Wednesday, December 31, 2014

Tech Ed - Why a Hacker can own your servers in a day!

I have watched a number of security related sessions but the TWC Why a Hacker Can Own Your Web Servers in a Day! session at Tech Ed Europe 2014 by Marcus Murray and Hasain Alshakarti was one of the best that I have ever seen. They both work at Truesec who conduct Penetration Testing amongst many other security related services. What made this security session stand out is that they went beyond the basic demonstrations of commonly known exploits (SQL Injection, XSS etc). They continued to progress the exploit to show how professional hackers would spread their sphere of influence to ultimately compromising your entire network. What made this even more relevant in the real world was that all the attack vectors they demonstrated had been previously found whilst performing pen testing against some of their customers. This is seriously scary stuff but fascinating at the same time.

In summary, their session consisted of demonstrating three exploits:
1) An image upload exploit which ended up with the web server, SQL server and Domain Controller being compromised.
2) A SQL injection attack which resulted in the SQL server becoming compromised and in turn, only a matter of time before other servers were compromised thanks to what was demonstrated in the first exploit.
3) XSS attack using a live website which results in the attacker being able to do some very scary stuff to your browser session.

I will not go into detail here about the attacks they demonstrated as to do them justice you really need to watch the Tech Ed session. All I will say is the photo upload exploit is pure genius. From uploading a photo to owning the Domain Controller--it's chilling. Granted, it's a very specific exploit but for impact purposes, I have not seen anything else that beats it yet. Kudos to them for finding and being able to exploit this.

They introduced a range of security / hacker tools which I had never heard of before. These tools made the process of "owning" servers through known exploits like "Token Kidnapping" so easy it was scary. 

If I have some spare time on my hands, I would like to attempt to recreate these exploits with the aid of some virtual infrastructure on Azure as there is plenty to be learnt here.

As a developer, if you think security is something that you do not have to be concerned about, watch this session and I hope you will be scared into thinking otherwise by the end of it. This session demonstrates the sophistication and lengths a professional hacker will go to when attempting to compromise your applications security.

A quick look at Marcus's previous Tech Ed sessions shows a string of them running back to 2010. I will be checking these out for sure for some more security goodness.