The increasing capabilities and performance of the web platform allow for more feature-rich user experiences. How can JavaScript based applications utilize information security and cryptography principles? This session will explore the current state of JavaScript and Web Cryptography. We will review some basic concepts and definitions, discuss the role of TLS/SSL, show some working examples that apply cryptography to real-world use cases and take a peek at the upcoming W3C WebCryptoAPI. Code samples will use CryptoJS in the browser and the Node.js Crypto module on the server. An extended example will secure the popular TodoMVC project using PBKDF2 for key generation, HMAC for data integrity and AES for encryption.
SpringOne Platform 2017
Ryan Baxter, Pivotal
You have heard and seen great things about Spring Cloud and you decide it is time to dive in and try it out yourself. You fire up your browser head to Google and land on the Spring Cloud homepage. Then it hits you, where do you begin? What do each of these projects do? Do you need to use all of them or can you be selective? The number of projects under the Spring Cloud umbrella has grown immensely over the past couple of years and if you are a newcomer to the Spring Cloud ecosystem it can be quite daunting to sift through the projects to find what you need. By the end of this talk you will leave with a solid understanding of the Spring Cloud projects, how to use them to build cloud native apps, and the confidence to get started!
Docker is popular open-source software containerization platform. It provides an ability to package software into standardised units on Docker for software development. In this hands-on introductory session, I introduce the concept of containers and provide an overview of Docker. Participants can learn important concepts in Docker step-by-step and learn by example by running commands with me. The main session involves using Docker CLI (Command Line Interface) covering all the key concepts such as creating images and managing containers. What is more, this workshop ends with a complete example of getting some amazing work done with ease using Docker. Presented in OSI Days '16: http://opensourceindia.in/osidays/workshops-osi-2016/
Upping the APT hunting game: learn the best YARA practices from KasperskyKaspersky
Have you ever wondered how Kaspersky discovered some of the world’s most famous APT attacks? Now, the answer is within your reach. Costin Raiu, director of Kaspersky’s Global Research and Analysis Team (GReAT), will be sharing best practices on the use of YARA, an essential tool for APT hunters that can assist with the discovery of new malware samples, exploits and zero-days, speed up incident response, and increase your defenses by deploying custom rules inside your organization.
If you ever wanted to master YARA and achieve a new level of knowledge in APT detection, mitigation and response, now is your chance.
This brief webinar is based on Kaspersky’s exclusive training on YARA rules, which has already helped improve the APT detection strategies of many cybersecurity teams from leading businesses across the world. During the webinar, you will learn how to write test and improve effective YARA rules. You will also get a glimpse of some of our internal tools and learn how to maximize your knowledge for building effective APT detection strategies with YARA.
This practical webinar is useful for security researchers and incident response personnel, malware analysts, security engineers, network security analysts, APT researchers and IT security staff. The content is suitable for both beginners and seasoned YARA users. The full webinar can be seen: https://kas.pr/92tr
Every IR presents unique challenges. But - when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day - the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.
Details a massive intrusion by Russian APT29 (AKA CozyDuke, Cozy Bear)
SpringOne Platform 2017
Ryan Baxter, Pivotal
You have heard and seen great things about Spring Cloud and you decide it is time to dive in and try it out yourself. You fire up your browser head to Google and land on the Spring Cloud homepage. Then it hits you, where do you begin? What do each of these projects do? Do you need to use all of them or can you be selective? The number of projects under the Spring Cloud umbrella has grown immensely over the past couple of years and if you are a newcomer to the Spring Cloud ecosystem it can be quite daunting to sift through the projects to find what you need. By the end of this talk you will leave with a solid understanding of the Spring Cloud projects, how to use them to build cloud native apps, and the confidence to get started!
Docker is popular open-source software containerization platform. It provides an ability to package software into standardised units on Docker for software development. In this hands-on introductory session, I introduce the concept of containers and provide an overview of Docker. Participants can learn important concepts in Docker step-by-step and learn by example by running commands with me. The main session involves using Docker CLI (Command Line Interface) covering all the key concepts such as creating images and managing containers. What is more, this workshop ends with a complete example of getting some amazing work done with ease using Docker. Presented in OSI Days '16: http://opensourceindia.in/osidays/workshops-osi-2016/
Upping the APT hunting game: learn the best YARA practices from KasperskyKaspersky
Have you ever wondered how Kaspersky discovered some of the world’s most famous APT attacks? Now, the answer is within your reach. Costin Raiu, director of Kaspersky’s Global Research and Analysis Team (GReAT), will be sharing best practices on the use of YARA, an essential tool for APT hunters that can assist with the discovery of new malware samples, exploits and zero-days, speed up incident response, and increase your defenses by deploying custom rules inside your organization.
If you ever wanted to master YARA and achieve a new level of knowledge in APT detection, mitigation and response, now is your chance.
This brief webinar is based on Kaspersky’s exclusive training on YARA rules, which has already helped improve the APT detection strategies of many cybersecurity teams from leading businesses across the world. During the webinar, you will learn how to write test and improve effective YARA rules. You will also get a glimpse of some of our internal tools and learn how to maximize your knowledge for building effective APT detection strategies with YARA.
This practical webinar is useful for security researchers and incident response personnel, malware analysts, security engineers, network security analysts, APT researchers and IT security staff. The content is suitable for both beginners and seasoned YARA users. The full webinar can be seen: https://kas.pr/92tr
Every IR presents unique challenges. But - when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day - the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.
Details a massive intrusion by Russian APT29 (AKA CozyDuke, Cozy Bear)
Presentation done at the November meeting of the Sudoers Barcelona group (https://www.meetup.com/sudoersbcn/).
HashiCorp Vault (https://www.vaultproject.io/)
"Vault és una eina per emmagatzemar i gestionar secrets. Veurem què ofereix, com instal·lar-la, utilitzar-la i operar-la, i la nostra experiència."
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
I claim that none of the commonly used embedding methods capture any semantics.
It's fine if you want to move from a symbolic to a numeric or geometric representation, but when you do, don't throw the semantic baby out with the symbolic bathwater.
I argue that a useful definition of semantics is "predictable inference". This makes it possible to have semantics outside a logical framework.
A methodological warning from 1976: don't fool yourself that wishful mnemonics in your knowledge graph are "semantics". Therefore, knowledge graphs without a schema/ontology is just a data graph, without much semantics.
Finally, a discussion of some embedding methods that do manage to take semantics into account (TransOWL, ball embeddings like ELEm and EmEL++, and box embeddings like BoxEL and Box^2EL.
So: even if you do move to a non-symbolic representation (numerical, geometric), make sure you keep the semantics: don't throw the semantic baby out with the symbolic bathwater.
Le déploiement des applications en mode SaaS, Office 365, Yammer, Salesforce, WebEX, Box et bien d’autres…devient incontournable. Cette démarche est souvent accompagnée d'une volonté de profiter des nouveaux usages telles que la mobilité, l'utilisation des tablettes et des smartphones, le BYOD, ..
Si l'IAM (Identity & Access management) n'est pas adapté à ce nouveau contexte, le taux d'adoption des nouvelles applications ou des nouveaux usages s'en trouvera ralenti. La multiplicité des Login/Mot de passe deviendra rapidement un frein à cette adoption en même temps qu’une menace sur la sécurité globale.
C'est pourquoi une stratégie d’adoption du SaaS doit être accompagnée d’une stratégie de gouvernance et de sécurité des Identités et des Accès cohérente.
Découvrez dans cette étude :
- État de l’art des offres IDaaS du marché : critères fonctionnels, techniques et juridiques
- De l’IAM traditionnelle à l’IDentity as a Service : contraintes, bénéfices, les scénarios possibles et les architectures
- Les offres du marché, actuelles et futures
- Les freins et les leviers : retour d’expériences clients
Étude réalisée au cours du premier semestre 2013 à partir d'un panel de clients représentatifs des différents secteurs d'activités des sociétés du CAC40.
Synthèse de l'étude présentée aux assises de la sécurité à Monaco le 3 Octobre 2013.
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)DevOps.com
As containers and Kubernetes are adopted in production, security is a critical concern and DevOps teams need to go beyond image scanning. Use cases such as runtime security, network visibility and segmentation, incident response and compliance become priorities as your Kubernetes security framework matures.
In this talk, we’ll share an overview of runtime security, discuss approaches used by open source and commercial tools, and hear how users are getting started quickly without impacting developer productivity.
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
Docker is hot, Docker security is not? In this talk the risks, benefits and defenses of Docker are discussed. They are followed up by some best practices, which can you use in your daily activities. What is clear is that there is still a lot to do to get your containers secured.
Event: Docker Amsterdam Meetup - January 2015
This presentation was given by Michael Boelen, January 23rd at Schuberg Philis. The event was organized by Mark Robert Coleman with help of Harm Boertien. With a full house of people, Docker security was discussed.
About the author:
Michael Boelen is founder of CISOfy and researches Linux security to build tools and documentation, to simplify it for others. Examples are tools like Rootkit Hunter and Lynis, blog posts and presentations.
Building Robust ETL Pipelines with Apache SparkDatabricks
Stable and robust ETL pipelines are a critical component of the data infrastructure of modern enterprises. ETL pipelines ingest data from a variety of sources and must handle incorrect, incomplete or inconsistent records and produce curated, consistent data for consumption by downstream applications. In this talk, we’ll take a deep dive into the technical details of how Apache Spark “reads” data and discuss how Spark 2.2’s flexible APIs; support for a wide variety of datasources; state of art Tungsten execution engine; and the ability to provide diagnostic feedback to users, making it a robust framework for building end-to-end ETL pipelines.
You'll understand how hackers can attack resources hosted in the Azure and protect Azure infrastructure by identifying vulnerabilities, along with extending your pentesting tools and capabilities.
An introduction to the devsecops webinar will be presented by me at 10.30am EST on 29th July,2018. It's a session focussed on high level overview of devsecops which will be followed by intermediate and advanced level sessions in future.
Agenda:
-DevSecOps Introduction
-Key Challenges, Recommendations
-DevSecOps Analysis
-DevSecOps Core Practices
-DevSecOps pipeline for Application & Infrastructure Security
-DevSecOps Security Tools Selection Tips
-DevSecOps Implementation Strategy
-DevSecOps Final Checklist
How to test infrastructure code: automated testing for Terraform, Kubernetes,...Yevgeniy Brikman
This talk is a step-by-step, live-coding class on how to write automated tests for infrastructure code, including the code you write for use with tools such as Terraform, Kubernetes, Docker, and Packer. Topics covered include unit tests, integration tests, end-to-end tests, test parallelism, retries, error handling, static analysis, and more.
Security as Code: A DevSecOps ApproachVMware Tanzu
SpringOne 2021
Session Title: Security as Code: A DevSecOps Approach
Speakers: Alvaro Muñoz, Staff Security Researcher at GitHub; Tony Torralba, Software Engineer at GitHub
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
The open source TodoMVC project implements a Todo application using popular JavaScript MV* frameworks. Some of the implementations add support for compile to JavaScript languages, module loaders and real time backends. This presentation will demonstrate a TodoMVC implementation which adds support for the forthcoming W3C Web Cryptography API, as well as review some key cryptographic concepts and definitions.
Instead of storing the Todo list as plaintext in localStorage, this "secure" TodoMVC implementation encrypts Todos using a password derived key. The PBKDF2 algorithm is used for the deriveKey operation, with getRandomValues generating a cryptographically random salt. The importKey method sets up usage of AES-CBC for both encrypt and decrypt operations. The final solution helps address item "A6-Sensitive Data Exposure" from the OWASP Top 10.
With the Web Cryptography API being a recommendation in 2014, any Q&A time will likely include browser implementations and limitations, and whether JavaScript cryptography adds any value.
Presentation done at the November meeting of the Sudoers Barcelona group (https://www.meetup.com/sudoersbcn/).
HashiCorp Vault (https://www.vaultproject.io/)
"Vault és una eina per emmagatzemar i gestionar secrets. Veurem què ofereix, com instal·lar-la, utilitzar-la i operar-la, i la nostra experiència."
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
I claim that none of the commonly used embedding methods capture any semantics.
It's fine if you want to move from a symbolic to a numeric or geometric representation, but when you do, don't throw the semantic baby out with the symbolic bathwater.
I argue that a useful definition of semantics is "predictable inference". This makes it possible to have semantics outside a logical framework.
A methodological warning from 1976: don't fool yourself that wishful mnemonics in your knowledge graph are "semantics". Therefore, knowledge graphs without a schema/ontology is just a data graph, without much semantics.
Finally, a discussion of some embedding methods that do manage to take semantics into account (TransOWL, ball embeddings like ELEm and EmEL++, and box embeddings like BoxEL and Box^2EL.
So: even if you do move to a non-symbolic representation (numerical, geometric), make sure you keep the semantics: don't throw the semantic baby out with the symbolic bathwater.
Le déploiement des applications en mode SaaS, Office 365, Yammer, Salesforce, WebEX, Box et bien d’autres…devient incontournable. Cette démarche est souvent accompagnée d'une volonté de profiter des nouveaux usages telles que la mobilité, l'utilisation des tablettes et des smartphones, le BYOD, ..
Si l'IAM (Identity & Access management) n'est pas adapté à ce nouveau contexte, le taux d'adoption des nouvelles applications ou des nouveaux usages s'en trouvera ralenti. La multiplicité des Login/Mot de passe deviendra rapidement un frein à cette adoption en même temps qu’une menace sur la sécurité globale.
C'est pourquoi une stratégie d’adoption du SaaS doit être accompagnée d’une stratégie de gouvernance et de sécurité des Identités et des Accès cohérente.
Découvrez dans cette étude :
- État de l’art des offres IDaaS du marché : critères fonctionnels, techniques et juridiques
- De l’IAM traditionnelle à l’IDentity as a Service : contraintes, bénéfices, les scénarios possibles et les architectures
- Les offres du marché, actuelles et futures
- Les freins et les leviers : retour d’expériences clients
Étude réalisée au cours du premier semestre 2013 à partir d'un panel de clients représentatifs des différents secteurs d'activités des sociétés du CAC40.
Synthèse de l'étude présentée aux assises de la sécurité à Monaco le 3 Octobre 2013.
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)DevOps.com
As containers and Kubernetes are adopted in production, security is a critical concern and DevOps teams need to go beyond image scanning. Use cases such as runtime security, network visibility and segmentation, incident response and compliance become priorities as your Kubernetes security framework matures.
In this talk, we’ll share an overview of runtime security, discuss approaches used by open source and commercial tools, and hear how users are getting started quickly without impacting developer productivity.
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
Docker is hot, Docker security is not? In this talk the risks, benefits and defenses of Docker are discussed. They are followed up by some best practices, which can you use in your daily activities. What is clear is that there is still a lot to do to get your containers secured.
Event: Docker Amsterdam Meetup - January 2015
This presentation was given by Michael Boelen, January 23rd at Schuberg Philis. The event was organized by Mark Robert Coleman with help of Harm Boertien. With a full house of people, Docker security was discussed.
About the author:
Michael Boelen is founder of CISOfy and researches Linux security to build tools and documentation, to simplify it for others. Examples are tools like Rootkit Hunter and Lynis, blog posts and presentations.
Building Robust ETL Pipelines with Apache SparkDatabricks
Stable and robust ETL pipelines are a critical component of the data infrastructure of modern enterprises. ETL pipelines ingest data from a variety of sources and must handle incorrect, incomplete or inconsistent records and produce curated, consistent data for consumption by downstream applications. In this talk, we’ll take a deep dive into the technical details of how Apache Spark “reads” data and discuss how Spark 2.2’s flexible APIs; support for a wide variety of datasources; state of art Tungsten execution engine; and the ability to provide diagnostic feedback to users, making it a robust framework for building end-to-end ETL pipelines.
You'll understand how hackers can attack resources hosted in the Azure and protect Azure infrastructure by identifying vulnerabilities, along with extending your pentesting tools and capabilities.
An introduction to the devsecops webinar will be presented by me at 10.30am EST on 29th July,2018. It's a session focussed on high level overview of devsecops which will be followed by intermediate and advanced level sessions in future.
Agenda:
-DevSecOps Introduction
-Key Challenges, Recommendations
-DevSecOps Analysis
-DevSecOps Core Practices
-DevSecOps pipeline for Application & Infrastructure Security
-DevSecOps Security Tools Selection Tips
-DevSecOps Implementation Strategy
-DevSecOps Final Checklist
How to test infrastructure code: automated testing for Terraform, Kubernetes,...Yevgeniy Brikman
This talk is a step-by-step, live-coding class on how to write automated tests for infrastructure code, including the code you write for use with tools such as Terraform, Kubernetes, Docker, and Packer. Topics covered include unit tests, integration tests, end-to-end tests, test parallelism, retries, error handling, static analysis, and more.
Security as Code: A DevSecOps ApproachVMware Tanzu
SpringOne 2021
Session Title: Security as Code: A DevSecOps Approach
Speakers: Alvaro Muñoz, Staff Security Researcher at GitHub; Tony Torralba, Software Engineer at GitHub
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
The open source TodoMVC project implements a Todo application using popular JavaScript MV* frameworks. Some of the implementations add support for compile to JavaScript languages, module loaders and real time backends. This presentation will demonstrate a TodoMVC implementation which adds support for the forthcoming W3C Web Cryptography API, as well as review some key cryptographic concepts and definitions.
Instead of storing the Todo list as plaintext in localStorage, this "secure" TodoMVC implementation encrypts Todos using a password derived key. The PBKDF2 algorithm is used for the deriveKey operation, with getRandomValues generating a cryptographically random salt. The importKey method sets up usage of AES-CBC for both encrypt and decrypt operations. The final solution helps address item "A6-Sensitive Data Exposure" from the OWASP Top 10.
With the Web Cryptography API being a recommendation in 2014, any Q&A time will likely include browser implementations and limitations, and whether JavaScript cryptography adds any value.
When you don't have 0days: client-side exploitation for the massesMichele Orru
Conference: InsomniHack (21 March 2014)
Talk speakers:
Michele Orru (@antisnatchor)
Krzysztof Kotowicz (@kkotowicz)
Talk abstract:
A bag of fresh and juicy 0days is certainly something you would love to get
as a Christmas present, but it would probably be just a dream you had one of those drunken nights.
Hold on! Not all is lost! There is still hope for pwning targets without 0days.
We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.
The talk will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.
We'll delve into Chrome and Firefox extensions (automating various repetitive actions that you'll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.
You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, then this talk is for you.
I presented this overview lecture at Computer Applications for the 21st century – Synergies and Vistas organized by Vidyasagar College, Kolkata in 2008
SunshinePHP 2017: Tales From The Crypt - A Cryptography PrimerAdam Englander
This presentation is meant to help PHP developers gain a working understanding of common terms used in cryptography, understand the key drivers for choosing cryptography methodologies, algorithms and strengths,
and know which PHP modules and packages to use.
Наше сообщество SkillsWiki с интересом наблюдает за стремительным изменением рынка, темпы конкуренции которого увеличиваются год за годом. IT и бизнес подталкивают друг друга все к более быстрым изменениям. Agile, гибкие процессы во многих областях давно стали необходимостью. Неудивительно, что все эти изменения постепенно коренным образом перестраивают профиль сотрудников, изменяют подходы к образованию, заставляют людей по-другому смотреть на свое развитие, карьеру. Узкоспециализированные профессии постепенно отмирают, на их место приходят более универсальные профессии, способные сочетать навыки нескольких специализацией, умение приспосабливаться и быстро реагировать на потребности бизнеса. Как и всех, нас интересует наше будущее, наша востребованность. Можем ли мы полагаться в своем развитии на мнение коллег на работе? А идет ли в ногу со временем вся компания в целом? Какие специалисты потребуются рынку через несколько лет? На примере исследования рынков труда России и США по таким популярным и новым специализациями как DevOps Engineer, Data Scientist, .NET Developer, мы постарались выделить главные тренды ближайших лет и ориентиры для личного развития.
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
A detailed description about Cryptography explaining the topic from the very basics. Explaining how it all started, and how is it currently being applied in the real world. Mostly useful for students in engineering and mathematics.
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...JPCERT Coordination Center
Recently we’ve seen many vulnerabilities related to improper certificate validation. Those vulnerabilities come from developers’ ignorance or misunderstanding of basic knowledge of certificate validation or insufficient testing of validation code. This presentation starts with the basics of the certificate validation process, surveys several vulnerabilities in the real world, and concludes with lessons learned from real-world vulnerabilities.
This is presented on JavaOne2015.
Content Security Policy (CSP) is a browser security mechanism against content injection. Using the CSP header, browsers can restrict content from just the domains whitelisted in the policy. This session shares lessons learned with deploying CSP at Yahoo.
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
Denis Kolegov, Oleg Broslavsky, Power of Community 2018, Seoul, Korea
Today, «SD-WAN» is a very hot and attractive topic. Software-defined WAN (SD-WAN) is a technology based on software-defined network (SDN) approach applied to wide area networks (WAN) in enterprise networks. According to Gartner’s predictions study, more than 50% of routers will be replaced with SD-WAN solutions by 2020.
In this presentation, we disclose a set of vulnerabilities in widespread and most popular SD-WAN products including Citrix NetScaler and Silver Peak EdgeConnect. We present the new results of our research, consider some technical details of the insecure design and found vulnerabilities, and describe different attack scenarios that may allow an attacker to compromise SD-WAN control and data planes.
Website & Internet + Performance testingRoman Ananev
The presentation about how the site works on the Internet and what happens when you open it in your browser. What happens under the hood of the server and browser.
How to measure the performance of the CS-Cart project simply and without technical knowledge :) And of course, why all the online-performance-testing services lie, or dont provides a clear view ;)
https://www.simtechdev.com/cloud-hosting
---
Cloud hosting for CS-Cart, Multi-Vendor, WordPress, and Magento
by Simtech Development - AWS and CS-Cart certified hosting provider
free installation & migration | free 24/7 server monitoring | free daily backups | free SSL | and more...
20 years of web cryptography, and its amazing how frequently its configured sub-optimally. We've had numerous encryption algorithms, digests, protocols come, and should have GONE, but everyone has just left them on. Its time to shut out the legacy browser. The vast majority of the worlds browser install base now auto-updates, and with strict (and prescriptive) compliance in force, we get to drop the bloat form the past. In this talk we'll cover the current TRANSITIONS we're going through from a web admins perspective: TLS, Cipher Suites, HTTP Security Headers, CAs, the move to an encrypted-by-default web, and more.
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxlior mazor
Stay safe, grab a drink and join us virtually for our upcoming "The Hacking Game - A Road to Post Exploitation" meetup
to learn how hackers can compromise the software supply chain, advanced data protection methods on WebLogic Server and
how to use AI in order to protect your software.
Agenda:
17:00 - 17:10 - 'Opening words' - by Gidi Farkash (CISO at Pipl Security)
17:10 - 17:40 - 'Tracking Attackers in Open Source Supply Chain - Lessons Learned' - by Jossef Harush Kadouri (Head of Software Supply Chain Security at Checkmarx)
17:40 - 18:20 - 'WebLogic - The Road to Post Exploitation' - by Amit German (Cyber Security Researcher at Pentera)
18:20 - 19:00 - 'AI In The Hands of Application Security' - by Brit Glazer (Head of Information Security at Unit)
WebRTC gives us a way to do real-time, peer-to-peer communication on the web. In this talk, we'll go over the current state of WebRTC (both the awesome parts and the parts which need to be improved) as well as what could come in the future. Mostly though, we'll take a look at how to combine WebRTC with other web technologies to create great experiences on the front-end for real-time, p2p web apps.
From localhost to the cloud: A Journey of DeploymentsTegar Imansyah
28 September 2019. Event from HIMATIFA Universitas Pembangunan Nasional “Veteran” Jawa Timur called "IT Festival 2019".
In this talk, I present basic knowledge about how the web works, what is the different cloud computing with existing solution and how to deploy to server.
Training Webinar: Enterprise application performance with server push technol...OutSystems
1st Session - WebSockets, a Server Push Technology:
- Differences between Pull and Push technologies
- What are WebSockets
- A bit of History behind WebSockets
- When to use WebSockets
- How to integrate WebSockets with OutSystems
- Considerations when using WebSockets
Free Online training: https://www.outsystems.com/learn/courses/
Follow us on Twitter http://www.twitter.com/OutSystemsDev
Like us on Facebook http://www.Facebook.com/OutSystemsDev
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)Ericom Software
WebSockets couples the performance and flexibility of TCP with the reach of HTTP Prediction: WebSockets will replace simple TCP as preferred underlying protocol.
To see how Websockets are used in a popular HTML5-based remote access solution, by visiting the following URL: http://j.mp/1luquBQ
Similar to Developer's Guide to JavaScript and Web Cryptography (20)
Sharpen your "Architectural Documentation" SawKevin Hakanson
All solutions implicitly have an architecture, ideally one which is both intentional and documented. The Architectural Decision Records (ADR) process distributes architectural decision-making across team members. Accelerate the time-consuming process of hand drawing diagrams by rendering from a text-based source. Communicate effectively by committing both your markdown-based ADRs and text-based diagrams into your source code repository. This talk will review these techniques, provide actionable steps to adoption, and even live-code some examples.
Who's in your Cloud? Cloud State MonitoringKevin Hakanson
When it comes to cloud operations, monitoring security and visibility are critical. Integration by other systems via Cloud APIs is one of the most powerful value drivers of the hyperscale cloud providers.
In this session, we will describe Cloud State Monitoring, including why it is important and who needs awareness in your organization. An explanation of the categories of Cloud APIs (including the management plane, control plane, and data plane) will give us background. Specific use cases across AWS, Azure, and GCP will dive deep into various changes you might not have considered monitoring.
Adopting Multi-Cloud Services with ConfidenceKevin Hakanson
In transitioning to multi-cloud, IT organizations have the same responsibility to provide quality service and operational security yet have a much greater need to understand how to efficiently govern and manage these disparate cloud services.
In this session, we will examine some key patterns and models taken from a Cloud Adoption Framework through a multi-cloud lens. The presentation will include a mixture of high-level guidance, examples where vocabulary and terminology differ, and opinions on when to utilize cloud-agnostic vs cloud-native technologies for strategic decisions.
Attendees will leave with a better understanding of how to implement a Cloud Adoption Framework across multiple clouds and a higher level of confidence in their multi-cloud adoption plans.
Introduction to Speech Interfaces for Web ApplicationsKevin Hakanson
Speaking with your computing device is becoming commonplace. Most of us have used Apple's Siri, Google Now, Microsoft's Cortana, or Amazon's Alexa - but how can you speak with your web application? The Web Speech API can enable a voice interface by adding both Speech Synthesis (Text to Speech) and Speech Recognition (Speech to Text) functionality.
This session will introduce the core concepts of Speech Synthesis and Speech Recognition. We will evaluate the current browser support and review alternative options. See the JavaScript code and UX design considerations required to add a speech interface to your web application. Come hear if it's as easy as it sounds?
Learning to Mod Minecraft: A Father/Daughter RetrospectiveKevin Hakanson
Video: https://youtu.be/InbVSEA8V0U
What do Minecraft and Blockly have in common? Minecraft is a popular, open world video game where players can build structures using digital blocks. Blockly is a open source visual programming language where students can build programs using blocks. LearnToMod combined these together to teach students how to modify Minecraft using either the Blockly visual editor or JavaScript.
This session will be the retrospective of an enthusiastic father teaching his hesitant daughter (who loves Minecraft) about programming. We started with Hour of Code and pair-programmed through LearnToMod’s video lessons. What did we create? How did we like it? What would we recommend to others? Come learn about our experience and ask questions.
ng-owasp: OWASP Top 10 for AngularJS ApplicationsKevin Hakanson
The OWASP Top 10 provides a list of the 10 most critical web application security risks. How do these relate to AngularJS applications? What security vulnerabilities should developers be aware of beyond XSS and CSRF?
This session will review the OWASP Top 10 with a front-end development focus on HTML and JavaScript. It will look at patterns to implement and others to consider avoiding. We will also explore several built-in features of AngularJS that help secure your application.
Make your own Print & Play card game using SVG and JavaScriptKevin Hakanson
Want to leverage your creativity, love of board games, and web platform experience to do something different? Turn your imagination into a Print & Play card game using only a modern web browser, color printer and text editor.
This session will use the Scalable Vector Graphics (SVG) image format and JavaScript programming language to make a deck of cards for a simple game. Creating a few cards in graphics software like Inkscape is one thing, but what about 50 or 100 cards? What happens when you need to update them all? That’s the value of generating your SVG using JavaScript.
We will start with a blank screen, adding color and graphics elements like lines, shapes, text and images. Learn about container elements and defining content for re-use. Understand how units in the SVG coordinate system can transform our on-screen creation into an 8.5 by 11 inch printed page (or PDF). SVG examples will be both in their native XML format and created from JavaScript using Snap.svg, an open source library from Adobe designed for modern web browsers.
You will leave this session with a basic knowledge of SVG concepts, how to programmatically generate SVG using JavaScript, and how to make your SVG creation printer friendly.
Embracing HTTP is an important property of well constructed ReSTful and web apis. Every web developer is familiar with GET and POST, 200 and 404, Accept and Content-Type; but what about 207 and 413, OPTIONS and PROPFIND, Transfer-Encoding and X-File-Size? This session will be based on usage of various HTTP methods, headers and status codes drawn from the development of large scale, web applications. Examples will include raw HTTP, mixed in with JavaScript and ASP.NET MVC code.
Implementing Messaging Patterns in JavaScript using the OpenAjax HubKevin Hakanson
Is your web application a tightly coupled, DOM event handler mess? Use techniques from the Enterprise Integration Patterns book to build better components. Concepts including message, publish-subscribe channel, request-reply and message filter will be demonstrated in JavaScript (along with corresponding tests) using the OpenAjax Hub.
Internationalize your JavaScript Application: Prepare for "the next billion" ...Kevin Hakanson
Are you prepared for "the next billion" internet users, most of whom don't use English as their primary language? This session will explore the globalization (internationalization and localization) of JavaScript based applications. It will look at the ECMAScript Internationalization API and popular open source projects like AngularJS, messageformat.js, jQuery Globalize and twitter-cldr-js. Topics will include cultures/locales, character encoding, number formatting, date formatting, choice/plural formatting and translations.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
3. Abstract
The increasing capabilities and performance of the web platform
allow for more feature-rich user experiences. How can
JavaScript based applications utilize information security and
cryptography principles? This session will explore the current
state of JavaScript and Web Cryptography. We will review some
basic concepts and definitions, discuss the role of TLS/SSL,
show some working examples that apply cryptography to realworld use cases and take a peek at the upcoming W3C
WebCryptoAPI. Code samples will use CryptoJS in the browser
and the Node.js Crypto module on the server. An extended
example will secure the popular TodoMVC project using
PBKDF2 for key generation, HMAC for data integrity and AES for
encryption.
4. (Less) Abstract
web platform
The increasing capabilities and performance of the
allow for more featurerich user experiences. How can JavaScript based applications utilize information security and
JavaScript and
Web Cryptography. We will review some basic concepts and
definitions, discuss the role of TLS/SSL, show some working examples that apply
cryptography principles? This session will explore the current state of
cryptography to real-world use cases and take a peek at the upcoming W3C WebCryptoAPI. Code
CryptoJS in the browser and the Node.js
Crypto module on the server. An extended example will
secure the popular TodoMVC project using PBKDF2 for key
samples will use
generation, HMAC for data integrity and AES for encryption.
6. Bio
Kevin Hakanson is an application architect for Thomson
Reuters where he is focused on highly scalable web
applications, especially the JavaScript and security
aspects. His background includes both .NET and Java, but
he is most nostalgic about Lotus Notes. He has been
developing professionally since 1994 and holds a Master’s
degree in Software Engineering. When not staring at a
computer screen, he is probably staring at another screen,
either watching TV or playing video games with his family.
7. What to Expect
● Concepts and Definitions
○ (slides with lots of words I won't read aloud)
● Real World Examples
○ (including proper attribution and hyperlinks)
● JavaScript Code Samples
○ (some of them "forked" from the internet)
● Attempts at Humor
○ (I will laugh at my own jokes)
● Questions
○ (OK during presentation)
9. Project which offers the same Todo application
implemented using MV* concepts in most of the
popular JavaScript MV* frameworks of today.
http://todomvc.com/
https://github.com/addyosmani/todomvc
10. Today's Session "todos'
● Review the relevant cryptography concepts.
● Use JavaScript and Web technologies to
apply these cryptography concepts.
11. Why? TodoMVC Uses localStorage
Chrome keeps localStorage in an SQLite file:
OS X:
~/Library/Application Support/Google/Chrome/Default/Local Storage
Windows: %HOMEPATH%AppDataLocalGoogleChromeUser DataDefaultLocal Storage
$ sqlite3 http_todomvc.com_0.localstorage
SQLite version 3.7.5
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select * from ItemTable;
todos-jquery|[{"id":"b6731fa4-2e52-43c1-ae2f4d431f9bef75","title":"secure todos with
JavaScript cryptography","completed":false}]
12. This Is What I Want
● Enter Password before access to "todos"
● Encrypted "at rest" in localStorage
13.
14. Acronymphobia?
AES CA CBC CSRF DES
DSA ECC FIPS HMAC
ISO IV MD5 MITM NIST
OCB OWASP PBKDF2
PKCS PII PKI PRNG RC4
RSA SHA1 SSL TLS XSS
15. Glossary
Glossary of Key Information Security Terms
(Draft)
http://csrc.nist.gov/publications/drafts/ir-7298rev2/nistir7298_r2_draft.pdf
common security terms has been extracted from NIST
Federal Information Processing Standards (FIPS), the
Special Publication (SP) 800 series, NIST Interagency
Reports (NISTIRs), and from the Committee for National
Security Systems Instruction 4009 (CNSSI-4009)
16. NIST and FIPS
NIST - National Institute of Standards and
Technology
http://www.nist.gov/index.html
FIPS - Federal Information Processing
Standard
http://www.nist.gov/itl/fips.cfm
FIPS PUB - FIPS Publication
http://csrc.nist.gov/publications/PubsFIPS.html
17. Cryptography
The discipline that embodies principles, means,
and methods for providing information security,
including confidentiality, data integrity, nonrepudiation, and authenticity.
SOURCE: SP 800-21
18. Cipher, Plaintext and Ciphertext
Cipher: Series of transformations that converts
plaintext to ciphertext using the Cipher Key.
Plaintext: Data input to the Cipher or output
from the Inverse Cipher.
Ciphertext: Data output from the Cipher or
input to the Inverse Cipher.
SOURCE: FIPS 197
19. Cryptographic Key
A parameter used in conjunction with a cryptographic
algorithm that determines
●
●
●
●
●
●
the transformation of plaintext data into ciphertext data,
the transformation of ciphertext data into plaintext data,
a digital signature computed from data,
the verification of a digital signature computed from
data,
an authentication code computed from data, or
an exchange agreement of a shared secret.
SOURCE: FIPS 140-2
20. Secure Socket Layer (SSL)
A protocol used for protecting private information during
transmission via the Internet.
Note: SSL works by using a public key to encrypt data
that's transferred over the SSL connection. Most Web
browsers support SSL, and many Web sites use the
protocol to obtain confidential user information, such as
credit card numbers. By convention, URLs that require an
SSL connection start with “https:” instead of “http:.”
SOURCE: CNSSI-4009
25. W3C Web Cryptography API
This specification describes a JavaScript API
for performing basic cryptographic operations in
web applications, such as hashing, signature
generation and verification, and encryption and
decryption.
http://www.w3.org/TR/WebCryptoAPI/
26. WebCryptoAPI Charter
Primary API Features in scope are: key
generation, encryption, decryption, deletion,
digital signature generation and verification,
hash/message authentication codes, key
transport/agreement, strong random number
generation, key derivation functions, and key
storage and control beyond the lifetime of a
single session.
http://www.w3.org/2011/11/webcryptography-charter.html
29. Web Cryptography Working Group
Schedule of Deliverables
○ April 2012: Group Formation
○ June 2012: Expected first public Working Draft of
Web Cryptography API spec
○ October 2013: Expected Last Call
○ June 2014: Expected Candidate Recommendation
○ September 2014: Expected Proposed
Recommendation
○ Jan 2015: Expected Recommendation
http://www.w3.org/2012/webcrypto/Overview.html
32. Require Internet Explorer 11?
● Internet Explorer 11 added support for the
Web Cryptography API
○ However, based on spec before CryptoOperation changed to
support TC39/DOM Promises
○ Included in Windows 8.1 or as update to Windows 7 or
Windows Server 2008
http://windows.microsoft.com/en-us/internet-explorer/ie-11-release-preview
● MSDN Documentation:
○ Internet Explorer 11 Developer Guide > Privacy and security >
Web Cryptography API
http://msdn.microsoft.com/en-us/library/ie/dn265046(v=vs.85).aspx
○ Web applications > Web Cryptography
http://msdn.microsoft.com/en-us/library/ie/dn302338(v=vs.85).aspx
33. Use Case: Netflix
● HTML5 Video in IE 11 on Windows 8.1
Wednesday, June 26, 2013
"future of premium video on the web, since they allow
playback of premium video directly in the browser
without the need to install plugins"
"Microsoft implemented the Web Cryptography API
(WebCrypto) in Internet Explorer, which allows us to
encrypt and decrypt communication between our
JavaScript application and the Netflix servers."
http://techblog.netflix.com/2013/06/html5-video-in-ie-11-on-windows-81.html
34. Contribute to Chromium?
Open-source project behind Google Chrome.
● Issue 245025: Implement WebCrypto in blink
https://code.google.com/p/chromium/issues/detail?id=245025
● Issue 243345: [OWP Launch] DOM Futures
https://code.google.com/p/chromium/issues/detail?id=243345
●
WebCrypto implementation in Chromium
https://docs.google.com/document/d/184AgXzLAoUjQjrtNdbimceyXVYzrn3tGpf3xQGCN10g
35. Chromium Crypto Status
● Runtime Enabled Features
http://www.chromium.org/blink/runtime-enabled-features
● As of Tue Sep 24 05:59:19 2013 UTC
○ Crypto status=test
http://src.chromium.
org/viewvc/blink/trunk/Source/core/page/RuntimeEnabledFeatures.in
● When Crypto status=experimental
○
chrome://flags/#enable-experimental-web-platform-features
36. Contribute to Firefox?
● Bug 865789 - (web-crypto) Implement W3C
Web Crypto API
○ https://bugzilla.mozilla.org/show_bug.cgi?id=865789
37. PolyCrypt: A WebCrypto Polyfill
"a pure JavaScript implementation of the
WebCrypto API that people can use to get a
feel for how they can use the API in practice"
Currently under active development by BBN
Technologies, with funding from DHS S&T.
http://polycrypt.net/
https://github.com/polycrypt/polycrypt
39. Stanford Javascript Crypto Library
● SJCL is "a secure, powerful, fast, small,
easy-to-use, cross-browser library for
cryptography in Javascript"
● 2009 whitepaper focused on k-weight,
performance and cryptographic randomness
○
"In Internet Explorer 8 our code is 11 times faster than the fastest
current implementation."
○
"Our code is also 12% smaller than the smallest implementation
currently available"
○
"Our PRNG itself is a modified version of the Fortuna PRNG."
http://crypto.stanford.edu/sjcl/
40. CryptoJS
CryptoJS is a growing collection of standard
and secure cryptographic algorithms
implemented in JavaScript using best practices
and patterns.
● Hashers
● HMAC
● PBKDF2
● Ciphers
● Encoders
https://code.google.com/p/crypto-js/
41. Node.js Crypto
● Use require('crypto') to access this
module.
● The crypto module requires OpenSSL to be
available on the underlying platform.
● It also offers a set of wrappers for
OpenSSL's hash, hmac, cipher, decipher,
sign and verify methods.
http://nodejs.org/api/crypto.html
42. OpenSSL
The OpenSSL Project is a collaborative effort to
develop a robust, commercial-grade, fullfeatured, and Open Source toolkit
implementing the Secure Sockets Layer (SSL
v2/v3) and Transport Layer Security (TLS v1)
protocols as well as a full-strength general
purpose cryptography library.
http://www.openssl.org/
43. Javascript Cryptography Considered
Harmful (circa 2010)
● Opinion on browser Javascript cryptography
○ "with SSL, you no longer need Javascript
cryptography; you have 'real' cryptography"
○ "no reliable way for any piece of Javascript code to
verify its execution environment"
○ "can't outsource random number generation in a
cryptosystem"
○ "practically no value to doing crypto in Javascript
once you add SSL to the mix"
○ "store the key on that server [and] documents there"
http://www.matasano.com/articles/javascript-cryptography/
44. Host-Proof Hosting
● In A Blink
●
○ Sketch: Locked inside data cloud, key at browser.
Solution
○ Host sensitive data in encrypted form, so that clients
can only access and manipulate it by providing a
pass-phrase which is never transmitted to the
server. The server is limited to persisting and
retrieving whatever encrypted data the browser
sends it, and never actually accesses the sensitive
data in its plain form. It. All encryption and
decryption takes place inside the browser itself.
http://ajaxpatterns.org/Host-Proof_Hosting (July 2005)
45. Web-browser encryption of personal health information [http://www.biomedcentral.com/1472-6947/11/70]
Encryption data flow. A diagram laying out how the encrypted data and the user-supplied passcode are used to decrypt the data.
Morse et al. BMC Medical Informatics and Decision Making 2011 11:70
doi:10.1186/1472-6947-11-70
46. Host-Proof Hosting "Requirements"
● Secure transport mechanism (HTTPS).
● Trust provider that hosts web application and serves
HTML and JavaScript resources.
● Defend against and accept risk of script injection (XSS)
threat.
○ However, unauthorized access by hackers only
attacks users who access the application while
infected, and not the entire persisted data store.
● Avoid proving "Schneier's Law"
○ Anyone can invent a security system that he himself
cannot break.
http://www.schneier.com/blog/archives/2011/04/schneiers_law.html
47. OWASP Top 10 2013
●
●
●
●
●
●
●
●
●
●
A1-Injection
A2-Broken Authentication and Session Management
A3-Cross-Site Scripting (XSS)
A4-Insecure Direct Object References
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Missing Function Level Action Control
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Top_10_2013
48. OWASP Top 10 Change From 2010
2013-A6: Sensitive Data Exposure
● New category created by merging 2010-A7 – Insecure
●
Cryptographic Storage & 2010-A9 - Insufficient
Transport Layer Protection, plus adding browser side
sensitive data risks as well.
Covers sensitive data protection from the moment
sensitive data is provided by the user, sent to and
stored within the application, and then sent back to the
browser again.
https://www.owasp.org/index.php/Top_10_2013-Release_Notes
49. A6-Sensitive Data Exposure
Am I Vulnerable To 'Sensitive Data Exposure'?
1. Is any of this data stored in clear text long term,
including backups of this data?
2. Is any of this data transmitted in clear text, internally or
externally? Internet traffic is especially dangerous.
3. Are any old / weak cryptographic algorithms used?
4. Are weak crypto keys generated, or is proper key
management or rotation missing?
5. Are any browser security directives or headers missing
when sensitive data is provided by / sent to the
browser?
https://www.owasp.org/index.php/Top_10_2013-A6
51. Cryptographic Hash Function
A function that maps a bit string of arbitrary length to a fixed
length bit string. Approved hash functions satisfy the
following properties:
1) (One-way) It is computationally infeasible to find any
input which maps to any pre-specified output, and
2) (Collision resistant) It is computationally infeasible to
find any two distinct inputs that map to the same output.
SOURCE: SP 800-21
52. SHA-1 Definition
SHA-1 uses a sequence of logical functions, f0, f1,…, f79.
Each function ft, where 0 ≤ t < 79, operates on three 32-bit
words, x, y, and z, and produces a 32-bit word as output.
The function f(x, y, z) is defined as follows:
SOURCE: FIPS 180-4
53.
54. OpenSSL
$ echo -n "The quick brown fox jumps over the lazy dog" |
openssl dgst -sha1
(stdin)= 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
CryptoJS
> CryptoJS
.SHA1("The quick brown fox jumps over the lazy dog")
.toString();
"2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"
Node.js
> require("crypto")
.createHash("sha1")
.update("The quick brown fox jumps over the lazy dog")
.digest("hex");
'2fd4e1c67a2d28fced849ee1bb76e7391b93eb12'
55. HTML5 Drag & Drop SHA1
var dropZone = document.getElementById('drop_zone');
dropZone.addEventListener('drop', handleFileSelect, false);
function handleFileSelect(evt) {
evt.stopPropagation();
evt.preventDefault();
var files = evt.dataTransfer.files;
for (var i = 0, f; f = files[i]; i++) {
var reader = new FileReader();
reader.readAsArrayBuffer(f);
reader.onload = (function(theFile) {
return function(e) {
var wordArray = CryptoJS.lib.WordArray.create(e.target.result);
var hash = CryptoJS.SHA1(wordArray);
};
})(f);
}
}
57. Hash-based Message Authentication
Code (HMAC)
A message authentication code that uses a
cryptographic key in conjunction with a hash
function.
SOURCE: FIPS 201; CNSSI-4009
58. Symmetric Key
A cryptographic key that is used to perform
both the cryptographic operation and its
inverse, for example to encrypt and decrypt, or
create a message authentication code and to
verify the code.
SOURCE: SP 800-63; CNSSI-4009
59. Digital Signature
The result of a cryptographic transformation of
data which, when properly implemented,
provides the services of:
1. origin authentication,
2. data integrity, and
3. signer non-repudiation.
SOURCE: FIPS 140-2
60. require('cookie-signature')
● Node module used by connect, which is
used by express
● Signs the value of a cookie
exports.sign = function(val, secret){
if ('string' != typeof val) throw new TypeError('cookie required');
if ('string' != typeof secret) throw new TypeError('secret required');
return val + '.' + crypto
.createHmac('sha256', secret)
.update(val)
.digest('base64')
.replace(/=+$/, '');
};
https://github.com/visionmedia/node-cookie-signature
61. This express code
app.use( express.cookieParser( "key" ) );
res.cookie( "text", "The quick brown fox jumps over the lazy dog",
{ signed : true } );
creates this signed cookie
Set-Cookie: text=s%3AThe%20quick%20brown%20fox%20jumps%20over%20the%20lazy%
20dog.97yD9DBThCSxMpjmqm%2BxQ%2B9NWaFJRhdZl0edvC0aPNg; Path=/
which matches our CryptoJS test
var hash = CryptoJS.HmacSHA256( "The quick brown fox jumps over the lazy dog",
"key" );
var base64 = CryptoJS.enc.Base64.stringify( hash );
equal( base64, "97yD9DBThCSxMpjmqm+xQ+9NWaFJRhdZl0edvC0aPNg=", "matches value"
);
and OpenSSL command line.
$ echo -n "The quick brown fox jumps over the lazy dog" | openssl dgst -sha256 hmac "key" -binary | openssl base64
97yD9DBThCSxMpjmqm+xQ+9NWaFJRhdZl0edvC0aPNg=
64. Password-Based Key Derivation
Functions (PBKDF)
● The randomness of cryptographic keys is
essential for the security of cryptographic
applications.
● Most user-chosen passwords have low
entropy and weak randomness properties.
○ shall not be used directly as cryptographic keys
● KDFs are deterministic algorithms that are
used to derive cryptographic keying material
from a secret value, such as a password.
SOURCE: SP 800-132
65. PBKDF Specification
Input:
P
Password
S
Salt
C
Iteration count
kLen Length of MK in bits; at most (232-1) x hLen
Parameter:
PRF HMAC with an approved hash function
hlen Digest size of the hash function
Output:
mk
Master key
http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
66. Salt
A non-secret value that is used in a
cryptographic process, usually to ensure that
the results of computations for one instance
cannot be reused by an Attacker.
SOURCE: SP 800-63; CNSSI-4009
68. Pseudorandom number generator
(PRNG)
An algorithm that produces a sequence of bits
that are uniquely determined from an initial
value called a seed. The output of the PRNG
“appears” to be random, i.e., the output is
statistically indistinguishable from random
values. A cryptographic PRNG has the
additional property that the output is
unpredictable, given that the seed is not known.
SOURCE: CNSSI-4009
71. Node.js crypto.randomBytes()
● Generates cryptographically strong pseudorandom data.
var buf = crypto.randomBytes(256);
● The Crypto module was added to Node …
before there were Buffer objects for
handling binary data.
● As such, ... many methods accept and
return Binary-encoded strings by default
rather than Buffers.
http://nodejs.org/api/crypto.html
72. Node.js Buffer
● Pure JavaScript is Unicode friendly but not nice to
●
●
binary data.
Raw data is stored in instances of the Buffer class. A
Buffer is similar to an array of integers but corresponds
to a raw memory allocation outside the V8 heap.
Converting between Buffers and JavaScript string
objects requires an explicit encoding method.
○ 'binary' - A way of encoding raw binary data into strings by using
only the first 8 bits of each character.
○
'hex' - Encode each byte as two hexadecimal characters.
http://nodejs.org/api/buffer.html#buffer_buffer
73. window.crypto.getRandomValues()
If you provide an integer-based TypedArray,
the function is going fill the array with
cryptographically random numbers.
var buf = new Uint8Array(32);
window.crypto.getRandomValues(buf);
https://developer.mozilla.org/en-US/docs/DOM/window.crypto.getRandomValues
http://msdn.microsoft.com/en-us/library/ie/dn302324(v=vs.85).aspx
74. TypedArray
ECMAScript [ECMA-262] has traditionally been
used in contexts where there is no access to
binary data. Where binary data has needed to
be manipulated, it is often stored as a String
and accessed using charCodeAt(), or stored as
an Array with conversion to and from base64
for transmission.
https://www.khronos.org/registry/typedarray/specs/latest/
75. CryptoJS.lib.WordArray
A WordArray object represents an array of 32-bit words.
var hash = CryptoJS.SHA256("Message");
alert(hash.toString(CryptoJS.enc.Base64));
// L3dmip37+NWEi57rSnFFypTG7ZI25Kdz9tyvpRMrL5E=
alert(hash.toString(CryptoJS.enc.Latin1));
// /wf��ûøÕ���ëJqEÊ�Æí�6ä§söܯ¥+/�
alert(hash.toString(CryptoJS.enc.Hex));
// 2f77668a9dfbf8d5848b9eeb4a7145ca94c6ed9236e4a773f6dcafa5132b2f91
https://code.google.com/p/crypto-js/#The_Hasher_Output
76.
77. AES
The Advanced Encryption Standard specifies a U.S.
government approved cryptographic algorithm that can be
used to protect electronic data. The AES algorithm is a
symmetric block cipher that can encrypt (encipher) and
decrypt (decipher) information. This standard specifies the
Rijndael algorithm, a symmetric block cipher that can
process data blocks of 128 bits, using cipher keys with
lengths of 128, 192, and 256 bits.
SOURCE: FIPS 197
78. (CC BY 3.0) http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html
79. Initialization Vector (IV)
A vector used in defining the starting point of an
encryption process within a cryptographic
algorithm.
SOURCE: FIPS 140-2
80. OpenSSL Encryption Format
Since OpenSSL 0.9.5 (early 2000), openssl
enc produces output in the following format :
● "Salted__" magic string
● 8 bytes of salt
● encrypted data
To decrypt a file encrypted with 0.9.4 (or
earlier) or other crypto software, use the nosalt command line option.
http://www.mail-archive.com/openssl-users@openssl.org/msg35646.html
82. OpenSSL EVP_BytesToKey()
Derives a key and IV from a password and salt.
Not compatible with PBKDF2.
$ openssl enc -aes-256-cbc -k
"password" -S 4521F86027413403 -P
salt=4521F86027413403
key=0CD1D07EB67E19EF56EA0F3A9A8F8A7C95
7A2CB208327E0E536608FF83256C96
iv =6C4C31BDAB7BAFD35B23691EC521E28D
83. OpenSSL Encryption
OpenSSL command line encryption with key
and IV instead of password and salt.
$ echo -n "Message" | openssl enc -aes-256-cbc iv 6C4C31BDAB7BAFD35B23691EC521E28D -K
0CD1D07EB67E19EF56EA0F3A9A8F8A7C957A2CB208327E0E
536608FF83256C96 | xxd -p
23e5ebe72d99cf302c99183c05cf050a
84. CryptoJS Key and IV
var testVector = { plaintext : "Message",
iv : "6C4C31BDAB7BAFD35B23691EC521E28D",
key : "0CD1D07EB67E19EF56EA0F3A9A8F8A7C957A2CB208327E0E536608FF83256C96",
ciphertext :
"53616c7465645f5f4521f8602741340323e5ebe72d99cf302c99183c05cf050a"};
var rawEnc = CryptoJS.AES.encrypt(testVector.plaintext,
CryptoJS.enc.Hex.parse(testVector.key),
{ iv : CryptoJS.enc.Hex.parse(testVector.iv), mode: CryptoJS.mode.CBC});
equal(CryptoJS.enc.Hex.stringify(rawEnc.ciphertext),
testVector.ciphertext.substring(32), "decrypt matches ciphertext");
85. CryptoJS Password and Salt
var testVector = { plaintext : "Message",
iv : "6C4C31BDAB7BAFD35B23691EC521E28D",
key : "0CD1D07EB67E19EF56EA0F3A9A8F8A7C957A2CB208327E0E536608FF83256C96",
ciphertext : "53616c7465645f5f4521f8602741340323e5ebe72d99cf302c99183c05cf050a"};
// https://code.google.com/p/crypto-js/issues/detail?id=85
var compatEnc = CryptoJS.AES.encrypt(testVector.plaintext, "password",
{ salt: CryptoJS.enc.Hex.parse("4521F86027413403") });
var iv = CryptoJS.enc.Hex.stringify(compatEnc.iv).toUpperCase();
equal(iv, testVector.iv, "matches iv");
var key = CryptoJS.enc.Hex.stringify(compatEnc.key).toUpperCase();
equal(key, testVector.key, "matches key");
var ciphertext = CryptoJS.enc.Hex.stringify(compatEnc.ciphertext);
equal(ciphertext, testVector.ciphertext.substring(32), "matches ciphertext");
86. CryptoJS Password and NoSalt
var nosalt = CryptoJS.lib.WordArray.random(0);
// { salt : null } will generate random salt
var enc = CryptoJS.AES.encrypt("Message", "password",
{ salt: nosalt });
var ciphertext = CryptoJS.enc.Hex.stringify(enc.ciphertext);
equal(ciphertext, "0293cf0bdf5323cff809ba406ffc8283",
"decrypt matches nosalt ciphertext");
87. Node.js Crypto Key and IV
var crypto = require("crypto");
var testVector = { plaintext : "Message",
iv : "6C4C31BDAB7BAFD35B23691EC521E28D",
key : "0CD1D07EB67E19EF56EA0F3A9A8F8A7C957A2CB208327E0E536608FF83256C96",
ciphertext :
"53616c7465645f5f4521f8602741340323e5ebe72d99cf302c99183c05cf050a"};
var key = new Buffer(testVector.key, "hex");
var iv = new Buffer(testVector.iv, "hex");
var rawEnc = crypto.createCipheriv("aes-256-cbc", key, iv);
var rawCrypted = rawEnc.update(testVector.plaintext, "utf8", "hex");
rawCrypted += rawEnc.final("hex");
console.log(rawCrypted);
// 23e5ebe72d99cf302c99183c05cf050a
92. Data Flow and Storage
●
●
●
●
Salt = initial random
IV = initial random
HMAC = SHA256(salt, key)
Ciphertext = AES(iv | todos, key)
93. Add Password Entry Field
<header id="header">
<h1><span>secure</span> todos</h1>
<input id="new-todo"
placeholder="What needs to be done?"
style="display: none">
<input id="todo-password"
type="password"
placeholder="Enter Password"
autofocus
class="edit">
</header>
94. Set and Confirm Password
On first use, password must be established.
95. Enter and Validate Password
On subsequent uses, password must be
entered to unlock todos.
An invalid password will shake the password
input field and outline in red.
100. Windows Azure ProTip
● Azure maps app.js to run on server using iisnode
module in wwwroot/web.config
● TodoMVC uses app.js as JavaScript filename
requested by browser
● Problem: these do not work together
● Solution: create /public/web.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<remove name="iisnode" />
</handlers>
</system.webServer>
</configuration>
101. render: function () {
if (this.key) {
this.$password.hide();
this.$newTodo.show().focus();
this.$todoList.html(this.todoTemplate(this.todos));
this.$main.toggle(!!this.todos.length);
this.$toggleAll.prop('checked', !this.activeTodoCount());
this.renderFooter();
Utils.store('todos-jquery-encrypted',
this.encryptTodos(this.key));
} else {
this.$newTodo.hide();
if (!this.initialized) {
var placeholder = (this.$password.data("confirm") ?
"Confirm Password" : "Set Password");
this.$password.attr("placeholder", placeholder);
}
this.$password.show().focus();
}
}
102. Encrypt todos
encryptTodos: function (key) {
var hexSalt =
CryptoJS.enc.Hex.stringify(this.encryptedData.salt);
var plaintext = hexSalt + JSON.stringify(this.todos);
var enc = CryptoJS.AES.encrypt(plaintext, key,
{ iv: this.encryptedData.iv, mode: CryptoJS.mode.CBC });
var encryptedTodos = {
salt : this.encryptedData.salt,
hmac : this.encryptedData.hmac,
iv : this.encryptedData.iv,
ciphertext : enc.ciphertext
};
return encryptedTodos;
}
103. Decrypt todos and Check Integrity
var hmac = CryptoJS.HmacSHA256(this.encryptedData.salt, key);
if (hmac.toString() != this.encryptedData.hmac.toString() ) {
return null;
}
var cipherParams = CryptoJS.lib.CipherParams.create({
ciphertext: this.encryptedData.ciphertext});
var dec = CryptoJS.AES.decrypt(cipherParams, key,
{ iv: this.encryptedData.iv, mode: CryptoJS.mode.CBC });
var plaintext = CryptoJS.enc.Latin1.stringify(dec);
var hexSalt = CryptoJS.enc.Hex.stringify(this.encryptedData.
salt);
var pos = plaintext.indexOf(hexSalt, 0);
104. Store Encrypted (Write)
if (arguments.length > 1) {
// write
var writeStore = {
salt : CryptoJS.enc.Hex.stringify(data.salt),
hmac : CryptoJS.enc.Hex.stringify(data.hmac),
iv :
CryptoJS.enc.Hex.stringify(data.iv),
ciphertext :
CryptoJS.enc.Base64.stringify(data.ciphertext)
};
return localStorage.setItem(namespace,
JSON.stringify(writeStore));
} else {
// read on next slide
}
105. Store Encrypted (Read)
var readStore = localStorage.getItem(namespace);
data = {};
if (readStore && JSON.parse(readStore)) {
// existing
var tmpData = JSON.parse(readStore);
data.salt = CryptoJS.enc.Hex.parse(tmpData.salt);
data.hmac = CryptoJS.enc.Hex.parse(tmpData.hmac);
data.iv =
CryptoJS.enc.Hex.parse(tmpData.iv);
data.ciphertext = CryptoJS.enc.Base64.parse(tmpData.ciphertext);
} else {
data.salt = CryptoJS.lib.WordArray.random(256 / 8);
data.hmac = null;
data.iv = CryptoJS.lib.WordArray.random(128 / 8);
data.ciphertext = null;
}
return data;
// new