Slides for a talk given at PasswordsCon Sweden 2019. Credential stuffing is an automated attack that exploits users who reuse passwords by taking breached credentials and replaying them across sites.
The document is a seminar report that discusses approaches for generating fake passwords or "honeywords" to detect when a password database has been breached. It summarizes four existing honeyword generation methods: chaffing-by-tweaking, chaffing-with-a-password-model, chaffing with "tough nuts", and a hybrid method. It then proposes a new approach that selects honeywords from existing user passwords in the system in order to reduce storage costs and improve the realism of the honeywords.
Understanding Information Security Assessment Types (HackerOne)
This document summarizes Daniel Miessler's blog post describing different types of security assessments. It discusses vulnerability assessments, penetration tests, red team assessments, audits, white/grey/black box assessments, risk assessments, threat assessments, threat modeling, and bug bounties. For each type, it provides a definition, what they are commonly confused with, and what they are best used for. The key messages are that vulnerability assessments aim to find all issues while penetration tests validate security, and organizations should perform assessments before tests to identify and fix issues.
Lend me your IR's!
-Matt Scheurer
BSides Columbus
August 21, 2020
Abstract:
Have you ever felt compelled to tip your cap to a malicious threat actor? Protecting systems and networks as a tech defender means withstanding a constant barrage of unsophisticated attacks from automated tools, botnets, crawlers, exploit kits, phish kits, and script kiddies; oh my! Once in a while we encounter attacks worthy of style points for creativity or new twists on old attack techniques. This talk features live demo reenactments from some advanced attacks investigated by the presenter. The live demos showcase technical deep dives of the underpinnings from both the attacker and investigator sides of these attacks. Attendee key takeaways are strategies, freely available tools, and techniques helpful during incident response investigations.
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG), a former Ambassador for Bugcrowd, and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.
Let's face it, the web can be a dangerous place. So how do you protect your users and yourself? Tony Amoyal answers that and more as he shows how Rails can help protect against miscreants.
This document discusses sandboxing untrusted JavaScript from third parties to improve security. It proposes a two-tier sandbox architecture that uses JavaScript libraries and wrappers, without requiring browser modifications. Untrusted code is executed in an isolated environment defined by policy code, and can only access approved APIs. This approach aims to mediate access between code and the browser securely and efficiently while maintaining compatibility with existing third-party scripts.
The document discusses various web security topics such as Google hacking, session hijacking, cross-site scripting, and SQL injection. It provides an agenda covering vulnerability types, mitigation strategies, and tools for testing each vulnerability. Recommendations are given for securing websites against common attacks discovered through search engines.
The document outlines 10 mistakes hackers want developers to make when building applications. The mistakes include: 1) Using dependencies with known vulnerabilities; 2) Unsanitized user input which can enable injection attacks; 3) Unsafe regex patterns that can allow denial of service attacks; 4) Failure to implement rate limiting and prevent abusive requests. The document provides examples and solutions for avoiding each mistake to help developers build more secure applications.
Bug bounty programs involve paying security researchers rewards for finding vulnerabilities in companies' products. To participate, researchers need to understand the target company's products and domains, know which companies offer bounties, and find bugs that are in scope like XSS, SQL injection, or authentication bypasses. Rewards can range from $100 to $20,000. Major companies like Google, Facebook, and Mozilla run bounty programs and have collectively paid over $1 million to researchers. Examples are shown of real bugs found and reported through bounty programs. The conclusion encourages reporting bugs to companies rather than selling vulnerabilities.
Hackers and developers are compared in the document. Hackers are described as skillful with deep technical understanding but often unsocial and focused on breaking systems. Developers are portrayed as true professionals who work with people to build applications and believe they can change the world. The document then provides examples of how hacking can look simple, such as cross-site scripting attacks on websites. It offers suggestions for prevention including input sanitization and access control. Later it discusses hacking in Node.js and risks of SQL and NoSQL injection. Finally it addresses how hacking and development skills could be applied for social good or security testing.
Lend me your IR's!
-Matt Scheurer
Circle City Con
CircleCityCon 7.0 Apocalypse
June 13, 2020
Abstract:
Have you ever felt compelled to tip your cap to a malicious threat actor? Protecting systems and networks as a tech defender means withstanding a constant barrage of unsophisticated attacks from automated tools, botnets, crawlers, exploit kits, phish kits, and script kiddies; oh my! Once in a while we encounter attacks worthy of style points for creativity or new twists on old attack techniques. This talk features live demo reenactments from some advanced attacks investigated by the presenter. The live demos showcase technical deep dives of the underpinnings from both the attacker and investigator sides of these attacks. Attendee key takeaways are strategies, freely available tools, and techniques helpful during incident response investigations.
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG), an Ambassador for Bugcrowd, and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.
This paper presents a machine learning approach to identify malicious URLs. The researchers use URL lexical features, JavaScript source code features, and payload size as inputs to an SVM classifier. They achieve an accuracy of 0.81 and an F1 score of 0.74 when combining all feature types. Future work could involve testing on more malicious URLs and incorporating additional JavaScript and network features to improve detection of evolving attacks. The goal is to develop a real-time system for classifying URLs on mobile devices.
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac... (Jakub Kałużny)
The document discusses security issues with pull printing solutions. It provides three examples of security assessments conducted on different vendor products. In the first example, the proprietary protocol was reverse engineered and vulnerabilities like weak encryption were found. The second vendor took security seriously and responded quickly to reported issues. The third example showed vulnerabilities like a lack of encryption that could allow print job tampering. The document emphasizes that pull printing solutions require thorough security testing.
AppSecCali - How Credential Stuffing is Evolving (Jarrod Overson)
This talk was given at AppSec California, January 2020.
Credential stuffing and other automated attacks are evolving past every defense thrown in their way. CAPTCHAs don't work, fingerprints don't work, magical AI-whatevers don't work. The value is just too great.
The State of Credential Stuffing and the Future of Account Takeovers (Jarrod Overson)
Jarrod Overson discusses the evolution of credential stuffing attacks and where they may go in the future. He summarizes that credential stuffing started as basic automated login attempts but has evolved through generations as defenses were put in place, such as CAPTCHAs and behavior analysis. The next generation involves more sophisticated imitation attacks that flawlessly emulate human behavior using real device fingerprints to blend in. Beyond credential stuffing, malware may start scraping user accounts and environments directly from infected machines. As defenses raise the cost of attacks, fraudsters will diversify methods to preserve the value of valid accounts and user data.
This document discusses using threat modeling at scale in agile development to improve security. It proposes identifying security requirements and test cases for each user story by considering potential "abuser stories". This would involve breaking down high-level user stories, assigning security champions to identify abuser stories, and having the security team maintain base threat models and own testing. Examples of threat modeling user stories around password resets and money withdrawals are provided. The goal is to shift security left in the SDLC by introducing it earlier through systematic threat modeling of user stories.
The life of breached data and the attack lifecycle (Jarrod Overson)
OWASP RTP Presentation on Data breaches, credential spills, the lifespan of data, credential stuffing, the attack lifecycle, and what you can do to protect yourself or your users.
Slides from a workshop titled Data Privacy for Activists on January 29th, 2017 for the Data Privacy PDX Meetup group.
Workshop included presentation and live demos of:
- leaked credentials
- metadata fingerprinting
- VPN use
- Encrypted Email
This document discusses 3D passwords as an authentication method. It begins by describing traditional authentication methods like knowledge-based, token-based, and biometric authentication. It then introduces the concept of 3D passwords, which combine recognition, recall, tokens, and biometrics within a 3D virtual environment. The document outlines the advantages of 3D passwords and potential applications. It also discusses threats like brute force, shoulder surfing, and timing attacks along with countermeasures. In conclusion, the document argues that 3D passwords can improve authentication by making passwords difficult to crack.
Biometric technology is useful for the authentication process nowadays. In this presentation I have explained the use of 3D finger authentication, face recognition, token authentication and knowledge authentication.
Implementing a comprehensive application security program - Tawfiq (OWASP-Qatar Chapter)
The document discusses implementing a comprehensive application security program. It begins with an overview of advanced persistent threats (APTs) and how they systematically target networks over long periods of time to achieve political, economic, technical and military objectives. It then details how the RSA security company was hacked through a targeted email attack and credential theft. The document emphasizes that application vulnerabilities are a major entry point for APTs and stresses the importance of addressing the OWASP Top 10 security risks like injection flaws and cross-site scripting. It argues that without a risk-based approach, traditional penetration testing provides limited business value by focusing only on technical issues.
Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive.
Key Takeaways:
-Great places in the user journey to inject security tests
- Ways to augment existing test approaches to cover security concerns
- Typical security tools that are free, cheap, and easy for software testers
Make Every Spin Count: Putting the Security Odds in Your Favor (David Perkins)
Cerdant’s Director of Engineering, Joshua Skeens, presented the best ‘bets’ to increase your security odds. Josh warned customers to stop gambling with their data, and cautioned against weak, guessable passwords stating, “Use 2-Factor Authentication everywhere!” The first step in creating the best security posture possible for your business will always be just getting started, and to keep momentum Josh suggests implementing 1 new security practice each week.
Malware's Most Wanted: Zberp, the Financial Trojan (Cyphort)
Zbot + Carberp = Zberp, an online banking trojan that is reported to have impacted 450 financial institutions around the world in the first month since discovery. In addition to its malicious capabilities, the Zberp Trojan uses a combination of evasion techniques that it inherited from both the Zeus, also known as Zbot, and Carberp. Add in the ‘invisible persistence’ feature and you have one nasty piece of malware.
Defeating online fraud and abuse – Continuous Intelligence in action (Thoughtworks)
Dr Gerald Hartig, Principal Data Scientist at Arkose Labs discusses Continuous Intelligence approaches and how they can be applied to protect some of the world’s largest web properties.
Making Sure of Security? A Look at Penetration Testing (Software Guru)
Session presented at SG Virtual, 11th edition.
By: Gilberto Sánchez.
In this talk we look at what Penetration Testing is, why to do it, the types of pen testing that exist, as well as the pre-attack, attack and post-attack phases and the standards that exist today.
The document provides an overview of penetration testing basics from a presentation by The Internet Storm Center, SANS Institute, and GIAC Certification Program. It discusses the Internet Storm Center, SANS/GIAC training and certifications, common cyber threats, the methodology for penetration testing, tools used for various stages like reconnaissance, scanning, exploitation, and analysis, and the importance of reporting and mitigation strategies.
BSidesSF 2016 - A year in the wild: fighting malware at the corporate level (Jakub "Kuba" Sendor)
From the moment of the threat detection, first response throughout the analysis, and the final resolution, we make sure that we can catch as many incidents as possible and properly sanitize the environment so that the potential problems are cut short. All this in an automated and orchestrated fashion, eliminating the manual repetition as much as possible thanks to the in-house built tools like AIR (Automated Incident Response), OSXCollector (Mac OS X forensics collection) and ElastAlert (alerting out of Elasticsearch). We also complement the pipeline with some available open source tools, like osquery and other proprietary threat detection technologies. This adds up to a balanced ecosystem that helps us leverage the current assets, learn about the potential problems quickly and respond to them in a timely fashion.
How to Replace Your Legacy Antivirus Solution with CrowdStrike (CrowdStrike)
This document summarizes CrowdStrike's endpoint security product Falcon and argues that it provides more effective protection than legacy antivirus solutions. It notes that antivirus has an efficacy rate of only 45% against modern threats and is ineffective at stopping sophisticated attacks. CrowdStrike's Falcon uses techniques like machine learning, IOAs, and threat intelligence to prevent a wider range of attacks while having a smaller system footprint than antivirus. It also provides detection capabilities like endpoint detection and response to eliminate attack dwell time. The document aims to convince readers to replace their legacy antivirus with CrowdStrike's Falcon.
Similar to How Credential Stuffing is Evolving - PasswordsCon 2019 (20)
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su... (Jarrod Overson)
This document summarizes an analysis of an exploited NPM package called event-stream. It describes how an attacker gained control of the package and added malicious code that was downloaded by thousands of projects whenever their dependencies were updated. The malicious code stole cryptocurrency from wallets containing large amounts. It highlights the risks of supply chain attacks and emphasizes the importance of auditing dependencies, locking versions, and thinking carefully before adding new dependencies to avoid compromising entire projects and their users.
Analysis of an OSS supply chain attack - How did 8 millions developers downlo... (Jarrod Overson)
Jarrod Overson presented on a supply chain attack that occurred in 2018 through the compromise of the event-stream Node.js package. An unauthorized developer gained commit access and introduced malicious code through new dependencies that was then installed by millions of users. The malware harvested cryptocurrency private keys from the Copay wallet app. While the community responded quickly, such attacks demonstrate vulnerabilities in open source software supply chains and dependency management that will continue to be exploited if not properly addressed through changes to practices and tooling.
Deepfakes - How they work and what it means for the future (Jarrod Overson)
Deepfakes started as cheap but believable video effects and have expanded into AI-generated content of every format. This session dove into the state of deepfakes and how the technology highlights an exciting but dangerous future.
Workshop slides originally given at the WOPR Summit in Atlantic City. Use JavaScript parsers and generators like Shift combined with Puppeteer and Chrome to reverse engineer web applications
Shape Security analyzes 1.5 billion logins per week and protects 350 million user accounts. In 2016 alone, 1.6 billion credentials were leaked and sold or traded by criminals on dark web markets. Shape uses headless browsers like PhantomJS to automatically test leaked credentials on other sites, stopping over $1 billion in fraud losses in 2016. However, captchas intended to prevent automated attacks do not work and ruin the user experience.
Talk given at Mozilla's first View Source Conference in Portland, 2015. Details out the parallels between graphics and game developments compared to traditional web development.
This document discusses the dark side of web security, including automated threats from bots and attackers. It notes that traditional security like flossing is difficult to measure effectiveness. It outlines the OWASP top 10 vulnerabilities and automated threats attackers use. While captchas are meant to stop bots, services have made bypassing captchas easier. If a site has value like money, data, or content, there is value in exploiting it. Detection of attacks is difficult as attackers use many proxies and fingerprints to avoid detection. Patching is not enough, and spikes in traffic from many IPs could indicate an attack.
This was a talk given at HTML5DevConf SF in 2015.
Ever wanted to write your own Browserify or Babel? Maybe have an idea for something new? This talk will get you started understanding how to use a JavaScript AST to transform and generate new code.
This document discusses ECMAScript 2015 (ES2015), also known as ES6. It provides examples of new ES2015 features like arrow functions, template literals, classes, and modules. It also discusses how to set up a development environment to use ES2015, including transpiling code to ES5 using Babel, linting with Eslint, testing with Mocha, and generating coverage reports with Istanbul. The document emphasizes that while ES2015 is fun to explore, proper tooling like linting and testing is needed for serious development. It concludes by noting ES2015 marks a transition and thanks the audience.
The document discusses achieving maintainability in code through examining code quality with linters, generating visual reports on metrics like complexity and coverage, and automating processes like builds, linting, and testing through tools like Grunt and Gulp. It emphasizes setting limits on metrics like complexity, enforcing code style through automation, and treating documentation as important as code.
1) The document discusses achieving maintainability in code through analysis, automation, and enforcement of standards.
2) It recommends setting up linting, code coverage, and other analysis tools to examine code quality and automatically enforcing code style through build processes.
3) The key is to automate as many processes as possible like testing, linting, and documentation to make the code easy to work with and prevent issues from being introduced.
Riot on the web - Keynote @ QCon Sao Paulo 2014 (Jarrod Overson)
Slides for the keynote given at QCon Sao Paulo 2014. Talk goes into the problems scaling Riot and how we've tried to solve them as well as what we've learned from the web and what lies in store next.
Managing JavaScript Complexity in Teams - Fluent (Jarrod Overson)
This document discusses managing complexity in JavaScript projects. It addresses coming to terms with the challenges of dynamic languages being messy, having an immature tooling ecosystem, and rapid evolution. It emphasizes respecting code style conventions, enforcing linting rules, documenting code, and using metrics like cyclomatic complexity to reduce testing difficulty. The overall message is that perseverance is needed to tame JavaScript's complexity through automation, visualization, honesty and acceptance of its challenges and opportunities.
The document discusses web components, which include HTML templates, custom elements, shadow DOM, and HTML imports. Web components allow the creation of reusable custom elements with their own styles and DOM structure. They provide encapsulation and help avoid issues with global namespaces. While browser support is still emerging for some features, polyfills exist and frameworks like Polymer make web components accessible today. Web components represent an important evolution of the web that will improve how code is structured and shared.
This talk was given on Oct 23 at HTML5DevConf in San Francisco. The topic was Continuous Delivery as it relates to JavaScript applications, using tools like grunt and jenkins.
Have you ever built a sandcastle at the beach, only to see it crumble when the tide comes in? In the digital world, our information is like that sandcastle, constantly under threat from waves of cyberattacks. A cybersecurity course is like learning to build a fortress for your information!
This course will teach you how to protect yourself from sneaky online characters who might try to steal your passwords, photos, or even mess with your computer. You'll learn about things like:
* **Spotting online traps:** Phishing emails that look real but could steal your info, and websites that might be hiding malware (like tiny digital monsters).
* **Building strong defenses:** Creating powerful passwords and keeping your software up-to-date, like putting a big, strong lock on your digital door.
* **Fighting back (safely):** Learning how to identify and avoid threats, and what to do if something does go wrong.
By the end of this course, you'll be a cybersecurity champion, ready to defend your digital world and keep your information safe and sound!
10th International Conference on Networks, Mobile Communications and Telema... (ijp2p)
10th International Conference on Networks, Mobile Communications and
Telematics (NMOCT 2024)
Scope
10th International Conference on Networks, Mobile Communications and Telematics (NMOCT 2024) is a forum for presenting new advances and research results in the fields of Network, Mobile communications, and Telematics. The aim of the conference is to provide a platform to the researchers and practitioners from both academia as well as industry to meet and share cutting-edge development in the field.
Authors are solicited to contribute to the conference by submitting articles that illustrate research results, projects, surveying works, and industrial experiences that describe significant advances in the following areas but are not limited to.
Topics of interest include, but are not limited to, the following:
Mobile Communications and Telematics Mobile Network Management and Service Infrastructure Mobile Computing Integrated Mobile Marketing Communications Efficacy of Mobile Communications Mobile Communication Applications Critical Success Factors for Mobile Communication Diffusion Metric Mobile Business Enterprise Mobile Communication Security Issues and Requirements Mobile and Handheld Devices in the Education Telematics Tele-Learning Privacy and Security in Mobile Computing and Wireless Systems Cross-Cultural Mobile Communication Issues Integration and Interworking of Wired and Wireless Networks Location Management for Mobile Communications Distributed Systems Aspects of Mobile Computing Next Generation Internet Next Generation Web Architectures Network Operations and Management Adhoc and Sensor Networks Internet and Web Applications Ubiquitous Networks Wireless Multimedia Systems Wireless Communications
Heterogeneous Wireless Networks Operating System and Middleware Support for Mobile Computing Interaction and Integration in Mobile Communications Business Models for Mobile Communications E-Commerce & E-Governance
Nomadic and Portable Communication Wireless Information Assurance Mobile Multimedia Architecture and Network Management Mobile Multimedia Network Traffic Engineering & Optimization Mobile Multimedia Infrastructure Developments Mobile Multimedia Markets & Business Models Personalization, Privacy and Security in Mobile Multimedia Mobile Computing Software Architectures Network & Communications Network Protocols & Wireless Networks Network Architectures High Speed Networks Routing, Switching and Addressing Techniques Measurement and Performance Analysis Peer To Peer and Overlay Networks QOS and Resource Management Network-Based Applications Network Security Self-organizing networks and Networked Systems Mobile & Broadband Wireless Internet Recent Trends & Developments in Computer Networks
Paper Submission
Authors are invited to submit papers through the conference Submission System by July 06, 2024. Submissions must be original and
How Credential Stuffing is Evolving - PasswordsCon 2019
1. Jarrod Overson
Director of Engineering at Shape Security
HOW CREDENTIAL STUFFING IS EVOLVING
And where do we go from here?
2. cre·den·tial stuff·ing
/krəˈden(t)SHəl ˈstəfiNG/
The testing of previously breached username and password pairs across sites to find accounts where passwords have been reused.
CREDENTIAL STUFFING
Photo by Nine Köpfer on Unsplash
3. Who am I?
And should you trust me?
• Director of Engineering at Shape Security
• Google Developer Expert.
• Old school video game hacker.
• @jsoverson everywhere
4.
1 Why credential stuffing is evolving
2 How credential stuffing has evolved
3 Where do we go from here?
6. If there are no defenses in place, the cost is nearly zero.
[Chart: value vs. cost]
Jarrod Overson
7. Any defense increases the cost by forcing a generational shift.
[Chart: value vs. cost; Generation 1]
8. Enough defenses will tip cost/value in your favor.
[Chart: value vs. cost; Generation 1, Generation 2, Generation 3]
9. The cost of entry for all technology decreases over time.
[Chart: value vs. cost]
All technology gets cheaper as it becomes better understood and more generalized.
10. While the value of successful attacks only goes up.
[Chart: value vs. cost]
11. MANUAL WORK vs. AUTOMATION
Manual work: sufficient when value is high; can't scale when value is reduced.
Automation: sufficient when value is low; can't scale when cost is increased.
12. CREDENTIAL STUFFING: A HOW-TO GUIDE
1 Get Credentials
2 Automate Login
3 Defeat Existing Defenses
4 Distribute Globally
19. $0 for 2.3 billion credentials
$0-50 for tool configuration
$0-139 for 100,000 solved CAPTCHAs
$0-10 for 1,000 global IPs
100,000 ATO attempts can be tried for less than $200 USD, i.e. <$0.002 per ATO attempt.
20. $2 - $150+: typical range of account values.
0.2% - 2%: success rate of a typical credential stuffing attack.
$0.002: cost per individual attempt.
(Value * Success Rate) / Cost - 100% = Rate of Return
The rate of return is between 100% and 150,000%+
32. Iteration 4: Scriptable Consumer Browsers
Selenium & Puppeteer
Selenium is a free, open source testing tool that scripts popular browsers.
Puppeteer is a Google project that automates Firefox and Chromium based browsers.
33. Browser Fingerprinting
High-entropy data points are collected to produce an acceptably unique fingerprint. Data points like screen size, fonts, plugins, hardware profiles, and so on.
This identifies the source of traffic even when tunneling through proxies.
Defense: Browser Fingerprinting
34. Iteration 5: Randomizing Fingerprint Data Sources
FraudFox & AntiDetect
FraudFox is a VM-based anti-fingerprinting solution.
AntiDetect randomizes the data sources that are commonly used to fingerprint modern browsers.
35. Behavior Analysis
Naive bots give themselves away by ignoring normal human behavior. Humans don't always click in the upper left hand corner and don't type out words all at once.
Capturing basic behavior can make naive automation easy to knock down.
Defense: Behavior Analysis for Negative Traits
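The negative-trait checks slide 35 describes, as an added example that is not from the slides and not Shape Security's logic. It scores a login session from the client-side event stream a page could collect (keydown timestamps, click offsets within the target element, mouse movement); the event format, every threshold and both sample sessions are assumptions constructed here for illustration.

```javascript
// Added example (not from the original deck): flag the "negative traits" that
// naive login automation shows. Event shape and thresholds are assumptions.

function stddev(xs) {
  if (xs.length === 0) return 0;
  const mean = xs.reduce((a, b) => a + b, 0) / xs.length;
  return Math.sqrt(xs.reduce((a, b) => a + (b - mean) ** 2, 0) / xs.length);
}

// Milliseconds between consecutive keydown events.
function keystrokeGaps(events) {
  const t = events.filter((e) => e.type === "keydown").map((e) => e.t);
  return t.slice(1).map((v, i) => v - t[i]);
}

// Returns the list of naive-automation traits observed in one login session.
function negativeTraits(session) {
  const flags = [];
  const gaps = keystrokeGaps(session.events);
  const keys = session.events.filter((e) => e.type === "keydown").length;
  const clicks = session.events.filter((e) => e.type === "click");
  const moves = session.events.filter((e) => e.type === "mousemove").length;

  // A scripted type() call emits keys at a fixed interval; humans never do.
  if (gaps.length >= 4 && stddev(gaps) < 2) flags.push("uniform_keystroke_timing");
  // The whole credential typed out "all at once" (every gap under 10 ms).
  if (gaps.length >= 4 && Math.max(...gaps) < 10) flags.push("instant_typing");
  // Field got a value without any keystrokes: it was injected, not typed.
  if (keys === 0 && session.passwordLength > 0) flags.push("no_keystrokes");
  // Every click landed exactly on the target's upper-left pixel.
  if (clicks.length > 0 && clicks.every((c) => c.offsetX === 0 && c.offsetY === 0)) {
    flags.push("top_left_clicks");
  }
  // Clicks with no pointer movement recorded anywhere in the session.
  if (clicks.length > 0 && moves === 0) flags.push("no_mouse_movement");
  return flags;
}

// Constructed sample sessions (not real telemetry).
const HUMAN_SESSION = {
  passwordLength: 8,
  events: [
    { type: "mousemove", t: 0 }, { type: "mousemove", t: 45 }, { type: "mousemove", t: 210 },
    { type: "click", t: 300, offsetX: 34, offsetY: 12 },
    { type: "keydown", t: 620 }, { type: "keydown", t: 745 }, { type: "keydown", t: 810 },
    { type: "keydown", t: 1020 }, { type: "keydown", t: 1150 }, { type: "keydown", t: 1240 },
    { type: "mousemove", t: 1800 },
    { type: "click", t: 2000, offsetX: 40, offsetY: 15 },
  ],
};

const BOT_SESSION = {
  passwordLength: 8,
  events: [
    { type: "click", t: 10, offsetX: 0, offsetY: 0 },
    { type: "keydown", t: 12 }, { type: "keydown", t: 17 }, { type: "keydown", t: 22 },
    { type: "keydown", t: 27 }, { type: "keydown", t: 32 }, { type: "keydown", t: 37 },
    { type: "click", t: 40, offsetX: 0, offsetY: 0 },
  ],
};

console.log("human:", negativeTraits(HUMAN_SESSION));
console.log("bot:  ", negativeTraits(BOT_SESSION));
```

Treat the output as one risk signal among several rather than a verdict: the next slide's point is that tooling which emulates human timing and movement produces an empty flag list, so these checks only knock down the naive tier.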
36. Iteration 6: Human Behavior Emulation
Browser Automation Studio
BAS is an automation tool that combines CAPTCHA solving, proxy rotation, and emulated human behavior.
37. Validating Fingerprint Data
Good users don't lie much. Attackers lie a lot. They use a handful of clients but need to look like they are coming from thousands.
Those lies add up.
Defense: Browser Consistency Checks
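Slides 33 and 37 together, as an added example that is not from the deck and not Shape Security's product logic: reduce collected data points to a stable fingerprint id, then look for pairs of values an honest browser could not report together. The field names mirror common navigator/screen properties, but the collection format, the checks, the fixed evaluation instant and both sample clients are assumptions made here; the hash is FNV-1a only so the file has no dependencies (SHA-256 would be the normal choice).

```javascript
// Added example (not from the original deck): fingerprint id plus consistency
// checks over client-reported data points. Field names and checks are assumptions.

// Canonical form with sorted keys so the same data always hashes the same.
function canonicalize(v) {
  if (Array.isArray(v)) return "[" + v.map(canonicalize).join(",") + "]";
  if (v && typeof v === "object") {
    return "{" + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(v[k])).join(",") + "}";
  }
  return JSON.stringify(v);
}

// FNV-1a 32-bit over the canonical string; a stand-in for SHA-256 here.
function fingerprintId(fp) {
  let h = 0x811c9dc5;
  for (const ch of canonicalize(fp)) {
    h ^= ch.codePointAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Offset of an IANA zone at an instant, in getTimezoneOffset()'s convention
// (UTC minus local, minutes), so it can be compared with what the client sent.
function zoneOffsetMinutes(zone, date) {
  const parts = new Intl.DateTimeFormat("en-US", {
    timeZone: zone, hour12: false, year: "numeric", month: "2-digit",
    day: "2-digit", hour: "2-digit", minute: "2-digit", second: "2-digit",
  }).formatToParts(date);
  const p = Object.fromEntries(parts.map((x) => [x.type, x.value]));
  const wallAsUtc = Date.UTC(+p.year, +p.month - 1, +p.day, (+p.hour) % 24, +p.minute, +p.second);
  return Math.round((date.getTime() - wallAsUtc) / 60000);
}

function osFromUserAgent(ua) {
  if (/iPhone|iPad|iPod/.test(ua)) return "ios";   // before Mac: iOS UAs say "like Mac OS X"
  if (ua.includes("Android")) return "android";    // before Linux: Android UAs say "Linux"
  if (ua.includes("Windows NT")) return "windows";
  if (ua.includes("Mac OS X")) return "mac";
  if (ua.includes("Linux")) return "linux";
  return "unknown";
}

function osFromPlatform(platform) {
  if (platform.startsWith("Win")) return "windows";
  if (/^iP(hone|ad|od)/.test(platform)) return "ios";
  if (platform.startsWith("Mac")) return "mac";
  if (platform.includes("Linux")) return "linux";   // Android reports Linux here too
  return "unknown";
}

// Contradictions between data points; evaluated at a fixed instant so the
// timezone comparison is deterministic.
function consistencyCheck(fp, now = new Date("2019-11-13T12:00:00Z")) {
  const issues = [];
  const uaOs = osFromUserAgent(fp.userAgent);
  const platOs = osFromPlatform(fp.platform);
  if (!(uaOs === platOs || (uaOs === "android" && platOs === "linux"))) issues.push("ua_platform_mismatch");
  if (uaOs === "ios" && fp.maxTouchPoints === 0) issues.push("mobile_without_touch");
  if (fp.screen.availWidth > fp.screen.width || fp.screen.availHeight > fp.screen.height) {
    issues.push("avail_exceeds_screen");
  }
  if (zoneOffsetMinutes(fp.timeZone, now) !== fp.timezoneOffset) issues.push("timezone_offset_mismatch");
  return issues;
}

// Constructed sample clients (not real collected data).
const HONEST_CLIENT = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.0.0 Safari/537.36",
  platform: "Win32",
  screen: { width: 1920, height: 1080, availWidth: 1920, availHeight: 1040 },
  timeZone: "America/New_York", timezoneOffset: 300, // EST in November
  maxTouchPoints: 0, hardwareConcurrency: 8, languages: ["en-US", "en"],
};

const INCONSISTENT_CLIENT = {
  userAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 13_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0 Mobile/15E148 Safari/604.1",
  platform: "Linux x86_64",                                              // disagrees with the UA
  screen: { width: 375, height: 812, availWidth: 1920, availHeight: 1040 }, // impossible geometry
  timeZone: "Asia/Tokyo", timezoneOffset: 300,                           // zone and offset disagree
  maxTouchPoints: 0, hardwareConcurrency: 8, languages: ["en-US", "en"],
};

console.log(fingerprintId(HONEST_CLIENT), consistencyCheck(HONEST_CLIENT));
console.log(fingerprintId(INCONSISTENT_CLIENT), consistencyCheck(INCONSISTENT_CLIENT));
```

Each contradiction is a small lie, and the count is what matters: one mismatch may be a privacy extension, four on one session is the "lies add up" signal. The following slide shows the limit of this defense: once a client replays a real browser's full set of data points, the set is internally consistent and these checks see nothing, which is why the deck pairs them with behavioral and economic measures.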
38. Iteration 7: Use real device data
Using Real Values
Bablosoft's Fingerprint Switcher allows a user to cycle through a real browser's fingerprintable data points, reducing the number of lies present in the data.
39. This keeps going but the direction is clear.
We're calling these Imitation Attacks
Imitation attacks indicate sophisticated fraud from dedicated adversaries.
The aim is to blend in and bypass risk & automation defenses.
Not all automation is an imitation attack, not all imitation attacks are automated.
The end goal is perfect emulation of humans and their environments.
41. The value in our accounts is not going away.
As we raise the cost of credential stuffing there is greater incentive to diversify attacks.
[Diagram: paths to Valid Accounts: Credential Stuffing, ???]
42. Genesis is an early example of what's next.
Malware that resides on the victim to scrape account and environment details.
51. And load it into the Genesis Security Plugin
Voila! You are now your target.
52. Malware that scrapes, learns, imitates, and proxies through its victim is next
We've started seeing the signs in ad fraud.
53. This is a human problem, not a technical problem.
Advanced credential stuffing is sophisticated fraud. It is more than simple automation. Fraud teams aren't staffed for this, they need help.
Imitation attacks are designed to blend in. Look deeply even if you think you don't have a problem.
Attackers are economically driven. We need to attack the economics. Every defense will fail if the value is still there.
There are no silver bullet solutions against humans. (Except literal silver bullets, but...)