Conference: Defcon 31
Authors: Trevor Stevado (Founding Partner/Hacker, Loudmouth Security), Sam Haskins (Hacker, Loudmouth Security)
2023-08-01

Contactless credentials have become increasingly popular for secure authentication and access control systems due to their convenience and efficiency. In this talk, we will discuss a specific weakness in the ISO 14443A protocol that enables replay attacks over moderate latency connections, leading to the potential for long-range relay attacks. During the presentation, we will delve into the history of contactless credential attacks, how manufacturers have adapted, and discuss why we focused on a relay attack. We will provide an overview of the ISO 14443A protocol and explain how the relay attack is executed and the ‘features’ of the underlying protocol that make it possible. Finally, we will demonstrate and release a new tool to make this relay attack feasible with the Proxmark, as we attempt to unlock a door in Ottawa, ON with a card on-stage in Vegas. In addition, we will discuss the response from HID Global following our responsible disclosure against their SEOS readers and suggest mitigations to prevent these attacks on your access control systems.
Authors: Kim Wuyts
2023-02-15

tldr - powered by Generative AI

The presentation discusses the importance of threat modeling in ensuring privacy and security in software development. It highlights the different approaches and resources available for successful threat modeling.
  • Threat modeling is crucial for ensuring privacy and security in software development
  • There are different approaches and resources available for successful threat modeling, such as the Threat Modeling Manifesto, LINDDUN, and STRIDE
  • Threat modeling should be done early in the development cycle, but it's never too late to do it
  • Threat modeling should be a continuous process and the output should be used as input for subsequent steps
  • Threat modeling can be easy and fun, as illustrated by the example of analyzing a doll's privacy risks
Authors: Alolita Sharma, Matt Young
2022-10-26

The CNCF Technical Advisory Group (TAG) on Observability serves as a discussion forum for topics related to observability of cloud native systems and workloads. We also produce supporting material and best practices for end users and provide guidance and coordination for CNCF observability projects working within the TAG’s scope. This session will provide an update on major observability projects in the CNCF, technology updates from these projects and opportunities to get involved in the TAG to build momentum on cross-collaboration across observability projects, data protocols and new areas. We also invite observability practitioners, developers and contributors to join in for this session to discuss features, gaps and open source solutions for end-users.
Conference: Transform X 2022
Authors: Curtis Huang, Tony Jebara
2022-10-19

tldr - powered by Generative AI

The speakers discuss the challenges and future of recommendation engines, including the importance of data, privacy, and explainability.
  • Online adaptive learning is important for quickly adapting to user needs
  • Great data is necessary for building a machine learning recommendation engine
  • Understanding user journeys and causal impact is important for effective recommendations
  • Long-term metrics, predictive metrics, and short-term metrics are all important for measuring success
  • Privacy and fairness are ongoing challenges for the ML community
  • Explainability is important for user control and understanding of recommendations
Authors: Aaron Rinehart
2021-09-24

Hope isn’t a strategy. Likewise, perfection isn’t a plan. The systems we are responsible for are failing as a normal function of how they operate, whether we like it or not, whether we see it or not. Security chaos engineering is about increasing confidence that our security mechanisms are effective at performing under the conditions for which we designed them. Through continuous security experimentation, we become better prepared as an organization and reduce the likelihood of being caught off guard by unforeseen disruptions. Security Chaos Engineering serves as a foundation for developing a learning culture around how organizations build, operate, instrument, and secure their systems. The goal of these experiments is to move security in practice from subjective assessment to objective measurement. Chaos experiments allow security teams to reduce the “unknown unknowns” and replace “known unknowns” with information that can drive improvements to security posture. During this session Aaron Rinehart, the O’Reilly author and pioneer behind Security Chaos Engineering, will share how you can implement Security Chaos Engineering as a practice at your organization to proactively discover system weaknesses before they become an advantage to a malicious adversary. Aaron will introduce the new concept of Security Chaos Engineering and share best practices and experiences in applying this emerging discipline to create highly secure, performant, and resilient distributed systems.