Surviving Your Next Data Breach

It happens even to tech giants: they get hacked, and client databases get leaked. Let’s look at what data is the most sensitive and what steps we can take to protect it, while still keeping all of the user experience intact. Come see why most web applications do passwords and credit card information wrong.

Anna Filina

June 01, 2017
Transcript

  1. @afilina
    Surviving Your Next
    Data Breach
    PHPUGFFM, Frankfurt - June 01, 2017

  2. You will get hacked

  3. It Happens
    • Dropbox: 68 million
    • Adobe: 152 million
    • LinkedIn: 164 million
    • Yahoo!: 1.2 billion

  4. Anna Filina
    • Project rescue expert
    • Dev, trainer, speaker

  5. Ways to Get Breached
    • Hackers
    • Employees
    • $5 consultants

  6. $5 consultants?!

  7. (image-only slide)

  8. Don't use server passwords
    Use SSH keys

  9. Zero-out development data

  10. Background security checks

  11. Sensitive Data
    • Passwords
    • Credit cards
    • Social security numbers
    • Current locations
    • IP addresses
    • ...

  12. Getting Ready for the Breach
    • Store less
    • Make stolen data useless
    • Post-breach procedures

  13. Store less sensitive data

  14. $5,000 - $100,000 per month

  15. But... recurring billing!

  16. (image-only slide)

  17. Vault
    (flow diagram; labels: User, Credit card, Vault, Token, App, Amount + token, Payment gateway)

  18. **** **** **** 0123

  19. Sessions!

  20. (image-only slide)

  21. Vault
    (flow diagram; labels: User, Credit card, Vault, Token, App, Amount + token, Payment gateway)

  22. **** **** **** 0123
    Edit

  23. Implementation Effort?
    • ~5 hours
    • Includes reading documentation

  24. Alternative Storage
    • Comments

  25. "Please charge half on 4111 1111 1111 1111 (06/17) and the other half on 4012 8888 8888 1881 (10/19)"

  26. Passwords
    • No plaintext.
    • No hash.

  27. Rainbow tables!

  28. How do They Work?
    • Create string permutations
    • Compute hashes
    • Steal password hashes
    • Look up in table

  29. Collisions
    • They are rare
    • Pick the shortest and most obvious
    • Can just try all matches on a site

  30. Rainbow tables can be downloaded

  31. What Then?
    • Salted hash
    • Repeated hashing

  32. Repeated Hashing
    (diagram: Password → +salt + hashing → Hash → +salt + hashing → Hash, repeated x20,000)

  33. bcrypt
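
The salt-and-repeat scheme drawn on slide 32, written out in Python's standard library as an added example (not code from the talk), to show why a per-user salt defeats a downloaded rainbow table and why the record must carry its own salt and round count. The 20,000 rounds come from the slide; the 16-byte salt, the `rounds$salt$digest` record format and the function names are my assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

ROUNDS = 20_000      # the "x20,000" on slide 32
SALT_BYTES = 16      # salt length is an assumption, not from the slides


def _stretch(password: str, salt: bytes, rounds: int) -> bytes:
    """Slide 32 as code: hash the password, then re-hash (salt + previous hash) 'rounds' times."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    for _ in range(rounds):
        digest = hashlib.sha256(salt + digest).digest()
    return digest


def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = ROUNDS) -> str:
    """Return a self-describing record 'rounds$salt$digest' (hex) so rounds can be raised later.

    A fresh random salt per user means two users with the same password get different
    records, so one precomputed (rainbow) table cannot be reused across accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = _stretch(password, salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    rounds, salt_hex, digest_hex = record.split("$")
    candidate = _stretch(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, rounds: int = ROUNDS) -> bool:
    """True if the record was made with fewer rounds than current policy; rehash at next login."""
    return int(record.split("$")[0]) < rounds


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong", rec))                           # False
```

In production, use bcrypt (slide 33) or another purpose-built password hash instead of this hand-rolled loop; the record layout and `needs_rehash` check are the part worth keeping, since they let the cost be raised without a forced reset.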

  34. Password Policy
    • Don't limit number and type of characters
    • Harder to generate rainbow tables
    • Also prevents brute force

  35. Security Questions
    • Known by a wide group of people
    • You're storing more private data
    • Security questions on other sites

  36. Response plan

  37. Example Procedure
    • Log out.
    • Mark as compromised (is_dirty=1).
    • Force 2nd factor auth.
    • Force password change.
    • Mark as not compromised.

  38. 2FA
    • 1-time code (e-mail, SMS)
    • Time-synchronized 1-time password

  39. Next Steps
    • What else do you not need?
    • E-mails?

  40. Let's protect private data

  41. @afilina afilina.com
