Strong Authentication (Michal Sobiegraj)
8 likes1,277 views
This document discusses strong authentication methods that use two factors of identification. It describes traditional methods like ATM cards that use something you have (the card) and something you know (the PIN). Modern methods discussed include one-time passwords, smart cards, and out-of-band authentication using a mobile phone for an extra layer of security beyond just a password. The document analyzes the security and weaknesses of various knowledge-based and ownership-based authentication approaches.
1 of 84
Recommended
Passwords
PasswordsKevin OBrien
Ìý
The subject of passwords is important today since they protect all of your accounts, and are frequently attacked by crackers. In this presentation I examine the technology used to handle and protect passwords, and make recommendations for what the user can do to protect themselves online.C:\Fakepath-6 09 10 Financial Fraud Webinar
C:\Fakepath-6 09 10 Financial Fraud WebinarTechBiz Forense Digital
Ìý
The document discusses advanced fraud detection challenges in the financial sector. Cybercrime is growing more sophisticated as attacks now come from smart hackers targeting high-value systems and users. Traditional defenses using signatures are ineffective against modern threats like spear phishing, coordinated hacker attacks, malware, and insider threats. The document argues a new approach is needed that can detect patterns across networked systems, privileged users, and applications to spot fraud early. It provides examples of how advanced detection techniques can identify attacks including botnets, man-in-the-browser, and compromised insider accounts.HIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
HIS 2015: Tom Chothia - Formal Security of Critical InfrastructureAdaCore
Ìý
Formal security analysis methods like the applied pi calculus and ProVerif tool can help analyze critical infrastructure systems by finding vulnerabilities. The speaker discusses past work analyzing e-passports, EMV cards, basic access control for passports, and contactless payments. Formal modeling of a European train control system found issues like messages could be replayed or delayed without detection. The conclusion emphasizes that formal methods help analysts thoroughly examine systems and have found issues missed by other analyses, especially for proprietary crypto.Wireless Hotspot: The Hackers Playground
Wireless Hotspot: The Hackers PlaygroundJim Geovedi
Ìý
This document discusses security issues with publicly accessible wireless hotspot networks. It begins with an overview of how wireless hotspots work and then explores various ways hackers could exploit vulnerabilities, including using default or guessable credentials, tunneling to bypass restrictions, hijacking active sessions, and discovering private user information by guessing room numbers. It demonstrates tools and techniques a hacker could use to decrypt passwords, access administrative interfaces, and steal credit card details from poorly secured hotspot systems. The goal is to raise awareness of inherent security flaws in hotspot networks and promote safer mobile computing practices.Os Nightingale
Os Nightingaleoscon2007
Ìý
The document discusses improving security user interfaces (UIs) on web browsers. It proposes replacing the ubiquitous padlock icon with an identity indicator called "Larry" that clearly shows website identity using extended validation certificates. Larry is evaluated against five rules for good security UI ("MRRAB"): meaningful, relevant, robust, available, and brave. The document also considers other aspects of security UI and explores ideas like using social connections and past browsing history to help users identify legitimate websites. It aims to spark discussion on making security indicators more understandable and effective for users.Smartcards and Authentication Tokens
Smartcards and Authentication Tokenssaniacorreya
Ìý
Authentication tokens are used to prove one's identity electronically. They can be hardware or software based, and use passwords, cryptographic keys, or biometric data to authenticate users. Time-synchronized one-time password tokens generate new passwords constantly, while algorithm-based tokens use complex math to generate unguessable one-time passwords. Connected tokens transmit authentication data automatically when connected, while disconnected tokens require manual entry of generated passwords. Smart cards are a type of disconnected token that store and process data using an embedded microchip, providing secure multi-factor authentication through passwords, cryptography, and potentially biometric data.Cyber Safety 101
Cyber Safety 101Jeff Niebaum, M.A
Ìý
Learn about basic cybersecurity tips for protecting your computes, accounts and personal information. Topics include passwords and authentication, proactive defense against unwanted software and how to keep your devices current with security updates. Atm using finger print
Atm using finger printManoranjan Roy
Ìý
This document proposes adding fingerprint authentication to ATM security to address weaknesses in traditional PIN-based security. The objective is to provide biometric security through fingerprint scanning. Fingerprints provide highly accurate identification compared to traditional security methods. Advantages include ease of use, inability to forget or lose fingerprints, and standardization. Disadvantages include potential for misidentification, high cost, and difficulties for some users like those with injuries affecting fingerprints. The conclusion is that fingerprint security provides stability, reliability, and ease of use for ATM access.Authentication Technologies
Authentication TechnologiesNicholas Davis
Ìý
This document provides an overview of authentication topics, including:
- Defining authentication and the three main electronic authentication factors: something you know, something you have, something you are.
- Discussing common authentication methods like usernames/passwords and their benefits and drawbacks.
- Covering other authentication methods such as one-time passwords, biometrics, digital certificates, and knowledge-based authentication.
- Identifying issues with initial credentialing and key concepts regarding the state of digital authentication.Authentication technologies
Authentication technologiesNicholas Davis
Ìý
This document provides an overview of authentication topics, including:
- Defining authentication and the three main electronic authentication factors: something you know, something you have, something you are.
- Discussing common authentication methods like usernames/passwords and their benefits and drawbacks.
- Explaining one-time password devices, biometric authentication, and digital certificates.
- Identifying issues with current authentication techniques and outlining key concepts regarding authentication.Web Security
Web SecurityBharath Manoharan
Ìý
Web security involves protecting information transmitted over the internet from attacks like viruses, worms, trojans, ransomware, and keyloggers. Users can help secure themselves by using antivirus software, avoiding phishing scams, and reporting spam. Larger attacks often involve botnets, which are networks of infected computers that can overwhelm websites and services with traffic through distributed denial of service attacks.More Issues on Digital Identity (24Feb2023)
More Issues on Digital Identity (24Feb2023)Hitoshi Kokumai
Ìý
Here are the discussions that are mentioned in P19 of "Fend Off Cyberattack with Episodic Memory"
/HitoshiKokumai/fend-off-cyberattack-with-episodic-memory-24feb2023
Cryptographic authentication
Cryptographic authenticationnirmal08
Ìý
This document discusses user authentication and host-to-host authentication. It describes several methods of user authentication including passwords, one-time passwords, smart cards, and biometrics. It also discusses network-based authentication and cryptographic techniques for host-to-host authentication, noting that cryptographic authentication provides stronger authentication but requires solutions to issues like securing the key distribution center and protecting hosts' cryptographic keys.Beyond Security Theater -- With a CTF
Beyond Security Theater -- With a CTFSam Bowne
Ìý
A talk for the CCSF CyberClub by Sam Bowne
Nov 13, 2018
CTF at https://samsclass.info/141/proj/ob-ctf.htmWorkshop on 03 11-2012
Workshop on 03 11-2012Gaurav Gautam
Ìý
The document summarizes a workshop on cryptography and ethical hacking. It discusses several modules that will be covered, including cryptography concepts, Windows password hacking, phishing and data security, SQL injection and webcam hacking, and batch programming and viruses. For the first module on cryptography concepts, the document provides an overview of topics like threats to electronic communications, cryptography principles, message digests, symmetric and asymmetric cryptography, practical cryptography implementation, the role of public authorities, and conclusions. Examples of cryptographic algorithms and standards like DES, RSA, and digital certificates are also outlined.Secrets of Top Pentesters
Secrets of Top Pentestersamiable_indian
Ìý
This document outlines tips and techniques used by penetration testers. It begins with an introduction explaining that penetration testing involves both standardized methodologies as well as improvisation. The document then provides several tips related to reconnaissance, scanning, networking, passwords, and reporting from penetration tests. Each tip is meant to help save time, enable hacks that otherwise wouldn't be possible, or better help clients understand security risks. Overall, the tips suggest using common tools and techniques creatively to find and exploit security vulnerabilities.Beyond The Padlock: New Ideas in Browser Security UI
Beyond The Padlock: New Ideas in Browser Security UImozilla.presentations
Ìý
Johnathan Nightingale of Mozilla Corporation presents ideas for improving browser security user interfaces (UI). He argues that existing security UIs like padlocks are sparse, incomprehensible, and not carefully designed. He proposes five rules for good security UI: be meaningful, relevant, robust, available, and brave. As an example, he suggests replacing padlocks with "Larry", an identity indicator that clearly shows website identity and is based on standardized Extended Validation certificates. The presentation concludes by discussing additional aspects of security UI and soliciting further ideas and discussion.How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AlivePositive Hack Days
Ìý
Sergey Gordeychik gave a presentation on how to hack telecom networks and stay alive. He discussed that telecom networks have many perimeters including subscribers, partners, offices, and technology networks. He outlined specific attacks such as gaining unauthorized access to subscriber self-service portals or exploiting vulnerabilities in VoIP infrastructure. Gordeychik emphasized that telecom networks are complex with many third-party systems, exotic technologies, and administrative issues that can enable attacks if not properly secured. Forensics after an attack can also be very challenging in these large, dynamic networks.Computer Security
Computer SecurityFrederik Questier
Ìý
F. Questier, Computer security, workshop for Lib@web international training program 'Management of Electronic Information and Digital Libraries', university of Antwerp, October 2015Revisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sOlga Kochetova
Ìý
The document discusses vulnerabilities in ATM systems that can allow attackers to steal cash or users' financial information. It provides examples of past malware attacks on ATMs and describes technical methods attackers have used to gain unauthorized access and control of ATM components like card readers, cash dispensers, and PIN pads. The authors argue that current security measures are insufficient and that vendors prioritize profits over fixing issues. They call for implementing stronger authentication of ATM devices and transactions to help address ongoing threats.How to secure electronic passports
How to secure electronic passportsRiscure
Ìý
The document discusses how to secure electronic passports. It outlines passport threats like forgery and look-alike fraud. It then summarizes available protection mechanisms under ICAO standards, including storing certificates and biometrics on chips. It analyzes security challenges for inspection terminals and accessing personal data. It concludes that while electronic passports improve forgery protection, look-alike fraud remains an issue without reliable biometrics, and contactless chips introduce privacy concerns.Trends in electronic crimes and its impact on businesses like yours
Trends in electronic crimes and its impact on businesses like yoursMotherGuardians
Ìý
The USSS discusses its dual mission of presidential protection and investigating financial crimes such as counterfeiting, identity theft, and cyber crimes. It outlines current cyber crime trends like skimming devices, network intrusions, point of sale breaches, targeted malware, and data breaches. It then provides a case study of how a network intrusion investigation may proceed, from initial detection to identifying compromised systems and retrieving stolen data.DEF CON 23 - Weston Hecker - goodbye memory scraping malware
DEF CON 23 - Weston Hecker - goodbye memory scraping malwareFelipe Prado
Ìý
This document summarizes a talk given by Weston Hecker on his new open source anti-malware software called Skimbad. Hecker has over 11 years experience in security research and penetration testing. Skimbad aims to stop credit card data exfiltration by malware by generating fake credit card numbers that will make any batches of stolen numbers unusable. The software works by monitoring memory for credit card numbers and replacing real numbers with randomized fake numbers on the point-of-sale system before the data can be sent to a server by malware. Hecker believes this approach could be built into all point-of-sale systems to help prevent credit card data breaches.Masabi Rail Ticketing ITS
Masabi Rail Ticketing ITSMasabi
Ìý
ºÝºÝߣs from Ben Whitaker's talk about new mobile ticketing approaches for public transport including mobile payments via credit card this month at the UK's ITS Passenger Information Interest Group's seminar on Options for Ticketing and Standards in Ticketing on the 27th May 2009 in London.
Highlights of new features in the UK's Rail Barcode Ticket standard, and a brief summary of the lower capital expenditure soft-rollout of visual barcode ticketing on paper and mobile versus the large up-front costs of smartcard. Finally a summary of selling tickets from the mobile phone, and the benefits it brings to the operator.Challenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsMasabi
Ìý
This document discusses the challenges of building secure mobile applications. It covers why security is important for mobile, how to secure applications in an insecure mobile environment, and case studies of mobile security implementations. Some key points discussed include using HTTPS for end-to-end security, securing the key exchange process, ensuring strong entropy for keys, implementing message integrity checks, and supporting a wide range of mobile devices and networks.Protecting Customer Confidential Information
Protecting Customer Confidential InformationWilliam McBorrough
Ìý
This document discusses protecting customer confidential information and cybersecurity for small and medium-sized businesses. It outlines common data breaches, regulations around privacy, and strategies for securing data through technical controls and policies for people, including restricting access, encryption, training, and disposal of old data. The presentation emphasizes assessing risks and building security into daily operations, not as an extra task.Token Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
Ìý
Everyone building a web application that supports user login is concerned with security. How do you securely authenticate users and keep their identity secure? With the huge growth in Single Page Applications (SPAs), JavaScript and mobile applications, how do you keep users safe even though these are 'unsafe' client environments?
This presentation will demystify HTTP Authentication and explain how the Next Big Thing - Token Authentication - can be used to secure web applications on the JVM, REST APIs, and 'unsafe' clients while supporting security best practices and even improving your application's performance and scale.How to implement PassKeys in your application
How to implement PassKeys in your applicationMarian Marinov
Ìý
PassKeys is relatively new way of authentication. This presentation aims to provide a bit of guidance on how you can implement them in your own application. ![[ISSA] Zagrożenia na 2008 rok](https://cdn.slidesharecdn.com/ss_thumbnails/incydenty-1215003078652209-9-thumbnail.jpg?width=560&fit=bounds)
![[ISSA] IDS](https://cdn.slidesharecdn.com/ss_thumbnails/wojtek-wirkijowski-ids-1211453894279804-8-thumbnail.jpg?width=560&fit=bounds)
More Related Content
Similar to Strong Authentication (Michal Sobiegraj) (20)
Authentication Technologies
Authentication TechnologiesNicholas Davis
Ìý
This document provides an overview of authentication topics, including:
- Defining authentication and the three main electronic authentication factors: something you know, something you have, something you are.
- Discussing common authentication methods like usernames/passwords and their benefits and drawbacks.
- Covering other authentication methods such as one-time passwords, biometrics, digital certificates, and knowledge-based authentication.
- Identifying issues with initial credentialing and key concepts regarding the state of digital authentication.Authentication technologies
Authentication technologiesNicholas Davis
Ìý
This document provides an overview of authentication topics, including:
- Defining authentication and the three main electronic authentication factors: something you know, something you have, something you are.
- Discussing common authentication methods like usernames/passwords and their benefits and drawbacks.
- Explaining one-time password devices, biometric authentication, and digital certificates.
- Identifying issues with current authentication techniques and outlining key concepts regarding authentication.Web Security
Web SecurityBharath Manoharan
Ìý
Web security involves protecting information transmitted over the internet from attacks like viruses, worms, trojans, ransomware, and keyloggers. Users can help secure themselves by using antivirus software, avoiding phishing scams, and reporting spam. Larger attacks often involve botnets, which are networks of infected computers that can overwhelm websites and services with traffic through distributed denial of service attacks.More Issues on Digital Identity (24Feb2023)
More Issues on Digital Identity (24Feb2023)Hitoshi Kokumai
Ìý
Here are the discussions that are mentioned in P19 of "Fend Off Cyberattack with Episodic Memory"
/HitoshiKokumai/fend-off-cyberattack-with-episodic-memory-24feb2023
Cryptographic authentication
Cryptographic authenticationnirmal08
Ìý
This document discusses user authentication and host-to-host authentication. It describes several methods of user authentication including passwords, one-time passwords, smart cards, and biometrics. It also discusses network-based authentication and cryptographic techniques for host-to-host authentication, noting that cryptographic authentication provides stronger authentication but requires solutions to issues like securing the key distribution center and protecting hosts' cryptographic keys.Beyond Security Theater -- With a CTF
Beyond Security Theater -- With a CTFSam Bowne
Ìý
A talk for the CCSF CyberClub by Sam Bowne
Nov 13, 2018
CTF at https://samsclass.info/141/proj/ob-ctf.htmWorkshop on 03 11-2012
Workshop on 03 11-2012Gaurav Gautam
Ìý
The document summarizes a workshop on cryptography and ethical hacking. It discusses several modules that will be covered, including cryptography concepts, Windows password hacking, phishing and data security, SQL injection and webcam hacking, and batch programming and viruses. For the first module on cryptography concepts, the document provides an overview of topics like threats to electronic communications, cryptography principles, message digests, symmetric and asymmetric cryptography, practical cryptography implementation, the role of public authorities, and conclusions. Examples of cryptographic algorithms and standards like DES, RSA, and digital certificates are also outlined.Secrets of Top Pentesters
Secrets of Top Pentestersamiable_indian
Ìý
This document outlines tips and techniques used by penetration testers. It begins with an introduction explaining that penetration testing involves both standardized methodologies as well as improvisation. The document then provides several tips related to reconnaissance, scanning, networking, passwords, and reporting from penetration tests. Each tip is meant to help save time, enable hacks that otherwise wouldn't be possible, or better help clients understand security risks. Overall, the tips suggest using common tools and techniques creatively to find and exploit security vulnerabilities.Beyond The Padlock: New Ideas in Browser Security UI
Beyond The Padlock: New Ideas in Browser Security UImozilla.presentations
Ìý
Johnathan Nightingale of Mozilla Corporation presents ideas for improving browser security user interfaces (UI). He argues that existing security UIs like padlocks are sparse, incomprehensible, and not carefully designed. He proposes five rules for good security UI: be meaningful, relevant, robust, available, and brave. As an example, he suggests replacing padlocks with "Larry", an identity indicator that clearly shows website identity and is based on standardized Extended Validation certificates. The presentation concludes by discussing additional aspects of security UI and soliciting further ideas and discussion.How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AlivePositive Hack Days
Ìý
Sergey Gordeychik gave a presentation on how to hack telecom networks and stay alive. He discussed that telecom networks have many perimeters including subscribers, partners, offices, and technology networks. He outlined specific attacks such as gaining unauthorized access to subscriber self-service portals or exploiting vulnerabilities in VoIP infrastructure. Gordeychik emphasized that telecom networks are complex with many third-party systems, exotic technologies, and administrative issues that can enable attacks if not properly secured. Forensics after an attack can also be very challenging in these large, dynamic networks.Computer Security
Computer SecurityFrederik Questier
Ìý
F. Questier, Computer security, workshop for Lib@web international training program 'Management of Electronic Information and Digital Libraries', university of Antwerp, October 2015Revisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sOlga Kochetova
Ìý
The document discusses vulnerabilities in ATM systems that can allow attackers to steal cash or users' financial information. It provides examples of past malware attacks on ATMs and describes technical methods attackers have used to gain unauthorized access and control of ATM components like card readers, cash dispensers, and PIN pads. The authors argue that current security measures are insufficient and that vendors prioritize profits over fixing issues. They call for implementing stronger authentication of ATM devices and transactions to help address ongoing threats.How to secure electronic passports
How to secure electronic passportsRiscure
Ìý
The document discusses how to secure electronic passports. It outlines passport threats like forgery and look-alike fraud. It then summarizes available protection mechanisms under ICAO standards, including storing certificates and biometrics on chips. It analyzes security challenges for inspection terminals and accessing personal data. It concludes that while electronic passports improve forgery protection, look-alike fraud remains an issue without reliable biometrics, and contactless chips introduce privacy concerns.Trends in electronic crimes and its impact on businesses like yours
Trends in electronic crimes and its impact on businesses like yoursMotherGuardians
Ìý
The USSS discusses its dual mission of presidential protection and investigating financial crimes such as counterfeiting, identity theft, and cyber crimes. It outlines current cyber crime trends like skimming devices, network intrusions, point of sale breaches, targeted malware, and data breaches. It then provides a case study of how a network intrusion investigation may proceed, from initial detection to identifying compromised systems and retrieving stolen data.DEF CON 23 - Weston Hecker - goodbye memory scraping malware
DEF CON 23 - Weston Hecker - goodbye memory scraping malwareFelipe Prado
Ìý
This document summarizes a talk given by Weston Hecker on his new open source anti-malware software called Skimbad. Hecker has over 11 years experience in security research and penetration testing. Skimbad aims to stop credit card data exfiltration by malware by generating fake credit card numbers that will make any batches of stolen numbers unusable. The software works by monitoring memory for credit card numbers and replacing real numbers with randomized fake numbers on the point-of-sale system before the data can be sent to a server by malware. Hecker believes this approach could be built into all point-of-sale systems to help prevent credit card data breaches.Masabi Rail Ticketing ITS
Masabi Rail Ticketing ITSMasabi
Ìý
ºÝºÝߣs from Ben Whitaker's talk about new mobile ticketing approaches for public transport including mobile payments via credit card this month at the UK's ITS Passenger Information Interest Group's seminar on Options for Ticketing and Standards in Ticketing on the 27th May 2009 in London.
Highlights of new features in the UK's Rail Barcode Ticket standard, and a brief summary of the lower capital expenditure soft-rollout of visual barcode ticketing on paper and mobile versus the large up-front costs of smartcard. Finally a summary of selling tickets from the mobile phone, and the benefits it brings to the operator.Challenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsMasabi
Ìý
This document discusses the challenges of building secure mobile applications. It covers why security is important for mobile, how to secure applications in an insecure mobile environment, and case studies of mobile security implementations. Some key points discussed include using HTTPS for end-to-end security, securing the key exchange process, ensuring strong entropy for keys, implementing message integrity checks, and supporting a wide range of mobile devices and networks.Protecting Customer Confidential Information
Protecting Customer Confidential InformationWilliam McBorrough
Ìý
This document discusses protecting customer confidential information and cybersecurity for small and medium-sized businesses. It outlines common data breaches, regulations around privacy, and strategies for securing data through technical controls and policies for people, including restricting access, encryption, training, and disposal of old data. The presentation emphasizes assessing risks and building security into daily operations, not as an extra task.Token Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
Ìý
Everyone building a web application that supports user login is concerned with security. How do you securely authenticate users and keep their identity secure? With the huge growth in Single Page Applications (SPAs), JavaScript and mobile applications, how do you keep users safe even though these are 'unsafe' client environments?
This presentation will demystify HTTP Authentication and explain how the Next Big Thing - Token Authentication - can be used to secure web applications on the JVM, REST APIs, and 'unsafe' clients while supporting security best practices and even improving your application's performance and scale.How to implement PassKeys in your application
How to implement PassKeys in your applicationMarian Marinov
Ìý
PassKeys is relatively new way of authentication. This presentation aims to provide a bit of guidance on how you can implement them in your own application. More from msobiegraj (12)
![[ISSA] Web Appication Firewall](https://cdn.slidesharecdn.com/ss_thumbnails/edward-weinert-web-appication-firewall-1211402920028578-9-thumbnail.jpg?width=560&fit=bounds)
![[ISSA] Incident Responce](https://cdn.slidesharecdn.com/ss_thumbnails/issa-incident-responce-1205409194816616-3-thumbnail.jpg?width=560&fit=bounds)
Minor Mistakes In Web Portals
Minor Mistakes In Web Portalsmsobiegraj
Ìý
The document discusses various security issues that can occur on web portals, including cross-site scripting (XSS) vulnerabilities that allow altering of content or stealing cookies, and cross-site request forgery (CSRF) attacks. It provides examples of how these attacks can be carried out, such as using XSS to change website branding or send a user's cookies to an attacker. The document recommends mitigation techniques like input filtering, consistency checks, and tying sessions to IP addresses to help prevent these types of attacks.
Drobne błędy w portalach WWW -- prawdziwe studium przypadku
Drobne błędy w portalach WWW -- prawdziwe studium przypadkumsobiegraj
Ìý
Michal Sobiegraj
Borys Lacki
Jak maszyny rozpoznajÄ… ludzi? Odwrotny test Turinga i jego skutki uboczne
Jak maszyny rozpoznajÄ… ludzi? Odwrotny test Turinga i jego skutki ubocznemsobiegraj
Ìý
How do machines tell humans and bots apart? Reverse Turing test and its side effects