Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ethics CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Published byGyles Hodges Modified over 8 years ago

Similar presentations

Presentation on theme: "Ethics CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University"— Presentation transcript:

1 Ethics CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University http://adamdoupe.com

2 Adam Doupé, Security and Vulnerability Analysis Avoiding Jail Pretty easy, don't do anything illegal! What does this mean in a hacking context? –Never hack into a system that you do not own or have permission –Do not attempt to find vulnerabilities in a system that you do not own or have permission

3 Adam Doupé, Security and Vulnerability Analysis Practicing Without Going to Jail Download source code onto a server/system that you control (assuming it is open-source) Only try to find vulnerabilities in a system that has a bug bounty program Become an academic –We can sometimes do vulnerability analysis, however we are very careful to consider the ethical considerations before performing any analysis

4 Adam Doupé, Security and Vulnerability Analysis Bug Bounty Programs A number of web sites have started to offer Bug Bounty programs They will give you money or fame in exchange for reporting security vulnerabilities to them –Make sure that they also give you permission, and make sure you understand what is in scope Google, Facebook, AT&T, Coinbase, Etsy, Github, Heroku, Microsoft, Paypal, –https://bugcrowd.com/list-of-bug-bounty-programs

5 Adam Doupé, Security and Vulnerability Analysis Facebook Incident Security researcher found vulnerability in Facebook to post on anyone's wall Breakdown in communication with Facebook's security team Researcher decided to post on Mark Zuckerberg's wall to get attention about the vulnerability Ultimately, Facebook said that the researcher did not follow the policy and therefore was ineligible for bounty

6 Adam Doupé, Security and Vulnerability Analysis

7

8 Disclosure In case you do find a vulnerability in software, what is your responsibility? –Tell the world (full disclosure) –Tell the company/group responsible for the software (responsible disclosure) –Sell the information to the grey or black market (no disclosure) Personal decision –I believe in responsible disclosure, first disclosing to the company then releasing the information publically

9 Adam Doupé, Security and Vulnerability Analysis Would You Hire a Hacker? Open problem and subject of much discussion Pros: "I want somebody who can find problems before the bad guys do" –Skillful, motivated, etc. Cons: "I don’t want to hire an arsonist as a Fire Marshal" –Problem with teamwork, may damage company, etc. In general assessment of personality is important (morals, ethics, attitude) –And hackers ARE hired all the time How would you fire a hacker?

10 Adam Doupé, Security and Vulnerability Analysis Legal Hacking: Penetration Testing Vulnerability analysis followed by exploitation –Assumptions and hypothesis derived from the analysis are verified on the field –It is usually "black-box" Penetration testing is part of the (larger) security auditing/analysis process –Pentest/fix as a cycle is NOT a good way to ensure the security of a system A comprehensive security analysis process takes into account many other aspects (e.g., source code analysis, policy analysis, social engineering) –For example: The Open-Source Security Testing Methodology http://www.isecom.org/research/osstmm.html 10

11 Adam Doupé, Security and Vulnerability Analysis Discussion: Is Penetration Testing Useful? 11

12 Adam Doupé, Security and Vulnerability Analysis Summary Proceed ethically Only attempt to find vulnerabilities in web applications that you either –Control –Have permission Jail is a possibility Also against ASU policy

Download ppt "Ethics CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University"

Similar presentations

ETHICAL HACKING A LICENCE TO HACK

ETHICAL HACKING A LICENCE TO HACK
The impact of IT Around the world By Eddie Cole. The positive social impacts of IT Social networking sites are huge now, bringing in hundreds of millions.

The impact of IT Around the world By Eddie Cole. The positive social impacts of IT Social networking sites are huge now, bringing in hundreds of millions.
Group 4 Project. Why? Scientific investigations of today involve teamwork which, like the Group 4 Project, is interdisciplinary. The underpinnings of.

Group 4 Project. Why? Scientific investigations of today involve teamwork which, like the Group 4 Project, is interdisciplinary. The underpinnings of.
Tips and tools to keep you and your information safe on-line. We will go over a lot of information today, so it is important to pay attention and follow.

Tips and tools to keep you and your information safe on-line. We will go over a lot of information today, so it is important to pay attention and follow.
UNIT 20 The ex-hacker.

UNIT 20 The ex-hacker.
ETHICAL HACKING.

ETHICAL HACKING.
Tips and tools to keep you and your information safe on-line. We will go over a lot of information today, so it is important to pay attention and follow.

Tips and tools to keep you and your information safe on-line. We will go over a lot of information today, so it is important to pay attention and follow.
Black, White, Grey Hat Hackers Not all hackers are bad…which one’s which?

Black, White, Grey Hat Hackers Not all hackers are bad…which one’s which?
Ethics CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Ethics CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
What is identity theft, and how can you protect yourself from it?

What is identity theft, and how can you protect yourself from it?
Ethical Hacking Pratheeba Murugesan. HACKER AENDA  What is Ethical Hacking?  Who are ethical hackers?  Every Website-A Target  Get out of jail free.

Ethical Hacking Pratheeba Murugesan. HACKER AENDA  What is Ethical Hacking?  Who are ethical hackers?  Every Website-A Target  Get out of jail free.
Internet Safety/Cyber Ethics

Internet Safety/Cyber Ethics
Prepared by: Nahed Al-Salah

Prepared by: Nahed Al-Salah
1 CHAPTER 1 POLITICS. 2 Definitions Of The Word Hacker Hacker – someone who has achieved some level of expertise with a computer Hacker – someone who.

1 CHAPTER 1 POLITICS. 2 Definitions Of The Word Hacker Hacker – someone who has achieved some level of expertise with a computer Hacker – someone who.
Computer Security And Computer Crimes. Problem under consideration A software flaw was found in a national bank's web site that allows anyone who knows.

Computer Security And Computer Crimes. Problem under consideration A software flaw was found in a national bank's web site that allows anyone who knows.
The Hacker Mindset CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

The Hacker Mindset CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
1 UNIT 20 The ex-hacker Lecturer: Ghadah Aldehim.

1 UNIT 20 The ex-hacker Lecturer: Ghadah Aldehim.
Ethical Hacking Introduction.  What is Ethical Hacking?  Types of Ethical Hacking  Responsibilities of a ethical hacker  Customer Expectations  Skills.

Ethical Hacking Introduction.  What is Ethical Hacking?  Types of Ethical Hacking  Responsibilities of a ethical hacker  Customer Expectations  Skills.
Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense

Similar presentations

Ads by Google