2. About Speaker
• Speaker @ JavaOne, NFJS, Devcon, Borcon
• Sun Certified Java 2 Architect
• Instructor for VisiBroker for Java, OOAD, Rational Rose, and Java Development
• JBoss Certified Developer
• Professor - Sipe
Wednesday, February 4, 2009
3. Agenda
• Security Landscape
• Hacking Philosophy
  - The Sorting Hat
• Information Gathering
  - Information leak
  - Finding the exploits
• Security Threats
  - Brute Force
  - XSS
  - SQL Injection
• Dos and Don'ts
• Summary
4. Security Statistics
• Gartner
  - 75% of all attacks are directed at the web application layer
  - 2/3 of all web applications are vulnerable
  - 80% of organizations will experience an application security incident by 2010
• IBM
  - 10% of IT dollars are spent on web application security
• Mitre
  - XSS and SQL Injection are the #1 and #2 reported vulnerabilities
5. Alarming Truth
• "Approximately 100 million Americans have been informed that they have suffered a security breach so this problem has reached epidemic proportions."
  - Jon Oltsik, Enterprise Strategy Group
• "Up to 21,000 loan clients may have had data exposed"
  - Marcella Bombardieri, Globe Staff/August 24, 2006
• "Personal information stolen from 2.2 million active-duty members of the military, the government said..."
  - New York Times/June 7, 2006
• "Hacker may have stolen personal identifiable information for 26,000 employees..."
  - ComputerWorld, June 22, 2006
11. Black Hat Approach
• Information Gathering
  - Sometimes targeted at a "client"
  - Sometimes targeting a vulnerability
• Scanning
  - Network mapping
  - Ports
• Gaining Access
• Elevate Privileges
• Cover Tracks
14. Black Hat Principles
• Inside Out Access
• Most People
  - Like free stuff!
  - Are curious
  - Are not security savvy
  - Choose usability over security
  - Choose performance over security
• Expense
  - Too costly to secure everything
15. Hacker
• John Draper, "Captain Crunch"
  - Toy whistle provides free long distance calling
25. Cross Site Scripting (XSS)
• Malicious script echoed back in the browser
• Consequence:
  - Internet Worm
    - MySpace
    - Meebo
  - Session Tokens stolen
  - Future surfing compromised
26. XSS Testing
• Submit a simple <script>alert(document.cookie)</script> to a web page
• If the alert pops, life is good!
  - Or bad
    - Just depends on whether you're a white hat or a black hat :)
27. XSS Details
• Common
  - Search
  - Error Pages
  - Returned Forms
• Aiding Technologies
  - AJAX
  - Flash
  - IFrame
28. XSS - The Exploit
1. Link to Account in email
2. Embedded script sent to target
3. Script executed on client browser
4. Script provides cookie and session data
5. Hacker uses credentials
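The XSS test on slide 26 and the "common" reflection points on slide 27 (search and error pages) can be turned into a repeatable check. The following is an added example, not code from the talk: two toy page renderers that echo user input, the same two with HTML encoding applied, and a function that automates the slide's test by submitting the slide's probe and reporting whether it comes back verbatim. The page names and markup are constructed for the example.

```python
import html

# The probe string from slide 26.
PROBE = "<script>alert(document.cookie)</script>"


def render_search_vulnerable(term):
    """Search results page that echoes the query straight into the markup (the bug)."""
    return f"<h1>Results for: {term}</h1>\n<p>No results found.</p>"


def render_error_vulnerable(path):
    """Error page that echoes the requested path (the same bug, a second common spot)."""
    return f"<h1>404</h1>\n<p>The page {path} does not exist.</p>"


def render_search_escaped(term):
    """Same search page with the term HTML-encoded: <, >, &, and quotes
    reach the browser as text, not as markup."""
    return f"<h1>Results for: {html.escape(term, quote=True)}</h1>\n<p>No results found.</p>"


def render_error_escaped(path):
    """Same error page with the path HTML-encoded."""
    return f"<h1>404</h1>\n<p>The page {html.escape(path, quote=True)} does not exist.</p>"


def reflects_unescaped(render, probe=PROBE):
    """Slide 26 automated: submit the probe and check whether the response
    contains it unchanged. True means the browser would execute it
    ('the alert pops'); False means the page encoded it."""
    return probe in render(probe)


def audit(pages):
    """Run the check over a mapping of page name -> render function and
    return the names of the pages that reflect the probe unencoded."""
    return sorted(name for name, render in pages.items() if reflects_unescaped(render))


if __name__ == "__main__":
    pages = {
        "search": render_search_vulnerable,
        "error": render_error_vulnerable,
        "search-fixed": render_search_escaped,
        "error-fixed": render_error_escaped,
    }
    print("pages reflecting the probe unencoded:", audit(pages))
    print("encoded form seen in the fixed page:", render_search_escaped(PROBE))
```

The check is deliberately narrow: it only answers the slide's question for a page that reflects input into HTML body text. Encoding must match the context the value lands in (attribute, URL, script), so the encoded pages here are correct for body text, and a value placed inside an attribute or a script block needs the encoder for that context.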
35. SQL Injection: Answers from Errors
' having 1=1 --
' group by login.primarykey having 1=1 --
' union select min(username),1,1,1,1 from login where username > 'a'--
36. SQL Injection: Want a Password?
'union select min(password),1,1,1,1 from login where username = 'ab***ilr'--
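Slides 35 and 36 show what the UNION payloads look like; what they do not show is why they work and what makes them stop working. The following is an added example, not code from the talk: a constructed in-memory SQLite `login` table, a lookup that builds SQL by string concatenation (the bug the payloads rely on), and the same lookup with a bound parameter. The original query selects five columns, which is why the slide's payloads pad the UNION with `,1,1,1,1`. The table layout, the sample rows and the username `alice` (standing in for the redacted one on slide 36) are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the slides). The passwords are plain text
# only so the effect of the payload is visible; a real table stores hashes.
ROWS = [
    ("alice", "s3cret-alice", "alice@example.test", "admin", 1, "2009-02-01"),
    ("bob", "s3cret-bob", "bob@example.test", "user", 1, "2009-02-03"),
]

# The two UNION payloads from slides 35 and 36; the redacted username on
# slide 36 is replaced by the constructed one.
ENUM_PAYLOAD = "' union select min(username),1,1,1,1 from login where username > 'a'--"
DUMP_PAYLOAD = "'union select min(password),1,1,1,1 from login where username = 'alice'--"

# The application's query selects five columns, so a UNION must supply five.
SELECT_COLUMNS = "username, email, role, active, last_login"


def make_db():
    """In-memory SQLite database standing in for the application's login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login (username TEXT, password TEXT, email TEXT, "
        "role TEXT, active INTEGER, last_login TEXT)"
    )
    conn.executemany("INSERT INTO login VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """The bug: the input is pasted into the SQL text. A quote in the input
    closes the literal and everything after it is parsed as SQL, so the
    trailing -- hides the application's own closing quote."""
    sql = f"SELECT {SELECT_COLUMNS} FROM login WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the input is sent as a bound value, never as SQL text, so the
    whole payload string is simply compared against the username column."""
    sql = f"SELECT {SELECT_COLUMNS} FROM login WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for payload in (ENUM_PAYLOAD, DUMP_PAYLOAD):
        print("concatenated :", lookup_vulnerable(conn, payload))
        print("parameterized:", lookup_parameterized(conn, payload))
```

Run stand-alone, the concatenated lookup returns a row built from the UNION for both payloads, while the parameterized lookup returns no rows because no username equals the payload text. The other half of the mitigation for slide 35 is error handling: the "answers from errors" only arrive when raw database errors are returned to the user, so the user-facing response should be generic and the detail should go to the server log.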
42. Dos & Don'ts
• Don't
  - Use Magic URL and Hidden fields for private data
  - Use Security by ignorance
  - Rely on secrecy of the scheme
  - Reveal Passwords to User
  - Use Cookies for private data
  - Trust the client for anything
    - Cookie expiration
• Do
  - Tighten Security
  - Use Security Appliances
    - Watchfire
  - Rely on secrecy of a set of keys
  - Tighten Passwords
  - Develop a policy
  - Enforce time limits on authenticators
  - Security Reviews
43. Hacker
• Adrian Lamo, "Homeless Hacker"
  - Hacked
    - NY Times
    - MSFT
    - NBC
44. Resources
• Must watch program
  - http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar
• Vulnerability and exploit info
  - www.cert.org
  - http://www.owasp.org/index.php/Top_10_2007
  - http://seclists.org/
• Tools
  - http://www.elhacker.net/hacking-programas-hack.htm
  - http://www.tahribat.com/doc.asp?docid=87
• Security Policy
  - http://www.sans.org/resources/policies/
46. Summary
• It's a Scary World!
• White Hats are always on the defense
• Obtain skills in Defense against the Dark Arts
• And Good Luck!
47. Questions
• Please Fill Out Surveys
kensipe@gmail.com
twitter: kensipe
blog: kensipe.blogspot.com