
Um, hi everyone, thank you for coming. It's the last talk of the day, so thank you for being here; I'm sure everyone's hungry. Um, so this presentation is called "You're Not as Safe as You Think: Clearing Up Common Security Misconceptions," and, uh, so in addition to hitting the character limit for session titles, we're going to be looking at a few of these common security myths and sort of, uh, false statements that I've heard over the years in security. Some of them are just straight up wrong; others are just, you know, a little misconstrued: you don't get as much protection as you might think. Both, go ahead and talk about it. We're going to look at what the myths do wrong
and what they do right. So here's the obligatory who I am: I'm from Hagerstown, Maryland, I'm nearby. Um, I like web applications and looking at infrastructure, things like that. I work for Independent Security Evaluators, a security consultancy here in Baltimore. We do white box, black box, all kinds of assessments. We like application security, so a lot of what I'm talking about today is going to be about application security and web applications in particular. And we're right next door at the IoT Village if you want to stop by tomorrow; I will be there if I can answer any questions for you.

All right, so here are some of the topics we're going to look at today. We're going to look at package managers, we're going to look at HTTPS, we're going to look at server-side encryption or encryption at rest, we're going to look at passwords, and then a couple, like, quick miscellaneous topics at the end.

All right, so first myth: software from a package manager is safe. So I'm going to start this off right off the bat: all these myths are very good things, you should probably use most of them, just be sure you're not thinking you'll get protections that you don't. So when I say package managers, we're looking at things that are language specific like npm or pip; these are things that install libraries for programming languages. We're also
looking at things that are for operating systems like apt or dnf; those install packages on your OS. And we're also looking at application stores used by mobile OSes, things like the Play Store, the Apple App Store, Microsoft Store, whatever. So what do they do? They install software, right? So they install it, and they usually get the software from some central repository that'll have mirrors, whatever. And how does the software get there? Well, it depends. Sometimes software is uploaded by the actual developers, sometimes it'll be by the store owners themselves, sometimes just some random guy in the street, who knows. But it gets up there. And then what are some of the problems we can see from this? So obviously
there's a repository, so that's a nice central target that attackers might want to get, and this sort of thing does happen. Again, I want to point out that I like package managers, I use them, they're good things, but you have to remember the risks. So did the package repository get hacked, things like that. Um, are the packages signed? Does the package manager and the client verify the signatures of these things? If the package is up on there and it gets replaced with malware, can we detect that, that sort of thing? How does the software actually get up there? Um, can package uploaders put malware in the package to begin with? Is someone
reviewing the packages? Things like Google Play, we see this a lot: we see Android apps with the malware in it. I use an Android phone, but it's okay. We also hear about Node has had a sort of issue before. Um, I'm not a big fan of JavaScript, so I pick on Node a little bit, but that's okay. So package managers, again, they can be safe, but they have to come from a source you trust. We want to make sure malware does not get in to begin with; if malware gets put in there at some point, we want to detect that. We want to make sure, what else, about how the packages get to the client:
we want to use secure protocols, TLS, we want HTTPS, something like that, a protocol that gives you integrity and confidentiality.

So the next one. I don't know if you guys can see that, but I have a green padlock next to my URL; that means my website is secure. So HTTPS, this is the thing that encrypts your network traffic between your client and the server. This is a very nice technology; everyone should probably be using it these days because of free certificates and things like that. But HTTPS does not make your website secure in the sense that your web application itself is going to be secure. You can still be vulnerable to things like cross-site scripting, cross-site request forgery, SQL injection,
and HTTPS is not going to stop those types of attacks.

Okay, so the next thing we're going to look at: encryption at rest, or server-side encryption. This is what happens when your data on your disk is encrypted, so you can't just plug your hard drive into someone else's computer and read the files off of that. So this is something that probably everyone with a mobile device should be using, may be using by default, depends on your OS. This is good stuff, but it's important to recognize that this is encryption at rest, so the threat model is more physical access at this point. So for, like, a web server, the server
could be in, like, a locked data center, and in particular oftentimes it's in, like, say, an AWS cloud facility. So I don't have burglary statistics for AWS, but I assume they're pretty low, so I don't think theft is a big deal there. Um, but again, encryption at rest, this is good stuff, you should use this, and it's really nice when your server is turned off and your data is actually at rest. However, it does not really help when an attacker is actually attacking a web application and is pulling off all your data using something like SQL injection. So again, we need to consider the protection that the technology gives you and the downfalls it has. So in this case,
encryption at rest, you know, SSE: it's good; if it's being SQL injected, it's not good.

"You can't hack me, I have a strong password." I like this one; I giggled a lot when I came up with that one. So good passwords: everyone should use good passwords. I'm not saying don't use good passwords, but it's important to remember what a good password actually gives you. Mainly it's protection at the login page, and I've talked about this a little bit before, but after you log in, you know, you can still be vulnerable to things like cross-site request forgery, cross-site scripting. These web application vulnerabilities will get you no matter how good your password is.
So telling your mother to always use a good password, telling your dad to always use a good password, it doesn't matter, because they can still get hacked if they're doing things on bad sites. But again, please use good passwords. We should also consider the fact that it's not always on the user to have all the security, the burden of security placed on the users. Web app developers should do things like, you know, rate limit the login page; they should do things like store the password securely, which means don't store the password, store password hashes, salted password hashes, and that sort of thing. So again, use strong passwords, make sure they're, you know, random, try to use different ones for every site.
Password managers help with this sort of thing, but make sure you have a good password manager. And again, remember that these are not going to stop web application level vulnerabilities.

And then we're going to close up here with a couple miscellaneous topics. Um, up-to-date software makes you more secure. So this is kind of important, because right next door we have about, like, 25, you know, or so devices in the IoT Village, and they all have firmware updates and things like that, and they might be very secure when they're fully up to date, in the sense that known exploits will not work on them. However, it is my job, and like many other people's job, to go to work every day and find
exploits in up-to-date software. Zero days do exist; we hear about them all the time. So again, it's important to remember that up-to-date software will keep you safe from known vulnerabilities, but it is not going to stop a targeted hacker trying to get into your system.
And then antivirus. So antivirus is kind of a touchy subject for some people; some people like this, some people don't. I have seen a lot of laptops given to me over the years, and they're, you know, clearly covered in malware, but the antivirus says it's fine; it says you need to renew your Norton subscription, things like that. I tend to think these things are more harm than good in a lot of cases, but they do have their places. In particular, we're looking: things built into the operating system tend to be better; they won't use employee resources, and they might do a better job in general. We have to be somewhat wary of antiviruses. Some of these things are huge software
suites; they might have, like, web applications, and then you have all those issues that we've been talking about. They're running with high privileges; sometimes these are, like, you know, kernel level modules running, so if there's an issue there, you could lose all sorts of data from that. In some cases the antivirus might be worse than some of the malware that they claim to protect against. They do have a place; antivirus is, say, good in an example of, you have an enterprise file server, you want to make sure the files uploaded don't have viruses, things like that. All right, this was fast.

All right, so to wrap things up, we need to remember that security isn't
something that you can fix with one neat trick. If you see a blog somewhere that says make your site secure with one neat trick, they're lying; you can't do that. Secure systems follow secure design principles. This is things like having, uh, use least privilege whenever possible; you want defense in depth; you want a sound trust model; you want to know where everything's coming in; have a good threat model. So for example, a secure web application does have HTTPS, and it probably encrypts its data at rest, but it also does other things: it's going to check user permissions, and it's going to make sure it's not running a bunch of services as root. And okay, so I hope everyone has
heard about some little security topics here, and I'm sure I'm going to get lots of angry emails and thoughts from people, so I can take some of those now. One in the back.

[Audience] What is the benefit of downloading packages over TLS from a central package

The question is, what is the benefit of downloading packages over TLS. Are you a Debian user? [Laughter] I have, I have lots of colleagues around here that use apt, and of course apt by default uses HTTP in a lot of distributions. The idea there is it can download over this unencrypted protocol because the packages themselves are signed. That's right, yeah. So you can in fact change the repositories to use HTTPS, and that's a
hardening thing that I recommend; I do that on my systems. Some distributions do use HTTPS by default, though; uh, in Debian in particular it does not. So there was that issue that came out, was it this year, last year, the one where there was an issue with apt itself where it would reach over HTTP and then there's a command injection or something in there. So that's an example of why HTTPS could be helpful there.

[Audience] Any comments on cloud security?

Uh, anything in particular? That's a big topic. Storing? All right, so is storing your data in the cloud safer than on-premises? Possibly. Um, you have the issue of how's the data getting up there, are you securing it, are you uploading it securely, how secure is the physical premises of, say, like, the AWS cloud facility, in which case you can probably assume that it's good, because like I said, I don't think they're being robbed very often. That being said, I don't know that you could say one way or another that one is better. Sticking all your data on, like, say, a hard drive just sitting in, like, your windowsill is obviously not good,
but assuming you have good practices on either side, it could be good either way. Okay.
All right, well, like I said, I will be next door in the IoT Village tomorrow if you have any other questions for me, and thanks to everyone for attending.
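The talk's password section says the developer's side of the bargain is to store salted password hashes rather than passwords and to rate limit the login page. The following is an added example of both, written for this transcript and not code from the speaker or from Independent Security Evaluators. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as the hash, an iteration count chosen for the example, an in-memory user store, and a hypothetical per-account lockout window; the usernames and passwords are constructed test data.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Optional

# PBKDF2-HMAC-SHA256 with a random per-user salt (stdlib, no extra packages).
# The iteration count is an assumption chosen for this example.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    Only this string is stored; the password itself never is."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


class LoginRateLimiter:
    """Lock an account after `max_failures` failed attempts inside `window_seconds`.
    The clock is injectable so the behaviour can be tested deterministically."""

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(list)  # username -> timestamps of failures

    def _recent(self, username):
        cutoff = self.clock() - self.window
        self._failures[username] = [t for t in self._failures[username] if t > cutoff]
        return self._failures[username]

    def is_locked(self, username) -> bool:
        return len(self._recent(username)) >= self.max_failures

    def record_failure(self, username):
        self._recent(username).append(self.clock())

    def record_success(self, username):
        self._failures.pop(username, None)


USERS = {}  # constructed in-memory store: username -> stored hash string


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(username: str, password: str, limiter: LoginRateLimiter) -> str:
    """Return 'locked', 'ok' or 'denied'. The lockout check runs before the
    expensive hash, so a locked-out caller cannot burn server CPU either."""
    if limiter.is_locked(username):
        return "locked"
    stored = USERS.get(username)
    if stored is not None and verify_password(password, stored):
        limiter.record_success(username)
        return "ok"
    if stored is None:
        # hash a dummy value for unknown users so response time does not
        # reveal whether the account exists
        hash_password(password, b"\x00" * SALT_BYTES)
    limiter.record_failure(username)
    return "denied"


if __name__ == "__main__":
    limiter = LoginRateLimiter(max_failures=3, window_seconds=60)
    register("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple", limiter))  # ok
    for _ in range(3):
        print(login("alice", "guess", limiter))  # denied x3
    print(login("alice", "correct horse battery staple", limiter))  # locked
```

Two details worth noting: the stored string carries its own algorithm, iteration count and salt, so the cost can be raised later without re-hashing every user at once, and the limiter keys on the account rather than the source address, which is the counter-measure that matters against distributed guessing.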