Presentation is loading. Please wait.

Presentation is loading. Please wait.

When Vulnerability Disclosure Gets Ugly For CNIT 123 1-17-2015 All materials posted at samsclass.info and free to use.

Published byCharles Owen Modified over 9 years ago

Similar presentations

Presentation on theme: "When Vulnerability Disclosure Gets Ugly For CNIT 123 1-17-2015 All materials posted at samsclass.info and free to use."— Presentation transcript:

1 When Vulnerability Disclosure Gets Ugly For CNIT 123 1-17-2015 All materials posted at samsclass.info and free to use

2

3 Obvious Security Problems Cold Calls All materials posted at samsclass.info and free to use

4 Old Wordpress Version Wall Street Journal – Wordpress version from 2012 – Ty Ryan Satterfield (@I_am_ryan_S) All materials posted at samsclass.info and free to use

5 SQLi on Pastebin All materials posted at samsclass.info and free to use

6 Websmart, Inc. and 100,000 Vulnerable Websites All materials posted at samsclass.info and free to use

7 Pharma Infections at Colleges All materials posted at samsclass.info and free to use

8

9 19 Colleges Infected with Pharma 5 Fixed within a few weeks 7 Fixed within 8 months 7 Still Infected on 7-19-14 http://samsclass.info/125/proj11/subtle-infect.htm#19more All materials posted at samsclass.info and free to use

10

11 Infections at UC Santa Cruz All materials posted at samsclass.info and free to use

12 UCSC cleaned their server Re-infected a week later NEED ROOT CAUSE ANALYSIS All materials posted at samsclass.info and free to use

13 Many More Pharma Infections Dozens of other schools, businesses, foreign sites, etc. http://samsclass.info/125/proj11/subtle- infect.htm#19more All materials posted at samsclass.info and free to use

14 Exposed Data All materials posted at samsclass.info and free to use

15 Exposed Error Logs Can leak cookies Even when secured by HTTPS All materials posted at samsclass.info and free to use

16 Google Dork for Exposed ELMAH Pages All materials posted at samsclass.info and free to use

17 Exposed Student Data All materials posted at samsclass.info and free to use

18 Exposed Password Hash All materials posted at samsclass.info and free to use

19 Plaintext Login Pages at Colleges All materials posted at samsclass.info and free to use

20 Insecure Login Pages at Colleges 90 colleges notified in Dec, 2013 All materials posted at samsclass.info and free to use

21 Big Names Cornell Johns Hopkins Stanford UC Berkeley All materials posted at samsclass.info and free to use

22 Results 7 months after notification: 16/57 plaintext login pages fixed or improved (28%) 8/33 mixed login pages fixed or improved (24%) All materials posted at samsclass.info and free to use

23 Other Problems All materials posted at samsclass.info and free to use

24 ActiveMQ Free open-source middleware from Apache A Defcon talk said it was often insecure, so I looked on SHODAN to see All materials posted at samsclass.info and free to use

25

26

27 Real Check Data? All materials posted at samsclass.info and free to use

28

29

30 Wordpress Bots All materials posted at samsclass.info and free to use

31 >2000 WordPress Bots Thanks to Steven Veldkamp All materials posted at samsclass.info and free to use

32 WordPress Has Known for 7 Years All materials posted at samsclass.info and free to use

33

34

35

36

37 Open DNS Resolvers at Colleges All materials posted at samsclass.info and free to use

38 Results Seven months after notification 38% decrease in open resolvers, from a total of 682 to 421 All materials posted at samsclass.info and free to use

39

40

41

42

43 Results After 4 Days 4/19 colleges improved their rating 3 emails returned (but one of them improved) 4 responses, 2 hostile, 2 friendly All materials posted at samsclass.info and free to use

44 HIPAA Violation at LSU All materials posted at samsclass.info and free to use

45 Open FTP Server with Medical Data All materials posted at samsclass.info and free to use

46 Reaction I notified them on June 17, 2014 No reply, but server was down 4 hours later Then on Aug. 28... All materials posted at samsclass.info and free to use

47 Reaction All materials posted at samsclass.info and free to use

48 John Poffenbarger All materials posted at samsclass.info and free to use

49 John Poffenbarger I encourage you to promptly investigate after publicly denouncing any such behaviors, as I would not expect an institution to accept, endorse, or tolerate any such actions. I would have to wonder how this would affect the moral judgment of your graduating students entering the workforce. All materials posted at samsclass.info and free to use

50

51 LSU Legal Notice All materials posted at samsclass.info and free to use

52 I Protested – To the reporter – To the CEO of his newspaper – To the Feds, against LSU, for HIPAA whistleblower retaliation After a few days, it was clear that none of this was going to do any good All materials posted at samsclass.info and free to use

53 I Believed 1.My actions were 100% lawful 2.Newspapers can't just publish complete lies and get away with it 3.I enjoyed HIPAA whistleblower protection 4.I'm in real trouble now, time to call a lawyer All materials posted at samsclass.info and free to use

54 Computer Fraud and Abuse Act (a) Whoever— – (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— – (C) information from any protected computer; shall be punished as provided in subsection (c) of this section. (2) the term “protected computer” means a computer— – (B) which is used in or affecting interstate or foreign commerce or communication http://www.law.cornell.edu/uscode/text/18/1030

55 All materials posted at samsclass.info and free to use

Download ppt "When Vulnerability Disclosure Gets Ugly For CNIT 123 1-17-2015 All materials posted at samsclass.info and free to use."

Similar presentations

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.
Slide 1 FastFacts Feature Presentation February 21, 2013 To dial in, use this phone number and participant code… Phone number: 888-651-5908 Participant.

Slide 1 FastFacts Feature Presentation February 21, 2013 To dial in, use this phone number and participant code… Phone number: Participant.
COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.

COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.
Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.

Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.
Data Breach Notification Toolkit Mary Ann Blair Director of Information Security Carnegie Mellon University September 2005 CSG Sponsored by the EDUCAUSE.

Data Breach Notification Toolkit Mary Ann Blair Director of Information Security Carnegie Mellon University September 2005 CSG Sponsored by the EDUCAUSE.
Sex Offender Registration and Community Notification Meeting The purpose of community notification is to provide information to protect you and your family,

Sex Offender Registration and Community Notification Meeting The purpose of community notification is to provide information to protect you and your family,
United States v. Nosal. The Nosal Fact Pattern Korn/Ferry computer Confidential information and trade secrets Authorized access by users logging in with.

United States v. Nosal. The Nosal Fact Pattern Korn/Ferry computer Confidential information and trade secrets Authorized access by users logging in with.
1 ENFORCING SOCIAL MEDIA AND COMPUTER USAGE POLICIES Haley R. Van Loon BrownWinick 666 Grand Avenue, Suite 2000 Des Moines, IA 50309-2510 Telephone: 515-248-6625.

1 ENFORCING SOCIAL MEDIA AND COMPUTER USAGE POLICIES Haley R. Van Loon BrownWinick 666 Grand Avenue, Suite 2000 Des Moines, IA Telephone:
Infotex Awareness Training Tools. m.infotex.com/tools Information Security Tools.

Infotex Awareness Training Tools. m.infotex.com/tools Information Security Tools.
Grid Security Users, VOs, Sites OSG Collaboration Meeting University of Washington Bob Cowles August 23, 2006 Work supported.

Grid Security Users, VOs, Sites OSG Collaboration Meeting University of Washington Bob Cowles August 23, 2006 Work supported.
Locking the Backdoor: Computer Security and Medical Office Practice Dr. Maury Pinsk, FRCPC University of Alberta Division of Pediatric Nephrology.

Locking the Backdoor: Computer Security and Medical Office Practice Dr. Maury Pinsk, FRCPC University of Alberta Division of Pediatric Nephrology.
Using e-journals Birkbeck Library. Using e-journals: outline of session What are journals / ejournals? Understanding a journal reference Finding a specific.

Using e-journals Birkbeck Library. Using e-journals: outline of session What are journals / ejournals? Understanding a journal reference Finding a specific.
CSC101 FINAL PROJECT by Sally Fletcher & Nicole Seguin December 11 th, 2003.

CSC101 FINAL PROJECT by Sally Fletcher & Nicole Seguin December 11 th, 2003.
Best Practices – Overview

Best Practices – Overview
DePaul Bears Try Your Luck!. Why buy this product? Approximately 1,000,000 cell phone users Approximately 2,000,000 or more people play the lottery New.

DePaul Bears Try Your Luck!. Why buy this product? Approximately 1,000,000 cell phone users Approximately 2,000,000 or more people play the lottery New.
Case #2- Prescription Renewal. John is a 45 year old male who has no refills left on his anti- hypertensive medications. He decided to phone his local.

Case #2- Prescription Renewal. John is a 45 year old male who has no refills left on his anti- hypertensive medications. He decided to phone his local.
Legal Issues Concerning Minors For STD Workers ISDH STD Prevention Program 2014.

Legal Issues Concerning Minors For STD Workers ISDH STD Prevention Program 2014.
© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,
Teenangel Gabriella. AIM is an instant messaging system. You have to be thirteen years old to use AIM. Besides sending messages, AIM is also used to tell.

Teenangel Gabriella. AIM is an instant messaging system. You have to be thirteen years old to use AIM. Besides sending messages, AIM is also used to tell.
Avon Foundation for Women Breast Health Outreach Program Online Application Tutorial.

Avon Foundation for Women Breast Health Outreach Program Online Application Tutorial.

Similar presentations

Ads by Google