cs327e elements of databases
play

CS327E: Elements of Databases Cybersecurity and SQL Injection Dr. - PowerPoint PPT Presentation

Oct 10, 2022 •50 likes •440 views

CS327E: Elements of Databases Cybersecurity and SQL Injection Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: October 31, 2016 at 12:21 CS327E SQL Injection Slideset: 1 SQL Injection What Id Like

  1. CS327E: Elements of Databases Cybersecurity and SQL Injection Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: October 31, 2016 at 12:21 CS327E SQL Injection Slideset: 1 SQL Injection

  2. What I’d Like to Discuss Why cyber security is Important Why cyber security is hard SQL Injection CS327E SQL Injection Slideset: 2 SQL Injection

  3. From the Headlines Silent War , Vanity Fair, July 2013 On the hidden battlefields of history’s first known cyber-war, the casualties are piling up. In the U.S., many banks have been hit, and the telecommunications industry seriously damaged, likely in retaliation for several major attacks on Iran. Washington and Tehran are ramping up their cyber-arsenals, built on a black-market digital arms bazaar, enmeshing such high-tech giants as Microsoft, Google, and Apple. CS327E SQL Injection Slideset: 3 SQL Injection

  4. From the Headlines U.S. Not Ready for Cyberwar Hostile Attackers Could Launch , The Daily Beast, 2/21/13 Leon Panetta says future attacks could plunge the U.S. into chaos. We’re not prepared. If the nightmare scenario becomes suddenly real ... If hackers shut down much of the electrical grid and the rest of the critical infrastructure goes with it ... If we are plunged into chaos and suffer more physical destruction than 50 monster hurricanes and economic damage that dwarfs the Great Depression ... Then we will wonder why we failed to guard against what outgoing Defense Secretary Leon Panetta has termed a “cyber-Pearl Harbor.” CS327E SQL Injection Slideset: 4 SQL Injection

  5. The U.S. at Risk? Experts believe that U.S. is perhaps particularly vulnerable to cyberattack compared to many other countries. Why? CS327E SQL Injection Slideset: 5 SQL Injection

  6. The U.S. at Risk? Experts believe that U.S. is perhaps particularly vulnerable to cyberattack compared to many other countries. Why? The U.S. is highly dependent on technology. Sophisticated attack tools are easy to come by. A lot of critical information is available on-line. Critical infrastructure may be accessible remotely. Other nations exercise more control over information and resources. CS327E SQL Injection Slideset: 6 SQL Injection

  7. How Bad Is It? Cyberwarfare greater threat to US than terrorism, say security experts , Al Jazeera America, 1/7/14 Cyberwarfare is the greatest threat facing the United States — outstripping even terrorism — according to defense, military, and national security leaders in a Defense News poll. 45 percent of the 352 industry leaders polled said cyberwarfare is the gravest danger to the U.S., underlining the government’s shift in priority—and resources—toward the burgeoning digital arena of warfare. CS327E SQL Injection Slideset: 7 SQL Injection

  8. Is Cyber Security Particularly Hard? Why would cybersecurity by any harder than other technological problems? CS327E SQL Injection Slideset: 8 SQL Injection

  9. Is Cyber Security Particularly Hard? Why would cybersecurity by any harder than other technological problems? Partial answer: Most technological problems are concerned with ensuring that something good happens. Security is all about ensuring that bad things never happen . To ensure that, you have to know what all the bad things are! CS327E SQL Injection Slideset: 9 SQL Injection

  10. Cyber Defense is Asymmetric In cybersecurity, you have to defeat an actively malicious adversary . The defender has to find and eliminate all exploitable vulnerabilities; the attacker only needs to find one ! CS327E SQL Injection Slideset: 10 SQL Injection

  11. Cyber Security is Tough Perfect security is unachievable in any useful system. We trade-off security with other important goals: functionality, usability, efficiency, time-to-market, and simplicity. CS327E SQL Injection Slideset: 11 SQL Injection

  12. Is It Getting Better? “The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it.” –Robert H. Morris (mid 1980’s), former chief scientist of the National Computer Security Center “Unfortunately the only way to really protect [your computer] right now is to turn it off, disconnect it from the Internet, encase it in cement and bury it 100 feet below the ground.” –Prof. Fred Chang (2009), former director of research at NSA CS327E SQL Injection Slideset: 12 SQL Injection

  13. Some Sobering Facts There is no completely reliable way to tell whether a given piece of software contains malicious functionality. Once PCs are infected they tend to stay infected. The median length of infection is 300 days. “The number of detected information security incidents has risen 66% year over year since 2009. In the 2014 survey, the total number of security incidents detected by respondents grew to 42.8 million around the world, up 48% from 2013—an average of 117,339 per day.” (CGMA Magazine, 10/8/2014) CS327E SQL Injection Slideset: 13 SQL Injection

  14. The Cost of Data Breaches The Privacy Right’s Clearinghouse’s Chronology of Data Breaches (January, 2012) estimates that more than half a billion sensitive records have been breached since 2005 . This is actually a very “conservative estimate.” The Ponemon Institute estimates that the approximate current cost per record compromised is around $318. “A billion here, a billion there, and pretty soon you’re talking real money” (attributed to Sen. Everett Dirksen) CS327E SQL Injection Slideset: 14 SQL Injection

  15. How Bad Could it Be? Some security experts warn that a successful possible widespread attack on U.S. computing infrastructure could largely shut down the U.S. economy for up to 6 months. It is estimated that the destruction from a single wave of cyber attacks on U.S. critical infrastructures could exceed $700 billion USD—the equivalent of 50 major hurricanes hitting U.S. soil at once. (Source: US Cyber Consequences Unit) CS327E SQL Injection Slideset: 15 SQL Injection

  16. CyberAttacks: An Existential Threat? Cyberattacks an ’Existential Threat’ to U.S., FBI Says , Computerworld, 3/24/10 A top FBI official warned today that many cyber-adversaries of the U.S. have the ability to access virtually any computer system, posing a risk that’s so great it could “challenge our country’s very existence.” According to Steven Chabinsky, deputy assistant director of the FBI’s cyber division: “The cyber threat can be an existential threat—meaning it can challenge our country’s very existence, or significantly alter our nation’s potential.” CS327E SQL Injection Slideset: 16 SQL Injection

  17. Structure of an SQL Injection? CS327E SQL Injection Slideset: 17 SQL Injection

  18. What is SQL Injection? An SQL Injection is a vulnerability that results when you give an attacker the ability to influence the SQL queries that you pass to the database. They’ve been around a long time. In 1998, Rain Forest Puppy wrote an article for Phrack titled “NT Web Technology Vulnerabilities” that first highlighted SQL injection attacks. CS327E SQL Injection Slideset: 18 SQL Injection

  19. Web Application Structure Most Web applications are interactive , accepting input from the user. Many are also database driven , meaning that they query a database in response to user input. Web applications often have three tiers : 1 presentation tier : interface (e.g. web browser) accepting user inputs; 2 middle (logic) tier : services user requests by presenting queries to the database; 3 data tier : database processing queries from the logic tier. CS327E SQL Injection Slideset: 19 SQL Injection

  20. Web Application Structure CS327E SQL Injection Slideset: 20 SQL Injection

  21. Accepting User Input Many web applications accept user input from online forms, search boxes, etc. The user is free to type in any ASCII text. The application interprets that text to generate an appropriate response. CS327E SQL Injection Slideset: 21 SQL Injection

  22. Simple SQLi Example Scenario 1: an online retailer provides an option to search for products of interest, including those less than a given price. E.g. to view all products of cost less than $100, the user inputs: Products: all Cost below: 100 In response, the interface produces URL: http : //www. dupe . com/ products . php? v a l =100 CS327E SQL Injection Slideset: 22 SQL Injection

  23. Simple SQLi Example In response, to this http request http : //www. dupe . com/ products . php? v a l =100 the middle layer code ( products.php ) generates a query to the data layer: SELECT ∗ FROM Products WHERE P r i c e < ’ 100 ’ ORDER BY P ro d u c tDe s c rip tio n ; CS327E SQL Injection Slideset: 23 SQL Injection

  24. Simple SQLi Example (Continued) But suppose the attacker types: Products: all Cost below: 100’ OR ’1’=’1 The system generates the following http request: http : //www. dupe . com/ products . php? v a l =100’ OR ’1 ’= ’1 CS327E SQL Injection Slideset: 24 SQL Injection

  25. Simple SQLi Example (Continued) A careless middle layer might produce this query for the data layer: SELECT ∗ FROM Products WHERE P r i c e < ’ 100 ’ OR ’ 1 ’=’ 1 ’ ORDER BY P ro d u c tDe s c rip tio n ; Now the user sees all products, not just those under $100. CS327E SQL Injection Slideset: 25 SQL Injection

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sampling from Databases CompSci 590.02 Instructor: AshwinMachanavajjhala Lecture 2 : 590.02

Sampling from Databases CompSci 590.02 Instructor: AshwinMachanavajjhala Lecture 2 : 590.02

Sampling from Databases CompSci 590.02 Instructor: AshwinMachanavajjhala Lecture 2 : 590.02 Spring 13 1 Recap Given a set of elements, random sampling when number of elements N is known is easy if you have random access to any arbitrary

1.03k views • 34 slides
Creating Databases and Tables Introduction to Databases in Python Creating Databases

Creating Databases and Tables Introduction to Databases in Python Creating Databases

INTRODUCTION TO DATABASES IN PYTHON Creating Databases and Tables Introduction to Databases in Python Creating Databases Varies by the database type Databases like PostgreSQL and MySQL have command line tools to initialize

878 views • 31 slides
Databases and PHP Accessing databases from PHP PHP &amp; Databases l PHP can connect to

Databases and PHP Accessing databases from PHP PHP &amp; Databases l PHP can connect to

Databases and PHP Accessing databases from PHP PHP &amp; Databases l PHP can connect to virtually any database l There are specific functions built-into PHP to connect with some DB l There is also generic ODBC functions that will work with many

868 views • 28 slides
Sampling from Databases CompSci 590.04 Instructor:

Sampling from Databases CompSci 590.04 Instructor:

Sampling from Databases CompSci 590.04 Instructor: AshwinMachanavajjhala Lecture 2 : 590.04 Fall 15 1 Recap Given a set of elements, random sampling

709 views • 34 slides
3. Text and document databases Normal databases: formatted records; document databases:

3. Text and document databases Normal databases: formatted records; document databases:

3. Text and document databases Normal databases: formatted records; document databases: free-form or semi-structured data (e.g. XML). Application areas: - Office automation, document archives - Digital libraries - Electronic dictionaries

741 views • 38 slides
Module 3: Creating and Managing Databases Overview Creating Databases Creating

Module 3: Creating and Managing Databases Overview Creating Databases Creating

Module 3: Creating and Managing Databases Overview Creating Databases Creating Filegroups Managing Databases Introduction to Data Structures Creating Databases Defining Databases How the Transaction Log Works

445 views • 18 slides
CSE 462 - Databases Oliver Kennedy okennedy@buffalo.edu 1 Why Study Databases? 2 3 3 2

CSE 462 - Databases Oliver Kennedy okennedy@buffalo.edu 1 Why Study Databases? 2 3 3 2

CSE 462 - Databases Oliver Kennedy okennedy@buffalo.edu 1 Why Study Databases? 2 3 3 2 Queries per Second 3 Interesting Problems Algorithms Systems Databases Hardware Theory 4 $$$ 8 of the top 10 Forbes Global 2000 Software &amp;

1.12k views • 73 slides
Introduc)on*to*Databases 1 Rela%onal(Databases(with(PostgreSQL

Introduc)on*to*Databases 1 Rela%onal(Databases(with(PostgreSQL

Introduc)on*to*Databases 1 Rela%onal(Databases(with(PostgreSQL Databases(have(tables(to(classify(data Collec3ons(have: rows :(data(defining(an(en3re(rectod,(e.g.(a(user columns

862 views • 25 slides
8.3 Mining Sequence Patterns in Transactional Databases 499 the items in s 2 , and so on. An item

8.3 Mining Sequence Patterns in Transactional Databases 499 the items in s 2 , and so on. An item

Chapter 8 Mining Stream, Time-Series, and Sequence Data 498 8.3 Mining Sequence Patterns in Transactional Databases A sequence database consists of sequences of ordered elements or events, recorded with or without a concrete notion of time. There

555 views • 31 slides
OF ELEMENTS -Rishi INTRODUCTION: There are 114 elements known at present and it is very

OF ELEMENTS -Rishi INTRODUCTION: There are 114 elements known at present and it is very

PERIODIC CLASSIFICATION OF ELEMENTS -Rishi INTRODUCTION: There are 114 elements known at present and it is very difficult to study the properties of all these elements separately. Around the year 1800, only 30 elements were known.

558 views • 24 slides
Streaming Algorithm: Filtering &amp; Coun4ng Dis4nct Elements

Streaming Algorithm: Filtering &amp; Coun4ng Dis4nct Elements

Streaming Algorithm: Filtering &amp; Coun4ng Dis4nct Elements CompSci 590.04 Instructor: AshwinMachanavajjhala Lecture 6 : 590.04 Fall 15 1 Streaming Databases

312 views • 27 slides
Introduction to Databases Introduction to Databases in Python A database consists of tables

Introduction to Databases Introduction to Databases in Python A database consists of tables

INTRODUCTION TO DATABASES IN PYTHON Introduction to Databases Introduction to Databases in Python A database consists of tables Census State_Fact state sex age pop2000 pop2008 name abbreviation type New F 0 120355 122194 New York

699 views • 27 slides
Streaming Algorithm: Filtering &amp; Counting Distinct Elements CompSci 590.02 Instructor:

Streaming Algorithm: Filtering &amp; Counting Distinct Elements CompSci 590.02 Instructor:

Streaming Algorithm: Filtering &amp; Counting Distinct Elements CompSci 590.02 Instructor: AshwinMachanavajjhala Lecture 6 : 590.02 Spring 13 1 Streaming Databases Continuous/Standing Queries: Every time a new data item enters the system,

478 views • 26 slides
I. Elements and bonds B. Bonds 1. Elements bond to make molecules 2. Each element can make a set

I. Elements and bonds B. Bonds 1. Elements bond to make molecules 2. Each element can make a set

1/25/20 I. Elements and bonds A. Elements L01: Chemistry of Life BIOL 153/L Black Hills State Univ. Ramseys 1. The periodic table 2. Primary elements of life C = Carbon H = Hydrogen N = Nitrogen O = Oxygen P = Phosphorous S = Sulfur

399 views • 16 slides
HUDOC databases: CPT and ESC Patrick Mller HUDOC databases: CPT and ESC HUDOC HUDOC = Human

HUDOC databases: CPT and ESC Patrick Mller HUDOC databases: CPT and ESC HUDOC HUDOC = Human

HUDOC databases: CPT and ESC Patrick Mller HUDOC databases: CPT and ESC HUDOC HUDOC = Human Rights DOCumentation HUDOC is more than ECHR case-law CPT and ESC databases existed, but were not very visible, and technically

371 views • 9 slides
1 2 What is covered in this presentation? A brief history of databases NoSQL WHY, WHAT

1 2 What is covered in this presentation? A brief history of databases NoSQL WHY, WHAT

1 2 What is covered in this presentation? A brief history of databases NoSQL WHY, WHAT &amp; WHEN? Characteristics of NoSQL databases Aggregate data models CAP theorem Ashwani Kumar 16 February 2018 NOSQL Databases 3

647 views • 31 slides
Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March

Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March

Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March 2010 Overview Actively manage incident handling Be ready BEFORE an incident Based on NIST SP800-61rev1 recommendation

466 views • 32 slides
CSU WHEAT BREEDING AND GENETICS PROGRAM CHALLENGES AND OPPORTUNITIES Scott D. Haley CSU Wheat

CSU WHEAT BREEDING AND GENETICS PROGRAM CHALLENGES AND OPPORTUNITIES Scott D. Haley CSU Wheat

CSU WHEAT BREEDING AND GENETICS PROGRAM CHALLENGES AND OPPORTUNITIES Scott D. Haley CSU Wheat Breeder Soil and Crop Sciences Department Colorado State University Fort Collins, Colorado wheat.colostate.edu Outline US Wheat Production

559 views • 31 slides
From Penetrate and Patch to Building Security In Michael Hicks Professor of Computer Science

From Penetrate and Patch to Building Security In Michael Hicks Professor of Computer Science

From Penetrate and Patch to Building Security In Michael Hicks Professor of Computer Science and the UofM Institute for Advanced Computer Studies (UMIACS) Distinguished Scholar-Teacher talk September 28, 2015 Security breaches Just a few:

898 views • 74 slides
PCI DSS 3.0 Changes &amp; Challenges EVAN FRANCEN, CISSP CISM PRESIDENT/CO-FOUNDER FRSECURE PCI

PCI DSS 3.0 Changes &amp; Challenges EVAN FRANCEN, CISSP CISM PRESIDENT/CO-FOUNDER FRSECURE PCI

PCI DSS 3.0 Changes &amp; Challenges EVAN FRANCEN, CISSP CISM PRESIDENT/CO-FOUNDER FRSECURE PCI DSS 3.0 Changes &amp; Challenges Topics FRSecure, the company Introduction to PCI-DSS Recent breaches Recent PCI-DSS changes

599 views • 25 slides
PCI: A Four-Letter Word of E-Commerce Presented by Matt Kleve (vordude) h t t p : / / w

PCI: A Four-Letter Word of E-Commerce Presented by Matt Kleve (vordude) h t t p : / / w

Commerce PCI: A Four-Letter Word of E-Commerce Presented by Matt Kleve (vordude) h t t p : / / w w w . f l i c k r . c o m / p h o t o s / s h a w n z l e a / 5 2 7 8 5 7 7 8 7 / W h o i s t

1.04k views • 79 slides
Eclipse Planning Efforts July 20, 2017 Updated: 8/15/2016 Purpose Provid ide Situ ituatio

Eclipse Planning Efforts July 20, 2017 Updated: 8/15/2016 Purpose Provid ide Situ ituatio

Eclipse Planning Efforts July 20, 2017 Updated: 8/15/2016 Purpose Provid ide Situ ituatio ional l Aware reness on th the Eclips lipse Over ervi view ew of the e States 2017 Sola lar Eclips lipse Coordin dinati tion Pla

928 views • 21 slides
P5 Outdoor Adventure Camp @ MOE Labrador Adventure Centre 16 18 January 2020 Thursday to

P5 Outdoor Adventure Camp @ MOE Labrador Adventure Centre 16 18 January 2020 Thursday to

P5 Outdoor Adventure Camp @ MOE Labrador Adventure Centre 16 18 January 2020 Thursday to Saturday Overview Camp Objectives Learning Outcomes Accommodation Safety Programme Overview Things to bring

746 views • 45 slides
TITLE It depends on what you mean by title p y y 2 WOULD YOU RUN WINDOWS ON YOUR

TITLE It depends on what you mean by title p y y 2 WOULD YOU RUN WINDOWS ON YOUR

TITLE It depends on what you mean by title p y y 2 WOULD YOU RUN WINDOWS ON YOUR GRANDMOTHERS PACEMAKER? Andrew S. Tanenbaum Vrije Universiteit Amsterdam 3 LINUX IS STILL OBSOLETE Andrew S. Tanenbaum Vrije Universiteit

1.29k views • 83 slides

More recommend