Web Security: Thinking Like An Attacker
Sarah Chmielewski, Associate Technical Staff of MIT Lincoln Laboratory
Software development focuses on the end user – performance, functionality and usability. There are lots of attacks happening against web-based applications, so we need to stay one step ahead and “think like a hacker” 🙂
Injection attacks top the list of most common attacks, along with broken authentication management schemes.
Look at Heartbleed – it attacked the transport layer. We’ve all heard about it; it would leak in-memory data. You can play with this yourself – but set up your own server, please don’t attack the still vulnerable servers out there 🙂 (and also don’t expose your server to the Internet… 🙂)
Think about how you could’ve discovered this on your own. A traditional attack method is the buffer overflow, and there are static analyzers that can catch those. Heartbleed was a buffer over-read, though – there were no static analysis tools that could find this.
Look at your own code for memory accesses, like memcpy.
Another common attack: Cross-Site Request Forgery (XSRF). XSRF exploits the way that a client’s browser handles sessions. Check out Google Gruyere – a sandbox to practice with XSRF. Attackers can do things like withdraw money, delete things, all sorts of “fun” things! Look for forms that do not carry a unique token that is only sent with the form.
Software developers mostly think of how to build things up – not tear them down. So play around in safe places with these vulns to expand your way of thinking. Also check out Damn Vulnerable Web Application (DVWA) and OWASP.
There are also websites out there with old capture the flag games on them.
Test Driven Security
Rosalie Tolentino, Developer consultant of ThoughtWorks, Inc
You should not trust incoming data. Think about whitelisting, too.
Simple version: if you’re creating zip codes in the US – it should not allow alphabetic characters.
A great way to prevent CSRF vulns – do more input validation.
Output encoding mentality – separate user data from execution data. Look out for SQL injection attacks.
Use only the least privilege available. Guests should not be able to see invoices, for example – only approved accountants.
Build these checks into your code as tests, so they run right away. This makes developers more aware.
Just because your developers are adding assertions doesn’t mean you can get rid of QE, security experts or business ownership of security. It also requires that you have test driven development knowledge and security awareness in all of your developers.
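As an added example (not code from the talk or from ThoughtWorks), here are the checks above written as plain Python functions so that security assertions run with the ordinary unit test suite; the function names and the in-memory users table are my own assumptions.

```python
"""Security checks as testable functions: whitelist validation, CSRF token,
output encoding, parameterized SQL, least privilege (added example)."""
import html
import hmac
import re
import secrets
import sqlite3

# Whitelist: a US zip code is exactly 5 digits, optionally "-" and 4 more.
ZIP_RE = re.compile(r"\d{5}(?:-\d{4})?")


def valid_us_zip(value: str) -> bool:
    """Only the allowed shape passes; letters or extra digits fail."""
    return ZIP_RE.fullmatch(value) is not None


def new_csrf_token() -> str:
    """Unique per-session token that is only ever sent with the form."""
    return secrets.token_urlsafe(32)


def csrf_ok(session_token: str, form_token: str) -> bool:
    """Form token must match the session token; compare in constant time."""
    return bool(session_token) and hmac.compare_digest(session_token, form_token)


def encode_for_html(user_data: str) -> str:
    """Output encoding: user data is rendered as inert text, never as markup."""
    return html.escape(user_data, quote=True)


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    return conn


def find_user_id(conn: sqlite3.Connection, username: str):
    """Parameterized query keeps user data separate from the SQL (execution data)."""
    row = conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None


# Least privilege: guests get nothing, accountants only what they need.
ROLE_PERMS = {"guest": frozenset(), "accountant": frozenset({"view_invoice"})}


def allowed(role: str, action: str) -> bool:
    """Unknown roles fall back to an empty permission set."""
    return action in ROLE_PERMS.get(role, frozenset())
```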
Ransomware: An Exploration into the Damaging Threats
Marianne Mallen, Antivirus Researcher of Microsoft Corporation.
Ransomware typically wants money before it will unlock your machine, but sometimes they want information.
Screenlocker – MS has worked with the FBI to kill this one off. It works just like you think: it locks your computer screen. It will claim that the Department of Justice will come after you unless you give them money.
Another encrypts your files and holds them encrypted… until you pay.
Browser locker will prevent you from going to other pages, they will claim you have to pay a fine or go to jail. It’s a false claim, though – restarting your browser will take care of it.
Common distribution methods are attachments in email, drive-by downloads by browser exploit kits, or software downloaded by other malware.
They will lure you with fake mails from FedEx or other business services – watch out!
Starting in 2010, exploit kits became available for sale. Script kiddies would buy them and exploit many systems. They could make up to $54,000 a day for “unlocking” a user’s screen.
Many of these use a command and control server with encrypted communication. These attacks are now done so anonymously that it is hard to shut them down.
If you get hit with Ransomware – don’t hit the panic button, yet.
Be aware – do not just open attachments or click on suspicious links. Hover your mouse over a link to make sure it’s going to take you to the place that’s displayed in the email. Keep your anti-virus and patches up to date. Keep backups!
If your browser is locked – restart. Download Windows Defender Offline. Please don’t pay the ransom! Reach out to experts for help.