Ni Apple ni IBM, el primer ordenador personal se fabricó en Texas y se llamaba Datapoint 2200

Datapoint 2200 En 1968, mientras Steve Jobs y Steve Wozniak aún estaban en el instituto, dos tejanos llamados Phil Ray y Gus Roche estaban decidiendo si montar un restaurante Tex-Mex o una empresa de ordenadores. Afortunadamente se decidieron por la segunda opción, ya que ambos eran ingenieros electrónicos que habían trabajado para la NASA, y la electrónica se les daba un poco mejor que la comida mejicana. Entonces el 6 de Julio de 1968 nació CTC, Computer Terminal Corp.
Leer más

Vídeos De Usenix 17

USENIX 17 Además del material de USENIX 17, ya están disponibles también los vídeos de las charlas. Aquí tenéis la lista completa: Opening Remarks and Awards When Your Threat Model Is “Everything”: Defensive Security in Modern Newsrooms How Double-Fetch Situations turn into Double-Fetch Vulnerabilities… Postmortem Program Analysis with Hardware-Enhanced Post-Crash Artifacts Ninja: Towards Transparent Tracing and Debugging on ARM Prime+Abort: A Timer-Free High-Precision L3 Cache Attack using Intel TSX On the effectiveness of mitigations against floating-point timing channels Constant-Time Callees with Variable-Time Callers Neural Nets Can Learn Function Type Signatures From Binaries CAn’t Touch This… Efficient Protection of Path-Sensitive Control Security Digtool: A Virtualization-Based Framework for Detecting Kernel Vulnerabilities kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Venerable Variadic Vulnerabilities Vanquished Towards Practical Tools for Side Channel Aware Software Engineering… Strong and Efficient Cache Side-Channel Protection… CacheD: Identifying Cache-Based Timing Channels in Production Software An Ant in a World of Grasshoppers From Problems to Patterns to Practice… BinSim: Trace-based Semantic Binary Diffing… PlatPal: Detecting Malicious Documents with Platform Diversity Malton: Towards On-Device Non-Invasive Mobile Malware Analysis for ART Global Measurement of DNS Manipulation Characterizing the Nature and Dynamics of Tor Exit Blocking DeTor: Provably Avoiding Geographic Regions in Tor SmartAuth: User-Centered Authorization for the Internet of Things AWare: Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 6thSense: A Context-aware Sensor-based Attack Detector for Smart Devices Identifier Binding Attacks and Defenses in Software-Defined Networks HELP: Helper-Enabled In-Band Device Pairing… Attacking the Brain: Races in the SDN Control Plane Detecting Credential Spearphishing in Enterprise Settings SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data When the Weakest Link is Strong… Hacking in Darkness: Return-oriented Programming against Secure Enclaves vTZ: Virtualizing ARM TrustZone Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing AuthentiCall: Efficient Identity and Content Authentication for Phone Calls Picking Up My Tab… TrustBase: An Architecture to Repair and Strengthen… Transcend: Detecting Concept Drift in Malware Classification Models Syntia: Synthesizing the Semantics of Obfuscated Code Predicting the Resilience of Obfuscated Code… Differential Privacy: From Theory to Deployment OSS-Fuzz - Google’s continuous fuzzing service for open source software Extension Breakdown… CCSP: Controlled Relaxation of Content Security Policies… Same-Origin Policy: Evaluation in Modern Browsers Locally Differentially Private Protocols for Frequency Estimation BLENDER: Enabling Local Search with a Hybrid Differential Privacy Model Computer Security, Privacy, and DNA Sequencing… BootStomp: On the Security of Bootloaders in Mobile Devices Seeing Through The Same Lens… Oscar: A Practical Page-Permissions-Based Scheme… PDF Mirage: Content Masking Attack Against Information-Based Online Services Loophole: Timing Attacks on Shared Event Loops in Chrome Game of Registrars… Speeding up detection of SHA-1 collision attacks… Phoenix: Rebirth of a Cryptographic Password-Hardening Service Vale: Verifying High-Performance Cryptographic Assembly Code Exploring User Perceptions of Discrimination in Online Targeted Advertising Measuring the Insecurity of Mobile Deep Links of Android How the Web Tangled Itself Towards Efficient Heap Overflow Discovery DR.
Leer más

Laboratorio De Explotación De Apache Struts S2-052

Equifax - Apache Struts S2-052 Seguro que la mayoría, sino tod@s, habéis oído la noticia sobre la que hasta la fecha parace ser la mayor filtración de datos. Me refiero a Equifax, una de las tres empresas en EEUU que se encargan de monitorizar el crédito o la solvencia de los habitantes de dicho país. El problema incluso ha ido más haya de EEUU, y también se han visto comprometidos datos de argentinos (por distintos motivos), canadienses y del Reino Unido.
Leer más

Máquina Virtual Vulnerable Con Docker

Vulnerable Docker VM Si no has vivido bajo una roca en los últimos años, además de que Donald Trump es presidente de los EEUU, también habrás oído sobre Docker. De hecho, aquí en el blog ya hemos hablado varias veces sobre éste. Docker ha recibido muchas críticas desde la comunidad de seguridad. Además de correr como root, Docker también permite que los contenedores interactúen con el host, y esto supone un gran riesgo.
Leer más

Under The Wire

Under the wire Over The Wire es un sitio web muy popular el cual hospeda varios wargames para practicar conceptos de seguridad, y sean desde una consola en sistemas Linux, web, explotación. etc. Basado en este mismo concepto, pero enfocado específicamente a Powershell, existe otro sitio web llamado Under The Wire. En éste puedes actualmente econtrar cuatro wargames, cada uno con 15 fases: Century Cyborg Oracle Trebek Un sitio ideal para practicar tus habilidades de seguridad con Powershell.
Leer más

Material De Usenix Security 17, sesiones técnicas y talleres

Hace una semana se celebró en Canadá la conferencia “académica” sobre ciber seguridad Usenix junto a un puñado de talleres. Todo el material está disponible de forma gratuita para descarga de ambos eventos: Sesiones Técnicas y Talleres. Aquí tenéis la lista completa de las charlas y sus correspondientes enlaces: Sesiones técnicas de Usenix Security ‘17 When Your Threat Model Is “Everything”: Defensive Security in Modern Newsrooms Erinn Clark, Lead Security Architect, First Look Media/The Intercept How Double-Fetch Situations turn into Double-Fetch Vulnerabilities: A Study of Double Fetches in the Linux Kernel Paper Slides Postmortem Program Analysis with Hardware-Enhanced Post-Crash Artifacts Paper Ninja: Towards Transparent Tracing and Debugging on ARM Paper Slides Prime+Abort: A Timer-Free High-Precision L3 Cache Attack using Intel TSX Paper On the effectiveness of mitigations against floating-point timing channels Paper Slides Constant-Time Callees with Variable-Time Callers Paper Slides Neural Nets Can Learn Function Type Signatures From Binaries Paper CAn’t Touch This: Software-only Mitigation against Rowhammer Attacks targeting Kernel Memory Paper Efficient Protection of Path-Sensitive Control Security Paper Digtool: A Virtualization-Based Framework for Detecting Kernel Vulnerabilities Paper kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Paper Venerable Variadic Vulnerabilities Vanquished Paper Towards Practical Tools for Side Channel Aware Software Engineering: ‘Grey Box’ Modelling for Instruction Leakages Paper Slides Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory Paper Slides CacheD: Identifying Cache-Based Timing Channels in Production Software Paper An Ant in a World of Grasshoppers Ellen Cram Kowalczyk, Microsoft From Problems to Patterns to Practice: Privacy and User Respect in a Complex World Lea Kissner, Google BinSim: Trace-based Semantic Binary Diffing via System Call Sliced Segment Equivalence Checking Paper PlatPal: Detecting Malicious Documents with Platform Diversity Paper Slides Malton: Towards On-Device Non-Invasive Mobile Malware Analysis for ART Paper Global Measurement of DNS Manipulation Paper Characterizing the Nature and Dynamics of Tor Exit Blocking Paper DeTor: Provably Avoiding Geographic Regions in Tor Paper SmartAuth: User-Centered Authorization for the Internet of Things Paper AWare: Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings Paper Slides 6thSense: A Context-aware Sensor-based Attack Detector for Smart Devices Paper Identifier Binding Attacks and Defenses in Software-Defined Networks Paper HELP: Helper-Enabled In-Band Device Pairing Resistant Against Signal Cancellation Paper Attacking the Brain: Races in the SDN Control Plane Paper Detecting Credential Spearphishing in Enterprise Settings Paper SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data Paper When the Weakest Link is Strong: Secure Collaboration in the Case of the Panama Papers Paper Slides Hacking in Darkness: Return-oriented Programming against Secure Enclaves Paper vTZ: Virtualizing ARM TrustZone Paper Slides Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing Paper AuthentiCall: Efficient Identity and Content Authentication for Phone Calls Paper Picking Up My Tab: Understanding and Mitigating Synchronized Token Lifting and Spending in Mobile Payment Paper Slides TrustBase: An Architecture to Repair and Strengthen Certificate-based Authentication Paper Transcend: Detecting Concept Drift in Malware Classification Models Paper Syntia: Synthesizing the Semantics of Obfuscated Code Paper Predicting the Resilience of Obfuscated Code Against Symbolic Execution Attacks via Machine Learning Paper Differential Privacy: From Theory to Deployment Abhradeep Guha Thakurta, University of California, Santa Cruz OSS-Fuzz - Google’s continuous fuzzing service for open source software Slides Kostya Serebryany, Google Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies Paper CCSP: Controlled Relaxation of Content Security Policies by Runtime Policy Composition Paper Same-Origin Policy: Evaluation in Modern Browsers Paper Locally Differentially Private Protocols for Frequency Estimation Paper BLENDER: Enabling Local Search with a Hybrid Differential Privacy Model Paper Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More Paper BootStomp: On the Security of Bootloaders in Mobile Devices Paper Slides Seeing Through The Same Lens: Introspecting Guest Address Space At Native Speed Paper Oscar: A Practical Page-Permissions-Based Scheme for Thwarting Dangling Pointers Paper PDF Mirage: Content Masking Attack Against Information-Based Online Services Paper Loophole: Timing Attacks on Shared Event Loops in Chrome Paper Game of Registrars: An Empirical Analysis of Post-Expiration Domain Name Takeovers Paper Speeding up detection of SHA-1 collision attacks using unavoidable attack conditions Paper Phoenix: Rebirth of a Cryptographic Password-Hardening Service Paper Vale: Verifying High-Performance Cryptographic Assembly Code Paper Exploring User Perceptions of Discrimination in Online Targeted Advertising Paper Measuring the Insecurity of Mobile Deep Links of Android Paper How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security Paper Towards Efficient Heap Overflow Discovery Paper DR.
Leer más

Documentación Interna De Los Sims

Los Sims Los Sims es una serie de vídeojuegos de simulación social. Inicialmente fue desarrollado por una empresa llamada Maxis (subsidaria de EA) y publicado por EA (Eletronic Arts). El primero de la serie fue lanzado en el año 2000. Desde entonces, Los Sims batió todo tipo de records de venta y se convirtió en uno los vídeojuegos más influenciales de la época. Don Hopkins, quién después de pasar por Sun Microsystems, fue uno de los componentes que participaron en el desarrollo de dicho vídeojuego, tiene recopilado en su sitio web personal un gran número de documentos internos (y en su día confidenciales) sobre el desarrollo de Los Sims.
Leer más

Taller de análisis de malware, segunda parte

Malware Unicorn Este nuevo taller de análisis de malware es una continuación de otro taller de introducción del cual ya hablamos anteriormente aquí. Titulado como: Reverse Engineering Malware 102, Amanda Rousseau, nos guía a través del proceso de análisis de malware REAL. Con este taller aprenderás a analizar binarios Delphi, técnicas de evasión usadas por malware real para complicarnos la vida a la hora hacer uso de la ingeniería inversa. También aprenderamos a usar el motor Unicorn e identificar técnicas de compresión no comunes.
Leer más

Presentaciones de DEF CON 25

DEF CON 25 Pues ahora le toca el turno a DEF CON, en este caso la edición 25 que se acaba de celebrar y ya tienes también acceso a las presentaciones: 5A1F/ 5A1F-Demystifying-Kernel-Exploitation-By-Abusing-GDI-Objects-WP.pdf 5A1F-Demystifying-Kernel-Exploitation-By-Abusing-GDI-Objects.pdf Cheng Lei/ Cheng-Lei-The-Spear-to-Break-the-Security-Wall-of-S7CommPlus-WP.pdf Cheng-Lei-The-Spear-to-Break-the-Security-Wall-of-S7CommPlus.pdf Denton Gentry/ Denton-Gentry-I-Know-What-You-Are-By-The-Smell-Of-Your-Wifi-WP.pdf Denton-Gentry-I-Know-What-You-Are-By-The-Smell-Of-Your-Wifi.pdf Dimitry Snezhkov/ Dimitry Snezhkov - Extras/ Dimitry-Snezhkov-Abusing-Web-Hooks.pdf Dor Azouri/ Dor-Azouri-BITSInject-WP.pdf Dor-Azouri-BITSInject.pdf Duncan Woodbury and Nicholas Haltmeyer/ Woodbury-and-Haltmeyer-Linux-Stack-Based-V2X-Framework-Hack-Connected-Vehicles-WP.
Leer más

Presentaciones de Black Hat USA 2017

BlackHat 2017 Ya están disponible las presentaciones de Black Hat USA 2017: Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone ‘Ghost Telephonist’ Link Hijack Exploitations in 4G LTE CS Fallback Yuwei-Ghost-Telephonist-Link-Hijack-Exploitations-In-4G-LTE-CS-Fallback.pdf (in)Security in Building Automation: How to Create Dark Buildings with Light Speed Brandstetter-insecurity-In-Building-Automation-How-To-Create-Dark-Buildings-With-Light-Speed.pdf Brandstetter-insecurity-In-Building-Automation-How-To-Create-Dark-Buildings-With-Light-Speed-wp.pdf A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!
Leer más