Authentication and session management are important aspects of network security. Authentication verifies a user's identity, while session management maintains user access after authentication. Common authentication methods include passwords, multifactor authentication, and digital signatures. Session management uses session IDs and cookies to track authenticated users and can be vulnerable to hijacking attacks. Developers should implement standard security practices like encryption, complex passwords, and short session timeouts to strengthen authentication and prevent session threats.
Account takeover has started to become a huge issue in 2016, but it's actually been the number one attack vector for web applications for the past three years.
Learn how this common attack works, why it's so popular with attackers, and how you can defend against it.
Basic overview, testing, mitigation plan for popular web application vulnerabilities such as: XSS, CSRF, SQLi etc.
Updated "Web Security - Introduction" presentation.
Make sure you’re defending against the most common web security issues and attacks with this useful overview of software development best-practices. We'll go over the most common attacks against web applications and present real world advice for defending yourself against these types of attacks.
New technology is challenging the premise that we have to choose between more friction or more security for authenticating users. This talk explores the benefits and drawbacks of frictionless authentication options beyond traditional one-time passcodes like biometrics, contextual data, or using devices as secure keys.
A presentation and class delivered to a PHP developer group at Brown University that discussed web application security with a heavy emphasis on PHP, covered security in the SDLC, and showed with some examples what to do and what not to do.
You've built login for your application—and even added 2FA—but what happens when a customer upgrades their phone, loses their device, or otherwise gets locked out of their account? This session will show how to accommodate account recovery when the user has 2FA enabled while minimizing account takeover and support overhead.
OWASP Top 10 Vulnerabilities 2017 - AppTrana (Ishan Mathur)
Our latest OWASP Top Vulnerabilities Guide updated for new 2017 issues serves as a practical guide to understanding OWASP Top 10 vulnerabilities and preparing a response plan to counter these vulnerabilities.
Designing customer account recovery in a 2FA world (Kelley Robinson)
You've built login for your application—and even added 2FA—but what happens when a customer upgrades their phone, loses their device, or otherwise gets locked out of their account? This session will show how to accommodate account recovery when the user has 2FA enabled while minimizing account takeover and support overhead.
Authentication is a sneaky problem - the most secure options don't usually have widespread adoption, especially among consumer applications. But what if we could fix that? Narrator: we can. WebAuthn is a somewhat new authentication standard that uses our everyday devices like phones and computers and turns them into phishing-resistant security keys. It almost sounds too good to be true. This talk will dig into how the technology works, when you can and should use it, and how to get started. We'll dig into why this isn't widely adopted yet and if or when we can expect it to be. You'll walk away with a better understanding of a new authentication channel and possibly some hope for a more secure future.
OWASP Top 10 - 2017 Top 10 web application security risks (Kun-Da Wu)
The OWASP team recently released the 2017 revised version of the ten most critical web application security risks. This presentation briefs the OWASP Top 10 - 2017 so you can learn more about these important security issues.
Oh, WASP! Security Essentials for Web Apps (TechWell)
The past few years have seen a rapid increase in business efficiency through Web-based applications. Unfortunately, a dramatic increase in the number of web application vulnerabilities has followed. Insecure web applications can be disastrous for mission critical businesses and users' sensitive data. More than 70 percent of security vulnerabilities are due to flaws in the application rather than firewall breaches. Bennie Paul explains how security testing has become an indispensable part of the SDLC for businesses operating online today. OWASP (Open Web Application Security Project) provides open source tools, code, and materials to develop, test, and maintain application security. Monitoring the “OWASP Top 10” web application security flaws is highly recommended as part of an organization’s testing methodology. Vulnerabilities identified are compared against the organization’s security objectives and regulations, and categorized accordingly for remediation. Benny guides you through the OWASP vulnerabilities, technique, framework, and preventive measures that you can adopt for building better software.
Certificate pinning trends perennially, coming to the fore with each new SSL hack. Security urges developers to implement pinning and many mobile apps do — some applying pinning to problems it doesn't solve while others do so entirely unnecessarily.
Taking a perspective useful to both developers and testers, this presentation highlights the threats that pinning can tackle and covers the tradeoffs inherent in pinning decisions. The presentation explores several flaws found in real applications and describes changes introduced in recent Android versions.
Expect to leave understanding common implementation mistakes, common misconceptions and key subtleties of pinning that may in fact decrease security or impose undue complexity.
Security professionals agree: SMS based Two-factor Authentication (2FA) is insecure, yet thousands of companies still employ this method to secure their customer-facing applications. This talk will look at the evolution of authentication and provide a data-driven analysis of the tradeoffs between the different types of factors available.
This was the presentation I made to the @LeedsSharp group in Leeds on 26/02/2015. It focusses on web application security and the steps you need to take to counter most of the threats which are out there today, as determined by the OWASP Top 10. Solutions focus on the MVC.net framework; there is a source code project to go with this presentation, with all of the solutions implemented, at https://github.com/johnstaveley/SecurityEssentials
Your users are almost certainly vulnerable in one way or another. Mike North explores a series of common web app security pitfalls, first demonstrating how to exploit the vulnerability and then recommending a pragmatic and effective defense against the attack. Buckle up, because Mike's about to take some things you love and depend on and smash them to bits.
Addressing the OWASP Mobile Security Threats using Xamarin (Alec Tucker)
You think your mobile app is secure, but is it really? In this session from Xamarin Evolve 2016 in Orlando, Alec will give you the Top 10 mobile threats to be aware of and take an in-depth look at how to mitigate some of these threats using Xamarin and the OWASP Mobile Security Project. A video of the talk is available here: https://youtu.be/rCT9kiA7SE0?list=PLM75ZaNQS_Fb7I6E9MDnMgwW1GGZIijf_
PHP Cookies, Sessions and Authentication (Gerard Sychay)
Do you know the difference between the PHP config directives session.gc_maxlifetime and session.cookie_lifetime? Have you wrestled with implementing a “Remember Me” button on your login page? Learn how popular sites, such as Twitter and Facebook, keep you logged in (apparently) forever and the security risks of such methods.
http://github.com/hellogerard/tek11
The Evolution of Authentication: Passwordless Solutions and Digital Identity ... (Caroline Johnson)
Passwordless authentication is a game-changing approach that aims to eliminate passwords altogether or supplement them with additional layers of security.
An Enhanced Security System for Web Authentication (IJMER)
Web authentication has low security these days. Today, textual passwords are commonly used for authentication; however, users do not follow their requirements. Users tend to choose meaningful words from dictionaries, which makes textual passwords easy to break and vulnerable to dictionary or brute-force attacks. Also, textual passwords can be identified by third-party software. Many available graphical passwords have a password space that is less than or equal to the textual password space. Smart cards or tokens can be stolen. Many biometric authentications have been proposed; however, users tend to resist using biometrics because of their intrusiveness and the effect on their privacy. Moreover, biometrics cannot be revoked. In this paper, we present and evaluate our contribution, i.e., the OTP and 3-D password. A one-time password (OTP) is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional (static) passwords. The most important shortcoming that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks. This means that a potential intruder who manages to record an OTP that was already used to log into a service or to conduct a transaction will not be able to abuse it, since it will no longer be valid. The 3-D password is a multifactor authentication scheme. To be authenticated, we present a 3-D virtual environment where the user navigates and interacts with various objects. The sequence of actions and interactions toward the objects inside the 3-D environment constructs the user's 3-D password.
ETHICAL HACKING AND SOCIAL ENGINEERING
Topics Covered: Ethical Hacking Concepts and Scopes, Threats and Attack Vectors, Information Assurance, Threat Modelling, Enterprise Information Security Architecture, Vulnerability Assessment and Penetration Testing, Types of Social Engineering, Insider Attack, Preventing Insider Threats, Social Engineering Targets and Defence Strategies
DIGITAL FORENSIC 25 In this chapter, you'll learn more about.docx (lynettearnold46882)
DIGITAL FORENSIC 25
In this chapter, you'll learn more about:
· Encryption basics
· Common encryption practices
· Weaknesses of encryption
· What to do when you find encrypted data
Computer forensics is all about perspective and process. A forensic investigator's main perspective must be as a neutral party in all activities. Approach each investigation the same way, ensuring that it is repeatable and sound. After evidence is identified and preserved, analyze it to determine its impact on your case. In many situations, forensic investigators don't have the authority to disclose any evidence except to authorized individuals. It all depends on who owns the computer and who is paying for the investigation. As a forensic investigator, you need to know how to exercise your authority and access protected data properly. The two most common controls that protect data from disclosure are access controls and data encryption. This chapter covers the most common type of access control—the password—and the general topic of encryption.
You will learn basic techniques to obtain passwords to gain access to evidence. You will learn about basic encryption methods and how to recover encrypted evidence.
Passwords
Computer users must commonly provide a user ID to log on to, or otherwise access, a system. User IDs identify a specific user and tell the security subsystem what permissions to grant to that user. Unfortunately, some computer users attempt to impersonate other users by fraudulently providing another person's user ID. By doing so, the impersonator can perform actions that will point back to the stolen user ID owner's account when audited. As a forensic investigator, you'll need to determine the difference between actions taken using a valid user ID and actions conducted by an impersonator using a stolen or otherwise compromised user ID.
user ID
A string of characters that identifies a user in a computing environment.
Real World Scenario
Who Are You, Really?
Fred is an enterprising university student who enjoys testing the limits of his school's computer use policy. The policy clearly states that users may only use their own user IDs to access the computer system. If Fred wants to create some mischief on the university's computer system, he could ignore the policy and use Mary's user ID to access the system. In effect, he could pretend to be Mary. With no controls in place to stop him, Fred could cause many problems and to the untrained eye, it would appear that Mary was the guilty party. A control is anything that stands between Fred and his unauthorized actions. In this case, there actually is at least one control to deter him—the university's computer use and access policy. The university's computer use policy is an administrative control. While administrative controls dictate proper behavior and the penalty of noncompliance, they don't stop unauthorized actions by those who are determined to ignore such policies (as in Fred's case).
There is a si.
3. Threats to authentication
Hackers are always looking for ways into a network. If they can acquire your method of gaining access, they save themselves hours of research.
Keep in mind that different accounts have different levels of access; any foothold an attacker gains in a network is an advantage when looking for further vulnerabilities.
Also, if attackers use accounts already within the system, it helps to mask their actions, because the account they are using will already have been granted authentication rights to one degree or another.
4. Why is this important?
Authentication-based attacks factored into about four of every five breaches involving hacking in 2012.
After Celebrity Photo Hack, How Safe Is the Cloud?
◦ The real question is less about how good iCloud security is and more about how strong (and how unique) a user's password is.
• If you can masquerade as another person, there are no limits on how much you can compromise the privacy and integrity of anyone's online data.
5. Weakness for authentication
Most developers build their own authentication and session management schemes.
Authentication and session management schemes are complex, and these custom-built ones tend to have flaws.
Since there is no standard for this and each development effort is different, these flaws are hard to find when nobody is looking for them, and they surface only when a hacker finally does find them.
6. Some Common Authentication Methods
Use of user IDs
◦ Standard first initial.last name, or something more complex
Passwords
◦ complexity, length, age, timeout, retries
• Multifactor authentication
◦ something you know, have, are
Encryption
◦ PGP, public-key cryptography, SSL, S-HTTP and S/MIME
One-time passwords
◦ Hardware/software tokens
Digital signatures
7. Common Authentication Method examples:
Use of user IDs
◦ Common methods revolve around first initial and last name, e.g. r.smith
◦ However, this could give an attacker an edge in finding new accounts: a brute-force attack with every letter of the alphabet and #.smith.
◦ A possible new method to add protection: use initials and numbers, e.g. rs1234@spsu.edu, or in some cases a fully different alias, e.g. ws1289@spsu.edu can actually be rs1234@spsu.edu. Think in terms of being obscure enough that no correlation can be made to actual data, i.e. data obfuscation, as used in electronic health records.
8. Common Authentication Method
examples:
Passwords
We want a password to have enough complexity
and length to thwart dictionary and brute force
attacks
A good method for solid passwords is the Schneier
scheme
◦ WIw7,mstmsritt... = When I was seven, my sister threw my
stuffed rabbit in the toilet.
◦ Wow...doestcst = Wow, does that couch smell terrible.
◦ Ltime@go-inag~faaa! = Long time ago in a galaxy not far
away at all.
◦ uTVM,TPw55:utvm,tpwstillsecure = Until this very moment,
these passwords were still secure.
Here we take a phrase the user can remember and
reduce it to a string that looks nonsensical to
anyone else, which is much more difficult to crack
than a dictionary word
11. What is it?
Whenever we have data entered in a
form we want to make sure that it is valid
and not corrupted in any way. Here we
are looking at checking the password
someone enters
* Note: while I am using this method here
for my report, you should not do this; a
more secure method would be to email a
token to a person and have them enter a
password there. Having someone enter a
password and gaining access directly
12. Application
Password validation ranges from
checking regular expressions to
length and complexity. This is used as
a precursor to defend against brute
force attacks, since a weak password is
the first thing an attacker guesses; it
does not replace rate limiting on the
login endpoint itself
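The kind of server-side validation slides 11 and 12 describe, written as an added example (this is not code from the original deck or the linked article). The thresholds (12 characters, three character classes), the violation codes and the short list of common passwords are assumptions made for the example; a real deployment would check against a full breach corpus.

```python
import re
from typing import List, Optional

# Constructed sample of breached/common passwords for this example only;
# in production load a real list (e.g. a public breach corpus).
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}

MIN_LENGTH = 12          # assumption: policy minimum chosen for this example
MIN_CLASSES = 3          # out of: lowercase, uppercase, digit, other

_CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(password: str, username: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes.

    Violation codes: too_short, common, low_diversity, contains_username, repeated_chars.
    """
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common")
    # Count how many of the four character classes appear at least once
    classes = sum(1 for pattern in _CLASS_PATTERNS if re.search(pattern, password))
    if classes < MIN_CLASSES:
        problems.append("low_diversity")
    # Reject passwords built around the account name (r.smith -> "r.smith2024!!")
    if username and len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains_username")
    # Four or more of the same character in a row ("aaaa", "1111")
    if re.search(r"(.)\1{3,}", password):
        problems.append("repeated_chars")
    return problems


if __name__ == "__main__":
    # The first value is one of the Schneier-scheme passwords from slide 8
    for pw in ("WIw7,mstmsritt...", "password123", "r.smith2024!!", "aaaaaaaaaaaaAA1!"):
        print(repr(pw), check_password(pw, username="r.smith") or "ok")
```

The function returns every failure rather than stopping at the first, so the form can tell the user exactly what to fix; the check runs on the server, since anything done only in the browser can be skipped by an attacker.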
13. Common Authentication Method
examples:
Multifactor authentication
Something you know – password
Something you have – security token
Something you are – a biometric feature, fingerprint,
eye scan and so on
It is a combination of two or more different factor
types, thus giving a layered defense
Typical scenarios
use of a card or PIN, VPN access with digital
certificates, fingerprints, hard or soft tokens
14. Common Authentication Method
examples:
Encryption
◦ PGP – uses hashing and compression, encrypts
the data with a symmetric session key (one key to
encrypt/decrypt) and protects that session key
with the recipient's public key
◦ Public-Key Cryptography – use of
asymmetric encryption (one key encrypts,
the other decrypts)
◦ SSL, S-HTTP – use of certificates
◦ S/MIME – securing of email
15. Common Authentication Method
examples:
One Time Passwords
◦ Use of challenges and responses for
users
◦ Only good for one login (or a short time
window) and then expires
◦ Can be a hard or soft token, or a code
emailed or texted to the user
Users can be tricked into giving these up with
social engineering, and a code phished in real
time can be relayed to the real site before it
expires
Possibly subject to man-in-the-middle attacks
due to the transmission method (SMS and email
are not confidential channels)
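How a soft-token one-time password is generated and checked, as an added example (not code from the deck): HOTP per RFC 4226 and the time-based variant per RFC 6238, with the server-side window and replay guard that the "only good for that session" property depends on. The secret below is the published RFC test secret; the in-memory set of used time steps and the one-step window are assumptions for the example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Set


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # low nibble of the last byte
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check with a +/-window step tolerance and a per-step replay guard."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self._secret = secret
        self._step = step
        self._window = window
        self._digits = digits
        # Assumption: in-memory; a real server keeps this per user in a shared store
        self._used_steps: Set[int] = set()

    def verify(self, code: str, unix_time: Optional[float] = None) -> bool:
        now = time.time() if unix_time is None else unix_time
        current = int(now) // self._step
        for candidate in range(current - self._window, current + self._window + 1):
            if candidate in self._used_steps:
                continue                                 # each code is accepted only once
            expected = hotp(self._secret, candidate, self._digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self._used_steps.add(candidate)
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"          # the RFC 4226 / RFC 6238 test secret
    print(hotp(secret, 0))                    # 755224
    print(totp(secret, 59, digits=8))         # 94287082
    v = TotpVerifier(secret)
    print(v.verify("287082", unix_time=59))   # True
    print(v.verify("287082", unix_time=59))   # False: replay of an accepted code
```

The replay guard is what stops a code captured by social engineering from being reused after the victim has typed it; it does nothing against an attacker who relays the code to the real site within the same step, which is why a phishing-resistant factor (a hardware key bound to the origin) is stronger than any OTP.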
16. Common Authentication Method
examples:
Digital Signatures
• help to prove that data was sent by the holder
of a particular private key
• give reassurance to the recipient
• confirm the message wasn't tampered with in
transit
17. Common Authentication Method
examples:
In the next slide we see an example of
hashing a password
And we will see extra security applied
to it with a salt
These are examples of defense in
depth; no one method or layer is
100% reliable
19. What is it?
A hash is a method in which we take some
input, in this case a password, and apply a
mathematical one-way function to it; the
function takes an input of any length and
turns it into a fixed-length binary value from
which the input cannot practically be recovered.
20. Application
Hashes tend to be used as checksums for
software (and as the part of a digital signature
that is actually signed) to ensure it hasn't been
tampered with or corrupted when downloaded.
However, in this case we can use them to
protect the passwords of users that attempt to
log into our site, so that the database never
stores the password itself.
22. What is it?
A salt is random data, generated separately for
each user, that is combined with the password
before the one-way function is applied and is
then stored next to the resulting hash
23. Application
Salts, when combined with password hashing,
add a new level of difficulty for dictionary
attacks: the same password hashes to a
different value for every user, and precomputed
tables of hashes become useless. A fast hash
such as SHA-256 is still too quick for an attacker
to iterate over, so use a deliberately slow, salted
password hashing function (PBKDF2, bcrypt,
scrypt or Argon2) instead
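Salted password hashing as slides 19 to 23 describe, written as an added example (not the deck's own code, which is on slides 18 and 21 that are missing from this extraction). It uses PBKDF2-HMAC-SHA256 from the Python standard library with a 16-byte random salt and stores the parameters alongside the hash; the record format and the 600,000 iteration count (OWASP's current minimum for PBKDF2-HMAC-SHA256) are choices made for the example. The unsalted function at the end is there only to show the weakness a salt removes.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "sha256"
ITERATIONS = 600_000    # OWASP's current minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt>$<hash>."""
    salt = os.urandom(SALT_BYTES)               # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_{ALGORITHM}${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        scheme, iterations_s, salt_b64, dk_b64 = stored.split("$")
        if scheme != f"pbkdf2_{ALGORITHM}":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iterations_s)
    except (ValueError, TypeError):
        return False                             # malformed record: never a match
    if not salt or not expected or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(
        ALGORITHM, password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password: str) -> str:
    """What NOT to do: equal passwords give equal hashes, so one lookup table cracks them all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    a = hash_password("WIw7,mstmsritt...")
    b = hash_password("WIw7,mstmsritt...")
    print(a != b)                                       # True: different salts
    print(verify_password("WIw7,mstmsritt...", a))      # True
    print(verify_password("wrong", a))                  # False
    print(unsalted_sha256("letmein") == unsalted_sha256("letmein"))   # True: the weakness
```

Storing the iteration count in the record lets you raise it later and upgrade each user's hash transparently on their next successful login.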
24. Actual Authentication Threats
Confidence Tricks
◦ Various phishing methods
Remote Technical Tricks
◦ Spoofing, proxy exploits, sniffing, old exploits against
outdated technology
Local Technical Tricks
◦ Software vulnerabilities, Trojans, viruses, hardware attacks
Victim Mistakes
◦ Weak passwords, written-down sensitive data, user errors
Implementation oversights
◦ Replays, trusting bad data, sensitive data remembered in
forms
Denial of service attacks
◦ Lockouts for authorized users
Enrollment errors
◦ A new set of credentials is issued to the wrong person
25. Authentication attacks
Brute Force
◦ Allows an attacker to guess a person's user name,
password, credit card number, or cryptographic key
by using an automated process of trial and error.
Insufficient Authentication
◦ Allows an attacker to access a website that contains
sensitive content or functions without having to
properly authenticate with the website.
Weak Password Recovery Validation
◦ Allows an attacker to access a website that provides
them with the ability to illegally obtain, change, or
recover another user's password.
26. Repercussions from
Authentication attacks
Accounts can be locked out, or the
entire user database can be locked
out
Outages can occur if there are
service accounts that do batch work
and get locked out
There can be a loss of confidence in the
business if such an attack is
publicized
27. Prevention Methods
First and foremost, proper code
development
◦ Think like an attacker: look for what can go
wrong instead of waiting for it
Have informed users
◦ Over-inform on proper security procedures,
automate the mundane
User access lattices
◦ Least privilege: only access to what they need
Security in layers
◦ Never assume one layer will do it all
28. Session management Defined
Session Management – the practice of
overseeing a transfer of data between
two or more entities
Session management focuses on an
already authenticated user
This authenticated user has their
information bound to an actual session
token/ID
29. Threats to Session
management
We've already authenticated properly to
a connection and we begin to do what it
is we do: work, shopping, surfing the
web, our banking, etc.
There will be a session identifier for what
you are doing, similar to a tracking
cookie if you will; this ID ties you to what
you are actually doing, and anyone who
obtains it can act as you
In essence you're leaving a sort of digital
bread crumb trail
30. Why is this important?
Crack in Internet's foundation of
trust allows HTTPS session
hijacking
◦ "Once the session cookie is decrypted, hackers
can exploit it to gain unauthorized access to the
user account the session cookie is designed to
authenticate. The process from start to finish
takes 'a few minutes'"
Yahoo session hijacking likely
culprit of Android spam
31. Weakness for session
management
Most developers build their own
authentication and session management
schemes
Authentication and session management
schemes are complex, and these custom-built
ones tend to have flaws
Since there is no single standard for this and
every implementation is different, these flaws
are hard to find unless someone is actively
looking for them, which is often only when an
attacker finally does
32. Some Common Session
Management Methods
Validate Session ID values coming from clients
◦ Check the format and length of any ID before looking it up,
and treat it as untrusted input like any other
Hard-to-Guess Cookie Values
◦ Generate IDs from a cryptographic random source and keep
the user's data on the server, keyed by the ID
User Authentication
◦ Good authentication always helps; re-issue the session ID
when the user logs in
SSL Encryption
◦ Encryption always complicates things for attackers
Use of trusted third parties
◦ Use a well-reviewed framework or third-party session
implementation rather than writing your own
Use sufficient session ID length
◦ Same as passwords, longer equals more secure: at least
128 bits (16 bytes) from a cryptographic random source
Ensuring no patterns become evident
◦ You don't want patterns (timestamps, counters, user IDs)
in your session IDs; they could be predicted or brute forced
Associate session ID with IP address
◦ Extra layer of security, but mobile and NAT users change
addresses legitimately, so treat a mismatch as a reason to
re-authenticate rather than as proof of an attack
33. Common Session Management
Method in depth
Hard-to-Guess Cookie Values
Cookies are carried in HTTP headers and allow
control over token expiration, scope and other
granular features; this is why they are the most
common method used
The session uses the cookie to maintain the
connection: much like when you authenticate,
the cookie keeps your logged-in state active over
the session, so the cookie value is as sensitive
as the password
Making sure cookie values are not easily
guessable prevents an attacker from taking one
known value, guessing a neighbouring one and
establishing a connection as another user
34. Common Session Management
Method in depth
SSL Encryption
Since cookies are the most common method to
establish and maintain the connection, we
should also look at a layered protection
Making sure the cookies are sent only over a
secure connection (HTTPS, with the cookie's
Secure flag set)
This prevents a man-in-the-middle from
sniffing the cookie off the wire and gaining
usable data from it
35. Actual Session Management
threats
Session hijacking attacks, targeted or generic
◦ Targeted: the goal is to impersonate a specific user
◦ Generic: they look for any user
Session fixation attack
◦ Attacker plants a session ID they already know (via a
link or a cookie) and waits for the victim to log in
with it, so the attacker then holds a valid authenticated
session
Brute force
◦ Finding valid IDs through brute force searches
Cross-site scripting attack
◦ Use of script injected into the web application to read
the session cookie
Man-in-the-middle attack/Man-in-the-browser
attack
◦ Actively/passively gaining info from unsuspecting
people
Prediction attacks
◦ Here a good ID is known and a next valid one is
36. Repercussions from Session
Management attacks
Users can be impersonated and
damage can be masked
Fraud and/or theft can occur
depending on system access
Worst case: elevation of privileges
granted
Best case: the compromised account is
locked out
37. Prevention Methods
Use of cookies
◦ Set the Secure flag so the cookie is only sent over
HTTPS, HttpOnly so script cannot read it, and restrict
its scope (Path, Domain, SameSite)
Don't allow users to determine session IDs
◦ Ignore any ID supplied by the client at login; make
sure they can't reuse old session info
Each user should get a new identifier when they
log in to your site
Time out session identifiers
◦ Creates a smaller window for the attacker
Allow clean log outs
◦ When the user logs out, the session is invalidated on
client and server
Use secure channels for session cookies
◦ Encryption always hampers things for attackers
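The controls from slides 32, 33, 34 and 37 together in one server-side session store, as an added example (not code from the deck or the linked PHP article): unguessable IDs, input validation of the ID, a fresh ID minted at login regardless of what the client presented (the fixation defence), idle timeout, optional IP binding, server-side logout, and a Set-Cookie value with the Secure, HttpOnly and SameSite attributes. The 15-minute idle timeout, the cookie name `sid`, the in-memory dictionary and the injectable clock are assumptions made so the example runs stand-alone.

```python
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_ID_BYTES = 32                   # 256 bits from the OS CSPRNG
IDLE_TIMEOUT = 15 * 60                  # assumption: 15-minute idle timeout
_SID_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")   # token_urlsafe(32) is exactly 43 chars


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float
    client_ip: str


class SessionStore:
    """Server-side session table keyed by an unguessable ID; the cookie carries only the ID."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT, bind_ip: bool = True,
                 clock: Callable[[], float] = time.time):
        self._idle = idle_timeout
        self._bind_ip = bind_ip
        self._clock = clock                      # injectable for testing (assumption)
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def is_well_formed(sid: Optional[str]) -> bool:
        """Cheap validation before any lookup: rejects garbage, path tricks and oversized values."""
        return bool(sid) and _SID_RE.match(sid) is not None

    def login(self, user_id: str, client_ip: str, presented_sid: Optional[str] = None) -> str:
        """Mint a fresh ID at login and discard whatever the client presented.

        This is the session-fixation defence: an ID planted by an attacker before
        authentication never becomes an authenticated session.
        """
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        now = self._clock()
        self._sessions[sid] = Session(user_id, now, now, client_ip)
        return sid

    def resolve(self, sid: Optional[str], client_ip: str) -> Optional[str]:
        """Return the user for a valid, unexpired session, else None (dropping it if stale)."""
        if not self.is_well_formed(sid):
            return None
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > self._idle:
            del self._sessions[sid]              # idle timeout shrinks the hijack window
            return None
        if self._bind_ip and sess.client_ip != client_ip:
            del self._sessions[sid]              # address changed: require re-authentication
            return None
        sess.last_seen = now
        return sess.user_id

    def logout(self, sid: Optional[str]) -> None:
        """Invalidate on the server; clearing the cookie alone is not a logout."""
        if sid is not None:
            self._sessions.pop(sid, None)


def session_cookie_header(sid: str, max_age: int = IDLE_TIMEOUT) -> str:
    """Set-Cookie value: HTTPS only, unreadable by script, not sent cross-site."""
    return f"sid={sid}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


def logout_cookie_header() -> str:
    """Set-Cookie value that clears the cookie on the client after a server-side logout."""
    return "sid=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("r.smith", "203.0.113.7", presented_sid="A" * 43)   # planted ID ignored
    print(session_cookie_header(sid))
    print(store.resolve(sid, "203.0.113.7"))     # r.smith
    store.logout(sid)
    print(store.resolve(sid, "203.0.113.7"))     # None
```

Everything an attacker could forge lives in the server-side table, so a stolen cookie is only useful until the timeout or logout revokes it; a `Max-Age` on the cookie is a convenience for the browser, not the control.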
38. Summary
Never assume you are hack-proof;
make sure you mitigate your risk by
prioritizing correctly
Take into consideration what needs
to be protected the most and what the
damage will be if there is an issue
with it
Always make sure to use security in
layers and never put all your eggs in
one basket
39. This article covers some of the principles
laid out earlier in my slide deck
Securing PHP User Authentication,
Login, and Sessions
http://blackbe.lt/php-secure-sessions/
We see use of hashing, linking to IP
addresses, and password validation (length,
complexity) used to make the password and
session ID more difficult to discover