Our thanks to BSides Sofia for publishing their presenter’s tremendous BSides Sofia 2023 content on the organizations’ YouTube channel.

Our thanks to BSides Knoxville for publishing their presenter’s outstanding BSides Knoxville 2023 content on the organizations’ YouTube channel.

Our thanks to both the OWASP® Foundation and the OWASP Global AppSec US 2021 Virtual Conference for publishing their well-crafted application security videos on the organization’s’ YouTube channel.

via Adam Hastings (Adam is a PhD student at Columbia University) and Simha Sethumadhavan - Associate Professor at Columbia University, writing at the Association for Computing Machinery's (ACM) Computer Architecture Special Interest Group (SIGARCH) comes this well crafted piece asking 'Are Computer Architects to Blame for the State of Security Today?' Today's Must Read.

Note: Portions of the referenced matter includes original research and have been adapted from class notes on a grad class on Computer Architecture (Source) at Columbia University.

Thanks to USENIX for publishing the USENIX Enigma 2019

outstanding conference videos on their YouTube Channel

Dan Blum, writing at Security-Architect, regales us with a - frankly - superb explanatory post regarding FIDO, also known as Fast Identity Online. His article is highly regarded around here, and I recommend visting the site, straight-away!

'The core FIDO2 speification are:

FIDO Client To Authenticator Protocol (CTAP): CTAP specifies a protocol for communication between a personal device with cryptographic capabilities (aka authenticator) and a host computer that wishes to use these capabilities for security functions including strong user authentication...!”

FIDO Web API (WebAuthn): Defines how to use the WebCrypto APIs to allow web pages to access strong credentials through browser JavaScript, in a way that is easy to use for developers to code...

FIDO Attestation: Defines attestation formats used to validate FIDO Authenticators, uses of FIDO 2.0 credentials, and associated user verification methods. FIDO attestation could be mapped as authentication context to federation servers or other conditional/adaptive authentication systems.'

Kelby Ludwig - writing at Duo Lab's has just posted a fascinating blog entry detailing their recent discovery of SAML vulns potentially affecting a range of implementations and deployments. In this case, the vulnerability appears to be a zero knowledge scenario (of the attributes of the target's password). H/T

"This blog post describes a new vulnerability class that affects SAML-based single sign-on (SSO) systems. This vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user’s password. - via Duo Lab's Kelby Ludwig

Oops.

BSides Sofia 2023 - Radoslav Gerganov - Hyundai Head Unit Hacking →

BSides Sofia 2023 - Vangelis Stykas And Felipe Solferin - Stalking The Stalkers →

BSides Sofia 2023 - Daniela Shalev - Hunting Unsigned DLLs To Find APT →

BSides Sofia 2023 - Evgeni Saber - Advanced Enterprise Vulnerability →

BSides Sofia 2023 - Vasil Velichkov - Hacking Attacks Against Government Institutions →

BSides Sofia 2023 - Peter Kirkov, e-Government - Keynote →

BSides Sofia 2023 - Deputy Minister Atanas Maznev e-Government, Rosen Kirilov, PhD, UNWE - Conference Opening →

BSides Sofia 2023 Intro →

BSides Knoxville 2023 - Patterson Cake - 10 Things I Wish Every CISO Knew Before An Incident: A View From The IR Trenches →

BSides Knoxville 2023 - Sara Anstey - Educating Your Guesses: How To Quantify Risk and Uncertainty →

BSides Knoxville 2023 - Chris Koehnecke - Minimum Viable Security for Cloud Native Stacks →

BSides Knoxville 2023 - Connor Gannon - Summoning Angels In The Modern Age: Digitizing The Methods Of Steganographia →

BSides Knoxville 2023 - Hudson Bush - Enterprise Security Architecture Isn’t Just For Enterprises Anymore →

OWASP® Global AppSec US 2021 Virtual - Fraser Scott's 'Automating Architectural Risk Analysis With The Open Threat Model Format' →

OWASP® Global AppSec US 2021 Virtual - Joern Freydank's 'Security Design Anti-Patterns – Creating Awareness To Limit Security Debt' →

Are Hardware Architects To Blame For The Current Abysmal State of Security?

USENIX Enigma 2019, Daniel Zappala's 'Using Architecture And Abstractions To Design A Security Layer For TLS' →

CircleCity Con 2018, Bryan McAninch's 'The FaaS And The Curious: AWS Lambda Threat Modeling' →

FIDO, Carry-On →

SAML Flaws Discovered With SSO Implications →