Bcs april 2013

  1. (Web) Security – All in the mind(?)
     BCS Talk, April 2013
  2. Who, me?
     • Clinton Ingrams
     • CSC
       – Cyber Security Centre, DMU
       – Teaching CS since 1986
       – Love PHP
     (slide footer: 23/04/13 BCS - April 2013)
  3. Agenda
     • The problems
     • What, if anything, can be done?
  4. Famous Hacks
     • LinkedIn
     • eHarmony
  5. Problem 1 – the Wetware
     • Gullible people
       – Don't understand/care about security
     • Social Engineering
       http://www.madsecurity.com/portfolio/social-engineering/
  6. Problem 2 – crappy Web Apps
     • Web application issues
       – OWASP top 10
     • Errors in business logic
       – eBay
       – TV news service
       – bitcoins
  7. Easy to build
     • Web sites are easy to build
     • Web applications are also easy
       – PHP – very easy to learn
     • (could make it harder)
  8. Easy to deploy
     • WAMP or XAMPP make the AMP stack easy to install & configure
     • Wordpress, Drupal & Joomla make it easy...
       – but reliant on the developers
  9. Common hacks
     • SQLi, XSS, Command Line Injection
       – SEO attacks
     • Clickjacking, CSRFing, Cross-site History Manipulation
     • Hacks are “easy” with automated toolkits
       – Backtrack & Samurai
       – Metasploit
       – SQLMap
  10. Problem 3 – Smart ...
     • Buildings
     • Towns & Cities
  11. Problem 3 – Smart ...
     • Medical
       – Pacemakers
       – Diagnostic equipment
       – Data set manipulation
  12. Problem 3 – Smart ...
     • Utilities
       – SCADA problems
         • Supervisory Control and Data Acquisition
         • Industrial Control Systems
       – Stuxnet
  13. Problem 3 – Smart ...
     • Transport
       – Traffic Control systems
       – Hugo Teso
         • Hacked aircraft systems with an Android app
  14. Solutions
  15. Who can help?
     • Government
     • Organisations
       – Voluntary
       – Business
       – News
     • Education
  16. Government
     • Cyber Security Fusion Cell
     • The “Dads Army” of cyber security specialists
  17. Vulnerability Assessments
     • 4 layers
       – Scans
       – Automated toolkits
       – Penetration tests
       – Physical probing
     • See Tiger Team videos
  18. Education (education, education)
     • Teaching:
       – MSc/BSc in Computer Security & Forensic Computing
     • Training
       – Collaborate with commercial trainers
     • Research
  19. Teaching Web App development
     • Architecture
     • OOP
     • Frameworks & CMS
  20. Teaching - security
     • Web App Architecture
     • Monitoring
       – Iptables
       – Snort
     • Penetration testing
       – Toolkits
       – Deliberately vulnerable web apps
         • DVWA
         • Mutillidae
         • WebGoat
  21. Research
     • Vehicle Forensics
       – Cyber MOT
     • Collaborations with legal experts, cyber psychologists, historians & linguists
     • Read more at:
       http://www.dmu.ac.uk/research/research-faculties-and-institutes/technology/cyber-security-centre/research.aspx
  22. TSI
     • Trustworthy Software Initiative
       “A public-private partnership for enhancing the overall software and systems culture, with the objective that all software should become designed, implemented and maintained in a trustworthy manner.”
  23. Risks
     • Trust disappears as the web becomes a more dangerous place for business, education and entertainment
  24. Reading
     • http://www.theiet.org/
     • http://www.theregister.co.uk/
     • https://www.owasp.org/
     • http://www.webappsec.org/
     • http://samurai.inguardians.com/
     • http://plaintextoffenders.com/
     • http://www.trutv.com/video/tiger-team/tiger-team-101-1-of-4.html