Title: Quality Software: Designed to be HACKED!
Slide 1: Quality Software: Designed to be HACKED!
- SQNZ Presentation
- Thursday 16th February 2006
- Andy Prow,
- Managing Director of Aura Software Security Ltd and Aura Software Architects Ltd
Slide 2: The Message
- Think about security in EVERY IT project within your organisation
- Make NO assumptions about which aspects of your IT are SAFE
- PLAN for a security breach
- Make information security a CEO and senior management team priority
- Raise employee awareness of security issues within the whole organisation
Slide 3: Who are we?
- Andy Prow
- Software development industry for 11 years
- Lead development and development manager roles
- Technical Architect and Solutions Architect
- Aura Software Architects (2001)
- Software Architecture and Design
- Specialist Development (Microsoft Technologies)
- Aura Software Security (2005)
- Security Analysts and Consultants
- Secure Software Development Experts
Slide 4: Today's Talk
- Common Vulnerabilities and Exploits
- Things you will be facing and SHOULD know about
- 2 Demonstrations
- Unusual Vulnerabilities
- Issues you can't plan for (real-world examples)
- What to do
- How do you design and develop secure systems?
- How do you keep systems secure over time?
Slide 5: Part 1: Common Vulnerabilities
- Things to be concerned about
- Web Interfaces
- Wireless
- Server Exploits
Slide 6: Common Vulnerabilities: Web-interfaces
Slide 7: Common Vulnerabilities: Web-interfaces
- Web
- Unpatched web-servers and database servers.
- Automated web-vulnerability scanners
- Acunetix, WebInspect
- Invalid file permissions
- Google searches e.g.
- filetype:mdb users.mdb
- intitle:index.of.etc passwd
- Custom
- Scripting / SQL Code Injection
- Cookie tampering: Achilles (web-proxy)
- Brute force attacks: Hydra, Brutus
- Man in the middle
- Sniffing web-traffic
- Pharming (DNS cache poisoning)
- Proxies that spoof SSL
- Odysseus, Achilles
Slide 8: Common Vulnerabilities: Web-interfaces
- Acunetix
- Automated web-vulnerability scanner
Slide 9: Demo 1: SQL Injection
- Mark Keegan
- Security Consultant
Slide 10: Attack Configuration
Slide 11: Server Configuration
- Windows 2000 Server (unpatched)
- .NET Framework 1.1
- SQL Server 2000
- Hackme Bank (Foundstone.com)
Slide 12: Bypassing Login
- Building up an inline SQL statement (user input is concatenated straight into the query text)
- sql = "SELECT * FROM fsb_users WHERE Login_Id = '" & request("txtUserName") & "' AND Password = '" & request("txtPassword") & "'"
Slide 13: Bypassing Login
- SELECT * FROM fsb_users
- WHERE Login_Id = 'mkeegan'
- AND Password = 'Test123'
- ' or 1=1 --
- So how does it work?
- SELECT * FROM fsb_users
- WHERE Login_Id = '' or 1=1 --
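As an added example (not from the presentation or the Hackme Bank application), the slide's concatenated login query beside a parameterised version. Python's sqlite3 stands in for SQL Server, and the single fsb_users row is constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the demo's fsb_users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fsb_users (Login_Id TEXT, Password TEXT)")
    conn.execute("INSERT INTO fsb_users VALUES ('mkeegan', 'Test123')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    """The slide's pattern: user input becomes part of the SQL grammar.

    With user = "' or 1=1 --" the query turns into
      SELECT * FROM fsb_users WHERE Login_Id = '' or 1=1 --' AND Password = '...'
    so the password check is commented away and every row matches.
    """
    sql = ("SELECT * FROM fsb_users WHERE Login_Id = '" + user
           + "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterised(conn, user, password):
    """Hardened form: placeholders keep the values out of the SQL text.

    The driver binds "' or 1=1 --" as a literal login id to compare against,
    so it never matches a real account and never alters the statement.
    """
    sql = "SELECT * FROM fsb_users WHERE Login_Id = ? AND Password = ?"
    return conn.execute(sql, (user, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected:", login_vulnerable(db, "' or 1=1 --", "x"))
    print("parameterised, injected:", login_parameterised(db, "' or 1=1 --", "x"))
    print("parameterised, real creds:", login_parameterised(db, "mkeegan", "Test123"))
```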
Slide 14: Enumerating the database columns
Slide 15: CmdShell
- ' EXEC Master..XP_CMDSHELL 'DIR' --
Slide 16: Other Attack Options
- Insert a new user
- Delete users
- Extract system passwords
- Enumerate the whole database to determine other tables
- Delete the Database!!
- Shutdown the server !!
- Attack other systems !!
Slide 17: Common Vulnerabilities: Wireless
- Wireless
- Wireless detection tools
- Network Stumbler, Kismet (KisMAC)
- Hidden SSID identification, AP model type, WEP/WPA, MAC address filtering
- Wellington WarDrive in June 2005: 300 scanned, 100 OPEN (50 corporate), and 100 poorly secured (WEP and/or MAC address filtering only)
- MAC address sniffing
- MAC address spoofing
- WEP cracking
- WPA cracking
Slide 18: Common Vulnerabilities: Wireless
- Network Stumbler
- Wireless Detection Tool
Slide 19: Common Vulnerabilities: Servers
- Known vulnerabilities and exploits
- Specialist tools and websites to:
- Identify the version of the server and its services (such as telnet, web-server, FTP)
- Map versions against known and new exploits
- Provide exploitation tools, packets and payloads
- Unpatched / slow to patch
- 80% of exploits are available within the first 19 days of a critical vulnerability
- Poorly administered
- When the DoD did studies on the matter, they found these actual attacks accounted for only 30% of hacking. Attacks against configuration and essentially poor system hardening account for 70% of successful attacks.
- Unauthorised administrator or physical access
- Who are your administrators? Are they skilled?
- Secure location
- Hardware re-use
Slide 20: Common Vulnerabilities: Servers
- ElseNot Project: ElseNot.com
- Goal: an exploit for every Microsoft Security Bulletin
Slide 21: Common Vulnerabilities: Servers
- MilW0rm: www.milw0rm.com
- Up-to-date source of exploits for all platforms and applications.
Slide 22: Common Vulnerabilities: Servers
- Nessus: Server Vulnerability Scanner
Slide 23: Demo 2
- Creating a remote connection to a vulnerable server
Slide 24: Demo 3
Slide 25: Common Protection
- Normal steps taken
- Patching servers
- Firewalls, DMZ, VPNs
- Website security, SSL
- Antivirus and Anti-Spyware products
- Mail filters
- Additional Steps
- Dedicated IT Security Team
- Network Monitoring Systems
- Intrusion Detection Systems
Slide 26: Part 2: Unusual Vulnerabilities
- Things that pop your bubble
Slide 27: Things that Pop your Bubble
- Wellington bank with 14 locked-down wireless APs, but 1 wide-open AP
- The issue: a pro-active, can-do manager buys a standard DSE wireless AP to cater for new temporary staff. Simply installs it and it works.
- The impact: a TOTALLY unsecured wireless access point, with default settings, connected to the corporate LAN!
Slide 28: Things that Pop your Bubble
- Government agency with a custom application with unsecured NT user IDs and passwords
- AD is well secured
- Users self-register with AD usernames and passwords
- Custom DB is NOT secured
Slide 29: Things that Pop your Bubble
- Managing Director with default wireless AP at home
- The Issue
- MD connects to ADSL
- Purchases a common ADSL/Wireless router
- Plug-and-play settings with NO security
- The Threat
- The MD's laptop is now vulnerable to a hack from their home
Slide 30: Things that Pop your Bubble
- Previous latest example: Sony Rootkit
- The Issue
- New Sony CDs install a copy protection utility that sits beneath Windows XP, and stops multiple copies of a CD, or unprotected ripping of the CD.
- The Threat
- The copy protection utility is based on a RootKit, which sits beneath the operating system. RootKits are a hacker's dream as they give escalated permissions to processes, and can create files and processes invisible to the OS. Usually the hard part for a hacker is how to get a RootKit onto a remote machine; thanks Sony!
Slide 31: Things that Pop your Bubble
- New latest example: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (WMF)
- Dec 27 2005
- Article on www.SecurityFocus.com
- milw0rm exploit 1391
- URLs published with damaging WMF
- Dec 28 2005
- Microsoft Security Advisory 912840
- CVE-2005-4560 (Common Vulnerabilities and Exposures registry)
- Work-arounds published
- Available as MSF update
- Jan 5 2006
- Microsoft Security Bulletin MS06-001
- Jan 15 2006
- milw0rm exploit 1420
Slide 32: Part 3: Design to be Hacked
- Build security into every phase of your IT projects
- Requirements
- Design
- Build
- Deploy
- Maintain
- Don't have a single bubble
Slide 33: Design to be hacked
- Requirements Phase
- Understand your data assets
- Understand the secure functions
- Think up-front the impact of
- Unauthorised access
- Data Tampering
- Denial of Service
- Threat Modelling
Slide 34: Design to be hacked
- Design Phase
- Follow best practices
- Build security into every layer
- Infrastructure
- Client
- Server
- Database
- Users, Administrators and physical access
Slide 35: Design to be hacked
- Build Phase
- Three Levels of Security
- BLOCK an attack
- TRACE the attack
- Take SMART ACTION
- Secure Coding Practices
- Staff Training
- Guidelines
- Secure Code Frameworks, e.g. The Aura Secure Web Framework (MS .Net)
Slide 36: Design to be hacked
- Deployment Phase
- Baseline
- Servers patched
- Firewall rules in place
- Users locked down
- Dev access removed
- Actually TEST your security!
- Initial deployment is the most likely time for mistakes
- Perform your first penetration test and security audit NOW.
Slide 37: Design to be hacked
- Ongoing Maintenance
- STAY PATCHED!
- Regular penetration tests
- Regular security audits
- Understand the current threat to YOUR systems
- Standard Procedures
- Creating new users
- Removing old users
- Hardware destruction
Slide 38: Part 4: Secure your Organisation
- Make security part of your day-to-day business
- Think security in every IT project
- Think security in every IT system
- Make information security a CEO and senior management team priority
- Do all IT projects have security tasks?
- Are you developing and deploying secure systems?
- Raise employee awareness of security issues within the whole organisation.
- Data classification
- Danger of USB devices, iPods, Sony CDs, home wireless
- Ongoing training in systems and controls
Slide 39: Additional Steps
- In-House-Hacker
- Performs pro-active security checks. E.g.
- Server vulnerability checks
- Wireless AP checking
- Armed with the latest hacker tools
- MUST be well trained
- MUST be well trusted
- Trusted Security Advisors (Aura)
- Constantly monitoring threats, exploits, patches and tools
- Trusted entity, who knows your internal IT infrastructure and configuration.
- Proactively participates in the hacker / security community, e.g. OWASP (www.OWASP.org): Open Web Application Security Project
Slide 40: The Message
- Think about security in EVERY IT project within your organisation
- Make NO assumptions about which aspects of your IT are SAFE
- PLAN for a security breach
- Make information security a CEO and senior management team priority
- Raise employee awareness of security issues within the whole organisation
Slide 41: Quality Software: Designed to be HACKED!
- SQNZ Presentation
- Thursday 16th February 2006
- Andy Prow,
- Managing Director of Aura Software Security Ltd and Aura Software Architects Ltd
- Andy_at_AuraSoftwareSecurity.co.nz
- Andy_at_AuraSoftwareArchitects.com
- More info is available from
- www.AuraSoftwareSecurity.co.nz