Developer Blog

Secure Your Software for Battle

A World Wide War is being fought across the software world. The warring factions are engaging in battles in IT centers, corporate offices and your homes; between security experts on one side and cyber-criminals on the other.

This world we live in is getting increasingly connected and computerized. Consumers, organizations and governments alike are conducting business electronically at an ever increasing pace. This requires organizations to store information about their consumers, including financial and personal data as well as data about their online and spending habits.

Corporations need to secure this data because

  • privacy laws demand it
  • consumers demand it
  • it gives them a competitive advantage

Naturally, this data is prized by hackers, criminals, competitive entities and unfriendly state agents. This battle of wits between the security experts and the cyber-criminals is an ongoing one and is only going to get bigger.

The systems that process and store data also become targets — either to disable them, or to access, corrupt or destroy data.

Securing the data and the systems that manage it is now a high priority and high profile task. Or, it should be if they mean business. It is no longer a nice-to-have or even a should-have. It is now a must-have.

Companies that don’t have their act together … are in for a rude awakening in the internet age: significant damage to their business and reputation (http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data), and in some cases an end to their very existence (http://www.forbes.com/sites/cameronkeng/2014/02/25/bitcoins-mt-gox-shuts-down-loses-409200000-dollars-recovery-steps-and-taking-your-tax-losses).

The War Zone

The increasing mobility of data in corporations is one of the biggest challenges faced in the last couple of years. Users are feeling empowered to access data from anywhere. The BYOD (Bring Your Own Device) trend is bringing in new attack vectors. The data access end-point is also going through a transformation. No longer are these Windows-based, but now a diverse mix of different systems. Some of them are still in their infancy compared to long established platforms like Windows/Unix. These platforms are new targets, and malware for mobile devices is now a rapidly growing threat.

Employees are bringing their smartphones, tablets and next-gen ultrabooks into the corporate networks. IT professionals are being required to secure sensitive data on devices they have little control over.

The growing popularity of the “Internet of things” (smartphones, tablets, wearable gadgets, and interconnected devices) makes a fluid situation even more dynamic for security experts. They present ripe targets for cyber-criminals looking to either find access to your data or cause a large-scale disruption.

Cyber-criminals are getting sophisticated themselves. They are using underground online marketplaces to sell their wares and services. The Blackhole exploit kit accounted for almost a third of all malware infestations in 2012. And, it spawned a new generation of botnet exploits that drew on its source code for inspiration.

The Attacks

As the arms race unfolds between the cyber-criminals and security experts, here are some security threats that are at the top of the list.

Cloud

Cloud computing continues to grow in popularity — and so too will the number of security threats targeting the cloud. It’s important that businesses realize that whilst they may outsource the handling and storage of their data, they can’t outsource the responsibility for the data itself. If their provider’s systems are breached, and data is exposed, the businesses are responsible.

Therefore, any risks need to be assessed in the same way as they would if they were holding the data internally. Other issues organizations should consider include: where will the data be stored, what happens to any data if organizations switch providers and what steps are being taken to secure the data on their provider’s systems, including how they prevent other customers from accessing it.

The bad guys will look to target the cloud in 2014, with cloud service provider employees the main focus. Successful phishing attacks on staff, especially if the password re-use jackpot is hit, have been the door to entry of many online member databases during 2013. Ultimately, with innovation and planning, cloud services could reduce business risks by providing greater flexibility, resiliency and security.

APT

APT, or Advanced Persistent Threat, is a set of well-camouflaged, focused, continuous hacking activities against a single target. APT activities require a high level of stealth sustained over a period of time. They employ advanced malware to exploit vulnerabilities in the targets, and they are usually orchestrated for business or political motives. Flame/Gauss and Stuxnet are examples of recent APT attacks used against financial, government and military institutions.

Social Engineering

Social engineering is a tried-and-true tactic in both the physical and digital worlds. Before the digital age, it meant sneaking one’s way past the security desk with glib talk; now it is a cleverly-worded email. Social engineering has also moved onto social networks, including Facebook and LinkedIn.

Attackers are increasing their use of social engineering, which goes beyond calling targeted employees and trying to trick them into giving up information. Cyber-criminals will try to hide malware using deceitful tactics to trick you into installing it.

The task of the cybercriminal is a lot simpler — check whether the details are already posted on social networks. Social networks are about networking people; a convincing-looking profile of a company or person followed by a friend/connection request can be enough to get a social engineering attack started. Sarah Palin’s Yahoo email account was compromised using information that was publicly available on her social media profiles (birth name, date of birth etc).

Password Management

We live in a world where people are increasingly connected through social networking, cloud services and smart devices. This presents a password management headache for users and, by extension, the services they use. People tend to reuse passwords: more than half of users reuse passwords for their online accounts, so a data breach at one vendor/service provider can potentially put their accounts at other services at risk. If that weren’t scary enough, over a quarter tend to use easy-to-remember passwords such as birthdays or people’s names, opening the door for their online accounts to be hacked into by criminals. It is a worrying aspect for corporations that so many people are making life so easy for cyber-criminals, especially because it is simple to make strong password security a part of one’s everyday life.

BYOD (Bring Your Own Device)

This is one threat vector that will give security professionals many sleepless nights. BYOD increases data leakage potential, especially from devices unprotected by device-specific counter-measures such as passcode/passphrase protection. Most organizations going down the BYOD path aren’t implementing appropriate training for employees.

Attackers will try to circumvent app review and detection mechanisms on these devices. If possible, their apps will mimic the UI of the native settings page and trick the user into granting them admin privileges on the device. The device sensors such as GPS, microphone and cameras, coupled with the ability to network over WIFI and mobile networks, could become tools for engineering further attacks.

The main areas of risk include:

  • Data loss — lost or stolen devices
  • ID theft — thieves logging in to your online accounts using saved credentials on your stolen device
  • Data leakage — via bogus WIFI access points and malware

Botnets

Essentially, a botnet is a collection of networked computers running a program to perform a task. Initially, most botnets were employed to perform legitimate tasks such as controlling IRC channels. Later they were deployed to distribute spam or perform DDoS attacks.

Botnet operators are beginning to design systems that are more adaptive and redundant than many corporate and government networks. Botnets such as Gameover have replaced the traditional command and control link with a peer-to-peer network of infected systems. Controlling this agile attack vector before it can be used as an advanced persistent threat (APT) and migrates into smart mobile devices is crucial.

We’re also likely to see more mobile botnets, of the sort created using the RootSmart backdoor in Q1 2012. In order to prevent falling victim to mobile malware, businesses should install anti-malware protection on their Android devices, secure the data held on them and make sure that this can be wiped remotely if the device is lost or stolen. Businesses should also develop a policy for staff on how to reduce the risks from mobile devices. This should include not rooting the device, avoiding public Wi-Fi networks for confidential transactions, not relying solely on a simple PIN and only installing apps from trusted sources.

Spam

People still send emails. So do bad guys, and they will keep doing so as long as people keep using email. You see spam that links to financial scams that are now mostly ignored, spam that links to malware designed to install botnet agents, and spam that attempts to seem legit by linking to current events. Phishing via deceptive links in spam is a very common attack. Spammers are also wising up to having their bots and servers taken down. Snowshoe spam is their innovation against this countermeasure: it distributes their spamming across multiple IP addresses, spreading the load. Hence the metaphor.

The Defense

So what are organizations to do to deflect security attacks? In the past it was about securing the perimeter. Now the perimeter is blurred by the BYOD and cloud services trends.

There is no one good answer. But most of them would include treating security as a feature, good engineering practices, securely configured systems, good employee training, a good plan to manage responses to attacks and, finally, transparency.

At Originate, when we work with partners, we emphasize security up front as a key element of the systems we build. In most cases, we have been able to educate and receive buy-in from our partners. In one case however, we received push back on implementing a policy to enforce strong passwords — the partners feared having a strong password policy would impact user registration. Guess what, on the first day of launch, the first account to be compromised was the admin account. Fortunately, we were monitoring all activity and were able to retake control of the account and secure it. Needless to say, we got the go-ahead to implement the strong-password policy.

Make security a feature (and not a non-functional requirement)

When writing applications, security aspects should be first-class requirements. It cannot be a bolt-on later. Build the app with the best security practices from the start. According to security firms FireEye and Secunia, the real security problems in this decade are not in our operating systems but in the applications we run on them.

Design Software with Secure Features

Security issues in design and semantic flaws (ones that are not syntactic or code related), such as business logic flaws, cannot be detected in code and need to be inspected by performing threat models and abuse cases modeling during the design stage.

Threat modeling is an iterative technique used to identify the threats to the software being built. It starts by identifying the security objectives of the software and profiles it. It breaks the software into physical and logical constructs generating the software context that includes data flow diagrams, and end-to-end deployment scenarios, identifying entry and exit points, protocols, components, identities, and services.

Threat Modeling is performed during the design stage so that necessary security controls (safeguards) can be developed during the development phase of the software.

Develop Software with Secure Features

Follow the Saltzer and Schroeder list of principles for building good secure software:

| Design principle | What does it mean? | Example |
| --- | --- | --- |
| Economy of mechanism | Keep the design as simple and small as possible. | Modular, minimalistic code developed using TDD (only write code to make the tests pass), centralized services |
| Fail-safe defaults | Access denied by default, and permitted explicitly. | Firewalls are configured such that the default is to deny access |
| Complete mediation | Every access to every object is checked for authority. Rely as little as possible on access decisions retrieved from a cache. | File permissions tend to reflect this model: the operating system checks the user requesting access against the file’s ACL. |
| Open design | The design should not be secret; the implementation of safeguards is. | Cryptographic algorithms |
| Separation of privilege | More than one condition is required to authorize a task. | Bank lockers, nuclear launch systems (I hope!), that use two separate keys to operate |
| Least privilege | Invoke minimum privileges. | Running web servers using accounts with reduced privileges |
| Least common mechanism | Minimize the amount of mechanism common to more than one user and depended on by all users. | Role-based dynamic libraries |
| Psychological acceptability | Requires the policy interface to reflect the user’s mental model of protection. | Help dialogs, intuitive iconography |

Use secure-coding best practices

A stitch in time saves nine. It is always cheaper to build secure applications than to correct the security bugs later. Make security a check-off item for code reviews. OWASP and Apple have good checklists that software development organizations would do well to follow.

Use source code analysis tools

Whenever possible, integrate source-code analysis tools (Fortify, FindBugs, etc.) into your development process. They are not a substitute for testing, and they can generate a lot of false positives initially, but they can be a useful tool for locating security vulnerabilities.

Use testing techniques to stress security features

Focus on abuse/negative test cases as well: test the evil path in unit and integration tests. Run penetration tests against new releases as part of the release process using tools like SkipFish, Metasploit etc.

Password and Session Management

Passwords are the keys to a user’s account, and they are often the target of attempts to gain unauthorized access. Password strength is key in thwarting such attacks, so enforce a strong password policy. However, it does present an inconvenience to users who now have to remember long, complex passwords. A good strategy around that is to not manage passwords and authentication at all: implement single sign-on, so that users only have to authenticate once, or offload it to a 3rd-party authentication authority using OAuth. However, if you do implement authentication, ensure that

  • user credentials are never stored in clear text — make sure that they are hashed and salted
  • never send user credentials over an un-encrypted connection

Session tokens should always be generated on the server. Use existing application frameworks for session management as much as possible. For example, Rails, Play, Lift, J2EE/Spring, ASP.Net etc., come with features around strongly encrypted sessions, protections against attacks like CSRF, XSS, SQL injection, session replay, timeouts etc. That wheel’s been invented and rolls well.
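
As an added illustration of the two points above, a strong-password policy check and server-side session tokens with an idle timeout (example code written for this post, not taken from any of the frameworks named; the policy values and the common-password list are constructed stand-ins):

```python
import re
import secrets
import time

# Constructed policy values (assumptions for this example, not the post's):
# minimum length, the character classes to mix, and a tiny stand-in for a
# real breached/common-password denylist.
MIN_LENGTH = 12
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
COMMON_PASSWORDS = {"password1234", "qwerty123456", "letmein12345"}


def password_policy_errors(password: str) -> list:
    """Return the policy violations for a candidate password; empty means it passes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("too short")
    if sum(1 for pattern in CLASSES if re.search(pattern, password)) < 3:
        errors.append("needs at least three character classes")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("too common")
    return errors


class SessionStore:
    """Server-side sessions: tokens come from the OS CSPRNG, are never derived
    from anything the client supplies, and expire after a period of inactivity."""

    def __init__(self, idle_timeout: float = 900.0, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable so expiry can be exercised deterministically
        self._sessions = {}  # token -> (user, last_seen)

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe text
        self._sessions[token] = (user, self.clock())
        return token

    def lookup(self, token: str):
        """Return the user behind a live token, or None; idle sessions are purged."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        now = self.clock()
        if now - last_seen > self.idle_timeout:
            del self._sessions[token]
            return None
        self._sessions[token] = (user, now)  # sliding idle timeout
        return user

    def revoke(self, token: str) -> None:
        """Log-out path: forget the token server-side so a copied cookie is useless."""
        self._sessions.pop(token, None)
```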

Input validation

One of the most effective safeguards against hacking attacks is to perform input validation. Input validation should take place on the server side for all data. Validation criteria should be set for input fields. All data should be encoded before use. Input validation techniques along with proper encoding help block many attack vectors like XSS, SQL Injection and remote file inclusion.
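
An added example (not from the post) of the three practices just described: server-side allow-list validation of every field, encoding at the HTML output boundary, and a parameterized query shown next to the string-concatenation form it replaces. The field rules and the in-memory sample table are constructed for this example.

```python
import html
import re
import sqlite3

# Allow-list rules per field (constructed for this example; real rules are
# application-specific). Anything that does not match is rejected, and so
# is any field the form was not expected to carry.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "email": re.compile(r"[^@\s]{1,64}@[A-Za-z0-9.-]{1,255}"),
    "age": re.compile(r"[1-9][0-9]?|1[01][0-9]|120"),
}


def validate(form: dict) -> dict:
    """Server-side validation of all submitted data; returns {field: problem}, empty if clean."""
    errors = {}
    for field, rule in FIELD_RULES.items():
        value = form.get(field)
        if not isinstance(value, str) or rule.fullmatch(value) is None:
            errors[field] = "invalid"
    for field in set(form) - set(FIELD_RULES):
        errors[field] = "unexpected field"
    return errors


def render_greeting(username: str) -> str:
    """Encode for the HTML context at the point of output, whatever validation did earlier."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user(conn: sqlite3.Connection, username: str):
    """Parameterized query: the value is bound by the driver, never spliced into SQL text."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchone()


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The concatenation form that find_user replaces, kept only to show the difference."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()
```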

Use open source cryptography

The only way to secure architectures is to use systems, algorithms, and implementations that are well known to be safe, and which have been peer reviewed in the open by lots of people, and which have withstood a lot of hacking attempts in production already. Custom or proprietary solutions often have not gone through this process, and as a result are often riddled with security weaknesses that can and will be exploited.

Configuring for security

What does this mean? It is simply managing and defining a process to ensure that the systems the software runs on have been secured adequately. Harden your infrastructure by:

  1. Ensuring all software is updated to the latest security patches. This includes the OS, Web/App server, databases, and any other component in the system architecture. Define a process to keep these components abreast of the latest updates and patches and to deploy them to all deployed environments in a timely manner. The process should also include seemingly innocuous peripherals such as networked printers and VoIP phones.
  2. Turning off or disabling all unused and unnecessary features (e.g. ports, services, accounts).
  3. Changing all default passwords and/or accounts.
  4. Ensuring that error handling does not reveal any stack traces or other sensitive information to the users.

In 2013, a third of the most serious threats facing enterprises were associated with worms (Win32/Conficker, INF/Autorun, Win32/Dorkbot) infecting Windows systems. Worms are commonly spread through network drives, abusing the Autorun feature or exploiting weak passwords.

The Conficker worm exploited weak passwords. Once it compromised a system, it could steal the credentials of an IT administrator to spread on the internal network.

Manage data exposure

Analyze your data characteristics and determine which data is sensitive enough to require extra protection (e.g. passwords, credit card numbers, health records, etc.). Ensure that such data is never backed up or transmitted in clear text. Ensure that strong, up-to-date cryptographic algorithms are used to encrypt such data. Don’t store data unnecessarily: data you don’t have is impossible to steal. For example, don’t store credit card numbers if you use a payment gateway; store only the last 4 digits for tracking purposes. Also, keep sensitive information such as IP addresses out of logs. Ensure passwords are stored with algorithms specifically designed for password hashing such as bcrypt, PBKDF2 or scrypt.

Manage the end-points

BYOD is here to stay. CEOs want to use the latest in mobile technology — the President of the United States uses a tablet. It has its benefits – reduced capital expense and productivity gains. While there are some businesses that may do well to steer away from this trend, most corporations can benefit if they manage this trend within their organization, rather than fight it. Put in a plan to train employees and raise awareness regarding the risks of using their devices to access corporate data. Consider implementing an MDM (Mobile Device Management) solution to manage access to corporate apps and data on employee devices. MobileIron, AirWatch/VMware and Citrix, among others, have MDM suites to manage BYOD issues. Also, consider reining it in using a CYOD (Choose Your Own Device) option, where the business has a list of approved devices the employees choose from to gain access to corporate systems.

Employee Training

Education is a good risk-mitigator as well. Training developers to follow good design principles (including the ones mentioned above) helps build good, secure software. Training operations staff to configure for security means there will be fewer, if any, changes that could compromise security, for example inadvertently removing access restrictions on network drives, which happens more often than one would imagine.

Stay Paranoid

It is impossible to protect anything that is in the user’s hands from being read in its completeness. For example, the attempts to encrypt digital media like DVDs have all been hacked with ease. There is no platform or app that hasn’t been hacked and studied in detail by the community, even if it requires modifying the hardware that the code is running on, either for establishing street cred or for financial gain. Sony’s PlayStation was protected at the hardware level against hacks. Even that wasn’t enough protection apparently — you could buy extra chips (called flashers) that could be soldered onto chips on the motherboard. You could then downgrade the firmware and load pirated games onto it.

Stay vigilant for any signs of abnormal activity on your network. No alarm should be treated as too insignificant to investigate. Just recently, a large store chain revealed that they did not take early warning signs of abnormal activity seriously, eventually resulting in a data breach that impacted 70 million customers and, more importantly, a loss of trust and goodwill.

Every piece of code, data, or hardware that is in the user’s hands must be considered read and understood in its completeness, even if that means grinding away a hardware chip layer by layer and photographing the internals. People do that. Obfuscation might be helpful to reduce the size of the shipped binaries, but it doesn’t prevent reading and manipulation of the compiled code.

No input from the outside world, even if it seems to come from our own client apps over secure channels, must be trusted. The clients might be (and will be) compromised, and will send malicious data, no matter how obfuscated or protected they are. If there are truly security-relevant things, they have to remain on the servers, and have to happen there.
