This paper attempts to look behind the wheels of android and keeping special focus on custom rom’s and basically check for security misconfiguration’s which could yield to device compromise, which may result in malware infection or data theft.
Visual version of http://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto The presentation talks about how a disclsoure was forgotten and what we can do to prevent such issues and how to keep a track on Vulnerable components
Hijacking Softwares for fun and profitNipun Jaswal
Presentation for my talk at Global Infosec Summit, LPU (11 Nov 2017). The Presentation demonstrates risk of using outdated and cracked software. Additionally, demonstrates the hand-on approach to finding DLL search order hijacking vulnerabilities. The Presentation is for educational purposes only.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
This paper attempts to look behind the wheels of android and keeping special focus on custom rom’s and basically check for security misconfiguration’s which could yield to device compromise, which may result in malware infection or data theft.
Visual version of http://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto The presentation talks about how a disclsoure was forgotten and what we can do to prevent such issues and how to keep a track on Vulnerable components
Hijacking Softwares for fun and profitNipun Jaswal
Presentation for my talk at Global Infosec Summit, LPU (11 Nov 2017). The Presentation demonstrates risk of using outdated and cracked software. Additionally, demonstrates the hand-on approach to finding DLL search order hijacking vulnerabilities. The Presentation is for educational purposes only.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Information Security Professionals who pass the exam and have obtained their OSCP can research the network (information gathering), identify any vulnerabilities, and successfully execute attacks.
As developers, we build great things. The next step is to protect this work and our precious data, sometimes the crown jewels of the company. This extensive presentation is an introduction into information security, with many tips and thoughts for developers. It focuses on the benefits of applying information security, and how to use it in your work.
Michael Boelen has a background in Linux security. He is the developer of several open source tools. This presentation includes some tips specifically for Linux, although most principles are applicable on all platforms.
The Offensive Security Certified Professional (OSCP) is one of the most technical and most challenging certifications for information security professionals.
For More information please contact us : https://www.infosectrain.com/
npm packages are awesome, but also introduce risk.
This presentation explains how packages may introduce known vulnerabilities into your application, explains their impact, and most importantly, shows how to protect yourself.
The few slides were complemented by running several vulnerability exploits against the vulnerable demo app Goof from here: https://github.com/Snyk/goof
Stranger Danger: Securing Third Party Components (Tech2020)Guy Podjarny
Building software today involves more assembly than actual coding. Much of our code is in fact pulled in open source packages, and the applications heavily rely on surrounding third party binaries. These third parties make us more productive - but they also introduce an enormous risk. Each third party component is a potential source of vulnerabilities or malicious code, each third party service a potential door into our system.
This talk contains more information about this risk, create a framework for digesting and tackling it, and lists a myriad of tools that can help.
Have you ever dreamed of getting paid to hack?!
As a Bug Hunter, this is what its all about, you hack and find vulnerabilities in software and websites, then end up with profit and fame.
In this session, I will explain to you how to start your journey in bug hunting, Are you ready?
Some of the very things that make JavaScript awesome can also leave it exposed. Guy Podjarny and Danny Grander walk through some sample security flaws unique to Node’s async nature and surrounding ecosystem (or especially relevant to it)—e.g., memory leaks via the buffer object, ReDoS and other algorithmic DoS attacks (which impact Node due to its single-threaded nature), and timing attacks leveraging the EventLoop—and show how these could occur in your own code or in npm dependencies.
With exponential growth of internet usage and impact it has for our lives nowadays the importance of security becomes extremely more and more valuable, especially if we take into account number of users with closed to zero experience in IT and with limited knowledge in security.
That means we’re as engineers who create modern applications should take responsibility to make them more robust and secure.
In this talk I’m going to explore security topic for broader developers audience and share simple but yet useful strategies, tactics and techniques to help to make applications we create more secure.
This talk by Chris Grayson contains lots of information about how to enter the so-called "hackerspace." From mental approaches to books, movies, and other media to online courses and knowledge repositories, this presentation is intended to be the one-stop-shop for anyone trying to become a penetration tester.
Information Security Professionals who pass the exam and have obtained their OSCP can research the network (information gathering), identify any vulnerabilities, and successfully execute attacks.
As developers, we build great things. The next step is to protect this work and our precious data, sometimes the crown jewels of the company. This extensive presentation is an introduction into information security, with many tips and thoughts for developers. It focuses on the benefits of applying information security, and how to use it in your work.
Michael Boelen has a background in Linux security. He is the developer of several open source tools. This presentation includes some tips specifically for Linux, although most principles are applicable on all platforms.
The Offensive Security Certified Professional (OSCP) is one of the most technical and most challenging certifications for information security professionals.
For More information please contact us : https://www.infosectrain.com/
npm packages are awesome, but also introduce risk.
This presentation explains how packages may introduce known vulnerabilities into your application, explains their impact, and most importantly, shows how to protect yourself.
The few slides were complemented by running several vulnerability exploits against the vulnerable demo app Goof from here: https://github.com/Snyk/goof
Stranger Danger: Securing Third Party Components (Tech2020)Guy Podjarny
Building software today involves more assembly than actual coding. Much of our code is in fact pulled in open source packages, and the applications heavily rely on surrounding third party binaries. These third parties make us more productive - but they also introduce an enormous risk. Each third party component is a potential source of vulnerabilities or malicious code, each third party service a potential door into our system.
This talk contains more information about this risk, create a framework for digesting and tackling it, and lists a myriad of tools that can help.
Have you ever dreamed of getting paid to hack?!
As a Bug Hunter, this is what its all about, you hack and find vulnerabilities in software and websites, then end up with profit and fame.
In this session, I will explain to you how to start your journey in bug hunting, Are you ready?
Some of the very things that make JavaScript awesome can also leave it exposed. Guy Podjarny and Danny Grander walk through some sample security flaws unique to Node’s async nature and surrounding ecosystem (or especially relevant to it)—e.g., memory leaks via the buffer object, ReDoS and other algorithmic DoS attacks (which impact Node due to its single-threaded nature), and timing attacks leveraging the EventLoop—and show how these could occur in your own code or in npm dependencies.
With exponential growth of internet usage and impact it has for our lives nowadays the importance of security becomes extremely more and more valuable, especially if we take into account number of users with closed to zero experience in IT and with limited knowledge in security.
That means we’re as engineers who create modern applications should take responsibility to make them more robust and secure.
In this talk I’m going to explore security topic for broader developers audience and share simple but yet useful strategies, tactics and techniques to help to make applications we create more secure.
This talk by Chris Grayson contains lots of information about how to enter the so-called "hackerspace." From mental approaches to books, movies, and other media to online courses and knowledge repositories, this presentation is intended to be the one-stop-shop for anyone trying to become a penetration tester.
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Anant Shrivastava
This presentation talks about OWASP Mobile Risk M2 i.e. Insecure Data Storage. The agenda of the presentation is to understand the Data Storage and effect of insecure data storage. Then it also had demo's of known insecure data storage flaws. Methods to identify this flaw and various precautions that a developer should take to prevent this flaw.
The presentation was done as part of null/OWASP/G4H Monthly Meet
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
This Session will focus on Mobile Top 10 2014-M3 : Insufficient Transport Layer protection. We will try to understand Transport Layer, Transport layer security (TLS), insecurities in TLS/SSL, and how this affects the overall security of Mobile Devices as well as what kind of protection can be applied and how this can be identified..
A beginner level presentation made for c0c0n 2013 to talk about some basic modules of python which can be used in routine penetration testing exercises.
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
c0c0n 2015 Presentation. This talk discussed about the impact of using components with known vulnerabilities along with various tips and tools for software developer or administrator to facilitate identification of vulnerable components.
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
This presentation is part of a series focused on OWASP Mobile Top 10 : We discussed about what is data leakage, places where data could be leaked. sample /examples of data leakage and how it differes from M2: Insecure data storage.
an introduction to Lamp stack and how it is beneficial for students, presented by anant shrivastava on behalf of linux academy http://academylinux.com and you can contact anant @ http://anantshri.info
SSL Checklist for Pentesters (BSides MCR 2014)Jerome Smith
This presentation was made at BSides MCR 2014. It tackles the subject of SSL/TLS testing from the viewpoint of a penetration tester. It is a practical guide, broad in scope, focusing on pitfalls and how to check issues manually (as much as possible).
I already have updated material (including SNI and OCSP Stapling) for the next version. Look out for future content @exploresecurity and @NCCGroupInfosec.
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
Join the CASC Wednesday April 30 for a Google+ hangout on the Heartbleed Bug. We’ll cover everything from what the bug does to how to tell if your site is at risk and how certificate authorities are responding.
Panel of CASC members:
• Robin Alden- Comodo
• Jeremy Rowley- DigiCert
• Bruce Morton- Entrust
• Rick Andrews- Symantec
• Wayne Thayer- Go Daddy
Watch the recording: http://bit.ly/1jAQCtk
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)Gabriella Davis
Two years ago enabling your site with SSL was a simple affair, buy a certificate or create your own, install it, then just remember to renew it every couple of years. Then, suddenly security holes are being found in SSL virtually every month , popular browsers stop connecting to your site to protect themselves, and you’re continually being told your users data is at risk. In this session we will discuss how it all went wrong and can go wrong again, then go through each step of requesting, generating and deploying a 4096 SHA-2 certificate to use in a keyfile by Domino, IBM Connections, IBM Sametime and other WebSphere products. If you work with these IBM products and need to secure them with confidence this session will show you how!
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
In a follow-up to the duo’s offensive focused talk “DevOops, How I hacked you”, they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors with a focus on preventative steps. The team will present their recommended approach to hardening for teams using AWS, Continuous Integration, GitHub, and common DevOps tools and processes. More specifically, the following items will be demonstrated:
-AWS Hardening
-AWS Monitoring
-AWS Disaster Recovery
-GitHub Monitoring
-OPINT
-Software Development Practices/Processes
-Secure use of Jenkins/Hudson
-Developer laptop hardening (OS X)
Abusing bleeding edge web standards for appsec gloryPriyanka Aash
"Through cooperation between browser vendors and standards bodies in the recent past, numerous standards have been created to enforce stronger client-side control for web applications. As web appsec practitioners continue to shift from mitigating vulnerabilities to implementing proactive controls, each new standard adds another layer of defense for attack patterns previously accepted as risks. With the most basic controls complete, attention is shifting toward mitigating more complex threats. As a result of the drive to control for these threats client-side, standards such as SubResource Integrity (SRI), Content Security Policy (CSP), and HTTP Public Key Pinning (HPKP) carry larger implementation risks than others such as HTTP Strict Transport Security (HSTS). Builders supporting legacy applications actively make trade-offs between implementing the latest standards versus accepting risks simply because of the increased risks newer web standards pose.
In this talk, we'll strictly explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation strategies and compromises which may make these standards more accessible to builders and defenders supporting legacy applications; as well as examine emergent properties of standards such as HPKP to cover previously unforeseen scenarios. As a bonus for the breakers, we'll explore and demonstrate exploitations of the emergent risks in these more volatile standards, to include multiple vulnerabilities uncovered quite literally during our research for this talk (which will hopefully be mitigated by d-day)."
(Source: Black Hat USA 2016, Las Vegas)
An overview of all things that can go wrong when developers attempt to implement a Chain of Trust also called "secure boot". Starting from design mistakes, we look at crypto problems, logical and debug problems and move towards Side Channel Attacks and Fault Injection.
Focused on Automotive, Pay-TV, Gaming and mobile devices.
Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/22dytOc.
Adam Wick takes a deep dive into a unikernel implementation of the Tor anonymity system. He discusses what aspects of Tor make it an attractive target for a unikernel, and what aspects of unikernels are particularly interesting when considering Tor. Filmed at qconsf.com.
Adam Wick leads the systems software group at Galois, Inc., an R&D company.
Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle.
Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image.
Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible.
During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may cause compromising your system.
Contacts:
LinkedIn - https://www.linkedin.com/in/vshynkar/
GitHub - https://github.com/sqerison
-------------------------------------------------------------------------------------
Materials from the video:
The policies and docker files examples:
https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90
The repo with the helm chart used in a demo:
https://github.com/sqerison/argo-rollouts-demo
Tools that showed in the last section:
https://github.com/armosec/kubescape
https://github.com/aquasecurity/kube-bench
https://github.com/controlplaneio/kubectl-kubesec
https://github.com/Shopify/kubeaudit#installation
https://github.com/eldadru/ksniff
Further learning.
A book released by CISA (Cybersecurity and Infrastructure Security Agency):
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
O`REILLY Kubernetes Security:
https://kubernetes-security.info/
O`REILLY Container Security:
https://info.aquasec.com/container-security-book
Thanks for watching!
An introduction to The Heartbleed Vulnerability. Considered to be the worst horror of the internet age, this flaw and its discovery changed the way people thought about implementing Open source standards.
20 years of web cryptography, and its amazing how frequently its configured sub-optimally. We've had numerous encryption algorithms, digests, protocols come, and should have GONE, but everyone has just left them on. Its time to shut out the legacy browser. The vast majority of the worlds browser install base now auto-updates, and with strict (and prescriptive) compliance in force, we get to drop the bloat form the past. In this talk we'll cover the current TRANSITIONS we're going through from a web admins perspective: TLS, Cipher Suites, HTTP Security Headers, CAs, the move to an encrypted-by-default web, and more.
Attackers don’t just search for technology vulnerabilities, they take the easiest path and find the human vulnerabilities. Drive by web attacks, targeted spear phishing, and more are commonplace today with the goal of delivering custom malware. In a world where delivering custom advanced malware that handily evades signature and blacklisting approaches, and does not depend on application software vulnerabilities, how do we understand when are environments are compromised? What are the telltale signs that compromise activity has started, and how can we move to arrest a compromise in progress before the attacker laterally moves and reinforces their position? The penetration testing community knows these signs and artifacts of advanced malware presence, and it is up to us to help educate defenders on what to look for.
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
Derbycon 2011
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
This paper attempts to look behind the wheels of android and keeping special focus on custom rom’s and basically check for security misconfiguration’s which could yield to device compromise, which may result in malware infection or data theft.
a simple presentation with introduction on hacking, presented by anant shrivastava on behalf of linux academy at rkdf bhopal http://academylinux.com and contact anant at http://anantshri.info
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Essentials of Automations: Optimizing FME Workflows with Parameters
When the internet bleeded : RootConf 2014
1. When the Internet Bleeded
Anant Shrivastava
(@anantshri)
for
RootConf 2014
2. Topic of Discussion
• Various SSL/TLS related issues in public
– Heartbleed
– GNUTLS Bug
– Apple Bug
– Lucky13
– BEAST
– CRIME
• What it means for Developers /
Administrators.
Ref : Pixabay.com
3. GIST of Security
“Most of the Security protocols
are broken“
• SSL == inSecure Socket Layer
7. GOTO FAIL : GNU TLS / Apple
● Functions which verifies x509 certificates. Invalid certificates can be passed off as
genuine, even though they're invalid.
● GNUTLS Details : http://blog.existentialize.com/the-story-of-the-gnutls-bug.html
● Apple : https://www.imperialviolet.org/2014/02/22/applebug.html
● Test yourself : https://gotofail.com/
8. BEAST’s LUCKY13 CRIME
• BEAST (CBC Ciphers)
– Allows retrial of encrypted data by key
guess based on block based ciphers.
• CRIME (compressed connection / SPDY)
– Exploit compression to extract data
●
LUCKY13
– cryptographic timing attack
• RC4
– (http://blog.cryptographyengineering.com/2013/03/attack-of-
week-rc4-is-kind-of-broken-in.html)
9. Status Quo
• SSL 3.0 / TLS 1.0 is broken at nearly
all algorithm / protection level either
reasonable exploits or conceptual
exploitation available.
• Catch 22 : If you protect against
BEAST you are vulnerable to
LUCKY13 and vice-versa
10. Lets Understand Heartbleed
• Massive Effect over INTERNET but
limited to OpenSSL
• Effective Marketing and promotion
• Known not just in Information
Security Community but to the world
• In short a lucky draw worth 64KB
max of data (data =! information)
13. DIY
• Server : heartbleed.anantshri.info
Test Scripts :
• http://heartbleed.anantshri.info/test.txt (Shell)
• http://heartbleed.anantshri.info/hbtest.txt (Python)
• Login Page :
https://heartbleed.anantshri.info/login_post.html
• https://heartbleed.anantshri.info/login.html
• Video Demo
14. Trivia Facts
• First well thought out exploit release where public
presentation had prime focus (domain registered 2 days
before announcement).
• 3 different sources found same issue within a gap of a week.
• Multiple exploits came out based on initial script which only
looked at TLS 1.1 and not of 1.2 and 1.0 hence a lot of the
servers were marked safe even when they were not
• Hugely undervalued exploit even by author. Original founder
didn't expected the private key disclosure.
• Akamai opensourced its solution for key safety and same was
hacked left right center within few hours.
15. Trivia Facts
• Not a protocol fault rather implementation flaw and hence
GNUTLS, Mozilla NSS or Microsoft SSL is not effected.
• 75 of Cisco Products found effected
• Tor among effected products
• OpenSSL 1.0.1 through 1.0.1f
• LibreSSL (stripped down OpenBSD implementation)
• OpenSSL Bugbounty
• According to CloudFlare, GlobalSign’s CRL grew from 22KB
before Heartbleed to 4.9MB afterward.
• The number of revoked certificates on the CRL increased
from 1,492 to 133,243. And that was just GlobalSign’s CRL
17. So What?
●
Administrators
– Patch meticulously
– Monitor religiously
– Co-relate, cross-ref, leverage bigdata identify anomoly and act
on it.
●
Developers
– Not just a admin task
– Start caring about older version of libraries.
– Do not bundle dependencies or maintain updates
– OpenSource MORE EYES != LESS SECURITY BUGS
18. Technical solutions
• Enable TLS 1.1 and 1.2
• Enable forward secrecy
• Change SSL certificate (I know there
is a revocation cost)
• Going forward you are secure till no
one finds a flaw in newer
algorithms
19. Perfect Forward Secrecy
• random public keys per session for
the purposes of key agreement with
generation using non deterministic
algorithm.
• Even if connection is compromised it
makes sure compromise affects only
one connection.
20. Policy based solution
• Fail hard, Fail early : Setup exigency
process in place :Inform customers if you
suspect foul play. Keep them updated.
Block login if required.
• Force password reset : Don’t inform and
ask them to change : force it.
• Don't forget API Keys and other secrets
• Keep hardware support subscriptions
relevant or get lifetime support : it helps