SIM card exploitation. The SRLabs Team. SRLabs Template v12
Slide 1: SIM card exploitation (title slide; The SRLabs Team, SRLabs Template v12)
Slide 2: SIM cards are fully programmable computer systems
Applications on a modern SIM card (a smartcard with a real-time operating system):
- Basic functions: identification (IMSI); authentication (Ki and hash function); a simple file system holding the address book, SMS messages and session keys
- Java virtual machine running custom Java apps: roaming management, payment, tracking
Slide 3: SIM security involves many layers, from smartcards to cryptography and Java process separation
A SIM card includes various protection mechanisms:
- User authentication by simple comparison (PIN/PUK numbers)
- SIM authentication by cryptographic hash function, often Comp128 in GSM and Milenage in 3G/4G (Ki)
- A: Secure Java deployment using DES/3DES/AES signature and encryption (OTA keys)
- B: Application separation: Java VM sandboxing, with individual protection logic for banking applets, identification applets, etc.
- Storage protection through proprietary smartcard security mechanisms
- Java crypto API: DES/3DES/AES; sometimes RSA
Slide 4: Agenda: SIM card background; A: Getting on to the SIM; B: Stealing SIM secrets
Slide 5: OTA security level is chosen by the server while the SIM enforces a mandatory minimum level (illustrative)
Binary SMS communication: the OTA server initiates a remote transaction. The command names the target app / key set number and the requested security level, and is possibly encrypted and/or signed. The response is protected according to the request, but not below the minimum level stored on the card.
The SIM card stores multiple key sets (encryption and signature keys), possibly with different protection levels (e.g. DES, 3DES, AES); one level is marked as mandatory.
Slide 6: OTA error handling is underspecified, possibly opening attack surface
Binary SMS communication: the attacker probes cards to gain material for DES key cracking. A command with a wrong signature (use: DES signature; request: DES signature) is sent to a SIM card with a DES key (prevalence of DES keys varies between operators; can be up to 100%).
The response to the mal-signed request differs by card type:
a. (25%* of cards) No response
b. (50%*) Error message, sometimes with an all-zeros signature
c. (25%*) Error message with DES signature: data usable for key cracking
* Estimated from a relatively small and geographically skewed measurement set
Slide 7: OTA DES does not withstand key cracking
Challenge: derive the 56-bit DES key from an OTA response signature.
Cracking strategies (investment / cracking time):
- Be patient: brute force on GPU; investment EUR; cracking time months
- Throw money at it: brute force on FPGA cluster; investment EUR; cracking time a day
- Ride the rainbow: time-memory trade-off using large hard disks and GPU; investment EUR plus a year of pre-computation; cracking time 1 minute (but <100% success rate). Only possible when the OTA response is fully predictable.
Slide 8: Attacker SMS asks for a DES-signed SMS response with fully predictable content
A command packet is sent by the attacker to provoke a response. Attack-specific features: UDHI, PID, DCS 246, UDH.
Command packet fields: CPL (packet length), CHL (header length), SPI (no ciphering; sign PoR request), KIc (no cipher), KID (DES signature), TAR (app 01), CNTR (counter), PCNTR (padding), CC (invalid signature), Data (generic command, random length).
Packet details (SPI): no ciphering, cryptographic checksum; do not cipher PoR, sign PoR, send PoR in any case.
The response packet may offer attack surface: UDH, RPL (packet length), RHL (header length), TAR (app 01), CNTR (counter), PCNTR (padding), Status Code, CC (crypto checksum), Data. Outcome: response or no response; a signature over predictable data is usable for rainbow table key cracking.
Slide 9: Pre-computation tables store the DES code book in condensed form
Chains of alternating DES evaluations and reductions (K), of which only start and end points are stored:
  E233 -K-> 2F06 -K-> 503A -K-> 0CFE
  DB18 -K-> B951 -K-> CAF3 -K-> 77CF
  22CB -K-> A8F3 -K-> CAF3 -K-> 77CF   (collision: this chain merges with the one above)
  87A4 -K-> 49A6 -K-> 118F -K-> B33F
The uncondensed code book is petabytes in size. Tables provide a trade-off: longer chains := less storage, but also longer attack time.
Slide 10: Table optimization: rainbow tables mitigate the effect of collisions
Each chain position uses its own reduction function (K1, K2, K3), so a collision in different positions does not merge chains:
  E233 -K1-> 44B2 -K2-> BBA8 -K3-> 1B22
  DB18 -K1-> 0DE3 -K2-> 44B2 -K3-> 5DE2   (collision with 44B2 above, but in another column: no merger)
  22CB -K1-> 6C7A -K2-> 55D2 -K3-> 922A
  87A4 -K1-> 11F6 -K2-> 362E -K3-> C7D5
Rainbow tables have no mergers, but an exponentially higher attack time. Source: c't
Slide 11: Video and live demo: remotely cracking an OTA key
Video source: http:// Hack-exponiert-Millionen-SIM-Karten html
Slide 12: OTA attacks extend beyond DES signatures
Many mobile operators responded to the looming SIM hacking risk considerately and faster than we could have wished for; others (too?) quickly concluded they were not affected.
Recent operator statements, and whether they make sense:
- "We use encryption instead of signatures; the attack does not apply here." No. Encrypting a known plaintext with DES is as bad as signing it. Even when both are required, the attack still applies (but needs two rainbow tables).
- "We don't even use OTA." No. Virtually all SIMs are Java cards. Even if you are not using those capabilities, an attacker may (and will probably find that you never cared to update the keys of this virtual wasteland).
- "We only use 3DES." Maybe. 3DES is good, but have you made sure to use full-entropy 112/168-bit keys instead of multiple copies of a 56-bit key? Changed all the standard keys? Heard of downgrade attacks?
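As an added example (not part of the SRLabs slides), the following Python performs the key-hygiene checks that the third answer above implies for an operator reviewing its 3DES OTA key sets: whether a 16- or 24-byte key really carries 112 or 168 bits or degenerates to single DES because halves repeat, whether a half is one of the four DES weak keys, whether the per-byte odd parity of DES keys is present, whether the key appears in a list of default keys the operator maintains, and a crude byte-diversity heuristic for the low-entropy keys reported from the OHM measurements later in the deck. The sample keys, the default-key list and the diversity threshold are constructed for this example.

```python
"""Hygiene checks for 3DES OTA key sets (added example; not SRLabs code)."""
from typing import Iterable

# The four DES weak keys; no half of a 3DES key should be one of them.
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"), bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"), bytes.fromhex("1F1F1F1F0E0E0E0E"),
}
MIN_DISTINCT_BYTES = 5   # constructed threshold for the byte-diversity heuristic


def has_odd_parity(key: bytes) -> bool:
    """DES keys carry one odd-parity bit per byte; a key failing this was
    probably not produced by a DES key generator (informational only)."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def check_3des_key(key: bytes, known_defaults: Iterable[bytes] = ()) -> dict:
    """Return {"effective_bits": n, "findings": [...]} for a 16- or 24-byte 3DES key."""
    if len(key) not in (16, 24):
        raise ValueError("3DES keys are 16 (2-key) or 24 (3-key) bytes")
    k1, k2 = key[:8], key[8:16]
    k3 = key[16:24] if len(key) == 24 else k1      # 2-key 3DES reuses K1 as K3
    findings = []

    # EDE is E_K3(D_K2(E_K1(P))): it collapses to E_K3(P) when K1 == K2 and to
    # E_K1(P) when K2 == K3, i.e. to single DES with a 56-bit key.
    if k1 == k2 == k3:
        effective = 56
        findings.append("K1 == K2 == K3: three copies of one 56-bit key")
    elif k1 == k2 or k2 == k3:
        effective = 56
        findings.append("two adjacent halves equal: EDE collapses to single DES")
    elif k1 == k3:
        effective = 112
        if len(key) == 24:
            findings.append("K1 == K3 in a 24-byte key: only 2-key (112-bit) strength")
    else:
        effective = 168 if len(key) == 24 else 112

    halves = [("K1", k1), ("K2", k2)] + ([("K3", k3)] if len(key) == 24 else [])
    for name, half in halves:
        if half in DES_WEAK_KEYS:
            findings.append(f"{name} is a DES weak key")
    if not has_odd_parity(key):
        findings.append("parity bits not set: key was probably not generated as a DES key")
    if bytes(key) in set(known_defaults):
        findings.append("key matches a known default/standard key; must be changed")
    if len(set(key)) < MIN_DISTINCT_BYTES:
        findings.append(f"only {len(set(key))} distinct byte values: low-entropy pattern")
    return {"effective_bits": effective, "findings": findings}


# Constructed sample halves (the third is the textbook DES example key).
K1 = bytes.fromhex("0123456789ABCDEF")
K2 = bytes.fromhex("FEDCBA9876543210")
K3 = bytes.fromhex("133457799BBCDFF1")

if __name__ == "__main__":
    for label, key in (("3 x K1", K1 * 3), ("K1|K2", K1 + K2), ("K1|K2|K3", K1 + K2 + K3)):
        print(label, check_3des_key(key))
```

The effective-bit figure is the number an operator should compare against the "112/168 bit" claim: a 24-byte key set that is really three copies of one DES key is exactly the rainbow-table case again.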
Slide 13: For some cards, even 3DES keys are crackable
Downgrade attack flow. Some SIM cards with a 3DES key use lower signature schemes when requested (in violation of the standard):
1. Command requesting a DES-signed response (KID = 1); the card answers with a DES-signed error. Crack the first third of the key (56 bit).
2. DES-signed command requesting a 2-key 3DES-signed response (KID = 5); the card answers with a 2-key 3DES-signed error. Crack the second third* (56 bit).
3. 2-key 3DES-signed command requesting a 3-key 3DES-signed response (KID = 9); the card answers with a 3-key 3DES-signed error. Crack the final third* (56 bit).
* Must be brute-forced; a rainbow table attack is no longer possible.
Slide 14: Only some cards provide crackable plaintext-signature pairs
The attacker sends an OTA command with a wrong DES signature requesting a DES-signed response. Cards responding with a valid DES signature are vulnerable.
Response classification (CC length / CC content / DES crack / DES downgrade / vulnerable):
- No response (0 bytes): DES crack no; DES downgrade no; not vulnerable to this attack
- 8 bytes, all zero or other fixed pattern: DES crack no; DES downgrade no; not vulnerable to this attack
- 8 bytes, valid signature (random pattern): DES crack yes; DES downgrade yes; vulnerable
Slide 15: Agenda: SIM card background; A: Getting on to the SIM; B: Stealing SIM secrets
Slide 16: Java virus does not automatically have access to all SIM assets
An OTA-deployed SIM virus can access the SIM Toolkit API; the Java sandbox should protect critical data on the SIM; data access on the SIM would enable further abuse.
Standard STK functions and their abuse potential:
- Send SMS: premium SMS fraud
- Dial phone numbers, send DTMF tones: circumvent caller-ID checks; mess with voice mail
- Send USSD numbers: abuse USSD-based payment schemes
- Query phone location and settings: track victim
- Open URL in phone browser: phishing; malware deployment to phone; any other browser-based attack
- Redirect incoming calls; sometimes also SMS
Protected functions and their abuse potential:
- Read Ki: SIM cloning; decrypt all 2G/3G/4G traffic
- Read hash function: reverse-engineer proprietary authentication functions; perhaps find weaknesses
- Read OTA keys, read Java processes, write to Flash or EEPROM: lateral attacks; clone NFC payment takers and other future SIM applications; alter OS to prevent vulnerability patching
Slide 17: Java VM on many SIMs fails to confine malicious applets
A Java virus may try to intrude on other parts of the SIM. The Java VM needs to enforce the sandbox boundaries of each app:
- Simplistic memory boundary violation attempt, X = small_array[ ]: the Java VM enforces array boundaries and stops the request.
- More complex construct to violate memory boundaries (responsible disclosure with vendors ongoing): the Java VM fails to detect the violation and processes the request.
Other Java programs and native SIM functions store valuable secrets. Data in SIM and abuse scenario: Ki: SIM cloning (SMS/call fraud); banking applets: steal balance; identification applets: impersonate.
All secret information on the SIM is exposed to malicious applets through vulnerabilities in several popular Java implementations.
Slide 18: Putting it all together: remote SIM cloning
A: Infiltrate card with malicious Java applet
- Action: send binary SMS with OTA command to card, requesting a card response. Result: card may respond with a DES-signed error message.
- Action: crack DES signing key, then sign Java virus and send it through binary SMS. Result: card installs and executes the signed Java applet.
B: Exfiltrate valuable data
- Action: leverage gaps in Java VM memory separation to access arbitrary SIM card data. Result: malicious applet extracts Ki, banking applets, etc., and sends them to the attacker via SMS.
Slide 19: Wide-scale SIM hacking risk must be mitigated on several layers
Mitigation layers for the OTA hacking risk (effectiveness, cost from low to high):
- Filter OTA messages from unapproved sources: prevents probing in the home network; leaves SIMs exposed when roaming, to fake base stations, and to phone malware. Functionality readily available in most SMSCs. (Network operators' short-term mitigation option)
- Deactivate OTA on card: prevents the attack (but also any future use of OTA with the DES key). Can be done through SMS. (Network operators' short-term mitigation option)
- Use 3DES or AES OTA keys: prevents the attack (except where the downgrade attack works). Some cards need replacing, others updates. (Network operators' mid-term mitigation option)
- Use cards that do not disclose crypto texts: prevents the attack. Some cards need to be replaced. (Network operators' mid-term mitigation option)
- Filter suspicious messages on the phone baseband: prevents the attack. New software function for future phones. (Complementary mitigation option for phone manufacturers)
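As an added example (not part of the SRLabs slides), the following Python decodes the command-packet security header that slide 8 lists (SPI, KIc, KID, TAR, CNTR, PCNTR, CC) using the bit layout of GSM 03.48 / ETSI TS 102 225, and applies the kind of SMSC-side filter the first mitigation above calls for: only approved originating addresses may send OTA commands, and commands that select a single-DES signing key set are refused, which also stops the KID = 1 step of the slide 13 downgrade flow at the network rather than on the card. The sample packets, the approved-source list and the policy rules are constructed for this example and are not an operator's actual configuration.

```python
"""Decode the security header of a GSM 03.48 / ETSI TS 102 225 OTA command
packet and apply a simple SMSC filter policy (added example, not SRLabs code)."""
import struct
from dataclasses import dataclass

# Bit fields per TS 102 225, with b1 the least significant bit.
INTEGRITY = {0: "none", 1: "RC", 2: "CC", 3: "DS"}                     # SPI1 b2b1, SPI2 b4b3
COUNTER_MODE = {0: "no counter", 1: "counter, no check",
                2: "counter > stored", 3: "counter = stored + 1"}     # SPI1 b5b4
POR_MODE = {0: "no PoR", 1: "PoR required", 2: "PoR on error", 3: "reserved"}  # SPI2 b2b1
DES_MODE = {0: "DES-CBC", 1: "3DES-2key", 2: "3DES-3key", 3: "DES-ECB"}         # KIc/KID b4b3


def key_algorithm(kbyte: int) -> tuple[str, int]:
    """Return (algorithm name, key set index) for a KIc or KID byte."""
    family, mode, index = kbyte & 0x03, (kbyte >> 2) & 0x03, kbyte >> 4
    if family == 0:
        return "implicit", index
    if family == 1:
        return DES_MODE[mode], index
    if family == 2:
        return "AES", index
    return "proprietary", index


@dataclass
class CommandHeader:
    spi1: int
    spi2: int
    kic: int
    kid: int
    tar: bytes
    cntr: int
    pcntr: int
    cc: bytes       # RC/CC/DS field; empty when SPI1 requests none
    data: bytes     # secured data (possibly still ciphered)

    @property
    def integrity(self) -> str:
        return INTEGRITY[self.spi1 & 0x03]

    @property
    def ciphered(self) -> bool:
        return bool(self.spi1 & 0x04)

    @property
    def counter_mode(self) -> str:
        return COUNTER_MODE[(self.spi1 >> 3) & 0x03]

    @property
    def por_mode(self) -> str:
        return POR_MODE[self.spi2 & 0x03]

    @property
    def por_integrity(self) -> str:
        return INTEGRITY[(self.spi2 >> 2) & 0x03]


def build_command_packet(spi1, spi2, kic, kid, tar, cntr, pcntr, cc, data) -> bytes:
    """Assemble CPL | CHL | SPI | KIc | KID | TAR | CNTR | PCNTR | RC/CC/DS | data."""
    header = bytes([spi1, spi2, kic, kid]) + tar + cntr.to_bytes(5, "big") + bytes([pcntr]) + cc
    return struct.pack(">HB", 1 + len(header) + len(data), len(header)) + header + data


def parse_command_packet(pkt: bytes) -> CommandHeader:
    """Parse the command packet that follows the UDH of an SMS-PP OTA message."""
    if len(pkt) < 16:
        raise ValueError("packet too short")
    cpl, chl = struct.unpack(">HB", pkt[:3])
    if cpl != len(pkt) - 2:
        raise ValueError("CPL does not match packet length")
    if chl < 13 or 3 + chl > len(pkt):      # CHL spans SPI..RC/CC/DS; 13 bytes without a checksum
        raise ValueError("CHL out of range")
    spi1, spi2, kic, kid = pkt[3:7]
    return CommandHeader(spi1, spi2, kic, kid, tar=pkt[7:10],
                         cntr=int.from_bytes(pkt[10:15], "big"), pcntr=pkt[15],
                         cc=pkt[16:3 + chl], data=pkt[3 + chl:])


def filter_ota_command(pkt: bytes, source: str, approved_sources: set[str]):
    """Return (allow, reasons, header). Policy is assumed for this example:
    approved originators only, no single-DES signature key sets, and no
    unauthenticated command that asks the card for a signed PoR."""
    reasons = []
    if source not in approved_sources:
        reasons.append("originating address not on the approved OTA server list")
    hdr = parse_command_packet(pkt)
    sig_alg, _ = key_algorithm(hdr.kid)
    if hdr.integrity in ("CC", "DS") and sig_alg in ("DES-CBC", "DES-ECB"):
        reasons.append("single-DES signature key set selected (KID=%#04x)" % hdr.kid)
    if hdr.por_integrity in ("CC", "DS") and hdr.integrity == "none":
        reasons.append("unauthenticated command asks the card for a signed PoR")
    return not reasons, reasons, hdr


APPROVED_SOURCES = {"+491700000001"}          # constructed allow-list
# Constructed header matching slide 8's field list: CC integrity, no ciphering,
# no counter check, PoR required and CC-signed, KID = single DES; CC is a placeholder.
PROBE_PACKET = build_command_packet(0x02, 0x09, 0x00, 0x01, b"\x00\x00\x01", 0, 0, bytes(8), bytes(4))
# Constructed compliant header: CC, counter must be stored + 1, KID = 2-key 3DES, key set 1.
COMPLIANT_PACKET = build_command_packet(0x1A, 0x09, 0x00, 0x15, b"\x00\x00\x01", 1, 0, bytes(8), bytes(4))

if __name__ == "__main__":
    for name, pkt, src in (("probe", PROBE_PACKET, "+491700000099"),
                           ("compliant", COMPLIANT_PACKET, "+491700000001")):
        allow, reasons, hdr = filter_ota_command(pkt, src, APPROVED_SOURCES)
        print(name, "allow" if allow else "drop", reasons, hdr.integrity, hdr.por_mode)
```

The filter only sees the SMSC side, so, as the slide notes, it does nothing for SIMs reached while roaming or through a fake base station; the KID check is the network-side complement to moving key sets to 3DES or AES.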
Slide 20: OHM 2013 workshops confirm vulnerability and point to next issues
Signature disclosure: cards still disclose signatures even though many cards got patched over the last 2 weeks and OHM participants use newer SIM cards than average. Signature-disclosing cards in research set: 23%; cards affected in OHM sample (14 countries): 29%.
Key entropy is low (measured at OHM): the OTA DES keys observed have estimated entropies of ~16 bit, ~24 bit, ~44 bit, ~50 bit and ~52 bit (key fragments shown: 2cee, ae0a6; full keys shown: aa7890c234aeee28, 96a6141aaa5ef0ee); an 11% figure also appears on the slide.
Slide 21: Industry response was encouraging for responsibly disclosing hacking research
The responsible disclosure went surprisingly well and is worth mentioning:
- We disclosed several months ahead of the release to trusted contacts made around previous releases
- Experts from a few large companies verified the results and created best-practice responses
- Industry associations disseminated guidelines to all other operators
- Many networks are now well underway implementing filtering and reconfiguring cards
- Only a single lawyer stumbled into the interaction, but quickly left
Take-aways from a number of responsible disclosures that all went well (except for one):
- Find constructive partners in the industry; ask other hackers for their recommendations
- Disclose early and don't be surprised if even the most motivated disclosure partner takes months to distribute the information confidentially in their industry
- Bring someone with disclosure experience to meetings
- Expect friendliness and remind your partner of the required etiquette should they ever act rude or arrogant
- Help your technical contacts win the internal battles: refuse to speak to their lawyers; never sign an NDA prior to your disclosure
- Be extremely careful accepting money; and only ever to help with mitigation
Slide 22: Take-aways
A: Some DES-secured SIM cards allow for remote key cracking and applet installation.
B: Java vulnerabilities enable attackers to remotely extract Ki and banking applet data.
Mitigation options exist on network, baseband, and SIM card level.
Questions? Karsten Nohl <nohl@srlabs.de>
More informationSecurity Awareness. Top Security Issues. Office of Informa(on Technology Informa5on Security Department 2011-2012 BE CYBER SAFE
Security Awareness Office of Informa(on Technology Informa5on Security Department 2011-2012 Top Security Issues BE CYBER SAFE 1 Top Security Items for 2011-2012 Passwords Social Networking Phishing Malware,
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationDDOS Mi'ga'on in RedIRIS. SIG- ISM. Vienna
DDOS Mi'ga'on in RedIRIS SIG- ISM. Vienna Index Evolu'on of DDOS a:acks in RedIRIS Mi'ga'on Tools Current DDOS strategy About RedIRIS Spanish Academic & research network. Universi'es, research centers,.
More informationTop 10 most interes.ng SAP vulnerabili.es and a9acks
Invest in security to secure investments Top 10 most interes.ng SAP vulnerabili.es and a9acks Alexander Polyakov CTO at ERPScan About ERPScan The only 360- degree SAP Security solu8on - ERPScan Security
More informationconfigurability compares with typical Asset Monitoring systems Able to install collectors on remote sites rather than pull all data
Software Comparison Sheet OpViewTM from Software leverages a completely new database architecture to deliver the most flexible monitoring system available on the market today. This award-winning solution
More informationChapter 7 Transport-Level Security
Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell
More informationResilience improving features of MPLS, IPv6 and DNSSEC
Resilience improving features of MPLS, IPv6 and DNSSEC So?ris Ioannidis Ins%tute of Computer Science (ICS) Founda%on for Research and Technology Hellas (FORTH) Crete, Greece MPLS, IPv6 and DNSSEC MPLS
More informationMobile network security report: Norway
Mobile network security report: Norway GSM Map Project gsmmap@srlabs.de Security Research Labs, Berlin August 2014 Abstract. Mobile networks differ widely in their protection capabilities against common
More informationBlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note
BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise
More informationThe Transport Layer and Implica4ons for Network Monitoring. CS 410/510 Spring 2014
The Transport Layer and Implica4ons for Network Monitoring CS 410/510 Spring 2014 Review Preliminaries: Three Principles of Informa4on Security The Three A s Review: Network Protocol Stacks Review: Network
More informationBroadSAFE Enhanced IP Phone Networks
White Paper BroadSAFE Enhanced IP Phone Networks Secure VoIP Using the Broadcom BCM11xx IP Phone Technology September 2005 Executive Summary Voice over Internet Protocol (VoIP) enables telephone calls
More informationApache web server: ConceI avanza0 (Lezione 2, Parte I) Emiliano Casalicchio (C) emiliano.casalicchio@uniroma1.it
Corso di Proge+azione di Re0 e Sistemi Informa0ci Apache web server: ConceI avanza0 (Lezione 2, Parte I) Emiliano Casalicchio emiliano.casalicchio@uniroma1.it Agenda ConceI e pra0ca sul Virtual hos0ng
More informationLecture 9: Application of Cryptography
Lecture topics Cryptography basics Using SSL to secure communication links in J2EE programs Programmatic use of cryptography in Java Cryptography basics Encryption Transformation of data into a form that
More informationCloud Security. Let s Open the Box. Abu Shohel Ahmed ahmed.shohel@ericsson.com NomadicLab, Ericsson Research
t Cloud Security Let s Open the Box t Abu Shohel Ahmed ahmed.shohel@ericsson.com NomadicLab, Ericsson Research Facts about Ericsson Ericsson is a world-leading provider of telecommunication equipment and
More informationCommon Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July 2006. The OWASP Foundation http://www.owasp.org/
Common Pitfalls in Cryptography for Software Developers OWASP AppSec Israel July 2006 Shay Zalalichin, CISSP AppSec Division Manager, Comsec Consulting shayz@comsecglobal.com Copyright 2006 - The OWASP
More informationHow Are Certificates Used?
The Essentials Series: Code-Signing Certificates How Are Certificates Used? sponsored by by Don Jones Ho w Are Certificates Used?... 1 Web Applications... 1 Mobile Applications... 2 Public Software...
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More information