“Quality Software : Designed to be HACKED!” - PowerPoint PPT Presentation


“Quality Software : Designed to be HACKED!” SQNZ Presentation Thursday 16th February 2006 Andy Prow, Managing Director of Aura Software Security Ltd and Aura Software Architects Ltd The Message “Think about security in EVERY IT project within your organisation”

Presentation Transcript
“Quality Software: Designed to be HACKED!”

SQNZ Presentation

Thursday 16th February 2006

Andy Prow,

Managing Director of Aura Software Security Ltd and Aura Software Architects Ltd


The Message

“Think about security in EVERY IT project within your organisation”

“Make NO assumptions about which aspects of your IT are SAFE”

“PLAN for a security breach”

“Make information security a CEO and senior management team priority”

“Raise employee awareness of security issues within the whole organisation”


Who are we?

Andy Prow

Software development industry for 11 years

Lead development and development manager roles

Technical Architect and Solutions Architect

Aura Software Architects (2001)

Software Architecture and Design

Specialist Development (Microsoft Technologies)

Aura Software Security (2005)

Security Analysts and Consultants

Secure Software Development Experts


Today’s Talk?

Common Vulnerabilities and Exploits

Things you will be facing and SHOULD know about

2 Demonstrations

Unusual Vulnerabilities

Issues you can’t plan for (real-world examples)

What to do

How do you design and develop secure systems?

How do you keep systems secure over time?

Part 1: Common Vulnerabilities

“Things to be concerned about”

Web Interfaces

Wireless

Server Exploits


Common Vulnerabilities: Web-interfaces

Web

Unpatched web-servers and database servers.

Automated web-vulnerability scanners

Acunetix, WebInspect

Invalid file permissions

Google searches e.g.

“filetype:mdb users.mdb”

“intitle:index.of.etc passwd”

Custom

Scripting / SQL Code Injection

Cookie tampering – Achilles (web-proxy)

Brute force attacks – Hydra, Brutus

Man in the middle

Sniffing web-traffic

Pharming (DNS cache poisoning)

Proxies that spoof SSL

Odysseus, Achilles

Common Vulnerabilities: Web-interfaces

Acunetix

Automated web-vulnerability scanner

Demo 1: SQL Injection

Mark Keegan

Security Consultant


Server Configuration

  • Windows 2000 Server (unpatched)
  • .NET Framework 1.1
  • SQL Server 2000
  • Hackme Bank (Foundstone.com)

Bypassing Login

Building up an inline SQL statement

sql = "SELECT * FROM fsb_users WHERE Login_Id = '" & request("txtUserName") & "' AND Password = '" & request("txtPassword") & "'"

Bypassing Login

SELECT * FROM fsb_users

WHERE Login_Id = 'mkeegan'

AND Password = 'Test123'

' or 1=1 --

So how does it work?

With that text entered as the user name, the quote closes the string early, the `or 1=1` makes the condition true for every row, and the `--` comments out the rest of the statement (including the password check):

SELECT * FROM fsb_users

WHERE Login_Id = '' or 1=1
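The inline SQL from the demo, reproduced as an added example (not code from the presentation) against an in-memory SQLite table: the concatenated statement beside a parameterised one, so the same `' or 1=1 --` input can be seen bypassing one and failing against the other. The table and column names follow the slide; the rows, the SQLite back-end (standing in for the demo's SQL Server 2000) and the function names are assumptions made for this example.

```python
# Added example: the demo's inline-SQL login beside a parameterised version.
# fsb_users / Login_Id / Password follow the slide; everything else is constructed.
import sqlite3


def make_db():
    """Constructed sample table with the same shape as the demo's fsb_users.
    Plaintext passwords are kept only to mirror the demo, not as a recommendation."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE fsb_users (Login_Id TEXT, Password TEXT)")
    con.executemany("INSERT INTO fsb_users VALUES (?, ?)",
                    [("mkeegan", "Test123"), ("alice", "s3cret")])
    con.commit()
    return con


def build_inline_sql(username, password):
    """Mirrors the string concatenation on the slide: request text becomes SQL syntax."""
    return ("SELECT * FROM fsb_users WHERE Login_Id = '" + username
            + "' AND Password = '" + password + "'")


def login_inline(con, username, password):
    """Vulnerable login: executes the concatenated statement verbatim.
    Returns the number of matching rows (any non-zero count logs the user in)."""
    return len(con.execute(build_inline_sql(username, password)).fetchall())


def login_parameterised(con, username, password):
    """Hardened login: the statement shape is fixed, values travel as bound parameters,
    so a quote or a -- inside the input is data, never syntax."""
    rows = con.execute(
        "SELECT * FROM fsb_users WHERE Login_Id = ? AND Password = ?",
        (username, password)).fetchall()
    return len(rows)


if __name__ == "__main__":
    con = make_db()
    injected = "' or 1=1 --"
    print(build_inline_sql(injected, ""))
    print("inline, injected input matched rows:", login_inline(con, injected, ""))
    print("parameterised, injected input matched rows:", login_parameterised(con, injected, ""))
    print("parameterised, real credentials matched rows:",
          login_parameterised(con, "mkeegan", "Test123"))
```

On the demo's own stack the equivalent of the bound `?` placeholders is an ADO.NET `SqlParameter` on a `SqlCommand`; the defence is the same: the query text never contains user input.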

CmdShell

'; EXEC Master..XP_CMDSHELL DIR--


Other Attack Options

Insert a new user

Delete users

Extract system passwords

Enumerate the whole database to determine other tables

Delete the Database !!

Shutdown the server !!

Attack other systems !!

Common Vulnerabilities: Wireless

Wireless

Wireless detection tools

Network Stumbler, Kismet (KisMAC)

Hidden SSID identification, AP Model & Type, WEP/WPA, MAC address filtering…

“Wellington WarDrive” in June 2005 – 300+ scanned, 100+ OPEN (50 Corporate), and 100+ poorly secured (WEP and/or MAC address filtering only)

MAC address sniffing

MAC address spoofing

WEP cracking

WPA cracking

Common Vulnerabilities: Wireless

Network Stumbler

Wireless Detection Tool

Common Vulnerabilities: Servers

Known vulnerabilities and exploits

Specialist tools and websites to:

identify version of server and services (such as telnet, web-server, FTP)

Map versions against known and new exploits

Provide exploitation tools, packets and payloads

Unpatched / slow to patch

“80% of exploits are available within the first 19 days of a critical vulnerability”

Poorly administered

“When the DoD did studies on the matter, they found these actual attacks accounted for only 30% of hacking. Attacks against configuration and essentially poor system hardening account for 70% of successful attacks.”

Unauthorised administrator or physical access

Who are your administrators? Are they skilled?

Secure location

Hardware re-use

Common Vulnerabilities: Servers

ElseNot Project - ElseNot.com

“Goal: Exploit for Every Microsoft Security Bulletin”

Common Vulnerabilities: Servers

MilW0rm – www.milw0rm.com

Up to date source of exploits for all platforms and applications.

Common Vulnerabilities: Servers

Nessus – Server Vulnerability Scanner


Demo 2

Creating a remote connection to a vulnerable server


Common Protection

Normal steps taken

Patching servers

Firewalls, DMZ, VPNs

Website security, SSL

Antivirus and Anti-Spyware products

Mail filters

Additional Steps

Dedicated IT Security Team

Network Monitoring Systems

Intrusion Detection Systems

Part 2: Unusual Vulnerabilities

“Things that pop your bubble”


Things that Pop your Bubble

Wellington bank with 14 locked down wireless AP, but 1 wide-open AP

The issue: a pro-active, “can-do” manager buys a standard DSE wireless AP to cater for new temporary staff, simply installs it, and it works.

The impact: a TOTALLY unsecured wireless access point, with default settings, connected to the corporate LAN!


Things that Pop your Bubble

“Government agency with a custom application with unsecured NT User IDs and Passwords”

AD is well secured

Users self-register with AD usernames and passwords

Custom DB is NOT secured


Things that Pop your Bubble

“Managing Director with default wireless AP at home”

The Issue

MD connects to ADSL

Purchases a common ADSL/Wireless router

Plug-and-play settings with NO security

The Threat

The MD’s laptop is now vulnerable to a hack from their home


Things that Pop your Bubble

Previous headline example: “Sony Rootkit”

The Issue

New Sony CDs install a copy protection utility that sits beneath Windows XP, and stops multiple copies of a CD, or unprotected ripping of the CD.

The Threat

The “copy protection utility” is based on a RootKit, which sits beneath the operating system. RootKits are a hacker’s dream: they give escalated permissions to processes and can create files and processes that are invisible to the OS. Usually the hard part for a hacker is “how do I get a RootKit onto a remote machine?” – thanks Sony!


Things that Pop your Bubble

Latest headline example: “Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution” (WMF)

Dec 27 2005:

Article on www.SecurityFocus.com

milw0rm exploit 1391

URLs published with damaging WMF

Dec 28 2005:

Microsoft Security Advisory 912840

CVE-2005-4560 (Common Vulnerabilities and Exposures registry)

Work-arounds published

Available as MSF update

Jan 5 2006 :

Microsoft Security Bulletin MS06-001

Jan 15 2006:

milw0rm exploit 1420

Part 3: Design to be Hacked

  • Build Security into every phase of your IT projects
    • Requirements
    • Design
    • Build
    • Deploy
    • Maintain
  • Don’t have a single bubble

Design to be hacked

Requirements Phase

Understand your data assets

Understand the “secure” functions

Think up-front the impact of:

Unauthorised access

Data Tampering

Denial of Service

Threat Modelling


Design to be hacked

Design Phase

Follow “best practices”

Build security into every layer

Infrastructure

Client

Server

Database

Users, Administrators and physical access


Design to be hacked

Build Phase

Three Levels of Security

BLOCK an attack

TRACE the attack

Take SMART ACTION

Secure Coding Practices

Staff Training

Guidelines

Secure Code Frameworks, e.g. the Aura Secure Web Framework (MS .NET)
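An added example (not from the presentation) of the three levels above applied to the password-guessing tools listed under web-interfaces (Hydra, Brutus): a small guard around a login endpoint that BLOCKs a source after repeated failures in a short window, TRACEs an alert record for the responders, and takes the SMART ACTION of locking the accounts that source was guessing. The log format, the addresses, the user names and the thresholds are all constructed assumptions for this example, not any product's format or the Aura framework's behaviour.

```python
# Added example: BLOCK / TRACE / SMART ACTION around a login endpoint.
# Log format, hosts, users and thresholds are constructed for this example.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log line shape:
#   "<date> <time> LOGIN <OK|FAIL> user=<name> src=<address>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log: one source hammering several accounts in a short window.
SAMPLE_LOG = """\
2006-02-16 09:00:01 LOGIN FAIL user=mkeegan src=10.0.0.5
2006-02-16 09:00:02 LOGIN FAIL user=mkeegan src=10.0.0.5
2006-02-16 09:00:02 LOGIN OK user=alice src=10.0.0.9
2006-02-16 09:00:03 LOGIN FAIL user=admin src=10.0.0.5
2006-02-16 09:00:04 LOGIN FAIL user=admin src=10.0.0.5
2006-02-16 09:00:05 LOGIN FAIL user=admin src=10.0.0.5
2006-02-16 09:00:09 LOGIN FAIL user=bob src=10.0.0.7
2006-02-16 09:05:00 LOGIN FAIL user=admin src=10.0.0.5
"""


class LoginGuard:
    """Applies the three levels to a stream of login events (thresholds are assumptions)."""

    def __init__(self, threshold=5, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)  # src -> (timestamp, user) of failures in the window
        self.blocked = set()              # BLOCK: sources whose further attempts are refused
        self.trace = []                   # TRACE: alert records kept for the responders
        self.locked_users = set()         # SMART ACTION: accounts the source was guessing

    def observe(self, line):
        """Process one log line and return the decision taken for it."""
        m = LOG_RE.match(line)
        if not m:
            return "ignored"              # unparseable input is never treated as a success
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        src, user = m["src"], m["user"]
        if src in self.blocked:
            return "blocked"              # BLOCK: already refused, no further counting
        if m["result"] == "OK":
            return "ok"
        q = self.recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > self.window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(src)                             # BLOCK
            targets = sorted({u for _, u in q})
            self.locked_users.update(targets)                 # SMART ACTION
            self.trace.append(                                # TRACE
                f"{ts} suspected brute force from {src}: {len(q)} failures within "
                f"{self.window.total_seconds():.0f}s against {targets}")
            return "alert"
        return "fail"


def run(log_text, **kwargs):
    """Replay a log through a fresh guard; returns (guard, per-line decisions)."""
    guard = LoginGuard(**kwargs)
    decisions = [guard.observe(line) for line in log_text.splitlines() if line.strip()]
    return guard, decisions


if __name__ == "__main__":
    guard, decisions = run(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG.splitlines(), decisions):
        print(f"{decision:8} {line}")
    for alert in guard.trace:
        print("ALERT:", alert)
```

The "smart" part is a design choice rather than a fixed rule: locking every account a source touched stops the guessing but lets an attacker lock out legitimate users, so a deployment that cares about availability may prefer rate limiting or a source-only block and keep the account lockout for the trace record and a human decision.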


Design to be hacked

Deployment Phase

Baseline

Servers patched

Firewall rules in place

Users locked down

“Dev access” removed

Actually TEST your security!

Initial deployment is the most likely time for mistakes

Perform your first penetration test and security audit NOW.


Design to be hacked

Ongoing Maintenance

STAY PATCHED!

Regular penetration tests

Regular security audits

Understand the current threat to YOUR systems

Standard Procedures

Creating new users

Removing old users

Hardware destruction

Part 4: Secure your Organisation

Make security part of your day-to-day business

Think security in every IT project

Think security in every IT system

Make information security a CEO and senior management team priority

Do all IT projects have “security tasks”?

Are you developing and deploying “secure systems”?

Raise employee awareness of security issues within the whole organisation.

Data classification

Danger of USB devices, iPods, Sony CDs, Home wireless…

Ongoing training in systems and controls


Additional Steps

In-House-Hacker

Performs pro-active security checks. E.g.

Server vulnerability checks

Wireless AP checking

Armed with the latest hacker tools

MUST be well trained

MUST be well trusted

Trusted Security Advisors (Aura)

Constantly monitoring threats, exploits, patches and tools

Trusted entity, who knows your internal IT infrastructure and configuration.

Proactively participates in the hacker / security community e.g.

OWASP – www.OWASP.org - Open Web Application Security Project


The Message

“Think about security in EVERY IT project within your organisation”

“Make NO assumptions about which aspects of your IT are SAFE”

“PLAN for a security breach”

“Make information security a CEO and senior management team priority”

“Raise employee awareness of security issues within the whole organisation”

“Quality Software: Designed to be HACKED!”

SQNZ Presentation

Thursday 16th February 2006

Andy Prow,

Managing Director of Aura Software Security Ltd and Aura Software Architects Ltd

Andy@AuraSoftwareSecurity.co.nz

Andy@AuraSoftwareArchitects.com

More info is available from

www.AuraSoftwareSecurity.co.nz