Quality Software: Designed to be HACKED!

1
Quality Software Designed to be HACKED!

• SQNZ Presentation
• Thursday 16th February 2006
• Andy Prow,
• Managing Director of Aura Software Security Ltd
  and Aura Software Architects Ltd

2
The Message

• Think about security in EVERY IT project within
  your organisation
• Make NO assumptions about which aspects of your
  IT are SAFE
• PLAN for a security breach
• Make information security a CEO and senior
  management team priority
• Raise employee awareness of security issues
  within the whole organisation

3
Who are we?

• Andy Prow
• Software development industry for 11 years
• Lead development and development manager roles
• Technical Architect and Solutions Architect
• Aura Software Architects (2001)
• Software Architecture and Design
• Specialist Development (Microsoft Technologies)
• Aura Software Security (2005)
• Security Analysts and Consultants
• Secure Software Development Experts

4
Todays Talk?

• Common Vulnerabilities and Exploits
• Things you will be facing and SHOULD know about
• 2 Demonstrations
• Unusual Vulnerabilities
• Issues you cant plan for (real-word examples)
• What to do
• How do you design and develop secure systems?
• How do you keep systems secure over time?

5
Part 1Common Vulnerabilities

• Things to be concerned about
• Web Interfaces
• Wireless
• Server Exploits

6
Common Vulnerabilities Web-interfaces

7
Common Vulnerabilities Web-interfaces

• Web
• Unpatched web-servers and database servers.
• Automated web-vulnerability scanners
• Acunetix, WebInspect
• Invalid file permissions
• Google searches e.g.
• filetypemdb users.mdb
• intitleindex.of.etc passwd
• Custom
• Scripting / SQL Code Injection
• Cookie tampering Achilles (web-proxy)
• Brute force attacks Hydra, Brutus
• Man in the middle
• Sniffing web-traffic
• Pharming (DNS cache poisoning)
• Proxies that spoof SSL
• Odysseus, Achilles

8
Common Vulnerabilities Web-interfaces

• Acunetix
• Automated web-vulnerability scanner

9
Demo 1SQL Injection

• Mark Keegan
• Security Consultant

10
Attack Configuration
11
Server Configuration

• Windows 2000 Server (unpatched)
• .NET Framework 1.1
• SQL Server 2000
• Hackme Bank (Foundstone.com)

12
Bypassing Login

• Building up an inline SQL statement
• sql "SELECT FROM fsb_users WHERE Login_Id
  '" request("txtUserName") "' AND Password
  '" request("txtPassword") "'

13
Bypassing Login

• SELECT FROM fsb_users
• WHERE Login_Id mkeegan
• And password Test123
• or 11 --
• So how does it work?
• SELECT FROM fsb_users
• WHERE Login_Id or 11

14
Enumerating the database columns

15
CmdShell

• ' EXEC Master..XP_CMDSHELL DIR--

16
Other Attack Options

• Insert a new user
• Delete users
• Extract system passwords
• Enumerate the whole database to determine other
  tables
• Delete the Database !!
• Shutdown the server !!
• Attack other systems !!

17
Common VulnerabilitiesWireless

• Wireless
• Wireless detection tools
• Network Stumbler, Kismet (KisMAC)
• Hidden SSID identification, AP Model Type,
  WEP/WPA, MAC address filtering
• Wellington WarDrive in June 2005 300
  scanned, 100 OPEN (50 Corporate), and 100
  poorly secured (WEP and/or MAC address filtering
  only)
• MAC address sniffing
• MAC address spoofing
• WEP cracking
• WPA cracking

18
Common VulnerabilitiesWireless

• Network Stumbler
• Wireless Detection Tool

19
Common VulnerabilitiesServers

• Known vulnerabilities and exploits
• Specialist tools and websites to
• identify version of server and services (such as
  telnet, web-server, FTP)
• Map versions against known and new exploits
• Provide exploitation tools, packets and payloads
• Unpatched / slow to patch
• 80 of exploits are available within the first
  19 days of a critical vulnerability
• Poorly administered
• When the DoD did studies on the matter, they
  found these actual attacks accounted for only 30
  of hacking. Attacks against configuration and
  essentially poor system hardening account for 70
  of successful attacks.
• Unauthorised administrator or physical access
• Who are your administrators? Are they skilled?
• Secure location
• Hardware re-use

20
Common VulnerabilitiesServers

• ElseNot Project - ElseNot.com
• Goal Exploit for Every Microsoft Security
  Bulletin

21
Common VulnerabilitiesServers

• MilW0rm www.milw0rm.com
• Up to date source of exploits for all platforms
  and applications.

22
Common VulnerabilitiesServers

• Nessus Server Vulnerability Scanner

23
Demo 2
Creating a remote connection to a vulnerable
server
24
Demo 3

25
Common Protection

• Normal steps taken
• Patching servers
• Firewalls, DMZ, VPNs
• Website security, SSL
• Antivirus and Anti-Spyware products
• Mail filters
• Additional Steps
• Dedicated IT Security Team
• Network Monitoring Systems
• Intrusion Detection Systems

26
Part 2Unusual Vulnerabilities

• Things that pop your bubble

27
Things that Pop your Bubble

• Wellington bank with 14 locked down wireless AP,
  but 1 wide-open AP
• The issuePro-active, can-do manager buys a
  standard DSE Wireless AP to cater for new
  temporary staff. Simply installs and it works.
• The impactTOTALLY unsecured wireless access
  point, with default settings connected to
  corporate LAN!

28
Things that Pop your Bubble

• Government agency with a custom application with
  unsecured NT User IDs and Passwords
• AD is well secured
• Users self registerwith AD usernamesand
  passwords
• Custom DB is NOTsecured

29
Things that Pop your Bubble

• Managing Director with default wireless AP at
  home
• The Issue
• MD connects to ADSL
• Purchases a common ADSL/Wireless router
• Plug-and-play settings with NO security
• The Threat
• The MDs laptop is now vulnerable to a hack from
  their home

30
Things that Pop your Bubble

• Previous Latest Example Sony Rootkit
• The Issue
• New Sony CDs install a copy protection utility
  that sits beneath Windows XP, and stops multiple
  copies of a CD, or unprotected ripping of the CD.
• The Threat
• The copy protection utility is based on a
  RootKit, which sits beneath the operating system.
  RootKits are a hackers dream as they give
  escalated permissions to processes, can create
  files and processes invisible to the OS. Usually
  the hard-part for a hacker is how to get a
  RootKit onto a remote machine? thanks Sony!

31
Things that Pop your Bubble

• New Latest Example Vulnerability in Graphics
  Rendering Engine Could Allow Remote Code
  Execution (WMF)
• Dec 27 2005
• Article on www.SecurityFocus.com
• milw0rm exploit 1391
• URLs published with damaging WMF
• Dec 28 2005
• Microsoft Security Advisory 912840
• CVE-2005-4560 (Common Vulnerabilities and
  Exposures registry)
• Work-arounds published
• Available as MSF update
• Jan 5 2006
• Microsoft Security Bulletin MS06-001
• Jan 15 2006
• milw0rm exploit 1420

32
Part 3Design to be Hacked

• Build Security into every phase of your IT
  projects
• Requirements
• Design
• Build
• Deploy
• Maintain
• Dont have a single bubble

33
Design to be hacked

• Requirements Phase
• Understand your data assets
• Understand the secure functions
• Think up-front the impact of
• Unauthorised access
• Data Tampering
• Denial of Service
• Threat Modelling

34
Design to be hacked

• Design Phase
• Follow best practises
• Build security into every layer
• Infrastructure
• Client
• Server
• Database
• Users, Administrators and physical access

35
Design to be hacked

• Build Phase
• Three Levels of Security
• BLOCK an attack
• TRACE the attack
• Take SMART ACTION
• Secure Coding Practises
• Staff Training
• Guidelines
• Secure Code Frameworkse.g. The Aura Secure Web
  Framework (MS .Net)

36
Design to be hacked

• Deployment Phase
• Baseline
• Servers patched
• Firewall rules in place
• Users locked down
• Dev access removed
• Actually TEST your security!
• Initial deployment is the most likely time for
  mistakes
• Perform your first penetration test and security
  audit NOW.

37
Design to be hacked

• Ongoing Maintenance
• STAY PATCHED!
• Regular penetration tests
• Regular security audits
• Understand the current threat to YOUR systems
• Standard Procedures
• Creating new users
• Removing old users
• Hardware destruction

38
Part 4Secure your Organisation

• Make security part of your day-to-day business
• Think security in every IT project
• Think security in every IT system
• Make information security a CEO and senior
  management team priority
• Do all IT projects have security tasks?
• Are you developing and deploying secure
  systems?
• Raise employee awareness of security issues
  within the whole organisation.
• Data classification
• Danger of USB devices, iPods, Sony CDs, Home
  wireless
• Ongoing training in systems and controls

39
Additional Steps

• In-House-Hacker
• Performs pro-active security checks. E.g.
• Server vulnerability checks
• Wireless AP checking
• Armed with the latest hacker tools
• MUST be well trained
• MUST be well trusted
• Trusted Security Advisors (Aura)
• Constantly monitoring threats, exploits, patches
  and tools
• Trusted entity, who knows your internal IT
  infrastructure and configuration.
• Proactively participates in the hacker / security
  community e.g.
• OWASP www.OWASP.org - Open Web Application
  Security Project

40
The Message

• Think about security in EVERY IT project within
  your organisation
• Make NO assumptions about which aspects of your
  IT are SAFE
• PLAN for a security breach
• Make information security a CEO and senior
  management team priority
• Raise employee awareness of security issues
  within the whole organisation

41
Quality SoftwareDesigned to be HACKED!

• SQNZ Presentation
• Thursday 16th February 2006
• Andy Prow,
• Managing Director of Aura Software Security Ltd
  and Aura Software Architects Ltd
• Andy_at_AuraSoftwareSecurity.co.nz
• Andy_at_AuraSoftwareArchitects.com
• More info is available from
• www.AuraSoftwareSecurity.co.nz