Security and why you need to review yours.
David Busby
Percona Live London 2013
Who am I?
David Busby
● Remote DBA for Percona (since January 2013)
● 13 some years as a sysadmin
● Paranoid when it comes to security, and legal agreements.
● Ju-Jitsu instructor (Ni Dan)
● Helps to teach children computing.
www.percona.com
Agenda
● What's an "attack surface" and how to limit it.
● Why password complexity is important.
● Why rigid grants are important.
● SELinux: why you should be using it.
● What's a CVE and why should you care?
● 0-days, and F.U.D
● 5.6 Security features
● Q&A
Agenda cont.
● Some prizes.
● And a disclaimer.
  ● My opinions expressed may not reflect those of my employer .. and so on
What's an "attack surface"?
Points in your system which could be attacked:
● application
● database
● physical systems
● network
● your employees
● hosting provider
● hosting provider's employees
Reducing your "attack surface"
Application
● Validate ALL user input (and keep data out of query strings: prepared statements, not string-built SQL).
● CSRF / XSRF tokens
● W.A.F / I.P.S
  ● e.g. mod_security
  ● Do not leave an I.P.S in I.D.S mode: detect-only (mod_security's SecRuleEngine DetectionOnly) logs the attack but lets it through.
● Security auditing
  ● Do not rely on scanning software.
  ● Penetration testing.
● M.A.C
  ● SELinux
Reducing your "attack surface"
Database
● Limit network exposure (no access from the internet).
● Network segregation from application (hardware or VLAN).
● Selective grants
● Complex passwords
● I.P.S
● Avoid "IDENTIFIED BY 'the_plain_password'" SQL.
  ● The plaintext appears in history files, e.g. ~/.mysql_history (point MYSQL_HISTFILE at /dev/null for that session, or supply a pre-computed hash with IDENTIFIED BY PASSWORD '*...' instead).
● M.A.C
  ● SELinux (notice a pattern here?)
Reducing your "attack surface"
Physical Systems
● Limit physical access.
● Challenge "implied trust".
  ● Barclays £1.3m "haul" could have been avoided.
  ● Uniform / badge != identification.
  ● Security "mantraps".
● Don't rely on biometrics.
  ● Just ask the MythBusters about "unbeatable fingerprint readers".
● Remove unneeded services / applications.
  ● Your rackmount server really doesn't need Bluetooth.
Image credit: http://news.bbcimg.co.uk/media/images/70014000/jpg/_70014486_co607-13device.jpg
Reducing your "attack surface"
Network
● Selective ACL
  ● Specify which hosts may access the DB network and limit the ports.
  ● Application nodes do not need access to SSH on the db servers, for instance.
  ● A dedicated chain keeps the rules readable; note that the ACCEPT below only restricts anything if INPUT has a default-deny policy (or the chain ends by dropping everything else destined for 3306), an ACCEPT on its own permits, it never denies:

    iptables -N MySQL
    iptables -I INPUT -j MySQL
    iptables -A MySQL -s <application_node_range> -p tcp --dport 3306 \
      -m comment --comment "application range access to MySQL" -j ACCEPT

● Network isolation
  ● Application systems separated from DB servers.
Reducing your "attack surface"
Employees (Layer 8 / Meatware).
● Awareness training
● Most people want their company to have a high profile.
  ● Customer relations, improve sales.
  ● LinkedIn, Facebook etc ...
  ● Finding this much information used to be hard.
  ● Tools (e.g. Maltego) make information gathering easier.
● Makes them easier to target.
  ● Call $company, pretend to be $employee on the road, ask for some otherwise restricted information.
  ● "Social engineering": fancy term for conning people.
  ● "phishing" / "spear phishing"
  ● "Run this program as root / administrator for free stuff!"
Reducing your "attack surface"
Employees (cont)
● B.Y.O.D?
  ● $employee uses $phone for work.
  ● $phone is $employee's property.
  ● $employee uses $phone for:
    ● email, VPN, intranet, SMS / push notifications.
    ● Bank application, e-payment (e.g. Google Wallet).
  ● $phone is now a more attractive target.
    ● Physical attacks: theft, lock screen bypasses, debug abuse (p2p-adb etc.), N.F.C.
    ● Remote attacks: Karma / Jasager (rogue access points that answer every probed SSID), Bluetooth.
image credit: http://securityreactions.tumblr.com/post/65286584262/byod-good-plan
Reducing your "attack surface"
Employees (cont)
● Do not blindly trust devices.
  ● Malicious H.I.D devices.
    ● Teensy-based HID prototypes have evolved.
    ● DLP bypass
  ● Malicious Thunderbolt chain devices.
● Challenge identity, and "implied trust".
  ● It's OK to ask for proof of identity! We do this for all systems, why not people?
  ● "Hello, I am calling from the computer security centre about the virus on your Windows machine..."
  ● Exploiting "implied trust"
    ● "Would you like a christmas tree in your bank account sir?" (Fonejacker)
Reducing your "attack surface"
Certain allowances must be made.
● Trust in service / hosting provider.
  ● Some steps can be taken.
    ● Challenge identity if contacted, and verify.
    ● Documentation on security measures / compliance.
      ● You get one for an S.L.A ... get one for security!
      ● Most have some P.C.I compliance at least.
● Trust in mobile networks ... (though note GSM and 3G have been proven to be broken).
Why rigid grants are important
● How often do you see an application with "ALL PRIVILEGES ON *.*"?
  ● cacti
  ● phpmyadmin
● How about "WITH GRANT OPTION"?
● We also need to be concerned with: Super_priv, Create_routine_priv, Insert_priv
Image credit: http://upload.wikimedia.org/wikipedia/en/8/8c/The_Keymaker.jpg
Why rigid grants are important
● Super
  ● kill any process, stop/reset slaves, write to a read_only server etc. (part of ALL).
● FILE && Create routine
  ● We're going to abuse these to inject a malicious UDF shortly (FILE writes the shared object into plugin_dir; CREATE FUNCTION ... SONAME then loads it).
● Insert_priv
  ● _could_ be used to create users and access permissions by inserting into mysql schema tables (live after FLUSH PRIVILEGES).
● WITH GRANT OPTION
  ● no application should need to create grants.
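A worked audit of SHOW GRANTS output for the privileges called out on the last two slides. This is an added example, not code from the talk: the grant lines are constructed to look like `SHOW GRANTS FOR 'user'@'host'` output from a 5.5/5.6 server, and the cacti, app, etl and reporting accounts, their hosts and the hash in the first line are invented.

```python
"""Audit SHOW GRANTS output for the privileges singled out above.

Added example, not code from the talk. The grant lines are constructed
to look like `SHOW GRANTS FOR 'user'@'host'` output from a 5.5/5.6 server.
"""
import re

# Global privileges the slides call out, and why each one matters.
DANGEROUS_GLOBAL = {
    "ALL PRIVILEGES": "full control of the server (includes SUPER and FILE)",
    "SUPER": "kill any session, stop/reset slaves, write to a read_only server",
    "FILE": "read and write files as the mysqld OS user (LOAD DATA / INTO OUTFILE)",
    "CREATE ROUTINE": "combined with FILE lets an attacker drop and load a UDF",
}

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<obj>\S+) TO (?P<user>'[^']*'@'[^']*')(?P<rest>.*)$"
)
MYSQL_SCHEMA_RE = re.compile(r"^`?mysql`?\.")


def parse_grant(line):
    """Return (privileges, object, user, has_grant_option) for one SHOW GRANTS line."""
    m = GRANT_RE.match(line.strip())
    if not m:
        raise ValueError("not a GRANT statement: %r" % line)
    privs = [p.strip().upper() for p in m.group("privs").split(",")]
    grant_option = "WITH GRANT OPTION" in m.group("rest").upper()
    return privs, m.group("obj"), m.group("user"), grant_option


def audit_grants(lines):
    """Return (user, finding) pairs for every grant that breaks least privilege."""
    findings = []
    for line in lines:
        privs, obj, user, grant_option = parse_grant(line)
        if grant_option:
            findings.append((user, "WITH GRANT OPTION: no application needs to create grants"))
        if obj == "*.*":
            for p in privs:
                if p in DANGEROUS_GLOBAL:
                    findings.append((user, "%s ON *.*: %s" % (p, DANGEROUS_GLOBAL[p])))
        # INSERT into the mysql schema is as good as CREATE USER + GRANT (after FLUSH PRIVILEGES).
        if MYSQL_SCHEMA_RE.match(obj) and ("INSERT" in privs or "ALL PRIVILEGES" in privs):
            findings.append((user, "write access to the mysql schema: can add users and privileges"))
    return findings


# Constructed sample: what SHOW GRANTS typically returns for a monitoring tool,
# an application user, an ETL user and a "reporting" user (hash is a dummy value).
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'cacti'@'%' IDENTIFIED BY PASSWORD '*0123456789ABCDEF0123456789ABCDEF01234567' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `app`.* TO 'app'@'10.0.1.%'",
    "GRANT FILE, CREATE ROUTINE ON *.* TO 'etl'@'localhost'",
    "GRANT INSERT ON `mysql`.* TO 'reporting'@'localhost'",
]

if __name__ == "__main__":
    for user, finding in audit_grants(SAMPLE_GRANTS):
        print("%-25s %s" % (user, finding))
```

Feed it the output of SHOW GRANTS for each row of mysql.user (one statement per line); only the application account restricted to its own schema from a specific host range comes back clean.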
Why password complexity is important
So let's consider:
● I'm an attacker; I've compromised your web application.
● I've been able to grab a "hashdump".
  ● A dump of the mysql.user table containing the password hashes.
● Or I'm "sniffing" MySQL traffic from the application host hoping to capture the "handshake" of a privileged user.
  ● Harder than a dump: the salt (challenge) changes with every connection, so a pre-computed hash table cannot be reused and each candidate password has to be hashed against the captured salt.
Why password complexity is important
Authentication handshake in brief.
● client opens a tcp connection to the server.
● mysqld sends a greeting containing a random 20-byte salt (the challenge).
● client uses the salt and replies with a sha1-based "scramble" instead of the password:
    SHA1(password) XOR SHA1(salt <concat> SHA1(SHA1(password)))
● The server never sees the password: it holds only SHA1(SHA1(password)), XORs the scramble with SHA1(salt <concat> stored_hash) to recover SHA1(password), and checks that hashing that once more gives the stored value.
● MySQL 5.5 password hashes (mysql_native_password):
    SHA1(SHA1(password))
  ● stored in mysql.user as '*' followed by 40 hex characters; there is no per-user salt, so identical passwords give identical hashes and one pre-computed table serves every dump.
Why password complexity is important
● We're going to recover the passwords for the following (mysql_native_password hashes, leading '*' omitted as hashcat expects them):
    D306CEB16052CBB8539617888512E58CA68E1AD1
    CB7DFF0540F8C51BF178A1502A286FB8F4A2691E
    E8820BB0161312465DBB69D9E2A1A73841B63B62
    B415DD9C4FB5EF59FE80C4FEBC1F9C715E6E97C4
Why password complexity is important
● Be honest, who is thinking this right now?
image credit: http://securityreactions.tumblr.com/post/52788324439/when-i-told-a-former-director-i-could-still-crack-his
Why password complexity is important
● Demo: oclHashcat, mysql5 mode, 4 hashes in < 1 second
  ● sha1(sha1(password))
Why password complexity is important
Know thy "enemy" (and make them your friend)
● oclHashcat
  ● uses OpenCL for GPU based hash calculation.
  ● easily runs 270M/s+ brute force MySQL5 hashes
    ● Tested on a Radeon 7750, Fedora 18 x86_64
  ● Many supported hashes
● pre-computed hash tables
  ● Stored hashes derived from
    ● Dictionaries / wordlists
    ● public password list leaks
  ● My table has ~151M (and growing) unique words
    ● Generated from public lists (mostly skullsecurity.org)
    ● Extended using John the Ripper.
  ● You do not want your password on that list!
Why password complexity is important
Know thy enemy cont:
● CPU vs GPU
  ● GPU processing has greater parallelism, resulting in much faster hash rates; CPU hashing is still fast.
  ● John the Ripper, hashcat (+variants), pyrit
  ● Python CPU example (nyancrack)
● Pre-computed hash tables != rainbow tables.
  ● A pre-computed table stores every (hash, password) pair and costs one lookup; a rainbow table stores only chain endpoints and trades storage for recomputation. Both are defeated by a per-password salt, which MySQL's SHA1(SHA1()) scheme lacks.
Why password complexity is important
nyancrack
● python multiprocessing (~360K/s MySQL5)
● variable threads
● modular extension
● no OpenCL support (yet)
● low memory overhead
  ● peak 1015MB consumed producing a 6.1GB file.
  ● tuneable memory usage feature planned.
● Why not have MySQL calc the hashes?
  ● SLOW! < 500 hashes / second in limited testing.
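The handshake from the earlier slide and the two attacks (dumped hashes, sniffed handshake) side by side, to make concrete why one is a table lookup and the other is per-salt work. Added example, not the talk's nyancrack or oclHashcat: the wordlist, the three accounts and their passwords are constructed, and os.urandom stands in for the server's 20-byte challenge.

```python
"""MySQL native authentication, and why a hash dump or a sniffed handshake
is enough to recover weak passwords offline.

Added example, not code from the talk. The wordlist, the "dumped" hashes and
the "captured" handshake are all constructed here so it runs offline.
"""
import hashlib
import os


def sha1(data):
    return hashlib.sha1(data).digest()


def mysql_native_hash(password):
    """What mysql.user stores for mysql_native_password: '*' + hex(SHA1(SHA1(pw))).
    (oclHashcat's mysql5 mode takes the 40 hex chars without the '*'.)"""
    return "*" + sha1(sha1(password.encode())).hex().upper()


def client_scramble(password, salt):
    """Client side of the handshake from the slide:
    SHA1(password) XOR SHA1(salt || SHA1(SHA1(password)))."""
    h1 = sha1(password.encode())
    mask = sha1(salt + sha1(h1))
    return bytes(a ^ b for a, b in zip(h1, mask))


def server_verify(stored_hash, salt, scramble):
    """Server side: it only holds SHA1(SHA1(pw)). XORing the mask back out of the
    scramble yields SHA1(pw); hashing that once more must equal the stored value."""
    h2 = bytes.fromhex(stored_hash.lstrip("*"))
    mask = sha1(salt + h2)
    h1 = bytes(a ^ b for a, b in zip(scramble, mask))
    return sha1(h1) == h2


def crack_hashdump(stored_hashes, wordlist):
    """Attack 1: dumped mysql.user hashes. They are unsalted, so one SHA1(SHA1())
    per candidate builds a table that is checked against every hash at once."""
    table = {mysql_native_hash(w): w for w in wordlist}   # the "pre-computed hash table"
    return {h: table[h] for h in stored_hashes if h in table}


def crack_handshake(salt, scramble, wordlist):
    """Attack 2: sniffed handshake. The salt differs per connection, so the table
    above is useless here; every candidate must be re-scrambled against this salt."""
    for w in wordlist:
        if client_scramble(w, salt) == scramble:
            return w
    return None


# Constructed inputs: a tiny wordlist and three accounts, one of which has a
# password that is not on the list.
WORDLIST = ["123456", "password", "PLUK", "letmein", "qwerty123"]
ACCOUNTS = {
    "cacti": mysql_native_hash("password"),
    "root": mysql_native_hash("PLUK"),
    "dba": mysql_native_hash("wrong-Horse!Battery-stapl3"),
}


def demo():
    """Run both attacks; returns ({hash: password}, password_from_handshake)."""
    found = crack_hashdump(ACCOUNTS.values(), WORDLIST)
    salt = os.urandom(20)                          # the server's challenge
    captured = client_scramble("PLUK", salt)       # what the sniffer saw from root
    assert server_verify(ACCOUNTS["root"], salt, captured)
    return found, crack_handshake(salt, captured, WORDLIST)


if __name__ == "__main__":
    found, from_handshake = demo()
    for name, h in ACCOUNTS.items():
        print("%-6s %s -> %s" % (name, h, found.get(h, "not recovered")))
    print("handshake for root ->", from_handshake)
```

The dba account survives both attacks only because its password is not on the list; nothing in the scheme itself slows the attacker down, which is the whole argument of this section.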
Why password complexity is important
Conclusion?
● Complexity increases the time for recovery.
  ● cost vs reward.
  ● "most" attackers want the quick win.
● Reduces "exposure"
  ● If it's going to take N time to recover the password:
    ● Increased likelihood of discovering the breach before recovery.
    ● Changing passwords renders recovered credentials useless.
    ● Also remember to "plug the hole".
SELinux: why you should be using it.
Let's deal with the what before the why.
● SELinux is a M.A.C (Mandatory Access Control) system which uses "labels".
● We're going to look at the more common "targeted" policy.
  ● not covering MLS / Strict
● /etc/selinux/config
    SELINUX=enforcing
    SELINUXTYPE=targeted
SELinux: why you should be using it.
Labels
● SELinux contexts applied to files, ports (and processes).
  ● user:role:type:level(optional)
  ● the targeted policy really only looks at the "type".
● Type enforcement (policies)
  ● A process running with the X context is allowed to access a resource with the Y context, but not the Z context.
image credit: https://i.chzbgr.com/maxW500/1659454208/hE5C2A3CB/
SELinux: why you should be using it.
You want mysql (running as mysqld_t) to be able to access:
● /var/lib/mysql (mysqld_db_t)
● /var/log/mysql (mysqld_log_t)
● *:3306 (mysqld_port_t)
But you probably do not want MySQL accessing:
● /etc/passwd (passwd_file_t)
● /etc/shadow (shadow_t)
● http_port_t, ssh_port_t
SELinux: why you should be using it.
So how do I get the current contexts?
● ls -Z
    unconfined_u:object_r:mysqld_db_t:s0 /var/lib/mysql/ibdata1
● ps -eZ
    system_u:system_r:mysqld_t:s0 (the mysqld process)
● id -Z
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
● Many standard Linux utilities take the -Z argument.
SELinux: why you should be using it.
● Most people's experience of SELinux seems to be: "So I `setenforce 1` and ..."
image credit: http://securityreactions.tumblr.com/post/53675346932/hey-guys-check-out-this-new-exploit
SELinux: why you should be using it.
● setenforce 0 == Permissive != OFF
  ● Useful for debugging (denials are still logged to audit.log, just not enforced).
  ● Always go back to setenforce 1 == Enforcing
● New tools make things easier.
  ● setroubleshoot-server
  ● libselinux-python
● e.g. from the (coming next) demo:
  ● "MySQL connection failed Can't connect to MySQL server on '172.16.33.3' (13)"
  ● OS error code 13: Permission denied
SELinux: why you should be using it.
Using SELinux is easier than you might think.
● A couple of "gotchas" to be aware of.
  ● New files / dirs inherit contexts (from the parent directory).
  ● Moved files / dirs keep their original contexts (mv preserves the label, cp applies the destination's default).
● Let's go over two quick examples.
  ● PHP web app can not connect to MySQL on a remote system.
  ● MySQL fails to start with a non-standard datadir.
SELinux: why you should be using it.
Demo 1: PHP web app can not connect to MySQL on a remote system.
● httpd_t may not open outbound connections to mysqld_port_t until the SELinux boolean httpd_can_network_connect_db is on (setsebool -P to make it persistent).

SELinux: why you should be using it.
Demo 2: MySQL fails to start with a non-standard datadir.
● A datadir created outside /var/lib/mysql inherits its parent's label, which mysqld_t is not allowed to use; relabel it as mysqld_db_t (persistently, via semanage fcontext, then restorecon) rather than switching SELinux off.
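How a practitioner reads the AVC denials behind the two demos, and one denial that must not be "fixed". Added example, not the talk's demo code: the audit.log lines are constructed to match the real record format, /srv/mysql is an assumed non-standard datadir path, and the remediation strings are the standard commands (setsebool, semanage fcontext, restorecon), not something the page ran.

```python
"""Triage SELinux AVC denials for the two demo cases above (and one that must
not be "fixed").

Added example, not code from the talk. The audit.log lines are constructed to
match what /var/log/audit/audit.log records; /srv/mysql is an assumed
non-standard datadir path.
"""
import re

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Labels a directory created outside /var/lib/mysql typically inherits from its
# parent (or a file keeps after being moved in): wrong for mysqld, safe to relabel.
GENERIC_FILE_TYPES = {"default_t", "var_t", "usr_t", "user_home_t", "home_root_t"}
# Labels mysqld_t must never be allowed at; a denial here is the policy working.
PROTECTED_TYPES = {"shadow_t", "passwd_file_t", "etc_t"}


def parse_avc(line):
    """Return the denied permissions plus every key=value field, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    # user:role:type[:level]; the targeted policy decides on the type field
    for ctx in ("scontext", "tcontext"):
        rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def remediation(rec, datadir="/srv/mysql"):
    """Map one parsed denial to what to run (or what not to run)."""
    s, t, cls = rec["scontext_type"], rec["tcontext_type"], rec["tclass"]
    if s == "httpd_t" and t == "mysqld_port_t" and cls == "tcp_socket" and "name_connect" in rec["perms"]:
        # Demo 1: the PHP app on the web node may not open TCP connections to a DB port.
        return "setsebool -P httpd_can_network_connect_db on"
    if s == "mysqld_t" and cls in ("file", "dir") and t in GENERIC_FILE_TYPES:
        # Demo 2: non-standard datadir. Record the label in the file context rules,
        # then apply it; a plain chcon would be lost on the next relabel.
        return 'semanage fcontext -a -t mysqld_db_t "%s(/.*)?" && restorecon -Rv %s' % (datadir, datadir)
    if s == "mysqld_t" and t in PROTECTED_TYPES:
        return "do not relabel or allow: mysqld has no business reading %s, investigate why it tried" % t
    return "no canned fix: run audit2why / sealert on this record"


def triage(lines):
    """Return (comm, permissions, advice) for each AVC line in an audit log excerpt."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            out.append((rec.get("comm", "?"), rec["perms"], remediation(rec)))
    return out


# Constructed audit.log excerpt: the web app's connect failure (error 13 on the
# PHP side), mysqld reading a freshly created /srv/mysql, an unrelated SYSCALL
# record, and mysqld being (rightly) refused /etc/shadow.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1384000000.101:321): avc:  denied  { name_connect } for  pid=2134 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1384000000.202:322): avc:  denied  { read } for  pid=2201 comm="mysqld" name="ibdata1" dev="dm-0" ino=131 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1384000000.202:322): arch=c000003e syscall=2 success=no exit=-13 comm="mysqld"',
    'type=AVC msg=audit(1384000000.303:323): avc:  denied  { read } for  pid=2201 comm="mysqld" name="shadow" dev="dm-0" ino=42 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]

if __name__ == "__main__":
    for comm, perms, advice in triage(SAMPLE_AUDIT):
        print("%-7s denied %-15s -> %s" % (comm, " ".join(perms), advice))
```

The third record is the point of the whole section: a confined mysqld asking for /etc/shadow is exactly the "out of context" behaviour the next slides describe, and the right response is to find the injected code, not to run audit2allow.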
SELinux: why you should be using it.
Ok, SELinux is usable, still why should I care?
● Additional layer of security.
● Mandatory Access Control
  ● Arrests "out of context" behaviour.
● Discretionary Access Control "trusts running software": it assumes the program should access everything the user can.
● Let's see how bad things could get.
SELinux: why you should be using it.
"Perfect storm" example.
● Webapp has command injection.
  ● Or has a vulnerability such as CVE-2012-1823 (PHP CGI argument injection, giving remote code execution).
  ● (Also has SQL injection, but we're not going to attack it in this example).
● SELinux is Permissive / OFF
● Bad grants (ALL PRIVILEGES ON *.*)
● We're going to:
  ● Deploy a php shell.
  ● Deploy a UDF.
  ● Have some fun with the command line via mysql ...
SELinux: why you should be using it.
● We're abusing everything we have already outlined as being "bad".
● Some steps are purposely skipped!
  ● This isn't a "how to hack".
● Code will be made available @ Github
  ● Most of it.
LEGAL DISCLAIMER!
● This is on a local VM environment only.
● For informational purposes only.
● Use at your own risk.
SELinux: why you should be using it.
Demo: "PHP cmd injection" -> "PHP CMD shell" -> "MySQL load UDF"
SELinux: why you should be using it.
● Assuming everything went as planned ...
What's a CVE and why should you care?
● Common Vulnerabilities and Exposures.
● Common classification and notation of known vulnerabilities.
  ● e.g. CVE-2013-2094, perf_swevent_init() privilege escalation in the Linux kernel.
● $vendors usually use this to classify the vulnerabilities referenced in their errata.
● Not always used as intended however.
  ● e.g. Oracle filed many CVEs on 2013-10-16 and 2013-07-17, CVE-2013-3826 -> CVE-2013-5867
  ● "Unspecified vulnerability in Oracle <product> allows remote/local attackers to affect confidentiality/integrity/availability via unknown vectors"
  ● No helpful information for 'J.I.T' mitigation / vulnerability analysis.
What's a CVE and why should you care?
Information in an as-intended CVE filing can be used to:
● Check $vendor errata for relevant patches.
● Contact $vendor with relevant information to patch.
● Leverage J.I.T methods to mitigate risk.
  ● e.g. the user_u SELinux context blocks the root shell from the CVE above: the exploit's uid-0 shell keeps the caller's confined context, so it is still denied most of what root could otherwise do.
What's a CVE and why should you care?
● Syntax is changing from Jan 2014
  ● the sequence number is no longer fixed at four digits: CVE-YYYY-NNNN becomes CVE-YYYY-NNNNN (or longer), so anything matching IDs with a fixed-width pattern needs updating.
What's a CVE and why should you care?
Additional resources.
● OSVDB (Open Source Vulnerability Database)
● Secunia
● NVD (National Vulnerability Database)
0-days, and F.U.D
● 0-day: an attack leveraging an unknown (and therefore unpatched) vulnerability.
● Some "claims" are just posturing.
● If concerned, search for p.o.c. code and test.
  ● In a virtual lab environment.
● "Hardening" is the best defense against the unknown. (You lock your doors after all).
  ● Reducing your attack surface is a good first step.
  ● Prepare for the worst, hope for the best.
  ● "By failing to prepare, you are preparing to fail." Benjamin Franklin.
0-days, and F.U.D
0-days ... it's all about being prepared.
● Be aware of potential unknowns.
  ● If you use HA you prepare for system failure after all.
  ● Not much of a leap to prepare for security.
● Build hardened systems, from the ground up.
  ● Avoid the "foolish man who built his house on sand".
● Make management easy with $provisioning
  ● Ansible
  ● Puppet
  ● Chef
  ● Salt
5.6 Security features
● Password expiration policy
  ● Drops the user into "sandbox" mode when expired: only SET PASSWORD is accepted until the password is changed.
● validate_password plugin (see the 5.6 docs)
  ● validate_password_policy = LEVEL
    ● LOW / 0
      ● length >= 8 chars
    ● MEDIUM / 1 (Default)
      ● LOW + >= 1 number && >= 1 lowercase && >= 1 uppercase && >= 1 special character.
    ● STRONG / 2
      ● MEDIUM +
      ● substrings >= 4 chars must not appear in the defined dictionary file.
5.6 Security features
validate_password plugin cont.
● Customizable :-)
    validate_password_dictionary_file = ''
    validate_password_length = 8
    validate_password_mixed_case_count = 1
    validate_password_number_count = 1
    validate_password_special_char_count = 1
● Circumventable :-(
  ● @ another system: SELECT PASSWORD('PLUK');
  ● @ 5.6 system with validate_password_policy = MEDIUM:
    GRANT ALL PRIVILEGES ON *.* TO 'pluk'@'localhost' IDENTIFIED BY PASSWORD '*D306CEB16052CBB8539617888512E58CA68E1AD1'
  ● The plugin only ever checks a cleartext password; a pre-computed hash supplied via IDENTIFIED BY PASSWORD is stored as-is, so a 4-character password that even LOW would reject gets in.
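The three policy levels re-implemented so the rules above can be tried against real candidates, plus the pre-hashed loophole just described. Added example, not MySQL's validate_password code: the dictionary is a constructed stand-in for validate_password_dictionary_file, and password_for_grant is an illustrative model of how the server treats IDENTIFIED BY versus IDENTIFIED BY PASSWORD, not a MySQL API.

```python
"""The three validate_password_policy levels, re-implemented to show what each
accepts, and the IDENTIFIED BY PASSWORD loophole from the slide.

Added example, not MySQL's code. The dictionary stands in for
validate_password_dictionary_file and is constructed here.
"""
import hashlib

# The defaults listed on the slide.
LENGTH, MIXED_CASE, NUMBERS, SPECIAL = 8, 1, 1, 1
DICTIONARY = {"password", "pluk", "percona", "london", "qwerty"}   # constructed


def check_password(pw, policy="MEDIUM", dictionary=DICTIONARY):
    """Return the reasons pw fails the policy; an empty list means accepted."""
    problems = []
    if len(pw) < LENGTH:
        problems.append("shorter than validate_password_length=%d" % LENGTH)
    if policy == "LOW":
        return problems
    lower = sum(c.islower() for c in pw)
    upper = sum(c.isupper() for c in pw)
    if lower < MIXED_CASE or upper < MIXED_CASE:
        problems.append("needs %d lowercase and %d uppercase" % (MIXED_CASE, MIXED_CASE))
    if sum(c.isdigit() for c in pw) < NUMBERS:
        problems.append("needs %d digit(s)" % NUMBERS)
    if sum(not c.isalnum() for c in pw) < SPECIAL:
        problems.append("needs %d special character(s)" % SPECIAL)
    if policy == "MEDIUM":
        return problems
    # STRONG: no substring of 4+ characters may be a dictionary word (case-insensitive).
    low = pw.lower()
    for n in range(4, len(low) + 1):
        for i in range(len(low) - n + 1):
            if low[i:i + n] in dictionary:
                problems.append("contains dictionary word %r" % low[i:i + n])
                return problems
    return problems


def mysql_native_hash(password):
    """'*' + hex(SHA1(SHA1(pw))), i.e. what SELECT PASSWORD('...') returns."""
    return "*" + hashlib.sha1(hashlib.sha1(password.encode()).digest()).hexdigest().upper()


def password_for_grant(value, policy="MEDIUM", prehashed=False):
    """Illustrative model of the server's handling of IDENTIFIED BY in a GRANT.
    The plugin only ever sees cleartext; a value supplied via IDENTIFIED BY
    PASSWORD '*...' is stored as-is, which is the circumvention on the slide."""
    if prehashed:
        return value
    problems = check_password(value, policy)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return mysql_native_hash(value)


if __name__ == "__main__":
    for pw in ("PLUK", "percona1!", "Percona1!", "Xq7#mZ2$pL"):
        for policy in ("LOW", "MEDIUM", "STRONG"):
            print("%-12s %-6s %s" % (pw, policy, check_password(pw, policy) or "OK"))
    print(password_for_grant(mysql_native_hash("PLUK"), prehashed=True))
```

Note what STRONG adds: "Percona1!" satisfies every MEDIUM counter and is still rejected because "percona" is in the dictionary, which is the only one of the three levels that looks at what the password is rather than what character classes it contains.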
5.6 Security features
● Pluggable authentication.
  ● e.g. sha256_password (docs): a salted, multi-round SHA-256 hash instead of the unsalted SHA1(SHA1()), so identical passwords no longer share a hash and a pre-computed table no longer applies; the client sends the cleartext password, so it requires an SSL connection or the server's RSA public key to encrypt it.
Questions?
Annual Percona Live MySQL Conference and Expo
The Hyatt Regency Hotel, Santa Clara, CA
April 1st-4th, 2014
Visit: http://www.percona.com/live/mysql-conference-2014/

A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Recently uploaded (20)

Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

Security and why you need to review yours.

  • 1. Security and why you need to review yours. David Busby, Percona Live London 2013
  • 2. Who am I? David Busby
    ● Remote DBA for Percona
    ● January 2013
    ● 13-some years as a sysadmin
    ● Paranoid when it comes to security, and legal agreements.
    ● Ju-Jitsu instructor (Ni Dan)
    ● Helps to teach children computing.
  • 3. Agenda
    ● What’s an “attack surface” and how to limit it.
    ● Why password complexity is important.
    ● Why rigid grants are important.
    ● SELinux: why you should be using it.
    ● What's a CVE and why should you care?
    ● 0-days, and F.U.D
    ● 5.6 Security features
    ● Q&A
  • 4. Agenda cont.
    ● Some prizes.
    ● And a disclaimer.
      ● My opinions expressed may not reflect those of my employer .. and so on
  • 5. What’s an “attack surface”?
    ● Points in your system which could be attacked.
      ● application
      ● database
      ● physical systems
      ● network
      ● your employees
      ● hosting provider
      ● hosting provider's employees
  • 6. Reducing your “attack surface”
    ● Application
      ● Sanitize ALL user inputs
      ● CSRF / XSRF tokens
      ● W.A.F
      ● I.P.S
        ● e.g. mod_security
        ● Do not leave an I.P.S in I.D.S mode.
      ● Security auditing
        ● Do not rely on scanning software.
        ● Penetration testing.
      ● M.A.C
        ● SELinux
  • 7. Reducing your “attack surface”
    ● Database
      ● Limit network exposure (no access from the internet)
        ● Network segregation from application (hardware or VLAN)
      ● Selective grants
      ● Complex passwords
      ● I.P.S
      ● Avoid “IDENTIFIED BY 'the_plain_password'” SQL.
        ● Appears in history files, e.g. ~/.mysql_history
      ● M.A.C
        ● SELinux (notice a pattern here?)
  • 8. Reducing your “attack surface”
    ● Physical Systems
      ● Limit physical access.
      ● Challenge “implied trust”.
        ● Barclays £1.3m “haul”
          ● could have been avoided.
        ● Uniform / badge != identification.
        ● Security “mantraps”.
      ● Don't rely on biometrics
        ● Just ask the MythBusters about “unbeatable fingerprint readers”
      ● Remove unneeded services / applications.
        ● Your rackmount server really doesn't need Bluetooth.
    Image credit: http://news.bbcimg.co.uk/media/images/70014000/jpg/_70014486_co607-13device.jpg
  • 9. Reducing your “attack surface”
    ● Network
      ● Selective ACL
        ● Specify which hosts may access the DB network and limit the ports.
        ● Application nodes do not need access to SSH on the DB servers, for instance:
            iptables -N MySQL
            iptables -I INPUT -j MySQL
            iptables -A MySQL -s <application_node_range> -p tcp --dport 3306 -m comment --comment "application range access to MySQL" -j ACCEPT
      ● Network isolation
        ● Application systems separated from DB servers.
  • 10. Reducing your “attack surface”
    ● Employees (Layer 8 / meatware).
      ● Awareness training
      ● Most people want their company to have a high profile.
        ● LinkedIn, Facebook etc ...
        ● Customer relations, improve sales.
        ● Makes them easier to target.
        ● Finding this much information used to be hard.
        ● Tools (e.g. Maltego) make information gathering easier.
      ● Call $company, pretend to be $employee on the road, ask for some otherwise restricted information.
      ● “Social engineering”: fancy term for conning people.
        ● “phishing” / “spear phishing”
        ● “Run this program as root / administrator for free stuff!”
  • 11. Reducing your “attack surface”
    ● Employees (cont)
      ● B.Y.O.D?
        ● $employee uses $phone for work.
        ● $phone is $employee property.
        ● $employee uses $phone for:
          ● email, VPN, intranet, SMS / push notifications.
          ● Bank application, e-payment (e.g. Google Wallet).
        ● $phone is now a more attractive target.
          ● Physical attacks.
            ● Theft, lock screen bypasses, debug abuse (p2p-adb etc.), N.F.C.
          ● Remote attacks.
            ● Karma / Jasager
            ● Bluetooth
    image credit: http://securityreactions.tumblr.com/post/65286584262/byod-good-plan
  • 12. Reducing your “attack surface”
    ● Employees (cont)
      ● Do not blindly trust devices.
        ● Malicious H.I.D devices.
          ● Teensy duino HID prototypes have evolved.
          ● DLP bypass
        ● Malicious Thunderbolt chain devices.
      ● Challenge identity, and “implied trust”.
        ● It’s OK to ask for proof of identity! We do this for all systems, why not people?
        ● “Hello, I am calling from the computer security centre about the virus on your Windows machine...”
        ● Exploiting “implied trust”
          ● “Would you like a christmas tree in your bank account, sir?” (Fonejacker)
  • 13. Reducing your “attack surface”
    ● Certain allowances must be made.
      ● Trust in service / hosting provider.
        ● Some steps can be taken.
          ● Challenge identity if contacted, and verify.
          ● Documentation on security measures / compliance.
            ● You get some for an S.L.A ... get one for security!
            ● Most have some P.C.I compliance at least.
      ● Trust in mobile networks ... (though note GSM and 3G have been proven to be broken).
  • 14. Why rigid grants are important
    ● How often do you see an application with "ALL PRIVILEGES ON *.*"?
      ● cacti
      ● phpmyadmin
    ● How about "WITH GRANT OPTION"?
    ● We also need to be concerned with: Super_priv, Create_routine_priv, Insert_priv
    Image credit: http://upload.wikimedia.org/wikipedia/en/8/8c/The_Keymaker.jpg
  • 15. Why rigid grants are important
    ● Super
      ● kill any process, stop/reset slaves, write to a read-only server, etc. (part of ALL).
    ● FILE && Create routine
      ● We’re going to abuse these to inject a malicious UDF shortly.
    ● Insert_priv
      ● _could_ be used to create users, and grant permissions, by inserting into mysql schema tables.
    ● WITH GRANT OPTION
      ● no application should need to create grants.
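Slides 14 and 15 list the grants that an application account should never hold. The following is an added example, not code from the talk or from Percona, that runs that checklist over `SHOW GRANTS` output: it parses each GRANT statement and flags ALL PRIVILEGES, global `*.*` scope, WITH GRANT OPTION, SUPER, FILE, CREATE ROUTINE, write access to the `mysql` schema (the Insert_priv trick from slide 15) and a `%` host wildcard. The `SAMPLE_GRANTS` lines are constructed for the demonstration; on a real server you would feed it the output of `SHOW GRANTS FOR 'user'@'host'` for every account in `mysql.user`.

```python
import re

# Constructed "SHOW GRANTS" output for a few accounts; not from any real server.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'cacti'@'%' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `phpmyadmin`.* TO 'pma'@'localhost'",
    "GRANT SUPER, FILE, CREATE ROUTINE ON *.* TO 'webapp'@'10.0.1.%'",
    "GRANT INSERT ON `mysql`.* TO 'reporting'@'localhost'",
    "GRANT SELECT ON `shop`.`orders` TO 'reporting'@'localhost'",
]

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<object>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<rest>.*)$",
    re.IGNORECASE,
)


def parse_grant(line):
    """Split one GRANT statement into its parts. Column-level privileges
    such as "SELECT (col1, col2)" are not handled here."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    obj = m.group("object").replace("`", "")
    db, _, table = obj.partition(".")
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "privs": {p.strip().upper() for p in m.group("privs").split(",")},
        "db": db,
        "table": table,
        "grant_option": "WITH GRANT OPTION" in m.group("rest").upper(),
    }


def audit_grant(g):
    """Return the reasons this grant is wider than an application should get."""
    findings = []
    if "ALL PRIVILEGES" in g["privs"]:
        findings.append("ALL PRIVILEGES granted")
    for p in ("SUPER", "FILE", "CREATE ROUTINE"):
        if p in g["privs"]:
            findings.append(p + " granted")
    if g["grant_option"]:
        findings.append("WITH GRANT OPTION")
    if g["db"] == "*":
        findings.append("global scope (*.*)")
    # INSERT/UPDATE into the mysql schema (directly, or via a global grant)
    # lets the holder manufacture accounts and privileges by hand.
    if g["db"] in ("*", "mysql") and g["privs"] & {"INSERT", "UPDATE", "ALL PRIVILEGES"}:
        findings.append("write access to the mysql schema")
    if g["host"] == "%":
        findings.append("host wildcard '%'")
    return findings


def audit(lines):
    """Map 'user@host' to its findings; accounts with none are still listed."""
    report = {}
    for line in lines:
        g = parse_grant(line)
        if g is None:
            continue
        key = "%s@%s" % (g["user"], g["host"])
        report.setdefault(key, []).extend(audit_grant(g))
    return report


if __name__ == "__main__":
    for account, findings in audit(SAMPLE_GRANTS).items():
        print(account, "->", findings or "ok")
```

Only `pma@localhost` comes out clean: it has write privileges, but on its own schema and from localhost, which is the shape an application grant should have. Remember that `FLUSH PRIVILEGES` is needed after hand-edits to `mysql.user`, which is exactly why an attacker with Insert_priv wants SUPER or RELOAD as well.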
  • 16. Why password complexity is important
    ● So let's consider I'm an attacker; I've compromised your web application.
    ● I've been able to grab a "hashdump".
      ● A dump of the mysql.user table containing the password hashes.
    ● Or I'm "sniffing" MySQL traffic from the application host hoping to capture the "handshake" of a privileged user.
      ● More work: the challenge (salt) changes per connection, so precomputed hash tables can't be reused and each capture has to be attacked afresh.
  • 17. Why password complexity is important
    ● Authentication handshake in brief.
      ● client opens a TCP connection to the server.
      ● mysqld sends a greeting with a salt (challenge)
      ● client uses the salt and replies with a SHA1-derived "password" token:
        ● SHA1(password) XOR SHA1(salt <concat> SHA1(SHA1(password)))
    ● MySQL 5.5 password hashes
      ● SHA1(SHA1(password))
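The handshake on slide 17 and the two attacker positions on slide 16 (a stolen hashdump versus a sniffed handshake) fit in a few lines of Python. The block below is an added example, not code from the talk or from MySQL: it implements the `mysql_native_password` scramble exactly as the slide writes it, shows that the server can verify a login while holding only `SHA1(SHA1(password))`, and then runs a dictionary attack against both a stored hash and a captured challenge/response pair. `WORDLIST` and the challenge bytes are constructed for the demonstration; the only real-world input it needs is a `*`-prefixed 40-hex-digit hash from `mysql.user`.

```python
import hashlib
import os


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_hash(password: str) -> str:
    """Value held in mysql.user for mysql_native_password accounts:
    '*' followed by HEX(SHA1(SHA1(password))). No salt, no per-user secret."""
    return "*" + sha1(sha1(password.encode())).hex().upper()


def client_response(password: str, challenge: bytes) -> bytes:
    """Client side of the handshake (slide 17):
    SHA1(password) XOR SHA1(challenge || SHA1(SHA1(password)))."""
    stage1 = sha1(password.encode())
    stage2 = sha1(stage1)
    return xor(stage1, sha1(challenge + stage2))


def server_verify(stored: str, challenge: bytes, response: bytes) -> bool:
    """Server side. It only holds stage2 = SHA1(SHA1(password)), which is
    enough: XOR the response with SHA1(challenge || stage2) to recover the
    client's stage1, hash it once more and compare with what is stored."""
    stage2 = bytes.fromhex(stored[1:])
    stage1 = xor(response, sha1(challenge + stage2))
    return sha1(stage1) == stage2


def crack_stored(targets, wordlist):
    """Offline attack on a hashdump. Because the hash is unsalted, one
    precomputed table of SHA1(SHA1(word)) covers every account on every server."""
    table = {stored_hash(w): w for w in wordlist}
    return {t: table.get(t) for t in targets}


def crack_handshake(challenge, response, wordlist):
    """Attack on a sniffed handshake. The 20-byte challenge is fresh per
    connection, so nothing can be precomputed: every capture costs a full pass."""
    for w in wordlist:
        if client_response(w, challenge) == response:
            return w
    return None


# Constructed wordlist for the demonstration; a real run uses leaked lists.
WORDLIST = ["password", "letmein", "PLUK", "Percona2013!", "s3cr3t"]

if __name__ == "__main__":
    challenge = os.urandom(20)  # what mysqld puts in its greeting
    resp = client_response("PLUK", challenge)
    print("login ok:", server_verify(stored_hash("PLUK"), challenge, resp))
    print(crack_stored([stored_hash("s3cr3t"), stored_hash("correct horse")], WORDLIST))
    print(crack_handshake(challenge, resp, WORDLIST))
```

Two things to take from it. The stored hash alone does not let an attacker log in (the client needs `SHA1(password)`, which the server never stores), so a hashdump has to be cracked, not replayed; and `crack_stored` is a dictionary lookup while `crack_handshake` is a fresh hashing pass per capture, which is the difference the last bullet of slide 16 is pointing at.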
  • 18. Why password complexity is important
  • 19. Why password complexity is important
    ● We're going to recover the passwords for the following:
      ● D306CEB16052CBB8539617888512E58CA68E1AD1
      ● CB7DFF0540F8C51BF178A1502A286FB8F4A2691E
      ● E8820BB0161312465DBB69D9E2A1A73841B63B62
      ● B415DD9C4FB5EF59FE80C4FEBC1F9C715E6E97C4
  • 20. Why password complexity is important
    ● Be honest, who is thinking this right now?
    image credit: http://securityreactions.tumblr.com/post/52788324439/when-i-told-a-former-director-i-could-still-crack-his
  • 21. Why password complexity is important
    ● Demo: oclHashcat, mysql5 mode: 4 hashes in < 1 second
      ● sha1(sha1(password))
  • 22. Why password complexity is important
    ● Know thy “enemy” (and make them your friend)
      ● oclHashcat
        ● uses OpenCL for GPU-based hash calculation.
        ● easily runs 270M/s+ brute force on MySQL5 hashes
          ● Tested on a Radeon 7750, Fedora 18 x86_64
        ● Many supported hashes
      ● Pre-computed hash tables
        ● Stored hashes derived from
          ● Dictionaries / wordlists
          ● public password list leaks
        ● My table has ~151M (and growing) unique words
          ● Generated from public lists (mostly skullsecurity.org)
          ● Extended using John the Ripper.
        ● You do not want your password on that list!
  • 23. Why password complexity is important
    ● Know thy enemy cont:
      ● CPU vs GPU
        ● GPU processing has greater parallelism resulting in much faster hash rates; CPU hashing is still fast.
        ● John the Ripper, hashcat (+variants), pyrit
        ● Python CPU example (nyancrack)
      ● Pre-computed hash tables != rainbow tables.
  • 24. Why password complexity is important
    ● nyancrack
      ● python multiprocessing (~360K/s MySQL5)
      ● variable threads
      ● modular extension
      ● no OpenCL support (yet)
      ● low memory overhead
        ● peak 1015MB consumed producing a 6.1GB file.
        ● tuneable memory usage feature planned.
    ● Why not have MySQL calc the hashes?
      ● SLOW!
      ● < 500 hashes / second in limited testing.
  • 25. Why password complexity is important
    ● Conclusion?
      ● Complexity increases the time for recovery.
      ● cost vs reward.
        ● “most” attackers want the quick win.
      ● Reduces “exposure”
        ● If it's going to take N time to recover the password:
          ● Increased likelihood of discovering the breach before recovery.
          ● Changing passwords renders recovered credentials useless.
      ● Also remember to “plug the hole”.
  • 26. SELinux: why you should be using it.
    ● Let's deal with the what before the why.
      ● SELinux is a M.A.C which uses “labels”
      ● We're going to look at the more common "targeted" policy
        ● not covering MLS / Strict
      ● /etc/selinux/config
        ● SELINUX=enforcing
        ● SELINUXTYPE=targeted
  • 27. SELinux: why you should be using it.
    ● Labels
      ● selinux contexts applied to files, ports
        ● user:role:type:level(optional)
        ● targeted policy really only looks at the "type"
    ● Type enforcement (policies)
      ● A process running with X context
        ● is allowed to access a resource with the Y context but not Z context.
    image credit: https://i.chzbgr.com/maxW500/1659454208/hE5C2A3CB/
  • 28. SELinux: why you should be using it.
    ● You want mysql to be able to access:
      ● /var/lib/mysql (mysqld_db_t)
      ● /var/log/mysql (mysqld_log_t)
      ● *:3306 (mysqld_port_t)
    ● But you probably do not want MySQL accessing:
      ● /etc/passwd (passwd_file_t)
      ● /etc/shadow (shadow_t)
      ● http_port_t, ssh_port_t
  • 29. SELinux: why you should be using it.
    ● So how do I get the current contexts?
      ● ls -Z
        ● unconfined_u:object_r:mysqld_db_t:s0 /var/lib/mysql/ibdata1
      ● ps -Z
        ● system_u:system_r:mysqld_t:s0
      ● id -Z
        ● unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
      ● Many standard Linux utilities take the -Z argument.
  • 30. SELinux: why you should be using it.
    ● Most people's experience of SELinux seems to be: "So I `setenforce 1` and ..."
    image credit: http://securityreactions.tumblr.com/post/53675346932/hey-guys-check-out-this-new-exploit
  • 31. SELinux: why you should be using it.
    ● setenforce 0 == Permissive != OFF
      ● Useful for debugging.
      ● Always go back to setenforce 1 == Enforcing
    ● New tools make things easier.
      ● setroubleshoot-server
      ● libselinux-python
    ● e.g. from the (coming next) demo:
      ● “MySQL connection failed Can't connect to MySQL server on '172.16.33.3' (13)”
        ● OS error code 13: Permission denied
  • 32. SELinux: why you should be using it.
    ● Using SELinux is easier than you might think.
    ● A couple of “gotchas” to be aware of.
      ● New files / dirs inherit contexts
      ● Moved files / dirs keep their original contexts
    ● Let’s go over two quick examples.
      ● PHP web app can not connect to MySQL on a remote system.
      ● MySQL fails to start with a non-standard datadir.
  • 33. SELinux: why you should be using it.
    ● SELinux boolean httpd_can_network_connect_db (setsebool)
  • 34. SELinux: why you should be using it.
    ● placeholder “non-standard datadir location”
  • 35. SELinux: why you should be using it.
    ● OK, SELinux is usable, still why should I care?
      ● Additional layer of security.
      ● Mandatory Access Control
        ● Arrests “out of context” behaviour.
      ● Discretionary Access Control “trusts running software” - assumes it should access everything the user can.
    ● Let’s see how bad things could get.
  • 36. SELinux: why you should be using it.
    ● “Perfect storm” example.
      ● Webapp has command injection.
        ● Or has a vulnerability such as CVE-2012-1823
          ● PHP CGI command injection.
        ● (Also has SQL injection but we’re not going to attack it in this example).
      ● SELinux is Permissive / OFF
      ● Bad grants (ALL PRIVILEGES ON *.*)
    ● We’re going to:
      ● Deploy a PHP shell.
      ● Deploy a UDF.
      ● Have some fun with the command line via MySQL ...
  • 37. SELinux: why you should be using it.
    ● We're abusing everything we have already outlined as being “bad”.
    ● Some steps are purposely skipped!
      ● This isn’t a “how to hack”
    ● Code will be made available @ GitHub
      ● Most of it.
    ● LEGAL DISCLAIMER!
      ● This is on a local VM environment only.
      ● For informational purposes only.
      ● Use at your own risk.
  • 38. SELinux: why you should be using it.
    ● Demo: “PHP cmd injection” -> “PHP CMD Shell” -> “MySQL load UDF”
  • 39. SELinux: why you should be using it.
    ● Assuming everything went as planned ...
  • 40. What's a CVE and why should you care?
    ● Common Vulnerabilities and Exposures.
      ● Common classification and notation of known vulnerabilities.
        ● CVE-2013-2094 perf_swevent_init() privilege escalation.
      ● $vendors usually use this to classify the vulnerabilities referenced in their errata.
      ● Not always used as intended however.
        ● e.g. Oracle filed many CVEs on 2013-10-16 and 2013-07-17: CVE-2013-3826 -> CVE-2013-5867
        ● “Unspecified vulnerability in Oracle <product> allows remote/local attackers to affect confidentiality/integrity/availability via unknown vectors”
        ● No helpful information for ‘J.I.T’ / vulnerability analysis.
  • 41. What's a CVE and why should you care?
    ● Information in an as-intended CVE filing can be used to:
      ● Check $vendor errata for relevant patches.
      ● Contact $vendor with relevant information to patch.
      ● Leverage J.I.T methods to mitigate risk.
        ● e.g. user_u selinux context blocks the root shell from the CVE
  • 42. What's a CVE and why should you care?
    ● Syntax (the CVE ID format) is changing from Jan 2014
  • 43. What's a CVE and why should you care?
    ● Additional resources.
      ● OSVDB
        ● Open Source Vulnerability Database
      ● Secunia
      ● NVD
        ● National Vulnerability Database
  • 44. 0-days, and F.U.D
    ● 0-day: an attack leveraging an unknown vulnerability.
      ● Some “claims” are just posturing.
      ● If concerned, search for p.o.c. code and test.
        ● In a virtual lab environment.
    ● “Hardening” is the best defense against the unknown. (You lock your doors after all).
      ● Reducing your attack surface is a good first step.
      ● Prepare for the worst, hope for the best.
        ● “By failing to prepare, you are preparing to fail.” Benjamin Franklin.
  • 45. 0-days, and F.U.D
    ● 0-days ... it's all about being prepared.
      ● Be aware of potential unknowns.
        ● If you use HA you prepare for system failure after all.
        ● Not much of a leap to prepare for security.
      ● Build hardened systems, from the ground up.
        ● Avoid the “foolish man who built his house on sand”
      ● Make management easy with $provisioning
        ● Ansible
        ● Puppet
        ● Chef
        ● Salt
  • 46. 5.6 Security features
    ● Password expiration policy
      ● Drops the user into a “sandbox” when expired.
    ● Password validation: validate_password plugin (5.6 docs)
      ● validate_password_policy = LEVEL
        ● LOW / 0
          ● length >= 8 chars
        ● MEDIUM / 1 (Default)
          ● LOW +
          ● >= 1 number && >= 1 lowercase && >= 1 upper case && >= 1 special character.
        ● STRONG / 2
          ● LOW + MEDIUM +
          ● substrings >= 4 chars must not appear in the defined dictionary file.
  • 47. 5.6 Security features
    ● validate_password plugin cont.
      ● Customizable :-)
        ● validate_password_dictionary_file = ''
        ● validate_password_length = 8
        ● validate_password_mixed_case_count = 1
        ● validate_password_number_count = 1
        ● validate_password_special_char_count = 1
      ● Circumventable :-(
        ● @ another system: SELECT PASSWORD('PLUK');
        ● @ 5.6 system with validate_password_policy = MEDIUM:
          ● GRANT ALL PRIVILEGES ON *.* TO 'pluk'@'localhost' IDENTIFIED BY PASSWORD '*D306CEB16052CBB8539617888512E58CA68E1AD1'
          ● IDENTIFIED BY PASSWORD hands the server a ready-made hash, so the plugin never sees the plaintext and cannot reject it.
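The policy on slides 46 and 47 is easy to reproduce offline, which is useful when you want to vet a batch of proposed passwords before they ever reach the server. The block below is an added example, not the plugin's code or anything from the talk: `check_password` applies the LOW / MEDIUM / STRONG rules with the defaults from slide 47 (any of them can be overridden by keyword argument), and `bypasses_validation` spots the `IDENTIFIED BY PASSWORD '*...'` statement that sidesteps the plugin. `DICTIONARY` is a constructed stand-in for `validate_password_dictionary_file`; it is an approximation of the plugin's checks, not an exact reimplementation.

```python
import re

# Defaults of the 5.6 validate_password plugin as listed on the slide.
DEFAULTS = {
    "validate_password_length": 8,
    "validate_password_mixed_case_count": 1,
    "validate_password_number_count": 1,
    "validate_password_special_char_count": 1,
}

# Constructed stand-in for validate_password_dictionary_file (one word per line).
DICTIONARY = {"password", "percona", "mysql", "london", "qwerty"}


def check_password(pw, policy="MEDIUM", dictionary=DICTIONARY, **overrides):
    """Return the list of policy rules the password fails (empty == accepted).
    LOW checks length only, MEDIUM adds the character-class counts, STRONG
    adds the dictionary rule; each level includes the ones below it."""
    cfg = {**DEFAULTS, **overrides}
    failures = []
    if len(pw) < cfg["validate_password_length"]:
        failures.append("length < %d" % cfg["validate_password_length"])
    if policy == "LOW":
        return failures

    lower = sum(c.islower() for c in pw)
    upper = sum(c.isupper() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    special = sum(not c.isalnum() for c in pw)
    mixed = cfg["validate_password_mixed_case_count"]
    if lower < mixed or upper < mixed:
        failures.append("mixed case < %d" % mixed)
    if digits < cfg["validate_password_number_count"]:
        failures.append("numbers < %d" % cfg["validate_password_number_count"])
    if special < cfg["validate_password_special_char_count"]:
        failures.append("special chars < %d" % cfg["validate_password_special_char_count"])
    if policy == "MEDIUM":
        return failures

    # STRONG: no substring of 4+ characters may be a dictionary word, which is
    # the same as saying no dictionary word of length >= 4 occurs in the password.
    lowered = pw.lower()
    hits = sorted(w for w in dictionary if len(w) >= 4 and w in lowered)
    if hits:
        failures.append("dictionary substring: " + ", ".join(hits))
    return failures


# The bypass from the slide: a statement that hands the server a ready-made
# hash never passes through the plugin, so none of the rules above run.
BY_PASSWORD_RE = re.compile(r"IDENTIFIED\s+BY\s+PASSWORD\s+'\*[0-9A-F]{40}'", re.I)


def bypasses_validation(stmt):
    return BY_PASSWORD_RE.search(stmt) is not None


if __name__ == "__main__":
    for candidate in ("pluk", "Percona2013!", "Xk9#mQ2v!t"):
        print(candidate, "STRONG ->", check_password(candidate, "STRONG") or "ok")
    print(bypasses_validation(
        "GRANT ALL PRIVILEGES ON *.* TO 'pluk'@'localhost' "
        "IDENTIFIED BY PASSWORD '*D306CEB16052CBB8539617888512E58CA68E1AD1'"))
```

`Percona2013!` passes MEDIUM but fails STRONG on the dictionary rule, which is the case a company-name-plus-year password usually trips over. Because the plugin cannot see through `IDENTIFIED BY PASSWORD`, the practical control is to restrict who can run GRANT / SET PASSWORD at all (no application account needs WITH GRANT OPTION, as slide 15 says) and to review the general or audit log for the pattern `bypasses_validation` matches.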
  • 48. 5.6 Security features
    ● Pluggable authentication.
      ● e.g. sha256_password (docs)
  • 50. Percona Live London Sponsors (TBC): Diamond Sponsors, Platinum Sponsors
  • 51. Percona Live London Sponsors (TBC): Exhibitor Sponsors, Additional Sponsors, Media Sponsors
  • 52. Annual Percona Live MySQL Conference and Expo, The Hyatt Regency Hotel, Santa Clara, CA, April 1st-4th, 2014. Visit: http://www.percona.com/live/mysql-conference-2014/

Editor's Notes

  1. There may be (though hopefully not) some runover; there's a lot of material to be covered in a short amount of time. Feel free to catch me after the talk for additional questions / breakout demos. There are live demos, but just in case there are also videos to fall back on if $something doesn't work.
  2. T-shirts. Standard BeagleBone Black package; I've included an 8GB microSD card preloaded with Kali Linux (and extended the partition to use all space). Wifi dongle.
  3. Cross Site Request Forgery. Web Application Firewalls help to block SQL injection, for example.
  4. Social engineering is just a fancy term for the con, and con artists have existed well before computers did, e.g. Victor Lustig, “The man who sold the Eiffel Tower twice”. Impersonating “people in authority”, aka abusing “implied trust”.
  5. As the gif here shows, a supposed street performer: “has anyone got a phone?” ... “sure, here's mine” ... “k thanx BYE!” Why would people blindly trust a stranger on the street? “implied trust” ... I'm performing here, look, here's a camera, everything's safe, honest ... Karma / Jasager attacks (hold up Pineapple kit) impersonate wifi networks.
  6. DLP (Data Loss Prevention). If you were to get a free USB device would you think twice about plugging it into your laptop? You really should. Hold up Teensy; Irongeek gave a great DEF CON talk on the subject in 2012 on HID abuse, I've linked it in this slide.
  7. For 3G abuse look at the “hotspots” you can buy for around £60 which back onto home broadband; many with default admin passwords which can be abused to perform 3G MITM.
  8. There's no valid reason for a web-facing application to have “GRANT OPTION”. cPanel, Plesk: think of them as the “key maker” from The Matrix Reloaded ... if you can compromise them they'll make the keys for you, no need to attack anything else.
  9. Super is granted as part of ALL. File and create routine are particularly evil. Does your application REALLY need file and create routine? I don't think so ... Insert_priv can be a “roundabout” way of injecting privileges into MySQL. NO web-facing app needs WITH GRANT OPTION, as I noted before with the keymaker reference.
  10. I was going to demo dissecting the MySQL handshake here; had issues getting the software to work consistently however, so we're going to attack the standard password hashes.
  11. Yes, sorry, this has to be a video; I couldn't get an external GPU for the laptop and as we'll see in a moment GPU vs CPU is a non-trivial difference.
  12. oclHashcat is but one variant of the hashcat tools. Since upgraded to Fedora 19 and 2x 7750 CrossFire cards, clocks around 340M/s.
  13. Rainbow tables are still something I am working on for MySQL hashes ... if anyone here has a working knowledge please come see me after the talk!
  14. Nyancrack ... yes the name is a bit rubbish; I was working on it late one night and couldn't think of a name for it, one of my children suggested Nyancat ... of course, Nyancrack!
  15. I can't stress enough: if you don't plug the original compromise “hole” any remediation you do is completely useless. Even if you throw a rule in your I.P.S / W.A.F in the interim of developing a fix in the application. Never ignore the issue, it will not go away ...
  16. SELinux broke my STUFF! 90% of the time this is just mislabeling.
  17. Use the video here to save time.
  18. Use the video here to save time.
  19. STOP!!! We'll need to setenforce 0 on both web1 and db1 first!