Almost two thirds of confirmed breaches involve using weak or stolen passwords - it’s not a new threat, but it works. By the end of this talk you will understand the Account Takeover threat, and walk away with some techniques & tools for detection and response within your own web applications.
3. What we’ll cover
● What is Account Takeover?
● (Why) Is Account Takeover a problem?
● How can we prevent it?
● How can we detect it?
● How can we respond?
22. Detection
● Goal: learn what “normal” looks like
○ What browser do they use?
○ What locations do they work from?
● The buzzword here is: BEHAVIOURAL ANALYTICS, or ANOMALY DETECTION, or USER AND ENTITY BEHAVIOUR ANALYTICS (UEBA)
● Simple learning & rules can get you pretty far
25. AuthTables
● User ID + Cookies and IP Addresses
○ Same cookie, new IP ✓ PASS.
○ New cookie, same IP ✓ PASS.
○ New cookie, new IP ✗ FAIL.
● Can also incorporate IP threat feeds
○ Tor, Spammy IPs, Botnets, etc
● Problem: hard pass or fail
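The pass/fail rules on this slide can be written as a small per-user lookup. The Python below is an added illustration, not AuthTables' own code or code from the talk; the class and method names, the trust-on-first-login rule, the threat-feed policy and the sample logins (documentation-range IPs) are assumptions made for the example.

```python
from dataclasses import dataclass, field

PASS, FAIL = "PASS", "FAIL"


@dataclass
class History:
    """Cookies and IPs previously accepted for one user."""
    cookies: set = field(default_factory=set)
    ips: set = field(default_factory=set)


class AuthTable:
    """Hypothetical AuthTables-style store: user ID -> known cookies and IPs."""

    def __init__(self, threat_ips=()):
        self.users = {}
        # Assumed policy: an IP on the threat feed is never treated as known.
        self.threat_ips = set(threat_ips)

    def _learn(self, user_id, cookie, ip):
        history = self.users.setdefault(user_id, History())
        if cookie:  # a login without a cookie teaches nothing about devices
            history.cookies.add(cookie)
        if ip not in self.threat_ips:
            history.ips.add(ip)

    def check(self, user_id, cookie, ip):
        """Judge a login whose password was already correct: (verdict, reason)."""
        history = self.users.get(user_id)
        on_feed = ip in self.threat_ips
        if history is None:
            if on_feed:
                return FAIL, "first login, IP on threat feed"
            self._learn(user_id, cookie, ip)  # trust on first use (assumption)
            return PASS, "first login seen for user"
        known_cookie = bool(cookie) and cookie in history.cookies
        known_ip = ip in history.ips and not on_feed
        if known_cookie and known_ip:
            return PASS, "known cookie, known IP"
        if known_cookie or known_ip:
            # One familiar identifier vouches for the other, which is learned.
            self._learn(user_id, cookie, ip)
            reason = "same cookie, new IP" if known_cookie else "new cookie, same IP"
            return PASS, reason
        # Nothing familiar: do not learn, or an attacker's values become trusted.
        return FAIL, "new cookie, new IP"

    def confirm(self, user_id, cookie, ip):
        """Record a failed login once the user has verified it out of band."""
        self._learn(user_id, cookie, ip)


# Constructed sample logins: (user ID, device cookie, source IP).
SAMPLE_LOGINS = [
    ("alice", "c1", "192.0.2.10"),    # first login
    ("alice", "c1", "198.51.100.7"),  # same cookie, new IP
    ("alice", "c2", "198.51.100.7"),  # new cookie, same IP
    ("alice", "c9", "203.0.113.50"),  # new cookie, new IP
    ("alice", "c2", "203.0.113.66"),  # known cookie, IP on threat feed
    ("alice", "c7", "203.0.113.66"),  # new cookie, IP on threat feed
]


def replay(table, logins):
    """Run logins through the table in order and collect the verdicts."""
    return [table.check(*login) for login in logins]


if __name__ == "__main__":
    table = AuthTable(threat_ips={"203.0.113.66"})
    for login, (verdict, reason) in zip(SAMPLE_LOGINS, replay(table, SAMPLE_LOGINS)):
        print(login, verdict, reason)
```

A FAIL here is the point where a softer response such as a second-factor prompt would sit; `confirm` is what moves the new cookie and IP into the user's history afterwards.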
26. Detection
● IP Address
● Geolocation
● Velocity
● Browser & OS
● Browser fingerprint
● Time of Day
● Cursor movement
● Typing speed
On phones:
● How you walk
● Touch pressure
● Swipe movement
● How you hold your phone
● How you move your phone
29. Detection
● Machine Learning is great when:
○ You have a lot of data
○ You understand your data well
● There are two ways to train it:
○ Supervised: we tell it what’s good and bad (labels)
○ Unsupervised: figures labels out itself
32. Detection
● You can do it yourself!
○ Simple pass/fail: AuthTables
○ Smarter: Statistics
○ Smarterer: Machine Learning
● Or you can pay someone to do it for you!