Security threats - Data Encryption Storage

Published in: Technology
Speaker notes
  • Notes for slide 4: Sensitive data: passwords, personal information, credit card numbers, health records... This threat is usually combined with other types of attack (meaning that the database first needs to be accessed). Try 5f4dcc3b5aa765d61d8327deb882cf99 in http://hashcrack.com/index.php. One of these "long lists" can be the dictionary...
  • Notes for slide 5: Both users and companies might suffer. A user does not want, for instance, his/her credit card number stolen (this is a privacy violation, and might lead to identity theft). In the same way, a company does not want its confidential information stolen, or data from its clients (because of legal issues). Legal issues: privacy, identity theft, fraud, data can be sold to competitors... iTunes case: credit card info stolen + iTunes accounts stolen: http://www.bbc.co.uk/news/technology-12127603, http://mashable.com/2010/07/04/itunes-accounts-hacked/
  • Notes for slide 6: These are algorithms for storing data, not for communications. MD: Message-Digest Algorithm. SHA: Secure Hash Algorithm. Protect the key (do not store it together with the algorithm). Remember that data encryption cannot assure:
    - the integrity of the data (is the information correct and accurate?)
    - the authenticity of the data
    http://listverse.com/2007/10/01/top-10-uncracked-codes/
Slide 1: Security threats
Insecure Cryptographic Storage
Master's Studio in SDE
Assignment #4
Eva Rio
30.09.2011

Slide 2: Cryptography
Crypto (hidden) + graphie (symbol): the art of writing or solving codes
Pictures: Wikipedia
  • #1: public domain
  • #2: © Hans Hillewaert
God
Soul
Red
...

Slide 3: Encryption
Transform information (using an algorithm) to make it unreadable without a key
Easy example:
KEY

Slide 4: Insecure Cryptographic Storage
This threat ranks #7 in the OWASP Top 10 Application Security Risks 2010
Applies to sensitive data stored in a database:
  • Developers do not encrypt the data
  • Developers encrypt the data using weak encryption methods (e.g. home-grown algorithms, SHA-1, MD5)
  • It is usually combined with other types of attacks
Attackers can decipher the information if:
  • They have the key
  • Trial and error: attackers have the hash values and check them against long lists of possible passwords for validity (e.g. http://hashcrack.com/index.php, rainbow tables)

Slide 5: Implications for businesses
Both users and companies may suffer
Data is one of the most valuable assets for a company
Main implications:
  • Legal issues: companies are accountable for the data they store and for the use (and misuse) of that data
    - Privacy violation
    - Identity theft
    - Fraud
    - Example: iTunes accounts in July 2010 and January 2011
      "I will never use my debit card with Itunes again" (tofublock)
  • Reputation: the image of the company can be seriously damaged
  • Confidential information: secrets, patents, research... can be stolen

Slide 6: Recommendations
Encrypt the data if it is sensitive!
Do not use:
  • your own algorithms
  • weak algorithms that have been proved to be vulnerable (MD5, SHA-1)
Use:
  • strong algorithms: SHA-2, SHA-3 (2012)
  • salt (generated random bits + info, e.g. f23r5jfaf+password)
  • random keys
  • asymmetric keys (one for ciphering, one for deciphering)
Restrain who has access to the data
Protect the key

Slide 7: Mindmap

Slide 8: Mindmap2

Slide 9: References
  • "Insecure Cryptographic Storage", OWASP, 2010
  • B. Hardin, "Insecure Cryptographic Storage", Miscellaneous Security [online], http://misc-security.com/blog/2009/09/insecure-cryptographic-storage/
  • "Cryptography", Wikipedia
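As an added example (not part of the deck), here is the unsalted MD5 password storage that slide 4 warns against beside the salted SHA-2 storage slide 6 recommends, in Python. The candidate list is constructed; iterating the hash with PBKDF2 and the `pbkdf2_sha256$...` record layout are assumptions that go beyond the slide.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed candidate list: the "long list of possible passwords" from slide 4,
# hashed once with MD5. Against unsalted records one such table works forever.
CANDIDATES = ["password", "123456", "letmein"]
PRECOMPUTED_MD5: Dict[str, str] = {
    hashlib.md5(p.encode()).hexdigest(): p for p in CANDIDATES
}


def weak_store(password: str) -> str:
    """Insecure pattern from slide 4: a single unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_precomputed(stored_digest: str) -> Optional[str]:
    """Defender's check: does a stored value fall straight out of a precomputed list?"""
    return PRECOMPUTED_MD5.get(stored_digest)


def strong_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    """Slide 6 pattern: random salt + SHA-2. Iterating via PBKDF2 is an addition
    beyond the slide (assumed here); pick the count from current guidance."""
    if salt is None:
        salt = os.urandom(16)          # per-record random bits, stored with the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record: algorithm, cost, salt, digest (hex, '$'-separated).
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    _algo, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    weak = weak_store("password")
    print(weak, "->", lookup_precomputed(weak))              # found instantly
    rec_a, rec_b = strong_store("password"), strong_store("password")
    print(rec_a != rec_b, verify_strong("password", rec_a))  # True True
```

Two users with the same password get identical records under `weak_store` (one lookup breaks both) but different records under `strong_store`, so a precomputed list buys nothing.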