Post on 12-Jul-2020


SWAT 2014: The Futility of 1.0 Technology against 2.0 Web Application Hacking

Jason Lin, Corporate Security Officer, Ontario Telemedicine Network

Blair Campbell, Senior Manager, Privacy, Scotiabank

DISCLAIMER

The content and opinions expressed within and during this presentation are solely my personal opinions. They do not represent the positions, opinions, viewpoints, policies and/or statements of my employer.

May 8, 2014

Jason C. Lin, Corporate Security Officer, Ontario Telemedicine Network

Security 1.0 versus Security 2.0

Legacy Approach: Locked-down servers and firewalls are futile against web application threats.

Modern Approach: Organizations need to ‘harden’ the entire technical service ecosystem consisting of infrastructure, network, AND application.

Risk Trends

1. Injection

2. Broken Authentication and Session Management

3. Cross-Site Scripting (XSS)

4. Insecure Direct Object References

5. Security Misconfigurations

6. Sensitive Data Exposure

7. Missing Function Level Access Control

8. Cross-Site Request Forgery (CSRF)

9. Using Components with Known Vulnerabilities

10. Unvalidated Redirects and Forwards

Data Breaches

Records       Date        Organization
586           2014-03-24  Orlando Health, Arnold Palmer Hospital for Children, Winnie Palmer Hospital for Women & Babies
5,400         2014-03-17  Valley View Hospital
150,000,000   2012-03-17  Shanghai Roadway D&B Marketing Services Co. Ltd
152,000,000   2013-10-03  Adobe Systems, Inc.
130,000,000   2009-01-20  Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank, North Middlesex Savings Bank, Golden Chick
110,000,000   2013-12-18  Target Brands, Inc.

Source: Data Loss DB (datalossdb.org)

A1 – Injection

Technical Impact: Can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover.

Business Impact: Consider the business value of the affected data and the platform running the interpreter. All data could be stolen, modified, or deleted. Could your reputation be harmed?

A2 – Broken Authentication and Session Management

Technical Impact: May allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.

Business Impact: Consider the business value of the affected data or application functions. Also consider the business impact of public exposure of the vulnerability.

A3 – Cross-Site Scripting (XSS)

Technical Impact: Attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.

Business Impact: Consider the business value of the lost data and impact to your reputation. What is your legal liability if this data is exposed? Also consider the damage to your reputation.

A6 – Sensitive Data Exposure

Technical Impact: Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive data such as health records, credentials, personal data, credit cards, etc.

Business Impact: Consider the business value of the lost data and impact to your reputation. What is your legal liability if this data is exposed? Also consider the damage to your reputation.

A9 – Using Components with Known Vulnerabilities

Technical Impact: The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise.

Business Impact: Consider what each vulnerability might mean for the business controlled by the affected application. It could be trivial or it could mean complete compromise.

Requirements Testing

Recommendations

Reputation

• Enhance the credibility of your organization and its development team

• Reduce loss of revenue and reputation due to a breach resulting from insecure software

Governance

• Develop an InfoSec program

• Manage security throughout your organization

Security

• Proactively inject security throughout the SDLC

• Privacy by Design

Costs

• Reduce costs by securing up front

• Reduce production costs, application vulnerabilities and delivery delays

Conclusion

ENCRYPTION 101

Blair Campbell, Senior Manager, Privacy, Scotiabank

May 8, 2014

DISCLAIMER

The content and opinions expressed within and during this presentation are solely my personal opinions. They do not represent the positions, opinions, viewpoints, policies and/or statements of my employer.

TABLE OF CONTENTS

1. What is Encryption?

2. An Encryption Timeline

3. Terms

4. Key Length / Size

5. 128-bit Key Brute Force Attack

6. Asymmetrical Encryption

7. Symmetrical Encryption

8. Man in the Middle Attack

9. GCHQ – FLYING PIG

10. Questions

What Is Encryption?

An Encryption Timeline – 1900 BC

Khnumhotep II

An Encryption Timeline – 1900 BC

Scytale

An Encryption Timeline – 50 BC

Caesar Cipher

An Encryption Timeline – 1586

Blaise de Vigenère

An Encryption Timeline – 1930s

Enigma Machine

An Encryption Timeline – Mid 1970s

Symmetric-key Encryption

An Encryption Timeline – Mid 1970s

Asymmetric-key Encryption

Terms

Plaintext – text in human-readable form

Ciphertext – encrypted plaintext

Encryption Key – an encryption key specifies the particular transformation of plaintext into ciphertext, or vice versa during decryption.

Digital Certificate – also known as a public key certificate; a digitally signed document that serves to validate the sender's authorization and name.

Key Length / Size

Length    Possible Key Combinations
2-bit     2 x 2 = 4
16-bit    2 x 2 x 2 x 2 x 2 x 2 x 2 x 2 … = 65,536
56-bit    2 x 2 x 2 x 2 x 2 x 2 x 2 x 2 … = 72 thousand quadrillion
128-bit   2 multiplied by 2, 128 times over = 339,000,000,000,000,000,000,000,000,000,000,000,000

128-bit Brute Force Attack

If you assume:

• There are 7 billion people on the planet.

• Every person on the planet owns 10 computers.

• Each of these computers can test 1 billion key combinations per second.

• On average, you can crack the key after testing 50% of the possibilities.

Then the earth’s population can crack one encryption key in 77,000,000,000,000,000,000,000,000 years!
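As an added worked check (not part of the original slides), this Python script computes the key-space sizes from the Key Length / Size table and the exhaustive-search time from the brute-force slide's four assumptions, using exact integers; the 365-day year is an assumption of the script.

```python
# Added example, not from the slides: reproduce the key-space table and the
# 128-bit brute-force estimate from the stated assumptions.

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # assumption: a 365-day year


def key_space(bits: int) -> int:
    """Number of possible keys for a key of the given bit length (2 ** bits)."""
    return 1 << bits


def brute_force_years(bits: int,
                      people: int = 7_000_000_000,
                      computers_per_person: int = 10,
                      keys_per_second: int = 1_000_000_000,
                      fraction_searched: float = 0.5) -> float:
    """Expected years to recover one key by exhaustive search.

    Defaults are the slide's assumptions: 7 billion people, 10 computers
    each, 1 billion guesses per second per computer, and success on average
    after half of the key space has been tried.
    """
    guesses_needed = key_space(bits) * fraction_searched
    guesses_per_second = people * computers_per_person * keys_per_second
    return guesses_needed / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for bits in (2, 16, 56, 128):
        print(f"{bits:>3}-bit key: {key_space(bits):,} possible keys")
    print(f"128-bit exhaustive search: {brute_force_years(128):.2e} years")
```

With exactly those inputs the arithmetic gives roughly 7.7e10 (77 billion) years; the slide quotes a much larger figure, so restate the assumptions whenever the number is reused.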

Asymmetric-key Encryption

Symmetric-key Encryption

Man in the Middle Attack

Man in the Middle Attack (cont.)

GCHQ – FLYING PIG

GCHQ – FLYING PIG (cont.)

Questions