Winter 2013 ICT Educator Conference - Hands-on SQL Injection Attack and Defense


Description

"Hands-on SQL Injection Attack and Defense"

Sam Bowne
Instructor
CCSF
-------------------------------------------------------------------------------------------------
What are your obligations to protect data, and when have you been breached? These are not simple questions to answer--a falsely reported data breach at CCSF caused an international scandal in Jan. 2012.

After explaining what a data breach is, I will present an analysis of a recent major attack that breached dozens of companies. I will explain the hashing techniques they used and what they should have used instead.

Conclusion: almost every website is endangering users with poor hashing.

I will explain what happened at CCSF to convince our ex-CTO that we had been breached, and how this incident was spectacularly mishandled to create pointless fear and scandal.

Then I will show stolen data from several companies and compare their password storage systems, which are representative of modern website security techniques.

The techniques used include:
 Plaintext storage
 Unsalted MD5
 Unsalted SHA-1
 Salted hashes

All these techniques are obsolete and provide almost no protection. The correct technique is to use iterated hashing to slow attacks, with 5000 or more rounds, as implemented in bcrypt and PBKDF2.

Unfortunately, almost no one is using those techniques. Instead, almost every website you use is foolishly endangering users for no good reason.
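To make the comparison above concrete, here is an added example (not material from the talk or from CCSF) that stores the same password for two constructed users under unsalted MD5, salted single-round SHA-1, and salted PBKDF2 with many rounds. It assumes a self-describing `algorithm$rounds$salt$digest` record format and a 100,000-round work factor; both are choices made for this example, not values from the talk.

```python
import hashlib
import hmac
import os

# Constructed sample credentials: two users who chose the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}

# Obsolete scheme from the talk: unsalted MD5. Equal passwords give equal
# digests, so one precomputed table breaks every account at once.
def unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Obsolete scheme: per-user salt with a single round of SHA-1. The salt
# stops precomputed tables, but one round is still cheap to brute-force.
def salted_sha1(password: str, salt: bytes) -> str:
    return hashlib.sha1(salt + password.encode()).hexdigest()

# Recommended scheme: iterated hashing (PBKDF2-HMAC-SHA256) with a random salt.
ROUNDS = 100_000  # assumption for this example; well above the 5000 floor

def pbkdf2_store(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    # Self-describing record so the work factor can be raised later.
    return f"pbkdf2_sha256${ROUNDS}${salt.hex()}${digest.hex()}"

def pbkdf2_verify(password: str, record: str) -> bool:
    algo, rounds, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    got = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(salt_hex), int(rounds))
    # Constant-time comparison so a mismatch does not leak digest bytes.
    return hmac.compare_digest(got, bytes.fromhex(digest_hex))

def compare_schemes() -> dict:
    """Report whether alice's and bob's stored values collide per scheme."""
    md5s = {u: unsalted_md5(p) for u, p in USERS.items()}
    sha1s = {u: salted_sha1(p, os.urandom(8)) for u, p in USERS.items()}
    kdfs = {u: pbkdf2_store(p) for u, p in USERS.items()}
    return {
        "unsalted_md5_collides": md5s["alice"] == md5s["bob"],
        "salted_sha1_collides": sha1s["alice"] == sha1s["bob"],
        "pbkdf2_collides": kdfs["alice"] == kdfs["bob"],
    }

if __name__ == "__main__":
    print(compare_schemes())
```

Only the unsalted scheme reveals that the two users share a password; the salted schemes differ per user, and only PBKDF2 also makes each guess expensive.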