Slide 1

Slide 1 text

“Hacker's Work is a Form Of Participation in the Work of God in Creation.”
- by Father Antonio Spadaro (Vatican)
Recent News

Slide 2

Slide 2 text

Do You?
+ O.S. User Accounts
+ Browse Web
+ Use Web Services
+ Use Computer Networks Any Way
+ Have Any Form Of Binary Data

Slide 3

Slide 3 text

You Are Not Secure If You Don't...
+ Use Strong Passwords 'n Keep Them Safe
+ Browse Web In Safe Browsers
+ Use SSL-ified Web Services
+ Use Patched Name Servers
+ Keep Your Data Protected

Slide 4

Slide 4 text

You Are InSecure Even If You Did...

Slide 5

Slide 5 text

InSecurity
Security In
Security is just maintained... it's never achieved.

Slide 6

Slide 6 text

First Some History from Version 1

Slide 7

Slide 7 text

O.S. User Accounts

Slide 8

Slide 8 text

Bypass Account Protection

Slide 9

Slide 9 text

Vaccinated Browsers

Slide 10

Slide 10 text

Browsing WWW
[+] SMBEnum
 |=+ using 'file://', 'res://', 'resource://'
 Say, if it gains success accessing 'file:///c:/oracle/ora81/bin/orclcontainer.bmp'
[+] ResTiming Attack
 |=+ using 'res://', 'resource://' to execute
 So, gains timing for different binaries & identifies which exist

Slide 11

Slide 11 text

Protector of All

Slide 12

Slide 12 text

Defeating SSL
[] “Signing Authority” field in Digital Certificates
[] Tricking SSL Libraries with NULL Mod Certificates
[] Online Certificate Revocation Policy {ResponseStatus=3, ResponseBytes='' || SSL}
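Added example, not part of the original slides: Python showing the defensive side of two bullets above. It rejects certificate names that carry an embedded NUL byte, and it parses an OCSP reply so that an unsigned answer such as tryLater (ResponseStatus=3, empty ResponseBytes) is treated as a failure. Function names and sample bytes are constructed for illustration.

```python
# Added example: function names and sample bytes are constructed, not from the slides.
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}  # RFC 6960
TRY_LATER = bytes.fromhex("30030a0103")  # constructed: status 3, no responseBytes

def read_tlv(buf, pos):
    """Read one definite-length DER element; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_ocsp_response(der):
    """Return (responseStatus, has_response_bytes) from an OCSPResponse."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one SEQUENCE")
    tag, status, pos = read_tlv(body, 0)
    if tag != 0x0A or len(status) != 1:
        raise ValueError("responseStatus must be ENUMERATED")
    has_bytes = False
    if pos < len(body):                     # optional [0] EXPLICIT responseBytes
        tag, value, pos = read_tlv(body, pos)
        has_bytes = tag == 0xA0 and len(value) > 0
    return status[0], has_bytes

def revocation_decision(der):
    """Hard-fail: only a 'successful' reply carrying responseBytes may proceed."""
    try:
        status, has_bytes = parse_ocsp_response(der)
    except ValueError:
        return "reject: unparseable OCSP response"
    if status == 0 and has_bytes:
        return "continue: verify signature and certStatus"
    return "reject: " + OCSP_STATUS.get(status, "unknown") + " reply has no signed responseBytes"

def name_matches(cert_name: bytes, host: str) -> bool:
    """Exact match only; a NUL or non-ASCII byte disqualifies the name."""
    if b"\x00" in cert_name or not cert_name.isascii():
        return False
    return cert_name.decode("ascii").lower() == host.lower()
```

A client that soft-fails here, treating the five-byte `TRY_LATER` reply as "no revocation information, carry on", accepts an answer that no responder ever signed.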

Slide 13

Slide 13 text

Basis Of All Networks

Slide 14

Slide 14 text

DNSSEC ain't all GOOD
[] Provides 'Origin Auth', 'Integrity Protection', PKI & even Auth. Denial of Data Existence
[] Still No 'Confidentiality' {basics of security} AND CPU-flooding is possible due to exhaustive cryptography
[] Variation of DNS Rebinding Attack presented at BH2010 still affected network

Slide 15

Slide 15 text

Data Forensics

Slide 16

Slide 16 text

Data Forensic Hackers
[] Data Carving (Imaging RAM, Dig O.S.)
[] Dig Information from Files
[] Timestomp, Zipbomb
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[] Mining Network Traffic for Files/Sessions

Slide 17

Slide 17 text

Now Some Mystery for Version 2

Slide 18

Slide 18 text

Hash-Crack on Steroids
http://hashcat.net/oclhashcat/

Slide 19

Slide 19 text

'RSA' Theft & Threat
http://www.schneier.com/blog/archives/2011/03/rsa_security_in.html

Slide 20

Slide 20 text

Comodo Pwn3d CertS
Janam Fadaye Rahbar
http://www.wired.com/threatlevel/2011/03/comodo_hack/

Slide 21

Slide 21 text

OpenBSD 'n Backdoors
[] 10yrs back FBI consulted NETSEC, CTO Perry
[] Lotz of code commit by NETSEC developers
[] Few daz back, Perry's NDA expired with FBI
[] Alleged backdoors in IPSEC Stack
[] FreeBSD inherited lotz code from OpenBSD
http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

Slide 22

Slide 22 text

Samsung Key-loG Conflict
http://arstechnica.com/hardware/news/2011/03/samsung-laptop-keylogger-almost-certainly-a-false-positive.ars

Slide 23

Slide 23 text

Who Is This Guy?
Family Named: AbhishekKr
Friends Call: ABK
g33k Handle: aBionic {@Twitter, @LinkedIn, @Facebook}
iTweet: http://www.twitter.com/aBionic
iBlog: http://abhishekkr.wordpress.com
Security Enthusiast; Working for ThoughtWorks Inc.; OpenSource Lover
My Crime Is That Of Curiosity
ANY QUESTIONS?