This document summarizes security issues with single sign-on systems like OpenID and provides recommendations. It describes 7 attacks that can occur: (1) observing username/password combinations, (2) choosing misleading URLs, (3) exploiting weaknesses in crypto protocols, (4) phishing through malicious sites, (5) privacy issues from sharing login data, (6) replay attacks despite nonces, and (7) cross-site request forgery. While having a single sign-on is useful, the document argues flexibility must be reduced and security strengthened to prevent these attacks, such as using client certificates. Overall, OpenID can work but needs more focus on privacy and security issues.
In my interactions in various cyber security seminars and meets,I always come across a set of users who have a "I Don't care attitude" if I try to tell them to avoid getting hacked.They say that "I don't have anything to loose..they can take my pics and passwords...their is nothing I will loose if my PC is compromised".So this presentation is for info to such guys of how deep the effect is in your life!!!!!!!
As long as we’ve been using the internet, and way before that, we have been authenticating through some sort of username and password combination. It has become the standard. With the ever increasing number of web-apps, we’re seeing more and more data breaches as well. What if we could build our authentication processes in a way the user doesn’t need a password?
In my interactions in various cyber security seminars and meets,I always come across a set of users who have a "I Don't care attitude" if I try to tell them to avoid getting hacked.They say that "I don't have anything to loose..they can take my pics and passwords...their is nothing I will loose if my PC is compromised".So this presentation is for info to such guys of how deep the effect is in your life!!!!!!!
As long as we’ve been using the internet, and way before that, we have been authenticating through some sort of username and password combination. It has become the standard. With the ever increasing number of web-apps, we’re seeing more and more data breaches as well. What if we could build our authentication processes in a way the user doesn’t need a password?
Talk written in partnership with Guy Podjarny
When a user opens Facebook, he wants to post a picture. When she logs into her bank, she wants to see her balance. For our users, security is not front of mind. If it gets in their way – they’re likely to look for a shortcut or skip it entirely. And yet, we consistently push security decisions to users, ranging from passwords to security warnings, usually resulting in an experience that’s neither usable nor secure.
This talk shares examples that aspire to solve the problem, best practices, and discusses how to provide a secure experience that doesn’t alienate users.
As long as we’ve been using the internet, and way before that, we have been authenticating through some sort of username and password combination. It has become the standard. With the ever increasing number of web-apps, we’re seeing more and more data breaches as well. What if we could build our authentication processes in a way the user doesn’t need a password?
As long as we’ve been using the internet, and way before that, we have been authenticating through some sort of username and password combination. It has become the standard. With the ever increasing number of web-apps, we’re seeing more and more data breaches as well. What if we could build our authentication processes in a way the user doesn’t need a password?
BROWSEO is a web app that allows you to view any webpage without distractions caused by styles. It also highlights parts of a page that are relevant for SEO.
This presentation covers a lot of topics related to personal internet security. Among the topics that are covered are:
- Password Management and how to create strong passwords
- Two factor authentication and bio-metrics
- Social Engineering and Personalized Attacks
- Online Trackers
- Instant Messaging Apps
- WIFI Security
- Mobile Security
- Online Payments
Présentation concise de OpenId et comment l'utiliser. Ce document est sous licence Creative Commons Canada http://creativecommons.org/licenses/by-nc-sa/2.5/ca/
SAML, Open ID et CAS dans un seul WebSSO : LemonLDAP::NGClément OUDOT
SAML, Open ID et CAS dans un seul WebSSO : LemonLDAP::NG
at Solutions Linux / Open Source
LemonLDAP::NG est un logiciel libre de WebSSO et de contrôle d'accès aux applications Web. C'est également un fournisseur d'identités SAML, CAS et OpenID.
Vous découvrirez lors de cette conférence comment il est possible de s'affranchir de la gestion du mot de passe de ses utilisateurs, en déléguant l'authentification et les contrôle d'accès à une application à un produit de WebSSO.
Cela permet d'intégrer l'application sans effort dans des systèmes d'informations hétérogènes, en reposant sur des méthodes aussi diverses que les annuaires LDAP, les bases de données, les certificats SSL, Kerberos, etc.
La fonctionnalité de fournisseur d'identité permet également d'établir un cercle de confiance, pour par exemple propager l'authentification des utilisateurs aux applications “cloud”, comme Google Apps ou SalesForce.
Don't miss the next year of Marketing Festival Brno - http://www.marketingfestival.cz
You can also buy a video of this presentation at marketingfestival.cz
Talk written in partnership with Guy Podjarny
When a user opens Facebook, he wants to post a picture. When she logs into her bank, she wants to see her balance. For our users, security is not front of mind. If it gets in their way – they’re likely to look for a shortcut or skip it entirely. And yet, we consistently push security decisions to users, ranging from passwords to security warnings, usually resulting in an experience that’s neither usable nor secure.
This talk shares examples that aspire to solve the problem, best practices, and discusses how to provide a secure experience that doesn’t alienate users.
As long as we’ve been using the internet, and way before that, we have been authenticating through some sort of username and password combination. It has become the standard. With the ever increasing number of web-apps, we’re seeing more and more data breaches as well. What if we could build our authentication processes in a way the user doesn’t need a password?
As long as we’ve been using the internet, and way before that, we have been authenticating through some sort of username and password combination. It has become the standard. With the ever increasing number of web-apps, we’re seeing more and more data breaches as well. What if we could build our authentication processes in a way the user doesn’t need a password?
BROWSEO is a web app that allows you to view any webpage without distractions caused by styles. It also highlights parts of a page that are relevant for SEO.
This presentation covers a lot of topics related to personal internet security. Among the topics that are covered are:
- Password Management and how to create strong passwords
- Two factor authentication and bio-metrics
- Social Engineering and Personalized Attacks
- Online Trackers
- Instant Messaging Apps
- WIFI Security
- Mobile Security
- Online Payments
Présentation concise de OpenId et comment l'utiliser. Ce document est sous licence Creative Commons Canada http://creativecommons.org/licenses/by-nc-sa/2.5/ca/
SAML, Open ID et CAS dans un seul WebSSO : LemonLDAP::NGClément OUDOT
SAML, Open ID et CAS dans un seul WebSSO : LemonLDAP::NG
at Solutions Linux / Open Source
LemonLDAP::NG est un logiciel libre de WebSSO et de contrôle d'accès aux applications Web. C'est également un fournisseur d'identités SAML, CAS et OpenID.
Vous découvrirez lors de cette conférence comment il est possible de s'affranchir de la gestion du mot de passe de ses utilisateurs, en déléguant l'authentification et les contrôle d'accès à une application à un produit de WebSSO.
Cela permet d'intégrer l'application sans effort dans des systèmes d'informations hétérogènes, en reposant sur des méthodes aussi diverses que les annuaires LDAP, les bases de données, les certificats SSL, Kerberos, etc.
La fonctionnalité de fournisseur d'identité permet également d'établir un cercle de confiance, pour par exemple propager l'authentification des utilisateurs aux applications “cloud”, comme Google Apps ou SalesForce.
Don't miss the next year of Marketing Festival Brno - http://www.marketingfestival.cz
You can also buy a video of this presentation at marketingfestival.cz
BlackHat USA 2009 - Your Mind: Legal Status, Rights and Protecting YourselfJames Arlen
James Arlen and Tiffany Rad
As a participant in the information economy, you no longer exclusively own material originating from your organic brain; you leave a digital trail with your portable device's transmitted communications and when your image is captured by surveillance cameras. Likewise, if you Tweet or blog, you have outsourced a large portion of your memory and some of your active cognition to inorganic systems. U.S. and International laws relating to protection of intellectual property and criminal search and seizure procedures puts into question protections of these ephemeral communications and memoranda stored on your personal computing devices, in cloud computing networks, on off-shore "subpoena proof" server platforms, or on social networking sites.
Although once considered to be futuristic technologies, as we move our ideas and memories onto external devices or are subjected to public surveillance with technology (Future Attribute Screening Technology) that assesses pre-crime thoughts by remotely measuring biometric data such as heart rate, body temperature, pheromone responses, and respiration, where do our personal privacy rights to our thoughts end and, instead, become public expressions with lesser legal protections? Similarly, at what state does data in-transit or stored in implantable medical devices continuously connected to the Internet become searchable? In a society in which there is little differentiation remaining between self/computer, thoughts/stored memoranda, and international boundaries, a technology lawyer/computer science professor and a security professional will recommend propositions to protect your data and yourself.
A talk about attacks against SSL that have been uncovered in the last 3-4 years. This talk delves into about what exactly was attacked and how it was attacked and how SSL is still a pretty useful piece of technology.
This was given at null Bangalore April Meeting.
Roberto Bicchierai - Defending web applications from attacksPietro Polsinelli
Is my web application exposed? We will present a short guide for the "contemporary developer" of web apps: we will survey the critical points of our web apps, the database, session stealing, cookies. We will then review the most common attacks from DOS to XSS to CSRF and ways to defend and / or limit damages.
Account Entrapment: Forcing a Victim into an Attacker's Account. This talk answers the questions: why would anyone do this, wouldn't the victim notice, how does it work, and how do we protect against it.
Account Entrapment - Forcing a Victim into an Attacker’s AccountDenim Group
Account Entrapment: Forcing a Victim into an Attacker's Account. This talk answers the questions: why would anyone do this, wouldn't the victim notice, how does it work, and how do we protect against it. Presented by Ben Broussard, CISSP of Denim Group
Let's face it, the web can be a dangerous place. So how do you protect your users and yourself? Tony Amoyal answers that and more as he shows how Rails can help protect against miscreants.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
Do you think your home-based enterprise is too small to attract attention of hackers and cyber criminals? A hacker would be sitting behind you and follow your password over your shoulder as you are using a public Wi-Fi at Starbucks! Did you know that a pacemaker could be hacked to get personal and medical information to exploit against you for vandalism or monetary gain? The more you are unsuspecting and off-the-guard, the more you are prone to fall prey to devious schemes of cyber attacks. That’s why we created this presentation to present you everything you need to know to detect signs of cyber attacks including
- all possible risks of cyber attacks
- what’s your chances of getting hit by a hacker,
- who is targeting you
- What hackers can do?
- what type of information they are trying to steal
- Are you an Instagram addict? Get to know how your favorite social networking sites and other web-based services are exposing you to hackers
- Different types of cyber attacks
- Different types of baits, techniques and tools used by hackers
- How each type of cyber attacks works
- Do you know group of password crackers are at work in cracking your netbanking password? Check out if your password is strong and hard to crack
- What tools are they using to crack your password?
- How to verify all those banking email communications are NOT FROM YOUR BANK, but cyber attackers? Look out for these signs to distinguish between a phishing and a genuine email message.
- Are you choosing the right browser? Is your browser a staple target of hackers – here is how to choose the right browser before you get online
- Is your router doubling as a gateway for hackers to pass your information? Here is how to spot and prevent cyber attacks carried out through the router
- How to identify if you are opening a genuine or fake website? Here is how you can safeguard yourself before revealing your personal or financial data on a genuine-looking
fake website.
And many more scary facts and trends of cyber attacks covered in this presentation which can be a small handy 101 guide to keep you alert and safe online. In addition to the information and tips, we have a powerful and really effective tool to help you dodge and combat against hackers as you use Internet. If you needed an active watchdog to monitor, block and guard you from all types of online malicious activities in the background, then you cannot possibly give this a miss to find the best online safety partner for you.
Surf through the slides to find out everything you need to know and never thought you actually need… and let us know what you think. We are waiting!
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
9. One login to rule them all… … a story about reducing complexity
10.
11. Answers the who? question (authentication) are you john.doe.name? Does NOT answer the what? (authorization) is john.doe.name allowed to access this page?
29. Attack #3 - Diffie-Hellman is vulnerable to man-in-the-middle attacks! So what’s the point of using DH in the first place? The spec suggests running DH over https to improve protocol security
30. Observation #3 Home brewed crypto is a no no (or, why you should stick to https)
44. Problems with Nonces a. Not part of the OpenID spec (v1) b. Do not actually protect against active attackers!
45. Observation #6 Nonces are nonsense (or, why you must be drinking absolut kool-aid if you believe nonces will protect you against an active attacker)
46. I am secure once I am logged in though, right?
![Single Sign-On for the Internet: A Security Story [email_address] [email_address] BlackHat USA, Las Vegas 2007](https://image.slidesharecdn.com/openid-security4030/85/OpenID-Security-1-320.jpg)
![[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)