The document provides an overview of common internet security topics such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), password storage best practices, and session security issues. It also discusses server-side security configurations and risks associated with shared hosting environments. Personal security issues are addressed as well, including password management and securing digital communications.
IEEE S&P 2020 - Software Security: from Research to Industry (Minded Security)
Day by day, technology introduces changes that affect many aspects of everyone's life, from private individuals to industry.
In such an ever-changing world, cutting-edge research on application security is one of the topics that requires attention in order to keep up.
Minded Security, since the beginning of its mission, has been focusing on application security research in order to professionally support the analysis and mitigation of old and new threats for its customers.
This talk goes through some of the research performed by Minded Security to improve the security and privacy of its customers.
Running Secure Server Software on Insecure Hardware without a Parachute - RSA... (Nick Sullivan)
In this session we will look in depth into what happens when we throw away the assumption that server hardware is trusted. We discuss advanced techniques for protecting software on untrusted clients and how to apply them to servers running on untrusted hardware. This includes anti-reverse engineering methods, secure key management and how to design a system for renewal.
CloudFlare - The Heartbleed Bug - Webinar (Cloudflare)
An encryption flaw, called the Heartbleed bug, is already referred to as one of the biggest security threats on the Internet. The flaw, announced on April 7th, allows an attacker to pull bits of data from a server and potentially access sensitive information.
How did the Heartbleed bug happen? How does it affect your website? What can you do to protect yourself?
CloudFlare security engineer Nick Sullivan answers these and more questions on this CloudFlare webinar. At the last portion of the webinar we have Ben Murphy (one of the winners of the CloudFlare Heartbleed challenge) on a Q&A session.
For more information on Heartbleed and the CloudFlare challenge, go to: http://bit.ly/1lVKy4O
For more information on CloudFlare, visit www.cloudflare.com or dial 888-99-FLARE.
Defeating Cross-Site Scripting with Content Security Policy, updated (Francois Marier)
How a new HTTP response header can help increase the depth of your web application defenses.
Also includes a few slides on HTTP Strict Transport Security, a header which helps protect HTTPS sites from sslstrip attacks.
An overview of the Node.JS platform from a security perspective. Offers guidance on how to secure node apps, as well as ways to test them as an infosec professional. Presented at Rochester Security Summit 2015.
Content Security Policy (CSP) is a browser security mechanism against content injection. Using the CSP header, browsers can restrict content from just the domains whitelisted in the policy. This session shares lessons learned with deploying CSP at Yahoo.
Ransomware - What you need to know to Safeguard your Data (Inderjeet Singh)
Ransomware is malicious software used by attackers to block access to a computer system until a ransom is paid. The attackers contact the user with ransom demands, most often requesting payment in Bitcoin. Even if you pay the ransom, the attackers may not deliver the key to decrypt the files.
As ransomware attacks continue to grow in number and sophistication, individual PC users and organizations should reassess their current security strategy. There is a common misconception that adding layers of automated defence technologies will reduce the risk of falling victim to ransomware attacks. While endpoint security products and secure email gateways can offer some level of protection, sooner or later a phishing email, the most widely used attack vector, will penetrate the defences and the user will be faced with determining whether or not an email is legitimate or part of an attack.
Presentation on Top 10 Vulnerabilities in Web Application (Md Mahfuzur Rahman)
In this presentation I'm trying to describe the "Top 10 Vulnerabilities in Web Application" according to OWASP (Open Web Application Security Project).
--The top 10 security mistakes that developers make
--How to design software with an assurance of security
Basic security principles for information systems development/deployment. Information security is concerned with the confidentiality, integrity, and availability of information. From these three 'pillars', the following principles must be applied when implementing and maintaining an information system: Accountability.
One of the most important factors supporting the protection of critical network infrastructure is the reaction time of the security incident response team (Incident Response Team).
The sooner, the better. Solutions that support early detection of attacks based on passive analysis of DNS queries, NetFlow data sets or PCAP are worth supplementing with honeynet-type infrastructure, which is increasingly appreciated and used in production. Sensible placement of honeypot probes in different network segments allows an attack to be detected already in the initial phases of reconnaissance and enumeration. Thanks to honeypots we often also obtain detailed information about a new attack technique, an attempt to exploit a 0-day bug, or a very specific use of tools that have been known for years.
"Know your enemy" is the motto we should follow when developing the defensive skills of security teams, and a honeypot network definitely has great value here.
During the talk I will try to present the ways of using, and the capabilities offered by, open-source honeypot solutions. We will talk about individual projects imitating real services (DNS, SMB, SSH, SCP/SFTP, FTP, telnet, HTTP, TFTP, MySQL/MSSQL, RDP and many others), injecting honeypot content into web applications via a reverse proxy, attacking the attackers ;), and finally dedicated platforms with a built-in ELK stack.
The recent SA-CORE-2014-005 vulnerability has demonstrated that hackers have learnt how to take advantage of Drupal’s functionality to infect a site and go unnoticed. Site builders and site maintainers have a large role to play in preventing these kinds of disasters. Security doesn’t have to be a pain to implement and plan for.
The primary goal of this session is to give people a solid basis in the most common security issues so they can quickly identify those security issues. From there, we'll move into some other common pain-points of site builders like frequently made mistakes, modules to enhance security, and evaluating contributed module quality.
Hacking Vulnerable Websites to Bypass Firewalls (Netsparker)
These slides were used by our security researcher Sven Morgenroth during the live demo of how to hack web applications and bypass firewalls. You can watch the live demo here: https://www.netsparker.com/blog/web-security/vulnerable-web-applications-developers-target/#livedemo
Having been a Penetration Tester for the last 15+ years I have seen many environments and technologies. I have had the pleasure / hell of testing systems I’ve never even heard of and the agony of defeat on a major scale. Instead of just going over what we used to work our way in, I want to go over the tricks the BLUE team used to keep us out! We will go over the technologies and techniques that have turned our traditional paths to root from minutes to months and the tricks that got us “caught” along the way. Not all pentests are a dream and the nightmares CAN / DO happen. So, let’s talk about how YOUR environment can become an attacker's worst nightmare instead of their favorite playground.
Using advanced security and data-protection features (MariaDB plc)
MariaDB has the most comprehensive set of security of features available in an enterprise open source database, rivaling those of proprietary databases. In this session, MariaDB's Anders Karlsson explores some advanced security capabilities, including the built-in database firewall and data masking, both needed to fully protect personally identifiable and/or sensitive personal information (PII/SPI). He then takes a look at the new security features in MariaDB Server 10.4, from client-side encryption to password-crack detection.
5. SQL injections
● Creating queries by string concatenation is “the wrong way”
● The classic PHP MySQL API runs only one statement per call, so stacked queries ("; DROP TABLE ...") fail, but UNION- and OR-based injection still works
● Let the DB do the validation: use parameterized queries
● ORM frameworks lift the burden
● It is easy to forget to validate inline SQL somewhere
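The two query styles side by side, as an added example that is not from the slides. It assumes PHP 7.x with the pdo_sqlite extension; the users table, its rows and the payload are constructed here so the script runs offline without a MySQL server.

```php
<?php
// Added example (not from the slides): string concatenation vs. a prepared
// statement, run against an in-memory SQLite database so it works offline.
// The table, rows and payload are constructed for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)');
$db->exec("INSERT INTO users (name, pass) VALUES ('kristaps', 'secret'), ('admin', 'hunter2')");

// The wrong way: user input is spliced into the SQL text.
function loginConcat(PDO $db, string $user, string $pass): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '$user' AND pass = '$pass'";
    return (int) $db->query($sql)->fetchColumn();
}

// The right way: the SQL text is fixed, values travel separately as parameters
// and can never change the structure of the statement.
function loginPrepared(PDO $db, string $user, string $pass): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE name = :u AND pass = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return (int) $stmt->fetchColumn();
}

// Classic payload: closes the string literal and makes the WHERE clause
// always true ("... AND pass = '' OR '1'='1'").
$payload = "' OR '1'='1";

printf("concat   with payload: %d row(s)\n", loginConcat($db, 'nobody', $payload));
printf("prepared with payload: %d row(s)\n", loginPrepared($db, 'nobody', $payload));
printf("prepared legit login : %d row(s)\n", loginPrepared($db, 'kristaps', 'secret'));
```

With the payload the concatenated query matches every row (AND binds tighter than OR, so the trailing '1'='1' is always true), while the prepared statement matches none because the payload is compared literally against the pass column. Note that no stacked query was needed, which is why the "only one statement per call" property of the old MySQL API is not a defence.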
7. XSS
● Escape HTML/JS/XML special characters on output, for the context the data lands in (element body, attribute, script, URL)
● The vulnerability can exist purely on the client side (DOM XSS in JS)
● It gets hairy with JS, AJAX, JSONP etc.
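Context-aware output escaping, as an added example that is not from the slides. The attacker-controlled $name and the helper names e(), js() and q() are this example's own; it assumes PHP 7.3+ for JSON_THROW_ON_ERROR.

```php
<?php
// Added example: escaping for the places untrusted data usually lands.
// $name is constructed attacker input for the demonstration.
$name = '<script>alert(1)</script>" onmouseover="alert(2)';

// Vulnerable: the raw value is echoed into the page.
// echo '<p>Hello, ' . $name . '</p>';

// HTML body and attribute values: encode & < > " ' (ENT_QUOTES also covers
// single-quoted attributes) and declare the charset so bytes are not misread.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Data handed to JavaScript: emit JSON with the HTML-relevant characters
// hex-escaped, so a literal "</script>" inside the string cannot close the tag.
function js($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// URL query parameter: percent-encode; never let the user supply the scheme.
function q(string $s): string
{
    return rawurlencode($s);
}

echo '<p>Hello, ' . e($name) . "</p>\n";
echo '<input value="' . e($name) . "\">\n";
echo '<script>var user = ' . js($name) . ";</script>\n";
echo '<a href="/profile?user=' . q($name) . "\">profile</a>\n";
```

One escaper per context is the point: htmlspecialchars() output is safe inside an element or a quoted attribute but not inside a script block or a URL, and json_encode() output is safe as a JavaScript value but not as HTML. A template engine that auto-escapes by context (or CSP, covered in the related talks above) removes the "forgot one echo" failure mode.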
8. CSRF
<img src="http://www.bank.lv/pay?to=kristaps&amount=100" />
● A third-party page makes the victim's browser send a request to the web site, with the victim's cookies attached
● Include a unique token in each response and validate it on every state-changing request
● Never update data with GET
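The synchronizer-token pattern for the slide's "pay" form, as an added example that is not from the slides. Function names, the /pay path and the field names are this example's own; it assumes PHP 7.0+ for random_bytes().

```php
<?php
// Added example: per-session CSRF token, checked only on POST.
session_start();

// One random token per session, created on first use and reused afterwards.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Constant-time comparison; a missing or non-string token is a failure.
function csrfValid(array $post): bool
{
    return isset($_SESSION['csrf'], $post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($_SESSION['csrf'], $post['csrf']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST)) {
        http_response_code(403);
        exit('CSRF token missing or wrong');
    }
    // ... perform the transfer here, only after the token check passed ...
    exit('transfer accepted');
}

// GET only renders the form; the state change happens on POST, so the
// <img src="...pay?to=...&amount=..."> trick from the slide does nothing.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="/pay">
  <input type="hidden" name="csrf" value="$token">
  <input name="to" value="kristaps">
  <input name="amount" value="100">
  <button>Pay</button>
</form>
HTML;
```

The token lives in the server-side session and is compared with hash_equals() so its value cannot be recovered by timing. An attacker's page can still make the browser POST to /pay, but it cannot read the token out of the victim's form because of the same-origin policy, so the check fails.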
9. Storing passwords
● Do not expose DB / other credentials
● MD5 is too “cheap”. SHA-1 is not “expensive enough”
● Make hash functions slow
● Multiple iterations
● Bcrypt (in PHP: password_hash)
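Bcrypt through PHP's password_hash(), as an added example that is not from the slides. It shows the three operations a login path needs: choosing a cost, verifying, and transparently re-hashing when the cost is raised later. The 100 ms target, the function names and the sample password are this example's own choices; it assumes PHP 7.1+.

```php
<?php
// Added example: slow, salted password storage with bcrypt.
// $password is a constructed value for the demonstration.
$password = 'correct horse battery staple';

// Raise the cost until one hash takes roughly the target time on this
// machine; the result is what you put in the application config.
function tuneCost(float $targetSeconds = 0.1): int
{
    $cost = 10;
    do {
        $cost++;
        $start = microtime(true);
        password_hash('benchmark', PASSWORD_BCRYPT, ['cost' => $cost]);
    } while (microtime(true) - $start < $targetSeconds && $cost < 31);
    return $cost;
}

$cost = tuneCost();

// Store only this string; it embeds the algorithm, the cost and a random
// 128-bit salt, so no separate salt column is needed.
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);

// Verification reads the parameters back out of the stored hash.
// Returns [ok, hashToStore]; the hash changes when it was upgraded.
function checkLogin(string $stored, string $candidate, int $cost): array
{
    if (!password_verify($candidate, $stored)) {
        return [false, $stored];
    }
    // The configured cost went up since this hash was made: replace it now,
    // while we still have the plaintext, instead of forcing a reset.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost])) {
        $stored = password_hash($candidate, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return [true, $stored];
}

[$ok, $stored] = checkLogin($stored, $password, $cost);
[$bad] = checkLogin($stored, 'wrong password', $cost);
var_dump($ok, $bad);
```

Two caveats a practitioner hits with bcrypt: the input is truncated at 72 bytes, so very long passphrases beyond that point do not add strength, and the cost must be re-tuned as hardware gets faster, which is exactly what the password_needs_rehash() branch handles on the next successful login.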
10. Authorization vs Authentication
Authentication: verifying the user's credentials. Usually done once per session.
Authorization: checking that the user is allowed to perform a particular action. Must be done on every request.
11. Session fixation
● Session cookie stealing / guessing
● Regenerate the session ID on login (session_regenerate_id), so an ID the attacker planted before login is never promoted to an authenticated one
● Tie sessions to IP address / User-Agent (with care: mobile and proxied users change IP)
● Expire / invalidate sessions
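Session hardening covering the points on this slide, as an added example that is not from the slides. It assumes PHP 7.3+ (array form of session_set_cookie_params() and setcookie()); the idle limit, function names and the choice to pin User-Agent but not IP are this example's own.

```php
<?php
// Added example: fixation-resistant, expiring sessions.

// Cookie attributes: not readable from JS, only over HTTPS, not sent on
// cross-site requests (which also blunts CSRF).
session_set_cookie_params([
    'lifetime' => 0,      // session cookie, removed when the browser closes
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1');  // refuse IDs the server did not issue
ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
session_start();

const IDLE_LIMIT = 15 * 60; // seconds of inactivity before the session dies

function loginUser(int $userId): void
{
    // Fixation defence: a fresh ID the moment the privilege level changes,
    // and the old one is deleted so a planted ID stops working.
    session_regenerate_id(true);
    $_SESSION['uid']  = $userId;
    $_SESSION['ua']   = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['seen'] = time();
}

function currentUser(): ?int
{
    if (!isset($_SESSION['uid'])) {
        return null;
    }
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua'] ?? '', $ua)
        || time() - ($_SESSION['seen'] ?? 0) > IDLE_LIMIT) {
        logoutUser();
        return null;
    }
    $_SESSION['seen'] = time();
    return $_SESSION['uid'];
}

function logoutUser(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
    session_destroy();
}
```

The IP pin from the slide is deliberately left out: carrier NAT, corporate proxies and Wi-Fi-to-mobile handovers change the client address mid-session, and an attacker who can steal the cookie can usually copy the User-Agent too. The defences that carry the weight are HttpOnly plus TLS (the cookie is not exposed), use_strict_mode plus regeneration (a planted ID is useless) and the idle timeout (a stolen cookie stops working soon).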
17. One .php file is one script
The PHP engine has no “application” concept: every .php file under the document root is its own entry point.
Class files, configuration files etc. should not be executable on their own ...
... and everything that is not .php is, by default, served to the browser as plain text (so keep includes and configuration outside the document root, or deny them in the web server configuration).
18. include and require accept URLs as parameters
Remote code injection made dead easy (controlled by allow_url_include)
If you disable allow_url_fopen, you cannot open any URL at all (without cURL); allow_url_include is a separate setting and can be turned off on its own
19. All these settings should be disabled by default
On most hosting servers they are not
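A small audit script for the settings discussed on slides 17 to 19, as an added example that is not from the slides: drop it on a hosting account and see which of them are actually off. The list of directives and the "safe" values are this example's own choices.

```php
<?php
// Added example: report php.ini directives that are still in an unsafe state.
// The expected values below are this example's choices, not a list from the slides.
$expect = [
    'allow_url_include'       => '0', // include/require of http:// paths
    'allow_url_fopen'         => '0', // fopen()/file_get_contents() of URLs; use cURL instead
    'display_errors'          => '0', // stack traces and file paths sent to the browser
    'expose_php'              => '0', // X-Powered-By header with the PHP version
    'register_globals'        => '0', // removed in PHP 5.4; only ancient hosts still have it
    'session.use_strict_mode' => '1', // refuse session IDs the server did not issue
    'session.cookie_httponly' => '1', // session cookie not readable from JavaScript
];

// Returns the directives whose current value differs from the expected one.
function auditIni(array $expect): array
{
    $bad = [];
    foreach ($expect as $key => $want) {
        $have = ini_get($key);
        if ($have === false) {
            continue; // directive unknown to this PHP build: nothing to check
        }
        // ini values come back as "1"/"0", "On"/"Off", "" etc.; normalise to a flag.
        $off  = in_array(strtolower((string) $have), ['', '0', 'off', 'false', 'no'], true);
        $norm = $off ? '0' : '1';
        if ($norm !== $want) {
            $bad[$key] = $have;
        }
    }
    return $bad;
}

$bad = auditIni($expect);
if ($bad === []) {
    echo "all checked directives are in the expected state\n";
}
foreach ($bad as $key => $value) {
    echo "unsafe: $key = " . var_export($value, true) . "\n";
}
```

Most of these are PHP_INI_SYSTEM or PHP_INI_PERDIR directives, so on shared hosting they cannot be changed from the script with ini_set(); the fix is php.ini, a .user.ini file, or the provider's control panel, and this script tells you whether that fix took effect. Delete it from the document root afterwards, since it reveals configuration to anyone who can request it.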
21. TLS (SSL)
● Public-key infrastructure (PKI)
● Server verification and data encryption
● Ultimate trust in Certificate Authorities (CAs)
● Don't use self-signed certificates. Roll out your own CA instead, and install its root certificate on the clients.
22. Secure / insecure protocols
● HTTP sends all information in plaintext
● So do FTP / IMAP / POP3 / SMTP
● Use HTTPS / SFTP / IMAPS / POP3S / SMTP over TLS
● DNS is built on trust. DNSSEC is not (yet) deployed widely enough to rely on.
23. [D]DoS
● DoS – “a million” requests from one client
● DDoS – “a zillion” requests from “a million” clients
● Handle DoS at the firewall level
● Try to survive DDoS at the router level
24. Shared hosting
● Easy, fast, secure – pick two
● “Jail” each site
● SELinux / AppArmor to the rescue
● IDS / mod_security is slow
● Test backups
25. Real life 100% secure system
Slide intentionally left blank
27. Passwords
Passwords are like underwear: you don't share them and you change them often.
Use a password manager, e.g. KeePassX
28. Think
● Don't use plaintext protocols over open WiFi
● Secure your home router
● Check URLs and filenames
● Malware doesn't expose itself anymore:
  ● Botnets
  ● Information stealing
● Avoid buggy and insecure software (Flash and Acrobat Reader)
30. Handling incidents
● Not all hackers are bad
● Preserve evidence
● Presume that the attacker obtained the maximum amount of information
● Treat the whole system as compromised (rebuild rather than clean)
● Eliminate the attack vectors
● Offline backups help
32. Further reading
● www.owasp.org – knowledge
● www.cert.lv – Latvian network security team
Books
● Stealing the Network: How to Own the Box by Ryan Russell et al. – hacking “fiction”
● The Art of Deception by Kevin Mitnick – social-engineering stories