This document summarizes a presentation by Jared Peck on active cyber defense techniques. It discusses the difference between active defense and hacking back, types of decoys that can be used like honeypots and honeytokens, and how and when to deploy them. It also covers detection and alerting methods, adversary infrastructure tracking, legal issues surrounding active defense, and examples of decoys and personas that could be used like fake credentials and social media profiles.
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse (David Freeman)
As the world’s largest professional network, LinkedIn is subject to a barrage of fraudulent and/or abusive activity aimed at its member-facing products. LinkedIn’s Security Data Science team is tasked with detecting bad activity and building proactive solutions to keep it from happening in the first place. In this talk we explore various types of abuse we see at LinkedIn and discuss some of the solutions we’ve built to defend against them. We focus on ways bad actors can enter the site: fake accounts and account takeover. Some common themes include:
- Precision/recall tradeoffs: No model is 100% accurate, so we must always make a call on where to draw the line when flagging accounts or activity as abusive. What’s the cost of labeling a good member as bad vs. labeling a bad member as good?
- Online/offline tradeoffs: Online models can stop fraudulent activity before it has a chance to gain traction; offline models can use more data and cast a wider net, while also requiring less engineering effort to build. For any given abuse pattern, we must consider whether we can detect and stop the activity in real-time and also whether it’s worth the effort to do so.
- Machine learning vs. heuristic rules: Machine-learned models can be very powerful, but they also require sufficient well-labeled training data and are more difficult to maintain. Heuristic (though still data-driven!) rules can often achieve 90% of the goal with 10% of the effort — but how do you tell when this is the case?
Server-Side Second Factors: Approaches to Measuring User Authenticity (David Freeman)
Passwords are used for user authentication by almost every Internet service today, despite a number of well-known weaknesses: passwords are often simple and easy to guess; they are re-used across sites; and they are susceptible to phishing. Numerous methods to replace or supplement passwords have been proposed, such as two-factor authentication or biometric authentication, but none has been adopted widely, leaving most accounts on most websites protected by a password only.
One approach to strengthening password-based authentication without changing user experience is to classify login attempts into *normal* and *suspicious* activity based on a number of parameters such as source IP, geolocation, browser configuration, time of day, and so on. For the suspicious attempts the service can then require additional verification, e.g., by an additional phone-based authentication step. Systems working along these principles have been deployed by many Internet services but have never been studied publicly.
In this work we propose a statistical framework for measuring the validity of a login attempt. We built a prototype implementation and tested it on real login data from LinkedIn using only two features: IP address and the browser's user agent. We find that we can achieve good accuracy using only *user login history* and *reputation systems*; in particular, a nascent service with no labeled account takeover data can still use our framework to protect its users. When combined with labeled data, our system can achieve even higher accuracy.
The life of breached data and the attack lifecycle (Jarrod Overson)
OWASP RTP Presentation on Data breaches, credential spills, the lifespan of data, credential stuffing, the attack lifecycle, and what you can do to protect yourself or your users.
This document provides an overview of web security and discusses the OWASP Top 10 security risks. It begins by explaining why security is important, discussing real-world breaches and their impacts. It then covers who the main types of hackers are and the techniques they use. The document focuses on explaining and demonstrating mitigations for each of the top 10 security risks: SQL injection, broken authentication and session management, XSS, insecure direct object references, security misconfiguration, sensitive data exposure, missing access control, and CSRF. Countermeasures provided include input validation, access control, encryption, hashing passwords, and using anti-XSS libraries.
2017-01-23 Regulatory Compliance Watch - 6 Cybersecurity for Financial Servic... (Raj Goel)
Getting firm-wide buy-in for security requires:
1. Getting support from top leadership like the CEO or owner who must champion security.
2. Effective education of all employees using real-life case studies of security breaches.
3. Adopting enterprise-grade security tools and working with an experienced security provider.
Abridged version of my mvc security presentation covering the OWASP Top 10 security vulnerabilities and how they can be mitigated against in the Microsoft Mvc framework. Covers SQL Injection, XSS, CSRF etc. There is a source code project to go with this presentation with all of the solutions implemented at https://github.com/johnstaveley/SecurityEssentials
These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the BSides Columbus Information Security Conference on 03/02/2018 in Columbus, Ohio.
Basic overview, testing, mitigation plan for popular web application vulnerabilities such as: XSS, CSRF, SQLi etc.
Updated "Web Security - Introduction" presentation.
Updated Mvc Web security updated presentation (John Staveley)
OWASP Top 10 threats to web applications and how to counter the threats using Mvc.net mitigations, first shown at #DDDNorth; contains bonus slides for DDoS and social engineering.
Over 1.5 million customer records were stolen from T-Mobile Czech Republic by an employee. The records included names, email addresses, account numbers, but not location or traffic data. T-Mobile claims the perpetrator was caught trying to sell the database.
A hacking group in Russia allegedly used malware called Lurk to steal over 1.7 billion roubles (US $25.4 million) from bank accounts in Russia. Authorities arrested 50 people in connection with the scheme.
Github warned that a number of user accounts had been compromised through a password reuse attack related to recent data breaches at LinkedIn, MySpace, Tumblr and other sites that exposed over 642 million passwords.
Web application security: Threats & Countermeasures (Aung Thu Rha Hein)
The document discusses security fundamentals, threats and countermeasures for a three-tiered web application. It covers principles of defense in depth and least privilege. It also describes the anatomy of a web attack and categories of threats including STRIDE (spoofing, tampering, etc.). Network, host and application level threats and countermeasures are examined. Input validation, authentication, session management and other areas are identified as needing security measures.
Authentication and session management are important aspects of network security. Authentication verifies a user's identity, while session management maintains user access after authentication. Common authentication methods include passwords, multifactor authentication, and digital signatures. Session management uses session IDs and cookies to track authenticated users and can be vulnerable to hijacking attacks. Developers should implement standard security practices like encryption, complex passwords, and short session timeouts to strengthen authentication and prevent session threats.
The presentation covers techniques of website hacking and of testing whether a website is secure, both by attacking it and by detecting when the site is being attacked.
10 ways to protect your e-commerce site from hacking & fraud (WebSitePulse)
According to a report, the number of websites compromised by hackers is increasing yearly and cybercrime damages are projected to hit $6 trillion by 2020. The document provides 10 ways for eCommerce sites to enhance security, including using SSL/TLS encryption, defining network access layers, installing firewalls, choosing secure hosting providers, and regularly testing websites for vulnerabilities. It stresses the importance of security given customers trust sites with sensitive financial data.
A brute force attack is a trial-and-error method to decrypt encrypted data like passwords by exhaustively checking all possible combinations without using any intelligent strategies. It is always successful eventually but can require billions of years for systems with long keys. Tools like Brutus and THC-Hydra are used to perform brute force attacks against network services to guess passwords stored in dictionaries. Session IDs, files/directories, credit card information, and password retrieval questions are also potential targets of brute force attacks. While processing intensive, brute force does not require much setup but can take a very long time.
This article discusses the CryptoLocker ransomware threat. CryptoLocker encrypts files on infected systems and demands ransom payments in Bitcoin for the decryption key. It spreads through malicious email attachments and drive-by downloads from compromised websites. The article provides guidance for enterprises to protect themselves, including disabling Flash on untrusted sites, filtering email attachments, disabling Office macros, maintaining backups, and educating users about ransomware risks.
This document discusses how to scale web security programs to enable security at large organizations. It argues that relying solely on security professionals is not scalable, and that security must be embedded throughout the entire software development lifecycle (SDLC). It recommends automating as many security tasks as possible, such as training developers, conducting static/dynamic analysis, and defending applications post-release. Security experts should focus on strategic tasks like risk management, architecture design, and tackling new problems. The key is gaining incremental security wins at each stage and building everything with scaling in mind.
A digital identity is the body of information about an individual, organization or electronic device that exists online. Unique identifiers and use patterns make it possible to detect individuals or their devices.
Nicholas Davis gave a presentation on information security in healthcare environments. He discussed HIPAA obligations to protect patient information including confidentiality, integrity and availability. He described common types of controls like technical and administrative controls and ways information can leak, such as through printers or unprotected trash bins. He warned of social engineering threats like pretexting and phishing scams that try to trick users into revealing sensitive information. He provided tips for strong passwords and protecting devices and networks from malware. The talk emphasized the importance of both technical security measures and educating users to identify and avoid social engineering attempts.
This document discusses phishing, which is a form of online fraud that aims to steal users' sensitive information such as usernames, passwords, and credit card details. It does this through deceptive messages that appear to come from legitimate organizations but actually lead to fake websites or download malware. The document provides information on how phishing works, techniques used to detect and prevent it, and tips for users to avoid falling victim to phishing scams.
The document discusses authentication and identity. It covers common authentication factors like passwords, two-factor authentication using a mobile phone, and biometrics. It provides details on securely storing passwords using techniques like salts and hash functions to prevent cracking. It also discusses risks of password reuse across sites and how two-factor authentication helps address this. The document emphasizes the importance of secure authentication and not allowing the security level to be degraded without re-authentication.
Presentation by Jaco van Gaan at IIA in 2001.
This presentation is about the use of ethical hackers in business. The presentation begins with a series of discussions about hackers, what they do, how they do it and the different types of hackers.
An overview of identity theft, the tactics criminals use and how to protect yourself and prevent identity theft in Canada. Created by an IT industry expert.
This document provides an overview and example of getting started with WebAuthn. It discusses the WebAuthn specification and terminology. It then demonstrates how to set up sample code to handle WebAuthn registration and login requests and responses. Specifically, it shows the structure of registration and login options that are sent to clients, and the credential responses that are returned, including parsing the response details. Key areas like challenges, credentials, attestation, and extensions are described. The document aims to help attendees understand how WebAuthn works at a high level and see an example implementation.
OpenID and Information Cards are two of the most prominent emerging identity technologies. It is important that you understand the benefits, usage and differences between them in order to prepare for the future, even when you are not ready to deploy them. During this presentation we will examine what digital identities are and specifically what each of these technologies is.
How To Keep the Grinch From Ruining Your Cyber Monday (Michele Chubirka)
Ready to avoid crowded stores and online scammers during the holidays? Join Michele Chubirka as she goes through:
- Tips for safe online shopping and securing your banking information
- Protecting yourself from internet scams, phishing and fraud
- Safeguarding your personal information against identity theft
- How to use anti-virus and other security software to keep your digital information safe
Good Secure Development Practices (presented by Bil Corry, lasso.pro Education Project). It recommends validating all user input, distrusting even your own requests, and taking a layered approach to validation, enforcement of business rules, and authentication. Some specific best practices include implementing positive authentication, the principle of least privilege, centralized authorization routines, separating admin and user access, and ensuring error handling fails safely.
Presentation on Top 10 Vulnerabilities in Web Application (Md Mahfuzur Rahman)
In this presentation I'm trying to describe the "Top 10 Vulnerabilities in Web Application" according to OWASP (Open Web Application Security Project).
- The top 10 security mistakes that developers make
- How to design software with an assurance of security
This document provides an overview of an information session on internet safety and privacy. The agenda includes understanding common online terms like cookies, IP addresses and metadata. It discusses how to keep personal information private on social media and watch out for phishing scams. The document also covers keeping online accounts secure with strong passwords and staying vigilant by being cautious of email attachments and malware. Privacy laws in Canada are also briefly outlined.
Praesidio CTO, Sean Cassidy presented at FinDEVr New York 2016 on role-based behavior analytics, using patterns and anomalies in user behavior as indicators of attack. View his slides from the presentation here.
Overview:
It is easy for attackers to beat traditional security measures: antivirus, firewalls, and intrusion detection systems. This is because those methods are akin to blacklisting known bad behavior, so attackers need only modify their behavior slightly to avoid the blacklist. Anomaly detection, instead, models normal user behavior and alerts when attackers deviate from it, without any human having to specify what normal behavior is.
So what is anomaly detection, how does it work, and how can you apply it to your network?
Securing and Safeguarding Your Library Setup (Brian Pichman)
We will explore various tools, techniques, & procedures to ensure our environment's safety & security. Leave with a list of ideas you can use today within your library.
I had made this ppt for my college presentation. It doesn't cover the various frauds in minute detail, but this presentation is a very good overview! Enjoy!
Large Enterprises have a surprising number of access credentials un-accounted for. Finding, matching, and deleting excess credentials is a hard problem solved by True_Identity Enterprise Identity Matching.
ISOL536 Security Architecture and Design Week 6 Web Threa.docx (vrickens)
ISOL536
Security Architecture and Design
Week 6
Web Threats
Cloud Threats
Account Threats
Agenda
• Web threats
• Cloud threats
• Account threats
• Reading: Chapter 13 & 14
Web Threats
• The web is software like other software
• There are specific attack classes like Cross Site Scripting (XSS)
– In much the same way that stack smashing is a “feature” of C or other weakly typed languages
– Threat modeling not needed to help find these
– Finding these in TM is a distraction from the unique threats to your software
Web Site Threats
• Attack surface/Trust boundaries
• Dependencies
• Not showing outbound links
– Is Google analytics safe? (We hope so—it’s on
each page!)
• Model helps you consider
each part &
relationships
Threatmodelingbook.
com
Web hosting
Browser
Google Analytics
Textbook web site
DB
Browser Threats
• Mostly the job of a small number of browser
makers
• Your job when writing a plugin
– Manage security & privacy
• Literature reviews & careful checking of
browser API guidance
Cloud Threats
• New insiders
– At the cloud provider — How do they compare to
other IT outsourcing?
– Co-tennants as threats
• Compliance threats
– Regulation: what needs to be compliant?
– Audit & logging: what’s logged where and how?
– Can your controls migrate?
Cloud Threats (2)
• Legal
– In US, subpoena rules change if you give your data
to others (“3rd party doctrine”)
• Forensic
– Can you get the hard drives, etc for analysis?
• Integrity
– Creation and management of virtual machines
Accounts Agenda
• Intro
• Account creation & maintenance
Accounts (overview)
• Accounts for systems
• Identity management manages accounts across
many systems
– Sometimes used as jargon to mean “account”
• Need to create, maintain and retire accounts
– Close-relationship accounts vs free accounts
• Accounts that don’t map to a person
– Joint bank accounts etc
• Need to authenticate account-holders
– Even when they lose their authenticators
– The hardest problems are here
Account Create/Maintain/Delete
• Mostly “normal” engineering with relatively
few traps
• Who can get an account?
• How do you ensure information stays up to
date?
• What happens when the account-holder
quits/leaves/passes away?
Authentication is Hard
• Traditional authentication factors
– Something you know (including passwords)
– Something you are (biometrics)
– Something you have (Smartcard, ID card)
• Something you forgot, something you were,
something you lost
• Multi-factor/Additional factors
– Originally meant more than one from the list above
– Several things you know are not “multi-factor”
– Someone you know
– Elements like IP address, client fingerprinting
Managing Authentication is Hard
Spoofing a Client
Login Failures
• “Incorrect username or password”
– Comes from a time that identifying accounts was
thought to be hard
– Past its prime; usability win from telling people
which was wrong ...
3. Active Defense vs. “Hacking Back”
Types of decoys and how to create them
When and how to deploy decoys
Detection / Alerting Methods
Adversary Infrastructure Tracking
◦ Phishing / ATO
4. I’m not a lawyer…so always check the latest court opinions and laws before doing anything active...not to mention company policy!
“Hacking Back” = Reach out and touch someone
“Active Defense” = Booby trapping your own stuff
5. Carpenter vs. Sandia
◦ Chinese hack of Lockheed Martin
◦ Carpenter assisted FBI, given immunity
◦ Case is wrongful termination - $4.7 Million
◦ National Security
Georgia SB 315 (Vetoed!)
◦ Legal “Hack Back” to get stolen stuff
◦ Trouble for vulnerability researchers
6. Active Cyber Defense Certainty Act (Pending)
◦ Tom Graves, (D) Georgia
“Congress holds that active cyber defense techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber activity.”
10. May act on or run on adversary computers, but doesn’t have a negative effect.
Disruption is the goal!
Web Bugs
Decoys
Honeypots / Tarpits
Honey Tokens / Honeycreds
13. Just an entry in a table or list
Detection when anyone scans / tries to connect
No interaction / responses
Easy to detect for an adversary
Many False Positives
14. Real AD Creds
Can be normal user or admin
Can be risky if not set up correctly
User set up with no active login hours
Tougher OPSEC
Have to have right logs
15. Again, real creds
This time no permissions
Detection with Cloudwatch and CloudTrail
Pretty easy to set up
Rapid7 Blog: “Early Warning Detectors Using AWS Access Keys as Honeytokens”
16. Fake – just detect login attempt
Decoy – can be part of honeypot or tarpit
Real login with fake data to keep attacker busy
Can salt database with other creds
◦ Account numbers
◦ AD Creds
17. Email
Documents
◦ Workstation, server, cloud, etc
Databases
Logs
Bash History
Anywhere the bad guys look
18. Logs!
Be sure to have what you need
Make sure logs are together (SIEM)
Think of any place creds would be tried
Don’t forget DLP detections
20. Your own callback server!
Domains and VPS are cheap
◦ $35 a year for both
Custom scripts
Out of band email alerting
Make it believable
◦ Externally hosted pictures
◦ Links in trapped docs
◦ JavaScript calls
22. Low Interaction
◦ Few services
◦ No Data
◦ Easy to figure out
High Interaction
◦ More like a real system
◦ Still little activity
23. Collection of Honeypots
Segregated on VLAN
More lively
Still feel fake
Higher risk
24. High Interaction
High complexity
Applications
Data Transfers
Logs
Difficult to set up and maintain
25. Web bug
JavaScript
Remote Image
Scatter on shares
Place in email (CEO, SysAdmin, etc)
Unique callback per document
Need both Internal and External network detection
27. Play pretend
Build some connections
◦ Twitter
◦ Facebook
◦ Linkedin
◦ IRC
What TOS??
28. Basic Info
Unique info / picture
No connections to your company (unless decoy)
Don’t friend your fake personas
Post occasionally
Random friend requests are OK
29. Get permission
Make it believable
Positions in:
◦ HR
◦ Finance
◦ Etc.
How about an executive?
31. Phish the Phishers
◦ Infrastructure Tracking
◦ “HoneyCreds”
◦ Live Credential Placement
◦ Mule Operations
◦ Physical Drops
32. Customer Reports
WHOIS Registration Tracking
Email Drop tracking
TLS Certificate Transparency Logs
Server Logs
33. Sites like Domain Tools (Paid)
Track new sites as they are registered
◦ GDPR making this difficult*
Predict Phishing Domains based on
registrations
34. Collect Phishing kits
◦ Open directories
Most common kits list address for drop
Track campaigns based on email address
43. Fill out phishing pages
Complete information
Unique Information
Use different proxies
Use a variety of User Agents
Set up detection!
Pastebin?
44. Credential Testing
IP addresses!
Early detection of compromised creds
Pass to fraud
Block or not?
Don’t delay takedowns!
45. 175 “Honeycreds” placed
43% Seen tested
80 Testing IPs to monitor
Hundreds of real customer creds
Shortest = <1 minute
Longest = ~ 6 months
Some creds re-tested much later
46. Most credentials were tested within 24 hours
Average (mean)– ~ 9 days
Median – 5 hours
3-4 other customer creds tested with fakes most times
48. High risk
Need coordination
Known monetary loss
◦ $500?
Cash back?
Miles?
49. How is your site accessed?
What User Agent Strings are used?
Automated or Manual?
Email Addresses
50. Willing or unwilling accomplice
“Work from home”
Move money for laundering
Expendable
Need law enforcement
51. Place to get the fraudulently purchased items
Again, willing or unwilling
More “Work at home”
◦ Reshipping overseas
◦ May be paid through other fraud
Need local law enforcement
52. Get your basic “Cyber Hygiene” set
Keep it simple
OPSEC!
Build your decoys
Build your detection
Profit!
Dealt with heart attacks, gunshots, stabbings, car accidents, house fires, wildland fires, etc.
I have delivered 3 babies in the ambulance
Now…
Carpenter vs. Sandia
“legal” hack back does not mean authorized by employer
Honeypot – real but declassified documents
Tracked back to storage
Turned over to FBI
Assisted with other FBI stuff
Jury awarded him $4.7 million in damages – Acting in the interest of national security
Georgia SB315
Can go after those who attacked you to retrieve stolen material
ACDC Act – Tom Graves, D Georgia
“Congress holds that active cyber defense techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber activity.”
May 7, 2018 “New Yorker” magazine article
All these techniques require you to run code on the attacker machine
What about cookies? JavaScript? Flash?
Where does escalation stop? Tomahawk missile strike? Stuxnet?
Bad guys doing it to us, why not return the favor?
Why are we the only ones whose systems are affected?
Why can’t we disrupt or destroy?
Reality: Just like the cloud, it’s just someone else’s computer
They are the victim too
They don’t know it’s happening
Mirai botnet
Mikrotik routers
Malware dropping proxies
Attribution is hard.
“Light touch”
Disruption of their activities, but not their machines
No persistence
I’m going to say the words. “Cyber Hygiene”. Do this first. Get your shit together.
Active defense is least of worries without patches / logs / detection
Crawl, walk, run – takes time, takes effort, takes coordination
OPSEC is important
False positives – printers / routers / protocols
Need workstation logs along with server logs. This is a LOT of data!!!!
Need server logs – need right logs with logon codes and usernames
This is all good, but what do we do with these credentials / decoys once we create them?
If you can, put these in a Tarpit and have them transmitted on the wire for network sniffing to catch.
The more realistic placement the better
Logs – bad guys love logs
BTW, Can you detect log deletion?
Bash history – full commands so the bad guys can copy / paste
A little better, still not convincing for the seasoned attacker
May have a few systems communicate occasionally, like DNS queries or wget a web page in a cron script.
“Full on” network.
Segregated on VLAN
Can be both physical and virtual
Workstations, servers, switches, coffeepots, etc
“From DNS to Databases” - live apps
Scheduled tasks to run commands – data on the wire
Takes a team to manage?
Callbacks to show when document is opened.
Place on admin machines, on shares / SharePoint , in the CEO’s email, etc..
Detection for callouts internal – maybe insider or haven’t tried to remove data yet
Detection for calls made outside the network – poor attribution, but a start
May make attacker more cautious next time if they see the callback
Do it yourself - About $35 a year for domain and VPS
Canarytokens.org - Good = they provide the decoys and detection
Bad = Known domain these call back to “canarytokens.com”
Canarytokens.org will do the setup and much of the detection.
They are affiliated with the vendor “Thinkst Canary” which run canary.tools
Canarytokens are free to use but…
They all call back to the same, known site…
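Slide 25 and the notes above describe the do-it-yourself version of the web bug: a remote image or script reference in each decoy document that calls back to your own domain, a unique token per document, and separate handling for callbacks that originate inside versus outside the network. The following is an added example, not the speaker's or Canarytokens' code: it issues a per-document token, builds the image URL, and parses the callback server's access log into "which document, from where". The callback domain, internal ranges, tokens and log lines are all constructed placeholders.

```python
import ipaddress
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

CALLBACK_HOST = "cb.example.invalid"  # placeholder for your own domain + VPS
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]  # constructed

def new_token() -> str:
    # 128 random bits: a token must not be guessable or enumerable from another one.
    return secrets.token_hex(16)

def register_documents(names, registry: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Give every decoy document its own token so a callback names the document."""
    registry = {} if registry is None else registry
    for name in names:
        registry[new_token()] = name
    return registry

def image_url(token: str) -> str:
    """URL for the remote image (or script reference) embedded in the decoy."""
    return f"https://{CALLBACK_HOST}/img/{token}.png"

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

@dataclass
class Callback:
    document: str
    ip: str
    internal: bool  # inside: possible insider or data not yet removed; outside: it already left
    when: str
    user_agent: str

# Combined log format line as written by a typical web server on the callback host.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"GET /img/(?P<token>[0-9a-f]{32})\.png[^"]*" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"')

def parse_callbacks(log_lines, registry: Dict[str, str]) -> List[Callback]:
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["token"] not in registry:  # unknown token: scanner noise, not a decoy
            continue
        hits.append(Callback(registry[m["token"]], m["ip"], is_internal(m["ip"]),
                             m["time"], m["ua"]))
    return hits

# Constructed registry and log lines for a stand-alone run.
TOKEN_A, TOKEN_B, TOKEN_X = "a3f1" * 8, "7b2c" * 8, "f" * 32
SAMPLE_REGISTRY = {TOKEN_A: "Q3_Bonus_Plan.docx", TOKEN_B: "vpn_passwords.xlsx"}
SAMPLE_LOG = [
    f'10.20.1.55 - - [14/May/2018:09:12:01 +0000] "GET /img/{TOKEN_A}.png HTTP/1.1" 200 68 "-" "Microsoft Office Word"',
    f'203.0.113.42 - - [15/May/2018:02:40:17 +0000] "GET /img/{TOKEN_B}.png HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
    f'198.51.100.9 - - [15/May/2018:03:00:00 +0000] "GET /img/{TOKEN_X}.png HTTP/1.1" 404 0 "-" "curl/7.58.0"',
    '198.51.100.9 - - [15/May/2018:03:00:01 +0000] "GET / HTTP/1.1" 200 12 "-" "curl/7.58.0"',
]
```

The third and fourth lines are the kind of noise any internet-facing host collects; only registered tokens produce a callback record, which is what keeps this from becoming another false-positive source.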
There are a lot of social media platforms
Maybe have a persona on all of them
Watch for Terms of Service
Oh yeah….
Keep it simple
Don’t use stock or celebrity photos – too fake (Reverse image search)
Don’t have any mentions of your company unless it’s a decoy (later)
Don’t friend from your personal account
Average / generic posts every few days – week
Who are these people? Who cares! Other researchers / bots / FBI?
Get permission from your company before doing this
Mid level job, enough to get attention but not so much they should be known on the company web page.
Maybe get some help from a vendor if you want…especially higher level execs
Unless you are a native Russian speaker with actual connections to the Russian underground….
DON’T try to join the groups
Google translate won’t cut it with all the slang.
The federal agencies with Three Letter Acronyms don’t even do this. They pay an informant.
I know, not really active defense, but this sets it all up
Find the pages pretending to be your company
WHOIS – Going away (maybe) because of GDPR
Track known malicious registrants – email, name, business
Not super useful…
Jerry Gamblin wrote original Python script – Sends keyword matching certstream entry to Slack channel
I modified to use regex – better filtering on common words
“Login.companyname.anysite.com”
Typically catch one site every day or 2
HIGH bandwidth used in these scripts
Fun to watch bad guy try to figure out how they are being caught so fast…
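The regex variant of the certstream watcher described in the notes above, as an added example rather than Jerry Gamblin's script or the speaker's modification: brand regexes are applied to the domains in a certificate_update message, the company's own domains are excluded, and the boundary requirement on both sides of the brand is the "common word" filter. The message layout (message_type plus data.leaf_cert.all_domains) is the public certstream format; the brand, the legitimate domains and every domain in the sample message are constructed.

```python
import re
from typing import List, Tuple

BRANDS = ["examplebank", "example-bank"]               # constructed brand strings
OWN_DOMAINS = {"examplebank.com", "examplebank.net"}  # constructed legitimate domains
# Labels phishers like to put next to a brand: "login.examplebank.anysite.com"
LURE_RE = re.compile(r"(?:^|[.-])(?:login|signin|secure|account|verify|update|support)[.-]")

def build_patterns(brands) -> List[re.Pattern]:
    """One regex per brand. Requiring a label or hyphen boundary on both sides is
    the 'common word' filter: 'examplebanker.example' no longer matches 'examplebank'."""
    return [re.compile(r"(?:^|[.-])" + re.escape(b) + r"(?:[.-]|$)", re.IGNORECASE)
            for b in brands]

def normalize(domain: str) -> str:
    return domain.lower().lstrip("*.")  # CT entries include wildcard names

def is_own(domain: str) -> bool:
    d = normalize(domain)
    return any(d == own or d.endswith("." + own) for own in OWN_DOMAINS)

def score(domain: str, patterns) -> int:
    """0 = ignore; 1 = brand present; 2 = brand plus a lure word (look at these first)."""
    d = normalize(domain)
    if is_own(d) or not any(p.search(d) for p in patterns):
        return 0
    return 2 if LURE_RE.search(d) else 1

def match_message(msg: dict, patterns) -> List[Tuple[str, int]]:
    """Apply the patterns to one certstream message and return hits, best first.
    Only certificate_update messages carry domains; heartbeats are skipped."""
    if msg.get("message_type") != "certificate_update":
        return []
    hits = set()
    for dom in msg.get("data", {}).get("leaf_cert", {}).get("all_domains", []):
        s = score(dom, patterns)
        if s:
            hits.add((normalize(dom), s))
    return sorted(hits, key=lambda h: (-h[1], h[0]))

# Constructed message in the certstream layout; every domain below is made up.
SAMPLE_MESSAGE = {
    "message_type": "certificate_update",
    "data": {"leaf_cert": {"all_domains": [
        "login.examplebank.anysite.example",
        "*.examplebank.com",
        "examplebanker.example",
        "secure-example-bank.example",
        "examplebank.cheapdomains.example",
        "mybankexample.example",
    ]}},
}
```

The scoring is what lets the Slack channel stay readable at certstream volume: score-2 hits get posted immediately, score-1 hits can be batched, and the boundary rule drops the near-miss words that a plain keyword match would flag all day.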
Who hasn’t put an “F U” in a phishing login?
Some names and info to enter into phishing pages
Unique
No collisions with actual customers (Check, and recheck!)
Made a list of 5 user names
Set up logging detection
Found customer reported phishing page
Entered some creds
Got antsy and checked 2 hours later……
Where was the IP located?
ENHANCE!
Can you be any more cliché?
Proved the theory was sound.
Consumed a lot of my time…
There are a myriad of sources
Older the better – less chance of collisions with actual customers
Anyone know where to get over 3000 names? (Titanic sites)
Use unique proxies!
Change user agents
Look for URI patterns (Same kit or same campaign?) Maybe only put on one site
Pastebin took at least 2 weeks to be tried
Gift that keeps giving…seen on at least 4-5 separate occasions
Spaced out by months
Maybe ended up in a list sold or passed around?
If they are testing your fake creds, maybe they have some real ones?
Pass these to your fraud department and have the passwords reset
Watch out, the bad guys can reset too!
Do we block? Stop them from trying creds?
No, too easy to change IPs. Why don’t we keep watching?
Don’t delay takedowns to play with sites
You are going to lose the money
Need lots of coordination:
SOC
Fraud
Business
Local / Federal law enforcement?