SlideShare una empresa de Scribd logo

The Life of Breached Data & The Dark Side of Security

Jarrod Overson
Jarrod Overson

QCon SF 2016 security talk about who uses data from massive breaches (like Yahoo, Target), what tools they use, and what damage they inflict.

Tecnología
1 de 82
Descargar para leer sin conexión
The Life of Breached Data & The Dark Side of Security. Jarrod Overson @jsoverson QCon SF 2016
It's more than just massive breaches from large companies, too.
It's small continuous, streams of exploitable data
2.2 Billion
 Leaked credentials in 2016 alone
Every breach adds a piece of you to a criminal's database. Passwords, emails, names, security questions & answers, addresses, and more
Traditional security is like flossing. We know we're supposed to care, but is it really that important?
OWASP Top 10 A1 – Injection A2 – Broken Authentication and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery (CSRF) A9 – Using Known Vulnerable Components A10 – Unvalidated Redirects and Forwards
OWASP Automated Threats OAT-020 Account Aggregation OAT-006 Expediting OAT-019 Account Creation OAT-004 Fingerprinting OAT-003 Ad Fraud OAT-018 Footprinting OAT-009 CAPTCHA Bypass OAT-005 Scalping OAT-010 Card Cracking OAT-011 Scraping OAT-001 Carding OAT-016 Skewing OAT-012 Cashing Out OAT-013 Sniping OAT-007 Credential Cracking OAT-017 Spamming OAT-008 Credential Stuffing OAT-002 Token Cracking OAT-015 Denial of Service OAT-014 Vulnerability Scanning
These attacks aren't cost effective unless automated BY EVIL ROBOTS
Our user-friendly APIs enable our attackers
Not just these APIs
The APIs we expose unintentionally.
The APIs we expose unintentionally.
The APIs we expose unintentionally.
When you read about breaches, what do you do?
Even if you have the most secure site in the world, you don't usually protect against legitimate user logins.
If your users were robots, could you tell?
What percentage of traffic is from bots?
95% ( Current record for automation against a login page, via Shape Security ) What percentage of traffic is from bots?
Why?
Do you… For example Store a type of currency? actual money, point values, gift cards Sell goods? physical, digital, services Have unique PII? health care, social networks Have user generated content? forums, social networks, blogs, comments Have time sensitive features? tickets, flash sales, reservations Pay for digitally validated behavior? ad clicks, reviews, "uber for X"
If you have value, there is value in exploiting you.
Targeted Fraud can take many forms.
But we have captchas!
But captchas don't work.
Estimated 200 million+ hours spent every year deciphering squiggly letters. Luis Von Ahn, creator of captcha * *
Services have been made making captcha bypass even easier.
Services have been made making captcha bypass even easier.
Ever wonder where these ads go?
There's big money in "Work from Home Data Entry" jobs
So we seek alternatives.
Some rely on simple behavior analysis
Some rely on kittens
Some rely on a love for death metal
Some are very high profile
How?
They use a lot of the same tools we already use.
Once you detect an attacker, they are easy to block. Right?
One attacker from one machine can be blocked by IP.
Many attackers sound dangerous but aren't as common as they are made out to be.
One attacker using proxies to look like thousands of users across the globe is difficult to detect and block.
Spikes of traffic across many IPs are normal, except when they aren't
The devices themselves leave fingerprints
And tools are made to leave no fingerprints
Lots of tools.
We can't patch our way through this.
How would you react if you went from … Legitimate traffic
To this Automation detected and blocked Legitimate traffic
Automation detected and blocked Legitimate traffic To this
Automation detected and blocked Legitimate traffic To this
To get an idea, search for : • <your company, service, or CMS> fullz • <your company, service, or CMS> sentrymba • <your company, service, or CMS> carding • <your company, service, or CMS> <tool> tutorial Not sure if you have a problem?
How do you protect you?
Make every password unique. Really.
• LastPass • 1Password • Any locally encrypted db Use a password manager. Use a password manager. LastPass, 1Password, any locally encrypted database.
Use a base password + a site specific string. For example: "hyatt small blue cup" Use a password algorithm
Turn on Multi-Factor Authentication.
How do you protect your users?
First, throw away the myth that the primary risk to passwords is how crackable they are. The biggest risk to you and your users is reused passwords.
Don't add unnecessary password rules 8 char minimum, >64 char maximum, allow ANY character (including spaces)
Do prevent users from using common passwords • 123456 • password • 12345678 • qwerty • 12345 • 123456789 • football • 1234 • 1234567 • baseball • welcome • 1234567890 • abc123 • 111111 • 1qaz2wsx • dragon • master • monkey • letmein • login • princess • qwertyuiop • solo • passw0rd Maintain and use a banned password list
Don't expire passwords unless necessary Expire when accounts are compromised or a user's credentials are leaked.
Offer Multi-Factor Authentication. There any many options and services that make this easy and tolerable.
How do you protect your business?
Use single flows for important transactions. Reduce the attack surface area as much as possible. Login widget Old login flow Regular Login Login at CC entry 2.x login Login on shopping cart VS Login
Ask and be ready for tough questions You may need to re-evaluate costs & value with new parameters.
Get help. You're not alone. Reduce the attack surface area as much as possible. - Helen Keller
The Life of Breached Data & The Dark Side of Security. Jarrod Overson @jsoverson QCon SF 2016

Recomendados

The Dark Side of Security
The Dark Side of SecurityThe Dark Side of Security
The Dark Side of Security
Jarrod Overson
 
Shape Security @ WaffleJS October 16
Shape Security @ WaffleJS October 16Shape Security @ WaffleJS October 16
Shape Security @ WaffleJS October 16
Jarrod Overson
 
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and AbuseData Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse
David Freeman
 
Server-Side Second Factors: Approaches to Measuring User Authenticity
Server-Side Second Factors: Approaches to Measuring User AuthenticityServer-Side Second Factors: Approaches to Measuring User Authenticity
Server-Side Second Factors: Approaches to Measuring User Authenticity
David Freeman
 
2018 Hacked Website Trends
2018 Hacked Website Trends2018 Hacked Website Trends
2018 Hacked Website Trends
Sucuri
 
Email attacks and shimming attack
Email attacks and shimming attackEmail attacks and shimming attack
Email attacks and shimming attack
Paul Mbua
 
Beyond The Norm: Building Secure Websites
Beyond The Norm: Building Secure WebsitesBeyond The Norm: Building Secure Websites
Beyond The Norm: Building Secure Websites
Adria Richards
 
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Distil Networks
 

Recomendados

The Dark Side of Security
The Dark Side of SecurityThe Dark Side of Security
The Dark Side of Security
Jarrod Overson
 
Shape Security @ WaffleJS October 16
Shape Security @ WaffleJS October 16Shape Security @ WaffleJS October 16
Shape Security @ WaffleJS October 16
Jarrod Overson
 
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and AbuseData Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse
David Freeman
 
Server-Side Second Factors: Approaches to Measuring User Authenticity
Server-Side Second Factors: Approaches to Measuring User AuthenticityServer-Side Second Factors: Approaches to Measuring User Authenticity
Server-Side Second Factors: Approaches to Measuring User Authenticity
David Freeman
 
2018 Hacked Website Trends
2018 Hacked Website Trends2018 Hacked Website Trends
2018 Hacked Website Trends
Sucuri
 
Email attacks and shimming attack
Email attacks and shimming attackEmail attacks and shimming attack
Email attacks and shimming attack
Paul Mbua
 
Beyond The Norm: Building Secure Websites
Beyond The Norm: Building Secure WebsitesBeyond The Norm: Building Secure Websites
Beyond The Norm: Building Secure Websites
Adria Richards
 
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Distil Networks
 
10 ways to protect your e commerce site from hacking & fraud
10 ways to protect your e commerce site from hacking & fraud10 ways to protect your e commerce site from hacking & fraud
10 ways to protect your e commerce site from hacking & fraud
WebSitePulse
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
Jeremiah Grossman
 
XSS (Cross Site Scripting)
XSS (Cross Site Scripting)XSS (Cross Site Scripting)
XSS (Cross Site Scripting)
Shubham Gupta
 
Web Browsers and Tracking Protections
Web Browsers and Tracking ProtectionsWeb Browsers and Tracking Protections
Web Browsers and Tracking Protections
Simo Ahava
 
Why use private proxy presentation
Why use private proxy presentationWhy use private proxy presentation
Why use private proxy presentation
FaeriMoon2
 
Managing Your Risks – The Problem of Passwords
Managing Your Risks – The Problem of PasswordsManaging Your Risks – The Problem of Passwords
Managing Your Risks – The Problem of Passwords
PECB
 
Testing iOS apps without jailbreak in 2018
Testing iOS apps without jailbreak in 2018Testing iOS apps without jailbreak in 2018
Testing iOS apps without jailbreak in 2018
SecuRing
 
GPU based password recovery on Linux. TXLF 2013
GPU based password recovery on Linux. TXLF 2013GPU based password recovery on Linux. TXLF 2013
GPU based password recovery on Linux. TXLF 2013
Brad Richardson
 
Salt Cryptography & Cracking Salted Hashes by fb1h2s
Salt Cryptography & Cracking Salted Hashes by fb1h2sSalt Cryptography & Cracking Salted Hashes by fb1h2s
Salt Cryptography & Cracking Salted Hashes by fb1h2s
n|u - The Open Security Community
 
BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwerty
Jerome Smith
 
Password Cracking with Rainbow Tables
Password Cracking with Rainbow TablesPassword Cracking with Rainbow Tables
Password Cracking with Rainbow Tables
Korhan Bircan
 
Cyber security and ethical hacking 9
Cyber security and ethical hacking 9Cyber security and ethical hacking 9
Cyber security and ethical hacking 9
Mehedi Hasan
 
Password Attack
Password Attack Password Attack
Password Attack
Sina Manavi
 
Password Cracking
Password Cracking Password Cracking
Password Cracking
Sina Manavi
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycle
Jarrod Overson
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Nick Galbreath
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
TEST Huddle
 
How to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security ChecklistHow to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security Checklist
Pixel Crayons
 
Make Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorMake Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your Favor
David Perkins
 
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your BusinessConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus
 
Awareness Security 123.pptx
Awareness Security 123.pptxAwareness Security 123.pptx
Awareness Security 123.pptx
RajuSingh730938
 
USG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptxUSG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptx
BilmyRikas
 

Más contenido relacionado

La actualidad más candente

Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
Jeremiah Grossman
 
Why use private proxy presentation
Why use private proxy presentationWhy use private proxy presentation
Why use private proxy presentation
FaeriMoon2
 
Managing Your Risks – The Problem of Passwords
Managing Your Risks – The Problem of PasswordsManaging Your Risks – The Problem of Passwords
Managing Your Risks – The Problem of Passwords
PECB
 
Testing iOS apps without jailbreak in 2018
Testing iOS apps without jailbreak in 2018Testing iOS apps without jailbreak in 2018
Testing iOS apps without jailbreak in 2018
SecuRing
 

La actualidad más candente (7)

10 ways to protect your e commerce site from hacking & fraud
10 ways to protect your e commerce site from hacking & fraud10 ways to protect your e commerce site from hacking & fraud
10 ways to protect your e commerce site from hacking & fraud
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
XSS (Cross Site Scripting)
XSS (Cross Site Scripting)XSS (Cross Site Scripting)
XSS (Cross Site Scripting)
 
Web Browsers and Tracking Protections
Web Browsers and Tracking ProtectionsWeb Browsers and Tracking Protections
Web Browsers and Tracking Protections
 
Why use private proxy presentation
Why use private proxy presentationWhy use private proxy presentation
Why use private proxy presentation
 
Managing Your Risks – The Problem of Passwords
Managing Your Risks – The Problem of PasswordsManaging Your Risks – The Problem of Passwords
Managing Your Risks – The Problem of Passwords
 
Testing iOS apps without jailbreak in 2018
Testing iOS apps without jailbreak in 2018Testing iOS apps without jailbreak in 2018
Testing iOS apps without jailbreak in 2018
 

Destacado

BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwerty
Jerome Smith
 

Destacado (7)

GPU based password recovery on Linux. TXLF 2013
GPU based password recovery on Linux. TXLF 2013GPU based password recovery on Linux. TXLF 2013
GPU based password recovery on Linux. TXLF 2013
 
Salt Cryptography & Cracking Salted Hashes by fb1h2s
Salt Cryptography & Cracking Salted Hashes by fb1h2sSalt Cryptography & Cracking Salted Hashes by fb1h2s
Salt Cryptography & Cracking Salted Hashes by fb1h2s
 
BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwerty
 
Password Cracking with Rainbow Tables
Password Cracking with Rainbow TablesPassword Cracking with Rainbow Tables
Password Cracking with Rainbow Tables
 
Cyber security and ethical hacking 9
Cyber security and ethical hacking 9Cyber security and ethical hacking 9
Cyber security and ethical hacking 9
 
Password Attack
Password Attack Password Attack
Password Attack
 
Password Cracking
Password Cracking Password Cracking
Password Cracking
 

Similar a The Life of Breached Data & The Dark Side of Security

Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Nick Galbreath
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
TEST Huddle
 
How to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security ChecklistHow to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security Checklist
Pixel Crayons
 
USG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptxUSG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptx
BilmyRikas
 
USG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptxUSG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptx
sumita02
 

Similar a The Life of Breached Data & The Dark Side of Security (20)

The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycle
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
How to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security ChecklistHow to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security Checklist
 
Make Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorMake Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your Favor
 
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your BusinessConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
 
Awareness Security 123.pptx
Awareness Security 123.pptxAwareness Security 123.pptx
Awareness Security 123.pptx
 
USG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptxUSG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptx
 
USG_Security_Awareness_Primer (1).pptx
USG_Security_Awareness_Primer (1).pptxUSG_Security_Awareness_Primer (1).pptx
USG_Security_Awareness_Primer (1).pptx
 
USG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptxUSG_Security_Awareness_Primer.pptx
USG_Security_Awareness_Primer.pptx
 
Data Loss Prevention in SharePoint 2016 Webinar with Crow Canyon
Data Loss Prevention in SharePoint 2016 Webinar with Crow CanyonData Loss Prevention in SharePoint 2016 Webinar with Crow Canyon
Data Loss Prevention in SharePoint 2016 Webinar with Crow Canyon
 
Identity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations SeminarIdentity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations Seminar
 
Iron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data ResponsiblyIron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data Responsibly
 
How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019
 
Online Security and Privacy Issues
Online Security and Privacy IssuesOnline Security and Privacy Issues
Online Security and Privacy Issues
 
Introduction to application security (Arabic)
Introduction to application security (Arabic)Introduction to application security (Arabic)
Introduction to application security (Arabic)
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.
 
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10thCYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
 
How I'd hack into your business and how you can stop me!
How I'd hack into your business and how you can stop me!How I'd hack into your business and how you can stop me!
How I'd hack into your business and how you can stop me!
 

Más de Jarrod Overson

Más de Jarrod Overson (16)

Practical WebAssembly with Apex, wasmRS, and nanobus
Practical WebAssembly with Apex, wasmRS, and nanobusPractical WebAssembly with Apex, wasmRS, and nanobus
Practical WebAssembly with Apex, wasmRS, and nanobus
 
AppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingAppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is Evolving
 
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
 
Analysis of an OSS supply chain attack - How did 8 millions developers downlo...
Analysis of an OSS supply chain attack - How did 8 millions developers downlo...Analysis of an OSS supply chain attack - How did 8 millions developers downlo...
Analysis of an OSS supply chain attack - How did 8 millions developers downlo...
 
Deepfakes - How they work and what it means for the future
Deepfakes - How they work and what it means for the futureDeepfakes - How they work and what it means for the future
Deepfakes - How they work and what it means for the future
 
How to Reverse Engineer Web Applications
How to Reverse Engineer Web ApplicationsHow to Reverse Engineer Web Applications
How to Reverse Engineer Web Applications
 
Graphics Programming for Web Developers
Graphics Programming for Web DevelopersGraphics Programming for Web Developers
Graphics Programming for Web Developers
 
JavaScript and the AST
JavaScript and the ASTJavaScript and the AST
JavaScript and the AST
 
ES2015 workflows
ES2015 workflowsES2015 workflows
ES2015 workflows
 
Maintainability SFJS Sept 4 2014
Maintainability SFJS Sept 4 2014 Maintainability SFJS Sept 4 2014
Maintainability SFJS Sept 4 2014
 
Idiot proofing your code
Idiot proofing your codeIdiot proofing your code
Idiot proofing your code
 
Riot on the web - Kenote @ QCon Sao Paulo 2014
Riot on the web - Kenote @ QCon Sao Paulo 2014Riot on the web - Kenote @ QCon Sao Paulo 2014
Riot on the web - Kenote @ QCon Sao Paulo 2014
 
Managing JavaScript Complexity in Teams - Fluent
Managing JavaScript Complexity in Teams - FluentManaging JavaScript Complexity in Teams - Fluent
Managing JavaScript Complexity in Teams - Fluent
 
Real World Web components
Real World Web componentsReal World Web components
Real World Web components
 
Managing JavaScript Complexity
Managing JavaScript ComplexityManaging JavaScript Complexity
Managing JavaScript Complexity
 
Continuous Delivery for the Web Platform
Continuous Delivery for the Web PlatformContinuous Delivery for the Web Platform
Continuous Delivery for the Web Platform
 

Último

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 

Último (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

The Life of Breached Data & The Dark Side of Security

  • 1. The Life of Breached Data & The Dark Side of Security. Jarrod Overson @jsoverson QCon SF 2016
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7. It's more than just massive breaches from large companies, too.
  • 8. It's small continuous, streams of exploitable data
  • 9.
  • 11. Every breach adds a piece of you to a criminal's database. Passwords, emails, names, security questions & answers, addresses, and more
  • 12.
  • 13. Traditional security is like flossing. We know we're supposed to care, but is it really that important?
  • 14. OWASP Top 10 A1 – Injection A2 – Broken Authentication and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery (CSRF) A9 – Using Known Vulnerable Components A10 – Unvalidated Redirects and Forwards
  • 15. OWASP Automated Threats OAT-020 Account Aggregation OAT-006 Expediting OAT-019 Account Creation OAT-004 Fingerprinting OAT-003 Ad Fraud OAT-018 Footprinting OAT-009 CAPTCHA Bypass OAT-005 Scalping OAT-010 Card Cracking OAT-011 Scraping OAT-001 Carding OAT-016 Skewing OAT-012 Cashing Out OAT-013 Sniping OAT-007 Credential Cracking OAT-017 Spamming OAT-008 Credential Stuffing OAT-002 Token Cracking OAT-015 Denial of Service OAT-014 Vulnerability Scanning
  • 16. These attacks aren't cost effective unless automated BY EVIL ROBOTS
  • 17. Our user-friendly APIs enable our attackers
  • 19. The APIs we expose unintentionally.
  • 20. The APIs we expose unintentionally.
  • 21. The APIs we expose unintentionally.
  • 22. When you read about breaches, what do you do?
  • 23. Even if you have the most secure site in the world, you don't usually protect against legitimate user logins.
  • 24. If your users were robots, could you tell?
  • 25.
  • 26. What percentage of traffic is from bots?
  • 27. 95% ( Current record for automation against a login page, via Shape Security ) What percentage of traffic is from bots?
  • 28. Why?
  • 29. Do you… For example Store a type of currency? actual money, point values, gift cards Sell goods? physical, digital, services Have unique PII? health care, social networks Have user generated content? forums, social networks, blogs, comments Have time sensitive features? tickets, flash sales, reservations Pay for digitally validated behavior? ad clicks, reviews, "uber for X"
  • 30. If you have value, there is value in exploiting you.
  • 31. Targeted Fraud can take many forms.
  • 32. But we have captchas!
  • 34. Estimated 200 million+ hours spent every year deciphering squiggly letters. Luis Von Ahn, creator of captcha * *
  • 35. Services have been made making captcha bypass even easier.
  • 36. Services have been made making captcha bypass even easier.
  • 37. Ever wonder where these ads go?
  • 38. There's big money in "Work from Home Data Entry" jobs
  • 39. So we seek alternatives.
  • 40. Some rely on simple behavior analysis
  • 41. Some rely on kittens
  • 42. Some rely on a love for death metal
  • 43. Some are very high profile
  • 44. How?
  • 45. They use a lot of the same tools we already use.
  • 46.
  • 47.
  • 48.
  • 49.
  • 50.
  • 51.
  • 52. Once you detect an attacker, they are easy to block. Right?
  • 53. One attacker from one machine can be blocked by IP.
  • 54. Many attackers sound dangerous but aren't as common as they are made out to be.
  • 55. One attacker using proxies to look like thousands of users across the globe is difficult to detect and block.
  • 56. Spikes of traffic across many IPs are normal, except when they aren't
  • 57. The devices themselves leave fingerprints
  • 58. And tools are made to leave no fingerprints
  • 60.
  • 61. We can't patch our way through this.
  • 62. How would you react if you went from … Legitimate traffic
  • 63. To this Automation detected and blocked Legitimate traffic
  • 64. Automation detected and blocked Legitimate traffic To this
  • 65. Automation detected and blocked Legitimate traffic To this
  • 66. To get an idea, search for : • <your company, service, or CMS> fullz • <your company, service, or CMS> sentrymba • <your company, service, or CMS> carding • <your company, service, or CMS> <tool> tutorial Not sure if you have a problem?
  • 67. How do you protect you?
  • 68. Make every password unique. Really.
  • 69. • LastPass • 1Password • Any locally encrypted db Use a password manager. Use a password manager. LastPass, 1Password, any locally encrypted database.
  • 70. Use a base password + a site specific string. For example: "hyatt small blue cup" Use a password algorithm
  • 71. Turn on Multi-Factor Authentication.
  • 72. How do you protect your users?
  • 73. First, throw away the myth that the primary risk to passwords is how crackable they are. The biggest risk to you and your users is reused passwords.
  • 74. Don't add unnecessary password rules 8 char minimum, >64 char maximum, allow ANY character (including spaces)
  • 75. Do prevent users from using common passwords • 123456 • password • 12345678 • qwerty • 12345 • 123456789 • football • 1234 • 1234567 • baseball • welcome • 1234567890 • abc123 • 111111 • 1qaz2wsx • dragon • master • monkey • letmein • login • princess • qwertyuiop • solo • passw0rd Maintain and use a banned password list
  • 76. Don't expire passwords unless necessary Expire when accounts are compromised or a user's credentials are leaked.
  • 77. Offer Multi-Factor Authentication. There any many options and services that make this easy and tolerable.
  • 78. How do you protect your business?
  • 79. Use single flows for important transactions. Reduce the attack surface area as much as possible. Login widget Old login flow Regular Login Login at CC entry 2.x login Login on shopping cart VS Login
  • 80. Ask and be ready for tough questions You may need to re-evaluate costs & value with new parameters.
  • 81. Get help. You're not alone. Reduce the attack surface area as much as possible. - Helen Keller
  • 82. The Life of Breached Data & The Dark Side of Security. Jarrod Overson @jsoverson QCon SF 2016