MySQL security is not trivial. This presentation will walk you trough some of the more important decisions you have to take, when configuring a MySQL server instance
Nagios Conference 2013 - Sheeri Cabral - Alerting With MySQL and NagiosNagios
Sheeri Cabral's presentation on Alerting With MySQL and Nagios.
The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna
A review of the webshells used by bad guys. How they are protected but also mistakes in their implementation. This talk was presented at the OWASP Belgium Chapter Meeting in May 2017.
Thinking of fuzzing applications on OS X can quickly lead to a passing conversation of "ooh exotic Mac stuff", "lets fuzz the kernel" or it can otherwise not be thought of as an exciting target, at least for looking for crashes in stuff other than Safari or the iPhone. While there are some intricacies and nuance involved, workaround for security protections to enable debugging and finding tools that work and work well, this research will detail how it can be done in a reliable way and make the topic more tangible and easier to digest, kind of like how people think about using AFL on Linux: it "just works". We'll explore some of the overlooked attack surface of file parsers and some network services on Mac, how to fuzz userland binaries and introduce a new fuzzer that makes setup and crash triage straightforward while poking at some Apple core apps and clients. Have you ever thought "This thing has got to have some bugs" but think twice because it's only on available on Mac and not worth the effort? If so, you may now find yourself both more motivated and better equipped to do some bug hunting on the sleek and eventually accommodating Mac OS.
In a dynamic infrastructure world, let's stop pretending credentials aren't public knowledge in an organization and just assume that they have already been leaked, now what?
HTTP For the Good or the Bad - FSEC EditionXavier Mertens
A review of the webshells used by bad guys. How they are protected but also mistakes in their implementation. This talk was updated and presented at the FSEC conference in Croatia, September 2017.
Your SSH server configs are secure, right? If you search for hardening SSH, you can read all day about how this or that option is dangerous, or never use that flag, etc. But what really is the risk of compromise? This talk will explore various (mis)configurations and ways to use the client that perhaps have been deemed risky, but also walk through how exactly to attack them to bypass restrictions on the server or even get a shell. We'll also discuss some options that sound really bad, but more nuance is required to fully grasp what it takes to exploit the issue. You might even learn about some new features that let SSH do things you didn't think were really possible, or worse case you'll get a refresher on many attacks that have been mostly forgotten or ignored. Instead of just looking at a config or script and saying "that's bad, shouldn't do that", after this talk you should be able to demo various attacks yourself.
Nagios Conference 2013 - Sheeri Cabral - Alerting With MySQL and NagiosNagios
Sheeri Cabral's presentation on Alerting With MySQL and Nagios.
The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna
A review of the webshells used by bad guys. How they are protected but also mistakes in their implementation. This talk was presented at the OWASP Belgium Chapter Meeting in May 2017.
Thinking of fuzzing applications on OS X can quickly lead to a passing conversation of "ooh exotic Mac stuff", "lets fuzz the kernel" or it can otherwise not be thought of as an exciting target, at least for looking for crashes in stuff other than Safari or the iPhone. While there are some intricacies and nuance involved, workaround for security protections to enable debugging and finding tools that work and work well, this research will detail how it can be done in a reliable way and make the topic more tangible and easier to digest, kind of like how people think about using AFL on Linux: it "just works". We'll explore some of the overlooked attack surface of file parsers and some network services on Mac, how to fuzz userland binaries and introduce a new fuzzer that makes setup and crash triage straightforward while poking at some Apple core apps and clients. Have you ever thought "This thing has got to have some bugs" but think twice because it's only on available on Mac and not worth the effort? If so, you may now find yourself both more motivated and better equipped to do some bug hunting on the sleek and eventually accommodating Mac OS.
In a dynamic infrastructure world, let's stop pretending credentials aren't public knowledge in an organization and just assume that they have already been leaked, now what?
HTTP For the Good or the Bad - FSEC EditionXavier Mertens
A review of the webshells used by bad guys. How they are protected but also mistakes in their implementation. This talk was updated and presented at the FSEC conference in Croatia, September 2017.
Your SSH server configs are secure, right? If you search for hardening SSH, you can read all day about how this or that option is dangerous, or never use that flag, etc. But what really is the risk of compromise? This talk will explore various (mis)configurations and ways to use the client that perhaps have been deemed risky, but also walk through how exactly to attack them to bypass restrictions on the server or even get a shell. We'll also discuss some options that sound really bad, but more nuance is required to fully grasp what it takes to exploit the issue. You might even learn about some new features that let SSH do things you didn't think were really possible, or worse case you'll get a refresher on many attacks that have been mostly forgotten or ignored. Instead of just looking at a config or script and saying "that's bad, shouldn't do that", after this talk you should be able to demo various attacks yourself.
In this talk, we'll break down how one can exploit an ecosystem that enables management, querying, processing, and storage of, yes you guessed it, copious amounts of data. Hadoop and its many friends have been making their way into companies analyzing (sometimes, after massively collecting...) such data for years now, but they also make it easy to find organizations deploying things internally with security either off by default or otherwise exposed to various critical misconfigurations and access control issues.
If you're running engagements, this should also give you a headstart on what to look for, how to attack networks where these products are running along with a few good ways to make them more defendable. Because if you want to defend well, you need to optimize towards mitigating actual risk vs theoretical, and there's no better way to determine if attacks are real than trying them out yourself. Let's say you just want to better understand how to shell out on servers running Apache Cassandra, Drill, Mesos... well, it may add a few pages to your playbook.
(FYI this is the version of the slides without a conference template-- hopefully NoConName will share the templated version online as well)
Integrity protection for third-party JavaScriptFrancois Marier
Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.
This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity. Both Firefox and Chrome have initial implementations of this new specification and a few early adopters are currently evaluating this feature.
User Credential handling in Web Applications done righttladesignz
In my work I often see very bad practices how the users' passwords are treated in web applications. This is a short summary of the current state of the art, how to do it the right way.
Caution: This is a dated presentation; uploaded for reference. While the principles remain valid, specifics may have changed.
This presentation was made for software developers in Chandigarh - as a part of the NULL & OWASP Chandigarh Chapter activities.
It covers the basics of secure software development and secure coding using OWASP Top 10 as a broad guide.
"Web Application Security" by Lee Christense at Utah Code Camp in March 2014. Covers SQL injection(SQLi), cross-site scripting(XSS), cross-site request forgery(CSRF), and password hashing.
This presentation was used in OWASP Taiwan Week 2017 at Taipei & Kaohsiung. It talks about what Cross Site Request Forgery is, what are different ways to prevent it. And how it can be mitigated with OWASP CSRF Protector with just two lines of codes.
The presentation was delivered by Alexander Lyamin, CEO of HLL (Qrator network), at the RIPE 64 Meeting on 16 – 20 April 2012 in Ljubljana.
DDoS mitigation techniques: poor mans version (low rate HTTP attacks). Every solution works. Not always. Not for everyone.
Integrity protection for third-party JavaScriptFrancois Marier
Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.
This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity (http://www.w3.org/TR/SRI/). Both Firefox and Chrome have initial implementations of this new specification and a few early adopters such as Github are currently evaluating this feature.
In-depth list of attacks against various crypto implementations. Developers seem to have gotten the message not to design their own ciphers. Now, we're trying to get the message out that you shouldn't be implementing your own crypto protocols or constructions, using low-level crypto libraries. Instead, developers should work at a higher level, using libraries like GPGME, Keyczar, or cryptlib. If you do end up designing/implementing your own construction, getting it reviewed by a third party is an expensive but vital task.
Webinar slides: How to Secure MongoDB with ClusterControlSeveralnines
Watch the slides of our webinar on “How to secure MongoDB with ClusterControl” and find out about the essential steps necessary to secure MongoDB and how to verify if your MongoDB instance is safe.
The recent MongoDB ransom hack caused a lot of damage and outages, while it could have been prevented with maybe two or three simple configuration changes. MongoDB offers a lot of security features out of the box, however it disables them by default.
In this webinar, we explain which configuration changes are necessary to enable MongoDB’s security features, and how to test if your setup is secure after enablement. We also demonstrate how ClusterControl enables security on default installations. And we cover how to leverage the ClusterControl advisors and the MongoDB Audit Log to constantly scan your environment, and harden your security even more.
AGENDA
What is the MongoDB ransom hack?
What other security threats are valid for MongoDB?
How to enable authentication / authorisation
How to secure MongoDB from ransomware
How to scan your system
ClusterControl MongoDB security advisors
Live Demo
SPEAKER
Art van Scheppingen is a Senior Support Engineer at Severalnines. He’s a pragmatic MySQL and Database expert with over 15 years experience in web development. He previously worked at Spil Games as Head of Database Engineering, where he kept a broad vision upon the whole database environment: from MySQL to Couchbase, Vertica to Hadoop and from Sphinx Search to SOLR. He regularly presents his work and projects at various conferences (Percona Live, FOSDEM) and related meetups.
JavaFest. Nanne Baars. Web application security for developersFestGroup
Security is an important topic for developers however security is often an afterthought in a project. This presentation will focus on practices which developers need to be aware of, and make security fun again. This is an in depth talk about 10 topics not an overview for security best practices.
This is my presentation from Denver Startup Week 2016 on security for applications and servers. This presentation covers everything you need to know about securing a Linux server and your application.
In this talk, we'll break down how one can exploit an ecosystem that enables management, querying, processing, and storage of, yes you guessed it, copious amounts of data. Hadoop and its many friends have been making their way into companies analyzing (sometimes, after massively collecting...) such data for years now, but they also make it easy to find organizations deploying things internally with security either off by default or otherwise exposed to various critical misconfigurations and access control issues.
If you're running engagements, this should also give you a headstart on what to look for, how to attack networks where these products are running along with a few good ways to make them more defendable. Because if you want to defend well, you need to optimize towards mitigating actual risk vs theoretical, and there's no better way to determine if attacks are real than trying them out yourself. Let's say you just want to better understand how to shell out on servers running Apache Cassandra, Drill, Mesos... well, it may add a few pages to your playbook.
(FYI this is the version of the slides without a conference template-- hopefully NoConName will share the templated version online as well)
Integrity protection for third-party JavaScriptFrancois Marier
Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.
This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity. Both Firefox and Chrome have initial implementations of this new specification and a few early adopters are currently evaluating this feature.
User Credential handling in Web Applications done righttladesignz
In my work I often see very bad practices how the users' passwords are treated in web applications. This is a short summary of the current state of the art, how to do it the right way.
Caution: This is a dated presentation; uploaded for reference. While the principles remain valid, specifics may have changed.
This presentation was made for software developers in Chandigarh - as a part of the NULL & OWASP Chandigarh Chapter activities.
It covers the basics of secure software development and secure coding using OWASP Top 10 as a broad guide.
"Web Application Security" by Lee Christense at Utah Code Camp in March 2014. Covers SQL injection(SQLi), cross-site scripting(XSS), cross-site request forgery(CSRF), and password hashing.
This presentation was used in OWASP Taiwan Week 2017 at Taipei & Kaohsiung. It talks about what Cross Site Request Forgery is, what are different ways to prevent it. And how it can be mitigated with OWASP CSRF Protector with just two lines of codes.
The presentation was delivered by Alexander Lyamin, CEO of HLL (Qrator network), at the RIPE 64 Meeting on 16 – 20 April 2012 in Ljubljana.
DDoS mitigation techniques: poor mans version (low rate HTTP attacks). Every solution works. Not always. Not for everyone.
Integrity protection for third-party JavaScriptFrancois Marier
Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.
This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity (http://www.w3.org/TR/SRI/). Both Firefox and Chrome have initial implementations of this new specification and a few early adopters such as Github are currently evaluating this feature.
In-depth list of attacks against various crypto implementations. Developers seem to have gotten the message not to design their own ciphers. Now, we're trying to get the message out that you shouldn't be implementing your own crypto protocols or constructions, using low-level crypto libraries. Instead, developers should work at a higher level, using libraries like GPGME, Keyczar, or cryptlib. If you do end up designing/implementing your own construction, getting it reviewed by a third party is an expensive but vital task.
Webinar slides: How to Secure MongoDB with ClusterControlSeveralnines
Watch the slides of our webinar on “How to secure MongoDB with ClusterControl” and find out about the essential steps necessary to secure MongoDB and how to verify if your MongoDB instance is safe.
The recent MongoDB ransom hack caused a lot of damage and outages, while it could have been prevented with maybe two or three simple configuration changes. MongoDB offers a lot of security features out of the box, however it disables them by default.
In this webinar, we explain which configuration changes are necessary to enable MongoDB’s security features, and how to test if your setup is secure after enablement. We also demonstrate how ClusterControl enables security on default installations. And we cover how to leverage the ClusterControl advisors and the MongoDB Audit Log to constantly scan your environment, and harden your security even more.
AGENDA
What is the MongoDB ransom hack?
What other security threats are valid for MongoDB?
How to enable authentication / authorisation
How to secure MongoDB from ransomware
How to scan your system
ClusterControl MongoDB security advisors
Live Demo
SPEAKER
Art van Scheppingen is a Senior Support Engineer at Severalnines. He’s a pragmatic MySQL and Database expert with over 15 years experience in web development. He previously worked at Spil Games as Head of Database Engineering, where he kept a broad vision upon the whole database environment: from MySQL to Couchbase, Vertica to Hadoop and from Sphinx Search to SOLR. He regularly presents his work and projects at various conferences (Percona Live, FOSDEM) and related meetups.
JavaFest. Nanne Baars. Web application security for developersFestGroup
Security is an important topic for developers however security is often an afterthought in a project. This presentation will focus on practices which developers need to be aware of, and make security fun again. This is an in depth talk about 10 topics not an overview for security best practices.
This is my presentation from Denver Startup Week 2016 on security for applications and servers. This presentation covers everything you need to know about securing a Linux server and your application.
Training Slides: 302 - Securing Your Cluster With SSLContinuent
Watch this 41min training session on how to secure your Tungsten Cluster with SSL, looking at internal cluster communications as well as how to deploy SSL for the Tungsten Connector. It all starts off with some background information on what SSL is all about.
TOPICS COVERED
- What is SSL?
- Deploying SSL for Cluster communications
- Deploying SSL for Tungsten Connector
Describes in detail the security architecture of Apache Cassandra. We discuss encryption at rest, encryption on the wire, authentication and authorization and securing JMX and management tools
Let's face it, the web can be a dangerous place. So how do you protect your users and yourself? Tony Amoyal answers that and more as he shows how Rails can help protect against miscreants.
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012Scott Sutherland
During this presentation attendees will be introduced to lesser known, yet significant vulnerabilities in SQL Server implementations related to common trust relationships, misconfigurations, and weak default settings. The issues that will be covered are often leveraged by attackers to gain unauthorized access to high value systems, applications, and sensitive data. An overview of each issue, common vectors of attack, and manual techniques will be covered. Finally newly created Metasploit modules and TSQL scripts will be demonstrated that help automate the attacks. This presentation will be valuable to penetration testers who are looking for faster ways to gain access to critical data and systems. Additionally, it should be worth while for developers and database administrators who are interested in gaining a better understanding of how to protect their applications and databases from these attacks.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
The 7th June 2012 Linkedin was hacked. More than 6 million LinkedIn passwords was compromised. The real shocking news was not the theft but the fact that the attackers were able to decrypt many of these passwords. Why it happened? The answer is simple: a bad design of the password security. In this talk I presented how to choose "secure" user's passwords and how to safely store it from a programmer's perspective.
This talk has been presented during the MOCA 2012, http://moca.olografix.org/moca2012
Security is often an afterthought; configured and applied at the last minute before rolling out a new system. Instaclustr has deployed Cassandra for customers with many different requirements.
From deployments in Heroku requiring total public access through to private data centres, we will walk you through securing Cassandra the right way.
Security is often an afterthought; configured and applied at the last minute before rolling out a new system. Instaclustr has deployed Cassandra for customers with many different requirements.
From deployments in Heroku requiring total public access through to private data centres, we will walk you through securing Cassandra the right way.
How to implement PassKeys in your applicationMarian Marinov
PassKeys is relatively new way of authentication. This presentation aims to provide a bit of guidance on how you can implement them in your own application.
Management of system administrators and devops teams is different then managing Developers.
This presentation shows key differences and what to worry about :)
Event Management System Vb Net Project Report.pdfKamal Acharya
In present era, the scopes of information technology growing with a very fast .We do not see any are untouched from this industry. The scope of information technology has become wider includes: Business and industry. Household Business, Communication, Education, Entertainment, Science, Medicine, Engineering, Distance Learning, Weather Forecasting. Carrier Searching and so on.
My project named “Event Management System” is software that store and maintained all events coordinated in college. It also helpful to print related reports. My project will help to record the events coordinated by faculties with their Name, Event subject, date & details in an efficient & effective ways.
In my system we have to make a system by which a user can record all events coordinated by a particular faculty. In our proposed system some more featured are added which differs it from the existing system such as security.
Overview of the fundamental roles in Hydropower generation and the components involved in wider Electrical Engineering.
This paper presents the design and construction of hydroelectric dams from the hydrologist’s survey of the valley before construction, all aspects and involved disciplines, fluid dynamics, structural engineering, generation and mains frequency regulation to the very transmission of power through the network in the United Kingdom.
Author: Robbie Edward Sayers
Collaborators and co editors: Charlie Sims and Connor Healey.
(C) 2024 Robbie E. Sayers
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSEDuvanRamosGarzon1
AIRCRAFT GENERAL
The Single Aisle is the most advanced family aircraft in service today, with fly-by-wire flight controls.
The A318, A319, A320 and A321 are twin-engine subsonic medium range aircraft.
The family offers a choice of engines
Courier management system project report.pdfKamal Acharya
It is now-a-days very important for the people to send or receive articles like imported furniture, electronic items, gifts, business goods and the like. People depend vastly on different transport systems which mostly use the manual way of receiving and delivering the articles. There is no way to track the articles till they are received and there is no way to let the customer know what happened in transit, once he booked some articles. In such a situation, we need a system which completely computerizes the cargo activities including time to time tracking of the articles sent. This need is fulfilled by Courier Management System software which is online software for the cargo management people that enables them to receive the goods from a source and send them to a required destination and track their status from time to time.
Forklift Classes Overview by Intella PartsIntella Parts
Discover the different forklift classes and their specific applications. Learn how to choose the right forklift for your needs to ensure safety, efficiency, and compliance in your operations.
For more technical information, visit our website https://intellaparts.com
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Dr.Costas Sachpazis
Terzaghi's soil bearing capacity theory, developed by Karl Terzaghi, is a fundamental principle in geotechnical engineering used to determine the bearing capacity of shallow foundations. This theory provides a method to calculate the ultimate bearing capacity of soil, which is the maximum load per unit area that the soil can support without undergoing shear failure. The Calculation HTML Code included.
Student information management system project report ii.pdfKamal Acharya
Our project explains about the student management. This project mainly explains the various actions related to student details. This project shows some ease in adding, editing and deleting the student details. It also provides a less time consuming process for viewing, adding, editing and deleting the marks of the students.
Saudi Arabia stands as a titan in the global energy landscape, renowned for its abundant oil and gas resources. It's the largest exporter of petroleum and holds some of the world's most significant reserves. Let's delve into the top 10 oil and gas projects shaping Saudi Arabia's energy future in 2024.
16. Chrooting will:Chrooting will:
➢ restrict FS access to the chroot dir
➢ prevent read/write to system files
➢ require SSL certs in the chroot dir
➢ restrict, where the temporary files can be
created
➢ restrict the pid and log file locations
17. Firewalling the MySQLFirewalling the MySQL
➢ DO NOT PUT MySQL on unrestricted public
interfaces
# iptables -N mysql
# iptables -A mysql -j ACCEPT -s IP_1
# iptables -A mysql -j ACCEPT -s NET_1
# iptables -A mysql -j DROP
# iptables -A INPUT -j mysql -p tcp --dport 3306
19. Firewalling the MySQLFirewalling the MySQL
➢ or more then one user, but not everyone:
# iptables -N mysql_out
# iptables -A mysql_out -j ACCEPT -m owner --uid-owner
app_user1app_user1
# iptables -A mysql_out -j ACCEPT -m owner --uid-owner
app_user2app_user2
# iptables -A mysql_out -j DROP
# iptables -I OUTPUT -j mysql_out -p tcp --dport 3306
22. The effects of:The effects of:
# chmod 600 /var/lib/mysql/mysql.sock# chmod 600 /var/lib/mysql/mysql.sock
- Only root & mysql have access to it- Only root & mysql have access to it
- restrict all users- restrict all users
- use sudo for devs- use sudo for devs
dev_user1 ALL=(mysql) PASSWD:/usr/bin/mysqldev_user1 ALL=(mysql) PASSWD:/usr/bin/mysql
23. The socket protection:The socket protection:
Your app needs access to the socket, so:Your app needs access to the socket, so:
# groupadd# groupadd web_appweb_app
# usermod -a -G# usermod -a -G web_appweb_app mysqlmysql
# usermod -a -G# usermod -a -G web_appweb_app app_userapp_user
# chmod 660 /var/lib/mysql/mysql.sock# chmod 660 /var/lib/mysql/mysql.sock
# chgrp# chgrp web_appweb_app /var/lib/mysql/mysql.sock/var/lib/mysql/mysql.sock
24. MySQL authenticationMySQL authentication
➢ never leave a user without a password
➢ try not use the % in the host part of an account
➢ hostnames instead of IPs for user
authentication and set skip_name_resolve
➢ do not set old_passwords=0
➢ (pre mysql 4.1, hashing func. was producing
16bytes hash string)
27. The mysqlunsha1 attack
y = SHA1(password)
On every connection the server sends
a salt(s) and the client computes a
session token(x)
x = y XOR SHA1(s + SHA1(y) )
the server will verify it with:
SHA1(x XOR SHA1(s + SHA1(y) )) =
SHA1(y)
MySQL authenticationMySQL authentication
38. Other limitationsOther limitations
➢ Galera gcache is not encrypted
➢ .frm files are not encrypted
➢ mysqlbinlogs can no longer read the files
➢ Percona XtraBackup can't backup encrypted
data
➢ Audit plugin can't create encrypted output
➢ general and slow logs, can't be encrypted
➢ error.log is not encrypted