This document summarizes an information security presentation about keeping secrets in the Internet of Things era. It discusses increasing vulnerabilities and dependencies, limitations of current security approaches, and motivations for lack of trust. It then covers secure software development best practices including threat modeling techniques. Lastly, it discusses solutions for organizations and end users, including encryption, authentication, firewalls, intrusion detection and more. Specific examples of security breaches like Heartbleed, Snapchat, and PlaceRaider are also summarized.
This presentation will take a high level look at the malware life cycle and the role that both hackers and IT professionals play in it. It should be interesting to IT professionals as well as individuals interested in learning more about the general approach used by hackers to gain unauthorized access to systems, applications, and sensitive data.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
E2 Labs: ADVANCED PROGRAM ON: THE SECURITY OF A WEBSITE, by e2-labs
CGG and TiE, "officially supported" by the Department of Communications and IT, Government of Andhra Pradesh, along with E2labs, Asia's first Anti-Hacking Academy, are jointly organizing a 5-day Advanced Program on "Learn - Breaking Down the Security of a Website, Web Application or Company for Real" from Monday, 22nd October to Friday, 26th October at CGG (Centre of Good Governance), Rd# 25, Jubilee Hills, Hyderabad.
This document provides an overview of the CISSP Mentor Program session #1. It introduces Evan Francen and Brad Nigh, who lead the program. It discusses the severe talent shortage problem in cybersecurity, noting projections of millions of unfilled jobs by 2021 and factors contributing to this problem. It also outlines the agenda, schedule, and structure for the mentor program classes, which will cover CISSP domains and preparation for the exam.
Threat Hunting, Detection, and Incident Response in the Cloud, by Ben Johnson
SaaS and IaaS are new frontiers for a lot of security teams. We'll explore some thoughts on how you might approach some of these areas of your environment from a hunting or IR perspective. This was from a SANS webinar on 2019-09-25.
The document discusses a major hack that showed existing security tools and next-generation tools have limitations and can be bypassed. It notes how easily malware can detect sandboxes and analyzes new attack surfaces like the Internet of Things. It advocates for building defenses in key "hot zones" like endpoints, networks, data in transit, and cloud infrastructure. It provides best practices around gaining situational awareness, operational excellence, and deploying appropriate countermeasures. The overall message is that security must be a strategic priority requiring budget, skills, vigilance and an alliance between security and IT teams.
Malware and the risks of weaponizing code, by Stephen Cobb
Slides based on a paper by Andrew Lee and Stephen Cobb of ESET, delivered at the 6th Annual Conference on Cyber Conflict, NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia. June 2014.
Malware is software created to disrupt systems or steal information. This document discusses the malware lifecycle including development, deployment, detection, correction, and protection. It notes that malware creators range from organized crime to hackers and state actors. Their motivations include financial gain, espionage, and hacktivism. While advanced malware requires programming skills, malware kits allow less skilled users to cause damage. The document emphasizes that detecting and responding to malware is challenging for security teams due to the increasing sophistication and volume of malware.
We are surrounded by technology. The more we surround ourselves with and integrate with technology, the more our privacy and our data, online, internet and cyber life are at risk. Not only are you at risk; your family and friends are also at risk. If you think "I am not an important person", that would be your great mistake. You are important to someone somewhere in this world.
Mind it: your daily life is watched by someone. So be conscious… remember, prevention is better than cure.
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ..., by Core Security
Passwords, multi-factor authentication, knowledge-based questions/answers, and hard tokens are based on technologies that are now 20 years old. With organizations losing the battle against cyber attacks, it’s clearly time to move beyond these legacy technologies and adopt a modern approach in which awareness and flexibility are king. Authentication must adapt based on the level of risk, so that it can deliver strong security yet be invisible to users most of the time.
Achieving that balance of strong security and appropriate user friction is the basis for modern authentication. This session will explore what modern authentication is and why using it across all users, devices, and services is vital to turning a losing battle into a winning strategy to stop cyber attacks.
Malware on Smartphones and Tablets - The Inconvenient Truth, by AGILLY
Many companies, through their IT managers and CIOs, still do not recognize mobile malware as an imminent threat. According to a Duo Security study, a third of Android mobile users do not lock their device screens with a password, and most take no security measures at all. Furthermore, IT managers and CIOs deploy new applications to their customers and employees without building in security measures that support authentication and threat mitigation.
However, mobile malware has evolved over recent years and now constitutes a real threat. Business Insider noted that these threats are now equivalent to those on PCs in terms of distribution and level of risk.
This document discusses how HTML5 features can be used for authentication purposes and addresses some security challenges. It describes APIs like local storage, canvas, geolocation, and notifications that could be leveraged for authentication factors like passwords, patterns, and one-time passwords. However, it also notes risks like storing sensitive data on devices, spoofing locations, and notifications not being reliable. The document advocates using HTML5 responsibly and understanding privacy and user behavior when designing authentication solutions.
For Business's Sake, Let's focus on AppSec, by Lalit Kale
Slide-Deck for session on Application Security at Limerick DotNet-Azure User Group on 15th Feb, 2018
Event URL: https://www.meetup.com/Limerick-DotNet/events/hzctdpyxdbtb/
The document discusses key concepts in computer security including confidentiality, integrity, and availability. It defines computer security as preserving authorized restrictions on information access and defines threats such as unauthorized disclosure, deception, disruption, and usurpation. It also discusses cryptographic tools used to provide security including symmetric encryption algorithms like DES, Triple DES, and AES. Symmetric encryption uses a shared secret key to encrypt and decrypt data between two parties and can be vulnerable to brute force and cryptanalytic attacks if the key is compromised or algorithms are weak. Modes of operation are also discussed to securely encrypt large data using block ciphers.
Malware is Called Malicious for a Reason: The Risks of Weaponizing Code, by Stephen Cobb
Slideshare friendly version of presentation delivered at 6th Annual Conference on Cyber Conflict, NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia (there are no builds in the slides, use the other version if you want to download .pptx).
An Introduction To IT Security And Privacy - Servers And More, by Blake Carver
An hour-long presentation I gave for LYRASIS. It introduces many topics in security and privacy on the internet and computers and any other type of device with an IP address: IoT (Internet of Things), browsers, portable devices and more. In this hour I focused on servers and reviewed the previous 3 weeks. Intended for librarians and anyone else in a library.
An Introduction To IT Security And Privacy In Libraries, by Blake Carver
An hour-long presentation I gave for LYRASIS. It introduces many topics in security and privacy on the internet and computers and any other type of device with an IP address: IoT (Internet of Things), browsers, portable devices and more. In this hour I focused on things to train in libraries, security awareness training and other things relevant to people in libraries. Intended for librarians and anyone else in a library.
Top Strategies to Capture Security Intelligence for Applications, by Denim Group
Security professionals have years of experience logging and tracking network security events to identify unauthorized or malicious activity on a corporate network. Unfortunately, many of today's attacks are focused on the application layer, where the fidelity of logging for security events is less robust. Most application logs are typically used to see errors and failures and the internal state of the system, not events that might be interesting from a security perspective. Security practitioners are concerned with understanding patterns of user behavior and, in the event of an attack, being able to see an entire user’s session. How are application events different from network events? What type of information should security practitioners ensure software developers log for event analysis? What are the types of technologies that enable application-level logging and analysis? In this presentation, John Dickson will discuss what should be present in application logs to help understand threats and attacks, and better guard against them.
This document discusses the future of information security based on Netflix's experience and perspective. It predicts that social, mobile, and cloud computing will drive new security challenges as traditional controls become lacking. Netflix relies heavily on cloud computing and aims to be fully cloud-based. It uses various "monkey" programs to test systems and identify weaknesses. Looking ahead, the document predicts that security teams will take more of an advisory role using analytics and automation. Device, network, and data security will need new approaches as boundaries shift. Security will rely more on continuous testing, monitoring, and automated protection.
Imperva's dedicated research organization, the Application Defense Center (ADC), constantly monitors hackers - and their attack methods - to isolate the most relevant attack campaigns. Based on this research data, the ADC has identified the top trends poised to have the most significant impact on the security landscape in 2014. This presentation outlines the trends that will resonate across the globe in the upcoming year like the return of compromised web servers, the rise of cloud platform breaches, and the spread of 3rd party application vulnerabilities.
An Introduction To IT Security And Privacy In Libraries & Anywhere, by Blake Carver
An hour-long presentation I gave for LYRASIS. It introduces many topics in security and privacy on the internet and computers and any other type of device with an IP address: IoT (Internet of Things), browsers, portable devices and more. In this hour I focused on things to train in libraries, security awareness training and other things relevant to people in libraries. Intended for librarians and anyone else in a library. There's a focus on practical ways to secure yourself, browsers and other things. Also some discussion on privacy.
Threat modeling is a way of viewing the world, and so what's changing in threat modeling reflects that. There's a global pandemic. The ways we build software are changing. The threats are evolving, and attacks through systems are growing in importance.
Chris Haley - Understanding Attackers' Use of Covert Communications, by centralohioissa
Today's cyber attackers survive by hiding their attack communications from the prying eyes of network security. It's a critical part of an attacker's arsenal, and it lets them patiently manage and propagate attacks throughout the network while remaining undetected.
• The latest techniques attackers use to hide their traffic in plain sight
• Why simple techniques like signatures and reputations of domains or IPs come up short in finding these evolving forms of communication
• Why this isn’t really just a malware problem
• What techniques can be used to systematically identify these forms of communication and to treat them as a strong indicator of compromise
What's in your personal threat model? What assets are you trying to protect? Learn how to improve your personal security and privacy online through best practices and security tips. This talk is for everyone: whether you're a seasoned security professional or a complete novice, hopefully you will take away a few areas where you can better protect your personal information.
Video Link: https://www.youtube.com/watch?v=PIwvxSZj5e8
Applications are constantly under attack. Unfortunately, nearly all applications have no capability of detecting an attacker or responding before a breach occurs. Those applications sit passively and allow the attacker to constantly unleash attack after attack. Let's change the game and equip our application with the resources to detect an attack with high accuracy and respond in real time to prevent a compromise by eliminating the threat from the system.
In this talk we'll cover the OWASP AppSensor project – a project that details how to instrument an application to become attack aware and immediately respond to neutralize threats. This project is backed by multiple talented security experts that have been advancing the project for the past three years. AppSensor has been featured in the Department of Defense Cross Talk journal, presented at the US Department of Homeland Security resilient software conference and at security conferences around the world.
Security in an Interconnected and Complex World of Software, by Michael Coates
Michael Coates discusses security challenges in today's complex software world. Cybercrime costs over $100 billion annually. Most data breaches are caused by hacking rather than accidents. The security landscape is evolving with new technologies like cloud computing and the internet of things. Traditional security approaches like standards and hiring more people do not scale well. Instead, security needs to be integrated throughout the entire software development lifecycle and automated where possible to effectively secure systems at the speed and scale of modern development.
Companies are struggling to deal with the unstoppable growth of cyber-attacks as hackers get faster, sneakier and more creative. The bad news is that no company is immune, no matter how big or small you are. Without a proper understanding of zero-day threats, companies have no way of exposing the gaps in overhyped security solutions.
A zero-day exploit leaves no opportunity for detection. This presentation will highlight critical insights into combating zero-day threats.
2019 FRSecure CISSP Mentor Program: Class One, by FRSecure
The document summarizes the first session of a CISSP mentor program. It introduces the instructors and provides an agenda for the session. It discusses the history of the mentor program and the severe talent shortage facing the cybersecurity industry. It notes that while some claim the shortage is overhyped, most estimates indicate there will be millions of unfilled cybersecurity jobs in coming years. The document explores reasons for the shortage, including barriers to entry, lack of educational opportunities, and challenges with acquisition, retention and the male-dominated culture of the industry.
Beyond the Scan: The Value Proposition of Vulnerability Assessment, by Damon Small
Vulnerability Assessment is, by some, regarded as one of the least “sexy” capabilities in information security. However, it is the presenter’s view that it is also a key component of any successful infosec program, and one that is often overlooked. Doing so serves an injustice to the organization and results in many missed opportunities to help ensure success in protecting critical information assets. The presenter will explore how Vulnerability Assessment can be leveraged “Beyond the Scan” and provide tangible value to not only the security team, but the entire business that it supports.
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors, by Ryan Elkins
The document provides guidance on implementing simple yet effective security defenses to thwart cyber attacks. It recommends building security programs with key components like policies, baselines, risk acceptance models and checklists for application security reviews. Specific defenses include user awareness training, least privileged access, patching, network segmentation, input validation, logging and encryption. The document argues that with the right foundations, organizations do not need large budgets for security and can prevent common hacking techniques.
The state of web applications (in)security @ ITDays 2016Tudor Damian
The global security landscape is changing, now more than ever. With cloud computing gaining momentum and advanced persistent threats becoming a common occurrence, the industry is taking a more focused and serious approach, especially after some of last years' heavily publicized cyber breaches. Join this session for a high-level overview on the industry trends in the area of web application security, and find out why security is bound to become a hot topic in any organization developing or using web applications.
In the ever-evolving, fast-paced Agile development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories—stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. In this slide deck, we go through the various solutions to help build security into the development process.
Expand Your Control of Access to IBM i Systems and DataPrecisely
This document discusses expanding control of access to IBM i systems and data. It begins with some logistical information about the webcast. The presentation will discuss myths about IBM i security, exit points and access methods, examples of security issues, and how Syncsort can help with security. The agenda includes discussing the myth that IBM i is secure by nature, reviewing exit points and access methods, providing examples, and explaining how Syncsort can help manage security risks. Overall, the document aims to educate about security risks on IBM i and how third party solutions can help address vulnerabilities from various access methods and improve overall security.
The Presentation is about the Basic Introduction to Cybersecurity that talks about introduction and what is security means. Also the presentation talks about CIA Triad i.e confidentiality, integrity and availability
CNIT 160 4e Security Program Management (Part 5)Sam Bowne
This document provides an overview of topics related to information security program development and management, including security program operations, secure engineering and development, network protection, endpoint protection and management, and identity and access management. It discusses key concepts for each topic such as firewalls, intrusion prevention systems, malware prevention techniques, and centralized identity and access management. The document also outlines processes for managing access governance, conducting privileged account audits, and performing user behavior analytics.
This document discusses mobile security and provides an overview of attacks and defenses. It begins with an introduction to common mobile security issues like weak storage of sensitive data. Examples are given covering threats to mobile e-commerce, banking, and social applications. The document also outlines the mobile threat landscape, including attacks that don't require jailbreaking, and privacy risks. It concludes with a discussion of technology trends in mobile architectures and the complexity of securing the mobile environment.
Software runs today’s business; however, security implications are often misunderstood, creating significant organizational risk. Poorly configured servers, 3rd-party software, and continuous release cycles put additional pressure on already stressed teams.
Hackers no longer just exploit vulnerabilities in code -- faulty cloud deployments, weak database structures, and business logic problems are also easy targets for attackers. To reduce risk, you’ve got to audit your system in the same way an attacker would.
This presentation demonstrates how attackers compromise the modern enterprise. For each attack demonstrated, mitigation practices will be discussed. WARNING: software will be harmed during this presentation. Viewer discretion advised.
Talk on threats to database security. The title is, of course, deadly serious. Wile E. Coyote & other experts on correctness & security are enlisted to help make key points.
Keynote on why you should make Infosec a board level strategic item, how you should raise it to this level and how to approach Information Security strategically
Wfh security risks - Ed Adams, President, Security InnovationPriyanka Aash
This document discusses strategies for improving security awareness and practices among employees and organizations. It addresses issues like uninformed employees falling for phishing scams, securing home networks and devices, and ensuring new applications developed during business pivots are secure. The key recommendations are to educate employees and software teams, implement defense in depth with tools like two-factor authentication and encryption, and address security throughout the software development lifecycle when creating new applications and integrating third-party software.
Threats from cyber attacks are increasing and becoming more sophisticated. Existing security tools and even next-generation tools are often ineffective at detecting advanced persistent threats. It is an asymmetrical conflict where defenders must focus on fundamentals like training employees, prioritizing security over compliance, and implementing defense-in-depth across endpoints, networks, data in transit, cloud systems, and internal systems to build a more defensible infrastructure and gain situational awareness of attacks. Continuous improvement is needed to counter evolving adversary techniques.
1. Contain the breach to prevent further access or theft of data. Isolate compromised systems.
2. Determine the scope of data exposure and who was impacted. Conduct an investigation.
3. Notify impacted individuals as soon as possible of the breach and what data was exposed. Provide guidance on next steps.
4. Offer identity protection services or credit monitoring to impacted individuals. Consider legal obligations for notification.
5. Review security measures and response plans. Patch vulnerabilities and strengthen defenses to prevent future incidents.
The typical process for investigating security-related alerts is labor intensive and largely manual. To make the situation more difficult, as attacks increase in number and diversity, there is an increasing array of detection systems deployed and generating even more alerts for security teams to investigate.
Netflix, like all organizations, has a finite amount of resources to combat this phenomenon, so we built FIDO to help. FIDO is an orchestration layer that automates the incident response process by evaluating, assessing and responding to malware and other detected threats.
Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive.
Key Takeaways:
-Great places in the user journey to inject security tests
- Ways to augment existing test approaches to cover security concerns
- Typical security tools that are free, cheap, and easy for software testers
Defcon 23 - damon small - beyond the scanFelipe Prado
The document discusses the value of vulnerability assessments beyond just identifying vulnerabilities. It argues that assessments provide three key benefits:
1. They identify potential vulnerabilities and missing patches, but also reveal issues with documentation, processes, legacy requirements, and lack of understanding of the environment.
2. They provide remediation information on how to address vulnerabilities.
3. They support asset and software management by identifying active but undocumented assets, comparing scans to configuration management databases, and aiding in software license management.
Keeping Secrets on the Internet of Things - Mobile Web Application Security
1. Keeping Secrets
In the vast Internet of Things
Zisher Mob::Web::Sec
Ipsilon Group
Kelly Robertson
2. Agenda
M-Days
Part One
• What are the stakes today?
• We are vulnerable and dependent
• Current InfoSec cannot reach the New Reality
• Motivations for mis-trust
• As the world turns…
Part Two
• Software Development – Secure by Design
Part Three
• Solutions for organizations and end users
3. The sun rises and sets the same on
the Good and the Bad
• Brightest Flashlight Free
• Jekyll on iOS
• PIN Skimmer
• FireSheep and Faceniff
4. The Heartbleed Bug
• SSL/TLS is used for email, banking, e-commerce
and privacy throughout the Internet
• Attackers could eavesdrop on communications,
steal identities and data
• Leave-no-trace, long exposure, ease-of-exploit
5. SnapChat
• 4.6 Million usernames and phone numbers
• Anonymous posted this information and said:
“You are downloading 4.6 million users’ phone number
information, along with their usernames. People tend to use the
same username around the web so you can use this information
to find phone number information associated with Facebook and
Twitter accounts, or simply to figure out the phone numbers of
people you wish to get in touch with.”
6. PlaceRaider
• Very Scary Smartphone Malware
• US Naval Surface Warfare Center and
University of Indiana
• An Android app that secretly records and
reconstructs a user’s environment as a 3D
virtual model
7. The Mask
• 380+ Targets in 31 countries over 7 years
• One of the most sophisticated attacks ever
• Intercepts network traffic, Skype, PGP Keys, Wi-Fi traffic,
keystrokes, screen captures, encryption keys, and more
• Three separate backdoors in Win 32/64 + Mac OS using
sophisticated Malware, a bootkit and a rootkit
• The iPad and Android versions are very difficult to trace:
Date: Wed, 15 May 2013 23:34:01 +0000
Remote IP Address: 200.x.x.x
** User Agent
Browser User Agent String:
Browser Name: iPad
8. Information Security Today
• Encryption
• Authentication
• DNSsec
• VPN
• SoftToken
• Anti-virus
• Anti-Malware
• Biometrics
• NG Firewalls
• Intrusion Detection
• Threat Feeds
• Manned SOCs
• Forensics
• And so forth…
10. Mobile Web Apps
• Porous trust boundaries
– Inherit trust/data from other components
• App store curator, Operating Systems and APIs
• Physically vulnerable to booted-rooted attack
• Lots of sensors and sensitive user data
• User’s unwarranted trust
• Client server paradigm – no control from server
• Bluetooth, Baseband, Wi-Fi, RF “always on”
• Jailbroken or rooted phones subvert controls
11. Mobile Web Apps
Platform Details
• iOS apps run on Objective C
– Hybrid C++ and a message parser
– Introduces data leakage vulnerability
– Special ‘extractors’ can harvest logic and class
declarations – details that hackers exploit
– The end user can decompile an app for symmetric
keys – a component of secure transactions
– Anti-tamper, use C++ wherever possible and generic
declarations can mitigate much
12. Mobile Web Apps
Platform Details
• Android runs on Java and Dalvik
• Susceptible to ‘repackaging’ exploit
• Vulnerable to web proxy spoofing
• Allows SD cards
• But, Java is a type-safe language
• Class library is well-established
• Secure mobile abstraction when coded right
13. – Automotive
• 100 million lines of code per car now
• 100 + ECUs
– Body-borne computing
• Health monitoring
• Behavior monitoring
• Vision
• Fashion
– Eyeglasses
– Nanorobotics – molecular scale
Science Fiction
is now…
15. Keeping Secrets
In the vast Internet of Things
Zisher Mob::Web::Sec
Ipsilon Group
Kelly Robertson
16. Secure Software Development LifeCycle
“Enemies may face off for years, only to have
the outcome decided in a single day.”
Sun Tzu
The Art of War
17. Secure Software Development LifeCycle
“The totally awakened warrior can freely utilize all
of the elements contained in Heaven and
Earth…with enlightened wisdom and deep calm.”
Morihei Ueshiba
The Art of Peace
Vibrant and Joyful
19. Developing Developers
Align with your business goals
From the Book of Five Rings:
• Empty as space
• Hard as a diamond
• Flexible as a willow in the wind
• Smooth flowing like water
Be organized, but take it easy
Two stages: Document, then Prioritize
20. The Seven Pernicious Kingdoms
Taxonomy of SW Security Errors
OWASP
• Input validation and response
• API Abuse
• Security Features
• Time and State
• Error Handling
• Code Quality
• Encapsulation
21. Threat Modeling Techniques
Secure software does only its job
Top down and bottom up
Scoping attack surfaces and trust
Threat priority = Severity + Probability
Movie Plotting
23. Threat Modeling Techniques
Scoping attack surfaces and trust boundaries
Secure software does only its job
Top down and bottom up
Threat priority = Severity + Probability
• Movie Plotting
• Attack Trees
25. Threat Modeling Techniques
Scoping attack surfaces and trust boundaries
Secure software does only its job
Top down and bottom up
Threat priority = Severity + Probability
• Movie Plotting
• Attack Trees
• S.T.R.I.D.E.
– Spoofing, Tampering, Repudiation, Information disclosure (InfoLeak),
Denial of Service and Elevation of Privilege
30. Denial of Service
Difficult to monetize, easier to defend than ever
• Brute force (amplified)
• Persistent (under the radar)
• Logic tripwires can alert
31. Elevation of Privilege
Always a top goal
• Bugs
• Configurations
• Authentication
• Corrupted process
• Memory
• Session hijacking
32. The Four Pillars of Priority
Quantified, now qualified
• Resolve it - Mitigate
• Get rid of it - Eliminate
• Deflect it - Transfer
• Live with it - Accept the risk and move on…
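The threat-modeling slides (attack trees, S.T.R.I.D.E., priority = severity + probability) and the Four Pillars above, worked through as an added example that is not part of the deck: a small attack-tree scorer that labels each threat with its STRIDE category, computes the root's success probability, ranks by the deck's priority rule, and picks the single attack step where a control would cut the most. Threat names, probabilities, severities and the accept threshold are constructed sample values, not figures from the presentation.

```python
"""Attack-tree scoring with STRIDE labels and the deck's priority rule.
Added example, not material from the presentation; every value below is a
constructed sample."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Stride(Enum):
    SPOOFING = "S"
    TAMPERING = "T"
    REPUDIATION = "R"
    INFO_DISCLOSURE = "I"
    DENIAL_OF_SERVICE = "D"
    ELEVATION = "E"


@dataclass
class Node:
    """Attack-tree node: a leaf carries the probability that the step succeeds;
    an inner node combines children with AND (all needed) or OR (any suffices)."""
    name: str
    gate: Optional[str] = None          # "AND", "OR" or None for a leaf
    p: float = 0.0                      # leaf success probability, 0..1
    children: List["Node"] = field(default_factory=list)

    def probability(self) -> float:
        if not self.children:
            return self.p
        ps = [c.probability() for c in self.children]
        if self.gate == "AND":          # attacker must complete every sub-goal
            out = 1.0
            for x in ps:
                out *= x
            return out
        fail = 1.0                      # OR: fails only if every branch fails
        for x in ps:                    # (branches assumed independent)
            fail *= 1.0 - x
        return 1.0 - fail


@dataclass
class Threat:
    name: str
    category: Stride
    severity: int                       # 1 (nuisance) .. 10 (business-ending)
    tree: Node

    def priority(self) -> float:
        # Deck's rule: priority = severity + probability. Probability is scaled
        # to the same 1..10 range so neither term swamps the other.
        return self.severity + 10.0 * self.tree.probability()


def leaves(node: Node) -> List[Node]:
    if not node.children:
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]


def best_control(tree: Node) -> Tuple[str, float]:
    """Attack step whose removal (a control driving its success probability to
    zero) cuts the root probability the most; returns (leaf name, reduction)."""
    base = tree.probability()
    best_name, best_cut = "", 0.0
    for leaf in leaves(tree):
        saved, leaf.p = leaf.p, 0.0
        cut = base - tree.probability()
        leaf.p = saved
        if cut > best_cut:
            best_name, best_cut = leaf.name, cut
    return best_name, best_cut


def plan(threats: List[Threat], accept_below: float = 10.0):
    """Rank threats and choose a disposition: below the threshold the risk is
    accepted, otherwise mitigate at the most valuable attack step (eliminate
    and transfer are left as human decisions)."""
    rows = []
    for t in sorted(threats, key=lambda t: t.priority(), reverse=True):
        pr = round(t.priority(), 2)
        if pr < accept_below:
            rows.append((t.name, t.category.value, pr, "accept", ""))
        else:
            leaf, _ = best_control(t.tree)
            rows.append((t.name, t.category.value, pr, "mitigate", leaf))
    return rows


# Constructed sample threats for a mobile web app (not from the deck).
SAMPLE_THREATS = [
    Threat("Session hijack on public Wi-Fi", Stride.SPOOFING, 8,
           Node("hijack", "OR", children=[
               Node("sniff unencrypted session cookie", p=0.5),
               Node("steal credentials", "AND", children=[
                   Node("phish password", p=0.2),
                   Node("bypass second factor", p=0.1)])])),
    Threat("Embedded key recovered from decompiled app", Stride.INFO_DISCLOSURE, 9,
           Node("decompile app and read symmetric key", p=0.9)),
    Threat("Request flood on login endpoint", Stride.DENIAL_OF_SERVICE, 3,
           Node("flood login with bots", p=0.6)),
]
```

Run `plan(SAMPLE_THREATS)` to get the ranked rows; the Wi-Fi threat lands at priority 13.1 with "sniff unencrypted session cookie" as the step worth controlling first.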
33. Education
Computer based training – SCORM compliant
On-line resources – OWASP and SlideShare
Universities – more and more, but still light
Security and other Vendors
Conferences
Boutique Educators, Specialists and Authors
35. Static Code Analysis
The process of assessing code without executing it.
“No single technique is a Silver Bullet. The best
that a code review can uncover is about 50% of
the security problems”
Gary McGraw, Ph.D
Cigital
36. SAST
The Good, The Bad and The Ugly
• Thorough, consistent analysis
• Finds root cause much of the time
• Can catch security flaws early
• Great for checking lots of lines of code and branches
But…
• Signal to noise ratio can dull the effectiveness
• Can interrupt creativity and workflow
• Can’t analyze architectural problems
And…
• Algorithms cannot completely analyze algorithms
• Writing for language parsers is hard – dialects make it worse
37. Static Code Analysis
What to look for. . .
• Alignment with workflow, creativity, culture
• Ultimate cost savings and revenue generation
• Source code versus compiled code
• Simultaneous analysis, multi-branch, languages
• Dependency injection
• Configuration files
• Service-oriented architecture (SOA)
• Trade off between speed and depth/accuracy
• Can code be developed while under analysis?
38. Static Code Analysis
What to do with the output…
• Must be vetted by a human analyst
– Bug filing, reporting, taint analysis, training
• Compliance officer can be very helpful
• Most effective and least costly during development
• Should drive education, training and coaching
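The static-analysis slides above (taint analysis, signal-to-noise, output that a human must still vet), as an added example that is not a tool from the deck: a toy taint-tracking analysis over Python source built on the standard `ast` module. The SOURCES, SINKS and SANITIZERS sets and the SAMPLE_SOURCE it scans are constructed for the demo; the sanitizer handling is what keeps the two clean calls out of the report, and the conservative propagation rules are where real tools trade noise for depth.

```python
"""Toy taint-tracking static analysis over Python source (added example).
Flags data flowing from an untrusted source into a dangerous sink without
passing through a sanitizer. The source/sink/sanitizer lists and SAMPLE_SOURCE
are constructed for this demo, not taken from the presentation."""
import ast
from typing import List, Set, Tuple

SOURCES = {"input", "request.args.get", "request.form.get"}
SINKS = {"os.system", "subprocess.call", "subprocess.run", "cursor.execute", "eval"}
SANITIZERS = {"shlex.quote", "int", "html.escape"}


def dotted(node: ast.AST) -> str:
    """Render a callee such as os.path.join as 'os.path.join' ('' if not a name)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


class TaintVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.tainted: Set[str] = set()                  # names holding untrusted data
        self.findings: List[Tuple[int, str, str]] = []  # (line, sink, argument)

    def is_tainted(self, node: ast.AST) -> bool:
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            callee = dotted(node.func)
            if callee in SOURCES:
                return True
            if callee in SANITIZERS:
                return False                # taint stops at a sanitizer
            # Unknown call: tainted if any argument, or the object a method is
            # called on (e.g. s.strip()), is tainted. Conservative by design.
            if any(self.is_tainted(a) for a in node.args):
                return True
            return isinstance(node.func, ast.Attribute) and self.is_tainted(node.func.value)
        if isinstance(node, ast.BinOp):             # "cmd " + host
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):         # f"...{host}"
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, (ast.List, ast.Tuple)):  # subprocess argv lists
            return any(self.is_tainted(e) for e in node.elts)
        return False

    def visit_Assign(self, node: ast.Assign) -> None:
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        callee = dotted(node.func)
        if callee in SINKS:
            for arg in node.args:
                if self.is_tainted(arg):
                    self.findings.append((node.lineno, callee, ast.unparse(arg)))
                    break
        self.generic_visit(node)


def analyze(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, sink, argument) for every tainted value reaching a sink."""
    visitor = TaintVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample under analysis; the leading newline is line 1.
SAMPLE_SOURCE = '''
import os, shlex, subprocess
def ping(request, cursor):
    host = request.args.get("host")                 # untrusted source
    os.system("ping -c 1 " + host)                  # line 5: true positive
    safe = shlex.quote(host)                        # sanitizer clears taint
    os.system("ping -c 1 " + safe)                  # clean
    count = int(request.args.get("n"))              # int() sanitizes
    subprocess.run(["ping", "-c", str(count), safe])  # clean
    name = input("name? ").strip()                  # taint survives .strip()
    cursor.execute(f"SELECT 1 WHERE n = '{name}'")  # line 11: true positive
    host = "localhost"                              # reassigned with clean data
    os.system("ping -c 1 " + host)                  # clean again
'''
```

`analyze(SAMPLE_SOURCE)` reports exactly the two true positives (lines 5 and 11); each still needs a human to confirm the sink is reachable and file the bug, as slide 38 says.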
39. Call-to-Action
Institutional
Integrate a Web Application Firewall into the SDLC
• WAF in this case is a network-based proxy
• Usually an appliance but can be Cloud or SW
• PCI standards considered WAF as an
acceptable alternative to securing the code
• Often run by network engineers or network
security practitioners, not developers
40. WAF
The Good, The Bad and The Ugly
• Web apps are accessed by legitimate traffic only
• Reconnaissance, application behavior and forensics
• Excellent for compliance and information assurance
But…
• Legitimate traffic can be malicious
• Susceptible to protocol-level evasions of many types and classes
• Automated vulnerability scanning alone is not enough
• Manual analysis is required to ensure accuracy
• APT and Business Logic often require human intervention
And…
• Continuous & accurate tuning is hard
41. Call-to-Action
Institutional
Employ Mobile Device Management
• Data containers
• Black listing
• Remote wipe
• Find a device
• Secure provisioning
• Corporate app store
• Compliance reporting
• Jailbreak detection
• Patch management
• Crypto libraries
• Authentication
• CA integration
• Firewall
• Anti-virus
42. MDM
The Good, The Bad and The Ugly
• MDM evolved from mobile network operators
• Agent-based with a control server
• Audit for compliance
• Provisioning is key, including bricking, wiping
But..
• BYOD means anything goes
• Users are a very big problem
And…
• Variances between vendors are wildly different
• User behavior is usually tracked
43. Call-to-Action
Personally, what can you do for yourself?
Choose the source of your application carefully
Question the app’s need to share location/contact
Why does this app want to login with FB, et al.?
Don’t: Keep me logged in OR remember me
Don’t save passwords
Do: use a secure browser – WhiteHat Aviator
Don’t click on the dancing pig…
44. Click on the
Dancing Pig!
"The applet DANCING PIGS
could contain malicious code that might do permanent damage
to your computer, steal your life's savings, and impair your ability
to have children.”
46. Bibliography
• Secure Programming with Static Analysis – Chess and West
• The Tangled Web – A Guide to Securing Modern Web Applications – Michal Zalewski
• Threat Modeling – Designing for Security – Adam Shostack
• Mobile Hacking Exposed – Bergman, Stanfield, Rouse, Scambray
• Application Security for the Android Platform – Jeff Six
• Hacking and Securing iOS Applications – Jonathan Zdziarski
• Mobile Application Security – Dwivedi, Clark, Thiel
• The Art of War – Sun Tzu
• The Art of Peace – Morihei Ueshiba
• The Book of Five Rings – Miyamoto Musashi
• Chinese Industrial Espionage: Technology Acquisition and Military Modernisation – Hannas, Mulvenon, Puglisi
Welcome to today’s broadcast: Keeping Secrets in the vast Internet of Things. I’m Kelly Robertson with Zisher Mob:Web:Sec in the Silicon Valley and this presentation is brought to you in collaboration with the Ipsilon Group in Frankfurt, Germany. In part one, we will be discussing security issues relative to the Mobile Revolution that is sweeping the planet. In part two, we will explore end-to-end countermeasures from the Software Development LifeCycle to Application Firewalls and Mobile Device Management tools.
In the first place, we’ll take a look at the landscape today in terms of research, theory and actual exploits. We’ll then take a look at a novel approach to developing applications for mobile platforms more securely. Finally, we’ll briefly talk about solutions that organizations are using today, and some of the considerations that are important when choosing your tactics for defending information assets.
Brightest Flashlight Free:
In December 2013, Goldenshores Technology, creator of an app downloaded tens of millions of times, was found to have collected private information, passed it on to third parties, and deceived customers about it; the Federal Trade Commission stepped in.
Jekyll on iOS – a Georgia Tech attack that evaded the mandatory app-signing and code-signing mechanisms of the App Store by rearranging already-signed code. It succeeded.
PIN Skimmer – two researchers from the University of Cambridge created a side-channel attack that uses the video camera and microphone to infer PINs entered on a number-only soft keyboard on a smartphone. The microphone detects touch events, while the camera estimates the smartphone’s orientation and correlates it with the position of the digit tapped by the user. It is undetectable by the end user and had both a mobile app and a server component.
Firesheep and Faceniff – a packet-sniffing extension to Mozilla Firefox that wasn’t blacklisted because it was intended to be used for good: to illustrate security risks in encryption during login, but it had nothing to do with cookies. When used with a tool such as Ettercap, Firesheep was used to compromise a Wi-Fi environment, such as an Internet cafe, and harvest sensitive information all day long. Examples were unencrypted cookies from Twitter and Facebook, who have since addressed the issue.
Heartbleed bug, so called because it relates to the heartbeat extension of the SSL/TLS protocol, is an implementation problem that has left large numbers of secrets on the Internet exposed…it actually leaks the secret keys that are used to secure transactions.
The Heartbleed Bug is a serious, leave-no-trace vulnerability in the popular OpenSSL cryptographic software library that ships with over 14 popular operating systems and is very widely used across the Internet to provide privacy for financial transactions. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
How bad is it? You are likely affected somehow…governments, banks, entertainment and social sites often use encryption to keep your secrets.
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.
A fixed OpenSSL has been released and now it has to be deployed, which, as one can imagine, is not trivial.
1/1/14
Snapchat –the disappearing message service… Twice last year, Gibson Security advised Snapchat that usernames and sensitive information were vulnerable to leakage…eek!
On January 1st of this year, Anonymous hackers posted a file on Snapchatdb.info with 4.6 million SnapChat usernames and phone numbers
Instructions on the pages say, “You are downloading 4.6 million users’ phone number information, along with their usernames. People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with.”
It is clear that the hackers are trying to prod Snapchat to acknowledge the severity of their security holes and make the needed patches. They claim that the database “contains username and phone number pairs of a vast majority of the Snapchat users.” They used the security exploits documented last week by Gibson Security that Snapchat “dismissed.” SnapchatDB claims that this information “is being shared with the public to raise awareness on the issue. The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it.”
Facebook, which had made an offer on SnapChat previously, turned around and bought Whatsapp – for $19B. SnapChat has no source of revenue so acquisition was the likely exit strategy.
The very scary Placeraider Smartphone malware
The Naval Surface Warfare Center in Crane, Indiana, and a few pals at Indiana University reveal an entirely new class of ‘visual malware’ capable of recording and reconstructing a user’s environment in 3D by running in the background of just about any smartphone. This then allows the theft of virtual objects such as financial information, data on computer screens and identity-related information.
In theory, it goes something like this: The user downloads an app which grants the malware access to the camera, and the malware suppresses the sound of the shutter while it takes random pictures and records the position of the phone and the time and location. Pictures are filtered and stitched together to give a 3D model of the user’s environment. The theory was tested on 20 unsuspecting people and then other random people were asked to harvest data from the images: checks, calendars, QR codes and personal information were among the booty.
Today Robert Templeman at the Naval Surface Warfare Center in Crane, Indiana, and a few pals at Indiana University reveal an entirely new class of ‘visual malware’ capable of recording and reconstructing a user’s environment in 3D. This then allows the theft of virtual objects such as financial information, data on computer screens and identity-related information.
Templeman and co call their visual malware PlaceRaider and have created it as an app capable of running in the background of any smartphone using the Android 2.3 operating system.
Their idea is that the malware would be embedded in a camera app that the user would download and run, a process that would give the malware the permissions it needs to take photos and send them.
PlaceRaider then runs in the background taking photos at random while recording the time, location and orientation of the phone. (The malware mutes the phone as the photos are taken to hide the shutter sound, which would otherwise alert the user.)
The malware then performs some simple image filtering to get rid of blurred or dark images taken inside a pocket for example, and sends the rest to a central server. Here they are reconstructed into a 3D model of the user’s space, using additional details such as the orientation and location of the camera.
A malicious user can then browse this space looking for objects worth stealing and sensitive data such as credit card details, identity data or calendar details that reveal when the user might be away.
Templeman and co have carried out detailed tests of the app to see how well it works in realistic situations. They gave their infected phone to 20 individuals who were unaware of the malware and asked them to use it for various ordinary purposes in an office environment.
They then evaluated the resulting photos by asking a group of other users to see how much information they could glean from them. Some of these users studied the raw images while the others studied the 3D models, both groups looking for basic information such as the number of walls in the room as well as more detailed info such as QR codes and personal checks lying around.
Templeman and co say the tests went well. They were able to build detailed models of the room from all the data sets. What’s more, the 3D models made it vastly easier for malicious users to steal information from the personal office space than from the raw photos alone.
That’s an impressive piece of work that reveals some of the vulnerabilities of these powerful devices. And although the current version of the malware runs only on the Android platform, there is no reason why it couldn’t be adapted for other systems. “We implemented on Android for practical reasons, but we expect such malware to generalize to other platforms such as iOS and Windows Phone,” say Templeman and co.
They go on to point out various ways that the operating systems could be made more secure. Perhaps the simplest would be to ensure that the shutter sound cannot be muted, so that the user is always aware when the camera is taking a picture.
However that wouldn’t prevent the use of video to record data in silence. Templeman and co avoid this because of the huge amount of data it would produce but it’s not hard to imagine that this would be less of a problem in the near future.
Another option would be a kind of antivirus app for smartphones which actively looks for potential malware and alerts the user.
The message is clear: this kind of malware is a clear and present danger. It’s only a matter of time before this game of cat and mouse becomes more serious.
Careto, “the ugly mask”, is a really, really interesting Advanced Persistent Threat for a number of reasons:
It is a really sophisticated, long-term cyber-espionage campaign with outstanding tools
It was caught by Kaspersky researchers as they observed five-year-old evasion techniques being used that they had already mitigated
It is a Spanish-language assault
380+ Targets in 31 countries over 7 years
One of the most sophisticated attacks ever
Intercepts network traffic, Skype, PGP Keys, Wi-Fi traffic, keystrokes, screen captures, encryption keys, and more
Three separate backdoors in Win 32/64 + Mac OS using sophisticated Malware, a bootkit and a rootkit
The impact on mobility platforms is yet unknown…
What do legacy infosec tools provide to combat the mobility threats?
Well,
Next generation firewalls do put unknown applications into a sandbox and analyze them.
Intrusion detection can pick up some anomalous behaviors, but usually just known problems, as compared to zero-day attacks.
Threat feeds are services that provide tsunami warnings from the larger Internet community (think security data warehouses and big-data analytics) to predict problems.
The top-tier security vendors all have threat research centers with some type of incident response and early warning for customers.
And, after the fact, improvements in the ease of use of forensics tools help to determine if advanced persistent threats or insider-driven attacks are present.
All are necessary, but not sufficient. So, let’s take a look at Mobile Web Applications and see how they are fundamentally different even from web applications and discuss what can be done about securing the Mobility Revolution.
Information disclosure – leaked data can come from any layer; examples are error codes that tell the attacker the versions of components, file names that can be guessed, and data flows that reveal trust boundaries
Data flow is particularly vulnerable over radio networks.
DoS is a threat to availability.
EoP (elevation of privilege) is literally the keys to the kingdom
Containers, buffers,
Mitigate
Eliminate
Transfer
Accept
How do we learn this stuff?
CBTs (computer-based training) are good; try to get one that works with SCORM, a spec for distributed learning that helps keep track of progress across lots of people and may help with compliance requirements
There’s lots of self-help, but that takes discipline, and it’s hard to maintain cohesion unless the team attends together. Of course, a team may train a trainer
University offerings are still lighter than one would think
Vendors and organizations such as SANS have very specific training
Conferences are usually expensive in that there is travel and expense, time out of the office (and usually not convenient to the development cycle) and a pretty hefty fee… but go through the syllabus, and if it’s right up your alley, it’s probably invaluable
Smaller specialists are more likely to come to you, develop a curriculum for your environment, coach you through labs that really make it all stick, and tend to be cost effective – you are paying one person’s T&E and at your convenience. Quality may vary.
Sharable Content Object Reference Model
Southern New Hampshire University but not Southern Utah, Saint Louis U, Stanford
McAfee, Akamai,
RSA Security, Infosec, SANS
Denim Group, Manico
How can you keep the dialog going and make it stick?
Building a culture of communication for secure coding can definitely be helped along by having our team play a game of Elevation of Privilege (EoP) once a week. This tricks-and-trumps card game is available for download free and was developed by Adam Shostack and his team at Microsoft. EoP illuminates, inspires and builds an organization’s skills… and it aligns directly with STRIDE
Let’s talk about solutions for analyzing the code. Static Code Analysis, also known as SAST, is an automated software program that analyzes source code or object code, usually after the code has been compiled. Code review is the same process done by humans. In either case, as Dr. McGraw states here, a program can only catch so much. We’ll examine just why that is in a moment, but for now let’s just say that we want to develop the best process that we can that aligns with our business goals and our culture.
Prone to false positives – the developers or independent analysts are the only thing that really works here
The Turing halting problem and Rice’s Theorem – static analysis cannot be perfect
In the first place, we need to consider how the team works together and make a decision based in part on how much overhead SAST may involve.
Alignment with workflow, creativity, culture
Ultimate cost savings and revenue generation – SAST should be less expensive than the alternative. For example, an open-source SAST set on default may be way too noisy to be useful as developers may begin to ignore results after a short time. A commercial offering with professional services or a manned NOC may cost more up front yet save money due to risk.
Source code versus compiled code. Compiled code may need to be sent off-site and this may not be acceptable for some development teams. If just snippets of the source code are sent off site, then reverse engineering by someone trying to steal intellectual property is unrealistic.
Simultaneous analysis, multi-branch, languages. A boutique or in-house SAST service may not be able to analyze more than a single application at a time, which may not be in the best interests of the team. Also, some SAST offerings charge by the branch, which can become a bit pricey. And, some SASTs are limited in their language coverage. Remember, too, that dialects can be difficult and time consuming if a language has been forked.
Dependency injection is a method of making a service part of an object’s state, which can make testing easier and makes the code a bit more modular and easier to work with. It also allows multiple teams to work in parallel. DI also helps with configuration management using external config files, but sometimes it also makes tracing behavior a little more complicated. Not all application frameworks support DI, but the SAST should.
Configuration files – the SAST may need to trace the dependency back to the external configuration files and the question should be brought up to the SAST vendor.
Service-oriented architecture – SOA broadly defines how two programs can communicate so that one program can perform operations for another. Think SOAP. Because there is a lot of flexibility in how SOA is implemented, a SAST data sheet won’t likely have a check box stating that SOA is supported, but SOA is sufficiently popular to be something to ask about from a SAST, and especially a SAST service.
The question of how deep to go into security analytics really should be answered by the threat modeling exercises but there is a fair amount of common sense involved as well. It’s best that business pressures don’t unduly affect this decision just as the hard cost of analysis should be justified with regard to the risk.
Can code be developed while under analysis? If the code has to be compiled and development halted while the analysis is undertaken, it will likely disrupt the creative flow and, if coders are idle, may cost a fair amount of money. Sure, the coders can study or work on other projects, but when the results of the scan come back, they will likely need to go back to the analyzed code to fix security-related flaws so the disruption happens twice. Fortunately, many SAST vendors will analyze while the product is under development, think spell checkers advising you along the way of potential mistakes that you may be making. Another consideration that is very important has to do with the dependencies of code as it is built. If code from three weeks ago needs to have a fundamental flaw fixed, it may require re-engineering many other parts of the code that have been built since based on assumptions that the flawed code was, in fact, not flawed. So it’s wise to insist on a SAST Tool that allows analysis while code is being built.
SAST solutions are good and getting better all the time. SAST will quickly go through all of the lines of code and usually make tracing problems back to the cause in the tree quick work. Patterns that come up usually are propagated on several branches, and much can be learned by the development team by seeing the results. But false positives abound in any automatic scanner at default settings, and tuning is a black art. Also, SAST generally does not deal with architectural issues or business logic flaws. These need to be addressed by human analysts. Let’s look at some suggestions of what to look for in a SAST product or service.
Configuration files really help to perform behavior modeling
Source code is clearer and can be faster, but may lack reality, the way an emulator does
System-oriented – binding between URI and code will help to determine which input parameters are associated with each vuln
Speed and depth could be the difference between professional service/research and automation, so be very clear on your ideals
Binary analysis has to be mapped into useful code for developers to work with it
Very difficult to decode once you’ve built on top of vulns