JavaOne 2016 Talk
In the world of DevOps and the cloud, most developers have to learn new technologies and methodologies. The focus tends to be on adding capabilities such as resilience and scaling to an application. One critical aspect consistently overlooked is security. In this session, learn about a few of the simple actions you can take (and some behaviors you must change) to create a more secure Java application for the cloud. The world of the cybercriminal is closer than you realize. Hear how at risk your application may be, see practical examples of how you can inadvertently leave the doors open, and understand what you can do to make your Java solution more secure.
JAX London 2016: Cybercrime and the Developer, by Steve Poole
In the emerging world of DevOps and the Cloud, most developers are trying to learn new technologies and methodologies. The focus tends to be on adding capabilities such as resiliency and scaling to an application. Still, one critical item consistently overlooked is security.
The world of the Cyber Criminal is closer than you realize. Watch a real man-in-the-middle demonstration and learn just how simple it can be for others to steal your secrets. In this talk you’ll learn about other practical examples of how you can inadvertently leave the doors open and what you can do to keep your system secure. In the end, security is everyone’s concern, and this talk will teach you a few simple actions you can take (and some behaviours you must change) to create a more secure application in the Cloud.
Cybercrime and the Developer: How to Start Defending Against the Darker Side, by Steve Poole
In the world of DevOps and the cloud, most developers have to learn new technologies and methodologies. The focus tends to be on adding capabilities such as resilience and scaling to an application. One critical aspect consistently overlooked is security. In this session, learn about a few of the simple actions you can take (and some behaviours you must change) to create a more secure Java application for the cloud. The world of the cybercriminal is closer than you realize. Hear how at risk your application may be, see practical examples of how you can inadvertently leave the doors open, and understand what you can do to make your Java solution more secure.
Devnexus 2017 - Cybercrime and the Developer: How do you make a difference? by Steve Poole
Cybercrime: how bad can it be? Organised attacks around the world in 2016 have shown how unprepared we are to deal with the growth of cybercrime. In this talk, learn a little about the scale of the challenge developers face from assaults on our systems. Be prepared to be appalled and scared. Fainting is not allowed. Discover how to fight back and see how you can change your behaviour and your code to defend against these attacks.
Your destiny is clear - it’s time to become a Cyber Defender
In the world of DevOps and the cloud, most developers have to learn new technologies and methodologies. The focus tends to be on adding capabilities such as resilience and scaling to an application. One critical aspect consistently overlooked is security.
In this session, learn about a few of the simple actions you can take (and some behaviors you must change) to create a more secure Java application for the cloud. The world of the cyber criminal is closer than you realize. Hear how at risk your application may be, see practical examples of how you can inadvertently leave the doors open, and understand what you can do to make your Java solution more secure.
Humorous discussion presenting some of the kinds of risks that face public-facing corporate websites, ranging from hacking to legal to social media scares. Slides are illustrative in nature, and the aim of the talk is more awareness than anything else.
This wonderful presentation, appropriate for teens and young adults, was created by Symantec's Rayane Hazimeh for the Dubai Techfest, 2013. We thank her for generously sharing her content with the SlideShare community.
Basic Security for Digital Companies - #MarketersUnbound (2014), by Justin Bull
Speaking about how to go about taking security seriously in a digital company. Be it from scratch, or fixing a legacy codebase, learn from Canada Revenue Agency's Heartbleed mess-up and advice from a white-hat hacker.
Creating a digital toolkit for users: How to teach our users how to limit the..., by Justin Denton
Ever wonder what you should or shouldn’t share on the internet? Do you see users who are posting everything they possibly can on the internet and wonder how to help educate them to protect themselves?
All of this collective sharing creates a data gold mine for hackers to do their evil bidding. In this session we will talk about what to post on the internet and what not to. We will also look into what hackers can use from the information you’ve posted on the internet and how they can use it to gain access to your and your users’ personal lives, accounts, credit cards, and more. During this session, we’ll dive into building a strategy plan to help limit and hopefully eliminate these references from your digital footprint, to help ensure you are more secure than you were when you first started this session.
By the end of this webinar, attendees will have a virtual toolkit and strategies to help educate users on protecting themselves while online.
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info..., by Alexandre Sieira
The human mind evolved to draw quick conclusions for survival. Behavioral economists, like Daniel Kahneman and Dan Ariely, are publishing research on when, why and how decision making can be consistently and predictably irrational. You could say these researchers are reverse engineering the wetware, finding bugs and race conditions and disclosing them.

People are key to an organization’s information security, even if you believe in the “people, processes and technology” tripod. People define and execute processes. People decide funding for, implement, operate and/or monitor the technology. Your adversaries are people. At least until we reach the AI singularity, that is.

Until then, the aim of this talk is to present some of the counter-intuitive findings of behavioral economics research and their implications for how information security is handled at the organizational and market levels. Our hope is that the audience will find they could benefit from changing established, seemingly sensible and logical actions we all do to better match how the wetware actually works.
Presented at BSides SF on Feb. 28th, 2016.
The Information Age has been marked by data privacy scandals and resulting landmark legislation: the implementation of GDPR, mass data leaks, Cambridge Analytica and numerous hacking incidents have taught governments and global corporate entities that cybersecurity is paramount. How are you protecting the data of your clients, consumers and users? Join this session to update yourself on the latest thinking in the field with expertise from Guy Golan, renowned cyber security and privacy expert and corporate governance specialist. More details to follow.
Threat hunting - Every day is hunting season, by Ben Boyd
Breakout Presentation by Ben Boyd during the 2018 Nebraska Cybersecurity Conference.
Introduction to Threat Hunting and helpful steps for building a Threat Hunting Program of any size, from small to massive.
Info Session on Cybersecurity & Cybersecurity Study Jams, by GDSCCVR
In an era where digital threats are ever-evolving, understanding the fundamentals of cybersecurity is crucial.
Highlights of the Event:
💡 Google Cybersecurity Certification Scholarship.
🎭 Cloning and Phishing Demystified
🚨 Unravelling the Depths of Database Breaches
🛡️ Digital safety 101
🧼 Self-Check for Cyber Hygiene
⏺️ Event Details:
Date: 18th December 2023
Time: 6:00 PM to 7:00 PM
Venue: Online
An Introduction To IT Security And Privacy In Libraries & Anywhere, by Blake Carver
An hour-long presentation I gave for LYRASIS. It introduces many topics in security and privacy on the internet and computers and any other type of device with an IP address: IoT (Internet of Things), browsers, portable devices and more. In this hour I focused on things to train in libraries, security awareness training and other things relevant to people in libraries, librarians and anyone else in a library. There's a focus on practical ways to secure yourself, browsers and other things. Also some discussion on privacy.
Key Takeaways for Java Developers from the State of the Software Supply Chain..., by Steve Poole
Maven Central hits 1 Trillion downloads, Cyber bad guys make $6 Trillion, Governments respond and of course AI. What happened this year and what does it mean for 2024? A look at what Sonatype discovered in preparing the 9th State of the Software Supply Chain Report and what it could mean for developers in the future.
2024 is going to be difficult for all of us: find out how, why and just what you need to do next!
THRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECH, by Steve Poole
For all in IT—Developer, QA, DevOps, or SecOps—the future is driven by two game-changers: the ascent of Generative AI and heightened governmental scrutiny of software. Similar to the industrial revolution’s upheaval, their influence will revolutionise and reinvent the technology we use and our relationship with it. We’ll unpack how these factors redefine our tech practices today and tomorrow. Prepare for role evolution, new opportunities, and shifts, including the evolving dynamic with open source. Join this deep dive to discern the real ramifications.
Similar to Cybercrime and the Developer: How to Start Defending Against the Darker Side [CON3328]
Maven Central++: What's happening at the core of the Java supply chain, by Steve Poole
In the Java world, Maven Central is the most important single service. You can get Java SDKs and even container images from various vendors, but Java code comes from only one place: Maven Central.
Serving over 10 billion requests a week, Maven Central is sooo boring, sooo reliable that it’s understandable that it’s mostly invisible. It’s just there.
Times are changing and so is Maven Central.
As cyberattacks grow the defences at Maven Central have grown too and now we're on the offence. Learn how Maven Central is working with the Linux Foundation and others to add features and services that will keep the Java community safer, more informed and better prepared.
GIDS-2023: A New Hope for 2023? What Developers Must Learn Next, by Steve Poole
Over the last ten years we’ve seen cybercrime accelerate beyond all comprehension. We’ve seen the growing and relentless impact it has on our society and our economies. It’s taken a long time for the world to act, but finally we’re coming together to resist this uniquely 21st-century evil.
At the heart of the resistance are developers. Whatever role you have, whatever programming language or software you use - the battle is at your door.
In this session we’ll brief you on the state of the situation and what you can do to be more prepared. We’ll look at the bad guys and how they operate, we’ll examine recent legal and government responses and, most importantly, how the software industry is working together to create the tools, frameworks and education needed to help us all become the developers we need to be.
A new hope for 2023? What developers must learn next, by Steve Poole
Over the last ten years, we’ve seen cybercrime accelerate beyond all comprehension and the growing and relentless impact it has on our society and economies. It’s taken a long time for the world to act, but finally, we’re coming together to resist this uniquely 21st-century evil.
At the heart of the resistance are developers. Whatever role you have, whatever programming language or software you use - the battle is at your door.
In this session, we’ll brief you on the state of the situation and what you can do to be more prepared: we’ll look at the bad guys and how they operate, examine recent legal and government responses and, most importantly, see how the software industry is working together to create the tools, frameworks and education needed to help us all become the developers we need to be.
Three-card Monte, Find the Lady - the game goes by many names but at its core is a simple scam. You think you're in control but you're not: it's a game you can't win, and if you do it's only temporary to give you false confidence.
Software delivery is rapidly becoming a shell game: bad actors trying to force you to use compromised components, bad actors trying to take over your build processes and insert malware, bad actors subverting your processes while giving you false confidence that everything is ok.
This session introduces you to an active defence you can start to use now.
In this talk we’ll explain how the SBOM or Software Bill of Materials is emerging as the base for new tools and new thinking about producing software.
We’ll explain what an SBOM is, how it provides significant protection against software delivery attacks and what tools exist today for you to use.
We’ll walk through from source code to deployment and examine where the bad guys can get in and what SBOM related defences exist.
Learning how the shell game is played reduces the risk. Avoiding the game altogether is the wiser choice. SBOMs may just be the way to do that.
Superman or Ironman - can everyone be a 10x developer? by Steve Poole
It’s all about productivity or maybe it’s all about delivering value. Or creating secure applications, dealing with changing directions.
Whatever it is, we often feel that we’re lacking - that it’s hard enough to be any sort of developer. That even 1x is often a challenge.
In this talk we’re going to examine how to think more clearly about being a Java developer, help you understand the tools and approaches that can offer practical insight into how you work now, and provide guidance on alternatives that just might give you the powered armour you need.
A mix of tools, proven processes, new techniques and lessons learnt the hard way make up a session designed to help you understand that being a 10x developer isn’t about having super powers - it’s about using the powers you already have in wiser, more considered ways.
It’s just there. Just like the stars, just like electricity, just like Java.
In the Java world, Maven Central is the most important single service. You can get Java SDKs and even container images from various vendors, but Java code comes from only one place: Maven Central.
Serving over 10 billion requests a week, Maven Central is sooo boring, sooo reliable that it’s understandable that it’s mostly invisible. It’s just there.
Recently though we’ve seen questions raised about the Java code that is hosted there. Other repositories have been experiencing unprecedented attempts to upload malware and even in the Java world there are significant vulnerabilities that some have called to be removed.
This talk is intended to give you the background of Maven Central and what the philosophy is for dealing with problematic content.
We’ll also explore how the service works under the covers, the APIs you might not be aware of and what’s coming up next.
Maven Central is not going away - but it might just get more exciting!
It’s just there. Just like the stars, just like electricity, just like Java.
In the Java world, Maven Central is the most important single service. You can get Java SDKs and even container images from various vendors, but Java code comes from only one place: Maven Central.
Serving over 10 billion requests a week, Maven Central is sooo boring, sooo reliable that it’s understandable that it’s mostly invisible. It’s just there.
Recently though we’ve seen questions raised about the Java code that is hosted there. Other repositories have been experiencing unprecedented attempts to upload malware and even in the Java world there are significant vulnerabilities that some have called to be removed.
This talk is intended to give you the background of Maven Central, explain why Sonatype (who are the stewards of Maven Central) provide such a critical service, and what our philosophy is for dealing with problematic content.
We’ll also explore how the service works under the covers, the APIs you might not be aware of and what’s coming up next.
Maven Central is not going away - but it might just get more exciting!
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ..., by Steve Poole
A small but vital step on a long road was made last year. The President of the USA signed an executive order towards improving the situation on cybersecurity. In this session you’ll learn more about what was ordered and how it’s the beginning of a significant change in how software will be developed, delivered and secured in the future – not just in the USA but world wide too. The need to have a vastly improved software supply chain to counter the challenges of cyber attacks is well understood and many tools already exist. Learn more about the tooling landscape, what’s on the horizon and how presidential orders, the software industry and application development are coming together to take even bigger steps towards safeguarding the future.
Log4Shell - Armageddon or Opportunity.pptx, by Steve Poole
It’s said that everyone remembers where they were when a momentous event occurs. Where were you on the 10 December 2021 or did the most comprehensively dangerous Java vulnerability pass you by?
Don’t be fooled into thinking it’s all over. Even by mid-year the number of vulnerable servers will still be high, because organisations still fail to assess their vulnerability state correctly.
In this session I’ll cover, in detail, the actual mechanics of the vulnerability and demo a simple attack. I’ll take you through why this vulnerability can be as bad as it gets, and explain what the options are to protect your application and how to assess if you’re still at risk.
It’s not all bad news. The Log4Shell wake-up call shows us that we’re not paying the right sort of attention to security across the board, but we can learn to do better. I’ll end the talk by explaining why security really matters, what developers can do to improve their understanding of security principles in general, and cover some of the practical next steps that are available.
Log4Shell is changing our world - let’s make sure it’s for the right reasons. Opportunity is knocking on your door.
Want to make some money? A little bitcoin on the side? In this session we’ll take you through a few of the ways that ransomware works. Probably one of the fastest growing forms of cybercrime, we’ll explore the motivations (it’s not all about money), how a typical attack occurs, how your actions and inactions help make the problem worse, and generally educate you on the ransomware-as-a-service business that could easily be coming to a server near you. Take the time to see how your CI/CD pipelines can be vulnerable and what you can do to make your application safer and your data more secure.
Some say ransomware is simply a cost of doing business - whether that’s true or not, ransomware is not going away any time soon. This talk will help you get up to speed and started on your journey of improving your defences.
Game Over or Game Changing? Why Software Development May Never be the same again, by Steve Poole
A small but vital step on a long road was made this year. The President of the USA signed an executive order towards improving the situation on cybersecurity. In this session you’ll learn more about what was ordered and how it’s the beginning of a significant change in how software will be developed, delivered and secured in the future – not just in the USA but world wide too. The need to have a vastly improved software supply chain to counter the challenges of cyber attacks is well understood and many tools already exist. Learn more about the tooling landscape, what’s on the horizon and how presidential orders, the software industry and application development are coming together to take even bigger steps towards safeguarding the future.
Agile Islands 2020 - Dashboards and Culture, by Steve Poole
This talk examines how what you share will define you. The act of monitoring and dashboarding can have a profound effect, good or bad, on the attitudes and culture of the teams involved. With supporting case studies, this session will show you how to help make any team more effective.
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE..., by Steve Poole
Much of the adoption of Agile and DevOps tools and processes focuses on the benefits to delivering high quality code on an industrial scale. Although we all recognise that good visual representations of progress and status are critical, it may not be obvious that the act of visualisation can have a profound effect on the attitudes and culture of the teams involved. The right sort of data and appropriate dashboarding can improve the morale and effectiveness of all the teams involved. The wrong sort can have the opposite effect.
This talk examines how what you share will define you. Through real examples and a live demo, the speaker will show you how to design status and trend displays that will make your teams more effective without overloading them. The talk will also include case studies with various types of teams to highlight how you can apply this thinking to help make any group more effective.
Beyond the Pi: What’s Next for the Hacker in All of Us? by Steve Poole
Being a geek can be a tough life. Once you’ve got those LEDs blinking or that robot car moving around, the fun can be over. So what else is there to play with? What other exciting ideas are out there? For the geek at heart, this session showcases some of the new and newish tech that’s available for you to play with.
From AR to VR, from mind control to autonomous drones, we have a lot of everything, and some of it will even be on display. Whether it’s tech you can wear or tech that swims, we’ve got the insight. Bring your mind, and let us refuel your imagination.
Drooling optional.
A Modern Fairy Tale: Java Serialization, by Steve Poole
Once, long ago, we looked at serialization as an important addition to Java. As the years passed, we began to recognize the flaws in its design and sighed. Today we realize that the story of serialization has become a dark and twisted tale. In this session, see why we still need serialization, how the built-in design is fatally flawed, and how it is being exploited and used against us. Learn how to work against the dark arts rallied against us, and understand how even the alternative forms of Java serialization can still be open to attack.
Does this tale have a happy ending? Can goodness prevail and can you make your application safe from Java serialisation weaknesses?
Only you can decide.
SOCRadar Research Team: Latest Activities of IntelBroker, by SOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
Navigating the Metaverse: A Journey into Virtual Evolution"Donna Lenk
Join us for an exploration of the Metaverse's evolution, where innovation meets imagination. Discover new dimensions of virtual events, engage with thought-provoking discussions, and witness the transformative power of digital realms."
How Recreation Management Software Can Streamline Your Operations.pptxwottaspaceseo
Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.
Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here are a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics.
To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfJay Das
With the advent of artificial intelligence or AI tools, project management processes are undergoing a transformative shift. By using tools like ChatGPT, and Bard organizations can empower their leaders and managers to plan, execute, and monitor projects more effectively.
In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey.
Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience.
Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system.
Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.
top nidhi software solution freedownloadvrstrong314
This presentation emphasizes the importance of data security and legal compliance for Nidhi companies in India. It highlights how online Nidhi software solutions, like Vector Nidhi Software, offer advanced features tailored to these needs. Key aspects include encryption, access controls, and audit trails to ensure data security. The software complies with regulatory guidelines from the MCA and RBI and adheres to Nidhi Rules, 2014. With customizable, user-friendly interfaces and real-time features, these Nidhi software solutions enhance efficiency, support growth, and provide exceptional member services. The presentation concludes with contact information for further inquiries.
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...informapgpstrackings
Keep tabs on your field staff effortlessly with Informap Technology Centre LLC. Real-time tracking, task assignment, and smart features for efficient management. Request a live demo today!
For more details, visit us : https://informapuae.com/field-staff-tracking/
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Anthony Dahanne
Les Buildpacks existent depuis plus de 10 ans ! D’abord, ils étaient utilisés pour détecter et construire une application avant de la déployer sur certains PaaS. Ensuite, nous avons pu créer des images Docker (OCI) avec leur dernière génération, les Cloud Native Buildpacks (CNCF en incubation). Sont-ils une bonne alternative au Dockerfile ? Que sont les buildpacks Paketo ? Quelles communautés les soutiennent et comment ?
Venez le découvrir lors de cette session ignite
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
Into the Box Keynote Day 2: Unveiling amazing updates and announcements for modern CFML developers! Get ready for exciting releases and updates on Ortus tools and products. Stay tuned for cutting-edge innovations designed to boost your productivity.
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTier1 app
Even though at surface level ‘java.lang.OutOfMemoryError’ appears as one single error; underlyingly there are 9 types of OutOfMemoryError. Each type of OutOfMemoryError has different causes, diagnosis approaches and solutions. This session equips you with the knowledge, tools, and techniques needed to troubleshoot and conquer OutOfMemoryError in all its forms, ensuring smoother, more efficient Java applications.
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
Large Language Models and the End of ProgrammingMatt Welsh
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
A Comprehensive Look at Generative AI in Retail App Testing.pdfkalichargn70th171
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns
Unlocking Business Potential: Tailored Technology Solutions by Prosigns
Discover how Prosigns, a leading technology solutions provider, partners with businesses to drive innovation and success. Our presentation showcases our comprehensive range of services, including custom software development, web and mobile app development, AI & ML solutions, blockchain integration, DevOps services, and Microsoft Dynamics 365 support.
Custom Software Development: Prosigns specializes in creating bespoke software solutions that cater to your unique business needs. Our team of experts works closely with you to understand your requirements and deliver tailor-made software that enhances efficiency and drives growth.
Web and Mobile App Development: From responsive websites to intuitive mobile applications, Prosigns develops cutting-edge solutions that engage users and deliver seamless experiences across devices.
AI & ML Solutions: Harnessing the power of Artificial Intelligence and Machine Learning, Prosigns provides smart solutions that automate processes, provide valuable insights, and drive informed decision-making.
Blockchain Integration: Prosigns offers comprehensive blockchain solutions, including development, integration, and consulting services, enabling businesses to leverage blockchain technology for enhanced security, transparency, and efficiency.
DevOps Services: Prosigns' DevOps services streamline development and operations processes, ensuring faster and more reliable software delivery through automation and continuous integration.
Microsoft Dynamics 365 Support: Prosigns provides comprehensive support and maintenance services for Microsoft Dynamics 365, ensuring your system is always up-to-date, secure, and running smoothly.
Learn how our collaborative approach and dedication to excellence help businesses achieve their goals and stay ahead in today's digital landscape. From concept to deployment, Prosigns is your trusted partner for transforming ideas into reality and unlocking the full potential of your business.
Join us on a journey of innovation and growth. Let's partner for success with Prosigns.
2. About me
Steve Poole
IBM Lead Engineer
@spoole167
Making Java Real Since Version 0.9
Open Source Advocate
DevOps Practitioner (whatever that means!)
Driving Change
Currently creating Development Pipeline tool chains for IBM cloud products
3. This talk
• I’m a DevOps practitioner – not a security expert.
• Arose because of “compliance”
• What does that mean?
• How do I find out more?
• Arose because I didn’t understand what the fuss was all about
• Arose because giving uneducated developers access to cloud resources generally has unfortunate consequences
• Is not about Application Design
• It’s about how and why we need to behave differently.
• Here’s what I’ve learnt so far…
But I know quite a few now
4. Outline
• What’s the problem – why does this all matter?
• Who is at risk?
• Who are the bad guys?
• How do they get in?
• How you need to change?
• What you need to change?
• Going forward..
9. “Organized Cybercrime is the most profitable type of crime”
• Cybercrime is estimated to be worth 445 Billion Dollars a Year
• In 2013 the United Nations Office on Drugs and Crime (UNODC) estimated
globally the illicit drug trade was worth 435 Billion Dollars
• Guess which one has the least risk to the criminal?
• Guess which is growing the fastest?
• Guess which one is the hardest to prosecute?
• Guess which one is predicted to reach 2100 Billion Dollars by 2019?
12. What data are they after?
• Moving beyond credit card numbers
• Long-term identity theft
• That means quiet and repeated infiltration
• No more cyber-graffiti: “Thiz Site belonz to uz”
• Though any personal data is useful and worth $$$
• Medical data, sensitive personal information etc.
• Information that gives insight into behaviour
• Access to your systems
Lesson 1
Protect all data
13. It’s about facts about you
• Any piece of personal information about YOU is useful. It gets sold on and somewhere someone brings it all together.
• Can I connect your email address to your date of birth?
• Can I find out where you live?
• Can I find out who you work for?
• Can I find out what you think about your boss?
• Can I find out what sites you’ve visited?
• The more I know about you, the more I can refine the attack.
• The more I know about you, the more $$ I can make.
• And attacks are more than “technical”.
Lesson 2
All your data is valuable
14. • DEAR SIR/MA'AM.
• YOUR ATM CARD OF $10.5MILLION DOLLARS WAS RETURNED TODAY BY OUR COURIER
DELIVERY COMPANY, AND WE ARE GOING TO CANCEL THE ATM CARD IF YOU FAILS TO
ACKNOWLEDGE THIS MESSAGE, WE SHALL ALSO ASSUME THAT WHAT OUR COURIER
DELIVERY COMPANY TOLD US IS NOTHING BUT THE TRUTH THAT YOU DON'T NEED YOUR
ATM CARD OF $10.5 MILLION DOLLARS ANY LONGER.
• DO ACKNOWLEDGE THIS MESSAGE AS SOON AS POSSIBLE.
• YOURS FAITHFULLY.
• YOURS SINCERELY,
• MR MARK WRIGHT,
• DIRECTOR FOREIGN REMITTANCE
• ATM CARD SWIFT PAYMENT DEPARTMENT
• ZENITH BANK OF NIGERIA.
😀
15. Federal Bureau of Investigation (FBI)
Anti-Terrorist And Monitory Crime Division.
Federal Bureau Of Investigation.
J.Edgar.Hoover Building Washington Dc
Customers Service Hours / Monday To Saturday
Office Hours Monday To Saturday:
Dear Beneficiary,
Series of meetings have been held over the past 7 months with the secretary general of
the United Nations Organization. This ended 3 days ago. It is obvious that you have not
received your fund which is to the tune of $16.5million due to past corrupt Governmental
Officials who almost held the fund to themselves for their selfish reason and some
individuals who have taken advantage of your fund all in an attempt to swindle your fund
which has led to so many losses from your end and unnecessary delay in the receipt of
your fund.for more information do get back to us.
….
Upon receipt of payment the delivery officer will ensure that your package is sent within
24 working hours.
😀
16. Dear Winner,
This is to inform you that you have been selected for a prize of a brand
new 2016 Model BMW Hydrogen 7 Series Car, a Check of $500,000.00
USD and an Apple laptop from the international balloting programs
held on the 27th, section of the 2016 annual award promo in the
UNITED STATE OF AMERICA.
😀
18. From <your boss>
I’ve spoken to the Italians and they will send us the goods if we pay
$3M immediately. Details below.
I’m off to the golf course – no distractions please.
☹️
Lesson 3
If something is suspicious or unusual, double check. You think all the bad guys are stupid?
19. An email from an international transport company urging recipients to open a waybill in a zip (the zip content launches a downloader).
The targets are busy and not IT savvy. The criminals are IT savvy and industry savvy.
☹️ ☹️
20. Even more
Email instructions to victims to download an Android app onto a mobile device.
That app contains an SMS hijacker.
The app listens for incoming SMS messages containing transaction authorization codes from the bank.
Lesson 4
Never install software without checking its provenance
21. Phishing -> Spear Phishing -> Personalised Attacks
• The move is towards more organised and long-term attacks that are hidden from view.
• Think about this: when you’re trawling the net for gullible people you set the bar low.
• With personalised attacks you invest more and make it compelling.
• Your victims’ views on Facebook about their boss, how busy they are, important deals coming up. It all helps to craft that million dollar scam…
22. Who’s being targeted?
• Middle-level executives: afraid of their bosses?
• New joiners: easy to make a mistake?
• Busy and harassed key individuals: too busy to take time to consider?
• Disgruntled employees: want to hurt the company? Make some $?
• And developers: the golden goose.
Lesson 5
The bad guys prey on the weak, vulnerable and ignorant
23. Developers
• Why?
• We know the inside story
• We write the code
• We have elevated privileges
• We are over-trusting
• We use other people’s code and tools without inspection
• We are ignorant of security matters
Lesson 6
The bad guys prey on the weak, vulnerable and ignorant: that’s you
25. Ever googled for:
“very trusting trust manager”
“Getting Java to accept all certs over HTTPS”
“How to Trust Any SSL Certificate”
“Disable Certificate Validation in Java”
26. Ever written something like this?

    import java.security.cert.X509Certificate;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    // Deliberately insecure, reproduced as the talk shows it: every certificate
    // from every server is accepted, so TLS no longer authenticates the peer.
    TrustManager[] trustAllCerts = new TrustManager[] {
        new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() {
                return null;   // should be an empty array; null breaks some callers, another smell
            }
            public void checkClientTrusted(X509Certificate[] certs, String authType) {
                // no check: any client certificate passes
            }
            public void checkServerTrusted(X509Certificate[] certs, String authType) {
                // no check: any server certificate passes, including a gateway's
            }
            // Not part of javax.net.ssl.X509TrustManager; leftovers from the old
            // com.sun.net.ssl interface this snippet was copied through.
            public boolean isClientTrusted(X509Certificate[] cert) {
                return true;
            }
            public boolean isServerTrusted(X509Certificate[] cert) {
                return true;
            }
        }
    };
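The safe answer to the same problem, including slide 60’s “the server I access is self-signed” case, is to trust the one certificate you actually know rather than every certificate. The following is an added example written for this page, not code from the talk: it loads the server’s (or, better, your private CA’s) certificate from a PEM file into an empty in-memory key store, hands that to the JDK’s real PKIX validator, keeps hostname verification on, and refuses to follow a redirect from https to http. The class name, the file-path argument and the use of the Java 11+ `java.net.http.HttpClient` are my choices, not anything the slides prescribe.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.time.Duration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

/**
 * The opposite of a trust-all TrustManager: trust exactly the certificate(s)
 * in one PEM file and nothing else, and keep hostname checking switched on.
 * Added example for this page; the PEM path is supplied by the caller.
 */
public final class PinnedHttpsClient {

    /** Build an SSLContext whose trust store holds only the certificates in pemFile. */
    static SSLContext trustOnly(Path pemFile) throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null);                       // empty in-memory store: nothing from cacerts
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int n = 0;
        try (InputStream in = Files.newInputStream(pemFile)) {
            for (Certificate c : cf.generateCertificates(in)) {   // reads a whole PEM bundle
                store.setCertificateEntry("pinned-" + n++, c);
            }
        }
        if (n == 0) {
            throw new GeneralSecurityException("no certificates found in " + pemFile);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);                              // the real PKIX validator, not a stub
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** An HttpClient that uses the pinned context, verifies hostnames and never downgrades to http. */
    static HttpClient client(SSLContext ctx) {
        SSLParameters params = new SSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");   // certificate must match the host name
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        return HttpClient.newBuilder()
                .sslContext(ctx)
                .sslParameters(params)
                .followRedirects(HttpClient.Redirect.NORMAL)  // follows redirects, except https -> http
                .connectTimeout(Duration.ofSeconds(10))
                .build();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: PinnedHttpsClient <server-or-ca-cert.pem> <https-url>");
            return;
        }
        URI target = URI.create(args[1]);
        if (!"https".equalsIgnoreCase(target.getScheme())) {
            throw new IllegalArgumentException("refusing to send over plaintext: " + target);
        }
        HttpClient http = client(trustOnly(Path.of(args[0])));
        HttpResponse<String> rsp = http.send(
                HttpRequest.newBuilder(target).GET().build(),
                HttpResponse.BodyHandlers.ofString());
        System.out.println(rsp.statusCode() + " from " + rsp.uri());
    }
}
```

If a gateway like the one in the later man-in-the-middle slides presents its own certificate, `send` fails with an `IOException` wrapping an `SSLHandshakeException` instead of silently succeeding, which is exactly the behaviour the trust-all manager throws away. Pinning a leaf certificate means the client breaks when the server rotates it; pinning the issuing CA’s certificate survives rotation, so prefer that where you control the CA.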
29. We’ve all done something like that
We do it all the time
The whole world does it
How bad can it be?
GitHub search “implements TrustManager” ….
32. We’ve found 72,609 code results
AlwaysValidTrustManager
TrustAllServersWrappingTrustManager
“A very friendly, accepting trust manager factory. Allows anything through. All kinds of certificates are accepted and trusted.”
“A very trusting trust manager that accepts anything”
// Install the all-trusting trust manager
OverTrustingTrustProvider
AllTrustingSecurityManagerPlugin.java
AcceptingTrustManagerFactory.java
AllTrustingCertHttpRequester.java
33. Developers are too trusting.
Linux repos
npm
“npm is the package manager for JavaScript. Find, share, and reuse packages of code from hundreds of thousands of developers — and assemble them in powerful new ways.”
Great sentiments. But caveat emptor.
35. So who are the
bad guys?
https://www.flickr.com/photos/monsieurlui/
36. A mirror of you?
• Organized and methodical
• organized like startup companies.
• “employ” highly experienced developers with deep knowledge
• Constantly innovating malware, seeking out vulnerabilities
• Sharing what they find with each other (for $ of course)
• Goal focused
• the average age of a cybercriminal is 35 years old.
37. Already into crime
• Adrian Leppard, the Commissioner of the City of London Police:
• “We estimate that around 25 per cent of the organized crime groups in this
country are now involved in financial crime in one shape or another…”
• University of Cambridge researchers report that 60% of cyber-criminals had
criminal records which were completely unrelated to cyber-crime
• “those traditional offenders are changing their behavior and moving to the
internet”.
Lesson 7
Cybercriminals mostly get caught for something other than cybercrime
39. Basic ways in: The old fashioned set
• Social engineering – convince you to open the door
• Vulnerability exploits – find doors already open
• Inside information – you tell them where the keys are for gain
Lesson 8
The bad guys can already get into your systems more easily than you ever thought possible.
40. Vulnerabilities
• Bugs and design flaws in your software and the software you use.
• Everyone has them.
• Researchers are looking for them all the time.
• So are the bad guys.
https://www.flickr.com/photos/electronicfrontierfoundation/
42. Vulnerabilities
• It’s usually a combination of software weaknesses that get exploited
• Sometimes a BIG exploit appears
• Zero-day exploits are just that: they hit before a patch exists
• Shame we don’t give them much attention
• Someone else’s problem?
Lesson 9
Vulnerabilities are everywhere
Lesson 10
Keeping up-to-date with critical patches is one of the most important things you can do
Lesson 11
Ignoring this side of software engineering is criminal
43. The new attack vectors
• Devices, Devices, Devices
• Eavesdropping, network devices with default passwords
• Drive-by gateways
• Ransomware
• Blackmail and extortion
• Extending Malware into real products.
• Helpful free stuff – like docker images
• Dangerous paid stuff - like game trainers
• Actual ’at the source’ injections - like pull requests!
• Like unknown helpful people – do you know what can happen in a git merge?
https://www.flickr.com/photos/famzoo/
44. Devices inside your network
• What CPUs are connected to your network?
• Smart printers?
• Smart TVs?
• BYODs?
• How many devices have default passwords?
• How many computers have passwords that everyone knows?
• How many are running older, unpatched software?
Lesson 12
You cannot ever assume your internal network is safe and uncompromised
Lesson 13
Really strong authentication is an imperative.
45. Personal Passwords
• What can I say: use keys wherever you can
• Treat passwords and private keys like the crown jewels.
• Have as many different passwords/keys as you can for different functions and activities
• Use a good password safe
• Never divulge your password to anyone or write it down.
• Once it’s out of your hands treat it as hacked
Lesson 14
Understand just how easily (or not) passwords can be cracked
https://en.wikipedia.org/wiki/Password_cracking
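To put numbers on Lesson 14, here is an added example (mine, not from the talk) that times how many guesses per second one CPU core can check against an unsalted SHA-256 hash versus a PBKDF2-HMAC-SHA256 hash at the 600,000-iteration work factor OWASP recommends, and turns that into the time needed to exhaust every eight-letter lowercase password. The figures it prints depend on your machine; the iteration count, the sample sizes and the `hunter…` guess strings are constructed for the demo, and Java 17 or later is assumed for `HexFormat`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HexFormat;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** How fast can one guess be checked? Unsalted SHA-256 versus PBKDF2-HMAC-SHA256. Added example. */
public final class CrackCost {

    static final int ITERATIONS = 600_000;   // OWASP's 2023 figure for PBKDF2-HMAC-SHA256
    static final int KEY_BITS = 256;

    /** Hex of a plain, unsalted SHA-256: what a leaked "password database" too often contains. */
    static String sha256Hex(String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return HexFormat.of().formatHex(md.digest(password.getBytes(StandardCharsets.UTF_8)));
    }

    /** Hex of PBKDF2-HMAC-SHA256(password, salt, ITERATIONS): one check costs 600k HMACs. */
    static String pbkdf2Hex(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return HexFormat.of().formatHex(f.generateSecret(spec).getEncoded());
        } finally {
            spec.clearPassword();
        }
    }

    interface HashFn { String hash(String guess) throws Exception; }

    /** Measure guesses per second for a hash function on this machine, single-threaded. */
    static double guessesPerSecond(int guesses, HashFn fn) throws Exception {
        long start = System.nanoTime();
        for (int i = 0; i < guesses; i++) {
            fn.hash("hunter" + i);   // a different constructed guess each time, as a cracker would
        }
        double seconds = (System.nanoTime() - start) / 1e9;
        return guesses / seconds;
    }

    /** Worst-case seconds to try every password of the given length over an alphabet. */
    static double secondsToExhaust(int alphabet, int length, double guessesPerSecond) {
        return Math.pow(alphabet, length) / guessesPerSecond;
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);   // per-user random salt; never reuse across users

        double fast = guessesPerSecond(200_000, CrackCost::sha256Hex);
        double slow = guessesPerSecond(3, guess -> pbkdf2Hex(guess.toCharArray(), salt));

        System.out.printf("SHA-256: %,.0f guesses/s on one core%n", fast);
        System.out.printf("PBKDF2:  %,.2f guesses/s on one core%n", slow);
        // 8 lowercase letters: 26^8 = 208,827,064,576 candidates
        System.out.printf("exhaust 8 lowercase letters: SHA-256 %.1f hours, PBKDF2 %.0f years%n",
                secondsToExhaust(26, 8, fast) / 3600,
                secondsToExhaust(26, 8, slow) / (3600.0 * 24 * 365));
    }
}
```

A single core is a deliberately gentle adversary: commodity GPUs check billions of SHA-256 candidates per second, so the absolute times will be far shorter than what this prints. The ratio is the lesson: a slow, salted KDF costs the attacker the same factor per guess that it costs you per login, and you only pay it once.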
46. Wifi gateways are everywhere
How do you know that an SSID you see is not fake?
In your office. In your home. At a conference. In a coffee shop.
51. Man in the middle attack for http
(SSID: OpenConference, password: easy)
browser -> gateway: Give me data
gateway -> website: Give me data
website -> gateway: Here is data
gateway: do bad things with the data
gateway -> browser: Here is data
52. The normal (simplified) flow for https
browser -> website: Client Hello (max SSL version supported)
website -> browser: Server Hello (what SSL version to be used)
website -> browser: Server SSL certificate
browser: check the certificate against the Certificate Authorities
browser -> website: send random local key encoded using the server SSL certificate
Secure, two way encrypted communications
53. Man in the middle attack for https – version 1
browser -> gateway: Client Hello
gateway -> website: Client Hello (the gateway opens its own TLS session to the real site)
website -> gateway: Server Hello, Server SSL certificate
gateway -> website: send random local key
gateway <-> website: secure, two way communications
gateway -> browser: Server Hello, Gateway SSL certificate
browser: check the gateway certificate against the Certificate Authorities
browser -> gateway: send a different random local key
browser <-> gateway: “secure” communications, which the gateway can read and alter before relaying them
Version 1: the gateway certificate is not issued by any public Certificate Authority, so the attack depends on the check being skipped (a trust-all TrustManager) or the warning being clicked through.
54. Man in the middle attack for https – version 2
Same flow; the gateway certificate chains to a Bogus Certificate Authority that the browser has been made to trust, so the check passes.
55. Man in the middle attack for https – version 3
Same flow; the gateway certificate is issued by an Internal CA that the machine already trusts, so the check passes and no warning is shown.
56. It gets worse
• If your initial request to a server is http (i.e. unencrypted)
• A MITM can replace all inline https references with http
• Then when your form is submitted it’s sent unencrypted
• Maybe the server will bounce the request. But it’s too late: your private data is gone.
• Typical pattern:
1. The MITM tracks a single important server target. The thieves know how the flows work. They track your usage.
2. When your userid / password is requested the https has already been forced to http.
3. Your data is sent in the clear. The MITM sends you a ‘there was a problem’ message and gets out of your way.
4. You refresh and resubmit.
5. None the wiser…
57. Stealing your data with http
browser -> gateway: http request for the login page
gateway -> website: fetches the page; its form posts to https://foo.com
gateway -> browser: the same page with the form rewritten to post to http://foo.com
browser -> gateway: http post with userid / password, in the clear
gateway: keeps the credentials and replies “Server unavailable”
browser: RELOAD and resubmit; this time the post goes to https://foo.com and succeeds
58. Wifi gateways
Lesson 15
There are so many ways your data is at risk.
Use a VPN to get to a gateway you trust.
Be very wary of http URLs in general.
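On the server side, the defence against the downgrade in slides 56 and 57 is to make the browser refuse plaintext in the first place. The following is an added example for this page, not code from the talk, using the JDK’s built-in `com.sun.net.httpserver`: the plaintext listener does nothing but 301 to https, and the https listener sends `Strict-Transport-Security` so that a returning browser will not even try http. Ports 8080/8443, the host-name argument and the PKCS#12 keystore path and password are assumptions for the demo; the https listener only starts if a keystore is supplied.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsServer;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

/** A plaintext listener that only redirects, and an https listener that sends HSTS. Added example. */
public final class HstsDemo {

    // One year, covering subdomains. Add "; preload" only after submitting the
    // domain to the browser preload list, which is what protects first visits.
    static final String HSTS = "max-age=31536000; includeSubDomains";

    /** http side: never serve content here, never echo user input, just send the browser to https. */
    static final class RedirectToHttps implements HttpHandler {
        private final String httpsHost;            // assumed form: "foo.com" or "localhost:8443"
        RedirectToHttps(String httpsHost) { this.httpsHost = httpsHost; }

        @Override public void handle(HttpExchange ex) throws IOException {
            String target = "https://" + httpsHost + ex.getRequestURI();
            ex.getResponseHeaders().set("Location", target);
            ex.sendResponseHeaders(301, -1);       // -1: no response body
            ex.close();
        }
    }

    /** https side: HSTS on every response (browsers ignore the header on plain http). */
    static final class HstsHandler implements HttpHandler {
        @Override public void handle(HttpExchange ex) throws IOException {
            ex.getResponseHeaders().set("Strict-Transport-Security", HSTS);
            byte[] body = "served over https\n".getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            try (OutputStream out = ex.getResponseBody()) { out.write(body); }
        }
    }

    /** Server-side TLS context from a PKCS#12 file holding the site key and certificate. */
    static SSLContext serverContext(Path pkcs12, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(pkcs12)) { ks.load(in, password); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String httpsHost = args.length > 0 ? args[0] : "localhost:8443";

        HttpServer http = HttpServer.create(new InetSocketAddress(8080), 0);
        http.createContext("/", new RedirectToHttps(httpsHost));
        http.start();
        System.out.println("http://localhost:8080/... -> 301 https://" + httpsHost + "/...");

        if (args.length == 3) {                    // <https-host> <site.p12> <password>
            HttpsServer https = HttpsServer.create(new InetSocketAddress(8443), 0);
            https.setHttpsConfigurator(new HttpsConfigurator(
                    serverContext(Path.of(args[1]), args[2].toCharArray())));
            https.createContext("/", new HstsHandler());
            https.start();
            System.out.println("https://" + httpsHost + "/ sends Strict-Transport-Security");
        }
    }
}
```

HSTS does not protect the very first visit made through an attacker’s gateway, which is what the preload list is for, and the 301 on its own does not stop the attack at all: a MITM simply follows the redirect itself and keeps talking http to the victim. The header must only ever be sent over https; browsers ignore it on plaintext responses, and the redirect handler deliberately does not set it.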
59. Man in the middle attacks
Lesson 16
You cannot assume the data you have accessed is valid unless you have a secure connection at all times.
Otherwise you could download modified or copied files: Docker images, ISOs, exes, RPMs, PowerPoint, text files. Anything.
Lesson 17
Assertions and assumptions don’t “cut the mustard”. Deep dive into the communications processes and prove it.
60. More bad news
• Our use of tools that interact over SSL tends to have the certificate checking turned off!
• For reasonable reasons?
• “The server I access is self-signed”
• “I want to access multiple servers”
• Unexpectedly?
• “I thought I was using the tool correctly”
• “I didn’t realize what the default setting was”
• “I trusted the tool to do the right thing”
• Maliciously?
• “Someone changed the script and I don’t know why”
61. Lesson 18 – sloppy use of tools will bite you big time
Lesson 19 – Don’t make assumptions. Prove the tools do what you expect. Build “fake / compromised” target servers etc. and add them to your test suites.
Lesson 20 – Reduce opportunities for unaccountable process changes by adopting DevOps principles for Infrastructure-as-Code etc.
62. And even worse…
• Developers download code, tools, certificates etc. without considering the consequences.
• We believe implicitly that other developers are trustworthy.
“How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript”
Code pulled from npm, which everyone was using
http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/
What if he’d added malware instead?
63. Lesson 21 – Don’t download or depend on random code. Ensure you trust the providers and you understand what they are doing to earn and keep your trust. Examine the processes they have to ensure that the code / binaries / certificates being hosted are legitimate.
Lesson 22 – Build your own internal caches and repositories. Scan them for known vulnerabilities AND change all those embedded default passwords. OR buy the service from someone you trust.
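Lesson 4 (check provenance) and Lesson 21 (make sure hosted binaries are legitimate) both come down to the same mechanical check: compare what you downloaded with a digest you recorded in advance. This added example (mine, not the talk’s) pins a SHA-256 for an artefact, compares it in constant time, and parses the `sha256sum`-style sidecar that repositories publish next to a file. The demo data is constructed: the pinned value is the published SHA-256 test vector for the string `abc`, and `left-pad-1.0.0.jar` is an invented file name. Java 17 or later is assumed for `HexFormat`.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.Optional;

/** Pin the SHA-256 of an artefact you depend on and refuse to use it if the digest moves. Added example. */
public final class ArtifactCheck {

    static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** True only if data hashes to expectedHex; the comparison is constant-time. */
    static boolean matches(byte[] data, String expectedHex) {
        byte[] expected = HexFormat.of().parseHex(expectedHex.trim().toLowerCase());
        return MessageDigest.isEqual(sha256(data), expected);
    }

    /**
     * Parse the first digest from a sha256sum-style sidecar ("<hex>  name.jar\n").
     * Returns empty if no line starts with a 64-hex-digit digest.
     */
    static Optional<String> digestFromSidecar(String sidecarText) {
        for (String line : sidecarText.split("\\R")) {
            String[] parts = line.trim().split("\\s+");
            if (parts.length > 0 && parts[0].matches("[0-9a-fA-F]{64}")) {
                return Optional.of(parts[0].toLowerCase());
            }
        }
        return Optional.empty();
    }

    /** Verify an on-disk artefact against a digest pinned in your build, not one fetched alongside it. */
    static boolean verifyFile(Path artifact, String pinnedHex) throws IOException {
        return matches(Files.readAllBytes(artifact), pinnedHex);
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2) {                    // <artifact> <pinned-sha256-hex>
            System.out.println(verifyFile(Path.of(args[0]), args[1]) ? "OK" : "MISMATCH: do not use");
            return;
        }
        // Constructed demo data: SHA-256("abc") is a published test vector.
        String pinned = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";
        byte[] genuine = "abc".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "abd".getBytes(StandardCharsets.UTF_8);   // one byte changed
        System.out.println("genuine  -> " + matches(genuine, pinned));
        System.out.println("tampered -> " + matches(tampered, pinned));
        System.out.println("sidecar  -> " + digestFromSidecar(pinned + "  left-pad-1.0.0.jar\n").orElse("none"));
    }
}
```

A `.sha256` file fetched from the same server as the artefact only proves the download was not corrupted in transit; whoever can replace the jar can replace the sidecar too. The digest has to live with your build (a lockfile or verification metadata committed to your repository), and the internal repository of Lesson 22 is the place to enforce it before anything reaches a developer machine.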
64. Recap
• Cybercrime is set to become the largest form of crime ever
• Developers are key to preventing this
• We’re one of the worst adopters of security protocols and practices
With great power comes great responsibility
65. • “Developers are overly-focused on testing and scanning for known vulnerabilities in software after it’s been released, and under-focused on poor software development practices that lead to vulnerable applications that hackers can exploit. This may be the biggest cyber threat of all.”
• Frank Zinghini, CEO of Applied Visions
66. Developers to the rescue?
• What we all have to do differently from now on
• Be much more security conscious
• Become intimately aware of how the bad guys get in
• Reduce our blind trust levels
• Learn how authentication and encryption actually works
• Make security a part of our psyche
• Bring Security Architects into the development process
67. More snippets of advice
• Don’t allow any admin access from outside your firewall except via a VPN
• Don’t allow admin / critical functions to be executed on arbitrary developer machines
• Use strong firewalls on every system
• Whitelist outgoing connections.
• Hack your own systems…
• Change ALL default passwords
• Docker: if there is no Dockerfile, run away. If there is a Dockerfile, read it and build your own image. (How do you know the image and the Dockerfile match?)
• Reduce the likelihood of exploits etc. escaping by using separate virtual machines for different activities.
• Don’t add developer backdoors!
68. https://www.flickr.com/photos/schill/
Why do you need a blanket “god” mode?
Why would you deploy a server or application with default passwords unchanged?
Why would you share this power?
Why would you remain ignorant of how your system or home is kept secure?
Would you have one key for every lock at home?
Would you give your colleagues power of attorney over you?
Would you have a front door with a lock that everyone in the world had a key to?