This document discusses many topics related to cybersecurity including common security mistakes, the importance of trust and how it can be broken, lessons learned from security breaches, and strategies for improving security practices. It notes that most software has security issues, encryption and hashing should not be implemented without understanding, and outlines approaches like patching strategies, training, and monitoring to help build more secure systems. The overall message is that security requires a holistic, ongoing approach rather than one-time fixes.
This document discusses security theatre and common mistakes made in application security. It summarizes that many security practices are ineffective because they treat security in isolation rather than taking a holistic view. It also outlines some common mistakes such as weak password hashing, encryption issues, information disclosure in logs, and poor session management. The document advocates focusing on areas like patching, access control, monitoring, and training to improve security.
The document discusses various security issues and mistakes made by users, developers, and organizations. It covers topics like weak security practices, implementation flaws, trusting the wrong things, disclosure of too much information, and the challenges of social engineering. Specific examples are provided around password hashing, encryption, sessions, randomness, and log files to illustrate common mistakes. The overall message is that security is difficult and mistakes are often made due to a lack of understanding, convenience prioritized over security, and misplaced trust. Holistic security involving people, process and technology is advocated for along with constant awareness and mitigation of risks.
Application security is often an afterthought for developers, as we concentrate on the next shiny new feature for our projects. In this talk, we’ll highlight the importance of application security and explore some simple and practical ways that we as developers can defend our services from intrusion.
We’ll look at how my team at the BBC approached security concerns when creating the new BBC ID applications, and dive into some code examples to explore the best practices for Node.js server security.
Talk originally given at JavaScript North West meetup. https://www.meetup.com/JavaScript-North-West/events/239152184/
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows (Aaron ND Sawmadal)
The document discusses the CryptoLocker ransomware threat and strategies to defend against it. CryptoLocker infects systems by tricking users into executing malicious files, then encrypts files using a randomly generated key. It threatens to delete the encryption key unless a ransom is paid. The best defenses include application whitelisting, limiting administrator privileges, firewalls, intrusion detection systems and keeping systems patched and backed up. In the event of infection, the affected machine should be isolated while restoring data from backups. Ongoing user education and security policies are also important to mitigate the ransomware risk.
The document discusses web server architectures and market shares. It provides an overview of the most commonly used web servers, with Apache being the dominant platform at 64.6%. Microsoft IIS is the second most popular at 17.4%. The document then illustrates the basic components of an open source web server architecture, including Linux, Apache, MySQL, PHP, and applications. It also shows the architecture of Microsoft's IIS web server.
This document is the contents page for issue 9/2010 of the magazine "Practical Protection IT Security Magazine". It lists the titles and authors of articles in the issue, including pieces on email security issues, VoIP technology, web malware techniques, IPv6 security implications, session riding attacks, and the biggest hacking breach in cyber history. The contents page also provides information about the magazine's editors and production team.
Network security consists of the policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.
SafeBreach is a continuous security validation platform that can identify vulnerabilities in a company's network by simulating cyberattacks. It deploys agents across all systems to map the network and monitor for attacks without affecting the systems. The article describes how SafeBreach was tested on a large virtual network, quickly finding hundreds of potential entry points and paths to sensitive data. It also discusses how SafeBreach can be used to run security scenarios and wargames to help train IT teams to respond to attacks.
The document discusses five common mistakes organizations make when responding to security incidents: 1) Not having an incident response plan, 2) Failing to increase monitoring and surveillance after an incident, 3) Being unprepared for potential legal battles, 4) Simply restoring systems to their original state without identifying and addressing the root cause, and 5) Not learning from past incidents to improve the response process. It emphasizes the importance of proper planning, thorough investigation, documentation, and applying lessons learned to prevent future incidents.
This 5-day Certified Ethical Hacker training course teaches students how to scan, test, hack, and secure their own systems by learning the techniques used by hackers. The course covers topics like footprinting, scanning, enumeration, system hacking, viruses, sniffers, denial of service attacks, session hijacking, web server hacking, web application vulnerabilities, password cracking, SQL injection, and wireless and cryptography attacks. The goal is to help security professionals and network administrators enhance cybersecurity by thinking like an attacker in order to defend systems from real-world threats.
1) The document discusses basic steps to secure your computer and protect against identity theft, including using a firewall, keeping systems patched, using virus protection, and being wary of email scams.
2) It provides tips for securing your information like encrypting data, using strong passwords, and shredding documents.
3) Common ways identity thieves obtain personal details are through dumpster diving, unsecured wi-fi, public records, hacking, and untrustworthy individuals who have access to your information. The document recommends monitoring accounts and reports to protect yourself.
Session hijacking refers to an attacker taking over a valid computer session between two systems by stealing the session ID. This allows the attacker to gain access since authentication only occurs at the start of the TCP session. The attacker can then view data transmitted in the session like a man-in-the-middle. Common techniques include sniffing packets to find session details, source routing, or causing packet loss to hijack responses.
ExpertsLiveEurope: The New Era Of Endpoint Security (Alexander Benoit)
Cyber Security & Defense is the emerging topic of the IT industry these days. A secure environment is no longer just a well-maintained firewall or a well-managed network. Rather, it is made up of several layers. However, most companies are "reactive" instead of "proactive", or neither, when it comes to securing their IT environments and detecting security breaches. In addition to this, the product portfolio and the security market are changing rapidly, and these changes make our jobs as IT Professionals significantly more difficult. But how can we deal with this challenge? In my session I will take a look into supposedly "obvious" security threats and how the Microsoft Cyber security stack can help to detect attackers and threats that have evaded our defenses.
All of the endpoint protection products tested were unable to fully block the Internet Explorer zero-day exploit, with some blocking URL access or detecting malware payloads after exploitation. Kaspersky blocked and warned on URL access while Sophos warned but did not properly block. For exploit blocking, only Kaspersky was able to fully block the exploit code from executing. Malware detection abilities varied, with some products quarantining payloads after execution.
The document discusses how synchronized security products from Sophos can automatically share information to improve an organization's cybersecurity posture. Key capabilities highlighted include discovering unknown threats, enabling real-time incident analysis and cross-system reporting, and allowing adaptive policies to automatically respond to infections and incidents. Examples are provided of how synchronized products could prevent coordinated attacks by instantly isolating infected devices, restricting network access, and cleaning infections.
Investigating Conti Ransomware Using Vision One (JairdanBabac)
It discusses how Cobalt Strike beacons (detected as Backdoor.<architecture>.COBEACON.SMA) are now being used for this and how we used the Trend Micro Vision One platform to track this threat. We believe that researchers at Sophos also encountered this particular group of threat actors; the attack they encountered and this one show similarities in the techniques used.
The document is a series of tweets discussing various topics related to cybersecurity. It touches on issues with security practices of companies, developers, and users. It notes that most security practices are ineffective when taken in isolation and advocates for a holistic, layered approach to security with an emphasis on understanding where trust is misplaced. It also highlights common mistakes made with sessions, encryption, and hashing and emphasizes the importance of not rolling your own implementations for these.
A talk about attacks against SSL that have been uncovered in the last 3-4 years. This talk delves into what exactly was attacked, how it was attacked, and how SSL is still a pretty useful piece of technology.
This was given at null Bangalore April Meeting.
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner... (JPCERT Coordination Center)
Recently we’ve seen many vulnerabilities related to improper certificate validation. Those vulnerabilities come from developers’ ignorance or misunderstanding of basic knowledge of certificate validation or insufficient testing of validation code. This presentation starts with the basics of the certificate validation process, surveys several vulnerabilities in the real world, and concludes with lessons learned from real-world vulnerabilities.
This was presented at JavaOne 2015.
Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna Basu (Lounge47)
This document summarizes internet security over time. It discusses past vulnerabilities like weak authentication on CCTV systems and clickjacking attacks. It then covers the Heartbleed vulnerability, which allowed memory leaks in TLS implementations. This vulnerability affected OpenSSL versions and allowed stealing of usernames, passwords, private keys and other sensitive data. The document discusses how the vulnerability worked and how it was fixed with a bounds check. It also notes the vulnerability's impact in the real world and references further technical information.
This document discusses public key infrastructure (PKI) and digital certificates. It covers how certificates enable authentication, confidentiality, integrity and non-repudiation. It also discusses certificate authorities, self-signed certificates, common uses of certificates including TLS and code signing, and risks associated with certificates like compromised certificate authorities and vulnerable algorithms. The document provides recommendations around treating certificates as assets, establishing policies, being aware of issues for embedded systems, and monitoring for malware that targets certificates.
Here are the discussions that are mentioned in P19 of "Fend Off Cyberattack with Episodic Memory"
https://www.slideshare.net/HitoshiKokumai/fend-off-cyberattack-with-episodic-memory-24feb2023
This document discusses SSL/TLS protocols and how to set up your own certificate authority (CA) or use Let's Encrypt for free SSL certificates.
It provides a brief history of SSL and TLS protocols, outlines the key differences between versions, and lists common TLS implementations like OpenSSL. It then explains how to set up your own CA by generating root and intermediate certificates and signing server/client certificates.
Finally, it introduces Let's Encrypt as a free and automated CA that aims to promote SSL security. It explains how Let's Encrypt validates domain ownership and issues certificates to ensure communications are private, integrity is maintained, and parties can be trusted.
Avoiding damage, shame and regrets: data protection for mobile client-server a... (Stanfy)
Prepared by Anastasiia, iOS Engineer at Stanfy, for speaking at do {iOS} Amsterdam 2015.
We will talk a bit about avoiding snake oil, getting rid of cognitive biases when planning application security, and how to avoid becoming a cryptography professor when you only need to protect your app.
Co Speaker: Cheryl Biswas
Talk Description:
How about this: a blue team talk given by red teamers. But here’s our rationale - your best defence right now is a strategic offence. The rules of the game have changed and we need to get defence up to speed.
We’ll show you what the key elements are in a good defence strategy; what you can and need to be using to full advantage. We’ll talk about the new “buzzwords” and how they apply: visibility; patterns; big data. There’s a whole lotta data to wrangle, and you aren’t seeing the whole picture if you aren’t doing things right. Threat intel is about getting the big picture as it applies to you. You’ll learn the importance of context and prioritization so that you can manipulate intel feeds to do your bidding. And then we’ll take things further and talk about hunting the adversary, using an update on proven methodologies.
We’ll show you how to understand your data, correlate threats and pinpoint attacks. Attendees will leave with a new understanding of the resources they have on hand, and how to leverage those into an Adaptive Proactive Defense Strategy.
The document discusses different aspects of becoming an IT security expert, including various fields within IT security, common security certifications, and ways to gain expertise in specific areas. It outlines fields like security design/implementation, monitoring, management, prevention, and damage control. It also lists many security certifications offered by companies like CompTIA, Cisco, (ISC)2, GIAC, RSA, and EC-Council that can help professionals specialize and prove their expertise in different IT security domains.
This document summarizes recent cybersecurity news and events in the information security field. It discusses several security conferences that recently occurred including Brucon, Derbycon, and HITB as well as the arrest of members of the hacker group Lulzsec. It also covers recent vulnerabilities including a chosen plaintext attack against AES in SSL/TLS, the compromise of the mysql.com website, and an Apache reverse proxy bypass issue. Lastly, it mentions new security tools releases, recent malware activity including new Android threats, and recommended security reading materials.
Gavin Hill - Lessons From the Human Immune System (centralohioissa)
All signs point to a future world of more complex, harder to detect cyber threats. Our adversaries are exploiting what seems to be our strengths. Intel predicts the next big hacker marketplace to be in the sale of digital certificates – already selling for more than $1000 each on Russian marketplaces. Gartner expects 50% of network attacks to use encrypted SSL/TLS in less than 2 years. What’s to do? The human immune system has evolved to defend and destroy complex and oftentimes overwhelming attacks. What can we learn from it? How can we create a future that’s more resistant as we use more software, more clouds, more apps, and more connected devices.
The CDO Agenda - Data Security and Encryption (DATAVERSITY)
If you're not terrified, you're not paying attention.
Every organization in the world, large and small, should be concerned about Data Security. Virtually every week there’s a well-publicized and embarrassing data breach that serves to remind how important it is to protect both customer and enterprise information.
Tools and techniques exist to help, for managing identity, authentication, and authorization. Encryption is also an effective way of making it harder for people to steal your secrets. But it isn't magical, it isn't foolproof and, depending on how you are using it, may be completely useless. You don't have to understand the math (although that will help), but you do have to understand what encryption will and won't do for you.
Topics covered:
- Data and web security today
- Protecting data in transit
- Protecting data at rest
- What advantage does Encryption provide?
- How can you build encrypted data protection into your software and systems?
- Are there business trade-offs?
- Implications for specific industries (financial, health)
More and more IoT vulnerabilities are found and showcased at security events, from connected thermostats to power plants!
Insecurity became the favourite subject for catchy IoT headlines: "Connected killer toaster", "Fridges turned into spamming machines", "Privacy concerns around the connected home".
We will explore the five challenges one has to face when building a secure IoT solution:
- hardware security: how to avoid rogue firmware and keep your security keys safe?
- upgrade strategy: you can't secure what you can't update!
- secure transport: no security without secure transports.
- security credential distribution: how to distribute security keys to a fleet of millions of devices?
- cloud vulnerability mitigation: how to keep your fleet of devices safe from the next Heartbleed?
Current enterprise infrastructure provides solutions for application security, but do they really match the IoT challenge? Could running a PKI client on a low-power wireless sensor node be an option?
Despite those difficulties, we will show how a modern IoT device management standard like Lightweight M2M over DTLS is the way to build security-first IoT solutions. It provides a solution for upgrading your devices and distributing your security keys, and comes with a full range of cipher suites, from pre-shared keys (PSK) for very constrained devices up to X.509 certificates where a higher level of assurance is needed.
Furthermore, to add security to your solution we will present ready-to-use open source libraries for implementing secure IoT servers and devices: the way to quickly release your next catchy connected product!
Ultimately we will showcase Wakaama and Leshan, the Eclipse IoT Lightweight M2M implementations, which may be your next best friends in the troubled waters of Internet of Things security!
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr... (mdevtalk)
This document provides an overview of key considerations for implementing cryptography and securing an application. It discusses topics like avoiding plaintext secrets, implementing secure authentication and transport, managing third party libraries, and best practices like not overstating an app's security. The goal is to help developers protect user privacy and security throughout the development process.
This document discusses computer and network security. It begins by defining security and explaining why security is needed to protect vital information, provide access control, and ensure availability of resources. It then covers common attacks such as denial of service, TCP attacks and packet sniffing, and the defences set against them: firewalls and intrusion detection systems. It emphasizes the importance of encryption, authentication, firewalls, antivirus software and regular backups in defending against these attacks. It also notes that social engineering attacks on users can bypass technical security measures.
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ... (Edureka!)
** CyberSecurity Certification Training: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "Cybersecurity Interview Questions and Answers" consists of 50 questions from multiple cybersecurity domains which will help you in preparation of your interviews.
This document summarizes the history of encryption protocols and attacks against them, beginning with the early SSL and TLS protocols in the 1990s. It describes numerous attacks published over the years that exploited vulnerabilities in the protocols, such as padding oracle attacks, timing attacks, traffic analysis attacks, and attacks against specific algorithms like RC4. Each attack paved the way for new, more secure versions of the protocols to be developed. The document outlines advances like TLS 1.1, 1.2, and the removal of insecure or broken algorithms, as well as high-profile security incidents at CAs like DigiNotar and Comodo.
Presentation at Networkshop46.
Phishing simulation exercises, by Michael Jenkins, Brunel University.
Rogue wifi - by Danny Moules, professional security services: security assessment specialist, Jisc
Implementing cyber essentials - Ged Nicholson, Hartlepool College of FE
Personal Internet Security System or "PISS" doesn't exist. It's a mindset that comes from knowledge. Stop looking for someone else's and handle your own. You have an antivirus? Firewall? Great! But the real threat comes from YOU, the user. That takes knowledge. I attached briefing slides for the typical user with minimal IT knowledge. Sometimes we all need a reminder that we are the ones who are the greatest threat to our networks. It's not nation states or actors. We are the ones who inadvertently let them walk in.
I put on my mink and wizard behat - Confoo Canada (xsist10)
This document discusses front end testing using Behat and Mink. It provides an overview of Behat and Mink, how they work together using the Cucumber syntax, and examples of setting up tests to validate features on a website. Context classes are demonstrated which implement step definitions to automate browser interactions and assertions. The challenges of testing JavaScript functionality are also addressed through the use of different browser driver extensions.
An in-depth dive into using Behat/Mink/Selenium for BDD testing.
* http://behat.org
* http://mink.behat.org/
* http://docs.seleniumhq.org/
In this talk I'll cover:
* why and when to use Behat (and when not)
* Installation and configuration of Behat and Mink
* Building Behat Contexts
* Avoiding data deadlocks and "test user account" syndrome
* Introduction to Selenium and testing JavaScript
* Best practices for writing tests (what to avoid, what to aspire to, writing stories like you mean it, how to get your product owners to write them)
* Common gotchas
I put on my mink and wizard behat (tutorial) (xsist10)
An in-depth dive into using Behat/Mink/Selenium for BDD testing.
* http://behat.org
* http://mink.behat.org/
* http://docs.seleniumhq.org/
In this talk I'll cover:
* why and when to use Behat (and when not)
* Installation and configuration of Behat and Mink
* Building Behat Contexts
* Avoiding data deadlocks and "test user account" syndrome
* Introduction to Selenium and testing JavaScript
* Best practices for writing tests (what to avoid, what to aspire to, writing stories like you mean it, how to get your product owners to write them)
* Common gotchas
PHP SA 2014 - Releasing Your Open Source Project (xsist10)
The document provides guidance on releasing open source projects. It discusses security, hosting, managing source code, package management, design patterns, testing, and resources. The key recommendations are to focus on security, use GitHub for hosting, manage versions with SemVer, use Composer for dependencies, implement common design patterns, write unit tests with at least 80% coverage, and wrap resources to allow for mocking in tests.
PHP SA 2013 - The weak points in our PHP projects (xsist10)
The document discusses weaknesses in web application security, specifically regarding dependencies on third party libraries, frameworks, and content management systems. It notes that many of these systems are outdated and vulnerable due to lack of updates by developers. Specific issues mentioned include SQL injection, unsalted password hashing, and a backdoor found in the OpenX library. Data is presented showing the average and median ages of versions for 43 popular open source projects, indicating that vulnerabilities increase significantly with older versions. Suggestions are made for improving awareness of updates and using tools that facilitate easier updating of dependencies.
HijackLoader Evolution: Interactive Process Hollowing (Donato Onofri)
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Ready to Unlock the Power of Blockchain! (Toptal Tech)
Imagine a world where data flows freely, yet remains secure. A world where trust is built into the fabric of every transaction. This is the promise of blockchain, a revolutionary technology poised to reshape our digital landscape.
Toptal Tech is at the forefront of this innovation, connecting you with the brightest minds in blockchain development. Together, we can unlock the potential of this transformative technology, building a future of transparency, security, and endless possibilities.
Gen Z and the marketplaces - let's translate their needs (Laura Szabó)
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics of their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases, we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held at the DMA Conference in Vienna, June 2024.
7. "If you are hacked via OWASP Top 10, you're not allowed to call it 'advanced' or 'sophisticated'."
@thegrugq
Reference: https://twitter.com/thegrugq/status/658991205816995840
51. Private industry keeps threatening security researchers
A list of well-referenced cases: http://attrition.org/errata/legal_threats/
57. "How many Fortune 500 companies are hacked right now? Answer, 500."
Mikko Hypponen, CRO of F-Secure
Reference: https://twitter.com/mikko/status/184329161257652227
63. Fine... no backdoor in E2E encryption.
Julian King, Security Commissioner, EU
Reference: https://www.theregister.co.uk/2017/10/19/eu_crypto_cracking/
64. Fine... no backdoor in E2E encryption. But store everything in plaintext.
Rod Rosenstein, Deputy Attorney General, USA
Reference: https://www.theregister.co.uk/2017/10/30/encryption_backdoors_plaintext_deputy_ag/
66. But what if we installed advanced IDSs, WAFs and specialised network hardware?
67. We probably only knew about one of the two backdoors in our system
Juniper Networks, Dec 2015
Reference: http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/
70. Infosec - A profession that turns normal people into whiskey drinking, swearing, paranoid, disheartened curmudgeons with no hope for the future of computers or humanity.
@mzbat
Reference: https://www.urbandictionary.com/define.php?term=Infosec
109. Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
110. Mistakes: deep understanding of the language (code sample, CVE-2011-2505)
```php
// The vulnerable snippet as shown on the slides, behaviour unchanged; only comments added.
if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false)
{
    // Extracts URL parameters into the namespace: session_to_unset=a becomes
    // $session_to_unset = "a". The same mechanism lets a query string set
    // any variable, superglobals included, so $_SESSION can be overwritten.
    parse_str($_SERVER['QUERY_STRING']);
    // Writes $_SESSION to disk: whatever the query string put there is now
    // persisted as the caller's own session data.
    session_write_close();
    session_id($session_to_unset);
    session_start();
    $_SESSION = array();
    session_write_close();
    session_destroy();
    exit;
}
```
Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
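The same feature written without the language footgun, as an added example: this is not the project's actual fix for CVE-2011-2505, just one way a reviewer would expect the code above to look. It assumes PHP 7.1+ and names (session_id_to_unset, destroy_other_session) are invented for the example. The point is the second argument to parse_str(): parameters land in an array you own, never in the current scope.

```php
<?php
// Added example (not the code from the slide, not phpMyAdmin's fix).
// parse_str() with a second argument fills an array instead of registering
// variables, so "?_SESSION[admin]=1&session_to_unset=x" cannot touch $_SESSION.

/**
 * Read the session id to unset from a raw query string, or null when absent
 * or implausible. Only the one named parameter is consulted, and its value
 * must match the characters PHP itself uses for session ids ([a-zA-Z0-9,-]).
 */
function session_id_to_unset(string $queryString): ?string
{
    $params = [];
    parse_str($queryString, $params);            // everything goes into $params, nothing else

    $id = $params['session_to_unset'] ?? null;
    if (!is_string($id)) {
        return null;                             // missing, or an array from a[]=... syntax
    }
    if (!preg_match('/^[a-zA-Z0-9,-]{22,256}$/', $id)) {
        return null;                             // not a session id: path, SQL, whatever
    }
    return $id;
}

/**
 * Destroy the given session. The caller's own session is closed untouched;
 * at no point is attacker-influenced data written back to the session store.
 */
function destroy_other_session(string $id): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    session_id($id);
    session_start();
    $_SESSION = [];
    session_destroy();
}

// Self-check on constructed query strings (no web server needed).
assert(session_id_to_unset('session_to_unset=abcdefghijklmnopqrstuv1234') === 'abcdefghijklmnopqrstuv1234');
assert(session_id_to_unset('_SESSION[admin]=1&session_to_unset=../../etc/passwd') === null);
assert(session_id_to_unset('session_to_unset[]=x') === null);
assert(session_id_to_unset('foo=bar') === null);
assert(!isset($_SESSION['admin']));              // nothing leaked into the superglobal
```

The regex is deliberately strict: a session id that fails it is rejected rather than sanitised, and nothing in the request can name a variable.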
114. Image by Wouter van Emmerik released under CC BY-SA 3.0
Never roll your own
116. Avoid old tutorials on encryption
https://gist.github.com/paragonie-scott/e9319254c8ecbad4f227
117. Weakening security for convenience: avoid advice like this
```
Failed: Error Number: 60. Reason: SSL certificate problem, verify that
the CA cert is OK. Details: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
```
```php
// Many old tutorials and posts suggest disabling peer verification.
// With these two lines cURL accepts any certificate from anyone, so the
// error goes away and so does the protection TLS was there to provide.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
// Thankfully PHP 5.6+ handles CA certificate location automatically
// thanks to https://wiki.php.net/rfc/improved-tls-defaults and
// Daniel Lowrey
```
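What the cURL call should look like instead, as an added example that is not from the slides: verification stays on, and when error 60 really is a missing trust store the fix is to point cURL at a CA bundle. The function names and the bundle path in the comment are assumptions for the example; the CURLOPT_* constants are PHP's own.

```php
<?php
// Added example, not code from the slides: the cure for "SSL certificate
// problem" is a CA bundle, never switching verification off. With
// VERIFYPEER/VERIFYHOST disabled the client accepts any certificate, so an
// on-path attacker can impersonate the API and read or alter every request.

/**
 * cURL options for an HTTPS request with verification kept on.
 * $caBundle is only needed when PHP cannot find the system trust store
 * (PHP < 5.6, or a minimal container image); pass null otherwise.
 */
function secure_curl_options(string $url, ?string $caBundle = null): array
{
    $opts = [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,              // validate the chain against the trust store
        CURLOPT_SSL_VERIFYHOST => 2,                 // and the name in the certificate (2, not 1 or 0)
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,   // never speak plain http:// even if redirected
        CURLOPT_FOLLOWLOCATION => false,
    ];
    if ($caBundle !== null) {
        if (!is_readable($caBundle)) {
            throw new RuntimeException("CA bundle not readable: $caBundle");
        }
        $opts[CURLOPT_CAINFO] = $caBundle;           // e.g. /etc/ssl/certs/ca-certificates.crt (assumed path)
    }
    return $opts;
}

/** Run the request; a verification failure is reported, never "fixed" by retrying without checks. */
function fetch_https(string $url, ?string $caBundle = null): string
{
    $ch = curl_init();
    curl_setopt_array($ch, secure_curl_options($url, $caBundle));
    $body = curl_exec($ch);
    if ($body === false) {
        // errno 60 is the CA failure from the slide; surface it, do not work around it
        $msg = sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch));
        curl_close($ch);
        throw new RuntimeException($msg);
    }
    curl_close($ch);
    return $body;
}

// Self-check without a network: the weak settings are never present.
$opts = secure_curl_options('https://example.com/api');
assert($opts[CURLOPT_SSL_VERIFYPEER] === true && $opts[CURLOPT_SSL_VERIFYHOST] === 2);
```

If error 60 persists with verification on, the host's CA store is missing or stale; install or update it (or pass an explicit bundle), which is a five-minute fix compared with the silent failure the two curl_setopt lines above buy.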
123. Bad implementation: where is the weakness?
```php
$password = 'rasmuslerdorf';
$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';

// Is this call safe? crypt() recomputes the hash correctly, but === is an
// ordinary string comparison that stops at the first differing byte.
if (crypt($password, $hash) === $hash) {
    echo 'Password is correct';
}

// What about this one? password_verify() makes the same crypt() call but
// compares the result in constant time.
if (password_verify($password, $hash)) {
    echo 'Password is correct';
}
```
125. Timing attacks: how it works
```php
$string1 = 'abcd';
$string2 = 'abce';   // differs from $string1 in the last byte
$string3 = 'acde';   // differs from $string1 in the second byte

for ($i = 0; $i < 10000; $i++) { ($string1 === $string2); }
// Time taken: 0.008344
for ($i = 0; $i < 10000; $i++) { ($string1 === $string3); }
// Time taken: 0.006923   (earlier mismatch, earlier exit, less time)
```
126. Timing attacks can be used to
work out if an account exists [...].
@troyhunt, haveibeenpwned.com
Reference: https://t.co/5WkQ48suj7
127. Well actually: the amount of randomness matters
Reference: http://blog.ircmaxell.com/2012/12/seven-ways-to-screw-up-bcrypt.html
128. Rehash: build it into your flow
```php
$password = 'rasmuslerdorf';
$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';

// Check the password
if (password_verify($password, $hash)) {
    echo 'Password is correct';
    // The stored hash no longer matches the current algorithm or cost
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        // Rehash and store in database: $new_password is the new hash
        // (not the password) and replaces $hash in the user record
        $new_password = password_hash($password, PASSWORD_DEFAULT);
    }
}
```
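The three password slides (123, 125 and 128) and the @troyhunt quote together describe one login routine; the following added example, which is not code from the slides, puts them in one place: a byte-counting comparison that makes the timing leak visible without a stopwatch, hash_equals() for secrets you compare yourself, a dummy hash so that an unknown username costs the same as a wrong password, and rehash-on-login. It assumes PHP 7.1+; demo_users(), leaky_equals() and login() are names invented for the example, and the user store is constructed.

```php
<?php
// Added example, not code from the slides. Assumes PHP 7.1+ for
// hash_equals(), random_bytes() and nullable/scalar types.

/**
 * A deliberately naive equality check that stops at the first differing byte,
 * which is how memcmp-style comparison (and PHP's ===) behaves. It returns the
 * number of bytes examined: that count is what leaks through timing, because a
 * guess sharing a longer prefix with the secret takes longer to reject.
 */
function leaky_equals(string $known, string $guess): array
{
    if (strlen($known) !== strlen($guess)) {
        return ['equal' => false, 'bytes_examined' => 0];
    }
    $examined = 0;
    for ($i = 0, $len = strlen($known); $i < $len; $i++) {
        $examined++;
        if ($known[$i] !== $guess[$i]) {
            return ['equal' => false, 'bytes_examined' => $examined];
        }
    }
    return ['equal' => true, 'bytes_examined' => $examined];
}

// hash_equals() always walks the whole string, so 'abce' and 'acde' cost the same.
// Use it for every secret you compare yourself (API keys, CSRF tokens, HMACs);
// password_verify() already does this internally for password hashes.

/** Constructed user store: username => bcrypt hash. Cost 4 only keeps the example fast. */
function demo_users(): array
{
    return ['alice' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4])];
}

/**
 * Returns false on failure, true on success, or the new hash string when the
 * stored one needs upgrading (the caller persists it in place of the old one).
 * An unknown username still pays for one password_verify() against a dummy
 * hash, so "no such account" and "wrong password" take the same time.
 */
function login(array $users, string $username, string $password, array $options = ['cost' => 4])
{
    static $dummies = [];
    $cost = $options['cost'] ?? PASSWORD_BCRYPT_DEFAULT_COST;
    if (!isset($dummies[$cost])) {
        // Hash of a random string at the same cost: never matches, costs the same to verify.
        $dummies[$cost] = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    $hash = $users[$username] ?? $dummies[$cost];
    $ok = password_verify($password, $hash);
    if (!$ok || !isset($users[$username])) {
        return false;                         // one exit path, same cost, for both failure causes
    }
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => $cost])) {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return true;
}

// Self-check on the constructed data.
assert(leaky_equals('abcd', 'abce')['bytes_examined'] === 4);   // mismatch found at the last byte
assert(leaky_equals('abcd', 'acde')['bytes_examined'] === 2);   // mismatch found at the second byte
assert(hash_equals('abcd', 'abce') === false);

$users = demo_users();
assert(login($users, 'alice', 'correct horse') === true);
assert(login($users, 'alice', 'wrong password') === false);
assert(login($users, 'mallory', 'correct horse') === false);      // unknown user, same cost as above
$upgraded = login($users, 'alice', 'correct horse', ['cost' => 5]); // cost raised: new hash returned
assert(is_string($upgraded) && password_get_info($upgraded)['options']['cost'] === 5);
```

The dummy hash is what defeats the enumeration the quote refers to: without it the unknown-user path returns before any bcrypt work and is measurably faster than a wrong password for a real account.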
133. Random in code: know the source
```php
// NOT cryptographically secure: a seeded PRNG (rand() is an alias of mt_rand() since PHP 7.1)
rand(0, 255);
// Cryptographically secure (uses an OS-specific source such as getrandom() or /dev/urandom), PHP 7+
random_int(0, 255);
// Cryptographically secure (same OS source), raw bytes
random_bytes(16);
// Cryptographically secure (uses the OpenSSL library). On PHP < 8 check the
// by-reference $strong flag: the function could return weak bytes instead of failing
openssl_random_pseudo_bytes(16, $strong);
```
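Why "know the source" matters in practice, as an added example not taken from the slides: a token built from mt_rand() is a pure function of the seed, so anyone who learns or brute-forces that seed reproduces it, while random_bytes() cannot be replayed. It assumes PHP 7.1+ (where rand() is the same generator); predictable_token() and secure_token() are names invented for the example.

```php
<?php
// Added example, not code from the slides. Assumes PHP 7.1+.

/** The wrong way: a "random" 16-byte token from the Mersenne Twister. */
function predictable_token(int $seed): string
{
    mt_srand($seed);                // seeding, explicitly or by PHP's own 32-bit seed, fixes the whole stream
    $bytes = '';
    for ($i = 0; $i < 16; $i++) {
        $bytes .= chr(mt_rand(0, 255));
    }
    return bin2hex($bytes);
}

/** The right way: 32 bytes from the OS CSPRNG, hex-encoded for use in URLs or cookies. */
function secure_token(): string
{
    return bin2hex(random_bytes(32));   // throws if no secure source exists; never silently degrades
}

// An attacker who knows (or brute-forces the 32-bit) seed reproduces the token exactly.
assert(predictable_token(42) === predictable_token(42));
// Secure tokens cannot be reproduced and do not collide in practice.
assert(secure_token() !== secure_token());
assert(strlen(secure_token()) === 64);
```

The same rule applies to session ids, password reset links, CSRF tokens and salts: if the value must be unguessable, it comes from random_bytes() or random_int(), never from rand(), mt_rand() or uniqid().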
135. Information disclosure: every piece of information can be leveraged (log sample)
```http
HEAD http://example.com/index.php
200 OK
Connection: close
Date: Sat, 26 Dec 2015 13:52:01 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Sat, 26 Dec 2015 13:52:01 GMT
Client-Peer: 192.168.0.101:80
Client-Response-Num: 1
X-Powered-By: PHP/5.5.11
```
The Client-* lines are added by the lwp-request tool that issued the HEAD, not sent by the server; X-Powered-By, however, hands an attacker the exact PHP version to look up.
137. Information disclosure: every piece of information can be leveraged (log sample)
```
Warning: require(assets/includes/footer.php) [function.require]: failed
to open stream: No such file or directory in
/home/user/path/to/assets/includes/operations.php on line 38

Fatal error: require() [function.require]: Failed opening required
'assets/includes/footer.php'
(include_path='.:/usr/lib/php:/usr/local/lib/php') in
/home/user/path/to/assets/includes/operations.php on line 38
```
Displayed to the client, this reveals the filesystem layout, the include_path and the failing file and line: exactly what is needed to aim a path traversal or local file include.
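A check for the two leaks in slides 135 and 137, and the settings that stop them, as an added example (not code from the slides): audit_headers() flags version-bearing headers in a response, and harden_error_output() keeps error detail in the server log instead of the page. The header array is constructed from the HEAD response above; the function names are invented for the example.

```php
<?php
// Added example, not code from the slides. The sample headers are
// constructed from slide 135's HEAD response (Client-* lines omitted,
// they belong to the client tool, not the server).

/** Flag response headers that reveal server software or versions. */
function audit_headers(array $headers): array
{
    $findings = [];
    foreach ($headers as $name => $value) {
        $lname = strtolower($name);
        if ($lname === 'x-powered-by') {
            // Sent by PHP itself while expose_php = On (php.ini only; cannot be changed at runtime).
            $findings[] = "X-Powered-By reveals the PHP build: $value";
        } elseif ($lname === 'server' && preg_match('/\d+\.\d+/', $value)) {
            // Apache: ServerTokens Prod. nginx: server_tokens off.
            $findings[] = "Server reveals a version: $value";
        }
    }
    return $findings;
}

/**
 * Keep error detail (paths, include_path, line numbers) out of responses:
 * log it server-side, answer with a generic page. Call once at bootstrap.
 * Fatal errors such as a failed require() bypass the handlers below, which
 * is why display_errors = 0 is the setting that actually covers slide 137.
 */
function harden_error_output(string $logFile): void
{
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', $logFile);
    header_remove('X-Powered-By');          // belt and braces where expose_php is still on
    set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
        error_log("PHP error $no: $msg in $file:$line");   // full detail, server-side only
        return true;                                       // suppress PHP's own (displayable) output
    });
    set_exception_handler(function (Throwable $e): void {
        error_log(get_class($e) . ': ' . $e->getMessage() . ' in ' . $e->getFile() . ':' . $e->getLine());
        http_response_code(500);
        echo 'An internal error occurred.';                 // nothing about where or why
    });
}

// Self-check on the constructed headers.
$sample = [
    'Connection'   => 'close',
    'Server'       => 'Apache',
    'Content-Type' => 'text/html; charset=UTF-8',
    'X-Powered-By' => 'PHP/5.5.11',
];
assert(count(audit_headers($sample)) === 1);                         // "Server: Apache" alone carries no version
assert(count(audit_headers(['Server' => 'Apache/2.4.7 (Ubuntu)'])) === 1);
assert(audit_headers(['Content-Type' => 'text/html']) === []);
```

Run audit_headers() against your own deployments from the outside, the way the HEAD request on the slide did: the headers a server sends are not always the ones its configuration file suggests.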