An introduction to Digital Security - Rishabh Dangwal

Devinder Goyal, Parul Khanna, Rishabh Dangwal

Description: A presentation which provides insights into mobile hacking, XSS, network security and digital security in general.

Transcript of An introduction to Digital Security - Rishabh Dangwal

Page 1: An introduction to Digital Security - Rishabh Dangwal

Devinder Goyal, Parul Khanna

Rishabh Dangwal

Page 2: An introduction to Digital Security - Rishabh Dangwal

Independent security researchers, each specializing in their own domain.

We have provided corporate security solutions to the worthy.

Inculcated a sense of digital security in the generation of today.

Page 3: An introduction to Digital Security - Rishabh Dangwal

Security is a misconception .

No Security, only opportunity.

Proactive security is a notch better than reactive and preventive security.

Needless to say, security is directly proportional to awareness.

Page 4: An introduction to Digital Security - Rishabh Dangwal

Countless websites are defaced just for fun.

Prominent methods include SQLi, RFI, LFI and zero-day/zero-hour exploits.

A massive threat if executed carefully.

Page 5: An introduction to Digital Security - Rishabh Dangwal

Propaganda.

Possible server/data center access.

Sensitive Information disclosure.

Practice by script-kiddies/skids.

Possible botnet creation.

Page 6: An introduction to Digital Security - Rishabh Dangwal

Upload our backdoor to the server by any means.

Relies on the PHP include() function. Vulnerable sites will have code like this:

index.php?page=something

In place of "something" we can upload our backdoor.

Page 7: An introduction to Digital Security - Rishabh Dangwal

Search for vulnerable websites using Google dorks:

inurl:"index.php?page=" or

inurl:"main.php?x="

Test it by inputting some parameter in the variable; if successful, exploit it.

Page 8: An introduction to Digital Security - Rishabh Dangwal

An attacker can access all data on the server by manipulating the URL.

Directory traversal attack.

Manipulates PHP functions to get file-level access.

xyz.com/main.php?page=../../etc/passwd
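The include() pattern from the three slides above, as an added example that is not part of the presentation: the vulnerable form the slides describe, beside a hardened version that resolves the page parameter against a fixed allowlist (the page names and file paths are assumed).

```php
<?php
// Added example (not from the presentation). Page names and paths are assumed.

// VULNERABLE: the request parameter is handed straight to include(), so a
// path such as ../../etc/passwd (LFI) or, with allow_url_include=On, a remote
// URL (RFI) is resolved and executed as if it were a local page file.
function render_page_vulnerable(string $page): void
{
    include $page;
}

// HARDENED: the parameter is only ever used as a lookup key into a fixed
// allowlist, so no path or URL characters from the request reach include().
const ALLOWED_PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(string $page): ?string
{
    // Exact-match lookup: "../", "http://", null bytes and so on never match.
    return ALLOWED_PAGES[$page] ?? null;
}

function render_page_hardened(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        // Unknown names get a 404; the rejected value is never echoed back,
        // so the parameter cannot be turned into a reflected XSS vector.
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include __DIR__ . '/' . $path;
}

// Demo on constructed requests: only the allowlisted name resolves to a file.
foreach (['about', '../../etc/passwd', 'http://example.test/remote.txt'] as $req) {
    var_dump(resolve_page($req));
}
```

Independently of application code, keeping allow_url_include off in php.ini (its default) removes the remote-include case entirely.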

Page 9: An introduction to Digital Security - Rishabh Dangwal

Client-side attack; allows bypassing client-side security mechanisms.

Web 2.0 security nightmare

Page 10: An introduction to Digital Security - Rishabh Dangwal

Persistent XSS – inserted code is permanent.

Non-persistent XSS – inserted code is not permanent.

Page 11: An introduction to Digital Security - Rishabh Dangwal

Misuse of XSS:

Steal cookies

Log information

Deface pages

Spread misinformation

URL redirection

Page 12: An introduction to Digital Security - Rishabh Dangwal

GSM/CDMA data stored at the base station can be used to trace location.

Calls can be spoofed using commercially available spoof cards.

No regulation on call spoofing.

Google: Call Spoofing

Page 13: An introduction to Digital Security - Rishabh Dangwal

SMS bombing

Phone explosion due to overheating of the phone IC

SIM cloning

Page 14: An introduction to Digital Security - Rishabh Dangwal

Google reveals secrets, provided you know how to ask

Efficient manipulation of dorks

Automated tools

Find anything

Page 15: An introduction to Digital Security - Rishabh Dangwal

One of the most exotic places on the web

Considered as the holy grail of all information

Archives of classified information available

Hotline/KDX access and UUCP

Page 16: An introduction to Digital Security - Rishabh Dangwal

Protocol-defying tools like Gobbler/Yersinia

The black market has the sploits.

Easy to set up LOIC and spam with DDoS.

Exotic tools can be coded by efficient coders.

Page 17: An introduction to Digital Security - Rishabh Dangwal

Casual hunting through Shodan

Open source opens portals for security

Defeat latest security technologies (UTM/XTM) using custom blended attacks.

Page 18: An introduction to Digital Security - Rishabh Dangwal

Again: the only secure computer is one guarded by two guards, buried six feet under the earth, with no internet connection, in the powered-off state.

Obscurity is not Security.

Open Source rules

Page 19: An introduction to Digital Security - Rishabh Dangwal

Page 20: An introduction to Digital Security - Rishabh Dangwal

Thank You