Increasing resistance to brute force attacks + Security changes in virtual envs

  • June 13, 2013 · 6:00 PM

Talk 1. Secure Password Storage: Increasing Resistance to Brute Force Attacks

In the event that your password table gets into the wild, how long will it take an attacker to expose the plaintext passwords? The recent set of well-publicized disclosures of user passwords has led many of our clients to ask whether current best practices adequately protect passwords from brute-force attacks. In addition, with the advent of GPU-based (or FPGA) computing, where graphics hardware is used for general-purpose computation, are the current defenses and practices against brute-force attacks still sufficient?

This talk discusses the pros and cons of current practices such as salted hashes and adaptive hashes, and proposes an alternative for strengthening them. The talk covers the cryptographic properties of the current practices, but does not require a PhD in mathematics to follow the details.
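As an added example (not from Dawn's talk or from Cigital), the following Python sketches the two practices the abstract names, a per-user salt and an adaptive hash, next to the fast unsalted hash they replace, and a simple estimate of how the work factor changes an attacker's time against a leaked table. PBKDF2-HMAC-SHA256 is used here as one common adaptive hash, not as the talk's proposal; the iteration count and the attacker hash rate in the usage section are assumed figures, not numbers from the talk.

```python
"""Salted, adaptive password storage versus a fast unsalted hash.

Added example, not code from the talk. Shows why a per-user salt plus an
iterated (adaptive) hash slows an offline attacker who holds the password
table, and how the work factor enters a brute-force time estimate.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor (not from the talk). Real deployments tune this so that
# one verification costs tens of milliseconds on their own hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def fast_unsalted_hash(password: str) -> str:
    """The weak baseline: one SHA-256 over the password, no salt.

    Every user with the same password gets the same digest, so one
    precomputed table (or one guess) covers all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest.

    Storing the iteration count with the record lets the work factor be
    raised later without breaking verification of older records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the adaptive hash with the stored salt and compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so a timing side channel does not reveal
    # how many leading bytes of a guess matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def expected_seconds_to_crack(keyspace: int, hashes_per_second: float,
                              iterations: int = 1) -> float:
    """Time to exhaust `keyspace` guesses against one record.

    Each guess against an adaptive hash costs at least `iterations`
    underlying hash computations, so the attacker's effective guess rate is
    hashes_per_second / iterations. Using `iterations` as the multiplier is
    conservative (attacker-favourable): PBKDF2-HMAC actually needs about two
    compressions per iteration.
    """
    effective_guess_rate = hashes_per_second / iterations
    return keyspace / effective_guess_rate


if __name__ == "__main__":
    # Constructed demo values: an 8-character lowercase keyspace and an
    # assumed attacker rate of 5e11 hashes/second. Neither is a measured figure.
    keyspace = 26 ** 8
    rate = 5e11
    print("same password, unsalted:", fast_unsalted_hash("hunter2") == fast_unsalted_hash("hunter2"))
    print("same password, salted:  ", hash_password("hunter2") == hash_password("hunter2"))
    print("plain SHA-256, seconds: ", expected_seconds_to_crack(keyspace, rate))
    print("PBKDF2 x%d, seconds:  " % PBKDF2_ITERATIONS,
          expected_seconds_to_crack(keyspace, rate, PBKDF2_ITERATIONS))
```

The point of the estimate is that a salt does not slow a single guess at all; it only stops one precomputation from covering every user. The adaptive hash is what multiplies the attacker's cost per guess, and it multiplies the defender's cost per login by the same factor, which is the trade-off the talk is about.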


Bio

Dawn Carroll is currently a Senior Security Consultant for Cigital in Boston. She holds a master's degree in Computer Science with a concentration in Security from Boston University. Dawn's roles throughout her career have ranged from developer to senior security analyst for both corporate and business organizations. Prior to joining Cigital she worked for a Department of Defense (DoD) contractor and an educational company, giving her experience with a variety of industry standards and processes. Her favorite security task is pen-testing, from traditional web apps to web services to mobile apps (iOS and Android).

Dawn recently created a Twitter account which she is “learning” to use – here’s an attempt: follow her @evilDwn.

Talk 2. Five security changes in a post-virtualized environment

The manner in which IT organizations deliver technology services is changing. Surveys suggest that more than half of IT shops already leverage virtualization extensively, and its use shows no signs of decreasing. For those of us in security, this changes the game somewhat in the practical steps we take to secure the environment. For example, some previously complicated efforts (e.g. patch management) can become easier, but other efforts can become harder.

This talk will cover five security "game changers" enterprises should watch out for as they increase their use of virtualization technologies. These include areas where virtualization introduces new challenges (e.g. sprawl, image deprecation, data aggregation), but also areas where existing investments and controls might need to be rethought.

Bio

Ed Moyle is currently a Senior Security Strategist with Savvis’ information security practice providing advisory services, solutions, and consulting to clients worldwide as well as a founding partner of Security Curve.  Ed was previously a Senior Manager with CTG’s global security practice and prior to that served as Vice President and Information Security Officer to Merrill Lynch Investment Managers. Ed is co-author of "Cryptographic Libraries for Developers", and a frequent contributor to the Information Security industry as author, public speaker, and analyst.

Schedule
6:00 - 6:30: Networking

6:30 - 6:45: Lulzy News by Akshat

6:45 - 7:00: Tool of the Month by Roy

7:00 - 7:30: Increasing Resistance to Brute Force Attacks

7:30 - 8:00: Five Security Changes in a Post-Virtualized Environment

8:00+ Craft beer @ Meadhall

  • Nabil H.

    The time Dawn had to present her talk was quite short, and it was challenging to dig deep into this topic. If there's enough interest, I'd be happy to co-present with Dawn a much deeper talk where we discuss the algorithms and their drawbacks. Ultimately, developers have to find the right balance between security and usability for their users, and discussing the different options can help find the right balance.

    I leave it up to the organizers to see if we can schedule another session to have this discussion.

    1 · June 17, 2013

    • Eve

      I'd be interested in the deeper discussion.

      June 17, 2013

  • Albert W.

    Good meeting; like the new location. Good topics worth discussing. However, given that this was the first meeting after the information regarding the NSA, everything else seemed slightly anticlimactic. This is easily the biggest story of the year, but we couldn't really get into it regarding how we as programmers, ninjas, pirates, etc. might respond to it.

    I thought the talk regarding resisting brute force attacks felt rushed. And also, the scenario was a little contrived regarding the overhead of using some of the techniques that were outlined. Not every situation is 100,000 users needing to login simultaneously, which was mentioned.

    With affordable ASICs now available (https://products.butterflylabs.com) you can compute 500 billion SHA256 hashes per second. And with $199, 64-core 90 GFLOP computers coming soon (http://www.kickstarter.com/projects/adapteva/parallella-a-supercomputer-for-everyone) it won't require a nation-state's resources for sophisticated attacks.

    1 · June 16, 2013

  • mike v.

    Fantastic learning experience.

    June 16, 2013

  • Kelly

    Excellent

    June 14, 2013

  • Bethany B.

    The meeting and speakers were fun and informative. I'll attend the next Meetup.

    June 14, 2013

  • Kelly

    I thoroughly enjoyed both talks and the new location is very convenient for me! Thanks to the speakers and organizers!

    June 14, 2013

  • Dawn C.

    Thanks everyone for attending. As always BSM was a great way to spend an evening!

    1 · June 14, 2013

  • Ed M.

    Really enjoyed the meetup! Thanks to everyone for being so pleasant and welcoming!

    June 14, 2013

  • Pranav

    In light of varied opinions and rebuttals, the speaker defended her concept of adding a layer of defense to make brute-forcing pretty well. The prospect seems exciting, and I would like to see some metrics which prove their theories.

    June 14, 2013

  • Lucy M.

    Thanks Dawn and Ed for the great talks tonight! I enjoyed both topics a lot.

    1 · June 13, 2013

    • Ed M.

      Thanks! Enjoyed meeting everyone. I'm totally going to start going to this. The meetup format was great and really enjoyed the experience! Great community!

      June 14, 2013

  • Cho

    great talks!

    June 13, 2013

  • Pete S.

    Sorry I missed this one but my new job has kept me working quite late. Love the new location though since I work right in the Kendall Sq area. :-)

    June 13, 2013

  • Albert W.

    Butterfly Labs makes ASIC hardware that does SHA256 (which Bitcoin and related cryptocurrencies use) hashing at high rates, starting at $249: https://products.butterflylabs.com

    1 · June 13, 2013

  • Ori

    Kid's not feeling well, regretfully missing this meetup. Any chance of it being recorded for those of us missing it?

    1 · June 13, 2013

  • Dmitry B.

    Hate to cancel, but work is very likely running over...

    June 13, 2013

  • Frank Q.

    Sorry to have to cancel, but feeling under the weather.
    Wish there was a video! See you at the next one! Cheers, Frank

    June 13, 2013

  • Steven T.

    Something has come up :(

    June 13, 2013

  • Joseph D

    Can't make this one. Enjoy!

    June 13, 2013

  • jim w.

    looks like you have plenty of content but I can do a short pres on Tabnabbing - or save it for later

    June 13, 2013

  • Rob R.

    I have to drive to the meeting. Is there suggested parking nearby? Maybe free? Thanks.

    June 12, 2013

    • Lucy M.

      Kendall Square has a good amount of metered parking. Just allow a little bit of extra time to go a block or two if needed.

      1 · June 12, 2013

  • Bethany B.

    This will be my first Meetup. Looking to meet some people in the field, and expand my security knowledge. On another note, I am also looking for a new job.

    June 12, 2013

  • Mike C.

    Across the river we go...

    1 · June 7, 2013

  • Brian S.

    +1

    June 7, 2013

  • Thomas H.

    Always informative sessions and a pleasure to MeetUp with folks.

    June 2, 2013

  • Anthony P.

    Very interested and can't wait!

    May 10, 2013

  • Ed M.

    Looking forward to it!

    April 18, 2013

52 went

Our Sponsors

  • Google

    Generously providing hosting and support for the BSM events.

  • ComplianceChimp

    Generously providing funding and support for the BSM events.
