Is it good to be paranoid ?


Published on

Introduction to web security
Tech Talk @ Georgia Tech
9 March 2011

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Spamming remains economically viable because advertisers have no operating costs beyond the management of their mailing lists, and it is difficult to hold senders accountable for their mass mailings. Because the barrier to entry is so low, spammers are numerous, and the volume of unsolicited mail has become very high. In the year 2011 the estimated figure for spam messages are around seven trillion. The costs, such as lost productivity and fraud, are borne by the public and by Internet service providers, which have been forced to add extra capacity to cope with the deluge.
  • Not everyone is technical, we as developers understand many concepts of security and try to be cautious But normal users do not understand many of these concepts Keeping the web safe for such kind of users is very important
  • Is it good to be paranoid ?

    1. 1. Is it good to be paranoid ?<br />introduction to web security<br />Tech talk @ Georgia Tech, <br />March 2011<br />
    2. 2. Subramanyan Murali<br />yahoo<br />Mail Engineer <br />Hacker, Photographer, Traveler <br />@rmsguhan<br />
    3. 3. par·a·noi·a<br />nparanoia [pӕrəˈnoiə]<br />a type of mental illness in which a person has fixed & unreasonable ideas that he/she is very important, or that other people are being unfair or un-friendly to him/her<br />3<br />
    4. 4. in Yahoo!, they are just people who care a lot about web security <br />4<br />
    5. 5. Q.What is the problem ? <br />
    6. 6. Spammers want to do cheap advertising & unsolicited marketing<br />
    7. 7. Phisherswant to steal user identity for personal benefit<br />
    8. 8. Crackers want to break into your systems & profit <br />
    9. 9. Jokers just want to watch the world burn <br />
    10. 10. “It’s necessary to build an application that is user friendly, high performing, accessible and secure, all while executing partially in an un-trusted environment that you, the developer, have no control over”<br /><ul><li>Philip Tellis, Yahoo! Paranoid</li></ul> <br />
    11. 11. A tech-savy user maybe aware …<br />
    12. 12. … but to some cookies are still made of dough & chocolate chips <br />
    13. 13. A.Keep it simple for normal users Make it hard for users with evil intentions <br />
    14. 14. Users have a lot of trust on the web & share a lot of information <br />
    15. 15. Every attack is unique & exploits weakness <br />
    16. 16. Types of web attacks<br />Phishing & Spamming <br />Scamming <br />Code Injection<br />Forgery & spoofing <br />
    17. 17. Cross(X)Side Scripting <br />17<br />
    18. 18. XSS<br />Filter all input that you are going to save <br />Be aware of the data you are saving <br />URL should save only urls<br />Numbers should save only numbers <br />Never open up your site based purely on trust<br />
    19. 19. SQL / Shell Injection<br />
    20. 20.<br />
    21. 21. <?php $user = $_GET[‘user’]; $message = $_GET[‘message’];function save_message($user, $message){  $sql = "INSERT INTO Messages (            user, message          ) VALUES (            '$user', '$message’          )";   return mysql_query($sql);}?><br />
    22. 22. test');DROP TABLE Messages;test'), ('user2', 'Cheap medicine at ...'), ('user3', 'Cheap medicine at …<br />
    23. 23. Cross-Site Request Forgery<br />
    24. 24. <imgsrc=“” style="position:absolute;left:-999em;”><br />
    25. 25. <iframename="pharma” style="display:none;"></iframe><form id="pform” action=“”      method="POST”      target="pharma”><input type="hidden" name="message" value="Cheap medicine at ..."></form><script>document.getElementById('pform').submit();</script><br />
    26. 26. Issue a unique token / crumb that only your server would know for that sessionCheck if the posted data has that token<br />
    27. 27. For normal posts, use a time bound token <?phpfunction get_nonce() {  return md5($secret . ":"  . $user . ":"  . ceil(time()/86400));}?>For more sensitive posts, use a token that is stored in user session <br />
    28. 28. Click-jacking<br />
    29. 29. Tab-Jacking<br />
    30. 30. New secure technology does not guarantee a secure application<br />
    31. 31. As developers, we need to cautious<br />
    32. 32. Resources<br /><br /><br /><br /><br /><br /><br /><br />
    33. 33. Be paranoid, be smartThank you ! <br />
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.