A talk about the importance of Web security, tailored towards IT people of local municipalities.
This was an invited talk at the information day on online security for the municipalities of Flemish Brabant (Belgium).
SplunkLive! Amsterdam 2015 - Analytics based security breakoutSplunk
Splunk products provide a flexible and fast security intelligence platform that makes security personnel and processes more efficient by providing quick and flexible access to all of the data and information needed to detect, investigate and remediate threats. This presentation will discuss best practices for building out or enhancing an analytics based security strategy and how Splunk products can make people, process, and technology work better together.
This document discusses using deep neural networks to profile malicious users based on log data. It proposes moving from rule-based detection to AI-based detection using machine learning models like CNNs. The CNN model is trained on process lists from honeypot VMs to learn patterns distinguishing malicious from benign activity. It represents processes as embeddings to handle new/random names. When trained on Linux audit logs, the CNN can identify suspicious sequences of events that single-event detectors may miss. Overall, the approach aims to better detect attacks by leveraging AI to find complex patterns in log data.
This document discusses Windows Credential Manager and how attackers can target it. It provides an overview of Credential Manager, how it stores login credentials, and how applications interface with it. It then outlines how the Windows Defender ATP security solution protects credentials by collecting Windows event logs and other telemetry, using its cloud-based machine learning to detect anomalies and known threat patterns that could indicate credential theft.
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
NOTES
--
Slide 8
Some of the categories we will discuss are very broad like this one.
Untrusted command – get / post / rest style params
Clicks
Surprise inputs
Slide 13
Very broad too
Little or no auth
Auth with some bypass possibilities
Some problem with how session is generated, managed, expired
Insufficient sessionID protection
Slide 18
When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser.
Slide 27
Security hardening throughout Application Stack
Unnecessary features enabled or installed?
ports, services, pages, accounts, privileges
Security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries not set to secure values?
Default accounts/ passwords still enabled and unchanged?
Error handling reveal stack traces or other overly informative error messages to users?
Software out of date?
OS, Web Server, DBMS, applications, code libraries
Slide 41
sign up for updates or do regular audits to see versions
there might be technical dependencies
easily exploited by attackers using metaspoilt, info gathering using headers & responses, etc.
Slide 47
We can look at the architecture, give you tips around what you could use, what would be good. This would avoid making any major changes when the product is ready which would save everyone’s time in the long run.
Have sprints with dedicated security features and use those as a selling point for our security conscious customers
Slide 48
Carefully look at the license to make sure you can use it in your type of product. Ask Fallon if you are not sure
Research how much support it gets, how popular it is
Look to find out any vulnerabilities in it before you start using it
Maintain it; Sign up for CVE updates
Ask us if you need to get something reviewed
Slide 50
Not only better and more features
Security vulnerabilities get patched in new versions
New versions get most attention by the companies and old ones stop getting support after some time fully
Most Security Support by the community
Turn on auto updates for Chrome; always look at updates on AppStore
Slide 51
Use different passwords for different sites
Password managers let you set complexity, generate random passwords, etc.
Slide 52
Only grant access to whats needed to get the job done
employee leaves; mistakes; vulnerabilities in other s/w which leverages this;
Don’t install redundant software, plugins, etc.
This opens up so much risk
People forget to uninstall them; s/w doesn't get much attention from community; open ports are left; boom exploited by attackers;
Slide 55
To prevent unintended execution actions
e.g., fail open auth errors
Leak minimal info about infrastructure as this info is leveraged by attackers to carry out further attacks
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
Standardizing and Strengthening Security to Lower CostsOpenDNS
Your managed service includes anti-virus, an email filter and a firewall. So why do you still find yourself wasting resources on cleaning up and re-imaging infected customer endpoints? Learn how top MSPs are lowering costs, gaining efficiencies and fueling growth by leveraging cloud-delivered predictive security.
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun YenCODE BLUE
Two years after the release of our paper regarding SCADA HMI security , SCADA systems are still a challenge to secure. This is not only due to their rigid connection requirements (hence "control and data acquisition"), but also the burden of needing to interface with legacy systems. Such legacy systems are so foundational to OT configurations that SCADA systems are frequently difficult to modernize. As a result of recent stories in the media, the potential devastation of a successful SCADA attack is well-known. As adversaries only have to successfully penetrate through one of many potential weaknesses in a system, these potential weaknesses and attack surfaces must be carefully considered and safeguarded.
HMIs are a common target, since they're usually installed in a configuration that enables connection to both the OT network and the Internet (or Intranet), meaning they can easily be made to function as a sort of gateway. This runs contrary to the common assumption that HMIs should only be installed in an air-gapped or otherwise isolated configuration.
Despite a lack of public information regarding OT network infiltration via HMI, our research reveals that HMIs are frequently a soft and easily accessible vector for attacks. In a large percentage of OT setups, the consequences of HMI compromise could be disastrous -- allowing theft of operational information, property damage, and the creation of a foothold for infiltrating the infrastructure.
In the past, vendors have been able to assume that older technology would support stable operation and that they could rely on 'security through obscurity'. In recent investigations we found that in some devices, "security" is merely an illusion created by limited and inconsistent data of the legacy systems which are still used actively today. In this submission, we introduce our in-progress research regarding security in HMI devices, and show how we totally pwn one such device. The research presented here shows only a small amount of the insecurities that we've uncovered.
Jagadeesh Parameswaran, Microsoft
Rahul Sachan, Microsoft
Windows Defender Advanced Threat Protection (WDATP) gives defenders unparalleled visibility into the enterprise. And Azure Advanced Threat Protection (AATP) gives the power to monitor attacks on the Domain Controllers and user identities. Come spend an hour with us as we pull back the covers and go through detailed examples of real attacks that we saw as we defended the Microsoft corporate environment using WDATP & AATP.
SplunkLive! Amsterdam 2015 - Analytics based security breakoutSplunk
Splunk products provide a flexible and fast security intelligence platform that makes security personnel and processes more efficient by providing quick and flexible access to all of the data and information needed to detect, investigate and remediate threats. This presentation will discuss best practices for building out or enhancing an analytics based security strategy and how Splunk products can make people, process, and technology work better together.
This document discusses using deep neural networks to profile malicious users based on log data. It proposes moving from rule-based detection to AI-based detection using machine learning models like CNNs. The CNN model is trained on process lists from honeypot VMs to learn patterns distinguishing malicious from benign activity. It represents processes as embeddings to handle new/random names. When trained on Linux audit logs, the CNN can identify suspicious sequences of events that single-event detectors may miss. Overall, the approach aims to better detect attacks by leveraging AI to find complex patterns in log data.
This document discusses Windows Credential Manager and how attackers can target it. It provides an overview of Credential Manager, how it stores login credentials, and how applications interface with it. It then outlines how the Windows Defender ATP security solution protects credentials by collecting Windows event logs and other telemetry, using its cloud-based machine learning to detect anomalies and known threat patterns that could indicate credential theft.
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
NOTES
--
Slide 8
Some of the categories we will discuss are very broad like this one.
Untrusted command – get / post / rest style params
Clicks
Surprise inputs
Slide 13
Very broad too
Little or no auth
Auth with some bypass possibilities
Some problem with how session is generated, managed, expired
Insufficient sessionID protection
Slide 18
When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser.
Slide 27
Security hardening throughout Application Stack
Unnecessary features enabled or installed?
ports, services, pages, accounts, privileges
Security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries not set to secure values?
Default accounts/ passwords still enabled and unchanged?
Error handling reveal stack traces or other overly informative error messages to users?
Software out of date?
OS, Web Server, DBMS, applications, code libraries
Slide 41
sign up for updates or do regular audits to see versions
there might be technical dependencies
easily exploited by attackers using metaspoilt, info gathering using headers & responses, etc.
Slide 47
We can look at the architecture, give you tips around what you could use, what would be good. This would avoid making any major changes when the product is ready which would save everyone’s time in the long run.
Have sprints with dedicated security features and use those as a selling point for our security conscious customers
Slide 48
Carefully look at the license to make sure you can use it in your type of product. Ask Fallon if you are not sure
Research how much support it gets, how popular it is
Look to find out any vulnerabilities in it before you start using it
Maintain it; Sign up for CVE updates
Ask us if you need to get something reviewed
Slide 50
Not only better and more features
Security vulnerabilities get patched in new versions
New versions get most attention by the companies and old ones stop getting support after some time fully
Most Security Support by the community
Turn on auto updates for Chrome; always look at updates on AppStore
Slide 51
Use different passwords for different sites
Password managers let you set complexity, generate random passwords, etc.
Slide 52
Only grant access to whats needed to get the job done
employee leaves; mistakes; vulnerabilities in other s/w which leverages this;
Don’t install redundant software, plugins, etc.
This opens up so much risk
People forget to uninstall them; s/w doesn't get much attention from community; open ports are left; boom exploited by attackers;
Slide 55
To prevent unintended execution actions
e.g., fail open auth errors
Leak minimal info about infrastructure as this info is leveraged by attackers to carry out further attacks
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
Standardizing and Strengthening Security to Lower CostsOpenDNS
Your managed service includes anti-virus, an email filter and a firewall. So why do you still find yourself wasting resources on cleaning up and re-imaging infected customer endpoints? Learn how top MSPs are lowering costs, gaining efficiencies and fueling growth by leveraging cloud-delivered predictive security.
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun YenCODE BLUE
Two years after the release of our paper regarding SCADA HMI security , SCADA systems are still a challenge to secure. This is not only due to their rigid connection requirements (hence "control and data acquisition"), but also the burden of needing to interface with legacy systems. Such legacy systems are so foundational to OT configurations that SCADA systems are frequently difficult to modernize. As a result of recent stories in the media, the potential devastation of a successful SCADA attack is well-known. As adversaries only have to successfully penetrate through one of many potential weaknesses in a system, these potential weaknesses and attack surfaces must be carefully considered and safeguarded.
HMIs are a common target, since they're usually installed in a configuration that enables connection to both the OT network and the Internet (or Intranet), meaning they can easily be made to function as a sort of gateway. This runs contrary to the common assumption that HMIs should only be installed in an air-gapped or otherwise isolated configuration.
Despite a lack of public information regarding OT network infiltration via HMI, our research reveals that HMIs are frequently a soft and easily accessible vector for attacks. In a large percentage of OT setups, the consequences of HMI compromise could be disastrous -- allowing theft of operational information, property damage, and the creation of a foothold for infiltrating the infrastructure.
In the past, vendors have been able to assume that older technology would support stable operation and that they could rely on 'security through obscurity'. In recent investigations we found that in some devices, "security" is merely an illusion created by limited and inconsistent data of the legacy systems which are still used actively today. In this submission, we introduce our in-progress research regarding security in HMI devices, and show how we totally pwn one such device. The research presented here shows only a small amount of the insecurities that we've uncovered.
Jagadeesh Parameswaran, Microsoft
Rahul Sachan, Microsoft
Windows Defender Advanced Threat Protection (WDATP) gives defenders unparalleled visibility into the enterprise. And Azure Advanced Threat Protection (AATP) gives the power to monitor attacks on the Domain Controllers and user identities. Come spend an hour with us as we pull back the covers and go through detailed examples of real attacks that we saw as we defended the Microsoft corporate environment using WDATP & AATP.
Alban Diquet, Data Theorem
Thomas Sileo, Data Theorem
Over the last two years, we've received and analyzed more than three million SSL validation failure reports from more than a thousand of iOS and Android apps available on the Stores, and used all around the world. From mobile banking to music apps, each report was triggered because an unknown or unexpected certificate was being served to the app, preventing it from establishing a secure connection to its server via SSL/TLS.
We've analyzed each of these reports to understand what caused the SSL connection to fail, and then grouped similar failures into various classes of SSL incidents. Throughout this presentation, we will describe the analysis we've made and present our findings.
First, we will provide a high-level overview of where, how, and why SSL incidents are occurring across the world for iOS and Android users, and describe the various classes of incidents we've detected. Some of these types of incidents, such as corporate devices performing traffic inspection, are well-known and understood, although we will provide new insights into how widespread they are.
Then, we will take a closer look at a few notable incidents we detected, which have been caused by unexpected, or even suspicious actors. We will describe our investigations and what we found.
Lastly, we will provide real-world solutions on how to protect apps against traffic interception and attacks, as a mobile developer.
From ATT&CKcon 3.0
By Jared Stroud, Lacework
Adversaries target common cloud misconfigurations in container-focused workflows for initial access. Whether this is Docker or Kubernetes environments, Lacework Labs has identified adversaries attempting to deploy malicious container images (T1610) , mine Cryptocurrency (T1496), and deploy C2 agents. Defenders new to the container space may be unaware of the built-in capabilities popular container runtime engines have that can help defend against rogue containers being deployed into their environment. Attendees will walk away with an understanding of what these attack patterns look like based on honeypot data Lacework has gathered over the past year, as well as techniques on how to defend their own container focused workloads.
The presentation is on Persistent Cookies and LDAP Injection. Persistent cookies stay on your hard drive (one of your browser's subfolders) until they expire or get deleted. The session will cover introduction to Persistent Cookies and applicable test-cases with respect to Web Application Penetration Testing. In LDAP Injection section, the presentation will cover: Understanding Active Directory, Understanding LDAP and How does LDAP Injection work.
Network Intelligence for a secured Network (2014-03-12)Andreas Taudte
This document discusses BlueCat Network Intelligence's threat protection solution for securing network infrastructure. It describes typical attacks that leverage DNS, and how BlueCat protects against these attacks by downloading lists of known malicious sites and blocking queries and traffic to these sites. The document also outlines challenges with external DNS and how BlueCat's hosted DNS solution addresses these with features like DNSSEC, response rate limiting, and anycast architecture. It positions BlueCat as providing a single management platform for on-premise and external DNS/DHCP services through components like Address Manager and Automation Manager.
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing
The presentation focuses on the whole process of security testing and present it by analogies to the web applications which are quite well-known. It covers the whole SDLC and show the similarities and differences in the arsenal of vulnerabilities, security tools and standards between the smart contracts and web applications on each step. Even though there exist a lot of great security projects for smart contracts, we do not have single, widely accepted security standard (such as ASVS in web apps world). That is why we introduce SCSVS (Smart Contract Security Verification Standard), a open-source 13-part checklist created to standardize the security of smart contracts for developers, architects, security reviewers and vendors.
Identity theft: Developers are key - JFokus 2017Brian Vermeer
Identity theft is perhaps the most concerning kind of Cybercrime nowadays. The most concerning aspect of identity theft is that once you are a victim it is hard to get rid of the consequences. Although as developers we are probably well aware of the risks towards cybercrime and identity theft in particular, in many parts we as developers play a big role in making identity theft happen. It is not only about how secure is your program, but how aware are you? Or better said how naive are we in practice as developers in this big bad world.
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE - ATT&CKcon
ATT&CK is valuable for those of us who are heads down in security day in and day out. But what about using ATT&CK to each college interns about security?
This presentation details how Tripwire used ATT&CK to build- out a new training regimen for summer interns. By going through and finding quick wins, Tripwire’s interns were actively engaged in learning about security. The detailed break downs of ATT&CK were greatly beneficial in helping teach security concepts to those who were not yet familiar with them. This session shows the program details and how you might be able to adapt it to your requirements.
From ATT&CKcon 3.0
By Matt Snyder, VMWare
Insider threats are some of the most treacherous and every organization is susceptible: it's estimated that theft of Intellectual Property alone exceeds $600 billion a year. Armed with intimate knowledge of your organization and masked as legitimate business, often these attacks go unnoticed until it's too late and the damage is done. To make matters worse, threat actors are now trying to lure employees with the promise of large paydays to help carry out attacks.
These advanced attacks require advanced solutions, and we are going to demonstrate how we are using the MITRE ATT&CK framework to proactively combat these threats. Armed with these tactics and techniques, we show you how to build intelligent detections to help secure even the toughest of environments.
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019kieranjacobsen
The document discusses common issues with email security such as spam, phishing, spear phishing, whaling and impersonation. It then provides an example of an email header from the Have I Been Pwned service, highlighting the various authentication and security details contained within the header such as SPF, DKIM and DMARC validation. The header is used to demonstrate how threat actors may spoof legitimate email domains and services to conduct phishing attacks.
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
This document discusses Opera Software's process for preventing secrets and sensitive information from being committed to code repositories. It describes the problem of secrets in codebases, various tools for identifying and managing secrets like HashiCorp Vault and detect-secrets, and Opera's implementation which uses Vault for secret storage and detect-secrets for identifying secrets in code. The process involves creating a secrets baseline, enabling detect-secrets hooks to prevent pushes with new secrets, auditing the codebase history, and updating the baseline over time.
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
This talk presents a case study which demonstrates that we should consider the knowledge and wisdom contained within ATT&CK in all organizational security initiatives to make sure by fixing one thing we have not just created an opportunity.
The presentation shows how to leverage the analysis and classification of APT tactics and procedures (TTP) to guide research into new and novel techniques, specifically focusing on exfiltration and command and control.
DNS over HTTPS (DoH) aims to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks. Major web browsers such as Firefox are considering its implementation by default. But what could this possibly mean for exfiltration and command and control?
This session provides an end-to-end demo that shows DoH being implemented to provide full command and control in a popular attack simulation framework and discusses associated mitigations.
Automation: The Wonderful Wizard of CTI (or is it?) MITRE ATT&CK
The document describes MITRE's Threat Report Automated Mapper (TRAM) tool, which uses machine learning to automatically map cyber threat reports to MITRE ATT&CK techniques. TRAM aims to streamline the process of analyzing reports and adding information to ATT&CK, though challenges remain around prediction accuracy and identifying new techniques. The document outlines TRAM's development process and discusses balancing automation with human analysis to better integrate cyber threat intelligence into ATT&CK.
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
The document discusses security issues with pull printing solutions. It provides three examples of security assessments conducted on different vendor products. In the first example, the proprietary protocol was reverse engineered and vulnerabilities like weak encryption were found. The second vendor took security seriously and responded quickly to reported issues. The third example showed vulnerabilities like a lack of encryption that could allow print job tampering. The document emphasizes that pull printing solutions require thorough security testing.
Gerald Z. Villorente presents on the topic of web security. He discusses security levels including server, network, application, and user levels. Some common web application threats are also outlined such as cross-site scripting, SQL injection, and denial-of-service attacks. The presentation provides an overview of aspects of data security, principles of secure development, and best practices for web security.
This topic will cover key concepts in android application security testing by employing a variety of tools and techniques to fasten the testing process.
This was presented at Null Bangalore Chapter (Saturday April 26 2014, 11:00 AM)
Attacker's Perspective of Active DirectorySunny Neo
This document provides an overview of attack methodologies from an attacker's perspective when targeting Active Directory environments. It discusses initial access techniques, privilege escalation to domain admin rights, maintaining situational awareness through techniques like password spraying and Kerberoasting, and lateral movement tactics like pass the hash and pass the ticket. It also provides mitigation strategies and detection opportunities for defenders.
Application Security session given as part of the Solvay Executive Master in IT Management.
Explaining application security challenges for web, mobile, cloud and internet of things.
Positioning OWASP SAMM as structural and measurable framework to get application security under control in the complete application lifecycle.
The document summarizes the OWASP 2013 top 10 list of web application security risks. It provides descriptions and examples for each of the top 10 risks: 1) Injection, 2) Broken Authentication and Session Management, 3) Cross-Site Scripting (XSS), 4) Insecure Direct Object References, 5) Cross-Site Request Forgery (CSRF), 6) Security Misconfiguration, 7) Sensitive Data Exposure, 8) Missing Function Level Access Control, 9) Using Components with Known Vulnerabilities, and 10) Unvalidated Redirects and Forwards. Protection strategies are also outlined for each risk.
Alban Diquet, Data Theorem
Thomas Sileo, Data Theorem
Over the last two years, we've received and analyzed more than three million SSL validation failure reports from more than a thousand of iOS and Android apps available on the Stores, and used all around the world. From mobile banking to music apps, each report was triggered because an unknown or unexpected certificate was being served to the app, preventing it from establishing a secure connection to its server via SSL/TLS.
We've analyzed each of these reports to understand what caused the SSL connection to fail, and then grouped similar failures into various classes of SSL incidents. Throughout this presentation, we will describe the analysis we've made and present our findings.
First, we will provide a high-level overview of where, how, and why SSL incidents are occurring across the world for iOS and Android users, and describe the various classes of incidents we've detected. Some of these types of incidents, such as corporate devices performing traffic inspection, are well-known and understood, although we will provide new insights into how widespread they are.
Then, we will take a closer look at a few notable incidents we detected, which have been caused by unexpected, or even suspicious actors. We will describe our investigations and what we found.
Lastly, we will provide real-world solutions on how to protect apps against traffic interception and attacks, as a mobile developer.
From ATT&CKcon 3.0
By Jared Stroud, Lacework
Adversaries target common cloud misconfigurations in container-focused workflows for initial access. Whether this is Docker or Kubernetes environments, Lacework Labs has identified adversaries attempting to deploy malicious container images (T1610) , mine Cryptocurrency (T1496), and deploy C2 agents. Defenders new to the container space may be unaware of the built-in capabilities popular container runtime engines have that can help defend against rogue containers being deployed into their environment. Attendees will walk away with an understanding of what these attack patterns look like based on honeypot data Lacework has gathered over the past year, as well as techniques on how to defend their own container focused workloads.
The presentation is on Persistent Cookies and LDAP Injection. Persistent cookies stay on your hard drive (one of your browser's subfolders) until they expire or get deleted. The session will cover introduction to Persistent Cookies and applicable test-cases with respect to Web Application Penetration Testing. In LDAP Injection section, the presentation will cover: Understanding Active Directory, Understanding LDAP and How does LDAP Injection work.
Network Intelligence for a secured Network (2014-03-12)Andreas Taudte
This document discusses BlueCat Network Intelligence's threat protection solution for securing network infrastructure. It describes typical attacks that leverage DNS, and how BlueCat protects against these attacks by downloading lists of known malicious sites and blocking queries and traffic to these sites. The document also outlines challenges with external DNS and how BlueCat's hosted DNS solution addresses these with features like DNSSEC, response rate limiting, and anycast architecture. It positions BlueCat as providing a single management platform for on-premise and external DNS/DHCP services through components like Address Manager and Automation Manager.
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing
The presentation focuses on the whole process of security testing and present it by analogies to the web applications which are quite well-known. It covers the whole SDLC and show the similarities and differences in the arsenal of vulnerabilities, security tools and standards between the smart contracts and web applications on each step. Even though there exist a lot of great security projects for smart contracts, we do not have single, widely accepted security standard (such as ASVS in web apps world). That is why we introduce SCSVS (Smart Contract Security Verification Standard), a open-source 13-part checklist created to standardize the security of smart contracts for developers, architects, security reviewers and vendors.
Identity theft: Developers are key - JFokus 2017Brian Vermeer
Identity theft is perhaps the most concerning kind of Cybercrime nowadays. The most concerning aspect of identity theft is that once you are a victim it is hard to get rid of the consequences. Although as developers we are probably well aware of the risks towards cybercrime and identity theft in particular, in many parts we as developers play a big role in making identity theft happen. It is not only about how secure is your program, but how aware are you? Or better said how naive are we in practice as developers in this big bad world.
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE - ATT&CKcon
ATT&CK is valuable for those of us who are heads down in security day in and day out. But what about using ATT&CK to each college interns about security?
This presentation details how Tripwire used ATT&CK to build- out a new training regimen for summer interns. By going through and finding quick wins, Tripwire’s interns were actively engaged in learning about security. The detailed break downs of ATT&CK were greatly beneficial in helping teach security concepts to those who were not yet familiar with them. This session shows the program details and how you might be able to adapt it to your requirements.
From ATT&CKcon 3.0
By Matt Snyder, VMWare
Insider threats are some of the most treacherous and every organization is susceptible: it's estimated that theft of Intellectual Property alone exceeds $600 billion a year. Armed with intimate knowledge of your organization and masked as legitimate business, often these attacks go unnoticed until it's too late and the damage is done. To make matters worse, threat actors are now trying to lure employees with the promise of large paydays to help carry out attacks.
These advanced attacks require advanced solutions, and we are going to demonstrate how we are using the MITRE ATT&CK framework to proactively combat these threats. Armed with these tactics and techniques, we show you how to build intelligent detections to help secure even the toughest of environments.
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019kieranjacobsen
The document discusses common issues with email security such as spam, phishing, spear phishing, whaling and impersonation. It then provides an example of an email header from the Have I Been Pwned service, highlighting the various authentication and security details contained within the header such as SPF, DKIM and DMARC validation. The header is used to demonstrate how threat actors may spoof legitimate email domains and services to conduct phishing attacks.
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
This document discusses Opera Software's process for preventing secrets and sensitive information from being committed to code repositories. It describes the problem of secrets in codebases, various tools for identifying and managing secrets like HashiCorp Vault and detect-secrets, and Opera's implementation which uses Vault for secret storage and detect-secrets for identifying secrets in code. The process involves creating a secrets baseline, enabling detect-secrets hooks to prevent pushes with new secrets, auditing the codebase history, and updating the baseline over time.
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
This talk presents a case study which demonstrates that we should consider the knowledge and wisdom contained within ATT&CK in all organizational security initiatives to make sure by fixing one thing we have not just created an opportunity.
The presentation shows how to leverage the analysis and classification of APT tactics and procedures (TTP) to guide research into new and novel techniques, specifically focusing on exfiltration and command and control.
DNS over HTTPS (DoH) aims to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks. Major web browsers such as Firefox are considering its implementation by default. But what could this possibly mean for exfiltration and command and control?
This session provides an end-to-end demo that shows DoH being implemented to provide full command and control in a popular attack simulation framework and discusses associated mitigations.
Automation: The Wonderful Wizard of CTI (or is it?) MITRE ATT&CK
The document describes MITRE's Threat Report Automated Mapper (TRAM) tool, which uses machine learning to automatically map cyber threat reports to MITRE ATT&CK techniques. TRAM aims to streamline the process of analyzing reports and adding information to ATT&CK, though challenges remain around prediction accuracy and identifying new techniques. The document outlines TRAM's development process and discusses balancing automation with human analysis to better integrate cyber threat intelligence into ATT&CK.
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
The document discusses security issues with pull printing solutions. It provides three examples of security assessments conducted on different vendor products. In the first example, the proprietary protocol was reverse engineered and vulnerabilities like weak encryption were found. The second vendor took security seriously and responded quickly to reported issues. The third example showed vulnerabilities like a lack of encryption that could allow print job tampering. The document emphasizes that pull printing solutions require thorough security testing.
Gerald Z. Villorente presents on the topic of web security. He discusses security levels including server, network, application, and user levels. Some common web application threats are also outlined such as cross-site scripting, SQL injection, and denial-of-service attacks. The presentation provides an overview of aspects of data security, principles of secure development, and best practices for web security.
This topic will cover key concepts in android application security testing by employing a variety of tools and techniques to fasten the testing process.
This was presented at Null Bangalore Chapter (Saturday April 26 2014, 11:00 AM)
Attacker's Perspective of Active DirectorySunny Neo
This document provides an overview of attack methodologies from an attacker's perspective when targeting Active Directory environments. It discusses initial access techniques, privilege escalation to domain admin rights, maintaining situational awareness through techniques like password spraying and Kerberoasting, and lateral movement tactics like pass the hash and pass the ticket. It also provides mitigation strategies and detection opportunities for defenders.
Application Security session given as part of the Solvay Executive Master in IT Management.
Explaining application security challenges for web, mobile, cloud and internet of things.
Positioning OWASP SAMM as structural and measurable framework to get application security under control in the complete application lifecycle.
The document summarizes the OWASP 2013 top 10 list of web application security risks. It provides descriptions and examples for each of the top 10 risks: 1) Injection, 2) Broken Authentication and Session Management, 3) Cross-Site Scripting (XSS), 4) Insecure Direct Object References, 5) Cross-Site Request Forgery (CSRF), 6) Security Misconfiguration, 7) Sensitive Data Exposure, 8) Missing Function Level Access Control, 9) Using Components with Known Vulnerabilities, and 10) Unvalidated Redirects and Forwards. Protection strategies are also outlined for each risk.
Secure coding is the practice of developing software securely by avoiding security vulnerabilities. It involves understanding the application's attack surface and using techniques like input validation, secure authentication, access control, and encrypting sensitive data. The OWASP organization provides free tools and guidelines to help developers code securely, such as their Top 10 security risks and cheat sheets on issues like injection, authentication, and access control. Developers should use static and dynamic application security testing tools to identify vulnerabilities and continuously learn about secure coding best practices.
OWASP Top 10 - The Ten Most Critical Web Application Security RisksAll Things Open
The document discusses the OWASP Top 10 list, which is periodically updated by the Open Web Application Security Project to compile the top 10 most common security vulnerabilities found in web applications. It provides details on the top vulnerabilities, including Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities, Broken Access Control, Security Misconfiguration, Cross-Site Scripting, and Insecure Deserialization. For each vulnerability, it describes examples, grading based on exploitability, prevalence and detectability, and recommendations for prevention.
Oracle database threats - LAOUC WebinarOsama Mustafa
This document discusses database security and how databases can be hacked. It begins by introducing the presenter and their qualifications. It then discusses why database security is important for protecting financial, customer and organizational data. Common ways databases are hacked include gathering information through search engines or social media, scanning for vulnerabilities, gaining unauthorized access, and maintaining that access. Specific attacks on Oracle databases and the most common database security threats are outlined, such as weak authentication, denial of service attacks, and SQL injection. The document provides examples of how to test for and exploit SQL injection vulnerabilities. It emphasizes the importance of securing databases to prevent data theft and protect sensitive information.
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
This document discusses penetration testing approaches from the past compared to today. It notes that in the past, penetration testing was easier because networks had fewer security controls like firewalls and patches. The document then provides tips and techniques for identifying security controls like load balancers, intrusion prevention systems, and web application firewalls that may be in place on modern networks. It also discusses ways to potentially bypass these controls like using encryption, proxies, or virtual private networks.
Oracle PeopleSoft applications are under attacks (Hack in Paris)ERPScan
Oracle is the second largest vendor on the ERP market, and its PeopleSoft is used in more than 7000 companies including about 50 % of Fortune 100. PeopleSoft applications are widespread over the world with more than 72% of customers in the USA.
On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented this talk at the Hack In The Box security conference.
The presentation describes
Widespread security flaws in web application development 2015mahchiev
Widespread security flaws in web application development
*SQL Injection - Hands-On Example
*Cross - Site Scripting (XSS)
*Cross Site Request Forgery
*HTTP Strict Transport Security
The document provides guidelines for secure coding. It discusses the evolution of software markets and increased security threats. Common web attacks like injection, broken authentication, and sensitive data exposure are explained. The OWASP Top 10 list of vulnerabilities is reviewed. The document emphasizes the importance of secure coding practices like input validation, output encoding, and using components with no known vulnerabilities. Following a secure coding lifestyle can help developers write more secure code and protect against attacks.
How to get along with HATEOAS without letting the bad guys steal your lunch?Graham Charters
This document discusses how hackers may attempt to exploit APIs and outlines strategies for using HATEOAS to improve API security. It notes that hackers will automatically fuzz APIs using tools to find vulnerabilities. It recommends using HATEOAS to enforce state-based navigation through the API, adding tracking data to links, and having a "front door" endpoint to validate requests and limit guessable paths, reducing opportunities for exploitation. Overall, the document argues that while HATEOAS aims to help clients, naively implementing it does not improve security, and the engine of application state concept should be used thoughtfully to enforce valid request flows and detect unexpected behavior.
In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up this year (e.g. Referrer Policy, Subresource Integrity). In addition to getting familiar with these, a number of recent high-profile bugs in the SSL/TLS protocol and implementations have forced developers to learn more about TLS ciphers and to start worrying about mixed content on their pages.
As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2015. This talk will give an overview of the security and privacy landscape on the web as well as pointers to what developers need to know to secure their applications.
https://2015.rmll.info/security-and-privacy-on-the-web-in-2015?lang=en
This document summarizes a presentation on web application security and the OWASP Top 10. It discusses the motivation for securing web apps, common causes of data breaches, and an overview of the OWASP Top 10 project and the most critical web application security flaws. The presentation recommends ways to address these issues, such as keeping software updated, using automated scanning tools, and implementing input validation and authorization checks. Specific attacks covered include cross-site scripting, insecure direct object references, and broken authentication and session management.
Oracle PeopleSoft applications are under attack (HITB AMS)ERPScan
Oracle is the second largest vendor on the ERP market, and its PeopleSoft is used in more than 7000 companies including about 50 % of Fortune 100. PeopleSoft applications are widespread over the world with more than 72% of customers in the USA.
On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented this talk at the Hack In The Box security conference.
The presentation describes PeopleSoft Architecture and provides several internal and external attack vectors. Let’s look at the most dangerous one. PeopleSoft systems are often accessible from the Internet. And some parts of the system have to be available before registration, for example, job application forms or “Forgot your password?” forms. For this purpose, there is a special user with minimal rights in PeopleSoft systems. When you enter, the system automatically authenticates you as this user. It is an opportunity to perform a privilege escalation attack by bruteforcing the authentication cookie called TokenID. TokenID is generated based on SHA1 hashing algorithm, and according to the latest information, 8-characters alpha-numeric password can be decrypted within one day on latest GPUs that cost about $ 500.
In The Middle of Printers –The (In)Security of Pull Printing SolutionsSecuRing
Big corporations and financial institutions need secure pull printing services which guarantee a proper encryption, data access control and accountability. This research aimed to perform a MITM attack on multifunction printers with embedded software from the most popular vendors. The results are staggering - similar vulnerabilities have been found in multiple solutions which are exposed to breaking the encryption, collecting any prints from the server and printing at others' expense.
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
This document discusses the top 10 web application security vulnerabilities as identified by OWASP (Open Web Application Security Project). It provides an overview of each vulnerability, examples, and recommendations for countermeasures. The vulnerabilities covered are injection, broken authentication and session management, cross-site scripting (XSS), insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, cross-site request forgery (CSRF), using components with known vulnerabilities, and unvalidated redirects and forwards. The document emphasizes using features in Oracle Application Development Framework (ADF) to help address many of these vulnerabilities.
The document discusses database security and SQL injection attacks. It provides an overview of access control in SQL and MySQL, including the use of views and privileges. It then describes SQL injection attacks, giving examples of how attackers can exploit vulnerabilities to view sensitive data or delete tables. The best defense is using prepared statements with bound parameters rather than embedding user input directly into SQL. Other defenses include input validation, output encoding, limiting permissions, and configuring error reporting.
The document discusses database security and SQL injection attacks. It provides an overview of access control in SQL and MySQL, views, and limitations of SQL security. It defines SQL injection attacks and gives examples of how attacks work by inserting malicious SQL statements into user input. The document recommends best practices for prevention, including using prepared statements with bound variables, input validation, output encoding, and limiting database permissions.
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
View the on-demand recording: http://securityintelligence.com/events/avoiding-application-attacks/
Your organization is running fast to build your business. You are developing new applications faster than ever and utilizing new cloud-based development platforms. Your customers and employees expect applications that are powerful, highly usable, and secure. Yet this need for speed coupled with new development techniques is increasing the likelihood of security issues.
How can you meet the needs of speed to market with security? Hear Paul Ionescu, IBM Security, Ethical Hacking Team Lead discuss:
- How application attacks work
- Open Web Application Security Project (OWASP) goals
- How to build defenses into your applications
- The 10 most common web application attacks, including demos of the infamous Shellshock and Heartbleed vulnerabilities
- How to test for and prevent these types of threats
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
In this presentation I'm trying to describe the "Top 10 Vulnerabilities in Web Application" according to OWASP (Open Web Application Security Project).
--The top 10 security mistakes that developers make
--How to design software with an assurance of security
Are you botching the security of your AngularJS applications? (DevFest 2016)Philippe De Ryck
If you make a list of popular JavaScript MVC frameworks, AngularJS is probably at the top of the list. Developers around the world are crazy about the Angular way of doing things, and love how easy it is to write AngularJS applications. However, few people know that AngularJS packs a lot security features, right out of the box. Unfortunately, because many developers are not aware of these security features, they are often unintentionally circumvented, or not used to their full potential. For example, think about common advice on Stack Overflow to turn off the protection against cross-site scripting (XSS) attacks, just so you can directly bind HTML data to a variable.
In this session, you will learn how to leverage AngularJS' security features to their full potential. Specifically, you will learn how AngularJS applies Strict Contextual Escaping (SCE) against XSS attacks, and how to relax that protection in a safe way (instead of turning it off). We also cover the advanced Content Security Policy (CSP). We mainly focus on AngularJS 1.x, but also relate the concepts to AngularJS 2 where relevant.
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafePhilippe De Ryck
The slides from an overview presentation of how the Web, and Web security, have changed in the last few years. This talk has been given at various public and private venues. Get in touch if you want to invite me to your company or tech group!
This document discusses securing EmberJS applications. It begins by introducing the author and their background working on client-side web security. It then provides an overview of the topics covered, which include cross-site request forgery (CSRF), cross-site scripting (XSS), and content security policy (CSP). It explains the architecture of single-page applications like EmberJS applications. It also illustrates common web attacks like CSRF and XSS, and describes approaches to mitigate these attacks in EmberJS applications, including the use of tokens and CSP.
This document provides an overview of securing single page applications presented by Philippe De Ryck. It discusses traditional web application architecture compared to single page applications and outlines some of the key security challenges in single page applications including session management, cross-site scripting, content security policy, and cross-origin resource sharing. The presentation also provides details on defending against cross-site request forgery and the use of tokens as an alternative to cookies for session management.
Subresource Integrity (SRI) allows websites to specify a cryptographic hash for external scripts and stylesheets to verify their integrity before loading. A study found 88% of top websites include external JavaScript libraries. SRI helps prevent attacks from compromised CDNs by only loading resources that match the expected hash value. SRI also uses the crossorigin attribute to implement Cross-Origin Resource Sharing (CORS) and prevent data leakage when checking external resources. CORS headers must be present for SRI integrity checks to prevent loading alternative scripts. SRI provides more control over included external content and is supported by libraries like Ember.js.
The tools at our disposal today for deploying HTTPS are tremendously powerful, and easy to use. Initiatives like Let's Encrypt offer certificates, and new security policies like HSTS and HPKP allow you to protect against extremely powerful attacks. HTTPS, Here and Now!
This was an invited talk at the ICT Security Happening, organized by the VDAB Competence Center in Leuven.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Infrastructure Challenges in Scaling RAG with Custom AI modelsZilliz
Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
4. About Me – Philippe De Ryck
§ Postdoctoral Researcher @ DistriNet (KU Leuven)
§ Focus on (client-side) Web security
§ Responsible for the Web Security training program
§ Dissemination of knowledge and research results
§ Target audiences include industry and researchers
§ Main author of the Primer on Client-Side Web Security
§ 7 attacker models, broken down in 10 capabilities
§ 13 attacks and their countermeasures
§ Overview of security best practices
8. What Happens when You Submit a Form
8
GET login.html
200 OK
Html page
Fill out form POST login.php
username: Philippe
password: ...
200 OK
Html page
Open site
12. Network Sniffing Is Straightforward
12
§ Sniffing can be a completely passive attack
§ Just listen to the traffic and analyze it later
§ HTTPS protects you against network-based attacks
§ It encrypts the traffic, so that nobody else can read it
19. SSL Stripping
19
GET http://websec.be
200 OK
Response page
POST http://www.websec.be
GET http://…
301 Moved
GET https://…
200 OK
Rewrite
HTTPS
URLs
User: philippe & pass: pazzw0rd
POST https://…
websec.be
20. Preventing SSL Stripping with HSTS
20
GET https://websec.be
websec.be
200 OK
Response page
Strict-Transport-Security: max-age=31536000;
GET https://websec.be
200 OK
Response page
Strict-Transport-Security: max-age=31536000;
websec.be
GET https://www.websec.be
200 OK
Response page
Strict-Transport-Security: max-age=31536000;
21. HTTPS Is Really Worth the Effort
21
§ An attacker on the network level can
§ Read all unprotected traffic, regardless of which application
§ Modify content from the browser to the server
§ Modify content form the server to the browser
§ Remove HTTPS if only used for specific pages or form submissions
• This attack is called SSL Stripping and is very dangerous
§ Essentially take full control of the Web page
§ All of these attacks are invisible for most users
§ Even security experts fall for these if not paying attention
§ But a correct HTTPS deployment counters all of this …
22. How to Deploy HTTPS Correctly
22
§ Configure your HTTPS with a valid certificate
§ These used to be expensive, but now there are free options
§ Let’s encrypt is backed by the EFF and offers free HTTPS certs
§ Deploy your entire website over HTTPS
§ Partial HTTPS still leaves you vulnerable against numerous attacks
§ The performance impact is very limited nowadays
§ Many major sites have switched to full HTTPS
§ Use state-of-the-art security techniques
§ HTTP Strict Transport Security (HSTS)
23. Back to the Video with Weird Usernames
23
http://nieuws.vtm.be/binnenland/60632-overheidssites-gehackt-2-minuten
24. Verifying a User’s Credentials
24
GET login.html
200 OK
Html page
POST login.php
username: Philippe
password: …
200 OK
Html page
Lookup User
Check Password
Load User Info
25. Communicating with a Database
25
§ Application data is generally stored in a database
§ Most common technology is a relational database
§ Can be queried using SQL (Structured Query Language)
ID username password email role
1 Administrator au28sj348aj2 administrator@gmail.com admin
2 Philippe secret philippe.deryck@cs.kuleuven.be Editor
3 … … … …
26. Communicating with a Database
26
§ Application data is generally stored in a database
§ Most common technology is a relational database
§ Can be queried using SQL (Structured Query Language)
§ When a user logs in, the application verifies his credentials
SELECT * FROM users WHERE username = ‘ + username + ‘ AND password = ‘ + password + ‘
Username: philippe Password: secret
SELECT * FROM users WHERE username = ‘philippe‘ AND password = ‘secret‘
Philippe – secret – philippe.deryck@cs.kuleuven.be – editor
27. Communicating with a Database
27
§ Application data is generally stored in a database
§ Most common technology is a relational database
§ Can be queried using SQL (Structured Query Language)
§ When a user logs in, the application verifies his credentials
SELECT * FROM users WHERE username = ‘ + username + ‘ AND password = ‘ + password + ‘
Username: superman Password: kryptonite
SELECT * FROM users WHERE username = ‘superman‘ AND password = ‘kryptonite‘
28. Communicating with a Database
28
§ Application data is generally stored in a database
§ Most common technology is a relational database
§ Can be queried using SQL (Structured Query Language)
§ When a user logs in, the application verifies his credentials
SELECT * FROM users WHERE username = ‘ + username + ‘ AND password = ‘ + password + ‘
Username: administrator Password: luckyguess
SELECT * FROM users WHERE username = ‘administrator‘AND password = ‘luckyguess‘
29. Communicating with a Database
29
§ Application data is generally stored in a database
§ Most common technology is a relational database
§ Can be queried using SQL (Structured Query Language)
§ When a user logs in, the application verifies his credentials
SELECT * FROM users WHERE username = ‘ + username + ‘ AND password = ‘ + password + ‘
Username: administrator’-- Password: luckyguess
SELECT * FROM users WHERE username = ‘administrator’--
Administrator– au28sj348aj2– administrator@gmail.com – admin
30. Communicating with a Database
30
§ Application data is generally stored in a database
§ Most common technology is a relational database
§ Can be queried using SQL (Structured Query Language)
§ When a user logs in, the application verifies his credentials
SELECT * FROM users WHERE username = ‘ + username + ‘ AND password = ‘ + password + ‘
Username: ‘ OR ‘1’ = ‘1’-- Password:
SELECT * FROM users WHERE username = ‘‘ OR ‘1’ = ‘1’--
Administrator – au28sj348aj2– administrator@gmail.com – admin
Philippe – secret – philippe.deryck@cs.kuleuven.be – editor
…
31. SQL Injection Attacks Are Problematic
31
§ Injection problems are ranked #1 in the OWASP Top 10
§ SQL injection a very common attack
https://blog.sucuri.net/2015/10/joomla-sql-injection-attacks-in-the-wild.html
32. SQL Injection Attacks Are Problematic
32
§ Injection problems are ranked #1 in the OWASP Top 10
§ SQL injection a very common attack
§ The problem stretches beyond login forms
§ Everywhere where data is used in a query, injection exists
§ The payload that is injected can be anything …
UPDATE users SET email = ‘ + email + ‘ WHERE username = ‘ + username + ‘
Email: philippe@gmail.com Username: philippe’; DROP DATABASE website;--
UPDATE users SET email = ‘philippe@gmail.com‘ WHERE username = ‘philippe‘;
DROP DATABASE website;--
34. Prepared Statements against SQL Injection
34
§ An injection attack is caused by confusing data and code
§ The database cannot distinguish the query and the data anymore
§ It does not know what the intended behavior of the query was
§ Prepared statements declare the query up front
§ Data is inserted separately, and will never be interpreted as code
SELECT * FROM users WHERE username = ‘?‘ AND password = ‘?‘
Username: administrator’-- Password: luckyguess
SELECT * FROM users WHERE username = ‘administrator’--’AND password = ‘luckyguess’
SELECT * FROM users WHERE username = ‘administrator’--
35. Preventing SQL Injection Attacks
35
§ The only correct defense is using Prepared Statements
§ Every language supports prepared statements
§ Is only a small effort to do this right in the application’s code
§ Escaping is often considered as an alternative defense
§ Dangerous characters (like ‘ and --) are replaced with safe versions
§ This approach is less effective and more error prone
§ Defending against SQL injection is technically not difficult
§ But it requires explicit action from the developer
36.
37. A Quick Recap …
37
§ Mobile computers and Wifi networks have changed the Web
§ Enabler of astonishing scenarios and applications
§ But security has become a lot more important as well
§ Network-level attacks have become much easier
§ Anyone sitting nearby can target a wireless user
§ Users are not necessarily the victim, but their employer may be
§ HTTPS offers protection against network-level attacks
§ Realize that it is important, and switch everything to HTTPS
§ Deploy it correctly, and keep your configuration up to date
38. A Quick Recap …
38
§ SQL injection is a very old vulnerability
§ But it’s still very relevant today, as aptly illustrated in this talk
§ SQL injection can be very harmful
§ One of the major sources of data leaks
§ Can even give the attacker full control over your database
§ Preventing SQL injection is not difficult
§ Requires a bit of effort from the developer, but not very much
§ But you need to explicitly protect against these attacks
39. Managing Your Application’s Security
39
§ You are not a security expert, and nobody expects you to be
§ Be knowledgeable about basic Web security concepts
§ Be involved in building the threat model of your application
§ Be aware of the contemporary Web security landscape
§ Find trustworthy people for the technical security aspects
§ Instruct your contractor to explicitly take security into account
§ Ask for evidence that they are knowledgeable about security
§ Verify the list of technical goals with a knowledgeable person
40. Managing Your Application’s Security
40
§ Make security goals an explicit requirement
§ Contractors should deliver projects that follow current best practices
§ Plenty of resources available, for example from OWASP
§ Think about liability, and see if you can transfer it
§ Verify the security of your applications
§ Many companies can perform security reviews of your applications
§ Should be mandatory for critical systems
• Passing a security review as a final requirement before delivering a project
41. Why Web Security Matters!
Philippe De Ryck
philippe.deryck@cs.kuleuven.be
/in/philippederyck
https://distrinet.cs.kuleuven.be/events/websecurity/
@PhilippeDeRyck