Passport Project
Introduction -- Single Sign-on Concept
Demo of Passport
Behind the Scenes -- Packet Capture
Vulnerabilities & Futures
Team
–Jay Benson, AACC
–Lew Pulsipher, CCCC
–Roseann Thomas, FTCC
–Tenette Prevatte, FTCC

Single Sign-on Concept
Numerous Accounts
–Internet Stores
–Financial Orgs
–Etc.
One Passport Account
–Trusted Intermediary
–Holds User ID and Wallet
Passport Account Authenticates User to All Accounts
–Automatic re-direction
–Encrypted links and cookies

Single Sign-on Big Picture
Through pre-arrangement, User has signed an agreement with Passport.com.
1. User accesses some site, clicks on Passport icon, and is re-directed to Passport.com.
2. User authenticates to Passport.com, and is given an encrypted cookie. Notice that Passport.com does not communicate directly with the target site.
3. User is re-directed back to original site, and cookie is used to validate user to the site.
4. User continues dialog with site.
(Diagram: User, Some Site and Passport.com, with arrows labelled 1, 2 and 3,4.)

Typical Attacks
Centralized database
–Fake Merchant Site
–DNS Redirections
–Hack Centralized Database
Dependence on fundamentally insecure mechanisms
–Dependence upon JavaScript
–Cookies are Persistent
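The redirect flow from the "Big Picture" slide and the "Cookies are Persistent" point above, as an added simulation that is not part of the original presentation or of Passport itself: Passport.com issues a ticket bound to the requesting site with a short expiry, the browser carries it back, and the site checks it with its own key. Assumptions: per-site HMAC keys stand in for the per-site secret keys Passport shared with participating sites, site names and the 600-second lifetime are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed per-site secrets (assumption): each participating site shares
# a key with Passport.com; nothing is ever sent directly between the two.
SITE_KEYS = {"somestore.example": b"key-for-somestore", "bank.example": b"key-for-bank"}
TICKET_LIFETIME = 600  # seconds; constructed value


def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text)


def passport_issue_ticket(user_id: str, site: str, now: int) -> str:
    """Step 2: after authenticating the user, Passport.com hands back a ticket
    bound to the site that redirected the user. The browser carries it."""
    body = json.dumps({"uid": user_id, "site": site, "iat": now, "exp": now + TICKET_LIFETIME}).encode()
    mac = hmac.new(SITE_KEYS[site], body, hashlib.sha256).digest()
    return b64(body) + "." + b64(mac)


def site_validate_ticket(site: str, ticket: str, now: int):
    """Step 3: the site checks the MAC with its own key, then audience and expiry.
    A ticket captured from a persistent cookie is useless once 'exp' has passed,
    and a ticket issued for one site is rejected by another."""
    try:
        body_b64, mac_b64 = ticket.split(".")
        body = unb64(body_b64)
        expected = hmac.new(SITE_KEYS[site], body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(mac_b64)):
            return None
        claims = json.loads(body)
    except (ValueError, KeyError, TypeError):
        return None
    if claims.get("site") != site or claims.get("exp", 0) <= now:
        return None
    return claims.get("uid")


def sso_flow(user_id: str, site: str, now: int):
    """Steps 1-4 end to end: redirect to Passport.com, authenticate, redirect back."""
    ticket = passport_issue_ticket(user_id, site, now)
    return site_validate_ticket(site, ticket, now)
```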

The Dilemma of Vulnerability Reporting
Two ways for “white hats” to report vulnerabilities
–Secretly notify a few individuals and the vendor
–Announce the problem on bug/security forums
Each method has advantages and drawbacks
Reporting of Passport vulnerabilities especially illustrates these drawbacks

“Secret” Disclosure Method
Secret method
–For months, before the vulnerability is fixed, people are at risk
–If the vulnerability is never fixed, who knows about it?
–If the vulnerability is fixed with a “quiet” patch, how many users will ignore the patch?
–What if “some kid” discovers the problem, rather than a well-known security person?

Announce to the World
Announce to the world method
–Too often, the vulnerability is never fixed, or “some kid” gets frustrated
–The vulnerability is then announced to the world
Drawback: now there’s a mad scramble to patch the problem before Black Hats take advantage of it
Advantage: problem gets fixed, and gets fixed FAST
Because the unknown person gets such publicity, there’s every incentive to use the “announce” method

Some Examples
Some Passport Vulnerability reports
–IEEE Computer Networks Journal, July 2000: “Risks of the Passport Single Signon Protocol”
–2600 Quarterly, Fall 2001: “Passport Hacking”
–Shiflett.org, Aug 2002: “Passport Hacking Revisited”
–Gartner Research, May 2003 (Pakistani researcher): “Security Flaw Shows…”
–“Secret” method referred to in Jan 2005 in CSO Magazine: “Beyond Passport Vulnerabilities”
–And many others

Variety of approaches
–IEEE highly respected, “secret” report first
–2600 is “The Hacker Quarterly” (see 2600.com); probably not “secret”
–Shiflett.org: follow-up to 2600 showing how to hack Microsoft’s fix!
–Gartner respected research group, but the original discoverer evidently used the non-secret method of reporting.
–In “CSO” only the existence, not details, of a vulnerability is reported, which was fixed very quickly