This document provides an agenda for a training session on hacking Android APK files at DEF CON 27 on August 8, 2019. The schedule includes introductions, static and dynamic analysis of APKs, forensic analysis, example teardowns, and a capture the flag exercise. The training team consists of three members - Ben Hughes, Liana Parakesyan, and Mattia Campagnano - and their bios are provided. An overview of the OWASP Mobile Top 10 security risks and the OWASP Mobile Security Testing Guide is also given to provide mobile security context. The document concludes by outlining approaches for setting up an Android testing environment including Android Studio, emulators, rooted devices, and common analysis tools.
The document discusses hacking mobile platforms and related security issues. It covers mobile attack vectors such as malware, data exfiltration, tampering and loss. It also discusses vulnerabilities and risks of mobile platforms including app stores, privacy issues, excessive permissions, communication security, jailbreaking/rooting and physical attacks. The objectives of the module are to educate about threats to mobile platforms and how to securely use mobile devices. It describes topics like attacking Android, Blackberry, iOS, Windows Phone and guidelines for mobile security.
LinuxCon Europe 2014: License Compliance and Open Source Software Logistics f...Black Duck by Synopsys
This document discusses open source software licensing and compliance for cloud-based applications. It begins with disclaimers that the author is not a lawyer and the talk does not provide legal advice. It then summarizes findings from a survey on the future of open source, including that 60% of open source vendors now offer Software as a Service (SaaS) and over 50% of enterprises are expected to contribute to and adopt open source. The rest of the document discusses open source licenses like GPL, LGPL, AGPL and their implications for software delivered via SaaS and containers. It emphasizes the importance of understanding the legal obligations of the licenses for any open source used.
Dave Meurer currently serves as the Senior Technical Alliances Manager at Synopsys' Software Integrity Group’s Business Development team, where he leads technical planning, solution development, enablement, and evangelism with existing and potential strategic alliances and partners of Synopsys. Dave joined Synopsys through the acquisition of Black Duck, where he served in a similar role as the director of sales engineering for North America. Before coming to Black Duck Software, Dave worked for Skyway Software, HSN.com, and Accenture in various management and development roles. When he’s not thinking about joint partner solutions, he plays Uber driver for his five kids’ sports activities. Follow him on Twitter at @davemeurer.
This document discusses hybrid mobile app development. It begins by noting the rise of Android and iOS as dominant mobile platforms, each with their own development approaches, making cross-platform development challenging. Hybrid apps offer a solution, allowing development with a single codebase that can target both platforms. The document then provides an overview of hybrid development techniques like using web technologies or own rendering engines. It compares hybrid and native development, noting hybrid apps can be more cost effective but may have performance limitations. The document concludes by proposing using Flutter for a gaming tournament app, as Flutter allows developing for all platforms from a single Dart codebase and accessing native features.
[CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for A...CODE BLUE
Recently, services that provide remote control and acquire vehicle location information (GPS) is increasing. (As far as we know, it has been especially popular in the EV cars.)
These services are the challenging business for the automotive industry and OEMs because these have a potentially huge market or an additional value to their products in the future.
On the other hands, these services may lead to new threats and risks for the automobiles. This is because the Internet connection did not consider it was not necessary for automobiles so far.
Further, some researchers have already reported vulnerabilities in the remote services that are provided by various OEMs.
These issues are all reported in a foreign territory. Then, how about in Japan?
Therefore, we analyze the client apps for Japan provided by the various OEMs. But we also targeted analyzing apps for the US because apps for Japan is not many yet.
Specifically, we analyzed vulnerabilities (cooperation between apps, certificate verification, etc...) and whether these apps are using anti-analysis techniques such as obfuscation.
In this talk, we'll introduce about a potential for abusing of remote service apps in the future and countermeasures for these risks.
--- Naohide Waguri
Naohide Waguri joined FFRI in 2013. Before he joined FFRI, he had participated in software quality assurance, software development and promotion of test automation of network equipment (Gigabit Ethernet or Multilayer switches) as a network engineer. After joined FFRI, he participated in penetration testing, analysis and investigating the trend of cyber attacks. He is currently researching threat/risk analysis and evaluation method for a security of embedded systems such as in-vehicle devices. He was a speaker at CODE BLUE 2015.
Building a Mobile App Pen Testing BlueprintNowSecure
Mobile penetration testing helps uncover app exploits and vulnerabilities and is a crucial component of risk assessment. However, many people fear the complexity and don’t know where to get started.
It all begins with a solid plan of attack. NowSecure veterans of hundreds of mobile app pen tests will walk you through the process of assembling a pen testing playbook to hack your app.
This webinar covers:
+Tips and tricks for targeting common issues
+The best tools for the job
+How to document findings to close the loop on vulnerabilities.
Sogeti Java Meetup - How to ensure your code is maintainablePeter Rombouts
The document discusses ensuring code maintainability. It defines software quality according to ISO 25010 as having quality in use and product quality models. It presents 10 guidelines for writing maintainable code from SIG. It also discusses tools for static code analysis (e.g. SonarQube) and software composition analysis (e.g. WhiteSource Bolt) to help ensure code quality. The presentation aims to help developers choose the right tools to analyze their code and dependencies.
The document discusses hacking mobile platforms and related security issues. It covers mobile attack vectors such as malware, data exfiltration, tampering and loss. It also discusses vulnerabilities and risks of mobile platforms including app stores, privacy issues, excessive permissions, communication security, jailbreaking/rooting and physical attacks. The objectives of the module are to educate about threats to mobile platforms and how to securely use mobile devices. It describes topics like attacking Android, Blackberry, iOS, Windows Phone and guidelines for mobile security.
LinuxCon Europe 2014: License Compliance and Open Source Software Logistics f...Black Duck by Synopsys
This document discusses open source software licensing and compliance for cloud-based applications. It begins with disclaimers that the author is not a lawyer and the talk does not provide legal advice. It then summarizes findings from a survey on the future of open source, including that 60% of open source vendors now offer Software as a Service (SaaS) and over 50% of enterprises are expected to contribute to and adopt open source. The rest of the document discusses open source licenses like GPL, LGPL, AGPL and their implications for software delivered via SaaS and containers. It emphasizes the importance of understanding the legal obligations of the licenses for any open source used.
Dave Meurer currently serves as the Senior Technical Alliances Manager at Synopsys' Software Integrity Group’s Business Development team, where he leads technical planning, solution development, enablement, and evangelism with existing and potential strategic alliances and partners of Synopsys. Dave joined Synopsys through the acquisition of Black Duck, where he served in a similar role as the director of sales engineering for North America. Before coming to Black Duck Software, Dave worked for Skyway Software, HSN.com, and Accenture in various management and development roles. When he’s not thinking about joint partner solutions, he plays Uber driver for his five kids’ sports activities. Follow him on Twitter at @davemeurer.
This document discusses hybrid mobile app development. It begins by noting the rise of Android and iOS as dominant mobile platforms, each with their own development approaches, making cross-platform development challenging. Hybrid apps offer a solution, allowing development with a single codebase that can target both platforms. The document then provides an overview of hybrid development techniques like using web technologies or own rendering engines. It compares hybrid and native development, noting hybrid apps can be more cost effective but may have performance limitations. The document concludes by proposing using Flutter for a gaming tournament app, as Flutter allows developing for all platforms from a single Dart codebase and accessing native features.
[CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for A...CODE BLUE
Recently, services that provide remote control and acquire vehicle location information (GPS) is increasing. (As far as we know, it has been especially popular in the EV cars.)
These services are the challenging business for the automotive industry and OEMs because these have a potentially huge market or an additional value to their products in the future.
On the other hands, these services may lead to new threats and risks for the automobiles. This is because the Internet connection did not consider it was not necessary for automobiles so far.
Further, some researchers have already reported vulnerabilities in the remote services that are provided by various OEMs.
These issues are all reported in a foreign territory. Then, how about in Japan?
Therefore, we analyze the client apps for Japan provided by the various OEMs. But we also targeted analyzing apps for the US because apps for Japan is not many yet.
Specifically, we analyzed vulnerabilities (cooperation between apps, certificate verification, etc...) and whether these apps are using anti-analysis techniques such as obfuscation.
In this talk, we'll introduce about a potential for abusing of remote service apps in the future and countermeasures for these risks.
--- Naohide Waguri
Naohide Waguri joined FFRI in 2013. Before he joined FFRI, he had participated in software quality assurance, software development and promotion of test automation of network equipment (Gigabit Ethernet or Multilayer switches) as a network engineer. After joined FFRI, he participated in penetration testing, analysis and investigating the trend of cyber attacks. He is currently researching threat/risk analysis and evaluation method for a security of embedded systems such as in-vehicle devices. He was a speaker at CODE BLUE 2015.
Building a Mobile App Pen Testing BlueprintNowSecure
Mobile penetration testing helps uncover app exploits and vulnerabilities and is a crucial component of risk assessment. However, many people fear the complexity and don’t know where to get started.
It all begins with a solid plan of attack. NowSecure veterans of hundreds of mobile app pen tests will walk you through the process of assembling a pen testing playbook to hack your app.
This webinar covers:
+Tips and tricks for targeting common issues
+The best tools for the job
+How to document findings to close the loop on vulnerabilities.
Sogeti Java Meetup - How to ensure your code is maintainablePeter Rombouts
The document discusses ensuring code maintainability. It defines software quality according to ISO 25010 as having quality in use and product quality models. It presents 10 guidelines for writing maintainable code from SIG. It also discusses tools for static code analysis (e.g. SonarQube) and software composition analysis (e.g. WhiteSource Bolt) to help ensure code quality. The presentation aims to help developers choose the right tools to analyze their code and dependencies.
During a recent webinar, Tim Mackey, Principal Security Strategist with the Synopsys Cyber Research Center discussed how to streamline the tech due diligence process.
For more information, please visit our website at www.synopsys.com/open-source-audit
The document describes Infraware's POLARIS App Generator (PAG) service, which automatically converts Android APK files into Tizen TPK files. This allows Android apps to be run on Tizen devices using Infraware's POLARIS App Player middleware. The service aims to quickly populate the Tizen app store in its early stages by migrating existing Android apps with minimal effort. It is expected to help grow the Tizen ecosystem by providing a rich app selection, attract more device users, and encourage more developer support for the new platform.
Mobile Penetration Testing: Episode III - Attack of the CodeNowSecure
In the final installment of our mobile penetration testing trilogy, we dive deep to find security flaws in mobile apps by dissecting the code with reverse-engineering and code analysis.
During a recent webinar attendees learned how a purpose-built M&A open source audit differs from open source management tools and why it matters in tech due diligence. We covered: • The types of risk around open source software • Why depth of analysis matters, and what it results in during M&A diligence • Why accuracy, reporting, and expert human analysis are keys to thorough diligence.
For more information, please visit our website at www.synopsys.com/open-source-audit
During a recent webinar, Phil Odence, General Manager of the Synopsys Black Duck Audit Group presented "Open Source Risk in M&A by the Numbers" For more information, please visit www.synopsys.com/BlackDuck
Mobile Developer's Guide To The Galaxy 12th EditionMarco Tabor
This document provides an overview of the mobile development landscape including key platforms, technologies, and strategies. It discusses the major mobile operating systems including Android, iOS, Windows Phone, BlackBerry 10, and others. It also covers different approaches to building mobile services such as native apps, web apps, and hybrid apps. The document aims to introduce mobile developers to the complex universe of the mobile industry.
Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...Fasten Project
Software engineers reuse code to reduce development and maintenance costs but how safe is it to use open source software (OSS)? By using OSS and dependencies to external libraries they can introduce to projects significant operational and compliance risk as well as difficult to assess security implications. The aim of the FASTEN project (a European Union’s H2020 research and innovation programme led by TU Delft) is to address this situation, by developing an intelligent software package management system that will enhance robustness and security in software ecosystems. Our team in Endocode AG is part of the FASTEN project with our FOSS toolchain Quartermaster, which detects license compliance on softwares.
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...NowSecure
+ How do vulnerable mobile apps and insecure V2D communications put drivers and manufacturers at risk?
+ Applying crashworthiness and safety ratings concepts to mobile app and connected car cybersecurity
+ How to manage mobile app security defects and vulnerabilities in the connected car and mobile app development process
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Black Duck by Synopsys
The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.
This presentation will address all the relevant information about default security postures achieved by using the -aaS model. This session will be a unique opportunity to hear from Murray Goldschmidt, renowned DevSecOps expert, explaining the key items to achieve a secure deployment from build through ongoing continuous deployment, particularly for CI/CD DevOps environments
Key Points To Be Discussed:
-Learn the no-cost or low-cost measures to put in place immediately to secure their -aaS deployments.
-Understand where commercial products provide capability, particularly for container security.
-Understand the weaknesses of public cloud PaaS defaults—examples provided for AWS and Azure. Pre-Requisites:AWS and Azure PaaS offerings.
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...Black Duck by Synopsys
We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, in-depth into the TRITON attack; why 2018 is the year of open source; how open source is driving both IoT and AI and a webinar on the 2018 Open Source Rookies of the Year.
Open Source Insight is your weekly news resource for open source security and cybersecurity news!
Mobile Developer's Guide To The Galaxy 11th editionMarco Tabor
To develop for the Android platform, developers need the Android SDK, which includes tools for developing, testing, and debugging apps. The primary programming language is Java. Developers create apps by writing code and designing user interfaces in XML layout files. Apps are tested on emulators and devices before being distributed via the Google Play Store.
To develop for the Android platform, developers need the Android SDK, which includes tools for developing, testing, and debugging apps. The primary programming language is Java. Developers create apps by writing code and designing user interfaces in XML layout files. Apps are tested on emulators and devices before being distributed via the Google Play Store.
The Android STB: A Logical Step in the Evolution of TVBeenius
If only six years ago someone mentioned Android, some of you would not have recognized the name of the operating system (OS). But as technology has advanced, today the name Android is widely recognized as a successful OS for smartphones, tablets, and increasingly for devices such as Smart TVs, set-top boxes, and in the years to come even smart glasses!
Android is an open source software stack for mobile devices that includes an operating system, middleware and key applications. It allows applications to run in their own process using the Dalvik Virtual Machine. The Android software development kit includes tools for application development, debugging, and deployment. While Android offers flexibility and customization, the user interface is not as polished as the iPhone and media syncing requires third party tools rather than a centralized application like iTunes.
Android is an open source operating system for mobile devices that allows developers to create innovative applications. It provides access to core APIs as well as bindings to Android's native APIs. The Android software stack includes applications, application framework, libraries and services, and the Linux kernel. Unlike proprietary platforms, Android is open source and allows customization by device makers and developers.
Mobile Application Development with AndroidIJAAS Team
The Android is mobile platform. It is an open source and free operating system application, by Google it is developed and maintained. It was designed essentially for touch screen mobile devices, such as and tablet, computers, smart phones, watch television, cars etc. Android is one of the most widely used mobile OS. Android is a not only operating system but also key applications and middleware. Android is an open source operating system. It is developed by the open handset Alliance, led by Google, and other companies. Those are used to android studio 2.2.3 version and development the mobile application.
The document summarizes a seminar presentation on PhoneGap. PhoneGap is a mobile development framework that allows developers to build mobile apps using common web technologies like HTML, CSS, and JavaScript. This allows apps to be compiled for multiple platforms like iOS, Android, and Windows Phone from a single codebase. The presentation discusses what PhoneGap is, how it works, its advantages like cross-platform development, and disadvantages like limitations of web-based apps. It includes demo code and concludes PhoneGap is useful for small apps but native development is better for graphics-intensive apps.
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
The document discusses strategies for red teaming Active Directory security. It begins with an overview of Active Directory components and how they can be exploited by attackers. It then covers offensive PowerShell techniques and how PowerShell security can be bypassed. The document also provides methods for effective Active Directory reconnaissance, including discovering administrator accounts and network assets without port scanning. Finally, it discusses some Active Directory defenses that can be deployed and potential bypass techniques.
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
The document discusses vulnerabilities found in seismological network devices that could allow remote exploitation. It begins with a disclaimer and agenda. The speakers are then introduced as researchers from Costa Rica who were interested in these networks due to potential attack scenarios. Through a search engine, they discovered vulnerabilities in devices from multiple vendors. The talk demonstrates taking control of a device and outlines impacts such as sabotage. Recommendations are made to vendors to improve security of these critical scientific instruments.
More Related Content
Similar to DEF CON 27 - workshop - POLOTO - hacking the android apk
During a recent webinar, Tim Mackey, Principal Security Strategist with the Synopsys Cyber Research Center discussed how to streamline the tech due diligence process.
For more information, please visit our website at www.synopsys.com/open-source-audit
The document describes Infraware's POLARIS App Generator (PAG) service, which automatically converts Android APK files into Tizen TPK files. This allows Android apps to be run on Tizen devices using Infraware's POLARIS App Player middleware. The service aims to quickly populate the Tizen app store in its early stages by migrating existing Android apps with minimal effort. It is expected to help grow the Tizen ecosystem by providing a rich app selection, attract more device users, and encourage more developer support for the new platform.
Mobile Penetration Testing: Episode III - Attack of the CodeNowSecure
In the final installment of our mobile penetration testing trilogy, we dive deep to find security flaws in mobile apps by dissecting the code with reverse-engineering and code analysis.
During a recent webinar attendees learned how a purpose-built M&A open source audit differs from open source management tools and why it matters in tech due diligence. We covered: • The types of risk around open source software • Why depth of analysis matters, and what it results in during M&A diligence • Why accuracy, reporting, and expert human analysis are keys to thorough diligence.
For more information, please visit our website at www.synopsys.com/open-source-audit
During a recent webinar, Phil Odence, General Manager of the Synopsys Black Duck Audit Group presented "Open Source Risk in M&A by the Numbers" For more information, please visit www.synopsys.com/BlackDuck
Mobile Developer's Guide To The Galaxy 12th EditionMarco Tabor
This document provides an overview of the mobile development landscape including key platforms, technologies, and strategies. It discusses the major mobile operating systems including Android, iOS, Windows Phone, BlackBerry 10, and others. It also covers different approaches to building mobile services such as native apps, web apps, and hybrid apps. The document aims to introduce mobile developers to the complex universe of the mobile industry.
Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...Fasten Project
Software engineers reuse code to reduce development and maintenance costs but how safe is it to use open source software (OSS)? By using OSS and dependencies to external libraries they can introduce to projects significant operational and compliance risk as well as difficult to assess security implications. The aim of the FASTEN project (a European Union’s H2020 research and innovation programme led by TU Delft) is to address this situation, by developing an intelligent software package management system that will enhance robustness and security in software ecosystems. Our team in Endocode AG is part of the FASTEN project with our FOSS toolchain Quartermaster, which detects license compliance on softwares.
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...NowSecure
+ How do vulnerable mobile apps and insecure V2D communications put drivers and manufacturers at risk?
+ Applying crashworthiness and safety ratings concepts to mobile app and connected car cybersecurity
+ How to manage mobile app security defects and vulnerabilities in the connected car and mobile app development process
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Black Duck by Synopsys
The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.
This presentation will address all the relevant information about default security postures achieved by using the -aaS model. This session will be a unique opportunity to hear from Murray Goldschmidt, renowned DevSecOps expert, explaining the key items to achieve a secure deployment from build through ongoing continuous deployment, particularly for CI/CD DevOps environments
Key Points To Be Discussed:
-Learn the no-cost or low-cost measures to put in place immediately to secure their -aaS deployments.
-Understand where commercial products provide capability, particularly for container security.
-Understand the weaknesses of public cloud PaaS defaults—examples provided for AWS and Azure. Pre-Requisites:AWS and Azure PaaS offerings.
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...Black Duck by Synopsys
We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, in-depth into the TRITON attack; why 2018 is the year of open source; how open source is driving both IoT and AI and a webinar on the 2018 Open Source Rookies of the Year.
Open Source Insight is your weekly news resource for open source security and cybersecurity news!
Mobile Developer's Guide To The Galaxy 11th editionMarco Tabor
To develop for the Android platform, developers need the Android SDK, which includes tools for developing, testing, and debugging apps. The primary programming language is Java. Developers create apps by writing code and designing user interfaces in XML layout files. Apps are tested on emulators and devices before being distributed via the Google Play Store.
To develop for the Android platform, developers need the Android SDK, which includes tools for developing, testing, and debugging apps. The primary programming language is Java. Developers create apps by writing code and designing user interfaces in XML layout files. Apps are tested on emulators and devices before being distributed via the Google Play Store.
The Android STB: A Logical Step in the Evolution of TVBeenius
If only six years ago someone mentioned Android, some of you would not have recognized the name of the operating system (OS). But as technology has advanced, today the name Android is widely recognized as a successful OS for smartphones, tablets, and increasingly for devices such as Smart TVs, set-top boxes, and in the years to come even smart glasses!
Android is an open source software stack for mobile devices that includes an operating system, middleware and key applications. It allows applications to run in their own process using the Dalvik Virtual Machine. The Android software development kit includes tools for application development, debugging, and deployment. While Android offers flexibility and customization, the user interface is not as polished as the iPhone and media syncing requires third party tools rather than a centralized application like iTunes.
Android is an open source operating system for mobile devices that allows developers to create innovative applications. It provides access to core APIs as well as bindings to Android's native APIs. The Android software stack includes applications, application framework, libraries and services, and the Linux kernel. Unlike proprietary platforms, Android is open source and allows customization by device makers and developers.
Mobile Application Development with AndroidIJAAS Team
The Android is mobile platform. It is an open source and free operating system application, by Google it is developed and maintained. It was designed essentially for touch screen mobile devices, such as and tablet, computers, smart phones, watch television, cars etc. Android is one of the most widely used mobile OS. Android is a not only operating system but also key applications and middleware. Android is an open source operating system. It is developed by the open handset Alliance, led by Google, and other companies. Those are used to android studio 2.2.3 version and development the mobile application.
The document summarizes a seminar presentation on PhoneGap. PhoneGap is a mobile development framework that allows developers to build mobile apps using common web technologies like HTML, CSS, and JavaScript. This allows apps to be compiled for multiple platforms like iOS, Android, and Windows Phone from a single codebase. The presentation discusses what PhoneGap is, how it works, its advantages like cross-platform development, and disadvantages like limitations of web-based apps. It includes demo code and concludes PhoneGap is useful for small apps but native development is better for graphics-intensive apps.
Similar to DEF CON 27 - workshop - POLOTO - hacking the android apk (20)
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
The document discusses strategies for red teaming Active Directory security. It begins with an overview of Active Directory components and how they can be exploited by attackers. It then covers offensive PowerShell techniques and how PowerShell security can be bypassed. The document also provides methods for effective Active Directory reconnaissance, including discovering administrator accounts and network assets without port scanning. Finally, it discusses some Active Directory defenses that can be deployed and potential bypass techniques.
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
The document discusses vulnerabilities found in seismological network devices that could allow remote exploitation. It begins with a disclaimer and agenda. The speakers are then introduced as researchers from Costa Rica who were interested in these networks due to potential attack scenarios. Through a search engine, they discovered vulnerabilities in devices from multiple vendors. The talk demonstrates taking control of a device and outlines impacts such as sabotage. Recommendations are made to vendors to improve security of these critical scientific instruments.
DEF CON 24 - Tamas Szakaly - help i got antsFelipe Prado
The document discusses the benefits of exercise for mental health. Regular physical activity can help reduce anxiety and depression and improve mood and cognitive function. Exercise causes chemical changes in the brain that may help protect against mental illness and improve symptoms for those who already suffer from conditions like anxiety and depression.
DEF CON 24 - Ladar Levison - compelled decryptionFelipe Prado
This document appears to be a preview of slides for a presentation at DEF CON 24 about compelled decryption. The slides discuss the difference between first and third parties in communications and the Communications Assistance for Law Enforcement Act. It also lists several third parties like technology companies and individuals that could potentially be compelled to decrypt communications. The document indicates that it is a preliminary version and the slides may be altered before the actual presentation.
Deep learning systems are susceptible to adversarial manipulation through techniques like generating adversarial samples and substitute models. By making small, targeted perturbations to inputs, an attacker can cause misclassifications or reduce a model's confidence without affecting human perception of the inputs. This is possible due to blind spots in how models learn representations that are different from human concepts. Defending against such attacks requires training models with adversarial techniques to make them more robust.
DEF CON 24 - Chris Rock - how to overthrow a governmentFelipe Prado
This document outlines various strategies and tactics for overthrowing a government through covert and clandestine means, including cyber espionage, propaganda, agitation of public unrest, sabotage of critical infrastructure, and manipulation of financial systems. It discusses using mercenaries and private intelligence agencies to carry out these activities at an arm's length from sponsorship by nation states. Specific examples from Kuwait in 2011 are referenced to illustrate techniques for fomenting revolution through cyber and information operations.
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareFelipe Prado
This document discusses various ways that hardware can become "bricked", or rendered unusable, through both software and hardware issues. It covers 101 different bricking scenarios across firmware, printed circuit boards, connectors, integrated circuits, and unexpected situations. Examples include wiping firmware, damaging traces on PCBs, breaking solder joints on connectors, applying too much voltage to ICs, and devices being bricked by environmental factors. The document provides tips for both bricking and avoiding bricking hardware, as well as techniques for potentially unbricking devices.
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...Felipe Prado
This document provides an overview of a talk on novel USB attacks that can provide remote command and control of even air-gapped machines with minimal forensic footprint. It describes building an open-source toolset using freely available hardware that implements a stealthy bi-directional communication channel over USB using a keyboard/mouse and generic HID profiles to deploy payloads and proxy traffic without touching the network. The talk will demonstrate attacking Windows systems by staging payloads in memory to avoid disk artifacts and establishing a VNC session without user interaction or malware deployment. Source code and documentation for the toolset, called USaBUSe, will be released on GitHub at Defcon.
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationFelipe Prado
The document discusses common challenges and failures that can occur when conducting phishing campaigns professionally. It outlines eleven stories of phishing failures caused by issues like poor scheduling, spam filters blocking emails, not having enough target email addresses, domain name choices being too obvious, and lack of communication. For each failure, it provides recommendations on how to avoid the problem by improving collaboration, communication, planning and negotiation with the client organization. The overall message is that success requires treating phishing engagements as multi-party negotiations and managing expectations through clear communication and involvement of all stakeholders.
The document discusses vulnerabilities found in human-machine interface (HMI) solutions used for industrial control systems. It details a case study of multiple stack-based buffer overflow vulnerabilities found in Advantech WebAccess through an RPC service that could allow remote code execution. The vulnerabilities were caused by improper validation of user-supplied input to functions like sprintf and strcpy. While patches were released, analysis showed the fixes did not fully address the underlying problems with input handling.
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistFelipe Prado
This document summarizes tool-assisted speedruns (TAS) of video games. It discusses how emulators and tools are used to play games faster than humanly possible by deterministically recording every input. Advanced techniques like memory searching and scripting push games to their limits. Console verification devices were developed to play back TAS movies on original hardware. The document argues that TAS tools are like penetration testing tools and can be used to find and exploit vulnerabilities in games. It demonstrates an arbitrary code execution in Pokemon Red using an unintended opcode execution.
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksFelipe Prado
This document shows a graph with distance on the x-axis ranging from 0 to 35 meters and Received Signal Strength (RSS) in dBm on the y-axis ranging from -100 to -40 dBm. The graph contains a line for a model with a path loss exponent of 2.0 as well as scattered data points representing collected RSS measurements.
This document provides an overview of a hands-on, turbocharged pragmatic cloud security training that covers topics in a fraction of the normal time by slimming down four days of material into four hours. It will cover configuring production-quality AWS accounts, building deployment pipelines, and automating security controls. Most examples will use Ruby and Python. Nearly all labs will be in AWS. There will be minimal slides and hand-holding. Participants are responsible for their own AWS bills after the training.
DEF CON 24 - Grant Bugher - Bypassing captive portalsFelipe Prado
The document discusses the results of a study on the impact of COVID-19 lockdowns on air pollution. Researchers analyzed data from dozens of countries and found that lockdowns led to an average decline of nearly 30% in nitrogen dioxide levels over cities. However, they also observed that this improvement was temporary and air pollution rebounded once lockdowns were lifted as vehicle traffic increased again. The short-term reductions could help policymakers design better emission control strategies in the future.
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
Little Snitch is a host-based firewall for macOS that intercepts connection attempts and allows the user to approve or deny them. The document discusses understanding, bypassing, and reversing Little Snitch. It provides an overview of Little Snitch's components and architecture, describes several methods for bypassing its network filtering, and examines techniques for interacting with and disabling Little Snitch's kernel extension through the I/O Kit framework.
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...Felipe Prado
The document summarizes two presentations on cracking electronic safe locks. It discusses cracking a Sargent & Greenleaf 6120 safe lock by using a power analysis side-channel attack to recover the keycode stored in clear in the lock's EEPROM. It also discusses cracking a Sargent & Greenleaf Titan PivotBolt safe lock by using a timing side-channel attack to recover the keycode, and defeating the lock's incorrect code lockout feature.
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksFelipe Prado
This document discusses hacking heavy trucks and related networking protocols. It describes building a "Truck-in-a-Box" simulator to experiment with truck electronics and protocols like J1939 and J1708. The document outlines adventures in truck hacking, including modifying engine parameters, impersonating an engine control module, and exploiting bad cryptography. Details are provided on new hardware tools like the Truck Duck for analyzing truck communication networks.
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
The document provides an overview of a workshop on practical Android application exploitation. The workshop aims to teach skills for performing reverse engineering, static and dynamic testing, and binary analysis of Android applications. It will use demonstrations and hands-on exercises with custom applications like InsecureBankv2. The workshop focuses on discovery and remediation, targeting intermediate to advanced skill levels. It will cover tools, techniques, and common vulnerabilities to exploit Android applications.
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncFelipe Prado
The document discusses vulnerabilities in VNC implementations that allow unauthenticated access. It notes that a scan of the internet found over 335,000 VNC servers, with around 8,000 having no authentication. This lack of authentication allows attackers to access and "pivot" into internal networks. The document provides statistics on different VNC protocol versions found and describes exploits that could allow compromising devices to access additional internal systems through insecure VNC implementations and proxies.
DEF CON 24 - Antonio Joseph - fuzzing android devicesFelipe Prado
Droid-FF is an Android fuzzing framework that aims to automate the fuzzing process on Android devices. It uses Python scripts and integrates fuzzing tools like Peach and radamsa to generate test case data. The framework runs fuzzing campaigns on Android devices, processes the logs to identify crashes, verifies the crashes are unique, maps crashes to source code locations, and analyzes crashes for exploitability using a GDB plugin. The goal of Droid-FF is to make fuzzing easier on mobile devices and help find more crashes and potential vulnerabilities in Android applications and frameworks.
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframePrecisely
Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market.
Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip , presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsDianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for
seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
Dandelion Hashtable: beyond billion requests per second on a commodity serverAntonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/how-axelera-ai-uses-digital-compute-in-memory-to-deliver-fast-and-energy-efficient-computer-vision-a-presentation-from-axelera-ai/
Bram Verhoef, Head of Machine Learning at Axelera AI, presents the “How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-efficient Computer Vision” tutorial at the May 2024 Embedded Vision Summit.
As artificial intelligence inference transitions from cloud environments to edge locations, computer vision applications achieve heightened responsiveness, reliability and privacy. This migration, however, introduces the challenge of operating within the stringent confines of resource constraints typical at the edge, including small form factors, low energy budgets and diminished memory and computational capacities. Axelera AI addresses these challenges through an innovative approach of performing digital computations within memory itself. This technique facilitates the realization of high-performance, energy-efficient and cost-effective computer vision capabilities at the thin and thick edge, extending the frontier of what is achievable with current technologies.
In this presentation, Verhoef unveils his company’s pioneering chip technology and demonstrates its capacity to deliver exceptional frames-per-second performance across a range of standard computer vision networks typical of applications in security, surveillance and the industrial sector. This shows that advanced computer vision can be accessible and efficient, even at the very edge of our technological ecosystem.
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.