Stephen Ridley - Greyhat Ruby
•
1 like•2,828 views
This document discusses automated HTTP verb tampering. It provides links to GitHub repositories containing code for modifying HTTP requests in Ruby, including changing the verb type and adding custom payloads. Specifically, it links to code that allows modifying the user32 library in Ruby, generating TLV packets to embed data, and a presentation on Ruby meta-fuzzing techniques and another GitHub project for HTTP request manipulation in Ruby.
Report
Share
Report
Share
Download to read offline
Recommended
Mp26 : Tachyon, sloppiness is bliss
This document describes Tachyon, an offensive tool for penetration testers to discover hidden files and folders on web servers through intelligent scanning. It utilizes a plugin architecture and multi-threading to quickly scan sites. The document outlines Tachyon's features like Tor support, path and file databases, plugin system, and false positive detection methods. It notes limitations and plans for future improvements like faster speeds, cleaner output, and a plugin documentation system.
PSR-3 logs using Monolog and Graylog
Advantages of using PSR-3 logger. How to use Monolog in Symfony projects sending logs to Graylog.
Presented by Mateusz Wadoń
Intro to grunt
This document provides an introduction and demos for using Grunt, a JavaScript task runner. It discusses installing Grunt and the core files needed, gruntfile.js and package.json. It then demonstrates several common Grunt tasks like uglifying JS, compiling CoffeeScript, Sass, and watching files. The document also covers configuring Grunt tasks, targets, options, files, custom filters, and templates to automate common development workflows.
Vimm
This document discusses Uji IMproved, a Vim plugin created by Tatsuhiro Ujihisa. It allows users to modify Vim keybindings to use more convenient shortcuts. It also includes plugins for quick running code, interacting with Git, and autocompletion. The creator thanks other developers for additional plugins included.
Kettunen, miaubiz fuzzing at scale and in style
This document summarizes information about fuzzing and discusses bugs found through fuzzing browsers like Chromium and Firefox in 2012. It describes AddressSanitizer output that reveals crashes, mentions 50 duplicate bugs found by two fuzzing groups, and outlines tips for smarter fuzzing like generating inputs based on specifications and minimizing reproducible test cases.
Creating qmgr and allowing remote authorization
IBM MQ V8, Enable Remote Access on Queue Manager, Allowing Remote connections, Connecting Remote Queue manager in Windows using MQ Explorer step by step process, Implementing enable Remote connections on Queue manager using commands, IBM MQ commands for creating Queue manager and creating objects in Linux
MongoDB World 2019 Builder's Fest - Open source command line power tools for ...
Notes from a short session at MongoDB World 2019 Builder's Fest.
Learn how to install and use some command-line tools for DBAs including creating local test deployments, proof of concept load testing, and extracting insights from MongoDB log files.
Http2 on go1.6rc2
This document discusses HTTP/2 support in Go 1.6. It notes that the net/http package now supports HTTP/2 out of the box. It provides code samples showing how a server can be configured with and without HTTP/2 support. It also describes how HTTP/2 functionality like HPACK header compression, server push, flow control, and priority are implemented in Go net/http. Finally, it summarizes the current level of HTTP/2 specification compliance and areas still in development.
Recommended
Mp26 : Tachyon, sloppiness is bliss
This document describes Tachyon, an offensive tool for penetration testers to discover hidden files and folders on web servers through intelligent scanning. It utilizes a plugin architecture and multi-threading to quickly scan sites. The document outlines Tachyon's features like Tor support, path and file databases, plugin system, and false positive detection methods. It notes limitations and plans for future improvements like faster speeds, cleaner output, and a plugin documentation system.
PSR-3 logs using Monolog and Graylog
Advantages of using PSR-3 logger. How to use Monolog in Symfony projects sending logs to Graylog.
Presented by Mateusz Wadoń
Intro to grunt
This document provides an introduction and demos for using Grunt, a JavaScript task runner. It discusses installing Grunt and the core files needed, gruntfile.js and package.json. It then demonstrates several common Grunt tasks like uglifying JS, compiling CoffeeScript, Sass, and watching files. The document also covers configuring Grunt tasks, targets, options, files, custom filters, and templates to automate common development workflows.
Vimm
This document discusses Uji IMproved, a Vim plugin created by Tatsuhiro Ujihisa. It allows users to modify Vim keybindings to use more convenient shortcuts. It also includes plugins for quick running code, interacting with Git, and autocompletion. The creator thanks other developers for additional plugins included.
Kettunen, miaubiz fuzzing at scale and in style
This document summarizes information about fuzzing and discusses bugs found through fuzzing browsers like Chromium and Firefox in 2012. It describes AddressSanitizer output that reveals crashes, mentions 50 duplicate bugs found by two fuzzing groups, and outlines tips for smarter fuzzing like generating inputs based on specifications and minimizing reproducible test cases.
Creating qmgr and allowing remote authorization
IBM MQ V8, Enable Remote Access on Queue Manager, Allowing Remote connections, Connecting Remote Queue manager in Windows using MQ Explorer step by step process, Implementing enable Remote connections on Queue manager using commands, IBM MQ commands for creating Queue manager and creating objects in Linux
MongoDB World 2019 Builder's Fest - Open source command line power tools for ...
Notes from a short session at MongoDB World 2019 Builder's Fest.
Learn how to install and use some command-line tools for DBAs including creating local test deployments, proof of concept load testing, and extracting insights from MongoDB log files.
Http2 on go1.6rc2
This document discusses HTTP/2 support in Go 1.6. It notes that the net/http package now supports HTTP/2 out of the box. It provides code samples showing how a server can be configured with and without HTTP/2 support. It also describes how HTTP/2 functionality like HPACK header compression, server push, flow control, and priority are implemented in Go net/http. Finally, it summarizes the current level of HTTP/2 specification compliance and areas still in development.
From DNA Sequence Variation to .NET Bits and Bobs
Mathieu Letourneau, Andrei Saygo, Eoin Ward, Microsoft
This talk will present our research project on .Net file clustering based on their respective basic blocks and the parallel that can be made with DNA sequence variation analysis. We implemented a system that extracts the basic blocks on each file and creates clusters based on them. We also developed an IDA plugin to make use of that data and speed up our analysis of .Net files.
Andrei Saygo, Eoin Ward and Mathieu Letourneau all work as Anti-Malware Security Engineers in the AM Scan team of Microsoft’s Product Release & Security Services group in Dublin, Ireland.
Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...
This document summarizes a presentation about building bridges between hackers and business to improve security. It outlines the differing perspectives of security professionals ("the view from the trenches") and business leaders ("the view from the business") on issues like cost, scope, patching, and disclosure. Both sides are presented as having valid concerns. The presentation argues both groups must find common ground and businesses must support their security teams to effectively address challenges like compliance vs security.
Advanced Data Exfiltration The Way Q Would Have Done It
The document appears to be a presentation by Iftach Ian Amit from November 2011 about advanced data exfiltration techniques. It includes sections on using emails, web links and phishing to extract data, as well as utilizing social engineering techniques to manipulate targets. Automating parts of the process with tools like SET is also mentioned. The presentation suggests using both aggressive and ingratiating social behaviors when interacting with targets. It diagrams extracting data by routing it through third parties and the internet.
Advanced (persistent) binary planting
This document discusses binary planting techniques such as DLL hijacking. It provides examples of binary planting issues found in Real Player and Opera on Windows XP, where they load unexpected DLLs and EXEs during execution. It warns that downloading files can leave computers vulnerable if installers load DLLs from the Downloads folder, allowing for "persistent mines" to be planted months later when applications are launched. It provides guidelines for researchers and developers to prevent binary planting issues in their own software.
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
This document discusses legal and technical strategies for addressing data security risks when controls shift to the cloud. It outlines various legislative and regulatory targets relating to data breaches, both malicious and benign. It provides guidance on security, data transfer, disposition of data upon termination, and access to data when using cloud services.
Dan Guido SOURCE Boston 2011
SOURCE Boston 2011
Exploit Intelligence Report
Dan's data and analysis of attacker capabilities and methods.
Wendy Nather - Building a Rube Goldberg Application Security Program
The document summarizes how application security programs often work in reality compared to the ideal. It notes that training is often not fully effective due to costs and scheduling issues. Threat modeling and security requirements are rarely fully implemented due to lack of prioritization and changing project scopes. Security testing tools have limitations and face resistance from developers and testers concerned with deadlines. Legacy application remediation is difficult due to lack of ongoing budgets and prioritization of security compared to new features. Effectively running an application security program requires balancing technical and social aspects to overcome cultural and process barriers.
Don Bailey - A Million Little Tracking Devices
This document discusses how embedded devices with cellular connectivity and GPS capabilities could potentially be exploited and used to track individuals without their consent. It describes how an attacker could send commands via SMS to intercept location data from compromised tracking devices. It also explains how an attacker could potentially impersonate targets by spoofing location data responses over HTTP. The document recommends ways for companies to better secure such devices, such as using encrypted communications and restricting device access.
How To: Find The Right Amount Of Security Spend
This document provides guidance on how to determine the right amount to spend on security. It recommends first formalizing mandatory, discretionary, and risk-based security spending. Prioritize assets and risks using a structured process involving business owners. Consider likelihood and impact ranges to evaluate risks. Prioritize risks based on business value and cost. Define security services and align spending with maturity targets. Start with quick wins and metrics to gain support for an ongoing process.
Adam Meyers - Obfuscation And Communications
This document discusses obfuscation techniques used in malware to conceal code and communications. It begins with an introduction and disclaimer, then covers various obfuscation methods like string encryption, code obfuscation, and command and control channel obfuscation. Examples are given of how malware authors use techniques like XOR encryption and function call obfuscation. The document notes that while obfuscation can delay analysis, determined reverse engineers and memory analysis can eventually deobfuscate malware.
Ken Smith - Tokenization
The document discusses tokenization as an alternative to encryption for protecting sensitive data. It notes some of the benefits of tokenization, such as addressing issues with encryption, while also cautioning against common misconceptions about how easy tokenization is to implement properly. Effective implementation requires careful planning, scope definition, ongoing risk assessment and compliance management.
Forensic Memory Analysis of Android's Dalvik Virtual Machine
This document summarizes a presentation on analyzing the memory of the Dalvik virtual machine used in Android. It discusses acquiring Android phone memory, locating key data structures in Dalvik like loaded classes and instance fields, and analyzing specific Android applications to recover data like call histories, text messages, browser sessions, and wireless network information. The goal is to extract runtime information and data from Android apps through memory forensics.
Extracting Forensic Information From Zeus Derivatives
The document discusses extracting forensic information from Zeus and its derivatives. It outlines goals like determining what data was stolen, where it was sent, and who the attackers were. It then describes how to achieve these goals by extracting information like command and control addresses, stolen data, and configuration files from variants like Zeus 2.0.8.9, IceIX, Citadel, Gameover, and KINS through analyzing their encryption routines, configuration retrieval methods, and automated analysis.
Nazira Omuralieva - Susan Kaufman - Improving Application Security - Vulnerab...
The document discusses vulnerability response programs and processes. It outlines key roles and responsibilities, such as finders who discover vulnerabilities and vendors who must address them. Typical vulnerability response procedures are described, including root cause analysis, regression testing, and public disclosure of information after a remedy is released. Guiding principles for an effective program include simultaneously publishing vulnerabilities and remedies, maintaining good finder relationships, and protecting companies' reputations.
Banking Fraud Evolution
This document discusses banking fraud techniques used by malware. It describes banking trojans like Zeus and SpyEye that steal credentials through man-in-the-browser attacks. A new trojan called Tatanga is profiled that records videos and has many modules. Anatomy of a fraud incident is explained involving infecting a system, stealing credentials, and laundering money. Real examples of Zeus conducting man-in-the-mobile attacks via SMS are provided to steal one-time passwords. The document concludes that successful attacks rely more on social engineering than specific malware and stresses the importance of monitoring for and sharing information about injection attacks.
Sebastian Porst - Reverse-Engineering Flash Files with SWFRETools
The document discusses SWFRETools, a set of tools for reverse engineering Flash files (SWF). It introduces four tools: a parser that extracts metadata and tags from SWF files, a dissector that analyzes the parsed data, a tracer/debugger that allows dynamic analysis of SWF files, and a minimizer that reduces SWF files to their minimal form. The talk encourages participation in the open source SWFRETools project on GitHub to further develop and improve the tools.
Men in the Server Meet the Man in the Browser
The document discusses techniques for detecting "man in the browser" (MitB) attacks, where malware running in a user's browser is able to intercept and modify traffic between the browser and web applications. It describes shape-based tests that examine requests for unusual changes typical of malware, and content-based tests where the server embeds a random value in content and the browser verifies it was not altered to detect tampering by malware. The overall goal is to identify infected client sessions to protect businesses from the risks posed by consumers being attacked.
Security Goodness with Ruby on Rails
This document provides an overview and introduction to Ruby on Rails. It begins with an agenda and introduction to the speaker. It then provides a brief introduction to Rails, including what industries use it, examples of popular websites built with Rails, and an explanation of its model-view-controller architecture and RESTful design philosophy. The document continues with sections on auditing Rails applications, identifying common vulnerabilities like mass assignment and cross-site scripting, and recommendations for removing vulnerabilities.
Million Browser Botnet
Matt Johansen, White Hat - Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild.
iBanking - a botnet on Android
Stephen Doherty, Symantec - iBanking is a relative newcomer to the mobile malware scene whose use was first identified in August of 2013. The Trojan targets Android devices and can be remotely controlled over SMS and HTTP. iBanking began life as a simple SMS stealer and call redirector, but has undergone significant development since then. iBanking is available for purchase on a private underground forum for between $4k - $5k, with the next release expected to include a 0-day exploit for the Android operating system. This presentation will discuss iBanking - it's capabilities and the reasons for targeting mobile devices.
I want the next generation web here SPDY QUIC
The document discusses the SPDY and QUIC protocols which aim to improve upon HTTP. SPDY focuses on multiplexing, prioritization, header compression, and server push/hints. QUIC aims to eliminate head-of-line blocking, support 0RTT connections, recover lost packets, and survive network changes. Both protocols aim to improve web performance but also face security challenges around things like certificate revocation and content inspection. The future may see both protocols widely adopted in web clients, servers, and network infrastructure.
How to Like Social Media Network Security
Brian Honan, IRISSCERT
Social media networks provide individuals and businesses with exciting opportunities to communicate and collaborate with others throughout the world. But with these opportunities come a number of security challenges and risks. This talk will outline how social media networks can pose various threats to businesses, from information leakage, reputational damage, to social engineering profiling, and vectors for enabling compromise of corporate systems. Social media networks also enable the rapid dissemination of news which in the event of an information security breach could either save or destroy an organisations reputation. Understanding and dealing with these challenges will enable companies to like and favourite social media networks in a secure way.
Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland's first CERT. He is a Special Advisor to Europol's Cybercrime Centre (EC3), an adjunct lecturer on Information Security in University College Dublin. He is the author of the book "ISO 27001 in a Windows Environment" and co-author of "The Cloud Security Rules", and regularly speaks at major industry conferences. In 2013 Brian was awarded SC Magazine's Information Security Person of the year for his contribution to the computer security industry.
More Related Content
Viewers also liked
From DNA Sequence Variation to .NET Bits and Bobs
Mathieu Letourneau, Andrei Saygo, Eoin Ward, Microsoft
This talk will present our research project on .Net file clustering based on their respective basic blocks and the parallel that can be made with DNA sequence variation analysis. We implemented a system that extracts the basic blocks on each file and creates clusters based on them. We also developed an IDA plugin to make use of that data and speed up our analysis of .Net files.
Andrei Saygo, Eoin Ward and Mathieu Letourneau all work as Anti-Malware Security Engineers in the AM Scan team of Microsoft’s Product Release & Security Services group in Dublin, Ireland.
Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...
This document summarizes a presentation about building bridges between hackers and business to improve security. It outlines the differing perspectives of security professionals ("the view from the trenches") and business leaders ("the view from the business") on issues like cost, scope, patching, and disclosure. Both sides are presented as having valid concerns. The presentation argues both groups must find common ground and businesses must support their security teams to effectively address challenges like compliance vs security.
Advanced Data Exfiltration The Way Q Would Have Done It
The document appears to be a presentation by Iftach Ian Amit from November 2011 about advanced data exfiltration techniques. It includes sections on using emails, web links and phishing to extract data, as well as utilizing social engineering techniques to manipulate targets. Automating parts of the process with tools like SET is also mentioned. The presentation suggests using both aggressive and ingratiating social behaviors when interacting with targets. It diagrams extracting data by routing it through third parties and the internet.
Advanced (persistent) binary planting
This document discusses binary planting techniques such as DLL hijacking. It provides examples of binary planting issues found in Real Player and Opera on Windows XP, where they load unexpected DLLs and EXEs during execution. It warns that downloading files can leave computers vulnerable if installers load DLLs from the Downloads folder, allowing for "persistent mines" to be planted months later when applications are launched. It provides guidelines for researchers and developers to prevent binary planting issues in their own software.
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
This document discusses legal and technical strategies for addressing data security risks when controls shift to the cloud. It outlines various legislative and regulatory targets relating to data breaches, both malicious and benign. It provides guidance on security, data transfer, disposition of data upon termination, and access to data when using cloud services.
Dan Guido SOURCE Boston 2011
SOURCE Boston 2011
Exploit Intelligence Report
Dan's data and analysis of attacker capabilities and methods.
Wendy Nather - Building a Rube Goldberg Application Security Program
The document summarizes how application security programs often work in reality compared to the ideal. It notes that training is often not fully effective due to costs and scheduling issues. Threat modeling and security requirements are rarely fully implemented due to lack of prioritization and changing project scopes. Security testing tools have limitations and face resistance from developers and testers concerned with deadlines. Legacy application remediation is difficult due to lack of ongoing budgets and prioritization of security compared to new features. Effectively running an application security program requires balancing technical and social aspects to overcome cultural and process barriers.
Don Bailey - A Million Little Tracking Devices
This document discusses how embedded devices with cellular connectivity and GPS capabilities could potentially be exploited and used to track individuals without their consent. It describes how an attacker could send commands via SMS to intercept location data from compromised tracking devices. It also explains how an attacker could potentially impersonate targets by spoofing location data responses over HTTP. The document recommends ways for companies to better secure such devices, such as using encrypted communications and restricting device access.
How To: Find The Right Amount Of Security Spend
This document provides guidance on how to determine the right amount to spend on security. It recommends first formalizing mandatory, discretionary, and risk-based security spending. Prioritize assets and risks using a structured process involving business owners. Consider likelihood and impact ranges to evaluate risks. Prioritize risks based on business value and cost. Define security services and align spending with maturity targets. Start with quick wins and metrics to gain support for an ongoing process.
Adam Meyers - Obfuscation And Communications
This document discusses obfuscation techniques used in malware to conceal code and communications. It begins with an introduction and disclaimer, then covers various obfuscation methods like string encryption, code obfuscation, and command and control channel obfuscation. Examples are given of how malware authors use techniques like XOR encryption and function call obfuscation. The document notes that while obfuscation can delay analysis, determined reverse engineers and memory analysis can eventually deobfuscate malware.
Ken Smith - Tokenization
The document discusses tokenization as an alternative to encryption for protecting sensitive data. It notes some of the benefits of tokenization, such as addressing issues with encryption, while also cautioning against common misconceptions about how easy tokenization is to implement properly. Effective implementation requires careful planning, scope definition, ongoing risk assessment and compliance management.
Forensic Memory Analysis of Android's Dalvik Virtual Machine
This document summarizes a presentation on analyzing the memory of the Dalvik virtual machine used in Android. It discusses acquiring Android phone memory, locating key data structures in Dalvik like loaded classes and instance fields, and analyzing specific Android applications to recover data like call histories, text messages, browser sessions, and wireless network information. The goal is to extract runtime information and data from Android apps through memory forensics.
Extracting Forensic Information From Zeus Derivatives
The document discusses extracting forensic information from Zeus and its derivatives. It outlines goals like determining what data was stolen, where it was sent, and who the attackers were. It then describes how to achieve these goals by extracting information like command and control addresses, stolen data, and configuration files from variants like Zeus 2.0.8.9, IceIX, Citadel, Gameover, and KINS through analyzing their encryption routines, configuration retrieval methods, and automated analysis.
Nazira Omuralieva - Susan Kaufman - Improving Application Security - Vulnerab...
The document discusses vulnerability response programs and processes. It outlines key roles and responsibilities, such as finders who discover vulnerabilities and vendors who must address them. Typical vulnerability response procedures are described, including root cause analysis, regression testing, and public disclosure of information after a remedy is released. Guiding principles for an effective program include simultaneously publishing vulnerabilities and remedies, maintaining good finder relationships, and protecting companies' reputations.
Banking Fraud Evolution
This document discusses banking fraud techniques used by malware. It describes banking trojans like Zeus and SpyEye that steal credentials through man-in-the-browser attacks. A new trojan called Tatanga is profiled that records videos and has many modules. Anatomy of a fraud incident is explained involving infecting a system, stealing credentials, and laundering money. Real examples of Zeus conducting man-in-the-mobile attacks via SMS are provided to steal one-time passwords. The document concludes that successful attacks rely more on social engineering than specific malware and stresses the importance of monitoring for and sharing information about injection attacks.
Sebastian Porst - Reverse-Engineering Flash Files with SWFRETools
The document discusses SWFRETools, a set of tools for reverse engineering Flash files (SWF). It introduces four tools: a parser that extracts metadata and tags from SWF files, a dissector that analyzes the parsed data, a tracer/debugger that allows dynamic analysis of SWF files, and a minimizer that reduces SWF files to their minimal form. The talk encourages participation in the open source SWFRETools project on GitHub to further develop and improve the tools.
Men in the Server Meet the Man in the Browser
The document discusses techniques for detecting "man in the browser" (MitB) attacks, where malware running in a user's browser is able to intercept and modify traffic between the browser and web applications. It describes shape-based tests that examine requests for unusual changes typical of malware, and content-based tests where the server embeds a random value in content and the browser verifies it was not altered to detect tampering by malware. The overall goal is to identify infected client sessions to protect businesses from the risks posed by consumers being attacked.
Security Goodness with Ruby on Rails
This document provides an overview and introduction to Ruby on Rails. It begins with an agenda and introduction to the speaker. It then provides a brief introduction to Rails, including what industries use it, examples of popular websites built with Rails, and an explanation of its model-view-controller architecture and RESTful design philosophy. The document continues with sections on auditing Rails applications, identifying common vulnerabilities like mass assignment and cross-site scripting, and recommendations for removing vulnerabilities.
Viewers also liked (18)
Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...
Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Wendy Nather - Building a Rube Goldberg Application Security Program
Wendy Nather - Building a Rube Goldberg Application Security Program
Forensic Memory Analysis of Android's Dalvik Virtual Machine
Forensic Memory Analysis of Android's Dalvik Virtual Machine
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
Nazira Omuralieva - Susan Kaufman - Improving Application Security - Vulnerab...
Nazira Omuralieva - Susan Kaufman - Improving Application Security - Vulnerab...
Sebastian Porst - Reverse-Engineering Flash Files with SWFRETools
Sebastian Porst - Reverse-Engineering Flash Files with SWFRETools
More from Source Conference
Million Browser Botnet
Matt Johansen, White Hat - Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild.
iBanking - a botnet on Android
Stephen Doherty, Symantec - iBanking is a relative newcomer to the mobile malware scene whose use was first identified in August of 2013. The Trojan targets Android devices and can be remotely controlled over SMS and HTTP. iBanking began life as a simple SMS stealer and call redirector, but has undergone significant development since then. iBanking is available for purchase on a private underground forum for between $4k - $5k, with the next release expected to include a 0-day exploit for the Android operating system. This presentation will discuss iBanking - it's capabilities and the reasons for targeting mobile devices.
I want the next generation web here SPDY QUIC
The document discusses the SPDY and QUIC protocols which aim to improve upon HTTP. SPDY focuses on multiplexing, prioritization, header compression, and server push/hints. QUIC aims to eliminate head-of-line blocking, support 0RTT connections, recover lost packets, and survive network changes. Both protocols aim to improve web performance but also face security challenges around things like certificate revocation and content inspection. The future may see both protocols widely adopted in web clients, servers, and network infrastructure.
How to Like Social Media Network Security
Brian Honan, IRISSCERT
Social media networks provide individuals and businesses with exciting opportunities to communicate and collaborate with others throughout the world. But with these opportunities come a number of security challenges and risks. This talk will outline how social media networks can pose various threats to businesses, from information leakage, reputational damage, to social engineering profiling, and vectors for enabling compromise of corporate systems. Social media networks also enable the rapid dissemination of news which in the event of an information security breach could either save or destroy an organisations reputation. Understanding and dealing with these challenges will enable companies to like and favourite social media networks in a secure way.
Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland's first CERT. He is a Special Advisor to Europol's Cybercrime Centre (EC3), an adjunct lecturer on Information Security in University College Dublin. He is the author of the book "ISO 27001 in a Windows Environment" and co-author of "The Cloud Security Rules", and regularly speaks at major industry conferences. In 2013 Brian was awarded SC Magazine's Information Security Person of the year for his contribution to the computer security industry.
Wfuzz para Penetration Testers
WFUZZ is a web application brute forcing and fuzzing tool that allows penetration testers to perform complex brute force attacks on various parts of web applications like parameters, authentication, forms, directories, files, and headers. It has features like multiple injection points, advanced payload management, multi-threading, encodings, result filtering, and proxy support. New features include HEAD method scanning, fuzzing HTTP methods, following redirects, a plugin framework, and result filtering. It uses a modular architecture with payloads, encoders, iterators, plugins, and printers to perform brute force tests quickly and efficiently.
Securty Testing For RESTful Applications
This document discusses security testing for RESTful applications. It begins with an introduction to RESTful web services and how they differ from SOAP web services in using HTTP methods to indicate actions and embedding parameters in requests. It notes challenges in testing RESTful applications including that documentation may not reveal the full attack surface and requests can be dynamically generated. It recommends using documentation, proxies, and fuzzing to determine parameters and potential vulnerabilities. The document concludes by discussing how automated pen testing works by crawling to determine the attack surface through both links and emulated JavaScript to find dynamic requests.
Esteganografia
Este documento proporciona una introducción a la esteganografía, que es la técnica de ocultar información dentro de otro contenido como imágenes, documentos u otros archivos. Explica que la esteganografía se ha utilizado desde la antigua Grecia y Roma, y que a lo largo de la historia se han empleado diferentes métodos como tablas de cera, tatuajes, tinta invisible y filigranas en papel. También describe brevemente algunas técnicas más recientes como los micropuntos y los métodos digitales basados en bits
Adapting To The Age Of Anonymous
Joshua Corman gave a presentation about adapting to Anonymous in the age of chaotic actors. He began by providing background on himself and his research interests. He then discussed understanding Anonymous by deconstructing it and looking at its rise, different sects, and levels of involvement. Corman addressed adapting to Anonymous by looking at escalation risks and the need for improved security strategies. He concluded by discussing the possibility of building a better version of Anonymous that is focused on positive goals.
Are Agile And Secure Development Mutually Exclusive?
The document discusses agile and secure software development. It provides an overview of traditional waterfall and agile project methods. Agile practices like working in short cycles, customer collaboration, and responding to change are highlighted. The roles of project managers, quality assurance teams, and security practices within agile development are also examined. Finally, the document questions whether agile and secure development can be mutually exclusive.
Who should the security team hire next?
The document discusses sources of data on security breaches and where to find qualified security personnel. It analyzes breach data trends from vendors, incident response firms, and mandatory disclosure databases. The analysis finds that while common problems still exist, attacks are becoming more advanced, and good security experts can be found in a variety of companies and roles, not just large firms or traditional security jobs. Hiring should focus on technical skills rather than titles or certifications.
The Latest Developments in Computer Crime Law
The document summarizes recent developments in computer crime law, specifically regarding interpretations of the federal Computer Fraud and Abuse Act. It discusses how courts have broadly interpreted what constitutes unauthorized access, including violating an employer's computer use policies. It also notes problems with prosecutors trying to double-count penalties for unauthorized access by charging it as a felony in furtherance of another crime when it is essentially the same conduct. The future could see legislative changes enhancing penalties for computer crimes.
JSF Security
This document discusses several techniques for validating user input and preventing cross-site scripting (XSS) attacks in JavaServer Faces (JSF) applications. It covers built-in JSF validators, custom validators, output encoding tags, and using OWASP ESAPI to properly encode output. The document also discusses using an AccessController for authorization and injecting anti-CSRF tokens to defend against cross-site request forgery attacks.
Everything you should already know about MS-SQL post-exploitation
Rob Beck, Director of Assessment at Attack Research, gave a presentation on MS-SQL post exploitation. He explained that SQL post exploitation involves the steps an attacker takes after gaining SQL access or command execution on a database. He outlined several techniques attackers use, including utilizing stored procedures to attack the host system, harvesting credentials from the database that may be valid elsewhere, and using the database as an attack framework by loading compiled code or scripts. He emphasized that many SQL instances remain vulnerable because they are run as privileged accounts like SYSTEM and have advanced options enabled without additional security configurations.
Keynote
Eric Cowperthwaite became the CSO of Providence Health & Services in May 2006 after they had experienced several data security incidents including stolen laptops containing patient data. As the new CSO, he had to establish an information security program from the ground up amid middle management resistance and a decentralized IT environment. Over several years, he implemented new security controls, became transparent with regulators investigating HIPAA violations, and signed a resolution agreement to establish specific requirements. More recently, he has focused on building sustainability through an enterprise risk management program with governance separated from operations and independent oversight of the chief risk officer.
Reputation Digital Vaccine: Reinventing Internet Blacklists
The document discusses HP TippingPoint's Reputation Digital Vaccine (Reputation DV) service, which aims to rapidly counteract advanced Internet attacks by classifying hosts along a reputable-disreputable continuum. It does this through novel methods to identify and track Internet hosts, providing intelligence feeds that enable customers to actively enforce reputation-based security policies. The service implements a multi-step approach including gathering intelligence from various sources, analyzing hosts through active and passive techniques, applying machine learning algorithms to classify hosts and assign reputation scores, and distributing the intelligence to customers. Observations made in developing the system and ideas for further improving reputation-based security are also discussed.
Threat Modeling: Best Practices
This document provides best practices and guidance for threat modeling. It discusses key concepts like taxonomy, timing of threat modeling, contributors, audience, and tools. Common pitfalls discussed include not making it a collaborative effort, poor presentation of results, deleting threats, failing to identify assets properly, making unreasonable threats, digging too deep initially, and not versioning threat modeling results. The overall aim is to help people understand how to effectively incorporate threat modeling into their projects and security development lifecycle.
Geer - Hutton - Shannon - A Pilot Project On The Use Of Prediction Markets I...
The document discusses a pilot project to use prediction markets to collect informed opinions from security professionals on future security events. Prediction markets aggregate anonymous predictions from a crowd to forecast outcomes. The pilot will test various security-related contracts over 60 days with 20-30 participants to see if the consensus opinions are useful for participants, organizations, and the security industry. The goal is to accelerate sharing of actionable security information from diverse sources using prediction markets.
More from Source Conference (17)
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
Reputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet Blacklists
Geer - Hutton - Shannon - A Pilot Project On The Use Of Prediction Markets I...
Geer - Hutton - Shannon - A Pilot Project On The Use Of Prediction Markets I...
Recently uploaded
From Natural Language to Structured Solr Queries using LLMs
This talk draws on experimentation to enable AI applications with Solr. One important use case is to use AI for better accessibility and discoverability of the data: while User eXperience techniques, lexical search improvements, and data harmonization can take organizations to a good level of accessibility, a structural (or “cognitive” gap) remains between the data user needs and the data producer constraints.
That is where AI – and most importantly, Natural Language Processing and Large Language Model techniques – could make a difference. This natural language, conversational engine could facilitate access and usage of the data leveraging the semantics of any data source.
The objective of the presentation is to propose a technical approach and a way forward to achieve this goal.
The key concept is to enable users to express their search queries in natural language, which the LLM then enriches, interprets, and translates into structured queries based on the Solr index’s metadata.
This approach leverages the LLM’s ability to understand the nuances of natural language and the structure of documents within Apache Solr.
The LLM acts as an intermediary agent, offering a transparent experience to users automatically and potentially uncovering relevant documents that conventional search methods might overlook. The presentation will include the results of this experimental work, lessons learned, best practices, and the scope of future work that should improve the approach and make it production-ready.
"What does it really mean for your system to be available, or how to define w...
We will talk about system monitoring from a few different angles. We will start by covering the basics, then discuss SLOs, how to define them, and why understanding the business well is crucial for success in this exercise.
Apps Break Data
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
Discover how AI is transforming the workplace and learn strategies for reskilling and upskilling employees to stay ahead. This comprehensive guide covers the impact of AI on jobs, essential skills for the future, and successful case studies from industry leaders. Embrace AI-driven changes, foster continuous learning, and build a future-ready workforce.
Read More - https://bit.ly/3VKly70
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Direct losses from downtime in 1 minute = $5-$10 thousand dollars. Reputation is priceless.
As part of the talk, we will consider the architectural strategies necessary for the development of highly loaded fintech solutions. We will focus on using queues and streaming to efficiently work and manage large amounts of data in real-time and to minimize latency.
We will focus special attention on the architectural patterns used in the design of the fintech system, microservices and event-driven architecture, which ensure scalability, fault tolerance, and consistency of the entire system.
Astute Business Solutions | Oracle Cloud Partner |
Your goto partner for Oracle Cloud, PeopleSoft, E-Business Suite, and Ellucian Banner. We are a firm specialized in managed services and consulting.
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
This is a session that details how PostgreSQL's features and Azure AI Services can be effectively used to significantly enhance the search functionality in any application.
In this session, we'll share insights on how we used PostgreSQL to facilitate precise searches across multiple fields in our mobile application. The techniques include using LIKE and ILIKE operators and integrating a trigram-based search to handle potential misspellings, thereby increasing the search accuracy.
We'll also discuss how the azure_ai extension on PostgreSQL databases in Azure and Azure AI Services were utilized to create vectors from user input, a feature beneficial when users wish to find specific items based on text prompts. While our application's case study involves a drug search, the techniques and principles shared in this session can be adapted to improve search functionality in a wide range of applications. Join us to learn how PostgreSQL and Azure AI can be harnessed to enhance your application's search capability.
Northern Engraving | Nameplate Manufacturing Process - 2024
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience
Introducing BoxLang : A new JVM language for productivity and modularity!
Just like life, our code must adapt to the ever changing world we live in. From one day coding for the web, to the next for our tablets or APIs or for running serverless applications. Multi-runtime development is the future of coding, the future is to be dynamic. Let us introduce you to BoxLang.
Dynamic. Modular. Productive.
BoxLang redefines development with its dynamic nature, empowering developers to craft expressive and functional code effortlessly. Its modular architecture prioritizes flexibility, allowing for seamless integration into existing ecosystems.
Interoperability at its Core
With 100% interoperability with Java, BoxLang seamlessly bridges the gap between traditional and modern development paradigms, unlocking new possibilities for innovation and collaboration.
Multi-Runtime
From the tiny 2m operating system binary to running on our pure Java web server, CommandBox, Jakarta EE, AWS Lambda, Microsoft Functions, Web Assembly, Android and more. BoxLang has been designed to enhance and adapt according to it's runnable runtime.
The Fusion of Modernity and Tradition
Experience the fusion of modern features inspired by CFML, Node, Ruby, Kotlin, Java, and Clojure, combined with the familiarity of Java bytecode compilation, making BoxLang a language of choice for forward-thinking developers.
Empowering Transition with Transpiler Support
Transitioning from CFML to BoxLang is seamless with our JIT transpiler, facilitating smooth migration and preserving existing code investments.
Unlocking Creativity with IDE Tools
Unleash your creativity with powerful IDE tools tailored for BoxLang, providing an intuitive development experience and streamlining your workflow. Join us as we embark on a journey to redefine JVM development. Welcome to the era of BoxLang.
Demystifying Knowledge Management through Storytelling
The Department of Veteran Affairs (VA) invited Taylor Paschal, Knowledge & Information Management Consultant at Enterprise Knowledge, to speak at a Knowledge Management Lunch and Learn hosted on June 12, 2024. All Office of Administration staff were invited to attend and received professional development credit for participating in the voluntary event.
The objectives of the Lunch and Learn presentation were to:
- Review what KM ‘is’ and ‘isn’t’
- Understand the value of KM and the benefits of engaging
- Define and reflect on your “what’s in it for me?”
- Share actionable ways you can participate in Knowledge - - Capture & Transfer
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
These are the slides for the presentation, "Component Testing: Bridging the gap between frontend applications" that was presented at QA or the Highway 2024 in Columbus, OH by Zachary Hamm.
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation Functions to Prevent Interaction with Malicious QR Codes.
Aim of the Study: The goal of this research was to develop a robust hybrid approach for identifying malicious and insecure URLs derived from QR codes, ensuring safe interactions.
This is achieved through:
Machine Learning Model: Predicts the likelihood of a URL being malicious.
Security Validation Functions: Ensures the derived URL has a valid certificate and proper URL format.
This innovative blend of technology aims to enhance cybersecurity measures and protect users from potential threats hidden within QR codes 🖥 🔒
This study was my first introduction to using ML which has shown me the immense potential of ML in creating more secure digital environments!
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
HERE IS YOUR WEBINAR CONTENT! 'Mastering Customer Journey Management with Dr. Graham Hill'. We hope you find the webinar recording both insightful and enjoyable.
In this webinar, we explored essential aspects of Customer Journey Management and personalization. Here’s a summary of the key insights and topics discussed:
Key Takeaways:
Understanding the Customer Journey: Dr. Hill emphasized the importance of mapping and understanding the complete customer journey to identify touchpoints and opportunities for improvement.
Personalization Strategies: We discussed how to leverage data and insights to create personalized experiences that resonate with customers.
Technology Integration: Insights were shared on how inQuba’s advanced technology can streamline customer interactions and drive operational efficiency.
Session 1 - Intro to Robotic Process Automation.pdf
👉 Check out our full 'Africa Series - Automation Student Developers (EN)' page to register for the full program:
https://bit.ly/Automation_Student_Kickstart
In this session, we shall introduce you to the world of automation, the UiPath Platform, and guide you on how to install and setup UiPath Studio on your Windows PC.
📕 Detailed agenda:
What is RPA? Benefits of RPA?
RPA Applications
The UiPath End-to-End Automation Platform
UiPath Studio CE Installation and Setup
💻 Extra training through UiPath Academy:
Introduction to Automation
UiPath Business Automation Platform
Explore automation development with UiPath Studio
👉 Register here for our upcoming Session 2 on June 20: Introduction to UiPath Studio Fundamentals: https://community.uipath.com/events/details/uipath-lagos-presents-session-2-introduction-to-uipath-studio-fundamentals/
AppSec PNW: Android and iOS Application Security with MobSF
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
Recently uploaded (20)
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Stephen Ridley - Greyhat Ruby
- 41. Automated HTTP Verb Tampering Usage
- 43. https://github.com/s7ephen/Tamatebako/blob/master/ user32.rb
- 54. #declarations long typeop; long_lc pkt_len; #byte length calculator string dgram; structure tlv_packet; #assignments typeop = 0x0D030A0D; pkt_len = tlv_packet; dgram = “This is userdatarm” push(tlv_packet, typeop, pkt_len, dgram);
- 55. http://www.slideshare.net/d0cs4vage/ruby-meta-fuzzing https://github.com/tqbf/ruckus