Johannes Ullrich is the Chief Research Officer for the SANS Institute, where he is responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. Prior to working for SANS, Johannes worked as a lead support engineer for a Web development company and as a research physicist. Johannes holds a PhD in Physics from SUNY Albany and is located in Jacksonville, Florida.
1. There have been so many reports of passwords being stolen lately. What is going on? Is the password system that everyone is using broken?
Passwords are broken. A password is supposed to be a secret you share with a site to authenticate yourself. In order for this to work, the secret may only be known to you and that particular site. This is no longer true if you use the same password with more than one site. Also, the password has to be hard to guess but easy to remember. It is virtually impossible to come up with numerous hard to guess but easy to remember
A very serious vulnerability in ASP.NET was revealed this past month that allows attackers to completely compromise ASP.NET Forms Authentication, among other things. When things like this happen, as developersit's important to see what lessons can be learned in order to improve the defensibility of our software.
Source: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
This vulnerability illustrates a couple of important lessons that all developers should take note of:
- Doing cryptography correctly is challenging
- Don't store sensitive information on the client
They've fixed the first issue with an out of bandpatch
which means Microsoft took this vulnerability as a very real and serious threat to ...
Checking the integrity of code you download is important and has to be done not just for the initial download, but for updates as well. We will discuss the options to implement integrity checks correctly.
There are a few rules every developer should follow when applying encryption:
- don't invent your own algorithm
Cryptography is a difficult topic, best left to the experts. Implementing encryption algorithms is difficult and there are many traps waiting. Many times, you can get away with a broken custom algorithm, but only because nobody challenges the implementation. If you are happy coding unimportant websites nobody needs, then your time is probably cheap enough where you don't mind wasting a few hours implementing your own broken algorithm.
It is best to stick with standard algorithms. Currently, AES (American Advanced Encryption Standard) is the standard encryption algorithm. The advantage of using a standard like AES is that you will find support in various programming languages and that future support is likely as well.
- use the strongest algorithm you can find
Cryptography is a constant
I regularly get consulted on various web application security issues and defensive strategies. One of the recent "frequently asked questions" is around database encryption of web application. My answers to these kind of questions usually lead to awkward looking faces. I always start off asking more questions about the requirements, "Who are you trying to protect the data from?" and "What data are you trying to protect?" The answers to those questions are usually good indicator whether the person is on the right path or not.
In most cases, database encryption does not prevent the hacker from accessing the backend database via an application compromisse. The reasoning is very simple. If the web application needs to be able to access the data for normal operation and hackers are able to compromise the application, the hackers can essentially access the same data by controlling the applicaton (attacker owns the application). Encryption does not prevent a hacker to access the