A machine learning model, specifically a recurrent neural network, can be trained on large datasets of passwords and personal details to generate targeted password guessing lists that leverage common human-used password construction schemes. While the model is able to learn patterns and generate password candidates matching 80% of schemes in lists of 100 passwords, mitigation strategies could treat passwords identified as likely human-generated as insecure or integrate a human password classifier on servers to warn of risks.
End-to-End Analysis of a Domain Generating Algorithm Malware Family - CrowdStrike
This document summarizes the analysis of a domain generating algorithm (DGA) malware family. Key points include:
- The malware uses inline code obfuscation and encrypted strings to hide its functionality and communication domains. Researchers were able to deobfuscate the code and decrypt the strings to analyze the malware.
- Clues in decrypted strings suggest the malware author is Romani, including references to Romani singers in template strings.
- The malware generates domain names by concatenating two randomly selected words from a dictionary and appending ".net". This allows it to generate many domain variations to communicate with its command and control servers.
- The DGA algorithm uses a 15-bit seed value derived from the
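The two-word-plus-".net" construction described above is small enough that a defender can enumerate it. The block below is an added example, not CrowdStrike's code or the malware's: the wordlist is a constructed stand-in, and deriving the two words from a 15-bit seed through a seeded PRNG is an assumption (the page does not say how the seed is consumed). It shows why a 15-bit seed space is a weakness: all 32,768 seeds can be precomputed into a blocklist and matched against DNS queries.

```python
import random
from typing import Set

# Constructed stand-in dictionary; the real malware's wordlist is not on the page.
WORDLIST = [
    "blue", "river", "stone", "cloud", "silver", "forest", "night", "amber",
    "copper", "harbor", "meadow", "winter", "falcon", "garden", "island", "marble",
]
SEED_BITS = 15          # from the analysis: a 15-bit seed
TLD = ".net"            # from the analysis: every domain ends in .net


def domain_for_seed(seed: int) -> str:
    """Derive one two-word domain from a 15-bit seed (hypothetical derivation)."""
    if not 0 <= seed < (1 << SEED_BITS):
        raise ValueError("seed must fit in 15 bits")
    rng = random.Random(seed)          # deterministic: same seed -> same domain on every host
    first = rng.choice(WORDLIST)
    second = rng.choice(WORDLIST)
    return f"{first}{second}{TLD}"


def enumerate_all_domains() -> Set[str]:
    """Defender side: 2**15 seeds is only 32,768 candidates, cheap to precompute once."""
    return {domain_for_seed(seed) for seed in range(1 << SEED_BITS)}


def is_dga_candidate(query_name: str, known: Set[str]) -> bool:
    """Match a DNS query name (case-insensitive, trailing dot tolerated) against the set."""
    return query_name.lower().rstrip(".") in known


if __name__ == "__main__":
    blocklist = enumerate_all_domains()
    print(f"{len(blocklist)} distinct domains reachable from {1 << SEED_BITS} seeds")
    print(domain_for_seed(123), is_dga_candidate(domain_for_seed(123) + ".", blocklist))
```

Because the toy wordlist has 16 entries, the 32,768 seeds collapse onto at most 256 distinct names; a real wordlist is larger, but the seed space, not the wordlist, bounds how many domains the defender has to block.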
This PPT gives information about:
1. Database basics,
2. Indexes,
3. PHP MyAdmin Connect & Pconnect,
4. MySQL Create,
5. MySQL Insert,
6. MySQL Select,
7. MySQL Update,
8. MySQL Delete,
9. MySQL Truncate,
10. MySQL Drop
This document summarizes cryptography concepts including symmetric and asymmetric encryption algorithms, hashing algorithms, and attacks on cryptosystems. Symmetric algorithms like AES and Blowfish use a single key for encryption and decryption, while asymmetric algorithms like RSA and ECC use public/private key pairs. Hashing algorithms like SHA-1 produce a fixed-size digest used to check message integrity (SHA-1 is no longer collision-resistant and should not be chosen for new designs). Cryptanalysis studies breaking encryption, while brute force involves testing all possible keys.
When will passwords die? Research challenges and opportunities in user authen... - Shujun Li
13 January 2020: invited talk at the 2020 UK PhD Winter School on Cyber Security, organised by the University of Newcastle, the University of Bristol, NCSC and EPSRC
Andy Watson, an employee of Ionic Security, gave a presentation on properly using cryptography in applications. The presentation covered topics such as random number generation, hashing, salting passwords, key derivation functions, symmetric encryption algorithms and common mistakes made with cryptography. The goal was to help people avoid vulnerabilities like unsalted hashes, hardcoded keys, weak random number generation and improper encryption modes.
Cyber crime and information security are prominent topics worldwide, and cyber crime on the internet increases day by day. This document covers the details of cyber security.
This document provides an overview of hacking, including its history and common techniques. It begins with early "phone phreaks" who experimented with hacking phone systems using blue boxes and Captain Crunch whistles. It then outlines the stages of a typical penetration test: reconnaissance, scanning/enumeration, gaining access, privilege escalation, maintaining access covertly, and covering tracks. Common hacking methods like password cracking, man-in-the-middle attacks, Trojans, and keyloggers are also summarized. The document concludes by noting that nothing is truly secure and that risk is a balance of attack cost and information value.
The document discusses hackers and hacking tools. It provides a list of the latest hacking tools, top 10 hackers in the world along with brief descriptions of each, categories of hackers based on their motives (gray hat, black hat, white hat), and an extensive list of chapters covering different aspects of ethical hacking like Bluetooth hacking, databases, exploit tools, networks, patch management, and more. It aims to be a comprehensive resource for ethical hackers.
Tutorial on Privacy Preserving Speech Processing prepared by Gérard CHOLLET, Jean-Jacques QUISQUATER and Bhiksha RAJ for IEEE-ICASSP and given on March 5th 2017 in New Orleans
Password cracking is a technique used to gain access to an organisation.
In these slides, I will tell you the possible ways of cracking passwords and do a live example of Gmail password cracking.
This lecture discusses principles of secure coding and lessons learned from past security incidents. It covers topics like:
- Design principles like least privilege and complete mediation.
- Common coding errors that led to vulnerabilities like buffer overflows.
- The importance of input validation, logging, and avoiding risky functions.
- Lessons from fuzz testing programs and the need for secure development practices.
- Authentication techniques like hashing passwords and limiting privileges.
- The role of policy, usability, and social aspects in security.
The document provides guidance on properly storing passwords in a database. It recommends using cryptographically secure hash functions with salts to hash passwords before storage. It discusses approaches like PBKDF2, BCrypt, and SCRYPT that can be used to hash passwords and make brute force attacks more difficult. The document stresses that security should be a higher priority for developers than new frameworks, and provides other recommendations like using standard authentication when possible and limiting database access.
Nicholas Dorans discusses the history and evolution of passwords from their introduction in 1961 to current practices and future directions. Passwords were first used at MIT and initially stored in plain text before the development of hashing in the 1970s. While passwords remain common, best practices include using unique, strong passwords for each account and password managers. Biometrics and two-factor authentication are gaining adoption to improve security beyond passwords alone.
This document summarizes session #5 of a CISSP mentor program. It provides an overview of symmetric encryption techniques like DES, AES, and their modes of operation. It also discusses the history and weaknesses of DES, as well as how Triple DES aims to strengthen it. The session includes quizzes on these topics and cryptographic concepts.
For a college class in Ethical Hacking and Network Defense at CCSF, by Sam Bowne. More info at https://samsclass.info/123/123_F17.shtml
Based on this book
Hands-On Ethical Hacking and Network Defense, Third Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610
Updated 11-22-17 12:15 PM
The document provides guidance on establishing a strong password policy for a financial institution. It discusses threats like brute force attacks and outlines guidelines for enforcing strong passwords, including minimum length of 8 characters, requiring multiple character sets, and not allowing dictionary words or usernames in passwords. It also covers topics like default passwords, credential harvesting, idle accounts, password storage, changing passwords, security questions, and moving beyond passwords to other forms of authentication.
Techniques for password hashing and cracking - Nipun Joshi
This document discusses techniques for securely storing passwords using hashing and preventing cracking. It recommends using algorithms like bcrypt and PBKDF2 that include salts and key stretching to make passwords very difficult to brute force or dictionary attack by requiring extensive time and computing resources. The document provides examples of hashing best practices and measures organizations and users can take to better protect against leaks and unauthorized access.
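Both password-storage summaries above (the database guidance and this one) recommend a salted, iterated construction such as PBKDF2 or bcrypt. The block below is an added example, not code from either document: it stores PBKDF2-HMAC-SHA256 output in a self-describing record so the salt and iteration count travel with the hash, verifies in constant time, and flags records whose iteration count has fallen behind policy. The 600,000 default follows OWASP's current guidance for PBKDF2-SHA256; the record format is this example's own convention.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000     # OWASP guidance for PBKDF2-HMAC-SHA256; raise as hardware improves
SALT_BYTES = 16                  # 128-bit random salt, unique per password


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a record of the form algorithm$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(SALT_BYTES)     # fresh salt from the OS CSPRNG, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(record: str):
    """Split a stored record; return None on any malformed field instead of raising."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        digest = bytes.fromhex(digest_hex)
    except ValueError:
        return None
    if algorithm != ALGORITHM or iterations < 1 or not salt or not digest:
        return None
    return iterations, salt, digest


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare without early exit."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)   # constant-time comparison


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored record is malformed or weaker than the current policy,
    so the caller can re-hash transparently on the next successful login."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))   # expected: True
    print(verify_password("Tr0ub4dor&3", stored))                     # expected: False
```

Because the iteration count is stored with each record, the cost can be raised later without invalidating existing accounts: `needs_rehash` identifies old records, and the application re-hashes the plaintext it already holds at the moment of a successful login.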
Video (at YouTube) - http://bit.ly/19TNSTF
Big Data Security Analytics, Data Science and Machine Learning are a few of the new buzzwords that have invaded our industry of late. Most of what we hear are promises of a unicorn-laden, silver-bullet panacea from heavy-handed marketing folks, evoking an expected pushback from the more sceptical members of our community.
This talk will help parse what we as a community need to know about these concepts: the technical details and actual capabilities behind them, where they fail, and how they can be exploited and fooled by an attacker.
The talk will also share results of the author's current ongoing research (on MLSec Project) of applying machine learning techniques to information security monitoring.
1. The document discusses the topics of security and cryptography. It covers authentication, encryption algorithms like RSA public-key encryption, and digital signatures.
2. RSA public-key cryptography is described as the most widely used system, where users have public and private keys to encrypt and decrypt messages. It relies on the assumption that factoring large numbers is computationally difficult.
3. Digital signatures are explained as a way for a user to sign a message using their private key so that others can verify it came from that user by decrypting it with the public key.
This document discusses unique identifier generation in distributed systems. It notes that sequential IDs are not always feasible in distributed systems. While GUIDs are universally unique, they are too long at 36 characters. The document explores balancing ID length with collision probability. It models collision probability based on ID length and number of IDs. Simulation results show an 8 character ID has low collision probability currently but this may increase with more IDs. The document concludes an 8 character ID is sufficient now but length may need to increase to accommodate future growth.
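The length-versus-collision trade-off described above is the birthday bound. The block below is an added example, not code from the document: it computes the approximate probability that at least one collision occurs among a given number of randomly generated IDs, inverts that to find the shortest length meeting a target probability, and generates IDs with a CSPRNG (the 62-symbol alphanumeric alphabet is this example's assumption; an ID drawn from a non-cryptographic generator would not have the independence the formula assumes).

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols, URL-safe (assumption)


def collision_probability(length: int, count: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Birthday-bound approximation of P(at least one collision) among `count` IDs.

    With N = alphabet_size ** length possible values, P ~= 1 - exp(-n(n-1) / 2N).
    """
    if length < 1 or count < 0:
        raise ValueError("length must be >= 1 and count >= 0")
    space = alphabet_size ** length                     # exact integer, no float overflow
    exponent = (count * (count - 1)) / (2.0 * space)
    return 1.0 - math.exp(-exponent)


def min_length_for(count: int, max_probability: float, alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest ID length that keeps collision probability at or below the target."""
    length = 1
    while collision_probability(length, count, alphabet_size) > max_probability:
        length += 1
    return length


def generate_id(length: int) -> str:
    """Random ID from a cryptographically secure source; secrets.choice avoids modulo bias."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for n in (10_000, 1_000_000, 100_000_000):
        print(f"8 chars, {n:>11,} IDs: P(collision) = {collision_probability(8, n):.4%}")
    print("length for 1e6 IDs at P <= 1e-6:", min_length_for(1_000_000, 1e-6))
    print("sample:", generate_id(8))
```

The document's conclusion (8 characters is sufficient now, longer later) reads directly off `collision_probability`: at one million IDs the probability is roughly 0.2%, and it grows quadratically in the number of IDs, so each tenfold increase in volume costs about a hundredfold in collision probability until the length is raised.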
These slides cover software project management.
Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure the contents have not been altered. We continue to use block ciphers because they are comparatively fast, and because we know a fair amount about how to design them.
This document discusses the history of computer security breaches and issues. It mentions several high-profile hacking incidents from the 1980s to 1990s where hackers were able to gain unauthorized access to military and banking computers. The document also notes that today nearly half of companies report financial losses due to security incidents, with estimated losses totaling over $66 million. Computer security threats include financial losses, data theft, and system malfunctions.
This document describes how the author conducted an OSINT investigation and subsequent phishing campaign. It begins by explaining what OSINT is and some common tools used for open source intelligence gathering like Maltego, Shodan, and Google dorks. Next, it discusses how to use the information found through OSINT to craft a targeted phishing email. The document walks through setting up a phishing site using tools like Modlishka and GoPhish. It then tells the story of an actual phishing campaign the author conducted, changing details to protect privacy. The document concludes by emphasizing the importance of managing one's online presence and digital footprint.
This document provides an overview of cryptography concepts including symmetric and asymmetric encryption algorithms, hashing, digital signatures, and public key infrastructure (PKI). Symmetric algorithms like AES use a shared secret key for encryption and decryption while asymmetric algorithms like RSA use separate public and private keys. Digital signatures combine hashing and asymmetric encryption to provide data integrity, non-repudiation and authentication. PKI establishes trust in public keys through a system of digital certificates issued by a trusted certification authority.
Stephan Gerling in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Stefan Zarinschi in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Bridging the gap between CyberSecurity R&D and UX - DefCamp
(1) The document discusses bridging the gap between research and development (R&D) and user experience (UX) in product development.
(2) It emphasizes the importance of asking questions to understand user needs, focusing on user feelings over features, and ensuring users understand how to use products easily.
(3) The key lessons are to thoroughly question requirements, balance R&D and UX priorities, focus on satisfying core users, understand what users truly value, and make products feel intuitive and fast to use.
Drupalgeddon 2 – Yet Another Weapon for the Attacker - DefCamp
Radu-Emanuel Chiscariu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
This document discusses multi-factor authentication (MFA) and methods for bypassing it. It defines MFA as requiring more than one validation procedure to authenticate individuals. It describes the different factors of authentication as something you know, something you have, and something you are. It outlines various deployment modules for each factor type, including passwords, tokens, biometrics. It also covers challenges of MFA implementation and methods attackers could use to bypass MFA security, such as email filtering or legacy protocol exploitation.
Threat Hunting: From Platitudes to Practical Application - DefCamp
This document discusses threat hunting and practical approaches to threat hunting. It defines threat hunting as proactively searching through data to detect threats that evaded traditional security measures. It argues that threat hunting is more effective than reacting to incidents. The document provides guidance on log collection, developing situational awareness, hunting hosts and networks, maintaining a flexible mindset, and sharing findings. It suggests starting with small data collection and focusing on important systems and network areas. The goal is to understand normal behavior and detect anomalies.
Building application security with 0 money down - DefCamp
Muhammad Mudassar Yamin in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Implementation of information security techniques on modern android based Kio... - DefCamp
Muhammad Mudassar Yamin in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
The challenge of building a secure and safe digital environment in healthcareDefCamp
Jelena Milosevic in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Timing attacks against web applications: Are they still practical?DefCamp
This document discusses the practicality of timing attacks against web applications. It begins by explaining what a timing attack is and detailing the author's plan to conduct one against a target application. The plan involved studying the application's code, pinpointing an exploitable function, collecting timing data, filtering noise, and reducing the search space. The author was able to measure response times and identify spikes but encountered challenges averaging server performance. They demonstrate conducting a timing attack to recover hashed credentials over many requests. Ultimately, while timing attacks can be efficient, they are difficult to execute remotely and most applications and servers have protections that render the attacks impractical. Constant-time algorithms and rate limiting are presented as solutions to prevent these types of attacks.
Tor .onions: The Good, The Rotten and The Misconfigured DefCamp
Ionut-Cristian Bucur in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...DefCamp
Ioan Constantin in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
We will charge you. How to [b]reach vendor’s network using EV charging station.DefCamp
This document summarizes a presentation about vulnerabilities found in electric vehicle charging stations. The presentation covered:
1) Several vulnerabilities were found in the Bluetooth and Wi-Fi stacks that could allow access to the vendor's internal network, including arbitrary file writes, command injection, and buffer overflows.
2) The vulnerabilities were disclosed responsibly to the vendor, who developed a detailed plan and released updated firmware within a few months to address all issues.
3) Electric vehicles and charging stations are an important area for continued security research given the protocols for wireless communication, transactions, and vehicle-to-charger interfaces.
Cristian Pațachia-Sultănoiu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
This document discusses watering hole attacks, a type of cyber attack where hackers compromise frequently visited websites to infect visitors' devices through drive-by exploits. It describes how watering hole attacks work, why they are difficult to detect, and introduces DEKENEAS, an AI-based solution developed by the author to detect watering hole attacks through analyzing obfuscated JavaScript. DEKENEAS trains on over 40,000 malicious redirect samples to recognize behavioral patterns and classify code as malicious or not. When tested on 10,000 new samples and top websites, it achieved 100% detection of unknown implants with no false negatives and a very low false positive rate of 0.00023%.
2. Georg Knabl
• self-employed IT-Consultant & Software Engineer at
• based in Graz, Austria
• areas of expertise
  • machine learning implementations
  • web development
  • information security
5. A Human Attack Vector
• people use password creation schemes
• types
  • machine-random (&CtAEaCp?b&v"s%)
  • human-general (123456)
  • human-individual (John1970!)
  • human-random (randomly typed, 34ghjk34f3hjkHGFC)
  • What about correct horse battery staple?
• issues
  • reduced entropy
  • attacker: knowing scheme (+ personal data) => password
  • humans limited in creativity
    • somebody else might have come up with the same scheme
    • schemes publicly available in password leaks
7. Traditional Approaches
• Hybrid or rule-based: dictionaries, word-mangling rules
• Markov Models: high-probability character sequences
• Masks: reduce the set to typical structures
• Brute-force: try every possible combination
[figure: key space (Dunning, 2016)]
• tool support: hashcat, John-the-Ripper, PACK, CeWL, CUPP, …
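As an added example (not from the talk or the thesis), the "Markov Models" entry above in working form: an order-2 character Markov model trained on a constructed password list, smoothed so that unseen transitions stay possible, and enumerated best-first so that candidates come out in descending probability, which is how a Markov-based guesser produces an ordered wordlist rather than random samples. The training list, the sentinel characters and the smoothing constant are assumptions of the example.

```python
"""Order-k character Markov model over a password list (added example)."""
import heapq
import math
from collections import defaultdict

START, END = "\x02", "\x03"   # sentinels: never appear inside a password

# Constructed training list; a real run would use a leaked-password corpus.
TRAINING_PASSWORDS = (["123456"] * 5 + ["password"] * 3 + ["qwerty"] * 2
                      + ["letmein", "iloveyou", "123123"])


class CharMarkov:
    def __init__(self, order=2, alpha=0.01):
        self.order = order
        self.alpha = alpha                        # add-alpha smoothing
        self.counts = defaultdict(lambda: defaultdict(int))
        self.alphabet = set()                     # characters seen + END

    def train(self, passwords):
        for pw in passwords:
            seq = START * self.order + pw + END
            self.alphabet.update(seq[self.order:])
            for i in range(self.order, len(seq)):
                self.counts[seq[i - self.order:i]][seq[i]] += 1

    def logprob_next(self, ctx, ch):
        """log P(ch | ctx); smoothing keeps unseen transitions possible."""
        row = self.counts.get(ctx, {})
        total = sum(row.values())
        return math.log((row.get(ch, 0) + self.alpha)
                        / (total + self.alpha * len(self.alphabet)))

    def logprob(self, password):
        """Log probability of a whole password including its terminator."""
        seq = START * self.order + password + END
        return sum(self.logprob_next(seq[i - self.order:i], seq[i])
                   for i in range(self.order, len(seq)))

    def generate(self, n, min_len=4, max_len=12):
        """Best-first enumeration: a child is never more likely than its
        parent, so popping the cheapest partial string first yields complete
        passwords in descending probability order."""
        heap = [(0.0, START * self.order)]        # (-log prob, partial sequence)
        out = []
        while heap and len(out) < n:
            cost, seq = heapq.heappop(heap)
            if seq.endswith(END):
                pw = seq[self.order:-1]
                if len(pw) >= min_len:
                    out.append(pw)
                continue
            body_len = len(seq) - self.order
            ctx = seq[-self.order:]
            for ch in sorted(self.alphabet):
                if ch != END and body_len >= max_len:
                    continue                      # only termination is left
                heapq.heappush(heap, (cost - self.logprob_next(ctx, ch), seq + ch))
        return out


if __name__ == "__main__":
    model = CharMarkov(order=2)
    model.train(TRAINING_PASSWORDS)
    for pw in model.generate(10):
        print(f"{pw:12s} {model.logprob(pw):8.3f}")
```

Because every transition probability is at most 1, the heap order is a valid guess order; the same `logprob` scores any candidate list from another tool, which is how the comparison on slide 17 is set up (a fixed number of guesses, ordered by the model).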
10. Neural Networks
• analyze huge datasets
• learn hidden structures
• reproduce structures on new data
• supervised learning process: train on data → generate model → use model to analyze/generate
11. Recurrent Neural Networks (RNN)
• learn, analyze, reproduce sequences
• password = sequence of characters
• password list: the newline (\n) before the next password is just another character
[figure (Olah, 2015)]
12. RNN Tokenization
• every character gets an integer id:
  0 a
  1 b
  2 c
  3 d
  4 e
  … …
  92 \n
• training: characters → ids (source data „abc“ → 0, 1, 2; target data „cde“ → 2, 3, 4)
• generation: ids → characters
13. char-rnn
• RNN predicts character sequences based on training text
• by Andrej Karpathy
• https://github.com/karpathy/char-rnn
(Karpathy, 2015)
17. General Human Password Guessing
• neural networks outperform other methods at above 10^10 guesses
• (almost) infinite number of passwords
(Melicher et al., 2016)
19. Relevance
• most passwords have individual context
• individual details publicly available (OSINT)
  • social media
    • harvester scripts
  • website user tables
    • leaked database dumps (e.g. exploit.in)
  • …
20. Tailored Password Lists
training → output (example output of a trained model):
John2050
180374
09091958
06031982
160883
soni
John!
john!
j0hn.5m17h
john.smith
Smith866
asdfghj
John50
21. Data Protection Compliance
• EU-GDPR (General Data Protection Regulation)
  • significant fines: up to €20 million or 4% of worldwide annual revenue
  • processing personal data requires a legal basis (typically consent)
  • password lists contain personal information
  • using publicly available leaked data is illegal
• imbalance
  • info-sec researcher: has to comply & find (less ideal) alternatives
  • attacker: ignores regulations & trains on the best available data
22. Data Protection Compliance
• compliant ways to collect data
  • general passwords:
    • use e.g. a top-100,000 passwords list: no personal details contained
  • individual details + passwords:
    • compliance based on "public interest"? (GDPR Art. 6 (1) (e))
    • collect consent from users: requires broad access to user data
      a) directly store & relate data until training is finished: requires password storage in plaintext (!!!)
      b) only store tokenized password schemes without user relation: requires all relatable personal data to be known at password hashing time
23. Challenges
• generate password sequences ✓
• GDPR compliance ?
• recognize & relate individual structures ?
  • How to relate personal data?
    • same scheme, different character sequences: <first name><year of birth>! → John1985!, Jane1992!
  • dealing with obfuscations ?
    • e.g. Leetspeak, all upper/lower case: j0hn1985!, JOHN1985!, john1985!
24. Generating a Dataset Containing Individual Details
• starting point: any password leak that contains a personal identifier
  • char-rnn requires > 50,000 entries for proper results
  • e.g. exploit.in (797 million credentials): <email address>:<password>
• collect, match and attach personal details to entries
  • e.g. using a social media harvester
25. Generating a Dataset Containing Individual Details
• example result:

Gender  Username   First Name  Last Name  Year of Birth  Password
f       margarete  Judy        Wells      1972           Wells106
f       sondra     Lucia       Morrow     1950           cvbnm
f       zakia      Gale        Weiss      1999           syndikat
f       eada       Ana         Elliott    1994           Ana94
f       karalee    Denise      Hanson     1965           OLIVER
m       agatha     Edmond      Daniels    1956           Agatha
…
26. Password Schemes Used
• Random: random choice from a top-X password list (e.g. 123456)
• Easy to Type: nearby characters on the keyboard (e.g. qwerty)
• Username: use the person's username (e.g. smithy)
• First Name + „!“: use the person's first name plus an exclamation mark (e.g. John!)
• Lowercased First Name + „!“: use the person's lowercased first name plus an exclamation mark (e.g. john!)
• Last Name + Random Int: use the person's last name plus a three-digit integer at the end (e.g. Smith758)
• Username Leetspeak: use the person's username in Leetspeak (e.g. 5m17hy)
• First Name + Year of Birth (4 digits): use the person's first name plus their year of birth (e.g. John1985)
• First Name + Year of Birth (2 digits): use the person's first name plus their year of birth in two digits (e.g. John85)
27. Tokenization
• replace personal details with a column id
• the column id is just another character
• problem: exact matching fails to match obfuscations or abbreviations
  • John != j0hn
  • 1986 != 86

#  First Name  Year of Birth  Password  Resulting Password Tokens
1  Max         1983           Max1983!  column: First Name, column: Year of Birth, !
2  John        1986           John86!   column: First Name, 8, 6, !
3  Max         1987           123456    1, 2, 3, 4, 5, 6
28. Support Matching Using Data Variations
• add on-the-fly word mangling rules to columns
  • Leetspeak
  • lowercase
  • uppercase
  • …

Gender  Username  First Name  Last Name
f       tania     Kara        Rosales
…
each column expands to (original, Leetspeak, lowercase, uppercase):
Gender:     f, f, f, F
Username:   tania, 74n14, tania, TANIA
First Name: Kara, k4r4, kara, KARA
Last Name:  Rosales, r054135, rosales, ROSALES
32. Attacking the Target
• collect data about the victim & generate a dataset
• use the trained model to generate a tailored password list
• quality of the list depends heavily on
  • selected training data
  • hyperparameter configuration

Gender  Username    First Name  Last Name  Year of Birth
m       john.smith  John        Smith      2050
34. Scheme Adoption
target: Gender m, Username john.smith, First Name John, Last Name Smith, Year of Birth 2050

generated list (omitted lines marked):
John2050
180374
09091958
06031982
160883
soni
John!
John!
[skipped until line 14]
john!
[skipped until line 23]
j0hn.5m17h
[skipped until line 30]
john.smith
[skipped until line 80]
Smith866
[skipped until line 85]
asdfghj
[skipped until line 514]
John50
[...]

how the schemes of slide 26 show up in the output:
• Random: stochastic character generation (mostly human dates)
• First Name + Year of Birth (4 digits): learned
• Username Leetspeak: learned using word mangling
• Last Name + Random Int: partially learned + stochastic generation
• Lowercased First Name + „!“: learned using word mangling
• First Name + „!“: learned
• Easy to Type: learned
• Username: learned
• First Name + Year of Birth (2 digits): partially learned + stochastic generation
• John! appears twice: duplicate because of few available rules
35. Proving Password Scheme Adoption
1. use a new fake dataset with the same schemes
2. loop through each entry and generate an individual password list (1000 entries)
3. check if the password is on that list

Gender  Username   First Name  Last Name  Year of Birth  Password
f       margarete  Judy        Wells      1972           Wells106   → on the generated list?
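The tokenization of slide 27, the data variations of slide 28, the tailored-list generation of slide 32 and the adoption check of slide 35 fit into one added example, below. It is not the thesis code: the RNN is replaced by the set of scheme strings found in a constructed training set (standing in for what the model would learn), every row is made up, and the column names, the Leetspeak map and the private-use code points used as column ids are assumptions of the example.

```python
"""Scheme tokenization with data variations, tailored-list generation and the
scheme-adoption check (added example, not the thesis code)."""

COLUMNS = ("first_name", "last_name", "username", "year_of_birth")

# Leetspeak map that reproduces the slides' examples (j0hn.5m17h, r054135, 74n14).
LEET = str.maketrans("aeilost", "4311057")

NAME_VARIATIONS = {
    "asis": lambda v: v,
    "lower": str.lower,
    "upper": str.upper,
    "cap": str.capitalize,
    "leet": lambda v: v.lower().translate(LEET),
}
YEAR_VARIATIONS = {"asis": lambda v: v, "last2": lambda v: v[-2:]}   # 1986 -> 86


def _variations(column):
    return YEAR_VARIATIONS if column == "year_of_birth" else NAME_VARIATIONS


# Each (column, variation) pair becomes one private-use code point, so a scheme
# is "just another character" sequence a character model can train on.
TOKENS = [(c, v) for c in COLUMNS for v in _variations(c)]
TOKEN_CHAR = {tok: chr(0xE000 + i) for i, tok in enumerate(TOKENS)}
CHAR_TOKEN = {ch: tok for tok, ch in TOKEN_CHAR.items()}


def encode(row, password):
    """Replace personal details (or a mangled form of them) with token chars,
    longest match first; everything else stays a literal character."""
    out, i = [], 0
    while i < len(password):
        best = None
        for column, variation in TOKENS:
            value = _variations(column)[variation](row[column])
            if len(value) >= 2 and password.startswith(value, i):
                if best is None or len(value) > len(best[0]):
                    best = (value, TOKEN_CHAR[(column, variation)])
        if best:
            out.append(best[1])
            i += len(best[0])
        else:
            out.append(password[i])
            i += 1
    return "".join(out)


def decode(scheme, row):
    """Instantiate a scheme for a concrete person (slide 32)."""
    out = []
    for ch in scheme:
        if ch in CHAR_TOKEN:
            column, variation = CHAR_TOKEN[ch]
            out.append(_variations(column)[variation](row[column]))
        else:
            out.append(ch)
    return "".join(out)


def describe(scheme):
    """Readable form of a scheme, e.g. '<first_name:lower>!'."""
    return "".join(f"<{CHAR_TOKEN[c][0]}:{CHAR_TOKEN[c][1]}>" if c in CHAR_TOKEN else c
                   for c in scheme)


def learn_schemes(rows):
    """Stand-in for the trained model: the distinct schemes in the training rows."""
    return sorted({encode(r, r["password"]) for r in rows})


def tailored_list(schemes, row, limit=1000):
    seen, out = set(), []
    for scheme in schemes:
        pw = decode(scheme, row)
        if pw not in seen:                       # slide 34: duplicates are possible
            seen.add(pw)
            out.append(pw)
    return out[:limit]


def adoption(schemes, rows, limit=1000):
    """Slide 35: how many rows of a fresh dataset have their password on their list."""
    hits = sum(r["password"] in tailored_list(schemes, r, limit) for r in rows)
    return hits, len(rows)


def _row(gender, username, first, last, yob, password):
    return dict(gender=gender, username=username, first_name=first, last_name=last,
                year_of_birth=yob, password=password)


# Constructed rows following the schemes of slide 26.
TRAINING_ROWS = [
    _row("f", "margarete", "Judy", "Wells", "1972", "Wells106"),
    _row("f", "eada", "Ana", "Elliott", "1994", "Ana94"),
    _row("m", "agatha", "Edmond", "Daniels", "1956", "Agatha"),
    _row("m", "john.smith", "John", "Smith", "1985", "John!"),
    _row("m", "john.smith", "John", "Smith", "1985", "john!"),
    _row("f", "leak", "Lea", "Klein", "1977", "qwerty"),
    _row("m", "timr", "Tim", "Roth", "2003", "123456"),
    _row("m", "smithy", "Sam", "Smith", "1990", "5m17hy"),
]
TEST_ROWS = [
    _row("f", "jdoe", "Jane", "Doe", "1992", "Jane92"),
    _row("m", "tbaker", "Tom", "Baker", "1970", "tom!"),
    _row("f", "lgrant", "Lucy", "Grant", "1988", "correcthorse"),
    _row("m", "oreed", "Omar", "Reed", "2001", "0r33d"),
    _row("f", "mpark", "Mia", "Park", "1995", "Park2024"),
]

if __name__ == "__main__":
    schemes = learn_schemes(TRAINING_ROWS)
    target = _row("m", "john.smith", "John", "Smith", "2050", "")
    for scheme in schemes:
        print(f"{describe(scheme):40s} -> {decode(scheme, target)}")
    print("adoption (hits, rows):", adoption(schemes, TEST_ROWS))
```

The scheme alphabet is what the character model sees; the person-specific part only comes back at `decode` time, which is the reason variant b) on slide 22 can store schemes without a user relation.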
36. Results
• 6 models with different configurations
• all models match about 70% in password lists of only ~100 lines
• optimized configurations increase matching efficiency
• recreated distributions of schemes
38. Mitigation Strategies
• generating an own model and checking the user's password against generated lists
  • attacker's model and dataset not available: password lists will differ
• long or complex passwords
  • passwords might still be guessed if they contain personal information
  • e.g. JohnSmith1985 is actually <column: firstname><column: lastname><column: year of birth>
• treating all human-like passwords as insecure
  • requires classification of human likeliness
39. Human Password Classification
• using machine learning to classify human likeliness
• dataset (80k human + 80k machine labeled passwords)
• classifiers
  • Logistic Regression
  • Multinomial Naïve Bayes
  • Linear Support Vector Machine
  • Random Forest
• vectorizers
  • TFIDF
  • Count

labeled examples (h = human, m = machine):
&CtAEaCp?b&v"s%  m
-SUuf4TLtF       m
mallrats         h
bP0.}BO/L&{:     m
^=c.rgH$z        m
boxers           h
j&uzHCutff_A{    m
656565           h
6>IB|~@4^n}K     m
forever1         h
…
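An added example of the approach on this slide (Multinomial Naive Bayes over count features), not the classifier published at the repository on slide 44: so that it trains on the 20 constructed passwords below instead of 160k, the features are character-class unigrams and bigrams (l/u/d/s) rather than raw text n-grams; the h/m labels follow the slide. Training set, label names and the smoothing constant are assumptions of the example.

```python
"""Human-vs-machine password classifier: Multinomial Naive Bayes over
character-class n-gram counts (added example)."""
import math
from collections import Counter, defaultdict

# Constructed training set (slide 39's examples included); h = human, m = machine.
TRAINING = [
    ("mallrats", "h"), ("boxers", "h"), ("656565", "h"), ("forever1", "h"),
    ("password", "h"), ("qwerty123", "h"), ("Summer2019", "h"), ("iloveyou", "h"),
    ("letmein", "h"), ("monkey12", "h"),
    ('&CtAEaCp?b&v"s%', "m"), ("-SUuf4TLtF", "m"), ("bP0.}BO/L&{:", "m"),
    ("^=c.rgH$z", "m"), ("j&uzHCutff_A{", "m"), ("6>IB|~@4^n}K", "m"),
    ("Xk8#pQ2!vL", "m"), ("zR@9mT$4wN", "m"), ("K7%nB3^sY&", "m"), ("Qw!4eR9$tY", "m"),
]


def char_class(ch):
    """Collapse each character to l(ower), u(pper), d(igit) or s(ymbol)."""
    if ch.islower():
        return "l"
    if ch.isupper():
        return "u"
    if ch.isdigit():
        return "d"
    return "s"


def features(password):
    """Count vectorizer over class unigrams and bigrams."""
    classes = "".join(char_class(c) for c in password)
    feats = Counter(classes)
    feats.update(classes[i:i + 2] for i in range(len(classes) - 1))
    return feats


class MultinomialNB:
    def __init__(self, alpha=1.0):
        self.alpha = alpha                     # Laplace smoothing
        self.feature_counts = defaultdict(Counter)
        self.class_counts = Counter()
        self.vocab = set()

    def fit(self, samples):
        for password, label in samples:
            f = features(password)
            self.feature_counts[label].update(f)
            self.class_counts[label] += 1
            self.vocab.update(f)

    def log_scores(self, password):
        """log P(label) + sum_f count(f) * log P(f | label) for each label."""
        f = features(password)
        n = sum(self.class_counts.values())
        scores = {}
        for label, cnt in self.class_counts.items():
            total = sum(self.feature_counts[label].values())
            s = math.log(cnt / n)
            for feat, k in f.items():
                p = ((self.feature_counts[label][feat] + self.alpha)
                     / (total + self.alpha * len(self.vocab)))
                s += k * math.log(p)
            scores[label] = s
        return scores

    def predict(self, password):
        scores = self.log_scores(password)
        return max(scores, key=scores.get)

    def human_probability(self, password):
        """Posterior for 'h', the number a password policy could threshold on."""
        scores = self.log_scores(password)
        top = max(scores.values())
        z = sum(math.exp(s - top) for s in scores.values())
        return math.exp(scores["h"] - top) / z


CLASSIFIER = MultinomialNB()
CLASSIFIER.fit(TRAINING)

if __name__ == "__main__":
    for pw in ("princess88", "Vq3#Lm8^zP", "Winter2020"):
        print(pw, CLASSIFIER.predict(pw), round(CLASSIFIER.human_probability(pw), 3))
```

`human_probability` is the hook for the mitigation on slide 38: a server-side check can refuse or warn on anything the model rates as human-like above a chosen threshold, independent of the classic length and character-class rules that JohnSmith1985 would pass.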
43. Conclusion
• machine learning can be used to efficiently attack passwords created by humans
• mitigation
  • treat human passwords as insecure
  • warn users or provide a password policy
    • use a machine learning model to identify human passwords
    • integrate on web servers & password storage services
44. Resources
• Thesis Machine Learning-driven Password Lists:
  • https://www.researchgate.net/publication/328719001_Machine_Learning-driven_Password_Lists
• Human Password Classifier:
  • https://github.com/georgknabl/human-password-classifier
• ready-to-use trained models available via e-mail
45.
"The only secure password is the one you can't remember."
Troy Hunt (haveibeenpwned.com)
46. Contact
DI (FH) Georg Knabl, MSc
IT-Consultant & Software Engineer
georg.knabl@pageonstage.at
47. Sources
• Dunning, Julian (2016). Statistics Will Crack Your Password. Available from: https://p16.praetorian.com/blog/statistics-will-crack-yourpassword-mask-structure [Mar. 3, 2018]
• Karpathy, Andrej (2015). The Unreasonable Effectiveness of Recurrent Neural Networks. Available from: http://karpathy.github.io/2015/05/21/rnn-effectiveness/ [Nov. 10, 2017]
• Melicher, William, Blase Ur, Sean M. Segreti, Saranga Komanduri, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor (2016). „Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks“. In: 25th USENIX Security Symposium (USENIX Security 16). Vancouver: USENIX Association, pp. 175–191.
• Olah, Christopher (2015). Understanding LSTM Networks. Available from: http://colah.github.io/posts/2015-08-Understanding-LSTMs/ [Nov. 10, 2017]