The Internet of Things (IoT) aims to make our lives better, yet there is still no foundation for security controls on the devices that allow us to access the Internet, listen to music, watch television, control the temperature in our homes and more. This talk will look at the history of embedded device insecurity. We’ll explore some real-world examples of how devices are exploited (and how attackers profited). You will also learn what we can do to help fix these problems and push the industry for a much higher level of security for devices affecting our daily lives.
The Internet of Insecure Things: 10 Most Wanted List (Security Weekly)
In this talk I will quickly bring you up to speed on the history of embedded device insecurity. Next, we will look at a real-world example or two of how devices are exploited (and how attackers profited). Finally, you will learn what we can do to help fix these problems and push the industry for a much higher level of security for devices affecting our daily lives.
You may have heard about this threat, one that has plagued our lives and networks for well over a decade. A problem so ubiquitous, it can't be ignored. Yet this threat has a history of hiding in plain sight. Users are, for the most part, unaware of the dangers. Security researchers and the media have attempted to highlight this problem for years without making an impact on improving security. Vendors and users are still very much at risk, and the problem is still largely being ignored by the masses. The Internet of Things (IoT) aims to make our lives better, yet there is still no foundation for security controls on the devices that allow us to access the Internet, listen to music, watch television, control the temperature in our homes and more. The goal of this talk is to enable the audience to help raise awareness and influence the security of embedded systems in a positive way.
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr... (Security Weekly)
A robot, a ninja and a pirate get into a fight. The question is: who wins? While we can debate this question until the end of time, and likely have fun in the process, it’s a waste of time. Who are the robots, ninjas and pirates in your environment? What roles do they play in the vulnerability management process? We debate how to build a vulnerability management program all the time, yet we are still spinning our wheels. Unlike the robot, ninja, pirate battle, there are concrete facts that will help you build a successful program and avoid smoke bombs, swords and robot death rays. Who wins? Find out in this presentation and learn how to protect your booty.
Practical Security Assessments of IoT Devices and Systems (Ollie Whitehouse)
This talk briefly discusses strategies and methodologies that can be employed when assessing IoT devices. We look at how to develop credible threat scenarios for different IoT devices and systems, perform static and dynamic attack surface mapping, perform static firmware analysis, perform static hardware analysis, undertake a dynamic device security analysis, identify sources of supporting information, establish the supporting capabilities required, execute dynamic device analysis, and approach network protocol analysis.
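The static firmware analysis step listed above, as an added example that is not Ollie Whitehouse's material or code from the talk: a constructed in-memory firmware image is carved for embedded private keys, crypt-style password hashes, hardcoded credentials, plaintext update URLs and telnet service markers, and a per-block Shannon entropy map flags regions that are compressed or encrypted and therefore invisible to string analysis until unpacked. The image contents, the patterns and the entropy threshold are assumptions made for the example.

```python
"""Static firmware triage (added example, not from the talk): carve secrets out of
a raw image and flag opaque regions that need unpacking before string analysis."""
import hashlib
import math
import re
from collections import Counter

# Byte regexes run over the raw blob, so no filesystem layout is assumed.
SECRET_PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # crypt(3)-style hash as found in /etc/passwd or /etc/shadow: user:$id$salt$hash:
    "password_hash": re.compile(rb"[a-z_][a-z0-9_-]{0,31}:\$[0-9a-z]+\$[^:\s]+:"),
    # key=value / key: value where the key name smells like a password
    "hardcoded_credential": re.compile(
        rb"(?i)[a-z0-9_.-]*(?:password|passwd|pwd)[a-z0-9_.-]*\s*[=:]\s*[^\s\x00]{1,64}"),
    "url": re.compile(rb"https?://[^\s\x00\"']+"),
    # remote shells that ship enabled in a lot of consumer firmware
    "service_marker": re.compile(rb"\b(?:telnetd|utelnetd|dropbear)\b"),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_secrets(blob: bytes):
    """[(offset, kind, matched_text)] for every pattern hit, ordered by offset."""
    hits = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(blob):
            hits.append((m.start(), kind, m.group(0).decode("latin-1")))
    return sorted(hits)


def entropy_map(blob: bytes, block: int = 1024):
    """Non-overlapping per-block entropy: [(offset, bits_per_byte)]."""
    return [(off, shannon_entropy(blob[off:off + block]))
            for off in range(0, len(blob), block)]


def high_entropy_offsets(blob: bytes, block: int = 1024, threshold: float = 7.0):
    """Blocks that look compressed or encrypted (assumed threshold). Finding nothing
    with find_secrets in these ranges means nothing until they are unpacked."""
    return [off for off, h in entropy_map(blob, block) if h >= threshold]


def analyze_firmware(blob: bytes) -> dict:
    """Triage report: every carved secret, a count per kind, and opaque block offsets."""
    hits = find_secrets(blob)
    return {
        "size": len(blob),
        "findings": hits,
        "kinds": Counter(kind for _, kind, _ in hits),
        "high_entropy_offsets": high_entropy_offsets(blob),
    }


# Constructed sample image (not a real product): flash padding, a plaintext config
# partition, a passwd entry, a baked-in TLS key, an init line starting telnetd, then
# 4 KiB of deterministic pseudo-random bytes standing in for a compressed rootfs.
_OPAQUE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE_FIRMWARE = (
    b"\x00" * 512
    + b"# /etc/config/system\nhostname=iotcam\n"
    + b"admin_password=admin1234\n"
    + b"cloud_url=http://update.example.invalid/fw.bin\n"
    + b"\x00" * 64
    + b"root:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/:/bin/sh\n"
    + b"\x00" * 64
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow(constructed)\n-----END RSA PRIVATE KEY-----\n"
    + b"/usr/sbin/telnetd -l /bin/sh\n"
    + _OPAQUE
)
OPAQUE_START = len(SAMPLE_FIRMWARE) - len(_OPAQUE)

if __name__ == "__main__":
    report = analyze_firmware(SAMPLE_FIRMWARE)
    for off, kind, text in report["findings"]:
        print(f"0x{off:06x} {kind:22s} {text[:60]!r}")
    print("opaque blocks at:", report["high_entropy_offsets"])
```

On a real image the same two passes are run after unpacking with a tool such as binwalk: the string carving is only meaningful on the plaintext partitions, which is exactly why the entropy map is reported beside the findings rather than instead of them.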
Getting ready for a Capture The Flag Hacking Competition (Joe McCray)
This is an introduction to Capture The Flag (CTF) hacking competitions. Everything you need to know about CTFs, and how to prepare for them.
This video covers:
Generic CTF prep
Strategic Security CTF prep
Incident Response
System Hardening
System Logging
Intrusion Detection System
Attacking Systems
Maintaining Access
Fragments-Plug the vulnerabilities in your App (Appsecco)
Appsecco presented on the common mistakes that developers make when building mobile apps.
This session covered how these mistakes make your app vulnerable to attack and abuse, and how an attacker perceives the security of a mobile app.
https://youtu.be/EzC86gWVPZk
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao (Shakacon)
Since 2014, fifteen new malware or riskware families have successfully attacked non-jailbroken iOS devices (e.g., WireLurker, Oneclickfraud, XcodeGhost, InstaAgent, ZergHelper, AceDeceiver), affecting thousands of iOS apps and tens of millions of users around the world. Ten of them even bypassed Apple’s code vetting and appeared in the App Store. In this presentation, we will systematically study how these malware, riskware and some proof-of-concepts could infect non-jailbroken devices via practical vectors and approaches, including abusing development certificates, bypassing code review by obfuscation, performing a FairPlay MITM attack, abusing MDM solutions, abusing private APIs, exploiting design flaws or app-level vulnerabilities, and stealing private data. For each topic, we will introduce its implementation, explore real-world cases, analyze its risks and consequences, explain Apple’s countermeasures, and discuss why some problems will still exist in the near future. We will also share some stories of how we discovered those interesting iOS malware. Through this topic, audiences can make more effective policies to protect iOS devices in their organizations, build their own systems/tools to evaluate security risks in iOS apps, and hunt more iOS malware in the future.
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio... (Tom Eston)
Breaking in is easy; real security is hard. Breaching the security of a casino doesn't have to be as dramatic or dangerous as depicted in the Ocean's Eleven movies. In fact, by simply sitting in a hotel room of a casino, hackers can find ways to breach the high security that casinos have been known for. This type of attack has a simple goal: steal the casino's money and cheat the system. All of this can be done without anyone seeing you and is much easier than walking directly into the casino vault armed with guns and explosives.
In this presentation Tom Eston from SecureState walks us through some of the more interesting and exciting penetration tests his team has conducted. These include breaking into casinos, banks, energy companies and other high-security facilities (with permission, of course). Tom's stories not only show how attackers break in but also carry important lessons on how businesses can better secure their physical as well as network assets.
When you work with a lot of companies scrutinizing their security, you get to see some amazing things. One of the joys of being a commercial security consultant working for big name firms, is that you get to see a lot of innovation and interesting approaches to common problems.
However, as great as this is, the discrete projects you work on are usually a small representation of the overall company. When you look at the company in its entirety, a familiar pattern of weakness begins to reveal itself. While some companies are obviously better than others, the majority of companies are actually weak in remarkably similar ways.
My work in the attacker-modeled pentest and enterprise risk assessment realms focuses on looking at a company as a whole. The premise is that this is what an attacker would do. They won’t just try to attack your quarterly code-reviewed main web site, or consumer mobile app. They won’t directly attack your PCI-relevant systems to get to customer credit card data. They won’t limit their attacks to those purely against your IT infrastructure. Instead, they’ll look at your entire company, and they will play dirty.
In this session, I’ll focus on the things that plague us all (well most of us), and I’ll offer some simple advice for how to try and tackle each of these areas:
– Weaknesses in Physical Security
– Susceptibility to Phishing
– Vulnerability Management Immaturity
– Weaknesses in Authentication
– Poor Network Segmentation
– Loose Data Access Control
– Terrible Host / Network Visibility
– Unwise Procurement & Security Spending Decisions
Managing Next Generation Threats to Cyber Security (Priyanka Aash)
The emergence of next generation technology into the cyber security space has added complications and challenges on several levels. When we talk about next generation technologies we should mean those associated directly with artificial intelligence (AI) and associated components such as machine learning (ML). Unfortunately, many organizations opt to hype current generation products as next gen. In this workshop we will begin by exploring what we need to know about AI and its components. We will dispense with the marketing hype and get down to the facts. Then we will look in detail at a few available tools that truly are next gen, and what makes them next gen, followed by a discussion of where the adversary is going with AI, ML and other next gen technologies. We will wrap up with research from my upcoming book, which discusses the collision between the law and cyber science. In this section we will also address some governance issues that you need to know.
Life as an enterprise security geek from underground. (What enterprises want ... (LINE Corporation)
SeungJin Lee (beist)
GrayHash / CEO
GrayHash is a security consulting team (i.e. hackers); it used to be a very small firm but has worked with many clients. What we mainly do is find zero-days in customers' products and infrastructure. We started working with LINE in April and have learned what's crucial for big companies like LINE. We have identified issues and challenges not only in software but also in infrastructure, because dev teams do make mistakes in both. I will talk about our efforts to make LINE more secure, with interesting episodes and insightful examples.
Our researcher Aryeh Goretsky took a look at some of the more interesting pieces of malware and threats that have occurred over the first six months of the year 2014. And what a year it has been, with some serious new developments as well as persistence of numerous older threats.
ESET researcher Aryeh Goretsky explains in this presentation why he hates the term Advanced Persistent Threat (APT), what the common mechanisms of APT are, and what the defensive technologies are.
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014 (Chris Nickerson)
Ever steal a Boeing 777? How about transferring more than $400,000,000 from an account? Have you ever had one of those bad days where one wrong press of the “enter” key accidentally broadcasts an emergency message to the radio station asking an entire city to evacuate? The real destruction of a business doesn’t come from a shell, a picked lock or a simple lie. The REAL threat is when all of the disciplines are combined and the only thing left in the crosshairs is the BUSINESS itself. Red Teaming is not a process of finding “A” vulnerability, but showing how flaws at EVERY level of the program combine to cause devastating effects to the company (or the tester =) ).
After 15 years in the Red Teaming, Pen Testing and Security Testing Business, I have had some of the weirdest things happen. In this 50 min story time, I plan to go over our methodology, some of our BEST and WORST moments on the job, tips/tricks we picked up along the way and hopefully we can have a few laughs at our (mis)fortune(s).
Web application security and why you should review yours (David Busby, CISSP)
In this talk we will cover what an attack surface is and what you can do to limit it.
Acronym hell: what do all these acronyms associated with security products mean?
Vulnerability media naming: stupidity or driving the message home?
Detection or prevention: avoiding the boy who cried wolf.
Emerging technologies to keep an eye on, or even implement yourself, to help improve your security posture.
2014 -> 2017: what's been going on, and why have there been so many compromises?
The purpose of a Physical Intrusion Test is to gain physical access to a given location, and it is not a simple task. It requires preparation, research, analysis, coordination, a great deal of simulation and the application of a flexible methodology that can adapt to the particular conditions of each target.
Analysing the environment, evading every kind of physical security system and working as a team (Red Team) are fundamental to achieving the intrusion, and with it, subsequent access to equipment, the network and endless data on the target's premises. If you want to know what a Red Team is and dig deeper into carrying out physical intrusions, this is your talk.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
Presented @ Frederick Linux Users Group (KeyLUG)
May 7, 2016
A presentation on protecting Small Office/Home Office (SOHO) networks that I made at the Frederick Linux Users Group (KeyLUG). I work virtually from my home, and this presentation goes through some of my experiences setting up my home network to be better and more secure. I ditched my consumer-grade NAT router and have installed a firewall, commercial-grade wireless access points, and an intrusion detection system (IDS). I'm not finished yet, but this presentation will give you an idea of some of the things that I've done, where I'm thinking about going, and some things to consider as you set up your own network.
Will the Italian school system survive the arrogance, the idiocy, the bullying and the degradation generated by Invalsi? Will the few teachers survive who courageously oppose Invalsi and are today fighting a battle that, in the eyes of most, looks like nothing more than a futile resistance and a tilt at windmills?
FMK2014 FileMaker Security and Database Encryption by Jon Thatcher (Verein FM Konferenz)
Security issues like the "Heartbleed" bug and data breaches have been occurring all too frequently. Keeping up to date on the many security threats is important, and protecting your or your customers' data from these threats is critical. This session will survey recent security issues and help you understand the threat landscape that your solutions may be exposed to. You will learn about some of the many security features in the FileMaker platform, including "under the hood" details of Database Encryption in FileMaker 13.
Survey of recent security issues
Information security and the threat landscape
Use of security features in the FileMaker platform
"Under the hood" details of Database Encryption
The Internet of Things is the idea that everything around us, from cars to ovens, can be connected. If everything around us is linked and collecting information, these networks must be able to provide security and privacy to the end user, particularly in low-power lossy networks.
Being aware of online and malware threats is the first step to computer security. In this presentation, we help you understand:
a. Importance of computer security
b. Consequences of ignoring computer security
c. Types of threats that can harm your computer
d. Measures to take to keep your computer safe
e. How Quick Heal can help
IoT Systems provide powerful, flexible features for IT systems — tracking, monitoring, and other data sharing. Today’s IoT devices utilize microservices and APIs that make them easy to put into production. But securing them isn’t as easy.
This webinar will look at security risks of IoT devices, interfaces, and implementations. We’ll provide practical steps and checklists any DevOps team can use to make their IoT components as secure as possible. We’ll also cover some testing best practices that can be done pre- and post-production to verify security and resilience on an ongoing basis.
The latest massive IoT DDoS attack from the Mirai botnet, which took major websites like Twitter and Reddit offline for hours, has already gained notoriety as one of the worst DDoS strikes in history.
In this webinar Manish Rai & Ty Powers of Great Bay Software will help you understand exactly how the enterprise IoT landscape is changing, and what it means for the assumptions organizations have been making in regards to safeguarding against IoT cyberattacks. You will:
Gain insights into how the recent IoT-based DDoS attacks were launched
Learn how similar attacks could be launched inside enterprise networks
Learn how to safeguard against IoT device compromises
Learn how to reduce your risk, and whose job it is anyway
Learn what your peers are doing for IoT device security, with relevant findings from the 2016 Great Bay Software IoT Security Survey
Watch this on-demand webinar at this link: https://go.greatbaysoftware.com/owb-safeguarding-against-iot-ddos-attacks
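Two of the points above, how an attack like Mirai's spreads inside a network and how to safeguard against device compromise, as an added example that is not Great Bay Software's material or product: Mirai propagated by scanning TCP/23 and TCP/2323 for other devices it could log into with factory-default credentials, so an IoT device that suddenly opens telnet connections to many different addresses is the detectable signal, and per-device segmentation limits what a compromised device can reach. The flow records, addresses, policy and thresholds below are constructed for the example.

```python
"""Added example (not Great Bay Software's code): surface a Mirai-style compromise
from network flow records and enforce the segmentation that contains it."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds on any monotonic clock
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


TELNET_PORTS = {23, 2323}   # the ports Mirai's scanner probed


def telnet_fanout(flows, window_s=60.0, min_targets=16):
    """{src: distinct_targets} for hosts that open telnet connections to at least
    min_targets distinct destinations inside any window_s-second window. A sliding
    window over each host's telnet flows keeps the distinct-destination count."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport in TELNET_PORTS:
            by_src[f.src].append((f.ts, f.dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()
        lo, best = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[lo][0] > window_s:    # evict flows older than the window
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            flagged[src] = best
    return flagged


def segmentation_violations(flows, allowed):
    """allowed maps an IoT device address to the destinations it may reach (its
    recorder, controller, print server ...). Any other destination is a gap that
    lets a compromised device scan or attack the rest of the network."""
    return [f for f in flows if f.src in allowed and f.dst not in allowed[f.src]]


def _constructed_flows():
    flows = []
    # an IP camera sweeping a neighbouring /24 on TCP/23: 40 targets in 20 seconds
    for i in range(1, 41):
        flows.append(Flow(ts=1000.0 + i * 0.5, src="10.20.0.15", dst=f"10.20.1.{i}", dport=23))
    # the same camera streaming to its recorder, which is legitimate
    flows.append(Flow(ts=1005.0, src="10.20.0.15", dst="10.10.0.5", dport=554))
    # a printer talking to its print server
    flows.append(Flow(ts=1001.0, src="10.20.0.7", dst="10.10.0.9", dport=9100))
    # an admin workstation with three telnet sessions to switches: below threshold
    for i in range(3):
        flows.append(Flow(ts=1100.0 + i, src="10.30.0.2", dst=f"10.1.0.{i + 1}", dport=23))
    return flows


SAMPLE_FLOWS = _constructed_flows()
# What each IoT device is allowed to talk to; the workstation is deliberately unlisted.
IOT_POLICY = {"10.20.0.15": {"10.10.0.5"}, "10.20.0.7": {"10.10.0.9"}}

if __name__ == "__main__":
    print("telnet scanners:", telnet_fanout(SAMPLE_FLOWS))
    for v in segmentation_violations(SAMPLE_FLOWS, IOT_POLICY)[:3]:
        print("segmentation gap:", v.src, "->", v.dst, v.dport)
```

The fan-out threshold is the knob to tune: a management host that legitimately uses telnet to a handful of switches stays below it, while a worm that has to find victims by sweeping address space cannot.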
The Hardcore Stuff I Hack:
This talk gives a run-through of some of the technical challenges Paul and his team have overcome over the years, in as much hardcore detail as possible.
This is a talk I gave in St. Louis in April 2018 about how businesses need to understand the Internet of Things and how they can better protect themselves.
This Time, It’s Personal: Why Security and the IoT Is Different (Justin Grammens)
Unfortunately, in recent years we’ve seen a host of incidents where IoT devices were compromised. Sometimes these have been minor with little coverage, while others like Mirai affected millions around the globe and produced serious economic impact. When attacks like this occur, they not only erode the trust of the users of these devices but cause those who are looking to adopt this new technology to pause. With any new technology, security must be thought of as a first-class citizen, and when we are talking about IoT, the data is personal. As the IoT matures, I’ll share some mistakes that have happened in the past, where we are today and how I believe we are now finally seeing a maturity of devices that are remotely updated, fault tolerant and secure. When it comes to building an IoT device, security is personal.
Similar to The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Smart TV Buyer Insights Survey 2024 by 91mobiles (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
1. The Internet Of Insecure Things: 10 Most Wanted List
Paul Asadoorian
Founder & CEO
http://securityweekly.com
2. Things About Paul
http://securityweekly.com Copyright 2014
Work Thing
Podcast thing
Hacks things
Enjoys things
3. Things About This Presentation
• Yes, I may say “The Internet of Things”
• This is not about “watch me hack this device”
• While this is fun, we’ve established things are vulnerable
• Also, the sky is not falling because someone can hack your toaster (yet)
4. It’s More About…
• Real attack vectors against embedded systems
• Some examples of vulnerabilities and attacks (we have to have some fun!)
• Understanding the different types of systems and applications
• Most important, what do “we” do about it?
• The manufacturers of embedded systems
• The folks tasked with protecting networks, systems and infrastructure
5. Embedded Systems
“An embedded system is a special-purpose system in which the computer is completely encapsulated by the device it controls.”
http://www.ece.ncsu.edu/research/cas/ecs
9. Why Do We Care?
• Who cares if someone hacks my TV, fridge, lights, scale or treadmill or wireless router?
• Attackers install Adware/Spyware/Ransomware to these devices
• Ads will be displayed on your devices without your permission
11. Why Do We Care? Privacy.
• I can see you watching TV
• I know what you eat and drink, how often you do laundry, and when you turn your lights/TV on
• I know how long you spend on the toilet
• I collect all this data and use it to send targeted ads
• Distribute pictures of you getting a snack in your underwear at 3AM
16. Industrial Control Systems
• Turck BL67
• Tridium Niagara AX
• Siemens SCALANCE X-200
• Clorius Controls ISC
• Magnum MNS-6K
http://www.tenable.com/plugins/index.php?view=all&family=SCADA
17. Why Do We Care?
• Potentially life threatening
• Historically operated on closed networks
• Physical attacks are in play
• Economics still apply, cost is a huge factor
• Devices have to “live” for a really long time
• It costs money to replace them
19. Why Do We Care?
• Attackers will use “things” as a jumping off point (à la Target)
• Attackers will prey on weaknesses, such as POS systems
• Physical access is not the primary concern, but still possible
• The challenge of economics applies, low cost solutions that solve problems will win over security
20. Medical
• IV Pumps / Drug infusion pumps
• Insulin Pumps (Wearable)
• Surgical and anesthesia devices
• Ventilators
• External defibrillators
• Patient monitors
• Laboratory and analysis equipment
Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors. According to their report, the vulnerability could be exploited to potentially change critical settings and/or modify device firmware.
http://arstechnica.com/security/2013/06/vast-array-of-medical-devices-vulnerable-to-serious-hacks-feds-warn/
21. Why Do We Care?
• Life threatening for sure
• Patient care will trump security every time
• Connectivity and ease of use will trump security
• Oh sorry, I can’t give you pain meds, IV pump is updating patches
• Patient confidentiality also trumps security
• More important to be compliant than secure
22. Already Happening
• http://www.proofpoint.com/about-us/press-releases/01162014.php
• “More than 750,000 Phishing and SPAM emails Launched from "Thingbots" Including Televisions, Fridge”
• Okay, well one fridge, on purpose? By accident? Where is the data?
• http://thehackernews.com/2014/03/linux-worm-targets-internet-enabled.html
• “A Linux worm named Linux.Darlloz, earlier used to target Internet of Things (IoT) devices, i.e. Home Routers, Set-top boxes, Security Cameras, printers and Industrial control systems; now have been upgraded to mine Crypto Currencies like Bitcoin.”
23. More Already Happening
• https://blog.kaspersky.com/gaming-console-hacks/
• “I also have a bad feeling that the time for gaming malware is now, and I am not totally sure what it will take to protect ourselves.”
• http://www.wired.com/2014/04/hikvision/
• “Hackers Turn Security Camera DVRs Into Worst Bitcoin Miners Ever”
• “The low-powered ARM chip is one of the worst possible processors you could pick for the crypto-heavy calculations that make up bitcoin mining.”
• “The malicious software seems to spread using the default usernames and passwords for the Hikvision devices”
24. If I Had To Pick One Example….
Of a really insecure embedded system it would be…
45. Even More Attacks
• HD Moore found several flaws in VxWorks, scanned 3.1 billion IP addresses and found 250,000 systems exposed to the Internet
- http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html
• Craig Heffner discovered a DNS rebinding attack on several routers allowing attackers to gain control of administrative interfaces
- http://code.google.com/p/rebind/
46. Even More Attacks (2)
• Ki-Chan Ahn and Dong-Joo Ha created malware for Nintendo Wii and DS systems
- http://games.venturebeat.com/2010/07/31/live-demos-of-hacking-the-nintendo-ds-and-the-wii-to-spread-malware/
• Barnaby Jack remotely attacked two different ATMs and “made the money come out” (without a card+pin #)
- http://www.youtube.com/watch?v=qwMuMSPW3bU
47. But Why?
Why are embedded systems left out in the cold when it comes to security?
51. What Do We Do About It?
10 Most Wanted List: A Guide For Embedded Device Manufacturers and Software Developers
52. 10 Most Wanted List
1. Backdoors inside of firmware
2. Default credentials
3. Insecure Remote management (Defaults & Clear-Text Transmissions)
4. Open-source software and drivers, NOT binary blobs
5. Functions prone to overflow conditions
6. Firmware and configuration encryption
7. Easy-to-use firmware updates (auto-updates)
8. Secure web management interfaces
9. Maintain a CIRT and provide a program for security researchers
10. Implement Protocols Security / Implement Secure Protocols
53. 1. Firmware Backdoors
• A “secret” account (or access) created by the vendor that allows remote management
• Excuse is this is done for support reasons (password resets)
• The problem is: it’s not so secret
55. 2. Default Credentials
• A known set of credentials used out-of-the-box
• Typically found via Google or in documentation
• The problems: Anyone can discover this value and users/administrators don’t change it
• Also: Firmware updates sometimes reset it to the default value
56. 3. Insecure Remote Management
• HTTP & TELNET - It’s 2014, why are we still using these protocols to manage systems?
• HTTPS - Yes, there is a cost for a certificate. And yes, sometimes vendors will use the same one for every device
• SSH - Same thing here, but easier to enable by default
• Oh, and weak passwords
57. 4. Open-Source drivers
• Interoperability is nice, but also begs the security question
• How do I keep my software and hardware up-to-date if you don’t provide me with a new driver!
• Open-source drivers allow for more eyes, and typically are patched more quickly
58. 5. Functions prone to overflow
• Wait, we know strcpy() is bad, right?
• Why do we still use it?
• And yes, programmers still use it
• In fact, if you take it out, they will just put it back
• https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities
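The strcpy() point from slide 58 in working code, as an added example that is not from the deck: the unbounded copy beside a bounded replacement that measures, rejects what does not fit, and always terminates. The config struct, its field size and the sample inputs are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>

/* Fixed-size field as it would sit in a device configuration struct.
 * The size is an assumed value chosen for this example. */
#define NAME_MAX 16

struct device_cfg {
    char name[NAME_MAX];
    int  admin_enabled;   /* lies right after the buffer: an overflow of name clobbers it */
};

/* The pattern the slide warns about: strcpy() stops only at the NUL byte,
 * so any source of NAME_MAX or more characters runs past cfg->name. */
void set_name_unsafe(struct device_cfg *cfg, const char *src) {
    strcpy(cfg->name, src);
}

/* Bounded replacement: measure with a limit, reject what does not fit, copy
 * exactly that many bytes and terminate. Rejecting (rather than silently
 * truncating) keeps the caller aware that the value was not stored.
 * Returns 0 on success, -1 if the value was rejected; cfg is untouched on -1. */
int set_name_safe(struct device_cfg *cfg, const char *src) {
    size_t len = strnlen(src, NAME_MAX);   /* never reads more than NAME_MAX bytes */
    if (len >= NAME_MAX)                   /* no room left for the terminating NUL */
        return -1;
    memcpy(cfg->name, src, len);
    cfg->name[len] = '\0';
    return 0;
}

int main(void) {
    struct device_cfg cfg = { "", 0 };
    const char *too_long = "a-name-that-is-far-too-long";   /* constructed input */

    int rc = set_name_safe(&cfg, too_long);
    printf("oversized input: rc=%d name='%s' admin=%d\n", rc, cfg.name, cfg.admin_enabled);
    rc = set_name_safe(&cfg, "sensor-7");
    printf("fitting input:   rc=%d name='%s'\n", rc, cfg.name);
    /* set_name_unsafe(&cfg, too_long) would write past name[] into admin_enabled;
     * it is deliberately left uncalled here. */
    return 0;
}
```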
61. Funny Thing About Encryption
62. 6. Firmware Encryption
• Signing firmware updates makes it harder to backdoor existing firmware
• Encrypting firmware makes it tougher to reverse engineer (though don’t let that replace real security)
• Also, XOR is NOT encryption
• http://www.darkreading.com/vulnerabilities---threats/hacking-firmware-and-detecting-backdoors/d/d-id/1139859?
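Why slide 62 says XOR is not encryption, as an added example that is not from the deck: a self-check a firmware team can run on its own packaged image. Every image starts with a public header, and with repeating-key XOR that known plaintext alone yields the key, so there is no confidentiality to lose. The magic bytes, key and payload are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define KEY_LEN 4   /* short repeating key, constructed for this example */

/* Repeating-key XOR, the kind of "firmware encryption" the slide warns about.
 * XOR is its own inverse, so one function both obfuscates and de-obfuscates. */
void xor_image(uint8_t *buf, size_t len, const uint8_t key[KEY_LEN]) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % KEY_LEN];
}

/* Pipeline self-check: XOR the packaged image's first KEY_LEN bytes with the
 * public header every image carries. If that reproduces the real key, the
 * scheme is obfuscation, not encryption. Returns 1 when the key is fully
 * recoverable, 0 otherwise; the recovered bytes are left in `recovered`. */
int xor_key_is_recoverable(const uint8_t *packaged, const uint8_t *public_header,
                           const uint8_t *real_key, uint8_t recovered[KEY_LEN]) {
    for (size_t i = 0; i < KEY_LEN; i++)
        recovered[i] = packaged[i] ^ public_header[i];
    return memcmp(recovered, real_key, KEY_LEN) == 0;
}

/* End-to-end demonstration on a constructed image: package it, run the
 * check, then undo the obfuscation using only the recovered key.
 * Returns 1 if the key leaked and the payload came back intact. */
int demo_xor_leaks_key(void) {
    /* constructed sample: 4-byte magic "FW01", version 1.2, then payload bytes */
    uint8_t image[] = { 'F','W','0','1', 0x01,0x02, 0xde,0xad,0xbe,0xef,0xca,0xfe };
    const uint8_t public_header[KEY_LEN] = { 'F','W','0','1' };
    const uint8_t key[KEY_LEN] = { 0x5a, 0xa5, 0x3c, 0xc3 };
    uint8_t recovered[KEY_LEN];

    xor_image(image, sizeof image, key);                 /* "encrypt" the image */
    int leaks = xor_key_is_recoverable(image, public_header, key, recovered);
    xor_image(image, sizeof image, recovered);           /* undo it with the recovered key */
    return leaks && image[6] == 0xde && image[11] == 0xfe;
}
```

Signing (the slide's first bullet) addresses a different property, integrity, and is what actually stops a modified image from being accepted; this check only shows that XOR buys no confidentiality.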
63. 7. User Friendly Firmware Updates
• Take a page right from Microsoft’s playbook (I can’t believe I just wrote that, but...)
• Step back, most are unaware devices need to be updated for security, amazed that it actually works
• Even the term “update firmware” is too geeky, we need to change this
• Smartphones are a great example
64. 8. Secure Web Frameworks
• The code behind the web management interface is typically poorly implemented
• Java, Ruby, Python, .NET - all too “heavy” to implement on small systems
• Developers typically write their own, similar results to “Well, I’ll just implement my own encryption algorithm”
65. 9. Maintain a CIRT
• Look, this is FREE help!
• D-Link has fixed the problems we covered earlier
• Some vulnerabilities never get fixed
• Researchers get frustrated and just post the exploits to pastebin
• Prezi got hacked, paid the researcher money, and wrote a nice blog post about it and linked to the researcher’s presentation (not in Prezi)
• It pays to work and collaborate with security researchers
66. 10. Secure Protocols
• UPnP, IPMI, HNLP, DLNA are common protocols on consumer devices
• Modbus is popular on SCADA devices
• The problem is they offer great functionality
• But security is often left out entirely
• IPMI and HNLP have had huge problems, leading to major issues and even the “Linksys Router Worm”
• The protocols desperately need security...