Search results “Non cryptography vulnerabilities of cloud”
Efficient Cryptography for the Next Generation Secure Cloud
Peer-to-peer (P2P) systems, and client-server type storage and computation outsourcing constitute some of the major applications that the next generation cloud schemes will address. Since these applications are just emerging, it is the perfect time to design them with security and privacy in mind. Furthermore, considering the high-churn characteristics of such systems, the cryptographic protocols employed must be efficient and scalable. In this talk, I will focus on an efficient and scalable fair exchange protocol that can be used for exchanging files between participants of a P2P file sharing system. It has been shown that fair exchange cannot be done without a trusted third party (called the Arbiter). Yet, even with a trusted Arbiter, it is still non-trivial to come up with an efficient solution, especially one that can be used in a P2P file sharing system with a high volume of data exchanged. Our protocol is optimistic, removing the need for the Arbiter's involvement unless a dispute occurs. While the previous solutions employ costly cryptographic primitives for every file or block exchanged, our protocol employs them only once per peer, therefore achieving O(n) efficiency improvement when n blocks are exchanged between two peers. In practice, this corresponds to one-two orders of magnitude improvement in terms of both computation and communication (42 minutes vs. 40 seconds, 225 MB vs. 1.8 MB). Thus, for the first time, a provably secure (and privacy respecting when payments are made using e-cash) fair exchange protocol is being used in real bartering applications (e.g., BitTorrent) without sacrificing performance. Finally, if time permits, I will briefly mention some of our other results on cloud security including ways to securely outsource computation and storage to untrusted entities, official arbitration in the cloud, impossibility results on distributing the Arbiter, and keeping the user passwords safe (joint work at Microsoft Research). 
I will also be available to talk on these other projects after the presentation.
Views: 178 Microsoft Research
USENIX Security '17 - Hacking in Darkness: Return-oriented Programming against Secure Enclaves
Jaehyuk Lee and Jinsoo Jang, KAIST; Yeongjin Jang, Georgia Institute of Technology; Nohyun Kwak, Yeseul Choi, and Changho Choi, KAIST; Taesoo Kim, Georgia Institute of Technology; Marcus Peinado, Microsoft Research; Brent Byunghoon Kang, KAIST
Intel Software Guard Extensions (SGX) is a hardware-based Trusted Execution Environment (TEE) that is widely seen as a promising solution to traditional security threats. While SGX promises strong protection to bug-free software, decades of experience show that we have to expect vulnerabilities in any non-trivial application. In a traditional environment, such vulnerabilities often allow attackers to take complete control of vulnerable systems. Efforts to evaluate the security of SGX have focused on side-channels. So far, neither a practical attack against a vulnerability in enclave code nor a proof-of-concept attack scenario has been demonstrated. Thus, a fundamental question remains: What are the consequences and dangers of having a memory corruption vulnerability in enclave code? To answer this question, we comprehensively analyze exploitation techniques against vulnerabilities inside enclaves. We demonstrate a practical exploitation technique, called Dark-ROP, which can completely disarm the security guarantees of SGX. Dark-ROP exploits a memory corruption vulnerability in the enclave software through return-oriented programming (ROP). However, Dark-ROP differs significantly from traditional ROP attacks because the target code runs under solid hardware protection. We overcome the problem of exploiting SGX-specific properties and obstacles by formulating a novel ROP attack scheme against SGX under practical assumptions. Specifically, we build several oracles that inform the attacker about the status of enclave execution. This enables him to launch the ROP attack while both code and data are hidden. In addition, we exfiltrate the enclave’s code and data into a shadow application to fully control the execution environment.
This shadow application emulates the enclave under the complete control of the attacker, using the enclave (through ROP calls) only to perform SGX operations such as reading the enclave’s SGX crypto keys. The consequences of Dark-ROP are alarming; the attacker can completely breach the enclave’s memory protections and trick the SGX hardware into disclosing the enclave’s encryption keys and producing measurement reports that defeat remote attestation. This result strongly suggests that SGX research should focus more on traditional security mitigations rather than on making enclave development more convenient by expanding the trusted computing base and the attack surface (e.g., Graphene, Haven). View the full program: https://www.usenix.org/sec17/program
Views: 927 USENIX
Saving the elephant—now, not later
Big data security challenges are a bit different from those of traditional client-server applications and are distributed in nature, introducing unique security vulnerabilities. The Cloud Security Alliance (CSA) has categorized the different security and privacy challenges into four different aspects of the big data ecosystem. These aspects are infrastructure security, data privacy, data management, and integrity and reactive security. Each of these aspects is further divided into the following security challenges:
1. Infrastructure security
a. Secure distributed processing of data
b. Security best practices for non-relational data stores
2. Data privacy
a. Privacy-preserving analytics
b. Cryptographic technologies for big data
c. Granular access control
3. Data management
a. Secure data storage and transaction logs
b. Granular audits
c. Data provenance
4. Integrity and reactive security
a. Endpoint input validation/filtering
b. Real-time security/compliance monitoring
In this talk, we are going to refer to the above classification and identify existing security controls, best practices, and guidelines. We will also paint a big picture of how collective usage of all discussed security controls (Kerberos, TDE, LDAP, SSO, SSL/TLS, Apache Knox, Apache Ranger, Apache Atlas, Ambari Infra, etc.) can address fundamental security and privacy challenges that encompass the entire Hadoop ecosystem. We will also briefly discuss recent security incidents involving Hadoop systems.
Speakers: KRISHNA PANDEY, Staff Software Engineer, Hortonworks; KUNAL RAJGURU, Premier Support Engineer, Hortonworks
Views: 64 DataWorks Summit
What is SIDE-CHANNEL ATTACK? What does SIDE-CHANNEL ATTACK mean? SIDE-CHANNEL ATTACK meaning - SIDE-CHANNEL ATTACK definition - SIDE-CHANNEL ATTACK explanation. Source: Wikipedia.org article, adapted under https://creativecommons.org/licenses/by-sa/3.0/ license.
In cryptography, a side-channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms (compare cryptanalysis). For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited to break the system. Some side-channel attacks require technical knowledge of the internal operation of the system on which the cryptography is implemented, although others such as differential power analysis are effective as black-box attacks. Many powerful side-channel attacks are based on statistical methods pioneered by Paul Kocher. Attempts to break a cryptosystem by deceiving or coercing people with legitimate access are not typically called side-channel attacks: see social engineering and rubber-hose cryptanalysis. For attacks on computer systems themselves (which are often used to perform cryptography and thus contain cryptographic keys or plaintexts), see computer security. The rise of Web 2.0 applications and software-as-a-service has also significantly raised the possibility of side-channel attacks on the web, even when transmissions between a web browser and server are encrypted (e.g., through HTTPS or WiFi encryption), according to researchers from Microsoft Research and Indiana University.
General classes of side-channel attack include:
Cache attack — attacks based on the attacker's ability to monitor cache accesses made by the victim in a shared physical system, as in a virtualized environment or a type of cloud service.
Timing attack — attacks based on measuring how much time various computations take to perform.
Power-monitoring attack — attacks that make use of varying power consumption by the hardware during computation.
Electromagnetic attack — attacks based on leaked electromagnetic radiation, which can directly provide plaintexts and other information. Such measurements can be used to infer cryptographic keys using techniques equivalent to those in power analysis, or can be used in non-cryptographic attacks, e.g. TEMPEST (aka van Eck phreaking or radiation monitoring) attacks.
Acoustic cryptanalysis — attacks that exploit sound produced during a computation (rather like power analysis).
Differential fault analysis — in which secrets are discovered by introducing faults in a computation.
Data remanence — in which sensitive data are read after supposedly having been deleted.
Row hammer — in which off-limits memory can be changed by accessing adjacent memory.
Optical - in which secrets and sensitive data can be read by visual recording using a high resolution camera, or other devices that have such capabilities (see examples below).
In all cases, the underlying principle is that physical effects caused by the operation of a cryptosystem (on the side) can provide useful extra information about secrets in the system, for example, the cryptographic key, partial state information, full or partial plaintexts and so forth. The term cryptophthora (secret degradation) is sometimes used to express the degradation of secret key material resulting from side-channel leakage.
A cache side-channel attack works by monitoring security-critical operations such as AES T-table entry or modular exponentiation multiplicand accesses. The attacker is then able to recover the secret key from the accesses made (or not made) by the victim. Also, unlike some of the other side-channel attacks, this method does not create a fault in the ongoing cryptographic operation and is invisible to the victim.
Views: 3200 The Audiopedia
DEFCON 20: Scylla: Because There's no Patch for Human Stupidity
Speakers: SERGIO 'FLACMAN' VALDERRAMA, CONSULTING MANAGER, 2SECURE; CARLOS ALBERTO RODRIGUEZ, CO-FOUNDER, 2SECURE
When there's no technical vulnerability to exploit, you should try to hack what humans left for you, and believe me, this always works. Scylla provides all the power of what a real audit, intrusion, exclusion and analysis tool needs, giving the possibility of scanning misconfiguration bugs dynamically. Scylla aims to be a better tool for security auditors, extremely fast, designed based on real scenarios, developed by experienced coders and constructed with actual IT work methods. The words "Configuration Tracer" are the best definition for Scylla, a tool to help on IT audits. Sergio 'flacman' Valderrama has been a coder and hacker since he was in school (15 years old?). Consulting Manager of 2Secure S.A.S, he has worked as a security consultant for more than 6 years. Founder of ColombiaUnderground Team, he studied Computer Engineering at the Universidad de los Andes... (lot of non interesting crap about titles and experience). And of course, he's the main developer of Scylla. Carlos Alberto Rodriguez is Co-Founder at 2Secure, a Colombia-based company that provides specialized security services for companies in multiple sectors. Senior Developer focused on security development with an emphasis on cryptographic algorithms, Senior Security Consultant, R&D Manager and Security Applications Leader for 2Secure with over 7 years of experience in security and incident handling. Twitter: @_S_aint_Iker For more information visit: http://bit.ly/defcon20_information To download the video visit: http://bit.ly/defcon20_videos Playlist DEFCON 20: http://bit.ly/defcon20_playlist
Views: 1533 Christiaan008
SSL Certificate Explained
Views: 798277 dtommy1979
Compliance and Frameworks - CompTIA Security+ SY0-501 - 3.1
Security+ Training Course Index: http://professormesser.link/sy0501 Professor Messer’s Course Notes: http://professormesser.link/501cn Frequently Asked Questions: http://professormesser.link/faq - - - - - Many organizations require compliance with a standard set of rules and regulations. In this video, you’ll learn about compliance requirements, non-regulatory best practices, and IT frameworks. - - - - - Subscribe to get the latest videos: http://professormesser.link/yt Calendar of live events: http://www.professormesser.com/calendar/ FOLLOW PROFESSOR MESSER: Professor Messer official website: http://www.professormesser.com/ Twitter: http://www.professormesser.com/twitter Facebook: http://www.professormesser.com/facebook Instagram: http://www.professormesser.com/instagram Google +: http://www.professormesser.com/googleplus
Views: 11000 Professor Messer
Crypto Defenses for Real-World System Threats - Kenn White - Ann Arbor
Modern encryption techniques provide several important security properties, well known to most practitioners. Or are they? What are in fact the guarantees of, say, HTTPS TLS cipher suites using authenticated encryption, IPSec vs. SSL VPNs, Property Preserving Encryption, or token vaults? We live in an era of embedded Hardware Security Modules that cost less than $1 in volume, and countless options now exist for encrypting streaming network data, files, volumes, and even entire databases. Let's take a deep dive into the edge of developed practice to discuss real-world threat scenarios to public cloud and IoT data, and look closely at how we can address specific technical risks with our current encryption toolkits. Advanced math not required. Bio: Kenneth White is a security researcher whose work focuses on networks and global systems. He is co-director of the Open Crypto Audit Project (OCAP), currently managing a large-scale audit of OpenSSL on behalf of the Linux Foundation's Core Infrastructure Initiative. Previously, White was Principal Scientist at Washington DC-based Social & Scientific Systems where he led the engineering team that designed and ran global operations and security for the largest clinical trial network in the world, with research centers in over 100 countries. White co-founded CBX Group which provides security services to major organizations including World Health, UNICEF, Doctors without Borders, the US State Department, and BAO Systems. Together with Matthew Green, White co-founded the TrueCrypt audit project, a community-driven initiative to conduct the first comprehensive cryptanalysis and public security audit of the widely used TrueCrypt encryption software. White holds a Masters from Harvard and is a PhD candidate in neuroscience and cognitive science, with applied research in real-time classification and machine learning. 
His work on network security and forensics has been cited by media including the Wall Street Journal, Forbes, Reuters, Wired and Nature. White is a technical reviewer for the Software Engineering Institute, and publishes and speaks frequently on computational modeling, security engineering, and trust. He tweets @kennwhite.
Views: 820 Duo Security
Vulnerability Scanning - CompTIA Security+ SY0-501 - 1.5
A vulnerability scan can tell you a lot about potential threats. In this video, you’ll learn about different vulnerability scan types, the results of a vulnerability scan, and how to deal with false positives.
Views: 18771 Professor Messer
Blockchain security
Jon Geater, CTO Thales e-Security, talks about blockchain security and distributed ledgers.
Views: 5798 Thales eSecurity
Hacken | $HKN | Whitehat Cyber Security
"#Hacken is a community-powered #cybersecurity ecosystem for white-hat hacking or "ethical hacking". White hat hackers are expert, ethical hackers that specialize in testing and enhancing the security of an entity’s IT system, through exposing certain flaws or vulnerabilities inherent within the system." Hacken Links: Website: https://hacken.io/ Roadmap: https://hackenproof.com/roadmap Products: https://hub.hacken.io/ Twitter: https://twitter.com/hacken_io?lang=en Reddit: https://www.reddit.com/r/hacken/ Telegram: https://t.me/hackenio HackIT Countdown: Comingsoon.Hackit.ua Crypto Exchange Ranks: cryptoexchangeranks.com Sources: http://bit.ly/2IqW21N http://bit.ly/2ryDMZW http://bit.ly/2IGUa4W http://bit.ly/2GffYQ2 http://bit.ly/2jWty1X
Views: 2919 CryptoCandor
Common Security Issues - CompTIA Security+ SY0-501 - 2.3
The most common security issues can create some of the most uncommon security breaches. In this video, you’ll learn about the most common security problems and how to avoid falling into these common traps.
Views: 16604 Professor Messer
Printer vulnerability (CVE-2016-3238): Internet infection overview and demo
The malicious printer driver on an infected host opens a connection back to the remote attacker, who uses it to set up a fake printer or compromise a network printer so it spreads malware to other hosts. For more information about this critical Windows vulnerability go to http://info.vectranetworks.com/understanding-printer-vulnerabilities
L1TF (AKA Foreshadow) Explained in 3 Minutes from Red Hat
L1 Terminal Fault (L1TF)--also known as Foreshadow--is a security vulnerability that allows unauthorized users to access information from Intel processor-based servers, including deployments in cloud environments. This vulnerability takes advantage of the way Intel processors handle page tables (the maps that translate between physical and virtual memory resources). Like Spectre and Meltdown in early 2018, L1TF allows unauthorized users to access data from speculative operations. What makes L1TF even more dangerous is that malicious users can steal secrets across multi-tenant cloud environments. This 3-minute video provides a high-level primer on what L1TF is and how it works. For more technical information about the vulnerability and what your company should do about it, please visit: https://red.ht/2MpetWt
Views: 32259 Red Hat Videos
On the Practicality of Cryptographically Enforcing Dynamic Access Control Policies in the Cloud
On the Practicality of Cryptographically Enforcing Dynamic Access Control Policies in the Cloud
William C. Garrison III (University of Pittsburgh)
Presented at the 2016 IEEE Symposium on Security & Privacy, May 23–25, 2016, San Jose, CA. http://www.ieee-security.org/TC/SP2016/
ABSTRACT The ability to enforce robust and dynamic access controls on cloud-hosted data while simultaneously ensuring confidentiality with respect to the cloud itself is a clear goal for many users and organizations. To this end, there has been much cryptographic research proposing the use of (hierarchical) identity-based encryption, attribute-based encryption, predicate encryption, functional encryption, and related technologies to perform robust and private access control on untrusted cloud providers. However, the vast majority of this work studies static models in which the access control policies being enforced do not change over time. This is contrary to the needs of most practical applications, which leverage dynamic data and/or policies. In this paper, we show that the cryptographic enforcement of dynamic access controls on untrusted platforms incurs computational costs that are likely prohibitive in practice. Specifically, we develop lightweight constructions for enforcing role-based access controls (i.e., RBAC0) over cloud-hosted files using identity-based and traditional public-key cryptography. This is done under a threat model as close as possible to the one assumed in the cryptographic literature. We prove the correctness of these constructions, and leverage real-world RBAC datasets and recent techniques developed by the access control community to experimentally analyze, via simulation, their associated computational costs. This analysis shows that supporting revocation, file updates, and other state change functionality is likely to incur prohibitive overheads in even minimally-dynamic, realistic scenarios. We identify a number of bottlenecks in such systems, and fruitful areas for future work that will lead to more natural and efficient constructions for the cryptographic enforcement of dynamic access controls. Our findings naturally extend to the use of more expressive cryptographic primitives (e.g., HIBE or ABE) and richer access control models (e.g., RBAC1 or ABAC).
8. Web Security Model
MIT 6.858 Computer Systems Security, Fall 2014 View the complete course: http://ocw.mit.edu/6-858F14 Instructor: James Mickens In this lecture, Professor Mickens introduces the concept of web security, specifically as it relates to client-side applications and web browser security models. License: Creative Commons BY-NC-SA More information at http://ocw.mit.edu/terms More courses at http://ocw.mit.edu
Views: 16979 MIT OpenCourseWare
AAA and Authentication - CompTIA Security+ SY0-501 - 4.1
The authentication process is a foundational aspect of network security. In this video, you’ll learn about AAA, authentication factors, federation, single sign-on, and more.
Views: 10301 Professor Messer
Emerging Security Vulnerabilities & the Impact to Business
Google Tech Talks, November 12, 2007
ABSTRACT This talk discusses how IT professionals can go about learning what they need to know to prevent the most significant emerging data security vulnerabilities, and the impact these vulnerabilities are having on electronic commerce. In this talk, I will review how attacks such as XSRF (Cross-Site Request Forgery) and SQL Injection work, and how to properly defend against them. Then, I will present some industry-wide statistics on software security vulnerabilities reported to various databases, and emerging trends in the field of software security. Finally, I will discuss the current state of security education, and provide pointers to certification programs, books, and organizations where you can learn more.
Speaker: Neil Daswani. Neil has served in a variety of research, development, teaching, and managerial roles at Google, Stanford University, DoCoMo USA Labs, Yodlee, and Bellcore (now Telcordia Technologies). His areas of expertise include security, wireless data technology, and peer-to-peer systems. He has published extensively in these areas, is frequently invited to give talks at industry and academic conferences, and has been granted several U.S. patents. He received a Ph.D. and a master's in computer science from Stanford University, and earned a bachelor's in computer science with honors with distinction from Columbia University.
Views: 11363 GoogleTechTalks
Crypto News: EOS, Waves, IOTA, Genesis Vision, Tezos, Citigroup (10th-16th of September)
Citigroup potentially enters cryptocurrency
On 10th of September some sources mentioned that U.S. multinational bank Citigroup is developing a cryptocurrency product to give institutional investors access to crypto markets without owning cryptoassets directly. Citigroup has over US$71B in revenue and over 200k employees. Citigroup, which had previously taken a centralized approach to cryptocurrency, will reportedly use a revamped version of the American Depositary Receipt (ADR) – a type of security issued since the 1920s that represents securities of a non-U.S. company – to let investors indirectly trade crypto as a Digital Asset Receipt (DAR), which gives U.S. investors a way to own foreign stocks or currencies that don't otherwise trade on U.S. exchanges.
EOS dapp issues
On 14th of September it was announced that EOSBet, a gambling application based on the EOS blockchain, has had a flaw in its smart contract system exploited. Hackers were able to make off with $200,000 worth of EOS due to the vulnerability. An EOSBet spokesperson has stated: “[…] A few hours ago, we were attacked, and about 40,000 EOS was taken from our bankroll… This bug was not minor as was stated previously, and we are still doing forensics and piecing together what happened.” This follows the attack of 10th of September, when it emerged that DEOSGames, another EOS-based betting platform, was hit with a smart contract attack, leading to a series of strange payouts including 24 jackpot payments in less than one hour. If it turns out that there is a common backdoor for EOS DApps, this could be a major problem, so hopefully developers can sort it out.
Waves update
On 13th of September the corporation Rostec, the Russian state-owned manufacturing conglomerate, entered the blockchain fray via a partnership with Waves. Rostec was established in 2007 and has a revenue of $18.9 billion and over 450k employees. The project will look into the application of blockchain technology to Rostec's operations – specifically, for standardizing, collecting and analyzing data about the products manufactured under Rostec's supervision, which include both military and civilian goods. They will also seek to develop solutions for so-called smart cities, which leverage data to manage urban resources more efficiently. To that end, the project would facilitate the sharing of data via blockchain between governments and citizens. Waves also announced that it is engaged in negotiations with the Maltese government in an effort to gain all the proper accreditation in order to run its operations on the island.
IOTA Qubic roadmap
On 12th of September IOTA published the roadmap update for the Qubic project. Qubic enables Smart Contracts, Oracles, Outsourced Computing and lots more on IOTA. It provides general-purpose, cloud- or fog-based, permissionless, multiprocessing capabilities on the Tangle. It will basically be the foundation of plenty more projects using IOTA and also a platform for the greater community and ecosystem. The IOTA team recently provided a lot of details on the Qubic programming language Abra. The roadmap shows the Abra specification, compilers, development and libraries. On top of that the roadmap covers the qubic protocol, qubic tangle and the oracles. All of that information also includes progress levels for project followers. On top of that IOTA provides regular blog updates.
Genesis Vision Updates
On 11th of September Genesis Vision announced the release date of their platform. The platform will go live on 30th of October. Genesis Vision is a platform for the private trust management market, built on Blockchain technology and Smart Contracts. They are trying to combine exchanges, brokers, traders and investors into a decentralized, open and honest network. The platform uses the GVT token, which recently increased in price but is still not in the top 100.
Tezos Updates
On 14th of September Tezos announced that their mainnet will arrive on 17th of September. Tezos is a platform for smart contracts and decentralized applications that will allow for On-Chain Governance, meaning a formal process through which stakeholders can efficiently govern the protocol and implement future innovations. The betanet went live on 30th of June. It was a fully functional version of the network but still "experimental" in nature, with downtime and even emergency hard forks of the network possible. This however means that the main network should work without any major issues. The team also published an update on the 10th, where the president of the Tezos Foundation wrote about the last 6 months. The XTZ token has been doing quite well recently and is currently in the top 20. Not financial advice.
Views: 539 Crypto Coins
Hacking a Site on Adobe Experience Manager
The report is devoted to security testing of web applications based on Adobe Experience Manager (AEM). The speaker will share his experience of searching and exploiting vulnerabilities he came across during his work (vulnerabilities that lead to sensitive data leakage, DoS attacks, XSS, XXE and even RCE) and demonstrate self-developed tools, which can help automate security testing of AEM-based web applications. Author: Mikhail Egorov More: http://www.phdays.com/program/40870/
Views: 4211 Positive Technologies
DEFCON 19: Three Generations of DoS Attacks (with Audience Participation, as Victims)
Speaker: Sam Bowne Instructor, City College San Francisco Denial-of-service (DoS) attacks are very common. They are used for extortion, political protest, revenge, or just LULz. Most of them use old, inefficient methods like UDP Floods, which require thousands of attackers to bring down a Web server. The newer Layer 7 attacks like Slowloris and Rudy are more powerful, and can stop a Web server from a single attacker with incomplete Http requests. The newest and most powerful attack uses IPv6 multicasts, and can bring down all the Windows machines on an entire network from a single attacker. I will explain and demonstrate these tools: Low Orbit Ion Cannon, OWASP Http DoS Tool, and flood_router6 from the thc-ipv6 attack suite. This deadly IPv6 Router Advertisement Flood attack is a zero-day attack--Microsoft has known about it since June 2010 but has not patched it yet (as of May 4, 2011). Audience Participation: Bring a device to test for vulnerability to the Router Advertisement Flood! Some cell phones and game consoles have been reported to be vulnerable--let's find out! If your device crashes, please come to the Q&A room so we can video-record it and arrange disclosure to the vendor. For more information visit: http://bit.ly/defcon19_information To download the video visit: http://bit.ly/defcon19_videos Playlist Defcon 19: http://bit.ly/defcon19_playlist
Views: 320657 Christiaan008
CRYPTERRA/X-MINING - Fake Login Animation Proved Right, Warning! Fake Vulnerability Test || Crypto B
Follow me on Twatter: https://twitter.com/Crypto_Blz Free Mining(MinerGate): https://minergate.com/a/427bcd9ae1beec56322f839b Try TubeBuddy for Free: https://www.tubebuddy.com/blz CRYPTERRA/X-MINING - Fake Login Animation Proved Right, Warning! Fake Vulnerability Test || Crypto B Join Nano-Miner: https://nano-miner.com/?11yt Join WazirX: https://wazirx.com/#/invite/dqbvm Join Koinex: https://koinex.in/?ref=f7eec1 Join Unocoin: https://www.unocoin.com/?referrerid=622800 Join Hashflare: https://hashflare.io/r/D706959D Subscribe for more updates :D https://www.youtube.com/channel/UCb2b0usjSr5niWyYLvmMrQA?disable_polymer=true **DISCLAIMER**: I am not a financial adviser nor am I giving financial advice. I am sharing my biased opinion based on speculation. You should not take my opinion as financial advice. You should always do your research before making any investment. You should also understand the risks of investing. This is all speculative investing.
Views: 454 Crypto B
States of Data - CompTIA Security+ SY0-401: 4.4
Security+ Training Course Index: http://professormesser.link/sy0401 Professor Messer’s Course Notes: http://professormesser.link/sy0401cn Frequently Asked Questions: http://professormesser.link/faq - - - - - The state of a piece of data will assist in determining the best way to secure it. In this video, you’ll learn about securing data in-transit, at-rest, and in-use. - - - - - Download entire video course: http://professormesser.link/401adyt Get the course on MP3 audio: http://professormesser.link/401vdyt Subscribe to get the latest videos: http://professormesser.link/yt Calendar of live events: http://www.professormesser.com/calendar/ FOLLOW PROFESSOR MESSER: Professor Messer official website: http://www.professormesser.com/ Twitter: http://www.professormesser.com/twitter Facebook: http://www.professormesser.com/facebook Instagram: http://www.professormesser.com/instagram Google +: http://www.professormesser.com/googleplus
Views: 16335 Professor Messer
Cognia - World’s first QSA-validated, PCI DSS Level 1 on a secure global cloud platform
Cognia is a leader in the provision of cloud-based communications and interaction intelligence solutions for enterprises and service providers. A single platform provides secure capture, storage, compliance and analytics solutions for multi-channel communications, including fixed-line and mobile, as well as all IP communications. Cognia's solutions include cloud-based call recording, the world's first QSA-validated, PCI DSS Level 1 service on a secure global cloud platform, and interaction analytics that form part of its communications intelligence suite. This replaces the high upfront capital and support costs of on-premise systems, with the flexibility to lower TCO to a level never before possible with traditional solutions. Many organizations have, or are legally required to hold, vast legacy archives of calls and communications. These can pose a serious data security risk if they contain card credentials. Inadequate storage, inappropriate access controls or data analysis could inadvertently expose such toxic data, leaving the organization at risk of a data breach or a non-compliance fine. Moving legacy archives to a secure, encrypted, offsite cloud location removes the risk. Cognia offers such a service to its customers and can cleanse the data, redacting potentially non-compliant data. Following this process Cognia can archive the data within its cloud or make the clean data once again available on-premise for use. Cognia's solutions are used world-wide by over 100 financial institutions, enterprises and service providers including Vodafone. Cognia has over 28 million media assets under management in its cloud.
Views: 313 Cognia Cloud Ltd
Crypto News | Bitcoin Runs! Sustainable? EOS Controversy! If Ripple Not Security = Coinbase Listing?
Hey guys, I know many of you weren't able to sign up to the technical analysis course due to issues with the page. Currently that's fixed and can be found here: http://bullandbearcrypto.com/crypto-ta-course/ If you want to learn TA tailored to the crypto space this course is for you. ---------------------------------------------------------------------------------------------------------- ⚡Links https://cointelegraph.com/news/india-former-legislator-in-bitcoin-extortion-case-declared-proclaimed-offender https://cointelegraph.com/news/us-federal-employees-to-disclose-crypto-holdings-following-new-guidance https://www.ccn.com/eos-vulnerability-will-lead-to-massive-exchange-hack-predicts-cornell-blockchain-researcher/ https://cointelegraph.com/news/square-receives-ny-bitlicense-cash-app-now-offers-btc-trading-for-new-york-users https://dailyhodl.com/2018/06/17/ripples-deal-with-us-treasury-defines-xrp-as-a-currency-not-a-security/ ---------------------------------------------------------------------------------------------------------- ⚡Connect With Me! 
Blog Posts/Updates/Insights/Thoughts: https://goo.gl/ngBDjd Updates Of Coins Ready To Break Out: https://goo.gl/3ZfehK Public Telegram Group: https://t.me/bullandbearcrypto Twitter.com: http://twitter.com/_bullandbear ---------------------------------------------------------------------------------------------------------- ⚡Support The Channel SUPPORT From As Little As $1 & Get EXCLUSIVE EXTRAS Patreon: http://patreon.com/bullandbear DONATE BTC - 1BFEFPG6ngis1J8WcoSp72jPAxqsNtmPJ3 ETH - 0x24C9b9555DD741CD39A004b758eC691A0e6Ea0bD LTC - LQnpKsvANZZe9ZoX6eMQpejxgogQs1kGpA DASH - Xi1Z2wVeCRGRtX4PvLUs4C8oVo1c7b22yr SECURE YOUR CRYPTO OFFLINE - Ledger Wallet: Grab A Ledger Hardware Wallet: https://www.ledgerwallet.com/r/df82 JOIN COINBASE - Buy Bitcoin, Ethereum, & Litecoin Buy Bitcoin & Get $10usd FREE by joining COINBASE https://www.coinbase.com/join/54cb9ac9e97f506b9600007e JOIN BINANCE - Buy Your Altcoins Looking to trade altcoins? I recommend BINANCE https://www.binance.com/register.html?ref=10967978 JOIN KUCOIN - Get Up And Coming Coins Before They List On Big Exchanges https://www.kucoin.com/#/?r=1g62w TRADING VIEW Want to look at the charts and do technical analysis? I recommend TRADING VIEW http://tradingview.go2cloud.org/aff_c?offer_id=2&aff_id=7172&url_id=23 ---------------------------------------------------------------------------------------------------------- ⚡Disclaimer: Read the Bull & Bear Financial Disclaimer Here: http://www.bullandbearcrypto.com/disclaimer
34C3 -  Unleash your smart-home devices: Vacuum Cleaning Robot Hacking
https://media.ccc.de/v/34c3-9147-unleash_your_smart-home_devices_vacuum_cleaning_robot_hacking Why is my vacuum as powerful as my smartphone? Did you ever want to run your own IoT cloud on your IoT devices? Or did you ever wonder what data your vacuum cleaning robot is transmitting to the vendor? Why does a vacuum cleaning robot need tcpdump? Nowadays IoT devices are getting more and more powerful and contain a lot of sensors. As most devices are connected directly to the vendor and transmit all data encrypted to the cloud, this may result in privacy issues. An IoT device with no internet connection lacks numerous features or is even unusable. We want to change that. We show you how to root a Xiaomi vacuum cleaning robot in order to get access to the underlying Linux operating system (Ubuntu 14.04 LTS), **without opening the device or tampering with the warranty seals**. Furthermore, we will have a look into the vendor's cloud interface and its commands, and will show you how to detach the device from the cloud and connect it to your local Smart Home system. Finally, we will demonstrate how to run Smart Home software directly on the vacuum cleaning robot itself. We will give you a detailed tour through the hardware and software components of the Xiaomi vacuum robot (generation 1). We will also publish a non-invasive method to get root access to your vacuum robot. After talking about the rooting procedure, we will discuss the internals of the robot. For example, the robot uses a so-called SLAM (Simultaneous Localization and Mapping) system with LIDAR (Light Detection And Ranging) and various other sensors to create maps of your apartment. These maps are used, among other things, to calculate the best cleaning path. We will show you what these maps look like and how they are stored in the robot. At the end, we will discuss which data are created and uploaded to the vendor, and why this may be a big privacy issue. We will also prove why it is a bad idea to leave IoT devices in an unconfigured state. Dennis Giese DanielAW https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9147.html
Views: 10452 media.ccc.de
Network Security - Public Key Infrastructure
Fundamentals of Computer Network Security Launch your career in cyber security. This specialization is intended for IT professionals, computer programmers, managers, and IT security professionals who would like to move up the ladder and who are seeking to develop network system security skills. Through four courses, we will cover Design and Analyze Secure Networked Systems, Develop Secure Programs with Basic Cryptography and Crypto API, Hacking and Patching Web Applications, Perform Penetration Testing, and Secure Networked Systems with Firewall and IDS, which will prepare you to perform tasks as Cyber Security Engineer, IT Security Analyst, and Cyber Security Analyst. Course 1 - Design and Analyze Secure Networked Systems University of Colorado System About this Course In this MOOC, we will learn the basic cyber security concepts and how to identify vulnerabilities/threats in a network system. We will apply the CIA basic security services in the triage of recent cyberattack incidents, such as the OPM data breach. We will learn the risk management framework for analyzing the risks in a network system, and apply the basic security design principles to protect the data and secure computer systems. We will examine the trustworthiness of programs and data installed in our systems and show the proper way to verify their integrity and authenticity. We will apply the principle of least privilege for controlling the shared access given to different groups of users and system processes. On Amazon Cloud instances, we will use GnuPG software to generate a public/private key pair for signing/verifying documents and open source software, and for encrypting documents. We will learn how to publish software, the related signature and release key on a web server, and how to publish the public key to a PGP key server for others to retrieve. We will learn about Public Key Infrastructure (PKI) and the Linux utility that serves as a CA for an organization, and learn how to sign certificate requests for clients or servers in secure email and web applications. Module 4 - Be a CA, Setup Secure Server and Client Certificate Edward Chow In this module, we will learn about Public Key Infrastructure (PKI), how a CA operates, and the certificate signing and verification process. We will utilize the utility command in a Linux system to serve as a CA for an organization, and learn how to sign certificate requests for clients or servers for both secure email and secure web access. We will learn how to generate server certificate requests as a webmaster, send them to the CA for signing, and install the signed certificates in the Apache web server for secure web access. We will also set up the Apache web server to require clients to present their client certificates for mutual authentication. We will also guide you through setting up a client certificate in a browser for mutual authentication and in a mail client for signing and encrypting emails. Learning Objectives • By the end of this module, you should be able to set up PKI using Linux. • By the end of this module, you should be able to serve as a CA to sign certificates for your own organization. • By the end of this module, you should be able to set up a secure web server certificate as a webmaster. • By the end of this module, you should be able to set up a client browser with a client certificate and set up a server for mutual authentication.
Views: 348 intrigano
Resiliency and Automation - CompTIA Security+ SY0-501 - 3.8
Security+ Training Course Index: http://professormesser.link/sy0501 Professor Messer's Course Notes: http://professormesser.link/501cn Frequently Asked Questions: http://professormesser.link/faq - - - - - In the cloud, things happen fast. In this video, you'll learn how resiliency and automation can be used to maintain the uptime and availability of these dynamic computing platforms. - - - - - Subscribe to get the latest videos: http://professormesser.link/yt Calendar of live events: http://www.professormesser.com/calendar/ FOLLOW PROFESSOR MESSER: Professor Messer official website: http://www.professormesser.com/ Twitter: http://www.professormesser.com/twitter Facebook: http://www.professormesser.com/facebook Instagram: http://www.professormesser.com/instagram Google +: http://www.professormesser.com/googleplus
Views: 6761 Professor Messer
Understanding L1 Terminal Fault (aka Foreshadow) from Red Hat
L1 Terminal Fault (L1TF)--also known as Foreshadow--is a security vulnerability that allows unauthorized users to access information from Intel processor based servers and cloud environments. In this video, Red Hat computer architect Jon Masters provides a technical overview on how the flaw works and what companies can do about it. To read Jon’s full blog post on L1TF, visit: https://red.ht/2MpetWt
Views: 11534 Red Hat Videos
DEFCON 19: Hacking Google Chrome OS
Speakers: Kyle 'Kos' Osborn Application Security Specialist, WhiteHat Security | Matt Johansen Application Security Specialist, WhiteHat Security Google recently announced Chrome OS powered computers, called Chromebooks, at Google I/O and the company is getting ready to market them to businesses as well as consumers. What's different about Chrome OS and Chromebooks, other than the entire user experience taking place exclusively in a Web browser (Google Chrome), is that everything takes place in the cloud. Email, document writing, calendaring, social networking - everything. From a security perspective this means that all website and Web browser attack techniques, such as Cross-Site Scripting, Cross-Site Request Forgery, and Clickjacking, have the potential of circumventing Chrome OS's security protections and exposing all of the user's data. Two members of WhiteHat Security's Threat Research Center, Matt Johansen and Kyle Osborn, have spent months hacking away on Google's Cr-48 prototype laptops. They discovered a slew of serious and fundamental security design flaws that with no more than a single mouse-click may victimize users by: • Exposing all user email, contacts, and saved documents. • Conducting high-speed scans of their intranet and revealing active host IP addresses. • Spoofing messages in their Google Voice account. • Taking over their Google account by stealing session cookies, and in some cases doing the same on other visited domains. While Chrome OS and Chromebooks have some impressive and unique security features, they are not all-encompassing. Google was informed of the findings, some vulnerabilities were addressed, bounties generously awarded, but many of the underlying weaknesses yet remain -- including for evil extensions to be easily made available in the WebStore, the ability for payloads to go viral, and JavaScript malware surviving reboot. With the cloud and web-based operating systems poised to make an impact on our computing future, Matt and Kyle are ready to share all their never-before-seen research through a series of on-stage demonstrations. For more information visit: http://bit.ly/defcon19_information To download the video visit: http://bit.ly/defcon19_videos Playlist Defcon 19: http://bit.ly/defcon19_playlist
Views: 6176 Christiaan008
Confidential Computing
Confidential computing allows users to upload encrypted code and data to the cloud and get encrypted results back with guaranteed privacy. Confidential computing means cloud providers can’t see customers’ secrets even if cloud administrators are malicious or hackers have exploited kernel bugs in hosts. This session discusses research on confidential computing, including secure hardware containers, operating systems, compilers for secure code generation, cryptography, and redesigning cloud services. See more at https://www.microsoft.com/en-us/research/video/confidential-computing/
Views: 363 Microsoft Research
Defcon 19: Panel: Is it 0-day or 0-care?
This video is part of the Infosec Video Collection at SecurityTube.net: http://www.securitytube.net Vulnerability Databases (VDBs) have provided information about security vulnerabilities for over 10 years. This has put VDBs in a unique position to understand and analyze vulnerability trends and changes in the security industry. This panel presentation will examine vulnerability information over the past several years with an emphasis on understanding security researchers, quality of research, vendors, disclosure trends and the value of security vulnerabilities. The emotional debate surrounding Full Disclosure has raged on for decades. This panel will use grounded data to discuss salient points of the debate to hopefully determine trends that may influence the debate. Maybe even in a positive fashion! Jake Kouns is the co-founder, CEO, and CFO of the Open Security Foundation (OSF), a non-profit organization that oversees the operations of the Open Source Vulnerability Database (OSVDB.org), Cloutage.org and DataLossDB. All projects are independent and open source databases that provide detailed and unbiased technical information on security vulnerabilities, cloud security and data loss incidents world-wide. Mr. Kouns has presented at many well-known security conferences including RSA, CISO Executive Summit, EntNet IEEE GlobeCom, CanSecWest and SyScan. He is the co-author of the book Security in an IPv6 Environment, Francis and Taylor, 2009, and Information Technology Risk Management in Enterprise Environments, Wiley, 2010. He holds both a Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. In addition, he holds a number of certifications including ISC2's CISSP, and ISACA's CISM, CISA and CGEIT. Brian Martin has been maintaining or contributing to vulnerability databases since 1993.
As the content manager for the Open Source Vulnerability Database (OSVDB), he is constantly exposed to new challenges in vulnerability management. A long-time advocate of vulnerability database evolution, he has helped push VDBs forward and challenged them to become more useful and more thorough. No degree or certifications; just 18 years working with vulnerabilities as part of the day job and hobbies. He remains a champion of small misunderstood creatures. Steve Christey is a Principal Information Security Engineer in the Security and Information Operations Division at The MITRE Corporation. He is the editor of the Common Vulnerabilities and Exposures (CVE) list, Chair of the CVE Editorial Board, and technical lead for the Common Weakness Enumeration (CWE), CWSS, and the CWE/SANS Top 25 Most Dangerous Software Errors. He has been an active contributor to other efforts including NIST's Static Analysis Tool Exposition (SATE), the Common Vulnerability Scoring System (CVSS), the SANS Secure Programming exams, and is a co-author of the influential "Responsible Vulnerability Disclosure Process" IETF draft with Chris Wysopal in 2002. His current interests include secure software development and testing, consumer-friendly software security metrics, the theoretical underpinnings of vulnerabilities, and vulnerability research. He holds a B.S. in Computer Science from Hobart College. Carsten Eiram comes from an esrever engineering background and is a vulnerability connoisseur during the day with extensive experience in the fields of vulnerability research and Vulnerability Intelligence. At night, he's a binary ninja having successfully stalked, found, and killed many critical vulnerabilities in popular software from major software vendors.
Carsten is currently the Chief Security Specialist at Secunia and holds the dual responsibility of developing and managing the Secunia Research unit as well as maintaining close dialogue with software vendors and the security community, thereby ensuring both the quality and integrity of Secunia's work. He is often referred to as the Security Beast, but has yet to manage getting that title on to his business c
Views: 309 SecurityTubeCons
How Enterprises Migrate (Securely) to Cloud (Google Cloud Next '17)
In this video, Leonard Law, Sol Cates, Roy Feintuch, and Patrick Lecuyer discuss common concerns and solutions for enterprises who are starting their Cloud migration journey. They discuss strategies that customers can adopt to keep their data safe, retain operational control, and integrate with existing infrastructure and applications. Missed the conference? Watch all the talks here: https://goo.gl/c1Vs3h Watch more talks about Infrastructure & Operations here: https://goo.gl/k2LOYG
Views: 8639 Google Cloud Platform
International Journal on Cryptography and Information Security ( IJCIS)
Scope & Topics International Journal on Cryptography and Information Security (IJCIS) is an open access peer reviewed journal that focuses on cutting-edge results in applied cryptography and information security. It aims to bring together scientists, researchers and students to exchange novel ideas and results in all aspects of cryptography, coding and information security. Topics of interest include but are not limited to the following:
- Cryptographic protocols
- Cryptography and Coding
- Untraceability
- Privacy and authentication
- Key management
- Authentication
- Trust Management
- Quantum cryptography
- Computational Intelligence in Security
- Artificial Immune Systems
- Biological & Evolutionary Computation
- Intelligent Agents and Systems
- Reinforcement & Unsupervised Learning
- Autonomy-Oriented Computing
- Coevolutionary Algorithms
- Fuzzy Systems
- Biometric Security
- Trust models and metrics
- Regulation and Trust Mechanisms
- Data Integrity
- Models for Authentication, Trust and Authorization
- Wireless Network Security
- Information Hiding
- Data & System Integrity
- E-Commerce
- Access Control and Intrusion Detection
- Intrusion Detection and Vulnerability Assessment
- Authentication and Non-repudiation
- Identification and Authentication
- Insider Threats and Countermeasures
- Intrusion Detection & Prevention
- Secure Cloud Computing
- Security Information Systems Architecture and Design and Security Patterns
- Security Management
- Security Requirements (threats, vulnerabilities, risk, formal methods, etc.)
- Sensor and Mobile Ad Hoc Network Security
- Service and Systems Design and QoS Network Security
- Software Security
- Security and Privacy in Mobile Systems
- Security and Privacy in Pervasive/Ubiquitous Computing
- Security and Privacy in Web Services
- Security and Privacy Policies
- Security Area Control
- Security Deployment
- Security Engineering
- Security for Grid Computing
- Security in Distributed Systems
Paper Submission Authors are invited to submit papers for this journal through the submission system. Submissions must be original and should not have been published previously or be under consideration for publication while being evaluated for this journal. For the paper format, download the template on this page.
Views: 9 ijcis journal
1. Introduction, Threat Models
MIT 6.858 Computer Systems Security, Fall 2014 View the complete course: http://ocw.mit.edu/6-858F14 Instructor: Nickolai Zeldovich In this lecture, Professor Zeldovich gives a brief overview of the class, summarizing class organization and the concept of threat models. License: Creative Commons BY-NC-SA More information at http://ocw.mit.edu/terms More courses at http://ocw.mit.edu
Views: 329944 MIT OpenCourseWare
USENIX Security '17 - CLKSCREW: Exposing the Perils of Security-Oblivious Energy Management
Adrian Tang, Simha Sethumadhavan, and Salvatore Stolfo, Columbia University Distinguished Paper Award Winner! The need for power- and energy-efficient computing has resulted in aggressive cooperative hardware-software energy management mechanisms on modern commodity devices. Most systems today, for example, allow software to control the frequency and voltage of the underlying hardware at a very fine granularity to extend battery life. Despite their benefits, these software-exposed energy management mechanisms pose grave security implications that have not been studied before. In this work, we present the CLKSCREW attack, a new class of fault attacks that exploit the security-obliviousness of energy management mechanisms to break security. A novel benefit for the attackers is that these fault attacks become more accessible since they can now be conducted without the need for physical access to the devices or fault injection equipment. We demonstrate CLKSCREW on commodity ARM/Android devices. We show that a malicious kernel driver (1) can extract secret cryptographic keys from Trustzone, and (2) can escalate its privileges by loading self-signed code into Trustzone. As the first work to show the security ramifications of energy management mechanisms, we urge the community to re-examine these security-oblivious designs. View the full program: https://www.usenix.org/sec17/program
Views: 2219 USENIX
DEF CON 22 - Jim Denaro and Tod Beardsley - How to Disclose an Exploit Without Getting in Trouble
Slides Here: https://www.defcon.org/images/defcon-22/dc-22-presentations/Denaro-Beardsley/DEFCON-22-Jim-Denaro-Tod-Beardsley-How-to-Disclose-and-Exploit-UPDATED.pdf How to Disclose an Exploit Without Getting in Trouble Jim Denaro CIPHERLAW Tod Beardsley ENGINEERING MANAGER, METASPLOIT PROJECT You have identified a vulnerability and may have developed an exploit. What should you do with it? You might consider going to the vendor, blogging about it, or selling it. There are risks in each of these options. This session will cover the risks to security researchers involved in publishing or selling information that details the operation of hacks, exploits, vulnerabilities and other techniques. This session will provide practical advice on how to reduce the risk of legal action and suggest several approaches to responsible disclosure. Jim Denaro (@CipherLaw) is the founder of CipherLaw, a Washington, D.C.-based consultancy and focuses his practice on the legal, technical, and ethical issues faced by innovators in information security. Jim is a frequent speaker and writer on legal issues in information security and has experience in a wide range of technologies, including intrusion detection and prevention, botnet investigation, malware discovery and remediation, and cryptography. Jim is a regular consultant on responsible disclosure policies and is involved in programs to shield researchers who disclose responsibly. Jim has completed professional coursework at MIT and Stanford in computer security and cryptography. He also holds technical certifications from the Cloud Security Alliance (CCSK) and Cisco Systems (CCENT), and has passed the CISSP examination (pending certification). Before becoming an attorney, Jim spent obscene amounts of time looking at PPC assembly in MacsBug. Tod Beardsley (@todb) is engineering manager for the open source Metasploit project, as well as one of the core developers on the framework. 
His background is primarily in intrusion prevention, vulnerability assessment and identification, anti-fraud/anti-phishing countermeasures, penetration testing and compliance auditing, intrusion detection and response, protocol analysis, and host hardening. He is also interested in computer crime forensics and recovery, reverse engineering and binary analysis, steganographic communication channels, and cryptography in general. Tod’s technical specialties include protocol analysis and reverse engineering, intrusion detection and prevention, phishing and online fraud, open source software engineering collaboration, and application vulnerability research and exploitation.
Views: 3077 DEFCONConference
Super Simple Application Security with Apache Shiro
Learn about the benefits of the Apache Shiro security framework, from the founder of the project himself, Les Hazlewood. This event was held on September 12, 2010 by the San Francisco Java User Group. In his talk, Les covers: - the benefits of Shiro over alternatives like JAAS or Spring Security - the core architectural concepts of the framework - how to enable all four cornerstones for any application (standalone, mobile phone, web based, etc) - an overview of Shiro's innovative web support module and security filtering capabilities - a short Shiro-based application demo Check out marakana.com to learn more about Java and open source. Go to marakana.com/techtv to watch more educational videos on open source.
Views: 25419 UserGroupsatGoogle
3rd BIU Winter School on Cryptography: Anonymous Credentials and eCash - Anna Lysyanskaya
The 3rd Bar-Ilan Winter School on Cryptography: Bilinear Pairings in Cryptography, which was held between February 4th - 7th, 2013. The event's program: http://crypto.biu.ac.il/winterschool2013/schedule2013.pdf For All 2013 Winter school Lectures: http://www.youtube.com/playlist?list=PLXF_IJaFk-9C4p3b2tK7H9a9axOm3EtjA&feature=mh_lolz Dept. of Computer Science: http://www.cs.biu.ac.il/ Bar-Ilan University: http://www1.biu.ac.il/indexE.php
Views: 977 barilanuniversity
Defcon 2012: Cryptohaze Cloud Cracking by Bitweasil
This is the official Defcon 2012 video from Bitweasil's Cryptohaze Cloud Cracking talk. It covers using the Cryptohaze password cracking suite in various cloud settings and discusses WebTables for remote rainbow table access without having to download tables. https://www.cryptohaze.com/ Slides: https://cryptohaze.com/slides/Cryptohaze%20DC20%20Final%20Slides.pdf Writeup: http://blog.cryptohaze.com/2012/08/cryptohaze-cloud-cracking-slides-writeup.html WebTables: https://webtables.cryptohaze.com/
Views: 6239 Bitweasil
Application Patch Management - CompTIA Security+ SY0-301: 4.1
See our entire index of CompTIA Security+ videos at http://www.FreeSecurityPlus.com - For the best security, you'll want to always keep your applications and operating systems up-to-date. In this video, you'll learn about application patch management, OS updates, and some of the challenges associated with application patch management.
Views: 11478 Professor Messer
DEF CON 24 - Alex Chapman and Paul Stone - Toxic Proxies: Bypassing HTTPS
Rogue access points provide attackers with powerful capabilities, but in 2016 modern privacy protections such as HTTPS Everywhere, free TLS certificates and HSTS are de-facto standards. Surely our encrypted traffic is now safe on the local coffee shop network? If not, my VPN will definitely protect me… right? In this talk we’ll reveal how recent improvements in online security and privacy can be undermined by decades-old design flaws in obscure specifications. These design weaknesses can be exploited to intercept HTTPS URLs and proxy VPN-tunneled traffic. We will demonstrate how a rogue access point or local network attacker can use these new techniques to bypass encryption, monitor your search history and take over your online accounts. No logos, no acronyms; this is not a theoretical crypto attack. We will show our techniques working on $30 hardware in under a minute. Online identity? Compromised. OAuth? Forget about it. Cloud file storage? Now we’re talking. Bio: Alex Chapman is a Principal Security Researcher at Context Information Security in the UK, where he performs vulnerability discovery, exploit development, bespoke protocol analysis and reverse engineering. He has been credited in security advisories for a number of major software products for vendors such as Citrix, Google, Mozilla and VMware, and has presented his research at security conferences around the world. He has spent the past several months making things (for a change), poking holes in old technologies, and pointing out security flaws which have no place in modern-day software. Paul Stone is a Principal Security Researcher at Context Information Security in the UK, where he performs vulnerability research, reverse engineering, and tool development. He has a focus on browser security and has reported a number of vulnerabilities in the major web browsers including Chrome, Internet Explorer, Firefox, and Safari.
He has spoken at a number of Black Hat conferences, presenting the well-received ‘Pixel-Perfect Timing Attacks’ and ‘Next Generation Clickjacking’ talks. Paul’s recent obsession has been Bluetooth LE and has helped create the RaMBLE Android app for collecting and analyzing BLE data.
Views: 2508 DEFCONConference
Webinar: Identity-Defined Networking Makes Networking & Security Less Complex
Transform how you network, provision, and secure IP resources across your remote, enterprise and cloud infrastructures. Our Identity-Defined Networking (IDN) fabric lets you dynamically connect anything, anywhere (even private and non-routable resources) across physical, virtual, cloud or cellular networks. Tempered Networks’ game-changing architecture, based on cryptographic identities, makes networking and security easy, scalable, and seamless. Through our unified secure networking platform, complexity is abolished and point product investments are eliminated. #IDNFabric #CryptographicIdentity For more information, please visit: https://www.temperednetworks.com/solutions Watch More Videos Like This: https://www.youtube.com/channel/UCjclzutRqQ_pBdbyAQRW5sQ Learn More: Twitter: https://twitter.com/TemperedNW Facebook: https://www.facebook.com/temperednetworks/ LinkedIn: https://www.linkedin.com/company/tempered-networks/
Views: 484 Tempered Networks
How To PAY LESS FEES for Bitcoin transactions with JAXX WALLET
How to customize your fees with Jaxx Wallet. Official website: https://jaxx.io/ Fee stats: https://bitcoinfees.earn.com/ Fee accelerator: https://pushtx.btc.com/ Fee Helper: https://twitter.com/CoreFeeHelper If you are new to Bitcoin, you will find it hard to get your hands on some at first, so here is a list of the most popular websites to buy Bitcoin. 🚩 Get $10 worth of Bitcoin on your first $100 crypto purchase from Coinbase with my link: https://bit.ly/2I21PqS 🚩 Mining: I have used the services of Genesis Mining since 2016. Use the code 28Xwzx and get a discount every time you purchase hashpower to mine Bitcoin or Ethereum, Monero, Lite, Dash and more at: https://www.genesis-mining.com/ 🚩🚩Discount Code - 28Xwzx (apply at the point of purchase) 💎Popular websites to BUY: •BitPanda (BTC, ETH, DASH) https://web.bitpanda.com/user/register/2639074542341382013 •Coinbase (BTC, ETH, LTC) https://www.coinbase.com/join/571eee3ad3a90931e9000055 •Coinmama (BTC, ETH) https://www.coinmama.com/?ref=busyjordy •Local Bitcoins - localbitcoins.com •Payeer: https://payeer.com/?partner=2567274 •Kraken - https://www.kraken.com/ 🏆 Other popular Crypto Exchanges: •Binance http://bit.ly/2AMfkXA •Kucoin http://bit.ly/2Fq9FKc •HitBtc: https://bit.ly/2rcvpE1 •Changelly http://bit.ly/2wB4g1D (good for instant coin swaps) NEW: Decentralized exchange - register here: 📄https://www.altcoin.io?kid=KQZ7C 💎Useful wallets with instant-exchange features: ►Coinomi: https://coinomi.com (android mobile app) ►Exodus: https://www.exodus.io/ (desktop app) ►Jaxx: https://jaxx.io/ (chrome ext; desktop app; mobile app) ►Coinpayments: http://bit.ly/2gkpJ3Z 💻Find me on social media: ►Facebook: https://goo.gl/7fRuDH ►Twitter: https://twitter.com/busyjordy
Views: 329 OJ Jordan
Symmetric Key Encryption and Data Authentication
Dig a little deeper into symmetric key encryption to find out about one of the basic methods of encrypting data and a simple algorithm for checking that the data is authentic.
Views: 477 Vidder, Inc.
VPN Concentrators - CompTIA Security+ SY0-501 - 2.1
Security+ Training Course Index: http://professormesser.link/sy0501 Professor Messer’s Course Notes: http://professormesser.link/501cn Frequently Asked Questions: http://professormesser.link/faq - - - - - A virtual private network (VPN) is a valuable security technique that’s commonly used to protect data sent across insecure networks. In this video, you’ll learn about VPN technologies, types of VPN implementations, and how IPsec protocols are used to protect your data at the packet level. - - - - - Subscribe to get the latest videos: http://professormesser.link/yt Calendar of live events: http://www.professormesser.com/calendar/ FOLLOW PROFESSOR MESSER: Professor Messer official website: http://www.professormesser.com/ Twitter: http://www.professormesser.com/twitter Facebook: http://www.professormesser.com/facebook Instagram: http://www.professormesser.com/instagram Google +: http://www.professormesser.com/googleplus
Views: 22191 Professor Messer
Social Encryption with Keybase.io, Hak5 1715
This time on the show, Shannon and Darren explore Keybase.io, a cross between a social network and a crypto keyserver. All that and more, this time on Hak5. Keybase is a website, and an open source command line program, that allows you to get a public key safely just by knowing a person's username on a social network. When signing up, your Keybase passphrase is never sent to Keybase servers; rather, it's salted and stretched with scrypt in the browser. It's currently in alpha, so you must get an invite from another Keybase user. When you sign up, you can create your profile via the website or the command line program. You should update your profile with a photo, bio, and a public key. If you don't have a public key you can create one via Keybase. It'll create a 4096-bit key pair. Your key pair will be created for you, and your encrypted private key will be made available to you as well. Why is it so cool? Keybase can match up the Keybase user, like Darren, with his true public key, his social network identities, and any public posts about his public key. Once you're satisfied that the person, Darren, is actually the real Darren, you can encrypt a message to him and paste it in your email or wherever. GPG takes care of the encryption, using the verified public key. What's great is that I don't need to know Darren's username on Keybase to encrypt a message for him. If I know his Twitter username, and he has verified his public key via Twitter and Keybase, I can use @hak5darren to send him an encrypted message. If he has verified his Reddit, GitHub, etc., I can use those usernames too. You can verify your identity on various platforms like Twitter, GitHub, Reddit, your own site, and Coinbase. How do you get verified? Here's what I did on Twitter: https://keybase.io/shannonmorse/sigs/FxRDWvEK2ZJfw9wJ2ZgVydZapcollBUMPUWV You can sign, verify, encrypt, and decrypt through Keybase.
You can also "track" people. Without tracking, each time you want to encrypt something for Darren, or verify his signed message, Keybase needs to prove his identity again. You may see people start "tracking" you on your profile. The more people you have tracking you, the more verifiable your account is. Think of it like Twitter "following," but it checks his proofs and then, if you're happy, it signs a snapshot of those proofs with your private key for portability and non-malleability. This allows you to move from machine to machine and have his information proven along the way, so you don't have to re-prove his identity every time.
Views: 15693 Hak5
DEF CON 22 - Dan Kaminsky - Secure Random by Default
Secure Random By Default. Dan Kaminsky, Chief Scientist, White Ops. As a general rule in security, we have learned that the best way to achieve security is to enable it by default. However, across operating systems and languages, random number generation is always exposed via two separate and most assuredly unequal APIs -- insecure and default, and secure but obscure. Why not fix this? Why not make JavaScript and PHP and Java and Python and even libc rand() return strong entropy? What are the issues stopping us? Should we just shell back to /dev/urandom, or is there merit to userspace entropy gathering? How do fork() and virtualization impact the question? What of performance, and memory consumption, and headless machines? Turns out the above questions are not actually rhetorical. Just because a change might be a good idea doesn't mean it's a simple one. This will be a deep dive, but one that I believe will actually yield a fix for the repeated *real world* failures of random number generation systems. Dan Kaminsky has been a noted security researcher for over a decade, and has spent his career advising Fortune 500 companies such as Cisco, Avaya, and Microsoft. Dan spent three years working with Microsoft on their Vista, Server 2008, and Windows 7 releases. Dan is best known for his work finding a critical flaw in the Internet’s Domain Name System (DNS), and for leading what became the largest synchronized fix to the Internet’s infrastructure of all time. Of the seven Recovery Key Shareholders who possess the ability to restore the DNS root keys, Dan is the American representative. Dan is presently developing systems to reduce the cost and complexity of securing critical infrastructure.
Views: 24585 DEFCONConference
Security News 29/03/2015: Barbie, Rowhammer, FREAK, Android encryption, Panda anti-malware
Some recent news stories:
Android Lollipop will not encrypt by default.
FREAK
* Factoring attack on RSA-EXPORT Keys
* Many implementations of SSL contain both strong encryption algorithms and weak encryption algorithms (export-grade encryption)
* This attack works by forcing a weak option, then cracking it
Rowhammer
* Vulnerability in Dynamic Random Access Memory (DRAM): repeatedly accessing a certain row of transistors causes a change in the next row of transistors
* A process can induce bit flips in page table entries (PTEs) to gain write access to its own page table, and hence gain read-write access to all of physical memory
Panda Antivirus flags itself as malware.
Eavesdropping Barbie
* Voice recordings sent to the cloud for processing
* For providing a chat-bot AI