Presentation8 - University Of Worcester


COMP3371
Cyber Security
Richard Henson
University of Worcester
November 2016
Week 8: Breach Prevention
Strategies

Objectives:
 Compare B2B and B2C use of https to
knowledge/ignorance of PKI and differences
between “business trust” and “consumer trust”
 Explain why websites are so often hacked when
PKI has been around/trusted for so many years
 Explain that applications software and even
operating systems are flawed and the crucial
importance of using “updates”
 Explain licensing and life-cycle support for
software
Global Use of SSL/PKI

Recap of start of PKI as (mis)used by business:

 https://www.sans.org/readingroom/whitepapers/vpns/business-perspective-pki-pkiimplementations-fail-success-factors-728
Reports from early days of https… (2000):
 "Online shopping gets a bad rap in the press, but most of the
stories reported are anecdotal tales of companies that haven't
put successful defensive measures in place"
 "Web businesses running proper screening of customer
information are suffering very little, with average fraud losses
held to just over 1%.”
 “Fraud control is clearly possible online, although many
companies do not implement stringent screening and prevention
measures.”
Security and Online trading as the
Information Society progressed…

More and more businesses bought into PKI

It was expected that these early problems were
just “teething troubles” with using new
technology and would soon fade away…
Data on the move:
Encryption is not enough!

The other aspect of SSL/PKI is the
establishment of trust between online vendors
and customers
 usually achieved by using encryption AND providing
a digital certificate system:
» verifies the identity at each end of the communication link
» thereby authenticating the server/user

The savvy user knows about digital certificates
and expects to be able to view them online
“Mature” use of PKI?

15 years on, larger companies use SSL/PKI
for secure communications as a matter of
course!
 Conclusion: PKI is industry-standard technology

But…
 (1) companies not applying strict security
measures correctly are:
» being defrauded
» skewing the statistics for more responsible online traders
(2) human error/computer misuse through
software vulnerabilities continue…
So, 16 years on…
What is being done… and
what COULD be done!

Problem:
is PKI implemented correctly?
What about smaller companies with
less expertise?
Who bothers to check?
» student research… alarming?
» action?? ???
Solution… soon!
Google’s Browser will check!

From early 2017, Google Chrome will
check links and show any https link that
has flaws…
https://www.wired.com/2016/11/googleschrome-hackers-flip-webs-security-model/
Now explained on BrightTalk webinar…

Hopefully, other Browser manufacturers
will follow this excellent practice!
Security Differences between
B2B and B2C

B2B link has “business trust”
set up properly for online trading:
use server certificates on web servers
use SSL to ensure data is encrypted
train users to be aware of danger signs
share data in a limited way between
organisations

B2C: customer only accesses web pages
uses shopping cart system to purchase
B2C and Website Vulnerability

Small businesses outsource many of
their business functions

Including:
development of website
putting website on an Internet-facing
webserver
Website Vulnerabilities

The website must have direct access to
the Internet
so the Internet has direct access to the website
folder on the webserver
webbots can gather information about the
business…
» find weak links in the website!
» and possibly weaknesses on the server
» e.g. “Heartbleed not patched!”

http://heartbleed.com/
Software Layers and Operating Systems (OS)

Applications
OS functions & user interface
OS kernel
CPU, motherboard
What if the Operating System
has software faults?
The platform becomes “unstable”!!
 Could be errors in

hardware control?
user interface?
utilities?

What would happen to:
applications running on a poorly designed
platform?
businesses depending on such apps?
“Good” and “Bad”
programming

Apollo missions to the moon
first use of programming for control
“because manual not possible…”

Programming used to:
put Apollo spacecraft into moon orbit
land a small craft and two astronauts
Early example of excellent software

Moon landing software (1969)…
& final Presidential acclaim for safe coding (2016)
» http://www.floridatoday.com/story/tech/science/space/2016/11/26/obama-honors-apollosoftware-developermargarethamilton/94477822/
https://www.youtube.com/watch?v=X1PNp_YggAA
“Moon Lander” Program
Retro rockets of falling LEM vehicle
 Balanced against moon gravity
 Limited amount of fuel…
 Version written in BASIC
 Very popular early microcomputer game

What happened to
“Moon Lander”?

In reality…
start of the embedded system revolution

“A small step for man… a giant step for
mankind”…
Yes, in many ways!
Is software always safe?
Written by humans!
 Depends how it is:

designed
coded
tested

Lots could… and does… go wrong
too much trust?
not enough testing?
Other Apollo Programming
had vulnerability (!)

Apollo guidance system – correct angle
on entry into lunar orbit
written in Fortran (Formula Translation)
» most popular engineering/technology language
before “C”

Fine in Apollo missions 8-12…
but crucial flaw: near catastrophe… on
Apollo 13 (remember the film?)
» https://www.youtube.com/watch?v=kAmsi05P9Uw
Vulnerabilities and Breaches
(statistics)

Apollo failure caused by lack of variable
reset to zero (initialisation)
vulnerabilities kept occurring
control systems need careful testing
failure could be fatal
Need for an engineering approach!
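The initialisation fault described above, shown as an added example that is not Apollo code and not from the slides: a control correction whose accumulated-error term lives in a static that is never reset, beside a version where the caller initialises the state at the start of every mission. The gains KP and KI, the target/actual angles and the sample counts are made-up assumptions.

```c
#include <stdio.h>

/* Constructed example: a proportional-integral angle correction whose
 * "integral" term sums the error seen so far in ONE mission. Nothing here
 * is real Apollo code; the gains and sample values are made up. */
#define KP 0.5
#define KI 0.1

/* Buggy variant: the accumulator is a static that is zero only on the
 * first-ever call, so a later mission inherits the earlier one's error. */
double correction_buggy(double target, double actual)
{
    static double integral;            /* never reset between missions */
    integral += target - actual;
    return KP * (target - actual) + KI * integral;
}

/* Fixed variant: the caller owns the state and initialises it explicitly
 * at the start of every mission, so no stale value can survive. */
typedef struct { double integral; } ControlState;

void control_init(ControlState *s) { s->integral = 0.0; }

double correction_fixed(ControlState *s, double target, double actual)
{
    s->integral += target - actual;
    return KP * (target - actual) + KI * s->integral;
}

/* One fresh mission of n samples on the fixed path; returns the final value. */
double fresh_mission_fixed(int n, double target, double actual)
{
    ControlState s;
    control_init(&s);
    double c = 0.0;
    while (n-- > 0) c = correction_fixed(&s, target, actual);
    return c;
}

/* Tolerant comparison so checks do not depend on exact binary doubles. */
int near(double a, double b) { return a - b < 1e-9 && b - a < 1e-9; }

int main(void)
{
    for (int mission = 1; mission <= 2; mission++) {  /* fly it twice */
        double b = 0.0;
        for (int i = 0; i < 3; i++) b = correction_buggy(10.0, 8.0);
        printf("mission %d: fixed %.2f  buggy %.2f\n", mission,
               fresh_mission_fixed(3, 10.0, 8.0), b);
    }
    return 0;   /* fixed: 1.60 both times; buggy: 1.60 then 2.20 */
}
```

The second mission is identical to the first, so any difference between the two outputs is the stale state, which is exactly what a test run of the routine in isolation would never reveal.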
B2C Software

Consumer buys a license to use
software during its lifecycle…
NOT the software itself!

License may become invalid (or
useless…) if software no longer
supported
consumer potentially unaware
also applies to operating systems (!)
Publishing of Vulnerabilities

Many disturbing examples of data
breaches…
and software vulnerabilities that provided
access for hackers

Records of Internet exploitable
vulnerabilities finally kept…
US security organisation Mitre
» https://cve.mitre.org/cve/cve.html
Good for Consumers

With Mitre initiative…
Software companies with faulty code
named and shamed…
Embarrassing…

Over time, software will get better
i.e. fewer flaws!
Software Faults & CWE


A lot of recent interest in why, 40+ years after
Apollo, software (even operating systems…)
can still be unreliable!!!
Mitre…
 classified software fault types through Common
Weakness/Vulnerability Enumeration (CWE/CVE)
» community support
» formal published list weaknesses/vulnerabilities

Intended use?
to better describe software weaknesses in
architecture, design, or code
[TSI/2012/183]
© Copyright 2003-2012
More about CWE

Full list of CWE entries…
http://cwe.mitre.org/data
more commonly encountered weaknesses
usually “repeat offenders”

CWE provides:
standard measuring stick for software tools
targeting software weaknesses
common baseline standard for efforts to
identify, mitigate, and prevent software
weaknesses
 Top 25 (most hacked) vulnerabilities… PTO
CWE Top 25 faults (part 1)

Rank  ID       Name
1     CWE-79   Failure to Preserve Web Page Structure ('Cross-site Scripting')
2     CWE-89   Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
3     CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4     CWE-352  Cross-Site Request Forgery (CSRF)
5     CWE-285  Improper Access Control (Authorization)
6     CWE-807  Reliance on Untrusted Inputs in a Security Decision
7     CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
8     CWE-434  Unrestricted Upload of File with Dangerous Type
9     CWE-78   Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
10    CWE-311  Missing Encryption of Sensitive Data
11    CWE-798  Use of Hard-coded Credentials
12    CWE-805  Buffer Access with Incorrect Length Value
13    CWE-98   Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
CWE Top 25 faults (part 2)

Rank  ID       Name
14    CWE-129  Improper Validation of Array Index
15    CWE-754  Improper Check for Unusual or Exceptional Conditions
16    CWE-209  Information Exposure Through an Error Message
17    CWE-190  Integer Overflow or Wraparound
18    CWE-131  Incorrect Calculation of Buffer Size
19    CWE-306  Missing Authentication for Critical Function
20    CWE-494  Download of Code Without Integrity Check
21    CWE-732  Incorrect Permission Assignment for Critical Resource
22    CWE-770  Allocation of Resources Without Limits or Throttling
23    CWE-601  URL Redirection to Untrusted Site ('Open Redirect')
24    CWE-327  Use of a Broken or Risky Cryptographic Algorithm
25    CWE-362  Race Condition
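As an added illustration of entries 3 (CWE-120) and 12 (CWE-805) from the list above, not code from the slides or from any real product: a fixed-size name field filled by an unchecked strcpy, beside a version that checks the input against the real size of the destination before copying. The Account struct, NAME_LEN and the sample names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example of Top 25 entries 3 (CWE-120) and 12 (CWE-805):
 * a fixed-size name field filled by an unchecked copy, beside a
 * length-checked version. Not taken from any real product. */
#define NAME_LEN 16

typedef struct { char name[NAME_LEN]; int id; } Account;

/* Weak (CWE-120): strcpy copies until src's terminator however long src is,
 * so a name of 16+ characters runs past name[] into id and beyond. Using
 * strlen(src) as the copy length instead would be CWE-805: the length of
 * the source, not of the destination. */
void set_name_unchecked(Account *a, const char *src)
{
    strcpy(a->name, src);
}

/* Hardened: compare the input length with the real size of the destination
 * (leaving room for the NUL terminator) before copying. Returns 0 on
 * success, -1 if the input is rejected; name[] is always NUL-terminated. */
int set_name_checked(Account *a, const char *src)
{
    size_t n = strlen(src);
    if (n >= sizeof a->name) {       /* no room for n chars + terminator */
        a->name[0] = '\0';
        return -1;
    }
    memcpy(a->name, src, n + 1);     /* n + 1 includes the terminator */
    return 0;
}

/* Convenience for checks: does the hardened setter accept this input? */
int name_accepted(const char *src) { Account a; return set_name_checked(&a, src) == 0; }

int main(void)
{
    Account a;
    const char *inputs[] = { "alice", "fifteen_chars__", "sixteen_chars___" };
    for (int i = 0; i < 3; i++)
        printf("%-18s -> %s\n", inputs[i],
               set_name_checked(&a, inputs[i]) == 0 ? "stored" : "rejected");
    return 0;   /* the 16-character name is rejected: no room for the NUL */
}
```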
Not just apps… Example of an
operating system flaw

Apple:
“dangerous” flaw revealed in iOS 7 and X
(21/2/14)
http://gizmodo.com/why-apples-hugesecurity-flaw-is-so-scary-1529041062
Dangers of not Updating…

Flaws in software being detected by Mitre
and others all the time…

usually published once a fix has been found!
» makes sense to update to a version that has had
vulnerabilities patched!
hackers will know all about any vulnerabilities
removed by an update, and will be eager to
exploit… those who haven’t updated (!)
Not just Apple, of course!

Microsoft update regularly, and
Windows 10 will receive updates in
perpetuity
excellent practice!

Earlier versions of Windows have a “cut
off date” for updates
Windows XP was April 2014!
Windows 2003 Server was July 2015…
Update Management

Essential to update all system and
application software as soon as
possible after release…
updates need to be tested…
And roll out planned accordingly!
e.g. operating system updates will require
reboot
» so “automatic” updates may cause problems!
» generally best for administrator to have an alert
and install updates asap (after testing!)
Latest versions of Applications

Same update principles apply to apps
updates free
may be required to upgrade to later version
» Office 2007 “updates” expiring in 2017!
again… test first… but may also be a cost!

Whether to upgrade
matter for fund-holder
is cost of upgrade/training justified:
» better security?
» increased productivity?
Updates and Development
Environments

Development environments, like apps:
can and do have vulnerabilities
need updating like all other software

Use of insecure old version particularly
worrying…
development environments generate code
What if that code has vulnerabilities…?
Insecure Development
Environments

Many web page generator examples
available
Joomla… WordPress…
» more recent versions more likely to be secure
and still have updates
» older versions no longer supported so code
generated is vulnerable!

Java Run-time…
regular updates
» potential knock-on effects for Java apps…
Next Week…

Web vulnerabilities & Vulnerability
Testing!

The New Google Chrome!