Lesson 13: Security


Warning

This lesson is under construction. Learn from it at your own risk. If you have any feedback, please fill out our General Feedback Survey.

Overview

Security

se·cu·ri·ty ( siˈkyo͝oritē ) [ noun ]

The state of being free from danger or threat.

The safety of a state or organization against criminal activity such as terrorism, theft, or espionage.

Types of Security

XKCD on WiFi Security

There are three main types of security in computing:

Physical Security
Use physical barriers to prevent unauthorized access to data
Software Security
Fix flaws in your application that could grant attackers unwanted levels of access to your systems

Network Security

Security pertaining to networked services (websites, databases, etc.).

  • Active: an intruder initiates commands to disrupt the network's normal operation (Denial-of-Service, Ping of Death).
  • Passive: a network intruder intercepts data traveling through the network (Man-in-the-Middle, Wiretapping, Idle Scan).

Each of these encompasses a field of computer security unto itself. We will at least mention each of them in more detail, but we will focus on network security in this course.

Threat Models

Threat models allow you to focus and limit your security resources on what is necessary instead of what is possible.

Threat models are the assessment of which attacker you are protecting against. This is so you don't spend too much time in a panic attack trying to protect your tiny webapp from the NSA.

Access Control

XKCD Identity Comic

Access Control is a framework for controlling who has access to what resources on a system. There are many ways to implement Access Control, but the three basic principles of Access Control are Identification, Authentication, and Authorization.

Passwords / Passphrases

Problems with Passwords

Passwords are a necessary part of security. They aren't great, though, for a few reasons.

Solutions for Passwords

Choosing Pass-phrases

Relevant funny bash.org post

XKCD passwords comic

Certificates and HTTPS

HTTPS Lock in Browser URL Bar

Types of Attacks

Frequency of online attacks (37% Cross Site Scripting, 16% SQL Injection, etc)

Code Injection

Billy Droptables XKCD Comic

Code Injection is the act of inserting code into a running process (website, webapp, word processor, etc.) with malicious intention.

Code Injection Attacks

SQL Injection:
SQL Injection takes advantage of the fact that a form input is inserted directly into a SQL query. Instead of a password, you write text that closes the original query and adds a new one, for example to drop all tables or return all data, exploiting an easy security hole.
+-----------+----------------------------------------+
| username: | admin                                  |
+-----------+----------------------------------------+
| password: | pass' || true); DROP TABLE STUDENTS;-- |
+-----------+----------------------------------------+
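The login form above, as an added example that is not part of the original lesson: a login check that pastes the form fields into the SQL text (the bug the slide describes) next to the same check written with a parameterized query, plus the same pair for a DELETE so the slide's DROP TABLE payload can be seen to work against the first form and fail against the second. The table layout, sample rows and plaintext password storage are constructed for the demo; it runs against an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data for this demo (not from the original slides).
# Passwords are stored in plaintext here purely to keep the demo short.
SAMPLE_USERS = [("admin", "hunter2"), ("alice", "correct horse battery staple")]
SAMPLE_STUDENTS = ["Robert", "Elaine"]


def make_db():
    """Fresh in-memory SQLite database with a users table and a students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO students VALUES (?)", [(s,) for s in SAMPLE_STUDENTS])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The slide's bug: form fields are pasted straight into the SQL text.

    A password of  ' OR '1'='1  turns the WHERE clause into
    (username = 'admin' AND password = '') OR '1'='1', which matches every row,
    so the check passes without knowing any password.
    """
    query = (f"SELECT COUNT(*) FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    (count,) = conn.execute(query).fetchone()
    return count > 0


def login_safe(conn, username, password):
    """Parameterized query: the driver passes the values separately from the SQL,
    so quotes inside the password are just characters of the password."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    (count,) = conn.execute(query, (username, password)).fetchone()
    return count > 0


def delete_student_vulnerable(conn, name):
    """Same bug on a DELETE, run through executescript (which, like several database
    APIs, accepts multiple ';'-separated statements). The slide's DROP TABLE payload
    therefore runs: the name closes the quoted string, ';' ends the DELETE, and
    '--' comments out the leftover quote."""
    conn.executescript(f"DELETE FROM students WHERE name = '{name}'")


def delete_student_safe(conn, name):
    """Parameterized DELETE: the whole payload is compared against the name column,
    matches nothing, and the table is untouched."""
    conn.execute("DELETE FROM students WHERE name = ?", (name,))
    conn.commit()


def table_exists(conn, table):
    """True if a table of this name still exists in the database."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def count_students(conn):
    (count,) = conn.execute("SELECT COUNT(*) FROM students").fetchone()
    return count


if __name__ == "__main__":
    login_payload = "' OR '1'='1"
    db = make_db()
    print("vulnerable login with injected password:", login_vulnerable(db, "admin", login_payload))
    print("parameterized login with same input:   ", login_safe(db, "admin", login_payload))

    drop_payload = "x'; DROP TABLE students; --"
    db = make_db()
    delete_student_vulnerable(db, drop_payload)
    print("students table survives vulnerable DELETE:    ", table_exists(db, "students"))
    db = make_db()
    delete_student_safe(db, drop_payload)
    print("students table survives parameterized DELETE:", table_exists(db, "students"))
```

The fix is the same in every language and driver: never build the statement by concatenating user input; pass the values as bound parameters (or through an ORM that does so) and the database never interprets them as SQL.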

Cross-Site Scripting (XSS):
Cross-Site Scripting is when a malicious script is sent to, and run on, a person's computer. This tends to take advantage of the fact that your browser blindly runs any JavaScript you tell it to.
<img src="x" onerror="alert('Tracking your IP with a GUI interface!')">

Cross-Site Request Forgery (CSRF):
CSRF is when one website in your browser tries to carry out an action as you on a different website. For instance, you're an admin of some big social media website; you get an email, and embedded in the email is a CSRF script that tries to delete all user accounts on your website. Since your credentials are cached, your browser doesn't know better and sends that request, because it looks like any other request.
<img src="http://example.com/?action=Delete+All+Accounts">

Code Injection Defenses

Some of these attacks are very hard to fight against, but they all have industry-tested solutions that are easy enough to implement in an application of your own.

Sanitize Inputs
Input sanitization is when your code inspects a piece of input to see if it looks like SQL or code of any kind. If it does look like code it's probably malicious, so your program errors out and tells the user to enter a real input.
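One way to implement this check, as an added example that is not part of the original lesson: a form validator that accepts only values matching an allow-list of expected shapes per field (a username, a numeric ID, a year) and rejects everything else with the "enter a real input" message. It does not try to recognise SQL or HTML, which is harder to get right; anything outside the allowed shape is refused. The field names and patterns are assumptions for the demo, and validation like this complements, rather than replaces, parameterized queries and output encoding.

```python
import re

# Allow-list shapes per form field (assumed for this demo; adjust to your application).
FIELD_RULES = {
    "username": re.compile(r"[a-z0-9_]{3,32}"),
    "student_id": re.compile(r"[0-9]{1,9}"),
    "year": re.compile(r"(19|20)[0-9]{2}"),
}


class InvalidInput(ValueError):
    """Raised when a submitted value does not match the allowed shape for its field."""


def validate_field(field, value):
    """Accept a value only if its entire content matches the field's allow-list
    pattern. Quotes, semicolons, angle brackets and comment markers never match,
    so injection payloads are rejected without being recognised as such."""
    try:
        rule = FIELD_RULES[field]
    except KeyError:
        raise InvalidInput(f"unexpected field '{field}'") from None
    if not isinstance(value, str) or rule.fullmatch(value) is None:
        raise InvalidInput(f"{field}: please enter a real {field.replace('_', ' ')}")
    return value


def validate_form(form):
    """Validate every submitted field. Returns (clean_values, errors); the caller
    proceeds only when errors is empty and uses clean_values from then on."""
    clean, errors = {}, {}
    for field, value in form.items():
        try:
            clean[field] = validate_field(field, value)
        except InvalidInput as exc:
            errors[field] = str(exc)
    return clean, errors


if __name__ == "__main__":
    # Constructed form submissions: one ordinary, one carrying the slide's payload.
    print(validate_form({"username": "admin", "student_id": "42", "year": "2024"}))
    print(validate_form({"username": "admin",
                         "student_id": "pass' || true); DROP TABLE STUDENTS;--"}))
```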

CSRF Tokens
A CSRF token is a unique string that has to be attached to each request you send to a server. You don't need to log back in each time you get a new one, but the application won't complete your action unless the token is included in your request. This means only the website you're logged into can send a real request, because only that website knows the CSRF token.
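The token mechanism described above, as an added example that is not part of the original lesson: the server mints a random token per session, embeds it in its own form, and refuses the account-deletion action unless the submitted token matches the one stored for the session the cookie names. A forged request from another site carries the cookie but not the token, so it is rejected. The in-memory session store, the endpoint name and the form are constructed for the demo.

```python
import hmac
import secrets

# In-memory session store, constructed for this demo (a real app uses its session backend).
SESSIONS = {}


def start_session(user):
    """Log a user in: create a session ID (sent to the browser as a cookie) and mint
    a random CSRF token that is stored server-side and bound to that session."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def render_form(session_id):
    """The site's own page embeds the token in a hidden field. Another site cannot
    read this page (same-origin policy), so it cannot learn the token."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form method="post" action="/delete_all_accounts">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<button>Delete all accounts</button></form>'
    )


def handle_delete_all_accounts(cookie_session_id, form):
    """State-changing endpoint. The browser attaches the session cookie to any
    request, including one triggered by an <img> tag on another site, so the
    cookie alone must not authorize the action: the form must also carry the
    token that only the legitimate page knew. Returns (status, message)."""
    session = SESSIONS.get(cookie_session_id)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # compare_digest keeps the comparison constant-time so the token is not
    # leaked byte by byte through timing differences.
    if not hmac.compare_digest(session["csrf_token"], submitted):
        return 403, "missing or invalid CSRF token"
    return 200, f"all accounts deleted by {session['user']}"


def rotate_csrf_token(session_id):
    """Issue a fresh token (for example on re-login); copies of the old one stop working."""
    SESSIONS[session_id]["csrf_token"] = secrets.token_urlsafe(32)
    return SESSIONS[session_id]["csrf_token"]


if __name__ == "__main__":
    sid = start_session("admin")
    # Request forged from another site: cookie present, no token.
    print(handle_delete_all_accounts(sid, {"action": "Delete All Accounts"}))
    # Request from the site's own form: cookie plus the embedded token.
    print(handle_delete_all_accounts(sid, {"csrf_token": SESSIONS[sid]["csrf_token"]}))
```

Most web frameworks ship this as middleware; the two things to verify when enabling it are that every state-changing route actually checks the token and that the token is unpredictable (drawn from `secrets` or the platform's CSPRNG, never derived from something the attacker can guess).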

Web Server Attacks

Apache Version Vulnerability

Web server attacks take advantage of vulnerabilities in specific versions or default configurations of web servers.

Discovering Vulnerabilities

  1. Test and document the bug to verify it exists.
    If you think you encountered a bug, make sure you can replicate it. If you can't, how can you expect the developers to recreate it?
  2. Disclose it privately to those responsible for fixing it.
    Provide examples. It's basically a bug report, but through private channels (not the public tracker yet!).
  3. Give them time to release a patch before announcing it.
    Google waits 90 days to announce a bug after informing the developers.

Further Reading

codebashing.com/sql_demo
Try your hand at actual SQL Injection attacks
OverTheWire Wargames
Learn the basics of offensive security by solving challenges and using exploits to gain access to the password for the next level.