The Internet of Fails - Where IoT (the Internet of Things) has gone wrong and how we’re making it right. By Mark Stanislav @mstanislav, Senior Security Consultant, Rapid7
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play. (Rapid7)
This whitepaper details research conducted by Rapid7, which reveals that around 40-50 million network-enabled devices are at risk due to vulnerabilities found in the Universal Plug and Play (UPnP) protocol. UPnP enables devices such as routers, printers, network-attached storage (NAS), media players and smart TVs to communicate with each other. The paper investigates how three groups of security flaws relating to the UPnP protocol are exposing millions of users to attacks that could lead to a remote compromise of the vulnerable device.
Fragments - Plug the vulnerabilities in your App (Appsecco)
Appsecco presented on the common mistakes that developers make when building mobile apps.
This session covered how these mistakes make your app vulnerable to attack and abuse, and how an attacker perceives the security of a mobile app.
https://youtu.be/EzC86gWVPZk
Get Real-Time Cyber Threat Protection with Risk Management and SIEM (Rapid7)
The 2012 Verizon Data Breach Investigations Report quantified the sharp increase in cyber threats, noting that 68% were due to malware, up 20% from 2011. What is most concerning is that 85% of breaches took weeks or more to discover. Despite the focus on threat prevention, breaches will happen. In this environment the ability to identify risk, protect vulnerable assets and manage threats becomes critical. Learn how these combined solutions can help your organization identify behavioral anomalies, internal and external threats, and prevent breaches based on accurate enterprise security intelligence.
To download a free Nexpose demo, click here: http://www.rapid7.com/products/nexpose/compare-downloads.jsp
How Healthcare CISOs Can Secure Mobile Devices (Skycure)
Original webinar: http://get.skycure.com/mobile-security-in-healthcare-webinar
In this webinar, Jim Routh, CSO at Aetna, and Adi Sharabani, CEO and co-founder at Skycure, discuss:
- The state of mobile security in Healthcare organizations
- How to improve incident response and resilience of mHealth IT operations
- How to leverage risk-based mobility to predict, detect and protect against threats
Tools for Evaluating Mobile Threat Defense Solutions (Skycure)
View recorded webinar - http://get.skycure.com/evaluating-mobile-threat-defense-solution
Get the tools and information you need to make the evaluation process of Mobile Threat Defense solutions easier and ensure your success.
Three Secrets to Becoming a Mobile Security Superhero (Skycure)
View recorded webinar here - http://hubs.ly/H03W-Ns0
Learn the secrets of one mobile security superhero as he details his journey to defend his organization, the 2nd largest beverage distributor, against mobile threats.
The Future of Embedded and IoT Security: Kaspersky Operating System (Kaspersky Lab)
KasperskyOS is a secure operating system for embedded connected systems with specific cyber security requirements. KasperskyOS aims to protect software and data systems from the consequences of intrusion by malicious code, viruses and hacker attacks. These can provoke harmful behavior in any part of the system, potentially resulting in loss or leakage of sensitive data, reduced performance and denial of service. In addition, it reduces the risk of harm caused by program bugs, unintentional mistakes or premeditated abuse.
How Aetna Mitigated 701 Malware Infections on Mobile Devices (Skycure)
View webinar recording - http://hubs.ly/H06134H0
Learn how Aetna protects its corporate data from mobile threats while providing a better user experience and complying with strict industry regulations.
Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N... (Erin Sweeney)
You face an increasing number of cyber threats that are difficult to detect and defeat. Beating them might seem like Mission: Impossible. It's not.
Palo Alto Networks and Splunk with their next-generation, best-of-breed technologies have developed a joint solution to make defeating these threats Mission: Possible. Join us on Tuesday, June 30, in Santa Clara for a workshop providing hands-on exposure to both technologies. You'll walk away knowing how to:
- Prevent known and unknown threats at both the network and endpoint through a wide range of integrated technologies including: firewall, application visibility and control, cloud-based malware analysis, advanced endpoint protection, mobile workforce security, and data loss prevention (Palo Alto Networks)
- Harness all the raw log files and event data generated by any user, system, or application in your IT infrastructure (aka "big data") to quickly perform Security Information Event Management (SIEM)-like use cases including: advanced threat and anomaly detection, incident investigations and forensics, and security/compliance reporting and analytics (Splunk)
- Automatically pass data on threats from Splunk to Palo Alto Networks to enable automated remediation
Are you a security or networking professional looking to get hands-on experience with these next-generation technologies? Don't let your network self-destruct.
Today’s threat landscape has triggered an explosion of new security solutions all promising to identify threats and reduce risk. Yet, with all these new approaches, breaches continue to rise as organizations struggle to use their security controls effectively and quickly respond to threats.
Description:
Cyber thieves use brute force to target enterprise mobile devices. They know the smartphones and tablets your employees use for personal and work purposes are treasure troves of valuable, unprotected data.
With these slides, you’ll learn:
· The latest attack vectors used by cybercriminals to breach enterprise mobile devices
· How attackers operationalize campaigns across several platforms using the same command and control back ends
· How Check Point SandBlast Mobile protects mobile devices and data from attacks.
To watch the accompanying webinar, go to: https://youtu.be/7wJhateDKUs
Advanced Persistent Threat (APT) is a term given to attacks that specifically and persistently target an entity. The security community views this type of attack as a complex, sophisticated cyber-attack that can last months or even years. However, new research indicates that these attacks are actually being achieved by much simpler methods.
Imperva's Application Defense Center (ADC) has discovered that data breaches commonly associated with APT require only basic technical skills. As a result, security teams need to fundamentally shift their focus from absolute prevention of intrusion to protecting critical data assets once intruders have gained access to their infrastructure.
This presentation will:
- Expose some powerful, yet extremely simple techniques that allow attackers to efficiently expand their reach within an infected organization
- Show how attackers achieve their goals without resorting to zero-day vulnerabilities and sophisticated exploits
- Discuss how organizations can protect themselves against the advance of such attacks
How to Predict, Detect and Protect Against Mobile Cyber Attacks (Skycure)
Watch webinar recording: http://hubs.ly/H01l56L0
Join Brian Katz, director of mobile strategy at VMware, and Varun Kohli, vice president at Skycure, as they discuss how to:
- Get visibility into ALL mobile threats, vulnerabilities and attacks impacting your organization today
- Integrate Skycure with AirWatch to predict, detect, and protect against mobile cyber attacks
- Stop attacks before they make it to the enterprise by profiling good and bad device, app and user behaviors by leveraging crowd wisdom
How to Add Advanced Threat Defense to Your EMM (Skycure)
View recorded webinar here: http://hubs.ly/y0SRV90
In this webinar presentation we discuss how to:
- Stop mobile attacks before they make it to the enterprise by leveraging crowd wisdom
- Dynamically enforce BYOD, security and compliance policies based on actively detected threats
- Leverage risk-based enterprise mobility management to detect and protect against corporate espionage via infiltrated mobile devices
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev... (Skycure)
How can mobile device data be protected? This SANS webcast reviews the current and emerging services and practices designed to help secure and protect the data on these devices, identifies areas where solutions are needed to fill the remaining gaps, and provides recommendations for a holistic approach including mobile threat protection.
Watch the webinar recording: http://hubs.ly/y0XwTS0
In this RSA Conference webcast, security experts Adi Sharabani and Yair Amit describe the current threat landscape for mobile devices and discuss security strategies.
Do you struggle with finding the best way to communicate with your CIO/CISO about why a security solution is worth the money and implementation effort for your company? The hardest part of the process when buying a new product is often getting your boss to sign on and understand why the purchase is important. In this webinar you will hear straight from the horse's (boss's!) mouth as the CIO of Rapid7, Jay Leader, details the 5 questions you should be able to answer before approaching your boss in order to explain your solution choice effectively.
Allison MacLeod, Sr. Director of Demand Gen at Rapid7 presented "Making Predictive Analytics Work" at the MassTLC sales and marketing conference, March 2016
Life's a Breach: Yahoo Gets Burned by SQL Injection (Rapid7)
Rapid7 analyzed the details of 453,492 breached Yahoo! records and found that the majority of the published passwords were only "poor" or "weak" in strength due to a number of basic password security errors. In addition, over 100,000 Gmail accounts and thousands of Hotmail and AOL accounts may also have been compromised if users had reused their passwords across accounts. This infographic details other key findings from the analysis.
The Consensus Audit Guidelines (CAG) provide critical U.S. Federal government infrastructures with a proactive cyber-security framework to prioritize critical IT security concerns. The goal of applying CAG is not simply to become compliant with regulations, but rather to provide a template for making security best practices an integral part of system design and operation so that Federal agencies can ensure their systems are capable of withstanding the more frequent and in-depth attacks found in an increasingly complex threat landscape. This compliance guide will provide readers with an overview of the requirements as well as suggested steps in achieving CAG compliance.
How to Manage Your Security Control's Effectiveness (Rapid7)
In this Rapid7 video, Jane Man discusses security controls effectiveness. She talks about what it takes to assess your current security controls today and how to harden these controls even further. She also talks about how to choose the most important security controls to assess.
All government agencies, government contractors, and organizations that exchange data directly with government systems must be FISMA compliant. This may include such diverse entities as data clearinghouses, state government departments, and government military subcontractors if data is exchanged directly with Federal government systems. Coverage may expand to include public and private sector entities that utilize, manage or run critical infrastructures if FISMA security controls are combined with the Consensus Audit Guidelines as part of the new U.S. Information and Communications Enhancement (ICE) Act.
The North American Electric Reliability Corporation (NERC) introduced Critical Infrastructure Protections (CIPs) as mandatory cyber security regulations, intended to protect the bulk electric grid. This compliance guide, updated according to NERC CIP version 4 (applicable as of June 25, 2012), provides an overview of the compliance requirements as well as steps to achieve NERC compliance.
To download a free Nexpose demo, click here:
http://www.rapid7.com/products/nexpose/compare-downloads.jsp
To download a free Metasploit demo, click here:
http://www.rapid7.com/products/metasploit/download.jsp
Peter Hoddie's keynote for IEEE at CES 2016. He explores upcoming trends for developers in the IoT space, scriptable IoT leading us to the right standards, and JavaScript for the IoT.
The Internet of Things: We've Got to Chat (Duo Security)
BSides SF, February 2014: http://www.securitybsides.com/w/page/70849271/BSidesSF2014
Duo's Zach Lanier (@quine) & Mark Stanislav (@markstanislav) on IoT (Internet of Things) security, announcing http://BuildItSecure.ly
How Cyberflow Analytics has used KeyLines' network visualization functionality to develop a next-generation cyber security analytics platform built for the scope and scale of the Internet of Things.
Mobile apps are the entry point to your web applications, APIs and web services. But sometimes the developer implements security in the mobile app that can easily be bypassed by a malicious attacker, allowing the attacker to exploit your web applications and steal confidential information. In this presentation I will show you how easy it is to attack a mobile application, intercept the communication and exploit the trust model of mobile apps. I will also give an overview of the OWASP Top 10 Mobile Risks.
CIS 2015: How to secure the Internet of Things? Hannes Tschofenig (CloudIDSummit)
Companies and researchers are exploring ways to make software and hardware development easier for the masses. Soon you will be able to build your own autonomous drone, create a sensor that assesses the watering needs of your plants, and develop a cat tracking device with minimal coding and hardware skills.
What is the place of security and privacy in this exciting development?
Are we building the next generation of Internet security vulnerabilities right now?
In his talk Hannes Tschofenig will highlight challenges with the Internet of Things, what role standardization plays, and what contributions ARM, a provider of microprocessor IP, is making to improve IoT security.
The Hardcore Stuff I Hack:
This talk gives a run through of some of the technical challenges Paul and his team have overcome over the years, in as much hardcore detail as possible.
Abusing bleeding edge web standards for appsec glory (Priyanka Aash)
"Through cooperation between browser vendors and standards bodies in the recent past, numerous standards have been created to enforce stronger client-side control for web applications. As web appsec practitioners continue to shift from mitigating vulnerabilities to implementing proactive controls, each new standard adds another layer of defense for attack patterns previously accepted as risks. With the most basic controls complete, attention is shifting toward mitigating more complex threats. As a result of the drive to control for these threats client-side, standards such as SubResource Integrity (SRI), Content Security Policy (CSP), and HTTP Public Key Pinning (HPKP) carry larger implementation risks than others such as HTTP Strict Transport Security (HSTS). Builders supporting legacy applications actively make trade-offs between implementing the latest standards versus accepting risks simply because of the increased risks newer web standards pose.
In this talk, we'll strictly explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation strategies and compromises which may make these standards more accessible to builders and defenders supporting legacy applications; as well as examine emergent properties of standards such as HPKP to cover previously unforeseen scenarios. As a bonus for the breakers, we'll explore and demonstrate exploitations of the emergent risks in these more volatile standards, to include multiple vulnerabilities uncovered quite literally during our research for this talk (which will hopefully be mitigated by d-day)."
(Source: Black Hat USA 2016, Las Vegas)
Breaking Smart Speakers: We are Listening to You. (Priyanka Aash)
"In the past two years, smart speakers have become the most popular IoT device; Amazon, Google and Apple have introduced their own smart speaker products. Most of these smart speakers have natural language recognition, chat, music playback, IoT device control, shopping, and so on. Manufacturers use artificial intelligence technology to give smart speakers human-like capabilities in chat conversation. However, as smart speakers come into more and more homes and their functions become more powerful, their security has been questioned by many people. People are worried that smart speakers will be hacked to leak their privacy, and our research proves that this concern is very necessary.
In this talk, we will present how to use multiple vulnerabilities to achieve remote attacks on some of the most popular smart speakers. Our final attack effects include silent listening, control of speaker speaking content and other demonstrations. We are also going to talk about how to extract firmware from BGA-packaged Flash chips such as eMMC, eMCP, NAND Flash, etc. In addition, it covers how to turn on debug interfaces and get root privileges by modifying firmware content and re-soldering Flash chips, which can be of great help for subsequent vulnerability analysis and debugging. Finally, we will play several demo videos to demonstrate how we can remotely obtain root permissions on some smart speakers and use smart speakers for eavesdropping and playing voice."
Rajarshi Gupta at AI Frontiers: Security is AI's biggest challenge, AI is Se... (AI Frontiers)
The progress of AI in the last decade has seemed almost magical. But we will discuss the unique challenges posed by Security and what makes this domain the biggest challenge for AI. Reporting from the frontlines, we will describe the deployment of large-scale production-grade AI systems to combat security breaches, using lessons learned at Avast from defending over 400 million consumers every single day. Topics will cover the recent AI advancements in file-based anti-malware solutions, behavior-based on-device solutions, and network-based IoT security solutions.
This talk summarizes the state of IoT security, specifically as it relates to Industrial Control and Energy. When hearing the buzzword "Internet of Things," we typically think of the consumer world: smart toasters and connected fridges. However, there is a staggering number of networked embedded devices that perform life- and mission-critical tasks that our daily lives depend on. Industrial Control Systems (ICS) are not unique snowflakes anymore but use the same ubiquitous technology found in consumer IoT devices. This presentation summarizes our experiences at Senrio exploiting embedded systems and discusses the reasons why these insecure design patterns exist, including business drivers and technology factors. We will share stories and anecdotes based on 10 years of research, training and consulting (including real vulnerabilities and how they work).
iOS Bootcamp: learning to create awesome apps on iOS using Swift (Lecture 7) (Jonathan Engelsma)
This lecture looks at multithreading and networking in Swift on iOS. We discuss why these concepts are important in the context of iOS programming and then demonstrate how the concepts are properly applied.
This lecture is part of a course intended to be an intensive and very compressed deep dive into iOS development in Swift. Visit the course web page to get copies of the course outline, lecture notes, sample code, etc.
Course website: http://www.themobilemontage.com/2015/05/12/ios-bootcamp-learning-to-create-awesome-apps-on-ios-using-swift/
Though the potential of the IoT is vast, adoption can easily be curtailed by security worries. No company wants their products to be a victim of a hack, yet many do not appear to consider security as a primary driver of design decisions. This presentation will look at IoT security and describe what product designers – regardless of platform – need to be aware of if they want to build a secure and successful device.
IoT security encompasses requirements that are new for many product designers – such as provisioning, authentication, OTA upgrades and link encryption – and weaknesses in any one could potentially be used to compromise the security of the end product. From physical attacks to analysis of communications channels, there are many possible attack vectors that need to be considered.
From hacked routers to refrigerators sending spam email, there have been a lot of scary news stories about Internet of Things (IoT) security, or lack of it. According to the 2014 Hewlett-Packard Internet of Things Research Study, 70% of Internet connected devices they surveyed didn’t even use encrypted network connections. The US Federal Trade Commission (FTC) recently weighed in on the issue too, releasing a report that outlines potential IoT security risks, ranging from unauthorized access and misuse of personal information, to facilitation of attacks on other systems and risks to personal safety.
Similar to The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac... (Rapid7)
You have probably heard about some of the latest, high profile, breaches in the retail space. Home Depot, eBay, and Target were massive targets for hackers recently. View this infographic to learn the process an attacker must go through in order to steal credit card information.
This Whiteboard Wednesday video is on DREAD as a reporting methodology as it pertains to penetration testing. Rene Aguero, Senior Sales Engineer for Rapid7, will dive into DREAD and why he thinks that every pen tester should use DREAD as a reporting methodology when pen testing. Check out the video to learn more!
For more Whiteboard Wednesday videos, click here: http://www.rapid7.com/resources/videos/
Rapid7 Report: Data Breaches in the Government Sector (Rapid7)
Rapid7, the leading provider of security risk intelligence solutions, analyzed data collected and categorized by the Privacy Rights Clearinghouse Chronology of Data Breaches. Using this data, the company outlined patterns for government data breaches, including year, month, location and breach type patterns. This information and tips for protecting infrastructure can ensure that government IT environments stay protected against malicious attacks and unintended disclosure.
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...Rapid7
The Payment Card Industry Data Security Standards (PCI DSS), with its over 200 requirements, can seem like a daunting set of regulations. Nonetheless, if your organization handles any kind of credit card information, you must be PCI DSS compliant. As difficult as this can seem, you can get expert help with our new eBook: Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS Compliance.
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceRapid7
Cyber-attacks designed for financial gain are on the rise, targeting proprietary information including customer and financial information. With over 127 million records exposed in 2007 in the US alone, attacks are becoming increasingly more sophisticated. Learn more about best practices to protect the cardholder data environment and achieve PCI compliance.
According to Analysts, the Higher Education sector is the most breached of any industry. This white paper outlines key reasons why universities are more affected by security issues and how they can better prepare themselves to address IT security and vulnerability management challenges.
Protecting Patient Health Information in the HITECH EraRapid7
The American Healthcare system is getting a complete facelift thanks to incentives to adopt Health Information Technology introduced by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act contains tools for the enforcement of HIPAA regulations, as well as incentives to accelerate the adoption of information systems that reduce costs, gain efficiencies, and ultimately improve patient care while keeping patient health information secure. This paper examines the HITECH Act, the enforcement mechanisms the HITECH Act provides for HIPAA, and the key security challenges healthcare services face in order to protect patient health information as part of becoming HIPAA compliant.
The Dynamic Nature of Virtualization SecurityRapid7
The cornerstones of a proactive security strategy are vulnerability management and risk assessment. However, traditional “scan-and-patch” vulnerability scanning approaches are inadequate for dynamic, virtualized environments. Traditional scanners cannot track changes in real time, so they cannot accurately measure constantly changing risks. Anyone charged with securing IT assets needs to understand the dynamic security risks inherent to virtualized environments, and more importantly, what to do to mitigate those risks. This whitepaper explores the challenges of securing a virtualized environment and gives actionable solutions to address them.
A penetration test is often a key requirement for compliance with key regulations. But while many organizations know they need penetration testing, it can be hard to know how to fit them in to a larger security program, or even how to get started. Our whitepaper, "What is Penetration Testing? An Introduction for IT Managers," is a clear and succinct introduction to the core principles and best practices of penetration testing.
It seems like we've been hearing a lot about phishing in the news in recent years, and this threat hasn't abated yet. Why are attacks via phishing -and social engineering in general -so prevalent and so effective? This whitepaper examines the many different methods employed in phishing attacks and social engineering campaigns, and offers a solution-based approach to mitigating risk from these attack vectors.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Essentials of Automations: Optimizing FME Workflows with Parameters
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
1. Where IoT has gone wrong and how we’re making it right
THE INTERNET OF FAILS
Mark Stanislav, mstanislav@rapid7.com
2. IoT, Cool! So What’s Wrong?
• Pervasiveness: You won’t have one IoT device, you’ll have ten.
– That’s a lot of new attack surface to your life and/or business
• Uniqueness: IoT devices are a wild-west of mixed technologies.
– How do I patch firmware on these dozen devices?
– Which random vendor made the hardware inside this device?
• Ecosystem: Your vendor may be leveraging six other vendors.
– Where’s your data going once it enters that IoT device?
– Who has access to your network via proxy connections?
3. The Internet of Things “Line of Insanity”TM
[Slide graphic: a scale running from Sane through Reasonable and Questionable to Insane, with example devices Egg Tray, IP Camera, Door Lock, Door Bell]
4. Cheap Hardware, Unlimited Possibilities
Electric Imp ($25), Gumstix ($169), Arduino ($75), Raspberry Pi ($35), Pinoccio ($59)
5. How Do You Determine Security?
Philips ($60), LimitlessLED ($23), INSTEON ($30)
Vendors could each use different hardware, software, APIs, third-party service providers, and patching mechanisms
7. Interconnected Vulnerabilities!
• If-This-Then-That (IFTTT) supports over 110 platforms, services, and devices
• Allows for event-based actions across disparate technologies
• This behavior will become a consumer expectation rather than merely a “nice to have”
8. The Government is Watching :)
January 8th, 2014
FTC Commissioner Maureen Ohlhausen sits on panel at CES about IoT
November 21st, 2013
Internet of Things - Privacy and Security in a Connected World Workshop
February 7th, 2014
FTC approves final order settling charges against TRENDnet, Inc.
June 3rd, 2013
Software & Information Industry Association asks FTC to be careful with IoT
February 18th, 2014
US CERT works with IOActive to resolve Belkin WeMo vulnerabilities
January 25, 2015
FTC publishes a report on IoT around privacy and security focuses
10. Hardware Security
• Many devices use generic SoCs/boards
• Quick development, few security features (“HW hacking made easy”)
• Use of same components and firmware means one bug affects many products
• Little expertise required to design, build, and ship an “IoT Product”
Least common denominator: Logic analyzer + Bus Pirate + UART headers = Console!
12. Challenges: Software Security
• Selected platform often locks dev/vendor into given OS choice
• Proprietary OSes -- don’t peek inside the black box!
• Linux, Contiki, QNX, et al. (all with their own issues)
• Little consideration given to least-priv, mitigations, hardening, etc.
• Third-party dependencies
• Inherited bugs/attack surface
Bro, do you even randomize?
13. Comms/Network Security
• WiFi goofiness (“device as AP”, no WPA, exploitable behavior, etc.)
• Plaintext protocols or poor crypto at transport layer
– …or lack of cert pinning where SSL/TLS actually used
• Unprotected FW updates/downloads
• Otherwise seemingly unnecessary services listening
– Telnet, SSH, FTP, you name it…
• Shared accounts/auth material for “support” or updates
• Use of tech such as ZigBee and cellular introduces additional security concerns
"Cellular made easy"
14. Platform* Security
• Authentication? Signed requests? Unlikely.
• Input manipulation is a less obvious concern when developers do mobile and embedded
• Yup… OWASP {Mobile,Web} Top 10
• Leveraging third-party service providers introduces exponential complexities and further increases potential attack surface
• Quick & Dirty cloud infrastructure yields poor accessibility and, potentially, poor confidentiality
* for our purposes “Platform” also includes supporting infrastructure, services, frameworks, etc.
15. User Awareness & Behavior
• Users may not know (let alone care) how to update device firmware or apps
– Disparity in management: web console v. mobile app v. physical “update” button
• Lack of feedback or notification for updates or errors
– How does a user know their IoT device was updated or, worse, compromised?
17. Oh, You Wanted Authentication?
• Issue: Some TRENDnet IP camera models didn’t authenticate users connecting to http://camera-ip/anony/mjpg.cgi which exposed actual video feeds of people’s cameras.
• Hypothetical Exploit:
– Google for “inurl:/anony/mjpg.cgi”
– Be a big creep that nobody likes
• Fix: Always verify all expected “private” URLs actually require authentication. This is easily accomplished with a curl script or Selenium.
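The fix on this slide as a small regression check, added here as an example and not part of the original deck: every URL you consider private on a device's web interface is requested without credentials, and any 2xx answer is reported. The host, the fetcher signature and all paths other than /anony/mjpg.cgi are placeholders to replace with your own device's endpoints.

```python
"""Added example (not from the slide deck): check that 'private' device URLs
really demand credentials. Host and path list are placeholders for your own device."""
import base64
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Hypothetical list of endpoints that must never be served anonymously.
# /anony/mjpg.cgi is the path named on the slide; the others are placeholders.
PRIVATE_PATHS = ["/anony/mjpg.cgi", "/cgi-bin/admin.cgi", "/config"]

# A fetcher returns the HTTP status code for a URL, with or without credentials.
Fetcher = Callable[[str, Optional[Tuple[str, str]]], int]


def urllib_fetch(url: str, creds: Optional[Tuple[str, str]] = None) -> int:
    """Real fetcher on the standard library. HTTP errors such as 401/403 are
    results, not exceptions, because they are exactly what we hope to see."""
    req = urllib.request.Request(url)
    if creds is not None:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def find_unauthenticated_paths(base_url: str, paths: List[str],
                               fetch: Fetcher = urllib_fetch) -> List[str]:
    """Return every path that answers 2xx with no credentials at all.
    Each one is a finding: the resource is open to anyone who knows the URL.
    A redirect to a login page (3xx) or a 401/403 is the expected, healthy answer."""
    exposed = []
    for path in paths:
        status = fetch(base_url.rstrip("/") + path, None)
        if 200 <= status < 300:
            exposed.append(path)
    return exposed


def make_fake_fetch(table: Dict[str, Tuple[int, int]]) -> Fetcher:
    """Constructed stand-in for a device so the check runs offline:
    maps path -> (status without creds, status with creds)."""
    def fetch(url: str, creds: Optional[Tuple[str, str]] = None) -> int:
        anon, authed = table.get(urlparse(url).path, (404, 404))
        return authed if creds else anon
    return fetch


# Constructed sample device: serves the MJPEG stream anonymously (the bug on
# the slide) but does protect its admin page and config.
SAMPLE_DEVICE = make_fake_fetch({
    "/anony/mjpg.cgi": (200, 200),   # exposed without authentication
    "/cgi-bin/admin.cgi": (401, 200),
    "/config": (403, 200),
})

if __name__ == "__main__":
    # Against a real device: find_unauthenticated_paths("http://camera-ip", PRIVATE_PATHS)
    print(find_unauthenticated_paths("http://camera.example", PRIVATE_PATHS, SAMPLE_DEVICE))
```

Run it from a CI job after every firmware build so a route that loses its auth check fails the build rather than shipping.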
18. You Get Keys, and You Get Keys…
EVERYBODY GETS KEYS!
• Issue: IOActive determined that Belkin’s WeMo devices were including their GPG signing key and password inside of the firmware itself.
• Hypothetical Exploit:
– Retrieve firmware signing key + password
– MITM firmware feed announcing updates
– Own WeMo devices
– Flip lights and stuff
• Fix: Don’t try to “hide” secret data in firmware, a lot of people are looking there. Signing firmware is great… just don’t let attackers sign it, too :)
19. Smart Bulbs, Not Always a Bright Idea
• Issue: Context found that LIFX utilized a hardcoded symmetric key for encrypting data across 6LoWPAN, including WiFi credentials
• Hypothetical Exploit:
– Give a LIFX user a new bulb as a “gift”
– Get creepily close to their house
– Wait for them to add the new bulb, sniff traffic
– Decrypt packet capture with symmetric key
– Jump on their WiFi network and do bad things
• Fix: No, seriously, for the last time, don’t hardcode passwords/keys/etc. in your firmware.
21. Telnet & Static Root Password? :(
• Issue: The camera’s mobile app contained hardcoded root credentials so that it could initiate firmware upgrades by connecting over Telnet and echoing out a shell script to start the process.
• Hypothetical Exploit:
– Run strings on the decrypted mobile application
– Connect to any camera you can reach via Telnet as root
– View the admin password for the camera’s web interface and login
• Fix: Don’t use Telnet for anything. Don’t hardcode passwords. Promise?
22. "Protecting" Data
• Issue: Unencrypted camera “alert” video clips were uploaded to Amazon S3 into one bucket and protected only by an MD5-string filename. Oh, and no SSL.
• Hypothetical Exploit:
– Generate MD5 strings with the filename format
– Be really, really, really patient
– View random videos of cats hitting cans
• Fix: Leverage the AWS Identity and Access Management functionality to provide unique access control per customer to only their data.
23. API = Always Poorly Implemented
• Issue: API calls for third-party services were done without SSL and used an MD5-sum of the user’s password as a secret.
• Hypothetical Exploit:
– Go to Starbucks and hopefully get a PSL
– MITM network traffic
– Wait for someone to check their video camera
– Retrieve their MD5’ed password, crack, repeat
• Fix: If you set up third-party credentials for your customers, do NOT transmit their real account password. Make sure your vendors get the basic aspects of API security right.
26. Session Handling Sorrow
• Issue: Session IDs are “generated” by using only the exact UNIX epoch timestamp of when you logged into the service for this IoT device.
• Hypothetical Exploit:
– Enumerate 172,800 recent epoch timestamps
– Set your session ID to each timestamp
– Send a GET request to determine validity
– “Become” a user with a browser header
• Fix: Use your web framework’s default session handler.
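To make the slide's numbers concrete, an added example (not from the deck) puts the timestamp scheme next to a session token drawn from the OS CSPRNG and a minimal server-side store that issues and validates such tokens; the class and function names are illustrative, not any framework's API.

```python
"""Added example (not from the slide deck): weak timestamp session IDs versus
CSPRNG tokens, plus a small server-side session store. Names are illustrative."""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple


def timestamp_session_id(login_time: int) -> str:
    """The scheme criticised on the slide: the session ID *is* the login second."""
    return str(login_time)


def weak_candidate_count(window_seconds: int) -> int:
    """Number of IDs that cover every login in a time window. Two days is only
    172,800 values (the figure on the slide), so validity can be tested exhaustively."""
    return window_seconds


def secure_session_id(nbytes: int = 32) -> str:
    """256 bits from the OS CSPRNG, URL-safe: a candidate space of 2**256."""
    return secrets.token_urlsafe(nbytes)


class SessionStore:
    """Minimal server-side store. The token never encodes anything about the
    user or the login time; it is an opaque lookup key with an expiry."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self._ttl = ttl_seconds
        self._sessions: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Store only a digest of the token so a leaked store yields no usable sessions.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str, now: Optional[float] = None) -> str:
        token = secure_session_id()
        expires = (time.time() if now is None else now) + self._ttl
        self._sessions[self._key(token)] = (user, expires)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live token, or None for unknown or expired ones."""
        now = time.time() if now is None else now
        entry = self._sessions.get(self._key(token))
        if entry is None:
            return None
        user, expires = entry
        if now > expires:
            del self._sessions[self._key(token)]
            return None
        return user


if __name__ == "__main__":
    print("weak space for 48h:", weak_candidate_count(48 * 3600))
    store = SessionStore(ttl_seconds=60)
    tok = store.create("alice")
    print("token length:", len(tok), "lookup:", store.lookup(tok))
```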
27. Don’t Trust What You Haven’t Verified
• Issue: Purchasing in-app credits for use with the device via the app store lets the mobile application dictate that a purchase occurred.
• Hypothetical Exploit:
– Pick a number… any number
– Make an API call with that number
– Gain that many “things” for your account
• Fix: Don’t let a mobile app be the authority on any account balances. Always use a transaction log on the backend to reconcile what purchases have occurred and what balances should be.
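The backend transaction log the fix calls for, as an added example that is not part of the original deck: credits enter the ledger only through a verified store receipt, replays of the same receipt are refused, and the balance is always recomputed from the log. The HMAC-signed receipt format and the shared secret are constructed stand-ins for a real store's receipt-validation service.

```python
"""Added example (not from the slide deck): a backend credit ledger that never
trusts a balance asserted by the client. Receipt format and secret are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed trust anchor: in production you would call the app store's own
# receipt-validation endpoint instead of checking an HMAC with a shared secret.
STORE_SECRET = b"placeholder-store-secret"


def sign_receipt(receipt: Dict) -> str:
    """Stands in for the store signing a receipt; canonical JSON keeps it stable."""
    body = json.dumps(receipt, sort_keys=True).encode()
    return hmac.new(STORE_SECRET, body, hashlib.sha256).hexdigest()


class LedgerError(Exception):
    pass


@dataclass
class Ledger:
    # Append-only log of (user, receipt_id or "spend", credit delta).
    entries: List[Tuple[str, str, int]] = field(default_factory=list)
    redeemed: Set[str] = field(default_factory=set)

    def record_purchase(self, user: str, receipt: Dict, signature: str) -> int:
        """Credit the account only if the receipt verifies, belongs to this user,
        and has not been redeemed before. Returns the new balance."""
        if not hmac.compare_digest(sign_receipt(receipt), signature):
            raise LedgerError("receipt signature invalid")
        if receipt["user"] != user:
            raise LedgerError("receipt belongs to another account")
        if receipt["receipt_id"] in self.redeemed:
            raise LedgerError("receipt already redeemed")
        self.redeemed.add(receipt["receipt_id"])
        self.entries.append((user, receipt["receipt_id"], int(receipt["credits"])))
        return self.balance(user)

    def spend(self, user: str, amount: int) -> int:
        """Debit the account; the check is against the log, not a client-supplied figure."""
        if amount <= 0 or amount > self.balance(user):
            raise LedgerError("insufficient balance")
        self.entries.append((user, "spend", -amount))
        return self.balance(user)

    def balance(self, user: str) -> int:
        """Derived from the log every time, so there is no number for a client to pick."""
        return sum(delta for who, _, delta in self.entries if who == user)


if __name__ == "__main__":
    ledger = Ledger()
    receipt = {"receipt_id": "r-0001", "user": "bob", "credits": 50}  # constructed
    ledger.record_purchase("bob", receipt, sign_receipt(receipt))
    print("balance after purchase and spend:", ledger.spend("bob", 20))
```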
28. Hiding in Plain(text) Sight
• Issue: A chicken-and-egg problem existed where sensitive details about a user were provided prior to authorization from said user.
• Hypothetical Exploit:
– Ask a user to be your friend
– Data is transmitted over the wire about that user
– User gets to decide if they want to share data
– …wait a second…
• Fix: Don’t transmit data ahead of authorization, even if the user interface won’t expose it. If it goes over the wire, it’s out of your control now.
30. Vulnerability Handling & Disclosure
• Vendors fail to get it, or just simply don’t know
– “But, why would anyone want to hack this device? And why would they want to tell us or talk about it publicly?”
• Few-to-no resources for small vendors to handle this
• Nascency of “IoT” means researchers may not know either
– And we’d like for them to stay out of jail!