Unstructured Supplementary Service Data (USSD) is a standard service of GSM mobile networks, characterised by its ability to carry information or instructions over signalling channels, as the SMS-Center does. The difference lies in its session-based connection, whereas the SMSC uses a "store and forward" type of service.
IPv6 is the next-generation Internet protocol, created to replace the current Internet protocol, IP version 4. To establish communication over the Internet, computers and other devices must have sender and recipient addresses.
SwOS is an operating system designed specifically for the administration of MikroTik switch products that use Switch OS (SwOS): the RB250GS and now the RB260GS, whose SFP port extends the network to up to 20 km, with support for VLANs and VLAN trunking on Gigabit Ethernet.
Kona Web Application Firewall Overview - Akamai at RSA Conference 2013 (Akamai Technologies)
Web application performance and security are critical to innovation. Akamai's Web Application Firewall (WAF) is a highly scalable edge defense service architected to detect and mitigate potential attacks, including SQL injection attacks, in HTTP and HTTPS traffic as it passes through Akamai's Intelligent Platform on its way to origin data centers.
WAF is designed to scale instantly to preserve performance and filter attack traffic close to the source, protecting your infrastructure and keeping your web applications up and running. Learn more about Kona Security Solutions: http://www.akamai.com/html/solutions/kona-solutions.html
Learn more about Akamai's presence at RSA Conference 2013: http://www.akamai.com/html/ms/rsa_conference_2013.html
These are the slides from a talk "DNS exfiltration using sqlmap" held at PHDays 2012 conference (Russia / Moscow 30th–31st May 2012) by Miroslav Stampar.
Introduction to the use of the Sass and Less preprocessors for writing an intelligent CSS stylesheet
Author: Valerio Radice - valix85
Date: June 2017
Find out how the unique architecture of the innovative, next-generation Cisco MDS 9396S switch enables you to design a high-performing, scalable Fibre Channel SAN. Learn best practices for supporting flash storage applications as well as a wide variety of deployment scenarios. See how the new Cisco MDS 9396S can meet your SAN challenges today and tomorrow as we reveal:
• Architectural innovations inside the Cisco MDS 9396S
• Enterprise-class features and scale options
• Design and deployment scenarios
• Customer-tested best practices for implementation
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the resource originated.
A web page may freely embed images, stylesheets, scripts, iframes, videos and some plugin content (such as Adobe Flash) from any other domain. However, embedded web fonts and AJAX (XMLHttpRequest) requests have traditionally been limited to accessing the same domain as the parent web page (as per the same-origin security policy). "Cross-domain" AJAX requests are forbidden by default because of their ability to perform advanced requests (POST, PUT, DELETE and other types of HTTP requests, along with specifying custom HTTP headers) that introduce many cross-site scripting security issues.
CORS defines a way in which a browser and server can interact to determine safely whether or not to allow the cross-origin request. It allows for more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests. It is a recommended standard of the W3C.
Is your company in need of a cloud penetration test on AWS, Azure, or Google? Here are some things you might want to consider before starting your cloud pentest. Also tips for pentesters getting started in the cloud.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies (Frans Rosén)
In this talk, top-ranked white-hat hacker Frans Rosén (@fransrosen) will focus on methodologies and results of attacking modern web technologies. He will do a deep-dive into postMessage and into how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.
Join Stormpath Developer Evangelist, Robert Damphousse, to dive deep into browser security. Robert will explain how Session IDs, Man in the Middle (MITM), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF) attacks work, and how to use cookies to support security best practices.
Topics Covered:
- Security concerns for modern web apps
- Cookies, the right way
- MITM, XSS, and CSRF attacks
- Session ID problems
- Examples in an Angular app
ZAP may not be featured in movies as much as nmap, but is a real hacker tool! If you are a tester in a DevOps organization you know that security is everybody's job, so you MUST add this tool to your toolbox! Attend this talk to see ZAP in action and learn how to use ZAP to test your web applications and web services for OWASP Top 10 vulnerabilities.
Nowadays REST APIs are behind every mobile application and nearly all web applications. As such, they bring a wide range of possibilities for communication and integration with a given system. But with great power comes great responsibility. This talk aims to provide general guidance on API security assessment and covers common API vulnerabilities. We will look at an API interface from the perspective of a potential attacker.
I will show:
* how to find hidden API interfaces
* ways to detect available methods and parameters
* fuzzing and pentesting techniques for API calls
* typical problems
I will share several interesting cases from public bug bounty reports and personal experience, for example:
* how I got various credentials with one API call
* how to cause DoS by running the Garbage Collector from an API
How to win big - Several Interesting Examples of Exploiting Financial & Gambl... (Soroush Dalili)
I am going to review a number of interesting flaws that I have seen within the payment systems and gambling games. This includes examples that allowed me to win big while I was gambling very responsibly as well as simple methods that brought me free goods such as expensive books that I really didn't need, fake moustaches, or even caskets for my fake funeral!
Disclaimer: all issues were reported responsibly to the companies and no moustache or slot machine was harmed in this process! I am not going to name any companies during this presentation.
Finally, Web Push API is available in all major browsers and platforms. It's a feature that can take your users' experience to the next level or... ruin it! In my session, after a tech intro about how Web Push works, we'll explore implementing smart permission request dialogues, various types of notifications themselves, and communicating with your app for more sophisticated scenarios - all done right, with the best possible UX.
The slides here are part of my presentation at the Confraria0day meeting in March 2017. It is an introduction to the various HTTP security headers with some insights about them. It covers HSTS, HPKP, X-Frame-Options, Content Security Policy, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy and Set-Cookie options.
A presentation that aims to educate the general public about how mobile technology evolved, starting from the basics and going up to the most complex.
(PROJECT) Boundaries between Art, the Media and Computing (vazquezgarciajesusma)
In this research project we enter the fascinating world of the intersection between art and the media in the field of computing.
The rapid evolution of technology has led to an ever closer fusion between art and digital media, generating new forms of expression and communication.
Continuing with the development of our project, we use the inductive method, because we organise our research from the particular to the general. The methodological design of the work is non-experimental and cross-sectional, since there is no deliberate manipulation of the variables or of the situation; instead, the fundamentals are observed as they occur in their natural context and analysed afterwards.
The design is cross-sectional because the data are collected at a single moment and its purpose is to describe variables and analyse their interrelation; we only want to know the incidence and value of one or more variables. The design will be descriptive because it is necessary to establish a relationship between two or more of these.
Through a survey we collect the information for this project, so that the students have knowledge of the evolution of art and the media in computing and of its importance for the institution.
Table of contents of the book "Big Data: Tecnologías para arquitecturas Data-Centric" by 0... (Telefónica)
Table of contents of the book "Big Data: Tecnologías para arquitecturas Data-Centric" by 0xWord, written by Ibón Reinoso ( https://mypublicinbox.com/IBhone ) with a foreword by Chema Alonso ( https://mypublicinbox.com/ChemaAlonso ). You can buy it here: https://0xword.com/es/libros/233-big-data-tecnologias-para-arquitecturas-data-centric.html
In this document we analyse certain concepts related to worksheets 1 and 2, and we conclude by giving the reason why it is important to develop our thinking skills.
Sara Sofia Bedoya Montezuma.
9-1.
2. Topics
- Radio and transmission level
- USSD message format
- USSD and SMS
- Advantages of USSD services
- Example traffic cases
- Redundancy and fault tolerance
- Traffic capacity (busy hour)
- Possible USSD services
- Service examples
- USSD profiles and access
- Subscriber data and states
3. USSD
Unstructured Supplementary Service Data (USSD) is a standard service of GSM mobile networks, characterised by its ability to carry information or instructions over signalling channels, as the SMS-Center does. The difference lies in its session-based connection, whereas the SMSC uses a "store and forward" type of service.
4. Radio and transmission level
At the radio level, the channels used to carry the information are the same ones used for SMS, namely the signalling channels SACCH (Slow Associated Control Channel) and SDCCH (Stand-Alone Dedicated Control Channel). The fundamental difference from SMS is that USSD offers an interactive dialogue between the two ends: when the communication (USSD session) is established, a virtual channel is opened between the mobile terminal and the server for the synchronous exchange of information.
Signalling interface: this module handles the connection to the MSCs through the signalling network and can use the following interfaces:
- SS7: implements the MTP1, MTP2 and MTP3 protocols
- SIGTRAN: implements the SCTP and M3UA protocols (optional)
USSD gateway module: implements the SCCP, TCAP and MAP (USSD) protocols. The system supports both USSD Phase 1 and Phase 2, and offers SMPP/XML interfaces towards the applications.
Application client and USSD applications: developed in-house, which allows multiple applications and integration with multiple internal platforms, gives greater flexibility for new implementations on the platform, and avoids dependence on rigid modules or external developments.
5. USSD message format
USSD Phase 1: the only parameter required in this phase is the "USSD string". This parameter may contain up to 160 bytes, i.e. 182 characters with the 7-bit character coding scheme. The USSD message is addressed using the mobile subscriber's International Mobile Subscriber Identity (IMSI). From Phase 2 onwards, the MSISDN is included in the USSD message.
USSD Phase 2: all requests in this phase contain the following mandatory parameters:
- Data Coding Scheme (DCS) indicator: the alphabet encoding, the language and standard-specific parameters.
- Service Code (SC): the supplementary service named when the session is started.
- USSD String: the data to be transferred in the message.
Examples: [*#21#] [*128#] [*128*1#] [*434*2#] [*434*2*0971200100*20000#]
7. Advantages of USSD services
- Fast and interactive
- Simple access and easy to use
- Availability on any mobile network, without the need for specific SS7 implementations in other networks
- Compatible with 99% of handsets
- Low cost in network resources and external nodes (cost/resource ratio): savings in IVR channels/licences; BSS: 1 TCH = 8 SDCCH; NSS: 1 USSD ≈ ½ SMS (no retries; shorter USSD MAP headers)
8. Example traffic cases
Phase 1 was implemented in the early 90s and allowed only a single transaction per session. USSD Phase 1 is compatible with practically 99% of GSM phones and networks. Phase 2 introduced, as its main improvements, network-originated calls and support for several transactions or operations per session, which significantly improves interactivity.
Phase 1 example (a single transaction between the mobile and the USSD GW):
- USSD session start
- Activate call forwarding: **21*0971200200#; deactivate call forwarding: ##21#; check status: *#21#
- USSD session end
Phase 2 example (several transactions per session):
- USSD session start: *126# [Portal]
- USSD response from the USSD GW
- USSD continues: 3 [Maxicarga]
- USSD response
- USSD session end; the session finishes.
Note: during the USSD session the SDCCH channel is occupied. The "USSD session end" can be triggered either by the mobile or by the application, depending on the service flow, and also by the network or the GW on timeout.
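As an added example, written for this page and not taken from the slides, the following Python parses the MMI-style USSD strings shown on slides 5 and 8 (*128*1#, *434*2*0971200100*20000#, **21*0971200200#, ##21#, *#21#) and checks the Phase 1 size limit of 160 bytes / 182 seven-bit characters. The procedure prefixes follow 3GPP TS 22.030 (the "#" deactivate prefix comes from that specification, not from the slides), and the character table is the basic GSM 7-bit default alphabet of 3GPP TS 23.038 without the escape extension; the function names and the decision to reject non-numeric service codes are my own choices.

```python
import math
import re

# Procedure prefixes as defined in 3GPP TS 22.030. The slides show *, **, ##
# and *#; "#" (deactivate) is taken from the same specification. Two-character
# prefixes are listed first so that "**" and "*#" win over a bare "*".
PROCEDURES = [
    ("**", "register"),      # register and activate, e.g. **21*0971200200#
    ("##", "erase"),         # erase, e.g. ##21#
    ("*#", "interrogate"),   # status query, e.g. *#21#
    ("*", "activate"),       # activate / start a service, e.g. *128#
    ("#", "deactivate"),
]

# Slide 5: a Phase 1 USSD string holds at most 160 bytes, which is 182
# characters when packed as 7-bit GSM default-alphabet text.
MAX_BYTES = 160

# Basic GSM 7-bit default alphabet (3GPP TS 23.038), escape code omitted.
GSM7_BASIC = set(
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)

# An MMI string is digits, '*' and '#' only, terminated by '#'.
_MMI = re.compile(r"^[0-9*#]+#$")


def encoded_length(text):
    """Return (alphabet, byte_length) for a USSD string.

    7-bit packing needs ceil(n*7/8) bytes; any character outside the default
    alphabet forces UCS-2, which costs two bytes per character.
    """
    if all(ch in GSM7_BASIC for ch in text):
        return "gsm7", math.ceil(len(text) * 7 / 8)
    return "ucs2", 2 * len(text)


def fits_in_message(text):
    """True when the string fits in the 160-byte USSD string field."""
    return encoded_length(text)[1] <= MAX_BYTES


def parse_mmi(text):
    """Split an MMI string such as *434*2*0971200100*20000# into its
    procedure, service code (SC) and supplementary-information fields.

    Returns None for anything that is not a well-formed, correctly sized MMI
    string, for example the plain menu reply "3" sent inside a Phase 2 session.
    """
    if not _MMI.match(text) or not fits_in_message(text):
        return None
    for prefix, procedure in PROCEDURES:
        if text.startswith(prefix):
            break
    else:
        return None
    fields = text[len(prefix):-1].split("*")   # drop prefix and trailing '#'
    if not fields[0].isdigit():
        return None                            # the SC must be numeric
    return {
        "procedure": procedure,
        "service_code": fields[0],
        "params": fields[1:],                  # SI fields may be empty
        "raw": text,
    }


if __name__ == "__main__":
    # Constructed sample: the strings from slides 5 and 8 plus a menu reply.
    for s in ["*#21#", "*128#", "*128*1#", "*434*2#",
              "*434*2*0971200100*20000#", "**21*0971200200#", "##21#", "3"]:
        print(s, "->", parse_mmi(s), encoded_length(s))
```

Menu replies exchanged inside a Phase 2 session ("3" on slide 8) are not MMI strings and come back as None; a gateway routes those by session state rather than by parsing them. The length check matters on the gateway side because an application that echoes arbitrary text into the USSD string can otherwise produce messages the network rejects.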
11. Routing by GTT (diagram): external application, internal application and Sun server on the LAN; signalling interface and USSD gateway connected to the STP.
14. Routing by GTT with redundant servers (diagram): duplicated Sun servers, internal applications, signalling interfaces and USSD gateways, each connected to an STP, with the external applications on the LAN.
15. Traffic capacity
Capacity in USSD messages, considering a link occupancy level of 40%: each LSL (Low Speed Link) supports (65536/8)*0.4/100 = 32.7 messages/s on average. Currently licensed capacity: 4 links (131 messages/s on average).
Cluster capacity: each cluster has a 4xE1 card, and each E1 supports 4 links. Each cluster has installed the theoretical maximum traffic capacity at 40% occupancy, equal to
16. Example: balance enquiry
- Via IVR: dial *121; uses a TS-IVR and a TCH (BTS) / CE (UMTS); time to receive the full information: 37 s.
- Via SMS: from the phone's "Messages" menu, send an SMS to 121; consists of two SMSs (MO+MT); uses an SDCCH (BTS) / CE (UMTS); average duration: 17 s.
- Via USSD: dial *121#; uses an SDCCH (BTS) / CE (UMTS); duration: 5 s.
17. Example: RingBackTone purchase
- Via IVR: dial *4040; uses a TS-IVR and a TCH (BTS) / CE (UMTS); average time to buy and assign to all calls: 120 s. Note: currently the airtime connected to the IVR is charged.
- Via SMS: from the phone's "Messages" menu, send an SMS to 4040 with the ringback tone code; consists of four SMSs (MO+MT); uses an SDCCH (BTS) / CE (UMTS); average duration: 45 s.
- Via USSD: dial [*404*1144#] or use a portal [*404#]; uses an SDCCH (BTS) / CE (UMTS); average duration: 10 s.