Web security 101

Posted on 16-Feb-2017


Transcript of Web security 101

Net security 101

Internet is a hostile network

Kristaps Kūlis

“Real” security

● Security through security, not obscurity

A house is secured by its door locks, not by hiding the door on the roof.

● Ongoing process

“Be conservative in what you do; be liberal in what you accept from others.”

(Postel's law)

Web applications

SQL injection

● Creating queries by string concatenation is “the wrong way”

● MySQL (via the classic PHP mysql_query API) runs only one statement per call, so stacked “; DROP TABLE” payloads fail. That closes one attack shape only; it is not a defence against injection.

● Let the database do the work: use parameterized queries (prepared statements), so input can never change the structure of the statement

● ORM frameworks lift the burden

● It is easy to forget to validate inline SQL somewhere

XSS

● Escape HTML/JS/XML special characters on output

● The vulnerability can also exist purely on the client side (DOM-based XSS in JS), where the server never sees the payload.

● It gets hairy with JS, AJAX, JSONP etc.: each output context (HTML text, attribute, URL, script) needs its own escaping.
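An added example, not from the slides, of context-specific output escaping in Python: the same untrusted strings rendered into HTML text, an HTML attribute, a URL parameter and a `<script>` data block. The attacker inputs are constructed; the `\u`-escaping of `<`, `>` and `&` inside JSON is a common technique for embedding data in script blocks, not something the slides prescribe.

```python
import html
import json
from urllib.parse import quote

# Constructed attacker inputs (not from the slides).
PAYLOAD = '<script>alert("xss")</script>'
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def html_text(value: str) -> str:
    """HTML body context: &, <, >, " and ' become entities."""
    return html.escape(value, quote=True)


def html_attr(name: str, value: str) -> str:
    """Attribute context: always quote the attribute AND escape the value,
    otherwise a stray quote breaks out and injects new attributes."""
    return f'{name}="{html.escape(value, quote=True)}"'


def script_json(obj) -> str:
    """JavaScript context: data handed to a <script> block. JSON alone is not
    enough, because a '</script>' inside a string closes the block early.
    Escaping <, > and & as \\uXXXX keeps the output valid JSON that cannot
    terminate the tag or start an HTML entity."""
    raw = json.dumps(obj)
    return (raw.replace("<", "\\u003c")
               .replace(">", "\\u003e")
               .replace("&", "\\u0026"))


def url_param(value: str) -> str:
    """URL/query context: percent-encode everything except unreserved
    characters. (A javascript: URL pasted into href= still needs a separate
    allow-list check on the scheme; encoding alone does not fix that.)"""
    return quote(value, safe="")


def json_roundtrip_ok(obj) -> bool:
    """The script_json() escaping must not change what the browser parses."""
    return json.loads(script_json(obj)) == obj


def render_page(user: str, comment: str) -> str:
    """A tiny page touching four output contexts. Only the escaping that
    matches each context is applied; a single 'strip tags' filter at input
    time would get at least one of them wrong."""
    return (
        "<p>" + html_text(comment) + "</p>\n"
        "<a " + html_attr("title", user) + " href=\"/user?name="
        + url_param(user) + "\">profile</a>\n"
        "<script>var data = " + script_json({"user": user}) + ";</script>"
    )


if __name__ == "__main__":
    print(render_page(ATTR_PAYLOAD, PAYLOAD))
```

Note that none of these functions are applied at input time: the raw value is stored as-is and escaped at the moment it is written into a particular context, which is what “escape on output” means.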

CSRF

● A third party triggers an unauthorized request to the web site from the victim's browser

● Include a unique token in each response and validate it on the request.

● Never update data with GET

<img src="http://www.bank.lv/pay?to=kristaps&amount=100" />
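The token scheme from the bullets above, as an added example that is not part of the original deck. `Session` and `Request` are hypothetical stand-ins for a framework's objects, and the `/pay` endpoint and amounts are made up to match the `<img>` attack shown above.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session; the token is generated once per session."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Hypothetical stand-in for a framework request object."""
    method: str
    params: dict
    session: Session


def render_pay_form(session: Session) -> str:
    """Every response that contains a form carries the session's token."""
    return (
        '<form method="POST" action="/pay">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="to"><input name="amount"><button>Pay</button></form>'
    )


def handle_pay(req: Request) -> tuple:
    """Two independent checks: state changes need POST (so the <img> trick
    from the slide fails), and the POST must carry the token of the
    session it is acting on (so an attacker's auto-submitted form fails,
    because the same-origin policy keeps the victim's token out of reach)."""
    if req.method != "POST":
        return 405, "state change requires POST"
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), req.session.csrf_token.encode()):
        return 403, "bad CSRF token"
    return 200, f"paid {req.params['amount']} to {req.params['to']}"


def demo() -> tuple:
    """Return the status codes for the three request shapes."""
    victim = Session()
    form = render_pay_form(victim)          # what the real page would serve
    # 1. The slide's attack: <img src="http://www.bank.lv/pay?to=kristaps&amount=100">
    img_attack = Request("GET", {"to": "kristaps", "amount": "100"}, victim)
    # 2. Attacker page auto-submits a POST, but can only guess the token
    form_attack = Request("POST", {"to": "kristaps", "amount": "100",
                                   "csrf_token": "guess"}, victim)
    # 3. Real submission of the form above, token copied from it
    token = form.split('value="')[1].split('"')[0]
    legit = Request("POST", {"to": "kristaps", "amount": "100",
                             "csrf_token": token}, victim)
    return handle_pay(img_attack)[0], handle_pay(form_attack)[0], handle_pay(legit)[0]


if __name__ == "__main__":
    print(demo())
```

The comparison uses `hmac.compare_digest` so that a wrong token takes the same time to reject regardless of how many leading characters happened to match.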

Storing passwords

● Do not expose DB / other credentials

● MD5 is too “cheap”. SHA-1 is not “expensive enough”

● Make hash functions slow:

● Multiple iterations (with a random per-user salt)

● Bcrypt

Authorization vs Authentication

Authentication: verifying the user's credentials. Usually done once per session.

Authorization: checking that the user is allowed to perform the particular action.

Must be done on every request, not only once at login.

Session fixation

● Session cookie stealing / guessing

● Regenerate (re-initialize) the session ID on login; never accept a session ID the client supplied

● Tie sessions to IP address / User-Agent (IP binding breaks for mobile and NAT users, so treat it as a tradeoff)

● Expire / invalidate sessions.
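One added example, not from the slides, that covers both the “Authorization vs Authentication” slide and this one: authentication happens once at login, the session ID is regenerated there (the fixation defence), sessions are bound to the User-Agent and expire when idle, and authorization is evaluated on every request against the object being accessed. `Request`, `USERS`, `INVOICES` and the invoice endpoint are constructed stand-ins, and the idle timeout is an assumption.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

SESSION_TTL = 15 * 60            # assumption: seconds of inactivity before a session dies

# Constructed data (not from the slides); plaintext passwords only to keep
# the session logic in focus.
USERS = {"kristaps": "pw-k", "admin": "pw-a"}
INVOICES = {1: {"owner": "kristaps"}, 2: {"owner": "admin"}}
SESSIONS = {}                    # session id -> {"user", "ua", "last"}


@dataclass
class Request:
    """Hypothetical stand-in for a framework request object."""
    cookie: Optional[str]
    user_agent: str
    now: float                   # injectable clock, so expiry is testable


def _new_session(user: str, ua: str, now: float) -> str:
    sid = secrets.token_urlsafe(32)          # 256 random bits: not guessable
    SESSIONS[sid] = {"user": user, "ua": ua, "last": now}
    return sid


def login(req: Request, user: str, password: str) -> Optional[str]:
    """Authentication, done once. Whatever cookie the client arrived with
    (possibly planted by an attacker: session fixation) is discarded and a
    fresh ID is issued, so the attacker's ID never becomes a logged-in one."""
    if USERS.get(user) != password:
        return None
    SESSIONS.pop(req.cookie, None)
    return _new_session(user, req.user_agent, req.now)


def current_user(req: Request) -> Optional[str]:
    """Map cookie -> user while enforcing User-Agent binding and idle expiry.
    (IP binding is left out on purpose: mobile and NAT users change IPs.)"""
    s = SESSIONS.get(req.cookie or "")
    if s is None:
        return None
    if s["ua"] != req.user_agent or req.now - s["last"] > SESSION_TTL:
        del SESSIONS[req.cookie]             # invalidate, do not just deny
        return None
    s["last"] = req.now
    return s["user"]


def view_invoice(req: Request, invoice_id: int) -> int:
    """Authorization, done on EVERY request and against the object itself:
    being logged in is not the same as being allowed to see invoice 2."""
    user = current_user(req)
    if user is None:
        return 401
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404
    if inv["owner"] != user:
        return 403                           # authenticated, not authorized
    return 200


def demo() -> dict:
    """Walk through fixation, ownership, expiry and UA-binding checks."""
    SESSIONS.clear()
    ua = "Mozilla/5.0 (demo)"
    planted = "attacker-chosen-id"           # fixation: attacker sets this cookie first
    sid = login(Request(planted, ua, 1000.0), "kristaps", "pw-k")
    result = {
        "bad_password": login(Request(None, ua, 1000.0), "kristaps", "nope"),
        "fixation_defeated": sid != planted and planted not in SESSIONS,
        "own_invoice": view_invoice(Request(sid, ua, 1001.0), 1),
        "other_invoice": view_invoice(Request(sid, ua, 1002.0), 2),
        "missing_invoice": view_invoice(Request(sid, ua, 1003.0), 9),
        "no_cookie": view_invoice(Request(None, ua, 1004.0), 1),
        "expired": view_invoice(Request(sid, ua, 1003.0 + SESSION_TTL + 1), 1),
    }
    sid2 = login(Request(None, ua, 5000.0), "kristaps", "pw-k")
    result["wrong_ua"] = view_invoice(Request(sid2, "curl/8.0", 5001.0), 1)
    result["after_wrong_ua"] = view_invoice(Request(sid2, ua, 5002.0), 1)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18s} -> {value}")
```

The `other_invoice` case is the one the slide is warning about: the request is fully authenticated, but the per-request authorization check against the invoice's owner is what turns it into a 403 instead of a data leak.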

PHP specific problems

register_globals: roughly half of the vulnerabilities in open-source PHP apps work only when register_globals is on.

safe_mode: wrong place, wrong solution

magic_quotes: gives a false sense of security and no real protection

display_errors: gives away too much information.

Log your errors, do not display them.

One .php file is one script: the PHP engine has no “application” concept.

Class files, configuration files, etc. should not be directly executable via a URL ...

... and everything that is not .php is by default dumped as plaintext to the browser (including any included file holding database credentials).

include and require accept URLs as parameters: remote code injection made dead easy.

If you disable allow_url_fopen, you cannot open any URL at all (without cURL); since PHP 5.2 the narrower allow_url_include directive turns off only URL includes.

All these settings should be disabled by default. On most hosting servers they are not.

Server security

Environment matters

TLS (SSL)

● Public-key infrastructure (PKI): a certificate binds a public key to a name

● Server verification (authentication) and data encryption

● Ultimate trust is placed in the Certificate Authorities (CAs)

● Don't hand out ad-hoc self-signed certificates (users learn to click through warnings). If a public CA is not an option, roll out your own CA and install its root certificate on every client.

Secure / insecure protocols

● HTTP sends all information in plaintext

● So do FTP / IMAP / POP3 / SMTP

● Use HTTPS / SFTP / IMAPS / POP3S / SMTP over TLS

● DNS is built on trust. DNSSEC is not (yet) widely deployed.

[D]DoS

● DoS – a “million” requests from one client

● DDoS – a “zillion” requests from a “million” clients

● Handle DoS at the firewall level.

● Try to survive DDoS at the router level.

Shared hosting

● Easy, fast, secure: pick two

● “Jail” each site

● SELinux / AppArmor to the rescue

● IDS / mod_security is slow

● Test backups.

Real life 100% secure system

Slide intentionally left blank

Personal security

The weakest link in the chain

Passwords

Passwords are like underwear.You don't share them and you change them often.

KeePassX

Think

● Don't use plaintext protocols over open WiFi

● Secure your home router

● Check URLs and filenames

● Malware doesn't expose itself anymore:

● Botnets

● Information stealing

● Avoid buggy and insecure software (Flash and Acrobat Reader).

Securing digital communication

● Skype is sort-of secure

● PGP

● S/MIME

Handling incidents

● Not all hackers are bad

● Preserve evidence

● Presume the attacker obtained the maximum information available

● Treat the system as compromised

● Eliminate the attack vectors

● Offline backups help.

Questions?

Further reading

● www.owasp.org – knowledge

● www.cert.lv – Latvia's network security (CERT) team

Books

● Stealing the Network: How to Own the Box by R. Russell – hacking “fiction” book.

● The Art of Deception by Kevin Mitnick – hacker “memoirs”