There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.
To demonstrate, we will show a few case-studies - most interesting examples from real-life industry software, which in our opinion are a quintessence of "security by obscurity". We will challenge the security of proprietary protocols in pull printing solutions, FOREX trading software, remote desktops and home automation technologies.
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
When it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
When speed and latency counts, there is no place for standard HTTP/SSL stack and a wise head comes up with a proprietary network protocol. How to deal with embedded software or thick clients using protocols with no documentation at all? Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, when you dive inside this traffic and reverse-engineer the communication inside, you are there. Welcome to the world full of own cryptography, revertible hash algorithms and no access control at all.
We would like to present our approach and a short guideline how to reverse engineer proprietary protocols. To demonstrate, we will show you few case-studies, which in our opinion are a quintessence of ""security by obscurity"" - the most interesting examples from real-life financial industry software, which is a particularly risky business regarding security.
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityJakub Kałużny
Did "cloud computing" and "big data" buzzwords bring new challenges for security testers?
Apart from complexity of Hadoop installations and number of interfaces, standard techniques can be applied to test for: web application vulnerabilities, SSL security and encryption at rest. We tested popular Hadoop environments and found a few critical vulnerabilities, which for sure cast a shadow on big data security.
The prevalence of computers in form of so called "smart" devices embedded in our everyday environment is inevitable. From pentester's perspective, the adjective "smart" at first glance can hardly be used to describe their inventors and ambassadors.
Based on a few examples (i.a. BTLE beacons, smart meters, security cameras...) I will show how easily "smart" devices can be outsmarted. Sometimes you don't even need any 'hacking' skills, or the default configuration is wide-open. But are we doomed? What are the conditions for real threat? Can the vulnerabilities be exploited anonymously and as easily as in web application? Where is the physical border the intruder would be likely to cross? The risks involved are usually different, but does it mean we don't have to worry? Are we sure how to use securely the emerging technology?
Reverse Engineering the TomTom Runner pt. 2Luis Grangeia
Second presentation of my research into reverse engineering a TomTom Runner GPS watch. In this I explain how I got running code inside an unfamiliar device and proceeded to bypass its security measures and extract firmware keys and code from the device.
More details on my personal blog, at http://grangeia.io
Presented in October 2015 at "Confraria de Segurança da Informação" in Lisbon
Rob Turner, Qualcomm Technologies
Almost three decades since the Morris worm and we're still plagued by memory corruption vulnerabilities in C and C++ software. Exploit mitigations aim to make the exploitation of these vulnerabilities impossible or prohibitively expensive. However, modern exploits demonstrate that currently deployed countermeasures are insufficient.
In ARMv8.3, ARM introduces a new hardware security feature, pointer authentication. With ARM and ARM partners, including Microsoft, we helped to design this feature. Designing a processor extension is challenging. Among other requirements, changes should be transparent to developers (except compiler developers), support both system and application code, interoperate with legacy software, and provide binary backward compatibility. This talk discusses the processor extension and explores the design trade-offs, such as the decision to prefer authentication over encryption and the consequences of small tags.
Also, this talk provides a security analysis, and examines how these new instructions can robustly and efficiently implement countermeasures.
Countering Innovative Sandbox Evasion Techniques Used by MalwareTyler Borosavage
Presented at the 2017 FIRST Conference by VMRay's Frederic Belser.
Learn more about VMRay - www.vmray.com
Automated behavior-based malware analysis is the core function of security solutions defined as “network sandboxing”. It came to the fore for analyzing and detecting advanced threats over a decade ago. Back then, malware authors had already found ways to evade tools like traditional antivirus, which rely on static analysis, by using techniques such as polymorphism, metamorphism, encryption, obfuscation and anti-reversing protection. Malware analysis sandboxes are now considered the last line of defense against advanced threats.
It is important to note, however, that the success of behavior-based malware detection hinges on the behavior exhibited by the file during analysis. If, for some reason, no malicious operations are performed by the file during the analysis, the sandbox concludes that the file under examination is benign. Malware authors are always looking for new, innovative ways to evade sandbox detection by concealing the real behavior of malicious files during analysis.
In order to cope with the omnipresent threat posed by malware, we must upgrade our defensive tools to succeed in the ongoing cat-and-mouse game of evasion and detection. We therefore must understand what evasion techniques are successfully employed in the wild.
This presentation provides an overview of the state-of-the-art evasion approaches used by malware. We divide these approaches into three categories and explore the various evasion techniques associated with each of these:
Evasion by detecting the presence of a sandbox: The first approach uses several techniques to detect the existence of a sandbox. Once a malicious file determines that it is being executed in a sandbox, it alters its behavior in an effort to avoid being detected.
Evasion by exploiting weaknesses in the underlying sandbox technology: The second approach directly exploits weaknesses in the underlying sandbox technology or in the surrounding ecosystem.
Evasion using time, event or environment based triggers: The third approach exploits the natural shortcomings arising from the fact that sandboxes are automated systems. In an effort to deal with the sheer volume of malware, sandboxes usually only spend a few minutes analyzing each file. By delaying the execution of a malicious payload by a certain amount of time, only becoming active on certain triggers, etc., malware can remain undetected.
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
When it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
When speed and latency counts, there is no place for standard HTTP/SSL stack and a wise head comes up with a proprietary network protocol. How to deal with embedded software or thick clients using protocols with no documentation at all? Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, when you dive inside this traffic and reverse-engineer the communication inside, you are there. Welcome to the world full of own cryptography, revertible hash algorithms and no access control at all.
We would like to present our approach and a short guideline how to reverse engineer proprietary protocols. To demonstrate, we will show you few case-studies, which in our opinion are a quintessence of ""security by obscurity"" - the most interesting examples from real-life financial industry software, which is a particularly risky business regarding security.
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityJakub Kałużny
Did "cloud computing" and "big data" buzzwords bring new challenges for security testers?
Apart from complexity of Hadoop installations and number of interfaces, standard techniques can be applied to test for: web application vulnerabilities, SSL security and encryption at rest. We tested popular Hadoop environments and found a few critical vulnerabilities, which for sure cast a shadow on big data security.
The prevalence of computers in form of so called "smart" devices embedded in our everyday environment is inevitable. From pentester's perspective, the adjective "smart" at first glance can hardly be used to describe their inventors and ambassadors.
Based on a few examples (i.a. BTLE beacons, smart meters, security cameras...) I will show how easily "smart" devices can be outsmarted. Sometimes you don't even need any 'hacking' skills, or the default configuration is wide-open. But are we doomed? What are the conditions for real threat? Can the vulnerabilities be exploited anonymously and as easily as in web application? Where is the physical border the intruder would be likely to cross? The risks involved are usually different, but does it mean we don't have to worry? Are we sure how to use securely the emerging technology?
Reverse Engineering the TomTom Runner pt. 2Luis Grangeia
Second presentation of my research into reverse engineering a TomTom Runner GPS watch. In this I explain how I got running code inside an unfamiliar device and proceeded to bypass its security measures and extract firmware keys and code from the device.
More details on my personal blog, at http://grangeia.io
Presented in October 2015 at "Confraria de Segurança da Informação" in Lisbon
Rob Turner, Qualcomm Technologies
Almost three decades since the Morris worm and we're still plagued by memory corruption vulnerabilities in C and C++ software. Exploit mitigations aim to make the exploitation of these vulnerabilities impossible or prohibitively expensive. However, modern exploits demonstrate that currently deployed countermeasures are insufficient.
In ARMv8.3, ARM introduces a new hardware security feature, pointer authentication. With ARM and ARM partners, including Microsoft, we helped to design this feature. Designing a processor extension is challenging. Among other requirements, changes should be transparent to developers (except compiler developers), support both system and application code, interoperate with legacy software, and provide binary backward compatibility. This talk discusses the processor extension and explores the design trade-offs, such as the decision to prefer authentication over encryption and the consequences of small tags.
Also, this talk provides a security analysis, and examines how these new instructions can robustly and efficiently implement countermeasures.
Countering Innovative Sandbox Evasion Techniques Used by MalwareTyler Borosavage
Presented at the 2017 FIRST Conference by VMRay's Frederic Belser.
Learn more about VMRay - www.vmray.com
Automated behavior-based malware analysis is the core function of security solutions defined as “network sandboxing”. It came to the fore for analyzing and detecting advanced threats over a decade ago. Back then, malware authors had already found ways to evade tools like traditional antivirus, which rely on static analysis, by using techniques such as polymorphism, metamorphism, encryption, obfuscation and anti-reversing protection. Malware analysis sandboxes are now considered the last line of defense against advanced threats.
It is important to note, however, that the success of behavior-based malware detection hinges on the behavior exhibited by the file during analysis. If, for some reason, no malicious operations are performed by the file during the analysis, the sandbox concludes that the file under examination is benign. Malware authors are always looking for new, innovative ways to evade sandbox detection by concealing the real behavior of malicious files during analysis.
In order to cope with the omnipresent threat posed by malware, we must upgrade our defensive tools to succeed in the ongoing cat-and-mouse game of evasion and detection. We therefore must understand what evasion techniques are successfully employed in the wild.
This presentation provides an overview of the state-of-the-art evasion approaches used by malware. We divide these approaches into three categories and explore the various evasion techniques associated with each of these:
Evasion by detecting the presence of a sandbox: The first approach uses several techniques to detect the existence of a sandbox. Once a malicious file determines that it is being executed in a sandbox, it alters its behavior in an effort to avoid being detected.
Evasion by exploiting weaknesses in the underlying sandbox technology: The second approach directly exploits weaknesses in the underlying sandbox technology or in the surrounding ecosystem.
Evasion using time, event or environment based triggers: The third approach exploits the natural shortcomings arising from the fact that sandboxes are automated systems. In an effort to deal with the sheer volume of malware, sandboxes usually only spend a few minutes analyzing each file. By delaying the execution of a malicious payload by a certain amount of time, only becoming active on certain triggers, etc., malware can remain undetected.
Ведущий: Макс Мороз
Обзор системы ClusterFuzz, позволяющей осуществить проверку браузера Chrome на наличие уязвимостей в режиме реального времени и получить воспроизводимые результаты исследования каждого конкретного сбоя. Будут продемонстрированы преимущества использования различных санитайзеров и LibFuzzer, библиотеки для направленного фаззинга. Будет приведена подробная статистика видов уязвимостей, найденных в Chrome. Слушатели узнают о подводных камнях распределенного фаззинга; о том, как можно запустить свои собственные фаззеры в инфраструктуре Google и получить вознаграждение за найденные уязвимости.
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
This presentation is an introduction to Cuckoo Sandbox, an automated a malware analysis system, and Intelligence to use this tool, at Department of Scientific Criminal Investigation in SungKyunKwan University in Korea.
APNIC Senior Security Specialist Adli Wahid presented on the APNIC Honeynet Project, interesting observations, mitigation and multistakeholder collaboration at Threat Con 2021, held online from 8 to 11 September 2021.
Mobile Facebook ADS: ideale per promuovere un'app di Saverio Bruno durante la giornata Digital Advertising svoltasi il 29 maggio 2014 a Torino nell'ambito del Digital Festival
Ведущий: Макс Мороз
Обзор системы ClusterFuzz, позволяющей осуществить проверку браузера Chrome на наличие уязвимостей в режиме реального времени и получить воспроизводимые результаты исследования каждого конкретного сбоя. Будут продемонстрированы преимущества использования различных санитайзеров и LibFuzzer, библиотеки для направленного фаззинга. Будет приведена подробная статистика видов уязвимостей, найденных в Chrome. Слушатели узнают о подводных камнях распределенного фаззинга; о том, как можно запустить свои собственные фаззеры в инфраструктуре Google и получить вознаграждение за найденные уязвимости.
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
This presentation is an introduction to Cuckoo Sandbox, an automated a malware analysis system, and Intelligence to use this tool, at Department of Scientific Criminal Investigation in SungKyunKwan University in Korea.
APNIC Senior Security Specialist Adli Wahid presented on the APNIC Honeynet Project, interesting observations, mitigation and multistakeholder collaboration at Threat Con 2021, held online from 8 to 11 September 2021.
Mobile Facebook ADS: ideale per promuovere un'app di Saverio Bruno durante la giornata Digital Advertising svoltasi il 29 maggio 2014 a Torino nell'ambito del Digital Festival
Nanotechnology, ubiquitous computing and the internet of thingsKarlos Svoboda
The aim of this report is to provide a review of current developments in nanotechnology, ubiquitous
computing and what is increasingly being referred to as “domotics” – the integration of domestic architectures (domus) with information systems and devices (imformatics). The report will also provide a preliminary analysis of the potential impacts of these developments on the right to privacy and to data protection.
These areas of technological development represent the convergence of two domains of current research – nanoscience and distributed computing. Much of the existing literature suggests that advances in nanotechnology are likely to operate as a underlying suite of techniques that will enable the development of miniaturised and distributed information systems and the integration of informatics devices into a range of everyday consumer goods and household architectures. As we outline below the convergence of nanotechnology and research in ubiquitous and distributed systems is likely to result in the development of a range of new sensor technologies and advances in surveillance and monitoring techniques, deployed in civilian, military and security contexts. For these reasons advances in nanotechnology and ubiquitous computing are likely to intensify existing concerns associated with data collection and the right to privacy.
In order to provide some background to our review of these issues in this section of the report we outline definitions of the field and current trends in surveillance, data-mining and monitoring.
From "Stand by Your Man" to "Stand by Your Suntan:" Women in boardsports from...Cori Schumacher
Takes a closer look at the mythology of female surfing as represented by the surf industry (e.g. surf brands/companies; surf media). The key is not to deny forthright the sexuality of women, but to ensure that women are not simply narrowly defined as passive objects for another's sexual pleasure. This is especially important in sports where we find a powerful paradigm of health and mitigating the negative social influences of the media and peers.
IDENTIFIES the opportunity of Sports, specifically boardsports, as a social institution that mitigates the influence of media and peers in the sexualization of girls and women; DEFINES the problem of how women and girls (and female athletes) are represented by the majority of surf companies through their websites and advertising and how the surf media narrowly portrays and marginalizes female surfers using sociological concepts; EXPLORES the sponsorship dynamic and how it creates and maintains the internalization of the sexualization, learned helplessness and negative body image of young girls in surfing despite the rhetoric of surf brands claiming to be "authentic" depictions of the life of sponsored athletes; TARGETS three areas which require attention to FIX the problems illustrated, with an added emphasis on the need for the visibility of positive role models who are not narrowly defined by their sexuality.
To celebrate CadSoft turning 25, we surveyed engineers involved in the field of PCB design to get a snapshot of the industry trends in 2013.
Here we present our findings.
http://www.opitz-consulting.com
In this session our experts and Oracle ACE Directors Danilo Schmiedel and Torsten Winterberg have presented an in-depth discussion of Oracles new Internet of Things (IoT) Cloud Service from an architectural perspective. They have presented a reference architecture that also includes Oracles Integration, Process, Big Data, and Mobile Cloud Services. During the session they have demonstrated highlights and lessons learned from their first implementations with IoT Cloud Service.
The core of the story has been a live demo showing the development of a vending machine case. The vending machine is simulated by a Pi, which calls the IoT cloud, routes data to BI cloud and some ERP in the cloud. The way back is initiated by an iBeacon placed on the vending machine, which triggers a mobile app that simulates payment and talks via IoT Cloud directly with the vending machine to complete the purchase.
http://www.opitz-consulting.com
Charla impartida por Juan Garrido de Informática 64, en el I Curso de Verano de Informática Forense de la Facultad de Informática de la Universidad de A Coruña.
CC-4005, Performance analysis of 3D Finite Difference computational stencils ...AMD Developer Central
Presentation CC-4005, Performance analysis of 3D Finite Difference computational stencils on Seamicro fabric compute systems, by Joshua Mora from the AMD Developer Summit (APU13) November 2013.
66% of IT decision makers, including C-suite executives, believe that Chip and Signature does not offer credit card holders sufficient security and that Chip and PIN should be required, according to a new survey on EMV readiness from Randstad Technologies, a leading technology talent and solutions provider. By October 15, 2015, the majority of U.S. businesses must transition to EMV-capable technologies or become liable for any costs incurred from fraud using old magnetic strip technologies.
When Attention is not Scarce – Detecting Boredom from Mobile Phone UsageMartin Pielot
Slides from the presentation at ACM UbiComp 2015
When Attention is not Scarce – Detecting Boredom from Mobile Phone Usage (best-paper award).
Martin Pielot, Tilman Dingler, Jose San Pedro, and Nuria Oliver
UbiComp’ 15: ACM International Joint Conference on Pervasive and Ubiquitous Computing, 2015.
Shameful secrets of proprietary network protocolsSlawomir Jasek
There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.
To demonstrate, we will show a few case-studies - most interesting examples from real-life industry software, which in our opinion are a quintessence of "security by obscurity". We will challenge the security of proprietary protocols in pull printing solutions, FOREX trading software, remote desktops and home automation technologies.
More and more IoT vulnerabilities are found and showcased at security events. From connected thermostats to power plants!
Insecurity became the favorite subject for creating catchy IoT headlines: "Connected killer toaster", "Fridges changed into spamming machines","Privacy concerns around connected home".
We will explore the five challenges one has to face when building a secure IoT solution:
- hardware security: how to avoid rogue firmwares and keep your security keys safe?
- upgrade strategy: you can't secure what you can't update!
- secure transport: no security without secure transports.
- security credentials distribution: how to distribute security keys to a fleet with millions of devices?
- cloud vulnerability mitigation, how to keep your fleet of devices safe from the next Heartbleed?
Current enterprise infrastructure provides solutions for handling application security but are they really matching the IoT challenge? Could running a PKI client on a low power wireless sensor node be an option?
Despite those difficulties, we will show how a modern IoT device management standard like Lightweight M2M with DTLS is the way for building a secur-first IoT solutions. It provides a solution for upgrading your device, distributing your security keys and comes with a full range of cryptography cipher suites, from PSK algorithm for very constrained devices to high level of security using X.509 certificates.
Furthermore for adding security to your solution we will present you ready to use opensource libraries for implementing secure IoT servers and devices. The way for quickly releasing your next catchy connected product.!
Ultimately we will showcase Wakaama and Leshan, the Eclipse IoT Lightweight M2M implementation maybe your next best friend in the troubled water of Internet-Of-Things security!
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...PROIDEA
In my topic I’ll share my experience in analysis of most popular open and vendor’s specific proprietary industrial protocols.
For each protocol I will present packet structure, real examples, (in)secure features and possible hacks.
At the end of the topic I’ll share my practial approach, methodology and useful scripts.
During the presentation we will talk about:
Well-known protocols: Profinet, Modbus, DNP3
IEC 61850-8-1 (MMS)
IEC 61870-5-101/104
FTE (Fault Tolerant Ethernet)
Siemens S7
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where the hacker/penetration-tester has deployed a malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.) On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
Having been a Penetration Tester for the last 15+ years I have seen many environments and technologies. I have had the pleasure / hell of testing systems I’ve never even heard of and the agony of defeat on a major scale. Instead of just going over the what we used to work our way in, I want to go over the tricks the BLUE team used to keep us out! We will go over the technologies and techniques that have turned our traditional paths to root from minutes to months and the tricks that got us “caught” along the way. Not all pentests are a dream and the nightmares CAN / DO happen. So, let’s talk about how YOUR environment can become an attackers worst nightmare instead of their favorite playground
An overview of all things that can go wrong when developers attempt to implement a Chain of Trust also called "secure boot". Starting from design mistakes, we look at crypto problems, logical and debug problems and move towards Side Channel Attacks and Fault Injection.
Focused on Automotive, Pay-TV, Gaming and mobile devices.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
1. Shameful secrets of
proprietary protocols
Sławomir Jasek
Jakub Kałużny
SecuRing
Photo: https://www.flickr.com/photos/ektogamat/2687444500
2. Who are we
● Pentesters @
● Security assessments of applications, networks, systems...
Sławomir Jasek Jakub Kałużny
3. Agenda
● Case studies – proprietary protocols
– Home automation
– Pull printing #1
– Remote desktop
– Pull printing #2
– Trading
● Cheatsheet for architects & developers
● How to hack it
4. Proprietary network protocols
• A pentester will encounter one.
• Don’t have the protocol specs nor
tools to attack it
• How to hack it?
• decompile the client?
• search for some tools?
• watch the raw packets?
• Let’s try!
https://www.flickr.com/photos/canonsnapper/2566562866
5. Home automation remote control
● „Plug the device, configure your router for port forwarding
(and dynamic dns if necessary), set password.”
● Proprietary TCP protocol, direct connection from Internet
to device, password protected access
http://www.flickr.com/photos/99832244@N07/9436065073/
6. Protocol – a few packets
ab 55 41 00 15 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126
02 01 00 00 a9 39 64 64 34 65 34 36 31 32 36 .....9dd 4e46126
aa 55 41 00 14 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126
ab 55 41 00 15 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126
0c 02 00 00 a4 39 64 64 34 65 34 36 31 32 36 .....9dd 4e46126
aa 55 41 00 14 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126
aa 53 41 02 01 01 f0 f1 f1 f1 f1 00 be f1 f1 00 .SA..... ........
c4 00 e1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 ........ ........
f1 f1 f1 00 64 00 00 00 01 00 f0 f0 0a f1 00 02 ....d... ........
0f 0f e7
S
E
R
V
E
R
C
L
I
E
N
T
7. And what if we change the password?
Password 1:
Password 2
Password 3
8. Home automation protocol
Internal command (5 bytes) MD5(password) – first 10 bytes
Status returned by the appliance (sensors, settings, etc).
9. Home automation - failures
● Sniffing
● MITM
● Connect directly to the appliance - sniffed
hash is enough
● Recommendation: SSL!
10. Home automation - SSL
● Vendor: OK, we have added SSL support!
sslcontext = SSLContext.getInstance("TLS");
atrustmanager = new TrustManager[1];
atrustmanager[0] = new EasyX509TrustManager(null);
sslcontext.init(null, atrustmanager, null);
• Empty TrustManager – accepts all certificates
11. Side effect
How to build your own appliance:
socat tcp4-listen:1234,fork,readbytes=5
/dev/ttyUSB0,vmin=51
And for the new version with SSL support:
socat openssl-listen:1234,key=s.key,
cert=s.crt,verify=0,fork,readbytes=5
/dev/ttyUSB0,vmin=51
15. Attack vectors
Other users’ data
Access to other
print queues
Sniffing, MITM
Authorization bypass
User/admin interface
vulnerabilities
16. Pull Printing #1 – access control
“With its roots in education and the full
understanding that college kids “like to
hack”, our development processes
continually focus on security.”
“Secure print release (…) can integrate
card-swipe user authentication at devices
(…) ensuring jobs are only printed when the
collecting user is present.”
17. Pull Printing #1 – binary protocol
S
E
R
V
E
R
P
R
I
N
T
E
R
HELLO
USER: user1
token
HASH(password + token)
Password ok
Release my print queue
OK
Just copied 100 pages
18. Charge user “guest-xyz” for copying 100 pages
Pull Printing #1 – closer look
Release my print queue
Just copied 100 pages
User permissions
beginDeviceTransaction
(…) guest-xyz
Release print queue for user “guest-xyz”
S
E
R
V
E
R
P
R
I
N
T
E
R
20. Pull printing #1 - vendor gets notified
• Gave access to KB and support service
• And all versions of software
• Responded in few hours and patched in
few days
• Was happy to be pentested
21. Remote desktop protocol
● X-win „on steroids” (encryption, compression, access
control...)
● Mainframe access for critical business operations
● „More than 100,000 users around the world”
● „Prevents unauthorized eavesdropping
FIPS 140-2 Validated
End-to-end data encryption”
http://en.wikipedia.org/wiki/X_Window_System_protocols_and_architecture
24. Remote Desktop - SSL
C
L
I
E
N
T
CLIENTHELLO!
cipher suites:
SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_DSS_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
(...)
default configuration
SERVERHELLO!
I don’t have any certificate!
cipherSuite: SSL_DH_anon_WITH_AES_256_CBC_SHA
OK, no problem! You have to be the right server if you say so, don’t you?
25. Remote Desktop - SSL
C
L
I
E
N
T
CLIENTHELLO!
certificates configured
SERVERHELLO!
Certificate
Non-anonymous cipher suites: (...)
1st connection:
OK, certificate stored!
Following connections:
OK, certificate valid / ALERT: MITM ATTACK!
SERVERHELLO!
I don’t have any certificate!
cipherSuite: SSL_DH_anon_WITH_AES_256_CBC_SHA
I have your certificate, but since you don’t offer
it any more, I won’t check it. OK, let’s connect!
26. Remote desktop protocol - vendor
● „We don’t know PGP, use zip with our CEO’s name
as password”
● Do not plan to solve the issues (?)
● > /dev/null 2>&1
● Full disclosure!
● ... and a few weeks later the mysterious shut down
of our beloved ;)
27. Pull Printing #2 - encryption
“is a modern printing solution that
safeguards document confidentiality and
unauthorized access to print, scan, copy and
e-mail functions. Its user-authentication
provides air-tight security on your shared
MFPs that function as personal printers.”
28. Vendor ensures
„Documents are delivered only into the right hands”
„Information is kept confidential. No risk of being left
unattended at the printer”
„Document collection is safe anytime and anywhere —
no “print and sprint”.”
„Integration with other enterprise applications and
workflows is kept secure through single sign-on”
29. Pull Printing #2 – binary protocol
First look on communication:
• TCP, 2 ports
• No cleartext, no SSL
• Seems to follow some scheme…
30. Ex1: Deeper sight on traffic
S
E
R
V
E
R
P
R
I
N
T
E
R
constant 263B
96B, “X” B, 128B
always different 64 B
many identical 16B blocks
HELLO
HELLO, CERTIFICATE
SESSION KEY
PostScript, ECB mode
https://en.wikipedia.org/wiki/ECB_mode
31. Pull Printing #2 - Reverse-engineered
• Hardcoded RSA certificate in printer
embedded software
• No trust store
• AES-128 ECB used for traffic
encryption
• Same protocol in admin interface
33. “Many of the devices do not have the CPU
power that allows a fast login response and
at the same time establish a high security
level”
For example changing ECB to CBC mode
encryption will be more CPU intensive and
introducing that may cause slower
performance of the devices, which the
customers are very reluctant to see
implemented.”
Pull Printing #1 - vendor gets notified
“(…) system has been deployed at many
high security customers and has passed
internal audits.”
34. Trading protocol
● An online application for
instant financial operations
● A proprietary, binary
protocol, designed in order
to minimise delays
● TCP in SSL tunnel
https://www.flickr.com/photos/tradingrichmom/5571144428/
43. Cheat sheet – owners
While deploying a proprietary solution:
• Get it pentested
• Verify vendor claims
• Ask the vendor for secure development
lifecycle, procedures of addressing
vulnerabilities, previous bugs
44. Cheat sheet - developers
● Protocol is NOT secure by its secrecy
● Proper encryption. Use known standards,
implement them with care.
● Input validation, access control, many layers
of security, least privilege principle...
45. How to hack protocols?
Decompile client?
Inject code?
Search for the specs?
Use some tools?
Watch the packets?
https://www.flickr.com/photos/nkphillips/2865781749
46. Decompile client
● Sometimes easy – e.g. not obfuscated Android
application
byte abyte3[] = pass.getBytes();
byte abyte4[] = MessageDigest.getInstance("MD5").digest(abyte3);
● Sometimes really hard & time consuming.
● May be fun, but often leads astray:
Sywek1?-# 45Schtirlitz&Pianistka
47. Look for the fine manual
● There may be an unofficial client, or e.g. wireshark
plugin
● Ask for the docs
● Search for them
– Yes, we have found internal protocol specification by
google hacking!
48. Watch the packets
● Various tools to analyze proprietary protocols
– time consuming, usually do not work
● Raw, just try to spot some scheme
– of course with a little help of your friends: wireshark,
tcpdump, ssldump etc.
● Your favourite scripting language