Where is my silver bullet?!

•

0 recomendaciones•80 vistas

In the past two years, companies all over the world spent $157 billion on information security products. For comparison, the total expenses of the state government of New York amounted to $150.7 billion in 2016. Just for our amusement, let's imagine a silver bullet with a cost comparable to information security expenses. It would weigh 302.5 tons since silver costs $515.70 per kilogram (actual price on the day this article was written)! Therefore, it is either a really heavy bullet the size of a 10-story building, or it isn't made of silver. I could continue hypothesizing about potential raw materials for such a bullet, but I'd rather discuss the reasons behind such a state of affairs. In short, it is unclear what needs to be protected and from what. I will elaborate on these two problems below.

Tecnología

Where is my
silver bullet?!
Or how to bypass any
intrusion detection system
RUCTF 2017

@d0znpp BIO
● Bug bounty
● SSRF bible https://goo.gl/AQiZt8
● Wallarm CEO
● Twitter, Medium, Facebook, Telegram: @d0znpp

“Gartner Says Worldwide
Information Security Spending Will
Grow 7.9 Percent to Reach $81.6
Billion in 2016”
2015 $75 B
2016 $81.6 B
This bullet definitely costs more than $156.6 B
It’s not a silver… Or the weight is about 269’400 tons

Why? Two important things since the 30s
No documentation (because of the Apple
and UX)
● Try to find documentation for Chrome
:)
● How to understand that it’s the bug but
not a backdoor
Closed source software (because of the
Intel et al.)
● What’s does “Intel inside” really mean?

Layer cake
How many layers do you know?
I spent last 10 year for the
security and don't sure that know
about all of them

Chomsky hierarchy
● Turing machine
● Linear bounded
automaton (LBA)
● LL parser
● Regular expression

Parsers. Grammars. Interpreters. Layers. Products
AV is a good example here.
● Binary program (ASM)
● Signature (regular
expression)
The same as
● IPS
● IDS
● WAF
● XXX

What should we detect?
● What is a vulnerability?
● Taxonomy/classification!
● Is it a bug or a backdoor?
● Can there be one thing malicious in one case and
completely normal in another

Classification issues
● CWE. Complicated hierarchy. Overlaps and intersections.
● OWASP. Something strange.
● WASC. Too old and non-formal.

Make it science!
Dear students! The world needs your help. It
is necessary to describe what a vulnerability
is in terms of Turing machines or other formal
models.
Do this before you work for someone and
these studies will become a private patents!

Thanks!
Follow me: @d0znpp
Twitter, Medium, Facebook, Telegram, Snapchat

Más contenido relacionado

Similar a Where is my silver bullet?!

Chat bots been have popping up everywhere for silly things, but what if they can help us make the world more safe and secure? The work of designing secure systems often involves iterating over designs with a team but what if you don’t have a team? What if you could iterate over system design and analysis in a chat window and have a design document with safety constraints as the end product? This talk will present an original chat bot that will do just that

Safety Bot Guaranteed -- Shmoocon 2017

Richard Seymour

Presentation from O'Reilly Solid Conference 2015 Looking back on our industrial past, we see countless examples of how technology has helped businesses reinvent organizations and processes to become more productive and outcompete. We are now at an inflection point in robotics and machine learning, two technology areas particularly poised to reshape industries like never before. In fact, it’s already happening. Robotic systems are automating warehouses. Machine learning and deep learning are helping firms handle massive and unwieldy datasets by automating analytics and decision-making. In the biotechnology world, companies are leveraging machines and data to build more productive R&D pipelines. Atoms and bits are both being automated en masse. With much more on the way, businesses will have to reinvent themselves once again, but how? In this talk, we will briefly review the current state of robotics and machine learning and why the timing is right. We will walk through a few case studies of both large companies and startups that have successfully ingrained these technologies into their everyday operations to become more productive and agile. Along the way, we will landscape relevant industries and opportunities and the ambitious startups chasing them.

Machine intelligence to free human intelligence: How automation helps you win

Roger Chen

How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)

Nick Malcolm

DEF CON 23 - Ryan Mitchell - separating bots from humans

Felipe Prado

XSS is about twenty years old by now and appears to be alive and kicking. JavaScript alerts are still popping left and right and bug bounty programs are drowning in submissions. But is XSS really still a problem of our time? Or is it just an undead foul-smelling zombie vulnerability from the dark ages of string concatenation that doesn't wanna perish because we are just too f**** stubborn? This talk will be an hour-long rant (yes, swearwords, leave your kids at home), paired with a stroll through the history of XSS and related issues. We will go back into the year 1998 and see how it all started, how things developed, what we tried to do against it and how hard we failed every single time. We will also look at the future and predict what is about to happen next. Mostly nothing - but good to know, right? We will not only look at our own failures but also see how the entire infrastructure and monetization of the web contributed to us being simply not capable or even just willing to fix XSS. And we might as well see if any of those behavioral and structural patterns can be compared to other human failures - and see if there is something we all can learn. Or, at least, agree that we knew it all along and are all on the same page.

CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)

PROIDEA

Future of Search and Links - The iGaming Summit Malta #sigma2014

Jan-Willem Bobbink - Freelance SEO Consultant

Future of SOC: More Security, Less Operations

Anton Chuvakin

The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability “whack a mole.” To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable process. It is extremely rare that a vulnerability causes a direct risk to an environment, it is usually what the attacker DOES with the access gained that matters. In this talk, we will discuss the way that Internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the Defensive teams to measure the environments resistance to the attacks. We will demonstrate attacks, capabilities, TTP’s tracking, trending, positive metrics, hunt integration and most of all we will lay out a road map to STOP this nonsense of Red vs BLUE and realize that we are all on the same team. Sparring and training every day to be ready for the fight when it comes to us. This is an update to our 2016 Brucon talk. We plan to discuss what have we accomplished regarding the above in the last year. We plan to show how we have progressed with the automation of attacker activities and event generation using MITRE’s Cyber Analytics Repository & CAR Exploration Tool (CARET) along with pumping these results to Unfetter (https://iadgov.github.io/unfetter/) for aggregation and display in a useful format.

Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017

Chris Gates

IT in 2017

Dhaval Anjaria

Hacking - Breaking Into It

CTruncer

Over the last ten years we’ve seen cybercrime accelerate beyond all comprehension, We’ve seen the growing and relentless impact it has on our society and our economies. It’s taken a long time for the world to act but finally we’re coming together to resist this uniquely 21st century evil. At the heart of the resistance are developers. Whatever role you have, whatever programming language or software you use - the battle is at your door. In this session we’ll brief you on the state of the situation and what you can do to be more prepared. We’ll look at the bad guys and how they operate, we’ll examine recent legal and government responses and, most importantly, how the software industry is working together to create the tools, frameworks and education needed to help us all become the developers we need to be.

GIDS-2023 A New Hope for 2023? What Developers Must Learn Next

Steve Poole

[Shortened but updated version of talk] With all the market interest in artificial intelligence, it’s no surprise that many are asking about the best way to learn more about it. What should I read? What should I watch? There’s so much material out there. But, before one can properly answer those types of questions, it’s useful to take a step back and consider what “doing AI” even means because it turns out that AI can mean a lot of different things depending upon what you’re trying to accomplish. In this talk, Gordon Haff will provide you with both a high-level roadmap and specific pointers for adding AI smarts to your toolbox. He’ll distinguish between research AI and applied AI, discuss how AI intersects with data science more broadly, and look at some of the related research and practice areas that will help you understand AI beyond just machine learning. Armed with this knowledge, you will be better prepared to chart out a program for learning AI that targets your specific needs and objectives rather than wasting time on topics that are not interesting or relevant to you.

How do you get started in AI?

Gordon Haff

IoT: Entering an Era of Perfect Information

Christopher Mohritz

Data Scientist's Daily Life

Bryan Yang

OpenFest 2012 : Leveraging the public internet

tkisason

Secure All Teh Things - Add 2 factor authentication to your own CFML projects

Rob Dudley

Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,

Sigma Software

AI and Machine Learning In Cybersecurity | A Saviour or Enemy?

SahilRao25

Perfect Information - How IoT empowers you to know anything, anytime, anywhere

10x Nation

https://resources.bishopfox.com/resources/tools/google-hacking-diggity/ As of late, security professionals have been waging a losing battle against hackers. Google, Bing, and other major search engines have been kind enough to index and make searchable all the vulnerabilities on the web, including everything from exposed password files to SQL injection points. This fact has not gone unnoticed by hackers. Last year, LulzSec employed Google hacking to go on an epic 50 day hacking spree that left in its wake a wide variety of major victims including Sony, PBS, Arizona's Department of Public Safety, Infraguard, the FBI, and the CIA. Botnets have also been confirmed to be utilizing search engines for identifying targets as part of mass injection campaigns and other malware distribution techniques. This falls in line with the results of the 2012 Verizon Data Breach Investigations Report which found that 79% of all victims were targets of opportunity. Google Hacking is the perfect vehicle to enable opportunistic attackers who are seeking quick and easy targets to exploit on a massive scale. It is imperative that security professionals learn to take equal advantage of these techniques to help safeguard their organizations. In this workshop, the audience will gain an understanding of the magnitude of this threat, as well as the importance of being proactive in addressing it. We’ll be introducing you to slew of new tools and techniques that will allow you to leverage Google, Bing, SHODAN and many more open search interfaces to track down and eliminate information disclosures and vulnerabilities in your public facing systems and applications before hackers have the chance to exploit them. Some of the topics to be covered are: • Search engine hacking – primary attack methods o Google Hacking o Bing Hacking o Toolkit overview:  Diggity toolset, Maltego, theHarvester, FOCA, and more… • Footprinting target organization networks and applications o Identifying applications, URLs, hostnames, domains, IP addresses, emails and more o Port scanning networks passively via Google o DNS data mining via DeepMagic search engine • Data loss prevention tools and techniques o Locating sensitive data leaks via public web applications • Cloud hacking via Google o Targeting cloud implementations via search engines o Using the cloud and custom search to identify vulnerabilities • Adobe Flash hacking via Google and Bing • Open source code vulnerabilities • Finding sensitive information disclosures on 3rd party sites o Facebook, Twitter, YouTube, PasteBin o Cloud document storage (Dropbox, Google Drive, etc.) • Malware and Search Engines – Bound by Destiny, Unholy Union o Understanding how search engines are used to distribute malware to users o Leveraging search engines to identify and avoid malware • Advanced defense tools and techniques o Search engine hacking alerts and intrusion detection systems (IDS)

InfoSec World 2013 – W4 – Using Google to Find Vulnerabilities in Your IT Env...

Bishop Fox

Similar a Where is my silver bullet?! (20)

Safety Bot Guaranteed -- Shmoocon 2017

Machine intelligence to free human intelligence: How automation helps you win

How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)

DEF CON 23 - Ryan Mitchell - separating bots from humans

CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)

Future of Search and Links - The iGaming Summit Malta #sigma2014

Future of SOC: More Security, Less Operations

Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017

IT in 2017

Hacking - Breaking Into It

GIDS-2023 A New Hope for 2023? What Developers Must Learn Next

How do you get started in AI?

IoT: Entering an Era of Perfect Information

Data Scientist's Daily Life

OpenFest 2012 : Leveraging the public internet

Secure All Teh Things - Add 2 factor authentication to your own CFML projects

Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,

AI and Machine Learning In Cybersecurity | A Saviour or Enemy?

Perfect Information - How IoT empowers you to know anything, anytime, anywhere

InfoSec World 2013 – W4 – Using Google to Find Vulnerabilities in Your IT Env...

Más de Ivan Novikov

OpenSSL rands (fork-safe)

Ivan Novikov

Data normalization weaknesses

Ivan Novikov

Lie to Me: Bypassing Modern Web Application Firewalls

Ivan Novikov

Distributed computing in browsers as client side attack

Ivan Novikov

Yandex rewards. ONsec experience

Ivan Novikov

SSRF workshop

Ivan Novikov

Más de Ivan Novikov (6)

OpenSSL rands (fork-safe)

Data normalization weaknesses

Lie to Me: Bypassing Modern Web Application Firewalls

Distributed computing in browsers as client side attack

Yandex rewards. ONsec experience

SSRF workshop

Último

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

DBX First Quarter 2024 Investor Presentation

Dropbox

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

Scalable LLM APIs for AI and Generative AI Application Development Ettikan Karuppiah, Director/Technologist - NVIDIA Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...

apidays

Architecting Cloud Native Applications

WSO2

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Navi Mumbai Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Navi Mumbai Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Navi Mumbai Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

AXA XL - Insurer Innovation Award Americas 2024

The Digital Insurer

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Where is my silver bullet?!

1. Where is my silver bullet?! Or how to bypass any intrusion detection system RUCTF 2017

2. @d0znpp BIO ● Bug bounty ● SSRF bible https://goo.gl/AQiZt8 ● Wallarm CEO ● Twitter, Medium, Facebook, Telegram: @d0znpp

4. “Gartner Says Worldwide Information Security Spending Will Grow 7.9 Percent to Reach $81.6 Billion in 2016” 2015 $75 B 2016 $81.6 B This bullet definitely costs more than $156.6 B It’s not a silver… Or the weight is about 269’400 tons

5. One simple question

6. How it works?

7. Why? Two important things since the 30s No documentation (because of the Apple and UX) ● Try to find documentation for Chrome :) ● How to understand that it’s the bug but not a backdoor Closed source software (because of the Intel et al.) ● What’s does “Intel inside” really mean?

8. Layer cake How many layers do you know? I spent last 10 year for the security and don't sure that know about all of them

9. Do you know this guy?

10. Chomsky hierarchy ● Turing machine ● Linear bounded automaton (LBA) ● LL parser ● Regular expression

11. Parsers. Grammars. Interpreters. Layers. Products AV is a good example here. ● Binary program (ASM) ● Signature (regular expression) The same as ● IPS ● IDS ● WAF ● XXX

12. What should we detect? ● What is a vulnerability? ● Taxonomy/classification! ● Is it a bug or a backdoor? ● Can there be one thing malicious in one case and completely normal in another

13. Classification issues ● CWE. Complicated hierarchy. Overlaps and intersections. ● OWASP. Something strange. ● WASC. Too old and non-formal.

14.

15. Computer science

16. Information security

17. Make it science! Dear students! The world needs your help. It is necessary to describe what a vulnerability is in terms of Turing machines or other formal models. Do this before you work for someone and these studies will become a private patents!

18. Thanks! Follow me: @d0znpp Twitter, Medium, Facebook, Telegram, Snapchat

Where is my silver bullet?!

Recomendados

Recomendados

Más contenido relacionado

Similar a Where is my silver bullet?!

Similar a Where is my silver bullet?! (20)

Más de Ivan Novikov

Más de Ivan Novikov (6)

Último

Último (20)

Where is my silver bullet?!