks
  • Wireless AP checking
  • Armed with the latest hacker tools
  • MUST be well trained
  • MUST be well trusted
  • Trusted Security Advisors (Aura)
  • Constantly monitoring threats, exploits, patches
    and tools
  • Trusted entity, who knows your internal IT
    infrastructure and configuration.
  • Proactively participates in the hacker / security
    community e.g.
  • OWASP www.OWASP.org - Open Web Application
    Security Project

40
The Message
  • Think about security in EVERY IT project within
    your organisation
  • Make NO assumptions about which aspects of your
    IT are SAFE
  • PLAN for a security breach
  • Make information security a CEO and senior
    management team priority
  • Raise employee awareness of security issues
    within the whole organisation

41
Quality Software: Designed to be HACKED!
  • SQNZ Presentation
  • Thursday 16th February 2006
  • Andy Prow,
  • Managing Director of Aura Software Security Ltd
    and Aura Software Architects Ltd
  • Andy_at_AuraSoftwareSecurity.co.nz
  • Andy_at_AuraSoftwareArchitects.com
  • More info is available from
  • www.AuraSoftwareSecurity.co.nz