Passwords get pwned. SMS 2FA gets compromised. We spend time clicking stop signs just to convince computers we're human. All of this in an attempt to identify a user we will probably never personally know. It's a fascinating challenge and we're up to the task!
This talk will walk through new channels for identity management beyond email and SMS. Encrypted messaging apps like WhatsApp broaden our options for delivering tokens and secure communications but lack the seamless user experience of Push Authentication or the offline benefits of TOTP. We'll dive into the tradeoffs for these approaches and help you choose the approach that will best protect you and your customers from signup to account recovery.
Bug bounty programs offer numerous benefits to the sponsoring companies. Government organizations as well as private organizations will benefit if they have bug hunters sniffing around on their network.
Evil User Stories - Improve Your Application Security (Anne Oikarinen)
This document discusses using "evil user stories" to improve application security. Evil user stories describe how attackers might compromise systems or abuse features from a malicious perspective. They can help security teams think like attackers and identify threats early. The document provides examples of evil user stories and corresponding mitigations that could be used to refine security testing and prevent vulnerabilities.
Beyond identity soft choice tech you oughta know 03042022 (Philip Moroni)
Beyond Identity aims to deliver the industry's first un-phishable and frictionless multi-factor authentication by removing passwords and continuously assessing risk signals from endpoints, detection technologies, and AI/ML. Their mission is to radically improve how organizations protect their modern cloud and hybrid environments with a "passwordless" approach. They value putting customers first and promoting trust, integrity, and blameless collaboration within the team.
Continuous Acceleration with a Software Supply Chain Approach (Sonatype)
This document appears to be notes from a presentation given by Gene Kim and Josh Corman on continuous acceleration using a software supply chain approach. It includes slides on where organizations have been with IT operations and development being at war, the benefits organizations see when adopting DevOps practices, and observations from the DevOps Enterprise Summit. It discusses the importance of security and compliance being integrated into development processes. The presentation aims to discuss where organizations want to go in terms of innovating faster while maintaining quality, timelines and budgets.
User Reviews: Your Best Kept Content Marketing Secret (Uberflip)
This document summarizes a webinar about how companies can leverage user reviews to accelerate sales. The webinar discusses how buyers are increasingly relying on peer reviews in their purchase decisions and search behavior. It then provides best practices for companies to build a strong user review program, including acquiring reviews, maximizing review content value, refreshing reviews, responding to critique, and measuring success. Specific success stories are shared, such as how Tealium increased on-site conversion and pipeline by displaying reviews. The webinar concludes by providing resources for building a user review program to increase sales.
What is? Modern business questions 2014 (Exo Futures)
What is:
- Important
- Innovation
-- Is it only technology innovation?
- Entrepreneurship
- Money
- Cloud
-- Is it more than the internet?
- Mobility
- Big data
- Business Model
“Digital Transformation: Going Beyond Buzzwords” - ConveyUX Boston 2019 Keyno... (Jaime Levy Consulting)
Digital Transformation is not about applying the latest trending technology to your company’s value proposition out of fear of falling behind. Instead, it’s an overarching strategy with measurable milestones for reshaping the way that the business runs in order to provide a better customer experience. This requires senior leadership, product owners and cross-functional teams to evolve their corporate culture into one where collaboration, rapid experimentation, and process optimization is the norm. This talk provides a theoretical foundation along with practical techniques for the implementation of real Digital Transformation.
Cybercrime and the Developer Java2Days 2016 Sofia (Steve Poole)
The document discusses cybersecurity risks and how developers can help address them. It notes that cybercriminals target developers because they have privileged access and knowledge of systems. Developers are often too trusting and ignore security, installing software without checking for malware or disabling certificate validation. The talk urges developers to take security more seriously by keeping systems updated, using strong authentication, and being wary of suspicious network connections and downloads from untrusted sources. Developers must help address the growing problem of cybercrime by promoting secure development best practices.
The document discusses how conversion optimization is key to online marketing success. It explains that every interaction online is an opportunity for conversion, whether that's an ad click leading to a visit, or an email subscription. The rest of the funnel includes aggregating audiences, using analytics to understand metrics, and optimizing for better conversion rates. Subsequent sections cover understanding the customer psyche, common questions and concerns that must be addressed, user flow and persuasion techniques, and landing page design best practices focused on addressing the key questions and moving visitors towards the desired goal.
This document summarizes a webinar on safe digital credentials. It introduces the concept of safe credentials and outlines five tests to determine if credentials are safe: 1) preventing correlation by decoupling issuers and verifiers, 2) using safe signatures to prevent correlation, 3) ensuring portability and interoperability, 4) enabling flexibility and data minimization, and 5) ensuring trust goes both ways between individuals and organizations. The webinar featured a panel discussion between experts from Mastercard, CULedger, and Evernym on architecting credentials to maximize security, privacy, flexibility and interoperability.
Biometric authentication methods (BAM) use unique biological characteristics like fingerprints, irises, and facial features to verify someone's identity. Common biometric traits used include fingerprints, irises, faces, DNA, and voices. BAM is used for high security areas like airports, government buildings, and apps like banking. It works by comparing a stored biometric template to a new scan and authenticating if they match. While convenient, BAM raises privacy concerns if data is exposed, and identities cannot be changed if compromised. Overall, BAM replaces passwords and pins but does not significantly change markets or jobs.
The Future of Authentication - Verifiable Credentials / Self-Sovereign Identity (Evernym)
What does a world without passwords and usernames look like? What would a truly secure single sign-on system mean for your customer and employee experiences? What if multi-factor authentication was consistent and interoperable across the Internet?
On our July 9th webinar, we were joined by our partners at Condatis to dive into these very questions around the future of authentication, covering:
◙ The four types of authentication supported by Evernym today
◙ The flaws in today’s password-based, security question, and social login models
◙ The benefits of using verifiable portable credentials for authentication
◙ Using self-sovereign identity for multi-factor authentication
◙ A showcase of live SSI-enabled authentication projects
Presenters:
◙ Andy Tobin, EMEA Managing Director, Evernym
◙ Chris Eckl, Chief Technology Officer, Condatis
◙ James Monaghan, VP Product, Evernym
Devnexus 2017 Cybercrime and the Developer: How do you make a difference? (Steve Poole)
Cybercrime: how bad can it be? Organised attacks around the world in 2016 have shown how unprepared we are to deal with the growth of cybercrime. In this talk, learn a little about the scale of the challenge developers face from assaults on our systems. Be prepared to be appalled and scared. Fainting is not allowed. Discover how to fight back and see how you can change your behaviour and your code to defend against these attacks.
Your destiny is clear - it’s time to become a Cyber Defender.
CIS14: How I Came to Share Signals and Learned to Love my Identity System (CloudIDSummit)
Andrew Nash, Confyrm
A look at how operational notifications can be aggregated, processed and shared in ways that increase the resiliency and trust of your identity ecosystem.
Organizational Challenge of Enterprise Roadmapping (Rich Mironov)
At INDUSTRY EUROPE conference (Dublin, April 2019): Especially at enterprise software companies, there are some inherent mis-alignments among internal stakeholders that can complicate our product planning. This talk was an occasionally humorous look at the systemic conflicts between single-account-focused sales teams, market-focused product managers, and executives. How do we respect and understand each other when we may have very different objectives?
MarTech 2017: A Scientific Look at B2B Buying in the Age of AI (CaliberMind)
Raviv Turner, Co-Founder & CEO of CaliberMind, a B2B buyer journey analytics and orchestration platform and Gord Hotchkiss (author of The Buyersphere Project) share their findings on stage at MarTech 2017 from analyzing 11,257 IT buying journeys using CaliberMind, looking at structured and unstructured data (emails, recorded sales calls, sales notes, chats, social feeds) from CRM, MAP, Web Analytics and engagement systems.
Learn more here: https://www.calibermind.com/b2bcdi
*Learn about the growing complexity of B2B buying, multiple buyer personas, longer sales cycles, lower conversion.
*Learn why B2B companies are missing 80% of buying behavior signals from unstructured data (emails, sales calls, sales notes, social feeds, etc.).
*Learn why siloed marketing and sales stacks get in the way of accelerating B2B buying.
*Learn how an AI-powered Customer Data Platform can help you integrate, measure and optimize B2B marketing and sales throughout the entire customer journey by providing a holistic, data-driven perspective on revenue growth.
In this session, you’ll get an inside look at how CA Veracode’s content and messaging strategy has evolved around application developers, while still supporting aggressive pipeline goals for engaging and accelerating qualified leads and opportunities.
This is the new order of CRM. The value of a customer goes beyond the transaction. Social layered into transactional information gives brands a holistic view of the customer and greater context in their propensities as customers and potential advocates.
Email often seems more of a trick than a treat. Mysterious bounces, pixels that suddenly appear and change your formatting, graphics that don't render right are just a few issues that can make your hair stand on end. Join email expert, HighRoad Jenny, as she faces the top email fears head on and teaches you that there's nothing scary about email marketing.
Content Marketing World Presentation [Tech Industry Workshop]: Helping, Not H... (Deanna Lazzaroni)
I gave this presentation at Content Marketing World 2014 for a 6-hour Tech/Software Industry Workshop. Other presenters included Lee Odden, CEO at TopRank Online Marketing; Connie Bensen from Dell; Pam Didner, formerly from Intel and author of the new book "Global Content Marketing"; and Koka Sexton from LinkedIn's Sales Solutions team.
Online Listening and Opinion Analytics for Customer Care (Hugo Zaragoza)
Customer Care has gone Social, whether we like it or not...
Social Media Monitoring and Opinion Analytics tools are becoming a key technology to optimize Customer Care processes. But doing things right is HARD!
In this presentation Hugo Zaragoza, director of Websays, presents some of the opportunities and challenges ahead.
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report (Gene Kim)
Talk video: https://www.youtube.com/watch?v=5mbp3SEha38&t=1652s
Blog post: https://itrevolution.com/love-letter-to-clojure-part-1
I will explain how learning the Clojure programming language three years ago changed my life. It led to a series of revelations about all the invisible structures that are required to enable developers to be productive. These concepts show up all over The Unicorn Project, but most prominently in the First Ideal of Locality and Simplicity, and how it can lead to the Second Ideal of Focus, Flow, and Joy.
Without doubt, Clojure was one of the most difficult things I’ve learned professionally, but it has also been one of the most rewarding. It brought the joy of programming back into my life. For the first time in my career, as I’m nearing fifty years old, I’m finally able to write programs that do what I want them to do, and am able to build upon them for years without them collapsing like a house of cards, as has been my normal experience.
The famous French philosopher Claude Lévi-Strauss would say of certain tools, “Is it good to think with?” For reasons that I will try to explain in this post, Clojure embraces a set of design principles and sensibilities that were new to me: functional programming, immutability, an astonishingly strong sense of conservative minimalism (e.g., hardly any breaking changes in ten years!), and much more…
Clojure introduced to me a far better set of tools to think with and to also build with. It’s also led to a set of aha moments that explain why for decades my code would eventually fall apart, becoming more and more difficult to change, as if collapsing under its own weight. Learning Clojure taught me how to prevent myself from constantly self-sabotaging my code in this way.
How 200,000 companies including Century 21, Intercom, Reputation Squad, Worka... (Clément Delangue)
This document summarizes how over 200,000 companies have increased their media monitoring ROI with Mention. It provides examples of how companies like Century 21, Intercom, and Workable use Mention for high-level monitoring, community management, lead generation, consulting, and integrations. The document demonstrates Mention's real-time alerts, mobile access, analytics, and integrations with tools like Buffer, Giphy, and Zapier. It also outlines strategies for generating leads, competitive analysis, and increasing ROI through social customer support and partnerships.
Protecting your phone verification flow from fraud & abuse (Kelley Robinson)
The document discusses SMS pumping fraud and how to prevent it. SMS pumping involves abusing phone verification systems to trigger a large number of SMS messages to generate revenue from mobile carriers. Attackers enroll phone numbers from different carriers, have one-time passwords sent to each number, and carriers share the resulting SMS revenue with the attackers. The document recommends ways for websites to protect against this fraud, such as adding CAPTCHAs, setting rate limits on messages to numbers, implementing delays between verification attempts, restricting destination countries, and monitoring OTP conversion rates.
In the last year we've seen a new type of fraud become more common where fraudsters attack phone verification forms with thousands of requests. This type of attack, known as SMS pumping, causes inflated traffic to your app with the intent to make money and not to steal information. Unfortunately this means you might be hit with higher than expected bills from your telecom provider if your application isn't designed to prevent it.
This talk will describe SMS pumping in more detail, including how it compares to similar attacks like IRSF and how fraudsters profit from this tactic. You'll learn strategies to prevent the attack and improve your phone verification workflow in the process, ensuring all of the benefits of phone number verification without unintended expenses.
Similar to BSides PDX - Threat Modeling Authentication
The document discusses improving authentication on the web while reducing friction for users. It covers using biometric authentication, background signals from devices, and turning devices into authentication keys. The presenter recommends limiting stored data, using contextual data for step-up authentication, offering device authentication where possible, and planning for fallback options in case primary authentication fails. Overall, the goal is to make authentication secure yet easy for users.
Authentication is a sneaky problem - the most secure options don't usually have widespread adoption, especially among consumer applications. But what if we could fix that? Narrator: we can. WebAuthn is a somewhat new authentication standard that uses our everyday devices like phones and computers and turns them into phishing-resistant security keys. It almost sounds too good to be true. This talk will dig into how the technology works, when you can and should use it, and how to get started. We'll dig into why this isn't widely adopted yet and if or when we can expect it to be. You'll walk away with a better understanding of a new authentication channel and possibly some hope for a more secure future.
This document provides an introduction to public key cryptography. It explains that public key crypto uses two keys - a public key that can be shared and a private key that is kept secret. The document discusses how public key crypto works using RSA encryption as an example. It also covers other common public key crypto algorithms like Diffie-Hellman key exchange and elliptic curve cryptography. The document discusses key sizes and their relationship to security strength and provides examples of public key crypto implementations in Python.
Security professionals agree: SMS-based Two-factor Authentication (2FA) is insecure, yet thousands of companies still employ this method to secure their customer-facing applications. This talk will look at the evolution of authentication and provide a data-driven analysis of the tradeoffs between the different types of factors available.
Designing customer account recovery in a 2FA world (Kelley Robinson)
You've built login for your application—and even added 2FA—but what happens when a customer upgrades their phone, loses their device, or otherwise gets locked out of their account? This session will show how to accommodate account recovery when the user has 2FA enabled while minimizing account takeover and support overhead.
This talk will discuss the latest advancements with STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs), new tech standards that use well accepted public key cryptography methods to validate caller identification. We’ll discuss the path and challenges to getting this implemented industry wide, where this tech will fall short, and what we can do to limit exposure to call spam and fraud in the meantime.
The document discusses how to build a better Scala community. It recommends practicing empathy by understanding others' perspectives, building trust through thoughtful questions and admitting mistakes, and empowering others by teaching, answering questions, and making space for new people. The key ideas are that community is important, should be inclusive of people from various backgrounds, and improved by experienced members helping and learning from others.
This document provides tips for communication at startups. It recommends knowing your audience and building relationships by sharing context and being concise. It also suggests asking thoughtful "why" questions to understand priorities and decisions. Finally, it advises documenting work through diagrams and written explanations to make "glue work" visible and help future communications.
You've built login for your application—maybe you even have 2FA—but what happens when a customer calls the support number listed on your website or product?
Security teams and app developers have thought a lot about online authentication, but we haven't applied the same rigor to designing systems for authenticating over the phone. At Twilio, product and engineering teams have spent the last year thinking about this problem and how to make the experience better for both the customer and the call center agent. In that time, I've called dozens of contact centers to learn about how everyone from startups to Fortune 50 companies attempt to identify and authenticate the end user. This talk will take a look at that research and outline best practices you can use in your own call centers. You'll leave the session understanding what information should be made available to the agent and what kind of product features you can build into your web or mobile application that can facilitate phone authentication.
This document provides an introduction to public key cryptography. It discusses how public key cryptography works using asymmetric key pairs with a public key and private key. The document explains how the RSA algorithm can be used for encrypting messages with a public key and signing with a private key. It also briefly covers other common public key algorithms like Diffie-Hellman key exchange and Elliptic Curve Cryptography. Key sizes and security strengths are discussed. Python implementations and everyday uses of public key cryptography are also mentioned.
The document discusses best practices for implementing two-factor authentication (2FA) using Authy. It covers why 2FA is important for security, different 2FA methods like SMS, push notifications, and time-based one-time passwords. The document also discusses potential issues with SMS 2FA, alternatives to SMS, onboarding users for 2FA, user experience with 2FA, and practical cryptography techniques used in 2FA apps like Authy. Several Twilio engineers provide insights into building phone verification at scale and preventing social engineering attacks using Twilio Flex.
Crypto is used for a lot more than just currencies. This talk will dive into modern cryptography, the math behind how it works, and its everyday use cases. By looking at the origins of cryptography we’ll follow the progression of methods and algorithms as humans and computers evolved.
You may recognize Two-factor Authentication (2FA) as an additional safeguard for protecting accounts, but do you really know how it works? This talk will show you how to implement One Time Passwords (including what's happening under the hood of those expiring tokens) and even provide a legitimate use case for QR codes! You'll come away recognizing the different approaches to implementing a 2FA solution and have a better understanding of the solution that's right for your application.
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT (jpsjournal1)
The rivalry between prominent international actors for dominance over Central Asia's hydrocarbon reserves and the ancient silk trade route, along with China's diplomatic endeavours in the area, has been referred to as the "New Great Game." This research centres on the power struggle, considering geopolitical, geostrategic, and geoeconomic variables. Topics including trade, political hegemony, oil politics, and conventional and nontraditional security are all explored and explained by the researcher. Using Mackinder's Heartland, Spykman's Rimland, and Hegemonic Stability theories, the study examines China's role in Central Asia. It adheres to the empirical epistemological method and takes care to maintain objectivity. The study critically analyzes primary and secondary research documents to elaborate the role of China's geo-economic outreach in Central Asian countries and its future prospects. According to this study, China is seeing significant success in commerce, pipeline politics, and gaining influence over other governments, thanks to the effective utilisation of key tools such as the Shanghai Cooperation Organisation and the Belt and Road Economic Initiative.
Introduction: e-waste, definition, sources of e-waste, hazardous substances in e-waste, effects of e-waste on the environment and human health, need for e-waste management, e-waste handling rules, waste minimization techniques for managing e-waste, recycling of e-waste, disposal and treatment methods of e-waste, mechanism of extraction of precious metals from leaching solution, global scenario of e-waste, e-waste in India, case studies.
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024 (Sinan KOZAK)
Sinan from the Delivery Hero mobile infrastructure engineering team shares a deep dive into performance acceleration with Gradle build cache optimizations. Sinan shares their journey into solving complex build-cache problems that affect Gradle builds. By understanding the challenges and solutions found in our journey, we aim to demonstrate the possibilities for faster builds. The case study reveals how overlapping outputs and cache misconfigurations led to significant increases in build times, especially as the project scaled up with numerous modules using Paparazzi tests. The journey from diagnosing to defeating cache issues offers invaluable lessons on maintaining cache integrity without sacrificing functionality.
Advanced control scheme of doubly fed induction generator for wind turbine us... (IJECEIAES)
This paper describes a speed control device for generating electrical energy on an electricity network based on the doubly fed induction generator (DFIG) used for wind power conversion systems. At first, a double-fed induction generator model was constructed. A control law is formulated to govern the flow of energy between the stator of a DFIG and the energy network using three types of controllers: proportional integral (PI), sliding mode controller (SMC) and second order sliding mode controller (SOSMC). Their different results in terms of power reference tracking, reaction to unexpected speed fluctuations, sensitivity to perturbations, and resilience against machine parameter alterations are compared. MATLAB/Simulink was used to conduct the simulations for the preceding study. Multiple simulations have shown very satisfying results, and the investigations demonstrate the efficacy and power-enhancing capabilities of the suggested control system.
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797... (shadow0702a)
This document serves as a comprehensive step-by-step guide on how to effectively use PyCharm for remote debugging of the Windows Subsystem for Linux (WSL) on a local Windows machine. It meticulously outlines several critical steps in the process, starting with the crucial task of enabling permissions, followed by the installation and configuration of WSL.
The guide then proceeds to explain how to set up the SSH service within the WSL environment, an integral part of the process. Alongside this, it also provides detailed instructions on how to modify the inbound rules of the Windows firewall to facilitate the process, ensuring that there are no connectivity issues that could potentially hinder the debugging process.
The document further emphasizes the importance of checking the connection between the Windows and WSL environments, providing instructions on how to ensure that the connection is working and ready for remote debugging.
It also offers an in-depth guide on how to configure the WSL interpreter and files within the PyCharm environment. This is essential for ensuring that the debugging process is set up correctly and that the program can be run effectively within the WSL terminal.
Additionally, the document provides guidance on how to set up breakpoints for debugging, a fundamental aspect of the debugging process which allows the developer to stop the execution of their code at certain points and inspect their program at those stages.
Finally, the document concludes by providing a link to a reference blog. This blog offers additional information and guidance on configuring the remote Python interpreter in PyCharm, providing the reader with a well-rounded understanding of the process.
Null Bangalore | Pentesters Approach to AWS IAM (Divyanshu)
# Abstract:
- Learn more about the real-world methods for auditing AWS IAM (Identity and Access Management) as a pentester. We proceed with a brief discussion of IAM as well as some typical misconfigurations and their potential exploits, in order to reinforce the understanding of IAM security best practices.
- Gain actionable insights into AWS IAM policies and roles, using a hands-on approach.
# Prerequisites:
- Basic understanding of AWS services and architecture
- Familiarity with cloud security concepts
- Experience using the AWS Management Console or AWS CLI
- For the hands-on lab, create an account on [killercoda.com](https://killercoda.com/cloudsecurity-scenario/)
# Scenario Covered:
- Basics of IAM in AWS
- Implementing IAM Policies with Least Privilege to Manage S3 Bucket
  - Objective: Create an S3 bucket with a least privilege IAM policy and validate access.
  - Steps:
    - Create S3 bucket.
    - Attach least privilege policy to IAM user.
    - Validate access.
- Exploiting IAM PassRole Misconfiguration
  - PassRole allows a user to pass a specific IAM role to an AWS service (EC2), typically used for service access delegation. The lab then exploits a PassRole misconfiguration that grants unauthorized access to sensitive resources.
  - Objective: Demonstrate how a PassRole misconfiguration can grant unauthorized access.
  - Steps:
    - Allow user to pass IAM role to EC2.
    - Exploit misconfiguration for unauthorized access.
    - Access sensitive resources.
- Exploiting IAM AssumeRole Misconfiguration with Overly Permissive Role
  - An overly permissive IAM role configuration can lead to privilege escalation: a role is created with administrative privileges and a user is allowed to assume it.
  - Objective: Show how overly permissive IAM roles can lead to privilege escalation.
  - Steps:
    - Create role with administrative privileges.
    - Allow user to assume the role.
    - Perform administrative actions.
- Differentiation between PassRole vs AssumeRole
Try at [killercoda.com](https://killercoda.com/cloudsecurity-scenario/)
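As an added example (not part of the talk or its killercoda lab), a small defender-side check in the spirit of the PassRole scenario above: it flags Allow statements that grant `iam:PassRole` on any role or without an `iam:PassedToService` condition, the shape described as a misconfiguration. The two sample policies and the account id are constructed.

```python
"""Added example (not from the talk or its lab): flag IAM policy statements
that grant iam:PassRole too broadly. Sample policies below are constructed."""
import json
from fnmatch import fnmatchcase

# Constructed sample: PassRole on every role, no service restriction.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
})

# Constructed sample: PassRole limited to one role and to EC2 (least privilege).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances"], "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            # placeholder account id, not a real one
            "Resource": "arn:aws:iam::123456789012:role/app-instance-role",
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        },
    ],
})


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def passrole_findings(policy_json: str) -> list:
    """Return one finding per Allow statement that grants iam:PassRole too broadly.

    Action wildcards such as "iam:*" or "*" count as granting PassRole;
    Resource "*" or a "role/*" suffix means any role may be passed.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatchcase("iam:passrole", pattern) for pattern in actions):
            continue
        issues = []
        resources = _as_list(stmt.get("Resource", []))
        if any(r == "*" or r.endswith("role/*") for r in resources):
            issues.append("PassRole allowed on any role")
        condition = stmt.get("Condition", {})
        services = [v for operator in condition.values()
                    for key, v in operator.items() if key.lower() == "iam:passedtoservice"]
        if not services:
            issues.append("no iam:PassedToService condition")
        if issues:
            findings.append({"statement": idx, "issues": issues})
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, passrole_findings(doc))
```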
artificial intelligence and data science contents.pptx (GauravCar)
What is artificial intelligence? Artificial intelligence is the ability of a computer or computer-controlled robot to perform tasks that are commonly associated with the intellectual processes characteristic of humans, such as the ability to reason.
Discover the latest insights on Data Driven Maintenance with our comprehensive webinar presentation. Learn about traditional maintenance challenges, the right approach to utilizing data, and the benefits of adopting a Data Driven Maintenance strategy. Explore real-world examples, industry best practices, and innovative solutions like FMECA and the D3M model. This presentation, led by expert Jules Oudmans, is essential for asset owners looking to optimize their maintenance processes and leverage digital technologies for improved efficiency and performance. Download now to stay ahead in the evolving maintenance landscape.
Electric vehicle and photovoltaic advanced roles in enhancing the financial p... (IJECEIAES)
Climate change's impact on the planet forced the United Nations and governments to promote green energies and electric transportation. The deployment of photovoltaic (PV) and electric vehicle (EV) systems gained stronger momentum due to their numerous advantages over fossil fuel types. The advantages go beyond sustainability to reach financial support and stability. The work in this paper introduces a hybrid system between PV and EV to support industrial and commercial plants. This paper covers the theoretical framework of the proposed hybrid system, including the required equations to complete the cost analysis when PV and EV are present. In addition, the proposed design diagram, which sets the priorities and requirements of the system, is presented. The proposed approach allows setups to improve their power stability, especially during power outages. The presented information supports researchers and plant owners in completing the necessary analysis while promoting the deployment of clean energy. The result of a case study that represents a dairy milk farmer supports the theoretical work and highlights its advanced benefits to existing plants. The short return on investment of the proposed approach supports the paper's novel approach for the sustainable electrical system. In addition, the proposed system allows for an isolated power setup without the need for a transmission line, which enhances the safety of the electrical network.
4. @kelleyrobinson
“How can we help users avoid harm? This begins with a clear understanding of the actual harms they face, and a realistic understanding of their constraints.” Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
21. @kelleyrobinson
“It is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them.” Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
23. @kelleyrobinson
🚩 What can go wrong?
1. Compromised factors (hacked, guessed, or brute forced)
2. Phishing or vishing
https://www.nds.rub.de/media/ei/veroeffentlichungen/2017/01/13/OIDCSecurity_1.pdf
https://tools.ietf.org/html/rfc6819
30. @kelleyrobinson
“We must prioritize advice...Since users cannot do everything, they must select which advice they will follow and will ignore.” Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
36. @kelleyrobinson
How to drive adoption of MFA
• Profile settings
• Prompt during onboarding
• Have an ICO
40% adoption
100% adoption
2% adoption
37. @kelleyrobinson
SMS 2FA is still better than no 2FA
38. @kelleyrobinson
“When we exaggerate all dangers we simply train users to ignore us.” Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
44. @kelleyrobinson
↩ Account recovery
• Use authentication factors instead of identity (e.g. a PIN code instead of SSN)
• Use security questions that aren't fact based (unavailable via OSINT)
http://goodsecurityquestions.com/examples/
46. @kelleyrobinson
ℹ Support costs relative to losses ⬇
💰 Losses due to account takeover ⬇
😈 Number of compromised accounts ⬇
😃 Customer satisfaction ⬆
47. @kelleyrobinson
“Security people are full of morbid and detailed monologues about the pervasive catastrophes that surround us.” James Mickens, This World of Ours