Vídeos De Usenix 17

USENIX 17 Además del material de USENIX 17, ya están disponibles también los vídeos de las charlas. Aquí tenéis la lista completa: Opening Remarks and Awards When Your Threat Model Is “Everything”: Defensive Security in Modern Newsrooms How Double-Fetch Situations turn into Double-Fetch Vulnerabilities… Postmortem Program Analysis with Hardware-Enhanced Post-Crash Artifacts Ninja: Towards Transparent Tracing and Debugging on ARM Prime+Abort: A Timer-Free High-Precision L3 Cache Attack using Intel TSX On the effectiveness of mitigations against floating-point timing channels Constant-Time Callees with Variable-Time Callers Neural Nets Can Learn Function Type Signatures From Binaries CAn’t Touch This… Efficient Protection of Path-Sensitive Control Security Digtool: A Virtualization-Based Framework for Detecting Kernel Vulnerabilities kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Venerable Variadic Vulnerabilities Vanquished Towards Practical Tools for Side Channel Aware Software Engineering… Strong and Efficient Cache Side-Channel Protection… CacheD: Identifying Cache-Based Timing Channels in Production Software An Ant in a World of Grasshoppers From Problems to Patterns to Practice… BinSim: Trace-based Semantic Binary Diffing… PlatPal: Detecting Malicious Documents with Platform Diversity Malton: Towards On-Device Non-Invasive Mobile Malware Analysis for ART Global Measurement of DNS Manipulation Characterizing the Nature and Dynamics of Tor Exit Blocking DeTor: Provably Avoiding Geographic Regions in Tor SmartAuth: User-Centered Authorization for the Internet of Things AWare: Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 6thSense: A Context-aware Sensor-based Attack Detector for Smart Devices Identifier Binding Attacks and Defenses in Software-Defined Networks HELP: Helper-Enabled In-Band Device Pairing… Attacking the Brain: Races in the SDN Control Plane Detecting Credential Spearphishing in Enterprise Settings SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data When the Weakest Link is Strong… Hacking in Darkness: Return-oriented Programming against Secure Enclaves vTZ: Virtualizing ARM TrustZone Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing AuthentiCall: Efficient Identity and Content Authentication for Phone Calls Picking Up My Tab… TrustBase: An Architecture to Repair and Strengthen… Transcend: Detecting Concept Drift in Malware Classification Models Syntia: Synthesizing the Semantics of Obfuscated Code Predicting the Resilience of Obfuscated Code… Differential Privacy: From Theory to Deployment OSS-Fuzz - Google’s continuous fuzzing service for open source software Extension Breakdown… CCSP: Controlled Relaxation of Content Security Policies… Same-Origin Policy: Evaluation in Modern Browsers Locally Differentially Private Protocols for Frequency Estimation BLENDER: Enabling Local Search with a Hybrid Differential Privacy Model Computer Security, Privacy, and DNA Sequencing… BootStomp: On the Security of Bootloaders in Mobile Devices Seeing Through The Same Lens… Oscar: A Practical Page-Permissions-Based Scheme… PDF Mirage: Content Masking Attack Against Information-Based Online Services Loophole: Timing Attacks on Shared Event Loops in Chrome Game of Registrars… Speeding up detection of SHA-1 collision attacks… Phoenix: Rebirth of a Cryptographic Password-Hardening Service Vale: Verifying High-Performance Cryptographic Assembly Code Exploring User Perceptions of Discrimination in Online Targeted Advertising Measuring the Insecurity of Mobile Deep Links of Android How the Web Tangled Itself Towards Efficient Heap Overflow Discovery DR.
Leer más

Material De Usenix Security 17, sesiones técnicas y talleres

Hace una semana se celebró en Canadá la conferencia “académica” sobre ciber seguridad Usenix junto a un puñado de talleres. Todo el material está disponible de forma gratuita para descarga de ambos eventos: Sesiones Técnicas y Talleres. Aquí tenéis la lista completa de las charlas y sus correspondientes enlaces: Sesiones técnicas de Usenix Security ‘17 When Your Threat Model Is “Everything”: Defensive Security in Modern Newsrooms Erinn Clark, Lead Security Architect, First Look Media/The Intercept How Double-Fetch Situations turn into Double-Fetch Vulnerabilities: A Study of Double Fetches in the Linux Kernel Paper Slides Postmortem Program Analysis with Hardware-Enhanced Post-Crash Artifacts Paper Ninja: Towards Transparent Tracing and Debugging on ARM Paper Slides Prime+Abort: A Timer-Free High-Precision L3 Cache Attack using Intel TSX Paper On the effectiveness of mitigations against floating-point timing channels Paper Slides Constant-Time Callees with Variable-Time Callers Paper Slides Neural Nets Can Learn Function Type Signatures From Binaries Paper CAn’t Touch This: Software-only Mitigation against Rowhammer Attacks targeting Kernel Memory Paper Efficient Protection of Path-Sensitive Control Security Paper Digtool: A Virtualization-Based Framework for Detecting Kernel Vulnerabilities Paper kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Paper Venerable Variadic Vulnerabilities Vanquished Paper Towards Practical Tools for Side Channel Aware Software Engineering: ‘Grey Box’ Modelling for Instruction Leakages Paper Slides Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory Paper Slides CacheD: Identifying Cache-Based Timing Channels in Production Software Paper An Ant in a World of Grasshoppers Ellen Cram Kowalczyk, Microsoft From Problems to Patterns to Practice: Privacy and User Respect in a Complex World Lea Kissner, Google BinSim: Trace-based Semantic Binary Diffing via System Call Sliced Segment Equivalence Checking Paper PlatPal: Detecting Malicious Documents with Platform Diversity Paper Slides Malton: Towards On-Device Non-Invasive Mobile Malware Analysis for ART Paper Global Measurement of DNS Manipulation Paper Characterizing the Nature and Dynamics of Tor Exit Blocking Paper DeTor: Provably Avoiding Geographic Regions in Tor Paper SmartAuth: User-Centered Authorization for the Internet of Things Paper AWare: Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings Paper Slides 6thSense: A Context-aware Sensor-based Attack Detector for Smart Devices Paper Identifier Binding Attacks and Defenses in Software-Defined Networks Paper HELP: Helper-Enabled In-Band Device Pairing Resistant Against Signal Cancellation Paper Attacking the Brain: Races in the SDN Control Plane Paper Detecting Credential Spearphishing in Enterprise Settings Paper SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data Paper When the Weakest Link is Strong: Secure Collaboration in the Case of the Panama Papers Paper Slides Hacking in Darkness: Return-oriented Programming against Secure Enclaves Paper vTZ: Virtualizing ARM TrustZone Paper Slides Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing Paper AuthentiCall: Efficient Identity and Content Authentication for Phone Calls Paper Picking Up My Tab: Understanding and Mitigating Synchronized Token Lifting and Spending in Mobile Payment Paper Slides TrustBase: An Architecture to Repair and Strengthen Certificate-based Authentication Paper Transcend: Detecting Concept Drift in Malware Classification Models Paper Syntia: Synthesizing the Semantics of Obfuscated Code Paper Predicting the Resilience of Obfuscated Code Against Symbolic Execution Attacks via Machine Learning Paper Differential Privacy: From Theory to Deployment Abhradeep Guha Thakurta, University of California, Santa Cruz OSS-Fuzz - Google’s continuous fuzzing service for open source software Slides Kostya Serebryany, Google Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies Paper CCSP: Controlled Relaxation of Content Security Policies by Runtime Policy Composition Paper Same-Origin Policy: Evaluation in Modern Browsers Paper Locally Differentially Private Protocols for Frequency Estimation Paper BLENDER: Enabling Local Search with a Hybrid Differential Privacy Model Paper Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More Paper BootStomp: On the Security of Bootloaders in Mobile Devices Paper Slides Seeing Through The Same Lens: Introspecting Guest Address Space At Native Speed Paper Oscar: A Practical Page-Permissions-Based Scheme for Thwarting Dangling Pointers Paper PDF Mirage: Content Masking Attack Against Information-Based Online Services Paper Loophole: Timing Attacks on Shared Event Loops in Chrome Paper Game of Registrars: An Empirical Analysis of Post-Expiration Domain Name Takeovers Paper Speeding up detection of SHA-1 collision attacks using unavoidable attack conditions Paper Phoenix: Rebirth of a Cryptographic Password-Hardening Service Paper Vale: Verifying High-Performance Cryptographic Assembly Code Paper Exploring User Perceptions of Discrimination in Online Targeted Advertising Paper Measuring the Insecurity of Mobile Deep Links of Android Paper How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security Paper Towards Efficient Heap Overflow Discovery Paper DR.
Leer más

Presentaciones de DEF CON 25

DEF CON 25 Pues ahora le toca el turno a DEF CON, en este caso la edición 25 que se acaba de celebrar y ya tienes también acceso a las presentaciones: 5A1F/ 5A1F-Demystifying-Kernel-Exploitation-By-Abusing-GDI-Objects-WP.pdf 5A1F-Demystifying-Kernel-Exploitation-By-Abusing-GDI-Objects.pdf Cheng Lei/ Cheng-Lei-The-Spear-to-Break-the-Security-Wall-of-S7CommPlus-WP.pdf Cheng-Lei-The-Spear-to-Break-the-Security-Wall-of-S7CommPlus.pdf Denton Gentry/ Denton-Gentry-I-Know-What-You-Are-By-The-Smell-Of-Your-Wifi-WP.pdf Denton-Gentry-I-Know-What-You-Are-By-The-Smell-Of-Your-Wifi.pdf Dimitry Snezhkov/ Dimitry Snezhkov - Extras/ Dimitry-Snezhkov-Abusing-Web-Hooks.pdf Dor Azouri/ Dor-Azouri-BITSInject-WP.pdf Dor-Azouri-BITSInject.pdf Duncan Woodbury and Nicholas Haltmeyer/ Woodbury-and-Haltmeyer-Linux-Stack-Based-V2X-Framework-Hack-Connected-Vehicles-WP.
Leer más

Presentaciones de Black Hat USA 2017

BlackHat 2017 Ya están disponible las presentaciones de Black Hat USA 2017: Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone ‘Ghost Telephonist’ Link Hijack Exploitations in 4G LTE CS Fallback Yuwei-Ghost-Telephonist-Link-Hijack-Exploitations-In-4G-LTE-CS-Fallback.pdf (in)Security in Building Automation: How to Create Dark Buildings with Light Speed Brandstetter-insecurity-In-Building-Automation-How-To-Create-Dark-Buildings-With-Light-Speed.pdf Brandstetter-insecurity-In-Building-Automation-How-To-Create-Dark-Buildings-With-Light-Speed-wp.pdf A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!
Leer más

Vídeos de OWASP AppSec Europa 2017

OWASP AppSec EU 2017 Perfecto para el fin de semana si no tienes nada planeado, ya están disponibles los vídeos de la OWASP AppSec Europa 2017: Conference Opening Address by Gary Robinson The Gift Of Feedback by Shannon Lietz Boosting The Security Of Your Angular 2 Application by Philippe De Ryck Don’t Trust The DOM: Bypassing XSS Mitigations Via Script Gadgets by Sebastian Lekies The Key Under The Doormat by Stephan Huber and Steven Arzt OWASP Juice Shop by Björn Kimminich Printer Security by Jens Müller and Vladislav Mladenov 2017: Rise Of The Machines by Kev D’Arcy, Nicholas Raite and Rohini Sulatycki Looking Back To Look Ahead by Brian Honan Making Vulnerability Management Suck Less With DefectDojo by Greg Ande Don’t Get Caught Em-bed by Aaron Guzman So We Broke All CSPs You Won’t Guess What Happened Next by Michele Spagnuolo Long Term Study On SSL TLS Certificates by Enrico Branca What Is A DevSecOps Engineer?
Leer más

Presentaciones de Black Hat Asia 2017

Black Hat Asia 2017 Ya podemos acceder a muchas de las presentaciones de la edición asiática de Black Hat de este año: The Seven Axioms of Security Why We are Not Building a Defendable Internet Man-in-the-SCADA: Anatomy of Data Integrity Attacks in Industrial Control Systems 24 Techniques to Gather Threat Intel and Track Actors 3G/4G Intranet Scanning and its Application on the WormHole Vulnerability All Your Emails Belong to Us: Exploiting Vulnerable Email Clients via Domain Name Collision Anti-Plugin: Don’t Let Your App Play as an Android Plugin asia-17-Luo-Anti-Plugin-Don’t-Let-Your-App-Play-As-An-Android-Plugin.
Leer más

Vídeos de Usenix Enigma 2017

Aquí tenéis los charlas (vídeos y algunas diapositivas) de la edición de este año de la conferencia Usenix Enigma: Human Computation with an Application to Passwords Moving Account Recovery beyond Email and the “Secret” Question Secrets at Scale: Automated Bootstrapping of Secrets & Identity in the Cloud Inside “MOAR TLS:” How We Think about Encouraging External HTTPS Adoption on the Web Ghost in the Machine: Challenges in Embedded Binary Security LLC Cache Attacks: Applicability and Countermeasures IoT, a Cybercriminal’s Paradise Hacking Sensors Test Driven Security in Continuous Integration As We May Code Leveraging the Power of Automated Reasoning in Security Analysis of Web Applications and Beyond Startups + Industry: How Everyone Can Win Behaviors and Patterns of Bulletproof and Anonymous Hosting Providers StreamAlert: A Serverless, Real-time Intrusion Detection Engine Neural and Behavioral Insights on Trust What Does the Brain Tell Us about Usable Security?
Leer más

Vídeos de RSA USA 2017

Si no tienes nada que hacer este fin de semana, aquí tienes lo vídeos de la conferencia RSA USA 2017. Hello False Flags! The Art of Deception in Targeted Attack Attribution The Blockchain Identity Crisis From Boot-to-Root: A Method for Successful Security Training CISO as Change Agent: Getting to Yes Deconstructing Identity Analytics for Higher Risk Awareness IoT: End of Shorter Days Workplace Violence and IT Sabotage: Two Sides of the Same Coin?
Leer más

Vídeos de ekoparty 12 - 2016

Si no tienes nada planeado para este fin de semana, aquí tienes algo de distracción, los vídeos de las charlas de la pasada conferencia sobre seguridad informática celebrada en Buenos Aires, Argentina, Ekoparty 12. Tyler Curtis - Encryption out of LINE Juan Berner - Exploiting A/B Testing for Fun and Profit Nahuel Cayetano Riva - Getting fun with Frida Rodrigo Cetera y Javier Bassi - #KillTheHashes - El Gran Libro para Colorear Malware Ezequiel Fernandez y Sergio Viera - Multiple Vulnerabilities in SE PLC Joernchen - Let Me GitHub That For You (2016 Argentinian Edition) Martin Gendler - Juegos Online, Sociedad y Privacidad: un recorrido socio-histórico Sheila Berta y Claudio Caracciolo - Backdooring CAN Bus for Remote Car Hacking Nahuel Sánchez y Sergio Abraham - SAP HANA under the hood Enrique Nissim - I Know Where Your Page Lives: De-randomizing the Windows 10 Kernel Sebastian Garcia - Stratosphere IPS.
Leer más

Vídeos del Chaos Communication Congress (33c3)

Aunque el congreso sobre hacking/seguridad, Chaos Communication Congress todavía no ha terminado, los vídeos de las charlas que ya se han dado están disponibles. En los momentos de escribir estas líneas, estos son los vídeos disponibles: 33C3 Closing Ceremony Security Nightmares 0x11 Surveilling the surveillers 33C3 Infrastructure Review Virtual Secure Boot The Ultimate Game Boy Talk Privatisierung der Rechtsdurchsetzung Warum in die Ferne schweifen, wenn das Ausland liegt so nah?
Leer más