NCC Hackers - Creative Digital Careers · NCC Hackers. Dinis Cruz, Chief Information Security...


Page 1: NCC Hackers - Creative Digital Careers · NCC Hackers. Dinis Cruz, Chief Information Security Officer. 15 November 2017. 1. Quick Quiz. 2 What’s the difference? Which language?

NCC Hackers

Dinis Cruz, Chief Information Security Officer

15 November 2017

Page 2:

Quick Quiz


What’s the difference?

Which language?

What is it?

Page 3:

Recap on last session

Page 4:

XSS

Page 5:

XSS


● In the last session we completed a challenge on XSS (Cross Site Scripting)

● This is a technique used by hackers

● XSS is one of the most common weaknesses in software development

● XSS is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser

● An attacker does not directly target his victim

■ They exploit a vulnerability in a website that the victim visits and get the website to deliver the malicious JavaScript for them

■ The malicious JavaScript appears to be a legitimate part of the website; the website acts as an unintentional accomplice to the attacker
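The mechanism described in the bullets above, as an added example that is not part of the NCC Hackers slides: the same server-side page-rendering function written twice, once concatenating a request value straight into the markup (the weakness XSS exploits) and once encoding it first, plus a small check that tells the two outputs apart. The function names, the constructed sample input and the checker are this example's own assumptions; it runs under Node.js with no dependencies.

```javascript
// Added example (not from the slides): why reflected input must be encoded.

// Minimal HTML entity encoding for text placed inside an element body.
// Order matters: '&' is replaced first so later entities are not double-encoded.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable form: the value taken from the request (e.g. a URL parameter)
// is concatenated straight into the page, so any tags it contains become
// part of the website's own markup and run in the visitor's browser.
function renderGreetingUnsafe(nameFromRequest) {
  return `<p>Hello, ${nameFromRequest}!</p>`;
}

// Hardened form: the same value is encoded for the HTML body context, so the
// browser shows it as text and never interprets it as markup or script.
function renderGreetingSafe(nameFromRequest) {
  return `<p>Hello, ${escapeHtml(nameFromRequest)}!</p>`;
}

// Constructed sample input: the textbook XSS probe, used here only to show
// what the encoder does to it.
const SAMPLE_INPUT = '<script>alert(1)</script>';

// Simple detector for the demonstration: does the rendered page contain a
// live <script> element? (A real scanner would need a proper HTML parser.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Render the sample both ways and report whether each result carries a
// script element the browser would execute.
function demo(input = SAMPLE_INPUT) {
  const unsafe = renderGreetingUnsafe(input);
  const safe = renderGreetingSafe(input);
  return {
    unsafe,
    safe,
    unsafeHasScript: containsScriptTag(unsafe), // true
    safeHasScript: containsScriptTag(safe),     // false
  };
}

console.log(demo());
```

Encoding has to match the context the value lands in: `escapeHtml` is right for element bodies and quoted attributes, but a value dropped into a `<script>` block, a URL or an inline event handler needs that context's own encoding, which is why templating engines that escape by default are the usual fix rather than hand-written calls.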

Page 6:

Recap on last session


● Last session we completed a challenge on XSS (Cross Site Scripting)

● This is a technique used by hackers

Page 7:

Any questions?

Page 8:

The Challenge

‘XSS in practice’

Page 9:

How to hack an API…

...and get away with it

Page 10:

Hacking an API


We quickly took you through hacking an API, let’s spend some more time on that...

● API Security is something a company needs to take seriously

● Nobody is going to bail you out if your customers’ credit card numbers are stolen, or your customers’ users’ personal dating data is published on a torrent website

Page 11:

Hacking an API


● If you’re going to attack an API, then you must understand its perimeters

○ Most APIs use the HTTP protocol

○ HTTP is a text-based protocol which is easy to read

Page 12:

Secure APIs


● An API isn’t secure just because it uses SSL (Secure Sockets Layer) or OAuth (Open Authorisation)

● Developers need to make sure that their APIs keep users’ data (usernames and passwords) secure, which means creating a layer of separation between their information and the client

● A hacker will be looking for security standards that aren’t used correctly
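The "layer of separation" the slide asks for, as an added example that is not part of the NCC Hackers slides: a profile endpoint handler that never hands the stored record to the client as-is. Access is decided from the server-side session rather than from the id in the URL, and the response is built from an explicit allow-list of fields, so the password hash can never leak even though the store holds it. The in-memory store, the session shape and the field lists are this example's own assumptions; it runs under Node.js with no dependencies.

```javascript
// Added example (not from the slides): keep stored data and client responses apart.

// Constructed in-memory "database". Real records carry a salted password
// hash like this; the hash values below are placeholders, not real hashes.
const USERS = new Map([
  [42, { id: 42, username: 'alice', email: 'alice@example.com',
         passwordHash: '$2b$12$CONSTRUCTED-PLACEHOLDER-HASH-A', displayName: 'Alice' }],
  [43, { id: 43, username: 'bob', email: 'bob@example.com',
         passwordHash: '$2b$12$CONSTRUCTED-PLACEHOLDER-HASH-B', displayName: 'Bob' }],
]);

// Allow-lists of what a client may see. Anything not listed (notably
// passwordHash) is dropped regardless of what the store holds, so adding a
// new sensitive column later cannot silently widen the response.
const PUBLIC_FIELDS = ['id', 'username', 'displayName'];
const OWNER_FIELDS = [...PUBLIC_FIELDS, 'email'];

// Copy only the listed fields from the stored record into a fresh object.
function toClientView(record, fields) {
  const view = {};
  for (const field of fields) {
    if (Object.prototype.hasOwnProperty.call(record, field)) view[field] = record[field];
  }
  return view;
}

// session.userId is what the server established when the user authenticated
// (over TLS, via OAuth, or otherwise); requestedId is whatever the client put
// in the URL. The two are deliberately kept distinct: TLS and OAuth prove who
// is calling, they do not decide what that caller may see.
function handleGetUser(session, requestedId) {
  if (!session || typeof session.userId !== 'number') {
    return { status: 401, body: { error: 'authentication required' } };
  }
  const record = USERS.get(requestedId);
  if (!record) {
    return { status: 404, body: { error: 'not found' } };
  }
  // Owners see their own contact details; everyone else gets the public view.
  const fields = session.userId === record.id ? OWNER_FIELDS : PUBLIC_FIELDS;
  return { status: 200, body: toClientView(record, fields) };
}

console.log(handleGetUser({ userId: 42 }, 42)); // owner view, includes email
console.log(handleGetUser({ userId: 42 }, 43)); // public view of another user
console.log(handleGetUser(null, 42));           // 401, no session
```

The allow-list is the part that scales: a serializer that *removes* known-bad fields fails open when the schema grows, while one that *selects* known-good fields fails closed.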

Page 13:

It happened to us...

Page 14:

The ‘hacker’s’ blog

Page 15:

The ‘hacker’s’ blog

Page 16:

He went into every detail!

http://www.ifc0nfig.com/moonpig-vulnerability/

Page 17:

The Challenge

‘find a way to login as admin’

Page 18:

Find us on this Slack organisation

https://join.slack.com/t/ncc-hackers/signup