Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna Basu

  1. Internet security: past, present and future. Tamaghna Basu, tamaghna.basu@gmail.com, www.tbasu.com
  2. Weekendsecurity.org
  3. Disclaimer! • The content of this presentation and the techniques shown here are for educational purposes only. The organizers and presenters do not encourage the attendees to use the knowledge learned here for any malicious or illegal purpose. • If the attendees use this knowledge for any kind of real hacking or illegal activity which violates the law, then we, the organizers and the presenters, will not be responsible for that or any further consequences.
  4. http://www.slideshare.net/AnkamKarthik/zion-se
  5. http://www.slideshare.net/AnkamKarthik/zion-se
  6. CIA Triad • Confidentiality: data security • Integrity: digital signatures and audit trails • Availability: load balancing, throttling
  7. You are being watched: CCTV • Weak or no authentication on CCTVs • Easily accessible
  8. CCTV: how? • IP addresses and links to the CCTVs' web pages turn up in Google search results. • Even CCTVs inside homes can be visible.
  9. 9. CCTV
  10. Web cams & video chat: clickjacking • A new threat to all browsers (IE, Firefox, Safari, Opera, Chrome, etc.) except non-interactive browsers like Lynx. • Hijacking your click: you click on something that is hidden from you. • Enable the webcam and microphone. • Get your credentials. • Mostly a Flash- and iframe-based vulnerability. • Discussed at OWASP, 2008.
  11. Why hacking? • Hacking for fun & profit • Capture The Flag • 0-day • Underground economy • Bug bounty
  12. Types of hackers • BlackHat: malicious, destructive • WhiteHat: security professionals • ScriptKiddie: sometimes referred to as n00bz • ????
  13. Hacktivism (Anonymous, WikiLeaks); CyberWar (India-Pakistan, India-China); Pivoting
  14. What do they want? Credentials, PII, PCI data, intellectual property, OSINT
  15. Why Heartbleed? • The TLS Heartbeat extension. The vulnerability lies in the implementation of the TLS Heartbeat extension. In an established SSL session there is a common need to keep the connection alive for a longer time, and the Heartbeat protocol extension was added to TLS for this reason. HTTP keep-alive does the same, but the Heartbeat protocol lets a client do it at a much higher rate. The client sends a Heartbeat request message and the server has to respond with a Heartbeat response.
  16. Why Heartbleed? • `buffer = OPENSSL_malloc(1 + 2 + payload + padding);` Source: https://github.com/openssl/openssl/commit/96db9023b881d7cd9f379b0c154650d6c108e9a3#diff-2
  17. • We can leak 64 KB of memory, which could easily contain usernames/passwords, private keys, etc. • Constant Heartbeat requests can be made to the server, leaking (random memory) any amount of data from the server.
  18. Vulnerable versions
  19. Fix • The fix for this bug was simply to bounds-check the payload + padding length so that it does not exceed 16 bytes.
  20. What's happening in the wild?
  21. What's happening in the wild?
  22. Chromebleed
  23. Chromebleed
  24. And my contribution as well
  25. Is that all?
  26. Not really… http://filippo.io/Heartbleed/
  27. Summary (port: status) • 21: TLS Error • 22: Connection Refused • 25: TLS Error • 53: Connection Refused • 80: Large Record Received • 443: Certificate error
  28. Summary (same port/status table as slide 27)
  29. Same port/status table as slide 27
  30. Thank you • tamaghna.basu@gmail.com • twitter.com/titanlambda • linkedin.com/in/tamaghnabasu
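Slides 15 to 19 describe the Heartbleed bug: the response buffer is sized from the length field in the request, and that many bytes are copied back without checking whether they actually arrived. The C program below is an added illustration, not code from the slides or from OpenSSL: it simulates the record handling inside a constructed in-memory array (a short request claiming 65535 bytes, followed by another connection's credentials) and runs the same handler with and without the check the fix introduced, namely that the claimed payload plus 16 bytes of padding must fit inside the record that was received, as in the OpenSSL commit cited on slide 16. All names (`process_heartbeat`, `leaks_secret`) and data are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>

#define HB_PADDING 16   /* a heartbeat message carries at least 16 bytes of padding */

/* Constructed "process memory" (not a real capture): a heartbeat request whose length
 * field claims 65535 bytes while only 5 payload bytes arrived, then another connection's data. */
static const unsigned char memory[] =
    "\x01"      /* HeartbeatMessageType: request */
    "\xff\xff"  /* claimed payload_length = 65535 */
    "HELLO"     /* the payload that was actually sent */
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"   /* padding */
    "user=alice&password=hunter2 -----BEGIN RSA PRIVATE KEY-----";
#define RECORD_LEN (1 + 2 + 5 + HB_PADDING)   /* bytes the record actually contains */

/* Builds the heartbeat response. checked == 0 trusts the claimed length, as the vulnerable
 * versions did; checked != 0 applies the added bounds check and returns -1 so the record is
 * silently discarded. readable is the size of the simulated allocation (demo-only bound). */
int process_heartbeat(const unsigned char *rec, size_t rec_len, size_t readable,
                      int checked, unsigned char *out)
{
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* attacker-controlled length */
    if (checked && 1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                    /* claimed length does not fit the record: drop it */
    if (3 + payload > readable)
        payload = readable - 3;       /* keeps the demo inside its own array; real code had no such bound */

    out[0] = 0x02;                    /* HeartbeatMessageType: response */
    out[1] = rec[1]; out[2] = rec[2]; /* echo the length field */
    memcpy(out + 3, rec + 3, payload);   /* reads far past the real payload when unchecked */
    return (int)payload;              /* number of payload bytes echoed */
}

/* 1 if the response to the constructed request carries the neighbouring credentials. */
int leaks_secret(int checked)
{
    unsigned char out[sizeof(memory) + 3];
    const char *needle = "hunter2"; size_t k = strlen(needle);
    int n = process_heartbeat(memory, RECORD_LEN, sizeof(memory), checked, out);
    for (size_t i = 0; n > 0 && i + k <= (size_t)n; i++)
        if (memcmp(out + 3 + i, needle, k) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("without check: %s\n", leaks_secret(0) ? "credentials leaked" : "no leak");
    printf("with check:    %s\n", leaks_secret(1) ? "credentials leaked" : "no leak");
    return 0;
}
```

A well-formed request whose length field matches the bytes sent still passes the check and is echoed normally, so the fix costs legitimate clients nothing.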
