SlideShare une entreprise Scribd logo

Insecurity-In-Security version.2 (2011)

Abhishek Kumar
Abhishek Kumar

Presentation (version.2) from 2011 describing how Security mechanisms placed to secure us are insecure themselves.

Technologie
1  sur  23
Télécharger pour lire hors ligne
““Hacker's WorkHacker's Work isis a Form Ofa Form Of ParticipationParticipation in the Work ofin the Work of God in CreationGod in Creation.”.” -by,-by, Father Antonio Sapadaro (Vatican)Father Antonio Sapadaro (Vatican) Recent New s
Do You?Do You? + O.S. User Accounts + Browse Web + Use Web Services + Use Computer Networks Any Way + Have Any Form Of Binary Data
You Are Not Secure If You Don't...You Are Not Secure If You Don't... + Use Strong Passwords 'n Keep Them Safe + Browse Web In Safe Browsers + Use SSL-ified Web Services + Use Patched Name Servers + Keep Your Data Protected
You Are InSecure Even If You Did...You Are InSecure Even If You Did...
IInnSSecurityecurity SSecurityecurity IInn Security is just maintained... it's never achieved.
First Some history from VersionFirst Some history from Version 11
O.S. User AccountsO.S. User Accounts
Bypass Account ProtectionBypass Account Protection
Vaccinated BrowsersVaccinated Browsers
Browsing <Unknown> WWWBrowsing <Unknown> WWW [+] SMBEnum |=+ using 'file ://', 'res ://', 'resource ://' Say, if it gains success accessing 'file:///c:/oracle/ora81/bin/orclcontainer.bmp' [+] ResTiming Attack |=+ using 'res ://', 'resource ://' to execute So, gains timing for different binaries & Identify which exists
Protector of AllProtector of All
Defeating SSLDefeating SSL [] “Signing Authority” field in Digital Certificates [] Tricking SSL Libraries with NULL Mod Certificates [] Online Certificate Revocation Policy {ResponseStatus=3, ResponseBytes='' || SSL}
Basis Of All NetworksBasis Of All Networks
DNSSEC ain't all GOODDNSSEC ain't all GOOD [] Provides 'Origin Auth', 'Integrity Protection', PKI & even Auth. Denial of Data Existence [] Still No 'Confidentiality' {basics of security} AND CPU-flooding is possible due to exhaustive cryptography [] Variation of DNS Rebinding Attack presented at BH2010 still affected network
Data ForensicsData Forensics
Data Forensic HackersData Forensic Hackers [] Data Carving (Imaging RAM, Dig O.S.) [] Dig Information from Files [] Timestomp, Zipbomb -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- [] Mining Network Traffic for Files/Sessions
Now Some Mystery for VersionNow Some Mystery for Version 22
Hash-Crack on SteroidsHash-Crack on Steroids http://hashcat.net/oclhashcat/
'RSA' Theft & Threat'RSA' Theft & Threat http://www.schneier.com/blog/archives/2011/03/rsa_security_in.html
Comodo Pwn3d CertSComodo Pwn3d CertS Janam Fadaye Rahbar http://www.wired.com/threatlevel/2011/03/comodo_hack/
OpenBSD 'n BackdoorsOpenBSD 'n Backdoors []10yrs back FBI consulted NETSEC, CTO Perry []Lotz of code commit by NETSEC developers []Few daz back, Perry's NDA expired with FBI []Alleged backdoors in IPSEC Stack []FreeBSD inherited lotz code from OpenBSD http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
Samsung Key-loG ConflictSamsung Key-loG Conflict http://arstechnica.com/hardware/news/2011/03/samsung-laptop-keylogger- almost-certainly-a-false-positive.ars
Who Is This Guy?Who Is This Guy? Family Named: AbhishekKr Friends Call: ABK g33k Handle: aBionic {@Twitter, @LinkedIn, @Facebook} Itweet : http://www.twitter.com/aBionic iBlog: http://abhishekkr.wordpress.com Security Enthusiast; Working for ThoughtWorks Inc.; OpenSource Lover My Crime Is That Of CurosityMy Crime Is That Of Curosity ANY QUESTIONS?ANY QUESTIONS?

Recommandé

Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
Abhishek Kumar
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
David Timothy Strauss
 
Security Basics For Developers Knowledge
Security Basics For Developers KnowledgeSecurity Basics For Developers Knowledge
Security Basics For Developers Knowledge
Siva Sankar
 
Defense in Depth: Lessons Learned Securing 200,000 Sites
Defense in Depth: Lessons Learned Securing 200,000 SitesDefense in Depth: Lessons Learned Securing 200,000 Sites
Defense in Depth: Lessons Learned Securing 200,000 Sites
Pantheon
 
Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)
Emily Stark
 
Webinar: Securing your data - Mitigating the risks with MongoDB
Webinar: Securing your data - Mitigating the risks with MongoDBWebinar: Securing your data - Mitigating the risks with MongoDB
Webinar: Securing your data - Mitigating the risks with MongoDB
MongoDB
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets Mallory
Emily Stark
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
Francois Marier
 

Recommandé

Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
Abhishek Kumar
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
David Timothy Strauss
 
Security Basics For Developers Knowledge
Security Basics For Developers KnowledgeSecurity Basics For Developers Knowledge
Security Basics For Developers Knowledge
Siva Sankar
 
Defense in Depth: Lessons Learned Securing 200,000 Sites
Defense in Depth: Lessons Learned Securing 200,000 SitesDefense in Depth: Lessons Learned Securing 200,000 Sites
Defense in Depth: Lessons Learned Securing 200,000 Sites
Pantheon
 
Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)
Emily Stark
 
Webinar: Securing your data - Mitigating the risks with MongoDB
Webinar: Securing your data - Mitigating the risks with MongoDBWebinar: Securing your data - Mitigating the risks with MongoDB
Webinar: Securing your data - Mitigating the risks with MongoDB
MongoDB
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets Mallory
Emily Stark
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
Francois Marier
 
rsa_usa_2019_paula_januszkiewicz
rsa_usa_2019_paula_januszkiewiczrsa_usa_2019_paula_januszkiewicz
rsa_usa_2019_paula_januszkiewicz
ZuzannaKornecka
 
Architecting Secure and Compliant Applications with MongoDB
Architecting Secure and Compliant Applications with MongoDB Architecting Secure and Compliant Applications with MongoDB
Architecting Secure and Compliant Applications with MongoDB
MongoDB
 
NoSql Injection
NoSql InjectionNoSql Injection
NoSql Injection
NSConclave
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
RootedCON
 
Yihan Lian & Zhibin Hu - Smarter Peach: Add Eyes to Peach Fuzzer [rooted2017]
Yihan Lian & Zhibin Hu - Smarter Peach: Add Eyes to Peach Fuzzer [rooted2017]Yihan Lian & Zhibin Hu - Smarter Peach: Add Eyes to Peach Fuzzer [rooted2017]
Yihan Lian & Zhibin Hu - Smarter Peach: Add Eyes to Peach Fuzzer [rooted2017]
RootedCON
 
MongoDB Security Introduction - Presentation
MongoDB Security Introduction - PresentationMongoDB Security Introduction - Presentation
MongoDB Security Introduction - Presentation
Habilelabs
 
Container Security via Monitoring and Orchestration - Container Security Summit
Container Security via Monitoring and Orchestration - Container Security SummitContainer Security via Monitoring and Orchestration - Container Security Summit
Container Security via Monitoring and Orchestration - Container Security Summit
David Timothy Strauss
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
Leszek Mi?
 
Security Features in MongoDB 2.4
Security Features in MongoDB 2.4Security Features in MongoDB 2.4
Security Features in MongoDB 2.4
MongoDB
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
iMasters
 
HTTPS, Here and Now
HTTPS, Here and NowHTTPS, Here and Now
HTTPS, Here and Now
Philippe De Ryck
 
Apache mod security 3.1
Apache mod security 3.1Apache mod security 3.1
Apache mod security 3.1
Hai Dinh Tuan
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Paula Januszkiewicz
 
How to protect your business from Wannacry Ransomware
How to protect your business from Wannacry RansomwareHow to protect your business from Wannacry Ransomware
How to protect your business from Wannacry Ransomware
Kaspersky
 
Real world blockchains
Real world blockchainsReal world blockchains
Real world blockchains
Dmitry Meshkov
 
Top 10 Web Hacks 2013
Top 10 Web Hacks 2013Top 10 Web Hacks 2013
Top 10 Web Hacks 2013
Matt Johansen
 
Vault
VaultVault
Vault
Jean-Philippe Bélanger
 
WannaCry / Wannacrypt Ransomware
WannaCry / Wannacrypt RansomwareWannaCry / Wannacrypt Ransomware
WannaCry / Wannacrypt Ransomware
Ayoub Rouzi
 
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Severalnines
 
WPNYC: Moving your site to HTTPS
WPNYC: Moving your site to HTTPSWPNYC: Moving your site to HTTPS
WPNYC: Moving your site to HTTPS
Paul Schreiber
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PROIDEA
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Rob Fuller
 

Contenu connexe

Tendances

Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
RootedCON
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
Leszek Mi?
 
Security Features in MongoDB 2.4
Security Features in MongoDB 2.4Security Features in MongoDB 2.4
Security Features in MongoDB 2.4
MongoDB
 
Apache mod security 3.1
Apache mod security 3.1Apache mod security 3.1
Apache mod security 3.1
Hai Dinh Tuan
 
How to protect your business from Wannacry Ransomware
How to protect your business from Wannacry RansomwareHow to protect your business from Wannacry Ransomware
How to protect your business from Wannacry Ransomware
Kaspersky
 
Top 10 Web Hacks 2013
Top 10 Web Hacks 2013Top 10 Web Hacks 2013
Top 10 Web Hacks 2013
Matt Johansen
 
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Severalnines
 

Tendances (20)

rsa_usa_2019_paula_januszkiewicz
rsa_usa_2019_paula_januszkiewiczrsa_usa_2019_paula_januszkiewicz
rsa_usa_2019_paula_januszkiewicz
 
Architecting Secure and Compliant Applications with MongoDB
Architecting Secure and Compliant Applications with MongoDB Architecting Secure and Compliant Applications with MongoDB
Architecting Secure and Compliant Applications with MongoDB
 
NoSql Injection
NoSql InjectionNoSql Injection
NoSql Injection
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
 
Yihan Lian & Zhibin Hu - Smarter Peach: Add Eyes to Peach Fuzzer [rooted2017]
Yihan Lian & Zhibin Hu - Smarter Peach: Add Eyes to Peach Fuzzer [rooted2017]Yihan Lian & Zhibin Hu - Smarter Peach: Add Eyes to Peach Fuzzer [rooted2017]
Yihan Lian & Zhibin Hu - Smarter Peach: Add Eyes to Peach Fuzzer [rooted2017]
 
MongoDB Security Introduction - Presentation
MongoDB Security Introduction - PresentationMongoDB Security Introduction - Presentation
MongoDB Security Introduction - Presentation
 
Container Security via Monitoring and Orchestration - Container Security Summit
Container Security via Monitoring and Orchestration - Container Security SummitContainer Security via Monitoring and Orchestration - Container Security Summit
Container Security via Monitoring and Orchestration - Container Security Summit
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
 
Security Features in MongoDB 2.4
Security Features in MongoDB 2.4Security Features in MongoDB 2.4
Security Features in MongoDB 2.4
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
 
HTTPS, Here and Now
HTTPS, Here and NowHTTPS, Here and Now
HTTPS, Here and Now
 
Apache mod security 3.1
Apache mod security 3.1Apache mod security 3.1
Apache mod security 3.1
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
 
How to protect your business from Wannacry Ransomware
How to protect your business from Wannacry RansomwareHow to protect your business from Wannacry Ransomware
How to protect your business from Wannacry Ransomware
 
Real world blockchains
Real world blockchainsReal world blockchains
Real world blockchains
 
Top 10 Web Hacks 2013
Top 10 Web Hacks 2013Top 10 Web Hacks 2013
Top 10 Web Hacks 2013
 
Vault
VaultVault
Vault
 
WannaCry / Wannacrypt Ransomware
WannaCry / Wannacrypt RansomwareWannaCry / Wannacrypt Ransomware
WannaCry / Wannacrypt Ransomware
 
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
 
WPNYC: Moving your site to HTTPS
WPNYC: Moving your site to HTTPSWPNYC: Moving your site to HTTPS
WPNYC: Moving your site to HTTPS
 

Similaire à Insecurity-In-Security version.2 (2011)

PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PROIDEA
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint Security
Alexander Benoit
 

Similaire à Insecurity-In-Security version.2 (2011) (20)

PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Protecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareProtecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry Ransomware
 
Protecting Customer Confidential Information
Protecting Customer Confidential InformationProtecting Customer Confidential Information
Protecting Customer Confidential Information
 
Best Practices of IoT in the Cloud
Best Practices of IoT in the CloudBest Practices of IoT in the Cloud
Best Practices of IoT in the Cloud
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
 
Wi-Foo Ninjitsu Exploitation
Wi-Foo Ninjitsu ExploitationWi-Foo Ninjitsu Exploitation
Wi-Foo Ninjitsu Exploitation
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint Security
 
Enumerating Windows Users
Enumerating Windows UsersEnumerating Windows Users
Enumerating Windows Users
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
 
SSL/TLS for Mortals (JAX DE 2018)
SSL/TLS for Mortals (JAX DE 2018)SSL/TLS for Mortals (JAX DE 2018)
SSL/TLS for Mortals (JAX DE 2018)
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017
 
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by DesignJon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
 
Da APK al Golden Ticket
Da APK al Golden TicketDa APK al Golden Ticket
Da APK al Golden Ticket
 
Kali Linux - Falconer
Kali Linux - FalconerKali Linux - Falconer
Kali Linux - Falconer
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!
 
SSL/TLS for Mortals (Devoxx FR 2018)
SSL/TLS for Mortals (Devoxx FR 2018)SSL/TLS for Mortals (Devoxx FR 2018)
SSL/TLS for Mortals (Devoxx FR 2018)
 

Plus de Abhishek Kumar

An Express Guide ~ Zabbix for IT Monitoring
An Express Guide ~ Zabbix for IT Monitoring An Express Guide ~ Zabbix for IT Monitoring
An Express Guide ~ Zabbix for IT Monitoring
Abhishek Kumar
 
Presentation on "XSS Defeating Concept in (secure)SiteHoster" : 'nullcon-2011'
Presentation on "XSS Defeating Concept in (secure)SiteHoster" : 'nullcon-2011'Presentation on "XSS Defeating Concept in (secure)SiteHoster" : 'nullcon-2011'
Presentation on "XSS Defeating Concept in (secure)SiteHoster" : 'nullcon-2011'
Abhishek Kumar
 

Plus de Abhishek Kumar (16)

DevOps?!@
DevOps?!@DevOps?!@
DevOps?!@
 
xml-motor ~ What,Why,How
xml-motor ~ What,Why,Howxml-motor ~ What,Why,How
xml-motor ~ What,Why,How
 
XML-Motor
XML-MotorXML-Motor
XML-Motor
 
DevOps with Sec-ops
DevOps with Sec-opsDevOps with Sec-ops
DevOps with Sec-ops
 
Syslog Centralization Logging with Windows ~ A techXpress Guide
Syslog Centralization Logging with Windows ~ A techXpress GuideSyslog Centralization Logging with Windows ~ A techXpress Guide
Syslog Centralization Logging with Windows ~ A techXpress Guide
 
Squid for Load-Balancing & Cache-Proxy ~ A techXpress Guide
Squid for Load-Balancing & Cache-Proxy ~ A techXpress GuideSquid for Load-Balancing & Cache-Proxy ~ A techXpress Guide
Squid for Load-Balancing & Cache-Proxy ~ A techXpress Guide
 
Ethernet Bonding for Multiple NICs on Linux ~ A techXpress Guide
Ethernet Bonding for Multiple NICs on Linux ~ A techXpress GuideEthernet Bonding for Multiple NICs on Linux ~ A techXpress Guide
Ethernet Bonding for Multiple NICs on Linux ~ A techXpress Guide
 
Solaris Zones (native & lxbranded) ~ A techXpress Guide
Solaris Zones (native & lxbranded) ~ A techXpress GuideSolaris Zones (native & lxbranded) ~ A techXpress Guide
Solaris Zones (native & lxbranded) ~ A techXpress Guide
 
An Express Guide ~ "dummynet" for tweaking network latencies & bandwidth
An Express Guide ~ "dummynet" for tweaking network latencies & bandwidthAn Express Guide ~ "dummynet" for tweaking network latencies & bandwidth
An Express Guide ~ "dummynet" for tweaking network latencies & bandwidth
 
An Express Guide ~ Zabbix for IT Monitoring
An Express Guide ~ Zabbix for IT Monitoring An Express Guide ~ Zabbix for IT Monitoring
An Express Guide ~ Zabbix for IT Monitoring
 
An Express Guide ~ Cacti for IT Infrastructure Monitoring & Graphing
An Express Guide ~ Cacti for IT Infrastructure Monitoring & GraphingAn Express Guide ~ Cacti for IT Infrastructure Monitoring & Graphing
An Express Guide ~ Cacti for IT Infrastructure Monitoring & Graphing
 
An Express Guide ~ SNMP for Secure Rremote Resource Monitoring
An Express Guide ~ SNMP for Secure Rremote Resource MonitoringAn Express Guide ~ SNMP for Secure Rremote Resource Monitoring
An Express Guide ~ SNMP for Secure Rremote Resource Monitoring
 
Presentation on "XSS Defeating Concept in (secure)SiteHoster" : 'nullcon-2011'
Presentation on "XSS Defeating Concept in (secure)SiteHoster" : 'nullcon-2011'Presentation on "XSS Defeating Concept in (secure)SiteHoster" : 'nullcon-2011'
Presentation on "XSS Defeating Concept in (secure)SiteHoster" : 'nullcon-2011'
 
XSS Defeating Concept - Part 2
XSS Defeating Concept - Part 2XSS Defeating Concept - Part 2
XSS Defeating Concept - Part 2
 
XSS Defeating Trick ~=ABK=~ WhitePaper
XSS Defeating Trick ~=ABK=~ WhitePaperXSS Defeating Trick ~=ABK=~ WhitePaper
XSS Defeating Trick ~=ABK=~ WhitePaper
 
FreeSWITCH on RedHat, Fedora, CentOS
FreeSWITCH on RedHat, Fedora, CentOSFreeSWITCH on RedHat, Fedora, CentOS
FreeSWITCH on RedHat, Fedora, CentOS
 

Dernier

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 

Dernier (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Insecurity-In-Security version.2 (2011)

  • 1. ““Hacker's WorkHacker's Work isis a Form Ofa Form Of ParticipationParticipation in the Work ofin the Work of God in CreationGod in Creation.”.” -by,-by, Father Antonio Sapadaro (Vatican)Father Antonio Sapadaro (Vatican) Recent New s
  • 2. Do You?Do You? + O.S. User Accounts + Browse Web + Use Web Services + Use Computer Networks Any Way + Have Any Form Of Binary Data
  • 3. You Are Not Secure If You Don't...You Are Not Secure If You Don't... + Use Strong Passwords 'n Keep Them Safe + Browse Web In Safe Browsers + Use SSL-ified Web Services + Use Patched Name Servers + Keep Your Data Protected
  • 4. You Are InSecure Even If You Did...You Are InSecure Even If You Did...
  • 6. First Some history from VersionFirst Some history from Version 11
  • 7. O.S. User AccountsO.S. User Accounts
  • 8. Bypass Account ProtectionBypass Account Protection
  • 10. Browsing <Unknown> WWWBrowsing <Unknown> WWW [+] SMBEnum |=+ using 'file ://', 'res ://', 'resource ://' Say, if it gains success accessing 'file:///c:/oracle/ora81/bin/orclcontainer.bmp' [+] ResTiming Attack |=+ using 'res ://', 'resource ://' to execute So, gains timing for different binaries & Identify which exists
  • 12. Defeating SSLDefeating SSL [] “Signing Authority” field in Digital Certificates [] Tricking SSL Libraries with NULL Mod Certificates [] Online Certificate Revocation Policy {ResponseStatus=3, ResponseBytes='' || SSL}
  • 13. Basis Of All NetworksBasis Of All Networks
  • 14. DNSSEC ain't all GOODDNSSEC ain't all GOOD [] Provides 'Origin Auth', 'Integrity Protection', PKI & even Auth. Denial of Data Existence [] Still No 'Confidentiality' {basics of security} AND CPU-flooding is possible due to exhaustive cryptography [] Variation of DNS Rebinding Attack presented at BH2010 still affected network
  • 16. Data Forensic HackersData Forensic Hackers [] Data Carving (Imaging RAM, Dig O.S.) [] Dig Information from Files [] Timestomp, Zipbomb -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- [] Mining Network Traffic for Files/Sessions
  • 17. Now Some Mystery for VersionNow Some Mystery for Version 22
  • 18. Hash-Crack on SteroidsHash-Crack on Steroids http://hashcat.net/oclhashcat/
  • 19. 'RSA' Theft & Threat'RSA' Theft & Threat http://www.schneier.com/blog/archives/2011/03/rsa_security_in.html
  • 20. Comodo Pwn3d CertSComodo Pwn3d CertS Janam Fadaye Rahbar http://www.wired.com/threatlevel/2011/03/comodo_hack/
  • 21. OpenBSD 'n BackdoorsOpenBSD 'n Backdoors []10yrs back FBI consulted NETSEC, CTO Perry []Lotz of code commit by NETSEC developers []Few daz back, Perry's NDA expired with FBI []Alleged backdoors in IPSEC Stack []FreeBSD inherited lotz code from OpenBSD http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
  • 22. Samsung Key-loG ConflictSamsung Key-loG Conflict http://arstechnica.com/hardware/news/2011/03/samsung-laptop-keylogger- almost-certainly-a-false-positive.ars
  • 23. Who Is This Guy?Who Is This Guy? Family Named: AbhishekKr Friends Call: ABK g33k Handle: aBionic {@Twitter, @LinkedIn, @Facebook} Itweet : http://www.twitter.com/aBionic iBlog: http://abhishekkr.wordpress.com Security Enthusiast; Working for ThoughtWorks Inc.; OpenSource Lover My Crime Is That Of CurosityMy Crime Is That Of Curosity ANY QUESTIONS?ANY QUESTIONS?