A presentation on using alternate ways to reference file names and paths in Windows systems to bypass security measures.
There's a relevant haiku on every slide, so if you get bored, you can always read the haiku.
This document describes a web cache deception attack where an attacker can exploit how web servers and caching mechanisms handle requests for non-existent files. Specifically, if a request is made for a page plus a non-existent file extension, like http://www.example.com/account.php/stylesheet.css, some systems will return the content of the page rather than a 404. This allows an authenticated user's private page to be cached and then accessed by an attacker. The document provides examples of frameworks like Django and servers like IIS that can be exploited this way. It also discusses how caching services like Cloudflare have addressed this issue. Mitigations are proposed like only caching files if headers allow it and returning 302/404
MITRE ATT&CK based Threat Analysis for Electronic Flight BagMITRE ATT&CK
From ATT&CKcon 4.0
By Ozan Olali, IBM Security
The Electronic Flight Bag (EFB) has become an indispensable tool in modern aviation, providing pilots with digital resources and critical flight information. However, the increased reliance on EFB systems running on operating systems, introduces various security challenges. In this session, a technical assessment approach with MITRE ATT&CK framework to perform a comprehensive threat analysis of an EFB solution, will be presented. The potential attack vectors and relation with the risks for business/ flight operations will be demonstrated.
The is to accumulate the secret keys / secret materials related to various web frameworks, that are publicly available and potentially used by developers. These secrets will be utilized by the Blacklist3r tools to audit the target application and verify the usage of these pre-published keys.
Volatility is an open source memory forensics tool that analyzes RAM dumps to detect malware. It supports Windows, Linux, Mac and Android and uses plugins to parse memory images and extract useful information. Some key things Volatility can do include detecting injected code, unpacked files, hooks, and kernel driver modifications left by malware in memory. It allows analyzing ransomware locked systems, unpacking encrypted files, and dumping executable content of running processes for further reverse engineering.
Managing Personally Identifiable Information (PII)KP Naidu
This document discusses personally identifiable information (PII) and provides guidance on managing PII. It defines PII as information that can be used to identify an individual. The document notes that data breaches involving PII are common and outlines legal issues related to PII. It recommends assessing the confidentiality impact of PII and implementing appropriate controls based on the impact level. Specific steps are outlined to help organizations properly manage PII.
Introduction to Linux Privilege Escalation MethodsBishop Fox
So you’ve managed to get a foothold into the web server — now what? Privilege escalation can be an intimidating process for those unfamiliar with Linux systems or advanced penetration testing techniques. Servers are often cluttered with utilities, backups, and files; how do you find your way through to a root shell? Where are the first places an attacker might look for exploitable vulnerabilities? This slide deck will help you learn about common privilege escalation paths on Linux systems, including sticky bits, shell escapes, wildcard injections, and how to identify vulnerable services. Furthermore, it will illustrate several techniques for those looking to improve their security skills, with time for discussion afterward.
(This was originally presented on February 22, 2010 at Day of Shecurity Boston 2019).
The document discusses techniques for obfuscating PowerShell commands to evade detection. It begins by motivating the need for improved PowerShell logging and detection capabilities as PowerShell is increasingly used by attackers. It then outlines ways to prepare systems for PowerShell investigations through process auditing and command line logging. One section focuses on obfuscating the common technique of using New-Object Net.WebClient to perform remote downloads. It demonstrates how this command can be broken up and variables used to avoid detection based solely on the presence of certain strings.
Introduction to Linux Exploit Developmentjohndegruyter
The document provides an introduction to Linux exploit development. It discusses the speaker's background and certifications. It then covers compiling a simple "Hello World" program in C and examining the resulting executable file format and memory layout. The presentation examines the stack and how functions, arguments, and return addresses are managed using stack frames and instructions like PUSH, POP, CALL, and RET. It demonstrates the prologue and epilogue sections of a function that save and restore registers and stack pointers.
This document describes a web cache deception attack where an attacker can exploit how web servers and caching mechanisms handle requests for non-existent files. Specifically, if a request is made for a page plus a non-existent file extension, like http://www.example.com/account.php/stylesheet.css, some systems will return the content of the page rather than a 404. This allows an authenticated user's private page to be cached and then accessed by an attacker. The document provides examples of frameworks like Django and servers like IIS that can be exploited this way. It also discusses how caching services like Cloudflare have addressed this issue. Mitigations are proposed like only caching files if headers allow it and returning 302/404
MITRE ATT&CK based Threat Analysis for Electronic Flight BagMITRE ATT&CK
From ATT&CKcon 4.0
By Ozan Olali, IBM Security
The Electronic Flight Bag (EFB) has become an indispensable tool in modern aviation, providing pilots with digital resources and critical flight information. However, the increased reliance on EFB systems running on operating systems, introduces various security challenges. In this session, a technical assessment approach with MITRE ATT&CK framework to perform a comprehensive threat analysis of an EFB solution, will be presented. The potential attack vectors and relation with the risks for business/ flight operations will be demonstrated.
The is to accumulate the secret keys / secret materials related to various web frameworks, that are publicly available and potentially used by developers. These secrets will be utilized by the Blacklist3r tools to audit the target application and verify the usage of these pre-published keys.
Volatility is an open source memory forensics tool that analyzes RAM dumps to detect malware. It supports Windows, Linux, Mac and Android and uses plugins to parse memory images and extract useful information. Some key things Volatility can do include detecting injected code, unpacked files, hooks, and kernel driver modifications left by malware in memory. It allows analyzing ransomware locked systems, unpacking encrypted files, and dumping executable content of running processes for further reverse engineering.
Managing Personally Identifiable Information (PII)KP Naidu
This document discusses personally identifiable information (PII) and provides guidance on managing PII. It defines PII as information that can be used to identify an individual. The document notes that data breaches involving PII are common and outlines legal issues related to PII. It recommends assessing the confidentiality impact of PII and implementing appropriate controls based on the impact level. Specific steps are outlined to help organizations properly manage PII.
Introduction to Linux Privilege Escalation MethodsBishop Fox
So you’ve managed to get a foothold into the web server — now what? Privilege escalation can be an intimidating process for those unfamiliar with Linux systems or advanced penetration testing techniques. Servers are often cluttered with utilities, backups, and files; how do you find your way through to a root shell? Where are the first places an attacker might look for exploitable vulnerabilities? This slide deck will help you learn about common privilege escalation paths on Linux systems, including sticky bits, shell escapes, wildcard injections, and how to identify vulnerable services. Furthermore, it will illustrate several techniques for those looking to improve their security skills, with time for discussion afterward.
(This was originally presented on February 22, 2010 at Day of Shecurity Boston 2019).
The document discusses techniques for obfuscating PowerShell commands to evade detection. It begins by motivating the need for improved PowerShell logging and detection capabilities as PowerShell is increasingly used by attackers. It then outlines ways to prepare systems for PowerShell investigations through process auditing and command line logging. One section focuses on obfuscating the common technique of using New-Object Net.WebClient to perform remote downloads. It demonstrates how this command can be broken up and variables used to avoid detection based solely on the presence of certain strings.
Introduction to Linux Exploit Developmentjohndegruyter
The document provides an introduction to Linux exploit development. It discusses the speaker's background and certifications. It then covers compiling a simple "Hello World" program in C and examining the resulting executable file format and memory layout. The presentation examines the stack and how functions, arguments, and return addresses are managed using stack frames and instructions like PUSH, POP, CALL, and RET. It demonstrates the prologue and epilogue sections of a function that save and restore registers and stack pointers.
Dangling DNS records pointing to AWS IP addresses were exploited at scale to take over subdomains. By automatically launching EC2 instances in different AWS regions and checking if the public IPs matched any DNS records, over 2900 subdomain takeovers were achieved in 2 days. This worked because AWS reuses public IP addresses when instances are stopped and started, while some DNS records were left dangling without being updated. Indexing the DNS records by value in MongoDB allowed efficient searching to detect matches. Several interesting findings included government phishing sites and common subdomains that should be blacklisted.
This document discusses cloud-native DDoS attack mitigation and provides an overview of how AWS services can help. It describes the evolution from on-premise to cloud-routed to cloud-native DDoS mitigation strategies. It also outlines AWS Shield Standard and Advanced protections that provide automatic DDoS protection for AWS resources. The presentation aims to help users prepare resilient architectures, monitor applications for issues, and respond to DDoS events through demonstrations of AWS services like WAF, CloudFront, Route 53, and more.
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CKMITRE ATT&CK
The document discusses how the authors mapped adversary tactics, techniques, and procedures (TTPs) observed in malware infections to the MITRE ATT&CK framework to better understand a Qakbot campaign. It provides examples of specific TTPs used across multiple cases and over time, demonstrating how the framework can help identify trends and behaviors despite changing indicators. Resources and tools for building your own threat library mapped to ATT&CK are also recommended.
HTTP Security Headers Every Java Developer Must KnowAyoma Wijethunga
Demonstration based session on HTTP headers relevant to security aspect of web applications. Target audience is web developers, and more attention is given to Java language.
.htaccess is a configuration file for use on web servers running the Apache Web Server software. When a .htaccess file is placed in a directory which is in turn 'loaded via the Apache Web Server', then the .htaccess file is detected and executed by the Apache Web Server software. These .htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. These facilities include basic redirect functionality, for instance if a 404 file not found error occurs, or for more advanced functions such as content password protection or image hot link prevention.
This document discusses web cache deception techniques that can be used to exploit vulnerabilities in how web caches handle URLs. It begins with background on web caching and the concept of path confusion. It then explains basic and advanced techniques for web cache deception, including using URL encoding, and discusses observations like bypassing CSRF protections and hijacking sessions. The document concludes that correctly configuring caches is challenging, as complex interactions between technologies can be exploited in unintended ways, and variations of these techniques increase the number of vulnerable sites.
This document discusses file upload vulnerabilities, exploitation, and mitigation. It provides 6 cases of how file uploads can be exploited such as through simple uploads without validation or altering content types. Tools mentioned for exploitation include BurpSuite and proxies. The document recommends mitigation techniques like using .htaccess files outside the upload directory, storing uploads outside the server root, not relying on client-side validation, and renaming files with random names. It concludes with offering a proof of concept demonstration.
The “Privacy Today” presentation was written for the IAPP by Professor Peter Swire of the Moritz College of Law of the Ohio State University. The materials cover the definition of privacy, ways to protect privacy, privacy harms, and fair information practices. The “Privacy Today” presentation is designed for college and university students.
Licensed under Creative Commons Attribution 3.0 Unported
The document discusses various switch security concepts and configuration including:
- Defense in depth with multiple layers of security and controlling network access.
- MAC flooding and spoofing attacks and how switches use MAC address tables to forward traffic.
- Port security features like limiting MAC addresses, locking ports based on violations, and aging secure addresses.
- Storm control to limit broadcast traffic and prevent denial of service attacks.
- DHCP snooping to prevent unauthorized DHCP servers and spoofing of client requests.
- Dynamic ARP inspection to validate ARP packets match the DHCP snooping database.
Reverse proxy & web cache with NGINX, HAProxy and VarnishEl Mahdi Benzekri
Discover the very wide world of web servers, in addition to the basic web deliverance fonctionnality, we will cover the reverse proxy, the resource caching and the load balancing.
Nginx and apache HTTPD will be used as web server and reverse proxy, and to illustrate some caching features we will also present varnish a powerful caching server.
To introduce load balancers we will compare between Nginx and Haproxy.
Checkpointing is used to improve database recovery time. It periodically writes uncommitted transaction logs and dirty database pages to stable storage. This allows transactions committed before the last checkpoint to be ignored during recovery. Recovery involves undoing uncommitted transactions and redoing committed ones since the last checkpoint using the write-ahead logging protocol to ensure crash consistency. Shadow paging is an alternative technique that maintains a shadow page table to recover the pre-transaction state if needed. Automated backups and mirroring can further improve availability.
Wireshark course, Ch 03: Capture and display filtersYoram Orzach
This document provides an overview of capture and display filters in Wireshark. It describes the basics of filter syntax and examples of common filters. The objectives are to understand basic capture and display filters and how to perform packet filtering. It covers the structure and components of capture filters including primitives, operators, and examples. Display filters are explained along with field types, comparison operators, and combining expressions. The document concludes with case studies demonstrating filters for protocols like DCERPC and analyzing network issues like retransmissions.
This document provides an overview of cross-site request forgery (CSRF) attacks. It discusses how CSRF works, forcing victims to perform actions on a website without their knowledge. Common defenses like using nonces or CAPTCHAs are described. The document also covers how to validate if an issue is truly a CSRF vulnerability and lists some example attack vectors. Key takeaways emphasize the importance of validating any potential CSRF issue affects state, is sensitive, and has non-unique requests.
remote-method-guesser - BHUSA2021 Arsenal Tobias Neitzel
Slides from the Black Hat USA 2021 Arsenal presentation of remote-method-guesser.
Recording: https://youtu.be/t_aw1mDNhzI
remote-method-guesser (rmg) is a Java RMI vulnerability scanner that checks for common misconfigurations on Java RMI endpoints.
It combines well known techniques for RMI enumeration with detection capabilities for lesser known attack vectors that are often missed.
Apart from detecting RMI vulnerabilities, remote-method-guesser can perform attack operations for each supported vulnerability type.
The following list shows some of it's currently supported operations:
* List available bound names and their interface class names
* List codebase locations (if exposed by the remote server)
* Check for known vulnerabilities (enabled class loader, missing JEP290, JEP290 bypasses, localhost bypass (CVE-2019-2684))
* Identify existing remote methods by using a bruteforce (wordlist) approach
* Call remote methods with user specified arguments (no manual coding required)
* Call remote methods with ysoserial gadgets within the arguments
* Call remote methods with a client specified codebase (remote class loading attack)
* Perform DGC, registry and activator calls with ysoserial gadgets or a client specified codebase
* Perform bind, rebind and unbind operations against an RMI registry
* Bypass registry deserialization filters by using An Trinhs registry bypass
* Enumerate the unmarshalling behavior of java.lang.String
* Create Java code dynamically to invoke remote methods manually
This document discusses information leakage and data loss prevention. It begins by defining information leakage as the intentional or unintentional disclosure of information to unauthorized parties. Information can leak through external hacking, insider leaks, outsourcing partners, or former employees. This leakage can cause financial and reputational loss for organizations. Frameworks like SOX and tools like DLP suites aim to prevent leakage and loss. The conclusion emphasizes the importance for executives to understand leakage risks and utilize prevention techniques and best practices.
In shared infrastructures such as clouds, sensitive or regulated data—including run-time and archived data—must be properly segregated from unauthorized users. Database and system administrators may have access to multiple clients’ data, and the location of stored data in a cloud may change rapidly. Compliance requirements such as Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA) and others may need to be met. This webinar will discuss how to help protect cloud-based customer information and intellectual property from both external and internal threats.
View the On-demand webinar: https://www2.gotomeeting.com/register/187735186
Someone deployed their application as a Docker container. Then another someone came along and hacked it. Then everyone starts looking at you asking, "How did this happen?"
This talk goes into how to extract the forensics artifacts of a Docker container, both if it was still running on a live system (easy) and if you must start from a cold disk image (harder).
A cheatsheet of the high points of this talk is also available here: https://www.didactic-security.com/resources/docker-forensics-cheatsheet.pdf
The video of this presentation at BSides RDU 2018 is online here: https://youtu.be/esj_NoTsywU?t=3667
[Hitcon 2020 CTI Village] Threat Hunting to Campaign TrackingSu Steve
Speakers: Ashley Shen, Steve Su
This is a threat hunting and campaign tracking 101 workshop Ashley Shen (Google) and Steve (FireEye) prepared for the HITCON 2020 CTI Village. In this presentation we share the threat hunting concept with some basic techniques and explain the process and guidance for campaign tracking. The presentation was only 50 mins so we can't covered everything. However through this talk we hope to share our experience and insight in the workshop.
About our CTI Village:
https://docs.google.com/document/d/18Tfaie4t38-_pY2lxB-PhXiBc-kA1vsKw5DIiosiIvk/
CISA usage of ATT&CK in Cybersecurity AdvisoriesMITRE ATT&CK
From ATT&CKcon 4.0
By James Stanley, CISA
"CISA's Adoption of the MITRE ATT&CK Framework
Over the past several years, CISA has worked to incorporate ATT&CK whenever applicable into our Cybersecurity Advisories and other cyber guidance. It has become the universal language for discussing how the adversary operates, and we leverage it for our stakeholders to respond to urgent events in real time, as well as detailed reports on subjects like our Red Team activities to give network defenders proactive guidance on how to harden their networks."
The document provides an overview of techniques for penetrating OS X environments externally, including using the EmPyre remote access Trojan, phishing with OS X payloads, privilege escalation, persistence mechanisms like login hooks and crontab, host and network reconnaissance tools, and lateral movement options like SSH. The challenges of operating in an OS X environment and adapting typical Windows tactics are also discussed.
- Unix is a multi-user networked operating system where every user has different settings and permissions. It handles files, running programs, and input/output.
- The document provides an introduction to Unix compared to Linux and DOS, and describes how to log in, navigate directories, manage files, edit text, compile programs, and get help using man pages.
- It explains basic Unix commands like ls, cd, mkdir, rmdir, rm, cp, and mv for listing, changing directories, creating/removing directories, and manipulating files.
This document provides an overview of the Linux operating system and how to use basic Linux commands. It explains that Linux is a free version of UNIX that is operated through a command line terminal rather than a graphical user interface. It also describes how to access the course Linux server using SSH and SFTP, navigate and manipulate files and directories using commands like ls, cd, cp, and rm, view file contents with cat and more, and get help with commands like man. Finally, it provides a list of common Linux shell commands and how to run and edit programs.
Dangling DNS records pointing to AWS IP addresses were exploited at scale to take over subdomains. By automatically launching EC2 instances in different AWS regions and checking if the public IPs matched any DNS records, over 2900 subdomain takeovers were achieved in 2 days. This worked because AWS reuses public IP addresses when instances are stopped and started, while some DNS records were left dangling without being updated. Indexing the DNS records by value in MongoDB allowed efficient searching to detect matches. Several interesting findings included government phishing sites and common subdomains that should be blacklisted.
This document discusses cloud-native DDoS attack mitigation and provides an overview of how AWS services can help. It describes the evolution from on-premise to cloud-routed to cloud-native DDoS mitigation strategies. It also outlines AWS Shield Standard and Advanced protections that provide automatic DDoS protection for AWS resources. The presentation aims to help users prepare resilient architectures, monitor applications for issues, and respond to DDoS events through demonstrations of AWS services like WAF, CloudFront, Route 53, and more.
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CKMITRE ATT&CK
The document discusses how the authors mapped adversary tactics, techniques, and procedures (TTPs) observed in malware infections to the MITRE ATT&CK framework to better understand a Qakbot campaign. It provides examples of specific TTPs used across multiple cases and over time, demonstrating how the framework can help identify trends and behaviors despite changing indicators. Resources and tools for building your own threat library mapped to ATT&CK are also recommended.
HTTP Security Headers Every Java Developer Must KnowAyoma Wijethunga
Demonstration based session on HTTP headers relevant to security aspect of web applications. Target audience is web developers, and more attention is given to Java language.
.htaccess is a configuration file for use on web servers running the Apache Web Server software. When a .htaccess file is placed in a directory which is in turn 'loaded via the Apache Web Server', then the .htaccess file is detected and executed by the Apache Web Server software. These .htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. These facilities include basic redirect functionality, for instance if a 404 file not found error occurs, or for more advanced functions such as content password protection or image hot link prevention.
This document discusses web cache deception techniques that can be used to exploit vulnerabilities in how web caches handle URLs. It begins with background on web caching and the concept of path confusion. It then explains basic and advanced techniques for web cache deception, including using URL encoding, and discusses observations like bypassing CSRF protections and hijacking sessions. The document concludes that correctly configuring caches is challenging, as complex interactions between technologies can be exploited in unintended ways, and variations of these techniques increase the number of vulnerable sites.
This document discusses file upload vulnerabilities, exploitation, and mitigation. It provides 6 cases of how file uploads can be exploited such as through simple uploads without validation or altering content types. Tools mentioned for exploitation include BurpSuite and proxies. The document recommends mitigation techniques like using .htaccess files outside the upload directory, storing uploads outside the server root, not relying on client-side validation, and renaming files with random names. It concludes with offering a proof of concept demonstration.
The “Privacy Today” presentation was written for the IAPP by Professor Peter Swire of the Moritz College of Law of the Ohio State University. The materials cover the definition of privacy, ways to protect privacy, privacy harms, and fair information practices. The “Privacy Today” presentation is designed for college and university students.
Licensed under Creative Commons Attribution 3.0 Unported
The document discusses various switch security concepts and configuration including:
- Defense in depth with multiple layers of security and controlling network access.
- MAC flooding and spoofing attacks and how switches use MAC address tables to forward traffic.
- Port security features like limiting MAC addresses, locking ports based on violations, and aging secure addresses.
- Storm control to limit broadcast traffic and prevent denial of service attacks.
- DHCP snooping to prevent unauthorized DHCP servers and spoofing of client requests.
- Dynamic ARP inspection to validate ARP packets match the DHCP snooping database.
Reverse proxy & web cache with NGINX, HAProxy and VarnishEl Mahdi Benzekri
Discover the very wide world of web servers, in addition to the basic web deliverance fonctionnality, we will cover the reverse proxy, the resource caching and the load balancing.
Nginx and apache HTTPD will be used as web server and reverse proxy, and to illustrate some caching features we will also present varnish a powerful caching server.
To introduce load balancers we will compare between Nginx and Haproxy.
Checkpointing is used to improve database recovery time. It periodically writes uncommitted transaction logs and dirty database pages to stable storage. This allows transactions committed before the last checkpoint to be ignored during recovery. Recovery involves undoing uncommitted transactions and redoing committed ones since the last checkpoint using the write-ahead logging protocol to ensure crash consistency. Shadow paging is an alternative technique that maintains a shadow page table to recover the pre-transaction state if needed. Automated backups and mirroring can further improve availability.
Wireshark course, Ch 03: Capture and display filtersYoram Orzach
This document provides an overview of capture and display filters in Wireshark. It describes the basics of filter syntax and examples of common filters. The objectives are to understand basic capture and display filters and how to perform packet filtering. It covers the structure and components of capture filters including primitives, operators, and examples. Display filters are explained along with field types, comparison operators, and combining expressions. The document concludes with case studies demonstrating filters for protocols like DCERPC and analyzing network issues like retransmissions.
This document provides an overview of cross-site request forgery (CSRF) attacks. It discusses how CSRF works, forcing victims to perform actions on a website without their knowledge. Common defenses like using nonces or CAPTCHAs are described. The document also covers how to validate if an issue is truly a CSRF vulnerability and lists some example attack vectors. Key takeaways emphasize the importance of validating any potential CSRF issue affects state, is sensitive, and has non-unique requests.
remote-method-guesser - BHUSA2021 Arsenal Tobias Neitzel
Slides from the Black Hat USA 2021 Arsenal presentation of remote-method-guesser.
Recording: https://youtu.be/t_aw1mDNhzI
remote-method-guesser (rmg) is a Java RMI vulnerability scanner that checks for common misconfigurations on Java RMI endpoints.
It combines well known techniques for RMI enumeration with detection capabilities for lesser known attack vectors that are often missed.
Apart from detecting RMI vulnerabilities, remote-method-guesser can perform attack operations for each supported vulnerability type.
The following list shows some of it's currently supported operations:
* List available bound names and their interface class names
* List codebase locations (if exposed by the remote server)
* Check for known vulnerabilities (enabled class loader, missing JEP290, JEP290 bypasses, localhost bypass (CVE-2019-2684))
* Identify existing remote methods by using a bruteforce (wordlist) approach
* Call remote methods with user specified arguments (no manual coding required)
* Call remote methods with ysoserial gadgets within the arguments
* Call remote methods with a client specified codebase (remote class loading attack)
* Perform DGC, registry and activator calls with ysoserial gadgets or a client specified codebase
* Perform bind, rebind and unbind operations against an RMI registry
* Bypass registry deserialization filters by using An Trinhs registry bypass
* Enumerate the unmarshalling behavior of java.lang.String
* Create Java code dynamically to invoke remote methods manually
This document discusses information leakage and data loss prevention. It begins by defining information leakage as the intentional or unintentional disclosure of information to unauthorized parties. Information can leak through external hacking, insider leaks, outsourcing partners, or former employees. This leakage can cause financial and reputational loss for organizations. Frameworks like SOX and tools like DLP suites aim to prevent leakage and loss. The conclusion emphasizes the importance for executives to understand leakage risks and utilize prevention techniques and best practices.
In shared infrastructures such as clouds, sensitive or regulated data—including run-time and archived data—must be properly segregated from unauthorized users. Database and system administrators may have access to multiple clients’ data, and the location of stored data in a cloud may change rapidly. Compliance requirements such as Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA) and others may need to be met. This webinar will discuss how to help protect cloud-based customer information and intellectual property from both external and internal threats.
View the On-demand webinar: https://www2.gotomeeting.com/register/187735186
Someone deployed their application as a Docker container. Then another someone came along and hacked it. Then everyone starts looking at you asking, "How did this happen?"
This talk goes into how to extract the forensics artifacts of a Docker container, both if it was still running on a live system (easy) and if you must start from a cold disk image (harder).
A cheatsheet of the high points of this talk is also available here: https://www.didactic-security.com/resources/docker-forensics-cheatsheet.pdf
The video of this presentation at BSides RDU 2018 is online here: https://youtu.be/esj_NoTsywU?t=3667
[Hitcon 2020 CTI Village] Threat Hunting to Campaign TrackingSu Steve
Speakers: Ashley Shen, Steve Su
This is a threat hunting and campaign tracking 101 workshop Ashley Shen (Google) and Steve (FireEye) prepared for the HITCON 2020 CTI Village. In this presentation we share the threat hunting concept with some basic techniques and explain the process and guidance for campaign tracking. The presentation was only 50 mins so we can't covered everything. However through this talk we hope to share our experience and insight in the workshop.
About our CTI Village:
https://docs.google.com/document/d/18Tfaie4t38-_pY2lxB-PhXiBc-kA1vsKw5DIiosiIvk/
CISA usage of ATT&CK in Cybersecurity AdvisoriesMITRE ATT&CK
From ATT&CKcon 4.0
By James Stanley, CISA
"CISA's Adoption of the MITRE ATT&CK Framework
Over the past several years, CISA has worked to incorporate ATT&CK whenever applicable into our Cybersecurity Advisories and other cyber guidance. It has become the universal language for discussing how the adversary operates, and we leverage it for our stakeholders to respond to urgent events in real time, as well as detailed reports on subjects like our Red Team activities to give network defenders proactive guidance on how to harden their networks."
The document provides an overview of techniques for penetrating OS X environments externally, including using the EmPyre remote access Trojan, phishing with OS X payloads, privilege escalation, persistence mechanisms like login hooks and crontab, host and network reconnaissance tools, and lateral movement options like SSH. The challenges of operating in an OS X environment and adapting typical Windows tactics are also discussed.
- Unix is a multi-user networked operating system where every user has different settings and permissions. It handles files, running programs, and input/output.
- The document provides an introduction to Unix compared to Linux and DOS, and describes how to log in, navigate directories, manage files, edit text, compile programs, and get help using man pages.
- It explains basic Unix commands like ls, cd, mkdir, rmdir, rm, cp, and mv for listing, changing directories, creating/removing directories, and manipulating files.
This document provides an overview of the Linux operating system and how to use basic Linux commands. It explains that Linux is a free version of UNIX that is operated through a command line terminal rather than a graphical user interface. It also describes how to access the course Linux server using SSH and SFTP, navigate and manipulate files and directories using commands like ls, cd, cp, and rm, view file contents with cat and more, and get help with commands like man. Finally, it provides a list of common Linux shell commands and how to run and edit programs.
Unix is a multi-user networked operating system that handles files, runs programs, and handles input/output. It is designed for server use and networking is intrinsic. Each user has their own settings and permissions, and multiple users can be logged in simultaneously. The document then provides information about accessing Unix servers from Windows and using basic commands like ls, cd, mkdir and rm to navigate directories and manage files.
The document provides an overview of the contents of a training on the Unix and GNU/Linux command line. It covers topics such as shells and filesystem structure, file handling commands, standard input/output redirection, task control, text editing and system administration basics. The training aims to teach users full control of tasks and how to get help and find resources on the command line.
The document summarizes the contents of a training presentation on the Unix and GNU/Linux command line. It covers shells and command line interpreters, the filesystem structure including common directories, file handling commands like ls, cd, cp, and an introduction to pipes and I/O redirection. Special files and directories like symlinks, devices, and ~ (home directory) are explained. File permissions and ownership are also mentioned.
The document summarizes the contents of a training on the Unix and GNU/Linux command line. It covers shells and command line interpreters, the filesystem structure, file handling commands like ls, cd, cp, and file permissions. It also discusses standard input/output redirection, pipes, process control and environment variables. The training contents are organized into 5 sections covering these topics at an introductory level.
This document provides a summary of the Unix and GNU/Linux command line. It begins with an overview of files and file systems in Unix, including that everything is treated as a file. It then discusses command line interpreters (shells), and commands for handling files and directories like ls, cd, cp, and rm. It also covers redirecting standard input/output, pipes, and controlling processes. The document is intended as training material and provides a detailed outline of its contents.
Unix/Linux is an operating system developed in the 1960s that uses a command line interface. It is the predecessor to Linux, which is now a widely popular open-source variant of Unix. The document provides an overview of basic Unix/Linux commands and concepts for navigating files and directories, editing and manipulating files, running programs, and accessing remote systems. It explains commands like ls, cd, pwd, cat, less, grep, diff, kill, and scp.
This document provides an introduction to using the Linux command shell and basic Linux commands. It discusses what a command shell is, the BASH shell commonly used in Linux, and how it differs from the DOS command prompt. It covers special characters, executing commands, getting help, navigating the Linux filesystem directory structure, piping and redirecting command output, and describes several common Linux commands for working with files and directories and finding files. The document is intended to accompany an instructor-led tutorial and provide a basic overview of Linux command line concepts and usage.
The document discusses canonicalization and directory traversal vulnerabilities. It explains that canonicalization ensures files have a standard name without symlinks or duplicate characters. Directory traversal occurs when a request contains ".." to access files outside the intended directory. The document recommends canonicalizing file paths using OS functions and using chroot jails to limit processes to a subdirectory.
This document provides an overview of common Linux software and how to install additional software. It discusses the major desktop environments GNOME and KDE and default applications like Firefox, Thunderbird, and OpenOffice. It describes the file structure with directories like home, bin, etc. It also outlines several methods for installing software, including via package managers, downloading binaries or source code. The key difference between Linux and Windows is that Linux has a different file structure and installation process which can cause culture shock for new users.
This document provides an overview of Red Hat Linux and Linux fundamentals. It discusses Linux origins with the GNU project and Linus Torvalds' creation of the Linux kernel. It also describes open source software, different Red Hat distributions like Red Hat Enterprise Linux and Fedora, Linux principles like treating everything as a file, and basic Linux commands. The document is divided into units covering Linux usage basics, running commands and getting help, and browsing the filesystem.
The structure of Linux - Introduction to Linux for bioinformaticsBITS
This 3th slide deck of the training 'Introduction to linux for bioinformatics' gives a broad overview of the file system structure of linux. We very gently introducte the command line in this presentation.
The document provides an overview of various operating systems including UNIX, Linux, and Windows. It discusses the history and development of UNIX including early projects at Bell Labs and Berkeley. It also summarizes key features of UNIX such as security, reliability, and multi-user support. The document then describes the UNIX directory structure and common commands like ls, cd, cat, and man.
This document provides an introduction to using the Linux command shell and basic commands. It discusses what a command shell is, how BASH differs from DOS, special characters used in Linux, executing commands, and getting help. The document also summarizes common Linux directory structures like /bin, /boot, /dev, /etc, and /home. Permission is granted to modify and distribute the document under the GNU Free Documentation License.
The document provides an introduction to using the Linux command shell and basic utilities for beginners. It explains what a command shell is, that BASH is the most common shell used on Linux systems, and how BASH differs from the DOS command prompt. It also covers special characters, executing commands, getting help, navigating the Linux filesystem, and commands for working with files and directories.
BITS: Introduction to Linux - Text manipulation tools for bioinformaticsBITS
The document provides an introduction to using the Linux command line for bioinformatics tasks. It covers navigating the file system, manipulating files and directories, input/output redirection, piping commands together, and commonly used text processing tools. The goal is to help users easily use command line tools, automate repetitive tasks, and parse/summarize text-based outputs.
Introduction to command line tools for *NIX (UNIX (like OS X and Solaris/SunOS), BSD, & GNU/Linux) environments. I made this presentation originally for the LUG@UCF when I was an undergrad but still contains valid information. Hope you find it useful.
The document provides information on various DOS commands including their types (internal or external), actions performed, and available command line switches. It discusses file naming conventions in DOS/Windows including the 8.3 naming specification and long filename support. It also describes file types/formats, read only/hidden/system/archive file attributes, and the hierarchy of command execution if multiple files of the same name but different extensions exist.
Linux is an open-source operating system that provides free and secure software. It allows applications and users to access computer devices and functions through the kernel, which manages communication between hardware, software, and processes. Files, directories, programs, and devices are all treated as files in the Linux file system hierarchy, accessed through commands like ls, mkdir, and rmdir.
This document discusses the concept of a "patsy proxy", which is an unwitting third party that can be used to perform attacks or access restricted sites/networks on behalf of another. Some key points:
- A patsy proxy takes advantage of automated services, vulnerabilities, or social engineering to route traffic through an unaware third party.
- This allows the attacker to anonymize their activity, bypass IP filters, or potentially access internal networks they would otherwise not have access to.
- Examples discussed include using URL shorteners, translation services, mail scanners as potential patsy proxies that could be exploited.
- There are also disadvantages like limited attack capabilities depending on the proxy's configuration and logging. Pro
The document summarizes the Universal Plug and Play (UPnP) protocol. It describes how UPnP works through phases like addressing, discovery, description, control, eventing and presentation. While UPnP allows for universal control of devices, it is also terrifying because it has no built-in authentication and exposes devices to security risks like CSRF attacks. The document demonstrates UPnP with Belkin WeMo and BubbleUPnP and provides references for further information.
SQLol is a configurable SQL injection test-bed tool created by Daniel Crowley of Trustwave SpiderLabs that allows for research, education, and testing of SQLi vulnerabilities. Existing test-beds are inflexible and oversimplified compared to real-world scenarios, which can vary widely and be dangerous. SQLol aims to address these issues by allowing users to choose query types, sanitization options, and verbosity to recreate realistic exploit scenarios. It requires a web server with PHP and a database supported by ADODB. Users deploy it by extracting the files, configuring database settings, and running a reset script. Future planned features include custom sanitization, stored procedures, and database privileges.
In this presentation, I discuss four different approaches to merging multiple files of different formats into one, such that it can be read as each type. I then discuss the security implications of this property inherent in many file formats, theorize about attacks which can be launched when developers assume that files can only be one format.
Daniel Crowley - Speaking with Cryptographic OraclesBaronZor
When using cryptography, leaking data about crypto operations can expose the system to powerful attacks. Even if you're using unbroken algorithms, you may expose yourself to attacks which can completely bypass your use of crypto.
Infrastructure Challenges in Scaling RAG with Custom AI modelsZilliz
Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
CAKE: Sharing Slices of Confidential Data on BlockchainClaudio Di Ciccio
Presented at the CAiSE 2024 Forum, Intelligent Information Systems, June 6th, Limassol, Cyprus.
Synopsis: Cooperative information systems typically involve various entities in a collaborative process within a distributed environment. Blockchain technology offers a mechanism for automating such processes, even when only partial trust exists among participants. The data stored on the blockchain is replicated across all nodes in the network, ensuring accessibility to all participants. While this aspect facilitates traceability, integrity, and persistence, it poses challenges for adopting public blockchains in enterprise settings due to confidentiality issues. In this paper, we present a software tool named Control Access via Key Encryption (CAKE), designed to ensure data confidentiality in scenarios involving public blockchains. After outlining its core components and functionalities, we showcase the application of CAKE in the context of a real-world cyber-security project within the logistics domain.
Paper: https://doi.org/10.1007/978-3-031-61000-4_16
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Windows File Pseudonyms
1. Windows File Pseudonyms Strange Filenames and Haiku OR: Pwnage and Poetry Dan Crowley Core Security Technologies dcrowley@coresecurity.com
2. A quick disclaimer Most of the techniques presented here are demonstrated on web-based technologies. HOWEVER, the techniques and principles explained should apply to any application which takes a file path or name of any sort from user input which will be used on a Windows system. (Furthermore, I will provide a bottle of delicious beer to anyone who finds a use for these techniques which isn’t in this presentation!) Each slide of this talk ~ Shall hence be accompanied ~ By clever haiku
3. The Big Problem ™ Applications tend to do string-based analysis of file paths Often, to decide how to handle files Or whether or not files should be served Or whether the file path may be malicious in nature We can reference one file or directory with many different equivalent strings Applications may not expect some of these strings The OS interacts with the filesystem, not the app Developers may not even be aware that their application will accept such names! Some of these names are based on undocumented features One cannot expect ~ To judge books by their covers ~ And find success
4. 8.3 Aliases 8 dot 3 format It’s self explanatory …only to a point
5. 8.3 Aliases In DOS, file names must conform to the 8.3 format, meaning: A basename of (max) 8 characters Followed by one period Followed by a (max) three character extension Windows likes backwards compatibility Each file (and directory!) created on default Windows installations has a DOS-compatible name If the name isn’t 8.3 compatible, a second name (an 8.3 alias or short file name [SFN]) is made Simplified, they are generated as follows: Remove some characters (0x80-0xff) and convert some characters to underscores (like + and space) Start with the first six characters Add a tilde And a digit to distinguish from other files starting with the same characters Add a period And up to the first three characters of the file extension Windows might as well ~ Be backwards-compatible ~ With the abacus
6. Why do I (audience) care? Because “highlight.php” != “HIGHLI~1.PHP” If your IDS is looking for the old PHPBB highlight command exec flaw, it may not find it Because “.htpasswd” != “HTPASS~1” Your forbidden files may no longer be forbidden File type may be determined by user input Whatever follows the last dot is the file extension So perhaps you can upload file.phPWNED And request FILE~1.PHP Use removed characters to force an extension <3 chars And you will know me ~ By the trail of characters ~ After the last dot
7. Web App Authentication Bypass Consider the following scenario: Admin.php checks for authentication If authenticated, several external scripts can be called through Admin.php at the whim of the user DeleteUser.php, AddUser.php, UpdateWebPage.php These external scripts cannot be called directly if($_SERVER[‘PHP_SELF’] == ‘/admin/DeleteUser.php’){ die(‘O RLY?’);}else{ do_something_privileged(); } YA RLY ‘/admin/DeleteUser.php’ != ‘/admin/DELETE~1.PHP’ I’m taking a break ~ From sensible haiku now ~ Tonsillectomy
8. But wait, there’s more! Long file names Maximum length: 255 Approx. char set size: 63000 Approx. possible names:63000^255 = 6.78E+1223 Short file names (8.3 aliases) Maximum length: 12 (-1 for dot) Approx. char set size: 59 Approx. possible names:59^11 = 3.01E+18 If every file on a Windows box has an 8.3 compatible name (and by default, this is the case) we can immensely reduce the time and resources needed to guess filenames when trying to enumerate file names by brute-force. This can be further reduced if the file extension is known, reducing the complexity to 59^8 = 1.46E+14, or approx. 146,000,000,000,000 possibilities! Huge complexities ~ Collapsing conveniently ~ To simplicity
10. Discarded trailing characters Certain characters at the end of file names/paths are silently discarded by Windows! In Windows API calls, the following items are discarded: Periods Spaces The Windows shell will also allow, in specific configurations: Double quotes (as long as they are closed properly) Angle brackets (only in certain configurations) Extraneous current directory markers (“/.”) Extraneous parent directory markers with arbitrary items (fake or real) Trailing characters ~ Of certain varieties: ~ Removed, silently.
11. Equivalent file path examples All of the following paths are valid and equivalent when given to the Windows shell: file.txt file.txt..... file.txt<spaces> file.txt”””” file.txt<<<>><>< file.txt/././././. nonexistant/../file.txt Different technique, similar use “highlight.php” != “highlight.php.” “restricted.txt” != “restricted.txt<space>” Flexibility ~ In Windows nomenclature ~ Borders on silly
12. DOS special device files Ancient dinosaurs Used to redirect data With some devices
13. DOS special device files Similar to device files on *nix Allows file operations to be performed on devices Examples include: CON, the console PRN, a parallel printer COM1, the first serial port NUL, a bit bucket (/dev/null equivalent) Pretty well known already, BUT… When you speak to me ~ I redirect all of it ~ To slash-dev-slash-null.
14. DOS special files quirk #1 They exist “everywhere” Can be accessed from any path, even: In directories which you are denied access to With an existing file as a “directory” which “contains” the file Examples of equivalent paths to CON: CON C:CON C:ON C:.....ON C:estricted_dirON C:xisting_file.txtON Like apparitions ~ They exist in every place ~ And yet in no place
15. DOS special files quirk #2 They can have any file extension, it’s ignored The following examples are equivalent: CON CON.bat CON.php CON.conf CON.thisisalongandarbitraryfileextension CON.<1000x”A”> Mr. Shakespeare knows ~ A rose by another name ~ Still smells just as sweet
16. Denial-of-Service A theoretical application accepts file names and reads the associated files This application blocks any file named “CON”, “AUX”, “PRN” etc. to prevent DoS Applications will generally pause to read from a file until EOF EOF may never arrive from devices like AUX It does NOT block files named, for instance, “AUX.txt” Which we know is equivalent to AUX …And while we’re at it, ~ Since we’re speaking of Shakespeare… ~ All’s well that ends well!
17. Buffer overflow A Windows application takes in a file name The file is verified as existing If it exists, the program does something with the file name And might trust that it doesn’t exceed NTFS limitations What if the file name is “CON.<‘A’x1000>”? Technically, it exists… …but not in the filesystem, so it’s not bound to NTFS limitations Why one needs all this ~ DOS file extension stuff ~ Is just beyond me
18. You should know better! Microsoft Windows ~ Hoist upon its own petard ~ You should know better!
19. Defeating Windows file permissions Normal users have access to CON But not C:enied_direnied_file.txt C:enied_diron_existent_file.txtON No access C:enied_direnied_file.txtON Access to console Now you can check the existence of files which you cannot read in directories you cannot read! It is easiest ~ To acquire forgiveness ~ And not permission
21. Controlling file handling Don’t forget: You can use ANY extension! Files are often handled based on extension DOS special files, then, can often be handled as ANYTHING YOU CHOOSE! http://www.example.com/com1.php What if COM1 was attached to a serial modem? …Or more likely, a Bluetooth dongle? A riddle for you… ~ When is a CON not a CON? ~ When it’s a dot-jar!
23. Namespace prefixes Used when files can’t be referred to with normal paths Because they’re really devices Because they don’t exist on the local filesystem Because they have strange names A distant echo ~ Of a victim, falling dead ~ The hunter shouts “PWNED!”
24. Minimal parsing prefix An invalid name or path can sometimes be used anyway MAX_PATH can be exceeded Some restricted characters can be used Reserved basenames can be used Just precede it with ?br />Must be an absolute path No current directory indicator ( ./ ) No parent directory indicator ( ../ ) You don’t like the rules? ~ Double wack, question mark, wack. ~ You’re welcome, buddy.
25. UNC (Short and Long) Used to refer to files on SMB shares Can be used to refer to files across the Internet server_name_or_iphareile This is “Short UNC” Nothing terribly special ?NCerver_name_or_iphareile This is “Long UNC” Allows for the use of the ?prefix with UNC paths What’s the best thing ~ About SMB traffic? ~ Credential replay!
26. NT device namespace prefix Used to refer to device namespace These paths start with .br />Examples include: .irpcap00br />An AirPcap card .LOBALROOTevicearddiskVolume1br />The first hard disk volume on the machine Might be equivalent to, for instance, C:br />Doesn’t need an assigned drive letter! .dRom0br />The first disc drive on the computer WinObj from Sysinternals will allow you to browse the NT device namespace The device namespace ~ Allows access to devices ~ Using file paths
27. NTLM credential capture When accessing SMB shares, authentication may be requested If an attacker runs the SMB server, you can bet it will The SMB client machine will often send stored credentials automatically And as you may know these credentials can be replayed or cracked And we can trigger a machine to access an SMB share with a UNC path! A replay attack ~ With SMB credentials ~ Should not still succeed!
28. Directory traversal “C: doesn’t match: ?:br />127.0.0.1$br />127.3.13.37$br />?NC27.0.0.1$br />.LOBALROOTevicearddiskVolume1br />…but they’re all equivalent! I ought to mention ~ Directory traversal ~ Ed Skoudis said so!
29. Buffer overflow Minimal parsing prefix allows for the use of paths exceeding MAX_PATH Some developers don’t know you can exceed MAX_PATH …or assume that if the file exists that it can’t exceed MAX_PATH NOP NOPNOPNOPNOP ~ NOP NOPNOPNOPNOPShellcode ~ Pointer to NOP sled
30. Making Windows rootkits deadlier Imagine that you’re a Windows sysadmin Someone creates a file named “CON” with the minimal parsing prefix You try “type CON” at the command line Your command prompt “hangs” None of your programs open it properly Windows Explorer can’t delete it You cry You pretend it doesn’t exist or convince yourself it really should be there My reaction to ~ “Undocumented feature” ~ Is unbridled rage.
31. Defeat AV systems Make files with illegal names (“con.exe”, “lol.exe.”, etc.) Put something malicious in them Execute them ??? PROFIT!!! An AV system ~ Should reliably open ~ All suspect files
32. Client-side Attacks Switching security zones Reference “C:ile.txt” NO THAT’S A LOCAL FILE BAD HACKER Reference 127.0.0.1$ile.txt A UNC path! I know these, they’re Intranet stuff. No prob, Bob. Check out “Internet Explorer turns your personal computer into a public file server” Jorge Luis Alvarez Medina, BH DC 2010 How do I pwn thee? ~ Let me count the ways; No, wait: ~ Just one is enough!