AppSecUSA 2012 has ended
Thursday, October 25

7:30am CDT

Registration Open

Registration is in the Lobby of the hotel


Thursday October 25, 2012 7:30am - 8:45am CDT
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

9:00am CDT

KEYNOTE: Infosec at Ludicrous Speed: Rugged DevOps and More... by Gene Kim

Information security is rightly afraid of being marginalized: it has already happened. With the advent of cloud, the velocity of change is breathtaking: while most IT struggle with monthly releases, agile IT businesses routinely conjure thousands of AWS servers, performing over 10 deploys per day. This agility and cost-savings delights the business. And with good reason, it terrifies security. In this talk, I’ll present key findings of my 10 years of research on high performing IT operations and security organizations, and my more recent research on the DevOps movement. I’ll talk about why I believe DevOps is so important to addressing the dysfunctional marriage between IT and the business, and what security must do to survive and thrive in this new regime.


Speakers
Gene Kim

Founder and Author, IT Revolution
Gene Kim is a Wall Street Journal bestselling author, researcher, and multiple award-winning CTO. He has been studying high-performing technology organizations since 1999 and was the founder and CTO of Tripwire for 13 years. He is the author of six books, The Unicorn Project (2019...


Thursday October 25, 2012 9:00am - 9:45am CDT
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

9:00am CDT

Open Source Showcase, Capture The Flag, Lockpick Village and OWASP Store

Thursday October 25, 2012 9:00am - 12:00pm CDT
Foothills I (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am CDT

Building Predictable Systems using Behavioral Security Modeling: Functional Security Requirements

Behavioral Security Modeling (BSM), first presented at AppSec USA 2011 in Minneapolis, was conceived as a way of modeling interactions between information and people in terms of socially defined roles and the expected behaviors of the system being designed. By reducing the difference between the expected system behaviors and the actual system behaviors, we can manage the vulnerabilities that are inevitably introduced when the expected and actual system behaviors are out of alignment. BSM asserts that robust, secure information systems are best achieved through carefully modeling human/information interactions in social terms.

Modeling human/information interactions starts with requirements gathering. While traditional security requirements describe how to "keep the bad guys from messing with our stuff," BSM functional requirements seek to define "what the good guys are allowed to do." To address this gap, we have developed a practical, SDLC agnostic method for gathering functional security requirements by defining limits on interactions through a series of questions to identify and clarify constraints, as well as uncover hidden constraints. We will discuss the development of the methodology and demonstrate its use, as described in our white paper, including early experiences implementing the approach.


Speakers
John Benninghoff

Security Consultant, Transvasive Security
John Benninghoff started Transvasive Security to develop Behavioral Information Security, a new philosophy of security that draws on knowledge of how people behave and interact with information. He has spoken at national and regional security conferences, and writes regularly for...


Thursday October 25, 2012 10:00am - 10:45am CDT
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am CDT

Top Ten Web Defenses

We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.

The best security is contextual to each organization, application and feature. Real-world tradeoffs will be discussed in detail for each "control" and "control category" discussed.


Speakers
Jim Manico

Author and Educator, OWASP volunteer, Manicode Security
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also the founder of Brakeman Security, Inc. and is an investor/advisor for Signal Sciences. Jim is a frequent speaker on secure software practices and...


Thursday October 25, 2012 10:00am - 10:45am CDT
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am CDT

Mobile Applications & Proxy Shenanigans

With over 5 billion mobile devices presently in use, mobile applications enable new threats and attacks which introduce significant risks to organizations. As such, it is imperative that we perform our normal application security procedures on all mobile applications, including pen testing and code reviews. Pen testing mobile applications has proven to be difficult when typical application security testing practices are employed. Proxying mobile traffic for examination and modification is anything but straightforward, and every application presents its own unique challenges. David and Dan will explain the issues that arise when trying to proxy mobile application traffic. Join Dan and Dave as they provide guidance and a roadmap so that you may overcome these obstacles.


Speakers
Dan Amodio

Principal Consultant, Aspect Security
As a Principal Consultant, Dan manages and defines Aspect Security's line of Assessment Services, helping organizations quantify their security risks from design to implementation. He works with staff and clients to develop the team members and deliverables. Dan holds a security...

David Lindner

Managing Consultant and Global Practice Manager, Aspect Security
David Lindner is a Managing Consultant and Global Practice Manager, Mobile Application Security Services at Aspect Security. David brings 15 years of IT experience including application development, network architecture design and support, IT security and consulting, and application...


Thursday October 25, 2012 10:00am - 10:45am CDT
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am CDT

Reverse Engineering “Secure” HTTP APIs With An SSL Proxy

The proliferation of mobile devices has led to increased emphasis on native applications, such as Objective-C applications written for iOS or Java applications written for Android. Nonetheless, these native client applications frequently use HTTP APIs to communicate with a backend server. In addition, browser-based applications are growing more complex, and are also more likely to make asynchronous calls to HTTP APIs.

In this presentation, we walk through a common (but insecure) method of securing HTTP APIs with SSL. As we will demonstrate, properly configured SSL will protect a protocol from eavesdropping (man-in-the-middle attack) but will not protect that protocol from the end user himself. In particular, we demonstrate how an end user can use an SSL proxy to decrypt and reverse engineer the HTTP API.

We will show a hypothetical HTTP API over SSL that tracks high scores for games. Then we will demonstrate an attack on that HTTP API using mitmproxy, an open source SSL proxy, to show how an attacker can forge a high score, even though the protocol is tunneled over SSL. We will then demonstrate a modified HTTP API that is resistant to this type of attack.

Finally, we will wrap up by discussing other applications of SSL proxies to web application security testing, such as analyzing HTTP APIs to see if any personal information, such as a user’s address book, is being transmitted over the API. This is the same technique used by researcher Arun Thampi in February 2012 to determine that the Path application on iOS was secretly uploading users’ contacts to its HTTP API.


Speakers
Alejandro Caceres

Computer Network Operations Engineer, Lunarline Inc.
I am a computer network operations engineer focused on building software products and interested in breaking things, mostly. I've been told I have a "hacker" mindset by my co-workers (I like to think that they meant it in a good way) and that is entirely true. I work on a number of...

Mark Haase

Sr. Security Software Engineer, Lunarline, Inc.
I've been writing software since I was 13, writing software as a job since Junior year of college, and working professionally as a software engineer since I graduated, in financial services and then information security.


Thursday October 25, 2012 10:00am - 10:45am CDT
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am CDT

Gauntlt: Rugged by Example

"Be Mean to Your Code" is the concept behind the ruggedization framework called Gauntlt (pronounced like gauntlet), which aims to bring the benefits of Behaviour Driven Development to the realms of automated security testing, application hardening and ruggedization. Gauntlt is an open source ruggedization framework using Cucumber and written in Ruby. Gauntlt has been developed in collaboration with Netflix to fulfill the role of the "Security Monkey" in their Simian Army, most popularly known for the Chaos Monkey.

Gauntlt is meant to be used by security experts with interest in automation as well as developers with interest in security. It can be used to deliver the results of a security audit or penetration test via failing gauntlt attacks (tests) which can in turn be added to the continuous delivery test suite. Developers know when they have resolved a particular vulnerability when gauntlt no longer reports a failure. Gauntlt can be used in regression tests to detect when a previously resolved vulnerability has been re-introduced.

The creators of Gauntlt, James Wickett, Mani Tadayon and Roy Rapoport, will talk about the history of the project, current roadmap and the planned security testing tools being added to Gauntlt. As part of this talk we will do a hands on demo where we will walk the audience through getting started using gauntlt pre-built attacks and then move to writing their own gauntlt attacks. Come find out how to start being "rugged by example" and how to get started with Gauntlt.

Note: Jeremiah Shirk is filling in for Roy Rapoport.


Gauntlt is MIT Licensed and hosted on github at http://github.com/thegauntlet/gauntlt.


Speakers
Jeremiah Shirk

Cloud Infrastructure and Security Engineering

Mani Tadayon

Senior Software Engineer, ZestFinance
I love programming and am now learning Clojure, Lisp and Emacs. Since 2001, I've worked in web development, constantly updating my skills to keep up with new technologies, moving from .NET to php to ruby and beyond. At the same time, I've discovered the importance of strong foundations...

James Wickett

Sr. Security Engineer, Verica
James is an innovative thought leader in the DevOps and InfoSec communities and has a passion for helping big companies work like startups to deliver products in the cloud. He got his start in technology when he ran a Web startup company as a student at University of Oklahoma and...


Thursday October 25, 2012 10:00am - 10:45am CDT
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am CDT

Building a Web Attacker Dashboard with ModSecurity and BeEF

The Browser Exploit Framework (BeEF) Project is extremely popular with application pentesters, as it is a powerful tool for demonstrating the impact of leveraging XSS vulnerabilities to achieve wider compromise of an organization. What if, however, we flipped the BeEF use-case around and instead put it in the hands of web application defenders? By using the open source ModSecurity WAF, we can dynamically hook web attackers with BeEF, monitor their activities and initiate various counter-measures.


Speakers
Ryan Barnett

Lead Security Researcher, Trustwave SpiderLabs
Ryan C. Barnett is renowned in the web application security industry for his unique expertise. After a decade of experience defending government and commercial websites, Ryan joined Trustwave SpiderLabs Research Team. He specializes in application defense research and leads the open...


Thursday October 25, 2012 11:00am - 11:45am CDT
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am CDT

Early Lunch Option

Early Lunch Option available for Sponsors, Staff, and Speakers


Thursday October 25, 2012 11:00am - 11:45am CDT
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am CDT

Secure Code Review: Magic or Art? A Simplified Approach to Secure Code Review

Secure code review is one of the best ways to uncover vulnerabilities and reduce the risk of online web applications being breached. However, secure code review has always been challenged as being skill and tool intensive. But what if this could be simplified so developers on your team could perform it? What if this could be achieved with minimal impact on deadlines? This presentation will delve into the science and process behind secure code review and will go on to discuss a simplified approach to secure code review: a simplified process to follow, free tools to use and some of the pitfalls to avoid.


Speakers
Sherif Koussa

Principal Application Security Consultant, Software Secured
Sherif comes from a software development background where he designed, implemented and led software teams for 9 years. His journey with application security started back in 2006 where he kicked off the OWASP Chapter in Ottawa, followed by leading a major release for WebGoat v5.0...


Thursday October 25, 2012 11:00am - 11:45am CDT
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am CDT

Cracking the Code of Mobile Applications

Learn how a mobile expert cracks an application open. While testing or reviewing Android or iOS applications, you will appreciate these handy tricks, which will teach you to extract the program code of any mobile application. Be it the well-known encryption of Apple applications, Google's all-famous Android, or the RIM-claimed BlackBerry application: once you have the application, you will learn how to view its code. Using demonstrations on Apple, Android, BlackBerry and Windows Mobile platforms and gadgets, we will highlight the benefits of using these techniques in a pen-tester's day-to-day life cycle.


Objectives:
• To give live demonstrations of cracking the code open from various Android/Apple/BlackBerry/Windows Mobile applications.
• To share tested and proven methods of discovering insecurities via reverse engineering.
• To learn how to efficiently conduct reverse engineering of mobile applications.
• To develop a process document for mobile reverse engineering.


Speakers
sreenarayan a

Security Product Lead, Capital One
Sreenarayan is currently working as an Independent Information Security Consultant. He was the principal researcher in the Mobile Application Security Team at Paladion, having developed Paladion's Android, iOS, Windows Mobile, BlackBerry Gray Box and Code Review checklists, and has...


Thursday October 25, 2012 11:00am - 11:45am CDT
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am CDT

Hacking .NET Applications: Reverse Engineering 101

This speech will focus on Reverse Engineering and Evaluations of .NET Framework Desktop Software.
I will show the basics of doing Reverse Engineering:
- How to get source code
- What to look for
- What are easy vulns to find

This speech will then go a step further into the bleeding edge by modifying the protection/security areas of applications, both adding and removing security systems. I will also show building basic malware payloads and infecting critical software, as well as finding malware and dissecting it.

This speech should give a security professional the basic understanding of how to do a light Black-Box code analysis.
This speech should give a programmer the basics of finding, fighting, and production of malware.


Speakers
Jon McCoy

Jon' OR DROP ALL TABLES OR 'McCoy, DigitalBodyGuard
Jon McCoy is into security with a focus on application security under the .NET Framework. Jon started security in forensics and moved to reverse engineering and incident response. He is the founder of DigitalBodyGuard.com and Wave3D.com along with heading a number of open source projects...


Thursday October 25, 2012 11:00am - 11:45am CDT
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am CDT

Doing the unstuck: How Rugged cultures drive Biz & AppSec Value

Rugged Software was an attempt to get application security unstuck and beyond the .0001% who were already seeking more defensible infrastructure. Over the past 3 years of experimentation, working outside of the security community, and this spring's Rugged Summit... now is the time to bring Rugged to the OWASP community.


Our dependence upon software is growing at a rate faster than our ability to secure it. While it's disappointing to see routine compromises by 13-year-old SQLi attacks, it is far more serious to see vulnerable software permeate our cars, our critical infrastructure, and even our bodies (via medical devices). Despite excellent and valiant technical advances within the security community, the broader business and development communities remain largely unchanged.


This is more than a technical issue; it is also a cultural challenge. To the business, "Security" has become a toxic and dirty word for at least 2 reasons: 1) it is a cost and 2) it is often an inhibitor, preventing the business from doing things it wants to do. People don't care how to do something until they know why it matters or how it is valuable.


This talk will explain the success that Rugged has had in driving more business value and adoption of security. We'll attempt to clear up misconceptions and apprehensions - as well as contextualize how Rugged complements existing bodies of work. We will explain how Rugged has found in DevOps an unexpected ally, blueprint, and invitation to have more substantive impact. Lastly we'll introduce and discuss the just-published "Rugged Handbook" straw man - and invite it to be beaten/enhanced.


Speakers
Josh Corman

Director of Security Intelligence, Akamai Technologies
Joshua Corman is the Director of Security Intelligence for Akamai. Most recently he served as Research Director for Enterprise Security at The 451 Group. Mr. Corman’s cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across...


Thursday October 25, 2012 11:00am - 11:45am CDT
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

12:00pm CDT

Lunch and Speed Debates

The much-acclaimed LASCON-style Speed Debates are coming at you!


Speakers
Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was...


Thursday October 25, 2012 12:00pm - 12:45pm CDT
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

1:00pm CDT

KEYNOTE: Securing JavaScript by Douglas Crockford

The Web platform is hopelessly insecure, yet surprisingly, JavaScript can be transformed into a secure programming language by the subtraction of a small set of features. The design of JavaScript was influenced by Scheme. JavaScript's schemishness is the key to its salvation.


Speakers
Douglas Crockford

President, Virgule-Solidus
Douglas Crockford has been called a JavaScript Guru, but he is more of a Mahatma. He was born in Frostbite Falls, Minnesota, but left when he was only six months old because it was just too damn cold. He is best known for having discovered that there are good parts in JavaScript...


Thursday October 25, 2012 1:00pm - 1:45pm CDT
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm CDT

Hacking with WebSockets

HTML5 isn't just for watching videos on your iPad. Its features may be the target of a security attack as much as they may be used to improve an attack. Vulnerabilities like XSS have been around since the web's beginning, but exploiting them has become increasingly sophisticated. HTML5 features like WebSockets are part of the framework for controlling browsers compromised by XSS.

This presentation provides an overview of WebSockets: How they might increase the attack surface of a web site, their implications for privacy, and the potential security problems with protocols tunneled over them. Then it demonstrates how WebSockets can be used as an effective part of a hacking framework.

It closes with recommendations for deploying WebSockets securely, applying security principles to web app design, and providing a tool for exploring WebSockets security.


Speakers
Vaagn Toukharian

Senior Software Engineer, Qualys
Senior Software Engineer for Qualys's Web Application Scanner. Has been involved in the security industry since 1999. Experience includes work on Certification Authority systems, encryption devices, large CAD systems and Web scanners. Outside of work, interests include IronMan triathlons...


Thursday October 25, 2012 2:00pm - 2:45pm CDT
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm CDT

AppSec Training, Securing the SDLC, WebGoat.NET and the Meaning of Life

One of the most vital pieces of a secure SDLC is security training – not only for developers, but for Architects, QA and anyone else involved in the creation of software. Too frequently, this is minimized, overlooked or completely absent within an organization. In some cases, the very idea of application security is dismissed as unnecessary.

This talk starts by making a strong argument for developer education, and how it fits into any organization’s SDLC. Training will be put into the context of NIST’s “Security considerations in System Development Life Cycle” Document, Microsoft’s Simplified SDL, BSIMM3 and OWASP Open SAMM.

From there, we discuss other OWASP resources and projects dedicated to developer education, followed by an in-depth discussion of OWASP WebGoat.NET, an ASP.NET specific re-design of OWASP WebGoat which meets the needs and addresses the challenges of modern application security training programs.

Lecture will be delivered by Jerry Hoff, VP of Static Code Analysis Division at WhiteHat Security. Jerry is the leader of the OWASP Appsec Tutorial Series, WebGoat.NET and AntiSamy.NET. Jerry is a former developer, author, and has over 10,000 hours delivering technical training. Jerry holds a Masters degree in Computer Science from Washington University in St. Louis.

Key Points:
- Developers need a better way to be educated in AppSec
- Equip participants with the tools and evidence they need to make an irrefutable case for developer security training
- Analysis of tools/documents/videos that OWASP provides for training
- Introduction of WebGoat.NET: OWASP’s latest tool to help educate developers
- Interactive demonstration of WebGoat.NET with full audience participation


Speakers
Jerry Hoff

VP, Static Code Analysis Division, WhiteHat Security
Jerry Hoff is the VP of the Static Code Analysis Division at WhiteHat Security. In addition to WhiteHat, he is a co-founder and managing partner at Infrared Security. Jerry has worked at a number of fortune ten financial firms, along with years of hands-on security consulting, where...


Thursday October 25, 2012 2:00pm - 2:45pm CDT
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm CDT

Bug Bounty Programs

Moderator: Jeremiah Grossman


Speakers
Michael Coates

Director of Product Security, Shape Security
Michael Coates is the Chairman of the OWASP board, an international non-profit organization focused on advancing and evangelizing the field of application security. In addition, he is the creator of OWASP AppSensor, a project dedicated to creating attack aware applications that...

Chris Evans

Troublemaker, Google
Chris Evans is the author of vsftpd, a vulnerability researcher and for a paycheck, he built and now looks after the Google Chrome Security Team. Unruly bunch. Details of vsftpd are at https://security.appspot.com/vsftpd.html. His research includes vulnerabilities in all the major...

Jeremiah Grossman

Founder, WhiteHat Security
Jeremiah Grossman is the Founder and iCEO of WhiteHat Security, where he sets overall company vision and oversees day to day operations. Over the last decade, Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the...

Adam Mein

Security Program Manager, Google
Some people like to find bugs; Adam likes to make sure they get fixed. He gets lots of opportunities to fulfill this (admittedly, sad) ambition as Manager of Google's Vulnerability Management team and Web Reward Program. Outside of work, Adam spends most of his time chasing around...

Alex Rice

Product Security, Facebook


Thursday October 25, 2012 2:00pm - 2:45pm CDT
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm CDT

How we tear into that little green man

Mobile applications are a part of every person's, and every organization's, life. The potential for internal compromise is extremely high in relation to mobile applications, due to the common architecture that relies on a backend server. It is difficult to understand how easy it is to reverse engineer and modify mobile applications unless you do it on a daily basis. In turn, it is difficult to realize what vulnerabilities exist within mobile applications and the backend servers accompanying those applications, and what compromises can take place. This talk focuses on helping security experts and mobile developers understand how attackers reverse engineer mobile applications, what an attacker has access to, and how easy it is to circumvent local security implementations. Attendees will be shown real world applications, how each application's security was circumvented, and what consequences occurred. This talk will give security professionals and developers insight into how a malicious user will reverse engineer their applications and how to prevent those attacks. Throughout the talk, Otertool, a tool to simplify reverse engineering of Android applications, will be demonstrated and made available to attendees.


Speakers
Mathew Rowley

Senior Security Consultant, Matasano Security
Mathew Rowley is a security consultant for Matasano Security with over 6 years experience as a computer security professional. His experience includes reverse engineering, mobile security, web application security assessment, hardware reversing, network security, fuzzing, and application...


Thursday October 25, 2012 2:00pm - 2:45pm CDT
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm CDT

Put your robots to work: security automation at Twitter

With daily code releases and a growing infrastructure, manually reviewing code changes and protecting against security regressions quickly becomes impractical. Even when using security tools, whether commercial or open source, the difficult work of integrating them into the development and security cycles remains. We need to use an automated approach to push these tools as close to when the code is written as possible, allowing us to prevent potential vulnerabilities before they are shipped. We worked with development, operations, and release teams to create a targeted suite of tools focused on specific security concerns that are effective and don’t introduce any noise. This presentation will give an overview of what we’ve done over the past year, what we have learned along the way, and will provide advice for anyone else going down this road.


Speakers
Justin Collins

Security Engineer, Twitter
Justin is a security engineer at Twitter and a long-time computer science PhD student at UCLA. He spends most of his time working on Brakeman, a static analysis security scanner for Ruby on Rails.

Neil Matatall

Information Security Engineer, Twitter
Twitter security engineer, football fan, hiker. I like writing code. I like breaking code. I like protecting code.

Alex Smolen

Security Engineer, Twitter
Security Engineer at Twitter. Graduate of the UC Berkeley I School. Previously at Foundstone. Interested in security and the human experience.


Thursday October 25, 2012 2:00pm - 2:45pm CDT
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm CDT

Open Source Showcase, Capture The Flag, Lockpick Village and OWASP Store

Thursday October 25, 2012 2:00pm - 5:00pm CDT
Foothills I (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm CDT

Exploiting Internal Network Vulns via the Browser using BeEF Bind

Browser exploits are a primary attack vector to compromise a victim's internal network, but they have major restrictions, including: limited current browser exploits; the huge price of 0-day browser exploits; and exploit complexity due to sandboxing. So, instead of exploiting the victim's browser, what if the victim's browser exploited internal systems for you?

The new "BeEF Bind Exploit Proxy" module does this! This BeEF (Browser Exploitation Framework) module will allow penetration testers to proxy exploits through a victim's web browser to compromise internal services. Not only this, but the new "BeEF Bind" shellcode also enables the communication channel to the attacker to pass back through the existing browser session.

This attack technique (Inter-protocol Exploitation) removes browser-based attacks from being dependent upon browser vulnerabilities. It increases the number of potential exploits to include many service vulnerabilities throughout the internal corporate network. This includes whatever service can be contacted via a browser request. This increases the success rate of client-side exploitation attempts by dramatically increasing the number of vulnerabilities accessible to the attacker.

So how does the new BeEF Bind Exploit Proxy work? BeEF is configured to use the BeEF Bind Exploit Proxy, and is set as the payload for XSS exploits or Phishing attacks. Once the victim visits the malicious site, their web browser becomes hooked and performs JavaScript port scanning across the internal corporate network looking for chosen open ports. Once a server has been identified, the BeEF server is notified and begins to send exploits through the hooked web browser to the service on the internal server. Each of these exploits is configured to use the new BeEF Bind shellcode.

Once an exploit has successfully triggered a vulnerability within the internal service, the BeEF Bind shellcode is executed. This shellcode is designed to set up a web listener that proxies commands through to a shell on the compromised server. This allows the attacker to send commands through the hooked web browser to the BeEF Bind payload. The command is executed on the compromised server and returned to the web browser in HTTP responses. The hooked web browser then receives the command output and proxies it back to the attacker at the BeEF server.

Penetration testers can now inject steroids into their XSS exploits, replacing simple alert boxes with demonstrations of actually compromised internal machines. They can also increase the scope and success rate of their phishing attacks to compromise internal servers. This approach also minimizes the likelihood of IDS/IPS detection, and does not require an additional socket back to the attacker through the firewall.

Come and see our live demonstration of this new attack technique in action!


Speakers
Michele Orrù

Senior Security Consultant, Trustwave SpiderLabs
Michele Orru a.k.a. antisnatchor is an IT and ITalian security guy. Lead core developer of the BeEF project, he mainly focuses his research on application security and related exploitation techniques. He is a frequent speaker at hacking conferences, including CONFidence, DeepSec... Read More →


Thursday October 25, 2012 3:00pm - 3:45pm CDT
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm CDT

Demystifying Security in the Cloud: AWS Scout

The scale and variety of Amazon Web Services (AWS) has created a constantly changing landscape. What was previously managed by enterprise IT groups is now done through a variety of Amazon-based services, leaving many questions concerning the risk and security of these environments unanswered. This presentation will discuss the most common mistakes we have seen in the field and show you how to audit for them using AWS Scout.

Scout is a security tool that lets AWS administrators assess their environment's security posture. Using the AWS API, it gathers configuration data for manual inspection or highlights high-risk areas automatically. Rather than poring over dozens of pages in the web console, we get a clear view of the attack surface.
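As an added example of the kind of check such an audit automates (this is not AWS Scout's own code), the block below walks security-group rules and flags high-risk ports that are reachable from any source address. The record layout follows the EC2 DescribeSecurityGroups API response; the sample groups are constructed so the audit runs offline, the port list is an assumed policy, and the boto3 fetch function is the live path and is not exercised here.

```python
"""Flag EC2 security-group rules that expose high-risk ports to the whole Internet.

Added example, not AWS Scout's own code. The record layout follows the EC2
DescribeSecurityGroups API (GroupId, IpPermissions, IpRanges/Ipv6Ranges); the
sample groups are constructed so the audit runs offline. The port list is an
assumed policy, not something AWS defines.
"""
import ipaddress

# Assumed policy: services that should never be reachable from 0.0.0.0/0 or ::/0.
HIGH_RISK_PORTS = {
    22: "ssh", 23: "telnet", 3389: "rdp", 1433: "mssql",
    3306: "mysql", 5432: "postgres", 6379: "redis", 27017: "mongodb",
}
ALL_PORTS = range(0, 65536)


def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0 (prefix length 0), i.e. any source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(perm):
    """Port range covered by one IpPermissions entry ("-1" means all protocols/ports)."""
    if perm.get("IpProtocol") == "-1":
        return ALL_PORTS
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:          # ICMP and similar carry no ports
        return range(0)
    return range(lo, hi + 1)


def audit_security_groups(groups):
    """Return (group_id, source_cidr, port, reason) tuples for world-open exposures."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not is_world_open(cidr):
                    continue
                ports = rule_ports(perm)
                if len(ports) == len(ALL_PORTS):
                    findings.append((sg["GroupId"], cidr, "all", "all traffic open"))
                    continue
                for port, service in HIGH_RISK_PORTS.items():
                    if port in ports:
                        findings.append((sg["GroupId"], cidr, port, service + " exposed"))
    return findings


def fetch_security_groups():
    """Live path (not exercised here): pull the groups with boto3's EC2 client."""
    import boto3
    return boto3.client("ec2").describe_security_groups()["SecurityGroups"]


# Constructed sample: a web tier, a bastion, a DB reachable only from the VPC, an admin SG.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-admin", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print(*finding)
```

Run against the sample, the audit reports SSH on the bastion (from both the IPv4 and the IPv6 any-address rule) and the all-traffic rule on sg-admin, and stays quiet on the web tier and on the database rule scoped to 10.0.0.0/8. Swapping `SAMPLE_GROUPS` for `fetch_security_groups()` runs the same check against a real account.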


Speakers
Jonathan Chittenden

iSEC Partners
Prior to his employment with iSEC, Jonathan worked for the Air Force as a civilian. His roles consisted of reverse engineering malware for both signature and exploitation development. This experience enabled Jonathan to be comfortable working at a low-level with unknown protocols... Read More →


Thursday October 25, 2012 3:00pm - 3:45pm CDT
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm CDT

I>S+D! - Interactive Application Security Testing (IAST), Beyond SAST/DAST

Until recently, SAST and DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a completely new approach that analyzes code execution, memory and data at runtime, allowing for accurate inspection of the application. We will discuss IAST technology (introduced into the 2011 Hype Cycle) compared with DAST/SAST, and the benefits it provides.

The goal of the talk is to examine and discuss technological concepts rather than specific products or solutions, and includes a technical drill-down into the technology specifics. The talk will begin by presenting the standard IAST building blocks and their benefits, and continue by showing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more…


Speakers
Ofer Maor

CTO, Quotium
Ofer Maor has over sixteen years of experience in information security, and is a pioneer in the application security field. He has been involved in leading research initiatives, has published numerous papers, appears regularly at leading conferences and is considered a leading authority... Read More →


Thursday October 25, 2012 3:00pm - 3:45pm CDT
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm CDT

The Diviner - Digital Clairvoyance Breakthrough - Gaining Access to the Source Code & Server Side Memory Structure of ANY Application (OWASP ZAP extension)


Information disclosure has always been a boon to hackers.
 
The Crown Jewel of information disclosure, source code disclosure, is arguably the most significant information an attacker can obtain, and can be used to expose potential code-level vulnerabilities, logic, and hard coded information.
 
Since vulnerabilities that disclose source code are not always available, we were led to believe that the concept of security by obscurity can provide some level of protection, as fragile as it may be… but not anymore.
 
Divination Attacks, a new breed of information gathering attacks, provide the means to identify the memory structure and source code of application components, using black box techniques with unparalleled accuracy.
 
What is that useful for?  
 
Consider the methods that are required to detect the following complex exposures:
 
SQL Injection attacks that affect different pages in the application via database values or session attributes, and require the vulnerable page to be accessed through abnormal combinations of authentication, deliberate exceptions, and missing information.
 
Sounds confusing?
 
Talented or lucky testers might be able to detect these complex exposures in a limited scope, but have you ever heard of an automated vulnerability scanner, a passive security scanner, or any other black-box tool that can detect these "indirect" attacks with minimal user interference?
 
"Diviner", a new OWASP ZAP extension, can be used to locate leads for direct and indirect attack scenarios on a consistent basis, and can also enable testers to fingerprint server-side source code fragments and visualize the structure of the server memory and inter-page processes, thus enhancing the tester's decision-making process and enabling them to properly invest their time and effort.


Speakers
Shay Chen

CEO, Effective Security
Shay Chen is the CEO of Effective Security, an information-security boutique company specializing in information security assessments and in automating security processes of vulnerability management and SDLC. He has over twelve years in information technology and security, a strong... Read More →


Thursday October 25, 2012 3:00pm - 3:45pm CDT
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm CDT

Rebooting (secure) software development with continuous deployment

If we are ever going to get ahead of the whack-a-mole security vulnerability game, we as security professionals need to get more involved in the development of software. Let's review the origins of traditional software development and the assumptions it makes. Then we'll review whether those assumptions still hold for modern web applications, and what problems they cause, especially for security. Continuous deployment helps address these problems and allows for faster, more secure development. It's more than just "pushing code a lot": when done correctly it can be transformative for the organization. We'll discuss what continuous deployment is, how to get started, and what components are needed to make it successful, and secure.


Speakers
Nick Galbreath

Owner, Client9
Nick Galbreath is Vice President of Engineering at IPONWEB, a world leader in the development of online advertising exchanges and media trading platforms. Prior to IPONWEB, his role was Director of Engineering at Etsy, overseeing groups handling security, fraud, security, authentication... Read More →


Thursday October 25, 2012 3:00pm - 3:45pm CDT
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm CDT

WTF - WAF Testing Framework
We will present a new approach to evaluating web application firewall capabilities that suits real-world use. Our methodology covers issues such as false positive / false negative rates, evasion techniques and the balance between whitelisting and blacklisting. We will demonstrate a tool that organizations can use to apply the methodology, either when choosing an application protection solution or after deployment.

Speakers
Yaniv Azaria

Imperva
Yaniv holds a B.Sc and M.Sc in Computer Science. An industry veteran with experience in developing web applications, bio-informatic algorithms and database security products. Was team leader for database security research in Imperva for 3 years and for the past couple of years conducts... Read More →
Amichai Shulman

Imperva
Amichai Shulman is co-founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Mr. Shulman regularly lectures at trade conferences and delivers monthly eSeminars... Read More →


Thursday October 25, 2012 4:00pm - 4:45pm CDT
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm CDT

Cross Site Port Scanning

Many web applications provide functionality to pull data from other Internet-facing web applications, either for internal use or to verify application availability. We see this in the form of applications pulling images from user-specified URLs, applications showing server status for user-specified URLs, applications pulling feeds, XML and manifest files, etc. An attacker can abuse this functionality to send crafted requests to a remote server through the application that provides it. The responses can be studied and, where they are distinguishable, abused to perform a blind port scan of any Internet-facing device, of internal local networks, or of the fetching server/host itself.


In this paper we will see how this commonly available functionality in most web applications can be abused by attackers to port scan other servers, or perform a Cross Site Port Scan (XSPS). I found this issue with Facebook, where I was able to port scan any Internet-facing server using Facebook's IP addresses. Subsequently, I was able to identify this issue in several other prominent web applications on the Internet, including Google, Apigee, StatMyWeb, Mozilla.org, Face.com, Pinterest, Yahoo, Adobe and several others. We will take a look at the vulnerabilities that were present in the above-mentioned web applications that allowed me to abuse the functionality to perform port scans on remote servers using predefined functionality.

An attacker can abuse this by specifying URLs of the form http://servername:<portnum> to the application and reviewing the response obtained. I have seen three distinct kinds of response, depending on port and service. The following are the different errors/response messages obtained:
1. For an open port running an HTTP service, the error/server response is specific to the call. An attacker may see HTML content or a function specific message like “Image not found” or “Invalid data stream”
2. For an open port running a service other than HTTP (like SSH, TELNET, SMTP or RDP), the error/server response is mostly generic like “Invalid data stream”, “Expected content-type was invalid” or “Received HTTP error code -1 while fetching source feed”
3. For a closed port, the errors/server responses are often descriptive like “HTTP/1.1 503 Service Unavailable”, “[Errno 101] Network is unreachable” or “DOWNLOAD_ERROR_CONNECTION_REFUSED” etc.

Based on these error messages, which are distinct for every server tested, we can conclusively identify closed and open ports on remote servers. Even better, in some cases the application displays the actual responses received in raw form, allowing us to use it for banner grabbing.

Cross Site Port Scanning is a technique that allows an attacker to abuse perfectly common functionality, like fetching a file or data from a remote server, to perform blind port scans on Internet-facing servers. An application that accepts a URL as user input, fetches content from the user-supplied URL and displays non-generic errors is vulnerable to XSPS. An attacker can also enumerate ports on the server that makes the HTTP request on behalf of the user by providing localhost as the URL host together with a port.
Simply put, an application that accepts a URL like http://site/images/derp.jpg, fetches the content on the server side and displays the image is vulnerable if it displays port status or connection-specific errors when a user requests the following URLs:
http://site:22/images/nonexistentimage.jpg
http://site:23/images/nonexistentimage.jpg
http://site:3128/images/nonexistentimage.jpg
http://site:3389/images/nonexistentimage.jpg
An attacker can then analyze the error messages and identify open and closed ports from the distinct error responses. These responses may be raw socket errors (like "Connection refused" or timeouts) or may be customized by the application (like "Unexpected header found" or "Service was not reachable").
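The two halves of the technique, as an added example that is not part of the talk: the attacker side buckets a fetcher's error messages into the three response classes listed above, and the defender side shows a fetcher that validates the destination before connecting and collapses every failure into one generic message so there is nothing to bucket. `leaky_fetch` is a constructed stand-in for an application's server-side fetch; the responses it returns per port are simulated (modelled on the messages quoted above) so the scan runs offline, and the allowed-port set and the resolver hook are this example's own choices.

```python
"""Cross Site Port Scanning (XSPS): turning a URL fetcher's error messages into
port state, and a fetcher that does not leak it.

Added example, not from the talk. `leaky_fetch` is a constructed stand-in for an
application's server-side fetch; the responses it returns per port are simulated
(modelled on the messages quoted in the abstract) so the scan runs offline.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Simulated target: what the leaky application echoes back for each port.
SIMULATED_RESPONSES = {
    80:   "Image not found: /images/nonexistentimage.jpg",          # open, HTTP
    22:   "Invalid data stream",                                     # open, SSH banner
    3128: "Received HTTP error code -1 while fetching source feed",  # open, non-HTTP
    23:   "[Errno 111] Connection refused",                          # closed
    3389: "DOWNLOAD_ERROR_CONNECTION_REFUSED",                       # closed
}


def leaky_fetch(url):
    """Vulnerable fetcher: connects to any host:port and echoes the raw error."""
    port = urlsplit(url).port or 80
    return SIMULATED_RESPONSES.get(port, "Operation timed out")


# Attacker side: bucket the application's responses into port states.
CLOSED_MARKERS = ("connection refused", "connection_refused", "network is unreachable",
                  "503 service unavailable", "timed out")
NON_HTTP_MARKERS = ("invalid data stream", "content-type", "error code -1")


def classify(message):
    m = message.lower()
    if any(k in m for k in CLOSED_MARKERS):
        return "closed/filtered"
    if any(k in m for k in NON_HTTP_MARKERS):
        return "open (non-HTTP)"
    return "open (HTTP)"


def xsps_scan(fetch, host, ports, path="/images/nonexistentimage.jpg"):
    """Probe each port through the fetcher and return {port: state}."""
    return {p: classify(fetch("http://%s:%d%s" % (host, p, path))) for p in ports}


# Defender side: validate the destination and collapse every failure into one message.
ALLOWED_PORTS = {80, 443}   # assumed policy for an image/feed fetcher


def is_public_address(ip):
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)


def safe_fetch(url, resolver=socket.gethostbyname, do_fetch=leaky_fetch):
    """Hardened fetcher. Returns "ok" or the single generic "fetch failed"."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "fetch failed"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:                      # malformed port
        return "fetch failed"
    if port not in ALLOWED_PORTS:
        return "fetch failed"
    try:
        ip = resolver(parts.hostname)
    except OSError:
        return "fetch failed"
    if not is_public_address(ip):           # blocks localhost and internal ranges
        return "fetch failed"
    try:
        # A real implementation must connect to `ip` (not re-resolve the name) so a
        # DNS answer cannot change between this check and the connect.
        do_fetch(url)
    except OSError:
        return "fetch failed"
    return "ok"


if __name__ == "__main__":
    for port, state in xsps_scan(leaky_fetch, "site", [80, 22, 23, 3128, 3389]).items():
        print(port, state)
```

Against the leaky fetcher the scan reads ports 80, 22 and 3128 as open (and tells HTTP from non-HTTP), 23 and 3389 as closed. The hardened fetcher refuses the same probes before any socket is opened, and an attacker who tries `http://localhost:80/...` gets the same "fetch failed" as one who tries a closed port, so the response carries no port state.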


Speakers
Riyaz Walikar

I am a Web Application Security Engineer / Pentester / Network Security Architect for food, shelter, fun and passion. I have had luck with finding vulnerabilities with popular web applications like Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, Ebay, Apigee etc. for... Read More →


Thursday October 25, 2012 4:00pm - 4:45pm CDT
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm CDT

Static Analysis of Java Class Files for Quickly and Accurately Detecting Web-Language Encoding Methods
Attacks such as Cross-Site Scripting, HTTP header injection, and SQL injection take advantage of weaknesses in the way some web applications handle incoming character strings. One technique for defending against injection vulnerabilities is to sanitize untrusted strings using encoding methods. These methods convert the reserved characters in a string to an inert representation which prevents unwanted side effects. However, encoding methods which are insufficiently thorough or improperly integrated into applications can pose a significant security risk. This paper will outline an algorithm for identifying encoding methods through automated analysis of Java bytecode. The approach combines an efficient heuristic search with selective rebuilding and execution of likely candidates. This combination provides a scalable and accurate technique for identifying and profiling code that could constitute a serious weakness in an application.
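The talk's analyzer locates candidate methods by scanning Java bytecode and then rebuilds and executes the likely ones. As an added example (not the paper's code), the block below shows only that second, execution step: each candidate is fed the reserved characters of an output context one at a time, and a character the candidate returns unchanged is recorded as a leak, which is exactly the "insufficiently thorough" encoder the abstract warns about. Python callables stand in for the Java methods so the example runs here, and the probe character sets are a deliberately small assumed list.

```python
"""Profile candidate encoding methods by executing them against reserved characters.

Added example, not the paper's analyzer. Python callables stand in for Java
methods (an assumption so the example runs here). The probe character sets are
the reserved characters of each output context, an assumed, deliberately small list.
"""
import html
from urllib.parse import quote

# Characters that must be transformed before untrusted data lands in each context.
RESERVED = {
    "html": "<>&\"'",
    "url": " <>\"#%",
}
PLAIN_PROBE = "abcXYZ019"   # must survive untouched, or the method is not an encoder


def profile_encoder(candidate):
    """Return a verdict plus, per context, the reserved characters left unchanged.

    A character counts as neutralised only if the candidate transforms it when it
    is the sole input. (A stronger check would decode the output with a real
    parser for that context; this heuristic is what a fast first pass can afford.)
    """
    try:
        if candidate(PLAIN_PROBE) != PLAIN_PROBE:
            return {"verdict": "not an encoder", "leaks": {}}
    except Exception:
        return {"verdict": "not an encoder", "leaks": {}}
    leaks = {}
    for context, chars in RESERVED.items():
        leaks[context] = {c for c in chars if candidate(c) == c}
    complete = [ctx for ctx, missed in leaks.items() if not missed]
    if complete:
        verdict = "complete %s encoder" % "/".join(sorted(complete))
    else:
        verdict = "incomplete encoder"
    return {"verdict": verdict, "leaks": leaks}


def naive_html_encode(s):
    """Constructed weak candidate: handles angle brackets only."""
    return s.replace("<", "&lt;").replace(">", "&gt;")


CANDIDATES = {
    "html.escape": html.escape,          # complete for the HTML probe set
    "urllib.parse.quote": quote,         # complete for the URL probe set
    "naive_html_encode": naive_html_encode,
    "str.upper": str.upper,              # changes plain text: not an encoder
}

if __name__ == "__main__":
    for name, fn in CANDIDATES.items():
        print(name, profile_encoder(fn))
```

The profile of `naive_html_encode` shows `&`, `"` and `'` passing through untouched, which is the kind of finding that turns a "we encode output" claim into a concrete attribute-injection review item; `str.upper` is rejected outright because it alters plain text.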

Speakers
Alex Emsellem

Intern Software Engineer, Aspect Security
Currently pursuing a bachelor's degree in Computer Science. I'm primarily focused on software reverse engineering and exploitation. Around ten years ago I found my first vulnerability in a web application, and remember it vividly. I live for innovative ideas and the cutting-edge... Read More →


Thursday October 25, 2012 4:00pm - 4:45pm CDT
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm CDT

Analyzing and Fixing Password Protection Schemes

In this talk jOHN takes apart password protection schemes, analyzing the attack resistance of hashes, HMACs, adaptive hashes (such as scrypt), and encryption schemes. First, we present a threat model for password storage. Then audience members will learn the construction, performance, and protective properties of these primitives. Discussion of the primitives will be from a critical perspective, modeled as an iterative secure design session.

Ultimately, this session presents the solution and code donated as part of the ongoing OWASP PSM (Password Storage Module) project. Discussion of this solution will include key techniques for hardening PSM learned through years of delivering production Java EE code to customers.
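As an added example of the three primitive families the talk compares (this is not the OWASP PSM code), the block below puts a bare hash, a keyed HMAC, and an adaptive hash with an HMAC "pepper" on top side by side, using only the standard library. The record format (`scheme$iterations$salt$tag`), the iteration count and the server-side key are this example's own choices, not PSM's.

```python
"""Three password-protection primitives side by side: a bare hash, a keyed HMAC,
and an adaptive hash (PBKDF2-HMAC-SHA256) with an HMAC "pepper" on top.

Added example, not the OWASP PSM code. Uses only the standard library; the record
format, the iteration count and the server-side key are this example's own choices.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000          # assumed work factor; tune to ~100 ms on your hardware


def bare_hash(password):
    """Unsalted, unkeyed, fast: equal passwords collide and GPUs test billions/sec."""
    return hashlib.sha256(password.encode()).hexdigest()


def keyed_hash(password, salt, server_key):
    """HMAC with a key stored outside the database: a dumped table is useless
    without server_key, but the per-guess cost is still one fast hash."""
    return hmac.new(server_key, salt + password.encode(), hashlib.sha256).hexdigest()


def _b64(raw):
    return base64.b64encode(raw).decode()


def make_record(password, server_key, iterations=ITERATIONS):
    """Adaptive hash (salted, iterated), then HMAC with server_key; returns a storable string."""
    salt = os.urandom(16)
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    tag = hmac.new(server_key, stretched, hashlib.sha256).digest()
    return "pbkdf2-hmac$%d$%s$%s" % (iterations, _b64(salt), _b64(tag))


def verify_record(password, record, server_key):
    """Recompute the tag from the stored salt/iterations and compare in constant time."""
    scheme, iterations, salt_b64, tag_b64 = record.split("$")
    if scheme != "pbkdf2-hmac":
        return False
    salt = base64.b64decode(salt_b64)
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    expected = hmac.new(server_key, stretched, hashlib.sha256).digest()
    # A plain == would leak how many leading bytes matched through timing.
    return hmac.compare_digest(expected, base64.b64decode(tag_b64))


if __name__ == "__main__":
    key = os.urandom(32)  # in production: loaded from outside the database
    rec = make_record("correct horse battery staple", key)
    print(rec)
    print(verify_record("correct horse battery staple", rec, key))
```

The threat model the talk starts from is visible in the three functions: `bare_hash` falls to precomputation and brute force once the table leaks; `keyed_hash` survives a table-only leak but not a leak of the key; `make_record` makes every guess cost the attacker the full iteration count even with both salt and key in hand, and a fresh salt per record means two users with the same password get different tags.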


Speakers
John Steven

Internal Chief Technology Officer, Cigital Inc.
I spend incalculable time striving to make the perfect macchiato. Passionate about running and reading. I'm alarmed at the lack of innovation within application security over the past five years and anxious to get back to designing and implementing large-scale systems. Others... Read More →


Thursday October 25, 2012 4:00pm - 4:45pm CDT
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm CDT

DevOps Distilled: The DevOps Panel at AppSec USA

DevOps is all the rage these days, but what does it really mean and what does it look like for the AppSec community? This panel will explain DevOps, explore its impact on AppSec and, most importantly, look at how DevOps is changing the shape of the business.

If people in your organization are talking about doing 10 deploys a day to production or are discussing Chef and Puppet, then this panel is for you. If you are interested in Cucumber and integrating security testing into your continuous integration tooling, then this panel is for you. If you are just plain confused about DevOps and think it is just a new buzzword, then this panel is for you. If you are using the cloud at all, then this panel is for you.

This panel features some of the best and brightest minds in the DevOps community and is a don't miss event. We will be taking questions from the audience ahead of time by tweeting with the hashtag #DevOpsPanel the week leading up to the conference.


Speakers
Josh Corman

Director of Security Intelligence, Akamai Technologies
Joshua Corman is the Director of Security Intelligence for Akamai. Most recently he served as Research Director for Enterprise Security at The 451 Group. Mr. Corman’s cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across... Read More →
Nick Galbreath

Owner, Client9
Nick Galbreath is Vice President of Engineering at IPONWEB, a world leader in the development of online advertising exchanges and media trading platforms. Prior to IPONWEB, his role was Director of Engineering at Etsy, overseeing groups handling security, fraud, security, authentication... Read More →
Gene Kim

Founder and Author, IT Revolution
Gene Kim is a Wall Street Journal bestselling author, researcher, and multiple award-winning CTO. He has been studying high-performing technology organizations since 1999 and was the founder and CTO of Tripwire for 13 years. He is the author of six books, The Unicorn Project (2019... Read More →
David Mortman

Chief Security Architect, enStratus
David Mortman is the Chief Security Architect for enStratus and a Contributing Analyst at Securosis. Most recently he was the Director of Security and Operations for C3, LLC. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible... Read More →
James Wickett

Sr. Security Engineer, Verica
James is an innovative thought leader in the DevOps and InfoSec communities and has a passion for helping big companies work like startups to deliver products in the cloud. He got his start in technology when he ran a Web startup company as a student at University of Oklahoma and... Read More →


Thursday October 25, 2012 4:00pm - 4:45pm CDT
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

5:00pm CDT

LASCON Style Happy Hour

You don't want to miss this one!


Thursday October 25, 2012 5:00pm - 8:00pm CDT
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

8:00pm CDT

Special Sneak Preview of the REBOOT Film



Thursday October 25, 2012 8:00pm - 10:00pm CDT
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704
 
Friday, October 26
 

7:00am CDT

Race Condition - AppSec 5K Race
5k Charity Run OWASP AppSec USA 2012 will host a 5k Race to be held prior to conference sessions on Friday morning. The $50 fee covers race support and a limited edition Nike Dri-Fit t-shirt. All proceeds will be donated to the OWASP Projects Reboot initiative (https://www.owasp.org/index.php/Projects_Reboot_2012). If you’ve already registered for AppSec and would like to attend, simply LOG IN HERE and add it to your agenda. If you have not already registered for AppSec, you should REGISTER TODAY to reserve your pass. http://www.appsecusa.org/schedule/5k-charity-run/

Friday October 26, 2012 7:00am - 8:00am CDT
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

8:00am CDT

Registration Open

In the Lobby


Friday October 26, 2012 8:00am - 8:30am CDT
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

8:30am CDT

KEYNOTE: The State of OWASP
Come hear about the State of OWASP from the OWASP Board

Speakers
Michael Coates

Director of Product Security, Shape Security
Michael Coates is the Chairman of the OWASP board, an international non-profit organization focused on advancing and evangelizing the field of application security.  In addition, he is the creator of OWASP AppSensor, a project dedicated to creating attack aware applications that... Read More →
Sebastien Deleersnyder

CEO, Toreon
Sebastien (Seba) Deleersnyder is co-founder and CTO of Toreon. He started the Belgian OWASP chapter and was an OWASP Foundation Board member. With a development background and years of security experience, he has trained countless developers to create more secure software. Co-leading... Read More →
Eoin Keary

CTO and Founder, BCC Risk Advisory Ltd.
Eoin Keary is an international board member of OWASP. He leads the OWASP code review project. Eoin is the CTO and founder of BCC Risk Advisory Ltd. He has also led global security engagements for some of the world’s largest financial services and consumer products companies. Eoin... Read More →
Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security.  Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was... Read More →
Dave Wichers

COO, Aspect Security
Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security, a consulting company that specializes in application security services. He is also a long time contributor to OWASP, helping to establish the OWASP Foundation in 2004, serving on the OWASP Board... Read More →


Friday October 26, 2012 8:30am - 9:00am CDT
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

9:00am CDT

KEYNOTE: Some Lessons from the Trenches by Michael Howard

During the last year, Michael has moved from working with internal Microsoft product groups, such as Windows, Xbox, Windows Azure and Visual Studio to working more closely with Microsoft customers to help them improve their secure software design and development practices. During this time he has learned a great deal about mapping internal Microsoft thinking to the “real world.” In this keynote, Michael will share some of those experiences and describe some of the successful recommendations.


Speakers
Michael Howard

Principal Cybersecurity Architect, Microsoft
Michael Howard is a principal cybersecurity architect in the Public Sector Services group. Prior to that, he was a principal security program manager on the Trustworthy Computing (TwC) Group’s Security Engineering team at Microsoft, where he was responsible for managing secure... Read More →


Friday October 26, 2012 9:00am - 9:45am CDT
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

9:00am CDT

Open Source Showcase, Capture The Flag, Lockpick Village and OWASP Store

Friday October 26, 2012 9:00am - 12:00pm CDT
Foothills I (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am CDT

Payback on Web Attackers: Web Honeypots

Honeypots have long played a key role as a defensive technology in IT security, with the first public work being Clifford Stoll's The Cuckoo's Egg in 1990 and later Bill Cheswick's "An Evening With Berferd" in 1991 [2]. For a detailed honeypot history we recommend the book Honeypots: Tracking Hackers.
Wikipedia defines a honeypot as a "trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers".
Web attacks are the most common form of attack these days because they are easy to automate and web applications expose multiple attack vectors. For a detailed web attack landscape report we recommend Imperva's Web Application Attack Report, Edition #2 – January 2012 [5].
Despite the long use of honeypots for system and network security and the year-on-year increase in web attacks, especially against Web 2.0 applications, web honeypots are still at an early stage of research, development and use as a security defense in corporate networks.
In this presentation we explore the design and uses of a web honeypot with offensive and defensive capabilities called Carmen Rogue Web Server. Carmen Web Server v1.0 was developed around 2005, while development of Carmen Web Server v2.0 picked up in 2012, backed by VULNEX, to address today's threats focused on web attacks.
By developing a generic but highly customizable and easy-to-deploy web honeypot, we try to make this technology accessible to security teams across the world, helping them protect their networks with an extra layer of security.
Carmen can be used as a defensive tool to collect data from an attack, such as the password list from a brute-force attempt or attack patterns such as Cross-Site Scripting (XSS) and SQL injection (SQLi), or even to confuse attack tools using methods such as mixed server simulation (Apache, IIS, etc.) or fake session ID generation, among other capabilities. On the opposite side, Carmen can also be used as an offensive platform to test application security through fuzzing, or to develop exploits using its plugin and CGI capabilities.
This presentation will dig into the web honeypot landscape and related work, the design approach taken for Carmen Web Server, use cases with demos, and how to improve this technology.
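As an added example of the defensive capabilities the abstract lists (this is not Carmen's code), the block below is a minimal honeypot request handler: it harvests the credentials from login attempts, tags XSS and SQL injection payloads, and answers every request with a different Server banner so fingerprinting tools get inconsistent results. The request tuples in the test are constructed, and the regexes are a small assumed pattern set rather than a complete detection ruleset.

```python
"""A minimal web honeypot handler: harvest brute-force credentials, tag XSS/SQLi
payloads, and rotate the advertised server banner to confuse fingerprinting tools.

Added example, not Carmen's code. The regexes are a small assumed pattern set,
not a complete detection ruleset; the requests fed to it are constructed.
"""
import itertools
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumed patterns: enough to tag the obvious probes, nothing more.
ATTACK_PATTERNS = {
    "xss": re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.I),
    "sqli": re.compile(r"(?:'|%27)\s*(?:or|and)\b|union\s+select|--\s*$|;\s*drop\s", re.I),
}
# Mixed server simulation: rotate through several identities.
BANNERS = ["Apache/2.2.22 (Unix)", "Microsoft-IIS/7.5", "nginx/1.2.4"]


class Honeypot:
    def __init__(self):
        self.credentials = []          # (username, password) pairs from /login POSTs
        self.events = []               # (method, path, tags) per request
        self._banner = itertools.cycle(BANNERS)

    def handle(self, method, url, body=""):
        """Record what the request reveals and return a bland 200 response."""
        parts = urlsplit(url)
        # Decode before matching so %3Cscript%3E and <script> are seen alike.
        haystack = unquote_plus(parts.query) + "\n" + unquote_plus(body)
        tags = [name for name, rx in ATTACK_PATTERNS.items() if rx.search(haystack)]
        if method == "POST" and parts.path == "/login":
            form = parse_qs(body, keep_blank_values=True)
            self.credentials.append((form.get("user", [""])[0], form.get("pass", [""])[0]))
            tags.append("login-attempt")
        self.events.append((method, parts.path, tags))
        return {"status": 200,
                "headers": {"Server": next(self._banner)},
                "body": "<html><body>Welcome</body></html>"}


if __name__ == "__main__":
    hp = Honeypot()
    hp.handle("GET", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E")
    hp.handle("POST", "/login", "user=admin&pass=%27+or+1%3D1--")
    hp.handle("POST", "/login", "user=admin&pass=letmein")
    print(hp.events)
    print(hp.credentials)
```

Three constructed requests (an XSS probe in a query string, a SQL-injection attempt against the login form, and a plain password guess) produce a tagged event list and a two-entry credential list, which is the raw material a defender would feed into blocklists or correlate with the real application's logs.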


Speakers
Simon Roses Femerling

CEO, VULNEX
Currently Simon Roses Femerling is the CEO at VULNEX, driving security innovation. Formerly he was at Microsoft, PriceWaterhouseCoopers, and @Stake. Simon has authored and cooperated in several security Open Source projects like OWASP Pantera and LibExploit. He has also published... Read More →


Friday October 26, 2012 10:00am - 10:45am CDT
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am CDT

Spin the bottle: Coupling technology and SE for one awesome hack

Social-Engineering is nothing new. From the dawn of man, social-engineering has been an avenue to obtain results through manipulation and deception (not always). As the creator of the Social-Engineer Toolkit (SET), I get a wide variety of experiences and new techniques in identifying ways to penetrate organizations in a unique way. You never know what you are going to get on the other end. It's a game of chance, odds, and confidence. During this talk, we'll dive down into how social-engineering and technology can be used in order to compromise multiple avenues of an organization, with live demonstrations of a new version of the Social-Engineer Toolkit. I'll also be walking through some of the different SE scenarios and how I overcame a number of challenges and hurdles while performing some of the most difficult red team exercises. Let's play a game of spin the bottle, where the person on the other end is a complete anomaly and unknown. Where your confidence matters and your pretext is everything.


Speakers
David Kennedy

Dave Kennedy is founder and principal security consultant of TrustedSec, LLC - An information security consulting firm located in Cleveland Ohio. David was the former Chief Security Officer (CSO) for a Fortune 1000 where he ran the entire information security program. Kennedy... Read More →


Friday October 26, 2012 10:00am - 10:45am CDT
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am CDT

Incident Response: Security After Compromise

Too often security and IT professionals believe that once a system is compromised, “security” has failed.  In the world of Incident Response, security is just beginning.  In this talk Richard Bejtlich will share thoughts on how to make incident response work for the benefit of an intrusion victim.  He will talk about key ideas that show an organization can suffer compromise yet not suffer real damage, despite the worst intentions of the adversary.


Speakers
Richard Bejtlich

Chief Security Officer, Mandiant
Richard Bejtlich is Chief Security Officer at MANDIANT. He was previously Director of Incident Response for General Electric, where he built and led the 40-member GE Computer Incident Response Team (GE-CIRT). Prior to GE, he operated TaoSecurity LLC as an independent consultant, protected... Read More →


Friday October 26, 2012 10:00am - 10:45am CDT
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am CDT

Effective approaches to web application security

This presentation will focus on new and interesting approaches to web application security problems posed by a continuous deployment environment. Specifically, this presentation will cover useful security systems such as automatic vulnerability and application fault detection, effective platform defenses for XSS/SQLi, practical security alerting mechanisms, and visualizations of security related data. This talk demonstrates how to create these systems using free tools that improve security posture without commercial security products.


Speakers
Zane Lackey

Director of Security Engineering, Etsy
Zane Lackey is the Director of Security Engineering at Etsy and a member of the Advisory Council to the US State Department-backed Open Technology Fund. Prior to Etsy, Zane was a Senior Security Consultant at iSEC Partners. He has been featured in notable media outlets such as the... Read More →


Friday October 26, 2012 10:00am - 10:45am CDT
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am CDT

Why Web Security Is Fundamentally Broken

Most people are disturbed when they witness just how much of their personal information is accessible the very moment they visit a website. Then, if you give that [malicious] website just one mouse-click --- out goes even more personally identifiable data. We're talking about full names, where you live, the town where you grew up and went to school, marital status, list of friends, sites you are logged in to, the software you use complete with version numbers, and in some cases, your browser's auto-complete data and history of other sites you've visited. All of this is performed using nothing but HTML and JavaScript. No need for memory-corrupting exploits that escape the confines of the browser walls.

Through a demo-driven presentation, the audience will see first-hand how and why all these attacks are possible, even in the presence of browser silent updates and the latest security improvements such as sandboxes, anti-phishing protections, and the availability of Content Security Policy, X-Frame-Options, Origin, Strict Transport Security, SSL, etc. And just so everyone is crystal clear, firewalls don’t help and neither does anti-virus software. The reason why none of this works is that these web attacks take advantage of flaws in the way the Web was designed to work! Adding insult to injury, most of the techniques on display are NOT technically “new,” and this talk will cleverly wire these issues together to make a point, and tell a story. It is the story of Why Web Security Is Fundamentally Broken.

Here’s the punchline: The only known ways to fix these issues adequately are to “break the Web” -- i.e. negatively impact the usability of a significant percentage of websites. Doing so directly conflicts with the business interests of the current browser vendors, who are looking to grow market share and advertising revenue. Their choice is simple: be less secure and more adopted, rather than secure and obscure. This is the Web security trade-off that’s being made for us.


Speakers

Jeremiah Grossman

Founder, WhiteHat Security
Jeremiah Grossman is the Founder and iCEO of WhiteHat Security, where he sets overall company vision and oversees day to day operations. Over the last decade, Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the...


Friday October 26, 2012 10:00am - 10:45am CDT
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am CDT

The Magic of Symbiotic Security: Creating an Ecosystem of Security Systems

Throw out everything that you know about security tools today. No more six-figure appliances that only do one thing marginally well. No more proprietary protocols. We deserve better and we demand better. Envision a world where your security tools talk with each other. They communicate and share data in order to leverage each other's strengths and help compensate for their weaknesses. They work together to solve problems. Envision "Symbiotic Security".

Symbiotic Security is a new term that was coined to describe the ability of a tool to consume data from other tools or provide data to other tools. As part of our research, we have examined various classes of tools on the market and identified these abilities in each of them resulting in a label of "Consumer", "Provider", or "Symbiotic". As a consumer of security tools, this completely revolutionizes the way that we make purchases.

As an example, let's pretend that you are purchasing a new Intrusion Prevention System for your enterprise. As you begin to evaluate the various tools from the Gartner Magic Quadrant, you quickly realize that they almost all have the same primary feature set. The key differentiator at this point isn't the rules or the hardware, but rather the ability of the system to send and receive data with other systems. The IPS itself has some signatures and blocking abilities, but has zero relevancy data. Now, we give the IPS the ability to pull in vulnerability data and system configuration information from network and host scans and we gain relevancy. Add in some additional data on where the potential threat is coming from and now you have the data necessary to take decisive action on threats. This new system is a "Consumer". Now, if you give the IPS the ability to send information to other devices on things like the source of relevant threats, those devices, like a firewall or HIPS, can now make intelligent blocking decisions as well. Our IPS now has "Provider" abilities. Since our IPS is labeled as both a "Provider" and "Consumer" it is deemed "Symbiotic". This convention can now be used both by the manufacturer to market the value-add of the device and as a way for purchasers to differentiate between otherwise similar devices.

In order to demonstrate the true powers of being symbiotic, we are releasing a free tool that epitomizes this concept. The tool, named ThreadFix, has been labeled as a "Consumer" because of its ability to pull vulnerability data from static and dynamic scanning tools, threat modeling, and manual penetration tests, as well as alert logs and vulnerability details from IDS, IPS, and WAF products. ThreadFix has also been labeled as a "Provider" because of its ability to normalize the data consumed and pass it along to IDS, IPS, and WAF for action, as well as to your bug tracking system for remediation tracking. Because it can serve both a consumer and a provider role, we designate it as a "Symbiotic" tool, thus indicating that it can provide the utmost value to its users.

We recognize that like any new concept it can take some time to embrace, but we feel certain that labeling tools according to their abilities as "Consumers" and "Providers" can help to facilitate a much needed turn towards openness in our industry. Vendors will get the message that consumers want to select tools that work together in order to achieve their maximum effectiveness. Consumers will get the added value of having tools that work outside of their silos to make their jobs more efficient and maximize their ROI. Please join us in embracing this bold new concept.


Speakers

Dan Cornell

Vice President, Product Strategy, COALFIRE
A globally recognized software security expert, Dan Cornell has over 20 years of experience architecting, developing and securing software systems. As Vice President of Product Strategy at Coalfire, Dan works with customers and industry partners to help drive the direction of their...

Josh Sokol

CEO / CISO, SimpleRisk
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and recently left a ten year career as the...


Friday October 26, 2012 11:00am - 11:45am CDT
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am CDT

Blended Threats and JavaScript: A Plan for Permanent Network Compromise

This is a version of the talk I gave at Black Hat USA 2012, updated specifically for the AppSec USA audience. The original BlackHat slides are available at "http://www.scribd.com/doc/101185061/Blended-Threats-and-JavaScript", and the source code used in the demonstrations is available at "https://github.com/superevr/ddwrt-install-tool".

During Black Hat 2006, it was shown how common Web browser attacks could be leveraged to bypass perimeter firewalls and "Hack Intranet Websites from the Outside." In the years since, the fundamental problems were never addressed and the Intranet remains wide open, probably because the attack techniques described had important limitations. These limitations prevented mass-scale and persistent compromise of network-connected devices, which include but are not limited to home broadband routers. Now in 2012, with the help of new research and next-generation technologies like HTML5, browser-based Intranet attacks have overcome many of the old limitations and improved to a new degree of scary.

This presentation will cover state-of-the-art browser-to-network threats launched with JavaScript, using zero to minimal user interaction and completing every step of the exploit attack cycle: starting with enumeration and discovery, escalating the attack further upstream and into embedded network devices, and ultimately achieving mass-scale permanent compromise.


Speakers

PHIL PURVIANCE

Security Associate, Bishop Fox
The number of companies with bug bounty programs has increased dramatically over the last five years. A clever researcher can make easy money disclosing security vulnerabilities responsibly, and some have even turned it into a full-time job. But how do these programs actually work? I will use my personal experiences on both sides of the fence - as a bug hunter and as a bug bounty submission reviewer - to provide an exclusive look into the world of vulnerability reporting. Learn about the most common eligible vulnerabilities...


Friday October 26, 2012 11:00am - 11:45am CDT
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am CDT

Unbreakable Oracle ERPs? Attacks on Siebel & JD Edwards

Siebel and JDE platforms are a core part of our global business-critical infrastructure. Our credit card numbers, bills, personal information and consuming habits; top-tier companies' business processes and their most confidential information. It's all in there.

Despite their criticality, there is still very scarce public information today on how attackers may try to break into these systems and what we can do to stop them, placing the bad guys in a very powerful position. The Auditing and InfoSec industries have traditionally focused only on enforcing segregation-of-duties controls, and that's not enough anymore.

Join us in this new presentation to understand, through several live demos, how intruders can remotely execute code, steal user passwords and manipulate proprietary technologies to perform espionage, sabotage and fraud attacks, without having a valid user in the systems. Furthermore, you will see how these attacks may be performed over the Internet.

Learn how to mitigate these risks, starting by learning how to assess them in your company using the new version of Bizploit, the open-source ERP Penetration Testing framework, to be released after the talk.


Speakers

Juan Perez-Etchegoyen

CTO, Onapsis, Inc.
Juan Pablo is the CTO of Onapsis, leading the Research and Development teams that keep the Company at the cutting edge of the ERP security field. Juan Pablo is fully involved in the design, research and development of the innovative Onapsis software solutions. Being responsible...

Jordan Santarsieri

Senior Security Researcher, Onapsis
Jordan Santarsieri is a senior Onapsis security consultant and researcher. Being also a member of the Onapsis Research Labs, he is engaged in a daily effort to identify, analyze, exploit and mitigate vulnerabilities affecting ERP systems and business-critical applications. Jordan...


Friday October 26, 2012 11:00am - 11:45am CDT
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am CDT

Early Lunch Option

Early Lunch Option available for Sponsors, Staff, and Speakers


Friday October 26, 2012 11:00am - 11:45am CDT
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am CDT

Hack your way to a degree: a new direction in teaching application security at universities

Teachers of application security in higher education institutions and universities face some unique challenges, especially when compared to other scientific or even computer science fields. This is mainly because students have to learn how to design, implement and protect applications against both known and unknown attacks. Moreover, the established stereotypes present potential intruders as ingenious and able to penetrate almost every system. The OWASP Hackademic Challenges Project introduces the "attacker's perspective" in higher education by implementing realistic scenarios with known vulnerabilities in a safe, controllable environment. Students can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective. Its main difference from other projects that implement vulnerable applications for educational purposes is that it has been created mainly for use in a classroom environment, while most other solutions take a more self-learning approach.

The OWASP Hackademic Challenges were created two years ago in order to be used for teaching application security in a class of more than 200 students at the Technical Educational Institution of Larissa, Greece. Currently, they are used by more than a dozen universities around the world and are also part of the "Hacking Lab" and "OWASP University Challenge". In addition, we have received contributions to the project, mainly in terms of new challenges, from several researchers, including the New Jersey Institute of Technology. In detail, the students’ involvement in practical pre-designed scenarios was originally attempted during two university courses, in order for them to understand the way intruders think, the methodologies they follow and the liabilities one may face for the flawed security of applications and/or the supporting infrastructure.

Based on the above, an educational software tool was developed which comprised a variety of realistic scenarios, where the student had to locate and exploit various vulnerabilities in order to successfully complete the challenge. The OWASP Hackademic Challenges simulate real-world scenarios that application security consultants and penetration testers encounter during their day-to-day engagements, combined with the academic requirements of a related module. These exercises can be used to complement the respective theoretical lectures. Statistical analysis of the feedback we received from students through questionnaires shows that the students embraced this approach and have benefited significantly from going through these exercises. In practice, the OWASP Hackademic Challenges help students become more enthusiastic about application security by gaining realistic, hands-on experience with some real-world vulnerabilities.

In this presentation we will give an overview of the Hackademic Challenges and analyze their scientific background. In addition, we will present the new interface that was developed during the Google Summer of Code 2012. This interface introduces significant capabilities and features, mainly for teachers and administrators. A teacher is able to organize students into classes, monitor their progress as they solve the challenges and introduce new challenges to specific groups on a scheduled basis. Moreover, we will introduce an automated mechanism for adding new challenges to the system. A challenge can be automatically integrated into the system after it is tested by an administrator. The entire procedure is transparent to the user who submits the challenge, and no changes to the server or the back-end are required. The OWASP Hackademic Challenges is the first project that supports automatic integration of new challenges, facilitating submission of new challenges by the community.

A demo of the new Hackademic portal and challenges will also be delivered, emphasizing how it can be used in a real classroom.

Speakers

Konstantinos Papapanagiotou, Spyros Gasteratos

Information Security Services Team Lead, OTE
Both trainers are Hackademic project leaders, long-time OWASP members and application security professionals.


Friday October 26, 2012 11:00am - 11:45am CDT
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am CDT

The Same-Origin Saga

I created what became known as the browser "Same-Origin Policy" (SOP) under duress for Netscape 2, 3, and 4 in the mid-nineties. SOP was intended to preserve the integrity of a user/website session against interference from untrusted other sites. As the web evolved, SOP split from a single precise policy into several variations on a theme, but it remains the default browser content security policy framework. I will review SOP's vulnerabilities and its "patches" that were intended to mitigate those avenues of attack. I will close by suggesting an extension to SOP that labels scripts loaded cross-site with origins that are distinguishable from (yet related to) the origin of the including web page or application.


Speakers

Brendan Eich

Chief Technology Officer, Mozilla
Brendan Eich is CTO of Mozilla and widely recognized for his enduring contributions to the Internet revolution. In 1995, Eich invented JavaScript (ECMAScript), the Internet’s most widely used programming language. He also co-founded the mozilla.org project in 1998, serving as chief...


Friday October 26, 2012 11:00am - 11:45am CDT
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

12:00pm CDT

Lunch and WASPY Awards

Take this time to grab a bite, socialize and visit the booths in the Foyer areas.


Speakers

Dan Cornell

Vice President, Product Strategy, COALFIRE
A globally recognized software security expert, Dan Cornell has over 20 years of experience architecting, developing and securing software systems. As Vice President of Product Strategy at Coalfire, Dan works with customers and industry partners to help drive the direction of their...


Friday October 26, 2012 12:00pm - 12:45pm CDT
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

1:00pm CDT

NoSQL, no security?

Serving as a scalable alternative to traditional relational databases (RDBs), NoSQL databases have exploded in popularity. NoSQL databases offer more efficient ways to work with large datasets, but serious security issues need to be addressed.

NoSQL databases can suffer from a variety of injection attacks. Most NoSQL databases can’t authenticate and authorize clients, and can’t provide role-based access controls or encryption. Because these controls do not exist, developers and administrators are forced to implement their own controls to compensate for these shortcomings. These compensating controls could become a problem for organizations that have compliance considerations and could make maintaining NoSQL more complex than simply deploying an enterprise relational database that features built-in security.

Because many NoSQL architectures lack encryption and authentication, an attacker could eavesdrop on the client-server communication and obtain private data. Additionally, NoSQL databases can suffer from a variety of injection attacks via JavaScript and JSON. Traditional SQL injection countermeasures are not effective against these attacks, so developers must be aware of these threats and write code that attackers can’t penetrate.

In this presentation we’ll talk about how RDB security features and threats apply to NoSQL databases. We’ll also explore the security controls that are present in NoSQL architectures, and cover administrative, compliance and regulatory concerns associated with operating NoSQL architectures in environments that contain sensitive data.


Speakers

Will Urbanski

Will Urbanski is a security researcher who tracks vulnerability and malware trends. He has experience in both research and security operations in enterprise and higher education environments. Will is the co-author of a patent for an IPv6 moving target defense. He has more than eight...


Friday October 26, 2012 1:00pm - 1:45pm CDT
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

1:00pm CDT

SQL Server Exploitation, Escalation, and Pilfering

During this presentation attendees will be introduced to lesser known, yet significant vulnerabilities in SQL Server implementations related to common trust relationships, misconfigurations, and weak default settings. The issues that will be covered are often leveraged by attackers to gain unauthorized access to high value systems, applications, and sensitive data. An overview of each issue, common vectors of attack, and manual techniques will be covered. Finally, newly created Metasploit modules and T-SQL scripts will be demonstrated that help automate the attacks. This presentation will be valuable to penetration testers who are looking for faster ways to gain access to critical data and systems. Additionally, it should be worthwhile for developers and database administrators who are interested in gaining a better understanding of how to protect their applications and databases from these attacks.


Speakers

Antti Rantasaari

Security Consultant, NetSPI
Antti Rantasaari is currently a security consultant at NetSPI. He is responsible for performing security assessments and contributing to the development of the methodologies, techniques, and tools used during network and application penetration testing.

Scott Sutherland

NetSPI
Scott Sutherland is a Principal Security Consultant at NetSPI. Scott is responsible for the development and execution of penetration testing for the firm. He has developed a number of the proprietary tools and techniques that the company uses and also plays a major role in the skills...


Friday October 26, 2012 1:00pm - 1:45pm CDT
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

1:00pm CDT

Iran's real life cyberwar

The recent Stuxnet, Flame and CA compromises involving Comodo and DigiNotar had three common elements: each was government-sponsored, each involved Iran, and all three involved a PKI compromise. The presenter will share his experience of dealing with the Iranian attack, highlighting the ways in which government-sponsored attacks are very different from both 'ordinary' criminal attacks and the Hollywood view of 'cyberwarfare'.


Speakers

Phillip Hallam-Baker

Vice President and Principal Scientist, Comodo Inc.
Dr Hallam-Baker is an internationally recognized computer security specialist credited with 'significant contributions' to the design of HTTP 1.0, the core protocol of the World Wide Web. His book 'dotCrime Manifesto: How to Stop Internet Crime' sets out the first technical...


Friday October 26, 2012 1:00pm - 1:45pm CDT
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

1:00pm CDT

Real World Cloud Application Security

This presentation will provide the audience with a case study of how real world organizations using the public cloud are approaching application security. Netflix, one of the largest AWS and public cloud users in the world, will serve as the subject of the case study.

I will cover a variety of topics of interest to application security personnel, including:

-Automating and integrating security into CI/CD environments
-Large scale vulnerability management
-Continuous security testing and monitoring, including Netflix's Security Monkey framework
-Cultural integration of security in DevOps/agile organizations


Speakers

Jason Chan

Cloud Security Architect, Netflix
I work in Netflix’s Cloud and Platform Engineering team as the Cloud Security Architect. In my current role, I work with Netflix engineering, IT, legal, and business teams to ensure the secure design, implementation, and operation of the company’s cloud deployment and overall...


Friday October 26, 2012 1:00pm - 1:45pm CDT
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

1:00pm CDT

Builders Vs. Breakers

Builders vs. Breakers is a fast-paced, highly interactive, game-show-debate-style talk. Each topic starts with a short introduction pitting the Builder against the Breaker. It is then opened up for audience participation. After taking views from the audience, the audience votes on a winner. Whichever side wins the debate is rewarded and the contest moves on to the next topic.

Our builder is a veteran software developer building security tools for developers. Our breaker is a seasoned pen tester with product management and research experience. Our game show host keeps the discussion moving smoothly ... and has been known to occasionally express the business perspective.

Questions for debate will be posted/gathered on Google Docs for preview and participation. Building on our fun experiences at DC20 SkyTalks and BSidesChicago 2011/2012, this talk is aimed at getting the audience involved and ultimately thinking about contributing to the broader community.


Speakers

Brett Hardin

CEO, SourceNinja
Brett Hardin is a developer, author, advisor, and speaker on information security and entrepreneurship. Brett began programming at the age of 8 and began his professional career getting paid to find and exploit vulnerabilities within Fortune 500 organizations. Brett has been focused...

Matt Konda

Founder, Jemurai
Matt Konda is a developer and application security expert. He founded Jemurai to focus on working with teams to deliver secure software. Jemurai works with clients on security automation, training, strategy, building AppSec teams and more. Matt is on the global board of OWASP...

Jon Rose

Agile Security, Dun & Bradstreet
Jon has a unique combination of an innovative entrepreneur with the proven ability to lead Fortune 500 companies. With over 16 years of experience launching products, securing environments, training and educating technology teams, and building agile security organizations, Jon has...


Friday October 26, 2012 1:00pm - 1:45pm CDT
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm CDT

Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs

In the last year, 2011, major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. as seen in the DigiNotar breach) and, based on the current trust model (trusting all registered CAs equally for all domains), exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently being discussed to mitigate this risk. The most advanced and closest to final adoption are the technologies discussed by the browser vendors at the recent IETF Web Security working group meetings: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach has been partly tested in Chrome and already helped identify and, to some extent, protect Google's web applications in the recent DigiNotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July 2011, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services.

The presented technologies are cutting edge and, although the specification is not final yet, they are in their final stages, currently in roll-out and ready to be used. Other models that compete with or complement this approach shall also be discussed (DNSSEC, etc.).


Speakers

Tobias Gondrom

Managing Director, Thames Stanley: Information Security and Risk Management Advisory
Tobias Gondrom is Managing Director of Thames Stanley, a CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany. He has fifteen years of experience in software development, application security, cryptography, electronic signatures and...


Friday October 26, 2012 2:00pm - 2:45pm CDT
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm CDT

XSS & CSRF with HTML5 - Attack, Exploit and Defense

HTML5 has empowered browsers with a number of new features and functionalities. Browsers with this new architecture include features like the XMLHttpRequest Object (L2), Local Storage, File System APIs, WebSQL, WebSocket, File APIs and many more. The browser is emerging as a platform like a little operating system and has expanded its attack surface significantly. Applications developed in this new architecture are exposed to an interesting set of vulnerabilities and exploits. Traditional vulnerabilities like CSRF and XSS can both be exploited in this new HTML5 architecture. In this talk we will cover the following new attack vectors and variants of XSS and CSRF.

HTML5 driven CSRF with XMLHttpRequest (Level 2)
CSRF with two way attack stream
Cross Site Response Extraction attacks using CSRF
Cross-Origin Resource Sharing (CORS) policy hacking and CSRF injections
DOM based XSS with HTML5 applications
Exploiting HTML5 tags, attributes and events
DOM variable extraction with XSS
Exploiting Storage, File System and WebSQL with HTML5 XSS
Layered XSS and making it sticky with HTML5 based iframe sandbox
Jacking with HTML5 tags and features

In this session we will cover new methodology and tools along with some real-life cases and demonstrations. At the end we will cover some interesting defense methodologies to secure your HTML5 applications.


Speakers

Shreeraj Shah

Founder & Director, Blueinfy Solutions
Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy and iAppSecure Solution. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is also the author of popular...


Friday October 26, 2012 2:00pm - 2:45pm CDT
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm CDT

The Application Security Ponzi Scheme: Stop paying for security failure

Consider the major classes of threats that have been significantly mitigated in the past. For OS vulnerabilities, DEP and ASLR have greatly improved the security of every supporting OS. For applications, ORMs have greatly reduced SQL Injection and auto-encoding has greatly reduced XSS. Common to both of these are fundamental changes in the underlying OS or framework, which produce hardened applications without any extra work for developers. Has the scan, fix, rescan cycle finally lost its allure? Matt and Jarret provide their insights into how to revolutionize the app security industry. Come participate in the discussion or just poke holes in Matt and Jarret’s grandiose dream. Maybe you’ll want to passionately defend your corner of the app sec world. Whichever you choose, it will be fun.


Speakers

Jarret Raim

Rackspace
Jarret Raim is the Security Product Manager at Rackspace Hosting. Since joining Rackspace, he has built a software assurance program for Rackspace's internal software teams as well as defined strategy for building secure systems on Rackspace's OpenStack Cloud implementation. Through...

Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was...


Friday October 26, 2012 2:00pm - 2:45pm CDT
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm CDT

Get off your AMF and don’t REST on JSON

HTTP is being used to transport new request formats such as those from mobile apps, REST, JSON, AMF and GWTk, but few security teams have updated their testing procedures. All of these new formats are potential new playgrounds for attackers and pen testers. You just need to know how to play. In this talk, Dan Kuykendall will demonstrate the process of breaking down these new formats and where to attack them on various vulnerable applications. Most of the attacks are the familiar classics like SQL and command injection applied in modern applications. Attendees will learn to leverage their existing pen testing skills and techniques and apply them to these new formats.

Dan Kuykendall, Co-CEO & CTO of NT OBJECTives, discusses emerging application security threats in the latest technologies.


Speakers
Dan Kuykendall

co-CEO and CTO, NT OBJECTives
Dan has been with NTO for more than 10 years and is responsible for the strategic direction and development of products and services. He also works closely with technology partners to make sure our integrations are both deep and valuable. As a result of Dan’s dedication to security...


Friday October 26, 2012 2:00pm - 2:45pm CDT
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm CDT

Unraveling Some of the Mysteries around DOM-Based XSS

DOM-based XSS was first revealed to the world back in 2005 by Amit Klein, when it was an interesting theoretical vulnerability. In 2012, with the push towards Web 2.0 well into the mainstream, DOM-based XSS has become a very commonly uncovered and exploited vulnerability, but it’s poorly understood.

This talk will focus on the full range of issues around DOM-based XSS. It will start with a discussion of the technical details of the vulnerability, the true nature of the risk it introduces (both likelihood and impact), and some new terminology and updated definitions about what truly is a DOM-based XSS vulnerability as compared to the standard Stored and Reflected XSS that the community is well aware of. It will then discuss the difficulties that security analysts face when trying to find DOM-based XSS flaws, and provide recommended analysis techniques that help move DOM-based XSS discovery from an art towards more of a science. And finally, it will discuss simple techniques for avoiding DOM-based XSS issues in the first place as well as how to mitigate issues that are uncovered during a security review.


Speakers
Dave Wichers

COO, Aspect Security
Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security, a consulting company that specializes in application security services. He is also a long time contributor to OWASP, helping to establish the OWASP Foundation in 2004, serving on the OWASP Board...


Friday October 26, 2012 2:00pm - 2:45pm CDT
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm CDT

Open Source Showcase, Capture The Flag, Lockpick Village and OWASP Store

Friday October 26, 2012 2:00pm - 5:00pm CDT
Foothills I (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm CDT

The 7 Qualities of Highly Secure Software

The applications on the web, mobile, and the cloud, all have one thing in common: They are all insecure. And in this world that is rife with software vulnerabilities, if there were just seven things you are allowed to place in the bag entitled "software development" and the condition that is imposed on you is that the output from that bag must be secure, what would they be?

In this talk, the seven qualities that will enable your organization to develop reliable and hacker resilient software will be covered. Coverage in scope will be from the builder to the boardroom.

Take aways from the session will include strategies to consider and implement within your organization as you develop software, whether it is for the cloud, mobile devices, or the web.


Speakers
Mano 'dash4rk' Paul

Tech Fellow & Lead Cybersecurity Strategist, General Motors
Christian, CyberSecurity Advisor and Strategist, Author, Shark Biologist, Entrepreneur, Security Trainer, Speaker, HackFormer, yada yada yada ...Ask a resident of Hawaii what Mano means and they would say that it is one of the above. Do you know which one?


Friday October 26, 2012 3:00pm - 3:45pm CDT
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm CDT

Web Framework Vulnerabilities

This talk will give participants an opportunity to practically code review Web Application Framework based applications for security vulnerabilities. The material in this talk covers the common vulnerability anti-patterns which show up in applications built on the most popular enterprise web application frameworks (Struts 2, Spring MVC, Ruby on Rails, and .NET MVC). Sample applications are provided with guided tasks to ease participants into understanding the vulnerabilities in each framework and the overall steps a code reviewer should follow to identify these vulnerabilities. This talk is a trimmed down version of the 3 hour workshop given at Blackhat. This is an advanced talk and an understanding of the application frameworks is a prerequisite to get the most out of this talk.

Speakers
Abraham Kang

Senior Director Software, Samsung Research America
Abraham Kang is fascinated with the nuanced details associated with machine learning algorithms, programming languages and their associated APIs. Kang has a B.S. from Cornell University and JD from Lincoln Law School of San Jose. He has worked for various companies helping to drive...


Friday October 26, 2012 3:00pm - 3:45pm CDT
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm CDT

Web App Crypto - A Study in Failure

Seldom in cryptography do we have any unconditional proofs of the difficulty of defeating our cryptosystems. Furthermore, we are often defeated not by the attacks we anticipated, but by the vectors we did not know about. Like fire and safety engineers, we learn from the mistakes of the past in order to avoid similar mistakes in the future. This presentation is a summary of the mistakes that web app developers have made in implementing cryptosystems, so that we do not repeat them.


Speakers
Travis H

Secure Software Development Life Cycle Specialist, Well-Known Financial Institution
Travis has been employed doing security or cryptography for financial institutions, top 50 web sites, e-commerce hosting companies, web software companies, and other organizations. He has been part of the largest security monitoring operation in the world, part of the security team...


Friday October 26, 2012 3:00pm - 3:45pm CDT
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm CDT

Origin(al) Sins

The web has a Confused Deputy problem at the heart of many of our hardest security challenges. Tricking a browser or site into using latent credentials and authentication information for other parties and sites is the game, and XSS is how it's played. With CSP, sandboxed iframes, and the next version of Chrome Apps, Google is tackling these challenges for app authors head-on, making it easier to build secure apps than insecure ones and removing the potential for confusion by removing ambient authority itself. This talk explores why, how, and when we might finally improve the baseline security level of new apps.


Speakers
Alex Russell

Google
Alex Russell is a software engineer on the Chrome team at Google where he serves on the standards body for JavaScript (ECMA TC39), helps shape new web platform APIs and features, contributes to Chrome for Android and Chrome Frame, and agitates for a better app platform.


Friday October 26, 2012 3:00pm - 3:45pm CDT
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm CDT

Using Interactive Static Analysis for Early Detection of Software Vulnerabilities

We present our work on using interactive static analysis to improve upon static analysis techniques by introducing a new mixed-initiative paradigm for interacting with developers to aid in the detection and prevention of security vulnerabilities. The key difference between our approach and standard static analysis is interaction with the developers. Specifically, our approach is predicated on the following principles:
• Secure programming support should be targeted towards general developers who understand the application logic, but may have limited knowledge of secure programming;
• Secure programming support should be provided while the code is being developed, integrated into the development tools;
• Secure programming support should reduce the workload in detecting and resolving vulnerabilities; and
• Developers should be able to provide feedback about the application context that can drive customized security analysis.

We have evaluated our approach using an active open source project, Apache Roller. Our results show that interactive data flow analysis can potentially reduce the effort of finding and fixing vulnerabilities by as much as 50%. Using interactive control flow analysis, we found cross-site request forgery vulnerabilities in the current Roller release. The Roller team issued patches based on our report (CVE-2012-2380). We have also performed user studies, both with students and with professional developers, with promising results. For example, preliminary data suggests that, using ASIDE, students who do not have secure programming training can write much more secure code.


Speakers
Bill Chu

Professor, University of North Carolina at Charlotte
I received my Ph.D. in Computer Science from the University of Maryland at College Park. My current research is focused on building interactive tools to support developers writing more secure code. Part of this effort is the OWASP ASIDE project (https://www.owasp.org/index.php/OWASP_ASIDE_Project...


Friday October 26, 2012 3:00pm - 3:45pm CDT
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm CDT

Pining For the Fjords: The Role of RBAC in Today's Applications

Is role-based access control (RBAC) really dead? It has a few snipers lined up to take it out, but it's still a fixture in legacy applications, and the need to abstract and organize permissions isn't going away. The move to third-party application services is both creating a topological crisis for the enterprise and driving its further abstraction as an organization: when there is no more "central control" of an application infrastructure, how are roles supposed to maintain security? This talk describes current issues with RBAC and explores options for the future, including multi-contextual roles and identities, provider-centric roles, and role risk assessment. We promise not to call it RBAC 2.0.


Speakers
Wendy Nather

Research Director, Enterprise Security Practice, 451 Research
Wendy Nather is Research Director, Security, within 451 Research's Enterprise Security Program, providing analysis on the current state of security from the perspective of a veteran CISO. Wendy's primary areas of coverage are on application security and security services. Wendy joined...


Friday October 26, 2012 4:00pm - 4:45pm CDT
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm CDT

Counterintelligence Attack Theory

This presentation is centered on a new theory of attack prevention known as the Counterintelligence Attack Theory. The NSA has developed and published an approach to cyber security known as Defense In Depth. It is a practical strategy for achieving Information Assurance in today’s highly networked environments, yet it is used as more of a catch phrase than a realistic approach. Best practices and defense simply cannot prevent the attacks which have not been predefined or previously observed.

The Defense In Depth stratagem will be reviewed and the procedure of Counterintelligence Attack Theory is presented as the missing element. The presentation concludes that Cyber Intelligence Analysts are missing from corporate organizations and are needed to develop the ability to understand cyber-attacks through a more holistic approach.

Further Info:
Public entities and private corporations incur considerable expenditures to prevent, mitigate, or remediate cyber-attacks. The current strategy employed is known as Defense In Depth. This is a practical strategy for achieving Information Assurance in today’s highly networked environments. It is a “best practices” strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy recommends a balance between the protection capability and cost, performance, and operational considerations. Unfortunately, the techniques that are used today are mostly based on deploying software and hardware technologies that provide an ability to restrict known attacks (or the proverbial low-hanging-fruit) and are at best reactive in nature.

Best practices simply cannot prevent the attacks which have not been predefined or previously observed. This talk will present a new theory on attack prevention known as the Counterintelligence Attack Theory. It is not from a military perspective and is meant to address those with corporate responsibility for cyber security. Without addressing the legal framework or possible complications of a covert cyber action, this theory is designed to be an additional method of collection for the cyber intelligence analyst.


Speakers
Fred Donovan

Fred is a Professor and an application security researcher.


Friday October 26, 2012 4:00pm - 4:45pm CDT
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm CDT

Top Strategies to Capture Security Intelligence for Applications

Security professionals have years of experience logging and tracking network security events to identify unauthorized or malicious activity on a corporate network. Unfortunately, many of today's attacks are focused on the application layer, where the fidelity of logging for security events is less robust. Most application logs are typically used to see errors and failures and the internal state of the system, not events that might be interesting from a security perspective. Security practitioners are concerned with understanding patterns of user behavior and, in the event of an attack, being able to see an entire user’s session. How are application events different from network events? What type of information should security practitioners ensure software developers log for event analysis? What are the types of technologies that enable application-level logging and analysis? In this presentation, John Dickson will discuss what should be present in application logs to help understand threats and attacks, and better guard against them.


Speakers
John Dickson

VP, Coalfire
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group...


Friday October 26, 2012 4:00pm - 4:45pm CDT
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm CDT

Four Axes of Evil

Abstract: This presentation focuses on large-scale internet vulnerability research from four unique perspectives, identifying patterns and exposing security issues that are difficult to identify using traditional approaches.


Speakers
HD Moore

CSO, Rapid7
HD is Chief Security Officer at Rapid7 and Chief Architect of Metasploit, the leading open-source penetration testing platform. HD founded the Metasploit Project in the summer of 2003 with the goal of becoming a public resource for exploit code research and development.


Friday October 26, 2012 4:00pm - 4:45pm CDT
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm CDT

Security at Scale

Application Security is a tough challenge in any organization, but working in open source projects has some distinct challenges. Working on AppSec in an open source project that has several hundred employees, thousands of contributors, and hundreds of millions of users has a whole other set of challenges.

In this session I will cover how the Mozilla Security Assurance team addresses application security for client applications, web applications and services, and introduce two tools that we have developed to help scale our security program.


Speakers
Yvan Boily Minion

Application Security Manager, Mozilla
Yvan Boily is an Application Security Manager with Mozilla Corporation, and prior to that has a background in security with Finance and Government. Yvan Boily has previously launched an OWASP chapter in Winnipeg and currently leads the OWASP Vancouver chapter.


Friday October 26, 2012 4:00pm - 4:45pm CDT
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

5:00pm CDT

Closing Remarks and Prizes

Closing remarks about the conference and announcing AppSecUSA 2013. This will be done in an unconference style where there is an open mic to talk about what we have learned.


Friday October 26, 2012 5:00pm - 5:45pm CDT
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704