Conference:  Defcon 31

Authors: Trevor Stevado Founding Partner/Hacker @ Loudmouth Security, Sam Haskins Hacker, Loudmouth Security

2023-08-01

Contactless credentials have become increasingly popular for secure authentication and access control systems due to their convenience and efficiency. In this talk, we will discuss a specific weakness in the ISO 14443A protocol that enables replay attacks over moderate latency connections, leading to the potential for long-range relay attacks. During the presentation, we will delve into the history of contactless credential attacks, how manufacturers have adapted, and discuss why we focused on a relay attack. We will provide an overview of the ISO 14443A protocol and explain how the relay attack is executed and the ‘features’ of the underlying protocol that make it possible. Finally, we will demonstrate and release a new tool to make this relay attack feasible with the Proxmark, as we attempt to unlock a door in Ottawa, ON with a card on-stage in Vegas. In addition, we will discuss the response from HID Global following our responsible disclosure against their SEOS readers and suggest mitigations to prevent these attacks on your access control systems.

Conference:  Global AppSec Dublin 2023

Authors: Marine du Mesnil

2023-02-16

In 2019, users of the Ameli, the french welfare website, could read other users' messages and attachments containing confidential information by trivially changing a parameter in the URL. Unfortunately, this flaw is much more common than we think and access control has been listed as the Top 1 flaw by OWASP.Historically, developers manage permissions directly in code and the product team is not always well aware of the conditions which leads to flaws in access control. It is also one of the most complex vulnerabilities to manage and it is easy for a developer to forget a condition in their API and open up access to sensitive data to anyone.On a fund management site using django-admin, we needed very fine-grained management of vertical (permission levels) and horizontal (compartmentalisation between users) permissions with a need for some administrators to manage their own teams independently.We were able to implement an extremely easy-to-use and manageable system using both Django's internal permissions management and a SaaS: Okta.During this talk, I will cover the following topics:- Vertical and Horizontal Permissions using a django-admin example- Adding a SaaS for login and permissions- The pros and cons of OktaAt the end of this talk, you will know the best practices for implementing and using permissions with django-admin example. You will also understand the pros and cons of using a SaaS to outsource permissions management and simplify it for your administrators.

Conference:  Global AppSec San Francisco 2022

Authors: Jim Manico, semgrep.dev

2022-11-18

The presentation discusses the history and progress of information security testing and the role of OWASP in promoting application security.

• The history of security testing dates back to the Polish researchers who built the first security testing tool to crack Enigma during World War II.
• The first security testing device in modern history is the bomb.
• The OWASP foundation is a non-profit international foundation dedicated to helping people and organizations make informed decisions about application security risk.
• OWASP has released several free guides and tools to promote application security, including the OWASP Top 10 and the Application Security Verification Standard.
• Cross-site scripting is a complicated vulnerability category that requires attention in application security.

Conference:  Cloud Native SecurityCon North America 2022

Authors: Asaf Cohen

2022-10-25

The presentation discusses best practices for managing policy in DevOps and cybersecurity, including decoupling policy from code, using GitOps for policy, and planning ahead for future demands.

• Decoupling policy from code is important for flexibility and scalability
• GitOps for policy allows for auditable and testable policy management
• Planning ahead for future demands ensures that the system can grow without needing to be rewritten from scratch