Securing TodoMVC Using the Web Cryptography API - Kevin Hakanson
The open source TodoMVC project implements a Todo application using popular JavaScript MV* frameworks. Some of the implementations add support for compile-to-JavaScript languages, module loaders and real-time backends. This presentation will demonstrate a TodoMVC implementation which adds support for the forthcoming W3C Web Cryptography API, as well as review some key cryptographic concepts and definitions.
Instead of storing the Todo list as plaintext in localStorage, this "secure" TodoMVC implementation encrypts Todos using a password-derived key. The PBKDF2 algorithm is used for the deriveKey operation, with getRandomValues generating a cryptographically random salt. The importKey method sets up usage of AES-CBC for both encrypt and decrypt operations. The final solution helps address item "A6-Sensitive Data Exposure" from the OWASP Top 10.
With the Web Cryptography API being a recommendation in 2014, any Q&A time will likely include browser implementations and limitations, and whether JavaScript cryptography adds any value.
Developer's Guide to JavaScript and Web Cryptography - Kevin Hakanson
The increasing capabilities and performance of the web platform allow for more feature-rich user experiences. How can JavaScript-based applications utilize information security and cryptography principles? This session will explore the current state of JavaScript and Web Cryptography. We will review some basic concepts and definitions, discuss the role of TLS/SSL, show some working examples that apply cryptography to real-world use cases and take a peek at the upcoming W3C WebCryptoAPI. Code samples will use CryptoJS in the browser and the Node.js Crypto module on the server. An extended example will secure the popular TodoMVC project using PBKDF2 for key generation, HMAC for data integrity and AES for encryption.
(Blockchain Training: https://www.edureka.co/blockchain-training)
Hashgraph is a consensus mechanism based on virtual voting. How is this better than Blockchain? Or is it? Find out while we compare these two in this short tutorial.
Here is the link to the Blockchain blog series: https://goo.gl/DPoAHR
You can also refer to this playlist on Blockchain: https://goo.gl/V5iayd
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards - SecuRing
Last year at AppSec EU I had a presentation about Ethereum smart contracts and did a technical showcase of some of their potential vulnerabilities and security flaws. I also presented my proposition on how to handle the responsible disclosure process in the smart contracts world.
This year I want to focus on the whole process of security testing and present it through analogies to web applications, which are quite well known. Smart contracts are described as Web3 decentralized apps and I believe that my talk will not only shed new light on this subject but will also help to understand and organize the way of testing. I am going to cover the whole SDLC and show the similarities and differences between smart contracts and web applications at each step.
The presented overview is especially important nowadays when the biggest companies are building their own blockchain platforms and cryptocurrencies – e.g. Libra introduced by Facebook (which by the way also supports smart contracts).
I am also going to show the differences in the arsenal of vulnerabilities, security tools and standards by analogy to the web apps arsenal. I think that, even though there exist a lot of great security projects for smart contracts, we do not have a single, widely accepted security standard (such as ASVS in the web apps world). I would like to discuss potential work that needs to be done in that area and show my preliminary work on that matter.
After this presentation the audience will know the similarities and differences between smart contracts and web apps in the SDLC and in the arsenal of tools and standards, and will also have a fresh overview of possible options and current trends.
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards - SecuRing
The presentation focuses on the whole process of security testing and presents it through analogies to web applications, which are quite well known. It covers the whole SDLC and shows the similarities and differences in the arsenal of vulnerabilities, security tools and standards between smart contracts and web applications at each step. Even though there exist a lot of great security projects for smart contracts, we do not have a single, widely accepted security standard (such as ASVS in the web apps world). That is why we introduce SCSVS (Smart Contract Security Verification Standard), an open-source 13-part checklist created to standardize the security of smart contracts for developers, architects, security reviewers and vendors.
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment - Sergey Gordeychik
Denis Kolegov, Oleg Broslavsky, Power of Community 2018, Seoul, Korea
Today, «SD-WAN» is a very hot and attractive topic. Software-defined WAN (SD-WAN) is a technology based on the software-defined network (SDN) approach applied to wide area networks (WAN) in enterprise networks. According to Gartner's predictions study, more than 50% of routers will be replaced with SD-WAN solutions by 2020.
In this presentation, we disclose a set of vulnerabilities in widespread and most popular SD-WAN products including Citrix NetScaler and Silver Peak EdgeConnect. We present the new results of our research, consider some technical details of the insecure design and the vulnerabilities found, and describe different attack scenarios that may allow an attacker to compromise SD-WAN control and data planes.
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ... - SecuRing
The most common blockchain-based application is Bitcoin - a cryptocurrency worth a couple of thousand dollars per BTC. But Bitcoin is built on Blockchain 1.0. The second generation of blockchain opened a much broader field of application and is described as a mechanism allowing programmable transactions. Smart Contracts, as they are called, are scripts that are executed and stored in the blockchain...
As the industry embraces a culture of automation and continuous delivery, the rate of change is faster than ever. Security testing traditionally happens just before deploying to production: can this scale when deployments happen more frequently? This talk will discuss how the same automation tooling that enables continuous change can be leveraged to enable continuous security too.
Author: Jakub Kaluzny
Let's talk about large-scale security programmes and maintaining security with tens of project teams - agile or waterfall, in-house or outsourced. I will discuss how to effectively track security requirements, organise threat modelling sessions, log output from those and translate it into penetration testing scope and test cases. We will dive deep into evil brainstorming, come up with abuser stories for each user story and define what makes the SDLC process secure or not. This talk is based on my work with different organisations in multiple countries and observations of what works well with regard to security at scale and what does not.
Improving privacy in blockchain using homomorphic encryption - Razi Rais
The slide deck from my session on "Privacy in the blockchain using homomorphic encryption" at the blockchain conference (http://blockchainconf.tech).
Agenda:
1. Understand Privacy & Role of Homomorphic Encryption (HE)
2. Blockchain & Zero-Knowledge Proofs (zk-SNARKS)
3. Tools & Technologies
4. Demos (Healthcare & Identity)
After my offensive presentation "Testing iOS Apps without Jailbreak in 2018" it is time to focus on building, not just breaking. This talk will cover the most important milestones in reaching secure iOS/macOS apps. I'm going to show you how to develop modern & secure iOS/macOS apps using new security features presented at Apple's latest Worldwide Developers Conference. Hackers will be satisfied as well, since I'm going to cover the pen tester's perspective too. What's more - I will share with you details of multiple vulnerabilities (*including some not previously disclosed*) that I found during security assessments and my research of Apple's applications.
CONFidence 2018: Defense-in-depth techniques for modern web applications and ... - PROIDEA
In this presentation, we show promising new defense-in-depth techniques to protect modern web applications from old and new classes of bugs: Suborigins to have finer-grained control over origin boundaries, Site Isolation and XSDB against Spectre and Meltdown attacks, and last but not least Origin and Feature Policy. In addition to that, we explain new features of the upcoming CSP 3 specification like 'unsafe-hashed-attributes' and give an overview of how we were able to enforce CSP as a strong mitigation against cross-site scripting on over 50% of production web traffic at Google. With increased adoption new challenges arise: dealing with CSP report noise - generated by buggy browsers, extensions, malware and security software - devising an effective monitoring infrastructure, and keeping on top of bypassing techniques. In this presentation we reveal how our internal CSP infrastructure works and how we solved problems, share our experience, show real-world examples, best practices and common pitfalls. Finally, we hint at a new promising web mitigation technique, which we hope to see gaining traction in the near future: Suborigins.
Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemo... - Codemotion
The dark-web, including TOR, FreeNet and I2P, is that part of the Internet that is not indexed by traditional search engines and where anonymity and confidentiality are enforced at the root. Because of these characteristics, cyber-criminals started abusing the dark-web to conduct illicit or malicious activities like illegal trading, malware hosting, and more recently targeted attacks. In this talk, we explore the cyber-criminal ecosystem in the dark-web and provide insights on its activities against hidden services and other users.
The 2nd Official W3C DID Working Group Meeting (The Netherlands) - SSIMeetup
https://ssimeetup.org/did-report-2-2nd-official-w3c-did-working-group-meeting-netherlands-drummond-reed-markus-sabadello-webinar-45/
The DID Report 2 about the Second Meeting of the W3C DID Working Group with Drummond Reed and Markus Sabadello from Danube Tech, co-authors of the W3C DID specification.
DID spec co-authors Drummond Reed and Markus Sabadello will report back from Amsterdam (The Netherlands) on the second official meeting of the W3C DID Working Group, taking place from January 29-31, 2020, to share highlights of the meeting and the roadmap for taking DIDs to a full Web standard.
This session will be followed one hour later by a full DID education session based on the DID chapter published with Manning by IdentityBook.info authors Drummond Reed, Markus Sabadello and Alex Preukschat. If you want to learn all the basics about DIDs please also join this session here: Webinar 46
Introduction to Web Application Security - Blackhoodie US 2018 - Niranjanaa Ragupathy
This slide deck is structured to start from the basics of web application security and explores common web attacks. The first half is packed with theory; while we are all for jumping into exercises, having a solid grasp of the fundamentals will be crucial to your success in webappsec.
The deck dives into XSS, CSRF and SQL injections. It briefly outlines others like XXE, SSRF, logic errors, broken session management, and so on.
Dev and Blind - Attacking the weakest Link in IT Security - Mario Heiderich
The developer is an easy and valuable target for malicious minds. The reasons for that are numerous and hard to come by. This talk delivers examples, proof, discussion and awkward moments in a pretty special way.
Everybody hates developers – especially web developers. And why not? The cracks and crevices of their APIs and implementations are the reason that vulnerabilities in web applications are still a widespread issue – and will continue to be in the foreseeable future.
Bashing and blaming them for their wrongdoings is fun – boy, they are stupid in their mistakes! But has anyone ever dared to have an open on stage battle with an actual developer?
And who of the developers dares to face their collective nemesis – the attacker? Can there be life where matter and anti-matter collide? We will know about this soon – because this is what this talk is going to be about. Developer versus attacker – vulnerability versus defense. Be prepared for swearing, violence and people leaving the stage prematurely in tears.
Getting Started in Blockchain Security and Smart Contract Auditing - Beau Bullock
Why is blockchain security important?
Blockchain usage has exploded since the Bitcoin whitepaper was first published in 2008. Many applications rely on this technology for increased trust and privacy, where they would otherwise be absent from a centralized system.
The ecosystem surrounding blockchain technology is large, complex, and has many moving pieces. Exchanges exist where users can transact various cryptocurrencies, NFTs, and tokens. Smart contracts can be written to programmatically apply behavior to blockchain transactions. Decentralized Finance (DeFi) markets exist where users can swap tokens without needing to sign up for an account.
All of these pieces are prone to vulnerabilities, and with blockchain being at the forefront of emerging technology new issues are being found daily.
In this Black Hills Information Security (BHIS) webcast, we'll use case studies about recent blockchain hacks to introduce the underlying issues that occur in writing/engineering smart contracts and that have ultimately led to the loss of millions of dollars to attackers.
The subject of passwords is important today since they protect all of your accounts, and are frequently attacked by crackers. In this presentation I examine the technology used to handle and protect passwords, and make recommendations for what the user can do to protect themselves online.
Session slides from Future Insights Live, Vegas 2015:
https://futureinsightslive.com/las-vegas-2015/
So many network intrusions, so many email spools made public. Remember HBGary, Stratfor, 'The Fappening', the Sony Pictures hacks? How about the Snowden Files? The potential liabilities of communicating in plain text have become too expensive to continue to do so. Zero-Knowledge systems can be made useful, elegant even. The problem with putting privacy first in our communications tools is that most of the existing privacy applications were created by crypto-nerds, most of whom have never overlapped with the world of UX. In this talk, Privacy will be put at the core of application design by way of new metaphors for arcane cryptography jargon (that few end users understand). Using frameworks and services created for this new 'privacy first' era, your application can be built in a way that removes liability, is regulatory-compliant and elegant.
Crypto workshop part 3 - Don't do this yourself - hannob
Slides from a workshop I held on cryptography for web developers.
Part 3 is about the complexity of writing crypto code and why you should avoid doing it yourself if you're not a real expert.
https://blog.hboeck.de/archives/849-Slides-from-cryptography-workshop-for-web-developers.html
Cryptocurrency is a fantastic payment option that differs from traditional cash in many ways. However, it faces a range of issues and dangers connected to cryptocurrency security, such as cyber attacks, phishing, and so on, since it is subject to the fewest regulations and standards. As a result, if you use cryptocurrencies, you should exercise care and get familiar with all of the methods available to safeguard the security of your bitcoin wallet.
Highly Secure Cryptography Algorithm Method to Safeguard Audios and Visuals - ijcisjournal
Internet hacking has become common nowadays and is increasing day by day. It is high time to safeguard our data. There are several cryptographic methods and algorithms that have evolved and already exist. What if additional protection could make us stress free? In this paper, I present a unique design of cryptographic algorithm which is specifically designed for auditory cryptography and visual cryptography to make the encryption and decryption technique stronger. The purpose is to make it very difficult to decode the file when an unauthorized user accesses the data. This algorithm is a combination of multiple techniques such as Ant Algorithm, Logical Gates Technique, Dual authorization PINs, Indexed Arrays. The combination of these techniques makes the algorithm unique and strong to secure the data. This research was implemented on audio files, images and video files. The study of the result shows an effective way of masking the data, as it is hard to decode without PINs. Also, the algorithm performs efficiently during the encryption and decryption process.
Secure by Default Web Applications with Apache SlingRobert Munteanu
A product that works is not done, as there are many facets to consider – availability, scalability, security. Of those, security is probably the most expensive to get wrong.
By analysing a simple web application built on top of Apache Sling and its threat model, we will review the main attack vectors and how they can be mitigated. You will see what the general approaches are and also how Apache Sling allows you to eliminate entire classes of vulnerabilities by using secure-by-default components. Although we will use Apache Sling for examples, previous knowledge of Sling or its components is not required.
20 years of web cryptography, and it's amazing how frequently it's configured sub-optimally. We've had numerous encryption algorithms, digests, protocols come, and should have GONE, but everyone has just left them on. It's time to shut out the legacy browser. The vast majority of the world's browser install base now auto-updates, and with strict (and prescriptive) compliance in force, we get to drop the bloat from the past. In this talk we'll cover the current TRANSITIONS we're going through from a web admin's perspective: TLS, Cipher Suites, HTTP Security Headers, CAs, the move to an encrypted-by-default web, and more.
CCPA (California Consumer Privacy Act) Tips For Software Developers and ManagersAdam Sbeta
You can NO LONGER prevent a cyber attack, but you CAN prevent the business impact and cost. What costs money is the breach, not the attack in itself.
"Secure Your Bottom Line: The Forgotten Cybersecurity Battleground" was a presentation given at the 2019 Silicon Valley Code Camp by CyberCrimeExperts.org to help software developers secure the weakest link, their own devices. It's also a call to assist in implanting a new generation that is aware of the drastic effect of default passwords, to incentivize them to design source code and IoT devices that don't have such a master key nor a default password that is not enforced to change.
MAIN TAKEAWAYS:
* Espionage has moved from physical to stealing technology to copy (like the Chinese J31 program and commercial C919)
* Don't store master keys or any passwords in your github or source code. Stored encrypted is better, but not having either is best.
* Stolen passwords are everywhere, which makes the cloud not that secure if you are reusing passwords or your own computer is not secure (regardless of your IT's efforts). 94% of data breaches had an Antivirus (not Next Generation Endpoint Protection with Intrusion Prevention System) and a high-end Firewall. Github ransomcloud had developers either pay the ransom or risk having their source code published as open-source :(
* A few tools to protect your source code or to store your device's processes in a database to query for any anomalies (if you love databases)
* Default passwords on routers allowed one group to take over 500,000 US home routers and redirect DNS requests, and taking over 10s of millions of IoT devices with default passwords attacked the internet in 2016. The bad guys have a lot more power now! So stop developing devices with default passwords, and think twice before plugging anything into the network or your machine.
* Don't write passwords in spreadsheets and on your computer. They're safer on a paper, but not on your screen! Try password managers for passwords you use the most, but understand what tool you're using and secure that very well.
* Make sure your laptop is encrypted, a stolen or lost laptop can cause a data breach.
* Passwords are so cheap on the dark web, know what you have out there.
* Wifi devices connect to the strongest link. Use the hotspot from your phone instead of public wifi, or at least use a known VPN and not the cheapest (you're paying them to store your traffic).
* Validate phone encryption and privacy, know what apps you're installing on work phones regardless of how famous they are. We are looking for companies to perform research on new phone privacy techniques.
* CCPA (The California Consumer Privacy Act) is due in January 2020 and most companies haven't even heard about it. As a non-profit, we are looking for companies to have open dialog about ways to reduce an impact of a cyber attack or data breach. It is similar to GDPR, and enforcement can be either by the Attorney General or class-action lawsuit.
Encryption in the Public Cloud: 16 Bits of Advice for Security TechniquesTrend Micro
Dave Asprey, VP-Cloud Security of Trend Micro, presented to members of the SDforum in Jan. 2011. This is an adapted version of his presentation which covers key considerations addressing data privacy concerns in the Cloud.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Cryptography In The Browser Using JavaScript
1. JavaScript Crypto In The Browser
Barry Steyn
barry.steyn@gmail.com
March 2013
Barry Steyn JavaScript Crypto In The Browser March 2013 1/9
2. Overview
1 What Is Cryptography
Definition
2 Cryptography In The Browser: Pros and Cons
The Pros
3 Cryptography In The Browser: Pros and Cons
The Cons
4 Cryptographic Jargon
Some Jargon
5 Block Ciphers, MACs And Key Derivation Functions
Three Important Constructions
6 The Stanford JavaScript Cryptographic Library
A quick Intro
A Demo
3. Cryptography: A Definition
Wikipedia Definition
Cryptography is the practice and study of techniques for secure
communication in the presence of third parties.
Cryptography = Computer Security
Cryptographic communication relies upon trust:
Examples: you trust the other party you are communicating with, you trust a certificate authority, etc.
The fewer entities you need to trust, the better the security.
Therefore, a good cryptographic protocol trusts as little as possible.
4. Cryptography In The Browser: Pros
Why Would One Want To Do Crypto In JavaScript On The Client
Encrypted peer-to-peer communication
Users can trust less by ensuring all crypto is done locally
A JavaScript interpreter is available on most internet devices
5. Cryptography In The Browser: Cons
Unfortunately, Crypto Security In The Browser Is Unknown At Best, And Insecure At Worst
Here are three reasons why
1 You need to download the JS crypto library from a trusted source. The less trust, the better the security.
2 A browser is not a good environment for crypto.
3 JavaScript's malleability is great for scripting, terrible for crypto security.
For more info, see http://www.matasano.com/articles/javascript-cryptography
You Have Been Warned!!!
6. Cryptography: Some Jargon
Encryption and Decryption
Encryption transforms a message that is in plain-text to cipher-text
Decryption transforms a cipher-text message to the original plain-text
Encryption takes two inputs
Key - kept secret
Plain-text message
Decryption takes two inputs
Key - kept secret
Cipher-text message - note that this is not secret, but is only useful if one knows the secret key
7. Cryptography: Block Cipher and Key Derivation
Block Cipher - The workhorse of the cryptographic world
Input - n byte message block
Output - n byte cipher-text block
Example block cipher: AES. Input and output are 16 bytes (128 bits)
MAC - Message Authentication Code
A MAC guarantees message integrity
Key Derivation Function
A key is normally derived from something a human should remember - for example, a password
A key derivation function makes storage safer - it does this by doing three things:
1 Passwords are hashed so as not to store them in plain text.
2 Passwords are salted to make them more secure against a rainbow table attack.
3 Key derivation is purposefully slow! Therefore, superior hardware (should in theory) struggle.
8. SJCL
So you still want to use crypto in the browser?
Then use The Stanford JavaScript Crypto Library
1 Its authors are hardcore cryptographers, led by Prof. Dan Boneh of Stanford University (who personally had a hand in writing the library).
2 It is easy to use, and it tries to make things as secure as possible while adhering to ease of use.
3 It's small (6.4 KB compressed)
9. SJCL - A Demo
Demo