The document discusses cybersecurity risks and how developers can help address them. It notes that cybercriminals target developers because they have privileged access and knowledge of systems. Developers are often too trusting and ignore security, installing software without checking for malware or disabling certificate validation. The talk urges developers to take security more seriously by keeping systems updated, using strong authentication, and being wary of suspicious network connections and downloads from untrusted sources. Developers must help address the growing problem of cybercrime by promoting secure development best practices.
Jax London 2016 – Cybercrime and the Developer – Steve Poole
In the emerging world of DevOps and the Cloud, most developers are trying to learn new technologies and methodologies. The focus tends to be on adding capabilities such as resiliency and scaling to an application. Still, one critical item consistently overlooked is security.
The world of the Cyber Criminal is closer than you realize. Watch a real man-in-the-middle demonstration and learn just how simple it can be for others to steal your secrets. In this talk you’ll learn about other practical examples of how you can inadvertently leave the doors open and what you can do to keep your system secure. In the end, security is everyone’s concern and this talk will teach you a few simple actions you can take (and some behaviours you must change) to create a more secure application in the Cloud.
Cybercrime and the Developer: How to Start Defending Against the Darker Side... – Steve Poole
JavaOne 2016 Talk
In the world of DevOps and the cloud, most developers have to learn new technologies and methodologies. The focus tends to be on adding capabilities such as resilience and scaling to an application. One critical aspect consistently overlooked is security. In this session, learn about a few of the simple actions you can take (and some behaviors you must change) to create a more secure Java application for the cloud. The world of the cybercriminal is closer than you realize. Hear how at risk your application may be, see practical examples of how you can inadvertently leave the doors open, and understand what you can do to make your Java solution more secure.
Devnexus 2017 – Cybercrime and the Developer: How do you make a difference? – Steve Poole
Cybercrime: how bad can it be? Organised attacks around the world in 2016 have shown how unprepared we are to deal with the growth of Cybercrime. In this talk learn a little about the scale of the challenge developers face from assaults on our systems. Be prepared to be appalled and scared. Fainting is not allowed. Discover how to fight back and see how you can change your behaviour and your code to defend against these attacks.
Your destiny is clear - it’s time to become a Cyber Defender
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver – EC-Council
CLOUD PROXY TECHNOLOGY [THE CHANGING LANDSCAPE OF THE NETWORK PROXY]
This class will cover the distinctions between traditional proxy technology and the emergence in recent years of cloud proxy, and why it matters to organizations today. We will review real use cases and their corresponding screenshots to provide a stimulating session.
BREAKING SMART [BANK] STATEMENTS
Explanation of how I find and exploit a security flaw (bad implementation of cryptography) in a bank statement, sent via email, of one of the biggest banks in Mexico.
My talk at VB2019, HITB Cyberweek 2019, CODEBLUE2019 and AVAR2019 about the APT attackers responsible for the coincheck/coinbase attack. The attackers are very active and discreet, and have already made a ton of illegal profit. Definitely interesting to track for security researchers/threat hunters.
This includes:
1. Victim's view
2. Attackers' view
3. Blue team's view
4. Malware information
5. The attackers' previous attacks
Basic Security for Digital Companies - #MarketersUnbound (2014) – Justin Bull
Speaking about how to go about taking security seriously in a digital company. Be it from scratch, or fixing a legacy codebase, learn from Canada Revenue Agency's Heartbleed mess-up and advice from a white-hat hacker.
The subject of passwords is important today since they protect all of your accounts, and are frequently attacked by crackers. In this presentation I examine the technology used to handle and protect passwords, and make recommendations for what the user can do to protect themselves online.
How do you make secure connections to Web sites? Can you be safe making connections and purchases online? This presentation will cover how security is achieved and give you suggestions for protecting yourself.
THOTCON 0x6: Going Kinetic on Electronic Crime Networks – John Bambenek
Defensive security is a rat race. We detect new threats, we reverse engineer them and develop defenses while the bad guys just make new threats. We often just document a new threat and stop when the blog post is published. This talk will take it a step further on how to proactively disrupt threats and threat actors, not just from your organization but completely. As a case study, Operation Tovar and whatever else I take down between now and THOTCON will be used as examples of how this can be accomplished without a large legal team and without massive collateral damage (i.e. the No-IP incident). Tools will be demonstrated that are used for near-time surveillance of criminal networks.
Phishing for clicks is like the VA portion of a Pentest. It feels nice being a hacker, but that fuzzy feeling wears off quickly, once you learn about command and control.
Everyone knows in theory what phishing is and what phishing emails look like; they may even theoretically know how it all works.
What about executing a Phishing campaign? This talk will show you the journey of setting up and executing a Phishing campaign to gain command and control. I have tried a few frameworks, coded some pages myself and will show the way I learned to Phish.
This is not just about sending an email and a link, this is about bypassing the email minefield to get the email to the target and having the payload call back out of the network.
We will go through:
Choosing and setting up a Phishing Framework
Cloning a site
Testing delivery and bypassing Spam filters with a payload (Click Once)
Testing different user interactions for executing payloads
Learning different payloads for command and control
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack... – EC-Council
DNS: STRATEGIES FOR REDUCING DATA LEAKAGE & PROTECTING ONLINE PRIVACY
DNS is the foundational protocol used to direct nearly all Internet traffic, making the collection and analysis of DNS traffic highly valuable. This talk will examine ways in which you can effectively limit the disclosure of your online habits by securing the way your local DNS resolvers work.
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone – Sector... – Chris Gates
Sector 2016 Chris Gates & Haydn Johnson
Purple Teaming is conducting focused Red Teams with clear training objectives for the Blue Team for the ultimate goal of improving the organization’s overall security posture. The popular opinion is that Purple Teaming requires a big undertaking. This is not true and we will show practical exercises for Purple Teaming for varying levels of organizational maturity using the Cyber Kill Chain[1] as our framework.
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS – John Bambenek
These are the slides of a talk by John Bambenek at THOTCON 0x5 in Chicago.
Imagine your first day at a client site and you spend your time figuring out what’s going on with the network. You query passive DNS and find tons of apparent VPN-over-DNS endpoints on your network. What starts as a simple incident investigation process sees the tables turned on those who used the protocol to hide their tracks. This talk will discuss reverse engineering VPN over DNS (vpnoverdns.com) and how weaknesses in the use of DNS tunneling make it trivial to retroactively wiretap all communications over the protocol long after the fact.
Your organization has either BEEN attacked, is currently BEING attacked, or WILL be attacked by cyber criminals. Our mission is to provide you with the knowledge, the vision, and the solutions to secure your critical assets.
Cybercrime and the Developer: How to Start Defending Against the Darker Side – Steve Poole
In the world of DevOps and the cloud, most developers have to learn new technologies and methodologies. The focus tends to be on adding capabilities such as resilience and scaling to an application. One critical aspect consistently overlooked is security. In this session, learn about a few of the simple actions you can take (and some behaviours you must change) to create a more secure Java application for the cloud. The world of the cybercriminal is closer than you realize. Hear how at risk your application may be, see practical examples of how you can inadvertently leave the doors open, and understand what you can do to make your Java solution more secure.
2022 Rea & Associates' Cybersecurity Conference – Rea & Associates
This presentation will give you insights into timely information about current cybersecurity threats faced by small and mid-sized businesses, incident response plans, and Cybersecurity Maturity Model Certification (CMMC) compliance protocols required for government contracts and what you need to do now to protect your business from a cyberattack.
Protecting Your IP: Data Security for Software Technology – Shawn Tuma
Cybersecurity attorney Shawn Tuma presented on Protecting Your IP: Data Security for Software Technology at Texas Bar CLE's Intellectual Property Law 101 Course for 2017 on February 22, 2017 in Austin, Texas.
Humorous discussion presenting some of the kinds of risks that face public-facing Web sites for corporations, ranging from hacking to legal to social media scares. Slides are illustrative in nature and the aim of the talk is more awareness than anything else.
Info Session on Cybersecurity & Cybersecurity Study Jams – GDSCCVR
In an era where digital threats are ever-evolving, understanding the fundamentals of cybersecurity is crucial.
Highlights of the Event:
💡 Google Cybersecurity Certification Scholarship.
🎭 Cloning and Phishing Demystified
🚨 Unravelling the Depths of Database Breaches
🛡️ Digital safety 101
🧼 Self-Check for Cyber Hygiene
⏺️ Event Details:
Date: 18th December 2023
Time: 6:00 PM to 7:00 PM
Venue: Online
We are surrounded by technology. The more we surround ourselves with and integrate technology, the more our privacy and data online are at risk. Not only are you at risk; your family and friends are also at risk. If you think "I am not an important person", that would be your great mistake. You are important to someone, somewhere in this world.
Mind it: your daily life is watched by someone. So be conscious… remember, prevention is better than cure.
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info... – Alexandre Sieira
The human mind evolved to draw quick conclusions for survival. Behavioral economists, like Daniel Kahneman and Dan Ariely, are publishing research on when, why and how decision making can be consistently and predictably irrational. You could say these researchers are reverse engineering the wetware, finding bugs and race conditions and disclosing them.
People are key to an organization’s information security, even if you believe in the “people, processes and technology” tripod. People define and execute processes. People decide funding for, implement, operate and/or monitor the technology. Your adversaries are people. At least until we reach the AI singularity, that is.
Until then, the aim of this talk is to present some of the counter-intuitive findings of behavioral economics research and their implications for how information security is handled at the organizational and market levels. Our hope is that the audience will find they could benefit from changing established, seemingly sensible and logical actions we all do to better match how the wetware actually works.
Presented at BSides SF on Feb. 28th, 2016.
A webinar on Cyber Security Awareness and Digital Safety was hosted on the 7th of June, 2020, by Sthir Yuwa in association with Information Security Response Team Nepal and Center For Cyber Security Research and Innovation, and was conducted successfully. There were almost 70 participants in this webinar.
This wonderful presentation, appropriate for teens and young adults, was created by Symantec's Rayane Hazimeh for the Dubai Techfest, 2013. We thank her for generously sharing her content with the SlideShare community.
Key Takeaways for Java Developers from the State of the Software Supply Chain... – Steve Poole
Maven Central hits 1 Trillion downloads, Cyber bad guys make $6 Trillion, Governments respond and of course AI. What happened this year and what does it mean for 2024? A look at what Sonatype discovered in preparing the 9th State of the Software Supply Chain Report and what it could mean for developers in the future.
2024 is going to be difficult for all of us: find out how, why and just what you need to do next!
THRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECH – Steve Poole
For all in IT—Developer, QA, DevOps, or SecOps—the future is driven by two game-changers: the ascent of Generative AI and heightened governmental scrutiny of software. Similar to the industrial revolution’s upheaval, their influence will revolutionise and reinvent the technology we use and our relationship with it. We’ll unpack how these factors redefine our tech practices today and tomorrow. Prepare for role evolution, new opportunities, and shifts, including the evolving dynamic with open source. Join this deep dive to discern the real ramifications.
Maven Central++ What's happening at the core of the Java supply chain – Steve Poole
In the Java world Maven Central is the most important single service. You can get Java SDKs and even container images from various vendors but Java code comes from only one place: Maven central.
Serving over 10 billion requests a week, Maven Central is sooo boring, sooo reliable that it’s understandable that it’s mostly invisible. It’s just there.
Times are changing and so is Maven Central.
As cyberattacks grow the defences at Maven Central have grown too and now we're on the offence. Learn how Maven Central is working with the Linux Foundation and others to add features and services that will keep the Java community safer, more informed and better prepared.
GIDS-2023 – A New Hope for 2023? What Developers Must Learn Next – Steve Poole
Over the last ten years we’ve seen cybercrime accelerate beyond all comprehension. We’ve seen the growing and relentless impact it has on our society and our economies. It’s taken a long time for the world to act but finally we’re coming together to resist this uniquely 21st century evil.
At the heart of the resistance are developers. Whatever role you have, whatever programming language or software you use - the battle is at your door.
In this session we’ll brief you on the state of the situation and what you can do to be more prepared. We’ll look at the bad guys and how they operate, we’ll examine recent legal and government responses and, most importantly, how the software industry is working together to create the tools, frameworks and education needed to help us all become the developers we need to be.
A new hope for 2023? What developers must learn next – Steve Poole
Over the last ten years, we’ve seen cybercrime accelerate beyond all comprehension and the growing and relentless impact it has on our society and economies. It’s taken a long time for the world to act, but finally, we’re coming together to resist this uniquely 21st-century evil.
At the heart of the resistance are developers. Whatever role you have, whatever programming language or software you use - the battle is at your door.
In this session, we’ll brief you on the state of the situation and what you can do to be more prepared: we’ll look at the bad guys and how they operate, examine recent legal and government responses and, most importantly, how the software industry is working together to create the tools, frameworks and education needed to help us all become the developers we need to be.
Three-card Monte, Find the Lady - the game goes by many names but at its core is a simple scam. You think you're in control but you're not: it's a game you can't win, and if you do it's only temporary to give you false confidence.
Software delivery is rapidly becoming a shell game: bad actors trying to force you to use compromised components, bad actors trying to take over your build processes and insert malware, bad actors subverting your processes while giving you false confidence that everything is ok.
This session introduces you to an active defence you can start to use now.
In this talk we’ll explain how the SBOM or Software Bill of Materials is emerging as the base for new tools and new thinking about producing software.
We’ll explain what an SBOM is, how it provides significant protection against software delivery attacks and what tools exist today for you to use.
We’ll walk through from source code to deployment and examine where the bad guys can get in and what SBOM related defences exist.
Learning how the shell game is played reduces the risk. Avoiding the game altogether is the wiser choice. SBOMs may just be the way to do that.
Superman or Ironman - can everyone be a 10x developer? – Steve Poole
It’s all about productivity or maybe it’s all about delivering value. Or creating secure applications, dealing with changing directions.
Whatever it is, we often feel that we’re lacking - that it’s hard enough to be any sort of developer. That even 1x is often a challenge.
In this talk we’re going to examine how to think more clearly about being a Java developer, help you understand the tools and approaches that can offer practical insight into how you work now, and provide guidance on alternatives that just might give you the powered armour you need.
A mix of tools, proven processes, new techniques and lessons learnt the hard way make up a session designed to help you understand that being a 10x developer isn’t about having super powers - it’s about using the powers you already have in wiser, more considered ways.
It’s just there. Just like the stars, just like electricity, just like Java.
In the Java world Maven central is the most important single service. You can get Java SDKs and even container images from various vendors but Java code comes from only one place: Maven central.
Serving over 10 billion requests a week, Maven Central is sooo boring, sooo reliable that it’s understandable that it’s mostly invisible. It’s just there.
Recently though we’ve seen questions raised about the Java code that is hosted there. Other repositories have been experiencing unprecedented attempts to upload malware and even in the Java world there are significant vulnerabilities that some have called to be removed.
This talk is intended to give you the background of Maven Central, explain why Sonatype (who are the stewards of Maven Central) provide such a critical service, and what our philosophy is for dealing with problematic content.
We’ll also explore how the service works under the covers, the API’s you might not be aware of and what’s coming up next.
Maven Central is not going away - but it might just get more exciting!
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ... – Steve Poole
A small but vital step on a long road was made last year. The President of the USA signed an executive order towards improving the situation on cybersecurity. In this session you’ll learn more about what was ordered and how it’s the beginning of a significant change in how software will be developed, delivered and secured in the future – not just in the USA but world wide too. The need to have a vastly improved software supply chain to counter the challenges of cyber attacks is well understood and many tools already exist. Learn more about the tooling landscape, what’s on the horizon and how presidential orders, the software industry and application development are coming together to take even bigger steps towards safeguarding the future.
Log4Shell - Armageddon or Opportunity – Steve Poole
It’s said that everyone remembers where they were when a momentous event occurs. Where were you on the 10 December 2021 or did the most comprehensively dangerous Java vulnerability pass you by?
Don’t be fooled into thinking it’s all over. Even by mid year the number of vulnerable servers will still be high because organisations still fail to assess their vulnerability state correctly.
In this session I’ll cover, in detail, the actual mechanics of the vulnerability and demo a simple attack. I’ll take you through why this vulnerability can be as bad as it gets and explain what the options are to protect your application and how to assess if you’re still at risk.
It’s not all bad news. The Log4Shell wake-up call shows us that we’re not paying the right sort of attention to security across the board, but we can learn to do better. I’ll end the talk by explaining why security really matters, what developers can do to improve their understanding of security principles in general, and cover some of the practical next steps that are available.
Log4Shell is changing our world - let’s make sure it’s for the right reasons. Opportunity is knocking on your door.
Want to make some money? A little bitcoin on the side? In this session we’ll take you through a few of the ways that Ransomware works. Probably one of the fastest growing forms of cybercrime - we’ll explore the motivations (it’s not all about money) how a typical attack occurs , how your actions and inactions help make the problem worse and generally educate you on the ransomware-as-a-service business that could easily be coming to a server near you. Take the time to see how your CI/CD pipelines can be vulnerable and what you can do to make your application safer and your data more secure.
Some say ransomware is simply a cost of doing business. Whether that’s true or not, ransomware is not going away any time soon. This talk will help you get up to speed and started on your journey of improving your defences.
Game Over or Game Changing? Why Software Development May Never be the same againSteve Poole
A small but vital step on a long road was made this year. The President of the USA signed an executive order towards improving the situation on cybersecurity. In this session you’ll learn more about what was ordered and how it’s the beginning of a significant change in how software will be developed, delivered and secured in the future – not just in the USA but world wide too. The need to have a vastly improved software supply chain to counter the challenges of cyber attacks is well understood and many tools already exist. Learn more about the tooling landscape, what’s on the horizon and how presidential orders, the software industry and application development are coming together to take even bigger steps towards safeguarding the future.
Agile Islands 2020 - Dashboards and CultureSteve Poole
This talk examines how what you share will define you. The act of monitoring and dashboarding can have a profound effect, good or bad, on the attitudes and culture of the teams involved. With supporting case studies this session will show how you can help make any team more effective.
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...Steve Poole
Much of the adoption of Agile and DevOps tools and processes focuses on the benefits of delivering high quality code on an industrial scale. Although we all recognise that good visual representations of progress and status are critical, it may not be obvious that the act of visualisation can have a profound effect on the attitudes and culture of the teams involved. The right sort of data and appropriate dashboarding can improve the morale and effectiveness of all the teams involved. The wrong sort can have the opposite effect.
This talk examines how what you share will define you. Through real examples and a live demo, the speaker will show you how to design status and trend displays that will make your teams more effective without overloading them. The talk will also include case studies with various types of teams to highlight how you can apply this thinking to help make any group more effective.
Beyond the Pi: What’s Next for the Hacker in All of Us?Steve Poole
Being a geek can be a tough life. Once you’ve got those LEDs blinking or that robot car moving around, the fun can be over. So what else is there to play with? What other exciting ideas are out there? For the geek at heart, this session showcases some of the new and newish tech that’s available for you to play with.
From AR to VR, from mind control to autonomous drones, we have a lot of everything, and some of it will even be on display. Whether it’s tech you can wear or tech that swims, we’ve got the insight. Bring your mind, and let us refuel your imagination.
Drooling optional.
A Modern Fairy Tale: Java Serialization Steve Poole
Once, long ago, we looked at serialization as an important addition to Java. As the years passed, we began to recognize the flaws in its design and sighed. Today we realize that the story of serialization has become a dark and twisted tale. In this session, see why we still need serialization, how the built-in design is fatally flawed, and how it is being exploited and used against us. Learn how to work against the dark arts rallied against us, and understand how even the alternative forms of Java serialization can still be open to attack.
Does this tale have a happy ending? Can goodness prevail and can you make your application safe from Java serialisation weaknesses?
Only you can decide.
2. About me
Steve Poole
IBM Lead Engineer
@spoole167
Making Java Real Since Version 0.9
Open Source Advocate
Mad Scientist
DevOps Practitioner (whatever that means!)
Driving Change
3. This talk
• I’m a DevOps practitioner – not a security expert.
• Arose
  • because of “compliance”. What does that mean? How do I find out more?
  • because I didn’t understand what the cybersecurity fuss was all about
  • because giving uneducated developers access to cloud resources generally has unfortunate consequences
• Is about understanding the risks, and how and why we need to behave differently.
• Is the talk before you learn how to write secure Java
• Here’s what I’ve learnt so far…
4. what I want you to remember
• The scale of the challenge with security and the ‘net’, and that it’s not going to get fixed quickly.
• You as a developer have the most important job in fixing this.
• You need to learn about ‘security’ and become an advocate and shameless promoter of best practices
5. Outline
• What’s the problem – why does this all matter?
• Who is at risk?
• Who are the bad guys?
• How do they get in?
• How you need to change?
• What you need to change?
• Going forward..
11. Friday, October 21st 2016 Dyn cyberattack
https://en.wikipedia.org/wiki/2016_Dyn_cyberattack
Dyn (a major DNS provider) was attacked three times that day with a DDoS attack
The attack was the largest ever recorded
10s of millions of IP addresses
1.2 terabits per second
Various groups have claimed responsibility
http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/
13. Friday, October 21st 2016 Dyn cyberattack
• Behind the attack was a large botnet
• printers, IP cameras, residential gateways, baby monitors, desktops, laptops
• Even medical equipment…
• Whether politically motivated or not the attack shows the porous nature of both the internet and our private networks
• The rise of the “system on a chip”
• The rise of the Internet of Things
17. “Organized Cybercrime is the most profitable type of crime”
• Cybercrime is estimated to be worth 445 Billion Dollars a Year
• In 2013 the United Nations Office on Drugs and Crime (UNODC) estimated
globally the illicit drug trade was worth 435 Billion Dollars
• Guess which one has the least risk to the criminal?
• Guess which is growing the fastest?
• Guess which one is the hardest to prosecute?
• Guess which one is predicted to reach 2100 Billion Dollars by 2019?
20. What data are they after?
• Moving beyond credit card numbers
• Long term identity theft
• That means quiet and repeated infiltration
• no more cyber-graffiti “Thiz Site belonz to uz”
• Though any personal data is useful and worth $$$
• Medical data, Sensitive Personal Information etc
• Information that gives insight into behavior
• Access to your systems
Lesson 1
Protect all data
21. It’s about facts about you
• Any piece of personal information about YOU is useful. It gets sold on and somewhere someone brings it all together.
• Can I connect your email address to your date of birth?
• Can I find out where you live?
• Can I find out who you work for?
• Can I find out what you think about your boss?
• Can I find out what sites you’ve visited?
• The more I know about you – the more I can refine the attack.
• The more I know about you – the more $$ I can make
• And attacks are more than “technical”
Lesson 2
All your data is
valuable
22. DEAR SIR/MA'AM.
YOUR ATM CARD OF $10.5MILLION DOLLARS WAS RETURNED TODAY BY OUR COURIER
DELIVERY COMPANY, AND WE ARE GOING TO CANCEL THE ATM CARD IF YOU FAILS TO
ACKNOWLEDGE THIS MESSAGE, WE SHALL ALSO ASSUME THAT WHAT OUR COURIER
DELIVERY COMPANY TOLD US IS NOTHING BUT THE TRUTH THAT YOU DON'T NEED YOUR
ATM CARD OF $10.5 MILLION DOLLARS ANY LONGER.
DO ACKNOWLEDGE THIS MESSAGE AS SOON AS POSSIBLE.
YOURS FAITHFULLY.
YOURS SINCERELY,
MR MARK WRIGHT,
DIRECTOR FOREIGN REMITTANCE
ATM CARD SWIFT PAYMENT DEPARTMENT
ZENITH BANK OF NIGERIA.
23. Federal Bureau of Investigation (FBI)
Anti-Terrorist And Monitory Crime Division.
Federal Bureau Of Investigation.
J.Edgar.Hoover Building Washington Dc
Customers Service Hours / Monday To Saturday
Office Hours Monday To Saturday:
Dear Beneficiary,
Series of meetings have been held over the past 7 months with the secretary general of
the United Nations Organization. This ended 3 days ago. It is obvious that you have not
received your fund which is to the tune of $16.5million due to past corrupt Governmental
Officials who almost held the fund to themselves for their selfish reason and some
individuals who have taken advantage of your fund all in an attempt to swindle your fund
which has led to so many losses from your end and unnecessary delay in the receipt of
your fund.for more information do get back to us.
….
Upon receipt of payment the delivery officer will ensure that your package is sent within
24 working hours.
24. Dear Winner,
This is to inform you that you have been selected for a prize of a brand
new 2016 Model BMW Hydrogen 7 Series Car, a Check of $500,000.00
USD and an Apple laptop from the international balloting programs
held on the 27th, section of the 2016 annual award promo in the
UNITED STATE OF AMERICA.
26. From <your boss>
I’ve spoken to the Italians and they will send us the goods if we pay
$3M immediately. Details below.
I’m off to the golf course – no distractions please.
Lesson 3
If something is suspicious or unusual – double
check. You think all the bad guys are stupid?
27. An email from an international transport company urging recipients to open a waybill in a zip (the zip content launches a downloader).
The targets are busy and not IT savvy. The criminals are IT savvy and industry savvy.
28. Even more
Email Instructions to victims to download an Android app onto a
mobile device.
That app contains a SMS hijacker.
The app listens for incoming SMS messages containing transaction
authorization codes from the bank.
Lesson 4
Never install software without checking its provenance
29. Phishing -> Spear Phishing -> Personalised Attacks
• The move is towards more organised and long term attacks that are hidden from view.
• Think about this – when you’re trawling the net for gullible people you set the bar low.
• With personalised attacks you invest more and make it compelling.
• Your victims’ views on Facebook about their boss, how busy they are, important deals coming up. It all helps to craft that million dollar scam…
30. Who’s being targeted?
• Middle level executives – afraid of their bosses?
• New joiners – easy to make a mistake?
• Busy and harassed key individuals – too busy to take time to
consider?
• Disgruntled employees – want to hurt the company? Make some $?
• And Developers – the golden goose.
Lesson 5
The bad guys prey on the weak,
vulnerable and ignorant
31. Developers
• Why ?
• We know the inside story
• We write the code
• We have elevated privileges
• We are over trusting
• We use other peoples code and tools without inspection
• we are ignorant of security matters
Lesson 6
The bad guys prey on the weak,
vulnerable and ignorant:
That’s you
33. Ever googled for:
“very trusting trust manager”
“Getting Java to accept all certs over HTTPS”
“How to Trust Any SSL Certificate”
“Disable Certificate Validation in Java”
34. Ever written something like this?

```java
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// A "trust everything" manager. Each method that is supposed to reject a bad
// certificate does nothing, so any certificate, including one minted by a
// man-in-the-middle gateway, is accepted.
TrustManager[] trustAllCerts = new TrustManager[]{
    new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
        public void checkClientTrusted(X509Certificate[] certs, String authType) {
            // no check at all
        }
        public void checkServerTrusted(X509Certificate[] certs, String authType) {
            // no check at all
        }
        // Not part of javax.net.ssl.X509TrustManager (they come from the old
        // com.sun.net.ssl API) but they compile as extra methods and are
        // usually copied along with the rest.
        public boolean isClientTrusted(X509Certificate[] cert) {
            return true;
        }
        public boolean isServerTrusted(X509Certificate[] cert) {
            return true;
        }
    }
};

// ...and this is how it is typically installed for the whole process:
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(null, trustAllCerts, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
```
37. We’ve all done something like that
We do it all the time
The whole world does it
How bad can it be?
GitHub search “implements TrustManager” ….
40. We’ve found 72,609 code results
Among them:
• AlwaysValidTrustManager
• TrustAllServersWrappingTrustManager
• “A very friendly, accepting trust manager factory. Allows anything through. all kind of certificates are accepted and trusted.”
• “A very trusting trust manager that accepts anything”
• // Install the all-trusting trust manager
• OverTrustingTrustProvider
• AllTrustingSecurityManagerPlugin.java
• AcceptingTrustManagerFactory.java
• AllTrustingCertHttpRequester.java
41. Developers are too trusting.
Linux repos. npm.
npm describes itself as: “npm is the package manager for JavaScript. Find, share, and reuse packages of code from hundreds of thousands of developers — and assemble them in powerful new ways.”
Great sentiments. But caveat emptor.
43. So who are the
bad guys?
https://www.flickr.com/photos/monsieurlui/
44. A mirror of you?
• Organized and methodical
• organized like startup companies.
• “employ” highly experienced developers with deep knowledge
• Constantly innovating malware, seeking out vulnerabilities
• Sharing what they find with each other (for $ of course)
• Goal focused
• the average age of a cybercriminal is 35 years old.
45. Already into crime
• Adrian Leppard, the Commissioner of the City of London Police:
• “We estimate that around 25 per cent of the organized crime groups in this
country are now involved in financial crime in one shape or another…”
• University of Cambridge researchers report that 60% of cyber-criminals had
criminal records which were completely unrelated to cyber-crime
• “those traditional offenders are changing their behavior and moving to the
internet”.
Lesson 7
Cybercriminals mostly get caught for something other than
cybercrime
47. Basic ways in: The old fashioned set
• Social engineering – convince you to open the door
• Vulnerability exploits – find doors already open
• Inside information – you tell them where the keys are for gain
Lesson 8
The bad guys can already get into your systems more easily than you ever thought possible.
48. Vulnerabilities
• Bugs and design flaws in your software
and the software you use.
• Everyone has them.
• Researchers are looking for them all the
time.
• So are the bad guys
https://www.flickr.com/photos/electronicfrontierfoundation/
51. Vulnerabilities
• It’s usually a combination of software weaknesses that get exploited
• Sometimes a BIG exploit appears
• Zero Day exploits are just that.
• Shame we don’t give them much attention
• Someone else’s problem?
Lesson 9
Vulnerabilities are everywhere
Lesson 10
Keeping up-to-date with critical patches is one of the most important things you can do
Lesson 11
Ignoring this side of Software Engineering is criminal
52. Deep breath
• To minimize the potential impact of vulnerabilities you need to keep
your software up-to-date all-the-time
• Almost all technical breaches come from exploiting known
vulnerabilities
• Keeping current means only zero-day exploits can be used.
• Do that and the bad guys will move on to someone more vulnerable
• Use DevOps techniques and tools to help make this much easier.
53. The new attack vectors
• Devices, Devices, Devices
  • Eavesdropping, network devices with default passwords
  • Drive-by gateways
• Poorly secured new deployments on a cloud
  • New devices on the internet get found in 15 minutes, and get a tailored attack in 45
• Ransomware
  • Blackmail and extortion
• Extending malware into real products
  • Helpful free stuff – like Docker images
  • Dangerous paid stuff – like game trainers
  • Actual ‘at the source’ injections – like pull requests!
  • Like unknown helpful people – do you know what can happen in a git merge?
https://www.flickr.com/photos/famzoo/
54. Devices inside your network
• What CPUs are connected to your network?
• Smart printers?
• Smart TVs?
• BYODs?
• How many devices have default passwords?
• How many computers have passwords that everyone knows?
• How many are running older unpatched software?
Lesson 12
You cannot ever assume your internal network is safe and uncompromised
Lesson 13
Really strong authentication is an imperative.
55. Personal Passwords
• What can I say: use keys wherever you can
• Treat passwords and private keys like the crown jewels.
• Have as many different passwords/keys as you can for different functions and activities
• Use a good password safe
• Never divulge your password to anyone or write it down.
• Once it’s out of your hands treat it as hacked
Lesson 14
Understand just how easily (or not) passwords can be cracked
https://en.wikipedia.org/wiki/Password_cracking
56. Wifi gateways
Are everywhere. How do you know that an SSID you see is not fake?
In your office. In your home. At a conference. In a coffee shop.
63. Man in the middle attack for http
A rogue Wi-Fi gateway (SSID: OpenConference, password: easy) sits between the browser and the website on the Internet:
• browser → gateway: “Give me data”
• gateway → website: “Give me data”
• website → gateway: “Here is data”
• gateway: do bad things with the data (read it, or change it)
• gateway → browser: “Here is data”
65. The normal (simplified) flow for https
• browser → website: Client Hello (max SSL/TLS version supported)
• website → browser: Server Hello (SSL/TLS version to be used) plus the server’s SSL certificate
• browser: check the certificate against its trusted Certificate Authorities
• browser → website: random local key, encrypted with the public key in the server’s certificate
• both sides: secure, two way encrypted communications
67. Man in the middle attack for https – you accept the certificate
Browser to gateway (the gateway has switched the website’s certificate for its own):
• browser → gateway: Client Hello
• gateway → browser: Server Hello plus the gateway’s SSL certificate
• browser: check the certificate against its Certificate Authorities – the check fails, and you accept it anyway
• browser → gateway: a different random local key (encrypted for the gateway, not for the website)
• “secure” communications, which the gateway can read
Gateway to website (a normal handshake, with the gateway acting as the client):
• gateway → website: Client Hello
• website → gateway: Server Hello plus the server’s SSL certificate
• gateway → website: random local key
• secure, two way communications between gateway and website
68. 1) Simple hijacked https case – you accepted the certificate – but at least you saw it
69. 2) Simple hijacked https case – you have a bogus certificate authority locally
70. Man in the middle attack for https – version 2
Browser to gateway (certificate switched, as before):
• browser → gateway: Client Hello
• gateway → browser: Server Hello plus the gateway’s SSL certificate
• browser: check the certificate against its Certificate Authorities – a bogus Certificate Authority has been installed locally, so the check passes and you see no warning
• browser → gateway: a different random local key
• “secure” communications, which the gateway can read
Gateway to website (normal handshake):
• gateway → website: Client Hello
• website → gateway: Server Hello plus the server’s SSL certificate
• gateway → website: random local key
• secure, two way communications between gateway and website
71. 2) Simple hijacked https case – you have a bogus certificate authority locally – and you didn’t even know it was there
It might even have been issued by your company and been stolen and used against you
72. It can be even easier/worse
• If your initial request to a server is http (i.e. unencrypted)
• A MITM can replace all inline https references with http
• Then when your form is submitted it’s sent unencrypted
• Maybe the server will bounce the request. But it’s too late – your private data is gone.
• Typical pattern:
1. MITM tracks a single important server target. The thieves know how the flows work. They track your usage
2. When your userid / password is requested the https has already been forced to http.
3. Your data is sent in the clear. The MITM sends you a ‘there was a problem’ message and gets out of your way.
4. You refresh and resubmit.
5. None the wiser…
73. Stealing your data with http
• browser → gateway: http request for the page
• gateway → website: fetches the page over https; the page contains “post to https://foo.com”
• gateway → browser: the page over http, with the form switched to “post to http://foo.com”
• browser → gateway: http post (your userid / password in the clear)
• gateway → browser: “Server unavailable”
• you RELOAD; this time the gateway forwards an https post to https://foo.com
• website answers normally; none the wiser
74. Wifi gateways
Lesson 15
There are so many ways your data is at risk.
Use a VPN to get to a gateway you trust.
Be very wary of http URLs in general (and on servers you run, send HTTP Strict Transport Security so that returning browsers refuse the http downgrade shown above).
75. Man in the middle attacks
Lesson 16
You cannot assume the data you have accessed is valid unless you have a
secure connection at all times.
Otherwise you could download modified or copied files:
Docker Images, ISO’s, exes, RPMs, PowerPoint, Text files
Anything.
Lesson 17
Assertions and assumptions don’t “cut the mustard”
Deep dive into the communications processes and prove it
76. More bad news
• Our use of tools that interact over SSL tends to have the certificate checking turned off!
• For reasonable reasons?
  • “The server I access is self-signed”
  • “I want to access multiple servers”
• Unexpectedly?
  • “I thought I was using the tool correctly”
  • “I didn’t realize what the default setting was”
  • “I trusted the tool to do the right thing”
• Maliciously?
  • “Someone changed the script and I don’t know why”
Real example (this is the text of the CVE-2013-0253 advisory): “The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.”
77. Lesson 18 – sloppy use of tools will bite you big time
Lesson 19 – Don’t make assumptions. Prove the tools do what you expect. Build “fake / compromised” target servers etc. and add them to your test suites
Lesson 20 – Reduce opportunities for unaccountable process changes by adopting DevOps principles for Infrastructure-as-Code etc.
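Lesson 19 in practice, as an added example (not code from the talk): a check that stands up a local “fake / compromised” HTTPS server presenting a certificate the JVM has no reason to trust, then verifies that an ordinary, unmodified client refuses the handshake. If something in the process has quietly installed a trust-all context (for instance via SSLContext.setDefault), the check prints FAIL. The keystore file name `fake.p12`, its password `changeit` and the `keytool` command that produces it are assumptions; Java 11 or later.

```java
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsServer;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;

/**
 * "Fake / compromised target server" check. A local HTTPS server presents a
 * self-signed certificate; a correctly configured client must refuse it. If the
 * client connects, certificate checking has been disabled somewhere.
 * Added example; keystore file and password are assumptions.
 */
public final class UntrustedServerCheck {

    /** Starts the fake server on an ephemeral 127.0.0.1 port using the key in a PKCS12 file. */
    static HttpsServer startFakeServer(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext serverCtx = SSLContext.getInstance("TLS");
        serverCtx.init(kmf.getKeyManagers(), null, null);

        HttpsServer server = HttpsServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.setHttpsConfigurator(new HttpsConfigurator(serverCtx));
        server.createContext("/", exchange -> {
            byte[] body = "you should never see this".getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream os = exchange.getResponseBody()) {
                os.write(body);
            }
        });
        server.start();
        return server;
    }

    /** True if a TLS failure appears anywhere in the cause chain. */
    static boolean isTlsFailure(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof SSLException) return true;
        }
        return false;
    }

    /** Uses the JVM's default SSLContext, exactly as application code would, and reports whether it refused. */
    static boolean clientRejects(int port) throws InterruptedException {
        HttpClient client = HttpClient.newHttpClient();
        HttpRequest req = HttpRequest.newBuilder(URI.create("https://localhost:" + port + "/")).GET().build();
        try {
            client.send(req, HttpResponse.BodyHandlers.ofString());
            return false; // connected and read the body: certificate checking is off
        } catch (IOException e) {
            // "PKIX path building failed" is the correct outcome; any other I/O error is not a pass either
            return isTlsFailure(e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed keystore, created beforehand with the JDK's keytool, e.g.:
        //   keytool -genkeypair -keyalg RSA -keysize 2048 -dname "CN=localhost" \
        //           -keystore fake.p12 -storetype PKCS12 -storepass changeit
        String keystore = args.length > 0 ? args[0] : "fake.p12";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        HttpsServer server = startFakeServer(keystore, password);
        boolean rejected;
        try {
            rejected = clientRejects(server.getAddress().getPort());
        } finally {
            server.stop(0);
        }
        System.out.println(rejected
                ? "PASS: client refused the untrusted certificate"
                : "FAIL: client accepted an untrusted certificate; some TrustManager is not checking");
        System.exit(rejected ? 0 : 1);
    }
}
```

Wire `clientRejects` into the test suite for every HTTP client wrapper the build uses, and run the same idea against your build tools: a Maven or Gradle invocation pointed at this server must fail to resolve anything. If it succeeds, find the setting that turned checking off.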
78. And even worse…
• Developers download code, tools, certificates etc without considering
the consequences.
• We believe implicitly that other developers are trustworthy.
How one developer just broke Node, Babel and
thousands of projects in 11 lines of JavaScript
Code pulled from NPM – which everyone was using
http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/
What if he’d added
malware instead?
79. Lesson 21 – Don’t download or depend on random code. Ensure you trust
the providers and you understand what they are doing to earn and keep your
trust. Examine the processes they have to ensure that the code / binaries /
certificates being hosted are legitimate
Lesson 22 – Build your own internal caches and repositories. Scan them for
known vulnerabilities AND change all those embedded default passwords
OR buy the service from someone you trust.
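Lesson 16 and Lesson 21 both come down to proving that the ISO, RPM or jar on your disk is what the publisher shipped, not what a gateway handed you. Added example (not code from the talk): verify a downloaded file against a SHA-256 checksum that was obtained separately, over a connection whose certificate you checked or from a signed release page; a missing checksum fails closed. The `sha256sum`-style line format, the file names and the built-in self-test input “abc” are assumptions or constructed; Java 17 or later for java.util.HexFormat.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.List;

/**
 * Verifies a downloaded artifact against a SHA-256 digest obtained over a channel
 * the download itself did not pass through. Added example; names are assumptions.
 */
public final class ArtifactVerifier {

    /** SHA-256 over the whole file, streamed so a multi-gigabyte ISO need not fit in memory. */
    public static byte[] sha256(Path file) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = Files.newInputStream(file)) {
            byte[] buf = new byte[64 * 1024];
            int n;
            while ((n = in.read(buf)) > 0) {
                md.update(buf, 0, n);
            }
        }
        return md.digest();
    }

    /**
     * Finds the digest for fileName in sha256sum(1)-style lines
     * ("<64 hex chars><two spaces, or space plus '*'><file name>"); null if absent.
     */
    public static byte[] expectedDigest(List<String> checksumLines, String fileName) {
        for (String line : checksumLines) {
            String trimmed = line.trim();
            if (trimmed.isEmpty() || trimmed.startsWith("#")) continue;
            if (trimmed.indexOf(' ') != 64) continue;          // not a SHA-256 line
            String name = trimmed.substring(64).trim();
            if (name.startsWith("*")) name = name.substring(1); // binary-mode marker
            if (name.equals(fileName)) {
                return HexFormat.of().parseHex(trimmed.substring(0, 64)); // throws on non-hex
            }
        }
        return null;
    }

    /** True only if the file's digest matches; "no checksum listed" fails rather than passes. */
    public static boolean verify(Path file, List<String> checksumLines)
            throws IOException, NoSuchAlgorithmException {
        byte[] expected = expectedDigest(checksumLines, file.getFileName().toString());
        if (expected == null) return false;
        return MessageDigest.isEqual(expected, sha256(file)); // constant-time comparison
    }

    /** Built-in check on a constructed temp file holding "abc" and its well-known SHA-256. */
    static boolean selfTest() throws Exception {
        Path tmp = Files.createTempFile("artifact", ".bin");
        try {
            Files.writeString(tmp, "abc");
            List<String> sums = List.of(
                "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  " + tmp.getFileName());
            return verify(tmp, sums);
        } finally {
            Files.deleteIfExists(tmp);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            System.out.println(selfTest() ? "self-test OK" : "self-test FAILED");
            return;
        }
        if (args.length != 2) {
            System.err.println("usage: ArtifactVerifier <downloaded-file> <SHA256SUMS-file>");
            System.exit(2);
        }
        Path file = Path.of(args[0]);
        List<String> sums = Files.readAllLines(Path.of(args[1]), StandardCharsets.UTF_8);
        boolean ok = verify(file, sums);
        System.out.println((ok ? "OK: " : "MISMATCH: ") + file);
        System.exit(ok ? 0 : 1);
    }
}
```

The check is only as good as where the SHA256SUMS file came from: if it travelled over the same plain http connection as the download, a gateway can rewrite both, which is exactly why Lesson 22 wants a repository you control and scan rather than whatever the network offers.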
80. Recap
• Cybercrime is set to become the largest form of crime ever
• Developers are key to preventing this
• We have the tools and techniques to reduce the problem
• We’re one of the worst adopters of security protocols and practices
With great power comes great responsibility
81. Developers to the rescue?
• What we all have to do differently from now on
• Be much more security conscious
• Become intimately aware of how the bad guys get in
• Reduce our blind trust levels
• Learn how authentication and encryption actually works
• Make security a part of our psyche
• Bring Security Architects into the development process
82. More snippets of advice
• Don’t allow any admin access from outside your firewall except via a VPN
• Don’t allow admin / critical functions to be executed on arbitrary developer machines
• Use strong firewalls on every system
• Whitelist outgoing connections.
• Hack your own systems…
• Change ALL default passwords
• Docker – if there is no Dockerfile, run away. If there is a Dockerfile, read it and build your own image. (How do you know the image and the Dockerfile match?)
• Reduce the likelihood of exploits etc. escaping by using separate virtual machines for different activities.
• Don’t add developer backdoors!
83. https://www.flickr.com/photos/schill/
• Why do you need a blanket “god” mode?
• Why would you deploy a server or application with default passwords unchanged?
• Why would you share this power?
• Why would you remain ignorant of how your system or home is kept secure?
• Would you have one key for every lock at home?
• Would you give your colleagues power of attorney over you?
• Would you have a front door with a lock that everyone in the world had a key to?