Tag Archives: Security

Speaking at NDC London 2017

Stephen Haunts Speaking at NDC London 2017

I am pleased to announce that I will be speaking again at NDC London in January 2017. For this conference my talk is called Hacking Humans: Social Engineering Techniques and How to Protect Against Them.

Social engineering is one of the biggest threats to our organisations: attackers use manipulation techniques to coerce people into revealing secrets about our companies, and then use those secrets to gain access to critical systems.

In this talk we will look at some of the techniques used in social engineering and at how to guard yourself against them. We will cover subjects like pretexting, elicitation and body language as techniques for manipulating people.

I am really looking forward to doing this talk and I think it will be a lot of fun for the audience as we explore techniques for manipulating people and then how to protect against them.

Slides for my NDC Oslo Talk : .NET Data Security – Hope is not a Strategy

Stephen Haunts Presenting at NDC Oslo

I have just finished my talk at NDC Oslo on .NET Data Security. I have made the slides available on this blog. You can also grab some Sample Code in C# that goes along with the talk. Feel free to use any of the code in your own solutions.

The talk went very well to a packed room that had to have people standing as there were no seats left. I am very pleased with the result.

I covered a lot of ground in the talk, but if anyone is interested in following up on the techniques I discussed, then I have a course called Practical Cryptography in .NET which goes into a lot more detail than the talk.

If you don’t have access to Pluralsight but would like to watch the course, then please get in touch with me via the contact page on this blog and I can sort you out with a 30-day, unlimited access trial card for Pluralsight.

My Cryptography Talk at NDC London

The video recording of my talk at NDC London is now available to watch online. This was my first major conference so it was a little scary, but I really enjoyed the experience. The room was about two-thirds full and I got an excellent speaker rating at the end, so I must have done something right.

Limiting Windows 10 Privacy Concerns

The release of Windows 10 has been very successful for Microsoft, but there are growing concerns about the amount of data and telemetry Microsoft is capturing: key logging data, usage telemetry and data about the applications you are running (both legitimate and pirated).

There have been many articles and tips scattered around the internet about how to limit this, but I found a useful video on YouTube that talks you through tweaking Windows 10 to limit this data capture. This ranges from simple and obvious changes in the Windows 10 settings through to removing specific Windows services, modifying group policy, tweaking the registry and updating your hosts file to stop Windows calling out to Microsoft's servers.

Whether you apply all of these or just some of them is up to you and how bothered you are by this. If you do apply all of these tips then you lose things like Cortana. It’s up to you and how paranoid you are about such privacy concerns.

EDIT: If you are running Windows 10 Home edition then you will not have access to the group policy editing tool.

EDIT: I have tried all these changes out on my Surface 3 (apart from the group policy bit, as I am running Home edition) and everything still seems to be working OK.

Password Based Key Derivation Function Iteration Counts

I have already spoken about Password Based Key Derivation Functions before on this blog, and I have discussed secure password storage with PBKDF2 at length in my Pluralsight course, Practical Cryptography in .NET, but in this post I want to expand on this a bit and talk about picking a suitable iteration count for the PBKDF2 key derivation process.

Choosing a good number of iterations for PBKDF2

A reader of this blog, Geoff Hirst, gave me a heads up about an episode of the Security Now podcast, specifically episode 512, where the recent security breach at LastPass was discussed. Luckily no one’s data was actually at risk due to their security policies and good use of encryption, but the podcast raised something interesting: what should you set your PBKDF2 iteration count to?

I must admit I have always used round numbers like 50,000 or 100,000, but the podcast says this isn’t a good idea: you should use a five-figure number beginning with a digit larger than 2, chosen at random rather than rounded to a specific whole number such as 50,000 or 100,000.

By making this a random number that you do not disclose you make an attacker’s life a little harder, as they also have to get the iteration count right before any of their guesses can be checked. Of course you shouldn’t rely on this as a main piece of your security; an undisclosed count is obscurity, not key material, and a strong PBKDF2 work factor and a unique salt still do the real work. But anything that makes an attacker’s life a little harder has to be a good thing.

If you are dealing with a system that has multiple users, why not generate a different random iteration count per user? Then if one user’s password is recovered, the attacker still has to guess the count for every other user before they can start on them. The catch is that the verifier needs the count to check a login, so it has to live somewhere: if it is stored in the same row as the salt and hash, anyone who dumps that table gets it for free and the benefit disappears. It only adds work for an attacker if it is kept out of the credential store, for example derived from a server-side secret that a database dump does not contain.
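Putting the above together, here is an added example in C# (my illustration, not the blog's sample code): PBKDF2-HMAC-SHA256 password storage where each user gets an iteration count drawn at random from a five-figure range. The range limits, the record layout and the sample passwords are assumptions for illustration, and it assumes .NET Framework 4.7.2 or .NET Core 2.0 or later for the Rfc2898DeriveBytes overload that takes a hash algorithm name.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not the blog's own sample code): PBKDF2 password storage with
// a per-user iteration count drawn at random from a fixed range, as suggested
// in the post. Assumes .NET Framework 4.7.2+ or .NET Core 2.0+, which provide
// the Rfc2898DeriveBytes overload that lets you choose the underlying hash.
public static class PasswordStorage
{
    // The range is an assumption for illustration. Choose it so that the
    // slowest count still verifies in acceptable time on your login servers;
    // the lower bound should track hardware speed and go up over time.
    public const int MinIterations = 30000;
    public const int MaxIterations = 99999;
    private const int SaltBytes = 16;
    private const int HashBytes = 32;

    // What gets stored for one user. If Iterations sits in the same row as
    // Salt and Hash, anyone who dumps that table has it and the random count
    // adds nothing; keep it in a separate store if it is meant to be an obstacle.
    public sealed class Record
    {
        public byte[] Salt;
        public int Iterations;
        public byte[] Hash;
    }

    public static Record Create(string password)
    {
        var salt = new byte[SaltBytes];
        int iterations;
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
            iterations = RandomIterationCount(rng);
        }
        return new Record
        {
            Salt = salt,
            Iterations = iterations,
            Hash = Derive(password, salt, iterations)
        };
    }

    public static bool Verify(string password, Record stored)
    {
        byte[] candidate = Derive(password, stored.Salt, stored.Iterations);
        return FixedTimeEquals(candidate, stored.Hash);
    }

    // Random count in [MinIterations, MaxIterations]. The count is an obstacle,
    // not a key, so the slight bias of a modulo reduction does not matter here.
    private static int RandomIterationCount(RandomNumberGenerator rng)
    {
        var buf = new byte[4];
        rng.GetBytes(buf);
        uint r = BitConverter.ToUInt32(buf, 0);
        return MinIterations + (int)(r % (uint)(MaxIterations - MinIterations + 1));
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        // PBKDF2-HMAC-SHA256. The older three-argument constructor silently
        // uses SHA-1, so always pass the hash name explicitly.
        using (var kdf = new Rfc2898DeriveBytes(
            Encoding.UTF8.GetBytes(password), salt, iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashBytes);
        }
    }

    // Compare every byte regardless of where the first mismatch is, so that
    // response timing does not leak how much of the hash a guess got right.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample passwords, not real credentials.
        Record rec = Create("correct horse battery staple");
        Console.WriteLine("iterations for this user: " + rec.Iterations);
        Console.WriteLine("right password verifies:  " + Verify("correct horse battery staple", rec));
        Console.WriteLine("wrong password verifies:  " + Verify("Tr0ub4dor&3", rec));
    }
}
```

Note where Iterations ends up: the Record above keeps it beside the salt and hash, which is exactly what a verifier needs but also exactly what a dumped table hands to an attacker. To get the benefit the post describes, persist that field somewhere the credential table dump does not reach, and treat the lower bound of the range, not the randomness, as the setting that actually determines how expensive each guess is.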

Secret Files Decrypted by the Russians and Chinese

It was reported in the press today that some of the files stolen by Edward Snowden have been decrypted by the Russians and the Chinese, giving up vital strategic intelligence and forcing SIS (MI6) to move undercover agents out of potential harm’s way. This story interests me particularly given my interest in cryptography and having released a Pluralsight course on the subject.

Edward Snowden : Secret Files Decrypted by the Russians and Chinese

There are a couple of things I am wondering. From a technical perspective, how were the files protected? Was it AES, RSA, or a combination of both? Were the files broken with a brute-force attack? Were the keys particularly weak? These are questions I am sure I won’t get answers to, but I am curious nonetheless.

Aside from my own technical curiosity, the other thing on my mind is why this is in the news at all. It is unusual to hear anything about MI6 operations in the press, which leads me, and many others such as former Conservative cabinet minister Andrew Mitchell, to wonder whether the story was timed to coincide with the Anderson Report.

Practical Cryptography in .NET Course Released by Pluralsight

I am pleased to announce that my latest course, Practical Cryptography in .NET has been released by Pluralsight.

The course description is as follows:

As a software developer you have a duty to your employer to secure and protect their data. In this course you will learn how to use the .NET Framework to protect your data to satisfy confidentiality, integrity, non-repudiation and authentication.

This course covers random number generation, hashing, authenticated hashing and password-based key derivation functions. It also covers both symmetric and asymmetric encryption using DES, Triple DES, AES and RSA. You then learn how to combine these into a hybrid encryption scheme that uses AES, RSA, HMACs and digital signatures.

The course is aimed at teaching developers about the importance of protecting sensitive data within their systems.

Practical Cryptography in .NET Coming Soon to Pluralsight

As well as giving lots of technical background, the course is very practical, with lots of live code demonstrations. It is split into the following modules.

1. Course Outline and Introduction
2. Cryptographic Random Numbers
3. Hashing Algorithms
4. Secure Password Storage
5. Symmetric Encryption
6. Asymmetric Encryption
7. Hybrid Encryption
8. Digital Signatures
9. Secure String
10. Course Summary

Modules 2 to 6 cover a lot of theory and practical advice on using what is built into the .NET Framework. Module 7, on hybrid encryption, takes this a step further by combining many of those primitives into one scheme that gives the flexible key management of RSA together with the speed of a symmetric algorithm like AES, with full authenticated integrity checking.

This then gets expanded on further by introducing the concept of Digital Signatures to build in non-repudiation into the system.
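As an added illustration of the scheme described in the two paragraphs above (my example in C#, not the course's demo code): a hybrid package that wraps fresh AES and HMAC keys under the recipient's RSA public key, protects the data with AES-CBC plus an HMAC-SHA256 tag, and signs the whole package with the sender's RSA private key for non-repudiation. The package layout, key sizes and sample plaintext are assumptions, and it assumes .NET 6 or later so that RSA.Create(int), OAEP-SHA256 and PSS are all available.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example, not the course's sample code: a hybrid scheme of the shape
// described above. A fresh AES-256 key and HMAC-SHA256 key protect the data
// (encrypt-then-MAC), both session keys are wrapped with the recipient's RSA
// public key using OAEP, and the sender signs the whole package with their RSA
// private key so the recipient can prove who produced it. Assumes .NET 6+;
// the old RSACryptoServiceProvider does not support OAEP-SHA256 or PSS.
public sealed class HybridPackage
{
    public byte[] WrappedKeys;  // RSA-OAEP(aesKey || hmacKey), for the recipient
    public byte[] Iv;           // AES-CBC IV, fresh for every message
    public byte[] CipherText;
    public byte[] Tag;          // HMAC-SHA256 over Iv || CipherText
    public byte[] Signature;    // sender's RSA-PSS signature over all of the above
}

public static class HybridCrypto
{
    public static HybridPackage Encrypt(byte[] plaintext, RSA recipientPublic, RSA senderPrivate)
    {
        var pkg = new HybridPackage();
        byte[] aesKey = new byte[32], hmacKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(aesKey);
            rng.GetBytes(hmacKey);
        }
        using (var aes = Aes.Create())
        {
            aes.Key = aesKey;
            aes.GenerateIV();
            pkg.Iv = aes.IV;
            using (var enc = aes.CreateEncryptor())
                pkg.CipherText = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
        // Encrypt-then-MAC with a separate key; the tag covers the IV as well,
        // so neither IV nor ciphertext can be altered without detection.
        using (var mac = new HMACSHA256(hmacKey))
            pkg.Tag = mac.ComputeHash(Concat(pkg.Iv, pkg.CipherText));
        // RSA only ever encrypts the 64 bytes of session keys, never the data.
        pkg.WrappedKeys = recipientPublic.Encrypt(Concat(aesKey, hmacKey), RSAEncryptionPadding.OaepSHA256);
        // Non-repudiation: only the holder of senderPrivate can produce this.
        pkg.Signature = senderPrivate.SignData(ToBeSigned(pkg), HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        Array.Clear(aesKey, 0, aesKey.Length);
        Array.Clear(hmacKey, 0, hmacKey.Length);
        return pkg;
    }

    public static byte[] Decrypt(HybridPackage pkg, RSA recipientPrivate, RSA senderPublic)
    {
        // Verify the signature first, before any secret key touches the input.
        if (!senderPublic.VerifyData(ToBeSigned(pkg), pkg.Signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pss))
            throw new CryptographicException("signature does not verify");
        byte[] keys = recipientPrivate.Decrypt(pkg.WrappedKeys, RSAEncryptionPadding.OaepSHA256);
        byte[] aesKey = keys.Take(32).ToArray();
        byte[] hmacKey = keys.Skip(32).ToArray();
        // Then the MAC, in constant time, and only then decrypt: a forged or
        // truncated ciphertext never reaches the AES padding check.
        using (var mac = new HMACSHA256(hmacKey))
        {
            if (!FixedTimeEquals(mac.ComputeHash(Concat(pkg.Iv, pkg.CipherText)), pkg.Tag))
                throw new CryptographicException("integrity check failed");
        }
        using (var aes = Aes.Create())
        {
            aes.Key = aesKey;
            aes.IV = pkg.Iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(pkg.CipherText, 0, pkg.CipherText.Length);
        }
    }

    private static byte[] ToBeSigned(HybridPackage p) => Concat(p.WrappedKeys, p.Iv, p.CipherText, p.Tag);

    private static byte[] Concat(params byte[][] parts) => parts.SelectMany(b => b).ToArray();

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Two key pairs generated on the spot for the demo; in practice each
        // party only ever holds its own private key and the other's public key.
        using (RSA alice = RSA.Create(2048))
        using (RSA bob = RSA.Create(2048))
        {
            byte[] message = Encoding.UTF8.GetBytes("constructed sample plaintext");
            HybridPackage pkg = Encrypt(message, recipientPublic: bob, senderPrivate: alice);
            Console.WriteLine(Encoding.UTF8.GetString(Decrypt(pkg, recipientPrivate: bob, senderPublic: alice)));

            // Flip one ciphertext bit: the package is rejected before decryption.
            pkg.CipherText[0] ^= 0x01;
            try { Decrypt(pkg, bob, alice); }
            catch (CryptographicException e) { Console.WriteLine("rejected: " + e.Message); }
        }
    }
}
```

The order of checks in Decrypt is the point worth copying: signature, then MAC, then decryption, each with its own key, so that nothing derived from the recipient's private key is ever applied to bytes that have not already been authenticated.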

The course has been a lot of fun to produce and I hope you find it useful. Protecting data is something every developer should take very seriously, and this course gives you the tools you need to protect your company’s data from exfiltration by hackers or anyone else who wants to cause your organisation harm.