Inbar Raz - Physical (In)Security – it’s not –ALL– about Cyber

•Descargar como PPTX, PDF•

1 recomendación•1,091 vistas

DefconRussia

Tecnología Empresariales

Physical (In)security

Inbar Raz
Malware & Security Manager
Check Point Software Technologies
©2013 Check Point Software Technologies Ltd.

Types of Vulnerability Disclosures
 Responsible Disclosure:
– Contact the vendor only and inform them of the vulnerability
– If asked, work with the vendor
– After 3-6 months, proceed to Full Disclosure

 Full Disclosure:
– Publish all information, including POC
– Sometimes – only a video of POC

©2013 Check Point Software Technologies Ltd.

2

Disclosure #1
 Vendor: An Online Movie Ticket Service
 Field: Online shopping and entertainment
 Affected Product: On-site Ticket Kiosk
 Vulnerability: Multiple vulnerabilities cause the compromise
of both customer and company data

©2013 Check Point Software Technologies Ltd.

3

Disclosure Details
 On-site Kiosk
 Touch Screen
 Credit Card
Reader

 Ticket Printer
 No peripherals,
No interfaces

 And the journey begins…
©2013 Check Point Software Technologies Ltd.

4

Disclosure Details
 Improper interface settings
allow the opening of menu
options.

 Menus can be used to
browse for a new printer.

©2013 Check Point Software Technologies Ltd.

5

Disclosure Details
 A limited browser is not
restricted enough.

 A right-click can be used…
 To open a full, unlimited
Windows Explorer.

Now the sky is the limit…
©2013 Check Point Software Technologies Ltd.

6

Disclosure Details
 Browsing through the
file system reveals
indicative directory names…

 And even more indicative
file names.

©2013 Check Point Software Technologies Ltd.

7

Disclosure Details
 Bingo: Credit Card Data
(Unencrypted!)
Tools of the trade: Notepad

 We can use the ticket
printer to take it home 

©2013 Check Point Software Technologies Ltd.

8

Disclosure Details
 But that’s not all:
RSA Keys and Certificates
are also found on the drive!

 Which we can print, take
home and then use a
free OCR software to read…

©2013 Check Point Software Technologies Ltd.

9

Disclosure Details
 The result:
RSA Keys used to
bill credit cards.

©2013 Check Point Software Technologies Ltd.

10

Disclosure #2
 Vendor: Point-of-Sale Manufacturer and Users
 Field: Network Security
 Vulnerability: Improper physical security allows access to
insecure PoS devices during afterhours.

©2013 Check Point Software Technologies Ltd.

11

Disclosure Details
 Point-Of-Sale devices
are all around you.

©2013 Check Point Software Technologies Ltd.

12

Disclosure Details
 Location: A bar in Tel-Aviv
 During working hours – tables, chair and PoS outside
 During afterhours – everything is locked inside the facility

 But the Ethernet port remains hot
– In public space…

©2013 Check Point Software Technologies Ltd.

13

Attack Vector
 In the past – play hacker/script kiddie with BackTrack.
 Today: Fire up wireshark, discover IPs of live machines.

©2013 Check Point Software Technologies Ltd.

14

Attack Vector
 In the past – play hacker/script kiddie with BackTrack.
 Today: Fire up wireshark, discover IPs of live machines.
 Detected IP addresses:
– 192.168.0.1
– 192.168.0.2
– 192.168.0.4
– 192.168.0.250
– 192.168.0.254

 Confirm by ping (individual and broadcast)

©2013 Check Point Software Technologies Ltd.

15

Attack Vector
 Evidence of SMB (plus prior knowledge) lead to the next
step:

 And the response:

©2013 Check Point Software Technologies Ltd.

16

Things to do with an open share
 #1: Look around

[Restricted] ONLY for designated groups and individuals

©2013 Check Point Software Technologies Ltd.

17

Things to do with an open share
 #1: Look around
 #2: Create a file list

[Restricted] ONLY for designated groups and individuals

©2013 Check Point Software Technologies Ltd.

18

The mystery of 192.168.0.250
 Answers a ping, but no SMB.
 First guess: the ADSL Modem.
 Try to access the Web-UI:

[Restricted] ONLY for designated groups and individuals

©2013 Check Point Software Technologies Ltd.

19

The mystery of 192.168.0.250
 Use the full URL:

[Restricted] ONLY for designated groups and individuals

©2013 Check Point Software Technologies Ltd.

20

Going for the ADSL router
 Reminder: We actually had this information.

[Restricted] ONLY for designated groups and individuals

©2013 Check Point Software Technologies Ltd.

21

Going for the ADSL router
 Naturally, there is access control:

 Want to guess?

[Restricted] ONLY for designated groups and individuals

©2013 Check Point Software Technologies Ltd.

22

Unlocked Achievements
 Best for me, worst for them: Credit card data.
 Database files (yet to be analyzed).
 The program files of the billing system.
 Potential attack through the internet.

[Restricted] ONLY for designated groups and individuals

©2013 Check Point Software Technologies Ltd.

23

Next Steps
 Create a Responsible Disclose document for the PoS
manufacturer

 Send an Advisory to businesses

©2013 Check Point Software Technologies Ltd.

24

IMPORTANT NOTICE
 The bar operation was with full cooperation and consent.
 DOING THIS ON YOUR OWN IS ILLEGAL.

[Restricted] ONLY for designated groups and individuals

©2013 Check Point Software Technologies Ltd.

25

Más contenido relacionado

Más de DefconRussia

Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...

DefconRussia

HTTP HOST header attacks

DefconRussia

Attacks on tacacs - Алексей Тюрин

DefconRussia

Weakpass - defcon russia 23

DefconRussia

nosymbols - defcon russia 20

DefconRussia

static - defcon russia 20

DefconRussia

Zn task - defcon russia 20

DefconRussia

Vm ware fuzzing - defcon russia 20

DefconRussia

Nedospasov defcon russia 23

DefconRussia

Advanced cfg bypass on adobe flash player 18 defcon russia 23

DefconRussia

Miasm defcon russia 23

DefconRussia

Расскажу где и как iCloud Keychain хранит пароли, и какие потенциальные риски это несёт. Apple утверждает, что пароли надежно защищены, и даже её сотрудники не могут получить к ним доступ. Чтобы это подтвердить или опровергнуть, необходимо разобраться с внутренним устройством iCloud Keychain, чем мы и займемся.

Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...

DefconRussia

Все шире и шире получают распространение bugbounty программы - программы вознаграждения за уязвимости различных вендоров. И порой при поиске уязвимостей находятся места, которые явно небезопасны (например - self XSS), но доказать от них угрозу сложно. Но чем крупнее (хотя, скорее адекватнее) вендор, тем они охотнее обсуждают и просят показать угрозу от сообщенной уязвимости, и при успехе – вознаграждают 8). Мой доклад – подборка таких сложных ситуаций и рассказ, как же можно доказать угрозу.

Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях

DefconRussia

Мои последние исселодования показали, что у SharePoint есть определенное количество вэб сервисов, которые могут помочь аудитору собрать крайне полезную информацию с сайта (списки пользователей, групп, ролей и т д). Также данные сервисы, в комбинации с хранимыми XSS, могут быть использованы для вертикального повышения привилегий или предоставить информацию для компрометации доменных записей AD.

George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...

DefconRussia

Кратко расскажу о концепции изолированных сетей и возможных путях их компрометации. Сделаю обзор аппаратной закладки pwnie express- для чего создавалось, какие возможности использования. Расскажу о том как pwnie express применялась в реальном проекте, какие были трудности и что из этого вышло.

Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...

DefconRussia

Alexey Sintsov- SDLC - try me to implement

DefconRussia

Anton Alexanenkov - Tor and Botnet C&C

DefconRussia

Tyurin Alexey - NTLM. Part 1. Pass-the-Hash

DefconRussia

Roman Korkikyan - Timing analysis workshop Part 2 Scary

DefconRussia

Roman Korkikyan - Timing analysis workshop Part 2 Practice

DefconRussia

Más de DefconRussia (20)

Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...

HTTP HOST header attacks

Attacks on tacacs - Алексей Тюрин

Weakpass - defcon russia 23

nosymbols - defcon russia 20

static - defcon russia 20

Zn task - defcon russia 20

Vm ware fuzzing - defcon russia 20

Nedospasov defcon russia 23

Advanced cfg bypass on adobe flash player 18 defcon russia 23

Miasm defcon russia 23

Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...

Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях

George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...

Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...

Alexey Sintsov- SDLC - try me to implement

Anton Alexanenkov - Tor and Botnet C&C

Tyurin Alexey - NTLM. Part 1. Pass-the-Hash

Roman Korkikyan - Timing analysis workshop Part 2 Scary

Roman Korkikyan - Timing analysis workshop Part 2 Practice

Último

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Introduction to use of FHIR Documents in ABDM

Kumar Satyam

AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)

Samir Dash

The presentation was made in “Web3 Fusion: Embracing AI and Beyond” is more than a conference; it's a journey into the heart of digital transformation. The conference a provided a platform where the future of technology meets practical application. This three-day hybrid event, set in the heart of innovation, served as a gateway to the latest trends and transformative discussions in AI, Blockchain, IoT, AR/VR, and their collective impact on the information space.

AI in Action: Real World Use Cases by Anitaraj

AnitaRaj43

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

MINDCTI Revenue Release Quarter One 2024

MIND CTI

ICT role in 21st century education and its challenges

rafiqahmad00786416

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Discover the innovative features and strategic vision that keep WSO2 an industry leader. Explore the exciting 2024 roadmap of WSO2 API management, showcasing innovations, unified APIM/APK control plane, natural language API interaction, and cloud native agility. Discover how open source solutions, microservices architecture, and cloud native technologies unlock seamless API management in today's dynamic landscapes. Leave with a clear blueprint to revolutionize your API journey and achieve industry success!

WSO2's API Vision: Unifying Control, Empowering Developers

WSO2

Exploring Multimodal Embeddings with Milvus

Zilliz

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Six Myths about Ontologies: The Basics of Formal Ontology

johnbeverley2021

Inbar Raz - Physical (In)Security – it’s not –ALL– about Cyber

2. Types of Vulnerability Disclosures  Responsible Disclosure: – Contact the vendor only and inform them of the vulnerability – If asked, work with the vendor – After 3-6 months, proceed to Full Disclosure  Full Disclosure: – Publish all information, including POC – Sometimes – only a video of POC ©2013 Check Point Software Technologies Ltd. 2

3. Disclosure #1  Vendor: An Online Movie Ticket Service  Field: Online shopping and entertainment  Affected Product: On-site Ticket Kiosk  Vulnerability: Multiple vulnerabilities cause the compromise of both customer and company data ©2013 Check Point Software Technologies Ltd. 3

6. Disclosure Details  A limited browser is not restricted enough.  A right-click can be used…  To open a full, unlimited Windows Explorer. Now the sky is the limit… ©2013 Check Point Software Technologies Ltd. 6

9. Disclosure Details  But that’s not all: RSA Keys and Certificates are also found on the drive!  Which we can print, take home and then use a free OCR software to read… ©2013 Check Point Software Technologies Ltd. 9

11. Disclosure #2  Vendor: Point-of-Sale Manufacturer and Users  Field: Network Security  Vulnerability: Improper physical security allows access to insecure PoS devices during afterhours. ©2013 Check Point Software Technologies Ltd. 11

13. Disclosure Details  Location: A bar in Tel-Aviv  During working hours – tables, chair and PoS outside  During afterhours – everything is locked inside the facility  But the Ethernet port remains hot – In public space… ©2013 Check Point Software Technologies Ltd. 13

15. Attack Vector  In the past – play hacker/script kiddie with BackTrack.  Today: Fire up wireshark, discover IPs of live machines.  Detected IP addresses: – 192.168.0.1 – 192.168.0.2 – 192.168.0.4 – 192.168.0.250 – 192.168.0.254  Confirm by ping (individual and broadcast) ©2013 Check Point Software Technologies Ltd. 15

19. The mystery of 192.168.0.250  Answers a ping, but no SMB.  First guess: the ADSL Modem.  Try to access the Web-UI: [Restricted] ONLY for designated groups and individuals ©2013 Check Point Software Technologies Ltd. 19

23. Unlocked Achievements  Best for me, worst for them: Credit card data.  Database files (yet to be analyzed).  The program files of the billing system.  Potential attack through the internet. [Restricted] ONLY for designated groups and individuals ©2013 Check Point Software Technologies Ltd. 23

25. IMPORTANT NOTICE  The bar operation was with full cooperation and consent.  DOING THIS ON YOUR OWN IS ILLEGAL. [Restricted] ONLY for designated groups and individuals ©2013 Check Point Software Technologies Ltd. 25

Inbar Raz - Physical (In)Security – it’s not –ALL– about Cyber

Recomendados

Recomendados

Más contenido relacionado

Más de DefconRussia

Más de DefconRussia (20)

Último

Último (20)

Inbar Raz - Physical (In)Security – it’s not –ALL– about Cyber