An expert discusses best practices for securing an AWS account, including disabling root access keys and secrets, enabling multi-factor authentication for IAM users, using least privilege policies, rotating keys regularly, and more. Examples are given of real breaches that occurred due to exposed keys and misconfigured security groups and S3 buckets. Scripts for finding publicly accessible S3 buckets and exploiting server side request forgery vulnerabilities are also mentioned.
[CB16] BLE authentication design challenges on smartphone controlled IoT devi... - CODE BLUE
Smartphones are commonly used as the controller and Internet gateway for BLE-enabled IoT devices. Designing a strong authentication protocol between them is the key part of IoT security. However, mobile app design has many challenges, such as limited input and output interfaces as well as user privacy protection features. Due to these restrictions, many vendors have given up BLE's built-in Security Manager Protocol and chosen to build their own authentication protocols.
This study focused on a generalized method to analyze these BLE authentication protocols, discovering and solving the challenges mentioned above. We applied this method to commercial products, including the popular Gogoro Smart Scooter from Taiwan. We will demo that under certain circumstances it is possible to dump the key used to unlock your Gogoro Scooter and send fake BLE authentication protocol packets to steal the scooter.
--- Chen-yu Dai [GD]
Chen-yu Dai (GD) is CTO at Team T5 Research, providing Digital Forensics & Incident Response services, developing Threat Intelligence Program and Platforms, consulting enterprise cyber defenses.
He is studying at the graduate school of Department of Information Management in the National Taiwan University of Science and Technology.
He also volunteered as deputy coordinator of HITCON, the largest hacker community and security conference in Taiwan.
He has received many prizes from domestic and international CTFs, as well as bug bounty programs.
--- Shi-Cho Cha [CSC]
Professor Shi-Cho Cha [CSC]
Shi-Cho Cha (CSC) is currently an associate professor at the Department of Information Management in the National Taiwan University of Science and Technology, where he has been a faculty member since 2006. He received his B.S. and Ph.D. in Information Management from the National Taiwan University in 1996 and 2003. He is a certified PMP, CISSP, CCFP and CISM.
From 2000 to 2003, he was a senior consultant at eLand technologies and served as project leader in developing several e-marketing systems. From 2003 to 2006, he was a manager at PricewaterhouseCoopers, Taiwan and helped several major government agencies to develop their information security management systems.
Recently, he helped NTUST to establish a security analysis workforce and helped several organizations to evaluate their system security. His current research interests are in the areas of information security management, identity management, smartphone security, and IoT security.
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud - CloudVillage
"What happens when attackers start taking advantage of whitelisted APIs as a form of obfuscated command and control? Companies both large and small are moving workloads to the cloud and are very concerned with how to secure their resources which actually live in AWS, GCP, and Azure. However, they don’t address how enabling this access changes their internal attack surface and weakens their defenses.
In this talk, we demonstrate that attackers no longer have any reason to rely on conventional CNC, being able to outsource their costs and infrastructure management to the likes of Slack, Github, Pastebin, Dropbox, Google, and social media sites. Using these sorts of techniques, URL blacklisting becomes obsolete, IDS becomes less effective, and attackers no longer have to waste their time writing domain generation algorithms.
Specifically, I will demo a proof-of-concept malware which uses multiple SaaS services, social networks, and more conventional “cloud infrastructure” (S3) that would be extremely difficult to mitigate generically with today’s IPS solutions, and we discuss how the same techniques can be used by red teams and attackers to quietly maintain persistence and exfiltrate data."
Web App Security Presentation by Ryan Holland - 05-31-2017 - TriNimbus
Web App Security - A presentation by Ryan Holland, Sr. Director, Cloud Architecture at Alert Logic for the Vancouver AWS User Group Meetup on May 31, 2017.
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team - OWASP Delhi
This slide is all about Google bug hunting.
How you should report the bug?
What things you should consider while reporting?
Life cycle of your Vulnerability report submission
Vulnerabilities in modern web applications - Niyas Nazar
Microsoft PowerPoint presentation for a BTech academic seminar. This seminar discusses penetration testing, penetration testing tools, web application vulnerabilities, the impact of vulnerabilities and security recommendations.
Keynote - Cloudy Vision: How Cloud Integration Complicates Security - CloudVillage
The cloud is compelling and in many cases necessary for organizations to effectively operate.
Cloud security, on the other hand, is not as clear. Many cloud services need a hook into the on-premises environment in order to synchronize users and groups. Additionally, cloud security controls vary by the provider in availability, capability, and cost. This results in a disjointed view of user authentication, security, and potential configuration issues.
This talk explores some common cloud configuration scenarios and associated security issues.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di... - DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly, we will look at how to prevent these kinds of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
Getting Started in Pentesting the Cloud: Azure - Beau Bullock
Webcast Recording: https://www.youtube.com/watch?v=fCbVMWvncuw
Increasingly, more organizations are migrating resources to being hosted in the cloud. With this comes a greater potential for misconfiguration if there isn’t a solid understanding of the attack surface. While there are many similarities between traditional on-premises pentesting and cloud-based pentesting, the latter is an animal of its own. This webcast will attempt to clear up some of the fogginess around cloud-based pentesting, specific to Microsoft Azure environments, including Microsoft 365.
In order to adequately determine the attack surface, the appropriate coverage areas will be highlighted. Differences between Azure resources and Microsoft 365 can oftentimes be confusing but knowing these differences is key to helping you pivot and escalate privileges. Conditional access policies are great for defining different scenarios for how users can authenticate securely but can also be misconfigured. There are security protections for stopping certain password attacks but some of these can be bypassed. Ultimately, a methodology for testing Azure environments along with tools and techniques will be presented in this talk.
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti... - CloudVillage
Speaker 1: Olaf Hartong
Speaker 2: Edoardo Gerosa
Azure Sentinel, Microsoft's new cloud SIEM solution, was recently released on the market. Notwithstanding its strengths Sentinel offers limited threat hunting capabilities out of the box and setting up an effective hunting solution is not straightforward. The Sentinel ATT&CK GitHub project is designed to provide guidance on setting up an ATT&CK-driven process monitoring solution within Sentinel; giving DFIR professionals a tool to effectively hunt in the Azure cloud.
The project, building on previous work from the open source DFIR community, provides instructions on how to properly configure Sysmon to monitor and detect specific processes in alignment with MITRE's ATT&CK framework. Secondly it provides clarity on how to onboard Sysmon logs from Windows virtual machines, shedding light on some poorly documented areas, while also offering an open source parser to correctly ingest Sysmon data in conformity with the Open Source Security Event Metadata information model. Thirdly it offers around 120 open source Kusto Query Language alerts ready for deployment; each mapped to a unique MITRE ATT&CK technique. Fourthly it provides a dedicated threat hunting dashboard to help DFIR professionals monitor their environment and execute precise hunts. Finally, Sentinel ATT&CK provides ready-made hunting queries to be leveraged when responding to alert notifications raised by the threat hunting dashboard.
This talk delivers an overview of how the Sentinel ATT&CK project can help organisations establish an effective threat hunting capability in Azure as well as an opportunity to share with the community the strengths and shortcomings of Sentinel when it comes to hunting adversaries within the Microsoft cloud.
Speaker 1: Ashwin Vamshi
Speaker 2: Abhinav Singh
Cloud services are built for increased collaboration and productivity, and provide capabilities like auto sync and API level communication. This has led enterprises to exclusively use SaaS, PaaS and IaaS services for storing and sharing critical and confidential data. End users as well as security products tend to place implicit trust in cloud vendors such as Microsoft, AWS, Google, and SaaS app vendors such as Box, Salesforce, DropBox. As a result, cybercriminals have started launching their attacks from these trusted cloud services. This talk will focus on how attackers are abusing these trusted cloud services to create Phishing attacks that are highly effective and hard to detect.
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f... - Beau Bullock
Does the blue team got you feeling down because they are on you like Windows Defender on a Mimikatz binary? Have you lost sleep at night because their logging and alerting levels are so well tuned that if they were vocals, auto-tune couldn’t make them any better? Do you like surprises? Well you are in luck!
Over the last few months we’ve been doing a bit of research around various Microsoft “features”, and have mined a few interesting nuggets that you might find useful if you’re trying to be covert on your red team engagements. This talk will be “mystery surprise box” style as we’ll be weaponizing some things for the first time. There will be demos and new tools presented during the talk. So, if you want to win at hide-n-seek with the blue team, come get your covert attack mystery box!
Speaker: Chris Le Roy
Containers, Cloud, DevOps and SDLC are all terms that are increasingly used in the InfoSec world. In this talk, we discuss how a container exploitation tool (BOtB) was developed to identify and autopwn common vulnerabilities in container technologies such as Docker and LXC and how this tool was used in a modern SDLC environment using common CI/CD technologies to identify, exploit and remediate container vulnerabilities before releases were made to production.
In this talk we elaborate on how and why BOtB was built to be used by pentesters to exploit container vulnerabilities and how BOtB can be used by engineers to secure their container environments. The talk will also explain the technical details around the vulnerabilities that can be exploited by BOtB.
Why API Security Is More Complicated Than You Think (and Why It’s Your #1 Pri... - ProgrammableWeb
Why API Security Is More Complicated Than You Think (and Why It’s Your #1 Priority)
David Berlind, Editor-in-Chief, ProgrammableWeb
In the last year, the users of various social media services have had their accounts compromised due to API security related issues. ProgrammableWeb’s investigations into these transgressions reveal a degree of hacker sophistication that could never have been anticipated. The attacks were layered and complicated and one can only guess at the final objectives (but we have our hunches). In this presentation, ProgrammableWeb's editor-in-chief reveals the sophistication of these attacks with a step-by-step walkthrough of what the perpetrators did and then offers a layered-security prescription for preventing your organization, APIs, and applications from being similarly compromised.
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao - Shakacon
Since 2014, fifteen new malware or riskware families successfully attacked non-jailbroken iOS devices (e.g., WireLurker, Oneclickfraud, XcodeGhost, InstaAgent, ZergHelper, AceDeceiver), affected thousands of iOS apps and tens of millions of users around the world. Ten of them even bypassed Apple’s code vetting and occurred in the App Store. In this presentation, we will systematically study how these malware, riskware and some Proof-of-Concepts could infect non-jailbroken devices via practical vectors and approaches including abusing development certificates, bypassing code review by obfuscation, performing FairPlay MITM attack, abusing MDM solutions, abusing private APIs, exploiting design flaws or app level vulnerabilities, and stealing privacy data. For each topic, we will introduce its implementation, explore real world cases, analyze its risks and consequences, explain Apple’s countermeasures, and discuss why some problems will still exist in the near future. We will also share some stories of how we discovered those interesting iOS malware. Through this topic, audiences could make more effective policies to protect iOS devices in their organizations, build their own systems/tools to evaluate security risks in iOS apps, and hunt more iOS malware in the future.
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru... - Beau Bullock
Your vulnerability scanner reports that there are no issues on your network. A pentester has spent the last week trying to exploit every system your organization owns with no luck. The check box for this year's compliance audit has been checked. While it is good that these things occurred, they do not complete the picture in regards to true risk.
Real attackers do not solely rely on software exploits to compromise an environment. In almost every breach you hear about the root of the compromise came from a phishing attack. This is why additional tests, post-infection, should be performed to assess just how far an attacker can go after gaining a foothold into your environment.
What command and control channels are available for an attacker to utilize to communicate with your internal systems? How easy is it for an attacker to move laterally within your environment and gain access to other systems? What are your detection capabilities when it comes to sensitive data being exfiltrated out of your environment? How do you test these attacker techniques using open-source tools?
This lecture will address these questions and more, including a showcase of attacker methodologies.
TABLETOP SCENARIO: Your organization regularly patches, uses application whitelisting, has NextGen-NG™ firewalls/IDS’s, and has the latest Cyber-APT-Trapping-Blinky-Box™. You were just made aware that your entire customer database was found being sold on the dark web. Go.
Putting too much trust in security products alone can be the downfall of an organization. In the 2015 BSides Tampa talk “Pentest Apocalypse” Beau discussed 10 different pentesting techniques that allow attackers to easily compromise an organization. These techniques still work for many organizations but occasionally more advanced tactics and techniques are required. This talk will continue where “Pentest Apocalypse” left off and demonstrate a number of red team techniques that organizations need to be aware of in order to prevent a “Red Team Apocalypse” as described in the tabletop scenario above.
Pwning Windows Mobile applications by Ankit Giri - OWASP Delhi
Mobile Platform Operating Systems
Windows Phone Overview
What we can test?
Challenges
Approach & Prerequisites
Methodology
Application File Structure
Tools for Penetration Testing
Security Features
Pwning Windows Mobile applications by Ankit Giri - OWASP Delhi
Mobile Platform Operating Systems
Windows Phone Overview
What we can test?
Challenges
Approach & Prerequisites
Methodology
Application File Structure
Tools for Penetration Testing
Security Features
IDC Analysts predict that the market for public cloud consulting services will grow 10x faster than overall IT professional services. This session will cover how AWS consulting partners have built successful AWS practices by investing in sales, delivery, training, and building AWS specific methodologies. We will cover best practices in each functional area, and provide a 6-12 month roadmap for building your AWS practice.
Running enterprise workloads with sensitive data in AWS is hard and requires an in-depth understanding about software-defined security risks. At re:Invent 2014, Intuit and AWS presented "Enterprise Cloud Security via DevSecOps" to help the community understand how to embrace AWS features and a software-defined security model. Since then, we've learned quite a bit more about running sensitive workloads in AWS.
We've evaluated new security features, worked with vendors, and generally explored how to develop security-as-code skills. Come join Intuit and AWS to learn about second-year lessons and see how DevSecOps is evolving. We've built skills in security engineering, compliance operations, security science, and security operations to secure AWS-hosted applications. We will share stories and insights about DevSecOps experiments, and show you how to crawl, walk, and then run into the world of DevSecOps.
Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web Day - AWS Germany
Talk "Leveraging the Security of AWS's Own APIs for Your App" by Brian Wagner at the AWS Serverless Web Day. All videos and presentations can be found here: http://amzn.to/28QIaxM
Securing Serverless Architectures - AWS Serverless Web Day - AWS Germany
Talk "Securing Serverless Architectures" by Dave Walker at the AWS Serverless Web Day. All videos and presentations can be found here: http://amzn.to/28QIaxM
First for Cloud AWS partner webinar 20 July 2016 - Russell Warne
Slides and notes from send webinar in our series. Includes detail on how partners can package solutions and make margin from AWS usage, partner opportunities based on feedback from client engagements at the AWS Summit and other useful stuff.
AWS Summit 2014 Brisbane - Breakout 1
The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources.
Presenter: Stephen Quigg, Solutions Architect, APAC, Amazon Web Services
Security Boundaries and Functions of Services for Serverless Architectures on... - AWS Germany
Talk "Security Boundaries and Functions of Services for Serverless Architectures on AWS" by Bertram Dorn at the AWS Serverless Web Day. All videos and presentations can be found here: http://amzn.to/28QIaxM
Building a Cloud Culture at Yelp (BDT305) | AWS re:Invent 2013 - Amazon Web Services
Yelp is evolving from a purely hosted infrastructure environment to running many systems in AWS—paving the way for their growth to 108 million monthly visitors (source: Google Analytics). Embracing a cloud culture reduced reliability issues, sped up the pace of innovation, and helped them support dozens of data-intensive Yelp features, including search relevance, usage graphs, review highlights, spam filtering, and advertising optimizations. Today, Yelp runs 7+ TB hosted databases, 250+ GB compressed logs per day in Amazon S3, and hundreds of Amazon Elastic MapReduce jobs per day. In this session, Yelp engineers share the secrets of their success and show how they achieved big wins with Amazon EMR and open source libraries, policies around development, privacy, and testing.
Bob Jones, CERN on PICSE: Procurement of cloud services in Europe - SLA-Ready Network
Using the cloud in research can help accelerate the time to discovery and the time to publish. However, many large research institutes have to procure the services using specific procedures. The procurement of cloud services is a new experience for many such institutes. Dr Robert Jones, CERN, talks us through PICSE Wizard, an on-line, easy-to-use web-based service to help public research organisations make more informed decisions when procuring cloud services.
AWS and its partners offer a wide range of tools and features to help you to meet your security objectives. These tools mirror the familiar controls you deploy within your on-premises environments. AWS provides security-specific tools and features across network security, configuration management, access control and data security. In addition, AWS provides monitoring and logging tools that can provide full visibility into what is happening in your environment. In this session, you will get introduced to the range of security tools and features that AWS offers, and the latest security innovations coming from AWS.
by Michael St. Onge, Global Cloud Security Architect, AWS
Join us for this hands-on lab where you will learn about the new service Amazon GuardDuty by walking through its capabilities and some real-world attack scenarios. You will need an AWS account to do the lab. This should be your own personal account and not an account through your company given the activity in the lab. AWS Credits will be provided to help cover any costs incurred in the lab. Level 300
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ... - Lacework
Join the Lacework team for AWS Security Week at the AWS Loft in New York for a hands-on demonstration of Lacework. See how behavioral analysis can be applied at scale for continuous security and compliance monitoring of your AWS infrastructure. Chris Pedigo, Senior SE at Lacework, will walk attendees through Lacework with a specific focus on how we automatically analyze AWS CloudTrail and AWS Config data to ensure that security best practices are in place and that data anomalies are detected to help prevent ransomware, Bitcoin mining, or container security issues. The session will be interactive; attendees should come prepared for hands-on work on AWS accounts and console and have a Linux shell available in order to get the most from the workshop. Attendees will have access to the Lacework team to get individual attention for trial account set-up after the session.
by Jeff Puchalski, Application Security Engineer, AWS
Insider threat detection! How do we use AWS products to find an insider threat? We will cover Macie, GuardDuty and Lambda to review a production account's actions and remediate findings as they arise. We will also cover the utilization of CloudWatch to unify our finds into a single pane of glass.
It's an information security use case in which I take over an AWS cloud account of a company. This presentation includes my views on information security and the lesson I learned from this use case.
AWS Partner Webcast - Use Your AWS CloudTrail Data and Splunk Software To Imp... - Amazon Web Services
With AWS CloudTrail, you can get log files of AWS API calls for your account. CloudTrail enables you to perform security analysis, track resource changes, and aid in compliance reporting.
In this webinar you will learn how CloudTrail collects and stores your AWS log files so that software from AWS Technology Partner Splunk can be used as a Big Data Security Information and Event Management (SIEM) system. You will hear how AWS log files are made available for many security use cases, including incident investigations, security and compliance reporting, and threat detection/alerting. You will also hear from a joint Splunk/AWS customer, FINRA, who will explain how they leverage Splunk in AWS to support their cloud efforts.
What you'll learn:
• Why the machine data from AWS CloudTrail is relevant to security and compliance
• How to visualize data from AWS CloudTrail to monitor and audit security-related activity
• How AWS CloudTrail data can be combined with machine data from other sources in your IT infrastructure, including the OS and apps in your AWS images, for a wide range of operational and security use cases
• How the combination of AWS CloudTrail and Splunk Software improves your uptime, accelerates security and operational investigations, and simplifies compliance.
by Nathan Case, Sr. Consultant, AWS
Insider threat detection! How do we use AWS products to find an insider threat? We will cover Macie, GuardDuty and Lambda to review a production account's actions and remediate findings as they arise. We will also cover the utilization of CloudWatch to unify our finds into a single pane of glass. Level 400
Office 365 environments are very attractive targets for attackers. So, it's never been more important to understand how its security structure works, and how to best configure it.
In this in-depth session, we'll run through real-time attack scenarios and examine common attack vectors. And then we'll explore the various defense capabilities of Office 365, the MS Graph API, and Azure AD. We'll deep-dive into external sharing, authentication options, third-party application security (what apps should and shouldn't be able to do), and even some do's and don'ts regarding Azure AD endpoints and authorization mechanisms.
You'll walk away with a solid understanding of how to use the Office 365 defense tools at your disposal, such as the Attack Simulator and Threat Intelligence, as well as how they relate to real-world attacks.
Lab-4 Reconnaissance and Information Gathering A hacker.docx - LaticiaGrissomzz
Lab-4: Reconnaissance and Information Gathering
A hacker uses many tools and methods to gather information about the target. There are two broad categories of information gathering methods: passive and active. These methods are detailed in the table below. In this lab, you will perform passive information gathering (gray-shaded column). In Lab 5, you will be performing active information gathering. Please review the table before starting this lab.
Information Gathering: Passive (Reconnaissance and Information Gathering) – This Week, compared with Active (Scanning and Enumeration) – Next Week
Is the hacker in direct contact with the target?
- Passive: No direct contact with the target
- Active: Direct contact with the target
Are the activities logged?
- Passive: No audit records on the target
- Active: Audit record might be created
What kind of tools have been used?
- Passive: Web archives, Whois service, DNS servers, Search Engines
- Active: Port scanners, network scanners, vulnerability scanners (Nessus, Nmap)
What information can a hacker collect?
- Passive: IP addresses, network range, telephone numbers, E-mail addresses, active machines, operating system version, network topology
- Active: Live hosts on a network, network topology, OS version, open ports on hosts, services running on hosts, running applications and their versions, patching level, vulnerabilities.
In passive information gathering, the hacker does not directly contact the target; therefore, no audit logs are created. Both non-technical (such as employee names, birth dates, e-mail addresses) and technical information (IP addresses, domain names) can be gathered. This information can be used in many ways in the subsequent steps of the attack. For example, the phone numbers or e-mail addresses you discovered can be used in social engineering attacks. DNS records or subdomain names can be used to leverage specific attacks against hosts or URLs.
More notes on Reconnaissance and Information Gathering:
1) In this phase, an attacker may collect a lot of information without being noticed.
2) In some cases, an attacker may even discover vulnerabilities.
3) The information collected in this phase can be quite valuable when evaluated together with the information collected in the scanning and enumeration phase. For example, you might find the phone number and name of an employee in this phase, and you may find the computer IP address in the active scanning phase. You can use these two pieces of information together to leverage a social engineering attack. An attacker will increase the chance of gaining trust when s/he calls the victim by name and talks about something specific to the victim's computer.
4) Companies should also perform reconnaissance and information gathering against themselves so that they can discover -before hackers- what kind of information the company and company employees disclose.
In this lab, you will practice 6 passive methods of Reconnaissance and Information Gathering. You have to use Kali VM in Sections 3, 5, and 6 of the lab. You may use Kali.
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap... - IBM Security
View the on-demand recording: http://securityintelligence.com/events/avoiding-application-attacks/
Your organization is running fast to build your business. You are developing new applications faster than ever and utilizing new cloud-based development platforms. Your customers and employees expect applications that are powerful, highly usable, and secure. Yet this need for speed coupled with new development techniques is increasing the likelihood of security issues.
How can you meet the needs of speed to market with security? Hear Paul Ionescu, IBM Security, Ethical Hacking Team Lead discuss:
- How application attacks work
- Open Web Application Security Project (OWASP) goals
- How to build defenses into your applications
- The 10 most common web application attacks, including demos of the infamous Shellshock and Heartbleed vulnerabilities
- How to test for and prevent these types of threats
Have you ever run a vulnerability scanner and thought "Okay...so now what?". This talk explores how to go beyond running a vulnerability scanner by walking through a penetration test with examples and tips along the way.
Cloud Security Engineering - Tools and Techniques - Gokul Alex
Cloud Security Engineering Education Materials prepared by Gokul Alex. It covers the essential tools and techniques to protect cloud enterprise architectures and cloud information systems.
DIY guide to runbooks, incident reports, and incident response - Nathan Case
In this session, we explore the cost of incidents and consider creative ways to look at future threats. We walk you through the threat landscape, looking at what has happened over the last year. Learn about the best open-source tools to have in your security arsenal now and in the future to help you detect and deal with the threats of today and tomorrow. Finally, learn how to identify where these threats are coming from and how to detect them more easily. The information in this session is provided by various teams and sources.
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources - OWASP Delhi
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July.
Watch the webinar here - https://youtu.be/BQWcUjzxJE0
Have you been wondering about how to start in mobile application security, more specifically iOS/Android application security? In this talk, I will try to answer some of the most common questions about getting started in mobile application security testing, starting from what platform to choose, where to learn, good resources, hardware requirements, etc. I will also demo Mobexler - A Mobile Application Penetration Testing Platform - and how you can use it for pentesting of iOS as well as Android apps. This talk will be a mix of some demo and some knowledge.
Securing dns records from subdomain takeover - OWASP Delhi
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July.
Watch the webinar here - https://www.youtube.com/watch?v=C0LQJTXFosI
The speaker will be speaking upon the following abstract -
Basics of DNS records
Introduction to DNS record takeovers
Different types of DNS takeovers
Its impact
How to protect DNS records from takeover
Demo
Q&A
This talk will be for product security folks/ people on defending side. The speaker will also be covering the concept behind subdomain takeovers and its impact.
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 31st May.
Watch the webinar here - https://www.youtube.com/watch?v=22Hccp-7UDU
A person's assessment/ investigation is only as good as the report that supports it.
A good quality or effective report is a presentation of you as an assessor, analyst, or consultant.
The speaker discusses here the important points to keep in mind while preparing a Cyber Security Report. A must know webinar for all - freshers, professionals, bug bounty hunters and the C- level entities.
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 24th May.
Watch the webinar here - https://www.youtube.com/watch?v=jmzfdw-UYC0
An air gapped environment is described as “computer or network that has no network interfaces, either wired or wireless, connected to outside network.” In this case, side channels and proximity are leveraged to eavesdrop on air gapped systems. A case study showing practical use case of sniffing is also discussed.
Link to the Webinar - https://youtu.be/jmzfdw-UYC0
Combined (NullDelhi + OWASPDelhi) Webinar on UDP Hunter by Savan Gadhiya on 10th May, 2020.
For the full video, please visit - https://www.youtube.com/watch?v=yLEL5XrzFyE
The speaker discussed the docker attack surface. Furthermore, he demonstrated how an attacker can escape the docker container and gain access to the host machine.
Companies and organizations have been following many traditional strategies for deploying WAF (web application firewall) in their infrastructure where most of the work is done manually. Every ACL, every rule entry, every signature, and every other configuration was created and managed by hand. It could have various flaws: flaw of wrong ACL, flaw of accidental misconfiguration, flaw of bad signature, and other various things. The good news is that thanks to the DevOps Rebel Alliance, we now have a better way to do things: Infrastructure-as-Code (IAC).
Instead of clicking around a web UI or manually executing commands and setting up rules and configuration, the idea behind IAC is to write code to define, provision, and manage your WAF. You can validate each WAF change through code reviews and automated tests and you can create/use a library of reusable, documented, battle-tested code that makes it easier to scale and evolve your WAF. In this talk by Avinash Jain, we will have a quick look at the various concepts of the what, how and why of "Automating AWS WAF using Terraform".
Discussion on traditional threat intelligence model, explore advanced approaches to reduce manual intervention and convert it into actionable threat intelligence.
Slides of the talk delivered by Chandra Ballabh in the August, 2019 Meetup of Combined OWASP Delhi and nullDelhi at Thoughtworks, Delhi
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the below 4 vulnerabilities -
Injection
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring
Pentesting Rest API's by Gaurang Bhatnagar - OWASP Delhi
Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks
Wireless security beyond password cracking by Mohit Ranjan - OWASP Delhi
Network attacks in wired LAN environments
Protection in wired LAN
Layout of modern networks (wired + wireless)
Difference between wired and wireless security
Most powerful situation to acquire in any network
Wireless attacks
Why NTP?
Captive portal attacks
Conclusion and some wild thoughts
For complete data to perform this attack please go to the Github link below:
https://github.com/mohitrajain/Wireless_security_beyond_password_cracking
IETF's Role and Mandate in Internet Governance by Mohit Batra - OWASP Delhi
1. Internet Governance (IG) Primer
2. I-* Organizations
3. IANA function -Names, Numbers and Protocol Parameters
4. IANA Transition
5. WHOIS for names and numbers
6. Need for Standardization and Standardization Bodies
7. How IETF Works
8. TLS Protocol
9. Increasing Indian participation in global Internet Governance activities and structures
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra - OWASP Delhi
Agenda
Hypervisor: what, how and why?
Hypervisor in Linux
Capsule course on hypervisor (Intel VT-x, AMD-V, KVM)
Spawning a bare-bone VM
Injecting code in VM
I/O Between Host and Guest
Converting C Code to Shellcode
2. About Myself:
● Ankit Giri (@aankitgiri)
● Associate Security Consultant | TO THE NEW Digital
● Web and Mobile Application Security Researcher
● Bug Hunter (Hall of Fame: EFF, GM, HTC, Sony, Mobikwik, Pagerduty and some more)
● Blogger, Orator and an active contributor to OWASP and null Community
● The Most Viewed Writer in Web application Security, Network Security and Penetration Testing on Quora
3. About Today's Talk:
● Cloud Security:
● Some interesting instances of breach
● Best practices to protect AWS account from unauthorized access and usage
● What and How to look for security loopholes
● Audit scripts
● What one should learn to safeguard Cloud application?
4. Few instances of breach (Live examples)
Account compromise via leak of AWS Keys on GitHub:
I woke up one morning, only to find a few emails and a missed phone call from an ISD number (it was from Amazon AWS) - something about 140 servers running on my AWS account.
5. Few instances of breach (Live examples)
Account compromise via leak of AWS Keys on GitHub:
What was my mistake in this case?
"I only had keys in some of my scripts I had written for some client. And we had a habit of pushing the code to GitHub. And they were gone within five minutes!!"
"As it turns out, through the API calls you can actually spin up EC2 instances, and my key had been spotted by a bot that continually searches GitHub for API keys."
Amazon support staff told me that such bot exploits were increasingly common, with hackers running algorithms to perpetually search GitHub for API keys.
Once a bot finds one, it spins up the maximum number of EC2 instances to farm Bitcoins for itself.
6. The root cause :
The secret keys are issued by Amazon Web Services when users open an account and provide
applications access to AWS resources.
When opening an account, users are told to “store the keys in a secure location” and are warned that
the key needs to remain “confidential in order to protect your account”.
AWS reminds subscribers that "anyone who has your access key has the same level of access to your
AWS resources that you do. Consequently, we go to significant lengths to protect your access keys,
and in keeping with our shared-responsibility model, you should as well."
However, a search on GitHub reveals thousands of results where code containing AWS secret keys
can be found in plain text, which means anyone can access those accounts.
Search it on your own (But after this presentation gets over :) )
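A check that catches this mistake before the push, as an added example that is not part of the original slides: it scans file contents for strings shaped like AWS access key IDs and secret access keys and can be wired in as a pre-commit hook. The function names and the entropy threshold are assumptions of this sketch; the two sample credentials are the placeholder values AWS uses in its own documentation.

```python
import math
import re
import sys

# Access key IDs are 20 characters: a prefix (AKIA long-term, ASIA temporary)
# followed by 16 upper-case letters or digits.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 characters from the base64 alphabet.
SECRET_CANDIDATE = re.compile(
    r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")

# Constructed sample file. The two credentials are AWS documentation
# placeholders; the last line is a harmless SHA-1 digest.
SAMPLE = '''import boto
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
COMMIT = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
'''


def shannon_entropy(s):
    """Bits per character; hex digests stay below 4.0, random base64 goes higher."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s))
                for c in set(s))


def redact(value):
    """Keep findings useful without copying the secret into logs."""
    return value[:4] + "..." + value[-4:]


def scan_text(path, text):
    """Return (path, line, kind, redacted value) for every suspected key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((path, lineno, "access-key-id", redact(m.group())))
        for m in SECRET_CANDIDATE.finditer(line):
            # The entropy floor drops 40-character hex strings (commit ids).
            if shannon_entropy(m.group()) > 4.0:
                findings.append(
                    (path, lineno, "secret-access-key", redact(m.group())))
    return findings


if __name__ == "__main__":
    # As a pre-commit hook: pass the staged file names, block on any finding.
    found = []
    for name in sys.argv[1:]:
        with open(name, errors="replace") as fh:
            found += scan_text(name, fh.read())
    for f in found:
        print("%s:%d: possible %s %s" % f)
    sys.exit(1 if found else 0)
```

A key that has already been pushed must be treated as compromised and rotated; removing it from the repository afterwards does not help, as the five-minute timelines above show.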
7. Another Case where this happened!
Dev Factor founder Andrew Hoffman said he used Figaro to secure Rails apps which published his
Amazon S3 keys to his GitHub account.
He noticed the blunder and pulled the keys within five minutes, but that was enough for a bot to
pounce and spin up instances for Bitcoin mining.
"When I woke up the next morning, I had four emails and a missed phone call from Amazon AWS -
something about 140 servers running on my AWS account," Hoffman said.
"I only had S3 keys on my GitHub and they were gone within five minutes!"
"As it turns out, through the S3 API you can actually spin up EC2 instances, and my key had been
spotted by a bot that continually searches GitHub for API keys."
Amazon (he said) told him such bot exploits were increasingly common, with hackers running
algorithms to perpetually search GitHub for API keys.
8. Few instances of breach (Live examples)
❖ Several bloggers have admitted getting a shock after receiving large bills for bandwidth usage
they didn't initiate. For example, Luke Chadwick was hit with a US$3493 (A$3842) bill in
December, because of unauthorised activity. To his relief, this was later refunded by AWS.
❖ Earlier this year, AWS contacted Rich Mogull, analyst and CEO of Securosis after three days of
unusual activity on his account had run up US$500 in charges. In a blog post from January,
Mogull said he had mistakenly published his AWS secret key on GitHub.
"I did not completely scrub my code before posting to GitHub. I did not have billing alerts enabled ...
This was a real mistake ... I paid the price for complacency," he admitted in his blog.
9. What AWS thinks of these breaches?
In a statement, AWS told iTnews it "takes security very seriously and provides many resources,
guidelines and mechanisms to help customers configure AWS services and develop applications using
security best practices."
"However, developers are responsible for following our guidance and utilising those mechanisms.
When we become aware of potentially exposed credentials, we proactively notify the affected
customers and provide guidance on how to secure their access keys," the statement said.
10. What is SSRF Attack ?
Server Side Request Forgery (SSRF) is a vulnerability
that appears when an attacker has the ability to create
requests from the vulnerable server.
Usually, Server Side Request Forgery (SSRF) attacks
target internal systems behind the firewall that are
normally inaccessible from the outside world (but using
SSRF it’s possible to access these systems). With SSRF
it’s also possible to access services from the same server
that is listening on the loopback interface.
Using Server Side Request Forgery attacks it’s
possible to:
➢ Scan and attack systems from the internal network
that are not normally accessible
➢ Enumerate and attack services that are running on
these hosts
➢ Exploit host-based authentication services
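The standard server-side mitigation, as an added example that is not from the original slides: before the server fetches a user-supplied URL, resolve the host and refuse loopback, private and link-local destinations (the link-local range includes 169.254.169.254, the EC2 instance metadata address). The function names and the sample DNS table are constructed for this sketch.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed name-to-address table standing in for DNS so this runs offline.
SAMPLE_DNS = {
    "images.example.org": {"93.184.216.34"},
    "intranet.example": {"10.0.3.7"},
    "localhost": {"127.0.0.1"},
    "mixed.example": {"93.184.216.34", "169.254.169.254"},
}


def sample_resolver(host):
    if host in SAMPLE_DNS:
        return SAMPLE_DNS[host]
    try:
        return {str(ipaddress.ip_address(host))}  # host is already an IP literal
    except ValueError:
        raise OSError("unknown host") from None


def system_resolver(host):
    """Every address the name resolves to, IPv4 and IPv6."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal(addr):
    """True for loopback, private, link-local and other non-public ranges."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:a.b.c.d hides an IPv4 target
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL the server has been asked to fetch."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not host:
        return False, "no host"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "host does not resolve"
    # Reject if ANY address is internal; the fetch must then connect to one of
    # these vetted addresses, since a second lookup could return a different one.
    for addr in sorted(addrs):
        if is_internal(addr):
            return False, f"{addr} is internal"
    return True, "ok"


if __name__ == "__main__":
    for url in ("https://images.example.org/a.png", "http://mixed.example/x"):
        print(url, check_outbound_url(url, sample_resolver))
```

Redirects need the same check on every hop, otherwise an allowed public URL can bounce the server to an internal one.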
11. SSRF Attack (Live Example)
Recently a client received an email from an organization complaining about random requests on their
servers from one of the client's IPs. On investigating the issue, we found out that the complaint was
correct: there had been an increase in Network Out data from our instances, resulting in high
billing on the account.
The approach followed was:
● Search for unrecognised processes on the server; this time a process named "chaos" was found.
● Run the lsof command (http://freecode.com/projects/lsof/):
● lsof -p <pid of that process>
● Check whether this process is hitting some IP on the network.
● Look up that IP on the Net; this time the IP was found to belong to the Hong Kong Trade
Center.
● Don't try to kill the process: it will restart again, as copies of this process may be present
anywhere on the server.
● Just terminate this instance and launch a new server.
● Look at the Security Group.
● Close all the ports that are open to all, except 80.
12. A similar issue was reported in “Pocket”
Here is the link:
https://news.ycombinator.com/item?id=10078967
13. There's a Hole in 1,951 Amazon S3 Buckets
We discovered 12,328 unique buckets with the following breakdown:
Public: 1,951
Private: 10,377
Approximately 1 in 6 buckets of the 12,328 identified were left open for the perusal of anyone that's
interested.
These 12,328 buckets were skewed towards those we could identify based on domain name, word list,
or use within web sites. From the 1,951 public buckets we gathered a list of over 126 billion files. The
sheer number of files made it unrealistic to test the permissions of every single object, so a random
sampling was taken instead. All told, we reviewed over 40,000 publicly visible files, many of which
contained sensitive data.
14. ❖ Some specific examples of the data found are listed below:
➢ Personal photos from a medium-sized social media service
➢ Sales records and account information for a large car dealership
➢ Affiliate tracking data, click-through rates, and account information for an ad company’s
clients
➢ Employee personal information and member lists across various spreadsheets
➢ Unprotected database backups containing site data and encrypted passwords
➢ Video game source code and development tools for a mobile gaming firm
➢ PHP source code including configuration files, which contain usernames and passwords
➢ Sales “battlecards” for a large software vendor
15. Root Cause :
The root of the problem isn't a security hole in Amazon's storage cloud, according to Vandevanter.
Rather, he credited Amazon S3 account holders who have failed to set their buckets to private -- or to
put it more bluntly, organizations that have embraced the cloud without fully understanding it. The
fact that all S3 buckets have predictable, publicly accessible URLs doesn't help, though.
What makes it a common vulnerability?
Just because a file is listed in a bucket doesn't mean it can be downloaded: buckets and objects have
their own access control lists (ACLs). However, even if a user does lock down the files within a public
bucket, a data thief could still glean potentially sensitive information from the file names, including
customer names or the frequency with which applications are backed up.
Contributing to the problem may be the fact that all S3 buckets have a unique, predictable, and
publicly accessible URL, which makes it easy to track down buckets and determine which are private
and which are public. By default this URL will be either
http://s3.amazonaws.com/[bucket_name]/ or http://[bucket_name].s3.amazonaws.com/.
If you enter the URL and receive an Access Denied response, the bucket is private. If it's public, you'll
be presented with the first 1,000 objects stored therein.
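To audit your own buckets for this, the example below (added here, not from the original slides) reads bucket ACLs in the shape `aws s3api get-bucket-acl` returns and reports every grant to the two public groups, with what that grant allows. Bucket names and ACL contents are constructed; only ACLs are inspected, and bucket policies, which can also grant public access, are not.

```python
GROUP_URI = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GRANTEES = {
    GROUP_URI + "AllUsers": "anyone",
    GROUP_URI + "AuthenticatedUsers": "any AWS account",
}
# What each bucket-level ACL permission lets the grantee do.
EFFECT = {
    "READ": "list object names",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "list, write and rewrite the ACL",
}
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"}

# Constructed ACLs (parsed JSON) for three hypothetical buckets.
SAMPLE_ACLS = {
    "example-assets": {"Grants": [
        OWNER,
        {"Grantee": {"Type": "Group", "URI": GROUP_URI + "AllUsers"},
         "Permission": "READ"}]},
    "example-uploads": {"Grants": [
        OWNER,
        {"Grantee": {"Type": "Group", "URI": GROUP_URI + "AuthenticatedUsers"},
         "Permission": "WRITE"}]},
    "example-backups": {"Grants": [OWNER]},
}


def public_grants(acl):
    """Return (grantee, permission, effect) for each grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GRANTEES.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and who:
            perm = grant["Permission"]
            findings.append((who, perm, EFFECT.get(perm, "unknown permission")))
    return findings


def audit_buckets(acls):
    """Map bucket name to its public grants, omitting buckets that have none."""
    report = {name: public_grants(acl) for name, acl in acls.items()}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for bucket, found in audit_buckets(SAMPLE_ACLS).items():
        for who, perm, effect in found:
            print(f"{bucket}: {who} has {perm} ({effect})")
```

A READ grant to AllUsers is what produces the object listing described above; a WRITE grant to either group lets outsiders place files in the bucket even when nothing in it is readable.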
17. Publicly accessible S3 Bucket, folders and files :
Hi All,
I know that hackerone-attachments is used for file uploads on reports and so I did a quick
scan for similar buckets and found ████████████████. While I can't confirm if you
own it or not, it appears that it is publicly writable using the aws cli.
When I tried to write to hackerone-attachments, I get:
"move failed: ./test.txt to s3://hackerone-attachements/test.txt A client error
(AccessDenied) occurred when calling the PutObject operation: Access Denied.
However, when I write to ████████████████, I get:
move: ./test.txt to s3://████████████████/test.txt
Hopefully the bucket is yours and this isn't a waste of time. If you do own it, a good thing
is the bucket is not publicly readable and the file appears private by default after being
written. However, assuming you own it, the security issue would be someone writing
something malicious and someone on your team unknowingly opening it.
Pete
Security Researcher
https://hackerone.com/reports/128088
18. Publicly accessible S3 Bucket, folders and files :
HackerOne rewarded yaworsk with a $2,500 bounty. Apr 4th (6 days ago)
Thanks again for the great report, @yaworsk.
It's always great to see researchers thinking outside the normal web app confines and
considering other parts of technical infrastructure that could affect a company. While you
weren't able to read any contents from that bucket (and even if you would, everything is
encrypted using AES-256), an attacker could theoretically post a file into that bucket that
may at some point be accessed by a HackerOne staff member, thinking it's been
uploaded by another staff member or some automated system.
This issue also led us to audit some of our additional S3 buckets (we have quite a few),
and we found some similar issues among several of them. As such, we are increasing the
bounty to take those additional mitigations into account, even though they weren't
discovered by you.
Look forward to seeing what you find next! Happy hacking. :-)
19. Another Case where this happened!
Recently an Amazon S3 bucket (http://shopify.com.s3.amazonaws.com/) was
unintentionally left with directory listing enabled. Even though the files in the bucket were
all publicly accessible, it was not intended for the directory listing to be visible.
https://hackerone.com/reports/57505
20. Bucket Finder script :
How to use and exploit scenario:
http://hackoftheday.securitytube.net/2013/04/finding-publicly-readable-files-in-your.html
https://digi.ninja/projects/bucket_finder.php
21. I was recently searching for something on Google and came across this instance of what might be a logical
vulnerability prevailing across multiple web applications. I was searching for publicly accessible Jenkins
consoles through Google Dorking. My search query listed some of the websites that had Jenkins as a part of
their domain name. Although this in itself is not a security issue, it reveals the fact that Jenkins is being
used as a CI (Continuous Integration) tool and that its console is publicly accessible. The following
information may be used to plan a chain of attacks.
Jenkins can lead to a disaster?
22. What took me by surprise is that I found many Jenkins consoles with no authentication mechanism enabled
on them. I could easily open the console, read the usernames, the build history, logs of builds and much
more. This made me think about the necessity of having proper security implemented on a Jenkins
console. So, this blog post will cover the devastating effect of a compromised Jenkins server and
how to protect against it.
Jenkins can lead to a disaster?
23. Treasure of credentials such as AWS Access keys and Secret key.
Impact: Anyone can use the AWS account linked to the Access keys and Secret keys to launch resources,
which will lead to the owner getting billed for them. A person possessing these credentials gets full access to
the AWS account.
The server's pem files, IP addresses, usernames, email addresses etc.
Impact: The disclosure of the above-mentioned information will lead to logging into the server
(remember there may be a hundred servers accessible from this console), running arbitrary commands
on it, and getting access to users and their respective passwords (and what not!).
The revealed usernames and email addresses will also enable the attacker to plan much more sophisticated
attacks on the organization, as he is now much more aware of the developer and other accounts that are
present. This can also result in him brute forcing other applications such as the Admin and CMS portals of the
application.
Why compromised Jenkins can lead to a disaster?
24. GitHub SSH Key
SSH keys are used to identify trusted computers, without involving passwords. Jenkins has a Git plugin
which enables us to run Git commands from the Jenkins console itself. So, a
publicly accessible Jenkins console will enable an attacker to view, modify and update the code of the
production application. In the worst scenario possible, the attacker can issue a “git branch -m production”
command and delete all the existing code and thus bring the application down by deleting the
“production” branch containing the code of the application.
S3 Bucket
The Jenkins console might have access to private S3 buckets containing content such as images, log files,
code backups etc. This access to essential data can be abused to delete important files and folders.
25. A public cloud is one based on the standard cloud computing model, in which a service provider makes
resources, such as applications and storage, available to the general public over the Internet. Public cloud
services may be free or offered on a pay-per-usage model.
The main benefits of using a public cloud service are:
# Easy & inexpensive set-up because hardware, application & bandwidth costs are covered by the provider.
# Scalability to meet needs.
# No wasted resources because you pay for what you use.
AWS - Public Cloud
26. The term "public cloud" arose to differentiate between the standard model and the private
cloud, which is a proprietary network or data center that uses cloud computing technologies,
such as virtualization. A private cloud is managed by the organization it serves. A third
model, the hybrid cloud, is maintained by both internal and external providers.
Examples of public clouds include Amazon Elastic Compute Cloud (EC2), IBM's Blue Cloud,
Sun Cloud, Google AppEngine and Windows Azure Services Platform.
AWS - Public Cloud
27. Amazon VPC
•Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the
Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that
you define. You have complete control over your virtual networking environment, including selection
of your own IP address range, creation of subnets, and configuration of route tables and network
gateways.
•You can easily customize the network configuration for your Amazon Virtual Private Cloud. For
example, you can create a public-facing subnet for your webservers that has access to the Internet, and
place your backend systems such as databases or application servers in a private-facing subnet with no
Internet access. You can leverage multiple layers of security, including security groups and network
access control lists, to help control access to Amazon EC2 instances in each subnet.
•Additionally, you can create a Hardware Virtual Private Network (VPN) connection between your
corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate
datacenter.
28. ● Disable root access key and secret key.
● Enable MFA tokens for each IAM user.
● Have minimum IAM users with Admin rights.
● Use Roles for EC2 instances for access permissions wherever possible.
● Provide least privileges and limit IAM entities actions with strong/explicit policies.
● Rotate all the keys on a regular basis (say 60 days).
● Use IAM roles with STS AssumeRole wherever possible.
● Do not allow 0.0.0.0/0 for any EC2/ELB security group.
● Apply proper S3 bucket policies with public access to only files instead of sharing a bucket/folder.
● Create all resources within a VPC.
● Make sure only required ports are open.
Best practices to protect AWS account from unauthorized
access and usage:
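Several items in this list can be checked mechanically. The script below is an added example, not the in-house audit script the slides mention: it audits an IAM credential report for an active root access key, console users without MFA and keys older than 60 days, and audits security groups for ingress open to 0.0.0.0/0. The sample report, group IDs and audit date are constructed, and the `public_ports` parameter is an assumption of this sketch.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=60)  # rotation interval suggested in the list
# Constructed sample: a subset of the columns of an IAM credential report.
CREDENTIAL_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,not_supported,false,true,2015-01-10T09:00:00+00:00
alice,true,true,true,2016-03-20T09:00:00+00:00
bob,true,false,true,2015-11-02T09:00:00+00:00
ci-deploy,false,false,false,N/A
"""
# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SECURITY_GROUPS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]}]})


def audit_credentials(report_csv, now):
    """Flag an active root key, console users without MFA, and stale keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        key_active = row["access_key_1_active"] == "true"  # key 2: same columns
        if user == "<root_account>":
            if key_active:
                findings.append((user, "root access key is active"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console user without MFA"))
        if key_active:
            age = now - datetime.fromisoformat(row["access_key_1_last_rotated"])
            if age > MAX_KEY_AGE:
                findings.append((user, f"key not rotated for {age.days} days"))
    return findings


def audit_security_groups(sg_json, public_ports=frozenset()):
    """Flag ingress open to 0.0.0.0/0, except single ports listed as public."""
    findings = []
    for group in json.loads(sg_json)["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            lo, hi = perm.get("FromPort"), perm.get("ToPort")  # absent: all traffic
            if "0.0.0.0/0" not in cidrs or (lo == hi and lo in public_ports):
                continue
            ports = "all ports" if lo is None else f"{lo}-{hi}"
            findings.append((group["GroupId"], f"{ports} open to 0.0.0.0/0"))
    return findings

if __name__ == "__main__":
    now = datetime(2016, 4, 10, 9, 0, tzinfo=timezone.utc)  # constructed audit date
    for who, what in (audit_credentials(CREDENTIAL_REPORT, now)
                      + audit_security_groups(SECURITY_GROUPS, {80})):
        print(f"{who}: {what}")
```

With no `public_ports` argument every world-open rule is reported, matching the list's "do not allow 0.0.0.0/0" item; passing `{80}` exempts a public web port.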
29. ● Ensure all back-end servers, i.e. database servers, are accessible via web servers only.
● Have a separate IAM user for each team member.
● Attach all policies to groups and include users in a group as per access requirement.
● Avoid making the server_Status page publicly accessible.
● Ensure all SSL certificates follow SHA2 encryption.
● For details about migrating to SHA2 :
Set alarms on billing using Amazon CloudWatch.
This practice can be very useful to detect DDoS attacks and high data transfer occurrences.
For steps to set alerts on billing:
http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/free-tier-alarms.html
Some more Best practices to protect AWS account
30. ● Make sure the bash shell on all servers is ShellShock proof.
● The following command tests whether our Bash is vulnerable to ShellShock:
○ env var='() { ignore this;}; echo vulnerable' bash -c /bin/true
○ A vulnerable version of bash will output “vulnerable”.
● If the patch has been applied, the same command test will return:
○ bash: warning: var: ignoring function definition attempt
bash: error importing function definition for 'var'
31. •Using AWS WAF to block malicious requests
Best practices to protect AWS account from
unauthorized access and usage:
32. ● There is an Audit script that scans our AWS infrastructure for Security loopholes.
● Description and its need
● Center for Internet Security compliance and best practices
● Hardened AMIs provided by CIS:
https://aws.amazon.com/marketplace/search/results/ref=dtl_navgno_search_box?page=1&searchTerms=center+for+internet+security
● AWS Whitepaper
Some in-house solutions:
33. Best practices to protect AWS account
from unauthorized access and usage: