Insecurity-In-Security version.1 (2010)


Published on

Presentation (version.1) from 2010 describing how Security mechanisms placed to secure us are insecure themselves.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Insecurity-In-Security version.1 (2010)

  1. 1. Do you...●have an User Account on any Computer?●visit unknown web-links from any searchengine?●host a Web Service?●use a Proxy?●log-in to your Web based accounts?●use any Web Service?●access any private data?
  2. 2. You are InSecure if you dont...●apply security policies over your User Account.●use patched Web Browsers.●use Intrusion Detection System.●use trusted SSL Proxy.●log-in to your Web Accounts over encryptedconnection.●use Firewall.●delete and format your storagemedia.
  3. 3. You are InSecureEven if you doall this.
  4. 4. InSecurityIn SecuritySecurity is just maintained, its never achieved.By : (m0727) Abhishek KumarGuide : Mr. Ramdas N. Karmali
  5. 5. O.S. User Account Log-In● O.S. strongly encrypts the user passwordto hash.● These hashes are stored in files withhighly restricted user rights.
  6. 6. O.S. User Account Log-In( Active Mode ) :: Hacks ::Hackers have tools:● Live Boot Discs to steal Password-Hash files(otherwise inaccessible).● Tool “John-The-Ripper” can try crackingpasswords by matching hash of guessedpasswords.● Tool “Rainbow Crack” and “OPHCrack”have precomputed hash tables ofseveral passwords to match thehash in the stolen password file.
  7. 7. O.S. User Account Log-In( Passive Mode ) :: Bypass ::Cracking password consumes a lot of time againststrong passwords.Hackers have tools:● Grub/Lilo (Unix/Linux)● Kon-Boot (Windows, Unix/Linux)● Keyboard (Macintosh only)
  8. 8. Visiting Unknown Websites:: SmbEnum ::Reconnaissance via simple HTML Web Page● IE supports “file://” and “res://” protocol foraccessing local machine resources URI.● Firefox has also started support for a similar“resource://” protocol.● Javascript can use these protocols toenumerate resources.● Could gather User Names using Brute Force.● e.g. if “file:///c:/oracle/ora81/bin/orclcontainer.bmp” loads, means“Oracle 8” is present on system.
  9. 9. Visiting Unknown Websites:: Res Timing Attack- ::The res(ource):// protocol hack using CPU Cycles.● An attacker can even get resources toexecute on your machine.● Could measure CPU Cycles for resourceenumeration, the CPU cycle count forexisting resources is almost twice the CPUcycle count for non-existing resources.● Could even exhaust Victims machineby generating infinite CPU cycles.
  10. 10. Hosting Vulnerable Web Server:: Slowloris ::The slow HTTP Denial-of-Service Attack..● Its a stealth-mode attack.● Allows single machine to attack Web-Serverwith minimal bandwidth.● Uses Partial HTTP Connections to keep WebServer sockets busy, and slowly consumesall the sockets.● It works successfully over Apache 1.x,Apache 2.x, dhttpd, GoAhead,WebSense, etc. but fails againstIIS 6.0, IIS 7.0, lighttpd, squid,nginx, etc.
  11. 11. :: Sidejacking ::Intercept and Hijack an engaged web session.● Websites protect against sniffing ofpasswords by encrypting the log-inmechanism, and create a session for furtherauthenticated access.● But after log-in, if this Session Information istransferred in plain-text, it can be sniffed.● Attackers sniff this session information anduse them to replicate the required cookies orsession state managing file.● Now, an user can access the sameAccount without knowing the password.
  12. 12. :: DeAnonymize Proxy ::Trojan infected proxy tools are the problem.● Onion Proxy is one of the best Anonymizer.● TOR works on it, using a chain of randomproxy servers between the entry node andthe exit node.● According to Research, several TOR exitclients are Trojan-infected, sniffing all thesensitive data passed.● e.g. doing a Reverse DNS Lookupon POP3 packets and harvestingusernames and passwords.
  13. 13. Protector Of Protocols:: SSL (Secure Socket Layer) ::Faulty Design and Poor Implementation.● Earlier it allowed any Digital CertificateOwner to sign any Digital Certificate ( can sign certificate for paypal.comand use itself)● It was patched by specifying signingauthority field in Digital Certificate● If attacker send a forged certificate withexpired validity date, severalapplications ask for date confirmationand perform no more checksfor certificate validation.
  14. 14. Defeating SSL:: SSL Stripping Attack ::Poor Implementation is an easy hack.● Default behaviour of maximum Websites isnon-SSL. SSL is implemented by Redirectingto a SSL Link or let user click the SSLService link.● e.g. opening, opens, here log-in buttonhas https:// link for SSL based Log-in.● Attacker can modify webpage replacinghttps://login link to http://login link● Now log-in credentials transfer inplain-text mode, thus they can be sniffed.
  15. 15. Defeating SSL::SSL Digital Certificate Mod Attack::Faulty Design is hard to find, best to exploit.● Authority grants a digital certificate to anorganisation for all sub-domains it askssay, irrespective of value of X.● If X is “www.PayPal.com0”, then too it issuesthe certificate to Y.orgfor
  16. 16. Defeating SSL::SSL Digital Certificate Mod Attack::Null Character Insertion (except WebKit, Opera) get stored in a Stringand read back only as www.PayPal.com0 .Null Character Escape (for WebKit, Opera)www.Pay0Pal.com0 get stored in a String andread back only as www.PayPal.com0 .Wildcard (*, |) MatchMatching several website certificatesat once.
  17. 17. Defeating SSLs SecurityCertificate RevocationUses OCSP (Online CertificateRevocation Policy)with two fields ResponseStatus andResonseBytes (with signature).Setting “ResponseStatus=3” for “Try Later” hasno ResponseBytes, so no signature and hence thevictim does not see any effect of the attack.Software UpdatesSoftware Updates also work over SSLchannel, which is already compromised.
  18. 18. :: DNS ::The base of all Network Services is Vulnerable.● Man-in-the-Middle attack are a major threatto DNS.● DNS Cache Poisoning is possible even ifmachines are behind a Firewall.When DNS queries about IP of any Domain,attacker spoofs as one of domainsNameServer and answers a specially craftedresponse making the Victim record theattackers IP for requested Domain.
  19. 19. Security over DNS:: DNSSEC ::Does not fulfill the basic requirement of Security.● It provides Origin Authentication, IntegrityProtection, PKI, and even authenticateddenial of existence of data.● But no Confidentiality, and confidentiality isone of the fundamental requirement ofSecurity.● DNS NameServer Enumeration is muchdeeper because of DNSQuery Espionage.● CPU Flooding is possible as it usesexhaustive encryption/decryption.
  20. 20. Forensic eXpert Hackers:: Data Stealing ::You loaded it in Main Memory, Hackers stole it.●Data Carving.●Cold Boot Attack.●Imaging RAM.●Dig Information from O.S.●Dig information from Files.●Timestomp.
  21. 21. :: Countermeasures :: #1O.S. User Account Log-in Hack/Bypass● Restrict any kind of physical access to yourmachine, nothing else can counter it.RES-Timing and SMBEnum Attack● Turning off Javascript is a partial solution,victim is vulnerable till correct patches areprovided by Microsoft and Mozilla.Slowloris Attack● Applying patches to Web Servers &IDSes, but no optimal patch isavailable.
  22. 22. :: Countermeasures :: #2SideJacking● Use private secure VPN.● Dont log-in at any Public Hotspot.DeAnonymize Proxy● Use your own encryption channel for dataexchange over proxy.Defeating SSL● Use secure proxy channel.● Check URL in Certificate with onein Address Bar, do a WHOIS onboth & match them.
  23. 23. :: Countermeasures :: #3DNSSEC Vulnerabilities● Use static address mapping for importantdomains.● Use DNSCurve instead of DNSSEC.Forensic eXpert Hackers● Encrypt your content or even entire disc.● Apply Secure Recursive Delete onsensitive data.● Use ZipBomb to trouble the Hacker.
  24. 24. ConclusionSecurity is just maintained, its never achieved.So keep track of latest vulnerabilities and start/stopusing resources based on them.Refer sites like,, html, etc.Most of the Insecurity In Security comesfrom badly written piece of code and wehave only careless developers to thankfor them.
  25. 25. ReferenceI referred to the work of :Thorkill (piotrbania, KryptosLogic)Billy Rios (Security Engg., Verisign)Robert Hansen (SecTheory)Joshua Jabber Abraham (Rapid7)Robert Graham (Errata Security)Moxy Marlinspike (ThoughtCrime)Dan Kaminsky (Director, IOActive)Adrian Crenshaw (InfoSec Enthu)Presentaions from:● BlackHat 2009● DefCon 17● DefCon 16
  26. 26. Queries...?My Crime is that of Curosity.My Crime is of Judging people by what they say and think,And not by what they look like.