Presentation on topics beyond the conventional ethical hacking , discusses job factors and scope in the security field :) this was presented in LPU (Lovely Professional University) as a Seminar with attendees over 200. Meet m e at FB if u want it fb/nipun.jaswal
The presentation demonstrates basics of antivirus evasion on the payloads created using metasploit. The aim of this presentation is to aid penetration testers during a professional VAPT and is for educational purposes only.
Presentation on topics beyond the conventional ethical hacking , discusses job factors and scope in the security field :) this was presented in LPU (Lovely Professional University) as a Seminar with attendees over 200. Meet m e at FB if u want it fb/nipun.jaswal
The presentation demonstrates basics of antivirus evasion on the payloads created using metasploit. The aim of this presentation is to aid penetration testers during a professional VAPT and is for educational purposes only.
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budgetchrissanders88
This presentation was originally given as a lightning talk for a Charleston ISSA meeting. I talk briefly about malware analysis, and how to get started with malware analysis on a budget using virtualization.
Malware varies mostly in the visible payloads that they manifest. We can see them infecting files, un-installing antimalware applications, stealing important documents, controlling our computers remotely, and other malicious activities.
What we don’t see is how they are implemented within the malware code. Modern malware uses different techniques to protect themselves from detection, analysis, and eradication. Some malware uses layers to even obfuscate the way they use these protections.Layers in malware are defense mechanisms against deep analysis. Within these layers, different malware tricks are also deployed.
In this presentation, we are going to look into Scieron and Vawtrak. Two different malware that implements layers differently. We will see some video demo on how some of the malware code are executed within the context of a debugger.
Finally, we are going to leverage Volatility, a memory forensic tool, to detect the presence of layers in an infected system.
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016grecsl
In the presentation that threat intel vendors do not want you to see, open source and internal data meets home grown resources to produce actionable threat intelligence that your organization can leverage to stop the bad guys. This presentation discusses and shows examples of using what your already have to bootstrap this capability using existing data management platforms with open and flexible schemas to ease identification of advanced threats. Specific topics covered include the advantages of using open and flexible platforms that can be molded into a data repository, a case tracking system, an indicator database, and more. By analyzing this data organizations can discovery trends across attacks that help them understand their adversaries. An example nosql schema will be release to help attendees create their own implementations.
This presentation will demonstrate a complete end-to-end analysis of an Android bot. This will include the decompilation and static analysis of bot code and the dynamic analysis of the bot’s behavior in a controlled sandboxed environment. The session will provide details of the lab environment and tools used for the analysis.
(Source: RSA USA 2016-San Francisco)
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...GeekPwn Keen
Youtube: https://www.youtube.com/watch?v=SDg5FzTvyPM
Since the malware come out,there is a fight between malware and AV. So more and more methods based on machine learning apply to detect malware. We will share how to detect polymorphic malware based on CNN,then we will introduce a method use generative adversarial network to generate adversarial malware examples to bypass machine learning based detection models.
Zhuang Zhang, Bo Shi, Hangfeng Dong, from Tencent Yunding Lab(Tweet@YDLab9)
This session is about Android Serialization vulnerabilities. We revisit two vulns found in Android (CVE-2014-7911, CVE-2015-3837) which allowed for privilege escalation. We also present vulns found in third-party SDKs (CVE-2015-2000/1/2/3/4/20) which allowed for arbitrary code execution in apps which used them. But what has been done to prevent similar vulns? The session will answer this question.
(Source: RSA USA 2016-San Francisco)
Using Canary Honeypots for Network Security Monitoringchrissanders88
In this presentation I talk about how honeypots that have more traditionally been used for research purposes can also be used as an effective part of a network security monitoring strategy.
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani GolandCODE BLUE
On June, thousands of Facebook users complained that they had been infected by a virus through their accounts after they received a message from a Facebook friend claiming they had mentioned them in a comment. Kaspersky Lab researcher Ido Naor and Dani Goland, CEO & founder of Undot, decided to investigate. They quickly discovered that the message had in fact been initiated by attackers and unleashed a two-stage attack on recipients. The first stage of the attack started when the user clicked on the “mention”. A malicious file seized control of their browsers, terminating its legitimate session and replacing it with a malicious one that captured their entire web traffic. The second stage included a highly sophisticated script that took over victims Facebook and Google Drive accounts. After puzzling the script, they managed to extract the proverbial needle from a haystack: an unknown Facebook vulnerability that allowed an attacker to exploit the notifications functionality.
In this talk, Dani and Ido will dive into the bites and bytes of the campaign and explaining how the attackers exploited Facebook to spread the malware.
--- Ido Naor
Ido is a senior security researcher at the Global Research & Analysis Team (GReAT), Kaspersky Lab. He joined Kaspersky two years ago and is leading the regional research in Israel.
Ido specializes in malware analysis, penetration testing and software reverse engineering and has been credited for his work by major enterprises such as: Google, Facebook, Linkedin, Alibaba and more.
Aside from research, Ido is a martial arts expert and a father of two daughters.
--- Dani Goland
Dani is the CEO and founder of Undot, an Israeli-based startup that developed a unified remote-control application to control home appliances.
Dani has more than a decade of experience in programming on a variety of frameworks and languages.
Aside from managing Undot, Dani is a frequent competitor in Hackathons (programming competitions) and won 1st places at HackTrackTLV 2016 and eBay Hackathon 2015.
After my offensive presentation "Testing iOS Apps without Jailbreak in 2018" it is time to focus also on building not just breaking. This talk will cover the most important milestones in reaching secure iOS/macOS apps. I'm going to show you how to develop modern & secure iOS/macOS apps using new security features presented at the latest Apple's Worldwide Developers Conference. Hackers will be satisfied as well, since I'm going to cover also pen tester's perspective. What's more - I will share with you details of multiple vulnerabilities (*including not disclosed previously*) that I found during security assessments and my research of Apple's applications.
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budgetchrissanders88
This presentation was originally given as a lightning talk for a Charleston ISSA meeting. I talk briefly about malware analysis, and how to get started with malware analysis on a budget using virtualization.
Malware varies mostly in the visible payloads that they manifest. We can see them infecting files, un-installing antimalware applications, stealing important documents, controlling our computers remotely, and other malicious activities.
What we don’t see is how they are implemented within the malware code. Modern malware uses different techniques to protect themselves from detection, analysis, and eradication. Some malware uses layers to even obfuscate the way they use these protections.Layers in malware are defense mechanisms against deep analysis. Within these layers, different malware tricks are also deployed.
In this presentation, we are going to look into Scieron and Vawtrak. Two different malware that implements layers differently. We will see some video demo on how some of the malware code are executed within the context of a debugger.
Finally, we are going to leverage Volatility, a memory forensic tool, to detect the presence of layers in an infected system.
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016grecsl
In the presentation that threat intel vendors do not want you to see, open source and internal data meets home grown resources to produce actionable threat intelligence that your organization can leverage to stop the bad guys. This presentation discusses and shows examples of using what your already have to bootstrap this capability using existing data management platforms with open and flexible schemas to ease identification of advanced threats. Specific topics covered include the advantages of using open and flexible platforms that can be molded into a data repository, a case tracking system, an indicator database, and more. By analyzing this data organizations can discovery trends across attacks that help them understand their adversaries. An example nosql schema will be release to help attendees create their own implementations.
This presentation will demonstrate a complete end-to-end analysis of an Android bot. This will include the decompilation and static analysis of bot code and the dynamic analysis of the bot’s behavior in a controlled sandboxed environment. The session will provide details of the lab environment and tools used for the analysis.
(Source: RSA USA 2016-San Francisco)
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...GeekPwn Keen
Youtube: https://www.youtube.com/watch?v=SDg5FzTvyPM
Since the malware come out,there is a fight between malware and AV. So more and more methods based on machine learning apply to detect malware. We will share how to detect polymorphic malware based on CNN,then we will introduce a method use generative adversarial network to generate adversarial malware examples to bypass machine learning based detection models.
Zhuang Zhang, Bo Shi, Hangfeng Dong, from Tencent Yunding Lab(Tweet@YDLab9)
This session is about Android Serialization vulnerabilities. We revisit two vulns found in Android (CVE-2014-7911, CVE-2015-3837) which allowed for privilege escalation. We also present vulns found in third-party SDKs (CVE-2015-2000/1/2/3/4/20) which allowed for arbitrary code execution in apps which used them. But what has been done to prevent similar vulns? The session will answer this question.
(Source: RSA USA 2016-San Francisco)
Using Canary Honeypots for Network Security Monitoringchrissanders88
In this presentation I talk about how honeypots that have more traditionally been used for research purposes can also be used as an effective part of a network security monitoring strategy.
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani GolandCODE BLUE
On June, thousands of Facebook users complained that they had been infected by a virus through their accounts after they received a message from a Facebook friend claiming they had mentioned them in a comment. Kaspersky Lab researcher Ido Naor and Dani Goland, CEO & founder of Undot, decided to investigate. They quickly discovered that the message had in fact been initiated by attackers and unleashed a two-stage attack on recipients. The first stage of the attack started when the user clicked on the “mention”. A malicious file seized control of their browsers, terminating its legitimate session and replacing it with a malicious one that captured their entire web traffic. The second stage included a highly sophisticated script that took over victims Facebook and Google Drive accounts. After puzzling the script, they managed to extract the proverbial needle from a haystack: an unknown Facebook vulnerability that allowed an attacker to exploit the notifications functionality.
In this talk, Dani and Ido will dive into the bites and bytes of the campaign and explaining how the attackers exploited Facebook to spread the malware.
--- Ido Naor
Ido is a senior security researcher at the Global Research & Analysis Team (GReAT), Kaspersky Lab. He joined Kaspersky two years ago and is leading the regional research in Israel.
Ido specializes in malware analysis, penetration testing and software reverse engineering and has been credited for his work by major enterprises such as: Google, Facebook, Linkedin, Alibaba and more.
Aside from research, Ido is a martial arts expert and a father of two daughters.
--- Dani Goland
Dani is the CEO and founder of Undot, an Israeli-based startup that developed a unified remote-control application to control home appliances.
Dani has more than a decade of experience in programming on a variety of frameworks and languages.
Aside from managing Undot, Dani is a frequent competitor in Hackathons (programming competitions) and won 1st places at HackTrackTLV 2016 and eBay Hackathon 2015.
After my offensive presentation "Testing iOS Apps without Jailbreak in 2018" it is time to focus also on building not just breaking. This talk will cover the most important milestones in reaching secure iOS/macOS apps. I'm going to show you how to develop modern & secure iOS/macOS apps using new security features presented at the latest Apple's Worldwide Developers Conference. Hackers will be satisfied as well, since I'm going to cover also pen tester's perspective. What's more - I will share with you details of multiple vulnerabilities (*including not disclosed previously*) that I found during security assessments and my research of Apple's applications.
Feasibility of Security in Micro-Controllersardiri
Is it possible to secure micro-controllers used within IoT?
With the introduction of micro controllers such as the Arduino, Raspberry Pi and BeagleBone – it has become easy to connect sensors to gather information and utilise network connections to build an IoT ecosystem. Strong encryption schemes like RSA/AES/SHA and ecliptic curves cryptography (ECC) have been difficult to introduce due to limited performance and memory capabilities of the micro controllers used and using standard libraries just isn’t feasible – we find that designated and optimised software is the only feasible way forward.
The 7th June 2012 Linkedin was hacked. More than 6 million LinkedIn passwords was compromised. The real shocking news was not the theft but the fact that the attackers were able to decrypt many of these passwords. Why it happened? The answer is simple: a bad design of the password security. In this talk I presented how to choose "secure" user's passwords and how to safely store it from a programmer's perspective.
This talk has been presented during the MOCA 2012, http://moca.olografix.org/moca2012
Let's face it, the web can be a dangerous place. So how do you protect your users and yourself? Tony Amoyal answers that and more as he shows how Rails can help protect against miscreants.
User Credential handling in Web Applications done righttladesignz
In my work I often see very bad practices how the users' passwords are treated in web applications. This is a short summary of the current state of the art, how to do it the right way.
"Crypto wallets security. For developers", Julia PotapenkoFwdays
From a security perspective, cryptocurrency wallets are just applications. Similar to banking apps, wallets operate users’ funds and allow making transactions. But are they as secure as banking apps? Let’s talk about the risks and threats of crypto wallets, then move to design concerns and implementation issues. What types of data should be protected? What are the most common vulnerabilities? And why encrypting data is not as trivial as it may seem?
Is your crypto secure? Let's take a look at what main issues there are in modern cryptography that software developers and architects have to be aware of.
This presentation covers common cryptographic attacks, secure cryptographic implementation requirements, an overview of FIPS 140-2 and secure crypto implementation guidelines
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Welocme to ViralQR, your best QR code generator.ViralQR
Welcome to ViralQR, your best QR code generator available on the market!
At ViralQR, we design static and dynamic QR codes. Our mission is to make business operations easier and customer engagement more powerful through the use of QR technology. Be it a small-scale business or a huge enterprise, our easy-to-use platform provides multiple choices that can be tailored according to your company's branding and marketing strategies.
Our Vision
We are here to make the process of creating QR codes easy and smooth, thus enhancing customer interaction and making business more fluid. We very strongly believe in the ability of QR codes to change the world for businesses in their interaction with customers and are set on making that technology accessible and usable far and wide.
Our Achievements
Ever since its inception, we have successfully served many clients by offering QR codes in their marketing, service delivery, and collection of feedback across various industries. Our platform has been recognized for its ease of use and amazing features, which helped a business to make QR codes.
Our Services
At ViralQR, here is a comprehensive suite of services that caters to your very needs:
Static QR Codes: Create free static QR codes. These QR codes are able to store significant information such as URLs, vCards, plain text, emails and SMS, Wi-Fi credentials, and Bitcoin addresses.
Dynamic QR codes: These also have all the advanced features but are subscription-based. They can directly link to PDF files, images, micro-landing pages, social accounts, review forms, business pages, and applications. In addition, they can be branded with CTAs, frames, patterns, colors, and logos to enhance your branding.
Pricing and Packages
Additionally, there is a 14-day free offer to ViralQR, which is an exceptional opportunity for new users to take a feel of this platform. One can easily subscribe from there and experience the full dynamic of using QR codes. The subscription plans are not only meant for business; they are priced very flexibly so that literally every business could afford to benefit from our service.
Why choose us?
ViralQR will provide services for marketing, advertising, catering, retail, and the like. The QR codes can be posted on fliers, packaging, merchandise, and banners, as well as to substitute for cash and cards in a restaurant or coffee shop. With QR codes integrated into your business, improve customer engagement and streamline operations.
Comprehensive Analytics
Subscribers of ViralQR receive detailed analytics and tracking tools in light of having a view of the core values of QR code performance. Our analytics dashboard shows aggregate views and unique views, as well as detailed information about each impression, including time, device, browser, and estimated location by city and country.
So, thank you for choosing ViralQR; we have an offer of nothing but the best in terms of QR code services to meet business diversity!
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
6. Random Number Generators
RNG: A computational or physical device designed to
generate a sequence of numbers that lack any pattern
High quality generators depend on an entropy source like
radioactive decay or radio frequency noise
For cryptographic functions, higher levels of entropy are
required to work properly
9. What is a Salt?
Random data added to your input to create
better output from one way functions
Useful for defending against dictionary and rainbow table
attacks.
12. Hashing Function (n.)
A Function that represents data of arbitrary size as data of
a fixed size.
$ echo 'Hello POSSCON 2015!' | md5
81ad0b0ba5f98e0f584c1cd9a2c324a3
$ echo 'Hello POSSCON 2015' | md5
0c9c470f340aedaba625908939ba3c7b
13. When to Hash
Use hashing functions when saving the original data
would be a liability you have no business dealing with
For Example: Linux Passwords
$6$pWVzxN/iFRstrZ/.$TNBvzXhc8b9SBkl1q36YNvF2DwuS
4/7LsICepYgaWCKzM1MS.OBK5TvxrUQ4.
I5x5NtqidhBTGobQLOqxBAFe1
14. Don’t Store The Clear
Credentials should be salted and hashed when
stored
During login, salt and hash the password
entered and check it against the result you
stored
15. When Hashes Collide
These two blocks have the same md5 hash of
79054025255fb1a26e4bc422aef54eb4
This is called a collision
d131dd02c5e6eec4693d9a0698aff95c 2fcab58712467eab4004583eb8fb7f89
55ad340609f4b30283e488832571415a 085125e8f7cdc99fd91dbdf280373c5b
d8823e3156348f5bae6dacd436c919c6 dd53e2b487da03fd02396306d248cda0
e99f33420f577ee8ce54b67080a80d1e c69821bcb6a8839396f9652b6ff72a70
d131dd02c5e6eec4693d9a0698aff95c 2fcab50712467eab4004583eb8fb7f89
55ad340609f4b30283e4888325f1415a 085125e8f7cdc99fd91dbd7280373c5b
d8823e3156348f5bae6dacd436c919c6 dd53e23487da03fd02396306d248cda0
e99f33420f577ee8ce54b67080280d1e c69821bcb6a8839396f965ab6ff72a70
16. Taste the Rainbow Table
A rainbow table is a precomputed table for reversing
cryptographic hash functions, usually for cracking
password hashes.
Password MD5 Hash
123456 e10adc3949ba59abbe56e057f20f883e
password 5f4dcc3b5aa765d61d8327deb882cf99
17. You. Must. Hash. Securely.
Cryptographically Secure Hash Function (n.)
A hash function which is infeasible to reverse back to the
original message and not subject to collisions
$ echo "hello POSSCON 2015" | shasum -a 512
0d294c5140972735a80131eca426da4838cf5de1b3eb1c8cb51c4bb24823e389
d22a36be76be597a5c5a934dd5fada8b75e0986fb6e89329a820c22d96c4be17
19. Key Derivation Functions
KDF create new secret keys from a secret
value and a known value - like a password
Key Derivation Functions can be used in a “key stretching”
routing to enhance hashing functions to provide much
more protection from rainbow tables and brute force
attacks
20. Original KDF: crypt
● Invented in 1978 to protect UNIX
passwords
● Used only a 12 bit salt
● Limited passwords to 8 characters
21. Modern KDFs
PDKDF2
● 64 bit random salt
● 5000 iterations of SHA1 (hashing function)
SCRYPT
● Consumes large amounts of memory on
purpose
22. PBKDF2 In A Nutshell™
Password
SALT +
Password
Prepend SALT
Intermediate
Hash
SHA1
REPEAT SHA1
5000 TIMES
Final Hash
23. Save the Salt
Store the salt, the resulting hash and the
number of iterations in your datastore
You’ll have to calculate the derived key of the
credential again to verify it is correct
25. Symmetric Encryption
Used when your application needs to protect data at rest
(on disk etc) but will need to use those values later
The most common algorithm for symmetric encryption is
AES (Advanced Encryption Standard)
It can operate in multiple modes like ECB, CBC, CTR and
GCM - each suited to different uses
27. Comparing ECB to other modes
http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
28. Galois Counter Mode (GCM)
Authenticates and Encrypts Messages
Reduces the opportunity for interference with
messages to go undetected
29. It’s Complicated
Use a well known, well tested cryptographic
library / framework - do not write your own!
Do research before shipping your code - make
sure you’re using the right primitives / modes
for your application
32. Le Sigh.
My password is stored in their
database.
It was not hashed or they could
not have emailed it to me!
33. Which is bad because...
A lot of people use the same password
everywhere and use their email address as
their login!
34. So...
An attacker that gets this password list can try
to log in to all kinds of things as you!
1. email
2. banks
3. credit reporting
4. even NetFlix!
35. Adobe Hack
Millions of “encrypted” passwords stolen
Hashed with MD5
Large numbers of them found in rainbow tables
Most Common Password: 123456
http://stricture-group.com/files/adobe-top100.txt
36.
37. Beware The Default Settings
Default settings for Android Bouncy Castle
starting in 2.1 were not good
Defaulted to ECB mode!
38. Empirical Study of Android Apps
11,748 applications analyzed
5,656 used ECB mode by default
3,644 used a constant symmetric key
2,000 used ECB mode EXPLICITLY!
1,932 used a constant IV
1,629 seeded PRNG with static value
39. Seeding the Pseudo
In 2006 a bug in Debian and Ubuntu caused
the PID to be used as the output of the PRNG -
only 32,768 possible values!
(hint: that’s not enough!)
40. UnSalted Hashes
In 2012, LinkedIn password hashes were
stolen
They were not salted so 60% of them were
cracked
41. Crisis Averted at Slack
User profile data stolen in February 2015
Passwords hashed with bcrypt and random
salts
Change your password anyway...
42. Unlocking Your Prius
System uses rotating codes in a small range
Some built in (pre-shared) keys for repair use
No protection from replaying codes
Brute force attacks possible
Still under investigation...