Add to collection(s) Add to saved
  1. Business
  2. Management
  3. Business Information Systems

Password Breaches - OWASP Appsec USA 2013

advertisement 
Passwords
Breaches, Storage, Attacks
OWASP AppSec USA 2013
About Me
michael@ShapeSecurity.com
Password in the News
UNDERSTANDING PASSWORD
THREATS
Online Attacks
•
•
Online Attacks
interact with web interface via scripts &
• Attackers
automation
• Defenses Available: Account Lockout, Attacker Profiling,
Anti-automation
Example Online Attacks
• Password Brute Force - 4 variations
• Credential Stuffing - (Reuse of compromised passwords)
• Account Lockout
Offline Attacks
•
Offline Attacks
have password hashes and are performing
• Attackers
attacks against file
• Defenses Available: Only the strong hashing algorithm you
selected
•
Example Offline Attacks
• Hash brute force - dictionary or iterative
• Rainbow tables
OFFLINE PASSWORD STORAGE
Password Storage
• Bad Approaches
• Your own algorithm
• md5
• sha1
• encryption
• base64 encoding
• rot 13
• Good Approach
• Bcrypt
• Scrypt
• PBKDF2
+ Per user salt
ADDITIONAL ATTACKS
Denial of Service
Denial of Service (DOS)
Distributed Denial of Service (DDOS)
Denial of Service
DDOS Comparisons
Traditional Network DDOS
Application Abuse DOS
•
•
•
•
•
overwhelms target with volume
exhausts bandwidth / capacity of
network devices
Requires large number of
machines
Defenses: CDN, anti-DDOS
services
•
•
•
invokes computationally intense
application functions
exhausts CPU / memory of web
servers
Requires few machines
Defenses: Few available, must
customize
Credential Stuffing
Account Take Over - Credential Stuffing
Distributed App Lock Out
Distributed App Lock Out
Service Desk Overload
Service Desk Overload
Take Aways
• Password Hashing
– Don’t get breached - Defense in depth
– Don’t exacerbate breach – use correct hashing
• Online Attacks
– Prepare for automated attacks
– Different attacks and motivation from Criminal
Enterprises, Hacktivism, Nation State, etc
Thanks!
michael@shapesecurity.com
http://michael-coates.blogspot.com
@_mwc
Related documents
Revenge-Seeking Behaviors
Revenge-Seeking Behaviors
Download PDF - Echo Photo Agency
Download PDF - Echo Photo Agency
slides - Stanley Bak
slides - Stanley Bak
Managing Threats in a Changing World
Managing Threats in a Changing World
Computer Security: Principles and Practice, 1/e
Computer Security: Principles and Practice, 1/e
dos_nanog
dos_nanog
How to start Whitepins - AMAS-Team
How to start Whitepins - AMAS-Team
Slide 1
Slide 1
Abstract
Abstract
William Stallings, Cryptography and Network Security 3/e
William Stallings, Cryptography and Network Security 3/e
Research Journal of Applied Sciences, Engineering and Technology 7(13): 2711-2713,... ISSN: 2040-7459; e-ISSN: 2040-7467
Research Journal of Applied Sciences, Engineering and Technology 7(13): 2711-2713,... ISSN: 2040-7459; e-ISSN: 2040-7467
Protection of Different Agent with Improved Ids Detection Abstract
Protection of Different Agent with Improved Ids Detection Abstract
Distributed Denial of Service Attacks (DDoS) were one of the most
Distributed Denial of Service Attacks (DDoS) were one of the most
DoS Attacks
DoS Attacks
ch08 - Columbus State University
ch08 - Columbus State University
agenda
agenda
Course Technology/Cengage Learning - c-jump
Course Technology/Cengage Learning - c-jump
9/11 PPT
9/11 PPT
CS 494/594 Computer and Network Security
CS 494/594 Computer and Network Security
Andrew Knotts' presentation on Distributed DOS attacks
Andrew Knotts' presentation on Distributed DOS attacks
Password-Based Football
Password-Based Football
Overview of Computer Security
Overview of Computer Security
Download
advertisement