This document discusses the challenges of building secure mobile applications. It covers why security is important for mobile, how to secure applications in an insecure mobile environment, and case studies of mobile security implementations. Some key points discussed include using HTTPS for end-to-end security, securing the key exchange process, ensuring strong entropy for keys, implementing message integrity checks, and supporting a wide range of mobile devices and networks.
Security is a very important aspect of web applications. In order to protect sensitive data we should use cryptography. But cryptography means security? Absolutely not, especially if developers do not,especially if developers do not use it properly. In this talk I would like to present some best practices in PHP to implement secure cryptography using the extensions mcrypt, Hash and OpenSSL.
The goal of this talk is to provide the results of passive and active fingerprinting for SD-WAN systems using a common threat intelligence approach. We explore Internet-based and cloud-based publicly available SD-WAN systems using the well-known «Shodan» and «Censys» search engines and custom developed automation tools and show that most of the SD-WAN systems have known vulnerabilities related to outdated software and insecure configuration.
Anton Nikolaev, Denis Kolegov, Oleg Broslavsky
Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3 Akana
Recently revealed vulnerabilities in SSLv3, OpenSSL and other cipher suites may expose your transactions or APIs over web browsers, web servers or HTTPS to new threats. Hackers can attack and take advantage of the protocol version negotiation features built into SSL/TLS to force the use of SSL 3.0 and decrypt selected content within the SSL sessions. Given these vulnerabilities, how can businesses ensure and safeguard critical data? Attend this webinar to learn HTTPS configuration best practices and tools to harden your HTTPS endpoints with right protocols and cipher suites.
Security is a very important aspect of web applications. In order to protect sensitive data we should use cryptography. But cryptography means security? Absolutely not, especially if developers do not,especially if developers do not use it properly. In this talk I would like to present some best practices in PHP to implement secure cryptography using the extensions mcrypt, Hash and OpenSSL.
The goal of this talk is to provide the results of passive and active fingerprinting for SD-WAN systems using a common threat intelligence approach. We explore Internet-based and cloud-based publicly available SD-WAN systems using the well-known «Shodan» and «Censys» search engines and custom developed automation tools and show that most of the SD-WAN systems have known vulnerabilities related to outdated software and insecure configuration.
Anton Nikolaev, Denis Kolegov, Oleg Broslavsky
Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3 Akana
Recently revealed vulnerabilities in SSLv3, OpenSSL and other cipher suites may expose your transactions or APIs over web browsers, web servers or HTTPS to new threats. Hackers can attack and take advantage of the protocol version negotiation features built into SSL/TLS to force the use of SSL 3.0 and decrypt selected content within the SSL sessions. Given these vulnerabilities, how can businesses ensure and safeguard critical data? Attend this webinar to learn HTTPS configuration best practices and tools to harden your HTTPS endpoints with right protocols and cipher suites.
Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
Denis Kolegov, Oleg Broslavsky, Power of Community 2018, Seoul, Korea
Today, «SD-WAN» is a very hot and attractive topic. Software-defined WAN (SD-WAN) is a technology based on software-defined network (SDN) approach applied to wide area networks (WAN) in enterprise networks. According to Gartner’s predictions study, more than 50% of routers will be replaced with SD-WAN solutions by 2020.
In this presentation, we disclose a set of vulnerabilities in widespread and most popular SD-WAN products including Citrix NetScaler and Silver Peak EdgeConnect. We present the new results of our research, consider some technical details of the insecure design and found vulnerabilities, and describe different attack scenarios that may allow an attacker to compromise SD-WAN control and data planes.
Hardening cassandra for compliance or paranoiazznate
How to secure a cassandra cluster. Includes details on configuring SSL, setting up a certificate authority and creating certificates and trust chains for the JVM.
Droidcon 2011 - Branding Headache? Here's Your PainkillerMasabi
Some useful tips and techniques for developing mobile apps across multiple different brands, presented by mobile developer, Joana Cruz e Costa, at Droidcon 2011.
Transport mTicketing: The mCommerce CatalystMasabi
A joint presentation by Masabi and thetrainline on how transport mTickets is driving wider mCommerce because for many consumers it is the first experience of their mobile phone beyond voice or text. Presented at the BlackBerry Innovation Forum, 12th October 2011.
Slides from Ben Whitaker's talk about new mobile ticketing approaches for public transport including mobile payments via credit card this month at the UK's ITS Passenger Information Interest Group's seminar on Options for Ticketing and Standards in Ticketing on the 27th May 2009 in London.
Highlights of new features in the UK's Rail Barcode Ticket standard, and a brief summary of the lower capital expenditure soft-rollout of visual barcode ticketing on paper and mobile versus the large up-front costs of smartcard. Finally a summary of selling tickets from the mobile phone, and the benefits it brings to the operator.
Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
Denis Kolegov, Oleg Broslavsky, Power of Community 2018, Seoul, Korea
Today, «SD-WAN» is a very hot and attractive topic. Software-defined WAN (SD-WAN) is a technology based on software-defined network (SDN) approach applied to wide area networks (WAN) in enterprise networks. According to Gartner’s predictions study, more than 50% of routers will be replaced with SD-WAN solutions by 2020.
In this presentation, we disclose a set of vulnerabilities in widespread and most popular SD-WAN products including Citrix NetScaler and Silver Peak EdgeConnect. We present the new results of our research, consider some technical details of the insecure design and found vulnerabilities, and describe different attack scenarios that may allow an attacker to compromise SD-WAN control and data planes.
Hardening cassandra for compliance or paranoiazznate
How to secure a cassandra cluster. Includes details on configuring SSL, setting up a certificate authority and creating certificates and trust chains for the JVM.
Droidcon 2011 - Branding Headache? Here's Your PainkillerMasabi
Some useful tips and techniques for developing mobile apps across multiple different brands, presented by mobile developer, Joana Cruz e Costa, at Droidcon 2011.
Transport mTicketing: The mCommerce CatalystMasabi
A joint presentation by Masabi and thetrainline on how transport mTickets is driving wider mCommerce because for many consumers it is the first experience of their mobile phone beyond voice or text. Presented at the BlackBerry Innovation Forum, 12th October 2011.
Slides from Ben Whitaker's talk about new mobile ticketing approaches for public transport including mobile payments via credit card this month at the UK's ITS Passenger Information Interest Group's seminar on Options for Ticketing and Standards in Ticketing on the 27th May 2009 in London.
Highlights of new features in the UK's Rail Barcode Ticket standard, and a brief summary of the lower capital expenditure soft-rollout of visual barcode ticketing on paper and mobile versus the large up-front costs of smartcard. Finally a summary of selling tickets from the mobile phone, and the benefits it brings to the operator.
Masabi, the leader in mobile ticketing and innovative fare collection for transit, invites you discover what the latest updates from Apple - Apple Pay - mean in the context of mobile ticketing, NFC and Open Payments.
In-depth list of attacks against various crypto implementations. Developers seem to have gotten the message not to design their own ciphers. Now, we're trying to get the message out that you shouldn't be implementing your own crypto protocols or constructions, using low-level crypto libraries. Instead, developers should work at a higher level, using libraries like GPGME, Keyczar, or cryptlib. If you do end up designing/implementing your own construction, getting it reviewed by a third party is an expensive but vital task.
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Nate Lawson
History and future of copy protection. Builds on the property of asymmetry as a way of analyzing copy protection features. Defenders only need to increase cost to attackers, not build an impenetrable wall. Included a live demo of reading a C64 game and cracking its protection, as well as an intro to the Xbox 360 drive hacks. Ended with some simple recommendations for repairing the 360 hacks.
Running Secure Server Software on Insecure Hardware without a Parachute - RSA...Nick Sullivan
In this session we will look in depth into what happens when we throw away the assumption that server hardware is trusted. We discuss advanced techniques for protecting software on untrusted clients and how to apply them to servers running on untrusted hardware. This includes anti-reverse engineering methods, secure key management and how to design a system for renewal.
Strong cryptography is the usage of systems or components that are considered highly resistant to cryptanalysis, the study of methods to cracking the codes. In this talk I would like to present the usage of strong cryptography in PHP. Security is a very important aspect of web applications especially when they manipulate data like passwords, credit card numbers, or sensitive data (as health, financial activities, sexual behavior or sexual orientation, social security numbers, etc). In particular I will present the extensions mcrypt, Hash, and OpenSSL that are been improved in the last version of PHP. These are the slides presented during my talk at PHP Dutch Conference 2011.
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
The boom of AI brought to the market a set of impressive solutions both on the hardware and software side. On the other hand, massive implementation of AI in various areas brings about problems, and security is one of the greatest concerns.
In this talk we will present results of hands-on vulnerability research of different components of AI infrastructure including NVIDIA DGX GPU servers, ML frameworks such as Pytorch, Keras and Tensorflow, data processing pipelines and specific applications, including Medical Imaging and face recognition powered CCTV. Updated Internet Census toolkit based on the Grinder framework will be introduced.
Feasibility of Security in Micro-Controllersardiri
Is it possible to secure micro-controllers used within IoT?
With the introduction of micro controllers such as the Arduino, Raspberry Pi and BeagleBone – it has become easy to connect sensors to gather information and utilise network connections to build an IoT ecosystem. Strong encryption schemes like RSA/AES/SHA and ecliptic curves cryptography (ECC) have been difficult to introduce due to limited performance and memory capabilities of the micro controllers used and using standard libraries just isn’t feasible – we find that designated and optimised software is the only feasible way forward.
Many information security systems rely on cryptographic schemes that need truly random numbers be secure. In recent months there have been several high profile news stories about weaknesses or potential compromises in both software and hardware random number generators. A compromised random number generator is difficult to catch because it can output random looking data that is predictable to an attacker only. In this talk I describe how to go from knowledge of a weakness in a random number generator to a full security compromise.
We will look at examples including how to fully decrypt a TLS stream, how to compromise a bitcoin wallet by looking at the ECDSA signatures on the public block chain, how to factor improperly generated RSA keys, and more. There will be live demos and discussions of interesting ways to pull off these attacks.
Shameful secrets of proprietary network protocolsSlawomir Jasek
There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.
To demonstrate, we will show a few case-studies - most interesting examples from real-life industry software, which in our opinion are a quintessence of "security by obscurity". We will challenge the security of proprietary protocols in pull printing solutions, FOREX trading software, remote desktops and home automation technologies.
During our last tool talk at NEOISF, Matt Neely talked about using a Fon (a wireless access point) with Karmetasploit to attack wireless clients for penetration testing. In this talk we will take this concept a step further and show you what the latest techniques are for conducting man-in-the-middle attacks (MITM). First, we will define what man-in-the-middle attacks are and why we should be doing these in our penetration tests. The technical discussion will include talk about our old favorites like Wireshark, Ettercap and Cain. Next, we will show some new techniques introduced with tools like SSLStrip, The Middler, and Network Miner. Finally, we will end with an open discussion on how to defend against man-in-the-middle attacks.
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Nate Lawson
Analysis of virtualized rootkit detection methods. Introduces "Samsara", our framework for detecting virtualization and an implementation of data/instruction TLB sizing, HPET timer, and VT errata tests. We predict the future will be cat-and-mouse, where each side analyzes and responds to the behavior of their opponent, ad infinitum. Joint talk given with Thomas Ptacek and Peter Ferrie.
Security is a very important aspect of web applications. In order to protect sensitive data we should use cryptography. But does cryptography mean security? Absolutely not, especially if developers do not use it properly.
In these slides, Enrico Zimuel, PHP Architect - ZF Core team member, presents some best practices in PHP to implement secure cryptography using the extensions mcrypt, Hash and OpenSSL.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
20 Comprehensive Checklist of Designing and Developing a WebsitePixlogix Infotech
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
5. Don’t!
GSM encryption has been broken
Attacks and data theft have occurred
6. HTTPS =
end-to-end security
Mature key
infrastructure
Browser support
consistent, improving
Padlock icons
Certificate display
Colour coding title bar
7. WAP SECURITY WAP2 SECURITY
Inherently insecure: Like the web:
Most handsets
Used on older browsers, use this with
“Wap” settings “Internet” settings
8. Inconsistent UI support
Maybe you get a padlock icon
Certificate details are buried under
menus
Details are not always clear
Inconsistent naming, etc
9. Pros:
Reformat desktop-optimised pages for
mobile
Cons:
Break HTTPS end-to-end security
10. Some will ignore HTTPS
Others will insert themselves in the
connection
Handset cannot verify end certificate
11. This is similar to a man in the middle
attack
Thief proxies the real site
Steals information passing through
Handset can see
thief’s certificate
So should be able
to inform user
12. Transcoder’s certificate would
obscure thief’s
We don’t know transcoder’s policy for
flagging suspicious certs
We shouldn’t have to care!
13. You can ask a transcoder not to
transform your content
Set HTTP header
Cache-Control = “no-transformquot;
Eg. For Apache:
<FilesMatch quot;.(php|cgi|pl)$quot;>
Header append Cache-Control quot;no-transform”
</FilesMatch>
http://mobiforge.com/developing/story/setting-http-
headers-advise-transcoding-proxies
Transcoders should remove themselves
from HTTPS connections with this header
16. Symmetric Session Encryption
Message Integrity Checks
Key Generation: Entropy and
Pseudo-Random Number Generators
Key Exchange and server authentication
Asymmetric encryption for key exchange
17. Fast Processing, less than 1ms
Algorithms: AES, 3DES (Triple DES), RC4, Blowfish
Minimum Key size: 128 bits
Same keys at sender and receiver (hence Symmetric)
Sender Receiver
Session Key1 ABCDEF DADCCB Session Key1
Encrypt Decrypt
DADCCB ABCDEF
18.
19. Has the message been tampered with?
Successful decrypt does not mean message is authentic and
undamaged.
CRC is not enough, a deliberate attack could allow for CRC change
Sender
DADCCB
Session Key1 ABCDEF
Encrypt
Receiver
DADCCB
DADCCA Session Key1
Decrypt
DADCCA ABCDEZ
20. Message Integrity Code – must be inside encrypted message, such as a hash
Message Authentication Code – can be outside
Code is created cryptographically from the un-encrypted payload, and added
to the message.
Attacker cannot make a message adjustment and the corresponding
MIC/MAC change so they are detected
Receiver
Sender
DADCCA Session Key1
Session Key1 ABCDEF
Decrypt
Encrypt MAC
ABCDEZ
DADCCB ASAKFA
Check MAC
DADCCA
ASAKFA ASAKFA KADILSB
21. Sender
Receiver
Session Key1 Session Key1
Both sender and receiver need same key
Attacker must not discover/guess key
4 digit pin code is so short that it can be
guessed very quickly – not secure
Any key material in the application can be
seen by attacker during download
22. PKI Public/Private Key Encryption
Slower Processing – 10ms to over 10 seconds
Algorithms: RSA, Elliptic Curves (ECC) – difficult maths
Minimum Key sizes: 1024bit RSA or 160bit ECC
Different key to reverse encryption, public key is freely available
Sender Receiver
ZAPLAS Private Key1
Public WXYZ
Key1
Encrypt Decrypt
ZAPLAS WXYZ
23.
24. For a given algorithm, larger
keys provide better security
BUT – only if all of the key
material is unknown to the
attacker.
Effective key strength is
only the size of the
unknown data inside the
key
256bit key made from a 4 digit Pin
is only 13bits of effective security
25. Possible values: 0 – 9999
Assuming each is equally likely
213 = 8192
A 4 digit PIN key = 13bit security
Whether using 64bit DES or 256bit AES!
On average, crackable in 9999/
2 =
5000 attempts
26. Used to create symmetric session key
Not really random – deterministic to allow testing
The programmer must seed with something really random –
ENTROPY.
User1 Attacker1 User2
Seed Seed Seed
(4 digit pin) (guess) (934351...)
pRNG pRNG pRNG
4510920……… 4510920……… 1275676………
User 1 is probably in trouble – if seed is easy to guess e.g. 5000 guesses for PIN
then the session KEY is easy to guess, in just 5000 attempts, regardless of key size
27. Good Sources: the USER or environment noise
Timing of user keypresses
Microphone input
Pen/mouse/accelerometer wiggling
Camera image taken especially for randomness
Bad Sources: the DEVICE
Time (a favourite for lazy programmers)
Time taken for long process or program startup
Time between ticks of a throttled state machine
IMEI
Network delays
Free memory
“Anyone who considers arithmetical methods of producing random digits
is, of course, in a state of sin.” von Neumann
28. Standard keypad has 16-20 keys
0123456789*#, direction and soft keys
=> 4 bits per keypress (24 = 16)
Time presses for extra bits
Assume 30ms clock granularity
1 press per second av. => ~4 bits
Resource loading => no entropy
S40 is almost entirely repeatable
S60 is almost entirely random…
29. No key exchange protection
Only exchange a guessable PIN
Embed session or partial keys inside application
Lack of Asymmetric encryption
No real entropy
Seeds from time or some other non-chaotic source
No message integrity check
Vulnerable to message alteration
No replay attack prevention
Server can process repeat transactions
30. Easy to make maths or key mistakes
Performance on older handsets
Sometimes traded for code size
Certification tests (with lots of test data)
Reveal subtle bugs
Assure correctness
31. Free!
Big
JavaME version is ~1Mb jar
You need to prune it!
Unit test heavily if you make changes
Size comparison (once optimised):
34. Cap-Ex intensive rollouts
Users need new hardware
Cards (eg. Oyster) or NFC phones
When will NFC handsets be
mainstream?
O2: “2013”
(O2/Telefonica are the operator most involved in NFC trials)
36. Reliable, fast
Offline scanning
Tickets still work when Internet doesn’t!
Open security
PKI signatures prevent modification
Public Key verification is cheap, easy
Royalty free, open barcodes
Aztec scans best on a handset screen
37. Tickets must be
supported on everything!
Smartphones are a niche
SMS / MMS / Wap / Web
delivery supported
Apps can add:
Better rendering
=> faster scanning
Quick, secure purchase
39. Parking payments straight from phone
No need for explicit sign-up or passwords
Just type CVV again for future purchases
All user data entry and validation performed off-line
by application
Secure SMS for users without data settings or with
poor reception
New user can sign-up and pay in just one SMS
95% of trial users said:
“better than the IVR system we used until now”
40. Chiltern Railways with YourRail
Trial user feedback: “Better than the web!”
Buy anywhere
No paper, no queues - barcode tickets
Tunnels aren’t showstoppers!
Auto-detects SMS or GPRS
1-2 SMS per ticket
Doubles the consumer uptake by removing Data issues
Quick repeat tickets
Customer loyalty and lock-in
41. Playtech (AIM: PTEC)
World’s largest public online
gaming software supplier
Sign-up, deposits and pay-
outs from the handset
Hot swap mid-game
Desktop & mobile share login
1000+ handsets, multiple
casinos, multiple languages
42. Application advantages:
Secure even on old phones
Improved usability
Reduced bandwidth
Common mistakes:
Must use same login as web
Opera Mini FAQ says don’t
use Mini for secure data!
Though some banks
recommend it…
43. Cashless Purchases
Match Tickets - no touting
Refreshments - faster service,
no shrinkage
Merchandise - can even post to
home
Live offers to Fans, at
optimum times
Ticket offers mid-week
(at pub o’clock)
Encourage early entry
Follow-up offers after a win
45. 1. Security is good maths AND good design
2. If you use HTTPS, set the
no-transform header (and hope)!
3. Support every handset
4. Remember the entropy
5. 2D barcodes offer lower cap-ex than
NFC, without the wait
46.
47. Transport Finance &
Banks
Entitlement &
Gaming
Venues
48. • 3rd party certified
Security • End-to-end
• Fast and small
• Popular handsets
Portability • All form factors
• Fragmentation
• Offline functions
Usability • Interactive
experience
• Slick and attractive
49. US Government Certified
British Telecom validated
IET Security Award
Latest Encryption Strength
1024bit RSA, 256bit AES
Standard Server Cryptography
Tiny 3Kb library
Works on all Java phones
Extremely fast
Secures any medium
SMS, GPRS, Bluetooth, NFC
On-phone storage
50. Masabi Proxy Retailer Web
(can be hosted by
retailer) Services
SMS “Tickets” to 89080
1
2
Auto-Install SMS
3
Purchase Request
and Payment Details 4
(sent by encrypted SMS or Data
from the mobile application) XML Web
Service Requests
5
Success message
with content, ticket or code
Editor's Notes
<number>
<number>
Masabi have been producing downloadable mobile applications for over 7 years, and today Masabi secure mobile applications process millions of dollars worth of transactions every year<number>
If you can’t trust the networks, or are using phones that don’t have HTTPS, then you have to take matters into your own hands and put in end-to-end encryption from your app to your own server to ensure that you always know the level of security between server and customer<number>
<number>
17
17
19
20
20
20
20
24
24
Testing to ensure pRNG’s are implemented correctly is to ensure that pRNG output never becomes cyclic or tends towards a stable value.26
26
26
26
26
26
26
We’re using on-screen barcodes to show the ticket values for reading by automatic gates, or checking by the train guards who carry hand-held scanners.The ticket code can be transferred to the NFC element on compatible phones (like this nokia 6131) but this handset is the only mainstream GSM handset with NFC and we’ve not heard of others in the pipeline.Even when NFC services become mainstream, you will still need a secure interface to purchase entitlements, before they get transferred to the NFC element. 26
26
26
26
26
26
Simple – simply put in your car, your credit card, and how long you want to park.Brand new user can sign up and pay in just one secure SMS (or 0.02pence worth of data)Extend your parking without returning to the vehicle.26
Credit Card details entered just once into the application.Users have said “easier to use the mobile purchase than web purchase” because of quick, optimised workflow.26
26
26
26
26
26
Come see me after for live demos, or to chat about building secure mobile applications form-commerce,Banking,Ticketing,Messaging,Read our blog for more details on security.blog.masabi.com26
26
Our applications are built on three core principals –Make the application usable and relevant to the end user, and make the default use cases quick and easy on the mobile. (I’ll show you some sides of that later)Then, PORTABILITY to all popular handsets, including the older handsets that many developers avoid, to ensure the largest possible user-base for your service.For Mobile commerce – security, on all phones, to modern public standards.26
Standard GSM services are not secure to Financial Services or Payment Card Industry regulations. You shouldn’t use SMS or WAP to send payment instructions, bank passwords or credit card details because too many individuals can gain access to them in transit.(True end-to-end https is only available on the latest handsets – slow and not usable from Java or SMS.)\"The contents of SMS messages are known to the network operator's systems and personnel. Therefore, SMS is not an appropriate technology for secure communications. Most users do not realise how easy it may be to intercept“ Nick Jones, Gartner Research 2002 http://www.gartner.com/DisplayDocument?doc_cd=111720“It would not be enough for a financial institution to provide mobile banking services relying on de-facto GSM protocol security”Pakistan State Bank, Guidelines for Branchless Banking 2007http://www.sbp.org.pk/bprd/2007/Guidelines-Branchless-Banking.pdfWe built EncryptME to the latest standards for new secure web services, and it is still the world’s only US Government Certified mobile java security library.At 3kb, it can provide security on the oldest java handsets, including the black and white Nokia 6310i (show legendary retro business phone)Most importantly, it allows SMS data to be encrypted too!Servers can continue to use standard cryptography from Sun or Microsoft etc – they don’t need to use custom or proprietary security libraries.26
Repeat purchases just use steps 3,4,5, and the user only has to enter CVV number.26