Coding Blocks

We wrap up our discussion of PagerDuty’s Security Training, while Joe declares this year is already a loss, Michael can’t even, and Allen says doody, err, duty.

The full show notes for this episode are available at https://www.codingblocks.net/episode177.

Sponsors

  • Datadog – Sign up today for a free 14 day trial and get a free Datadog t-shirt after creating your first dashboard.
  • Linode – Sign up for $100 in free credit and simplify your infrastructure with Linode’s Linux virtual machines.
  • Shortcut – Project management has never been easier. Check out how Shortcut is project management without all the management.

Survey Says

How awesome was Game Ja-Ja-Ja-Jamuary?!

Take the survey at: https://www.codingblocks.net/episode177.

News

  • Ja Ja Ja Jamuary is complete and there are 46 new games in the world. Go play! (itch.io)

Session Management

  • Session management is the ability to identify a user over multiple requests.
  • HTTP is stateless, so there needs to be a way to maintain state.
    • Cookies are commonly used to store information on the client to be sent back to the server on subsequent requests.
      • They usually contain a session token of some sort, which should be a random, unique string.
      • Do NOT store sensitive information in the cookie, such as usernames, passwords, etc.
        • Besides tampering, it can be difficult to revoke the cookies.

Session Hijacking

  • Session hijacking is stealing a user’s session, possibly by:
    • Guessing or stealing the session identifiers, or
    • Taking over cookies that weren’t properly locked down.

Session Fixation

  • Session fixation is when a bad actor creates a session that you will unknowingly take over, thus giving the bad actor access to the data in the user’s session.
    • This used to be more of an issue when session tokens were passed around in the URL (remember CFID and CFTOKEN?!).
  • Always treat cookies like any other user input: don’t implicitly trust them, because they can be manipulated on the client.

How to Secure / Verify Sessions

  • Add extra pieces of data to the session you can verify when requests are made.
  • Ensure you actually created the session.
  • Make sure it hasn’t expired and ensure you set expirations for sessions.
    • All of this just catches the easy stuff.
  • Session IDs should be unique and random.
  • Ensure the following when sending cookies to the client:
    • Secure flag is set,
    • httpOnly flag is set, and
    • The domain is set on the cookie so it can only be used by your application.
  • To avoid the session fixation we mentioned earlier, ALWAYS make sure to send a new session ID when privileges are elevated, i.e. a login.
  • Always keep information stored on the server side, not on the client.
  • Make sure you have an expiration that is set on the server side session. This should be completely independent of the cookie because the cookie values can be manipulated.
  • When a user logs out or the session expires, ensure you fully destroy all session information.
  • NEVER TRUST USER INPUT!
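The checklist above, put together as working code. This is an added example written for these notes, not code from the episode or from PagerDuty’s training; the in-memory store, the `app.example.com` domain and the 30-minute lifetime are assumptions standing in for a real session backend and deployment. It shows a random session ID from the OS CSPRNG, the `Secure`/`HttpOnly`/`Domain` cookie attributes, server-side expiry that ignores whatever the cookie claims, a fresh ID on login (the session fixation defence), and full destruction on logout.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed for this example: an in-memory dict stands in for a server-side
# session backend (Redis, a database, ...). Session data never leaves the server.
SESSION_TTL_SECONDS = 30 * 60
COOKIE_DOMAIN = "app.example.com"  # assumed application host


@dataclass
class Session:
    user_id: Optional[str]   # None until the user logs in
    created_at: float
    last_seen: float
    data: dict = field(default_factory=dict)


_store: Dict[str, Session] = {}


def new_session_id() -> str:
    # 32 bytes from the OS CSPRNG, URL-safe encoded: unique and unguessable.
    return secrets.token_urlsafe(32)


def create_session(now: Optional[float] = None) -> str:
    """Start an anonymous session and return the ID to put in the cookie."""
    now = time.time() if now is None else now
    sid = new_session_id()
    _store[sid] = Session(user_id=None, created_at=now, last_seen=now)
    return sid


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value: Secure (HTTPS only), HttpOnly (hidden from page scripts),
    Domain pinned to our host, SameSite to limit cross-site sends, and a Max-Age
    that is only a hint; the server-side expiry below is what actually counts."""
    return (f"session={sid}; Domain={COOKIE_DOMAIN}; Path=/; "
            f"Max-Age={SESSION_TTL_SECONDS}; Secure; HttpOnly; SameSite=Lax")


def destroy_session(sid: str) -> None:
    """Logout or expiry: drop everything the server holds for this session."""
    _store.pop(sid, None)


def validate_session(sid: str, now: Optional[float] = None) -> Optional[Session]:
    """Treat the cookie value as untrusted input: it must name a session that we
    created and that has not expired by the server's own clock."""
    now = time.time() if now is None else now
    sess = _store.get(sid)
    if sess is None:
        return None
    if now - sess.last_seen > SESSION_TTL_SECONDS:
        destroy_session(sid)
        return None
    sess.last_seen = now
    return sess


def login(old_sid: str, user_id: str, now: Optional[float] = None) -> str:
    """Privilege elevation: issue a brand-new session ID and retire the old one,
    so an ID that was planted in the victim's browser beforehand is worthless."""
    now = time.time() if now is None else now
    old = validate_session(old_sid, now)
    carried = dict(old.data) if old else {}
    destroy_session(old_sid)
    new_sid = new_session_id()
    _store[new_sid] = Session(user_id=user_id, created_at=now, last_seen=now, data=carried)
    return new_sid
```

The `now` parameter exists only so the expiry logic can be exercised deterministically; a real handler would let it default to the wall clock.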

Permissions

  • Try to avoid using sudo in any shell scripts if you can.
    • If you can’t avoid it, use it with care.
  • Use the principle of least privilege, i.e. more restrictive permissions; as in, can you live with read-only perms?
  • Revoke permissions you don’t need.
  • Create separate users for separate needs.
    • If you need to delete files from a storage bucket, have a service account or user set up with just that permission.
    • Same for managing compute instances.
  • Use the least permissive approach you can as it greatly reduces risks.

Other Classic Vulnerabilities

  • Buffer overflow: This is when a piece of data is written somewhere it shouldn’t be able to reach.
    • From Wikipedia, a buffer overflow “is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations.”
    • Typically these are used to execute malicious code by putting instructions in a piece of memory that is to be executed after a previous statement completes.
    • One malicious use of a buffer overflow is using a NOP sled (no-operation sled) to fill up the buffer with a lot of NOPs with your malicious code at the end of the ride.
      • Apparently you can use this method to easily get a root shell – article linked in the resources
      • Metasploit (YouTube)
  • Path Traversal: This is when you “break out” of the web server’s directory and are able to access, or serve up, content from elsewhere on the server.
    • Remember, your dependencies may also have vulnerabilities such as this. You need to run scans on your apps, code, and infrastructure.
  • Side Channel Attacks: This is when the attacker is using information that’s not necessarily part of a process to get information about that process. Examples include:
    • Timing attack: Understanding how long certain processes take can allow you to infer information about the process. For example, multiplication takes longer than addition so you might be able to determine that there’s multiplication happening.
    • Power analysis: This is when you can actually figure out what a processor is doing by analyzing the electrical power being consumed. An example of this process is called differential power analysis.
    • Acoustic cryptanalysis: This is when the attacker is analyzing sounds to find out what’s going on, such as using a microphone to listen to the sounds of typing a password.
    • Data remanence: This is when an attacker gets sensitive data after it was thought to have been deleted.
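For the path traversal item above, the usual defence is to map the requested path onto the filesystem and then check that the resolved result is still inside the document root. This is an added example for these notes, not code from the episode; the `/srv/www/static` root is an assumed value, and the directory does not need to exist for the path arithmetic to run.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the example (constructed; it need not exist, since
# Path.resolve is non-strict by default).
STATIC_ROOT = "/srv/www/static"


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Map a user-supplied path onto the filesystem only if it stays inside root.

    The request path is percent-decoded first (so '..%2F' is seen as '../'),
    joined to the root, and resolved so every '..' and symlink is collapsed
    *before* the containment check. Comparing resolved path against resolved
    root is what defeats string tricks such as 'css/../../etc/passwd'."""
    root_path = Path(root).resolve()
    relative = unquote(requested).lstrip("/\\")   # never let the request pick an absolute path
    candidate = (root_path / relative).resolve()
    try:
        candidate.relative_to(root_path)
    except ValueError:
        return None          # escaped the root: refuse to serve
    return str(candidate)
```

Note that a leading slash is stripped rather than rejected, so `/etc/passwd` becomes `etc/passwd` under the root; whether you prefer to reject such requests outright is a policy choice, but either way nothing outside the root is ever returned.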

Resources we Like

Tip of the Week

  • Did you know you can use your phone as a pro level webcam? Thanks Simon Barker! (reincubate.com)
  • From the tip hotline (cb.show/tips) – Mikerg sent us a great site for learning VSCode. Some are free, some require a $3 monthly subscription, but the ones Joe has done have been really good. Not just VSCode either! IntelliJ, Gmail, lots of other stuff! (keycombiner.com)
  • How to use Visual Studio Code as the default editor for Git MergeTool (stackoverflow.com)
  • Five Easy to Miss PostgreSQL Query Performance Bottlenecks (pawelurbanek.com)
Direct download: coding-blocks-episode-177.mp3
Category:Software Development -- posted at: 9:52pm EDT

We’re pretty sure we’re almost done and we’re definitely all present for the recording as we continue discussing PagerDuty’s Security Training, while Allen won’t fall for it, Joe takes the show to a dark place, and Michael knows obscure, um, stuff.

The full show notes for this episode are available at https://www.codingblocks.net/episode176.

Sponsors

  • Datadog – Sign up today for a free 14 day trial and get a free Datadog t-shirt after creating your first dashboard.
  • Linode – Sign up for $100 in free credit and simplify your infrastructure with Linode’s Linux virtual machines.
  • Shortcut – Project management has never been easier. Check out how Shortcut is project management without all the management.

Survey Says

For this year's Game Jam, you are ...

Take the survey at: https://www.codingblocks.net/episode176.

News

  • Thanks for the reviews!
    • iTunes: YouCanSayThisNickname
  • Game Ja Ja Ja Jam is coming up! Just a few days away! (itch.io)

XSS – Cross Site Scripting

  • Q: What is XSS? A: XSS is injecting snippets of code onto webpages that will be viewed by others.
    • This can allow the attacker to basically have access to everything a user does or types on a page.
  • Consider something like a comment on a forum, or blog that allows one to save malicious code.
    • The attacker could potentially access cookies and session information,
    • As well as gain access to keyboard entry on the page.
  • You can sanitize the inputs, but that’s not good enough.
    • You can’t check for everything in the world.
  • You really need to be encoding the stored information before you present it back to any users.
    • This allows things to be displayed as they were entered, but not executed by the browser.
    • Different languages, frameworks, libraries, etc., have their own ways of encoding information before it’s rendered by the browser. Get familiar with your library’s specific ways.
  • User supplied data should ALWAYS be encoded before being rendered by the browser. ALWAYS.
    • This goes for HTML, JS, CSS, etc.
  • Use a library for encoding because the chances are they’ve been vetted.
    • Just like we mentioned before, you still have to be diligent about using 3rd party libraries. Using a 3rd party library doesn’t mean you can wash your hands of it.
  • Content Security Policy (CSP) is another way to handle this. (Wikipedia)
  • OWASP considers XSS a type of Injection attack in 2021.
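Output encoding by context, as the notes above recommend. This is an added example for these notes, not code from the episode; it uses the Python standard library’s `html.escape` and `json.dumps` rather than any particular web framework, and the comment and author strings are constructed inputs. The point it makes beyond the bullets is that the encoder has to match where the value lands: HTML body, quoted attribute, and a JavaScript string literal each need different treatment, and a CSP header limits the damage if one of them is ever missed.

```python
import html
import json

# Constructed untrusted input, as an attacker might save in a forum comment.
EVIL_BODY = '<script>alert("xss")</script>'
EVIL_NAME = 'bob" onmouseover="alert(1)'


def encode_for_html_body(value: str) -> str:
    """Text placed between tags: &, <, >, \" and ' become entities, so the browser
    displays the comment exactly as typed and never parses it as markup."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Text placed inside a quoted attribute; same entities, and the template must
    always quote the attribute (an unquoted attribute value could still break out)."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Text placed inside a <script> block as a JS string literal. json.dumps
    produces a quoted, escaped literal; '</' is additionally escaped so the
    HTML parser cannot see a premature '</script>' inside the string."""
    return json.dumps(value).replace("</", "<\\/")


def render_comment(author: str, body: str) -> str:
    """Assemble the comment using the encoder that matches each output context."""
    return (
        f'<li class="comment" data-author="{encode_for_html_attribute(author)}">'
        f"{encode_for_html_body(body)}</li>\n"
        f"<script>trackComment({encode_for_js_string(author)});</script>"
    )


def content_security_policy() -> str:
    """Defence in depth: even if an encoding slip lets markup through, this CSP
    refuses inline scripts and scripts from other origins."""
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
```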

CSRF – Cross Site Request Forgery

  • Q: What is CSRF? A: CSRF is tricking someone into doing something they didn’t want to do, or didn’t know they were doing.
  • A couple of examples were given:
    • For example, set an img src to the site’s logout URL so that when someone visits the page, they’re automatically logged out.
      • Just imagine if the image source pointed to something a little more nefarious.
    • Another example is a button that tricks you into performing an action such as an account deletion on another site. This can be done using a form POST and a simple button click.
  • How do you avoid this?
    • Synchronizer token:
      • This is a hidden field on every user submittable form on a site that has a value that’s private to the user’s session.
        • These tokens should be cryptographically strong random values so they can never be guessed or reverse engineered.
        • These tokens should never be shared with anyone else.
      • When the form is submitted, the token is validated against the user’s session token, and if it matches, go ahead with the action, otherwise abort.
    • Again, there are a number of frameworks and libraries out there that have anti-forgery built in. Check with your specific documentation.
  • They go on to say that anything that is not a READ operation should have CSRF tokens.
  • NEVER use GET requests for state changing operations!
    • PagerDuty had a funny mention about an administrative site that included links to delete rows from the database using GET requests. When the browser pre-fetched the links, it deleted the database.
  • OWASP dropped CSRF from the Top 10 in 2017 because the statistical data didn’t rank it highly enough to make the list.
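The synchronizer token pattern described above, as an added example for these notes rather than code from the episode or any framework. The session store is a constructed in-memory dict, and `handle_state_change` is a hypothetical request handler standing in for whatever your framework calls. It issues one strong random token per session, embeds it as a hidden field, compares it in constant time on submit, and refuses GET for anything that changes state.

```python
import hmac
import secrets
from typing import Callable, Dict, Tuple

# Constructed stand-in for server-side session storage: session id -> session data.
_sessions: Dict[str, dict] = {}


def issue_csrf_token(session_id: str) -> str:
    """One cryptographically strong token per session, stored only on the server
    and in the forms we render; it is never shared with anyone else."""
    sess = _sessions.setdefault(session_id, {})
    if "csrf" not in sess:
        sess["csrf"] = secrets.token_urlsafe(32)
    return sess["csrf"]


def hidden_field(session_id: str) -> str:
    """The hidden input every user-submittable form carries (token is URL-safe
    base64, so it needs no further attribute encoding)."""
    return f'<input type="hidden" name="csrf_token" value="{issue_csrf_token(session_id)}">'


def handle_state_change(method: str, session_id: str, form: Dict[str, str],
                        action: Callable[[], str]) -> Tuple[int, str]:
    """Hypothetical handler for any non-read operation (delete, transfer, ...)."""
    if method.upper() == "GET":
        # A prefetching browser, an <img src>, or a link can trigger GET without consent.
        return 405, "state-changing operations must not be reachable via GET"
    expected = _sessions.get(session_id, {}).get("csrf")
    submitted = form.get("csrf_token", "")
    # compare_digest avoids leaking the token byte-by-byte through timing.
    if not expected or not hmac.compare_digest(expected, submitted):
        return 403, "CSRF token missing or invalid"
    return 200, action()
```

Because the token lives in the victim’s session and the attacker’s page cannot read it, a forged cross-site POST arrives without a matching token and is rejected before the action runs.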

Click-jacking

  • Q: What is click-jacking? A: Click-jacking is when you are fooled into clicking on something you didn’t intend to.
    • For example, rendering a page over the top of an iframe, so that anything clicked on that top page (which seemed innocent) would actually make the click happen on the iframed page, like clicking a Buy it Now button.
    • Another example is moving a window as soon as you click causing you to click on something you didn’t intend to click.
  • The best way to prevent click-jacking is to lock down whether your pages can be loaded in an iframe using the HTTP header X-Frame-Options, set to either SAMEORIGIN or DENY. (developer.mozilla.org)

Account Enumeration

  • Q: What is account enumeration? A: Account enumeration is when an attacker attempts to extract users or information from a website.
    • Failed logins that take longer for one user than another may indicate that the one that took longer was a real user, maybe because the server spends time hashing the password only for real users.
    • A similar thing could happen if customers are subdomained: one subdomain shows properly and another fails, which reveals information about the customers.
  • These mitigations may be frustrating, as they pointed out, because you have to walk the line between user experience and security.
    • Just be aware of what type of data you might be exposing with these types of operations.
  • Regarding logins:
    • Whether the user exists or not, run the same hashing algorithm so you don’t give away which accounts are real.
    • If a user does a password reset, don’t give a message indicating whether the account really existed or not. Keep the flow and messaging the same.
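The two login rules above in code. This is an added example for these notes, not code from the episode; the user table, the dummy record and the reset queue are constructed stand-ins, and PBKDF2-SHA256 is used only because it is in the Python standard library. The point beyond the bullets is that the unknown-user path does exactly the same hashing work as the known-user path and returns exactly the same message, so neither timing nor wording tells an attacker which usernames exist.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

PBKDF2_ITERATIONS = 100_000  # constructed value for the example; tune for production

# Constructed user table: username -> (salt, password hash).
_users: Dict[str, Tuple[bytes, bytes]] = {}
_reset_queue: List[str] = []      # stands in for an outbound email queue

GENERIC_FAILURE = "Invalid username or password."
RESET_MESSAGE = "If that account exists, a reset link has been sent to its email address."


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    _users[username] = (salt, hash_password(password, salt))


# A fixed dummy record used for unknown usernames, so the same amount of
# hashing work happens whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-password-never-valid", _DUMMY_SALT)


def login(username: str, password: str) -> Tuple[bool, str]:
    """Same work and same message on every failure path."""
    record = _users.get(username)
    if record is None:
        salt, stored, known = _DUMMY_SALT, _DUMMY_HASH, False
    else:
        salt, stored = record
        known = True
    computed = hash_password(password, salt)          # always computed
    ok = hmac.compare_digest(computed, stored) and known  # constant-time compare
    return (ok, "OK" if ok else GENERIC_FAILURE)


def request_password_reset(username: str) -> str:
    """Same flow and message whether or not the account exists; the real work
    (sending mail) happens out of band and is invisible to the requester."""
    if username in _users:
        _reset_queue.append(username)
    return RESET_MESSAGE


def queued_reset_emails() -> List[str]:
    return list(_reset_queue)
```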

Resources we Like

Tip of the Week

  • Cloudflare lets you deploy JAMstack websites for free using their edge network. (pages.cloudflare.com)
  • Amazon has their own open-source game engine, Open 3D Engine, aka O3DE. It’s the successor to Lumberyard, an AAA-capable, cross-platform, open source, 3D engine licensed under Apache 2.0. (aws.amazon.com, o3de.org)
  • Let’s talk about CSS! Ever use border to try and figure out layout issues? Why not use outline instead? Thanks Andrew Diamond! (W3Schools.com)
    • We discussed a similar technique as a TotW for episode 81.
  • Have you seen those weird mobile game ads? Click this link, maybe when you’re not at work, and embrace the weird world of mobile game ads. (Reddit)
  • Nostalgia for the 80’s? People have uploaded some of the tapes that used to play on the loudspeakers at the US department store K-Mart. (Nerdist.com)
  • OWASP publishes cheat sheets for security. (cheatsheetseries.owasp.org)
Direct download: coding-blocks-episode-176.mp3
Category:Software Development -- posted at: 8:01pm EDT

We continue our discussion of PagerDuty’s Security Training presentation while Michael buys a vowel, Joe has some buffer, and Allen hits everything he doesn’t aim for.

The full show notes for this episode are available at https://www.codingblocks.net/episode175.

Sponsors

  • Datadog – Sign up today for a free 14 day trial and get a free Datadog t-shirt after creating your first dashboard.
  • Linode – Sign up for $100 in free credit and simplify your infrastructure with Linode’s Linux virtual machines.
  • Shortcut – Project management has never been easier. Check out how Shortcut is project management without all the management.

Survey Says

Do you stick with your New Year's resolutions?

Take the survey at: https://www.codingblocks.net/episode175.

News

  • Thanks for the reviews!
    • iTunes: aodiogo
  • Game Ja-Ja-Ja-Jamuary is coming up, sign up is open now! (itch.io)

Encryption

  • OWASP has the more generic “Cryptographic Failures” at #2, up from #3 in 2017.
  • PagerDuty defines encryption as encoding information in such a way that only authorized readers can access it.
    • Note that this is an informal definition that speaks to the most common use of the word.
  • Encryption is really, really difficult to get right. There are people that spend their whole lives thinking about encryption, and breaking encryption. You may think you’re a genius by coming up with a non-standard implementation, but unfortunately the attackers are really sophisticated and this strategy has shown to fail over and over.
  • There are different types of encryption:
    • Symmetric/Asymmetric – refers to whether the keys for reading and writing the encrypted data are the same.
    • Block Cipher – Lets you encrypt and decrypt the data in whole chunks. You need to have an entire block to encrypt or decrypt the whole block at once.
    • Public/Private Key – A kind of asymmetric encryption intended for situations where you want groups to be able to share one of the keys. For example, you can publish a public PGP key and then people can use that to send you a message. You keep the private key private, so you’re the only entity that can read the message.
    • Stream Cipher – Encrypts “on the fly”; think about HTTPS, great for streaming. You can start reading before you have the entire message. Great for situations where performance is important, or you might miss data.

Encryption in Transit

  • Also known by other names such as data in motion.
  • Designed to protect against entities that can snoop (or manipulate!) our communications.
  • You can do this with HTTPS, TLS, IPsec.
  • Perfect Forward Secrecy is the key to protecting past communications, by generating a new key for a single session so that compromised keys only affect the specific session they were used for.
  • From Wikipedia: “In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised.” (Wikipedia)

Encryption at Rest

  • Simply means that data is encrypted where it’s stored.
    • An example of this is full disk encryption on laptops and desktops. The entire drive is encrypted so if someone were to steal the drive, it’d essentially be useless without the keys to decrypt the data on the drive.
  • For PagerDuty, and many other companies, the most important information to protect is customer data, just as important as your own passwords.
  • PagerDuty’s data classifications:
    • General data – This is anything available to the public.
    • Business data – Includes operating data for the business, such as payroll, employee info, etc. This type of data is expected to be encrypted in transit and at rest.
    • Customer data – This is data provided to the company by the customer and is expected to be encrypted in transit and at rest.
      • Customer data includes controls such as authentication, access control, storage, auditing, encryption, and destruction.
      • Business data has similar controls except without the auditing.
  • PagerDuty called out that when using cloud systems, you should make sure you’re enabling encryption on the various services, like S3, GCS, Blob Storage, etc.
    • They mentioned it’s just a checkbox, but in reality you’re probably using scripts, templates, etc. So make sure you know the configurations to include to enable encryption.
  • Another interesting thing they do at PagerDuty: they get alerted when a resource is created without encryption enabled.
  • What about third parties you use? Should they encrypt as well? YES!!!
    • Perform vendor risk assessments prior to using the vendor. If they don’t pass the security assessment, use a different vendor.

Secret Management

  • Q. What is it? A. Protecting and auditing access to secrets.
    • Auditing so that you can see when someone who shouldn’t is using your secrets, as well as keep track of which systems should be, and are, using secrets.
  • HashiCorp Vault has a great video to learn about the challenges of managing secrets. (YouTube)
  • What are secrets?
    • Secrets are sensitive things such as tokens, keys, passwords, user names, many others.
  • Secrets should NOT be stored in source control.
    • Although it seems to happen all the time, be it on purpose, by accident, etc.
    • Anyone with access to the code can now access the secrets.
  • PagerDuty uses Vault. Vault:
    • Securely stores secrets,
    • Provides audit access to those secrets, and
    • Provides mechanisms to rotate the secrets if/when necessary.
  • Don’t hardcode or come up with crazy ways to get secrets into your applications.
  • Secrets should never be shared, i.e. if two people need access to a system, they should have their own secrets to access that system.
    • Or maybe you have a “jump” server that has access to an external system, and users have access to the jump server.
  • NEVER share passwords over insecure channels. This can include channels such as:
    • Slack,
    • Email,
    • SMS,
    • But this is not an exhaustive list.
  • If you do accidentally post a secret in a chat or an insecure channel, you should:
    • Let the security team know immediately (you have a security team right?!), and
    • Find out how to rotate the secret and do it.
  • Never allow a secret to be logged!
    • This can be especially egregious if you’re logging customer credentials you don’t control.
    • Be sure you are sanitizing your log data before you log.
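One way to do that sanitizing before a line reaches the logger. This is an added example for these notes, not code from the episode or from PagerDuty; the key names it treats as sensitive, the `[REDACTED]` marker and the sample events are all constructed for the illustration. It handles both structured events (redact by field name, recursively) and free-text messages (redact `key=value` / `key: value` pairs and bearer tokens), so a credential that was copied into a message string is caught too.

```python
import json
import re
from typing import Any

REDACTED = "[REDACTED]"

# Field names that are sensitive wherever they appear in a structured event (constructed list).
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api[_-]?key|authorization|cookie)", re.I)

# Free-text patterns: "Bearer <token>" and "<name>=<value>" / "<name>: <value>"
# where the name contains a sensitive word (e.g. csrf_token, DB_PASSWORD).
BEARER = re.compile(r"(Bearer\s+)[A-Za-z0-9._~+/=-]+", re.I)
KEY_VALUE = re.compile(r"(?i)(\w*(?:password|passwd|token|api[_-]?key|secret)\w*)(\s*[=:]\s*)([^\s,;&]+)")


def redact_text(line: str) -> str:
    """Mask credential-looking values inside a free-text message."""
    line = BEARER.sub(r"\1" + REDACTED, line)
    line = KEY_VALUE.sub(r"\1\2" + REDACTED, line)
    return line


def redact_event(obj: Any) -> Any:
    """Walk a structured event: sensitive keys are masked wholesale, strings are
    scanned as text, containers are handled recursively, everything else passes."""
    if isinstance(obj, dict):
        return {k: (REDACTED if SENSITIVE_KEY.search(str(k)) else redact_event(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_event(v) for v in obj]
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


def safe_log_line(event: dict) -> str:
    """What actually goes to the log: the redacted event serialised as JSON."""
    return json.dumps(redact_event(event), sort_keys=True)


# Constructed sample event with a customer credential that must never be logged.
SAMPLE_EVENT = {
    "msg": "upstream call failed: Authorization: Bearer abc.def.ghi status=502",
    "user": "alice",
    "password": "hunter2",
    "headers": {"Cookie": "session=xyz", "X-Request-Id": "r-17"},
    "extra": ["csrf_token=qwerty", "note=all good"],
}
```

Allow-listing the fields you log is stricter than this deny-list and is the better default for new code; the deny-list approach shown here is what you reach for when an existing logger already takes arbitrary events.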

Resources we Like

Tip of the Week

  • HashiCorp Vault is a tool for managing secrets, but did you know they have a ton of plugins? Take a look! (VaultProject.io)
  • Unity has tools built in for common game functionality, it’s worth taking a few minutes to google for something before you start typing. Don’t worry, there is still plenty of code to write, but these tools improve the quality and consistency of your game.
  • You can use animation clips to create advanced character animations, but it’s also good for simple tweens and motions that need to happen once, or in a loop. No need for “Rotator.cs” type classes that you see in a lot of Unity tutorials. (docs.unity3d.com)
  • NavMeshes are an efficient way of handling pathfinding, which is an important piece of many games. You can learn the basics in just a few minutes and accomplish some amazing things. (docs.unity3d.com)
  • GoFullPage lets you take a screenshot of a whole webpage, bada bing, bada boom. (chrome.google.com, GoFullPage.com)
Direct download: coding-blocks-episode-175.mp3
Category:Software Development -- posted at: 8:01pm EDT
