Certificate pinning in android applicationsArash Ramez
How to do cryptography right in android
Part #4 / How to mitigate MITM attacks in SSL/TLS channels using server certification validation
watch it on youtube:
https://www.youtube.com/playlist?list=PLT2xIm2X7W7gZ0mtoAA8JrfFrvOKr1Qlp
Security Automation by integrating SAST(Static Application Security Testing),DAST(Dynamic Application Secuirty Testing) and SIEM (Security Information and Event Management) tools with Jenkins.
By automating Security(SAST,DAST,SIEM) developers can them selves perform VA and monitor on application without going to IT and Security team
Below Tools are used to Automate everything:
SAST - Fortify,CheckMarx
DAST - IBM App Scan,OWASP ZAP,HP Web Inspect
SIEM - Alien Vault
Threat modeling web application: a case studyAntonio Fontes
TAM is a security activity conducted early in the development lifecycle, when we only have ideas, early design specifications and no source code is produced yet. It helps identify major threats to your web application and their appropriate countermeasures.
This session focuses on an introduction to the threat modeling technique through a case study on an online newspaper platform.
Event: Confoo 2011 Montreal
Static Analysis Security Testing for Dummies... and YouKevin Fealey
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.
In this talk, we’ll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You’ll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We’ll explain the value of customizing tools for your organization; and you’ll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we’ll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues
Certificate pinning in android applicationsArash Ramez
How to do cryptography right in android
Part #4 / How to mitigate MITM attacks in SSL/TLS channels using server certification validation
watch it on youtube:
https://www.youtube.com/playlist?list=PLT2xIm2X7W7gZ0mtoAA8JrfFrvOKr1Qlp
Security Automation by integrating SAST(Static Application Security Testing),DAST(Dynamic Application Secuirty Testing) and SIEM (Security Information and Event Management) tools with Jenkins.
By automating Security(SAST,DAST,SIEM) developers can them selves perform VA and monitor on application without going to IT and Security team
Below Tools are used to Automate everything:
SAST - Fortify,CheckMarx
DAST - IBM App Scan,OWASP ZAP,HP Web Inspect
SIEM - Alien Vault
Threat modeling web application: a case studyAntonio Fontes
TAM is a security activity conducted early in the development lifecycle, when we only have ideas, early design specifications and no source code is produced yet. It helps identify major threats to your web application and their appropriate countermeasures.
This session focuses on an introduction to the threat modeling technique through a case study on an online newspaper platform.
Event: Confoo 2011 Montreal
Static Analysis Security Testing for Dummies... and YouKevin Fealey
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.
In this talk, we’ll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You’ll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We’ll explain the value of customizing tools for your organization; and you’ll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we’ll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks.
Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack.
The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running.
Let us guide you through your application security testing journey with more key differences between SAST and DAST:
Application Security - Your Success Depends on itWSO2
Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment can be brought down if your application's security isn't taken into serious consideration. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase.
In this session, Dulanja will discuss the following:
The importance of application security - why network and OS security is insufficient.
Challenges in securing your application.
Making security part of the development lifecycle.
Security Incident Event Management
Real time monitoring of Servers, Network Devices.
Correlation of Events
Analysis and reporting of Security Incidents.
Threat Intelligence
Long term storage
NIST 800-92 Log Management Guide in the Real WorldAnton Chuvakin
This presentation will introduce the first ever standard on log management - NIST 800 - 92 guide. It will then offer a guide walk through to highlight the critical areas of standardization. The majority of the remaining time will be spent on explaining how to use the guide in the real world if you are a security manager or a security pro.
SIEM : Security Information and Event Management SHRIYARAI4
SIEM is a tool that collects, aggregates, normalizes the data and analyzes it according to pre-set rules and presents the data in human readable format
Upgrade Your SOC with Cortex XSOAR & Elastic SIEMElasticsearch
Together, Cortex XSOAR and Elastic SIEM deliver a flexible and effective solution for today's security operations teams. Combining Cortex XSOAR's robust orchestration, automation, and case management capabilities with Elastic's open collection, search, and analytics abilities provides the comprehensive end-to-end strategy SOC teams need to gain visibility to stop threats.
In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole.
OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications.
APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year.
In this session we’ll discuss:
· What makes API Security different from web application security
· The top 10 common API security vulnerabilities
· Examples and mitigation strategies for each of the risks
Cloud Security is critical to Data Security and Application Resilience against CyberAttacks. This talk looks at Security Best Practices that need to be practised.
This talk was presented at AWS Community Day Bengaluru 2019 by Amar Prusty, Cloud-Data Center Consultant Architect, DXC Technology
How do you integrate security within a Continuous Deployment (CD) environment - where every 5 minutes a feature, an enhancement, or a bug fix needs to be released?
Traditional application security tools which require lengthy periods of configuration, tuning and
application learning have become irrelevant in these fast-pace environments. Yet, falling back only on
the secure coding practices of the developer cannot be tolerated.
Secure coding requires a new approach where security tools become part of the development environment – and eliminate any unnecessary overhead. By collaborating with development teams, understanding their needs and requirements, you can pave the way to a secure deployment in minutes.
Snyk Intro - Developer Security Essentials 2022Liran Tal
Overwhelmed with security issues in your Node.js applications? Not entirely sure how to write secure code? Join us in this workshop where you’ll learn how to improve security without being a security professional. We’ll use Snyk Code’s VS Code extension to catch and find security issues while you code, automatically fix security issues in your open source libraries, and see first-hand how to weaponize vulnerabilities to exploit working Node.js applications. You will also learn about the multiple ways of using Snyk to secure your projects, from the CLI, to CI/CD pipelines with GitHub Actions, and extend your know from secure code and secure dependencies to that of building secure containers to your Node.js apps on Docker.
This talk is going to give an overview of Android operating system and it´s apps ecosystem from the security point of view of a penetration tester.
So lets dive into topics like Pentest Environment Setup, Tools of the Trade, App Analysis and some security hints for Android developers.
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks.
Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack.
The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running.
Let us guide you through your application security testing journey with more key differences between SAST and DAST:
Application Security - Your Success Depends on itWSO2
Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment can be brought down if your application's security isn't taken into serious consideration. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase.
In this session, Dulanja will discuss the following:
The importance of application security - why network and OS security is insufficient.
Challenges in securing your application.
Making security part of the development lifecycle.
Security Incident Event Management
Real time monitoring of Servers, Network Devices.
Correlation of Events
Analysis and reporting of Security Incidents.
Threat Intelligence
Long term storage
NIST 800-92 Log Management Guide in the Real WorldAnton Chuvakin
This presentation will introduce the first ever standard on log management - NIST 800 - 92 guide. It will then offer a guide walk through to highlight the critical areas of standardization. The majority of the remaining time will be spent on explaining how to use the guide in the real world if you are a security manager or a security pro.
SIEM : Security Information and Event Management SHRIYARAI4
SIEM is a tool that collects, aggregates, normalizes the data and analyzes it according to pre-set rules and presents the data in human readable format
Upgrade Your SOC with Cortex XSOAR & Elastic SIEMElasticsearch
Together, Cortex XSOAR and Elastic SIEM deliver a flexible and effective solution for today's security operations teams. Combining Cortex XSOAR's robust orchestration, automation, and case management capabilities with Elastic's open collection, search, and analytics abilities provides the comprehensive end-to-end strategy SOC teams need to gain visibility to stop threats.
In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole.
OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications.
APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year.
In this session we’ll discuss:
· What makes API Security different from web application security
· The top 10 common API security vulnerabilities
· Examples and mitigation strategies for each of the risks
Cloud Security is critical to Data Security and Application Resilience against CyberAttacks. This talk looks at Security Best Practices that need to be practised.
This talk was presented at AWS Community Day Bengaluru 2019 by Amar Prusty, Cloud-Data Center Consultant Architect, DXC Technology
How do you integrate security within a Continuous Deployment (CD) environment - where every 5 minutes a feature, an enhancement, or a bug fix needs to be released?
Traditional application security tools which require lengthy periods of configuration, tuning and
application learning have become irrelevant in these fast-pace environments. Yet, falling back only on
the secure coding practices of the developer cannot be tolerated.
Secure coding requires a new approach where security tools become part of the development environment – and eliminate any unnecessary overhead. By collaborating with development teams, understanding their needs and requirements, you can pave the way to a secure deployment in minutes.
Snyk Intro - Developer Security Essentials 2022Liran Tal
Overwhelmed with security issues in your Node.js applications? Not entirely sure how to write secure code? Join us in this workshop where you’ll learn how to improve security without being a security professional. We’ll use Snyk Code’s VS Code extension to catch and find security issues while you code, automatically fix security issues in your open source libraries, and see first-hand how to weaponize vulnerabilities to exploit working Node.js applications. You will also learn about the multiple ways of using Snyk to secure your projects, from the CLI, to CI/CD pipelines with GitHub Actions, and extend your know from secure code and secure dependencies to that of building secure containers to your Node.js apps on Docker.
This talk is going to give an overview of Android operating system and it´s apps ecosystem from the security point of view of a penetration tester.
So lets dive into topics like Pentest Environment Setup, Tools of the Trade, App Analysis and some security hints for Android developers.
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
This Session will focus on Mobile Top 10 2014-M3 : Insufficient Transport Layer protection. We will try to understand Transport Layer, Transport layer security (TLS), insecurities in TLS/SSL, and how this affects the overall security of Mobile Devices as well as what kind of protection can be applied and how this can be identified..
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
This presentation is part of a series focused on OWASP Mobile Top 10 : We discussed about what is data leakage, places where data could be leaked. sample /examples of data leakage and how it differes from M2: Insecure data storage.
A beginner level presentation made for c0c0n 2013 to talk about some basic modules of python which can be used in routine penetration testing exercises.
Visual version of http://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto The presentation talks about how a disclsoure was forgotten and what we can do to prevent such issues and how to keep a track on Vulnerable components
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
c0c0n 2015 Presentation. This talk discussed about the impact of using components with known vulnerabilities along with various tips and tools for software developer or administrator to facilitate identification of vulnerable components.
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Anant Shrivastava
This presentation talks about OWASP Mobile Risk M2 i.e. Insecure Data Storage. The agenda of the presentation is to understand the Data Storage and effect of insecure data storage. Then it also had demo's of known insecure data storage flaws. Methods to identify this flaw and various precautions that a developer should take to prevent this flaw.
The presentation was done as part of null/OWASP/G4H Monthly Meet
This paper attempts to look behind the wheels of android and keeping special focus on custom rom’s and basically check for security misconfiguration’s which could yield to device compromise, which may result in malware infection or data theft.
Configuring SSL on NGNINX and less tricky serversAxilis
Sergej Jakovljev explains how to setup different levels of security over SSL. What's the difference between different SSL certificates and how to set them up on NGINX, Heroku and Node.js.
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE
FIWARE Wednesday Webinar - How to Secure IoT Devices (22nd April 2020)
Corresponding webinar recording: https://youtu.be/_87IZhrYo3U
Live coding session and commentary, demonstrating various techniques and methods for securing the interactions between Devices, IoT Agents and the Context Broker
Chapter: Security
Difficulty: 3
Audience: Any Technical
Presenter: Jason Fox (Senior Technical Evangelist, FIWARE Foundation)
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
Managing secrets in a distributed cloud world requires a new approach to security. Applications and systems are now frequently created and destroyed. The network between distributed clouds, applications, and systems is low-trust, furthering the complexities of secrets sprawl. So, what is the solution?
HashiCorp Vault seeks to solve the problem of secret sprawl by centralizing secrets management in a scalable, repeatable workflow to be able to create, manage, and revoke secrets as needed.
Watch this webinar to learn:
- How Vault addresses today’s security threats
- How security teams can use Vault to store and manage all their secrets across their private and public infrastructure, globally.
- How Adobe reduced secret sprawl, increased operational performance of a key security process, and processes 100 trillion transactions with Vault
For full webinar recording: https://hashicorp.com/resources/eliminating-secret-sprawl-in-the-cloud
Securing Network Access with Open Source solutionsNick Owen
My presentation from Atlanta Linux Fest on how to allow users secure access to your network using open source technologies. Examples include how to add two-factor authentication to Apache, OpenVPN, Astaro, NX etc.
Let's face it, the web can be a dangerous place. So how do you protect your users and yourself? Tony Amoyal answers that and more as he shows how Rails can help protect against miscreants.
APIs are the building blocks of interoperability on the web and are a key component of scalable and successful technology companies. As externally-consumable APIs expose more information and functionality, ensuring privacy and security of customer data is an increasingly risky proposition. In this session, we’ll talk about some of Slack’s learnings around building Developer APIs and best practices for keeping your APIs safe.
Slides originally for a presentation at the Rocky Mountain Technology Summit. Slightly reduced content.
Introduction to Secure Socket Layer (SSL) and Tunnel Layer Security (TLS). Shows basic principle of SSL and also little bit of practical applicability.
Here you can find the slides that accompany my “SPA Secure Coding Guide”, this presentation go through a set of security best practices specially targeted towards developing Angular applications with ASP.Net Web Api backends.
It comes with a WebApi example project available on GitHub that provides several code examples of how to defend yourself. The example app is based on the famous "Tour of Heroes" Angular app used throughout the Angular documentation.
It first introduce general threat modelling before explaining the most current type of attacks Asp.Net Web API are vulnerable to .
It is designed to serve as a secure coding reference guide, to help development teams quickly understand Asp.Net Core secure coding practices.
As companies move towards offering SaaS products in the cloud, it becomes increasingly important to ensure these products are secured by default. This is because customers are no longer in control of their data, but data now resides on a third-party cloud provider.
Security is everyone's responsibility. It is now imperative that these cloud products be built with security in mind from the beginning.
In this session, Anshuman Bhartiya will discuss ways to build secure applications in the cloud.
Similar to SSL Pinning and Bypasses: Android and iOS (20)
This paper attempts to look behind the wheels of android and keeping special focus on custom rom’s and basically check for security misconfiguration’s which could yield to device compromise, which may result in malware infection or data theft.
an introduction to Lamp stack and how it is beneficial for students, presented by anant shrivastava on behalf of linux academy http://academylinux.com and you can contact anant @ http://anantshri.info
a simple presentation with introduction on hacking, presented by anant shrivastava on behalf of linux academy at rkdf bhopal http://academylinux.com and contact anant at http://anantshri.info
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
4. HOW MITM WORKS
1. Add Root CA of interception proxy in Browser.
2. Divert traffic via interception proxy, proxy handles SSL Connection
Client <--HTTPS--> Interception Proxy <--HTTPS--> Server
1. Browser validates that certificate is issued by Trusted CA and allows
connection
BEFORE AFTER
5. PKI IS BROKEN
1. System Trust all CA in Trust Store (PortSwigger CA)
2. System Trust's ROOT CA not certification chain
3. Any CA can issue certificate to any website (Diginotar, Trustwave, NIC and many
more)
4. Certificate Stolen: Welcome to Revocation hell and CRL Nightmare
5. OCSP to the rescue over port 80
6. and many more
6. SO WHAT SHOULD WE DO
Pin Trust on our own certification chain and validate it at Client Side
7.
8. WHAT'S THE CATCH
1. What if you get new certificate from a different service provider
2. What if your certificate chain changes
3. What if certificate is revoked
4. What if certificate is stolen
5. What is Client is malacious
6. What if .....
Answer:
You need to update the code everytime certificate changes
ITS EASY PUSH AN UPDATE
9. SO WHY SHOULD I BOTHER
1. Developers : This hinders attacker from traffic interception. Adds another layer
for Attacker to look for. Without Rooting devices its nearly imposible to bypass
it so far.
2. Pentesters : This hinders you from inspecting application (be ready for
bypasses section)
11. HOW TO IMPLEMENT SSL PINNING
Multiple ways
1. Store Certificate in sqlite and use it directly
2. Store sha1 hashes and compare
3. Store sha1 hash of one element in chain and compare
12. DEMO DETAILS
1. We have used a helper library called okhttp by square
2. Pins sha1 hashes of entire chain or set of elements in chain
15. HOW BYPASS WORKED
1. Xposed Framework Hooks into all Function Calls
2. Whenever request is made for check function inside
com.squareup.okhttp.CertificatePinner class, return true
Ref: https://github.com/Fuzion24/JustTrustMe/pull/12
18. HOW TO IMPLEMENT SSL PINNING
1. Use Third Party helper like
1. SwiftHTTP
2. TrustKit
2. Or Use SecTrustEvaluate via NSURLConnectionDelegate (third party helper
basicly are wrapper to do this)
20. HOW TO BYPASS
1.
2. (superseeds ios-ssl-kill-switch
works on 9.0.2 also, doesn't work with itunes/appstore by default)
https://github.com/iSECPartners/ios-ssl-kill-switch
https://github.com/nabla-c0d3/ssl-kill-switch2
22. HOW IT WORKS
1. Leverages Cydia substrate
2. Uses to inject on process
3. Hooks on instead of SecTrustEvaluate or NSURL* as The
Secure Transport API is "the lowest-level TLS implementation on iOS"
1. Patch SSLCreateContext(): Disable the built-in certificate validation in all SSL
contexts
2. Patch SSLSetSessionOption(): Remove the ability to re-enable the built-in
certificate validation
3. Patch SSLHandshake(): Force a trust-all custom certificate validation
MobileSubstrate
Secure Trasport API
Reference: https://nabla-c0d3.github.io/blog/2013/08/20/ios-ssl-kill-switch-v0-
dot-5-released/