System Security Introduction. Milano, A.A. 2016/17. Federico Reghenzani

Piattaforme Software per la Rete: System Security Introduction. Milano, A.A. 2016/17

Outline
1) Introduction to System Security
2) Basic Exploits
3) Network Attacks
4) Web Exploits
5) Safe passwords

Introduction to System Security

Why a lesson on internet security?
Nowadays, the security of systems is fundamental at any level, from the small company to government servers.
There is no course on system security in the bachelor degree.
Any programmer and system administrator should be aware of basic attack techniques.
The blame for a security breach can fall on:
- Users: opening email attachments, bad passwords, ...
- Programmers: bugs
- System administrators: wrong configurations

Which is the perfectly secure system?
1) A well-configured, well-programmed computer
2) A computer not connected to the internet
3) A computer turned off
4) A computer disconnected from the power supply

The trusted parts
Do you trust the software you buy?
Do you trust the firewall you are using?
Do you trust the Linux kernel?
Do you trust your compiler?
Do you trust your BIOS?
Do you trust your hardware?

The Risk
Hardening a system may be very costly, in terms of programming hours, user experience, computational capacity, etc.
How much effort should I invest in securing my system? It depends on the risk:
RISK = ASSETS * VULNERABILITIES * THREATS

Basic Exploits

The classic: Buffer Overflow (1/2)
The buffer overflow is a typical exploit that allows an attacker to execute arbitrary code on a (remote) machine. It is basically a bug in the software:

    #include <stdio.h>

    void chiedi_user() {
        char buffer[256];
        /* no length limit: input longer than 255 characters is written past the end of buffer */
        scanf("%s", buffer);
        printf("You have written %s!", buffer);
    }

The classic: Buffer Overflow (2/2)
Stack layout, from higher to lower addresses:
    return address
    other variables
    buffer[252-255]
    ...
    buffer[4-7]
    buffer[0-3]
Input that runs past buffer[255] overwrites the other variables and then the saved return address.

The classic 2: Format String
How to write a correct printf:
    printf("%s", mionome);
How to write a terrible printf:
    printf(mionome);
An attacker can READ and WRITE the stack of your application!
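A hardened version of chiedi_user() covering both the buffer-overflow and the format-string slides above, added here as an example and not code from the original lecture: the bounded read uses fgets() with the buffer size (truncation is detected and the excess discarded) instead of scanf("%s"), and the greeting keeps the format string literal so that %-directives typed by the user are never interpreted. The function names read_name() and greet() are my own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 256   /* same buffer size as the slide's chiedi_user() */

/* Bounded replacement for scanf("%s", buffer): fgets() never writes more than
 * bufsz bytes, so an over-long line cannot reach the saved return address.
 * Returns true if the whole line fitted, false if it was truncated; the rest
 * of an over-long line is drained so the next read stays in sync. */
bool read_name(FILE *in, char *buf, size_t bufsz)
{
    if (bufsz == 0 || fgets(buf, (int)bufsz, in) == NULL) {
        if (bufsz) buf[0] = '\0';
        return false;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';     /* complete line: drop the newline */
        return true;
    }
    int c;                       /* no newline seen: line was longer than the buffer */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                        /* discard the remainder of the over-long line */
    return false;
}

/* Format-string-safe greeting: the format is a literal and the user's text only
 * ever fills a %s, so any directives in it are printed verbatim rather than
 * interpreted. Returns the length snprintf() reports. */
int greet(const char *name, char *out, size_t outsz)
{
    return snprintf(out, outsz, "You have written %s!", name);
}

int main(void)
{
    char name[NAME_LEN], line[NAME_LEN + 32];
    bool complete = read_name(stdin, name, sizeof name);
    greet(name, line, sizeof line);
    puts(line);
    if (!complete)
        fputs("(input was truncated to fit the buffer)\n", stderr);
    return 0;
}
```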

Network Attacks

The * spoofing
Network protocols trust hosts, but a host can fake:
- its IP address
- its MAC address
- ARP messages
- ICMP messages
- DNS resolutions

Man in the Middle

DoS attacks
DoS = Denial of Service: trying to make a server or a network unavailable, typically via a flood of requests that attempts to overload the target system/network (RAM exhaustion, TCP connection exhaustion, thread exhaustion, etc.).

DDoS attacks
DDoS = Distributed Denial of Service: a DoS attack carried out using compromised machines (a botnet).

Web Exploits

SQL Injection
Classic vulnerability of HTTP applications. Example of vulnerable PHP code:

    $sql = "SELECT * FROM users WHERE user='" . $_GET['user'] .
           "' AND password='" . $_GET['password'] . "'";
    mysql_query($sql);

What if $_GET['password'] = ' OR '1' = '1 ?

    SELECT * FROM users WHERE user='...' AND password='' OR '1' = '1'

XSS: Cross-Site Scripting
Injection of client-side code into vulnerable web pages. Currently the most common security vulnerability.
What if we submit valid HTML, perhaps JavaScript code, through the comment form?

Safe Passwords

Password
The easiest attack is to guess the user's password. Most common passwords*:
1) 123456 - 290k occurrences
2) 12345 - 79k occurrences
3) 123456789 - 76k occurrences
4) password - 59k occurrences
5) Iloveyou - 49k occurrences
* http://reusablesec.blogspot.it/2009/12/rockyou-32-million-password-list-top.html

A great password
According to NASA guidelines*:
- It should contain at least 8 characters
- It should contain a mix of 4 types of characters
- It should not be a name or a dictionary word
- It should not be related to you (no name, no birth date, no dog name, etc.)
* https://www.nasa.gov/centers/dryden/pdf/89163main_train_timesheet.pdf
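The rules above turned into a checker, as an added example that is not part of the lecture slides: it enforces the length and four-character-type rules and uses the five RockYou passwords quoted on the previous slide as a stand-in blocklist for the "not a dictionary word" rule; the "not related to you" rule cannot be checked mechanically. The names password_problem() and char_classes() are my own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* The five most common RockYou passwords quoted on the previous slide, used as
 * a minimal blocklist; a real deployment would load a much longer list. */
static const char *const COMMON[] = {
    "123456", "12345", "123456789", "password", "iloveyou"
};

/* Case-insensitive equality, so that "Iloveyou" still matches the list. */
static bool same_ignoring_case(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;            /* both strings must end together */
}

/* How many of the four character types (lower, upper, digit, other) appear. */
int char_classes(const char *pw)
{
    bool lower = false, upper = false, digit = false, other = false;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (islower(c))      lower = true;
        else if (isupper(c)) upper = true;
        else if (isdigit(c)) digit = true;
        else                 other = true;
    }
    return lower + upper + digit + other;
}

/* Returns NULL when the candidate satisfies the slide's rules, otherwise a
 * short reason. The blocklist is checked first so "Iloveyou" is rejected for
 * the right reason even though it is 8 characters long. */
const char *password_problem(const char *pw)
{
    for (size_t i = 0; i < sizeof COMMON / sizeof COMMON[0]; i++)
        if (same_ignoring_case(pw, COMMON[i]))
            return "appears in the most-common-passwords list";
    if (strlen(pw) < 8)
        return "shorter than 8 characters";
    if (char_classes(pw) < 4)
        return "does not mix all 4 character types";
    return NULL;
}
```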

XKCD: Password