Ladd Van Tol Senior Software Engineer Security on the Web Part Two - Attacks and Defenses.


Ladd Van Tol, Senior Software Engineer

Security on the Web

Part Two - Attacks and Defenses

•Lesson: people aren’t always who they seem

Anecdote

•Provide timely software update information via website, and through desktop software

•Second most popular Mac site after Apple

What is the business?

•Complex network topologies
•Supporting high traffic first priority
•Time pressures
•Minimum Cost Mentality
•Off-the-shelf tools often have holes
•Custom-built tools often have holes
•Difficult to enforce “policy” on “enemy”
•Must be proactive

Why Security Is Hard

Typical Web Topology

•Operating Systems
  •Linux on x86
  •Solaris on Sparc

•Software
  •Apache
  •MySQL
  •Tomcat, PHP, modperl, FastCGI
  •SpinBox ad server

Heterogeneous Environment

•≈ 18 million page views/month
•≈ 15 million client connects/month
•≈ 200,000 registered users
•≈ 4 TB/month bandwidth

High Traffic

•Marketing very rarely interested in technical perfection

•Compressed schedules afford little time for even finishing features

•Engineers stressed out

Time Pressures

•If it hasn’t been broken, why bother spending money/time on additional security?

•If we can fix the immediate vulnerability, why go further?

Minimum Cost Mentality

•Commercial Software
  •Better support
  •Less code review

•Free software
  •More code review
  •Less support

•Argument over which is better
•Cutting edge packages have more holes
•Buffer overflows common cause of breach
•Solutions: Java, libsafe, careful programming

Off-the-shelf Tools

•Difficult for generalists to understand best practices in security

•Time-consuming to provide decent security

•Throw-away mentality

Custom-built Tools

•Protect company data
  •Code
  •Databases

•Protect privacy of users
  •Software Inventories

•Prevent abuses by users
  •Misuse of discussion areas, etc.

•Provide maximum availability

What is the policy?

•Competitors
  •Misappropriation of data

•Users &amp; Developers
  •Abuse of reviews

•Employees/Contractors
  •Abuse of power

•Malicious crackers
  •Denial of Service
  •Theft of Company secrets
  •Destruction of data

Who Are The Enemies?

•Well, we didn’t think that would happen...

Reactive Defenses

•“Borrowing” of timely information
•Strategies for Defense
  •Tag data &amp; track migration
  •Analyze web server logs for robots
  •Delay competitors
  •Block competitors
  •Break kneecaps

Competitors

•Inappropriate #&amp;*$@!^ content
•Defenses
  •Dirty word filter compiled from AOL list
  •Evaluating user complaints
  •Editorial deletion

•Countermeasure performed by actual user
  •“F*ck microsoft. MSN messenger sucks.”

Review Abuse 1

•Posting repeated reviews from one account

•Defenses
  •allow maximum of two reviews per 24-hour period per account
  •average star rating only counts newest review from each account

•Countermeasure performed by actual user
  •Create multiple accounts

Review Abuse 2
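An added example (not code from the deck or from VersionTracker) showing the two per-account defenses above in Python: at most two reviews per account in any 24-hour window, and a star average that counts only each account's newest review. Account names and timestamps are constructed; as the slide notes, both rules are per account, so they do not stop a user who registers several accounts.

```python
from datetime import datetime, timedelta

MAX_REVIEWS_PER_WINDOW = 2
WINDOW = timedelta(hours=24)


class ReviewStore:
    """Review store for one product, keyed by the submitting account."""

    def __init__(self):
        self.reviews = []  # (account, stars, submitted_at)

    def submit(self, account, stars, submitted_at):
        """Accept the review unless the account already has two within 24 h."""
        if not 1 <= stars <= 5:
            raise ValueError("stars must be 1..5")
        recent = [r for r in self.reviews
                  if r[0] == account and submitted_at - r[2] < WINDOW]
        if len(recent) >= MAX_REVIEWS_PER_WINDOW:
            return False  # rate-limited: the review is rejected
        self.reviews.append((account, stars, submitted_at))
        return True

    def average_rating(self):
        """Average over the newest review of each account, so one account
        cannot pile on repeated reviews to drag the average up or down."""
        newest = {}
        for account, stars, when in self.reviews:
            if account not in newest or when > newest[account][1]:
                newest[account] = (stars, when)
        if not newest:
            return None
        return sum(s for s, _ in newest.values()) / len(newest)


def demo():
    # Constructed timeline: alice posts three times in two hours, then again
    # a day later; bob posts once.
    store = ReviewStore()
    t0 = datetime(2003, 4, 10, 9, 0)
    results = [
        store.submit("alice", 5, t0),
        store.submit("alice", 5, t0 + timedelta(hours=1)),
        store.submit("alice", 5, t0 + timedelta(hours=2)),   # third in 24 h: rejected
        store.submit("alice", 1, t0 + timedelta(hours=25)),  # window elapsed: accepted
        store.submit("bob", 3, t0),
    ]
    return results, store.average_rating()  # alice's newest (1) and bob's (3)
```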

•Repeated reviews from multiple accounts

•Defenses
  •IP address logging
  •Editorial guesswork
  •Evaluating user complaints

•Countermeasure performed by actual user
  •Denial
  •IP masking

Review Abuse 3

•HTML Injection, via screen name text input

•Defense
  •Make sure to escape all user input

Review Abuse 4
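The vulnerable rendering beside its hardened form, as an added Python example (not the deck's or the site's own code): the first function drops the screen name straight into the page, the second escapes every user-supplied value at output time. The sample screen name and review body are constructed.

```python
import html


def render_review_vulnerable(screen_name, body):
    # Before: user-controlled text is concatenated into the markup, so a
    # screen name that contains a tag is rendered as a tag (HTML injection).
    return f"<div class='review'><b>{screen_name}</b>: {body}</div>"


def render_review(screen_name, body):
    # After: every user-supplied value is escaped for the HTML text context.
    # quote=True also converts ' and " so the same helper is safe inside
    # attribute values, not only between tags.
    name = html.escape(screen_name, quote=True)
    text = html.escape(body, quote=True)
    return f"<div class='review'><b>{name}</b>: {text}</div>"


# Constructed sample: a "screen name" carrying markup instead of a name.
SAMPLE_NAME = "fan<script>alert(1)</script>"
SAMPLE_BODY = 'Works fine on 10.2 & "Jaguar"'


def demo():
    """Return (vulnerable output, hardened output) for the same input."""
    return (render_review_vulnerable(SAMPLE_NAME, SAMPLE_BODY),
            render_review(SAMPLE_NAME, SAMPLE_BODY))
```

Escape at the point of output, not on the way into the database: the same screen name may later be emitted into a JavaScript string or a URL, which need different encodings.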

•Site management desired removal of a contractor’s access before he knew of firing

•Contractor hired for dubious reasons
•Strategy
  •Wait for off-peak time
  •Verify all logins idle for several hours
  •Change password
  •Kill all other logins
  •Begin code review

•Lesson
  •Hire qualified, mature personnel

Contractor

•SYN flood attack
  •Duration: 4+ days
  •Extreme impact on site responsiveness
•Defenses
  •Turn on SYN cookies
  •Wait for attack to subside

•Try to determine source (very difficult)

Malicious Crackers 1

•Hacked vulnerable BIND in Redhat 6.0 on intranet server as part of DDoS

•Installed trojaned versions of “ls”, “ssh”, other system executables

•Caught by noticing “ls” looked funny
•Defense
  •Install patched BIND
  •Replace compromised executables

•Better defense
  •Tripwire

Malicious Crackers 2
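The “better defense” above is file-integrity checking. As an added example (not the deck's code and not Tripwire itself), a minimal baseline-and-verify checker in Python: it records SHA-256, size and mode for a list of paths and later reports which files changed, which is what would have flagged the trojaned “ls”. The demo uses a temporary file as a constructed stand-in for /bin/ls.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record digest, size and mode per path. Keep the result off the host or
    on read-only media: an intruder with root can rewrite an on-box baseline."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"sha256": file_digest(p), "size": st.st_size,
                       "mode": st.st_mode}
    return baseline


def check_baseline(baseline):
    """Return {path: reason} for every file that no longer matches."""
    findings = {}
    for p, rec in baseline.items():
        if not os.path.exists(p):
            findings[p] = "missing"
            continue
        st = os.stat(p)
        if st.st_mode != rec["mode"]:
            findings[p] = "mode changed"
        elif st.st_size != rec["size"] or file_digest(p) != rec["sha256"]:
            findings[p] = "contents changed"
    return findings


def demo():
    """Baseline a fake 'ls', overwrite it with a same-length body, re-check."""
    with tempfile.TemporaryDirectory() as d:
        ls = os.path.join(d, "ls")  # constructed stand-in for /bin/ls
        with open(ls, "wb") as f:
            f.write(b"original binary")
        base = build_baseline([ls])
        clean = check_baseline(base)
        with open(ls, "wb") as f:
            f.write(b"trojaned binary")  # same size, so only the digest differs
        return clean, list(check_baseline(base).values())
```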

•Backups
•Probing own security
•Applying security patches before breach
•Understand human issues

Proactive Defenses

•Accidental deletion of entire product database by employee

•Defense
  •Backups!

Oops!

•Difficult to tell whether things are secure

•Use analysis tools for sanity check
•Example:

ladd% sudo nmap -sS -O versiontracker.com

Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on www.versiontracker.com (66.179.48.100):
(The 1545 ports scanned but not shown below are in state: filtered)
Port State Service
80/tcp open http
81/tcp open hosts2-ns
82/tcp open xfer
83/tcp open mit-ml-dev

No OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SInfo(V=2.54BETA30%P=powerpc-apple-darwin5.3%D=4/10%Time=3E95FCAD%O=80%C=-1)
TSeq(Class=TR%IPID=RPI%TS=U)
T1(Resp=Y%DF=N%W=1FFE%ACK=S++%Flags=AS%Ops=ME)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

Probing Security 1

•Example:

sudo nmap -sS -O www.uwlax.edu

Password:

Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on webserver.uwlax.edu (138.49.128.196):
(The 1527 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
80/tcp open http
111/tcp filtered sunrpc
135/tcp filtered loc-srv
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
194/tcp filtered irc
443/tcp open https
445/tcp filtered microsoft-ds
637/tcp open unknown (lanserver)
994/tcp filtered ircs
1002/tcp open unknown (MS personalization &amp; membership services?)
1434/tcp filtered ms-sql-m
2301/tcp open compaqdiag
3389/tcp open msrdp (Microsoft Terminal Server?)
6969/tcp filtered acmsoda (Gate Crasher Trojan Horse)
10000/tcp open snet-sensor-mgmt (Network Data Management Protocol?)
12345/tcp filtered NetBus
31337/tcp filtered Elite

No exact OS matches for host

Probing Security 2
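The point of the two scans above is the sanity check: does the host expose only what the policy says it should? An added Python example (not from the deck) parses nmap 2.x port lines in the layout shown and reports every open port that is not on an allow-list; the scan text, hostname and address are constructed to mirror the second scan, and the allow-list assumes a public web server that should expose only 80/tcp and 443/tcp.

```python
import re

# One port per line, as nmap 2.x prints it: "<port>/<proto> <state> <service>".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(.*)$")


def parse_nmap_ports(text):
    """Return (port, proto, state, service) tuples; header, warning and
    OS-fingerprint lines do not match the pattern and are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3),
                          m.group(4).strip()))
    return ports


def unexpected_exposure(ports, allowed):
    """Open ports outside the (port, proto) allow-list the site should expose."""
    return [(port, proto, service)
            for port, proto, state, service in ports
            if state == "open" and (port, proto) not in allowed]


# Constructed sample modelled on the deck's second scan (not a live capture).
SAMPLE_SCAN = """\
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on webserver.example.test (192.0.2.10):
(The 1527 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
80/tcp open http
137/tcp filtered netbios-ns
443/tcp open https
3389/tcp open msrdp (Microsoft Terminal Server?)
No exact OS matches for host
"""

# Assumed policy: a public web server exposes HTTP and HTTPS, nothing else.
ALLOWED = {(80, "tcp"), (443, "tcp")}


def audit(text=SAMPLE_SCAN, allowed=ALLOWED):
    """Findings for one scan: here ftp, smtp and the RDP port are unexpected."""
    return unexpected_exposure(parse_nmap_ports(text), allowed)
```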

•Stay on top of patches
•Write applications to be paranoid
•Solving human problems requires humans
•Know your employees
•Backup, backup
•Test for security breaches

Summary

• cap’n crunch in cyberspace - http://www.webcrunchers.com/crunch/

• CERT - http://www.cert.org/

• Personal experience, 3+ years at:

• MacFixIt.com

• MacCentral.com

• VersionTracker.com

• libsafe - http://www.research.avayalabs.com/project/libsafe/

Bibliography