COMP3371 Cyber Security
Richard Henson, University of Worcester, November 2016
Week 8: Breach Prevention Strategies
Objectives:
- Compare B2B and B2C use of https against knowledge/ignorance of PKI, and the differences between "business trust" and "consumer trust"
- Explain why websites are so often hacked when PKI has been around, and trusted, for so many years
- Explain that application software, and even operating systems, are flawed, and the crucial importance of using "updates"
- Explain licensing and life-cycle support for software
Global Use of SSL/PKI
Recap of the start of PKI as (mis)used by business: https://www.sans.org/reading-room/whitepapers/vpns/business-perspective-pki-pki-implementations-fail-success-factors-728
Reports from the early days of https (2000):
- "Online shopping gets a bad rap in the press, but most of the stories reported are anecdotal tales of companies that haven't put successful defensive measures in place"
- "Web businesses running proper screening of customer information are suffering very little, with average fraud losses held to just over 1%."
- "Fraud control is clearly possible online, although many companies do not implement stringent screening and prevention measures."
Security and Online Trading as the Information Society Progressed…
- More and more businesses bought into PKI
- It was expected that these early problems were just "teething troubles" with using new technology and would soon fade away…
Data on the Move: Encryption Is Not Enough!
- The other aspect of SSL/PKI is the establishment of trust between online vendors and customers
- Usually achieved by using encryption AND providing a digital certificate system:
  - verifies the identity at each end of the communication link
  - thereby authenticating the server/user
- The savvy user knows about digital certificates and expects to be able to view them online
"Mature" Use of PKI?
- But… 15 years on, larger companies use SSL/PKI for secure communications as a matter of course!
- Conclusion: PKI is industry-standard technology
- But…
  (1) companies not applying strict security measures correctly are:
    - being defrauded
    - skewing the statistics for more responsible online traders
  (2) human error and computer misuse through software vulnerabilities continue…
So, 16 Years On…
- What is being done… and what COULD be done!
- Problem: is PKI implemented correctly?
  - What about smaller companies with less expertise?
  - Who bothers to check?
- Student research… alarming? action?? ???
Solution… Soon! Google's Browser Will Check!
- From early 2017, Google Chrome will check links and flag any https link that has flaws… https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/
- Now explained on a BrightTALK webinar…
- Hopefully, other browser manufacturers will follow this excellent practice!
Security Differences between B2B and B2C
- B2B link has "business trust" set up properly for online trading:
  - use server certificates on web servers
  - use SSL to ensure data is encrypted
  - train users to be aware of danger signs
  - share data in a limited way between organisations
- B2C:
  - customer only accesses web pages
  - uses a shopping cart system to purchase
B2C and Website Vulnerability
- Small businesses outsource many of their business functions
- Including:
  - development of the website
  - putting the website on an Internet-facing webserver
Website Vulnerabilities
- The website must have direct access to the Internet…
  - so the Internet has direct access to the website folder on the webserver
- Webbots can gather information about the business…
  - find weak links in the website!
  - and possibly weaknesses on the server, e.g. "Heartbleed not patched!" http://heartbleed.com/
Software Layers and Operating Systems (OS)
(layers, top to bottom)
- Applications
- OS functions & user interface
- OS kernel
- CPU, motherboard
What If the Operating System Has Software Faults?
- The platform becomes "unstable"!!
- Could be errors in:
  - hardware control?
  - user interface?
  - utilities?
- What would happen to:
  - applications running on a poorly designed platform?
  - businesses depending on such apps?
"Good" and "Bad" Programming
- Apollo missions to the moon: first use of programming for control, "because manual not possible…"
- Programming used to:
  - put the Apollo spacecraft into moon orbit
  - land a small craft and two astronauts
Early Example of Excellent Software
- Moon landing software (1969)… & final Presidential acclaim for safe coding (2016)
- http://www.floridatoday.com/story/tech/science/space/2016/11/26/obama-honors-apollo-software-developer-margaret-hamilton/94477822/
- https://www.youtube.com/watch?v=X1PNp_YggAA
"Moon Lander" Program
- Retro rockets of the falling LEM vehicle
- Balanced against moon gravity
- Limited amount of fuel…
- Version written in BASIC
- Very popular early microcomputer game
What Happened to "Moon Lander"?
- In reality… the start of the embedded system revolution
- "A small step for man… a giant step for mankind"… Yes, in many ways!
Is Software Always Safe?
- Written by humans!
- Depends how it is:
  - designed
  - coded
  - tested
- Lots could… and does… go wrong
  - too much trust?
  - not enough testing?
Other Apollo Programming Had a Vulnerability (!)
- Apollo guidance system: correct angle on entry into lunar orbit
- Written in Fortran (Formula Translation), the most popular engineering/technology language before "C"
- Fine in Apollo missions 8-12… but a crucial flaw: near catastrophe on Apollo 13 (remember the film?)
- https://www.youtube.com/watch?v=kAmsi05P9Uw
Vulnerabilities and Breaches (statistics)
- Apollo failure caused by lack of variable reset to zero (initialisation)
- Vulnerabilities kept occurring
- Control systems need careful testing: failure could be fatal
- Need for an engineering approach!
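The "variable not reset to zero" fault is easiest to see in running code. What follows is an added illustration, not the lecture's material and not Apollo code: a toy "Moon Lander" descent loop of the kind the BASIC game on the earlier slide implemented, written twice. In `buggy_fly` the lander's altitude, speed and fuel live in module-level variables set once when the program loads, the way a Fortran variable that is never re-zeroed behaves, so a second flight silently starts from where the first one ended; `fixed_fly` re-initialises its state on every run. All constants, the starting conditions and the burn plan are constructed (quantities are integers in decimetres and seconds so the arithmetic is exact).

```python
"""Added example (not from the lecture): a toy "Moon Lander" guidance loop that
shows the "variable not reset to zero" class of initialisation bug."""

MOON_G = 16          # lunar gravity, dm/s^2 (about 1.6 m/s^2), constructed scale
THRUST_PER_UNIT = 1  # deceleration per fuel unit burnt in one step, dm/s^2
SAFE_TOUCHDOWN = 30  # maximum touchdown speed counted as a safe landing, dm/s
START = (1000, 0, 800)   # altitude dm, speed dm/s (downward positive), fuel units


def descend(alt, vel, fuel, plan):
    """Advance the lander one second per burn command, stopping on touchdown.

    Pure function: every piece of state is passed in and returned.
    Returns (altitude, speed, fuel, landed_safely)."""
    for burn in plan:
        burn = max(0, min(burn, fuel))        # can only burn fuel that remains
        fuel -= burn
        vel += MOON_G - THRUST_PER_UNIT * burn
        alt -= vel
        if alt <= 0:
            return 0, vel, fuel, vel <= SAFE_TOUCHDOWN
    return alt, vel, fuel, False              # plan exhausted while still airborne


# Buggy: the state lives in module globals initialised once at load time, like
# a Fortran variable that is never re-zeroed. Each call continues from the end
# of the previous flight instead of from the launch conditions.
_alt, _vel, _fuel = START


def buggy_fly(plan):
    global _alt, _vel, _fuel
    _alt, _vel, _fuel, safe = descend(_alt, _vel, _fuel, plan)
    return safe


# Fixed: every flight explicitly starts from the initial conditions.
def fixed_fly(plan, start=START):
    alt, vel, fuel = start
    return descend(alt, vel, fuel, plan)[3]


# Constructed burn plan: free fall for 5 s, brake hard for 3 s, then hover down
# (a burn of 16 exactly cancels gravity). It lands at 20 dm/s, within the limit.
PLAN = [0] * 5 + [36] * 3 + [16] * 40

if __name__ == "__main__":
    print("fixed, flight 1:", fixed_fly(PLAN))   # True
    print("fixed, flight 2:", fixed_fly(PLAN))   # True
    print("buggy, flight 1:", buggy_fly(PLAN))   # True
    print("buggy, flight 2:", buggy_fly(PLAN))   # False: stale state from flight 1
```

The second buggy flight starts at altitude zero with the previous touchdown speed still in the accumulator, so the very first step registers a hard landing. Nothing in the physics changed between the two runs; only the forgotten reset did.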
B2C Software
- Consumer buys a licence to use software during its lifecycle… NOT the software itself!
- Licence may become invalid (or useless…) if the software is no longer supported
  - consumer potentially unaware
  - also applies to operating systems (!)
Publishing of Vulnerabilities
- Many disturbing examples of data breaches… and software vulnerabilities that provided access for hackers
- Records of Internet-exploitable vulnerabilities finally kept… by US security organisation MITRE
- https://cve.mitre.org/cve/cve.html
Good for Consumers
- With the MITRE initiative… software companies with faulty code named and shamed… Embarrassing…
- Over time, software will get better, i.e. fewer flaws!
Software Faults & CWE
- Lots of recent interest in why, 40+ years after Apollo, software (even operating systems…) can be unreliable!!!
- MITRE… classified software fault types through the Common Weakness/Vulnerability Enumeration (CWE/CVE)
  - community support
  - formal published list of weaknesses/vulnerabilities
- Intended use? To better describe software weaknesses in architecture, design, or code
[TSI/2012/183] © Copyright 2003-2012
More about CWE
- Full list of CWE entries: http://cwe.mitre.org/data
- CWE provides:
  - the more commonly encountered weaknesses, usually "repeat offenders"
- CWE provides:
  - a standard measuring stick for software tools targeting software weaknesses
  - a common baseline standard for efforts to identify, mitigate, and prevent software weaknesses
- Top 25 (most hacked) vulnerabilities… PTO
CWE Top 25 Faults (part 1)
Rank  ID       Name
1     CWE-79   Failure to Preserve Web Page Structure ('Cross-site Scripting')
2     CWE-89   Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
3     CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4     CWE-352  Cross-Site Request Forgery (CSRF)
5     CWE-285  Improper Access Control (Authorization)
6     CWE-807  Reliance on Untrusted Inputs in a Security Decision
7     CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
8     CWE-434  Unrestricted Upload of File with Dangerous Type
9     CWE-78   Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
10    CWE-311  Missing Encryption of Sensitive Data
11    CWE-798  Use of Hard-coded Credentials
12    CWE-805  Buffer Access with Incorrect Length Value
13    CWE-98   Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
CWE Top 25 Faults (part 2)
Rank  ID       Name
14    CWE-129  Improper Validation of Array Index
15    CWE-754  Improper Check for Unusual or Exceptional Conditions
16    CWE-209  Information Exposure Through an Error Message
17    CWE-190  Integer Overflow or Wraparound
18    CWE-131  Incorrect Calculation of Buffer Size
19    CWE-306  Missing Authentication for Critical Function
20    CWE-494  Download of Code Without Integrity Check
21    CWE-732  Incorrect Permission Assignment for Critical Resource
22    CWE-770  Allocation of Resources Without Limits or Throttling
23    CWE-601  URL Redirection to Untrusted Site ('Open Redirect')
24    CWE-327  Use of a Broken or Risky Cryptographic Algorithm
25    CWE-362  Race Condition
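To make two of the listed weaknesses concrete, here is an added example (not from the lecture and not from MITRE's CWE pages) showing CWE-89 (SQL injection) and CWE-22 (path traversal), each in its weak form beside the hardened form. It uses only Python's standard library; the in-memory users table, the names and the directory paths are constructed. The weak lookup returns every row when the name contains a quote followed by an always-true condition, while the parameterised lookup returns nothing for the same input; the weak path join lets ".." components or an absolute request leave the document root, while the hardened resolver refuses them.

```python
"""Added example (not from the lecture or MITRE): CWE-89 and CWE-22, weak form
beside hardened form, on constructed data."""
import sqlite3
from pathlib import Path


def make_db():
    """Constructed in-memory table standing in for a shop's customer database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return con


# CWE-89, weak form: the caller's text is spliced into the SQL statement, so a
# quote character in the input ends the string literal and whatever follows is
# parsed as SQL. The query's meaning is decided by the user.
def lookup_weak(con, name):
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in con.execute(sql)]


# Hardened form: the value is bound as a parameter. The statement text is fixed
# and the database engine never parses the name as SQL.
def lookup_safe(con, name):
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


# CWE-22, weak form: the requested name is joined onto the document root as-is.
# ".." components walk out of the root, and an absolute request replaces it
# entirely (Path semantics: root / "/etc/passwd" == "/etc/passwd").
def resolve_weak(root, requested):
    return Path(root) / requested


# Hardened form: normalise the joined path and refuse anything whose resolved
# location is not the root itself or a descendant of it.
def resolve_safe(root, requested):
    root = Path(root).resolve()
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        return None          # refused: the request escapes the document root
    return target


if __name__ == "__main__":
    con = make_db()
    print(lookup_safe(con, "alice"))                          # ['alice@example.com']
    print(resolve_weak("/srv/www", "../etc/passwd"))          # /srv/www/../etc/passwd
    print(resolve_safe("/srv/www", "../etc/passwd"))          # None
    print(resolve_safe("/srv/www", "docs/index.html"))        # /srv/www/docs/index.html
```

The containment check resolves the path before comparing, which is what defeats both ".." and absolute-path requests; a check on the raw string (say, rejecting inputs that contain "..") is the kind of incomplete fix that keeps these weaknesses on the list.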
Not Just Apps…
- Example of an operating system flaw
- Apple: "dangerous" flaw revealed in iOS 7 and OS X (21/2/14)
- http://gizmodo.com/why-apples-huge-security-flaw-is-so-scary-1529041062
Dangers of Not Updating…
- Flaws in software are being detected by MITRE and others all the time… usually published once a fix has been found!
- Makes sense to update to a version that has had its vulnerabilities patched!
- Hackers will know all about any vulnerabilities removed by an update, and will be eager to exploit… those who haven't updated (!)
Not Just Apple, of Course!
- Microsoft update regularly, and Windows 10 will receive updates in perpetuity: excellent practice!
- Earlier versions of Windows have a "cut-off date" for updates:
  - Windows XP was April 2014!
  - Windows 2003 Server was July 2015…
Update Management
- Essential to update all system and application software as soon as possible after release…
- Updates need to be tested… and roll-out planned accordingly!
- e.g. operating system updates will require a reboot, so "automatic" updates may cause problems!
- Generally best for the administrator to have an alert and install updates ASAP (after testing!)
Latest Versions of Applications
- Same update principles apply to apps
  - updates are free
  - may be required to upgrade to a later version: Office 2007 "updates" expiring in 2017!
- Again… test first… but there may also be a cost!
- Whether to upgrade is a matter for the fund-holder: is the cost of upgrade/training justified by
  - better security?
  - increased productivity?
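As an added example of the licensing and update-management points on the last few slides (not from the lecture), the script below runs a support-lifecycle check over a constructed asset list: it flags products that are past their end-of-support date, warns when that date is within six months, and lists installed versions behind the latest patched release. The Windows XP, Windows Server 2003 and Office 2007 entries use the published end-of-support days for the months the lecture gives; the product "AcmeCart", its version numbers, the six-month window and the host names are constructed.

```python
"""Added example (not from the lecture): support-lifecycle and pending-update
check over a constructed inventory."""
from datetime import date

# Published end-of-support dates (the lecture gives the months).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Office 2007": date(2017, 10, 10),
}

# Constructed table: latest patched release of each in-house/third-party app.
LATEST_RELEASE = {
    "AcmeCart": "2.10.1",
}

WARN_DAYS = 180   # constructed: warn when support ends within six months


def parse_version(text):
    """'2.10.1' -> (2, 10, 1). Tuples compare numerically, so 2.10.1 > 2.9.3;
    comparing the raw strings gets that wrong ('2.10.1' < '2.9.3')."""
    return tuple(int(part) for part in text.split("."))


def assess(inventory, today):
    """inventory: iterable of (host, product, installed_version).
    Returns a list of (host, product, finding); an empty list means nothing to do."""
    findings = []
    for host, product, installed in inventory:
        eol = END_OF_SUPPORT.get(product)
        if eol is not None and today > eol:
            findings.append((host, product, "unsupported since " + eol.isoformat()))
        elif eol is not None and (eol - today).days <= WARN_DAYS:
            findings.append((host, product, "support ends " + eol.isoformat()))
        latest = LATEST_RELEASE.get(product)
        if latest is not None and parse_version(installed) < parse_version(latest):
            findings.append((host, product,
                             "update %s -> %s (test, then roll out)" % (installed, latest)))
    return findings


# Constructed inventory: host, product, installed version (the Windows and
# Office entries carry their real internal version numbers).
INVENTORY = [
    ("till-01", "Windows XP", "5.1"),
    ("files-02", "Windows Server 2003", "5.2"),
    ("desk-07", "Office 2007", "12.0"),
    ("shop-web", "AcmeCart", "2.9.3"),
    ("shop-web2", "AcmeCart", "2.10.1"),
]

if __name__ == "__main__":
    for host, product, finding in assess(INVENTORY, date(2016, 11, 1)):
        print("%-10s %-22s %s" % (host, product, finding))
```

Run against the lecture's date (November 2016) the report lists the two unsupported Windows machines and the out-of-date shopping cart; run in mid-2017 it also warns that Office 2007 support is about to end, which is exactly the lead time the "test first, then roll out" advice needs.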
Updates and Development Environments
- Development software, like apps, can and does have vulnerabilities, and needs updating like all other software
- Use of an insecure old version is particularly worrying… development environments generate code
- What if that generated code has vulnerabilities…?
Insecure Development Environments
- Many web page generator examples available: Joomla… WordPress…
  - more recent versions are more likely to be secure and still have updates
  - older versions are no longer supported, so the code generated is vulnerable!
- Java Run-time… regular updates, with potential knock-on effects for Java apps…
Next Week…
- Web vulnerabilities & vulnerability testing!
- The new Google Chrome!