Passwords Breaches, Storage, Attacks OWASP AppSec USA 2013.

Slides:



Advertisements
Similar presentations
The OWASP Foundation Secure Password Storage Verify Only Add Salt Slow Down (or) HMAC/Isolation.
Advertisements

Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
Secure Password Storage JOSHUA SMALL LHNSKEYHTTPS://GITHUB.COM/TECHNION/ LHNSKEY - ROOT PASSWORD GENERATOR FOR CVE
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Chapter 3 Passwords Principals Authenticate to systems.
1 Network Security Derived from original slides by Henric Johnson Blekinge Institute of Technology, Sweden From the book by William Stallings.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CS795/895.NET Passport1. NET PASSPORT &TRUSTBRIDGE SHRIPAD PATIL CS795/895 SECURITY IN DISTRIBUTED SYSTEMS.
Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
VPN AND SECURITY FLAWS Rajesh Perumal Clemson University.
FIVE STEPS TO REDUCE THE RISK OF CYBERCRIME TO YOUR BUSINESS.
Time-Memory tradeoffs in password cracking 1. Basic Attacks Dictionary attack: –What if password is chosen well? Brute Force (online version): –Try all.
CIS 450 – Network Security Chapter 8 – Password Security.
Attacks Against Database By: Behnam Hossein Ami RNRN i { }
ENTERPRISE COMPUTING QUIZ By: Lean F. Torida
Databases and security continued CMSC 461 Michael Wilson.
Security Testing Case Study 360logica Software Testing Services.
Introduction to ITE Chapter 9 Computer Security. Why Study Security?  This is a huge area for computer technicians.  Security isn’t just anti-virus.
Mark Shtern. Passwords are the most common authentication method They are inherently insecure.
Authentication Key HMAC(MK, “auth”) Server Encryption Key HMAC(MK, “server_enc”) User Password Master Key (MK) Client Encryption Key HMAC(MK, “client_enc”)
1 Lecture 8: Authentication of People what you know (password schemes) what you have (keys, smart cards, etc.) what you are (voice recognition, fingerprints,
© 2007 Cisco Systems, Inc. All rights reserved.ICND1 v1.0—1-1 Building a Simple Network Securing the Network.
Trojan Virus By Forbes and Mark. What is a Trojan virus Trojans are malicious programs that perform actions that have not been authorised by the user.
Password Management Strategies for Online Accounts Shirley Gaw, Edward W. Felten Princeton University.
Denial of Service (DoS) DoS attacks are aggressive attacks on an individual computer or groups of computers with the intent to deny services to intended.
Introduction. Readings r Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design Edn. 3 m Note: All figures from this book.
Lecture 1 Page 1 CS 239, Fall 2010 Distributed Denial of Service Attacks and Defenses CS 239 Advanced Topics in Computer Security Peter Reiher September.
Advanced Accounting Information Systems Day 23 Operating Systems Security October 16, 2009.
Security. Security Flaws Errors that can be exploited by attackers Constantly exploited.
How Safe are They?. Overview Passwords Cracking Attack Avenues On-line Off-line Counter Measures.
Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
Mehmud Abliz, Taieb Znati, ACSAC (Dec., 2009). Outline Introduction Desired properties Basic scheme Improvements to the basic scheme Analysis Related.
Attack and Malicious Code Andrew Anaruk. Security Threats Denial of Service (DoS) Attacks Spoofing Social Engineering Attacks on Encrypted Data Software.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Denial of Service Attack 발표자 : 전지훈. What is Denial of Service Attack?  Denial of Service Attack = DoS Attack  Service attacks on a Web server floods.
Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.
CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks.
November 19, 2008 CSC 682 Do Strong Web Passwords Accomplish Anything? Florencio, Herley and Coskun Presented by: Ryan Lehan.
Lecture 5 User Authentication modified from slides of Lawrie Brown.
Firewalls. Intro to Firewalls Basically a firewall is a barrier to keep destructive forces away from your computer network.
Module 4 Password Cracking
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.
Chapter 17– Attacking Application Architecture Hareesh Lingareddy.
Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
Chapter 14: Controlling and Monitoring Access. Comparing Access Control Models Comparing permissions, rights, and privileges Understanding authorization.
 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.
FERPA & Data Security:FERPA & Data Security: Passwords and Authenticators.
Internet security for the home Paul Norton MEng(Hons) MIEE Electronic engineer working for Pascall Electronics Ltd. on the Isle of Wight A talk on Internet.
Understanding Security Policies Lesson 3. Objectives.
MIGHTY CRACKER Chris Bugg Chris Hamm Jon Wright Nick Baum We could consider using the Mighty Cracker Logo located in the Network Folder.
 Computer Network Attack  “… actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers.
James F. Fox MENA Cyber Security Practice Lead Presenters Cyber Security in a Mobile and “Always-on” World Booz | Allen | Hamilton.
I have edited and added material.
Configuring Windows Firewall with Advanced Security
Online password manager By: Anthony diveronica
Authentication CSE 465 – Information Assurance Fall 2017 Adam Doupé
Attack Examples : DOS, Social Engineering
Authentication by Passwords
An Introduction to Web Application Security
Kiran Subramanyam Password Cracking 1.
Authentication CSE 365 – Information Assurance Fall 2018 Adam Doupé
Exercise: Hashing, Password security, And File Integrity
CS5220 Advanced Topics in Web Programming Secure REST API
Network Penetration Testing & Defense
Authentication CSE 365 – Information Assurance Fall 2019 Adam Doupé
Presentation transcript:

Passwords Breaches, Storage, Attacks OWASP AppSec USA 2013

About Me

Password in the News

UNDERSTANDING PASSWORD THREATS

Online Attacks Attackers interact with web interface via scripts & automation Defenses Available: Account Lockout, Attacker Profiling, Anti-automation Example Online Attacks Password Brute Force - 4 variations Credential Stuffing - (Reuse of compromised passwords) Account Lockout

Offline Attacks Attackers have password hashes and are performing attacks against file Defenses Available: Only the strong hashing algorithm you selected Example Offline Attacks Hash brute force - dictionary or iterative Rainbow tables

OFFLINE PASSWORD STORAGE

Password Storage Bad Approaches Your own algorithm md5 sha1 encryption base64 encoding rot 13 Good Approach Bcrypt Scrypt PBKDF2 + Per user salt

ADDITIONAL ATTACKS

Denial of Service Denial of Service (DOS) Distributed Denial of Service (DDOS)

Denial of Service

DDOS Comparisons Traditional Network DDOS overwhelms target with volume exhausts bandwidth / capacity of network devices Requires large number of machines Defenses: CDN, anti-DDOS services Application Abuse DOS invokes computationally intense application functions exhausts CPU / memory of web servers Requires few machines Defenses: Few available, must customize

Credential Stuffing Account Take Over - Credential Stuffing

Distributed App Lock Out

Service Desk Overload

Take Aways Password Hashing – Don’t get breached - Defense in depth – Don’t exacerbate breach – use correct hashing Online Attacks – Prepare for automated attacks – Different attacks and motivation from Criminal Enterprises, Hacktivism, Nation State, etc

Thanks!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.