Time: 1 hour 27 minutes
Difficulty: Intermediate
CEU/CPE: 2

Video Transcription

00:00
Hello. My name is Ayokunle Olaniyi. Welcome to the overview of secure coding.
00:05
Sensitive data exposure vulnerability is actually number three on the list of the OWASP Top 10 vulnerabilities for 2017. And in this, we are going to concentrate on the introduction, causes, scenario, impacts, prevention and some quiz questions. Now this vulnerability actually occurs
00:21
when you have sensitive information like PII, which is personally identifiable information
00:26
used to uniquely identify an individual, when it is not adequately protected from being disclosed. To attackers, such information can actually be seen in clear text. Clear text is the normal human-readable sequence of characters. Now you see it
00:40
either in a very guessable form or a crackable form; just as an example, you can find such in a users' database. I'm going to show you an example presently. Then you can also hijack unencrypted traffic.
00:52
That's data in transit. Once hijacked, that's what we call a man-in-the-middle attack. The attacker simply analyzes it to get some of the sensitive PII. The other one is where you have unhashed or weakly hashed, or even unprotected, database columns.
01:08
The database is where you have your information or your data. In the case
01:12
when they are not
01:14
hashed, or are weakly hashed, or are not even encrypted at all. So those are some of the forms in which attackers can actually pick sensitive information. Some of such sensitive information include your password, your credit card number, your credit card PIN, session tokens and other authentication credentials.
01:34
Now, what are the causes of this sensitive data exposure? Like I just mentioned earlier, one is where you have unencrypted or weakly encrypted or weakly hashed PII at rest. At rest is when it's not moving, like the data in databases, your files or folders, your documents at rest.
01:53
Now, when it is in transit, when it is being sent in the form of an email, or when the data is moving from one
02:00
application to another application in the network traffic, that is in transit. So those are the two basic forms in which we have our data. When they are unencrypted, weakly encrypted or weakly hashed, they can actually cause the sensitive data exposure vulnerability. So let's see how some of these things look.
02:20
Here,
02:21
I'm going to take you through this same application that I built for this class. So here you have module three. You can actually sign up if you have been following from the previous modules. So sign up here. Here, I've actually signed up, and I'm using the details I signed up with to sign in.
02:40
Now,
02:40
this is sensitive data exposure. You're going to see from here sensitive data exposure.
02:47
Say the guy wants to do injection. Unfortunately for him, the whole details are stored there in clear text. So here, I can do injection by doing this; that's SQL injection. I mean, like, I can do, um,
03:00
admin
03:02
or 1=1, then hash. There's no user on the front end actually named admin, so I'm just guessing. But that's not what I'm actually interested in; I'm actually interested in 1=1. Then here I can do it. Let me open it as SQL injection. You need to see it. Let me do SQL injection.
03:20
So let's submit this.
03:24
Now, once I submit, I am going to get sensitive information in clear, unmasked form. You can see the password is in clear text; this is dangerous. You can see the credit card in unmasked form, the PIN in unmasked form. These are
03:40
PII. They are meant to be masked and protected. That's a very serious problem.
03:45
Now, this simply shows us that this information in transit is in unmasked form, and that is even so at rest. You can see people's information, credit card details, unmasked. This is very dangerous, but you can actually mask them.
04:03
I'm going to show you how. Don't you guys see this as
04:06
encryption? Yeah, I've actually used AES to encrypt some of them. Let me show you how I actually did that in the code here. Here, you see, I used AES encrypt. When you sign up, you'll be told or you'll be informed
04:24
to enter the username and password, city, country and all of the others. When you enter some of those fields,
04:30
at the back end, this is what I do: I just call this AES encrypt function, so it encrypts it. I want it encrypted. This is the form in which you see it. Then you can see, anybody who even has access to this cannot decrypt it except with our secret; it's in the application. I'm going to show you where I
04:47
also did the decryption in the application.
04:51
Here, when you select it, I call on AES decrypt, and this was the passkey I actually used in encrypting. So you can see it's still the same key I used here when I was encrypting. Yeah, AES encrypt. Whatever passkey I used to encrypt is the same thing I use to decrypt,
05:09
but I'm calling a different function. Yeah, I'm calling AES decrypt in this case. When I encrypted, I called
05:15
AES encrypt. That's how it goes. Now
05:18
let's take a look at how it is when you now call it here: the sensitive data exposure solution. I'm going to sign in again here. Even if the guy does injection, the data is masked, making it a bit difficult for him, while presenting the information to the
05:36
legitimate user. Also here, let's see. It says
05:40
I'm still going to do, um
05:43
SQL injection: 1=1, then I'll do a hash. So looking, you can see this is actually showing it in clear text. But that is not the intention. Now the intention is actually to mask. Then you can see,
06:01
you can see the password, it is now masked.
06:03
You can see, yeah, you can see this credit card. It's masked; only the last four digits are shown. Here we actually have different standards, so I'm showing the first four digits and the last digits, at least for this particular example. We can see it has been masked; the credit card PIN is masked.
06:19
Now, the masking function is actually a JavaScript function. I'll show you
06:25
the JavaScript where that is being done. Um, here,
06:29
you can see I have a mask function for the credit card and a mask function for the PIN. So here I call the function: mask the credit card, then mask the password and the PIN. So that's why you see them
06:46
in masked form. So that's how it actually happens. It is very, very okay, but I must warn you, in this case,
06:54
not to mask in JavaScript, because JavaScript, in this case, is actually a front-end technology. So there's a possibility that
07:03
an attacker can actually go to your page and do view page source.
07:12
You can actually do view page source.
07:15
Um, here,
07:17
you're going to see view page source. I want to do view page source. You will see all the contents, including our JavaScript file. Yes, including JavaScript. So let's take a look at the name of that particular JavaScript file and see how it is being used. Here we have the sensitive data exposure solution; that's the name of
07:38
the JavaScript file. So let's look for it here,
07:42
Ctrl+F. So I'm going to search for that. You can see this JavaScript. So once I click on it, on the front end, you can see all of these. So it's dangerous. We now understand the algorithm and the code used to get it. So I'll advise you not to do it at this point; that's why you need to do
08:01
the masking
08:03
elsewhere. It is not even advisable to do it at this point. It is better to do it at the level of the database, which is at the back end, or even at the model level, which is also on the back end, to do your masking. Then the attacker will not be able, even when he does view page source, he won't be able to see all of this. So that's just also on
08:22
um
08:24
sensitive data exposure. Now, what's the impact? It can actually lead to fines and sanctions. It can lead to money laundering. It can lead to ghost authentication. It can lead to identity theft. All these are very, very important. Talk about sanctions: if somebody gets on your platform, maybe on your platform
08:41
somebody's details are stolen, then they can actually sue you in court,
08:46
because in that case, it is your platform that my details, which you were supposed to protect, have been stolen from. Then money laundering: somebody who has my credit card details can actually use it to launder money from our accounts, or any other. Ghost authentication:
08:58
if you are able to steal my password and username, you can actually use it to log in without anyone knowing who is behind the identity. Identity theft and so on.
09:07
So how do you prevent this? One is for you to be able to encrypt data at rest with strong algorithms. You can see where I used AES encrypt.
09:16
Also, try to encrypt data in transit. You can use SSL or TLS. TLS 1.3 is actually the latest; it was released in August 2018, just last year. Then avoid old or weak encryption and hashing algorithms. Those are the ways in which you can actually prevent the sensitive data exposure
09:37
vulnerability. So it's quiz time. Which of the following is not PII?
09:41
Name, date of birth, biometrics, or IP address? Yes.
09:46
In this case, it is IP address, which is actually debatable. In some countries, IP addresses are not PII; in some other countries, they are PII. In some cases, they say it is a secondary PII because it cannot be used to uniquely identify an individual. That's why it's called indirect or
10:05
quasi PII. Now, summarily, we talked about sensitive data exposure, which is about the disclosure of
10:11
personally identifiable information, and the causes have been unencrypted, unhashed, weakly encrypted or weakly hashed PII. And I showed you a sample of the scenario. The impacts could be fines, sanctions, money laundering and all of those things. Then prevention: the advice is that you use strong encryption and hashing
10:31
methods.
10:33
So a lot of coders just want to code and get functionality working. I've been in that shoe before as a coder: you just want to write the programs, you want the functionalities to work, and you are very, very fine with that, without putting security in mind. That is a very big injustice. So the cost of fixing some of these security issues after an incident
10:50
is usually way higher than
10:54
coding in security from inception. So it is better you get the security requirements and code it along at its inception. So always try to protect customers' PII as much as possible.


Instructed By: Ayokunle Olaniyi, Instructor