Hash Table, as the most fundamental Data Structure in Computer Science, is extensively applied in Software Architecture to store data in an associative manner. However, its architecture makes it prone to Collision Attacks. To deal with this problem, 25 years ago, Microsoft designed its own Dynamic Hashing algorithm and applied it everywhere in IIS, the Web Server from Microsoft, to serve various data from HTTP Stack. As Hash Table is everywhere, isn't the design from Microsoft worth scrutinizing?
We dive into IIS internals through months of Reverse-Engineering efforts to examine both the Hash Table implementation and the use of Hash Table algorithms. Several types of attacks are proposed and uncovered in our research, including (1) A specially designed Zero-Hash Flooding Attack against Microsoft's self-implemented algorithm. (2) A Cache Poisoning Attack based on the inconsistency between Hash-Keys. (3) An unusual Authentication Bypass based on a hash collision.
By understanding this talk, the audience won't be surprised why we can destabilize the Hash Table easily. The audience will also learn how we explore the IIS internals and will be surprised by our results. These results could not only make a default installed IIS Server hang with 100% CPU but also modify arbitrary HTTP responses through crafted HTTP request. Moreover, we'll demonstrate how we bypass the authentication requirement with a single, crafted password by colliding the identity cache!
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...CODE BLUE
Since 2010 Stuxnet caused substantial damage to the nuclear program of Iran, ICS security issues have been raised. Lots of researchers dig into the hacking skills and path and those known attacks in the history and more malwares and events happened. Enterprises need an efficient way to find vulnerabilities but they might not have the budget for ICS pentesters , which need strong background knowledge , and all the fields they have. To solve this problem, we try to make a rare OT targeting , open source adversary emulation tool as a plugin on MITRE open source tool - Caldera. Users can easily combine IT attacks with our OT adversaries and change steps of attacks or send manual commands in the process.
We summarize the experience of reviewing over 20 factories traffic and analyzing 19 MITRE defined ICS malwares, PIPEDREAM/Incontroller in 2022. We found the main trend of ICS malwares changes from single protocol targeting to modularized , multiple protocols supporting. The actions in malwares can be summarized as a 4 stages attacking flow, We will explain it with the real attacks from malwares. We use the above conclusions to build automatic adversary emulation tool.
Now the tool already supports 10 common protocols and over 23 techniques on the MITRE ICS matrix , which is able to reproduce over 80% of defined ICS malware actions in OT. We also follow the 4 stages conclusion to add some attacks havent been used by any malwares. We have tested it on real oil ,gas ,water, electric power factory devices , protocol simulations for SCADA developers and honeypot. We will have a demo in this presentation.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
Printer has become one of the essential devices in the corporate intranet for the past few years, and its functionalities have also increased significantly. Not only print or fax, cloud printing services like AirPrint are also being supported as well to make it easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use it to print some internal business documents of the company, which makes it even more important to keep the printer safe.
Nowadays, most of the printers on the market do not have to be connected with USB or traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems, but use RTOS(Real-Time Operating System) instead, how will this affect the attacker?
In this talk, we will use Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case study, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in RTOS in unauthenticated situations.
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...CODE BLUE
As the security industry has grown we've seen every aspect of our world become more complicated and more overwhelming. We're consistently promised solutions and technology to make our lives easier, to stop the attacker, to catch them quicker, to automate the pain away, but the reality falls flat. Frankly, it's underwhelming. Understanding where your program stands today, where you should spend time and resources, and how best to reduce risk to your organization are key aspects of any program. Join us to discuss and discover what some of the largest organizations in the world are doing to try to make sense of it all, and how they got there.
Book Preview: A Practical Introduction to the Xilinx Zynq-7000 Adaptive SoCDerek Murray
Preview document for my first book: https://www.amazon.com/Practical-Introduction-Xilinx-Zynq-7000-Adaptive-ebook/dp/B09DZRYFRD/
Note that while color illustrations are used in this preview, all currently available editions use grayscale images.
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
This document discusses the results of long-term scanning and analysis of Winnti 4.0 and ShadowPad malware command and control (C2) protocols. It finds that Winnti 4.0 C2s primarily use TLS, HTTPS, and HTTP, while ShadowPad variants primarily use TCP, HTTPS, and HTTP. Analysis of the protocols reveals encryption methods, packet structures, and server-side functionality. Over time, the number and distribution of active C2s changed, likely in response to research publications and incident response actions. The document advocates for anonymization techniques and merits and risks of future research publications.
The document provides an overview of malicious software including viruses, worms, Trojan horses, and distributed denial of service (DDoS) attacks. It defines viruses as self-replicating code that attaches itself to other programs and executes when the host program runs. Worms are independent programs that replicate themselves across networks to infect other computers. The document also describes other types of malicious software like backdoors, logic bombs, and Trojan horses, and explains how DDoS attacks are constructed to overwhelm servers.
A Trojan horse is a type of malware that disguises itself as legitimate software to trick users into installing it. There are two main types: programs with malicious code inserted by hackers, and standalone files masquerading as something harmless like a game. Trojans can carry various payloads like time bombs, logic bombs, or droppers. To avoid infection, users should only download software from trusted sources, use antivirus tools, and avoid unexpected file attachments.
Presentation for Roadshow of Cyber Security Marathon 2018
Mozilla Community Space
Jakarta, 2018-01-20
How many of you know firmware?
Then how many of you know that firmware can be reversed?
Let's see how can we do that.
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...CODE BLUE
Since 2010 Stuxnet caused substantial damage to the nuclear program of Iran, ICS security issues have been raised. Lots of researchers dig into the hacking skills and path and those known attacks in the history and more malwares and events happened. Enterprises need an efficient way to find vulnerabilities but they might not have the budget for ICS pentesters , which need strong background knowledge , and all the fields they have. To solve this problem, we try to make a rare OT targeting , open source adversary emulation tool as a plugin on MITRE open source tool - Caldera. Users can easily combine IT attacks with our OT adversaries and change steps of attacks or send manual commands in the process.
We summarize the experience of reviewing over 20 factories traffic and analyzing 19 MITRE defined ICS malwares, PIPEDREAM/Incontroller in 2022. We found the main trend of ICS malwares changes from single protocol targeting to modularized , multiple protocols supporting. The actions in malwares can be summarized as a 4 stages attacking flow, We will explain it with the real attacks from malwares. We use the above conclusions to build automatic adversary emulation tool.
Now the tool already supports 10 common protocols and over 23 techniques on the MITRE ICS matrix , which is able to reproduce over 80% of defined ICS malware actions in OT. We also follow the 4 stages conclusion to add some attacks havent been used by any malwares. We have tested it on real oil ,gas ,water, electric power factory devices , protocol simulations for SCADA developers and honeypot. We will have a demo in this presentation.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
Printer has become one of the essential devices in the corporate intranet for the past few years, and its functionalities have also increased significantly. Not only print or fax, cloud printing services like AirPrint are also being supported as well to make it easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use it to print some internal business documents of the company, which makes it even more important to keep the printer safe.
Nowadays, most of the printers on the market do not have to be connected with USB or traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems, but use RTOS(Real-Time Operating System) instead, how will this affect the attacker?
In this talk, we will use Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case study, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in RTOS in unauthenticated situations.
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...CODE BLUE
As the security industry has grown we've seen every aspect of our world become more complicated and more overwhelming. We're consistently promised solutions and technology to make our lives easier, to stop the attacker, to catch them quicker, to automate the pain away, but the reality falls flat. Frankly, it's underwhelming. Understanding where your program stands today, where you should spend time and resources, and how best to reduce risk to your organization are key aspects of any program. Join us to discuss and discover what some of the largest organizations in the world are doing to try to make sense of it all, and how they got there.
Book Preview: A Practical Introduction to the Xilinx Zynq-7000 Adaptive SoCDerek Murray
Preview document for my first book: https://www.amazon.com/Practical-Introduction-Xilinx-Zynq-7000-Adaptive-ebook/dp/B09DZRYFRD/
Note that while color illustrations are used in this preview, all currently available editions use grayscale images.
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
This document discusses the results of long-term scanning and analysis of Winnti 4.0 and ShadowPad malware command and control (C2) protocols. It finds that Winnti 4.0 C2s primarily use TLS, HTTPS, and HTTP, while ShadowPad variants primarily use TCP, HTTPS, and HTTP. Analysis of the protocols reveals encryption methods, packet structures, and server-side functionality. Over time, the number and distribution of active C2s changed, likely in response to research publications and incident response actions. The document advocates for anonymization techniques and merits and risks of future research publications.
The document provides an overview of malicious software including viruses, worms, Trojan horses, and distributed denial of service (DDoS) attacks. It defines viruses as self-replicating code that attaches itself to other programs and executes when the host program runs. Worms are independent programs that replicate themselves across networks to infect other computers. The document also describes other types of malicious software like backdoors, logic bombs, and Trojan horses, and explains how DDoS attacks are constructed to overwhelm servers.
A Trojan horse is a type of malware that disguises itself as legitimate software to trick users into installing it. There are two main types: programs with malicious code inserted by hackers, and standalone files masquerading as something harmless like a game. Trojans can carry various payloads like time bombs, logic bombs, or droppers. To avoid infection, users should only download software from trusted sources, use antivirus tools, and avoid unexpected file attachments.
Presentation for Roadshow of Cyber Security Marathon 2018
Mozilla Community Space
Jakarta, 2018-01-20
How many of you know firmware?
Then how many of you know that firmware can be reversed?
Let's see how can we do that.
This document contains an agenda for a presentation that includes topics such as exploit development, web application hacking methodology, SQLMap, vulnerability assessment, malware analysis, reverse engineering, and cybersecurity conferences. It also addresses frequently asked questions about capture the flag events, bug bounty programs, and security certifications. Resources like exploit code examples, tool documentation, hacking forums, and malware repositories are listed.
Jemalloc can help debug memory leaks in ATS plugins. It provides memory profiling by sampling memory allocations and dumping profiles to files. These profiles can then be viewed as gifs to analyze the call graph. The author provides two case studies where jemalloc helped identify leaks - a leak over months in ATS fronting APIs, and a 12 hour leak from a bug in their Brotli plugin. Jemalloc also improved ATS scalability by addressing issues with memory operations and plugins stressing the CPU to higher utilization.
This document discusses modern malware threats and techniques. It defines malware and describes traditional vs modern malware approaches. Modern malware uses stealthy techniques like obfuscation and rootkits to avoid detection. It communicates through various protocols and services to command and control systems. The document outlines threat actors like cybercriminals, nation-states and hacktivists and recommends defenses like antivirus, firewalls, and employee training to mitigate risks.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles, "Daily Cycle," "Campaign Cycle," and "Post-exploit Cycle." The"Daily Cycle" can collect massive credentials and use the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
The cyber kill chain describes cyber attacks from an attacker's perspective through distinct phases: (1) reconnaissance, (2) weaponization, (3) delivery, (4) exploitation, (5) installation, (6) command and control, and (7) actions on objectives. Each phase of the kill chain can be mapped to defensive tools and actions to prevent attacks. Understanding the kill chain stages gives analysts insight into what is being attempted and how to respond appropriately. The kill chain was developed by Lockheed Martin as a method to describe intrusions and prevent advanced persistent threats by highly trained adversaries targeting sensitive information.
This document discusses techniques for analyzing malware samples without executing them. It covers static analysis methods like identifying the file type and architecture, fingerprinting with hashes, scanning for known signatures, extracting strings, analyzing the PE header, and comparing samples. The goal of static analysis is to learn as much as possible about the malware before executing it, in order to focus subsequent dynamic analysis efforts. Manual and automated tools are described throughout for performing static analysis tasks like string extraction, unpacking obfuscated files, and classifying samples.
The document discusses secure boot, trusted boot, and their differences. It provides an overview of standard boot processes, secure boot processes where each step is cryptographically signed, and trusted boot which records measurements to the TPM for later verification. It also proposes a solution for secure boot in 5G plugin units using platform keys, key exchange keys, and allowed/forbidden signature databases.
This document summarizes the history of L0phtCrack from 1997 to early 2016. It describes the origins and early releases of L0phtCrack by Mudge and others in 1997-2000. It then discusses later versions released by @stake from 2001-2004. After being purchased back by the original developers in 2009, L0phtCrack saw updates through 2015. An early 2016 release completely overhauled the codebase and added support for GPU, Unix, and open plugins. The document outlines future plans like Mac support, integration with other tools, and expanded reporting.
This document summarizes updates to CompTIA A+, Network+, and Security+ certification exams. It discusses the addition of performance-based questions to these exams starting in late 2012/early 2013. These will involve simulated environments to test hands-on troubleshooting skills, and will reduce the number of multiple choice questions. The goal is for the exams to better measure practical skills required for IT jobs.
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
I'm Cuckoo for Malware provides an introductory overview to Cuckoo Sandbox and Malware Analysis. This talk walks through discussing different types of malware and what they do, to explaining how Cuckoo Sandbox works and how to get the best results from it. The talk will cover how to harden your sandbox against Malware authors attempts to avoid analysis and give ideas for listeners wanting to set up custom environments of their own. The goal of the talk is to allow listeners with enough information so that they can begin analyzing malware in their own Cuckoo-based sandbox environment.
A college lecture at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
This document summarizes a presentation about finding vulnerabilities in the Windows kernel network stack. It discusses how exploiting complex and uncommon features like IPv6 packet fragmentation can lead to vulnerabilities. Specifically, it describes CVE-2014-9383, a remote code execution vulnerability discovered in a Bitdefender NDIS filter driver through an IPv6 packet defragmentation bug. The presentation outlines techniques for kernel bug hunting such as intercepting packets and overwriting packet data buffers to cause memory overflows. It also notes tools that can help with reverse engineering NDIS drivers like NDISaster.
A talk on ZAP Automation in CI/CD given remotely to OWASP Switzerland on 9th Febrary 2021 by Simon Bennetts.
Full video: https://www.youtube.com/watch?v=5oMp5O9CeSg
The SQL Slammer worm exploited a buffer overflow bug in Microsoft's SQL Server to spread rapidly on January 25, 2003, infecting over 75,000 computers within the first 10 minutes and causing internet slowdowns. It functioned as a worm and denial of service attack by replicating itself and overloading vulnerable systems. Users could protect themselves by updating to the latest SQL Server service pack or downloading patches from security companies.
This document provides a cheat sheet of best practices for hardening sandboxes against detection by malware. It lists techniques used by malware to detect sandbox environments, such as checking registry keys, processes, files, and assembly instructions. It also discusses methods used to avoid detection like masking analysis tools, reproducing normal user behavior, and dealing with timing attacks. A number of open source tools are recommended for testing a sandbox's defenses.
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Fuzzing has become a cheap and fast process for any entity looking to test the robustness of a system. In this talk we will consider the Windows Subsystem for Linux, which is a brand new subsystem implemented in the Windows Kernel. It features a compatibility interface with most of the Linux Kernel’s APIs and File systems that allows Linux developers to run their code directly on Windows. Due to the complexity and the originality of this attack surface, Microsoft has thoroughly put it under Trinity’s stress testing. Our purpose will be to provide insights on how to improve upon previous attempts in order to discover new bugs and review the architecture of WSL for further research.
In Memory Database In Action by Tanel Poder and Kerry OsborneEnkitec
The document discusses Oracle Database In-Memory option and how it improves performance of data retrieval and processing queries. It provides examples of running a simple aggregation query with and without various performance features like In-Memory, vector processing and bloom filters enabled. Enabling these features reduces query elapsed time from 17 seconds to just 3 seconds by minimizing disk I/O and leveraging CPU optimizations like SIMD vector processing.
Oracle Database In-Memory Option in ActionTanel Poder
The document discusses Oracle Database In-Memory option and how it improves performance of data retrieval and processing queries. It provides examples of running a simple aggregation query with and without various performance features like In-Memory, vector processing and bloom filters enabled. Enabling these features reduces query elapsed time from 17 seconds to just 3 seconds by minimizing disk I/O and leveraging CPU optimizations like SIMD vector processing.
This document contains an agenda for a presentation that includes topics such as exploit development, web application hacking methodology, SQLMap, vulnerability assessment, malware analysis, reverse engineering, and cybersecurity conferences. It also addresses frequently asked questions about capture the flag events, bug bounty programs, and security certifications. Resources like exploit code examples, tool documentation, hacking forums, and malware repositories are listed.
Jemalloc can help debug memory leaks in ATS plugins. It provides memory profiling by sampling memory allocations and dumping profiles to files. These profiles can then be viewed as gifs to analyze the call graph. The author provides two case studies where jemalloc helped identify leaks - a leak over months in ATS fronting APIs, and a 12 hour leak from a bug in their Brotli plugin. Jemalloc also improved ATS scalability by addressing issues with memory operations and plugins stressing the CPU to higher utilization.
This document discusses modern malware threats and techniques. It defines malware and describes traditional vs modern malware approaches. Modern malware uses stealthy techniques like obfuscation and rootkits to avoid detection. It communicates through various protocols and services to command and control systems. The document outlines threat actors like cybercriminals, nation-states and hacktivists and recommends defenses like antivirus, firewalls, and employee training to mitigate risks.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles, "Daily Cycle," "Campaign Cycle," and "Post-exploit Cycle." The"Daily Cycle" can collect massive credentials and use the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
The cyber kill chain describes cyber attacks from an attacker's perspective through distinct phases: (1) reconnaissance, (2) weaponization, (3) delivery, (4) exploitation, (5) installation, (6) command and control, and (7) actions on objectives. Each phase of the kill chain can be mapped to defensive tools and actions to prevent attacks. Understanding the kill chain stages gives analysts insight into what is being attempted and how to respond appropriately. The kill chain was developed by Lockheed Martin as a method to describe intrusions and prevent advanced persistent threats by highly trained adversaries targeting sensitive information.
This document discusses techniques for analyzing malware samples without executing them. It covers static analysis methods like identifying the file type and architecture, fingerprinting with hashes, scanning for known signatures, extracting strings, analyzing the PE header, and comparing samples. The goal of static analysis is to learn as much as possible about the malware before executing it, in order to focus subsequent dynamic analysis efforts. Manual and automated tools are described throughout for performing static analysis tasks like string extraction, unpacking obfuscated files, and classifying samples.
The document discusses secure boot, trusted boot, and their differences. It provides an overview of standard boot processes, secure boot processes where each step is cryptographically signed, and trusted boot which records measurements to the TPM for later verification. It also proposes a solution for secure boot in 5G plugin units using platform keys, key exchange keys, and allowed/forbidden signature databases.
This document summarizes the history of L0phtCrack from 1997 to early 2016. It describes the origins and early releases of L0phtCrack by Mudge and others in 1997-2000. It then discusses later versions released by @stake from 2001-2004. After being purchased back by the original developers in 2009, L0phtCrack saw updates through 2015. An early 2016 release completely overhauled the codebase and added support for GPU, Unix, and open plugins. The document outlines future plans like Mac support, integration with other tools, and expanded reporting.
This document summarizes updates to CompTIA A+, Network+, and Security+ certification exams. It discusses the addition of performance-based questions to these exams starting in late 2012/early 2013. These will involve simulated environments to test hands-on troubleshooting skills, and will reduce the number of multiple choice questions. The goal is for the exams to better measure practical skills required for IT jobs.
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
I'm Cuckoo for Malware provides an introductory overview to Cuckoo Sandbox and Malware Analysis. This talk walks through discussing different types of malware and what they do, to explaining how Cuckoo Sandbox works and how to get the best results from it. The talk will cover how to harden your sandbox against Malware authors attempts to avoid analysis and give ideas for listeners wanting to set up custom environments of their own. The goal of the talk is to allow listeners with enough information so that they can begin analyzing malware in their own Cuckoo-based sandbox environment.
A college lecture at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
This document summarizes a presentation about finding vulnerabilities in the Windows kernel network stack. It discusses how exploiting complex and uncommon features like IPv6 packet fragmentation can lead to vulnerabilities. Specifically, it describes CVE-2014-9383, a remote code execution vulnerability discovered in a Bitdefender NDIS filter driver through an IPv6 packet defragmentation bug. The presentation outlines techniques for kernel bug hunting such as intercepting packets and overwriting packet data buffers to cause memory overflows. It also notes tools that can help with reverse engineering NDIS drivers like NDISaster.
A talk on ZAP Automation in CI/CD given remotely to OWASP Switzerland on 9th Febrary 2021 by Simon Bennetts.
Full video: https://www.youtube.com/watch?v=5oMp5O9CeSg
The SQL Slammer worm exploited a buffer overflow bug in Microsoft's SQL Server to spread rapidly on January 25, 2003, infecting over 75,000 computers within the first 10 minutes and causing internet slowdowns. It functioned as a worm and denial of service attack by replicating itself and overloading vulnerable systems. Users could protect themselves by updating to the latest SQL Server service pack or downloading patches from security companies.
This document provides a cheat sheet of best practices for hardening sandboxes against detection by malware. It lists techniques used by malware to detect sandbox environments, such as checking registry keys, processes, files, and assembly instructions. It also discusses methods used to avoid detection like masking analysis tools, reproducing normal user behavior, and dealing with timing attacks. A number of open source tools are recommended for testing a sandbox's defenses.
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Fuzzing has become a cheap and fast process for any entity looking to test the robustness of a system. In this talk we will consider the Windows Subsystem for Linux, which is a brand new subsystem implemented in the Windows Kernel. It features a compatibility interface with most of the Linux Kernel’s APIs and File systems that allows Linux developers to run their code directly on Windows. Due to the complexity and the originality of this attack surface, Microsoft has thoroughly put it under Trinity’s stress testing. Our purpose will be to provide insights on how to improve upon previous attempts in order to discover new bugs and review the architecture of WSL for further research.
In Memory Database In Action by Tanel Poder and Kerry OsborneEnkitec
The document discusses Oracle Database In-Memory option and how it improves performance of data retrieval and processing queries. It provides examples of running a simple aggregation query with and without various performance features like In-Memory, vector processing and bloom filters enabled. Enabling these features reduces query elapsed time from 17 seconds to just 3 seconds by minimizing disk I/O and leveraging CPU optimizations like SIMD vector processing.
Oracle Database In-Memory Option in ActionTanel Poder
The document discusses Oracle Database In-Memory option and how it improves performance of data retrieval and processing queries. It provides examples of running a simple aggregation query with and without various performance features like In-Memory, vector processing and bloom filters enabled. Enabling these features reduces query elapsed time from 17 seconds to just 3 seconds by minimizing disk I/O and leveraging CPU optimizations like SIMD vector processing.
Using Apache Spark and MySQL for Data AnalysisSveta Smirnova
The document discusses using Apache Spark and MySQL for data analysis. It provides examples of loading Wikipedia usage statistics (Wikistats) data into both MySQL and Spark for analysis. Loading the full 10+ TB of Wikistats data into MySQL took over a month, while Spark was able to scan and analyze the entire dataset in under an hour by leveraging its ability to perform distributed, parallel processing across multiple nodes. The document compares key differences between Spark and MySQL for big data processing, such as Spark's lack of indexes but ability to perform full scans in parallel across nodes.
Oracle Open World Thursday 230 ashmastersKyle Hailey
This document discusses database performance tuning using Oracle's ASH (Active Session History) feature. It provides examples of ASH queries to identify top wait events, long running SQL statements, and sessions consuming the most CPU. It also explains how to use ASH data to diagnose specific problems like buffer busy waits and latch contention by tracking session details over time.
This document discusses third party patches for MySQL that provide quick wins and new features. It summarizes five such patches: 1) Slow query filtering which helps identify expensive queries, 2) Index statistics which helps determine unused indexes, 3) An InnoDB dictionary limit which constrains memory usage, 4) A global long query time setting, and 5) A "fix" for InnoDB group commit performance regressions in MySQL 5.0. The document encourages using third party patches to gain features and improvements not yet available in the MySQL core.
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...Altinity Ltd
ClickHouse is a powerful open source analytics database that provides fast, scalable performance for data warehousing and real-time analytics use cases. It can handle petabytes of data and queries and scales linearly on commodity hardware. ClickHouse is faster than other databases for analytical workloads due to its columnar data storage and parallel processing. It supports SQL and integrates with various data sources. ClickHouse can run on-premises, in the cloud, or in containers. The ClickHouse operator makes it easy to deploy and manage ClickHouse clusters on Kubernetes.
DOAG Security Day 2016 Enterprise Security ReloadedLoopback.ORG
The document discusses security at the DOAG Security Day conference on March 17, 2016. It includes an agenda for the conference with topics on database security, password hashes, LDAP directory integration, PKI authentication, enterprise user security (EUS), Oracle Unified Directory (OUD) and Kerberos authentication. Tables show default Oracle database accounts and passwords. Diagrams illustrate Kerberos and PKI authentication workflows between clients, databases and directories.
This document discusses using Active Session History (ASH) to analyze and troubleshoot performance issues in an Oracle database. It provides an example of using ASH to identify the top CPU-consuming session over the last 5 minutes. It shows how to group and count ASH data to calculate metrics like average active sessions (AAS) and percentage of time spent on CPU. The document also discusses using ASH to identify top waiting sessions and analyze specific wait events like buffer busy waits.
Михаил Епихин — Бутылочное горлышко. как найти узкие места сервиса и увеличит...Yandex
Узкие места (bottlenecks) — главное, что ограничивает производительность любой системы. Мы расскажем, как быстро находить «бутылочное горлышко», какие метрики хороши, а какие — непригодны для мониторинга производительности. Рассмотрим классификации метрик, методы и инструменты анализа производительности. Вы узнаете, как сделать так, чтобы сервис эффективно использовал производственные мощности.
Beyond PHP - it's not (just) about the codeWim Godden
Most PHP developers focus on writing code. But creating Web applications is about much more than just writing PHP. Take a step outside the PHP cocoon and into the big PHP ecosphere to find out how small code changes can make a world of difference on servers and network. This talk is an eye-opener for developers who spend over 80% of their time coding, debugging and testing.
This document provides instructions for using the gdb debugger to profile C function sequences in Oracle. It outlines the goals of learning how to use gdb for profiling and lists prerequisites. It then provides step-by-step instructions for tracing an Oracle query using native Oracle tracing mechanisms and the Linux strace utility to include system call information.
There are some things in Stacki that you can only do with Remove commands. This tutorial takes you over the most common remove commands and offers an overview of how they work.
Download Stacki: www.stacki.com
Uncover the hidden challenges that plague production environments in this eye-opening session. Join us as we explore the five most common performance problems that emerge in live systems. Gain invaluable insights into detecting these issues early on, before they wreak havoc on your operations. Discover practical solutions that empower you to address these challenges head-on, ensuring optimal performance and seamless user experiences.
An experimental and advanced usage of Oracle Event Histogram and ASH data to answer the question: has ASH sampled any latency outlier events? We use Event Histogram to characterize the probability distribution of event latencies and then join with ASH to find if high significance (low probability) events have been sampled. Presented at UKOUG in 2011.
This document discusses profiling an Oracle database executable on Linux to analyze the performance of a SQL query. It provides examples of using Oracle's SQL trace facility and the strace system call tracing tool to monitor the database process and identify which operations it is performing. The SQL trace output shows events like parsing, execution and waits during a full table scan query. Strace shows the system calls the database makes, like reads, writes and memory mapping. Combining the two tracing methods can provide more insight into how the database interacts with the operating system during query execution.
The document discusses several architectural patterns for distributed systems in the cloud, including sharding, indexing, caching, and event sourcing. It provides examples of how these patterns can be implemented using Azure services and explains some of their advantages like improving scalability and availability. Key patterns covered include sharding data across multiple nodes to distribute load, using index tables to improve read performance, and storing an immutable record of events to provide resilience.
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020Sandesh Rao
This session will focus on 19 troubleshooting tips and tricks for DBAs covering tools from the Oracle Autonomous Health Framework (AHF) like Trace file Analyzer (TFA) to collect , organize and analyze log data , Exachk and orachk to perform mass best practices analysis and automation , Cluster Health Advisor to debug node evictions and calibrate the framework , OSWatcher and its analysis engine , oratop for pinpointing performance issues and many others to make one feel like a rockstar DBA
Scaling infrastructure is tricky,
I will try to explain what methods I use when dealing with this issue, and demonstrate an approach which can be applied to almost any type of work load.
Similar to [cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by Orange Tsai (20)
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services as well as blue team incident response and defense consultation for major Japanese global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS institute and holds numerous GIAC certifications. Currently, he is working with other Yamato security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
An expert in mobile network security provided a summary of hacking 5G networks. Some key points include:
1) Standard IT security techniques uncovered issues when applied to upgraded legacy 4G networks, such as unpatched operating systems, weak configurations, and lack of encryption.
2) Future 5G networks introduce new security risks due to increased complexity from virtualization and automation layers, as well as a continuously evolving attack surface extending into cloud infrastructure.
3) Red team exercises show that hacking mobile networks has become a multi-step process, where initial access through one vulnerability can enable lateral movement and privilege escalation to compromise critical systems or customer data.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
Yuuma Taki is enrolled in the Hokkaido Information University Information Media Faculty of Information Media (4th year).
At university he is focusing on learning about security for lower-level components, such OS and CPU. In his third year of undergraduate school, he worked on trying to implement the OS security mechanism "KASLR", at Sechack365.
Currently, he is learning about ROP derivative technology and embedded equipment security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi automated approach to “see through” the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method’s validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially in a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaign) have attempted to spread disinformation, incite protests in the physical world, and doxxing against journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently, we saw the newly created bots turn to post artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguised as members of “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing China's bots-driven InfoOps targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
Malwares written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and libraries, making it difficult for analysts to analyze. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
[cb22] What I learned from the direct confrontation with the adversaries who ...CODE BLUE
In November 2019, I started monitoring the Bitcoin operation by the adversaries who hid IP addresses of their C&C server in the blockchain. In June 2020, I started collaborating with Professor Christian Doerr of the Hasso Plattner Institute based on the idea of redirecting C&C server communication to a sinkhole server (called takeover), and we successfully achieved this in August. However, the adversaries quickly took evasive action, where they managed to implement an evasion mechanism in only two weeks and restarted their attack. Although we could not conduct our takeover, our monitoring system could worked well. The end of their attack was brought upon by the surge in Bitcoin prices. Due to the fees for the Bitcoin miners, a transaction had reduced the adversaries' profits, and we confirmed the last C&C update was in January 2021 and the abandonment of the attack infrastructure came in March. Since then, no similar attacks have been observed by my monitoring system.
Although this attack has already concluded and is unlikely to restart unless the value of Bitcoin declines, I would like to share the know-how I have learned through the direct confrontation with the adversaries. That is, at the time of the confrontation with them, this attack was highly novel, and the adversaries themselves did not fully understand the best solution for its' operation. They needed to evolve their tactics, techniques, and procedures (TTPs) while operating the system. We carefully analyzed their TTPs and tried to catch them off their guard. Even more troublesome was the need to understand as quickly as possible what they intended to do each time they were affected by the Bitcoin halving or making a simple operational error. This presentation is a culmination my insights learned from interactions with these adversaries and I am looking forward to sharing this information with everyone.
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...CODE BLUE
Smartian is a tool that enhances smart contract fuzzing with static and dynamic data-flow analyses. It integrates static analysis to identify promising sequences of function calls for generating initial fuzzing seeds. It then uses dynamic analysis to mutate function arguments to realize expected data flows across functions. Smartian implements bug oracles for 13 classes of smart contract bugs. Evaluation shows Smartian outperforms other fuzzers and symbolic executors on benchmarks with known bugs, demonstrating the effectiveness of integrating static and dynamic analyses for smart contract fuzzing.
XP 2024 presentation: A New Look to Leadershipsamililja
Presentation slides from XP2024 conference, Bolzano IT. The slides describe a new view to leadership and combines it with anthro-complexity (aka cynefin).
This presentation by OECD, OECD Secretariat, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp.
This presentation was uploaded with the author’s consent.
This presentation by Thibault Schrepel, Associate Professor of Law at Vrije Universiteit Amsterdam University, was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
This presentation by Katharine Kemp, Associate Professor at the Faculty of Law & Justice at UNSW Sydney, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp.
This presentation was uploaded with the author’s consent.
This presentation by Yong Lim, Professor of Economic Law at Seoul National University School of Law, was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
This presentation by Professor Giuseppe Colangelo, Jean Monnet Professor of European Innovation Policy, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp.
This presentation was uploaded with the author’s consent.
This presentation by Professor Alex Robson, Deputy Chair of Australia’s Productivity Commission, was made during the discussion “Competition and Regulation in Professions and Occupations” held at the 77th meeting of the OECD Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found at oe.cd/crps.
This presentation was uploaded with the author’s consent.
This presentation by OECD, OECD Secretariat, was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
This presentation by Tim Capel, Director of the UK Information Commissioner’s Office Legal Service, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp.
This presentation was uploaded with the author’s consent.
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdfBen Linders
Psychological safety in teams is important; team members must feel safe and able to communicate and collaborate effectively to deliver value. It’s also necessary to build long-lasting teams since things will happen and relationships will be strained.
But, how safe is a team? How can we determine if there are any factors that make the team unsafe or have an impact on the team’s culture?
In this mini-workshop, we’ll play games for psychological safety and team culture utilizing a deck of coaching cards, The Psychological Safety Cards. We will learn how to use gamification to gain a better understanding of what’s going on in teams. Individuals share what they have learned from working in teams, what has impacted the team’s safety and culture, and what has led to positive change.
Different game formats will be played in groups in parallel. Examples are an ice-breaker to get people talking about psychological safety, a constellation where people take positions about aspects of psychological safety in their team or organization, and collaborative card games where people work together to create an environment that fosters psychological safety.
The importance of sustainable and efficient computational practices in artificial intelligence (AI) and deep learning has become increasingly critical. This webinar focuses on the intersection of sustainability and AI, highlighting the significance of energy-efficient deep learning, innovative randomization techniques in neural networks, the potential of reservoir computing, and the cutting-edge realm of neuromorphic computing. This webinar aims to connect theoretical knowledge with practical applications and provide insights into how these innovative approaches can lead to more robust, efficient, and environmentally conscious AI systems.
Webinar Speaker: Prof. Claudio Gallicchio, Assistant Professor, University of Pisa
Claudio Gallicchio is an Assistant Professor at the Department of Computer Science of the University of Pisa, Italy. His research involves merging concepts from Deep Learning, Dynamical Systems, and Randomized Neural Systems, and he has co-authored over 100 scientific publications on the subject. He is the founder of the IEEE CIS Task Force on Reservoir Computing, and the co-founder and chair of the IEEE Task Force on Randomization-based Neural Networks and Learning Systems. He is an associate editor of IEEE Transactions on Neural Networks and Learning Systems (TNNLS).
This presentation by OECD, OECD Secretariat, was made during the discussion “Competition and Regulation in Professions and Occupations” held at the 77th meeting of the OECD Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found at oe.cd/crps.
This presentation was uploaded with the author’s consent.
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...Suzanne Lagerweij
This is a workshop about communication and collaboration. We will experience how we can analyze the reasons for resistance to change (exercise 1) and practice how to improve our conversation style and be more in control and effective in the way we communicate (exercise 2).
This session will use Dave Gray’s Empathy Mapping, Argyris’ Ladder of Inference and The Four Rs from Agile Conversations (Squirrel and Fredrick).
Abstract:
Let’s talk about powerful conversations! We all know how to lead a constructive conversation, right? Then why is it so difficult to have those conversations with people at work, especially those in powerful positions that show resistance to change?
Learning to control and direct conversations takes understanding and practice.
We can combine our innate empathy with our analytical skills to gain a deeper understanding of complex situations at work. Join this session to learn how to prepare for difficult conversations and how to improve our agile conversations in order to be more influential without power. We will use Dave Gray’s Empathy Mapping, Argyris’ Ladder of Inference and The Four Rs from Agile Conversations (Squirrel and Fredrick).
In the session you will experience how preparing and reflecting on your conversation can help you be more influential at work. You will learn how to communicate more effectively with the people needed to achieve positive change. You will leave with a self-revised version of a difficult conversation and a practical model to use when you get back to work.
Come learn more on how to become a real influencer!
Carrer goals.pptx and their importance in real lifeartemacademy2
Career goals serve as a roadmap for individuals, guiding them toward achieving long-term professional aspirations and personal fulfillment. Establishing clear career goals enables professionals to focus their efforts on developing specific skills, gaining relevant experience, and making strategic decisions that align with their desired career trajectory. By setting both short-term and long-term objectives, individuals can systematically track their progress, make necessary adjustments, and stay motivated. Short-term goals often include acquiring new qualifications, mastering particular competencies, or securing a specific role, while long-term goals might encompass reaching executive positions, becoming industry experts, or launching entrepreneurial ventures.
Moreover, having well-defined career goals fosters a sense of purpose and direction, enhancing job satisfaction and overall productivity. It encourages continuous learning and adaptation, as professionals remain attuned to industry trends and evolving job market demands. Career goals also facilitate better time management and resource allocation, as individuals prioritize tasks and opportunities that advance their professional growth. In addition, articulating career goals can aid in networking and mentorship, as it allows individuals to communicate their aspirations clearly to potential mentors, colleagues, and employers, thereby opening doors to valuable guidance and support. Ultimately, career goals are integral to personal and professional development, driving individuals toward sustained success and fulfillment in their chosen fields.
This presentation by Nathaniel Lane, Associate Professor in Economics at Oxford University, was made during the discussion “Pro-competitive Industrial Policy” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/pcip.
This presentation was uploaded with the author’s consent.
This presentation by OECD, OECD Secretariat, was made during the discussion “Pro-competitive Industrial Policy” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/pcip.
This presentation was uploaded with the author’s consent.
5. Orange Tsai
• Specialize in Web and Application Vulnerability Research
• Principal Security Researcher of DEVCORE
• Speaker at Conferences: Black Hat USA/ASIA, DEFCON, HITB AMS/GSEC, POC,
CODE BLUE, Hack.lu, WooYun and HITCON
• Former Captain of HITCON CTF Team
• Selected Awards and Honors:
• 2017 - 1st place of Top 10 Web Hacking Techniques
• 2018 - 1st place of Top 10 Web Hacking Techniques
• 2019 - Winner of Pwnie Awards "Best Server-Side Bug"
• 2021 - Champion and "Master of Pwn" of Pwn2Own
• 2021 - Winner of Pwnie Awards "Best Server-Side Bug"
22. TREE_HASH_TABLE
• The most standard code you have seen in your textbook
• Use chaining through Linked-List as the collision resolution
• Rehash all records at once when the table is unhealthy
• Combine DJB-Hash with LCGs as its Hash Function
23. LKRHash Table
• A successor of Linear Hashing, which aims to build a scalable
Hash Table on high-concurrent machines.
• Invented at Microsoft in 1997 (US Patent 6578131)
• Paul Larson - from Microsoft Research
• Murali Krishnan - from IIS Team
• George Reilly - from IIS Team
• Allow applications to customize their table-related functions such as
Key-Extractor, Hash-Calc and Key-Compare operations.
24. Outline
1. Introduction
2. Our Research
a) Hash Table Implementation
b) Hash Table Usage
c) IIS Cache Mechanism
3. Vulnerabilities
4. Recommendations
25. Hash Table Implementation
• Memory corruption bugs
• Logic bugs
• E.g. CVE-2006-3017 discovered by Stefan Esser - PHP didn't
distinguish the type of hash-key leads to unset() a wrong element.
• Algorithmic Complexity Attack such as Hash-Flooding Attack
26. Hash Table Usage
• Since LKRHash is designed to be a customizable implementation that
can be applied to various scenarios, applications have to configure
their own table-related functions during initialization.
• Is the particular function good?
• Is the logic of the Key-Calculation good?
• Is the logic of the record selection good?
• More and more…
41. Hash Flooding Attack on IIS
• The Spoiler:
• TREE_HASH_TABLE: Vulnerable to Hash Flooding DoS by default.
• LKRHash: Vulnerable only If a poor Hash Function is configured.
42.
43. UriCacheModule
• Cache URI information and configuration
• Accessible by default
• Every URL access triggers a Hash Table Lookup / Insert / Delete
• Use TREE_HASH_TABLE
44.
45. 0
50
100
150
200
250
5k 10k 15k 20k 25k 30k 35k 40k 45k 50k 55k 60k 65k 70k 75k 80k 85k 90k 95k 100k
Random Collision
Time of Every 1000 New Records
s
s
s
s
s
s
46. Why there are Jitters?
0
50
100
150
200
250
5k 10k 15k 20k 25k 30k 35k 40k 45k 50k 55k 60k 65k 70k 75k 80k 85k 90k 95k 100k
Random Collision
s
47. 1 bool TREE_HASH_TABLE::InsertRecord(TREE_HASH_TABLE *this, void *record) {
2 /* omitting */
3 hashKey = this->vt->GetHashKey(this, record);
4 sig = TREE_HASH_TABLE::CalcHash(this, hashKey);
5 bucket = this->_ppBuckets[sig % this->_nBuckets];
6
7 /* check for duplicates */
8 while ( !bucket->_pNext ) {
9 /* traverse the linked-list */
10 }
11
12 /* add to the table */
13 ret = TREE_HASH_TABLE::AddNodeInternal(this, key, sig, keylen, bucket, &bucket);
14 if ( ret >= 0 ) {
15 TREE_HASH_TABLE::RehashTableIfNeeded(this);
16 }
17 }
48. 1 bool TREE_HASH_TABLE::InsertRecord(TREE_HASH_TABLE *this, void *record) {
2 /* omitting */
3 hashKey = this->vt->GetHashKey(this, record);
4 sig = TREE_HASH_TABLE::CalcHash(this, hashKey);
5 bucket = this->_ppBuckets[sig % this->_nBuckets];
6
7 /* check for duplicates */
8 while ( !bucket->_pNext ) {
9 /* traverse the linked-list */
10 }
11
12 /* add to the table */
13 ret = TREE_HASH_TABLE::AddNodeInternal(this, key, sig, keylen, bucket, &bucket);
14 if ( ret >= 0 ) {
15 TREE_HASH_TABLE::RehashTableIfNeeded(this);
16 }
17 }
49. 1 void TREE_HASH_TABLE::RehashTableIfNeeded(TREE_HASH_TABLE *this) {
2
3 if ( this->_nItems > TREE_HASH_TABLE::GetPrime(2 * this->_nBuckets) ) {
4 CReaderWriterLock3::WriteLock(&this->locker);
5 Prime = TREE_HASH_TABLE::GetPrime(2 * this->_nBuckets);
6
7 if ( this->_nItems > Prime && Prime < 0x1FFFFFFF ) {
8 ProcessHeap = GetProcessHeap();
9 newBuckets = HeapAlloc(ProcessHeap, HEAP_ZERO_MEMORY, 8 * Prime);
10
11 for ( i = 0 ; i < this->_nBuckets; i++ ) {
12 /* move all records to new table*/
13 }
14
15 this->_ppBuckets = newBuckets;
16 this->_nBuckets = Prime;
17 }
18 /* omitting */
19 }
20 }
50. Before Exploiting…
1. How much of the Hash-Key we can control?
2. How easy the Hash Function is collide-able?
51. Cache-Key Calculation
• For the given URL: http://server/foobar
MACHINE/WEBROOT/APPHOST/DEFAULT WEB SITE/FOOBAR
Site Name
Config Path Absolute Path
58. 1 import requests
2 from itertools import product
3
4 MAGIC_TABLE = [
5 "XR39M083", "B94OS5T0", "R04I46KN", "DIO137NY", # ...
6 ]
7
8 for i in product(MAGIC_TABLE, repeat=8):
9 request.get( "http://iis/" + "".join(i) )
59.
60. Obstacles to make this not-
so-practical…
1. The increment is too slow
2. The Cache Scavenger
• A thread used to delete unused records every 30 seconds
61.
62. 1 bool TREE_HASH_TABLE::InsertRecord(TREE_HASH_TABLE *this, void *record) {
2
3 /* omitting */
4
5 while ( i <= KeyLength ) {
6 if ( !SubKey[i] ) {
7 SubKeySig = TREE_HASH_TABLE::CalcHash(this, SubKey);
8 record = 0;
9 if ( i == KeyLength )
10 record = OrigRecord;
11
12 ret = TREE_HASH_TABLE::AddNodeInternal(this, SubKey, SubKeySig, record, ...);
13 if ( ret != 0x800700B7 )
14 break;
15 SubKey[i] = Key[i]; // Substitute the NUL-byte to slash
16 }
17 i = i + 1;
18 }
19 /* omitting */
20 }
Bad implementation for a rescue!
67. Amplify the attack 10-times at least
by a slight modification
1 import requests
2 from itertools import product
3
4 ZERO_HASH_TABLE = [
5 "/HYBCPQOG", "/XOCZE29I", "/HWYDXRYR", "/289MICAP", # ...
6 ]
7
8 for i in ZERO_HASH_TABLE:
9 request.get( "http://iis/" + "2BDCKV6" + i*12 )
68. The Result
• Denial-of-Service on default installed Microsoft IIS
• About 30 requests per-second can make a 8-core and 32GB-ram server
unresponsive
• Awarded $30,000 by Windows Insider Preview Bounty Program
73. You might be thinking…
• What's the root cause?
• How do I get those passwords?
• Which scenarios are vulnerable?
74. The login result cache…?
• Logon is an expensive operation so… Let's cache it!
• IIS by default cache windows security tokens for password-based
authentications such as Basic Auth or Client-Certificate Auth…
• A scavenger deletes unused records every 15 minutes :(
• Use LKRHash Table
75. Initializing a LKRHash Table
CLKRHashTable::CLKRHashTable(
this,
"TOKEN_CACHE", // An identifier for debugging
pfnExtractKey, // Extract key from record
pfnCalcKeyHash, // Calculate hash signature of key
pfnEqualKeys, // Compare two keys
pfnAddRefRecord, // AddRef in FindKey, etc
4.0, // Bound on the average chain length.
1, // Initial size of hash table.
0, // Number of subordinate hash tables.
0 // Allow multiple identical keys?
);
76. fnCalcKeyHash for Token Cache
1 DWORD pfnCalcKeyHash(wchar_t *Username, wchar_t *Password) {
2 DWORD i = 0, j = 0;
3
4 for ( ; *Username; ++Username)
5 i = i * 101 + *Username;
6
7 for ( ; *Password; ++Password)
8 j = j * 101 + *Password;
9
10 return i ^ j;
11 }
81. You can reuse another logged-in
token with random passwords
1. Every password has the success rate of Τ
1 232
2. Unlimited attempts during the 15-minutes time window.
82. Winning the Lottery
1. Increase the odds of the collision!
2. Exploit without user interaction - Regain the initiative!
3. Defeat the 15-minutes time window!
83. 1. Increase the Probability
• 4.2 billions hashes under the key space of a 32-Bit Integer
• LKRHash Table uses LCGs to scramble the result
• The LCG is not one-to-one mapping under the key space of a 32-bit integer
DWORD CLKRHashTable::_CalcKeyHash(IHttpCacheKey *key) {
DWORD dwHash = this->pfnCalcKeyHash(key)
return ((dwHash * 1103515245 + 12345) >> 16)
| ((dwHash * 69069 + 1) & 0xffff0000);
}
84. 13% of Success Rate
13% of Key Space
by pre-computing the password
85. 2. Regain the Initiative
• The "Connect As" feature is commonly used in Virtual Hosting
or Web Hosting
86. Experiment Run!
• Windows Server is able to handle about 1,800 logins per-second
• Running for all day - (1800 × 86400) ÷ (232
× (1 − 0.13)) = 4.2%
87. The odds are already higher than an SSR
(Superior Super Rare) in Gacha Games…
88. Experiment Run!
• Windows Server is able to handle about 1,800 logins per-second
• Running for all day - (1800 × 86400) ÷ (232
× (1 − 0.13)) = 4.2%
• Running for 5 days - (1800 × 86400 × 5) ÷ (232
× (1 − 0.13)) = 20.8%
• Running for 12 days - (1800 × 86400 × 10) ÷ (232
× (1 − 0.13)) = 49.9%
• Running for 24 days - (1800 × 86400 × 24) ÷ (232
× (1 − 0.13)) = 100%
89.
90. 3. Defeat the Time Window!
• In sophisticated modern applications, it's common to see:
1. background daemons that check the system health
2. background cron-jobs that poke internal APIs periodically
91. 3. Defeat the Time Window!
• The token will be cached in the memory forever if:
1. The operations attach a credential
2. The time gap between each access is less than 15 minutes
93. Microsoft Exchange Server
• Active Monitoring Service:
• An enabled-by-default service to check the health of all services
• Check Outlook Web Access and ActiveSync with a credential
every 10 minutes!
98. Recommendation
• About the Hash Table design
• Use PRFs such as SipHash/HighwayHash
• About the Cache Design
• The inconsistency is the king.
• Learn from history
• ❌ Limit the input size
• ❌ A secret to randomize the Hash Function