Surviving Your Next Data Breach

It happens even to tech giants: they get hacked, and client databases get leaked. Let’s look at what data is the most sensitive and what steps we can take to protect it, while still keeping all of the user experience intact. Come see why most web applications do passwords and credit card information wrong.

Anna Filina

June 01, 2017

Transcript

  1. @afilina
    Surviving Your Next Data Breach
    PHPUGFFM, Frankfurt - June 01, 2017

  2. You will get hacked

  3. It Happens
    • Dropbox: 68 million
    • Adobe: 152 million
    • LinkedIn: 164 million
    • Yahoo!: 1.2 billion

  4. Anna Filina
    • Project rescue expert
    • Dev, trainer, speaker

  5. Way to Get Breached
    • Hackers
    • Employees
    • $5 consultants

  6. $5 consultants?!

  7. Don't use server passwords
    Use SSH keys

  8. Zero-out development data

  9. Background security checks

  10. Sensitive Data
    • Passwords
    • Credit cards
    • Social security numbers
    • Current locations
    • IP addresses
    • ...

  11. Getting Ready for the Breach
    • Store less
    • Make stolen data useless
    • Post-breach procedures

  12. Store less sensitive data

  13. $5,000 - $100,000 per month

  14. But... recurring billing!

  15. [Diagram: the User's Credit card goes from the App to the Payment gateway's Vault, which returns a Token; subsequent charges send Amount + token to the gateway]

  16. **** **** **** 0123

  17. [Diagram repeated: User → Credit card → App → Payment gateway (Vault) → Token; charges are Amount + token]

  18. **** **** **** 0123
    Edit
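The vault-and-token flow of slides 15 to 18, as an added example in Python that is not the talk's own code: a simulated gateway vault stands in for a real provider's API (an assumption; real gateways differ), while the merchant app keeps only the token and the last four digits, so recurring billing (slide 14) and the masked display still work and a dump of the app's own tables contains no card number. The public test card number from slide 21 is the constructed input.

```python
"""Card tokenization flow: the app never stores the PAN.

Added example, not from the talk. PaymentGateway is a stand-in for a real
provider's vault API (an assumption); App shows what a merchant keeps.
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass, field


def _luhn_ok(digits: str) -> bool:
    """Luhn check used to reject obviously mistyped card numbers before tokenizing."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class PaymentGateway:
    """Simulated gateway vault: holds card data, hands the app an opaque token."""
    _vault: dict = field(default_factory=dict)

    def tokenize(self, pan: str, expiry: str) -> tuple[str, str]:
        digits = re.sub(r"\D", "", pan)
        if not (13 <= len(digits) <= 19) or not _luhn_ok(digits):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(16)   # random, unrelated to the PAN
        self._vault[token] = {"pan": digits, "expiry": expiry}
        return token, digits[-4:]

    def charge(self, token: str, amount_cents: int) -> bool:
        return token in self._vault and amount_cents > 0

    def update_card(self, token: str, pan: str, expiry: str) -> tuple[str, str]:
        """Slide 18 'Edit': replacing the card retires the old token and issues a fresh one."""
        self._vault.pop(token, None)
        return self.tokenize(pan, expiry)


@dataclass
class App:
    """Merchant application: stores only token + last four, enough for '**** **** **** 0123'."""
    gateway: PaymentGateway
    customers: dict = field(default_factory=dict)   # this is the table a breach would leak

    def add_card(self, user_id: str, pan: str, expiry: str) -> None:
        token, last4 = self.gateway.tokenize(pan, expiry)
        self.customers[user_id] = {"token": token, "last4": last4}

    def masked_card(self, user_id: str) -> str:
        return "**** **** **** " + self.customers[user_id]["last4"]

    def bill_monthly(self, user_id: str, amount_cents: int) -> bool:
        """Recurring billing (slide 14) works from the token alone."""
        return self.gateway.charge(self.customers[user_id]["token"], amount_cents)

    def stored_pans(self) -> list:
        """Scan the app's own records for anything that looks like a full card number."""
        return [v for row in self.customers.values()
                for v in row.values() if re.fullmatch(r"\d{13,19}", str(v))]


def demo() -> dict:
    """Constructed run: the Visa test number from slide 21 is tokenized, displayed and billed."""
    app = App(PaymentGateway())
    app.add_card("u1", "4111 1111 1111 1111", "06/17")
    return {"masked": app.masked_card("u1"),
            "charged": app.bill_monthly("u1", 1999),
            "leaked_pans": app.stored_pans()}
```

`stored_pans()` is the check worth keeping around for real: run it over the tables you actually persist, and anything it returns is data the app had no need to hold.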

  19. Implementation Effort?
    • ~5 hours
    • Includes reading documentation

  20. Alternative Storage
    • Comments

  21. "Please charge half on 4111 1111 1111 1111 (06/17)
    and the other half on 4012 8888 8888 1881 (10/19)"

  22. Passwords
    • No plaintext.
    • No hash.

  23. Rainbow tables!

  24. How do They Work?
    • Create string permutations
    • Compute hashes
    • Steal password hashes
    • Look up in table

  25. Collisions
    • They are rare
    • Pick the shortest and most obvious
    • Can just try all matches on a site

  26. Rainbow tables can be downloaded

  27. What Then?
    • Salted hash
    • Repeated hashing

  28. Repeated Hashing
    Password → (+salt + hashing) → Hash → (+salt + hashing) → Hash ... x20,000
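Slides 22 to 28 in code, as an added example that is not from the talk: the unsalted hash that precomputed tables defeat, beside the salted, repeated scheme of slide 28. Python's `hashlib.pbkdf2_hmac` stands in for the slide's "+salt + hashing x20,000" loop, and the `iterations$salt$hash` storage format is an assumption made for this example.

```python
"""Salted, repeated password hashing beside the unsalted hash it replaces.

Added example, not from the talk. PBKDF2-HMAC-SHA256 is the stand-in for the
slide's '+salt + hashing x20,000' loop; the record format is an assumption.
"""
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 20_000   # slide 28's x20,000
SALT_BYTES = 16       # one random salt per user, stored next to the hash


def plain_sha256(password: str) -> str:
    """Unsalted hash: equal passwords give equal hashes, so a precomputed table maps them back."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Per-user random salt + 20,000 rounds, stored as iterations$salt$hash."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_hashes_collide(a: str, b: str) -> bool:
    """Two users with the same password get the same unsalted record (why tables work)."""
    return plain_sha256(a) == plain_sha256(b)


def salted_hashes_collide(a: str, b: str) -> bool:
    """With random salts, even identical passwords produce distinct records."""
    return hash_password(a) == hash_password(b)
```

Storing the round count with each record lets you raise it later and re-hash users on their next login; a password of any length or character set goes through unchanged, which is what slide 29 asks for.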

  29. Password Policy
    • Don't limit number and type of characters
    • Harder to generate rainbow tables
    • Also prevents brute force

  30. Security Questions
    • Known by a wide group of people
    • You're storing more private data
    • Security questions on other sites

  31. Response plan

  32. Example Procedure
    • Log out.
    • Mark as compromised (is_dirty=1).
    • Force 2nd factor auth.
    • Force password change.
    • Mark as not compromised.

  33. 2FA
    • 1-time code (e-mail, SMS)
    • Time-synchronized 1-time password
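Slide 32's procedure together with slide 33's two second-factor options, as an added Python example that is not the talk's code. The `Account` and `BreachResponse` classes, the `is_dirty` handling and the hashed single-use code are assumptions made for illustration; the `totp` function follows RFC 6238 (HOTP from RFC 4226: HMAC-SHA1, 6 digits, 30 second step) and the caller is expected to supply the new password already hashed with the salted scheme of slide 28.

```python
"""Post-breach account procedure with e-mail/SMS codes or TOTP as the second factor.

Added example, not from the talk. Account/BreachResponse and the is_dirty
handling are assumptions; totp() implements RFC 6238 over RFC 4226 HOTP.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field


def totp(secret_b32: str, now: float | None = None, step: int = 30, digits: int = 6) -> str:
    """Time-synchronized one-time password: HMAC-SHA1 over the 30 s counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Account:
    user_id: str
    password_hash: str                       # produced by the salted, repeated hashing of slide 28
    totp_secret: str | None = None           # set when the user enrolled an authenticator app
    sessions: set = field(default_factory=set)
    is_dirty: bool = False                   # slide 32: "mark as compromised (is_dirty=1)"
    pending_code_hash: str | None = None     # hash of the e-mailed/SMS one-time code
    second_factor_ok: bool = False


class BreachResponse:
    """Walks a compromised account through slide 32's steps, in order."""

    def mark_compromised(self, acct: Account) -> None:
        acct.sessions.clear()                # step 1: log out everywhere
        acct.is_dirty = True                 # step 2: mark as compromised
        acct.second_factor_ok = False

    def login_allowed(self, acct: Account) -> bool:
        return not acct.is_dirty             # dirty accounts can only enter the recovery flow

    def issue_one_time_code(self, acct: Account) -> str:
        """Slide 33 option 1: a single-use code delivered by e-mail or SMS (delivery not shown)."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        acct.pending_code_hash = hashlib.sha256(code.encode()).hexdigest()
        return code

    def verify_second_factor(self, acct: Account, submitted: str, now: float | None = None) -> bool:
        """Step 3: force 2nd-factor auth, using TOTP when enrolled, else the delivered code."""
        if acct.totp_secret:
            ok = hmac.compare_digest(totp(acct.totp_secret, now), submitted)
        else:
            expected = acct.pending_code_hash
            acct.pending_code_hash = None    # a delivered code is valid exactly once
            ok = expected is not None and hmac.compare_digest(
                hashlib.sha256(submitted.encode()).hexdigest(), expected)
        acct.second_factor_ok = ok
        return ok

    def change_password(self, acct: Account, new_password_hash: str) -> bool:
        """Step 4: new password only after the 2nd factor passed; step 5: clear the flag."""
        if not acct.second_factor_ok:
            return False
        acct.password_hash = new_password_hash
        acct.second_factor_ok = False
        acct.is_dirty = False
        return True
```

The ordering is the point: `change_password` refuses to run until `verify_second_factor` has succeeded in this recovery, so an attacker holding the leaked password hash cannot reset the password on their own, and the flag only clears once the whole sequence has completed.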

  34. Next Steps
    • What else do you not need?
    • E-mails?

  35. Let's protect private data

  36. @afilina afilina.com