Insecurity-In-Security version.2 (2011)


Published on

Presentation (version.2) from 2011 describing how Security mechanisms placed to secure us are insecure themselves.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Insecurity-In-Security version.2 (2011)

  1. 1. ““Hackers WorkHackers Workisis a Form Ofa Form OfParticipationParticipationin the Work ofin the Work ofGod in CreationGod in Creation.”.”-by,-by,Father Antonio Sapadaro (Vatican)Father Antonio Sapadaro (Vatican)RecentNews
  2. 2. Do You?Do You?+ O.S. User Accounts+ Browse Web+ Use Web Services+ Use Computer Networks Any Way+ Have Any Form Of Binary Data
  3. 3. You Are Not Secure If You Dont...You Are Not Secure If You Dont...+ Use Strong Passwords n Keep Them Safe+ Browse Web In Safe Browsers+ Use SSL-ified Web Services+ Use Patched Name Servers+ Keep Your Data Protected
  4. 4. You Are InSecure Even If You Did...You Are InSecure Even If You Did...
  5. 5. IInnSSecurityecuritySSecurityecurityIInnSecurity is just maintained... its never achieved.
  6. 6. First Some history from VersionFirst Some history from Version 11
  7. 7. O.S. User AccountsO.S. User Accounts
  8. 8. Bypass Account ProtectionBypass Account Protection
  9. 9. Vaccinated BrowsersVaccinated Browsers
  10. 10. Browsing <Unknown> WWWBrowsing <Unknown> WWW[+] SMBEnum|=+ using file ://, res ://, resource ://Say, if it gains success accessingfile:///c:/oracle/ora81/bin/orclcontainer.bmp[+] ResTiming Attack|=+ using res ://, resource :// to executeSo, gains timing for different binaries &Identify which exists
  11. 11. Protector of AllProtector of All
  12. 12. Defeating SSLDefeating SSL[] “Signing Authority” field in Digital Certificates[] Tricking SSL Libraries with NULL Mod Certificates[] Online Certificate Revocation Policy {ResponseStatus=3, ResponseBytes= || SSL}
  13. 13. Basis Of All NetworksBasis Of All Networks
  14. 14. DNSSEC aint all GOODDNSSEC aint all GOOD[] Provides Origin Auth, IntegrityProtection, PKI & even Auth. Denial of DataExistence[] Still No Confidentiality {basics of security}AND CPU-flooding is possible due to exhaustivecryptography[] Variation of DNS Rebinding Attackpresented at BH2010 still affected network
  15. 15. Data ForensicsData Forensics
  16. 16. Data Forensic HackersData Forensic Hackers[] Data Carving (Imaging RAM, Dig O.S.)[] Dig Information from Files[] Timestomp, Zipbomb-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-[] Mining Network Traffic for Files/Sessions
  17. 17. Now Some Mystery for VersionNow Some Mystery for Version 22
  18. 18. Hash-Crack on SteroidsHash-Crack on Steroids
  19. 19. RSA Theft & ThreatRSA Theft & Threat
  20. 20. Comodo Pwn3d CertSComodo Pwn3d CertSJanamFadayeRahbar
  21. 21. OpenBSD n BackdoorsOpenBSD n Backdoors[]10yrs back FBI consulted NETSEC, CTO Perry[]Lotz of code commit by NETSEC developers[]Few daz back, Perrys NDA expired with FBI[]Alleged backdoors in IPSEC Stack[]FreeBSD inherited lotz code from OpenBSD
  22. 22. Samsung Key-loG ConflictSamsung Key-loG Conflict
  23. 23. Who Is This Guy?Who Is This Guy?Family Named: AbhishekKrFriends Call: ABKg33k Handle: aBionic {@Twitter, @LinkedIn, @Facebook}Itweet : http://abhishekkr.wordpress.comSecurity Enthusiast; Working for ThoughtWorks Inc.; OpenSource LoverMy Crime Is That Of CurosityMy Crime Is That Of CurosityANY QUESTIONS?ANY QUESTIONS?