• visit unknown web-links from any search engine? • host a Web Service? • use a Proxy? • log-in to your Web based accounts? • use any Web Service? • access any private data?
over your User Account. • use patched Web Browsers. • use Intrusion Detection System. • use trusted SSL Proxy. • log-in to your Web Accounts over encrypted connection. • use Firewall. • delete and format your storage media.
:: Hackers have tools: • Live Boot Discs to steal Password-Hash files (otherwise inaccessible). • Tool “John-The-Ripper” can try cracking passwords by matching hash of guessed passwords. • Tool “Rainbow Crack” and “OPHCrack” have precomputed hash tables of several passwords to match the hash in the stolen password file.
:: Cracking password consumes a lot of time against strong passwords. Hackers have tools: • Grub/Lilo (Unix/Linux) • Kon-Boot (Windows, Unix/Linux) • Keyboard (Macintosh only)
Web Page • IE supports “file://” and “res://” protocol for accessing local machine resources' URI. • Firefox has also started support for a similar “resource://” protocol. • Javascript can use these protocols to enumerate resources. • Could gather User Names using Brute Force. • e.g. if “file:///c:/oracle/ora81/bin/ orclcontainer.bmp” loads, means “Oracle 8” is present on system.
'res(ource)://' protocol hack using CPU Cycles. • An attacker can even get resources to execute on your machine. • Could measure CPU Cycles for resource enumeration, the CPU cycle count for existing resources is almost twice the CPU cycle count for non-existing resources. • Could even exhaust Victim's machine by generating infinite CPU cycles.
Denial-of-Service Attack.. • It's a stealth-mode attack. • Allows single machine to attack Web-Server with minimal bandwidth. • Uses Partial HTTP Connections to keep Web Server sockets busy, and slowly consumes all the sockets. • It works successfully over Apache 1.x, Apache 2.x, dhttpd, GoAhead, WebSense, etc. but fails against IIS 6.0, IIS 7.0, lighttpd, squid, nginx, etc.
• Websites protect against sniffing of passwords by encrypting the log-in mechanism, and create a session for further authenticated access. • But after log-in, if this Session Information is transferred in plain-text, it can be sniffed. • Attackers sniff this session information and use them to replicate the required cookies or session state managing file. • Now, an user can access the same Account without knowing the password.
problem. • Onion Proxy is one of the best Anonymizer. • TOR works on it, using a chain of random proxy servers between the entry node and the exit node. • According to Research, several TOR exit clients are Trojan-infected, sniffing all the sensitive data passed. • e.g. doing a Reverse DNS Lookup on POP3 packets and harvesting usernames and passwords.
Design and Poor Implementation. • Earlier it allowed any Digital Certificate Owner to sign any Digital Certificate (e.g. haxor.com can sign certificate for paypal.com and use itself) • It was patched by specifying signing authority field in Digital Certificate • If attacker send a forged certificate with expired validity date, several applications ask for date confirmation and perform no more checks for certificate validation.
an easy hack. • Default behaviour of maximum Websites is non-SSL. SSL is implemented by Redirecting to a SSL Link or let user click the SSL Service link. • e.g. opening Facebook.com, opens http://www.Facebook.com, here log-in button has https:// link for SSL based Log-in. • Attacker can modify webpage replacing https://login link to http://login link • Now log-in credentials transfer in plain-text mode, thus they can be sniffed.
hard to find, best to exploit. • Authority grants a digital certificate to an organisation Y.org for all sub-domains it asks say X.Y.org, irrespective of value of X. • If X is “www.PayPal.com\0”, then too it issues the certificate to Y.org for www.PayPal.com\0Y.org.
(except WebKit, Opera) www.PayPal.com\0Y.org get stored in a String and read back only as www.PayPal.com\0 . Null Character Escape (for WebKit, Opera) www.Pay\0Pal.com\0 get stored in a String and read back only as www.PayPal.com\0 . Wildcard ('*', '|') Match Matching several website certificates at once.
with two fields ResponseStatus and ResonseBytes (with signature). Setting “ResponseStatus=3” for “Try Later” has no ResponseBytes, so no signature and hence the victim does not see any effect of the attack. Software Updates Software Updates also work over SSL channel, which is already compromised.
Vulnerable. • Man-in-the-Middle attack are a major threat to DNS. • DNS Cache Poisoning is possible even if machines are behind a Firewall. When DNS queries about IP of any Domain, attacker spoofs as one of domain's NameServer and answers a specially crafted response making the Victim record the attacker's IP for requested Domain.
basic requirement of Security. • It provides Origin Authentication, Integrity Protection, PKI, and even authenticated denial of existence of data. • But no Confidentiality, and confidentiality is one of the fundamental requirement of Security. • DNS NameServer Enumeration is much deeper because of 'DNS Query Espionage'. • CPU Flooding is possible as it uses exhaustive encryption/decryption.
in Main Memory, Hackers stole it. • Data Carving. • Cold Boot Attack. • Imaging RAM. • Dig Information from O.S. • Dig information from Files. • Timestomp.
Restrict any kind of physical access to your machine, nothing else can counter it. RES-Timing and SMBEnum Attack • Turning off Javascript is a partial solution, victim is vulnerable till correct patches are provided by Microsoft and Mozilla. Slowloris Attack • Applying patches to Web Servers & IDSes, but no optimal patch is available.
• Don't log-in at any Public Hotspot. DeAnonymize Proxy • Use your own encryption channel for data exchange over proxy. Defeating SSL • Use secure proxy channel. • Check URL in Certificate with one in Address Bar, do a WHOIS on both & match them.
mapping for important domains. • Use DNSCurve instead of DNSSEC. Forensic eXpert Hackers • Encrypt your content or even entire disc. • Apply 'Secure Recursive Delete' on sensitive data. • Use ZipBomb to trouble the Hacker.
track of latest vulnerabilities and start/stop using resources based on them. Refer sites like SecurityFocus.com, CERT.org/vuls, updates.ZDNet.com/tags/security. html, etc. Most of the Insecurity In Security comes from badly written piece of code and we have only careless developers to thank for them.
abhishekkr
yng87
huffon
soudai
yokawasa
cyberagentdevelopers
tsukasa_ishimaru
kazzpapa3
yuu26
fullkaiten
koujikozaki
kazu_kichi_67
pamelafox
shpigford
garrettdimon
rmw
samlambert
danielanewman
bkeepers
jponch
scottboms
afnizarnur
samanthasiow
eileencodes
cromwellryan
