
1 Missing Encryption of Sensitive Data SECRIERU RADU MISSING ENCRYPTION OF SENSITIVE DATA 1

2 Agenda
- History
- Related vulnerabilities
- Examples
- Prevention
- Reports

4 History

Ministry of Justice fined £180,000 for losing sensitive data on prisoners:

"A backup hard drive containing data on 2,935 prisoners went missing at HMP Erlestoke in Wiltshire last May. The information included details of links to organised crime, health information, history of drug misuse and material about victims and visitors. The device was not encrypted."

"In October 2012, Stoke-on-Trent city council was fined £120,000 after a solicitor at the authority sent sensitive information on a child protection case over an insecure and unencrypted network."

The two cases are the two halves of the problem: the first is cleartext data at rest (a lost, unencrypted backup drive), the second is cleartext data in transit (sensitive material sent over an unencrypted network).

6 Related vulnerabilities

Weaknesses:
- CWE-312: Cleartext Storage of Sensitive Information
- CWE-319: Cleartext Transmission of Sensitive Information
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm

Attacks:
- CAPEC-117: Interception
- CAPEC-157: Sniffing Attacks
- CAPEC-204: Lifting cached, sensitive data embedded in client distributions (thick or thin)

8 Examples

Cleartext storage (CWE-312): the login helper writes the username and the password into a cookie. Anyone who can read the browser's cookie store, a proxy log or the wire sees the credentials.

<?php
function persistLogin($username, $password) {
    $data = array("username" => $username, "password" => $password);
    // Credentials stored on the client in cleartext (CWE-312).
    // setcookie() takes a string value, so the array is serialised here to make
    // the snippet run; that does not change what is exposed.
    setcookie("userdata", json_encode($data));
}
?>

The slide's suggested change is to store Encrypter.encrypt($data) instead of $data (Encrypter stands for an application-side encryption helper, not a PHP built-in). Encrypting the cookie value is still second best: a cookie does not need to carry the password at all if the server keeps a session record and hands the client only an opaque token.

9 Examples

Cleartext transmission (CWE-319): the client connects to a remote host on port 80 and copies whatever it reads from the socket, including password material, straight to a file; nothing on the wire is protected.

/* Fragment of a TCP client; sock, server, hp, port, dfd, password_buffer and
   BUFSIZE are declared earlier in the original program. */
server.sin_family = AF_INET;
hp = gethostbyname(argv[1]);
if (hp == NULL) error("Unknown host");
memcpy((char *)&server.sin_addr, (char *)hp->h_addr, hp->h_length);
if (argc < 3) port = 80;
/* The slide reads argv[3] here; with argc checked against 3 the port is the
   second argument, argv[2]. */
else port = (unsigned short)atoi(argv[2]);
server.sin_port = htons(port);
/* Plain TCP, no TLS: everything exchanged is readable to anyone on the path. */
if (connect(sock, (struct sockaddr *)&server, sizeof server) < 0) error("Connecting");
...
/* read() returns 0 at end of stream, so the slide's "!= -1" loop never ends;
   "> 0" stops on both EOF and error. */
while ((n = read(sock, password_buffer, BUFSIZE - 1)) > 0) {
    /* Cleartext password bytes written to disk (CWE-312 after CWE-319). */
    write(dfd, password_buffer, n);
}
...

The slide's overlay wraps the buffer as write(dfd, encrypt(password_buffer, n)) before it is written; the transport itself also needs protection (TLS), not only the file.

10 Examples

Cleartext transmission (CWE-319) in Java: a PUT to a plain http:// URL sends the request body unencrypted.

// Requires: java.net.URL, java.net.HttpURLConnection, java.io.OutputStream,
// java.io.IOException (and javax.net.ssl.HttpsURLConnection for the fix).
try {
    // Plain HTTP: the body written to os crosses the network in cleartext.
    URL u = new URL("http://www.secret.example.org/");
    HttpURLConnection hu = (HttpURLConnection) u.openConnection();
    hu.setRequestMethod("PUT");
    hu.setDoOutput(true); // needed before getOutputStream(), omitted on the slide
    hu.connect();
    OutputStream os = hu.getOutputStream();
    hu.disconnect();
} catch (IOException e) {
    //...
}

The slide's fix is the highlighted "s" in three places: the URL becomes https://www.secret.example.org/ and the cast and variable type become HttpsURLConnection, so the connection is made over TLS.


12 Prevention

- Requirements: identify which data is sensitive (credentials, personal, health or legal data) and which regulations apply, so that "must be encrypted at rest and in transit" is a stated requirement rather than an afterthought.
- Architecture and Design - Threat Modeling: trace where sensitive data is stored and where it crosses a trust boundary (disk, backup media, cookie, network link), and assume an attacker who can read each of those.
- Architecture and Design - Libraries or Frameworks: use a well-vetted cryptographic library or the platform's TLS stack rather than writing encryption yourself.
- Architecture and Design - Separation of Privilege: keep cleartext data and keys in the smallest component that needs them, so a compromise of one part does not expose everything.
- Implementation - Don't cut corners: no cleartext "just for internal networks", no disabled TLS for convenience, no credentials cached on the client.
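As an added example (not code from the slides, the CWE entries or the presenter), here is the cookie case from slide 8 together with the Secure-attribute weakness (CWE-614) and the prevention advice above, written in Python. The names SESSIONS, session_login_cookie, sign_cookie_value, missing_cookie_attributes and the sample credentials alice / hunter2 are this example's own assumptions. It contrasts the slide's persistLogin() pattern with the usual fix (the password never leaves the server, the client holds only an opaque random token, and the Set-Cookie attributes keep that token off cleartext HTTP), and shows why an HMAC-signed cookie gives integrity but not confidentiality.

```python
"""Cookie handling for the persistLogin() pattern from slide 8.

Everything here is example code with its own assumed names; the session store
is an in-memory dict constructed for the demonstration.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional


def cleartext_login_cookie(username: str, password: str) -> str:
    """Mirror of the slide's persistLogin(): the credentials end up in the
    cookie value in cleartext (CWE-312). Returned as a Set-Cookie value."""
    data = {"username": username, "password": password}
    return "userdata=" + json.dumps(data, separators=(",", ":"))


# Constructed server-side session store: token -> username. In a real service
# this is a database or cache shared by the application servers.
SESSIONS: Dict[str, str] = {}


def session_login_cookie(username: str) -> str:
    """Replacement for persistLogin(): the password is never sent to the client.
    The cookie carries a 256-bit random token that only indexes server state;
    Secure keeps it off plain HTTP (CWE-614), HttpOnly keeps it away from
    scripts, SameSite=Strict keeps it out of cross-site requests."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return f"userdata={token}; Secure; HttpOnly; SameSite=Strict; Path=/"


def resolve_session(cookie_header: str) -> Optional[str]:
    """Map an incoming Cookie header to a username; unknown tokens give None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "userdata":
            return SESSIONS.get(value)
    return None


def sign_cookie_value(payload: dict, key: bytes) -> str:
    """HMAC-SHA256 over a JSON payload, for non-secret client-side state that
    must not be tampered with. Integrity only: the payload stays readable, so
    this is not a fix for storing a password in a cookie."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def verify_cookie_value(value: str, key: bytes) -> Optional[dict]:
    """Return the payload if the tag verifies, else None. compare_digest is a
    constant-time comparison, so the tag does not leak through timing."""
    try:
        body_hex, tag = value.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


REQUIRED_ATTRS = ("Secure", "HttpOnly")


def missing_cookie_attributes(set_cookie: str) -> List[str]:
    """Minimal CWE-614 check over one Set-Cookie value: which required
    attributes are absent. Attribute names are case-insensitive."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    return [a for a in REQUIRED_ATTRS if a.lower() not in attrs]


if __name__ == "__main__":
    bad = cleartext_login_cookie("alice", "hunter2")
    print(bad, missing_cookie_attributes(bad))
    good = session_login_cookie("alice")
    print(good, missing_cookie_attributes(good))
    signed = sign_cookie_value({"uid": 7, "role": "user"}, b"k" * 32)
    print(signed, verify_cookie_value(signed, b"k" * 32))
```

The signed-cookie helpers are included because "sign the cookie" is a common wrong answer to this slide: a reader can hex-decode the body and see every field, so anything secret still belongs server-side or inside an authenticated-encryption (AEAD) envelope with a key the client never holds.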

14 Reports

- CVE: password and username stored in cleartext in a cookie
- CVE: password stored in cleartext in a file with insecure permissions
- CVE: chat program disables SSL in some circumstances even when the user says to use SSL
- …
- CVE: product sends file with cleartext passwords in message intended for diagnostic purposes

15 Add-ons

- Cryptocat - https://addons.mozilla.org/en-US/firefox/addon/cryptocat/
- HttpsEverywhere - https://www.eff.org/https-everywhere
- AdblockPlus
- Disconnect
- Web of Trust

16 Bibliography

