QCon SF 2016 security talk about who uses data from massive breaches (like Yahoo, Target), what tools they use, and what damage they inflict.
My talk from Digital Elite Day 2020 (Conversion Elite track). I go over the main changes in browser tracking protections since as early as 2003 (Safari version 1). Then I discuss the impact these tracking protections have on digital analytics, advertising, and experimentation.
Using private proxy software can protect your personal information and online activity from criminals and companies by hiding your IP address and encrypting your data. Without seeing your actual IP address and online data, criminals cannot steal your identity and companies cannot create detailed profiles about you to target advertising. Private proxy software allows you to browse anonymously and securely online by routing your traffic through an encrypted proxy server to conceal your digital tracks from potential threats.
We all use passwords: for our banking cards, for our emails, to log into our work environment, to access our computers and mobile devices and all the various apps on those devices, for our social media accounts, and more. They have become commonplace in our society, yet provide us with a false sense of security. This presentation will discuss the inherent failures when using passwords, how they are now being used against us to commit cyber-crimes, what we need to be doing currently to protect ourselves, and what the future of passwords may hold.
Main points covered:
• How criminals are using our passwords to commit cyber-crimes
• Managing passwords and current ways to protect your data
• What the future may hold for our passwords
Presenter: Ryan Duquette is passionate about digital forensic investigations and about keeping others from being victimized. He is a seasoned digital forensic examiner with many years of experience in law enforcement and the private sector. He founded Hexigent Consulting, a firm focusing on digital investigations, cyber security consulting services and litigation support. Ryan works closely with clients involved in workplace investigations and civil litigation matters including intellectual property theft, HR investigations and data breaches. He is a sessional lecturer at the University of Toronto teaching digital forensics, holds a Master of Science degree in Digital Forensics Management, and several digital forensics and fraud certifications. Ryan is a director for the Toronto chapter of the Association of Certified Fraud Examiners, has been qualified as an “expert witness” on numerous occasions, and is a frequent presenter at fraud, digital forensics, cybersecurity and investigative conferences worldwide.
Recorded webinar: https://youtu.be/WTIImiEu078
Penetration tests of iOS applications usually require a jailbreak. On the other hand, software developers often require a new version of iOS to run the application. Unfortunately, as history shows, with the release of subsequent versions of iOS, pentesters have to wait longer and longer for a stable jailbreak. Finally, when testing iDevices, we become participants in Russian roulette: remain on an out-of-date iOS in the hope that there won’t be an application requiring a newer version, or take the risk of updating and maybe never get a jailbreak for the new version? During my presentation, I will show you that it is not necessary to put the iRevolver to your head, and I will present techniques for conducting penetration tests without the need for a jailbreak. The presentation will also include a live demo presenting the solution to the problem of access to protected application resources on the latest version of iOS.
These are the slides for what I presented at Texas Linux Fest 2013 (http://2013.texaslinuxfest.org/content/gpu-based-password-recovery-linux).
This document discusses various methods of encrypting and cracking passwords, including hashing functions, salted hashes, and multiple encryption algorithms. It provides examples of how to crack passwords hashed with PHP crypt() using known salts, and how adding random salts per password improves security but requires storing the salt. It also describes a distributed password cracking tool and an algorithm bruter tool to identify unknown multiple encryption algorithms.
This document describes a penetration test where the attacker was able to execute commands on users' machines by exploiting an Excel export vulnerability in a web application. The attacker was able to retrieve NTLM hashes from low-level users and crack the hashes to obtain domain credentials. The attacker then explored ways to improve the attack by bypassing warnings in Excel and identifying alternative commands besides CMD.exe that could be executed without warnings.
In this presentation I talked about how Windows user account passwords can be cracked using methods described in Philippe Oechslin's paper "Making a Faster Cryptanalytic Time-Memory Trade-Off" and demonstrated the ideas by stealing hashes using fgdump or Ophcrack and using Rainbow Tables (Cain with RainbowCrack) to actually crack the passwords of students present at the talk. There is some interesting stuff about secure passwords along with a bunch of other things.
Cyber security and ethical hacking: in this lecture we discussed different types of password cracking attacks.
In this presentation we discussed different methodologies in password cracking: password brute force, social engineering attacks, phishing attacks, Windows login cracking, web login cracking, application password cracking, and Gmail and Facebook password extraction.
Password cracking, password penetration testing, website login cracking, router login cracking, Windows login cracking, Gmail password extraction.
OWASP RTP Presentation on Data breaches, credential spills, the lifespan of data, credential stuffing, the attack lifecycle, and what you can do to protect yourself or your users.
This document discusses fraud engineering at Etsy. It begins by introducing the author, Nick Galbreath, and his background in security. It then provides context about Etsy as an online marketplace. It outlines different types of risk like fraud, security threats, and business continuity. It emphasizes thinking about risk from both a fraud and security perspective. The document then provides examples of how different parts of the organization like technical operations, quality assurance, product, business operations, engineering, and customer service can work together on fraud prevention and leverages their existing tools and resources. It also provides a case study example of investigating mysterious data center logins. The overall message is about taking a holistic organizational approach to fraud engineering.
Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive.
Key Takeaways:
- Great places in the user journey to inject security tests
- Ways to augment existing test approaches to cover security concerns
- Typical security tools that are free, cheap, and easy for software testers
These days, web apps are increasingly becoming integral to our lives, as they are used everywhere in the world. However, they often lack the kind of protection that traditional software and operating systems have, making them vulnerable to both internal and external threats. Cybercrime is projected to cost the world $10.5 trillion by 2025. The rise of ransomware and XSS attacks has become a nightmare for established business enterprises worldwide. However, with the right strategy, you can effectively avoid cyber threats. In this blog, we will discuss the top 9 tips for making your web app safe and secure. It’s better to take precautions than to feel sorry later. Implement the top tips listed with the help of the best web development company in India.
Cerdant’s Director of Engineering, Joshua Skeens, presented the best ‘bets’ to increase your security odds. Josh warned customers to stop gambling with their data, and cautioned against weak, guessable passwords stating, “Use 2-Factor Authentication everywhere!” The first step in creating the best security posture possible for your business will always be just getting started, and to keep momentum Josh suggests implementing 1 new security practice each week.
This presentation is part of the ConnXus myCBC Webinar Series. Tom Moore, Process and Technology Innovation at Altabos, covers the essentials of cybersecurity and how to minimize risks. Tom covers how to identify risks, evaluate the solutions, and ensure your company is prepared.
This document provides an overview of cybersecurity topics including the importance of cybersecurity, leading threats such as viruses, worms, and social engineering, best practices to avoid threats such as using strong passwords and antivirus software, and what to do if a cybersecurity incident is suspected. Key points covered include the risks of identity theft and data loss if security is not followed, common vectors for vulnerabilities exploited by cyber criminals, and the need to protect systems in the same way doors are secured at home.
This document provides an overview of cybersecurity topics including the importance of cybersecurity, leading threats such as viruses, worms, and social engineering, best practices to avoid threats such as using strong passwords and antivirus software, and what to do if a cybersecurity incident is suspected. Key points covered include the risks of identity theft and data loss if security is not followed, common vectors for vulnerabilities exploited by cyber criminals, and the need to protect systems using multiple layers of defense.
Cybersecurity is important to protect individuals and organizations from threats on the internet. The top threats include viruses, worms, Trojan horses, social engineering, rootkits, and botnets. To avoid these threats, best practices include using strong passwords, keeping systems updated, using firewalls and antivirus software, avoiding suspicious emails and downloads, and practicing cybersecurity awareness. Following guidelines for passwords, software updates, and caution with emails and downloads can help reduce cybersecurity risks.
Slides for the Webinar on Data Loss Prevention in SharePoint 2016 that I did with Crow Canyon on March 16th, 2016
The document discusses identity and access management trends from the past to present to future. It covers the history of passwords and early single sign-on systems. It then summarizes key standards and protocols like SAML, OAuth, OpenID Connect, and FIDO. It discusses how these have enabled single sign-on to SaaS applications and stronger authentication. Emerging trends discussed include biometrics, token binding, and mobile devices playing a role in authentication.
Why the legal services industry is a target for cybercriminals. A practical guide for legal practitioners.
Slides for the talk given at PasswordsCon Sweden 2019. Credential stuffing is an automated attack that exploits users who reuse passwords by taking breached credentials and replaying them across sites.
This document outlines the key points from a presentation on online security and privacy issues. It discusses the growing security landscape including major data breaches in 2012. It covers how cybercrime has become a profitable business and ways identities and financial data are sold on the black market. The presentation demonstrates common vulnerabilities like SQL injection and explains how even small businesses are at risk. It provides an overview of strategies to minimize risk, including secure coding practices, scanning tools, and compliance with standards like PCI DSS.
The document discusses cybersecurity risks and provides advice on how to protect against threats. It notes that 5 out of 6 advanced attacks target large companies, while 60% target small and medium businesses. The STRIDE model is described as a framework for categorizing different types of threats. Input validation, authentication, authorization, and applying defense in depth are recommended strategies. The document emphasizes that no software is 100% secure and the goal should be to minimize vulnerabilities and reduce the chances of successful attacks.
In this presentation, Java Developer Evangelist Micah Silverman demystifies HTTP Authentication and explains how the Next Big Thing - Token Authentication - can be used to secure web applications on the JVM, REST APIs, and 'unsafe' clients while supporting security best practices and even improving your application's performance and scale.
Topics Covered:
- Security Concerns for Modern Web Apps
- Cross-Site Scripting Prevention
- Working with 'Untrusted Clients'
- Securing API endpoints
- Cookies
- Man in the Middle (MitM) Attacks
- Cross-Site Request Forgery
- Session ID Problems
- Token Authentication
- JWTs
- Working with the JJWT library
- End-to-end example with Spring Boot
Jarrod Overson discusses the evolution of credential stuffing attacks and where they may go in the future. He summarizes that credential stuffing started as basic automated login attempts but has evolved through generations as defenses were put in place, such as CAPTCHAs and behavior analysis. The next generation involves more sophisticated imitation attacks that flawlessly emulate human behavior using real device fingerprints to blend in. Beyond credential stuffing, malware may start scraping user accounts and environments directly from infected machines. As defenses raise the cost of attacks, fraudsters will diversify methods to preserve the value of valid accounts and user data.
This document provides an agenda and overview for a presentation on cybersecurity game planning for success using Cisco Advanced Malware Protection (AMP). The presentation discusses the industrialization of hacking and growing threats, limitations of traditional point-in-time security solutions, and how AMP provides both point-in-time and retrospective protection across networks, endpoints, email, and web using continuous analysis in the cloud. The presentation demonstrates AMP's threat intelligence capabilities and integration across the Cisco security portfolio.
The document provides tips on how businesses can protect themselves from cyber attacks. It begins by introducing common hacker tactics like phishing, exploiting wireless networks, and scanning for website vulnerabilities. It then discusses the types of attackers and their motives, usually to steal financial information or damage a company's reputation. Several specific attack vectors are outlined, including using default passwords, vulnerable websites, insecure wireless networks, flaws in internet banking, and social engineering through phishing emails. The presentation emphasizes adopting a "protect, detect, correct" mindset and classifying sensitive data, as well as following security best practices like enabling two-factor authentication, using strong unique passwords, and keeping software updated. The key message is that businesses of any size can take
This All Things Open 2022 talk shows how to use current-gen WebAssembly to build complex applications out of components.
This talk was given at AppSec California, January 2020. Credential stuffing and other automated attacks are evolving past every defense thrown in their way. CAPTCHAs don't work, fingerprints don't work, magical AI-whatevers don't work. The value is just too great.
This document summarizes an analysis of an exploited NPM package called event-stream. It describes how an attacker gained control of the package and added malicious code that was downloaded by thousands of projects whenever their dependencies were updated. The malicious code stole cryptocurrency from wallets containing large amounts. It highlights the risks of supply chain attacks and emphasizes the importance of auditing dependencies, locking versions, and thinking carefully before adding new dependencies to avoid compromising entire projects and their users.
Jarrod Overson presented on a supply chain attack that occurred in 2018 through the compromise of the event-stream Node.js package. An unauthorized developer gained commit access and introduced malicious code through new dependencies that was then installed by millions of users. The malware harvested cryptocurrency private keys from the Copay wallet app. While the community responded quickly, such attacks demonstrate vulnerabilities in open source software supply chains and dependency management that will continue to be exploited if not properly addressed through changes to practices and tooling.
Deepfakes originally started as cheap but believable video effects and have expanded into AI-generated content of every format. This session dove into the state of deepfakes and how the technology highlights an exciting but dangerous future.
Workshop slides originally given at the WOPR Summit in Atlantic City. Use JavaScript parsers and generators like Shift combined with Puppeteer and Chrome to reverse engineer web applications.
Talk given at Mozilla's first View Source Conference in Portland, 2015. Details the parallels between graphics and game development and traditional web development.
This was a talk given at HTML5DevConf SF in 2015. Ever wanted to write your own Browserify or Babel? Maybe have an idea for something new? This talk will get you started understanding how to use a JavaScript AST to transform and generate new code.
This document discusses ECMAScript 2015 (ES2015), also known as ES6. It provides examples of new ES2015 features like arrow functions, template literals, classes, and modules. It also discusses how to set up a development environment to use ES2015, including transpiling code to ES5 using Babel, linting with Eslint, testing with Mocha, and generating coverage reports with Istanbul. The document emphasizes that while ES2015 is fun to explore, proper tooling like linting and testing is needed for serious development. It concludes by noting ES2015 marks a transition and thanks the audience.
The document discusses achieving maintainability in code through examining code quality with linters, generating visual reports on metrics like complexity and coverage, and automating processes like builds, linting, and testing through tools like Grunt and Gulp. It emphasizes setting limits on metrics like complexity, enforcing code style through automation, and treating documentation as important as code.
The document discusses achieving maintainability in code through analysis, automation, and enforcement of standards. It recommends setting up linting, code coverage, and other analysis tools to examine code quality and automatically enforcing code style through build processes. The key is to automate as many processes as possible, like testing, linting, and documentation, to make the code easy to work with and prevent issues from being introduced.
Slides for the keynote given at QCon Sao Paulo 2014. Talk goes into the problems scaling Riot and how we've tried to solve them as well as what we've learned from the web and what lies in store next.
This document discusses managing complexity in JavaScript projects. It addresses coming to terms with the challenges of dynamic languages being messy, having an immature tooling ecosystem, and rapid evolution. It emphasizes respecting code style conventions, enforcing linting rules, documenting code, and using metrics like cyclomatic complexity to reduce testing difficulty. The overall message is that perseverance is needed to tame JavaScript's complexity through automation, visualization, honesty and acceptance of its challenges and opportunities.
The document discusses web components, which include HTML templates, custom elements, shadow DOM, and HTML imports. Web components allow the creation of reusable custom elements with their own styles and DOM structure. They provide encapsulation and help avoid issues with global namespaces. While browser support is still emerging for some features, polyfills exist and frameworks like Polymer make web components accessible today. Web components represent an important evolution of the web that will improve how code is structured and shared.
These are the slides for the talk "Managing and Visualizing JavaScript Complexity" given at QCon SF 2013 by Jarrod Overson
This talk was given on Oct 23 at HTML5DevConf in San Francisco. The topic was Continuous Delivery as it relates to JavaScript applications, using tools like grunt and jenkins.
Everything that I found interesting about machines behaving intelligently during June 2024
As a popular open-source library for analytics engineering, dbt is often used in combination with Airflow. Orchestrating and executing dbt models as DAGs ensures an additional layer of control over tasks, observability, and provides a reliable, scalable environment to run dbt models. This webinar will cover a step-by-step guide to Cosmos, an open source package from Astronomer that helps you easily run your dbt Core projects as Airflow DAGs and Task Groups, all with just a few lines of code.
We’ll walk through:
- Standard ways of running dbt (and when to utilize other methods)
- How Cosmos can be used to run and visualize your dbt projects in Airflow
- Common challenges and how to address them, including performance, dependency conflicts, and more
- How running dbt projects in Airflow helps with cost optimization
Webinar given on 9 July 2024
Everything that I found interesting about engineering leadership last month
The integration of programming into civil engineering is transforming the industry. We can design complex infrastructure projects and analyse large datasets. Imagine revolutionizing the way we build our cities and infrastructure, all by the power of coding. Programming skills are no longer just a bonus—they’re a game changer in this era. Technology is revolutionizing civil engineering by integrating advanced tools and techniques. Programming allows for the automation of repetitive tasks, enhancing the accuracy of designs, simulations, and analyses. With the advent of artificial intelligence and machine learning, engineers can now predict structural behaviors under various conditions, optimize material usage, and improve project planning.
Have you noticed the OpenSSF Scorecard badges on the official Dart and Flutter repos? It's Google's way of showing that they care about security. Practices such as pinning dependencies, branch protection, required reviews, continuous integration tests etc. are measured to provide a score and accompanying badge. You can do the same for your projects, and this presentation will show you how, with an emphasis on the unique challenges that come up when working with Dart and Flutter. The session will provide a walkthrough of the steps involved in securing a first repository, and then what it takes to repeat that process across an organization with multiple repos. It will also look at the ongoing maintenance involved once scorecards have been implemented, and how aspects of that maintenance can be better automated to minimize toil.
Recent advancements in the NIST-JARVIS infrastructure: JARVIS-Overview, JARVIS-DFT, AtomGPT, ALIGNN, JARVIS-Leaderboard
YOUR RELIABLE WEB DESIGN & DEVELOPMENT TEAM — FOR LASTING SUCCESS
WPRiders is a web development company specialized in WordPress and WooCommerce websites and plugins for customers around the world. The company is headquartered in Bucharest, Romania, but our team members are located all over the world. Our customers are primarily from the US and Western Europe, but we have clients from Australia, Canada and other areas as well.
Some facts about WPRiders and why we are one of the best firms around:
- More than 700 five-star reviews! You can check them here.
- 1500 WordPress projects delivered.
- We respond 80% faster than other firms! Data provided by Freshdesk.
- We’ve been in business since 2015.
- We are located in 7 countries and have 22 team members.
With so many projects delivered, our team knows what works and what doesn’t when it comes to WordPress and WooCommerce. Our team members are:
- highly experienced developers (employees & contractors with 5-10+ years of experience),
- great designers with an eye for UX/UI with 10+ years of experience,
- project managers with a development background who speak both tech and non-tech,
- QA specialists,
- Conversion Rate Optimisation (CRO) experts.
They are all working together to provide you with the best possible service. We are passionate about WordPress, and we love creating custom solutions that help our clients achieve their goals. At WPRiders, we are committed to building long-term relationships with our clients. We believe in accountability, in doing the right thing, as well as in transparency and open communication. You can read more about WPRiders on the About us page.
The DealBook is our annual overview of the Ukrainian tech investment industry. This edition comprehensively covers the full year 2023 and the first deals of 2024.
Jindong Gu, Zhen Han, Shuo Chen, Ahmad Beirami, Bailan He, Gengyuan Zhang, Ruotong Liao, Yao Qin, Volker Tresp, Philip Torr, "A Systematic Survey of Prompt Engineering on Vision-Language Foundation Models", arXiv 2023, https://arxiv.org/abs/2307.12980
Our Linux Web Hosting plans offer unbeatable performance, security, and scalability, ensuring your website runs smoothly and efficiently. Visit: https://onliveserver.com/linux-web-hosting/
Stream processing is a crucial component of modern data infrastructure, but constructing an efficient and scalable stream processing system can be challenging. Decoupling compute and storage architecture has emerged as an effective solution to these challenges, but it can introduce high latency issues, especially when dealing with complex continuous queries that necessitate managing extra-large internal states. In this talk, we focus on addressing the high latency issues associated with S3 storage in stream processing systems that employ a decoupled compute and storage architecture. We delve into the root causes of latency in this context and explore various techniques to minimize the impact of S3 latency on stream processing performance. Our proposed approach is to implement a tiered storage mechanism that leverages a blend of high-performance and low-cost storage tiers to reduce data movement between the compute and storage layers while maintaining efficient processing. Throughout the talk, we will present experimental results that demonstrate the effectiveness of our approach in mitigating the impact of S3 latency on stream processing. By the end of the talk, attendees will have gained insights into how to optimize their stream processing systems for reduced latency and improved cost-efficiency.