Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Transcript of Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
AppSec USA 2014
Denver, Colorado
Hacking .NET/C# Applications: Defend By Design
Jon McCoy
DigitalBodyGuard
What is a Defendable System
What is a Strong/Weak Design
How to view a Software System
This Speech
Thanks AppSec/OWASP
A Critical part of the security world
Thanks To
Jon McCoy - DigitalBodyGuard
• Software Engineer
• Digital Security
• Application Level Security
• .NET Framework Expert
• Attack and Defense
Introduction
Work Area: PenTesting and Active Defender
Specialize: .Net Framework Systems
Overview
What is a Thick Client?
GrayWolf
Demo
Context
Share What I Have Seen
Context
What is a Defendable API
Focus of this talk
Daemon
API
Service
Focus of this talk
Daemon
Service Security
Business Units
Network
Client World View
Cyber Attack
Users
Web Server
DB
Client Wants it secure
Communications
API/DAL
Log Detection
Honey-Pot
Crypto
Crypto
POS
Web
Log
Communications
Web Service
Web Service
SOAP/REST
Encrypted
Auth
Auth
SOAP/REST
Encrypted
UML: Unified Modeling Language
Network Diagram
Cyber Attack
Critical Units
Credit Cards
Production DB
$1,000,000
$20,000,000
User Info DB
$100,000
Client Is Strong
Strong
A Security Review
I “PenTester” will hit you at
Let's say you are “Secure”
• Network
• Computer Login
• Employees
• Hardware
• TechSupport
• ………..
Strong
I “The Hacker” will Attack
Let's say you are “Secure”
• Users
• Your Physical Infrastructure
• Your Web-Face
• All Digital Devices
• ………..
• Except (X/Y/Z)
My Team
A Security Review
On Problem
Still Good
Everything is Bad
• We took full control of Domain Admin
• We took full control of Network
• We took full control of Database Systems
• We took full control of Physical Security
• We took full control of File Management
• We took full control of Back Up…..
• ………..
Security Review
On Problem
Everything is Bad
How do we Fix This
Critical Units
Credit Cards
Production DB
$2,000,000
$20,000,000
User Info DB
$200,000
Layered Defenses
Cards Hash
User Info DB
Credit Cards
Production DB
Guards
Quick Recommendations
API Type: OWIN.org – REST – SOAP – Socket
DB Type: Node.JS – Neo4Netde Database
Security: OAuth (2) – RSA 4096 – AES 256 – MAC (message authentication code)
API Type: REST – SOAP – Socket
DB Type: Node Database – Sharding & Segmentation
Security: RSA 4096 – AES 256 – MAC (message authentication code)
• Detect and Protect the Perimeter
• Guard and Respond
• Build Choke Points
• Find the Weak Blind Spots
• …………
Layered Defense
“Client Remediates the Issues”
Client is stronger
Layered Defense
Attacking as Hackers
• We took Admin in 2-4 hours (Tell Client 8 Hours)
• We took full control of Network
• We took full control of Database Systems
• We Failed to take control of Physical Security
• We took full control of File Management
• We Failed to take control of Back Up…..
• ………..
Security Review
How do we Fix This
Layered defense
Detection and Response
Guard Post
Now we have started talking the same Language
Now Security Can Start
Segmentation
Anti-Pattern
Pattern
Developer => IT
Good Design
Bad Design
Separation
Controllers
Facade
Claims
Actions
View
Authentication
Developer => DBA
Security Controls
Attack Vector
Security Test
Defendable Systems
Security User Story
Security Unit Test
Developer => Security
Language = Context
Now Security Can Start
Get to know the Client
Web Data Processing
Strong API/DAL
Communications
Data Access Layer
Strong vs Weak Software
DEMO
Communications
Security Level
Domain Expert
Design Security
DEMO
Two Completely Different Systems
POS
Web
DB
IT & Networking
Teams
POS != WEB != DB != IT
Mockup Project
Defend the POS
Communications
Trusted Network
Point Of Sales
Clients & Partners
Communications
Built 5 Years ago
Changes Twice a year
Only X can Access it
Bad Fix
Bandage Security
Communications
$250k
You will prevent X/Y/Z Attacks
Best “Buzzword” Protection
• Turn Key
• Reliable
• Low Long Term Cost
• Free Upgrades for Three Years
• ……….
Communications
Design Security
Secure System
Log System
Passive Detection
Communications
API/DAL
Log
Detection
Communications
API/DAL
Log
Detection
Honey-Pot
Communications
API/DAL
Log Detection
Honey-Pot
Data Management & Point To Point Crypto
API/DAL
Communications
API/DAL
Log Detection
Honey-Pot
Crypto
Crypto
API/DAL
Communications
Segmented Network
POS Auth
Communications
Data API
POS Auth
Auth
• Segmented Hardware
• Segmented User Authentication (NO AD!)
• Segmented Management
• Segmented Data Storage/Backup
• Segmented Buildings
• Segmented Developers
• Segmented IT/Security
• Segmented Power…….
Communications
API/DAL
Log Detection
Honey-Pot
Crypto
Crypto
POS
Web
Communications
POS
Web
Data API
SQL
SQL
Communications
Data API
POS
Web
SQL-Injection =>
SQL
Security User Stories ---- SQL Injection ----
• Detect SQL-injection
• Prevent SQL-injection
• Respond to SQL-injection
SQL-Injection
Protection
Security Unit Test ---- SQL Injection ----
• API -> SQL-injection
• Processing Logic -> SQL-injection
• BackEnd -> SQL-injection
• Detect Injection
SQL-Injection
Security User Stories ---- SQL Injection Occurred ----
• Evaluate SQL-injection
• If Critical Respond
• If non-Critical Notify/Fix
Security Unit Test ---- SQL Injection Detection ----
• API -> Notify
• Processing Logic -> Notify
• BackEnd -> Notify
• LockDown Each Layer
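An added example, not from Jon McCoy's slides, of what these per-layer security unit tests can look like in C#: one check each for API, Processing Logic and BackEnd against an injection-shaped input, plus the Notify and LockDown response stories. The Detection, Api, Processing and Dal classes and the numeric POS terminal-id request field are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
// Stand-in for the Log/Detection box: every layer reports here, and the
// response story "LockDown Each Layer" is modelled as a flag the tests check.
static class Detection
{
    public static readonly List<string> Notifications = new List<string>();
    public static bool LockedDown;
    public static void Notify(string layer, string input) { Notifications.Add(layer + ": " + input); LockedDown = true; }
}
// API layer: the (assumed) terminal id must be a short number; anything else is reported, not passed on.
static class Api
{
    public static bool AcceptTerminalId(string raw)
    {
        if (Regex.IsMatch(raw, @"^\d{1,8}$")) return true;
        Detection.Notify("API", raw);
        return false;
    }
}
// Processing layer: re-checks the invariant instead of trusting its caller and only hands on a typed value.
static class Processing
{
    public static int TerminalId(string raw) =>
        Api.AcceptTerminalId(raw) ? int.Parse(raw) : throw new ArgumentException("rejected", nameof(raw));
}
// BackEnd/DAL layer: the SQL text is a constant; user input can only ever become a bound parameter.
static class Dal
{
    public const string SalesSql = "SELECT total FROM sales WHERE terminal_id = @id";
    public static KeyValuePair<string, object> SalesParam(int terminalId) => new KeyValuePair<string, object>("@id", terminalId);
}
// One security unit test per layer, mirroring the user story bullets above.
static class SecurityUnitTests
{
    static void Check(bool ok, string story) { if (!ok) throw new Exception("FAILED: " + story); Console.WriteLine("PASS " + story); }
    static void Main()
    {
        const string payload = "1 OR 1=1"; // constructed injection-shaped input for the test
        Check(!Api.AcceptTerminalId(payload), "API -> SQL-injection rejected");
        Check(Detection.Notifications.Count == 1, "API -> Notify");
        bool threw = false;
        try { Processing.TerminalId(payload); } catch (ArgumentException) { threw = true; }
        Check(threw, "Processing Logic -> SQL-injection rejected");
        Check(!Dal.SalesSql.Contains("42") && Dal.SalesParam(42).Value is int, "BackEnd -> input stays a parameter");
        Check(Detection.LockedDown, "LockDown Each Layer after detection");
    }
}
```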
SQL-Injection Occurred
Security Response
SOAP - REST
Log
Communications
Data API
POS
Web
SOAP/REST
SOAP/REST
SOAP/REST Encrypted
SOAP/REST
Why?
Not encrypt?
Do Not Trust
Publicly Exposed
Design Pattern
Exposed System
BURN THEM!!!!
POS I/O
Web
Detect and Burn
Service
Quick Tangent
Better Web Server Layout
Communications
Web Service
Web Service
SOAP/REST
Encrypted
Auth
Auth
SOAP/REST
Encrypted
Segmentation Is Good
Communications
POS
Web Bridge
Bridge
Detection is Easy
Everything is Hard
Locking it down is Easy
Detection is Easy
If Breach Occurs
POS
Web Bridge
Lock it All Down
Respond Aggressively
Burn it all Down
Fix Exploit
Replace Server
Rotate Security
For a Secure Segmentation -
Developers Need To Design And Control
• FireWalls
• Network Layout
• System Provisioning
• System Security
• ………
Port: 1234
Incoming TCP/UDP
From: 10.88.10.1
To: 10.88.11.255
Port: 7676
Incoming TCP/UDP
From: 10.88.88.1
To: 10.88.99.111
Layered Defense
Security Test
For Developer: Security User Stories ---- Core DataBase is Hacked ----
For Security: Security User Stories ---- Core DataBase is Hacked ----
For SysAdmin: Security User Stories ---- Core DataBase is Hacked ----
For CxO: Security User Stories ---- Core DataBase is Hacked ----
For ………..: Security User Stories ---- Core DataBase is Hacked ----
Security User Stories ---- Core DataBase is Hacked ----
• Prevent Changing the Logs
• Prevent Access to Other DBs
Systems Game Theory
Anti-Fragile
Security User Stories ---- Lost DataBase Bridge ----
• Keep WebServer Up
• Take Services Down
• Sync After Bridge is Up
Developer Response System
• Security User Stories
• Security Unit Test
• Security Response Stories
Security Response Stories ---- Hacker on Core Bridge ----
• Guns
• Fire
• Pain
Security Response Stories ---- Hacker on Core Bridge ----
• Activate Full Security Response
• Revoke All Security Tokens
• Lock Down All Choke Points
Developer Response System
Security User Stories ---- Lost POS Ingress ----
• Revoke Old POS Privileges
• Standup New POS System
• Standup New POS Auth System
Communications
Data API
POS Auth
Auth
Auth
Network Diagram
If Extra Time
Fun Attack Demo
GrayWolf
Demo
Context
FIN