Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Problems at Colleges All materials posted at samsclass.info and free to use.

Published byChristiana Perry Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Problems at Colleges All materials posted at samsclass.info and free to use."— Presentation transcript:

1 Security Problems at Colleges All materials posted at samsclass.info and free to use

2 OWASP All materials posted at samsclass.info and free to use

3 OWASP.org Security tips, tools, and coding guidance for Web applications All materials posted at samsclass.info and free to use

4 `

5

6

7 Cross-Site Request Forgery All materials posted at samsclass.info and free to use

8 Login Secured with HTTPS All materials posted at samsclass.info and free to use

9 Authenticated Traffic Not Encrypted All materials posted at samsclass.info and free to use

10 Authentication Cookie All materials posted at samsclass.info and free to use

11

12 Blanket Solution: HTTPS Use HTTPS for all transactions But that might be – Expensive – Complicated – Slow All materials posted at samsclass.info and free to use

13

14

15 CSRF Demo All materials posted at samsclass.info and free to use

16 Cookie Cadger All materials posted at samsclass.info and free to use

17 Homework Project All materials posted at samsclass.info and free to use

18 Vulnerable Sites Amazon.com AOL.com siliconvalley-codecamp.com All materials posted at samsclass.info and free to use

19 Amazon Sends Authentication Token Unencrypted All materials posted at samsclass.info and free to use

20 HTTPS-Only Sites Google and Gmail Live.com (Microsoft) Yahoo.com Paypal.com All materials posted at samsclass.info and free to use

21 Partially Vulnerable Sites Tigerdirect.com Wordpress.com All materials posted at samsclass.info and free to use

22 SQL Injection All materials posted at samsclass.info and free to use

23

24 SQL Injection Vulnerability caused by using input from the user which can be misinterpreted as active code Weak defense: filter out special characters Strong defense: parameterized queries All materials posted at samsclass.info and free to use

25

26 SQLi on Pastebin All materials posted at samsclass.info and free to use

27 URL for Live Demo http://app.ocp.dc.gov/RUI/information/award s/detail.asp?award_id=4279%27%20AND%20 999=991%20AND%20%27AEEs%27=%27AEEs All materials posted at samsclass.info and free to use

28

29 Extracting Data No apostrophe required All materials posted at samsclass.info and free to use

30 Pharma Infections at Colleges All materials posted at samsclass.info and free to use

31

32 19 Colleges Infected with Pharma 5 Fixed within a few weeks 7 Fixed within 8 months 7 Still Infected on 7-19-14 http://samsclass.info/125/proj11/subtle-infect.htm#19more All materials posted at samsclass.info and free to use

33

34 Infections at UC Santa Cruz All materials posted at samsclass.info and free to use

35 UCSC cleaned their server Re-infected a week later NEED ROOT CAUSE ANALYSIS All materials posted at samsclass.info and free to use

36 Many More Pharma Infections Dozens of other schools, businesses, foreign sites, etc. http://samsclass.info/125/proj11/subtle- infect.htm#19more All materials posted at samsclass.info and free to use

37 Exposed Data All materials posted at samsclass.info and free to use

38 Exposed Error Logs Can leak cookies Even when secured by HTTPS All materials posted at samsclass.info and free to use

39 Google Dork for Exposed ELMAH Pages All materials posted at samsclass.info and free to use

40 Exposed Student Data All materials posted at samsclass.info and free to use

41 Exposed Password Hash All materials posted at samsclass.info and free to use

42 Open FTP Server with Medical Data All materials posted at samsclass.info and free to use

43 Libel by SC Magazine All materials posted at samsclass.info and free to use

44 Plaintext Login Pages at Colleges All materials posted at samsclass.info and free to use

45 Insecure Login Pages at Colleges 90 colleges notified in Dec, 2013 All materials posted at samsclass.info and free to use

46 Big Names Cornell Johns Hopkins Stanford UC Berkeley All materials posted at samsclass.info and free to use

47 Results 7 months after notification: 16/57 plaintext login pages fixed or improved (28%) 8/33 mixed login pages fixed or improved (24%) All materials posted at samsclass.info and free to use

48 Other Problems All materials posted at samsclass.info and free to use

49 ActiveMQ Free open-source middleware from Apache A Defcon talk said it was often insecure, so I looked on SHODAN to see All materials posted at samsclass.info and free to use

50

51

52 Real Check Data? All materials posted at samsclass.info and free to use

53

54

55 Wordpress Bots All materials posted at samsclass.info and free to use

56 >2000 WordPress Bots Thanks to Steven Veldkamp All materials posted at samsclass.info and free to use

57 WordPress Has Known for 7 Years All materials posted at samsclass.info and free to use

58

59

60

61

62 Open DNS Resolvers at Colleges All materials posted at samsclass.info and free to use

63 Results Seven months after notification 38% decrease in open resolvers, from a total of 682 to 421 All materials posted at samsclass.info and free to use

64 Old Wordpress Version Wall Street Journal – Wordpress version from 2012 – Ty Ryan Satterfield (@I_am_ryan_S) All materials posted at samsclass.info and free to use

Download ppt "Security Problems at Colleges All materials posted at samsclass.info and free to use."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
DEV333. Describe each main attack Demo how the attack works Fix our poor vulnerable application! Why Script Kiddies, Why? Click to Hack.

DEV333. Describe each main attack Demo how the attack works Fix our poor vulnerable application! Why Script Kiddies, Why? Click to Hack.
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
A Demo of and Preventing XSS in.NET Applications.

A Demo of and Preventing XSS in.NET Applications.
Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.

Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.

IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Spotting Web Vulnerabilities (from the eyes of an Script Kiddie)

Spotting Web Vulnerabilities (from the eyes of an Script Kiddie)
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
By Swapnesh Chaubal Rohit Bhat. BEAST : Browser Exploit Against SSL/TLS Julianno Rizzo and Thai Duong demonstrated this attack.

By Swapnesh Chaubal Rohit Bhat. BEAST : Browser Exploit Against SSL/TLS Julianno Rizzo and Thai Duong demonstrated this attack.
8/1/2015. Please Ask Questions! 2 Hacks In The News Office of Personnel Management (OPN) Flash vulnerabilities Sony Heartbleed iCloud Leaked Pictures.

8/1/2015. Please Ask Questions! 2 Hacks In The News Office of Personnel Management (OPN) Flash vulnerabilities Sony Heartbleed iCloud Leaked Pictures.

Similar presentations

Ads by Google