This document summarizes a talk given by Clare Nelson at OWASP on why some multi-factor authentication technology is irresponsible. Nelson discusses issues with the outdated NIST definition of multi-factor authentication and how some vendors rely on weak factors like SMS, biometrics, or location data. The talk argues for updated definitions of authentication factors and more responsible choices by vendors to better secure user accounts.
Stealth Mango and the Prevalence of Mobile Surveillanceware - Priyanka Aash
In this talk, we will unveil the new in-house capabilities of a nation-state actor who has been observed deploying both Android and iOS surveillance tooling, known as Stealth Mango and Tangelo. The actor behind these offensive capabilities has successfully compromised the devices of government officials and military personnel in numerous countries, with some directly impacting Western interests. Our research indicates this capability has been created by freelance developers who primarily release commodity spouse-ware but moonlight by selling their own custom surveillanceware to state actors. One such state actor has been observed deploying Stealth Mango, and this presentation will unveil the depth and breadth of their campaigns, detailing not only how we watched them grow and develop, test, QA, and deploy their offensive tooling, but also how operational security mistakes ultimately led to their attribution.
In the near future, privacy-preserving authentication methods will flood the market, and they will be based on Zero-Knowledge Proofs. IBM and Microsoft invested in these solutions many years ago.
Mobile Penetration Testing: Episode III - Attack of the Code - NowSecure
In the final installment of our mobile penetration testing trilogy, we dive deep to find security flaws in mobile apps by dissecting the code with reverse-engineering and code analysis.
Jerod Brennen - What You Need to Know About OSINT - centralohioissa
Open Source Intelligence Gathering (OSINT) is growing in popularity among attackers and defenders alike. When an attacker comes knocking on your network's front door, the warning lights go off in multiple systems (IDS, IPS, SIEM, WAF). More sophisticated attackers, however, spend considerable time gathering information using tools and techniques that never touch any of your systems. As a result, these attackers are able to execute their attacks and make off with proprietary data before you even know they are there. This presentation provides an introduction to many OSINT tools and techniques, as well as methods you can use to minimize your exposure.
Mobile Penetration Testing: Episode 1 - The Forensic Menace - NowSecure
This is Episode 1 of a trilogy on mobile penetration testing - forensic analysis of data at rest on the device.
Episode 2 - Return of the Network/Back-end
http://www.slideshare.net/nowsecure/mobile-penetration-testing-episode-ii-attack-of-the-code
Episode 3 - Attack of the Code
http://www.slideshare.net/nowsecure/mobile-penetration-testing-episode-iii-attack-of-the-code
How Android and iOS Security Enhancements Complicate Threat Detection - NowSecure
This is an encore presentation of NowSecure CEO Andrew Hoog’s talk “How Android and iOS Security Enhancements Complicate Threat Detection” from RSA Conference 2017. You'll learn about:
+ Five security enhancements in the Android and iOS platforms that present obstacles to defenders and incident responders
+ Tips on overcoming those challenges
+ The open-source Mobile Triage toolset that facilitates the collection of mobile threat and vulnerability data
According to Matthew Green, Zero-Knowledge Proofs are the most powerful tool cryptographers have ever devised. Find out why. Find out how ZKPs apply to identity proofing and authentication.
Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real-world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts' capability to detect and quickly mitigate advanced attacks.
This talk will introduce Zero-Knowledge Proofs (ZKPs) and explain why they are a key element in a growing number of privacy-preserving, digital-identity platforms. Clare will provide basic illustrations of ZKPs and leave the necessary mathematics foundations to the readers.
After this talk you will understand that there is a variety of ZKPs, it’s still early days, and why ZKP is such a perfect tool for digital identity platforms. This talk includes significant updates from the newly-organized ZKProof Standardization organization plus a signal of maturity: one of the first known ZKP vulnerabilities.
Clare will explain why ZKPs are so powerful, and why they are building blocks for a range of applications including privacy-preserving cryptocurrency such as Zcash, Ethereum, Artificial Intelligence, and older versions of Trusted Platform Modules (TPMs). The presentation includes many backup slides for future learning and researching, including four slides of references.
OWASP AppSec USA 2015, San Francisco
How do you stump a multi-factor authentication vendor? Ask for a threat model.
This talk will help developers as well as CISOs make better authentication decisions. When we raise the bar, everyone wins.
HACKING DIVERSITY
We talk a lot about why diversity is important and we are all familiar with the woeful inclusion stats. In this talk we will discuss why diversity is important from both the perspective of an organization’s bottom line and the individual contributor.
Dr. Fengmin Gong, Co-Founder and Chief Strategy Officer, presents why an ecosystem-based approach is necessary to defend against modern malware threats. Discussion continues with what it takes to implement cybersecurity using this approach. He also presents a number of use cases where multi-vendor products interacting in a security ecosystem provide the most effective protection for enterprises.
Presentation from 2018 RSA Conference
2018 could be the year we see the first battle of the AI bots. Cyber-criminals build systems that can ‘learn’ and adapt to defenses:
- Nachi worm: RPC vulnerability, Blaster removal and installed patches
- Mirai: a zombie malware strain that enslaved “Internet of Things” (IoT) devices
- Reaper and IoTroop: computer worms built to spread automatically, still to be unleashed
- Artificial intelligence researchers warn about internet-connected robots, with hundreds calling on governments to ban weaponized robots
Bots are becoming one of the fastest growing trends, with intelligent reasoning, messaging and conversational interfaces.
OSINT Black Magic: Listen who whispers your name in the dark!!! - Nutan Kumar Panda
Open Source Intelligence is the art of collecting information that is scattered across publicly available sources. With the evolution of social media and digital marketplaces, a huge amount of information is constantly generated on the Internet (sometimes even without our conscious consent). This is of great concern for organizations and businesses, as confidential data floating in the public domain may seriously harm their business integrity. Many recent hacks are related to internal source code disclosure, API key leakage, known vulnerabilities in third-party plugins, data dump leaks, etc. Based on experience and robust research in this domain, for this talk the speakers have created a tool that will help all kinds of organizations monitor cyberspace effectively without much investment. This tool is a simple but effective solution, capable of hearing digital whispers that are usually missed or ignored but shouldn’t be.
A session on 'Public Policy' with the entrepreneurship club at IIT Delhi. This session was more about sharing experience than a theoretical perspective, focused on budding talents interested in public policy research.
As German defense minister Ursula von der Leyen can attest, fingerprints can be hacked. So can facial and other biometrics. Why, then, is biometric-based authentication so fashionable? Why did one of the largest insurance companies just announce it is rolling out fingerprint and facial recognition for its customers (while it uses Symantec VIP for internal employees)? Did product management and marketing conduct a study that concluded customers feel safer with fingerprint and facial recognition?
Apple’s Touch ID, and VISA’s integration with it are shaping the fashionable trend faster than a Milan runway. Hopefully these short hemlines will fade soon. Apple’s senior vice president, Dan Riccio, irresponsibly claims, “Fingerprints are one of the best passwords in the world.” He probably understands it is easy to reset a password. He probably does not understand how hard it is to reset his fingerprints. Truly the inmates are running the asylum.
Did you know that today's cyber threat landscape costs companies BILLIONS in damages each year?
We want to help protect your company, employees and customers from the rising threat landscape!
This presentation includes:
• The state of cybersecurity and the threat landscape
• How a threat-focused approach is changing the ability to detect and respond to breaches
• How to develop a security game plan around a proven process
• How to automatically defend your network with Cisco’s Advanced Malware Protection (AMP)
http://www.utgsolutions.com/solutions/security-compliance
Ending the Tyranny of Expensive Security Tools - SolarWinds
A long time ago, in a galaxy far far away, AV was invented. Then firewalls and IDS and SIEM and NAC and DLP and on and on. With all these products, it seems like a career in information security is really more about managing tools than defeating a galactic empire of hackers and miscreants. But like the Rebel Alliance, you can take back your enterprise, because many of our existing monitoring systems and network devices also have security functionality. Moreover, there are many excellent open source applications that work just as well as commercial ones.
You don't always have to buy something expensive to provide security functionality. After all, a security professional's job isn't to manage tools, but to solve problems. This presentation talks about how to use open source and existing monitoring tools to meet an organization's security needs.
BSides Boston and RI 2013
Video (BSides RI: http://www.irongeek.com/i.php?page=videos/bsidesri2013/2-0-booting-the-booters-stressing-the-stressors-allison-nixon-and-brandon-levene)
Abstract: This presentation discusses multi-factor authentication, and what to look for if you are planning a product refresh, or implementing a solution for the first time. Since there are over 200 vendors, it is not easy to select the best solution for your needs. The goal of this presentation is to arm you with questions to ask, plus identify some suboptimal technologies to avoid. Your feedback to vendors will help them provide better, more secure products and services.
SplunkLive! Amsterdam 2015 - Analytics based security breakout - Splunk
Splunk products provide a flexible and fast security intelligence platform that makes security personnel and processes more efficient by providing quick and flexible access to all of the data and information needed to detect, investigate and remediate threats. This presentation will discuss best practices for building out or enhancing an analytics based security strategy and how Splunk products can make people, process, and technology work better together.
Splunk for Enterprise Security Featuring UBA - Splunk
This session will review Splunk’s two premium solutions for information security organizations: Splunk for Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk ES is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments – allowing you to quickly detect and respond to external and internal attacks, simplifying threat management while decreasing risk. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams. We’ll discuss each solution and see them integrated and in action through detailed demos.
This talk revisits the 2016 Mirai attack which targeted IoT devices including IP cameras, WiFi-connected refrigerators, home routers, and more. The resulting botnet was used to attack Dyn’s DNS platform, which affected many websites including Twitter, SoundCloud, Airbnb, and Spotify.
You will learn and discuss the answers to these questions and more:
• What is the current state of Mirai and Mirai variants?
• What Distributed Denial of Service (DDoS) defenses do you have in place?
• How can you prepare to detect and defend against botnet malware?
• What is recommended in the September 2018 NISTIR Draft, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks?
Presentation for September 2017 ISC2 Security Congress
Biometric Recognition for Multi-Factor Authentication
- Biological and Behavioral Biometrics
- Benefits and Issues
- What Every CISO Should Know
- Laws, Standards, and Guidelines
- How to Measure Biometric Recognition
- Attack Vectors
- Multimodal Biometric Recognition
- Continuous Authentication with Biometrics
- Face ID Update
- The Future
Talk for Austin ISSA
What’s more accurate, face or iris?
What’s more secure, password or biometrics?
Is the US legal system up to the challenge?
Impact of EU GDPR and PSD2
Does NIST provide quantitative anti-spoofing requirements?
Will ISO/IEC define how to evaluate anti-spoofing for mobile devices?
Panel 4: Beyond Bugs: Embracing Security Features
How can startups go beyond bug hunting to implementing security features? This panel will consider how startups can overcome development challenges, such as impacts on performance, to embrace security features — like site-wide SSL/TLS, Content Security Policy, and multifactor authentication — that can protect consumers from threats proactively and help eliminate entire classes of vulnerabilities.
Moderator:
Katherine McCarron
Division of Privacy and Identity Protection, FTC
Panelists:
Robert Hansen
Vice President of WhiteHat Labs
WhiteHat Security
Clare Nelson
CEO
ClearMark Consulting
Caleb Queern
Manager
KPMG Cyber
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 - Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs - Alex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... - DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... - UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
The New Frontiers of AI in RPA with UiPath Autopilot™ - UiPathCommunity
In this free online event, organized by the Italian UiPath Community, you can explore the new features of Autopilot, the tool that integrates Artificial Intelligence into the development and use of automations.
📕 Together we will look at some examples of using Autopilot in different tools of the UiPath Suite:
Autopilot for Studio Web
Autopilot for Studio
Autopilot for Apps
Clipboard AI
GenAI applied to Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
Transcript: Selling digital books in 2024: Insights from industry leaders - T... - BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
UiPath Test Automation using UiPath Test Suite series, part 4 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
LASCON 2015
1. www.owasp.org
The Inmates Are Running the Asylum
Why Some Multi-Factor Authentication Technology is Irresponsible
Clare Nelson, CISSP
clare.nelson@owasp.org
@Safe_SaaS
October 22, 2015
Austin, TX
2. www.owasp.org
Clare Nelson, CISSP
Independent: not an analyst, not with a vendor
• Scar tissue
– Encrypted TCP/IP variants for NSA
– Product Management at DEC (HP), EMC2
– Director Global Alliances at Dell, Novell (IAM)
– VP Business Development, MetaIntelli (Mobile Security)
– CEO ClearMark, MFA Technology and Architecture
• 2001 CEO ClearMark Consulting
• 2014 Co-founder C1ph3r_Qu33ns
• 2015 April, ISSA Journal, Multi-Factor Authentication: What to Look For
• Talks: OWASP AppSec USA, HackFormers, BSides, LASCON; clients including Fortune 500 financial services, Identity Management
• B.S. Mathematics
3. www.owasp.org
Scope
• External customers, consumers
– Not internal employees, no hardware tokens
– IoT preview
• No authentication protocols
– OAuth, OpenID, UMA, SCIM, SAML
• United States
– EU regulations
o France: legal constraints for biometrics
§ Need authorization from National Commission for Informatics and Liberty (CNIL)1
– India: e-commerce Snapdeal, Reserve Bank of India
o Move from two-factor to single-factor authentication for transactions less than Rs. 3,0002
1Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
2Source: http://economictimes.indiatimes.com/industry/services/retail/snapdeal-for-single-factor-authentication-for-low-value-deals/articleshow/46251251.cms
4. www.owasp.org
NIST Definition1
Origin of definition?
• NIST: might be Gene Spafford, or “ancient lore”2
– @TheRealSpaf, “Nope — that's even older than me!”3
– 1970s? NSA? Academia?
1Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
2Source: February 26, 2015 email response from a NIST SP 800-63-2 author
3Source: February 27, 2015 response from @TheRealSpaf (Gene Spafford)
5. www.owasp.org
How can one write a guide based on a definition of unknown, ancient origin?
How can you implement MFA without a current, coherent definition?
Photo: The Thinker by Auguste Rodin, https://commons.wikimedia.org/wiki/File:Auguste_Rodin-The_Thinker-Legion_of_Honor-Lincoln_Park-San_Francisco.jpg
6. www.owasp.org
NIST versus New Definitions
Multi-Factor Authentication (MFA) Factors:
• Knowledge
• Possession
– Mobile device identification
• Inherence
– Biometrics: Physical or Behavioral
• Location
– Geolocation
– Geofencing
– Geovelocity
• Time1
NIST: Device identification, time, and geo-location could be used to challenge an identity; but “they are not considered authentication factors”2
1Source: http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA
2Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
7. www.owasp.org
Authentication in an Internet Banking Environment
• OUT: Simple device identification
• IN: Complex device identification, “digital fingerprinting” using PC configuration, IP address, geo-location, other factors
– Implement time of day restrictions for funds transfers
– Consider keystroke dynamics, biometric-based responses1
“…virtually every authentication technique can be compromised”
1Source: https://www.fdic.gov/news/news/press/2011/pr11111a.pdf
8. www.owasp.org
Why 200+ MFA Vendors?
Authentication has been the Holy Grail since the early days of the Web.1
The iPhone of Authentication has yet to be invented.2
1Source: http://sciencewriters.ca/2014/03/26/will-your-brain-waves-become-your-new-password/
2Source: Clare Nelson, February 2015.
9. www.owasp.org
Suboptimal Choices
Authentication Factors/Technology
1. Biometrics, 2D fingerprint
2. Short Message Service (SMS)
– One-Time Password (OTP)
3. Quick Response (QR) codes
4. JavaScript (behavioral biometrics)
5. Overreliance on GPS, insufficient geolocation data
6. Weak, arcane, account recovery
7. Assumption mobile devices are secure
8. Encryption (without disclaimers)
– Quantum computing may break RSA or ECC by 20301
• Update on NSA’s $80M Penetrating Hard Targets project2
– Encryption backdoors, is it NSA-free and NIST-free cryptography?
– “No mysterious constants or ‘magic numbers’ of unknown provenance”3
1Source: January 18, 2015: Ralph Spencer Poore, cryptologist, Austin ISSA guest lecturer
2Source: http://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could-crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_story.html
3Source: https://www.grc.com/sqrl/sqrl.htm
10. www.owasp.org
Irrational Exuberance of Biometric Adoption
Juniper Research:
• By 2019, 770 million apps that use biometric authentication will be downloaded annually
- Up from 6 million in 2015
• Fingerprint authentication will account for an overwhelming majority
- Driven by increase of fingerprint scanners in smartphones1
Samsung Pay
1Source: http://www.nfcworld.com/2015/01/22/333665/juniper-forecasts-biometric-authentication-market/
13. www.owasp.org
2D Fingerprint Hacks
• Starbug, aka Jan Krissler
• 2014: Cloned fingerprint of German Defense Minister, Ursula Von der Leyen
– From photographs1,2
• 2013: Hacked Apple’s Touch ID on iPhone 5S ~24 hours after release in Germany
– Won IsTouchIDHackedYet.com competition3
• 2006: Published research on hacking fingerprint recognition systems4
1Source: https://www.youtube.com/watch?v=vVivA0eoNGM
2Source: http://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/
3Source: http://istouchidhackedyet.com
4Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
15. www.owasp.org
Android: Remote Fingerprint Theft at Scale1
“…hackers can remotely steal fingerprints without the owner of the device ever knowing about it. Even more dangerous, this can be done on a ‘large scale.’”2
1Source: https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Fingerprints-On-Mobile-Devices-Abusing-And-Leaking-wp.pdf
2Source: http://www.forbes.com/sites/thomasbrewster/2015/04/21/samsung-galaxy-s5-fingerprint-attacks/
Diagram: Hardware / User Space / Kernel Space
16. www.owasp.org
Krissler versus Riccio
“Don't use fingerprint recognition systems for security relevant applications!”1 – Jan Krissler (Starbug)
“Fingerprints are one of the best passwords in the world.”2 – Dan Riccio, SVP, Apple
1Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
2Source: http://www.imore.com/how-touch-id-works
Photo: http://www.mirror.co.uk/news/world-news/revealed-ni-believed-legendary-fight-3181991
18. www.owasp.org
Behavioral Biometrics: Invisible Challenge
• Analyze hundreds of bio-behavioral, cognitive and physiological parameters
– Invisible challenge
– No user interaction for step-up authentication
– How you find missing cursor1
1Source: http://www.biocatch.com
19. www.owasp.org
Biometrics: In Use, Proposed
• Fingerprints 2D, 3D via ultrasonic waves
• Palms, their prints and/or the whole hand (feet?)
• Signature
• Keystroke, art of typing, mouse, touch pad
• Voice
• Iris, retina, features of eye movements
• Face, head – its shape, specific movements
• Ears, lip prints
• Gait, Odor, DNA
• ECG (Bionym’s Nymi wristband, smartphone, laptop, car, home security)
• EEG1
• Methods: Pills, Tattoos
• Smartphone/behavioral: AirSig authenticates based on g-sensor and gyroscope, how you write your signature in the air2
1Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
2Source: http://www.airsig.com
Digital Tattoo: http://motorola-blog.blogspot.com/2014/07/-unlock-your-moto-x-with-a-digital-tattoo.html
20. www.owasp.org
“Thought Auth”1
EEG Biosensor
• MindWave™ headset2
• Measures brainwave signals
• EEG monitor
• International Conference on Financial Cryptography and Data Security3
1Source: Clare Nelson, March 2015
2Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/
3Source: http://www.technewsworld.com/story/77762.html
22. www.owasp.org
How do you stump an MFA vendor?
Ask for a threat model.
Photo: http://www.huffingtonpost.co.uk/2015/08/09/parents-reveal-why-question-woes_n_7963152.html
23. www.owasp.org
“Fingerprints are Usernames, Not Passwords”
“… biometrics cannot, and absolutely must not, be used to authenticate an identity”1 – Dustin Kirkland, Ubuntu Cloud Solutions Product Manager and Strategist at Canonical
1Source: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
24. www.owasp.org
@drfuture on Biometrics
Hidden Risks
• Biometric reliability and the perception of it
• Lack of discussion of the consequences of errors
• Biometric data’s irreversibility and the implications
• Our biometrics can be grabbed without our consent
• Our behavior can rat us out – sometimes incorrectly
• Giving our biometric and behavioral data may be (de facto) mandatory
• Biometric data thieves and aggregators1
Diagram: accuracy of a biometric system versus decision threshold (axis label: Threshold)
1Source: https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them.pdf
Diagram Source: http://security.stackexchange.com/questions/57589/determining-the-accuracy-of-a-biometric-system
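The "reliability" and "consequences of errors" points above come down to where the decision threshold sits on that diagram. As an added example that is not part of the talk, the Python below computes the false accept rate (FAR) and false reject rate (FRR) over a constructed, seeded set of genuine and impostor match scores, sweeps the threshold to the equal-error point, and multiplies a per-attempt FAR out to the number of wrongful accepts to expect at scale. The score range, the accept rule (score >= threshold) and the two distributions are assumptions made for the example.

```python
"""Biometric decision threshold versus error rates (added example, not from the talk).

Assumptions, not taken from the slides: match scores lie in [0, 1], a higher score
means a closer match, and a sample is accepted when score >= threshold. The score
samples are constructed with a seeded RNG purely for illustration.
"""
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ErrorRates:
    threshold: float
    far: float  # false accept rate: fraction of impostor scores accepted
    frr: float  # false reject rate: fraction of genuine scores rejected


def error_rates(genuine: list[float], impostor: list[float], threshold: float) -> ErrorRates:
    """FAR and FRR at one threshold. Accept iff score >= threshold."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return ErrorRates(threshold, far, frr)


def equal_error_rate(genuine: list[float], impostor: list[float], steps: int = 1000) -> ErrorRates:
    """Sweep the threshold over the observed score range and return the
    operating point where FAR and FRR are closest (the EER point)."""
    lo, hi = min(genuine + impostor), max(genuine + impostor)
    best: ErrorRates | None = None
    for i in range(steps + 1):
        t = lo + (hi - lo) * i / steps
        r = error_rates(genuine, impostor, t)
        if best is None or abs(r.far - r.frr) < abs(best.far - best.frr):
            best = r
    assert best is not None
    return best


def expected_false_accepts(far: float, impostor_attempts: int) -> float:
    """The 'consequence of errors' the slide asks about: a FAR that sounds
    negligible per attempt still yields far * attempts wrongful accepts."""
    return far * impostor_attempts


def constructed_scores(seed: int = 1, n: int = 2000) -> tuple[list[float], list[float]]:
    """Constructed sample: genuine matches cluster high, impostors cluster low,
    with overlapping tails so that no threshold is error-free."""
    rng = random.Random(seed)

    def clamp(x: float) -> float:
        return min(1.0, max(0.0, x))

    genuine = [clamp(rng.gauss(0.75, 0.10)) for _ in range(n)]
    impostor = [clamp(rng.gauss(0.35, 0.12)) for _ in range(n)]
    return genuine, impostor


if __name__ == "__main__":
    g, i = constructed_scores()
    for t in (0.45, 0.55, 0.65):
        r = error_rates(g, i, t)
        print(f"threshold={t:.2f}  FAR={r.far:.4f}  FRR={r.frr:.4f}")
    eer = equal_error_rate(g, i)
    print(f"EER point: threshold={eer.threshold:.3f}  FAR={eer.far:.4f}  FRR={eer.frr:.4f}")
    print("false accepts per 1M impostor attempts at EER:",
          expected_false_accepts(eer.far, 1_000_000))
```

Tightening the threshold lowers FAR and raises FRR; the EER is only a convenient summary, and a vendor threat model should say which side of it the product is tuned to and what an attacker with stolen templates (the OPM point on the next slide) does to the impostor distribution.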
25. www.owasp.org
What Will Cause Biometric Backlash?
1. Difficult to reset, revoke
2. Exist in public domain, and elsewhere (5.6M+ fingerprints stolen in 2015 OPM breach1)
3. May undermine privacy, make identity theft more likely2
4. Persist in government and private databases, accreting information whether we like it or not3
5. Hygiene (e.g., Bank of America hand geometry scanner for safe deposit box room entry)
6. User acceptance or preference varies by geography, demographic
1Source: http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html
2Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
3Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/
Photo: http://www.rineypackard.com/facial-recognition.php
26. www.owasp.org
SMS OTP Attacks
• Intel’s Dmitrienko, et al
- Circumvented SMS OTP of 4 large banks1
• Northeastern University and Technische Universität Berlin
- “SMS OTP systems cannot be considered secure anymore”2
• SMS OTP threat model
- Physical access to phone
- SIM swap attack
- Wireless interception
- Mobile phone trojans3
1Source: http://www.christian-rossow.de/publications/mobile2FA-intel2014.pdf
2,3Source: https://www.eecs.tu-berlin.de/fileadmin/f4/TechReports/2014/tr_2014-02.pdf
29. www.owasp.org
QR Code Risks1
Example: two-factor authentication
• User captures QR code with mobile device
• User enters PIN code to log on, or validate transaction2
QR code redirects user to URL
• Even if the URL is displayed, not everyone reads it
• Could link to a malicious website
1Source: http://www.csoonline.com/article/2133890/mobile-security/the-dangers-of-qr-codes-for-security.html
2Source: https://www.vasco.com/products/client_products/software_digipass/digipass_for_mobile.aspx
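The mitigation for the redirect risk is to treat a scanned QR payload as data to be validated, never as a link to open. The Python below is an added example, not part of the talk and not the code of any product named on this slide. It assumes a hypothetical payload format, mfa://challenge?site=...&nonce=...&ts=...&sig=..., signed with a per-enrolment HMAC key that the authenticator app shares with the server, an allowlist of enrolled sites, and a 120-second freshness window; every one of those names and values is an assumption made for the example. An http(s) URL, a challenge for a site the app is not enrolled with, a stale challenge, or a tampered field is rejected with a reason instead of being followed.

```python
"""Verify a scanned QR payload before acting on it (added example, not from the talk
or from any vendor product it names).

Assumptions, not taken from the slides: the authenticator app and the server share
a per-enrolment HMAC key; a login/transaction challenge is encoded as
mfa://challenge?site=...&nonce=...&ts=...&sig=...; the app only pairs with sites in
ALLOWED_SITES and never opens a scanned http(s) URL, so a QR code pointing at a
malicious website is rejected rather than followed.
"""
from __future__ import annotations

import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

ALLOWED_SITES = {"bank.example"}  # assumption: relying parties this app is enrolled with
MAX_AGE_SECONDS = 120             # assumption: challenge freshness window


def _signature(key: bytes, site: str, nonce: str, ts: int) -> str:
    """HMAC-SHA256 over the fields the server commits to."""
    msg = f"{site}|{nonce}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_challenge(key: bytes, site: str, nonce: str, ts: int) -> str:
    """Server side: build the payload that gets rendered as a QR code."""
    query = urlencode({"site": site, "nonce": nonce, "ts": ts,
                       "sig": _signature(key, site, nonce, ts)})
    return f"mfa://challenge?{query}"


def verify_qr_payload(payload: str, key: bytes, now: int | None = None) -> tuple[bool, str]:
    """App side: return (accepted, reason). Accept only a fresh, correctly signed
    challenge for a site we are enrolled with; never treat the payload as a URL to open."""
    now = int(time.time()) if now is None else now
    try:
        url = urlparse(payload)
    except ValueError:
        return False, "unparseable payload"
    if url.scheme != "mfa" or url.netloc != "challenge":
        return False, "not a challenge payload (URLs are never opened)"
    fields = parse_qs(url.query)
    try:
        site = fields["site"][0]
        nonce = fields["nonce"][0]
        ts = int(fields["ts"][0])
        sig = fields["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed field"
    if site not in ALLOWED_SITES:
        return False, f"site {site!r} not enrolled"
    if abs(now - ts) > MAX_AGE_SECONDS:
        return False, "challenge expired"
    # Recompute the MAC over the parsed fields; constant-time compare.
    if not hmac.compare_digest(sig, _signature(key, site, nonce, ts)):
        return False, "bad signature"
    return True, f"ok: {site} nonce={nonce}"


if __name__ == "__main__":
    key = b"constructed-shared-key"  # constructed; per-enrolment in practice
    ts = 1_700_000_000
    good = make_challenge(key, "bank.example", "n0nce", ts)
    for label, payload in [("genuine", good),
                           ("phishing URL", "https://evil.example/login"),
                           ("re-targeted", good.replace("bank.example", "evil.example"))]:
        print(f"{label:13s} -> {verify_qr_payload(payload, key, now=ts + 30)}")
```

The nonce is what the server later matches the user's PIN entry against; binding the site and timestamp under the MAC is what stops a captured QR code from being replayed or re-pointed at another relying party.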
30. www.owasp.org
Geolocation
• Are latitude and longitude sufficient?
• Digital Authentication Technologies: Contextual Location Fingerprint™1
– Not based on geo-location
• Issues in buildings
• Error rates
• GPS spoofing2
• Cellphone power meter can be turned into a GPS3
• PowerSpy: Android phone’s geolocation by tracking its power use over time
– Unlike GPS or Wi-Fi location tracking, available to any installed app without user’s permission4
1Source: http://www.dathq.com/OurStrategy.aspx
2Source: http://news.utexas.edu/2013/07/29/ut-austin-researchers-successfully-spoof-an-80-million-yacht-at-sea
3Source: Dan Boneh, quoted in http://cacm.acm.org/magazines/2015/9/191171-qa-a-passion-for-pairings/abstract
4Source: http://www.wired.com/2015/02/powerspy-phone-tracking/
33. www.owasp.org
What’s Wrong with Mobile Device as Authentication Device?
MetaIntelli research: sample of 38,000 mobile apps, 67% had M3 (OWASP Mobile Top 10 risk M3, Insufficient Transport Layer Protection)
Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks
Source: http://metaintelli.com/blog/2015/01/06/industry-first-metaintelli-research-discovers-large-number-of-mobile-apps-affected-by-owasp-mobile-top-10-risks/
34. www.owasp.org
MFA Double Standard1
Consumers
• Facial and voice for mobile login2
Employees
• Symantec VIP3
1Source: http://cdn.themetapicture.com/media/funny-puppy-poop-double-standards.jpg
2Source: http://www.americanbanker.com/news/bank-technology/biometric-tipping-point-usaa-deploys-face-voice-recognition-1072509-1.html
3Source: http://www.slideshare.net/ExperianBIS/70-006identityauthenticationandcredentialinginpractice
36. www.owasp.org
FIDO Alliance
• Fast ID Online (FIDO) Alliance
• Proponent of interoperability
– Universal 2nd Factor (U2F)
– Universal Authentication Framework (UAF)
• Triumph of marketing over technology
• Store secrets on device (Android phone), versus hardened server
• Network-resident versus device-resident biometrics
– FIDO advocates device-resident
• Problems, especially with voice1
1Source: January 2015, “Network vs Device Resident Biometrics,” ValidSoft
37. www.owasp.org
“Legacy thinking subverts the security of a well-constructed system”1 – David Birch, Digital Money and Identity Consultant, Author of Identity is the New Money2
1Source: https://www.ted.com/talks/david_birch_identity_without_a_name?language=en#t-112382
2Source: http://www.amazon.com/Identity-Is-New-Money-Perspectives/dp/1907994122
39. www.owasp.org
OWASP IoT Top 101
A1: Insecure Web Interface
A2: Insufficient Authentication, Authorization
A3: Insecure Network Services
A4: Lack of Transport Encryption
A5: Privacy Concern
A6: Insecure Cloud Interface
A7: Insecure Mobile Interface
A8: Insecure Security Configurability
A9: Insecure Software / Firmware
A10: Poor Physical Security
1Source: http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014
40. www.owasp.org
IoT Predictions
Creative Cryptography, Uneven Protocol Adoptions
• Enhanced Privacy ID (EPID®)
– "Implementing Intel EPID offers IoT designers …proven security options”1
– Unlike PKI’s one-to-one mapping of public and private key pairs, EPID uses a one-to-many mapping of one public key to many private keys
• Autobahn to dirt road
– E.g., HTTPS to Constrained Application Protocol (CoAP) with OAuth2, OpenID, UMA
– Different implementation constraints
– “Security of these … mechanisms is highly dependent on the ability of the programmers creating it.”2
1Source: http://www.prnewswire.com/news-releases/atmel-collaborates-with-intel-on-epid-technology-to-enable-more-secure-iot-applications-300130062.html
2Source: Using OAuth for Access Control on the Internet of Things, Windley, 2015
41. www.owasp.org
Consider Risk-Based Authentication (aka Context-Based Authentication, Adaptive Authentication)
• Device registration and fingerprinting
• Source IP reputation data
• Identity store lookup
• Geo-location, geo-fencing, geo-velocity
• Behavioral analysis1
• Analytics, machine learning, continuous authentication2
Layer multiple contextual factors. Build a risk profile.
1Source: http://www.darkreading.com/endpoint/authentication/moving-beyond-2-factor-authentication-with-context/a/d-id/1317911
2Source: Clare Nelson, August 2015
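To make the layering concrete, and to show the slide 7 points on device fingerprinting and time-of-day restrictions for funds transfers in the same place, here is an added Python example that is not part of the talk. It scores one authentication attempt from device registration, source IP reputation, geo-velocity between the previous and current observation (great-circle distance over elapsed time) and a UTC transfer window, then maps the score to allow / step_up / deny. The weights, score bands, the 1000 km/h impossible-travel cutoff, the 06:00-22:00 UTC transfer window and the Austin/London sample observations are all constructed assumptions, not policy from the slides.

```python
"""Layered, context-based risk scoring for one authentication attempt.

Added example, not from the talk. All policy values (weights, score bands,
the 1000 km/h impossible-travel cutoff, the 06:00-22:00 UTC transfer window)
and the Austin/London observations are constructed assumptions.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_KM = 6371.0
IMPOSSIBLE_TRAVEL_KMH = 1000.0     # assumption: no traveller moves faster than this
TRANSFER_HOURS_UTC = range(6, 22)  # assumption: funds transfers allowed 06:00-21:59 UTC
STEP_UP_AT, DENY_AT = 30, 70       # assumption: score bands for the decision


@dataclass(frozen=True)
class Observation:
    lat: float
    lon: float
    at: datetime  # timezone-aware


@dataclass(frozen=True)
class Context:
    action: str                   # "login" or "transfer"
    device_registered: bool       # device fingerprint previously enrolled?
    ip_reputation: float          # 0.0 clean .. 1.0 known-bad, from a reputation feed
    current: Observation
    previous: Observation | None  # last successful authentication, if any


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def geo_velocity_kmh(prev: Observation, curr: Observation) -> float:
    """Speed implied by two observations; inf if the clock did not advance."""
    km = haversine_km(prev.lat, prev.lon, curr.lat, curr.lon)
    hours = (curr.at - prev.at).total_seconds() / 3600.0
    if hours <= 0:
        return math.inf if km > 0 else 0.0
    return km / hours


def risk_score(ctx: Context) -> tuple[int, list[str]]:
    """Layer the contextual factors into one score and the reasons behind it."""
    score = 0
    reasons: list[str] = []
    if not ctx.device_registered:
        score += 30
        reasons.append("unregistered device")
    if ctx.ip_reputation >= 0.8:
        score += 40
        reasons.append("known-bad source IP")
    elif ctx.ip_reputation >= 0.5:
        score += 20
        reasons.append("suspicious source IP")
    if ctx.previous is not None:
        velocity = geo_velocity_kmh(ctx.previous, ctx.current)
        if velocity > IMPOSSIBLE_TRAVEL_KMH:
            score += 40
            reasons.append(f"impossible travel ({velocity:.0f} km/h)")
    hour_utc = ctx.current.at.astimezone(timezone.utc).hour
    if ctx.action == "transfer" and hour_utc not in TRANSFER_HOURS_UTC:
        score += 20
        reasons.append("transfer outside allowed hours")
    return score, reasons


def decide(ctx: Context) -> str:
    """Map the layered score to allow / step_up / deny."""
    score, _ = risk_score(ctx)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def constructed_scenarios() -> dict[str, Context]:
    """Constructed sample attempts (not real users or traffic)."""
    t = datetime(2015, 10, 22, 2, 0, tzinfo=timezone.utc)
    austin_2am = Observation(30.27, -97.74, t)
    london_3am = Observation(51.51, -0.13, t + timedelta(hours=1))
    austin_3pm = Observation(30.27, -97.74, t + timedelta(hours=13))
    austin_yesterday = Observation(30.27, -97.74, t - timedelta(hours=11))
    return {
        # enrolled device, clean IP, same city as yesterday, daytime login
        "routine_login": Context("login", True, 0.0, austin_3pm, austin_yesterday),
        # enrolled device, clean IP, but London one hour after Austin and a 03:00 UTC transfer
        "impossible_travel_transfer": Context("transfer", True, 0.1, london_3am, austin_2am),
        # unknown device from a known-bad IP after impossible travel
        "hostile_login": Context("login", False, 0.9, london_3am, austin_2am),
    }


if __name__ == "__main__":
    for name, ctx in constructed_scenarios().items():
        score, reasons = risk_score(ctx)
        print(f"{name:28s} score={score:3d} -> {decide(ctx):7s} {reasons}")
```

The reasons list is as important as the score: it is what the step-up prompt, the fraud analyst and the vendor's threat model all need, and it is what the slide 30 caveats (indoor error, GPS spoofing) degrade when geolocation is over-weighted.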
42. www.owasp.org
What You Can Do (1 of 2)
• Request threat models from MFA vendors
• Beware
– 2D fingerprints
– Already-hacked biometrics
– QR codes
– SMS OTP
– JavaScript requirements
– Overreliance on geolocation
– Weak account recovery
– Lack of mobile device risk analysis
– Encryption with backdoors
Comic: Greg Larson, https://www.pinterest.com/pin/418834834066762730/
43. www.owasp.org
What You Can Do (2 of 2)
• Do not be swayed by latest InfoSec fashion trends
– Apple Touch ID
• Integration with VISA
• Samsung Pay
– FIDO Alliance
• Rethink MFA definition
– Beware of odd interpretations
• Authentication as a continuous process
– Not just login and transactions
– Cross-channel risk
• Depending on risk and use case, chain or combine
– MFA + (location, time, device ID) + context-based analytics
Photo: http://northonharper.com/2014/04/wish-list-mini-midi-maxi/
44. www.owasp.org
Questions?
Clare Nelson, CISSP
clare.nelson@owasp.org
@Safe_SaaS
October 22, 2015
Austin, TX
46. www.owasp.org
Additional References (1 of 3)
• Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015)
• Wouk, Kristofer; Flaw in Samsung Galaxy S5 Could Give Hackers Access to Your Fingerprints, http://www.digitaltrends.com/mobile/galaxy-s5-fingerprint-scanner-flaw/ (April 2015)
• IDC Technology Spotlight, sponsored by SecureAuth, Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
• Six technologies that are taking on the password, UN/HACKABLE, Medium
• Barbir, Abbie, Ph.D; Multi-Factor Authentication Methods Taxonomy, http://docslide.us/documents/multi-factor-authentication-methods-taxonomy-abbie-barbir.html (2014)
• Nelson, Clare; Multi-Factor Authentication: What to Look For, Information Systems Security Association (ISSA) Journal, http://www.bluetoad.com/publication/?i=252353 (April 2015)
47. www.owasp.org
Additional References (2 of 3)
• Keenan, Thomas; Hidden Risks of Biometric Identifiers and How to Avoid Them, University of Calgary, Black Hat USA, https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them-wp.pdf (August 2015)
• Pagliery, Jose; OPM hack’s unprecedented haul: 1.1 million fingerprints, http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html (July 2015)
• Bonneau, Joseph, et al; Passwords and the Evolution of Imperfect Authentication, Communications of the ACM, Vol. 58, No. 7 (July 2015)
• White, Conor; CTO Daon, Biometrics and Cybersecurity, http://www.slideshare.net/karthihaa/biometrics-and-cyber-security (2009, published 2013)
• Gioria, Sébastien; OWASP IoT Top 10, the life and the universe, http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014 (December 2014)
49. www.owasp.org
"A rose by any other name would smell as sweet”1
• Adaptive authentication
• Multi-modal authentication
• Continuous authentication
• 2FA, TFA, Two-factor authentication
• Multi-factor authentication
• Strong authentication
– United States: Many interpretations, depends on context
– European Central Bank (ECB): strong authentication, or strong customer authentication, set of specific recommendations2
• Apple: Two-step authentication
• Multi-step authentication
• SecureAuth: Adaptive, risk-based, context-based authentication
• IDC: advanced authentication, dynamic user authentication, multiform authentication, multiframe authentication, standard authentication, traditional authentication
– Traditional authentication: authenticate at beginning of session
– Dynamic authentication: users may be asked to authenticate at “various points during a session, for various reasons”3
• Step-up authentication
• Re-Authentication
• Out-of-Band Authentication
1Source: Shakespeare, Romeo and Juliet, http://shakespeare.mit.edu/romeo_juliet/romeo_juliet.2.2.html
2Source: https://www.ecb.europa.eu/press/pr/date/2013/html/pr130131_1.en.html
3Source: IDC Technology Spotlight, sponsored by SecureAuth, Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
50. www.owasp.org
Advice for Startups
• For startup internal employees:
– www.gluu.org, 100% open source and open standards
– Many offer free service for a small team
• Apersona free up to 5 users: http://www.apersona.com/#!pricing/c1c8c
• Duo free up to 10 users: https://www.duosecurity.com/
• Build authentication into your products
– Originally cars did not have seat belts. In the future, authentication will be designed in.