In this talk I will attempt to share my experience of over 10 years conducting Web Application security assessments. I will present the current panorama of Web application security practices and talk about what we are doing well and how we can do better. Also, Web 2.0 has sparked a “social revolution” of the Web; how can security benefit from that revolution?
Presented at https://www.owasp.org/index.php/OWASP_IBWAS10
Man vs Internet - Current challenges and future tendencies of establishing tr...
Luis Grangeia
This talk will address a fundamental challenge in information security: Authentication, or how to establish trust between a user and their collection of devices and internet services.
I will start by describing the current state of play: a regular user typically has at least one computer and a smartphone; each individual is then subscribed to tens or sometimes hundreds of Internet services which are accessed using these devices. Even these services are interconnected with trust relations, such as email accounts that receive password reset tokens. Some of these relations are not so obvious...
The complexity of this arrangement is rising so fast that it's getting harder for end users (even power users) to cope with all of its security implications. Most users will not have any strategy to manage their security, using the same password for all services and devices; but even most power users such as infosec professionals make mistakes that can be exploited.
I will illustrate the current scenario with a dissection of the Mat Honan hack and my own experience mapping the interconnections between my own devices and services.
I will then attempt to provide a strategy to schematize and improve the level of trust between users and devices / services, analysing ad-hoc strategies by power users and provide the tools to create a personal strategy.
Finally I’ll look into the future of authentication, and what this Tangled Web might bring us: mutual authentication between devices, the future of two factor, the role of social networks, location based authentication, behaviour based trust, trust federation.
Matt Nelson, SpecterOps
A persistent "enlightened" attacker will invest the required resources to bypass any and all security features that might stand between them and their objective, regardless of whether these features are guaranteed to be serviced as security boundaries or not. This includes researching and developing attacks against Windows security features that may impose a hurdle in their attack chain. This talk will outline recent research into features such as User Account Control (UAC), the Antimalware Scan Interface (AMSI) and Device Guard and how these bypasses are useful to attackers in an operational context.
Some examples include:
UAC: If an attacker compromises a user that is running as a split-token administrator, bypassing UAC is required in order to perform any administrative actions, such as dumping credentials from memory.
AMSI: With in-memory attacks becoming more prevalent via scripting languages, AMSI is the next logical step to facilitate detection. An attacker will need to bypass AMSI in order to safely operate in memory when using PowerShell, VBScript, or JScript.
Device Guard: As organizations begin to consider whitelisting solutions, an attacker is required to adapt and develop a bypass to these technologies. One such solution is Device Guard, which can be used to heavily restrict what is allowed to execute on the system. In order to accomplish their objective, an attacker would need to bypass User Mode Code Integrity (UMCI). Such research can find novel ways to execute code in ways that are not likely to be detected.
I will also cover some of the fixes that have been implemented in newer versions of the Windows Operating System. Fixing these bypasses will not only make Windows safer, but it will begin to disrupt attackers by raising the cost associated with successfully executing an attack.
Kymberlee Price and Sam Vaughan, Microsoft
Many developers today are turning to well established third-party open source components and libraries to speed the development process and realize quality improvements over creating an in-house proprietary font parsing or image rendering library from the ground up. Efficiency comes at a cost though: a single OSS component may have multiple additional OSS subcomponents, and an application or service may have dozens of different third party libraries implemented. The result is that third-party and open source libraries have the ability to spread a single vulnerability across multiple products - exposing enterprises and requiring software vendors and IT organizations to patch the same vulnerability repeatedly. This presentation will dive deep into vulnerability data and explore the source and spread of OSS vulnerabilities through products – as well as actions developers, the security research community, and enterprise customers can take to address this problem.
Dean Wells, Microsoft
Witness a whipper-snapper of an admin conduct a series of progressively more sneaky attacks against unsuspecting & ill-prepared virtualized workloads. Little did the whipper-snapper know, this was a guarded Hyper-V host, and guarded hosts come pre-loaded with anti-whipper-snapper technology. Stated another way: watch as Hyper-V defends itself against a series of fabric-level attacks by leveraging Windows Server 2016's remote attestation, key protection/release, hypervisor-enforced code integrity and shielded virtual machine technologies.
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Jakub Kałużny
When it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, based on our experience, it very often hides a shameful secret: completely unsecured mechanisms breaking all secure coding practices.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
Jakub Kałużny
When speed and latency count, there is no place for the standard HTTP/SSL stack and a wise head comes up with a proprietary network protocol. How to deal with embedded software or thick clients using protocols with no documentation at all? Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, when you dive inside this traffic and reverse-engineer the communication inside, you are there. Welcome to the world full of home-grown cryptography, reversible hash algorithms and no access control at all.
We would like to present our approach and a short guideline on how to reverse engineer proprietary protocols. To demonstrate, we will show you a few case studies, which in our opinion are a quintessence of "security by obscurity": the most interesting examples from real-life financial industry software, which is a particularly risky business regarding security.
Casey Smith, Red Canary
Application whitelisting is a great defense. It really is. As difficult as it may be to implement, it gives organizations a strong defense to turn the tide against malicious binaries. The trouble is, administrators often trust all things that are signed by Microsoft. And... All binaries from Microsoft are signed in the same manner. This talk seeks to be a discussion of what Microsoft signs, how these binaries can be abused, and propose new strategies to move forward. How can we discover these binaries? What are capabilities that can be abused? What should Microsoft be signing? Should the same certificate be used for all binaries emitted from Microsoft? This talk will present a recent binary discovered to bypass Device Guard as a case study.
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Jakub Kałużny
Did "cloud computing" and "big data" buzzwords bring new challenges for security testers?
Apart from the complexity of Hadoop installations and the number of interfaces, standard techniques can be applied to test for: web application vulnerabilities, SSL security and encryption at rest. We tested popular Hadoop environments and found a few critical vulnerabilities, which for sure cast a shadow on big data security.
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
Benjamin Delpy
This talk will focus on how Windows authentication works in the real world and what the popular attacks against it are. You will learn the thought process of attackers in the real world and how it differs from a defender’s perspective. We’ll also cover post-exploitation tools and techniques such as Mimikatz. Finally, we’ll discuss next steps: how do you design services that are breach-resistant and make authentication harder to crack?
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
John Bambenek
Between limited resources and a lack of trained professionals on one hand and the increasing quantity and quality of attacks on the other, securing enterprises and responding to incidents has placed defenders on the losing end of a digital arms race. Even managing the amounts of threat data and open-source intelligence has become a challenge.
This talk will cover the possibilities and perils of integrating all the various sources of threat intelligence data to protect an organization. With all the various open-source and paid-source data, simply dumping it all into a firewall or DNS RPZ zone can be problematic. What to do about compromised websites or shared hosting environments? What about DGA domains that use full words and may collide with actual innocent websites? What about how to handle threat data that is lacking in context to make appropriate decisions on its validity and accuracy? This talk will present several case studies in how these problems can be tackled and how using multi-domain analysis can help reduce the risk and maximize the value of automated protection using these types of data.
[Portuguese] Slides from a lecture on forensics in information systems that I gave as a guest lecturer in the Forensic Cybersecurity course of the Master's in Information Security and Law in Cyberspace (MSIDC): https://fenix.tecnico.ulisboa.pt/cursos/msidc
Most IT professionals, including those working in security, have only basic notions of asymmetric cryptography. Most of us know how to use the various algorithms, but do not know how they operate. In this talk I intend to go into a bit more detail on these algorithms, in particular RSA. I will talk about practical applications of asymmetric cryptography (from SSL, through the PlayStation 3, to the Cartão do Cidadão, the Portuguese citizen card), the limitations of the algorithms, attacks against them and recently disclosed implementation flaws. The main goal of this talk is to demystify this "sacred cow" that is asymmetric cryptography, showing that it is not a panacea: it too has flaws and limitations.
Reverse Engineering the TomTom Runner pt. 1
Luis Grangeia
A hacker likes computers for the same reason that a child likes Lego: both allow the creation of something new. However, the growing trend has been to 'close up' general purpose computing into devices that serve a narrow purpose. It's been happening with games consoles, routers, smartphones, smart TVs and, more recently, smartwatches. A hacker will face this trend as an additional challenge and will be even more motivated to gain control over the device.
This talk is a journey to the world of 'reverse engineering' of a device of the "Internet of Things", in this case a Tomtom Runner sports watch. The author has little previous experience in reverse engineering of embedded systems, so the talk aims to serve as an introduction to this topic, what motivations and what kind of approaches may be tried.
Presented in September 2015 at "Confraria de Segurança da Informação" in Lisbon
Confraria Security And IT - End Point Security
Luis Grangeia
Reflections on "client side" security
Brief description: Reflections on the security and auditability of an "end point" (whether a laptop or a smartphone). Thinking of the end point as one of the most important components of an application (the client!). How to maintain security levels in heterogeneous environments of unmanaged end points? What are the security implications of the "Appstore" model, in which neither the client nor the organisation has full control over the end point (iPhone, Android, iPad)? Is it possible to use an application securely while assuming the fallibility of the end point's security?
Reverse Engineering the TomTom Runner pt. 2
Luis Grangeia
Second presentation of my research into reverse engineering a TomTom Runner GPS watch. In this I explain how I got running code inside an unfamiliar device and proceeded to bypass its security measures and extract firmware keys and code from the device.
More details on my personal blog, at http://grangeia.io
Presented in October 2015 at "Confraria de Segurança da Informação" in Lisbon
New attack vectors for heartbleed: Enterprise wireless (and wired) networks.
This talk exposes a relatively obscure use of the heartbleed flaw: exploiting EAP-PEAP | EAP-TLS | EAP-TTLS network authentication protocols.
Update (02-06-2014): This blog post gives out more details and contains links to the cupid patch.
http://www.sysvalue.com/heartbleed-cupid-wireless/
The Hardcore Stuff I Hack:
This talk is going to give a run through of some of the technical challenges Paul and his team have overcome over the years, in as much hardcore detail as possible.
Talk on threats to database security. The title is, of course, deadly serious. Wile E. Coyote & other experts on correctness & security are enlisted to help make key points.
Application Security session given as part of the Solvay Executive Master in IT Management.
Explaining application security challenges for web, mobile, cloud and internet of things.
Positioning OWASP SAMM as structural and measurable framework to get application security under control in the complete application lifecycle.
Java application security the hard way - a workshop for the serious developer
Steve Poole
Cybercrime is rising at an alarming rate. As a Java developer you know you need to be better informed about security matters, but it’s hard to know where to start. This workshop will help you understand how to improve the security of your application through a series of demonstration hacks and related hands-on exercises. Serious though the topic is, this practical session will be fun and will leave you more informed and better prepared. Start building your security muscle memory here.
This presentation by Christopher Grayson covers some lessons learned as a security professional that has made his way into software engineering full time.
Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive.
Key Takeaways:
- Great places in the user journey to inject security tests
- Ways to augment existing test approaches to cover security concerns
- Typical security tools that are free, cheap, and easy for software testers
Using KeyLines 3.0 to visualize your cyber data at scale
Cyber security analysts face data overload. They work with information on a massive scale, generated at millisecond levels of resolution detailing increasingly complex attacks.
To make sense of this data, analysts need an intuitive and engaging way to explore it: that’s where graph visualization plays a role.
During this session, Corey will show examples of how graph visualization can help users explore, understand and derive insight from real-world cyber security datasets.
You will learn:
• How graph visualization can help you extract insight from cyber data
• How to visualize your cyber security graph data at scale using WebGL
• Why KeyLines 3.0 is the go-to tool for large-scale cyber graph visualization.
This session is suitable for a non-technical audience.
Some of the most famous information breaches over the past few years have been a result of entry through embedded and IoT system environments. Often these breaches are a result of unexpected system architecture and service connectivity on the network that allows the hacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.
Uncover What's Inside the Mind of a Hacker
IBM Security
View On-demand Webinar: https://securityintelligence.com/events/uncover-whats-inside-mind-hacker/
A simple software vulnerability can make the bad guys very wealthy. A bustling new market for software vulnerabilities is emerging. An operating system vulnerability can be worth as much as $1 million on the black market.
Ethical Hacker Paul Ionescu aims to put a dent in the bad guys’ pockets by helping developers to “put their hackers’ hats on” and prevent software vulnerabilities.
During this presentation, Paul:
- Demos common software programming flaws
- Discusses notable security breaches that were caused by vulnerabilities such as SQL Injection
- Examines ways to implement software defenses that prevent security flaws from re-emerging
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
Speed, accuracy, and scaling: discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
Andras Palfi, Senior Product Manager, UiPath
Lenka Dulovicova, Product Program Manager, UiPath
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
IBWAS 2010: Web Security From an Auditor's Standpoint
1. Web Security From an Auditor's Standpoint
What works, what doesn't, what might.
IBWAS '10
Luis Grangeia
lgrangeia@sysvalue.com
2. About Me
• IT Security Auditor since 2001
• First at SideStep, now at SysValue
• Working mostly with Telco, Finance and Government sectors
• Performed Web App Security Testing on:
• Online banking
• Stock brokerage
• Online stores
• Corporate Web sites
• Internal Web apps
3. What will be covered today
• Prologue: Web Application Security
• Security Countermeasures, working or not?
1. SQL Injection
2. Cross Site Scripting
3. Virtual Keyboards
• Welcome to the Social Web
• Social Security, anyone?
5. Applications vs Infrastructure
• Applications are the reason we go Online
• Network infrastructure is just a means to that end
• Infrastructure security is easy now (in comparison)
Infrastructure security is now almost fully commoditized
7. The Web is Where it's At
“The data used for this study shows that in 86% of all
attacks, a weakness in a web interface was exploited.”
UK Security Breach Investigations Report 2010
An Analysis of Data Compromise Cases,
7Safe
8. Web Application Security is Hard
No turn key products
No easy solutions
Every Application is different
… That's why it's fun
11. SQL Injection: Context
• Still leading the OWASP Top Ten
• Eight years ago it was much worse:
• But the problem was not actively exploited
• Not many knew how (good and bad guys alike)
• There was lower hanging fruit
• Now it's in the spotlight
12. SQL Injection: Analysis
• Hard to detect:
• Good error handling prevents confident detection by automated tools
• Web Application Firewalls mask the problem
(attack pattern blacklisting)
• Easy to exploit:
• Automated attacks are possible
(SQL Injection worms)
• Even Blind SQLi can be attacked easily
(eg. SQL Power Injector)
• This makes it easier to make a point
13. SQL Injection: Countermeasures
Prevention | Mitigation is easy:
• Possible to easily distinguish between Data (variables) and Control (code):
• Use parameterized queries / prepared statements
• New Web Development platforms are already performing Database
Abstraction
• Makes it a Platform problem, not a Developer's problem
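The Data vs Control distinction from this slide, as an added example (not code from the talk): the same login query built by string concatenation and as a prepared statement, run against a constructed in-memory SQLite table. The tautology payload and the user "o'brien" are constructed inputs; the second one shows that a legitimate apostrophe also breaks the concatenated query, so escaping or blacklisting is not the fix, parameters are.

```python
import sqlite3

# Constructed sample table (plaintext passwords only to keep the demo short).
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "pw-3")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn

def login_concat(conn, name, password):
    """Vulnerable: input is spliced into the SQL text, so Data becomes Control."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]

def login_param(conn, name, password):
    """Hardened: the query shape is fixed; the driver sends the values separately."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]

def demo():
    conn = make_db()
    payload = "' OR '1'='1"            # classic tautology in the password field
    try:
        concat_quote = login_concat(conn, "o'brien", "pw-3")
    except sqlite3.OperationalError:
        concat_quote = "syntax error"  # a legitimate apostrophe breaks the query
    return {
        # concatenation: the OR clause matches every row, so everyone "logs in"
        "concat_payload": sorted(login_concat(conn, "alice", payload)),
        # parameters: the payload is compared as a literal password and fails
        "param_payload": login_param(conn, "alice", payload),
        "param_legit": login_param(conn, "alice", "s3cret"),
        "concat_quote": concat_quote,
        "param_quote": login_param(conn, "o'brien", "pw-3"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```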
14. SQL Injection: Conclusions
• Problems that are easy to exploit are easy to understand by customers/developers
• Problems that are understood are more likely to get solved
• Especially when the solution is easy to understand and easy to implement
15. SQL Injection: Conclusions
We will eradicate the problem, because we have understood it completely and
have a working simple solution that addresses the root cause
16. 2. Cross Site Scripting
We risk losing this battle unless we address its root cause.
17. Cross Site Scripting: Context
• Second in the OWASP Top Ten
• Like SQL Injection, eight years ago it was much worse:
• But the problem was not actively exploited
• Not many knew how (good and bad guys alike)
• There was lower hanging fruit
• Now it's in the spotlight
18. Misconceptions abound
(not just around Web developers, also around some parts of the security community)
“Oh, it triggers an alert() box, is that it?”
“The user must click on a link in order to trigger the XSS attack.”
“Sure, this attack might steal our customers' sessions, but we use second-level authentication for financial transactions, so we're safe.”
19. Cross Site Scripting: Risks
• Useful for realistic phishing attacks
• Cross site request forgery “boosts” the impact of XSS instances
• Web Applications are increasingly multi-domain:
• Facebook “like” buttons
• Google maps iframes
• Google analytics
• Advertising banners
• Etc.
• Successful exploitation means total control of all aspects of the communication between victim and Application.
20. Cross Site Scripting: Analysis
• (Somewhat) Easier to detect:
• In fact, good Web App Scanners do it quite well, with low false
positives and low false negatives
• More complex instances are still hard to spot and may be missed
• Hard to exploit effectively:
• While easy to trigger, good proof of concept code can be hard to write
• The attack always depends on the “anatomy” of the Web App
21. Proving the Impact of XSS
• We're not doing our best
• We must prove to the developers the true impact of the problem
• It's not easy, but it pays off!
22. Cross Site Scripting: Countermeasures
Prevention | Mitigation is hard:
• Also, it is a problem of distinguishing between Data (variables) and
Control (code)
• But there is no way to clearly make that distinction in HTML /
Javascript
• Input / Output sanitization is the only way, but it is hard:
• Escaping output depends on document context:
• HTML Content Elements, Common Attributes, Javascript Data Values, HTML Style Properties, etc.
23. Cross Site Scripting: Countermeasures
(cont.)
• There is no possible way of addressing the root cause unless we change the protocol (won't happen):
• Remember, the root cause isn't malicious input/output, it's mixing user supplied data with control code
• HTML5 won't really help:
• Actually XSS will turn into a feature in HTML5
• See HTML5's “Channel Messaging” and “Cross-document messaging”
• In fairness, there is one thing that might help against XSS in HTML5:
• Sandboxed iframes
24. Cross Site Scripting: Countermeasures
(cont.)
• The solution is complex, take it out of the hands of Developers:
• Seriously, do you expect a developer to remember this?
• http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
• Incorporate good, context aware output filtering in development platforms with template systems:
• Google's “Automatic Context-Aware Escaping”
• Ivan Ristić's “Canoe”
• How long before .NET and Java adoption?
• In the meantime, use Microsoft's Web Protection Library, AntiXSS
• Consider changes to the underlying protocol to promote better distinction of Code and Data (I won't go there, for now)
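Why output escaping depends on document context, as an added example (not from the talk or from any of the libraries named above): a template drops a user-supplied name into a JavaScript string that itself sits inside an onclick attribute. The browser HTML-decodes the attribute before the JS engine sees it, so HTML-escaping alone is undone, while escaping for the inner JS-string context first and the outer attribute context second keeps the value inert. The `greet()` template, the alert()-style probe and the browser-decoding simulation are constructed for the demo.

```python
import html

# Constructed template: user data lands in a JS string literal nested in an HTML attribute.
TEMPLATE = '<a onclick="greet(\'{0}\')">hi</a>'

def escape_html(s):
    """Escaper for HTML element content and quoted attribute values."""
    return html.escape(s, quote=True)

def escape_js_string(s):
    """Escaper for a value inside a quoted JavaScript string literal:
    every character outside [A-Za-z0-9] becomes \\xHH (or \\uHHHH)."""
    out = []
    for c in s:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 0x100:
            out.append("\\x%02X" % ord(c))
        else:
            out.append("\\u%04X" % ord(c))
    return "".join(out)

def render_naive(name):
    """The single-escaper habit: HTML-escape everything, whatever the context."""
    return TEMPLATE.format(escape_html(name))

def render_context_aware(name):
    """Inner context (JS string) first, then outer context (HTML attribute)."""
    return TEMPLATE.format(escape_html(escape_js_string(name)))

def js_as_browser_sees_it(fragment):
    """Pull out the onclick value and HTML-decode it, as a browser does before
    handing the text to the JavaScript engine."""
    start = fragment.index('onclick="') + len('onclick="')
    end = fragment.index('"', start)
    return html.unescape(fragment[start:end])

def breaks_out(js_src):
    """A single greet('...') call has exactly two quote delimiters; any more means
    the data closed the string literal and is now Control."""
    return js_src.count("'") > 2

def demo():
    probe = "x'); alert(1);//"   # constructed probe in the talk's own alert() style
    naive = js_as_browser_sees_it(render_naive(probe))
    aware = js_as_browser_sees_it(render_context_aware(probe))
    return {"naive_js": naive, "naive_breaks_out": breaks_out(naive),
            "aware_js": aware, "aware_breaks_out": breaks_out(aware)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```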
25. Cross Site Scripting: Conclusions
• Security Problems that are:
• Somewhat easy to detect, but…
• Hard to prove their real impacts, and…
• Have a difficult to execute and hard to understand solution…
…will be swept under the carpet!
And Cross site scripting falls squarely into this category.
26. Cross Site Scripting: Conclusion
This is a platform and protocol problem that is not well understood by developers.
We are fighting a losing battle, unless we spend time developing platform-wide
solutions, and at the same time, as auditors, make better proof-of-concept code, to
drive research forward.
28. Virtual Keyboards: Context
• Introduced around summer 2003 in Portugal
• Implemented by most major online banks
• Response to a specific threat:
• Malware that logged keystrokes in order to steal credentials
30. Virtual Keyboards: Problems
• Mitigates only a specific instance of an attack:
• “Key-logging malware” as opposed to “online credential stealing malware”
• Fails to look at the big picture
• Result of bad/outdated threat assessment
• No “half-decent” malware uses key-logging anymore
• In fact, key-logging results in a lot of useless data for the attacker
31. Virtual Keyboards: Threat not mitigated
• Form grabbing is the method of choice for grabbing credentials:
• All credentials end up in a Web form
• Some banks try to mask the POST'ed credentials using Javascript encryption
• doesn't really work, the key is in the previous HTTP response
• Typical behavior (ex. W32/Qhost.JE):
• Trojan injects a DLL into Internet Explorer
• The DLL hooks HttpSendRequestA
• The hook grabs POST data and uploads it to an FTP server
All of this works with or without SSL, with or without a virtual keyboard.
32. Virtual Keyboards
More of a problem than a solution:
• Fails to protect against current attack methods
• Gives a false sense of security
• Introduces new attack vectors:
• Shoulder surfing
• Induces the user to choose a weaker (easier to “type”) password
33. Virtual Keyboards: Threats Mitigated
(for completeness' sake)
To be fair, virtual keyboards protect against this:
• Wireless keyboard sniffing
• Use encryption, corded keyboards
• Hardware key-loggers
• Look at your hardware ports, don't leave computer unattended in insecure locations
34. Virtual Keyboards: Conclusion
Don't be afraid to remove a security countermeasure that doesn't work.
Educate the public so that this “security theater” is exposed.
37. The Social Revolution – Facebook
• Facebook connects over 500 million users
• That's around 30% of all Internet users worldwide
• It's more than 7% of the World's Population (est.)
38. Before talking infosec…
• Before talking about possible security uses for the social graph, we must be able to decentralize it
• Too much power is concentrated on a single organization
• Either use Facebook's graph alongside other tools, or build a distributed social graph altogether:
• Possible and doable: check the Diaspora Project
39. How can security benefit from the social graph
Facebook is already showing us how:
• Facebook Messages:
• Spam filtering by looking at your friend connections
• Has the potential to be virtually foolproof at mitigating spam.
• There are still possible bumps down the road, but the idea has potential
40. Using the Social Graph to Improve SSL
Warning: crazy idea ahead.
41. SSL is OK, but Already Shows Age
Two roles of SSL/TLS:
• Authenticating the endpoints
• Providing transport integrity and confidentiality through encryption
• The authentication is based on the trust of organizations that are organized in a hierarchy, originating in root CAs that are “imposed” on us
42. The confidence issue
“Directly or indirectly, there are more than 650 different organizations that function as trusted CAs for either Internet Explorer or Firefox”
(source: EFF SSL Observatory)
All you need is to break the security of one to break the SSL model…
43. SSL: What are the threats
• There are reports stating that MiTM attacks against SSL are being performed using certificates generated by rogue CAs:
• By governments (espionage)
• By Law Enforcement
• “Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL”
• Christopher Soghoian and Sid Stamm, April 2010
• “Law Enforcement Appliance Subverts SSL”
• Wired Threat Level, March 24, 2010
44. Challenge:
Defeating Local MiTM Attacks
“You can fool some of the people all of the time, and all of the people some of the
time, but you cannot fool all of the people all of the time.”
Abraham Lincoln
45. Defeating Local MiTM Attacks by “Friendsourcing”
• Assuming no malicious entity is omnipotent on the Internet (not even governments):
• SSL MiTM attacks will always be localized (to an ISP or a specific country)
• So, in order to validate the authenticity of a Web site, one can request that an online friend (or a random group, or all of them) visits the same site and checks the certificate for us.
• In geographically distinct locations
• Using different computers and ISPs
• We only authenticate if all (or most) of our friends' data matches up.
46. Defeating Local MiTM Attacks by “Friendsourcing”
• The devil is in the details…
• Just an idea for discussion, for now
• Assumes we can securely authenticate friends and pass private messages along the social graph
• Can be complemented by historic data:
• “the certificate has changed even though the previous certificate had an expiry date well in the future”
• The general idea is to create the possibility of a custom security model for authentication based on a Web of Trust, and not on a hierarchy of “Trusted Authorities”
• There are endless opportunities for the social graph…
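The “friendsourcing” decision rule from slides 45 and 46, as an added simulation (not code from the talk): friends at different vantage points report the certificate fingerprint they were served, we accept only if our own view agrees with a quorum of them spread over more than one location, and a separate check flags a certificate that changed while the previous one still had a long validity left. The `Observation` record, the 75% quorum, the 30-day threshold and all fingerprints and locations are assumptions constructed for the demo; the secure friend-authentication channel the slide requires is taken as given.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

@dataclass
class Observation:
    friend: str        # who looked
    location: str      # rough vantage point (country/ISP), constructed
    fingerprint: str   # fingerprint of the leaf certificate they were served

QUORUM = 0.75          # assumed: fraction of friends that must agree

def friendsourced_verdict(local_fp, observations, quorum=QUORUM):
    """Return (ok, reason). ok means our local view matches what a quorum of
    friends at distinct vantage points see, so a *local* MiTM is unlikely."""
    if not observations:
        return False, "no friend observations"
    votes = Counter(ob.fingerprint for ob in observations)
    majority_fp, n = votes.most_common(1)[0]
    sites = {ob.location for ob in observations if ob.fingerprint == majority_fp}
    if n / len(observations) < quorum:
        return False, "friends disagree among themselves (%d/%d)" % (n, len(observations))
    if len(sites) < 2:
        return False, "agreeing friends all sit behind one vantage point"
    if majority_fp != local_fp:
        return False, ("our view differs from %d/%d friends: possible local MiTM"
                       % (n, len(observations)))
    return True, "matches %d/%d friends across %d locations" % (n, len(observations), len(sites))

def history_warning(previous_fp, previous_expiry, current_fp, today, min_days=30):
    """Historic check from slide 46: the certificate changed although the previous
    one was valid well into the future (min_days is an assumed threshold)."""
    if previous_fp is None or previous_fp == current_fp:
        return None
    remaining = (previous_expiry - today).days
    if remaining > min_days:
        return "certificate changed with %d days left on the previous one" % remaining
    return None

def demo():
    real, forged = "sha256:REAL-constructed", "sha256:FAKE-constructed"
    friends = [Observation("ana", "PT/ISP-A", real), Observation("bruno", "DE/ISP-B", real),
               Observation("chen", "SG/ISP-C", real), Observation("dara", "PT/ISP-A", real)]
    return {
        "honest": friendsourced_verdict(real, friends),        # we see what they see
        "local_mitm": friendsourced_verdict(forged, friends),  # only we see a forgery
        "history": history_warning(real, date(2011, 12, 31), forged, date(2010, 12, 1)),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```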
47. Thank You
Q&A
Luis Grangeia, SysValue
lgrangeia@sysvalue.com