Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
internet security
Past, present and future
Tamaghna Basu
tamaghna.basu@gmail.com
www.tbasu.com
Weekendsecurity.org
Disclaimer!
 The content of this presentation and techniques showed
here are for educational purpose only The organizers ...
http://www.slideshare.net/AnkamKarthik/zion-se
http://www.slideshare.net/AnkamKarthik/zion-se
 Confidentiality- data security
 Integrity- digital signature and audit trails
 Availability- load balancing, throttlin...
You are being watched - CCTV
•Weak or no authentication on
CCTVs
•Easily accessible
CCTV
How ?
• IP addresses and the links of the
CCTVs’ pages are found in
Google search results.
• Even CCTVs inside homes
...
CCTV
Web Cams &Video Chat
Clickjacking -
 A new threat to all browsers (IE, Firefox,
Safari, Opera, Chrome etc) except non-
in...
Why Hacking?
 Hacking for fun & profit
 Capture The Flag
 0’day
 Underground economy
 Bug Bounty
Types of hackers
BlackHat
•Malicious, destructive
WhiteHat
•Security professionals
ScriptKiddie
•Sometimes referred to as ...
Hacktivism
Anonymous
Wiki Leaks
CyberWar
India-Pakistan
India-China
Pivoting
What do they want?
Credentials
PII information
PCI Data
Intellectual Property
OSINT
Why heart bleed?
 TLS HearBeat Extension.
The vulnerability lies in the implementation of TLS
Heartbeat extension. There ...
Why heart bleed?
 buffer = OPENSSL_malloc(1 + 2 + payload +
padding);
SOURCE :
https://github.com/openssl/openssl/commit/...
• We can leak 64 kb of memory and that
could easily have usernames/password,
private keys etc.
• Constant HB request could...
Vulnerable versions
Fix
• The fix to this bug was to simply bound
check the payload + padding length to
not exceed 16 bytes .
What’s happening in the wild?
What’s happening in the wild?
Chromebleed
chromebleed
And My contribution as well 
Is that all?
Not really…
http://filippo.io/Heartbleed/
Summary
Port Status
21 TLS Error
22 Connection Refused
25 TLS Error
53 Connection Refused
80 Large Record Received
443 Cer...
Summary
Port Status
21 TLS Error
22 Connection
Refused
25 TLS Error
53 Connection
Refused
80 Large
Record
Received
443 Cer...
Port Status
21 TLS Error
22 Connection
Refused
25 TLS Error
53 Connection
Refused
80 Large
Record
Received
443 Certificate...
42
Thank you
 tamaghna.basu@gmail.com
 twitter.com/titanlambda
 linkedin.com/in/tamaghnabasu
Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna Basu
Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna Basu
Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna Basu
Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna Basu
Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna Basu
Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna Basu
Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna Basu
Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna Basu
Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna Basu
Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna Basu
Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna Basu
Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna Basu
Upcoming SlideShare
Loading in …5
×

Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna Basu

660 views

Published on

Published in: Technology, Education
  • Be the first to comment

Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna Basu

  1. 1. internet security Past, present and future Tamaghna Basu tamaghna.basu@gmail.com www.tbasu.com
  2. 2. Weekendsecurity.org
  3. 3. Disclaimer!  The content of this presentation and techniques showed here are for educational purpose only The organizers and presenters do not encourage the attendees to use this knowledge learned here for any malicious and illegal purpose.  If the attendees use this knowledge for any kind of real hacking or illegal activity which violates the law, then we, the organizers and the presenters will not be responsible for that or any further consequences.
  4. 4. http://www.slideshare.net/AnkamKarthik/zion-se
  5. 5. http://www.slideshare.net/AnkamKarthik/zion-se
  6. 6.  Confidentiality- data security  Integrity- digital signature and audit trails  Availability- load balancing, throttling CIA Triad Integrity
  7. 7. You are being watched - CCTV •Weak or no authentication on CCTVs •Easily accessible
  8. 8. CCTV How ? • IP addresses and the links of the CCTVs’ pages are found in Google search results. • Even CCTVs inside homes could be visible.
  9. 9. CCTV
  10. 10. Web Cams &Video Chat Clickjacking -  A new threat to all browsers (IE, Firefox, Safari, Opera, Chrome etc) except non- interactive browsers like Lynx.  Hijacking your click. Clicking on something hidden to the users.  Enable webcam, microphone.  Get your credentials.  Mostly a flash and iframe based vulnerability.  Discussed in OWASP - 2008
  11. 11. Why Hacking?  Hacking for fun & profit  Capture The Flag  0’day  Underground economy  Bug Bounty
  12. 12. Types of hackers BlackHat •Malicious, destructive WhiteHat •Security professionals ScriptKiddie •Sometimes referred to as n00bz ????
  13. 13. Hacktivism Anonymous Wiki Leaks CyberWar India-Pakistan India-China Pivoting
  14. 14. What do they want? Credentials PII information PCI Data Intellectual Property OSINT
  15. 15. Why heart bleed?  TLS HearBeat Extension. The vulnerability lies in the implementation of TLS Heartbeat extension. There is common necessity in an established ssl session to maintain the connection for a longer time. The HeartBeat protocol extension is added to TLS for this reason. The HTTP keep-alive feature does the same but HB protocol allows a client to perform this action in much higher rate. The client can send a Heart-Beat request message and the server has to respond back with a HearBeat response .
  16. 16. Why heart bleed?  buffer = OPENSSL_malloc(1 + 2 + payload + padding); SOURCE : https://github.com/openssl/openssl/commit/96db9023b881d7cd9f3 79b0c154650d6c108e9a3#diff-2
  17. 17. • We can leak 64 kb of memory and that could easily have usernames/password, private keys etc. • Constant HB request could be made to the server leaking (random memory) any amount of data from the server .
  18. 18. Vulnerable versions
  19. 19. Fix • The fix to this bug was to simply bound check the payload + padding length to not exceed 16 bytes .
  20. 20. What’s happening in the wild?
  21. 21. What’s happening in the wild?
  22. 22. Chromebleed
  23. 23. chromebleed
  24. 24. And My contribution as well 
  25. 25. Is that all?
  26. 26. Not really… http://filippo.io/Heartbleed/
  27. 27. Summary Port Status 21 TLS Error 22 Connection Refused 25 TLS Error 53 Connection Refused 80 Large Record Received 443 Certificate error
  28. 28. Summary Port Status 21 TLS Error 22 Connection Refused 25 TLS Error 53 Connection Refused 80 Large Record Received 443 Certificate error
  29. 29. Port Status 21 TLS Error 22 Connection Refused 25 TLS Error 53 Connection Refused 80 Large Record Received 443 Certificate error
  30. 30. 42 Thank you  tamaghna.basu@gmail.com  twitter.com/titanlambda  linkedin.com/in/tamaghnabasu

×