The document provides an overview of practical cryptography and the GPG/PGP encryption tools. It discusses symmetric and public key cryptography theory. It then demonstrates how to use GPG/PGP to generate keys, encrypt and decrypt files, digitally sign documents, verify signatures, and distribute public keys through a key server. It also discusses how the web of trust model works to validate identities through in-person key signing after carefully verifying a user's identity.
Seguridad en microservicios via micro profile jwtCésar Hernández
La curva de aprendizaje para la seguridad es severa e implacable. Esta sesión profundiza el estado actual y evolución que la seguridad en arquitecturas basadas en servicios REST han requerido con conceptos competitivos como OAuth 2.0 en el mundo mobile y HTTP signatures utilizado por Amazon en API's B2B. Finalmente se presenta el proyecto Eclipse MicroProfile JWT que provee un API Java Empresarial optimizado para arquitecturas orientadas a Microservicios. Se presentará un caso práctico en el que se desarrollará una aplicación segura con MicroProfile JWT, Apache TomEE y AngularJS. Demostrando de esta forma las capacidades de configuración, CDI, autenticación y autorización avanzadas que ofrece Eclipse MicroProfile JWT. Durante esta sesión los asistentes podrán ver los conceptos básicos de seguridad REST con Oauth 2.0, JWT y Http signatures. El caso práctico será presentado utilizando Eclipse Microprofile sobre una aplicación con un Front-End AngularJS y Java EE en Apache TomEE.
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...PROIDEA
The most common blockchain-based application is Bitcoin - cryptocurrency worth a couple of thousands $ per BTC. But Bitcoin is built on the Blockchain 1.0. The second generation of blockchain opened a much broader field of application and is described as mechanism allowing programmable transactions. Smart Contracts, as they are called, are scripts that are executed and stored in the blockchain. Their code, storage and execution calls are all publicly available and verifiable. The execution and verification processes are held by miners what makes the decentralized ecosystem slow, but secure. Smart contracts have many applications from ICOs, through digital identity management, non-digital asset (diamond, real estate, IoT device, etc.) ownership management and tracing to almost anything you can think of. An example of second generation blockchain platform that support smart contracts is Ethereum. The miners, who execute contracts and secure the platform, are paid with Ether, which is the Ethereum cryptocurrency (worth about $1k) and an incentive for hackers. Ethereum’s smart contracts are written in the Solidity language, which is similar to well-known high-level languages, and compiled to Ethereum Virtual Machine bytecode stored in blockchain. It is a complex software implementing new and often difficult to follow in every detail technology. Thus it makes an explosive mix with high potential for human mistake by developer. The problem is that even a very small coding mistake can lead to losses of millions of dollars. The goal of this presentation is to shed the light on the security of smart contracts, its potential vulnerabilities and popular design and implementation security flaws.
GnuPG, popularly knowns as gpg is an alternative to PGP module and mainly used for encryption and decryption of keys while sending mail or data.
This presentation shows various useful gpg commands that you can use in day-to-day life.
Pgsodium's Features: those not provided by pgcrypto and integration with rem...EDB
pgsodium is a Postgres extension that provides an alternative to pgcrypto with encryption functions that wrap the libsodium encryption library. It offers features like multi-layered role-based access to symmetric functions, integration with key management systems, end-to-end encryption with key exchange, and streaming encryption with forward secrecy. It aims to address limitations of pgcrypto like lack of key derivation, public key signing, and missing cryptography functions.
This document provides an agenda for a MuleSoft meetup on cryptography in MuleSoft. The agenda includes an introduction, overview of cryptography concepts, demonstrations of cryptography functionality in MuleSoft like encryption, decryption, signatures, and a Q&A session. Attendees are asked to introduce themselves and provide their name, company, location, and MuleSoft experience. The meetup speaker is then introduced.
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet
"Safely Storing Secrets and Credentials in Git for use by
Puppet: The BlackBox Project" presented by Thomas A. Limoncelli, Stack Exchange at Puppet Camp NYC 2014
This document outlines the agenda for a MuleSoft meetup on cryptography in MuleSoft. The agenda includes an introduction, overview of cryptography concepts, demonstrations of cryptography functionality in MuleSoft like PGP encryption/decryption, JCE encryption, XML encryption, and a Q&A session. The meetup leaders are introduced and a statement is provided indicating they are not representing their companies. The speaker is identified and their experience summarized. The document concludes with trivia questions and a request for feedback.
Seguridad en microservicios via micro profile jwtCésar Hernández
La curva de aprendizaje para la seguridad es severa e implacable. Esta sesión profundiza el estado actual y evolución que la seguridad en arquitecturas basadas en servicios REST han requerido con conceptos competitivos como OAuth 2.0 en el mundo mobile y HTTP signatures utilizado por Amazon en API's B2B. Finalmente se presenta el proyecto Eclipse MicroProfile JWT que provee un API Java Empresarial optimizado para arquitecturas orientadas a Microservicios. Se presentará un caso práctico en el que se desarrollará una aplicación segura con MicroProfile JWT, Apache TomEE y AngularJS. Demostrando de esta forma las capacidades de configuración, CDI, autenticación y autorización avanzadas que ofrece Eclipse MicroProfile JWT. Durante esta sesión los asistentes podrán ver los conceptos básicos de seguridad REST con Oauth 2.0, JWT y Http signatures. El caso práctico será presentado utilizando Eclipse Microprofile sobre una aplicación con un Front-End AngularJS y Java EE en Apache TomEE.
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...PROIDEA
The most common blockchain-based application is Bitcoin - cryptocurrency worth a couple of thousands $ per BTC. But Bitcoin is built on the Blockchain 1.0. The second generation of blockchain opened a much broader field of application and is described as mechanism allowing programmable transactions. Smart Contracts, as they are called, are scripts that are executed and stored in the blockchain. Their code, storage and execution calls are all publicly available and verifiable. The execution and verification processes are held by miners what makes the decentralized ecosystem slow, but secure. Smart contracts have many applications from ICOs, through digital identity management, non-digital asset (diamond, real estate, IoT device, etc.) ownership management and tracing to almost anything you can think of. An example of second generation blockchain platform that support smart contracts is Ethereum. The miners, who execute contracts and secure the platform, are paid with Ether, which is the Ethereum cryptocurrency (worth about $1k) and an incentive for hackers. Ethereum’s smart contracts are written in the Solidity language, which is similar to well-known high-level languages, and compiled to Ethereum Virtual Machine bytecode stored in blockchain. It is a complex software implementing new and often difficult to follow in every detail technology. Thus it makes an explosive mix with high potential for human mistake by developer. The problem is that even a very small coding mistake can lead to losses of millions of dollars. The goal of this presentation is to shed the light on the security of smart contracts, its potential vulnerabilities and popular design and implementation security flaws.
GnuPG, popularly knowns as gpg is an alternative to PGP module and mainly used for encryption and decryption of keys while sending mail or data.
This presentation shows various useful gpg commands that you can use in day-to-day life.
Pgsodium's Features: those not provided by pgcrypto and integration with rem...EDB
pgsodium is a Postgres extension that provides an alternative to pgcrypto with encryption functions that wrap the libsodium encryption library. It offers features like multi-layered role-based access to symmetric functions, integration with key management systems, end-to-end encryption with key exchange, and streaming encryption with forward secrecy. It aims to address limitations of pgcrypto like lack of key derivation, public key signing, and missing cryptography functions.
This document provides an agenda for a MuleSoft meetup on cryptography in MuleSoft. The agenda includes an introduction, overview of cryptography concepts, demonstrations of cryptography functionality in MuleSoft like encryption, decryption, signatures, and a Q&A session. Attendees are asked to introduce themselves and provide their name, company, location, and MuleSoft experience. The meetup speaker is then introduced.
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet
"Safely Storing Secrets and Credentials in Git for use by
Puppet: The BlackBox Project" presented by Thomas A. Limoncelli, Stack Exchange at Puppet Camp NYC 2014
This document outlines the agenda for a MuleSoft meetup on cryptography in MuleSoft. The agenda includes an introduction, overview of cryptography concepts, demonstrations of cryptography functionality in MuleSoft like PGP encryption/decryption, JCE encryption, XML encryption, and a Q&A session. The meetup leaders are introduced and a statement is provided indicating they are not representing their companies. The speaker is identified and their experience summarized. The document concludes with trivia questions and a request for feedback.
The document provides an overview of Gnu Privacy Guard (GPG), a free software replacement for PGP. It discusses generating and exchanging keys, encrypting and decrypting documents, and making and verifying signatures with GPG. The document also covers cryptographic concepts like symmetric and asymmetric ciphers, digital signatures, and how GPG implements a hybrid cryptosystem. Key management topics like validating keys, distributing keys, and managing trust are also outlined.
Thwarting The Surveillance in Online Communication by Adhokshaj MishraOWASP Delhi
This document discusses techniques for countering online surveillance and protecting private communications. It begins by outlining common surveillance methods used by governments and companies, such as wiretapping and exploiting software vulnerabilities. It then discusses using cryptography to counter surveillance and keep data safe, such as encrypting files and filling volumes with cryptographically secure random data. Secure authentication techniques are presented that allow verifying credentials without revealing passwords. Finally, the document details a method for encrypting and authenticating private messages between two parties using Diffie-Hellman key exchange and digital signatures to provide encryption, authentication, deniability and perfect forward secrecy.
The document discusses the STRIKE project which aims to improve privacy and security in digital communication. It provides an overview of encryption technologies like PGP and tools like Enigmail that implement these standards. Currently, the STRIKE team is working to incorporate test-driven development, continuous integration, and code documentation into the Enigmail Thunderbird plugin to strengthen its security and usability. Interested individuals can follow the project's progress or contribute code.
This document discusses abusing public keyservers by uploading large, bloated keys and files using PGP. It introduces PGP File System (PGPFS), a proof-of-concept that stores files encrypted in PGP keys and uploads them to keyservers. While slow and relying on obscurity, PGPFS ensures keys are never truly deleted and replicates data across keyservers. The document argues this is an amusing way to abuse keyservers since they cannot delete keys. It provides code and invites questions.
Bitcoin’s blockchain - from hashes to Escrow and beyondGrzegorz Gawron
This document summarizes the key building blocks of Bitcoin's blockchain, including cryptographic hash functions, hash pointers, the Merkle tree, digital signatures, and transaction scripts. It discusses how hash functions are used to link blocks together in the blockchain and ensure data integrity. Transaction scripts allow for advanced applications like multisignature escrow, green addresses for third-party exchanges, and efficient micropayments. The challenges of bootstrapping consensus, 51% attacks, and changing the blockchain protocol through hard or soft forks are also outlined.
Welcome to the "How to Securely Create Cryptographic Keys" with Joshua McDougall. This presentation was delivered on Thursday, August 29th 2019.
In this class, scholars will learn the process of creating keys with proper entropy, backup processes, and how environmental factors can weaken or improve the strength and secrecy of the key.
By the end of the session, you will understand entropy sources, physical wallets, secure environments, and other helpful items that all come together to create strong keys for holding assets. You will each work within groups to create a multi-sig wallet that each scholar is a member of, verifying the key along the way and creating tamper-evident backups.
Total privacy of transactions, Mimblewimble and GrinEugene Pavlenko
Mimblewimble protocol, initially proposed in 2016 as a privacy and scaling solution for Bitcoin, is the essence of the latest cryptography and blockchain inventions of top scientists and core bitcoin developers.
Grin, is the famous implementation of this protocol, eagerly expected by industry. It was launched this year on the 15th of January as a separate blockchain and a completely private payment system with its own coin.
Cybersecurity Awareness Training Presentation v1.2DallasHaselhorst
This cybersecurity awareness training is meant to be used by organizations and end users to educate them on ways to avoid scams/attacks and become more security aware. This slide deck is based on version 1.2 of our wildly popular slide deck we originally released as open-source in September 2019. In just over 6 months, it was downloaded thousands of times and in over 150 countries!
On our website, you will also find several other related goodies. For example, we have a free cybersecurity quiz that is based directly off of this material so anyone can test their awareness knowledge. We have a downloadable 'certificate of completion' for this training; this allows attendees to fill-in their name and date so they can then print it out to show others (or even their employer) that they are now more cyber aware.
https://www.treetopsecurity.com/cat
We also have a video/webinar presentation of this material if you would like to share it with others.
https://www.treetopsecurity.com/cat#video
Want to take this content and present it in your own community? Fantastic! You may download this slide deck as editable content. This allows you to make changes and present it at your local library, business events, co-working spaces, schools, etc. The latest version is always available on our website as a Microsoft PowerPoint presentation (.pptx) or using ‘Make a Copy’ in Google Slides.
https://www.treetopsecurity.com/slides
This document introduces Cloakcast, a suite of tools for encrypted chatting. Cloakcast aims to hide who users are communicating with, the contents of their conversations, and when they are chatting, even if a malicious third party is sniffing traffic. It works by having clients encrypt messages using the recipient's PGP key and the server's PGP key before sending. The encrypted message is then decrypted and re-encrypted by the server before being sent to the recipient. Future versions may route traffic through Tor for additional anonymity. The document also provides background on Go, the programming language used to build Cloakcast, and shares code samples.
Strong cryptography is the usage of systems or components that are considered highly resistant to cryptanalysis, the study of methods to cracking the codes. In this talk I would like to present the usage of strong cryptography in PHP. Security is a very important aspect of web applications especially when they manipulate data like passwords, credit card numbers, or sensitive data (as health, financial activities, sexual behavior or sexual orientation, social security numbers, etc). In particular I will present the extensions mcrypt, Hash, and OpenSSL that are been improved in the last version of PHP. These are the slides presented during my talk at PHP Dutch Conference 2011.
Security everywhere digital signature and digital fingerprint v1 (personal)Paul Yang
This is the slide I used to train people about the security concepts, such as digital signature and digital fingerprint.
I tried to use friendly way to explain the topic with animation and many example in real life.
Hope it helps for you.
This document discusses public-key cryptography and digital signatures. It begins with an introduction to symmetric and asymmetric key cryptography, including the basic concepts and differences between the two approaches. It then provides more details on public-key cryptography principles, including how public/private key pairs are generated and used. The document explains the RSA algorithm for public-key encryption and decryption in detail with examples. It also covers digital signature models and how they provide message authentication, integrity, and non-repudiation using public-key techniques. Diffie-Hellman key exchange is introduced as a method for securely transmitting a symmetric secret key between two parties.
The document discusses hacking arcade machines by exploiting vulnerabilities in how game profiles are loaded and signed from USB drives. Specifically, it finds that the game In The Groove 2 does not properly check if profile data is from an arcade machine or personal computer, allowing injected Lua code. It then details how to sign a rogue profile with the private keys, which are shared between arcade machines, and use it to run arbitrary code covertly by inserting a malicious USB drive.
This document contains information about encryption, SSH, and IPSec. It discusses encryption techniques like public key encryption and digital signatures. It describes the open source program GNU Privacy Guard (GnuPG) and how it can be used to encrypt and sign messages on Linux. It also covers Secure Shell (SSH) including how it provides secure connections using encryption and authentication. It discusses how SSH keys work and how to configure SSH. Finally, it discusses IPsec and how it incorporates network security directly into IP by providing encryption and authentication of packets sent over the network.
An introduction to asymmetric cryptography with an in-depth look at RSA, Diffie-Hellman, the FREAK and LOGJAM attacks on TLS/SSL, and the "Mining your P's and Q's attack".
This document provides an overview of encryption and PGP/GPG basics. It discusses the main types of encryption, what PGP and GPG are used for, how to generate and manage keys, import/export keys, encrypt and sign files, and some best practices. The document provides step-by-step instructions for common PGP/GPG tasks like generating keys, uploading them to keyservers, verifying keys, and encrypting/decrypting files.
PGP (Pretty Good Privacy) is an encryption program that uses public/private key pairs to encrypt messages between parties. Mule supports adding PGP encryption using its Encryption Processor. This allows encrypting payloads before sending. The example shows fetching data from a database, encrypting it using PGP, and sending to an ActiveMQ queue. It configures the Encryption module to use PGP, sets keys, and tests the flow by triggering it from Postman.
The document describes Windows Credentials Editor (WCE), a tool that manipulates Windows logon sessions to dump and modify credentials in memory. WCE has two main features - it can dump in-memory credentials like usernames, domains, and NTLM hashes from current, future, and terminated logon sessions; and it supports pass-the-hash by allowing changes to NTLM credentials or creation of new logon sessions with arbitrary credentials. The document discusses two methods WCE could use - directly calling authentication package APIs, which requires running code in LSASS; or reading LSASS memory to locate logon session and credential structures and decrypt credentials without injecting code.
The document discusses database forensics and analysis techniques. It introduces current challenges, available tools, and new approaches using external tables to preserve metadata when collecting evidence. Typical patterns seen in database objects like SYS.USER$ are shown, like multiple accounts with login attempts or similar lock times indicating password guessing. Timeline creation is demonstrated to combine data from different sources.
The document provides an overview of Gnu Privacy Guard (GPG), a free software replacement for PGP. It discusses generating and exchanging keys, encrypting and decrypting documents, and making and verifying signatures with GPG. The document also covers cryptographic concepts like symmetric and asymmetric ciphers, digital signatures, and how GPG implements a hybrid cryptosystem. Key management topics like validating keys, distributing keys, and managing trust are also outlined.
Thwarting The Surveillance in Online Communication by Adhokshaj MishraOWASP Delhi
This document discusses techniques for countering online surveillance and protecting private communications. It begins by outlining common surveillance methods used by governments and companies, such as wiretapping and exploiting software vulnerabilities. It then discusses using cryptography to counter surveillance and keep data safe, such as encrypting files and filling volumes with cryptographically secure random data. Secure authentication techniques are presented that allow verifying credentials without revealing passwords. Finally, the document details a method for encrypting and authenticating private messages between two parties using Diffie-Hellman key exchange and digital signatures to provide encryption, authentication, deniability and perfect forward secrecy.
The document discusses the STRIKE project which aims to improve privacy and security in digital communication. It provides an overview of encryption technologies like PGP and tools like Enigmail that implement these standards. Currently, the STRIKE team is working to incorporate test-driven development, continuous integration, and code documentation into the Enigmail Thunderbird plugin to strengthen its security and usability. Interested individuals can follow the project's progress or contribute code.
This document discusses abusing public keyservers by uploading large, bloated keys and files using PGP. It introduces PGP File System (PGPFS), a proof-of-concept that stores files encrypted in PGP keys and uploads them to keyservers. While slow and relying on obscurity, PGPFS ensures keys are never truly deleted and replicates data across keyservers. The document argues this is an amusing way to abuse keyservers since they cannot delete keys. It provides code and invites questions.
Bitcoin’s blockchain - from hashes to Escrow and beyondGrzegorz Gawron
This document summarizes the key building blocks of Bitcoin's blockchain, including cryptographic hash functions, hash pointers, the Merkle tree, digital signatures, and transaction scripts. It discusses how hash functions are used to link blocks together in the blockchain and ensure data integrity. Transaction scripts allow for advanced applications like multisignature escrow, green addresses for third-party exchanges, and efficient micropayments. The challenges of bootstrapping consensus, 51% attacks, and changing the blockchain protocol through hard or soft forks are also outlined.
Welcome to the "How to Securely Create Cryptographic Keys" with Joshua McDougall. This presentation was delivered on Thursday, August 29th 2019.
In this class, scholars will learn the process of creating keys with proper entropy, backup processes, and how environmental factors can weaken or improve the strength and secrecy of the key.
By the end of the session, you will understand entropy sources, physical wallets, secure environments, and other helpful items that all come together to create strong keys for holding assets. You will each work within groups to create a multi-sig wallet that each scholar is a member of, verifying the key along the way and creating tamper-evident backups.
Total privacy of transactions, Mimblewimble and GrinEugene Pavlenko
Mimblewimble protocol, initially proposed in 2016 as a privacy and scaling solution for Bitcoin, is the essence of the latest cryptography and blockchain inventions of top scientists and core bitcoin developers.
Grin, is the famous implementation of this protocol, eagerly expected by industry. It was launched this year on the 15th of January as a separate blockchain and a completely private payment system with its own coin.
Cybersecurity Awareness Training Presentation v1.2DallasHaselhorst
This cybersecurity awareness training is meant to be used by organizations and end users to educate them on ways to avoid scams/attacks and become more security aware. This slide deck is based on version 1.2 of our wildly popular slide deck we originally released as open-source in September 2019. In just over 6 months, it was downloaded thousands of times and in over 150 countries!
On our website, you will also find several other related goodies. For example, we have a free cybersecurity quiz that is based directly off of this material so anyone can test their awareness knowledge. We have a downloadable 'certificate of completion' for this training; this allows attendees to fill-in their name and date so they can then print it out to show others (or even their employer) that they are now more cyber aware.
https://www.treetopsecurity.com/cat
We also have a video/webinar presentation of this material if you would like to share it with others.
https://www.treetopsecurity.com/cat#video
Want to take this content and present it in your own community? Fantastic! You may download this slide deck as editable content. This allows you to make changes and present it at your local library, business events, co-working spaces, schools, etc. The latest version is always available on our website as a Microsoft PowerPoint presentation (.pptx) or using ‘Make a Copy’ in Google Slides.
https://www.treetopsecurity.com/slides
This document introduces Cloakcast, a suite of tools for encrypted chatting. Cloakcast aims to hide who users are communicating with, the contents of their conversations, and when they are chatting, even if a malicious third party is sniffing traffic. It works by having clients encrypt messages using the recipient's PGP key and the server's PGP key before sending. The encrypted message is then decrypted and re-encrypted by the server before being sent to the recipient. Future versions may route traffic through Tor for additional anonymity. The document also provides background on Go, the programming language used to build Cloakcast, and shares code samples.
Strong cryptography is the usage of systems or components that are considered highly resistant to cryptanalysis, the study of methods to cracking the codes. In this talk I would like to present the usage of strong cryptography in PHP. Security is a very important aspect of web applications especially when they manipulate data like passwords, credit card numbers, or sensitive data (as health, financial activities, sexual behavior or sexual orientation, social security numbers, etc). In particular I will present the extensions mcrypt, Hash, and OpenSSL that are been improved in the last version of PHP. These are the slides presented during my talk at PHP Dutch Conference 2011.
Security everywhere digital signature and digital fingerprint v1 (personal)Paul Yang
This is the slide I used to train people about the security concepts, such as digital signature and digital fingerprint.
I tried to use friendly way to explain the topic with animation and many example in real life.
Hope it helps for you.
This document discusses public-key cryptography and digital signatures. It begins with an introduction to symmetric and asymmetric key cryptography, including the basic concepts and differences between the two approaches. It then provides more details on public-key cryptography principles, including how public/private key pairs are generated and used. The document explains the RSA algorithm for public-key encryption and decryption in detail with examples. It also covers digital signature models and how they provide message authentication, integrity, and non-repudiation using public-key techniques. Diffie-Hellman key exchange is introduced as a method for securely transmitting a symmetric secret key between two parties.
The document discusses hacking arcade machines by exploiting vulnerabilities in how game profiles are loaded and signed from USB drives. Specifically, it finds that the game In The Groove 2 does not properly check if profile data is from an arcade machine or personal computer, allowing injected Lua code. It then details how to sign a rogue profile with the private keys, which are shared between arcade machines, and use it to run arbitrary code covertly by inserting a malicious USB drive.
This document contains information about encryption, SSH, and IPSec. It discusses encryption techniques like public key encryption and digital signatures. It describes the open source program GNU Privacy Guard (GnuPG) and how it can be used to encrypt and sign messages on Linux. It also covers Secure Shell (SSH) including how it provides secure connections using encryption and authentication. It discusses how SSH keys work and how to configure SSH. Finally, it discusses IPsec and how it incorporates network security directly into IP by providing encryption and authentication of packets sent over the network.
An introduction to asymmetric cryptography with an in-depth look at RSA, Diffie-Hellman, the FREAK and LOGJAM attacks on TLS/SSL, and the "Mining your P's and Q's attack".
This document provides an overview of encryption and PGP/GPG basics. It discusses the main types of encryption, what PGP and GPG are used for, how to generate and manage keys, import/export keys, encrypt and sign files, and some best practices. The document provides step-by-step instructions for common PGP/GPG tasks like generating keys, uploading them to keyservers, verifying keys, and encrypting/decrypting files.
PGP (Pretty Good Privacy) is an encryption program that uses public/private key pairs to encrypt messages between parties. Mule supports adding PGP encryption using its Encryption Processor. This allows encrypting payloads before sending. The example shows fetching data from a database, encrypting it using PGP, and sending to an ActiveMQ queue. It configures the Encryption module to use PGP, sets keys, and tests the flow by triggering it from Postman.
The document describes Windows Credentials Editor (WCE), a tool that manipulates Windows logon sessions to dump and modify credentials in memory. WCE has two main features - it can dump in-memory credentials like usernames, domains, and NTLM hashes from current, future, and terminated logon sessions; and it supports pass-the-hash by allowing changes to NTLM credentials or creation of new logon sessions with arbitrary credentials. The document discusses two methods WCE could use - directly calling authentication package APIs, which requires running code in LSASS; or reading LSASS memory to locate logon session and credential structures and decrypt credentials without injecting code.
The document discusses database forensics and analysis techniques. It introduces current challenges, available tools, and new approaches using external tables to preserve metadata when collecting evidence. Typical patterns seen in database objects like SYS.USER$ are shown, like multiple accounts with login attempts or similar lock times indicating password guessing. Timeline creation is demonstrated to combine data from different sources.
This document provides an overview of database security platforms and the evolution of this market. Some key points:
- Database security platforms have evolved beyond just monitoring database activity and now incorporate features like vulnerability assessment, user rights management, data discovery/filtering, and blocking capabilities.
- The increased scope of monitoring coverage and additional security features mean "Database Activity Monitoring" is no longer an accurate term - these solutions are now more appropriately called "Database Security Platforms."
- These platforms consolidate multiple database security tools into a single solution and can monitor both relational and non-relational databases as well as multiple database types.
- Vendors are beginning to differentiate their database security platforms based on primary use cases
The document discusses how Windows Credentials Editor (WCE) can be used to obtain credentials stored in memory on Windows systems, allowing an attacker to steal usernames and hashes to perform pass-the-hash attacks without cracking passwords. WCE enables bypassing common pre-exploitation techniques by directly using harvested credentials. Leaving logon sessions disconnected rather than logged off can leave credentials exposed in memory as "zombie sessions".
By using specially crafted parameters in double quotes, it is possible to bypass the input validation of the Oracle dbms_assert package and inject SQL code. This allows dozens of already patched Oracle vulnerabilities to be exploited again across versions 8.1.7.4 to 10.2.0.2. The researcher notified Oracle of the problem in April 2006. To mitigate risks, privileges like CREATE PROCEDURE should be revoked to prevent injection of malicious functions or procedures.
This document describes a new method for exploiting PL/SQL injection without needing to create functions or procedures. It involves injecting a pre-compiled cursor using the DBMS_SQL package to execute arbitrary SQL. The attacker can use this to grant privileges to themselves or create their own functions without any system privileges beyond CREATE SESSION. It provides an example exploiting the SDO_DROP_USER_BEFORE trigger in Oracle to gain DBA privileges in this way without needing CREATE PROCEDURE permission.
This document discusses a vulnerability in Oracle databases that allows privilege escalation from CREATE USER privileges to SYSDBA privileges. It provides code examples demonstrating how a user with CREATE USER privileges can create a function with the same name as a built-in SYS function to override the namespace and elevate their privileges when SYS executes the function. The document outlines best practices for prevention, including not logging in as SYS, closely monitoring CREATE USER privileges, and using a tool like Sentrigo Hedgehog for advanced monitoring and alerts. It also provides recommendations for forensic response if privilege escalation occurs.
1. The document discusses SSH tricks and configuration tips for securing SSH connections and servers. It provides examples of SSH client-side one-liners and ways to quickly set up an SSH server.
2. SSH is a secure network protocol for exchanging data between networked devices. The document outlines ways to lock down SSH servers and clients through configuration files and access controls.
3. The document shows examples of SSH port forwarding, tunnels, and other one-liners that can enable remote access or administration through SSH connections.
The document discusses a Layer 7 DDOS attack called an HTTP POST attack. It works by sending legitimate HTTP POST requests to a server but slowly sending the content over an extended period, tying up server resources. This attack is more effective than the HTTP GET Slowloris attack as it fully sends the HTTP headers immediately, bypassing defenses against Slowloris. The attack code example shows how it generates random content lengths and sends payload bytes slowly over time to perform the DDOS attack.
This document summarizes optimizations to TLS/SSL including False Start, Snap Start, and defenses against the BEAST attack. False Start allows the client to send application data before receiving the server's Finished message to reduce latency. Snap Start uses cached handshake parameters to further reduce latency. However, both introduce security risks. The BEAST attack exploits TLS CBC encryption and IV reuse, but can be prevented by changing the encryption mode or adding padding.
Kyle Young presents on SSH tricks and configuration tips. He discusses the history and uses of SSH, how to securely connect to SSH servers by verifying fingerprints, and ways to lock down SSH servers and clients through configuration files like sshd_config and ssh_config. He also shares some useful SSH client-side one-liners.
This document describes padding oracle attacks on cryptographic hardware devices that allow encrypted keys to be imported. It presents two types of attacks: 1) An improved Bleichenbacher attack that exploits RSA PKCS#1v1.5 padding to reveal an imported private key in an average of 49,000 oracle queries. 2) An adaptation of the Vaudenay CBC attack to reveal keys encrypted with CBC and PKCS#5 padding. It demonstrates these attacks on commercial security tokens, smartcards, and electronic ID cards to reveal stored cryptographic keys.
The document discusses proper password hashing methods for securely storing passwords. It begins by stating that most websites currently do not properly store passwords, either in plaintext or with a single hash without salt. This is irresponsible. The document then discusses proper hashing methods that should be used, including adding salt, using key derivation functions like PBKDF2, ARC4PBKDF2, and bcrypt. PBKDF2 works by repeatedly hashing the password with a salt, while ARC4PBKDF2 additionally encrypts the password and hashes with an evolving ARC4 stream for added complexity. Bcrypt is also an adaptive function that works similarly to PBKDF2 but in a more complicated way. The document
This document proposes a new method for improving the cryptanalytic time-memory trade-off technique. The original technique, introduced by Hellman in 1980, precomputes ciphertexts to reduce cryptanalysis time at the cost of memory usage. The new method reduces the number of calculations needed during cryptanalysis by a factor of two compared to the existing approach using distinguished points. As an example, the new method can crack 99.9% of Windows password hashes in 13.6 seconds using 1.4GB of precomputed data, much faster than the 101 seconds taken by the existing approach.
This document provides an introduction and overview of threading and concurrency in Perl. It begins with definitions of threads and concurrency basics. It then discusses Perl's implementation of threads since version 5.6, noting that global variables are non-shared by default and sharing must be explicit. The document outlines various threading primitives and synchronization mechanisms in Perl like locks, condition variables, and shows examples of building thread-safe data structures like queues. It concludes with best practices and implementing other common synchronization primitives.
The document is a series of lines repeatedly stating "Author: Bill Buchanan". It does not contain any other substantive information in the content. The author of the document is Bill Buchanan, as his name is listed on every line.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor IvaniukFwdays
At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
What is an RPA CoE? Session 1 – CoE VisionDianaGray10
In the first session, we will review the organization's vision and how this has an impact on the COE Structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
The Microsoft 365 Migration Tutorial For Beginner.pptxoperationspcvita
This presentation will help you understand the power of Microsoft 365. However, we have mentioned every productivity app included in Office 365. Additionally, we have suggested the migration situation related to Office 365 and how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframePrecisely
Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market.
Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsDianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for
seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
2. What's in this talk
● Introduction & Theory
– Symmetric Crypto
– Public Key Crypto
– Encryption and signing
● GPG/PGP
– What it is
– Key creation and basic management
– Encryption & decryption
– Signing
– Key management
3. What's in the next talk(s)?
● gpg
– Mail client integration; GUIs
● ssh
– Key creation; Use; Key management; Agents
● X.509 certificates
– Generating certs; Management in browsers;
Apache and HTTPS
8. Theory: Public Key Crypto
Hello, Hello,
World World
A B
QRGEF QRGEF
AJJTO AJJTO
9. Public/Private Keys
● Public Key ● Private key
– Can be seen by – Must be kept secret
anyone – Can be used to find
– System still secure matching public
key
B
A
● Keys generated together as a keypair
14. GPG: What does it do?
● Everything:
– Encryption
– Decryption
– Signing
– Signature checking
– Web of trust
15. Key creation
$ gpg --gen-key
...
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits
long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
16. Key creation
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 5y
Key expires at Wed 30 Jan 2013 14:28:40 GMT
Is this correct? (y/N) y
17. Key creation
You need a user ID to identify your key; the
software constructs the user ID
from the Real Name, Comment and Email Address in
this form:
"Heinrich Heine (Der Dichter) <heinrichh@...>"
Real name: Harry Pearce
Email address: pearceh@mi5.gov.uk
Comment: Section D
You selected this USER-ID:
"Harry Pearce (Section D) <pearceh@mi5.gov.uk>"
Change (N)ame, (C)omment, (E)mail or
(O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
Enter passphrase:
18. Key creation
gpg: key 603652F2 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2013-01-30
pub 1024D/603652F2 2008-02-01 [expires: 2013-01-30]
Key fingerprint = 628B 640D A7A6 4F98 D746 E355 8B26 B823 6036 52F2
uid Harry Pearce (Head of Section D) <pearceh@mi5.gov.uk>
sub 2048g/FFC30BC8 2008-02-01 [expires: 2013-01-30]
All done, keypair created.
20. Encryption
$ gpg -e my-secrets.txt
You did not specify a user ID. (you may use "-r")
Current recipients:
Enter the user ID. End with an empty line:
pearceh@mi5.gov.uk
Current recipients:
2048g/0FC718A8 2007-12-07 "Harry Pearce (Head of
Section D) <pearceh@mi5.gov.uk>"
Enter the user ID. End with an empty line:
$ ls
my-secrets.txt my-secrets.txt.gpg
21. Decryption
pearce@willow:~$ gpg -d my-secrets.txt.gpg
You need a passphrase to unlock the secret key for
user: “Harry Pearce (Section D) <pearceh@mi5.gov.uk>”
2048-bit ELG-E key, ID FFC30BC8, created 2008-02-01
(main key ID 603652F2)
Enter passphrase:
Section D personnel
Carter, Adam
Younis, Zafar
Portman, Jo
Wynn-Jones, Malcolm
James, Connie
22. Signatures
pearce@willow:~$ cat will.txt
In the event of my death, I hereby leave all my
worldly goods and chattels to the Battersea Dogs Home.
Harry Pearce.
pearce@willow:~$ gpg --clearsign will.txt
You need a passphrase to unlock the secret key for
user: "Harry Pearce (Section D) <pearceh@mi5.gov.uk>"
1024-bit DSA key, ID 603652F2, created 2008-02-01
pearce@willow:~$ ls
my-secrets.txt my-secrets.txt.gpg will.txt
will.txt.asc
23. Signatures
pearce@willow:~$ cat will.txt.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
In the event of my death, I hereby leave all my
worldly goods and chattels
to the Battersea Dogs Home.
Harry Pearce.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHoztsiya4I2A2UvIRAqHrAJ9SzWJkBcBQepCIrtZNTTz8gd
qBuACfXlC2
rWl83jYJKlJbmNx7THQRIWw=
=mBj0
-----END PGP SIGNATURE-----
24. Verify a signature
pearce@willow:~$ gpg --verify will.txt.asc
gpg: Signature made Fri 01 Feb 2008 15:31:56 GMT
using DSA key ID 603652F2
gpg: Good signature from "Harry Pearce (Section
D) <pearceh@mi5.gov.uk>"
25. Key Distribution
● Q. How to get your public key to someone?
● A. A Public Key server!
●
● Upload your key to the server
● Others can download it
– Verify your signatures
– Encrypt files for you to read
27. Key Distribution
pearce@willow:~$ gpg --recv-keys --keyserver
wwwkeys.uk.pgp.net EA2B228F
gpg: requesting key EA2B228F from hkp server
wwwkeys.uk.pgp.net
gpg: key EA2B228F: public key "Hugo Mills (University
of Southampton) <hugo@omii.ac.uk>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP
trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q,
0n, 0m, 0f, 1u
gpg: next trustdb check due at 2013-01-30
gpg: Total number processed: 1
gpg: imported: 1
28. Web Of Trust
● Q. How do I know the key is good?
● A. Web of Trust
●
● Signing a key
– I have verified the identity of the person
– I have verified that this key is controlled by
that person
– I trust this person to perform those same
checks well
30. Keysigning
● Signing a key is a statement that:
– I believe and have verified that this key is
controlled by a person matching the identity
in the key
– I trust this person to perform similarly good
identity checks
●
● Beforehand
– gpg --fingerprint 603652F2
– Print out several copies on slips of paper
31. Keysigning
● When you meet
– Exchange fingerprint slips and ID papers
– Check ID papers against person (does the
photo match?)
– Check ID papers against the key details
– Initial the slip and keep it
– Hand papers back
● What to accept for ID?
– Passport, national ID card, photo driving
license, other government-issued photo ID
– Some people only accept passport – up to you
32. Keysigning
● After you meet
– gpg --recv-keys keyid
– gpg --fingerprint keyid
● Check this with the fingerprint on paper
– dd if=/dev/urandom count=64 bs=1 |
hexdump >person.gpg
● Encrypt and mail it to their email addresses,
asking for it to be returned to you.
– Check the returned mail against the copy you
kept
– Sign and upload the key
33. Keysigning
pearce@willow:~$ gpg --ask-cert-level --sign-key EA2B228F
[...]
pub 1024D/EA2B228F created: 2007-09-06 expires: 2009-09-05
usage: SC
trust: unknown validity: unknown
Primary key fingerprint: 8995 11CC 3CA7 690C C09E 43B3 420D F030
EA2B 228F
Hugo Mills (University of Southampton) <hugo@omii.ac.uk>
This key is due to expire on 2009-09-05.
How carefully have you verified the key you are about to sign
actually belongs
to the person named above? If you don't know what to answer,
enter "0".
(0) I will not answer. (default)
(1) I have not checked at all.
(2) I have done casual checking.
(3) I have done very careful checking.
34. Keysigning
Your selection? (enter `?' for more information): 3
Are you sure that you want to sign this key with your
key "Harry Pearce (Section D) <pearceh@mi5.gov.uk>" (603652F2)
I have checked this key very carefully.
Really sign? (y/N) y
You need a passphrase to unlock the secret key for
user: "Harry Pearce (Section D) <pearceh@mi5.gov.uk>"
1024-bit DSA key, ID 603652F2, created 2008-02-01
passphrase
pearce@willow:~$ gpg --send-keys EA2B228F
gpg: sending key EA2B228F to hkp server wwwkeys.uk.pgp.net
All done.
35. Key Management
● List public keys
– gpg --list-keys
● List public keys and their fingerprints
– gpg --fingerprint
● List public keys and their signatures
– gpg --list-sigs
● Can do this for a particular key using key
ID, name or email address to search
37. Key Revocation
● If your key becomes compromised, or
otherwise defunct
– Private key file lost, stolen or compromised
– Lost passphrase
– No longer used
– Newer key in use
● Use a revocation certificate to cancel your
key
● Generate cert when you generate key
38. Key revocation
● Generate a revocation cert
– gpg --gen-revoke 603652F2 >revoke.gpg
● Best when you generate the key
● Keep this file safe
● To revoke the key, import it into GPG
– gpg --import <revoke.gpg
– gpg --send-keys 603652F2
39. Further reading
● gpg --edit-key has a “help” command
● http://gnupg.org/