Conference:  Defcon 31
Authors: Trevor Stevado, Founding Partner/Hacker @ Loudmouth Security; Sam Haskins, Hacker, Loudmouth Security
2023-08-01

Contactless credentials have become increasingly popular for secure authentication and access control systems due to their convenience and efficiency. In this talk, we will discuss a specific weakness in the ISO 14443A protocol that enables replay attacks over moderate latency connections, leading to the potential for long-range relay attacks. During the presentation, we will delve into the history of contactless credential attacks, how manufacturers have adapted, and discuss why we focused on a relay attack. We will provide an overview of the ISO 14443A protocol and explain how the relay attack is executed and the ‘features’ of the underlying protocol that make it possible. Finally, we will demonstrate and release a new tool to make this relay attack feasible with the Proxmark, as we attempt to unlock a door in Ottawa, ON with a card on-stage in Vegas. In addition, we will discuss the response from HID Global following our responsible disclosure against their SEOS readers and suggest mitigations to prevent these attacks on your access control systems.
Conference:  Defcon 31
Authors: Miana Ella Windall
2023-08-01

RFID implants are basically RFID credentials that can be installed under your skin. When I discovered there was nothing on the market that worked with my employer's badging system I decided that I would just have to make my own. This talk will cover the basics of RFID implants, my journey to design my own implant despite having no electronics experience, and some of the future implications of this technology.
Authors: Daniel Feldman, Andres Vega
2023-04-20

tldr - powered by Generative AI

SPIFFE (a specification for workload identity) and SPIRE (its reference implementation) are cloud-native security projects that aim to provide automated, API-driven verification of identities for every component of a system, enabling fine-grained access control and zero trust security.
  • Observing the evolution of software architectures and the need for zero trust security in cloud-native systems led to the development of SPIFFE and SPIRE
  • Fine-grained workload identity is crucial for achieving zero trust security
  • Automating security and offloading it as a function of the platform can improve developer productivity and operational efficiency
  • Short-lived, cryptographically verifiable identities (SVIDs) solve the problem of protecting long-lived key material: there is little to steal and nothing to rotate by hand
  • SPIRE provides a plug-in interface for customizing how credentials are issued, and advanced authorization rules engines can consume the resulting identities for access control
Authors: Skip Hovsmith
2023-02-16

tldr - powered by Generative AI

The speaker proposes an architecture for securing applications by moving all secrets off the app and into the cloud, minimizing the amount of functionality in the app, and delegating security decisions to an outside entity.
  • Observing and detecting information in an application is important for security
  • Secrets should not be hard-coded into the application
  • Minimizing functionality in the app reduces impact on the application
  • Delegating security decisions to an outside entity is more secure
  • Proposed architecture involves an app authentication service that makes the security decisions and returns a JWT to the app
  • The SDK installed in the app only contains measurement capabilities; it holds no secrets and makes no decisions
  • The JWT is attached to the app's network calls so the backend can authenticate the app on every request
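The flow the summary above describes, as an added example (not the speaker's code or any vendor SDK): an attestation service that keeps the signing key server-side, checks a measurement report against an allowlist of approved builds, and issues a short-lived HS256 JWT; and the backend check that runs on each API call. The measurement fields (`app_id`, `package_hash`, `debuggable`), the allowlist, the key and the TTL are all constructed for this example. The JWT is assembled by hand so the block runs with the standard library alone.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Measurement is the report the in-app SDK sends to the attestation service.
// Field names are constructed for this example, not taken from any real SDK.
type Measurement struct {
	AppID       string `json:"app_id"`
	PackageHash string `json:"package_hash"` // digest of the installed app package
	Debuggable  bool   `json:"debuggable"`   // true if a debugger is attached
}

// Claims is the minimal payload the attestation service signs into the JWT.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// AttestationService holds the only secret in the design. The signing key never
// ships inside the app, so unpacking the app does not let an attacker mint tokens.
type AttestationService struct {
	Key      []byte
	Approved map[string]string // app_id -> expected package hash (allowlist)
	TTL      time.Duration
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func sign(key []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// Attest makes the security decision server-side and, on success, returns a
// short-lived HS256 JWT. Any failed check yields no token at all.
func (s *AttestationService) Attest(m Measurement, now time.Time) (string, error) {
	want, ok := s.Approved[m.AppID]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(m.PackageHash)) != 1 {
		return "", errors.New("package hash does not match an approved build")
	}
	if m.Debuggable {
		return "", errors.New("debugger attached")
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(Claims{Iss: "attest", Sub: m.AppID, Iat: now.Unix(), Exp: now.Add(s.TTL).Unix()})
	signingInput := b64(hdr) + "." + b64(body)
	return signingInput + "." + b64(sign(s.Key, signingInput)), nil
}

// VerifyToken is what the API backend runs on every request carrying the token.
// It pins the algorithm (so "alg":"none" is rejected), checks the MAC in
// constant time before trusting any claim, and enforces expiry.
func VerifyToken(key []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported or malformed header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(key, parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	key := []byte("constructed-demo-key-do-not-reuse")
	svc := &AttestationService{Key: key, Approved: map[string]string{"com.example.app": "sha256:constructed-build-digest"}, TTL: 5 * time.Minute}
	now := time.Now()
	tok, err := svc.Attest(Measurement{AppID: "com.example.app", PackageHash: "sha256:constructed-build-digest"}, now)
	fmt.Println("issued:", err == nil)
	_, err = VerifyToken(key, tok, now.Add(time.Minute))
	fmt.Println("accepted within TTL:", err == nil)
	_, err = VerifyToken(key, tok, now.Add(10*time.Minute))
	fmt.Println("rejected after TTL:", err != nil)
}
```

The short TTL is what makes token theft from a compromised device a bounded problem: a captured JWT stops working in minutes, and a repackaged or debugged app never receives one in the first place because the decision is made where the attacker cannot patch it.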
Authors: Kenneth DuMez
2022-10-24

This talk will focus on the problems of credentials for machines in modern infrastructure and why it’s imperative you treat your bots the same way you treat your humans. Typically when using automation for CI/CD or Microservices, teams will have vaulted credentials shared between worker nodes. This introduces challenges as these credentials are often long-lived, requiring frequent rotation, introducing both toil and security threats. Open-source Teleport Machine ID mitigates these problems by assigning a unique identity with attached RBAC roles baked into unique, short-lived certificates enabling bot users to connect to remote hosts while centrally audit-logging all of the machine’s activity. This identity-based access control plane works seamlessly with all your cloud infrastructure including K8s clusters, databases, and any other remote compute resource. The talk will include an assessment of current legacy automated access solutions, an overview of Teleport, a Machine ID demo, and an in-depth discussion of the technology behind it. With open-source Teleport, managing and rotating shared credentials is a thing of the past. Give the machines rights! Secure your infrastructure.
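Both the SPIFFE/SPIRE summary above and this Teleport Machine ID abstract rest on the same mechanism: replace a shared, long-lived secret with a per-workload certificate that is short-lived and carries the identity in the certificate itself. The block below is an added example (not SPIRE's or Teleport's code) that builds that mechanism from Go's standard library: an in-memory trust-domain CA standing in for the signing server, issuance of an X.509-SVID whose only identity is a `spiffe://` URI SAN, and the peer-side verification that chains to the trust bundle, enforces the short validity window and extracts the SPIFFE ID that authorization should key on. The trust domain `example.org`, the workload path and the TTL are constructed for the example; role attributes, which Teleport additionally encodes into its certificates, are not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// TrustDomainCA plays the role of a trust domain's signing authority (what a
// SPIRE server or a Teleport auth server does in production). Constructed for
// this example; it is not code from either project.
type TrustDomainCA struct {
	Domain string
	Cert   *x509.Certificate
	Bundle *x509.CertPool // the trust bundle workloads use to verify peers
	key    *ecdsa.PrivateKey
}

func NewTrustDomainCA(domain string, now time.Time) (*TrustDomainCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "trust domain " + domain},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &TrustDomainCA{Domain: domain, Cert: cert, Bundle: pool, key: key}, nil
}

// IssueSVID mints a short-lived X.509-SVID: the workload's identity is its
// SPIFFE ID in the URI SAN, and NotAfter is minutes away, so a leaked
// certificate is worth little and rotation takes the place of revocation.
func (ca *TrustDomainCA) IssueSVID(spiffeID string, ttl time.Duration, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	id, err := url.Parse(spiffeID)
	if err != nil || id.Scheme != "spiffe" || id.Host != ca.Domain || id.Path == "" {
		return nil, nil, errors.New("refusing to issue: not a SPIFFE ID in this trust domain")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: id.Path},
		NotBefore:             now,
		NotAfter:              now.Add(ttl),
		URIs:                  []*url.URL{id},
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // cA=false: an SVID can never sign other certificates
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifySVID is the peer-side check: chain to the trust bundle, validity at
// `now`, exactly one spiffe:// URI SAN in the expected trust domain. It
// returns the SPIFFE ID, the only attribute authorization should key on.
func VerifySVID(cert *x509.Certificate, bundle *x509.CertPool, domain string, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: bundle, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("chain: %w", err)
	}
	if len(cert.URIs) != 1 {
		return "", errors.New("SVID must carry exactly one URI SAN")
	}
	id := cert.URIs[0]
	if id.Scheme != "spiffe" || id.Host != domain {
		return "", errors.New("URI SAN is not a SPIFFE ID in this trust domain")
	}
	return id.String(), nil
}

func main() {
	now := time.Now()
	ca, err := NewTrustDomainCA("example.org", now)
	if err != nil {
		panic(err)
	}
	svid, _, err := ca.IssueSVID("spiffe://example.org/ns/prod/sa/payments", 10*time.Minute, now)
	if err != nil {
		panic(err)
	}
	id, err := VerifySVID(svid, ca.Bundle, "example.org", now.Add(time.Minute))
	fmt.Println("identity:", id, "err:", err)
	_, err = VerifySVID(svid, ca.Bundle, "example.org", now.Add(time.Hour))
	fmt.Println("after TTL:", err)
}
```

Two details are the point. The issuer refuses anything that is not a SPIFFE ID inside its own trust domain, so a compromised agent cannot ask for an identity in someone else's domain; and the verifier rejects a certificate with any other chain, any other domain, or a second URI SAN, so an attacker cannot smuggle an extra identity into an otherwise valid certificate. In both projects the rotation that follows from the short TTL is automated by the platform, which is what lets the shared vaulted credential go away.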