Web Application Security
And Why You Need To
Review Yours
David Busby
Percona
Who am I?
● David Busby
○ Contracting for Percona since January 2013
○ 18+ years as sysadmin / devops / security
○ Volunteer work:
■ Assistant Scout Leader
■ Assistant Instructor (computing for children)
■ ex-Assistant coach, Ju-Jitsu (Nidan)
○ Security “nut”
○ Lifetime member of the “tinfoil hat” club
○ C.I.S.S.P
■ 581907
Talk Agenda
● What we will cover
○ What is an “attack surface”?
○ Acronym hell, just what do those mean ?
○ Vulnerability naming, new trend or benefit ?
○ Detection, Prevention, or both ?
○ Emerging technologies / projects.
○ 2014 -> 2018 highlights
○ Live compromise demo covering everything we’ve discussed as ‘bad’
■ Or most likely the backup video (if anything goes wrong or we’re out of time).
What is an attack surface ?
Assessing your attack surface can feel like...
● “I built an awesome SaaS everyone will like!” -> failed to consider data privacy -> fined in EU court for GDPR violation.
● “Built an awesome web application for hosting cat pictures”, unaware of the dangers of user-generated content -> web app now full of ‘adult’ content.
● “Just ship it now! Who cares about security anyway?”
● “Breach / hack? We’ve got insurance!”
What it really is ...
What is an attack surface ?
● An attack surface is any point at which your organisation, your people, your application or your providers may be attacked.
○ Your web application
○ Your database
○ Your physical systems
■ Yes, we’re also including your laptops, cellular devices and all B.Y.O.D
○ Your network
○ Your staff!
○ Your hosting, processing and other providers.
■ You’re only insured if you can prove you have taken commercially reasonable measures to protect your organisation.
What is an attack surface ?
● Application
○ Validate ALL user input, and never trust it even after validation: use parameterised queries towards the database and context-aware output encoding towards the browser. Sanitising alone is not a defence.
○ Implement audit logs!
■ An audit log should contain enough detail to reverse the actions taken (who, what, when, from where, old and new values).
■ An audit log should contain accurate time keeping (NTP-synchronised, with timezone).
■ An audit log MUST be shipped OFF the device on which it is generated, so an attacker who owns the host cannot quietly edit it.
○ Recurring audit procedures.
■ Logs are GREAT! Unless no one is looking at them ...
○ Mandatory access controls
○ Ingress and Egress filtering
○ Web Application Firewalls
■ Layer 7 firewall
○ Intrusion Prevention Systems
○ Implement CSRF / XSRF protections
■ E.g. per-session tokens: synchroniser tokens embedded in forms, or the double-submit cookie pattern. A token that lives only in a cookie is not a control by itself, because the browser sends cookies automatically; the same value must also arrive in the request body or a header and be compared server-side.
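To make the CSRF bullet concrete, the following is an added example (editor's code, not from the talk or from Percona) of the double-submit cookie pattern with the token additionally bound to the session by an HMAC, so a token lifted from one session cannot be replayed in another. `SERVER_KEY`, the session id and the `cookies` / `form` dictionaries are assumed stand-ins for whatever your framework provides.

```python
"""Double-submit CSRF tokens bound to the session with an HMAC.

Added example (not from the talk). Assumes a server-side secret key and a
session identifier are available to the request handler; the request and
cookie dictionaries below are constructed stand-ins for a web framework.
"""
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; in production load it from your secrets
# store (e.g. Vault) and never from source control.
SERVER_KEY = b"replace-me-with-32-random-bytes"


def _sign(session_id: str, nonce: str, key: bytes) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Return a fresh token 'nonce.mac'; set it in a cookie AND embed it in the form."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_sign(session_id, nonce, key)}"


def verify_csrf_token(token: str, session_id: str, key: bytes = SERVER_KEY) -> bool:
    """True only if the MAC is valid for *this* session (constant-time compare)."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = _sign(session_id, nonce, key)
    return hmac.compare_digest(mac.encode(), expected.encode())


def is_request_csrf_safe(method: str, cookies: dict, form: dict, session_id: str,
                         key: bytes = SERVER_KEY) -> bool:
    """Policy for a state-changing request.

    Safe methods skip the check. For POST/PUT/DELETE the token in the cookie
    must match the one submitted in the body (double submit) and must verify
    against the session, so a token stolen from another session, or a cookie
    planted by an attacker, is rejected.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    cookie_token = cookies.get("csrf_token", "")
    form_token = form.get("csrf_token", "")
    if not cookie_token or not hmac.compare_digest(cookie_token.encode(), form_token.encode()):
        return False
    return verify_csrf_token(cookie_token, session_id, key)


if __name__ == "__main__":
    token = issue_csrf_token("sess-A")
    print("valid POST:", is_request_csrf_safe("POST", {"csrf_token": token}, {"csrf_token": token}, "sess-A"))
    print("cookie only:", is_request_csrf_safe("POST", {"csrf_token": token}, {}, "sess-A"))
    print("other session:", is_request_csrf_safe("POST", {"csrf_token": token}, {"csrf_token": token}, "sess-B"))
```

Rotate the key through your secrets store rather than hard-coding it, and issue the cookie with `SameSite` and `Secure` so the double-submit half is not trivially overwritten from a sibling subdomain.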
What is an attack surface ?
● Database
○ Network Isolation!
■ Only allow access from known web app nodes!
■ The default on many RDBMS is to bind to 0.0.0.0:$DB_PORT (i.e. listen on all interfaces); set the bind address and firewall the port.
■ ~5M MySQL hosts noted on shodan.io
● 5.0, 5.1: both versions are EOL!
○ Selective permissions
■ STOP giving “ALL ON *.*” Please!
■ Grant only the statements the application actually issues, on the application schema only, to an account restricted to the web-app host addresses.
○ Password complexity
■ Still important today!
■ Unless you have a kick-a** PKI setup and are using client certs, or Vault with ephemeral credentials
○ Mandatory Access Control
■ SELinux in enforcing mode please!
■ GRSecurity, AppArmor etc.
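As an added example for the “selective permissions” point (editor's code, not from the talk or Percona), the script below audits text pasted from `SHOW GRANTS` and flags the patterns the slide warns about: `ALL ON *.*`, global scope, wildcard hosts and privileges such as FILE that let an account escape the data layer. The sample grant lines are constructed; `least_privilege_grant()` emits the replacement statement for review rather than running it.

```python
"""Flag over-broad MySQL grants from SHOW GRANTS output.

Added example (editor's code, not from the talk or from Percona). Runs
offline over text pasted from `SHOW GRANTS FOR 'user'@'host'`; the sample
lines below are constructed. Column-level grants such as SELECT (col1, col2)
are not parsed, and the least-privilege helper only emits SQL for review.
"""
import re

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+"
    r"['`\"]?(?P<user>[^'`\"@]+)['`\"]?@['`\"]?(?P<host>[^'`\"\s]*)['`\"]?(?P<rest>.*)$",
    re.IGNORECASE,
)

# Privileges that let an attacker leave the data layer (write files, load
# plugins, manage accounts) rather than merely read or change rows.
DANGEROUS = {"FILE", "SUPER", "PROCESS", "SHUTDOWN", "RELOAD", "CREATE USER", "GRANT OPTION"}

# Constructed sample: one account granted everything from anywhere, one
# scoped correctly, and one reporting account with FILE on *.*.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'app'@'%' WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO 'app'@'10.0.1.%'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `app`.* TO 'app'@'10.0.1.%'",
    "GRANT FILE, CREATE ROUTINE ON *.* TO 'reports'@'%'",
]


def parse_grant(line):
    """Return {user, host, obj, privs} for one GRANT statement, or None."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return None
    privs = {p.strip().upper().replace(" PRIVILEGES", "") for p in m["privs"].split(",")}
    if "WITH GRANT OPTION" in m["rest"].upper():
        privs.add("GRANT OPTION")
    return {"user": m["user"], "host": m["host"],
            "obj": m["obj"].replace("`", ""), "privs": privs}


def audit_grants(lines):
    """Return (account, severity, message) findings, worst problems first."""
    findings = []
    for line in lines:
        g = parse_grant(line)
        if g is None:
            continue
        who = f"{g['user']}@{g['host']}"
        privs = g["privs"] - {"USAGE"}          # USAGE alone grants nothing
        if not privs:
            continue
        if g["host"] in ("%", ""):
            findings.append((who, "HIGH", "usable from any host; restrict to the web-app node addresses"))
        if "ALL" in privs and g["obj"] == "*.*":
            findings.append((who, "CRITICAL", "ALL ON *.* is effectively root on the DBMS"))
        elif g["obj"] == "*.*":
            findings.append((who, "MEDIUM", f"global scope for {sorted(privs)}; scope to the application schema"))
        elif "ALL" in privs:
            findings.append((who, "MEDIUM", f"ALL on {g['obj']}; grant only the statements the app issues"))
        for p in sorted(privs & DANGEROUS):
            findings.append((who, "HIGH", f"{p} lets the account escape the data layer (FILE can write into plugin_dir)"))
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    return sorted(findings, key=lambda f: order[f[1]])


def least_privilege_grant(user, hosts, schema, statements=("SELECT", "INSERT", "UPDATE", "DELETE")):
    """Emit the replacement grants: named statements, one schema, named hosts."""
    return [f"GRANT {', '.join(statements)} ON `{schema}`.* TO '{user}'@'{h}';" for h in hosts]


if __name__ == "__main__":
    for who, sev, msg in audit_grants(SAMPLE_GRANTS):
        print(f"{sev:8} {who:18} {msg}")
    print("\n".join(least_privilege_grant("app", ["10.0.1.5", "10.0.1.6"], "app")))
```

Run it against every account (`SELECT user, host FROM mysql.user` gives the list) as part of the recurring audit procedure, not once at deployment.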
What is an attack surface ?
● Physical Systems
○ LIMIT physical access to your systems
○ Barclays bank 2014 had £1.3m stolen
■ Adversaries used a KVM over 2.4GHz wifi after posing as a service company
■ No one checked, and they were allowed unchallenged access to workstations.
■ Social engineering? This is nothing new, this is con-artistry.
○ Deploy multiple layers of protection for physical assets.
■ 2FA - (yes, even on laptops)
■ Encryption (LUKS, eCryptFS, BitLocker, FileVault) - especially on laptops!
○ Disable unneeded services / functionality
■ Your 1U rackmount likely does not need bluetoothd!
○ Do not rely on a single measure for protection, such as biometrics.
■ The Mythbusters defeated a >$10k biometric lock with a photocopier ...
○ Challenge “implied trust”: a badge or uniform != ID
■ It is OK to ask for ID and check for authorization; we do this with systems without thinking about it, we should apply this to people too!
What is an attack surface ?
● Network
○ Isolation! (A.C.L)
■ Your web app needs to talk to your database service.
■ It doesn’t need to talk to SSH on the server.
■ iptables / nftables host rules, if nothing else: allow the DB port from the web-app addresses only and drop the rest.
○ Your chosen DBMS DOES NOT need to be accessible from everywhere!
■ MongoDB, Elasticsearch -> Ransomware ?
● No! Malicious users taking advantage of a DBMS left open on the internet without authentication!
○ Network Intrusion Detection System (NIDS) / Network Intrusion Prevention System (NIPS)
■ Suricata, Bro (now Zeek), Snort are all great and OSS!
● (I use suricata)
○ Segregation
■ Implement VLANs and ACLs that block cross-VLAN traffic unless explicitly allowed!
What is an attack surface ?
● Your staff (layer 8, meatware, P.E.B.K.A.C ...)
○ Awareness training
○ Social media training and policy
■ It _used_ to be hard to find out about an organisation; now it’s all open for all to see in most cases.
○ B.Y.O.D
■ Your “smart” phone is the single most valuable asset to an adversary, as:
● It’s unlikely to have any hardening or D.L.P protection on it
● It’s likely to have access to mail, cloud files, calendars, VPN, SSH, RDP, VNC, etc ...
● It’s likely to be running an out of date OS
○ Remote (wireless) attacks
■ WiFi: Karma (was Jasager), Rogue A.P. (hostapd), etc...
■ Bluetooth: Bluesnarf, snoopi, BtleJuice, etc ...
“High tech gadgets”
● The BBC article on the Barclays £1.3m “haul” noted the use of “high tech” gadgets.
○ They are now commodity gadgets
■ USB Rubber Ducky $45
■ Bash Bunny $100
■ Malduino £13.00 / £24.00 (Elite)
■ USBNinja $99
■ WiFi Pineapple
● Nano $100
■ You can also build all of this with a Pi Zero and some soldering.
○ Accessing the tools to demonstrate “edge case black hat nonsense” has never been easier.
○ Use a wireless mouse / keyboard? About that ... (e.g. the MouseJack keystroke-injection attacks against non-Bluetooth 2.4GHz dongles)
“High tech gadgets”
● Let’s talk about malicious HID...
○ Because I didn’t want to fly my quad in here...
■ Or try to fly with it.
■ Live demo time!
Acronym Hell
Just what do they mean?
● In Security we <3 acronyms as much as (if not more than) DevOps, Sysadmins, DevSec ...
○ I.P.S
■ Intrusion Prevention System (can be host based, network based, or both)
● H.I.P.S, N.I.P.S
■ Host based:
● File consistency enforcement (file integrity enforcement: unexpected changes are reverted or blocked)
○ I.D.S
■ Intrusion Detection System (again, can be host based, network based, or both)
● H.I.D.S, N.I.D.S
■ File consistency monitoring (file integrity monitoring: unexpected changes are reported)
● auditd can do this!
● inotify events
○ W.A.F
■ Web Application Firewall
● Layer 7 protection against SQLi, XSS and other known attack patterns; a compensating control, not a substitute for fixing the application.
● mod_security
Acronym hell?
● Continued ...
○ S.C.A.D.A
■ Supervisory Control And Data Acquisition
● Industrial foundries, nuclear power plants, hydroelectric dams, diesel engine testing facilities, point of sale, hospital beds ...
○ I.o.T
■ Internet of Things
■ If there can be a thing, and you can put a webserver on the thing; should you put a webserver on the thing? - Viss
○ A.C.L
■ Access Control Lists
○ P.O.L.P
■ Principle of Least Privilege
○ M.A.C + D.A.C
■ Mandatory Access Control (policy enforced by the kernel, e.g. SELinux; the file owner cannot override it)
■ Discretionary Access Control (classic owner / group / other permissions; the owner can loosen them)
○ There’s plenty more ...
Vulnerability naming
Stupidity or ... ?
● Meltdown
○ CVE-2017-5754
● Spectre
○ CVE-2017-5753 (variant 1), CVE-2017-5715 (variant 2)
● P.O.O.D.L.E
○ CVE-2014-3566
● C.R.I.M.E
○ CVE-2012-4929
● B.E.A.S.T
○ CVE-2011-3389
● Heartbleed
○ CVE-2014-0160
● Dirty COW
○ CVE-2016-5195
Detection, Prevention, Both ?
● Detection
○ I.D.S
■ Can be on your hosts / servers
● Host-based Intrusion Detection System
● Aka file consistency monitoring
■ Can be on your network (hosts, servers, firewalls, span / tap ports)
● Monitors network traffic for known intrusions
● Rule based.
● Prevention
○ I.P.S
■ Can be on your hosts / servers
● Host-based Intrusion Prevention System
● Aka file consistency enforcement
■ Can be inline on your network (hosts, servers, firewalls)
● Monitors network traffic and blocks known intrusions
● Rule based.
● No single solution is going to cover all your use cases.
● I.D.S is great
○ _IF_ someone/something is watching the logs 24x7 and responding to them
● I.P.S is great
○ _until_ it blocks your staff trying to do something and they use an insecure network to do it anyway.
● Choose what fits your use case
○ I.P.S on webapps makes sense if you don’t expect file edits.
■ They are really easy to write (I wrote one in python using gamin to hook inotify events, working with SCM to produce a diff and revert PHP files ON_WRITECLOSE)
○ I.P.S makes sense on the network edge
■ RUN RECURRING TESTS!
■ Aka tabletop exercises and attacker simulations (red / purple team): observe the effectiveness of the IPS and the (blue) team.
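The host-based IDS / IPS described above, as an added example (editor's code, not the speaker's gamin/inotify tool): it takes a SHA-256 baseline of a web root plus a pristine copy kept outside it, reports added / removed / modified files (IDS mode), and in enforce mode reverts changes and quarantines dropped files (IPS mode). The web root, file contents and the attacker's edits in `demo()` are constructed.

```python
"""Host-based file integrity monitoring (IDS) and enforcement (IPS).

Added example (editor's code, not the talk's own gamin/inotify tool). It
records a SHA-256 baseline of a web root plus a pristine copy kept outside
it, later reports added / removed / modified files, and in enforce mode
reverts changes and quarantines new files. It polls, so it runs anywhere;
wire it to inotify or auditd for near-real-time reaction.
"""
import hashlib
import os
import shutil
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root):
    """Yield (relative posix path, absolute path) for every regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_baseline(root, store):
    """Hash every file under root and keep a pristine copy under store (outside root)."""
    baseline = {}
    for rel, full in _walk(root):
        baseline[rel] = _sha256(full)
        dst = os.path.join(store, "pristine", rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(full, dst)
    return baseline


def check_integrity(root, baseline):
    """IDS mode: report what differs from the baseline without touching anything."""
    current = {rel: _sha256(full) for rel, full in _walk(root)}
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(r for r in baseline if r in current and current[r] != baseline[r]),
    }


def enforce(root, store, baseline):
    """IPS mode: restore modified/removed files from the pristine copy, quarantine new ones."""
    report = check_integrity(root, baseline)
    for rel in report["modified"] + report["removed"]:
        dst = os.path.join(root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(store, "pristine", rel), dst)
    for rel in report["added"]:
        dst = os.path.join(store, "quarantine", rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.move(os.path.join(root, rel), dst)
    return report


def demo():
    """Constructed scenario: index.php backdoored, a web shell dropped, a file deleted."""
    base = tempfile.mkdtemp(prefix="fim-")
    root, store = os.path.join(base, "webroot"), os.path.join(base, "store")
    os.makedirs(os.path.join(root, "inc"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'cat pictures';\n")
    with open(os.path.join(root, "inc", "db.php"), "w") as f:
        f.write("<?php $dsn = 'mysql:host=db;dbname=cats';\n")
    baseline = build_baseline(root, store)
    clean = check_integrity(root, baseline)
    with open(os.path.join(root, "index.php"), "a") as f:
        f.write("eval(base64_decode($_GET['c']));\n")   # backdoor appended
    with open(os.path.join(root, "shell.php"), "w") as f:
        f.write("<?php system($_GET['c']);\n")           # dropped web shell
    os.remove(os.path.join(root, "inc", "db.php"))       # file deleted
    detected = check_integrity(root, baseline)
    enforced = enforce(root, store, baseline)
    after = check_integrity(root, baseline)
    quarantined = os.path.exists(os.path.join(store, "quarantine", "shell.php"))
    shutil.rmtree(base)
    return clean, detected, enforced, after, quarantined


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Keep the baseline and the pristine copy on a different host or a read-only mount: an attacker with write access to the web root who can also rewrite the baseline has defeated the control. Quarantining rather than deleting preserves the dropped file for forensics.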
Emerging technologies
● Hashicorp - Vault
○ AES-256-GCM encryption of stored secrets, HTTP API
○ Highly available secrets store, with third party security assessment now completed!
○ Key:value storage for secrets (now supports versioning!)
○ Full audit logs
○ LDAP, Duo, Okta, GitHub, etc ... support for user auth.
○ _MANY_ secret backends for ephemeral credentials supported
■ AD, AliCloud, AWS, Azure, Consul, Cubbyhole, Databases (many supported: MySQL, MongoDB, PostgreSQL, MSSQL ...), GCP + GCP KMS, K:V, Identity, Nomad, PKI, RabbitMQ, SSH, TOTP, Transit (send data, get encrypted / decrypted data back; the key never leaves Vault).
■ Pluggable secrets backend!
■ Percona Server 5.7 has a Vault keyring plugin (keyring_vault) available for data-at-rest encryption keys!
● Haka security
○ Lua DSL ‘devops’ firewall project.
■ Can be run against pcap files for integration tests!
● FIDO Alliance (fidoalliance.org)
○ Universal Second Factor (U2F)
■ Google has their own key named ‘Titan’ (only available in the US at this time)
● Keybase.io
○ Social identities as proof of ID, E2E encryption, encrypted git repositories, OTR chats, Slack-like chats with rooms, groups etc
● Suricata
○ OSS NIPS & NIDS, JSON (EVE) output (easily imported into an ELK stack), packet capture (pcap) features, works with the Snort ruleset.
● osquery
○ Exposes endpoint state (processes, sockets, users, packages ...) as SQL tables for monitoring and incident response; open-sourced by Facebook.
2014 -> 2018
Highlights in security (or lowlights depending on your perspective)
● iCloud breach
○ 2014: iCloud copies of photos & videos were leaked to the public, including many celebrities’ intimate photos / videos.
● Hospira drug pump
○ 2015: admin credentials on the device allowed researchers complete control over it; in normal operation it controls doses of IV drugs for the patient.
● Data Breaches (various years)
○ Ashley Madison, Wonga.com, Geekdin, Adobe, Facebook / Cambridge Analytica, Facebook 50m accounts exposed 2018, Google kills Google+ (was this due to a breach?) ... MANY more ...
● Mass surveillance exposed.
○ The Snowden disclosures and the NSA ANT catalog; the Vault 7 documents (CIA tooling), etc...
● GCHQ spying deemed a violation of human rights
○ 2018: the European Court of Human Rights rules GCHQ’s bulk interception regime violated the right to privacy.
● Ransomware
○ WannaCry (spread using the EternalBlue SMB exploit); extortion of open MySQL, Elasticsearch and MongoDB instances, etc ...
● Broadpwn
○ 2017: a bug in Broadcom WiFi chipsets (CVE-2017-9417) affected a huge number of Android and iOS devices and allowed remote code execution over WiFi.
● Target breach
○ Attackers got in using network credentials stolen from a third-party H.V.A.C contractor.
● May 25th 2018: GDPR became enforceable
○ The privacy rights of individuals in the EU made into a common legal framework.
■ I am not a lawyer; but I will happily answer questions on how best-practices can help with GDPR.
Live Compromise
(Or backup video if everything goes wrong...)
● DISCLAIMER
○ This is not a ‘how to’, though this exploits everything we’ve covered as ‘bad practice’
○ This will use _some_ automation ‘toys’ (USB HID)
■ Just so that I can speak about what’s going on.
○ Everything you will need to recreate this is on GitHub!
■ Hooray for open source!
○ This whole demonstration is run on local virtual machines and does not touch anyone else’s network or infrastructure
○ NOTHING SHOWN HERE CAN BE DIRECTLY APPLIED TO A PRODUCTION WEB APPLICATION
■ This requires multiple failures to exploit
■ Setting SELinux to enforcing also prevents this from working (`setenforce 1`)
Live Compromise
● Everything wrong
○ Application has Remote Code Execution
■ No compensating controls
○ M.A.C is in permissive mode (setenforce 0)
○ MySQL permissions too broad
○ D.A.C permissions on the plugin directory too broad (writable by the mysqld user)
○ Attack Flow:
■ Generate a malicious PHP payload, stage and execute it on the webserver to connect back to the CnC (C2) system
■ Set up port forwarding to use the web app server as a pivot to reach the DB server from the CnC system (as direct 3306/tcp is not possible)
■ Stage the sys_eval UDF shared object as binary data in a table, then abuse the FILE privilege to write it out to a file in the global plugin directory (only possible because secure_file_priv does not restrict writes to that path)
■ Abuse the CREATE ROUTINE privilege to register the sys_eval UDF for use
■ Abuse the lack of egress controls to execute a reverse shell back to the CnC system
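Every step of the database half of this flow leaves a statement in the query audit log, which is where the talk's “audit logs, shipped off the device, and someone watching them” advice pays off. The following is an added example (editor's code, not from the talk or Percona) of detection logic for that chain, run over constructed, simplified “timestamp user@host SQL” lines; the Percona audit_log plugin and the general log carry the same fields in JSON / XML, so `parse_line()` is the part to adapt.

```python
"""Detect the MySQL UDF staging chain in query audit logs.

Added example (editor's code, not from the talk or from Percona). The audit
lines are a constructed, simplified "timestamp user@host SQL" form; adapt
parse_line() to the Percona audit_log plugin or general log format you use.
Each rule matches one stage of the chain; correlate() raises the alarm when
one account hits two or more stages.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<actor>\S+@\S+)\s+(?P<sql>.+)$")

# One rule per stage: locate plugin_dir -> binary in a table -> DUMPFILE into
# plugin_dir -> CREATE FUNCTION ... SONAME -> call the new function.
STAGES = [
    ("recon_plugin_dir", re.compile(r"@@(?:global\.)?plugin_dir\b", re.I)),
    ("elf_in_literal", re.compile(r"0x7f454c46|x'7f454c46'", re.I)),   # ELF magic as a hex literal
    ("dumpfile_to_plugin_dir", re.compile(r"INTO\s+DUMPFILE\s+'[^']*plugin[^']*'", re.I)),
    ("udf_registration", re.compile(r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME", re.I)),
    ("known_udf_call", re.compile(r"\b(?:sys_eval|sys_exec|sys_get|sys_set)\s*\(", re.I)),
]

SAMPLE_AUDIT = [  # constructed sample, mirrors the demo's database stage
    "2018-11-06T10:14:02Z app@10.0.1.5 SELECT id, name FROM cats WHERE owner_id = 42",
    "2018-11-06T10:14:09Z app@10.0.1.5 SELECT @@plugin_dir",
    "2018-11-06T10:14:11Z app@10.0.1.5 CREATE TABLE tmp_udf (data LONGBLOB)",
    "2018-11-06T10:14:12Z app@10.0.1.5 INSERT INTO tmp_udf VALUES (0x7f454c4602010100000000000000000003003e00)",
    "2018-11-06T10:14:13Z app@10.0.1.5 SELECT data FROM tmp_udf INTO DUMPFILE '/usr/lib/mysql/plugin/udf.so'",
    "2018-11-06T10:14:14Z app@10.0.1.5 CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so'",
    "2018-11-06T10:14:15Z app@10.0.1.5 SELECT sys_eval('id')",
    "2018-11-06T10:15:00Z reports@10.0.1.9 SELECT COUNT(*) FROM orders",
]


def parse_line(line):
    """Split one audit line into (timestamp, actor, sql); None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return (m["ts"], m["actor"], m["sql"]) if m else None


def scan(lines):
    """Return one alert dict per (line, stage) match, in log order."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, actor, sql = parsed
        for stage, rule in STAGES:
            if rule.search(sql):
                alerts.append({"ts": ts, "actor": actor, "stage": stage, "sql": sql})
    return alerts


def correlate(alerts, threshold=2):
    """Map actor -> ordered distinct stages, for actors that hit at least `threshold` stages."""
    seen = defaultdict(list)
    for a in alerts:
        if a["stage"] not in seen[a["actor"]]:
            seen[a["actor"]].append(a["stage"])
    return {actor: stages for actor, stages in seen.items() if len(stages) >= threshold}


if __name__ == "__main__":
    for a in scan(SAMPLE_AUDIT):
        print(f"{a['ts']} {a['actor']:18} {a['stage']:24} {a['sql'][:60]}")
    print("chains:", correlate(scan(SAMPLE_AUDIT)))
```

Any single stage from an application account is already worth a page; the application has no business reading `@@plugin_dir` or running `INTO DUMPFILE`. The preventive side is cheaper still: revoke FILE from application accounts, set `secure_file_priv` to a directory that is not `plugin_dir`, and keep `plugin_dir` owned by root and not writable by the mysqld user, at which point the chain breaks before the audit log is needed.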
● Attack evolution
○ RCE -> MySQL access -> MySQL shell execution access -> reverse shell on both the web application and database server to the CnC system.
■ “Post Exploitation Lateral Movement”
○ Noted old kernels running; exploit the old kernel to gain root-level access and install persistence, moving from exploitation to Advanced Persistent Threat.
■ Install cryptominer and ...
Thank You
● For attending this talk
○ For not going insane
○ For not breaking down sobbing uncontrollably
● Questions
○ Please see me after this talk, believe it or not I am a friendly person!
■ I can also go over the live demo in greater detail should you want to discuss it.
○ You can also reach me:
■ email : david.busby{at}percona.com
■ Twitter: https://twitter.com/icleus
■ Keybase: https://keybase.io/oneiroi
Join the Percona Product Managers for Lunch!
● With Tyler Duzan, Michael Coburn, and Alexander Rubin
● Share feedback
● Get to see the product roadmaps
Wednesday @ the reserved area in back of Gaia Restaurant
Thank You Sponsors!!
Please Rate My Session

Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 

Recently uploaded (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 

Ple18 web-security-david-busby

• 1. Web Application Security And Why You Need To Review Yours
David Busby
Percona
• 2. 2 Who am I?
● David Busby
○ Contracting for Percona since January 2013
○ 18+ years as sysadmin / devops / security
○ Volunteer work:
■ Assistant Scout Leader
■ Assistant Instructor (computing for children)
■ ex-Assistant coach Ju-Jitsu (Nidan)
○ Security “nut”
○ Lifetime member of the “tinfoil hat” club
○ C.I.S.S.P
■ 581907
• 3. 3 Talk Agenda
● What we will cover
○ What is an “attack surface”?
○ Acronym hell, just what do those mean?
○ Vulnerability naming, new trend or benefit?
○ Detection, Prevention, or both?
○ Emerging technologies / projects.
○ 2014 -> 2018 highlights
○ Live compromise demo covering everything we’ve discussed as ‘bad’
■ Or most likely the backup video (if anything goes wrong or we’re out of time).
• 4. What is an attack surface?
• 5. 5 What is an attack surface?
Assessing your attack surface can feel like...
• 6. 6 What is an attack surface?
I built an awesome SaaS everyone will like!
Failed to consider data privacy
Fined in EU court for GDPR violation
Built an awesome web application for hosting cat pictures, unaware of the dangers of user content
Web app now full of ‘adult’ content.
Just ship it now! Who cares about security anyway?
Breach / hack? We’ve got insurance!
What it really is ...
• 7. 7 What is an attack surface?
● An attack surface is any point at which your org, person, application or provider may be attacked.
○ Your web application
○ Your database
○ Your physical systems
■ Yes, we’re also including your laptops, cellular devices and all B.Y.O.D
○ Your network
○ Your staff!
○ Your hosting, processing, other providers.
■ You’re only insured if you can prove you have taken commercially reasonable measures to protect your organisation.
• 8. 8 What is an attack surface?
● Application
○ Sanitize ALL user inputs.
○ Implement audit logs!
■ An audit log should contain enough detail to reverse the actions taken.
■ An audit log should contain accurate time keeping.
■ An audit log MUST be shipped OFF the device on which it is generated.
○ Recurring audit procedures.
■ Logs are GREAT! Unless no one is looking at them ...
○ Mandatory access controls
○ Ingress and Egress filtering
○ Web Application Firewalls
■ Layer 7 firewall
○ Intrusion Prevention Systems
○ Implement CSRF / XSRF protections
■ E.g. csrf_tokens in cookies.
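A worked example of the CSRF / XSRF token point on slide 8, added here as an illustration and not code from the talk or from Percona. The token is an HMAC over the session id and an issue timestamp, so it is bound to one session, expires, and is checked in constant time; the server secret, the session ids, the cookie and form field names and the 3600-second lifetime are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Server-side secret. In a real deployment this comes from configuration or a
# secrets store (see the Vault slide later in the deck), never from code;
# generating it at import time is an assumption for this stand-alone example.
SERVER_SECRET = secrets.token_bytes(32)

TOKEN_MAX_AGE = 3600  # assumed token lifetime in seconds


def make_csrf_token(session_id, secret=SERVER_SECRET, now=None):
    """Return '<issue-timestamp>.<hex hmac>' bound to this session id."""
    issued = int(time.time() if now is None else now)
    msg = f"{session_id}:{issued}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{issued}.{mac}"


def verify_csrf_token(token, session_id, secret=SERVER_SECRET,
                      max_age=TOKEN_MAX_AGE, now=None):
    """True only if the token was issued for this session, has not expired,
    is not from the future, and its MAC matches (constant-time compare)."""
    if not isinstance(token, str) or "." not in token:
        return False
    issued_str, mac = token.split(".", 1)
    if not issued_str.isdigit():
        return False
    issued = int(issued_str)
    current = int(time.time() if now is None else now)
    if issued > current or current - issued > max_age:
        return False
    expected = hmac.new(secret, f"{session_id}:{issued}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_form_post(cookies, form, secret=SERVER_SECRET, now=None):
    """Minimal request check: the session cookie identifies the session and
    the token arrives in the form body (a header works the same way). The
    two must agree, otherwise the state-changing request is refused."""
    session_id = cookies.get("session")
    token = form.get("csrf_token", "")
    if not session_id or not verify_csrf_token(token, session_id, secret, now=now):
        return 403, "CSRF check failed"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed request: a session cookie plus a freshly issued token.
    tok = make_csrf_token("sess-abc")
    print(handle_form_post({"session": "sess-abc"}, {"csrf_token": tok}))
    print(handle_form_post({"session": "sess-abc"}, {}))
```

Because the token is derived from the session id rather than stored, nothing has to be persisted per request; a token replayed against a different session, an expired one, or one with a tampered MAC all fail the same check. Rotate the secret and every outstanding token is invalidated at once.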
• 9. 9 What is an attack surface?
● Database
○ Network Isolation!
■ Only allow access from known web app nodes!
■ Default (on most RDBMS) is to bind to 0.0.0.0:$DB_PORT (i.e. listen on all interfaces)
■ ~5M MySQL hosts noted on shodan.io
● 5.0, 5.1, both forks are EOL!
○ Selective permissions
■ STOP giving “ALL ON *.*” Please!
○ Password complexity
■ Still important today!
■ Unless you have a kick-a** PKI setup and are using client certs or vault with ephemeral credentials
○ Mandatory Access Control
■ SELinux in enforcing mode please!
■ GRSecurity, AppArmor etc.
• 10. 10 What is an attack surface?
● Physical Systems
○ LIMIT physical access to your systems
○ Barclays bank 2014 had £1.3m stolen
■ Adversaries used KVM over 2.4GHz wifi after posing as a service company
■ No one checked, and they were allowed unchallenged access to workstations.
■ Social engineering? This is nothing new, this is con-artistry.
○ Deploy multiple layers of protection for physical assets.
■ 2FA - (yes even on laptops)
■ Encryption (LUKS, eCryptFS, Bitlocker, Filevault) - especially on laptops!
○ Disable unneeded services / functionality
■ Your 1u rackmount likely does not need bluetoothd!
○ Do not rely on a single measure for protection such as biometrics.
■ The Mythbusters defeated a >$10k biometric lock with a photocopier ...
○ Challenge “implied trust”: a badge or uniform != ID
■ It is OK to ask for ID and check for authorization; we do this with systems without thinking about it, we should apply this to people too!
• 11. 11 What is an attack surface?
● Network
○ Isolation! (A.C.L)
■ Your web app needs to talk to your database service.
■ It doesn’t need to talk to SSH on the server.
■ Iptables, if nothing else works!
○ Your chosen DBMS DOES NOT need to be accessible from everywhere!
■ MongoDB, Elasticsearch -> Ransomware?
● No! Malicious users taking advantage of DBMS left open!
○ Network Intrusion Detection System - NIDS / Network Intrusion Prevention System (NIPS)
■ Suricata, Bro, Snort, are all great and OSS!
● (I use suricata)
○ Segregation
■ Implement vlans and ACLs that prevent cross-vlan traffic unless explicitly allowed!
• 12. 12 What is an attack surface?
● Your staff (layer 8, meatware, P.E.B.K.A.C ...)
○ Awareness training
○ Social media training and policy
■ It _used_ to be hard to find out about an organisation; now it’s all open for all to see in most cases.
○ B.Y.O.D
■ Your “smart” phone is the single most valuable asset to an adversary as:
● It’s unlikely to have any hardening or D.L.P protection upon it
● It’s likely to have access to Mail, Cloud files, calendars, VPN, SSH, RDP, VNC, etc ...
● It’s likely to be running an out of date OS
○ Remote (wireless) attacks
■ WiFi: Karma (was Jasager), Rogue A.P. (hostapd), etc...
■ Bluetooth: bluesnark, snoopi, BtleJuice, etc ...
• 13. 14 “High tech gadgets”
● The BBC article on the Barclays £1.3m “haul” noted the use of “high tech” gadgets.
○ They are now commodity gadgets
■ RubberDucky $45
■ bashBunny $100
■ Malduino £13.00 / £24.00 (Elite)
■ usbNinja $99
■ WiFi pineapple
● Nano $100
■ You can also use a PiZero and some soldering for all this.
○ Accessing the tools to demonstrate “Edge case black hat nonsense” has never been easier.
○ Use a wireless mouse / keyboard? About that ...
• 15. 16 “High tech gadgets”
● Let’s talk about malicious HID...
○ Because I didn’t want to fly my quad in here...
■ Or try to fly with it.
■ Live demo time!
• 16. Acronym Hell
Just what do they mean?
• 18. 19 Acronym hell?
● In Security we <3 acronyms as much as (if not more than) DevOps, Sysadmins, DevSec ...
○ I.P.S
■ Intrusion Prevention System (can be host based, network based or both)
● H.I.P.S, N.I.P.S
■ Host based:
● File consistency enforcement
○ I.D.S
■ Intrusion Detection System (again, can be host based, network based or both)
● H.I.D.S, N.I.D.S
■ File consistency monitoring
● Auditd can do this!
● Inotify events
○ W.A.F
■ Web Application Firewall
● Layer 7 protection against SQLi, XSS, and other known attacks
● mod_security
• 19. 20 Acronym hell?
● Continued ...
○ S.C.A.D.A
■ Supervisory Control And Data Acquisition
● Industrial foundries, nuclear power plants, hydroelectric dams, diesel engine testing facilities, point of sale, hospital beds ...
■ I.o.T
● Internet of Things
● If there can be a thing, and you can put a webserver on the thing; should you put a webserver on the thing? - Viss
■ A.C.L
● Access Control Lists
■ P.O.L.P
● Path of Least Privilege
■ M.A.C + D.A.C
● Mandatory Access Control
● Discretionary Access Control
○ There’s plenty more ...
• 21. 22 Vulnerability naming
● MeltDown
○ CVE-2017-5715, CVE-2017-5753
● Spectre
○ CVE-2017-5754
● P.O.O.D.L.E
○ CVE-2014-3556
● C.R.I.M.E
○ CVE-2012-4929
● B.E.A.S.T
○ CVE-2011-3389
● HeartBleed
○ CVE-2014-0160
● DirtyCow
○ CVE-2016-5195
• 23. 25 Detection, Prevention, Both?
● Detection
○ I.D.S
■ Can be on your hosts / servers
● Host based Intrusion Detection System
● Aka file consistency monitoring
■ Can be on your hosts / servers / firewalls network
● Monitors the network for known intrusions
● Rule based.
• 24. 26 Detection, Prevention, Both?
● Detection
○ I.D.S
• 25. 27 Detection, Prevention, Both?
● Prevention
○ I.P.S
■ Can be on your hosts / servers
● Host based Intrusion Prevention System
● Aka file consistency enforcement
■ Can be on your hosts / servers / firewalls network
● Monitors the network for known intrusions and blocks them
● Rule based.
• 27. 29 Detection, Prevention, Both?
● No single solution is going to cover all your use cases.
● I.D.S is great
○ _IF_ someone/something is watching the logs 24x7 and responding to them
● I.P.S is great
○ _until_ it blocks your staff trying to do something and they use an insecure network to do it anyway.
● Choose what fits your use case
○ I.P.S on webapps makes sense if you don’t expect file edits.
■ They are really easy to write (I wrote one in python using gamin to hook inotify events, to work with SCM to produce a diff and revert php files ON_WRITECLOSE)
○ I.P.S makes sense on the network edge
■ RUN RECURRING TESTS!
■ Aka tabletop exercises: simulate an attacker and observe the effectiveness of the IPS & (blue) team.
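The host-based I.D.S (slide 19, file consistency monitoring) and the host-based I.P.S for a web root that slide 29 describes differ only in whether a finding is reported or reverted. The example below, added here and not the author's gamin/inotify tool, shows both halves over one baseline: a SHA-256 manifest of the deployed tree is compared against the live tree (detection), and any modified, deleted or added file is reverted from a pristine "golden" copy standing in for the SCM checkout (enforcement). It polls rather than hooking inotify, and the two-file PHP tree, the file names and the tampering it applies are all constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large assets do not load at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Manifest: relative path -> SHA-256 for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def check_tree(root, baseline):
    """Detection (H.I.D.S): sorted (relative path, status) findings, where
    status is 'modified', 'deleted' or 'added' relative to the baseline."""
    current = build_baseline(root)
    findings = []
    for rel, digest in baseline.items():
        if rel not in current:
            findings.append((rel, "deleted"))
        elif current[rel] != digest:
            findings.append((rel, "modified"))
    for rel in current:
        if rel not in baseline:
            findings.append((rel, "added"))
    return sorted(findings)


def enforce_tree(root, baseline, golden_root):
    """Enforcement (H.I.P.S): revert each finding from the pristine copy
    (an SCM checkout in practice). Returns the (action, path) list taken."""
    actions = []
    for rel, status in check_tree(root, baseline):
        target = os.path.join(root, rel)
        if status == "added":
            os.remove(target)
            actions.append(("removed", rel))
        else:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copyfile(os.path.join(golden_root, rel), target)
            actions.append(("restored", rel))
    return actions


def make_demo_tree(base):
    """Constructed two-file web root plus its pristine copy (hypothetical
    content for the example). Returns (live_root, golden_root)."""
    golden = os.path.join(base, "golden")
    live = os.path.join(base, "live")
    for rel, body in (("index.php", b"<?php echo 'hello';\n"),
                      (os.path.join("lib", "db.php"), b"<?php // db helper\n")):
        path = os.path.join(golden, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    shutil.copytree(golden, live)
    return live, golden


def run_demo():
    """Baseline the live tree, apply constructed tampering (one edit, one
    deletion, one new file), then detect and revert. Returns the findings
    before enforcement, the actions taken, and the findings afterwards."""
    with tempfile.TemporaryDirectory() as base:
        live, golden = make_demo_tree(base)
        baseline = build_baseline(live)
        with open(os.path.join(live, "index.php"), "ab") as fh:
            fh.write(b"// unexpected edit\n")
        os.remove(os.path.join(live, "lib", "db.php"))
        with open(os.path.join(live, "dropped.php"), "wb") as fh:
            fh.write(b"<?php // unexpected new file\n")
        before = check_tree(live, baseline)
        actions = enforce_tree(live, baseline, golden)
        after = check_tree(live, baseline)
    return before, actions, after


if __name__ == "__main__":
    for label, value in zip(("before", "actions", "after"), run_demo()):
        print(label, value)
```

The baseline itself must live off the monitored host (like the audit logs on slide 8), otherwise whoever can write to the web root can also rewrite the manifest. Slide 29's caveat applies too: enforcement only makes sense where edits on the live tree are never legitimate, which is why the deployment path should go through the golden copy rather than the server.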
• 29. 31 Emerging Technologies
● Hashicorp - vault
○ AES256-GCM, API
○ Highly available secrets store, with third party testing now completed!
○ Key:value storage for secrets (now supports versioning!)
○ Full audit logs
○ LDAP, DUO, Okta, Github, etc ... support for user auth.
○ _MANY_ secret backends for ephemeral credentials supported
■ AD, AliCloud, AWS, Azure, Consul, Cubbyhole, Databases (many supported: MySQL, MongoDB, PostGres, MSSQL ...), GC + KMS, K:V, Identity, Nomad, PKI, RabbitMQ, SSH, TOTP, Transit (send data, get encrypted / decrypted data).
■ Pluggable secrets backend!
■ Percona Server 5.7 has a vault keyring plugin available!
• 30. 32 Emerging Technologies
● Haka security
○ LUA DSL syntax ‘devops’ firewall project.
■ Can be run against pcap files for integration tests!
● Fidosecurity.org
○ Universal Second Factor (U2F)
■ Google has their own named ‘Titan’ (only available in US at this time)
● Keybase.io
○ Social identities as proof of ID, E2E encryption, encrypted git repositories, OTR chats, Slack-like chats with rooms, groups etc
● Suricata
○ OSS NIPS & NIDS, JSON output (easily imported into ELK stack), packet carving features, works with SNORT ruleset.
● OSQuery
○ Powerful endpoint metrics collection, used by Facebook.
• 31. 2014 -> 2018 Highlights in security (or lowlights depending on your perspective)
• 33. 35 2014 -> 2018
● iCloud breach
○ 2014: iCloud copies of photos & videos are leaked to the public; this includes many celebrities’ more intimate photos / videos.
● Hospira drug pump
○ 2015: admin credentials allowed researchers to gain complete control over the device, which in normal operation would control doses of IV drugs for the patient.
● Data Breaches (various years)
○ Ashley Madison, Wonga.com, Geekdin, Adobe, Facebook Cambridge Analytica, Facebook 50m accounts exposed 2018, Google kills Google+ (was this due to a breach?) ... MANY more ...
● NSA spying exposed.
○ Vault 7 documents, NSA ANT Catalog etc...
● GCHQ spying deemed violation of human rights
○ 2018: EU court rules GCHQ spying a violation of human rights
• 34. 36 2014 -> 2018
● Ransomware
○ WannaCry, EternalBlue, MySQL, Elasticsearch, MongoDB, etc ...
● BroadPwn
○ 2017: affects almost all cellular devices, allows remote code execution.
● Target breach
○ Malware came in through a laptop used to service the H.V.A.C system.
● May 25th 2018 GDPR became law
○ The privacy rights for all EU citizens made into a common legal framework.
■ I am not a lawyer; but I will happily answer questions on how best practices can help with GDPR.
• 35. Live Compromise (Or backup video if everything goes wrong...)
• 36. 38 Live Compromise
● DISCLAIMER
○ This is not a ‘how to’, though this exploits everything we’ve covered as ‘bad practice’
○ This will use _some_ automation ‘toys’ (USB HID)
■ Just so that I can speak about what’s going on.
○ Everything you will need to recreate this is on Github!
■ Hooray for open source!
○ This whole demonstration is run on local virtual machines and does not touch anyone else’s network or infrastructure
○ NOTHING SHOWN HERE CAN BE DIRECTLY APPLIED TO A PRODUCTION WEB APPLICATION
■ This requires multiple failures to exploit
■ Setting SELinux to enforcing also prevents this from working (`setenforce 1`)
• 39. 41 Live Compromise
● Everything wrong
○ Application has Remote Code Execution
■ No compensating controls
○ M.A.C is in permissive mode (setenforce 0)
○ MySQL permissions too broad
○ D.A.C permissions on plugin directory too broad
○ Attack Flow:
■ Generate PHP malicious payload, stage and execute on webserver to connect back to CnC (C2) system
■ Setup port forwarding to use web app server as pivot to reach DB server from CnC system (as direct 3306/tcp is not possible)
■ Stage sys_eval UDF into schema table, abuse FILE permissions to write this data out to a file in the global plugin directory
■ Abuse CREATE_ROUTINE permissions to setup the sys_eval UDF for use
■ Abuse lack of Egress controls to execute a reverse shell back to CnC system
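Slide 9 says to stop granting “ALL ON *.*”, and slide 41 shows why: the demo's database step needs FILE (to write into the plugin directory) plus CREATE ROUTINE (to register the UDF) on an account the web app can reach. A quick way to find such accounts before a review is to audit SHOW GRANTS output. The example below is added here (not code from the talk or from Percona): it parses GRANT lines and flags dangerous privileges, global scope and host wildcards. The four accounts and their grants are constructed sample output in the MySQL 5.7/8 style; the set of privileges treated as dangerous is the editor's choice for this example, not a MySQL-defined list.

```python
import re

# Privileges that, alone or combined, let a database account reach the
# filesystem or the OS (FILE + writable plugin dir + CREATE ROUTINE is the
# chain on slide 41) or hand out further access. Chosen for this example.
DANGEROUS_PRIVS = {
    "ALL PRIVILEGES", "FILE", "SUPER", "CREATE ROUTINE", "ALTER ROUTINE",
    "PROCESS", "SHUTDOWN", "GRANT OPTION",
}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<who>.+?)"
    r"(?:\s+WITH\s+GRANT\s+OPTION)?$",
    re.IGNORECASE,
)


def parse_grant(line):
    """Parse one SHOW GRANTS line into privileges, scope, user and host.
    Returns None for lines that are not GRANT statements."""
    text = line.strip().rstrip(";")
    m = GRANT_RE.match(text)
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    if text.upper().endswith("WITH GRANT OPTION"):
        privs.add("GRANT OPTION")
    user, _, host = m.group("who").strip().partition("@")
    quotes = "'`\""
    return {
        "privs": privs,
        "scope": m.group("scope"),
        "user": user.strip(quotes),
        "host": host.strip(quotes),
    }


def audit_grants(lines):
    """Return (account, scope, reason) findings for every grant that breaks
    least privilege: dangerous privileges, global scope, or a host wildcard."""
    findings = []
    for line in lines:
        grant = parse_grant(line)
        if grant is None:
            continue
        account = f"{grant['user']}@{grant['host']}"
        risky = sorted(grant["privs"] & DANGEROUS_PRIVS)
        if risky:
            findings.append((account, grant["scope"],
                             "dangerous privileges: " + ", ".join(risky)))
        # "GRANT USAGE ON *.*" is the harmless "account exists" line that
        # MySQL prints for every account, so it is not a global-scope finding.
        if grant["scope"] == "*.*" and grant["privs"] != {"USAGE"}:
            findings.append((account, grant["scope"], "global scope"))
        if grant["host"] in ("%", ""):
            findings.append((account, grant["scope"], "host wildcard"))
    return findings


# Constructed sample of what SHOW GRANTS might print for four accounts.
# Only 'reporting' follows slide 9's advice: one schema, one source host.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%' WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO 'reporting'@'10.0.1.20'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `catpics`.* TO 'reporting'@'10.0.1.20'",
    "GRANT FILE, CREATE ROUTINE ON *.* TO 'legacy'@'localhost'",
]

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS):
        print(finding)
```

Feed it the output of `SHOW GRANTS FOR ...` for each account in `mysql.user`. Older servers (5.6 and earlier) may append `IDENTIFIED BY PASSWORD '...'` to the USAGE line; strip that clause before parsing or extend the regex. The audit catches the precondition slide 41 abuses, but the plugin directory's D.A.C permissions and `secure_file_priv` still need checking on the host itself.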
• 40. 42 Live Compromise
● Attack evolution
○ RCE -> MySQL access -> MySQL shell execution access -> Reverse shell on both web application and database server to CnC system.
■ “Post Exploitation Lateral Movement”
○ Noted old kernels running; exploit old kernel to gain root level access, install persistence of access, moving from exploitation to Advanced Persistent Threat.
■ Install cryptominer and ...
• 41. 43 Thank You
● For attending this talk
○ For not going insane
○ For not breaking down sobbing uncontrollably
● Questions
○ Please see me after this talk, believe it or not I am a friendly person!
■ I can also go over the live demo in greater detail should you want to discuss.
○ You can also reach me:
■ email: david.busby{at}percona.com
■ Twitter: https://twitter.com/icleus
■ Keybase: https://keybase.io/oneiroi
• 42. 44 Join the Percona Product Managers for Lunch!
● With Tyler Duzan, Michael Coburn, and Alexander Rubin
● Share feedback
● Get to see the product roadmaps
Wednesday @ the reserved area in back of Gaia Restaurant
• 44. 46 Please Rate My Session