Why hackers don’t care about your firewall - PowerPoint PPT Presentation

Presentation Transcript
Why hackers don’t care about your firewall
  • Seba Deleersnyder
  • seba@owasp.org
Sebastien Deleersnyder?
  • 5 years developer experience
  • 11 years information security experience
  • Managing Technical Consultant, SAIT Zenitel
  • Belgian OWASP chapter founder
  • OWASP board member
  • www.owasp.org
  • Co-organizer www.BruCON.org
OWASP World

OWASP is a worldwide free and open community focused on improving the security of application software.

Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks.

Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.

Myth
  • We are secure because we have a firewall
    • 75% of Internet Vulnerabilities are at Web Application Layer *
  • *Gartner Group (2002 report)
Security evolution?

Source: Gunnar Peterson (Arctec Group)

A firewall friendly protocol = “a skull friendly bullet” (Bruce Schneier)
Your security “perimeter” has huge holes at the application layer

[Diagram: an application attack passes straight through both firewalls and the network layer (hardened OS, web server, app server) and reaches the application layer: custom developed application code, databases, legacy systems, web services, directories, human resources, billing.]

You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks

Example: SQL injection attack
  • Select user_information from user_table where username='input username' and password='input password'

Select user_information from user_table where username='' or 1=1-- ' and password='abc'
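The bypass on the slide, worked through end to end as an added example (not code from the presentation): the same query is built once by string concatenation, as the slide shows it, and once with bound parameters. The user table, its rows and the Python function names are constructed for the demonstration; the query text and the `' or 1=1--` input are the slide's own.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the slides).
SAMPLE_USERS = [
    ("alice", "s3cret", "alice: account 6065"),
    ("bob", "hunter2", "bob: account 6066"),
]

# The slide's bypass input: closes the quoted username, ORs in a condition
# that is always true and comments out the rest of the WHERE clause.
BYPASS_USERNAME = "' or 1=1--"


def make_db():
    """In-memory SQLite database shaped like the slide's user_table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_table (username TEXT, password TEXT, user_information TEXT)"
    )
    conn.executemany("INSERT INTO user_table VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The slide's query built by string concatenation: user input becomes SQL."""
    sql = (
        "SELECT user_information FROM user_table WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Same query with bound parameters: user input stays data, never SQL."""
    sql = "SELECT user_information FROM user_table WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Returns (concatenated-query result, parameterized result) for the bypass input."""
    conn = make_db()
    return (
        login_vulnerable(conn, BYPASS_USERNAME, "abc"),
        login_parameterized(conn, BYPASS_USERNAME, "abc"),
    )


if __name__ == "__main__":
    leaked, safe = demo()
    print("concatenated query returned:", leaked)
    print("parameterized query returned:", safe)
```

With the concatenated query the WHERE clause collapses to `username='' or 1=1` and every row comes back; with parameters the driver sends the whole input as the username value, which matches nobody. The fix is in the application code, which is the point of the slide: no firewall sees any difference between the two requests.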

RockYou?
  • December 2009
    • a hacker used SQL Injection techniques to hack the database of RockYou
    • RockYou creates applications for MySpace, Facebook, ...
  • Result
    • data of 32.603.388 users and administrative accounts was compromised (credentials + clear text passwords)
    • the data also contained email-addresses and passwords for 3rd party sites
  • Question: how many of those users use the same password for other sites too?
XSS = Cross-site Scripting
  • Web application vulnerability
  • Injection of code into web pages viewed by others

XSS = new buffer overflow

Javascript = new Shell Code
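The defence the slide implies, shown as an added example that is not part of the presentation: the same user-supplied comment rendered once by raw concatenation and once with output encoding chosen per context (HTML attribute, element body, JavaScript string). The rendering functions and the sample comment are constructed for the demonstration; `html.escape` and `json.dumps` are Python standard library calls.

```python
from html import escape
import json


def render_comment_vulnerable(author, comment):
    """Inserts user input straight into HTML: the input becomes markup, so a
    stored comment can carry script that runs in every other viewer's browser."""
    return '<div class="comment" data-author="' + author + '"><p>' + comment + "</p></div>"


def render_comment_safe(author, comment):
    """Encodes each value for the context it lands in: quote=True also encodes
    the quote characters, which matters for the attribute value."""
    return (
        '<div class="comment" data-author="' + escape(author, quote=True) + '"><p>'
        + escape(comment, quote=True) + "</p></div>"
    )


def embed_in_script(value):
    """For a value that must reach inline JavaScript: serialise it as a JSON
    string literal and encode '<' so a '</script>' inside the data cannot
    terminate the script block early."""
    return json.dumps(value).replace("<", "\\u003c")


# Constructed sample input: a comment carrying a script tag.
SAMPLE_COMMENT = "<script>alert(1)</script>"

if __name__ == "__main__":
    print(render_comment_vulnerable("guest", SAMPLE_COMMENT))
    print(render_comment_safe("guest", SAMPLE_COMMENT))
    print("<script>var c = " + embed_in_script(SAMPLE_COMMENT) + ";</script>")
```

The encoded form displays the comment text literally instead of executing it; the browser never sees a `<script>` element, which is what "JavaScript = new shellcode" is warning about.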

XSSED.ORG

Still not fixed (with redirection): http://www.google.com/search?btnI&q=allinurl:http://www.xssed.com/

Insecure Direct Object References Illustrated
  • Attacker notices his acct parameter is 6065

?acct=6065

  • He modifies it to a nearby number

?acct=6066

  • Attacker views the victim’s account information

https://www.onlinebank.com/user?acct=6065

Security Misconfiguration Illustrated

[Diagram: an insider reaches the custom code and the stack beneath it (app configuration, framework, app server, web server, hardened OS) via the development, QA and test servers and source control; the business functions above, on top of the database, are finance, transactions, accounts, administration, communication, knowledge management and e-commerce.]

Serving up malware

A quick Google Safe Browsing search of TechCrunch Europe's site shows suspicious activity twice over the last 90 days.

"Of the 128 pages we tested on the site over the past 90 days, 58 page(s) resulted in malicious software being downloaded and installed without user consent.” (Sep 2010)

Reason: unpatched WordPress

Failure to Restrict URL Access Illustrated
  • Attacker notices the URL indicates his role

/user/getAccounts

  • He modifies it to another directory (role)

/admin/getAccounts, or

/manager/getAccounts

  • Attacker views more accounts than just their own
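Both the insecure direct object reference slide (`?acct=6065` changed to `?acct=6066`) and this one (`/user/getAccounts` changed to `/admin/getAccounts`) have the same root cause: the server trusts an identifier or role the client typed into the URL. The added example below (not code from the presentation) shows the server-side checks that close both: an ownership check on the account id, and a role check that reads the role from the session rather than from the path. The account and user tables, the route table and the function names are constructed for the demonstration.

```python
# Constructed sample data (not from the slides): accounts keyed by the acct
# parameter the slide shows, and users whose role is stored server-side.
ACCOUNTS = {
    6065: {"owner": "alice", "balance": 120},
    6066: {"owner": "bob", "balance": 4800},
    6067: {"owner": "bob", "balance": 15},
}
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "manager"},
    "dave": {"role": "admin"},
}

# Which session roles may call which URL. The role comes from the session,
# never from the directory name the client put in the path.
ROUTE_ROLES = {
    "/user/getAccounts": {"user", "manager", "admin"},
    "/manager/getAccounts": {"manager", "admin"},
    "/admin/getAccounts": {"admin"},
}


def view_account(session_user, acct):
    """/user?acct=N: the direct object reference is honoured only for its owner.
    Missing and foreign accounts get the same answer, so ids cannot be enumerated
    by watching which ones exist."""
    row = ACCOUNTS.get(acct)
    if row is None or row["owner"] != session_user:
        return (404, None)
    return (200, row)


def get_accounts(session_user, path):
    """Role check for the /user, /manager and /admin variants of getAccounts."""
    allowed = ROUTE_ROLES.get(path)
    if allowed is None:
        return (404, None)
    role = USERS.get(session_user, {}).get("role")
    if role not in allowed:
        return (403, None)
    if path == "/user/getAccounts":
        rows = {k: v for k, v in ACCOUNTS.items() if v["owner"] == session_user}
    else:
        rows = dict(ACCOUNTS)  # manager and admin views are authorised to see all
    return (200, rows)


if __name__ == "__main__":
    print(view_account("alice", 6065))            # own account: served
    print(view_account("alice", 6066))            # neighbour's account: 404
    print(get_accounts("alice", "/admin/getAccounts"))  # role from session: 403
```

The 403 and 404 responses are also the events worth logging: a user session repeatedly requesting neighbouring account ids, or `/admin/` paths, is the probing the slides describe, and it is visible only in the application's own authorization decisions, not at the firewall.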
Encrypt customer data?
  • customer data of 77 million users compromised (potentially credit cards as well)
Jobs by CNN?
  • http://ads.cnn.com/event.ng/Type=click&Redirect=http:/bit.ly/cP–XW
Download

http://www.owasp.org/index.php/Top_10

SAMM Security Practices
  • The Security Practices cover all areas relevant to software security assurance
  • Each one is a ‘silo’ for improvement
Build “Your” Roadmap
  • Gap analysis:
    • Capturing scores from detailed assessments versus expected performance levels
    • Demonstrating improvement
    • Capturing scores from before and after an iteration of assurance program build-out
    • Ongoing measurement
  • To make the “building blocks” usable, SAMM defines roadmap templates for typical kinds of organizations
OWASP Projects Are Alive!

[Timeline slide: growth of OWASP projects from 2001 through 2003, 2005, 2007 and 2010]

Upcoming local events
  • OWASP Chapter meetings:
    • 23-May - Brussels:
      • The Ghost of XSS Past, Present and Future – A Defensive Tale (by Jim Manico, Infrared Security)
    • 16-Jun - Brussels:
      • The OWASP AppSensor Project (by Colin Watson, Watson Hall Ltd)
      • How to become Twitter's admin: An introduction to Modern Web Service Attacks (by Andreas Falkenberg, RUB)
  • OWASP AppSec Europe – Dublin – Jun 7-9
  • BruCON – Brussels – Sep 19-22
  • OWASP BeNeLux – Luxembourg Nov-30/Dec-1
Subscribe mailing list

www.owasp.be

Keep up to date!


Want to support OWASP?

Become member, annual donation of:

$50 Individual

$5000 Corporate

enables the support of OWASP projects, mailing lists, conferences, podcasts, grants and global steering activities…