Archives

Categories

Recent Comments

Subscribe to this blog's feed
Bookmark and Share

Essays

01/21/2010

Secure web form authentication using stored procedures

This is a posting I've been planning to do for several months but am just finding time for. One of the most common questions I get from developers is how they should be handling authentication. My advice is always the same - don't. I have no idea why developers want to be custodians of data as sensitive as a username and password when there are federated identity providers such as OpenID that will accept that risk on the developer's behalf.

Some developers insist on localized identity management, so the next couple of posts are going to illustrate how they can implement web forms securely using MySQL stored procedures and UUIDs to insulate them from the risks storing credentials.

Before getting to code-level specifics, let's define the problem we're solving.

First, we want to make sure that a single user's credentials cannot be discovered via SQL injection or other application-level security flaws. Most developers mitigate this by only storing one-way hashes of passwords.

Second, because hashes are susceptible to rainbow tables attacks, we want to make sure that an attacker cannot obtain any aggregated credential hashes. Keep in mind that many users utilize the same (or similar) passwords across many system. This means that aggregated credential hashed are extremely valuable to an attacker. To mitigate this, we will check authentication within a stored procedure. If the password hash is checked via a stored procedure and the application user only has execute permissions, an attacker cannot extract aggregated credentials even if they completely control an application.

Finally, we want to make sure that an attacker cannot easily mine your database for aggregated private or sensitive data through application-level flaws. By using a UUID as the primary key instead of a username or canonical index, we make it very difficult for an attacker to extract data for a single arbitrary user; this also makes data aggregation more difficult.

That's probably as clear as mud, so I'll explain via code examples. The principals all apply no matter what platform you're on, but the examples are all using MySQL 5.1.x.

Continue reading "Secure web form authentication using stored procedures" »

Posted at 08:37 PM in Essays, Security, Software, Systems | | Comments (2) | TrackBack (0)

Technorati Tags: , , , , , , ,

|

05/09/2008

Who'd want to hack me?

Lots of people want to hack you. Despite persistent stereotypes about bored teenagers, cyber-crime is big business. A search on the Russian Business Network should end any doubts about that. Physical world criminals have very simple motives; they're after valuables -- money, jewelry, electronics, cars. Cyber criminals really aren't any different. If you want to know what they're after, follow the money.

Q: "Willie, why do you rob banks?"

A: "Cause that's where the money is."

-- Willy Sutton, depresson-era bank robber

There are three things every user has that are valuable to cyber criminals:

  • Financial Assets and Intellectual Property.
  • Computing Resources.
  • Identity.

The first of these things is the most obvious. Financial records -- including bank account and credit card information -- are almost as good as cash to a criminal. Even if individual assets are modest, when aggregated with other victims, the value of the information is significant and is sold and traded online.

Intellectual property is similarly valuable as the MPAA will attest to. While most intellectual property -- an unfinished novel, plans for the new deck, and the latest vacation pictures -- probably aren't as valuable as a major motion picture, piracy does occur. If the machine contains IP belonging to a commercial, governmental, or academic institution, it could be extraordinarily valuable or compromising.

The value of computing resources isn't quite as intuitive. Every modern computer has storage, network bandwidth, and processing power. All three of these things are useful to a criminal.

Storage is the most obvious commodity they're after. Why would a criminal store black market files on their own machines when they can do it anonymously on somebody else's? All of those pirated movies that the MPAA is hunting down have to be stored somewhere. So does the source code for the most recent catastrophic virus outbreak. And then there's child pornography. There are serious legal consequences if it's found on a computer, and criminals love to transfer that sort of risk to the unsuspecting.

Bandwidth is valuable for similar reasons. A computer's Internet connection connection can be used to host this illicit content for downloading. It can also be used to attack other machines. A botnet is a collection of computers that have been hacked and can be controlled remotely by the attacker. These huge groups of hundreds of thousands of compromised machines can be used in coordinated attacks against individualsbusinesses, and nation states.

Processing power is a little bit more subtle. Keep in mind that encryption is at the core of security technology. It's what keeps passwords, communications, and commerce private. Without it, anybody could listen in during online banking sessions and while credit card numbers are sent to online stores. Essentially, encryption is just very complex math which, given a big enough calculator, can be solved. While this doesn't seem as immediate a risk as bandwidth and storage, it does pose a viable long-term threat.

The final and most universal asset that every end user has is identity. This is a dual threat -- first to your personal assets and second to the assets and intellectual property of any person or organization trusts you.

Identity theft is all over the news these days. This type of identity threat is the theft of a victim's real-world identity. But what about a victim's online identity? Highly targeted phishing e-mails that appear to come from a trusted individual or organization are much likelier to succeed than random spam. Another attack would be to use a victim's electronic credentials (usually a password) to access an employer's intellectual property or financial assets -- employees who's username and/or password can be cracked or discovered open an employer's network up to attack from the inside.

Cybercrime is clearly a problem that threatens all types of computer users from the board room to the backyard; everyone is a target.

This document is intended for a non-technical audience. It's a sketch for part of a document I'm working on that introduces business users to online risks and best practices...


Continue reading "Who'd want to hack me?" »

Posted at 01:19 PM in Essays, Security, Trust | | Comments (0) | TrackBack (0)

|