Missing Encryption of Sensitive Data


Presentation transcript:

1 Missing Encryption of Sensitive Data
Secrieru Radu
Missing Encryption of Sensitive Data

2 Missing Encryption of Sensitive Data
Agenda
- History
- Related vulnerabilities
- Examples
- Prevention
- Reports


4 Missing Encryption of Sensitive Data
History

Ministry of Justice fined £180,000 for losing sensitive data on prisoners:

“A backup hard drive containing data on 2,935 prisoners went missing at HMP Erlestoke in Wiltshire last May. The information included details of links to organised crime, health information, history of drug misuse and material about victims and visitors. The device was not encrypted.”

“In October 2012, Stoke-on-Trent city council was fined £120,000 after a solicitor at the authority sent sensitive information on a child protection case over an insecure and unencrypted network.”


6 Related Vulnerabilities
- CWE-312: Cleartext Storage of Sensitive Information
- CWE-319: Cleartext Transmission of Sensitive Information
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm

Attacks:
- CAPEC-117: Interception
- CAPEC-157: Sniffing Attacks
- CAPEC-204: Lifting cached, sensitive data embedded in client distributions (thick or thin)


8 Missing Encryption of Sensitive Data
Examples

The cookie below holds the username and password in cleartext (CWE-312). The slide's overlay wraps the value as `Encrypter.encrypt($data)` before it is stored.

```php
<?php
function persistLogin($username, $password){
    $data = array("username" => $username, "password" => $password);
    // vulnerable: credentials written to the cookie in cleartext
    setcookie("userdata", $data);
    // slide overlay (fix): setcookie("userdata", Encrypter.encrypt($data));
}
?>
```

9 Missing Encryption of Sensitive Data
Examples

The client below reads a password over the socket and writes it to a file descriptor unchanged. The slide's overlay wraps `password_buffer` in `encrypt(...)` before the `write` call.

```c
server.sin_family = AF_INET;
hp = gethostbyname(argv[1]);
if (hp == NULL) error("Unknown host");
memcpy((char *)&server.sin_addr, (char *)hp->h_addr, hp->h_length);
if (argc < 3) port = 80;
else port = (unsigned short)atoi(argv[3]);
server.sin_port = htons(port);
if (connect(sock, (struct sockaddr *)&server, sizeof server) < 0) error("Connecting");
...
while ((n = read(sock, password_buffer, BUFSIZE - 1)) != -1) {
    /* vulnerable: the password is written out in cleartext */
    write(dfd, password_buffer, n);
    /* slide overlay (fix): write the output of encrypt(...) over password_buffer instead of the raw buffer */
}
```

10 Missing Encryption of Sensitive Data
Examples

The connection below is opened over plain `http` (CWE-319). The slide's overlay adds an `s` in three places: `https://` in the URL and `HttpsURLConnection` for the cast and the declared type.

```java
try {
    // vulnerable: cleartext transport
    URL u = new URL("http://www.secret.example.org/");
    HttpURLConnection hu = (HttpURLConnection) u.openConnection();
    // slide overlay (fix):
    // URL u = new URL("https://www.secret.example.org/");
    // HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
    hu.setRequestMethod("PUT");
    hu.connect();
    OutputStream os = hu.getOutputStream();
    hu.disconnect();
} catch (IOException e) {
    //...
}
```
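The following is an added example, not code from the slides, showing the defender's alternative to the `persistLogin` cookie on slide 8 and the `http://` connection on slide 10, and setting the cookie attribute from CWE-614 on slide 6. Rather than encrypting a cookie that carries the password, the server keeps the credentials out of the cookie entirely: it issues a random opaque session token, keeps the token-to-user mapping server-side, HMAC-signs the cookie value so edits are detected, sends the cookie with `Secure` and `HttpOnly`, and refuses to connect to any URL whose scheme is not `https`. Every name here (`issue_session`, `resolve_session`, `build_login_cookie`, `require_https`, `SERVER_KEY`) is this example's own, and the key and session store are constructed in-process.

```python
# Added example (not from the slides): keep credentials out of the cookie,
# sign what the cookie does carry, mark it Secure/HttpOnly, and enforce TLS.
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed key: generated once at start-up and never leaves the server.
SERVER_KEY = secrets.token_bytes(32)

# Server-side session store: opaque token -> username. The password is
# checked before a session is issued and is never retained or sent back.
_sessions: Dict[str, str] = {}


def _sign(token: str) -> str:
    """HMAC-SHA256 over the token, hex encoded."""
    return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()


def issue_session(username: str) -> str:
    """Create a session for an already-authenticated user.

    Returns the cookie value "<token>.<signature>". The cookie carries no
    username and no password, only an unguessable random token.
    """
    token = secrets.token_hex(32)  # 256 bits of randomness
    _sessions[token] = username
    return f"{token}.{_sign(token)}"


def resolve_session(cookie_value: str) -> Optional[str]:
    """Return the username for a cookie value, or None if it is invalid.

    The signature check is constant-time, and a forged or edited value is
    rejected before any session lookup happens.
    """
    token, sep, sig = cookie_value.partition(".")
    if not sep or not token or not sig:
        return None
    if not hmac.compare_digest(_sign(token).encode(), sig.encode()):
        return None
    return _sessions.get(token)


def build_login_cookie(cookie_value: str) -> str:
    """Render the Set-Cookie header with Secure, HttpOnly and SameSite set."""
    cookie = SimpleCookie()
    cookie["session"] = cookie_value
    morsel = cookie["session"]
    morsel["secure"] = True     # only sent over TLS (addresses CWE-614)
    morsel["httponly"] = True   # not readable from page scripts
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def require_https(url: str) -> str:
    """Refuse to proceed unless the URL is served over TLS (addresses CWE-319)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.netloc:
        raise ValueError(f"refusing cleartext or malformed URL: {url!r}")
    return url


if __name__ == "__main__":
    value = issue_session("alice")
    print(build_login_cookie(value))
    print(resolve_session(value))
    print(require_https("https://www.secret.example.org/"))
```

The point of the design is that there is nothing worth decrypting in the cookie: a stolen cookie can be revoked by deleting one entry from `_sessions`, whereas an encrypted password in a cookie stays valid for as long as the password and the key do. `require_https` belongs at the single place in the code base that builds outbound connections, so an `http://` URL fails loudly at the call site instead of silently sending the request in cleartext.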


12 Missing Encryption of Sensitive Data
Prevention
- Requirements
- Architecture and Design: Threat Modeling
- Architecture and Design: Libraries or Frameworks
- Architecture and Design: Separation of Privilege
- Implementation: Don't cut corners


14 Missing Encryption of Sensitive Data
Reports
- CVE: password and username stored in cleartext in a cookie
- CVE: password stored in cleartext in a file with insecure permissions
- CVE: chat program disables SSL in some circumstances even when the user says to use SSL
- CVE: product sends file with cleartext passwords in message intended for diagnostic purposes

15 Missing Encryption of Sensitive Data
Add-ons
- Cryptocat - https://addons.mozilla.org/en-US/firefox/addon/cryptocat/
- HttpsEverywhere - https://www.eff.org/https-everywhere
- AdblockPlus
- Disconnect
- Web of Trust

16 Missing Encryption of Sensitive Data
Bibliography
