NFC, or Near Field Communication, allows cell phones to perform specified actions whenever they detect NFC tags or signals from other NFC-enabled devices. Most of the recent phones, including the Samsung Galaxy S3, Nokia Lumia 610 and BlackBerry Bold, have NFC enabled. NFC also helps enterprises and payment gateways simplify user actions such as connecting to Wi-Fi, setting a bookmark or making payments.
Gone are the days of sending Android malware links through URLs or attachments. In this talk, we will show how an attacker could steal private and sensitive information from one’s phone, and even perform malicious actions on the user’s phone, using NFC as an attack vector. NFC attack vectors come in two forms: active (setting up the attacker’s phone as a proxy between the victim’s smartphone and the payment terminal) and passive (using NFC tags). For our demonstrations, we will create malicious NFC tags which, when detected by any NFC-enabled smartphone, steal sensitive information from the phone without the user’s knowledge and trick the user into installing malicious applications on the phone. Thereafter, we will also talk about how an attacker could get in close proximity to another NFC-enabled phone, get a remote shell on the victim’s phone and compromise the phone’s security. We will also discuss how viral an NFC attack could become in the future if proper security measures are not enforced.
With Facebook dynamic product ads, your products are displayed dynamically in a single carousel, which lets you use one piece of creative content without having to configure each ad. Another benefit of Facebook dynamic product ads is that it works equally well on desktop and mobile devices. This lets you reach your customers in any situation, whatever their initial point of contact with your online store. Effinity has developed a methodology based on its product catalogue management solution, Effinity Product Ads, to be present on Facebook dynamic product ads within 48 hours. Here we reveal the 8 key steps!
Facebook Dynamic Product Ads - Your products on Facebook in 48 hours flat with E... - Effinity
A formidable new lever for online merchants, Facebook dynamic product ads lets you promote your product catalogues on Facebook in a relevant way. The tool brings real added value both for re-establishing contact with your customers and for reaching new people with a similar profile. All of this yields good conversion rates, as the first campaigns we ran for our clients have shown us. Find out how to place your products on Facebook in 48 hours flat with Effinity!
The Internet of Things will be multiple or will not be at all. - Pierre Metivier
An overview of the Internet of Things, presented at Numa Paris on 9 April 2014 for World Internet of Things Day. #iotday #iotparis
Innovation 2.0
Introduction and moderation of the round tables by Matin Duval, CEO of bluenove, which specialises in change management through open innovation, France
10:00 ROUND TABLE: INTERNET 3.0 SERVICES
WEB 3.0: THE INTERNET OF THINGS THAT WILL CONNECT INFORMATION FLOWS TO OUR REAL IDENTITIES TO FACILITATE OUR EXCHANGES.
Software platforms, databases and the services of companies and public administrations (e-Government) are opening up more and more by offering external developers 'connectors' (APIs: Application Programming Interfaces) in order to benefit from their creativity and capacity for innovation to extend and enrich these services.
Our real and virtual identities (professional, banking, medical, social networks, leisure, etc.) are thus increasingly connected to new services that are themselves interconnected.
Thanks to 'contactless' technologies (RFID, tags, Bluetooth, etc.) we can connect to a growing number of objects and interfaces in our everyday real life.
What are the challenges and opportunities in making it easier for us to control and use these ever more open and connected services?
- Gilbert Réveillon, President of the GT "TIC et Economie Numérique" of the CNCCEF, www.cnccef.org
- Philippe Le Fessant, Managing Director, Innov Asia Research, France
- François Denieul, Director of the Laboratoire Espaces Intelligents, France
- Dominique Sciamma, Director of "Systèmes et Objets Interactifs", Strate Collège Designers, France
- François Lecomte, General Delegate, Forum des Services Mobiles Sans Contact, France
- Philippe Latour, Geomarketing Expert, Spatialist, France
- Gilles Poulardin, CEO of sensities, France
To access the PARIS 2.0 site for September 2009: http://www.amiando.com/strategies20aparis.htm
Postmarketing - new principles for the postmarketing age - tbarr
We are entering an age where abundance, excess, and accumulation are giving way to thrift, conservation and transparency. Postmarketing seeks to help marketers navigate this fundamental change with a new way to think about marketing strategy. By Todd Barr - marketingfree.typepad.com Feb 2009.
How does having 30 million songs in our pocket affect how we listen to music? In this data-driven and demo-laden talk we’ll explore the behavior of today’s music listener. We’ll look at how today’s easy and ubiquitous access to nearly all of recorded music is changing how a listener organizes, discovers and experiences music. By exploring big music data being collected by organizations such as Spotify and The Echo Nest we can get a deeper and more nuanced view of how today’s listener really interacts with their music.
This is a presentation about the ball bearing manufacturing process. There are mainly 6 parts of knowledge included in this presentation. Please visit
Toward Society 3.0: A New Paradigm for 21st century education - John Moravec
The convergence of globalization, the emergence of the knowledge society and accelerating change contribute to what might be best termed a New Paradigm of knowledge production in education. The New Paradigm reflects the emerging shifts in thought, beliefs, priorities and practice in regard to education in society. While the three component trends in the new paradigm are not unknown to educational leaders, discussion of the trends as elements of a larger system is largely absent. These new patterns of thought and belief are forming to harness and manage the chaos, indeterminacy, and complex relationships of the postmodern. This lecture provides a macro-level perspective of these three phenomena as they impact education at all levels. Such perspectives provide insight to leaders throughout the world on how educational institutions relate to the New Paradigm of knowledge production. The lecture then explores "what's next" as we build from the New Paradigm to co-construct Education 3.0 to complement Society 3.0.
On the occasion of Baselworld, Digital Luxury Group releases the latest WorldWatchReport™. This edition provides a global perspective on the market, information on pricing and materials as well as a feature on Smartwatches.
Introduction to Mahout and Machine Learning - Varad Meru
This presentation gives an introduction to Apache Mahout and Machine Learning. It presents some of the important Machine Learning algorithms implemented in Mahout. Machine Learning is a vast subject; this presentation is only an introductory guide to Mahout and does not go into lower-level implementation details.
The Google Nexus S offers support for Near Field Communication (NFC), an extension to an RFID smart card protocol popularly used for secure access, metro passes (Oyster/Clipper), and electronic money (FeliCa/Octopus). NFC in smartphones promises to add these features to the phone you carry by allowing it to emulate both RFID tag and reader.
NFC additionally adds new capabilities like exchanging configuration data such as WiFi settings, trading vCard contact information, reading URLs, triggering SMS text messages or initiating calls, and secure bi-directional communication between NFC devices.
This session will cover what NFC and RFID are and are not, what Android on the Nexus S is currently capable of, and some examples of how to add NFC to your apps.
http://where2conf.com/where2011/public/schedule/detail/18443
Basho and Riak at GOTO Stockholm: "Don't Use My Database." - Basho Technologies
What are common use cases for NoSQL? When should I avoid NoSQL? When is RDBMS just fine?
This presentation, delivered at the GOTO NoSQL Roadshow events in London and Stockholm in November of 2011 by Basho co-founder and COO, Antony Falco, takes a no-BS look at the tradeoffs one must make to gain the advantages offered by distributed databases like Riak.
A 2018 practical guide to hacking RFID/NFC - Slawomir Jasek
Ever wanted to hack these proximity/contactless cards you use every day, but did not know where to start? This is the talk to attend! I will walk you through the fascinating world of RFID/NFC failures, snake oils and installation gaps - that despite facing well deserved hacks a long time ago, still remain unpatched in so many buildings. Besides legacy (but still widespread), more modern (but also broken), and supposedly non-breakable (yet to be tested) systems, I will also share the risks and possible attacks on the new emerging technology - replacing plastic cards with your NFC smartphone in access control systems. How to recognize the card type? What kinds of cards can be cloned? Can you clone a card having just a picture of it? How to build your own card cracking and cloning equipment for less than $10, and when it is worth investing in more powerful hardware? How to use a smartphone to crack keys, or emulate a plastic access control card? How to intercept data transmitted from wall reader to backend door controller? How to reverse a hotel system and understand the data encoded on cards? Expect highly practical information regarding these and many other topics. Multiple live demos and NFC hacking hardware sets to give away included. After the talk you are also welcome to practice the new skills yourself on our test access control installations onsite.
CONFidence 2018: A 2018 practical guide to hacking RFID/NFC (Sławomir Jasek) - PROIDEA
A 2018 practical guide to hacking RFID/NFC - SecuRing
SFBay OpenStack Meetup // Neutron and SDN in Production – Dec 3 2013 - Randy Bias
Cloud architects deploying OpenStack have multiple options for virtualizing the network layer. At this meetup, folks who’ve built big clouds and designed the networking fabrics for them will talk about those choices, including those that are native to OpenStack as well as other open source options. They’ll also dig into what’s new in Havana and what’s on tap for Icehouse next spring from a networking standpoint.
Bring your questions about network virtualization and SDN in OpenStack, and we’ll talk about Neutron and more.
Moderator Randy Bias of Cloudscaling will be joined by Rudra Rugge of Juniper Networks, Aaron Rosen of VMware / Nicira, Edgar Magana of PLUMgrid, and Ryu Ishimoto of Midokura.
Replay of the live broadcast can be found (soon) at http://youtube.com/siliconangle
Similar to Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder (20)
Summarising Snowden and Snowden as internal threat - ClubHack
A quick look back at Snowden's revelation and also a look at Snowden as an insider threat
*This presentation ends abruptly because during the talk it ends as food for thought and a kickstart for the next session*
Fatcat Automatic Web SQL Injector by Sandeep Kamble - ClubHack
What is the FatCat SQL injector? It is an automatic SQL injection tool called FatCat.
FatCat purpose: testing your web application and exploiting your application more deeply.
FatCat support:
1) MySQL 5.0
FatCat features:
Union Based SQL Injection
Error Based SQL Injection
MOD Security Bypass (WAF)
The Difference Between the Reality and Feeling of Security by Thomas Kurian - ClubHack
The paper shall focus on the following:
1) Introduction to the problem: Focus on “security awareness”, not “behavior”
2) Real life case study of why a US$100,000 “security awareness” project failed
a. Identifying the human component in information security risks
b. Addressing the human component using “awareness” and “behavior” strategies
4) Sample real-life case studies where quantifiable change has been observed
Original research and Publications
The talk is modeled on the methodology HIMIS (Human Impact Management for Information Security) authored by Anup Narayanan and published under “Creative Commons,
A smart grid adds communication capabilities and intelligence to a traditional grid. Smart grids are enabled by intelligent sensors and actuators, extended data management systems, expanded two-way communication between utility operation system facilities and customers, network security, national integration, and self-healing and adaptive behaviour. They improve distribution and transmission system operation, allow customers the freedom to purchase power based on dynamic pricing, improve the quality of power with less wastage, and integrate a large variety of generation options.
We have seen that the more complex and critical infrastructure is, the more vulnerable it is. Since 1994 we have seen many incidents in which smart grids were hacked; the latest and most prominent incident was the Stuxnet worm, which targeted nuclear power systems in Iran and worldwide. We will look at the different types of attacks and the security needed for smart grids.
Legal Nuances to the Cloud by Ritambhara Agrawal - ClubHack
This presentation highlights the key legal risks and their implications in cloud computing. Cloud is inherently multi-jurisdictional, encompassing remote hosting and processing of the data. This gives rise to multiple legal issues including security and privacy of the data, IP rights, data portability, contractual limitations, risk mitigation and jurisdictional disputes.
As the cloud involves remote hosting and data accessibility by multiple parties, security and privacy remain the biggest concerns for companies. Businesses should look at issues ranging from the physical location of the data centers and protection of the data against any adversity and intrusion to access rights management.
The cloud servers are often located in different countries, which results in trans-border data flow. Each country has its own set of legal rules and regulations regarding data protection and privacy policies, and these can bring in complications in the form of conflicting laws and jurisdictional disputes. Issues pertaining to IP rights, trade secrets and ownership of the data placed in the cloud require utmost attention. Termination and exit clauses are critical to contracts in the cloud. Interoperability of the data in the event of termination of a vendor's services is an important aspect to be considered in the contracts.
Infrastructure Security by Sivamurthy Hiremath - ClubHack
With the development of technology, the interdependence of various infrastructures has increased, which has also increased their vulnerabilities. The security of the National Information Infrastructure concerns the nation’s stability and economic security. So far, research in Internet security has primarily focused on securing the information rather than securing the infrastructure itself.
Given the pervasive and ubiquitous nature of the Internet, coupled with growing concerns about cyber attacks, we need immediate solutions for securing the Internet infrastructure. Given the prevailing threat situation, there is a compelling need to develop hardware redesign architectures, algorithms and protocols to realize a dependable Internet infrastructure. In order to achieve this goal, the first and foremost step is to develop a comprehensive understanding of the security threats and existing solutions. This talk attempts to fulfil this important step by classifying security attacks into four main categories: DNS hacking, routing table poisoning, packet mistreatment, and Denial-of-Service attacks. We discuss the existing infrastructure solutions for each of these categories in general terms, and also outline a methodology for developing a secured nation.
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan - ClubHack
Today there is a flood of tools to help with the automation of active scanning and exploitation of web applications. Once you move beyond these two functions the flood reduces to a trickle. Vulnerability hunting is a fine art that requires a knack for seeing hidden patterns and connections. Tests like hidden parameter guessing are seldom performed by even skilled testers because of the time and effort involved in preparing for and performing them. When was the last time you identified a piece of sensitive data hidden in plain sight because it was hex encoded into a very inconsequential looking string?
Do you enumerate all possible avenues for stored XSS in an application? A lot of times checks are missed because there is no good tooling available to perform them effectively and efficiently. HAWAS is the tool you have been missing for a long time now. It is an open source tool that is designed for hybrid analysis. It performs automated passive analysis of a web application with no input from the user for some cases and with specific application specific input for some other cases. Based on the initial set of findings the user can perform further checks from within HAWAS. HAWAS will help you hugely increase your test coverage with very little additional effort.
Hacking and Securing iOS Applications by Satish Bomisstty - ClubHack
iOS applications share a common set of classes and depend heavily on the operating system's solutions for data communication, storage and encryption. Depending solely on Apple's implementation makes them less complex, but it affects the security of the applications. Though iOS comes with a great set of security features like code signing, ASLR, DEP, sandboxing and Data Protection, all of them are subject to attack. Relying only on iOS security could lead to the loss of sensitive data stored within the application when iOS is compromised. Application security can be improved by understanding the weaknesses in the current implementation and incorporating your own code that works better.
The presentation illustrates several types of iOS application attacks like run time manipulation, custom code injection, SSL session hijacking and forensic data leakage. It gives an insight into the iOS Keychain & data protection API and explains the techniques to circumvent it. The presentation will provide guidelines and suggest best practices for secure iOS application development.
Critical Infrastructure Security by Subodh Belgi - ClubHack
Industrial Automation & Control Systems are an integral part of various manufacturing & process industries as well as national critical infrastructure. Concerns regarding cyber-security of control systems are related to both the legacy nature of some of the systems as well as the growing trend to connect industrial control systems to corporate networks. These concerns have led to a number of identified vulnerabilities and have introduced new categories of threats that have not been seen before in the industrial control systems domain. Many of the legacy systems may not have appropriate security capabilities that can defend against modern day threats, and the requirements for availability and performance can preclude using contemporary cyber-security solutions. To address cyber-security issues for industrial control systems, a clear understanding of the security challenges and specific defensive countermeasures is required. The session will highlight some of the latest cyber security risks faced by industrial automation and control systems along with essential security controls & countermeasures.
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta - ClubHack
With the increase in security awareness it’s very difficult to compromise the network/workstation, as most network administrators put a very restrictive firewall policy in place for incoming network traffic (i.e. allow only traffic for http/https services) and antivirus software can easily detect any virus/worm-infected file. This talk is about content-type attacks that cannot be blocked at the network perimeter/firewall and are undetectable by antivirus. The discussion also includes a demonstration of the attack vector used to compromise the system. Finally, it includes analysis of the malicious file used to compromise the system.
Abstract of the paper: Cross-site scripting (XSS) attacks are considered one of the most dangerous attacks. When an application accepts unvalidated user input and sends it back to the browser without validation, it provides attackers with an opportunity to execute malicious scripts in victim users’ browsers. By using this attack vector, malicious users can hijack user accounts, deface websites, carry out phishing attacks, etc. XSS shell is a cross-domain tool for carrying out XSS attacks in a more controlled manner. It is used to set up a channel between the attacker and the victim’s browser and to control the victim’s browser.
It gives me immense pleasure to tell you that from 06-02-10 to 06-02-12 our magazine has completed two successful and rejoicing years. We at ClubHack are super excited! I hope you people are enjoying the magazine and will continue to do so in the coming future too. We enjoy making this for you all. It is said that “A lot can happen over a cup of coffee”. We experienced this amazing moment over a cup of coffee when we had the idea of starting a hacking magazine, and now it has come all this way… :). 2 years looks small when we look back. For this incredible success we at ClubHack would like to thank all our readers, volunteers and authors for giving us such unbelievable support. As we want to keep up the growth and progress, we request you all to keep throwing in articles, suggestions, support and your love!
Coming to this issue, we have Network Security in Tool Gyan, which will shed light on how to set up a secured network; Who wants to be a Millionaire in Tool Gyan, check out for yourself what exactly it's all about ;) and TOR in Mom's guide for all those who thought 'It sounds very complicated to use, I’m not a hacker! I can’t use it!' by our author Federico from Italy.
From this month’s issue we plan to start a new section on secure coding. This section will essentially focus on good coding practices and snippets to mitigate various vulnerabilities. To begin with we have an article on PHP based RFI/LFI vulnerability. I hope you will like reading it. We also have some cool articles on XSS attacks, ROT decoding and Matriux section.
Do send us your feedback at abhijeet@chmag.in; this will help us improve further.
We are now in the middle of 2012. As predicted by many techno geeks, this year is phenomenal for IT-related technologies including security, networking and web technologies. In April a cloud war started between two big rivals, Microsoft & Google. Both are making sure that it's going to be secure and useful for smartphone users as well. With the introduction of such new technologies we must ensure security over the web. Here HTTPS comes into the picture, and we have brought this topic to CHMag's Mom's guide. Along with it, topics like Steganography (Tech Gyan), a new toolkit - Kautilya (Tool Gyan), and preventing SQL injections (Code Gyan) are covered.
If you have a good write-up or a topic that you think people should know about, then please share it with CHMag. Also, if you have suggestions, feedback & articles, send them to info@chmag.in. Keep reading!!
There was a time when mobile phones were the size of a shoe and had no features other than calling and SMS, and at that time I used to play the game Snake on my dad's phone :p Now, as time has passed, we have reached the age of smartphones, which are capable of doing a lot of stuff, and a world wide web of applications, causing serious concern where an attacker can use this platform to steal data. This issue of CHMag is dedicated to Mobile/Telecom Hacking and Security.
The coverpage of this December issue was released at ClubHack 2011, India’s Pioneer International Hacking Conference, held last week. Talking about the ClubHack Conference, if you missed ClubHack, the presentations are available at http://www.slideshare.net/clubhack and the videos at http://www.clubhack.tv/event/2011/
We recently released CHMag's Collector's Edition Volume II. If you wish to buy the Collector's Editions (vol1 – from issue 1 to 10 & vol2 – from issue 11 to 20), please write back to us: info@chmag.in. As of now it's on-demand printing.
Like the game Snake, I have played lots of other games too, which have been reflected in the previous coverpages I have designed, and yes, I promise another awesome coverpage based on a game on the theme of Android security, which would be the theme for an upcoming issue, for which send in your articles to info@chmag.in.
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder
1. STAND CLOSE TO ME AND YOU ARE PWNED!
SUBHO HALDER | ADITYA GUPTA
@sunnyrockzzs @adi1391
Sunday, 2 December 12
2. WHO ARE WE !
INFORMATION SECURITY RESEARCHER
MOBILE EXPLOITER
CREATOR OF AFE (ANDROID FRAMEWORK FOR EXPLOITATION)
PYTHON LOVERS
CO-FOUNDER OF XYSEC.
FOUND BUG IN SOME FAMOUS WEBSITES INCLUDING GOOGLE, APPLE, MICROSOFT, SKYPE, ADOBE AND MANY MORE
5. INTRODUCTION TO NFC
SET OF COMMUNICATION PROTOCOLS
BASED ON RFID STANDARDS INCLUDING ISO 14443
13.56 MHZ OPERATING FREQUENCY +/- 7KHZ
OPERATING RANGE LESS THAN 4 CM
6. COMMUNICATION MODES
PASSIVE ( RFID CARDS )
INITIATOR PROVIDES POWER
TARGET REFLECTS BACK THE SIGNAL
ACTIVE ( P2P )
BOTH INITIATOR AND TARGET SIMULATES
8. NFC PROTOCOL LAYER
PROTOCOL LAYER CONSISTS OF A PHYSICAL LAYER AND RF LAYER
THESE LAYERS ARE FOCUSSED ON PHYSICAL ASPECT OF STARTING COMMUNICATION
9. NFC PROTOCOL LAYER
TYPE 1 (TOPAZ): Type 1 tags use a format sometimes called the Topaz protocol. It uses a simple memory model which is either static for tags with memory size less than 120 bytes or dynamic for tags with larger memory. Bytes are read/written to the tag using commands such as RALL, READ, WRITE-E, WRITE-NE, RSEG, READ8, WRITE-E8, WRITE-NE8.
MIFARE CLASSIC: MIFARE Classic tags are storage devices with simple security mechanisms for access control. They use an NXP proprietary security protocol for authentication and ciphering. This encryption was reverse engineered and broken in 2007.
MIFARE-ULTRALIGHT: These tags are similar to Topaz tags. They have a static memory layout when they have less than 64 bytes available and a dynamic layout otherwise. The first 16 bytes of memory contain metadata like a serial number, access rights, and capability container. The rest is for the actual data. Data is accessed using READ and WRITE commands.
LLCP (P2P): The previous protocol layers have all had initiators and targets, and the protocols are designed around the initiator being able to read/write to the target. Logical Link Control Protocol (LLCP) is different because it establishes communication between two peer devices.
10. NFC APPLICATION LAYER
NDEF OR NFC DATA EXCHANGE FORMAT
SIMPLE BINARY MESSAGE FORMAT !
SAMPLE NDEF FORMAT FOR TEXT
11. 03 17 d1 01 13 54 02 65 6e 68 65 6c 6c 6f 20 63 6c 75 62 68 61 63 6B 20 21 fe
NDEF Message Start
Payload Length
MB, ME, SR, TNF= ”NFC Forum well-known type”
Type Length
Type “T”
Status Byte - Length of IANA lang code
Lang Code = “en”
“hello clubhack !” - text
NDEF Terminator
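The sample message on this slide, decoded by a small strict parser: this is an added Python example, not code from the talk or from Android. It assumes the leading 03 17 and trailing fe are the tag's NDEF TLV wrapper and terminator, handles only a single short text record, and rejects length fields that disagree with the bytes present; all function names are hypothetical.

```python
# Bytes copied from the slide's hex dump: NDEF TLV, one short text record, terminator.
SAMPLE = bytes.fromhex("03 17 d1 01 13 54 02 65 6e 68 65 6c 6c 6f"
                       "20 63 6c 75 62 68 61 63 6b 20 21 fe")


class NdefError(ValueError):
    """A length field or flag does not match the bytes actually present."""


def extract_ndef_tlv(tag_data: bytes) -> bytes:
    """Return the value of the NDEF Message TLV (tag 0x03, one-byte length)."""
    if len(tag_data) < 2 or tag_data[0] != 0x03:
        raise NdefError("no NDEF Message TLV at offset 0")
    end = 2 + tag_data[1]
    if tag_data[1] == 0xFF or end >= len(tag_data) or tag_data[end] != 0xFE:
        raise NdefError("unsupported length, overrun, or missing terminator")
    return tag_data[2:end]


def parse_short_record(msg: bytes) -> dict:
    """Parse a single short record (SR=1, no ID, not chunked), checking lengths."""
    if len(msg) < 3:
        raise NdefError("record header truncated")
    flags, type_len, payload_len = msg[0], msg[1], msg[2]
    if flags & 0xF8 != 0xD0:  # require MB=1, ME=1, CF=0, SR=1, IL=0
        raise NdefError("only a lone short record without ID is handled")
    if 3 + type_len + payload_len != len(msg):
        raise NdefError("type/payload lengths disagree with message size")
    return {"tnf": flags & 0x07, "type": msg[3:3 + type_len],
            "payload": msg[3 + type_len:]}


def decode_text(record: dict) -> tuple:
    """Decode an NFC Forum well-known 'T' record into (language, text)."""
    payload = record["payload"]
    if record["tnf"] != 0x01 or record["type"] != b"T" or not payload:
        raise NdefError("not a well-known text record")
    if payload[0] & 0x80:                 # status bit 7 set means UTF-16 text
        raise NdefError("UTF-16 text is not handled in this example")
    lang_len = payload[0] & 0x3F          # status low 6 bits = language code length
    if 1 + lang_len > len(payload):
        raise NdefError("language code length exceeds payload")
    lang = payload[1:1 + lang_len].decode("ascii")
    return lang, payload[1 + lang_len:].decode("utf-8")


def parse_text_tag(tag_data: bytes) -> tuple:
    """Full chain: TLV wrapper -> record header -> text payload."""
    return decode_text(parse_short_record(extract_ndef_tlv(tag_data)))
```

Calling `parse_text_tag(SAMPLE)` returns the language code and text from the slide; changing any length byte makes the parser raise `NdefError` instead of reading past the data.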
12. ANDROID NFC STACK
[Diagram: Kernel; NFC Services (com.android.nfc); libnfc.so, libnfc_jni.so, libpn544_fw.so, libnfc_ndef.so; Tags, MiFare, Topaz, etc.]
21. LEVERAGING NFC FOR ANDROID BASED VULNERABILITY
22. COM.ANDROID.NFC
FOR WELL KNOWN TYPE TAGS, APPLICATIONS ARE CALLED AUTOMATICALLY
WWW BASED DATA, FIRES THE BROWSER
MAILTO: PROTOCOL FIRES UP MAIL CLIENT
UNEXPECTED VALUES IN NDEF, CRASHES NFCSERVICE.JAVA
23. NFC AWARE MALWARES
LEVERAGING THE NFC PROTOCOL, NEW BREED OF ANDROID MALWARE ARISES
PROXYING ANY REQUEST THROUGH THE MALWARE WITHOUT INTERACTION !
24. NFC TAG
Any URL
no interaction needed
Instead of opening the Browser, opens up an application !
25. LEVERAGING USSD BASED ATTACK USING NFC
26. NFC TAG
Malicious URL
no interaction needed
Opens the malicious link at http://xysec.com/ussd.html
Fires up the browser and dials the number in the user’s phone, without any interaction!