This document discusses common defensive strategies and how attackers bypass them. It notes that while best practices like passwords, patching, and anti-virus are important, they also introduce commonalities that attackers learn to exploit. The document recommends that defenders study attack techniques to prioritize risks and design defenses that differentiate from standard approaches in order to limit widespread exploitation.
Improvement in Rogue Access Points - SensePost Defcon 22 (SensePost)
A supporting slide deck for SensePost's Defcon 22 talk. It contains more useful written information than the picture-heavy version we presented at the conference. You can see the conference video at https://www.youtube.com/watch?v=i2-jReLBSVk and can get the code at https://github.com/sensepost/mana
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao (Shakacon)
Since 2014, fifteen new malware or riskware families have successfully attacked non-jailbroken iOS devices (e.g., WireLurker, Oneclickfraud, XcodeGhost, InstaAgent, ZergHelper, AceDeceiver), affecting thousands of iOS apps and tens of millions of users around the world. Ten of them even bypassed Apple’s code vetting and appeared in the App Store. In this presentation, we will systematically study how these malware, riskware and some proof-of-concepts infect non-jailbroken devices via practical vectors and approaches, including abusing development certificates, bypassing code review by obfuscation, performing FairPlay MITM attacks, abusing MDM solutions, abusing private APIs, exploiting design flaws or app-level vulnerabilities, and stealing private data. For each topic, we will introduce its implementation, explore real-world cases, analyze its risks and consequences, explain Apple’s countermeasures, and discuss why some problems will still exist in the near future. We will also share some stories of how we discovered those interesting iOS malware. Through this topic, audiences can make more effective policies to protect iOS devices in their organizations, build their own systems/tools to evaluate security risks in iOS apps, and hunt more iOS malware in the future.
New attack vectors for Heartbleed: Enterprise wireless (and wired) networks.
This talk exposes a relatively obscure use of the Heartbleed flaw: exploiting the EAP-PEAP | EAP-TLS | EAP-TTLS network authentication protocols.
Update (02-06-2014): This blog post gives out more details and contains links to the cupid patch.
http://www.sysvalue.com/heartbleed-cupid-wireless/
The vast majority of cloud security threats come from misconfigured IaaS instances, compromised accounts, and insider threats, but there are emerging threats on the rise as well. And you’ll need deep visibility into your workloads and containers to fight back.
Join us for a live webinar with James Condon, Director of Research at Lacework on the current and emerging threats to public cloud and how best to automate security and compliance across AWS, Azure, and GCP, including:
Current and emerging threats to AWS, Azure, and Google Cloud environments
Recommendations on how to prevent, detect, analyze, and respond to cloud cyber attacks
How to move away from a network-centric mindset and adopt a cloud approach
How Lacework can help you automate security and compliance across AWS, Azure, GCP, and private clouds
Attackers don’t just search for technology vulnerabilities; they take the easiest path and find the human vulnerabilities. Drive-by web attacks, targeted spear phishing, and more are commonplace today, with the goal of delivering custom malware. In a world where custom advanced malware handily evades signature and blacklisting approaches and does not depend on application software vulnerabilities, how do we know when our environments are compromised? What are the telltale signs that compromise activity has started, and how can we move to arrest a compromise in progress before the attacker moves laterally and reinforces their position? The penetration testing community knows these signs and artifacts of advanced malware presence, and it is up to us to help educate defenders on what to look for.
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg... (Imperva Incapsula)
Mondrian, MySQL, Mongo, Cassandra, Lucene. You name it, we tried it. As a startup looking for cost-efficient and scalable solutions to power our event processing and statistics backend, we gave almost every Big Data technology out there a go. What we learned from these experiences is that doing it yourself is better than using plug-and-play black box solutions.
This presentation details the building of Incapsula’s Big Data system as a case study, examining the requirements and the different evolutionary phases it went through before becoming what it is today.
Chaz Lever, Georgia Institute of Technology
Both the operational and academic security communities have used dynamic analysis sandboxes to execute malware samples for roughly a decade. Network information derived from dynamic analysis is frequently used for threat detection, network policy, and incident response. Despite these common and important use cases, the efficacy of the network detection signal derived from such analysis has yet to be studied in depth. This paper seeks to address this gap by analyzing the network communications of 26.8 million samples that were collected over a period of five years.
Using several malware and network datasets, our large-scale study makes three core contributions. (1) We show that dynamic analysis traces should be carefully curated and provide a rigorous methodology that analysts can use to remove potential noise from such traces. (2) We show that Internet miscreants are increasingly using potentially unwanted programs (PUPs) that rely on a surprisingly stable DNS and IP infrastructure. This indicates that the security community is in need of better protections against such threats, and network policies may provide a solid foundation for such protections. (3) Finally, we see that, for the vast majority of malware samples, network traffic provides the earliest indicator of infection—several weeks and often months before the malware sample is discovered. Therefore, network defenders should rely on automated malware analysis to extract indicators of compromise and not to build early detection systems.
Pentest Apocalypse - that's when you hire a pentester, and they walk all over your network. To avoid this, organizations need to be prepared before the first packet is sent in order to get the most value from the tester. There is no excuse for pentesters to find critical vulnerabilities that are six years old on an assessment. And who needs a zero-day when employees leave credentials on wide-open shares? Just like how Doomsday Preppers helps you prepare for the apocalypse, this presentation will help you prepare for, and avoid, a pentest apocalypse by describing common vulnerabilities found on many assessments. Being prepared for common pentester activities will not only help add value to a pentest but will also help prevent attackers from using the same tactics to compromise your organization.
For More Information Please Visit:- http://bsidestampa.net
http://www.irongeek.com/i.php?page=videos/bsidestampa2015/104-pentest-apocalypse-beau-bullock
APNIC Senior Security Specialist Adli Wahid presented on the APNIC Honeynet Project, interesting observations, mitigation and multistakeholder collaboration at Threat Con 2021, held online from 8 to 11 September 2021.
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland (CODE BLUE)
In June, thousands of Facebook users complained that they had been infected by a virus through their accounts after they received a message from a Facebook friend claiming they had mentioned them in a comment. Kaspersky Lab researcher Ido Naor and Dani Goland, CEO & founder of Undot, decided to investigate. They quickly discovered that the message had in fact been initiated by attackers and unleashed a two-stage attack on recipients. The first stage of the attack started when the user clicked on the “mention”. A malicious file seized control of their browsers, terminating the legitimate session and replacing it with a malicious one that captured their entire web traffic. The second stage included a highly sophisticated script that took over victims' Facebook and Google Drive accounts. After puzzling over the script, they managed to extract the proverbial needle from a haystack: an unknown Facebook vulnerability that allowed an attacker to exploit the notifications functionality.
In this talk, Dani and Ido will dive into the bites and bytes of the campaign and explain how the attackers exploited Facebook to spread the malware.
--- Ido Naor
Ido is a senior security researcher at the Global Research & Analysis Team (GReAT), Kaspersky Lab. He joined Kaspersky two years ago and is leading the regional research in Israel.
Ido specializes in malware analysis, penetration testing and software reverse engineering and has been credited for his work by major enterprises such as Google, Facebook, LinkedIn, Alibaba and more.
Aside from research, Ido is a martial arts expert and a father of two daughters.
--- Dani Goland
Dani is the CEO and founder of Undot, an Israeli-based startup that developed a unified remote-control application to control home appliances.
Dani has more than a decade of experience in programming on a variety of frameworks and languages.
Aside from managing Undot, Dani is a frequent competitor in Hackathons (programming competitions) and won 1st places at HackTrackTLV 2016 and eBay Hackathon 2015.
Presentation by Grorg Christian Pranschkle at ZaCon 2 in 2010.
This presentation is about SNMP security. The presentation begins with an overview of SNMP. SNMP security weaknesses and SNMP security in Cisco apps are discussed. Frisk-0, a tool for SNMP hacking developed by the presenter, is also discussed.
Major global information security trends - a summary (SensePost)
Presentation by Luc de Graeve at internetix in 2004.
This presentation is a summary of global information security trends in the business environment. The presentation begins with an introduction to major global trends. Legal issues, threats, technologies and solutions are discussed.
Putting the tea back into cyber terrorism (SensePost)
Presentation by Charl van der Walt, Roelof Temmingh and Haroon Meer at BlackHat USA 2003.
This presentation is about targeted, effective, automated attacks that could be used in countrywide cyberterrorism. A worm that targets internal networks is discussed as an example of such an attack.
Introduction to Metasploit that we presented to the 4th year compsci students at Rhodes University. Covering the basic functionality of Metasploit, and penetration testing.
The practical section that Etienne made (with Ponies) will come soon.
Reaction to stressful experiences: the normal reactions and psychological disorders related to it. Short discussion of PTSD, acute stress reaction and adjustment disorder along with treatment options.
Very summarized management of each condition. Good for medical students.
Information Security: Advanced SIEM Techniques (ReliaQuest)
Joe Partlow, CISO, ReliaQuest (www.reliaquest.com) - We’ve all heard it before: SIEM is dead, defense is boring, logs suck, etc. The fact is that having total visibility into what’s happening on your network is absolutely necessary and keeps you from having to answer questions like “How did you not know we were compromised for the past 6 months!” This talk focuses on advanced tips and tricks you can implement with your SIEM to give you better visibility into all areas of your environment. Also includes top secret, 1337 (ok, maybe just average) code snippets.
Keynote on why you should make Infosec a board level strategic item, how you should raise it to this level and how to approach Information Security strategically
When you work with a lot of companies scrutinizing their security, you get to see some amazing things. One of the joys of being a commercial security consultant working for big name firms, is that you get to see a lot of innovation and interesting approaches to common problems.
However, as great as this is, the discrete projects you work on are usually a small representation of the overall company. When you look at the company in its entirety, a familiar pattern of weakness begins to reveal itself. While some companies are obviously better than others, the majority of companies are actually weak in remarkably similar ways.
My work in the attacker-modeled pentest and enterprise risk assessment realms focuses on looking at a company as a whole. The premise is that this is what an attacker would do. They won’t just try to attack your quarterly code-reviewed main web site, or consumer mobile app. They won’t directly attack your PCI-relevant systems to get to customer credit card data. They won’t limit their attacks to those purely against your IT infrastructure. Instead, they’ll look at your entire company, and they will play dirty.
In this session, I’ll focus on the things that plague us all (well most of us), and I’ll offer some simple advice for how to try and tackle each of these areas:
– Weaknesses in Physical Security
– Susceptibility to Phishing
– Vulnerability Management Immaturity
– Weaknesses in Authentication
– Poor Network Segmentation
– Loose Data Access Control
– Terrible Host / Network Visibility
– Unwise Procurement & Security Spending Decisions
Every IR presents unique challenges. But - when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day - the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.
Details a massive intrusion by Russian APT29 (AKA CozyDuke, Cozy Bear)
We presented our work at Northrop Grumman Cybersecurity Research Consortium (CRC) spring event at Washington, DC. This is part of the "Deception Group" work at Purdue. Our group is investigating how deception can be used to improve the security of computers and networks.
Vulnerabilities in TN3270 based Application (SensePost)
A talk given at Hack in the Box Amsterdam and later DerbyCon in 2014 about a new class of vulnerabilities in TN3270 exposed applications by @singe (Dominic White). A video of the talk is available at https://www.youtube.com/watch?v=3HFiv7NvWrM and code can be found at https://github.com/sensepost
Home automation systems provide a centralized control and monitoring function for heating, ventilation and air conditioning (HVAC), lighting and physical security systems. The central control panel and various household devices such as security sensors and alarm systems are connected with each other to form a mesh network over wireless or wired communication links and act as a “smart home”. As you arrive home, the system can automatically open the garage door, unlock the front door and disable the alarm, light the downstairs, and turn on the TV. According to a study by the consulting firm AMA Research, in 2011, the UK home automation market was worth around £65 million with 12% increase on the previous year. The total number of home automation system installations in the UK is estimated to be 189000 by now. The home automation market in the US was worth approximately $3.2 billion in 2010 and is expected to exceed $5.5 billion in 2016.
Zigbee and Z-wave wireless communication protocols are the most commonly used RF technologies in home automation systems. Zigbee is based on an open specification (IEEE 802.15.4) and has been the subject of several academic and practical security research efforts. Z-wave is a proprietary wireless protocol that works in the Industrial, Scientific and Medical (ISM) radio band. It transmits on the 868.42 MHz (Europe) and 908.42 MHz (United States) frequencies, designed for low-bandwidth data communications in embedded devices such as security sensors, alarms and home automation control panels. Unlike Zigbee, no public security research on the Z-Wave protocol was available before our work. The Z-wave protocol was only mentioned once, during a DefCon 2011 talk, when the presenter pointed out the possibility of capturing the AES key exchange phase without a demonstration.
The Z-Wave protocol is gaining momentum against the Zigbee protocol with regards to home automation. This is partly due to a faster, and somewhat simpler, development process. Another benefit is that it is less subjected to signal interference compared to the Zigbee protocol, which operates on the widely populated 2.4 GHz band shared by both Bluetooth and Wi-Fi devices.
Z-wave chips have 128-bit AES crypto engines, which are used by access control systems, such as door locks, for authenticated packet encryption. An open source implementation of the Z-wave protocol stack, openzwave, is available but it does not support the encryption part as of yet. Our talk will show how the Z-Wave protocol can be subjected to attacks.
Presentation by Jaco van Gaan at IIA in 2001.
This presentation is about the use of ethical hackers in business. The presentation begins with a series of discussions about hackers, what they do, how they do it and the different types of hackers.
Presentation by Haroon Meer at ReCon in 2005.
This presentation is about web application security. Various web application attacks like XSS, SQLi and directory traversal are discussed. The Wikto and Crowbar tools developed by SensePost are also discussed.
Presentation by Marco Slaviero at the University of Pretoria to the Tuks Linux User Group in 2010.
The aim of this presentation is to promote information security. The presentation begins with a look at a few recent attacks. Cloud computing is briefly discussed. The presentation ends with a discussion on Amazon web services and its security.
Presentation by Charl van der Walt and Francesco Geremla at the ITweb security summit in 2009.
This presentation is about the methodology behind version 2 of SensePost's threat modeling tool, the corporate threat modeller.
Presentation by Marco Slaviero at the University of Pretoria to their masters class of 2008.
This presentation is an introduction to information security. The presentation starts with a look at the past and current state of network security. Penetration testing is discussed. SQL injection and XSS demonstrations are given.
Presentation by Charl van der Walt at the ITweb security summit 2010.
This presentation is an introduction to the security summit 2010. It introduces all the speakers.
Presentation by Charl van der Walt in 2001.
The presentation aims to educate people that IT security is relevant to SA business. The presentation begins with examples of defaced SA company websites. Various attacks such as DDoS and semantic attacks are discussed. The presentation ends with a discussion on IP manipulation.
Presentation by Luc de Graeve at the Gordon institute of business science in 2001.
This presentation is about security in e-commerce and is aimed at making people aware of what hackers do, how they do it and the financial implications of their actions. The presentation begins with a few examples of defaced websites and ends with a discussion on risk and assessment.
Penetration testing and social engineering (SensePost)
Presentation by Yvette du Toit to the University of Pretoria's honours class of 2011.
This presentation is about penetration testing and social engineering. A walkthrough of a social engineering attack is given in this presentation.
Presentation by Ian de Villiers at ZaCon 2 about exploiting Java.
This presentation is about instrumenting Java applications. It begins with an explanation of what a JAR file is. The difficulties in attacking Java, such as signing and obfuscation, are discussed. How to overcome these difficulties is also discussed. The presentation ends with a walkthrough example of how to instrument a Java application.
Presentation by Junaid Loonat at the 2010 internet show South Africa.
The presentation is about the insecurities of the Web 2.0 server. The presentation begins by looking at how the likely targets of an attack have changed from Web 1.0 to Web 2.0 servers. Other changes from Web 1.0 to Web 2.0, such as authentication enforcement and CAPTCHA validation, are also discussed. The presentation ends with a brief discussion on how to limit your own risk when deploying a web application.
Presentation by Haroon Meer at IDC in 2006.
The presentation begins with a discussion on Google hacking. There is a brief discussion on kernel rootkits. The presentation ends with a discussion on web application hacking.
Presentation by Haroon Meer and Charl van der Walt at ISSA in 2006.
The presentation begins with an explanation of a stack overflow attack and format string vulnerability, both with example code. Dangerous integers are also explained. The presentation ends with a discussion on ActiveX control.
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing is discussed in the talk. ICT and testing must carry their part of global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, at smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf - Paige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
PHP Frameworks: I want to break free (IPC Berlin 2024) - Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
GridMate - End to end testing is a critical piece to ensure quality and avoid... - ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
State of ICS and IoT Cyber Threat Landscape Report 2024 preview - Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf - Peter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor... - SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Communications Mining Series - Zero to Hero - Session 1 - DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
The Art of the Pitch: WordPress Relationships and Sales - Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... - BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 - Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Securing your Kubernetes cluster: a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
2. This talk is about …
• Understanding how attackers attack
– acknowledging the problem
– allows more innovative defence
• Common defences allow common bypasses
– Best practices introduce commonality that is exploited
– Common defences lose out over time as attackers adapt
• Many “security basics” are honestly hard
– knowing the attacks helps to prioritise
3. Why listen to us?
• We attack networks and systems as our day (night) job
– They’re often quite similar
• We care about making them harder to attack
• We spend time studying how others attack networks and systems
– Other pentesters
– Real bad guys (“APT” campaigns)
• SensePost has been doing it since 2000
– Possibly more insight into .za infosec practices than any other
5. Truth is …
• Those defences don’t
– Block actual attacks
– Move to counter the bypasses used to side-step them
• Risk Management
– Hard to link risk-based priorities to meaningful technical priorities
• Compliance
– “teach the test”
– Little incentive to create contradictory measurements
• Best Practice
– We can’t honestly say we know how to defend
– Some practices are hard/impossible to do
– Common best practices have common bypasses
6. The Wall
• Your defences are a wall
• We get to evaluate the wall, figure out how to get over it, and do it
– Attackers can often evaluate your defences before getting to you
• Once we’ve done it, we have the capability/technique/tool to do it again, with much less effort
– Attackers can keep building their toolchain
– Attackers are good at sharing
• Defenders now need to build an increasingly huge wall as “the basics” become bypassable with tools
7. And so …
• Popular defensive design patterns lead to popular attack patterns to bypass them
– Knowing these can help you avoid or rejigger them
• Some stuff has been recommended for a decade+; are we really just too lazy?
– Let’s just admit that some stuff will never be done, and come up with a prioritisation strategy that works
– Although you shouldn’t need a pentest/breach to be reminded: design for them
9. Corporate Passwords
• Best Practice
– Enforce password complexity
– Expire them monthly
• Belief
– Passwords will be more complex & harder to guess/crack
– Passwords have a shelf life
• Reality:
– Users employ coping methods
• Password1 or June2013 or Password8
• <Capital><rest of word><number>
• Call centre resets to same password every time
– Most organisations pick the same policy
– Cracking common storage formats is efficient
• NTLM / LanMan
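The coping patterns above are exactly what makes the “crack your own passwords (or look for duplicate hashes)” advice on slide 12 cheap to act on: NT hashes are unsalted, so two users with the same password share a hash, and a guess only has to be hashed once to be checked against every account. The script below is an added example (not SensePost’s tooling) that audits a constructed pwdump-style dump: the accounts, passwords and the candidate word/suffix lists are assumptions, while the hash function is the genuine NT hash (MD4 over UTF-16LE), implemented in pure Python so it does not depend on OpenSSL’s legacy MD4 provider.

```python
"""Audit an NT-hash dump for duplicate hashes and policy-coping passwords.

Added example (not SensePost's tooling). The dump, account names and passwords
are constructed inline; the hash is the real NT hash (MD4 over UTF-16LE).
"""
import struct
from collections import defaultdict


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), so this runs without OpenSSL's legacy provider."""
    mask = 0xFFFFFFFF

    def rot(x, n):
        x &= mask
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a, b, c, d = d, rot(a + func(b, c, d) + x[k] + const, shifts[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """Unsalted NT hash as lower-case hex: the same password gives the same hash for every user."""
    return _md4(password.encode("utf-16-le")).hex()


def coping_candidates(bases, suffixes):
    """<Capital><word><number>: the shape users fall back to under complexity + monthly expiry."""
    return [base.capitalize() + suffix for base in bases for suffix in suffixes]


def audit_dump(dump_lines, candidates, min_dup=2):
    """dump_lines are pwdump-style 'user:rid:lmhash:nthash:::' records.
    Returns hashes shared by >= min_dup accounts, and accounts whose hash matches a candidate."""
    by_hash = defaultdict(list)
    for line in dump_lines:
        user, _rid, _lm, nt = line.strip().split(":")[:4]
        by_hash[nt.lower()].append(user)
    duplicates = {h: users for h, users in by_hash.items() if len(users) >= min_dup}
    # Hash each guess once and look it up: with unsalted storage the cost is per guess,
    # not per user, which is exactly why cracking these formats is so efficient.
    lookup = {nt_hash(c): c for c in candidates}
    weak = {user: lookup[h] for h, users in by_hash.items() if h in lookup for user in users}
    return {"duplicates": duplicates, "weak": weak}


# Constructed sample dump; the LM field is the well-known "LM hash disabled" value.
_SAMPLE_ACCOUNTS = [("alice", "Summer2013"), ("bob", "Summer2013"), ("carol", "Password1"),
                    ("dave", "correct-horse-battery-staple-2013"), ("svc_backup", "Password1")]
SAMPLE_DUMP = [f"{u}:{1000 + i}:aad3b435b51404eeaad3b435b51404ee:{nt_hash(p)}:::"
               for i, (u, p) in enumerate(_SAMPLE_ACCOUNTS)]
CANDIDATES = coping_candidates(
    ["password", "welcome", "summer", "winter", "spring", "autumn", "june", "january"],
    ["", "1", "123", "2013", "2014"])

if __name__ == "__main__":
    result = audit_dump(SAMPLE_DUMP, CANDIDATES)
    for h, users in result["duplicates"].items():
        print(f"shared hash {h}: {', '.join(users)}")
    for user, guess in result["weak"].items():
        print(f"{user}: matches coping pattern '{guess}'")
```

Run against a real dump, the two outputs map onto slide 12’s metric: the duplicate groups show where a call-centre reset or a shared service password has spread, and the matched accounts show how much of the user base a 40-guess list of coping patterns already covers. The long passphrase in the sample is never matched, which is the point of enforcing length over complexity.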
10. Corporate Passwords
• Best Practice: Lock an account after X failed login attempts
• Belief: People won’t be able to guess passwords
• Reality
– Lockout period has a timeout, just try one password across all accounts (horizontal brute)
• Bonus
– Find an Internet-facing auth point & brute there for ext->int win
– Executives get exceptions
11. So what?
• Best practices created the vulnerability
• Everybody doing the same thing lets attackers optimise
• The actual attacks aren’t being looked for
12. Defend!
• Differentiate yourself from the optimised attack
– Blacklist common passwords
– Enforce length rather than complexity (15+ bonus)
– Extend password expiry
• Crack your own passwords (or look for duplicate hashes)
– Operationalise this as a metric
• Monitor for horizontal brutes
• Canary accounts
• Two factor authentication
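Two of the items on this slide, monitoring for horizontal brutes and canary accounts, are straightforward to express as detection logic. The script below is an added example (not SensePost’s code): the log format, the IP addresses and the canary account name are constructed, and a real deployment would swap the parser for whatever your auth point emits (Windows 4625/4776 events, OWA, Citrix or VPN logs). The horizontal-brute rule keys on what per-account lockout cannot see: one source failing against many different accounts inside a short window, one attempt each.

```python
"""Detect horizontal (one password, many accounts) brute force and canary-account use.

Added example, not SensePost's code. Log lines, addresses and account names are
constructed; map parse_log() to your real auth source.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip account outcome".
SAMPLE_LOG = """\
2013-06-10T09:00:01 10.1.1.50 alice FAIL
2013-06-10T09:00:02 10.1.1.50 bob FAIL
2013-06-10T09:00:03 10.1.1.50 carol FAIL
2013-06-10T09:00:04 10.1.1.50 dave FAIL
2013-06-10T09:00:05 10.1.1.50 erin FAIL
2013-06-10T09:00:06 10.1.1.50 svc_legacy_backup FAIL
2013-06-10T09:00:07 10.1.1.50 frank OK
2013-06-10T09:15:00 10.1.1.77 grace FAIL
2013-06-10T09:15:20 10.1.1.77 grace FAIL
2013-06-10T09:15:40 10.1.1.77 grace OK
2013-06-10T08:00:00 10.1.1.9 heidi FAIL
2013-06-10T08:30:00 10.1.1.9 ivan FAIL
2013-06-10T09:30:00 10.1.1.9 judy FAIL
"""

# Constructed canary: looks like a real service account, is never used by anyone,
# so any attempt against it (success or failure) is worth an alert on its own.
CANARY_ACCOUNTS = {"svc_legacy_backup"}


def parse_log(text):
    """Yield (timestamp, source, account, outcome) tuples; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        yield datetime.fromisoformat(ts), src, user, outcome


def horizontal_brutes(events, min_accounts=5, window=timedelta(minutes=10)):
    """Sources whose failed logons cover >= min_accounts distinct accounts within `window`.
    Per-account lockout never trips: each account sees one attempt, then the attacker moves on."""
    fails = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            fails[src].append((ts, user))
    hits = {}
    for src, attempts in fails.items():
        attempts.sort()
        lo = 0
        for hi in range(len(attempts)):          # sliding window over this source's failures
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1
            distinct = {user for _, user in attempts[lo:hi + 1]}
            if len(distinct) >= min_accounts:
                hits[src] = max(len(distinct), hits.get(src, 0))
    return hits


def canary_hits(events, canaries=CANARY_ACCOUNTS):
    """Every logon attempt, successful or not, against a canary account."""
    return [(ts, src, user, outcome) for ts, src, user, outcome in events if user in canaries]


if __name__ == "__main__":
    events = list(parse_log(SAMPLE_LOG))
    for src, n in horizontal_brutes(events).items():
        print(f"horizontal brute from {src}: {n} distinct accounts failed in one window")
    for ts, src, user, outcome in canary_hits(events):
        print(f"canary {user} touched by {src} at {ts.isoformat()} ({outcome})")
```

In the sample, 10.1.1.77 is a user mistyping their own password and 10.1.1.9 touches three accounts over ninety minutes, so neither trips the rule; 10.1.1.50 sweeps six accounts in six seconds and also touches the canary, which would fire even if the sweep were slowed down to stay under the window.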
14. Service/Default Accounts
• Best Practice:
– Change all vendor-supplied/service passwords from the default, or disable the account
• Belief:
– Requires attackers to guess the password, or they can’t use the account
• Reality:
– The rate at which developers adopt new applications exceeds security’s capacity to secure them
– Complexity across the application stack
– Beliefs about network controls/development boxes lead to exceptions
15. Patching
• Best Practice:
– Ensure systems are fully patched
• Belief:
– Known vulnerabilities will not be exploitable
• Reality:
– Known systems are(?), unknown aren’t
– Some software is easier to patch than others
– Unknown vulnerabilities & the patch window are realities
16. Baselines & Homogeneity
• Best practice:
– Ensure all systems are configured the same
• Belief:
– All systems will have the same security baseline
• Reality:
– A flaw in one is a flaw in all; mistakes scale against you
– Management agents are remote access methods
– Local admin passwords …
17. So what?
• 100% compliance for every piece of software, on every machine, for all time …
– You need to do the basics, but let’s admit 100% is impossible
– 99% on 1k machines still gives 10 vulnerable hosts
• Attackers are good at finding the 1%
• Attackers care about exploitation; missing language packs, not so much
18. Defend!
• Admit you’ll never hit 100%
• Use attacker tools/methods to find the 1%
– Find the machines your risk/compliance-based focus didn’t care about
– Scope be damned!
• Prioritise based on ease of exploitation
– Availability/popularity/stability/ease of exploit
• Make hard choices – do you need that software there?
• Defence in depth
– Check out hardening tools EMET/PaX (grsec)
– Have a plan for once exploited
20. Anti-Virus
• Best practice:
– All systems must make use of anti-virus to protect against malware
• Belief:
– Malware/attacks will be blocked
– Malicious e-mail will be blocked
– We don’t need to follow up if AV said it blocked
• Reality:
“All of us had missed detecting this malware for two years. That's a spectacular failure for the antivirus industry in general. We were out of our league, in our own game.” Mikko Hypponen
21. The truth
• Mikko was talking about Flame (APT)
• Is it that hard?
• R600 will buy you access to a great “crypter”
– Will make any file undetectable by AV, updated regularly
• 20 lines of code to implement my own
– Currently bypasses all AV, with a delay & custom file template
23. So what?
• You wouldn’t run without it, but guaranteed bypassable
• We need to do something, AV is something, do AV
• Attackers can test their attacks
• Do we just keep building the wall & run all of them?
• A lot of money at stake in perpetuating the problem
– “I've never seen _single_ report when modern updated AV with all features was bypassed.” Jindrich Kubec, Director of Threat Intelligence @ avast!
24. Defence!
• AV isn’t useless: a signature may only be added a year from now, but it’ll tell you you missed something – investigate
• Push your vendor to do better; don’t accept lame signatures, get them to block techniques
• Watch the logs: alerts then silence is a bypass pattern
• Run multiple AV engines at different layers
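The “alerts then silence” point on this slide can be turned into a hunting query: an attacker iterating a payload against your AV produces a short burst of detections on one host, and then nothing once the tweaked version gets through. The script below is an added example (not SensePost’s code) that flags hosts showing that shape; the alert feed, host names and detection names are constructed, and a real run would read them from an AV console export or SIEM. The thresholds (two or more alerts within 30 minutes, then two quiet hours) are assumptions to tune, not values from the deck.

```python
"""Flag hosts whose AV alerts burst and then go quiet: the "alert, alert, nothing" pattern.

Added example, not SensePost's code. The alert feed is constructed; real input is an
AV console export or SIEM events, and only (time, host, detection) fields are used.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: (ISO timestamp, host, detection name).
SAMPLE_ALERTS = [
    ("2013-06-10T10:00:00", "wks-017", "Gen.Dropper.Constructed"),
    ("2013-06-10T10:05:00", "wks-017", "Gen.Dropper.Constructed"),
    ("2013-06-10T10:12:00", "wks-017", "Heur.Packed.Constructed"),  # then silence
    ("2013-06-10T11:00:00", "wks-042", "Adware.Constructed"),       # one-off, noise
] + [
    # a mail gateway that alerts steadily all day: never a burst, never quiet
    (f"2013-06-10T{hour:02d}:00:00", "srv-mail", "Spam.Attach.Constructed")
    for hour in range(8, 14)
]


def alert_then_silent(alerts, now, min_alerts=2, burst_window=timedelta(minutes=30),
                      quiet=timedelta(hours=2)):
    """Per host: >= min_alerts inside burst_window, followed by no alert for `quiet`
    (or up to `now`, an ISO timestamp marking the end of the data). Returns
    {host: [detection names in the burst]} so the investigation starts with what was blocked."""
    now_ts = datetime.fromisoformat(now)
    by_host = defaultdict(list)
    for ts, host, name in alerts:
        by_host[host].append((datetime.fromisoformat(ts), name))
    findings = {}
    for host, events in by_host.items():
        events.sort()
        i = 0
        while i < len(events):
            j = i                                   # extend the burst while inside the window
            while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= burst_window:
                j += 1
            if j - i + 1 >= min_alerts:
                next_alert = events[j + 1][0] if j + 1 < len(events) else now_ts
                if next_alert - events[j][0] >= quiet:
                    findings[host] = [name for _, name in events[i:j + 1]]
                    break
            i = j + 1
    return findings


if __name__ == "__main__":
    for host, names in alert_then_silent(SAMPLE_ALERTS, "2013-06-10T14:00:00").items():
        print(f"{host}: {len(names)} blocked detections, then quiet -> investigate: {names}")
```

The rule is deliberately blind to whether the AV reported a block: the slide’s argument is that a block is a clue, not a conclusion, and the quiet period after a burst is what distinguishes “the attacker gave up” from “the attacker got through” only once someone looks at the host.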
26. Network Pivoting & DMZs
• Best Practice:
– Separate your Internet-facing systems into their own network, then only allow connections into the DMZ, not out
• Belief:
– Contingency plan; even if your Internet-facing servers get hacked, hackers can’t get to your internal network
• Reality:
– “Lateral movement” is a regular action by so-called APT actors
27. DMZ – Screw ups
• (lame) Web servers in the DMZ, DB in the internal net
• Attack
– SQLi on the DB (with command exec) gets you onto the internal network
• (less lame) Web server & DB in DMZ/s, but on the domain
• Attack
– Get command exec, get domain account, connect to DC
• (least lame) A connection can be initiated to the internal network
• Attack
– Move around until you can find something you can own that has access to the internal network
– Often not as hard as it sounds
30. The toolchain
• “Pushing a camel through the eye of a needle”
– 2008 BH/Defcon talk by Haroon Meer & Marco Slaviero
• Released reDuh by haroon/marco/glenn/ian/gert @sensepost
31. Defend!
• DMZs must disallow connections from being initiated to internal
– Check for yourself: plug in and portscan
• But, stuff’s not architected to make that easy
• Web services provide hope
– Expose integration services in the DMZ, have a worker from internal consume them
• Other important advice we don’t have time for
– Needs separate/disconnected management infrastructure
– Don’t share with VPN – fundamentally different purposes
– Actually, if you can, stick every machine in its own DMZ, à la AP isolation
– Don’t forget egress filtering & split DNS
32. Account Pivoting & Escalation
• “When in doubt, attack the control plane. When certain, attack the data plane.” - David Ulevitch
• Belief:
– Centralised user management makes systems more secure.
• Reality:
– In some ways, yes, but it gives us organisation-wide administrative accounts, and it’s easy(ish) to do.
33. Lateral Movement
• Windows is *terrible* at passwords & keeping secrets
– Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques
• Attackers have gotten really good at post-exploitation
• Attacks
– Digest auth gives clear-text creds! (wce/mimikatz)
– Windows security tokens work well too (incognito)
– Still passing-the-hash 16 years later (wce/pth-toolkit)
– SMB/NTLM relay attacks (metasploit)
– NTLM/LM unsalted, Kerberos can’t do IP, crack away (john/hashcat)
– Cached logins (at least they’re salted)
• Lateral opportunities – if it works on one …
– Local accounts (local admin)
– Domain accounts (admin or service)
– Apps & Agents (VNC, DBs etc.)
– Connected shares
34. So what?
• Good advice is blindly implemented, and the original point missed
– DMZs are a great idea, but must not allow connections initiated in the low-trust network
• Advanced protections have well understood bypasses and haven't grown
– Tunnelling & Windows cred extraction sound hard, but the tools are there
• Your exposure is greater than the sum of the parts; you can't look at vulns in isolation, or at entry only
35. Defend!
• Use specialised/separate DA, server admin & user accounts
– Only use the relevant account when required
– Limit DAs to login from management network & management jump box (not laptop)
• Monitor *all* your AD groups
– Administrators, Enterprise Admins, Domain Admins, Shared Trust, Sub-Group inheritance
• Beware of the tokens
• Check out RODC & Attribute/Account Filters
• Read MS’ paper
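“Monitor *all* your AD groups”, including sub-group inheritance, is the defence against the account-hiding trick the speaker notes describe (an admin nested several group levels down, or parked in Administrators, from which Domain Admins inherits its standing). The script below is an added example (not SensePost’s code) that resolves the effective user membership of privileged groups through arbitrary nesting, survives membership cycles, and diffs the result against an approved baseline. The directory snapshot, group names, users and baseline are constructed; a real run would feed it from an AD/LDAP export, and it assumes that any member name not present as a group key is a user.

```python
"""Resolve nested AD group membership and report effective admins not on the baseline.

Added example, not SensePost's code. The directory snapshot below is constructed;
feed real data from an AD/LDAP export. Any member name that is not itself a group
key is treated as a user.
"""
from collections import deque

# Constructed snapshot: group -> direct members (users or other groups).
SAMPLE_GROUPS = {
    "Domain Admins": ["alice", "Tier0-Ops"],
    "Enterprise Admins": ["alice"],
    "Administrators": ["Domain Admins", "Enterprise Admins", "Server-Ops"],
    "Tier0-Ops": ["bob"],
    "Server-Ops": ["Helpdesk-L3", "carol"],
    "Helpdesk-L3": ["Helpdesk-L2"],
    "Helpdesk-L2": ["Helpdesk-L1"],
    "Helpdesk-L1": ["Regional-IT"],
    "Regional-IT": ["svc_legacy", "Helpdesk-L3"],   # cycle back to Helpdesk-L3, and a buried account
}
PRIVILEGED = ["Administrators", "Enterprise Admins", "Domain Admins"]
APPROVED = {"alice", "bob", "carol"}   # constructed baseline of who is allowed to be an admin


def effective_members(groups, group):
    """Users reachable from `group` through any depth of nesting, with the path that gets
    them there. Breadth-first, so the recorded path is a shortest one; `seen` stops cycles."""
    paths = {}
    queue = deque([(group, [group])])
    seen = {group}
    while queue:
        current, path = queue.popleft()
        for member in groups.get(current, []):
            if member in groups:                      # nested group: keep descending
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
            else:                                     # user: record first path found
                paths.setdefault(member, path + [member])
    return paths


def unexpected_admins(groups, privileged, approved):
    """Effective members of any privileged group who are not on the approved baseline,
    mapped to the nesting path(s) that grant them the privilege."""
    findings = {}
    for group in privileged:
        for user, path in effective_members(groups, group).items():
            if user not in approved:
                findings.setdefault(user, []).append(path)
    return findings


if __name__ == "__main__":
    for user, paths in unexpected_admins(SAMPLE_GROUPS, PRIVILEGED, APPROVED).items():
        for path in paths:
            print(f"{user} is effectively privileged via: {' > '.join(path)}")
```

In the sample, svc_legacy never appears in a privileged group directly; it is five groups below Administrators, which is exactly the case a direct-membership report misses. Scheduling this against a nightly export and alerting on any new name in the output is the “operationalise it as a metric” approach the password slides recommend, applied to group membership.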
37. This talk was about …
• Understanding how attackers attack
– acknowledging the problem
– allows more innovative defence
• Common defences allow common bypasses
– Best practices introduce commonality that is exploited
– Common defences lose out over time as attackers adapt
• Many “security basics” are honestly hard
– knowing the attacks helps to prioritise
H highlighted the risk that pentesters stop emulating bad guys, and start emulating other pentesters. We agreed. Helpfully, the amount of campaign analysis available today means we can study real attacker methods in ways we couldn’t before, and it turns out, they do a lot of the same things we find ourselves doing when faced with the same constraints. Different tools maybe, but similar tactics.
Risk management e.g. if we take a log monitoring box, is it obvious that that provides access to critical system x
The conclusion here, is we need something more than just building the wall. And Lockheed showed us with the kill chain, that investigation-lead based on understanding of actual attacks, can give you that.
e.g. anti-virus or ASLR. Attackers keep building their toolchain (ref H in pushing a camel through the eye of a needle). Defenders: “we need to do something, x is something, let’s do x”. When attackers encounter something new, they need to spend time to figure it out and bypass it; this looks like alert, alert, nothing. Assuming stuff is blocked is the wrong approach. Obscure defences, specific to your org or use, are less likely to have been seen before, and will generate a detection; a detection can be turned into an investigation if you move up and down the process, knowing it.
Highlight upcoming examples
Attackers know the coping methods, study passwords, and optimise. Example of phoning the call centre and asking what they reset your account to.
Thing to stop bruting doesn’t stop bruting. Citrix, OWA, any AD-auth point.
Passwords longer than 15 can’t be cracked by hashcat, and LM is disabled
We call this massploitation, because we have scripts to take advantage of the risks we highlight, to automatically pwn as many boxes as we can. At one stage, we have 40k meterpreter sessions.
Remind people of the subtlety here. We’re not saying you can pwn through missing patches, we’re saying everyone knows that, but we’ve never stopped it, so why do we keep pursuing the impossible?
Result: passwords are left to defaults, blank or just fuggin easy. Maybe you remember to do SQL, but what about tomcat/hp management/axis2/postgres/mysql/firebird/etc. etc.
Management agents; splunk, intel, hp system management, nagios
A flaw in one, is a flaw in all.
Remind people of the subtlety here. We’re not saying you can pwn through missing patches, we’re saying everyone knows that, but we’ve never stopped it, so why do we keep pursuing the impossible?
Hard choices – all software comes at a cost, if you aren’t actively managing it (cost), then it’s making you vulnerable (cost)
You don’t have to test your payloads on a live client, test them against their AV before you get there. Attackers can test climbing the wall.
The problem is, people aren’t disciplined in how they build their DMZs, it’s also honestly hard
Dominic made this, not Panda. If you see this attributed to Panda, it’s because he is a plagiariser.
Hope someone gets the Star Trek reference. The trouble with tribbles was an episode of Star Trek in 1967. They bring a tribble (a small furry alien that purrs) onto the ship, they soon multiply exponentially and infiltrate all the ships systems.
HBGary referred to reDuh as “insidious”. There are many ways to skin this cat, and it can get pretty sneaky, e.g. timing. DNS exfil used to be niche (e.g. squeeza); now it’s everywhere: sqlmap, sqlninja, metasploit, iodine.
As pentesters, we’re timebound more than any other constraint, so we go for the control plane. Going for the data/app plane requires more business knowledge. But I know IT and I know IT people need a way to manage lots of boxes. If I crack that, I can get access to anything else, it’s just a matter of time.
Info leakage findings are lame, except the domain gives you *so much* of it. It makes it too easy for finding admins. Mention Etienne’s PsLoggedOn
Microsoft published a doc about defending against PtH attacks this year. Truthfully, Unix suffers from similar flaws at scale – ssh keys, world-readable config files, bash history. It’s just that AD is the default paradigm for this stuff.
Two points here. The obvious is, maybe someone should build it. But the other is that you could likely automate this and win in most cases. Some of it has been done before e.g. conficker (ms08-067 & creds). We send juniors in for internals a lot of the time, because we know they can pwn these things.
Cargo-cult DMZ implementations
We need a way to clear all tokens (of logged out users?). The group thing is a big one. It’s easy to hide an admin account 5 group levels down. Or hide it in Administrators which is where Domain Admins inherits its status from.
If you walk away thinking any of these attacks are novel, then you’ve missed the point. These attacks are so common/well understood that they are second nature to an attacker. We need novel ways of defending.
Understand Passwords -> horizontal brute, monitor for it
Massploitation -> prioritise the ones you find with stable/easily exploitable vulns
AV -> know what you get, don’t blindly trust it
Lateral -> Attack result is greater than the sum of its parts