
Kiwicon 2038AD Day 2 Summary

Moving Fast and Securing Things - Kelly Ann @kellyxvx

Talking about Slack's secure development lifecycle (SDL) and tooling.

- 1300 employees, 700 engineers, 400 developers, 30 security engineers, 5 product security engineers
- At peak, deploys to prod were happening 100-150 times daily. Not any more; changed to increase stability.
- Relationship between security and devops…
- Make the engineering team security self-sufficient, without having to be security experts
- Host weekly security office hours
- Don't facilitate an adversarial relationship
- Team runs an internal "hacktober", the security awareness month
- Make security approachable and easy
  - Allows the devs to type /go SDL to begin the SDL cycle
  - They will be provided a form to request details of the project/feature
  - Sends the dev through to a risk assessment form which feeds back to product security
- "Checklisting for basic items drastically increases the chance that they'll get done" - The Checklist Manifesto
  - The aviation industry noted that performing a pre-flight checklist prevented plane crashes
  - Doctors with a checklist have a 50% less likelihood of killing a patient
- After the dev completes the checklists, the prodsec team performs their review
- As the SDL process has taken effect, the bug bounty program has been receiving less severe submissions

Cyber defence exercises - how to make it cool? - Raimo Peterson

- NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) performs research, trainings and exercises
- Locked Shields
  - One week exercise run every year since 2010
  - 30 nations, 1000 people attending/contributing
  - Live fire exercise: real, live red and blue teams
  - Complex, and includes ICS/SCADA
  - Primarily an exercise for the defenders; allows blue teams to test defences that are difficult to test otherwise
  - "Gamified": everything is scored, which motivates teams to do better
  - Red team balances their attacks across all 24 blue teams
  - Blue teams are VPN'd in from their nation's capital city
  - Broad, realistic network deployed for each team to defend; includes many devices with vulnerabilities
- Need to cooperate with SMEs from other areas, e.g. power station/distribution guys
- Build a simplified version of the environment, on servers configured in realistic ways
- Use representative examples that make it easy to see what the impact of an attack is
- Provided the teams with a 4G network to play with, water purification stations and simulated drones
- Industrial systems are more difficult to scale for an environment like this than business systems
- Takeaways
  - Simplify but do not oversimplify
  - Involve real world experts
  - Find win-wins with vendors, otherwise it's very expensive!
  - Systems with nice visualisations may not provide the best learning curve
- Some numbers from LS18: 4000 VMs, 2500 attacks, 1000 people, 30 nations, 24 blue teams, 40 people per blue team on average

Getting Shells from javascript: offensive JavaScript techniques for red teamers - Dylan Ayrey and Christian Frichot @xntrik

- JavaScript is super powerful: actions can still be performed cross-origin, despite the same origin policy (SOP)
- When it's simple to get SQLi/RCE/LFI (mid-2000s), it's easy to overlook single-client vulnerabilities (XSS)
- 30% of victims will click a link in their email, only 12% will open an attachment. Try to focus on the 30%… BeEF is a great tool for exploiting this…
- It's difficult to get browser RCE these days: Flash is gone, Java is gone/somewhat safer
- The browser has access to many important places: local networks, VPNs
- What's the internal IP of the current machine? WebRTC: the DOM needs to know the local IP, meaning that any JS can get this as well. BeEF can do this.
- What other internal hosts are there? BeEF can discover this with WebSockets and timing… somehow.
- "Simple" vs "non-simple" HTTP request types: simple requests are allowed without a pre-flight, non-simple ones are not.
- XSS: if you find XSS you can do anything the user can do on the page (steal data, change state, etc.). XSS is still #1 on HackerOne, by far.
- Recon of internal hosts
  - Rapid7 Project Sonar releases DNS/HTTP/SSL/port scan info of the Internet periodically; can be useful for passive recon
  - PassiveTotal can drill into other WhoIs records that share the same values (if contactEmail is x@x.com, find other records that have x@x.com)
  - Internal open source tools can be discovered from DNS names. Can be valuable, because a host that isn't directly available becomes white box. These tend to be less patched/protected than externally accessible services.
- DNS rebinding allows you to bypass the same origin policy. You can't target SSL-only services though :(
- ServiceWorkers are helpful here as well: you get to run arbitrary JS for up to 30min after the tab was opened, even after it has closed.
- In closing
  - Browsers have access to multiple contexts; use this as part of assessments
  - Recon for internal systems, especially open source software; look for vulns in them
  - New browser features often provide new tools for attackers (ServiceWorkers/WebRTC/etc.)
  - Secure your internal apps!

Overwatch Cyber-Espionage Tool - Wayne

- Built a Windows implant tool, Overwatch
- Offensive: gathers digital espionage from high value targets
- Inspired by the Vault7 Wikileaks documents talking about C2
- Takeaways
  - Don't be afraid to embark on a large project/goal
  - You will definitely learn new things making something yourself, even if people have made the same thing before
  - The satisfaction that you get when you reach your large goal will be immense

Tracing the Watchers: practical tooling - Paul McMillan

- Got here late, so missed the beginning…
- Researched, and created tooling for locating transmitters on a live public safety radio system
- Any radio transmitter is inadvertently transmitting its location if somebody is listening properly
- Used a bladeRF for all of the RX nodes
- A lot of this stuff kinda went over my head, but it was interesting :P

More coming…

XORcat

