How do you create your own Stuxnet? Are security tools themselves safe? How easy is it to track people, and why is physical security the foundation of any security? Today we bring to your attention some of the more than 30 reports in the main technical program of the Positive Hack Days III forum.
Can you create a web server? So you can create a flash drive.

Travis Goodspeed talks about how, using the open source Facedancer framework, you can create user-space emulators for the Mass Storage, Human Interface, FTDI, and Device Firmware Update protocols in Python. The sockets work a little differently and the protocols are not ASCII-based, but the general principle and the libraries are no more complicated than for HTTP.
As examples of the author's method, he will demonstrate a tool that intercepts firmware updates by impersonating a DFU device, and a prototype hard drive that actively protects itself against forensic analysis and cloning tools.
Continuous deployment: a method for fast, secure software development

Continuous deployment helps avoid the long development cycles that often leave developers without enough attention for the security of their product. Applied properly, this method can change the software life cycle and turn the security team from an incident response team into an internal security consulting service that developers can turn to.
Nick Galbreath, Vice President of Technology at IPONWEB, will talk about how to approach the introduction of continuous deployment, and about the tools and processes that ensure a successful transition to a new level of security.
Prelude to attack: OSINT practice and automation

Collecting and analyzing publicly available information about the target (Open Source Intelligence, or OSINT) is a mandatory step in a modern penetration test. However, despite its importance, many skip this stage and immediately begin scanning for vulnerabilities. That is a mistake: gathering information about the systems and personnel within the scope of the test often plays a crucial role in security audits, and it is a critical success factor for audits that use social engineering techniques.
Vladimir Styran is a lead consultant at BMS Consulting and head of its information security testing department.
Exploiting browser user interfaces for fun and profit

Today, any modern browser can recognize potentially dangerous actions on a web page that require the user's attention (requests to download a file, install a software module, or grant privileges to third-party sites) and ask the user to explicitly confirm the operation in a separate window or in the notification bar. This raises the level of user protection, but notification mechanisms do not guarantee 100% security.
Rosario Valotta, an information security specialist with twelve years of experience, will show in his talk how a minimal set of social engineering techniques (or even none at all) can be used to compromise user security and even execute simple code on the victim's computer by abusing the notification bars of popular browsers (Chrome 24, IE9, IE10).
Who is watching you, baby?

A mobile phone or an RFID card can be tracked. Members of the OpenBeacon project, Jeff Katz and aestetix, will present their latest findings, as well as a system that tracks the location of objects in real time. The presenters will demonstrate the visualizations they created and show how an innocuous device easily turns into a powerful tool.
Traps can bite: reverse penetration

The report will look at the concept of an aggressive trap ("defense can be rough") and the options for deploying such a trap. Topics will include attacking, filtering and detecting manual attacks, determining an attacker's level of technical skill, and gaining control over the attacker.
Alexey Sintsov, senior information security engineer at Nokia, will demonstrate real examples of attacks and the results of using original protection techniques. Other interesting questions will also be considered: can we, for example, use vulnerabilities in third-party services, or only client-side vulnerabilities?
Five Nightmares for Telecom

"Five Nightmares for Telecom" is five stories about how to break into an operator's network and attack packet services, gain control over the infrastructure, and make money on VoIP or self-service portals. Some of these attacks have had precedents in the past, while others remain a fantasy which, hopefully, will never become reality.
Speaker: Dmitry Kurbatov, information security specialist, Positive Technologies.
Lie Theory: Bypassing Modern WAF

The report by Vladimir Vorontsov, founder, leader and lead expert at ONsec, analyzes how modern Web Application Firewalls (WAFs) detect attacks against web applications. The author compares the main attack detection algorithms and points out their advantages and disadvantages. Concrete examples of bypassing the protective mechanisms are given. The author argues that a universal method of masking an attack vector from a WAF, one that works against the different detection algorithms, needs to be identified.
Java Everyday. System analysis of zero-day exploits in Java

The report will present the results of a systematic analysis of all the zero-day vulnerabilities found in Java in 2012 and 2013 (CVE-2013-1493, CVE-2013-0431, CVE-2013-0422, CVE-2012-5076, CVE-2012-4681, CVE-2012-1723, CVE-2012-1507). The purpose of the study is to identify patterns that point to a common source or a common method of finding these vulnerabilities.
Speaker: Boris Ryutin; co-author: Alisa Shevchenko.
SCADA Strangelove: how to create your own Stuxnet

While others are looking for missing links in the evolution of cyber weapons, experts from Positive Technologies suggest looking into the near future, where creating a ready-made SCADA worm requires only the latest version of Metasploit and a bit of VBScript programming skill.
The report, based on security research into the Siemens SIMATIC product line (TIA Portal, WinCC, S7 PLC), will cover vulnerabilities that can be exploited to compromise a process control system. The presenters will demonstrate the worm's propagation paths and its harmful effect on the system, from the network layer (S7 / Profinet) to the web management interfaces and WinCC project files. New vulnerabilities in Siemens products will be presented, along with the tools used to analyze security and search for new vulnerabilities in process control systems.
Lockpicking and physical security

In the technology world, physical security as a component of overall system security is often ignored, yet it is no less important than timely patching, correct password policies, and proper user rights. You may have the most secure servers and the most inaccessible network, but none of that helps if someone gets direct access to the keyboard or, worse, steals your hardware.
Attendees can expect a talk about how to protect buildings and premises from unauthorized access. Serious incidents will be examined, many of which can easily be repeated without special training. Deviant Ollam, Babak Javadi and Keith Howell will explain what to look for when choosing locks and safes, and how to invest in systems that are easiest to manage across large sites.
Bypassing DPI

Evader, introduced at Black Hat 2012, can be used to find weaknesses in security devices and to carry out penetration testing and security checks. Well-known information security specialist Olli-Pekka Niemi (Opi) will talk about the technical aspects of how Evader works and how the tool can be used to bypass most modern security products.
To find them all and bind them together ... - industrial control systems on the Internet

Did you know that many process control systems are managed remotely and can therefore be discovered on the Internet (for example, with the SHODAN search engine)? Johannes Klick and Daniel Marzin built their own search engine, the SCADACS Search Engine (SSE), and will present a comparison of its first results with those of SHODAN.
They will show the worldwide distribution of SCADA / PLC systems on an Industrial Risk Assessment Map (IRAM). Among other things, the map provides information on the vulnerabilities present in those systems and possible methods of exploiting them. The speakers will also speculate about what could happen if IRAM, SSE and exploits were combined in a single application.
Protecting organizations from APT (with examples from RSA)

Michel Oosterhof (CISSP, CISM, CISA, GCIH) is a lead systems engineer at RSA, the security division of EMC. Any modern company invests heavily in protecting its information resources, brand and intellectual property. Incidents still occur, however, because attackers do not spare money either when developing their means and methods of attack. RSA knows this firsthand, because the company is a constant target of intruders.
The speaker will share experience and best practices in preventing, detecting and minimizing the effects of APT attacks on corporate and government infrastructures. Drawing on real-world examples (incidents at Lockheed Martin and other large corporations), he will discuss the Cyber Kill Chain concept, typical attack patterns, and possible ways of reducing the risks associated with industrial espionage and cyber attacks. The report will also describe the work of RSA's Critical Incident Response Center (CIRC), the unit that counters cyber attacks on EMC's internal network infrastructure.
A full list of the talks at Positive Hack Days can be found on the official forum website. In addition to the standard reports, the PHDays III program includes a rich Fast Track of more than 20 short but very interesting fifteen-minute presentations whose authors will cover a variety of fascinating topics, from "reducing the brain" to a car to a dozen methods of bypassing DLP systems.
Besides that, one of this year's keynote speakers will be Marc "van Hauser" Heuse, the famous researcher and author of Hydra, Amap and SuSEfirewall.
PS: By the way, we have compiled the Twitter accounts of PHDays speakers into a separate list. Subscribe! :)
PPS: Registration for the forum continues!