TechED 2013
I recently attended two amazingly fun-filled Hack-Ed sessions at Microsoft's TechEd Australia. The speakers were Kirk Jackson and Andy Prow, and as promised there was live hacking on stage and awkward humour that made us cringe (in a good way). Not to mention, I won a chocolate bar! Yay! I have posted a link to both their sessions below, but I thought I'd quickly touch on a few important things that they spoke about. I also highly recommend you follow their blog at http://www.hack-ed.com/.
Kirk and Andy went through a couple of recent security breaches from around the world (I've listed a few below). What was really funny was that most of them were easily preventable.
I know you've probably heard this before, but as web developers, security should not be an afterthought tacked onto the development process; it should be an integral part of your design. I highly recommend that you have a read through the Open Web Application Security Project (OWASP) material. They have recently updated their list of the top 10 vulnerabilities to look out for, available at https://www.owasp.org/index.php/Top_10_2013-Top_10.
Interesting Security Breaches
Now here are some of the interesting attacks that Kirk and Andy mentioned.
- AP Twitter Account Hacked: Dow Drops 150 Points, wiping out $136 billion in value. Read more here (http://www.bloomberg.com/news/2013-04-23/dow-jones-drops-recovers-after-false-report-on-ap-twitter-page.html).
- More than 6 million LinkedIn passwords stolen. The passwords were stored as SHA1 hashes, but not salted! Read more here (http://money.cnn.com/2012/06/06/technology/linkedin-password-hack/index.htm). Read more about SHA1 + Salt.
- 450,000 Yahoo! passwords stolen in a data breach. Apparently they were stored unencrypted, in plain text. YIKES! Read more here (http://www.technewsdaily.com/4563-yahoo-password-data-breach.html).
- First State Super - a system flaw, exposed by IT security consultant Patrick Webster, allowed members to access other members' statements simply by changing a number in the URL bar. Read more here (http://www.smh.com.au/it-pro/security-it/super-bad-first-state-set-police-on-man-who-showed-them-how--770000-accounts-could-be-ripped-off-20111018-1lvx1.html and http://www.smh.com.au/it-pro/security-it/claims-first-state-super-flaw-ignored-for-years-20111020-1m9ao.html).
- AusPost - a system flaw meant that altering the six-digit code at the end of the URL exposed personal information from other customers' address books. Read more here (http://www.news.com.au/technology/australia-post-hit-by-security-breach-again/story-e6frfro0-1226507720654#ixzz2eIyUiVXO).
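The LinkedIn and Yahoo! items above are both password-storage failures. The example below is mine, not code from the talk or the blog, and it shows why an unsalted fast hash is not enough: two users with the same password get the same digest, so one precomputed table cracks all of them. The hardened version goes one step further than "SHA1 + salt" by also using a slow, iterated KDF (PBKDF2-HMAC-SHA256 from the Python standard library); the user names, passwords and the `pbkdf2_sha256$iterations$salt$digest` record format are my own constructed choices.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration (not real accounts).
SAMPLE_USERS = [("alice", "Summer2013"), ("bob", "Summer2013"), ("carol", "hunter2")]


def unsalted_sha1(password: str) -> str:
    """The LinkedIn-style scheme: one fast, unsalted hash per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, *, iterations: int = 200_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).

    The stored record carries everything needed to verify later:
    algorithm, iteration count, salt and digest, separated by '$'.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def count_duplicate_digests(records) -> int:
    """Number of stored hashes that collide with another stored hash.

    With unsalted SHA1, identical passwords give identical digests, so cracking
    one hash (or one lookup in a precomputed table) unlocks every user sharing
    that password. With per-user salts the digests are all distinct.
    """
    digests = [digest for _, digest in records]
    return len(digests) - len(set(digests))


def compare_schemes(users=SAMPLE_USERS) -> dict:
    """Hash the same users both ways and report how many digests collide."""
    legacy = [(user, unsalted_sha1(pw)) for user, pw in users]
    # A low iteration count keeps the demo quick; production should use far more.
    salted = [(user, hash_password(pw, iterations=1_000)) for user, pw in users]
    return {
        "unsalted_collisions": count_duplicate_digests(legacy),
        "salted_collisions": count_duplicate_digests(salted),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

PBKDF2 is used here because it ships with Python; bcrypt, scrypt or Argon2 are equally valid choices, the point being a random per-user salt combined with a cost factor that makes bulk guessing expensive.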
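The First State Super and AusPost items are the same bug: the application authenticates the user and then trusts an identifier from the URL without checking that the record belongs to that user. The example below is mine, not code from the talk or from either organisation, and it puts the flawed handler beside the fixed one and includes the kind of authorisation test a developer should run against their own handler. The statement records, member names and the `Forbidden` exception are constructed for the demonstration.

```python
# Constructed sample data: statements keyed by a sequential number, as in a URL
# such as .../statement?id=1002 (hypothetical route, not either site's real one).
STATEMENTS = {
    1001: {"owner": "member-a", "balance": "12,300.00"},
    1002: {"owner": "member-b", "balance": "98,750.00"},
    1003: {"owner": "member-a", "balance": "1,050.00"},
}


class Forbidden(Exception):
    """Raised when the authenticated user is not allowed to read a record."""


def get_statement_vulnerable(session_user: str, statement_id: int) -> dict:
    """The flawed pattern: we know who session_user is (authentication passed),
    but the lookup trusts the id from the URL and never checks ownership."""
    return STATEMENTS[statement_id]


def get_statement(session_user: str, statement_id: int) -> dict:
    """Hardened: the record's owner must match the authenticated user."""
    record = STATEMENTS.get(statement_id)
    # Same failure for "does not exist" and "not yours", so the response does
    # not reveal which ids exist.
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"{session_user} may not read statement {statement_id}")
    return record


def list_own_statements(session_user: str) -> list:
    """Preferred shape: scope the query by the caller from the start, so ids
    are only ever resolved within the caller's own records."""
    return sorted(sid for sid, rec in STATEMENTS.items() if rec["owner"] == session_user)


def readable_ids(session_user: str, fetch, ids=range(1000, 1006)) -> list:
    """Authorisation test for a handler: which ids in a range can this user
    actually read? For a correct handler the answer must equal the user's own
    statements and nothing else."""
    readable = []
    for sid in ids:
        try:
            fetch(session_user, sid)
        except (Forbidden, KeyError):
            continue
        readable.append(sid)
    return readable


if __name__ == "__main__":
    print("vulnerable:", readable_ids("member-a", get_statement_vulnerable))
    print("fixed:     ", readable_ids("member-a", get_statement))
```

Replacing sequential ids with random, unguessable ones is a reasonable defence in depth, but it does not replace the ownership check: an id that leaks through a log or a referrer header is still usable unless the server verifies who is asking.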
Some interesting types of attacks
- Website defacement (specifically search defacement): http://www.websitepulse.com/blog/what-is-website-defacement
- 3DoS attack: while a DDoS attack comes from multiple sources, a 3DoS attack hits multiple layers at once (e.g. opening 1.5 million network connections and brute-forcing passwords at the same time, so the network and application layers are both under load).
- Zip of doom: uploading zip files which, when decompressed on the server, eat up all the free disk space.
- Billion Laughs Attack: http://en.wikipedia.org/wiki/Billion_laughs
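The zip of doom and the billion laughs attack are both small inputs that expand into huge resource use on the server, and the defence for both is the same: bound the expansion before it happens. The example below is mine, not from the talk, and covers both cases: it reads a zip's central directory to check the declared size and compression ratio before extracting, then extracts under a hard byte budget (because the declared sizes are attacker-controlled and may lie), and it parses XML with Python's expat while refusing any entity declaration, which is how libraries such as defusedxml block entity expansion. The budget and ratio thresholds, the `RejectedUpload` exception and the test archives are constructed for the demonstration.

```python
import io
import zipfile
import xml.parsers.expat

MAX_TOTAL_UNCOMPRESSED = 10 * 1024 * 1024  # 10 MiB per upload (assumed policy value)
MAX_RATIO = 100  # declared bytes per archive byte above this is suspicious (assumed)


class RejectedUpload(Exception):
    """Raised when an upload would exceed the resource limits."""


def inspect_zip(data: bytes):
    """Total the declared uncompressed sizes from the central directory
    without decompressing anything. Returns (total_declared, ratio)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        total = sum(info.file_size for info in zf.infolist())
    return total, total / max(len(data), 1)


def extract_with_budget(data: bytes, budget: int = MAX_TOTAL_UNCOMPRESSED) -> dict:
    """Reject on declared size or ratio, then extract member by member while
    counting the bytes actually produced, aborting as soon as the budget is hit."""
    total, ratio = inspect_zip(data)
    if total > budget or ratio > MAX_RATIO:
        raise RejectedUpload(f"declared {total} bytes, ratio {ratio:.0f}:1")
    produced = 0
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            chunks = []
            with zf.open(info) as member:
                while True:
                    chunk = member.read(64 * 1024)
                    if not chunk:
                        break
                    produced += len(chunk)
                    if produced > budget:  # real output, not the declared size
                        raise RejectedUpload("budget exceeded during extraction")
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out


def make_zip(members: dict) -> bytes:
    """Build a small in-memory archive (constructed test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def parse_xml_no_entities(document: str) -> str:
    """Parse with expat but refuse every entity declaration (internal or
    external). Entity expansion attacks need a DTD that declares entities,
    so rejecting the declaration stops the expansion before it starts.
    Returns the concatenated character data."""
    parser = xml.parsers.expat.ParserCreate()
    texts = []

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        raise RejectedUpload(f"entity declaration {name!r} not allowed")

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = texts.append
    parser.Parse(document, True)
    return "".join(texts)


if __name__ == "__main__":
    print(extract_with_budget(make_zip({"a.txt": b"hello"})))
    print(parse_xml_no_entities("<a>hi</a>"))
```

The two-stage zip check matters: the ratio test catches the classic highly compressible payload cheaply, but only the counted extraction protects against an archive whose headers understate the real size.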