DEFCON 19: Hacking Google Chrome OS

  • desc

    DEFCON 19: Hacking Google Chrome OS

    45:49

    Speakers: Kyle 'Kos' Osborn, Application Security Specialist, WhiteHat Security | Matt Johansen, Application Security Specialist, WhiteHat Security

    Google recently announced Chrome OS powered computers, called Chromebooks, at Google I/O and the company is getting ready to market them to businesses as well as consumers. What's different about Chrome OS and Chromebooks, other than the entire user experience taking place exclusively in a Web browser (Google Chrome), is that everything takes place in the cloud. Email, document writing, calendaring, social networking - everything. From a security perspective this means that all website and Web browser attack techniques, such as Cross-Site Scripting, Cross-Site Request Forgery, and Clickjacking, have the potential of circumventing Chrome OS's security protections and exposing all of the user's data.

    Two members of WhiteHat Security's Threat Research Center, Matt Johansen and Kyle Osborn, have spent months hacking away on Google's Cr-48 prototype laptops. They discovered a slew of serious and fundamental security design flaws that, with no more than a single mouse-click, may victimize users by:

    • Exposing all user email, contacts, and saved documents.
    • Conducting high-speed scans of their intranet and revealing active host IP addresses.
    • Spoofing messages in their Google Voice account.
    • Taking over their Google account by stealing session cookies, and in some cases doing the same on other visited domains.

    While Chrome OS and Chromebooks have some impressive and unique security features, they are not all-encompassing. Google was informed of the findings, some vulnerabilities were addressed, and bounties were generously awarded, but many of the underlying weaknesses remain, including the ability for evil extensions to be easily made available in the WebStore, for payloads to go viral, and for JavaScript malware to survive reboot. With the cloud and web-based operating systems poised to make an impact on our computing future, Matt and Kyle are ready to share all their never-before-seen research through a series of on-stage demonstrations.

  • desc

    DEFCON 19: Hacking Google Chrome OS

    45:48

  • desc

    DEFCON 19 - Hacking Google ChromeOS

    45:49

    Hacking Google Chrome OS Speakers: Kyle 'Kos' Osborn - Application Security Specialist, WhiteHat Security Matt Johanson - Application Security Specialist, WhiteHat Security Google recently......

    This video is part of the Infosec Video Collection at SecurityTube.net: ...

  • desc

    DEFCON 19 Hacking Google Chrome OS

    45:49

    Hacking Google Chrome OS

    Speakers:
    Kyle 'Kos' Osborn - Application Security Specialist, WhiteHat Security
    Matt Johansen - Application Security Specialist, WhiteHat Security

    Kyle 'Kos' Osborn is a web application security specialist at WhiteHat Security. He competes as a Red Team member in the West Coast Collegiate Cyber Defense Competition and has also done work for the US Cyber Challenge by building a CTF for three of the Cyber Camps. Mr. Osborn has also released Open Source security tools to the information security community, notably Man Just Left of the Middle, which was featured in Dave Kennedy's Social Engineer Toolkit. He attended his first security conference at the age of 16 and was hooked. He firmly believes in sharing information and best practices throughout the security community to promote greater web security for all. He's a regular participant at conferences, including attending more than 20 security events in the last 4 years. Most recently he was a featured speaker at Toorcon Seattle, where he spoke about embedded HTML engines in desktop applications. Hacker by day, hacking harder by night. Living in the danger zone.
    Twitter: @theKos

    Matt Johansen is an application security specialist at WhiteHat Security where he oversees assessments on more than 250 web applications for many Fortune 500 companies across a range of technologies such as PHP, .NET, Ruby on Rails, and Flash. He was previously a consultant for VerSprite, where he was responsible for performing network and web application penetration tests. Mr. Johansen is also a professor of Web Application Security at Adelphi University and San Jose State University. He recently was part of the cut-score panel for the SANS certification by the GIAC and is the 29th person worldwide to achieve this certification. He holds a Bachelor of Science in Computer Science from Adelphi University.
    Twitter: @mattjay

  • desc

    DEFCON 19 Hacking Google Chrome OS

    45:49

  • desc

    DEFCON 19 Hacking Google Chrome OS

    14:46

  • desc

    DEFCON 19 Hacking Google Chrome OS

    45:49

  • desc

    DEFCON 19: Hacking MMORPGs for Fun and Mostly Profit

    50:43

    Speaker: Josh Phillips Senior Malware Researcher

    Online games, such as MMORPGs, are the most complex multi-user applications ever created. The security problems that plague these games are universal to all distributed software systems. Online virtual worlds are eventually going to replace the web as the dominant social space on the 'Net, as Facebook apps have shown, and this is big business. MMORPG game security is very important to game studios and players, yet bots and exploits continue to infest all major MMORPGs. The creators and maintainers of the next generation of MMORPGs will need to understand software security from the ground up or face failure. The problem extends from software bugs such as item or money duplication, to mechanical exploitation such as botting, which leads to economic forces and digital identity theft. There is upwards of a billion dollars at stake, for both game hackers and game operators. Both Josh and Kuba have explored game hacking from both sides, and this talk presents a pragmatic view of both threats and defenses.

  • desc

    DEFCON 19: Hacking Your Victims Over Power Lines

    30:21

    Speaker: Dave Kennedy (ReL1K)

    When performing penetration tests on the internal network in conjunction with physical pentests, you're always concerned about being located. Let's remove that barrier and perform your pentests over power lines and never be detected. In this presentation we'll cover how you can perform full penetration tests over the power lines and hack into home automation systems. Home automation has been gaining momentum not only in small homes but in large companies and organizations. There's a huge variety of solutions out there, both open-source and proprietary, that provide these solutions to your homes and businesses. Home automation gives us several things, for example full-fledged 85 Mbps networks, security systems, lights, windows, HVAC, doors, and cameras, and they are all generally done through the power lines or through short-wave wireless communications. So let's break it... During this presentation we'll be going over the non-existence of security over these devices, show proof of concept demonstrations on hacking these devices, and while we're at it, demonstrate how to disable all security mechanisms that use the different protocols like X10.

  • desc

    BlackHat 2011 - Hacking Google ChromeOS

    55:40

  • desc

    DEFCON 19: Introduction to Tamper Evident Devices

    52:43

    datagram Lockwiki.com

    Tamper evident technologies are quickly becoming an interesting topic for hackers around the world. DEF CON 18 (2010) held the first ever Tamper Evident contest, where contestants were given a box sealed with a variety of tamper evident devices, many of which purport to be tamper proof. All of these devices were defeated, even by those with little experience and a limited toolkit. Like the computer world, many of these devices are overmarketed and it is difficult for the average person to compare different tamper evident technologies.

    This talk covers the design and uses of tamper evident devices used in the commercial and government sectors. We'll dig into the nitty gritty of how many of these devices work, the methods by which they can be defeated, and live demonstrations of defeats against common tamper evident devices. Be advised: this talk is for only the stealthiest of ninjas; pirates need not apply.

  • desc

    DEFCON 19: Hacking .Net Applications: The Black Arts

    48:41

    Speaker: Jon McCoy DigitalbodyGuard

    This presentation will cover the Black Arts of making Cracks, KeyGens, Malware, and more. The information in this presentation will allow a .NET programmer to do unspeakable things to .NET applications. I will cover the life cycle of developing such attacks and overcoming common countermeasures to stop such attacks. New tools to assist in the attacks will be supplied. This presentation will focus on C# but applies to any application based on the .NET framework.

  • desc

    DEFCON 19: Hacking and Forensicating an Oracle Database Server

    46:59

    Speaker: David Litchfield

    David Litchfield is recognized as one of the world's leading authorities on database security. He is the author of Oracle Forensics, the Oracle Hacker's Handbook, the Database Hacker's Handbook and SQL Server Security and is the co-author of the Shellcoder's Handbook. He is a regular speaker at a number of computer security conferences and has delivered lectures to the National Security Agency, the UK's Security Service, GCHQ and the Bundesamt für Sicherheit in der Informationstechnik in Germany.

  • desc

    DEFCON 19: Dont Drop the SOAP: Real World Web Service Testing for Web Hackers

    49:53

    Speakers: Tom Eston Senior Security Consultant, SecureState | Josh Abraham Senior Security Consultant, Rapid7 | Kevin Johnson Security Consultant and Founder, Secure Ideas

    Over the years web services have become an integral part of web and mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. Unfortunately, penetration testers haven't kept up with the popularity of web services, recent advancements in web service technology, testing methodologies and tools. In fact, most of the methodologies and tools currently available either don't work properly, are poorly designed or don't fully test for real world web service vulnerabilities. In addition, environments for testing web service tools and attack techniques have been limited to home grown solutions or worse yet, production environments.

    In this presentation Tom, Josh and Kevin will discuss the new security issues with web services and release an updated web service testing methodology that will be integrated into the OWASP testing guide, new Metasploit modules and exploits for attacking web services, and an open source vulnerable web service for the Samurai-WTF (Web Testing Framework) that can be used by penetration testers to test web service attack tools and techniques.

  • desc

    DEFCON 19: Hacking and Securing DB2 LUW Databases

    38:02

    Speaker: Alexander Kornbrust CEO of Red-Database-Security GmbH

    DB2 for Linux, Unix and Windows is one of the databases for which only a little information about security problems is available. Nevertheless, DB2 LUW is installed in many corporate networks and, if not hardened properly, could be an easy target for attackers. In many aspects DB2 is different from other databases, starting at the user management (normally no user/passwords in the database) to the privilege concept.

    With the latest versions, DB2 LUW became more and more similar to Oracle (views, commands, concepts to make more stuff query-able from the database) and even allows running PLSQL code from Oracle databases. IBM is also cloning the insecure configuration from Oracle by granting a lot of the PLSQL packages to public.

    This talk will give a quick introduction to the DB2 architecture, differences from other relational database systems and the most common DB2 configuration problems.

    A list of available exploits and typical pentester questions (how can I run OS commands, how can I access the network or file system) will also be covered.

    This talk will also demonstrate SQL injection in stored procedure code inside of the database (SQL/PL and PL/SQL), how to find, exploit and fix it.

    The last part covers the hardening of DB2 databases.

  • desc

    DEFCON 19: Hacking the Global Economy with GPUs or How I Learned to Stop Worrying and Love Bitcoin

    19:59

    Speaker: Skunkworks

    In the post 9/11 era when it's nearly impossible to buy a pack of gum without alerting the big three credit bureaus, you may think that anonymity is long gone from the economy. That's where bitcoin comes in. Bitcoin is a decentralized peer-to-peer currency based solely on computing power. It is (mostly) untraceable and highly anonymous, not backed by any banks or companies, and in the words of Jason Calacanis the most dangerous project we've ever seen. In my talk I'll explain what bitcoin is and isn't, and why this 70+ PetaFLOP network has caught the attention of everyone from The Washington Post and MSNBC to Wikileaks and the EFF.

  • desc

    hacking

    8:55

    Recorded with ScreenCastify, the screen video recorder for Chrome

  • desc

    How Much RAM Do You Need? Block Thumbdrive Attacks, Smart Lock Hacks, Sideclick, FLIRC & Harmony!

    24:42

    Today's topics:
    01:28 Block Thumbdrive Hacks
    @GeneComer tweets “any suggestions on methods to check thumb drives which came from uncertain sources like a trade show?” Sure! We talk Rubber Duckies, VMs, burner PCs, hitting CTRL, and when it's time to kill that flash drive with FIRE in the video!

    07:32 3 Things We're Excited To See At DEFCON!
    What are we looking forward to at DEFCON 2016? Picking Bluetooth Low Energy Locks from a Quarter Mile Away, the Mr. Robot Panel, Ingress Egress (ie getting hacked via Pokemon Go), Blue Hydra, and Attacking Network Infrastructure to Generate a 4 Tb/s DDoS for $5... find out why in the video!

    12:58 How Much RAM for Chromebook, Windows, OS X?
    @garfnodie tweets, “@patricknorton Would running Android apps be a good reason to get a Chromebook with 4Gb of RAM instead of 2Gb?” We talk RAM for Chrome, the minimum (and what you should run) for Windows and OS X, The Great Suspender, and why Techspot says 16GB is overkill for almost any Windows user in the show!

    17:31 FLIRC, Harmony, Sideclick: Replacing A Dead Remote
    The remote that came with Ant’s Nexus Player died, and he emailed us: “I really don't like using my phone to control it as I have to wake/unlock my phone every time. I am having trouble finding a replacement though. I am so confused with all the options I have found; sideclicker, flirc, firetv remote, and the really expensive harmony hub.” We walk through all these options (and why you might want 'em for any box) in the show!

    22:51 Do Something Analog!
    And remember ... once in a while... put down the phone, step away from the screen, close the laptop... and do something analog, like explore a beach and find REALLY TINY FROGS!!!

  • desc

    Hacking Google Chrome OS

    43:08

  • desc

    How To Get Google Chrome OS

    3:28

    This video shows you two different ways for installing Chrome OS by Google without harming your current computer settings. The links below are used in the video:
    Win32 Image Writer
    ChromiumOS Cherry
    VirtualBox

  • desc

    Google Chrome OS 19 new UI

    2:31

    Google Chrome OS
    version 19.0.1084.17 dev
    acer Chromebook AC700-1099

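    With this update, the Chrome OS interface has changed significantly.
    A desktop screen has been added, and a shelf has been added at the bottom. All of the various web applications appear to be housed in the shelf.
    In addition, Bluetooth now works properly. In this video I am operating it with a mouse connected over Bluetooth.

    Beyond that, it also feels as though performance has become snappier.
    Because this was filmed directly with a camera, please excuse the picture and sound quality.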

  • desc

    DEFCON 19: Battery Firmware Hacking

    49:06

    Speaker: Charlie Miller Principal Research Consultant, Accuvant Labs

    Ever wonder how your laptop battery knows when to stop charging when it is plugged into the wall, but the computer is powered off? Modern computers are no longer just composed of a single processor. Computers possess many other embedded microprocessors. Researchers are only recently considering the security implications of multiple processors, multiple pieces of embedded memory, etc. This paper takes an in depth look at a common embedded controller used in Lithium Ion and Lithium Polymer batteries, in particular, this controller is used in a large number of MacBook, MacBook Pro, and MacBook Air laptop computers.

    In this talk, I will demonstrate how the embedded controller works. I will reverse engineer the firmware and the firmware flashing process for a particular smart battery controller. In particular, I will show how to completely reprogram the smart battery by modifying the firmware on it. Also, I will show how to disable the firmware checksum so you can make changes. I present a simple API that can be used to read values from the smart battery as well as reprogram the firmware. Being able to control the working smart battery and smart battery host may be enough to cause safety issues, such as overcharging or fire.

  • desc

    BlackHat 2011 - Macs in the Age of APT

    1:10

  • desc

    $ 60,000 for hacking into Google Chrome

    2:48

    Russian student Sergey Glazunov received 60,000 dollars for breaking the Google Chrome browser. It happened at an international conference in Vancouver dedicated to computer security. It is white-hat hackers such as Sergey who reveal vulnerabilities in software.

  • desc

    Hacking ROBLOX with Google Chrome for ROBUX and Tickets

    3:58

    It's not really hacking. If you finish early reading the dialogue, skip ahead in the tutorial to 1 minute and 13 seconds, give or take 5 seconds.

  • desc

    Google Chrome Hacked !!! bilisimevreni.com

    45

    Finally, VUPEN, a security research firm, seems to have gotten in and out of the Google Chrome sandbox with ease.

    The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox (and without exploiting a Windows kernel vulnerability), it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64).

    The attack was carried out on Google Chrome v11.0.696.65 on a Windows 7 64 bit system. This attack exploits the Chrome sandbox and successfully downloads a sample calculator program on your computer. This calculator can of course be any other malicious EXE file if you are a cracker. The guys at VUPEN have refused to release any code for the hack, though they have decided to share it with the Government.

  • desc

    Hacking App Google Chrome

    7:24

    HACKING App Chrome Name Of App: Haxor


  • desc

    Defcon 15 - Hacking the EULA: Reverse Benchmarking Web Application Security Scanners

    48:47

    This video is part of the Infosec Video Collection at SecurityTube.net.


    Each year thousands of work hours are lost by security practitioners as time is spent sorting through web application security reports and separating out erroneous vulnerability data. Individuals must currently work through this process in a vacuum, as there is no publicly available information that is helpful. Restrictive EULAs (End User License Agreements) prohibit examining a signature code-base for common errors or signature flaws. Due to the latter point, a chilling effect has discouraged public research into the common types of false positives that existing commercial technologies are prone to exhibit.

    Reverse Benchmarking is a new species of reverse engineering that involves running a security solution against an application designed to solicit false positives. Unlike testing scenarios that emphasize gathering valid or accurate data, Reverse Benchmarking involves exposing architectural or logical flaws within a web application scanner by employing techniques to trick simple rule-based mechanisms. Running a scanner against a Reverse Benchmark target quickly reveals faulty rules, flawed testing logic, or poorly written or implemented security testing procedures. Additionally, a Reverse Benchmarking application will expose patterns in the propensity of a scanner to report false results, making it easier to spot false positives when they occur in the future.

    Reverse Benchmarking opens up new opportunities for studying and improving existing web application security technology by exposing common faults in testing logic that are often the culprit of massive false positives. In turn this facilitates research into a taxonomy of general false positive types, ideally, a schema for mapping particular security tests to a common, generic language. This can provide a framework around which public discussion, research, and documentation of such flaws can occur without violating EULA agreements. We will also discuss the formation of an open community initiative centered around the use of Reverse Benchmarking to study false positive types.

  • desc

    Defcon 18 - Hacking Facebook Privacy

    29:54

    This video is part of the Infosec Video Collection at SecurityTube.net.


    Facebook's privacy issues are numerous and well-documented, from software glitches to decisions that take control away from users. Despite that, it is a still-growing force in the modern Internet and is currently trying to position itself as the gateway to the social Web for its 500 million users. What can we, as hackers, do to protect the privacy of those millions? This panel walks through a few existing projects that apply software skills to the privacy challenges that Facebook presents, from working within the system using Facebook's Platform API to adding a layer to the system with browser extensions to presenting a robust open-source alternative to the whole Facebook platform. We'll discuss how these different tools fit into various strategies to alter or replace Facebook's existing privacy regime and what other approaches might be successful in protecting privacy on Facebook and other user networks.

  • desc

    Defcon 18 - Hardware Hacking for software guys - Dave King

    46:30

  • desc

    Defcon 18 - WiMax Hacking 2010 - Pierce Goldy a Smig Sanitybit - Part .mov

    45:11

    Defcon 18

  • desc

    DEFCON 17- Hacking WITH the iPod Touch.mp4

    42:31

  • desc

    Defcon 14 12 Valsmith and Quist Hacking Malware

    44:08

  • desc

    DEFCON 20 Hacking Humanity Human Augmentation and You

    47:57




  • desc

    DEF CON 16 - Greg Conti: Could Googling Take Down a President?

    42:44

    DEF CON 16 - Greg Conti: Could Googling Take Down a President, a Prime Minister, or an Average Citizen?
    Every time we use the web, we disclose tremendous amounts of information to ISPs, Internet backbone providers, and online companies; information that will be shared and data mined, but rarely discarded. Email addresses, phone numbers, aggregated search queries, cookies, IP addresses - any unique feature of our behavior provides a mechanism to link, profile, and identify users, groups, and companies. From these revelations all aspects of our daily lives emerge, including our activities, locations, and social networks. Making matters worse, ubiquitous advertising networks, dominant online companies, complicit network providers, and popular web analytic services possess the ability to track, and in some cases, eavesdrop on and modify our online communications.

    The AOL dataset debacle and subsequent public outrage illustrated one facet of the problem - Search. This talk covers all aspects of the problem, including end user computers, network providers, online companies, and advertising networks. It also includes countermeasures to help protect your personal and organizational privacy. It is important to note that the research presented is the inverse of Google Hacking, which strives to retrieve sensitive information from the databases of search engines. This talk instead focuses on what information online companies can pull from you, as well as what network providers can see and modify. The long-term implications of web-based information disclosure are profound. Interaction by interaction we are ceding power to ISPs and online companies, disclosures which may one day alter the course of elections, remove world leaders from power, or cause the outspoken citizen to disappear from the web.

    Greg Conti is an Assistant Professor of Computer Science at the United States Military Academy, West Point, NY. His research includes security data visualization and web-based information disclosure. He is the author of Security Data Visualization (No Starch Press) and the forthcoming Googling Security (Addison-Wesley). His work can be found at gregconti.com and rumint.org.


  • desc

    DEF CON 21 Presentation By ZOZ - Hacking Driverless Vehicles - Video and Slides

    49:08

    Hacking Driverless Vehicles by Zoz Cannytrophic Design

    Are driverless vehicles ripe for the hacking? Autonomous and unmanned systems are already patrolling our skies and oceans and being tested on our streets and highways. All trends indicate these systems are at an inflection point that will show them rapidly becoming commonplace. It is therefore a salient time for a discussion of the capabilities and potential vulnerabilities of these systems.

    This session will be an informative and light-hearted look at the current state of civil driverless vehicles and what hackers or miscreants might do to mess with them. Topics covered will include common sensors, decision profiles and their potential failure modes that could be exploited. With this talk Zoz aims to both inspire unmanned vehicle fans to think about robustness to adversarial and malicious scenarios, and to give the paranoid false hope of resisting the robot revolution. He will also present details of how students can get involved in the ultimate sports events for robot hacking, the autonomous vehicle competitions.

    Zoz is a robotics interface designer and rapid prototyping specialist. He is a co-founder of Cannytrophic Design in Boston and CTO of BlueSky in San Francisco. As co-host of the Discovery Channel show 'Prototype This!' he pioneered urban pizza delivery with robotic vehicles, including the first autonomous crossing of an active highway bridge in the USA, and airborne delivery of life preservers at sea from an autonomous aircraft. He also hosts the annual AUVSI Foundation student autonomous robot competitions such as Roboboat and Robosub.

  • desc

    Introduction to Digital Forensics: ChromeOS - Part 2 False Positives

    13:27

    False positives are particular issues which come up on compromised systems, as ours was here at our small office in Scarborough on the ChromeOS machine. The false positives highlighted on this particular system in this video were as follows:

    1 - Invalid system certificates
    2 - TPM initialization
    3 - Hacked devices (ELAN touchpad)
    4 - Persistent modules and APIs (Office and other extension)
    5 - Persistent Tor link
    6 - Persistence surviving reboot and re-installation from trusted USB media

    Note: For us to deal with this machine, we have informed the manufacturer of the device accordingly and will hand over this device for repair.

    For those affected by malware, it is good practice to first troubleshoot the issue (if you can), then re-install the system from trusted USB or DVD media (if available), and only then, if all else fails, to hand the hardware over to the product manufacturer.

    Malicious extensions and plugins are capable of installing API hooks, through which an attacker can then become capable of controlling and subverting the entire system, so please make sure that you download and install only trusted extensions and plugins.

    Reporting technical issues to ChromeOS developers forum:
    We strongly recommend that anyone affected by similar technical issues relating to ChromeOS immediately contact the Technical Support of the Operating System developer.

  • desc

    BlackHat 2011 - Pulp Google Hacking

    1:12:46

  • desc

    DEFCON 19: Bit-squatting: DNS Hijacking Without Exploitation

    45:14

    Speaker: Artem Dinaburg Security Researcher, Raytheon

    We are generally accustomed to assuming that computer hardware will work as described, barring deliberate sabotage. This assumption is mistaken. Poor manufacturing, errant radiation, and heat can cause malfunction. Commonly, such malfunction in DRAM chips manifests as flipped bits. Security researchers have known about the danger of such bit flips but these attacks have not been very practical. Thanks to ever-higher DRAM densities and the use of computing devices outdoors and in high-heat environments, that has changed. This presentation will show that far from being a theoretical nuisance, bit flips pose a real attack vector. First the presentation will describe bit-squatting, an attack akin to typo-squatting, where an attacker controls domains one bit away from a commonly queried domain (e.g. mic2osoft.com vs. microsoft.com). To verify the seriousness of the issue, I bit-squatted several popular domains, and logged all HTTP and DNS traffic. The results were shocking and surprising, ranging from misdirected DNS queries to requests for Windows updates. The presentation will show an analysis of 6 months of real DNS and HTTP traffic to bit-squatted domains. The traffic will be shown in terms of affected platform, domain queried, and HTTP resources requested. Using this data the presentation will also attempt to ascertain the cause of the bit-flip, such as corruption on the wire, in requestor RAM, or in the RAM of a third party. The presentation will conclude with potential mitigations of bit-squatting and other bit-flip attacks, including both hardware and software solutions. By the end I hope to convince the audience that bit-squatting, and other attacks enabled by bit-flip errors, are practical and serious, and should be addressed by software and hardware vendors.


  • desc

    Defcon 19: Charlie Miller - Battery Firmware Hacking

    49:01

    This video is part of the Infosec Video Collection at SecurityTube.net.



    Ever wonder how your laptop battery knows when to stop charging when it is plugged into the wall, but the computer is powered off? Modern computers are no longer just composed of a single processor. Computers possess many other embedded microprocessors. Researchers are only recently considering the security implications of multiple processors, multiple pieces of embedded memory, etc. This paper takes an in-depth look at a common embedded controller used in Lithium Ion and Lithium Polymer batteries; in particular, this controller is used in a large number of MacBook, MacBook Pro, and MacBook Air laptop computers.

    In this talk, I will demonstrate how the embedded controller works. I will reverse engineer the firmware and the firmware flashing process for a particular smart battery controller. In particular, I will show how to completely reprogram the smart battery by modifying the firmware on it. Also, I will show how to disable the firmware checksum so you can make changes. I present a simple API that can be used to read values from the smart battery as well as reprogram the firmware. Being able to control the working smart battery and smart battery host may be enough to cause safety issues, such as overcharging or fire.

    Charlie Miller is Principal Research Consultant at Accuvant Labs. He was the first with a public remote exploit for both the iPhone and the G1 Android phone. He won the CanSecWest Pwn2Own competition for the last four years. He has authored two information security books and holds a PhD from the University of Notre Dame.
    Twitter: @0xcharlie

  • desc

    Defcon 18 - Web Services we just dont need- Mike Bailey - Part .mov

    51:11

    Defcon 18

  • desc

    GOOGLE Hacking

    15:25

    Tips for special searches using GOOGLE.

  • desc

    Chrome OS - How to update your Chromebook

    51


  • desc

    Defcon 20 How to hack all the transport networks

    1:22:20

    Defcon 2012 How to hack all the transport networks of a country

  • desc

    News - NSA - Googles Email and Cloud Based Services Hacked - David Seaman

    2:26


  • desc

    Hacked Google

    2:13

    By jhacker

  • desc

    DEFCON 19: Amazingly True Stories of Real Penetration Tests

    42:44

    Speakers: Rob Havelt Director of Penetration Testing, Trustwave SpiderLabs | Wendel Guglielmetti Henrique Security Consultant, Trustwave SpiderLabs

    Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests brings the DEF CON 19 audience the most massive collection of weird, downright bizarre, freaky, and altogether unlikely hacks ever seen in the wild. This talk will focus on those complex hacks found in real environments — some in very high end and important systems, that are unlikely but true. Through stories and demonstrations we will take the audience into a bizarre world where odd business logic flaws get you almost free food [including home shipping], sourcing traffic from port 0 allows ownership of the finances of a nation, and security systems are used to hack organizations.

    The SpiderLabs team delivered more than 2300 penetration tests last year, giving us access to a huge variety of systems and services. We've collected a compendium of the coolest and oddest compromises from the previous year to present at DEF CON. Our goal is to show effective attacks and at the same time not the trivial ones that can be found by automated methods. By the end of this presentation we hope to have the audience thinking differently about systems and applications that organizations use every day, and how they may be used against them.

