SWAT 2014: The Futility of 1.0 Technology against 2.0 Web Application Hacking Jason Lin Corporate Security Officer Ontario Telemedicine Network Blair Campbell Senior Manager, Privacy Scotiabank


Page 1: SWAT 2014: The Futility of 1.0 Technology against 2.0 Web ... 2014_PDF… · Security 1.0 versus Security 2.0 Legacy Approach Modern Approach Locked-Down Servers, Firewalls are futile

SWAT 2014: The Futility of 1.0 Technology against 2.0 Web Application Hacking

Jason Lin Corporate Security Officer Ontario Telemedicine Network

Blair Campbell Senior Manager, Privacy Scotiabank

Page 2

DISCLAIMER

The content and opinions expressed within and during this presentation are solely my personal opinions. They do not represent the positions, opinions, viewpoints, policies and/or statements of my employer.

Page 3

May 8, 2014

Jason C. Lin Corporate Security Officer Ontario Telemedicine Network

Security 1.0 versus Security 2.0

Page 4

Security 1.0 versus Security 2.0

Legacy Approach: Locked-down servers and firewalls are futile against web application threats.

Modern Approach: Organizations need to 'harden' the entire technical service ecosystem, consisting of infrastructure, network, AND application.

Page 5

Risk Trends

1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfigurations
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards

Page 6

Data Breaches

Records      Date        Organization
586          2014-03-24  Orlando Health, Arnold Palmer Hospital for Children, Winnie Palmer Hospital for Women & Babies
5,400        2014-03-17  Valley View Hospital
150,000,000  2012-03-17  Shanghai Roadway D&B Marketing Services Co. Ltd
152,000,000  2013-10-03  Adobe Systems, Inc.
130,000,000  2009-01-20  Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank, North Middlesex Savings Bank, Golden Chick
110,000,000  2013-12-18  Target Brands, Inc.

Source: Data Loss DB (datalossdb.org)

Page 7

A1 – Injection

Technical Impact: Can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover.

Business Impact: Consider the business value of the affected data and the platform running the interpreter. All data could be stolen, modified, or deleted. Could your reputation be harmed?
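The slide describes injection only by its impact. The following is an added example, not code from the presentation, showing the defect that makes the interpreter "the platform running the interpreter" in the first place: the vulnerable lookup splices user input into the SQL text, so the database parser treats data as code, while the hardened lookup binds the value as a parameter. The table, rows and the name containing an apostrophe are constructed sample data; the vulnerable version fails even on that legitimate input, which is the tell that input has reached the parser.

```python
import sqlite3


def build_db():
    """Constructed in-memory sample database (not from the presentation)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, record TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients (name, record) VALUES (?, ?)",
        [("Ada Lovelace", "record-A"), ("Conor O'Brien", "record-B")],
    )
    return conn


def lookup_concat(conn, name):
    """VULNERABLE: the caller's string is spliced into the SQL text.

    The SQL parser sees the input as part of the statement, so any quote
    character, legitimate or hostile, changes the statement's structure.
    """
    sql = "SELECT record FROM patients WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """HARDENED: the value is bound to a placeholder and never parsed as SQL."""
    sql = "SELECT record FROM patients WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups against a name with an apostrophe and report results."""
    conn = build_db()
    results = {"param_quote": lookup_param(conn, "Conor O'Brien")}
    try:
        results["concat_quote"] = lookup_concat(conn, "Conor O'Brien")
    except sqlite3.OperationalError as exc:
        # The parser choked on the apostrophe: proof that input became code.
        results["concat_quote"] = "error: " + str(exc)
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, "->", value)
```

The parameterised form is the control the OWASP entry on the slide ultimately asks for; a code review or a linter rule that flags string concatenation into `execute()` calls catches the vulnerable pattern before it reaches production.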

Page 8

A2 – Broken Authentication and Session Management

Technical Impact: May allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.

Business Impact: Consider the business value of the affected data or application functions. Also consider the business impact of public exposure of the vulnerability.

Page 9

A3 – Cross-Site Scripting (XSS)

Technical Impact: Attackers can execute scripts in a victim's browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user's browser using malware, etc.

Business Impact: Consider the business value of the lost data and impact to your reputation. What is your legal liability if this data is exposed? Also consider the damage to your reputation.

Page 10

A6 – Sensitive Data Exposure

Technical Impact: Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive data such as health records, credentials, personal data, credit cards, etc.

Business Impact: Consider the business value of the lost data and impact to your reputation. What is your legal liability if this data is exposed? Also consider the damage to your reputation.

Page 11

A9 – Using Components with Known Vulnerabilities

Technical Impact: The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise.

Business Impact: Consider what each vulnerability might mean for the business controlled by the affected application. It could be trivial or it could mean complete compromise.

Page 12

Requirements Testing

Recommendations

Page 13

Conclusion

Reputation
• Enhance the credibility of your organization and its development team
• Reduce loss of revenue and reputation due to a breach resulting from insecure software

Governance
• Develop an InfoSec program
• Manage security throughout your organization

Security
• Proactively inject security throughout the SDLC
• Privacy by Design

Costs
• Reduce costs by securing up front
• Reduce production costs, application vulnerabilities and delivery delays

Page 14

ENCRYPTION 101

Blair Campbell Senior Manager, Privacy Scotiabank

May 8, 2014

Page 15

DISCLAIMER

The content and opinions expressed within and during this presentation are solely my personal opinions. They do not represent the positions, opinions, viewpoints, policies and/or statements of my employer.

Page 16

TABLE OF CONTENTS

1. What is Encryption?
2. An Encryption Timeline
3. Terms
4. Key Length / Size
5. 128-bit Key Brute Force Attack
6. Asymmetrical Encryption
7. Symmetrical Encryption
8. Man in the Middle Attack
9. GCHQ – FLYING PIG
10. Questions

Page 17

What Is Encryption?

Page 18

An Encryption Timeline – 1900 BC

Khnumhotep II

Page 19

An Encryption Timeline – 1900 BC

Scytale

Page 20

An Encryption Timeline – 50 BC

Caesar Cipher

Page 21

An Encryption Timeline – 1586

Blaise de Vigenère

Page 22

An Encryption Timeline – 1930s

Enigma Machine

Page 23

An Encryption Timeline – Mid 1970s

Symmetric-key Encryption

Page 24

An Encryption Timeline – Mid 1970s

Asymmetric-key Encryption

Page 25

Terms

Plaintext – text in human-readable form

Ciphertext – encrypted plaintext

Encryption Key – an encryption key specifies the particular transformation of plaintext into ciphertext, or vice versa during decryption.

Digital Certificate – also known as a public key certificate, is a digitally signed document that serves to validate the sender's authorization and name.

Page 26

Key Length / Size

Length   Possible Key Combinations
2-bit    2 x 2 = 4
16-bit   2 x 2 x 2 x 2 x 2 x 2 x 2 x 2 ... = 65536
56-bit   2 x 2 x 2 x 2 x 2 x 2 x 2 x 2 ... = 72 thousand quadrillion
128-bit  2 multiplied by 2, 128 times over = 339,000,000,000,000,000,000,000,000,000,000,000,000

Page 27

128-bit Brute Force Attack

If you assume:

• There are 7 billion people on the planet.

• Every person on the planet owns 10 computers.

• Each of these computers can test 1 billion key combinations per second.

• On average, you can crack the key after testing 50% of the possibilities.

Then the earth’s population can crack one encryption key in 77,000,000,000,000,000,000,000,000 years!
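The two preceding slides (the key-space table and the brute-force assumptions) reduce to a few lines of arithmetic. The following is an added example, not from the presentation: `key_space` reproduces the "2 multiplied by 2, n times" column, and `brute_force_years` takes the slide's four assumptions as defaults (7 billion people, 10 computers each, 1 billion keys per second per computer, 50% of the key space searched on average). A 365-day year is my assumption, stated in the code. The function also accepts other key lengths, so the 56-bit row of the table can be costed with the same fleet.

```python
from fractions import Fraction

# Assumption (not on the slide): a plain 365-day year, in seconds.
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def key_space(bits):
    """Number of possible keys for a key of `bits` bits: 2 multiplied by 2, bits times."""
    return 2 ** bits


def key_space_table(lengths=(2, 16, 56, 128)):
    """Key-space sizes for the lengths in the slide's table, as exact integers."""
    return {bits: key_space(bits) for bits in lengths}


def brute_force_years(
    bits,
    people=7_000_000_000,          # slide: 7 billion people on the planet
    computers_per_person=10,       # slide: every person owns 10 computers
    keys_per_second=1_000_000_000, # slide: 1 billion keys per second per computer
    fraction_searched=Fraction(1, 2),  # slide: on average, half the key space
):
    """Expected wall-clock years for the whole fleet to find one `bits`-bit key.

    Exact rational arithmetic is used so the huge integers are not rounded
    before the final conversion to float.
    """
    keys_to_test = Fraction(key_space(bits)) * Fraction(fraction_searched)
    fleet_rate = people * computers_per_person * keys_per_second  # keys / second
    seconds = keys_to_test / fleet_rate
    return float(seconds / SECONDS_PER_YEAR)


def brute_force_seconds(bits, **kwargs):
    """Same estimate in seconds, convenient for key sizes the fleet can finish."""
    return brute_force_years(bits, **kwargs) * SECONDS_PER_YEAR


if __name__ == "__main__":
    for bits, size in key_space_table().items():
        print(f"{bits:>3}-bit key space: {size:,}")
    print(f"128-bit key: about {brute_force_years(128):.3g} years")
    print(f" 56-bit key: about {brute_force_seconds(56):.3g} seconds")
```

Under exactly the stated assumptions the 128-bit estimate comes out at about 7.7 × 10^10 years (77 billion years), a different figure from the one printed on the slide but just as far beyond the age of the universe, so the slide's conclusion stands. The same fleet exhausts a 56-bit key space, the size used by DES, in a fraction of a second, which is the practical reason key length is on the agenda at all.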

Page 28

Asymmetric-key Encryption

Page 29

Symmetric-key Encryption

Page 30

Man in the Middle Attack

Page 31

Man in the Middle Attack (cont.)

Page 32

GCHQ – FLYING PIG

Page 33

GCHQ – FLYING PIG (cont.)

Page 34

Questions