From unsalted SHA-1 to bcrypt, from generated passwords sent in e-mails to just links and other stories of securing user passwords at your regular e-commerce site from web developer's point of view.
Video of the talk available at http://www.michalspacek.cz/prednasky/the-problem-with-the-real-world-passwords
I forgot my password – what a secure password reset needs to have and why (Michal Špaček)
Users often forget their passwords, so applications often must have a password reset mechanism. There are several options for how to do it; some of them are good, most of them not so good. Generate a password and send it in an email? No. Security questions? No way. Reset passwords via a phone call? Rather not. This talk presents some really creative examples of botched password reset implementations, as well as a proven method for resetting passwords securely.
Operations security (OPSEC) is a term originating in U.S. military jargon. In IT, it describes what to do to protect your servers, developers, information, and other resources. Targeting developers, a new trend in computer security, is becoming increasingly common because they usually have access to production servers and other critical infrastructure.
http://www.powerofcommunity.net/pastcon_2008.html & http://xcon.xfocus.org/XCon2008/index.html
The Same Origin Policy is the most talked-about security policy relating to web applications: it is the constraint within browsers that ideally stops active content from different origins from arbitrarily communicating with each other. This policy has given rise to the class of bugs known as Cross-Site Scripting (XSS) vulnerabilities, though a more accurate term is usually JavaScript injection, where the ability to force an application to echo crafted data gives an attacker the ability to execute JavaScript within the context of the vulnerable origin.
This talk takes the view that the biggest weakness of the Same Origin Policy is that it must be implemented by every component of the browser independently, and if any component implements it differently from the other components then the security posture of the browser is altered. As such, this talk will examine how the 'Same Origin Policy' is implemented in different circumstances, especially in active content, and where the Same Origin Policy is not really enforced at all.
When Ajax Attacks! Web application security fundamentals (Simon Willison)
Web application security is hard, and getting harder. New technologies and techniques mean new vulnerabilities, and keeping on top of them all is a significant challenge. This talk will dive deep into the underbelly of JavaScript security, exploring topics ranging from basic cross-site scripting to CSRF, social network worms, HTML sanitisation, securing JSON, safe cross-domain JavaScript and more besides.
Presented at @media Ajax 2008 on the 16th of September.
New Methods in Automated XSS Detection & Dynamic Exploit Creation (Ken Belva)
This slide deck consists of three presentations showing both an overall and detailed view of the new patent pending methods to make Cross-Site Scripting (XSS) detection more accurate and faster as well as the creation of dynamic exploits. It was presented at OWASP AppSecUSA 2015. All Material and Methods Patent Pending Globally. All Rights Reserved.
Please visit: http://xssWarrior.com
My presentation from Framsia.
Topics:
XSS (reflected, stored, dom-based)
CSRF
Clickjacking
Header based approaches (CSP, X-frame-options)
EcmaScript5
HTML5
Some slides borrowed from John Wilander http://www.slideshare.net/johnwilander/application-security-for-rias
WordPress Security Essential Tips & Tricks (Faraz Ahmed)
This WordPress essential security guide covers several essential security measures you need to take to protect your WordPress blog from script kiddies and hackers. With this guide you can protect your WordPress blog from malware and content theft, and if you are running an e-commerce website you can protect the data transmission and security of your web store.
For more tips tricks and updates subscribe to our blog and forums
http://trainings.com.pk
Defeating Cross-Site Scripting with Content Security Policy (updated) (Francois Marier)
How a new HTTP response header can help increase the depth of your web application defenses.
Also includes a few slides on HTTP Strict Transport Security, a header which helps protect HTTPS sites from sslstrip attacks.
Top Ten Web Hacking Techniques of 2008:
"What's possible, not probable"
The polls are closed, votes are in, and we have the winners making up the Top Ten Web Hacking Techniques of 2008! The competition was fierce, putting the newest and most innovative web hacking techniques to the test. This session will review the top ten hacks from 2008 - what they indicate about the security of the web, what they mean for businesses, and what might be used against us soon down the road.
These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the BSides Cleveland Information Security Conference on 06/23/2018 in Cleveland, Ohio.
Title: Active Defense - Helping threat actors hack themselves!
Abstract:
Have you ever received one of those data breach notification letters in the mail? The short-term amends provided for having your personal data compromised is typically in the form of free short-term credit monitoring services. An entire Information Security industry segment has sprung up around Data Loss Prevention (DLP) aimed at stopping confidential data from being "leaked" out of an organization's boundaries for unauthorized use. What if the data breach perpetrators got a healthy dose of their own medicine instead of your private data? We cannot "hack back" legally today, but perhaps we can lure these malicious threat actors into actually hacking themselves... This presentation covers "Active Defense" techniques designed to frustrate data bandits attempting to steal and ex-filtrate our data.
The focus of this presentation is on actively defending a live public-facing website. We begin by covering methods to shield innocent users by protecting them from our active defenses. We take advantage of malicious visitors' impulse to evade all the rules by setting traps designed to ensnare those attempting to steal our data. The techniques covered involve faking accidental exposure and baiting traps using fictitious files and data too irresistible for cyber thieves to ignore. I then demonstrate deployable techniques used to fight back without launching a single attack.
video demos: http://whitehatsec.com/home/assets/videos/Top10WebHacks_Webinar031711.zip
Many notable and new Web hacking techniques were revealed in 2010. During this presentation, Jeremiah Grossman will describe the technical details of the top hacks from 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users.
The top attacks in 2010 include:
• 'Padding Oracle' Crypto Attack
• Evercookie
• Hacking Auto-Complete
• Attacking HTTPS with Cache Injection
• Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
• Universal XSS in IE8
• HTTP POST DoS
• JavaSnoop
• CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
• Java Applet DNS Rebinding
Mr. Grossman will then briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, and what preventative measures can be taken. With that knowledge, he will strategize what defensive solutions will have the most impact.
JavaScript is the most widely used language across platforms. This talk will analyze the security concerns from past to present with a peek at the future of this important language. This talk was presented as a keynote at CyberCamp Espana 2014.
Polyglot payloads in practice by avlidienbrunn at HackPra (Mathias Karlsson)
A lecture/talk describing how to build and use polyglot payloads for finding vulnerabilities in web applications that traditional payloads can't.
Here's the last slide: http://www.slideshare.net/MathiasKarlsson2/final-slide-36636479
These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the 11th Annual Northern Kentucky University Cybersecurity Symposium on 10/12/2018.
Title: Active Defense - Helping threat actors hack themselves!
Abstract:
Have you ever received one of those data breach notification letters in the mail? The short-term amends provided for having your personal data compromised is typically in the form of free short-term credit monitoring services. An entire Information Security industry segment has sprung up around Data Loss Prevention (DLP) aimed at stopping confidential data from being "leaked" out of an organization's boundaries for unauthorized use. What if the data breach perpetrators got a healthy dose of their own medicine instead of your private data? We cannot "hack back" legally today, but perhaps we can lure these malicious threat actors into actually hacking themselves... This presentation covers "Active Defense" techniques designed to frustrate data bandits attempting to steal and ex-filtrate our data.
The focus of this presentation is on actively defending a live public-facing website. We begin by covering methods to shield innocent users by protecting them from our active defenses. We take advantage of malicious visitors' impulse to evade all the rules by setting traps designed to ensnare those attempting to steal our data. The techniques covered involve faking accidental exposure and baiting traps using fictitious files and data too irresistible for cyber thieves to ignore. I then demonstrate deployable techniques used to fight back without launching a single attack.
These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the Ohio Information Security Forum (OISF) Anniversary Conference on 07/14/2018 in Dayton, Ohio.
Title: Active Defense - Helping threat actors hack themselves!
Abstract:
Have you ever received one of those data breach notification letters in the mail? The short-term amends provided for having your personal data compromised is typically in the form of free short-term credit monitoring services. An entire Information Security industry segment has sprung up around Data Loss Prevention (DLP) aimed at stopping confidential data from being "leaked" out of an organization's boundaries for unauthorized use. What if the data breach perpetrators got a healthy dose of their own medicine instead of your private data? We cannot "hack back" legally today, but perhaps we can lure these malicious threat actors into actually hacking themselves... This presentation covers "Active Defense" techniques designed to frustrate data bandits attempting to steal and ex-filtrate our data.
The focus of this presentation is on actively defending a live public-facing website. We begin by covering methods to shield innocent users by protecting them from our active defenses. We take advantage of malicious visitors' impulse to evade all the rules by setting traps designed to ensnare those attempting to steal our data. The techniques covered involve faking accidental exposure and baiting traps using fictitious files and data too irresistible for cyber thieves to ignore. I then demonstrate deployable techniques used to fight back without launching a single attack.
Talk for PR Klub, 5.4.2016
On the differences between a regular audience and an internet audience. Several examples of mishandled crisis communication on social networks. The case of Mondelez and the new, even more disgusting biscuits. Plus a few tips on how to handle (crisis) communication on behalf of a brand.
Unmanaged Tags - Data Protection in the Age of Mindless Proliferation (Eike Pierstorff)
Slides for my talk at the Digital AnalyMeetups in Berlin, Nov 2017.
Video is here: https://www.youtube.com/watch?v=iFDiRbcmP34&feature=youtu.be&t=1h23m (unrehearsed, so please excuse the less than graceful delivery).
How to improve the security of a quarter of the whole web (Michal Špaček)
WordPress reportedly powers 27 % of the web. In the following slides I would like to outline what we could improve in WordPress from a security perspective, because if we do, the security of quite a lot of websites will improve. I know, not everyone updates, but that is a topic for another time.
Measuring Quality of Life - Joint Debate Slides (ILC-UK)
Presentations from ILC-UK and the Actuarial Profession in partnership with ESRC Joint Debate: Measuring Quality of Life
Speakers:
Professor Ann Bowling, St. George's University of London and Kingston University
Mr Paul Allin, Office of National Statistics
Professor Emily Grundy, London School of Hygiene and Tropical Medicine
Mr Paul Cann, Age UK Oxfordshire
Further details can be found on the ILC-UK website: http://ilcuk.org.uk/record.jsp?type=event&ID=78 and http://ilcuk.org.uk/record.jsp?type=publication&ID=83
Would you voluntarily share how your web app stores passwords? Some companies indeed do share, for example Facebook and LastPass to name just a few. Some share involuntarily. Some don't share at all because they feel that it will make them more vulnerable. Here's why you should do that and how.
Anatomy of Java Vulnerabilities - NLJug 2018 (Steve Poole)
Java is everywhere. According to Oracle it’s on 3 billion devices and counting.
We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin, right? Well, maybe not. Java on the server can be just as much at risk as the client.
In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in reducing security issues in Java.
Roberto Bicchierai - Defending web applications from attacks (Pietro Polsinelli)
Is my web application exposed? We will present a short guide for the "contemporary developer" of web apps: we will survey the critical points of our web apps, the database, session stealing, cookies. We will then review the most common attacks, from DoS to XSS to CSRF, and ways to defend and/or limit damage.
Advanced phishing for red team assessments (JEBARAJM)
The presentation was about how Office365 can be attacked, and how GSUITE features can be leveraged for phishing and Red Team assessments.
Linkedin: https://www.linkedin.com/in/jebaraj-m-551a091aa/
OWASP Free Training - SF2014 - Keary and Manico (Eoin Keary)
A free application security class delivered by world renowned experts: Eoin Keary and Jim Manico.
This class has been delivered to over 1000 people in 2014 alone.
The current implementation of TLS involves your browser displaying a padlock, and a green bar, after successfully verifying the digital signature on the TLS certificate. Proposed is a solution where your browser's response to successful verification of a TLS certificate is to display a login window. That login window displays the identity credentials from the TLS certificate, to allow the user to authenticate Bob. It also displays a 'user-browser' shared secret, i.e. a specific picture from your hard disk. This is not SiteKey; the image is shared between the computer user and their browser. It is never transmitted over the internet. Since sandboxed websites cannot access your hard disk, this image cannot be counterfeited by phishing websites. Basically, if you view the installed software component of your browser as an actor in the cryptography protocol, then the solution to phishing attacks is classic cryptography, as documented in any cryptography textbook.
In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is.
This presentation is in English; the announcement (beneath) & talk were in Dutch (NL)
OpenTechTalks | Ethical hacking with Kali
Governments, companies and individuals are becoming increasingly vulnerable to attacks by black hat hackers, criminals who exploit holes in computers for financial gain or merely to cause damage. Opposing them are the white hat hackers: they test computer systems for flaws and close the holes before malicious hackers break in. Tijl Deneut (UGent/Howest) gives an overview of the forms of cybercrime that exist and how you can arm yourself against them. The focus is on Kali Linux, an operating system that bundles hundreds of security and testing programs. The following questions are covered: how do you install Kali Linux? How can you test in a safe environment? Is ethical hacking actually legal? General IT knowledge is recommended. Afterwards we will have a drink in the Vooruit café.
A talk about attacks against SSL that have been uncovered in the last 3-4 years. This talk delves into what exactly was attacked, how it was attacked, and how SSL is still a pretty useful piece of technology.
This was given at null Bangalore April Meeting.
Multi-level defense explained using Cross-Site Scripting (Michal Špaček)
How to defend against the notoriously well-known Cross-Site Scripting (XSS) attack using multiple levels of defense. Which security layers exist and when they are used. On browser features and Content Security Policy (CSP).
The Phantom of the Opera, "VPN" and Secure Proxy in Opera (Michal Špaček)
How I used a browser to find out that Opera VPN is not a VPN, or everything Chrome reveals about itself in chrome://net-internals/ and how you can use it for debugging or for examining various gadgets and extensions.
A few practical demos in which I show why you should care about e-shop security and what happens when you don't bother. And that if you only start dealing with it once something is happening, it may already be too late.
Securitas, res publica.
In the last few years there has been a flood of security incidents. Here a list of users leaked, here their passwords too, here only their orders. In this talk we'll combine my two favourite sayings: that every website is good enough to be hacked, and that repetition is the mother of wisdom. We'll recap who has already been hacked here at home, and since that would be an infinitely long talk, we'll rather focus only on the publicly disclosed cases.
Security, a public matter.
… and wanted its attacks back. The Cross-Site Scripting (XSS) attack was first described in 1999 and has been with us ever since. Why is it so dangerous and how do you defend against it, when developers evidently can't manage it?
As IT professionals you probably already know that you should use a password manager, right? But which one, and what are the differences between them? And how does 1Password differ from LastPass, apart from the price?
A lightly educational talk about why HTTPS should be absolutely everywhere, not just on the login form. And that encryption is not only about HTTPS. As usual, we'll also demonstrate something.
HTTP Strict Transport Security (HSTS), English version (Michal Špaček)
HTTP Strict Transport Security (HSTS) provides secure transport of data by removing the possibility of HTTPS stripping. HSTS is an HTTP header issued by the server. After receiving such a header, the browser will perform internal redirects from http:// to https:// for a given number of seconds.
Web security basics for PR and marketing (Michal Špaček)
Better answer questions about password storage only after watching this talk. Why is proper password storage important and what does it actually involve? Don't worry, we won't go into unnecessary technical details. We'll also look at encrypted transmission of login credentials and at security questions, and use examples to show bad answers to various tricky questions about the security of some websites. After this talk you should know how to properly answer not only my questions on social networks.
How to create passwords, what a password manager is and why you urgently need one.
Do you forget passwords? Neither do I. Do you use the password for your email for access to other services too? If so, that's not a very good idea. I'll tell you how to do it better.
HTTP Strict Transport Security (HSTS) ensures secure "transport" of information without the possibility of removing HTTPS (SSL Strip). HSTS is an HTTP header sent by the server. The browser will then internally redirect http:// to https:// for X seconds.
You know that you don't know that I know that you don't know? (WebTop100 2014) (Michal Špaček)
You know that you don't know that I know that you don't know?
After the talk you will know. I'll show you a few bugs you may already know, you just don't realise that because of them your website is leaking your data or your users' data right now. And you'll deal with web security only once something happens, and nothing has happened yet? Sure, so be sure to come :-)
How we improved the security of Slevomat.
Want to improve the security of your website and don't know where to start and when to stop? I'll show you what we did at Slevomat, everything we had to solve, what surprised us, and what we're planning. Maybe it will give you a bit of a kick too.
1. QUALITY OF LIFE. Michal Špaček, www.michalspacek.com, @spazef0rze
Yep, that’s me fixing some security issues while on vacation. This talk is about
quality of life, multiple lines of defense, how to implement them in your typical
web app, and why. Explained on passwords and Cross-Site Scripting. This slide
deck contains extra speaker notes not available in the original deck.
2. In September 2016, Yahoo confirmed a 500 million accounts leak. The breach is
said to have occurred in late 2014. It has changed lives of quite a few people.
3. Only three months later, in December 2016, Yahoo released a statement saying
that 1 billion accounts were compromised in a different attack in 2013.
4. I’m not a market expert, but this stock price chart says Yahoo is doing quite fine.
Obviously the breach had no influence on the stock price. But…
5. In July 2016, before the breaches were disclosed, Verizon announced its intent to
acquire Yahoo’s Internet business for $4.8 billion. On February 21, 2017, Verizon
agreed to lower its purchase price for Yahoo by $350 million, and share liabilities
regarding the investigation into the data breaches. Talk about losing money.
6. Russian agents were behind the Yahoo hack, the U.S. said in March 2017. I don’t want to
go into the attribution business, but let’s focus on the small text below the picture →
7. Right, that seems quite bad. I’d say Mayer’s quality of life has changed a bit.
8. Blackmailing
Because
Plaintext passwords
A friend of mine called me some time ago, his voice shaking. He told me somebody
had hacked a legacy site his company had built. Unfortunately the site stored
user passwords just like this, in plaintext, and the attacker said he’d publish the database
unless the company paid a ransom. That friend and his team had to work 24/7
for a few days to fix the app and some others. Life quality reduced. Eventually
they didn’t pay the ransom, and fortunately the database was not released.
9. In summer 2015 a group or an individual named The Impact Team released 25 GB
of company and user data taken from Ashley Madison, a Canadian dating site
marketed to people who are married or in committed relationships. Not every user of
the site had an affair, but most of the media presented the incident as “database of
cheaters leaked”. Days after the data was published a lot of Ashley Madison users
started to be blackmailed: “send bitcoinz and we will not tell your partner you had an
account with Ashley Madison,” or “send bitcoinz and we will tell you whether your
partner had an account, or not.” The hack made a mess of a lot of lives.
10. Supposedly two Ashley Madison users committed suicide because of the hack. One
of them was an American pastor, the other one a man my friend had talked to. Some
other suicides eventually couldn’t be confirmed as events linked to the leak, like the
San Antonio police captain case.
11. In 2012, LeakedIn, I mean LinkedIn lost 6.5 million usernames and hashed
passwords but in May 2016 it became apparent that the leak was much bigger than
originally thought. It was 167 million credentials in total. The company discovered
the full extent only after somebody tried to sell the whole database dump.
12. This is Mark. Mark runs Facebook. Mark used the same password for LinkedIn,
Pinterest, and Twitter. Don’t be like Mark and don’t use the same password for multiple
services. Use strong unique passwords. Use a password manager to generate and
keep your passwords. Have a backup plan in case you forget the master password.
13. In June 2016 a group called OurMine posted Mark’s password, dadada, on his Twitter.
14. Da in Russian means Yes. And guess what? This guy, Yevgeny Nikulin, a Russian
national detained in downtown Prague, Czech Republic on October 5, 2016, is
accused by American officials of hacking U.S. targets. Coincidence much, da.
16. For weak passwords like dadada, you can even Google the unsalted SHA-1 hash.
17. When a Google search is not enough, or if you want to crack passwords for a living,
you’ll need a machine full of GPUs, like this one built by Jeremi Gosney and his
company Sagitta HPC. It generates tens of billions of SHA-1 hashes per second.
18. When even a machine full of GPUs is not fast enough, maybe you’ll need more machines.
19. These Sagitta HPC guys are crazy. Now they’re ordering their GPUs by the kilo. So this
is what 300 kg of NVIDIA GeForce GPUs look like.
20. https://haveibeenpwned.com
Use Have I been pwned? to see if your account has been compromised in a public
data breach. You can also set up notifications or search across an entire domain.
21. Variable binding
HTTPS
Firewalls
Security is not just “buy this box and plug it into the network”. When transmitting and
receiving, the data goes through several layers. Each of the layers needs its own
protection. A site using HTTPS to encrypt the traffic can still be hacked and have the
database dumped. Users get phished on sites using HTTPS. But we still ❤ HTTPS.
22. Use Observatory by Mozilla to scan some of the layers; it will offer a few hints to make
them more secure. It scans HTTP headers, cookies, etc., and optionally includes
results from third-party scanners, like the SSL Labs Server Test.
23. Password hashing, a second line of defense, protects users and their passwords
when databases leak. Database leaks shouldn’t happen, but they do. Multiple
lines of defense offer protection when something goes wrong. I've actually started
collecting info on how companies store user passwords. The collection is
available at https://pulse.michalspacek.cz/passwords/storages.
24. Here’s a Czech company using bcrypt. Their disclosure has been rated “A”. They
have also provided historical info and some details in their FAQ. I always link to
a public disclosure, so the site is actually more like a collection of links to who said
what. Disclosure: I worked for Slevomat.cz in 2013-2014.
25. Slow password hashes + docs
Slow pw hashes + blog, FB, Twitter
SECURE
My scoring system is inspired by the SSL Labs Server Test rating and it works
like this: the better the hashing algorithm is and the better the disclosure is, the
better score the site gets. So if a site uses bcrypt (or PBKDF2, scrypt, or Argon2)
and they tell us in their docs, they score “A”. If they tell us only in a blog post, a talk,
or on social media they score “B”, because a talk or a blog post is quite
invisible. Both “A” and “B” are scores for safe password storage.
26. Other hashes + salted + iterations
Other hashes + salted
Other hashes, or encrypted
WEAK
A site scores “C” if they use unsuitable hashes like MD5 or SHA-1 with a salt and
multiple iterations. They score “D”, if they hash passwords with one iteration of an
unsuitable hashing function, with a salt. Grade “E” is for when they use plain fast
hashes or encrypt passwords. Users are strongly advised to create unique
passwords for sites with these scores, especially for sites with “D” or “E”.
27. FAIL
UNSAFE
Last but not least, “F” is for total failure, and that's when the site stores passwords
just like this, in plaintext. When signing up for the service, users should, and I
mean SHOULD use a unique password, not used anywhere else.
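As an added example, not code from the talk, here is what the grades boil down to in code: the unsalted fast hash of slide 16 (grade “E”) next to a salted, iterated PBKDF2 record with constant-time verification (PBKDF2 is one of the algorithms graded “A” or “B” above). The iteration count and the record format are my own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example; a real deployment tunes the
# iteration count to its own hardware and stores it next to each record.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_sha1(password: str) -> str:
    """Grade "E" storage from the talk: one iteration of a fast hash, no salt.

    Every site using this scheme produces the same digest for the same
    password, which is why the digest of a weak password can be googled.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Slow, salted, iterated hash (PBKDF2-HMAC-SHA256).

    The record is self-describing (algorithm$iterations$salt$digest) so the
    iteration count can be raised later without invalidating old records.
    """
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time, so response timing does not leak how many
    bytes of the digest matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # "dadada" is the password from slide 13. Two users choosing it get the
    # identical SHA-1 digest but different PBKDF2 records thanks to the salt.
    print(unsalted_sha1("dadada"))
    first, second = hash_password("dadada"), hash_password("dadada")
    print(first != second, verify_password("dadada", first))
```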
28. XSS
Cross Site Scripting
The concept of multiple lines of defense could also be demonstrated using Cross-Site
Scripting, an attack on users and their browsers. Using XSS, the attacker can
execute their malicious JavaScript, downloaded from some other site, in the context
of the vulnerable app.
29. Cross-Site Scripting is not new. According to Open Sourced Vulnerability
Database, the first XSS vulnerability was published in 1999.
30. $1.2 million
Just in 2014-2016 Google has awarded researchers over $1.2 million for reporting
XSS bugs in their applications via Google’s Vulnerability Reward Program. Not bad.
31. A man, left, and $1M in $100 bills, right, according to PageTutor. Feels like it fits in
a shoe box, right? This is roughly what Google has paid for XSS for 2 years.
32. <img src=x onerror=alert(1)>
Cross-Site Scripting happens when a bad guy injects JavaScript into the page.
They can also inject an img tag with an onerror handler, not just a <script> tag.
33. When XSS is demonstrated or reported, it mostly comes as an alert(1). While this
really is a proof that the attacker is able to run JavaScript, it might not be enough to
convince somebody that Cross-Site Scripting is dangerous and deserves a fix.
34. < → <
> → >
" → "
' → '
& → &
When developers forget to convert these special characters, mostly the first four
lines, in user input to HTML entities, that’s when bad things (and XSS) happens.
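The conversion table above as a function, added here as an example rather than taken from the talk. It shows the one ordering detail the table hides: the ampersand has to be converted first, otherwise the entities produced for the other characters get mangled. The template and the sample input are constructed for this example.

```python
# Replacement order matters: & goes first, otherwise the & of an entity emitted
# earlier (the "&lt;" produced for a "<") would itself be rewritten to "&amp;lt;".
HTML_ENTITIES = (
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#039;"),
)


def escape_html(text: str) -> str:
    """Convert the five special characters from slide 34 into HTML entities.

    This protects text content and quoted attribute values; it is not a
    substitute for escaping rules of other contexts (URLs, JavaScript, CSS).
    """
    for char, entity in HTML_ENTITIES:
        text = text.replace(char, entity)
    return text


def escape_html_ampersand_last(text: str) -> str:
    """Same replacements with & done last, as the slide lists them; kept only
    to demonstrate the double-escaping bug, never use this variant."""
    for char, entity in reversed(HTML_ENTITIES):
        text = text.replace(char, entity)
    return text


def render_greeting(name: str) -> str:
    """A constructed template that escapes untrusted input placed in text content."""
    return f"<p>Hello, {escape_html(name)}!</p>"


if __name__ == "__main__":
    payload = "<img src=x onerror=alert(1)>"  # the injection from slide 32
    print(render_greeting(payload))          # the tag arrives as harmless text
    print(escape_html_ampersand_last("a<b"))  # a&amp;lt;b, the entity is broken
```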
35. The Browser Exploitation Framework Project
BeEF
But XSS is much more than just alert(1). Meet BeEF, the XSS framework. It
comes with some 300 predefined modules, like fake Flash update notifications,
fake login windows, code to take screenshots of pages, or play an audio file.
36. 2nd line of DEFENSE
Developers quite often forget to escape special characters in input, and will keep
doing so. Because of deadlines, bad coffee, or one too many beers. So we need this.
37. A 2nd line of defense, like this one, might not work for all cases and/or users, but
when the primary defense layer fails it might just save your life. Or cookies.
39. To prevent JavaScript from stealing your session cookies, mark them as HTTP-Only
in the app you’ve built. Such cookies will still be sent over the wire, but JavaScript
won’t see them, so an attacker won’t be able to hijack the session using XSS. They
still might be able to sniff the cookie when it’s sent over plain HTTP, though.
40. XSS
Auditor
Yet another 2nd line of defense is built right into your browser if you use Chrome or
Internet Explorer, or Edge. It’s not built into Firefox, but again, it’s not a primary
defense layer. The XSS auditor, or XSS filter, prevents the reflected variant of XSS.
41. Diagram: WEB APP, steps 1, 2, 3
This is how reflected XSS works. The attacker sends a link with some evil JavaScript
in the URL to the user (1), the user clicks the link and a request is sent to the web
application (2). The request includes the JavaScript, which in turn gets injected into
the page and is sent back to the user (3) and is executed in their browser. The
browser sees what’s coming back from the application and if it looks like the
JavaScript it sent out with the request then the XSS filter gets triggered, if enabled.
42. X-XSS-Protection: 1; mode=block
You can control the XSS filter by the X-XSS-Protection response header. Using
mode=block is recommended, and will make the browser not display the page at all.
43. mode=block is also the default setting since Chrome 57. Previously, the browser
tried to clean the page. You can test your browser’s XSS auditor on my demo site.
44. Content Security Policy is the latest addition to the already existing 2nd lines of defense
against XSS. It’s a response header which provides a list of allowed URLs for the
browser to load images, JavaScript, CSS, etc. from into the page. So even if the
attacker is able to inject a <script> tag into the HTML, the browser will not load the
code from the specified URL, provided the host or path is missing from the whitelist.
45. Content-Security-Policy: default-src 'self'
The Content-Security-Policy response header might look like this basic
example. This will allow JavaScript, images, CSS and some more to be loaded into
the page associated with the header only from 'self', the current origin.
46. Content-Security-Policy:
default-src 'self';
img-src 'self' https://www.google-analytics.com
The header can be extended by also allowing images from https://www.google-analytics.com
for the Google Analytics tracking script to work properly. The script
itself would need to be loaded from the current origin now, and that’s not how it works.
47. Content-Security-Policy:
default-src 'self';
img-src 'self' https://www.google-analytics.com;
script-src 'self'
https://www.google-analytics.com 'unsafe-inline'
The origin for the Google Analytics script can be added to the whitelist too. The inline
JavaScript is also allowed here by using the 'unsafe-inline' keyword. Yes, the JS
code written directly in the HTML using <script> tags or handlers like onclick
might be dangerous, so it is called unsafe. But some libraries and/or tools need it.
48. csp-evaluator.withgoogle.com
Tools like the Google Tag Manager make CSP deployments hard. You need to make
your policy quite open: allow a lot of origins or hostnames, and enable inline JavaScript.
And that’s just making it easier for the attacker to find an opportunity to inject their
code. You can test your policy with CSP Evaluator to see if it can be bypassed. To
make deployments easier, CSP level 3 introduces 'strict-dynamic', which makes
the browser ignore host-based whitelists and only works with nonces, but it lets
the already allowed script load more scripts without actually extending the policy.
See how 'strict-dynamic' works and test it on my CSP3 demo page.
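To make the fallback and whitelist rules from slides 44 to 48 concrete, here is a small, deliberately simplified CSP evaluator, added as an example and not part of the talk or of Google's CSP Evaluator. It answers whether a script URL or an inline script would be allowed under the three policies shown above plus a nonce-based 'strict-dynamic' one; the page origin, the nonce value and the host-matching shortcuts (scheme and host only, no path matching) are my assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://www.example.com"  # constructed origin of the protected page

# Constructed policies: the three from slides 45 to 47 plus a nonce-based CSP3 one.
BASIC = "default-src 'self'"
IMAGES = "default-src 'self'; img-src 'self' https://www.google-analytics.com"
SCRIPTS = IMAGES + "; script-src 'self' https://www.google-analytics.com 'unsafe-inline'"
STRICT = "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'"


def parse_csp(header: str) -> dict:
    """Split "a 'x'; b y z" into {'a': ["'x'"], 'b': ['y', 'z']}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict, directive: str) -> list:
    """An absent fetch directive falls back to default-src, which is why the policy
    from slide 46 still blocks the Google Analytics script. No policy at all: '*'."""
    return policy.get(directive, policy.get("default-src", ["*"]))


def source_matches(source: str, url: str) -> bool:
    """Simplified host-source matching: scheme and host, optional *. prefix, no paths."""
    target = urlsplit(url)
    if source == "'self'":
        return f"{target.scheme}://{target.netloc}" == PAGE_ORIGIN
    if source == "*":
        return target.scheme in ("http", "https")
    if source.startswith("'"):
        return False  # keywords, nonces and hashes never match a URL
    if "://" not in source:  # a scheme-less host-source inherits the page's scheme
        source = f"{urlsplit(PAGE_ORIGIN).scheme}://{source}"
    allowed = urlsplit(source)
    if allowed.netloc.startswith("*."):
        host_ok = target.netloc.endswith(allowed.netloc[1:])
    else:
        host_ok = target.netloc == allowed.netloc
    return host_ok and allowed.scheme == target.scheme


def script_allowed(header: str, url: str, nonce: Optional[str] = None) -> bool:
    """Would <script src=url nonce=nonce> be loaded under this policy?"""
    sources = effective_sources(parse_csp(header), "script-src")
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    if "'strict-dynamic'" in sources:
        return False  # host whitelist and 'self' are ignored; only a nonce or hash counts
    return any(source_matches(s, url) for s in sources)


def inline_script_allowed(header: str, nonce: Optional[str] = None) -> bool:
    """Would an inline <script> block run under this policy?"""
    sources = effective_sources(parse_csp(header), "script-src")
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    # Once a nonce or hash source is present, 'unsafe-inline' is ignored (CSP level 2+).
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash
```

Running `script_allowed(IMAGES, "https://www.google-analytics.com/analytics.js")` returns False for exactly the reason slide 46 gives, while the same call with `SCRIPTS` returns True and with `STRICT` only returns True when the matching nonce is passed.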
49. Michal Špaček, www.michalspacek.com, @spazef0rze
To err is human, obviously, so please think about multiple lines of defense when
building apps, because even 20-year-old attacks are still hot and dangerous.