1.Web Application Security And Why You Need To Review Yours David Busby Percona
2.Who am I? ● David Busby ○ Contracting for Percona since January 2013 ○ 18+ years as sysadmin / devops / security ○ Volunteer work: ■ Assistant Scout Leader ■ Assistant Instructure (computing for children) ■ ex-Assistant coach Ju-Jitsu (Nidan) ○ Security “nut” ○ Lifetime member of the “tinfoil hat” club ○ C.I.S.S.P ■ 581907 2
3.Talk Agenda ● What we will cover ○ What is an “attack surface”? ○ Acronym hell, just what do those mean ? ○ Vulnerability naming, new trend or benefit ? ○ Detection, Prevention, or both ? ○ Emerging technologies / projects. ○ 2014 -> 2018 highlights ○ Live compromise demo covering everything we’ve discussed as ‘bad’ ■ Or most likely the backup video (if anything goes wrong or we’re out of time). 3
4.What is an attack surface ?
5.What is an attack surface ? Assessing your attack surface can feel like... 5
6.What is an attack surface ? What it really is ... I built an awesome Failed to Fined in EU court SaaS everyone will consider data for GDPR like! privacy violation Built an awesome unaware of the Web app now full web application for dangers of user- of ‘adult’ content. hosting cat pictures content Who cares about Breach / hack ? Just ship it now! security anyway We’ve got ? insurance! 6
7.What is an attack surface ? ● An attack surface is any point in which your org, person, application, provider may be attacked. ○ Your web application ○ Your database ○ Your physical systems ■ Yes we’re also including your laptops, cellular device and the all B.Y.O.D ○ Your network ○ Your staff! ○ Your hosting, processing, other providers. ■ You’re only insured if you can prove you have taken commercialy reasonable measures to protect your organisation. 7
8.What is an attack surface ? ● Application ○ Sanitize ALL user inputs. ○ Implement audit logs! ■ An audit log should contain enough detail to reverse the actions taken. ■ An audit log should contain accurate time keeping. ■ An audit log MUST be shipped OFF the device on which it is generated. ○ Recurring audit procedures. ■ Logs are GREAT! Unless no one is looking at them ... ○ Mandatory access controls ○ Ingress and Egress filtering ○ Web Application Firewalls ■ Layer 7 firewall ○ Intrusion Prevention Systems ○ Implement CSRF / XSRF protections ■ E.g. csrf_tokens in cookies. 8
9.What is an attack surface ? ● Database ○ Network Isolation! ■ Only allow access form known web app nodes! ■ Default (on most RDBMS) is to bind to 0.0.0.0:$DB_PORT (which is listen to all interfaces) ■ ~5M MySQL hosts noted on shodan.io ● 5.0, 5.1, both forks are EOL! ○ Selective permissions ■ STOP giving “ALL ON *.*” Please! ○ Password complexity ■ Still important today! ■ Unless you have a kick-a** PKI setup and are using client certs or vault with ephemeral credentials ○ Mandatory Access Control ■ SELinux in enforcing mode please! ■ GRSecurity, AppArmor etc. 9
10.What is an attack surface ? ● Physical Systems ○ LIMIT physical access to your systems ○ Barclays bank 2014 had £1.3m stolen ■ Adversaries used KVM over 2.4Ghz wifi after posing as a service company ■ No one checked, and they were allowed unchallenged access to workstations. ■ Social engineering ? This is nothing new this is con-artistry. ○ Deploy multiple layers of protection for physical assets. ■ 2FA - (yes even on laptops) ■ Encryption (LUKS,eCryptFS,Bitlocker,Filevault) - especially on laptops! ○ Disable unneeded services / functionality ■ Your 1u rackmount likely does not need bluetoothd! ○ Do not rely on a single measure for protection such as biometrics. ■ The mythbusters defeated a >$10k biometric lock with a photocopier ... ○ Challenge “implied trust” a badge or uniform != ID ■ It is OK to ask for ID and check for authorization, we do this with systems without thinking about it, we should apply this to people too! 10
11.What is an attack surface ? ● Network ○ Isolation! (A.C.L) ■ Your web app needs to talk to your database service. ■ It doesn’t need to talk to SSH on the server. ■ Iptables, if nothing else works! ○ Your chosen DBMS DOES NOT need to be accessible from everywhere! ■ MongoDB, Elasticsearch -> Ransomware ? ● No! Malicious users taking advantage of DBMS left open! ○ Network Intrusion Detection System - NIDS / Network Intrusion Prevention System (NIPS) ■ Suricata, Bro, Snort, are all great and OSS! ● (I use suricata) ○ Segregation ■ Implement vlans and ACLs that prevent cross-vlan traffic unless implicitly allowed! 11
12.What is an attack surface ? ● Your staff (layer 8, meatware, P.E.B.K.A.C ...) ○ Awareness training ○ Social media training and policy ■ It _used_ to be hard to find out about an organisation now it’s all open for all to see in most cases. ○ B.Y.O.D ■ Your “smart” phone is the single most valuable asset to an adversary as. ● It’s unlikely to have any hardening, D.L.P protection upon it ● It’s likely to have access to Mail, Cloud files, calendars, VPN, SSH, RDP, VNC, etc ... ● It’s likely to be running an out of date OS ○ Remote (wireless) attacks ■ WiFi: Karma (was Jasager), Rogue A.P. (hostapd), etc... ■ Bluetooth: bluesnark, snoopi, BtleJuice, etc ... 12
13.“High tech gadgets” ● The BBC Article on the Barclays £1.3m “haul” noted the use of “high tech” gadgets. ○ They are now commodity gadgets ■ RubberDucky $45 ■ bashBunny $100 ■ Maldunio £13.00 / £24.00 (Elite) ■ usbNinja $99 ■ WiFi pineapple ● Nano $100 ■ You also can use a PiZero and some soldering for all this. ○ Accessing the tools to demonstrate “Edge case black hat nonsense” has never been easier. ○ Use a wireless mouse / keyboard ? About that ... 14
14.“High tech gadgets” 15
15.“High tech gadgets” ● Let’s talk about malicious HID... ○ Because I didn’t want to fly my quad in here... ■ Or try to fly with it. ■ Live demo time! 16
16.Acronym Hell Just what do they mean?
17.Acronym hell? 18
18.Acronym hell? ● In Security we <3 acronyms as much (if not more) than DevOps, Sysadmins, DevSec ... ○ I.P.S ■ Intrusion Prevention System (Can be Host based, Network Based or both) ● H.I.P.S, N.I.P.S ■ Host Based: ● File Consistency Enforcement ○ I.D.S ■ Intrusion Detection system (Again can be host based, network based or both) ● H.I.D.S, N.I.D.S ■ File Consistency Monitoring ● Auditd can do this! ● Inotify events ○ W.A.F ■ Web Application firewall ● Layer 7 protection against SQLi, XSS, and other known attacks ● mod_security 19
19.Acronym hell? ● Continued ... ○ S.C.A.D.A ■ Supervisory Control And Data Acquisition ● Industrial foundries, nuclear power plants, hydroelectric dams, diesel engine testing facilities, point of sale, Hospital beds ... ■ I.o.T ● Internet of Things ● If there can be a thing, and you can put a webserver on the thing; should you put a webserver on the thing ? - Viss ■ A.C.L ● Access Control Lists ■ P.O.L.P ● Path of Least Privilege ■ M.A.C + D.A.C ● Mandatory Access Control ● Discretionary Access Control ○ There’s plenty more ... 20
20.Vulnerability naming Stupidity or ... ?
21.Vulnerability naming ● MeltDown ○ CVE-2017-5715,CVE-2017-5753 ● Spectre ○ CVE-2017-5754 ● P.O.O.D.L.E ○ CVE-2014-3556 ● C.R.I.M.E ○ CVE-2012-4929 ● B.E.A.S.T ○ CVE-2011-3389 ● HeartBleed ○ CVE-2014-0160 ● DirtyCow ○ CVE-2016-5195 22
22.Detection, Prevention, Both ?
23.Detection, Prevention, Both ? ● Detection ○ I.D.S ■ Can be on your hosts / servers ● Hostbased Intrusion Detection System ● Aka File consistency monitoring ■ Can be on your hosts / servers / firewalls network ● Monitors network for known intrusions ● Rule based. 25
24.Detection, Prevention, Both ? ● Detection ○ I.D.S 26
25.Detection, Prevention, Both ? ● Prevention ○ I.P.S ■ Can be on your hosts / servers ● Hostbased Intrusion Prevention System ● Aka File consistency enforcement ■ Can be on your hosts / servers / firewalls network ● Monitors and prevents network for known intrusions ● Rule based. 27
26.Detection, Prevention, Both ? 28
27.Detection, Prevention, Both ? ● On single solution is going to cover all your use cases. ● I.D.S is great ○ _IF_ someone/something is watching the logs 24x7 and responding to them ● I.P.S is great ○ _until_ it blocks your staff trying to do something and they use an insecure network to do it anyway. ● Choose what fits your use case ○ I.P.S on webapps makes sense if you don’t expect file edits. ■ They are really easy to write (I wrote one in python using gamin to hook inotify events, to work with SCM to produce diff and revert php files ON_WRITECLOSE) ○ I.P.S makes sense on the network edge ■ RUN RECURRING TESTS! ■ Aka. tabletop exercises, simulate an attacker and observe the effectiveness of the IPS & (blue)team. 29
29.Emerging Technologies ● Hashicorp - vault ○ AES256-GCM, API ○ Highly available secrets store, with third party testing now completed! ○ Key:value storage for secrets (now supports versioning!) ○ Full audit logs ○ LDAP, DUO, Okta, Github, etc ..., support for user auth. ○ _MANY_ secret backends for ephemeral credentials supported ■ AD, AliCloud, AWS, Azure, Consul, Cubbyhole, Databases (many support in MySQL, MongoDB, PostGres, MSSQL ...), GC + KMS, K:V, Identity, Nomad, PKI, RabbitMQ, SSH, TOTP, Transit (send data, get encrypted /decrypted data). ■ Pluggable secrets backend! ■ Percona Server 5.7 has vault keyring plugin available! 31