<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
  xmlns:content="http://purl.org/rss/1.0/modules/content/"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
  xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
  <channel>
    <title>Chaos Computer Club - German OWASP Day 2024 (low quality webm)</title>
    <link>https://media.ccc.de/c/god2024</link>
    <description>This feed contains all events from god2024 as webm</description>
    <copyright>see video outro</copyright>
    <lastBuildDate>Thu, 23 Jan 2025 18:45:44 -0000</lastBuildDate>
    <image>
      <url>https://static.media.ccc.de/media/events/god/2024/logo.jpg</url>
      <title>Chaos Computer Club - German OWASP Day 2024 (low quality webm)</title>
      <link>https://media.ccc.de/c/god2024</link>
    </image>
    <item>
      <title>Closing (god2024)</title>
      <link>https://media.ccc.de/v/god2024-56287-closing</link>
      <description>Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</description>
      <enclosure url="https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56287-eng-Closing_webm-sd.webm"
        length="13631488"
        type="video/webm"/>
      <pubDate>Wed, 13 Nov 2024 17:25:00 +0100</pubDate>
      <guid isPermaLink="true">https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56287-eng-Closing_webm-sd.webm?1731517252</guid>
      <dc:identifier>53320cbf-383d-4103-a809-b225ca1ae27d</dc:identifier>
      <dc:date>2024-11-13T17:25:00+01:00</dc:date>
      <itunes:author>OWASP German Chapter</itunes:author>
      <itunes:explicit>No</itunes:explicit>
      <itunes:keywords>56287, god2024, god2024, OWASP, Saal 1, 2024, Day 1</itunes:keywords>
      <itunes:summary>Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</itunes:summary>
      <itunes:duration>00:04:01</itunes:duration>
    </item>
    <item>
      <title>Modern solutions against Cross-Site Attacks (god2024)</title>
      <link>https://media.ccc.de/v/god2024-56286-modern-solutions-against-c</link>
      <description>Web security is increasingly an opt-in approach, leaving developers with both the opportunity and the responsibility to protect their applications. This talk will explore why and how developers can secure their sites against evolving threats.

We&#39;ll delve into the nuances of cross-site leaks (xs-leaks) and discuss the Cross-Origin Resource Policy (CORP) as well as the abstractions provided by. Learn how these tools can empower you to build custom defenses and proactively safeguard your web applications.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</description>
      <enclosure url="https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56286-eng-Modern_solutions_against_Cross-Site_Attacks_webm-sd.webm"
        length="63963136"
        type="video/webm"/>
      <pubDate>Wed, 13 Nov 2024 17:00:00 +0100</pubDate>
      <guid isPermaLink="true">https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56286-eng-Modern_solutions_against_Cross-Site_Attacks_webm-sd.webm?1731517694</guid>
      <dc:identifier>f5faa8fc-8506-46c9-bce0-51bbd85a0898</dc:identifier>
      <dc:date>2024-11-13T17:00:00+01:00</dc:date>
      <itunes:author>Frederik Braun</itunes:author>
      <itunes:explicit>No</itunes:explicit>
      <itunes:keywords>56286, god2024, god2024, OWASP, Saal 1, 2024, Day 1</itunes:keywords>
      <itunes:summary>Web security is increasingly an opt-in approach, leaving developers with both the opportunity and the responsibility to protect their applications. This talk will explore why and how developers can secure their sites against evolving threats.

We&#39;ll delve into the nuances of cross-site leaks (xs-leaks) and discuss the Cross-Origin Resource Policy (CORP) as well as the abstractions provided by. Learn how these tools can empower you to build custom defenses and proactively safeguard your web applications.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</itunes:summary>
      <itunes:duration>00:27:11</itunes:duration>
    </item>
    <item>
      <title>Double-Edged Crime: How Browser Extension Fingerprinting Might Endanger Users and Extensions Alike (god2024)</title>
      <link>https://media.ccc.de/v/god2024-56283-double-edged-crime-how-bro</link>
      <description>Browser extensions are powerful tools that enhance the web browsing experience, offering their users a wide range of functionalities. However, these features can also introduce security and privacy issues for their users, mainly through a technique known as extension fingerprinting — where malicious websites track users based on the extensions they have installed. This is particularly interesting since many websites rely on advertising-based revenue for their existence, and the cookie-less form of tracking is also increasingly getting traction on the Web. Popular libraries such as FingerprintJS and Castle have already incorporated extensions as identifiable sources in their armor.

In this talk, we will present the growing threat of browser extension fingerprinting, shedding light on how extensions can inadvertently expose both users and the extension to certain risks. Our recent research uncovers that over 3,000 Chrome and Firefox extensions are vulnerable to fingerprinting through techniques such as JavaScript namespace pollution and other observable side effects despite existing defense mechanisms [1].

The audience will take away the following:

    What are some of the ways by which browser extensions can be fingerprinted.
    The risks for both user privacy and extensions&#39; behavior.
    Insights from recent research on vulnerable extensions.
    Potential strategies to mitigate fingerprinting risks.
    And, of course, how to keep your extensions from being the &quot;most wanted&quot; on the Web!

[1] Agarwal, Shubham, Aurore Fass, and Ben Stock. &quot;Peeking through the window: Fingerprinting Browser Extensions through Page-Visible Execution Traces and Interactions.&quot; (To appear at) Proceedings of the 31st ACM SIGSAC Conference on Computer and Communications Security. 2024.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</description>
      <enclosure url="https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56283-eng-Double-Edged_Crime_How_Browser_Extension_Fingerprinting_Might_Endanger_Users_and_Extensions_Alike_webm-sd.webm"
        length="56623104"
        type="video/webm"/>
      <pubDate>Wed, 13 Nov 2024 16:35:00 +0100</pubDate>
      <guid isPermaLink="true">https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56283-eng-Double-Edged_Crime_How_Browser_Extension_Fingerprinting_Might_Endanger_Users_and_Extensions_Alike_webm-sd.webm?1731515651</guid>
      <dc:identifier>e1d77911-dc73-45b3-aebd-b06a56680d30</dc:identifier>
      <dc:date>2024-11-13T16:35:00+01:00</dc:date>
      <itunes:author>Shubham Agarwal</itunes:author>
      <itunes:explicit>No</itunes:explicit>
      <itunes:keywords>56283, god2024, god2024, OWASP, Saal 1, 2024, Day 1</itunes:keywords>
      <itunes:summary>Browser extensions are powerful tools that enhance the web browsing experience, offering their users a wide range of functionalities. However, these features can also introduce security and privacy issues for their users, mainly through a technique known as extension fingerprinting — where malicious websites track users based on the extensions they have installed. This is particularly interesting since many websites rely on advertising-based revenue for their existence, and the cookie-less form of tracking is also increasingly getting traction on the Web. Popular libraries such as FingerprintJS and Castle have already incorporated extensions as identifiable sources in their armor.

In this talk, we will present the growing threat of browser extension fingerprinting, shedding light on how extensions can inadvertently expose both users and the extension to certain risks. Our recent research uncovers that over 3,000 Chrome and Firefox extensions are vulnerable to fingerprinting through techniques such as JavaScript namespace pollution and other observable side effects despite existing defense mechanisms [1].

The audience will take away the following:

    What are some of the ways by which browser extensions can be fingerprinted.
    The risks for both user privacy and extensions&#39; behavior.
    Insights from recent research on vulnerable extensions.
    Potential strategies to mitigate fingerprinting risks.
    And, of course, how to keep your extensions from being the &quot;most wanted&quot; on the Web!

[1] Agarwal, Shubham, Aurore Fass, and Ben Stock. &quot;Peeking through the window: Fingerprinting Browser Extensions through Page-Visible Execution Traces and Interactions.&quot; (To appear at) Proceedings of the 31st ACM SIGSAC Conference on Computer and Communications Security. 2024.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</itunes:summary>
      <itunes:duration>00:23:43</itunes:duration>
    </item>
    <item>
      <title>Protecting Web Applications with Project Foxhound (god2024)</title>
      <link>https://media.ccc.de/v/god2024-56282-protecting-web-application</link>
      <description>Recent developments in web technologies have seen a paradigm shift from monolithic server-based applications to REST-based microservices with feature-rich browser-based frontends. This progression has brought with it novel classes of security flaws. In this talk we review how client-side variants of injection vulnerabilities such as cross-site scripting (XSS), cross-site request forgery (CSRF) and the recently discovered client-side request hijacking arise, and how traditional defense mechanisms are ineffective. We summarize recent research in this area which shows that such issues are widespread and can have a diverse range of consequences.

We go on to show how dynamic taint-tracking has proved to be an effective technique for the discovery of vulnerabilities in client-side JavaScript. The initial overhead in implementing tainting is, however, extremely high, as it typically involves delving into the inner workings of modern web browsers and JavaScript interpreters. We show how Project Foxhound (https://github.com/SAP/project-foxhound/) can help to reduce this burden by providing a flexible, open-source tool which can be fully integrated into browser automation frameworks such as Playwright. Foxhound is gaining traction in the community as the go-to tool for client-side vulnerability studies.

We finish the talk by showing how Foxhound can also be used in privacy studies, an update on upcoming features, and how the community uses and contributes to the project to help build a safer web!

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</description>
      <enclosure url="https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56282-eng-Protecting_Web_Applications_with_Project_Foxhound_webm-sd.webm"
        length="25165824"
        type="video/webm"/>
      <pubDate>Wed, 13 Nov 2024 16:25:00 +0100</pubDate>
      <guid isPermaLink="true">https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56282-eng-Protecting_Web_Applications_with_Project_Foxhound_webm-sd.webm?1731514135</guid>
      <dc:identifier>aa6a62cf-f0b8-472f-90a4-4abb2e96a928</dc:identifier>
      <dc:date>2024-11-13T16:25:00+01:00</dc:date>
      <itunes:author>Thomas Barber</itunes:author>
      <itunes:explicit>No</itunes:explicit>
      <itunes:keywords>56282, god2024, god2024, OWASP, Saal 1, 2024, Day 1</itunes:keywords>
      <itunes:summary>Recent developments in web technologies have seen a paradigm shift from monolithic server-based applications to REST-based microservices with feature-rich browser-based frontends. This progression has brought with it novel classes of security flaws. In this talk we review how client-side variants of injection vulnerabilities such as cross-site scripting (XSS), cross-site request forgery (CSRF) and the recently discovered client-side request hijacking arise, and how traditional defense mechanisms are ineffective. We summarize recent research in this area which shows that such issues are widespread and can have a diverse range of consequences.

We go on to show how dynamic taint-tracking has proved to be an effective technique for the discovery of vulnerabilities in client-side JavaScript. The initial overhead in implementing tainting is, however, extremely high, as it typically involves delving into the inner workings of modern web browsers and JavaScript interpreters. We show how Project Foxhound (https://github.com/SAP/project-foxhound/) can help to reduce this burden by providing a flexible, open-source tool which can be fully integrated into browser automation frameworks such as Playwright. Foxhound is gaining traction in the community as the go-to tool for client-side vulnerability studies.

We finish the talk by showing how Foxhound can also be used in privacy studies, an update on upcoming features, and how the community uses and contributes to the project to help build a safer web!

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</itunes:summary>
      <itunes:duration>00:11:31</itunes:duration>
    </item>
    <item>
      <title>SSRF: Attacks, Defense and Status Quo (god2024)</title>
      <link>https://media.ccc.de/v/god2024-56281-ssrf-attacks-defense-and-s</link>
      <description>Web apps use Server-Side Requests to request data from other servers, e.g., for link previews. However, they are exploited by attackers who might request internal resources or non-public services. This attack is called Server-Side Request Forgery (SSRF).

The talk explains what SSRF is, how it can be used to exploit servers, and how to defend against it, which is surprisingly complex.

Finally, we will discuss our research on the prevalence of countermeasures in the wild.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</description>
      <enclosure url="https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56281-eng-SSRF_Attacks_Defense_and_Status_Quo_webm-sd.webm"
        length="24117248"
        type="video/webm"/>
      <pubDate>Wed, 13 Nov 2024 16:15:00 +0100</pubDate>
      <guid isPermaLink="true">https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56281-eng-SSRF_Attacks_Defense_and_Status_Quo_webm-sd.webm?1731513516</guid>
      <dc:identifier>38ba35b7-c49c-47ea-b04e-c9c247af6e76</dc:identifier>
      <dc:date>2024-11-13T16:15:00+01:00</dc:date>
      <itunes:author>Malte Wessels</itunes:author>
      <itunes:explicit>No</itunes:explicit>
      <itunes:keywords>56281, god2024, god2024, OWASP, Saal 1, 2024, Day 1</itunes:keywords>
      <itunes:summary>Web apps use Server-Side Requests to request data from other servers, e.g., for link previews. However, they are exploited by attackers who might request internal resources or non-public services. This attack is called Server-Side Request Forgery (SSRF).

The talk explains what SSRF is, how it can be used to exploit servers, and how to defend against it, which is surprisingly complex.

Finally, we will discuss our research on the prevalence of countermeasures in the wild.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</itunes:summary>
      <itunes:duration>00:10:25</itunes:duration>
    </item>
    <item>
      <title>„Well, What Would You Say if I Said That You Could?” – Scanning for Vulnerabilities Without Getting Into Trouble (god2024)</title>
      <link>https://media.ccc.de/v/god2024-56279-well-what-would-you-say-if</link>
      <description>The need for comprehensive measurements of security and privacy risks on the Web is undeniable, as it helps developers in focusing on emerging trends in security. However, large-scale scans for server-side vulnerabilities remain a sensitive topic, due to their potential to harm servers, disrupt services, and incur financial losses. Even smaller, singular tests can be controversial, as demonstrated by incidents like the CSU scandal around Lilith Wittmann in 2021 or the Modern Solution case in 2023. The gray area surrounding the legality, ethics, and industry perspectives on server-side scanning has led to hesitancy among researchers and ethical hackers, creating a critical gap in our understanding of how to conduct such scans responsibly.

In this talk, we investigate and interactively discuss the murky boundaries of vulnerability scanning by exploring five typical scanning scenarios that researchers face on the Web. We give insights into 23 in-depth interviews we conducted with legal experts, research ethics committee members, and website/server operators to identify what types of scanning practices are acceptable and where the red lines are drawn. We further substantiate these insights with findings from an online survey conducted with 119 server operators.

Attendees will gain great insights into the current state of Web scanning, including the lack of judicial clarity and the ethical dilemmas researchers and ethical hackers face. This interactive session also offers a platform for audience members to challenge their own understanding of ethics, share opinions, and contribute to shaping the future of responsible Web security scans.

In this talk, the audience will:

    Get an in-depth understanding of the legal and ethical challenges associated with large-scale server-side scanning research.
    Learn current best practices for conducting responsible Web security scans (at scale).
    See firsthand insights from legal experts, ethics committees, and operators on acceptable security research practices.
    Get an opportunity to engage in an interactive discussion to voice opinions and help influence future research

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</description>
      <enclosure url="https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56279-eng-Well_What_Would_You_Say_if_I_Said_That_You_Could_-_Scanning_for_Vulnerabilities_Without_Getting_Into_Trouble_webm-sd.webm"
        length="63963136"
        type="video/webm"/>
      <pubDate>Wed, 13 Nov 2024 14:55:00 +0100</pubDate>
      <guid isPermaLink="true">https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56279-eng-Well_What_Would_You_Say_if_I_Said_That_You_Could_-_Scanning_for_Vulnerabilities_Without_Getting_Into_Trouble_webm-sd.webm?1731512202</guid>
      <dc:identifier>fc198c3e-aa26-4d94-a491-a5e5851a6474</dc:identifier>
      <dc:date>2024-11-13T14:55:00+01:00</dc:date>
      <itunes:author>Florian Hantke, Sebastian Roth</itunes:author>
      <itunes:explicit>No</itunes:explicit>
      <itunes:keywords>56279, god2024, god2024, OWASP, Saal 1, 2024, Day 1</itunes:keywords>
      <itunes:summary>The need for comprehensive measurements of security and privacy risks on the Web is undeniable, as it helps developers in focusing on emerging trends in security. However, large-scale scans for server-side vulnerabilities remain a sensitive topic, due to their potential to harm servers, disrupt services, and incur financial losses. Even smaller, singular tests can be controversial, as demonstrated by incidents like the CSU scandal around Lilith Wittmann in 2021 or the Modern Solution case in 2023. The gray area surrounding the legality, ethics, and industry perspectives on server-side scanning has led to hesitancy among researchers and ethical hackers, creating a critical gap in our understanding of how to conduct such scans responsibly.

In this talk, we investigate and interactively discuss the murky boundaries of vulnerability scanning by exploring five typical scanning scenarios that researchers face on the Web. We give insights into 23 in-depth interviews we conducted with legal experts, research ethics committee members, and website/server operators to identify what types of scanning practices are acceptable and where the red lines are drawn. We further substantiate these insights with findings from an online survey conducted with 119 server operators.

Attendees will gain great insights into the current state of Web scanning, including the lack of judicial clarity and the ethical dilemmas researchers and ethical hackers face. This interactive session also offers a platform for audience members to challenge their own understanding of ethics, share opinions, and contribute to shaping the future of responsible Web security scans.

In this talk, the audience will:

    Get an in-depth understanding of the legal and ethical challenges associated with large-scale server-side scanning research.
    Learn current best practices for conducting responsible Web security scans (at scale).
    See firsthand insights from legal experts, ethics committees, and operators on acceptable security research practices.
    Get an opportunity to engage in an interactive discussion to voice opinions and help influence future research

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</itunes:summary>
      <itunes:duration>00:27:07</itunes:duration>
    </item>
    <item>
      <title>SAP from an Attacker&#39;s Perspective – Common Vulnerabilities and Pitfalls (god2024)</title>
      <link>https://media.ccc.de/v/god2024-56278-sap-from-an-attackers-pers</link>
      <description>As organizations increasingly rely on SAP systems to manage critical business processes, the security of these environments is an increasing challenge for companies and has also been recognized by the OWASP Core Business Application Security (CBAS) project. This talk will explore the security of SAP systems from an attacker&#39;s perspective, uncovering common vulnerabilities and pitfalls and their respective impact. Drawing from extensive penetration testing experience, this presentation will provide a deep dive into how attackers might exploit SAP vulnerabilities and offer practical guidance on mitigating these threats.

We will begin by highlighting prevalent SAP vulnerabilities discovered during real-world pentesting engagements, covering key attack techniques used against SAP systems that exploit misconfigurations, insecure coding practices, and authentication flaws.

As an example, we will illustrate the configuration options of SNC, the proprietary protocol for transport layer encryption in SAP environments. Using the open-source tool sncscan, security professionals and administrators alike can assess the encryption and signing settings of SAP systems, ensuring the confidentiality and integrity of sensitive data.

The session will also provide actionable guidance on mitigating these vulnerabilities, focusing on best practices and tools that can significantly enhance the security posture of SAP systems. By raising awareness of common vulnerabilities and pitfalls we aim to empower security professionals and SAP administrators to better protect their systems against potential exploitation.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</description>
      <enclosure url="https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56278-eng-SAP_from_an_Attackers_Perspective_-_Common_Vulnerabilities_and_Pitfalls_webm-sd.webm"
        length="44040192"
        type="video/webm"/>
      <pubDate>Wed, 13 Nov 2024 14:30:00 +0100</pubDate>
      <guid isPermaLink="true">https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56278-eng-SAP_from_an_Attackers_Perspective_-_Common_Vulnerabilities_and_Pitfalls_webm-sd.webm?1731511375</guid>
      <dc:identifier>d5e8aa57-cb38-4ef6-ad4c-c46f3222396b</dc:identifier>
      <dc:date>2024-11-13T14:30:00+01:00</dc:date>
      <itunes:author>Nicolas Schickert, Tobias Hamann</itunes:author>
      <itunes:explicit>No</itunes:explicit>
      <itunes:keywords>56278, god2024, god2024, OWASP, Saal 1, 2024, Day 1</itunes:keywords>
      <itunes:summary>As organizations increasingly rely on SAP systems to manage critical business processes, the security of these environments is an increasing challenge for companies and has also been recognized by the OWASP Core Business Application Security (CBAS) project. This talk will explore the security of SAP systems from an attacker&#39;s perspective, uncovering common vulnerabilities and pitfalls and their respective impact. Drawing from extensive penetration testing experience, this presentation will provide a deep dive into how attackers might exploit SAP vulnerabilities and offer practical guidance on mitigating these threats.

We will begin by highlighting prevalent SAP vulnerabilities discovered during real-world pentesting engagements, covering key attack techniques used against SAP systems that exploit misconfigurations, insecure coding practices, and authentication flaws.

As an example, we will illustrate the configuration options of SNC, the proprietary protocol for transport layer encryption in SAP environments. Using the open-source tool sncscan, security professionals and administrators alike can assess the encryption and signing settings of SAP systems, ensuring the confidentiality and integrity of sensitive data.

The session will also provide actionable guidance on mitigating these vulnerabilities, focusing on best practices and tools that can significantly enhance the security posture of SAP systems. By raising awareness of common vulnerabilities and pitfalls we aim to empower security professionals and SAP administrators to better protect their systems against potential exploitation.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</itunes:summary>
      <itunes:duration>00:22:35</itunes:duration>
    </item>
    <item>
      <title>Network Fingerprinting for Securing User Accounts - Opportunities and Challenges (god2024)</title>
      <link>https://media.ccc.de/v/god2024-56277-network-fingerprinting-for</link>
      <description>Network fingerprinting has existed for a while, and some methods such as JA3 have achieved wide adoption across the industry. Introducing network fingerprinting into login flows can help you stave off attackers. However, there are various challenges that you need to overcome: technical, organizational and regulatory.

In this talk we will take a look at the opportunities that network fingerprinting provides us. We will go through the various challenges that can arise and discuss possible ways of tackling them. I will draw from insights gathered at 1&amp;1 Mail &amp; Media - the company behind web.de, GMX and mail.com.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</description>
      <enclosure url="https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56277-eng-Network_Fingerprinting_for_Securing_User_Accounts_-_Opportunities_and_Challenges_webm-sd.webm"
        length="63963136"
        type="video/webm"/>
      <pubDate>Wed, 13 Nov 2024 14:05:00 +0100</pubDate>
      <guid isPermaLink="true">https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56277-eng-Network_Fingerprinting_for_Securing_User_Accounts_-_Opportunities_and_Challenges_webm-sd.webm?1731507004</guid>
      <dc:identifier>b3d3e361-a623-4c26-94c1-5d7a2a94acea</dc:identifier>
      <dc:date>2024-11-13T14:05:00+01:00</dc:date>
      <itunes:author>Stephan Pinto Spindler</itunes:author>
      <itunes:explicit>No</itunes:explicit>
      <itunes:keywords>56277, god2024, god2024, OWASP, Saal 1, 2024, Day 1</itunes:keywords>
      <itunes:summary>Network fingerprinting has existed for a while, and some methods such as JA3 have achieved wide adoption across the industry. Introducing network fingerprinting into login flows can help you stave off attackers. However, there are various challenges that you need to overcome: technical, organizational and regulatory.

In this talk we will take a look at the opportunities that network fingerprinting provides us. We will go through the various challenges that can arise and discuss possible ways of tackling them. I will draw from insights gathered at 1&amp;1 Mail &amp; Media - the company behind web.de, GMX and mail.com.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</itunes:summary>
      <itunes:duration>00:25:00</itunes:duration>
    </item>
    <item>
      <title>The Debian OpenSSL bug and other Public Private Keys (god2024)</title>
      <link>https://media.ccc.de/v/god2024-56276-the-debian-openssl-bug-and</link>
      <description>In early 2024, hundreds of DKIM setups still used cryptographic keys vulnerable to a bug from 2008 in Debian&#39;s OpenSSL package. Vulnerable hosts included prominent names like Cisco, Oracle, Skype, and GitHub.

In 2022, it was discovered that printers generated TLS keys that could be trivially broken with an over 300-year-old algorithm by Pierre de Fermat.

Vulnerabilities in public/private key generation are amongst the most severe ones in cryptographic software. The speaker has developed the open-source tool badkeys, a tool to check cryptographic keys for known vulnerabilities. The talk will cover some of the findings and plans for future improvements in badkeys.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</description>
      <enclosure url="https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56276-eng-The_Debian_OpenSSL_bug_and_other_Public_Private_Keys_webm-sd.webm"
        length="56623104"
        type="video/webm"/>
      <pubDate>Wed, 13 Nov 2024 13:40:00 +0100</pubDate>
      <guid isPermaLink="true">https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56276-eng-The_Debian_OpenSSL_bug_and_other_Public_Private_Keys_webm-sd.webm?1731505122</guid>
      <dc:identifier>a308e387-da07-431e-b50a-04f06250d30e</dc:identifier>
      <dc:date>2024-11-13T13:40:00+01:00</dc:date>
      <itunes:author>Hanno Böck</itunes:author>
      <itunes:explicit>No</itunes:explicit>
      <itunes:keywords>56276, god2024, god2024, OWASP, Saal 1, 2024, Day 1</itunes:keywords>
      <itunes:summary>In early 2024, hundreds of DKIM setups still used cryptographic keys vulnerable to a bug from 2008 in Debian&#39;s OpenSSL package. Vulnerable hosts included prominent names like Cisco, Oracle, Skype, and GitHub.

In 2022, it was discovered that printers generated TLS keys that could be trivially broken with an over 300-year-old algorithm by Pierre de Fermat.

Vulnerabilities in public/private key generation are amongst the most severe ones in cryptographic software. The speaker has developed the open-source tool badkeys, a tool to check cryptographic keys for known vulnerabilities. The talk will cover some of the findings and plans for future improvements in badkeys.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</itunes:summary>
      <itunes:duration>00:21:50</itunes:duration>
    </item>
    <item>
      <title>GenAI im Threat Modeling (god2024)</title>
      <link>https://media.ccc.de/v/god2024-56285-genai-im-threat-modeling</link>
      <description>Many teams face the challenge of identifying relevant threats during threat modeling, especially when little security expertise is available. Selecting and assessing potential risks can be difficult for non-experts. This lightning talk shows how Generative AI (GenAI) can support this by suggesting threat scenarios based on existing data and models and by helping to make initial decisions. The talk gives a brief overview of how GenAI, used as an aid, can make the threat-modeling process more efficient and accessible, and what its limitations are.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</description>
      <enclosure url="https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56285-eng-GenAI_im_Threat_Modeling_webm-sd.webm"
        length="23068672"
        type="video/webm"/>
      <pubDate>Wed, 13 Nov 2024 12:30:00 +0100</pubDate>
      <guid isPermaLink="true">https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56285-eng-GenAI_im_Threat_Modeling_webm-sd.webm?1731500924</guid>
      <dc:identifier>f4180e9b-91a8-404a-ad4a-f9008067b65d</dc:identifier>
      <dc:date>2024-11-13T12:30:00+01:00</dc:date>
      <itunes:author>Clemens Hübner</itunes:author>
      <itunes:explicit>No</itunes:explicit>
      <itunes:keywords>56285, god2024, god2024, Saal 1, 2024, Day 1</itunes:keywords>
      <itunes:summary>Many teams face the challenge of identifying relevant threats during threat modeling, especially when little security expertise is available. Selecting and assessing potential risks can be difficult for non-experts. This lightning talk shows how generative AI (GenAI) can support this by suggesting threat scenarios based on existing data and models and by helping to make initial decisions. The talk gives a brief overview of how GenAI, used as an aid, can make the threat modeling process more efficient and more accessible, and what its limitations are.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</itunes:summary>
      <itunes:duration>00:09:57</itunes:duration>
    </item>
    <item>
      <title>GenAI in the Battle of Security: Attacks, Defenses, and the Laws Shaping AI&#39;s Future (god2024)</title>
      <link>https://media.ccc.de/v/god2024-56275-genai-in-the-battle-of-sec</link>
      <description>The presentation explores the security challenges and opportunities posed by Generative AI (GenAI). While GenAI offers tremendous potential, it also has a darker side, such as its use in creating deepfakes that can spread misinformation, manipulate political events, or facilitate fraud, as demonstrated in a live deepfake example. Malicious variants of GenAI are used in phishing attacks, social engineering schemes, and the creation of malware. Additionally, GenAI enables more intelligent network attacks through autonomous botnets, which lower the risk of exposure for the attacker.

Despite these risks, GenAI also provides defensive advantages by enhancing security measures, such as improving threat detection, strengthening access control, and identifying code vulnerabilities. This is exemplified in a live demo showcasing deepfake and AI-based content detection.

The presentation also examines the different types of attacks that AI models, including GenAI, are susceptible to, across any task, model, or modality. This includes adversarial attacks, where inputs are specifically crafted to deceive AI systems. Additionally, attacks such as Prompt Injection and Visual Prompt Injection manipulate inputs to mislead models.

However, navigating the complex landscape of AI compliance is essential. Organizations must adhere to regulations like the EU AI Act and standards such as ISO 27090, while also following guidelines from bodies like OWASP to ensure the security, transparency, and ethical use of AI systems. The OWASP AI Exchange plays a key role in modeling threats to GenAI, addressing risks and pointing out solutions. To defend against these threats, various detection and mitigation techniques have been developed and will be presented briefly.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</description>
      <enclosure url="https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56275-eng-GenAI_in_the_Battle_of_Security_Attacks_Defenses_and_the_Laws_Shaping_AIs_Future_webm-sd.webm"
        length="74448896"
        type="video/webm"/>
      <pubDate>Wed, 13 Nov 2024 12:05:00 +0100</pubDate>
      <guid isPermaLink="true">https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56275-eng-GenAI_in_the_Battle_of_Security_Attacks_Defenses_and_the_Laws_Shaping_AIs_Future_webm-sd.webm?1731500940</guid>
      <dc:identifier>17a8c1a3-a7d9-4f6b-93b5-90045f45ad7b</dc:identifier>
      <dc:date>2024-11-13T12:05:00+01:00</dc:date>
      <itunes:author>Niklas Bunzel, Raphael Antonius Frick</itunes:author>
      <itunes:explicit>No</itunes:explicit>
      <itunes:keywords>56275, god2024, god2024, OWASP, Saal 1, 2024, Day 1</itunes:keywords>
      <itunes:summary>The presentation explores the security challenges and opportunities posed by Generative AI (GenAI). While GenAI offers tremendous potential, it also has a darker side, such as its use in creating deepfakes that can spread misinformation, manipulate political events, or facilitate fraud, as demonstrated in a live deepfake example. Malicious variants of GenAI are used in phishing attacks, social engineering schemes, and the creation of malware. Additionally, GenAI enables more intelligent network attacks through autonomous botnets, which lower the risk of exposure for the attacker.

Despite these risks, GenAI also provides defensive advantages by enhancing security measures, such as improving threat detection, strengthening access control, and identifying code vulnerabilities. This is exemplified in a live demo showcasing deepfake and AI-based content detection.

The presentation also examines the different types of attacks that AI models, including GenAI, are susceptible to, across any task, model, or modality. This includes adversarial attacks, where inputs are specifically crafted to deceive AI systems. Additionally, attacks such as Prompt Injection and Visual Prompt Injection manipulate inputs to mislead models.

However, navigating the complex landscape of AI compliance is essential. Organizations must adhere to regulations like the EU AI Act and standards such as ISO 27090, while also following guidelines from bodies like OWASP to ensure the security, transparency, and ethical use of AI systems. The OWASP AI Exchange plays a key role in modeling threats to GenAI, addressing risks and pointing out solutions. To defend against these threats, various detection and mitigation techniques have been developed and will be presented briefly.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</itunes:summary>
      <itunes:duration>00:28:56</itunes:duration>
    </item>
    <item>
      <title>Overview of OWASP AI Exchange: A Comprehensive Guide to AI Security (god2024)</title>
      <link>https://media.ccc.de/v/god2024-56274-overview-of-owasp-ai-excha</link>
      <description>The OWASP AI Exchange provides a comprehensive framework to address the evolving security challenges presented by AI systems. As artificial intelligence continues to transform industries, securing these systems against emerging threats has become a top priority. This presentation will offer an in-depth overview of the OWASP AI Exchange, focusing on its mission to foster collaboration and align AI security standards across various industries. Attendees will explore the major security risks in AI, such as model poisoning, data theft, adversarial attacks, and vulnerabilities in machine learning algorithms. The session will also delve into the controls and countermeasures highlighted in the OWASP AI Exchange, which mitigate risks throughout the AI lifecycle. Additionally, the session will address how organizations can use the AI Exchange to improve governance, implement best practices, and protect the confidentiality, integrity, and availability of AI systems.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</description>
      <enclosure url="https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56274-eng-Overview_of_OWASP_AI_Exchange_A_Comprehensive_Guide_to_AI_Security_webm-sd.webm"
        length="46137344"
        type="video/webm"/>
      <pubDate>Wed, 13 Nov 2024 11:40:00 +0100</pubDate>
      <guid isPermaLink="true">https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56274-eng-Overview_of_OWASP_AI_Exchange_A_Comprehensive_Guide_to_AI_Security_webm-sd.webm?1731498655</guid>
      <dc:identifier>68eadd0f-8415-4e85-a2f2-451dc69a2428</dc:identifier>
      <dc:date>2024-11-13T11:40:00+01:00</dc:date>
      <itunes:author>Behnaz Karimi</itunes:author>
      <itunes:explicit>No</itunes:explicit>
      <itunes:keywords>56274, god2024, god2024, OWASP, Saal 1, 2024, Day 1</itunes:keywords>
      <itunes:summary>The OWASP AI Exchange provides a comprehensive framework to address the evolving security challenges presented by AI systems. As artificial intelligence continues to transform industries, securing these systems against emerging threats has become a top priority. This presentation will offer an in-depth overview of the OWASP AI Exchange, focusing on its mission to foster collaboration and align AI security standards across various industries. Attendees will explore the major security risks in AI, such as model poisoning, data theft, adversarial attacks, and vulnerabilities in machine learning algorithms. The session will also delve into the controls and countermeasures highlighted in the OWASP AI Exchange, which mitigate risks throughout the AI lifecycle. Additionally, the session will address how organizations can use the AI Exchange to improve governance, implement best practices, and protect the confidentiality, integrity, and availability of AI systems.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</itunes:summary>
      <itunes:duration>00:21:46</itunes:duration>
    </item>
    <item>
      <title>NIS2 demystified - What companies must do now (god2024)</title>
      <link>https://media.ccc.de/v/god2024-56273-nis2-entmystifiziert-was-u</link>
      <description>The NIS2 Directive (Network and Information Security Directive) of the European Union is a further development of the existing cybersecurity requirements and aims to strengthen the resilience and security of critical infrastructures in the EU. In Germany, a government draft of the NIS2UmsuCG (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz, the NIS 2 implementation and cybersecurity strengthening act) currently sets out the concrete national implementation.

Compared with the original NIS Directive, NIS2 widens the scope and obliges more companies and sectors to implement strict cybersecurity measures. Companies must now prepare for more extensive risk management requirements, reporting obligations for security incidents and sanctions for non-compliance. But what does this mean concretely for companies, for those responsible for security and for developers within companies?

The talk demystifies the essential changes of NIS2 and shows which concrete steps companies must take now to achieve compliance. These include establishing robust cybersecurity strategies, adapting internal processes and introducing effective reporting procedures. Given stricter requirements and increased controls, it becomes crucial for companies to implement the right measures in time to avoid fines and reputational damage. The talk focuses in particular, in a practice-oriented way, on the current state of the legislative process and the relevant obligations for companies.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</description>
      <enclosure url="https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56273-deu-NIS2_entmystifiziert_-_Was_Unternehmen_nun_tun_muessen_webm-sd.webm"
        length="56623104"
        type="video/webm"/>
      <pubDate>Wed, 13 Nov 2024 10:45:00 +0100</pubDate>
      <guid isPermaLink="true">https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56273-deu-NIS2_entmystifiziert_-_Was_Unternehmen_nun_tun_muessen_webm-sd.webm?1731497505</guid>
      <dc:identifier>096a9297-01b7-4bdf-8c6d-06f96a5cab24</dc:identifier>
      <dc:date>2024-11-13T10:45:00+01:00</dc:date>
      <itunes:author>Tim Philipp Schäfers</itunes:author>
      <itunes:explicit>No</itunes:explicit>
      <itunes:keywords>56273, god2024, god2024, OWASP, Saal 1, 2024, Day 1</itunes:keywords>
      <itunes:summary>The NIS2 Directive (Network and Information Security Directive) of the European Union is a further development of the existing cybersecurity requirements and aims to strengthen the resilience and security of critical infrastructures in the EU. In Germany, a government draft of the NIS2UmsuCG (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz, the NIS 2 implementation and cybersecurity strengthening act) currently sets out the concrete national implementation.

Compared with the original NIS Directive, NIS2 widens the scope and obliges more companies and sectors to implement strict cybersecurity measures. Companies must now prepare for more extensive risk management requirements, reporting obligations for security incidents and sanctions for non-compliance. But what does this mean concretely for companies, for those responsible for security and for developers within companies?

The talk demystifies the essential changes of NIS2 and shows which concrete steps companies must take now to achieve compliance. These include establishing robust cybersecurity strategies, adapting internal processes and introducing effective reporting procedures. Given stricter requirements and increased controls, it becomes crucial for companies to implement the right measures in time to avoid fines and reputational damage. The talk focuses in particular, in a practice-oriented way, on the current state of the legislative process and the relevant obligations for companies.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</itunes:summary>
      <itunes:duration>00:23:14</itunes:duration>
    </item>
    <item>
      <title>The Crucial Role of Web Protocols and Standards in Digital Wallet Ecosystems (god2024)</title>
      <link>https://media.ccc.de/v/god2024-56272-the-crucial-role-of-web-pr</link>
      <description>In the coming years, all EU member states will be required to provide their citizens with a digital identity wallet, as mandated by the European Union. The EU Digital Identity Wallet (EUDI Wallet) represents the largest implementation of its kind to date and brings with it significant challenges, particularly in terms of security, privacy, and interoperability. To address these challenges, the EU has chosen to leverage open standards widely adopted in the web ecosystem, such as OpenID for Verifiable Presentations (OpenID4VP), based on the widely used web standard OAuth 2.0, and Selective Disclosure JWT (SD-JWT), built on the JSON Web Token (JWT) framework.

However, wallet ecosystems operate quite differently from the traditional web, requiring adaptations to these protocols to meet the unique demands of secure, decentralized identity management. This talk will provide a comprehensive overview of the EUDI Wallet&#39;s architecture and the key challenges posed by adapting native web protocols for wallet ecosystems. It will also explore the crucial role browser vendors will play in ensuring the security and smooth functioning of this new digital identity landscape.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</description>
      <enclosure url="https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56272-eng-The_Crucial_Role_of_Web_Protocols_and_Standards_in_Digital_Wallet_Ecosystems_webm-sd.webm"
        length="68157440"
        type="video/webm"/>
      <pubDate>Wed, 13 Nov 2024 10:15:00 +0100</pubDate>
      <guid isPermaLink="true">https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56272-eng-The_Crucial_Role_of_Web_Protocols_and_Standards_in_Digital_Wallet_Ecosystems_webm-sd.webm?1731496766</guid>
      <dc:identifier>51036d08-9e96-4f7a-98ad-7848bccb2ef9</dc:identifier>
      <dc:date>2024-11-13T10:15:00+01:00</dc:date>
      <itunes:author>Kristina Yasuda</itunes:author>
      <itunes:explicit>No</itunes:explicit>
      <itunes:keywords>56272, god2024, god2024, OWASP, Saal 1, 2024, Day 1</itunes:keywords>
      <itunes:summary>In the coming years, all EU member states will be required to provide their citizens with a digital identity wallet, as mandated by the European Union. The EU Digital Identity Wallet (EUDI Wallet) represents the largest implementation of its kind to date and brings with it significant challenges, particularly in terms of security, privacy, and interoperability. To address these challenges, the EU has chosen to leverage open standards widely adopted in the web ecosystem, such as OpenID for Verifiable Presentations (OpenID4VP), based on the widely used web standard OAuth 2.0, and Selective Disclosure JWT (SD-JWT), built on the JSON Web Token (JWT) framework.

However, wallet ecosystems operate quite differently from the traditional web, requiring adaptations to these protocols to meet the unique demands of secure, decentralized identity management. This talk will provide a comprehensive overview of the EUDI Wallet&#39;s architecture and the key challenges posed by adapting native web protocols for wallet ecosystems. It will also explore the crucial role browser vendors will play in ensuring the security and smooth functioning of this new digital identity landscape.
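
The selective disclosure mechanism of SD-JWT reduced to its salted hashes, as an added example in Python (not code from the talk, from the EUDI Wallet reference implementation or from any SD-JWT library; the credential claims and the issuer URL are constructed, and the issuer signature over the payload as well as holder key binding are assumed to be checked by the surrounding JWT code and are not modelled):

```python
import base64
import hashlib
import json
import secrets

# Added example, not library code: how an SD-JWT issuer hides claims behind
# salted digests, how a holder reveals a subset, and what a verifier can check.


def b64url(data):
    """Base64url without padding, as used throughout JWT and SD-JWT."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name, value):
    """Issuer side: a disclosure is base64url(JSON([salt, claim name, claim value]))."""
    salt = b64url(secrets.token_bytes(16))
    raw = json.dumps([salt, name, value], separators=(",", ":")).encode("utf-8")
    return b64url(raw)


def disclosure_digest(disclosure):
    """Digest that goes into the _sd array: base64url(SHA-256(disclosure string))."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims, always_visible):
    """Issuer side.  Claims named in always_visible stay in clear text; every other
    claim is removed from the payload and replaced by a digest in _sd.  Digests are
    sorted so their order reveals nothing about which claim is which.
    Returns (payload, {claim name: disclosure})."""
    payload = {"_sd_alg": "sha-256"}
    disclosures = {}
    for name, value in claims.items():
        if name in always_visible:
            payload[name] = value
        else:
            disclosures[name] = make_disclosure(name, value)
    payload["_sd"] = sorted(disclosure_digest(d) for d in disclosures.values())
    return payload, disclosures


def present(disclosures, reveal):
    """Holder side: hand the verifier only the disclosures for the claims to reveal."""
    return [disclosures[name] for name in reveal]


def verify(payload, presented):
    """Verifier side: every presented disclosure must hash to an entry of _sd, and no
    digest may be matched twice.  Returns the claims the verifier may rely on."""
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    digests = set(payload.get("_sd", []))
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    used = set()
    for disclosure in presented:
        digest = disclosure_digest(disclosure)
        if digest not in digests or digest in used:
            raise ValueError("disclosure does not match an unused digest in _sd")
        used.add(digest)
        salt, name, value = json.loads(b64url_decode(disclosure))
        if name in claims:
            raise ValueError("claim name collides with an existing claim: " + name)
        claims[name] = value
    return claims


# Constructed example credential (not real data).
CREDENTIAL = {
    "iss": "https://issuer.example",
    "given_name": "Erika",
    "family_name": "Mustermann",
    "birthdate": "1984-08-12",
    "address": {"locality": "Berlin", "country": "DE"},
}
```

Issuing CREDENTIAL with always_visible={"iss"} leaves only the issuer and four digests in the signed payload; presenting the single disclosure for birthdate lets the verifier reconstruct exactly {"iss": ..., "birthdate": ...} and nothing else. The per-disclosure salt is what keeps the digests from being brute-forced for low-entropy claims such as a birthdate or a country code; a disclosure forged with a fresh salt, or the same disclosure replayed twice in one presentation, fails the digest check.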

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</itunes:summary>
      <itunes:duration>00:31:29</itunes:duration>
    </item>
    <item>
      <title>How (Not) to Use OAuth in 2024 (god2024)</title>
      <link>https://media.ccc.de/v/god2024-56271-how-not-to-use-oauth-in-20</link>
      <description>OAuth 2.0 has become the backbone of secure delegated authorization on the web, enabling users to grant third-party applications access to their data without revealing their credentials. It&#39;s also foundational for federated authentication via OpenID Connect and plays a critical role in emerging technologies like wallet ecosystems. However, despite its wide adoption, OAuth implementations are fraught with risks — many of which can lead to serious security breaches.

The challenges arise from OAuth&#39;s use in contexts far more dynamic and high-stakes than what was originally envisioned. Today, OAuth protects sensitive financial APIs, powers identity verification systems, and secures modern app ecosystems — yet, many implementations remain vulnerable to attack. Even with the guidance from RFC6749 and RFC6819, subtle misconfigurations and outdated practices are still common, often due to the complexities of real-world deployments.

To address these evolving security needs, the IETF is finalizing the OAuth 2.0 Security Best Current Practice (BCP), an updated set of recommendations designed to mitigate common vulnerabilities and improve OAuth implementations across industries. This new RFC introduces stronger security measures and deprecates insecure approaches like the Implicit Grant, while also tackling new threats such as the Authorization Server Mix-Up Attack.

In this talk, we will dive into the core challenges of securing OAuth in today&#39;s dynamic and high-stakes environments. Attendees will learn about the most critical updates from the Security BCP, including the MUSTs, MUST NOTs, and SHOULDs that are essential for robust OAuth implementations.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</description>
      <enclosure url="https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56271-eng-How_Not_to_Use_OAuth_in_2024_webm-sd.webm"
        length="88080384"
        type="video/webm"/>
      <pubDate>Wed, 13 Nov 2024 09:35:00 +0100</pubDate>
      <guid isPermaLink="true">https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56271-eng-How_Not_to_Use_OAuth_in_2024_webm-sd.webm?1731494104</guid>
      <dc:identifier>f364d6f6-ab49-4577-80a3-167e577904e1</dc:identifier>
      <dc:date>2024-11-13T09:35:00+01:00</dc:date>
      <itunes:author>Daniel Fett</itunes:author>
      <itunes:explicit>No</itunes:explicit>
      <itunes:keywords>56271, god2024, god2024, OWASP, Saal 1, 2024, Day 1</itunes:keywords>
      <itunes:summary>OAuth 2.0 has become the backbone of secure delegated authorization on the web, enabling users to grant third-party applications access to their data without revealing their credentials. It&#39;s also foundational for federated authentication via OpenID Connect and plays a critical role in emerging technologies like wallet ecosystems. However, despite its wide adoption, OAuth implementations are fraught with risks — many of which can lead to serious security breaches.

The challenges arise from OAuth&#39;s use in contexts far more dynamic and high-stakes than what was originally envisioned. Today, OAuth protects sensitive financial APIs, powers identity verification systems, and secures modern app ecosystems — yet, many implementations remain vulnerable to attack. Even with the guidance from RFC6749 and RFC6819, subtle misconfigurations and outdated practices are still common, often due to the complexities of real-world deployments.

To address these evolving security needs, the IETF is finalizing the OAuth 2.0 Security Best Current Practice (BCP), an updated set of recommendations designed to mitigate common vulnerabilities and improve OAuth implementations across industries. This new RFC introduces stronger security measures and deprecates insecure approaches like the Implicit Grant, while also tackling new threats such as the Authorization Server Mix-Up Attack.

In this talk, we will dive into the core challenges of securing OAuth in today&#39;s dynamic and high-stakes environments. Attendees will learn about the most critical updates from the Security BCP, including the MUSTs, MUST NOTs, and SHOULDs that are essential for robust OAuth implementations.
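
Several of the Security BCP requirements named above in one simulated authorization code flow with both the client and the authorization server, as an added example in Python (not code from the talk or from any OAuth library; the issuer URLs, client_id and redirect URI that callers pass in are invented for the demonstration, and no HTTP is performed):

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Added example, not library code.  Issuer URLs, client_id and redirect URI are
# chosen by the caller and are invented for the demonstration.


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256(code_verifier):
    """PKCE S256 transform (RFC 7636): base64url(SHA-256(code_verifier))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def response_params(url):
    """Query parameters of an authorization response URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class AuthorizationServer:
    """Code grant only, PKCE S256 required, exact redirect_uri match, single-use
    codes bound to client and challenge, iss (RFC 9207) in every response."""

    def __init__(self, issuer, registered):
        self.issuer = issuer
        self.registered = registered  # client_id -> the single registered redirect_uri
        self.codes = {}               # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, params):
        """Authorization endpoint after user consent; returns the redirect URL."""
        client_id = params.get("client_id")
        if params.get("response_type") != "code":
            raise ValueError("only the authorization code grant is offered, no implicit grant")
        if params.get("redirect_uri") != self.registered.get(client_id):
            raise ValueError("redirect_uri must exactly match the registered value")
        if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
            raise ValueError("PKCE with S256 is required")
        code = b64url(secrets.token_bytes(32))
        self.codes[code] = (client_id, params["redirect_uri"], params["code_challenge"])
        query = {"code": code, "state": params["state"], "iss": self.issuer}
        return params["redirect_uri"] + "?" + urlencode(query)

    def token(self, client_id, code, code_verifier, redirect_uri):
        """Token endpoint; a code that fails any check is consumed as well."""
        entry = self.codes.pop(code, None)
        if entry is None:
            raise ValueError("unknown or already redeemed code")
        bound_client, bound_redirect, challenge = entry
        if bound_client != client_id or bound_redirect != redirect_uri:
            raise ValueError("code was issued to a different client or redirect_uri")
        if s256(code_verifier) != challenge:
            raise ValueError("PKCE verifier does not match the challenge")
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


class Client:
    """Remembers per state which AS the request went to and checks iss against it."""

    def __init__(self, client_id, redirect_uri, servers):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.servers = servers  # issuer -> AuthorizationServer
        self.sessions = {}      # state -> (issuer, code_verifier)

    def start(self, issuer):
        verifier = b64url(secrets.token_bytes(32))
        state = b64url(secrets.token_bytes(16))
        self.sessions[state] = (issuer, verifier)
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "state": state,
                "code_challenge": s256(verifier), "code_challenge_method": "S256"}

    def callback(self, url):
        """Redirect handler: state, then iss, then the PKCE-bound code exchange."""
        q = response_params(url)
        session = self.sessions.pop(q.get("state", ""), None)
        if session is None:
            raise ValueError("unknown or replayed state")
        issuer, verifier = session
        if q.get("iss") != issuer:
            raise ValueError("mix-up: response from %s but request went to %s"
                             % (q.get("iss"), issuer))
        return self.servers[issuer].token(self.client_id, q["code"], verifier, self.redirect_uri)


def mixup_attempt(client, honest_as, attacker_issuer):
    """The user starts a login with an attacker-controlled AS, which forwards the
    browser unchanged to the honest AS.  Without the iss check the client would
    send the honest code to the attacker token endpoint; here the client raises."""
    return client.callback(honest_as.authorize(client.start(attacker_issuer)))
```

The mix-up defence rests on the client recording, per state value, which issuer the request was sent to, and comparing that against the iss parameter the AS puts into its response; state alone does not help, because in the mix-up the state is genuine. The remaining checks (code grant only, exact redirect URI matching, PKCE S256, single-use codes) each close a separate class of the vulnerabilities the BCP catalogues, and all of them are cheap enough that there is no reason to leave any of them out.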

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</itunes:summary>
      <itunes:duration>00:36:48</itunes:duration>
    </item>
    <item>
      <title>OWASP Juice Shop 10th anniversary: Is it still fresh? (god2024)</title>
      <link>https://media.ccc.de/v/god2024-56270-owasp-juice-shop-10th-anni</link>
      <description>Once upon a time, developers and security experts relied on mostly server-side rendered vulnerable applications to train their web hacking skills. In 2014 the Juice Shop entered the stage as one of the first Rich Internet Application representatives. What started as a personal pet project with two dozen hacking challenges, became an OWASP Flagship project shortly after and grew in size, scope and use case coverage significantly over the years. Join us on a 10th anniversary tour through the origins, history and evolution of OWASP Juice Shop from 2014 to 2024, including new juicy hacking delicacies as well as some crazy shenanigans happening in and around the project.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</description>
      <enclosure url="https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56270-eng-OWASP_Juice_Shop_10th_anniversary_Is_it_still_fresh_webm-sd.webm"
        length="69206016"
        type="video/webm"/>
      <pubDate>Wed, 13 Nov 2024 09:10:00 +0100</pubDate>
      <guid isPermaLink="true">https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56270-eng-OWASP_Juice_Shop_10th_anniversary_Is_it_still_fresh_webm-sd.webm?1731490376</guid>
      <dc:identifier>8dc955ca-f97e-41f5-a943-ba6f24291e6e</dc:identifier>
      <dc:date>2024-11-13T09:10:00+01:00</dc:date>
      <itunes:author>Jannik Hollenbach</itunes:author>
      <itunes:explicit>No</itunes:explicit>
      <itunes:keywords>56270, god2024, god2024, OWASP, Saal 1, 2024, Day 1</itunes:keywords>
      <itunes:summary>Once upon a time, developers and security experts relied on mostly server-side rendered vulnerable applications to train their web hacking skills. In 2014 the Juice Shop entered the stage as one of the first Rich Internet Application representatives. What started as a personal pet project with two dozen hacking challenges, became an OWASP Flagship project shortly after and grew in size, scope and use case coverage significantly over the years. Join us on a 10th anniversary tour through the origins, history and evolution of OWASP Juice Shop from 2014 to 2024, including new juicy hacking delicacies as well as some crazy shenanigans happening in and around the project.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</itunes:summary>
      <itunes:duration>00:31:59</itunes:duration>
    </item>
    <item>
      <title>Welcome (god2024)</title>
      <link>https://media.ccc.de/v/god2024-56269-begruung</link>
      <description>Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</description>
      <enclosure url="https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56269-Begruessung_webm-sd.webm"
        length="10485760"
        type="video/webm"/>
      <pubDate>Wed, 13 Nov 2024 09:00:00 +0100</pubDate>
      <guid isPermaLink="true">https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56269-Begruessung_webm-sd.webm?1731488302</guid>
      <dc:identifier>0f02fe5e-8c72-4d82-b858-909cbbc8e4d5</dc:identifier>
      <dc:date>2024-11-13T09:00:00+01:00</dc:date>
      <itunes:author>OWASP German Chapter</itunes:author>
      <itunes:explicit>No</itunes:explicit>
      <itunes:keywords>56269, god2024, god2024, OWASP, Saal 1, 2024, Day 1</itunes:keywords>
      <itunes:summary>Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
</itunes:summary>
      <itunes:duration>00:04:16</itunes:duration>
    </item>
    <generator>media.ccc.de / RSS 0.3.1</generator>
    <itunes:category text="Technology"/>
    <itunes:image href="https://static.media.ccc.de/media/events/god/2024/logo.jpg"/>
    <itunes:owner>
      <itunes:name>CCC media team</itunes:name>
      <itunes:email>media@c3voc.de</itunes:email>
    </itunes:owner>
    <itunes:author>CCC media team</itunes:author>
    <itunes:explicit>No</itunes:explicit>
    <itunes:keywords>CCC Congress Hacking Security Netzpolitik</itunes:keywords>
    <itunes:subtitle>A wide variety of video material distributed by the CCC. All content is taken from cdn.media.ccc.de and media.ccc.de</itunes:subtitle>
    <itunes:summary>A wide variety of video material distributed by the Chaos Computer Club. This feed contains all events from god2024 as webm</itunes:summary>
  </channel>
</rss>