Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf) (Source Conference)
This document discusses attacking Oracle web applications using Metasploit and the wXf framework. It begins with an introduction of the speaker and describes why Oracle middleware is prevalent yet often unpatched. It then demonstrates how to locate Oracle servers, find default content, and abuse features like iSQLPlus, Oracle Portal, and Database Access Descriptors to attack systems. The document provides examples of exploiting information disclosure, authentication bypass, and SQL injection vulnerabilities. It concludes with recommendations around removing default content, patching systems, and using web application firewalls for defense.
Ben Agre - Adding Another Level of Hell to Reverse Engineering (Source Conference)
This document provides an overview of a new binary obfuscation technique using opaque predicates and semi-junk code. It begins with introductions and background on reverse engineering, common packers, and ways they are currently defeated. It then describes how the presented technique is different in that it adds non-deterministic randomization and state-aware semi-junk code to functions to make them functionally isomorphic but visually different each time. The objectives are to frustrate IDA and make continued analysis costly rather than just the initial barrier. It explains how opaque predicates, call indirection, register manipulation, and dynamic rewriting of functions achieves this. The tool is slated for release in late May after the author's finals.
The document discusses exploit kits, which are software packages that automate the exploitation of vulnerabilities to deliver malicious payloads like malware. It provides statistics on the prevalence of exploit kits in botnets and malware distribution. Key points include that 7 out of 10 botnets use exploit kits, over 35,000 servers served exploit kits in 2010, and the most commonly exploited vulnerabilities targeted Internet Explorer, Adobe Reader, Java, and Adobe Flash. The document also discusses the business aspects that make exploit kits successful like price, included exploits, and additional services.
This document discusses how companies can use data to understand customer behavior and improve various aspects of their business. It provides examples of how analytics platforms like Google Analytics and Piwik can be used to analyze customer usage patterns and optimize elements like website design, marketing campaigns, and product offerings based on data. Specific strategies mentioned include A/B testing to determine the most effective design changes, and analyzing metrics like signup and retention rates to identify areas for improvement.
The document discusses using data and analytics to understand customers. It describes common analytics platforms like Google Analytics and Piwik and how they can be used to analyze website and app usage. The document also discusses how A/B testing can be used to test different design variations and optimize elements like images, text, pricing to improve user engagement and conversions based on data collected. It provides examples of how the Obama campaign extensively used A/B testing to improve donation and signup conversions.
Eric Cowperthwaite became the CSO of Providence Health & Services in May 2006 after they had experienced several data security incidents including stolen laptops containing patient data. As the new CSO, he had to establish an information security program from the ground up amid middle management resistance and a decentralized IT environment. Over several years, he implemented new security controls, became transparent with regulators investigating HIPAA violations, and signed a resolution agreement to establish specific requirements. More recently, he has focused on building sustainability through an enterprise risk management program with governance separated from operations and independent oversight of the chief risk officer.
Geer - Hutton - Shannon - A Pilot Project On The Use Of Prediction Markets I... (Source Conference)
The document discusses a pilot project to use prediction markets to collect informed opinions from security professionals on future security events. Prediction markets aggregate anonymous predictions from a crowd to forecast outcomes. The pilot will test various security-related contracts over 60 days with 20-30 participants to see if the consensus opinions are useful for participants, organizations, and the security industry. The goal is to accelerate sharing of actionable security information from diverse sources using prediction markets.
Matt Johansen, White Hat - Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild.
Stephen Doherty, Symantec - iBanking is a relative newcomer to the mobile malware scene whose use was first identified in August of 2013. The Trojan targets Android devices and can be remotely controlled over SMS and HTTP. iBanking began life as a simple SMS stealer and call redirector, but has undergone significant development since then. iBanking is available for purchase on a private underground forum for between $4k - $5k, with the next release expected to include a 0-day exploit for the Android operating system. This presentation will discuss iBanking - its capabilities and the reasons for targeting mobile devices.
This document provides best practices and guidance for threat modeling. It discusses key concepts like taxonomy, timing of threat modeling, contributors, audience, and tools. Common pitfalls discussed include not making it a collaborative effort, poor presentation of results, deleting threats, failing to identify assets properly, making unreasonable threats, digging too deep initially, and not versioning threat modeling results. The overall aim is to help people understand how to effectively incorporate threat modeling into their projects and security development lifecycle.
The document discusses the SPDY and QUIC protocols which aim to improve upon HTTP. SPDY focuses on multiplexing, prioritization, header compression, and server push/hints. QUIC aims to eliminate head-of-line blocking, support 0RTT connections, recover lost packets, and survive network changes. Both protocols aim to improve web performance but also face security challenges around things like certificate revocation and content inspection. The future may see both protocols widely adopted in web clients, servers, and network infrastructure.
Are Agile And Secure Development Mutually Exclusive? (Source Conference)
The document discusses agile and secure software development. It provides an overview of traditional waterfall and agile project methods. Agile practices like working in short cycles, customer collaboration, and responding to change are highlighted. The roles of project managers, quality assurance teams, and security practices within agile development are also examined. Finally, the document questions whether agile and secure development can be mutually exclusive.
Health as a competitive advantage - Health trends in the workplace (Andras Kiss)
30 May 2013
Health as a competitive advantage - HR workshop
Graphisoft Park
http://bhc.hu/hrworkshop/
Kiss Katalin (Szinapszis Kft.) - Health trends in the workplace
The concept of health has gained importance in several areas of our lives, and, whether it is a matter of products (e.g. foods) or services (e.g. private diagnostics), significant market transformations can be observed. A recent population survey by Szinapszis Kft. now gives an insight into where health trends stand with regard to the workplace, what people think about protecting employee health, and to what extent they regard this as the employer's responsibility. The survey will also examine the population's views according to several criteria (e.g. company size, the respondent's position).
Video interaction analysis in practice: the effect of new media tools on student performance, based on the experience of the research -
Gulyás Enikő, Nagyné Klujber Márta, Racsko Réka
SFTY4ALL – telemedicine in the service of the elderly and of employees (Daniel Kulin, MD)
This e-poster was presented at the conference "Pandemic challenges – digital answers" of the Belügyi Tudományos Tanács (Scientific Council of the Ministry of the Interior), held in November 2020.
The use of pulse oximeters during the COVID pandemic is encouraged by domestic and international professional recommendations. The falling blood oxygen level and elevated heart rate at the onset of infection can be important data in medical and epidemiological decision-making. Organising individually performed pulse oximetry measurements into a system, transmitting them digitally and making them traceable across a large population are important aspects of successful pandemic management. The specialists of our physician-researcher group have a substantial clinical and theoretical scientific background in research and development in tele-pulse-oximetry and pulse wave analysis (www.premier.pregnascan.eu, www.sfty4all.com). In response to the pandemic situation, by September 2020 we had created a complex telemonitoring system (SFTY4ALL). Its components: a medical pulse oximeter, a smartphone application and multi-level web overview interfaces for examining the incoming measurements. Based on data in the medical literature, we can rightly expect that, in the two target areas, nursing homes and workplaces, central checking of daily measurements, repeatable even several times a day, will make prevention and timely isolation more effective, support the timely recognition of the need for hospital care, and expand our scientific knowledge to date about the dynamics of the course of SARS-CoV2019 infection. The systems deployed to users will also be usable for monitoring the so far minimally researched chronic cardiovascular effects of the infection.
Dr. habil. Kollár Csaba PhD.: Artificial intelligence in everyday life (Csaba KOLLAR (Dr. PhD.))
An event of the Magyar Hadtudományi Társaság (Hungarian Association of Military Science) and the Hungarian Defence Forces vitéz Szurmay Sándor Budapest Garrison Brigade
Date: 6 June 2024
Venue: Stefánia Palota – Honvéd Kulturális Központ (Stefánia Palace – Honvéd Cultural Centre)
Dr. habil. Kollár Csaba PhD.: Artificial intelligence in everyday life
Im 2012
1. Innovative medical applications
for mobile devices
Geges József
Ovidius Co., Ltd. West Sussex, UK
ovidiusltd@mail.com
Informatio Scientica Informatio Medicata
2012, Budapest
2. Terms to clarify
• innovative
• application
• mobile
• device
3. What type of application
• copies of "large-system" (mainframe) software
• platform optimised for mobile devices
• developed exclusively for mobile devices
• applications used with accessories
4. What characterises the current state
constant competition between
• devices
• manufacturers
• platforms
• service providers
• users
5. Cannot be ignored
• technological development
• changes in content
• social expectations
• user expectations
• economic and political dimensions