EVERYTHING YOU NEED TO KNOW ABOUT SECURITY

MIKI REZENTES

MOST OF WHAT YOU NEED TO KNOW ABOUT SECURITY

MIKI REZENTES

A TINY BIT ABOUT SECURITYMIKI REZENTES

REALITY VS. THE MOVIES

I’LL CREATE A GUI INTERFACE USING VISUAL BASIC, SEE IF I CAN TRACK AN IP ADDRESS.

Some tv show character

DEFENDING AGAINST CRIME ON TV

SECURITY

TALK OUTLINE

▸Personal security

▸Development security

▸Data Security and Encryption

PERSONAL SECURITY

▸Passwords

▸Logout

▸Install your updates

▸Don’t trust email

▸2 Factor Auth

PASSWORDS

ENTROPY

DON’T REUSE

HAVE YOU BEEN POWNED?

PASSWORD MANAGERS

RECOVERY CODES

IN REVIEW

PASSWORD

▸Don’t reuse passwords

▸Make strong passwords

▸Use a password manager

▸Keep you recovery codes

LOGOUT

INSTALL UPDATES

THIS BREACH WAS COMPLETELY PREVENTABLE.

THE SOFTWARE PATCH HAS BEEN AVAILABLE

FOR MONTHS

Expert quote on pretty much all security breaches

EMAIL

EMAIL

▸ Is not secure communication

▸ Was not designed for security

▸ Can contain really bad stuff - Phishing

▸ Don’t be afraid to throw it away without looking

▸ Don’t open, don’t click

2 FACTOR AUTH

PERSONAL SECURITY

▸Passwords

▸Logout

▸Install your updates

▸Don’t trust email

▸2 Factor Auth

Recap

DEVELOPMENT SECURITY

THERE IS ALWAYS THAT ONE PERSON.

Miki

MENTAL FLOOD

▸ Obscurity is not Security

▸ Don’t trust user input

▸ Front end validation is just a pre-check

▸ If your API isn’t protected, nothing is protected

▸ Are my dependencies up to date?

▸ Do I understand our permissions model?

▸ Do I understand everything my app is dependent on?

OWASP

▸ OWASP Top 10 Application Security Risks - 2017

▸ Injection

▸ Broken Authentication and Session Management

▸ Cross Site Scripting (XSS)

▸ Broken Access Control

▸ Security Misconfiguration

▸ Sensitive Data Exposure

▸ Insufficient Attack Protection

▸ Cross - Site Request Forgery (CSRF)

▸ Using Components with Known Vulnerabilities

▸ Under protected APIs

FRAMEWORK SECURITY

Caution: ADVANCED TECHNIQUE

LANGUAGE SECURITY

WHAT ARE THE SECURITY VULNERABILITIES OF _________________?

Every programmer

Caution: ADVANCED TECHNIQUE

READABLE CODE

MONITORING - NOTHING IS 100% SECURE

METRICS

▸Know what’s normal

▸Identify irregularities

▸Automate alerts

▸Gather forensic data

INSTALL UPDATES

GO TEAM!

DATA SECURITY AND ENCRYPTION

POSSIBLE WEAKNESSES

▸ in the cryptographic algorithms

▸in the implementation

INSTALL UPDATES

WHAT DOES IT MEAN

▸Protect data confidentiality

▸Prevent file/data tampering

CONFIDENTIALITY

PREVENTING FILE OR DATA TAMPERING

KEYS

DON’T SHARE YOUR PRIVATE KEY EVER EVER EVER

ENCRYPTIONciphertextplaintext

ALSO FROM WIKIPEDIA

TYPES OF ENCRYPTION

▸Symmetric Key / Private key

▸Public Key

ENCRYPTION ALGORITHMS

▸DES

▸Triple DES

▸RSA - used by PGP and GPG programs

▸AES - Advanced Encryption Standard

BASE 64 ENCODING

BASE 64 ENCODING

▸ represent binary data in an ASCII string format by translating it into a radix-64 representation

▸ Ensures the data is unlikely to be modified in transit

▸ choose 64 characters that are both members of a subset common to most encodings, and printable

PREVENT TAMPERING

PREVENTING FILE OR DATA TAMPERING

CHECKSUMA checksum is a small-sized datum derived from a block of digital data for the

purpose of detecting errors which may have been introduced during

its transmission or storage

Checksums are calculated using a checksum function. These functions are usually

posted with the file being downloaded.

PREVENTING FILE OR DATA TAMPERING

HASHINGA hash function is any function that can be used to map data of

arbitrary size to data of fixed size

PREVENTING FILE OR DATA TAMPERING

CRYPTOGRAPHIC HASH▸ A hash function which is designed to be a one-way

function.

▸ Used to store passwords

▸ Never store plain text passwords

▸ When a user signs in, the password is hashed and compared to the stored hash.

▸ If the hashes match, access is granted.

PREVENTING FILE OR DATA TAMPERING

GOOD HASH FUNCTIONS▸Deterministic - same message

produces the same result

▸Quick

▸Can’t be reversed

▸Low collision

FROM WIKIPEDIA

MACMessage Authentication Code gives a recipient reason to believe:

▸ the message was created by a known sender (authentication)

▸ the message was not altered in transit (integrity).

FROM WIKIPEDIA

SIGNATURES A valid digital signature gives a recipient reason to believe:

▸ the message was created by a known sender (authentication)

▸ the sender cannot deny having sent the message (non-repudiation)

▸ the message was not altered in transit (integrity).

FROM WIKIPEDIA

MACS VS. SIGS▸ MACs differ from digital signatures as MAC values are

both generated and verified using the same secret key

▸ MACs do not provide the property of non-repudiation offered by signatures

SUPER HIGH LEVEL PROCESS

▸ Take a key

▸ A signing algorithm that takes a message and a key and produces a signature/mac.

▸ A signature verifying algorithm that takes the message, a key and signature, either accepts or rejects the message's claim to authenticity.

FROM WIKIPEDIA

HMACkeyed-hash message authentication code:

▸ cryptographic hash function and a secret cryptographic key

▸ the message was created by a known sender (authentication)

▸ the message was not altered in transit (integrity).

CERTIFICATE CHAINS

CERTIFICATE AUTHORITY

▸acts as a trusted third party

▸ issues digital certificates (Root certificates)

▸certifies the ownership of a public key by the named subject of the certificate

FROM WIKIPEDIA

X509

▸ a standard that defines the format of public key certificates

▸ The Issuer of each certificate (except the last one) matches the Subject of the next certificate in the list.

▸ Each certificate (except the last one) is supposed to be signed by the secret key corresponding to the next certificate in the chain (i.e. the signature of one certificate can be verified using the public key contained in the following certificate).

▸ The last certificate in the list is a trust anchor: a certificate that you trust because it was delivered to you by some trustworthy procedure.

TLS TRANSPORT LAYER SECURITY

HIGH LEVEL CONNECTION STEPS

▸ Browsers are shipped with a collection of root certs.

▸ Client hello (random value, cipher suites)

▸ Server hello (server random value)

▸ Server sends cert, client may send their cert

▸ client creates a random Pre-Master Secret and encrypts it with the server’s public key

HIGH LEVEL CONNECTION STEPS - CONT.

▸ server and client each generate the Master Secret and session keys

▸ client sends "Change cipher spec”

▸ Server receives "Change cipher spec”

▸ All messages sent from client to server and from server to client are encrypted using session key

BLOCKCHAIN

JUST FOR FUN

▸ No More Secrets

▸ geektyper.com