
Security


sagnes




Presentation Transcript


  1. Security

  2. All Input is Evil (Part 1)

  3. Introduction • Will not cover everything • Healthy level of paranoia • Use my DVD Swap Shop application (week 2)

  4. Security Considerations • Authentication • Authorisation • Secure communication • Software + Hardware

  5. The Login • Provides authentication • asterisks ********* • SQL injection attack

  6. Human Problems • A simple conversation • People use words they can remember • Same passwords for many sites • Doctor Who fan: guess the password T****S

  7. Dictionary Attacks • If you know a user name throw the dictionary at it

  8. Brute Force Attack • If the password is CC but all we know is that it is two characters long ** AA AB BA BB BC CB CC • The longer the password the more time we need to crack it.

  9. Countermeasures • Education • Don’t use same password for all sites • Avoid passwords that could be guessed • Don’t use dictionary words • Enforce rules in code • Minimum password length • Non alpha numeric characters • Expiration date • Limit login attempts
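The "enforce rules in code" bullets above (minimum length, non-alphanumeric characters, no dictionary words, expiration, limited login attempts) as a small working example. This is added illustration in Python, not the VB.NET code of the DVD Swap Shop application the slides use; the word list, the thresholds (10 characters, 5 attempts, 15-minute lockout, 90-day expiry) and the injectable clock are my own choices for the demo.

```python
import re
import time
from datetime import datetime, timedelta

MIN_LENGTH = 10
MAX_PASSWORD_AGE = timedelta(days=90)
# Constructed mini word list for the demo; a real deployment loads a large dictionary.
DICTIONARY = {"password", "letmein", "tardis", "welcome", "qwerty"}


def check_password(password: str) -> list[str]:
    """Return the list of policy rules the password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no non-alphanumeric character")
    # Strip digits and symbols before the dictionary check, so "password123"
    # is still recognised as the dictionary word "password".
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in DICTIONARY:
        problems.append("based on a dictionary word")
    return problems


def password_expired(set_at: datetime, now: datetime) -> bool:
    """Expiration date rule: force a change once the password is older than MAX_PASSWORD_AGE."""
    return now - set_at > MAX_PASSWORD_AGE


class LoginLimiter:
    """Limit login attempts per user name: after max_attempts failures, lock out for lockout_seconds.

    The clock is injectable so the lockout can be tested without waiting.
    """

    def __init__(self, max_attempts: int = 5, lockout_seconds: float = 900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def allowed(self, username: str) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return True
        if self.clock() >= until:
            # Lockout has elapsed: clear state and let the user try again.
            del self._locked_until[username]
            self._failures.pop(username, None)
            return True
        return False

    def record_failure(self, username: str) -> None:
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_attempts:
            self._locked_until[username] = self.clock() + self.lockout_seconds

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)
```

The limiter keys on the user name, which is what stops a dictionary attack against one known account; a real deployment would also count failures per source address and record them for the operations team.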

  10. Use a Security Framework • Authentication options in .NET • Windows • Passport • Forms • DIY

  11. Securing Stored Passwords • Unsecured Access database • Stored in App_Data folder • (Could store on another drive/machine) • Plain text password stored in the table

  12. Password Hashing • .NET Cryptography • Encryption is ok • Hashing better • password123 • IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY= • Do not store the password in plain text

  13. Adding Salt • If the passwords for John and Fred without salt look like this... • John IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY= • Fred IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY= • Adding salt would change the hash values like so... • John 354rlrk8Jv7729qVOrOp0lXUv7RAsdV • Fred 9Wo0irC6+ylay0CJsLVtWBfbJBSn03j4gzhG • Concatenate password + email address
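A worked version of slides 11 to 13: the same password for John and Fred gives the same unsalted hash, salting with the email address (the slide's "password + email address" recipe) makes the stored values differ, and the login looks the record up with a parameterised query so the user name can never change the SQL. This is an added Python example, not the slides' VB.NET/Access code; it uses SHA-256 for the salted/unsalted comparison and, going one step beyond the slide, a random per-user salt with PBKDF2 for the stored form. The email addresses and the in-memory SQLite table are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000  # demo value; tune to your hardware


def unsalted_hash(password: str) -> str:
    """Hash of the password alone: identical passwords produce identical digests."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def email_salted_hash(password: str, email: str) -> str:
    """The slide's recipe: hash the concatenation password + email address."""
    digest = hashlib.sha256((password + email).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def slow_hash(password: str, salt: bytes) -> bytes:
    """Random per-user salt plus a deliberately slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def open_store() -> sqlite3.Connection:
    """In-memory user table standing in for the App_Data Access database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB NOT NULL, pwhash BLOB NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, email: str, password: str) -> None:
    salt = os.urandom(16)  # fresh salt per user, stored beside the hash
    conn.execute(
        "INSERT INTO users (email, salt, pwhash) VALUES (?, ?, ?)",
        (email, salt, slow_hash(password, salt)),
    )


def login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Parameterised lookup: the email is bound as data, never spliced into the SQL text."""
    row = conn.execute("SELECT salt, pwhash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(slow_hash(password, salt), stored)
```

Because the salt is random and stored per user, two users with "password123" get different rows, and an attacker who obtains the table cannot reuse one precomputed hash for everybody, which is the point the John/Fred slide makes.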

  14. Validation • Who do you trust? • Do you trust me not to make use of that data in some way?  • Do you trust me to write a web application that will not be compromised in any way? • Not just a matter of what people you trust but what systems do you trust? • Exclude list = characters we don’t allow • Include list = characters we do allow

  15. Code Injection • Script could run when page is rendered elsewhere in application • IIS automatically disallows this
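Slides 14 and 15 in code: an exclude list (characters we refuse) beside an include list (characters we allow) for the SwapTitle field, plus HTML encoding on output so a stored title is always rendered as text rather than script. This is an added Python example, not the application's VB.NET code or the request validation IIS/ASP.NET performs; the character sets, the 100-character limit and the sample titles are constructed for the demo.

```python
import html
import re

# Exclude list: characters we decide not to allow. Anything we did not think of
# (control characters, unusual Unicode) slips through unchanged.
EXCLUDE = set("<>\"';")


def passes_exclude_list(value: str) -> bool:
    return not any(ch in EXCLUDE for ch in value)


# Include list: exactly the characters a DVD title may contain, and nothing else.
TITLE_INCLUDE = re.compile(r"[A-Za-z0-9 ,.:!?&'()-]{1,100}")


def passes_include_list(value: str) -> bool:
    return TITLE_INCLUDE.fullmatch(value) is not None


def validate_title(value: str) -> str:
    """Include-list validation for SwapTitle; raises ValueError on anything outside the list."""
    if not passes_include_list(value):
        raise ValueError("SwapTitle contains characters outside the allowed set")
    return value


def render_title(title: str) -> str:
    """Encode on output: even a title that passed validation is shown as text, never parsed as markup."""
    return f"<td>{html.escape(title, quote=True)}</td>"
```

Two things the test below makes visible: the exclude list rejects a legitimate title with an apostrophe while letting an embedded NUL character through, whereas the include list gets both cases right; and output encoding is applied regardless, because validation and encoding are separate defences.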

  16. Turn Off Debug Mode • By entering bad data a hacker could crash your program

  17. We now Know • The language of the application (VB.NET) • The names of several parameters: SwapTitle, Description, etc. • In the light of the above, probably the names of some fields in the database (this way the hacker may refine the SQL injection attacks) • The remote path on the server C:\MyFiles\IMAT1604\content\Widget Swap\Widget Swap\aswap.aspx.vb

  18. Securing the Communication Channel

  19. Public and Private Keys

  20. Public and Private Keys

  21. Secure Sockets Layer (SSL) • The browser makes a secure HTTP request (HTTPS on port 443) • The server sends back a digital certificate verifying its credentials • The client verifies the certificate with the issuing agency • Using the public key, the data is encrypted between client and server

  22. Open Ports • Port scanners • Firewalls • IP Filtering • Turn off unused services • Grant Minimum Permissions to Resources
