logo
Dates

Author


Conferences

Tags

Sort by:  

Conference:  Defcon 31
Authors: Trevor Stevado Founding Partner/Hacker @ Loudmouth Security, Sam Haskins Hacker, Loudmouth Security
2023-08-01

Contactless credentials have become increasingly popular for secure authentication and access control systems due to their convenience and efficiency. In this talk, we will discuss a specific weakness in the ISO 14443A protocol that enables replay attacks over moderate latency connections, leading to the potential for long-range relay attacks. During the presentation, we will delve into the history of contactless credential attacks, how manufacturers have adapted, and discuss why we focused on a relay attack. We will provide an overview of the ISO 14443A protocol and explain how the relay attack is executed and the ‘features’ of the underlying protocol that make it possible. Finally, we will demonstrate and release a new tool to make this relay attack feasible with the Proxmark, as we attempt to unlock a door in Ottawa, ON with a card on-stage in Vegas. In addition, we will discuss the response from HID Global following our responsible disclosure against their SEOS readers and suggest mitigations to prevent these attacks on your access control systems.
Authors: Kim Wuyts
2023-02-15

tldr - powered by Generative AI

The presentation discusses the importance of threat modeling in ensuring privacy and security in software development. It highlights the different approaches and resources available for successful threat modeling.
  • Threat modeling is crucial for ensuring privacy and security in software development
  • There are different approaches and resources available for successful threat modeling, such as the Threat Modeling Manifesto, Linden, and Stride
  • Threat modeling should be done early in the development cycle, but it's never too late to do it
  • Threat modeling should be a continuous process and the output should be used as input for subsequent steps
  • Threat modeling can be easy and fun, as illustrated by the example of analyzing a doll's privacy risks
Authors: Aaron Rinehart
2021-09-24

Hope isn’t a strategy. Likewise, perfection isn’t a plan. The systems we are responsible for are failing as a normal function of how they operate, whether we like it or not, whether we see it or not. Security chaos engineering is about increasing confidence that our security mechanisms are effective at performing under the conditions for which we designed them. Through continuous security experimentation, we become better prepared as an organization and reduce the likelihood of being caught off guard by unforeseen disruptions. Security Chaos Engineering serves as a foundation for developing a learning culture around how organizations build, operate, instrument, and secure their systems. The goal of these experiments is to move security in practice from subjective assessment into objective measurement. Chaos experiments allow security teams to reduce the “unknown unknowns” and replace “known unknowns” with information that can drive improvements to security posture. During this session Aaron Rinehart, the O’Reilly Author and pioneer behind Security Chaos Engineering will share how you can implement Security Chaos Engineering as a practice at your organization to proactively discover system weakness before they are an advantage of a malicious adversary. In this session Aaron will introduce a new concept known as Security Chaos Engineering and share some best practices and experiences in applying the emerging discipline to create highly secure, performant, and resilient distributed systems.