SlideShare ist ein Scribd-Unternehmen logo

Security Bootcamp 2013 - Timing info-leak made easy - Quan Minh Tâm

Security Bootcamp
Security Bootcamp
Technologie
1 von 40
Downloaden Sie, um offline zu lesen
Timing Info-leak Made Easy Presenter: Quan Minh Tam
Đơn vị tổ chức: Đơn vị tài trợ:
Outline • Review SSL/TLS weaks • BEAST is not beast • CRIME is not crime – Compression – CRIME • TIME is time – CRIME+ 10/22/2013 11:32 PM www.securitybootcamp.vn
Cryptanalysis • • • • • • • Chosen plaintext | ciphertext Adaptive chosen plaintext | ciphertext Side channel attack Bruteforce attack Meet-in-the middle Linear | differential attack Birthday 10/22/2013 11:32 PM www.securitybootcamp.vn
Timeline • • • • • • BEAST - 2011 CRIME - 2012 BREACH - 2013 LUCKY 13 - 2013 TIME - 2013 RC4 biases in TLS 10/22/2013 11:32 PM www.securitybootcamp.vn
CRIME 10/22/2013 11:32 PM www.securitybootcamp.vn
CRIME • Compression Ratio Info-leak Made Easy • Chosen plaintext attack 10/22/2013 11:32 PM www.securitybootcamp.vn
CRIME 10/22/2013 11:32 PM www.securitybootcamp.vn
COMPRESSION 10/22/2013 11:32 PM www.securitybootcamp.vn
COMPRESSION 10/22/2013 11:32 PM www.securitybootcamp.vn
COMPRESSION 10/22/2013 11:32 PM www.securitybootcamp.vn
COMPRESSION http://www.c-sharpcorner.com/uploadfile/shivprasadk/best-practice-no-4-improve-bandwidth-performance-of-asp-net-sites-using-iis-compression/ 10/22/2013 11:32 PM www.securitybootcamp.vn
COMPRESSION • • • • Gzip/Deflate HTTP Respone body HTTP Request body Header compression – SSL/TLS Compression • Servers: Open SSL, others • Clients: Chrome – SPDY • Server: Apache mod_spdy • Client: -IE 10/22/2013 11:32 PM www.securitybootcamp.vn
CRIME demo 10/22/2013 11:32 PM www.securitybootcamp.vn
How can you become a victim of CRIME? • 1st requirement: the attacker can sniff your network traffic. – You share a (W)LAN. – He's hacked your home router. – He's your network admin, ISP or government. https://docs.google.com/presentation/d/11eBmGiHbYcHR9gL5nDyZChu_-lCa2GizeuOfaLU2HOU/edit#slide=id.g1d134dff_0_165 10/22/2013 11:32 PM www.securitybootcamp.vn
How can you become a victim of CRIME? • 2nd requirement: you visit evil.com. – You click on a link. – Or you surf a nonHTTPS site. https://docs.google.com/presentation/d/11eBmGiHbYcHR9gL5nDyZChu_-lCa2GizeuOfaLU2HOU/edit#slide=id.g1e3070b2_1_21 10/22/2013 11:32 PM www.securitybootcamp.vn
TIME 10/22/2013 11:32 PM www.securitybootcamp.vn
Review • Round-Trip Time (RTT) • Maximum Transmission Unit (MTU) • Maximum Segment Size (MSS) MSS = MTU - sizeof(TCPHDR) - sizeof(IPHDR) • TCP Sliding Window System 10/22/2013 11:32 PM www.securitybootcamp.vn
http://ulam2.cs.luc.edu/ebook/html/slidingwindows.html 10/22/2013 11:32 PM www.securitybootcamp.vn
TIME • Timing Info-leak Made Easy • Chosen Plaintext Attack • Targets compression and timing information leakage 10/22/2013 11:32 PM www.securitybootcamp.vn
• HTTP request – CRIME for request to extract cookie data • HTTP response – Extended CRIME to extract response data – Access a behind authentication resource for user login status detection – Application specific: e.g. number of digits in bank account balance 10/22/2013 11:32 PM www.securitybootcamp.vn
HTTP payload • HTTP Payload size may carry sensitive information – HTTP payload size differences detection is sufficient to extract the sensitive information • Using timing measurements attacker can distinguish HTTP payload size differences • These timing measurements can be done with javascript on attacker site 10/22/2013 11:32 PM www.securitybootcamp.vn
XHR POC • Create HTTP request with XHR – XHR adheres to SOP • Allows GET requests to flow – If headers allow show response – If not, abort • We don’t care for the response – Timing leaks the request size • Use getTime() on XHR events – onreadystatechange • Noise elimination – Repeat the process (say 10 times) and obtain Minimal time 10/23/2013 2:41 AM www.securitybootcamp.vn
• HTML with Javascript, sending method is XHR • Sends one byte diff requests alternately 10 times – The longer request crosses the send window boundary – The shorter is exactly within • Measures requests time • Outputs length and time • Outputs the minimal timing values for both requests’ length 10/23/2013 2:51 AM www.securitybootcamp.vn
XHR 10/22/2013 11:32 PM www.securitybootcamp.vn
10/23/2013 2:33 AM www.securitybootcamp.vn
10/23/2013 2:35 AM www.securitybootcamp.vn
10/22/2013 11:32 PM www.securitybootcamp.vn
10/23/2013 2:50 AM www.securitybootcamp.vn
Real world SCB 1 10/23/2013 2:53 AM www.securitybootcamp.vn
• Iframe 1 • Use getTime() on iframe events – onLoad – Onreadystatechange(IE) 10/23/2013 3:02 AM www.securitybootcamp.vn
Real world SCB 2 10/23/2013 2:57 AM www.securitybootcamp.vn
• HTTP request with IMG src – It is not a image? Don’t worry – X-Frame-Options? Don’t worry • Use getTime() on img events – onLoad – Onreadystatechange(IE) 10/23/2013 3:07 AM www.securitybootcamp.vn 2
New Risk? 10/23/2013 3:09 AM www.securitybootcamp.vn
New Risk? • Automation attack – via URL – via loadtine • SOP? – data leaked out 10/23/2013 3:12 AM www.securitybootcamp.vn
MITIGATIONS • • • • Adding random timing delays X-Frame-Options Unknown-parameter CAPTCHA, CSRF token 10/22/2013 11:32 PM www.securitybootcamp.vn
MITIGATIONS • Adding random timing delays ineffective 10/23/2013 3:15 AM www.securitybootcamp.vn
MITIGATIONS • X-Frame-Options – Browser should support and respect “XFrame-Options'' header for all content inclusion (not just IFRAME); 10/23/2013 3:23 AM www.securitybootcamp.vn
MITIGATIONS • CSRF protection • Unknow parameter • Captcha 10/23/2013 3:23 AM www.securitybootcamp.vn
That’s all 10/23/2013 3:24 AM www.securitybootcamp.vn

Empfohlen

Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn ViệtSecurity Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp
 
Security Bootcamp 2013 - Difficulties of malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Difficulties of malware analysis - Nguyễn Chấn ViệtSecurity Bootcamp 2013 - Difficulties of malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Difficulties of malware analysis - Nguyễn Chấn Việt
Security Bootcamp
 
Security Bootcamp 2013 - Mitigate DDoS attack with effective cost - Nguyễn Ch...
Security Bootcamp 2013 - Mitigate DDoS attack with effective cost - Nguyễn Ch...Security Bootcamp 2013 - Mitigate DDoS attack with effective cost - Nguyễn Ch...
Security Bootcamp 2013 - Mitigate DDoS attack with effective cost - Nguyễn Ch...
Security Bootcamp
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
Jeremy Brown
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
Francois Marier
 
Summer of Fuzz: macOS
Summer of Fuzz: macOSSummer of Fuzz: macOS
Summer of Fuzz: macOS
Jeremy Brown
 
Attacking Big Data Land
Attacking Big Data LandAttacking Big Data Land
Attacking Big Data Land
Jeremy Brown
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentThreat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Nahidul Kibria
 

Empfohlen

Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn ViệtSecurity Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp
 
Security Bootcamp 2013 - Difficulties of malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Difficulties of malware analysis - Nguyễn Chấn ViệtSecurity Bootcamp 2013 - Difficulties of malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Difficulties of malware analysis - Nguyễn Chấn Việt
Security Bootcamp
 
Security Bootcamp 2013 - Mitigate DDoS attack with effective cost - Nguyễn Ch...
Security Bootcamp 2013 - Mitigate DDoS attack with effective cost - Nguyễn Ch...Security Bootcamp 2013 - Mitigate DDoS attack with effective cost - Nguyễn Ch...
Security Bootcamp 2013 - Mitigate DDoS attack with effective cost - Nguyễn Ch...
Security Bootcamp
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
Jeremy Brown
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
Francois Marier
 
Summer of Fuzz: macOS
Summer of Fuzz: macOSSummer of Fuzz: macOS
Summer of Fuzz: macOS
Jeremy Brown
 
Attacking Big Data Land
Attacking Big Data LandAttacking Big Data Land
Attacking Big Data Land
Jeremy Brown
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentThreat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Nahidul Kibria
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
Francois Marier
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
Francois Marier
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QA
CodeFest
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
Francois Marier
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
David Timothy Strauss
 
Velocity 2011 - Our first DDoS attack
Velocity 2011 - Our first DDoS attackVelocity 2011 - Our first DDoS attack
Velocity 2011 - Our first DDoS attack
Cosimo Streppone
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration Testing
UTD Computer Security Group
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets Mallory
Emily Stark
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
Francois Marier
 
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
OWASP Russia
 
Zombilizing The Web Browser Via Flash Player 9
Zombilizing The Web Browser Via Flash Player 9Zombilizing The Web Browser Via Flash Player 9
Zombilizing The Web Browser Via Flash Player 9
thaidn
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricata
MrArora Arjuna
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must Know
Ayoma Wijethunga
 
Testing NodeJS Security
Testing NodeJS SecurityTesting NodeJS Security
Testing NodeJS Security
Jose Manuel Ortega Candel
 
FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...
FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...
FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...
Paulo Henrique
 
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
NoNameCon
 
Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie Stealing
SecurityTube.Net
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
Leszek Mi?
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
ColdFusionConference
 
Adaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber AttacksAdaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber Attacks
Jermund Ottermo
 
Security Bootcamp 2013 - Cach tiep can ISO27001-Lương Trung Thành
Security Bootcamp 2013 - Cach tiep can ISO27001-Lương Trung ThànhSecurity Bootcamp 2013 - Cach tiep can ISO27001-Lương Trung Thành
Security Bootcamp 2013 - Cach tiep can ISO27001-Lương Trung Thành
Security Bootcamp
 
Security Bootcamp 2013 - Thiết bị không dây không chỉ phát sóng không dây - T...
Security Bootcamp 2013 - Thiết bị không dây không chỉ phát sóng không dây - T...Security Bootcamp 2013 - Thiết bị không dây không chỉ phát sóng không dây - T...
Security Bootcamp 2013 - Thiết bị không dây không chỉ phát sóng không dây - T...
Security Bootcamp
 

Weitere ähnliche Inhalte

Was ist angesagt?

Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
Francois Marier
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
Francois Marier
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
David Timothy Strauss
 
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
OWASP Russia
 
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
NoNameCon
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
Leszek Mi?
 

Was ist angesagt? (20)

Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QA
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
 
Velocity 2011 - Our first DDoS attack
Velocity 2011 - Our first DDoS attackVelocity 2011 - Our first DDoS attack
Velocity 2011 - Our first DDoS attack
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration Testing
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets Mallory
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
 
Zombilizing The Web Browser Via Flash Player 9
Zombilizing The Web Browser Via Flash Player 9Zombilizing The Web Browser Via Flash Player 9
Zombilizing The Web Browser Via Flash Player 9
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricata
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must Know
 
Testing NodeJS Security
Testing NodeJS SecurityTesting NodeJS Security
Testing NodeJS Security
 
FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...
FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...
FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...
 
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
 
Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie Stealing
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Adaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber AttacksAdaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber Attacks
 

Andere mochten auch

Security Bootcamp 2013 - Cach tiep can ISO27001-Lương Trung Thành
Security Bootcamp 2013 - Cach tiep can ISO27001-Lương Trung ThànhSecurity Bootcamp 2013 - Cach tiep can ISO27001-Lương Trung Thành
Security Bootcamp 2013 - Cach tiep can ISO27001-Lương Trung Thành
Security Bootcamp
 
Security Bootcamp 2013 - Thiết bị không dây không chỉ phát sóng không dây - T...
Security Bootcamp 2013 - Thiết bị không dây không chỉ phát sóng không dây - T...Security Bootcamp 2013 - Thiết bị không dây không chỉ phát sóng không dây - T...
Security Bootcamp 2013 - Thiết bị không dây không chỉ phát sóng không dây - T...
Security Bootcamp
 
Security Bootcamp 2013 - OWASP TOP 10- 2013
Security Bootcamp 2013 - OWASP TOP 10- 2013Security Bootcamp 2013 - OWASP TOP 10- 2013
Security Bootcamp 2013 - OWASP TOP 10- 2013
Security Bootcamp
 
Security Bootcamp 2013 - Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...
Security Bootcamp 2013 - Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...Security Bootcamp 2013 - Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...
Security Bootcamp 2013 - Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...
Security Bootcamp
 
Security Bootcamp 2013 - Lap trinh web an toan
Security Bootcamp 2013 - Lap trinh web an toanSecurity Bootcamp 2013 - Lap trinh web an toan
Security Bootcamp 2013 - Lap trinh web an toan
Security Bootcamp
 
Web Application Security Testing Tools
Web Application Security Testing ToolsWeb Application Security Testing Tools
Web Application Security Testing Tools
Eric Lai
 
Security Bootcamp 2013 - Giải pháp phát hiện xâm nhập mạng không dây - WIDS -...
Security Bootcamp 2013 - Giải pháp phát hiện xâm nhập mạng không dây - WIDS -...Security Bootcamp 2013 - Giải pháp phát hiện xâm nhập mạng không dây - WIDS -...
Security Bootcamp 2013 - Giải pháp phát hiện xâm nhập mạng không dây - WIDS -...
Security Bootcamp
 
SCB 2013 DLP, công nghệ, và phương pháp triển khai
SCB 2013 DLP, công nghệ, và phương pháp triển khaiSCB 2013 DLP, công nghệ, và phương pháp triển khai
SCB 2013 DLP, công nghệ, và phương pháp triển khai
Security Bootcamp
 

Andere mochten auch (9)

Security Bootcamp 2013 - Cach tiep can ISO27001-Lương Trung Thành
Security Bootcamp 2013 - Cach tiep can ISO27001-Lương Trung ThànhSecurity Bootcamp 2013 - Cach tiep can ISO27001-Lương Trung Thành
Security Bootcamp 2013 - Cach tiep can ISO27001-Lương Trung Thành
 
Security Bootcamp 2013 - Thiết bị không dây không chỉ phát sóng không dây - T...
Security Bootcamp 2013 - Thiết bị không dây không chỉ phát sóng không dây - T...Security Bootcamp 2013 - Thiết bị không dây không chỉ phát sóng không dây - T...
Security Bootcamp 2013 - Thiết bị không dây không chỉ phát sóng không dây - T...
 
Security Bootcamp 2013 - OWASP TOP 10- 2013
Security Bootcamp 2013 - OWASP TOP 10- 2013Security Bootcamp 2013 - OWASP TOP 10- 2013
Security Bootcamp 2013 - OWASP TOP 10- 2013
 
Profile của Võ Thái Lâm
Profile của Võ Thái LâmProfile của Võ Thái Lâm
Profile của Võ Thái Lâm
 
Security Bootcamp 2013 - Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...
Security Bootcamp 2013 - Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...Security Bootcamp 2013 - Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...
Security Bootcamp 2013 - Mô hình ứng dụng hội chẩn mã độc trực tuyến trong ...
 
Security Bootcamp 2013 - Lap trinh web an toan
Security Bootcamp 2013 - Lap trinh web an toanSecurity Bootcamp 2013 - Lap trinh web an toan
Security Bootcamp 2013 - Lap trinh web an toan
 
Web Application Security Testing Tools
Web Application Security Testing ToolsWeb Application Security Testing Tools
Web Application Security Testing Tools
 
Security Bootcamp 2013 - Giải pháp phát hiện xâm nhập mạng không dây - WIDS -...
Security Bootcamp 2013 - Giải pháp phát hiện xâm nhập mạng không dây - WIDS -...Security Bootcamp 2013 - Giải pháp phát hiện xâm nhập mạng không dây - WIDS -...
Security Bootcamp 2013 - Giải pháp phát hiện xâm nhập mạng không dây - WIDS -...
 
SCB 2013 DLP, công nghệ, và phương pháp triển khai
SCB 2013 DLP, công nghệ, và phương pháp triển khaiSCB 2013 DLP, công nghệ, và phương pháp triển khai
SCB 2013 DLP, công nghệ, và phương pháp triển khai
 

Ähnlich wie Security Bootcamp 2013 - Timing info-leak made easy - Quan Minh Tâm

The RED Method: How To Instrument Your Services
The RED Method: How To Instrument Your ServicesThe RED Method: How To Instrument Your Services
The RED Method: How To Instrument Your Services
Kausal
 
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdfSECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
NiharikaDubey17
 
Art and Science of Web Sites Performance: A Front-end Approach
Art and Science of Web Sites Performance: A Front-end ApproachArt and Science of Web Sites Performance: A Front-end Approach
Art and Science of Web Sites Performance: A Front-end Approach
Jiang Zhu
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guide
J.D. Wade
 

Ähnlich wie Security Bootcamp 2013 - Timing info-leak made easy - Quan Minh Tâm (20)

Meek and domain fronting public
Meek and domain fronting publicMeek and domain fronting public
Meek and domain fronting public
 
Network
NetworkNetwork
Network
 
The RED Method: How To Instrument Your Services
The RED Method: How To Instrument Your ServicesThe RED Method: How To Instrument Your Services
The RED Method: How To Instrument Your Services
 
Covert Timing Channels based on HTTP Cache Headers (Special Edition for Top 1...
Covert Timing Channels based on HTTP Cache Headers (Special Edition for Top 1...Covert Timing Channels based on HTTP Cache Headers (Special Edition for Top 1...
Covert Timing Channels based on HTTP Cache Headers (Special Edition for Top 1...
 
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdfSECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
 
Covert Timing Channels using HTTP Cache Headers
Covert Timing Channels using HTTP Cache HeadersCovert Timing Channels using HTTP Cache Headers
Covert Timing Channels using HTTP Cache Headers
 
Covert timing channels using HTTP cache headers
Covert timing channels using HTTP cache headersCovert timing channels using HTTP cache headers
Covert timing channels using HTTP cache headers
 
ssl.ppt
ssl.pptssl.ppt
ssl.ppt
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser Netwroking
 
Covert timing channels using HTTP cache headers
Covert timing channels using HTTP cache headersCovert timing channels using HTTP cache headers
Covert timing channels using HTTP cache headers
 
Part 7 : HTTP/2, UDP and TCP
Part 7 : HTTP/2, UDP and TCPPart 7 : HTTP/2, UDP and TCP
Part 7 : HTTP/2, UDP and TCP
 
Codefest2015
Codefest2015Codefest2015
Codefest2015
 
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
 
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityCRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
 
Crypto Miners in the Cloud
Crypto Miners in the CloudCrypto Miners in the Cloud
Crypto Miners in the Cloud
 
Web performance mercadolibre - ECI 2013
Web performance mercadolibre - ECI 2013Web performance mercadolibre - ECI 2013
Web performance mercadolibre - ECI 2013
 
Art and Science of Web Sites Performance: A Front-end Approach
Art and Science of Web Sites Performance: A Front-end ApproachArt and Science of Web Sites Performance: A Front-end Approach
Art and Science of Web Sites Performance: A Front-end Approach
 
Http2 in practice
Http2 in practiceHttp2 in practice
Http2 in practice
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guide
 
Deploy secure, scalable, and highly available web apps with Azure Front Door ...
Deploy secure, scalable, and highly available web apps with Azure Front Door ...Deploy secure, scalable, and highly available web apps with Azure Front Door ...
Deploy secure, scalable, and highly available web apps with Azure Front Door ...
 

Mehr von Security Bootcamp

GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active DirectoryGOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
Security Bootcamp
 
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
Security Bootcamp
 

Mehr von Security Bootcamp (20)

Ransomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdfRansomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdf
 
Hieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecurityHieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecurity
 
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s viewNguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
 
Sbc 2020 bao gio vn co anm dua vao cong nghe mo
Sbc 2020 bao gio vn co anm dua vao cong nghe moSbc 2020 bao gio vn co anm dua vao cong nghe mo
Sbc 2020 bao gio vn co anm dua vao cong nghe mo
 
Deception change-the-game
Deception change-the-gameDeception change-the-game
Deception change-the-game
 
Giam sat thu dong thong tin an toan hang hai su dung sdr
Giam sat thu dong thong tin an toan hang hai su dung sdrGiam sat thu dong thong tin an toan hang hai su dung sdr
Giam sat thu dong thong tin an toan hang hai su dung sdr
 
Sbc2019 luong-cyber startup
Sbc2019 luong-cyber startupSbc2019 luong-cyber startup
Sbc2019 luong-cyber startup
 
Insider threat-what-us-do d-want
Insider threat-what-us-do d-wantInsider threat-what-us-do d-want
Insider threat-what-us-do d-want
 
Macro malware common techniques - public
Macro malware common techniques - publicMacro malware common techniques - public
Macro malware common techniques - public
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learning
 
Tim dieu moi trong nhung dieu cu
Tim dieu moi trong nhung dieu cuTim dieu moi trong nhung dieu cu
Tim dieu moi trong nhung dieu cu
 
Threat detection with 0 cost
Threat detection with 0 costThreat detection with 0 cost
Threat detection with 0 cost
 
Build SOC
Build SOC Build SOC
Build SOC
 
AD red vs blue
AD red vs blueAD red vs blue
AD red vs blue
 
Securitybox
SecurityboxSecuritybox
Securitybox
 
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active DirectoryGOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
 
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
 
Api security-present
Api security-presentApi security-present
Api security-present
 
Lannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksLannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber Attacks
 
Letrungnghia-gopyluananm2018
Letrungnghia-gopyluananm2018Letrungnghia-gopyluananm2018
Letrungnghia-gopyluananm2018
 

Kürzlich hochgeladen

Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
DianaGray10
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Skynet Technologies
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
Safe Software
 

Kürzlich hochgeladen (20)

Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 

Security Bootcamp 2013 - Timing info-leak made easy - Quan Minh Tâm