A review of the paper "Vanish: Increasing Data Privacy with Self-destructing Data"
Presentation Layout:
- Vanish Data Object (VDO)
- Encapsulation/Decapsulation
- Architecture
- Major issues
- Final Thoughts
A self destruction system for dynamic group data sharing in cloudeSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
This is my presentation from Finse 2011, a 3.5 hour presentation on passwords. The audience is PhD students & professors, mostly within crypto, access control, biometrics and similar areas.
A self destruction system for dynamic group data sharing in cloudeSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
This is my presentation from Finse 2011, a 3.5 hour presentation on passwords. The audience is PhD students & professors, mostly within crypto, access control, biometrics and similar areas.
Open Source and Security: Engineering Security by Design - Prague, December 2011Jeremy Brown
This was a talk I did at the International Conference ITTE 2011 - Cyber Security and Defense in Prague - http://www.afcea.cz/
Originally a colleague, Richard Morrell, was to give this talk and my slides are based on his but heavily modified.
The audience was a military audience who were at the conference to discuss Cyber Security.
You can't detect what you can't see illuminating the entire kill chainFidelis Cybersecurity
Organizations receive an overwhelming amount of alerts every day from their SIEMs, IPS/IDS, next gen firewalls, etc. Result is too many alerts and not enough manpower, visibility across the organization or enough context to make the right decisions.
We look at every stage of the attack lifecycle…and on every port and protocol. With Fidelis there’s no place for attackers to hide.
Asset Discovery in India – Redhunt LabsRedhuntLabs2
Leading Asset Discovery Company Redhunt Labs provides a variety of solutions to assist companies in India in securing their online assets and guarding against cyber threats. Our Agent less Platform NVADR has been successful for many of our customers in locating significant data leaks across publicly exposed Docker containers. NVADR has the capability to continually monitor your exposed Docker Assets from across the globe.
We also provide a Free Scan if you'd like to examine the Attack Surface of your company. Here to visit our page for more information.
Adobe Hacked Again: What Does It Mean for You? Lumension
Last time it was Adobe’s code signing servers. This time it’s 2.9 million (let’s just call it 3) customers’ data and lots and lots of source code – including that of Acrobat. Adobe products already require constant patching but offer no enterprise level solution for patching. In this presentation by Ultimate Windows Security, we’ll present why this will likely lead to more and we’ll look at what we know about this latest Adobe breach.
But more importantly I’ll show what you can do in advance to protect yourself against zero-day exploits in Adobe products and programs. After all this won’t be the last time a software vendor is hacked. In this day and age we have to protect ourselves from the failures of our software providers.
I’ll present 3 ways you can go on the offensive to protect yourself from the constant vulnerabilities discovered in Adobe Reader, Acrobat, Flash and Oracle Java. Here’s what we’ll discuss:
*Alternatives to Adobe and Java
*Different ways to containing vulnerable apps in a sandbox
* Using advanced memory protection technologies to detect and stop buffer overflows and other memory based attacks
Patching and AV only helps you close the window on hacker opportunity. To prevent the window from opening in the first place you have to prevent untrusted code from ever running in the first place. That requires application whitelisting and memory protection against code injection – a growing menace that bypasses controls based on file system and EXE scanning.
That’s why Lumension is sponsoring this event. I think you’ll be interested seeing 2 of their end-point security technologies that will help protect you from the new exploits on their way as a result of this hack as well as the constant stream of exploits discovered every day.
This is going to be a really cool presentation with practical tips that you can apply. Learn how to protect your systems from other software vendor vulnerabilities.
It comes to no surprise, that any micro-services, any security controls you use to build applications – will eventually be broken (or fail). Under certain pressure, some components will fail together.
The question is – how do we build our systems in a way that security incidents won't happen even if some components fail. And the data leaks won't occur even if penetration tests are successful. "Defense in depth is a security engineering pattern, that suggests building an independent set of security controls aimed at mitigating more risks even if the attacker crosses the outer perimeter. During the talk, we will model threats and risks for the modern web application, and improve it by building multiple lines of defense. We will overview high-level patterns and exact tools from the security engineering world and explain them to the modern web devs ;)
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
Security is in crisis and it needs a new way to move forward. This talk from Nov 2018, Houston ISSA meeting discusses the tooling needed to rise to the demands of devops and devsecops.
Cyberattacks on the Rise: Is Your Nonprofit Prepared?TechSoup
Cyberattacks against small and midsize organizations have increased from 11 percent to 15 percent in 2020, according to an Avast survey. Nonprofits are no exception to this alarming trend, which results in lost productivity, damaged reputations, and serious financial implications. Whether you’re a one-person IT team or a nontechnical concerned stakeholder, this webinar will help you
- Protect your organization from common malware attacks
- Set up a strong cybersecurity strategy for your organization
- Identify solutions to help minimize cyberattack risks
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
This session addresses the technology challenges of continuous security testing to “deliver securely,” and discusses best practices and tooling based on first hand experience in both enterprise and startup environment.
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Mobodexter
BlackHat USA 2015 got recently concluded and we head a bunch of news around how BlackHat brought to light various security vulnerabilities in day-to-day life like ZigBee protocol, Device for stealing keyless cars & ATM card skimmers. However the presenters, who are also ethical hackers, also gave a bunch of tools to help software community to detect & prevent security holes in the hardware & software while the product is ready for release. We have reviewed all the presentations from the conference and give you here a list of Top 10 tools/utilities that helps in security vulnerability detection & prevention.
The UNC School of Medicine suffered a security breach last summer that required notification of over 100,000 patients that their information had been exposed. This presentation will talk about the scope of damage that is caused by a breach of this
magnitude and the many steps that are necessary for damage control and recovery.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Open Source and Security: Engineering Security by Design - Prague, December 2011Jeremy Brown
This was a talk I did at the International Conference ITTE 2011 - Cyber Security and Defense in Prague - http://www.afcea.cz/
Originally a colleague, Richard Morrell, was to give this talk and my slides are based on his but heavily modified.
The audience was a military audience who were at the conference to discuss Cyber Security.
You can't detect what you can't see illuminating the entire kill chainFidelis Cybersecurity
Organizations receive an overwhelming amount of alerts every day from their SIEMs, IPS/IDS, next gen firewalls, etc. Result is too many alerts and not enough manpower, visibility across the organization or enough context to make the right decisions.
We look at every stage of the attack lifecycle…and on every port and protocol. With Fidelis there’s no place for attackers to hide.
Asset Discovery in India – Redhunt LabsRedhuntLabs2
Leading Asset Discovery Company Redhunt Labs provides a variety of solutions to assist companies in India in securing their online assets and guarding against cyber threats. Our Agent less Platform NVADR has been successful for many of our customers in locating significant data leaks across publicly exposed Docker containers. NVADR has the capability to continually monitor your exposed Docker Assets from across the globe.
We also provide a Free Scan if you'd like to examine the Attack Surface of your company. Here to visit our page for more information.
Adobe Hacked Again: What Does It Mean for You? Lumension
Last time it was Adobe’s code signing servers. This time it’s 2.9 million (let’s just call it 3) customers’ data and lots and lots of source code – including that of Acrobat. Adobe products already require constant patching but offer no enterprise level solution for patching. In this presentation by Ultimate Windows Security, we’ll present why this will likely lead to more and we’ll look at what we know about this latest Adobe breach.
But more importantly I’ll show what you can do in advance to protect yourself against zero-day exploits in Adobe products and programs. After all this won’t be the last time a software vendor is hacked. In this day and age we have to protect ourselves from the failures of our software providers.
I’ll present 3 ways you can go on the offensive to protect yourself from the constant vulnerabilities discovered in Adobe Reader, Acrobat, Flash and Oracle Java. Here’s what we’ll discuss:
*Alternatives to Adobe and Java
*Different ways to containing vulnerable apps in a sandbox
* Using advanced memory protection technologies to detect and stop buffer overflows and other memory based attacks
Patching and AV only helps you close the window on hacker opportunity. To prevent the window from opening in the first place you have to prevent untrusted code from ever running in the first place. That requires application whitelisting and memory protection against code injection – a growing menace that bypasses controls based on file system and EXE scanning.
That’s why Lumension is sponsoring this event. I think you’ll be interested seeing 2 of their end-point security technologies that will help protect you from the new exploits on their way as a result of this hack as well as the constant stream of exploits discovered every day.
This is going to be a really cool presentation with practical tips that you can apply. Learn how to protect your systems from other software vendor vulnerabilities.
It comes to no surprise, that any micro-services, any security controls you use to build applications – will eventually be broken (or fail). Under certain pressure, some components will fail together.
The question is – how do we build our systems in a way that security incidents won't happen even if some components fail. And the data leaks won't occur even if penetration tests are successful. "Defense in depth is a security engineering pattern, that suggests building an independent set of security controls aimed at mitigating more risks even if the attacker crosses the outer perimeter. During the talk, we will model threats and risks for the modern web application, and improve it by building multiple lines of defense. We will overview high-level patterns and exact tools from the security engineering world and explain them to the modern web devs ;)
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
Security is in crisis and it needs a new way to move forward. This talk from Nov 2018, Houston ISSA meeting discusses the tooling needed to rise to the demands of devops and devsecops.
Cyberattacks on the Rise: Is Your Nonprofit Prepared?TechSoup
Cyberattacks against small and midsize organizations have increased from 11 percent to 15 percent in 2020, according to an Avast survey. Nonprofits are no exception to this alarming trend, which results in lost productivity, damaged reputations, and serious financial implications. Whether you’re a one-person IT team or a nontechnical concerned stakeholder, this webinar will help you
- Protect your organization from common malware attacks
- Set up a strong cybersecurity strategy for your organization
- Identify solutions to help minimize cyberattack risks
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
This session addresses the technology challenges of continuous security testing to “deliver securely,” and discusses best practices and tooling based on first hand experience in both enterprise and startup environment.
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Mobodexter
BlackHat USA 2015 got recently concluded and we head a bunch of news around how BlackHat brought to light various security vulnerabilities in day-to-day life like ZigBee protocol, Device for stealing keyless cars & ATM card skimmers. However the presenters, who are also ethical hackers, also gave a bunch of tools to help software community to detect & prevent security holes in the hardware & software while the product is ready for release. We have reviewed all the presentations from the conference and give you here a list of Top 10 tools/utilities that helps in security vulnerability detection & prevention.
The UNC School of Medicine suffered a security breach last summer that required notification of over 100,000 patients that their information had been exposed. This presentation will talk about the scope of damage that is caused by a breach of this
magnitude and the many steps that are necessary for damage control and recovery.
Similar to Vanish: Increasing Data Privacy with Self-destructing Data (20)
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Vanish: Increasing Data Privacy with Self-destructing Data
1. Increasing Data Privacy with
Self-Destructing Data
Roxana Geambasu, Amit Levy, Tadayoshi Kohno,
Arvind Krishnamurthy, Henry M. Levy
Andreas Georgiou
11. Vanish Architecture
VDO via Email
DHT
VDO Creation {C, L, N, Threshold}
VDO {C, L, N, Threshold}
L : Locator Key
L : Locator Key
C= EK (Data)
K : Random Enc Key
Reconstruction
Encryption Key
Data = DK (C)
13. Identified Problems I
No security before timeout
Anyone can access to the VDO
Legal issues (UK & US)
14. Identified Problems I
No security before timeout
All users have access to the VDO
Legal issues
15. Identified Problems II
Not Practical
No commercial value.
No user studies (interface/usability/confidence)
No security (Sybil Attack)
16. Identified Problems II
Not Practical
No commercial value.
"Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs" (2009) Scott Wolchok, Owen S. Hofmann, Nadia Heninger, Edward W. Felten, J. Alex Halderman, Christopher J. Rossbach,
Brent Waters, Emmett Witchel
No user studies (interface/usability/confidence)
No security (Sybil Attack)
17. Final Thoughts
Use of DHT in Information Security
Followed the Scientific Method (Experiments)
Most goals were accomplished
Suggested solutions to weaknesses
18. Final Thoughts
Use of DHT in Information Security
Followed the Scientific Method (Experiments)
Most goals were accomplished
Suggested solutions to weaknesses
19. Thank You for Listening
Andreas Georgiou 2014
andreas.georgiou.13@ucl.ac.uk
Editor's Notes
driveUniversity of Washington in 2009 A group of researchers in order to tackle the privacy issues related to sensitive data left on your hard disk they developed a system that
Vanish : is a system that creates a key for the encrypted text. The generated key is stored in a distributed network called DHT. After an amount of time specified the key is dissolved in the network and there is no way to recover it.They claimed that, there is no feasible attack against their system. That the adversary will required to use an amount of resources that only a powerful organisation like nation agencies have.Goals : Destruction after Timeout, the software must ensure that data will be unrecoverable after timeout without any explicit action Accessible until timeout, ensure that the system can provide lifetime of VDO objects. They also tried to leverage existing infastructures , no special hardware. No connectivity required, either you are online or offline after midnight the data should be self destructed Introduce no other privacy issues.Threat Model :- In their thread model do not include local users, assuming that legitimate users only can have access to their personal machines. Does not include DDOs attacks on the network based on their assumptions that a distributed network is hard to be attacked.- They also did not take any consideration adversaries that are able to intercept future emails send between two parties or any adversary that can get hold of a warrant, stating that such an adversary has an arsenal of forensic tools in his disposal.
Vansish research team implemented this technology by developing two applications, a firefoxplugin called FireVanish.They also tested a prototype that uses vanish technology to encrypt local word documents, by wrapping the contents of the File in a Vanish Data object and shredding the local file.The vanish software is easy to install. After installation the user is not required to use any password or Crypto keys to encrypt and decrypt messages.After timeout the data are self destructed without any action required by the user, software or any special hardware.
Shamir's Secret Sharing is an algorithm in cryptography created by Adi Shamir. It is a form of secret sharing, where a secret is divided into parts, giving each participant its own unique part, where some of the parts or all of them are needed in order to reconstruct the secret.Secret Sharing : N : Number of shares, Threshold
Is a class of decentralised distributed systems that provides a lookup service similar to a Hash Table; [Key, Value] pairs are stored randomly in any node in the network.Anyone participating in the network can perform the lookup operation and providing the key retrieve the value associatedIn order to understand this better, imagine how a Bittorent network works but instead of having a torrent tracker, you have hash tables stored in each node that provides a path for each key. Fault Tolerance (No Single point of failure) – It is resistant to DDoS attacks Scalable by the mean, is efficient either you run a network with 1,000 or 1,000,000 million. DHTs use 128-bit or 160-bit key space Here I will also like to point out that they put quite an effort to study how the number of nodes, secret shares and the threshold affects the system. By carrying out a set of experiments they manipulated these variable to discover what is their relationship to properties like availability, latency and security of the system.They concluded that the optimal configuration is N=50 threshold 90% provide a balance between performance and security160-bit Idbased on its IP and port, which determines the index ranges that it will store.To store an (index,value) pair in the DHT, a client looksup 20 nodes with Ids clos-est to the specified index and then sends store messages to them.
e-discovery law : Preserving the original content and metadata for electronically stored information is required in order to eliminate claims of spoliation or tampering with evidence later in the litigation.
Regulation of Investigatory Powers Act 2000, which states if the authorities want to access any protected information then you should hand them over the password. But what if you don’t remember the password or forgot it or you don’t even have the password, Then you should convince them that the password was self destruct a few hours ago, Good luck with that.
In my opinion the software has many security flaws and is not practical to be used in the everyday life. For example when FireVanishTherefore it has no real commercial value and can not be used for further development or distribution.The did not carry out any formal user studies of how the user interface of the software should look like, what are the expectations of the users, if it does match the real needs of a user who wants to exchange sensitive information.It turned out that there is no security after all either before or after timeout and can be only used when a series of assumptions are valid.
They did some strong assertions that their system is only vulnerable to adversaries that are willing to spend 860k (Amazon EC2 services) but this attack is measured that it will reach 59k dollars using arround 80-90k nodesUniversity of Texas & Michigan in 2009 published a paper that describes a feasible attack on the vanish system. Vanish authors claim it is exceptionally difficult for an eavesdropper to collect all the pieces of the key necessary to reassemble the key because it is never held in a single location.Adversary puts a small number of computers to join a network and act like is a very large number of computers by faking their identities.Unvanish shows how insecure vanish is by recovering parts of the key and decrypting the original message even after the timeout. [In the expirements they did, they were able almost close to 100% to recover the message.http://z.cs.utexas.edu/users/osa/unvanish/
Distributed Hash Tables were an innovative idea and the use DHTs in a global scale of them in the information security field I found it quite interesting. It is an innovative idea, They followed they followed the scientific method strictly : Evaluated the capabilities of DHT networks in terms of performance and security Identify the research problem Specify purpose of research - Determine hypotheses/research question They stated their assumptions, conducted many experiments to locate the threshold of secret sharing that ensured availability and security. They provided with security evaluation of their prototype. Suggested solutions to increase confidentiality and defeat man in the middle attacks, like proposing the use of strong encryprtion algorithms like GPG or PGP. Although they failed to identify many of scheme’s weaknesses, I believe this paper should be accepted and published. Your judgement should not be biased with the today’s discoveries and progress, if I put myself back in 2005 when BitTorrent was
Distributed Hash Tables were an innovative idea and the use of them in the information security field I found it quite interesting. It is an innovative idea, They followed they followed the scientific method strictly : Identify the research problem Specify purpose of research - Determine hypotheses/research question They stated their assumptions, conducted many experiments to locate the threshold of secret sharing that ensured availability and security. They provided with security evaluation of their prototype.Suggested solutions : De capsulation before timeout they suggested further encryption like PGP or GPG. Man in the Middle attack : set up a system of key exchange between nodes so they encrypt their communication between nodes Sybil attack : the economics of the attack make it not feasible but unvanish supports the opposite Although they failed to identify many of scheme’s weaknesses, I believe this paper should be accepted and published. Your judgement should not be biased with the today’s discoveries and progress, if