
CIS 115

Lecture 22: Cybersecurity Topics

How can we keep our data secure?

Image Source: jadikreatif on Flickr

Authentication

Passwords

Image Source: XKCD

Cracking Passwords - Brute Force

Cracking Passwords - Lookup Table

Source: Gizmodo

Rainbow Tables

Password Entropy

Image Source: XKCD

Password Entropy

Image Source: XKCD

Password Entropy

Image Source: XKCD

Storing Passwords Securely

Store the password itself

Storing Passwords Securely

Encrypt all passwords with a key

Password Salt

Storing Passwords Securely

Encrypt all passwords with a global salt value

Storing Passwords Securely

Encrypt all passwords with a unique salt value

Image Source: XKCD
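The progression on the four "Storing Passwords Securely" slides (store the password itself, encrypt with a key, use a global salt, use a unique salt) and the earlier lookup-table and rainbow-table slides are easiest to see side by side in code. The example below is added here and is not part of the lecture; it uses a slow one-way hash (PBKDF2-HMAC-SHA256) rather than reversible encryption, which is the usual choice because there is then no single key whose theft reveals every password. The iteration count, the global salt value and the sample password are constructed for this example.

```python
import hashlib
import hmac
import os

# Work factor for the slow hash; an assumed value chosen for this example.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: deliberately slow and one-way, so each guess in a
    # brute-force run costs the attacker ITERATIONS hash computations.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_with_global_salt(password: str, global_salt: bytes) -> str:
    # One salt shared by every account. Two users with the same password end up
    # with the same stored value, and one precomputed lookup/rainbow table built
    # for this salt covers every account at once.
    return hash_password(password, global_salt).hex()


def store_with_unique_salt(password: str) -> tuple[str, str]:
    # A fresh random salt per account, stored next to the hash. The salt is not
    # secret; its job is to make every account's hash a separate target.
    salt = os.urandom(16)
    return salt.hex(), hash_password(password, salt).hex()


def verify(password: str, salt_hex: str, stored_hash_hex: str) -> bool:
    # Recompute with the stored salt and compare in constant time, so timing
    # does not leak how many leading bytes of the hash matched.
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(stored_hash_hex))


def global_salt_collides(password: str) -> bool:
    # Two accounts with the same password under a global salt: identical records.
    global_salt = b"constructed-global-salt"  # constructed sample value
    return store_with_global_salt(password, global_salt) == store_with_global_salt(password, global_salt)


def unique_salt_collides(password: str) -> bool:
    # Same password, per-account salts: different records, so a table built for
    # one account says nothing about the other.
    _, hash_a = store_with_unique_salt(password)
    _, hash_b = store_with_unique_salt(password)
    return hash_a == hash_b


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("global salt, same password, same hash:", global_salt_collides(pw))
    print("unique salt, same password, same hash:", unique_salt_collides(pw))
    salt_hex, hash_hex = store_with_unique_salt(pw)
    print("verify correct password:", verify(pw, salt_hex, hash_hex))
    print("verify wrong password:", verify("wrong", salt_hex, hash_hex))
```

With a global salt the two records for "correct horse battery staple" are byte-for-byte identical, which is exactly what a lookup table exploits; with a unique salt they differ, and an attacker has to repeat the whole ITERATIONS-cost guessing run for each account separately.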

Social Engineering

Using techniques to compromise a system by exploiting the users directly instead of the system's security

Image Source: Wikipedia

Pretexting

Image Source: Penetration Test Lab

Impersonation

Image Source: 1worder

Image Source: John Gosier on Flickr

Phishing

419 Scams

419 Scams

Baiting

Image Source: Wikipedia

Threats

Image Source: XKCD

Combating Social Engineering

Social Engineering in Practice

Read the Report

Interception Attacks

Intercepting information in order to impersonate another entity or modify the information before it is received

Man in the Middle Attack

Image Source: Wikipedia

Man in the Browser Attack

Image Source: Cronto

Combating Interception Attacks

Malware

Morris Worm

Image Source: Wikipedia

Morris Worm

Morris Worm

Image Source: Wikipedia

Conficker

Stuxnet

Image Source: Wikipedia

Stuxnet

Fake AntiVirus

Cryptolocker

Image Source: Geek.com

Cryptolocker

Software Attacks

Attacking vulnerabilities in the software running on a system to gain access or retrieve secure data

SQL Injection

Image Source: XKCD

SQL Injection

statement := "SELECT * FROM userinfo WHERE id = " + a_variable + ";"
a_variable = "1"
SELECT * FROM userinfo WHERE id=1;

SQL Injection

statement := "SELECT * FROM userinfo WHERE id = " + a_variable + ";"
a_variable = "1"
SELECT * FROM userinfo WHERE id=1;

statement := "SELECT * FROM userinfo WHERE id = " + a_variable + ";"
a_variable = "1;DROP TABLE users;"
SELECT * FROM userinfo WHERE id=1;DROP TABLE users;

SQL Injection

http://books.example.com/showReview.php?ID=5 
SELECT * FROM bookreviews WHERE ID = '5';

SQL Injection

http://books.example.com/showReview.php?ID=5 
SELECT * FROM bookreviews WHERE ID = '5';


http://books.example.com/showReview.php?ID=5 AND 1=1
SELECT * FROM bookreviews WHERE ID = '5' AND '1'='1';

SQL Injection

http://books.example.com/showReview.php?ID=5 
SELECT * FROM bookreviews WHERE ID = '5';


http://books.example.com/showReview.php?ID=5 AND 1=1
SELECT * FROM bookreviews WHERE ID = '5' AND '1'='1';


http://books.example.com/showReview.php?ID=5 AND substring(@@version,1,1)=4
SELECT * FROM bookreviews WHERE ID = '5' AND substring(@@version,1,1)=4;
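The slides show the vulnerable construction (the input pasted into the SQL text) but not what the fix looks like. The example below is added here and is not part of the lecture; it runs the slide's userinfo statement against an in-memory SQLite database in both forms: the string-concatenated version, executed through a multi-statement API so the injected DROP TABLE actually runs, and a parameterized version where the whole input is bound as one literal value. The schema, rows and table names are constructed for this example; the payload "1;DROP TABLE users;" is the one on the slide.

```python
import sqlite3

# Constructed sample schema and rows (not from the lecture).
SCHEMA = """
CREATE TABLE userinfo (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO userinfo VALUES (1, 'alice'), (2, 'bob');
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT);
INSERT INTO users VALUES (1, 'alice');
"""

# The attacker-controlled value from the slide.
PAYLOAD = "1;DROP TABLE users;"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_statement_unsafe(a_variable: str) -> str:
    # The slide's construction: the value is pasted into the SQL text, so the
    # database cannot tell where the query ends and the data begins.
    return "SELECT * FROM userinfo WHERE id = " + a_variable + ";"


def lookup_unsafe(conn: sqlite3.Connection, a_variable: str) -> None:
    # executescript runs every statement in the string, as a multi-statement
    # database API would. With PAYLOAD that is a SELECT followed by a DROP TABLE.
    conn.executescript(build_statement_unsafe(a_variable))


def lookup_safe(conn: sqlite3.Connection, a_variable: str) -> list:
    # Parameter binding: the SQL text is fixed and the value travels separately,
    # so all of a_variable is compared against id as a single literal.
    return conn.execute("SELECT * FROM userinfo WHERE id = ?;", (a_variable,)).fetchall()


def is_valid_id(a_variable: str) -> bool:
    # Defense in depth: an id must be a plain integer; anything else is rejected
    # before it reaches the database at all.
    return a_variable.isdigit()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?;", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = fresh_db()
    print("unsafe statement:", build_statement_unsafe(PAYLOAD))
    lookup_unsafe(db, PAYLOAD)
    print("users table after unsafe lookup:", table_exists(db, "users"))

    db = fresh_db()
    print("safe lookup with payload:", lookup_safe(db, PAYLOAD))
    print("users table after safe lookup:", table_exists(db, "users"))
    print("safe lookup with id 1:", lookup_safe(db, "1"))
    print("payload passes id validation:", is_valid_id(PAYLOAD))
```

Two things are worth noticing when this runs: the parameterized query returns no rows for the payload rather than raising an error, because the database simply compares id against the literal text "1;DROP TABLE users;", and the users table is still there afterwards. The isdigit check is a second, independent layer; it is not a substitute for binding, since not every field is numeric.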

Buffer Overflow

Image Source: Wikipedia

Buffer Overflow

Image Source: Wikipedia

Why?

Account Access

Image Source: Wikipedia

Botnets

Image Source: Wikipedia

Social Activism / Hacktivism

Image Source: Wikipedia

Chaos

Image Source: Wikipedia

Discussion


Is that ethical? Is that legal?
Is that useful information?
Should you be put in jail for this?

It actually happened!

Article on Sophos

Results of the Scan

Image Source: Census2012 on Sourceforge

Image Source: XKCD

Image Source: Census2012 on Sourceforge