
Archive for the ‘Blackhat’ Category

Black Hat EU: Among the blind, the squinter rules : Security visualization in the field–By Wim Remes

March 18th, 2011 No comments

Miniature Dotted Hot Pink Cake, a CC NC ND image from Stephanie Kilgast's Flickr account

Wim Remes starts off his talk by giving us an overview of the lack of visualization in security tools. There are some tools that have some visualization, but it is limited and lacks features.

He then takes us through the hall of fail of visualizations and gives us some tips on visualization.

Think as a designer, and be aware of who you are visualizing for. Each group has different demands of a visualization and wants to take different things out of it.

He then proceeds to give us some tips and tricks. He recommends following the work of Edward Tufte and Stephen Few, who have both done excellent work on data visualization.

If you do data visualization you may want to pull in data from external sources such as osvdb.org, datalossdb.org and industry vendor reports.

Common problems in data visualization are redundant elements such as 3D effects and gratuitous color. This is expressed in the ink-to-info ratio (Tufte's data-ink ratio: the share of the ink that actually carries information). You may want to cut down the bells and whistles you use.

Dashboards are often messy; they should really respect their screen real estate. The most important places on the screen are the top left and the center. Dashboards often get messy because people try to squeeze as much information as possible into them.

Read more…

The ABAP Underverse – Risky ABAP to Kernel communication and ABAP-tunneled buffer overflows – By Andreas Wiegenstein

March 17th, 2011 1 comment
Cycle Garage, a CC NC ND image from Ezu's Flickr stream

This talk focuses on ABAP, SAP's Advanced Business Application Programming language.

ABAP:

  • A proprietary language of which the exact specification is not freely available.
  • It has platform independent code
  • It has client separation built-in
  • It has integrated auditing capabilities
  • System-to-system calls via SAP RFC standard
  • Built-in transportation system and version control
  • Integrated platform-independent SQL Standard: Open SQL
  • Built-in authentication, roles and (explicit) authorization model
  • Thousands of well-known standard programs and database tables
  • 150+ million lines of code in an ECC 6.0 system

So what are the ABAP security risks?

  • Back doors can be introduced, e.g. by a malicious developer.
  • The program can have undesired side effects (e.g. SQL injection)
  • Substandard authentication

Read more…

Black Hat USA: Electricity for Free? The Dirty Underbelly of SCADA and Smart Meters

July 28th, 2010 No comments

By Jonathan Pollet

The days that SCADA systems could hide behind obscurity are over. These systems are on the Internet and use common protocols about which information is widely available. On 15 July this year, the first Trojan was found that specifically queries databases that are also used by SCADA systems.

This presentation starts by explaining how the power grid works. A typical network architecture has three zones: a corporate network; a DCS (Distributed Control System), EMS (Energy Management System) or DMS (Distribution Management System) network; and a network with the industrial systems on it. These networks are typically separated by firewalls. When you add smart meters to the mix they are typically connected in a similar fashion.

The formal models around SCADA security all revolve around this zoning model.

Red Tiger Security has developed a special process for assessing these networks, because industrial equipment starts behaving erratically when scanned with standard vulnerability scanners. Automated scanning of the SCADA systems from the network is acceptable, but scanning the industrial equipment itself will cause outages.

SCADA environments are often poorly patched because patches are known to break SCADA systems. Most of the vulnerabilities discovered in these infrastructures are found in the SCADA DMZ: these systems are often not maintained by corporate IT, who don't know how to maintain them, but they are not owned by the SCADA engineers either.

Read more…

Black Hat USA: Malware Freak Show 2010: The Client-Side Boogaloo

July 28th, 2010 No comments

By Nicholas J. Percoco (@c7five) and Jibran Ilyas

The SpiderLabs guys had a busy year. They investigated over 200 incidents in 24 different countries and collected plenty of malware samples along the way. Building on last year's DEFCON talk they are going to dive deeper and bring you the most interesting samples from around the world.

This talk brings you 4 new freaks and 4 new victims, including a sports bar in Miami, an online adult toy store, a US defense contractor, and an international VoIP provider.

The malware being demoed consists of very advanced pieces of software written by very skilled developers. The complexity of their propagation, control channels, anti-forensic techniques and data exfiltration will be very interesting to anyone interested in this topic, even though the major categories have stayed the same.

Malware comes in various categories: keyboard loggers, screen loggers and memory scrapers. Disk scrapers are not very popular because they are slow and too easily noticed due to heavy disk activity. There are three basic ways to own a system: Physical, Easy and Uber. Physical means inserting something like a USB stick or a key logger. Easy is e.g. through publicly exposed RDP and default passwords.

Malware is getting much harder to detect because it is better tested and uses stealthier techniques such as rootkits.

Sample SL2009-127 – Memory Rootkit Malware – Captain Brain Drain

Read more…

SSL takes a serious beating at BlackHat and Defcon conferences

August 1st, 2009 4 comments

Moxie Marlinspike, Dan Kaminsky and Mike Zusman all presented talks at both Blackhat and Defcon that expose serious flaws in the implementation and model of SSL and the way we use it today.
Read more…

Blackhat talk: Cloudburst – VMware guest to host escapes by Kostya Kortchinsky

July 31st, 2009 No comments

Kostya started off by telling everybody: “I'm not a virtualisation expert”

Then he explained how he built up his Cloudburst exploit. He focused on the guest OS devices, because the devices are omnipresent in all VMware products, run on the host, can be accessed from the guest, are written in C/C++ and parse some complex data.

Read more…

Blackhat talk: Fuzzing the Phone in your Phone – Charlie Miller and Collin Mulliner

July 31st, 2009 No comments

This is the talk that I blogged about earlier about owning the iPhone through SMS. The work Charlie and Collin did was actually amazing.

In their presentation they first looked at SMS. SMS is a building block of the phone system and essential to the working of the modern network because it is used for all kinds of things. Why is it a good attack target? There is no firewall, it is processed by all phones, it needs no user interaction, and you only need a phone number to send an SMS.

Read more…

Blackhat talk: Cloud Computing Models and Vulnerabilities – Raining on the Trendy New Paradise by Alex Stamos, Andrew Becherer & Nathan Wilcox

July 31st, 2009 No comments

Soundbite of the day: Alex Stamos about the Twitter hack: “No matter how low an opinion you have of your user, they will always prove you wrong”

Cloud computing is actually defined as three types of services: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). A large VMware farm for one company is not cloud computing.

Each of the models has its pros and cons.

Read more…

Blackhat newsflash: Researchers showed that an iPhone SMS virus infection is possible at Blackhat

July 30th, 2009 No comments

Charlie Miller's and Collin Mulliner's talk “Fuzzing the Phone in your Phone” today revealed, at the Blackhat security conference in Las Vegas, full details of an attack that could lead to the first iPhone virus infection.

Large SMS messages are cut up into smaller SMS messages, which means the phone must parse the SMS messages to put them back together, and that parsing can be used as an attack vector to breach the phone. By using a technique known as fuzzing, Miller and Mulliner were able to find exploitable conditions that could be turned into an attack and an iPhone virus. The attack takes a total of 519 SMS messages, but works without any user interaction.
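As an added example (not code from the talk or from this post), here is the reassembly step in question written defensively in Python: a parser for the concatenated-SMS User Data Header (UDH) that a handset must read to stitch a long message back together, plus a reassembler that refuses headers which do not fit in the message or announce inconsistent part numbers. The sample parts are constructed for the demo, and using the sender string as part of the bucket key is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IEI_CONCAT_8BIT = 0x00   # concatenated short message, 8-bit reference (IEDL = 3)
IEI_CONCAT_16BIT = 0x08  # concatenated short message, 16-bit reference (IEDL = 4)


class UdhError(ValueError):
    """Header that does not fit in the message, or announces inconsistent parts."""


@dataclass(frozen=True)
class Segment:
    ref: int        # concatenation reference shared by all parts of one message
    total: int      # number of parts announced by the sender
    seq: int        # 1-based position of this part
    payload: bytes  # user data after the header


def parse_segment(user_data: bytes) -> Segment:
    """Parse one SMS user-data field that carries a User Data Header."""
    if not user_data:
        raise UdhError("empty user data")
    udhl = user_data[0]
    header_end = 1 + udhl
    if header_end > len(user_data):
        # A naive parser trusts UDHL and reads past the buffer; refuse instead.
        raise UdhError("UDHL %d exceeds message length %d" % (udhl, len(user_data)))
    pos = 1
    concat: Optional[Tuple[int, int, int]] = None
    while pos < header_end:
        if pos + 2 > header_end:
            raise UdhError("truncated information element at offset %d" % pos)
        iei, iedl = user_data[pos], user_data[pos + 1]
        if pos + 2 + iedl > header_end:
            raise UdhError("IE 0x%02x declares %d bytes but the header ends first" % (iei, iedl))
        data = user_data[pos + 2:pos + 2 + iedl]
        if iei == IEI_CONCAT_8BIT and iedl == 3:
            concat = (data[0], data[1], data[2])
        elif iei == IEI_CONCAT_16BIT and iedl == 4:
            concat = ((data[0] << 8) | data[1], data[2], data[3])
        # Any other IE (port addressing etc.) is skipped; nothing in it is trusted.
        pos += 2 + iedl
    if concat is None:
        raise UdhError("no concatenation information element")
    ref, total, seq = concat
    if total == 0 or seq == 0 or seq > total:
        raise UdhError("bad part numbering seq=%d total=%d" % (seq, total))
    return Segment(ref, total, seq, user_data[header_end:])


class Reassembler:
    """Buffers parts per (sender, ref) and returns the message once all parts arrived."""

    def __init__(self) -> None:
        self._parts: Dict[Tuple[str, int], Dict[int, Segment]] = {}

    def feed(self, sender: str, user_data: bytes) -> Optional[bytes]:
        seg = parse_segment(user_data)
        key = (sender, seg.ref)
        bucket = self._parts.setdefault(key, {})
        if bucket and next(iter(bucket.values())).total != seg.total:
            # A part that changes the announced total is corruption or an attack:
            # drop the whole message rather than index past the expected range.
            del self._parts[key]
            raise UdhError("part total changed for ref %d" % seg.ref)
        bucket[seg.seq] = seg  # a repeated seq overwrites; it never grows the buffer
        if len(bucket) < seg.total:
            return None
        del self._parts[key]
        return b"".join(bucket[i].payload for i in range(1, seg.total + 1))


def make_part(ref: int, total: int, seq: int, payload: bytes) -> bytes:
    """Build a user-data field with an 8-bit concatenation header (demo helper)."""
    return bytes([5, IEI_CONCAT_8BIT, 3, ref, total, seq]) + payload


# Constructed sample: three parts of one message, delivered out of order.
SAMPLE_PARTS = [
    make_part(0x42, 3, 3, b"world"),
    make_part(0x42, 3, 1, b"hel"),
    make_part(0x42, 3, 2, b"lo "),
]


def demo(sender: str = "+15550000001") -> Optional[bytes]:
    """Feed the sample parts and return the reassembled message (None if incomplete)."""
    r = Reassembler()
    result = None
    for part in SAMPLE_PARTS:
        result = r.feed(sender, part)
    return result


if __name__ == "__main__":
    print(demo())  # b'hello world'
```

The checks that matter for the attack described above are the ones a fuzzer exercises: a UDHL larger than the message, an information element whose declared length overruns the header, a sequence number outside 1..total, and a later part that changes the announced total. Each of those is rejected before any index into the part buffer is computed.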

Read more…

Blackhat talk: Language of Trust aka Attacking Interoperability by Mark Dowd, Ryan Smith and David Dewey

July 30th, 2009 No comments

Interoperability is everywhere in browsers: Java <-> VBScript, VBScript <-> .NET, .NET <-> JavaScript, JavaScript <-> DOM, etc. This interoperability presents a large attack surface, which up to now has not been well explored.

There is a lot of code involved in converting types between the various languages.

Read more…