The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference
|
|
- Justin Wilcox
- 6 years ago
- Views:
Transcription
1 The PKI Lie Attacking Certificate Based Authentication Ofer Maor CTO, Hacktics OWASP & WASC AppSec 2007 Conference San Jose Nov 2007 Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit The OWASP Foundation
2 Introduction More and more organizations are examining PKI solutions (client cert authentication) to provide an answer to modern authentication threats This presentation will examine the common notions about PKI in web applications and present various threats This lecture is: NOT going to reveal any flaws in RSA or Digital Signatures technology IS going to present how poor implementation can allow hackers to work around it OWASP & WASC AppSec 2007 Conference San Jose Nov
3 Agenda Common Credential Theft Threats Suggested PKI Authentication Solution Attacks on PKI Implementation Poor Application Integration Trojans PKI Phishing Demo Conclusion Mitigation OWASP & WASC AppSec 2007 Conference San Jose Nov
4 Common Credentials Theft Threats Phishing/Pharming Malicious Links DNS Hijacking Trojan/Malware Online Phishing Against OTP Trojans HTTP Monitoring Key Loggers XSS Attacks Session Hijacking XSS Based Phishing OWASP & WASC AppSec 2007 Conference San Jose Nov
5 Suggested Solution PKI & Client Certs PKI Authentication Combines: Something you Have (Smartcard / Token) Something you Know (PIN) Some modern implementations are seeking to replace the PIN with biometric authentication Authentication requires the physical device to be plugged in (Private key stored on device) The combination of smart card, PIN, and the strength of RSA, is why many consider PKI authentication as hack proof. OWASP & WASC AppSec 2007 Conference San Jose Nov
6 The PKI Lie A Hack Proof Solution The Hack Proof notion, urges organizations to switch to PKI based authentication at high costs Financial Organizations Many banks are deploying PKI authentication for customers The solutions are considered so secure that previous Phishing/Pharming warnings are removed! Governments Digital signatures are now legally valid In some countries they are considerably more abiding than normal signatures OWASP & WASC AppSec 2007 Conference San Jose Nov
7 The PKI (sad) Truth PKI Authentication is not Hack Proof Secure in Theory Very strong encryption & authentication algorithms Verified robust implementation (Common Criteria) Fails in Practice: Integration of the solution with the surrounding environment may allow compromise End Point Integration (PC/User) Web Application Integration Allows performing real time attacks OWASP & WASC AppSec 2007 Conference San Jose Nov
8 Application Integration Flaws Poor Authentication Verification by Application Poor Session Integration Relying on session information for authentication No binding of application session and SSL session XSS Vulnerabilities Data Theft Execution of Operations Invocation of Signing Operations (if cached) The sky is the limit OWASP & WASC AppSec 2007 Conference San Jose Nov
9 Client Side Attacks Trojans Trojans - No #1 Pharming Technique But also useful for direct data compromise OWASP & WASC AppSec 2007 Conference San Jose Nov
10 Client Side Attacks - Trojans Complete takeover of smartcard / token The Simple Way Cached PIN The Hard Way Stealing & Using PIN Step #1 Obtaining PIN Key Loggers USB Sniffers (Encryption might be a problem ) Driver Manipulation Step #2 Utilizing Card GUI Based Macro (Visible to user ) Direct DLL Access Silent Mode OWASP & WASC AppSec 2007 Conference San Jose Nov
11 Client Side Attacks - Phishing One of the most prominent attacks today Surely solved by PKI (or not?) OWASP & WASC AppSec 2007 Conference San Jose Nov
12 Real Time PKI Phishing - Overview Real Time Phishing provides a mean for overcoming the need of credentials theft. Rather than being stolen, the credentials are used in real time, while the device is plugged Once hijacked, the attacker can exploit the existing credentials using CSRF, Reflected XSS or other means As common with other CSRF/XSS attacks, the user has little, if any, way of preventing this. OWASP & WASC AppSec 2007 Conference San Jose Nov
13 Real Time PKI Phishing - Analysis The attack is performed by creating a faked site (much like regular Phishing attacks) The site has no content, and contains 2 frames: Frame I - Uses entire screen area and presents the real site Frame II Invisible, and is used for taking advantage of the logged on user Utilizing cross domain techniques (CSRF, JavaScript inclusion, etc.) Frame II, already authenticated, is used to launch attacks OWASP & WASC AppSec 2007 Conference San Jose Nov
14 Real Time PKI Phishing - Flow User follows link to malicious (Phished) site The response includes an empty content HTML, as following: <HTML> <IFRAME WIDTH=100% HEIGHT=100% NAME=REAL FRAMEBORDER=1 SRC= ></IFRAME> <IFRAME WIDTH=0% HEIGHT=0% NAME=EVIL FRAMEBODER=1> </IFRAME> <SCRIPT SRC= </HTML> OWASP & WASC AppSec 2007 Conference San Jose Nov
15 Real Time PKI Phishing Flow (Cont d) The user is then presented with the Certificate selection The user experience is IDENTICAL OWASP & WASC AppSec 2007 Conference San Jose Nov
16 Real Time PKI Phishing Flow (Cont d) Once the user has logged on, the user is able to browser through the site The malicious site is now able to perform navigation events on the 2 nd IFrame. This allows execution of any operation in the site on behalf of the user OWASP & WASC AppSec 2007 Conference San Jose Nov
17 Real Time PKI Phishing Demo OWASP & WASC AppSec 2007 Conference San Jose Nov
18 Real Time PKI Phishing Limitations Data Viewing May not be possible (Cross Site Limitations) Relies on CSRF Capabilities (Won t work well in.net ) However both limitations are easily bypassed with Reflected XSS The Phishing site provides the persistency platform XSS can then be used to access sensitive data XSS can also be used to obtaining whatever random data required to overcome CSRF protection OWASP & WASC AppSec 2007 Conference San Jose Nov
19 Additional Real Time PKI Phishing Aspects Proprietary ActiveX based authentication (As opposed to integrated browser certificates) Identifying when the main frame has been successfully authenticated can be performed using cross domain exploits (e.g. JS includes) Man in the Middle Techniques An Alternative to CSRF/XSS Attacks Establish a connection with the client, and relay the challenge from the original server to the client. Might generate some warnings, but users tend to ignore those OWASP & WASC AppSec 2007 Conference San Jose Nov
20 Conclusion Embedding PKI authentication in web applications is not a magic solution! Trojans, Pharming, Phishing, CSRF, XSS, as well as other applications vulnerabilities, remain a significant concern These problems must be addressed well before implementing client side certificates With that said client side certificates stored on secure physical device are still a very strong form of authentication OWASP & WASC AppSec 2007 Conference San Jose Nov
21 Mitigation CSRF Protection Massively discussed yesterday XSS Protection Massively discussed for the past few years Trojans Protection Tricky (Requires taking the PC out of the equation ) On-Device PIN Input & Verification On-Device Biometric Verification On-Device OK confirmation Clean From-Device OS Boot (Might work with virtualization as well ) OWASP & WASC AppSec 2007 Conference San Jose Nov
22 Thank You! Questions? OWASP & WASC AppSec 2007 Conference San Jose Nov
Attacks Against Websites. Tom Chothia Computer Security, Lecture 11
Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:
More informationOvertaking Google Desktop Leveraging XSS to Raise Havoc. 6 th OWASP AppSec Conference. The OWASP Foundation
Overtaking Google Desktop Leveraging XSS to Raise Havoc 6 th OWASP AppSec Conference Milan - May 2007 Yair Amit Senior Security Researcher, Watchfire yaira@watchfire.com +972-9-9586077 ext 4039 Copyright
More informationLecture Overview. IN5290 Ethical Hacking
Lecture Overview IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi How to use Burp
More informationLecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks
IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi Lecture Overview How to use Burp
More informationWeb Application Security. Philippe Bogaerts
Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationStop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico
1 Stop sweating the password and learn to love public key cryptography Chris Streeks Solutions Engineer, Yubico Stop Sweating the Password! 2 Agenda Introduction The modern state of Phishing How to become
More informationVidder PrecisionAccess
Vidder PrecisionAccess Transparent Multi-Factor Authentication June 2015 910 E HAMILTON AVENUE. SUITE 430. CAMPBELL, CA 95008 P: 408.418.0440 F: 408.706.5590 WWW.VIDDER.COM Table of Contents I. Overview...
More informationCIS 4360 Secure Computer Systems XSS
CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection
More informationWeb Security, Summer Term 2012
IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 7 Broken Authentication and Session
More informationWeb Security, Summer Term 2012
Table of Contents IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Introduction Examples of Attacks Brute Force Session
More informationWHY CSRF WORKS. Implicit authentication by Web browsers
WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication
More informationWEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang
WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication
More informationINF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015
INF3700 Informasjonsteknologi og samfunn Application Security Audun Jøsang University of Oslo Spring 2015 Outline Application Security Malicious Software Attacks on applications 2 Malicious Software 3
More informationFeaturing. and. Göteborg. Ulf Larson Thursday, October 24, 13
Featuring and Göteborg OWASP top ten 2013 Based on risk data from eight firms that specialize in application security, This data spans over 500,000 vulnerabilities across hundreds of organizations and
More informationMulti-Factor Authentication: Security or Snake Oil? Steven Myers Rachna Dhamija Jeffrey Friedberg
Multi-Factor Authentication: Security or Snake Oil? Steven Myers Rachna Dhamija Jeffrey Friedberg Phishing & Identity Theft Historically most online banking done with passwords (single-factor authentication)
More informationApplication vulnerabilities and defences
Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database
More informationBerner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2
Table of Contents Hacking Web Sites Broken Authentication Emmanuel Benoist Spring Term 2018 Introduction Examples of Attacks Brute Force Session Spotting Replay Attack Session Fixation Attack Session Hijacking
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationPro s and con s Why pins # s, passwords, smart cards and tokens fail
Current Authentication Methods Pro s and con s Why pins # s, passwords, smart cards and tokens fail IDENTIFYING CREDENTIALS In The Physical World Verified by Physical Inspection of the Credential by an
More informationCommon Websites Security Issues. Ziv Perry
Common Websites Security Issues Ziv Perry About me Mitnick attack TCP splicing Sql injection Transitive trust XSS Denial of Service DNS Spoofing CSRF Source routing SYN flooding ICMP
More informationAguascalientes Local Chapter. Kickoff
Aguascalientes Local Chapter Kickoff juan.gama@owasp.org About Us Chapter Leader Juan Gama Application Security Engineer @ Aspect Security 9+ years in Appsec, Testing, Development Maintainer of OWASP Benchmark
More informationSolutions Business Manager Web Application Security Assessment
White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security
More informationTowards a uniform solution to identity theft
Towards a uniform solution to identity theft November 2006 (V2.1) Lockstep Technologies www.lockstep.com.au Everybody s talking about identity theft. And many banks and other institutions are doing something
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationOWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example
Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide
More informationCSCD 303 Essential Computer Security Fall 2018
CSCD 303 Essential Computer Security Fall 2018 Lecture 17 XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate security of Web Browser/Server
More informationWayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk
Wayward Wi-Fi How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk 288 MILLION There are more than 288 million unique Wi-Fi networks worldwide. Source: Wireless Geographic Logging
More informationComputer Security 3e. Dieter Gollmann. Chapter 18: 1
Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter
More informationBank Infrastructure - Video - 1
Bank Infrastructure - 1 05/09/2017 Threats Threat Source Risk Status Date Created Account Footprinting Web Browser Targeted Malware Web Browser Man in the browser Web Browser Identity Spoofing - Impersonation
More informationCSCD 303 Essential Computer Security Fall 2017
CSCD 303 Essential Computer Security Fall 2017 Lecture 18a XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate the security of the
More informationSecuring Internet Communication: TLS
Securing Internet Communication: TLS CS 161: Computer Security Prof. David Wagner March 11, 2016 Today s Lecture Applying crypto technology in practice Two simple abstractions cover 80% of the use cases
More informationProgress Exchange June, Phoenix, AZ, USA 1
1 COMP-1: Securing your web application against hackers Edwin Lijnzaad & Ronald Smits Consultants Agenda Introduction Issues How to... Questions 2 COMP-1: Securing your web application against hackers
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation
More informationAuthentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1
Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 CIA Triad Confidentiality Prevent disclosure of information to unauthorized parties Integrity Detect data tampering Availability
More informationPaystar Remittance Suite Tokenless Two-Factor Authentication
Paystar Remittance Suite Tokenless Two-Factor Authentication Introduction Authentication is the process by which a computer system positively identifies a user It is commonly considered to be one of the
More informationAuthor: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0
Author: Tonny Rabjerg Version: 20150730 Company Presentation WSF 4.0 WSF 4.0 Cybercrime is a growth industry. The returns are great, and the risks are low. We estimate that the likely annual cost to the
More informationSOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications
Enabling and Securing Digital Business in Economy Protect s Serving Business Critical Applications 40 percent of the world s web applications will use an interface Most enterprises today rely on customers
More informationOnline Banking Security
Online Banking Security Fabian Alenius Uwe Bauknecht May 17, 2009 Contents 1 Introduction 2 2 Secure Communication 2 2.1 Password authentication..................... 2 2.2 One-time Passwords.......................
More informationSafelayer's Adaptive Authentication: Increased security through context information
1 Safelayer's Adaptive Authentication: Increased security through context information The password continues to be the most widely used credential, although awareness is growing that it provides insufficient
More informationCSC 482/582: Computer Security. Cross-Site Security
Cross-Site Security 8chan xss via html 5 storage ex http://arstechnica.com/security/2015/09/serious- imgur-bug-exploited-to-execute-worm-like-attack-on- 8chan-users/ Topics 1. Same Origin Policy 2. Credential
More informationOpenID Security Analysis and Evaluation
University of British Columbia OpenID Security Analysis and Evaluation San-Tsai Sun, Kirstie Hawkey, Konstantin Beznosov Laboratory for Education and Research in Secure Systems Engineering (LERSSE) University
More informationProtecting Against Online Fraud. F5 EMEA Webinar August 2014
Protecting Against Online Fraud F5 EMEA Webinar August 2014 Agenda Fraud threat trends and business challenges Web fraud protection Mobile fraud protection Security operations center Example architecture
More informationPhishing Read Behind The Lines
Phishing Read Behind The Lines Veljko Pejović veljko@cs.ucsb.edu What is Phishing? "Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and
More informationAuthentication Methods
CERT-EU Security Whitepaper 16-003 Authentication Methods D.Antoniou, K.Socha ver. 1.0 20/12/2016 TLP: WHITE 1 Authentication Lately, protecting data has become increasingly difficult task. Cyber-attacks
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationWEB SECURITY: XSS & CSRF
WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often
More informationDeliver Strong Mobile App Security and the Ultimate User Experience
Deliver Strong Mobile App Security and the Ultimate User Experience The Presenters Will LaSala, Director of Services @ VASCO Will has been with VASCO since 2001 and over the years has been involved in
More informationChrome Extension Security Architecture
Chrome Extension Security Architecture Presenter: Jienan Liu Network, Intelligence & security Lab outline Chrome extension introduction Threats towards extension Chrome extension s security architecture
More informationC1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
More informationSecuring Information Systems
Chapter 7 Securing Information Systems 7.1 2007 by Prentice Hall STUDENT OBJECTIVES Analyze why information systems need special protection from destruction, error, and abuse. Assess the business value
More informationIdentity Theft, Phishing and Pharming: Accountability & Responsibilities. OWASP AppSec DC October The OWASP Foundation
Identity Theft, Phishing and Pharming: Accountability & Responsibilities OWASP AppSec DC October 2005 Danny Allan Research Analyst, Watchfire dannya@watchfire.com 781-547-7833 Copyright 2005 - The OWASP
More informationEthical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities
Ethical Hacking and Countermeasures: Web Chapter 3 Web Application Vulnerabilities Objectives After completing this chapter, you should be able to: Understand the architecture of Web applications Understand
More informationTopics. Ensuring Security on Mobile Devices
Ensuring Security on Mobile Devices It is possible right? Topics About viaforensics Why mobile security matters Types of security breaches and fraud Anticipated evolution of attacks Common mistakes that
More informationCSCE 813 Internet Security Case Study II: XSS
CSCE 813 Internet Security Case Study II: XSS Professor Lisa Luo Fall 2017 Outline Cross-site Scripting (XSS) Attacks Prevention 2 What is XSS? Cross-site scripting (XSS) is a code injection attack that
More informationEn partenariat avec CA Technologies. Genève, Hôtel Warwick,
SIGS Afterwork Event in Geneva API Security as Part of Digital Transformation Projects The role of API security in digital transformation Nagib Aouini, Head of Cyber Security Services Defense & Cyber Security
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More informationHacker Attacks on the Horizon: Web 2.0 Attack Vectors
IBM Software Group Hacker Attacks on the Horizon: Web 2.0 Attack Vectors Danny Allan Director, Security Research dallan@us.ibm.com 2/21/2008 Agenda HISTORY Web Eras & Trends SECURITY Web 2.0 Attack Vectors
More informationIs Your Online Bank Really Secure?
Is Your Online Bank Really Secure? Zoltan Szalai / ebanking Solution Manager April 25, 2013 2 Gemalto for You ONE THIRD OF THE WORLD S POPULATION USE OUR SOLUTIONS EVERYDAY BANKS & RETAIL TELECOM TRANSPORT
More informationSecure Frame Communication in Browsers Review
Secure Frame Communication in Browsers Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic being
More informationSo Many Ways to Slap a YoHo: Hacking Facebook & YoVille
Tom Stracener Strace, Contract Engineer MITRE EvilAdamSmith, Sr. Security Consultant Sean Barnum, Cybersecurity Principal MITRE So Many Ways to Slap a YoHo: Hacking Facebook & YoVille Misclaneous Disclaimers
More informationSECURITY TESTING. Towards a safer web world
SECURITY TESTING Towards a safer web world AGENDA 1. 3 W S OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS ate: 2013-14 Few Security Breaches September
More informationCOPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51
Acknowledgments Introduction Part I: The Basics in Depth 1 Chapter 1: Windows Attacks 3 Attack Classes 3 Automated versus Dedicated Attacker 4 Remote versus Local 7 Types of Attacks 8 Dedicated Manual
More informationGOING WHERE NO WAFS HAVE GONE BEFORE
GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation
More informationMBFuzzer - MITM Fuzzing for Mobile Applications
MBFuzzer - MITM Fuzzing for Mobile Applications Fatih Özavcı Mentor of MBFuzer @ yakindanegitim.org fatih.ozavci at gamasec.net gamasec.net/fozavci Scope Yakindan Egitim Project Security Vulnerabilities
More informationCYBER ATTACKS EXPLAINED: PACKET SPOOFING
CYBER ATTACKS EXPLAINED: PACKET SPOOFING Last month, we started this series to cover the important cyber attacks that impact critical IT infrastructure in organisations. The first was the denial-of-service
More informationWhitepaper on AuthShield Two Factor Authentication with SAP
Whitepaper on AuthShield Two Factor Authentication with SAP By AuthShield Labs Pvt. Ltd Table of Contents Table of Contents...2 1.Overview...4 2. Threats to account passwords...5 2.1 Social Engineering
More informationCross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security
Cross-Site Request Forgery: The Sleeping Giant Jeremiah Grossman Founder and CTO, WhiteHat Security Cross-Site Request Forgeries (CSRF) 1. Session Riding 2. Client-Side Trojans 3. Confused Deputy 4. Web
More informationCSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application
More informationEvaluating the Security Risks of Static vs. Dynamic Websites
Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline
More informationWeb Application Threats and Remediation. Terry Labach, IST Security Team
Web Application Threats and Remediation Terry Labach, IST Security Team IST Security Team The problem While we use frewalls and other means to prevent attackers from access to our networks, we encourage
More informationOWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP
OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes
More informationSecurity 08. Black Hat Search Engine Optimisation. SIFT Pty Ltd Australia. Paul Theriault
Security 08 Black Hat Search Engine Optimisation SIFT Pty Ltd Australia Paul Theriault 1. Search Engine Optimisation 2. Blackhat techniques explained 3. Security Recommendations Search Engine Optimisation
More informationWhat is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.
P1L4 Authentication What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource. Authentication: Who are you? Prove it.
More informationBuilding Trust in the Internet of Things
AN INTEL COMPANY Building Trust in the Internet of Things Developing an End-to-End Security Strategy for IoT Applications WHEN IT MATTERS, IT RUNS ON WIND RIVER EXECUTIVE SUMMARY Recent security breaches
More informationSichere Software vom Java-Entwickler
Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer
More informationApplication. Security. on line training. Academy. by Appsec Labs
Application Security on line training Academy by Appsec Labs APPSEC LABS ACADEMY APPLICATION SECURITY & SECURE CODING ON LINE TRAINING PROGRAM AppSec Labs is an expert application security company serving
More informationHacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK
Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for
More informationCyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX
Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security HTML PHP Database Linux Operating System and Networking: LINUX NETWORKING Information Gathering:
More informationSecurity and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web
Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/
More informationSecuring Internet Communication
Securing Internet Communication CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/
More informationEthical Hacking. Content Outline: Session 1
Ethical Hacking Content Outline: Session 1 Ethics & Hacking Hacking history : How it all begin - Why is security needed? - What is ethical hacking? - Ethical Hacker Vs Malicious hacker - Types of Hackers
More informationMOBILE THREAT LANDSCAPE. February 2018
MOBILE THREAT LANDSCAPE February 2018 WHERE DO MOBILE THREATS COME FROM? In 2017, mobile applications have been a target of choice for hackers to access and steal data, with 86% of mobile threats coming
More informationKishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009
Securing Web Applications: Defense Mechanisms Kishin Fatnani Founder & Director K-Secure Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 1 Agenda Current scenario in Web Application
More informationCombating Common Web App Authentication Threats
Security PS Combating Common Web App Authentication Threats Bruce K. Marshall, CISSP, NSA-IAM Senior Security Consultant bmarshall@securityps.com Key Topics Key Presentation Topics Understanding Web App
More informationEndpoint Security - what-if analysis 1
Endpoint Security - what-if analysis 1 07/23/2017 Threat Model Threats Threat Source Risk Status Date Created File Manipulation File System Medium Accessing, Modifying or Executing Executable Files File
More informationSAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0
Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex
More informationSecurity and Authentication
Security and Authentication Authentication and Security A major problem with computer communication Trust Who is sending you those bits What they allow to do in your system 2 Authentication In distributed
More informationGetting Into Mobile Without Getting Into Trouble
Getting Into Mobile Without Getting Into Trouble Greg Kliewer Senior Solutions Strategist October, 2014 The good old days Network separation No programmatic access from the Public Internet Safety through
More informationBreaking FIDO Yubico. Are Exploits in There?
Breaking FIDO Are Exploits in There? FIDO U2F (Universal 2nd Factor) Analyzing FIDO U2F Attack and Countermeasures Implementation Considerations Resources 2 User Experience 1. Enter username/pwd 2. Insert
More informationPenetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant
Penetration Testing following OWASP Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant За Лирекс Penetration testing A method of compromising the security of a computer system or network by
More informationWeb Security. Thierry Sans
Web Security Thierry Sans 1991 Sir Tim Berners-Lee Web Portals 2014 Customer Resources Managemen Accounting and Billing E-Health E-Learning Collaboration Content Management Social Networks Publishing Web
More informationCertified Secure Web Application Engineer
Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),
More informationCS 142 Winter Session Management. Dan Boneh
CS 142 Winter 2009 Session Management Dan Boneh Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be long (Gmail - two weeks) or short without session mgmt:
More informationEthical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters
Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters - Durkee Consulting, Inc. Background Founder of Durkee Consulting since 1996 Founder of Rochester
More informationSecuring Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software
Securing Your Web Application against security vulnerabilities Alvin Wong, Brand Manager IBM Rational Software Agenda Security Landscape Vulnerability Analysis Automated Vulnerability Analysis IBM Rational
More informationSPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006
SPOOFING Information Security in Systems & Networks Public Development Program Sanjay Goel University at Albany, SUNY Fall 2006 1 Learning Objectives Students should be able to: Determine relevance of
More informationICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder
ICS 351: Today's plan web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder 1 web scripting languages web content described by HTML was originally static, corresponding to files
More informationStrong Authentication for Physical Access using Mobile Devices
Strong Authentication for Physical Access using Mobile Devices DoD Identity Protection and Management Conference May 15-17, 2012 Dr. Sarbari Gupta, CISSP, CISA sarbari@electrosoft-inc.com 703-437-9451
More informationExploiting and Defending: Common Web Application Vulnerabilities
Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,
More information