Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Surviving Your Next Data Breach

Surviving Your Next Data Breach

It happens even to tech giants: they get hacked, and client databases get leaked. Let’s look at what data is the most sensitive and what steps we can take to protect it, while still keeping all of the user experience intact. Come see why most web applications do passwords and credit card information wrong.

Anna Filina

May 24, 2017
Tweet

More Decks by Anna Filina

Other Decks in Programming

Transcript

  1. It Happens • Dropbox • Adobe • LinkedIn • Yahoo!

    68 million 152 million 164 million 1.2 billion
  2. Sensitive Data • Passwords • Credit cards • Social security

    numbers • Current locations • IP addresses • ...
  3. Getting Ready for the Breach • Store less • Make

    stolen data useless • Post-breach procedures
  4. Please charge half on 
 4111 1111 1111 1111 


    (06/17) and the other half on
 4012 8888 8888 1881
 (10/19)
  5. How do They Work? • Create string permutations • Compute

    hashes • Steal password hashes • Look up in table
  6. Collisions • They are rare • Pick the shortest and

    more obvious • Can just try all matches on a site
  7. Password Policy • Don't limit number and type of characters

    • Harder to generate rainbow tables • Also prevents brute force
  8. Security Questions • Known by a wide group of people

    • You're storing more private data • Security questions on other sites
  9. Example Procedure • Log out. • Mark as compromised (is_dirty=1).

    • Force 2nd factor auth. • Force password change. • Mark as not compromised.