Slides for Building Better Backdoors with WMI - DerbyCon 2017 - Legacy
Code:
https://github.com/0xbadjuju/PowerProvider/
https://github.com/0xbadjuju/WheresMyImplant
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUlf Mattsson
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Description : Organizations have spent massive amounts of money to protect the perimeter of their networks, but if your business exists on the internet, there really is no perimeter. In this presentation, we'll discuss Digital Footprints in understanding your company’s external attack surface. We will discuss social, mobile, web attacks and analyze and review lessons learned recently publicized attacks (Polish banking institutions, Apache Struts Vulnerability or WannaCry ransomware. The speed of business and cybercrime isn't slowing down, so how can you be prepared to address and defend against these types of threats? Attend our session to find out how.
Reducing Your Digital Attack Surface and Mitigating External Threats - What, Why, How:
What is a Digital Footprint?
Breakdown of External Threats (Social, Mobile, Web)
What are blended attacks?
What is actually being targeting at your company?
How are your brands, customers, and employees being attack outside of your company?
How to become proactive in threat monitoring on the internet?
Considerations in External Threat solutions
Threat correspondence tracking considerations
Is legal cease and desist letters adequate in stopping attacks?
Examination of a phishing attack campaign
How phishing kits work
Analysis and lesson learned from recent published attacks
What are the most important capability in a digital risk monitoring solution?
Slides for Building Better Backdoors with WMI - DerbyCon 2017 - Legacy
Code:
https://github.com/0xbadjuju/PowerProvider/
https://github.com/0xbadjuju/WheresMyImplant
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUlf Mattsson
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Description : Organizations have spent massive amounts of money to protect the perimeter of their networks, but if your business exists on the internet, there really is no perimeter. In this presentation, we'll discuss Digital Footprints in understanding your company’s external attack surface. We will discuss social, mobile, web attacks and analyze and review lessons learned recently publicized attacks (Polish banking institutions, Apache Struts Vulnerability or WannaCry ransomware. The speed of business and cybercrime isn't slowing down, so how can you be prepared to address and defend against these types of threats? Attend our session to find out how.
Reducing Your Digital Attack Surface and Mitigating External Threats - What, Why, How:
What is a Digital Footprint?
Breakdown of External Threats (Social, Mobile, Web)
What are blended attacks?
What is actually being targeting at your company?
How are your brands, customers, and employees being attack outside of your company?
How to become proactive in threat monitoring on the internet?
Considerations in External Threat solutions
Threat correspondence tracking considerations
Is legal cease and desist letters adequate in stopping attacks?
Examination of a phishing attack campaign
How phishing kits work
Analysis and lesson learned from recent published attacks
What are the most important capability in a digital risk monitoring solution?
Getting Started in Pentesting the Cloud: AzureBeau Bullock
Webcast Recording: https://www.youtube.com/watch?v=fCbVMWvncuw
Increasingly, more organizations are migrating resources to being hosted in the cloud. With this comes a greater potential for misconfiguration if there isn’t a solid understanding of the attack surface. While there are many similarities between traditional on-premises pentesting and cloud-based pentesting, the latter is an animal of its own. This webcast will attempt to clear up some of the fogginess around cloud-based pentesting, specific to Microsoft Azure environments, including Microsoft 365.
In order to adequately determine the attack surface, the appropriate coverage areas will be highlighted. Differences between Azure resources and Microsoft 365 can oftentimes be confusing but knowing these differences is key to helping you pivot and escalate privileges. Conditional access policies are great for defining different scenarios for how users can authenticate securely but can also be misconfigured. There are security protections for stopping certain password attacks but some of these can be bypassed. Ultimately, a methodology for testing Azure environments along with tools and techniques will be presented in this talk.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Misconfiguration is define as configuration mistakes that results in unintended application behavior that includes misuse of default passwords, privileges, and excessive debugging information disclosure
Vulnerabilities in modern web applicationsNiyas Nazar
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F19.shtml
bWAPP, or a buggy web application, is a free and open source deliberately insecure web application.It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities.bWAPP prepares one to conduct successful penetration testing and ethical hacking projects.
Attacking ADFS Endpoints with PowerShell Karl Fosaaen - @kfosaaen Active Directory Federation Services (ADFS) has become increasingly popular in the last few years. As a penetration tester, I'm seeing organizations opening themselves up to attacks on ADFS endpoints across the Internet. Manually completing attacks against these endpoints can be tedious. The current native Microsoft management tools are handy, but what if we weaponized them. During this talk, I will show you how to identify domains that support ADFS, confirm email addresses for users of the domain, and help you guess passwords for those users. We'll cover how you can set up your own hosted ADFS domain (on the cheap), and use it to attack other federated domains. On top of that, we'll show you how you can wrap all of the native functionality with PowerShell to automate your attacks. This talk should give penetration testers an overview on how they can start leveraging ADFS endpoints during a penetration test.
https://www.derbycon.com/events/attacking-adfs-endpoints-with-powershell/
Getting Started in Pentesting the Cloud: AzureBeau Bullock
Webcast Recording: https://www.youtube.com/watch?v=fCbVMWvncuw
Increasingly, more organizations are migrating resources to being hosted in the cloud. With this comes a greater potential for misconfiguration if there isn’t a solid understanding of the attack surface. While there are many similarities between traditional on-premises pentesting and cloud-based pentesting, the latter is an animal of its own. This webcast will attempt to clear up some of the fogginess around cloud-based pentesting, specific to Microsoft Azure environments, including Microsoft 365.
In order to adequately determine the attack surface, the appropriate coverage areas will be highlighted. Differences between Azure resources and Microsoft 365 can oftentimes be confusing but knowing these differences is key to helping you pivot and escalate privileges. Conditional access policies are great for defining different scenarios for how users can authenticate securely but can also be misconfigured. There are security protections for stopping certain password attacks but some of these can be bypassed. Ultimately, a methodology for testing Azure environments along with tools and techniques will be presented in this talk.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Misconfiguration is define as configuration mistakes that results in unintended application behavior that includes misuse of default passwords, privileges, and excessive debugging information disclosure
Vulnerabilities in modern web applicationsNiyas Nazar
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F19.shtml
bWAPP, or a buggy web application, is a free and open source deliberately insecure web application.It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities.bWAPP prepares one to conduct successful penetration testing and ethical hacking projects.
Attacking ADFS Endpoints with PowerShell Karl Fosaaen - @kfosaaen Active Directory Federation Services (ADFS) has become increasingly popular in the last few years. As a penetration tester, I'm seeing organizations opening themselves up to attacks on ADFS endpoints across the Internet. Manually completing attacks against these endpoints can be tedious. The current native Microsoft management tools are handy, but what if we weaponized them. During this talk, I will show you how to identify domains that support ADFS, confirm email addresses for users of the domain, and help you guess passwords for those users. We'll cover how you can set up your own hosted ADFS domain (on the cheap), and use it to attack other federated domains. On top of that, we'll show you how you can wrap all of the native functionality with PowerShell to automate your attacks. This talk should give penetration testers an overview on how they can start leveraging ADFS endpoints during a penetration test.
https://www.derbycon.com/events/attacking-adfs-endpoints-with-powershell/
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
Dominic Chell presents "Breaking Secure Mobile Applications" at Hack In The Box 2014.
This presentation details common vulnerabilities that can be found in supposedly secure applications, including BYOD and MDM apps. It also provides an overview of the binary protections that can be implemented to complicate these types of attacks.
Grab the Secure Mobile Application Development Reference here - http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html
Are you looking to build a program to ensure maximum mobile security coverage?
If you are tasked with putting together a security testing program to address risk with internally developed mobile applications, there is no shortage of technical and process factors to consider. It is also critical to balance the security with a positive end-user experience, helping propel the overall brand forward - safely. Without proper mobile security, one significant loss can quickly destroy the trust foundation your company has worked years to craft.
This webinar will provide the security leader an overview of the challenges associated with mobile testing, certain technologies that one can use to identify mobile application vulnerabilities, and repeatable process strategies that will help build the foundation for a recurring testing program.
The session will provide attendees a broad understanding of mobile technologies, as well as a mobile testing launch checklist that will help your organization go from ground floor to a fully-functioning testing program in 30 days.
The session will also include:
An overview of the major mobile technologies and their defining attributes
An overview of how iOS and Android handle certain security issues differently via the Denim Group Mobile Development Reference Guide
An overview of a typical mobile application architecture and how it differs from a web application environment
How important web services are to a typical mobile architecture
The limitations of automated testing and how to augment security reviews to overcome testing gaps
How to make a program repeatable and economically feasible without disrupting the software development process
Though the potential of the IoT is vast, adoption can easily be curtailed by security worries. No company wants their products to be a victim of a hack, yet many do not appear to consider security as a primary driver of design decisions. This presentation will look at IoT security and describe what product designers – regardless of platform – need to be aware of if they want to build a secure and successful device.
IoT security encompasses requirements that are new for many product designers – such as provisioning, authentication, OTA upgrades and link encryption – and weaknesses in any one could potentially be used to compromise the security of the end product. From physical attacks to analysis of communications channels, there are many possible attack vectors that need to be considered.
From hacked routers to refrigerators sending spam email, there have been a lot of scary news stories about Internet of Things (IoT) security, or lack of it. According to the 2014 Hewlett-Packard Internet of Things Research Study, 70% of Internet connected devices they surveyed didn’t even use encrypted network connections. The US Federal Trade Commission (FTC) recently weighed in on the issue too, releasing a report that outlines potential IoT security risks, ranging from unauthorized access and misuse of personal information, to facilitation of attacks on other systems and risks to personal safety.
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
This presentation is part of a series focused on OWASP Mobile Top 10 : We discussed about what is data leakage, places where data could be leaked. sample /examples of data leakage and how it differes from M2: Insecure data storage.
Expand Your Control of Access to IBM i Systems and DataPrecisely
Controlling all the ways your company’s data is being accessed, especially given the proliferation of open source software and other non-traditional data-access methods, is critical to ensuring security and regulatory compliance. This webinar reviews the different ways your data can be accessed, discusses how exit points work and how they can be managed, and why a global data access control strategy is especially important to efficiently protect sensitive data against unwanted access.
Topics include:
• IBM i access methods and risks
• Using exit programs to block traditional and modern access methods
• Real life examples and perspectives
When you work with a lot of companies scrutinizing their security, you get to see some amazing things. One of the joys of being a commercial security consultant working for big name firms, is that you get to see a lot of innovation and interesting approaches to common problems.
However, as great as this is, the discrete projects you work on are usually a small representation of the overall company. When you look at the company in its entirety, a familiar pattern of weakness begins to reveal itself. While some companies are obviously better than others, the majority of companies are actually weak in remarkably similar ways.
My work in the attacker modeled pentest and enterprise risk assessment realms focuses on looking at a company as a whole. The premise is that, this is what an attacker would do. They won’t just try to attack your quarterly code reviewed main web site, or consumer mobile app. They won’t directly attack your PCI relevant systems to get to customer credit card data. They won’t limit their attacks to those purely against your IT infrastructure. Instead – they’ll look at your entire company, and they will play dirty.
In this session, I’ll focus on the things that plague us all (well most of us), and I’ll offer some simple advice for how to try and tackle each of these areas:
– Weaknesses in Physical Security
– Susceptibility to Phishing
– Vulnerability Management Immaturity
– Weaknesses in Authentication
– Poor Network Segmentation
– Loose Data Access Control
– Terrible Host / Network Visibility
– Unwise Procurement & Security Spending Decisions
Modern design is crucial in today's digital environment, and this is especially true for SharePoint intranets. The design of these digital hubs is critical to user engagement and productivity enhancement. They are the cornerstone of internal collaboration and interaction within enterprises.
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamtakuyayamamoto1800
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
Your Digital Assistant.
Making complex approach simple. Straightforward process saves time. No more waiting to connect with people that matter to you. Safety first is not a cliché - Securely protect information in cloud storage to prevent any third party from accessing data.
Would you rather make your visitors feel burdened by making them wait? Or choose VizMan for a stress-free experience? VizMan is an automated visitor management system that works for any industries not limited to factories, societies, government institutes, and warehouses. A new age contactless way of logging information of visitors, employees, packages, and vehicles. VizMan is a digital logbook so it deters unnecessary use of paper or space since there is no requirement of bundles of registers that is left to collect dust in a corner of a room. Visitor’s essential details, helps in scheduling meetings for visitors and employees, and assists in supervising the attendance of the employees. With VizMan, visitors don’t need to wait for hours in long queues. VizMan handles visitors with the value they deserve because we know time is important to you.
Feasible Features
One Subscription, Four Modules – Admin, Employee, Receptionist, and Gatekeeper ensures confidentiality and prevents data from being manipulated
User Friendly – can be easily used on Android, iOS, and Web Interface
Multiple Accessibility – Log in through any device from any place at any time
One app for all industries – a Visitor Management System that works for any organisation.
Stress-free Sign-up
Visitor is registered and checked-in by the Receptionist
Host gets a notification, where they opt to Approve the meeting
Host notifies the Receptionist of the end of the meeting
Visitor is checked-out by the Receptionist
Host enters notes and remarks of the meeting
Customizable Components
Scheduling Meetings – Host can invite visitors for meetings and also approve, reject and reschedule meetings
Single/Bulk invites – Invitations can be sent individually to a visitor or collectively to many visitors
VIP Visitors – Additional security of data for VIP visitors to avoid misuse of information
Courier Management – Keeps a check on deliveries like commodities being delivered in and out of establishments
Alerts & Notifications – Get notified on SMS, email, and application
Parking Management – Manage availability of parking space
Individual log-in – Every user has their own log-in id
Visitor/Meeting Analytics – Evaluate notes and remarks of the meeting stored in the system
Visitor Management System is a secure and user friendly database manager that records, filters, tracks the visitors to your organization.
"Secure Your Premises with VizMan (VMS) – Get It Now"
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
Designing for Privacy in Amazon Web ServicesKrzysztofKkol1
Data privacy is one of the most critical issues that businesses face. This presentation shares insights on the principles and best practices for ensuring the resilience and security of your workload.
Drawing on a real-life project from the HR industry, the various challenges will be demonstrated: data protection, self-healing, business continuity, security, and transparency of data processing. This systematized approach allowed to create a secure AWS cloud infrastructure that not only met strict compliance rules but also exceeded the client's expectations.
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTier1 app
Even though at surface level ‘java.lang.OutOfMemoryError’ appears as one single error; underlyingly there are 9 types of OutOfMemoryError. Each type of OutOfMemoryError has different causes, diagnosis approaches and solutions. This session equips you with the knowledge, tools, and techniques needed to troubleshoot and conquer OutOfMemoryError in all its forms, ensuring smoother, more efficient Java applications.
A Comprehensive Look at Generative AI in Retail App Testing.pdfkalichargn70th171
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Globus
Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.
Quarkus Hidden and Forbidden ExtensionsMax Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey.
Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience.
Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system.
Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.
Into the Box Keynote Day 2: Unveiling amazing updates and announcements for modern CFML developers! Get ready for exciting releases and updates on Ortus tools and products. Stay tuned for cutting-edge innovations designed to boost your productivity.
2. About me
!
!
!
@mgianarakis
Practice Manager at Securus Global
Application security for most of the last decade
Good guy that thinks like a bad guy
3. This presentation
• Aims to give a good overview of how to design
secure iOS applications
• Focuses on the key security issues commonly
found in iOS applications
• Not a guide to hacking iOS applications
4. Topics
• Overview of the iOS attack surface
• Common iOS security issues
• Secure iOS application design principles
• Secure development approaches for key security
iOS issues
6. Other
Apps
Your App
3rd Party
Services
Network
iOS
Device
Your
Backend
IPC,
iOS 8
Extensions
WiFi, LTE
7. Other
Apps
Your App
3rd Party
Services
Network
iOS
Device
Your
Backend
Malicious apps
Jailbroken or
compromised
device
Man in the
middle attacks
Server
compromise
and
web attacks
8. Understanding the risk
profile of your app
• Important first step that is often overlooked.
• Drives the security design of your application
• Key considerations:
• What information is in the app and how sensitive/valuable is it?
• Who are the likely threat actors? How capable are they?
• What are the likely attack scenarios for each threat actor?
• What is your tolerance for risk?
• Regulatory requirements?
10. Common Issues
• Based on working with a range of companies and a variety of
applications including:
• Mobile banking and trading apps
• Board paper apps
• Internal business apps
• Retail apps
• Social networking apps
• Games
11. Common Issues
• Binary and Runtime Security Issues
• Transport Layer Security Issues
• Data Security Issues
12. Get these right and you are well
and truly ahead of the pack
18. Binary and Runtime
Security
• As a reflective language, Objective-C can observe
and modify it’s own behaviour at runtime.
• Can be great from a development perspective
• Not so much from a security perspective
19. Binary and Runtime
Security
• The ability to create and call ad hoc classes and methods on the fly
allows attackers to manipulate and abuse the runtime of the application:
• Bypass security locks
• Break logic checks
• Escalate privilege
• Steal information from memory.
• Implementing runtime security checks significantly increases the
security of your application
• You should always assume that your application will run on a
compromised device
21. Myths surrounding
jailbreaking
• Generally speaking, iOS is one of the most secure
operating systems available
• One of the defining security features of iOS is the
chain of trust. Every bit of code is signed and
approved by Apple.
• Break that trust and all bets are off
22. Myths surrounding
jailbreaking
• Some of the security issues discussed in this
presentation will require a compromised device
• This is usually the cause of a lot of
misunderstanding when it comes to assessing the
impact of these issue
23. Myth 1 - Public jailbreaks
are the only jailbreaks
• I often hear “but there is no jailbreak for version
x.x.x so we are safe”
• FACT: Public jailbreaks for every version of iOS
released so far
• FACT: Not all users update to the latest firmware
• FACT: iOS vulnerabilities are extremely valuable,
there are many more exploits than just those that
people give out for free on the internet
24. Myth 2 - Jailbreaks require
physical access to the device
• I often hear “well someone would need to steal the device to compromise
it”
• FACT: Not all exploits require physical access.
• jailbreakme.com TIF image processing vulnerability and PDF
processing vulnerability required only a user visit a web page in Safari
• Remote code execution via SMS found by Charlie Miller (https://
www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-
Miller-FuzzingPhone-PAPER.pdf)
• Nitro JIT vulnerability to download and execute unsigned code via
POC app that was approved also found by Charlie Miller (http://
reverse.put.as/wp-content/uploads/2011/06/
syscan11_breaking_ios_code_signing.pdf)
25. Myth 3 - Jailbreaks are
always obvious to the user
• It is a commonly held misconception that if Cydia
is not on the device then it is not jailbroken.
• Cydia is an app that is commonly installed with
public jailbreaks but is certainly not a prerequisite
or in any way required for a jailbreak.
• In fact, any kind of targeted exploit is unlikely to
install Cydia in the first place.
26. Myth 4 - Jailbreaking is
Apple’s problem
• FACT: The security of your app, your data and your
users is your responsibility.
• FACT: The security risk to your organisation is your
responsibility. You will be the one that suffers the
impact if your app is compromised and you should
be actively managing that risk.
• FACT: Apple won’t secure your app for you.
27. Myth 5 - You can completely
protect against jailbreaking
• FACT: Unfortunately you will never be able to
completely secure an application.
• The idea is to raise the bar for the security of your
app so that it becomes too difficult or costly to
attack.
29. Debug Check
• A simple and effective method of securing the
runtime is to implement anti-debugging control.
• There may be reasons to allow an application to
run on a jailbroken device but there are no
legitimate reasons for debugging a production
application
30. Debug Check
• Debugging protection can be implemented using the following
techniques:
• Periodically monitoring the process state flag to determine if
application process is being debugged and then terminating
the process.
• Using the ptrace request PT_DENY_ATTACH two prevent
future tracing of the process. This can be done with the
following function call from within the application:
• ptrace(31,0,0,0)
• These techniques should be used in conjunction with each other to
provide a more robust anti-debugging control.
31. Jailbreak Detection
• There are multiple ways to implement jailbreak
detection but the two most common methods are:
• File system check
• Sandbox integrity check
!
32. Jailbreak Detection
• File system checks test for the presence of files that are typically
found on jailbroken devices.
• Some examples of files to look for:
• /Library/MobileSubstrate/MobileSubstrate.dylib
• /var/cache/apt
• /var/lib/apt
• /bin/bash and /bin/sh
• /usr/sbin/sshd and /etc/ssh/sshd_config
33. Jailbreak Detection
• When implementing a file system check you
should ensure you check for multiple files using
different methods such as fileExistsAtPath
and isReadableFileAtPath
!
!
34. Jailbreak Detection
• A sandbox integrity check tests that the integrity of
Apple’s sandbox is intact on the device, and that the
application is running inside it.
• A sandbox integrity check works by attempting to
perform an operation that would not typically
succeed on a device that has not been jailbroken.
• A common test is to attempt to use the fork function
to spawn a new child process which will succeed if
the sandbox has been compromised or if the
application is running outside of the sandbox
35. Jailbreak Detection
• Check out the IMAS project’s Security Check
module https://github.com/project-imas/
security-check
!
!
!
36. Inline Functions
• Any sensitive functions such as the security
checks should be compiled as inline functions
• Inlining functions complicates attacks that involve
editing memory and patching the application by
forcing an attacker to find and patch all
occurrences of the code.
• Specify a function as inline using the
__attribute__((always_inline)) compiler
directive.
37. Inline Functions
• This directive may not always be honoured however. To
minimise the chance that this will happen configure the
following:
• Set the -finline-limit compiler flag high enough to
allow for inlining of your code (e.g. 5000)
• Set the optimisation level at least -O1
• Don’t use -unit-at-a-time (note this is automatically
set at -O3 and above
• Don’t use -keep-inline-functions if your functions
are static
38. Address Space Validation
• Any time malicious code is injected into your
application it must be loaded into an address
space
• Validating the address space adds complexity to
attacks as it forces an attacker to inject the
malicious code into the existing address space
with the valid code or attacking dynamic linker
39. Address Space Validation
• The dladdr function in the dynamic linker library
returns information about the address space a
particular function belongs to.
• Passing it the function pointer of a class’s method
implementation can determine whether it came
from your app, Apple’s frameworks, or an
unknown/malicious source
40. Avoid Simple Logic
• Simple logic checks for security functions and
business logic are susceptible to to manipulation.
• Examples include:
• - (BOOL) isLoggedIn
• BOOL isJailbroken = YES
• - (void) setDebugFlag
42. Securing Memory
• Instance variables stored within Objective-C objects
can be easily mapped inside the Objective-C runtime.
• Never store anything in memory until the user has
authenticated and data has been decrypted.
• Manually allocate memory for sensitive data rather
than storing the data (or pointers to this data) inside
Objective-C instance variables.
• Wipe sensitive data from memory when it’s not
needed.
45. Transport Layer Security
• Users will connect their devices to untrusted
networks
• If your app handles sensitive data you should be
encrypting all traffic between the app and the
back end.
46. Protocol Version
• If using NSURLSession you can specify the
minimum supported TLS protocol version by
setting the TLSMinimumSupportedProtocol
property in the NSURLSessionConfiguration
!
!
47. Cipher Suites
• You should disable support for low and medium strength
cipher suites on the server
• Medium:
!
!
• Low:
!
48. Certificate Validation
!
• Always perform certificate validation checks
• When using Apple frameworks iOS will accept a
certificate if it’s signed by a CA in the trust store
• Certificate validation checks will often be overridden
in development to avoid issues with self-signed certs.
• Typically this is encapsulated in a variable somewhere
or in some other simple logic that can be subverted.
50. Certificate Validation
!
• To avoid having to do this, use valid certs in
development (e.g. free certs)
• If you do need to disable validation, ensure that the
production builds essentially “hard code” validation.
• Consider certificate pinning.
51. Certificate Pinning
• Mobile apps are great candidates for certificate
pinning as they only need to communicate with a
small, clearly defined set of servers
• Certificate pinning improves security by removing
the need to trust the certificate authorities.
• iSEC partners have a great library for
implementing certificate pinning https://
github.com/iSECPartners/ssl-conservatory
53. Two types of data security
issues….
• Sensitive data stored on the device by the
application that was not secured appropriately by
the developer
• Unintended data leakage via system functionality
!
54. Insecure Data Storage
• It’s common to find sensitive data stored
insecurely on the device.
• As a general rule sensitive information should not
be stored on the device at all.
• Really consider the need to store sensitive
information on the device. Generally it is
functionally and technically possible to not store
the data at all.
55. Property List Files
• Don’t store sensitive information using
NSUserDefaults. Plist files are unencrypted and
can easily be retrieved from the device and backups
!
!
!
56. SQLite Databases
• Avoid storing sensitive information in SQLite
databases if at all possible.
• If you need to store sensitive information encrypt
the database using SQLCipher https://github.com/
sqlcipher/sqlcipher
• If you are using Core Data the Encrypted Core Data
module of the IMAS project leverages SQLCipher
to encrypt all data that is persisted https://
github.com/project-imas/encrypted-core-data/
57. Data Protection APIs
• If you need to write files with sensitive information to
the device (not credentials) at a minimum write files
with an appropriate data protection attribute
• If you don’t need to access the file in the
background use NSFileProtectionComplete
(for NSFileManager) or
NSDataWritingFileComplete (for NSData).
• With this attribute set the file is encrypted on the file
system and inaccessible when the device is locked.
58. Data Protection APIs
• If you need to access the file in the background use
NSFileProtectionCompleteUnlessOpen for
(NSFileManager) or
NSDataWritingFileProtectionCompleteUnlessOp
en (for NSData)
• With this attribute set the file is encrypted on the file
system and inaccessible while closed.
• When a device is unlocked an app can maintain an open
handle to the file even after it is subsequently locked,
however during this time the file will not be encrypted.
59. Unintended Data
Leakage
• Sensitive data captured and stored automatically
by the operating system.
• Oftentimes developers are unaware that the OS is
storing this information.
60. Background Screenshot
Cache
• Every time an application suspends into the
background, a snapshot is taken to facilitate the
launch animation.
• Stored unencrypted in the app container.
• This allows attackers to view the last thing a user
was looking at when the application was
backgrounded.
62. Background Screenshot
Cache
• Place content clearing code in the state transition
methods applicationDidEnterBackground and
applicationWillResignActive
• The simplest way to clear the screen contents is to
set the key window’s hidden property to YES.
!
!
63. Background Screenshot
Cache
• Be careful, if there are any other views behind the
current view, these may become visible when the key
window is hidden.
• Other methods:
• Manually clearing sensitive info from the current
view
• Placing the launch image in the foreground
• Note: ingoreSnapshotOnNextApplicationLaunch
will not prevent the screenshot from being taken
64. URL Caching
• iOS automatically caches requests and responses
for protocols that support caching (e.g. HTTP/
HTTPS) and stores them unencrypted in a SQLite
database in the app container.
• Make sure to configure the server to send the
appropriate cache control headers:
!
65. URL Caching
• Can also control caching in the client.
• For NSURLConnection implement the
connection:willCacheResponse: delegate method
!
!
• For NSURLSession set the URLCache property to
NULL
66. Logging
• Less of an issue since iOS 7
• Pre-iOS 7 any app was able to view the device
console and thus any sensitive data that was
logged.
• Still a good idea to make sure nothing sensitive is
logged.
67. Logging
• If you must log sensitive information in
development for debugging purposes special
care should be taken to ensure that this code is
not pushed to production.
• One way to do this is to redefine NSLog with a pre-processor
macro such as #define NSLog(…)
68. Pasteboard
• When the Cut or Copy buttons are tapped, a
cached copy of the data stored on the device’s
clipboard -/private/var/mobile/Library/
Caches/com.apple.UIKit.pboard/
pasteboard.
• If the application handles sensitive data that may
be copied to the pasteboard consider disabling
Copy/Paste functionality for sensitive text fields
(note this is done by default for password fields)
69. Pasteboard
• To disable pasteboard operations for sensitive
fields subclass UITextView and override the
canPerformAction:withSender: method to
return NO for actions that you don’t want to allow
or just disable the menu completely
!
!
70. Autocorrect Cache
• iOS keeps a binary keyboard cache containing ordered
phrases of text entered by the user – /private/var/
mobile/Library/Keyboard/dynamic-text.dat
• To avoid writing data to this cache you should turn
autocorrect off in text fields whose input should remain
private.
• To turn autocorrect off, the developer should set
textField.autocorrectionType to
UITextAutocorrectionTypeNo for all sensitive text
fields
72. Cryptography
• Getting cryptography right in mobile apps is
difficult.
• The primary challenge is key management.
• Most apps fall prey to storing the key with the lock.
• Need to use a key derivation function.
73. Key Management
• Don’t hard code an encryption key in the binary as it
can easily be retrieved running strings on the binary.
• Storing an encryption key in the Keychain is not
secure on compromised devices.
• On a compromised device encryption keys can also
be retrieved from memory. You should manually
allocate memory for encryption keys rather than
storing them in Objective-C instance variables.
• Wipe keys from memory when not needed.
74. Key Management
• Use a key derivation function to derive a key to
use to encrypt the master key.
• Should be based on a secret input such as the
user’s password.
• Don’t just use a cryptographic hash of the key.
• Use a sensible salt such as the
identifierForVendor
75. Insecure Algorithms
• MD5, SHA1, RC4, MD4 algorithms are weak and
should not be used.
!
!
!