My Presentations for the 2013 MPICT Winter Conference
Data Breaches and Password Hashes
Abstract
What are your obligations to protect data, and when have you been breached? These are not simple questions to answer--a falsely reported data breach at CCSF caused an international scandal in Jan. 2012.
After explaining what a data breach is, I will present an analysis of a recent major attack that breached dozens of companies. I will explain the hashing techniques they used and what they should have used instead.
Description
I will explain what happened at CCSF to convince our ex-CTO that we had been breached, and how this incident was spectacularly mishandled to create pointless fear and scandal.
Then I will show stolen data from several companies and compare their password storage systems, which are representative of modern Website security techniques.
The techniques used include:
- Plaintext storage
- Unsalted MD5
- Unsalted SHA-1
- Salted hashes
All these techniques are obsolete and provide almost no protection. The correct technique is to use iterated hashing to slow attacks, with 5000 or more rounds, such as implemented in bcrypt and PBKDF2.
Unfortunately, almost no one is using those techniques. Instead, almost every website you use is foolishly endangering users for no good reason.
Hands-on SQL Injection Attack and Defense
Description
The vast majority of all stolen data was taken with SQL injection. Every security professional needs to understand it well.
After a brief explanation of the vulnerabilities, attacks, and defenses, students will set up a vulnerable SQL website using SQLol, exploit it with Havij (the tool Anonymous used to exploit PBS), and protect it with input validation.
Additional projects are available for you to use in your classes, demonstrating other attacks and a better defense--parameterized queries.
All the powerpoint slides, lecture notes, and hands-on projects will be freely available for you to incorporate into your own classes.
Hands-on component
Students will set up a SQL server and a vulnerable application, exploit it, and patch it to make it more secure. We can provide netbooks for students to use, or they can use their own laptops. An internet connection would be nice but if it doesn't work, the workshop can proceed without it.
Students can use their own laptops, if they have VMware and BackTrack 5 ready to go.
Posted by Sam Bowne on 11-2-12, revised 11-30-12