SlideShare a Scribd company logo

On hacking & security

Ange Albertini
Ange Albertini

a security 101, targeted at beginners released as is (never presented publicly)

Technology
1 of 100
Download to read offline
on hacking & security Ange Albertini @angealbertini ✉ ange@corkami.com http://www.corkami.com
Preamble
Error is human, so programs have bugs. Some bugs can be exploited to hack into a system.
Java, August 2008 Privilege escalation via hand-made object → silent remote execution private static final String ser = "ACED00057372001B6A6176612E [...]"; ObjectInputStream oin = new ObjectInputStream( new ByteArrayInputStream( PayloadX.StringToBytes( ser ) ) );
MySQL, June 2012 Invalid authentication check → instant login as root for i in `seq 1 1000`; do mysql -u root --password= bad -h < remote host > 2>/dev/null ; done
Skype, November 2012 Password reset loophole → hijack account with just e-mail address 1. enter target e-mail 2. create associated dummy account 3. login with dummy 4. request password reset for target account → access contacts + conversations!
Uhlmann & Zacher lock, 2008 electronic lock. uses current to unlock 1. rotate ring magnet a. generates current 2. open lock
Kaba E-Plex 5800 lock, 2011 US Government approved (FIPS 201) ● insert pin under the light cover ○ short-circuiting ● open lock
Apple's iPhone ● the biggest company ○ focusing on a handful of products ● their flagship product ○ fully controlled, software & hardware ● yet repeatedly hacked ○ for fame(?) only
knitting machine, tamagotchis, cars, CPUs
Hacked compagnies ● Sony, Microsoft, Facebook, Google, LinkedIn.. ● T.J. Maxx ○ 45.7 million CCs stolen ○ obsolete Wi-Fi encryption ● NIST's National Vulnerability Database ● Certificate authorities ○ to enable more hacks ● Equifax ○ after their "blind" CISO's keynote
With enough resources, any-thing/one can be hacked. No ready-made software will save you: your attacker can have it too, and has time to prepare
"but I have an anti-virus!" repeat { 1. modify(virus) 2. check(www.VirusTotal.com) } until (NOT detected) think "Great wall of china"
Ready-made software can only help against generic attacks!
think about jails ● guards ○ avoid routine, plannification ● reduce points of entry ● increase visibility
just xored with "RANDOM STRING"
Power Pwn & PwnPlug ● ● ● ● Wireless, Bluetooth, Ethernet, GSM internal storage stealth mode pre-loaded with offensive tools
Removing advanced malware 1. re-flash bios ○ infecting BIOS is a reality 2. hardware wiping ○ encrypted & hidden FileSystem is a reality 3. re-install everything
Introduction
"hackers"?
↕
"hackers", for hackers ● explorer, inventor, finder ● freedom, curiosity, experiment, technical ● use things in an unexpected way ○ get extraordinary results, out of normal things
"hackers", for others (media) ● system intruder ● illegal, malicious, thief, perpetrator ● script kiddie, defacing, "Anonymous"
Why 2 definitions? before ● a culture → intruders = experts now ● a business → many 1-click tools exist → trivial to hack a weak system
Agenda
Agenda 1. 2. 3. 4. 5. A hacking glossary Why hacking? Who are the actors? What/how to hack? A word on viruses
A hacking glossary 1. bug 2. vuln a. CVE 3. exploit a. 0-day i. 1-day 4. cyber weapon ● full/responsible disclosure
"bug" ● a problem in a software/hardware ○ 180 official bugs in Intel's i7 ● an unwanted path of execution ● to be fixed? ○ maybe one day, maybe "WontFix"
"vulnerability" (vuln) ● a bug that creates some weakness ○ a security bug ● crash/hang/information leak ● NOT always an exploit ● a single vuln might be enough for a hack ● minor vulns can be combined
ad published in "Hack In The Box magazine"
"Common Vulnerabilities & Exposures" ● a universal ID for a specific vuln ○ ex: CVE-2012-0217 = "Xen Escape" ● booked in advance ○ not all IDs are documented ● other companies have their own IDs ○ ex: Microsoft's MS12-042 ● not all vulns have IDs
"exploit" ● using one or more vulnerabilities at your advantage, in a user-controllable way. ○ "it's like getting random pieces at IKEA, and try to make a piece of furniture out of it" Thomas Dullien ● it's hard! ○ exact configuration ■ OS/software version ○ escape sandbox ○ avoid compiler/system mitigations
Many vulnerabilities are not exploitable! ↕ Several innocent bugs might be combined into a fully-working exploit!
"Proof of Concept" ● binary/source ● triggers the exploit ○ proves it's real ○ might not work reliably
"to pwn" ● to own, to take control, to defeat ● hacked/exploited = pwned = game over
"0-day" ● an exploit not publicly known yet ○ $5,000 - $600,000 ○ In The Wild ● no documentation or PoC
"1-day" ● exploit is now known ● likely not patched everywhere yet ● generate exploit ○ from before/after patching comparison ○ from PoCs ○ from write-ups → exploitation is much easier
PATCHING IS CRITICAL! removing/isolating obsolescence too!
"cyber weapon" an exploit with a well built payload (pseudo-hype word) ● stealth ○ anti-forensics ○ self-encryption to avoid memory/disk footprint ○ decrypts necessary parts only on final target
Full/responsible disclosure report to everybody or the vendor only? ● give the vendor time to react ○ maybe the vendor will never patch, or sue you, leaving users vulnerable ● some vulns are known yet hidden for years ○ until exploited ITW full disclosure is: ● bad for PR ● 'good' for security ○ force people to act
Why hacking?
For fun / fame! ● "because I can" ● cool/clever ○ dark magic ■ Super Mario World stack overflow via joypad! ● not necessary over-complex ○ we exploit kids' mind all the time ☺
For money! it takes time and skill to generate an exploit. ● why for free? ○ try to feed your family with 'thank you'... ● bug bounties ○ pwn us, tell us how, get paid ○ Facebook hiring former security employees ● pen-testing ○ try to pwn us for XX days
Why buying exploits? ● which company/country wouldn't want to get secrets "magically"? a. buy exploit b. pwn your competitor c. profit
Why attacking me? ● customer informations a. bank accounts ● financial informations ● internal developments a. research project
0-day prices $600K? remote iPhone (2nd JailbreakMe) CanSecWest's Pwn2own 2013 ● ● ● ● ● $100K Chrome + W7 / IE 10 + W8 $75K IE 9 + W7 $65K Safari + Mountain Lion $60K Firefox + W7 plugins, IE9 + Win7 ● $70K Reader 11 / Flash ● $20K Java Google's Pwnium 3 on ChromeOS ● $150K remote + device persistence ● $110K remote
Bounties ● the original error bounty: Donald Knuth ○ $2.56 per error/mistake/suggestion ■ worth much more than the money! ● qmail ○ $500 per exploit, since 1997! ● Google, Mozilla, Avast, IDA, twitter, FB, github ○ slowly becoming mainstream
No money for you 'thank you' only ☹ ● Microsoft, Nokia... report for free, get lawyers' threats ● sadly too many vendors ☹
Who are the actors?
Independant researcher ● whitehat/'ethical hacker' ○ for bug bounties ● blackhat ○ to get it sold via a broker the only difference? ● if vendors gets informed ○ which doesn't mean it will be patched
Private exploit sellers ● to any customer ○ Core, ZDI, Exodus, Immunity ■ many others, 'undercover' or not ● to governments ○ VUPEN not sellers, but active private developers ● defense contractors ○ Northrop Grumman, Crystal Clear, EndGame
Open-source scene ● metasploit ● freedom to check for exploits ITW
What/how can you hack?
Hack what? anything (that can execute code)! ● computers, browsers, processors ● (smart)phones (SIM unlock, jailbreak) ● printers, conference phones ● routers ● ● ● ● hotel room locks, cars, TV, camera tamagotchi, calculator, knitting machine, toys SCADA, Step 7 keyboard, network card, floppy drive
How is it possible? ● error is human ● nobody controls the whole process anymore ○ CPUs and OSes are documented ○ manufacturers want developers to use their product ○ 3rd parties APIs and libraries everywhere ● everything gets more complex ○ increasing attack surface ■ more applications, more libraries, more protocols ■ web browser: CSS 3D, WebGL, MathML
How do you find vulnerabilities? ● pure accident ○ "it just crashed" ● happy accident ○ unexpected crash while researching a topic ● monitor official sources/bug trackers ● (smart) bruteforcing ○ fuzzing, gathering crash info ○ a silent crash might do the trick ● analysis ○ disassembly (very time consuming)
Methodology "it's like reviewing a paper: just look for errors" "if you rely on public tools or approach, you will limit yourself like everyone else before"
Notable vulnerabilities Pentium's LOCK CMPXCHG8B ● computer crash in one instruction Tavis Ormandy's KiRaiseAssertion ● Windows crash in 2 instructions ○ patched in one instruction my own example ● researching on PE. accidental BSOD
Why turning vulns into exploit? people don't move until they're pwned ● "I personally consider security bugs to be just 'normal bugs' " Linus Torvald ● Oracle: critical vuln known for months until exploited for malware exploit = vulns + control + defeating mitigations! (+ anti-forensics if weaponized)
Notable exploits ● Sergei Golubchik's MySQL CVE-2012-2122 ○ keep knocking until (admin) door wide open ● Sergey Glazunov's Chrome Pwnium ○ 14 chained vulnerabilities ■ including downgrading privileges ○ $60K ● Tavis Ormandy's CVE-2010-0232 ○ 17 year old, all 32b NT versions affected
Exploit effects parameter checking ● sql injection (blind) ○ customer/banking information? ○ add malware contents to websites ● browser vulnerabilities ○ bypass authentication, steal token, exfiltrate files foreign code execution ● download malware ● privilege escalation ● host escape
Mitigations ● separation ○ process: sandbox ○ network ● predictability ○ OS randomization ○ configuration randomization (difficult) ○ hardcoded passwords
Software targets ● the OS itself most common software ● Java ● PDF ● Flash ● Office anything else? ● lowest hanging fruit ○ any installed software increases the attack surface
Why is Java the most targeted? ● Oracle is like Adobe 5 years ago ○ no patch until public ○ started hiring known hackers only recently ● Java exploitation is (very) easy ○ hardly no mitigations ■ no mitigations at OS level ○ just a missing 'if (access==granted)' somewhere ● it's a reality ○ a "Java every-day" ■ last 0-day really went unnoticed ○ Just Another Vulnerability Announcement ○ hacked 4 times at Pwn2Own
How do you hack a company ? (1/3) ● gather information ○ ○ ○ ○ ○ search credentials via google scan network hack wifi visit and plug your notebook buy a used laptop/hard disk on e-bay
How do you hack a company ? (2/3) ● exploit information ○ any obsolete software? ■ ex: PC Anywhere ○ any internal software? ○ anyone vulnerable? ■ buy, bribe, convince ■ take hostage ☺ ● exploit humanity ○ drop USB keys ○ send targeted e-mails ■ most companies have clueless employees ■ the worst the better ☺ ○ waterhole attack
How do you hack a company ? (3/3) ● attack ○ use known attack ■ NMap, Nessus, AutoPwn... ○ develop your own attack ○ buy/trade a 0-day ■ "hackers' standard currency" ○ get in. elevate privileges. get further. ● stay in, stay stealth ○ in the printer,...? ● exfiltrate information ○ random copy metadata on USB sticks ○ visit again
Advanced physical attacks "evil maid attack" ● bios/iPXE (Brossard's Rakshasa) ● boot from other drive (Bania's Kon-Boot) ● firewire/thunderbolt access (Inception) ○ bypass password + elevates privilege ● network card (Delugre) ● keyboard controller (Gazet's Sticky Finger)
Physical access = pwned
Commercial solutions failure (1/2) bound to fail against targeted attacks! ● predictability ○ everybody's copy is identical ● limitations ○ can't be exhaustive ■ compared like washing powders on scanning speed. ● time ● modify binary until not detected ● use VirusTotal to check ○ or black market equivalent to avoid sharing
Commercial solutions failure (2/2) might increase the attack surface! ● deeply integrated into the OS ○ present in each process ● remote connection ● trusted → useable as a trampoline for attack ● Tavis Ormandy's Sophail ○ "installing Sophos Antivirus exposes machines to considerable risk" ● Kasperky's remote DoS (March 2013)
A word on viruses
Viruses (virii) glossary how they spread 1. trojan 2. worm 3. infector 4. rootkit ○ bootkit what they do 1. ransomware 2. fakeAV 3. infostealer 4. zombie (→ botnet)
"virus" (malware) ● malware for professional ○ virus for others ● generic name, no implication
"trojan [horse]" ● pretends to be clean ● contains ill-intentioned greek soldiers 1. hack a known open-source site 2. backdoor binaries
"worm" ● just replicates to survive ○ network, usb key, 0-days, mail, p2p ○ standard modern feature Slammer ● one single packet containing a. packet infos b. MS02-039 server exploitation ■ yet patched 6 months before! c. replication
"infectors" ● adds itself to target to spread ○ may be hard/impossible to repair ○ file or disk infectors ● true definition of a virus? ○ not trendy anymore ○ technically advanced ● known file is not innocent anymore ○ tricky for compiling environments
"infostealer/spyware" ● steals (banking/gaming/login) information
banking infostealers technics ● ● ● ● login → keylogger virtual keypad → take screenshot Tan → hook display / fake page mTan ○ Bochum's Nokia ○ smartphone → infect smartphone ● chipTan → fake transaction message ■ there's no patch for human stupidity
"ransomware" ● pay to unlock your system ● either ○ prevent booting ■ usually (very) easy ○ encrypt your personal documents ■ can be hard ■ or impossible if buggy
"rootkit" ● hider, cloaker ○ used by Sony, Blizzard,... ● just a component to hide the main part
"zombie" ● a device (most likely PC) ● pwned by a generic malware "botnet" a set of zombies connected together typically in a P2P way. "sinkholing" exploit a botnet to it take over
standard malware ● a bit of everything ● just rent services ○ ○ ○ ○ binary obfuscation credit card checking captcha solvers hosting ● uses of a botnet ○ ○ ○ ○ ○ ○ spying distributed parallel filestorage (child pornography) anonymous proxy spam, DDOS click ads bitcoin mining
"exploit kit" ● ready-made malware infection kit ● complete infection and maintenance software ● from a single script on a page to full remote management of the botnet easy 0-days (java/pdf/html/flash) → download
"bootkit" ● boot infector + on-the-fly patcher ● the OS is modified during loading ○ no file footprint ● originally used to install rootkit ● bootkit-based tools ○ Piotr Bania's Kon-Boot ■ bypass log-in+elevate rights ○ Saferbytes x86 memory bootkit ■ enable more memory usage
"Advanced Persistant Threat" ● hype ○ created by US AirForce in 2005 ■ public for operation Aurora, 3/2010 ○ you're just pwned, but your company is famous ● targeted attack? not even always StuxNet, Flame = awesome most others are just 'standard'
resilient yet ITW ● bootkit + encrypted FS at the end of the drive ● no visible file from the system ○ yet updateable ● resist formatting
state-sponsorised spyware ● a reality ○ Finfisher ○ Bundestrojan ○ got a job offer for that! ● stealth ○ low footprint (Duqu) ○ no replication ● recent laws make it possible ○ public french regrets ■ for not having one!
generic vs targeted Generic:quick and efficient, avoid AV ● malicious from the start ● evades AVs, infect Targeted: stealth ● look 100% clean ○ even at 2nd look (integrate in existing software) ○ does nothing on non-target ■ might be impossible to get it working ○ don't disclose any information
Conclusion
security is hard! secure = powered off not good for business ☹
"secure" = resisting to attack
the more predictable, the more manageable... ...and the more hackable!
Face reality error is human software have bugs hardware have bugs → you will be pwned, if someone really wants ● but for how long? ○ kill the time factor ● and to what extend? ○ kill the predictability factor ● anything can be a target ○ any minor hack will lead to "X has been hacked"
Thank YOU! Questions? @angealbertini ✉ ange@corkami.com

Recommended

Crypto Hot Cases – One Year Backward
Crypto Hot Cases – One Year BackwardCrypto Hot Cases – One Year Backward
Crypto Hot Cases – One Year BackwardPositive Hack Days
 
Security its-more-than-just-your-database-you-should-worry-about
Security its-more-than-just-your-database-you-should-worry-aboutSecurity its-more-than-just-your-database-you-should-worry-about
Security its-more-than-just-your-database-you-should-worry-aboutDavid Busby, CISSP
 
The art of android hacking
The art of android hackingThe art of android hacking
The art of android hackingAbhinav Mishra
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Zoltan Balazs
 
Security its-more-than-just-your-database-you-should-worry-about
Security its-more-than-just-your-database-you-should-worry-aboutSecurity its-more-than-just-your-database-you-should-worry-about
Security its-more-than-just-your-database-you-should-worry-aboutDavid Busby, CISSP
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseAndrew Morris
 
サイバー犯罪・サイバースパイ活動とアイデンティティ_11-04-2011
サイバー犯罪・サイバースパイ活動とアイデンティティ_11-04-2011サイバー犯罪・サイバースパイ活動とアイデンティティ_11-04-2011
サイバー犯罪・サイバースパイ活動とアイデンティティ_11-04-2011Gohsuke Takama
 

Recommended

Crypto Hot Cases – One Year Backward
Crypto Hot Cases – One Year BackwardCrypto Hot Cases – One Year Backward
Crypto Hot Cases – One Year BackwardPositive Hack Days
 
Security its-more-than-just-your-database-you-should-worry-about
Security its-more-than-just-your-database-you-should-worry-aboutSecurity its-more-than-just-your-database-you-should-worry-about
Security its-more-than-just-your-database-you-should-worry-aboutDavid Busby, CISSP
 
The art of android hacking
The art of android hackingThe art of android hacking
The art of android hackingAbhinav Mishra
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Zoltan Balazs
 
Security its-more-than-just-your-database-you-should-worry-about
Security its-more-than-just-your-database-you-should-worry-aboutSecurity its-more-than-just-your-database-you-should-worry-about
Security its-more-than-just-your-database-you-should-worry-aboutDavid Busby, CISSP
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseAndrew Morris
 
サイバー犯罪・サイバースパイ活動とアイデンティティ_11-04-2011
サイバー犯罪・サイバースパイ活動とアイデンティティ_11-04-2011サイバー犯罪・サイバースパイ活動とアイデンティティ_11-04-2011
サイバー犯罪・サイバースパイ活動とアイデンティティ_11-04-2011Gohsuke Takama
 
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)Vale Security Conference
 
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAndroid "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAbhinav Mishra
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedZoltan Balazs
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoJohn Bambenek
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
 
Android Attacks
Android AttacksAndroid Attacks
Android AttacksMichael Scovetta
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupA (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupEC-Council
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleJohn Bambenek
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!CTruncer
 
QAing the security way!
QAing the security way!QAing the security way!
QAing the security way!Amit Gundiyal
 
vodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016John Bambenek
 
Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveZoltan Balazs
 
Peerlyst Delhi NCR Chapter Meet
Peerlyst Delhi NCR Chapter MeetPeerlyst Delhi NCR Chapter Meet
Peerlyst Delhi NCR Chapter MeetAbhinav Mishra
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
 
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botCheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botGroup of company MUK
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012Andrew Morris
 
Ple18 web-security-david-busby
Ple18 web-security-david-busbyPle18 web-security-david-busby
Ple18 web-security-david-busbyDavid Busby, CISSP
 
Why we are getting better at catching nation-state sponsored malware
Why we are getting better at catching nation-state sponsored malwareWhy we are getting better at catching nation-state sponsored malware
Why we are getting better at catching nation-state sponsored malwarePositive Hack Days
 

More Related Content

What's hot

Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)Vale Security Conference
 
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAndroid "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAbhinav Mishra
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedZoltan Balazs
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoJohn Bambenek
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupA (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupEC-Council
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleJohn Bambenek
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!CTruncer
 
QAing the security way!
QAing the security way!QAing the security way!
QAing the security way!Amit Gundiyal
 
vodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016John Bambenek
 
Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveZoltan Balazs
 
Peerlyst Delhi NCR Chapter Meet
Peerlyst Delhi NCR Chapter MeetPeerlyst Delhi NCR Chapter Meet
Peerlyst Delhi NCR Chapter MeetAbhinav Mishra
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
 
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botCheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botGroup of company MUK
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012Andrew Morris
 

What's hot (20)

Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
 
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAndroid "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using Crypto
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
 
Android Attacks
Android AttacksAndroid Attacks
Android Attacks
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupA (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at Scale
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
 
QAing the security way!
QAing the security way!QAing the security way!
QAing the security way!
 
vodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security way
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016
 
Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a five
 
Peerlyst Delhi NCR Chapter Meet
Peerlyst Delhi NCR Chapter MeetPeerlyst Delhi NCR Chapter Meet
Peerlyst Delhi NCR Chapter Meet
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
 
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botCheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving bot
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012
 

Similar to On hacking & security

Ple18 web-security-david-busby
Ple18 web-security-david-busbyPle18 web-security-david-busby
Ple18 web-security-david-busbyDavid Busby, CISSP
 
Why we are getting better at catching nation-state sponsored malware
Why we are getting better at catching nation-state sponsored malwareWhy we are getting better at catching nation-state sponsored malware
Why we are getting better at catching nation-state sponsored malwarePositive Hack Days
 
Hit by a Cyberattack: lesson learned
Hit by a Cyberattack: lesson learned Hit by a Cyberattack: lesson learned
Hit by a Cyberattack: lesson learnedB.A.
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018Codemotion
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringbartblaze
 
Security for Data Scientists
Security for Data ScientistsSecurity for Data Scientists
Security for Data ScientistsDavid Arcos
 
The Risks of YOLOing-2.pdf
The Risks of YOLOing-2.pdfThe Risks of YOLOing-2.pdf
The Risks of YOLOing-2.pdfHacken
 
Online Privacy & Computer Security Basics (September 2017)
Online Privacy & Computer Security Basics (September 2017)Online Privacy & Computer Security Basics (September 2017)
Online Privacy & Computer Security Basics (September 2017)Kit O'Connell
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzDeepanshu Gajbhiye
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Hyper Island - 2012
Hyper Island - 2012Hyper Island - 2012
Hyper Island - 2012Detectify
 
"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser AliHackIT Ukraine
 
HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!F _
 
Privacy is a UX problem (David Dahl)
Privacy is a UX problem (David Dahl)Privacy is a UX problem (David Dahl)
Privacy is a UX problem (David Dahl)Future Insights
 
Advanced googling
Advanced googlingAdvanced googling
Advanced googlingsonuagain
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing DevelopmentCTruncer
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamOWASP Delhi
 
Io t slides_iotvillage
Io t slides_iotvillageIo t slides_iotvillage
Io t slides_iotvillageagmoneyy
 

Similar to On hacking & security (20)

Ple18 web-security-david-busby
Ple18 web-security-david-busbyPle18 web-security-david-busby
Ple18 web-security-david-busby
 
Why we are getting better at catching nation-state sponsored malware
Why we are getting better at catching nation-state sponsored malwareWhy we are getting better at catching nation-state sponsored malware
Why we are getting better at catching nation-state sponsored malware
 
Hit by a Cyberattack: lesson learned
Hit by a Cyberattack: lesson learned Hit by a Cyberattack: lesson learned
Hit by a Cyberattack: lesson learned
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
 
Security for Data Scientists
Security for Data ScientistsSecurity for Data Scientists
Security for Data Scientists
 
The Risks of YOLOing-2.pdf
The Risks of YOLOing-2.pdfThe Risks of YOLOing-2.pdf
The Risks of YOLOing-2.pdf
 
Online Privacy & Computer Security Basics (September 2017)
Online Privacy & Computer Security Basics (September 2017)Online Privacy & Computer Security Basics (September 2017)
Online Privacy & Computer Security Basics (September 2017)
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritz
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
Hyper Island - 2012
Hyper Island - 2012Hyper Island - 2012
Hyper Island - 2012
 
"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali
 
HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!
 
Privacy is a UX problem (David Dahl)
Privacy is a UX problem (David Dahl)Privacy is a UX problem (David Dahl)
Privacy is a UX problem (David Dahl)
 
Advanced googling
Advanced googlingAdvanced googling
Advanced googling
 
Google Hacking
Google HackingGoogle Hacking
Google Hacking
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing Development
 
Spo2 t19 spo2-t19
Spo2 t19 spo2-t19Spo2 t19 spo2-t19
Spo2 t19 spo2-t19
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
 
Io t slides_iotvillage
Io t slides_iotvillageIo t slides_iotvillage
Io t slides_iotvillage
 

More from Ange Albertini

Technical challenges with file formats
Technical challenges with file formatsTechnical challenges with file formats
Technical challenges with file formatsAnge Albertini
 
Relations between archive formats
Relations between archive formatsRelations between archive formats
Relations between archive formatsAnge Albertini
 
Abusing archive file formats
Abusing archive file formatsAbusing archive file formats
Abusing archive file formatsAnge Albertini
 
You are *not* an idiot
You are *not* an idiotYou are *not* an idiot
You are *not* an idiotAnge Albertini
 
Improving file formats
Improving file formatsImproving file formats
Improving file formatsAnge Albertini
 
An introduction to inkscape
An introduction to inkscapeAn introduction to inkscape
An introduction to inkscapeAnge Albertini
 
The challenges of file formats
The challenges of file formatsThe challenges of file formats
The challenges of file formatsAnge Albertini
 
Exploiting hash collisions
Exploiting hash collisionsExploiting hash collisions
Exploiting hash collisionsAnge Albertini
 
Connecting communities
Connecting communitiesConnecting communities
Connecting communitiesAnge Albertini
 
TASBot - the perfectionist
TASBot - the perfectionistTASBot - the perfectionist
TASBot - the perfectionistAnge Albertini
 
Caring for file formats
Caring for file formatsCaring for file formats
Caring for file formatsAnge Albertini
 
Trusting files (and their formats)
Trusting files (and their formats)Trusting files (and their formats)
Trusting files (and their formats)Ange Albertini
 
Let's write a PDF file
Let's write a PDF fileLet's write a PDF file
Let's write a PDF fileAnge Albertini
 

More from Ange Albertini (20)

Technical challenges with file formats
Technical challenges with file formatsTechnical challenges with file formats
Technical challenges with file formats
 
Relations between archive formats
Relations between archive formatsRelations between archive formats
Relations between archive formats
 
Abusing archive file formats
Abusing archive file formatsAbusing archive file formats
Abusing archive file formats
 
TimeCryption
TimeCryptionTimeCryption
TimeCryption
 
You are *not* an idiot
You are *not* an idiotYou are *not* an idiot
You are *not* an idiot
 
Improving file formats
Improving file formatsImproving file formats
Improving file formats
 
KILL MD5
KILL MD5KILL MD5
KILL MD5
 
No more dumb hex!
No more dumb hex!No more dumb hex!
No more dumb hex!
 
Beyond your studies
Beyond your studiesBeyond your studies
Beyond your studies
 
An introduction to inkscape
An introduction to inkscapeAn introduction to inkscape
An introduction to inkscape
 
The challenges of file formats
The challenges of file formatsThe challenges of file formats
The challenges of file formats
 
Exploiting hash collisions
Exploiting hash collisionsExploiting hash collisions
Exploiting hash collisions
 
Infosec & failures
Infosec & failuresInfosec & failures
Infosec & failures
 
Connecting communities
Connecting communitiesConnecting communities
Connecting communities
 
TASBot - the perfectionist
TASBot - the perfectionistTASBot - the perfectionist
TASBot - the perfectionist
 
Caring for file formats
Caring for file formatsCaring for file formats
Caring for file formats
 
Hacks in video games
Hacks in video gamesHacks in video games
Hacks in video games
 
Trusting files (and their formats)
Trusting files (and their formats)Trusting files (and their formats)
Trusting files (and their formats)
 
Let's write a PDF file
Let's write a PDF fileLet's write a PDF file
Let's write a PDF file
 
PDF: myths vs facts
PDF: myths vs factsPDF: myths vs facts
PDF: myths vs facts
 

Recently uploaded

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 

Recently uploaded (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

On hacking & security

  • 1. on hacking & security Ange Albertini @angealbertini ✉ ange@corkami.com http://www.corkami.com
  • 3. Error is human, so programs have bugs. Some bugs can be exploited to hack into a system.
  • 4. Java, August 2008 Privilege escalation via hand-made object → silent remote execution private static final String ser = "ACED00057372001B6A6176612E [...]"; ObjectInputStream oin = new ObjectInputStream( new ByteArrayInputStream( PayloadX.StringToBytes( ser ) ) );
  • 5. MySQL, June 2012 Invalid authentication check → instant login as root for i in `seq 1 1000`; do mysql -u root --password= bad -h < remote host > 2>/dev/null ; done
  • 6. Skype, November 2012 Password reset loophole → hijack account with just e-mail address 1. enter target e-mail 2. create associated dummy account 3. login with dummy 4. request password reset for target account → access contacts + conversations!
  • 7.
  • 8. Uhlmann & Zacher lock, 2008 electronic lock. uses current to unlock 1. rotate ring magnet a. generates current 2. open lock
  • 9.
  • 10. Kaba E-Plex 5800 lock, 2011 US Government approved (FIPS 201) ● insert pin under the light cover ○ short-circuiting ● open lock
  • 11.
  • 12. Apple's iPhone ● the biggest company ○ focusing on a handful of products ● their flagship product ○ fully controlled, software & hardware ● yet repeatedly hacked ○ for fame(?) only
  • 14. Hacked compagnies ● Sony, Microsoft, Facebook, Google, LinkedIn.. ● T.J. Maxx ○ 45.7 million CCs stolen ○ obsolete Wi-Fi encryption ● NIST's National Vulnerability Database ● Certificate authorities ○ to enable more hacks ● Equifax ○ after their "blind" CISO's keynote
  • 15. With enough resources, any-thing/one can be hacked. No ready-made software will save you: your attacker can have it too, and has time to prepare
  • 16. "but I have an anti-virus!" repeat { 1. modify(virus) 2. check(www.VirusTotal.com) } until (NOT detected) think "Great wall of china"
  • 17. Ready-made software can only help against generic attacks!
  • 18. think about jails ● guards ○ avoid routine, plannification ● reduce points of entry ● increase visibility
  • 19. just xored with "RANDOM STRING"
  • 20.
  • 21. Power Pwn & PwnPlug ● ● ● ● Wireless, Bluetooth, Ethernet, GSM internal storage stealth mode pre-loaded with offensive tools
  • 22.
  • 23. Removing advanced malware 1. re-flash bios ○ infecting BIOS is a reality 2. hardware wiping ○ encrypted & hidden FileSystem is a reality 3. re-install everything
  • 26.
  • 27. "hackers", for hackers ● explorer, inventor, finder ● freedom, curiosity, experiment, technical ● use things in an unexpected way ○ get extraordinary results, out of normal things
  • 28. "hackers", for others (media) ● system intruder ● illegal, malicious, thief, perpetrator ● script kiddie, defacing, "Anonymous"
  • 29. Why 2 definitions? before ● a culture → intruders = experts now ● a business → many 1-click tools exist → trivial to hack a weak system
  • 31. Agenda 1. 2. 3. 4. 5. A hacking glossary Why hacking? Who are the actors? What/how to hack? A word on viruses
  • 32. A hacking glossary 1. bug 2. vuln a. CVE 3. exploit a. 0-day i. 1-day 4. cyber weapon ● full/responsible disclosure
  • 33. "bug" ● a problem in a software/hardware ○ 180 official bugs in Intel's i7 ● an unwanted path of execution ● to be fixed? ○ maybe one day, maybe "WontFix"
  • 34. "vulnerability" (vuln) ● a bug that creates some weakness ○ a security bug ● crash/hang/information leak ● NOT always an exploit ● a single vuln might be enough for a hack ● minor vulns can be combined
  • 35. ad published in "Hack In The Box magazine"
  • 36. "Common Vulnerabilities & Exposures" ● a universal ID for a specific vuln ○ ex: CVE-2012-0217 = "Xen Escape" ● booked in advance ○ not all IDs are documented ● other companies have their own IDs ○ ex: Microsoft's MS12-042 ● not all vulns have IDs
  • 37. "exploit" ● using one or more vulnerabilities at your advantage, in a user-controllable way. ○ "it's like getting random pieces at IKEA, and try to make a piece of furniture out of it" Thomas Dullien ● it's hard! ○ exact configuration ■ OS/software version ○ escape sandbox ○ avoid compiler/system mitigations
  • 38. Many vulnerabilities are not exploitable! ↕ Several innocent bugs might be combined into a fully-working exploit!
  • 39. "Proof of Concept" ● binary/source ● triggers the exploit ○ proves it's real ○ might not work reliably
  • 40. "to pwn" ● to own, to take control, to defeat ● hacked/exploited = pwned = game over
  • 41. "0-day" ● an exploit not publicly known yet ○ $5,000 - $600,000 ○ In The Wild ● no documentation or PoC
  • 42. "1-day" ● exploit is now known ● likely not patched everywhere yet ● generate exploit ○ from before/after patching comparison ○ from PoCs ○ from write-ups → exploitation is much easier
  • 44. "cyber weapon" an exploit with a well built payload (pseudo-hype word) ● stealth ○ anti-forensics ○ self-encryption to avoid memory/disk footprint ○ decrypts necessary parts only on final target
  • 45. Full/responsible disclosure report to everybody or the vendor only? ● give the vendor time to react ○ maybe the vendor will never patch, or sue you, leaving users vulnerable ● some vulns are known yet hidden for years ○ until exploited ITW full disclosure is: ● bad for PR ● 'good' for security ○ force people to act
  • 47. For fun / fame! ● "because I can" ● cool/clever ○ dark magic ■ Super Mario World stack overflow via joypad! ● not necessary over-complex ○ we exploit kids' mind all the time ☺
  • 48. For money! it takes time and skill to generate an exploit. ● why for free? ○ try to feed your family with 'thank you'... ● bug bounties ○ pwn us, tell us how, get paid ○ Facebook hiring former security employees ● pen-testing ○ try to pwn us for XX days
  • 49. Why buying exploits? ● which company/country wouldn't want to get secrets "magically"? a. buy exploit b. pwn your competitor c. profit
  • 50. Why attacking me? ● customer informations a. bank accounts ● financial informations ● internal developments a. research project
  • 51. 0-day prices $600K? remote iPhone (2nd JailbreakMe) CanSecWest's Pwn2own 2013 ● ● ● ● ● $100K Chrome + W7 / IE 10 + W8 $75K IE 9 + W7 $65K Safari + Mountain Lion $60K Firefox + W7 plugins, IE9 + Win7 ● $70K Reader 11 / Flash ● $20K Java Google's Pwnium 3 on ChromeOS ● $150K remote + device persistence ● $110K remote
  • 52. Bounties ● the original error bounty: Donald Knuth ○ $2.56 per error/mistake/suggestion ■ worth much more than the money! ● qmail ○ $500 per exploit, since 1997! ● Google, Mozilla, Avast, IDA, twitter, FB, github ○ slowly becoming mainstream
  • 53. No money for you 'thank you' only ☹ ● Microsoft, Nokia... report for free, get lawyers' threats ● sadly too many vendors ☹
  • 54. Who are the actors?
  • 55. Independant researcher ● whitehat/'ethical hacker' ○ for bug bounties ● blackhat ○ to get it sold via a broker the only difference? ● if vendors gets informed ○ which doesn't mean it will be patched
  • 56. Private exploit sellers ● to any customer ○ Core, ZDI, Exodus, Immunity ■ many others, 'undercover' or not ● to governments ○ VUPEN not sellers, but active private developers ● defense contractors ○ Northrop Grumman, Crystal Clear, EndGame
  • 57. Open-source scene ● metasploit ● freedom to check for exploits ITW
  • 59. Hack what? anything (that can execute code)! ● computers, browsers, processors ● (smart)phones (SIM unlock, jailbreak) ● printers, conference phones ● routers ● ● ● ● hotel room locks, cars, TV, camera tamagotchi, calculator, knitting machine, toys SCADA, Step 7 keyboard, network card, floppy drive
  • 60. How is it possible? ● error is human ● nobody controls the whole process anymore ○ CPUs and OSes are documented ○ manufacturers want developers to use their product ○ 3rd parties APIs and libraries everywhere ● everything gets more complex ○ increasing attack surface ■ more applications, more libraries, more protocols ■ web browser: CSS 3D, WebGL, MathML
  • 61. How do you find vulnerabilities? ● pure accident ○ "it just crashed" ● happy accident ○ unexpected crash while researching a topic ● monitor official sources/bug trackers ● (smart) bruteforcing ○ fuzzing, gathering crash info ○ a silent crash might do the trick ● analysis ○ disassembly (very time consuming)
  • 62. Methodology "it's like reviewing a paper: just look for errors" "if you rely on public tools or approach, you will limit yourself like everyone else before"
  • 63. Notable vulnerabilities Pentium's LOCK CMPXCHG8B ● computer crash in one instruction Tavis Ormandy's KiRaiseAssertion ● Windows crash in 2 instructions ○ patched in one instruction my own example ● researching on PE. accidental BSOD
  • 64. Why turning vulns into exploit? people don't move until they're pwned ● "I personally consider security bugs to be just 'normal bugs' " Linus Torvald ● Oracle: critical vuln known for months until exploited for malware exploit = vulns + control + defeating mitigations! (+ anti-forensics if weaponized)
  • 65. Notable exploits ● Sergei Golubchik's MySQL CVE-2012-2122 ○ keep knocking until (admin) door wide open ● Sergey Glazunov's Chrome Pwnium ○ 14 chained vulnerabilities ■ including downgrading privileges ○ $60K ● Tavis Ormandy's CVE-2010-0232 ○ 17 year old, all 32b NT versions affected
  • 66. Exploit effects parameter checking ● sql injection (blind) ○ customer/banking information? ○ add malware contents to websites ● browser vulnerabilities ○ bypass authentication, steal token, exfiltrate files foreign code execution ● download malware ● privilege escalation ● host escape
  • 67. Mitigations ● separation ○ process: sandbox ○ network ● predictability ○ OS randomization ○ configuration randomization (difficult) ○ hardcoded passwords
  • 68. Software targets ● the OS itself most common software ● Java ● PDF ● Flash ● Office anything else? ● lowest hanging fruit ○ any installed software increases the attack surface
  • 69. Why is Java the most targeted? ● Oracle is like Adobe 5 years ago ○ no patch until public ○ started hiring known hackers only recently ● Java exploitation is (very) easy ○ hardly no mitigations ■ no mitigations at OS level ○ just a missing 'if (access==granted)' somewhere ● it's a reality ○ a "Java every-day" ■ last 0-day really went unnoticed ○ Just Another Vulnerability Announcement ○ hacked 4 times at Pwn2Own
  • 70. How do you hack a company ? (1/3) ● gather information ○ ○ ○ ○ ○ search credentials via google scan network hack wifi visit and plug your notebook buy a used laptop/hard disk on e-bay
  • 71. How do you hack a company ? (2/3) ● exploit information ○ any obsolete software? ■ ex: PC Anywhere ○ any internal software? ○ anyone vulnerable? ■ buy, bribe, convince ■ take hostage ☺ ● exploit humanity ○ drop USB keys ○ send targeted e-mails ■ most companies have clueless employees ■ the worst the better ☺ ○ waterhole attack
  • 72. How do you hack a company ? (3/3) ● attack ○ use known attack ■ NMap, Nessus, AutoPwn... ○ develop your own attack ○ buy/trade a 0-day ■ "hackers' standard currency" ○ get in. elevate privileges. get further. ● stay in, stay stealth ○ in the printer,...? ● exfiltrate information ○ random copy metadata on USB sticks ○ visit again
  • 73. Advanced physical attacks "evil maid attack" ● bios/iPXE (Brossard's Rakshasa) ● boot from other drive (Bania's Kon-Boot) ● firewire/thunderbolt access (Inception) ○ bypass password + elevates privilege ● network card (Delugre) ● keyboard controller (Gazet's Sticky Finger)
  • 75. Commercial solutions failure (1/2) bound to fail against targeted attacks! ● predictability ○ everybody's copy is identical ● limitations ○ can't be exhaustive ■ compared like washing powders on scanning speed. ● time ● modify binary until not detected ● use VirusTotal to check ○ or black market equivalent to avoid sharing
  • 76. Commercial solutions failure (2/2) might increase the attack surface! ● deeply integrated into the OS ○ present in each process ● remote connection ● trusted → useable as a trampoline for attack ● Tavis Ormandy's Sophail ○ "installing Sophos Antivirus exposes machines to considerable risk" ● Kasperky's remote DoS (March 2013)
  • 77. A word on viruses
  • 78. Viruses (virii) glossary how they spread 1. trojan 2. worm 3. infector 4. rootkit ○ bootkit what they do 1. ransomware 2. fakeAV 3. infostealer 4. zombie (→ botnet)
  • 79. "virus" (malware) ● malware for professional ○ virus for others ● generic name, no implication
  • 80. "trojan [horse]" ● pretends to be clean ● contains ill-intentioned greek soldiers 1. hack a known open-source site 2. backdoor binaries
  • 81. "worm" ● just replicates to survive ○ network, usb key, 0-days, mail, p2p ○ standard modern feature Slammer ● one single packet containing a. packet infos b. MS02-039 server exploitation ■ yet patched 6 months before! c. replication
  • 82. "infectors" ● adds itself to target to spread ○ may be hard/impossible to repair ○ file or disk infectors ● true definition of a virus? ○ not trendy anymore ○ technically advanced ● known file is not innocent anymore ○ tricky for compiling environments
  • 84. banking infostealers technics ● ● ● ● login → keylogger virtual keypad → take screenshot Tan → hook display / fake page mTan ○ Bochum's Nokia ○ smartphone → infect smartphone ● chipTan → fake transaction message ■ there's no patch for human stupidity
  • 85. "ransomware" ● pay to unlock your system ● either ○ prevent booting ■ usually (very) easy ○ encrypt your personal documents ■ can be hard ■ or impossible if buggy
  • 86. "rootkit" ● hider, cloaker ○ used by Sony, Blizzard,... ● just a component to hide the main part
  • 87. "zombie" ● a device (most likely PC) ● pwned by a generic malware "botnet" a set of zombies connected together typically in a P2P way. "sinkholing" exploit a botnet to it take over
  • 88. standard malware ● a bit of everything ● just rent services ○ ○ ○ ○ binary obfuscation credit card checking captcha solvers hosting ● uses of a botnet ○ ○ ○ ○ ○ ○ spying distributed parallel filestorage (child pornography) anonymous proxy spam, DDOS click ads bitcoin mining
  • 89. "exploit kit" ● ready-made malware infection kit ● complete infection and maintenance software ● from a single script on a page to full remote management of the botnet easy 0-days (java/pdf/html/flash) → download
  • 90. "bootkit" ● boot infector + on-the-fly patcher ● the OS is modified during loading ○ no file footprint ● originally used to install rootkit ● bootkit-based tools ○ Piotr Bania's Kon-Boot ■ bypass log-in+elevate rights ○ Saferbytes x86 memory bootkit ■ enable more memory usage
  • 91. "Advanced Persistant Threat" ● hype ○ created by US AirForce in 2005 ■ public for operation Aurora, 3/2010 ○ you're just pwned, but your company is famous ● targeted attack? not even always StuxNet, Flame = awesome most others are just 'standard'
  • 92. resilient yet ITW ● bootkit + encrypted FS at the end of the drive ● no visible file from the system ○ yet updateable ● resist formatting
  • 93. state-sponsorised spyware ● a reality ○ Finfisher ○ Bundestrojan ○ got a job offer for that! ● stealth ○ low footprint (Duqu) ○ no replication ● recent laws make it possible ○ public french regrets ■ for not having one!
  • 94. generic vs targeted Generic:quick and efficient, avoid AV ● malicious from the start ● evades AVs, infect Targeted: stealth ● look 100% clean ○ even at 2nd look (integrate in existing software) ○ does nothing on non-target ■ might be impossible to get it working ○ don't disclose any information
  • 96. security is hard! secure = powered off not good for business ☹
  • 98. the more predictable, the more manageable... ...and the more hackable!
  • 99. Face reality error is human software have bugs hardware have bugs → you will be pwned, if someone really wants ● but for how long? ○ kill the time factor ● and to what extend? ○ kill the predictability factor ● anything can be a target ○ any minor hack will lead to "X has been hacked"