This document discusses techniques for countering online surveillance and protecting private communications. It begins by outlining common surveillance methods used by governments and companies, such as wiretapping and exploiting software vulnerabilities. It then discusses using cryptography to counter surveillance and keep data safe, such as encrypting files and filling volumes with cryptographically secure random data. Secure authentication techniques are presented that allow verifying credentials without revealing passwords. Finally, the document details a method for encrypting and authenticating private messages between two parties using Diffie-Hellman key exchange and digital signatures to provide encryption, authentication, deniability and perfect forward secrecy.
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July.
Watch the webinar here - https://youtu.be/BQWcUjzxJE0
Have you been wondering about how to start in mobile application security, more specifically iOS/Android application security? In this talk, I will try to answer some of the most common questions about getting started in mobile application security testing. Starting from what platform to choose, where to learn, good resources, hardware requirements etc etc. Will also demo you about Mobexler - A Mobile Application Penetration Testing Platform and how you can use it for pentesting of iOS as well as android apps. This talk will be a mix of some demo, and some knowledge.
Securing dns records from subdomain takeoverOWASP Delhi
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July.
Watch the webinar here - https://www.youtube.com/watch?v=C0LQJTXFosI
The speaker will be speaking upon the following abstract -
Basics of DNS records
Introduction to DNS record takeovers
Different types of DNS takeovers
Its impact
How to protect DNS records from takeover
Demo
Q&A
This talk will be for product security folks/ people on defending side. The speaker will also be covering the concept behind subdomain takeovers and its impact.
More Related Content
Similar to Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July.
Watch the webinar here - https://youtu.be/BQWcUjzxJE0
Have you been wondering about how to start in mobile application security, more specifically iOS/Android application security? In this talk, I will try to answer some of the most common questions about getting started in mobile application security testing. Starting from what platform to choose, where to learn, good resources, hardware requirements etc etc. Will also demo you about Mobexler - A Mobile Application Penetration Testing Platform and how you can use it for pentesting of iOS as well as android apps. This talk will be a mix of some demo, and some knowledge.
Securing dns records from subdomain takeoverOWASP Delhi
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July.
Watch the webinar here - https://www.youtube.com/watch?v=C0LQJTXFosI
The speaker will be speaking upon the following abstract -
Basics of DNS records
Introduction to DNS record takeovers
Different types of DNS takeovers
Its impact
How to protect DNS records from takeover
Demo
Q&A
This talk will be for product security folks/ people on defending side. The speaker will also be covering the concept behind subdomain takeovers and its impact.
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 31st May.
Watch the webinar here - https://www.youtube.com/watch?v=22Hccp-7UDU
A person's assessment/ investigation is only as good as the report that supports it.
A good quality or effective report is a presentation of you as an assessor, analyst, or consultant.
The speaker discusses here the important points to keep in mind while preparing a Cyber Security Report. A must know webinar for all - freshers, professionals, bug bounty hunters and the C- level entities.
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 24th May.
Watch the webinar here - https://www.youtube.com/watch?v=jmzfdw-UYC0
An air gapped environment is described as “computer or network that has
no network interfaces, either wired or wireless, connected to outside network.” In this case, side channels and proximity are leveraged to eavesdrop air gapped systems. A case study showing practical use case of sniffing is also discussed.
Link to the Webinar - https://youtu.be/jmzfdw-UYC0
Combined (NullDelhi + OWASPDelhi) Webinar on UDP Hunter by Savan Gadhiya on 10th May, 2020.
For the full video, please visit - https://www.youtube.com/watch?v=yLEL5XrzFyE
The speaker discussed the docker attack surface. Furthermore, he demonstrated how an attacker can escape the docker container and gain access to the host machine.
Companies and organizations have been following many traditional strategies for deploying WAF (web application firewall) in their infrastructure where most of the work is done. manually. Every ACL, every rule entry, every signature, and every other configuration was created and managed by hand. It could have various flaws: flaw of wrong ACL, flaw of accidental misconfiguration, flaw of bad signature, and other various things. The good news is that thanks to the DevOps Rebel Alliance, we now have a better way to do things: Infrastructure-as-Code (IAC).
Instead of clicking around a web UI or manually executing commands and setting up rules and configuration, the idea behind IAC is to write code to define, provision, and manage your WAF. You can validate each WAF change through code reviews and automated tests and you can create/use a library of reusable, documented, battle-tested code that makes it easier to scale and evolve your WAF. In this talk by Avinash Jain, we will have a quick on the various concept of what, how and why of "Automating AWS WAF using Terraform".
Discussion on traditional threat intelligence model, explore advanced approaches to reduce manual intervention and convert it into actionable threat intelligence.
Slides of the talk delivered by Chandra Ballabh in the August, 2019 Meetup of Combined OWASP Delhi and nullDelhi at Thoughtworks, Delhi
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the below 4 vulnerabilities -
Injection,
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks
Wireless security beyond password cracking by Mohit RanjanOWASP Delhi
Network attacks in wired Lan environments
Protection in wired Lan
Layout of modern networks ( wired + wireless )
Difference between wired and wireless security
Most powerful situation to acquire in any network
Wireless attacks
Why NTP ?
Captive portal attacks
Conclusion and some wild thoughts
For complete data to perform this attack please go to the Github link below:
https://github.com/mohitrajain/Wireless_security_beyond_password_cracking
IETF's Role and Mandate in Internet Governance by Mohit BatraOWASP Delhi
1. Internet Governance (IG) Primer
2. I-* Organizations
3. IANA function -Names, Numbers and Protocol Parameters
4. IANA Transition
5. WHOIS for names and numbers
6. Need for Standardization and Standardization Bodies
7. How IETF Works
8. TLS Protocol
9. Increasing Indian participation in global Internet Governance activities and structures
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraOWASP Delhi
Agenda
Hypervisor : what, how and why?
Hypervisor in linux
Capsule course on hypervisor (Intel VT-x, AMD - V, KVM)
Spawning a bare-bone VM
Injection code in VM
I/O Between Host and Guest
Converting C Code to Shellcode
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
The Metaverse and AI: how can decision-makers harness the Metaverse for their...Jen Stirrup
The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives?
How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Enhancing Performance with Globus and the Science DMZGlobus
ESnet has led the way in helping national facilities—and many other institutions in the research community—configure Science DMZs and troubleshoot network issues to maximize data transfer performance. In this talk we will present a summary of approaches and tips for getting the most out of your network infrastructure using Globus Connect Server.
2. Who am I?
●
Contributor to n|u
●
Head of R&D, Skarpsinne Labs, London, UK
●
I am a hobbyist programmer with some interest
in information security domain. My primary
areas of interest are cryptography and malware.
●
Blog: http://adhokshajmishraonline.in
●
Email: me@adhokshajmishraonline.in
3. Agenda
●
Crooked activities by government
●
Why counter-surveillance?
●
Common surveillance methods
●
Counter -surveillance and cryptography
●
Keeping your data safe
●
Secure authentication
●
Private messages (chats, calls etc...)
●
Countermeasures for counter-surveillance
4. Crooked Activities
●
PRISM Program from NSA
●
Attempt to backdoor LINUX kernel
●
Backdoor in hard disk firmware
●
SuperFish in recent Lenovo laptops
●
Cryptographic keys for SIM stolen by NSA for
mass spying without warrant or permission
●
Cryptographic backdoor in MS Windows
5. Why counter-surveillance?
●
Because crooked practices by governments and
companies is unacceptable.
●
To recover from the damage done by gov agencies
under name of surveillance.
●
To make a balance between surveillance efforts
and privacy protection efforts
6. Common surveillance methods
●
By tapping the wire
●
By exploiting 0-day vulnerabilities (Tailored
Access Operation)
●
By paying the big boys to put backdoor in
software (MS Windows)
●
By weakening the cryptography (Dual EC_DRBG)
●
And many more......
7. Counter-surveillance & Cryptography
●
Mathematics is our friend. Let us trust it.
●
NSA cannot break good cryptography.
●
Cryptography allows all sorts of cool stuff, like
communicating in such a way that nothing can be
proved :D
●
All you need some cryptography skills and some
programming skills to get the things done.
8. Keeping The Data Safe
●
Encrypting the files is not enough
●
Encrypted volume is not enough
●
Even “hidden volume” of TrueCrypt is not enough
9. Keeping The Data Safe (2)
●
Fill entire volume with output of a good
cryptographically secure pseudo-random bit
stream generator.
●
Create multiple encrypted file systems at
different offsets in same volume.
●
Every I/O action should modify slack space at
random locations in all the file systems, as well as
host volume.
10. Keeping The Data Safe (3)
●
Put some genuine looking data in one of the file
systems, and secret data in other. Keep good
balance between them.
●
Output of a good cryptosystem cannot be
distinguished from output of a good pseudo-
random bit stream generator.
●
Claim the data to be just random stream. Proving
otherwise will be very difficult.
11. Secure Authentication
●
CA will protect you only from those it is not
willing to take money from.
●
“Secure channel” can be intercepted by
mechanism used by Superfish.
●
You can authenticate yourself without revealing
your password.
●
Time to move to crypto magic ….
12. Secure Authentication (2)
●
Alice has a secret s which he wants to prove to
Bob.
●
Three values y, g, and p are shared. P is large
prime. Also
g^s mod p = y
●
Alice will generate a random number r, and
calculate C = g^r mod p. C is sent to Bob.
●
Bob will request either r or (s + r) mod (p - 1)
13. Secure Authentication (3)
●
Verifying the knowledge
in case of r:
C = g^r mod p
in case of (s + r) mod (p -1)
g ^ ((s+r) mod (p-1)) mod p = C.y mod p
●
Repeat the request – verification cycle multiple times.
Select the request randomly each time.
●
In all cases, only a random number is sent, therefore
no knowledge of secret is leaked.
15. Authentication in Private Messaging
●
Shared values: g and p. P is prime.
●
Bob
picks random value r(128 bits)
picks random value x (320 bits minimum)
●
Calculates
v1 = g ^ x mod p; A = AES(key = r, v1); H = Hash (v)
●
Sends A and H to Alice
16. Authentication in Private Messaging
●
Alice picks random value y (320 bits minimum)
Calculates v2 = g ^ y mod p
Sends v2 to Bob
●
Bob calculates s = v2 ^ x mod p
●
Hashes s in different ways to generate c, c', m1,
m1', m2, m2'. C, c' are AES keys, others are MAC
keys
17. Authentication in Private Messaging
●
Shared values: g and p. P is prime.
●
Bob
picks random value r(128 bits)
picks random value x (320 bits minimum)
●
Calculates
v1 = g ^ x mod p; A = AES(key = r, v1); H = Hash (v)
●
Sends A and H to Alice
18. Authentication in Private Messaging
●
Bob picks keyid_B, a serial number for his DH key
g ^ x mod p
●
Calculates
Mb = MAC(m1)(g^x, g^y, pub_B, keyid_B)
Xb = pub_B, keyid_B, sig(B, Mb)
●
Sends to Alice
r, AES(key=c, Xb), MAC(m2)(AES(key=c, Xb))
19. Authentication in Private Messaging
●
Alice uses r to decrypt A (received from Bob)
●
Verifies H by recalculating it
●
Calculates s = v1 ^ y mod p (s → same as Bob)
●
Calculates AES and MAC keys from s (same as
Bob)
●
Uses m2 to verify MAC(m2)(AES(key=c, Xb))
●
Uses c to decrypt AES(key=c, Xb)
20. Authentication in Private Messaging
●
Calculates Mb, and verifies sig(B, Mb) using pub_B
●
Picks keyid_A, a serial number for his DH Key
●
Calculates
Ma = MAC(m1')(g^y, g^x, pub_A, keyid_A)
Xa = pub_A, keyid_A, sig(A, Ma)
●
Sends to Bob: AES(key=c', Xa), MAC(m2')
(AES(key=c', Xa))
21. Authentication in Private Messaging
●
Bob
uses m2' to verify MAC(m2')(AES(key=c', Xa))
uses c' to decrypt AES(key=c', Xa)
calculates Ma = MAC(m1')(g^y, g^x, pub_A,
keyid_A)
uses pub_A to verify sig(A, Ma)
●
Now Alice and Bob have s, pub_A and pub_B
22. Encryption in Private Messaging
●
Alice is assured that s is known by someone with
access to the private key corresponding to pub_B,
and similarly for Bob.
●
All messages are encrypted using symmetric
cipher with shared DH key as encryption key.
●
DH protocol is re-initiated to generate new key
for next message.
23. Authentication in Private Messaging
●
Alice and Bob know each others public key
●
Alice and Bob have one more shared secret s1.
●
To detect impersonation or MITM attack, public
key fingerprints as well as shared secret s1 can be
verified using “secure authentication” as
discussed previously.