Understanding Online Security

Jan 23, 2018

Michael Dowden
Transcript
Page 1: Understanding Online Security

Understanding

Online Security

Michael Dowden@mrdowden

Page 2: Understanding Online Security

Goals

➔Understand Internet security basics

➔Better equipped to protect yourself online

➔Prepared to implement basic software security

➔Able to research security topics

Page 3: Understanding Online Security

Overview

➔Internet Technology

➔Attack Vectors

➔Common Attacks

➔Security Principles & Terminology

➔Safety & Security Tips

Page 4: Understanding Online Security

Attack Goals

Page 5: Understanding Online Security

Michael Dowden

➔Education

◆ BS Computer Science

◆ MBA Entrepreneurship

➔Experience

◆ Software Development and IT since 1992

◆ 12+ years software security

◆ Full Stack - Hardware to User Interface

◆ Worked with 60+ organizations in multiple industries

Senior Principal Consultant & Software Architecture Lead @ CSpring

Page 6: Understanding Online Security

Internet Technology

Page 7: Understanding Online Security

DNS

[Diagram: a pair of coordinates (39.838389, -86.383388) shown beside the street address they name (804 E Main St, Brownsburg, IN 46112), as an analogy for an IP address and the domain name that maps to it]

Page 8: Understanding Online Security

DNS

[Diagram: the Browser asks the DNS Server for Google.com, receives the address 216.58.216.206, and then connects to Google]

Page 9: Understanding Online Security

TCP/IP

Page 10: Understanding Online Security

HTTP

[Diagram: Client (Web Browser) ↔ Internet ↔ Server, with Request and Response arrows in both directions; the User System sits behind the client and the Administrator behind the server]

Page 11: Understanding Online Security

Attack Vectors... and modes of delivery

[Diagram: the same Client (Web Browser) ↔ Internet ↔ Server picture, annotated with where each attack lands]

➔ Client (web browser): Email / Website / Hack / XSS / CSRF

➔ Server: Permissions / Injection / DDoS / Hack

➔ Internet (in transit): Man in the Middle

➔ User System / Administrator: Social Engineering

Page 12: Understanding Online Security

Software Mitigation

[Diagram: the same Client (Web Browser) ↔ Internet ↔ Server picture, with each attack vector paired with its mitigation]

➔ Client (Email / Website / Hack / XSS / CSRF): Headers / CSRF tokens / Password Managers / Public Key Encryption

➔ Server (Permissions / Injection / DDoS / Hack): Encryption / Authentication / Authorization

➔ Internet (Man in the Middle): HTTPS / VPN / Tor

➔ User System / Administrator (Social Engineering): Least Privilege / Training

Page 13: Understanding Online Security

Common Attacks

Page 14: Understanding Online Security

DNS Hijacking

➔Redirect a domain name to a fake address (a forged or poisoned DNS answer)

➔Used to:

◆ Collect data & credentials

◆ Steal money

➔Protection:

◆ Don't run an open recursive resolver; restrict recursion to your own clients

◆ DNSSEC, with signature validation enabled on the resolver

[Diagram: the Browser asks the DNS Server for google.com; the hijacked answer returns 111.22.33.213 (a bad search site) instead of 216.58.216.206 (Google)]

Page 15: Understanding Online Security

Man-in-the-Middle

➔Attacker sits between the two parties: either passively eavesdrops, or authenticates separately to each side and relays traffic between them

➔Used to:

◆ Defeat encryption and authentication

◆ Steal data

◆ Act on behalf of the user

➔Protection:

◆ TLS with certificate validation (HTTPS), backed by a public key infrastructure; the client must actually verify the certificate chain and the hostname, or the attacker simply presents its own certificate

[Diagram: a normal connection beside compromised connections that are routed through the attacker]

Page 16: Understanding Online Security

Clickjacking

➔Subvert mouse clicks: the target site is loaded in an invisible frame over the attacker's page, so the user clicks on it without knowing

➔Used to:

◆ Redirect to foreign sites

◆ Bypass browser security

◆ Modify privacy settings

➔Protection:

◆ Proper use of X-Frame-Options (DENY or SAMEORIGIN), or the Content-Security-Policy frame-ancestors directive

◆ Client-side frame detection (frame-busting script), only as a fallback; a sandboxed iframe can neutralize it

Page 17: Understanding Online Security

CSRF (Cross-Site Request Forgery)

➔Impersonate the user to the server: the browser attaches the victim's cookies to a request that the attacker's page triggered

➔Used to:

◆ Coerce user action

◆ Transfer control or resources

➔Protection:

◆ Unpredictable token in each state-changing request, tied to the session and checked on the server

◆ SameSite attribute on session cookies

◆ Use framework built-in defenses

[Diagram: Client, Attacker and Server; the attacker's page makes the client's browser send a request to the server on the user's behalf]
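The two server-side controls from the Clickjacking and CSRF slides, as an added example that is not part of the original deck: a per-session anti-CSRF token minted with the OS random source and compared in constant time, and the response headers that stop framing and cross-site cookie submission. The session store, the transfer handler and the `handle_transfer` form names are assumptions made for the example.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store, standing in for a real server session backend.
SESSIONS: Dict[str, Dict[str, str]] = {}


def new_session() -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid


def issue_csrf_token(session_id: str) -> str:
    """Mint an unpredictable token and bind it to this session on the server side.
    The page embeds it in every form; an attacker's page cannot read it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf"] = token
    return token


def verify_csrf_token(session_id: str, submitted: Optional[str]) -> bool:
    """Accept the request only if the submitted token matches the session's token.
    compare_digest keeps the comparison time independent of where the mismatch is."""
    expected = SESSIONS.get(session_id, {}).get("csrf")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def secure_response_headers(session_id: str) -> Dict[str, str]:
    """Headers every authenticated page should carry: no framing (clickjacking),
    and a session cookie the browser will not attach to cross-site POSTs."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
        "Set-Cookie": f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/",
    }


def handle_transfer(session_id: str, form: Dict[str, str]) -> str:
    """Hypothetical state-changing endpoint: the token check runs before anything else."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    sid = new_session()
    token = issue_csrf_token(sid)
    # Legitimate submission carries the token the page was rendered with.
    print(handle_transfer(sid, {"csrf_token": token, "amount": "100", "to": "alice"}))
    # Forged cross-site request: cookies are attached by the browser, but no token.
    print(handle_transfer(sid, {"amount": "100", "to": "mallory"}))
    print(secure_response_headers(sid))
```

The token is regenerated per session rather than per request here; rotating it per form is stricter but breaks multi-tab use, so most frameworks bind it to the session as shown.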

Page 18: Understanding Online Security

XSS (Cross-Site Scripting)

➔Verbatim display of user-submitted content, so the browser treats it as markup or script

➔Used to:

◆ Steal personal information

◆ Hijack sessions or install Trojans

◆ Redirect to foreign sites

➔Protection:

◆ Encode all user-provided data for the context it lands in (HTML body, attribute, JavaScript string, URL)

◆ Use safe JavaScript APIs (never eval; prefer textContent over innerHTML for untrusted data)

[Diagram: one client submits content to the server, which stores it and serves it back to another client]
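Output encoding per context, as an added example that is not from the original deck: the same comment rendered verbatim (the vulnerable form) and then placed into an HTML body, an attribute, an inline script and a URL, each through the encoder for that context. The payload and the `render_safe` template are constructed for the example.

```python
import html
import json
from urllib.parse import quote

# Constructed attacker input, as a user might type it into a comment field.
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_vulnerable(comment: str) -> str:
    """Verbatim interpolation: the browser parses the comment as markup and runs the script."""
    return f"<p>{comment}</p>"


def encode_html(s: str) -> str:
    """HTML body and quoted-attribute context: &, <, >, \" and ' become entities."""
    return html.escape(s, quote=True)


def encode_js_string(s: str) -> str:
    """Inline <script> string context: emit a quoted JS literal, and additionally
    \\u-escape the characters that could close the enclosing script block."""
    return (json.dumps(s)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def encode_url_component(s: str) -> str:
    """URL query-parameter context: percent-encode everything except unreserved characters."""
    return quote(s, safe="")


def render_safe(comment: str, author: str) -> str:
    """The same data in three contexts, each with its own encoder."""
    return (
        f'<p data-author="{encode_html(author)}">{encode_html(comment)}</p>\n'
        f"<script>var lastComment = {encode_js_string(comment)};</script>\n"
        f'<a href="/search?q={encode_url_component(comment)}">search</a>'
    )


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD, 'x" onload="evil()'))
```

A single "escape everything" pass is not enough: HTML entities inside a JavaScript string are just text, and a JSON literal inside an attribute still contains a closing quote. Pick the encoder by where the data lands.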

Page 19: Understanding Online Security

(SQL) Injection

➔Verbatim user-submitted content in a query, so the data is parsed as part of the SQL

➔Used to:

◆ Steal data

◆ Corrupt data

➔Protection:

◆ Prepared statements (parameterized queries): the primary defense

◆ Escape user input only where a parameter cannot be used (table or column names, ORDER BY), and prefer an allow-list there

https://xkcd.com/327/

Page 20: Understanding Online Security

Distributed Denial of Service

[Diagram: many attacking hosts flood the Website while a Legitimate User is crowded out]

➔Flood a website with traffic

➔Used to:

◆ Shut down targeted website

◆ Block traffic from the website

◆ Extort payments

➔Protection:

◆ Firewalls and rate limiting block attacking traffic; against a volumetric flood the filtering has to happen upstream (ISP, CDN or scrubbing service), because a firewall on the target is behind the link that is being saturated
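A per-client token-bucket rate limiter run over constructed traffic, as an added example that is not from the original deck: one real user at one request per second and one flooding host at a hundred per second. The rate and burst values and the two IP addresses are assumptions for the example; this kind of filter handles application-layer floods from a bounded set of sources and does nothing for a volumetric flood that fills the link before it.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple


class TokenBucket:
    """Allow up to `burst` requests at once, refilling at `rate` requests per second."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last: Optional[float] = None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            # Refill for the time elapsed since the previous request, capped at the burst.
            self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerClientLimiter:
    """One bucket per source address; a flooding host exhausts only its own bucket."""

    def __init__(self, rate: float, burst: int) -> None:
        self.buckets: Dict[str, TokenBucket] = defaultdict(lambda: TokenBucket(rate, burst))

    def allow(self, client_ip: str, now: float) -> bool:
        return self.buckets[client_ip].allow(now)


def filter_requests(requests: Iterable[Tuple[float, str]],
                    rate: float = 5.0, burst: int = 10) -> Dict[str, Dict[str, int]]:
    """Replay (timestamp, client_ip) pairs in time order; count allowed and dropped per client."""
    limiter = PerClientLimiter(rate, burst)
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, ip in sorted(requests):
        stats[ip]["allowed" if limiter.allow(ip, ts) else "dropped"] += 1
    return dict(stats)


def sample_traffic() -> List[Tuple[float, str]]:
    """Constructed traffic: a real user at 1 req/s and a flooding host at 100 req/s, 20 s each."""
    legit = [(float(i), "203.0.113.7") for i in range(20)]
    flood = [(i / 100.0, "198.51.100.9") for i in range(2000)]
    return legit + flood


if __name__ == "__main__":
    for ip, counts in filter_requests(sample_traffic()).items():
        print(ip, counts)
```

With a 10-request burst and 5 requests per second of refill, the flooding host gets roughly 110 of its 2000 requests through while the real user loses none.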

Page 21: Understanding Online Security

Social Engineering

➔Simply ask someone for their credentials

➔Used to:

◆ Obtain credentials

◆ Access secure systems

➔Protection:

◆ Training

◆ Never tell anyone your passwords

https://xkcd.com/538/

Page 22: Understanding Online Security

Security Principles &

Terminology

Page 23: Understanding Online Security

Key Objectives

➔ Ensure users are who they claim to be…with every request

➔ Users can do what they need…but no more

➔ Data is kept safe

➔ Communication is kept private

Page 24: Understanding Online Security

Authentication

➔Identity

➔Something you Know (password)

➔Something you Are (biometrics)

➔Something you Have (security key)

Natalie Curtiss : Grandmother? (https://flic.kr/p/7VqQPa)

Page 25: Understanding Online Security

Authorization

➔Restrict access to specific data

➔Access levels:

◆ View

◆ Change

◆ Delete

➔Rules applied based on the authenticated identity (its roles and what it owns)

Page 26: Understanding Online Security

Least Privilege

https://xkcd.com/898/

Page 27: Understanding Online Security

Obscurity

➔Once a secret is out, you can't put it back

➔Security must rest on the key, not on a secret algorithm (Kerckhoffs's principle); algorithms have to be shared to interoperate anyway

➔Implementation accuracy requires public review

➔A design that depends on secrecy carries an unpredictable level of risk

Which box holds

the prize?

Page 28: Understanding Online Security

Cryptography

➔Security rests on stated mathematical hardness assumptions, so the cost of breaking a scheme can be estimated rather than guessed

➔Cryptographic hash

➔Symmetric encryption

➔Public-key encryption

➔Transport Layer Security (https)

[Diagram: two public/private key pairs. Encryption: the public key encrypts, the private key decrypts. Signing: the private key signs, the public key verifies]

Page 29: Understanding Online Security

Chain of Trust

➔Digital Signatures

➔Certificates

➔Only sign certificates for identities you have actually verified

➔Only accept certificates that chain to a root you trust, with a name that matches the host you asked for

Page 30: Understanding Online Security

Minimum Developer Responsibility

➔HTTPS

➔Password Protection

◆ Hashing for Auth (passwords your users present to you; you only ever need to verify them)

◆ AES for System Logins (credentials your system must present to other systems, so they have to be recoverable; keep the key out of the database that holds them)

➔OWASP Top 10 - https://owasp.org

Page 31: Understanding Online Security

Passwords

Page 32: Understanding Online Security

Password Protection

➔Hash, don't encrypt

◆ Purpose-built password hash (bcrypt, scrypt, Argon2, PBKDF2); a plain SHA-512 is far too fast to use on its own

➔Salt

◆ Two salts - a random per-row salt stored beside the hash, and an app-wide secret (pepper) kept outside the database

➔Iterate

◆ Key derivation (PBKDF2, bcrypt)

➔Go slow!

[Diagram: password + salt, hashed 1000x]

Page 33: Understanding Online Security

1. Click “forgot password”

2. Enter identification

3. Receive email

4. Click link

5. Enter security key(s)

6. Enter new password

[Diagram: the Change Password flow across the Website Security Form, the emailed link, and the New Password form]
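The six-step reset flow above as server-side logic, added here as an example that is not from the original deck: the emailed link carries a random one-time token, the server stores only a hash of it with an expiry, and redeeming it removes it so the link cannot be replayed. The user table, the 15-minute lifetime and the `now` parameter (so the expiry can be exercised without waiting) are assumptions for the example; the second-factor check of step 5 is assumed to happen before `redeem_reset` is called.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60

# Constructed stores standing in for database tables.
USERS: Dict[str, Dict] = {"alice": {"email": "alice@example.com", "password_hash": None}}
RESET_TOKENS: Dict[str, Dict] = {}      # keyed by sha256(token): a DB dump does not leak live links


def request_reset(identifier: str, now: Optional[float] = None) -> Optional[str]:
    """Steps 1-3: the user identifies themselves and we mail a link containing the token.
    Returns the token for the link, or None for an unknown user; the UI must show the
    same message either way so that account existence is not leaked."""
    if identifier not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": identifier,
        "expires": (now if now is not None else time.time()) + TOKEN_TTL_SECONDS,
    }
    return token


def redeem_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Steps 4-6: the link is clicked and, after the second factor, a new password is set.
    The token is valid once, and only before it expires."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)          # pop: never redeemable twice, expired or not
    if entry is None:
        return False
    if (now if now is not None else time.time()) > entry["expires"]:
        return False
    salt = secrets.token_bytes(16)               # store the new password as a slow salted hash
    USERS[entry["user"]]["password_hash"] = (
        salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000))
    return True


if __name__ == "__main__":
    link_token = request_reset("alice")
    print("mail link: https://example.com/reset?token=" + link_token)   # assumed URL
    print(redeem_reset(link_token, "new correct horse"))   # True
    print(redeem_reset(link_token, "again"))               # False: already used
```

The reason the server keeps only the hash of the token is the same as for passwords: anyone who reads the table must not be able to take over accounts with what they find there.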

Page 34: Understanding Online Security

Passwords

https://xkcd.com/936/

Page 35: Understanding Online Security

Safety & Security Tips

Page 36: Understanding Online Security

Networking Tips

➔Always use a Router with Firewall

➔Secure your WiFi

➔Don’t connect to unknown WiFi networks

➔Use VPN over unsecured WiFi

Page 37: Understanding Online Security

Email Tips

➔Don’t open email from an unknown sender

➔Never open unexpected attachments in your email

➔Avoid clicking links in an email

Page 38: Understanding Online Security

Website Tips

➔Always log out when finished

➔Keep your browser up-to-date (Chrome, Firefox, Opera)

➔Don't submit information over an insecure (non-HTTPS) connection

Page 39: Understanding Online Security

Password Tips

➔Use a Password Manager (LastPass, 1Password, KeePass)

➔Use long and complex passwords (30 random characters)

➔Use 2-factor authentication when available

➔Change compromised passwords

Page 40: Understanding Online Security

Tools

➔LastPass - https://www.lastpass.com/

➔Have I Been Pwned? - https://haveibeenpwned.com/

➔Abine Blur - https://www.abine.com/index.html

Page 41: Understanding Online Security

Discussion

Page 42: Understanding Online Security

Why aren’t all systems secure?

➔Education & Training

➔Weakest Link

➔Trade-offs

➔Moving Target

➔Laws & Politics

Page 43: Understanding Online Security

Security decisions

➔What are we protecting?

➔What is the likelihood of attack?

➔What are the risks of security failure?

➔What are the probable attack vectors?

➔How will we detect and report breaches?

➔Don’t forget the ethics!

Page 44: Understanding Online Security

How does online security help people?

➔Restrict access to financial assets

➔Protect your identity and personal information

➔Defend against device takeover

➔Shelter citizens from oppressive governments

➔Preserve 1st, 4th, and 5th amendment rights

Page 45: Understanding Online Security

Resources

➔Troy Hunt - https://www.troyhunt.com/

➔Brian Krebs - https://krebsonsecurity.com/

➔WIRED Threat Level - https://www.wired.com/category/threatlevel

➔Pluralsight - https://pluralsight.com/browse/information-cyber-security

Page 46: Understanding Online Security

Michael Dowden

@mrdowden

linkedin.com/in/mdowden

plus.google.com/+MichaelDowden


lanyrd.com/profile/mrdowden/