The document discusses security challenges and approaches for IoT networks and ecosystems. It provides an overview of common IoT communication protocols like Zigbee, Bluetooth Low Energy, and IEEE 802.15.4. It then demonstrates hands-on exercises attacking these protocols by sniffing and manipulating packets. It also discusses securing the AWS IoT platform and introduces the security development lifecycle approach for securing IoT products throughout the development process.
1. Designing IoT Networks & Ecosystems to thwart low power communication protocol attacks
Sumanth Naropanth & Nitin Lakshmanan
Deep Armor
2. Agenda
• Technical overview of an IoT/wearable ecosystem
• Building blocks
• Communication Protocols
• Hands-on Exercises
• IEEE 802.15.4/ZigBee
• Bluetooth and BLE
• AWS IoT Core
• Security Development Lifecycle (SDL) overview
3. Instructors
• Nitin Lakshmanan
• Security Analyst — Deep Armor
• Aujas Networks, Aricent/Intel
• Sumanth Naropanth
• Founder and CEO — Deep Armor
• Intel, Palm/HP, Sun Microsystems
• Security consulting, vulnerability testing, SDL and training services for emerging technologies
• www.deeparmor.com | @deep_armor
10. Zigbee
• Low data rate wireless applications
• Smart energy, medical, home automation, IIoT
• Two bands of operation: 868/915MHz and 2450MHz
• Simpler & less expensive than Bluetooth
• 10-100m range
• Zigbee Alliance
11. Zigbee Security Model
• Open Trust model (Device Trust Boundary)
• Crypto protection
• Network Key
• Link Key (App Support Sublayer)
• Secure key storage assumptions
• Transmission of network key for new nodes
• Hard-coded Trust Center Link Keys
13. 802.15.4
• IEEE standard for low-rate wireless personal area networks (LR-WPANs)
• 6LoWPAN for IPv6 over WPANs
• Zigbee extends 802.15.4 (wrapper services)
[Figure: OSI layers Application, Presentation, Session, Transport, Network, Data Link, Physical, with the Data Link layer split into Logical Link Control and Media Access Control]
30. Hardening Wireless Sensor Networks
• Integrity of the packet is maintained
• HMAC implemented for integrity protection
• With Cryptographic hash function like SHA256
• Key provisioning can be via many ways - DH, for example
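As an added illustration of the hardening points on this slide (example code, not part of the original deck): an HMAC-SHA256 integrity tag over a sensor frame, with a per-node link key derived from a DH shared secret through HKDF, and a sequence counter so that a replayed frame is rejected as well as a modified one. The frame layout, node ids, the 8-byte truncated tag and the shared-secret bytes are assumptions made for the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8          # assumption: tag truncated to 64 bits to save airtime on a small LR-WPAN frame
HDR_FMT = ">HI"      # node id (2 bytes) | sequence counter (4 bytes)
HDR_LEN = struct.calcsize(HDR_FMT)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: turns a raw DH shared secret into a usable link key."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # HKDF-Extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                     # HKDF-Expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_link_key(dh_shared_secret: bytes, node_id: int) -> bytes:
    """Per-node key bound to the node id, so one node's key cannot tag another node's frames."""
    return hkdf_sha256(dh_shared_secret, salt=b"wsn-link-v1", info=struct.pack(">H", node_id))


def build_frame(key: bytes, node_id: int, seq: int, payload: bytes) -> bytes:
    """Sensor side: header | payload | truncated HMAC-SHA256 over header and payload."""
    body = struct.pack(HDR_FMT, node_id, seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def verify_frame(keys: dict, frame: bytes, last_seq: dict):
    """Gateway side: return (node_id, seq, payload) for an authentic, fresh frame, else None.

    keys maps node id -> link key; last_seq maps node id -> highest accepted counter.
    The header is read before the tag is checked only to select the key; nothing else
    from the frame is trusted until compare_digest succeeds.
    """
    if len(frame) < HDR_LEN + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    node_id, seq = struct.unpack(HDR_FMT, body[:HDR_LEN])
    key = keys.get(node_id)
    if key is None:
        return None                                   # unknown node
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):        # constant-time comparison
        return None                                   # modified frame or wrong key
    if seq <= last_seq.get(node_id, -1):
        return None                                   # replayed or reordered frame
    last_seq[node_id] = seq
    return node_id, seq, body[HDR_LEN:]


if __name__ == "__main__":
    secret = b"constructed DH shared secret for the demo"   # constructed, not a real DH output
    keys = {7: derive_link_key(secret, 7)}
    seen = {}
    frame = build_frame(keys[7], 7, 1, b"\x01\x02\x03")
    print("genuine :", verify_frame(keys, frame, seen))
    print("replayed:", verify_frame(keys, frame, seen))
    tampered = bytearray(build_frame(keys[7], 7, 2, b"\x01\x02\x03"))
    tampered[HDR_LEN] ^= 0x01                                  # flip one payload bit
    print("tampered:", verify_frame(keys, bytes(tampered), seen))
```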
32. Overview: Bluetooth Stack
• GAP: Defines how devices discover, connect and create bonding between them
• SMP: Protocol for pairing and key distribution and authenticating the other device. Shared secrets can be managed and hence speed up the reconnection process
• L2CAP: Multiplexing layer for BLE
• GATT: Describes characteristics, services and type of attributes/their usage
• ATT: Simple client/server stateless protocol with rules for accessing data on a peer device
33. Intro to BLE
• Wireless protocol for short range data exchange (~10 to 100 m)
• Light-weight subset of classic Bluetooth with low power consumption
• Operates in radio frequencies between 2.4 to 2.485 GHz
• Managed by the Bluetooth Special Interest Group (SIG)
• Use cases include wearable devices, smart pay systems, smart security systems etc.
35. Pairing Algorithms
Secure Simple Pairing
• Just Works: very limited/no user interface
• Numeric Comparison: devices with display plus yes/no button
• Passkey Entry: 6 digit pin as the pass key
• Out Of Band: Use of an out-of-band channel against MITM attacks
36. Security weaknesses in BT/BLE
• Security of the communication link depends on the pairing algorithm
• Eavesdropping on the pairing mechanism compromises encryption keys
• ‘Just Works’ mode prone to MITM attacks
• Apps (on the same phone as the companion app) snooping on encrypted BLE traffic – Let’s explore this!
37. BT/BLE Security - Tools
• Ubertooth
• Bluefruit LE sniffer
• NRFsniffer (Nordic BLE sniffer)
• Ellisys sniffer
39. Overview
• Market products for fitness tracking
• Use Bluetooth Low Energy
• Packet sniffing, capture and cracking LE encryption
• Goals:
• BLE traffic eavesdropping
• Tools to crack the basic security offered by BLE spec
43. Understanding BLE pcaps
• Protocol Data Unit (PDU)
• PDU length determines whether it is an advertising packet or not
• pdu_type == 5 [connection request by Bluetooth device]
47. Options
• Basic security: switch on LE encryption
• Crackle can break it!
• Holistic security: application-level encryption on top of network-level encryption
• LE Privacy Mode
49. BT/BLE problems with Android and iOS
Device Commands:
• Put device into recovery mode
• Do a FW update
• Change Device (BLE) name
Notifications:
• Social apps
• Calls and texts
Information:
• User activity data
• User profile updates
• Application action (calls, music control)
• Call/text/social updates (sometimes)
[Figure: diagram of these data flows between phone and device, labelled ATTACKER]
51. Root Cause
All applications on Android and iOS can subscribe to the BT service and get the data on the same BT channels or BLE characteristics as the legitimate app
• Android
• android.permission.BLUETOOTH
• android.permission.BLUETOOTH_ADMIN
• iOS
• Core Bluetooth (CB) Framework
• Centrals (client/phone) and Peripherals (server/wearable) classes
54. LTK-Encryption
What happened there?
[Figure: layered diagram with labels: Decrypted (Step Count, Distance & Calories); Decrypted(Encrypted(Step Count, Distance & Calories)); LTK-Encrypted (Step Count, Distance & Calories); Wrapper Service A; Wrapper Service B; Encryption; BLE Link Layer]
57. What is it?
• Managed cloud service for connected devices
to interact with cloud applications
• Connect and manage devices
• Secure the communication
• Process and Act
• Monitor
58. Demo & Exercise
• Setup
[Figure: AWS IoT Core (Policy, Thing, Certs) connected over MQTT to an IoT Device Simulator]
• Creating Policy/Thing/Certificates and attaching them to the certificate
• Run IoT device simulators from laptops
• Observe traffic in Wireshark
59. Topics of Interest
• Review of overly permissive policies
• Wildcard should be avoided [iot:*]
• iot:Publish / UpdateJobExecution / GetThingShadow
• Must specify ARN of resource [wildcard * should not be used]
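A small policy review check for the two problems this slide calls out (wildcard actions and non-ARN / wildcard resources), added here as an example and not part of the deck or of any AWS tooling. The two sample policies are constructed; the account id and region in the ARNs are placeholders, and `${iot:Connection.Thing.ThingName}` is the AWS IoT policy variable that scopes a resource to the connecting thing.

```python
import json

# Constructed sample: the overly permissive shape the slide warns against.
PERMISSIVE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}]}
""")

# Constructed sample: explicit actions, each resource pinned to an ARN.
# Account id 123456789012 and region us-east-1 are placeholders.
SCOPED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow", "Action": ["iot:Connect"],
   "Resource": "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"},
  {"Effect": "Allow", "Action": ["iot:Publish", "iot:GetThingShadow"],
   "Resource": [
    "arn:aws:iot:us-east-1:123456789012:topic/sensors/${iot:Connection.Thing.ThingName}/data",
    "arn:aws:iot:us-east-1:123456789012:thing/${iot:Connection.Thing.ThingName}"]}]}
""")


def _as_list(value):
    """IAM-style documents allow a string or a list in Action/Resource."""
    return value if isinstance(value, list) else [value]


def review_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means no wildcard issues."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot over-grant
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource '*' (specify the ARN)")
            elif not resource.startswith("arn:"):
                findings.append(f"statement {i}: resource {resource!r} is not an ARN")
    return findings


if __name__ == "__main__":
    for name, pol in [("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, review_policy(pol) or "OK")
```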
60. Topics of Interest
• AWS forces MQTT over TLS
• All traffic to and from AWS IoT must be encrypted over Transport Layer Security (TLS).
• AWS Authentication
• X.509 certificates
• IAM users, groups, and roles
• Amazon Cognito identities
• Federated identities
62. Need for SDL
• Next-gen SDL
• For IoT, wearable and cloud technologies.
• Especially when they all come together
• Ecosystem security
• Agile
• Security, Privacy and Legal woven into the development cycle
• Leveraging industry standards
63. Security Development Lifecycle Approach
Phases: Program Conception, Design, Implementation, Pre-Launch, Deployment, Maintenance
Activities (in lifecycle order):
• Security Architecture, Privacy Requirements
• Threat Modeling, Attack Trees & Data Access Reviews
• Focused Security Code Reviews & Privacy Planning
• Fuzzing, Penetration Testing, Privacy Sign-off
• Fix verification, Incident Response Planning
• Delta Security Assessment, Security for Continuous Integration/Delivery
Outputs: Reviews; Reviews & Reports; Reports; Resolution & Sign-off; Reports
Applies across IoT, Mobile and Cloud
65. Challenges: Securing a never-before gadget
• Lack of tactical SDL frameworks for rapid time-to-market products with constantly evolving requirements
• Diverse, non-standard and evolving communication protocols
• Weaknesses in adoption of protocol specifications
• Long lives for IoT products
• Privacy
• Nascent research in IoT security
66. Challenges - Technical
• Collection of personal data and PII is higher
• Geo-location information
• Biometric data
• Sensor data
• Payment services
• Limited SW stack —> security may get compromised
• Often FW running on micro-controllers
• Field updates are difficult
• Asymmetric key crypto, TEEs, etc. are heavy
• Multi-tier, multi-tenant product architecture
• Cross-domain flows
• Multiple exposure points as a consequence
67. Privacy
• Why worry?
• Global Markets
• Country-specific guidelines
• Ecosystems and overlapping policies
68. Summary
• Plethora of protocols (and standards)
• Custom hardware & software for IoT comms penetration testing
• RZUSBStick works great. Also, APImote
• Not much else
• BT/BLE sniffing is still sketchy
• SDL/SPDL and Shift-left
[Figure: Mobile, Cloud, IoT device, Communication channel]