Hackers: 
The Internet's Immune System 
Disclaimer: Use this knowledge in a positive manner. 
Help the development of secure software.
Whose Fault?? 
 Security failure of the 
respective nations 
 Intelligence failure 
 Failure to prevent 
such incidents 
 Failure to implement the 
security framework 
efficiently
It is because of Osama and Kasab 
 That we know about our security flaws 
 That we learn the hard way, but we did. 
Think before attacking again, 
We are stronger!
How do vaccines work?
The Internet's Immune System 
 It is a constant fight between application 
developers and hackers. Who wins? 
 The aim of this presentation is to share knowledge 
about developing secure applications. 
 Understanding how hackers think. 
 Security principles
Why Software Security? 
 Application security is an unstated requirement 
 Most applications deal with at least 
one of the following 
 Financial information 
 Credit cards 
 Account numbers 
 Customer's personal information 
 Name 
 Contact information
Information Sensitivity 
 Information about special groups of people, like 
 Expecting parents 
 LGBT community 
 Rich & affluent 
 Sports persons 
is 10 to 50 times more valuable than that of 
the rest, because they are the target customers 
of various products.
Why people hack Software? 
 Fun/ Pride 
 Money 
 Free goodies 
 Processing power/coin minting 
 Advertisements 
 Mind Wash (Religion/Politics) 
 Wars 
 To bring out vulnerabilities 
 Irritating processes
Types of hackers 
 Black Hat 
 Grey Hat 
 White Hat
Hack-1 
 Sony 
 $171 million (Sony's own estimate of the cost) 
 Hacked in April to June 2011 
 Hacked by: LulzSec (Sony Pictures, June 2011) 
 Cause: SQL Injection 
 The April 2011 breach of the PlayStation Network affected 77 million accounts and 
was, at the time, considered the worst gaming community 
data breach ever. Attackers stole 
valuable information: full names, logins, 
passwords, e-mails, home addresses, purchase 
history, and credit card numbers. In June 2011 LulzSec separately 
broke into Sony Pictures' websites through a SQL injection in a web form 
and published the user records they pulled out, many with plaintext passwords.
SQL Injection
Hack-2 
 Citigroup 
 $2.7 million 
 Hacked in June 2011 
 Caused by: poor implementation of authorization. 
Data belonging to other customers was accessible to any logged-in 
user who changed the account identifier in the URL (the server 
never checked that the parameter belonged to the session). 
 Exposed the financial data of more than 
360,000 customers
User Profile Bug 
 Consider a user story: 
 "As an Admin user, I would like to see the profile 
of any selected user in the system" 
 UI / Service / Controller / DAO 
 Select * from Users where userid = ? – the userid is passed from 
the admin's input 
 User story extension: 
 "As a logged in user, I should be able to view 
my profile" 
 Developers are lazy: re-usability says use the same path 
 Select * from Users where userid = ? – but now the userid must come from 
the logged-in user's session, never from the request. If the extension 
re-uses the admin endpoint and keeps taking the userid from the request, 
any user can read any profile by changing the number (the Citigroup bug).
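The two failures behind Hack-1 and Hack-2, shown side by side in runnable form. This is an added example, not code from the deck: the Users table, the three accounts and the session dictionaries are constructed for the demo, and the function names are the example's own. The first pair shows the Sony-style bug (user input pasted into the SQL text) against a parameterised query with an allowlist check on the id; the second pair shows the Citigroup-style bug (the admin endpoint re-used for "view my profile" while still trusting the id in the request) against a version that takes the id from the session and checks the role before honouring a requested id.

```python
import re
import sqlite3

# Constructed sample data (not from the deck): an in-memory Users table with
# three accounts; the "card" column stands in for the sensitive data.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (userid INTEGER PRIMARY KEY, "
                 "username TEXT, role TEXT, card TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", [
        (1, "alice", "admin", "4111-0001"),
        (2, "bob", "user", "4111-0002"),
        (3, "carol", "user", "4111-0003"),
    ])
    return conn

def profile_by_userid_vulnerable(conn, userid_from_request: str):
    # SQL injection: the request value is pasted into the SQL text, so the
    # input "0 OR 1=1" makes the WHERE clause true for every row.
    sql = ("SELECT userid, username, card FROM Users WHERE userid = "
           + userid_from_request)
    return conn.execute(sql).fetchall()

def validate_userid(value: str) -> int:
    # Positive security model: accept only what a userid can look like.
    if not re.fullmatch(r"[0-9]{1,9}", value):
        raise ValueError("userid must be 1-9 digits")
    return int(value)

def profile_by_userid(conn, userid: int):
    # Parameterised query: the driver sends the value separately from the
    # SQL text, so it can never change the shape of the statement.
    return conn.execute(
        "SELECT userid, username, card FROM Users WHERE userid = ?",
        (userid,)).fetchall()

def view_profile_vulnerable(conn, session: dict, requested_userid: str):
    # The Citigroup-style bug: the admin endpoint is re-used for "view my
    # profile" and still trusts the id in the request, so any logged-in user
    # can read any profile by changing the number. `session` is ignored.
    return profile_by_userid(conn, validate_userid(requested_userid))

def view_profile(conn, session: dict, requested_userid=None):
    # Both user stories on one endpoint, done safely. `session` is the
    # server-side session (constructed here), never client input.
    if requested_userid is None:
        target = session["userid"]            # "view my profile"
    else:
        if session.get("role") != "admin":    # "view any user": admins only
            raise PermissionError("only admins may view other users")
        target = validate_userid(requested_userid)
    return profile_by_userid(conn, target)

if __name__ == "__main__":
    conn = make_db()
    print(profile_by_userid_vulnerable(conn, "0 OR 1=1"))   # every card number
    print(profile_by_userid(conn, 2))                        # only bob
    bob = {"userid": 2, "role": "user"}
    print(view_profile_vulnerable(conn, bob, "1"))           # alice's data
    print(view_profile(conn, bob))                           # bob's own data
```

Note that the two fixes are independent: parameterisation stops the injection but does nothing for the authorization hole, and the role check does nothing for injection. Each endpoint needs both.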
Hack-3 
 AT&T 
 $2 million 
 The US carrier was hacked last year, but said 
no account information was exposed. They 
said they warned one million customers about 
the security breach. Money stolen from the 
hacked business accounts was used by a 
group related to Al Qaeda to fund terrorist attacks 
in Asia. According to reports, refunding 
customers cost AT&T almost $2 million.
Hack-4 
 Reginaldo Silva was paid $33,500 by Facebook's bug bounty programme 
 XML external entity vulnerability 
https://www.facebook.com/whitehat
XML external entity vulnerability 
 Similar to SQL Injection 
 Tainted data is inserted in XML 
 The XML processor processes the tainted data (for example an external 
entity declaration pointing at a local file or an internal URL) and becomes 
the hacker's slave: it reads files, makes requests from inside the network, 
or exhausts memory through recursive entity expansion.
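The simplest reliable defence is to refuse any document that declares a DTD at all, before the parser gets to see it; a document from an untrusted client has no business declaring entities. The example below is added here and is not code from the deck or from Facebook: the three sample documents are constructed, and `parse_untrusted_xml` and `classify` are the example's own names. It uses Python's `xml.etree`, which does not fetch external entities itself, but the pre-scan is what matters, because other stacks (lxml with its default `resolve_entities=True`, Java's default `DocumentBuilderFactory`) do resolve them.

```python
import re
import xml.etree.ElementTree as ET

# Any DTD, internal or external, is rejected before the parser sees the bytes.
# This covers external entities (file/URL reads) and entity-expansion bombs.
_DTD = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

def parse_untrusted_xml(data: bytes) -> ET.Element:
    if _DTD.search(data):
        raise ValueError("DTD/entity declarations are not accepted from untrusted input")
    return ET.fromstring(data)

# Constructed sample inputs (not from the deck).
BENIGN = b"<order><item sku='A1'/></order>"
XXE = b"""<?xml version="1.0"?>
<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<order><note>&xxe;</note></order>"""
BILLION_LAUGHS = (b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
                  b'<lolz>&lol2;</lolz>')

def classify(data: bytes) -> str:
    """Returns the root tag of an accepted document, or why it was not parsed."""
    try:
        root = parse_untrusted_xml(data)
    except ValueError:
        return "rejected"
    except ET.ParseError:
        return "malformed"
    return root.tag

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN), ("xxe", XXE), ("bomb", BILLION_LAUGHS)]:
        print(name, classify(doc))
```

The Java equivalent of the pre-scan is `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` on the `DocumentBuilderFactory`, which makes the parser itself throw on any DOCTYPE.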
Is this a hack?? 
 Kind of legal 
 You can switch it off: third-party cookies 
 Ads all around
Third Party Cookies 
 Old standards (RFC 2109 and RFC 2965) 
 specify that browsers should protect user privacy and not 
allow sharing of cookies between servers by default; 
 The newer standard (RFC 6265) 
 explicitly allows user agents to implement whichever third-party 
cookie policy they wish
Third Party Cookies 
Advertising companies use third-party cookies to track a 
user across multiple sites. In particular, an advertising 
company can track a user across all pages where it has 
placed advertising images or web bugs. Knowledge of the 
pages visited by a user allows the advertising company to 
target advertisements to the user's presumed preferences.
How do Hackers Think? 
 Take advantage of any available clue 
 Error messages 
 Time taken for a request to respond 
 Social networking 
 Input fields: XSS 
 SQL Injection
Error Messages 
User Story 1: 
 "As a user of the system, I want my account to 
be safeguarded against more than 3 invalid retries. 
My account must be locked if someone 
attempts to use trial and error to guess my 
password." 
User Story 2: 
 "All error messages must be clear and easy to 
understand."
Error Messages 
 "Your username is Invalid" – reveals which usernames exist 
 "Your password is Invalid" – confirms that the username exists 
 "You have made 'x' unsuccessful attempts to 
login. After 3 unsuccessful attempts, your account 
would be locked out." – reveals the lockout threshold, so an attacker 
stops at 2 guesses per account and moves on 
 "You have entered invalid username or password. 
Please retry" – the only one that satisfies both user stories
Error Messages 
 Soln. 
 Do not reveal, directly or indirectly, any information the caller 
is not entitled to: whether a username exists, which field was wrong, 
or how many attempts remain before lockout. 
 Make use of CAPTCHA for repetitive requests.
Time taken to Respond 
 Clue: if the server only hashes the password for usernames that exist, 
a request for an unknown user comes back measurably faster. The response 
time tells the attacker which usernames are valid even when the error 
message does not. 
 Soln. 
 Consistent response time for valid and invalid 
requests: do the same work, including the password hash, on both paths. 
 Add client identifiers, and respond with a delay 
of 100^n milliseconds, 
 where n = number of failed attempts previously made by that client: 
 1 ms, 100 ms, 10 s, 1,000 s 
 
This wouldn't cause much impact on normal users, but 
would slow an attacker's guessing hugely. Keying the counter on the 
client rather than only on the account also means one attacker cannot 
lock or slow down everybody else's account.
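A login routine that applies the points from the two slides above (Error Messages and Time taken to Respond) at once: one generic message for every failure, the same hashing work whether or not the username exists, a constant-time comparison, a lockout after 3 failures, and the 100^n ms back-off per client identifier. This is an added example and not the deck's code: the credential store, the fixed salt and the in-memory failure counter are constructed for the demo; `login` and `backoff_seconds` are the example's own names.

```python
import hashlib
import hmac

GENERIC_ERROR = "You have entered invalid username or password. Please retry"
LOCK_AFTER = 3            # user story 1: lock after 3 invalid attempts

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store (not from the deck). The fixed salt only keeps
# the demo deterministic; real code uses os.urandom(16) per user.
_SALT = bytes(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Hashed whenever the username is unknown, so the "no such user" path costs
# the same time as the "wrong password" path.
_DUMMY = (_SALT, _hash("not-a-real-password", _SALT))
FAILED = {}               # client identifier -> consecutive failures (demo only)

def backoff_seconds(failures: int) -> float:
    """Delay before answering once `failures` previous attempts have failed:
    100**failures ms, i.e. 1 ms, 100 ms, 10 s, 1,000 s."""
    return (100 ** failures) / 1000

def login(username: str, password: str, client_id: str):
    """Returns (ok, message, delay_seconds). The caller sleeps for the delay
    before sending the response; the message never says which field was wrong."""
    failures = FAILED.get(client_id, 0)
    if failures >= LOCK_AFTER:
        # Locked: same message and delay, so the lockout is not observable either.
        return (False, GENERIC_ERROR, backoff_seconds(failures))
    salt, stored = USERS.get(username, _DUMMY)
    # Always hash; always compare in constant time; `&` (not `and`) so both
    # operands are evaluated whatever the first one is.
    ok = hmac.compare_digest(_hash(password, salt), stored) & (username in USERS)
    if ok:
        FAILED.pop(client_id, None)
        return (True, "", 0.0)
    FAILED[client_id] = failures + 1
    return (False, GENERIC_ERROR, backoff_seconds(failures + 1))

if __name__ == "__main__":
    for attempt in ("wrong", "wrong", "wrong", "correct horse"):
        print(login("alice", attempt, "203.0.113.9"))
```

In production the failure counter lives in a shared store (so it survives restarts and load balancing), and it is worth counting per account as well as per client, since a distributed attacker spreads guesses over many identifiers; the trade-off is that a per-account lock can be used to lock a victim out on purpose.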
Security Questions 
 "What was your first school?" 
 "Where did you first meet your spouse?" 
 "What is your birth place?" 
 Disadvantage 1: all of this is available on social 
networking sites. 
 Disadvantage 2: the same answer has many spellings, so the check is 
either strict (the real user gets locked out) or loose (the guesser gets 
more room). My first school was 
 Seventh day adventist Sr. Sec School 
 Seventh day 
 7th day 
 Seven day 
 seven day 
 seventhday
Renowned Hackers 
 Kevin Mitnick 
 Anonymous 
 LulzSec
Security Principles
Apply defense in depth 
Anti-virus software 
Authentication and authorization 
Biometrics 
DMZ 
Firewalls (hardware or software) 
Hashing passwords 
Intrusion detection and prevention systems 
Logging and auditing 
Vulnerability detection 
Physical security 
Timed access control 
Internet security awareness 
VPN 
Sandboxing
Positive security model
Fail securely 
 Throw meaningful/clear exceptions 
 A failure in a security mechanism should lead to the operation 
being disallowed (in most cases) 
 Enable logging and auditing of exceptions 
 Analyse the exceptions
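What "fail securely" looks like in an authorization check, as an added example (not the deck's code): `PolicyStore` is a constructed stand-in for whatever backend holds the permissions, and the two `is_allowed*` functions are the example's own. The first is the classic fail-open bug, where the default answer is "yes" and a swallowed exception keeps it; the second denies on any failure of the mechanism, logs it with enough context to audit, and gives the caller a definite answer.

```python
import logging

log = logging.getLogger("authz")

class PolicyStore:
    """Constructed stand-in for a permissions backend (database, directory, ...)."""
    def __init__(self, grants, reachable=True):
        self.grants = grants          # user -> set of allowed actions
        self.reachable = reachable    # flip to False to simulate an outage

    def permissions_for(self, user):
        if not self.reachable:
            raise ConnectionError("policy store unreachable")
        return self.grants.get(user, set())

def is_allowed_fail_open(store, user, action):
    # The bug: the default answer is "yes" and the failure path keeps it, so
    # an outage of the policy store grants everyone everything.
    allowed = True
    try:
        allowed = action in store.permissions_for(user)
    except Exception as exc:
        log.error("policy lookup failed for %s: %s", user, exc)
    return allowed

def is_allowed(store, user, action):
    # Fail securely: if the mechanism itself fails, the operation is denied,
    # the failure is logged with user, action and cause for later analysis,
    # and the caller gets a definite "no" rather than a guess.
    try:
        return action in store.permissions_for(user)
    except Exception as exc:
        log.error("denied %s on %s: policy lookup failed: %s", action, user, exc)
        return False

if __name__ == "__main__":
    down = PolicyStore({"bob": {"read"}}, reachable=False)
    print("fail-open grants delete:", is_allowed_fail_open(down, "bob", "delete"))
    print("fail-closed grants delete:", is_allowed(down, "bob", "delete"))
```

The "in most cases" on the slide is the one caveat: a mechanism that must fail open (a fire door's lock) is the exception and should be a deliberate, documented decision, never the accidental result of an initial value.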
Principle of Least Privilege 
 Begin with least privileges 
 Provide additional privileges only if required, 
and after scrutiny
Avoid security by obscurity
Keep security simple 
 To Implement 
 To Understand 
 To Extend 
 To Validate
If you like it today 
Planning to do an XTR covering 
 Send email from any account 
 Log the user out by sending an email (URL) 
 Movie ticket denial of service 
 Security certification in sysinfo. 
 HackMe challenge
References 
 http://en.wikipedia.org/wiki/Web_application_security 
 http://www.hotforsecurity.com/blog/top-5-corporate-losses-due-to-hacking-1820.html 
 https://www.owasp.org/index.php/How_to_write_insecure_code 
 ClearlyExplained.com 
 http://en.wikipedia.org/wiki/Defense_in_depth_%28computing%29 
 9lessons.blogspot.com 
 http://www.gethow.org/
