Topics covered:

  • Security Vulnerability Testing – Main Concepts
  • Characteristics of a Secure Software
  • Threat Modeling
  • Popular Software Attacks
  • Tools for Security Testing

Video (in Bulgarian)

Presentation Content

Security Testing

  • What is security testing?
    • Directed and focused form of testing that attempts to force specific failures to occur
      • Focused especially on reliability

The Bug Hypothesis

  • Where do bugs come from?
    • Bugs arise from interactions between the software and its environment during operation
    • What is the software’s operating environment ?
      • The human user
      • The file system
      • The operating system
      • Other cohabitating and interoperating software
  • Where do bugs come from?
    • Bugs arise from the software’s capabilities
      • Accepting inputs
      • Producing outputs
      • Storing data
      • Performing computations

Feature or Bug

  • Is Software Security a Feature ?
    • Most people consider software security as a necessary feature of a product
  • Is Security Vulnerability a Bug ?
    • If the software “failed” and allowed a hacker to see personal info, most users would consider that a software bug

Vulnerability Categories

  • Vulnerabilities typically fall into two categories
    • Bugs at the implementation level
      • Bugs tend to be easier for attackers to exploit
    • Flaws at the design level
      • The hardest defect category to handle
      • Also the most prevalent and critical

Reasons for Failures

  • In the real world, software failures usually happen spontaneously
    • Without intentional mischief
  • Failures can be result of malicious attacks
    • For the Challenge/Prestige
    • Curiosity driven
    • Aiming to use resources
    • Vandalizing
    • Stealing

Security Testing in the Software Development Life Cycle

  • Software security testing includes:
    • Creating security abuse/misuse cases
    • Listing normative security requirements
    • Performing architectural risk analysis
    • Building risk-based security test plans
    • Wielding static analysis tools
    • Performing security tests
    • Performing penetration testing in the final environment
    • Cleaning up after security breaches

Secure Software Characteristics

  • Confidentiality
    • Disclosure of information to only intended parties
  • Integrity
    • Determine whether the information is correct or not
  • Data Security
    • Privacy
    • Data Protection
    • Controlled Access
  • Authentication
    • Access to Authorized People
  • Availability
    • Ready for Use when expected
  • Non Repudiation
    • Information Exchange with proof

Is Your Application “Secure”?

Ever have anyone ask you this?
There’s an easy answer: NO
There are no “Secure” apps
But there are apps that are secure enough
How to achieve enough security?

What Does “Secure Enough” Mean to You?

  • Nobody has an infinite security budget
    • Many folks would be happy if they had any budget
  • Be practical!
    • Get the mostbang for your buck

What is Threat Modeling?

  • Threat modeling
    • A process for evaluating a software system for security issues
    • Can be considered as a variation of formal reviews
    • The review team looks for areas of the product’s feature set that are susceptible to security vulnerabilities

Threat Modeling Concepts

  • Threat modeling helps you find what is “secure enough”
    • What are you trying to protect?
    • Who is likely to attack you?
    • What avenues of attack exist?
    • Which vulnerabilities are the highest risk?
  • Go after the high risk vulnerabilities first!

Approaches to Threat Modeling

Threat Modeling Steps

  • Threat modeling follows a few steps:
    • Assemble the threat modeling team
    • Identify the assets
    • Create an architecture overview
    • Decompose the application
    • Identify the threats
    • Document the threats
    • Rank the threats

Threat Ranking

  • Threats are not equally important
  • A way to rank the threats is the DREAD formula – using these criteria:
    • Damage potential
    • Reproducibility
    • Exploitability
    • Affected Users
    • Discoverability

Famous security breaches

  • Ashley Madison data breach
  • Facebook bug that could have allowed for any photo on the site to be deleted
  • The 8 characters that crash Skype
  • The Heartbleed Bug

Security Organizations

  • SANS (System Administration, Networking, and Security) Institute
    • Established in1989as a cooperative research and education organization
    • Enables more than 165,000 security professionals, auditors, system administrators, and network administrators to share the lessons they are learning and find solutions to the challenges they face
    • Seewww.sans.orgfor more information
  • OWASP (Open Web Application Security Project)
    • Established in2001worldwide not-for-profit charitable organization focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
    • Seewww.owasp.orgfor more information

SANS Top 15 Most Dangerous Vulnerabilities

  • SQL injection
  • OS command injection
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Unrestricted upload of dangerous file
  • URL redirection to untrusted site (Open Redirect)
  • Buffer overflow
  • Improper limitation of a pathname
  • Download of a code without integrity check
  • Uncontrolled format string
  • Missing or incorrect authorization
  • Use of hard-coded credentials
  • Missing encryption of sensitive data
  • Execution of unnecessary privileges
  • Improper restriction of excessive authentication attempts

SQL Injection

  • What is SQL injection?
    • A code injection technique
    • Malicious code is inserted into strings
      • Later passed to an instance of SQL Server for parsing and execution

SQL Injection Example

Original SQL Query:
String sqlQuery = "SELECT \* FROM user WHERE name = '" \+ username \+"' AND pass='" \+ password \+ "'“

Setting username to John & password to ’ OR ‘1’= '1 produces
String sqlQuery = SELECT \* FROM user WHERE name = 'John' AND pass='' OR '1'='1'

  • The result:
    • If a user John exists – he islogged in without password

Preventing SQL Injection

  • Use Prepared Statements
  • Validate all of the user information
  • Remove special characters from the user input
  • Never show SQL error messages to the user
  • Use different field names for user interface and database
  • Disable all unused features of the database
  • Limit user permissions for the database

OS Command Injection

  • An OS command injection attack occurs when an attacker attempts to execute system level commands through a vulnerable application.
  • The application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it as any authorized system user
  • However, commands are executed with the same privileges and environment as the application has

XSS – Cross-site Scripting

  • What is XSS?
    • Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user’s browser.

Why XSS is dangerous?

  • Stealing other user’s cookies
  • Keylogging
  • Phishing
  • Stealing their private information
  • Performing actions on behalf of other users
  • Redirecting to other websites
  • Showing ads in hidden IFRAMES and pop-ups

Types of XSS

  • Persistent XSS
    • The malicious string originates from the website’s database.
  • Reflected XSS
    • The malicious string originates from the victim’s request.
  • DOM-based XSS
    • The vulnerability is in the client-side code rather than the server-side code.

Preventing XSS

Validate all input data from the user
Never show data entered by the user without cleaning them from JavaScript and HTML

Acunetix Vulnerability Scanner

Acunetix WVS (www.acunetix.com)checks your web applications for XSS, SQL Injection & other vulnerabilities
Free demo version with limited functionality available (no details, reports or saved results)

Buffer Overflow

  • What is buffer overflow?
    • An anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory
    • Also called buffer overrun

Buffer Overflow - The Usual Victims

  • Buffer overflow is commonly associated with C and C++
    • Provide no built-in protection against accessing or overwriting data

What is Wireshark?

  • What is Wireshark ?
    • Free and open-source packet analyzer
    • Used for:
      • Network troubleshooting
      • Analysis
      • Software and communications protocol development
    • Source:http://www.wireshark.org/

Password Attacks

  • What is a password attack?
    • A type of software attack in which the attacker tries to guess passwords or crack encrypted password files
      • Either manually or through the use of scripts

Types of Password Attacks

  • Simple guessing
  • Dictionary attacks
    • Using a list of popular passwords
  • Password phishing
    • Masquerading as a trustworthy entity
  • Brute force attacks
    • Generating all possible combinations

Users & Passwords

  • 9.8% have the passwords password, 123456 or 12345678;
  • 14% have a password from the top 10 passwords
  • 40% have a password from the top 100 passwords
  • 79% have a password from the top 500 passwords
  • 91% have a password from the top 1 000 passwords
  • 98.8% have a password from the top 10 000 passwords

What is THC-Hydra?

  • A very fast network logon cracker which support many different services.
  • Free of charge for non-enterprise use
  • Source:http://www.thc.org/
  • Protocols supported
    • POP3
    • FTP
    • HTTP-GET, HTTP-FORM-POST, HTTPS-GET…
    • Firebird
    • Subversion (SVN)
    • Telnet
    • And many more…

Type of attacks?

  • What type of attacks can HYDRA-HTC do?
    • Parallel dictionary attacks (16 threads by default)
    • Brute force/Hybrid attacks
    • Check for null, reversed, same as username passwords
    • Slow down the process of attack- prevent detection- IPS (Intrusion Prevention System)
    • Parallel attack of different servers

Denial of Service Attack (DoS)

  • What is Denial of Service attack?
    • An attempt to make a computer resource unavailable to its intended users
    • Sending messages which exhaust service provider’s resources
      • Network bandwidth, system resources, application resources

Distributed Denial-of-service (DDoS) Attacks

  • DDoS attacks
    • Employing multiple (dozens to millions) compromised computers to perform a coordinated and widely distributed DoS attack

Preventing DoS

  • Limit ability of systems to send spoofed packets
  • Rate controls in upstream distribution nets
  • Use modified TCP connection handling
  • Block IP broadcasts
  • Block suspicious services & combinations
  • Manage application attacks with “puzzles” to distinguish legitimate human requests
  • Good general system security practices
  • Use mirrored and replicated servers when high performance and reliability required

Open Redirect

URL Manipulation Attacks

Why URL manipulation?

  • Why would someone manipulate URL?
    • Getting a web server to deliver web pages he is not supposed to have access to
    • Trigering an exception thus revealing information in an error message

URL Manipulation Example

Cross-Site Request Forgery

  • A.k.aone-click attack or session riding and abbreviated as CSRF (pronounced sea-surf) or XSRF
  • Type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts
  • A vulnerable URL:http://bank.example.com/withdraw?account=bob&amount=1000000&for=mallory
  • Secret cookies and accepting only POST requests does not help

Error Messages

  • Error messages can reveal important information about your site
    • Error messages like that should not be allowed:

IP Spoofing

  • What is IP address spoofing?
    • Creation of Internet Protocol (IP) packets with a forged source IP address
  • What is the purpose?
    • Concealing the identity of the sender
    • Impersonating another computing system

Session Hijacking

  • What is session hijacking?
    • Getting access to the session state of a particular user
    • Steals a valid session ID which is used to get into system and retrieve the data

Spoofing vs. Hijacking

  • Spoofing
    • An attacker does not actively take another user offline to perform the attack
    • He mainly pretends to be another user or machine to gain access
  • Hijacking
    • An attacker takes over an existing session
    • He relies on the legitimate user to make a connection and authenticate
    • Subsequently, the attacker takes over the session

Session Hijacking Methods

  • Session fixation
    • Setting a user’s session id to a predefined one
  • Session sidejacking
    • Using packet sniffing to read network traffic between two parties and steal the session cookie
  • Cross-site scripting
    • Obtain a copy of the cookie

Protecting Against Session Hijacking

  • Use encryption
  • Use a secure protocol
  • Limit incoming connections
  • Minimize remote access
  • Educate the employees

Social Engineering

  • What is social engineering?
    • The act of manipulating people into performing actions or revealing confidential information
      • Instead of breaking in or using technical hacking techniques
      • Essentially – a fancier, more technical way of lying

Popular Social Engineering Methods

  • “Dumpster Diving”
  • “Shoulder Surfing”
  • Malicious E-mail Attachments
  • Deception and Manipulation
  • “Phishing”
  • “Pharming”
  • Reverse Social Engineering
  • PBX Disguise

Phishing

Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication

Pharming

Pharming is a hacker’s attack aiming to redirect a website’s traffic to another, bogus website.

“Dumpster Diving”

"Dumpster Diving“, a.k.a. trashing or skipping, is the practice of sifting through commercial or residential trash to find items that have been discarded by their owners, but which may be useful to the dumpster diver

Deception and Manipulation

Real story: Japan Earthquake scammers were spreading malicious links to “dramatic” videos of the disaster. So, you ended up clicking on a link that actually downloaded malware onto your PC or took you to a phishing site that asked for personal information

“Shoulder Surfing”

  • These are direct observation techniques, such as looking over someone’s shoulder, to get information. Shoulder surfing is particularly effective in crowded places because it is relatively easy to observe someone as they:
    • fill out a form
    • enter their PIN
    • enter their password
    • tell sensitive information over the phone

PBX Disguise

Public Business Exchange – attacker manipulates company ID system to impersonate someone of authority

“Hello? Who is this? Tech support? Oh, I’m sorry. I’m trying to reach Terry Simpson at extension 24667. Can you transfer me, please? I’m in a hurry.” … “Hi Terry, this is Jim from Tech Support. You can verify my identity from the caller-ID. Yes, I need to reset your password…”

Reverse Social Engineering

  • A final, more advanced method of gaining illicit information is known as “reverse social engineering”. This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around
    • Includes three phases: sabotage, advertising, assisting