Security Trifecta – Overview of Vulnerabilities in the Racing Industry Gus Fritschie December 11, 2013.


© SeNet International Corp, December 2013

Who We Are – SeNet International

Who We Are – Gus Fritschie
CTO of SeNet International
Subject matter expert in gaming and iGaming security
Presented at multiple conferences, including DEF CON, on iGaming issues
Written multiple articles on gaming security for both print and online publications
Most importantly, I want sites and organizations to be safe and secure because I am also a player
Follow on

Why This Talk?
The future of gaming, if not of the Internet itself, is closely tied to online racing. Even components that are not specifically iGaming (e.g. off-track betting, OTB) still require a certain level of security.
While the racing industry has had a head start (thanks to the carve-out in UIGEA), it only leads by a couple of lengths, and when it comes to security it is neck and neck.
We need to learn from past mistakes in other sectors in order to avoid repeating them.
Security is often seen as a cost and something we don't think about until there is a problem (like a flooded basement). That needs to change: we need to become proactive rather than reactive.

How is Online Racing Security Different From This?

Security is Security
There is no difference! Racing and iGaming face the same problems and need the same level of protection as other verticals. Areas that need to be taken into account include:
Application Security
Network Security
System Security
Database
Mobile
Physical
And more...

Security is all About Managing Risk
You will never be 100% secure; the key is to understand the risks you face and, with that information, make informed business decisions. In order to be 100% secure you would need to do this...

Are Compliance Standards the Answer?

Compliance Does Not Equal Security
But it is a starting point and better than nothing. It needs to be approached as more than a paperwork exercise. The problem is that most compliance standards (current gaming standards included) are not strict enough and leave organizations with a false sense of security.
Compliance != Secure

What is the Solution?
The answer is a comprehensive, enterprise-wide solution across all facets, which is too long an answer for this brief presentation. In my opinion, the two ways organizations are most likely to get compromised are:
1. Attacks via the application (both web and mobile)
2. Social engineering attacks
Let's look closer at the first method...

Types of Application Attacks

Security Needs to be Baked into the SDLC
Examples:
Audit logging design, possibly including redundancy, retention, and reliability (unintentional 3 R's there)
Session design, possibly including concurrency control, locking, identification, replay
Access, authentication, and authorization (intentional 3 A's there)
Error handling design
Unit test automation enforced by check-in gates
Code coverage
Design for functional testing
Information input restriction
RBAC
Partitioning
Information validation
Rules engine/input validation, application firewall
Risk-based approach vs. compliance-only focus
Integrating security into system development is critical from the front-end design onward

Examples

Session Token in URL

Account Number Enumeration

Backend Password and Username Exposed in Request

Backend Password and Username Exposed in Request (Cont.)
GET / php/fw/php_BRIS_BatchAPI/2.3/Games/Payouts?ip= &username=strikeit&password=1tg00d &affid=5000&output=json HTTP/1.1
The credentials for a backend API are carried in the query string of a GET request. Anything in a URL is written to web-server and proxy logs, cached, stored in browser history and leaked in Referer headers, so these credentials are exposed to anyone who can observe the traffic or read the logs.
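The two findings above (a session token in the URL, and a backend username and password in a GET query string) are exactly the kind of thing a passive reviewer can pull out of proxy or access logs without touching the site. The following is an added example, not code from the original slides or from SeNet: a small scanner that parses request lines and flags session identifiers and credentials in the request target, including servlet-style `;jsessionid=` path parameters. The parameter-name lists and the sample request lines are constructed for the example; the hosts, paths and values are invented.

```python
from urllib.parse import parse_qsl, urlsplit

# Parameter names that commonly carry a session identifier (assumed list).
SESSION_PARAMS = {"phpsessid", "jsessionid", "sessionid", "session_id", "sid", "token"}
# Parameter names that commonly carry credentials (assumed list).
CREDENTIAL_PARAMS = {"username", "user", "login", "password", "passwd", "pwd", "pass"}

# Constructed sample request lines, in the form seen in a proxy or access log.
# Paths and values are invented for this example.
SAMPLE_REQUESTS = [
    "GET /account/balance?sessionid=8f3a9c1e2b HTTP/1.1",
    "GET /php/api/2.3/Games/Payouts?ip=198.51.100.7&username=backend&password=s3cret&output=json HTTP/1.1",
    "GET /races/today;jsessionid=ABC123DEF HTTP/1.1",
    "GET /static/logo.png HTTP/1.1",
    "POST /login HTTP/1.1",
]


def find_url_secrets(request_line):
    """Return [(finding, parameter_name), ...] for one request line.

    Only the request target is inspected, which is all a passive observer
    (log reviewer, proxy, Referer recipient) gets to see.
    """
    parts = request_line.split(" ")
    if len(parts) != 3:
        return []
    target = urlsplit(parts[1])
    findings = []
    # Servlet-style path parameters: /path;jsessionid=XYZ
    for segment in target.path.split(";")[1:]:
        name = segment.split("=", 1)[0].lower()
        if name in SESSION_PARAMS:
            findings.append(("session_token_in_url", name))
    # Ordinary query-string parameters.
    for name, _value in parse_qsl(target.query, keep_blank_values=True):
        name = name.lower()
        if name in SESSION_PARAMS:
            findings.append(("session_token_in_url", name))
        elif name in CREDENTIAL_PARAMS:
            findings.append(("credential_in_url", name))
    return findings


def scan(request_lines):
    """Map every request line that has findings to its list of findings."""
    report = {}
    for line in request_lines:
        findings = find_url_secrets(line)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_REQUESTS).items():
        print(line)
        for kind, name in findings:
            print(f"  {kind}: {name}")
```

The fix on the application side is the same for both findings: move session identifiers into cookies (with `Secure` and `HttpOnly` set) and send credentials only in the body of a POST over TLS, never in the URL. Running a check like this over a day of access logs is a cheap way to confirm the change actually took effect.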

What is this?

Weak Password Policy

Password Stored in Clear-text in Database
Using the forgot-password function, the password is sent back to the user by e-mail and is the same password as initially set. A site can only do this if the password is stored in clear text (or, at best, reversibly encrypted) rather than as a salted one-way hash; either way, a database compromise exposes every user's password, and anyone who can read the user's mail gets it too.
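The following is an added example, not code from the original slides or from any of the sites reviewed. It puts the behaviour observed above (a forgot-password function that mails back the original password, which forces clear-text storage) beside the hardened version: passwords stored only as a salted scrypt hash, and a reset flow that issues a single-use token instead of revealing anything. The hardened reset also returns the same response whether or not the account exists, which is the same fix needed for the account-enumeration finding earlier in the examples. Class names, users and passwords are constructed for the example; scrypt parameters are illustrative.

```python
import hashlib
import hmac
import os
import secrets


class InsecureStore:
    """Reproduces the finding: keeps the password as entered and mails it back."""

    def __init__(self):
        self.users = {}  # user -> clear-text password

    def register(self, user, password):
        self.users[user] = password

    def login(self, user, password):
        return self.users.get(user) == password

    def forgot_password_mail(self, user):
        # Only possible because the original password is still readable.
        return f"Your password is: {self.users[user]}"


class HashedStore:
    """Hardened: stores salt + scrypt hash; reset issues a token, never the password."""

    def __init__(self):
        self.users = {}         # user -> (salt, hash)
        self.reset_tokens = {}  # token -> user (single use)

    @staticmethod
    def _hash(password, salt):
        # Memory-hard KDF from the standard library; parameters are illustrative.
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(password, salt))

    def login(self, user, password):
        record = self.users.get(user)
        if record is None:
            # Do the same work for unknown users so response time does not
            # reveal which usernames exist.
            self._hash(password, b"\x00" * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._hash(password, salt))

    def forgot_password_mail(self, user):
        # Same message for known and unknown users: no account enumeration.
        if user in self.users:
            token = secrets.token_urlsafe(32)
            self.reset_tokens[token] = user
        return "If the address is registered, a reset link has been sent."

    def reset_with_token(self, token, new_password):
        user = self.reset_tokens.pop(token, None)  # token is consumed
        if user is None:
            return False
        self.register(user, new_password)  # new salt, new hash
        return True


if __name__ == "__main__":
    weak = InsecureStore()
    weak.register("alice", "Horse1!")
    print(weak.forgot_password_mail("alice"))   # the finding: password in mail
    strong = HashedStore()
    strong.register("alice", "Horse1!")
    print(strong.forgot_password_mail("alice"))  # no password, no enumeration
```

In a real deployment the reset token would be mailed as a link and given an expiry; the point here is that the server never needs the original password again after registration, so there is no reason to keep it in a readable form.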

Cross-site Scripting (XSS)

Cross-site Scripting (XSS) (Cont.)
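The XSS slides above are screenshots only, so the following is an added example, not code from the original slides or from any site reviewed. It shows the defect behind a reflected XSS finding, a request parameter copied verbatim into HTML, beside the fix, contextual output encoding, and includes a small parser-based oracle so both versions can be checked against a payload for element content and a payload for attribute context. The `track` parameter, the page template and the payloads are assumed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Tags the template itself emits; any other tag in the output was injected.
TEMPLATE_TAGS = {"h1", "input"}


def get_track(query_string):
    """Extract the assumed 'track' parameter from a query string."""
    return parse_qs(query_string).get("track", [""])[0]


def render_unsafe(query_string):
    """Vulnerable: the parameter is copied into the HTML verbatim."""
    track = get_track(query_string)
    return f'<h1>Results for {track}</h1><input name="track" value="{track}">'


def render_safe(query_string):
    """Hardened: HTML-encode on output. quote=True also encodes " and ' so the
    value cannot break out of the attribute in the <input> element."""
    track = html.escape(get_track(query_string), quote=True)
    return f'<h1>Results for {track}</h1><input name="track" value="{track}">'


class _TagCollector(HTMLParser):
    """Collects start tags and on* attributes the way a browser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]


def injected(page):
    """True if the page contains a tag the template never emits or any event handler."""
    collector = _TagCollector()
    collector.feed(page)
    return bool(collector.handlers) or any(t not in TEMPLATE_TAGS for t in collector.tags)


# Constructed payloads: one for element-content context, one for attribute context.
PAYLOAD_BODY = "track=<script>alert(document.cookie)</script>"
PAYLOAD_ATTR = 'track=x" onmouseover="alert(1)'


if __name__ == "__main__":
    for label, payload in (("body", PAYLOAD_BODY), ("attribute", PAYLOAD_ATTR)):
        print(label, "unsafe injected:", injected(render_unsafe(payload)))
        print(label, "safe injected:  ", injected(render_safe(payload)))
```

Encoding for the HTML context is enough for this template because the value only lands in element content and a double-quoted attribute. A value placed inside a `<script>` block, a URL or a CSS property needs encoding for that context instead, which is why output encoding belongs in the template layer rather than in an input filter.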

Conclusion
This introductory presentation has only touched on some of the security issues that the online racing industry needs to take into account. All examples used were discovered via passive analysis; no active testing or scanning was performed against the sites. Only a few hours were needed to locate these "low-hanging" vulnerabilities; certainly more exist. During the rest of this panel discussion we will dive deeper into some of these attack vectors and others you need to be aware of.