Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Security and why you need to review yours.
1. Security and why you need to
review yours.
David Busby
Percona Live London 2013
2. Who am I?
David Busby
●
Remote DBA for Percona
●
January 2013
●
13 some years as a sysadmin
●
Paranoid when it comes to security, and
legal agreements.
●
Ju-Jitsu instructor (Ni Dan)
●
Helps to teach children computing.
●
www.percona.com
3. Agenda
What’s an “attack surface” and how to limit
it.
●
Why password complexity is important.
●
Why rigid grants are important.
●
SELinux: why you should be using it.
●
What's a CVE and why should you care?
●
0-days, and F.U.D
●
5.6 Security features
●
Q&A
●
www.percona.com
4. Agenda cont.
Some prizes.
●
And a disclaimer.
●
My opinions expressed may not reflect
those of my employer .. and so on
●
www.percona.com
5. What’s an “attack surface”?
●
Points in your system which could be
attacked.
application
●
database
●
physical systems
●
network
●
your employees
●
hosting provider
●
●
hosting providers employees
www.percona.com
6. Reducing your “attack
surface”
●
Application
Sanitize ALL user inputs
●
CSRF / XSRF tokens
●
W.A.F
●
●
●
I.P.S
●
●
e.g. mod_security
Do not leave an I.P.S in I.D.S mode.
security auditing
●
Do not rely on scanning software.
●
●
Penetration Testing.
M.A.C
●
SELinux
www.percona.com
7. Reducing your “attack
surface”
●
Database
●
Limit network exposure (no access from the
internet)
●
Network segregation from application (hardware or
vlan)
Selective grants
●
Complex passwords
●
I.P.S
●
Avoid “identified by 'the_plain_password'” SQL.
●
●
●
Appears in history files e.g. ~/.mysql_history
M.A.C
●
SELinux (notice a pattern here?)
www.percona.com
8. Reducing your “attack
surface”
●
Physical Systems
Limit physical access.
●
●
●
●
Challenge “implied trust”.
●
Barclays £1.3m “haul”
●
could have been avoided.
●
Uniform / badge != identification.
●
Security “mantraps”.
Don't rely on biometrics
●
Just ask the MythBusters on “unbeatable fingerprint
readers”
Remove uneeded service / application.
●
Your rackmount server really doesn't need bluetooth.
Image credit: http://news.bbcimg.co.uk/media/images/70014000/jpg/_70014486_co607-13device.jpg
www.percona.com
9. Reducing your “attack
surface”
●
Network
●
Selective ACL
●
Specify which hosts may access the DB network and
limit the ports.
●
●
●
●
●
Application nodes do not need access to SSH on the db servers
for instance
iptables -N MySQL
iptables -I INPUT -j MySQL
iptables -A MySQL -s <application_node_range> -p tcp --dport
3306 -m comment --comment “application range access to
MySQL” -j ACCEPT
Network isolation
●
Application systems separated from DB servers.
www.percona.com
10. Reducing your “attack
surface”
●
Employees (Layer 8 / Meat ware).
●
Awareness Training
●
Most people want their company to have a high profile.
●
●
●
Linkedin, Facebook etc ...
●
Finding this much information used to be hard.
●
Tools (e.g. Maltego) makes information gathering easier.
Customer relations, Improve sales.
Makes them easier to target.
●
Call $company pretend to be $employee on the road, ask for
some otherwise restricted information.
●
“Social engineering” Fancy term for conning people.
●
“phishing” / “spear phishing”
●
“Run this program as root / administrator for free stuff!”
www.percona.com
11. Reducing your “attack
surface”
●
Employees (cont)
●
B.Y.O.D?
●
$employee uses $phone for work.
●
●
●
$phone is $employee property.
$employee uses $phone for:
●
email, vpn, intranet, sms/ push notifications.
●
Bank application, e-payment (e.g. google wallet).
$phone is now a more attractive target.
●
Physical attacks.
●
Theft, lock screen bypasses, debug abuse (p2p-adb etc.),
N.F.C.
●
Remote attacks.
●
Karma / Jaessegar
●
Bluetooth
image credit: http://securityreactions.tumblr.com/post/65286584262/byod-good-plan
www.percona.com
12. Reducing your “attack
surface”
●
Employees (cont)
●
Do not blindly trust devices.
●
●
●
Malicious H.I.D devices.
●
Teensy duino HID prototypes, have evolved.
●
DLP Bypass
Malicious thunderbolt chain devices.
Challenge identity, and “implied trust”.
●
●
It’s OK to ask for proof of identity!
We do this for all systems, why not people?
●
“Hello I am calling from the computer security centre about the
virus on your windows machine...”
●
Exploiting “implied trust”
●
“Would you like a christmas tree in your bank account sir?”
(Fonejacker)
www.percona.com
13. Reducing your “attack
surface”
●
Certain allowances must be made.
●
Trust in Service / Hosting Provider.
●
Some steps can be taken.
●
Challenge identity if conctated, and verify.
●
Documentation on security measures / compliance.
●
●
●
You get some for a S.L.A ... get one for security!
Most have some P.C.I compliance at least.
Trust in mobile networks ... (though note GSM
and 3G have been proven to be broken).
www.percona.com
14. Why rigid grants are important
●
How often do you see an application with
"ALL PRIVILEGES ON *.*" ?
cacti
●
phpmyadmin
●
How about "WITH GRANT OPTION"?
●
We also need to be concerned with:
Super_priv, Create_routine_priv, Insert_priv
●
Image credit: http://upload.wikimedia.org/wikipedia/en/8/8c/The_Keymaker.jpg
www.percona.com
15. Why rigid grants are important
●
Super
●
●
FILE && Create routine
●
●
We’re going to abuse this to inject malicious UDF shortly.
Insert_priv
●
●
kill any process, stop/reset slaves, write to read only etc
(part of all).
_could_ be used to create users, and access permissions
by inserting into mysql schema tables.
WITH GRANT OPTION
●
no application should need to create grants.
www.percona.com
16. Why password complexity is
important
●
So let's consider
I'm an attacker; I've compromised your web
application.
●
I've been able to grab a "hashdump".
●
A dump of the mysql.users table containing the
password hashes.
●
Or I'm "sniffing" MySQL traffic from the
application host hoping to capture the
"handshake" of a privileged user.
●
●
More complex requires hash table regeneration due to
changing salt.
www.percona.com
17. Why password complexity is
important
●
Authentication handshake in brief.
client opens tcp connection to server.
●
mysqld sends greeting with salt (challenge)
●
client uses salt and replies with a sha1 sum
"password"
●
●
●
SHA1(password) XOR SHA1(salt <concat>
SHA1(SHA1(password)))
MySQL 5.5 password hashes
●
SHA1(SHA1(password))
www.percona.com
19. Why password complexity is
important
●
We're going to recover the passwords for
the following:
●
●
●
●
D306CEB16052CBB8539617888512E58CA68EN1AD1
CB7DFF0540F8C51BF178A1502A286FB8F4A2691E
E8820BB0161312465DBB69D9E2A1A73841B63B62
B415DD9C4FB5EF59FE80C4FEBC1F9C715E6E97C4
www.percona.com
20. Why password complexity is
important
●
Be honest, who is thinking this right now?
image credit: http://securityreactions.tumblr.com/post/52788324439/when-i-told-a-former-director-i-could-still-crack-his
www.percona.com
21. Why password complexity is
important
●
Demo: oclHashcat mysql5 4 hashes < 1
second
●
sha1(sha1(password))
www.percona.com
22. Why password complexity is
important
●
Know thy “enemy” (and make them your
friend)
●
oclHashcat
●
●
uses openCL for GPU based hash calculation.
easily runs 270M/s+ brute force MySQL5 hashes
●
●
●
Tested on a Radeon 7750 Fedora 18 x86_64
Many supported hashes
pre-computed hash tables
●
Stored hashes derived from
●
●
●
Dictionaries / wordlists
public password list leaks
My table has ~151M (and growing) unique words
●
Generated from public lists (mostly skullsecurity.org)
●
●
Extended using John the ripper.
You do not want your password on that list!
www.percona.com
23. Why password complexity is
important
●
Know thy enemy cont:
●
CPU vs GPU
●
●
●
GPU processing has greater parallelism resulting in
much faster hash rates, CPU hashing is still fast.
John the ripper, hashcat (+variants), pyrit
Python CPU example (nyancrack)
●
Pre computed hash tables != Rainbow tables.
www.percona.com
24. Why password complexity is
important
●
nyancrack
python multiprocessing (~360K/s MySQL5)
●
variable threads
●
modular extension
●
no openCL support (yet)
●
low memory overhead
●
●
●
●
peak 1015mb consumed producing a 6.1GB file.
tuneable memory usage feature planned.
Why not have MySQL calc the hashes?
●
SLOW!
●
< 500 hash / second in limited testing.
www.percona.com
25. Why password complexity is
important
●
Conclusion?
Complexity increase time for recovery.
●
cost vs reward.
●
“most” attackers want the quick win.
●
Reduces “exposure”
●
●
If it's going to take N time to recover the password.
●
Increased likelyhood of discovering breach before
recovery.
●
Changing of passwords, renders recovered
credentials useless.
●
Also remember to “plug the hole”.
www.percona.com
26. SELinux: why you should be
using it.
●
Let's deal with the what before the why.
SELinux is a M.A.C which uses “labels”
●
We're going to look at the more common
"targeted" policy
●
●
●
not covering MLS / Strict
/etc/selinux/config
●
●
SELINUX=enforcing
SELINUXTYPE=targeted
www.percona.com
27. SELinux: why you should be
using it.
●
Labels
●
selinux contexts applied to files, ports
●
●
●
user:role:type:level(optional)
targeted policy really only looks at the "type"
Type enforcement (policies)
●
A process running with X context
●
●
is allowed to access a resource with the Y context
but not Z context.
image credit: https://i.chzbgr.com/maxW500/1659454208/hE5C2A3CB/
www.percona.com
28. SELinux: why you should be
using it.
●
You want mysql to be able to access.
/var/lib/mysql (mysqld_db_t)
●
/var/log/mysql (mysql_log_t)
●
*:3306
(mysql_port_t)
●
●
But you probably do not want MySQL
accessing
/etc/passwd (passwd_file_t)
●
/etc/shadow (shadow_file_t)
●
http_port_t , ssh_port_t
●
www.percona.com
29. SELinux: why you should be
using it.
●
So how do I get the current contexts?
●
ls -z
●
ps -z
●
●
system_u:system_r:mysqld_t:s0
Id -z
●
●
●
unconfined_u:object_r:mysqld_db_t:s0
/var/lib/mysql/ibdata1
unconfined_u:unconfined_r:unconfined_t:s0s0:c0.c1023
Many standard linux utilities take the -Z
arguments.
www.percona.com
30. SELinux: why you should be
using it.
●
Most peoples experience of SELinux seems
to be: "So I `setenforce 1` and ..."
image credit: http://securityreactions.tumblr.com/post/53675346932/hey-guys-check-out-this-new-exploit
www.percona.com
31. SELinux: why you should be
using it.
●
setenforce 0 == Permissive != OFF
Useful for debugging.
●
Always go back to setenforce 1 == Enforcing
●
●
New tools make things easier.
setroubleshoot-server
●
libselinux-python
●
e.g. from (coming next) demo:
●
●
“MySQL connection failed Can't connect to MySQL
server on '172.16.33.3' (13)”
●
OS error code 13: Permission denied
www.percona.com
32. SELinux: why you should be
using it.
●
Using SELinux is easier than you might
think.
●
A couple of “gotchas” to be aware of.
●
●
●
New files / dirs inheret contexts
Moved files / dirs keep their original contexts
Let’s go over to quick examples.
●
●
PHP Web app can not connect to MySQL on a remote
system.
MySQL fails to start with non standard datadir.
www.percona.com
33. SELinux: why you should be
using it.
●
selinux sebool httpd can network connect
db
www.percona.com
34. SELinux: why you should be
using it.
●
placeholder “none standard datadir
location”
www.percona.com
35. SELinux: why you should be
using it.
●
Ok SELinux is useable, still why should I
care?
Additional layer of security.
●
Mandatory Access Control
●
●
Arrests “out of context” behaviour.
Discretionary Access Control “trusts running
software” - assumes it should access everything
the user can.
●
Let’s see how bad things could get.
●
www.percona.com
36. SELinux: why you should be
using it.
●
“Perfect storm” example.
●
Webapp has command injection.
●
●
Or has a vulneraility such as CVE-2012-1823
●
PHP CGI command injection.
(Also has SQL injection but we’re not going to attack it
in this example).
SELinux is Permissive / OFF
●
Bad grants (ALL PRIVILEGES ON *.*)
●
We’re going to.
●
●
●
●
Deploy a php shell.
Deploy a UDF.
Have some fun with command line via mysql ...
www.percona.com
37. SELinux: why you should be
using it.
We're abusing everything we have allready
outlined as being “bad”.
●
Some steps are purposely skipped!
●
●
●
Code will be made available @ Github
●
●
This isn’t a “how to hack”
Most of it.
LEGAL DISCLAIMER!
This is on a local VM environment only.
●
For informational purposes only.
●
Use at your own risk.
●
www.percona.com
38. SELinux: why you should be
using it.
Demo “PHP cmd injection” -> “PHP CMD
Shell” -> “MySQL load UDF”
www.percona.com
39. SELinux: why you should be
using it.
●
Assuming everything went as planned ...
www.percona.com
40. What's a CVE and why should
you care?
●
Common Vulnerabilities and Exposures.
●
Common classification and notation of known
vulnerabilities.
●
●
CVE-2013-2094 perf_swevent_init() privilege escalation.
$vendors usually use this to classify vulnerabilities
reference in their erratas.
●
Not always used as intended however.
●
●
e.g. Oracle filed many CVE’s 2013-10-16 and 2013-07-17
CVE-2013-3826 -> CVE-2013-5867
●
“Unspecified vulnerability in Oracle <product> allows
remote/local attackers to affect
confidentiality/integrity/availability via unknown vectors”
●
No helpful information for ‘J.I.T’ / Vulnerability analysis.
www.percona.com
41. What's a CVE and why should
you care?
●
Information in an as intended CVE filing
can be used to:
Check $vendor erratas for relevant patches.
●
Contact $vendor with relevant information to
patch.
●
leverage J.I.T methods to mitigate risk.
●
e.g.
user_u selinux context blocks root shell from CVE
●
www.percona.com
42. What's a CVE and why should
you care?
●
Syntax is changing from Jan 2014
www.percona.com
43. What's a CVE and why should
you care?
●
Additional resources.
●
OSVDB
●
Open Source Vulnerability Database
●
Secunia
●
NVD
●
National Vulnerability Database
www.percona.com
44. 0-days, and F.U.D
●
0-day
A attack leveraging an unknown vulnerability.
●
Some “claims” are just posturing.
●
If concerned search for p.o.c. code and test.
●
●
●
In a virtual lab environment.
“Hardening” is the best defense against the
unknown. (You lock your doors after all).
●
●
●
Reducing your attack surface is a good first step.
Prepare for the worst hope for the best.
“By failing to prepare, you are preparing to fail.” Benjamin Franklin.
www.percona.com
45. 0-days, and F.U.D
●
0-days ... it's all about being prepared.
●
Be aware of potential unknowns.
●
●
If you use HA you prepare for system failiure after all.
●
Not much of a leap to prepare for security.
Build hardened systems, from the ground up.
●
Avoid the “foolish man who built his house on
sand”
●
Make management easy with $provisioning
●
●
●
●
Ansible
Puppet
Chef
Salt
www.percona.com
46. 5.6 Security features
●
Password Expiration policy
●
●
Drops user into “sandbox” when expired.
Password Validate password plugin (
5.6 docs)
●
validate_password_policy = LEVEL
●
●
●
LOW / 0
●
length >= 8 chars
MEDIUM / 1 (Default)
●
LOW +
●
>= 1 number && >= 1 lowercase && >= 1 upper case.
STRONG / 2
●
LOW + MEDIUM +
●
substrings >= 4 chars must not appear in defined dictionary file.
www.percona.com
47. 5.6 Security features
●
Password Validate password plugin cont.
●
Customizable :-)
●
●
●
●
●
●
validate_password_disctionary_file = ‘’
validate_password_length = 8
validate_password_mixed_case_count = 1
validate_password_number_count = 1
validate_password_special_char_count = 1
Circumventable :-(
●
●
@ another system: select PASSWORD('PLUK');
@ 5.6 system with validate_password_policy = MEDIUM
●
GRANT ALL PRIVILEGES ON *.* TO ‘pluk’@’localhost’
IDENTIFIED BY PASSWORD
‘*D306CEB16052CBB8539617888512E58CA68E1AD1’
www.percona.com
52. Annual Percona Live
MySQL Conference and Expo
The Hyatt Regency Hotel, Santa Clara, CA
April 1st-4th, 2014
Visit: http://www.percona.com/live/mysql-conference-2014/
www.percona.com
Editor's Notes
There may be (though hopefully not) some runover there's a lot of material to be covered in a short amount of time, Feel free to catch me after the talk for additional questions / breakout demos.
There's livedemos but just incase there's also videos to fallback on if $something doesn'twork.
T-Shirts
Standard BeagleBone black package,
I've included 8GB microsd card preloaded with Kali linux. (and extended the partition to use all space).
wifi dongle
Cross Site Request Forgery
Web Application Firewalls help to block SQL injection for example.
Social engineering is just a fancy term for the con, and Con artists have existed well before computers did, e.g. Victor Lustig “The man who sold the eiffel tower twice”
Impersonating “people in authority” aka abusing “implied trust”
As the gif here shows a supposed street performer “has anyone got a phone?” ... “sure here's mine” “k thanx BYE!”
Why would people blindly trust a stranger on the street ? “implied trust” ... I'm performing here look here's a camera everything safe honest ...
Karam / Jassegar attacks (hold up pineapple kit) improsonate wifi networks.
DLP (Data Loss Prevention)
If you were to get a free usb device would you think twice about plugging it into your laptop?
You really should.
Hold up teensy, Irongeek gave a great defcon talk on the subject in 2012 on HID abuse I've linked it in this slide.
For 3G Abuse look at the “hotspots” you can buy for around £60 which back onto home broadband; many with default admin passwords which can be abused to perform 3G MITM.
There's no valid reason for a web facing application to have “GRANT OPTION”.
Cpanel, Plesk think of them as the “key maker” from the Matrix revolutions ... if you can compromise them they'll make the keys for you no need to attack anything else.
Super is grants as part of all.
File and creat routines are particuarly evil.
Does your application REALLY need file and create routines ?I don't think so ...
Insert_priv can be a “roundabout” way of injection privleges into MySQL
NO web facing app needs with GRANT OPTION, as I noted before with the keymaker reference.
I was going to demo here disecting the MySQL handshake, had issues getting the software to work consistently however, so we're going to attack the standard Password hashes.
Yes sorry this has to be a video, I couldn't get an external GPU for the laptop and as we'll see in a moment GPU vs CPU is a non trivial difference.
OclHashcat is but one varient of the hashcat tools.
Since upgraded to Fedora 19 and 2x 7750 crossfire cards, clocks around 340M/s
Rainbow tables are still something I am working on for MySQL hashes ... if anyone here has a working knowledge please come see me after the talk!
Nyancrack ... yes the name is a bit rubbish I was working on it late one night and couldn't think of a name for it, one of my children suggest Nyancat ... of course Nyancrack!
I can't stress enough if you don't plug the original comprosmise “hole” any remediation you do is completely useless.
Even if you throw a rule in your I.P.S / W.A.F in the interim of developing a fix in the application.
Never ignore the issue it will not go away ...
SELinux broke my STUFF!
90% of the time this is just mislabeling.
Use the video here to save time.
Use the video here to save time.
STOP!!! we'll need to setenforce 0 on both web1 and db1 first!