Hack a lock and get free rides! (No free beer yet though...). This talk will explore the ever-growing ride sharing economy and look at how the BLE "Smart" locks on shared bicycles work. The entire solution will be deconstructed and examined, from the mobile application to its supporting web services and finally communications with the lock. We will look at how to go about analysing communications between a mobile device and the lock, what works, what doesn't.
Previous talks on attacking BLE targeted the protocol itself using various hardware and software such as Ubertooth and Wireshark, which could be potentially difficult for someone new wanting to explore BLE and the ever-connected IoT world. I'll simplify and stupidify the entire process such that anyone with a mobile phone and basic experience with Frida can go about breaking locks and hacking BLE the world over.
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root (44CON)
The document discusses 5 ways to exploit JTAG (Joint Test Action Group) interfaces to gain unauthorized access or privileges on a system. The 5 techniques are: 1) Accessing non-volatile storage like flash memory via boundary scan, 2) Scraping memory for offline forensic analysis, 3) Patching boot arguments to change how the system boots, 4) Directly patching the kernel by modifying code or function pointers in memory, and 5) Patching a specific process by searching memory for its code and modifying it. While some techniques like memory scraping are slow, others like boot argument patching or kernel patching can be done quickly and provide privileged access. JTAG interfaces provide I/O, execution control, and memory access that enable
The document discusses digital signatures and how they provide authenticity, integrity and non-repudiation for electronic documents. It explains how digital signatures are generated using public/private key pairs, and how they vary based on the document content. It also discusses the role of a certification authority in a public key infrastructure for verifying and validating digital signatures.
Digital signatures provide authenticity, integrity and non-repudiation to electronic documents by using public key infrastructure. Under PKI, each individual has a public/private key pair, and certification authorities verify and certify individuals' public keys. Digital signatures are generated by encrypting a document hash with an individual's private key and can be verified by decrypting with the corresponding public key.
Using Amazon Machine Learning to Identify Trends in IoT Data - Technical 201 (Amazon Web Services)
The Internet of Things is creating a tidal wave of new data including events, correlations, business value, and much more. With the proliferation of new data sets, it also introduces more potential issues, errors, and spurious values.
In this session, we will explore using Amazon Machine Learning to analyse and understand the new data collected within your IoT solution. In addition, we will learn how to discover patterns, trends, anomalies, and correlations by demonstrating the capabilities of Amazon Machine Learning and SparkML running on AWS Cloud.
Speaker: Simon Elisha, Solutions Architect, Amazon Web Services
The document discusses real-time image recognition using Apache Spark. It describes how images are analyzed to extract histogram of oriented gradients (HOG) descriptors, which are stored as feature vectors in a MemSQL table. Similar images can then be identified by comparing feature vectors using dot products, enabling searches of millions of images per second. A demo is shown generating HOG descriptors from an image and storing them as a vector for fast similarity matching.
Transformation 101 - Business Model Workshop (Daniel Li)
The document discusses how an industrial equipment company can transform its business model using IoT and Azure cloud services. It outlines opportunities to shift from a product-focused to a service-focused model by leveraging sensor data from devices to offer predictive maintenance, remote monitoring and analytics services. This would allow the company to generate recurring revenue streams from subscriptions rather than one-time hardware sales and improve customer retention. The document also provides examples of how other manufacturers have transformed their business models and customer relationships through digital technologies and IoT solutions.
MongoDB .local Munich 2019: Telediagnosis@Daimler powered by MongoDB (MongoDB)
Daimler will present the Mercedes Telediagnosis use case where MongoDB was chosen as the storage document database.
You will learn some basics about Telediagnosis, the requirements which drove us to MongoDB, the advantages we achieved, and our experiences on our MongoDB journey.
This document discusses tools for analyzing IMS performance, including information available in the IMS log. It provides examples of IMS log reports showing transaction statistics, database activity, and syncpoint timing. The presentation encourages using this data to identify high-volume transactions that are slow to process or miss service level targets in order to optimize performance.
[CB16] BLE authentication design challenges on smartphone controlled IoT devi... (CODE BLUE)
1. The document discusses challenges in designing authentication protocols for smartphones controlling IoT devices via BLE. Limited input/output interfaces and privacy standards for devices pose challenges.
2. The study focuses on analyzing BLE protocols to discover these challenges, applying the methods to commercial products like the popular Gogoro Smart Scooter.
3. Analyzing the Gogoro protocol revealed flaws: it operates without SMP pairing, allowing others to unlock scooters. A dual-counter enhanced authentication protocol is proposed to better authenticate devices.
This document discusses digital signatures and public key infrastructure (PKI). It explains that digital signatures provide authenticity, integrity, and non-repudiation for electronic documents by encrypting a document hash with a private key. A PKI involves a certification authority that issues digital certificates binding users' identities to their public keys. The certification authority's public key is certified by a controller. Digital signatures and PKIs enable secure e-commerce, e-governance and authentication over the internet.
This talk is an introduction about technical aspects of how payment cards function, what technical protocols are involved and what are implementation complexities in a typical payments project. You will learn about concepts like Authorisation and Clearing, Tokenization and know about novelties in the payment world, which will affect consumers in the nearest future.
This document discusses security and performance issues for websites. It covers topics like user access and publishing, protecting pages, performance issues, and secure servers. It also provides examples of HTTP cookie files, CGI security risks, hidden URLs, an example of a high-performance NASA website, extranets for sharing confidential information, and details about the Stronghold secure server software.
This document summarizes a presentation on industrial protocols for pentesters. It discusses several common industrial protocols including Modbus, Siemens S7, PROFINET, and provides information on analyzing them such as looking for patterns in hex dumps. Example tools for scanning devices and extracting information via these protocols are also presented. The document concludes with a reminder of resources for further information on industrial control systems security.
Detecting Malicious Websites using Machine Learning (Andrew Beard)
We present a set of newly tuned algorithms that can distinguish between malicious and non-malicious websites with a high degree of accuracy using Machine Learning (ML). We use the Bro IDS/IPS tool for extracting the SSL certificates from network traffic and training the ML algorithms.
The extracted SSL attributes are then loaded into multiple ML frameworks such as Splunk, AWS ML and we run a series of classification algorithms to identify those attributes that correlate with malicious sites.
Our analysis shows that there are a number of emerging patterns that even allow for identification of hijacked devices and self-signed certificates. We present the results of our analysis which show which attributes are the most relevant for detecting malicious SSL certificates as well as the performance of the ML algorithms.
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters (Positive Hack Days)
This document summarizes a presentation on industrial protocols for pentesters. It discusses several common industrial protocols including Modbus, Siemens S7, PROFINET, and provides information on analyzing them such as looking for patterns in hex dumps. Specific exploitation techniques are mentioned such as extracting password hashes from TIA Portal project files or intercepting S7 authentication challenges and responses. The presenters provide resources for further information on industrial control systems and security.
This document summarizes a presentation on industrial protocols for penetration testers. It discusses several common industrial protocols including Modbus, Siemens S7, PROFINET, and provides information on analyzing them such as looking for patterns in hex dumps. Specific attacks are mentioned like extracting password hashes from TIA Portal project files or intercepting S7 authentication challenges and responses. Tools for scanning devices and manipulating protocols are also introduced. The presentation aims to help penetration testers evaluate security of industrial control systems.
This document summarizes a presentation on industrial protocols for pentesters. It discusses several common industrial protocols including Modbus, Siemens S7, PROFINET, and provides information on analyzing them such as looking for patterns in hex dumps. Specific attacks are mentioned like extracting password hashes from TIA Portal project files or intercepting S7 authentication challenges and responses. Tools for scanning devices and manipulating protocols are also introduced. The presentation aims to help pentesters evaluate security of industrial control systems.
Mike Lawell - Execution Plans for Mere Mortals 2015 (mlawell)
This document provides a beginner's introduction to execution plans in SQL Server. It covers basic concepts like execution steps, operators like nested loops, merge and hash joins. It also discusses cardinality estimation, parallelism and reading execution plans. The overall goal is to explain execution plans at a high level for those new to the topic.
Almost all security research has a question often left unanswered: what would be the financial consequence, if a discovered vulnerability is maliciously exploited? The security community almost never knows, unless a real attack takes place and the damage becomes known to the public. Development of the cryptocurrencies made it even more difficult to control the impact of an attack since all the security relies on a single wallet's private key which needs to stay secure. Multiple breaches of private wallets and public currency exchange services are well-known, and to address the issue a few companies have come up with secure hardware storage devices to preserve the wallet's secrets at all costs.
But, how secure are they? In this research, we show how software attacks can be used to break into the most protected part of the hardware wallet, the Secure Element, and how it can be exploited by an attacker. The number of identified vulnerabilities in the hardware wallet shows how software vulnerabilities in the TEE operating system can lead to a compromise of the memory isolation and a disclosure of secrets of the OS and other user applications. Finally, based on the identified vulnerabilities, an attack is proposed which allows anyone with only physical access to the hardware wallet to retrieve secret keys and data from the device. Additionally, a supply chain attack on a device is presented, allowing an attacker to bypass security features of the device and have full control of the installed wallets on the device.
The document discusses diagnosing and mitigating MySQL performance issues. It describes using various operating system monitoring tools like vmstat, iostat, and top to analyze CPU, memory, disk, and network utilization. It also discusses using MySQL-specific tools like the MySQL command line, mysqladmin, mysqlbinlog, and external tools to diagnose issues like high load, I/O wait, or slow queries by examining metrics like queries, connections, storage engine statistics, and InnoDB logs and data written. The agenda covers identifying system and MySQL-specific bottlenecks by verifying OS metrics and running diagnostics on the database, storage engines, configuration, and queries.
This document discusses Apple Pay and Touch ID security. It summarizes that Apple Pay uses tokenization to securely store payment credentials in the Secure Enclave instead of actual credit card details. Touch ID fingerprints are also stored encrypted in the Secure Enclave and are never sent to Apple. The document also demonstrates how to use debugging and hooking techniques on a jailbroken device to analyze the internals of how Apple Pay and Touch ID work.
SplunkLive! Munich 2018: Getting Started with Splunk Enterprise (Splunk)
The document provides an agenda for a SplunkLive! presentation on installing and using Splunk. It includes downloading required files, importing sample data, conducting searches on the data, and exploring various Splunk features through a live demonstration. Common installation problems are also addressed. The presentation aims to provide attendees with the knowledge and skills to get started using Splunk through hands-on learning and a question and answer session.
1. The document describes the use of elliptic curves in public-key cryptography and discusses elliptic curve Diffie-Hellman key exchange. It provides examples of generating private and public keys for Alice and Bob and computing the shared secret key.
2. It defines the elliptic curve secp256k1 parameters used, including the prime field, generator point, and order. Private keys, public keys, and shared secret keys are displayed for Alice and Bob.
3. The shared secret keys computed independently by Alice and Bob are shown to be equal, demonstrating a successful key exchange without transmitting secrets.
This document contains the configuration of a router with the hostname YurezADSLrouter. It is configured to provide DHCP services to local clients on the 10.10.10.0/24 network from pool CLIENT_LAN. It also has an IPv6 tunnel interface to Hurricane Electric which it uses to provide IPv6 connectivity and prefix delegation to local clients. Network address translation (NAT) is configured to translate addresses of devices on the inside interface to the outside interface address.
[Project report] digital speedometer with password enabled speed controlling(1... (Shivam Patel)
This document describes a digital speedometer project that displays vehicle speed and controls speed limits. It takes speed input from the vehicle speedometer cable and executes speed limiting. The system includes a keypad, LCD display, and microcontroller. The user can enter a password via the keypad. The microcontroller then controls vehicle speed and prevents overspeeding. Figures and tables describe the system design and components like the microcontroller, LCD, and sensors. The document also includes a flowchart of the software program.
Digital Personal Data Protection (DPDP) Practical Approach For CISOs (Priyanka Aash)
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
The Verizon Breach Investigation Report (VBIR) is an annual report analyzing cybersecurity incidents based on real-world data. It categorizes incidents and identifies emerging trends, threat actors, motivations, attack vectors, affected industries, common attack patterns, and recommendations. Each report provides the latest insights and data to give organizations a global perspective on evolving cyber threats.
Similar to Hacking BLE Bicycle Locks for Fun and a Small Profit
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
The Verizon Breach Investigation Report (VBIR) is an annual report analyzing cybersecurity incidents based on real-world data. It categorizes incidents and identifies emerging trends, threat actors, motivations, attack vectors, affected industries, common attack patterns, and recommendations. Each report provides the latest insights and data to give organizations a global perspective on evolving cyber threats.
The document summarizes the top 10 cybersecurity risks presented to the board of directors of a manufacturing company. It discusses each risk such as insider threats, cloud security, ransomware attacks, third party risks, and data security. For each risk, it provides the current posture in terms of controls, compliance level, and planned improvements. The CISO and other leaders such as the managing director, finance director, and chief risk officer attended the presentation.
Simplifying data privacy and protection.pdfPriyanka Aash
1) Data is growing exponentially which increases the risk and impact of data breaches, while compliance requirements are also becoming more stringent.
2) IBM Security Guardium helps customers address this by discovering, classifying, and protecting sensitive data across platforms and simplifying compliance.
3) It detects threats in real-time, increases data security accuracy, and reduces the time spent on audits and issue remediation, helping customers minimize the impact of potential data breaches and address local compliance requirements.
Generative AI and Security (1).pptx.pdfPriyanka Aash
Generative AI and Security Testing discusses generative AI, including its definition as a subset of AI focused on generating content similar to human creations. The document outlines the evolution of generative AI from artificial neural networks to modern models like GPT, GANs, and VAEs. It provides examples of different types of generative AI like text, image, audio, and video generation. The document proposes potential uses of generative AI like GPT for security testing tasks such as malware generation, adversarial attack simulation, and penetration testing assistance.
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
The document discusses shifting the focus in cybersecurity from vulnerability management to weakness management and attack surface management. It argues that attacks persist because approaches focus only on software vulnerabilities, while ignoring other weaknesses like technological, people and process weaknesses that expand the potential attack surface. A new approach is needed that takes a holistic view of all weaknesses and continuously monitors the entire attack surface to better prevent attacks.
The document summarizes key aspects of the proposed Digital Personal Data Protection Act 2023 in India, including its scope, definitions, obligations of data fiduciaries, grounds for processing personal data, notice requirements for data principals, and penalties for non-compliance. It outlines categories of entities that would be considered significant data fiduciaries and the additional obligations that would apply to them. The summary also compares some aspects of the proposed Indian law to the General Data Protection Regulation (GDPR) in the European Union.
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
This document discusses cybersecurity threats and SentinelOne's solutions. It begins with questions about an organization's cyber preparedness and budget. It then discusses the cat-and-mouse game between attackers and defenders. The document highlights growing ransomware threats and payments. It argues SentinelOne provides a unified security solution that lowers costs, risks, and complexity while improving detection and response. It shares industry recognition for SentinelOne and concludes by thanking the audience.
An IT systems outage and distributed denial of service (DDoS) attack impacted an organization called XYZ Ltd. This was followed by a ransom demand email from an anonymous sender threatening to release sensitive project data. When the ransom deadline passed, anonymous hackers released a video on social media and the data breach began receiving media coverage. A customer then contacted XYZ to inquire about the data leak and if their content was impacted. The document outlines discussions between teams at XYZ on responding to the cyber incident and lessons learned.
The CISO Platform is a 10+ year old dedicated social platform for CISOs and senior IT security leaders that has grown to over 40,000 members across 20+ countries. Through sharing and collaboration, the community has created over 500 checklists, frameworks, and playbooks that are available for free to members. The platform also hosts an annual security conference with over 100 speakers and 20 workshops attended by 20,000 people. The goal of the CISO Platform is to build tangible community goods and resources through open sharing and collaboration among security professionals.
This document provides updates from the Chennai Chapter of the CISO Platform for 2021. It discusses the following:
1. The Breach and Attack Summit held in December which included panel discussions, presentations, task forces, and workshops despite natural disasters, with over 200 attendees.
2. Chapter meetings focused on ransomware trends and lessons learned from attacks.
3. A kids initiative to promote cybersecurity awareness through sessions for students, parents and teachers at local schools.
4. The task forces focused on topics like cyber risk quantification, quantum computing, cyber insurance and privacy.
It covers popular IaaS/PaaS attack vectors, lists them, and maps them to other relevant projects such as STRIDE & MITRE. Security professionals can better understand which attack vectors are commonly used in attacks, see examples from previous incidents, and learn where they should focus their controls and security efforts.
Discusses security incidents and business use cases, the pros and cons of Web 3, prevention mechanisms, and how to make sure it doesn’t happen to you.
Lessons Learned From Ransomware AttacksPriyanka Aash
The document summarizes a ransomware attack experienced by the author's organization and the lessons learned. It describes how the ransomware encrypted files and powered off virtual machines. It then details the recovery process over several days, including bringing in an incident response firm, rebuilding infrastructure, and restoring service for customers. Key lessons included having stronger access controls, backups stored separately, and implementing security tools like EDR, centralized logging, and identity management best practices.
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
Round Table Discussion On "Emerging New Threats And Top CISO Priorities In 2022"_ Bangalore
Date - 28 September, 2022. Decision Makers of different organizations joined this discussion and spoke on New Threats & Top CISO Priorities
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
Cloud Security Groups are the firewalls of the cloud. They are built-in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect with on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past, and how, in a world of no perimeters, Cloud Security Groups, the "cloud firewalls", fit in. We will practically explore Cloud Security Group limitations across different cloud setups, from a single vNet to multi-cloud.
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain how to transform organizational security to strengthen defenses and integrate cybersecurity with the overall approach to security governance, risk management and compliance.
The Internet is home to seemingly infinite amounts of confidential and personal information. As a result of this mass storage of information, systems need to be constantly updated and hardened to prevent hackers from retrieving such valuable and sensitive data. This increasing number of cyber-attacks has led to the increasing importance of ethical hacking. An ethical hacker's job is to scan for vulnerabilities and find potential threats on a computer or network. An ethical hacker finds the weaknesses or loopholes in a computer, web application or network and reports them to the organization. It requires a thorough knowledge of networks, web servers, computer viruses, SQL (Structured Query Language), cryptography, penetration testing, attacks, etc. In this session, you will learn all about ethical hacking: what ethical hacking is, cyber-attacks, tools, and some hands-on demos. This session will also guide you through the various ethical hacking certifications available today.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD within UiPath
End-to-end overview of a CI/CD pipeline with Azure DevOps
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides an introduction to UiPath Communication Mining, its importance, and a platform overview. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
The UiPath Test Automation with generative AI and OpenAI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, as a test automation solution, with OpenAI's advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices want to take full advantage of the features available on those devices, but many of those features provide convenience and capability at the expense of security. This best practices guide outlines steps users can take to better protect their personal devices and information.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
The climate impact and sustainability of software testing were discussed in the talk. ICT and testing must carry their part of the global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Sustainability can be added to the quality characteristics and then measured continuously. Test environments can be used less, at a smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
3. whoami
• From Sunny Singapore
• Senior Security Consultant @ MWR
• Mobile and Wireless geek
– BlackHat USA 2016 – Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
4. Bike-Sharing Economy and the BLE “Smart” Lock
1 Overview
2 Analyzing Communications
3 Building a Master Key
4 Demo
7. Major Players
Country      China            China            Singapore
Founded      2014             2015             2017
Operations   20 Countries     16 Countries     22 Countries
Cost         SGD$0.50/30min
8. Bluetooth Low Energy
Generic Access Profile (GAP)
• Peripheral: a small, low-powered device, e.g. a bicycle lock
• Central: a high-powered computing device, e.g. a mobile phone
9. Bluetooth Low Energy
Generic Attribute Profile (GATT)
• Services: groups of characteristics, each identified by a 16- or 128-bit UUID
• Characteristics: a single data point, each identified by a 16- or 128-bit UUID
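The GAP/GATT structure described on the two slides above, as an added example that is not part of the talk: a small Python model of a peripheral's GATT table, with services grouping characteristics, the distinction between 16-bit SIG-assigned UUIDs and 128-bit vendor-specific ones, and the characteristic property bits (read, write, notify, ...) that tell an analyst how each data point can be used. The lock's vendor UUIDs, handles and property values below are constructed placeholders, not values from any real lock; the SIG base UUID and the property bit layout are from the Bluetooth Core specification.

```python
"""Model of a BLE peripheral's GATT table (added example, not the talk's code).

The GATT table at the bottom is constructed for illustration: the vendor-specific
UUIDs, handles and property bits are hypothetical and belong to no real lock.
"""
import uuid
from dataclasses import dataclass, field
from typing import List, Optional

# Bluetooth SIG base UUID: a 16-bit UUID xxxx is shorthand for
# 0000xxxx-0000-1000-8000-00805f9b34fb (the short value sits in the top 32 bits).
BT_BASE_UUID = uuid.UUID("00000000-0000-1000-8000-00805f9b34fb")
SHORT_MASK = (1 << 96) - 1  # everything below the top 32 bits of the 128-bit value

# Characteristic property bits from the GATT characteristic declaration.
PROPERTY_BITS = {
    0x01: "broadcast",
    0x02: "read",
    0x04: "write-without-response",
    0x08: "write",
    0x10: "notify",
    0x20: "indicate",
    0x40: "authenticated-signed-write",
    0x80: "extended-properties",
}


def expand_uuid(short: int) -> uuid.UUID:
    """Expand a 16-bit (or 32-bit) SIG-assigned UUID into its full 128-bit form."""
    if not 0 <= short <= 0xFFFFFFFF:
        raise ValueError("short UUIDs are at most 32 bits")
    return uuid.UUID(int=BT_BASE_UUID.int | (short << 96))


def short_uuid(u) -> Optional[int]:
    """Return the 16/32-bit form of a SIG-derived UUID, or None if it is vendor-specific."""
    u = uuid.UUID(str(u))
    if (u.int & SHORT_MASK) != BT_BASE_UUID.int:
        return None
    return u.int >> 96


@dataclass
class Characteristic:
    uuid: uuid.UUID
    properties: int      # bit field from the characteristic declaration
    value_handle: int    # ATT handle of the characteristic value

    def props(self) -> List[str]:
        """Decode the property bit field into names, lowest bit first."""
        return [name for bit, name in sorted(PROPERTY_BITS.items()) if self.properties & bit]

    @property
    def vendor_specific(self) -> bool:
        return short_uuid(self.uuid) is None


@dataclass
class Service:
    uuid: uuid.UUID
    characteristics: List[Characteristic] = field(default_factory=list)


def inventory(services: List[Service]) -> List[str]:
    """One line per characteristic: service, characteristic, SIG/vendor, handle, properties."""
    lines = []
    for svc in services:
        for ch in svc.characteristics:
            kind = "vendor" if ch.vendor_specific else "sig"
            lines.append(
                f"{svc.uuid} / {ch.uuid} [{kind}] handle=0x{ch.value_handle:04x} "
                + ",".join(ch.props())
            )
    return lines


def with_property(services: List[Service], name: str) -> List[Characteristic]:
    """Characteristics carrying a given property, e.g. 'write' or 'notify'."""
    return [ch for svc in services for ch in svc.characteristics if name in ch.props()]


# Constructed GATT table for a hypothetical lock: two standard services plus one
# vendor-specific service with a command (write) and a response (notify) characteristic.
VENDOR_SERVICE = uuid.UUID("a1b2c3d4-0000-4000-8000-000000000001")  # hypothetical
VENDOR_CMD = uuid.UUID("a1b2c3d4-0001-4000-8000-000000000001")      # hypothetical
VENDOR_RESP = uuid.UUID("a1b2c3d4-0002-4000-8000-000000000001")     # hypothetical

SAMPLE_TABLE = [
    # Generic Access (0x1800) / Device Name (0x2A00): read only
    Service(expand_uuid(0x1800), [Characteristic(expand_uuid(0x2A00), 0x02, 0x0003)]),
    # Battery (0x180F) / Battery Level (0x2A19): read | notify
    Service(expand_uuid(0x180F), [Characteristic(expand_uuid(0x2A19), 0x12, 0x0010)]),
    Service(VENDOR_SERVICE, [
        Characteristic(VENDOR_CMD, 0x0C, 0x0020),   # write | write-without-response
        Characteristic(VENDOR_RESP, 0x10, 0x0022),  # notify
    ]),
]

if __name__ == "__main__":
    for line in inventory(SAMPLE_TABLE):
        print(line)
```

Running the block prints the inventory; `with_property(SAMPLE_TABLE, "write")` and `with_property(SAMPLE_TABLE, "notify")` pick out the characteristics a connected central can write to or subscribe to, which is the first thing to record when documenting how an app talks to a peripheral like this lock.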
21. iOS CoreBluetooth
CBPeripheral
• Remote peripheral devices that the app has discovered advertising or is currently connected to.
• -m "*[CBPeripheral readValue*]"
• -m "*[CBPeripheral writeValue*]"
• -m "*[CBPeripheral setNotifyValue*]"
CBPeripheralDelegate
• Provides methods called on events relating to discovery, exploration, and interaction with a remote peripheral.
• -m "*[* *didUpdateNotificationStateForCharacteristic*]"
• -m "*[* *didUpdateValueForCharacteristic*]"
22. Summary…
01 Scan QR Code
02 Get Lock Key From Server
03 Server Responds with Lock Key
04 Request Encrypted Token
05 Gets Encrypted Token
06 Decrypt Token & Unlock!
41.
01 Unlock Bike Lock
http://www.mobike.com/download/app.html?b=AXXXXXXX
02 App Checks Lock Status. Uploads Coordinates.
03 Server Responds with Lock Status
04 Server Responds with Unlock Key
05