This document discusses risk-based penetration testing and how it differs from traditional penetration testing. Risk-based testing focuses on business risks rather than just technical vulnerabilities. It requires understanding both the technical aspects and the business processes. Test cases are developed from risk scenarios specific to the business, and severity levels are assigned according to risk to the business rather than technical parameters alone. The audience for risk-based testing reports also includes business stakeholders, not just IT teams. Examples of risk-based testing for different types of organizations are provided.
This slide deck highlights the continued growth and evolution of Core Security Technologies and helps introduce an entirely new product for enterprise security testing and measurement - CORE INSIGHT Enterprise.
Malware infiltration, spear phishing, data breaches...these are terrifying words with even more frightening implications. These threats are hitting the technology world hard and fast and can no longer be ignored.
A detailed analysis on the Security Standard goals and requirements. Examples of companies that failed to comply, with emphasis on which part of the security standards they violated and the fines that resulted as a result of their non-compliance.
Emerging Trends in Information Security and Privacy - lgcdcpas
Malware infiltrations, spear phishing, data breaches: these are scary words with even scarier implications. These threats are hitting the interconnected technology world fast and hard and can no longer be ignored.
Are you doing everything you can to avoid having your data compromised and becoming the next security breach horror story?
To help you answer that question, join the security experts at LGC+D for the Emerging Trends in Information Privacy and Security seminar on Wednesday, August 6th. They will be joined by a dream team panel of IT, legal and insurance experts that deal with these threats every day, and have the experience and knowledge to help you make the right security decisions.
How really to prepare for a credit card compromise (PCI) forensics investigat... - Security B-Sides
Reviewing cases ranging in size from your neighborhood bar to the massive TJX case, an ex-QIRA will discuss the dirty inside secrets of the card associations and QSAs. Reviewing lessons learned from dozens of past forensic cases, this presentation will highlight how to prepare for a PCI-mandated forensics investigation, including: what steps should be taken to limit fines and fees, how to ensure you have proper legal representation, how to limit the scope of the investigation, and what questions to ask before deciding who will conduct the forensic investigation.
Learn why Capacity Management matters for GDPR compliance and how having a best in class capacity management process helps to ensure availability and security of your data.
Prevent Insider Threats with User Activity Monitoring - ObserveIT
Gain the visibility and context you need to detect abnormal behavior, get a clear picture of the risk insiders present, and stop them from becoming a threat.
You'll learn how to Prevent Insider Threats with ObserveIT:
• Observe who’s doing what and distinguish insider abuse from legitimate use
• Detect abnormal user behavior indicative of insiders becoming threats
• Prevent users from putting your business at risk
Bridging the Social Media Implementation/Audit Gap - Jerod Brennen
It's one thing to embrace social media, but it's another thing entirely to embrace it securely. This presentation helps organizations understand what steps should be taken to ensure that their social media properties aren't abused or exploited to attack the organization.
2010 07 BSidesLV Mobilizing The PCI Resistance 1c - Gene Kim
Properly Mobilizing the PCI Resistance: Lessons Learned From Fighting Prior Wars (SOX-404)
I have noticed that there is a growing wave of discontent and disenchantment from information security and compliance practitioners around the PCI DSS. Josh Corman has been an effective voice for these concerns, providing an intellectually honest and earnest analysis in his talk “Is PCI The No Child Left Behind Act For Infosec?”
The problems are well-known and significant: too much ambiguity in the PCI DSS, Qualified Security Assessors (QSAs) and consultants using subjective interpretations, existing guidance either too prescriptive or too vague, scope missing critical systems that could put cardholder data at risk, overly broad scope and excessive testing costs, excessive subjectivity and inconsistency, poor use of scarce resources, no meaningful reduction in the risk of data breaches, and so forth.
For years, I have been studying the PCI DSS compliance problem as well. I have noticed many similarities between the PCI compliance challenges and the “SOX-404 Is The Biggest IT Time Waster” wars in 2005. I was part of the leadership team at the Institute of Internal Auditors (IIA), where we did something about it. We identified the inability to accurately scope the IT portions of SOX-404 as the root cause of the billions of dollars of wasted time and effort, while not reducing the risk of financial misstatements.
I propose to present the two-year success story of the IIA GAIT project and how we changed the state of the IT audit practice in support of SOX-404 financial reporting audits. We defined the four GAIT Principles, which could be used to correctly scope the IT portions of SOX-404. We mobilized over 100K internal auditors, the SEC and PCAOB regulatory and enforcement bodies, as well as the external auditors from the 8 big CPA firms (e.g., Big Four and other firms doing SOX advisory work). In short, we made a difference, in a highly political process that involved many constituencies.
I am attempting to do something similar with the PCI Security Standards Council, through my work as one of the leaders of the PCI Scoping SIG (Special Interest Group). My personal goal is to find a “third way” to better enable correct scoping of the PCI Cardholder Data Environment, and create a risk-based approach of substantiating the effective controls to ensure that cardholder data breaches can be prevented, and quickly detected and corrected when they do occur.
My desired outcome is to find fellow travelers who also see the pile of dead bodies in PCI compliance efforts, and work with those practitioners to catalyze a similar movement to achieve the spirit and intent of PCI DSS.
Introduction to Token Service Provider (TSP) Certification - Kimberly Simon MBA
ControlCase will cover the following:
• Description of "Token Service Provider" (TSP)
• Eligibility and steps to become a TSP
• Scope and implementation
• Review of TSP Standard.
Georgie Collins and Dan Hedley, Irwin Mitchell LLP presented, "Data breaches and the law, a practical guide" at Flight East 2018. For more information on Black Duck by Synopsys, please visit our website at www.blackducksoftware.com.
Insider Threats: Out of Sight, Out of Mind? - ObserveIT
Insider threats represent a major security blind spot where an increasing number of today’s security incidents occur. Highly publicized insider data thefts, such as the recent Morgan Stanley breach or the AT&T call center incident, highlight the increasing need for better security practices and solutions to reduce the risks posed by insider threats.
Detecting insider threats has become increasingly difficult with the large volume of data generated through normal user activities and lack of visibility into actual user behavior. Most organizations rely on system logs from applications and devices that typically contain hundreds or thousands of discrete events in obscure technical language, making it nearly impossible to determine what a user actually did.
Watch our webinar “Insider Threats: Out of Sight, Out of Mind?” to learn about the most popular tactics to combat insider threats and how to identify indicators of insiders becoming threats. This webinar will share best practices and how to adopt an early warning system to reduce your risk and strengthen your security posture.
PCI stands for “Payment Card Industry”, which is comprised of representatives from the major card brands (Visa, MasterCard, American Express, Discover, JCB etc.) who came together to set minimum security requirements for protecting cardholder data.
To achieve this, they wrote a framework of security controls known as the PCI DSS. They wrote a number of other directives but this is the main one that applies to the majority of businesses.
The PCI DSS consists of six goals, 12 requirements and 286 controls and must be implemented by any business that processes, stores or transmits credit or debit cardholder data. The requirement for PCI DSS compliance is stated in your agreement with the bank that issues you a merchant identification. Your business is required to certify compliance to your bank upon achieving it and annually thereafter. The banks report your compliance to the PCI SSC and can issue fines for non-compliance.
Because many organizations don't perform security unless they have to, more than 80% of all web applications are exposed to vulnerabilities. In comes regulation. There are a number of industries other than financial and healthcare that deal with PII and PHI but are either not regulated at all or are regulated very loosely. This presentation will discuss the various regulations (PCI, SOX, HIPAA, etc.) and what each does to address web application security, if anything, as well as the shortcomings of each. Finally, it will address industries that need to be more strictly regulated in order to better protect personal information.
Andrew Weidenhamer, Senior Security Consultant, SecureState
Andrew Weidenhamer, Senior Security Consultant, joined SecureState in January 2008. As a former member of the Profiling Team, Andrew performed technical security assessments on a weekly basis. These assessments included Internal and External Attack and Penetration Assessments, Wireless Penetration Assessments, Web Application Security Reviews, Physical Penetration Tests, and Social Engineering Assessments.
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ... - Core Security
Passwords, multi-factor authentication, knowledge-based questions/answers, and hard tokens are based on technologies that are now 20 years old. With organizations losing the battle against cyber attacks, it’s clearly time to move beyond these legacy technologies and adopt a modern approach in which awareness and flexibility are king. Authentication must adapt based on the level of risk, so that it can deliver strong security yet be invisible to users most of the time.
Achieving that balance of strong security and appropriate user friction is the basis for modern authentication. This session will explore what modern authentication is and why using it across all users, devices, and services is vital to turning a losing battle into a winning strategy to stop cyber attacks.
Here is a brief description of third-party risk management (TPRM), how to onboard third-party vendors, and what the role of a CISO is in this process. To know more about TPRM and information security management, click here: https://www.eccouncil.org/information-security-management/
Application Security - Your Success Depends on it - WSO2
Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment brought down if your application's security isn't taken seriously. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase.
In this session, Dulanja will discuss the following:
• The importance of application security - why network and OS security is insufficient.
• Challenges in securing your application.
• Making security part of the development lifecycle.
Penetration Testing is interesting and difficult work.
The main result of this work is the report. It can be used for customer presentation, vulnerability mitigation and audit compliance. The report is the final proof of completed work and a good overall score of security status.
In today’s agile world, every organization is prone to cyber-attacks, as most applications have been developed and deployed with more focus on functionality and end user experience and with minimal attention given to security risks. http://www.karyatech.com/blog/security-testing-in-the-secured-world/
Slide deck from Webinar 11/07/18 introducing the Third Party Network, shared-evidence network concept and how it can support the maturity of Third Party risk management programs.
Summarising Snowden and Snowden as internal threat - ClubHack
A quick look back at Snowden's revelations, also looking at Snowden as an insider threat.
*This presentation ends abruptly because during the talk it served as food for thought and a kickstart of the next session*
Fatcat Automatic Web SQL Injector by Sandeep Kamble - ClubHack
What is FatCat SQL injector? This is an automatic SQL injection tool called FatCat.
FatCat purpose: for testing your web application and exploiting your application more deeply.
FatCat support:
1) MySQL 5.0
FatCat features:
• Union-based SQL injection
• Error-based SQL injection
• ModSecurity (WAF) bypass
The Difference Between the Reality and Feeling of Security by Thomas Kurian - ClubHack
The paper shall focus on the following:
1) Introduction to the problem: Focus on “security awareness”, not “behavior”
2) Real life case study of why a US$100, 000 “security awareness” project failed
a. Identifying the human component in information security risks
b. Addressing the human component using “awareness” and “behavior” strategies
4) Sample real-life case studies where quantifiable change has been observed
Original research and Publications
The talk is modeled on the methodology HIMIS (Human Impact Management for Information Security) authored by Anup Narayanan and published under “Creative Commons,
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup... - ClubHack
NFC, or Near Field Communication, allows cell phones to perform specified actions whenever they detect NFC tags or signals from another NFC-enabled device. Most recent phones, including the Samsung Galaxy S3, Nokia Lumia 610, Blackberry Bold etc., have NFC enabled. NFC even helps enterprise/payment gateways to ease users' actions, such as connecting to a wifi network, setting a bookmark, making payments etc.
Gone are the days of sending Android malware links through URLs or attachments. In this talk, we will be showing how an attacker could steal private and sensitive information from one’s phone and even perform malicious actions on the user’s phone, using NFC as an attack vector. NFC attack vectors come in two forms: Active (setting the attacker’s phone as a proxy between the victim’s smartphone and the payment terminal) and Passive (using NFC tags). For our demonstrations, we would be creating malicious NFC tags which, when detected by any NFC-enabled smartphone, would steal sensitive information from the phone (without the user's knowledge) as well as trick the user into installing malicious applications on his phone. Thereafter, we would also be talking about how an attacker could get in close proximity to another NFC-enabled phone, get a remote shell on the victim’s phone and compromise the phone’s security. We would also be discussing how viral an NFC attack could go in future if proper security measures are not enforced.
Smart grids add communication capabilities and intelligence to traditional grids. Smart grids are enabled by intelligent sensors and actuators, extended data management systems, expanded two-way communication between utility operation system facilities and customers, network security, national integration, self-healing and adaptive behaviour that improves distribution and transmission system operation, allowing customers the freedom to purchase power based on dynamic pricing, improved quality of power with less wastage, and integration of a large variety of generation options.
We have seen that the more complex and critical the infrastructure, the more vulnerable it is. Since 1994 we have seen lots of incidents where smart grids were hacked; the latest and most prominent incident was the Stuxnet worm, which targeted the nuclear power system of Iran and worldwide. We will look at the different types of attacks and the security needed for the smart grid.
Legal Nuances to the Cloud by Ritambhara Agrawal - ClubHack
This presentation highlights the key legal risks and their implications in cloud computing. Cloud is inherently multi-jurisdictional, encompassing remote hosting and processing of the data. This gives rise to multiple legal issues including security and privacy of the data, IP rights, data portability, contractual limitations, risk mitigation and jurisdictional disputes.
As the cloud involves remote hosting and data accessibility by multiple parties, security and privacy remains the biggest concern for the companies. Businesses should look at issues ranging from physical location of the data centers, protection of the data against any adversity and intrusion, and access rights management.
The cloud servers are often located in different countries, which results in trans-border data flow. Each country has its own set of legal rules and regulations regarding data protection and privacy policies, and these can bring complications in the form of conflicting laws and jurisdictional disputes. Issues pertaining to IP rights, trade secrets and ownership of the data placed in the cloud require utmost attention. Termination and exit clauses are critical to contracts in the cloud. Interoperability of the data in the event of termination of a vendor's services is an important aspect to be considered in the contracts.
Infrastructure Security by Sivamurthy Hiremath - ClubHack
With the development of technology, the interdependence of various infrastructures has increased, which has also increased their vulnerabilities. The National Information Infrastructure's security concerns the nation’s stability and economic security. So far, research in Internet security has primarily focused on securing the information rather than securing the infrastructure itself.
Given the pervasive and ubiquitous nature of the Internet, coupled with growing concerns about cyber attacks, we need immediate solutions for securing the Internet infrastructure. Given the prevailing threat situation, there is a compelling need to develop hardware redesign architectures, algorithms, and protocols to realize a dependable Internet infrastructure. In order to achieve this goal, the first and foremost step is to develop a comprehensive understanding of the security threats and existing solutions. This talk attempts to fulfil this important step by classifying security attacks into four main categories: DNS hacking, routing table poisoning, packet mistreatment, and Denial-of-Service attacks. We discuss the existing infrastructure solutions for each of these categories, and also outline a methodology for developing a secure nation.
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan - ClubHack
Today there is a flood of tools to help with the automation of active scanning and exploitation of web applications. Once you move beyond these two functions the flood reduces to a trickle. Vulnerability hunting is a fine art that requires a knack for seeing hidden patterns and connections. Tests like hidden parameter guessing are seldom performed by even skilled testers because of the time and effort involved in preparing for and performing them. When was the last time you identified a piece of sensitive data hidden in plain sight because it was hex encoded into a very inconsequential-looking string?
Do you enumerate all possible avenues for stored XSS in an application? A lot of the time checks are missed because there is no good tooling available to perform them effectively and efficiently. HAWAS is the tool you have been missing for a long time now. It is an open source tool that is designed for hybrid analysis. It performs automated passive analysis of a web application with no input from the user in some cases and with application-specific input in other cases. Based on the initial set of findings the user can perform further checks from within HAWAS. HAWAS will help you hugely increase your test coverage with very little additional effort.
Hacking and Securing iOS Applications by Satish Bomisstty - ClubHack
iOS applications share a common set of classes and depend heavily on the operating system's solutions for data communication, storage and encryption. Depending solely on Apple's implementation makes them less complex, but it affects the security of the applications. Though iOS comes with a great set of security features like code signing, ASLR, DEP, sandboxing and Data Protection, all of them are subject to attack. Relying only on iOS security could lead to the loss of sensitive data stored within the application when iOS is compromised. Application security can be improved by understanding the weaknesses in the current implementation and incorporating your own code that works better.
The presentation illustrates several types of iOS application attacks like runtime manipulation, custom code injection, SSL session hijacking and forensic data leakage. It gives an insight into the iOS Keychain and Data Protection API and explains the techniques used to circumvent them. The presentation will provide guidelines and suggest best practices for secure iOS application development.
Critical Infrastructure Security by Subodh Belgi - ClubHack
Industrial Automation & Control Systems are an integral part of various manufacturing and process industries as well as national critical infrastructure. Concerns regarding the cyber-security of control systems relate both to the legacy nature of some of the systems and to the growing trend of connecting industrial control systems to corporate networks. These concerns have led to a number of identified vulnerabilities and have introduced new categories of threats not seen before in the industrial control systems domain. Many of the legacy systems may not have appropriate security capabilities to defend against modern-day threats, and the requirements for availability and performance can preclude the use of contemporary cyber-security solutions. To address cyber-security issues for industrial control systems, a clear understanding of the security challenges and of specific defensive countermeasures is required. The session will highlight some of the latest cyber-security risks faced by industrial automation and control systems, along with essential security controls and countermeasures.
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta - ClubHack
With the increase in security awareness it’s very difficult to compromise the network/workstation, as most network administrators put a very restrictive firewall policy on incoming network traffic, i.e. allowing only traffic for the http/https service, and antivirus software can easily detect any virus/worm-infected file. This talk is about content-type attacks that cannot be blocked at the network perimeter/firewall and are undetectable by antivirus. The discussion also includes a demonstration of the attack vector used to compromise the system. Finally, it includes an analysis of the malicious file used to compromise the system.
Abstract of the paper;Cross site scripting (XSS) attacks are considered one of the most dangerous attacks. When an application accepts un-validated user inputs and sends it back to the browser without validation, it provides attackers with an opportunity to execute malicious scripts in victim users’ browsers. By using this attack vector, malicious users can hijack user accounts, deface websites, carry out phishing attacks etc .XSS shell is a cross domain tool to carry out XSS attack in more controlled manner. It is used to setup a channel between attacker and victim’s browser and controlling the victim’s browser.
It gives me immense pleasure to tell you that from 06-02-10 to 06-02-12 our magazine has completed two successful and rejoicing years. We at ClubHack are super excited! I hope you people are enjoying the magazine and would continue doing so it in the coming future too. We enjoy making this for you all.It is said that “A lot can happen over a cup of coffee”. We experienced this amazing moment over a cup of coffee when we had the idea of starting a hacking magazine and it now it has come all this way… :). 2 years looks small when we look back.For this incredible success we at ClubHack would like to thank all our readers, volunteers and authors for giving us such unbelievable support. As we want to keep up the growth and progress therefore we request you all to keep throwing in articles, suggestions, support and your love!
Coming to this issue we have Network Security in Tool Gyan which will put light on how to set up a secured network, Who wants to be a Millionaire in Tool Gyan, check out yourself of what exactly its all about ;)TOR in Mom's guide for all those who thought 'It sounds very complicated to use, I’m not a hacker! I can’t use it!' by our Author- Federico from Italy.
From this month’s issue we plan to start a new section on secure coding. This section will essentially focus on good coding practices and snippets to mitigate various vulnerabilities. To begin with we have an article on PHP based RFI/LFI vulnerability. I hope you will like reading it. We also have some cool articles on XSS attacks, ROT decoding and Matriux section.
Do send us your feedback on abhijeet@chmag.in this will help us improve further.
We are now in mid of 2012. As predicted by many techno geeks, this year is phenomenal for IT related technologies including security, networking and web technologies. In April cloud war is started between two big rivals Microsoft & Google. Both making sure that its going to be secure and useful for smart phone users as well. With introduction of new such technologies we must ensure security over the web. Here HTTPS comes into picture and we brought this topic in CHMag's Mom's guide. Along with it topics like Steganography(Tech Gyan), a new toolkit - Kautilya(Tool Gyan), preventing SQL injections(Code Gyan) are covered.
If you have good write up and topic that you think people should know about it then please share with CHMag. Also if you have suggestions, feedback & articles, send it on info@chmag.in. Keep reading!!
There was a time when mobile phones were of the size of a shoe and had no features other than calling and sms and at that time I used to play the game - Snake on my dads phone :p Now as the time has passed we have reached the age of smart phones which are capable of doing lot of stuff and world wide web of application causing serious concern where an attacker can use this platform to steal data. This issue of CHMag is dedicated Mobile/Telecom Hacking and Security.
The coverpage of this December issue was released at ClubHack 2011, India’s Pioneer International Hacking Conference held last week. Talking about ClubHack Conference, if you missed ClubHack here are the presentations available at - http://www.slideshare.net/clubhack and videos at http://www.clubhack.tv/event/2011/
We recently released CHMag's Collector's Edition Volume II. If you wish to buy the Collectors Editions (vol1 – from issue 1 to 10 & vol2- from issue 11 to 20), please write back to us: info@chmag.in. As of now its on demand printing.
Like the game - Snake, I have played lots of other games too which have reflected in the previous coverpages I have designed and yes I promise another awesome coverpage based on a game on the theme of android security which would be the theme for an upcoming issue, for which send in your articles to info@chmag.in
20 Comprehensive Checklist of Designing and Developing a WebsitePixlogix Infotech
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Building RAG with self-deployed Milvus vector database and Snowpark Container...Zilliz
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
1. What is on your mind, is on your body
Nikhil Wagholikar
Practice Lead | Security Assessments & Digital Forensics
Member, Mumbai OWASP Chapter
www.niiconsulting.com
nikhil@niiconsulting.com
2. CEH, ISO 27001:LA
Penetration testing, Security Auditing, Digital Forensics, GRC, Solutions, Performance Auditing
Numerous India and Middle East based clients
Conducted training on various fields of Information security like GRC, IT Security, Green IT, VAPT, Incident Response, Digital Forensics, Application Security
3. Articles
Dare to Delete my files – Checkmate
Universal Extractor – Checkmate
http://www.niiconsulting.com/checkmate/
Assessing Bandwidth Use as a Function of Network Performance – ITAudit
http://www.theiia.org/ITAuditArchive/index.cfm?catid=21&iid=571
Essential Aspects of an Effective Network Performance Audit – ITAudit
http://www.theiia.org/ITAuditArchive/index.cfm?iid=575&catid=21&aid=2901
4. Regular pen-testing vs. Risk-based pentesting
The process of risk-based testing
◦ Understanding the business
◦ Legal & regulatory requirements
◦ Understanding the risks
◦ Examples
◦ Client-side attacks
◦ Beyond hacking technology
Conclusion
6. Lack of Business Risk Perspective – US Department of Homeland Security:
“Most penetration testing processes and tools do little, if anything, to substantively address the business risks...
This is largely due to the fact that the tools and the testers view the target systems with “technology blinders” on...
Although many testing tools and services claim to rank vulnerabilities in terms of technical severity, they do not typically take business risk into account in any significant sense.
At best, the test teams conduct interviews with the business owners of the applications and the application architects in an attempt to ascertain some degree of business impact, but that connection is tenuous.
…the business perspectives, however limited, that these processes can determine are all post facto. That is, they make their business impact rankings after the test is completed...This is a key shortcoming of penetration testing practices today.”
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/penetration/655-BSI.html
Software Security – Building Security In, Chapter 6 on “Penetration Testing Today”
“The problem? No clue about security risk. No idea whether the most critical security risks have been identified, how much more risk remains in the system, and how many bugs are lurking in the zillions of lines of code”
7. “Penetration testing is dead. The concept as we know it is on its death bed, waiting to die and come back as something else.”
- Brian Chess, Co-Founder, Fortify Software
9. Client: "Please provide quote for black-box penetration test"
SP (service provider): "Please provide list of IP addresses and URLs, and application test IDs"
Pre-sales Approach - Evolved
Client: "Please provide quote for black-box penetration test"
SP: "Hang on..."
SP: "I'd first like to know…"
10. Traditional Pentesting vs. Risk-based Pentesting

| Traditional Pentesting | Risk-based Pentesting |
|---|---|
| Focus is on technical vulnerabilities | Focus is on business risks |
| Requires strong technical know-how | Requires both technical and business process know-how |
| Having the right set of tools is critical | Understanding the workings of the business and applications is critical |
| Is usually zero-knowledge | Requires a person who understands the business process to play a significant role – usually an insider |
| Understanding the regulatory environment is good | Understanding the regulatory environment is mandatory |

11. Traditional Pentesting vs. Risk-based Pentesting (continued)

| Traditional Pentesting | Risk-based Pentesting |
|---|---|
| Severity levels are based on technical parameters | Severity levels are based on risk to the business |
| Risk levels in the report are assigned post facto | Risk levels in the report reflect the levels assigned prior to testing |
| Test cases are built from testing methodologies or generic testing processes | Test cases additionally build on risk scenarios |
| Audience for the report is usually the IT and Security teams | Audience for the report also includes the business process owners and heads of departments |
12. Corporate Banking Platform – allows three login roles
◦ Maker who enters the transaction into the system
◦ Verifier who checks the transaction data
◦ Authorizer who authorizes the final payment
Each screen in the web application is different based on the privilege level of the logged-in user
Security implemented by:
◦ Restricting access to URLs that allow certain transactions
◦ Parameters that trigger certain transactions
13. RA (Risk Assessment) Phase
◦ Understand business process
◦ Understand business risks
◦ Define test cases
Can maker do what verifier does
Can verifier do what authorizer does
Can client's admin do what bank's admin does
So forth
Pentesting discovers
◦ http://www.bankPay.co.in/BankPayApp/authorizePaymentAction.action is available only to Authorizer
◦ But what if Maker puts it in his browser?
◦ Transaction still doesn't get authorized
◦ Further investigation reveals a parameter: Filter='block'
◦ When this value is changed to: Filter='submitToPay'
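The test cases on this slide are a role × action matrix, and the finding is a parameter-driven bypass of a screen-level check. The following Python is an added example, not code from the deck or from the bank's application: it models the authorizePaymentAction URL and the Filter=block / Filter=submitToPay values from the finding in a toy handler, puts the corrected server-side check beside it, and drives every role against every step the way the risk-assessment test cases demand. The other two URLs, the role names, the in-memory transaction store and the harness are constructed for the example.

```python
"""Role x action authorization test for the maker / verifier / authorizer flow.

Added example, not code from the deck or from the bank's application. The
authorizePaymentAction URL and the Filter=block / Filter=submitToPay values
come from the deck's finding; the other two URLs, the role names, the
transaction store and the test harness are constructed for this example.
"""
from dataclasses import dataclass, field

AUTHORIZE_URL = "/BankPayApp/authorizePaymentAction.action"   # from the deck
VERIFY_URL = "/BankPayApp/verifyTransactionAction.action"      # assumed name
ENTER_URL = "/BankPayApp/enterTransactionAction.action"        # assumed name

# Business rule from the risk-assessment phase: which role may perform which
# step. Anything outside this table is a segregation-of-duties violation.
PERMITTED = {"maker": {"enter"}, "verifier": {"verify"}, "authorizer": {"authorize"}}
ACTION_FOR_URL = {ENTER_URL: "enter", VERIFY_URL: "verify", AUTHORIZE_URL: "authorize"}
# Transaction state each step expects to start from (ENTERED -> VERIFIED -> PAID)
START_STATE = {"enter": "ENTERED", "verify": "ENTERED", "authorize": "VERIFIED"}


@dataclass
class Txn:
    maker: str
    status: str = "ENTERED"


@dataclass
class App:
    txns: dict = field(default_factory=dict)


def vulnerable_app(app, user, role, path, params, txn_id):
    """Models the deck's finding: the authorizer's URL is only hidden from the
    other roles' screens, and the state change is keyed off the client-supplied
    Filter value. Role and user are never consulted on the server."""
    txn = app.txns[txn_id]
    action = ACTION_FOR_URL.get(path)
    if action == "authorize":
        if params.get("Filter") == "submitToPay":
            txn.status = "PAID"
            return "PAID"
        return "OK"            # Filter=block: page renders, nothing happens
    if action == "verify":
        txn.status = "VERIFIED"
        return "OK"
    if action == "enter":
        return "OK"
    return "NOT_FOUND"


def hardened_app(app, user, role, path, params, txn_id):
    """The action is derived from the URL and checked against the session role
    on the server; client parameters never select the action, the workflow
    order is enforced, and a transaction's maker can never authorize it."""
    action = ACTION_FOR_URL.get(path)
    if action is None:
        return "NOT_FOUND"
    if action not in PERMITTED.get(role, set()):
        return "FORBIDDEN"
    txn = app.txns[txn_id]
    if txn.status != START_STATE[action]:
        return "FORBIDDEN"                       # out-of-order step
    if action == "verify":
        txn.status = "VERIFIED"
    elif action == "authorize":
        if txn.maker == user:
            return "FORBIDDEN"                   # maker-checker rule
        txn.status = "PAID"
        return "PAID"
    return "OK"


def find_violations(handler):
    """Drive every role against every step URL with both Filter values and
    report each (role, url, Filter) that changed the transaction state although
    the business rule does not permit that role to perform that step."""
    violations = []
    for role in PERMITTED:
        for path, action in ACTION_FOR_URL.items():
            for filt in ("block", "submitToPay"):
                app = App({"T1": Txn(maker="alice", status=START_STATE[action])})
                handler(app, user=f"{role}-user", role=role, path=path,
                        params={"Filter": filt}, txn_id="T1")
                changed = app.txns["T1"].status != START_STATE[action]
                if changed and action not in PERMITTED[role]:
                    violations.append((role, path, filt))
    return violations


if __name__ == "__main__":
    for v in find_violations(vulnerable_app):
        print("violation:", v)
    print("hardened violations:", find_violations(hardened_app))
```

Against the vulnerable handler the harness reports the maker and the verifier reaching PAID with Filter=submitToPay, and every non-verifier role moving a transaction to VERIFIED; against the hardened handler it reports nothing. The point for the report is that the matrix comes from the business rule, not from a tool's checklist, so the same harness is reused for the "client's admin vs. bank's admin" case by extending PERMITTED.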
14. Who are the key actors – employees, departments, customers, partners, vendors, investors, brokers, franchisees, resellers?
What applications do they use?
What data do they access through these applications?
What are the risks if any of these actors turns bad?
What possibilities exist if an actor should decide to misuse the data – building fraud scenarios?
15. PCI DSS
◦ For all merchants and service providers that store, process or transmit cardholder data
◦ Quarterly network vulnerability scans and annual (and after any significant change) penetration tests
◦ Focus on web application security
◦ Requires a high level of protection of credit card data
◦ Non-compliance penalties are contractual (levied by the card brands through the acquiring bank) rather than regulatory fines, but a breach of card data could put you out of business
HIPAA
◦ For healthcare providers, health plans, clearinghouses and their business associates
◦ Requires a high level of protection for patient records and medical history
◦ Fines for non-compliance are usually high
◦ Breaches could put you out of practice/business
16. FDA
FFIEC
SOX
Indian IT Act 2008
RBI / Other Central Bank
Others
18. A local search engine with millions of hits on the website
Key concerns are:
◦ Growing competition
◦ Need to expand rapidly through resellers and franchisee model
◦ Threat of exposure of data to unscrupulous elements
◦ Low competitive entry barrier - biggest threat of corporate espionage
External web application test
◦ Running repeated search queries – changing session IDs, changing source IP addresses (can the listings database be scraped in bulk while evading per-session and per-IP limits?)
◦ Exploiting other channels – WAP, Toolbar, sub-domains
Internal business applications tested from the perspective of a:
◦ Tele-caller
◦ Marketing agent
◦ Developer
20. Internationally acclaimed publications website
Earns income via paid subscription to researched publications
Publications are key intellectual property
Membership levels and subscription values differ based on sensitivity and type of information accessible
Use of the Google Search Appliance leads to indexing of all data
While members-only data is not accessible directly, it is accessible via the 'Text Version' link from the Google search results (the appliance's cached copy, served from the crawler's index rather than from the protected pages)!
22. Investors use the stock exchange via brokers
However, direct interactions with the exchange include:
◦ Registering with the exchange to obtain investor IDs
◦ Modifying investor personal data
◦ Nominating others to trade on their behalf
◦ Obtaining trade summaries
◦ Obtaining research reports
One of the key risks identified:
◦ Violation of privacy
23. Website analysis reveals two areas of interest
◦ A local search functionality
◦ Online access to personal trading history and balance sheets
Each investor has a personal investor number – National Investor ID (NID)
Website also offers educational games and documents on how to trade
Guessing passwords for user IDs gives access to complete trade history and balance sheets
Entering interesting search terms results in personal details of investors being revealed
25. Driven by business risks and regulatory requirements
Identify all sensitive data, not just authentication credentials
PCI DSS requires encryption of credit card data
◦ Between the client and the web server
◦ When stored in the database
◦ Between the web application server and the database server
HIPAA requires securing of all patient data
◦ Prescriptions
◦ Medical history
◦ Diagnostic results
◦ Transcriptions
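"Identify all sensitive data" is in practice a discovery exercise: card numbers turn up in logs, exports and support tickets, not only in the payments table. The following Python is an added example, not from the deck: it scans a few constructed sample lines for candidate primary account numbers, keeps only those that pass the Luhn check, and reports them masked to the first six and last four digits so the finding itself does not re-expose a PAN. The card numbers in the sample are the widely published 4111... and 5500... test numbers, and the regex and sample text are constructed for the example.

```python
"""Data-discovery pass for the 'identify all sensitive data' step.

Added example, not from the deck. It scans text (here a few constructed
sample lines: a log entry, a CSV export, a support ticket) for candidate
primary account numbers, keeps only those passing the Luhn check, and reports
them masked to first six / last four digits so the finding itself does not
re-expose a PAN. The card numbers used are the widely published 4111... and
5500... test numbers, not real cards.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run (constructed for this example).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS permits displaying at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return [(masked_pan, line_number)] for every Luhn-valid candidate.

    Digit runs that look like a card number but fail Luhn (ticket numbers,
    phone numbers, typos) are dropped, which keeps the report reviewable."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((mask_pan(digits), lineno))
    return hits


# Constructed sample: a log line, a CSV export, a ticket note, a phone number.
SAMPLE = "\n".join([
    "2012-05-14 10:22:01 INFO payment ok card=4111 1111 1111 1111 amount=1200.00",
    "order_id,customer,card",
    "9981,asha,5500000000000004",
    "ticket#4471: customer says number 1234 5678 9012 3456 was declined",
    "phone: 022-2640-0000 ref 4111111111111112",
])

if __name__ == "__main__":
    for masked, lineno in find_pans(SAMPLE):
        print(f"line {lineno}: {masked}")
```

Two of the five lines carry a valid PAN (the log line and the CSV row); the ticket's sixteen digits and the mistyped reference fail Luhn and are not reported. The caveat is the usual one for pattern-based discovery: a PAN split across fields, stored reversed or base64-encoded will not match, so this is a first pass over exports and logs, not a substitute for tracing where the application actually writes card data.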
27. For a procure-to-pay cycle, possible fraud scenarios could include:
◦ Adding a vendor without proper approval
◦ Changing the banking data of a vendor so that payments go into the wrong bank account
◦ Approving a quote by violating access rights
◦ Approving an invoice without a goods-received-note being present
◦ Colluding with another user to perpetrate a fraud
◦ Violating maker-checker controls
28. Main actors involved are:
◦ Brokers
◦ Franchisees
◦ Investors
Possible frauds could occur as follows:
◦ Attacker gathers enough data to social engineer a broker
◦ Attacker places trades on behalf of investors by violating web application security – jacking up share prices
◦ Attacker is able to determine trading patterns of HNIs – High Net Worth Individuals
◦ Attacker violates payment gateway controls to channel money into his/her own account
◦ Attacker impersonates a broker/franchisee and social engineers the share trading company
29. Internal audit of a Southern India-based retail store contracts us to do a 'tiger team' attack
Objective of the exercise is to determine controls over financial information
Risks identified (can an attacker):
◦ Access sensitive financial information?
◦ Modify goods prices and accounts information significantly?
◦ Change tags on goods to buy them at a lower price?
33. Social networking website
Value of website derives from focus on privacy and ease-of-use
Peer-feedback is the key to the popularity
Messages posted privately and on public 'walls', 'scrapbooks', 'blogs'
Integrity of messages is key
Social engineering can be used to trigger CSRF and XSS attacks
35. Explaining the technicality of the issue to developers and management
Explaining exploitability and impact of the issue
Demonstrating practical risk from it
In some situations, explaining it additionally as HTML injection may help
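For the social networking case above (slide 33) and the "demonstrate practical risk, explain it as HTML injection" advice on this slide, a small runnable model is often the clearest thing to hand a developer. The following Python is an added example, not code from the deck or from any social network: requests are plain dicts standing in for HTTP (cookies, form fields, an Origin header), the session store and token scheme are constructed here, and the posting handler is shown once without and once with CSRF protection, with the wall rendered through output encoding so a posted script tag is displayed as text rather than executed.

```python
"""Posting to a 'wall' with and without CSRF protection, plus output encoding.

Added example, not code from the deck or from any social network. Requests
are plain dicts standing in for HTTP (cookies, form fields, Origin header);
the session store and token scheme are constructed here but use the same
primitives a framework would: a per-session random token, compared in
constant time, that a page on another origin cannot read.
"""
import hmac
import html
import secrets

SESSIONS = {}          # session id -> {"user": name, "csrf": token}
SITE_ORIGIN = "https://social.example"    # assumed origin of the site


def login(user: str) -> str:
    """Create a session and mint its CSRF token; returns the session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_wall(wall) -> str:
    """Output-encode every field before it reaches the page, so a posted
    <script> tag is shown as text rather than executed (the 'HTML injection'
    framing the deck suggests for developers)."""
    return "".join(
        f"<li>{html.escape(m['user'])}: {html.escape(m['text'])}</li>" for m in wall
    )


def post_vulnerable(wall, request) -> int:
    """Authenticates by session cookie alone. A form auto-submitted from an
    attacker's page carries the victim's cookie, so it posts as the victim."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401
    wall.append({"user": sess["user"], "text": request["form"]["text"]})
    return 200


def post_hardened(wall, request) -> int:
    """Requires the per-session token in the form body and, as defence in
    depth, rejects an Origin header (when the browser sends one) that is not
    the site's own."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    token = request["form"].get("csrf", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    wall.append({"user": sess["user"], "text": request["form"]["text"]})
    return 200


def forged_request(victim_sid: str) -> dict:
    """What an attacker's page can produce: the browser attaches the victim's
    cookie, but the attacker neither knows the token nor controls Origin."""
    return {
        "cookies": {"sid": victim_sid},
        "headers": {"Origin": "https://evil.example"},
        "form": {"text": "<script>steal(document.cookie)</script>"},
    }


def legit_request(sid: str, text: str) -> dict:
    """A submit from the site's own form, which embeds the session's token."""
    return {
        "cookies": {"sid": sid},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"text": text, "csrf": SESSIONS[sid]["csrf"]},
    }


if __name__ == "__main__":
    wall, sid = [], login("victim")
    print("vulnerable:", post_vulnerable(wall, forged_request(sid)), render_wall(wall))
    wall = []
    print("hardened:  ", post_hardened(wall, forged_request(sid)), wall)
```

Run as a script, the vulnerable handler accepts the forged post as the victim (and the rendered wall shows the script as harmless text only because of the escaping in render_wall), while the hardened handler refuses it. That is the demonstration the slide asks for: one forged request against each handler, and the same payload rendered once escaped and once not, makes exploitability and impact concrete for a developer without arguing about browser internals.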
42. Browser-based exploits
Trojaned MS Office/PDF files
Combine with SE (social engineering) on social networking sites
◦ LinkedIn
◦ Monster.com and job sites
◦ Social networking sites
Phishing attacks
Evil maid attacks
Windows Metafile-type exploits
RSA (2-factor) hacks
43. Fear of the unknown
Client resistance
Simply a checklist item
Cost
Time
44. Real-world hackers are hacking the business, not the technology – they always have been
Penetration testers need to bring their approach up to speed – go beyond the norm
Endeavor to obtain greater business know-how and a larger perspective than "technical blinkers"
Cookie-cutter pen-testing methods don't add value
Technical testing needs to be combined with physical penetration testing and social engineering
Reports and executive summaries should reflect this deeper understanding of the business perspective
45. Nikhil Wagholikar
Practice Lead | Security Assessments & Digital Forensics
NII Consulting
nikhil@niiconsulting.com
www.niiconsulting.com