Hackers: The Internet's Immune System

Disclaimer: Use this knowledge in a positive manner. Help the development of secure software.
Whose Fault??
- Security failure of the respective nations
- Intelligence failure
- Failure to prevent such incidents
- Failure to implement a security framework efficiently
It is because of Osama and Kasab
- That we know about our security flaws
- That we learn the hard way, but we did.
Think before attacking again. We are stronger!
How do vaccines work?

The Internet's Immune System
- It is a constant fight between application developers and hackers. Who wins?
- The aim of this presentation is to share knowledge about developing secure applications.
- Understanding how hackers think.
- Security principles
Why Software Security?
- Application security is an unstated requirement.
- Most applications deal with at least one of the following:
  - Financial information
    - Credit cards
    - Account numbers
  - Customer's personal information
    - Name
    - Contact information
Information Sensitivity
- Information about special groups of people, such as
  - Expecting parents
  - LGBT community
  - Rich and affluent
  - Sports persons
  is 10 to 50 times more valuable than that of the rest of the population, as they are the target customers of various products.
Why do people hack software?
- Fun / pride
- Money
- Free goodies
- Processing power / coin minting
- Advertisements
- Mind wash (religion / politics)
- Wars
- To bring out vulnerabilities
- Irritating processes
Types of hackers
- Black hat
- Grey hat
- White hat
Hack-1
- Sony Pictures
- $171 million
- Hacked in April to June 2011
- Hacked by: LulzSec
- Cause: SQL injection
- The hack affected 77 million accounts and is still considered the worst gaming community data breach ever. Attackers stole valuable information: full names, logins, passwords, e-mails, home addresses, purchase history, and credit card numbers.
SQL Injection
Hack-2
- Citigroup
- $2.7 million
- Hacked in June 2011
- Caused by: poor implementation of authorization. Secure data was accessible to unauthorized users (URL parameter checks missing).
- Exposed the financial data of more than 360,000 customers
User Profile Bug
- Consider a user story:
  "As an Admin user, I would like to see the profile of any selected user in the system."

User Profile Bug
- UI / Service / Controller / DAO
- Select * from Users where userid = ?   (userid passed from the user's input)

User Profile Bug
- User story extension:
  "As a logged-in user, I should be able to view my profile."
- Developers are lazy
- Concept of re-usability
- Select * from Users where userid = ?   (userid passed from the user's profile)
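The reuse described on these three slides is what turns the admin query into an access-control bug: if the "view my profile" path still takes userid from the request instead of from the logged-in session, any user can fetch any profile (the same missing URL-parameter check as in Hack-2). The Python sketch below is an added example, not code from the presentation; the table contents, the Session class and the three-layer split are assumptions. It keeps the slide's query parameterized (so the Hack-1 cause, SQL injection, does not apply) and shows the vulnerable reuse beside the service-layer check that fixes it.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample data for the slide's Users table: two ordinary users and one admin.
USERS = [
    (1, "alice", "alice@example.com", 0),
    (2, "bob", "bob@example.com", 0),
    (3, "root", "admin@example.com", 1),
]


@dataclass
class Session:
    """Hypothetical server-side session: the identity the server itself established at login.
    Nothing in it comes from the current request."""
    user_id: int
    is_admin: bool


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (userid INTEGER PRIMARY KEY, name TEXT, "
                 "email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", USERS)
    return conn


def dao_select_user(conn: sqlite3.Connection, userid: int):
    """DAO layer: the slide's query with userid bound as a parameter,
    never concatenated into the SQL string."""
    row = conn.execute("SELECT userid, name, email FROM Users WHERE userid = ?",
                       (userid,)).fetchone()
    return None if row is None else {"userid": row[0], "name": row[1], "email": row[2]}


def profile_vulnerable(conn: sqlite3.Connection, session: Session, requested_userid: int):
    """The admin path reused unchanged for "my profile": userid still comes from the
    request, so any logged-in user can read any profile. The session is never consulted."""
    return dao_select_user(conn, requested_userid)


def profile_fixed(conn: sqlite3.Connection, session: Session, requested_userid: int):
    """Service-layer authorization: admins may read anyone, everyone else only the
    userid bound to their own session. Denied requests return None (an HTTP layer
    would answer 403 or 404)."""
    if not session.is_admin and requested_userid != session.user_id:
        return None
    return dao_select_user(conn, requested_userid)
```

The check lives in the service layer rather than the DAO so that the same query can be reused safely: reuse of the data access code is fine, reuse of the trust decision is not.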
Hack-3
- AT&T
- $2 million
- The US carrier was hacked last year, but said no account information was exposed. They said they warned one million customers about the security breach. Money stolen from the hacked business accounts was used by a group related to Al Qaeda to fund terrorist attacks in Asia. According to reports, refunding customers cost AT&T almost $2 million.
Hack-4
- Reginaldo Silva was paid $33,500
- XML external entity vulnerability
- https://www.facebook.com/whitehat

XML external entity vulnerability
- Similar to SQL injection
- Tainted data is inserted in XML
- The XML processor processes the tainted data and becomes the hacker's slave.
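As an added illustration of the XML external entity problem (not code from the slides or from the Facebook report), here is a Python parser wrapper for untrusted XML built on the standard library's expat binding. The defence is to refuse any DOCTYPE or entity declaration before the processor can act on it, since without a DTD nothing can define an entity that points at a local file or URL. The two sample documents and the placeholder system identifier are constructed for the example.

```python
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when untrusted XML tries to declare a DTD or an entity."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML from an untrusted sender and return element names in document order.

    Any DOCTYPE or entity declaration aborts the parse, so the processor never
    resolves an entity chosen by the sender.
    """
    seen = []
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE refused in untrusted input: %r" % name)

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError("entity declaration refused in untrusted input: %r" % name)

    # Belt and braces: never fetch parameter entities even if a DTD were accepted.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)  # an exception raised in a handler propagates out of Parse
    return seen


# Constructed inputs: a plain order document, and the same document carrying a DTD
# that declares an entity with a placeholder system identifier (never fetched).
PLAIN_DOC = b'<?xml version="1.0"?><order><item sku="A1"/></order>'
DTD_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
           b'<order><item sku="A1"/>&ext;</order>')


def is_accepted(data: bytes) -> bool:
    """True if the document parses under the strict policy, False if it was refused."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXmlError:
        return False
```

The same idea applies to any XML library: configure it to reject DTDs (or at least external entities) for documents that arrive from outside, and treat a DOCTYPE in such input as a signal worth logging.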
Is this a hack??
- Kind of legal
- You can switch it off: third-party cookies
- Ads all around

Third Party Cookies
- The old standards (RFC 2109 and RFC 2965) specify that browsers should protect user privacy and not allow sharing of cookies between servers by default.
- The newer standard (RFC 6265) explicitly allows user agents to implement whichever third-party cookie policy they wish.

Third Party Cookies
Advertising companies use third-party cookies to track a user across multiple sites. In particular, an advertising company can track a user across all pages where it has placed advertising images or web bugs. Knowledge of the pages visited by a user allows the advertising company to target advertisements to the user's presumed preferences.
How do Hackers Think?
- Take advantage of any available clues:
  - Error messages
  - Time taken for a request to respond
  - Social networking
  - Input fields: XSS
  - SQL injection
Error Messages
User Story 1:
- "As a user of the system, I want my account to be safeguarded against more than 3 invalid retries. My account must be locked if someone attempts to use trial and error to guess my password."
User Story 2:
- "All error messages must be clear and easy to understand."

Error Messages
- "Your username is invalid"
- "Your password is invalid"
- "You have made 'x' unsuccessful attempts to login. After 3 unsuccessful attempts, your account would be locked out."
- "You have entered an invalid username or password. Please retry"
(The first three tell a guesser whether the username exists or how many tries remain; only the last one gives nothing away.)

Error Messages
- Solution:
  - Do not reveal any information which should not be revealed, directly or indirectly.
  - Make use of CAPTCHA for repetitive requests.
Time taken to Respond
- Solution:
  - Consistent response time for valid and invalid requests.
  - Add client identifiers, and respond with a delay of 100^n nanoseconds,
    where n = number of attempts previously made: 1, 100, 10,000, 1,000,000, ...
  - This wouldn't cause much impact on normal users, but would delay a hacker's activities hugely.
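The two solutions above (one generic failure message from the Error Messages slides, and consistent timing plus a 100^n nanosecond delay keyed to a client identifier from this slide) fit naturally into a single login routine. The Python code below is an added example, not the presentation's own; the account store, the client identifier, the PBKDF2 parameters and the "Welcome" text are assumptions. Unknown usernames are checked against a dummy credential so they cost the same work as real ones, the locked state is never reported to the requester, and the delay grows per client rather than per account so its size reveals nothing about whether the username exists.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

LOCKOUT_THRESHOLD = 3  # the user story's "more than 3 invalid retries"
PBKDF2_ROUNDS = 50_000  # assumed work factor
# One message for every kind of failure: unknown user, wrong password, locked account.
GENERIC_FAILURE = "You have entered an invalid username or password. Please retry."


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random salt; the cost is the same for every input."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_accounts() -> Dict[str, dict]:
    """Constructed account store with one real user."""
    salt, digest = hash_password("correct horse battery staple")
    return {"alice": {"salt": salt, "hash": digest, "failures": 0, "locked": False}}


# Dummy credential verified when the username does not exist, so the request costs
# the same as for a real account and the response time gives no clue.
_DUMMY_SALT, _DUMMY_HASH = hash_password("placeholder-not-a-real-password")


def delay_ns(previous_attempts: int) -> int:
    """The slide's schedule: 100^n nanoseconds after n earlier attempts by the same client
    (1, 100, 10,000, 1,000,000, ...)."""
    return 100 ** previous_attempts


def login(client_id: str, username: str, password: str,
          accounts: Dict[str, dict], clients: Dict[str, int],
          sleep=time.sleep) -> Tuple[bool, str]:
    """Authenticate and return (success, message for the user).

    client_id is the slide's "client identifier" (a hypothetical cookie or device id);
    clients counts attempts per identifier. The delay is applied to every request from
    that client before anything about the username is known.
    """
    attempts = clients.get(client_id, 0)
    sleep(delay_ns(attempts) / 1e9)
    clients[client_id] = attempts + 1

    account = accounts.get(username)
    salt, expected = (account["salt"], account["hash"]) if account else (_DUMMY_SALT, _DUMMY_HASH)
    _, actual = hash_password(password, salt)  # always computed, even for unknown users
    ok = hmac.compare_digest(actual, expected)  # constant-time comparison

    if account is None or account["locked"]:
        return False, GENERIC_FAILURE  # same words as a wrong password
    if ok:
        account["failures"] = 0
        clients[client_id] = 0
        return True, "Welcome"
    account["failures"] += 1
    if account["failures"] >= LOCKOUT_THRESHOLD:
        account["locked"] = True  # tell the owner out of band; never the requester
    return False, GENERIC_FAILURE
```

Passing `sleep` in lets a test record the schedule instead of waiting; the fifth attempt from one client already costs 100 ms and the sixth 10 s, which is why the slide says normal users hardly notice while repeated guessing stalls.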
Security Questions
- "What was your first school?"
- "Where did you first meet your spouse?"
- "What is your birth place?"
- Disadvantage 1: All this information is available on social networking sites.
- Disadvantage 2: The same answer gets entered in many spellings. My first school was
  - Seventh day adventist Sr. Sec School
  - Seventh day
  - 7th day
  - Seven day
  - seven day
  - seventhday
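Disadvantage 2 can be narrowed, though not removed, by canonicalizing the answer before hashing it. The Python below is an added example, not code from the presentation; the ordinal map and the spellings tried are assumptions. Case, spacing, punctuation and "7th" versus "seventh" are absorbed, but "Seven day" and the full school name still fail against an enrolled "Seventh day", which is the slide's point about how weak such questions are.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Dict, Iterable, Tuple

PBKDF2_ROUNDS = 50_000  # assumed work factor

# Hypothetical ordinal map so that "7th" and "seventh" agree after normalization.
_ORDINALS = {"1st": "first", "2nd": "second", "3rd": "third", "4th": "fourth",
             "5th": "fifth", "6th": "sixth", "7th": "seventh", "8th": "eighth",
             "9th": "ninth", "10th": "tenth"}


def normalize_answer(answer: str) -> str:
    """Canonical form: accents stripped, lower-cased, ordinal digits spelled out,
    and all spaces and punctuation removed."""
    text = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode("ascii")
    words = re.findall(r"[a-z0-9]+", text.lower())
    return "".join(_ORDINALS.get(w, w) for w in words)


def enroll_answer(answer: str) -> Tuple[bytes, bytes]:
    """Store only a salted PBKDF2 hash of the canonical answer, as for a password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_answer(stored: Tuple[bytes, bytes], attempt: str) -> bool:
    """Hash the canonical attempt with the stored salt and compare in constant time."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", normalize_answer(attempt).encode("utf-8"),
                                    salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def which_variants_match(enrolled: str, variants: Iterable[str]) -> Dict[str, bool]:
    """For each remembered spelling, report whether it would verify against the enrolled answer."""
    stored = enroll_answer(enrolled)
    return {v: verify_answer(stored, v) for v in variants}
```

Running `which_variants_match("Seventh day", [...])` over the six spellings on the slide shows that normalization rescues the case, spacing and "7th" forms only; the remaining mismatches are a property of the question, not of the code.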
Renowned Hackers
- Kevin Mitnick
- Anonymous
- LulzSec
Security Principles

Apply defense in depth
- Antivirus software
- Authentication and authorization security
- Biometrics
- DMZ
- Firewalls (hardware or software)
- Hashing passwords
- Intrusion protection and detection systems
- Logging and auditing
- Vulnerability detection
- Physical security
- Timed access control
- Internet security awareness
- VPN
- Sandboxing
Positive security model

Fail securely
- Throw meaningful/clear exceptions
- A failure in a security mechanism should lead to the operation being disallowed (in most cases)
- Enable logging and auditing on exceptions
- Analysis of exceptions

Principle of Least Privilege
- Begin with the least privileges
- Provide additional privileges only if required, and after scrutiny
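A small Python authorization helper, added here as an example of the "positive security model", "fail securely" and "least privilege" slides together (it is not code from the presentation). The policy table, the roles and the failing directory stand-in are constructed: everything not explicitly allowed is denied, an exception anywhere in the decision path is logged and counts as a denial, and a new privilege needs a named approver before it is recorded.

```python
import logging
from typing import Callable, Dict, Set

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("authz")

# Constructed allow-list policy (positive security model): role -> permitted actions.
# Nothing outside this table is ever allowed; "viewer" starts with the least it needs.
POLICY: Dict[str, Set[str]] = {
    "viewer": {"report:read"},
    "analyst": {"report:read", "report:export"},
    "admin": {"report:read", "report:export", "user:manage"},
}

# Hypothetical user directory; a real one is a remote call that can fail.
USER_ROLES: Dict[str, str] = {"alice": "viewer", "bob": "analyst", "root": "admin"}


class DirectoryError(Exception):
    """Raised when the role lookup cannot produce an answer."""


def lookup_role(user: str) -> str:
    if user not in USER_ROLES:
        raise DirectoryError("no record for user %r" % user)
    return USER_ROLES[user]


def failing_lookup(user: str) -> str:
    """Constructed stand-in for an outage of the directory service."""
    raise DirectoryError("directory unavailable")


def is_permitted(user: str, action: str,
                 lookup: Callable[[str], str] = lookup_role,
                 policy: Dict[str, Set[str]] = POLICY) -> bool:
    """Fail securely: any exception while deciding is logged and treated as a denial."""
    try:
        role = lookup(user)
        allowed = action in policy.get(role, set())  # unknown role -> empty set -> deny
    except Exception as exc:
        log.error("authorization check failed user=%r action=%r: %s", user, action, exc)
        return False
    if not allowed:
        log.warning("denied user=%r role=%r action=%r", user, role, action)
    return allowed


def grant(role: str, action: str, approved_by: str,
          policy: Dict[str, Set[str]] = POLICY) -> None:
    """Extra privilege only after scrutiny: a named approver is required and written
    to the audit log together with the grant."""
    if not approved_by:
        raise ValueError("privilege grants require a named approver")
    policy.setdefault(role, set()).add(action)
    log.info("granted %r to role %r, approved by %r", action, role, approved_by)
```

Because the denial branch and the error branch both log, the "analysis of exceptions" step on the slide has something to work with: a burst of directory errors or of denials for one user shows up in the same place.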
Avoid security by obscurity

Keep security simple
- To implement
- To understand
- To extend
- To validate
If you like it today
Planning to do an XTR covering
- Send email from any account
- Log the user out by sending an email (URL)
- Movie ticket denial of service
- Security certification in sysinfo
- HackMe Challenge
