Web & Cloud Security in the real world


Presented as a keynote speaker at Dayananda Sagar College and event conducted by CompTIA.

Published in: Technology

  1. Web & Cloud Security in the Real World. Madhu Akula, @madhuakula
  2. Madhu Akula - Profile
     • Information Security Researcher
     • Chapter Lead & Speaker, null
     • Acknowledged by US Department of Homeland Security
     • Found bugs in Google, Microsoft, Yahoo, Adobe, etc.
     • Open Source Contributor
     • Interested in Automation & DevOps
     • Never ending learner!
     www.madhuakula.com
  3. This is for educational purposes only; I am not responsible for any illegal activities done by anyone.
  4. Let’s talk about Social Engineering
  5. My Experience!
  6. Fake Emails
  7. Demo
  8. Data Breaches in the Wild. http://www.idtheftcenter.org/ITRC-Surveys-
  9. Sample Web Architecture
  10. Web Security Statistics. http://www.imperva.com/docs/HII_Web_Application_Attack_Report_
  11. Common Web Attacks
      • Cross Site Scripting (XSS)
      • SQL Injection
      • Information Disclosure
      • Remote Code Execution
      Recent:
      • Cross Site Port Attacks
      • Reflected File Download
      • Etc.
  12. SQL Injection
      • SQL Injection is one of the most used vectors when malicious people want to create a new botnet.
      • SQL injection occurs when untrusted data is sent to an interpreter as part of a command.
      • It allows the attacker to take control of the database.
  13. SQL Injection Attack
      • A number plate crafted to foil an automatic license plate scanner!
      • An attack which allows SQL to be executed as part of the input.
  14. Bobby Tables! https://www.explainxkcd.com/wiki/index.php/327:_Exploits_of_a_Mom
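The point of slides 12 to 14 in working code, as an added example (not from the slides or the speaker): the same user lookup built by string concatenation and as a parameterised query, run against an in-memory SQLite table filled with constructed sample rows.

```python
"""Added example (not from the slides): the same lookup built by string
concatenation and as a parameterised query, against an in-memory SQLite
table filled with constructed sample rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a tiny users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.invalid"),
        ("bob", "bob@example.invalid"),
    ])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Untrusted input becomes part of the command text, so the database
    # parses whatever it contains as SQL.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # The value travels separately from the command: it is compared as
    # data and can never change the statement's structure.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    conn = make_db()
    # The classic tautology: closes the string literal and appends a
    # condition that is always true, so the WHERE clause filters nothing.
    payload = "nobody' OR '1'='1"
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, payload)),
        "safe_rows": len(find_user_safe(conn, payload)),
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable_rows': 2, 'safe_rows': 0}
```

The parameterised version returns nothing for the same input because the driver never lets the value be interpreted as part of the statement.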
  15. Cross Site Scripting
      • An XSS flaw occurs whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping.
      • XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
  16. Example
      • One of the most infamous examples is the MySpace Samy worm. In less than a day its author had more than a million friends and MySpace had to be shut down.
      • An XSS bug on the website registration page can enable theft of registration details.
      • There are many exploitation frameworks for this vulnerability, like BeEF, Xenotix, etc.
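Output encoding, the fix slide 15 names, as an added example (not from the slides or the speaker): a profile link rendered from an untrusted display name and homepage, once by concatenation and once with context-appropriate escaping plus a URL scheme allow-list. The inputs are constructed.

```python
"""Added example (not from the slides): rendering an untrusted display
name and homepage into HTML with and without output encoding."""
import html


def render_profile_vulnerable(display_name: str, homepage: str) -> str:
    # Untrusted values are concatenated straight into the markup, so a
    # name containing a <script> tag reaches the browser as script.
    return '<a href="' + homepage + '">' + display_name + '</a>'


def render_profile_safe(display_name: str, homepage: str) -> str:
    # Encode for the context each value lands in. html.escape(quote=True)
    # neutralises <, >, &, " and ' for text nodes and quoted attributes.
    # The href also needs a scheme allow-list, because escaping alone does
    # not stop a javascript: URL from running when the link is clicked.
    if homepage.lower().startswith(("http://", "https://")):
        href = html.escape(homepage, quote=True)
    else:
        href = "#"
    name = html.escape(display_name, quote=True)
    return '<a href="' + href + '">' + name + '</a>'


def contains_script_tag(markup: str) -> bool:
    # Crude check used only to contrast the two renderers.
    return "<script" in markup.lower()


def demo() -> dict:
    # Constructed untrusted input of the kind a registration form receives.
    name = "<script>alert(1)</script>"
    site = "javascript:alert(1)"
    vuln = render_profile_vulnerable(name, site)
    safe = render_profile_safe(name, site)
    return {
        "vulnerable_has_script": contains_script_tag(vuln),
        "safe_has_script": contains_script_tag(safe),
        "safe_href_neutralised": safe.startswith('<a href="#">'),
    }
```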
  17. Information Disclosure
      • Good security requires having a secure configuration defined and deployed for the applications, frameworks, application server, web server, database server, and platform.
  18. Example
      Network Solutions was offering WordPress installations on a shared server. The main configuration file wp-config.php was world readable, which led to a mass hack of WordPress-based websites.
  19. Remote Code Execution
      An attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process.
  20. Recent Popular Zero Days
      • Java Deserialization Vulnerability
      • Venom Vulnerability
      • Beast Vulnerability
      • Poodle Vulnerability
      • Heartbleed Vulnerability
      • Shell Shock Vulnerability
      • Etc.
      (SSL related: Beast, Poodle, Heartbleed)
  21. Demo
  22. Let’s talk about Cloud
  23. Threats: Service Provider vs On-Premise. https://www.rackspace.com/knowledge_center/whitepaper/alert-logic-state-of-cloud-security-report-
  24. App Insecurity Scenario
      • App has a Local File Inclusion bug
      • The AWS root credentials are being used
      • They are stored in a world readable file on the server
      • Attacker reads the credentials and starts multiple large instances to mine bitcoins
      • Victim saddled with a massive bill at the end of the month
      http://www.slideshare.net/akashm/security-in-the-cloud-workshop-
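A check for the third bullet of the scenario above (and the wp-config.php case on slide 18), as an added example that is not from the slides or the speaker: flag files that look like they hold credentials and are readable by everyone, then tighten their mode. It assumes a POSIX file system; the marker strings, file name and key values are constructed placeholders.

```python
"""Added example (not from the slides): find credential-looking files that
are world readable, the defect in the app scenario above, and fix their
mode. Marker strings and sample content are constructed placeholders."""
import os
import stat
import tempfile

CREDENTIAL_MARKERS = ("AWS_SECRET_ACCESS_KEY", "aws_secret_access_key", "password=")


def is_world_readable(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def looks_like_credentials(path: str) -> bool:
    # Only the first few KB are inspected; enough for .env / ini style files.
    with open(path, "r", errors="ignore") as fh:
        head = fh.read(4096)
    return any(marker in head for marker in CREDENTIAL_MARKERS)


def audit(paths) -> list:
    """Paths that both look like credential files and are readable by 'other'."""
    return [p for p in paths if looks_like_credentials(p) and is_world_readable(p)]


def remediate(path: str) -> None:
    # Owner read/write only, i.e. chmod 600. Ownership should match the
    # service account that actually needs the secret.
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def demo() -> dict:
    # Constructed sample: an .env file with PLACEHOLDER values, created
    # world-readable (mode 644) exactly like the file in the scenario.
    workdir = tempfile.mkdtemp()
    env_file = os.path.join(workdir, "app.env")
    with open(env_file, "w") as fh:
        fh.write("AWS_ACCESS_KEY_ID=PLACEHOLDER\n"
                 "AWS_SECRET_ACCESS_KEY=PLACEHOLDER\n")
    os.chmod(env_file, 0o644)
    before = audit([env_file])
    for path in before:
        remediate(path)
    after = audit([env_file])
    return {"flagged_before": len(before), "flagged_after": len(after)}
```

Fixing the mode only closes the read path; the scenario's other defect, running the application with root credentials instead of a least-privilege identity, still needs to be fixed separately.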
  25. Infra Insecurity Scenario
      • MySQL production database is listening on an external port
      • Developers work directly on the production database and require SQL management software
      • They log in using the root user of the MySQL database server and a simple password
      • Attacker runs a brute-force script and cracks the password, gaining full access to the database
      http://www.slideshare.net/akashm/security-in-the-cloud-workshop-
  26. Heartbleed. https://xkcd.com/1354/
  27. Data Insecurity Scenario
      • Database is getting backed up regularly
      • Due to performance reasons, the database wasn’t encrypted when initial backups were done
      • Dev team moves to newer SSDs and doesn’t decommission the older HDDs
      • Attacker finds the older HDDs, does forensics for data recovery and sells the data for profit
      http://www.slideshare.net/akashm/security-in-the-cloud-workshop-
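Detection for the brute-force step of the infra scenario (slide 25), as an added example that is not from the slides or the speaker: count failed database logins per source host in a sliding window. The log lines are constructed and only modelled on MySQL's "Access denied" notice; the hosts, user and timestamps are made up.

```python
"""Added example (not from the slides): flag hosts hammering the database
with failed logins, the step that precedes the cracked root password in
the scenario above. Log lines are constructed, modelled on MySQL's
'Access denied' notice; hosts, user and times are made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2015-10-01T12:00:01Z 5 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2015-10-01T12:00:03Z 6 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2015-10-01T12:00:04Z 0 [Note] InnoDB: some unrelated line
2015-10-01T12:00:05Z 7 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2015-10-01T12:00:07Z 8 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2015-10-01T12:00:09Z 9 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2015-10-01T12:00:11Z 10 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2015-10-01T12:05:00Z 11 [Note] Access denied for user 'dev'@'198.51.100.7' (using password: YES)
"""

LINE_RE = re.compile(
    r"^(\S+)\s+\d+\s+\[Note\] Access denied for user '([^']+)'@'([^']+)'")


def parse_failures(log: str):
    """Yield (timestamp, user, host) for every failed-login line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3)


def bruteforce_sources(log: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=1)) -> dict:
    """Hosts with at least `threshold` failures inside any sliding window,
    mapped to the largest such run; a single mistyped password stays below."""
    by_host = defaultdict(list)
    for ts, _user, host in parse_failures(log):
        by_host[host].append(ts)
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            run = end - start + 1
            if run >= threshold:
                flagged[host] = max(flagged.get(host, 0), run)
    return flagged
```

The result is only a signal; the scenario's real fix is to stop exposing the database port externally and to retire shared root logins with simple passwords.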
  28. 10 Steps for Cloud
      • Enumerate all the network interfaces
      • List all the running services
      • Harden each service separately based on best practices
      • Secure remote access for server management (SSH, RDP)
      • Check operating system patch levels
  29. 10 Steps for Cloud (continued)
      • Harden networking parameters of the kernel (Linux)
      • Enable a host firewall
      • Do an inventory of all user accounts on the server and audit them
      • Enable centralized logging
      • Enable encryption on disks, storage, etc.
  30. Misuses of Cloud (Recent Attacks). http://thehackernews.com/
  31. Resources
      • null – null.co.in
      • Security Tube – securitytube.net
      • OWASP – owasp.org
      • CSA – cloudsecurityalliance.org
      • Google – google.com
  32. My info while I answer your questions
      Madhu Akula, Information Security Researcher
      www.madhuakula.com
      Twitter: @madhuakula
      madhu.akula@hotmail.com | +91-9676865642
