2FA WTF
•
0 likes•193 views
Breaking down the problems with password-only authentication and some of the different options you have for 2FA
Report
Share
Report
Share
Download to read offline
Recommended
2FA, WTF!?
You may recognize Two-factor Authentication (2FA) as an additional safeguard for protecting accounts, but do you really know how it works? This talk will show you how to implement One Time Passwords (including what's happening under the hood of those expiring tokens) and even provide a legitimate use case for QR codes! You'll come away recognizing the different approaches to implementing a 2FA solution and have a better understanding of the solution that's right for your application.
Google Secrets - American Society of Dental Aesthetics
Powerful google secrets hidden in plain sight. Spy on the competition, know what they are doing, know when they do it. Track industry leaders, find out who are they and what they are talking about. Catch a thief, set a plagiarism trap, protect your content.
�
Seek and ye shall find - 28.10.2016
Updated version of this presentation, as presented at #mm16ro on 28th October 2016.
Find out more about the features of product search in Magento 2. Learn about search operators, MySQL fulltext search and more.
At the end, you will find tips how to improve the user experience, either using Magento 2 default tools, extensions or external search engines.
Innovation in marketing by @bdr_Alsaad - الابداعات التسويقية من قبل بدر السعد
تم عرض هذا البرزنتيشن من قبل المسوق السعودي بدر السعد @bdr_alsaad في ملتقى #Reelmarketing2 من إشراف وتنظيم طالبات نادي التسويق بجامعة الملك سعود @Mktclub1
Rods, cones and sharpies
South Wales Agile Group lightning talk for June 2018 on the importance of data visualisation in agile and team environments
A Google Event You Won't Forget
As more businesses migrate their employee email and data into collaborative cloud platforms, default configurations, even in a secured environment, could leave them susceptible to attacks. While these platforms create a centralized way to collaborate, manage access and view the world from a single pane of glass -- they also create unique attack paths that attackers can leverage using built-in APIs.
In this presentation, we will explore an innovative approach to red teaming organizations that use Google Suite as their main cloud provider. We will walk through leveraging features to inject calendar events, phishing credentials, capturing 2-factor tokens, backdooring accounts and finally pilfering secrets. Techniques presented will also be incorporated and released as modules within MailSniper.
Recommended
2FA, WTF!?
You may recognize Two-factor Authentication (2FA) as an additional safeguard for protecting accounts, but do you really know how it works? This talk will show you how to implement One Time Passwords (including what's happening under the hood of those expiring tokens) and even provide a legitimate use case for QR codes! You'll come away recognizing the different approaches to implementing a 2FA solution and have a better understanding of the solution that's right for your application.
Google Secrets - American Society of Dental Aesthetics
Powerful google secrets hidden in plain sight. Spy on the competition, know what they are doing, know when they do it. Track industry leaders, find out who are they and what they are talking about. Catch a thief, set a plagiarism trap, protect your content.
�
Seek and ye shall find - 28.10.2016
Updated version of this presentation, as presented at #mm16ro on 28th October 2016.
Find out more about the features of product search in Magento 2. Learn about search operators, MySQL fulltext search and more.
At the end, you will find tips how to improve the user experience, either using Magento 2 default tools, extensions or external search engines.
Innovation in marketing by @bdr_Alsaad - الابداعات التسويقية من قبل بدر السعد
تم عرض هذا البرزنتيشن من قبل المسوق السعودي بدر السعد @bdr_alsaad في ملتقى #Reelmarketing2 من إشراف وتنظيم طالبات نادي التسويق بجامعة الملك سعود @Mktclub1
Rods, cones and sharpies
South Wales Agile Group lightning talk for June 2018 on the importance of data visualisation in agile and team environments
A Google Event You Won't Forget
As more businesses migrate their employee email and data into collaborative cloud platforms, default configurations, even in a secured environment, could leave them susceptible to attacks. While these platforms create a centralized way to collaborate, manage access and view the world from a single pane of glass -- they also create unique attack paths that attackers can leverage using built-in APIs.
In this presentation, we will explore an innovative approach to red teaming organizations that use Google Suite as their main cloud provider. We will walk through leveraging features to inject calendar events, phishing credentials, capturing 2-factor tokens, backdooring accounts and finally pilfering secrets. Techniques presented will also be incorporated and released as modules within MailSniper.
So whats in a password
Talk from CodeMash on Passwords, cracking them, and intelligent approaches to getting past them.
Presented at CodeMash, January 8, 2014
Breaking vaults: Stealing Lastpass protected secrets
LastPass is a popular password manager that integrates with browsers through plugins. One of the most interesting features is the fact that the encrypted vault is stored in LastPass' servers but they have no access to the content since the master password never leaves the user's machine. All encryption and decryption happens locally. Password managers are a single point of failure by design and therefore they need to be secure. A tool with the sole purpose of storing all your secrets is a important target for any attacker.
The most valuable piece of information is the master password. It is the key to decrypt the data and gain complete access. Research has been done on different attack vectors but the focus is on leaking passwords stored in the vault. This presentation will focus on how it is possible to steal and decrypt the master password. In addition, I will also demonstrate an additional attack vector that results in full access to the vault without the need of the master password. Two different attacks to achieve the same goal, full access to the vault. But given that LastPass supports 2 factor authentication, I will also demonstrate how to bypass it. Last but not least, I will release a Metasploit module that will automate the whole process. Stealing the master password, leaking the encryption key and bypassing 2 factor authentication.
Secure All Teh Things - Add 2 factor authentication to your own CFML projects
Delivered at CFCamp 2018 in Munich Germany.
Security is getting more and more important. A 2-factor authentication will help you securing your logins.
In this Session Rob shows you how to implement a 2-factor authentication for your own website. Learn about the different protocols FIDO U2F, Yubico OTP, Challenge-Response, etc.
See how you can use your personal YubiKey for your own website.
Two Factor Authentication and You
Everyone has at least one password, but that's not enough anymore. When is that not enough? Passwords get out of your hands all the time. You know your password, but what about using something you have in addition to what you know. Let's look at how you can leverage your mobile device for added security, and implement it in your projects. This talk will cover how two factor auth works, how to use it and the ins and outs of rolling your own solution using Time-based One-time Password (TOTP) (and the Google Authenticator app) or a third party service and the pitfalls of both. AWS, Mailchimp, Dropbox and Facebook integrate two factor authentication and you can too! There's no reason not to use it!
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
LastPass is a popular password manager that integrates with browsers through plugins. One of the most interesting features is the fact that the encrypted vault is stored in LastPass' servers but they have no access to the content since the master password never leaves the user's machine. All encryption and decryption happens locally. Password managers are a single point of failure by design and therefore they need to be secure. A tool with the sole purpose of storing all your secrets is a important target for any attacker.
The most valuable piece of information is the master password. It is the key to decrypt the data and gain complete access. Research has been done on different attack vectors but the focus is on leaking passwords stored in the vault. This presentation will focus on how it is possible to steal and decrypt the master password. In addition, I will also demonstrate an additional attack vector that results in full access to the vault without the need of the master password. Two different attacks to achieve the same goal, full access to the vault. But given that LastPass supports 2 factor authentication, I will also demonstrate how to bypass it. Last but not least, I will release a Metasploit module that will automate the whole process. Stealing the master password, leaking the encryption key and bypassing 2 factor authentication.
Be Prepared - Internet Safety
Be Prepared - Internet Safety - this deck was presented to Boy Scouts to help prepare them to talk to others about internet safety.
OK Google, How Do I Red Team GSuite?
As more corporations adopt Google for providing cloud services they are also inheriting the security risks associated with centralized computing, email and data storage outside the perimeter. In order for pentesters and red teamers to remain effective in analyzing security risks, they must adapt techniques in a way that brings value to the customer.
In this presentation we will begin by demonstrating adaptive techniques to crack the perimeter of Google Suite customers. Next, we will show how evasion can be accomplished by hiding in plain-sight due to failures in incident response plans. Finally, we will also show how a simple compromise could mean collateral damage for customers who are not carefully monitoring these cloud environments.
Why Visibility into Your Stack Matters
When running any amount of systems, gaining visibility into what they are doing can be a non-trivial matter. Starting on the path to monitoring can prove bumpy, and if you don’t measure, you don’t know. In this session, Michael Fiedler, Director of TechOps, will speak on personal experience with scalability, deployment, and monitoring challenges prior to using Datadog - and how that changed. He will cover how to get started, and examples of where monitoring the company's platform with Datadog provided the guiding light towards the team solving scalability problems.
[DBA-Adv]_HiramFleitas_Hack_Protect_Predict_SQLServer_LearnThem
- TITLE: Hack / Protect / Predict SQL Server - Come learn them.
Speaker: Fleitas, Hiram
Duration: 60 minutes
Track: Application & Database Development
Level: Advanced
https://www.sqlsaturday.com/801/Sessions/Details.aspx?sid=83672
- ABSTRACT:
In this session, I'll show you how to hack SQL Server using a simple C# console application and other tools. Most importantly, I'll show you how to protect vectors that perhaps you're trying to use to safeguard sensitive data for GDPR compliance.
1. Tabular Data Stream (TDS) Protocol
2. Dynamic Data Masking
3. Row Level Security (Yep...)
4. Database Source Control
Perhaps, you've seen these exploits before but do you really know how to reproduce them? Or, how to even protect yourself against them? No worries, I'll show you the way along with a load test.
Finally, I am very excited to share with you how to analyze text using pre-trained Machine Learning models to predict a sentiment, on-prem with SQL Server 2017.
5. SQL ML / AI - A deep dive to predict the sentiment
Looking forward to meeting you all.
- BIO:
Hiram Fleitas is the Principal Database Architect at Universal Property and Casualty Insurance Company and leads the company's intelligent edge using Microsoft’s data platform. He currently is developing database applications using Machine Learning models trained on claims, policy, and social media data to predict business opportunities for customer satisfaction and loyalty in real-time.
He has worked with SQL Server for 20 years, from version 6.0 to 2019 with some of the largest companies in the world. He's spoken on SQL Server at User Groups, South Florida Code Camp, PASS SQL Saturdays, and corporate business events, often presenting talks on security, performance, devops, machine learning, and business intelligence. He coded his first program in BASIC when he was 13 years old as a school project and developed a passion for computers ever since.
Hiram is also a code contributor to several opensource projects and serves as an IS Flotilla Staff Officer for the United States Coast Guard Auxiliary. On his time off he mostly enjoys spending time with his wife Christina and two kids, Ocean and Skylar Fleitas. He also wakeboards, wakesurfs, snowboards and does endurance training events by GORUCK’s Cadre-led decorated combat veterans of Special Operations.
https://linkedin.com/in/hiramfleitas/
https://fleitasarts.com
- DATE & TIME:
Saturday - Oct 6, 2018
11:00 am - 12:00 pm Presentation
- LOCATION:
Seminole State College
Partnership Building
100 Weldon Blvd Building UP, Sanford, Florida, 32773
100 Weldon Blvd, Building UP, Sanford, FL 32773
Room #: R1
http://seminolestate.edu
- Follow #SQLSatOrlando on Twitter
https://twitter.com/hashtag/SQLSatOrlando
- Follow @HiramFleitas on Twitter
https://twitter.com/hiramfleitas
Red Team Tactics for Cracking the GSuite Perimeter
As more corporations adopt Google for providing cloud services they are also inheriting the security risks associated with centralized computing, email and data storage outside the perimeter. In order for pentesters and red teamers to remain effective in analyzing security risks, they must adapt techniques in a way that brings value to the customer.
In this presentation we will begin by demonstrating adaptive techniques to crack the perimeter of Google Suite customers. Next, we will show how evasion can be accomplished by hiding in plain-sight due to failures in incident response plans. Finally, we will also show how a simple compromise could mean collateral damage for customers who are not carefully monitoring these cloud environments.
After the Data Breach: Stolen Credentials
Credentials don’t start out on the dark web - they end there.
When usernames and passwords are compromised in a data breach, the consequences extend far beyond the victim organization due to rampant password reuse. For this reason, NIST recently recommended that organizations check users’ credentials against a set of known compromised passwords. However, by patroning dark web forums and paying for spilled credentials, enterprises indirectly support the criminal ecosystem. Furthermore, attackers often don’t publicly post stolen data until months or years after the breach, if at all. Is there a better way to follow NIST guidelines and protect users from account takeover?
Join Justin Richer, co-author of NIST Digital Identity Guidelines 800-63B, and Gautam Agarwal, Blackfish Product Manager, for a lively discussion on NIST’s password recommendations and how best to prevent account takeover fraud at your organization.
Agenda:
The Threat of Stolen Credentials
Reasoning Behind NIST’s Password Recommendations
Ways to Manage a Password “Breach Corpus”
How Blackfish Helps Organizations Follow NIST Guidelines
Why Visibility into Your Stack Matters
When running any amount of systems, gaining visibility into what they are doing can be a non-trivial matter. Starting on the path to monitoring can prove bumpy, and if you don’t measure, you don’t know. In this session, Michael Fiedler, Director of TechOps, will speak on personal experience with scalability, deployment, and monitoring challenges prior to using Datadog - and how that changed. He will cover how to get started, and examples of where monitoring the company's platform with Datadog provided the guiding light towards the team solving scalability problems.
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Part of F5 mitigations series
Brute force on apps is on the rise
Will become WBT @ F5U
Conclusion:
Internet brute force can go undetected and is a serious threat to applications
F5 owns the largest set of options to detect and prevent application brute force
I See You
In this talk, we will dive into the data captured during last years Wall of Sheep applications and protocols that are giving your away credentials. This is something that anyone, with the right level of knowledge and inclination, could certainly do with a few basic ingredients. We will enumerate them. The dataset we will focus on was gathered as part of the Wall of Sheep contest during DEF CON 22. While this data was gathered using an off the shelf technology, that platform will not be the topic we discuss. Rather, we will focus on the types and scope of data sent totally in the clear for all to see. Additionally, we will discuss the ramifications this might have in a less "friendly" environment --where loss of one's anonymity, might really, really suck. Finally, we will discuss and recommend ways you can hamper this type of collection.
WordPress Security for Beginners
Security can seem intimidating and complex for many of us, but we shouldn’t (can’t) let that stop us from making sure we’re doing everything we can to secure our WordPress sites. After all, our websites are often part of our livelihood.
In this session Adam will discuss the “big picture” of website security and break down the fundamental tasks needed for a strong security plan, in order of importance. Adam will provide an actionable checklist on what you can start doing today to better secure your WordPress websites.
After attending this session, audience members will have a better understanding of website security as a whole and what steps they can take to mitigate risk. Attendees will be able to start building their WordPress security master plan immediately.
Patterns to Bring Enterprise and Social Identity to the Cloud
In this session, we will look at strategies to incorporate identity into cloud applications. Enterprise
identity or social login can both be a part of your go-to-cloud strategy, but you must plan for this
upfront, rather than try to retrofit identity and access control at a later date.
Unleashing Twitter Data for Fun and Insight
Matthew Russell's "Unleashing Twitter Data for Fun and Insight" presentation from Strata 2011. Matthew Russell's "Unleashing Twitter Data for Fun and Insight" presentation from Strata 2011. See http://strataconf.com/strata2011/public/schedule/detail/17714 for an overview of the talk.
Unleashing twitter data for fun and insight
Matthew Russell, VP Engineering at Digital Reasoning, discusses techniques and results of mining twitter data for fun and insight
Protecting your phone verification flow from fraud & abuse
Authenticate 2022 - SMS pumping prevention
Preventing phone verification fraud (SMS pumping)
In the last year we've seen a new type of fraud become more common where fraudsters attack phone verification forms with thousands of requests. This type of attack, known as SMS pumping, causes inflated traffic to your app with the intent to make money and not to steal information. Unfortunately this means you might be hit with higher than expected bills from your telecom provider if your application isn't designed to prevent it.
This talk will describe SMS pumping in more detail, including how it compares to similar attacks like IRSF and how fraudsters profit from this tactic. You'll learn strategies to prevent the attack and improve your phone verification workflow in the process, ensuring all of the benefits of phone number verification without unintended expenses.
More Related Content
Similar to 2FA WTF
So whats in a password
Talk from CodeMash on Passwords, cracking them, and intelligent approaches to getting past them.
Presented at CodeMash, January 8, 2014
Breaking vaults: Stealing Lastpass protected secrets
LastPass is a popular password manager that integrates with browsers through plugins. One of the most interesting features is the fact that the encrypted vault is stored in LastPass' servers but they have no access to the content since the master password never leaves the user's machine. All encryption and decryption happens locally. Password managers are a single point of failure by design and therefore they need to be secure. A tool with the sole purpose of storing all your secrets is a important target for any attacker.
The most valuable piece of information is the master password. It is the key to decrypt the data and gain complete access. Research has been done on different attack vectors but the focus is on leaking passwords stored in the vault. This presentation will focus on how it is possible to steal and decrypt the master password. In addition, I will also demonstrate an additional attack vector that results in full access to the vault without the need of the master password. Two different attacks to achieve the same goal, full access to the vault. But given that LastPass supports 2 factor authentication, I will also demonstrate how to bypass it. Last but not least, I will release a Metasploit module that will automate the whole process. Stealing the master password, leaking the encryption key and bypassing 2 factor authentication.
Secure All Teh Things - Add 2 factor authentication to your own CFML projects
Delivered at CFCamp 2018 in Munich Germany.
Security is getting more and more important. A 2-factor authentication will help you securing your logins.
In this Session Rob shows you how to implement a 2-factor authentication for your own website. Learn about the different protocols FIDO U2F, Yubico OTP, Challenge-Response, etc.
See how you can use your personal YubiKey for your own website.
Two Factor Authentication and You
Everyone has at least one password, but that's not enough anymore. When is that not enough? Passwords get out of your hands all the time. You know your password, but what about using something you have in addition to what you know. Let's look at how you can leverage your mobile device for added security, and implement it in your projects. This talk will cover how two factor auth works, how to use it and the ins and outs of rolling your own solution using Time-based One-time Password (TOTP) (and the Google Authenticator app) or a third party service and the pitfalls of both. AWS, Mailchimp, Dropbox and Facebook integrate two factor authentication and you can too! There's no reason not to use it!
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
LastPass is a popular password manager that integrates with browsers through plugins. One of the most interesting features is the fact that the encrypted vault is stored in LastPass' servers but they have no access to the content since the master password never leaves the user's machine. All encryption and decryption happens locally. Password managers are a single point of failure by design and therefore they need to be secure. A tool with the sole purpose of storing all your secrets is a important target for any attacker.
The most valuable piece of information is the master password. It is the key to decrypt the data and gain complete access. Research has been done on different attack vectors but the focus is on leaking passwords stored in the vault. This presentation will focus on how it is possible to steal and decrypt the master password. In addition, I will also demonstrate an additional attack vector that results in full access to the vault without the need of the master password. Two different attacks to achieve the same goal, full access to the vault. But given that LastPass supports 2 factor authentication, I will also demonstrate how to bypass it. Last but not least, I will release a Metasploit module that will automate the whole process. Stealing the master password, leaking the encryption key and bypassing 2 factor authentication.
Be Prepared - Internet Safety
Be Prepared - Internet Safety - this deck was presented to Boy Scouts to help prepare them to talk to others about internet safety.
OK Google, How Do I Red Team GSuite?
As more corporations adopt Google for providing cloud services they are also inheriting the security risks associated with centralized computing, email and data storage outside the perimeter. In order for pentesters and red teamers to remain effective in analyzing security risks, they must adapt techniques in a way that brings value to the customer.
In this presentation we will begin by demonstrating adaptive techniques to crack the perimeter of Google Suite customers. Next, we will show how evasion can be accomplished by hiding in plain-sight due to failures in incident response plans. Finally, we will also show how a simple compromise could mean collateral damage for customers who are not carefully monitoring these cloud environments.
Why Visibility into Your Stack Matters
When running any amount of systems, gaining visibility into what they are doing can be a non-trivial matter. Starting on the path to monitoring can prove bumpy, and if you don’t measure, you don’t know. In this session, Michael Fiedler, Director of TechOps, will speak on personal experience with scalability, deployment, and monitoring challenges prior to using Datadog - and how that changed. He will cover how to get started, and examples of where monitoring the company's platform with Datadog provided the guiding light towards the team solving scalability problems.
[DBA-Adv]_HiramFleitas_Hack_Protect_Predict_SQLServer_LearnThem
- TITLE: Hack / Protect / Predict SQL Server - Come learn them.
Speaker: Fleitas, Hiram
Duration: 60 minutes
Track: Application & Database Development
Level: Advanced
https://www.sqlsaturday.com/801/Sessions/Details.aspx?sid=83672
- ABSTRACT:
In this session, I'll show you how to hack SQL Server using a simple C# console application and other tools. Most importantly, I'll show you how to protect vectors that perhaps you're trying to use to safeguard sensitive data for GDPR compliance.
1. Tabular Data Stream (TDS) Protocol
2. Dynamic Data Masking
3. Row Level Security (Yep...)
4. Database Source Control
Perhaps, you've seen these exploits before but do you really know how to reproduce them? Or, how to even protect yourself against them? No worries, I'll show you the way along with a load test.
Finally, I am very excited to share with you how to analyze text using pre-trained Machine Learning models to predict a sentiment, on-prem with SQL Server 2017.
5. SQL ML / AI - A deep dive to predict the sentiment
Looking forward to meeting you all.
- BIO:
Hiram Fleitas is the Principal Database Architect at Universal Property and Casualty Insurance Company and leads the company's intelligent edge using Microsoft’s data platform. He currently is developing database applications using Machine Learning models trained on claims, policy, and social media data to predict business opportunities for customer satisfaction and loyalty in real-time.
He has worked with SQL Server for 20 years, from version 6.0 to 2019 with some of the largest companies in the world. He's spoken on SQL Server at User Groups, South Florida Code Camp, PASS SQL Saturdays, and corporate business events, often presenting talks on security, performance, devops, machine learning, and business intelligence. He coded his first program in BASIC when he was 13 years old as a school project and developed a passion for computers ever since.
Hiram is also a code contributor to several opensource projects and serves as an IS Flotilla Staff Officer for the United States Coast Guard Auxiliary. On his time off he mostly enjoys spending time with his wife Christina and two kids, Ocean and Skylar Fleitas. He also wakeboards, wakesurfs, snowboards and does endurance training events by GORUCK’s Cadre-led decorated combat veterans of Special Operations.
https://linkedin.com/in/hiramfleitas/
https://fleitasarts.com
- DATE & TIME:
Saturday - Oct 6, 2018
11:00 am - 12:00 pm Presentation
- LOCATION:
Seminole State College
Partnership Building
100 Weldon Blvd Building UP, Sanford, Florida, 32773
100 Weldon Blvd, Building UP, Sanford, FL 32773
Room #: R1
http://seminolestate.edu
- Follow #SQLSatOrlando on Twitter
https://twitter.com/hashtag/SQLSatOrlando
- Follow @HiramFleitas on Twitter
https://twitter.com/hiramfleitas
Red Team Tactics for Cracking the GSuite Perimeter
As more corporations adopt Google for providing cloud services they are also inheriting the security risks associated with centralized computing, email and data storage outside the perimeter. In order for pentesters and red teamers to remain effective in analyzing security risks, they must adapt techniques in a way that brings value to the customer.
In this presentation we will begin by demonstrating adaptive techniques to crack the perimeter of Google Suite customers. Next, we will show how evasion can be accomplished by hiding in plain-sight due to failures in incident response plans. Finally, we will also show how a simple compromise could mean collateral damage for customers who are not carefully monitoring these cloud environments.
After the Data Breach: Stolen Credentials
Credentials don’t start out on the dark web - they end there.
When usernames and passwords are compromised in a data breach, the consequences extend far beyond the victim organization due to rampant password reuse. For this reason, NIST recently recommended that organizations check users’ credentials against a set of known compromised passwords. However, by patroning dark web forums and paying for spilled credentials, enterprises indirectly support the criminal ecosystem. Furthermore, attackers often don’t publicly post stolen data until months or years after the breach, if at all. Is there a better way to follow NIST guidelines and protect users from account takeover?
Join Justin Richer, co-author of NIST Digital Identity Guidelines 800-63B, and Gautam Agarwal, Blackfish Product Manager, for a lively discussion on NIST’s password recommendations and how best to prevent account takeover fraud at your organization.
Agenda:
The Threat of Stolen Credentials
Reasoning Behind NIST’s Password Recommendations
Ways to Manage a Password “Breach Corpus”
How Blackfish Helps Organizations Follow NIST Guidelines
Why Visibility into Your Stack Matters
When running any amount of systems, gaining visibility into what they are doing can be a non-trivial matter. Starting on the path to monitoring can prove bumpy, and if you don’t measure, you don’t know. In this session, Michael Fiedler, Director of TechOps, will speak on personal experience with scalability, deployment, and monitoring challenges prior to using Datadog - and how that changed. He will cover how to get started, and examples of where monitoring the company's platform with Datadog provided the guiding light towards the team solving scalability problems.
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Part of F5 mitigations series
Brute force on apps is on the rise
Will become WBT @ F5U
Conclusion:
Internet brute force can go undetected and is a serious threat to applications
F5 owns the largest set of options to detect and prevent application brute force
I See You
In this talk, we will dive into the data captured during last years Wall of Sheep applications and protocols that are giving your away credentials. This is something that anyone, with the right level of knowledge and inclination, could certainly do with a few basic ingredients. We will enumerate them. The dataset we will focus on was gathered as part of the Wall of Sheep contest during DEF CON 22. While this data was gathered using an off the shelf technology, that platform will not be the topic we discuss. Rather, we will focus on the types and scope of data sent totally in the clear for all to see. Additionally, we will discuss the ramifications this might have in a less "friendly" environment --where loss of one's anonymity, might really, really suck. Finally, we will discuss and recommend ways you can hamper this type of collection.
WordPress Security for Beginners
Security can seem intimidating and complex for many of us, but we shouldn’t (can’t) let that stop us from making sure we’re doing everything we can to secure our WordPress sites. After all, our websites are often part of our livelihood.
In this session Adam will discuss the “big picture” of website security and break down the fundamental tasks needed for a strong security plan, in order of importance. Adam will provide an actionable checklist on what you can start doing today to better secure your WordPress websites.
After attending this session, audience members will have a better understanding of website security as a whole and what steps they can take to mitigate risk. Attendees will be able to start building their WordPress security master plan immediately.
Patterns to Bring Enterprise and Social Identity to the Cloud
In this session, we will look at strategies to incorporate identity into cloud applications. Enterprise
identity or social login can both be a part of your go-to-cloud strategy, but you must plan for this
upfront, rather than try to retrofit identity and access control at a later date.
Unleashing Twitter Data for Fun and Insight
Matthew Russell's "Unleashing Twitter Data for Fun and Insight" presentation from Strata 2011. Matthew Russell's "Unleashing Twitter Data for Fun and Insight" presentation from Strata 2011. See http://strataconf.com/strata2011/public/schedule/detail/17714 for an overview of the talk.
Unleashing twitter data for fun and insight
Matthew Russell, VP Engineering at Digital Reasoning, discusses techniques and results of mining twitter data for fun and insight
Similar to 2FA WTF (20)
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secrets
Secure All Teh Things - Add 2 factor authentication to your own CFML projects
Secure All Teh Things - Add 2 factor authentication to your own CFML projects
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
[DBA-Adv]_HiramFleitas_Hack_Protect_Predict_SQLServer_LearnThem
[DBA-Adv]_HiramFleitas_Hack_Protect_Predict_SQLServer_LearnThem
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite Perimeter
Patterns to Bring Enterprise and Social Identity to the Cloud
Patterns to Bring Enterprise and Social Identity to the Cloud
More from Kelley Robinson
Protecting your phone verification flow from fraud & abuse
Authenticate 2022 - SMS pumping prevention
Preventing phone verification fraud (SMS pumping)
In the last year we've seen a new type of fraud become more common where fraudsters attack phone verification forms with thousands of requests. This type of attack, known as SMS pumping, causes inflated traffic to your app with the intent to make money and not to steal information. Unfortunately this means you might be hit with higher than expected bills from your telecom provider if your application isn't designed to prevent it.
This talk will describe SMS pumping in more detail, including how it compares to similar attacks like IRSF and how fraudsters profit from this tactic. You'll learn strategies to prevent the attack and improve your phone verification workflow in the process, ensuring all of the benefits of phone number verification without unintended expenses.
Auth on the web: better authentication
New technology is challenging the premise that we have to choose between more friction or more security for authenticating users. This talk explores the benefits and drawbacks of frictionless authentication options beyond traditional one-time passcodes like biometrics, contextual data, or using devices as secure keys.
WebAuthn
Authentication is a sneaky problem - the most secure options don't usually have widespread adoption, especially among consumer applications. But what if we could fix that? Narrator: we can. WebAuthn is a somewhat new authentication standard that uses our everyday devices like phones and computers and turns them into phishing-resistant security keys. It almost sounds too good to be true. This talk will dig into how the technology works, when you can and should use it, and how to get started. We'll dig into why this isn't widely adopted yet and if or when we can expect it to be. You'll walk away with a better understanding of a new authentication channel and possibly some hope for a more secure future.
2FA in 2020 and Beyond
Security professionals agree: SMS based Two-factor Authentication (2FA) is insecure, yet thousands of companies still employ this method to secure their customer-facing applications. This talk will look at the evolution of authentication and provide a data-driven analysis of the tradeoffs between the different types of factors available.
Identiverse 2020 - Account Recovery with 2FA
You've built login for your application—and even added 2FA—but what happens when a customer upgrades their phone, loses their device, or otherwise gets locked out of their account? This session will show how to accommodate account recovery when the user has 2FA enabled while minimizing account takeover and support overhead.
Designing customer account recovery in a 2FA world
You've built login for your application—and even added 2FA—but what happens when a customer upgrades their phone, loses their device, or otherwise gets locked out of their account? This session will show how to accommodate account recovery when the user has 2FA enabled while minimizing account takeover and support overhead.
Introduction to SHAKEN/STIR
This talk will discuss the latest advancements with STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs), new tech standards that use well accepted public key cryptography methods to validate caller identification. We’ll discuss the path and challenges to getting this implemented industry wide, where this tech will fall short, and what we can do to limit exposure to call spam and fraud in the meantime.
Intro to SHAKEN/STIR
This talk will discuss the latest advancements with STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs), new tech standards that use well accepted public key cryptography methods to validate caller identification. We’ll discuss the path and challenges to getting this implemented industry wide, where this tech will fall short, and what we can do to limit exposure to call spam and fraud in the meantime.
PSD2, SCA, WTF?
A look at the Payment Services Directive 2 regulations and the Strong Customer Authentication requirements
BSides SF - Contact Center Authentication
You've built login for your application—maybe you even have 2FA—but what happens when a customer calls the support number listed on your website or product?
Security teams and app developers have thought a lot about online authentication, but we haven't applied the same rigor to designing systems for authenticating over the phone.
Communication @ Startups
Guest lecture for Carnegie Mellon's Software Engineering for Startups course in February 2019.
Contact Center Authentication
You've built login for your application—maybe you even have 2FA—but what happens when a customer calls the support number listed on your website or product?
Security teams and app developers have thought a lot about online authentication, but we haven't applied the same rigor to designing systems for authenticating over the phone. At Twilio, product and engineering teams have spent the last year thinking about this problem and how to make the experience better for both the customer and the call center agent. In that time, I've called dozens of contact centers to learn about how everyone from startups to Fortune 50 companies attempt to identify and authenticate the end user. This talk will take a look at that research and outline best practices you can use in your own call centers. You'll leave the session understanding what information should be made available to the agent and what kind of product features you can build into your web or mobile application that can facilitate phone authentication.
Authentication Beyond SMS
Passwords get pwned. SMS 2FA gets compromised. We spend time clicking stop signs just to convince computers we're human. All of this in an attempt to identify a user we will probably never personally know. It's a fascinating challenge and we're up to the task!
This talk will walk through new channels for identity management beyond email and SMS. Encrypted messaging apps like WhatsApp broaden our options for delivering tokens and secure communications but lack the seamless user experience of Push Authentication or the offline benefits of TOTP. We'll dive into the tradeoffs for these approaches and help you choose the approach that will best protect you and your customers from signup to account recovery.
BSides PDX - Threat Modeling Authentication
Passwords get pwned. SMS 2FA gets compromised. We spend time clicking stop signs to convince computers we’re human. Is there a better way?
Practical Cryptography
Crypto is used for a lot more than just currencies. This talk will dive into modern cryptography, the math behind how it works, and its everyday use cases. By looking at the origins of cryptography we’ll follow the progression of methods and algorithms as humans and computers evolved.
More from Kelley Robinson (20)
Protecting your phone verification flow from fraud & abuse
Protecting your phone verification flow from fraud & abuse
Designing customer account recovery in a 2FA world
Designing customer account recovery in a 2FA world
Recently uploaded
Technical Drawings introduction to drawing of prisms
Method of technical Drawing of prisms,and cylinders.
ACEP Magazine edition 4th launched on 05.06.2024
This document provides information about the third edition of the magazine "Sthapatya" published by the Association of Civil Engineers (Practicing) Aurangabad. It includes messages from current and past presidents of ACEP, memories and photos from past ACEP events, information on life time achievement awards given by ACEP, and a technical article on concrete maintenance, repairs and strengthening. The document highlights activities of ACEP and provides a technical educational article for members.
Governing Equations for Fundamental Aerodynamics_Anderson2010.pdf
Governing Equations for Fundamental Aerodynamics
AIR POLLUTION lecture EnE203 updated.pdf
this is a lecture for air pollution lesson in the subject of Ene 203
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
学校原件一模一样【微信:741003700 】《(ANU毕业证书)澳洲国立大学毕业证》【微信:741003700 】学位证,留信认证(真实可查,永久存档)原件一模一样纸张工艺/offer、雅思、外壳等材料/诚信可靠,可直接看成品样本,帮您解决无法毕业带来的各种难题!外壳,原版制作,诚信可靠,可直接看成品样本。行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题,包您满意。
本公司拥有海外各大学样板无数,能完美还原。
1:1完美还原海外各大学毕业材料上的工艺:水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700
【主营项目】
一.毕业证【q微741003700】成绩单、使馆认证、教育部认证、雅思托福成绩单、学生卡等!
二.真实使馆公证(即留学回国人员证明,不成功不收费)
三.真实教育部学历学位认证(教育部存档!教育部留服网站永久可查)
四.办理各国各大学文凭(一对一专业服务,可全程监控跟踪进度)
如果您处于以下几种情况:
◇在校期间,因各种原因未能顺利毕业……拿不到官方毕业证【q/微741003700】
◇面对父母的压力,希望尽快拿到;
◇不清楚认证流程以及材料该如何准备;
◇回国时间很长,忘记办理;
◇回国马上就要找工作,办给用人单位看;
◇企事业单位必须要求办理的
◇需要报考公务员、购买免税车、落转户口
◇申请留学生创业基金
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
原版制作(unimelb毕业证书)墨尔本大学毕业证Offer一模一样
学校原件一模一样【微信:741003700 】《(unimelb毕业证书)墨尔本大学毕业证》【微信:741003700 】学位证,留信认证(真实可查,永久存档)原件一模一样纸张工艺/offer、雅思、外壳等材料/诚信可靠,可直接看成品样本,帮您解决无法毕业带来的各种难题!外壳,原版制作,诚信可靠,可直接看成品样本。行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题,包您满意。
本公司拥有海外各大学样板无数,能完美还原。
1:1完美还原海外各大学毕业材料上的工艺:水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700
【主营项目】
一.毕业证【q微741003700】成绩单、使馆认证、教育部认证、雅思托福成绩单、学生卡等!
二.真实使馆公证(即留学回国人员证明,不成功不收费)
三.真实教育部学历学位认证(教育部存档!教育部留服网站永久可查)
四.办理各国各大学文凭(一对一专业服务,可全程监控跟踪进度)
如果您处于以下几种情况:
◇在校期间,因各种原因未能顺利毕业……拿不到官方毕业证【q/微741003700】
◇面对父母的压力,希望尽快拿到;
◇不清楚认证流程以及材料该如何准备;
◇回国时间很长,忘记办理;
◇回国马上就要找工作,办给用人单位看;
◇企事业单位必须要求办理的
◇需要报考公务员、购买免税车、落转户口
◇申请留学生创业基金
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
原版一模一样【微信:741003700 】【(csu毕业证书)查尔斯特大学毕业证硕士学历】【微信:741003700 】学位证,留信认证(真实可查,永久存档)offer、雅思、外壳等材料/诚信可靠,可直接看成品样本,帮您解决无法毕业带来的各种难题!外壳,原版制作,诚信可靠,可直接看成品样本。行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题,包您满意。
本公司拥有海外各大学样板无数,能完美还原海外各大学 Bachelor Diploma degree, Master Degree Diploma
1:1完美还原海外各大学毕业材料上的工艺:水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
PROJECT FORMAT FOR EVS AMITY UNIVERSITY GWALIOR.ppt
Ppt on evs amity University project work.........................??????!?!?!?!!?!!?!!?/?/?/?/?/?
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Horizon Generation
Water billing management system project report.pdf
Our project entitled “Water Billing Management System” aims is to generate Water bill with all the charges and penalty. Manual system that is employed is extremely laborious and quite inadequate. It only makes the process more difficult and hard.
The aim of our project is to develop a system that is meant to partially computerize the work performed in the Water Board like generating monthly Water bill, record of consuming unit of water, store record of the customer and previous unpaid record.
We used HTML/PHP as front end and MYSQL as back end for developing our project. HTML is primarily a visual design environment. We can create a android application by designing the form and that make up the user interface. Adding android application code to the form and the objects such as buttons and text boxes on them and adding any required support code in additional modular.
MySQL is free open source database that facilitates the effective management of the databases by connecting them to the software. It is a stable ,reliable and the powerful solution with the advanced features and advantages which are as follows: Data Security.MySQL is free open source database that facilitates the effective management of the databases by connecting them to the software.
[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf
Kinematics 11th jpp- 01. ( Solved ) unacademy namo kaul on 14th may...
Building Electrical System Design & Installation
Guide for Building Electrical System Design & Installation
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
IIT毕业证原版定制【微信:176555708】【伊利诺伊理工大学毕业证成绩单-学位证】【微信:176555708】(留信学历认证永久存档查询)采用学校原版纸张、特殊工艺完全按照原版一比一制作(包括:隐形水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠,文字图案浮雕,激光镭射,紫外荧光,温感,复印防伪)行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备,十五年致力于帮助留学生解决难题,业务范围有加拿大、英国、澳洲、韩国、美国、新加坡,新西兰等学历材料,包您满意。
◆◆◆◆◆ — — — — — — — — 【留学教育】留学归国服务中心 — — — — — -◆◆◆◆◆
【主营项目】
一.毕业证【微信:176555708】成绩单、使馆认证、教育部认证、雅思托福成绩单、学生卡等!
二.真实使馆公证(即留学回国人员证明,不成功不收费)
三.真实教育部学历学位认证(教育部存档!教育部留服网站永久可查)
四.办理各国各大学文凭(一对一专业服务,可全程监控跟踪进度)
如果您处于以下几种情况:
◇在校期间,因各种原因未能顺利毕业……拿不到官方毕业证【微信:176555708】
◇面对父母的压力,希望尽快拿到;
◇不清楚认证流程以及材料该如何准备;
◇回国时间很长,忘记办理;
◇回国马上就要找工作,办给用人单位看;
◇企事业单位必须要求办理的
◇需要报考公务员、购买免税车、落转户口
◇申请留学生创业基金
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分→ 【关于价格问题(保证一手价格)
我们所定的价格是非常合理的,而且我们现在做得单子大多数都是代理和回头客户介绍的所以一般现在有新的单子 我给客户的都是第一手的代理价格,因为我想坦诚对待大家 不想跟大家在价格方面浪费时间
对于老客户或者被老客户介绍过来的朋友,我们都会适当给一些优惠。
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
选择实体注册公司办理,更放心,更安全!我们的承诺:可来公司面谈,可签订合同,会陪同客户一起到教育部认证窗口递交认证材料,客户在教育部官方认证查询网站查询到认证通过结果后付款,不成功不收费!
学历顾问:微信:176555708
Recently uploaded (20)
Technical Drawings introduction to drawing of prisms
Technical Drawings introduction to drawing of prisms
Governing Equations for Fundamental Aerodynamics_Anderson2010.pdf
Governing Equations for Fundamental Aerodynamics_Anderson2010.pdf
PROJECT FORMAT FOR EVS AMITY UNIVERSITY GWALIOR.ppt
PROJECT FORMAT FOR EVS AMITY UNIVERSITY GWALIOR.ppt
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
Water billing management system project report.pdf
Water billing management system project report.pdf
[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf
[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf
Fundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptx
2FA WTF
- 2. 2 FA T W O - FAC TO R AU T H E N T I C AT I O N
- 3. W T F ? !
- 8. h a v e i b e e n p w n e d . c o m
- 9. Password Count 1 123456 22,390,492 2 123456789 7,481,454 3 qwerty 3,752,262 4 111111 3,006,809 5 12345678 2,840,404 6 abc123 2,803,614 7 1234567 2,425,568 8 12345 2,308,872 9 234567890 2,187,868 10 123123 2,143,807 11 000000 1,910,126 12 iloveyou 1,581,914 MOST COMMON PASSWORDS . . . myspace1 735,605
- 11. PA S S WO R D S A R E N ' T E N O U G H
- 12. Factors • Something you know • Something you have • Something you are
- 14. “We learned that SMS-based authentication is not nearly as secure as we would hope. ”Reddit Security Incident Disclosure - 2018-08-01
- 15. Why is SMS Bad? • SS7 vulnerabilities • SIM swapping (social engineering) Link: The Post SS7 Future of 2FA
- 16. SMS Alternatives • YubiKey • Push • TOTP
- 17. YubiKey
- 18. Push
- 19. TOTP (Time-based One Time Passwords)
- 20. TOT P A LG O R I T H M
- 21. 1 . S E C R E T K E Y
- 22. 2 . C U R R E N T T I M E
- 23. 3 . S I G N I N G F U N C T I O N
- 24. 4 . T R U N C AT E
- 26. __________________ | | Don't roll your own crypto! |__________________| (__/) || (•ㅅ•) || / づ
- 27. 2FA & You
- 28. 2FA & Your Website
- 29. “Requiring token-based 2FA [for employees] to gain entry. ”Reddit Security Incident Disclosure - 2018-08-01
- 30. Employees Moderators Everyone else Potential Reddit 2FA Model Required token based 2FA Required 2FA Optional 2FA * *might be managed by IT, not dev
- 31. Balance over $250k Balance over $10k Everyone else Potential Banking 2FA Model Required token based 2FA Required 2FA Optional 2FA
- 32. The risk profile of your users is specific to your business
- 33. SMS 2FA is still better than no 2FA
- 34. Aim for a seamless user experience with 2FA ]