Security and Authentication
- Laura Armstrong
- 5 years ago
1 Security and Authentication
CS 370 SE Practicum, Cengiz Günay (Some slides courtesy of Eugene Agichtein and the Internets)
CS 370, Günay (Emory) Security and Authentication Spring / 15

2-4 Agenda
Upcoming milestones:
- Today: 4/17: Testing/surveying ends; fix bugs, improve concept
- 4/22: Hacking ends; submit survey reports (anonymous)
- 4/24: The APPrentice! Final demo to tech transfer and business people. You will be fired!
- 5/5: Final deliverables: installation instructions, user documentation, code documentation, package
Security and authentication
First: Heartbleed caught the internet off guard
6 Entry/Exit Surveys
Exit survey: JavaScript, AJAX, dynamic web frameworks
- Give a specific example usage of AJAX in a popular web service that you use.
- What do you think is the next step for web computing considering the rapid development of client-side technologies?
Entry survey: Security
- What is the Heartbleed vulnerability?
- How come it wasn't discovered until now?
- How can a programmer make such a mistake?
7-12 Security: Heartbleed
Open Source Code: "Given enough eyeballs, all bugs are shallow" - Linus's Law (from The Cathedral and the Bazaar)
Yeah, but OpenSSL fail?
- Programmer submitted buggy code, reviewers didn't catch it either
- The whole world missed it for two years (except the NSA)
- Heartbeat feature was new and not that sensitive
Isn't SSL supposed to be encrypted?
- Yep, it leaked the data securely
13-21 Secure connections: SSL/TLS, HTTPS
How does encryption work? Example: HTTPS: HTTP + SSL/TLS
- Long-term public-private keys to establish trust
- Short-term session keys to encrypt data
How is trust established?
- Certificate authorities hold public keys
- Owners of certificates encrypt data
- But allows man-in-the-middle (MiM) attacks
Why not use Web of Trust?
- Decentralized PGP system
- Problem: Expiration or lost private keys
- New entries untrusted, possible to create many fake entries with strong trust
When to use HTTPS? Before login? During login authentication? During whole session?
But there was a lot of Heartbleed. What now? Not again...
24-30 Cookie Authentication
Authentication steps:
1 Client authenticates
2 Server sends session key
3 Client saves key in cookie and uses it during session
Cookie contents: domain + data + expiration date
Cookies? MiM: Can somebody else act as you if they had your cookie?
- Solutions: Cookie expiration, flushing cookies, disabling cookies.
Cross site logins? How do the like buttons on non-facebook sites work?
- Multiple iframe elements can fetch pages from across domains (i.e. access different cookies)
- Google AdSense: cross-site ads use cookies
- Helps NSA track you
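The three authentication steps and the MiM question on the slide, worked through as an added example (this is not code from the lecture or from any framework). The server issues an unguessable random session key, stores it with an expiration, and sends it in a cookie carrying the domain and expiration the slide lists plus the Secure and HttpOnly attributes; the lookup shows that whoever presents the cookie is treated as the user until the entry expires or is flushed server-side. The 30-minute TTL, the domain app.example and the injectable clock are assumptions made for the demonstration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 30 * 60  # assumed lifetime in seconds; shorter TTL = shorter replay window


class SessionStore:
    """Server-side table: session key -> (user, expires_at).

    The cookie only carries the key; the user identity stays on the server,
    so a client cannot forge a session by editing cookie contents.
    """

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be demonstrated without waiting

    def create(self, user: str) -> str:
        # Step 2: after the client authenticated, mint a 256-bit random key.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, self._clock() + SESSION_TTL)
        return sid

    def lookup(self, sid: str):
        """Step 3 on the server: map a presented cookie back to a user, or None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[sid]  # expired: a copied cookie is now worthless
            return None
        return user

    def flush(self, sid: str) -> None:
        """Logout / 'flushing cookies' done server-side: invalidate immediately."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str, domain: str) -> str:
    """Build the Set-Cookie value: domain + data + expiration, as on the slide.

    Secure  -> browser sends it over HTTPS only (so the whole session must be HTTPS)
    HttpOnly -> page scripts cannot read it, limiting theft via injected JavaScript
    SameSite=Lax -> not attached to most cross-site requests (the iframe/like-button case)
    """
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["domain"] = domain
    c["session"]["path"] = "/"
    c["session"]["max-age"] = SESSION_TTL
    c["session"]["secure"] = True
    c["session"]["httponly"] = True
    c["session"]["samesite"] = "Lax"
    return c.output(header="").strip()


def replay_window_demo() -> dict:
    """Show the MiM scenario with a fake clock: the stolen key works until expiry."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.create("alice")
    stolen_copy = sid  # an attacker who obtained the cookie holds the same string
    result = {"fresh": store.lookup(stolen_copy)}
    now[0] += SESSION_TTL - 1
    result["just_before_expiry"] = store.lookup(stolen_copy)
    now[0] += 1
    result["after_expiry"] = store.lookup(stolen_copy)
    return result


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(set_cookie_header(sid, "app.example"))
    print(replay_window_demo())
```

The demo makes the slide's answer concrete: yes, anyone holding the cookie is you until it expires, which is why the session key must be random and short-lived, must travel only over HTTPS, and must be revocable on the server rather than only deleted in the browser.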
31-33 Hacking: Tracking
Track people via e-mails?
- Header codes (look at your Gmail headers!)
- Visible/invisible images (how??)
Anonymous e-mails? demo phishing (only for the gullible)
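The "invisible images" question answered from the defender's side, as an added example (not from the lecture): a mail client or gateway can scan the HTML body for remote images that look like open-tracking beacons, i.e. images fetched from a server with a 1x1 size, hidden by CSS, or carrying a per-recipient token in the URL. Inline cid: or data: images cannot report back and are ignored. The sample message and the track.example.test host are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

HIDDEN_STYLES = ("display:none", "visibility:hidden")
TOKEN_MIN_LEN = 16  # assumed threshold for "looks like a unique recipient id"


def _tiny(value) -> bool:
    """True when a width/height attribute is 0 or 1 (the classic tracking pixel)."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return v in ("0", "1")


class TrackingImageFinder(HTMLParser):
    """Collects (src, reasons) for <img> tags that look like open-tracking beacons."""

    def __init__(self):
        super().__init__()
        self.suspects = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if not src.lower().startswith(("http://", "https://")):
            return  # embedded images (cid:, data:) cannot signal "opened" to anyone
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 or 0x0 size")
        style = (a.get("style") or "").replace(" ", "").lower()
        if any(s in style for s in HIDDEN_STYLES):
            reasons.append("hidden by CSS")
        query = parse_qs(urlparse(src).query)
        if any(len(v) >= TOKEN_MIN_LEN for values in query.values() for v in values):
            reasons.append("long unique token in URL query")
        if reasons:
            self.suspects.append((src, reasons))


def find_tracking_images(html: str) -> list:
    """Return every suspect image with the reasons it was flagged."""
    finder = TrackingImageFinder()
    finder.feed(html)
    finder.close()
    return finder.suspects


def should_block_remote_images(html: str) -> bool:
    """Policy hook: load remote images only when nothing looks like a beacon."""
    return bool(find_tracking_images(html))


# Constructed sample message, not a real e-mail.
SAMPLE_EMAIL = """<html><body>
<img src="cid:logo@example" width="200" height="50" alt="logo">
<p>Your order has shipped.</p>
<img src="https://track.example.test/open?uid=a8f3c2d9e1b7460fa3d2" width="1" height="1" style="display: none">
<img src="https://cdn.example.test/banner.png" width="600" height="120">
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_tracking_images(SAMPLE_EMAIL):
        print(src, "->", ", ".join(reasons))
    print("block remote images:", should_block_remote_images(SAMPLE_EMAIL))
```

The heuristics are deliberately independent: a beacon that is visible and full-size is still caught by the per-recipient token, and one without a token is still caught by its size or hidden style. The simplest defence remains the one the scan supports: do not load remote images by default.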
34-41 More on authentication
Two-step authentication?
- Banks and other high-security places use it
- Involves a 2nd device: phone calls, texting, password generator device
What's Google Authenticator?
- Generates a unique password each time
- That can verify your authenticity (through public-private keys)
What're the best practices in authentication?
- Use PHP to transmit and store cleartext passwords? Err, no.
- Standards: OAuth
  - Facebook, Google, Microsoft APIs require it
  - At version 2.0
- Complementary to OpenID
  - Passwordless logins via installing certificates in browser, smart cards, biometrics, etc.
  - Private key on the client side; personal URI holds public key
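Two of the slide's points worked through in one added example (not code from the lecture): storing passwords as salted PBKDF2 hashes instead of cleartext, and a second step of the kind a password generator device or Google Authenticator provides. One caveat on the slide's wording: the scheme Google Authenticator implements is TOTP (RFC 6238, built on HOTP from RFC 4226), where the one-time code is an HMAC over a secret shared between the phone and the server, not a public-private key pair; this example follows the RFCs and checks against their published test vectors. The user table, the iteration count and the ±1-step tolerance window are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def hash_password(password: str, salt: bytes = None) -> str:
    """Store a salted, iterated hash, never the cleartext password."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter = number of 30-second steps since the epoch."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


def verify_totp(secret: bytes, code: str, at: float = None, step: int = 30, window: int = 1) -> bool:
    """Accept the current code and its neighbours to tolerate clock drift."""
    now = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(secret, now + k * step, step), code)
        for k in range(-window, window + 1)
    )


def login(users: dict, username: str, password: str, code: str, at: float = None) -> bool:
    """Two-step check: something you know (password) and something you have (device code)."""
    record = users.get(username)
    if record is None:
        return False
    if not verify_password(record["password_hash"], password):
        return False
    return verify_totp(record["totp_secret"], code, at)


# RFC 4226/6238 test secret (ASCII "12345678901234567890"); a real deployment
# generates a random per-user secret and shows it to the device as a QR code.
RFC_TEST_SECRET = b"12345678901234567890"

# Constructed user table: the hash column is what the database holds.
USERS = {
    "alice": {
        "password_hash": hash_password("correct horse battery staple"),
        "totp_secret": RFC_TEST_SECRET,
    }
}

if __name__ == "__main__":
    print("stored:", USERS["alice"]["password_hash"][:40], "...")
    print("code now:", totp(RFC_TEST_SECRET))
    print("login ok:", login(USERS, "alice", "correct horse battery staple", totp(RFC_TEST_SECRET)))
```

The password step costs roughly a few hundred milliseconds per attempt by design, which is what makes an offline guess against a leaked table expensive; the second step fails for anyone who only captured the password, because the code changes every 30 seconds and derives from a secret that never leaves the device and the server.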
44-47 Heartbleed packet walkthrough (image slides; only the captions survived extraction): Structure looks fine, even has padding! First read type & length: Looks right so far: Response from Yahoo!:
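The packet walkthrough on these slides reads the type and length fields and finds them "looking right"; the bug was that the length the peer declared was trusted without comparing it to the bytes actually received. The following added example (not from the lecture and not OpenSSL's code) parses the heartbeat message layout from RFC 6520 (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) and applies the bounds check the RFC requires: a message whose declared length does not fit inside the record is discarded instead of answered. The sample records are constructed; nothing here is captured traffic.

```python
import struct

# RFC 6520 heartbeat message: type (1 byte), payload_length (2 bytes),
# payload, then padding of at least 16 bytes.
HB_REQUEST = 1
HB_RESPONSE = 2
HEADER_LEN = 3
MIN_PADDING = 16


def parse_heartbeat(record: bytes) -> tuple:
    """Return (type, payload) or raise ValueError for a malformed message.

    The final check is the one the vulnerable code lacked: the peer's declared
    payload_length (plus the mandatory padding) must fit inside the bytes
    that actually arrived, otherwise the reply would copy memory past the
    received message.
    """
    if len(record) < HEADER_LEN:
        raise ValueError("record too short for type + length header")
    hb_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        raise ValueError(f"unknown heartbeat type {hb_type}")
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        raise ValueError(
            f"declared payload_length {payload_length} exceeds record of {len(record)} bytes"
        )
    return hb_type, record[HEADER_LEN:HEADER_LEN + payload_length]


def is_valid_heartbeat(record: bytes) -> bool:
    """Boolean form of the check, for filters and tests."""
    try:
        parse_heartbeat(record)
        return True
    except ValueError:
        return False


def declared_vs_actual(record: bytes) -> tuple:
    """(bytes the header claims, payload bytes really present) for a record."""
    _, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    available = max(0, len(record) - HEADER_LEN - MIN_PADDING)
    return payload_length, available


def build_response(request: bytes) -> bytes:
    """Echo only the validated payload, with fresh zero padding."""
    hb_type, payload = parse_heartbeat(request)
    if hb_type != HB_REQUEST:
        raise ValueError("can only respond to a heartbeat request")
    return struct.pack("!BH", HB_RESPONSE, len(payload)) + payload + b"\x00" * MIN_PADDING


# Constructed sample records.
GOOD_REQUEST = struct.pack("!BH", HB_REQUEST, 4) + b"ping" + b"\x00" * MIN_PADDING
# Same 4-byte payload, but the header claims the maximum 65535 bytes.
BAD_REQUEST = struct.pack("!BH", HB_REQUEST, 0xFFFF) + b"ping" + b"\x00" * MIN_PADDING

if __name__ == "__main__":
    print("good:", parse_heartbeat(GOOD_REQUEST))
    print("bad claims/has:", declared_vs_actual(BAD_REQUEST))
    print("bad accepted:", is_valid_heartbeat(BAD_REQUEST))
```

The lesson carries beyond this one protocol: any length, count or offset that arrives from the network is untrusted input, and the check belongs next to the read, before anything is copied or allocated on the strength of it.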
48 Upcoming episodes
- Documentation, coding style, sustainability, design patterns
- Scrum now!
ENSURING SECURITY WITH OPEN APIs Scott Biesterveld, Lead Solution Architect Senthil Senthil, Development Manager IBS Open APIs The security features that banks must build into their financial solutions
More informationMTAT Research Seminar in Cryptography The Security of Mozilla Firefox s Extensions
MTAT.07.019 Research Seminar in Cryptography The Security of Mozilla Firefox s Extensions Kristjan Krips 1 Introduction Mozilla Firefox has 24.05% of the recorded usage share of web browsers as of October
More informationLecture Overview. IN5290 Ethical Hacking
Lecture Overview IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi How to use Burp
More informationLecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks
IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi Lecture Overview How to use Burp
More informationComputer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
More informationAN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE
AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE Nicholas Carlini, Adrienne Porter Felt, David Wagner University of California, Berkeley CHROME EXTENSIONS CHROME EXTENSIONS servers servers
More informationSecurity Specification
Security Specification Security Specification Table of contents 1. Overview 2. Zero-knowledge cryptosystem a. The master password b. Secure user authentication c. Host-proof hosting d. Two-factor authentication
More informationSecurity and Anonymity
Security and Anonymity Distributed Systems need a network to send messages. Any message you send in a network can be looked at by any router or machine it goes through. Further if your machine is on the
More informationCSCD 303 Essential Computer Security Fall 2017
CSCD 303 Essential Computer Security Fall 2017 Lecture 18a XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate the security of the
More informationPalo Alto Networks PAN-OS
RSA Security Analytics Ready Implementation Guide Partner Information Last Modified: November 24 th, 2014 Product Information Partner Name Palo Alto Networks Web Site www.paloaltonetworks.com Product Name
More informationHow to Render SSL Useless. Render SSL Useless. By Ivan Ristic 1 / 27
How to Render SSL Useless By Ivan Ristic 1 / 27 Who is Ivan Ristic? 1) ModSecurity (open source web application firewall), 2) Apache 2 / 33 Security (O Reilly, 2005), 3) SSL Labs (research and assessment
More informationSECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA
SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA CTO Office www.digi.me another Engineering Briefing digi.me keeping your data secure at all times ALL YOUR DATA IN ONE PLACE TO SHARE WITH PEOPLE WHO
More informationBEYOND TRADITIONAL PASSWORD AUTHENTICATION: PKI & BLOCKCHAIN
SESSION ID: GPS-R09B BEYOND TRADITIONAL PASSWORD AUTHENTICATION: PKI & BLOCKCHAIN Sid Desai Head of Business Development Remme.io @skd_desai Agenda Our relationship to our digital-selves Evolution of Authentication
More informationEvaluating the Security Risks of Static vs. Dynamic Websites
Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline
More informationASP.NET State Management Techniques
ASP.NET State Management Techniques This article is for complete beginners who are new to ASP.NET and want to get some good knowledge about ASP.NET State Management. What is the need of State Management?
More informationMan-In-The-Browser Attacks. Daniel Tomescu
Man-In-The-Browser Attacks Daniel Tomescu 1 About me Work and education: Pentester @ KPMG Romania Moderator @ Romanian Security Team MSc. Eng. @ University Politehnica of Bucharest OSCP, CREST CRT Interests:
More informationTesting login process security of websites. Benjamin Krumnow
Testing login process security of websites Benjamin Krumnow Benjamin Krumnow 2 Initial Project: Shepherd Marc Sleegers, B.Sc., master student at the Open University Bachelor Thesis, March 2017 [1] Counting
More information1000 Ways to Die in Mobile OAuth. Eric Chen, Yutong Pei, Yuan Tian, Shuo Chen,Robert Kotcher and Patrick Tague
1000 Ways to Die in Mobile OAuth Eric Chen, Yutong Pei, Yuan Tian, Shuo Chen,Robert Kotcher and Patrick Tague What is this work about? In 2014, Studied OAuth usage in 200 Android/iOS OAuth applications.
More informationLecture 41 Blockchain in Government III (Digital Identity)
Blockchains Architecture, Design and Use Cases Prof. Sandip Chakraborty Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture 41 Blockchain in Government III
More informationInformation Security CS 526 Topic 11
Information Security CS 526 Topic 11 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationSecurity: Focus of Control. Authentication
Security: Focus of Control Three approaches for protection against security threats a) Protection against invalid operations b) Protection against unauthorized invocations c) Protection against unauthorized
More informationHandout 20 - Quiz 2 Solutions
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.033 Computer Systems Engineering: Spring 2001 Handout 20 - Quiz 2 Solutions 20 Average: 81 Median: 83 Std.
More informationWeb insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.
Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language
More informationWHITE PAPER. Authentication and Encryption Design
WHITE PAPER Authentication and Encryption Design Table of Contents Introduction Applications and Services Account Creation Two-step Verification Authentication Passphrase Management Email Message Encryption
More informationWeb Security, Summer Term 2012
IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 7 Broken Authentication and Session
More informationWeb Security, Summer Term 2012
Table of Contents IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Introduction Examples of Attacks Brute Force Session
More informationSecurity Course. WebGoat Lab sessions
Security Course WebGoat Lab sessions WebGoat Lab sessions overview Initial Setup Tamper Data Web Goat Lab Session 4 Access Control, session information stealing Lab Session 2 HTTP Basics Sniffing Parameter
More informationKerberos and Single Sign On with HTTP
Kerberos and Single Sign On with HTTP Joe Orton Red Hat Overview Introduction The Problem Current Solutions Future Solutions Conclusion Introduction WebDAV: common complaint of poor support for authentication
More informationDO NOT OPEN UNTIL INSTRUCTED
CS 378 - Network Security and Privacy Spring 2017 FINAL May 3, 2017 DO NOT OPEN UNTIL INSTRUCTED YOUR NAME: Collaboration policy No collaboration is permitted on this exam. Any cheating (e.g., submitting
More informationComputer Security 3e. Dieter Gollmann. Chapter 18: 1
Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter
More informationReminders. Emory Horror Code:
Reminders Emory Horror Code: Request permission and document any code you did not write We won't hesitate to report you: will cause a dent in your life Reminders Emory Horror Code: Request permission and
More informationToday s Lecture. Secure Communication. A Simple Protocol. Remote Authentication. A Simple Protocol. Rules. I m Alice. I m Alice
Today s Lecture Secure Communication Tom Chothia Computer Security, Lecture 8 Protocols in and ob notation Some Key Establishment Protocol Secure Sockets Layer (SSL) / Transport Later Security (TLS) Certificates
More informationDreamFactory Security Guide
DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit
More information