NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю

•

1 gefällt mir•1,558 views

Positive Hack Days

Ведущий: Маттео Беккаро (Matteo Beccaro) Доклад посвящен общим вопросам транспортной безопасности, мошенничества и технологических сбоев и будет интересен как профессиональным пентестерам, так и любителям. Докладчик рассмотрит несколько серьезных уязвимостей в реальных транспортных системах, в которых используется технология NFC, и продемонстрирует открытое приложение для тестирования таких систем со смартфона.

NFC
Naked Fried Chicken
Matteo Beccaro || Opposing Force
phdays 2016 – May 18, 2016
© Opposing Force. All right reserved.

Who ||
Matteo Beccaro
Founder || Chief Technology Officer at Opposing Force, the first
Italian company specialized in offensive physical security
Twitter: @_bughardy_
© Opposing Force. All right reserved.

Agenda ||
 NFC: What are we talking about?
 Transport system structure
 Our tool
 Pentesting methodology
 Attack Surface
 Analyzing the elements
 Vulnerabilities
 Case studies
© Opposing Force. All right reserved.

Agenda ||
 NFC: What are we talking about?
 Transport system structure
 Our tool
 Pentesting methodology
 Attack Surface
 Analyzing the elements
 Vulnerabilities
 Case studies
© Opposing Force. All right reserved.

NFC: What are we talking about?||
© Opposing Force. All right reserved.
What is NFC?
• NFC stands for Near Field Communication
• Frequency at 13.56 MHz
• 3-5 cm of range
• Widely used in:
– Access Control systems
– Ticketing
– Mobile phones

NFC: What are we talking about?||
© Opposing Force. All right reserved.
NFC most notorious families:
• MIFARE
– MIFARE Classic
– MIFARE Ultralight
– MIFARE DesFire
• HID iClass
• Calypso
• FeliCa

NFC: What are we talking about?||
© Opposing Force. All right reserved.
MIFARE Classic
• Memory storage device ( 1K or 4K )
• Strong access control mechanisms
– A key is required to access data sector
– Use of Crypto1 Crapto1 algorithm
– Broken…
– .. But widely used ( RFID Door token, transport ticket, etc )

NFC: What are we talking about?||
© Opposing Force. All right reserved.
MIFARE Ultralight
• Memory storage device ( 64 bytes )
• Basic security mechanism
– OTP ( One-Time-Programmable ) sector
– Lock bytes sector
– Mostly used for disposable tickets
– It has some more secure children:

NFC: What are we talking about?||
© Opposing Force. All right reserved.
MIFARE DesFire
• Advanced security mechanisms ( 3DES, AES, etc )
• File system structure
• 2KB, 4KB or 8KB memory size
• Several variant:
– DESFIRE, DESFIRE EV1 and DESFIRE EV2

NFC: What are we talking about?||
© Opposing Force. All right reserved.
HID iClass
• Same encryption and authentication keys are shared across
all HID iCLASS Standard Security installations.
• Keys are already been extracted
• Two variants:
– iClass Standard ( common )
– iClass High Secure ( less common )
Both broken

Agenda ||
 NFC: What are we talking about?
 Transport system structure
 Our tool
 Pentesting methodology
 Attack Surface
 Analyzing the elements
 Vulnerabilities
 Case studies
© Opposing Force. All right reserved.

Transport system structure||
© Opposing Force. All right reserved.
 Defining a transportation system:
 We need to create a common methodology
 We need to have tools
 We need to be able to use schemas to help our works

Transport system structure||
© Opposing Force. All right reserved.
 Defining a schema

Transport system structure||
© Opposing Force. All right reserved.
 Defining a schema
Local
Remot
e

Transport system structure||
© Opposing Force. All right reserved.
 More in details…

Transport system structure||
© Opposing Force. All right reserved.
 Token:
 Usually a NFC card
• MIFARE ULTRALIGHT
• MIFARE CLASSIC
• CALYPSO
 Can store:
• multiple rides or subscriptions
• timestamp of last stamping
• details of where it has been used
• other data

Transport system structure||
© Opposing Force. All right reserved.
 Token:
 MIFARE CLASSIC
• Just broken
 MIFARE ULTRALIGHT
• Lock attack
• Time attack
• Reply attack
 Calypso
• All documentation is under NDA

Transport system structure||
© Opposing Force. All right reserved.
 Reader|Controller:
 Can operate offline or online
 Can be wire or wireless connected to the controller
 Usually supports multiple standards
 Its purpose is to check if a ticket is valid and stamp it
 It can stores secrets and keys

Transport system structure||
© Opposing Force. All right reserved.
 Backend
 Sometimes known as “Cloud”
 It can perform several operations:
 Statistics
 OTA updates
 Fraud detection
 Fraud prevention

Agenda ||
 NFC: What are we talking about?
 Transport system structure
 Our tool(s)
 Pentesting methodology
 Attack Surface
 Analyzing the elements
 Vulnerabilities
 Case studies
© Opposing Force. All right reserved.

Our tool(s)||
© Opposing Force. All right reserved.
 What tools we can use:
 HydraNFC
 Proxmark3
 ChameleonMini
 NFCulT

Our tool(s)||
© Opposing Force. All right reserved.
HydraNFC ( ~ 90 € )
• Use Texas Instrument TRF7970A NFC chipset ( 13.56MHz only
)
• MIFARE 1k and 14443A UID emulation
• ISO 14443A sniffing ( also autonomous mode )
• 2 different raw modes
• Still in development ( @hydrabus )
• More info at http://hydrabus.com/hydranfc-1-0-
specifications/

Our tool(s)||
© Opposing Force. All right reserved.
Proxmark3 ( ~ 200 € )
• HF e LF capabilities
• Big community
• Supports almost all known RFID tags
• Supports sniffing
• Supports emulation
• More info at http://proxmark.org/forum/index.php

Our tool(s)||
© Opposing Force. All right reserved.
ChameleonMini ( ~ 100 € )
• HF ( 13.56MHz ) only
• Almost same capabilities of HydraNFC
• Different chipset
• Firmware available only for the old revision at the moment
• More info at http://kasper-oswald.de/gb/chameleonmini/

Our tool(s)||
© Opposing Force. All right reserved.
NFCulT ( ~ 0 € )
• Mobile application for NFC-enabled Android smartphones
• Its aim is to provide quick help during assessment of ticketing
systems
• Implements Lock, Time and Reply attacks
• It has a custom edit mode to edit bit by bit the ticket data
• Supports MIFARE ULTRALIGHT and planned support for
CLASSIC

Our tool(s)||
© Opposing Force. All right reserved.
NFCulT
• Lock Attack
• Set the OTP page in Read-Only mode
• Operation irreversible
• If the reader does not check if it can write
the OTP sector: free rides

Our tool(s)||
© Opposing Force. All right reserved.
NFCulT
• Time Attack
• If you find and decode the timestamp
you can stamp the ticket by yourself.
• Again, free rides

Our tool(s)||
© Opposing Force. All right reserved.
NFCulT
• Reply Attack
• Use of UID magic ticket ( ~ 15 € )
• Can bypass all offline anti fraud prevention
mechanisms
• Guess what? Free rides

Our tool(s)||
© Opposing Force. All right reserved.
NFCulT
• Custom edit
• Useful for understanding the architecture
of the data saved on the ticket ( e.g. for
finding the correct timestamp )
• You can quickly transform from hex to bin
and viceversa
• You can edit bit by bit the data and write
back on the ticket

Agenda ||
 NFC: What are we talking about?
 Transport system structure
 Our tool(s)
 Pentesting methodology
 Attack Surface
 Analyzing the elements
 Vulnerabilities
 Case studies
© Opposing Force. All right reserved.

Pentesting methodology||
© Opposing Force. All right reserved.
What are we looking for?

Pentesting methodology||
© Opposing Force. All right reserved.
Stamping machine
Attack Surface Attacks to Perform Impact
NFC Interface Analyze the stamping
mechanisms
Free tickets
Hardware board Analyze the exposed interface (
JTAG, UART, etc )
Firmware / secrets dumping
GSM/GPRS/Eth Interface Is MITM possible?
Intercepting the data
Intercepting secrets / sensitive
data

Pentesting methodology||
© Opposing Force. All right reserved.
Vending machine
Attack Surface Attacks to Perform Impact
NFC Interface Analyze the recharging
mechanisms
Free tickets, for everyone
Hardware board Analyze the exposed interface (
JTAG, UART, etc )
Firmware / secrets dumping
GSM/GPRS/Eth Interface Is MITM possible?
Intercepting the data
Intercepting secrets / sensitive
data
( e.g. credit card details, etc )
Computer Application Analyzing network services
exposed
Complete control of the machine

Pentesting methodology||
© Opposing Force. All right reserved.
The backend
Attack Surface Attacks to Perform Impact
Web application(s) Web app pentesting Various
Network services Network pentesting Various
Physical location Try to get physical access to the
servers
Pwned

Agenda ||
 NFC: What are we talking about?
 Transport system structure
 Our tool(s)
 Pentesting methodology
 Attack Surface
 Analyzing the elements
 Vulnerabilities
 Case studies
© Opposing Force. All right reserved.

Case studies ||
© Opposing Force. All right reserved.
A MIFARE ULTRALIGHT ticketing system

Case studies ||
© Opposing Force. All right reserved.
A MIFARE ULTRALIGHT ticketing system

Case studies ||
© Opposing Force. All right reserved.
A MIFARE ULTRALIGHT ticketing system
Lock bit for the OTP sector
is not checked by the
stamping machine
Absence of a UID blacklist
in the backend
Timestamp are not
encrypted nor signed

Case studies ||
© Opposing Force. All right reserved.
A MIFARE CLASSIC door lock

Case studies ||
© Opposing Force. All right reserved.
A MIFARE CLASSIC door lock

Case studies ||
© Opposing Force. All right reserved.
A MIFARE hotel door lock
Card’s UID
Room number:
int(0x17ea, 16) =
6122

ThanksOpposing Force - challenging your security - @_opposingforce
https://www.opposingforce.it | engage@opposingforce.it
© Opposing Force. All right reserved.

Q&A Time!Opposing Force - challenging your security - @_opposingforce
© Opposing Force. All right reserved.
https://www.opposingforce.it | engage@opposingforce.it

Weitere ähnliche Inhalte

Was ist angesagt?

Attacking Embedded Devices (No Axe Required)

Attacking Embedded Devices (No Axe Required)

Attacking Embedded Devices (No Axe Required)

Security Weekly

KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha

KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha

KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha

Ведущий: Маттео Беккаро Мастер-класс посвящен эксплуатации уязвимостей электронных систем контроля доступа. Ведущий расскажет о наиболее распространенных технологиях, их уязвимостях и возможных способах атаки. Участникам, которым удастся провести атаку, достанутся аппаратные гаджеты Opposing Force.

Electronic Access Control Security / Безопасность электронных систем контроля...

Electronic Access Control Security / Безопасность электронных систем контроля...

Electronic Access Control Security / Безопасность электронных систем контроля...

Positive Hack Days

Why is it so hard to make secure chips?

Why is it so hard to make secure chips?

Why is it so hard to make secure chips?

La realización de un Test de Intrusión Físico tiene como finalidad conseguir acceso físico a una determinada ubicación, y no es una tarea sencilla. Requiere preparación, investigación, análisis, coordinación, mucha simulación y la aplicación de una metodología flexible que pueda adaptarse a las condiciones particulares de cada objetivo. Analizar el entorno, evadir todo tipo de sistemas de seguridad física y colaborar en equipo (Red Team), son aspectos fundamentales para lograr la intrusión, y con ello posteriormente, el acceso a equipos, red y un sinfín de datos en las instalaciones del objetivo.Si quieres saber qué es un Red Team y profundizar en la realización de intrusiones físicas, esta es tu charla.

Physical Penetration Testing - RootedCON 2015

Physical Penetration Testing - RootedCON 2015

Physical Penetration Testing - RootedCON 2015

Yunusov babin 7 sins pres atm v2

Yunusov babin 7 sins pres atm v2

Yunusov babin 7 sins pres atm v2

Beginner’s Guide on How to Start Exploring IoT Security 1st Session

Beginner’s Guide on How to Start Exploring IoT Security 1st Session

Beginner’s Guide on How to Start Exploring IoT Security 1st Session

veerababu penugonda(Mr-IoT)

The most common story that we hear: something happens with ATM that makes it empty, leaving no forensic evidence. No money and no logs. We have collected huge number of cases on how ATMs could be hacked during our researches, incidents responses and security assessments. A lot of malware infects ATM through the network or locally. There are black boxes, which connect to communications port of devices directly. There are also network attacks, such as rogue processing center or MiTM. How to stop the ATMs fraud? How to protect ATMs from attacks such as black box jackpotting? How to prevent network hijacking such as rogue processing center or MiTM? Some of these issues can be fixed by configuration means, some fixed by compensation measures, but many only by vendor. We will tell you about what bank can do now and what we as a community of security specialists should force to vendors. Before we spoke about vulnerabilities and fraud methods used by criminals. Now we would like to combine our expertise to help financial and security society with more direct advices how to implement security measures or approaches to make ATMs more secure. --- Olga Kochetova Olga is interested in how various devices interact with cash or plastic cards. She is a senior specialist for the penetration testing team at Kaspersky Lab. Olga has authored multiple articles and webinars about ATM security. She is also the author of advisories about various vulnerabilities for major ATM vendors and has been a speaker at international conferences, including Black Hat Europe, Hack in Paris, Positive Hack Days, Security Analyst Summit, Nuit Du Hack, Hack In The Box Singapore and others. --- Alexey Osipov Lead Expert on a Penetration Testing Team at Kaspersky Lab. An author of variety of techniques and utilities exploiting vulnerabilities in XML protocols and telecom equipment security. Author of advisories for various vulnerabilities for major ATM vendors. A speaker at international security conferences: Black Hat, Hack in Paris (presenting the paper on ATM vulnerabilities), NoSuchCon Paris, Nuit du Hack, Hack In The Box Singapore, Positive Hack Days, Chaos Communication Congress.

[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...

[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...

[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...

How to secure HCE

How to secure HCE

How to secure HCE

Kochetova+osipv atm how_to_make_the_fraud__final

Kochetova+osipv atm how_to_make_the_fraud__final

Kochetova+osipv atm how_to_make_the_fraud__final

Defcon 22-weston-hecker-burner-phone-ddos

Defcon 22-weston-hecker-burner-phone-ddos

Defcon 22-weston-hecker-burner-phone-ddos

Firmware analysis 101

Firmware analysis 101

Firmware analysis 101

veerababu penugonda(Mr-IoT)

Current mobile gadgets includes of rich devices (high resolution video camera, microphone, GPS, etc) which enable high quantity communication (Video conference, current location data, etc). Unfortunately, the rich devices make easy to conduct cyber espionage. For example, a high resolution video is used to read the text on a display. A GPS device is used to track the user's location ("Cerberus" and "mSpy" are famous. Japanese application named "karelog" became social issues). These devices are not used in company's office or factory and computer administrators want to prohibit these devices. Unfortunately, the devices are embedded in a mobile gadget and most of them cannot be disenabled by BIOS or EFI. In order to In order to solve this problem, we propose a thin hypervisor called "DeviceDisEnabler (DDE)", which hides some devices from OS. DDE is a lightweight hypervisor and can be inserted to a pre-installed OS. Although the OS uses "IN" instruction to get the device information on PCI and USB (Vendor ID, Device Class, etc), the "IN" instruction is hooked by DDE and the device information is hidden if the devices is prohibited in the company. Unfortunately, not only attackers but also employees want to bypass the DDE because they want to use the devices. In order to protect bypassing the DDE, it encrypts the disk image of the OS. It means the OS cannot be used without the help of DDE. In order to hide the encryption key, the DDE has three types of key managements (A technique gets a key from the Internet with a secure communication. A technique hides the key into a TPM chip and obtains it at a certain state of boot time only. A technique obfuscates the key into the code using Whitebox Cryptography technique). Current implementation is based on BitVisor 1.4 and the target is a mobile gadget which has Intel CPU. I will talk about the requirements for ARM CPU based implementation.

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...

Making and breaking security in embedded devices

Making and breaking security in embedded devices

Making and breaking security in embedded devices

Yashin Mehaboobe

The firmware executed by components found in a car provide a starting point for adversaries to obtain confidential information and discover potential vulnerabilities. However, the process of reverse engineering a specific component is typically considered a complex and time-consuming task. In this paper we discuss several techniques which we used to significantly increase the efficiency of reverse engineering the firmware of an instrument cluster.

Efficient Reverse Engineering of Automotive Firmware

Efficient Reverse Engineering of Automotive Firmware

Efficient Reverse Engineering of Automotive Firmware

640-554 IT Certification and Career Paths

640-554 IT Certification and Career Paths

640-554 IT Certification and Career Paths

How to secure electronic passports

How to secure electronic passports

How to secure electronic passports

We'll hear from a few local industry experts on the war stories, design considerations and best practices of NAC (Network Admission Control / 802.1x ) deployments. Each lightning talk will feature different point of views and vendors. After the talks, we'll host a Q/A panel with questions from our audience. Please come with some questions! Feel free to enter them in the RSVP or post on the meetup page. Talks and Q/A panel will be done by: Kyeyeon Kim, Andy Richter, Josh Trivilino

BOSNOG NAC stack 2018

BOSNOG NAC stack 2018

BOSNOG NAC stack 2018

Pki 201 Key Management

Pki 201 Key Management

Pki 201 Key Management

The hardware security instructional class acquaints you with an assortment of cryptographic processor and preparing overhead, side-channel assaults, physically unclonable capacities, hardware-based genuine random number generator, watermaking of IPS, FPGA security, uninvolved and dynamic metering and hardware based secure program execution. Trainees Also Will Learn about: Counterfeit detection, criminal activities, detection standards and physical analysis in hardware security. This course gives you the sufficient knowledge to identify the hardware threats, methods of hardware metering, unclonable identifiers and ending piracy of integrated circuits (ICs). The fault injection attacks in hardware security, classification of attacks, invasive attacks, countermeasures, exploits, and data remanence. How a physical hardware attacks harm the hardware security by learning tamper resistance, classification of physical attacks, automated decapsulation, deprocessing methods, side channel attacks, or microprobing. Who Would Benefit From This Training? If you are an IT professional who specialize in system, you will benefit the presentations, examples, case studies, discussions, and individual activities upon the completion of hardware security training and will prepare yourself for your career. Finally, the hardware security training will introduce the hardware Trojans which decrease the hardware system reliability and leads you to the basics of crypto processor design techniques. Training Objectives: Learn the state of the art security methods and devices Integrate the security as a design metric Explain the common hardware trojans Design secured hardware FPGA Understand the attacks in embedded system Explain the design procedures of crypto processor Protect the design intellectual property against privacy Understand the physical attacks in hardware security Understand hardware attacks and providing countermeasures Training outline: Introduction to Hardware Security Hardware Cryptography Basics of VLSI Counterfeit Detection Hardware Metering Fault Injection Attacks in Hardware Physical Hardware Attacks Side Channel Attacks Secure Hardware Design for FPGAs Embedded System Security Security of Radio Frequency Identification (RFID) Hardware Trojans Crypto Processor Design Hands-on and In-Class Activities Sample Workshops Labs for Hardware Security Training Visit Tonex website for more information. Hardware Security Training By #TONEX https://www.tonex.com/training-courses/hardware-security-training-by-tonex/

Hardware Security Training By TONEX

Hardware Security Training By TONEX

Hardware Security Training By TONEX

Was ist angesagt? (20)

Attacking Embedded Devices (No Axe Required)

Attacking Embedded Devices (No Axe Required)

Attacking Embedded Devices (No Axe Required)

KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha

KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha

KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha

Electronic Access Control Security / Безопасность электронных систем контроля...

Electronic Access Control Security / Безопасность электронных систем контроля...

Electronic Access Control Security / Безопасность электронных систем контроля...

Why is it so hard to make secure chips?

Why is it so hard to make secure chips?

Why is it so hard to make secure chips?

Physical Penetration Testing - RootedCON 2015

Physical Penetration Testing - RootedCON 2015

Physical Penetration Testing - RootedCON 2015

Yunusov babin 7 sins pres atm v2

Yunusov babin 7 sins pres atm v2

Yunusov babin 7 sins pres atm v2

Beginner’s Guide on How to Start Exploring IoT Security 1st Session

Beginner’s Guide on How to Start Exploring IoT Security 1st Session

Beginner’s Guide on How to Start Exploring IoT Security 1st Session

[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...

[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...

[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...

How to secure HCE

How to secure HCE

How to secure HCE

Kochetova+osipv atm how_to_make_the_fraud__final

Kochetova+osipv atm how_to_make_the_fraud__final

Kochetova+osipv atm how_to_make_the_fraud__final

Defcon 22-weston-hecker-burner-phone-ddos

Defcon 22-weston-hecker-burner-phone-ddos

Defcon 22-weston-hecker-burner-phone-ddos

Firmware analysis 101

Firmware analysis 101

Firmware analysis 101

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...

Making and breaking security in embedded devices

Making and breaking security in embedded devices

Making and breaking security in embedded devices

Efficient Reverse Engineering of Automotive Firmware

Efficient Reverse Engineering of Automotive Firmware

Efficient Reverse Engineering of Automotive Firmware

640-554 IT Certification and Career Paths

640-554 IT Certification and Career Paths

640-554 IT Certification and Career Paths

How to secure electronic passports

How to secure electronic passports

How to secure electronic passports

BOSNOG NAC stack 2018

BOSNOG NAC stack 2018

BOSNOG NAC stack 2018

Pki 201 Key Management

Pki 201 Key Management

Pki 201 Key Management

Hardware Security Training By TONEX

Hardware Security Training By TONEX

Hardware Security Training By TONEX

Andere mochten auch

Ведущие: Ольга Кочетова и Алексей Осипов Доклад посвящен наиболее популярным атакам на банкоматы, а также методам их предотвращения. Докладчик продолжит тему своих прошлых презентаций, однако с более глубоким проникновением в технические детали. Основное внимание будет уделено проблемам безопасности в архитектуре банкоматов и недостаткам защищенности взаимодействия банкоматов с процессинговым центром.

Magic Box, или Как пришлось сломать банкоматы, чтобы их спасти

Magic Box, или Как пришлось сломать банкоматы, чтобы их спасти

Magic Box, или Как пришлось сломать банкоматы, чтобы их спасти

Positive Hack Days

Ведущий: Лев Денисов Система общественного транспорта Москвы — одна из крупнейших в мире. Выпущено больше 5 млн карт «Тройка», с помощью которых пассажиры оплачивают проезд в метро и наземном транспорте. Развиваются сервисы, позволяющие пополнить баланс карты с помощью мобильного телефона с NFC. Ведущий расскажет об уязвимостях, эксплуатируя которые можно получить доступ к секретным данным карты и с минимальными затратами клонировать ее, чтобы бесплатно пользоваться общественным транспортом.

Псевдобезопасность NFC-сервисов

Псевдобезопасность NFC-сервисов

Псевдобезопасность NFC-сервисов

Positive Hack Days

Ведущий: Илья Сафронов Докладчик расскажет о различных технико-организационных схемах, которые позволяют злоумышленникам обогащаться за счет телеком-оператора. Речь пойдет о манипуляции с номерами, биллингом, настройками коммутации и межоператорских стыков. Будут описаны принципы работы SIM-боксов и схем с петлями трафика.

Страх и ненависть в телеком-операторах

Страх и ненависть в телеком-операторах

Страх и ненависть в телеком-операторах

Positive Hack Days

Ведущие: Сергей Пузанков и Дмитрий Курбатов Сети любого оператора мобильной связи содержат уязвимости, доставшиеся от старых технологий. Докладчики расскажут об уровне защищенности операторов на основе данных, полученных при исследовании реальных сетей.

Мобильная связь небезопасна. Аргументы, подкрепленные фактами

Мобильная связь небезопасна. Аргументы, подкрепленные фактами

Мобильная связь небезопасна. Аргументы, подкрепленные фактами

Positive Hack Days

Ведущий: Терренс Гаро В докладе рассказывается о том, как создать ханипот (ловушку) и организовать сервис с обновляемыми данными о попавшихся DDoS-ботах с помощью Kibana, Elasticsearch, Logstash и AMQP. Докладчик откроет исходный код системы мониторинга и сбора внешней статистики DDoS-атак, над которой он работал со своей командой последние два года.

Строим ханипот и выявляем DDoS-атаки

Строим ханипот и выявляем DDoS-атаки

Строим ханипот и выявляем DDoS-атаки

Positive Hack Days

Ведущий: Николай Анисеня Подавляющее большинство использует не случайно сгенерированные пароли, а словарные слова, видоизмененные по определенным правилам. В интернете можно найти подборки таких правил, но они обычно составляются и сортируются в полуавтоматическом или ручном режиме с использованием утекших баз с хешами паролей, без учета некоторых особенностей (например, как пользователи используют свои личные данные — имя, год рождения — при создании пароля). Ведущий мастер-класса опишет атаку перебора, основанную на правилах преобразования паролей. Предложит способ сокращения списка правил для оптимизации атаки и сравнит свой метод с уже существующими подходами.

Угадываем пароль за минуту

Угадываем пароль за минуту

Угадываем пароль за минуту

Positive Hack Days

Ведущий: Сергей Кавун Докладчик расскажет о способе выявления инсайдеров на любом предприятии. Разработанная методика представляет собой математический аппарат, который программируется и закладывается в различные системы безопасности.

Аспекты деятельности инсайдеров на предприятии

Аспекты деятельности инсайдеров на предприятии

Аспекты деятельности инсайдеров на предприятии

Positive Hack Days

Author: Babak Javadi For over 100 years, the modern pin tumbler lock has been used as the gold standard of physical security. Unique designs have come and gone over the years, but only the pin tumbler lock has remained constant. Almost just as constant is a neat hack-turned-standard feature that is commonly referred to as Master Keying. Master Keying allows the use of "unique" permissions-based mechanical keys in large systems and remains in use in large business and government installations in every country in the world. Unfortunately, the oldest authentication system in the world still in wide use today is vulnerable to what many consider to be the original privilege escalation attack, predating digital computer systems completely. Known by a handful of locksmiths for decades and first publicly disclosed in 2003, this un-patched vulnerability remains one of the most dangerous and under-protected physical security weaknesses still present today. This talk will discuss a highly optimized attack method against common master keyed systems as it applies to modern locks, and will cover a couple of options for mitigating and defending against the attack.

Janitor to CISO in 360 Seconds: Exploiting Mechanical Privilege Escalation

Janitor to CISO in 360 Seconds: Exploiting Mechanical Privilege Escalation

Janitor to CISO in 360 Seconds: Exploiting Mechanical Privilege Escalation

Positive Hack Days

Ведущие: Эмиль Олейников и Юрий Гуркин Как медицинские, так и SCADA-системы обладают возможностью удаленного управления, настройки и наблюдения. Зачастую их подключают к интернету. В докладе рассказывается об уязвимостях в специализированном ПО, используемом в медицине и промышленности, которые были исследованы с помощью отечественного пентест-фреймворка EAST (exploits and security tools). Аналогично Metasploit, он позволяет автоматизировать и облегчить поиск уязвимостей и иллюстрацию уровня риска.

Восток — дело тонкое, или Уязвимости медицинского и индустриального ПО

Восток — дело тонкое, или Уязвимости медицинского и индустриального ПО

Восток — дело тонкое, или Уязвимости медицинского и индустриального ПО

Positive Hack Days

Ведущие: Дмитрий Частухин и Дмитрий Юдин Бла-бла-бла SAP. Бла-бла-бла крупные компании. Бла-бла-бла взлом на миллионы долларов. Вот так обычно начинается любой доклад о SAP. Но в этот раз все будет по-другому. Давненько не было рассказов о жестокой эксплуатации и необычных уязвимостях. Пришло время пуститься во все тяжкие! Докладчики расскажут (и покажут), как получить полный контроль над системой, используя ряд незначительных уязвимостей в службах SAP.

Эксплуатируем неэксплуатируемые уязвимости SAP

Эксплуатируем неэксплуатируемые уязвимости SAP

Эксплуатируем неэксплуатируемые уязвимости SAP

Positive Hack Days

Автор: Артур Гарипов Доклад посвящен общим аспектам применения SDR (software-defined radio) в анализе радиоэфира. Ведущий покажет, как происходят поиск и определение беспроводных устройств, анализ протоколов и их спуфинг, перехват управления беспроводным оборудованием, атака Mousejack.

Перехват беспроводных гаджетов — от квадрокоптеров до мышек

Перехват беспроводных гаджетов — от квадрокоптеров до мышек

Перехват беспроводных гаджетов — от квадрокоптеров до мышек

Positive Hack Days

Ведущие: Роман Казанцев, Максим Вафин и Андрей Сомсиков Разработка чит-кодов к различным сетевым играм со временем превратилась в прибыльный бизнес. С помощью внедренных чит-кодов можно анализировать данные памяти и собирать статистику об игроках. На примерах из игры Unreal Tournament 4 докладчики расскажут о методах борьбы с подобным читерством, основанных на запутывании кода.

Боремся с читингом в онлайн-играх

Боремся с читингом в онлайн-играх

Боремся с читингом в онлайн-играх

Positive Hack Days

Ковбой Энди, Рик Декард и другие охотники за наградой

Ковбой Энди, Рик Декард и другие охотники за наградой

Ковбой Энди, Рик Декард и другие охотники за наградой

Positive Hack Days

Ведущий: Пол Викси Система доменных имен (DNS) предлагает отличный вид на локальную и глобальную сети, что дает возможность исследовать действия киберпреступников и методы атак. В докладе будет показано, как обезопасить DNS и использовать ее для защиты других подключенных объектов. Докладчик подробно расскажет о подмене кэша DNS, расширениях защиты для протокола DNS (DNSSEC), DDoS-атаках, ограничении скорости передачи, межсетевом экране DNS и пассивном DNS-мониторинге.

DNS как линия защиты/DNS as a Defense Vector

DNS как линия защиты/DNS as a Defense Vector

DNS как линия защиты/DNS as a Defense Vector

Positive Hack Days

Ведущий: Ольга Зиненко Уральский центр систем безопасности проводит независимое тестирование мобильных антивирусов, разработанных для платформы Android (в том числе Dr.Web, Kaspersky, Norton, ESET). Доклад посвящен результатам исследования. Показатели, которые оцениваются в первую очередь: выполнение заявленных функций, уровень защиты, возможности обхода, наличие уязвимостей, полезность и значимость дополнительных функций.

Вирусы есть? А если найду?

Вирусы есть? А если найду?

Вирусы есть? А если найду?

Positive Hack Days

Ведущий: Александр Попов В настоящем докладе будет рассмотрен успешный опыт использования отладочного механизма KASan (Kernel address sanitizer) для автономного гипервизора. Докладчик расскажет, как удалось усилить KASan по сравнению с его реализацией в ядре Linux.

Использование KASan для автономного гипервизора

Использование KASan для автономного гипервизора

Использование KASan для автономного гипервизора

Positive Hack Days

Ведущий: Михаил Якшин В докладе будут рассмотрены современные подходы к обратной разработке бинарных файлов: с чего начинают, что хотят получить на выходе, какими инструментами традиционно пользуются. Будет продемонстрирован новый проект— Kaitai Struct, представляющий собой инструментарий для декларативного описания бинарных структур данных с выводом результата в виде готовых библиотек на языках C++, Java, JavaScript, Python и Ruby. Несколько практических примеров использования обратной разработки помогут участникам лучше ознакомиться с проблематикой.

Обратная разработка бинарных форматов с помощью Kaitai Struct

Обратная разработка бинарных форматов с помощью Kaitai Struct

Обратная разработка бинарных форматов с помощью Kaitai Struct

Positive Hack Days

Ведущий: Алексей Черепанов Скорость взлома хешей растет. Растет и количество алгоритмов хеширования. Объем задач для поддержки универсального инструмента для взлома тоже увеличивается. В ответ на это был разработан john-devkit — улучшенный генератор кода к известному приложению для взлома паролей John the Ripper. john-devkit содержит более 100 типов хешей. Ведущий рассмотрит ключевые аспекты его использования: разделение алгоритмов, оптимизация и вывод данных для различных устройств, простое промежуточное представление алгоритмов хеширования, трудности оптимизации для человека и машины, bitslicing, сравнение скорости обработки.

john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later

john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later

john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later

Positive Hack Days

Ведущий: Асука Накадзима (Asuka Nakajima) Практика повторного использования исходного кода позволяет сократить расходы на разработку программного обеспечения. Тем не менее, если в оригинальном исходном коде кроется уязвимость, она будет перенесена и в новое приложение. Докладчик расскажет о необычном способе обнаружения «наследуемых» уязвимостей в бинарных файлах без необходимости обращаться к исходному коду или символьным файлам.

Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...

Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...

Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...

Positive Hack Days

Ведущий: Эльдар Бейбутов Интернет приложения - это интерфейс взаимодействия человеческого сознания с информационной системой. Процесс коммуникации людей и машинного кода не поддается формализации, невозможно учесть все возможные состояния системы в ручную, для этого необходимы интеллектуальные средства защиты, которые будут способны к самостоятельному обучению и принятию решений на основе многофакторных моделей. На докладе поговорим о эвристических механизмах обнаружения атак, автоматическом создании позитивной модели и поведенческом анализе.

Application security? Firewall it!

Application security? Firewall it!

Application security? Firewall it!

Positive Hack Days

Andere mochten auch (20)

Magic Box, или Как пришлось сломать банкоматы, чтобы их спасти

Magic Box, или Как пришлось сломать банкоматы, чтобы их спасти

Magic Box, или Как пришлось сломать банкоматы, чтобы их спасти

Псевдобезопасность NFC-сервисов

Псевдобезопасность NFC-сервисов

Псевдобезопасность NFC-сервисов

Страх и ненависть в телеком-операторах

Страх и ненависть в телеком-операторах

Страх и ненависть в телеком-операторах

Мобильная связь небезопасна. Аргументы, подкрепленные фактами

Мобильная связь небезопасна. Аргументы, подкрепленные фактами

Мобильная связь небезопасна. Аргументы, подкрепленные фактами

Строим ханипот и выявляем DDoS-атаки

Строим ханипот и выявляем DDoS-атаки

Строим ханипот и выявляем DDoS-атаки

Угадываем пароль за минуту

Угадываем пароль за минуту

Угадываем пароль за минуту

Аспекты деятельности инсайдеров на предприятии

Аспекты деятельности инсайдеров на предприятии

Аспекты деятельности инсайдеров на предприятии

Janitor to CISO in 360 Seconds: Exploiting Mechanical Privilege Escalation

Janitor to CISO in 360 Seconds: Exploiting Mechanical Privilege Escalation

Janitor to CISO in 360 Seconds: Exploiting Mechanical Privilege Escalation

Восток — дело тонкое, или Уязвимости медицинского и индустриального ПО

Восток — дело тонкое, или Уязвимости медицинского и индустриального ПО

Восток — дело тонкое, или Уязвимости медицинского и индустриального ПО

Эксплуатируем неэксплуатируемые уязвимости SAP

Эксплуатируем неэксплуатируемые уязвимости SAP

Эксплуатируем неэксплуатируемые уязвимости SAP

Перехват беспроводных гаджетов — от квадрокоптеров до мышек

Перехват беспроводных гаджетов — от квадрокоптеров до мышек

Перехват беспроводных гаджетов — от квадрокоптеров до мышек

Боремся с читингом в онлайн-играх

Боремся с читингом в онлайн-играх

Боремся с читингом в онлайн-играх

Ковбой Энди, Рик Декард и другие охотники за наградой

Ковбой Энди, Рик Декард и другие охотники за наградой

Ковбой Энди, Рик Декард и другие охотники за наградой

DNS как линия защиты/DNS as a Defense Vector

DNS как линия защиты/DNS as a Defense Vector

DNS как линия защиты/DNS as a Defense Vector

Вирусы есть? А если найду?

Вирусы есть? А если найду?

Вирусы есть? А если найду?

Использование KASan для автономного гипервизора

Использование KASan для автономного гипервизора

Использование KASan для автономного гипервизора

Обратная разработка бинарных форматов с помощью Kaitai Struct

Обратная разработка бинарных форматов с помощью Kaitai Struct

Обратная разработка бинарных форматов с помощью Kaitai Struct

john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later

john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later

john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later

Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...

Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...

Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...

Application security? Firewall it!

Application security? Firewall it!

Application security? Firewall it!

Ähnlich wie NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю

NFC: Naked Fried Chicken (PHDays VI)

NFC: Naked Fried Chicken (PHDays VI)

NFC: Naked Fried Chicken (PHDays VI)

Opposing Force S.r.l.

Electronic Access Control Security

Electronic Access Control Security

Electronic Access Control Security

Opposing Force S.r.l.

Securing Internet of Things

Securing Internet of Things

Securing Internet of Things

Intercept product

Intercept product

Intercept product

Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...

Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...

Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...

Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...

Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...

Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...

Sniffing is the process of monitoring and capturing all the packets passing through a given network using sniffing tools. It is a form of “tapping phone wires” and get to know about the conversation. It is also called wiretapping applied to the computer networks. There is so much possibility that if a set of enterprise switch ports is open, then one of their employees can sniff the whole traffic of the network. Anyone in the same physical location can plug into the network using Ethernet cable or connect wirelessly to that network and sniff the total traffic. In other words, Sniffing allows you to see all sorts of traffic, both protected and unprotected. In the right conditions and with the right protocols in place, an attacking party may be able to gather information that can be used for further attacks or to cause other issues for the network or system owner.

Module 7 (sniffers)

Module 7 (sniffers)

Module 7 (sniffers)

Machine Learning Based Attack Vector Modeling for CyberSecurity: Connections have behavioural patterns that are unique to protocols, loads, window sizes, bandwidth, and mainly the type of traffic. A CDN enterprise behaves completely differently than how a Cloud service company would behave and they both would be different from a corporation. This also means that attack vectors and attack landscapes are different in all these places. In this talk we speak about modeling different kinds of attacks and build a model that is able to identify these different kinds of attacks using ML. The method we use is to identify different profiles based on many variables that specifically but robustly identify attacks of different kinds. The variables are specific to business, network profile, traffic. The variables are also high-level i.e. aggregate, and packet-level. This way the models are specifically picking up on constant variations in traffic, and create machine learning models to identify these attacks. Using the power of H2O these analyses are not just limited to a research and analysis of the traffic and concluding with a “OH, this was what it was.” moment but to actually deploy code, besides existing IDS and IPS, or deploying highly optimized, independent programs that can handle high thruputs at the rate of 1.2 Million decisions per second making it one of the fastest implementations of ML to identify, defend and protect critical infrastructure that are potentially under threat.

Ashrith Barthur, Security Scientist, H2o.ai, at MLconf 2017

Ashrith Barthur, Security Scientist, H2o.ai, at MLconf 2017

Ashrith Barthur, Security Scientist, H2o.ai, at MLconf 2017

50120140501013

IAEME Publication

Internet of things security "Hardware Security"

Internet of things security "Hardware Security"

Internet of things security "Hardware Security"

Ahmed Mohamed Mahmoud

Cyber security

A presentation given in April 2019 in London during ICS Cyber Security Conference. I discuss an anonymized investigation conducted by our team to identify a real malware infection on a production network, the tools and techniques used to contain this threat and how to use threat intelligence and visibility to stay ahead of cyber adversaries. Asset visibility and network baselining Continuous network monitoring Threat intelligence ingestion Thorough incident response plans

Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks

Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks

Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks

Angeloluca Barba

In this webinar we look at how the majority of today’s networks are vulnerable to a set of advanced attacks which can go undetected by many security systems. Advanced Evasion Techniques exist which can pass through firewalls and intrusion prevention systems, allowing an attacker to deliver a malicious payload to a vulnerable device, undetected. Stonesoft’s Alan Cottom will demonstrate a live attack on an IPS-protected system using their Predator tool and how this attack can be blocked via the Stonesoft security suite of products. Intergence will be demonstrating their cutting edge 3D visualisation tool Hyperglance which integrates with a number of network management and security systems including the Stonesoft products. Hyperglance will be used to visualise the IT infrastructure and identify where systems are vulnerable and pinpoint real time attacks, allowing administrators to take immediate action to secure their network.

Webinar on identifying, preventing and securing against the unidentifiable at...

Webinar on identifying, preventing and securing against the unidentifiable at...

Webinar on identifying, preventing and securing against the unidentifiable at...

Intergence Ltd.

Cyber warfare introduction

Cyber warfare introduction

Cyber warfare introduction

jagadeesh katla

Domain 7 of CEH Mobile Platform, IoT, and OT Hacking.pptx

Domain 7 of CEH Mobile Platform, IoT, and OT Hacking.pptx

Domain 7 of CEH Mobile Platform, IoT, and OT Hacking.pptx

DSS ITSEC Conference 2012 - Forescout NAC #1

DSS ITSEC Conference 2012 - Forescout NAC #1

DSS ITSEC Conference 2012 - Forescout NAC #1

Since 2010 Stuxnet caused substantial damage to the nuclear program of Iran, ICS security issues have been raised. Lots of researchers dig into the hacking skills and path and those known attacks in the history and more malwares and events happened. Enterprises need an efficient way to find vulnerabilities but they might not have the budget for ICS pentesters , which need strong background knowledge , and all the fields they have. To solve this problem, we try to make a rare OT targeting , open source adversary emulation tool as a plugin on MITRE open source tool - Caldera. Users can easily combine IT attacks with our OT adversaries and change steps of attacks or send manual commands in the process. We summarize the experience of reviewing over 20 factories traffic and analyzing 19 MITRE defined ICS malwares, PIPEDREAM/Incontroller in 2022. We found the main trend of ICS malwares changes from single protocol targeting to modularized , multiple protocols supporting. The actions in malwares can be summarized as a 4 stages attacking flow, We will explain it with the real attacks from malwares. We use the above conclusions to build automatic adversary emulation tool. Now the tool already supports 10 common protocols and over 23 techniques on the MITRE ICS matrix , which is able to reproduce over 80% of defined ICS malware actions in OT. We also follow the 4 stages conclusion to add some attacks havent been used by any malwares. We have tested it on real oil ,gas ,water, electric power factory devices , protocol simulations for SCADA developers and honeypot. We will have a demo in this presentation.

[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...

[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...

[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...

Security for automation in Internet of Things by using one time password

Security for automation in Internet of Things by using one time password

Security for automation in Internet of Things by using one time password

SHASHANK WANKHADE

Metasploit

Ryan Wilson - ryanwilson.com - IoT Security

Ryan Wilson - ryanwilson.com - IoT Security

Ryan Wilson - ryanwilson.com - IoT Security

Ähnlich wie NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю (20)

NFC: Naked Fried Chicken (PHDays VI)

NFC: Naked Fried Chicken (PHDays VI)

NFC: Naked Fried Chicken (PHDays VI)

Electronic Access Control Security

Electronic Access Control Security

Electronic Access Control Security

Securing Internet of Things

Securing Internet of Things

Securing Internet of Things

Intercept product

Intercept product

Intercept product

Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...

Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...

Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...

Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...

Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...

Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...

Module 7 (sniffers)

Module 7 (sniffers)

Module 7 (sniffers)

Ashrith Barthur, Security Scientist, H2o.ai, at MLconf 2017

Ashrith Barthur, Security Scientist, H2o.ai, at MLconf 2017

Ashrith Barthur, Security Scientist, H2o.ai, at MLconf 2017

50120140501013

Internet of things security "Hardware Security"

Internet of things security "Hardware Security"

Internet of things security "Hardware Security"

Cyber security

Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks

Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks

Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks

Webinar on identifying, preventing and securing against the unidentifiable at...

Webinar on identifying, preventing and securing against the unidentifiable at...

Webinar on identifying, preventing and securing against the unidentifiable at...

Cyber warfare introduction

Cyber warfare introduction

Cyber warfare introduction

Domain 7 of CEH Mobile Platform, IoT, and OT Hacking.pptx

Domain 7 of CEH Mobile Platform, IoT, and OT Hacking.pptx

Domain 7 of CEH Mobile Platform, IoT, and OT Hacking.pptx

DSS ITSEC Conference 2012 - Forescout NAC #1

DSS ITSEC Conference 2012 - Forescout NAC #1

DSS ITSEC Conference 2012 - Forescout NAC #1

[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...

[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...

[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...

Security for automation in Internet of Things by using one time password

Security for automation in Internet of Things by using one time password

Security for automation in Internet of Things by using one time password

Metasploit

Ryan Wilson - ryanwilson.com - IoT Security

Ryan Wilson - ryanwilson.com - IoT Security

Ryan Wilson - ryanwilson.com - IoT Security

Mehr von Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes

Инструмент ChangelogBuilder для автоматической подготовки Release Notes

Инструмент ChangelogBuilder для автоматической подготовки Release Notes

Positive Hack Days

Как мы собираем проекты в выделенном окружении в Windows Docker

Как мы собираем проекты в выделенном окружении в Windows Docker

Как мы собираем проекты в выделенном окружении в Windows Docker

Positive Hack Days

Типовая сборка и деплой продуктов в Positive Technologies

Типовая сборка и деплой продуктов в Positive Technologies

Типовая сборка и деплой продуктов в Positive Technologies

Positive Hack Days

1. Что такое BI. Зачем он нужен. 2. Что такое Qlik View / Sense 3. Способ интеграции. Как это работает. 4. Метрики, KPI, планирование ресурсов команд, ретроспектива релиза продукта, тренды. 5. Подключение внешних источников данных (Excel, БД СКУД, переговорные комнаты).

Аналитика в проектах: TFS + Qlik

Аналитика в проектах: TFS + Qlik

Аналитика в проектах: TFS + Qlik

Positive Hack Days

Использование анализатора кода SonarQube

Использование анализатора кода SonarQube

Использование анализатора кода SonarQube

Positive Hack Days

Развитие сообщества Open DevOps Community

Развитие сообщества Open DevOps Community

Развитие сообщества Open DevOps Community

Positive Hack Days

Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...

Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...

Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...

Positive Hack Days

Approof — статический анализатор кода для проверки веб-приложений на наличие уязвимых компонентов. В своей работе анализатор основывается на правилах, хранящих сигнатуры искомых компонентов. В докладе рассматривается базовая структура правила для Approof и процесс автоматизации его создания.

Автоматизация построения правил для Approof

Автоматизация построения правил для Approof

Автоматизация построения правил для Approof

Positive Hack Days

Задумывались ли вы когда-нибудь о том, как устроены современные механизмы защиты приложений? Какая теория стоит за реализацией WAF и SAST? Каковы пределы их возможностей? Насколько их можно подвинуть за счет более широкого взгляда на проблематику безопасности приложений? На мастер-классе будут рассмотрены основные методы и алгоритмы двух основополагающих технологий защиты приложений — межсетевого экранирования уровня приложения и статического анализа кода. На примерах конкретных инструментов с открытым исходным кодом, разработанных специально для этого мастер-класса, будут рассмотрены проблемы, возникающие на пути у разработчиков средств защиты приложений, и возможные пути их решения, а также даны ответы на все упомянутые вопросы.

Мастер-класс «Трущобы Application Security»

Мастер-класс «Трущобы Application Security»

Мастер-класс «Трущобы Application Security»

Positive Hack Days

Формальные методы защиты приложений

Формальные методы защиты приложений

Формальные методы защиты приложений

Positive Hack Days

Эвристические методы защиты приложений

Эвристические методы защиты приложений

Эвристические методы защиты приложений

Positive Hack Days

Теоретические основы Application Security

Теоретические основы Application Security

Теоретические основы Application Security

Positive Hack Days

Разработка наукоемкого программного обеспечения отличается тем, что нет ни четкой постановки задачи, ни понимания, что получится в результате. Однако даже этом надо программировать то, что надо, и как надо. Докладчик расскажет о том, как ее команда успешно разработала и вывела в промышленную эксплуатацию несколько наукоемких продуктов, пройдя непростой путь от эксперимента, результатом которого был прототип, до промышленных версий, которые успешно продаются как на российском, так и на зарубежном рынках. Этот путь был насыщен сложностями и качественными управленческими решениями, которыми поделится докладчик

От экспериментального программирования к промышленному: путь длиной в 10 лет

От экспериментального программирования к промышленному: путь длиной в 10 лет

От экспериментального программирования к промышленному: путь длиной в 10 лет

Positive Hack Days

Немногие разработчики закладывают безопасность в архитектуру приложения на этапе проектирования. Часто для этого нет ни денег, ни времени. Еще меньше — понимания моделей нарушителя и моделей угроз. Защита приложения выходит на передний план, когда уязвимости начинают стоить денег. К этому времени приложение уже работает и внесение существенных изменений в код становится нелегкой задачей. К счастью, разработчики тоже люди, и в коде разных приложений можно встретить однотипные недостатки. В докладе речь пойдет об опасных ошибках, которые чаще всего допускают разработчики Android-приложений. Затрагиваются особенности ОС Android, приводятся примеры реальных приложений и уязвимостей в них, описываются способы устранения.

Уязвимое Android-приложение: N проверенных способов наступить на грабли

Уязвимое Android-приложение: N проверенных способов наступить на грабли

Уязвимое Android-приложение: N проверенных способов наступить на грабли

Positive Hack Days

Разработка любого софта так или иначе базируется на требованиях. Полный перечень составляют бизнес-цели приложения, различные ограничения и ожидания по качеству (их еще называют NFR). Требования к безопасности ПО относятся к последнему пункту. В ходе доклада будут рассматриваться появление этих требований, управление ими и выбор наиболее важных. Отдельно будут освещены принципы построения архитектуры приложения, при наличии таких требований и без, и продемонстрировано, как современные (и хорошо известные) подходы к проектированию приложения помогают лучше строить архитектуру приложения для минимизации ландшафта угроз.

Требования по безопасности в архитектуре ПО

Требования по безопасности в архитектуре ПО

Требования по безопасности в архитектуре ПО

Positive Hack Days

Доклад посвящен разработке корректного программного обеспечения с применением одного из видов статического анализа кода. Будут освещены вопросы применения подобных методов, их слабые стороны и ограничения, а также рассмотрены результаты, которые они могут дать. На конкретных примерах будет продемонстрировано, как выглядят разработка спецификаций для кода на языке Си и доказательство соответствия кода спецификациям.

Формальная верификация кода на языке Си

Формальная верификация кода на языке Си

Формальная верификация кода на языке Си

Positive Hack Days

Механизмы предотвращения атак в ASP.NET Core

Механизмы предотвращения атак в ASP.NET Core

Механизмы предотвращения атак в ASP.NET Core

Positive Hack Days

SOC для КИИ: израильский опыт

SOC для КИИ: израильский опыт

SOC для КИИ: израильский опыт

Positive Hack Days

Honeywell Industrial Cyber Security Lab & Services Center

Honeywell Industrial Cyber Security Lab & Services Center

Honeywell Industrial Cyber Security Lab & Services Center

Positive Hack Days

Credential stuffing и брутфорс-атаки

Credential stuffing и брутфорс-атаки

Credential stuffing и брутфорс-атаки

Positive Hack Days

Mehr von Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes

Инструмент ChangelogBuilder для автоматической подготовки Release Notes

Инструмент ChangelogBuilder для автоматической подготовки Release Notes

Как мы собираем проекты в выделенном окружении в Windows Docker

Как мы собираем проекты в выделенном окружении в Windows Docker

Как мы собираем проекты в выделенном окружении в Windows Docker

Типовая сборка и деплой продуктов в Positive Technologies

Типовая сборка и деплой продуктов в Positive Technologies

Типовая сборка и деплой продуктов в Positive Technologies

Аналитика в проектах: TFS + Qlik

Аналитика в проектах: TFS + Qlik

Аналитика в проектах: TFS + Qlik

Использование анализатора кода SonarQube

Использование анализатора кода SonarQube

Использование анализатора кода SonarQube

Развитие сообщества Open DevOps Community

Развитие сообщества Open DevOps Community

Развитие сообщества Open DevOps Community

Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...

Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...

Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...

Автоматизация построения правил для Approof

Автоматизация построения правил для Approof

Автоматизация построения правил для Approof

Мастер-класс «Трущобы Application Security»

Мастер-класс «Трущобы Application Security»

Мастер-класс «Трущобы Application Security»

Формальные методы защиты приложений

Формальные методы защиты приложений

Формальные методы защиты приложений

Эвристические методы защиты приложений

Эвристические методы защиты приложений

Эвристические методы защиты приложений

Теоретические основы Application Security

Теоретические основы Application Security

Теоретические основы Application Security

От экспериментального программирования к промышленному: путь длиной в 10 лет

От экспериментального программирования к промышленному: путь длиной в 10 лет

От экспериментального программирования к промышленному: путь длиной в 10 лет

Уязвимое Android-приложение: N проверенных способов наступить на грабли

Уязвимое Android-приложение: N проверенных способов наступить на грабли

Уязвимое Android-приложение: N проверенных способов наступить на грабли

Требования по безопасности в архитектуре ПО

Требования по безопасности в архитектуре ПО

Требования по безопасности в архитектуре ПО

Формальная верификация кода на языке Си

Формальная верификация кода на языке Си

Формальная верификация кода на языке Си

Механизмы предотвращения атак в ASP.NET Core

Механизмы предотвращения атак в ASP.NET Core

Механизмы предотвращения атак в ASP.NET Core

SOC для КИИ: израильский опыт

SOC для КИИ: израильский опыт

SOC для КИИ: израильский опыт

Honeywell Industrial Cyber Security Lab & Services Center

Honeywell Industrial Cyber Security Lab & Services Center

Honeywell Industrial Cyber Security Lab & Services Center

Credential stuffing и брутфорс-атаки

Credential stuffing и брутфорс-атаки

Credential stuffing и брутфорс-атаки

Kürzlich hochgeladen

Exploring Multimodal Embeddings with Milvus

Exploring Multimodal Embeddings with Milvus

Exploring Multimodal Embeddings with Milvus

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Corporate and higher education May webinar.pptx

Corporate and higher education May webinar.pptx

Rustici Software

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

AWS Community Day CPH - Three problems of Terraform

AWS Community Day CPH - Three problems of Terraform

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

MS Copilot expands with MS Graph connectors

MS Copilot expands with MS Graph connectors

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

MINDCTI Revenue Release Quarter One 2024

MINDCTI Revenue Release Quarter One 2024

MINDCTI Revenue Release Quarter One 2024

Retrieval augmented generation (RAG) is the most popular style of large language model application to emerge from 2023. The most basic style of RAG works by vectorizing your data and injecting it into a vector database like Milvus for retrieval to augment the text output generated by an LLM. This is just the beginning. One of the ways that we can extend RAG, and extend AI, is through multilingual use cases. Typical RAG is done in English using embedding models that are trained in English. In this talk, we’ll explore how RAG could work in languages other than English. We’ll explore French, Chinese, and Polish.

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Introduction to Multilingual Retrieval Augmented Generation (RAG)

ICT role in 21st century education and its challenges

ICT role in 21st century education and its challenges

ICT role in 21st century education and its challenges

rafiqahmad00786416

Strategies for Landing an Oracle DBA Job as a Fresher

Strategies for Landing an Oracle DBA Job as a Fresher

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Vector Search -An Introduction in Oracle Database 23ai.pptx

Vector Search -An Introduction in Oracle Database 23ai.pptx

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

presentation ICT roal in 21st century education

presentation ICT roal in 21st century education

presentation ICT roal in 21st century education

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Architecting Cloud Native Applications

Architecting Cloud Native Applications

Architecting Cloud Native Applications

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Bhuvaneswari Subramani

Kürzlich hochgeladen (20)

Exploring Multimodal Embeddings with Milvus

Exploring Multimodal Embeddings with Milvus

Exploring Multimodal Embeddings with Milvus

Corporate and higher education May webinar.pptx

Corporate and higher education May webinar.pptx

Corporate and higher education May webinar.pptx

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

AWS Community Day CPH - Three problems of Terraform

AWS Community Day CPH - Three problems of Terraform

AWS Community Day CPH - Three problems of Terraform

MS Copilot expands with MS Graph connectors

MS Copilot expands with MS Graph connectors

MS Copilot expands with MS Graph connectors

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

MINDCTI Revenue Release Quarter One 2024

MINDCTI Revenue Release Quarter One 2024

MINDCTI Revenue Release Quarter One 2024

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Introduction to Multilingual Retrieval Augmented Generation (RAG)

ICT role in 21st century education and its challenges

ICT role in 21st century education and its challenges

ICT role in 21st century education and its challenges

Strategies for Landing an Oracle DBA Job as a Fresher

Strategies for Landing an Oracle DBA Job as a Fresher

Strategies for Landing an Oracle DBA Job as a Fresher

Vector Search -An Introduction in Oracle Database 23ai.pptx

Vector Search -An Introduction in Oracle Database 23ai.pptx

Vector Search -An Introduction in Oracle Database 23ai.pptx

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

presentation ICT roal in 21st century education

presentation ICT roal in 21st century education

presentation ICT roal in 21st century education

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Architecting Cloud Native Applications

Architecting Cloud Native Applications

Architecting Cloud Native Applications

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Elevate Developer Efficiency & build GenAI Application with Amazon Q

NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю

1. NFC Naked Fried Chicken Matteo Beccaro || Opposing Force phdays 2016 – May 18, 2016 © Opposing Force. All right reserved.

2. Who || Matteo Beccaro Founder || Chief Technology Officer at Opposing Force, the first Italian company specialized in offensive physical security Twitter: @_bughardy_ © Opposing Force. All right reserved.

3. Agenda ||  NFC: What are we talking about?  Transport system structure  Our tool  Pentesting methodology  Attack Surface  Analyzing the elements  Vulnerabilities  Case studies © Opposing Force. All right reserved.

4. Agenda ||  NFC: What are we talking about?  Transport system structure  Our tool  Pentesting methodology  Attack Surface  Analyzing the elements  Vulnerabilities  Case studies © Opposing Force. All right reserved.

5. NFC: What are we talking about?|| © Opposing Force. All right reserved. What is NFC? • NFC stands for Near Field Communication • Frequency at 13.56 MHz • 3-5 cm of range • Widely used in: – Access Control systems – Ticketing – Mobile phones

6. NFC: What are we talking about?|| © Opposing Force. All right reserved. NFC most notorious families: • MIFARE – MIFARE Classic – MIFARE Ultralight – MIFARE DesFire • HID iClass • Calypso • FeliCa

7. NFC: What are we talking about?|| © Opposing Force. All right reserved. MIFARE Classic • Memory storage device ( 1K or 4K ) • Strong access control mechanisms – A key is required to access data sector – Use of Crypto1 Crapto1 algorithm – Broken… – .. But widely used ( RFID Door token, transport ticket, etc )

8. NFC: What are we talking about?|| © Opposing Force. All right reserved. MIFARE Ultralight • Memory storage device ( 64 bytes ) • Basic security mechanism – OTP ( One-Time-Programmable ) sector – Lock bytes sector – Mostly used for disposable tickets – It has some more secure children:

9. NFC: What are we talking about?|| © Opposing Force. All right reserved. MIFARE DesFire • Advanced security mechanisms ( 3DES, AES, etc ) • File system structure • 2KB, 4KB or 8KB memory size • Several variant: – DESFIRE, DESFIRE EV1 and DESFIRE EV2

10. NFC: What are we talking about?|| © Opposing Force. All right reserved. HID iClass • Same encryption and authentication keys are shared across all HID iCLASS Standard Security installations. • Keys are already been extracted • Two variants: – iClass Standard ( common ) – iClass High Secure ( less common ) Both broken

11. Agenda ||  NFC: What are we talking about?  Transport system structure  Our tool  Pentesting methodology  Attack Surface  Analyzing the elements  Vulnerabilities  Case studies © Opposing Force. All right reserved.

12. Transport system structure|| © Opposing Force. All right reserved.  Defining a transportation system:  We need to create a common methodology  We need to have tools  We need to be able to use schemas to help our works

13. Transport system structure|| © Opposing Force. All right reserved.  Defining a schema

14. Transport system structure|| © Opposing Force. All right reserved.  Defining a schema Local Remot e

15. Transport system structure|| © Opposing Force. All right reserved.  More in details…

16. Transport system structure|| © Opposing Force. All right reserved.  Token:  Usually a NFC card • MIFARE ULTRALIGHT • MIFARE CLASSIC • CALYPSO  Can store: • multiple rides or subscriptions • timestamp of last stamping • details of where it has been used • other data

17. Transport system structure|| © Opposing Force. All right reserved.  Token:  MIFARE CLASSIC • Just broken  MIFARE ULTRALIGHT • Lock attack • Time attack • Reply attack  Calypso • All documentation is under NDA

18. Transport system structure|| © Opposing Force. All right reserved.  Reader|Controller:  Can operate offline or online  Can be wire or wireless connected to the controller  Usually supports multiple standards  Its purpose is to check if a ticket is valid and stamp it  It can stores secrets and keys

19. Transport system structure|| © Opposing Force. All right reserved.  Backend  Sometimes known as “Cloud”  It can perform several operations:  Statistics  OTA updates  Fraud detection  Fraud prevention

20. Agenda ||  NFC: What are we talking about?  Transport system structure  Our tool(s)  Pentesting methodology  Attack Surface  Analyzing the elements  Vulnerabilities  Case studies © Opposing Force. All right reserved.

21. Our tool(s)|| © Opposing Force. All right reserved.  What tools we can use:  HydraNFC  Proxmark3  ChameleonMini  NFCulT

22. Our tool(s)|| © Opposing Force. All right reserved. HydraNFC ( ~ 90 € ) • Use Texas Instrument TRF7970A NFC chipset ( 13.56MHz only ) • MIFARE 1k and 14443A UID emulation • ISO 14443A sniffing ( also autonomous mode ) • 2 different raw modes • Still in development ( @hydrabus ) • More info at http://hydrabus.com/hydranfc-1-0- specifications/

23. Our tool(s)|| © Opposing Force. All right reserved. Proxmark3 ( ~ 200 € ) • HF e LF capabilities • Big community • Supports almost all known RFID tags • Supports sniffing • Supports emulation • More info at http://proxmark.org/forum/index.php

24. Our tool(s)|| © Opposing Force. All right reserved. ChameleonMini ( ~ 100 € ) • HF ( 13.56MHz ) only • Almost same capabilities of HydraNFC • Different chipset • Firmware available only for the old revision at the moment • More info at http://kasper-oswald.de/gb/chameleonmini/

25. Our tool(s)|| © Opposing Force. All right reserved. NFCulT ( ~ 0 € ) • Mobile application for NFC-enabled Android smartphones • Its aim is to provide quick help during assessment of ticketing systems • Implements Lock, Time and Reply attacks • It has a custom edit mode to edit bit by bit the ticket data • Supports MIFARE ULTRALIGHT and planned support for CLASSIC

26. Our tool(s)|| © Opposing Force. All right reserved. NFCulT • Lock Attack • Set the OTP page in Read-Only mode • Operation irreversible • If the reader does not check if it can write the OTP sector: free rides

27. Our tool(s)|| © Opposing Force. All right reserved. NFCulT • Time Attack • If you find and decode the timestamp you can stamp the ticket by yourself. • Again, free rides

28. Our tool(s)|| © Opposing Force. All right reserved. NFCulT • Reply Attack • Use of UID magic ticket ( ~ 15 € ) • Can bypass all offline anti fraud prevention mechanisms • Guess what? Free rides

29. Our tool(s)|| © Opposing Force. All right reserved. NFCulT • Custom edit • Useful for understanding the architecture of the data saved on the ticket ( e.g. for finding the correct timestamp ) • You can quickly transform from hex to bin and viceversa • You can edit bit by bit the data and write back on the ticket

30. Agenda ||  NFC: What are we talking about?  Transport system structure  Our tool(s)  Pentesting methodology  Attack Surface  Analyzing the elements  Vulnerabilities  Case studies © Opposing Force. All right reserved.

31. Pentesting methodology|| © Opposing Force. All right reserved. What are we looking for?

32. Pentesting methodology|| © Opposing Force. All right reserved. Stamping machine Attack Surface Attacks to Perform Impact NFC Interface Analyze the stamping mechanisms Free tickets Hardware board Analyze the exposed interface ( JTAG, UART, etc ) Firmware / secrets dumping GSM/GPRS/Eth Interface Is MITM possible? Intercepting the data Intercepting secrets / sensitive data

33. Pentesting methodology|| © Opposing Force. All right reserved. Vending machine Attack Surface Attacks to Perform Impact NFC Interface Analyze the recharging mechanisms Free tickets, for everyone Hardware board Analyze the exposed interface ( JTAG, UART, etc ) Firmware / secrets dumping GSM/GPRS/Eth Interface Is MITM possible? Intercepting the data Intercepting secrets / sensitive data ( e.g. credit card details, etc ) Computer Application Analyzing network services exposed Complete control of the machine

34. Pentesting methodology|| © Opposing Force. All right reserved. The backend Attack Surface Attacks to Perform Impact Web application(s) Web app pentesting Various Network services Network pentesting Various Physical location Try to get physical access to the servers Pwned

35. Agenda ||  NFC: What are we talking about?  Transport system structure  Our tool(s)  Pentesting methodology  Attack Surface  Analyzing the elements  Vulnerabilities  Case studies © Opposing Force. All right reserved.

36. Case studies || © Opposing Force. All right reserved. A MIFARE ULTRALIGHT ticketing system

37. Case studies || © Opposing Force. All right reserved. A MIFARE ULTRALIGHT ticketing system

38. Case studies || © Opposing Force. All right reserved. A MIFARE ULTRALIGHT ticketing system Lock bit for the OTP sector is not checked by the stamping machine Absence of a UID blacklist in the backend Timestamp are not encrypted nor signed

39. Case studies || © Opposing Force. All right reserved. A MIFARE CLASSIC door lock

40. Case studies || © Opposing Force. All right reserved. A MIFARE CLASSIC door lock

41. Case studies || © Opposing Force. All right reserved. A MIFARE hotel door lock Card’s UID Room number: int(0x17ea, 16) = 6122

42. ThanksOpposing Force - challenging your security - @_opposingforce https://www.opposingforce.it | engage@opposingforce.it © Opposing Force. All right reserved.

43. Q&A Time!Opposing Force - challenging your security - @_opposingforce © Opposing Force. All right reserved. https://www.opposingforce.it | engage@opposingforce.it