This talk will address a fundamental challenge in information security: Authentication, or how to establish trust between a user and their collection of devices and internet services.
I will start by describing the current state of play: a regular user typically has at least one computer and a smartphone; each individual is then subscribed to tens or sometimes hundreds of Internet services which are accessed using these devices. Even these services are interconnected with trust relations, such as email accounts that receive password reset tokens. Some of these relations are not so obvious...
The complexity of this arrangement is rising so fast that it's getting harder for end users (even power users) to cope with all of its security implications. Most users will not have any strategy to manage their security, using the same password for all services and devices; but even most power users such as infosec professionals make mistakes that can be exploited.
I will illustrate the current scenario with a dissection of the Mat Honan hack and my own experience mapping the interconnections between my own devices and services.
I will then attempt to provide a strategy to schematize and improve the level of trust between users and devices / services, analysing ad-hoc strategies used by power users and providing the tools to create a personal strategy.
Finally I'll look into the future of authentication, and what this Tangled Web might bring us: mutual authentication between devices, the future of two-factor, the role of social networks, location-based authentication, behaviour-based trust, trust federation.
SSL was developed in 1994 to secure communications between web browsers and servers. It uses public key cryptography and X.509 certificates to authenticate peers and encrypt data in transit. However, the current public key infrastructure (PKI) model that underpins SSL has several flaws, including being controlled by a small number of certificate authorities, making it vulnerable to hacks and insider threats. Some propose decentralizing trust decisions so that individuals, rather than centralized authorities, ultimately determine what is trusted. Others are working on alternative approaches like certificate pinning to avoid relying solely on the existing PKI model. Overall, there is recognition that the current system for establishing trust in SSL/TLS needs improvement.
This document discusses web security from an auditor's perspective. It covers several security countermeasures and their effectiveness, including defences against SQL injection and cross-site scripting (XSS), and virtual keyboards. Regarding SQL injection, the document states that prevention is relatively easy through parameterized queries and that developers are winning the battle for eradication. For XSS, the document argues the battle is being lost unless the root cause, mixing code and data, is addressed, which is difficult without protocol changes. Virtual keyboards are deemed an obsolete solution that fails to mitigate current threats and gives a false sense of security. The rise of social media also poses new security challenges.
How to Hijack a Pizza Delivery Robot with Injection Flaws (Security Innovation)
Welcome to the lighter side of the software security world!
We’ll explain complex topics like injection flaws, configuration errors, and parameter tampering with real-world analogies, like breaking into your house through your shed, or sneaking into a Coldplay concert using a reflective yellow vest, a walkie talkie toy, and your bravado. If you’ve ever struggled to remember exactly how these issues work or struggled to explain them to someone outside of the security field, this presentation will help (and probably make you laugh).
Topics covered include:
- Injection Flaws
- XSS
- SQL Injection
- Broken Authentication
- Privilege Escalation
- Information Disclosure
- Parameter Tampering
- Configuration Errors
This webinar is ideal for anyone who wants to understand core Application Security concepts so they can apply risk mitigation strategies with better context.
Weaknesses in authentication and encryption across many systems allowed significant security flaws to emerge in 2008, including issues with DNS, SSL, and SNMPv3. These flaws occurred because critical systems like DNS, which underlie authentication in many other areas, cannot reliably authenticate responses. Fixing these problems was challenging due to dependencies between systems and the complexity of coordinating updates. The speaker argues that securing DNS could help address authentication issues in linked systems by providing a secure, scalable place to publish cryptographic keys and other authentication data.
This document summarizes Dan Kaminsky's talk on rethinking web defense. Some key points:
1) Common web vulnerabilities like XSS and XSRF persist due to how difficult it is for developers to implement defenses like randomized tokens in a way that doesn't break other aspects of a site.
2) Web security solutions often ignore other engineering requirements around performance, compatibility, reliability and usability, making them difficult and expensive to implement.
3) Kaminsky argues the security community needs to develop defenses that meet all engineering requirements and don't break the web, rather than just criticizing developers. A secure session context could help prevent entire classes of vulnerabilities.
Peter Wood is the founder and CEO of First Base Technologies LLP, an information security firm. He has over 45 years of experience in engineering, IT, and information security. The document discusses how red team exercises can help organizations test their security defenses by simulating how attackers might target their cloud environments and users. It provides examples of how attackers could conduct reconnaissance, planning, and social engineering spear phishing attacks to trick users into providing credentials that give access to sensitive systems and data. The document emphasizes the importance of security awareness training for users and moving away from single-factor authentication.
- The speaker is known as 'isox', a web penetration tester and CISO who will discuss strategies for finding and reporting security vulnerabilities as part of a bug bounty program.
- They describe disparate hacking groups as "hungry nomads" using common techniques to attack targets, like a "castle with gold" that offers payments for successful attacks.
- The speaker analyzes vulnerabilities like weak authentication, lack of input validation, and failure to properly secure APIs. They emphasize automating testing and sharing knowledge rather than relying on public exploits.
- Overall, the discussion encourages an ethical approach to vulnerability research for commercial bug bounty programs. The speaker advocates thoroughly investigating targets, creatively developing custom test cases,
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme... (Jason Hong)
We introduce UniAuth, a set of mechanisms for streamlining authentication to devices and web services. With UniAuth, a user first authenticates himself to his UniAuth client, typically his smartphone or wearable device. His client can then authenticate to other services on his behalf. In this paper, we focus on exploring the user experiences with an early iPhone prototype called Knock x Knock. To manage a variety of accounts securely in a usable way, Knock x Knock incorporates features not supported in existing password managers, such as tiered and location-aware lock control, authentication to laptops via knocking, and storing credentials locally while working with laptops seamlessly. In two field studies, 19 participants used Knock x Knock for one to three weeks with their own devices and accounts. Our participants were highly positive about Knock x Knock, demonstrating the desirability of our approach. We also discuss interesting edge cases and design implications.
Talk on threats to database security. The title is, of course, deadly serious. Wile E. Coyote & other experts on correctness & security are enlisted to help make key points.
httpscreenshot is a tool developed internally over the past year and a half. It has become one of our go-to tools for the reconnaissance phase of every penetration test. The tool takes a list of addresses, domains and URLs, visits each in a browser, parses SSL certificates to add new hosts, and captures a screenshot and the HTML of the browser instance. Similar tools exist, but none met our needs with regard to speed (threaded), features (JavaScript support, SSL auto-detection and certificate scraping), and reliability.
The cluster portion of the tool will go through and group "similar" websites together, where "similar" is determined by a fuzzy matching metric.
This tool can be used by both blue and red teams. The blue teams can use this tool to quickly create an inventory of applications and devices they have running in their environments. This inventory will allow them to quickly see if there is anything running in their environment that they may not know about which should be secured or in many cases removed.
The red teams can use this tool to quickly create the same inventory as part of our reconnaissance, which is often very effective in identifying potential target assets.
The document discusses security as an ongoing process rather than a feature or checklist. It emphasizes that security requires thinking like a paranoid person and acknowledging that systems will eventually be hacked. The document provides steps to take such as knowing your data, users, and laws; making good security decisions; documenting everything; and practicing security processes. It also gives best practices for different security layers like input validation, authentication, authorization, and more. The overall message is that security requires constant attention and effort from all parties.
Christopher Grayson discusses authentication, passwords, how to break password-based authentication schemes, and lastly introduces LavaPasswordFactory.
LavaPasswordFactory is a password list generation tool that also contains functionality for cleaning password lists based on password policies.
This document discusses ransomware and its future impact. It begins with an introduction to the speaker, Peter Wood, and his background. It then provides definitions of ransomware, discusses its growing scale and impact on businesses. It outlines how ransomware infects systems and evolves its methods. Specifically, it discusses the evolution of targeted ransomware like Samas that aims to encrypt entire networks of large organizations. Finally, it discusses defenses against ransomware including regular backups, patching, and education along with the risks of paying ransom demands.
Security Compensation - How to Invest in Start-Up Security (Christopher Grayson)
If you can offload security functions to secure third party services, do so. Start security practices as soon as possible to avoid issues later. Some key security practices for startups include implementing least privilege for user accounts, hardening web browsers, using strong authentication and password management, securely configuring applications and services, and establishing processes for provisioning and revoking employee access.
Cookies stored by web browsers can be easily stolen, as most browsers store them in plaintext. Popular browsers like Firefox store cookies in SQLite databases, Internet Explorer in text files, and Opera and Safari in custom binary formats - all of which can be read easily by tools or code. Chromium encrypts cookies on Windows, Mac, and Linux, but cookies can still be decrypted on Linux. Physical access, social engineering, malware, and other attacks can steal browser cookies. Defenses include disk encryption, application firewalls, SELinux, and a master password for cookies.
This document discusses T. Rob Wyatt and his work on improving security and building the Internet of Things. It proposes an alternative model for connecting IoT devices that focuses on local connectivity and data ownership rather than requiring devices to connect through proprietary vendor networks. The model emphasizes local functionality, interoperability across devices, and giving users control over their own data.
The document discusses a presentation given by Andrew Kozma on using BackTrack Linux and other tools for penetration testing. It begins by introducing Kozma and his interests in infosec, BackTrack, and Bruce Lee. It then outlines the phases of a penetration test including reconnaissance, vulnerability analysis, exploitation, and reporting. The presentation demonstrates using tools like Recon-ng and the Social Engineering Toolkit to gather intelligence on a target and conduct client-side attacks using malicious websites and Java applets to gain remote access. It discusses using Metasploit payloads and maintaining persistence on compromised systems. The presentation emphasizes the importance of security awareness and defense.
A talk about the importance of Web security, tailored towards IT people of local municipalities.
This was an invited talk at the information day on online security for the municipalities of Flemish Brabant (Belgium).
This talk will introduce Zero-Knowledge Proofs (ZKPs) and explain why they are a key element in a growing number of privacy-preserving, digital-identity platforms. Clare will provide basic illustrations of ZKPs and leave the necessary mathematics foundations to the readers.
After this talk you will understand that there is a variety of ZKPs, it’s still early days, and why ZKP is such a perfect tool for digital identity platforms. This talk includes significant updates from the newly-organized ZKProof Standardization organization plus a signal of maturity: one of the first known ZKP vulnerabilities.
Clare will explain why ZKPs are so powerful, and why they are building blocks for a range of applications including privacy-preserving cryptocurrency such as Zcash, Ethereum, Artificial Intelligence, and older versions of Trusted Platform Modules (TPMs). The presentation includes many backup slides for future learning and researching, including four slides of references.
This document discusses emerging security threats in an increasingly connected world. It outlines how technologies in homes, vehicles, and workplaces are becoming more connected and integrated with networked devices and services. This brings new conveniences but also creates new security vulnerabilities and potential threats. Examples discussed include ransomware targeting smart home appliances, hacking in-vehicle infotainment systems to endanger drivers, and exploiting wireless docking stations to perform DMA attacks at offices. The presenters recommend practicing good security hygiene like keeping systems patched and monitoring for indicators of compromise, as well as designing new connected devices with security compromises in mind from the start.
Threat Hunting, Detection, and Incident Response in the Cloud (Ben Johnson)
SaaS and IaaS are new frontiers for a lot of security teams. We'll explore some thoughts on how you might approach these areas of your environment from a hunting or IR perspective. This was from a SANS webinar on 2019-09-25.
Technology in a global society presentation (delmount)
This document discusses cyber security and the need for protection. It notes that while only 6 security incidents were reported in 1988, that number rose dramatically to over 34,000 incidents reported between the first and third quarters of 2010 alone. Common types of security measures like passwords and antivirus software, and dealing with social engineering threats, are discussed. The document also provides tips on creating strong passwords and explains why antivirus software is necessary given the enormous rise in viruses, malware, and other online threats. It concludes by discussing some notable cyber attacks and questioning whether we will ever achieve 100% security online.
Matt Nelson, SpecterOps
A persistent "enlightened" attacker will invest the required resources to bypass any and all security features that might stand between them and their objective, regardless of whether these features are guaranteed to be serviced as security boundaries or not. This includes researching and developing attacks against Windows security features that may impose a hurdle in their attack chain. This talk will outline recent research into features such as User Account Control (UAC), the Antimalware Scan Interface (AMSI) and Device Guard, and how these bypasses are useful to attackers in an operational context.
Some examples include:
UAC: If an attacker compromises a user that is running as a split-token administrator, bypassing UAC is required in order to perform any administrative actions; such as dumping credentials from memory.
AMSI: With in-memory attacks becoming more prevalent via scripting languages, AMSI is the next logical step to facilitate detection. An attacker will need to bypass AMSI in order to safely operate in memory when using PowerShell, VBScript, or JScript.
Device Guard: As organizations begin to consider whitelisting solutions, an attacker is required to adapt and develop a bypass to these technologies. One such solution is Device Guard, which can be used to heavily restrict what is allowed to execute on the system. In order to accomplish their objective, an attacker would need to bypass User Mode Code Integrity (UMCI). Such research can find novel ways to execute code in ways that are not likely to be detected.
I will also cover some of the fixes that have been implemented in newer versions of the Windows Operating System. Fixing these bypasses will not only make Windows safer, but it will begin to disrupt attackers by raising the cost associated with successfully executing an attack.
The Internet of Insecure Things: 10 Most Wanted List (Security Weekly)
The document discusses security issues with internet-connected embedded devices, known as the "Internet of Things". It outlines several vulnerabilities that have already been exploited, including devices being used to mine cryptocurrency or launch DDoS attacks without owner permission. Specific examples are given of vulnerabilities in D-Link routers, including backdoors, default credentials, buffer overflows and cross-site request forgery issues that can allow full device compromise. The document argues that many other device types like medical equipment and industrial controls face similar insecurity risks if not properly secured.
How to Protect Yourself From Heartbleed Security Flaw (ConnectSafely)
This document provides tips on how to protect yourself from the Heartbleed security flaw. It advises users to check if sites they visit are vulnerable, change passwords once sites are confirmed not vulnerable, monitor accounts for suspicious activity, use strong and unique passwords at least 8 characters with numbers, symbols and capital letters, consider two-factor authentication, avoid phishing scams, and use a password manager for strong randomly generated passwords.
Most IT professionals, including those who work in security, have only basic notions of asymmetric cryptography. Most of us know how to use the various algorithms, but do not know how they operate. In this talk I intend to discuss these algorithms in a bit more detail, in particular RSA. I will talk about practical applications of asymmetric cryptography (from SSL, through the PlayStation 3, to the Cartão do Cidadão), limitations of the algorithms, attacks against them, and recently disclosed implementation flaws. The main goal of this talk is to demystify this "sacred cow" that is asymmetric cryptography, showing that it is not a panacea: it too has flaws and limitations.
The document describes three stories of forensic investigations carried out by the author. The first story involves a compromised server that was distributing pirated content. The second involves investigations of banking customers' systems to determine whether they were victims of fraud. The third involves a compromised website that was redirecting users to malicious sites.
IBWAS 2010: Web Security From an Auditor's Standpoint (Luis Grangeia)
In this talk I will attempt to share my experience of over 10 years conducting Web application security assessments. I will present the current panorama of Web application security practices and talk about what we are doing well and how we can do better. Also, Web 2.0 has sparked a "social revolution" of the Web; how can security benefit from that revolution?
Presented at https://www.owasp.org/index.php/OWASP_IBWAS10
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...Jason Hong
We introduce UniAuth, a set of mechanisms for streamlining authentication to devices and web services. With UniAuth, a user first authenticates himself to his UniAuth client, typically his smartphone or wearable device. His client can then authenticate to other services on his behalf. In this paper, we focus on exploring the user experiences with an early iPhone prototype called Knock x Knock. To manage a variety of accounts securely in a usable way, Knock x Knock incorporates features not supported in existing password managers, such as tiered and location-aware lock control, authentication to laptops via knocking, and storing credentials locally while working with laptops seamlessly. In two field studies, 19 participants used Knock x Knock for one to three weeks with their own devices and accounts. Our participants were highly positive about Knock x Knock, demonstrating the desirability of our approach. We also discuss interesting edge cases and design implications.
Talk on threats to database security. The title is, of course, deadly serious. Wile E. Coyote & other experts on correctness & security are enlisted to help make key points.
httpscreenshot is a tool developed internally over the past year and a half. It has become one of our go to tools for the reconnaissance phase of every penetration test. The tool itself takes a list of addresses, domains, URLs, and visits each in a browser, parses SSL certificates to add new hosts, and captures a screenshot/HTML of the browser instance. Similar tools exist but none met our needs with regards to speed (threaded), features (JavaScript support, SSL auto detection and certificate scraping), and reliability.
The cluster portion of the tool will go through and group "similar" websites together, where "similar" is determined by a fuzzy matching metric.
This tool can be used by both blue and red teams. The blue teams can use this tool to quickly create an inventory of applications and devices they have running in their environments. This inventory will allow them to quickly see if there is anything running in their environment that they may not know about which should be secured or in many cases removed.
The red teams can use this tool to quickly create the same inventory as part of our reconnaissance, which is often very effective in identifying potential target assets.
The document discusses security as an ongoing process rather than a feature or checklist. It emphasizes that security requires thinking like a paranoid person and acknowledging that systems will eventually be hacked. The document provides steps to take such as knowing your data, users, and laws; making good security decisions; documenting everything; and practicing security processes. It also gives best practices for different security layers like input validation, authentication, authorization, and more. The overall message is that security requires constant attention and effort from all parties.
Christopher Grayson discusses authentication, passwords, how to break password-based authentication schemes, and lastly introduces LavaPasswordFactory.
LavaPasswordFactory is a password list generation tool that also contains functionality for cleaning password lists based on password policies.
This document discusses ransomware and its future impact. It begins with an introduction to the speaker, Peter Wood, and his background. It then provides definitions of ransomware, discusses its growing scale and impact on businesses. It outlines how ransomware infects systems and evolves its methods. Specifically, it discusses the evolution of targeted ransomware like Samas that aims to encrypt entire networks of large organizations. Finally, it discusses defenses against ransomware including regular backups, patching, and education along with the risks of paying ransom demands.
Security Compensation - How to Invest in Start-Up SecurityChristopher Grayson
If you can offload security functions to secure third party services, do so. Start security practices as soon as possible to avoid issues later. Some key security practices for startups include implementing least privilege for user accounts, hardening web browsers, using strong authentication and password management, securely configuring applications and services, and establishing processes for provisioning and revoking employee access.
Cookies stored by web browsers can be easily stolen, as most browsers store them in plaintext. Popular browsers like Firefox store cookies in SQLite databases, Internet Explorer in text files, and Opera and Safari in custom binary formats - all of which can be read easily by tools or code. Chromium encrypts cookies on Windows, Mac, and Linux, but cookies can still be decrypted on Linux. Physical access, social engineering, malware, and other attacks can steal browser cookies. Defenses include disk encryption, application firewalls, SELinux, and a master password for cookies.
This document discusses T. Rob Wyatt and his work on improving security and building the Internet of Things. It proposes an alternative model for connecting IoT devices that focuses on local connectivity and data ownership rather than requiring devices to connect through proprietary vendor networks. The model emphasizes local functionality, interoperability across devices, and giving users control over their own data.
The document discusses a presentation given by Andrew Kozma on using BackTrack Linux and other tools for penetration testing. It begins by introducing Kozma and his interests in infosec, BackTrack, and Bruce Lee. It then outlines the phases of a penetration test including reconnaissance, vulnerability analysis, exploitation, and reporting. The presentation demonstrates using tools like Recon-ng and the Social Engineering Toolkit to gather intelligence on a target and conduct client-side attacks using malicious websites and Java applets to gain remote access. It discusses using Metasploit payloads and maintaining persistence on compromised systems. The presentation emphasizes the importance of security awareness and defense.
A talk about the importance of Web security, tailored towards IT people of local municipalities.
This was an invited talk at the information day on online security for the municipalities of Flemish Brabant (Belgium).
This talk will introduce Zero-Knowledge Proofs (ZKPs) and explain why they are a key element in a growing number of privacy-preserving, digital-identity platforms. Clare will provide basic illustrations of ZKPs and leave the necessary mathematics foundations to the readers.
After this talk you will understand that there is a variety of ZKPs, it’s still early days, and why ZKP is such a perfect tool for digital identity platforms. This talk includes significant updates from the newly-organized ZKProof Standardization organization plus a signal of maturity: one of the first known ZKP vulnerabilities.
Clare will explain why ZKPs are so powerful, and why they are building blocks for a range of applications including privacy-preserving cryptocurrency such as Zcash, Ethereum, Artificial Intelligence, and older versions of Trusted Platform Modules (TPMs). The presentation includes many backup slides for future learning and researching, including four slides of references.
This document discusses emerging security threats in an increasingly connected world. It outlines how technologies in homes, vehicles, and workplaces are becoming more connected and integrated with networked devices and services. This brings new conveniences but also creates new security vulnerabilities and potential threats. Examples discussed include ransomware targeting smart home appliances, hacking in-vehicle infotainment systems to endanger drivers, and exploiting wireless docking stations to perform DMA attacks at offices. The presenters recommend practicing good security hygiene like keeping systems patched and monitoring for indicators of compromise, as well as designing new connected devices with security compromises in mind from the start.
Threat Hunting, Detection, and Incident Response in the Cloud - Ben Johnson
SaaS and IaaS are new frontiers for a lot of security teams. We'll explore some thoughts at how you might approach some of these areas of your environment from a hunting or IR perspective. This was from a Sans webinar on 2019-09-25.
Technology in a global society presentation - delmount
This document discusses cyber security and the need for protection. It notes that while there were only 6 security incidents reported in 1988, that number rose dramatically to over 34,000 incidents reported between the first and third quarters of 2010 alone. Common types of security like passwords, antivirus software, and dealing with social engineering threats are discussed. The document also provides tips on creating strong passwords and explains why antivirus software is necessary given the enormous rise in viruses, malware, and other online threats. It concludes by discussing some notable cyber attacks and questioning whether we will ever achieve 100% security online.
Matt Nelson, SpecterOps
A persistent "enlightened" attacker will invest the required resources to bypass any and all security features that might stand between them and their objective, regardless if these features are guaranteed to be serviced as security boundaries or not. This includes researching and developing attacks against Windows security features that may impose a hurdle in their attack chain. This talk will outline recent research into features such as User Account Control (UAC), the Antimalware Scan Interface (AMSI) and Device Guard and how these bypasses are useful to attackers in an operational context.
Some examples include:
UAC: If an attacker compromises a user that is running as a split-token administrator, bypassing UAC is required in order to perform any administrative action, such as dumping credentials from memory.
AMSI: With in-memory attacks becoming more prevalent via scripting languages, AMSI is the next logical step to facilitate detection. An attacker will need to bypass AMSI in order to safely operate in memory when using PowerShell, VBScript, or JScript.
Device Guard: As organizations begin to consider whitelisting solutions, an attacker is required to adapt and develop a bypass to these technologies. One such solution is Device Guard, which can be used to heavily restrict what is allowed to execute on the system. In order to accomplish their objective, an attacker would need to bypass User Mode Code Integrity (UMCI). Such research can find novel ways to execute code in ways that are not likely to be detected.
I will also cover some of the fixes that have been implemented in newer versions of the Windows Operating System. Fixing these bypasses will not only make Windows safer, but it will begin to disrupt attackers by raising the cost associated with successfully executing an attack.
The Internet of Insecure Things: 10 Most Wanted List - Security Weekly
The document discusses security issues with internet-connected embedded devices, known as the "Internet of Things". It outlines several vulnerabilities that have already been exploited, including devices being used to mine cryptocurrency or launch DDoS attacks without owner permission. Specific examples are given of vulnerabilities in D-Link routers, including backdoors, default credentials, buffer overflows and cross-site request forgery issues that can allow full device compromise. The document argues that many other device types like medical equipment and industrial controls face similar insecurity risks if not properly secured.
How to Protect Yourself From Heartbleed Security Flaw - ConnectSafely
This document provides tips on how to protect yourself from the Heartbleed security flaw. It advises users to check if sites they visit are vulnerable, change passwords once sites are confirmed not vulnerable, monitor accounts for suspicious activity, use strong, unique passwords of at least 8 characters with numbers, symbols and capital letters, consider two-factor authentication, avoid phishing scams, and use a password manager for strong, randomly generated passwords.
Most IT people, including those who work in security, have only basic notions of asymmetric cryptography. Most of us know how to use the various algorithms but do not know how they operate. In this talk I intend to go into a bit more detail on these algorithms, in particular RSA. I will cover practical applications of asymmetric cryptography (from SSL, through the PlayStation 3, to the Cartão do Cidadão), limitations of the algorithms, attacks on them and recently disclosed implementation flaws. The main goal of this talk is to demystify the "sacred cow" that asymmetric cryptography has become, showing that it is not a panacea: it too has flaws and limitations.
The document describes three stories of forensic investigations carried out by the author. The first story involves a compromised server that was distributing pirated content. The second involves investigations of bank customers' systems to determine whether they had been victims of fraud. The third involves a compromised website that was redirecting users to malicious sites.
IBWAS 2010: Web Security From an Auditor's Standpoint - Luis Grangeia
In this talk I will attempt to share my experience of over 10 years conducting Web application security assessments. I will present the current panorama of Web application security practices and talk about what we are doing well and how we can do better. Also, Web 2.0 has sparked a "social revolution" of the Web; how can security benefit from that revolution?
Presented at https://www.owasp.org/index.php/OWASP_IBWAS10
Reverse Engineering the TomTom Runner pt. 1 - Luis Grangeia
A hacker likes computers for the same reason that a child likes legos: both allow the creation of something new. However the growing trend has been to 'close up' general purpose computing into devices that serve a narrow purpose. It's been happening with games consoles, routers, smartphones, smart TV's and more recently, smartwatches. A hacker will face this trend as an additional challenge and will be even more motivated to gain control over the device.
This talk is a journey to the world of 'reverse engineering' of a device of the "Internet of Things", in this case a Tomtom Runner sports watch. The author has little previous experience in reverse engineering of embedded systems, so the talk aims to serve as an introduction to this topic, what motivations and what kind of approaches may be tried.
Presented in September 2015 at "Confraria de Segurança da Informação" in Lisbon
Confraria Security And IT - End Point Security - Luis Grangeia
The document discusses endpoint security and how operating systems are becoming more restrictive in order to protect users. Models such as those of smartphones are gaining popularity, limiting what users can do and sandboxing applications. This brings more security, but also costs in terms of control and dependence on the vendor.
Reverse Engineering the TomTom Runner pt. 2 - Luis Grangeia
Second presentation of my research into reverse engineering a TomTom Runner GPS watch. In this I explain how I got running code inside an unfamiliar device and proceeded to bypass its security measures and extract firmware keys and code from the device.
More details on my personal blog, at http://grangeia.io
Presented in October 2015 at "Confraria de Segurança da Informação" in Lisbon
New attack vectors for heartbleed: Enterprise wireless (and wired) networks.
This talk exposes a relatively obscure use of the heartbleed flaw: exploiting EAP-PEAP | EAP-TLS | EAP-TTLS network authentication protocols.
Update (02-06-2014): This blog post gives more details and contains links to the cupid patch.
http://www.sysvalue.com/heartbleed-cupid-wireless/
Securing and Safeguarding Your Library Setup - Brian Pichman
We will explore various tools, techniques, & procedures to ensure our environment's safety & security. Leave with a list of ideas you can use today within your library.
CyberSecurity - Computers In Libraries 2024 - Brian Pichman
Protecting privacy and security while leveraging technology to accomplish positive change is becoming a serious challenge for individuals, communities, and businesses. This workshop, led by expert leaders and practitioners, covers personal and organizational privacy as well as top security issues for libraries and their communities, especially the implications of AI. If you don’t have a security plan in place, are unsure of where to even start to make sure your library is secure, or have an existing plan in place but want to cross your T’s and dot your I’s, come to this interactive workshop.
Cybersecurity - Defense Against The Dark Arts Harry Potter Style - Brian Pichman
Step right into a realm where cyber security meets the enchanting world of Harry Potter! Join Brian Pichman, our fearless Defense Against the Dark Arts wizard, as he unveils the secrets to safeguarding our digital realms. Prepare to be captivated as Brian illuminates the spellbinding techniques of encryption, firewalls, and intrusion detection, equipping us to fortify our cherished data against the sinister forces of the digital realm.
But beware! Just like in the magical world, treacherous adversaries prowl the shadows. Brian will expose the dark arts of phishing, ransomware, and social engineering, empowering us to defend our digital castles. Engrossed in tales of peril and armed with ancient cyber security spells, this captivating presentation promises to leave you spellbound and ready to protect yourself in this ever-evolving landscape. So grab your wands and brace yourselves as Brian Pichman conjures a shield of protection, ensuring the safety of our digital realms against the forces of darkness. Together, we shall prevail in this journey of cyber security and magic.
Creating a digital toolkit for users: How to teach our users how to limit the... - Justin Denton
Ever wonder what you should or shouldn't share on the internet? Do you see users who post everything they possibly can on the internet and wonder how to help educate them to protect themselves?
All of this collective sharing creates a data gold mine for hackers to do their evil bidding. In this session we will talk about what to post on the internet and what not to. We will also look into what hackers can use from the information you've posted on the internet and how they can use it to gain access to your and your users' personal lives, accounts, credit cards, and more. During this session, we'll dive into building a strategy plan to help limit and hopefully eliminate these references from your digital footprint, to help ensure you are more secure than you were when you first started this session.
By the end of this webinar, attendees will have a virtual toolkit and strategies to help educate users on protecting themselves while online.
The slideshow accompanied a TechTalk on Social Media: Coping with the Risks presented on Thursday, March 28, 2019, by Jonathan Bacon for the Johnson County Community College Retirees Association.
Session Description: Communication between family and friends today typically includes the use of social media. Any involvement with social media includes risks that threaten your privacy and personal finances. Yet involvement is hard to avoid since we all rely on texts, email, Facebook and other online communications for personal, professional and financial activities. In this session, we’ll discuss the risks, online etiquette, defensive behaviors and other solutions to the online threats we all face.
Nicholas Davis gave a presentation on information security in healthcare environments. He discussed HIPAA obligations to protect patient information including confidentiality, integrity and availability. He described common types of controls like technical and administrative controls and ways information can leak, such as through printers or unprotected trash bins. He warned of social engineering threats like pretexting and phishing scams that try to trick users into revealing sensitive information. He provided tips for strong passwords and protecting devices and networks from malware. The talk emphasized the importance of both technical security measures and educating users to identify and avoid social engineering attempts.
Ever wonder, "how can I make my home internet more secure" or "how can I make sure my kids are safely browsing the internet"? Join this cat meme filled presentation on how to secure your home's internet; everything from securing your wireless network to tools that you can use to help keep you and your family safe while surfing the web.
This document provides tips for improving mobile security and avoiding common threats. It discusses how smartphones and tablets have become ubiquitous, yet many users are unaware of security risks like malware, phishing scams, and unsecured wireless connections. The document outlines three main categories of threats - email/communication, malware, and phishing. It provides specific safety guidelines, such as disabling unnecessary wireless services, using app ratings to identify trustworthy software, avoiding suspicious email attachments and links, and promptly changing passwords if a device is compromised. The overall message is that mobility benefits from an informed approach and sense of responsibility regarding digital safety.
Securing & Safeguarding Your Library Setup.pptx - Brian Pichman
With all the things that go "bump" in the night, nothing worries administrators and even end users more than a security incident. This webinar will focus on building an understanding of IT Security and the tools that can help mitigate risk. Moreover, attendees will leave with a clear understanding of general informational security terms and processes that they can implement in their library same day to help safeguard and better protect their infrastructure and data. Brian Pichman of the Evolve Project will lead us through putting together components for a Security and Risk Plan and how to properly respond to threats and attacks.
How To Keep the Grinch From Ruining Your Cyber Monday - Michele Chubirka
Ready to avoid crowded stores and online scammers during the holidays? Join Michele Chubirka as she goes through:
- Tips for safe online shopping and securing your banking information
- Protecting yourself from internet scams, phishing and fraud
- Safeguarding your personal information against identity theft
- How to use anti-virus and other security software to keep your digital information safe.
This document discusses cyber security issues facing government offices in India and provides recommendations. It notes that over 14,000 Indian sites were hacked in one year, banks lost money to cyber criminals, and personal data has been leaked from breaches. Proper precautions are recommended like using strong passwords, two-factor authentication, privacy settings, and firewalls. Government offices should maximize security by properly configuring firewalls and operating systems, installing essential secure software and certificates, and monitoring network activity.
This talk is a summarized view of the various other talks in my profile. It was given to TACOM HQ LCMC as part of the "Our Shared Responsibility" initiative.
This is a good topical overview with some technical information.
Cyber Security Awareness Session for Executives and Non-IT professionals - Krishna Srikanth Manda
Cyber Security Awareness Session conducted by Lightracers Consulting, for Management and non-IT employees. In this learning presentation, we will look at - What is Cyber Crime, Types of Cyber crime, What is Cyber Security, Types of Threats, Social Engineering techniques, Identifying legitimate and secure websites, Protection measures, Cyber Law in India followed by a small quiz.
2016 Secure World Expo - Security Awareness - Pedro Serrano
The document provides tips for employees on security best practices. It discusses how individuals are targeted through phishing emails and malicious files. It recommends using strong, unique passwords and two-factor authentication. It also suggests being cautious of public Wi-Fi networks, checking bank statements regularly for fraudulent activity, and shredding documents with personal information. The presentation emphasizes that security starts with each individual and raising awareness of common social engineering techniques.
Internet fraud involves using the internet to commit fraudulent activities. Common types of internet fraud include credit/debit card fraud, business deceit, and identity theft. To prevent internet fraud, it is important to keep firewalls and antivirus/antispyware software updated, use strong and unique passwords, watch out for phishing scams, and protect personal information.
This document discusses various cyber threats and provides tips to protect against them. It begins by outlining groups that may want personal information, such as nation states, cyber criminals, and corporate spies. It then details common cyber threats like malware, viruses, worms, spyware, and social engineering. The document provides examples of these threats and discusses how to prevent identity theft, protect sensitive data, use social media securely, and identify phishing attempts. It concludes by offering advice on mobile, wireless, and internet security best practices.
Computer and internet security is important because online activities create data about users that could be compromised. It is easy to stay safe by securing data with strong passwords, keeping private information private by being aware of sharing, preventing attacks using antivirus software, and preparing for potential issues by backing up important files. The document provides tips for creating strong and unique passwords, maintaining privacy online, protecting against viruses and malware, and backing up data to secure information.
The document provides tips on privacy and security in the digital age. It discusses how privacy has eroded due to factors like government surveillance, data breaches, and social media. It then gives an 11 step plan for protecting privacy that includes using antivirus software, patching systems, securing devices, using encryption and being wary of downloads, phishing, and revealing private information. The document stresses that if something seems suspicious to get help from experts.
The document provides guidance on establishing a strong password policy for a financial institution. It discusses threats like brute force attacks and outlines guidelines for enforcing strong passwords, including minimum length of 8 characters, requiring multiple character sets, and not allowing dictionary words or usernames in passwords. It also covers topics like default passwords, credential harvesting, idle accounts, password storage, changing passwords, security questions, and moving beyond passwords to other forms of authentication.
Man vs Internet - Current challenges and future tendencies of establishing trust between humans and machines
1. Man vs Internet
Current challenges and future tendencies of establishing trust between humans and machines
Luis Grangeia
BSidesLisbon 2013
Image stolen from manvinternet.com
2. About me
Luis Grangeia <luis.grangeia at gmail.com>
• IT Security Auditor (pen-tester) since 2001
• First at SideStep, now at SysValue
• Computer nerd since 1987
• Breaking stuff (and failing to fix it back) since 1979
3. Agenda
• What's this about
• The curious case of Mat Honan
• Trust and Authentication
• Future Tendencies
• Strategies for pitfall avoidance
4. About this talk
• This is not about:
• Open Source Intelligence
• The NSA
• SQL Injection or Buffer Overflows
• This is about:
• [Establishing | Maintaining | Exploiting] trust relations between users, devices and services
• Explore current problems and future tendencies in authentication
• “Meta” stuff to start a dialogue
5. The “Mat Honan Hack”
From zero to total online identity compromise
6. Meet Mat Honan
• Tech savvy blogger/writer for Gizmodo, Wired
• Strong online presence:
• Twitter
• About.me
• Apple Account
• Google Account
• Etc.
• Has a cool twitter handle: twitter.com/mat
• Is about to get hacked
7. Mat Honan
Timeline: August 3rd 2012
• 16h33: Someone calls AppleCare pretending to be Mat Honan, provides some security information and asks for a temporary password.
• 16h50: A password reset confirmation arrives at Mat's me.com mailbox, completing the hijacking of Mat's iCloud account.
• 16h52: A Gmail password recovery e-mail arrives at Mat's me.com address. Two minutes later another e-mail arrives informing of a password change on the Gmail account.
• 17h00: Mat's iPhone is remotely wiped via iCloud.
8. Mat Honan
Timeline: August 3rd 2012 (cont.)
• 17h01: Mat's iPad is remotely wiped via iCloud.
• 17h02: Mat's Twitter account is reset. The new password is sent to his compromised Gmail account.
• 17h05: Mat's MacBook is remotely wiped via iCloud (it held the only copies of the pictures from the birth of his baby daughter).
• 17h05: Mat's entire Google account, containing 8 years' worth of personal e-mail messages, is deleted.
• 17h12: The attackers post a message to his Twitter account, taking credit for the hack.
16. Hacking Mat Honan
Time to call Amazon
• Time to call Amazon's phone support
• Call #1:
• "Hi, my name is Mat Honan, please add new credit card number 123
to my account. My billing address is xyz. Thanks!"
• Call #2:
• "Hi, I'm Mat Honan. Please add e-mail address evil@me.com
to my account. Here is credit card information 123 to verify
my identity."
• Step #3:
• Ask for password reset e-mail to evil@me.com address
17. Hacking Mat Honan
Account owned!
Last 4 digits of Mat's
real credit card
Account owned!
twitter.com/mat
Account owned!
mhonan@gmail.com
Account owned!
mhonan@me.com
18. What went Wrong?
• Poor password choices?
• Poor phone identity verification procedures?
• Bad trust relationship choices by Mat?
• Lack of 2-factor authentication? Where?
• What could we do better?
20. Authentication vs Trust
• Authentication: To provide proof of identity by means
of one (or more) of these:
• Something you know
• Something you have
• Something you are
• Trust: belief in the reliability, truth, ability, or strength of
someone or something.
• Authentication is impossible to do without Trust!
21. Something you know
• Passwords
• Answers to 'secret' security questions
• Date of Birth, registered VISA, home/billing
address, email, etc.
22. Something you know: Passwords
• Password Problems
• Simple passwords
• Same password used across services
• Services get hacked all the time
• Over 280 million password hashes leaked (2010-2012)
• Once the hash is out there, it's probably getting cracked
• E.g. Google 'qeadzcwrsfxv1331'
23. Something you know: Passwords
• In the Mat Honan Hack:
• Mat used 1Password
• Long and robust password to decrypt keyfile
• Master password not used anywhere else
• Keyfile was stored in Dropbox and synced across all his
devices
• Caveat: never send the master password over the network
or type it on a device you don't absolutely trust.
24. Something you know: Other
• Answers to ‘secret’ security questions
• Date of Birth, registered VISA, home/billing address,
email, etc.
• Information leaks by services
• Answers can be found on Google
• If it is a secret answer, why am I giving it away?
27. Something you know: Other
• In the Mat Honan hack:
• Google:
• leaked part of the recovery e-mail: m****n@me.com
• Amazon:
• Name + Billing Address == full account compromise
• Leaked last 4 digits of VISA after
• Apple:
• Public information + 4 Digits of VISA == full account compromise
29. Something you have
• Access to a previously authenticated/trusted device
• Access to a mobile phone number (SMS/voice code)
• Access to a mobile app (authenticator)
30. Something you have
• Access to third party accounts (email)
• Frequently used for password resets
31. Something you have
• In the Mat Honan hack:
• No second factor authentication used
• Chained trust relationships:
[Diagram: chained password reset relationships between Apple (mhonan@me.com), Google (mhonan@gmail.com) and Twitter (@mat)]
32. Something you are
• Biometrics
• Still a gimmick but is now seeing a boost in usage:
• Android Face Unlock
• iPhone 5S Touch ID
• Voice recognition (in Google Now, probably Siri later)
• Xbox One (the creepiest of them all)
34. Something you are
• Problems:
• Biometrics is only good for local device authentication
• Not fit for network authentication
• Unless you want to see your biometric info travelling through the
Internet…
• Must trust the device completely
• Especially if it's connected to a network!
• What happens if the device steals our biometric info or uploads it to the
cloud?
• If you lose the device, you lose your bio data to the attacker.
35. Something you are
• In the Mat Honan hack:
• Biometrics was not used at all
• Would not have prevented anything, as biometrics is only
useful for local (physically proximate) device
authentication.
36. Authentication: Is this it?
• Something you know
• Something you have
• Something you are
• ???
Is this all there is?
How do we humans authenticate ourselves?
37. Context Information
• Context!
• Complements Authentication
• Helps quantify trust
• Where you are (location)
• What are you doing (behavior)
• Who are you talking to (social relations)
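A worked example of the idea on this slide, added here and not part of the original talk: a small Python risk scorer that compares a login attempt with a constructed login history (country, device, hour of day, and time since the previous login) and turns the result into an allow / step-up / deny decision, where "step-up" means asking for a second factor. The history, the weights and the thresholds are all assumptions chosen for illustration, not values from any real product.

```python
"""Context-based login risk scoring (added example, not from the talk)."""
from collections import Counter, namedtuple
from datetime import datetime, timedelta

Login = namedtuple("Login", "when country device")

# Constructed login history for one user, timestamps in UTC. Not real data.
HISTORY = [
    Login(datetime(2012, 7, 30, 9, 12), "PT", "laptop-1"),
    Login(datetime(2012, 7, 30, 13, 40), "PT", "phone-1"),
    Login(datetime(2012, 7, 31, 8, 55), "PT", "laptop-1"),
    Login(datetime(2012, 8, 1, 9, 30), "PT", "laptop-1"),
    Login(datetime(2012, 8, 1, 18, 5), "PT", "phone-1"),
    Login(datetime(2012, 8, 2, 9, 2), "PT", "laptop-1"),
    Login(datetime(2012, 8, 2, 21, 14), "PT", "phone-1"),
    Login(datetime(2012, 8, 3, 8, 47), "PT", "laptop-1"),
]


def build_profile(history):
    """Summarise what 'normal' looks like: where, from what, and when the user logs in."""
    return {
        "countries": Counter(l.country for l in history),
        "devices": Counter(l.device for l in history),
        "hours": Counter(l.when.hour for l in history),
        "total": len(history),
    }


def risk_score(profile, history, event):
    """Score one login attempt against the profile; higher means less trustworthy.

    Weights are assumptions for illustration. Returns (score, reasons).
    """
    score, reasons = 0, []
    if event.country not in profile["countries"]:          # location
        score += 40
        reasons.append(f"first login from {event.country}")
    if event.device not in profile["devices"]:             # something you have
        score += 30
        reasons.append(f"unknown device {event.device}")
    if profile["hours"][event.when.hour] / profile["total"] < 0.05:   # behaviour
        score += 20
        reasons.append(f"unusual hour {event.when.hour:02d}:00 UTC")
    # Impossible travel: a different country less than two hours after the previous login.
    earlier = [l for l in history if l.when < event.when]
    if earlier:
        prev = max(earlier, key=lambda l: l.when)
        gap = event.when - prev.when
        if prev.country != event.country and gap < timedelta(hours=2):
            score += 50
            minutes = int(gap.total_seconds() // 60)
            reasons.append(f"impossible travel {prev.country}->{event.country} in {minutes} min")
    return score, reasons


def decide(score):
    """Map a score to an action; thresholds are assumptions."""
    if score < 25:
        return "allow"
    if score < 80:
        return "step-up"   # ask for a second factor before trusting this session
    return "deny"


def evaluate(history, event):
    """Convenience wrapper: (decision, score, reasons) for one login attempt."""
    profile = build_profile(history)
    score, reasons = risk_score(profile, history, event)
    return decide(score), score, reasons


if __name__ == "__main__":
    for event in (
        Login(datetime(2012, 8, 3, 9, 30), "PT", "laptop-1"),    # routine
        Login(datetime(2012, 8, 3, 9, 10), "US", "unknown-7"),   # 23 min after a PT login
        Login(datetime(2012, 8, 4, 9, 5), "PT", "laptop-2"),     # new laptop, usual place and time
    ):
        print(event, "->", evaluate(HISTORY, event))
```

A single weak signal (an odd hour) is not enough to bother the user, a new device alone asks for a second factor, and a new device from a new country minutes after a login elsewhere is refused outright. Real systems learn the weights rather than hard-coding them, but the structure, profile plus per-event deviations plus a tiered decision, is the same.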
39. Context: behavior
“Actimize has core offerings across all
financial crime prevention and compliance
areas built on a unified reporting and case
management platform. Actimize is known
for its use of analytics and modeling
techniques that uncover anomalous
financial transactions, like
fraud, money laundering and market
manipulation.”
48. Something you know: Passwords
• Password Strategies
• Use different passwords for every service
• Long and randomly generated
• Stored in a password vault:
• Keepass
• 1Password
• Password Safe
• Cloud synced encrypted password storage is a good
compromise
• Several key files on your cloud storage
• Plausible deniability
• Segregation of virtual “personas”
• Avoid trusting your passwords to one single online service
• Lastpass
49. Something you know: Other
• Security Questions & Personal Information
• Strategies:
• Never provide meaningful answers to security questions
• Give out a different random answer and treat it like a password
• Beware of services with lax/faulty procedures for account
recovery
• Apple, Amazon (presumably better by now)
50. Something you have
• Strategies:
• Put all the eggs in one basket and protect the basket!
• Make all account password resets go to a secure 2-factor account
(eg. Google)
51. Audit your accounts / services
• Regularly audit the relations between your services
• Password reset tokens (avoid the Mat Honan mistake)
• Look at what information leaks on password reset procedures for
some services
[Diagram: password reset relations between Facebook, Amazon, Google (with 2-factor authentication), Dropbox and Twitter]
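The audit on this slide, and the chained trust relationships of slide 31, as an added Python example (this is not code from the talk): each account records which other accounts can trigger its password reset and whether it enforces a second factor, and the script reports what else falls when one account is owned and which non-2FA accounts sit above each account in its reset chain. Both account maps are constructed: the first follows the Mat Honan chain as the talk describes it, the second follows slide 50's advice of routing every reset to a 2-factor Google account. The node names, the "public-info" and "phone" pseudo-accounts and the edge semantics are modelling assumptions.

```python
"""Audit password-reset trust relations between accounts (added example).

Model: accounts[name]["reset_via"] lists the accounts (or pieces of
information) that can trigger a password reset on this account;
"second_factor" says whether the account enforces 2FA at login.
"public-info" (name, billing address) and "phone" (the SMS/authenticator
device) are pseudo-accounts used as modelling assumptions.
"""
from collections import deque

# Constructed map following the Mat Honan chain as described in the talk.
HONAN_2012 = {
    "public-info": {"reset_via": [], "second_factor": False},
    "amazon":      {"reset_via": ["public-info"], "second_factor": False},  # name + billing address
    "apple":       {"reset_via": ["amazon"], "second_factor": False},       # last 4 digits of the card
    "gmail":       {"reset_via": ["apple"], "second_factor": False},        # recovery address at me.com
    "twitter":     {"reset_via": ["gmail"], "second_factor": False},        # recovery address at gmail
}

# Constructed map after applying slide 50: every reset goes to one 2-factor account.
HARDENED = {
    "public-info": {"reset_via": [], "second_factor": False},
    "phone":       {"reset_via": [], "second_factor": False},   # the second-factor device itself
    "google":      {"reset_via": ["phone"], "second_factor": True},
    "amazon":      {"reset_via": ["google"], "second_factor": False},
    "apple":       {"reset_via": ["google"], "second_factor": False},
    "twitter":     {"reset_via": ["google"], "second_factor": False},
    "dropbox":     {"reset_via": ["google"], "second_factor": False},
}


def blast_radius(accounts, seed):
    """Accounts that fall, transitively, once `seed` is in someone else's hands."""
    owned, queue = {seed}, deque([seed])
    while queue:
        current = queue.popleft()
        for name, info in accounts.items():
            if name not in owned and current in info["reset_via"]:
                owned.add(name)
                queue.append(name)
    owned.discard(seed)
    return owned


def reset_ancestors(accounts, target):
    """Every account that can, directly or through a chain, reset `target`."""
    seen, stack = set(), list(accounts[target]["reset_via"])
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(accounts[name]["reset_via"])
    return seen


def weak_links(accounts, target):
    """Ancestors of `target` with no second factor: 2FA on `target` is only as strong as these."""
    return sorted(a for a in reset_ancestors(accounts, target) if not accounts[a]["second_factor"])


def audit(accounts):
    """Per-account summary for a periodic review of your own trust relations."""
    return {
        name: {"owns": sorted(blast_radius(accounts, name)), "weak_links": weak_links(accounts, name)}
        for name in accounts
    }


if __name__ == "__main__":
    for label, accounts in (("2012 layout", HONAN_2012), ("hardened layout", HARDENED)):
        print(f"== {label}")
        for name, row in audit(accounts).items():
            print(f"{name:12s} owning it also owns {row['owns']}; weak links above it: {row['weak_links']}")
```

In the 2012 layout, public information alone reaches every account in the chain. In the hardened layout nothing hangs off public information any more, but the audit also makes the new basket visible: the phone that carries the second factor now sits above every account, which is exactly the device the next slides say to plan for losing.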
52. Something you are
• Strategies:
• Use biometrics sparingly and only on devices you really
trust
• Beware of companies uploading your bio data to the cloud
(Microsoft)
• Have a plan ready if the device gets lost / stolen
• More on this later
• Hope that remote wipe works well
53. Increasing Trust in Devices
• Have a plan if your phone/laptop gets stolen:
• Did you have encryption in place?
• Did you have pin/pattern/password lock?
• What information was in it?
• What information/accounts might be compromised?
• Can you remotely wipe the device? How fast can you do it?
• Can you de-authorize the device on the registered services?
54. Increasing Trust in Devices
• All your access to Internet services via devices!
• Make it so losing only one device does not grant the new
owner long term access to important services
[Diagram: Location History + Other Context Information + Smartphone = OK]
55. Closing Thoughts
• No one is more interested in securing your online identities
than you. No one will do it for you!
• Having access to several services and devices should be a
strength, not a weakness.
• Plan for the loss/theft of a device or the compromise of a
service. It will happen.
• Look for vulnerabilities in Password Reset/Change Security
Information Procedures on Microsoft/Google/Facebook.
• You'll be amazed
- This is not a technical talk
- This is not about open source intelligence
- This is not about the NSA reading your email
- This talk is about exploiting the bond between the human element and the technology element
- This is about maintaining trust between individuals/services/devices
- This is about authenticating (establishing trust) individuals and services
- This is about exploiting trust relationships between services/devices/individuals
Mat Honan is an online journalist, your usual late-twenties, early-thirties journalist/blogger. He writes for Gizmodo and Wired magazine, where he regularly reviews all sorts of new gadgets and other Internet trends. He is up to speed with current Internet trends and memes; in other words, he is not a grandma or grandpa. He is tech savvy.
Mat Honan uses the latest and greatest gadgets and online services. He has a Gmail account and uses Twitter several times a day. He has a MacBook, an iPad and an iPhone, all linked to the cloud via Apple's iCloud service. He frequently buys books and other items via his Amazon account.
Mat is fairly well informed about password security. He uses 1Password heavily. Most of his passwords are long, alphanumeric strings of gibberish with random symbols, which he stores in his cloud-synced encrypted keychain.
Everything was fine and good until one Friday, the 3rd of August 2012, when, in the space of an hour, while he was happily playing with his baby daughter, his entire digital life was destroyed. His Twitter account was hijacked and used to post racist and homophobic messages. His AppleID account was broken into and used to remotely erase all of the data on his iPhone, iPad and MacBook. His Gmail was hijacked as well. And all of that because the attacker wanted to take over his Twitter account "because it had a cool three-letter handle".
What followed was a painful process of several days of him trying to figure out exactly what happened and recovering access to his accounts and his files. It was not easy. It wasn't cheap either. A lot of stuff was permanently wiped from his MacBook. He got most of his photos and documents back by calling a data recovery company. It cost him around 1700 USD, just for this service. Eventually he got his digital life back, but it was a traumatic experience.
We actually have a very good picture of the details of the hack because one hacker involved in the hack came forward and detailed exactly how they did it. Here's how they did it:
They started by first looking at what they wanted: twitter.com/mat
Looking at his Twitter profile they found his Gmail address and (correctly) assumed it to be the password reset address for Twitter.
By attempting a password reset for the Google account, they learned that the password reset address for Gmail was a ".me" address: m****n@me.com, which they (correctly) assumed to be mhonan@me.com
They then attempted to recover information that would allow them to recover an Apple ID account. For this they hijacked his Amazon account like so:
- Added a fake credit card number to his Amazon account simply by calling up and giving the correct name and billing address
- On a separate call they added a new e-mail address to the account by providing the fake credit card number they just added
- Then they did a password reset on the account, sending the reset link to the newly added email address.
This allowed them to hijack the Amazon account, which gave them access to the last 4 digits of Mat Honan's VISA.
With the 4 digits of his VISA and the rest of the information the hackers called up AppleCare and successfully reset the password.
With full access to Mat's AppleID account they gained access to his Gmail account by sending a password reset request.
Using the recently hijacked Google account they gained access to his Twitter account by sending a password reset request.
After getting their prize (the Twitter account) the hackers proceeded to delete Mat's iDevices and his Google Account. Note that they could have gained access to more of Mat's services, such as LinkedIn, Facebook, Dropbox and other services that were linked either to his Apple or Google accounts.
So what went wrong here? Poor password choices? Poor password reset mechanisms? Poor trust relationship choices? All of the above? Let's try to expose the weaknesses of this particular case and also other issues that could have been exploited.
First let's review the basic notions. What is authentication? In information security, a generally agreed definition of authentication is the act of providing proof of identity. That proof can be:
Something you know
Something you have
Something you are
This is the basic stuff. Let's go over these three factors and try to relate them to the Mat Honan hack.
Sources: Over 280 million password hashes leaked between 2010-2012
http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
Something you know
The first factor is "Something you know". This is basically a piece of information that is shared between the user and the service, and supposedly only the authorized user may know it.
The obvious first example of "something you know" is passwords. I know most of us are aware that passwords have several problems and need to be used properly, and it's important that we search for an alternative or complement to passwords. However, for 90% of the services you use, passwords remain the only alternative for authentication. The most common mistake is choosing a simple password, based on a dictionary word, that could be vulnerable to an online dictionary or brute force attack. Another of the most common (and most dangerous) mistakes is to use the same password for all your services.
Web sites and services get hacked all the time. Even high profile sites such as LinkedIn and Yahoo got hacked. Passwords get leaked, usually in hashed form. I won't go over this topic as it has already been covered a lot, but I'll just give you this little fact: over 280 MILLION password hashes got leaked between 2010 and 2012. That's a lot. What's interesting to learn is that for a random sample of 10,000 password hashes, experienced crackers can usually crack around 80% to 90% of these in the space of one hour. So we need a strategy to deal with passwords.
Is that all there is? Is this all that we, humans, use to trust each other? What if:
…I left this room and 5 seconds later appeared on a live TV broadcast next to Obama in Washington?
…I left this room and 500 years later appeared exiting an alien UFO, looking exactly the same?
…I didn't leave this room and another person looking and talking like myself appeared here next to me?
…And every time, I knew the same, had access to the same and appeared (inside and out) exactly like me in all three cases?
We humans don't think much about it (because these things don't happen a lot), but we use more to authenticate ourselves: Context!
Where you are (location);
What are you doing (behaviour);
Who are you talking to (relation/social);
[Password Strategies] Personal note about LastPass: the reason I don't like it is that you're basically putting all your trust in one entity. If LastPass gets compromised, all your passwords are automatically gone. The main advantage of KeePass and Dropbox (or another cloud-based file storage) is that you are basically segregating the trust between two entities. Dropbox stores your encrypted password file but never actually receives the password to decrypt it. KeePass receives the decryption password but, unless the program is modified to send your decrypted passwords through the network (possible but unlikely and easy to detect), you are good.