2. ImagePass
An authentication system based on graphical passwords:
▸ Photo recognition
▸ Uses a training set of 5x6 photos
▸ Authentication set of 4x4 photos
▸ Single-object photos are used
9. Cloud security threats
▸ Data Loss and Data Breaches
▸ Account or Service Hijacking
▸ Insecure Interfaces and APIs
▸ Malicious Insiders
▸ Abusive use of Cloud Services
11. Cloud security attacks
SQL Injection
❏ Avoid dynamically generated SQL queries
❏ Filter input data before it is written to the database
❏ Parameterized queries and prepared statements
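The three SQL injection countermeasures above, shown as an added example (not part of the original slides) using Python's sqlite3 module. The table, function names, username allow-list and sample inputs are assumptions constructed for illustration.

```python
import re
import sqlite3

# Assumed allow-list policy for usernames (hypothetical, adjust per application).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db():
    """In-memory database filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def find_user_dynamic(db, name):
    """Anti-pattern: the SQL text itself is built from user input."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def find_user_param(db, name):
    """Parameterized query: input is bound as a value, never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


def add_user(db, name, role="user"):
    """Filter input before the write, then insert with bound parameters."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username rejected by allow-list")
    db.execute("INSERT INTO users VALUES (?, ?)", (name, role))


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed test input containing SQL syntax
    # Dynamic query: the quote ends the literal, so the WHERE clause is rewritten.
    print("dynamic:      ", find_user_dynamic(db, crafted))
    # Bound parameter: the same string is compared as a plain name, no match.
    print("parameterized:", find_user_param(db, crafted))
    try:
        add_user(db, crafted)
    except ValueError as exc:
        print("write blocked:", exc)
```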
MITM (Man In The Middle)
❏ Properly configured SSL [7]
❏ Use of encryption tools: Dsniff, Ettercap, Wsniff, Airjack
20. Cloud security attacks
Countermeasures against sniffing attacks:
➢ Preventing the use of insecure networks
➢ Using a VPN - message encryption
➢ Using IDS systems for alerting
28. Defenses against database attacks
1. Access control
- Mandatory access control
- Discretionary access control
- Role-based access control
29. Defenses against database attacks
2. Data encryption
- The process of converting plaintext into encoded text based on an encryption key and an algorithm
30. SQLIA post-generated approach
SQLIA:
▸ Context Sensitive String Evaluation
▸ Parse tree evaluation based on grammar
▸ Positive tainting and Syntax aware evaluation
▸ Pixy
▸ Program Query Language
32. Attacks on data transported over HTTPS
▸ Man In The Middle [13]
▸ Heartbleed [14]
▸ ARP Spoofing
▸ DNS Spoofing
▸ Triple Handshake Authentication Attack [15]
▸ DROWN [16]
39. References
● [1] - Amara, N., Zhiqui, H. and Ali, A., 2017, October. Cloud computing security threats and attacks with their mitigation techniques. In 2017 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC) (pp. 244-251). IEEE.
● [2] - Chou, T.S., 2013. Security threats on cloud computing vulnerabilities. International Journal of Computer Science & Information Technology, 5(3), p.79.
● [3] - "Cloud Computing-ENISA-Benefits, risks, and recommendations for information security," ENISA, 2009
● [4] - "CSA: The Notorious Nine Cloud Computing Top Threats," Cloud Security Alliance, 2013
● [5] - A. Behl, "Emerging security challenges in cloud computing: An insight to cloud security challenges and their mitigation," in World Congress on Information and Communication Technologies (WICT), Mumbai, India, 2011
● [6] - J. G. a. I. M. Mohamed Al Morsy, "An Analysis of the Cloud Computing Security Problem," in Proceedings of APSEC Cloud Workshop, Sydney, Australia, 2010
● [7] - P. K. A. Freier, "Netscape Communications," August 2011.
● [8] - A. B. P. Rakshitha C M, "A survey on detection and mitigation of zombie attacks in the cloud environment," in 2nd International Conference on Applied and Theoretical Computing and Communication Technology (iCATccT), Bangalore, India, 2016.
● [9] - What is a DNS attack? - https://cybernews.com/resources/what-is-a-dns-attack/
● [10] - What is Packet Sniffing Attack? - Types and How to Prevent It? - https://www.thecrazyprogrammer.com/2021/12/packet-sniffing-attack.html#How_to_Prevent_Packet_Sniffing_Attack
● [11] - Michael Soltys, March 31, 2020. - Cybersecurity in the AWS Cloud
● [12] - S. Kulkarni and S. Urolagin, "Review of Attacks on Databases and Database Security Techniques", International Journal of Emerging Technology and Advanced Engineering, vol. 2, no. 11, November 2012, ISSN 2250-2459.
40. References
● [13] - Kefei Cheng, Tingqiang Jia, Meng Gao, Research and Implementation of Three HTTPS Attacks, Journal of Networks, vol. 6, no. 5, May 2011
● [14] - Marco Carvalho, Jared DeMott, Richard Ford, David A. Wheeler, Heartbleed 101, published by the IEEE Computer and Reliability Societies, July/August 2014
● [15] - Ali Alkazimi, Eduardo B. Fernandez, A Misuse Pattern for Transport Layer Security (TLS): Triple Handshake Authentication Attack
● [16] - Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar and Yuval Shavitt, DROWN: Breaking TLS using SSLv2, Proceedings of the 25th USENIX Security Symposium, August 2016