Slow Down Online Guessing Attacks with Device Cookies

•Transferir como PPTX, PDF•

1 gostou•532 visualizações

Talk on OWASP Russia Meetup #6, 2017

Slow Down
Online Guessing Attacks
with Device Cookies
Anton Dedov
OWASP Russia Meetup #6, 2017

Anton Dedov
Security Architect
Odin / Ingram Micro
adedov@gmail.com
@brutemorse

Intro: Online guessing attacks

App

App

App

Attacker goals
Password for specific account
Password for any account in a system
Password for any account in any system

Threats for Authentication
Online attacks
Offline attacks
Password leaks

App
user : password1
Online guessing attacks
user : password2
user : password3
...

Authentication attacks: Mitigations
M-FA / M-Step UX!
Password policy Magic 106
Rate limiting 
Authentication parameters e.g. time, location, etc.
Monitoring e.g. haveibeenpwned.com

© Cormac Herley et al. An Administrator’s Guide to Internet Password Research

Rate limiting
CAPTCHA
Account lockout
Exponential timeouts
Proof of work

Account lockout: simple math
5 attempts ⇒ 20 min. lockout
131400 attempts/year

Account lockout
Lock account Effective
Easy DoS
Lock (account, IP) Somewhat DoS mitigation
Botnets
Proxies
IPv6
DoS as a collateral damage

Device Cookie
Distinguish known clients from unknown ones

App
Lockout all unknown
devices at once
Lockout individual user
per device cookie
user : password
user : password
Device Cookie

Set-Cookie: KnownDevice=
LOGIN|NONCE|HMAC(secret-key,LOGIN|NONCE)

Set-Cookie: KnownDevice=JWT
{
"alg": "HS256",
"typ": "JWT”
} . {
"aud": "device-cookie",
"sub": "adedov@odin.com",
"jti": "40e2a97a2ab37406”
}

Threats & Mitigations
Threat Mitigation
Online attack against one user Password policy
Online attack using stolen device cookies Limited, prevent cookie leaks
Online attack against multiple users Not mitigated
Spoof device cookie Crypto
Tamper with existing device cookie Crypto
DoS for specific account OOB device cookie issue
DoS for specific account when client is used by
different accounts
Device cookies per account

Implementation recommendations
Use good crypto, like HMAC-SHA2 or signed JWT.
Prevent cookie leakage with Secure & HttpOnly flags.
Issue cookie for valid reset password link.
Issue new device cookie after each successful login.
Include user ID into cookie name (privacy concerns?).

References
OWASP: Slow Down Online Guessing Attacks with Device Cookies
PasswordsCon, and specific talks from PasswordsCon 14:
• Marc Hause talk Online Password Attacks
• Alec Muffet talk Facebook Password Hashigh & Authentication
An Administrator’s Guide to Internet Password Research

Mais conteúdo relacionado

Mais procurados

Web server security challenges

Web server security challenges

Web server security challenges

Martins Chibuike Onuoha

Introduction to Web Server Security

Introduction to Web Server Security

Introduction to Web Server Security

JITENDRA KUMAR PATEL

Web Server Security Guidelines

Web Server Security Guidelines

Web Server Security Guidelines

Vulnerabilities The larger and more complex information systems are, the greater the possibility of error in logic and loopholes in algorithm. These are weak points that could enable hackers to breach a system and compromise the integrity of information stored. Programmers themselves who are not yet adept in writing software code can unknowingly misuse the code and lead to a vulnerability. A classic example of vulnerabilities that can be exploited is a weak password or its repeated use on various services or software. There are also websites containing malware that installs automatically once visited. Even legitimate software could be a venue for an exploit due to unknown errors (bugs) generated by the program. The end-user or the human element in information systems is arguably the weakest point that hackers easily utilize. 0-day exploits 0-hour or 0-day attack is the exploitation by outside parties of a security hole in a computer program which is unknown from its developers. The term comes from the premise that the attack unfolds on the “day 0, meaning no awareness as of yet from the developers so there is no opportunity and time to issue a fix for the threat. Zero-day exploits are usually shared among hackers even before the developer knew. Programmers could use the vulnerabilities via several avenues: on web browsers and email. Web browsers allow for a wider target. Meanwhile, using email, hackers can send a message that includes an executable file on the attachments, set to run once downloaded. Such 0-day threats are in the time frame where a security hole is exploited up to the time that the program developers issued a patch for it.

Hass and associates cyber security

Hass and associates cyber security

Hass and associates cyber security

Ch # 10 computer security risks and safe guards

Ch # 10 computer security risks and safe guards

Ch # 10 computer security risks and safe guards

MuhammadRobeel3

Web Server Web Site Security

Web Server Web Site Security

Web Server Web Site Security

Client /server security overview

Client /server security overview

Client /server security overview

Web security

KeystrokeGuard_Presentation_20141024

KeystrokeGuard_Presentation_20141024

KeystrokeGuard_Presentation_20141024

Viruses, Biometrics, Encryption

Viruses, Biometrics, Encryption

Viruses, Biometrics, Encryption

Top 10 web server security flaws

Top 10 web server security flaws

Top 10 web server security flaws

Possible security issues with data

Possible security issues with data

Possible security issues with data

Attack chaining for web exploitation

Attack chaining for web exploitation

Attack chaining for web exploitation

n|u - The Open Security Community

Web Application Security

Web Application Security

Web Application Security

assign3.docx

A recent indictment revealed how the GRU (Russia’s Military Intelligence agency) used both influence operations and network intrusions to achieve its policy aims. More precisely, the GRU weaponized the use of the network intrusions in its influence operations. We have used the MITRE ATT&CK framework as our methodology to play back the findings of the indictment. In doing so, we aim to provide key lessons organizations can take away from this indictment.

Mitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations

Mitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations

Mitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations

Digital Shadows

Watch Your Back: Let’s Talk Web Safety and Personal Identity Theft

Watch Your Back: Let’s Talk Web Safety and Personal Identity Theft

Watch Your Back: Let’s Talk Web Safety and Personal Identity Theft

Schipul - The Web Marketing Company

Secure coding checklist

Secure coding checklist

Secure coding checklist

Prabhanshu Saraswat

Security in Computing and IT

Security in Computing and IT

Security in Computing and IT

Sar writingv2

Todd Benson (I.T. SPECIALIST and I.T. SECURITY)

Mais procurados (20)

Web server security challenges

Web server security challenges

Web server security challenges

Introduction to Web Server Security

Introduction to Web Server Security

Introduction to Web Server Security

Web Server Security Guidelines

Web Server Security Guidelines

Web Server Security Guidelines

Hass and associates cyber security

Hass and associates cyber security

Hass and associates cyber security

Ch # 10 computer security risks and safe guards

Ch # 10 computer security risks and safe guards

Ch # 10 computer security risks and safe guards

Web Server Web Site Security

Web Server Web Site Security

Web Server Web Site Security

Client /server security overview

Client /server security overview

Client /server security overview

Web security

KeystrokeGuard_Presentation_20141024

KeystrokeGuard_Presentation_20141024

KeystrokeGuard_Presentation_20141024

Viruses, Biometrics, Encryption

Viruses, Biometrics, Encryption

Viruses, Biometrics, Encryption

Top 10 web server security flaws

Top 10 web server security flaws

Top 10 web server security flaws

Possible security issues with data

Possible security issues with data

Possible security issues with data

Attack chaining for web exploitation

Attack chaining for web exploitation

Attack chaining for web exploitation

Web Application Security

Web Application Security

Web Application Security

assign3.docx

Mitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations

Mitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations

Mitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations

Watch Your Back: Let’s Talk Web Safety and Personal Identity Theft

Watch Your Back: Let’s Talk Web Safety and Personal Identity Theft

Watch Your Back: Let’s Talk Web Safety and Personal Identity Theft

Secure coding checklist

Secure coding checklist

Secure coding checklist

Security in Computing and IT

Security in Computing and IT

Security in Computing and IT

Sar writingv2

Destaque

3Com JE015A

Proyecto jelitza moreira

Proyecto jelitza moreira

Proyecto jelitza moreira

Actividad no. 8 carlos h. muñoz.

Actividad no. 8 carlos h. muñoz.

Actividad no. 8 carlos h. muñoz.

3Com JD008A

3Com 3C17512

5.05 eng

Robert Phillips

Ericsson SXK 109 1293/1

Ericsson SXK 109 1293/1

Ericsson SXK 109 1293/1

Portfolio

Historia del Arte 2

Historia del Arte 2

Historia del Arte 2

Destaque (9)

3Com JE015A

Proyecto jelitza moreira

Proyecto jelitza moreira

Proyecto jelitza moreira

Actividad no. 8 carlos h. muñoz.

Actividad no. 8 carlos h. muñoz.

Actividad no. 8 carlos h. muñoz.

3Com JD008A

3Com 3C17512

5.05 eng

Ericsson SXK 109 1293/1

Ericsson SXK 109 1293/1

Ericsson SXK 109 1293/1

Portfolio

Historia del Arte 2

Historia del Arte 2

Historia del Arte 2

Semelhante a Slow Down Online Guessing Attacks with Device Cookies

IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...

IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...

IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...

As the industry’s first Secure Internet Gateway in the cloud, Cisco Umbrella provides the first line of defense against threats on the internet, protecting all your users within minutes. Cisco Advanced Malware Protection offers global threat intelligence, advanced sandboxing and real-time malware blocking to prevent breaches while it continuously analyzes file activity across your network, so that you can quickly detect, contain and remove advanced malware. Presentation of Cisco Security Architecture and Solutions such as Cisco Advanced Malware Protection (AMP) and Cisco Umbrella during Simplex-Cisco Technology Session that took place at the Londa Hotel in Limassol on 14 March 2018.

Cisco Security Presentation

Cisco Security Presentation

Cisco Security Presentation

Today, a large number of people access internet through their smart phones to login to their bank accounts, social networking accounts and various other blogs. In such a scenario, user authentication has emerged as a major security issue in mobile internet. To date, password based authentication schemes have been extensively used to provide authentication and security. The password based authentication has always been cumbersome for the users because human memory is transient and remembering a large number of long and complicated passwords is impossible. Also, it is vulnerable to various kinds of attacks like brute force, rainbow table, dictionary, sniffing, shoulder surfing and so on. As the main contribution of this paper, a new passwordless authentication scheme for smart phones is presented which not only resolves all the weaknesses of password based schemes but also provide robust security. The proposed scheme relieves users from memorizing and storing long and complicated passwords. The proposed scheme uses ECDSA which is based on Elliptic Curve Cryptography (ECC). ECC has remarkable strength and efficiency advantages in terms of bandwidth, key sizes and computational overheads over other public key cryptosystems. It is therefore suitable for resource constraint devices like smart phone. Furthermore, the proposed scheme incorporate CAPTCHA which play a very important role in protecting the web resources from spamming and other malicious activities. To the best of our knowledge, until now no passwordless user authentication protocol based on ECC has been proposed for smart phones. Finally, the security and functionality analysis shows that compared with existing password based authentication schemes, the proposed scheme is more secure and efficient.

A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...

A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...

A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...

E banking security

E banking security

E banking security

BIOMETRYsso

BIOMETRY.com AG

International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.

Cw4201656660

AppLocker, Windows Information Protection, Device Guard, Windows Defender Application Guard- there are many ways to secure Windows 10. Not all ways are compatible with Enterprise requirements. In the session, we will have a look at what we are able to do and I will add some experiences from the field about what works well and what doesn’t. In addition, we will check how ConfigMgr can support us.

Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...

Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...

Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...

Alexander Benoit

Operations security (OPSEC)

Operations security (OPSEC)

Operations security (OPSEC)

AI is the simulation of human intelligence processes by machines, especially computer systems. These processes include learning, reasoning, and self-correction. Integrating it with Cybersecurity is beneficial because it improves how security experts analyze, study, and understand cyber-crime. In this talk, we will discuss & explain AI and how to integrate it with Cybersecurity to detect many types of attacks. The talk will cover many applications in Cybersecurity in which we can apply AI to improve those applications. Finally, I will present a demo on how to build your development environment with some scripting examples.

The good, the bad, and the ugly on integration ai with cybersecurity

The good, the bad, and the ugly on integration ai with cybersecurity

The good, the bad, and the ugly on integration ai with cybersecurity

Mohammad Khreesha

Time based security for cloud computing

Time based security for cloud computing

Time based security for cloud computing

Jorge Sebastiao

The Immune System of Internet

The Immune System of Internet

The Immune System of Internet

USER AUTHENTICATION DEFENSE AGAINST ONLINE DICTIONARY ATTACKS

USER AUTHENTICATION DEFENSE AGAINST ONLINE DICTIONARY ATTACKS

USER AUTHENTICATION DEFENSE AGAINST ONLINE DICTIONARY ATTACKS

How to 2FA-enable Open Source Applications (Extended Session) Presented at: Open Source 101 at Home 2020 Presented by: Mike Schwartz, Gluu Abstract: Your organization loves open source tools like Wordpress, SuiteCRM, NextCloud, RocketChat, and OnlyOffice... but most of these tools are protected with plain old passwords. You want to use two-factor authentication... but how? In this workshop, you'll learn: - Which 2FA technologies can be used without paying a license; - How to enable users to enroll and delete 2FA credentials; - How to configure open source applications to act as a federated relying party--delegating authentication to a central service - How custom applications can act as a federated relying party

How to 2FA-enable Open Source Applications

How to 2FA-enable Open Source Applications

How to 2FA-enable Open Source Applications

All Things Open

2018 android-security-udacity-morrison chang

2018 android-security-udacity-morrison chang

2018 android-security-udacity-morrison chang

IT109 Microsoft Windows 7 Operating Systems Unit 07 lesson 10

IT109 Microsoft Windows 7 Operating Systems Unit 07 lesson 10

IT109 Microsoft Windows 7 Operating Systems Unit 07 lesson 10

Mobile App Security: Enterprise Checklist

Mobile App Security: Enterprise Checklist

Mobile App Security: Enterprise Checklist

Jignesh Solanki

Google & FIDO Authentication

Google & FIDO Authentication

Google & FIDO Authentication

Windows network security

Windows network security

Windows network security

Information Technology

Key logger,Why? and How to prevent Them?

Key logger,Why? and How to prevent Them?

Key logger,Why? and How to prevent Them?

Real-time Phishing Attack Detection using ML  - Abdul Ghani

Real-time Phishing Attack Detection using ML  - Abdul Ghani

Real-time Phishing Attack Detection using ML  - Abdul Ghani

Semelhante a Slow Down Online Guessing Attacks with Device Cookies (20)

IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...

IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...

IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...

Cisco Security Presentation

Cisco Security Presentation

Cisco Security Presentation

A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...

A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...

A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...

E banking security

E banking security

E banking security

BIOMETRYsso

Cw4201656660

Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...

Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...

Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...

Operations security (OPSEC)

Operations security (OPSEC)

Operations security (OPSEC)

The good, the bad, and the ugly on integration ai with cybersecurity

The good, the bad, and the ugly on integration ai with cybersecurity

The good, the bad, and the ugly on integration ai with cybersecurity

Time based security for cloud computing

Time based security for cloud computing

Time based security for cloud computing

The Immune System of Internet

The Immune System of Internet

The Immune System of Internet

USER AUTHENTICATION DEFENSE AGAINST ONLINE DICTIONARY ATTACKS

USER AUTHENTICATION DEFENSE AGAINST ONLINE DICTIONARY ATTACKS

USER AUTHENTICATION DEFENSE AGAINST ONLINE DICTIONARY ATTACKS

How to 2FA-enable Open Source Applications

How to 2FA-enable Open Source Applications

How to 2FA-enable Open Source Applications

2018 android-security-udacity-morrison chang

2018 android-security-udacity-morrison chang

2018 android-security-udacity-morrison chang

IT109 Microsoft Windows 7 Operating Systems Unit 07 lesson 10

IT109 Microsoft Windows 7 Operating Systems Unit 07 lesson 10

IT109 Microsoft Windows 7 Operating Systems Unit 07 lesson 10

Mobile App Security: Enterprise Checklist

Mobile App Security: Enterprise Checklist

Mobile App Security: Enterprise Checklist

Google & FIDO Authentication

Google & FIDO Authentication

Google & FIDO Authentication

Windows network security

Windows network security

Windows network security

Key logger,Why? and How to prevent Them?

Key logger,Why? and How to prevent Them?

Key logger,Why? and How to prevent Them?

Real-time Phishing Attack Detection using ML  - Abdul Ghani

Real-time Phishing Attack Detection using ML  - Abdul Ghani

Real-time Phishing Attack Detection using ML  - Abdul Ghani

Último

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf

introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf

introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf

VishalKumarJha10

Investing in AI transformation today The modern business advantage: Uncovering deep insights with AI Organizations around the world have come to recognize AI as the transformative technology that enables them to gain real business advantage. AI’s ability to organize vast quantities of data allows those who implement it to uncover deep business insights, augment human expertise, drive operational efficiency, transform their products, and better serve their customers

Microsoft AI Transformation Partner Playbook.pdf

Microsoft AI Transformation Partner Playbook.pdf

Microsoft AI Transformation Partner Playbook.pdf

Willy Marroquin (WillyDevNET)

10 Trends Likely to Shape Enterprise Technology in 2024

10 Trends Likely to Shape Enterprise Technology in 2024

10 Trends Likely to Shape Enterprise Technology in 2024

Mind IT Systems

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

We specialize in Psychic Readings, Psychic Love Spells, Binding Love Spells, Obsession Spells, Voodoo Spells, Lottery Spells, Marriage Spells, Black Magic Spells, Palm Readings & much more. Are you depressed? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? Do u need to solve any relationship problem? Contact the powerful spells caster chief kule with love spells that work overnight and love spells that really work. Have you found yourself infatuated with a special someone you think could be the one? Are you looking for a spell to provide them with a nudge in the right direction? Or maybe the spell you cast didn’t achieve the results you were hoping for? Whether you’re new or versed in the ways of spell casting, we’re here to help. Today we’re going to provide you with a detailed guide on the types of love spells to cast. Not only that but there’s something for those who wish to find outside advice from more advanced spell casters. We’re also going to provide you with the top sites available to help you with your dilemma. Let’s begin our journey by educating ourselves on love magic and what a real love caster looks like. Love Magic and Love Casters Love magic made its first appearance back in Ancient Egypt and has been an active practice since. This type of magic is a branch of traditional magic and can be practiced in various ways. Typically the more common use of love magic is through the work of spells, but other methods look like Charms Rituals-LOVE Potions-Dolls and even Amulets If you are interested in becoming a love caster, be prepared for what’s to come. A genuine love caster knows that the art of love casting is no easy feat and shouldn’t be done casually. You should know that not only does it require you to be gifted spiritually, but you must be ready to serve others. Someone who is considered a real love caster has experience in all manner of spells, no matter the difficulty. Training yourself in attraction, commitment, and marriage spells is an excellent place to start. But this by no means will make you a professional. Practice your craft and expand your knowledge; understand that you will possess the ability to help others in time truly. Types of Love Spells What better way to start broadening your experiences with love spells than by learning more about them? These spells work like just about any other spell. Simply apply your intention, use a medium (sigils, mantras, candles, or charm bags), and top it off with establishing the belief that you will receive what you want. So what kind of spells are available and which ones suit your needs the best? Let’s take a look at the many options you have at your disposal.

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

Data spaces in distributed environments should be allowed to evolve in agile ways providing data space owners with large flexibility about which data they store. Agility and heterogeneity, however, jeopardize data exchanges because representations may build on varying ontologies and data consumers may not rely on the semantic correctness of their queries in the context of semantically heterogeneous, evolving data spaces. Graph data spaces are one example of a powerful model for representing and querying data whose semantics may change over time. To assert and enforce conditions on individual graph data spaces, shape languages (e.g SHACL) have been developed. We investigate the question of how querying and programming can be guarded by reasoning over SHACL constraints in a distributed setting and we sketch a picture of how a future landscape based on semantically heterogeneous data spaces might look like.

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Generic or specific? Making sensible software design decisions

Generic or specific? Making sensible software design decisions

Generic or specific? Making sensible software design decisions

Bert Jan Schrijver

VTU technical seminar 8Th Sem on Scikit-learn

VTU technical seminar 8Th Sem on Scikit-learn

VTU technical seminar 8Th Sem on Scikit-learn

AmarnathKambale

Technology has taken up space all over the world. From generating content with a single command on ChatGPT to getting your food served by Robots at your favorite restaurant, artificial advancements have ruled every space. Every industry is set to develop top-notch technology in every sector; finance, IT, healthcare, gaming, and banking, with competitive market standards. One of these rapidly growing industries is Mobile App Development. According to the Straits Research report, it is expected to reach USD 583.03 billion at a CAGR OF 12.8% between (2022 and 2030). It clearly shows how mobile app development has become an integral part of the digital landscape and revolutionized technology.

The Top App Development Trends Shaping the Industry in 2024-25 .pdf

The Top App Development Trends Shaping the Industry in 2024-25 .pdf

The Top App Development Trends Shaping the Industry in 2024-25 .pdf

%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview

%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview

%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview

Craft an AI & Machine Learning Pitch with our Editable Professional PowerPoint Template. Ignite your AI & Machine Learning pitch with our cutting-edge PowerPoint template tailored for the industry. Perfect for AI conferences, investor presentations, sales pitches to tech-focused companies, training sessions, and educational programs. - 20+ editable slides: Get a variety of options to choose from for your presentation. - Time-saving solution: Download, replace text/images with a few clicks. - User-friendly customization: Easy to use and personalize. - Modern and attractive design: Captivating visuals, sleek layout. - Tailored to your requirements: Fully alterable for customization. - Well-organized slides: Complete control over content. - Thematic specificity: Reflects healthcare industry with relevant graphics. - Showcase your business idea: Communicate value proposition effectively.

AI & Machine Learning Presentation Template

AI & Machine Learning Presentation Template

AI & Machine Learning Presentation Template

Presentation.STUDIO

8257 interfacing 2 in microprocessor for btech students

8257 interfacing 2 in microprocessor for btech students

8257 interfacing 2 in microprocessor for btech students

%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein

%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein

%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein

%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg

%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg

%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg

Último (20)

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf

introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf

introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf

Microsoft AI Transformation Partner Playbook.pdf

Microsoft AI Transformation Partner Playbook.pdf

Microsoft AI Transformation Partner Playbook.pdf

10 Trends Likely to Shape Enterprise Technology in 2024

10 Trends Likely to Shape Enterprise Technology in 2024

10 Trends Likely to Shape Enterprise Technology in 2024

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Generic or specific? Making sensible software design decisions

Generic or specific? Making sensible software design decisions

Generic or specific? Making sensible software design decisions

VTU technical seminar 8Th Sem on Scikit-learn

VTU technical seminar 8Th Sem on Scikit-learn

VTU technical seminar 8Th Sem on Scikit-learn

The Top App Development Trends Shaping the Industry in 2024-25 .pdf

The Top App Development Trends Shaping the Industry in 2024-25 .pdf

The Top App Development Trends Shaping the Industry in 2024-25 .pdf

%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview

%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview

%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview

AI & Machine Learning Presentation Template

AI & Machine Learning Presentation Template

AI & Machine Learning Presentation Template

8257 interfacing 2 in microprocessor for btech students

8257 interfacing 2 in microprocessor for btech students

8257 interfacing 2 in microprocessor for btech students

%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein

%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein

%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein

%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg

%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg

%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg

Slow Down Online Guessing Attacks with Device Cookies

1. Slow Down Online Guessing Attacks with Device Cookies Anton Dedov OWASP Russia Meetup #6, 2017

2. Anton Dedov Security Architect Odin / Ingram Micro adedov@gmail.com @brutemorse

3. Intro: Online guessing attacks

7. Attacker goals Password for specific account Password for any account in a system Password for any account in any system

8. Threats for Authentication Online attacks Offline attacks Password leaks

9. App user : password1 Online guessing attacks user : password2 user : password3 ...

10. Authentication attacks: Mitigations M-FA / M-Step UX! Password policy Magic 106 Rate limiting  Authentication parameters e.g. time, location, etc. Monitoring e.g. haveibeenpwned.com

11. © Cormac Herley et al. An Administrator’s Guide to Internet Password Research

12. Rate limiting CAPTCHA Account lockout Exponential timeouts Proof of work

13. Account lockout: simple math 5 attempts ⇒ 20 min. lockout 131400 attempts/year

14. Account lockout Lock account Effective Easy DoS Lock (account, IP) Somewhat DoS mitigation Botnets Proxies IPv6 DoS as a collateral damage

15. Device Cookie Distinguish known clients from unknown ones

16.

17.

18. App Lockout all unknown devices at once Lockout individual user per device cookie user : password user : password Device Cookie

19. Set-Cookie: KnownDevice= LOGIN|NONCE|HMAC(secret-key,LOGIN|NONCE)

20. Set-Cookie: KnownDevice=JWT { "alg": "HS256", "typ": "JWT” } . { "aud": "device-cookie", "sub": "adedov@odin.com", "jti": "40e2a97a2ab37406” }

21. Threats & Mitigations Threat Mitigation Online attack against one user Password policy Online attack using stolen device cookies Limited, prevent cookie leaks Online attack against multiple users Not mitigated Spoof device cookie Crypto Tamper with existing device cookie Crypto DoS for specific account OOB device cookie issue DoS for specific account when client is used by different accounts Device cookies per account

22. Implementation recommendations Use good crypto, like HMAC-SHA2 or signed JWT. Prevent cookie leakage with Secure & HttpOnly flags. Issue cookie for valid reset password link. Issue new device cookie after each successful login. Include user ID into cookie name (privacy concerns?).

23. References OWASP: Slow Down Online Guessing Attacks with Device Cookies PasswordsCon, and specific talks from PasswordsCon 14: • Marc Hause talk Online Password Attacks • Alec Muffet talk Facebook Password Hashigh & Authentication An Administrator’s Guide to Internet Password Research