The ramblings of web developer Beau Brownlee

Posts Tagged ‘Security’

 
Friday, October 28th, 2011

I am, over the next several months, going to attempt to broach the subject of security. This is a subject full of controversy, misinformation (or lack of information), and a general lack of understanding of what security is, who we are defending against, and how ‘they’ (whomever they may be) will try to attack us.

The Problem

Security is defending against infinity, and infinity keeps changing. The interesting thing about security is that there is no way to always know who the attackers will be, how they will attack, or, for that matter, whether their attacks were successful. Another problem: what kinds of security tools exist to help protect a system against attacks? Which of course leads to yet another problem: what kinds of attacks exist against these tools, and how do you implement these tools properly? These are problems I’ve been facing lately with a large project I’ve been tasked to work on; I’ve been on a journey to discover the answers and thought I’d share.

Wax On, Wax Off

So how does one start out as a grasshopper and become a Jedi master? Well, a great way to start is to learn from the masters, but first we have to know who those masters are. Here are just a couple of masters you should know:

  1. Bruce Schneier: Security expert and author. He is a great, comprehensive teacher and has written several books on cryptography and, even more importantly, on how to implement cryptographic systems. He also has a great blog on security.
  2. Alfred Menezes, Paul van Oorschot and Scott Vanstone: Co-authors of several cryptography books, most notably The Handbook of Applied Cryptography.
  3. Whitfield Diffie: A security expert and the co-inventor of the Diffie-Hellman key exchange algorithm.
  4. Adi Shamir: Inventor of RSA and numerous other cryptographic algorithms.

“You’re done?!?!!?” the cryptography masters scream, and I respond, “So sorry, I just don’t have the time/patience to reference every single security master.” These are just a couple of guys to know about, but you should learn about more of the masters.

What Exactly Is Security?

Security, in short, is one of two things. #1 Complete void of access: scenario, you have a document on a computer in a metal room with big locks on the doors, and there are no network connections of any kind to this computer. #2 Cryptography: assuming that you require access to data, cryptography is the over-arching solution.

Security Principles

Kerckhoffs’s principle

Only secrecy of the key provides security. You are not required to show the world your code; however, your dependence on security must rest on the cryptographic keys being secret. Any dependency beyond this is false security. We have seen time and time again that a determined attacker can, and will, thwart any security system that depends on anything other than the secrecy of the cryptographic key.

Security By Obfuscation

There are many companies/organizations who think of obfuscation as a defense, when all obfuscation can ever be is a deterrent. Any determined attacker can, eventually, get past obfuscation, especially when you’re talking about a published solution. The mindset of a security expert is to assume the enemy knows the internals of the system and to design the system so that the attacker still cannot breach it. The ‘enemy’ could be anyone. It could be someone in an organization. It could be a designer or developer of the security system! The goal should always be that even if you know the entire system from start to finish, you still could not breach the security within a reasonable amount of time. There are some good reasons for obfuscation, code obfuscation for instance. That can help to deter individuals from stealing your product and make it slightly harder for an attacker to understand how your system works, but you must never think of obfuscation as a defense.
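To make the last two sections concrete (Kerckhoffs’s principle and obfuscation as a non-defense), here is an added example that is not part of the original post. It contrasts an integrity tag computed by a home-grown “secret” transform with a plain HMAC whose only secret is a key kept outside the code. The constant salt, the sample messages and the `APP_MAC_KEY` environment variable are all assumptions made for this example.

```php
<?php
// Added example (not from the original post). Scheme A relies on nobody reading
// the code; Scheme B relies only on a key the code never contains.
declare(strict_types=1);

// --- Scheme A: security by obfuscation --------------------------------------
// Everything needed to compute a valid tag is in the source: a home-grown
// transform and a constant "salt" (constructed value). Anyone who can read this
// file can produce a valid tag for any message they like.
const OBSCURE_SALT = 'c0ffee-not-a-secret';   // constructed value

function obfuscatedTag(string $message): string
{
    $mixed = strrev($message) . OBSCURE_SALT . strlen($message);
    return substr(md5($mixed), 0, 16);
}

// --- Scheme B: Kerckhoffs-compliant ------------------------------------------
// The algorithm (HMAC-SHA256) is public. The key is the only secret and lives
// outside the code base, here in an environment variable (assumption).
function loadMacKey(): string
{
    $hex = getenv('APP_MAC_KEY');
    if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException('APP_MAC_KEY must be 32 random bytes, hex-encoded');
    }
    return hex2bin($hex);
}

function keyedTag(string $message, string $key): string
{
    return hash_hmac('sha256', $message, $key);
}

function verifyKeyedTag(string $message, string $tag, string $key): bool
{
    // Constant-time comparison; plain string equality would leak timing.
    return hash_equals(keyedTag($message, $key), $tag);
}

// --- Demonstration -----------------------------------------------------------
$message = 'transfer=100;to=alice';   // constructed sample message

// Scheme A: reading the source is all it takes to compute a tag for a message
// the issuing system never produced, so the tag proves nothing.
echo "Scheme A tag for an altered message: " . obfuscatedTag('transfer=100;to=mallory') . "\n";

// Scheme B: knowing the code and the algorithm gives nothing without the key.
try {
    $key = loadMacKey();
} catch (RuntimeException $e) {
    // For a stand-alone run, create a throwaway key the way a deployment would:
    // random bytes generated outside the source, never a constant in it.
    $key = random_bytes(32);
}
$tag = keyedTag($message, $key);
var_dump(verifyKeyedTag($message, $tag, $key));                   // bool(true)
var_dump(verifyKeyedTag('transfer=100;to=mallory', $tag, $key));  // bool(false)
```

The design point is where the secret lives: Scheme A cannot be published, audited or shared with a contractor without losing all of its strength, whereas Scheme B can be posted in full and stays exactly as strong as the key, which is what the principle asks for.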

Futility

“It is futile to lock the barn door after the horse has been stolen”. This is a great concept that has many implications. One of these implications is that security must extend from the source, all the way to the destination. If there is a section of the data’s journey in which the attacker is able to get the data, all has been for naught.

The Weakest Link

“Security is only as strong as the weakest link.” It doesn’t matter how thick and strong 299 links in a powerful chain are; if the 300th link in the very center of the chain is made of thin, weak tin, the entire chain is as strong as weak tin. Any attacker who is worth his salt is not going to start an attack at the thickest point in the chain; he is going to go straight for the weakest link in the chain to break through.

Over the next few months I’ll be talking more about my journey through security and will hopefully help myself and others have a better understanding of it.

 
Tuesday, January 20th, 2009

I just wrote a new post (http://www.zonkio.com/the-javascript-injection-problem_685.html) on Zonkio. The post is about the dangers of JavaScript injection and understanding good coding practices when dealing with client-server architecture.

 
Saturday, December 27th, 2008

A very overlooked part of PHP security is file uploading. A quick for instance: let’s say that you have a file uploader to which no security has been applied. Any file may be uploaded to the server. What if someone uploads a file that has a little extension by the name of ‘.php’? All that needs to be done now is to write a little script in that file with ‘fopen’, read all the files and echo them out to the browser. Now we have all the source code (maybe even usernames/passwords if we’re lucky) to the entire application. Not only that, but now we can write SQL code to get all the data we want from the database. Then we could get really mean and update the database with some malicious JavaScript and have it download viruses or trojans onto the computers of all the users who visit the website. Now Google checks your website, realizes something bad is going on and decides to blacklist your website. Now Mr. User comes along to your website, and he’s using Firefox. Firefox checks with Google to see if it’s OK to visit the website, Google says ‘noooo’, Firefox puts up a really scary red screen with a hand and an exclamation point, and Mr. User gets scared and decides never to come to this ‘bad’ site again. Then Russia decides to launch ‘nucular’ missiles and we’re back in the Cold War… OK, maybe not that last part, but pretty much all the stuff before the ‘nucular’ missiles I’ve experienced happening. So how do we stop the madness??

(more…)
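As an added example that is not part of the original post (the post itself is cut off above), here is one way to stop the madness described: an upload handler that never trusts the client-supplied name or type, stores files under a server-chosen name in a directory the web server does not execute from, and streams them back through PHP rather than linking to them directly. The `UPLOAD_DIR` path, the `upload` form field, the size limit and the whitelist are assumptions made for this example.

```php
<?php
// Added example (not from the original post): a hardened upload handler.
// Assumptions: UPLOAD_DIR is outside the document root and the web server is
// configured never to execute anything in it; the form field is named "upload".
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumption: not under the web root
const MAX_BYTES  = 2 * 1024 * 1024;       // 2 MiB, an arbitrary limit
const ALLOWED    = [                      // extension => MIME type the bytes must have
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'pdf'  => 'application/pdf',
];

/**
 * Validate one entry of $_FILES and store it. Returns the server-chosen name,
 * or throws a RuntimeException describing why the upload was rejected.
 */
function storeUpload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The client-supplied name is used only to pick an extension, and only after
    // lower-casing it and checking it against the whitelist ("shell.PHP" is out).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('file type not allowed');
    }
    // $file['type'] is whatever the browser claimed; sniff the actual bytes instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // A random server-chosen name: no path traversal, no ".php", no double extensions.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // readable by the application user, never executable
    return $name;
}

/**
 * Serve a stored file by streaming it through PHP, so UPLOAD_DIR is never
 * exposed as a URL and the response type is set by the server, not the file.
 */
function serveUpload(string $name): void
{
    if (!preg_match('/^[a-f0-9]{32}\.(png|jpe?g|pdf)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    header('Content-Type: ' . ALLOWED[$ext]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile($path);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upload'])) {
    try {
        echo htmlspecialchars(storeUpload($_FILES['upload']), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The extension whitelist and the MIME sniff are each weak on their own (a renamed file passes the first, a crafted polyglot can pass the second), which is why the directory itself must also be one the server will never hand to the PHP interpreter; the code-level checks are the second and third links in the chain, not the only one.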

 
Saturday, December 27th, 2008

Updated on 01/22/2009. There is no such thing as a 100% secure anything in this world of hackers/counter-hackers, especially when it comes to the world of web development. One of the many methods hackers use to infiltrate web applications is session fixation. Session fixation is a way for a hacker to gain unauthorized access to another user’s login. So how do we guard against this?

(more…)
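As an added example that is not part of the original post (which is cut off above), here is the PHP session configuration and login flow that guards against fixation: the server refuses session IDs it did not issue, accepts the ID only from a cookie, and replaces the ID the moment a user authenticates, so an ID planted in a victim’s browser before login is never promoted to an authenticated session. It assumes PHP 7.3 or later, HTTPS, and a constructed one-user credential table in place of a real user store.

```php
<?php
// Added example (not from the original post): session handling that defeats
// session fixation. Assumes PHP 7.3+ (array form of session_set_cookie_params
// and setcookie) and a site served over HTTPS.
declare(strict_types=1);

// Refuse session IDs the server did not generate: with strict mode on, a cookie
// carrying an attacker-chosen ID is ignored and a fresh ID is issued instead.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');   // never accept the ID from the URL
ini_set('session.use_trans_sid', '0');      // never append the ID to links
session_set_cookie_params([
    'lifetime' => 0,         // session cookie, gone when the browser closes
    'path'     => '/',
    'secure'   => true,      // only sent over HTTPS
    'httponly' => true,      // not readable by page script
    'samesite' => 'Lax',
]);
session_start();

function credentialsValid(string $user, string $password): bool
{
    // Constructed sample user store: one account, hash made with password_hash().
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(string $user, string $password): bool
{
    if (!credentialsValid($user, $password)) {
        return false;
    }
    // The decisive step against fixation: whatever ID the browser presented
    // before authentication is discarded and its server-side record deleted, so
    // a pre-planted ID never becomes a logged-in session.
    session_regenerate_id(true);
    $_SESSION = [];                       // drop anything the pre-auth session held
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser and destroy the record on the server.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login((string)($_POST['user'] ?? ''), (string)($_POST['password'] ?? ''));
    http_response_code($ok ? 200 : 401);
    echo $ok ? 'logged in' : 'invalid credentials';
}
```

The three pieces reinforce each other: strict mode stops the server from adopting an unknown ID, cookie-only transport removes the URL as a place to plant one, and regeneration on login means that even an ID that somehow got through is worthless to whoever planted it.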

 
Saturday, August 30th, 2008

The Legacy

I recently worked on a legacy ASP web application that had been hacked. The problem? The programmers didn’t think that hackers would/could attack them. This seems to be a prevalent problem in the development world. Developers have a zebra mentality: ‘OK, we all have to cross the river, but if we all jump in at the same time, hopefully I won’t be the one to get eaten’. If you don’t see the flaw in this logic, please do not waste any more time with this article and go have loads of fun playing Click the Button. If you do see the flaw, continue on.

(more…)
