web application security and why you should review yours

1 . Web Application Security Why you need to review yours. David Busby Information Security Architect 2017-04-15 

2 . Who am I? 2 • David Busby – Contracting for Percona since January 2013 – Director of UK company Oneiroi LTD – 17 some years as a sysadmin / devops – Ju-Jitsu instructor for family run not for profit club – Volunteer teacher of computing at a UK Secondary school to children. (RasPi, Scratch, Python, Minecraft API, NodeJS car project, currently looking for ideas) – Security paranoia, and lifetime member of the tinfoil hat “club” – C.I.S.S.P - 581907 

3 . Agenda 3 • What is an “attack surface” ? • Acronym hell • Vulnerability naming, stupidity or driving the message home ? • Detection vs Prevention • Emerging technologies • 2014 → 2017 what’s been going on?! (highlights only) • Live compromise demo … (or video if the demo gods are not kind today) 

4 . What is an “attack surface” ? 4 • Points at which your system could be attacked. – Application – Database – Physical systems – Network – Your employees – Hosting provider 

5 . Reducing your “attack surface” 5 • Application – Sanitize ALL user inputs – CSRF / XSRF tokens – Web Application Firewall (W.A.F) e.g. mod_security – I.P.S (do not leave in I.D.S. mode!) – Recurring audit procedures (Chatops works well here) – Mandatory Access Controls (e.g. SELinux) – Ingress and Egress controls (Firewall rules) 

6 . Reducing your “attack surface” 6 • Database – Network segregation from application where possible – Selective GRANT – Complex passwords – Avoid “... IDENTIFIED BY 'plaintext_password'” SQL – Mandatory Access Controls (e.g. SELinux) – Ingress and Egress controls 

7 . Reducing your “attack surface” 7 • Physical systems – Limit physical access to hardware – Barclays £1.3M “haul” could have been avoided (2014 Image credit BBC UK) – “Social engineering” just a new term for con artistry. – Challenge “implied trust” a Badge / Uniform != identification – Don't rely only on biometrics ● just ask the Mythbusters about “unbeatable fingerprint readers” – Remove unneeded service and devices from your hardware – Your rack-mount system probably doesn't need bluetoothd... 

8 . Reducing your “attack surface” 8 • Network – Selective ACL (even if it's only iptables) iptables -N MySQL iptables -I INPUT -j MySQL iptables -A MySQL -s aaa.bbb.ccc.ddd/CIDR -p tcp –dport 3306 -m comment –comment “application range access to MySQL” -j ACCEPT – MySQL doesn't need to be accessible from everywhere on the internet ● Lest we forget CVE-2012-2122 (for I in {1..1000}; do mysql -u root -pbadpass; done) – Segregation – Intrusion Prevention System – Intrusion Detection System 

9 . Reducing your “attack surface” 9 • Employees (Layer 8 / Meat ware) – Awareness training – Social media betrays a wealth of information – B.Y.O.D your “smart” phone is perhaps the single largest repository of personal information you own. – Physical attacks: Theft “Wanna see a magic trick with your phone?”, lock screen bypasses, debug abuse (p2p-adb, vendor “hidden” USB host debug, Rubber ducky brute force), NFC – Remote attacks: Karma / Jassegar, App (e.g. crafted apk) malware, Bluetooth ( android remote bluetooth (bluedroid) crash) 

10 . Reducing your “attack surface” 10 • Employees (Layer 8 / Meat ware) cont. – Malicious H.I.D devices – Teensy Duino HID , DLP Bypass , Rubber Ducky, Bash bunny etc ... – Malicious Thunderbolt chain devices (Thunderstrike2). – Challenge identity and “implied trust” It's OK to ask for ID! – “Hello I'm calling from the computer security center we're receiving alerts about the virus on your windows machine ...” 

11 . Reducing your “attack surface” - “high tech gadgets” 11 • Teensy Duino H.I.D 

12 .Reducing your “attack surface” - “high tech gadgets” Pic of usbarmory here 

13 . Reducing your “attack surface” - “high tech gadgets” 13 • Certain allowances must be made. – Trust in Service / Hosting provide (ensuring you're done your own due diligence). – You want to know about their uptime S.L.A. – Why not ask about any regulatory compliance they have been subject to as well? PCI, SOX, HIPAA ... etc. – Trust in mobile networks .. however GSM is broken and there's lots of “fun” to be had with femtocells. ● (Which is why we have signal & wikr ;-) ) 

14 . Acronym hell 14 • I.D.S / I.P.S – HIDS, HIPS, NIDS, NIPS • W.A.F • S.C.A.D.A (Hydroelectric Dams, Metal foundries, all on the Internet …) • IoT (Internet of things WiFi enabled lightbulb … /me facepalm) • A.C.L && P.O.L.P • M.A.C && D.A.C 

15 . Vulnerability naming stupidity or driving the message home ? 15 • P.O.O.D.L E - CVE-2014-3566 • C.R.I.M.E - CVE-2012-4929 • B.E.A.S.T - CVE-2011-3389 • Heartbleed - CVE-2014-0160 • DirtyCow - CVE-2016-5195 

16 .Vulnerability naming stupidity or driving the message home ? 16 

17 . 2014 → 2017 What has been going on?! 17 • iCloud breach • Hospira drug pump vulnerability • Ransomware hitting Elasticsearch, MongoDB, MySQL • Data breaches (Ashley Madison, Wonga.com, Geekedin, Adobe, the list goes on...) • Windows DoubleAgent un-patchable vulnerability (Feature!) • Vault 7 documents “dropped” (NSA ANT Catalog) • IoT vulnerabilities (too many to list … a webserver on a dishwasher … WHY?!) 

18 . 2014 → 2017 What has been going on?! 18 • Broadcom WiFi vulnerability (Affects most popular phones, iPhone, Nexus etc) • Target breach (via the H.V.A.C system) • Internet of Things Where minimum viable product is the main driving force … (until we have to recall the product...) • S.C.A.D.A online for anyone to play with (Hydro electric dams, Foundries no I’m not making this up ...) • “STOP PUTTING SH*T ON THE INTERNET!” - Viss 

19 . Detection vs Prevention 19 • We are seeing a _slow_ shift toward better security • But still we have some “hold outs” whom are fearful measures preventing a sale / submission / other functionality e.g. IPS • Or an IDS which overwhelms their team with useless information • Let’s go over that a little... 

20 .Detection! 20 • I.D.S 

21 . Detection vs Prevention 21 • And IDS only logs an attack it does not prevent it taking place • You need to – Regularly review the logs (time consuming) – Alert based on certain events (information overload?) • Avoid “boy who called wolf” – Reduce the “noise” – Provide only known important events to your team • Ensure you’re getting regular signature updates 

22 .Prevention?! 22 • I.P.S 

23 . Detection vs Prevention 23 • An IPS takes preventative action against a suspected attack • IF it does prevent known good traffic add an exception (aka False positive) • DO NOT JUST DISABLE IT • Review the logs! • Reduce the “noise” and provide only known bad contextual alerts to you team! • Ensure you’re getting regular signature updates 

24 . Emerging technologies 24 • Vaultproject.io – AES GCM 256bit, API Driven access, Dynamic secrets, Highly available, Audit logging backend, Encrypt/Decrypt service, Leasing & Renewal, Many integrations AWS MySQL PostgreSQL SSH etc. • Haka-security.org – “Software defined security” - LUA DSL Object Orientated, can run against offline pcap files allowing Q&A before deployment or integration into CI chain • Fidoalliance.org – Universal second factor, Universal authentication framework, extensive membership list, 

25 . Emerging technologies 25 • Keybase.io – Socializing encryption, eases PGP adoption, support OTR chats using “paper key” and secured file sharing (https://keybase.io/oneiroi/) • Suricata – Opensource NIDS/NIPS, JSON output support (useful for ELK), Claims 10Gbe support with no ruleset sacrifice, File extraction from network stream, Open Information Security Foundation, works with SNORT rulese 

26 . Emerging technologies 26 • OSQuery – Facebook opensource project, extensible, can be used to check for compliance with policies (among other data) e.g. ● Is AV running ? ● Is Encryption enabled ? ● What browser version is installed ? ● What browser plug-ins are installed ? ● What OS version & patch level is running ? 

27 . The live demo … or video if the demo gods are not kind today. 27 • “Perfect storm” example – Command line injection present in web app (RCE) or CVE-2012-1823 PHP CGI cli injection. – `setenforce 0` (SELinux set to permissive) – “BAD” MySQL Grants: ALL PRIVILEGES ON *.* – “BAD” File (D.A.C) Permissions (plugin dir is set to 0777) – Attack flow: 1. Deploy PHP payload to webserver, establish a reverse_tcp meterpreter shell 2. Deploy UDF “tool” to the MySQL server and use that to “pop” a reverse shell 

28 . The live demo … or video if the demo gods are not kind today. 28 • DISCLAIMER! – We're showing abuse of everything we have already noted as being “bad” – This isn't a “how to hack” legal wouldn't let me do that :-( – You can repeat everything here yourself! (GPL code + resources @ Github (current code will be committed after the conference)) – This demo is on a local VM environment purposely made vulnerable only. – For informational purposes only. – Use at your own risk. – If all else fails I have a backup video … /me crosses fingers 

29 .If $success then ... 29