11 a6 security misconfiguration.pptx

A6 Security Misconfiguration Problem and Protection


Part of the Web Application Security Course

Transcript of 11 a6 security misconfiguration.pptx

Page 1: 11 a6 security misconfiguration.pptx

A6 Security Misconfiguration

Problem and Protection

Page 3

Security Misconfiguration

o  Returned to the OWASP Top 10 in 2010 as A6. It was on the 2004 list (as Insecure Configuration Management) and dropped out in 2007

o  It happens when system admins, DBAs and developers leave security holes in the configuration of the stack: default settings and accounts, sample content, services nobody uses, and components nobody patches

Page 4

How attackers do it

o  Glean info about the targeted system's stack
   •  OS and version number
   •  Web server type (Apache, IIS, etc.)
   •  RDBMS (MySQL, SQL Server, Oracle, etc.)
   •  Web development language
   •  Tools/libraries used (Castle, NHibernate, etc.)

o  Check their data sources for all known exploits against any part of that stack
   •  There are known vulnerabilities for each level of the stack

o  Begin hacking away

Page 5

How we protect ourselves

o  Don't give away info about your stack
o  Change default user accounts
o  Delete unused pages and user accounts
o  Turn off unused services
o  Whitelist pages
o  Stay up-to-date on patches
o  Consider internal attackers as well as external
o  Use automated scanners

Page 6

Be secretive

o  Obfuscate or anonymize ...
   •  Error messages (return a generic page to the browser; keep stack traces and file paths in server-side logs)
   •  HTTP headers (Server, X-Powered-By, X-AspNet-Version)
   •  URLs (a technology-specific extension such as .php or .aspx names the platform)

o  Don't let anyone know what makes up your stack
   •  Anybody know for sure what the big boys use?

o  This only slows down reconnaissance; it does not remove the vulnerabilities, so it complements patching rather than replacing it
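The reconnaissance on page 4 and the header, error-page and URL hygiene on this page, as an added Python example that is not part of the course material. It pulls the stack clues out of two constructed HTTP responses (one chatty, one hardened; the hostname is a placeholder) the way a fingerprinting tool would, so the same code shows whether hardening actually removed them. Note that Apache's ServerTokens Prod still leaves the product name in the Server header; only the version and module list go.

```python
"""Stack fingerprinting from HTTP responses (added example; the responses are constructed)."""
import re

# Response headers that name a component of the stack outright.
HEADER_HINTS = {
    "server": "web server",
    "x-powered-by": "platform",
    "x-aspnet-version": "ASP.NET version",
    "x-aspnetmvc-version": "ASP.NET MVC version",
}
# Default session-cookie names identify the platform even when the headers above are stripped.
COOKIE_HINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SESSIONID": "ASP.NET",
    "ASPSESSIONID": "classic ASP",   # the real name carries a random suffix, hence the prefix match
    "CFID": "ColdFusion",
}
# Technology-specific extensions in the URL name the web development language.
EXT_HINTS = {".php": "PHP", ".aspx": "ASP.NET", ".asp": "classic ASP", ".jsp": "JSP"}


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, {header: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def fingerprint(path: str, raw_response: str) -> dict:
    """Return {clue: value} for everything in the response that reveals the stack."""
    found = {}
    _status, headers, body = parse_response(raw_response)
    for name, label in HEADER_HINTS.items():
        for value in headers.get(name, []):
            found[label] = value
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        for prefix, label in COOKIE_HINTS.items():
            if cookie_name.upper().startswith(prefix):
                found["session cookie"] = f"{cookie_name} ({label})"
    for ext, label in EXT_HINTS.items():
        if path.lower().endswith(ext):
            found["page extension"] = f"{ext} ({label})"
    # Verbose error pages: Apache's ServerSignature footer and ASP.NET's "yellow screen" version line.
    m = re.search(r"<address>(.*?)</address>", body, re.S)
    if m:
        found["server signature"] = m.group(1).strip()
    m = re.search(r"Version Information:(?:</b>)?(?:&nbsp;)?\s*([^<\r\n]+)", body)
    if m:
        found["framework version"] = m.group(1).strip()
    return found


# Constructed responses for the same 404, before and after hardening.
CHATTY_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.2.15 (CentOS) PHP/5.3.3\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Set-Cookie: PHPSESSID=3f9c1a; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>"
    "<address>Apache/2.2.15 (CentOS) Server at www.example.com Port 80</address>"
    "</body></html>"
)
# After ServerTokens Prod / ServerSignature Off, expose_php = Off, a renamed session
# cookie and an extensionless URL scheme, only the bare product name is left.
HARDENED_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sid=3f9c1a; path=/; HttpOnly\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)

if __name__ == "__main__":
    for label, path, resp in (("chatty", "/login.php", CHATTY_404), ("hardened", "/login", HARDENED_404)):
        print(label, fingerprint(path, resp) or "nothing revealed")
```

Run it against your own responses (captured with curl -i, for instance) rather than the constructed ones: anything the function still reports is what an attacker's first request reports too.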

Page 7

Change default accounts

o  When you install an OS or server tool, it often comes with a built-in administrative account whose password is blank, documented, or set to a well-known value

o  Examples:
   •  Windows – the built-in "Administrator" account, frequently left with a blank or guessable password such as "Administrator"
   •  SQL Server – "sa" with no password (the default for mixed-mode installs of SQL Server 2000 and earlier)
   •  Oracle – documented defaults such as SYSTEM/MANAGER, SYS/CHANGE_ON_INSTALL and SCOTT/TIGER
   •  Apache httpd itself ships no login accounts; the "root"/"changethis" pair on the original slide is not an Apache default. Check every administrative console bundled with or layered on the web server (Tomcat's manager application, for example) the same way

o  Make sure you change these passwords!
o  Completely delete the accounts when possible; where a built-in account cannot be deleted (sa, Administrator), disable it or rename it and give it a long random password

Page 8

Delete unused pages

o  Remove all files and pages that are no longer needed

o  Focus on:
   •  Installation default and sample pages
   •  Pages that we've migrated
   •  Old and backed-up config files

Page 9

Delete unused accounts

o  As soon as an employee or contractor leaves, disable the account and change its password, the same day

o  Change the username so remembered logins and scripts stop working
o  Rotate any shared or service credentials that person knew
o  Move the files the business still needs, then delete the account
o  Look for old client accounts and delete them

Page 10

Turn off unused services

o  Look through all running services
o  If they're not being used, turn them off
o  Disable them upon system startup
o  Pay particular attention to:
   •  Services enabled upon install
      ― Remote debugging
      ― Content management
   •  Services turned on ad-hoc
      ― One-time use
      ― "This is a temporary fix. We'll put a better solution in later."

o  Inside IIS, too
   •  Directory browsing
   •  Ability to run scripts and executables

Page 11

Whitelist pages

o  Serve only pages that are allowed
o  Intercept requests for pages and disallow any request for something other than ...
   •  *.html
   •  *.jsp
   •  *.js
   •  *.css
   •  etc.

o  Whitelists are better than blacklists: a blacklist has to anticipate every variant of a forbidden name (.bak, .old, a trailing ~), while a whitelist only has to name what is legitimate
o  Decode and normalise the path before matching, or "%2e%2e/" and "web.config." (Windows strips trailing dots) slip past a pattern that only looks at the raw string
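The allow-list on this page and the stale backup/config files on page 8, as an added Python example that is not part of the course material. It models the check a front-end filter or handler mapping performs before a file is served. The allowed extension set extends the slide's list with image types (an assumption), the request paths are constructed, and blacklist_allows is included only to show the variant a deny-list misses.

```python
"""Allow-list request filter (added example; not code from the course)."""
import posixpath
from urllib.parse import unquote

# Extensions the site may serve: the slide's list plus common image types (an assumption).
ALLOWED_EXTENSIONS = {".html", ".jsp", ".js", ".css", ".png", ".jpg", ".gif"}
# A deny-list of "sensitive" extensions, kept only to show what it misses.
DENIED_EXTENSIONS = {".config", ".bak", ".sql"}


def normalise(path: str) -> str:
    """Canonical path relative to the web root: decoded twice (double encoding),
    query string dropped, backslashes treated as separators (IIS does), ./ and ../ collapsed."""
    decoded = unquote(unquote(path)).split("?", 1)[0].replace("\\", "/")
    return posixpath.normpath(decoded.lstrip("/"))


def is_allowed(path: str) -> tuple[bool, str]:
    """Decide whether a request path may be served; returns (verdict, reason)."""
    rel = normalise(path)
    if "\x00" in rel:
        return False, "NUL byte in path"
    # Anything still pointing above the root after normalisation is a traversal attempt.
    if rel == ".." or rel.startswith("../"):
        return False, "path escapes the web root"
    if rel == ".":
        return True, "site root (mapped to the index page)"
    # Windows strips trailing dots and spaces, so "web.config." opens web.config.
    name = posixpath.basename(rel).rstrip(". ")
    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} is not on the allow list"
    return True, "ok"


def blacklist_allows(path: str) -> bool:
    """The naive alternative: block a few known-bad extensions on the raw path."""
    return posixpath.splitext(path)[1].lower() not in DENIED_EXTENSIONS


if __name__ == "__main__":
    # Constructed requests: legitimate pages, leftover config/backup files, and encoded traversal.
    for p in ("/", "/index.html", "/scripts/app.JS?v=2", "/web.config", "/web.config.",
              "/static/%2e%2e/web.config", "/static/%252e%252e/web.config",
              "/../../etc/passwd", "/backup/web.config.old"):
        ok, why = is_allowed(p)
        print(f"{p:35} allow-list: {'serve' if ok else 'deny'} ({why}); "
              f"deny-list: {'serve' if blacklist_allows(p) else 'deny'}")
```

The last constructed path is the one that matters: a backed-up web.config.old is served by the deny-list because .old was never anticipated, and refused by the allow-list because it was never permitted.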

Page 12

Update patches

o  Patch Tuesday is the most overlooked defense: a patch only helps once it is actually deployed

o  Day-one vulnerabilities: once a vendor publishes a fix, attackers diff it and build exploits for everyone who hasn't applied it yet, so the window between release and deployment is the risk

Page 13

Follow the news

o  Subscribe to vendors' alert lists
o  RSS feed to Wired, Slashdot, etc.
o  Use Ifttt.com to get alerts sent to your email or phone
o  Twitter users to follow:
   •  @ZeroDayDan – Insider's POV
   •  @AaronPortnoy – Development techniques
   •  @PaulDotCom – Podcasts & videos also
   •  @SteveWerby – Hacker with a business mind

Page 14

Consider internal attackers

o  Not just disgruntled folks either
o  Rootkits can be installed
o  Private files can be exposed
o  Web.config can't be served to browsers, but it can be read by employees with file-system access
   •  Encrypt parts of it: ASP.NET's Protected Configuration (aspnet_regiis -pe connectionStrings -app /YourApp) encrypts sections such as connectionStrings so the plaintext never sits on disk

Page 15

Use automated scanners

o  Download and install one or more automated scanners
   •  Microsoft Baseline Security Analyzer (MBSA) for Windows host configuration and missing patches (since retired by Microsoft)
   •  WebScarab from OWASP
   •  Burp
   •  Paros
   WebScarab and Paros are no longer maintained; OWASP ZAP, which started as a fork of Paros, is the current OWASP scanner

o  After all, attackers will use tools like this against you

o  Harden yourself against them

Page 16

Summary

o  Many hackers find ways to damage our systems that can be stopped by some simple maintenance of the stack
   •  Applying patches
   •  Removing or changing authentication on unneeded or default accounts
   •  Whitelisting the files served
   •  Using automated scanners

Page 17

Like a garden ...
If you tend to it a tiny bit every day, it will be beautiful.
But if you neglect it for a period of time, it gets very out-of-hand.

Page 18

Further study

o  TED Talk on Stuxnet: http://bit.ly/StuxnetTEDTalk

o  Secure deployment section in the OWASP Development Guide: http://www.owasp.org/index.php/Configuration

o  DB of known default accounts: http://www.cirt.net/passwords

o  Vulnerability scanning software: http://sectools.org/web-scanners.html