10. T.J. Maxx theft believed largest hack ever
TJX Cos. put number to loss Wednesday, acknowledges it could still go up
By Mark Jewell, Associated Press, March 30, 2007
BOSTON - A hacker or hackers stole data from at least 45.7 million credit and debit cards of shoppers at off-price retailers including T.J. Maxx and Marshalls in a case believed to be the largest such breach of consumer information. Experts say TJX's disclosures in a regulatory filing late Wednesday revealed security holes that persist at many firms entrusted with consumer data: failure to promptly delete data on customer transactions, and to guard secrets about how such data is protected through encryption.
11. (T.J. Maxx theft, continued)
Police charged six people in Florida last week with using credit card numbers that investigators believe were stolen from a TJX database to buy about $1 million in merchandise with gift cards.
12. Threat Modeling Vocabulary
- Assets are the things an attacker wants to take from you
- Threats are the ways in which the attacker will try to get at your assets
- Mitigations are the ways you block the attacker from getting the assets
- Vulnerabilities are unmitigated threats
- Threat Models are an assessment of the Assets, Threats, Mitigations and Vulnerabilities of the system you are building or have built
13. Assets are more than money...
- Reputation and customer confidence
- Confidential data
- Processor, storage, bandwidth
- Availability
- Performance
14. Threat Analysis
- Secure software starts with understanding the threats
- Threats are not vulnerabilities
- Threats live forever
- How will attackers attempt to compromise the system?
(diagram: Asset, Threat, Mitigation, Vulnerability)
16. Security User Stories
Written by the user in non-technical language:
As an attacker I want to <attack> So that <crime> By <method>
17. Security User Stories (example)
As an attacker I want to obtain credentials
So that I can plunder bank accounts
By tricking users into logging into my bogus site with a phishing mail
22. Understand Your Attack Surface
- Networking protocols that are enabled by default
- Network endpoints
- Code that auto-starts or will execute when accessed. Examples: services, daemons, ISAPI filters and applications, SOAP services, and Web roots
- Reusable components: ActiveX controls, COM objects, and .NET Framework assemblies (especially those marked with the AllowPartiallyTrustedCallersAttribute)
- Process identities for all the code you run
- User accounts installed
28. Reducing Attack Surface
- TCP only
- Service: Manual
- NetService (lower privilege)
- Turn feature off
29. Reducing Attack Surface: Harden ACLs on the data store
- TCP only
- Service: Manual
- NetService
- Before: Everyone (Full Control)
- After: Admin (Full Control), Everyone (Read), Service (RW)
31. Defense In Depth
- Don't count on one line of defense for everything
- What if the attacker penetrates that defense?
- Contain the damage
- Example: nuclear plants
33. "Multiple redundant safety systems. Nuclear plants are designed according to a 'defense in depth' philosophy that requires redundant, diverse, reliable safety systems. Two or more safety systems perform key functions independently, such that, if one fails, there is always another to back it up, providing continuous protection." - Nuclear Energy Institute
35-41. Defense in Depth (MS03-007): Windows Server 2003 Unaffected
Microsoft Security Bulletin MS03-007 - Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)
Originally posted: March 17, 2003
Impact of vulnerability: Run code of attacker's choice
Maximum Severity Rating: Critical
Affected Software: Microsoft Windows NT 4.0, Microsoft Windows 2000, Microsoft Windows XP
Not Affected Software: Microsoft Windows Server 2003
Why Windows Server 2003 was unaffected, layer by layer:
- The underlying DLL (NTDLL.DLL) was not vulnerable: code was made more conservative during the Security Push
- Even if it was vulnerable: IIS 6.0 is not running by default on Windows Server 2003
- Even if it was running: IIS 6.0 doesn't have WebDAV enabled by default
- Even if it did have WebDAV enabled: the maximum URL length in IIS 6.0 is 16 KB by default (>64 KB needed)
- Even if the buffer was large enough: the process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)
- Even if there was an exploitable buffer overrun: it would have occurred in w3wp.exe, which now runs as 'Network Service'
46-47. Fail To Secure Mode
    Function Authenticate(UserID As String, Password As String)
        Dim Authenticated As Boolean = True      ' Danger!! Assumes success
        Try
            Dim conn As New SqlConnection(connString)
            conn.Open()
            Dim cmd As New SqlCommand("SELECT Count(*) FROM Users …")
            Dim count As Integer
            count = cmd.ExecuteScalar()
            Authenticated = (count = 1)
        Catch ex As Exception
            ' Authenticated flag may still be True here
            MessageBox.Show("Error logging in " + ex.Message)
        End Try
        Return Authenticated
    End Function
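The slide's fail-open flag translated to Python against a constructed in-memory SQLite table, beside the fail-closed version. This is an added example, not code from the deck; the table, rows and function names are assumptions.

```python
import sqlite3

# Constructed stand-in for the deck's SQL Server "Users" table. Passwords are
# stored in clear only to mirror the slide; real code stores a salted hash.
def make_db(with_table: bool) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    if with_table:
        conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
        conn.execute("INSERT INTO Users VALUES ('alice', 'correct horse')")
    return conn

QUERY = "SELECT Count(*) FROM Users WHERE UserName = ? AND Password = ?"

# The deck's pattern: the flag starts True, so any exception raised inside the
# try block (missing table, network error, bad connection string) leaves it True.
def authenticate_fail_open(conn, user, password) -> bool:
    authenticated = True                      # Danger!! Assumes success
    try:
        count = conn.execute(QUERY, (user, password)).fetchone()[0]
        authenticated = (count == 1)
    except sqlite3.Error as ex:
        print("Error logging in", ex)         # flag may still be True here
    return authenticated

# Fail to secure: default to denial and set the flag only on a positive result.
def authenticate_fail_closed(conn, user, password) -> bool:
    authenticated = False
    try:
        count = conn.execute(QUERY, (user, password)).fetchone()[0]
        authenticated = (count == 1)
    except sqlite3.Error as ex:
        print("Error logging in", ex)         # logged, and the flag stays False
    return authenticated
```

With the Users table absent (simulating any database failure) the fail-open version admits anyone; the fail-closed version denies everyone until the database is back.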
49-52. Security Code Review
    Try
        Dim conn As SqlConnection = Nothing
        Dim results As New DataSet()
        conn = New SqlConnection("data source=localhost;" _
            + "user id=sa;password=password;" _
            + "Initial Catalog=SqlInjectionDemo")
        conn.Open()
        sqlString = "SELECT HasShipped" _
            + " FROM Shipment WHERE ID='" + ID + "'"
        cmd = New SqlCommand(sqlString, conn)
        Dim adapter As New SqlDataAdapter(cmd)
        adapter.Fill(results)
    Catch se As SqlException
        Dim status As String
        status = sqlString + " failed"
        For Each err As SqlError In se.Errors
            status = status + err.Message
        Next
        MessageBox.Show(status)
    End Try
Review findings:
- Never connect as SA: "user id=sa"
- Don't embed secrets: "password=password" is an unencrypted and weak password
- Don't concatenate arguments: WHERE ID='" + ID + "'
- Don't reveal everything to an attacker: For Each err As SqlError ... MessageBox.Show(status) echoes the failed SQL and every server error message
53. Why not connect as SA?
Violates the principle of least privilege
Threat: code is subject to an attacker elevating privilege
Mitigation recommendations:
- Defense in depth. Action: run SQL Server as Network Service rather than Local System
- Reduce surface area: eliminate privileges on everything except the required stored procedures. Action: create stored procedures
- Least privilege: run as a lesser-privileged user when connecting to the database. Action: fix the connection string
54. Why not embed secrets?
Violates the principle of avoiding security by obscurity
Threat: secrets are easily discovered
Mitigation recommendations:
- Don't store secrets. Tip: use Windows Authentication
- Encrypt secrets: for .NET 1.1 consider Enterprise Library; for .NET 2.0 use Enterprise Library or System.Security.Cryptography.ProtectedData; for SQL Server 2005 use EncryptByKey / DecryptByKey
55. Storing Secrets
- Hackers use search engines to locate secrets
- Search engines will find anything you have hidden
71. Reduce SQL Surface Area
If you don't connect in a sysadmin role, the account used by xp_cmdshell will be the one defined by xp_cmdshell_proxy_account, which may have reduced privilege
72. Evil Input Attack - Hotmail
In October 2001 an XSS vulnerability allowed an attacker to steal a user's Microsoft .NET Passport session cookies. The exploit for this vulnerability consisted of sending a malicious email containing malformed HTML to a Hotmail user. The script-filtering code on Hotmail's site failed to remove the broken HTML, and Internet Explorer's parsing algorithm happily interpreted the malicious code.
78-80. Discussion: White Listing vs Black Listing Input
"Look for valid data and reject everything else"
SQL example of why black listing fails: string.Replace("delete", "") applied to "deldeleteete" removes the inner "delete" and leaves "delete"
81. Demo: SQL Injection - Sanitizing User Input
Select Count(*) From Users Where UserName = '' OR 1+1=2; -- ' and password = ''
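One added example covering the code-review slide, the white-list/black-list discussion and the injection demo above: the black-list Replace that leaves "delete" behind, the concatenated login query the demo payload bypasses, and the parameterized-plus-whitelisted version. It is not code from the deck; the SQLite table, rows, regex and function names are assumptions, and the payload is the slide's minus its ';' because sqlite3 runs one statement per call.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the deck's Users table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 'correct horse')")
    return conn

# Black list: strip the bad word. A nested copy survives one pass of Replace.
def blacklist_filter(value: str) -> str:
    return value.replace("delete", "")

# White list: "look for valid data and reject everything else". It bounds the
# character set and length; it does not care about keywords, because with a
# parameterized query a keyword in a value is harmless data anyway.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def is_valid_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None

# The deck's concatenated query: a quote in the input closes the literal and
# the rest of the input becomes SQL.
def login_concat(conn, user: str, password: str) -> int:
    sql = ("SELECT Count(*) FROM Users WHERE UserName = '" + user
           + "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchone()[0]

# Parameterized query plus white list: input can never change the statement.
def login_safe(conn, user: str, password: str) -> int:
    if not is_valid_username(user):
        return 0
    cur = conn.execute(
        "SELECT Count(*) FROM Users WHERE UserName = ? AND Password = ?",
        (user, password))
    return cur.fetchone()[0]

# The slide's demo payload (without the ';'); "-- " comments out the rest.
INJECTED_USER = "' OR 1+1=2 -- "
```

login_concat with INJECTED_USER and an empty password returns 1 without any credential, while login_safe rejects the same input at the white list and still authenticates alice normally.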
"Search engines will find anything you have hidden": we could say "could, or might find", but we need to think of this as WILL find anything that we have hidden.