Security isn’t deploying some overbearing big brother of a hardware or software solution; it’s not running scanning software which tells you you’re safe, because in reality, in these types of setups, you’re not.
Security is akin to high availability: you deploy multiple redundancies to ensure you can still operate. The same can and should be applied to security; identify the potential areas of attack, reduce this attack surface and deploy multiple redundancies to secure your deployments.
In this session we'll wade through F.U.D
Discuss what an attack surface is, including some not so well known examples of exploitation of said surface, a demo of malicious HID devices and lock picking; discuss IoT (internet of things) and how commodity internet connected devices are racing ahead of any measures of security.
Discretionary vs Mandatory access controls, IPS vs IDS.
Cover the recent trend in vulnerability naming, and some of the more ridiculous examples.
Discuss attack detection and prevention, question why there's still a view that there needs to be a separation of the two.
Cover some emerging technologies of note to aid in hardening infrastructure.
The focus here is to promote an attitude change in thinking about points of vulnerability, and to promote better security as a whole.
Cloud security, sounds like a myth does it not? Many organizations still cling to the belief that cloud services cannot be used in a secure infrastructure. In this session I'll cover emerging and available technologies which can help abate some of these concerns.
Threat models
- What's a side channel attack?
- What's a co-residency attack?
Amazon
- Available amazon AWS compliance documentation and how it is relevant to secure infrastructure
- Available amazon AWS services such as KMS and how they may be used to secure your deployments, VPC and network isolation, IAM.
Openstack
- What's openstack bandit and why should I care?
- What options do I have in my openstack deployment to secure my infrastructure and how are they relevant to my needs?
Federated cloud infrastructure
- What is it?
- Why you need one
- Ensuring secure "chain of custody" through to deployment
Docker / LXC
- What is container virtualization and how does it differ to regular virtualization?
- How does this affect my attack surface?
- Should I have this in production ?
Security CI
- How can security be part of your CI process?
Emerging technologies
- pki.oio
- vaultproject.io
- haka
Telemetry processing
- Why your logs are your most important data source
- Handling thousands, millions or more lines per second
- Using the right components
Building the castle
- Thoughts on putting this all together to produce infrastructure hardened from developer through to production.
Web application security and why you should review yours is a whole-stack look, a skydive without a parachute; let's try not to die as we explore what an attack surface is, acronym hell, vulnerability naming, detection or prevention (is there a place for both or none?), emerging OSS technologies which can help you, a firehose review of compromises 2014 through 2018, and finally a live compromise demo covering everything we've discussed as being 'bad' ... or, as often happens, the backup video.
Having developed a test set, we started to research how safe it is for clients to use the 4G networks of the telecommunication companies. During the research we tested SIM cards, 4G USB modems, radio components and the IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not long in arriving. In some cases we managed to attack SIM cards and install a malicious Java applet there; we were able to remotely update USB modem firmware, to change the password on a self-care portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped us to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install a bootkit on the box that this modem is connected to.
The goal of this talk is to provide the results of passive and active fingerprinting for SD-WAN systems using a common threat intelligence approach. We explore Internet-based and cloud-based publicly available SD-WAN systems using the well-known «Shodan» and «Censys» search engines and custom developed automation tools and show that most of the SD-WAN systems have known vulnerabilities related to outdated software and insecure configuration.
Anton Nikolaev, Denis Kolegov, Oleg Broslavsky
This talk is a collection of my thoughts and observations since my early infosec days - some technical, some philosophical and some pointed questions for all of us to reflect upon. I would like to talk about my journey in the information security industry, from the fledgling years in the late 90s where I was still entrenched in academia to the present day where infosec is redefining the world's political boundaries, literally and figuratively.
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
RootedCON
We describe how, using simple programming, we carry out a MITM (Man-in-the-middle) attack on a machine and how we try to make it happen stealthily.
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
Saumil Shah
I started my company, Net-Square, 12 years ago. This talk is a collection of 13 thoughts and observations from the past 12 years - some technical, some philosophical and some pointed questions for all of us to reflect upon. I would like to talk about my journey in the information security industry, from the fledgling years in the late 90s where I was still entrenched in academia to the present day where infosec is redefining the world's political boundaries, literally and figuratively. This talk is not a rant, not a venting session and certainly not a criticism of sorts as many infosec talks have now become.
A 2018 practical guide to hacking RFID/NFC
Slawomir Jasek
Ever wanted to hack these proximity/contactless cards you use every day, but did not know where to start? This is the talk to attend! I will walk you through the fascinating world of RFID/NFC failures, snake oils and installation gaps that, despite facing well deserved hacks a long time ago, still remain unpatched in so many buildings. Besides legacy (but still widespread), more modern (but also broken), and supposedly non-breakable (yet to be tested) systems, I will also share the risks and possible attacks on the new emerging technology: replacing plastic cards with your NFC smartphone in access control systems. How to recognize the card type? What kinds of cards can be cloned? Can you clone a card having just a picture of it? How to build your own card cracking and cloning equipment for less than $10, and when is it worth investing in more powerful hardware? How to use a smartphone to crack keys, or emulate a plastic access control card? How to intercept data transmitted from the wall reader to the backend door controller? How to reverse a hotel system and understand the data encoded on cards? Expect highly practical information regarding these and many other topics. Multiple live demos and NFC hacking hardware sets to give away included. After the talk you are also welcome to practice the new skills yourself on our test access control installations onsite.
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Abraham Aranguren
Would you want to let your kids discover the darker corners of the internet without protection? Wouldn't it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit, and even when they play games?
Worry no longer, the South Korean government got you covered. Simply install the "Smart Sheriff" app on your and your kids' phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring!
Well, something shady yet mandatory like this cannot go without an external pentest. And even better, one that wasn't solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved in the first and, who would have guessed, second penetration test against the "Smart Sheriff" app will share what they found. Maybe all was fine with the app, maybe the million kids forced to have this run on their devices were all safe. Maybe. But would there be a talk about it then?
We all know mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder always delivers the best results. Right?
Going over the first and second pentest results we will share our impressions about the "security" of this ecosystem and show examples about the "comprehensive" vendor response, addressing "all" the findings impeccably. This talk is a great example of how security research about a serious political decision and mandate might achieve nothing at all - or show, how a simple pentest together with excellent activist work can maybe spark a political discussion and more.
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
Security Weekly
The Internet of Things (IoT) aims to make our lives better, yet there is still no foundation for security controls on the devices that allow us to access the Internet, listen to music, watch television, control the temperature in our homes and more. This talk will look at the history of embedded device insecurity. We’ll explore some real-world examples of how devices are exploited (and attackers profited). You will also learn what we can do to help fix these problems and push the industry for a much higher level of security for devices affecting our daily lives.
The Internet of Insecure Things: 10 Most Wanted List
Security Weekly
In this talk I will quickly bring you up to speed on the history of embedded device insecurity. Next, we will look at a real-world example or two of how devices are exploited (And attackers profited). Finally, you will learn what we can do to help fix these problems and push the industry for a much higher level of security for devices affecting our daily lives.
You may have heard about this threat, one that has plagued our lives and networks for well over a decade. A problem so ubiquitous, it can't be ignored. Yet, this threat has a history of hiding in plain sight. Users are, for the most part, unaware of the dangers. Security researchers and the media have attempted to highlight this problem for years, without making an impact on improving security. However, vendors and users are still very much at risk and the problem is still largely being ignored by the masses. The Internet of Things (IoT) aims to make our lives better, yet there is still no foundation for security controls on the devices that allow us to access the Internet, listen to music, watch television, control the temperature in our homes and more. The goal of this talk is to enable the audience to help raise awareness and influence the security of embedded systems in a positive way.
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where you have deployed malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic, meaning that they work against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them is endless, e.g., communicating with a bind shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!
How to Build Your Own Physical Pentesting Go-bag
Beau Bullock
Whenever an attacker decides to attempt to compromise an organization they have a few options. They can try to send phishing emails, attempt to break in through an externally facing system, or if those two fail, an attacker may have to resort to attacks that require physical access. Having the right tools in the toolkit can determine whether a physical attacker is successful or not. In this talk we will discuss a number of different physical devices that should be in every physical pentester’s go-bag.
Stealing credentials from a locked computer, getting command and control access out of a network, installing your own unauthorized devices, and cloning access badges are some of the topics we will highlight. We will demo these devices from our own personal go-bags live. Specific use cases for each of the various devices will be discussed including build lists for some custom hardware devices.
Red Team Tactics for Cracking the GSuite Perimeter
Mike Felch
As more corporations adopt Google for providing cloud services they are also inheriting the security risks associated with centralized computing, email and data storage outside the perimeter. In order for pentesters and red teamers to remain effective in analyzing security risks, they must adapt techniques in a way that brings value to the customer.
In this presentation we will begin by demonstrating adaptive techniques to crack the perimeter of Google Suite customers. Next, we will show how evasion can be accomplished by hiding in plain-sight due to failures in incident response plans. Finally, we will also show how a simple compromise could mean collateral damage for customers who are not carefully monitoring these cloud environments.
[ENG] IPv6 shipworm + My little Windows domain pwnie
Zoltan Balazs
Hacktivity 2011 presentation about IPv6 Teredo protocol, Windows pass-the-hash attack
Original video in Hungarian: http://vimeo.com/31359639
Translated version: http://vimeo.com/31360814
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Security Weekly
A robot, a ninja and a pirate get into a fight. The question is: who wins? While we can debate this question until the end of time, and likely have fun in the process, it’s a waste of time. Who are the robots, ninjas and pirates in your environment? What roles do they play in the vulnerability management process? We debate how to build a vulnerability management program all the time, however we are still spinning our wheels. Unlike the robot, ninja, pirate battle, there are concrete facts that will help you build a successful program, and avoid smoke bombs, swords, and robot death rays. Who wins? Find out in this presentation and learn how to protect your booty.
Graph databases are an "emerging" technology useful in the field of cybersecurity, especially in the detection of new threats based on the correlation of diverse sources of information. However, insufficient attention has been spent on their security. In this talk, we will review the state of the art of this kind of database and its design security problems, especially for Neo4J and OrientDB. We will release a hacking tool for testing and detecting graph databases and will show several examples of information leaks in the real world.
Tool: https://github.com/grafscan/GraFScaN
Web application security and why you should review yours
David Busby, CISSP
In this talk we will cover what an attack surface is and what you can do to limit it.
Acronym hell: what do all these acronyms associated with security products stand for, and what do they mean?
Vulnerability media naming: stupidity or driving the message home?
Detection or prevention: avoiding the boy who cried wolf.
Emerging technologies to keep an eye on, or even implement yourself, to help improve your security posture.
2014 -> 2017: what's been going on, and why have there been so many compromises?
Your data is much safer at home than it is letting some corporation "take care of it" for you, right? Security reviews for some of the top vendors' devices reveal many interesting findings. Like everything else, there are bugs. But knowing what kinds of bugs and how the vendors have responded will allow you to better understand the impact of plugging these devices into your network. Jeremy will show you just how low access control and least privilege are on their list of priorities. He'll also explore the amount of test collateral and debug interfaces sloppily left shipping to consumers. From remote roots to stealing social network tokens to just plain weird stuff, he'll expand on how it's not just about what they do, but also what they don't do. And, he'll give you some useful guidelines on how to close the gaps yourself.
This talk is a collection of my thoughts and observations since my early infosec days - some technical, some philosophical and some pointed questions for all of us to reflect upon. I would like to talk about my journey in the information security industry, from the fledgling years in the late 90s where I was still entrenched in academia to the present day where infosec is redefining the world's political boundaries, literally and figuratively.
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]RootedCON
Describimos cómo mediante programación sencilla realizamos un ataque MITM (Man-in-the-middle) sobre un equipo y cómo tratamos de conseguir que pase de manera sigilosa.
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec JourneySaumil Shah
I started my company, Net-Square, 12 years ago. This talk is a collection of 13 thoughts and observations from the past 12 years - some technical, some philosophical and some pointed questions for all of us to reflect upon. I would like to talk about my journey in the information security industry, from the fledgling years in the late 90s where I was still entrenched in academia to the present day where infosec is redefining the world's political boundaries, literally and figuratively. This talk is not a rant, not a venting session and certainly not a criticism of sorts as many infosec talks have now become.
A 2018 practical guide to hacking RFID/NFCSlawomir Jasek
Ever wanted to hack these proximity/contactless cards you use every day, but did not know where to start? This is the talk to attend! I will walk you through the fascinating world of RFID/NFC failures, snake oils and installation gaps - that despite facing well deserved hacks long time ago, still remain unpatched in so many buildings. Besides legacy (but still widespread), more modern (but also broken), and supposedly non-breakable (yet to be tested) systems, I will also share the risks and possible attacks on the new emerging technology - replacing plastic cards with your NFC smartphone in access control systems. How to recognize the card type? What kinds of cards can be cloned? Can you clone a card having just a picture of it? How to build your own card cracking and cloning equipment for less than $10, and when it is worth to invest in a more powerful hardware? How to use a smartphone to crack keys, or emulate a plastic access control card? How to intercept data transmitted from wall reader to backend door controller? How to reverse hotel system and understand the data encoded on cards? Expect highly practical information regarding these and many other topics. Multiple live demos and NFC hacking hardware sets to give away included. After the talk you are also welcome to practice the new skills yourself on our test access control installations onsite.
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingAbraham Aranguren
Would you want to let your kids discover the darker corners of the internet without protection? Wouldn't it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit, and even when they play games?
Worry no longer, the South Korean government got you covered. Simply install the "Smart Sheriff" app on your and your kids' phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring!
Well, something shady yet mandatory like this cannot go without an external pentest. And even better, one that wasn't solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved into the first and, who would have guessed, second penetration test against the "Smart Sheriff" app, will share what they found. Maybe all was fine with the app, maybe the million kids forced to have this run on their devices were all safe. Maybe. But would there be a talk about it then?
We all know, mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder, always delivers the best results. Right?
Going over the first and second pentest results we will share our impressions about the "security" of this ecosystem and show examples about the "comprehensive" vendor response, addressing "all" the findings impeccably. This talk is a great example of how security research about a serious political decision and mandate might achieve nothing at all - or show, how a simple pentest together with excellent activist work can maybe spark a political discussion and more.
Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014Security Weekly
The Internet of Things (IoT) aims to makes our lives better, yet there is still no foundation for security controls on the devices that allow us to access the Internet, listen to music, watch television, control the temperature in our homes and more. This talk will look at the history of embedded device insecurity. We’ll explore some real-world example of how devices are exploited (and attackers profited). You will also learn what we can do to help fix these problems and push the industry for a much higher level of security for devices affecting our daily lives.
The Internet of Insecure Things: 10 Most Wanted ListSecurity Weekly
In this talk I will quickly bring you up to speed on the history of embedded device insecurity. Next, we will look at a real-world example or two of how devices are exploited (And attackers profited). Finally, you will learn what we can do to help fix these problems and push the industry for a much higher level of security for devices affecting our daily lives.
You may have heard about this threat, one that has plagued our lives and networks for well over a decade. A problem so ubiquitous, it can't be ignored. Yet, this threat has a history of hiding in plain sight. Users are, for the most part, unaware of the dangers. Security researchers and the media have attempted to highlight this problem for years, without making an impact on improving security. However, vendors and users are still very much at risk and the problem is still largely being ignored by the masses. The Internet of Things (IoT) aims to makes our lives better, yet there is still no foundation for security controls on the devices that allow us to access the Internet, listen to music, watch television, control the temperature in our homes and more. The goal of this talk is to enable the audience to help raise awareness and influence the security of embedded systems in a positive way.
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
How to Build Your Own Physical Pentesting Go-bag - Beau Bullock
Whenever an attacker decides to attempt to compromise an organization they have a few options. They can try to send phishing emails, attempt to break in through an externally facing system, or if those two fail, an attacker may have to resort to attacks that require physical access. Having the right tools in the toolkit can determine whether a physical attacker is successful or not. In this talk we will discuss a number of different physical devices that should be in every physical pentester’s go-bag.
Stealing credentials from a locked computer, getting command and control access out of a network, installing your own unauthorized devices, and cloning access badges are some of the topics we will highlight. We will demo these devices from our own personal go-bags live. Specific use cases for each of the various devices will be discussed including build lists for some custom hardware devices.
Red Team Tactics for Cracking the GSuite Perimeter - Mike Felch
As more corporations adopt Google for providing cloud services they are also inheriting the security risks associated with centralized computing, email and data storage outside the perimeter. In order for pentesters and red teamers to remain effective in analyzing security risks, they must adapt techniques in a way that brings value to the customer.
In this presentation we will begin by demonstrating adaptive techniques to crack the perimeter of Google Suite customers. Next, we will show how evasion can be accomplished by hiding in plain-sight due to failures in incident response plans. Finally, we will also show how a simple compromise could mean collateral damage for customers who are not carefully monitoring these cloud environments.
[ENG] IPv6 shipworm + My little Windows domain pwnie - Zoltan Balazs
Hacktivity 2011 presentation about IPv6 Teredo protocol, Windows pass-the-hash attack
Original video in Hungarian: http://vimeo.com/31359639
Translated version: http://vimeo.com/31360814
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr... - Security Weekly
A robot, a ninja and a pirate get into a fight. The question is: who wins? While we can debate this question until the end of time, likely have fun in the process; it’s a waste of time. Who are the robots, ninjas and pirates in your environment? What roles do they play in the vulnerability management process? We debate how to build a vulnerability management program all the time, however we are still spinning our wheels. Unlike the robot, ninja, pirate battle, there are concrete facts that will help you build a successful program, and avoid smoke bombs, swords, and robot death rays. Who wins? Find out in this presentation and learn how to protect your booty.
Graph databases are an "emerging" technology useful in the field of cybersecurity, especially in the detection of new threats based on the correlation of diverse sources of information. However, insufficient attention has been paid to their security. In this talk we will review the state of the art of this kind of database and its security design problems, especially for Neo4J and OrientDB. We will release a hacking tool for testing and detecting graph databases and will show several examples of information leaks in the real world.
Tool: https://github.com/grafscan/GraFScaN
Web application-security-and-why-you-should-review-yours - David Busby, CISSP
In this talk we will cover what is an attack surface and what you can do to limit it.
Acronym hell: what do all these acronyms associated with security products mean?
Vulnerability media naming: stupidity or driving the message home?
Detection or prevention: avoiding the boy who cried wolf.
Emerging technologies to keep an eye on or even implement yourself to help improve your security posture.
2014 -> 2017: what's been going on, and why have there been so many compromises?
Your data is much safer at home than it is letting some corporation "take care of it" for you, right? Security reviews for some of the top vendors' devices reveal many interesting findings. Like everything else, there are bugs. But knowing what kinds of bugs and how the vendors have responded will allow you to better understand the impact of plugging these devices into your network. Jeremy will show you just how low access control and least privilege are on their list of priorities. He'll also explore the amount of test collateral and debug interfaces sloppily left shipping to consumers. From remote roots to stealing social network tokens to just plain weird stuff, he'll expand on how it's not just about what they do, but also what they don't do. And, he'll give you some useful guidelines on how to close the gaps yourself.
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class - Chris Gates
Derbycon 2011
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
DrupalCamp London 2017 - Web site insecurity - George Boobyer
- Common threats to web security with real world case studies of compromised sites,
- A 'dissection' of a typical common exploit tool and how it operates,
- Simple approaches to mitigating common threats/vulnerabilities,
- Defence in depth – an overview of the various components of web security,
- Drupal specific measures that standard penetration testing often does not account for.
An overview of how to benefit from:
- Security monitoring and log analysis
- Intrusion Detection Systems & Firewalls
- Security headers and Content Security Policies (CSP).
see Drupal Camp London for full details:
http://drupalcamp.london/session/web-site-insecurity-how-your-cms-site-will-get-hacked-and-how-prevent-it
Public facing web sites are constantly under attack and keeping websites protected is an arms race, yet security rarely gets a look-in at specification and budget allocation stages of delivering a web site - or at best is an afterthought. Yet everyone has an expectation of security and QOS that implies it is central to every project.
Security considerations should pervade all stages of a project from initial specification, throughout development and testing and on to ongoing hosting and maintenance.
In this session I will cover:
* Common threats to web security with real world case studies of compromised sites,
* Simple approaches to mitigating common threats/vulnerabilities,
* Defence in depth – an overview of the various components of web security,
* Drupal specific measures that standard penetration testing often does not account for.
* An overview of how to benefit from:
* Security monitoring and log analysis
* Intrusion Detection Systems & Firewalls
* Security headers and Content Security Policies (CSP).
Comments: https://joind.in/talk/8bbea
In this PowerPoint, learn how a security policy can be your first line of defense. Servers running AIX and other operating systems are frequent targets of cyberattacks, according to the Data Breach Investigations Report. From DoS attacks to malware, attackers have a variety of strategies at their disposal. Having a security policy in place makes it easier to ensure you have appropriate controls in place to protect mission-critical data.
Covers building a malware analysis environment for enterprises that don't currently have a dedicated team for such purposes. Presented at Blackhat DC 2010.
Live Memory Forensics on Android devices - Nikos Gkogkos
This presentation deals with some RAM forensics on the Android OS using the LiME tool for getting a RAM dump and the Volatility framework for the analysis part!
I got 99 trends and a # is all of them or How we found over 100 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
RIoT (Raiding Internet of Things) by Jacob Holcomb - Priyanka Aash
The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform.
Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their study, to offer the CISO/security experts the best insights in information security.
For more, sign up (it's free): www.cisoplatform.com
Threat Modelling - It's not just for developers - MITRE ATT&CK
From ATT&CKcon 3.0
By Tim Wadhwa-Brown, Cisco
The purpose of this session will be to look at how you can take public information about threat actors, vulnerabilities, and incidents and use them to build better defenses, utilizing ATT&CK along the way to align your security organization to the people and assets that matter.
Stories are critical to how humans learn, so this session will leverage a story book approach to give the audience some ideas on approaches they could use. Tim will take the audience through 3 real world examples where he has leveraged ATT&CK to drive operational improvement. The premise of each story will be real, although some of the details will be apocryphal to protect the innocent.
One story will focus on defending a network, one will look at adversary detection, while the final one will look at responding to an active attack and in each case, Tim will guide the audience to think about the kinds of data sources that ATT&CK tracks, that they might call upon to achieve a successful outcome.
Nate Warfield, Microsoft
Ben Ridgway, Microsoft
MongoDB, Redis, Elastic, Hadoop, SMBv1, IIS6.0, Samba. What do they all have in common? Thousands of them were pwned. In Azure. In 2017. Attackers have shifted tactics, leveraged nation-state leaked tools and are leveraging ransomware to monetize their attacks. Cloud networks are prime targets; the DMZ is gone, the firewall doesn't exist and customers may not realize they've exposed insecure services to the internet until it's too late. In this talk we'll discuss hunting, finding and remediating compromised customer systems in Azure - a non-trivial task with 1.59 million exposed hosts and counting. Remediating system compromise is only the first stage so we'll also cover how we applied the lessons learned to proactively secure Azure Marketplace.
Jon Noble. Jon will give a brief overview of why you should consider security as part of your CloudStack deployment, why your approach to security needs to be different than in a traditional environment, and also talk about some of the motives behind the attacks – why they attack you and what they do once they have compromised a system.
PLMCE - Security and why you need to review yours
1. Security
and why you need to review yours.
David Busby
Percona Remote DBA EMEA team lead / RDBA Security lead
2014-04-02
2. Who am I?
• David Busby
– Remote DBA for Percona since January 2013
– 14 some years as a sysadmin
– Paranoid about security and legal agreements.
– Ju-Jitsu instructor for a UK based not for profit club.
– Help to teach computing at a UK Secondary school to children. (volunteer)
3. Agenda
• What is an “attack surface” ?
• Why password complexity is important.
• Why GRANT ALL is a bad idea.
• SELinux `setenforce 1`
• What is a CVE?
• 0-days dispelling the F.U.D
• 5.6 Security
• Q&A
4. What is an “attack surface” ?
• Points at which your system could be attacked.
– Application
– Database
– Physical systems
– Network
– Your employees
– Hosting provider
5. Reducing your “attack surface”
• Application
– Sanitize ALL user inputs
– CSRF / XSRF tokens
– W.A.F e.g. mod_security
– I.P.S (do not leave in I.D.S. mode!)
– Recurring audit procedures
– Mandatory Access Controls (e.g. SELinux)
– Ingress and Egress controls
6. Reducing your “attack surface”
• Database
– Network segregation from application where possible
– Selective GRANT
– Complex passwords
– Avoid “... IDENTIFIED BY 'plaintext_password'” SQL
– Mandatory Access Controls (e.g. SELinux)
– Ingress and Egress controls
7. Reducing your “attack surface”
• Physical systems
– Limit physical access to hardware
– Barclays £1.3M “haul” could have been avoided (Image credit BBC UK)
– “Social engineering” is just a new term for con artistry.
– Challenge “implied trust”: a badge / uniform != identification
– Don't rely only on biometrics (just ask the Mythbusters about “unbeatable fingerprint readers”)
– Remove unneeded services and devices from your hardware (your rackmount system probably doesn't need bluetooth).
8. Reducing your “attack surface”
• Network
– Selective ACL (even if it's only iptables)
iptables -N MySQL
iptables -I INPUT -j MySQL
iptables -A MySQL -s aaa.bbb.ccc.ddd/CIDR -p tcp --dport 3306 -m comment --comment "application range access to MySQL" -j ACCEPT
– MySQL doesn't need to be accessible from everywhere on the internet
– Lest we forget CVE-2012-2122
– Segregation
– I.P.S
– I.D.S
9. Reducing your “attack surface”
• Employees (Layer 8 / Meat ware)
– Awareness training
– Social media betrays a wealth of information
– B.Y.O.D: your “smart” phone is perhaps the single largest repository of personal information you own.
– Physical attacks: theft (“Wanna see a magic trick with your phone?”), lock screen bypasses, debug abuse (p2p-adb, vendor “hidden” USB host debug), NFC
– Remote attacks: Karma / Jassegar, app (e.g. crafted apk) malware, Bluetooth (android remote bluetooth (bluedroid) crash)
10. Reducing your “attack surface”
• Employees (Layer 8 / Meat ware) cont.
– Malicious H.I.D devices: Teensy Duino HID, DLP bypass
– Malicious Thunderbolt chain devices (still theory at the time of writing).
– Challenge identity and “implied trust”: it's OK to ask for ID!
– “Hello, I'm calling from the computer security center, we're receiving alerts about the virus on your windows machine ...”
– “Wouldn't you like a christmas tree in your bank account sir?” (Fonejacker)
13. Reducing your “attack surface”
• Certain allowances must be made.
– Trust in service / hosting provider (ensuring you've done your own due diligence).
– You want to know about their uptime S.L.A.; why not ask about any regulatory compliance they have been subject to as well? PCI, SOX, HIPAA ... etc.
– Trust in mobile networks ... however GSM is broken and there's lots of “fun” to be had with femtocells.
14. Why rigid grants are important
• How often do you see:
– “ALL PRIVILEGES ON *.*”? e.g. cacti, phpmyadmin
– “WITH GRANT OPTION” aka “The Keymaker”
– Also be concerned about Super_priv, Create_routine, Insert_priv, FILE.
15. Why rigid grants are important
• SUPER
– Kill any process
– Stop/reset slaves
– Write regardless of read_only
– Part of “ALL”
• FILE && Create_routine
– We're going to abuse this shortly to inject a malicious UDF.
• INSERT_Priv: could be used to insert directly into mysql schema tables, create users + access.
16. Why rigid grants are important
• WITH GRANT OPTION
– Gets its very own slide.
– “The keymaker”
– “keys to the kingdom”
– No internet facing application should need to create grants.
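Slides 14 to 16 list the grants to look for; the quickest way to find them across many accounts is to feed SHOW GRANTS output through a small parser. The script below is an added example written for this page, not code from the talk or from Percona. The SHOW GRANTS lines are constructed sample input, and the set of privileges it flags is the one the slides name (ALL PRIVILEGES ON *.*, WITH GRANT OPTION, SUPER, FILE, CREATE ROUTINE, and any read or write access to the mysql schema).

```python
import re
from collections import defaultdict

# Constructed sample of `SHOW GRANTS FOR ...` output (illustrative, not from the talk).
SAMPLE_GRANTS = """
GRANT ALL PRIVILEGES ON *.* TO 'cacti'@'%' WITH GRANT OPTION
GRANT SELECT, INSERT, UPDATE, DELETE ON `app`.* TO 'app'@'10.0.0.%'
GRANT SELECT ON `mysql`.`user` TO 'app'@'10.0.0.%'
GRANT SUPER, FILE, CREATE ROUTINE ON *.* TO 'backup'@'localhost'
GRANT INSERT ON `mysql`.* TO 'tool'@'localhost'
GRANT USAGE ON *.* TO 'ro'@'localhost'
"""

# One GRANT statement as printed by SHOW GRANTS. Older servers append
# "IDENTIFIED BY PASSWORD '...'"; that clause is tolerated and ignored.
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<user>'[^']*'@'[^']*')"
    r"(?: IDENTIFIED BY .*?)?(?P<grantopt> WITH GRANT OPTION)?$"
)

# Global privileges the slides single out as dangerous on their own.
DANGEROUS_PRIVS = {"SUPER", "FILE", "CREATE ROUTINE"}


def parse_grant(line):
    """Return (user, privilege set, scope, has_grant_option) or None if not a GRANT."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return None
    privs = {p.strip().upper() for p in m["privs"].split(",")}
    scope = m["scope"].replace("`", "")
    return m["user"], privs, scope, bool(m["grantopt"])


def audit_grants(show_grants_output):
    """Map each user to the list of risky grants found for it (users with none are omitted)."""
    findings = defaultdict(list)
    for line in show_grants_output.strip().splitlines():
        parsed = parse_grant(line)
        if parsed is None:
            continue
        user, privs, scope, grant_option = parsed
        database = scope.split(".")[0]
        if "ALL PRIVILEGES" in privs and scope == "*.*":
            findings[user].append("ALL PRIVILEGES ON *.*")
        if grant_option:
            findings[user].append("WITH GRANT OPTION")
        for priv in sorted(privs & DANGEROUS_PRIVS):
            findings[user].append(priv)
        if database == "mysql":
            # Writes to the grant tables let a user create accounts and access.
            if privs & {"INSERT", "UPDATE", "DELETE", "ALL PRIVILEGES"}:
                findings[user].append("write access to " + scope)
            # Reading mysql.user hands out the password hashes (the "hashdump").
            if privs & {"SELECT", "ALL PRIVILEGES"}:
                findings[user].append("SELECT on " + scope + " (hash dump)")
    return dict(findings)


if __name__ == "__main__":
    for user, issues in audit_grants(SAMPLE_GRANTS).items():
        print(user, "->", ", ".join(issues))
```

In practice the input is the concatenated output of SHOW GRANTS FOR each row of mysql.user; the read-only account in the sample produces no finding, which is the result you want for an application user.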
17. Why password complexity is important
• Consider the following
– I've compromised your application.
– The application's MySQL user does not have sufficient privileges to escalate the compromise into the DB server.
– However it does have privileges to SELECT on mysql.user and obtain a “hashdump”
– So now I want to go after an account with more privileges.
18. Why password complexity is important
• We're going to “recover” the passwords for the following
ACA068D24BC58DB72E9D3C2D8D29D43FB6F674D9
B415DD9C4FB5EF59FE80C4FEBC1F9C715E6E97C4
F469EBEEF4AD5F9DE9A0703EABF87DD88A7AF52D
CB7DFF0540F8C51BF178A1502A286FB8F4A2691E
F49091CCA44CEC66E65D3D97EA2C3F92D7636734
– Don't believe me?
20. Why password complexity is important
• We've “recovered” the passwords
MUCH: ACA068D24BC58DB72E9D3C2D8D29D43FB6F674D9
PASS: B415DD9C4FB5EF59FE80C4FEBC1F9C715E6E97C4
SUCH: F469EBEEF4AD5F9DE9A0703EABF87DD88A7AF52D
BAD: CB7DFF0540F8C51BF178A1502A286FB8F4A2691E
WOW: F49091CCA44CEC66E65D3D97EA2C3F92D7636734
Fedora 19 x64, AMD catalyst 13.11, oclHashcat 1.01 Kernel 3.12.9-201 2 x AMD 7750
21. Why password complexity is important
• Alternative methods
– “sniff” network packets hoping to capture a privileged user MySQL handshake
SHA1(password) XOR SHA1(salt <concat> SHA1(SHA1(password)))
– MySQL 5.5 password hash is simply SHA1(SHA1(password))
22. Why password complexity is important
• Know what you're up against.
– oclHashcat (from the demo) uses OpenCL for GPU-based hash calculation; in the demo we just used “brute force”, which easily does 270M/s
– pre-computed hash tables (database / file with computed hashes with their original counterpart).
– Skullsecurity.org is a great resource for lists
23. Why password complexity is important
• Conclusion? The greater the complexity of the password:
– The longer it takes to derive from its hash.
– The less likely it is to be on any pre-computed list.
– Increases the time for “privilege escalation” (via the demoed method).
– Increases the potential for remediation to occur “before things get worse”.
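The stored hash from slide 21, the handshake formula on the same slide, and the pre-computed table point from slide 22 worked through in Python. This is an added example written for this page, not code from the talk or from Percona; the wordlist and the two-entry “hashdump” are constructed, and the only externally known value asserted is the hash of the word password. The server-side check shows why the stored value alone is enough to verify a client, and the lookup table shows why an unsalted SHA1(SHA1(password)) lets one table serve every server.

```python
import hashlib
import hmac


def mysql_native_hash(password):
    """Stored mysql_native_password form: '*' + hex(SHA1(SHA1(password))).upper()."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(stage1).hexdigest().upper()


def client_token(password, salt):
    """What the client puts on the wire: SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw)))."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mix = hashlib.sha1(salt + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mix))


def server_verify(stored_hash, salt, token):
    """Server side: the stored SHA1(SHA1(pw)) is all that is needed to check the token."""
    stage2 = bytes.fromhex(stored_hash.lstrip("*"))
    mix = hashlib.sha1(salt + stage2).digest()
    stage1 = bytes(a ^ b for a, b in zip(token, mix))  # undo the XOR
    return hmac.compare_digest(hashlib.sha1(stage1).digest(), stage2)


def build_lookup(wordlist):
    """Pre-computed table; no per-user salt means it is built once and reused everywhere."""
    return {mysql_native_hash(word): word for word in wordlist}


def audit_hashes(stored_hashes, lookup):
    """Return {hash: word} for every stored hash that appears in the table."""
    return {h: lookup[h] for h in stored_hashes if h in lookup}


# Constructed wordlist and a constructed two-entry "hashdump" (not the slide's hashes).
SAMPLE_WORDLIST = ["password", "letmein", "summer2014", "correct horse battery staple"]
SAMPLE_DUMP = [mysql_native_hash("letmein"), mysql_native_hash("Tr0ub4dor&3!xQ")]

if __name__ == "__main__":
    salt = b"\x01" * 20  # the 20-byte scramble the server sends in its greeting
    stored = mysql_native_hash("password")
    print(stored, server_verify(stored, salt, client_token("password", salt)))
    print(audit_hashes(SAMPLE_DUMP, build_lookup(SAMPLE_WORDLIST)))
```

Because the validate_password check only sees plaintext at SET PASSWORD time (the speaker notes below point out that a pre-generated SHA1(SHA1()) value goes straight through), running your own mysql.user hashes through a lookup like audit_hashes is the control that actually catches a weak password after the fact.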
24. SELinux: `setenforce 1`
• The what before the why
– SELinux is a M.A.C which uses “labels”
– I'll cover in brief the “targeted” policy (not MLS / Strict)
– /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
25. SELinux: `setenforce 1`
• Labels
– SELinux contexts applied to files, ports, etc.
“user:role:type:level” (level is optional and the targeted policy is only really interested in the “type”)
– Type enforcement (policies)
– A process is running in context X
– X is allowed access to a resource with context Y
– But not context Z
26. SELinux: `setenforce 1`
• Context X (mysqld_t)
– Context Y: You want this process to be able to access
/var/lib/mysql (mysqld_db_t)
/var/log/mysql (mysql_log_t)
*:3306 (mysql_port_t)
– Context Z: But probably not
/etc/passwd (passwd_file_t)
/etc/shadow (shadow_file_t)
http_port_t, ssh_port_t, etc.
27. SELinux: `setenforce 1`
• Many standard linux utilities take the -Z argument.
– ls -Z /var/lib/mysql/ibdata1
-rw-rw----. mysql mysql unconfined_u:object_r:mysqld_db_t:s0 /var/lib/mysql/ibdata1
– ps -Z (system_u:system_r:mysqld_t:s0)
– id -Z (unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023)
29. SELinux: `setenforce 1`
• `setenforce 0`
– Permissive, not OFF
useful for debugging, but always ensure you go back to `setenforce 1`
– New tools make things easier
setroubleshoot-server, libselinux-python
– “Most” issues are just incorrect labeling.
– A couple of “gotchas”: new files / dirs inherit contexts; moved / copied files / dirs keep their original contexts.
30. SELinux: `setenforce 1`
• So it's useable, why should I care?
– Additional layer of security
– Arrests “out of context” behavior
– Unlike D.A.C which “trusts running software” - assumes it should have access to everything the user it is running as can.
– We're going to see just how bad things can get
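Slide 29 says most denials are just incorrect labelling and slide 30 says the value of SELinux is arresting out-of-context behaviour; telling the two apart in audit.log is the practical step between them. The script below is an added example written for this page, not from the talk: it parses constructed AVC records and sorts each denial using the type names from slide 26 (a denial against a sensitive type means the policy did its job and the process deserves a look; a denial against a catch-all type such as default_t usually means a file was created or moved without its label). The real policy names some types differently from the slides (shadow_t rather than shadow_file_t, mysqld_log_t rather than mysql_log_t), so adjust the sets to what `ls -Z` shows on your system.

```python
import re

# Constructed audit.log excerpts (not from the talk); type names follow the slides.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1396412345.123:456): avc:  denied  { read } for  pid=1234 comm="mysqld" name="shadow" dev="dm-0" ino=12345 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:shadow_file_t:s0 tclass=file
type=AVC msg=audit(1396412346.001:457): avc:  denied  { write } for  pid=1234 comm="mysqld" name="ibdata1" dev="dm-0" ino=6789 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1396412347.500:458): avc:  denied  { name_connect } for  pid=1234 comm="mysqld" dest=80 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1396412347.500:458): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1396412348.000:459): avc:  denied  { getattr } for  pid=1234 comm="mysqld" path="/srv/dumps" dev="dm-0" ino=222 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
"""

# Shape of an AVC denial record: permission set, free-form key=value fields, then the contexts.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*?)"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

# Types slide 26 lists as things mysqld_t must never touch.
SENSITIVE_TYPES = {"shadow_file_t", "passwd_file_t", "http_port_t", "ssh_port_t"}
# Catch-all types that usually mean a file was created or moved without the right label.
GENERIC_TYPES = {"default_t", "tmp_t", "user_home_t", "unlabeled_t"}


def context_type(context):
    """'user:role:type:level' -> 'type', the only field the targeted policy cares about."""
    return context.split(":")[2]


def triage(audit_text):
    """Classify every AVC denial as 'investigate', 'relabel' or 'review'."""
    results = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types are skipped
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m["fields"]))
        target = context_type(m["tcontext"])
        if target in SENSITIVE_TYPES:
            verdict = "investigate"  # out-of-context behaviour was arrested: look at the process
        elif target in GENERIC_TYPES:
            verdict = "relabel"      # fix the label (restorecon), do not loosen the policy
        else:
            verdict = "review"       # may need a boolean or a small local policy module
        results.append({
            "perm": m["perms"].strip(),
            "comm": fields.get("comm", "").strip('"'),
            "name": fields.get("name", fields.get("path", fields.get("dest", ""))).strip('"'),
            "source": context_type(m["scontext"]),
            "target": target,
            "tclass": m["tclass"],
            "verdict": verdict,
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT_LOG):
        print("%-11s %s %s -> %s (%s on %s)" % (r["verdict"], r["source"], r["perm"],
                                                r["target"], r["comm"], r["name"]))
```

Feed it `ausearch -m avc --raw` output (or the raw audit.log) and act on the three buckets separately: the relabel bucket is the "most issues are just incorrect labeling" case, the investigate bucket is the one you never want to silence with `setenforce 0`.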
31. The worst case scenario
• “Perfect storm” example
– Command line injection present in web app or CVE-2012-1823 PHP CGI cli injection.
– `setenforce 0`
– “BAD” Grants: ALL PRIVILEGES ON *.*
– “BAD” File (D.A.C) Permissions
– Attack flow:
1. Deploy PHP shell to web server and “pop” a reverse shell
2. Deploy UDF to the MySQL server and “pop” a reverse shell
32. The worst case scenario
• DISCLAIMER!
– We're showing abuse of everything we have already noted as being “bad”
– This isn't a “how to hack” (legal wouldn't let me do that :-()
– You can repeat everything here yourself! (GPL code + resources @ Github (current code will be committed after the conference))
– This demo is on a local VM environment purposely made vulnerable only.
– For informational purposes only.
– Use at your own risk.
35. What is a CVE?
• Common Vulnerabilities and Exposures
– Common classification and notation of known vulnerabilities.
– $vendors and $researchers use this to classify vulnerabilities (along with CVSS scoring)
– Not always used as intended however; an entry may read “Unspecified vulnerability … unknown vectors” e.g. CVE-2013-3826
– A CVE filing can be used to check for patch releases.
– Or to contact a vendor requesting a patch.
– Even where enough detail exists, use J.I.T. methods to mitigate, e.g. CVE-2013-2094 could be mitigated using SELinux
36. What is a CVE?
• Syntax from Jan 2014 changed
37. What is a CVE?
• Additional resources
– Open Source Vulnerability Database
– Secunia
– National vulnerability Database
– Exploit DB
– /r/netsec
– Full disclosure list has unfortunately closed
38. 0-days dispelling the F.U.D.
• Zero Day / Oh Day
– An attack / exploit using an unknown vulnerability
– Beware of “claims” which are just posturing.
– Proof or S.T.*.* (look for p.o.c code and test in a lab environment)
– “hardening” is the best defense you can take against the “unknown”
– Reducing your attack surface is essential.
– Prepare for the worst and hope for the best.
– “By failing to prepare, you are preparing to fail.” - Benjamin Franklin
39. 0-days dispelling the F.U.D.
• It's all about being prepared
– Build “hardened” systems from the “ground up”
– Avoid the “foolish man who built his house on the sand”
– Orchestration tools make management EASY! (Ansible, puppet, chef, salt … etc.)
40. 5.6 Security
• Password Expiration policy
• Password Validate plugin
– validate_password_policy = LEVEL
– LOW
>= 8 chars
– MEDIUM
LOW && >=1 number && >=1 upper case
– STRONG
MEDIUM && substrings >=4 chars must not appear in defined dictionary.
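The three policy levels from slide 40 as a standalone check. This is an added example written for this page rather than the plugin's code or anything from the talk; it implements the rules exactly as the slide summarises them (the real validate_password plugin has further tunables, such as a configurable minimum length and a dictionary file, which are assumed away here), and the dictionary is constructed. The STRONG level is the interesting one: every substring of four or more characters is checked case-insensitively against the dictionary, so “Summer2014” fails on the word inside it even though it passes MEDIUM.

```python
# Policy levels as summarised on slide 40:
#   LOW    : at least 8 characters
#   MEDIUM : LOW, plus at least one digit and one upper-case letter
#   STRONG : MEDIUM, plus no dictionary word as a substring of 4+ characters


def dictionary_hit(password, dictionary):
    """Return the first dictionary word (4+ chars) found inside the password, else None."""
    lowered = password.lower()
    for length in range(4, len(lowered) + 1):
        for start in range(len(lowered) - length + 1):
            chunk = lowered[start:start + length]
            if chunk in dictionary:
                return chunk
    return None


def validate_password(password, policy="MEDIUM", dictionary=frozenset()):
    """Return (accepted, reason); reason is an empty string when the password is accepted."""
    policy = policy.upper()
    if policy not in ("LOW", "MEDIUM", "STRONG"):
        raise ValueError("unknown validate_password_policy: " + policy)
    if len(password) < 8:
        return False, "shorter than 8 characters"
    if policy == "LOW":
        return True, ""
    if not any(c.isdigit() for c in password):
        return False, "no digit"
    if not any(c.isupper() for c in password):
        return False, "no upper case letter"
    if policy == "MEDIUM":
        return True, ""
    words = {w.lower() for w in dictionary}  # dictionary comparison is case-insensitive
    hit = dictionary_hit(password, words)
    if hit:
        return False, "contains dictionary word '%s'" % hit
    return True, ""


# Constructed dictionary; a real deployment points validate_password at a word list file.
SAMPLE_DICTIONARY = {"password", "summer", "percona", "mysql"}

if __name__ == "__main__":
    for candidate in ("short1A", "password1", "Summer2014", "xK9#pLq2Wz"):
        for level in ("LOW", "MEDIUM", "STRONG"):
            print(level, candidate, validate_password(candidate, level, SAMPLE_DICTIONARY))
```

The check runs on the plaintext only; as the speaker notes say, a password set by passing a pre-generated hash never goes through it, which is why grants that allow writing to mysql.user matter as much as the policy level.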
Image is a KVM over WiFi device, installed by thieves pretending to be IT technicians servicing computers at the branch.
Social engineering is just a fancy term for con artistry; an infamous example of con artistry would be Victor Lustig, the man who sold the Eiffel Tower for scrap … twice.
ACL: Ensure only hosts that need access to a service have it.
ACL: Recurring audits of access
Segregation: Hardware and/or VLAN
CVE-2012-2122: Nasty bug in the handshake where rapidly using an invalid password allowed login, akin to children and parents “please no please no please no but please ... oh fine here you go ...” for what it's worth I tested Percona server at the time of the disclosure of this bug (a full 7 months before I started working for Percona) it was not vulnerable, Oracle MySQL and MariaDB were ... take from that what you will.
Awareness: social networks are a gold mine for information which used to be hard to retrieve; Linkedin, Facebook etc ... tools have been written to aid this such as Maltego.
Gif: As per the animated gif above, “implied trust” can be a powerful thing to abuse; fictional scenario of performing magic which is being recorded on camera “has anyone got a phone?” ... “sure here's mine” ... “k thanks BYE!”
Remote attacks: Karma / Jassegar abuse WiFi's inherent functionality when looking for known networks, “I'm looking for these networks, are any of you them?” ... Jassegar replies yes to all of these requests.
If anyone wants a demo on Karma / Jassegar see me after the talk, I have some “toys”
Malicious human interface devices, I've included links in the slides which will be made available.
Irongeek gave a great talk on malicious HID devices, even went so far as to embed one in a mouse with RGB led to pose as a literal trojan horse device.
DLP: Data Leak Prevention
This is my very own Teensy HID device I have it with me if anyone wants to discuss after the talk.
Alt tab out to word processor, plug in teensy
Password expiration: drops user into sandbox to change password
Circumventable: Pass a pre generated sha1(sha1()) hash of a weakpassword and it goes right through.