5. Top talks
● Keynote
● How to wear your Password
● Web and Mail Filtering
● Hack all the Things
● Deception in Cyber
● Pivoting in Amazon Clouds
● Call to Arms: a Tale of the Weaknesses of Current Client-side XSS Filtering
● Survey of Remote Attack Surfaces
● Panel: API Security
● Third Party Libraries and Dependencies
● Security in CI
● Memcached Injections
6. What happens if you abandon your car on the side of the road?
- Someone else will eventually take ownership, so why shouldn't the same be true of software?
8. How secure is the average password?
- 8 bits of security, very quick to crack
- A biometric fingerprint is 30 bits of data, but even less security because of similarities between people's prints
9. Wear Your Password
● Computational power
● Increase authentication difficulty, but limit its use
● A device to represent you
10. Do we have web and email filtering?
- Yes and Yes
Does it protect us from phishing?
11. Enumeration of Web/Mail Filter Policy
● Using non-existent email addresses you can learn a lot about the mail servers (bounce and filter behaviour)
● Client-side JavaScript can be used to test any number of web filter policy options
12. In what ways can a system be compromised?
- Physically (UART, eMMC readers)
- Software vulnerabilities (XSS, command injection)
13. Hack All the Things
Three main attack vectors are generally used:
● Software vulnerabilities (XSS, command injection)
● eMMC/memory dumps
● UART - onboard serial connection
Don't ever give physical access to anything!
14. Which countries are the most practiced in deception?
- China
- Russia
- Ukraine
15. Deception in Cyber
● Strength in words, developing a lexicon
● History of deception
16. Question Time
Name some well-known companies that are already on the cloud
Amazon, AT&T, Google, Microsoft, Salesforce.com
What are some security vulnerabilities with cloud-based services?
Losing security keys. Don't share keys with anyone, not even your provider!
Techniques for preventing attacks?
Split-key encryption.
The provider gives you the infrastructure, but you are responsible for security
knowing your application inside and out and not simply
17. Lessons
Providers give you the infrastructure but you are responsible for making sure you don't lose your secrets!
“The specific challenges differ for the three cloud delivery models, but in all cases the difficulties are created by the very nature of utility computing, which is based on resource sharing and resource virtualization and requires a different trust model than the ubiquitous user-centric model that has been the standard for a long time.”
18. Pivoting in Amazon Clouds
● AWS credentials are stored in the metadata server for each instance
● IAM profile management strategies
o divide up
● code demo for nimbostratus
o includes hacking into AWS for credentials
o provides a sample environment AWS setup to hack
19. Question Time
What is XSS?
cross site scripting
What are the different types of XSS attacks?
reflected and stored
What are some techniques to prevent XSS attacks?
Regular-expression-based approaches: NoScript, Internet Explorer
20. Call to Arms XSS
● basics of XSS: reflected and stored
● Ways to prevent attacks:
o Chrome XSS Auditor
o libraries
o choice of framework
● Demo of hacking through the Chrome XSS Auditor
21. Question Time
What kinds of cars can be hacked?
Any car that relies on software to control parts of the car. “If you can write a web-based exploit you can hack into a car!” (quote from the talk)
Define cyber physical attacks
Attacks that result in physical control of various aspects of the automobile
23. A Survey of Remote Automotive Attack Surfaces
Most hackable:
1. 2014 Jeep Cherokee
2. 2015 Cadillac Escalade
3. 2014 Infiniti Q50
Least hackable:
1. 2014 Dodge Viper
2. 2014 Audi A8
3. 2014 Honda Accord
24. Demo Time!
Attack against test env
Bonus Question:
What does CVSS stand for?
25. Third Party Libraries and Dependencies
CVSS - Common Vulnerability Scoring System
OpenSSL - Heartbleed: destroyed the idea of security for the average person
26. Question Time!
Name two of the most common types of attacks
Any 2 of 3: XSS, DDoS, SQL injection
Name the open-source Linux distro that helps you test for vulnerabilities
Kali Linux
27. Security in CI
We can't wait for something to happen
Technologies that test for external dependency vulnerabilities - SensioLabs, OWASP
Request for security-minded people
28. Rugged Manifesto
I am rugged and, more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with this foundational role.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
I recognize these things - and I choose to be rugged.
I am rugged because I refuse to be a source of vulnerability or weakness.
I am rugged because I assure my code will support its mission.
I am rugged because my code can face these challenges and persist in spite of them.
I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.
29. Start Doing...
● hackweek projects that involve hacking and prevention improvements
● considering possible security breaches when reviewing teammates' pull requests
● security lunch and learns
● capture the flag
● monthly security hacking sessions (front end, back end)
30. Stop Doing...
Waiting for a problem to arise
Trusting security to other people
What do you see wrong?
31. Thoughts Provoked by Talks at the Conference
We are responsible for our security even if we are using third-party services
32. Links to Blackhat Material
List of Blackhat Talks
2014 Slides, Whitepapers and Source Code
Call to arms XSS Whitepaper
Call to arms XSS Slides
Pivoting in Amazon Clouds Whitepaper
Pivoting in Amazon Clouds Slides
Survey of Remote Attack Surfaces
The water hole attack is a 3-step process. First, the attacker does reconnaissance and research on the target, finding trusted websites often visited by employees of the target company. Second, the attacker inserts an exploit into the trusted sites. Finally, when your employees visit the trusted site, the exploit takes advantage of vulnerabilities on their systems.
The solution? Vulnerability shielding: update and patch all software regularly to limit the possible access points.
What are the different types of XSS attacks?
Reflected XSS denotes all non-persistent XSS issues, which occur when the web application blindly echoes parts of the HTTP request in the respective HTTP response's HTML. In order to successfully exploit a reflected XSS vulnerability, the adversary has to trick the victim into sending a fabricated HTTP request. This can be done by, for instance, sending the victim a malicious link, or including a hidden iframe in an attacker-controlled page.
Stored XSS refers to all XSS vulnerabilities where the adversary is able to permanently inject the malicious script into the vulnerable application's storage. This way every user that accesses the poisoned web page receives the injected script without further action by the adversary.
DOM Based XSS (AKA Type-0)
As defined by Amit Klein, who published the first article about this issue [1], DOM Based XSS is a form of XSS where the entire tainted data flow from source to sink takes place in the browser, i.e., the source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser. For example, the source (where malicious data is read) could be the URL of the page (e.g., document.location.href), or it could be an element of the HTML, and the sink is a sensitive method call that causes the execution of the malicious data (e.g., document.write).
Have everyone repeat the “Rugged Manifesto”. It is important for everyone to say it out loud.