Armorizing applications

84 pages

Armorizing Applications. Iftach Ian Amit, Director of Services. Friday, October 11, 13

Description

In this talk, Ian Amit will try to address things from a more tactical (read: practical) perspective for application development. What 'we' see, or want, from a security practitioner's perspective is nice, but enabling it from an application's point of view isn't trivial. He'll cover what the attendees can gain from having applications designed and implemented in certain ways, while of course not changing the way things are practiced these days (too much). He will also show how logging (yes... plain old boring logging) can go a long way, and how applications that are a bit more self-conscious about their state can be used to detect attacks before they actually happen.

Transcript of Armorizing applications

Page 1: Armorizing applications

Armorizing Applications

Iftach Ian Amit, Director of Services

Friday, October 11, 13

Page 2: Armorizing applications

Hi!


Page 3: Armorizing applications

I’m not an application guy :-|


Page 4: Armorizing applications

I’m a security guy

Who actually used to do some application stuff


Page 5: Armorizing applications

whoami?

$ id

uid=501(iamit) gid=20(ioactive) groups=12(hack),33(research),61(dev),79(red_team),80(sexy_defense),81(exil),98(idf),100(dc9723),204(/dev/null)


Page 6: Armorizing applications

Attack?

Defense!


Page 7: Armorizing applications

So, I’ve been dealing with defense a lot


Page 8: Armorizing applications

As in - helping defenders get a head start


Page 9: Armorizing applications

Guess what? We are still failing on the basics...


Page 10: Armorizing applications

Logs...


Pages 11-18: Armorizing applications

Logs...

Firewall

IDS

IPS

Network

HTTPD

DBMS

DNS

Application?

Page 19: Armorizing applications

We still have sucky application logs :-(


Page 20: Armorizing applications


Page 21: Armorizing applications

I mean, we came a long way since web-app coding in the 90’s

I know. I’ve lived through it :-(


Pages 22-28: Armorizing applications

Example:

Uses MVC. Actually very nicely architected...

Good start. At least we can haz data.

This is pretty much useless*

* from a security perspective. No doubt that when this breaks you'll need it

Page 29: Armorizing applications

Let’s get back to basics for a sec here


Page 30: Armorizing applications

time=2013-03-02 23:59:57 action=drop orig=192.168.1.103 i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 product=VPN-1 & FireWall-1 policy_name=INTERNET src=1.2.3.4 s_port=37586 dst=3.4.5.6 service=80 proto=tcp rule=16 xlatesrc=8.9.10.11 xlatesport=57517 xlatedport=0 NAT_rulenum=4 NAT_addtnl_rulenum=internal


Page 31: Armorizing applications


Page 32: Armorizing applications

but wait,

how about them HTTPD?


Page 33: Armorizing applications

193.205.210.42 - - [09/Oct/2013:00:57:17 -0700] "GET /blog/2013/07/mail-encryption-for-android/ HTTP/1.1" 200 32064 "https://www.google.it/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-includes/js/comment-reply.min.js?ver=3.6.1 HTTP/1.1" 200 1068 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-content/plugins/podpress/js/podpress.js?ver=3.6.1 HTTP/1.1" 200 40786 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-content/plugins/jetpack/modules/sharedaddy/sharing.css?ver=2.5 HTTP/1.1" 200 11641 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-content/plugins/lightbox-2/lightbox.js?ver=1.8 HTTP/1.1" 200 21623 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1 HTTP/1.1" 200 7484 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:20 -0700] "GET /blog/wp-content/plugins/podpress/players/1pixelout/1pixelout_audio-player.js HTTP/1.1" 200 12305 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:20 -0700] "GET /blog/wp-content/plugins/jetpack/modules/wpgroho.js?ver=3.6.1 HTTP/1.1" 200 1212 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:20 -0700] "GET /blog/wp-content/plugins/jetpack/modules/sharedaddy/sharing.js?ver=20121205 HTTP/1.1" 200 39040 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:21 -0700] "GET /blog/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=3.5.2 HTTP/1.1" 200 8610 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:21 -0700] "GET /blog/wp-content/plugins/contact-form-7/includes/js/jquery.form.min.js?ver=3.40.0-2013.08.13 HTTP/1.1" 200 14910 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:23 -0700] "GET /favicon.ico HTTP/1.1" 200 1351 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:23 -0700] "GET /blog/wp-includes/js/jquery/jquery.js?ver=1.10.2 HTTP/1.1" 200 93371 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
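The two infrastructure records above (the firewall line on page 30 and the HTTPD access lines) are easy to parse, and parsing them shows exactly what the talk is getting at: every field is about addresses, ports, paths and byte counts, and the only identity fields the access log has are the two "-" placeholders. The Python below is an added example written for this transcript, not code from the talk; the parsers and the per-client summary are my own, and the sample lines are constructed copies of the records shown on the slides.

```python
import re
from collections import defaultdict

# Regex for the Apache/nginx "combined" access log format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line):
    """Parse one combined-format line into a dict (None if it does not match)."""
    m = COMBINED_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # The identity fields are almost always "-": the web server does not know
    # who the user is, only which address the request came from.
    rec["identity_known"] = rec["user"] != "-"
    return rec


def parse_kv(line):
    """Parse a space-separated key=value record such as the firewall line.
    Values may themselves contain spaces ("VPN-1 & FireWall-1"), so a value
    runs until the next ' key=' boundary or the end of the line."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'(\S+?)=(.*?)(?= \S+?=|$)', line.strip())}


def client_summary(access_lines):
    """Everything the access log can say about each client address."""
    per_ip = defaultdict(lambda: {"requests": 0, "paths": [], "errors": 0,
                                  "identity_known": False})
    for line in access_lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["paths"].append(rec["path"].split("?", 1)[0])
        s["errors"] += rec["status"] >= 400
        s["identity_known"] |= rec["identity_known"]
    return dict(per_ip)


# Constructed sample input: the firewall record from the slide and two of the
# access-log lines shown above (one page view, one static asset).
FIREWALL_LINE = ("time=2013-03-02 23:59:57 action=drop orig=192.168.1.103 "
                 "i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 "
                 "product=VPN-1 & FireWall-1 policy_name=INTERNET src=1.2.3.4 "
                 "s_port=37586 dst=3.4.5.6 service=80 proto=tcp rule=16 "
                 "xlatesrc=8.9.10.11 xlatesport=57517 xlatedport=0 "
                 "NAT_rulenum=4 NAT_addtnl_rulenum=internal")
UA = ('"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 '
      '(KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"')
ACCESS_LINES = [
    '193.205.210.42 - - [09/Oct/2013:00:57:17 -0700] "GET /blog/2013/07/'
    'mail-encryption-for-android/ HTTP/1.1" 200 32064 "https://www.google.it/" ' + UA,
    '193.205.210.42 - - [09/Oct/2013:00:57:23 -0700] "GET /favicon.ico HTTP/1.1" '
    '200 1351 "-" ' + UA,
]

if __name__ == "__main__":
    fw = parse_kv(FIREWALL_LINE)
    print("firewall:", fw["action"], fw["src"], "->", fw["dst"], "port", fw["service"])
    for ip, s in client_summary(ACCESS_LINES).items():
        print("httpd:", ip, s)
```

The summary comes back with `identity_known` false for every client: the access log tells you an address fetched a page and eleven assets, and the firewall log tells you a packet was dropped by rule 16. Neither record can say which user, which session, or which application state was involved, which is the gap the rest of the talk is about.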

Page 34: Armorizing applications

Don’t get me started...


Page 35: Armorizing applications

And that’s AFTER taking into account “log analyzers”


Page 36: Armorizing applications

“But you security guys have all these fancy SIEM stuff, right?”


Page 37: Armorizing applications


Page 38: Armorizing applications


Page 39: Armorizing applications


Page 40: Armorizing applications

Yes, we have fancy dashboards and graphs

and sometimes synchronized logs from multiple sources

But it’s still a pain in the tuches


Page 41: Armorizing applications

WHY?


Page 42: Armorizing applications


Page 43: Armorizing applications

The application has ALL THE CONTEXT


Page 44: Armorizing applications


Page 45: Armorizing applications


Page 46: Armorizing applications


Page 47: Armorizing applications

Yet you keep it to yourself


Page 48: Armorizing applications

This made me cry in joy:


Page 49: Armorizing applications


Pages 50-51: Armorizing applications

Firewall / Web Server view (what the infrastructure logs show):

Client X: index
Client X: items
Client Y: index
Client X: items+a
Client Y: items
Client Y: items+c
Client X: checkout
Client X: login
Client X: confirm
Client Y: checkout
Client Y: confirm

Application view (the same sequence, with context):

- John, from X, just bought A and shipped it, paying with CC

- Client from Y tried to bypass app logic and avoid payment/auth
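The contrast on these two slides can be made concrete by replaying the same sequence at the application layer, where each step carries context and the application knows which steps must come before which. The Python below is an added example for this transcript, not code from the talk: the AppEvent structure, the REQUIRES precondition table and the sample stream (with "items+a" and "items+c" modelled as "add" events) are my assumptions about how such a flow would be recorded.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class AppEvent:
    """One application-level event; `detail` carries the context the web
    server never sees (who the user is, what was bought, how it was paid)."""
    client: str
    action: str
    detail: dict = field(default_factory=dict)


# Preconditions the application knows about its own flow: which steps must
# already have completed in this client's session before a step is legitimate.
REQUIRES = {
    "checkout": {"add"},
    "confirm": {"checkout", "login"},
}


def reconstruct(events):
    """Replay the event stream per client. Returns (stories, alerts):
    human-readable outcomes for completed flows, and alerts for steps that
    were attempted without their prerequisites or without payment."""
    done = defaultdict(set)      # client -> steps completed so far
    cart = defaultdict(list)     # client -> items added
    stories, alerts = [], []
    for ev in events:
        missing = REQUIRES.get(ev.action, set()) - done[ev.client]
        if missing:
            alerts.append(f"{ev.client}: '{ev.action}' without {sorted(missing)} "
                          f"(possible logic bypass)")
            continue                         # a rejected step does not count as done
        if ev.action == "confirm" and "payment" not in ev.detail:
            alerts.append(f"{ev.client}: 'confirm' without payment")
            continue
        if ev.action == "add":
            cart[ev.client].append(ev.detail["item"])
        elif ev.action == "confirm":
            stories.append(f"{ev.detail.get('user', 'unknown')}, from {ev.client}, "
                           f"bought {', '.join(cart[ev.client])} "
                           f"paying with {ev.detail['payment']}")
        done[ev.client].add(ev.action)
    return stories, alerts


# Constructed sample stream mirroring the slide's sequence.
EVENTS = [
    AppEvent("X", "index"), AppEvent("X", "items"), AppEvent("Y", "index"),
    AppEvent("X", "add", {"item": "A"}), AppEvent("Y", "items"),
    AppEvent("Y", "add", {"item": "C"}), AppEvent("X", "checkout"),
    AppEvent("X", "login", {"user": "John"}),
    AppEvent("X", "confirm", {"user": "John", "payment": "CC"}),
    AppEvent("Y", "checkout"), AppEvent("Y", "confirm"),
]

if __name__ == "__main__":
    stories, alerts = reconstruct(EVENTS)
    print("\n".join(stories))
    print("\n".join(alerts))
```

Run against the sample stream, the replay yields one story (John's purchase) and one alert (Y confirming without ever logging in). The same eleven requests in the web server log are eleven GET lines from two addresses; the precondition table is what turns them into a story and a detection.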

Page 52: Armorizing applications


Page 53: Armorizing applications


Page 54: Armorizing applications


Page 55: Armorizing applications

Rinse, Lather, Repeat


Page 56: Armorizing applications

Everywhere!

DB Access

Session Management

State Management

User Management

...


Page 57: Armorizing applications

Be a dot connector!


Pages 58-64: Armorizing applications

Counter Intelligence use-case

Problem: dormant accounts used for fraud (and/or money laundering)

Account

>1yr dormant

laundering

Intl. transfers

Internal/External???
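The dormant-account use-case above is a correlation the application (or its event store) can do itself, because it already knows each account's last activity, which channel touched it, and where each transfer goes. The Python below is an added example for this transcript, not code from the talk; the event tuple layout, the "internal"/"external" origin labels, the one-year threshold and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=365)


def analyse(events, dormant_after=DORMANT_AFTER):
    """Correlate account activity over time.

    events: iterable of (timestamp, account, action, origin, detail), where
    origin is "internal" (staff-side channel) or "external" (customer channel).
    Returns (findings, state). A finding is raised for every international
    transfer on an account that was reactivated after more than `dormant_after`
    of silence; it records which channel woke the account up, which is exactly
    the internal/external question on the slide."""
    state, findings = {}, []
    for ts, acct, action, origin, detail in sorted(events, key=lambda e: e[0]):
        st = state.setdefault(acct, {"last": None, "reactivated_by": None,
                                     "dormant_days": 0, "intl_transfers": 0})
        if st["last"] is not None and ts - st["last"] > dormant_after:
            # First touch after a long silence: remember who did it.
            st["reactivated_by"] = origin
            st["dormant_days"] = (ts - st["last"]).days
        if action == "transfer" and detail.get("intl") and st["reactivated_by"]:
            st["intl_transfers"] += 1
            findings.append({
                "account": acct, "at": ts, "amount": detail.get("amount"),
                "transfer_origin": origin,
                "reactivated_by": st["reactivated_by"],
                "dormant_days": st["dormant_days"],
            })
        st["last"] = ts
    return findings, state


# Constructed sample: ACC-1 sleeps for ~21 months, is touched from an internal
# channel, then starts sending money abroad; ACC-2 is an ordinary active account.
D = datetime
EVENTS = [
    (D(2011, 6, 1), "ACC-1", "login", "external", {}),
    (D(2013, 3, 1), "ACC-1", "contact_update", "internal", {"by": "branch-user-17"}),
    (D(2013, 3, 2), "ACC-1", "transfer", "external", {"intl": True, "amount": 9500}),
    (D(2013, 3, 3), "ACC-1", "transfer", "external", {"intl": True, "amount": 9400}),
    (D(2013, 1, 10), "ACC-2", "login", "external", {}),
    (D(2013, 3, 2), "ACC-2", "transfer", "external", {"intl": True, "amount": 250}),
]

if __name__ == "__main__":
    findings, state = analyse(EVENTS)
    for f in findings:
        print(f"{f['account']} {f['at']:%Y-%m-%d}: intl transfer of {f['amount']} "
              f"after {f['dormant_days']} dormant days; reactivated via "
              f"{f['reactivated_by']} channel")
```

The "reactivated_by" field is the piece that only the application can supply: the firewall sees an outbound transfer request, but only the application knows that the account had been silent since 2011 and that the first thing to touch it was a staff-side contact update.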

Pages 65-74: Armorizing applications

Marketing

Accounting

Branch mgmt.

List: Account, Account, Account, Account, Account

List: Account, Account, Account, Account, Account

List: Account, Account, Account, Account, Account

Internal user

Pages 75-82: Armorizing applications

Internal user

PC

Trojan

C&C

Bad Guys(tm)

Page 83: Armorizing applications

Log on context

Weird state changes

Repeatable expectable actions

Who, what, why

Help me get the story right!

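Putting the closing checklist into practice means emitting records that already carry the context, rather than reconstructing it afterwards. The Python below is an added example for this transcript, not code from the talk: app_event writes one JSON line per action with who, what, why, component and session; marks state changes not in an expected-transition table as anomalies (the "weird state changes" bullet); and rate_anomalies compares "repeatable expectable actions" against a per-actor baseline, using the internal user pulling account lists from the earlier slides as the constructed sample. The transition table, baseline numbers and record layout are my assumptions.

```python
import json
import logging
from collections import Counter

log = logging.getLogger("app.security")

# Transitions the application expects for an order; anything else is a
# "weird state change" worth a WARNING rather than a silent INFO line.
EXPECTED_TRANSITIONS = {
    ("new", "cart"), ("cart", "checkout"), ("checkout", "authenticated"),
    ("authenticated", "paid"), ("paid", "confirmed"),
}


def app_event(component, who, what, why, session, state_from=None, state_to=None, **extra):
    """Emit one JSON log record that answers who / what / why, names the
    component (db, session, state, user) and the session, and, for state
    changes, records from->to and whether the transition was expected."""
    rec = {"component": component, "who": who, "what": what, "why": why,
           "session": session, **extra}
    level = logging.INFO
    if state_to is not None:
        rec["state"] = {"from": state_from, "to": state_to}
        if (state_from, state_to) not in EXPECTED_TRANSITIONS:
            rec["anomaly"] = "unexpected_transition"
            level = logging.WARNING
    log.log(level, json.dumps(rec, sort_keys=True, default=str))
    return rec


def rate_anomalies(records, baseline, factor=5):
    """Flag (who, what) pairs seen more than `factor` times their usual
    count per period. `baseline` maps (who, what) -> usual count; unknown
    pairs get a baseline of 1, so a new actor repeating something 6+ times
    is reported too."""
    counts = Counter((r["who"], r["what"]) for r in records)
    return {k: n for k, n in counts.items() if n > factor * baseline.get(k, 1)}


# Constructed sample: a normal order step, one odd state jump, and an internal
# user pulling account lists far more often than that role usually does.
def sample_records():
    recs = [
        app_event("state", "john", "checkout", "cart -> checkout", "s-x",
                  state_from="cart", state_to="checkout"),
        app_event("user", "john", "login", "checkout requires auth", "s-x"),
        app_event("state", "anon", "confirm", "order confirm", "s-y",
                  state_from="checkout", state_to="confirmed"),
    ]
    recs += [app_event("db", "alice", "list_accounts", "marketing campaign", "s-a")
             for _ in range(3)]
    recs += [app_event("db", "bob", "list_accounts", "branch report", "s-b")
             for _ in range(60)]
    return recs


BASELINE = {("alice", "list_accounts"): 2, ("bob", "list_accounts"): 2}

if __name__ == "__main__":
    logging.basicConfig(format="%(levelname)s %(message)s", level=logging.INFO)
    print(rate_anomalies(sample_records(), BASELINE))
```

Each record is a single JSON line, so the existing log pipeline (syslog, a SIEM, a flat file) carries it unchanged; the difference from the access log is that the "who", "why" and "state" fields are filled in by the code that actually knows them. The baseline check is deliberately simple (a fixed multiple of a per-actor count), which is enough to surface an internal account pulling sixty lists where two is normal.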

Page 84: Armorizing applications

Questions? Comments!

Ian Amit, @iiamit

[email protected]
