[CB16] Around the Web in 80 Hours: Scalable Fingerprinting with Chromium Automation by Isaac Dawson, CODE BLUE
6. GOOD GUYS & GALS BAD GUYS & GALS
SANITIZE INPUT
2 FACTOR AUTH
WEAK-PASSWORD CHECKS
ENCRYPT DATA AT REST
HTTPS
DEFAULT ADMIN PASSWORD
MORE...
7. "ANY FOOL CAN THROW A STONE
DOWN A WELL, BUT IT TAKES A
WISE MAN TO GET IT OUT"
- Chinese proverb (probably)
8. LET'S FOCUS ON WHAT WE CAN DO
VECTORS
• Platform: OS, Network, CPU
• Client: XSS, HTTPS, CSRF, etc
• Social Engineering, Physical Security
• Application: Dependencies, Authentication, Authorization, Encryption, etc
9. ⸠Platform: OS, Network, CPU
⸠Client: XSS, HTTPS, CSRF, etc
⸠Social Engineering, Physical Security
⸠Application: Dependencies, Authentication,
Authorization, Encryption, etc
LET'S FOCUS ON WHAT WE CAN DO
VECTORS
11. WHY IS THIS IMPORTANT?
STRUTS IS EVERYWHERE
• RedMonk estimates that at least 65% of the Fortune 100 companies are actively using the Struts framework.
• According to the Struts website: Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader's Digest, Office Depot, and SHOWTIME have used the framework.
14. Equifax has been intensely investigating the scope of the intrusion with the
assistance of a leading, independent cybersecurity firm to determine what
information was accessed and who has been impacted. We know that
criminals exploited a U.S. website application vulnerability. The vulnerability
was Apache Struts CVE-2017-5638. We continue to work with law
enforcement as part of our criminal investigation, and have shared
indicators of compromise with law enforcement.
Equifax Statement
IT WAS CVE-2017-5638
https://help.equifax.com/s/article/What-was-the-vulnerability
16. AGENDA
• CVE-2017-5638 deep dive
• How it led to the Equifax hack
• Why it shouldn't have happened
• How you can make sure it doesn't happen to you
18. HOW IT WORKS
CVE-2017-5638
• Send a multipart/form-data request to the Upload action
• Add a Content-Type header with an OGNL expression
• The server will execute arbitrary Java code in the expression
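Because the injection point is the Content-Type header itself, the request is easy to spot on the wire: a legitimate Content-Type is a media type ("type/subtype") plus optional parameters, while an injected one carries OGNL expression markers. The check below is an added example (not from the talk) that a practitioner could run over proxy or access-log data; the request lines are constructed and the expression bodies are placeholders.

```python
import re

# Constructed sample requests (method, path, Content-Type value); not real traffic.
# The last two carry OGNL expression markers instead of a media type.
SAMPLE_REQUESTS = [
    ("POST", "/upload.action", "multipart/form-data; boundary=----constructed"),
    ("GET", "/accounts/view", "text/html"),
    ("POST", "/upload.action", "%{(#_='multipart/form-data').(#CONSTRUCTED)}"),
    ("POST", "/doUpload.action", "${#CONSTRUCTED_EXPRESSION}"),
]

# A well-formed media type: token "/" token, then optional ";" parameters (RFC 7230 tchar set).
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
MEDIA_TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}(\s*;.*)?$", re.DOTALL)
# Both OGNL expression delimiters Struts evaluates; neither belongs in a media type.
OGNL_MARKERS = ("%{", "${")


def content_type_findings(value: str) -> list[str]:
    """Return the reasons a Content-Type value looks like an OGNL injection attempt."""
    reasons = []
    if not MEDIA_TYPE_RE.match(value):
        reasons.append("not a well-formed media type")
    for marker in OGNL_MARKERS:
        if marker in value:
            reasons.append(f"contains OGNL marker {marker!r}")
    return reasons


def scan(requests):
    """Return (index, path, reasons) for every request with a suspicious Content-Type."""
    return [
        (i, path, reasons)
        for i, (_method, path, content_type) in enumerate(requests)
        if (reasons := content_type_findings(content_type))
    ]


if __name__ == "__main__":
    for index, path, reasons in scan(SAMPLE_REQUESTS):
        print(f"request {index} to {path}: {'; '.join(reasons)}")
```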
26. HOW IT HAPPENED...
TIMELINE (2017)
• March 6: CVE-2017-5638 (S2-045) discovered
• March 7: Struts 2.3.32 and 2.5.10.1 released with a fix
• May to July: Equifax says hackers gained unauthorized access to its data
• July 29: Equifax discovers the hack and immediately stops the intrusion
• September 7: Equifax officially alerts the public
28. VERIZON DATA BREACH INVESTIGATIONS REPORT
• More than 70% of real-world attacks exploit a known vulnerability for which a fix is available but has not yet been applied
http://www.verizonenterprise.com/verizon-insights-lab/dbir/
55. KNOW YOUR DEPENDENCIES
TAKE ACTION!
1. Automate: mvn versions:update-properties
2. Generate dependency reports
3. Use dependency monitoring: https://snyk.io
4. Use Gradle and dependencies.lock
5. Watch NVD feeds: https://nvd.nist.gov/
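Dependency reports are only useful if something compares them against the fixed versions, so here is an added example (not from the talk) that reads a Maven pom, resolves a `${property}` version reference, and flags a struts2-core version older than the fix on its branch. It uses only the two fixed releases named on the timeline slide (2.3.32 and 2.5.10.1); the pom fragment is constructed.

```python
import xml.etree.ElementTree as ET

# Fixed releases named on the timeline slide, keyed by branch (major, minor).
FIXED_VERSIONS = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml fragment, not from any real project.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.5.10</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId><artifactId>other-lib</artifactId><version>1.0</version>
    </dependency>
  </dependencies>
</project>"""


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); parsing stops at the first non-numeric qualifier."""
    parts = []
    for part in text.split("."):
        if not part.isdigit():
            break
        parts.append(int(part))
    return tuple(parts)


def is_vulnerable(version):
    """True if this struts2-core version is older than the fixed release on its branch."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return False  # branch not covered by the fix data we have; report, do not guess
    return parsed < fixed  # tuple compare: (2, 5, 10) < (2, 5, 10, 1)


def struts_versions(pom_xml):
    """Return every struts2-core version declared in a pom, resolving ${prop} references."""
    root = ET.fromstring(pom_xml)
    props_el = root.find("m:properties", POM_NS)
    props = {} if props_el is None else {p.tag.split("}")[1]: p.text for p in props_el}
    found = []
    for dep in root.iterfind("m:dependencies/m:dependency", POM_NS):
        if dep.findtext("m:artifactId", namespaces=POM_NS) != "struts2-core":
            continue
        version = dep.findtext("m:version", namespaces=POM_NS) or ""
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], version)
        found.append(version)
    return found


def audit(pom_xml):
    """Return [(version, vulnerable)] for each struts2-core dependency in the pom."""
    return [(v, is_vulnerable(v)) for v in struts_versions(pom_xml)]
```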
56. STRUTS WAS NOT THE ONLY CULPRIT
MANY REASONS
• Using dependencies with known vulnerabilities
• Failure to sanitize user input
• Lack of network segmentation
• Inadequate encryption of PII
• Ineffective intrusion detection mechanisms
59. WHAT TO LOG?
• Logins (successful and failed)
• Logouts
• Password changes
• User profile changes
• Password reset
• User de-registration
• Authorization failures
• Changes to access levels
• Operational activities (backups)
• Input validation failures
• Any sensitive operation
60. WHAT NOT TO LOG
• Session ID (hash instead)
• Passwords
• Anything sensitive
61. WHAT NOT TO LOG
• In 2012, Radu Dragusin discovered a log file on a public IEEE FTP server that contained more than 100,000 usernames and passwords
• Google, Apple, Microsoft, Oracle, IBM
62. IN ADDITION TO INFO, WARN, DEBUG, ETC
HOW TO LOG
• SECURITY_SUCCESS
• SECURITY_FAILURE
• SECURITY_AUDIT
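The three slides above fit together: dedicated SECURITY_* levels make security events easy to filter, and a scrubbing step keeps session IDs and passwords out of the file. This added example (not from the talk) wires both into Python's standard `logging` module; the level numbers, the `session_id=` / `password=` field syntax and the sample messages are assumptions.

```python
import hashlib
import logging
import re

# Custom levels sitting between the standard INFO/WARNING/ERROR values (assumed numbering).
SECURITY_SUCCESS, SECURITY_FAILURE, SECURITY_AUDIT = 21, 31, 41
for level, name in ((SECURITY_SUCCESS, "SECURITY_SUCCESS"),
                    (SECURITY_FAILURE, "SECURITY_FAILURE"),
                    (SECURITY_AUDIT, "SECURITY_AUDIT")):
    logging.addLevelName(level, name)


class SecurityFilter(logging.Filter):
    """Hash session ids and drop passwords before the record is ever formatted."""

    def filter(self, record):
        msg = record.getMessage()
        # A hashed session id still lets you correlate one session across lines.
        msg = re.sub(r"(session_id=)(\S+)",
                     lambda m: m.group(1) + hashlib.sha256(m.group(2).encode()).hexdigest()[:16],
                     msg)
        msg = re.sub(r"(password=)\S+", r"\1[REDACTED]", msg)
        record.msg, record.args = msg, ()
        return True


class ListHandler(logging.Handler):
    """Keeps formatted lines in memory so the result can be inspected (file handler in practice)."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def make_security_logger(name="security"):
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s who=%(user)s %(message)s"))
    handler.addFilter(SecurityFilter())
    logger.handlers = [handler]
    return logger, handler


def demo():
    """Log one event per custom level (constructed messages) and return the scrubbed lines."""
    logger, handler = make_security_logger()
    logger.log(SECURITY_SUCCESS, "login ok session_id=abc123", extra={"user": "alice"})
    logger.log(SECURITY_FAILURE, "login failed password=hunter2", extra={"user": "bob"})
    logger.log(SECURITY_AUDIT, "password change for account 42", extra={"user": "alice"})
    return handler.lines
```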
64. YOUR LOGS SHOULD BE ABLE TO ANSWER THESE QUESTIONS
LOGGING
• What happened?
• Who did it?
• When did it happen?
• How was our security circumvented?
• What data was viewed or modified?
• How can we prevent this from happening again?
66. OWASP APP SENSOR PROJECT
• Detect and respond to attacks from within the application
67. APP LAYER INTRUSION DETECTION
• Traditional intrusion detection systems focus on attacks below the HTTP layer
• They do not provide context within the application environment
74. @Path("/accounts")
    public class AccountViewHandler {
        @Inject
        AppSensorClient ids;

        @Inject
        AccountDao accountDao;   // the slide uses accountDao without declaring it

        @GET
        @Path("/view")
        Account findAccount(@QueryParam("id") String id) throws NotAuthorizedException {
            User user = UserContext.getCurrentUser();
            if (!user.isAuthorized(Data.Account, id)) {
                // Failed authorization check: report it to AppSensor as a detection point event
                Event event = new Event(new User(user.getUsername()),
                                        DetectionPoints.BRUTE_FORCE_ACCOUNT);
                ids.addEvent(event);
                throw new NotAuthorizedException("Not authorized to access this account.");
            }
            return accountDao.find(id);
        }
    }
76. TAKE ACTION
INTRUSION DETECTION
• Log all security related actions
• Except secrets
• Monitor your logs
• Add Detection Points
• React to Detection Point Triggers
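The handler on slide 74 only reports an event; the detection point logic that counts events per user and reacts once a threshold is crossed lives in AppSensor. This added example (not the AppSensor project's code and not from the talk) shows that loop end to end in Python: a windowed threshold per (detection point, user), escalating responses on repeated triggers, and a findAccount analogue that feeds it. The threshold, window, response names and the authorization table are constructed.

```python
import time
from collections import defaultdict, deque


class DetectionPoint:
    """Fires when `threshold` events for one user fall inside `window` seconds."""

    def __init__(self, name, threshold, window, responses):
        self.name, self.threshold, self.window = name, threshold, window
        self.responses = responses  # escalating responses, one per trigger


class AppSensorClient:
    def __init__(self):
        self.points = {}
        self.events = defaultdict(deque)  # (point, user) -> timestamps in the current window
        self.triggers = defaultdict(int)  # (point, user) -> how often it has fired
        self.responses = []               # (user, point, response) audit trail

    def register(self, point):
        self.points[point.name] = point

    def add_event(self, user, point_name, now=None):
        """Record an event; return the response if the detection point triggered, else None."""
        point = self.points[point_name]
        now = time.time() if now is None else now
        key = (point_name, user)
        window = self.events[key]
        window.append(now)
        while window and now - window[0] > point.window:  # forget events outside the window
            window.popleft()
        if len(window) < point.threshold:
            return None
        window.clear()  # start counting afresh after a trigger
        step = min(self.triggers[key], len(point.responses) - 1)
        self.triggers[key] += 1
        response = point.responses[step]
        self.responses.append((user, point_name, response))
        return response


AUTHORIZED = {"alice": {"1", "2"}, "mallory": {"7"}}  # constructed authorization table


def find_account(ids, user, account_id, now=None):
    """Python analogue of the slide's findAccount: report the failed check, then refuse."""
    if account_id not in AUTHORIZED.get(user, set()):
        response = ids.add_event(user, "BRUTE_FORCE_ACCOUNT", now)
        raise PermissionError(f"Not authorized to access this account (response: {response})")
    return {"id": account_id, "owner": user}


def demo():
    """mallory probes six accounts in six seconds; returns the responses that fired."""
    ids = AppSensorClient()
    ids.register(DetectionPoint("BRUTE_FORCE_ACCOUNT", 3, 60, ["WARN", "LOGOUT", "DISABLE_ACCOUNT"]))
    for t, account in enumerate(["1", "2", "3", "4", "5", "6"]):
        try:
            find_account(ids, "mallory", account, now=float(t))
        except PermissionError:
            pass
    return ids.responses
```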
78. APACHE STRUTS STATEMENT ON EQUIFAX SECURITY BREACH
RECOMMENDATIONS
• Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions.
• Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.
• Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.
• Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources.
• Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical Web-based services.
https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
79. APACHE STRUTS STATEMENT ON EQUIFAX SECURITY BREACH
RECOMMENDATIONS
• Know your dependencies
• Thou shall have Continuous Deployment
• Remember that software is insecure
• Thou shall have security layers
• Thou shall monitor for unusual patterns