
All Input is Evil (Part 1)

Introduction
• Will not cover everything
• Healthy level of paranoia
• Use my DVD Swap Shop application (week 2)
Security Considerations
• Authentication
• Authorisation
• Secure communication
• Software + Hardware

The Login
• Provides authentication
• Asterisks: *********
• SQL injection attack

Human Problems
• A simple conversation
• People use words they can remember
• Same passwords for many sites
• Doctor Who fan: guess the password
  T****S

Dictionary Attacks
• If you know a username, throw the dictionary at it
Brute Force Attack
• If the password is CC but all we know is that it is two characters long: **
  AA
  AB
  BA
  BB
  BC
  CB
  CC
• The longer the password, the more time we need to crack it.
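The point of the slide is that the search space grows as (alphabet size)^(length). The following added example (not part of the original slides) simulates the slide's toy search over the letters A to C for the password "CC", then shows how the worst-case number of guesses grows with length for a 26-letter alphabet. The guess rate of 1e9 per second is an assumed figure, not one the slides give.

```python
import itertools


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from
    an alphabet of `alphabet_size` symbols: the worst-case number of guesses."""
    return alphabet_size ** length


def guesses_until_found(target: str, alphabet: str) -> int:
    """Simulate the slide's brute-force search: try every string of
    len(target) characters over `alphabet` in lexicographic order and
    return how many guesses were needed to reach `target`.
    Returns -1 if `target` contains a character outside `alphabet`."""
    if any(ch not in alphabet for ch in target):
        return -1
    candidates = itertools.product(alphabet, repeat=len(target))
    for count, candidate in enumerate(candidates, start=1):
        if "".join(candidate) == target:
            return count
    return -1  # not reached: every string over the alphabet is enumerated above


def worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at an assumed guess rate."""
    return keyspace_size(alphabet_size, length) / guesses_per_second


if __name__ == "__main__":
    # The slide's toy case: a two-character password "CC" over the letters A-C.
    print("guesses to reach CC:", guesses_until_found("CC", "ABC"))
    # Growth with length for 26 lowercase letters at an assumed 1e9 guesses/s.
    for length in (6, 8, 10, 12):
        print(f"{length} chars: {keyspace_size(26, length):,} candidates, "
              f"{worst_case_seconds(26, length, 1e9):,.0f} s worst case")
```

Every extra character multiplies the attacker's work by the alphabet size, which is why a minimum length is the first rule enforced under Countermeasures.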
Countermeasures
• Education
  - Don’t use the same password for all sites
  - Avoid passwords that could be guessed
  - Don’t use dictionary words
• Enforce rules in code
  - Minimum password length
  - Non-alphanumeric characters
  - Expiration date
  - Limit login attempts
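The four "enforce rules in code" bullets can be written as plain functions. The following added example is not from the slides or the DVD Swap Shop application; the policy values (10-character minimum, 90-day expiry, 5 failures per 15 minutes) and the small word list are assumed, constructed stand-ins for whatever a real application would configure.

```python
import string
from datetime import datetime, timedelta

MIN_LENGTH = 10                          # assumed policy values, not from the slides
MAX_PASSWORD_AGE = timedelta(days=90)
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_WINDOW = timedelta(minutes=15)

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "password123", "letmein", "qwerty", "welcome"}


def policy_violations(password: str) -> list:
    """Return the rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch in string.punctuation for ch in password):
        problems.append("no non-alphanumeric character")
    if password.lower() in COMMON_WORDS:
        problems.append("dictionary word")
    return problems


def password_expired(set_on: datetime, now: datetime) -> bool:
    """Expiration rule: force a change once the password is older than MAX_PASSWORD_AGE."""
    return now - set_on > MAX_PASSWORD_AGE


class LoginThrottle:
    """Limit login attempts: after MAX_FAILED_ATTEMPTS failures inside
    LOCKOUT_WINDOW the account is locked until the window slides past them.
    `now` is passed in explicitly so the logic is deterministic and testable."""

    def __init__(self):
        self._failures = {}              # username -> list of failure timestamps

    def _recent(self, user: str, now: datetime) -> list:
        recent = [t for t in self._failures.get(user, []) if now - t < LOCKOUT_WINDOW]
        self._failures[user] = recent
        return recent

    def is_locked(self, user: str, now: datetime) -> bool:
        return len(self._recent(user, now)) >= MAX_FAILED_ATTEMPTS

    def record_failure(self, user: str, now: datetime) -> None:
        self._recent(user, now).append(now)

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def lockout_demo() -> tuple:
    """Constructed scenario: five failures within a minute lock 'john';
    sixteen minutes later the lock has lapsed; a 91-day-old password is expired."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    throttle = LoginThrottle()
    for i in range(MAX_FAILED_ATTEMPTS):
        throttle.record_failure("john", t0 + timedelta(seconds=10 * i))
    locked_now = throttle.is_locked("john", t0 + timedelta(minutes=1))
    locked_later = throttle.is_locked("john", t0 + timedelta(minutes=16))
    expired = password_expired(t0, t0 + timedelta(days=91))
    return locked_now, locked_later, expired


if __name__ == "__main__":
    print(policy_violations("password123"))
    print(lockout_demo())
```

The throttle is keyed on the username, so a dictionary attack against one known user (the previous slide) stalls after five guesses rather than running through the whole word list.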
Use a Security Framework
• Authentication options in .NET
  - Windows
  - Passport
  - Forms
  - DIY

Securing Stored Passwords
• Unsecured Access database
  - Stored in App_Data folder
  - (Could store on another drive/machine)
• Plain-text password stored in the table
Password Hashing
• .NET Cryptography
• Encryption is OK
• Hashing is better
  password123
  IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY=
• Do not store the password in plain text

Adding Salt
• If the passwords for John and Fred without salt look like this...
  John  IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY=
  Fred  IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY=
• Adding salt would change the hash values like so...
  John  354rlrk8Jv7729qVOrOp0lXUv7RAsdV
  Fred  9Wo0irC6+ylay0CJsLVtWBfbJBSn03j4gzhG
• Concatenate password + email address
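The following added example (not from the slides, and not the .NET code the lecture uses) reproduces the two slides in code: an unsalted hash gives John and Fred the same stored value, a salted hash does not. It shows the slide's scheme (salt = email address) beside a per-user random salt stored with the digest; PBKDF2 via Python's hashlib stands in for the .NET cryptography classes, and the iteration count is an assumed value.

```python
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # PBKDF2 work factor; assumed value


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password, base64-encoded. Identical passwords
    give identical values, which is the John/Fred problem on the slide."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash. With no salt supplied a fresh random 16-byte salt
    is drawn and stored alongside the digest as 'salt$digest' (both base64)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return base64.b64encode(salt).decode("ascii") + "$" + base64.b64encode(digest).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_b64, digest_b64 = stored.split("$", 1)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(actual, expected)


def email_salted_hash(password: str, email: str) -> str:
    """The slide's scheme: salt = the user's email address, so John and Fred
    differ even with the same password. Nothing extra needs storing, but the
    salt is guessable and the hash has to be recomputed if the email changes."""
    return hash_password(password, salt=email.strip().lower().encode("utf-8"))


if __name__ == "__main__":
    # Constructed users sharing the slide's password.
    print("unsalted John:", unsalted_hash("password123"))
    print("unsalted Fred:", unsalted_hash("password123"))
    print("salted John:  ", hash_password("password123"))
    print("salted Fred:  ", hash_password("password123"))
```

A random per-user salt is the stronger choice: two users with the same password still get different digests, and a precomputed table of common-password hashes is useless against the stored table.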
Validation
• Who do you trust?
• Do you trust me not to make use of that data in some way?
• Do you trust me to write a web application that will not be compromised in any way?
• Not just a matter of which people you trust, but which systems you trust
• Exclude list = characters we don’t allow
• Include list = characters we do allow

Code Injection
• Script could run when the page is rendered elsewhere in the application
• IIS automatically disallows this
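The following added example (not from the slides or the Swap Shop code) shows the two validation styles side by side for a field like SwapTitle, and the output-encoding step that keeps a stored value from running as script when another page renders it. The include-list pattern, the 100-character limit and the sample titles are assumed and constructed.

```python
import html
import re

# Include list for a title field: letters, digits, space and a few punctuation
# marks, 1-100 characters. Pattern and length limit are assumed, not the app's own.
TITLE_INCLUDE = re.compile(r"^[A-Za-z0-9 ,.:'!&()-]{1,100}$")

# Exclude list: only the characters that come to mind for markup injection.
TITLE_EXCLUDE = set('<>"')


def title_allowed_by_include_list(title: str) -> bool:
    """Accept only what is explicitly allowed; everything else is rejected."""
    return TITLE_INCLUDE.fullmatch(title) is not None


def title_allowed_by_exclude_list(title: str) -> bool:
    """Reject only what is explicitly listed; anything unforeseen gets through."""
    return not any(ch in TITLE_EXCLUDE for ch in title)


def render_title(title: str) -> str:
    """Encode on output so that whatever was stored is displayed as text,
    not interpreted as markup by the browser."""
    return "<h2>" + html.escape(title, quote=True) + "</h2>"


if __name__ == "__main__":
    # Constructed inputs: a normal title, a markup attempt, and a title carrying
    # a control character that an exclude list never thought about.
    for sample in ["Doctor Who: Series 1", "<script>x</script>", "Alien\x00"]:
        print(repr(sample),
              "include:", title_allowed_by_include_list(sample),
              "exclude:", title_allowed_by_exclude_list(sample))
    print(render_title("Tom & Jerry"))
```

The control-character case is why the slide prefers an include list: the exclude list only stops what its author anticipated, while the include list rejects anything not deliberately permitted. Encoding on output is still needed for values that arrive from other systems you do not trust.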
Turn Off Debug Mode
• By entering bad data a hacker could crash your program

We Now Know
• The language of the application (VB.NET)
• The names of several parameters: SwapTitle, Description, etc.
• In the light of the above, probably the names of some fields in the database (this way the hacker may refine the SQL injection attacks)
• The remote path on the server: C:\MyFiles\IMAT1604\content\Widget Swap\Widget Swap\aswap.aspx.vb
Securing the Communication Channel

Public and Private Keys

Secure Sockets Layer (SSL)
• The browser makes a secure HTTP request (HTTPS) on port 443
• The server sends back a digital certificate verifying its credentials
• The client verifies the certificate with the issuing certificate authority
• Using the public key, the data exchanged between client and server is encrypted

Open Ports
• Port scanners
• Firewalls
• IP filtering
• Turn off unused services
• Grant minimum permissions to resources