SlideShare a Scribd company logo
1 of 82
Download to read offline
The Life of Breached Data &
The Dark Side of Security.
Jarrod Overson
@jsoverson
QCon SF 2016
It's more than just massive breaches
from large companies, too.
It's small continuous, streams of exploitable data
2.2 Billion

Leaked credentials in 2016 alone
Every breach adds a piece of you to a criminal's database.
Passwords, emails, names, security questions & answers, addresses, and more
Traditional security is like flossing.
We know we're supposed to care,
but is it really that important?
OWASP Top 10
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Known Vulnerable Components
A10 – Unvalidated Redirects and Forwards
OWASP Automated Threats
OAT-020 Account Aggregation OAT-006 Expediting
OAT-019 Account Creation OAT-004 Fingerprinting
OAT-003 Ad Fraud OAT-018 Footprinting
OAT-009 CAPTCHA Bypass OAT-005 Scalping
OAT-010 Card Cracking OAT-011 Scraping
OAT-001 Carding OAT-016 Skewing
OAT-012 Cashing Out OAT-013 Sniping
OAT-007 Credential Cracking OAT-017 Spamming
OAT-008 Credential Stuffing OAT-002 Token Cracking
OAT-015 Denial of Service OAT-014 Vulnerability Scanning
These attacks aren't cost effective unless automated
BY EVIL
ROBOTS
Our user-friendly APIs enable our attackers
Not just these APIs
The APIs we expose unintentionally.
The APIs we expose unintentionally.
The APIs we expose unintentionally.
When you read about breaches, what do you do?
Even if you have the most secure site in the world,
you don't usually protect against legitimate user logins.
If your users were robots,
could you tell?
What percentage of traffic is from bots?
95%
( Current record for automation against a login page, via Shape Security )
What percentage of traffic is from bots?
Why?
Do you… For example
Store a type of currency? actual money, point values, gift cards
Sell goods? physical, digital, services
Have unique PII? health care, social networks
Have user generated content? forums, social networks, blogs, comments
Have time sensitive features? tickets, flash sales, reservations
Pay for digitally validated behavior? ad clicks, reviews, "uber for X"
If you have value, there is value in exploiting you.
Targeted Fraud can take many forms.
But we have captchas!
But captchas don't work.
Estimated 200 million+ hours spent
every year deciphering squiggly letters.
Luis Von Ahn, creator of captcha
*
*
Services have been made making captcha bypass even easier.
Services have been made making captcha bypass even easier.
Ever wonder where these ads go?
There's big money in "Work from Home Data Entry" jobs
So we seek alternatives.
Some rely on simple behavior analysis
Some rely on kittens
Some rely on a love for death metal
Some are very high profile
How?
They use a lot of the same tools we already use.
Once you detect an attacker, they are easy to block.
Right?
One attacker from one machine
can be blocked by IP.
Many attackers sound dangerous but
aren't as common as they are made out to be.
One attacker using proxies to
look like thousands of users across the globe
is difficult to detect and block.
Spikes of traffic across many IPs are normal, except when they aren't
The devices themselves leave fingerprints
And tools are made to leave no fingerprints
Lots of tools.
We can't patch our way through this.
How would you react if you went from …
Legitimate traffic
To this
Automation detected and blocked
Legitimate traffic
Automation detected and blocked
Legitimate traffic
To this
Automation detected and blocked
Legitimate traffic
To this
To get an idea, search for :
• <your company, service, or CMS> fullz
• <your company, service, or CMS> sentrymba
• <your company, service, or CMS> carding
• <your company, service, or CMS> <tool> tutorial
Not sure if you have a problem?
How do you protect you?
Make every password unique. Really.
• LastPass
• 1Password
• Any locally encrypted db
Use a password manager.
Use a password manager.
LastPass, 1Password, any locally encrypted database.
Use a base password + a site specific string.
For example: "hyatt small blue cup"
Use a password algorithm
Turn on Multi-Factor Authentication.
How do you protect your users?
First, throw away the myth that the primary risk to
passwords is how crackable they are.
The biggest risk to you and your users is reused
passwords.
Don't add unnecessary password rules
8 char minimum, >64 char maximum, allow ANY character (including spaces)
Do prevent users from using common passwords
• 123456
• password
• 12345678
• qwerty
• 12345
• 123456789
• football
• 1234
• 1234567
• baseball
• welcome
• 1234567890
• abc123
• 111111
• 1qaz2wsx
• dragon
• master
• monkey
• letmein
• login
• princess
• qwertyuiop
• solo
• passw0rd
Maintain and use a banned password list
Don't expire passwords unless necessary
Expire when accounts are compromised or a user's credentials are leaked.
Offer Multi-Factor Authentication.
There any many options and services that make this easy and tolerable.
How do you protect your business?
Use single flows for important transactions.
Reduce the attack surface area as much as possible.
Login widget
Old login flow
Regular Login
Login at CC entry
2.x login
Login on
shopping cart
VS
Login
Ask and be ready for tough questions
You may need to re-evaluate costs & value with new parameters.
Get help. You're not alone.
Reduce the attack surface area as much as possible.
- Helen Keller
The Life of Breached Data &
The Dark Side of Security.
Jarrod Overson
@jsoverson
QCon SF 2016

More Related Content

What's hot

10 ways to protect your e commerce site from hacking & fraud
10 ways to protect your e commerce site from hacking & fraud10 ways to protect your e commerce site from hacking & fraud
10 ways to protect your e commerce site from hacking & fraudWebSitePulse
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
XSS (Cross Site Scripting)
XSS (Cross Site Scripting)XSS (Cross Site Scripting)
XSS (Cross Site Scripting)Shubham Gupta
 
Web Browsers and Tracking Protections
Web Browsers and Tracking ProtectionsWeb Browsers and Tracking Protections
Web Browsers and Tracking ProtectionsSimo Ahava
 
Why use private proxy presentation
Why use private proxy   presentationWhy use private proxy   presentation
Why use private proxy presentationFaeriMoon2
 
Managing Your Risks – The Problem of Passwords
Managing Your Risks – The Problem of PasswordsManaging Your Risks – The Problem of Passwords
Managing Your Risks – The Problem of PasswordsPECB
 
Testing iOS apps without jailbreak in 2018
Testing iOS apps without jailbreak in 2018Testing iOS apps without jailbreak in 2018
Testing iOS apps without jailbreak in 2018SecuRing
 

What's hot (7)

10 ways to protect your e commerce site from hacking & fraud
10 ways to protect your e commerce site from hacking & fraud10 ways to protect your e commerce site from hacking & fraud
10 ways to protect your e commerce site from hacking & fraud
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
XSS (Cross Site Scripting)
XSS (Cross Site Scripting)XSS (Cross Site Scripting)
XSS (Cross Site Scripting)
 
Web Browsers and Tracking Protections
Web Browsers and Tracking ProtectionsWeb Browsers and Tracking Protections
Web Browsers and Tracking Protections
 
Why use private proxy presentation
Why use private proxy   presentationWhy use private proxy   presentation
Why use private proxy presentation
 
Managing Your Risks – The Problem of Passwords
Managing Your Risks – The Problem of PasswordsManaging Your Risks – The Problem of Passwords
Managing Your Risks – The Problem of Passwords
 
Testing iOS apps without jailbreak in 2018
Testing iOS apps without jailbreak in 2018Testing iOS apps without jailbreak in 2018
Testing iOS apps without jailbreak in 2018
 

Viewers also liked

GPU based password recovery on Linux. TXLF 2013
GPU based password recovery on Linux. TXLF 2013GPU based password recovery on Linux. TXLF 2013
GPU based password recovery on Linux. TXLF 2013Brad Richardson
 
BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyJerome Smith
 
Password Cracking with Rainbow Tables
Password Cracking with Rainbow TablesPassword Cracking with Rainbow Tables
Password Cracking with Rainbow TablesKorhan Bircan
 
Cyber security and ethical hacking 9
Cyber security and ethical hacking 9Cyber security and ethical hacking 9
Cyber security and ethical hacking 9Mehedi Hasan
 
Password Attack
Password Attack Password Attack
Password Attack Sina Manavi
 
Password Cracking
Password Cracking Password Cracking
Password Cracking Sina Manavi
 

Viewers also liked (7)

GPU based password recovery on Linux. TXLF 2013
GPU based password recovery on Linux. TXLF 2013GPU based password recovery on Linux. TXLF 2013
GPU based password recovery on Linux. TXLF 2013
 
Salt Cryptography & Cracking Salted Hashes by fb1h2s
Salt Cryptography & Cracking Salted Hashes by fb1h2sSalt Cryptography & Cracking Salted Hashes by fb1h2s
Salt Cryptography & Cracking Salted Hashes by fb1h2s
 
BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwerty
 
Password Cracking with Rainbow Tables
Password Cracking with Rainbow TablesPassword Cracking with Rainbow Tables
Password Cracking with Rainbow Tables
 
Cyber security and ethical hacking 9
Cyber security and ethical hacking 9Cyber security and ethical hacking 9
Cyber security and ethical hacking 9
 
Password Attack
Password Attack Password Attack
Password Attack
 
Password Cracking
Password Cracking Password Cracking
Password Cracking
 

Similar to The Life of Breached Data & The Dark Side of Security

The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleJarrod Overson
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Nick Galbreath
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security TestingTEST Huddle
 
How to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security ChecklistHow to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security ChecklistPixel Crayons
 
Make Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorMake Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorDavid Perkins
 
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your BusinessConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your BusinessConnXus
 
Awareness Security 123.pptx
Awareness Security 123.pptxAwareness Security 123.pptx
Awareness Security 123.pptxRajuSingh730938
 
USG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptxUSG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptxBilmyRikas
 
USG_Security_Awareness_Primer (1).pptx
USG_Security_Awareness_Primer (1).pptxUSG_Security_Awareness_Primer (1).pptx
USG_Security_Awareness_Primer (1).pptxssuser59e4b8
 
USG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptxUSG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptxsumita02
 
Data Loss Prevention in SharePoint 2016 Webinar with Crow Canyon
Data Loss Prevention in SharePoint 2016 Webinar with Crow CanyonData Loss Prevention in SharePoint 2016 Webinar with Crow Canyon
Data Loss Prevention in SharePoint 2016 Webinar with Crow CanyonVlad Catrinescu
 
Identity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations SeminarIdentity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations SeminarBrian Campbell
 
Iron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data ResponsiblyIron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data ResponsiblyGabor Szathmari
 
How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019Jarrod Overson
 
Online Security and Privacy Issues
Online Security and Privacy IssuesOnline Security and Privacy Issues
Online Security and Privacy Issuesebusinessmantra
 
Introduction to application security (Arabic)
Introduction to application security (Arabic)Introduction to application security (Arabic)
Introduction to application security (Arabic)Sameh Deabes
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.Jarrod Overson
 
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10thCYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10thUnited Technology Group (UTG)
 
How I'd hack into your business and how you can stop me!
How I'd hack into your business and how you can stop me!How I'd hack into your business and how you can stop me!
How I'd hack into your business and how you can stop me!AVG Technologies AU
 

Similar to The Life of Breached Data & The Dark Side of Security (20)

The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycle
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
How to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security ChecklistHow to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security Checklist
 
Make Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorMake Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your Favor
 
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your BusinessConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
 
Awareness Security 123.pptx
Awareness Security 123.pptxAwareness Security 123.pptx
Awareness Security 123.pptx
 
USG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptxUSG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptx
 
USG_Security_Awareness_Primer (1).pptx
USG_Security_Awareness_Primer (1).pptxUSG_Security_Awareness_Primer (1).pptx
USG_Security_Awareness_Primer (1).pptx
 
USG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptxUSG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptx
 
Data Loss Prevention in SharePoint 2016 Webinar with Crow Canyon
Data Loss Prevention in SharePoint 2016 Webinar with Crow CanyonData Loss Prevention in SharePoint 2016 Webinar with Crow Canyon
Data Loss Prevention in SharePoint 2016 Webinar with Crow Canyon
 
Identity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations SeminarIdentity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations Seminar
 
Iron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data ResponsiblyIron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data Responsibly
 
How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019
 
Online Security and Privacy Issues
Online Security and Privacy IssuesOnline Security and Privacy Issues
Online Security and Privacy Issues
 
Introduction to application security (Arabic)
Introduction to application security (Arabic)Introduction to application security (Arabic)
Introduction to application security (Arabic)
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.
 
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10thCYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
 
How I'd hack into your business and how you can stop me!
How I'd hack into your business and how you can stop me!How I'd hack into your business and how you can stop me!
How I'd hack into your business and how you can stop me!
 

More from Jarrod Overson

Practical WebAssembly with Apex, wasmRS, and nanobus
Practical WebAssembly with Apex, wasmRS, and nanobusPractical WebAssembly with Apex, wasmRS, and nanobus
Practical WebAssembly with Apex, wasmRS, and nanobusJarrod Overson
 
AppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingAppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingJarrod Overson
 
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...Jarrod Overson
 
Analysis of an OSS supply chain attack - How did 8 millions developers downlo...
Analysis of an OSS supply chain attack - How did 8 millions developers downlo...Analysis of an OSS supply chain attack - How did 8 millions developers downlo...
Analysis of an OSS supply chain attack - How did 8 millions developers downlo...Jarrod Overson
 
Deepfakes - How they work and what it means for the future
Deepfakes - How they work and what it means for the futureDeepfakes - How they work and what it means for the future
Deepfakes - How they work and what it means for the futureJarrod Overson
 
How to Reverse Engineer Web Applications
How to Reverse Engineer Web ApplicationsHow to Reverse Engineer Web Applications
How to Reverse Engineer Web ApplicationsJarrod Overson
 
Graphics Programming for Web Developers
Graphics Programming for Web DevelopersGraphics Programming for Web Developers
Graphics Programming for Web DevelopersJarrod Overson
 
JavaScript and the AST
JavaScript and the ASTJavaScript and the AST
JavaScript and the ASTJarrod Overson
 
Maintainability SFJS Sept 4 2014
Maintainability SFJS Sept 4 2014 Maintainability SFJS Sept 4 2014
Maintainability SFJS Sept 4 2014 Jarrod Overson
 
Idiot proofing your code
Idiot proofing your codeIdiot proofing your code
Idiot proofing your codeJarrod Overson
 
Riot on the web - Kenote @ QCon Sao Paulo 2014
Riot on the web - Kenote @ QCon Sao Paulo 2014Riot on the web - Kenote @ QCon Sao Paulo 2014
Riot on the web - Kenote @ QCon Sao Paulo 2014Jarrod Overson
 
Managing JavaScript Complexity in Teams - Fluent
Managing JavaScript Complexity in Teams - FluentManaging JavaScript Complexity in Teams - Fluent
Managing JavaScript Complexity in Teams - FluentJarrod Overson
 
Real World Web components
Real World Web componentsReal World Web components
Real World Web componentsJarrod Overson
 
Managing JavaScript Complexity
Managing JavaScript ComplexityManaging JavaScript Complexity
Managing JavaScript ComplexityJarrod Overson
 
Continuous Delivery for the Web Platform
Continuous Delivery for the Web PlatformContinuous Delivery for the Web Platform
Continuous Delivery for the Web PlatformJarrod Overson
 

More from Jarrod Overson (16)

Practical WebAssembly with Apex, wasmRS, and nanobus
Practical WebAssembly with Apex, wasmRS, and nanobusPractical WebAssembly with Apex, wasmRS, and nanobus
Practical WebAssembly with Apex, wasmRS, and nanobus
 
AppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingAppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is Evolving
 
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
 
Analysis of an OSS supply chain attack - How did 8 millions developers downlo...
Analysis of an OSS supply chain attack - How did 8 millions developers downlo...Analysis of an OSS supply chain attack - How did 8 millions developers downlo...
Analysis of an OSS supply chain attack - How did 8 millions developers downlo...
 
Deepfakes - How they work and what it means for the future
Deepfakes - How they work and what it means for the futureDeepfakes - How they work and what it means for the future
Deepfakes - How they work and what it means for the future
 
How to Reverse Engineer Web Applications
How to Reverse Engineer Web ApplicationsHow to Reverse Engineer Web Applications
How to Reverse Engineer Web Applications
 
Graphics Programming for Web Developers
Graphics Programming for Web DevelopersGraphics Programming for Web Developers
Graphics Programming for Web Developers
 
JavaScript and the AST
JavaScript and the ASTJavaScript and the AST
JavaScript and the AST
 
ES2015 workflows
ES2015 workflowsES2015 workflows
ES2015 workflows
 
Maintainability SFJS Sept 4 2014
Maintainability SFJS Sept 4 2014 Maintainability SFJS Sept 4 2014
Maintainability SFJS Sept 4 2014
 
Idiot proofing your code
Idiot proofing your codeIdiot proofing your code
Idiot proofing your code
 
Riot on the web - Kenote @ QCon Sao Paulo 2014
Riot on the web - Kenote @ QCon Sao Paulo 2014Riot on the web - Kenote @ QCon Sao Paulo 2014
Riot on the web - Kenote @ QCon Sao Paulo 2014
 
Managing JavaScript Complexity in Teams - Fluent
Managing JavaScript Complexity in Teams - FluentManaging JavaScript Complexity in Teams - Fluent
Managing JavaScript Complexity in Teams - Fluent
 
Real World Web components
Real World Web componentsReal World Web components
Real World Web components
 
Managing JavaScript Complexity
Managing JavaScript ComplexityManaging JavaScript Complexity
Managing JavaScript Complexity
 
Continuous Delivery for the Web Platform
Continuous Delivery for the Web PlatformContinuous Delivery for the Web Platform
Continuous Delivery for the Web Platform
 

Recently uploaded

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Recently uploaded (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 

The Life of Breached Data & The Dark Side of Security

  • 1. The Life of Breached Data & The Dark Side of Security. Jarrod Overson @jsoverson QCon SF 2016
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7. It's more than just massive breaches from large companies, too.
  • 8. It's small continuous, streams of exploitable data
  • 9.
  • 11. Every breach adds a piece of you to a criminal's database. Passwords, emails, names, security questions & answers, addresses, and more
  • 12.
  • 13. Traditional security is like flossing. We know we're supposed to care, but is it really that important?
  • 14. OWASP Top 10 A1 – Injection A2 – Broken Authentication and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery (CSRF) A9 – Using Known Vulnerable Components A10 – Unvalidated Redirects and Forwards
  • 15. OWASP Automated Threats OAT-020 Account Aggregation OAT-006 Expediting OAT-019 Account Creation OAT-004 Fingerprinting OAT-003 Ad Fraud OAT-018 Footprinting OAT-009 CAPTCHA Bypass OAT-005 Scalping OAT-010 Card Cracking OAT-011 Scraping OAT-001 Carding OAT-016 Skewing OAT-012 Cashing Out OAT-013 Sniping OAT-007 Credential Cracking OAT-017 Spamming OAT-008 Credential Stuffing OAT-002 Token Cracking OAT-015 Denial of Service OAT-014 Vulnerability Scanning
  • 16. These attacks aren't cost effective unless automated BY EVIL ROBOTS
  • 17. Our user-friendly APIs enable our attackers
  • 19. The APIs we expose unintentionally.
  • 20. The APIs we expose unintentionally.
  • 21. The APIs we expose unintentionally.
  • 22. When you read about breaches, what do you do?
  • 23. Even if you have the most secure site in the world, you don't usually protect against legitimate user logins.
  • 24. If your users were robots, could you tell?
  • 25.
  • 26. What percentage of traffic is from bots?
  • 27. 95% ( Current record for automation against a login page, via Shape Security ) What percentage of traffic is from bots?
  • 28. Why?
  • 29. Do you… For example Store a type of currency? actual money, point values, gift cards Sell goods? physical, digital, services Have unique PII? health care, social networks Have user generated content? forums, social networks, blogs, comments Have time sensitive features? tickets, flash sales, reservations Pay for digitally validated behavior? ad clicks, reviews, "uber for X"
  • 30. If you have value, there is value in exploiting you.
  • 31. Targeted Fraud can take many forms.
  • 32. But we have captchas!
  • 34. Estimated 200 million+ hours spent every year deciphering squiggly letters. Luis Von Ahn, creator of captcha * *
  • 35. Services have been made making captcha bypass even easier.
  • 36. Services have been made making captcha bypass even easier.
  • 37. Ever wonder where these ads go?
  • 38. There's big money in "Work from Home Data Entry" jobs
  • 39. So we seek alternatives.
  • 40. Some rely on simple behavior analysis
  • 41. Some rely on kittens
  • 42. Some rely on a love for death metal
  • 43. Some are very high profile
  • 44. How?
  • 45. They use a lot of the same tools we already use.
  • 46.
  • 47.
  • 48.
  • 49.
  • 50.
  • 51.
  • 52. Once you detect an attacker, they are easy to block. Right?
  • 53. One attacker from one machine can be blocked by IP.
  • 54. Many attackers sound dangerous but aren't as common as they are made out to be.
  • 55. One attacker using proxies to look like thousands of users across the globe is difficult to detect and block.
  • 56. Spikes of traffic across many IPs are normal, except when they aren't
  • 57. The devices themselves leave fingerprints
  • 58. And tools are made to leave no fingerprints
  • 60.
  • 61. We can't patch our way through this.
  • 62. How would you react if you went from … Legitimate traffic
  • 63. To this Automation detected and blocked Legitimate traffic
  • 64. Automation detected and blocked Legitimate traffic To this
  • 65. Automation detected and blocked Legitimate traffic To this
  • 66. To get an idea, search for : • <your company, service, or CMS> fullz • <your company, service, or CMS> sentrymba • <your company, service, or CMS> carding • <your company, service, or CMS> <tool> tutorial Not sure if you have a problem?
  • 67. How do you protect you?
  • 68. Make every password unique. Really.
  • 69. • LastPass • 1Password • Any locally encrypted db Use a password manager. Use a password manager. LastPass, 1Password, any locally encrypted database.
  • 70. Use a base password + a site specific string. For example: "hyatt small blue cup" Use a password algorithm
  • 71. Turn on Multi-Factor Authentication.
  • 72. How do you protect your users?
  • 73. First, throw away the myth that the primary risk to passwords is how crackable they are. The biggest risk to you and your users is reused passwords.
  • 74. Don't add unnecessary password rules 8 char minimum, >64 char maximum, allow ANY character (including spaces)
  • 75. Do prevent users from using common passwords • 123456 • password • 12345678 • qwerty • 12345 • 123456789 • football • 1234 • 1234567 • baseball • welcome • 1234567890 • abc123 • 111111 • 1qaz2wsx • dragon • master • monkey • letmein • login • princess • qwertyuiop • solo • passw0rd Maintain and use a banned password list
  • 76. Don't expire passwords unless necessary Expire when accounts are compromised or a user's credentials are leaked.
  • 77. Offer Multi-Factor Authentication. There any many options and services that make this easy and tolerable.
  • 78. How do you protect your business?
  • 79. Use single flows for important transactions. Reduce the attack surface area as much as possible. Login widget Old login flow Regular Login Login at CC entry 2.x login Login on shopping cart VS Login
  • 80. Ask and be ready for tough questions You may need to re-evaluate costs & value with new parameters.
  • 81. Get help. You're not alone. Reduce the attack surface area as much as possible. - Helen Keller
  • 82. The Life of Breached Data & The Dark Side of Security. Jarrod Overson @jsoverson QCon SF 2016