Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Surviving Your Next Data Breach

Avatar for Anna Filina Anna Filina
June 01, 2017
Programming
0
110

Surviving Your Next Data Breach

It happens even to tech giants: they get hacked, and client databases get leaked. Let’s look at what data is the most sensitive and what steps we can take to protect it, while still keeping all of the user experience intact. Come see why most web applications do passwords and credit card information wrong.
Avatar for Anna Filina

Anna Filina

June 01, 2017
Tweet

More Decks by Anna Filina

See All by Anna Filina
Better Code Design in PHP
Avatar for Anna Filina afilina
0
220
Semi-Automated Refactoring and Upgrades with Rector
Avatar for Anna Filina afilina
0
130
Better Code Design in PHP
Avatar for Anna Filina afilina
0
380
Better Code Design in PHP
Avatar for Anna Filina afilina
0
520
Adding Tests to Untestable Legacy Code
Avatar for Anna Filina afilina
0
340
Upgrading Legacy to the Latest PHP Version
Avatar for Anna Filina afilina
0
350
Semi-Automated Refactoring and Upgrades with Rector
Avatar for Anna Filina afilina
0
240
Better Code Design in PHP
Avatar for Anna Filina afilina
1
710
Effortless Software Development
Avatar for Anna Filina afilina
1
310

Other Decks in Programming

See All in Programming
Cloudflare Workersで進めるリモートMCP活用
Avatar for syumai syumai
9
1.3k
AIコーディングエージェントを 「使いこなす」ための実践知と現在地 in ログラス / How to Use AI Coding Agent in Loglass
Avatar for r-kagaya rkaga
4
1.4k
Duke on CRaC with Jakarta EE
Avatar for ivargrimstad ivargrimstad
1
180
データと事例で振り返るDevin導入の"リアル" / The Realities of Devin Reflected in Data and Case Studies
Avatar for r-kagaya rkaga
3
2.5k
Jakarta EE Meets AI
Avatar for ivargrimstad ivargrimstad
0
990
ASP.NETアプリケーションのモダナイゼーションについて
Avatar for tomokusaba tomokusaba
0
270
マイコンでもRustのtestがしたい/KernelVM Kansai 11
Avatar for Toshifumi NISHINAGA tnishinaga
1
920
Boost Your Performance and Developer Productivity with Jakarta EE 11
Avatar for ivargrimstad ivargrimstad
0
960
Serving TUIs over SSH with Go
Avatar for Carlos Alexandro Becker caarlos0
0
750
Embracing Ruby magic
Avatar for Vinicius Stock vinistock
2
270
エンジニア向けCursor勉強会 @ SmartHR
Avatar for Yuki Horikoshi yukisnow1823
3
13k
AI時代のリアーキテクチャ戦略 / Re-architecture Strategy in the AI Era
Avatar for dachi023 dachi023
0
120

Featured

See All Featured
Fireside Chat
Avatar for paigeccino paigeccino
37
3.4k
Become a Pro
Avatar for Speaker Deck speakerdeck
PRO
28
5.3k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
267
13k
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
357
30k
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
26k
Designing Experiences People Love
Avatar for Jonathan Moore moore
142
24k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
7
430
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
280
13k
Optimising Largest Contentful Paint
Avatar for Harry Roberts csswizardry
37
3.2k
KATA
Avatar for Megan Lloyd mclloyd
29
14k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
29
2.6k
A better future with KSS
Avatar for Kyle Neath kneath
239
17k

Transcript

  1. @afilina Surviving Your Next Data Breach PHPUGFFM, Frankfurt - June

    01, 2017

  2. You will get hacked

  3. It Happens • Dropbox • Adobe • LinkedIn • Yahoo!

    68 million 152 million 164 million 1.2 billion

  4. Anna Filina • Project rescue expert • Dev, trainer, speaker

  5. Way to Get Breached • Hackers • Employees • $5

    consultants

  6. $5 consultants?!

  7. None

  8. Don't use server passwords Use SSH keys

  9. Zero-out development data

  10. Background security checks

  11. Sensitive Data • Passwords • Credit cards • Social security

    numbers • Current locations • IP addresses • ...

  12. Getting Ready for the Breach • Store less • Make

    stolen data useless • Post-breach procedures

  13. Store less sensitive data

  14. $5,000 - $100,000 per month

  15. But... recurring billing!

  16. None

  17. Vault Credit card Token Amount + token App Payment gateway

    User

  18. **** **** **** 0123

  19. Sessions!

  20. None

  21. Vault Credit card Token Amount + token App Payment gateway

    User

  22. **** **** **** 0123 Edit

  23. Implementation Effort? • ~5 hours • Includes reading documentation

  24. Alternative Storage • Comments

  25. Please charge half on 
 4111 1111 1111 1111 


    (06/17) and the other half on
 4012 8888 8888 1881
 (10/19)

  26. Passwords • No plaintext. • No hash.

  27. Rainbow tables!

  28. How do They Work? • Create string permutations • Compute

    hashes • Steal password hashes • Look up in table

  29. Collisions • They are rare • Pick the shortest and

    more obvious • Can just try all matches on a site

  30. Rainbow tables can be downloaded

  31. What Then? • Salted hash • Repeated hashing

  32. Repeated Hashing +salt + hashing Hash Password Hash +salt +

    hashing x20,000

  33. bcrypt

  34. Password Policy • Don't limit number and type of characters

    • Harder to generate rainbow tables • Also prevents brute force

  35. Security Questions • Known by a wide group of people

    • You're storing more private data • Security questions on other sites

  36. Response plan

  37. Example Procedure • Log out. • Mark as compromised (is_dirty=1).

    • Force 2nd factor auth. • Force password change. • Mark as not compromised.

  38. 2FA • 1-time code (e-mail, SMS) • Time-synchronized 1-time password

  39. Next Steps • What else do you not need? •

    E-mails?

  40. Let's protect private data

  41. @afilina afilina.com