Home
Search results “Elliptic curve cryptography vulnerabilities and threats”
Vulnerabilities, Threat Vectors, and Probability - CompTIA Security+ SY0-401: 2.1
 
04:27
Security+ Training Course Index: http://professormesser.link/sy0401 Professor Messer’s Course Notes: http://professormesser.link/sy0401cn Frequently Asked Questions: http://professormesser.link/faq - - - - - The bad guys are very good at infiltrating our computer systems. In this video, you’ll learn about system vulnerabilities, examples of threat vectors, and how to calculate the probability of a security risk. - - - - - Download entire video course: http://professormesser.link/401adyt Get the course on MP3 audio: http://professormesser.link/401vdyt Subscribe to get the latest videos: http://professormesser.link/yt Calendar of live events: http://www.professormesser.com/calendar/ FOLLOW PROFESSOR MESSER: Professor Messer official website: http://www.professormesser.com/ Twitter: http://www.professormesser.com/twitter Facebook: http://www.professormesser.com/facebook Instagram: http://www.professormesser.com/instagram Google +: http://www.professormesser.com/googleplus
Views: 55254 Professor Messer
Cryptography Basics for Embedded Developers by Eystein Stenberg
 
49:19
Cryptography Basics for Embedded Developers - Eystein Stenberg, Mender Many vulnerabilities and breaches happen due to incorrect use of cryptographic mechanisms like encryption. This talk will cover the basic mechanisms of cryptography, like encryption, signatures, and key storage, looking at how these are used to create important security properties like authentication, confidentiality and integrity. Performance is particularly important for embedded development and we will cover which cryptographic operations are computationally expensive and why. We will highlight implementations of cryptographic mechanisms that help meet the performance needs of embedded devices, including Elliptic Curve Cryptography. We will wrap up with common pitfalls, libraries and tools relevant for secure use of cryptography for embedded devices. Eystein Stenberg has over 7 years of experience in security and systems management as a developer, a support engineer, a technical account manager, and now as a product manager. He has been in the front line of some of the largest production environments in various roles and has in-depth knowledge of the challenges in systems security in a real-world context. His holds a Master’s degree in cryptography and his writing credits include “Distributing a Private Key Generator in Ad Hoc Networks."
Cryptography Concepts - CompTIA Security+ SY0-501 - 6.1
 
07:52
Security+ Training Course Index: http://professormesser.link/sy0501 Professor Messer’s Course Notes: http://professormesser.link/501cn Frequently Asked Questions: http://professormesser.link/faq - - - - - The basics of cryptography are valuable fundamentals for building a secure network. In this video, you’ll learn about cryptographic terms, the value of the key, the concepts of confusion and diffusion, and more. - - - - - Subscribe to get the latest videos: http://professormesser.link/yt Calendar of live events: http://www.professormesser.com/calendar/ FOLLOW PROFESSOR MESSER: Professor Messer official website: http://www.professormesser.com/ Twitter: http://www.professormesser.com/twitter Facebook: http://www.professormesser.com/facebook Instagram: http://www.professormesser.com/instagram Google +: http://www.professormesser.com/googleplus
Views: 16346 Professor Messer
Initialization Vector Attacks - CompTIA Security+ SY0-301: 3.4
 
07:34
See our entire index of CompTIA Security+ videos at http://www.FreeSecurityPlus.com - Initialization vectors are important to build strong encryption, but historical 802.11 WEP vulnerabilities were partly related to poor IV implementations.
Views: 19953 Professor Messer
Cryptography Primer Session 4 Primes, Elliptic Curves, & Lattices
 
01:01:55
This will be the fourth of six cryptography primer sessions exploring the basics of modern cryptography. In this session, we’ll explore primality testing, elliptic curve cryptosystems, and lattice-based cryptosystems. Subsequent sessions (on alternating Fridays) are expected to include the following topics. Depending on the interests of the participants, other topics may be included or substituted. Attacks, vulnerabilities, and practical considerations Applications including zero-knowledge, secret sharing, homomorphic encryption, and election protocols.
Views: 388 Microsoft Research
Format String Vulnerabilities Primer (Part 1 The Basics)
 
10:21
Full Video Details: http://www.securitytube.net/video/343
Views: 9628 TheSecurityTube
Perfect Forward Secrecy Side Effects
 
10:23
Perfect Forward Secrecy (PFS) is a great security feature that protects client and server data from being decrypted in the future. In this video, John discusses a few of the things to keep in mind as you move toward PFS ciphers.
Views: 3289 F5 DevCentral
Assessing And Exploiting BigNum Vulnerabilities
 
49:01
by Ralf-Philipp Weinmann The majority of deployed asymmetric cryptography implementations (RSA, DH, ECDH/ECDSA with GF(p) curves) need to perform calculations on integers that are larger than a single machine word. Just like every software package, implementations of multi-precision integer arithmetic sometimes have bugs. This talk investigates the implications of these bugs and shows how they can be used by attackers to exploit asymmetric cryptographic primitives. Isolating bug patterns and understanding exploitation requirements allows us to develop strategies for automated bug hunting.
Views: 459 Black Hat
APPSEC Cali 2018 - What's New in TLS 1.3
 
52:10
Abstract: TLS 1.3 is just about here ! This talk will cover the more notable attacks against prior versions of TLS and examine their applicability to TLS 1.3. In doing so, important security related design decisions of TLS 1.3, which thwart these attacks, will be highlighted. We will also highlight the new protocol handshakes and how they can give rise to 0-RTT resumption. Finally, potential pitfalls of deploying TLS 1.3 and ways to avoid them will be discussed. Alex Balducci is a Principal Security Consultant at NCC Group's Cryptography Services. His experience includes security research, source code auditing, application security assessments, and software development - but his expertise is in cryptographic security including analysis and design of cryptographic protocols. Alex has given numerous presentations at several industry conferences. In 2015-2017 he delivered NCC Group's "Beyond the Beast: Deep Dives in Cryptography" course at Blackhat USA as well as at Blackhat EU in 2015. This two day course examines modern issues affecting cryptographic implementations and protocols and delves into the nitty gritty implementation details. At BlackHat USA 2014 he spoke on the topic of practical cryptographic vulnerabilities in application software covering RSA padding oracles and subgroup confinement attacks on elliptic curve Diffie-Hellman. Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP_Media_Project
Views: 2385 OWASP
How RSA Works
 
14:19
RSA is an extremely popular cryptosystem used to secure Internet communications today. In this video, John describes RSA encryption and shows a real example of how to encrypt and decrypt using RSA.
Views: 9108 F5 DevCentral
Cryptography for JavaScript Developers - Nakov @ JS.Talks() 2018
 
01:12:44
Title: Cryptography for JavaScript Developers Speaker: Svetlin Nakov, PhD Conference: js.talks() 2018 Most developers believe they know cryptography, just because they store their passwords hashed instead of in plaintext and because have once configured SSL. In this talk the speaker fills the gaps by explaining some cryptographic concepts with examples in JavaScript. The talk covers: - Hashes, HMAC and key derivation functions (Scrypt, Argon2) with examples in JavaScript - Encrypting passwords: from plain text to Argon2 - Symmetric encryption at the client-side: AES, block modes, CTR mode, KDF, HMAC, examples in JavaScript - Digital signatures, ECC, ECDSA, EdDSA, signing messages, verifying signatures, examples in JavaScript - Why client-side JavaScript cryptography might not be safe? Man-in-the-browser attacks, Cross-Site Scripting (XSS) / JavaScript injection, etc. More info, slides and video: http://www.nakov.com/blog/2018/11/18/cryptography-for-javascript-developers-nakov-js-talks-2018/
Views: 161 Svetlin Nakov
Asymmetric Authentication ECDSA
 
01:47
Asymmetric Authentication ECDSA step by step
Views: 1014 CryptoAuthentication
Injection Vulnerabilities - or: How I got a free Burger
 
03:57
One night I ordered food and I accidentally injected a Burger into the order. The delivery guy confused a comment as another item on the order list and made it. Even though no price was attached to it. -------------------------------------- Twitter: https://twitter.com/LiveOverflow Website: http://liveoverflow.com/ Subreddit: https://www.reddit .com/r/LiveOverflow/ Facebook: https://www.facebook.com/LiveOverflow
Views: 223211 LiveOverflow
Logjam and Breaking Diffie-Hellman Key Exchange
 
10:00
Overview of Diffie-Hellman Key Exchange, the Logjam Attack, and the current state of web security.
Views: 389 Devan Singh
Vulnerability Scanning - CompTIA Security+ SY0-501 - 1.5
 
05:55
Security+ Training Course Index: http://professormesser.link/sy0501 Professor Messer’s Course Notes: http://professormesser.link/501cn Frequently Asked Questions: http://professormesser.link/faq - - - - - A vulnerability scan can tell you a lot about potential threats. In this video, you’ll learn about different vulnerability scan types, the results of a vulnerability scan, and how to deal with false positives. - - - - - Subscribe to get the latest videos: http://professormesser.link/yt Calendar of live events: http://www.professormesser.com/calendar/ FOLLOW PROFESSOR MESSER: Professor Messer official website: http://www.professormesser.com/ Twitter: http://www.professormesser.com/twitter Facebook: http://www.professormesser.com/facebook Instagram: http://www.professormesser.com/instagram Google +: http://www.professormesser.com/googleplus
Views: 26138 Professor Messer
Buffer Overflow Attack - Computerphile
 
17:30
Making yourself the all-powerful "Root" super-user on a computer using a buffer overflow attack. Assistant Professor Dr Mike Pound details how it's done. The Stack: https://youtu.be/7ha78yWRDlE Botnets: https://youtu.be/UVFmC178_Vs The Golden Key: iPhone Encryption: https://youtu.be/6RNKtwAGvqc 3D Stereo Vision: https://youtu.be/O7B2vCsTpC0 Brain Scanner: https://youtu.be/TQ0sL1ZGnQ4 http://www.facebook.com/computerphile https://twitter.com/computer_phile This video was filmed and edited by Sean Riley. Computer Science at the University of Nottingham: http://bit.ly/nottscomputer Computerphile is a sister project to Brady Haran's Numberphile. More at http://www.bradyharan.com
Views: 645794 Computerphile
#231 Ajay Prakash & Gavin Brennen: Qubit Protocol – Quantum Computing & The Coming Threat to Crypto
 
01:12:52
Support the show, consider donating: BTC: 1CD83r9EzFinDNWwmRW4ssgCbhsM5bxXwg (https://epicenter.tv/tipbtc) BCC: 1M4dvWxjL5N9WniNtatKtxW7RcGV73TQTd (http://epicenter.tv/tipbch) ETH: 0x8cdb49ca5103Ce06717C4daBBFD4857183f50935 (https://epicenter.tv/tipeth) With the advent of mature quantum technologies, many of the critical cryptographic protocols which secure the Internet, financial transactions and even military secrets may become susceptible to new attack vectors. For instance, while it may take a computer millions of years to decipher a public key’s corresponding private key, a sufficiently powerful quantum computer might achieve this in a reasonable amount of time. With this reality looming over us, many in the blockchain space worry that someone with access to a quantum computer might one day have the ability to steal their hard-earned crypto. We’re joined by Ajay Prakash and Gavin Brennen, founders of the Qubit Protocol, a decentralized blockchain-enabled governance protocol that is meant to select and fund the best startups in the quantum world. As a co-author of the recent paper “Quantum attacks on Bitcoin, and how to protect against them,” Gavin walks us through the primary threats that quantum computing poses on Bitcoin. Among the major vulnerabilities are hashing functions and Elliptic Curve algorithms used for digital signatures, both fundamental components of Bitcoin, as well as many other blockchain protocols. Topics discussed in this episode: - What are quantum technologies and how they differ from the existing paradigm - The areas and industries which are to benefit most from quantum computing - A refresher on hashing algorithms as one-way functions - What a quantum attack on Bitcoin mining might look like - How Elliptic Curve digital signature algorithms work and how public and private keys are generated - The three types of attacks a quantum computer could perform digital signatures - The expected timelines for these attacks to be viable - The potential countermeasures which could circumvent quantum attacks on Bitcoin - The Qubit Protocol as a DAO to fund quantum technology startups and the challenges of investing in the quantum space - The project’s roadmap and upcoming ICO Sponsors: - Shapeshift: Buy and sell alt coins instantly and securely without a centralized exchange - http://epicenter.tv/shapeshift This episode is also available on : - Epicenter.tv: https://epicenter.tv/231 - YouTube: http://youtu.be/sqfiNy27Fz0 - Souncloud: http://soundcloud.com/epicenterbitcoin/eb-231 Watch or listen, Epicenter is available wherever you get your podcasts. Epicenter is hosted by Brian Fabian Crain, Sébastien Couture & Meher Roy.
Views: 1337 Epicenter
Tor Network Key Exchange - Curve25519
 
05:18
https://asecuritysite.com/encryption/curve
Views: 605 Bill Buchanan OBE
PGP Encryption Explained
 
05:57
DISCLAIMER: Researchers have recently discovered a major vulnerability with PGP encryption. We recommend that you stop relying on PGP for encrypted communications and switch to a different secure communications method for now. More on the PGP vulnerability here: https://www.eff.org/deeplinks/2018/05... ---- PGP stands for Pretty Good Privacy. It’s an encryption standard that is used worldwide to encrypt email communications. In this tutorial we will see how PGP works before looking at simple ways to use it on a daily email exchange.
RSA, DSA, ECC: The SSL Encryption Algorithms by SSL247®
 
01:39
Since our launch in 2003, we've been dedicated to ensuring the continuity of your business on the internet. Online threats are becoming more and more sophisticated, this is why we offer a full range of products to secure, protect and monitor your online presence. Contact our fully accredited, dedicated experts on +44 (0)20 3582 9195 or at [email protected] For more information, visit our website at: www.SSL247.co.uk
Views: 922 SSL247
Cryptanalysis of AES and SHA-2: how far we are from compromising worldwide encryption
 
56:42
Modern cryptanalysis typically deal with basic cryptographic primitives where a vulnerability might imply an unavoidable threat to a full cryptosystem. The cipher AES and the hash family SHA-2 are used in numerous theoretical constructions and applications. They were designed over 10 years ago and survived intensive cryptanalytic efforts. Despite hundreds of papers written on the subject, no weakness was discovered in either design. Only recently it was announced that the secret key of the AES cipher can be found faster than by exhaustive search by a small but noticeable factor. At about the same time the SHA-2 shortened by as little as 25 was found to be not a one-way function.
Views: 389 Microsoft Research
CSS Keylogger - old is new again
 
11:29
This is "well known" research that resurfaces every other year. Let me tell you a story how I have heard about this in 2012 and putting it into perspective. Research "Scriptless Attacks – Stealing the Pie Without Touching the Sill" (2012): + Paper: https://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf + Slides: https://www.slideshare.net/x00mario/stealing-the-pie + Talk recording: https://channel9.msdn.com/Events/Blue-Hat-Security-Briefings/BlueHat-Security-Briefings-Fall-2012-Sessions/BH1203 CSS Keylogger: https://github.com/maxchehab/CSS-Keylogging Stealing Data With CSS - Attack and Defense: https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense Twitter: + https://twitter.com/0x6D6172696F + https://twitter.com/sirdarckcat + https://twitter.com/garethheyes + https://twitter.com/thornmaker + https://twitter.com/mlgualtieri -------------------------------------- Twitter: https://twitter.com/LiveOverflow Website: http://liveoverflow.com/ Subreddit: https://www.reddit.com/r/LiveOverflow/ Facebook: https://www.facebook.com/LiveOverflow/
Views: 179686 LiveOverflow
Breaking AES with ChipWhisperer - Piece of scake (Side Channel Analysis 100)
 
14:09
Terrible DPA explanation and sharing my experience solving the side channel analysis challenge "piece of scake" from the rhme2 CTF. A real DPA tutorial by Colin O'Flynn: https://www.youtube.com/watch?v=OlX-p4AGhWs The ChipWhisperer AES tutorial: http://www.newae.com/sidechannel/cwdocs/tutorial.html ChipWhsiperer: http://newae.com/tools/chipwhisperer/ The DPA paper: https://www.rambus.com/introduction-to-differential-power-analysis-and-related-attacks/ rhme2 challenge files: https://github.com/Riscure/Rhme-2016 -------------------------------------- Twitter: https://twitter.com/LiveOverflow Website: http://liveoverflow.com/ Subreddit: https://www.reddit.com/r/LiveOverflow/
Views: 33332 LiveOverflow
Recover RSA private key from public keys - rhme2 Key Server (crypto 200)
 
12:42
Using the greatest common divisor (GCD) to factorize the public modulo into the secret primes, so we can forge a RSA signature. Source for the rhme2 challenges: https://github.com/Riscure/Rhme-2016 -------------------------------------- Twitter: https://twitter.com/LiveOverflow Website: http://liveoverflow.com/ Subreddit: https://www.reddit.com/r/LiveOverflow/
Views: 36278 LiveOverflow
ShmooCon 2014: Malicious Threats, Vulnerabilities in Mobile Instant Messaging Platforms
 
38:21
For more information visit: http://bit.ly/shmooc14 To download the video visit: http://bit.ly/shmooc14_down Playlist Shmoocon 2014: http://bit.ly/shmooc14_pl Speakers: Jaime Sanchez | Pablo San Emeterio Global surveillance emerged as a phenomenon since the late 1940s and Internet and mobile technology are being developed with such pace that it is impossible to guarantee electronic privacy and nobody should expect it. How strong are the actual Instant Messaging Platforms? Do they take care of our security and privacy? We'll look inside the security of several clients (like BBM, Snapchat, and Line) and will put our focus on WhatsApp. WhatsApp might not be as widely known as Twitter, but the company announced that it has passed 350 million active monthly users. WhatsApp has been plagued by several security issues in the past, so we decided to start the research. We've discovered several vulnerabilities more that we'll disclosure (with proof of concept code), including encryption flaws, remote DOS (making the client crash by sending a custom message), or how to spoof messages manipulating sender address information. We'll also release a new version of our tool with different protection layers: encryption, anonymity, and using a custom XMPP server. It's necessary to implement additional measures until WhatsApp decides to take security seriously.
Views: 851 Christiaan008
ToorCon XX — RANSOMWARE VERSUS CRYPTOJACKING: LATEST TRENDS IN MODERN MALWARE - Pranshu Bajpai
 
52:03
Ransomware and cryptojacking have been recognized as the top malware threats in 2018. Financially motivated cybercriminals are attracted to both since both remain viable means of generating illicit income. In this talk, we delve deep into the latest characteristics observed in ransomware and cryptojacking attacks. Modern ransomware go beyond mere data encryption and come bundled with other threats, while cryptojacking attacks exploit unsuspecting web users by deploying embedded JavaScript miners concealed in websites. We discuss the intricate characteristics of sophisticated modern ransomware variants, cryptojacking attacks, and the results of our web crawl identifying websites involved in cryptojacking. Finally, we compare ransomware and cryptojacking in terms of their potential to generate illicit income for cybercriminals versus the levels of sophistication required to implement their respective campaigns. Modern malware present multi-faceted threats that leverage a variety of attack vectors. Leading the malware threatscape in 2018 are ransomware and cryptojacking attacks, and the more evolved variants are now implementing targeted attacks against organizations (e.g. SamSam). These modern ransomware include a hybrid cryptosystem that uses a combination of symmetric and asymmetric cryptography. In recent practice, ransomware are going beyond mere data encryption and come bundled with other threats. We present real-world cases of ransomware where we observed these cryptoviral extortions drop trojan horses (e.g. RAA dropping pony) and cryptominers (e.g. BlackRuby). Our research shows that these secondary infections remain active on host even after the ransom is paid. During this talk, we will also discuss how elliptic curve cryptography (ECIES) is deployed in modern ransomware (e.g. Petya and PetrWrap) and the tactical advantages it provides (over RSA) to ransomware operators. We will show how many ransomware variants purge shadow copies (via vssadmin), encrypt network backups (using WNetAddConnection2), and use the latest anti-virus circumvention techniques such as “process doppelganging” (e.g. SynAck ransomware). In addition, we will discuss the results of our preliminary web crawl that identified cryptojacking scripts embedded across a variety of websites. We will discuss just how cryptojacking works, why it is rampantly spreading, how it effects organizations and individuals and how to effectively protect an organization and its employees against it. In conclusion, we will discuss the future of the most potent ransomware and cryptojacking malware as predicted via analysis of real-world malware samples observed lately in the wild. We will also explore new attack vectors (besides phishing) deployed by these malware such as exploiting critical vulnerabilities (e.g. the infamous EternalBlue) or brute forcing remote services (e.g. RDP or SSH). All arguments presented during the talk will be backed by empirical evidence in form of system snapshots, code snippets, and network packet dumps as collected from real-world malware.
Views: 79 ToorCon
EB50 – BTC2B Conference: Nicolas Courtois & potential security vulnerabilities in Bitcoin ECDSA
 
45:59
Support the show, consider donating: 39rFJA7bHRREpgghnZKzKbYrQEPVX9P3Fj (http://bit.ly/1wl0Ivn) Nicolas Courtois is a cryptographer and senior lecturer at University College London. He has been studying cryptocurrencies for some time and has written a number of papers on bitcoin. His talk is titled "Cryptographic Security of ECDSA in bitcoin" in which he exposes the security vulnerabilities in the specific variation of the Elliptic Curve digital Signature Algorithm used in bitcoin. Links mentioned in this episode: - Slides for this presentation: http://www.nicolascourtois.com/bitcoin/paycoin_ECDSA_survey_Brussels_2014_3abcd.pdf - Nicolas Courtois’s Wikipedia Page: http://en.wikipedia.org/wiki/Nicolas_Courtois - Personal blog: http://blog.bettercrypto.com/ - On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies paper: http://arxiv.org/abs/1405.0534 - Nicolas’s Bitcoin Publications: http://blog.bettercrypto.com/?page_id=63 Show notes: http://epicenterbitcoin.com/podcast/050 YouTube: http://youtu.be/-nHKhN4XpMw SoundCloud: http://soundcloud.com/epicenterbitcoin/eb-050 Epicenter Bitcoin is hosted by Brian Fabian Crain & Sébastien Couture. - Visit our website: http://epicenterbitcoin.com - Subscribe to our newsletter: http://epicenterbitcoin.com/newsletter - Twitter: http://twitter.com/epicenterbtc
Views: 262 Epicenter
16. Side-Channel Attacks
 
01:22:16
MIT 6.858 Computer Systems Security, Fall 2014 View the complete course: http://ocw.mit.edu/6-858F14 Instructor: Nickolai Zeldovich In this lecture, Professor Zeldovich discusses side-channel attacks, specifically timing attacks. License: Creative Commons BY-NC-SA More information at http://ocw.mit.edu/terms More courses at http://ocw.mit.edu
Views: 10116 MIT OpenCourseWare
Whiteboard Wednesday: Logjam Vulnerability
 
10:21
John Wagnon discusses the high level details of the Logjam vulnerability and why BIG-IP's default ssl profiles protect against it. Read David Holmes blog on remediating logjram for non-offloaded ssl traffic with iRules here: https://devcentral.f5.com/articles/remediating-logjam-an-irule-countermeasure
Views: 3557 F5 DevCentral
Format string exploit on an arduino - rhme2 Casino (pwn 150)
 
07:41
Solving the casino challenge of rhme2 abusing a format string vulnerability. The challenge: https://github.com/Riscure/Rhme-2016 -------------------------------------- Twitter: https://twitter.com/LiveOverflow Website: http://liveoverflow.com/ Subreddit: https://www.reddit.com/r/LiveOverflow/
Views: 9128 LiveOverflow
Bruce Schneier: Building Cryptographic Systems
 
11:20
Security guru Bruce Schneier talks with Charles Severance about security from the perspectives of both the National Security Agency and the National Institute of Standards and Technology. From Computer's April 2016 issue: www.computer.org/csdl/mags/co/2016/04/index.html. Subscribe to the Computing Conversations podcast on iTunes at https://itunes.apple.com/us/podcast/computing-conversations/id731495760.
Views: 1771 ieeeComputerSociety
What would happen to Bitcoin if Discrete Log were broken?
 
04:55
Discrete Log is one of those assumptions that Bitcoin rests on and there's at least one known vulnerability using Quantum Computing using Shor's Algorithm. How would this breaking affect Bitcoin? -------------------------- Seminar: http://programmingblockchain.com/ Newsletter: http://eepurl.com/cZr_Aj Medium: https://medium.com/@jimmysong Twitter: https://twitter.com/jimmysong Github: https://github.com/jimmysong
OpenSSL DSA Vulnerability - Daily Security Byte EP. 209
 
03:18
In this short, daily video post, Corey Nachreiner, CISSP and CTO for WatchGuard Technologies, shares the biggest InfoSec story from the day -- often sharing useful security tips where appropriate. Visit our blog post for full details: http://watchguardsecuritycenter.com
Views: 771 Corey Nachreiner
SSL Certificates Behaving Badly
 
11:54
In the world of secure websites, it's critical to maintain proper ownership of the certificate that helps protect your site. Certificates hold the encryption keys that allow users to securely interact with your site. When a certificate expires or changes ownership, it is important (and even required) that it be revoked and replaced with a new, updated certificate. This ensures that the current owner of the certificate is the only one who can offer legitimate access to that specific website. Some really smart guys (Ian Foster and Dylan Ayrey) found what they have termed "Bygone SSL" where one person can hold a valid certificate for a website that someone else owns! This interesting phenomenon is not necessarily a result of nefarious behavior, but rather the reality of how certificates work today. In this video, John explains the issue and outlines the reason this is happening. https://devcentral.f5.com/articles/lightboard-lessons-ssl-certificates-behaving-badly-32347 .
Views: 844 F5 DevCentral
Identifying another exploit mitigation and find bypass. stack0: part 2 - bin 0x22
 
09:36
In part 2 we have a closer look at stack0 on a modern system. We are trying to plan an exploit that works in case we can guess the stack cookie. We have to be a bit creative here. stack0: https://liveoverflow.com/binary_hacking/protostar/stack0.html -------------------------------------- Twitter: https://twitter.com/LiveOverflow Website: http://liveoverflow.com/ Subreddit: https://www.reddit.com/r/LiveOverflow/ Facebook: https://www.facebook.com/LiveOverflow/
Views: 12307 LiveOverflow
Discussion on The Birthday Attack
 
04:03
This is a discussion video on the birthday attack, the birthday paradox and the maths around the attack using MD5. All Links and Slides will be in the description. Subscribe for more cool stuff! Slides & files - http://www.mediafire.com/view/vdbpbrabj6j50x2/BirthdayAttack.pptx Python - http://python.org/ Ubuntu - http://www.ubuntu.com/ If you like what you see be sure to subscribe and thumbs up!
Views: 25399 DrapsTV
Cryptography Primer Session 3 – Integral Asymmetric Functions
 
01:04:22
This will be the third of six cryptography primer sessions exploring the basics of modern cryptography. In this session, we’ll explore integral asymmetric functions including Diffie-Hellman and RSA with an emphasis on how and why they work and the properties they enjoy. Subsequent sessions (on alternating Fridays) are expected to include the following topics. Depending on the interests of the participants, other topics may be included or substituted. Non-integer asymmetric functions including elliptic curves and lattice-based systems Cryptosystem properties, attacks, and vulnerabilities Applications including zero-knowledge, secret sharing, homomorphic encryption, and election protocols
Views: 102 Microsoft Research
What is DDoS?
 
09:57
Over the last quarter, there were approximately 500 DDoS attacks around the world with some lasting as long as 300 hours. In this Lightboard Lesson Peter Silva light up some #basics about DoS and DDoS attacks.
Views: 6395 F5 DevCentral
Bitcoin Q&A: Schnorr signatures and the privacy roadmap
 
16:29
How important are privacy improvements to Bitcoin in the roadmap? How will second layers and atomic swaps help with this? When will Schnorr signatures / signature aggregation be added to Bitcoin? What are Taproot and Graftroot? Will it be done through a soft or hard fork? Should we keep transaction transparency instead of adding privacy features? Watch Pieter Wuille's presentation - https://youtu.be/YSUVRj8iznU Schnorr signature BIP - https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki CORRECTION / CLARIFICATION: At 3:47, I mention that Schnorr signatures had to overcome "patent encumbrances" and guessed that the patent expired somewhere around 2010. The precise expiration date of the U.S. Patent (No. 4,995,082) was February 2008. At 4:22, I say that ECDSA and EC-Schnorr are based on the difficulty of solving the discrete logarithm problem over a prime-order field. While this is true for the digital signature algorithm (DSA), ECDSA and Schnorr are based on the discrete log problem over an elliptic curve group. (h/t Daira Hopwood) These questions were part of the monthly live Patreon Q&A session in July and the Denver event as part of 'The Internet of Money Tour' at the Hilton Denver Inverness, which took place on July 28th and August 6th 2018 respectively. If you want early-access to talks and a chance to participate in the monthly live Q&As with Andreas, become a patron: https://www.patreon.com/aantonop RELATED: Worse than Useless: Financial Surveillance - https://youtu.be/n4F-h4xuXMk Money as a System-of-Control - https://youtu.be/FyK4P7ZdOK8 The Stories We Tell About Money - https://youtu.be/ONvg9SbauMg Bitcoin: Privacy, Identity, Surveillance and Money - https://youtu.be/Vcvl5piGlYg ADISummit: Self-Sovereign Identity Panel - https://youtu.be/DZbyiJqKT8c How is fungibility tied to privacy? - https://youtu.be/VuI-8EwqIS8 Public keys versus addresses - https://youtu.be/8es3qQWkEiU Re-using addresses - https://youtu.be/4A3urPFkx8g Coin selection and privacy - https://youtu.be/3Ck683CQGAQ Airdrop coins and privacy implications - https://youtu.be/JHRnqJJ0rhc Wallet design and mass adoption - https://youtu.be/WbZX6BDZJHc How do I choose a wallet? - https://youtu.be/tN6b62sEpsY Using paper wallets - https://youtu.be/cKehFazo8Pw Exchanges, identity, and surveillance - https://youtu.be/TVFy8xXfxAA The price of losing privacy - https://youtu.be/2G8IgiLbT_4 Layered scaling and privacy - https://youtu.be/4w-bjUhpf_Q Lightning and onion routing - https://youtu.be/D-nKuInDq6g What is the roadmap? - https://youtu.be/5Eoj_sKyC90 SegWit and fork research - https://youtu.be/OorLoi01KEE MimbleWimble and Schnorr signatures - https://youtu.be/qloq75ekxv0 Block capacity and embedded data - https://youtu.be/JXt0v54nojI Mixing services - https://youtu.be/rKoMvOH4zoY Borderless money - https://youtu.be/EZh1-ZqffOw Andreas M. Antonopoulos is a technologist and serial entrepreneur who has become one of the most well-known and respected figures in bitcoin. Follow on Twitter: @aantonop https://twitter.com/aantonop Website: https://antonopoulos.com/ He is the author of two books: “Mastering Bitcoin,” published by O’Reilly Media and considered the best technical guide to bitcoin; “The Internet of Money,” a book about why bitcoin matters. THE INTERNET OF MONEY, v1: https://www.amazon.co.uk/Internet-Money-collection-Andreas-Antonopoulos/dp/1537000454/ref=asap_bc?ie=UTF8 [NEW] THE INTERNET OF MONEY, v2: https://www.amazon.com/Internet-Money-Andreas-M-Antonopoulos/dp/194791006X/ref=asap_bc?ie=UTF8 MASTERING BITCOIN: https://www.amazon.co.uk/Mastering-Bitcoin-Unlocking-Digital-Cryptocurrencies/dp/1449374042 [NEW] MASTERING BITCOIN, 2nd Edition: https://www.amazon.com/Mastering-Bitcoin-Programming-Open-Blockchain/dp/1491954388 Translations of MASTERING BITCOIN: https://bitcoinbook.info/translations-of-mastering-bitcoin/ Subscribe to the channel to learn more about Bitcoin & open blockchains! Music: "Unbounded" by Orfan (https://www.facebook.com/Orfan/) Outro Graphics: Phneep (http://www.phneep.com/) Outro Art: Rock Barcellos (http://www.rockincomics.com.br/)
Views: 10487 aantonop
DEF CON CTF 2018 Finals
 
16:04
Vlog about the Attack and Defense DEF CON 2018 CTF Finals in Las Vegas. -------------------------------------- Twitter: https://twitter.com/LiveOverflow Website: http://liveoverflow.com/ Subreddit: https://www.reddit.com/r/LiveOverflow/ Facebook: https://www.facebook.com/LiveOverflow/
Views: 41372 LiveOverflow
Tor de-anonymization techniques (SHA2017)
 
01:01:07
How people have lost their anonymity? Let's study real-world cases and try to learn how to avoid these errors. Tor offers great anonymity and privacy for millions of people. However, there are some Tor de-anonymization techniques that work. This presentation demonstrates de-anonymization of Tor hidden services and users. #NetworkSecurity Juha Nurmi
Views: 1384 SHA2017
Assessment Types - CompTIA Security+ SY0-301: 3.7
 
09:06
See our entire index of CompTIA Security+ videos at http://www.FreeSecurityPlus.com - There are many different ways to assess your network security. In this video, you'll learn about quantitative and qualitative risk assessments, threat assessments, and vulnerability assessments.
Views: 10942 Professor Messer
eXploit X : "Give Me Root" - Computerphile
 
11:37
One line of code can get root access on many Linux systems. Dr Steve Bagley demos the exploit. More info from The Register (updated link): https://bit.ly/2AAQnRT On the subject of the 'censored' part, we fully appreciate that anyone can find out what that code is, but we're demoing & explaining it, not giving a resource for those who want to do it. If anyone wants to know the code simply look in the comments! hth -Sean SHA: Secure Hashing Algorithm https://www.youtube.com/watch?v=DMtFhACPnTY Hardware Hacking: https://www.youtube.com/watch?v=eOPLQxGNmHA https://www.facebook.com/computerphile https://twitter.com/computer_phile This video was filmed and edited by Sean Riley. Computer Science at the University of Nottingham: https://bit.ly/nottscomputer Computerphile is a sister project to Brady Haran's Numberphile. More at http://www.bradyharan.com
Views: 103450 Computerphile
Peerlyst Community TV Episode 9: Is ECC a Better Choice than RSA?
 
04:45
Guest Expert: Nathan McMahon Avi Networks , speaking about ECC vs. RSA
Views: 70 Peerlyst Inc
Daniel J. Bernstein - How to manipulate standards - project bullrun
 
30:15
Daniel J. Bernstein - How to manipulate standards - project bullrun Daniel Julius Bernstein (sometimes known simply as djb; born October 29, 1971) is a German-American[2] mathematician, cryptologist, programmer, and professor of mathematics and computer science at the Eindhoven University of Technology and research professor at the University of Illinois at Chicago. His computer software programs qmail, publicfile, and djbdns were released as license-free software. This was used by some of the people that were offended by his criticism to stop the distribution of his software, so that Linux distributions such as Debian which used qmail internally did not distribute qmail. OpenBSD a security focused operating system had the majority of its security exploits as a result of its decision to stay with Sendmail and BIND and removed qmail and djbdns from its ports as part of the license dispute. This issue was resolved when Bernstein released the source code of his projects into public domain software in 2007. Bernstein designed his Salsa20 stream cipher in 2005 and submitted to eSTREAM for review, another variant, ChaCha20, is published by him in 2008. He also designed Curve25519, a public key cryptography scheme based on elliptic curve in 2005, and worked as the lead researcher on its Ed25519 implementation of EdDSA. Without any adoptions at first, after nearly a decade later, Edward Snowden's disclosure about the mass surveillance by the National Security Agency, especially a backdoor inside Dual_EC_DRBG, suspicions of the NIST's P curve constants[3] led to concerns[4] that the NSA had chosen values that gave them an advantage in factoring[5] public keys.[6] Since then Curve25519 and EdDSA has attracted much attention and became the de facto replacement of NIST P curve. Google has also selected ChaCha20 along with Bernstein's Poly1305 message authentication code as a replacement for RC4 in TLS, which is used for Internet security.[7] Many protocols based on his works have now standardized and used in a variety of applications, such as Apple iOS,[8] Linux kernel,[9] OpenSSH,[10][11] and Tor.[12]
Views: 359 Thomas D
Triple DES
 
06:31
Cyber Attack Countermeasures Module 3 Introducing Conventional Cryptography This module introduces the foundations of conventional cryptography along with its practical application in Kerberos. Learning Objectives • Recall the S/KEY protocol and its cryptanalytic properties • Summarize the basic architecture of Kerberos • Identify the detailed steps of Kerberos including key distribution • Describe conventional cryptography • Describe DES and its basic properties • Examine how triple-DES maintains compatibility with DES through key management Subscribe at: https://www.coursera.org/learn/intro-cyber-attacks/home/welcome https://www.coursera.org
Views: 658 intrigano
How WanaCrypt Encrypts Your Files - Computerphile
 
17:22
Wanacrypt works super fast and even when you're offline. Dr Pound explains how hybrid ransomware systems work. Original Wana Decrypt0r video: https://youtu.be/88jkB1V6N9w The Perfect Code: https://youtu.be/WPoQfKQlOjg http://www.facebook.com/computerphile https://twitter.com/computer_phile This video was filmed and edited by Sean Riley. Computer Science at the University of Nottingham: http://bit.ly/nottscomputer Computerphile is a sister project to Brady Haran's Numberphile. More at http://www.bradyharan.com
Views: 265356 Computerphile
Cryptography Primer Session 5 Attacks, Vulnerabilities, & Practical Considerations
 
01:08:18
This will be the fifth of six cryptography primer sessions exploring the basics of modern cryptography. In this session, we'll explore a variety of attacks including padding attacks, length-extension attacks, fault-injection attacks, timing attacks, and cache attacks. In doing so, we'll explore some of the practical considerations which create the vulnerabilities that enable these attacks. The final session (on May 30) is expected to focus on applications including zero-knowledge, secret sharing, homomorphic encryption, and election protocols.
Views: 114 Microsoft Research
HTTPS & TLS in 2016: Security practices from the front lines - AppSecUSA 2016
 
01:01:12
Recorded at AppSecUSA 2016 in Washington, DC https://2016.appsecusa.org/ HTTPS & TLS in 2016: Security practices from the front lines Implementing strong security for Internet‐facing services has grown more challenging and more complex over the past two years. With protocol‐level vulnerabilities like FREAK, BEAST, CRIME, POODLE, & LOGJAM, Ops teams are forced to reevaluate long‐held assumptions about foundation system network code. What are the right tradeoffs between modern network security requirements versus widespread legacy client and user interoperability? How do we apply these to traditional Apache and Nginx servers, mobile app web services, and non‐browser infrastructure like libcurl, proxies, API endpoints, and load balancers? And what's the deal with Curve25519, ChaCha/Poly1305, LibSodium, BoringSSL, and LibreSSL? Here, we present a practitioner's crash guide to modern site and web service endpoint encryption using HTTPS. We cover the "TLS 101" (and 201) fundamentals of certificates: ECDSA vs RSA, 2K vs 4K, ephemeral Diffie‐ Hellman (elliptic curve versus static), Domain Validation vs Extended Validation. We'll talk about intermediate and root authorities (and why Superfish is such a problem), and then look at some best practices around https including certificate transparency (CT), pinning (HPKP), and strict transport security (HSTS). Lastly, we'll give updates from the OpenSSL 1.1 audit, and point to well curated configuration guides and recipes for https and TLS. Speakers Eric Mill Eric Mill is a software engineer and advocate for a web that is safe and secure for all of its users. Eric is currently an advisor and engineer in a federal government agency, and has previously worked at the Sunlight Foundation on open data infrastructure and policy. Kenneth White Director, Open Crypto Audit Project Kenneth White is a security researcher whose work focuses on networks and global systems. He is Director of the Open Crypto Audit Project (OCAP), currently managing a large‐scale audit of OpenSSL on behalf of the Linux Foundation's Core Infrastructure Initiative. In his day job, White leads an applied R&D team for Dovel Labs, working with federal clients on mission system security and cloud automation. - Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP_Media_Project
Views: 2265 OWASP
Black Hat USA 2013 - The Factoring Dead: Preparing for the Cryptopocalypse
 
54:12
By: Alex Stamos, Tom Ritter, Thomas Ptacek & Javed Samuel The last several years has seen an explosion of practical exploitation of widespread cryptographic weaknesses, such as BEAST, CRIME, Lucky 13 and the RC4 bias vulnerabilities. The invention of these techniques requires a lot of hard work, deep knowledge and the ability to generate a pithy acronym, but rarely involves the use of a completely unknown weakness. Cryptography researchers have known about the existence of compression oracles, RC4 biases and problems with CBC mode for years, but the general information security community has been unaware of these dangers until fully working exploits were demonstrated. In this talk, the speakers will explain the latest breakthroughs in the academic crypto community and look ahead at what practical issues could arise for popular cryptosystems. Specifically, we will focus on the latest breakthroughs in discrete mathematics and their potential ability to undermine our trust in the most basic asymmetric primitives, including RSA. We will explain the basic theories behind RSA and the state-of-the-art in large numbering factoring, and how several recent papers may point the way to massive improvements in this area. The talk will then switch to the practical aspects of the doomsday scenario, and will answer the question "What happens the day after RSA is broken?" We will point out the many obvious and hidden uses of RSA and related algorithms and outline how software engineers and security teams can operate in a post-RSA world. We will also discuss the results of our survey of popular products and software, and point out the ways in which individuals can prepare for the zombi^H^H^H crypto apocalypse.
Views: 2964 Black Hat