OWASP Top 10 threats to web applications and how to counter the threats using Mvc.net mitigations, first shown at #DDDNorth, contains bonus slides for DDOS and social engineering
Abridged version of my mvc security presentation covering the OWASP Top 10 security vulnerabilities and how they can be mitigated against in the Microsoft Mvc framework. Covers SQL Injection, XSS, CSRF etc. There is a source code project to go with this presentation with all of the solutions implemented at https://github.com/johnstaveley/SecurityEssentials
Web applications are increasingly targeted by cyber criminals. This document proposes solutions to common web application attacks like SQL injection (SQLIA) and cross-site request forgery (CSRF). It suggests encrypting sensitive data to prevent SQLIA and using secret cross-site request forgery tokens for each request to block unauthorized form submissions and prevent CSRF. An example e-commerce application called Instant Media is presented to demonstrate these vulnerabilities. The proposed solutions aim to enhance web security without additional overhead.
This talk walks through the basics of web security without focussing too much on the particular tools that you choose. The concepts are universal, although most examples will be in Perl. We'll also look at various attack vectors (SQL Injection, XSS, CSRF, and more) and see how you can avoid them. Whether you're an experienced web developer (we all need reminding) or just starting out, this talk can help avoid being the next easy harvest of The Bad Guys.
Your users are almost certainly vulnerable in one way or another. Mike North explores a series of common web app security pitfalls, first demonstrating how to exploit the vulnerability and then recommending a pragmatic and effective defense against the attack. Buckle up, because Mike's about to take some things you love and depend on and smash them to bits.
Basic overview, testing, mitigation plan for popular web application vulnerabilities such as: XSS, CSRF, SQLi etc.
Updated "Web Security - Introduction" presentation.
This document discusses password managers and their adoption. It begins by outlining the need for secure authentication as online transactions and data sharing increases. While passwords are theoretically secure, users often choose weak passwords and reuse them across accounts. This exposes them to risk if one password is compromised.
The document then describes three types of password managers: browser-based, which are convenient but less secure; desktop-based, which require opening a separate program but offer stronger security; and mobile apps, which provide security and usability on any device. It argues password managers can help users meet best practices for unique, strong passwords without memorization burden, improving security overall.
The document provides an overview of misuse cases as an approach for eliciting security requirements. It begins with some background on the presenter and defines generic, positive, and negative requirements. The main content discusses what misuse cases are, how to develop them, and examples of applying the technique to a web service use case. Key points made are that misuse cases consider how a system could be abused or used in negative ways, and addressing these scenarios can help identify security controls to mitigate risks. The presentation concludes with some additional resources on the topic of misuse cases.
The document discusses web privacy and security breaches. It defines internet privacy and outlines issues like tracking, surveillance, and theft that impact privacy. It provides tips for protecting privacy such as using strong passwords, browsing privately, and using VPNs. The document also defines security breaches as unauthorized access to protected systems. It gives examples of security breaches at Yahoo, Equifax, and Facebook that exploited vulnerabilities in software or phishing emails.
Social Enterprise Rises! …and so are the Risks - DefCamp 2012 (DefCamp)
The document discusses social enterprise software and associated security risks. It provides an overview of social enterprise software, why organizations use it, and common deployment models. It then discusses some common security risks like data loss, exploitation of vulnerabilities, and social engineering. The document outlines strategies for risk mitigation and examines several case studies of vulnerabilities found in social enterprise software solutions. It emphasizes that even large vendors can overlook application security and stresses the importance of verification testing.
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u... (IRJET Journal)
This document proposes enhancements to password security by generating "honeywords" from existing user passwords. Honeywords aim to detect unauthorized access by including fake passwords (honeywords) along with real user passwords. If an attacker cracks the password file and tries logging in with a honeyword, an alarm is triggered. The proposed system would generate honeywords using existing user passwords and track internet protocol addresses and locations to identify attackers. It also introduces a new "video click based captcha" scheme to authenticate humans and prevent machine/robot attacks by having users click on points in a video. This overall architecture is intended to better protect user data and applications on online networks against unauthorized access.
This is an introduction to application security, covering some core concepts and the most important practices when creating secure code.
It was developed by Mike McBryde and Bryant Zadegan (during our day job) and released under the Creative Commons. It was first delivered to OWASP DC on March 4, 2015.
Multi level parsing based approach against phishing attacks with the help of ... (IJNSA Journal)
The increasing use of the internet all over the world, be it in households or in corporate firms, has led to an unprecedented rise in cyber-crimes. Amongst these, the major chunk consists of Internet attacks, which are the most popular and common attacks carried out over the internet. Generally phishing attacks, SSL attacks and some other hacking attacks are placed in this category. Security against these attacks is the major issue of internet security in today's scenario, where the internet has very deep penetration. The internet has no doubt made our lives very convenient. It has provided many facilities to us at a penny's cost. For instance, it has made communication lightning fast, and that too at a very cheap cost. But the internet can pose added threats for those users who are not well versed in the ways of the internet and are unaware of the security risks attached to it. Phishing attacks, Nigerian scams, spam attacks, SSL attacks and other hacking attacks are some of the most common and recent attacks used to compromise the privacy of internet users. Many a time, if the user isn't careful, these attacks are able to steal the confidential information of the user (or gain unauthorized access). Generally these attacks are carried out with the help of social networking sites, popular mail server sites, online chatting sites etc. Nowadays, Facebook.com, gmail.com, orkut.com and many other social networking sites are facing these security attack problems.
This document presents a technique to enhance password-username authentication by addressing SQL injection and online password guessing attacks. The technique combines cryptographic hashing of passwords, recognition-based graphical passwords, and parameterized queries. Users register with a username, password, and graphical password. The password is hashed with a salt during registration. Login allows two attempts with the username and password before requiring the graphical password. IPs are blocked after one failed graphical attempt to prevent brute force attacks while still allowing legitimate users access. Security testing showed the technique prevented SQL injection and online password guessing attacks.
This document discusses security vulnerabilities and the OWASP Top 10. It provides background on why security is important when developing software, costs of data breaches, and an overview of the OWASP organization and Top 10 vulnerabilities. The Top 10 vulnerabilities discussed in more detail include injection, broken authentication and session management, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, cross-site request forgery, using components with known vulnerabilities, and unvalidated redirects/forwards. Examples are given for each vulnerability.
Cross-site request forgery (CSRF) is an attack where an authenticated user is tricked by a malicious website into performing unwanted actions on a trusted site where they are authenticated. The attack works by exploiting the trusted site's inability to verify whether the requests originated from the user intentionally. Common defenses include using random tokens with each request, checking the referer header, and using same-site cookies to prevent requests from third party sites.
OWASP Top 10 List Overview for Web Developers (Benjamin Floyd)
The OWASP Top 10 List was recently updated for 2013, and many developers still do not know what it is or why they should care. It is a list of the top web security threats developers need to address to produce secure websites. Most developers aren't security experts, so the OWASP Top 10 Project has created resources designed for developers to quickly test their applications. Come hear about the list, why and how you can use it to make your job easier, and learn about resources you can use to quickly determine if your applications are addressing security threats properly.
Caleb Sima is the founder and CTO of SPI Dynamics, a security company. He has over 11 years of experience in security and is a frequent speaker on topics like exploiting web security vulnerabilities and hacking web applications. The document discusses various web application vulnerabilities like SQL injection, cross-site scripting, and session hijacking, and provides examples of exploiting these vulnerabilities on real websites.
A cryptographic mutual authentication scheme for web applications (IJNSA Journal)
The majority of current web authentication is built on username/password. Unfortunately, password replacement offers more security, but it is difficult to use and expensive to deploy. In this paper, we propose a new mutual authentication scheme called StrongAuth which preserves most password authentication advantages and simultaneously improves security using cryptographic primitives. Our scheme not only offers webmasters a clear framework on which to build secure user authentication, but it also provides almost the same conventional user experience. Security analysis shows that the proposed scheme fulfills the required user authentication security benefits, and can resist various possible attacks.
Protecting Your Web Site From SQL Injection & XSS (skyhawk133)
The UNM Information Architects and the UNM Arts LAB invite you to a presentation by ABQ Web Geeks' own Chris Kenworthy at the UNM SUB this Wednesday the 27th of August.
Chris will be discussing SQL Injection and Cross Site Scripting Vulnerabilities.
These types of attacks against websites are both common and potentially devastating. Chris will bring us up to speed on them and give us some tips on how to prevent them.
Please mark your calendars for Wednesday, August 27 from 10:00 - 11:30 at the UNM Student Union Building, Lobo Rooms A & B.
Select a networking and/or security software tool, install it on our class laptops (or elsewhere, if suitable and it does not threaten any other users), and provide a demonstration to the class. Include a report detailing the tool, its purpose and its functionality:
• describe the tool and its functionality,
• demonstrate and display its output,
• give your opinion of the value and importance of both the function the product (claims to) provide, and the product itself.
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious? (ThreatReel Podcast)
Circle City Con 5.0
Phishing Forensics - Is it just suspicious or is it malicious?
-Matt Scheurer
Abstract:
What thoughts currently make tech defenders uneasy as they go to bed at night? Despite implementing and properly configuring the latest technological controls and security solutions into our environments, end users typically remain the most vulnerable point of entry into nearly any network. Unfortunately, only one misstep by a single user provides attackers with the foothold they need to begin compromising an entire enterprise network environment. The safety of our inboxes is a key initiative on the battlefront of protecting staff from the scourge of phishing and spear phishing attacks. We will perform a deep-dive look at the latest techniques used by criminals to bypass security products and traditional defense-in-depth strategies. We then focus heavily on conducting a digital forensic investigation on a sample phishing email message. Topics covered include technical analysis of message headers, message source code, message attachments, and malicious landing web pages even when a dedicated sandbox environment is unavailable.
The International Journal of Engineering and Science (The IJES) (theijes)
This document summarizes a research paper that proposes a new intrusion detection system (IDS) to identify distributed denial-of-service (DDoS) attacks in multitier web applications. The system models relationships between web server requests and database queries to detect attacks where normal traffic is used maliciously. It handles both deterministic and non-deterministic relationships. For static websites, the system classifies traffic into patterns and builds a mapping model. For dynamic websites, it aims to extract one-to-many mappings despite parameter variations and overlapping operations. The paper also discusses SQL tautology attacks, which exploit input fields to bypass authentication or extract all data.
The document summarizes a presentation about proxy caches posing a threat to web application security. It begins with a review of the OWASP top 10 security risk of broken authentication and session management. It then describes how a vulnerability in Google Docs allowed access to other users' accounts due to issues with proxy caches and session management. The presentation warns that developers must assume proxy caches exist and can potentially expose session information to unintended users if session management is not implemented securely. It emphasizes the need for developers to test their applications under aggressive proxy cache scenarios.
This document discusses cross-site scripting (XSS) attacks. It defines XSS as an attack where malicious scripts are injected into otherwise trusted websites. The document outlines three types of XSS attacks and provides examples of real-world XSS worms. It explains how to exploit stored, reflected, and DOM-based XSS vulnerabilities. Finally, it recommends ways to prevent XSS, including input and output filtering, encoding output, and using mitigations like HttpOnly cookies and content security policies.
Web application scanners crawl a web application to locate vulnerabilities by simulating attacks. They work by supporting various protocols, crawling and parsing content, testing for vulnerabilities, and generating reports. While scanners help find issues, developers should focus on learning secure coding practices to build applications securely from the start.
Phishing with Super Bait
Jeremiah Grossman, Founder and CTO, WhiteHat Security
The use of phishing/cross-site scripting (XSS) hybrid attacks for financial gain is spreading. It's imperative that security professionals familiarize themselves with these new threats to protect their websites and confidential corporate information.
This isn't just another presentation about phishing scams or cross-site scripting. We're all very familiar with each of those issues. Instead, we'll discuss the potential impact when the two are combined to form new attack techniques. Phishers are beginning to exploit these techniques, creating new phishing attacks that are virtually impervious to conventional security measures. Secure sockets layer (SSL), blacklists, token-based authentication, browser same-origin policy, and monitoring / take-down services offer little protection. Even eyeballing the authenticity of a URL is unlikely to help.
By leveraging cross-site scripting, the next level of phishing scams will be launched not from look-alike web pages, but instead from legitimate websites! This presentation will demonstrate how these types of attacks are being achieved. We'll also demonstrate the cutting edge exploits that can effectively turn your browser into spyware with several lines of JavaScript. And, we'll give you the steps you need to take to protect your websites from these attacks.
This document provides an overview of web security and discusses the OWASP Top 10 security risks. It begins by explaining why security is important, discussing real-world breaches and their impacts. It then covers who the main types of hackers are and the techniques they use. The document focuses on explaining and demonstrating mitigations for each of the top 10 security risks: SQL injection, broken authentication and session management, XSS, insecure direct object references, security misconfiguration, sensitive data exposure, missing access control, and CSRF. Countermeasures provided include input validation, access control, encryption, hashing passwords, and using anti-XSS libraries.
This document discusses hackers and software security. It provides examples of past hacks such as those on Sony Pictures and Citigroup. It outlines why software security is important when handling sensitive user information. The document discusses how hackers think and different types of hackers. It recommends following security principles like defense in depth, least privilege, and keeping security simple. It provides references for further reading on application security topics.
The document discusses web privacy and security breaches. It defines internet privacy and outlines issues like tracking, surveillance, and theft that impact privacy. It provides tips for protecting privacy such as using strong passwords, browsing privately, and using VPNs. The document also defines security breaches as unauthorized access to protected systems. It gives examples of security breaches at Yahoo, Equifax, and Facebook that exploited vulnerabilities in software or phishing emails.
Social Enterprise Rises! …and so are the Risks - DefCamp 2012DefCamp
The document discusses social enterprise software and associated security risks. It provides an overview of social enterprise software, why organizations use it, and common deployment models. It then discusses some common security risks like data loss, exploitation of vulnerabilities, and social engineering. The document outlines strategies for risk mitigation and examines several case studies of vulnerabilities found in social enterprise software solutions. It emphasizes that even large vendors can overlook application security and stresses the importance of verification testing.
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...IRJET Journal
This document proposes enhancements to password security by generating "honeywords" from existing user passwords. Honeywords aim to detect unauthorized access by including fake passwords (honeywords) along with real user passwords. If an attacker cracks the password file and tries logging in with a honeyword, an alarm is triggered. The proposed system would generate honeywords using existing user passwords and track internet protocol addresses and locations to identify attackers. It also introduces a new "video click based captcha" scheme to authenticate humans and prevent machine/robot attacks by having users click on points in a video. This overall architecture is intended to better protect user data and applications on online networks against unauthorized access.
This is an introduction to application security, covering some core concepts and the most important practices when creating secure code.
It was developed by Mike McBryde and Bryant Zadegan (during our day job) and released under the Creative Commons. It was first delivered to OWASP DC on March 4, 2015.
Multi level parsing based approach against phishing attacks with the help of ...IJNSA Journal
The increasing use of internet all over the world, be it in households or in corporate firms, has led to an
unprecedented rise in cyber-crimes. Amongst these the major chunk consists of Internet attacks which are
the most popular and common attacks are carried over the internet. Generally phishing attacks, SSL
attacks and some other hacking attacks are kept into this category. Security against these attacks is the
major issue of internet security in today’s scenario where internet has very deep penetration. Internet has
no doubt made our lives very convenient. It has provided many facilities to us at penny’s cost. For instance
it has made communication lightning fast and that too at a very cheap cost. But internet can pose added
threats for those users who are not well versed in the ways of internet and unaware of the security risks
attached with it. Phishing Attacks, Nigerian Scam, Spam attacks, SSL attacks and other hacking attacks are
some of the most common and recent attacks to compromise the privacy of the internet users. Many a times
if the user isn’t careful, then these attacks are able to steal the confidential information of user (or
unauthorized access). Generally these attacks are carried out with the help of social networking sites,
popular mail server sites, online chatting sites etc. Nowadays, Facebook.com, gmail.com, orkut.com and
many other social networking sites are facing these security attack problems.
This document presents a technique to enhance password-username authentication by addressing SQL injection and online password guessing attacks. The technique combines cryptographic hashing of passwords, recognition-based graphical passwords, and parameterized queries. Users register with a username, password, and graphical password. The password is hashed with a salt during registration. Login allows two attempts with the username and password before requiring the graphical password. IPs are blocked after one failed graphical attempt to prevent brute force attacks while still allowing legitimate users access. Security testing showed the technique prevented SQL injection and online password guessing attacks.
This document discusses security vulnerabilities and the OWASP Top 10. It provides background on why security is important when developing software, costs of data breaches, and an overview of the OWASP organization and Top 10 vulnerabilities. The Top 10 vulnerabilities discussed in more detail include injection, broken authentication and session management, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, cross-site request forgery, using components with known vulnerabilities, and unvalidated redirects/forwards. Examples are given for each vulnerability.
Cross-site request forgery (CSRF) is an attack where an authenticated user is tricked by a malicious website into performing unwanted actions on a trusted site where they are authenticated. The attack works by exploiting the trusted site's inability to verify whether the requests originated from the user intentionally. Common defenses include using random tokens with each request, checking the referer header, and using same-site cookies to prevent requests from third party sites.
OWASP Top 10 List Overview for Web DevelopersBenjamin Floyd
The OWASP Top 10 List was recently updated for 2013, and many developers still do not know what it is or why they should care. It is a list of the top web security threats developers need to address to produce secure websites. Most developers aren't security experts, so the OWASP Top 10 Project has created resources designed for developers to quickly test their applications. Come hear about the list, why and how you can use it to make your job easier, and learn about resources you can use to quickly determine if your applications are addressing security threats properly.
Caleb Sima is the founder and CTO of SPI Dynamics, a security company. He has over 11 years of experience in security and is a frequent speaker on topics like exploiting web security vulnerabilities and hacking web applications. The document discusses various web application vulnerabilities like SQL injection, cross-site scripting, and session hijacking, and provides examples of exploiting these vulnerabilities on real websites.
A cryptographic mutual authentication scheme for web applicationsIJNSA Journal
The majority of current web authentication is built
on username/password. Unfortunately, password
replacement offers more security, but it is difficult to use and expensive to deploy. In this paper, we propose
a new mutual authentication scheme called StrongAuth which preserves most password authentication
advantages and simultaneously improves security using cryptographic primitives. Our scheme not only
offers webmasters a clear framework which to build
secure user authentication, but it also provides almost
the same conventional user experience. Security analysis shows that the proposed scheme fulfills the required user authentication security benefits, and can resist various possible attacks.
Protecting Your Web SiteFrom SQL Injection & XSSskyhawk133
The UNM Information Architects and the UNM Arts LAB invite you to to a presentation by ABQ Web Geeks' own Chris Kenworthy at the UNM SUB this Wednesday the 27th of August.
Chris will be discussing SQL Injection and Cross Site Scripting Vulnerabilities.
These types of attacks against websites are both common and potentially devastating. Chris will bring us up to speed on them and give us some tips on how to prevent them.
Please mark your calendars for Wednesday, August 27 from 10:00 - 11:30 at the UNM Student Union Building, Lobo Rooms A & B.
Select a networking and/or security software tool, install it on our class laptops or elsewhere if suitable and does not threaten any other users, and provide a demonstration to the class. Includes a report detailing the tool, and its purpose and functionality.
• describe the tool and its functionality,
• demonstrates and displays its output,
• give your opinion of the value and importance of both the function the product (claims to) provide, and the product itself.
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?ThreatReel Podcast
Circle City Con 5.0
Phishing Forensics - Is it just suspicious or is it malicious?
-Matt Scheurer
Abstract:
What thoughts currently make tech defenders uneasy as they go to bed at night? Despite implementing and properly configuring the latest technological controls and security solutions into our environments, end users typically remain the most vulnerable point of entry into nearly any network. Unfortunately, only one misstep by a single user provides attackers with the foothold they need to begin compromising an entire enterprise network environment. The safety of our inboxes is a key initiative on the battlefront of protecting staff from the scourge of phishing and spear phishing attacks. We will perform a deep-dive look at the latest techniques used by criminals to bypass security products and traditional defense-in-depth strategies. We then focus heavily on conducting a digital forensic investigation on a sample phishing email message. Topics covered include technical analysis of message headers, message source code, message attachments, and malicious landing web pages even when a dedicated sandbox environment is unavailable.
The International Journal of Engineering and Science (The IJES)theijes
This document summarizes a research paper that proposes a new intrusion detection system (IDS) to identify distributed denial-of-service (DDoS) attacks in multitier web applications. The system models relationships between web server requests and database queries to detect attacks where normal traffic is used maliciously. It handles both deterministic and non-deterministic relationships. For static websites, the system classifies traffic into patterns and builds a mapping model. For dynamic websites, it aims to extract one-to-many mappings despite parameter variations and overlapping operations. The paper also discusses SQL tautology attacks, which exploit input fields to bypass authentication or extract all data.
The document summarizes a presentation about proxy caches posing a threat to web application security. It begins with a review of the OWASP top 10 security risk of broken authentication and session management. It then describes how a vulnerability in Google Docs allowed access to other users' accounts due to issues with proxy caches and session management. The presentation warns that developers must assume proxy caches exist and can potentially expose session information to unintended users if session management is not implemented securely. It emphasizes the need for developers to test their applications under aggressive proxy cache scenarios.
This document discusses cross-site scripting (XSS) attacks. It defines XSS as an attack where malicious scripts are injected into otherwise trusted websites. The document outlines three types of XSS attacks and provides examples of real-world XSS worms. It explains how to exploit stored, reflected, and DOM-based XSS vulnerabilities. Finally, it recommends ways to prevent XSS, including input and output filtering, encoding output, and using mitigations like HttpOnly cookies and content security policies.
Web application scanners crawl a web application to locate vulnerabilities by simulating attacks. They work by supporting various protocols, crawling and parsing content, testing for vulnerabilities, and generating reports. While scanners help find issues, developers should focus on learning secure coding practices to build applications securely from the start.
Phishing with Super Bait
Jeremiah Grossman, Founder and CTO, WhiteHat Security
The use of phishing/cross-site scripting (XSS) hybrid attacks for financial gain is spreading. It's imperative that security professionals familiarize themselves with these new threats to protect their websites and confidential corporate information.
This isn't just another presentation about phishing scams or cross-site scripting. We're all very familiar with each of those issues. Instead, we'll discuss the potential impact when the two are combined to form new attack techniques. Phishers are beginning to exploit these techniques, creating new phishing attacks that are virtually impervious to conventional security measures. Secure sockets layer (SSL), blacklists, token-based authentication, browser same-origin policy, and monitoring / take-down services offer little protection. Even eyeballing the authenticity of a URL is unlikely to help.
By leveraging cross-site scripting, the next level of phishing scams will be launched not from look-alike web pages, but instead from legitimate websites! This presentation will demonstrate how these types of attacks are being achieved. We'll also demonstrate the cutting edge exploits that can effectively turn your browser into spyware with several lines of JavaScript. And, we'll give you the steps you need to take to protect your websites from these attacks.
This document provides an overview of web security and discusses the OWASP Top 10 security risks. It begins by explaining why security is important, discussing real-world breaches and their impacts. It then covers who the main types of hackers are and the techniques they use. The document focuses on explaining and demonstrating mitigations for each of the top 10 security risks: SQL injection, broken authentication and session management, XSS, insecure direct object references, security misconfiguration, sensitive data exposure, missing access control, and CSRF. Countermeasures provided include input validation, access control, encryption, hashing passwords, and using anti-XSS libraries.
This document discusses hackers and software security. It provides examples of past hacks such as those on Sony Pictures and Citigroup. It outlines why software security is important when handling sensitive user information. The document discusses how hackers think and different types of hackers. It recommends following security principles like defense in depth, least privilege, and keeping security simple. It provides references for further reading on application security topics.
This document discusses using threat modeling at scale in agile development to improve security. It proposes identifying security requirements and test cases for each user story by considering potential "abuser stories". This would involve breaking down high-level user stories, assigning security champions to identify abuser stories, and having the security team maintain base threat models and own testing. Examples of threat modeling user stories around password resets and money withdrawals are provided. The goal is to shift security left in the SDLC by introducing it earlier through systematic threat modeling of user stories.
The document discusses various web security topics such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and parameter tampering. It provides examples of these vulnerabilities and methods to prevent them, including input validation, output encoding, anti-forgery tokens, and limiting exposed functionality. The document is intended as an educational guide on common web security issues and best practices.
Devbeat Conference - Developer First SecurityMichael Coates
Topics include:
- Sample and Demo of Top Application Risks — Cross Site Scripting, SQL Injection, Access Control
- Who's Monitoring Your Traffic? — Encrypting in Transit
- Secure Data Storage & Protection — Correct Password Storage & Data Protection
- Growing Threats Plaguing Applications
Application Security session given as part of the Solvay Executive Master in IT Management.
Explaining application security challenges for web, mobile, cloud and internet of things.
Positioning OWASP SAMM as structural and measurable framework to get application security under control in the complete application lifecycle.
Web security – everything we know is wrong – Eoin Keary drewz lin
1) Web application security is often approached incorrectly, focusing too much on annual penetration tests and compliance, rather than ongoing monitoring and prevention through the development process.
2) Many vulnerabilities are introduced through third party libraries and dependencies, which are not properly tested or managed. Continuous testing across the full software supply chain is needed.
3) Not all vulnerabilities are equal - context is important. A risk-based approach should prioritize the most critical issues based on factors like impact, likelihood, and the development environment. Compliance alone does not ensure real security.
The document discusses various web application security issues like SQL injection, input validation, cross-site scripting and provides recommendations to prevent these vulnerabilities when developing PHP applications. It emphasizes the importance of validating all user inputs, using prepared statements and output encoding to prevent code injection attacks and ensuring session security. The document also covers other attacks like cross-site request forgery and provides mitigation techniques.
The document summarizes the OWASP 2013 top 10 list of web application security risks. It provides descriptions and examples for each of the top 10 risks: 1) Injection, 2) Broken Authentication and Session Management, 3) Cross-Site Scripting (XSS), 4) Insecure Direct Object References, 5) Cross-Site Request Forgery (CSRF), 6) Security Misconfiguration, 7) Sensitive Data Exposure, 8) Missing Function Level Access Control, 9) Using Components with Known Vulnerabilities, and 10) Unvalidated Redirects and Forwards. Protection strategies are also outlined for each risk.
Topic: Exploiting Web APIs
Speaker: Matt Scheurer
https://twitter.com/c3rkah
Abstract:
This talk features live demos of Web API exploits against the “Tiredful API”, which is an intentionally broken web app. The objectives are to teach developers, QA, or security professionals about flaws present in a Web Services (REST API) due to insecure coding practices. Examples include: Information Disclosure, Insecure Direct Object Reference (IDOR), Access Control, Throttling, SQL Injection (SQLi), and Cross Site Scripting (XSS). Many of these vulnerabilities are found in the OWASP Top 10 list.
Bio:
Matt Scheurer works on a Computer Security Incident Response Team (CSIRT) performing Digital Forensics and Incident Response (DFIR). Matt has more than twenty years of combined experience in Information Technology and Information Security. He is the Security Director for the Cincinnati Networking Professionals Association (CiNPA) and a 2019 comSpark “Rising Tech Stars Award” winner. He has presented on numerous Information Security topics at many local area technology groups and large Information Security conferences across the country. Matt maintains active memberships in several professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Information Systems Security Association (ISSA), and InfraGard.
Password and Account Management Strategies - April 2019Kimberley Dray
This document provides a summary of a presentation about password and account management strategies. It discusses the importance of using long passphrases instead of complex passwords. It also recommends using a password manager to generate and store unique passwords for each account. Additionally, it advocates for the use of multi-factor authentication whenever available to add an extra layer of security. The presentation highlights factors to consider regarding who has access, what devices are used, and locations, and recommends regularly changing passphrases and monitoring accounts.
Top Ten Tips For Tenacious Defense In Asp.Netalsmola
The document provides 10 tips for securing ASP.NET applications. It discusses common web attacks like cross-site request forgery and session fixation, and defenses against them such as using secret tokens and regenerating session IDs. It also covers proper use of cryptography, input validation, authorization, cookies, password security, and restricting application trust levels.
Hacking identity: A Pen Tester's Guide to IAMJerod Brennen
Know your opponent and know yourself. It held true for Sun Tzu 2500 years ago, and it holds true for pen testers today. A pen tester who has worked in a sec ops role has a distinct advantage, especially if that pen tester has a solid grasp of the good, the bad, and the ugly of identity and access management (IAM) in an enterprise setting. For red teams, this presentation will cover pen testing tips and tricks to circumvent weak or missing IAM controls. For blue teams, we'll also cover the steps you can take to shore up your IAM controls and catch pen testers in the act. Purple teaming, FTW!
The document discusses security and compliance considerations for startups based on lessons from recent data breaches. It covers common threat vectors in past breaches like failing to activate intrusion prevention systems, storing credit card data without encryption, and insecure password management. It then provides recommendations in areas like data protection, firewalls, encryption, secure configurations, application security, risk assessments, backups, employee training, and vendor security. The presentation aims to help startups protect themselves against threats while meeting compliance needs.
How can you significantly improve your web-app security by addressing the most common problems and incorporating the educational approach into the development process
Topic: Exploiting Web APIs
Speaker: Matt Scheurer
https://twitter.com/c3rkah
Abstract:
This talk features live demos of Web API exploits against the “Tiredful API”, which is an intentionally broken web app. The objectives are to teach developers, QA, or security professionals about flaws present in a Web Services (REST API) due to insecure coding practices. Examples include: Information Disclosure, Insecure Direct Object Reference (IDOR), Access Control, Throttling, SQL Injection (SQLite), and Cross Site Scripting (XSS). Many of these vulnerabilities are contained in the OWASP Top 10 list.
Bio:
Matt Scheurer works on a Computer Security Incident Response Team (CSIRT) performing Digital Forensics and Incident Response (DFIR). Matt has more than twenty years of combined experience in Information Technology and Information Security. He is the Security Director for the Cincinnati Networking Professionals Association (CiNPA) and a 2019 comSpark “Rising Tech Stars Award” winner. He has presented on numerous Information Security topics at many local area technology groups and large Information Security conferences across the country. Matt maintains active memberships in several professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.
The Avid Life Media hack is a striking example of everything that can go wrong when a company is completely breached followed by a total disclosure of the stolen information. This attack resulted in an estimated $200 million in costs, firing of the CEO, and countless lives ruined. This presentation will review the data exposed and what can be learned to prevent this from happening to your organization.
Phishing Attacks - Are You Ready to Respond?Splunk
Phishing and Spear Phishing attacks are the number one starting point for most large data breaches. But there is currently no efficient prevention technology available to mitigate this risk. Learn what capabilities organizations need to have in order to respond to phishing attacks and lower the risk.
- Learn how to detect and respond to phishing attacks
- Understand how an average user behaves when faced with a phishing attack and why they are so successful
- Get insight into the questions that you will need to answer if a phishing campaign is running against your organisation
- Learn the capabilities organisations will need to have in order to answer those questions and protect against phishing attacks
- Learn how you improve your incident response capabilities
The document discusses ethical hacking. Ethical hackers, also known as white hats, help improve security by identifying vulnerabilities in systems without malicious intent and work to fix them, while black hat hackers break into systems illegally. Common hacking techniques include SQL injection, cross-site scripting, and using Google dorks to find sensitive information on public websites. The document outlines the skills and jobs of ethical hackers, different types of hackers, and provides examples of common attacks like SQL injection and cross-site scripting.
Similar to Updated Mvc Web security updated presentation (20)
Demystifying gRPC in .Net by John StaveleyJohn Staveley
Intrigued by why some of the world's largest companies (Netflix, Google, Cisco, Twitter, Uber etc) are using gRPC? In this demo-based talk we delve into the world of gRPC in .Net, what it does and why we should use it. We compare the interface with both REST and GraphQL. We will show you how to implement gRPC server-side in .Net and in the web. Finally, I will show you how the tooling helps you deliver powerful interfaces and interact with them quickly and simply.
Image and Audio Detection using Edge ImpulseJohn Staveley
Using Edge Impulse to train an image and audio recognition model
Edge Impulse is an incredibly powerful tool which can be quickly used to train many kinds of models. Here we will make a demonstration of using transfer learning to train an image model to tell the difference between different images. We will demonstrate how Edge Impulse smooths data collection, model generation and live testing and how the models can be easily deployed to an edge device. As a bonus I will also demonstrate an audio recognition model.
Product and customer development while wasting as little engineering effort as possible. MVP as an alternative to the highest paid person's opinion on what features to develop, so you can bring a product to market that will delight customers for the minimum engineering effort. Follows the method in Four Steps to the Epiphany and The Lean Startup. Given at IoTNorth.
John Staveley presented on using satellite communications for telemetry data collection. He outlined objectives of capturing temperature and counter data at regular intervals and maximizing receipt back to the data center. The presentation covered calculating satellite pass predictions, hardware and software setup using an Arduino, transmitting payloads to the Kineis satellites, processing the incoming data with Azure functions, and analyzing reception rates with different transmission scenarios. Future developments discussed extracting more data from messages and receiving messages from satellites.
Ever wondered how to make your code physically interact with things in the real world? Got a home automation project in mind? In this presentation we will cover:
o) How to get started with Raspberry Pi and C#
o) The numerous sensors and actuators you can control
o) How to navigate basic electronics
o) Different interfaces and how to program them
o) Demonstrations of devices at work
o) Azure IoT Hub to control your code from the cloud and receive live inputs from your device in a Blazor application
Ever wondered how to make your code physically interact with things in the real world? Got a home automation project in mind? In this presentation we will cover:
o) How to get started with Raspberry Pi and C#
o) The numerous sensors and actuators you can control
o) How to navigate basic electronics
o) Different interfaces and how to program them
o) Demonstrations of devices at work
o) Azure IoT Hub to control your code from the cloud
In this presentation John will show how Azure Devops can be used to automate the deployment and security checks of a website in the Azure cloud. In this presentation we will go through how a variety of tools are used to gain security insights into your code and deployed environment. We will explore how this relates to the pull security left philosophy from DevSecOps. After the presentation you will have gained a good insight into all the tools you can use to improve the security of your deployed code base.
Azure functions and container instancesJohn Staveley
This document discusses using Azure Functions and Container Instances to interact with a website without using virtual machines. It presents the Page Object Model pattern for maintaining a representation of web pages. Selenium is used to drive a browser within a Docker container to interact with the website. Azure Container Instances host the Docker container in Azure. Polly provides reliability by implementing retry and circuit breaker policies. The solution achieves the goals of interacting with a website daily without additional cost by using serverless Azure Functions and container-based hosting with on-demand billing.
C# 8 introduces nullable reference types to help prevent null reference exceptions. Developers can now explicitly mark reference types as nullable or non-nullable. The compiler will issue warnings for potential null reference issues like dereferencing a null value. This feature is available in Visual Studio 2019 and aims to reduce bugs by catching nullability issues at compile time rather than runtime. C# 8 also includes other new language features.
Graph databases add new ways of understanding and querying your data. With the new SQL Server 2017 graph capabilities comes a means of efficiently querying data with relationships. A demo uses Docker and is contrasted with other graph databases such as Neo4j and CosmosDb.
Message queuing is becoming an essential part of modern architectures and essential for asynchronous architectures and microservices. This session describes the benefits of messaging systems, the software solutions that are available and typical messaging architectures. Examples use Azure Storage Queues, Azure Service Bus and RabbitMQ. This presentation is primarily about messaging; however, as this session is for tech hipsters, the demos are done giving an extensive introduction to Azure Functions, Azure Resource Manager Templates, .Net Core and Docker.
Why you should use Type script and EcmaScript 6John Staveley
This document discusses EcmaScript 6 and TypeScript. It provides an overview of new ES6 language features like arrow functions, classes, iterators, and promises. TypeScript is described as a superset of JavaScript that provides strong typing, supports ES6 features, and allows defining modules, interfaces and classes. The document also covers transcompiling TypeScript code to ES5 JavaScript so it can run in browsers, and recommends TypeScript and ES6 as the future of JavaScript development.
This document discusses the Page Object Model (POM) and Logical Functional Model (LFM) design patterns for automated user testing. POM creates classes to represent pages and abstracts away the testing framework. LFM sits above POM and further abstracts interacting with pages, increasing test code reuse and enabling less technical users to create tests. Both aim to improve test maintainability and reduce brittleness when elements change. The document provides examples of implementing POM and LFM with Selenium.
The document discusses a journey to building a single page application using AngularJS and BreezeJS. It describes the initial solution using jQuery with problems around navigation and two-way binding. AngularJS solves these issues with routing and two-way binding. BreezeJS simplifies working with data by removing boilerplate code for model creation, queries, validation and only saving changed data. Unit testing is also enabled through Angular's dependency injection and separation of concerns. The presentation concludes that single page applications are well-suited for cross-platform mobile apps that avoid app stores, and that AngularJS and BreezeJS improve code testability and reduce data access code.
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides an introduction to UiPath Communication Mining, its importance and a platform overview. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring and observability to the purview of ops, infra and SRE teams. This is a mistake: achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able to lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
What do a Lego brick and the XZ backdoor have in common?Speck&Tech
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that both are building blocks, or dependencies, of creative and software projects. The reality is that a Lego brick and the case of the XZ backdoor have much more than that in common.
Join the presentation to immerse yourself in a story of interoperability, standards and open formats, and then to discuss the important role that contributors play in a sustainable open source community.
BIO: Advocate of free software and of standard and open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia Association, where she was involved in several events, migrations and training related to LibreOffice. Previously she worked on LibreOffice migrations and training courses for various public administrations and private companies. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not pursuing her passion for computers and for Geeko she cultivates her curiosity about astronomy (from which her nickname deneb_alpha derives).
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Updated Mvc Web security updated presentation
1. Web Security
By John Staveley
DDDNorth 01/10/2016
https://uk.linkedin.com/in/johnstaveley/
@johnstaveley
2. Overview
Why Security?
– (case studies)
Who are the hackers?
How?
– (with solutions)
SecurityEssentials.sln
(https://github.com/johnstaveley/SecurityEssentials)
...and then on the server
Further resources
Summary
Questions
3. Who am I?
John Staveley
Mvc.net developer
Not a security expert!
4. Why Security? - Some headlines
ZdNet 2014, “Hundreds of millions of records have been
stolen this year through hacks and data breaches as a result
of poor, or flawed security.”
Davos 2015, “Every time we talked to a top 500 company
about cyber-security, they'd say to us: 'talk to my technology
guy', now the board of directors and the CEOs of the
companies pay attention. There is a new sense of urgency" –
Head of a security company
FSB 2013, 41% of small businesses are a victim of cyber
crime.
5. Why Security? - Some example breaches
Sony – films, confidential email, payroll
Target – 110 million records lost including credit card details.
Current cost $110m
Home Depot – 56m credit card, 53m email addresses
JPMorgan – 10s of millions of customers data lost
BadUSB
iCloud celebrity pictures
Snapchat – 13Gb of data
Ebay – 145 million user records lost. $220m loss
Heartbleed
etc
11. Presentation Approach
OWASP Top 10
Not for profit
Cover all technologies
Reviewed every 3 years
Helps you prioritise
Chapter outline
What is the hack?
Who has been affected by it?
What are the mitigations/countermeasures?
Questions
DEMO
SecurityEssentials.sln
14. SQL Injection – What is it?
string strQry = "SELECT * FROM Users WHERE UserName='" + txtUser.Text + "' AND Password='" + txtPassword.Text + "'";
EXEC strQry
Put in username field: Admin' And 1=1 --
SELECT * FROM Users WHERE UserName='Admin' And 1=1 --' AND Password=''
Put in password field: '; DROP TABLE Users --
SELECT * FROM Users WHERE UserName='' AND Password=''; DROP TABLE Users --'
Same thing via a query-string parameter: http://www.not-secure.com/products?Id=14
Havij (automated SQL injection tool: point it at a URL like the one above)
15. SQL Injection - Examples
Sony Playstation 2011 - “Worst gaming community data
breach of all-time.”
77 million accounts affected
12 million had unencrypted credit card numbers
Site was down for a month
CyberVor, Aug 2014 – Used a botnet to steal a billion passwords from 400,000 sites
16. SQL Injection - Countermeasures
Assume all input is evil – validate everything
Use an ORM like EF/NHibernate
Use stored procedures
Don't build query strings and run them with EXEC or sp_executesql @strQuery; bind parameters instead
Reduce SQL account permissions
Concept: Least Privilege
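As an added example (not from the slides or from SecurityEssentials.sln), the slide's concatenated login query beside two safe forms: a parameterised `SqlCommand` and a stored-procedure call. It assumes a `Users` table with `UserName` and `PasswordHash` columns and a stored procedure `dbo.GetUserByName(@UserName)`; both are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // VULNERABLE (the slide's pattern): the input becomes part of the SQL text, so the
    // username  Admin' AND 1=1 --  rewrites the WHERE clause and comments out the rest.
    public static string BuildVulnerableQuery(string userName, string password)
    {
        return "SELECT * FROM Users WHERE UserName='" + userName +
               "' AND Password='" + password + "'";
    }

    // SAFE: the value travels as a typed parameter, never spliced into the query text, so a
    // quote or a comment marker in the input is just data to compare against. Returns the
    // stored hash (verified in application code) or null; the password never reaches SQL.
    public static string GetPasswordHash(string connectionString, string userName)
    {
        const string sql = "SELECT PasswordHash FROM Users WHERE UserName = @UserName";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string;   // DBNull/no row -> null
        }
    }

    // SAFE: the same lookup through a stored procedure (hypothetical dbo.GetUserByName).
    // Parameters are still bound by name; what the slide warns against is the procedure
    // itself doing EXEC(@sql) on a string it assembled from its arguments.
    public static string GetPasswordHashViaProc(string connectionString, string userName)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.GetUserByName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    public static void Main()
    {
        // Shows what the concatenated form turns the slide's payload into; the safe
        // methods need a live connection string, so they are not invoked here.
        Console.WriteLine(BuildVulnerableQuery("Admin' AND 1=1 --", ""));
    }
}
```

With Entity Framework the same lookup, `db.Users.SingleOrDefault(u => u.UserName == userName)`, is compiled to a parameterised query, which is why the slide recommends an ORM. Least privilege applies to the SQL login the connection string uses: a login with only SELECT/EXECUTE on what the site needs cannot honour `DROP TABLE Users` even if an injection gets through.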
18. Password Security
What is it? - Storage, Policy and entry
Password storage
Plain text = No security (http://plaintextoffenders.com/)
Base64 encoding = No security (anyone can decode it)
Avoid encryption: it is reversible, and the key lives next to the data
Use hashing (password = 5f4dcc3b5aa765d61d8327deb882cf99, the MD5 of "password")
Common hashes can be googled
Use a salt (random, per user) so equal passwords give different hashes
Don't use MD4, MD5 or SHA-1: they are fast, and fast is what the cracker wants (RC4 is a cipher, not a hash, and is broken too)
Hashcat (GPU cracker: billions of MD5 guesses per second)
Use PBKDF2, scrypt, bcrypt, (Argon2): slow by design, with a tunable cost
Passwords Policy:
Enforce minimum complexity
Do not reject special characters
Validate passwords against a list of known bad passwords
Do not allow personal information in the password
Password Entry:
Don't disallow paste on a web page
19. Password Security - Examples
Case Study: Richard Pryce
Case Study: Ebay May 2014
Up to 145 million users affected
$200m loss
Poor password encryption blamed
Case Study: LinkedIn 2012
6.5 million user accounts stolen by Russian criminals
22. Session Hijacking – The how
Concept – Man In The Middle (MITM)
Opening up the browser
CSRF
Sensitive data exposure
DEMO: Session stealing using document.cookie=""
26. Weak account management – Case Study
News contained details Sarah Palin used Yahoo mail
Security Information
Birthday?
2 minutes on Wikipedia
Zip Code?
Wasilla only has 2 ZIP codes
Where did you meet your spouse?
High School
=> Password reset
28. Weak account management - Countermeasures (1)
Account enumeration - Can occur on registration, logon or
password reset forms e.g. Password Reset:
Success - “An account reset key has been emailed to you”
Failure - “That user account does not exist”
Success or Failure - “An account reset key has been
emailed to you”
Use Https ([RequireHttps]) to protect sensitive data (MITM)
29. Weak account management - Countermeasures (2)
Brute force logon - Do not lock out on incorrect logon (lockout lets an attacker DoS real users by guessing wrongly on purpose)
Brute force Registration/Password reset:
– CAPTCHA and/or throttling to prevent brute force
Verify email address by sending an email
Re-challenge user on key actions e.g. prompt for old
password when entering new password
Log and send email when any account state changes
30. Weak account management - Countermeasures (3)
Password reset
Don't send new password out – DOS
Send email with expiring token (1 hour)
Security questions: Concise, Specific, has a large range of answers, low discoverability, constant over time
Never roll your own membership provider or session
management – use the default one in the framework
Outsource the solution e.g. Azure Active Directory or
OpenId
SecurityEssentials.sln – Account Management process,
anti-enumeration and brute force by throttling and
CAPTCHA, logging, email verification, email on change,
activity log, auto-complete off, increase logon time failure
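An added example (hypothetical, not the SecurityEssentials account-management code) of the reset flow described in countermeasures (1) to (3): the same response whether or not the address is registered, a 256-bit random token that is stored only as its SHA-256 hash, a one-hour expiry, single use, and an email when the password changes. The in-memory store and the `sendMail` delegate stand in for your repository and mailer.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public class PasswordResetService
{
    // The one message every caller sees, so the form cannot be used to enumerate accounts.
    public const string Response = "If that address is registered, a reset link has been emailed to it.";
    private static readonly TimeSpan Lifetime = TimeSpan.FromHours(1);

    private class Pending { public string Email; public DateTime ExpiresUtc; }

    private readonly HashSet<string> _registered;                                      // stands in for the user table
    private readonly Dictionary<string, Pending> _pending = new Dictionary<string, Pending>(); // keyed by token hash
    private readonly Action<string, string> _sendMail;                                 // (to, body)

    public PasswordResetService(IEnumerable<string> registeredEmails, Action<string, string> sendMail)
    {
        _registered = new HashSet<string>(registeredEmails, StringComparer.OrdinalIgnoreCase);
        _sendMail = sendMail;
    }

    // Step 1: the request form. Unknown addresses get the same answer and simply no email.
    public string RequestReset(string email)
    {
        if (email != null && _registered.Contains(email))
        {
            var raw = new byte[32];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
            string token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
            _pending[HashToken(token)] = new Pending { Email = email, ExpiresUtc = DateTime.UtcNow + Lifetime };
            _sendMail(email, "Reset your password: https://www.mysite.com/Account/Reset?token=" + token);
        }
        return Response;
    }

    // Step 2: the link from the email. Unknown and expired tokens fail the same way; a used
    // token is removed so the link works once. setPassword(email, newPassword) is the
    // caller's hash-and-save, e.g. the PasswordHasher pattern from the storage section.
    public bool CompleteReset(string token, string newPassword, Func<string, string, bool> setPassword)
    {
        if (string.IsNullOrEmpty(token)) return false;
        string key = HashToken(token);
        Pending pending;
        if (!_pending.TryGetValue(key, out pending)) return false;
        _pending.Remove(key);
        if (DateTime.UtcNow > pending.ExpiresUtc) return false;

        bool changed = setPassword(pending.Email, newPassword);
        if (changed)
            _sendMail(pending.Email, "Your password was changed. If this was not you, contact support.");
        return changed;
    }

    // Only the hash is stored, so a leaked database does not hand out live reset links.
    private static string HashToken(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    public static void Main()
    {
        var svc = new PasswordResetService(new[] { "alice@example.com" },
            (to, body) => Console.WriteLine("MAIL to " + to + ": " + body));
        Console.WriteLine(svc.RequestReset("alice@example.com"));   // real account: email goes out
        Console.WriteLine(svc.RequestReset("nobody@example.com"));  // same text, no email
        Console.WriteLine("bogus token accepted: " +
            svc.CompleteReset("not-a-real-token", "N3wPassw0rd!", (e, p) => true));
    }
}
```

Removing the record before the expiry check means an expired link cannot be retried either. The token is 256 random bits, so throttling the completion endpoint is about noise rather than necessity; the request endpoint is the one that needs CAPTCHA or rate limiting, since every call to it sends mail.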
32. Cross site scripting (XSS) – What is it?
www.mysite.com/index?name=Guest
Hello Guest!
www.mysite.com/index?name=<b>Guest<b>
Hello Guest!
www.mysite.com/index?name=Guest<script>alert('Gotcha!')</script>
Hello Guest!
www.mysite.com/index?name=<script>window.onload = function() {var
link=document.getElementsByTagName("a");link[0].href="http://not-real-
xssattackexamples.com/";}</script>
www.mysite.com/index?name=<script>Insert evil script here</script>
33. Cross site scripting (XSS) – What is it?
Encoded data vs unencoded
e.g. <b>Guest<b> vs <b>Guest</b>
Cookie theft!
<script>alert(document.cookie)</script>
Concept: Don't trust your users!
Reflected vs Persisted XSS
Attack Vector: Social Network, Email etc
34. Cross site scripting (XSS) – Examples
Case Study: Legal Helpdesk
Enabler:
Session stealing
DOS
Sensitive data exposure
Ebay, Sep 2014
About.com, Oct 2014 – 99.98% of links susceptible
– Mar 2015 – still unpatched
35. Cross site scripting (XSS) - Countermeasures
Validate untrusted data – don't trust your users!
Sources of data – html post, urls, excel/csv import, import of
database
Mvc3 - "A potentially dangerous Request.Form value was detected from the client", except:
What if you want to post HTML? [AllowHtml] on the model property
Countermeasure: Encode reflected data
Mvc3 (Razor) HTML-encodes output by default
Except @Html.Raw(Model.MyStuff), which writes the string untouched
For 'safe' HTML fragments use the WPL (AntiXSS) library, which has encoders for HTML, CSS, URL, JavaScript, LDAP etc
Concept: Black vs White listing
SecurityEssentials: Incorporation of AntiXSS Library
Comparison with ASP.Net web forms
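As an added example that is not part of the slides, the same untrusted `name` from the `index?name=` examples placed into four output contexts with context-specific encoders: `AntiXssEncoder` from `System.Web.Security.AntiXss` (built into System.Web since .NET 4.5, the successor to the separate AntiXSS/WPL package) and `HttpUtility.JavaScriptStringEncode`. Razor's `@` does the HTML-body case for you; the attribute, script and URL cases are where hand-built markup and `@Html.Raw` go wrong.

```csharp
using System;
using System.Web;
using System.Web.Security.AntiXss;

public static class SafeGreeting
{
    // Untrusted input from the query string, as on the slide.
    public const string Payload = "Guest<script>alert('Gotcha!')</script>";

    // HTML body: < > & " ' become entities, so the browser shows the text instead of running it.
    // This is what Razor's @Model.Name does by default; @Html.Raw(Model.Name) skips it.
    public static string Body(string name)
    {
        return "<p>Hello " + AntiXssEncoder.HtmlEncode(name, false) + "!</p>";
    }

    // Attribute value: encoded for the attribute context and always quoted, so the input
    // cannot close the attribute and add an onmouseover="..." of its own.
    public static string Attribute(string name)
    {
        return "<input type=\"text\" name=\"name\" value=\"" +
               AntiXssEncoder.HtmlAttributeEncode(name) + "\" />";
    }

    // Inside a <script> block HTML encoding is the wrong tool: the value must be
    // JavaScript-string encoded (\u003c, \u0027 ...) and sit inside quotes.
    public static string Script(string name)
    {
        return "<script>var user = '" + HttpUtility.JavaScriptStringEncode(name) + "';</script>";
    }

    // Query-string parameter: URL-encode so the input cannot add parameters or break the link.
    public static string Link(string name)
    {
        return "<a href=\"/index?name=" + AntiXssEncoder.UrlEncode(name) + "\">again</a>";
    }

    public static void Main()
    {
        Console.WriteLine(Body(Payload));
        Console.WriteLine(Attribute(Payload));
        Console.WriteLine(Script(Payload));
        Console.WriteLine(Link(Payload));
    }
}
```

To make every `HttpUtility`/Razor encode call go through the AntiXSS encoder (whitelist-based, as the black-vs-white-listing line suggests), register it in web.config with `<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />`. Where users are allowed to post HTML (`[AllowHtml]`), encoding is not the answer; run the fragment through a sanitiser that keeps a whitelist of tags before storing or rendering it.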
37. Insecure direct object references – what is it?
www.mysite.com/user/edit/12345
// Insecure
public ActionResult Edit(int id)
{
    var user = UnitOfWork.UserRepository.Get(e => e.Id == id);
    return View("Edit", new UserViewModel(user));
}
// Secure
public ActionResult Edit(int id)
{
    var user = UnitOfWork.UserRepository.Get(e => e.Id == id);
    // Establish user has right to edit the details
    if (user.Id != UserIdentity.GetUserId())
    {
        HandleErrorInfo error = new HandleErrorInfo(
            new Exception("INFO: You do not have permission to edit these details"), "User", "Edit");
        return View("Error", error);
    }
    return View("Edit", new UserViewModel(user));
}
38. Insecure direct object references - Examples
Immobilise Jan 2015
Citigroup, 2011
– 200,000 customer details exposed
39. Insecure direct object references - Countermeasures
Check the user has permission to see a resource
– Don't expose internal keys externally
– Map keys to user specific temporary non-guessable ones to
prevent brute force
Frequently overlooked:
– Ajax calls
– Obfuscation of paths does not work
– Passing sensitive data in urls
SecurityEssentials.sln User edit
41. Security Misconfiguration – What is it?
Unnecessary features enabled e.g. FTP, SMTP on a web
server, ports opened
Default accounts and passwords still enabled and
unchanged
Errors reveal internal implementation e.g. Trace.axd
42. Security Misconfiguration - Examples
Webcams, Nov 2014
Secure Elmah, Google inurl:elmah.axd “error log for”
43. Security Misconfiguration - Countermeasures
Encrypt connection string
Server retail mode
Ensure application is set for production – automate using
MVC config transforms
SecurityEssentials.sln web.config
45. Sensitive Data exposure – What is it?
Email addresses
Contents of emails
Passwords
Auth token
Credit card details
Private pictures
46. Sensitive Data exposure - Examples
Snapchat Jan 2014
– Phone number upload feature brute forced
Tunisian ISP
– Login pages for Gmail, Yahoo, and Facebook
– Pulls the username and password, and encodes it with a weak
cryptographic algorithm
Wifi Pineapple
47. Sensitive Data exposure - Countermeasures
Use and enforce SSL/TLS – [RequireHttps]
Google: "SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead."
StartSSL.com or letsencrypt.org
HSTS header and HSTS preload
Encrypt sensitive data in storage
Disclosure via URL
Browser auto-complete
Don't store it! e.g. CVV code
SecurityEssentials forcing SSL/TLS, HSTS header, prevent
server information disclosure, web.config
49. Missing Function Level Access Control – What is it?
Checking the user has permission to be there
www.mysite.com/admin (Requires admin role!)
50. Missing Function Level Access Control - Countermeasures
Path level in web.config
Method level attribute e.g. [Authorize(Roles="Admin")]
Controller level Authorize attribute
Any point in code using identity features in .net (System.Web.Security.Roles.IsUserInRole(userName, roleName))
Use [NonAction]
Don't show links on UI to unauthorised functions
Don't make server side checks depend solely on
information provided by the attacker
Obfuscating links is no protection
Least Privilege
SecurityEssentials.sln unit tests
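An added example, not the project's own tests, of the unit-test idea on the last line: reflect over every `Controller` in the web assembly and list actions that carry neither `[Authorize]` nor `[AllowAnonymous]` on the method or its class, so a newly added admin action cannot reach production without an explicit decision. The `AuditSampleController` at the bottom is a hypothetical sample to run it against; the block needs the `Microsoft.AspNet.Mvc` package (MVC 4/5).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Threading.Tasks;
using System.Web.Mvc;

public static class AuthorizationAudit
{
    // "Controller.Action" for every public action reachable without an explicit
    // [Authorize] or [AllowAnonymous] on the action or its controller.
    public static IList<string> FindUndecidedActions(Assembly webAssembly)
    {
        var undecided = new List<string>();
        var controllers = webAssembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract);

        foreach (Type controller in controllers)
        {
            bool decidedOnClass = HasDecision(controller);
            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => ReturnsActionResult(m) && !m.IsDefined(typeof(NonActionAttribute), true));

            foreach (MethodInfo action in actions)
            {
                if (!decidedOnClass && !HasDecision(action))
                    undecided.Add(controller.Name + "." + action.Name);
            }
        }
        return undecided;
    }

    // Type and MethodInfo are both MemberInfo; IsDefined also matches attributes derived
    // from AuthorizeAttribute, so a custom [MyAuthorize] counts as a decision.
    private static bool HasDecision(MemberInfo member)
    {
        return member.IsDefined(typeof(AuthorizeAttribute), true)
            || member.IsDefined(typeof(AllowAnonymousAttribute), true);
    }

    // ActionResult, or Task<ActionResult> for async actions.
    private static bool ReturnsActionResult(MethodInfo m)
    {
        Type t = m.ReturnType;
        if (t.IsGenericType && t.GetGenericTypeDefinition() == typeof(Task<>))
            t = t.GetGenericArguments()[0];
        return typeof(ActionResult).IsAssignableFrom(t);
    }

    public static void Main()
    {
        // In a real test: Assert.IsEmpty(FindUndecidedActions(typeof(HomeController).Assembly))
        foreach (string action in FindUndecidedActions(typeof(AuditSampleController).Assembly))
            Console.WriteLine("No authorisation decision: " + action);
    }
}

// Hypothetical controller to run the audit against: Index is decided, Export is not.
public class AuditSampleController : Controller
{
    [Authorize(Roles = "Admin")]
    public ActionResult Index() { return View(); }

    public ActionResult Export() { return View(); }   // listed by the audit

    [NonAction]
    public ActionResult Helper() { return View(); }   // not routable, so ignored
}
```

If the application registers `AuthorizeAttribute` in `GlobalFilters` instead, every action is denied by default and the test should invert: list actions that are `[AllowAnonymous]` and review that list, since those are the ones open to the world.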
52. Cross-Site request forgery - What is it?
Attacker sends malicious link
<img src="www.mysite.com/logoff" />
Requires to be logged on
53. Cross-Site request forgery - Examples
TP-Link Routers, Mar 2014
300,000 routers reprogrammed
DNS Servers changed
Exploit known for over a year
Brazil 2011, 4.5m DSL routers reprogrammed
54. Cross-Site request forgery - Countermeasures
Exploits predictable patterns, tokens add randomness to
request
@Html.AntiForgeryToken()
<input name="__RequestVerificationToken" type="hidden"
value="NVGfno5qe...... .......yYCzLBc1" />
Anti-forgery token
[ValidateAntiForgeryToken]
NB: Ajax calls
ASP.Net web forms
SecurityEssentials (controller and ajax)
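As an added example (not the SecurityEssentials implementation) of the "NB: Ajax calls" point: `[ValidateAntiForgeryToken]` only reads the form field, so a JSON POST sent with `XMLHttpRequest` has to carry the token in a request header and have it checked against the cookie with `AntiForgery.Validate`. The attribute below does that and the comment shows the jQuery half; the `ProfileController` is hypothetical. Assumes MVC 4 or 5 (`System.Web.Helpers`).

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Validates the anti-forgery token when it arrives in a request header rather than a form field.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public const string HeaderName = "__RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        HttpRequestBase request = filterContext.HttpContext.Request;

        // Half one: the cookie the browser attaches automatically, also to a forged request.
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie == null ? null : cookie.Value;

        // Half two: the value the page's own script copied out of @Html.AntiForgeryToken().
        // A cross-site <form> or <img> cannot set custom headers, so a forged request lacks it.
        string headerToken = request.Headers[HeaderName];

        // Throws HttpAntiForgeryException if either half is missing or the pair does not match.
        AntiForgery.Validate(cookieToken, headerToken);
    }
}

public class ProfileController : Controller
{
    // Client side (jQuery), with @Html.AntiForgeryToken() rendered somewhere on the page:
    //   var token = $('input[name="__RequestVerificationToken"]').val();
    //   $.ajax({ type: 'POST', url: '/Profile/UpdateEmail', contentType: 'application/json',
    //            headers: { '__RequestVerificationToken': token },
    //            data: JSON.stringify({ email: 'new@example.com' }) });
    [HttpPost]
    [ValidateHeaderAntiForgeryToken]
    public ActionResult UpdateEmail(string email)
    {
        // Persist the new address for the current user here; only reached with a valid token.
        return Json(new { ok = true, email = email });
    }
}
```

Keep `[ValidateAntiForgeryToken]` on ordinary form posts and use the header variant only for script-driven calls; both read the same cookie, so one `@Html.AntiForgeryToken()` per page serves both. The token is bound to the logged-in user, which is also why the logoff-via-`<img>` trick on the "What is it?" slide fails once `Logoff` is a POST protected this way.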
55. 9 - Using components with known vulnerabilities
Case Study: WordPress, 2013
3 Year old admin module
10s of thousands of sites affected
No Brute force protection
Possible effects:
Circumvent access controls
SQL Injection, XSS, CSRF
Vulnerable to brute force login
NuGet – keep updated
Apply Windows Update
OWASP Dependency-Check (scans your packages against known CVEs)
SecurityEssentials.sln NuGet
56. 10 - Unvalidated redirects and forwards – What is it?
Attacker presents victim with an (obfuscated) url e.g.
https://www.trustedsite.com/signin?ReturnUrl=http://www.nastysite.com/
User logs into safe, trusted site
Redirects to nasty site, malicious content returned
Any redirecting url is vulnerable
MVC3 vulnerable
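An added example, not from the slides, of how `ReturnUrl` should be handled. The MVC 3 tools update and later templates ship `Url.IsLocalUrl`; the standalone `IsLocalUrl` below reproduces the framework's rule (accept only a single leading `/` or `~/`, reject `//` and `/\`) so the edge cases are visible, and the `AccountController` shows the check in place using the framework's membership and forms-authentication APIs. The sample URLs are constructed for illustration.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security;

public static class RedirectGuard
{
    // Same rule the framework's Url.IsLocalUrl applies: the only accepted shapes are
    // "/path" (exactly one leading slash) and "~/path". Anything with a scheme or host,
    // plus the two spellings browsers treat as absolute, is rejected.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url[0] == '/')
        {
            if (url.Length == 1) return true;                      // "/"
            return url[1] != '/' && url[1] != '\\';                // rejects "//evil" and "/\evil"
        }
        return url.Length > 1 && url[0] == '~' && url[1] == '/';   // "~/path"
    }

    public static void Main()
    {
        string[] samples =
        {
            "/Account/Manage",
            "~/Home/Index",
            "http://www.nastysite.com/",
            "//www.nastysite.com/",          // protocol-relative: the browser supplies https:
            "/\\www.nastysite.com/",         // some browsers normalise the backslash to a slash
            "javascript:alert(1)",
            ""
        };
        foreach (string s in samples)
            Console.WriteLine((IsLocalUrl(s) ? "allow  " : "block  ") + s);
    }
}

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError("", "The user name or password is incorrect.");
            return View();
        }
        FormsAuthentication.SetAuthCookie(userName, false);

        // This check turns ?ReturnUrl=http://www.nastysite.com/ into a harmless trip home.
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```

The same rule applies to any other redirect the application performs from a request value, not only after login: a `?next=` on a logout page or a `?goto=` in a tracking link is the same open redirect.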
58. Form Overposting – What is it?
[HttpPost]
public ViewResult Edit(User user)
{ TryUpdateModel( … }
[HttpPost]
public ViewResult Edit([Bind(Include = "FirstName")] User user)
{ TryUpdateModel( … ,propertiesToUpdate, … }
59. DDOS – What is it?
Account lock out
Site running slow in browser
Server unable to fulfil a request
60. DDOS - Examples
Case Study: Meetup, Mar 2014
– $300
– Site down for days
62. DDOS – How and countermeasures
Protocol exploits such as ICMP, SYN, SSDP flood
XSS
Being popular
System exploits - covered by fixes from MS generally
Botnets
Catastrophic-backtracking regex (ReDoS): one crafted input ties up a thread for minutes
Not closing connections
Filling up error log
Long running page
Outsource the solution - Cloudflare
63. Social Engineering – What is it?
You are the weakest link in the security terrain. e.g
phishing, spear phishing (12 emails sent => 90% success
rate).
People want to help
Nobody thinks they are a target
Virtually no trace of the attack
64. Social Engineering - Examples
Spam
Shoulder surfing
Found treasure (e.g. USB drive)
Case study: Email password reset
Denial of service and social engineering
65. Social Engineering - Countermeasures
Less than 1% of security budget is spent on people
Notifications
Principle of least privilege
Logging and two factor authentication
66. Securing your site – Code Cheat sheet (1)
Don't trust your users!
Use an ORM
Use a strong account management process
Captcha/throttling
Defeat account enumeration
Hash passwords, encrypt data
Least Privilege
Use and enforce SSL
Encode all output
Secure direct object references
[Authorize]/[Authorize(Roles="")] users
Conceal errors and trace
Use antiforgery tokens
67. Securing your site – Code Cheat sheet (2)
Keep components up to date
Validate redirects
Form overposting
DDOS
Headers
Train staff in social engineering
68. ...and once on the server
Apply a good SSL policy on the server:
http://www.ssllabs.com/projects/best-practises/
Poodle, Freak, Drown
Encrypt the connection string on the production server
Enable retail mode on the production server
Patch the server
Run on your site to check security standards are enforced
https://www.ssllabs.com/ssltest/
69. Further Resources
OWASP Top 10
Pluralsight courses
CEH Certification
ZdNet
SecurityNow podcast
70. Summary
Hacks have been increasing in number and sophistication
OWASP Top 10
Specific solutions in Mvc (SecurityEssentials.sln)
Ask who works as a developer?
Who works using Mvc?
Who has ever been hacked?
http://www.zdnet.com/pictures/2014-in-security-the-biggest-hacks-leaks-and-data-breaches/3/
http://www.bbc.co.uk/news/30925696
the World Economic Forum has issued a report that warns failing to improve cyber security could cost the global economy $3tn
http://www.fsb.org.uk/news.aspx?rec=8083
Costs its members around £785 million per year
Average loss is £6000 per company
20 per cent of members have not taken any steps to protect themselves from a cyber crime
http://www.csoonline.com/article/2130877/data-protection/the-15-worst-data-security-breaches-of-the-21st-century.html
http://www.zdnet.com/pictures/2014-in-security-the-biggest-hacks-leaks-and-data-breaches/3/
Memos leaked from Sony which criticised members of the government
Target - U.S. sales were “meaningfully weaker.” The company’s chief information officer, tasked with internal security, resigned three months into the new year.
Icloud - Over a hundred nude photos, some extremely explicit, were posted in total on the infamous discussion board 4chan
Snapchat - 13 gigabytes of data -- including photos and videos -- were pilfered by hackers, which eventually made its way to image sharing site 4chan.
Ebay – emails and postal addresses
Most companies conceal the attacks or are unaware of them
http://www.zdnet.com/article/hackers-for-hire-anonymous-quick-and-not-necessarily-illegal/
https://hackerslist.com/
Marketplace for people wanting to hire hackers, offers bounties. 500 hacking jobs have been put to the bid since the site's launch last year. Submitted anonymously by the site's users, hackers then seek to outbid each other to secure the work, which ranges from breaking into email accounts to taking down websites. The variety of jobs is far-ranging; from breaking into Gmail accounts to corporate email and taking down websites in revenge. Surprisingly, many jobs listed on the site are for the purpose of education -- with customers pleading for hackers to break into school systems in order to change grades. Other jobs include de-indexing pages and photos from search engines, acquiring client lists from competitors and retrieving lost passwords. There is a 'responsible use policy' on the website.
http://xkcd.com/327/
http://www.csoonline.com/article/2128432/data-protection/sony-apologizes—details-playstation-network-attack.html
The initial attack was disguised as a purchase, so wasn&apos;t flagged by network security systems. It exploited a known vulnerability in the application server to plant software that was used to access the database server that sat behind the third firewall,
http://www.scmagazine.com/researchers-discover-two-sql-injection-flaws-in-wordpress-security-plugin/article/369851/
Two SQL injection vulnerabilities in the All In One WordPress Security and Firewall plugin for blogging platform WordPress. The All In One WordPress Security and Firewall plugin “reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques,” according to WordPress.org. It has more than 400,000 downloads.
http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/
http://www.business2community.com/tech-gadgets/russian-hackers-means-website-0979723#!bLWV8O
The attack is performed by the bot finding any blank fields that can be typed into, such as comment boxes, searches and other blank boxes. The bot then starts working to see if the site can be hacked into and secure information compromised, such as: Names, Addresses, Passwords, Credit card numbers.
http://youtu.be/pTDGz7vN3NE?t=12s
http://www.independent.co.uk/news/fine-for-boy-who-hacked-into-pentagon-1274204.html
16 at the time, found guilty and fined £1,200. Got a D grade in A-level computer science, downloaded material about artificial intelligence and battlefield management systems
http://www.bbc.co.uk/news/technology-27503290
Not disclosed how the hack took place. No financial data was lost. Took 3 months to disclose the breach.
http://en.wikipedia.org/wiki/2012_LinkedIn_hack
All accounts were decrypted
https://haveibeenpwned.com/
http://www.wired.com/2008/09/palin-e-mail-ha/
Story posted on 4Chan the stronghold of the Anonymous griefer collective
http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all
Google account taken over and deleted, twitter account used to tweet racist remarks, iPhone, iPad and MacBook remotely wiped.
Could have used two factor authentication to prevent this.
Google display last 4 digits of CC number in clear, Apple uses the last 4 digits as security.
Apple requires a billing address, which the hacker got from doing a whois search on his web domain
Apple issues a temporary password to mail account despite the caller not being able to answer security questions.
Apple email was used to hack gmail, which was used to reset twitter account.
Every time you order pizza you give the delivery boy everything you need to reset your account and take over your life.
Devices were wiped just to prevent him getting back in, everything was done for a 3 letter twitter handle.
The same process the hackers used has subsequently been verified on other accounts.
http://uk.businessinsider.com/apple-fixes-security-flaw-in-find-my-iphone-software-2014-9
Find my phone login page was vulnerable whereas the other logins were not, combining this with a list of common passwords enabled the hack. The speech that outlined the vulnerability took place at the Def Con conference in Russia on Aug. 30,
Read more: http://uk.businessinsider.com/apple-fixes-security-flaw-in-find-my-iphone-software-2014-9#ixzz3Qs0Hbh2H
Http://anti-captcha.com/
http://www.makeuseof.com/tag/ebay-security-breach-reconsider-membership/
http://www.zdnet.com/article/over-99-percent-of-about-com-links-vulnerable-to-xss-xfs-iframe-attack/
98m monthly visitors. A security researcher disclosed Monday that "at least 99.88%" of all topic links and all domains and sub-domains related to About.com are vulnerable to open XSS (Cross Site Scripting) and Iframe Injection (Cross Frame Scripting, XFS) attacks. These attacks are open to anyone.
About.com have not responded even 3 months later. Search field on main page is also affected
http://m.bbc.co.uk/news/technology-30686697
Immobilise is recommended by most of the UK police. Exposed a person's name and address, as well as a list of valuables and a rough estimate of how much each item is worth. It is thought that more than four million people use the service. Fixed quickly
http://www.theregister.co.uk/2011/06/14/citigroup_website_hack_simple/
The hackers wrote a script that automatically repeated an insecure direct object reference attack tens of thousands of times to steal credit card information.
http://www.bbc.co.uk/news/technology-30896765
Xbox and PlayStation gaming networks offline over Christmas 2014
Database of 14,241 people who signed up was captured with usernames and passwords in plain text.
Hack was made over AJAX
http://www.bbc.co.uk/news/technology-30121159
Russian based site, subsequently taken down providing thousands of live feeds to web cams and baby monitors which still have the default passwords set.
Older versions of the hardware had no password or a default one, and remote access was on by default.
The admin of the site did not consider himself a hacker as he'd performed no hacking.
The manufacturer changed the login process, requiring users to change the password when they first logged in.
Foscam was the most commonly listed brand, followed by Linksys and then Panasonic.
This is not the first time problems with Foscam cameras have been highlighted. In 2013, a family based in Houston, Texas revealed that they had heard a voice shouting lewd comments at their two-year old child coming out of their Foscam baby monitor. They provided a software fix for this.
http://www.bbc.co.uk/news/technology-25572661
usernames and phone numbers for 4.6 million Snapchat accounts have been downloaded by hackers
http://www.thetechherald.com/articles/Tunisian-government-harvesting-usernames-and-passwords/12429/
Injected JavaScript is customized for each site's login form. Encodes the username and password with a weak crypto algorithm, passed to a URL to which a randomly generated five character key is added, via a GET request to a non-working URL. In the Gmail example, you see this URL listed as http://www.google.com/wo0dh3ad
https://www.youtube.com/watch?v=mf5ipnmvDxE
http://www.pcworld.com/article/2104380/attack-campaign-compromises-300000-home-routers-alters-dns-settings.html
D-Link, Micronet, Tenda, TP-Link and other manufacturers affected. administrative interfaces accessible from the Internet, making them susceptible to brute-force password-guessing attacks. CSRF techniques to attack routers when their administration interfaces
Meetup.com DDOS: http://techcrunch.com/2014/03/03/meetup-suffering-significant-ddos-attack-taking-it-offline-for-days/
In the time the servers were down 60000 meetups took place.
Meetup has refused to pay the small ransom as it believes doing so would make the perpetrators of the attacks demand more money.
Meetup confirms it’s now working with Cloudflare to help with the DDoS
DDOS ZdNet: http://www.zdnet.com/article/global-ddos-attacks-increase-90-percent-on-last-year/
Distributed denial-of-service (DDoS) attacks nearly doubled since 2013.
one campaign generating 106Gbps of malicious traffic
The exploitation of web vulnerabilities, the addition of millions of exploitable internet-enabled devices, and botnet building.
Rise in IoT and networked devices increases the ability to attack
United States and China continued as the lead source countries for DDoS traffic
Software-as-a-service and cloud-based technologies, came in as the second most targeted industry
http://youtu.be/mwoXrF5N_F8?t=17m54s
http://www.zdnet.com/article/badusb-big-bad-usb-security-problems-ahead/
Demoed at black hat conf an ordinary USB pen drive can be turned into an automated hacking tool.
USB controller chips' firmware offers no protection from reprogramming
The exploit is currently zero-day
A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
A modified thumb drive or external hard disk can — when it detects that the computer is starting up — boot a small virus, which infects the computer’s operating system prior to boot.
There's no effective way to detect a corrupted USB device
There are ways to fix this problem. First, USB chipset manufacturers can start hardening their firmware so it can't be easily modified. Security companies can start adding programs to check USB devices for unauthorized firmware alterations.