Shape Security Customer Summit 2018 brings together some of the world’s most innovative people to challenge, inspire and energize each other. Contact your rep for an invitation and details.
Monday, May 21st
Going to FS-ISAC Summit? Join us Monday, May 21st from 9pm-11pm at the Boca Beach Club as we kick off the conference in style – enjoy dessert, open bar, and two live DJ sets as we cap off Day 1. We will be celebrating our new product, Blackfish!
- Ariya Hidayat
- Jarrod Overson
- Michael Ficarra
- Tim Disney
- Lewis Ellis
- Shilpi Jain
- Eli Mattson
- Kevin Gibbons
- Jamie Moore
Definitely make sure to check out Ariya’s talk and mine at the conference. I’m really excited to give the security talk and go over some of the insanity we get to work with at Shape.
Ashley Madison data stolen… Twitch.tv breached, passwords need to be reset… 10 million passwords leaked! 13 million! 80 million!
What does this mean to you and your websites? You use secure passwords, your sites haven’t been compromised, and you have safeguards in place to protect your customers, so you don’t need to worry, right?
Jarrod Overson reveals the world where these passwords are traded, sold, verified, and used to exploit your sites. Even if you are diligent, doing everything you can to protect yourself and your users, you can’t protect against legitimate logins. So what can you do? Jarrod explains how you can start exploring how vulnerable you really are, how you might start recognizing malicious traffic, and what you can do to start taking a stand against your attackers.
See you at Fluent!
This week over 1400 software developers are gathering in San Francisco for QCon to share the latest innovations in the developer community. The conference highlights best practices in a wide range of emerging technology trends such as microservices, design thinking, and next-generation security.
Want more QCon inspirations? Follow #ShapeSecurity and #QConSF on twitter now.
An important web security concept, “A Breach Anywhere is Breach Everywhere,” will be highlighted at Shape’s booth during the Black Hat conference this week. Prominent attacks such as the Uber account hijackings highlight how spilled credentials obtained from previous breaches can lead to account hijackings on another B2C site.
Make sure to check out Black Hat sessions relevant to escalating web security threats, such as password cracking (Cracklord) and the expanding web attack surface of technologies like EdgeHTML and Node.JS. You can also engage with web security anti-automation experts at the Shape Security booth #558. On Wednesday at 2:30 pm Shape will be hosting Ted Schlein, Partner at Kleiner Perkins (investor in ArcSight, Fortify, Mandiant), former CEO of Fortify and executive at Symantec.
Cracklord – A Friend of Credential Stuffers
If credential stuffing allows criminals to turn lead into gold, hash cracking is the act of digging lead from the Earth. Cracklord, a system designed to crack password hashes, will be explained by researchers from Crowe Horwath. As password cracking tools increase the pool of available credentials, B2C companies need to strengthen their web security defenses to defeat credential stuffing and account hijacking attacks.
New web attack surfaces revealed
Web attack surfaces are constantly expanding as new web frameworks and browser technologies continue to be developed and popularized. Those frameworks offer both the opportunity for built-in security and the risk of a single vulnerability affecting the entire user base. At this year’s Black Hat, two briefings on EdgeHTML and Node.JS are particularly relevant.
Researchers from IBM will talk about new attack surfaces within Microsoft’s next-generation rendering engine EdgeHTML (codename Project Spartan). Researchers from Checkmarx will talk about different attack methods on Node.JS. It’s important for B2C companies to be aware of these new vulnerabilities, as attackers are likely to exploit them.
Stop by Shape’s booth #558
Stop by to engage with Shape’s anti-automation specialists to evaluate risks to your website and learn how to protect your web application and mobile API services. On Wednesday, you will get a chance to meet Ted Schlein, veteran VC at KPCB (investor in ArcSight, Fortify, Mandiant), former CEO of Fortify and executive at Symantec.
Have fun, and we hope you enjoy your week at Black Hat!
Links for relevant sessions on web security
Please follow Shape Security on Twitter – #ShapeSecurity
Shape will be at O’Reilly’s Fluent Conference in a big way next week, and we’re hoping to meet a huge round of new faces in the web community. Several of us will be speaking, doing a book signing, and hanging around our booth in the sponsors’ hall. Make sure you stop by and say hello to:
- Ariya Hidayat (@ariyahidayat)
- Wesley Hales (@wesleyhales)
- Michael Ficarra (@jspedant)
- Bei Zhang (@ikarienator)
- Ben Vinegar (@bentlegen)
- Seth McLaughlin (@sethmc)
- Jarrod Overson (@jsoverson)
Definitely stop by to see us if you’re still curious as to what Shape is all about. We’re a quiet company doing some amazing things and we’ll take any opportunity to go into detail in person.
Don’t miss the talks below!
Adding a WebSocket service to an application is often assumed to deliver high performance by default; however, there are many more considerations to be made, both on the client and the server, before the best performance can be achieved. Real-time technologies like SPDY, WebSocket, and soon HTTP 2.0 have their own sets of hurdles and anti-patterns to overcome, and this talk will provide the checklist you need to fine-tune your application’s real-time performance.
High Performance Websites, by Steve Souders, was first released in 2007. The follow-up, Even Faster Web Sites, was published in 2009. These books have served as web optimization canon for a generation of web developers. The problem is: it’s now 2015. Browsers, browser features, internet connectivity – they’ve all changed dramatically. Many of the best practices from 2007 and 2009 no longer apply. And yet many developers are still holding on to those practices, advocating performance tweaks that are no longer relevant.
See you there!
The Emperor’s New Password Manager: Security Analysis of Password Managers
Friday, April 24, 2015
9:00 AM – 9:50 AM
Session abstract: We conducted a security analysis of popular web-based password managers. Unlike local password managers, web-based password managers run in browsers. We identify four key security concerns and representative vulnerabilities. Our attacks are severe: in four out of the five password managers we studied, attackers can learn credentials for arbitrary websites. This work is a wake-up call for developers.
Speaker: Zhiwei Li, Research Scientist @ Shape