The document discusses OAuth, an open standard for authorization in REST APIs. It allows users to grant third party applications access to their private data without sharing their usernames and passwords. OAuth uses tokens instead of passwords, allowing users to control what data apps can access and revoke access at any time. The OAuth process involves a consumer obtaining a request token, then redirecting the user to authorize access, and exchanging the request token for an access token to access private resources on the user's behalf according to their authorization.
IDoT: Challenges from the IDentities of Things Landscapekantarainitiative
This is a presentation from the Kantara Initiative Identities of the Things (IDoT) Discussion Group. The presentations summarizes the findings to date of the DG for next steps and industry discussion and innovation.
At Blockchain Council, you will not only get information about Blockchain but also about the implementation of this technology in different fields. With this certification program which is specially designed for the financial system, you can easily pick up how to use Blockchain technology for KYC and other aspects of banking.
Digital signature and certificate authorityKrutiShah114
This presentation will give you a broad view about digital signature and certificate authority. It also explains the difference between digital signature and electronic signature.
IDoT: Challenges from the IDentities of Things Landscapekantarainitiative
This is a presentation from the Kantara Initiative Identities of the Things (IDoT) Discussion Group. The presentations summarizes the findings to date of the DG for next steps and industry discussion and innovation.
At Blockchain Council, you will not only get information about Blockchain but also about the implementation of this technology in different fields. With this certification program which is specially designed for the financial system, you can easily pick up how to use Blockchain technology for KYC and other aspects of banking.
Digital signature and certificate authorityKrutiShah114
This presentation will give you a broad view about digital signature and certificate authority. It also explains the difference between digital signature and electronic signature.
Using externally verified strong identities can reduce the risk of fraud and improve the customer experience in registering and engaging with your services.
Velmie Wallet is a cost-effective white-label platform to enable mobile experience in finance. The platform comes with mobile applications for iOS and Android platforms; web user interface; web admin dashboard and optional Blockchain dashboard to deliver the real-time overview of all the transactions being processed by the platform.
The Wallet was designed to deliver personalized, instantaneously responsive, and increasingly predictive real-time service to its users. Meaningful and consistent interactions with apps are something that is most important for people nowadays. The recent shift of FinTech products confirms that customers are looking for simple and interactive solutions crafted for their specific needs.
Blockchain technology is offering inroads into transforming the healthcare ecosystem by placing the patient at the center of the system. Benefits such as increased security, privacy, and interoperability of health data are on the horizon.
In this slideshare, here's what we explore:
Challenges clouding healthcare operations
Why is it important to secure patient data?
Blockchain: Enabling interoperability
Understanding supply chain integrity
Compliance and regulations
What is Digital Signature, Digital Signature FAQ - eMudhraeMudhra dsc
eMudhra is one of the leading provider of Digital Signature Certificates and is a Licensed Certifying Authority(CA) authorized by the Controller of Certifying Authorities (CCA) and Ministry of Information Technology to issue digital signature Certificates in India.
Automated E-Pin Generator in Banking Sectordbpublications
For the purpose of saving and securing money, to get loans, employers to get wages, to pay bill online, etc., every human being require a bank account. Either it can be savings account or checking account, each one has its own functionalities. In earlier days the person needs to go for bank for account opening or any other transactions, but now through online any functionality can be handled. If a user can able to access the privileges of bank he must have an account. So the initial step of banking is account opening. To open an account in any bank it undergoes several steps. First the user walk in to any bank or he can visit to any bank website then he needs pick up an account opening application and then has to fill his valid personal details in the application, mention the type of account he is going to open and finally provide nominee for his account. After all these process a unique account number is provided to user in a couple of days. Our project is implemented based on the banking system which is going to resolve the delay in providing an account number by the bank that takes a couple of days to process. To avoid this delay we are implementing a banking application that will process the user application day by day with a short period of time the user will get his bank account number more efficiently.
BankChain, the consortium of banking majors including SBI, ICICI Bank and DCB Bank has completed work on its first blockchain project. A blockchain is a decentralised and distributed digital ledger that records transactions across many computers in such a way that the registered transactions cannot be altered retroactively.
Digital signature certificate provider in delhieSign DSC
E-sign DSC has gained the reputation of being the certified digital signature certificate distributor and service provider in Delhi. The significance of DSC can be understood where we can see that there are many government application form in which DSC is mandatory. Get digital signature certificate instantly within 30 minutes after the documents get approved by the certifying controller authority.
Blockchain Account Aggregation oct 2019 rev nciTaras Kuzin
Application of blockchain, distributed ledger, to FI account aggregation. Today, FI account aggregation is handled by a handful of aggregators, which mostly use customers’ credentials. We believe distributed ledger technology could be successfully applied to the account aggregation. The technical implementation is relatively straight forward and would require a private, permission based distributed ledger. Naturally, there is a strong network effect. Therefore, for our model to be successful, we need to create a consortium, which can be comprised of various participants, including (but not limited to) top banks.
Bank Information Share Authorized Through Distributed Ledger Technologies
Patent date Issued Nov 12, 2019 Patent issuer and numberus 10,474,834
For creating electronic signatures, the signer is required to obtain a Digital Signature Certificate (DSC) from a Certifying Authority (CA) licensed by the Controller of Certifying Authorities (CCA) under the Information Technology (IT) Act, 2000. Before a CA issues a DSC, the identity and address of the signer must be verified. The private key used for creating the electronic signature is stored in hardware cryptographic token which is of one time use.
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...Blockchain Worx
Layering a distributed ledger atop core banking systems with open banking API’s creates an agile integrated platform to offer truly next-generation Digital Banking
An introduction to OAuth2 and OpenID Connect intended for a technical audience. This covers terminology, core concepts, and all the core grants/flows for OAuth2 and OpenID Connect
Using externally verified strong identities can reduce the risk of fraud and improve the customer experience in registering and engaging with your services.
Velmie Wallet is a cost-effective white-label platform to enable mobile experience in finance. The platform comes with mobile applications for iOS and Android platforms; web user interface; web admin dashboard and optional Blockchain dashboard to deliver the real-time overview of all the transactions being processed by the platform.
The Wallet was designed to deliver personalized, instantaneously responsive, and increasingly predictive real-time service to its users. Meaningful and consistent interactions with apps are something that is most important for people nowadays. The recent shift of FinTech products confirms that customers are looking for simple and interactive solutions crafted for their specific needs.
Blockchain technology is offering inroads into transforming the healthcare ecosystem by placing the patient at the center of the system. Benefits such as increased security, privacy, and interoperability of health data are on the horizon.
In this slideshare, here's what we explore:
Challenges clouding healthcare operations
Why is it important to secure patient data?
Blockchain: Enabling interoperability
Understanding supply chain integrity
Compliance and regulations
What is Digital Signature, Digital Signature FAQ - eMudhraeMudhra dsc
eMudhra is one of the leading provider of Digital Signature Certificates and is a Licensed Certifying Authority(CA) authorized by the Controller of Certifying Authorities (CCA) and Ministry of Information Technology to issue digital signature Certificates in India.
Automated E-Pin Generator in Banking Sectordbpublications
For the purpose of saving and securing money, to get loans, employers to get wages, to pay bill online, etc., every human being require a bank account. Either it can be savings account or checking account, each one has its own functionalities. In earlier days the person needs to go for bank for account opening or any other transactions, but now through online any functionality can be handled. If a user can able to access the privileges of bank he must have an account. So the initial step of banking is account opening. To open an account in any bank it undergoes several steps. First the user walk in to any bank or he can visit to any bank website then he needs pick up an account opening application and then has to fill his valid personal details in the application, mention the type of account he is going to open and finally provide nominee for his account. After all these process a unique account number is provided to user in a couple of days. Our project is implemented based on the banking system which is going to resolve the delay in providing an account number by the bank that takes a couple of days to process. To avoid this delay we are implementing a banking application that will process the user application day by day with a short period of time the user will get his bank account number more efficiently.
BankChain, the consortium of banking majors including SBI, ICICI Bank and DCB Bank has completed work on its first blockchain project. A blockchain is a decentralised and distributed digital ledger that records transactions across many computers in such a way that the registered transactions cannot be altered retroactively.
Digital signature certificate provider in delhieSign DSC
E-sign DSC has gained the reputation of being the certified digital signature certificate distributor and service provider in Delhi. The significance of DSC can be understood where we can see that there are many government application form in which DSC is mandatory. Get digital signature certificate instantly within 30 minutes after the documents get approved by the certifying controller authority.
Blockchain Account Aggregation oct 2019 rev nciTaras Kuzin
Application of blockchain, distributed ledger, to FI account aggregation. Today, FI account aggregation is handled by a handful of aggregators, which mostly use customers’ credentials. We believe distributed ledger technology could be successfully applied to the account aggregation. The technical implementation is relatively straight forward and would require a private, permission based distributed ledger. Naturally, there is a strong network effect. Therefore, for our model to be successful, we need to create a consortium, which can be comprised of various participants, including (but not limited to) top banks.
Bank Information Share Authorized Through Distributed Ledger Technologies
Patent date Issued Nov 12, 2019 Patent issuer and numberus 10,474,834
For creating electronic signatures, the signer is required to obtain a Digital Signature Certificate (DSC) from a Certifying Authority (CA) licensed by the Controller of Certifying Authorities (CCA) under the Information Technology (IT) Act, 2000. Before a CA issues a DSC, the identity and address of the signer must be verified. The private key used for creating the electronic signature is stored in hardware cryptographic token which is of one time use.
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...Blockchain Worx
Layering a distributed ledger atop core banking systems with open banking API’s creates an agile integrated platform to offer truly next-generation Digital Banking
An introduction to OAuth2 and OpenID Connect intended for a technical audience. This covers terminology, core concepts, and all the core grants/flows for OAuth2 and OpenID Connect
Enterprise API adoption has gone beyond predictions. It has become the 'coolest' way of exposing business functionalities to the outside world. Both your public and private APIs, need to be protected, monitored and managed.
This session focuses on API Security. There are so many options out there to make someone easily confused. When to select one over the other is always a question - and you need to deal with it quite carefully to identify and isolate the tradeoffs. Security is not an afterthought. It has to be an integral part of any development project - so as for APIs. API security has evolved a lot in last five years. This talk covers best practices in building an API Security Ecosystem with OAuth 2.0, UMA, SCIM, XACML and LDAP.
OAuth2 Implementation Presentation (Java)Knoldus Inc.
The OAuth 2.0 authorization framework is a protocol that allows a user to grant a third-party web site or application access to the user's protected resources, without necessarily revealing their long-term credentials or even their identity. It is commonly used in scenarios such as user authentication in web and mobile applications and enables a more secure and user-friendly authorization process.
The industry is shifting to mobile and wearable devices, and desktop apps are now only a part of the overall application landscape. In this new mobile-first context, security is one of the key concerns for Enterprise Architects. Salesforce has implemented the OAuth 2.0 specification to handle user authentication using industry standards. After reviewing OAuth basics, this session will take you through the different approaches to implement OAuth authentication on the Force.com platform.
Shows how to be an oauth consumer and provider from PHP - OAuth 1 - including handling of tokens, secrets, and handling the workflow for devices. Also covers the workflow for OAuth 2
Cloud Managed Router merupakan hasil dari kombinasi antara perangkat router konvensional dengan teknologi cloud management, yang dikembangkan agar memudahkan pengguna untuk dapat mengatur perangkat router dari jarak jauh. Namun tentu saja dengan penerapan yang kurang tepat, maka hal ini bisa dimanfaatkan oleh orang yang tidak bertanggung jawab, bahkan dapat beresiko akses perangkat router diambil alih. Pada topik ini saya akan sedikit menceritakan bagaimana resiko tersebut bisa terjadi.
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf
Kesiapan infrastruktur terkadang menjadi kendala dalam melaksanakan red team exercise secara internal. Guna memperoleh hasil yang optimal terdapat beberapa strong points yang perlu diadopsi dalam pengembangan infrastruktur yakni rapid deployment, stealth, dan scalability. Melalui Infrastructure as code (IaC) yang dapat mendukung proses automation infrastruktur red team, operator dapat mereduksi waktu deployment dengan komponen yang bersifat disposable per engagement. Infrastruktur terbagi menjadi 4 segmen yakni segmen network memanfaatkan WireGuard yang disederhanakan melalui Headscale “Zero Config”. Segmen C2 dan Segmen Phishing merupakan core sections. Segmen SIEM bertujuan mengagregasi dan memproses log dari berbagai komponen seperti reverse proxy pada redirector ataupun C2 server. Manajemen multi-cloud environment memanfaatkan Terraform dengan provisioning yang di-handle menggunakan Ansible. Python sebagai wrapper kedua platform sehingga penggunaan tetap sederhana. Operator dapat secara fleksibel mendeskripsikan segmen yang hendak di deploy melalui sebuah YAML file.
Dalam dunia keamanan siber, sinergi antara berbagai proses memiliki peran yang sangat penting. Salah satu proses atau framework yang tengah menjadi sorotan dan menarik perhatian luas adalah Detection Engineering. Proses Detection Engineering ini bertujuan untuk meningkatkan struktur dan pengorganisasian dalam pembuatan detection use case atau rules di Security Operation Center (SOC). Detection Engineering bisa dikatakan masih baru dalam dunia keamanan siber, sehingga terdapat banyak peluang untuk membuat keseluruhan prosesnya menjadi lebih baik. Salah satu hal yang masih terlupakan adalah integrasi antara proses Detection Engineering dan Threat Modeling. Biasanya, Threat Modeling lebih berfokus pada solusi pencegahan dan mitigasi resiko secara langsung dan melupakanan komponen deteksi ketika pencegahan dan mitigasi tersebut gagal dalam menjalankan fungsinya. Dalam makalah ini, kami memperkenalkan paradigma baru dengan mengintegrasikan Detection Engineering ke dalam proses Threat Modeling. Pendekatan ini menjadikan Detection sebagai langkah proaktif tambahan, yang dapat menjadi lapisan pertahanan ekstra ketika kontrol pencegahan dan mitigasi akhirnya gagal dalam menghadapi ancaman sesungguhnya.
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdfidsecconf
Smart doorbell atau bel pintar telah menjadi populer dalam sistem keamanan rumah pintar. Namun, banyak dari perangkat ini masih menggunakan protokol yang tidak aman untuk berkomunikasi, protokol yang rentan terhadap serangan keamanan seperti jamming, sniffing dan replay attack. Penelitian ini bertujuan untuk menganalisis kelemahan penggunaan protokol komunikasi pada smart doorbell, serta menginvestigasi potensi pemanfaatan Software Defined Radio (SDR) dan modul arduino dalam mengamati komunikasi gelombang elektronik pada frekuensi 433 MHz. Selain itu penelitian ini ditujukan untuk mengidentifikasi potensi risiko yang dihadapi oleh pengguna pengkat IoT, serta memberikan pandangan tentang perlindungan yang lebih baik.
Modern organizations are facing the severe challenge of effectively countering threats and mitigating Indicators of Compromise (IOCs) within their network environments. The increasing complexity and volume of cyber threats has highlighted the urgency of building robust mechanisms to block specific IOCs independently. While some organizations have adopted Endpoint Detection and Response (EDR) systems, these solutions often have limitations and require manual processes to collect and examine IOCs from multiple sources. These operational barriers prevent organizations from achieving a proactive and efficient defense posture, an obstacle that is particularly important due to the critical role that IOC blocking plays in containing the spread of threats and limiting potential damage. Hence, the need for a solution that orchestrates automated IOC blocking, utilizing tools such as AlienVault Open Threat Exchange (OTX), VirusTotal, CrowdStrike, and Slack. In this presentation, we examine the importance of automated IOC blocking and its potential to strengthen network security, while highlighting the critical role that these tools play in mitigating evolving cyber threats.
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf
Pembahasan ini bertujuan untuk memberikan edukasi tentang mekanisme perlindungan yang diterapkan pada aplikasi android seperti root detection, ssl pinning, anti emulation, tamper detection dan bagaimana teknik yang digunakan untuk melakukan mekanisme bypass proteksi yang diimplementasikan dengan bantuan reverse engineering menggunakan tool seperti frida, ghidra, objection, magisk, dan sebagainya.
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf
Adversary Simulation pada lingkungan cloud memiliki karakteristik unik sehingga memerlukan pendekatan khusus. Stratus menawarkan fleksibilitas dalam melakukan simulasi attack secara native pada lingkungan cloud. Presentasi ini akan memberikan penjelasan tentang penggunaan Stratus dalam adversary simulation dan bagaimana mengembangkan skenario khusus sesuai kebutuhan.
Ali - The Journey-Hack Electron App Desktop (MacOS).pdfidsecconf
Semakin berkembangnya teknologi di aplikasi Desktop terdapat celah keamanan yang dapat menyebabkan dampak langsung atau tidak langsung pada kerahasiaan, Integritas Data yang di bangun menggunakan Framework dari Electron khusus nya aplikasi Desktop di Sistem Operasi MAC. Dalam materi yang di persentasikan akan membahas celah keamanan Security Misconfiguration,RCE,Code Injection, Bypass File Quarantine dan juga bagaiman cara intercept Aplikasi Electron Desktop di system operasi macOS
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...idsecconf
Amazon Web Service (AWS) menjadi pemain besar dalam industri provider cloud, AWS menawarkan berbagai macam layanan yang mempermudah pengguna untuk operasional dan manajemen administrasi cloud computing. Dengan banyaknya layanan yang disediakan oleh Amazon Web Service membuat pengguna lupa akan keamanan dari service yang digunakan, karena bukan hanya Simple Storage Service (S3) saja yang bisa secara tidak sengaja mengekspos data sentitif seperti kredensial Database, SSH Private Key, Source code aplikasi atau bahkan data pribadi lain yang bersifat rahasia. Terdapat banyak service yang secara tidak sengaja terekspos ke public seperti EBS Snapshot, RDS Snapshot, SSM Document, SNS topic dan sebagainya. Malicious Actor bisa memanfaatkan Public shared atau exposed untuk melakukan Initial Access ke lingkungan Amazon Web Service pengguna lalu melakukan eksfiltrasi data internal yang rahasia.
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfidsecconf
Near Field Communication (NFC) saat ini adalah teknologi yang umumnya di gunakan untuk media pembayaran serta akses kontrol untuk keamanan ruangan dan gedung. Tidak terbatas untuk hal itu saja, teknologi NFC juga kerap di implementasikan untuk perangkat IoT. Beberapa perangkat menggunakan NFC tag untuk menyimpan informasi guna sinkronisasi dengan perangkat smartphone. Penggunaan teknologi NFC awalnya dianggap aman karna mengharuskan alat baca dengan tag berada dalam poisisi yang sangat dekat. Sehingga dianggap sulit untuk melakukan penyadapan informasinya. Seiring waktu banyak penilitian mengungkapkan bahwa komunikasi ISO 1443-3 ini bisa di intip dan di terjemahkan ke dalam bentuk perintah serta respon aslinya. Proxmark3 adalah salah satu alat yang dikembangkan untuk keperluan tersebut. Namun ada kondisi dimana perangkat proxmark tidak dapat di fungsikan maksimal lantaran berkurangnya sensititifitas pembaca dan tag ketika ada objek berada diantara keduanya. Di paper ini saya ingin menyajikan hasil penelitian saya tentang penggunaan Dynamic Instrumentation Frida untuk memantau penggunaan modul java nfc dalam platform Android dan menggunakannya untuk melakukan lockpicking pada gembok pintar berbasis NFC.
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...idsecconf
This paper is a documentation of proposed security management for Electronic Health Records which includes security planning and policy, security program, risk management, and protection mechanism. Planning and policy are developed to provide a basic principle of security management at a hospital. The security program in this document includes Risk-Adaptable Access Control (RAdAC) and the implementation of security education, training and awareness (SETA). Regarding risk management, we perform risk identification, inventory of assets, information assets classification, and information assets value assessment, threat identification, and vulnerability assessment. For protection mechanism, we propose biometrics and signature as the authentication methods. The use of firewalls, intrusion detection system and encrypted data transmission is also suggested for securing data, application and network.
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfidsecconf
Menceritakan pengalaman bug hunting kerentanan clickjacking pada beberapa produk Google dan membahas beberapa teknik untuk melakukan bypass terhadap kerentanan tersebut. Serta menjelaskan clickjacking yang benar berdasarkan pengalaman pribadi
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...idsecconf
Pelanggaran privasi merupakan suatu hal yang sering ditemui dewasa ini. Salah satu penyebab pelanggaran privasi adalah adanya data privat milik pengguna yang dikirimkan pada server milik aplikasi tanpa seizin pengguna atau adanya pengumpulan data tertentu tanpa izin. Pada penelitian ini, kami menganalisis aplikasi-aplikasi yang didapatkan dari Google Play Store Indonesia untuk dicari apakah ada data privat milik pengguna yang dilanggar privasinya. Penelitian ini menggunakan tiga jenis metode yang utamanya berbasis static analysis; pendekatan reverse-engineering dengan static analysis untuk melihat apakah ada data yang berpotensi mengganggu privasi pengguna, analisis perizinan dan tracker yang dimiliki oleh aplikasi untuk melihat apakah perizinan dan tracker yang dimiliki oleh aplikasi memang tepat sesuai dengan use-case dari aplikasi tersebut, dan analisis regulasi data dengan mengambil data mengenai keamanan data yang diberikan developer ke Google Play Store. Hasil studi menunjukkan bahwa ada beberapa aplikasi yang memang mengambil data privat pengguna yang tidak relevan dengan use-case aplikasi dan mengirimnya ke server milik aplikasi dan pihak ketiga
Utian Ayuba - Profiling The Cloud Crime.pdfidsecconf
Cloud service is often part of broader strategic initiatives, principally digital transformation (DX) and cloud-first. Despite the continued rapid adoption of cloud services, security remains a crucial issue for cloud users. A majority of organizations confirm they are at least moderately concerned about cloud security. However, there is still a gap between using the cloud and the implementation of cloud security by organizations, so retains the rate of cloud crime high. Eliminating or narrowing the gap is necessary so that organizations can continue to take advantage of the cloud securely. Understanding cloud crime would aid in both cloud crime prevention and protection. The purpose of this presentation is to identify how cloud security incidents can occur from both attacker and victim sides. Organizations can use this presentation's results as a reference to develop or improve cloud security programs and eliminate or narrow the gap between cloud utilization and cloud security implementation.
Proactive cyber defence through adversary emulation for improving your securi...idsecconf
Organization using Adversary Emulation plan to develop an attack emulation and/or simulation and execute it against enterprise infrastructure. These activities leverage real-world attacks and TTPs by Threat Actor, so you can identify and finding the gaps in your defense before the real adversary attacking your infrastructure. Adversary Emulation also help security team to get more visibility into their environment. Performing Adversary Emulation continuously to strengthen and improve your defense over the time.
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidadaidsecconf
UU-ITE pasal 11 melegalkan Tanda Tangan Elektronik, membuat kedudukannya setara dengan tanda tangan basah. Implementasinya mengandalkan Infrastruktur Kunci Publik yang melibatkan beberapa organisasi dan jalinan trust. Akan di bahas gambaran umum implementasi IKP di Indonesia dan berbagai layanan yang telah beroperasi, serta sebagian aspek keamanannya.
Pentesting react native application for fun and profit - Abdullahidsecconf
React Native merupakan framework yang digunakan untuk membuat aplikasi mobile baik itu Android maupun IOS (multi platform). Framework ini memungkinkan developer untuk membuat aplikasi untuk berbagai platform dengan menggunakan basis kode yang sama, yaitu JavaScript.
Dikarenakan aplikasi ini berbasis JavaScript (client side), banyak developer yang tidak memperhatikan celah keamanan pada aplikasi. Terdapat berbagai macam celah keamanan meliputi client side dan server side. Presentasi ini memuat pengalaman saya dalam menemukan celah keamanan pada saat melakukan Penetration Testing pada aplikasi mobile berbasis React Native
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaidsecconf
Pandemi covid-19 melonjak pada gelombang ke-2 di. Untuk mengantisipasi itu pemerintah membagikan oximeter ke puskesmas. Oximeter yang ada dipasaran mengharuskan tenaga kesehatan untuk kontak langsung dengan pasien. Dengan menggunakan Hacked Oxymeter ini dapat mengurangi intensitas bertemu dengan pasien dan mengurangi resiko terpapar covid-19. Secara metodologi, hacking oximeter ini membaca output komunikasi serial pada alat oximeter untuk kemudian diolah oleh mikrokontroler dan dikirim ke MQTT broker untuk diteruskan ke klien yang membutuhkan. Alat ini digunakan oleh pasien yang sedang isoman di hotel, fasilitas Kesehatan atau rumah sakit darurat/lapangan
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...idsecconf
Eksploitasi kerentanan pada hypervisor semakin banyak diperbincangkan di beberapa tahun ini, dimulai dari kompetisi hacking Pwn2Own pada 2017 yang mengadakan kategori Virtual Machine dalam ajang lombanya, dan juga teknologi-teknologi terkini yang banyak menggunakan hypervisor seperti Cloud Computing, Malware Detection, dll. Hal tersebut menjadi ketertarikan bagi sebagian hacker, security researcher untuk mencari kelemahan dan mengeksploitasi hypervisor. Tulisan ini menjelaskan mengenai proses Vulnerability Research dan VM Escape exploitation pada VirtualBox.
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwiantoidsecconf
Proses DevSecOps saat ini banyak digunakan dikalangan industri yang membutuhkan kecepatan baik dalam pengembangan maupun implementasi. Setiap tahapan pada pipeline DevSecOps merupakan tahapan yang harus diperhatikan dan masuk kedalam pantauan SOC (Security Operation Center). Untuk itu diperlukan kemampuan SOC untuk bisa memantau setiap pipeline DevSecOps sehingga dapat memberikan gambaran kondisi keamanan pada organisasi
15. An application programming interface (API)
is an interface implemented by a software program that enables it to interact with other software.
It facilitates interaction between different software programs similar to the way the user interface
facilitates interaction between humans and computers. ( via http://en.wikipedia.org/wiki/API)
16.
17. REST Representational State Transfer
•Provide every resource with a unique ID, for example, a URI
•Link resources with each other, establishing relationships among resources
•Use standard methods (HTTP, media types, XML)
•Resources can have multiple representations that reflect different application states
•The communication should be stateless using the HTTP
22. "Giving your email account password
to a social network site so they can look
up your friends is the same thing as
going to dinner and giving your ATM card
and PIN code to the waiter when it’s time
to pay."
- oauth.net
23. we need an easy,
user-friendly standard
for third party api security
32. OAuth Terminology
• Provider is the application that exposes the secure API and user’s identity
• Consumer is the application that is written against the Provider’s API, intended
for Provider’s users.
• Users or resource owners are registered users of the Provider
• Consumer Key is an identifier for the consumer
• Consumer Secret is a shared-secret between the provider and the consumer
• Signature Methods are encryption methods used by OAuth communication.
Methods suggested are PLAINTEXT, RSA-SHA1 and HMAC-SHA1
• OAuth Endpoints are endpoints exposed by the provider to facilitate OAuth
dance
• Callback URL is an endpoint at the Consumer that is invoked by the Provider
once the user authorizes the Consumer. If none, the value is oob, or Out-of-
Band
33. Tokens
• Request Token
– Short lived identifiers which start the handshake
– Must be converted to Access Token in order to gain access
to a user’s resources
• Access Token
– Long lived identifiers that are tied to the user’s identity
– Are used to access a user’s resources (data) at the Provider
on behalf of the user
35. Get Request Token
• The endpoint provides consumers to get an unauthorized
request token by providing their consumer key and other
parameters as a signed request
• The credentials can be passed via HTTP Header, POST body or
GET QueryString
• The request includes an oauth_signature which is calculated
by following the steps defined in the spec. Use libraries
instead of writing your own signing implementations.
• The response has an unauthorized request token as well as a
token secret, and a flag indicating if the callback was
accepted.
36. Authorize Token
• The step authorizes an unauthorized request token retrieved
via previous request.
• The endpoint takes the unauthorized request token – or the
user can enter one manually if supported.
• The Authorize Token endpoint then redirects the user to the
Provider’s login page
• The user logs in, and is asked to authorize the consumer (and
hence the request token)
• Once the user authenticates, and authorizes access to the
consumer, the provider calls the callback URL provided earlier
with a verifier code. This verifier code, along with other
credentials is used to get an Access Token.
37. Get Access Token
• At this step, the now authorized request token is exchanged
for an access token
• The access token acts as a user’s credential for any further
transactions
• The endpoint takes the request token and the verifier code
returned via the callback, or manually if callback is not
supported. The request is signed with consumer secret and
the request token’s secret.
• The Provider returns an access token and a token secret.
• The token secret is used to sign the requests along with the
consumer secret.
38. Access User’s Resources
• Now that the consumer has the access token,
the user’s resources can be requested via
signed requests to the provider.
• The user should be able to unauthorize the
consumer by revoking the access token.
• The access token has a time to live which is
typically longer than the request token