2. About Speaker
Speaker @ JavaOne, NFJS, Devcon, Borcon
Sun Certified Java 2 Architect.
Instructor for VisiBroker for Java, OOAD, Rational Rose,
and Java Development.
JBoss Certified Developer
Professor - Sipe
Wednesday, February 4, 2009
3. Agenda
Security Landscape
Hacking Philosophy
– The Sorting Hat
Information Gathering
– Information leak
– Finding the exploits
Security Threats
– Brute Force
– XSS
– SQL Injection
Dos and Don’ts
Summary
4. Security Statistics
Gartner
– 75% of all attacks are directed at the web application layer
– 2/3 of all web applications are vulnerable
– 80% of organizations will experience an application security incident by 2010
IBM
– 10% of IT dollars are spent on web application security
Mitre
– XSS and SQL Injection are #1 and #2 reported vulnerabilities
5. Alarming Truth
“Approximately 100 million Americans have been informed that they have suffered a security breach so this problem has reached epidemic proportions.”
– Jon Oltsik – Enterprise Strategy Group
“Up to 21,000 loan clients may have had data exposed”
– Marcella Bombardieri, Globe Staff/August 24, 2006
“Personal information stolen from 2.2 million active-duty members of the military, the government said…”
– New York Times/June 7, 2006
“Hacker may have stolen personal identifiable information for 26,000 employees…”
– ComputerWorld, June 22, 2006
11. Black Hat Approach
Information Gathering
– Sometimes targeted on a “client”
– Sometimes targeting a vulnerability
Scanning
– Network mapping
– Ports
Gaining Access
Elevate Privileges
Cover Tracks
14. Black Hat Principles
Inside Out Access
Most People
– Like free stuff!
– Are curious
– Are not security savvy
– Choose usability over security
– Choose performance over security
Expense
– Too costly to secure everything
15. Hacker
John Draper – “Captain Crunch”
– Toy whistle provides free long distance calling
25. Cross Site Scripting (XSS)
Malicious script echoed back in browser
Consequence:
– Internet Worm
• MySpace
• Meebo
– Session Tokens stolen
– Future surfing compromised
26. XSS Testing
Submit a simple <script>alert(document.cookie)</script> to a web page
If alert pops, life is good!
– Or bad
• Just depends on if you’re a white hat or black hat
27. XSS Details
Common
– Search
– Error Pages
– Returned Forms
Aiding Technologies
– AJAX
– Flash
– IFrame
28. XSS – The Exploit
1. Link to account sent in email
2. Embedded script sent to target
3. Script executed in the client browser
4. Script provides cookie and session data
5. Hacker uses the credentials
35. SQL Injection: Answers from Errors
' having 1=1 --
' group by login.primarykey having 1=1 --
' union select min(username),1,1,1,1 from login where username > 'a'--
36. SQL Injection: Want a Password?
' union select min(password),1,1,1,1 from login where username = 'ab***ilr'--
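Why the probe on this slide works, and why a bound parameter stops it: the following is an added example, not code from the talk. It builds a constructed five-column login table in an in-memory SQLite database (the table layout, sample rows and helper names are assumptions) and runs the union probe once through string concatenation and once through a placeholder.

```python
import sqlite3

# Constructed sample rows; the table shape mirrors the slide's 5-column select.
SEED_ROWS = [
    (1, "alice", "hash$a1b2c3", "alice@example.com", "admin"),
    (2, "bob", "hash$d4e5f6", "bob@example.com", "user"),
]

# The probe from the slide, pointed at the constructed row for 'alice'.
PAYLOAD = "' union select min(password),1,1,1,1 from login where username = 'alice'--"


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login (id INTEGER, username TEXT, password TEXT, "
        "email TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO login VALUES (?, ?, ?, ?, ?)", SEED_ROWS)
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the user's text becomes part of the SQL grammar,
    so a quote, a UNION and a trailing comment reshape the whole statement."""
    sql = (
        "SELECT id, username, password, email, role FROM login "
        "WHERE username = '" + username + "'"
    )
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the driver binds the value, so it is only ever
    compared as a string and never parsed as SQL."""
    sql = "SELECT id, username, password, email, role FROM login WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> tuple:
    """Returns (rows from the unsafe query, rows from the safe query)."""
    conn = make_db()
    return find_user_unsafe(conn, PAYLOAD), find_user_safe(conn, PAYLOAD)


if __name__ == "__main__":
    unsafe_rows, safe_rows = demo()
    print("concatenated query returned:", unsafe_rows)  # alice's password hash
    print("parameterized query returned:", safe_rows)  # []
```

The same contrast holds for the Java audience of the talk: a PreparedStatement with `?` placeholders corresponds to find_user_safe, while Statement plus string concatenation corresponds to find_user_unsafe.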
42. Dos & Don’ts
Don’t
– Use Magic URLs and hidden fields for private data
– Use Security by ignorance
– Rely on secrecy of the scheme
– Reveal Passwords to User
– Use Cookies for private data
– Trust the client for anything
• Cookie expiration
Do
– Tighten Security
– Use Security Appliances
• Watchfire
– Rely on secrecy of a set of keys
– Tighten Passwords
– Develop a policy
– Enforce time limits on authenticators
– Security Reviews
43. Hacker
Adrian Lamo – “Homeless Hacker”
– Hacked
• NY Times
• MSFT
• NBC
44. Resources
Must watch program
– http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar
Vulnerability and exploit info
– www.cert.org
– http://www.owasp.org/index.php/Top_10_2007
– http://seclists.org/
Tools
– http://www.elhacker.net/hacking-programas-hack.htm
– http://www.tahribat.com/doc.asp?docid=87
Security Policy
– http://www.sans.org/resources/policies/
46. Summary
It’s a Scary World!
White Hats are always on the defense
Obtain skills in Defense against the Dark Arts
And Good Luck!
47. Questions
Please Fill Out Surveys
kensipe@gmail.com
twitter: kensipe
blog: kensipe.blogspot.com