The document discusses information security topics like SQL injection and cryptography. It provides an overview of SQL injection vulnerabilities and how they can be exploited to access private data. It then explains techniques for securely storing passwords like hashing and salting. Hashing involves applying a one-way algorithm to a password to generate a fixed-length string, while salting adds a random string to the password before hashing to strengthen security.
The document discusses various techniques for hacking client-side insecurities, including discovering clients on the internet and intranet, attacking client-side through JavaScript jacking and pluggable protocol handlers, exploiting cross-site request forgery vulnerabilities, and fingerprinting clients through analysis of HTTP headers and browser information leaks. The presentation aims to demonstrate these hacking techniques through examples and a question/answer session.
The document discusses honeywords, which are fake passwords that are inserted into a user database along with real user passwords. This allows systems to detect if a password database is stolen by monitoring for logins using the fake honeyword passwords. The document outlines how honeywords can be generated to look realistic, how authentication would work to prevent honeyword logins, and the benefits of using honeywords such as enabling detection of password theft. However, it notes that honeywords do not prevent a database compromise or replace the need for strong password policies and storage mechanisms.
For those of you who missed it, this is my slide deck from SecTor 2009, "When Web 2.0 Attacks!" ... reference to Web 2.0, and many of the technologies that make up the mish-mash that makes today's web application landscape so impossible to secure.
Securious talk at the SWCSC event on 24th Feb 2016 - Peter Jones
The document discusses an overview of hacking websites. It begins by defining different types of hackers - white hat hackers who hack for non-malicious reasons, black hat hackers who hack for personal gain or maliciously, and grey hat hackers who fall between the two. The document then discusses why security of websites should be cared about, as hackers may be able to access personal information like names, addresses, financial details. It proceeds to describe the process of an ethical hack, including steps like footprinting, scanning, enumeration, exploiting vulnerabilities, escalating privileges to access passwords and internal networks, and potentially accessing shared resources.
This document discusses using honeywords (decoy passwords) to enhance password security and detect password file breaches. It proposes generating multiple honeywords for each user account by tweaking characters in the true password. If an attacker steals the password file, they cannot be sure which password is real for each account. Entering a honeyword would trigger an alarm. The document outlines honeyword generation algorithms and describes how a separate "honeychecker" component verifies passwords during login to detect use of honeywords. Overall, honeywords aim to deter password cracking and enable detection of password file theft.
This document discusses an OSINT (open-source intelligence) presentation on tools developed with Python for server information, geolocation, metadata, and social media footprinting from Twitter and other sources. It provides information on defining intelligence targets and the types of data to obtain (technical, social, physical, logical). It also lists tools and APIs for geolocation, server information from Censys and Shodan, the Recon-NG toolkit, and OSINT frameworks like Spiderfoot and theHarvester. Python libraries mentioned include BeautifulSoup, Requests, Shodan, and GeoIP. The presentation will be given at PYCONES in October 2016.
This document discusses the use of honeywords in cybersecurity. Honeywords are fake passwords or decoy data that are stored alongside real user passwords and data in a database. This serves to detect unauthorized access attempts, as an intruder would access honeywords which trigger alerts. The document outlines different types of honeyword generation techniques and attacks they aim to mitigate, such as targeted password guessing, intersection attacks, and denial of service attacks.
Mr. Donald Rumsfeld, former Defence Secretary of USA, stated in his book "Known and Unknown: A Memoir" that "There are known knowns, things we know that we know; and there are known unknowns, things that we know we don't know. But there are also unknown unknowns, things we do not know we don't know." And to know that unknowns of the unknown, my journey with the APNIC honeynet project started and I am going to share my experiences here in this talk.
Honeywords provide a way to make password cracking detectable by storing fake passwords or "honeywords" along with real user passwords. If an attacker obtains the password hashes, they cannot distinguish real passwords from fake honeywords. Attempting to log in with a honeyword would trigger an alarm since the server knows the real passwords. Honeywords increase security by making it harder for attackers to determine if they have successfully cracked a password or instead retrieved a fake honeyword.
Enterprise password policies are often insufficient to protect against hackers. A recent analysis of nearly 100,000 passwords from a data breach showed that password cracking tools could discover many of the most common passwords within minutes using rainbow tables and dictionaries. While hashing provides some protection, hackers can bypass hashes to crack passwords. Organizations must implement stronger practices like salting hashes and enforcing minimum password strengths.
Detecting Malicious SSL Certificates Using Bro - Andrew Beard
We have developed a set of techniques to detect malicious SSL certificates using data collected by Bro. Our analysis framework consists of Bro for collecting the data and a variety of tools such as Splunk and AWS ML for data analysis. We show how we used Bro for collecting the attributes we needed for SSL certificates from both good and bad sources. Bro is a very effective and simple tool for analyzing and extracting data from network traffic.
Next, the extracted data was loaded into Splunk and we ran a series of Machine Learning algorithms to identify those attributes that correlated with malicious activity. The algorithms we used also allowed for categorization of certificates used in the delivery and control of malware. Our analysis showed that there were a number of patterns that emerged that allowed for classification of hijacked devices, self-signed certificates, etc. We will present the results of our analysis which show which attributes are the most relevant for detecting malicious SSL certificates, as well as the performance of the ML algorithms. Finally, we show how well the training has worked in detecting new malicious sources. All of the source code will be made available on GitHub.
Achieving flatness selecting the honeywords - Kamal Spring
Recently, proposed honey words (decoy passwords) to detect attacks against hashed password databases. For each user account, the legitimate password is stored with several honey words in order to sense impersonation. If honey words are selected properly, a cyber-attacker who steals a file of hashed passwords cannot be sure if it is the real password or a honey word for any account. Moreover, entering with a honey word to login will trigger an alarm notifying the administrator about a password file breach. At the expense of increasing the storage requirement by 20 times, the authors introduce a simple and effective solution to the detection of password file disclosure events. In this study, we scrutinize the honey word system and present some remarks to highlight possible weak points. Also, we suggest an alternative approach that selects the honey words from existing user passwords in the system in order to provide realistic honey words – a perfectly flat honey word generation method – and also to reduce storage cost of the honey word scheme.
Maximiliano Soler gives a presentation on using Google to gather information without sophisticated mechanisms. He demonstrates how to use Google search operators ("dorks") to find vulnerable products, error messages, sensitive files and passwords, foot holds for access, and more. He recommends securing servers and applications, disabling directory browsing, not publishing sensitive info without authentication, and analyzing website search traffic for security.
Security Ninjas: An Open Source Application Security Training Program - OpenDNS
NOTES
--
Slide 8
Some of the categories we will discuss are very broad like this one.
Untrusted command – get / post / rest style params
Clicks
Surprise inputs
Slide 13
Very broad too
Little or no auth
Auth with some bypass possibilities
Some problem with how session is generated, managed, expired
Insufficient sessionID protection
Slide 18
When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser.
Slide 27
Security hardening throughout Application Stack
Unnecessary features enabled or installed?
ports, services, pages, accounts, privileges
Security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries not set to secure values?
Default accounts/ passwords still enabled and unchanged?
Error handling reveal stack traces or other overly informative error messages to users?
Software out of date?
OS, Web Server, DBMS, applications, code libraries
Slide 41
sign up for updates or do regular audits to see versions
there might be technical dependencies
easily exploited by attackers using Metasploit, info gathering using headers & responses, etc.
Slide 47
We can look at the architecture, give you tips around what you could use, what would be good. This would avoid making any major changes when the product is ready which would save everyone’s time in the long run.
Have sprints with dedicated security features and use those as a selling point for our security conscious customers
Slide 48
Carefully look at the license to make sure you can use it in your type of product. Ask Fallon if you are not sure
Research how much support it gets, how popular it is
Look to find out any vulnerabilities in it before you start using it
Maintain it; Sign up for CVE updates
Ask us if you need to get something reviewed
Slide 50
Not only better and more features
Security vulnerabilities get patched in new versions
New versions get most attention by the companies and old ones stop getting support after some time fully
Most Security Support by the community
Turn on auto updates for Chrome; always look at updates on AppStore
Slide 51
Use different passwords for different sites
Password managers let you set complexity, generate random passwords, etc.
Slide 52
Only grant access to what's needed to get the job done
employee leaves; mistakes; vulnerabilities in other s/w which leverages this;
Don’t install redundant software, plugins, etc.
This opens up so much risk
People forget to uninstall them; s/w doesn't get much attention from community; open ports are left; boom exploited by attackers;
Slide 55
To prevent unintended execution actions
e.g., fail open auth errors
Leak minimal info about infrastructure as this info is leveraged by attackers to carry out further attacks
The document provides guidance on properly storing passwords in a database. It recommends using cryptographically secure hash functions with salts to hash passwords before storage. It discusses approaches like PBKDF2, BCrypt, and SCRYPT that can be used to hash passwords and make brute force attacks more difficult. The document stresses that security should be a higher priority for developers than new frameworks, and provides other recommendations like using standard authentication when possible and limiting database access.
CYBER SCCURITY AND ETHICAL HACKING.pptx - Dharma920345
The document discusses cyber laws in India related to cybercrimes. It outlines punishments under various sections of the Information Technology Act, 2000 including sections 66, 66B, 66C, 66D, 67, 67A, 67B which deal with offenses such as computer system damage, identity theft, cheating, and publishing obscene material. It also mentions that state-wise data on cases registered under sections 67 and 67A (publishing obscene material) and section 67B (publishing child pornography) is provided by the National Crime Records Bureau.
No one can deny that malware is a serious and growing problem. However, up to this point it has been very difficult to efficiently and accurately quantify exactly how bad it is. In this presentation, Ricky will demonstrate how new scanning technologies like zmap can be used to get complete and up-to-date snapshots of current malware infections, map where the infections are worst, and even track down Command and Control servers.
Andy Watson, an employee of Ionic Security, gave a presentation on properly using cryptography in applications. The presentation covered topics such as random number generation, hashing, salting passwords, key derivation functions, symmetric encryption algorithms and common mistakes made with cryptography. The goal was to help people avoid vulnerabilities like unsalted hashes, hardcoded keys, weak random number generation and improper encryption modes.
Techniques for password hashing and cracking - Nipun Joshi
This document discusses techniques for securely storing passwords using hashing and preventing cracking. It recommends using algorithms like bcrypt and PBKDF2 that include salts and key stretching to make passwords very difficult to brute force or dictionary attack by requiring extensive time and computing resources. The document provides examples of hashing best practices and measures organizations and users can take to better protect against leaks and unauthorized access.
This document provides instructions on how to hack passwords and create an FTP server on a PC. It discusses techniques like hashing, guessing, using default passwords, brute force attacks, and phishing to hack passwords. It also describes how to crack Windows passwords using tools like Cain and Abel. Additionally, it outlines the steps to obtain a static IP address, install and configure an FTP server software, and set up user accounts on the server.
Personal Internet Security System or "PISS" doesn't exist. It's a mindset that comes from knowledge. Stop looking for someone else's and handle your own. You have an Antivirus? Firewall? Great! But the real threat comes from YOU! The user. That takes knowledge. I attached briefing slides for the typical user with minimal IT knowledge. Sometimes we all need a reminder that we are the ones who are the greatest threat to our networks. It's not a country, state or actor. But we are the ones who inadvertently let them walk in.
"474 Password Not Found" by Giuseppe Galli, Saverio Caminiti
Beyond the passwords era: password-less internet is now a reality. Use your smartphone to log in using T-OTP created on the spot. Build and design your app and web site using a password-less solution, enforce strong authentication to confirm user identity when developing your application code. Include security aspects in the application logic of your app, stop delegating them exclusively to the server. The users of your mobile apps can log in without typing any data, obtaining a more secure and user-friendly experience. Participate in the drafting of the password-less internet Manifesto!
Presentation on topics beyond conventional ethical hacking; discusses job factors and scope in the security field :) This was presented at LPU (Lovely Professional University) as a seminar with over 200 attendees. Meet me at FB if u want it: fb/nipun.jaswal
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend JavaScript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
7 Things People Do To Endanger Their Networks - jaymemcree
This document summarizes the seven bad things people do that endanger their network security, as presented by SAGE Computer Associates, Inc. The seven mistakes are: 1) having no security policies, 2) using bad passwords, 3) lacking virus protection, 4) not having backups, 5) inadequate protection against hackers, 6) not keeping software patched and up-to-date, and 7) unrestrained email and instant messaging. For each mistake, the document provides explanations of the issues and risks and suggestions on how SAGE can help, such as creating security policies, evaluating passwords, auditing backups, and providing free initial services to assess security problems.
This document discusses best practices for securely storing passwords. It notes that passwords are often stored insecurely, such as in plain text. To securely store passwords, it recommends encrypting them using cryptographic hash functions with salts. Specifically, it advises using functions such as SHA-2, bcrypt, and scrypt, which can include salts and be slowed down through key stretching to make passwords very difficult to hack or crack. Following these guidelines helps protect users and companies by securing password data.
JSON Web Tokens, or JWTs (pronounced "jots") are an "open, industry standard RFC 7519 method for representing claims securely between two parties" -- but what does that actually *mean*? If you decode the buzzwords, you'll find JWTs solve common problems around authorization for web and mobile apps in a portable, easily implementable fashion -- and you're going to want to use them *everywhere*.
These are the slides accompanying the talk I gave at BSides Hannover 2015, discussing the reverse engineering and exploitation of numerous vulnerabilities in Icomera Moovmanage products along with the post exploitation of such, including the potential creation of a firmware rootkit.
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry... - All Things Open
Andy Watson gave a presentation on properly using cryptography in applications. He discussed random number generation, hashing, salting passwords, key derivation functions, symmetric encryption, and common mistakes made with cryptography. The presentation covered topics like cryptographically secure random number generation, choosing secure hash functions, adding salts to hashes, using functions like PBKDF2 for key derivation, different encryption modes like ECB and GCM, and real examples of cryptography mistakes from companies like LinkedIn.
Presentation on topics beyond the conventional ethical hacking , discusses job factors and scope in the security field :) this was presented in LPU (Lovely Professional University) as a Seminar with attendees over 200. Meet m e at FB if u want it fb/nipun.jaswal
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
7 Things People Do To Endanger Their Networksjaymemcree
This document summarizes the seven bad things people do that endanger their network security, as presented by SAGE Computer Associates, Inc. The seven mistakes are: 1) having no security policies, 2) using bad passwords, 3) lacking virus protection, 4) not having backups, 5) inadequate protection against hackers, 6) not keeping software patched and up-to-date, and 7) unrestrained email and instant messaging. For each mistake, the document provides explanations of the issues and risks and suggestions on how SAGE can help, such as creating security policies, evaluating passwords, auditing backups, and providing free initial services to assess security problems.
This document discusses best practices for securely storing passwords. It notes that passwords are often stored insecurely, such as in plain text. To securely store passwords, it recommends encrypting them using cryptographic hash functions with salts. Specifically, it advises using functions such as SHA-2, bcrypt, and scrypt, which can include salts and be slowed down through key stretching to make passwords very difficult to hack or crack. Following these guidelines helps protect users and companies by securing password data.
JSON Web Tokens, or JWTs (pronounced "jots") are an "open, industry standard RFC 7519 method for representing claims securely between two parties" -- but what does that actually *mean*? If you decode the buzzwords, you'll find JWTs solve common problems around authorization for web and mobile apps in a portable, easily implementable fashion -- and you're going to want to use them *everywhere*.
This is the slides accompanying the talk I gave at BSides Hannover 2015, discussing the reverse engineering and exploitation of numerous vulnerabilities in Icomera Moovmanage products along with the post exploitation of such, including the potential creation of a firmware rootkit
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...All Things Open
Andy Watson gave a presentation on properly using cryptography in applications. He discussed random number generation, hashing, salting passwords, key derivation functions, symmetric encryption, and common mistakes made with cryptography. The presentation covered topics like cryptographically secure random number generation, choosing secure hash functions, adding salts to hashes, using functions like PBKDF2 for key derivation, different encryption modes like ECB and GCM, and real examples of cryptography mistakes from companies like LinkedIn.
Anatomy of Java Vulnerabilities - NLJug 2018Steve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting.
We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just at risk as the client.
In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in reducing security issues in Java.
Kieon secure passwords theory and practice 2011Kieon
The document discusses password security and different methods for storing passwords. It analyzes passwords from a data breach of 32 million passwords and finds that most passwords were very weak. It then discusses various methods for storing passwords like clear text, hashed passwords without salts, hashed passwords with static salts, and hashed passwords with dynamic salts. Hashing passwords with dynamic salts provides the strongest security since each hash is unique and cannot be cracked using rainbow tables. The document concludes that while no database is completely secure, dynamic hashing with salts makes the passwords much harder to steal through automated attacks or by experienced hackers.
Learn about common web application security threats and how to avoid them in your code. We will discuss general security challenges and high level principles, example attacks, social engineering, browser security and more, providing best practices along the way. This talk is a good review of the topic for experienced developers, and is highly recommended for new programmers who have not been exposed to web application security challenges in the past.
This session is not specific to any particular server-side technology. We will not discuss network security (routers, DMZs) or OS security, as this talk is focused on web application developers.
2. About me
- Miguel Ibarra
- PHP developer since 2000
- Actually, coding since 1986
- Projects from simple web pages to GRP’s
- Software Engineer @ Tiempo Development
- Webservices, security and cryptography fan

4. I can has ur data?
- Today, information assets can be more valuable than physical assets…
- Lost your USB stick lately?
- Data theft is becoming an every-day issue and concern…

6. I can has ur data?
- linkedin.com
  - 6th June 2012
  - More than 6 million passwords
- eharmony.com
  - 6th June 2012
  - More than 1.5 million passwords
- last.fm
  - 7th June 2012
  - ? Million passwords
- yahoo.com
  - 12th June 2012
  - 443K passwords
  - SQL injection
  - Passwords in plain text…

10. I can has ur data?
- Public web applications expose an authenticated and authorized connection to DBMS servers
- DBMS have their own authentication and authorization systems
- Applications that use such DBMS need credentials to connect to DB servers
- This type of apps can have their own auth procedures
- They can be vulnerable

11. I can has ur data?
- It does not matter if your DBMS is behind a firewall and/or private network
[Diagram: User -> Public network -> Web server -> Private network -> DBMS Server]

17. Protecting your data – Password Hashing
- Hash
  - Algorithm that maps data of variable length to data of fixed length
  - One way function
    - Output cannot be reversed using an efficient algorithm
  - Also called ‘pseudo-random function’
    - Output indistinguishable from true random data
- Popular hashing algorithms
  - md5
  - sha1

18. Protecting your data – Password Hashing
- Hash properties
  - Output yields a fixed length result
    - md5(‘1’) = ‘c4ca4238a0b923820dcc509a6f75849b’
    - md5(‘Hello world’) = ‘3e25960a79dbc69b674cd4ec67a72c62’
  - The slightest change, totally different results
    - md5(‘Hello World’) = ‘b10a8db164e0754105b7a99be72e3fe5’

22. Protecting your data – Password Hashing
- Again, cannot revert a hash using an efficient algorithm
- … but can be cracked…
- Crack <> Hack
[Diagram labels: Hash, Algorithm, Data]

23. Protecting your data – Password Hashing
- Brute force attack
  - Generate hashes from a dictionary
    - Common words
  - Generate character combinations
    - Exhaustive search
  - Generated hash = target hash?
    - Bingo
- Inefficient, but…
  - CPU power is growing (multiple cores)
  - GPU can be used too (thousands of cores)
  - Cloud systems

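24. ATI HD 5970, string consisting of a-z|A-Z|0-9

| Algorithm | Speed            | 8 chars  | 9 chars | 10 chars   |
|-----------|------------------|----------|---------|------------|
| md5       | 5600 million h/s | 10 hours | 27 days | 4.5 years  |
| sha1      | 2300 million h/s | 26 hours | 68 days | 11.5 years |
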
25. Protecting your data – Password Hashing
- Hash database attack
  - Query a database with pregenerated hashes
  - Several sites offer this service, free
    - Google.com
    - http://bit.ly/15O4SLN

26. Protecting your data – Password Hashing
- Getting a hash through SQL injection
  - Live demonstration

31. Password salting
- Salt has to be stored in clear text in order to authenticate a user
- if( hash(<provided password> + <salt field>) == <password field> ) then
  - User credentials are valid

32. Password salting
- Hash database attack becomes improbable
- If hash remains unknown, brute force attack becomes improbable
  - Total characters: 42
  - Calculations per second: 4 billion
  - Possible combinations: 522 duovigintillion
  - Total time to crack: 4 septendecillion years*
- According to https://howsecureismypassword.net/

33. Password salting
- But the attacker could modify the attack to obtain the salt field…
  - DEMO
- The attacker would only need to launch a brute force attack
  - Generate some character combination string
  - Concatenate salt and hash
  - Compare hashes

35. Password stretching
- To mitigate the mentioned attack, use the password stretching technique
- Create a recursive / iterative algorithm that calculates a hash value over itself a thousand (or more) times

36. [Diagram: Salt, Password and Hash are fed through the Hash Algorithm, thousands of times]

37. Password stretching
- This algorithm should iterate enough to delay each calculation by 1 second
- In order to crack with a brute force attack, the attacker…
  - Should know the exact iteration count
    - +/- 1 iteration will result in totally different hash value
  - Should wait 1 second between each attempt
- This makes the attack highly improbable

38. Password stretching
- Several standard algorithms for password stretching
  - PBKDF2
  - Bcrypt
  - Scrypt
  - …

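
The salting and stretching slides (31 to 38) combined into one storage and verification routine, as an added example that is not part of the original deck. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the record format, the function names and the iteration policy are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

ALGO = "sha256"
POLICY_ITERATIONS = 200_000   # assumed policy value; tune to your latency budget
MAX_ITERATIONS = 5_000_000    # refuse absurd counts from a tampered record
SALT_BYTES = 16


def hash_password(password, iterations=POLICY_ITERATIONS, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # per-user salt from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_" + ALGO, str(iterations), salt.hex(), digest.hex()])


def parse_record(record):
    """Split a stored record; raise ValueError if it is malformed."""
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    iterations = int(iterations)
    if scheme != "pbkdf2_" + ALGO or not 1 <= iterations <= MAX_ITERATIONS:
        raise ValueError("unsupported password record")
    return iterations, bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(password, record):
    """Slide 31's check: hash(provided password + stored salt) == stored hash."""
    try:
        iterations, salt, expected = parse_record(record)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)   # constant-time comparison


def needs_rehash(record, policy=POLICY_ITERATIONS):
    """True when a record was stretched with fewer iterations than current policy."""
    try:
        iterations, _, _ = parse_record(record)
    except ValueError:
        return True
    return iterations < policy


def login(password, record):
    """Return (ok, record_to_store); a weak record is upgraded after a valid login."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password)
    return True, record


if __name__ == "__main__":
    fixed_salt = bytes(16)  # constructed all-zero salt, only to make the demo repeatable
    a = hash_password("correct horse", 1000, fixed_salt)
    b = hash_password("correct horse", 1001, fixed_salt)
    print("1000 iterations:", a.split("$")[3][:16], "...")
    print("1001 iterations:", b.split("$")[3][:16], "...")
    r1, r2 = hash_password("correct horse"), hash_password("correct horse")
    print("same password, two users, equal records?", r1 == r2)
    print("old record upgraded on login:", login("correct horse", a)[1] != a)
```

Storing the iteration count and salt inside the record is what lets the count be raised later without locking out existing users.
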
40. I can still has ur data…
- We give it away freely…
  - Facebook
  - Twitter
  - Foursquare
- If it is free, you are the product

41. I can still has ur data…
- We unintentionally give it away…
  - Phishing scams
  - Social engineering
  - Adware / Spyware / Browser bars / Apps
  - Weak passwords
    - Names
    - Birthdays
    - Phone numbers
    - Common passwords

42. I can still has ur data…
- It is forcibly/unlawfully taken from us…
  - Extortions / blackmail
  - Unethical practices
    - banks
  - Government spy programs
    - NSA’s PRISM
    - Communications Intercept System Mexico
      - Requested by USDoS to Mexican Federal Government in 2007
      - Request cancelled in 2012…
  - Unknown sponsored spy programs
    - Rumored FinFisher program probably running in networks belonging to Uninet, Iusacell and Televisa

44. Cryptography 101
- Krypto
  - Hidden
- Graphos
  - Script
- Technique to modify a linguistic or calligraphic presentation of a message
  - Ruled by an algorithm
  - Must allow forward and backward process

50. Cryptography 101
- Today, cryptography is performed by an automated algorithm: Cipher
  - Short name for pseudo-random permutation
  - Takes an input
  - Applies a reversible algorithm
  - Outputs data indistinguishable from a truly random data stream
  - Result space is equal to message space
    - No collisions

52. Cryptography 101
- Modern algorithms use a ‘key’
- The key is used to transform a message into a pseudo-random string
  - This is called ‘cipher’
- This pseudo-random string can be transformed back to the original message only with this key
  - ‘decipher’

55. Symmetric ciphers
- The same key is used to cipher and decipher
- The 2 endpoints must agree on this key
- Security relies mainly on this key
  - Key must be improbable to guess
  - Key space has to be large…

57. [Diagram: bit rows 11000001, 01010000, 10010001, 10010001, 01010000; labels: Data to cipher, Random key, Ciphered data; Data to decipher, Random key, Original data]

58. Symmetric ciphers
- Ciphered data is impossible to decipher without the key by an efficient algorithm
  - That is, no exhaustive search for the key
- Is very simple
- Key length must be the same as message length
- Security measures applied while securely sharing the key might as well be applied to the unciphered message

59. Symmetric ciphers
- In fact, every symmetric cipher's weakest link is the key
- An attacker, instead of brute forcing the key, might as well focus on intercepting the key
- Popular cipher algorithms
  - DES
  - 3DES
  - AES

61. Asymmetric ciphers
- Has a key pair
  - Private key: only the owner can know it
  - Public key: owner can share it freely
- Message ciphered with the public key can only be deciphered with the private key
- Message ciphered with the private key can be deciphered with the public key
  - This adds a message authentication mechanism

62. Asymmetric ciphers
- Algorithms are based on prime numbers and one way functions
  - Way too easy to multiply two prime numbers
  - Factorizing a number into its prime factors is very difficult
- Usually involves very large prime numbers
  - Hundreds of digits

63. Asymmetric ciphers
- Asymmetric ciphers require more processing time
- Keys are required to be large
  - As of today’s standards, 2048 bits
- Ciphered message is bigger than the original message
- Popular algorithms
  - RSA
- Hybrid symmetric/asymmetric algorithms
  - HTTPS/TLS

65. Just encrypt it and you are safe… are you?
- Weakest links in cryptography
  - Again, the key…
  - … and how it is implemented
- Aircrack anyone?
  - WEP algorithm: example of bad crypto implementation

66. Just encrypt it and you are safe… are you?
- Common cryptography implementation misconception
[Diagram labels: C, Message, Key, Cipher Message]

67. Just encrypt it and you are safe… are you?
- Do not…
  - Use a short key
  - Use weak random data to generate a key
  - Use directly the generated key
    - Try to derive the key first
      - PBKDF2
      - Pseudo-random function
  - Use the same key to cipher identical messages
    - Information leak
  - Use the same key to cipher multiple messages
    - WEP’s Achilles’ heel
    - If you need to, use nonces
      - Nonce ≃ salt
      - Nonce is included with the message
- Cipher and send…
  - Always add signature verification mechanism
    - Hash-mac
      - Hash with a key
    - Hash-mac signature included in message

68. Do not use weak random data
[Image: Random data, PHP 4’s rand() function output on Windows converted to bitmap]

74. Encryption in databases
- Still information can be leaked
- Suppose the 2 users share the same phone number, the attacker could notice this since data was ciphered with the same key

76. Tweakable encryption
- Remember, do not use the same key to cipher multiple messages…
- Do we need to generate a new key for each record?
- Say, we have thousands of records, do we need thousand keys?
  - NO
  - Use a tweak

77. Tweakable encryption
- Every table should have a primary key
- So the values inside the primary key must be unique to every record
- Use the master key + primary key value, then hash
  - f(key, pk value) = hash(key + pk value)
- You’ll have an unique cipher key for each record
- Now, fields with the same plain text value will appear to be completely different when ciphered

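
The per-record key from slides 76 and 77, together with the nonce and Hash-mac advice from slide 67, as an added example that is not part of the original deck. Assumptions: the key derivation uses HMAC-SHA256 in place of the slide's plain hash(key + pk value); the stream cipher is a stand-in built from HMAC-SHA256 in counter mode so the block runs on the standard library alone (use an authenticated cipher such as AES-GCM from a vetted library in real code); all function names and sample values are constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def prf(key, data):
    """HMAC-SHA256, used as the keyed pseudo-random function throughout."""
    return hmac.new(key, data, hashlib.sha256).digest()


def record_key(master_key, table, pk):
    """The tweak: f(key, pk value), computed with HMAC instead of hash(key + pk)."""
    return prf(master_key, table.encode("utf-8") + b"\x00" + str(pk).encode("utf-8"))


def keystream_xor(enc_key, nonce, data):
    """Stand-in stream cipher: XOR the data with HMAC-SHA256 in counter mode."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += prf(enc_key, nonce + counter.to_bytes(8, "big"))
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def leaky_encrypt(master_key, plaintext):
    """Slide 74's problem: one key, no tweak, no nonce, so equal values look equal."""
    return keystream_xor(prf(master_key, b"enc"), b"", plaintext)


def encrypt_field(master_key, table, pk, plaintext):
    """Return nonce || ciphertext || tag for one field of one row."""
    rk = record_key(master_key, table, pk)
    enc_key, mac_key = prf(rk, b"enc"), prf(rk, b"mac")   # separate key per purpose
    nonce = secrets.token_bytes(NONCE_LEN)                # fresh for every write
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    tag = prf(mac_key, nonce + ciphertext)                # encrypt-then-MAC
    return nonce + ciphertext + tag


def decrypt_field(master_key, table, pk, blob):
    """Check the tag first; raise ValueError on tampering or on a wrong row."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    rk = record_key(master_key, table, pk)
    enc_key, mac_key = prf(rk, b"enc"), prf(rk, b"mac")
    if not hmac.compare_digest(tag, prf(mac_key, nonce + ciphertext)):
        raise ValueError("authentication failed")
    return keystream_xor(enc_key, nonce, ciphertext)


if __name__ == "__main__":
    master = secrets.token_bytes(32)   # constructed key; keep the real one out of the database
    phone = b"555-0100"                # constructed value shared by two users
    print("shared key, equal ciphertexts:", leaky_encrypt(master, phone) == leaky_encrypt(master, phone))
    row1 = encrypt_field(master, "users", 1, phone)
    row2 = encrypt_field(master, "users", 2, phone)
    print("per-record key, equal ciphertexts:", row1 == row2)
    print("row 1 decrypts to:", decrypt_field(master, "users", 1, row1))
    try:
        decrypt_field(master, "users", 2, row1)   # ciphertext copied into another row
    except ValueError as exc:
        print("row 1 blob under row 2's key:", exc)
```

Because the key is bound to the table and primary key, a ciphertext copied from one row into another fails verification instead of decrypting.
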
78. Last Words
- Last words…
  - Information privacy is YOUR RIGHT
  - Do you consider it to be a paranoid idea…
  - …or a daily life concern?
- First information privacy law from 1890 US
- Laws cannot keep up with technology