Security

@brampatelski

    brampatelski

Me

Passion

How do things....

  • Work
  • Break
  • Abuse
  • Improve

Conferences

Heroes

Who are you?

Accounts

Hacked?

Security?

Password hygiene

Tips?

Change often

Long (8+)

Unique

Remember

Don't write down

UPPERCASE

Complex

l33tsp34k

Example

  • MySecretPassword123!
  • MySecretPassword123@
  • MySecretPassword123#
  • MySecretPassword123$
  • ???

Periodic change

  • 8 to 25 chars
  • min 1 UPPERCASE
  • min 1 lowercase
  • min 1 number
  • min 1 special

Complex

Check!

P@ssw0rd

* Checks all boxes

Unique

Long

Complex vs Long

  3 positions

10 options

10 positions

  3 options

10

3

10

3

= 1000

= 59049

Make your passwords looooooooonnnngggg

80+ accounts? Complex password rules? Good luck

Remember?

with random pw-generator:

Password-manager

My superl33t complex unique PW leaked out

2FA

2FA

Password storage

Hashing

Hashing

  • MD2*
  • MD4*
  • MD5*
  • SHA-0*
  • SHA-1*
  • SHA-256
  • SHA-512
  • HAVAL*
  • PANAMA*
  • RIPEMD-128/256
  • RIPEMD-160/320
  • Tiger
  • WHIRLPOOL

* Broken

Rainbow tables

Salting

HASH

Pepper

HASH

super-secret-app-key

Hardening

ENCRYPT

Hackers

  • criminal
  • personal gain
  • etc.

Black hat

  • ethical hacker
  • pen-tester
  • security professional
  • authorized

White hat

  • non-professional
  • not authorized
  • criminal?

Grey hat

  • White hats
  • Punisher style

Red hat*

* Not this one

This one:

  • kids
  • pranks
  • no coding skills
  • use scripts / tools

Script kiddies

Becomes...

  • curious kids
  • wanna be white-hat

Green hat

  • revenge hacker
  • hate-porn

Blue hat

  • insider
  • whistleblower
  • corporate revenge hacker

Corporate hacker

  • Greenpeace-style
  • ISIS hackers
  • Anonymous collective
  • etc.
  • Range of skill-levels

Activist

APT-names:

  • Jackals
  • Spiders
  • Unl. funds
  • Expert knowledge
  • You're F#'d

State sponsored

APT-names:

  • Bears (Russia)
  • Kitten (Iran)
  • Panda (China)
  • Chollima (NKorea)

Hacks

* Link

Data leaks

Mostly script kiddies

Web-cams

Don't try this at home

Disclaimer

Web-cams

Web-cams

URL-params

Is this hacking?

SQL-Injection

SELECT * FROM users
WHERE user = '$USR'
AND password = '$PWD';
SELECT * FROM users
WHERE user = 'bram'
AND password = 'qwerty';
bram
qwerty

SQL-Injection

SELECT * FROM users
WHERE user = '$USR'
AND password = '$PWD';
SELECT * FROM users
WHERE user = '' or true--'
AND password = 'qwerty';
' or true--
<empty>
SELECT * FROM users
WHERE user = '' or true--

SQL-Injection

SELECT * FROM users
WHERE user = '$USR'
AND password = '$PWD';
SELECT * FROM users
WHERE user = 'sinead o'connor'
AND password = '';
sinead o'connor
<empty>

SQL-Injection

Spare sheets

Diffie-Hellman

A = g  mod p

B = g  mod p

S = B  mod p

S = A  mod p

a

a

b

b

Don't try this at home

Don't try this at home

Seriously

Made with Slides.com