Surviving Your Next Data Breach


It happens even to tech giants: they get hacked, and client databases get leaked. Let’s look at what data is the most sensitive and what steps we can take to protect it, while still keeping all of the user experience intact. Come see why most web applications do passwords and credit card information wrong.


Anna Filina

June 01, 2017

Transcript

  1. @afilina Surviving Your Next Data Breach PHPUGFFM, Frankfurt - June 01, 2017
  2. You will get hacked

  3. It Happens • Dropbox: 68 million • Adobe: 152 million • LinkedIn: 164 million • Yahoo!: 1.2 billion
  4. Anna Filina • Project rescue expert • Dev, trainer, speaker

  5. Ways to Get Breached • Hackers • Employees • $5 consultants
  6. $5 consultants?!

  7. (image-only slide)
  8. Don't use server passwords Use SSH keys

  9. Zero-out development data

  10. Background security checks

  11. Sensitive Data • Passwords • Credit cards • Social security numbers • Current locations • IP addresses • ...
  12. Getting Ready for the Breach • Store less • Make stolen data useless • Post-breach procedures
  13. Store less sensitive data

  14. $5,000 - $100,000 per month

  15. But... recurring billing!

  16. (image-only slide)
  17. (diagram) User → App: credit card • App → Vault: credit card • Vault → App: token • App → Payment gateway: amount + token
  18. **** **** **** 0123

  19. Sessions!

  20. (image-only slide)
  21. (diagram) User → App: credit card • App → Vault: credit card • Vault → App: token • App → Payment gateway: amount + token
  22. **** **** **** 0123 Edit

  23. Implementation Effort? • ~5 hours • Includes reading documentation

  24. Alternative Storage • Comments

  25. Please charge half on 4111 1111 1111 1111 (06/17) and the other half on 4012 8888 8888 1881 (10/19)
  26. Passwords • No plaintext. • No hash.

  27. Rainbow tables!

  28. How do They Work? • Create string permutations • Compute hashes • Steal password hashes • Look up in table
  29. Collisions • They are rare • Pick the shortest and most obvious • Can just try all matches on a site
  30. Rainbow tables can be downloaded

  31. What Then? • Salted hash • Repeated hashing

  32. (diagram) Repeated Hashing: Password → Hash → +salt + hashing → Hash → +salt + hashing → ... x20,000
  33. bcrypt

  34. Password Policy • Don't limit number and type of characters • Harder to generate rainbow tables • Also prevents brute force
  35. Security Questions • Known by a wide group of people • You're storing more private data • Security questions on other sites
  36. Response plan

  37. Example Procedure • Log out. • Mark as compromised (is_dirty=1). • Force 2nd factor auth. • Force password change. • Mark as not compromised.
  38. 2FA • 1-time code (e-mail, SMS) • Time-synchronized 1-time password

  39. Next Steps • What else do you not need? • E-mails?
  40. Let's protect private data

  41. @afilina afilina.com
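The tokenization flow of slides 17 to 22 (user, app, vault, payment gateway) as an added, runnable example. This is not code from the talk or from any real vault or gateway; it is written in Python rather than PHP so it runs stand-alone, and every class and method name (Vault, PaymentGateway, App, tokenize, charge) is a hypothetical stand-in. The card numbers used are the same public test numbers that appear on slide 25. The point it makes is the one from slide 12: after tokenization, a dump of the application's own database contains no card number at all, yet the app can still show "**** **** **** 0123", let the user edit the card, and run recurring charges.

```python
import re
import secrets

# A run of 13 to 19 digits is what a raw card number (PAN) looks like in a dump.
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def luhn_ok(pan):
    """Mod-10 check on the card number, done only inside the vault."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class Vault:
    """Hypothetical stand-in for the PCI-scoped card vault in the diagram.
    The app never reads this storage; it only ever gets a token back."""

    def __init__(self):
        self._cards = {}

    def tokenize(self, pan, expiry):
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and luhn_ok(pan)):
            raise ValueError("invalid card number")
        # Random token: it is not derived from the PAN, so it cannot be reversed.
        token = "tok_" + secrets.token_urlsafe(16)
        self._cards[token] = (pan, expiry)
        return token, pan[-4:]

    def detokenize(self, token):
        return self._cards[token]


class PaymentGateway:
    """Hypothetical gateway: receives amount + token, resolves the card via the vault."""

    def __init__(self, vault):
        self._vault = vault
        self.ledger = []   # (last4, amount_cents) records, constructed for the demo

    def charge(self, token, amount_cents):
        pan, _expiry = self._vault.detokenize(token)
        self.ledger.append((pan[-4:], amount_cents))
        return True


class App:
    """The web application: stores token + last four digits only, which is all
    that the masked display, the Edit button and recurring billing need."""

    def __init__(self, vault, gateway):
        self._vault, self._gateway = vault, gateway
        self.customers = {}

    def save_card(self, customer, pan, expiry):
        # Also used for "Edit": a new card simply replaces the stored token.
        token, last4 = self._vault.tokenize(pan, expiry)
        self.customers[customer] = {"token": token, "last4": last4}

    def display_card(self, customer):
        return "**** **** **** " + self.customers[customer]["last4"]

    def bill(self, customer, amount_cents):
        return self._gateway.charge(self.customers[customer]["token"], amount_cents)

    def dump(self):
        """What an attacker walks away with from the app database."""
        return repr(self.customers)


def pan_count(text):
    """Number of raw card numbers found in a text dump."""
    return len(PAN_PATTERN.findall(text))


if __name__ == "__main__":
    vault = Vault()
    app = App(vault, PaymentGateway(vault))
    app.save_card("user1", "4111 1111 1111 1111", "06/17")
    print(app.display_card("user1"), "billed:", app.bill("user1", 1999))
    print("card numbers in app dump:", pan_count(app.dump()))
```

Only the vault is in scope for card-data handling; the app's table holds a random token and four digits, so the "store less" advice from slide 13 is met without giving up recurring billing.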
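An added worked example for slides 26 to 33, not code from the talk: the attacker's lookup table from slide 28 run against a leaked table of bare hashes, and then against the same passwords stored with a per-user salt and 20,000 rounds of hashing as drawn on slide 32. It is written in Python so it runs stand-alone; the wordlist and the three user records are constructed for the demo, and the function names are hypothetical. The slow hash used is PBKDF2-HMAC-SHA256 from the standard library because it is available everywhere; bcrypt, which slide 33 recommends (PHP's password_hash() uses it by default), applies the same salt-plus-work-factor idea with the cost built into the stored string.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the "string permutations" an attacker
# precomputes. Real tables cover billions of candidates, which is why they are
# downloaded rather than generated per attack (slide 30).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon", "monkey"]

# Constructed "leaked" user table in the slide 26 anti-pattern: a bare hash.
LEAKED_UNSALTED = {
    "alice": hashlib.sha256(b"123456").hexdigest(),
    "bob": hashlib.sha256(b"letmein").hexdigest(),
    "carol": hashlib.sha256(b"c0rrect-h0rse-battery").hexdigest(),
}


def build_lookup_table(candidates):
    """Attacker side, slide 28 steps 1-2: hash every candidate once, index by digest."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in candidates}


def crack_by_lookup(leaked, table):
    """Slide 28 step 4: one dictionary lookup per leaked digest, no hashing at
    attack time. `leaked` maps usernames to the digest field from the dump."""
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


ITERATIONS = 20_000  # the slide's "x20,000"; raise it as hardware gets faster


def hash_password(password, salt=None):
    """Defender side, slides 31-32: random per-user salt plus iterated hashing.
    Returns 'salt$digest' so the salt travels with the record."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_password(password, stored):
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def digest_field(stored):
    """Strip the salt so the salted store can be fed to the same lookup attack."""
    return stored.split("$")[1]


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    cracked_unsalted = crack_by_lookup(LEAKED_UNSALTED, table)

    # Same three users, same passwords, now stored salted and iterated.
    leaked_salted = {
        "alice": hash_password("123456"),
        "bob": hash_password("letmein"),
        "carol": hash_password("c0rrect-h0rse-battery"),
    }
    cracked_salted = crack_by_lookup(
        {u: digest_field(s) for u, s in leaked_salted.items()}, table
    )
    return cracked_unsalted, cracked_salted, leaked_salted


if __name__ == "__main__":
    unsalted, salted, store = demo()
    print("unsalted store, cracked by table lookup:", unsalted)
    print("salted store, cracked by table lookup:  ", salted)
    print("alice verifies with correct password:", verify_password("123456", store["alice"]))
```

Against the bare hashes, alice and bob fall to a dictionary lookup and only carol's long passphrase survives. Against the salted store the precomputed table finds nothing: the attacker has to redo 20,000 rounds per candidate per user, which is the cost the slide 32 diagram is buying. The salt also means two users with the same password get different records, so a match on one reveals nothing about the other.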
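The post-breach procedure of slide 37, with the one-time code from slide 38, as an added example in Python; it is not the speaker's code and the class names (Account, ResponsePlan), the `outbox` list standing in for the e-mail or SMS channel, and the password hashing helper are all constructed for the demo. It walks the five steps in order: log out every session, set is_dirty, refuse to open a session until a second factor is presented, then refuse until the password is changed, and only then clear the flag. One check the slide does not spell out is added and labelled in a comment: the new password must not be the one that leaked.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 20_000


def hash_password(password, salt=None):
    """Salted, iterated hash stored as salt || digest (16 + 32 bytes)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def check_password(password, stored):
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)


class Account:
    def __init__(self, username, password):
        self.username = username
        self.password_hash = hash_password(password)
        self.is_dirty = False           # slide 37's is_dirty flag
        self.sessions = set()           # live session ids
        self.pending_code = None        # one-time code "sent" by e-mail or SMS
        self.second_factor_done = False


class ResponsePlan:
    """Runs the slide 37 procedure for one account, step by step."""

    def __init__(self):
        self.outbox = []   # constructed stand-in for the e-mail/SMS channel

    def mark_compromised(self, account):
        """Steps 1 and 2: log out, mark as compromised."""
        account.sessions.clear()
        account.is_dirty = True
        account.second_factor_done = False

    def login(self, account, password):
        if not check_password(password, account.password_hash):
            return "denied"
        if account.is_dirty:
            # Step 3: force the second factor before anything else.
            if not account.second_factor_done:
                account.pending_code = f"{secrets.randbelow(10**6):06d}"
                self.outbox.append((account.username, account.pending_code))
                return "second_factor_required"
            # Step 4: force a password change; no session until it is done.
            return "password_change_required"
        sid = secrets.token_urlsafe(32)
        account.sessions.add(sid)
        return sid

    def submit_second_factor(self, account, code):
        if account.pending_code is None:
            return False
        ok = hmac.compare_digest(code, account.pending_code)
        account.pending_code = None      # single use, whether it matched or not
        account.second_factor_done = ok
        return ok

    def change_password(self, account, old, new):
        if not account.second_factor_done or not check_password(old, account.password_hash):
            return False
        # Added check, not on the slide: re-using the leaked password defeats the point.
        if check_password(new, account.password_hash):
            return False
        account.password_hash = hash_password(new)
        # Step 5: mark as not compromised.
        account.is_dirty = False
        account.second_factor_done = False
        return True


if __name__ == "__main__":
    plan, acct = ResponsePlan(), Account("alice", "old-secret")
    plan.mark_compromised(acct)
    print(plan.login(acct, "old-secret"))           # second_factor_required
    plan.submit_second_factor(acct, plan.outbox[-1][1])
    print(plan.login(acct, "old-secret"))           # password_change_required
    print(plan.change_password(acct, "old-secret", "new-secret"), acct.is_dirty)
```

Because the flag is checked on every login rather than once, an attacker who already holds the leaked password gets no session from it: the out-of-band code goes to the legitimate owner, and the password that leaked is the one thing that can no longer be kept.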