Discover and read the best of Twitter Threads about #usesec19
Most recents (4)
Last in this session at #usesec19: "The Web's Identity Crisis: Understanding the Effectiveness of Website Identity Indicators" by Christopher Thompson, Martin Shelton, Emily Stark, Maximilian Walker, Emily Schechter, and Adrienne Porter Felt, Google
[ delay while they try to make the slides not trigger a seizure for anybody. ow. ]
This talk is about the problems we face in explaining website identity to users.
The principal form of website identity is like google.com
Also show extra information through Extended Validation certs, like show cert is associated with a legal entity
The principal form of website identity is like google.com
Also show extra information through Extended Validation certs, like show cert is associated with a legal entity
Next up at #usesec19: "Protecting accounts from credential stuffing with password breach alerting", Kurt Thomas speaking
Want to test this technology live? Download the Google password check extension from the Chrome store
Want to test this technology live? Download the Google password check extension from the Chrome store
Billions of credentials have become widely available. This makes trivial for attackers to access user accounts.
How do you protect the long-tail of sites across the web? Attackers have access to billions of usernames of passwords. User don't have resources to address this.
How do you protect the long-tail of sites across the web? Attackers have access to billions of usernames of passwords. User don't have resources to address this.
Bridging the knowledge gap, like "have I been pwned" site.
* But may not be accurate because only uses username.
* Privacy risk, even if sharing only SHA-1 hash of password -- what if the site is an attacker?
* But may not be accurate because only uses username.
* Privacy risk, even if sharing only SHA-1 hash of password -- what if the site is an attacker?
Next up at #usesec19 is Passwords: "Birthday, Name and Bifacial-security: Understanding Passwords of Chinese Web Users" by Ding Wang and Ping Wang, Peking University; Debiao He, Wuhan University; Yuan Tian, University of Virginia
Turns out that the passwords of Chinese users are really different than English-speaking user passwords, which means that we may need different protection mechanisms.
Passwords are influenced by one's native language. Unfortunately most studies are performed in English.
Passwords are influenced by one's native language. Unfortunately most studies are performed in English.
Used 9 password datasets from high-profile sites which were breached (6 Chinese, 3 English) across different types of sites (gaming, dev forum)
Next up at #usesec19: Yueqi Chen will speak about "Toward the Detection of Inconsistencies in Public Security Vulnerability Reports"
Challenges Faced by Security Operations Engineer:
1. Keep an eye on new vulns that affect their systems
2. Patch vulnerable software as soon as possible
1. Keep an eye on new vulns that affect their systems
2. Patch vulnerable software as soon as possible
So you check NVD, CVE, other databases like Exploit Database, Security Focus, Red Hat bugnzilla...
