Recently I've been thinking I want to move into the information security area and incorporate it into my day job, building .NET web applications.
Having worked for a number of media agencies and software companies, I've seen first-hand that the treatment of app security varies hugely between companies. Often the responsibility for security is something thrown at the penetration test team in the week or two before launch [**cough** if they have a pen test team *cough*].
Obviously this is bad practice; security should be a priority, planned and built into the web application from the outset.
I work with a CMS called Umbraco. The beauty of Umbraco is that it gives you the ability to build a site the way you want, with complete flexibility. This also means that the site can be as secure or as insecure as the developers build it.
With this in mind I headed to the talk. Troy split it into several discrete areas.
The media portrayal of hackers
Troy put on a YouTube video which was a tutorial of a "DDoS" attack, where a kid, after opening a cmd prompt and turning the text colour green [the most important part of the hack], pings a random IP address X times. The "hacker" then states that this will cause a "DDoS" attack on the victim IP.
Obviously this is ridiculous, and it reminds me of the kind of thing I did when I was a kid. I even remember turning the screen green [color a]. Our "hacker" sounds young, and after firing off the "DDoS" he states it might take a while, so whilst it "DDoSes" he advises you to spend the time better and "go out and play".
It's the natural curiosity of kids like our hacker that inspired many of us as children to take our first steps into computing. I can't really blame him; he probably thinks it's cool. The problem is, kids like this can actually do real damage.
This is obviously at odds with the media portrayal of hackers as masked, dangerous men in hoodies coding in binary on screens of green text. If you Google "hacker" you'll see what I mean. Well, at least they got the green text right, and maybe our hacker was wearing a ski mask; we won't ever know.
He was almost certainly wearing a hoody.
The point is, there is a spectrum, from so-called script kiddies to intelligent, determined, experienced and driven hackers, and everything in between. The media portraying them all in the same way is not an accurate description of the threat faced.
Troy is best known for his website "Have I Been Pwned", a site containing the data from 217 security breaches [correct at the time of writing]. This is a free service allowing users to find out if their email address has been leaked and if their security has been compromised.
When I input my email address, I found I was pwned, and pwned several times! I knew joining MySpace was a bad idea. I'm writing a separate post about my journey to find out what data was leaked. [Actually it wasn't that difficult.]
Troy also writes extensively about the security implications of these breaches on his blog. My one criticism of the site is that it has a ridiculous name. Yes, I know it's leetspeak, but how do I tell my friends and family they should go to a "pwn" site?
Seriously though, it's an awesome site, but change its name, call it something else.
Neeraj say die
Whenever I want to see best-practice code to solve my programming problems, the first place I go to, even before Stack Overflow, is Neeraj Code Solutions. They are the pinnacle of .NET excellence coming out of somewhere in India, run by a man with a great motto.
Troy goes on to show how Neeraj is a terrible coder and is providing awful advice and examples to other developers. Neeraj stores his passwords in plain text in the code example, and he also doesn't parameterise his SQL commands, which leaves the door open to SQL injection attacks.
Anyway, his site is rife with bad practice, and what's more shocking are all the comments saying how great the code examples are. Head bang wall.
It's time to pull the plug Neeraj on that site of yours, say the thing you'll never say.
Google dorks are crafted searches you can type into Google to find sensitive information. Google has indexed many files that expose sensitive information, and with clever use of search operators you can find that data.
This dork looks for web.config files sitting on FTP servers: https://www.google.co.uk/search?q=inurl:ftp+inurl:web.config+filetype:config You can view the cached compromised data via Google, but for safety and security don't download it, just view it.
I spent some time crafting my own dorks after the talk and quickly came up with one that found backed-up web.config files containing connection string data.
Jesus, that's easy. I'm waiting for someone to invent a machine learning algorithm that creates better and better dorks and strips the web of its valuable data.
Hack phone apps through Fiddler
Troy then showed how the Nissan Leaf had a vulnerability in its app allowing anyone to download the app and control the vehicle features of other people's cars. That did look fun: he showed a video where he was sat by a swimming pool in Australia, messing with the heating controls of his mate's Nissan Leaf while the mate sat in it on the other side of the world.
You can set your phone up to connect to the net via Fiddler on your machine, then inspect all traffic to and from the app to find vulnerabilities. Thinking about it, you don't even need a phone: find an Android emulator for your machine, download some apps and away you go.
Upstream threats are external threats to a website caused by embedding content from elsewhere. He demonstrated this with the Trump Donald site and Fiddler.
He replaced all the background images on the Trump Donald site, showing that if a JS resource is included in a site and that JS is compromised, then any JavaScript at all can end up running on your site.
You are reliant on the security of every resource included in your site, and on the JS itself not containing known security flaws. Retire.js can be used to check whether the scripts you are using contain known vulnerabilities.
On a side note, this got me thinking about vulnerabilities to sites: you could trawl the web looking for JS resources that are returning 404s. You could then check if the domain is registered for those sites, and if not, register the domain and place whatever script you want at that path.
You then have control of their website.
To combat upstream threats you can use Subresource Integrity. Use a tool such as srihash to generate a hash of the resource file, then add an integrity attribute containing that hash to your script tag.
If the hash indicates the file has changed, the browser won't load the resource. Unfortunately this isn't supported by all browsers. Yeah, it's the usual suspects.
The talk was awesome. I'd say it was a must for anyone looking to find out more about info security and how it relates to application development. I will definitely be employing some of the security strategies he mentioned in my future work.
Troy is a great speaker. I've only covered some of his talk in this article; you can view the full talk at the link below.