
“Quality Software: Designed to be HACKED!” SQNZ Presentation Thursday 16 th February 2006 Andy Prow, Managing Director of Aura Software Security Ltd and.




1 “Quality Software: Designed to be HACKED!”
SQNZ Presentation, Thursday 16th February 2006
Andy Prow, Managing Director of Aura Software Security Ltd and Aura Software Architects Ltd

2 The Message
– “Think about security in EVERY IT project within your organisation”
– “Make NO assumptions about which aspects of your IT are SAFE”
– “PLAN for a security breach”
– “Make information security a CEO and senior management team priority”
– “Raise employee awareness of security issues within the whole organisation”

3 Who are we?
Andy Prow
– Software development industry for 11 years
– Lead development and development manager roles
– Technical Architect and Solutions Architect
Aura Software Architects (2001)
– Software Architecture and Design
– Specialist Development (Microsoft Technologies)
Aura Software Security (2005)
– Security Analysts and Consultants
– Secure Software Development Experts

4 Today’s Talk
Common Vulnerabilities and Exploits
– Things you will be facing and SHOULD know about
– 2 Demonstrations
Unusual Vulnerabilities
– Issues you can’t plan for (real-world examples)
What to do
– How do you design and develop secure systems?
– How do you keep systems secure over time?

5 Part 1: Common Vulnerabilities
“Things to be concerned about”
– Web Interfaces
– Wireless
– Server Exploits

6 Common Vulnerabilities: Web-interfaces

7 Web
– Unpatched web-servers and database servers
  Automated web-vulnerability scanners: Acunetix, WebInspect
– Invalid file permissions
  Google searches, e.g. “filetype:mdb users.mdb”, “intitle:index.of.etc passwd”
– Custom Scripting / SQL Code Injection
  Cookie tampering – Achilles (web-proxy)
  Brute force attacks – Hydra, Brutus
– Man in the middle
  Sniffing web-traffic
  Pharming (DNS cache poisoning)
  Proxies that spoof SSL: Odysseus, Achilles

8 Common Vulnerabilities: Web-interfaces
Acunetix – Automated web-vulnerability scanner

9 Demo 1: SQL Injection
Mark Keegan, Security Consultant

10 Attack Configuration

11 Server Configuration
– Windows 2000 Server (unpatched)
– .NET Framework 1.1
– SQL Server 2000
– Hackme Bank (Foundstone.com)

12 Bypassing Login
Building up an inline SQL statement:
sql = "SELECT * FROM fsb_users WHERE Login_Id = '" & request("txtUserName") & "' AND Password = '" & request("txtPassword") & "'"

13 Bypassing Login
SELECT * FROM fsb_users WHERE Login_Id = 'mkeegan' And password = 'Test123'
Injected input: ' or 1=1 --
So how does it work?
SELECT * FROM fsb_users WHERE Login_Id = '' or 1=1
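The login bypass on the two slides above, carried through as an added example that is not part of the original presentation or of the Hackme Bank application. It rebuilds the inline string concatenation from the slide in Python and places the parameterised form next to it, so the same injected user name can be run against both. The column names come from the slides; the rows, the use of Python's sqlite3 in place of SQL Server 2000, and the clear-text passwords are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample table modelled on fsb_users from the demo.

    Column names follow the slide; the two rows and the clear-text passwords are
    constructed for illustration only (a real login table holds password hashes).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fsb_users (User_id INTEGER, User_name TEXT, "
        "Login_Id TEXT, Password TEXT)"
    )
    conn.executemany(
        "INSERT INTO fsb_users VALUES (?, ?, ?, ?)",
        [(1, "Mark Keegan", "mkeegan", "Test123"), (2, "Andy Prow", "aprow", "S3cret!")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Inline string building, as on the slide: user input becomes part of the SQL text.

    With username = "' or 1=1 --" the statement collapses to
    SELECT * FROM fsb_users WHERE Login_Id = '' or 1=1 -- ...
    and the rest of the WHERE clause is commented out, so every row matches.
    """
    sql = (
        "SELECT * FROM fsb_users WHERE Login_Id = '" + username
        + "' AND Password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterised(conn, username, password):
    """Parameterised query: the SQL text is fixed and the input is bound as data.

    The injected string is compared literally against Login_Id, matches nothing,
    and the 1=1 never becomes part of the statement.
    """
    sql = "SELECT * FROM fsb_users WHERE Login_Id = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    payload = "' or 1=1 --"
    print("vulnerable   :", len(login_vulnerable(make_db(), payload, "anything")), "rows")
    print("parameterised:", len(login_parameterised(make_db(), payload, "anything")), "rows")
```

Running the block shows two rows returned by the concatenated query and none by the parameterised one. The fix is the bound parameter, not escaping of quotes: the ADO.NET equivalent for the .NET 1.1 stack in the demo is a SqlCommand with SqlParameter objects rather than a string built with `&`.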

14 Enumerating the database columns
User_id        Numeric
User_name      Varchar
Login_id       Varchar
Password       Varchar
Creation_date  datetime

15 CmdShell
'; EXEC Master..XP_CMDSHELL DIR--

16 Other Attack Options
– Insert a new user
– Delete users
– Extract system passwords
– Enumerate the whole database to determine other tables
– Delete the Database !!
– Shutdown the server !!
– Attack other systems !!

17 Common Vulnerabilities: Wireless
– Wireless detection tools: Network Stumbler, Kismet (KisMAC)
  Hidden SSID identification, AP model & type, WEP/WPA, MAC address filtering…
– “Wellington WarDrive” in June 2005 – 300+ scanned, 100+ OPEN (50 corporate), and 100+ poorly secured (WEP and/or MAC address filtering only)
– MAC address sniffing
– MAC address spoofing
– WEP cracking
– WPA cracking

18 Common Vulnerabilities: Wireless
Network Stumbler – Wireless Detection Tool

19 Common Vulnerabilities: Servers
Known vulnerabilities and exploits
– Specialist tools and websites to:
  identify the version of the server and its services (such as telnet, web-server, FTP)
  map versions against known and new exploits
  provide exploitation tools, packets and payloads
– Unpatched / slow to patch
  “80% of exploits are available within the first 19 days of a critical vulnerability”
Poorly administered
– “When the DoD did studies on the matter, they found these actual attacks accounted for only 30% of hacking. Attacks against configuration and essentially poor system hardening account for 70% of successful attacks.”
Unauthorised administrator or physical access
– Who are your administrators? Are they skilled?
– Secure location
– Hardware re-use

20 Common Vulnerabilities: Servers
ElseNot Project – ElseNot.com
– “Goal: Exploit for Every Microsoft Security Bulletin”

21 Common Vulnerabilities: Servers
MilW0rm – www.milw0rm.com
– Up to date source of exploits for all platforms and applications

22 Common Vulnerabilities: Servers
Nessus – Server Vulnerability Scanner

23 Demo 2: Creating a remote connection to a vulnerable server

24 Demo 3

25 Common Protection
Normal steps taken
– Patching servers
– Firewalls, DMZ, VPNs
– Website security, SSL
– Antivirus and Anti-Spyware products
– Mail filters
Additional steps
– Dedicated IT Security Team
– Network Monitoring Systems
– Intrusion Detection Systems

26 Part 2: Unusual Vulnerabilities “Things that pop your bubble”

27 Things that Pop your Bubble
Wellington bank with 14 locked-down wireless APs, but 1 wide-open AP
– The issue: a pro-active, “can-do” manager buys a standard DSE wireless AP to cater for new temporary staff. Simply installs it and it works.
– The impact: a TOTALLY unsecured wireless access point, with default settings, connected to the corporate LAN!

28 Things that Pop your Bubble
“Government agency with a custom application with unsecured NT User IDs and Passwords”
– AD is well secured
– Users self-register with AD usernames and passwords
– Custom DB is NOT secured

29 Things that Pop your Bubble
“Managing Director with default wireless AP at home”
– The Issue
  MD connects to ADSL
  Purchases a common ADSL/wireless router
  Plug-and-play settings with NO security
– The Threat
  The MD’s laptop is now vulnerable to a hack from their home

30 Things that Pop your Bubble
Previous Latest Example: “Sony Rootkit”
– The Issue
  New Sony CDs install a copy protection utility that sits beneath Windows XP, and stops multiple copies of a CD, or unprotected ripping of the CD.
– The Threat
  The “copy protection utility” is based on a RootKit, which sits beneath the operating system. RootKits are a hacker’s dream as they give escalated permissions to processes, and can create files and processes invisible to the OS. Usually the hard part for a hacker is “how to get a RootKit onto a remote machine?” – thanks Sony!

31 Things that Pop your Bubble
New Latest Example: “Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution” (WMF)
– Dec 27 2005:
  Article on www.SecurityFocus.com
  milw0rm exploit 1391
  URLs published with damaging WMF
– Dec 28 2005:
  Microsoft Security Advisory 912840
  CVE-2005-4560 (Common Vulnerabilities and Exposures registry)
  Work-arounds published
  Available as MSF update
– Jan 5 2006:
  Microsoft Security Bulletin MS06-001
– Jan 15 2006:
  milw0rm exploit 1420

32 Part 3: Design to be Hacked
Build security into every phase of your IT projects
– Requirements
– Design
– Build
– Deploy
– Maintain
Don’t have a single bubble

33 Design to be hacked: Requirements Phase
– Understand your data assets
– Understand the “secure” functions
– Think up-front about the impact of:
  Unauthorised access
  Data tampering
  Denial of service
– Threat Modelling

34 Design to be hacked: Design Phase
– Follow “best practices”
– Build security into every layer
  Infrastructure
  Client
  Server
  Database
  Users, administrators and physical access

35 Design to be hacked: Build Phase
– Three Levels of Security
  1. BLOCK an attack
  2. TRACE the attack
  3. Take SMART ACTION
– Secure Coding Practices
– Staff Training
– Guidelines
– Secure Code Frameworks, e.g. the Aura Secure Web Framework (MS .NET)

36 Design to be hacked: Deployment Phase
– Baseline
  Servers patched
  Firewall rules in place
  Users locked down
  “Dev access” removed
– Actually TEST your security!
  Initial deployment is the most likely time for mistakes
  Perform your first penetration test and security audit NOW.

37 Design to be hacked: Ongoing Maintenance
– STAY PATCHED!
– Regular penetration tests
– Regular security audits
– Understand the current threat to YOUR systems
– Standard procedures
  Creating new users
  Removing old users
  Hardware destruction

38 Part 4: Secure your Organisation
Make security part of your day-to-day business
– Think security in every IT project
– Think security in every IT system
Make information security a CEO and senior management team priority
– Do all IT projects have “security tasks”?
– Are you developing and deploying “secure systems”?
Raise employee awareness of security issues within the whole organisation
– Data classification
– Danger of USB devices, iPods, Sony CDs, home wireless…
– Ongoing training in systems and controls

39 Additional Steps
In-House Hacker
– Performs pro-active security checks, e.g. server vulnerability checks, wireless AP checking
– Armed with the latest hacker tools
– MUST be well trained
– MUST be well trusted
Trusted Security Advisors (Aura)
– Constantly monitoring threats, exploits, patches and tools
– Trusted entity, who knows your internal IT infrastructure and configuration
– Proactively participates in the hacker / security community, e.g. OWASP – www.OWASP.org – Open Web Application Security Project

40 The Message
– “Think about security in EVERY IT project within your organisation”
– “Make NO assumptions about which aspects of your IT are SAFE”
– “PLAN for a security breach”
– “Make information security a CEO and senior management team priority”
– “Raise employee awareness of security issues within the whole organisation”

41 “Quality Software: Designed to be HACKED!”
SQNZ Presentation, Thursday 16th February 2006
Andy Prow, Managing Director of Aura Software Security Ltd and Aura Software Architects Ltd
Andy@AuraSoftwareSecurity.co.nz
Andy@AuraSoftwareArchitects.com
More info is available from www.AuraSoftwareSecurity.co.nz

