Lotus Security Part I
Sanjaya K Saxena
Building Rock Solid Lotus Domino Security Part I - Essential Information Security Concepts
Lotus Security Part I
1. Lotus Domino: Building Rock Solid Security, Part I
© Sanjaya Kumar Saxena

2. The Alarming Truth
[Collage of news clippings from January and February 2008. Recoverable headlines: Italian bank hit by XSS fraudsters (Netcraft, Jan 8, 2008); Chinese hackers steal 18 million identities (HackBase.com / IndiaTimes.com, Feb 10, 2008); hackers break into Ecuador's presidential website (Thaindian, Feb 11, 2008); Mac blogs defaced by XSS (The Register, Feb 17, 2008); RIAA wiped off the Net (The Register, Jan 20, 2008); Greek ministry websites intrusion (eKathimerini, Jan 2008); your free MacWorld Expo Platinum Pass (CNet, Jan 2008); hacker steals Davidson Co.'s client data (Falls Tribune, Feb 4, 2008); drive-by pharming in the wild (Symantec, Jan 21, 2008); further clippings from the Washington Post, Information Week and AP, February 2008.]
3. Vulnerability Consequences
[Chart: vulnerability consequences as a percentage of overall disclosures in 2006-2008]

4. Vulnerabilities by Attack Technique
[Chart: vulnerabilities broken down by attack technique]
5. What is Information?
Knowledge acquired through study, experience or instruction; a collection of facts or data.
In our context (ISO 27K): an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected.
Categories: Internal, External, Customer, Outsourced

6. What is Security?
Freedom from danger, risk, etc.; safety.
Precautions taken to guard against crime, attack, sabotage, espionage, etc.

7-8. What is Information Security?
"The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats."
(from the U.S. National Information Systems Security Glossary)

9. What is Information Security? (from ISO 27001)
Confidentiality: ensuring that information is accessible only to those authorized to have access.
Integrity: safeguarding the accuracy and completeness of information and processing methods.
Availability: ensuring that authorized users have access to information and associated assets when required.

10. What is a Threat?
Something that is a source of danger ("Earthquakes are a constant threat in Japan").
In our context: unwanted events that may result in harm to asset(s); may be deliberate or accidental; exploit known vulnerabilities.

11. Information Security Threats
A threat is characterised by:
Source: Internal, External
Technique: Structured, Unstructured
Method: Eavesdropping, Privacy, Authentication, Repudiation, Unauthorized Access, Denial of Service

12. Vulnerabilities
A weakness in the system; the result of a bug or a design/deployment flaw.
Common vulnerabilities: Buffer Overflow, SQL Injection, Cross Site Scripting (XSS), Directory Traversal.
SPAM is the result of SMTP vulnerabilities.

13. Threats and Counter Measures
Eavesdropping: Cryptography
Privacy: Cryptography
Authentication: Passwords/Certificates
Repudiation: Digital Signatures
Unauthorized Access: ACLs/Cryptography
Denial of Service: Availability/Firewall
14. SQL Injection
SQL injection vulnerabilities occur due to improper validation of user input fields. The attack can be mounted when form field contents are used to build SQL statements dynamically inside the code, which are subsequently executed. This may allow the attacker to include malicious code in the dynamically created SQL statement by manipulating the data entered in the input field. The attacker may gain access to the back-end database, allowing him/her to read, delete and modify information. A SQL injection attack at the time of logging into an application is shown in the following slides.

15-16. SQL Injection: the login form
A login form with the fields Username and Password (plus "Remember Me", "LOGIN" and "Forgot Password?"); the user enters UserID and Password123.

17-19. SQL Injection: how the statement is built
The application concatenates the two field values into the query text:

Statement = "Select * from tUsers where userid = '" + UserID + "' AND password = '" + Password123 + "'";

20-21. SQL Injection: normal login
With the values sks / pw3007 the executed statement is:

SELECT * from tUsers where userid = 'sks' AND password = 'pw3007'

and it matches the row in tUsers:

UserID | Username | Password | User's Name
9876   | sks      | pw3007   | Sanjaya K Saxena

22-25. SQL Injection: the attack
The attacker enters the following in the UserID field:

' or 1=1 --

The application builds:

SELECT * from tUsers where userid = '' or 1=1 --' AND password = 'pw3007'

The quote closes the userid literal, "or 1=1" makes the condition true for every row, and "--" comments out the rest of the statement including the password check, so the query returns every user.
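The login query from slides 17-25, as an added example that is not part of the deck: the concatenated form the slides show, beside the parameterized form that closes the hole. It uses Python's built-in sqlite3 module with an in-memory table; the table layout, the sample row (sks / pw3007) and the injected input are constructed to match the slides.

```python
"""Added example (not from the deck): the deck's login query built by string
concatenation, beside the parameterized form. Table contents are constructed
to match the slides' sample row."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's back-end database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tUsers (userid TEXT, password TEXT, name TEXT)")
    conn.execute("INSERT INTO tUsers VALUES ('sks', 'pw3007', 'Sanjaya K Saxena')")
    conn.commit()
    return conn


def build_statement(userid: str, password: str) -> str:
    """The construction from slide 17: user input pasted straight into the SQL text."""
    return ("SELECT * FROM tUsers WHERE userid = '" + userid
            + "' AND password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, userid: str, password: str) -> bool:
    """True if the concatenated statement finds at least one row. Input that
    closes the quote and comments out the remainder (slide 22) is executed
    as SQL, so the password check disappears."""
    return conn.execute(build_statement(userid, password)).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, userid: str, password: str) -> bool:
    """Same query with bound parameters: the driver hands the values to the
    engine separately from the SQL text, so they are only ever compared as
    literal strings and never parsed as SQL."""
    row = conn.execute(
        "SELECT * FROM tUsers WHERE userid = ? AND password = ?",
        (userid, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(build_statement("' or 1=1 --", "pw3007"))
    print("vulnerable, valid credentials:   ", login_vulnerable(db, "sks", "pw3007"))
    print("vulnerable, injected userid:     ", login_vulnerable(db, "' or 1=1 --", "wrong"))
    print("parameterized, valid credentials:", login_parameterized(db, "sks", "pw3007"))
    print("parameterized, injected userid:  ", login_parameterized(db, "' or 1=1 --", "wrong"))
```

The parameterized query is the fix the slide's own wording points at: validation of the input helps, but binding the values is what guarantees they cannot change the statement. Storing passwords in clear text, as the slide's table does, is a separate weakness the example leaves untouched.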
26. XSS Attack
Cross Site Scripting vulnerabilities occur when a web based application does not validate user inputs on form fields, the syntax of URLs, etc. An attacker can embed their own code into the data entry form, manipulating the appearance and/or behavior of the page. A web link is crafted and placed on the page in a manner that entices users to click on it. Users treat the link placed on the web form as coming from a trusted source or the same organization, thereby falling prey to this vulnerability. The attacker gets access to sensitive application information by accessing the cookie data of the user's account on the vulnerable website/application.
An XSS attack is shown in the following slides: a form field allowed the user to enter JavaScript code which returns complete user profile information from the application's database. In this example "alert(document.cookie)" is entered in an input field, compromising the cookie information.

27. XSS: a simple entry form of a social networking application
[screenshot]

28. XSS: field manipulation with JavaScript
[screenshot]

29. XSS: all it takes to pop up your sensitive information from the database
[screenshot]

30-37. XSS: the SAMY MySpace Worm
A self-propagating Cross Site Scripting (XSS) worm affected millions of profiles on MySpace.
The process began when a user (SAMY) placed JavaScript code in his profile on Myspace.com, a community site for sharing photos and staying in touch with friends.
When other users of Myspace.com viewed SAMY's profile, the code would initiate a background request via AJAX to add SAMY to the user's friends list.
This code bypassed the normal approval process for adding a user of the application to a friends list.
The next step in the script was self-replication: parsing out the code and pasting it into the viewing user's profile.
This process would repeat in the newly infected user's profile.

38. XSS: the SAMY MySpace Worm
The spread of the virus limits itself to the website and can essentially create a denial-of-service attack, due to the exponential growth of the attacker's friends list. This code will not affect any other site, but the malicious code can be reused by another hacker.
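The profile field from slides 27-29, as an added example that is not part of the deck: the same stored value rendered with and without output encoding, plus a session cookie issued with the HttpOnly flag so that a script running in the page cannot read it through document.cookie. It uses only Python's standard library (html.escape and http.cookies); the page template, the field value and the session id are constructed for illustration and do not come from any real application.

```python
"""Added example (not from the deck): output encoding for a stored profile
field, and a session cookie that injected script cannot read. Template,
input and session id are constructed for illustration."""
import html
from http.cookies import SimpleCookie

# Constructed input of the kind the deck describes: script in a profile field.
TEST_INPUT = "<script>alert(document.cookie)</script>"


def render_profile_vulnerable(about_me: str) -> str:
    """Pastes the stored field straight into the HTML, so any tags in it
    become part of the page and run in every viewer's browser."""
    return "<div class='about'>" + about_me + "</div>"


def render_profile_safe(about_me: str) -> str:
    """Escapes <, >, &, and quotes before insertion: the browser shows the
    text as text, so a script tag is displayed rather than executed."""
    return "<div class='about'>" + html.escape(about_me, quote=True) + "</div>"


def contains_active_script(page: str) -> bool:
    """Crude check for the test: does the rendered page carry a live <script> tag?"""
    return "<script" in page.lower()


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session. HttpOnly keeps it out of
    document.cookie (the deck's alert(document.cookie) would show nothing),
    Secure limits it to TLS, and SameSite=Strict stops the browser from
    attaching it to requests that originate on other sites."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Strict"
    return jar.output(header="").strip()


if __name__ == "__main__":
    print(render_profile_vulnerable(TEST_INPUT))
    print(render_profile_safe(TEST_INPUT))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```

Escaping on output is the part of the fix that holds regardless of how the value got into the database; HttpOnly is the layer that limits what a script can take when escaping is missed somewhere. Neither would have stopped the SAMY worm's friend-add request, which ran inside the site itself, so input validation on the profile form remains necessary as well.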
39. Typical Attack Methodology: A Quick Preview
Reconnaissance, then Discover & Understand Vulnerabilities, then Mount Attack.

40. Reconnaissance
An inspection or exploration of an area, especially in the context of military information gathering.
Commonly known techniques: Social Engineering; Dumpster Diving; Leveraging the Web: WHOIS, DNS, Search Engines, Web-based Online Tools (http://privacy.net/analyze, http://network-tools.com).

41. Reconnaissance Example
Open the web site and view the source to check out the web server. No information? Use TELNET. IIS V5 has over 250 known vulnerabilities.

42. Attack Demonstration, Step 1
Search engines can be used to look up NSFs on the web.

43. Attack Demonstration, Step 2
Names.nsf found exposed.

44. Attack Demonstration, Step 3
[screenshot]

45. Attack Demonstration, Step 4
[screenshot]
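The exposure behind steps 1 and 2 (a search engine indexing names.nsf because the server answered anonymous requests for it), looked at from the administrator's side as an added example that is not part of the deck: a detector run over HTTP access-log lines. It assumes the server's access log is written in Common Log Format with referer and user-agent appended; all four log lines are constructed for this example, and the list of sensitive databases beyond names.nsf (catalog.nsf, log.nsf) is this example's assumption, not something the deck names.

```python
"""Added example (not from the deck): flag successful anonymous requests to
sensitive Domino databases in an access log. Assumes Common Log Format with
referer and user-agent appended; the sample lines are constructed."""
import re
from collections import Counter
from typing import Optional

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Sensitive system databases; names.nsf is the one the deck shows, the others are an assumption.
SENSITIVE_DBS = ("names.nsf", "catalog.nsf", "log.nsf")

# Constructed sample: a crawler reading names.nsf anonymously, a normal authenticated
# user reading their mail file, a refused anonymous request, and an anonymous catalog read.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Feb/2008:10:02:11 +0530] "GET /names.nsf/People?OpenView HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.4 - sks [17/Feb/2008:10:03:40 +0530] "GET /mail/sks.nsf HTTP/1.1" 200 10231 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Feb/2008:10:04:02 +0530] "GET /names.nsf HTTP/1.1" 401 0 "-" "curl/7.18"
203.0.113.7 - - [17/Feb/2008:10:05:15 +0530] "GET /catalog.nsf HTTP/1.1" 200 3099 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
"""


def parse_line(line: str) -> Optional[dict]:
    """One CLF record as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def database_in_path(path: str) -> Optional[str]:
    """The .nsf file named in the request path, lower-cased, if any."""
    m = re.search(r'/([^/?]+\.nsf)', path, re.IGNORECASE)
    return m.group(1).lower() if m else None


def find_exposures(log_text: str) -> list:
    """Successful (2xx) requests by the anonymous user ('-') to a sensitive
    database. A crawler user-agent means the content is probably being
    indexed, which is what makes the deck's step 1 possible."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        db = database_in_path(rec["path"])
        if db in SENSITIVE_DBS and rec["user"] == "-" and rec["status"].startswith("2"):
            crawler = bool(re.search(r"bot|crawler|spider", rec.get("agent") or "", re.I))
            findings.append({"client": rec["client"], "db": db,
                             "path": rec["path"], "crawler": crawler})
    return findings


def summarize(findings: list) -> Counter:
    """How many anonymous successes per database, for a quick report."""
    return Counter(f["db"] for f in findings)


if __name__ == "__main__":
    hits = find_exposures(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

A hit here means the database ACL grants Anonymous at least Reader access over HTTP; the remedy is in the ACL (and in the server's web authentication settings), not in the log. The 401 line shows what the same request looks like once anonymous access is refused.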
46. Counter Measures: Basic Concepts

47. What is Cryptography?
"Algorithms implemented in hardware or software to mathematically combine a key with plain text to produce cipher text and to convert cipher text to its original plain text form."

48. Dual Key Cryptography
Message, then Encryptor using the Secret (or Public) Key, then Decryptor using the Secret (or Public) Key, then Message.

49. Digital Signature
Signing: Message, then Hash (#), then Encryptor using Your Secret Key, gives the Digital Signature; the Message is sent together with the Digital Signature.
Verifying: Digital Signature, then Decryptor using Your Public Key, gives a Hash; compare it with the Hash (#) of the received Message.

50. A Fundamental Question
How do I trust a public key? Let a trustworthy agency certify it!
Certificate: Name, Public Key, Expiry Date, Issuer ID, Other Attributes, CA's Digital Signature.
Like a driving license or passport: it certifies your public key and other attributes and is issued by a trustworthy agency, called a Certification Agency (CA).

51. Secured Transactions using Certificates
Validate by establishing trust. Authenticate by challenging each other.

52. Establishing Trust
By exchange of certificates (after masking private data, if any). By comparing certificates: trust the public key if the two have a common CA. Possible in a hierarchical situation also.

53. Authentication, Step 1
❶ Requester generates a random number and challenges the server to sign it.
❷ Server signs it and sends the signature back.
❸ Requester verifies the signature.

54. Authentication, Step 2
❶ Server generates a random number and challenges the requester to sign it.
❷ Requester signs it and sends the signature back.
❸ Server verifies the signature. Authentication is successful!
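Slides 49 through 54 run end to end, as an added example that is not part of the deck: hash-then-sign, a CA-issued certificate carrying name, public key, expiry and issuer, trust decided by a common CA, and the two-way challenge-response. The keys are textbook RSA over hard-coded Mersenne primes so that every step is visible arithmetic; that makes the block a teaching toy, not a usable signature scheme. Every name, key, date and CA in it is constructed, and Domino's own certificate and authentication formats are not modelled.

```python
"""Added example (not from the deck): hash-then-sign, CA certificates, trust
via a common CA and mutual challenge-response. Toy RSA on tiny primes; all
names, keys and dates are constructed."""
import hashlib
import json
import secrets
from datetime import date


def keygen(p: int, q: int, e: int = 65537):
    """Toy RSA: (public_key, private_key), each an (exponent, modulus) pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)   # pow(e, -1, phi): modular inverse (Python 3.8+)


def digest(data: bytes, n: int) -> int:
    """Slide 49's '#' box: hash the message, reduced into the modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private_key) -> int:
    d, n = private_key
    return pow(digest(data, n), d, n)              # 'encrypt' the hash with the secret key


def verify(data: bytes, signature: int, public_key) -> bool:
    e, n = public_key
    return pow(signature, e, n) == digest(data, n)  # 'decrypt' with the public key, compare hashes


def cert_body(cert: dict) -> bytes:
    """The fields the CA signs (slide 50): name, public key, expiry, issuer."""
    fields = {k: cert[k] for k in ("name", "public_key", "expiry", "issuer")}
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(name, public_key, expiry, issuer, ca_private_key) -> dict:
    cert = {"name": name, "public_key": list(public_key), "expiry": expiry, "issuer": issuer}
    cert["signature"] = sign(cert_body(cert), ca_private_key)
    return cert


def trusted_public_key(my_cert, peer_cert, trusted_cas, today):
    """Slide 52: accept the peer's public key only if both certificates come
    from a CA we share, the CA's signature checks out and the cert is unexpired."""
    issuer = peer_cert["issuer"]
    if issuer != my_cert["issuer"] or issuer not in trusted_cas:
        return None
    if not verify(cert_body(peer_cert), peer_cert["signature"], trusted_cas[issuer]):
        return None
    if today > date.fromisoformat(peer_cert["expiry"]):
        return None
    return tuple(peer_cert["public_key"])


def challenge(verifier_cert, prover_cert, prover_private_key, trusted_cas, today) -> bool:
    """One direction of slides 53-54: random number, prover signs it, verifier checks."""
    prover_key = trusted_public_key(verifier_cert, prover_cert, trusted_cas, today)
    if prover_key is None:
        return False
    nonce = secrets.token_bytes(16)                # step 1: fresh random challenge
    signature = sign(nonce, prover_private_key)    # step 2: done on the prover's side
    return verify(nonce, signature, prover_key)    # step 3: verifier checks it


def mutual_authenticate(req_cert, req_priv, srv_cert, srv_priv, trusted_cas, today) -> bool:
    """Slide 53 (requester challenges server) then slide 54 (server challenges requester)."""
    return (challenge(req_cert, srv_cert, srv_priv, trusted_cas, today)
            and challenge(srv_cert, req_cert, req_priv, trusted_cas, today))


def demo(today: date = date(2008, 2, 17)) -> dict:
    """One CA, two certified parties, one rogue CA; returns the outcome of each check."""
    ca_pub, ca_priv = keygen(524287, 2147483647)        # 2^19-1, 2^31-1
    req_pub, req_priv = keygen(8191, 131071)             # 2^13-1, 2^17-1
    srv_pub, srv_priv = keygen(127, 2305843009213693951)  # 2^7-1, 2^61-1
    _, rogue_priv = keygen(8191, 2147483647)
    cas = {"Example CA": ca_pub}                         # the CAs this deployment trusts
    req_cert = issue_certificate("Requester", req_pub, "2009-01-01", "Example CA", ca_priv)
    srv_cert = issue_certificate("Server", srv_pub, "2009-01-01", "Example CA", ca_priv)
    rogue_cert = issue_certificate("Server", srv_pub, "2009-01-01", "Rogue CA", rogue_priv)
    return {
        "mutual_ok": mutual_authenticate(req_cert, req_priv, srv_cert, srv_priv, cas, today),
        "rogue_rejected": not mutual_authenticate(req_cert, req_priv, rogue_cert, srv_priv, cas, today),
        "expired_rejected": not mutual_authenticate(req_cert, req_priv, srv_cert, srv_priv, cas, date(2010, 1, 1)),
        "tamper_detected": not verify(b"transfer 100", sign(b"transfer 10", srv_priv), srv_pub),
    }


if __name__ == "__main__":
    print(demo())
```

Two points the slides state but the code makes concrete: the challenge is a fresh random number each time, so a captured signature cannot be replayed, and the certificate check happens before the challenge, so a signature from a key nobody has certified is never even examined.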