Why is proper password hashing essential in protecting your users? And what is proper hashing, anyway?
I was talking at the Passwords13 Las Vegas, USA, a conference focused only on passwords & PIN codes, about various ways of storing users' passwords in a database. I was the first web developer ever to speak at this conference.
I also presented one real world example by using a dumped dataset with several hundred hashed passwords from a small local (Czech) online shop for a major clothing brand. I demonstrated that it's possible to take over user's mailbox (including a gmail.com mailbox with additional protection) by cracking passwords from this dataset simply by using an online cracking tool. That is few dozens of active mailboxes in several minutes with just a browser. I presented some stats gathered while working with this dataset – how many passwords were successfully cracked by this online tool and how many were additionally cracked using a tool called hashcat on a regular laptop. I recommended better hashing algos than just a plain SHA-1, like scrypt and bcrypt. As a bonus I added few tips like don't send passwords by email.
http://www.michalspacek.cz/prednasky/hash-store-profit-passwords
http://www.youtube.com/watch?v=5RX-qUQ0iN4
Jak jsme zlepšili zabezpečení Slevomatu.
Chceš zlepšit zabezpečení webu a nevíš kde začít a kdy skončit? Ukážu ti, co jsme udělali na Slevomatu, co všechno jsme museli vyřešit, čemu jsme se divili a co plánujeme. Třeba tě to trochu taky nakopne.
Presenting an informal lunch talk on using a password manager to handle personal internet accounts securely. Also discussing 2-factor authentication a bit. Discussion features Lastpass a little bit.
Adopting hybrid cryptography technique for reduction of network overhead in m...eSAT Journals
Abstract Mobile Ad Hoc Network is a infrastructure less network it is one of the most important and highly unusual application, which is famous among critical operations like warfare use, emergency recovery because of its self configuring nature of nodes. MANETs does not require any centralized administration, it dynamically forms a temporary network with the changing topology. Due to its open environment and irregular distribution of nodes MANET is vulnerable to malicious attack hence a new intrusion detection system named EAACK is introduced. This scheme demonstrates the complexity of malicious behavior detection rate in certain situations without greatly affecting the network performance. EAACK is a acknowledgment based intrusion detection system it is required to ensure that all the acknowledgment packets are authentic and unattained hence all the packets are signed digitally before they are sent out and till the receiver accepts, due to the usage of both digital signature and acknowledgment packet it causes a great network overhead. This paper proposes and enforces a hybrid cryptography technique in order to minimize the network overhead caused by digital signature. Keywords: EAACK, Hash algorithm, Wi_max 802.16, Caesar cipher, XOR cipher, XTEA.
Jak jsme zlepšili zabezpečení Slevomatu.
Chceš zlepšit zabezpečení webu a nevíš kde začít a kdy skončit? Ukážu ti, co jsme udělali na Slevomatu, co všechno jsme museli vyřešit, čemu jsme se divili a co plánujeme. Třeba tě to trochu taky nakopne.
Presenting an informal lunch talk on using a password manager to handle personal internet accounts securely. Also discussing 2-factor authentication a bit. Discussion features Lastpass a little bit.
Adopting hybrid cryptography technique for reduction of network overhead in m...eSAT Journals
Abstract Mobile Ad Hoc Network is a infrastructure less network it is one of the most important and highly unusual application, which is famous among critical operations like warfare use, emergency recovery because of its self configuring nature of nodes. MANETs does not require any centralized administration, it dynamically forms a temporary network with the changing topology. Due to its open environment and irregular distribution of nodes MANET is vulnerable to malicious attack hence a new intrusion detection system named EAACK is introduced. This scheme demonstrates the complexity of malicious behavior detection rate in certain situations without greatly affecting the network performance. EAACK is a acknowledgment based intrusion detection system it is required to ensure that all the acknowledgment packets are authentic and unattained hence all the packets are signed digitally before they are sent out and till the receiver accepts, due to the usage of both digital signature and acknowledgment packet it causes a great network overhead. This paper proposes and enforces a hybrid cryptography technique in order to minimize the network overhead caused by digital signature. Keywords: EAACK, Hash algorithm, Wi_max 802.16, Caesar cipher, XOR cipher, XTEA.
Would you voluntarily share how your web app stores passwords? Some companies indeed do share, for example Facebook and LastPass to name just a few. Some share involuntarily. Some don't share at all because they feel that it will make them more vulnerable. Here's why you should do that and how.
Ukládáš hesla do databáze jen tak, v čitelné podobě? Nebo používáš MD5? Nebo snad SHA-1? Vsadím se, že nevíš, co je to salt. Taky tajně doufám, že neposíláš hesla e-mailem. Jednoho krásného dne se někde na webu objeví obsah databáze tvojí webové aplikace a její uživatelé nebudou mít radost. Nevystavuj je zbytečnému nebezpečí a raději si rezervuj místo v první řadě a já ti ukážu, jak se se svým webem nedostat do hlavního zpravodajství TV Nova.
Zajímá vás správné ukládání hesel? Přijďte si o tom popovídat na školení Bezpečnost PHP aplikací: http://www.michalspacek.cz/skoleni/bezpecnost-php-aplikaci
Bezpečnostní útoky na webové aplikace, Čtvrtkon 5Michal Špaček
Útoků na webové aplikace existují desítky. Představíme si tři základní, ukážeme si, jak takový útok provést a jak webovou aplikaci proti danému útoku zabezpečit. Na závěr si ukážeme, jak bezpečně ukládat uživatelská hesla a pár špeků, kterým byste se měli obloukem vyhnout.
Hybrid Cryptography with examples in Ruby and GoEleanor McHugh
The document describes hybrid cryptography, which combines asymmetric and symmetric encryption. It provides an example workflow of how hybrid encryption works, including encrypting a message with a symmetric key, encrypting the symmetric key with the receiver's public key, sending both to the receiver, decrypting the symmetric key with their private key, and decrypting the message with the symmetric key. It then provides a Ruby code example to demonstrate hybrid encryption of a text string.
Este documento proporciona instrucciones para configurar Exchange 2010 con Thunderbird y DavMail. Explica cómo configurar los parámetros de DavMail, incluidas las opciones de correo electrónico, calendario, libreta de direcciones y registro. También describe cómo configurar Thunderbird para usar IMAP, SMTP, CalDAV y LDAP a través de DavMail para acceder a Exchange.
Información sobre los proyectos de introducción de alimentos agroecológicos en comedores escolares en las Islas Canarias, relacionados con el III Seminario de Experiencias en Circuitos Cortos de Comercialización organizado por Ecologistas en Acción en octubre de 2014 en Rivas Vaciamadrid (Madrid)
El documento es una invitación a un bautizo el 13 de diciembre de 6-9pm en 345 3rd Street, Red Suite en Altington, Washington. Se solicita confirmar la asistencia antes del 23 de noviembre contactando a Stephanie Bourne por correo electrónico o teléfono.
El documento habla sobre la música y cómo puede transmitir emociones y sentimientos. Invita al lector a compartir la presentación con amigos si les gustó y también ofrece la opción de suscribirse a un boletín para recibir más presentaciones de forma gratuita por correo electrónico.
The document discusses how life has become more dependent on internet-connected devices and online services. It introduces Onubha as a communications gateway that can manage internet traffic, content delivery, security, and infrastructure resources. Onubha's components include a deep packet analyzer, bandwidth controller, firewall, SMS and voice capabilities. It aims to help organizations navigate the changing context of digital communications.
Introdução aos escritos de Francisco de Assis. Extraído de http://www.estef.edu.br/arno/wp-content/uploads/2011/07/Escritos-o-caminho-at%C3%A9-Francisco.pdf acesso em 22 jul. 2011.
Mibelle AG Bioquímica tiene el producto "Extract 800B323.I" que podría tener un efecto en la vida útil de los folículos pilosos humanos.
BIOalternatives llevaron a cabo un ensayo experimental con el fin de estudiar los efectos de supervivencia de pelo utilizando folículos pilosos humanos obtenidos por microdisección a partir de fragmentos de piel humana (lifting facial). la viabilidad, la longitud y la morfología de la raíz del pelo se analizaron en diversos momentos.
The document provides information about Bhartiya Pashupalan Nigam Limited (BPNL), an organization established by the Government of India to promote commercialization of traditional animal husbandry. [BPNL] aims to set up Pashu Seva Kendras (PSKs) or Animal Service Centers across villages in India to provide livestock farmers training, quality inputs, and healthcare services. PSK managers will play a key role in operating the centers, creating awareness about modern practices, and ensuring access to inputs for farmers. The application form seeks details from interested individuals to set up and manage PSKs to achieve BPNL's goals.
Víceúrovňová obrana vysvětlená na Cross-Site ScriptinguMichal Špaček
Jak se pomocí více úrovní obrany bránit proti notoricky známému útoku Cross-Site Scripting (XSS). Jaké vrstvy zabezpečení existují a kdy se používají. O vlastnostech prohlížečů a Content Security Policy (CSP).
Fantom Opery, "VPN" a Secure Proxy v OpeřeMichal Špaček
Jak jsem pomocí prohlížeče přišel na to, že Opera VPN není VPN aneb co všechno na sebe Chrome prozradí v chrome://net-internals/ a jak to můžete použít pro ladění nebo zkoumání různých udělátek a extenzí.
Jak zlepšit zabezpečení čtvrtiny celého webuMichal Špaček
WordPress prý používá 27 % webu. Na následujících slajdech bych chtěl naznačit, co bychom ve WordPressu mohli zlepšit z pohledu bezpečnosti,protože když to uděláme, tak se zvýší zabezpečení poměrně hodně webů. Já vím, ne všichni aktualizují, ale o tom někdy jindy.
Would you voluntarily share how your web app stores passwords? Some companies indeed do share, for example Facebook and LastPass to name just a few. Some share involuntarily. Some don't share at all because they feel that it will make them more vulnerable. Here's why you should do that and how.
Ukládáš hesla do databáze jen tak, v čitelné podobě? Nebo používáš MD5? Nebo snad SHA-1? Vsadím se, že nevíš, co je to salt. Taky tajně doufám, že neposíláš hesla e-mailem. Jednoho krásného dne se někde na webu objeví obsah databáze tvojí webové aplikace a její uživatelé nebudou mít radost. Nevystavuj je zbytečnému nebezpečí a raději si rezervuj místo v první řadě a já ti ukážu, jak se se svým webem nedostat do hlavního zpravodajství TV Nova.
Zajímá vás správné ukládání hesel? Přijďte si o tom popovídat na školení Bezpečnost PHP aplikací: http://www.michalspacek.cz/skoleni/bezpecnost-php-aplikaci
Bezpečnostní útoky na webové aplikace, Čtvrtkon 5Michal Špaček
Útoků na webové aplikace existují desítky. Představíme si tři základní, ukážeme si, jak takový útok provést a jak webovou aplikaci proti danému útoku zabezpečit. Na závěr si ukážeme, jak bezpečně ukládat uživatelská hesla a pár špeků, kterým byste se měli obloukem vyhnout.
Hybrid Cryptography with examples in Ruby and GoEleanor McHugh
The document describes hybrid cryptography, which combines asymmetric and symmetric encryption. It provides an example workflow of how hybrid encryption works, including encrypting a message with a symmetric key, encrypting the symmetric key with the receiver's public key, sending both to the receiver, decrypting the symmetric key with their private key, and decrypting the message with the symmetric key. It then provides a Ruby code example to demonstrate hybrid encryption of a text string.
Este documento proporciona instrucciones para configurar Exchange 2010 con Thunderbird y DavMail. Explica cómo configurar los parámetros de DavMail, incluidas las opciones de correo electrónico, calendario, libreta de direcciones y registro. También describe cómo configurar Thunderbird para usar IMAP, SMTP, CalDAV y LDAP a través de DavMail para acceder a Exchange.
Información sobre los proyectos de introducción de alimentos agroecológicos en comedores escolares en las Islas Canarias, relacionados con el III Seminario de Experiencias en Circuitos Cortos de Comercialización organizado por Ecologistas en Acción en octubre de 2014 en Rivas Vaciamadrid (Madrid)
El documento es una invitación a un bautizo el 13 de diciembre de 6-9pm en 345 3rd Street, Red Suite en Altington, Washington. Se solicita confirmar la asistencia antes del 23 de noviembre contactando a Stephanie Bourne por correo electrónico o teléfono.
El documento habla sobre la música y cómo puede transmitir emociones y sentimientos. Invita al lector a compartir la presentación con amigos si les gustó y también ofrece la opción de suscribirse a un boletín para recibir más presentaciones de forma gratuita por correo electrónico.
The document discusses how life has become more dependent on internet-connected devices and online services. It introduces Onubha as a communications gateway that can manage internet traffic, content delivery, security, and infrastructure resources. Onubha's components include a deep packet analyzer, bandwidth controller, firewall, SMS and voice capabilities. It aims to help organizations navigate the changing context of digital communications.
Introdução aos escritos de Francisco de Assis. Extraído de http://www.estef.edu.br/arno/wp-content/uploads/2011/07/Escritos-o-caminho-at%C3%A9-Francisco.pdf acesso em 22 jul. 2011.
Mibelle AG Bioquímica tiene el producto "Extract 800B323.I" que podría tener un efecto en la vida útil de los folículos pilosos humanos.
BIOalternatives llevaron a cabo un ensayo experimental con el fin de estudiar los efectos de supervivencia de pelo utilizando folículos pilosos humanos obtenidos por microdisección a partir de fragmentos de piel humana (lifting facial). la viabilidad, la longitud y la morfología de la raíz del pelo se analizaron en diversos momentos.
The document provides information about Bhartiya Pashupalan Nigam Limited (BPNL), an organization established by the Government of India to promote commercialization of traditional animal husbandry. [BPNL] aims to set up Pashu Seva Kendras (PSKs) or Animal Service Centers across villages in India to provide livestock farmers training, quality inputs, and healthcare services. PSK managers will play a key role in operating the centers, creating awareness about modern practices, and ensuring access to inputs for farmers. The application form seeks details from interested individuals to set up and manage PSKs to achieve BPNL's goals.
Víceúrovňová obrana vysvětlená na Cross-Site ScriptinguMichal Špaček
Jak se pomocí více úrovní obrany bránit proti notoricky známému útoku Cross-Site Scripting (XSS). Jaké vrstvy zabezpečení existují a kdy se používají. O vlastnostech prohlížečů a Content Security Policy (CSP).
Fantom Opery, "VPN" a Secure Proxy v OpeřeMichal Špaček
Jak jsem pomocí prohlížeče přišel na to, že Opera VPN není VPN aneb co všechno na sebe Chrome prozradí v chrome://net-internals/ a jak to můžete použít pro ladění nebo zkoumání různých udělátek a extenzí.
Jak zlepšit zabezpečení čtvrtiny celého webuMichal Špaček
WordPress prý používá 27 % webu. Na následujících slajdech bych chtěl naznačit, co bychom ve WordPressu mohli zlepšit z pohledu bezpečnosti,protože když to uděláme, tak se zvýší zabezpečení poměrně hodně webů. Já vím, ne všichni aktualizují, ale o tom někdy jindy.
Pár praktických ukázek, ve kterých ukážu, proč se věnovat zabezpečení e-shopů a co se stane, když se na to vykašlete. A že když to budete řešit, až se když se něco bude dít, tak už může být pozdě.
Securitas, res publica.
V posledních pár letech se s bezpečnostními incidenty roztrhl pytel. Tady unikl seznam uživatelů, tady i jejich hesla, tady jen jejich objednávky. V této přednášce spojíme moje dvě oblíbená rčení a to, že každý web je dostatečně dobrý na hacknutí a že opakování je matkou moudrosti. Zopakujeme si, koho už u nás hacknuli a poněvadž by to byla nekonečně dlouhá přednáška, tak se raději zaměříme jen na zveřejněné případy.
Bezpečnost, věc veřejná.
… a chtělo svoje útoky zpět. Útok Cross-Site Scripting (XSS) byl poprvé popsán v roce 1999 a od té doby je tu stále s námi. Proč je tak nebezpečný a jak se mu bránit, když to vývojáři evidentně nezvládají?
Jako odborníci v IT už asi víte, že máte používat nějaký password manager, že? Ale jaký a jaké jsou rozdíly mezi nimi? A v čem se liší 1Password od LastPassu, tedy kromě ceny?
Operations security (OPSEC) is a term originating in U.S. military jargon. In IT, it says what to do to protect your servers, developers, information, and other resources. Targeting developers, new trend in computer security, is becoming increasingly common because they usually have access to production servers and other critical infrastructure.
Lehce osvětová přednáška o tom, proč by HTTPS mělo být úplně všude, nejen na přihlašovacím formuláři. A že šifrování není jenom o HTTPS. Jako obvykle si něco i ukážeme.
HTTP Strict Transport Security (HSTS), English versionMichal Špaček
HTTP Strict Transport Security (HSTS) provides secure transport of data, by removing the possibility of HTTPS stripping. HSTS is an HTTP header issued by the server. After receiving such header, the browser will perform internal redirects from http:// to https:// for given amount of seconds.
Základy webové bezpečnosti pro PR a marketingMichal Špaček
Na dotazy ohledně ukládání hesel raději odpovídejte až zhlédnutí této přednášky. Proč je důležité správné ukládání hesel a co se pod tím vlastně skrývá? Nebojte se, do zbytečných technických detailů zabíhat nebudeme. Podíváme se také na šifrovaný přenos přihlašovacích údajů, bezpečnostní otázky a na příkladech si ukážeme špatné odpovědi na různé zapeklité otázky ohledně zabezpečení některých webů. Po této přednášce byste měli vědět, jak na sociálních sítích správně odpovídat nejen na moje dotazy.
I forgot my password – what a secure password reset needs to have and whyMichal Špaček
Users often forget their passwords, so applications often must have a password reset mechanism. There are several options for how to do it; some of them are good, most of them not so good. Generate a password and send it in an email? No. Security questions? No way. Reset passwords via a phone call? Rather not. This talk presents some really creative examples of botched password reset implementations, as well as a proven method for resetting passwords securely.
Jak vytvářet hesla, co je to password manager a proč ho nutně potřebujete.
Zapomínáte hesla? Já taky ne. Používáte heslo pro přístup k vašemu emailu i pro přístup k jiným službám? Pokud ano, tak to není moc dobrý nápad. Prozradím vám, jak to dělat lépe.
HTTP Strict Transport Security (HSTS), zajistí zabezpečený „převoz“ informací bez možnosti odstranění HTTPS (SSL Strip). HSTS je HTTP hlavička, kterou posílá server. Browser poté bude po X sekund interně přesměrovávat http:// na https://.
Víte, že nevíte, že já vím, že nevíte? (WebTop100 2014)Michal Špaček
Víte, že nevíte, že já vím, že nevíte?
Po přednášce už budete vědět. Ukážu vám pár chyb, které možná již znáte, jen netušíte, že kvůli nim zrovna váš web opouští data vaše nebo vašich uživatelů. A že budete bezpečnost webu řešit až se něco stane a že se ještě nic nestalo? Jasně, tak hlavně přijďte :-)
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
The Microsoft 365 Migration Tutorial For Beginner.pptxoperationspcvita
This presentation will help you understand the power of Microsoft 365. However, we have mentioned every productivity app included in Office 365. Additionally, we have suggested the migration situation related to Office 365 and how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframePrecisely
Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market.
Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
5th LF Energy Power Grid Model Meet-up SlidesDanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor IvaniukFwdays
At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/how-axelera-ai-uses-digital-compute-in-memory-to-deliver-fast-and-energy-efficient-computer-vision-a-presentation-from-axelera-ai/
Bram Verhoef, Head of Machine Learning at Axelera AI, presents the “How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-efficient Computer Vision” tutorial at the May 2024 Embedded Vision Summit.
As artificial intelligence inference transitions from cloud environments to edge locations, computer vision applications achieve heightened responsiveness, reliability and privacy. This migration, however, introduces the challenge of operating within the stringent confines of resource constraints typical at the edge, including small form factors, low energy budgets and diminished memory and computational capacities. Axelera AI addresses these challenges through an innovative approach of performing digital computations within memory itself. This technique facilitates the realization of high-performance, energy-efficient and cost-effective computer vision capabilities at the thin and thick edge, extending the frontier of what is achievable with current technologies.
In this presentation, Verhoef unveils his company’s pioneering chip technology and demonstrates its capacity to deliver exceptional frames-per-second performance across a range of standard computer vision networks typical of applications in security, surveillance and the industrial sector. This shows that advanced computer vision can be accessible and efficient, even at the very edge of our technological ecosystem.
What is an RPA CoE? Session 1 – CoE VisionDianaGray10
In the first session, we will review the organization's vision and how this has an impact on the COE Structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyScyllaDB
Freshworks creates AI-boosted business software that helps employees work more efficiently and effectively. Managing data across multiple RDBMS and NoSQL databases was already a challenge at their current scale. To prepare for 10X growth, they knew it was time to rethink their database strategy. Learn how they architected a solution that would simplify scaling while keeping costs under control.
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Password hash, store, profit - Passwords13
1. Michal Špaček, Passwords13, Las Vegas
www.michalspacek.cz @spazef0rze
1.1. HashHash
2.2. StoreStore
3.3. ……
4.4. Profit!Profit!
2. Why is proper password hashing essential in protecting your users? And what is proper
hashing, anyway? Every year we see a major web site exposing user accounts including e-mails
and passwords due to various security issues. Besides these big names there's a lot of smaller
leaks which nobody really cares about. Except the guys looking for accounts to have fun with.
Leaking users login credentials has fatal consequences and I'll show you why and how
to avoid it. Let's have a look at a website of a local though expanding Czech outdoor wear brand.
3. Michal Špaček @spazef0rze
One of the websites this company runs once had a robots.txt file which looked exactly like this.
The tmp directory had listing enabled so humans (not robots) could download the files including
a backup of the user database. No SQL injection attack needed, it's passwords on a silver platter.
4. Michal Špaček @spazef0rze
323 usernames & emails
+
passwords (SHA-1, no salt)
The total amount of user accounts was quite low, nothing to compare to the 32 million
passwords from the infamous RockYou leak from 2009. Unlike the RockYou passwords which
were stored in readable plaintext form, these passwords were hashed using SHA-1 but not salted.
5. Michal Špaček @spazef0rze
323 usernames & emails
+
passwords (SHA-1, no salt)
crackstation.net
Instead of cracking the passwords myself I took a different approach. Is it possible to crack the
passwords using just a browser and some third-party service so that anyone with access to
the leaked data and virtually no knowledge of how to crack passwords can actually crack them?
6. Michal Špaček @spazef0rze
crackstation.net
111 cracked passwords
Using one such online service I was able to recover 111 passwords from the whole data set in
few minutes thanks to massive pre-computed lookup tables the site uses. The site employs
CAPTCHA which renders the site unusable for cracking larger data sets, but that wasn't the case.
7. Michal Špaček @spazef0rze
exoddus
Tbvfs1
9plams
P1ll3d
Neznašov
These are some of the passwords the CrackStation site was able to find in its huge dictionary of
words and other strings. The last one is a name of a Czech village and the P1ll3d password meets
password criteria for most of the web sites: has at least 6 characters, one capital and some digits.
8. Michal Špaček @spazef0rze
111 cracked passwords
52 accounts with
…@seznam.cz
Out of that 111 cracked passwords 52 belonged to accounts having an e-mail address hosted at
seznam.cz. Seznam is a major local search engine in the Czech Republic and also provides e-mail
services. Actually, Czech Republic is one of the few countries where local player beats Google.
9. Michal Špaček @spazef0rze
52 accounts with …@seznam.cz
How many passwords to the
…@seznam.cz mailbox itself?
In total there were 165 accounts with e-mail hosted at seznam.cz and I wanted to find out how
many of those 52 cracked passwords were used also to access the mailboxes. Worth noting is
that after finding the data I've notified the owner of the site and recommended them to tell their
users to change their passwords and that I first ran this test 6 months after the data leaked. I've
re-run the same test 10 months after the leak only to find out that not a single user actually have
changed their password. Whether they were really told to do so is something I don't know.
10. Out of 52 passwords I've recovered using the CrackStation service, 9 of them were also used
to access the mailbox hosted at seznam.cz. That's 9 users re-using their e-mail password
elsewhere and especially to sign in to this e-shop. Gaining access to the mailbox is fatal
because it contains messages from other sites sending login credentials after signing up (which
nobody changes afterwards) and also because most sites send password reset links via e-mail
or even send the password itself so hijacking or getting access to other services is quite possible.
11. Michal Špaček @spazef0rze
…@email.cz 2 out of 9
…@centrum.cz 3 out of 9
…@gmail.com 1 out of 15
And with access to 9 seznam.cz mailboxes it does not stop. Out of 9 email.cz users just a few
were re-using the password. Accessing the Gmail account was bit challenging as Google has
correctly detected that by using Tor anonymising tool I've come from an unusual location.
12. So Gmail asked for some confirmation that it's really me trying to sign in and wanted me to
provide a phone number of that particular user. Well, who else than me would be me, so I said
"Google, maybe you already know" and googled that number right away. Nice try, Google.
13. Michal Špaček @spazef0rze
hashcat
164 more cracked passwords
I've run the rest of the passwords through the hashcat password cracker and I got 164 more
cracked passwords leaving 48 of them uncracked. The tool was running for a week or so before
I've interrupted it. My cracking rig was a regular laptop so hashcat used only the CPU with AVX.
14. Michal Špaček @spazef0rze
164 more cracked passwords
2 also used for mailbox
Interesting fact is that out of these hashcat-cracked passwords, only 2 of them were used also
for mailbox access. Seems that majority of people and mainly mailboxes in this case used
passwords which are already known and added to a dictionary used by the CrackStation service.
15. Email Password!
The reason why people are re-using their e-mail password at other web sites might be the web
applications themselves. Look at the sign-up fields above. Users will enter their e-mail password
just because the form says so. It'd better have a note saying "Don't use your email password".
16. Storing user passwords in your database in a wrong way will put your users in real danger. The
attacker can gain access to multiple web sites by attacking just one unsafe password storage. My
wild guess is that 50% of you are storing the passwords in a bad way. No, not you. The other you.
17. Michal Špaček @spazef0rze
in readable form
(in plaintext form)
But what does it mean, to store passwords in a wrong way? The simplest form of unsafe
password storage is plaintext storage. That is to store the password just like it arrived from the
browser. No hashing, that's a rude word. "The application is fully secured". Yeah, no worries.
18. If you store passwords just like that then this friendly guy will drop by your web application one
day. Just don't do it, don't store passwords just like that, in readable plaintext form.
If somebody will somehow access your database or find backups, your users' data are in danger.
19. Michal Špaček @spazef0rze
MD5(password)
SHA-1(password)
CRC32(password)
By now you've definitely heard about password hashing – running a password through a hashing
function before storing it to a database. That's the right thing to do although not entirely. There
are better and worse password hashing functions. And even the better ones can be used wrongly.
20. So MD5, SHA-1 and CRC32 are not the password hashing functions you are looking for, especially
when used as shown before. You've seen a case in the beginning where passwords were hashed
using SHA-1 but it wasn't enough to keep them safe and passwords were easily cracked. So it's no.
21. And it's no not just because MD5 and SHA-1 can be quickly cracked but also because there are
online pre-computed lookup tables of different MD5 and SHA-1 hashes mapped to their original
strings. If your hashes are not salted, a lot of passwords can be recovered by just googling them.
22. If these pre-computed lookup tables are not enough to recover the password then maybe a special
password cracker utilizing a GPU or two will help. In 2012, Jeremi Gosney built a cluster with 25
GPUs capable of trying 180 billion combinations/sec against the MD5 hash. Yes, that's a computer.
23. This year Jeremi got his Christmas presents early. Looking at the massive computing power he's
got there on the table almost ready to crack your passwords one by one we can only assume that
storing MD5 or SHA-1 hashed passwords equals to storing them in plaintext. Don't. Do. That.
25. The function call loop should be executed at least several thousand times. It also much depends
on the algorithm used. If you use MD5 for multiple hashing the total count of collisions found by
method called tunnelling gets higher. And I hate tunnels. You know, they're too underground.
26. From all the things presented so far it's obvious that we need a slow hashing function. Well,
kinda slow. The time required for hashing a password should be long enough to make brute-force
attack take forever but short enough so that the server can respond to other requests as well.
27. Michal Špaček @spazef0rze
MD5(password + salt)
SHA-1(password + salt)
If you've heard about password hashing, you've definitely heard about a salt too. Using salt
when hashing passwords is essential. Random and unique salt can be stored in readable form in
the database and the main purpose of salting is to prevent the attacker to use pre-computed hash
lookup tables and to make finding users with same passwords impossible. With no salt, two
identical passwords would have identical hashes and that's easy to spot, so salted hashes prevent
a Birthday Attack. The example above is a common way of salting, but still uses fast hashes.
28. Password cracking tools like the Hashcat directly support this simple concatenation and as the
attacker has both hash and the salt from the database, cracking salted passwords by brute-force or
dictionary attacks means no real problem for them. Speed-wise, it's just like there was no salt
used. But as stated earlier the main task for the salt is to prevent Birthday Attacks and querying
pre-computed lookup tables and that means it does not matter that much. Just a lil bit.
29. Michal Špaček @spazef0rze
HMAC(password, salt)
hash_hmac(sha512, password, salt)
Slightly better salting is implemented in HMAC (Hash-based Message Authentication Code)
algorithm. First, XOR is applied to the salt, then the salt is concatenated to the password, hashed
and then once again. It could be used for password hashing if slow hashing function is used.
30. The choice of slow hashing function is important but even the SHA-512 is just 10× slower than
SHA-256, 30× slower than SHA-1 and 80× slower than MD5. So not that slow. Ultimately, HMAC is
not the best choice for secure password hashing. But… there must be something better.
31. Michal Špaček @spazef0rze
bcrypt!
Blowfish hashing
Oh, yeah, there is! One such algorithm is bcrypt, sometimes also called Blowfish hashing. The
function is relatively slow, has built-in support for salt and even multiple hashing. The algorithm
has a parameter called cost which says how long the whole password hashing thing should take.
32. Michal Špaček @spazef0rze
crypt() salt=$2y$…
password_hash()
password_verify()
In PHP, bcrypt is supported by the crypt(), if salt is prefixed with $2y$. This prefix is supported
starting with PHP 5.3.7, don't use earlier versions. Also, don't use $2a$ and $2x$ prefixes.
PHP 5.5 brings nice functions for password hashing, also available as a library for older versions.
33. Michal Špaček @spazef0rze
scrypt
PBKDF2
Some other good password hashing algorithms include scrypt and PBKDF2 (Password-Based
Key Derivation Function 2). scrypt is far more secure against hardware brute-force attacks than
bcrypt by using much more memory, but is available for PHP only as a third-party extension or
library. Beginning with PHP 5.5 built-in function hash_pbkdf2() is also available but the rule
here is to use scrypt for password hashing whenever you can. If you can't, use bcrypt. Use
PBKDF2 only if you can't use bcrypt (and you always can) and don't use anything else.
34. Never send passwords in e-mail messages. Never, not even after sign-up. Users don't change
passwords, they use the original generated one and they keep them in their mailbox. And as
you've seen, mailbox is not a secure storage in the long term. All a user has to do to get into
troubles is to lose their smartphone or laptop. Also, e-mails are routed through servers with
mostly unencrypted drives and they usually talk to each other using unencrypted connections.
To add an extra layer of protection encrypt the hash and the salt with a symmetric cipher
such as AES-256. Once the application is hit with an SQL Injection or similar attack the key stored
in the configuration remains secret and the hashes can't be decrypted easily so passwords cannot
be cracked. Encryption won't help if the system is fully compromised and attacker gains access to
the key as well but that's not the case very often. Passwords in your database are still properly
hashed making them safe, but anything you can do to make attacker's life harder is a good thing.
35. There's more than just a password hashing to make passwords secure. Never transmit passwords
from the browser over plain HTTP, use HTTPS to prevent wiretapping. Also use a certificate signed
by a trusted certification authority so that users don't see those strange warnings. The form with
a password input field should also be transferred over HTTPS to make sure the attacker can't
change the action attribute of the form or inject some malicious JavaScript stealing passwords.
36. Never send passwords in e-mail messages. Never, not even after sign-up. Users don't change
passwords, they use the original generated one and they keep them in their mailbox. And as
you've seen, mailbox is not a secure storage in the long term. All a user has to do to get into
troubles is to lose their smartphone or laptop. Also, e-mails are routed through servers with
mostly unencrypted drives and they usually talk to each other using unencrypted connections.
37. If your site has a Forgotten password feature never send the password by e-mail. You don't know
the password anyway because you keep only hashes in your database, right? Only send a link
which will expire in one hour, with a random token which is different for every password reset
attempt. The link will take the user to a page where they can set their new password. Again, do not
send the new password by e-mail. If your site allows users to register multiple accounts with one
e-mail address always display the same message whenever user enters correct e-mail address for
resetting the password or not. This way the attacker can't enumerate e-mails in your database.
Rychlosti hashovacích funkcí viz oclHashcat benchmarking: http://thepasswordproject.com/oclhashcat_benchmarking
CRYPT_BLOWFISH security fix details: http://www.php.net/security/crypt_blowfish.php password_* funkce pro PHP 5.3.7 a novější: https://github.com/ircmaxell/password_compat