6. If you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated”
@thegrugq
Reference: https://twitter.com/thegrugq/status/658991205816995840
8. Crypting services make most antivirus techniques useless
Reference: http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/
10. Let us put an unsecured node.js server on your personal computer
TrendMicro Antivirus on Windows
Jan 2016
https://code.google.com/p/google-security-research/issues/detail?id=693
11. Remote code execution via your mail client downloading an email
Sophos Antivirus
June 2015
https://lock.cmpxchg8b.com/sophailv2.pdf
46. "How many Fortune 500 companies are hacked right now? Answer, 500."
Mikko Hypponen, CRO of F-Secure
Reference: https://twitter.com/mikko/status/184329161257652227
55. But what if we installed advanced IDSs, WAFs and specialised network hardware?
56. We probably only knew about one of the two backdoors in our system
Juniper Networks
Dec 2015
http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/
57. IDSs produce reports. Managers like reports: it helps them feel like they can "manage" security
http://security.stackexchange.com/questions/12164/how-effective-is-an-ids-at-catching-targeted-attacks
99. Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
101. Avoid old tutorials on encryption
https://gist.github.com/paragonie-scott/e9319254c8ecbad4f227
102. Failed: Error Number: 60. Reason: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
// Many old tutorials and posts suggest disabling peer verifications
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
// Thankfully PHP 5.6+ handles CA certificate location automatically
// now thanks to https://wiki.php.net/rfc/improved-tls-defaults and
// Daniel Lowrey
Avoid advice like this
Weakening security for convenience
CODE SAMPLE
107. $password = 'rasmuslerdorf';
$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';
// Is this call safe?
if (crypt($password, $hash) === $hash) {
echo 'Password is correct';
}
// What about this one?
if (password_verify($password, $hash)) {
echo 'Password is correct';
}
Bad implementation
Where is the weakness?
CODE SAMPLE
109. $string1 = 'abcd';
$string2 = 'abce';
$string3 = 'acde';
for ($i=0; $i<10000; $i++) { ($string1 === $string2); }
// Time taken: 0.006923
for ($i=0; $i<10000; $i++) { ($string1 === $string3); }
// Time taken: 0.008344
Timing Attacks
How it works
CODE SAMPLE
110. Timing attacks can be used to work out if an account exists, even if the UI doesn't say so.
@troyhunt, haveibeenpwned.com
Reference: https://t.co/5WkQ48suj7
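Putting slides 107, 109 and 110 together, here is an added example in PHP 7+ (not code from the deck): the leaky `===` check beside a `hash_equals()` version, and a login routine that verifies unknown usernames against a constructed dummy hash so that a missing account costs the same bcrypt run as a real one. The user store, the dummy password and the function names are assumptions for the example; the bcrypt hash is the one shown on slide 107.

```php
<?php
// Added example, not from the slides: assumes PHP 7+ and a constructed
// user store. It pairs the leaky check from slide 107 with constant-time
// alternatives and a login whose cost is the same for unknown accounts.
declare(strict_types=1);
// Leaky check from the slide: === stops at the first differing byte, so
// its running time depends on how long a prefix of the hash matched.
function verifyLeaky(string $password, string $hash): bool
{
    return crypt($password, $hash) === $hash;
}
// Constant-time check: hash_equals() (PHP 5.6+) takes the same time
// wherever the strings differ. password_verify() does this internally,
// so prefer it for hashes produced by password_hash().
function verifyConstantTime(string $password, string $hash): bool
{
    return hash_equals($hash, crypt($password, $hash));
}

// Constructed user store; the bcrypt hash is the one shown on slide 107
// (password 'rasmuslerdorf', cost 10).
function users(): array
{
    return ['rasmus' => '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a'];
}

// Dummy hash at the same cost as the real ones: verifying against it for
// unknown users means a missing account still costs one bcrypt run, so
// response time no longer reveals whether the account exists (slide 110).
function dummyHash(): string
{
    return password_hash('constructed-dummy-password', PASSWORD_BCRYPT, ['cost' => 10]);
}

function login(string $username, string $password, string $dummy): bool
{
    $users = users();
    $matched = password_verify($password, $users[$username] ?? $dummy);
    // Succeed only when the account exists and the password matched.
    return $matched && array_key_exists($username, $users);
}

// Both the known and the unknown user take roughly one bcrypt run.
$dummy = dummyHash();
foreach (['rasmus', 'nobody'] as $user) {
    $start = microtime(true);
    $ok = login($user, 'rasmuslerdorf', $dummy);
    printf("%-7s ok=%s time=%.4fs\n", $user, var_export($ok, true), microtime(true) - $start);
}
```

The dummy hash must use the same algorithm and cost as the stored hashes, otherwise the timing difference simply moves from "no hash computed" to "cheaper hash computed".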
112. Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
113. if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false)
{
parse_str($_SERVER['QUERY_STRING']);
session_write_close();
session_id($session_to_unset);
session_start();
$_SESSION = array();
session_write_close();
session_destroy();
exit;
}
Mistakes
Deep understanding of the language
CODE SAMPLE
Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
118. // NOT cryptographically secure
rand();
// Cryptographically secure (uses OS-specific source, PHP 7+)
random_int(0, 100);
// Cryptographically secure (uses OS-specific source, PHP 7+)
random_bytes(16);
// Cryptographically secure (uses OpenSSL library)
openssl_random_pseudo_bytes(16);
Random in code
Know the source
CODE SAMPLE
120. HEAD http://example.com/index.php
200 OK
Connection: close
Date: Sat, 26 Dec 2015 13:52:01 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Sat, 26 Dec 2015 13:52:01 GMT
Client-Peer: 192.168.0.101:80
Client-Response-Num: 1
X-Powered-By: PHP/5.5.11
Information Disclosure
Every piece of information can be leveraged
LOG SAMPLE
122. Warning: require(assets/includes/footer.php) [function.require]: failed to open stream: No such file or directory in /home/user/path/to/assets/includes/operations.php on line 38
Fatal error: require() [function.require]: Failed opening required 'assets/includes/footer.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/path/to/assets/includes/operations.php on line 38
Information Disclosure
Every piece of information can be leveraged
LOG SAMPLE