Technical Briefings

Stand Close to Me, & You’re pwned! : Owning SmartPhones using NFC (Aditya Gupta & Subho Halder)

NFC or the Near Field Communication allows cell phones to perform specified actions whenever they detect NFC tags or signals from other NFC enabled device. Most of the recent phones including Samsung Galaxy S3, Nokia Lumia 610, Blackberry Bold etc have NFC enabled with them. NFC even helps enterprise/payment gateways to ease up users actions, such as connecting to a wifi, setting a bookmark, making payments etc.

Gone are the days of sending Android malware links through URL or attachments. In this talk, we will be showing how an attacker could steal the private and sensitive information from one’s phone and even perform malicious actions on user’s phone, using NFC as an attack vector. NFC attack vectors come in two forms : Active(setting attacker’s phone as a proxy between victim’s smartphone and the payment terminal) and Passive(using NFC tags).For our demonstrations, we would be creating malicious NFC tags which when detected by any smartphone(NFC enabled) would steal sensitive information from the phones (without the users knowledge) as well as trick user to install malicious applications to his phone. Thereafter, we would also be talking about how an attacker could get in close proximity of another NFC-enabled phone, get a remote shell on the victim’s phone and compromise the phone’s security. We would also be discussing how viral an NFC attack could go in future, if proper security measures are not enforced.

 

The difference between the “Reality” and “Feeling” of Security: Information Security and the Human Being (Anup Narayanan & Thomas Kurian)

Let us assume that a person knows the traffic rules. But, does knowing the traffic rules make a person a better driver? Apply the same for “information security”. Does knowing the security policies guarantee that a person will practice the policies correctly and as required while at work. So, how do you make a person “accept and apply information security”? To answer this question, what we must understand is that for security practitioners, information security is a mathematical probability based on threats, vulnerabilities, impact and risk. For the end user (which is more than 99% of the workforce), security is a feeling. By influencing the feeling of security, it is possible to make the end user adopt responsible information security practices#.

 

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework (Ajin Abraham)

Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications. . The tool supports both manual mode and automated time sharing based test modes. It includes a XSS encoder, a victim side keystroke logger, and an Executable Drive-by downloader.

Payload Comparisons

Payload Comparisons

Features of Xenotix XSS Exploit Framework are Built in XSS Payloads(380+), XSS Key logger, XSS Executable Drive-by downloader, Automatic XSS Testing, XSS Encoder.

 

Smart Grid Security (Falgun Rathod)

Smart grids is an added communication capabilities and intelligence to traditional grids. Smart grids are enabled by  Intelligent sensors and actuators, Extended data management system, Expanded two way communication between utility operation system facilities and customers, Network security, National integration, Self healing and adaptive –Improve distribution and transmission system operation, Allow customers freedom to purchase power based on dynamic pricing, Improved quality of power-less wastage, Integration of large variety of generation options.

We have seen the more complex and critical infrastructure the more vulnerable they are. From the Year of 1994 we have seen lots of incidents where Smart Grid were Hacked the latest and booming incident was Stuxnet Worm which targeted Nuclear Power System of Iran and Worldwide. There are different types of Attacks we will see. Security needed for Smart Grid.

 

HAWAS – Hybrid Analyzer for Web Application Security (Lavakumar Kuppan)

Today there is a flood of tools to help with the automation of active scanning and exploitation of web applications. Once you move beyond these two functions the flood reduces down to a trickle. Vulnerability hunting is a fine art that requires a knack for seeing hidden patterns and connections. Tests like hidden parameters guessing are seldom performed by even skilled testers because of the time and effort involved in preparing for and performing them. When was the last time you identified a piece of sensitive data hidden in plain sight because it was hex encoded in to a very inconsequential looking string? Do you enumerate all possible avenues for stored XSS in an application? A lot of times checks are missed because there is no good tooling available to perform them effectively and effficiently. HAWAS is the tool you have been missing for a long time now. It is an open source tool that is designed for hybrid analysis. It performs automated passive analysis of a web application with no input from the user for some cases and with specific application specific input for some other cases. Based on the initial set of findings the user can perform further checks from within HAWAS. HAWAS will help you hugely increase your test coverage with very little additional effort.

 

Real Time Event Recording System, the tool for Digital Forensics Investigation (Madhav Limaye)

This is the Tool kind of Application that records the system events, e.g. File Delete, File Execute etc., on the central Server, which are the potential events used by Digital Forensic Investigators while investigating Offensive Event, e.g. Hosting an Attack.

 

Content-Type attack -Dark  hole in the secure environment (Raman Gupta)

With the increased in security awareness it’s very difficult to compromise the network/workstation, as most of network administrator put very restrictive firewalll policy for incoming network traffic i.e. allow only traffic for http/https service and antivirus software can easily detect any virus/worm infected file. This talk is about content type attack that cannot be blocked at network perimeter/firewall and undetectable by antivirus. The discussion also includes demonstration of attack vector to compromise the system. At last it includes analysis of malicious file used to compromise the system.

 

Legal Nuances to the Cloud (Ritambhara Agrawal)

This presentation highlights the key legal risks and their implications in cloud computing. Cloud is inherently jurisdictional, encompassing, remote hosting and processing of the data. This gives rise to multiple legal issues including security and privacy of the data, IP Rights, data portability, contractual limitations, risk mitigation and jurisdictional disputes.

As the cloud involves remote hosting and data accessibility by multiple parties, security and privacy remains the biggest concern for the companies. Businesses should look at issues ranging from physical location of the data centers, protection of the data against any adversity and intrusion, and access rights management.

The cloud servers are often located in different countries, which results in trans-  border Data Flow. Each country has its own set of legal rules and regulations regarding data protection and privacy policies and the same can bring in     complications in form of conflicting laws and jurisdictional disputes. Issues pertaining to IP rights, trade secrets and ownership of the data placed in the cloud require utmost attention. Termination and exit clauses are critical to the contract in the clouds. Interoperability of the data in the event of termination of services of a vendor is an important aspect to be considered in the contracts.

 

FatCat Web Based SQL Injector (Sandeep Kamble)

What is FatCat Sql injector: This is an automatic SQL Injection tool called as FatCat.

Fatcat Purpose? : For testing your web application and exploit your application into more deeper.

FatCat Support:
1)Mysql 5.0

FatCat Features?
1) Union Based Sql Injection
2) Error Based Sql Injection
3) MOD Security Bypass (WAF)

 

Hacking and Securing iOS applications (Satish Bommisetty)

iOS applications share common set of classes and highly depends on the operating system solutions for data communication, storage and encryption. Solely depending on the Apple implementation made them less complex but it affects security of the applications. Though iOS comes with a great set of security features like code signing, ASLR, DEP, sand boxing and Data Protection, all of them are subject to attack. Relying only on the iOS security could lead to demise the sensitive data stored within the application when the iOS is compromised. Application security can be improved by understanding the weaknesses in the current implementation and incorporating own code that work better.

The presentation illustrates several types of iOS application attacks like run time manipulation, custom code injection, SSL session hijacking and forensic data leakage. It gives an insight into the iOS Keychain & data protection API and explains the techniques to circumvent it. The presentation will provide guidelines and suggests best practices for secure iOS application development.

 

Infrastructure Security (Sivamurthy Hiremath)

With the development of technology, the interdependence of various infrastructures has increased, which also enhanced their vulnerabilities. The National Information Infrastructure security concerns the nation’s stability and economic security. So far, the research in Internet security primarily focused on securing the information rather than securing the infrastructure itself.

The pervasive and ubiquitous nature of the Internet coupled with growing concerns about cyber attacks we need immediate solutions for securing the Internet infrastructure. Given the prevailing threat situation, there is a compelling need to develop Hardware redesign architectures, Algorithms, and Protocols to realize a dependable Internet infrastructure. In order to achieve this goal, the first and foremost step is to develop a comprehensive understanding of the security threats and existing solutions. These attempts to fulfil this important step by providing classification of Security attacks are classified into four main categories: DNS hacking, Routing table poisoning, Packet mistreatment, and Denial-of-Service attacks. We are generally discussing on the existing Infrastructure solutions for each of these categories, and also outline a methodology for developing secured Nation.

 

Critical Infrastructure Security (Subodh Belgi)

Industrial Automation & Control Systems are an integral part of various manufacturing & process industries as well as national critical infrastructure. Concerns regarding cyber-security of control systems are related to both the legacy nature of some of the systems as well as the growing trend to connect industrial control systems to corporate networks. These concerns have led to a number of identified vulnerabilities and have introduced new categories of threats that have not been seen before in the industrial control systems domain. Many of the legacy systems may not have appropriate security capabilities that can defend against modern day threats, and the requirements for availability and performance can preclude using contemporary cyber-security solutions. To address cyber-security issues for industrial control systems, a clear understanding of the security challenges and specific defensive countermeasures is required. The session will highlight some of the latest cyber security risks faced by industrial automation and control systems along with essential security controls & countermeasures.

 

XSSshell (Vandan Joshi)

Cross site scripting (XSS) attacks are considered one of the most dangerous attacks. When an application accepts un-validated user inputs and sends it back to the browser without validation, it provides attackers with an opportunity to execute malicious scripts in victim users’ browsers. By using this attack vector, malicious users can hijack user accounts, deface websites, carry out phishing attacks etc .XSS shell is a cross domain tool to carry out XSS attack in more controlled manner. It is used to setup a channel between attacker and victim’s browser and controlling the victim’s browser.

 

Anatomy of a Responsible Disclosure – Zero Day Vulnerability in Oracle BI Publisher (Vishal Kalro)

Oracle Business Intelligence (BI) Publisher is a reporting tool to manage and deliver reports. It can be integrated with various data sources like Oracle DB, Oracle BI, SQL server, PeopleSoft, Siebel, web services etc. to generate flexible reports in different layout types like Word, Excel, PDF etc.Oracle BI Publisher Enterprise 10.1.3.4.2 was vulnerable to a Zero Day Cross-Site Request Forgery (CSRF) security flaw whereby the attacker could force the authenticated user to perform malicious actions of interest to the attacker. In this case a successful exploitation of the administrator account could lead to malicious adding/deletion of users, malicious configuration for report delivery etc. This module being a reporting tool a successful exploitation of the CSRF vulnerability could severely affect the confidentiality, integrity and availability of data. Oracle had been very cooperative in acknowledging and addressing this issue. A patch for this vulnerability was released as part of their Critical Patch Update (CPU) on April 17 2012.