So 2FA was supposed to save the world from passwords, huh? This review of a wide range of 2FA plugins looks at issues in security, usability, scalability, and administrative features.
Per is an independent security adviser and the founder of PasswordsCon. He was a finalist for the annual Rosing IT security award in 2012, and was awarded the Commanding General of the Norwegian Armed Forces Cyber Defence Coin in spring 2014 for his contributions to information security...
Tuesday August 4, 2015 11:00 - 11:25 PDT
Passwords / Tuscany
The gap between the effort needed to withstand online and offline password guessing attacks is enormous, and there's a large region where increasing cracking resistance leads to no change in outcomes. On many networks there's also a snowball effect, where an attacker with x% of credentials controls much more than x% of network resources; this also gives a large region where increasing cracking resistance accomplishes nothing. This talk examines the administrator's task of defending a population of users from password cracking, what does and doesn't make sense, and where we are wasting our time (spoiler alert: almost everywhere).
Cormac is a Principal Researcher at Microsoft Research, where he has been since 1999. He has published widely in information theory, networking, and security. He is an inventor of 70+ US patents, and has shipped technologies used by hundreds of millions of users. He holds a PhD...
Tuesday August 4, 2015 14:00 - 14:55 PDT
Passwords / Tuscany
KoreLogic will demonstrate how one enterprise was able to dramatically reduce the risk posed by password cracking attacks -- from 85% cracked down to only 50% cracked -- through regular password auditing.
Dale is a Security Consultant with KoreLogic, where he performs penetration testing and password audits for Fortune 500 companies and developed KoreLogic's Password Recovery Service. An avid password cracker, Dale also helps run the annual "Crack Me If You Can" contest at DEF CON...
Rick, aka Minga, has over 16 years of experience as a penetration tester, and runs KoreLogic's Password Recovery Service. He also runs the annual "Crack Me If You Can" contest at DEF CON. He has provided numerous contributions to the password-cracking community, and has previously...
Tuesday August 4, 2015 15:00 - 15:25 PDT
Passwords / Tuscany
This presentation will demonstrate a large number of Maltego Remote Transforms that significantly reduce the password-cracking effort by leveraging the APIs of Abusix, haveibeenpwned, and BreachAlarm to look up compromised credentials posted to Pastebin.
Daniel Cuthbert is the Chief Operating Officer at SensePost and has been a penetration tester since the mid-90s. He has an obsession with tracking down Internet Jihadis, is the original author of the OWASP Testing Guide, is now the author of the OWASP ASVS, and holds two masters...
Christian Heinrich has presented at OWASP conferences on three continents, and has also presented at ToorCon, Shmoocon, SecTor, CONFidence, Hack In The Box, SyScan, RUXCON, and AusCERT.
Tuesday August 4, 2015 15:30 - 15:55 PDT
Passwords / Tuscany
You are predictable, your passwords are predictable, and so are your PINs. This simple fact is often exploited by hackers, as well as the agencies watching you. But what about your Android lock patterns? Can who you are reveal what patterns you create? This talk will present the results from a study of 3400 users and their selected lock patterns. Will being left-handed and having experience with security affect the way you create your lock patterns? Full Disk Encryption won't save you if your lock pattern is L - as in "loser".
Marte has recently obtained a Masters in Computer Science from the Norwegian University of Science and Technology (lol NUTS), and is currently employed full-time as a software developer for a Norwegian consulting firm. She likes passwords and colors, resulting in a special interest...
Tuesday August 4, 2015 17:00 - 17:25 PDT
Passwords / Tuscany
This presentation discusses a strategy for reverse-engineering router firmware to analyze the algorithms used to generate default WPA2 PSKs, and demonstrates how such passwords can be recovered within minutes. Further, we describe a procedure that can instantly gather a complete wireless authentication trace, which enables an offline password recovery attack.
Student at Radboud Nijmegen, Security Analyst at Riscure
Eduardo is a Security Analyst who specializes in embedded device security. He is known for messing around with wireless routers, and has published research on EMV-CAP and WirelessHART during his studies. He holds a BS in CS from Universitat Politécnica de Valencia (Spain), and a...
This presentation demonstrates how open source tools can be used to bypass modern digital locks found in smart phone applications and other PIN interfaces.
This presentation shares insights from a recently conducted study on the exposure of networks to credential theft attacks and privileged account exploitation, and discusses the effectiveness of mitigations. The session will present some of the best practices needed to manage these privileged accounts, and highlights the need for automation in order to achieve effective privileged password management.
Andrey Dulkin has over 15 years of experience in information security research and development, both in technical and leadership positions. In his current position, Andrey heads the CyberArk Labs, where his research focuses on targeted attacks mitigation, critical infrastructure security...
Tuesday August 4, 2015 18:30 - 18:55 PDT
Passwords / Tuscany
Many sites require users to provide answers to "security questions," which are typically used as part of the account recovery process. This talk will explore the nature of these questions and answers, and present problems associated with this practice.
Jim Fenton is a consultant and researcher with a focus on user-centric identity, messaging, and Internet privacy and security issues. His primary consulting focus is currently user authentication standards, supporting the National Institute of Standards and...
Wednesday August 5, 2015 10:00 - 10:25 PDT
Passwords / Tuscany
Users often forget their passwords, so applications often must have a password reset mechanism. There are several options for how to do it; some of them are good, most of them not so good. Generate a password and send it in an email? No. Security questions? No way. Reset passwords via a phone call? Rather not. This talk presents some really creative examples of botched password reset implementations, as well as a proven method for resetting passwords securely.
Michal, aka spazef0rze, is an application security engineer who's on a mission to show developers how and why to write secure code, and is the discoverer of the PHP "md5(QNKCDZO)" bug. Michal has worked for small and big, local and multinational companies, and is currently freelancing.
Wednesday August 5, 2015 10:30 - 10:55 PDT
Passwords / Tuscany
This presentation will discuss post-exploitation methods for harvesting passwords from source code, scripts, code repositories, shell history, log files, and other locations. Two new tools will be released during this presentation.
Philippe has 20+ years of experience in the video game industry, developing anti-tampering, anti-debugging, and various DRM technologies. He has multiple patents and has published several papers.
Wednesday August 5, 2015 11:00 - 11:55 PDT
Passwords / Tuscany
This talk compares the performance of numerous guessing approaches and human experts to understand how they impact password research. A new tool to standardize security analyses by researchers will be released during this presentation.
Sean is a PhD student at Carnegie Mellon University, where he conducts and publishes studies on password security and usability. He and Blase Ur will be representing the entire passwords research group at CMU, which comprises three faculty and more than 10 students.
Password-based encryption needs all the help it can get to withstand brute-force attacks. We repurpose an old idea to encrypt data so that each password guess requires processing all of the encrypted data. Then, we'll look at some use cases to see how the costs change for the attacker and defender. In a brute-force attack, this can mean a large increase in attacker I/O, with little cost increase to defenders, who must process all of the data anyway.
Greg is a software engineer in the MSR Security and Cryptography group at Microsoft. He performs research in applied cryptography, implements cryptographic primitives, and helps product teams use cryptography securely. Prior to joining Microsoft, Greg worked on applied research, standardization...
Wednesday August 5, 2015 14:00 - 14:25 PDT
Passwords / Tuscany
This presentation discusses several bad designs for encrypting data stored in the cloud, and presents a new method for authenticating to an encrypted service.
Dubbed 'Security by Obesity' on Reddit, Blind Hashing entangles password hashes with a massive pool of completely random data. The data pool acts as a common defense fund to completely protect passwords against offline password cracking attacks.
Jeremy is the inventor of Blind Hashing and the first micropayment channel implementation in Bitcoin. He aims to create technology which measurably improves our security and privacy against the most well-provisioned hackers and corporate interests, deeply believing that everyone has...
Wednesday August 5, 2015 15:00 - 15:25 PDT
Passwords / Tuscany
Structural problems in how PBKDF2 was originally described mean almost all implementations give attackers an accidental advantage. This talk describes the problem and surveys several implementations.
Joseph, aka ctz, has 7 years of experience with Hardware Security Module firmware development and phone authentication solutions. He spends the rest of his time complaining about how awful computers and electronic security are.
Wednesday August 5, 2015 15:30 - 15:55 PDT
Passwords / Tuscany
Password Alert is a free, open-source Chrome extension that protects your Google and Google Apps for Work accounts. Once you've installed it, Password Alert will show you a warning if you type your Google password into a site that isn't a Google sign-in page. This protects you from phishing attacks, and also encourages you to use different passwords for different sites, a security best practice.
Drew is an Information Security Engineer and Staff Software Engineer at Google. He's the creator of Google Password Alert. His main focus is protecting Google and its users from targeted threats. His team has helped discover and kill 30+ 0day exploits being used in the wild by attackers...
Wednesday August 5, 2015 17:00 - 17:25 PDT
Passwords / Tuscany
What have we accomplished with passwords in the last fifty years? Embarrassingly little. We are on the brink of an explosion of authentication technologies, but so far much of what we see is the same flawed ideas repeated over and over. It is time for the community to step up and start leading the world to better authentication security. This presentation will look at where we are with passwords, biometrics, tokens, and other authentication solutions, and will also look at the big problems we still haven't solved.
Mark Burnett is an infosec consultant and author. He has spent most of the last twenty years researching, consulting, writing, and sometimes just ranting about how to secure the software and operating systems we work with every day. Mark has written several books, published numerous...
Wednesday August 5, 2015 17:30 - 17:55 PDT
Passwords / Tuscany
Passphrases in the style of XKCD 936 or Diceware have gained popularity, but are they secure enough and practical to use? They seem like a good compromise between security and memorability, but why did Bruce Schneier say using them is "no longer good advice"? This session investigates popular password generation schemes, and examines the characteristics that determine the passphrase strength. We will also review whether the average person finds these passphrases easier to use than passwords, and if they're practical to use in most cases.
Bruce is a security consultant who founded the PasswordResearch.com web site over a decade ago. He aims to introduce more professionals to new and existing authentication research so they can better justify secure system design and policy choices. He has previously shared his experiences...
Our mission is to remove username/password from the internet. We are foolish enough to think that the current auth paradigm can be much safer, simpler and secure if only it were completely reversed. We shouldn't manually type our data into a form; those who want our data should ask permission to read them from our smartphones.
Björn is an angel investor and entrepreneur, and is the co-founder and CEO of SingleID. He holds law degrees from Bonn University and the University of Texas School of Law. He previously co-founded Novum Capital, and has been on the board of IVC Venture Capital since 2003. Björn...
Daniel is a security consultant, programmer, systems administrator, and entrepreneur, who has over 15 years of experience and is passionate about cryptography.