Smau Roma 2013, Alessio Pennasilico
Basta hacker in TV! (Enough with hackers on TV!)
Basta hacker in TV! [email protected]
$whois -=mayhem=-
Committed: AIP Associazione Informatici Professionisti, CLUSIT, AIPSI Associazione Italiana Professionisti Sicurezza Informatica, Italian Linux Society, Sikurezza.org, AIP/OPSI, Hacker's Profiling Project, CrISTAL
Security Evangelist @
My grandmother used to say...
Don't believe everything you see on television...
Visualroute?
How many of you use it to determine the source of an attack?
SQL Injection
Video on SQL Injection
Other risks?
I can query the DB and pull out all the data it contains:
```sql
' UNION ALL SELECT NULL,username,password,NULL FROM utenti WHERE 'x'='x
```
How do I protect myself?
I avoid processing special characters such as '
I plan for the step known as "normalizing the input"
Example
```php
<?php
// Escape quote characters in the submitted values before interpolating them into the query
$user = mysql_escape_string($_POST['user']);
$password = mysql_escape_string($_POST['password']);
// The closing double quote was missing on the slide; the statement is now well-formed
$query = "SELECT * FROM Users WHERE username='$user' AND password='$password'";
// Caveat: mysql_escape_string ignores the connection charset and was removed in PHP 7;
// mysql_real_escape_string, or better a prepared statement, is the current equivalent
```
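An added example, not from the slides: it runs the slide's UNION payload against an in-memory SQLite database (constructed sample rows; the `prodotti` table and the three search functions are assumptions) to show the concatenated query leaking the `utenti` table, the slide's escaping approach neutralising this payload, and a parameterized query as the fix that does not depend on remembering to escape.

```python
import sqlite3

# Constructed sample rows standing in for the "utenti" table the slide's payload
# names; "hash-a"/"hash-b" are placeholders, not real password hashes.
USERS = [(1, "alice", "hash-a", None), (2, "bob", "hash-b", None)]
PRODUCTS = [(1, "mouse", "10", None), (2, "keyboard", "25", None)]

# The payload quoted on the slide, unchanged.
PAYLOAD = "' UNION ALL SELECT NULL,username,password,NULL FROM utenti WHERE 'x'='x"

def make_db():
    """In-memory SQLite DB: a 4-column product table (so the 4-column UNION
    lines up) plus the users table the payload reads from."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE utenti (id INTEGER, username TEXT, password TEXT, note TEXT)")
    conn.executemany("INSERT INTO utenti VALUES (?,?,?,?)", USERS)
    conn.execute("CREATE TABLE prodotti (id INTEGER, nome TEXT, prezzo TEXT, extra TEXT)")
    conn.executemany("INSERT INTO prodotti VALUES (?,?,?,?)", PRODUCTS)
    return conn

def search_vulnerable(conn, term):
    """String concatenation: the input is parsed as part of the SQL grammar."""
    sql = "SELECT id,nome,prezzo,extra FROM prodotti WHERE nome='" + term + "'"
    return conn.execute(sql).fetchall()

def escape_quotes(value):
    """Stand-in for the quote handling of the slide's mysql_escape_string
    (SQLite escapes a quote inside a literal by doubling it)."""
    return value.replace("'", "''")

def search_escaped(conn, term):
    """The slide's defence: neutralise the quote, then still concatenate.
    Stops this payload, but every call site has to remember to do it."""
    sql = "SELECT id,nome,prezzo,extra FROM prodotti WHERE nome='" + escape_quotes(term) + "'"
    return conn.execute(sql).fetchall()

def search_parameterized(conn, term):
    """Prepared statement: the value travels separately from the SQL text, so
    it is only ever compared as data and never parsed as a query."""
    sql = "SELECT id,nome,prezzo,extra FROM prodotti WHERE nome=?"
    return conn.execute(sql, (term,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", search_vulnerable(db, PAYLOAD))      # leaks every user row
    print("escaped:      ", search_escaped(db, PAYLOAD))         # []
    print("parameterized:", search_parameterized(db, PAYLOAD))   # []
    print("normal lookup:", search_parameterized(db, "mouse"))   # [(1, 'mouse', '10', None)]
```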
What do we have to face?
Risks that are:
- real and concrete
- easy to turn into incidents
- highly likely to become an incident
- high impact on the business
What should we do?
Risks are:
- easy to prevent
- hard to mitigate after the fact
Security by Design
If I build a house without designing the emergency exits, building them once the work is finished will be a disaster.
Alessio L.R. Pennasilico, [email protected]; mayhemspp; FaceBook/linkedin: alessio.pennasilico
Questions?
These slides were written by Alessio L.R. Pennasilico aka mayhem. They are subject to the Creative Commons Attribution-ShareAlike 2.5 licence; you can copy, modify or sell them. "Please" cite your source and use the same licence :)
Thanks for your attention!