You may recognize Two-factor Authentication (2FA) as an additional safeguard for protecting accounts, but do you really know how it works? This talk will show you how to implement One Time Passwords (including what's happening under the hood of those expiring tokens) and even provide a legitimate use case for QR codes! You'll come away recognizing the different approaches to implementing a 2FA solution and have a better understanding of the solution that's right for your application.
Google Secrets - American Society of Dental Aesthetics (Ted Ricasa)
Powerful Google secrets hidden in plain sight. Spy on the competition, know what they are doing, know when they do it. Track industry leaders, find out who they are and what they are talking about. Catch a thief, set a plagiarism trap, protect your content.
Updated version of this presentation, as presented at #mm16ro on 28th October 2016.
Find out more about the features of product search in Magento 2. Learn about search operators, MySQL fulltext search and more.
At the end, you will find tips on how to improve the user experience, either using Magento 2 default tools, extensions or external search engines.
Innovation in marketing by @bdr_Alsaad - Marketing creativity by Badr Al-Saad (Noura Alandas)
This presentation was given by the Saudi marketer Badr Al-Saad @bdr_alsaad at the #Reelmarketing2 forum, supervised and organized by the students of the Marketing Club at King Saud University @Mktclub1.
As more businesses migrate their employee email and data into collaborative cloud platforms, default configurations, even in a secured environment, could leave them susceptible to attacks. While these platforms create a centralized way to collaborate, manage access and view the world from a single pane of glass -- they also create unique attack paths that attackers can leverage using built-in APIs.
In this presentation, we will explore an innovative approach to red teaming organizations that use Google Suite as their main cloud provider. We will walk through leveraging features to inject calendar events, phishing credentials, capturing 2-factor tokens, backdooring accounts and finally pilfering secrets. Techniques presented will also be incorporated and released as modules within MailSniper.
Secure All Teh Things - Add 2 factor authentication to your own CFML projects (Rob Dudley)
Delivered at CFCamp 2018 in Munich, Germany.
Security is getting more and more important. Two-factor authentication will help you secure your logins.
In this session, Rob shows you how to implement two-factor authentication for your own website. Learn about the different protocols: FIDO U2F, Yubico OTP, challenge-response, etc.
See how you can use your personal YubiKey for your own website.
Everyone has at least one password, but that's not enough anymore. When is that not enough? Passwords get out of your hands all the time. You know your password, but what about using something you have in addition to what you know? Let's look at how you can leverage your mobile device for added security, and implement it in your projects. This talk will cover how two-factor auth works, how to use it, and the ins and outs of rolling your own solution using Time-based One-time Passwords (TOTP) (and the Google Authenticator app) or a third-party service, and the pitfalls of both. AWS, Mailchimp, Dropbox and Facebook integrate two-factor authentication and you can too! There's no reason not to use it!
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo (Shakacon)
LastPass is a popular password manager that integrates with browsers through plugins. One of the most interesting features is the fact that the encrypted vault is stored on LastPass' servers, but they have no access to the content since the master password never leaves the user's machine. All encryption and decryption happens locally. Password managers are a single point of failure by design and therefore they need to be secure. A tool with the sole purpose of storing all your secrets is an important target for any attacker.
The most valuable piece of information is the master password. It is the key to decrypt the data and gain complete access. Research has been done on different attack vectors, but the focus has been on leaking passwords stored in the vault. This presentation will focus on how it is possible to steal and decrypt the master password. In addition, I will also demonstrate an additional attack vector that results in full access to the vault without the need for the master password: two different attacks to achieve the same goal, full access to the vault. But given that LastPass supports two-factor authentication, I will also demonstrate how to bypass it. Last but not least, I will release a Metasploit module that will automate the whole process: stealing the master password, leaking the encryption key and bypassing two-factor authentication.
When running any number of systems, gaining visibility into what they are doing can be a non-trivial matter. Starting on the path to monitoring can prove bumpy, and if you don't measure, you don't know. In this session, Michael Fiedler, Director of TechOps, will speak on personal experience with scalability, deployment, and monitoring challenges prior to using Datadog, and how that changed. He will cover how to get started, and examples of where monitoring the company's platform with Datadog provided the guiding light towards the team solving scalability problems.
- TITLE: Hack / Protect / Predict SQL Server - Come learn them.
Speaker: Fleitas, Hiram
Duration: 60 minutes
Track: Application & Database Development
Level: Advanced
https://www.sqlsaturday.com/801/Sessions/Details.aspx?sid=83672
- ABSTRACT:
In this session, I'll show you how to hack SQL Server using a simple C# console application and other tools. Most importantly, I'll show you how to protect vectors that perhaps you're trying to use to safeguard sensitive data for GDPR compliance.
1. Tabular Data Stream (TDS) Protocol
2. Dynamic Data Masking
3. Row Level Security (Yep...)
4. Database Source Control
Perhaps, you've seen these exploits before but do you really know how to reproduce them? Or, how to even protect yourself against them? No worries, I'll show you the way along with a load test.
Finally, I am very excited to share with you how to analyze text using pre-trained Machine Learning models to predict a sentiment, on-prem with SQL Server 2017.
5. SQL ML / AI - A deep dive to predict the sentiment
Looking forward to meeting you all.
- BIO:
Hiram Fleitas is the Principal Database Architect at Universal Property and Casualty Insurance Company and leads the company's intelligent edge using Microsoft's data platform. He is currently developing database applications using Machine Learning models trained on claims, policy, and social media data to predict business opportunities for customer satisfaction and loyalty in real time.
He has worked with SQL Server for 20 years, from version 6.0 to 2019, with some of the largest companies in the world. He's spoken on SQL Server at User Groups, South Florida Code Camp, PASS SQL Saturdays, and corporate business events, often presenting talks on security, performance, DevOps, machine learning, and business intelligence. He coded his first program in BASIC when he was 13 years old as a school project and has had a passion for computers ever since.
Hiram is also a code contributor to several opensource projects and serves as an IS Flotilla Staff Officer for the United States Coast Guard Auxiliary. On his time off he mostly enjoys spending time with his wife Christina and two kids, Ocean and Skylar Fleitas. He also wakeboards, wakesurfs, snowboards and does endurance training events by GORUCK’s Cadre-led decorated combat veterans of Special Operations.
https://linkedin.com/in/hiramfleitas/
https://fleitasarts.com
- DATE & TIME:
Saturday - Oct 6, 2018
11:00 am - 12:00 pm Presentation
- LOCATION:
Seminole State College
Partnership Building
100 Weldon Blvd Building UP, Sanford, Florida, 32773
Room #: R1
http://seminolestate.edu
- Follow #SQLSatOrlando on Twitter
https://twitter.com/hashtag/SQLSatOrlando
- Follow @HiramFleitas on Twitter
https://twitter.com/hiramfleitas
Red Team Tactics for Cracking the GSuite Perimeter (Mike Felch)
As more corporations adopt Google for providing cloud services they are also inheriting the security risks associated with centralized computing, email and data storage outside the perimeter. In order for pentesters and red teamers to remain effective in analyzing security risks, they must adapt techniques in a way that brings value to the customer.
In this presentation we will begin by demonstrating adaptive techniques to crack the perimeter of Google Suite customers. Next, we will show how evasion can be accomplished by hiding in plain-sight due to failures in incident response plans. Finally, we will also show how a simple compromise could mean collateral damage for customers who are not carefully monitoring these cloud environments.
After the Data Breach: Stolen Credentials (SBWebinars)
Credentials don’t start out on the dark web - they end there.
When usernames and passwords are compromised in a data breach, the consequences extend far beyond the victim organization due to rampant password reuse. For this reason, NIST recently recommended that organizations check users' credentials against a set of known compromised passwords. However, by patronizing dark web forums and paying for spilled credentials, enterprises indirectly support the criminal ecosystem. Furthermore, attackers often don't publicly post stolen data until months or years after the breach, if at all. Is there a better way to follow NIST guidelines and protect users from account takeover?
Join Justin Richer, co-author of NIST Digital Identity Guidelines 800-63B, and Gautam Agarwal, Blackfish Product Manager, for a lively discussion on NIST’s password recommendations and how best to prevent account takeover fraud at your organization.
Agenda:
The Threat of Stolen Credentials
Reasoning Behind NIST’s Password Recommendations
Ways to Manage a Password “Breach Corpus”
How Blackfish Helps Organizations Follow NIST Guidelines
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf (Lior Rotkovitch)
Part of F5 mitigations series
Brute force on apps is on the rise
Will become WBT @ F5U
Conclusion:
Internet brute force can go undetected and is a serious threat to applications
F5 owns the largest set of options to detect and prevent application brute force
In this talk, we will dive into the data captured during last year's Wall of Sheep: the applications and protocols that are giving away your credentials. This is something that anyone, with the right level of knowledge and inclination, could certainly do with a few basic ingredients. We will enumerate them. The dataset we will focus on was gathered as part of the Wall of Sheep contest during DEF CON 22. While this data was gathered using an off-the-shelf technology, that platform will not be the topic we discuss. Rather, we will focus on the types and scope of data sent totally in the clear for all to see. Additionally, we will discuss the ramifications this might have in a less "friendly" environment, where loss of one's anonymity might really, really suck. Finally, we will discuss and recommend ways you can hamper this type of collection.
Security can seem intimidating and complex for many of us, but we shouldn’t (can’t) let that stop us from making sure we’re doing everything we can to secure our WordPress sites. After all, our websites are often part of our livelihood.
In this session Adam will discuss the “big picture” of website security and break down the fundamental tasks needed for a strong security plan, in order of importance. Adam will provide an actionable checklist on what you can start doing today to better secure your WordPress websites.
After attending this session, audience members will have a better understanding of website security as a whole and what steps they can take to mitigate risk. Attendees will be able to start building their WordPress security master plan immediately.
Patterns to Bring Enterprise and Social Identity to the Cloud (CA API Management)
In this session, we will look at strategies to incorporate identity into cloud applications. Enterprise identity or social login can both be a part of your go-to-cloud strategy, but you must plan for this upfront, rather than try to retrofit identity and access control at a later date.
Matthew Russell's "Unleashing Twitter Data for Fun and Insight" presentation from Strata 2011. See http://strataconf.com/strata2011/public/schedule/detail/17714 for an overview of the talk.
In the last year we've seen a new type of fraud become more common where fraudsters attack phone verification forms with thousands of requests. This type of attack, known as SMS pumping, causes inflated traffic to your app with the intent to make money and not to steal information. Unfortunately this means you might be hit with higher than expected bills from your telecom provider if your application isn't designed to prevent it.
This talk will describe SMS pumping in more detail, including how it compares to similar attacks like IRSF and how fraudsters profit from this tactic. You'll learn strategies to prevent the attack and improve your phone verification workflow in the process, ensuring all of the benefits of phone number verification without unintended expenses.
New technology is challenging the premise that we have to choose between more friction or more security for authenticating users. This talk explores the benefits and drawbacks of frictionless authentication options beyond traditional one-time passcodes, such as biometrics, contextual data, or using devices as secure keys.
Authentication is a sneaky problem - the most secure options don't usually have widespread adoption, especially among consumer applications. But what if we could fix that? Narrator: we can. WebAuthn is a somewhat new authentication standard that uses our everyday devices like phones and computers and turns them into phishing-resistant security keys. It almost sounds too good to be true. This talk will dig into how the technology works, when you can and should use it, and how to get started. We'll dig into why this isn't widely adopted yet and if or when we can expect it to be. You'll walk away with a better understanding of a new authentication channel and possibly some hope for a more secure future.
Security professionals agree: SMS-based Two-factor Authentication (2FA) is insecure, yet thousands of companies still employ this method to secure their customer-facing applications. This talk will look at the evolution of authentication and provide a data-driven analysis of the tradeoffs between the different types of factors available.
Designing customer account recovery in a 2FA world - Kelley Robinson
You've built login for your application—and even added 2FA—but what happens when a customer upgrades their phone, loses their device, or otherwise gets locked out of their account? This session will show how to accommodate account recovery when the user has 2FA enabled while minimizing account takeover and support overhead.
This talk will discuss the latest advancements with STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs), new tech standards that use well-accepted public key cryptography methods to validate caller identification. We'll discuss the path and challenges to getting this implemented industry-wide, where this tech will fall short, and what we can do to limit exposure to call spam and fraud in the meantime.
You've built login for your application—maybe you even have 2FA—but what happens when a customer calls the support number listed on your website or product?
Security teams and app developers have thought a lot about online authentication, but we haven't applied the same rigor to designing systems for authenticating over the phone. At Twilio, product and engineering teams have spent the last year thinking about this problem and how to make the experience better for both the customer and the call center agent. In that time, I've called dozens of contact centers to learn about how everyone from startups to Fortune 50 companies attempt to identify and authenticate the end user. This talk will take a look at that research and outline best practices you can use in your own call centers. You'll leave the session understanding what information should be made available to the agent and what kind of product features you can build into your web or mobile application that can facilitate phone authentication.
Passwords get pwned. SMS 2FA gets compromised. We spend time clicking stop signs just to convince computers we're human. All of this in an attempt to identify a user we will probably never personally know. It's a fascinating challenge and we're up to the task!
This talk will walk through new channels for identity management beyond email and SMS. Encrypted messaging apps like WhatsApp broaden our options for delivering tokens and secure communications but lack the seamless user experience of Push Authentication or the offline benefits of TOTP. We'll dive into the tradeoffs for these approaches and help you choose the approach that will best protect you and your customers from signup to account recovery.
Crypto is used for a lot more than just currencies. This talk will dive into modern cryptography, the math behind how it works, and its everyday use cases. By looking at the origins of cryptography we’ll follow the progression of methods and algorithms as humans and computers evolved.
ACEP Magazine edition 4th launched on 05.06.2024 - Rahul
This document provides information about the third edition of the magazine "Sthapatya" published by the Association of Civil Engineers (Practicing) Aurangabad. It includes messages from current and past presidents of ACEP, memories and photos from past ACEP events, information on lifetime achievement awards given by ACEP, and a technical article on concrete maintenance, repairs and strengthening. The document highlights activities of ACEP and provides a technical educational article for members.
Water billing management system project report.pdf - Kamal Acharya
Our project, entitled "Water Billing Management System", aims to generate water bills with all the charges and penalties. The manual system currently employed is extremely laborious and quite inadequate; it only makes the process more difficult.
The aim of our project is to develop a system that is meant to partially computerize the work performed in the Water Board like generating monthly Water bill, record of consuming unit of water, store record of the customer and previous unpaid record.
We used HTML/PHP as the front end and MySQL as the back end for developing our project. HTML is primarily a visual design environment. We can create an Android application by designing the form and the controls that make up the user interface, adding application code to the form and to the objects on it, such as buttons and text boxes, and adding any required support code in additional modules.
MySQL is a free, open source database that facilitates the effective management of databases by connecting them to the software. It is a stable, reliable and powerful solution with advanced features and advantages, which are as follows: Data Security.