Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Defying Logic - Business Logic Testing with Automation (Rafal Los)
Straight from Black Hat Europe - this talk lays the foundation for going-forward research and development into whether 'business logic' can be tested using automation and seeks to define boundaries, key assertions, and a roadmap for further work.
A college lecture at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
0-Day Up Your Sleeve - Attacking macOS Environments (SecuRing)
Do you have Macs in your company's infrastructure? Nowadays, I bet that in most cases the answer would be YES. Macs stopped being computers only used in startups. We can observe them even in huge legacy environments in banks and other corporations. The problem is that they are usually not symmetrically secured, compared to the rest of Windows stations. Macs are not immune, they can be insecurely configured and now...even Apple admits that malware is present on Macs.
In this presentation I will:
1. Introduce you to macOS security mechanisms
2. Perform step-by-step macOS infection based on my 0-day (live demo)
3. Show you post-exploitation techniques
4. Attack installed apps and collect data from them
5. Give recommendations on how to harden your Mac and macOS infrastructure
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Rapid Threat Model Prototyping methodology (Geoffrey Hill)
Here are the slides from my Rapid Threat Model Prototyping (RTMP) talks, covering my new threat modelling process. I will be adding more material to this github repo over time: https://github.com/geoffrey-hill-tutamantic/rapid-threat-model-prototyping-docs
Security Ninjas: An Open Source Application Security Training Program (OpenDNS)
NOTES
--
Slide 8
Some of the categories we will discuss are very broad like this one.
Untrusted command – get / post / rest style params
Clicks
Surprise inputs
Slide 13
Very broad too
Little or no auth
Auth with some bypass possibilities
Some problem with how session is generated, managed, expired
Insufficient sessionID protection
Slide 18
When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser.
Slide 27
Security hardening throughout Application Stack
Unnecessary features enabled or installed?
ports, services, pages, accounts, privileges
Security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries not set to secure values?
Default accounts/ passwords still enabled and unchanged?
Does error handling reveal stack traces or other overly informative error messages to users?
Software out of date?
OS, Web Server, DBMS, applications, code libraries
Slide 41
sign up for updates or do regular audits to see versions
there might be technical dependencies
easily exploited by attackers using Metasploit, info gathering using headers & responses, etc.
Slide 47
We can look at the architecture, give you tips around what you could use, what would be good. This would avoid making any major changes when the product is ready which would save everyone’s time in the long run.
Have sprints with dedicated security features and use those as a selling point for our security conscious customers
Slide 48
Carefully look at the license to make sure you can use it in your type of product. Ask Fallon if you are not sure
Research how much support it gets, how popular it is
Look to find out any vulnerabilities in it before you start using it
Maintain it; Sign up for CVE updates
Ask us if you need to get something reviewed
Slide 50
Not only better and more features
Security vulnerabilities get patched in new versions
New versions get the most attention from the vendors, and old ones eventually stop getting support entirely
Most security support from the community goes to current versions
Turn on auto updates for Chrome; always look at updates on AppStore
Slide 51
Use different passwords for different sites
Password managers let you set complexity, generate random passwords, etc.
Slide 52
Only grant access to what's needed to get the job done
employee leaves; mistakes; vulnerabilities in other s/w which leverages this;
Don’t install redundant software, plugins, etc.
This opens up so much risk
People forget to uninstall them; s/w doesn't get much attention from community; open ports are left; boom exploited by attackers;
Slide 55
To prevent unintended execution actions
e.g., fail open auth errors
Leak minimal info about infrastructure as this info is leveraged by attackers to carry out further attacks
CNIT 126: 10: Kernel Debugging with WinDbg (Sam Bowne)
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F19.shtml
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F18.shtml
TOPS Technologies, a leading IT training institute, offers training in PHP, .NET, Java, iPhone, Android, software testing and SEO. By TOPS Technologies. http://www.tops-int.com
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Student placements at Amazon, Microsoft and Google - a round-table talk (DSCMunich)
Did you ever want to work at one of the biggest companies in the world, where the changes you make have an impact on millions of users? Have you ever wondered what it is like to be an intern or working student at Google, Microsoft or Amazon? Are you thinking about applying?
This is the session for you!
We invited three students who have interned or worked as a working student at these companies and will share their experiences and some application tips with you. Afterwards, there is more than enough time to ask them anything. See you there!
Google STEP internship opportunity .pptx (ssuser5a0cba)
NOTE: This event is not hosted by nor represents Google. The event is held by “Google Developer Student Clubs ELTE, IIEST” with the goal of sharing the experience and opportunity with fellow students.
The Student Training in Engineering Program (STEP) is a 12-week internship for first- and second-year undergraduate students with a passion for Computer Science.
The Career Practitioner's Guide to Conducting a Webinar (Melissa A. Venable)
This session includes an overview of free web-conferencing tools, as well as a step-by-step checklist for planning, presenting, and evaluating a career development webinar.
Computer courses in Chandigarh at CBitss Technologies value for money Our Basics of Computer course content is organized to cover all ideas under Basics of Computer Training
Google Associate Cloud Engineer Certification Tips (Daniel Zivkovic)
Tips & best practices to prepare for the GCP ACE (Associate Cloud Engineer) Exam by Dan Sullivan - the author of the official Google Cloud Certified study guides!
Event details: https://www.meetup.com/Serverless-Toronto/events/271344917/
Event recording: http://youtube.serverlesstoronto.org/
RSVP for more exciting (online) events at https://www.meetup.com/Serverless-Toronto/events/
At Netflix, we try to provide the best personalized video recommendations to our members. To do this, we need to adapt our recommendations for each contextual situation, which depends on information such as time or device. In this talk, I will describe how state of the art Contextual Recommendations are used at Netflix. A first example of contextual adaptation is the model that powers the Continue Watching row. It uses a feature-based approach with a carefully constructed training set to learn how to adapt to the context of the member. Next, I will dive into more modern approaches such as Tensor Factorization and LSTMs and share some results from deployments of these methods. I will highlight lessons learned and some common pitfalls of using these powerful methods in industrial scale systems. Finally, I will touch upon system reliability, choice of optimization metrics, hidden costs, risks and benefits of using highly adaptive systems.
As a 3 times successful student and 2 times successful mentor for Google Summer of Code, I share my thoughts on a successful Google Summer of Code. This presentation has evolved over the time with feedback from multiple mentors and students.
Exploring Career Paths in Cybersecurity for Technical Communicators (Ben Woelk, CISSP, CPTC)
Brief overview of career options in cybersecurity for technical communicators. Includes discussion of my career path, certification options, NICE and NIST resources.
The Impact of Artificial Intelligence on Modern Society.pdf (ssuser3e63fc)
Just a game
Assignment 3
1. What has made Louis Vuitton's business model successful in the Japanese luxury market?
2. What are the opportunities and challenges for Louis Vuitton in Japan?
3. What are the specifics of the Japanese fashion luxury market?
4. How did Louis Vuitton enter into the Japanese market originally? What were the other entry strategies it adopted later to strengthen its presence?
5. Will Louis Vuitton have any new challenges arise due to the global financial crisis? How does it overcome the new challenges?
2. Agenda
● Introduction
● Internship Opportunities
● Application Process
● Selection Process
● Interview Preparation
● Offices
● In conversation with the interns
● FAQ
3. Internship Opportunities
● Regions
○ EMEA - Europe
○ North America
○ Other parts of the world
● Roles
○ SWE/SRE - Bachelor, Master and PhD students
○ STEP interns - First and second year students
○ Research - Bachelor, Master and PhD students
● Duration
○ Typically 12-14 weeks
4. Dates - Europe (EMEA)
● Application opens around October 19th
● Apply as soon as possible!
● Application closes - end of November
Dates - North America
● Applications are already open!
● Deadline - February
Note: Only one application per region needed (final location depends on the host matching).
Application Process
5.
void internshipApplication(CV cv) {
    // Most probably on 19/10
    sendApplication("https://careers.google.com", cv);
    fillQuestionnaire();
    for (int i = 0; i < 2; i++) {
        interview();          // ~45min
        Thread.sleep(900000); // 15min = 900000ms
    } // 2 weeks
    try {
        while (!hostMatched()) {
            hostInterview.wait();
        }
        signContract();
    } catch (InternshipDeadlineTimeout e) {}
}
6. ➔CV Screening
➔Coding exercise (sometimes)
2 - 3 elementary coding questions
Online platform
➔Fill a questionnaire with interests and preferences
Consider not focusing on a single area (mention specific Google products)
You can change your answers during the process
➔Technical interviews
2 interviews (virtual with Google engineers) - 45 min
Choose programming language (Python, Java, C/C++, etc)
Third interview in rare cases
Hiring committee (~2 weeks)
Selection Process
7. ➔Intern placement (host matching)
Based on the preferences from questionnaire potential team is matched
Short interview (usually not technical, be friendly!)
Previous experience and skills, meet each other
Discuss team’s area of work, potential project and technologies
Usually 3 candidates, mutual host-intern match needed
➔Offer, contract, formalities
Receive an offer from the recruiter
Accept and sign a contract 🎉
Complete visa and other formalities
Selection Process
8. Interview preparation
• Do not focus on complicated algorithms
• Cracking the Coding Interview (only certain chapters)
• LeetCode (including forum)
• YouTube videos (mock interviews)
• Coding and CS fundamentals, high-level theory, data structures, algorithms
• Choose programming language (Python, Java, C/C++, etc)
• Code is written in Google Doc (try to make it runnable)
• Speak your mind!
• Discuss your thought process, listen to hints, comment on advantages and disadvantages, note time and space complexity
9. • Restaurants (breakfast, lunch, dinner), micro-kitchens, gym, special rooms, events
Main Google hubs:
• Zurich, London, Munich
• Mountain View, New York City
Internships 2022:
• 3 days in office, 2 days in office/WFH
Implications on:
• Visa process
• Compensation
• Relocation bonus
Offices
14. FAQ
● Is it necessary to solve all the algorithmic problems perfectly, all the way to the end?
● What level of education is required, and can students who are not studying CS apply for the internship?
● What are the differences between an online and an in-person internship?
● During your internship, was there a mentor assigned only to you?
● Besides technical knowledge, what other skills did you improve during the internship?