Open Directories: Sensitive data (not) hiding in plain sight

•

0 likes•238 views

Jan Kopriva in Bucharest, Romania on November 8-9th 2018 at DefCamp #9. The videos and other presentations can be found on https://def.camp/archive

Technology

Open Directories
Sensitive data (not) hiding in plain sight
TLP: GREEN
Jan Kopřiva
ALEF CSIRT
jan.kopriva@alef.com

• Timeframe: Q3 2018
• Thousands of open directories analysed
(mostly manually)
• Sensitive data found on 185 domains
Analysis of .CZ a .SK

22%
Personal Data
15%
Highly Sensitive Data
Personal and Highly Sensitive Data

18%
SW/Warez
14%
Audiovisual Content
SW/Warez and Audiovisual Content

23%
Music
9%
e-Books/Audiobooks
Music and e-Books

Photography and Pornography
16%
Photos
5%
Pornography

Passwords and Databases
3%
Passwords
1%
Databases

Results
0,00
5,00
10,00
15,00
20,00
25,00
%

Results
• Contact of affected subjects
– Help from CZ.NIC (and others)
• Quite a lot of sensitive data found
• Good research opportunity for junior analysts

The document discusses analyzing and visualizing real-time Twitter data. It motivates the research by describing Twitter's growth and issues with analyzing event-based Twitter data. It then reviews existing Twitter analysis tools and outlines a new tool called TwitterSuitcase that categorizes and visualizes Twitter data during events. TwitterSuitcase is demonstrated on Twitter data related to a MOOCs conference, extracting information like popular hashtags, users, links, and software used. The conclusion discusses expanding TwitterSuitcase to better analyze and visualize geotagged tweets and retweets.

Remote Yacht Hacking

DefCamp

Mobile, IoT, Clouds… It’s time to hire your own risk manager!

DefCamp

The Charter of Trust

DefCamp

Internet Balkanization: Why Are We Raising Borders Online?

DefCamp

Bridging the gap between CyberSecurity R&D and UX

DefCamp

(1) The document discusses bridging the gap between research and development (R&D) and user experience (UX) in product development. (2) It emphasizes the importance of asking questions to understand user needs, focusing on user feelings over features, and ensuring users understand how to use products easily. (3) The key lessons are to thoroughly question requirements, balance R&D and UX priorities, focus on satisfying core users, understand what users truly value, and make products feel intuitive and fast to use.

Secure and privacy-preserving data transmission and processing using homomorp...

DefCamp

Drupalgeddon 2 – Yet Another Weapon for the Attacker

DefCamp

This document discusses multi-factor authentication (MFA) and methods for bypassing it. It defines MFA as requiring more than one validation procedure to authenticate individuals. It describes the different factors of authentication as something you know, something you have, and something you are. It outlines various deployment modules for each factor type, including passwords, tokens, biometrics. It also covers challenges of MFA implementation and methods attackers could use to bypass MFA security, such as email filtering or legacy protocol exploitation.

Threat Hunting: From Platitudes to Practical Application

DefCamp

This document discusses threat hunting and practical approaches to threat hunting. It defines threat hunting as proactively searching through data to detect threats that evaded traditional security measures. It argues that threat hunting is more effective than reacting to incidents. The document provides guidance on log collection, developing situational awareness, hunting hosts and networks, maintaining a flexible mindset, and sharing findings. It suggests starting with small data collection and focusing on important systems and network areas. The goal is to understand normal behavior and detect anomalies.

Building application security with 0 money down

DefCamp

Implementation of information security techniques on modern android based Kio...

DefCamp

Lattice based Merkle for post-quantum epoch

DefCamp

The challenge of building a secure and safe digital environment in healthcare

DefCamp

Timing attacks against web applications: Are they still practical?

DefCamp

This document discusses the practicality of timing attacks against web applications. It begins by explaining what a timing attack is and detailing the author's plan to conduct one against a target application. The plan involved studying the application's code, pinpointing an exploitable function, collecting timing data, filtering noise, and reducing the search space. The author was able to measure response times and identify spikes but encountered challenges averaging server performance. They demonstrate conducting a timing attack to recover hashed credentials over many requests. Ultimately, while timing attacks can be efficient, they are difficult to execute remotely and most applications and servers have protections that render the attacks impractical. Constant-time algorithms and rate limiting are presented as solutions to prevent these types of attacks.

Tor .onions: The Good, The Rotten and The Misconfigured

DefCamp

Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...

DefCamp

We will charge you. How to [b]reach vendor’s network using EV charging station.

DefCamp

This document summarizes a presentation about vulnerabilities found in electric vehicle charging stations. The presentation covered: 1) Several vulnerabilities were found in the Bluetooth and Wi-Fi stacks that could allow access to the vendor's internal network, including arbitrary file writes, command injection, and buffer overflows. 2) The vulnerabilities were disclosed responsibly to the vendor, who developed a detailed plan and released updated firmware within a few months to address all issues. 3) Electric vehicles and charging stations are an important area for continued security research given the protocols for wireless communication, transactions, and vehicle-to-charger interfaces.

Connect & Inspire Cyber Security

DefCamp

The lions and the watering hole

DefCamp

This document discusses watering hole attacks, a type of cyber attack where hackers compromise frequently visited websites to infect visitors' devices through drive-by exploits. It describes how watering hole attacks work, why they are difficult to detect, and introduces DEKENEAS, an AI-based solution developed by the author to detect watering hole attacks through analyzing obfuscated JavaScript. DEKENEAS trains on over 40,000 malicious redirect samples to recognize behavioral patterns and classify code as malicious or not. When tested on 10,000 new samples and top websites, it achieved 100% detection of unknown implants with no false negatives and a very low false positive rate of 0.00023%.

Catch Me If You Can - Finding APTs in your network

DefCamp

WiFi practical hacking "Show me the passwords!"

DefCamp

OSSTMM: The “Measure, Don’t Guess” Security Testing Methodology

DefCamp

Year of the #WiFiCactus

DefCamp

How to Fuzz like a Hacker

DefCamp

CPU vulnerabilities - where are we now?

DefCamp

Mobile signaling threats and vulnerabilities - real cases and statistics from...

DefCamp

Demystifying Knowledge Management through Storytelling

Enterprise Knowledge

The Department of Veteran Affairs (VA) invited Taylor Paschal, Knowledge & Information Management Consultant at Enterprise Knowledge, to speak at a Knowledge Management Lunch and Learn hosted on June 12, 2024. All Office of Administration staff were invited to attend and received professional development credit for participating in the voluntary event. The objectives of the Lunch and Learn presentation were to: - Review what KM ‘is’ and ‘isn’t’ - Understand the value of KM and the benefits of engaging - Define and reflect on your “what’s in it for me?” - Share actionable ways you can participate in Knowledge - - Capture & Transfer

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

akankshawande

Recently uploaded

Demystifying Knowledge Management through Storytelling

Enterprise Knowledge

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

akankshawande

Dandelion Hashtable: beyond billion requests per second on a commodity server

Antonios Katsarakis

This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).

Session 1 - Intro to Robotic Process Automation.pdf

UiPathCommunity

👉 Check out our full 'Africa Series - Automation Student Developers (EN)' page to register for the full program: https://bit.ly/Automation_Student_Kickstart In this session, we shall introduce you to the world of automation, the UiPath Platform, and guide you on how to install and setup UiPath Studio on your Windows PC. 📕 Detailed agenda: What is RPA? Benefits of RPA? RPA Applications The UiPath End-to-End Automation Platform UiPath Studio CE Installation and Setup 💻 Extra training through UiPath Academy: Introduction to Automation UiPath Business Automation Platform Explore automation development with UiPath Studio 👉 Register here for our upcoming Session 2 on June 20: Introduction to UiPath Studio Fundamentals: https://community.uipath.com/events/details/uipath-lagos-presents-session-2-introduction-to-uipath-studio-fundamentals/

zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...

Alex Pruden

Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security. Paper Link: https://eprint.iacr.org/2024/257

Must Know Postgres Extension for DBA and Developer during Migration

Mydbops

Mydbops Opensource Database Meetup 16 Topic: Must-Know PostgreSQL Extensions for Developers and DBAs During Migration Speaker: Deepak Mahto, Founder of DataCloudGaze Consulting Date & Time: 8th June | 10 AM - 1 PM IST Venue: Bangalore International Centre, Bangalore Abstract: Discover how PostgreSQL extensions can be your secret weapon! This talk explores how key extensions enhance database capabilities and streamline the migration process for users moving from other relational databases like Oracle. Key Takeaways: * Learn about crucial extensions like oracle_fdw, pgtt, and pg_audit that ease migration complexities. * Gain valuable strategies for implementing these extensions in PostgreSQL to achieve license freedom. * Discover how these key extensions can empower both developers and DBAs during the migration process. * Don't miss this chance to gain practical knowledge from an industry expert and stay updated on the latest open-source database trends. Mydbops Managed Services specializes in taking the pain out of database management while optimizing performance. Since 2015, we have been providing top-notch support and assistance for the top three open-source databases: MySQL, MongoDB, and PostgreSQL. Our team offers a wide range of services, including assistance, support, consulting, 24/7 operations, and expertise in all relevant technologies. We help organizations improve their database's performance, scalability, efficiency, and availability. Contact us: info@mydbops.com Visit: https://www.mydbops.com/ Follow us on LinkedIn: https://in.linkedin.com/company/mydbops For more details and updates, please follow up the below links. Meetup Page : https://www.meetup.com/mydbops-databa... Twitter: https://twitter.com/mydbopsofficial Blogs: https://www.mydbops.com/blog/ Facebook(Meta): https://www.facebook.com/mydbops/

Choosing The Best AWS Service For Your Website + API.pptx

Brandon Minnick, MBA

Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API? Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose? Which one is cheapest? Which one is fastest? Which one will scale to meet our needs? Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!

5th LF Energy Power Grid Model Meet-up Slides

DanBrown980551

5th Power Grid Model Meet-up It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology. Power Grid Model The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services. Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability. Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization. What to expect For the upcoming meetup we are organizing, we have an exciting lineup of activities planned: -Insightful presentations covering two practical applications of the Power Grid Model. -An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024. -An interactive brainstorming session to discuss and propose new feature requests. -An opportunity to connect with fellow Power Grid Model enthusiasts and users.

Skybuffer SAM4U tool for SAP license adoption

Tatiana Kojar

Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool. SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.

PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx

christinelarrosa

Astute Business Solutions | Oracle Cloud Partner |

AstuteBusiness

Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels

Northern Engraving

Taking AI to the Next Level in Manufacturing.pdf

ssuserfac0301

Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as: 1. How quickly AI is being implemented in manufacturing. 2. Which barriers stand in the way of AI adoption. 3. How data quality and governance form the backbone of AI. 4. Organizational processes and structures that may inhibit effective AI adoption. 6. Ideas and approaches to help build your organization's AI strategy.

Northern Engraving | Nameplate Manufacturing Process - 2024

Northern Engraving

Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!

High performance Serverless Java on AWS- GoTo Amsterdam 2024

Vadym Kazulkin

Java is for many years one of the most popular programming languages, but it used to have hard times in the Serverless community. Java is known for its high cold start times and high memory footprint, comparing to other programming languages like Node.js and Python. In this talk I'll look at the general best practices and techniques we can use to decrease memory consumption, cold start times for Java Serverless development on AWS including GraalVM (Native Image) and AWS own offering SnapStart based on Firecracker microVM snapshot and restore and CRaC (Coordinated Restore at Checkpoint) runtime hooks. I'll also provide a lot of benchmarking on Lambda functions trying out various deployment package sizes, Lambda memory settings, Java compilation options and HTTP (a)synchronous clients and measure their impact on cold and warm start times.

Columbus Data & Analytics Wednesdays - June 2024

Jason Packer

Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency

ScyllaDB

Y-Combinator seed pitch deck template PP

c5vrf27qcz

A Deep Dive into ScyllaDB's Architecture

ScyllaDB

"Scaling RAG Applications to serve millions of users", Kevin Goedecke

Fwdays

Recently uploaded (20)

Demystifying Knowledge Management through Storytelling

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

Dandelion Hashtable: beyond billion requests per second on a commodity server

Session 1 - Intro to Robotic Process Automation.pdf

zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...

Must Know Postgres Extension for DBA and Developer during Migration

Choosing The Best AWS Service For Your Website + API.pptx

5th LF Energy Power Grid Model Meet-up Slides

Skybuffer SAM4U tool for SAP license adoption

PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx

Astute Business Solutions | Oracle Cloud Partner |

Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels

Taking AI to the Next Level in Manufacturing.pdf

Northern Engraving | Nameplate Manufacturing Process - 2024

High performance Serverless Java on AWS- GoTo Amsterdam 2024

Columbus Data & Analytics Wednesdays - June 2024

Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency

Y-Combinator seed pitch deck template PP

A Deep Dive into ScyllaDB's Architecture

"Scaling RAG Applications to serve millions of users", Kevin Goedecke