Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Surviving Your Next Data Breach

Anna Filina
PRO
June 01, 2017
Programming
0
88

Surviving Your Next Data Breach

It happens even to tech giants: they get hacked, and client databases get leaked. Let’s look at what data is the most sensitive and what steps we can take to protect it, while still keeping all of the user experience intact. Come see why most web applications do passwords and credit card information wrong.

Anna Filina
PRO

June 01, 2017
Tweet

More Decks by Anna Filina

See All by Anna Filina
Writing Testable Symfony Apps
afilina
PRO
0
110
Upgrading Legacy to the Latest PHP Version
afilina
PRO
0
150
Avoid Costly Framework Upgrades
afilina
PRO
2
1.4k
Fantastic Bugs and How to Avoid Them
afilina
PRO
1
830
Adding Tests to Untestable Legacy Code
afilina
PRO
4
890
You Don't Need More Developers
afilina
PRO
5
1.2k
Fantastic Bugs and How to Avoid Them
afilina
PRO
0
190
Ship 10 Times Faster With These Designs
afilina
PRO
0
440
Effortless Software Development
afilina
PRO
1
410

Other Decks in Programming

See All in Programming
ゲームの抽選ロジックにGenericsを使ってみたら開発が楽になった話
qualiarts
0
110
FSE時代におけるWEBサイト制作の研究 #wpshinshu / 2023-05-20 Shinshu WordPress Meetup vol.23
torounit
0
220
Firebase A/B TestingとRemote Config
を最大限に活用する方法
mukky620
1
370
Kotlin 2.0을 통해 알아보는 코틀린의 미래
dalinaum
1
1.6k
新人PHPer向け 圧倒的に差をつける仕事の進め方 #phpstudy
77web
2
560
Multiverse Ruby
shioyama
2
2.5k
フロントエンド刷新をプロジェクトとして進める際に気をつけていること
koba04
1
1.2k
Goのメモリ管理 / Memory management in Go
ymotongpoo
4
3.2k
Learn Ractor
m_seki
1
1.5k
CloudWatchLogsが個人情報保護の盲点になっていませんか?
shoheihosaka
0
160
sync.Mutexの仕組みを理解する
ffjlabo
1
530
Google I/O 2023 の 個人的おすすめセッションの紹介 / Introducing interesting sessions at Google IO 2023
numeroanddev
1
120

Featured

See All Featured
Designing for Performance
lara
601
65k
Adopting Sorbet at Scale
ufuk
66
8k
Agile that works and the tools we love
rasmusluckow
322
20k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
Debugging Ruby Performance
tmm1
68
11k
In The Pink: A Labor of Love
frogandcode
133
21k
Robots, Beer and Maslow
schacon
154
7.5k
Design by the Numbers
sachag
272
18k
How to name files
jennybc
51
80k
Fashionably flexible responsive web design (full day workshop)
malarkey
395
64k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k
Teambox: Starting and Learning
jrom
124
8k

Transcript

  1. @afilina
    Surviving Your Next
    Data Breach
    PHPUGFFM, Frankfurt - June 01, 2017

    View Slide

  2. You will get hacked

    View Slide

  3. It Happens
    • Dropbox
    • Adobe
    • LinkedIn
    • Yahoo!
    68 million
    152 million
    164 million
    1.2 billion

    View Slide

  4. Anna Filina
    • Project rescue expert
    • Dev, trainer, speaker

    View Slide

  5. Way to Get Breached
    • Hackers
    • Employees
    • $5 consultants

    View Slide

  6. $5 consultants?!

    View Slide

  7. View Slide

  8. Don't use server passwords
    Use SSH keys

    View Slide

  9. Zero-out
    development data

    View Slide

  10. Background security
    checks

    View Slide

  11. Sensitive Data
    • Passwords
    • Credit cards
    • Social security numbers
    • Current locations
    • IP addresses
    • ...

    View Slide

  12. Getting Ready for the Breach
    • Store less
    • Make stolen data useless
    • Post-breach procedures

    View Slide

  13. Store less sensitive
    data

    View Slide

  14. $5,000 -
    $100,000
    per month

    View Slide

  15. But... recurring
    billing!

    View Slide

  16. View Slide

  17. Vault
    Credit card
    Token
    Amount + token
    App
    Payment
    gateway
    User

    View Slide

  18. **** **** **** 0123

    View Slide

  19. Sessions!

    View Slide

  20. View Slide

  21. Vault
    Credit card
    Token
    Amount + token
    App
    Payment
    gateway
    User

    View Slide

  22. **** **** **** 0123
    Edit

    View Slide

  23. Implementation Effort?
    • ~5 hours
    • Includes reading documentation

    View Slide

  24. Alternative Storage
    • Comments

    View Slide

  25. Please charge half on 

    4111 1111 1111 1111 

    (06/17)
    and the other half on

    4012 8888 8888 1881

    (10/19)

    View Slide

  26. Passwords
    • No plaintext.
    • No hash.

    View Slide

  27. Rainbow tables!

    View Slide

  28. How do They Work?
    • Create string permutations
    • Compute hashes
    • Steal password hashes
    • Look up in table

    View Slide

  29. Collisions
    • They are rare
    • Pick the shortest and more obvious
    • Can just try all matches on a site

    View Slide

  30. Rainbow tables can
    be downloaded

    View Slide

  31. What Then?
    • Salted hash
    • Repeated hashing

    View Slide

  32. Repeated Hashing
    +salt + hashing
    Hash
    Password
    Hash
    +salt + hashing
    x20,000

    View Slide

  33. bcrypt

    View Slide

  34. Password Policy
    • Don't limit number and type of
    characters
    • Harder to generate rainbow tables
    • Also prevents brute force

    View Slide

  35. Security Questions
    • Known by a wide group of people
    • You're storing more private data
    • Security questions on other sites

    View Slide

  36. Response plan

    View Slide

  37. Example Procedure
    • Log out.
    • Mark as compromised (is_dirty=1).
    • Force 2nd factor auth.
    • Force password change.
    • Mark as not compromised.

    View Slide

  38. 2FA
    • 1-time code (e-mail, SMS)
    • Time-synchronized 1-time password

    View Slide

  39. Next Steps
    • What else do you not need?
    • E-mails?

    View Slide

  40. Let's protect private
    data

    View Slide

  41. @afilina afilina.com

    View Slide