This document describes the architecture and design of OpenDNS's DNS query logging and analytics system. Key points:
- Billions of DNS queries are processed daily and stored in distributed databases and analytics systems.
- A map-reduce style processing system ingests logs, aggregates data by network, and stores results.
- Data is partitioned by network to keep tables small and optimize performance.
- A multi-stage system processes raw logs, calculates statistics, and prunes old data to optimize storage. The results are accessed via API and dashboard.
The document discusses various methods of cracking salted password hashes, including determining the hashing algorithm used based on hash length, brute forcing hashes when the salt is known, and exploiting situations where the salt is constant rather than random to facilitate cracking multiple hashes. It provides examples of insecure password hashing implementations and advises using unique random salts with each hashed password for proper security.
In 2016, the presenters co-founded the 'nomoreransom' platform to provide an answer to victims of ransomware. Supported by Amazon's AWS and Barracuda technology, they never anticipated that they had created the largest honeypot ever. In this presentation they will briefly share what nomoreransom is and how victims can use it, but above all insights into the daily attacks we are facing.
This document discusses different types of honeypots used to detect unauthorized access and malware. It provides statistics on attacks detected by the Dionaea, Kippo, and Honeydrive honeypots, including top attacking IP addresses and malware captured. Interactive portions allow the reader to access honeypot systems to observe attacks firsthand. The author analyzes the data collected and shares insights into cyber threats and how honeypots can help security analysts.
This document discusses various honeypot tools and the findings from deploying them. It begins with an introduction to honeypots and what they are used for. It then discusses specific low and high interaction honeypots like Dionaea, Kippo, Amun and Thug. For each honeypot, it provides statistics on IP addresses, login attempts, files uploaded and malware captured. It also analyzes these findings through tools like Wireshark and virus total. Overall, the document aims to educate about honeypot tools and share the results from the author's own honeypot deployments.
Doing Horrible Things with DNS - Web Directions South - Tom Croucher
Doing horrible things to DNS involves using CNAME records to create multiple domain names that resolve to the same IP addresses. This allows making a single DNS query but receiving responses for multiple domains, enabling more parallel HTTP requests. The technique involves creating a chain of CNAME records that ultimately resolve to a single canonical name, gaining the ability to load resources from different apparent hostnames while only requiring one DNS lookup.
The document discusses various cybersecurity threats such as spam, exploits, botnets, packet sniffing, scanning, social engineering, spyware, denial-of-service attacks, DNS poisoning, and brute force attacks. It then provides examples of SQL and SMTP injections and outlines steps programmers can take to help prevent code injections and other vulnerabilities.
The document discusses using Google hacking techniques to locate vulnerabilities on websites. It describes what Google hacking is, which is using Google to find sensitive information that may have been exposed due to poor web application security. It provides examples of what attackers can do with vulnerable websites, such as file inclusion, SQL injection, and arbitrary file uploads. It also discusses the Google Hacking Database (GHDB), which is a collection of Google dorks or search queries that have revealed vulnerabilities. Finally, it covers some basics of Google hacking like using the Google cache to crawl website information and using Google as a proxy server.
This document discusses computer crime laws and definitions related to cybercrime. It defines key terms like computer systems, networks, and digital data. It also describes different types of cybercrimes such as viruses, hacking, unauthorized access, and data theft. Cybercrimes can damage systems, steal information, and interfere with networks. The document emphasizes legal protections for data privacy, security, and unauthorized interception of electronic communications.
ExpertsLiveEurope: The New Era Of Endpoint Security - Alexander Benoit
Cyber Security & Defense is the emerging topic of the IT industry these days. A secure environment is no longer just a well-maintained firewall or a well-managed network. Rather, it is made up of several layers. However, most companies are "reactive" instead of "proactive", or neither, when it comes to securing their IT environments and detecting security breaches. In addition to this, the product portfolio and the security market are changing rapidly, and these changes make our jobs as IT Professionals significantly more difficult. But how can we deal with this challenge? In my session I will take a look into supposedly "obvious" security threats and how the Microsoft Cyber security stack can help to detect attackers and threats that have evaded our defenses.
The document discusses passwords and password security. It summarizes that common password practices like complexity rules and frequent changes actually decrease security by making passwords harder to remember. Instead, it recommends using very long, easy to remember passwords and only changing them when truly necessary. It also discusses how password cracking tools like rainbow tables and hashcat can crack hashed passwords, but proper defenses like salting and slow hashing functions provide effective protection.
The document discusses the upcoming release of Python 3.3, which includes a number of changes and improvements compared to previous versions. Key dates are listed for alpha, beta, and final releases of Python 3.3 between March 2012 and August 2012. Several new features or changes are briefly mentioned, such as simplifying the IOError hierarchy, adding yield from to allow subgenerators, and distinguishing between byte strings and Unicode strings.
This document summarizes key points from a presentation on password security best practices and weaknesses. It discusses how passwords are cracked using tools like hashcat that can generate billions of hashes per second on GPUs. It also explains how practices like complex rules, frequent changes and plaintext storage undermine security. The presentation argues for using long, easy to remember passwords and storing hashed passwords with salts instead of complex rules and frequent changes.
REST has become a standard for web APIs. But despite its popularity, it is full of flaws. Its successor exists, and it comes from Facebook. Come and discover in detail the principle, the implementation and the ecosystem of GraphQL.
07 application security fundamentals - part 2 - security mechanisms - data ... - appsec
This document discusses data validation concepts and best practices. It covers four core concepts: 1) whitelisting and blacklisting known good/bad values, 2) validating data length and format, 3) validating data before use in SQL, eval functions, or writing to buffers, and 4) encoding output to prevent XSS. Real world examples demonstrate how failing to validate data can enable SQL injection, XSS attacks, buffer overflows, and more. The document advocates restricting input length, whitelisting valid characters, encoding output, and using safe functions like strncpy() to avoid security issues.
Astec Australia proudly distributes the Breaker Technology Inc (BTI) line of underground mobile equipment in Australia, New Zealand, Papua New Guinea and the Western Pacific.
A name synonymous with quality and dependability, BTI (formerly Teledyne Equipment) is one of the heavy hitters when it comes to rock breaking and mobile equipment. Their line of underground mobile equipment meets all existing Tier and DPM requirements. Please see the brief descriptions of their underground mobile equipment below - accompanied by downloadable PDF brochures.
BTI's rugged, economical and utilitarian service vehicles support mine maintenance, safety, and production functions. They are configured as stand alone service vehicles (Low Profile - LP Series) or as interchangeable cassette/carrier combinations (Multi Purpose Vehicle - MPV Series).
Shotcrete Transmix Vehicle
Mine Runner
TM Series Mobile Rockbreaker
ANFO Loader
QS Series Mobile Scaler
Crane Utility Vehicle
Fuel Transfer Vehicle
Fuel Lube Truck
Personnel Carrier Vehicle
Scissor Lift Vehicle
MPV Carrier Cassette Series
Solving the Mobile Mystery: Tips for Achieving Your Content Goals on an Evolv... - Taboola
Webinar led by Taboola's Senior Content Strategist, Inbar Yagur, on the challenges that come with promoting content on mobile, and a few tips and tricks to overcome them. She'll be sharing mobile best practices related to testing strategies, engagement and conversion.
The IT security landscape is littered with events where cryptography was not properly used, leading to leaked sensitive data and major problems for organizations. Learn how to encrypt and hash data using cryptography features in PHP, including password hashing, mcrypt, openssl, cracklib, and CSPRNG. Refresh on current industry standards, review cryptographic algorithms, and discuss concepts including password salts, algorithm costs, and attacks from timing, brute force, and rainbow tables.
The document discusses penetration testing of iOS applications. It provides an overview of the key aspects of testing including:
- Setting up the testing environment with tools like Xcode, Instruments, Burp Suite, and SQLite Manager.
- Performing whitebox testing through source code analysis, identifying HTTP/WS calls, file system interactions, and manual code review.
- Proxying the iOS simulator to intercept and analyze network traffic.
- Exploring various data storage mechanisms like plists, SQLite databases, and the keychain for sensitive data.
Troubleshooting Complex Performance issues - Oracle SEG$ contention - Tanel Poder
From Tanel Poder's Troubleshooting Complex Performance Issues series - an example of Oracle SEG$ internal segment contention due to some direct path insert activity.
Risk management in banking sector project report mba finance - Babasab Patil
This document discusses risk management in the banking sector. It introduces the concepts of risk management and provides definitions of key risk types including credit risk, market risk, operational risk, and regulatory risk. It also summarizes Basel II, the international banking accord that introduced a risk-based capital adequacy framework. The framework has three pillars: minimum capital requirements, supervisory review, and market discipline. Effective risk management and maintaining adequate capital are important for banking stability and soundness.
Secure Software: Action, Comedy or Drama? (2017 edition) - Peter Sabev
If they made movies about the most important software security issues, they could be put under five titles: Insecure Interface, Insufficient Authentication, Security Misconfiguration, Lack of Transport Encryption and Privacy Concerns. What are the action, comedy and drama parts in software security nowadays? A talk presented at the IT-Weekend event in Ruse, Bulgaria (2017).
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry... - All Things Open
Andy Watson gave a presentation on properly using cryptography in applications. He discussed random number generation, hashing, salting passwords, key derivation functions, symmetric encryption, and common mistakes made with cryptography. The presentation covered topics like cryptographically secure random number generation, choosing secure hash functions, adding salts to hashes, using functions like PBKDF2 for key derivation, different encryption modes like ECB and GCM, and real examples of cryptography mistakes from companies like LinkedIn.
Dreaming of IoCs: Adding Time Context to Threat Intelligence - Priyanka Aash
The document discusses adding time context to threat intelligence. It introduces the concept of indicators of compromise (IoCs) and describes common threat intelligence formats. It also outlines the Collective Intelligence Framework for gathering and analyzing threat data over time. The presentation emphasizes using Logstash to normalize security logs, applying threat intelligence translations, and generating reports in Kibana. Next steps include integrating more security tools with threat intelligence and refining workflows.
The document discusses security vulnerabilities related to regular expressions (RegExp) and cryptography. Regarding RegExp, it describes how long/complex patterns can cause denial of service attacks by consuming significant processing time. It also provides an example of how differences in RegExp engines between programming languages can enable attacks. Regarding cryptography, it warns about improper uses of hash functions and weaknesses that can arise from custom implementations versus established standards. The key recommendations are to use RegExp cautiously to avoid performance issues, understand how different engines work, and rely only on proven cryptography algorithms and implementations.
Andy Watson, an employee of Ionic Security, gave a presentation on properly using cryptography in applications. The presentation covered topics such as random number generation, hashing, salting passwords, key derivation functions, symmetric encryption algorithms and common mistakes made with cryptography. The goal was to help people avoid vulnerabilities like unsalted hashes, hardcoded keys, weak random number generation and improper encryption modes.
On 7 June 2012, LinkedIn was hacked. More than 6 million LinkedIn passwords were compromised. The really shocking news was not the theft but the fact that the attackers were able to decrypt many of these passwords. Why did it happen? The answer is simple: a bad design of the password security. In this talk I presented how to choose "secure" user passwords and how to store them safely, from a programmer's perspective.
This talk has been presented during the MOCA 2012, http://moca.olografix.org/moca2012
Jose Selvi - Side-Channels Uncovered [rootedvlc2018] - RootedCON
In recent years, the term "side-channel" has gone from being a concept known only in the hardware hacking sector to a popular term within the industry, owing to the vulnerabilities that have been published. CRIME, BREACH and FIESTA are clear examples of vulnerabilities that exploit a side-channel in TLS. More recently, we have also seen vulnerabilities using this same concept in processors, such as Spectre and Meltdown.
In this talk, we will review the concept of "side-channel" and go over the different vulnerabilities that have been published over the last few years, explaining what they consist of and what limitations they have.
This document discusses techniques for brute forcing passwords online in a short amount of time. It recommends generating targeted wordlists by analyzing common password patterns and rules, such as capitalization variations, number/special character suffixes, and prefixes drawn from personal information. Wordlists should balance completeness with brevity to avoid detection. The author cracked over 20 passwords within a minute by heuristically guessing variations on an initial default password.
High Secure Password Authentication System - Akhil Nadh PC
Multi-server password authentication system. The password is split and stored across multiple servers to increase the degree of security of the data. The technique is used for storing login information securely.
This document discusses techniques for finding duplicate records in large datasets. It describes a machine learning framework with two steps: candidate selection and candidate scoring. The candidate selection step uses domain knowledge, information retrieval techniques like "more like this" queries, and approximate nearest neighbors to find candidate duplicates. The candidate scoring step then uses machine learning models trained on pairwise record comparisons to identify true duplicates among the candidates. Features for the models include differences in fields, text similarity measures, image hashes and embeddings. Approximate techniques like locality sensitive hashing allow scaling these methods to very large datasets.
The document discusses best practices for securely implementing cryptography and discusses common cryptography algorithms and implementations such as hashing, symmetric encryption, asymmetric encryption, and password hashing. It emphasizes using proven implementations like those in Django and OpenSSL and enabling HTTPS to securely transmit data. The document also cautions that securely managing cryptographic keys is critical for encryption to provide security.
String Comparison Surprises: Did Postgres lose my data? (Jeremy Schneider)
Comparisons are fundamental to computing - and comparing strings is not nearly as straightforward as you might think. Come learn about the history, nuance and surprises of “putting words in order” that you never knew existed in computer science, and how that nuance impacts both general programming and SQL programming. Next, walk through a few actual scenarios and demonstrations using PostgreSQL as a user and administrator, which you can re-run yourself later for further study, including one way you could easily corrupt your self-managed PostgreSQL database if you aren't prepared. Finally we’ll dive into an explanation of the surprising behaviors we saw in PostgreSQL, and learn more about user and administrative features PostgreSQL provides related to localized string comparison.
Have you ever wondered “Should I log this?” or “What should I put in this log statement?” or ”What level should I log this at?” If so, you are not alone. Logging is often an afterthought, and usually when you are having a production issue that lacks sufficient logging. If the proper things are logged, lots of value can be unlocked from them. You can help answer a variety of questions: “Is this functionality even being used?”, “Have we seen this before, and if so, under what conditions?”. Questions that can be answered from all perspectives: development, operations and the actual business users themselves!
Larry Shatzer
In this talk, I will demonstrate the use of Chef Inspec for testing all your infrastructure with Inspec, no matter how you build it.
I will cover traditional testing, and also compliance testing on servers, plus how you can verify the state of other types of Infrastructure using APIs.
Passwords are often reused and breached, exposing users to risk. While hashing passwords provides some protection, attackers can still crack passwords using GPUs, ASICs, and password lists from previous breaches. Public-key cryptography avoids sending passwords over networks but early approaches were still vulnerable. New password-authenticated key exchange (PAKE) protocols use blinding techniques and oblivious transfers to allow password-derived keys while preventing offline cracking. Implementation requires integration with operating systems and browsers, but proof-of-concepts demonstrate the potential to significantly improve password security.
Browser hijacking malware uses various techniques to modify users' browser settings and inject malicious code or modify webpage content without permission. Examples provided include SilentBanker, Sinowal, and Wnspoem which employ real-time HTML injection, configuration files, and HTTP forwarding to target banking websites, steal login credentials and other private data, and spread further. The malware can install browser helper objects, modify registry settings, and hijack common API calls to achieve their aims.
Defcon 20 stamp out hash corruption crack all the things (claudijd)
This is the presentation that @reynolds and @claudijd presented at DEFCON, which demonstrates how password extraction tools yield corrupted hashes, how the flaw was identified and the fix.
This document discusses best practices for securely storing passwords. It notes that passwords are often stored insecurely, such as in plain text. To securely store passwords, it recommends encrypting them using cryptographic hash functions with salts. Specifically, it advises using functions such as SHA-2, bcrypt, and scrypt, which can include salts and be slowed down through key stretching to make passwords very difficult to hack or crack. Following these guidelines helps protect users and companies by securing password data.
Let's face it, the web can be a dangerous place. So how do you protect your users and yourself? Tony Amoyal answers that and more as he shows how Rails can help protect against miscreants.
Similar to PDX Tech Meetup - The changing landscape of passwords (20)
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Full-RAG: A modern architecture for hyper-personalization (Zilliz)
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx (SitimaJohn)
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Programming Foundation Models with DSPy - Meetup Slides (Zilliz)
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days 6.6.2024
The climate impact and sustainability of software testing is discussed in the talk. ICT and testing must carry their part of the global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Sustainability can be added to the quality characteristics and then measured continuously. Test environments can be used less, at smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Generating privacy-protected synthetic data using Secludy and Milvus (Zilliz)
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Monitoring and Managing Anomaly Detection on OpenShift.pdf (Tosin Akinosho)
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Things to Consider When Choosing a Website Developer for your Website | FODUU (FODUU)
Choosing the right website developer is crucial for your business. This article covers essential factors to consider, including experience, portfolio, technical skills, communication, pricing, reputation & reviews, cost and budget considerations and post-launch support. Make an informed decision to ensure your website meets your business goals.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack (shyamraj55)
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
HCL Notes and Domino License Cost Reduction in the World of DLAU (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able to lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement right away
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
GraphRAG for Life Science to increase LLM accuracy (Tomaz Bratanic)
GraphRAG for the life science domain, where you retrieve information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers.
UiPath Test Automation using UiPath Test Suite series, part 6 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
The UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI's advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Removing Uninteresting Bytes in Software Fuzzing (Aftab Hussain)
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
PDX Tech Meetup - The changing landscape of passwords
1. Passwords
Changing times
Two ways forward
The Changing Landscape of Passwords
Ryan Smith, Ph.D.
Data Scientist
August 18, 2014
Ryan Smith, Ph.D. Data Scientist The Changing Landscape of Passwords
3. Definition
A hash function is a 'one way' function that scrambles the input so that a) it's infeasible to guess the input from the output, and b) slight changes to the input have a large effect on the output.
Input            Hashed Output
password         5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
Password         8be3c943b1609fbfc51aad666d0a04adf83c9d
1234             7110eda4d09e062aa5e4a390b0a572ac0d2c0220
DB+U44@5wK83g*6  df3c73999cc44aabbba6c7167cc8a846a7425f43
Table: Hashes using the SHA-1 algorithm
6. Passwords
Hash Functions
Defeating password authentication
How do hash functions affect your life?
- Data integrity
- Bitcoin
- All password-based authentication
9. How password authentication works
1. User enters their password
2. Server computes the hash of their password
3. Server compares the hashed password to a master list:
[root@localhost ~]# cat /etc/shadow
root:$1$flVALfyK$kJfaoYnsAm7/plT3.PCmJ/:15816:0:99999:7:::
bob:$1$MIyV9col$Up9YON8Z.TI1x37xgFvuO0:15804:0:99999:7:::
sue:$1$0Iwvz7CA$QOJLfOSJZuSLC19LSFxt1.:15810:0:99999:7
4. User is authenticated or denied.
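As an added example (not part of the slides), a small Python parser for the /etc/shadow layout shown above, used the way an administrator would audit a master list: the three "$1$" records are the slide's own, the "svc" (locked) and "alice" (placeholder digest, not a real sha512crypt value) records are constructed, and the audit flags MD5-crypt ("$1$") entries as cheap to brute force.

```python
import datetime
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout shown on the slide. The three "$1$" (MD5-crypt)
# entries are the slide's own; "svc" (locked) and "alice" (a placeholder, not a real
# sha512crypt digest) are added to exercise the locked and strong-hash paths.
SHADOW_SAMPLE = """\
root:$1$flVALfyK$kJfaoYnsAm7/plT3.PCmJ/:15816:0:99999:7:::
bob:$1$MIyV9col$Up9YON8Z.TI1x37xgFvuO0:15804:0:99999:7:::
sue:$1$0Iwvz7CA$QOJLfOSJZuSLC19LSFxt1.:15810:0:99999:7
svc:!:15810:0:99999:7:::
alice:$6$EXAMPLESALT$EXAMPLEHASH.NOT.A.REAL.DIGEST:15816:0:99999:7:::
"""

# crypt(3) scheme identifiers -> (name, considered weak for password storage).
# MD5-crypt is a fixed 1000 rounds of MD5: cheap on the GPUs discussed later in the deck.
SCHEMES = {
    "1": ("md5crypt", True),
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "y": ("yescrypt", False),
}


@dataclass
class ShadowEntry:
    user: str
    scheme: str
    salt: str
    digest: str
    last_change: Optional[datetime.date]
    locked: bool
    weak: bool


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one /etc/shadow record into its nine colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    fields += [""] * (9 - len(fields))  # tolerate a truncated record (sue's line above)
    user, pw = fields[0], fields[1]
    # "!" or "*" in front of (or instead of) the hash means the account is locked.
    locked = pw == "" or pw[0] in "!*"
    body = pw.lstrip("!*")
    scheme, salt, digest, weak = "none", "", "", False
    if body.startswith("$"):
        parts = body.split("$")  # ['', id, [params...], salt, digest]
        scheme, weak = SCHEMES.get(parts[1], ("unknown", True))
        if parts[1].startswith("2"):
            # bcrypt packs a 22-char salt and the digest into the final field.
            salt, digest = parts[-1][:22], parts[-1][22:]
        else:
            salt, digest = parts[-2], parts[-1]
    last_change = None
    if fields[2].isdigit():  # days since 1970-01-01
        last_change = datetime.date(1970, 1, 1) + datetime.timedelta(days=int(fields[2]))
    return ShadowEntry(user, scheme, salt, digest, last_change, locked, weak)


def audit_shadow(text: str) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for active accounts whose hashes are cheap to guess."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_shadow_line(line)
        if entry.locked:
            continue
        if entry.weak:
            findings.append((entry.user,
                             f"{entry.scheme}: fast to brute force, rehash with "
                             f"sha512crypt or yescrypt at next login"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_shadow(SHADOW_SAMPLE):
        print(f"{user}: {finding}")
```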
13. ... because that's where the money is
How do attackers compromise password lists?
- SQL injection attacks
- Cross-site scripting
- Buffer overflows
- ...
Avoid single points of failure
Password policies should assume that an attacker has access to the list of hashed master passwords.
15. Guess and check
Example
Suppose the hash of Laura's password is d83f445224a58355b13.
Password   Hash
cat        3389fc855f142c3d40f
fluffy     e1e986bc62f6c988dd
whiskers   8ae5f0c19282e29f203
...        ...
kitten42   d83f445224a58355b13
We know that Laura's password was kitten42.
Danger
These are not hypothetical attacks! John the Ripper and Hashcat are both widely available.
17. Changing times
Enter the GPU
The Cloud
Order of magnitude comparisons
18. Definition
Embarrassingly parallel problems scale perfectly with more processor power.
Device           Cores   NTLM hashes per second
Intel Core i5    4       5-15 million attempts per second
NVIDIA GTX 690   3072    12-14 billion attempts per second
21. GPU computing
A cluster of 25 AMD Radeon HD6990s achieved:
- 350 billion guesses per second using NTLM hashing,
- a complete search of all eight character passwords with uppercase and lowercase letters, digits, and symbols in six hours!
22. Remark
Why run one GPU for 100 hours, when you could run 100 GPUs for one hour?
23. Two ways forward
Repeated hash functions
Third party authentication
Repeated hash functions
Apply a hash function more than once:
SHA1(SHA1(doge)) = SHA1(aa3cca7d...)
                 = 59c77262...
This is not always such a bad idea: encrypted .dmg files on OS X use 250,000 iterations of SHA1.
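An added example, not from the deck: the repeated-hash idea above in Python, together with the cost arithmetic from the GPU slides (350 billion NTLM guesses per second, 95^8 eight-character passwords, 250,000 iterations). It assumes one SHA-1 iteration costs about the same as one NTLM hash on that hardware, and it does not reproduce the slide's "doge" digests, only the form of the computation.

```python
import hashlib
import os


def sha1_hex(data: str) -> str:
    """SHA-1 of a UTF-8 string as lowercase hex, the form used in the deck's tables."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def iterated_sha1(password: str, rounds: int) -> str:
    """Feed each hex digest back in as the next input, i.e. the slide's
    SHA1(SHA1(doge)) = SHA1("aa3cca7d...") reading of repeated hashing."""
    digest = password
    for _ in range(rounds):
        digest = sha1_hex(digest)
    return digest


def pbkdf2_sha1(password: str, salt: bytes, rounds: int) -> str:
    """The standardised form of the same idea: PBKDF2-HMAC-SHA1 with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, rounds).hex()


def effective_guess_rate(raw_hashes_per_second: float, rounds: int) -> float:
    """Guesses per second once every guess costs `rounds` hash evaluations.
    Assumption: one iteration costs about the same as one NTLM hash on the slide."""
    return raw_hashes_per_second / rounds


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Time to try every candidate at the given rate."""
    return keyspace / guesses_per_second


PRINTABLE_ASCII = 95                   # upper, lower, digits, symbols
KEYSPACE_8 = PRINTABLE_ASCII ** 8      # every eight-character password
CLUSTER_RATE = 350e9                   # slide: 25 x HD6990 cluster, NTLM
DMG_ROUNDS = 250_000                   # slide: encrypted .dmg files on OS X
SECONDS_PER_YEAR = 365.25 * 86400


def main() -> None:
    print("SHA1(password)   =", sha1_hex("password"))
    print("SHA1(SHA1(doge)) =", iterated_sha1("doge", 2))
    # Unsalted, single round: reproduces the slide's six-hour figure for eight characters.
    hours = seconds_to_exhaust(KEYSPACE_8, CLUSTER_RATE) / 3600
    print(f"8-char search, 1 round:        {hours:.1f} hours")
    # Same cluster, but each guess now costs 250,000 iterations.
    slow_rate = effective_guess_rate(CLUSTER_RATE, DMG_ROUNDS)
    years = seconds_to_exhaust(KEYSPACE_8, slow_rate) / SECONDS_PER_YEAR
    print(f"8-char search, {DMG_ROUNDS} rounds: {years:.0f} years")
    # What a server would actually store: a random salt plus the stretched digest.
    salt = os.urandom(16)
    print("PBKDF2-HMAC-SHA1(salt, doge) =", pbkdf2_sha1("doge", salt, DMG_ROUNDS))


if __name__ == "__main__":
    main()
```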
27. Let someone else solve the problem for you
Build your websites to use a third party authentication provider:
- OpenID - Google, Yahoo, Twitter
- Facebook Connect
- OAuth 2.0