0XC0FFEE JHB
0XC0FFEE JHB
  • 21
  • 8 086
GIT Your Secrets - Isak van der Walt | 0xCON 2023
The talk covers three primary aspects:
- A technical overview of how the git version control tool works.
- Some inherent and typical security issues related to git.
- Prevention and resolution of the prior demonstrated issue.
This talk does not contain any "new" research but rather just a full presentation of the git internals, the known inherent vulnerabilities and their resolution - all of which have been previously documented.
The first section aims to provide an overview for people not familiar with git, before diving into the building block - so called "plumbing" - tools utilized by git to perform its version control. This serves to provide a better understanding for the vulnerabilities as well as how to better utilize git.
The second section covers inherent vulnerabilities such as lack of author validation and secrets in version control histories, some of which will be accompanied with a basic demonstration. This also provides a baseline for what to look for from a defender's perspective
Finally the preventative measures and resolutions will be covered to address the aforementioned issues. Some simple measures in addition to the knowledge of the vulnerabilities can vastly reduce most of the surface area and risk associated with the covered vulnerabilities.
Переглядів: 93

Відео

Hacking for Humanity - Matthew Hughes | 0xCON 202338:30Hacking for Humanity - Matthew Hughes | 0xCON 2023
Hacking for Humanity - Matthew Hughes | 0xCON 2023
Переглядів 3589 місяців тому
Have you ever tried your hand at GeoGuessr, the online game that challenges you to guess your location from random street views? In my talk, I'll unveil the surprising connections between the problem-solving skills used in this game and the world of hacking and cybersecurity. My journey started with GeoGuessr, where I noticed how similar the way we think during the game is to the thought proces...
This Wide World of Consent - Jonathon Everatt | 0xCON 202337:26This Wide World of Consent - Jonathon Everatt | 0xCON 2023
This Wide World of Consent - Jonathon Everatt | 0xCON 2023
Переглядів 10010 місяців тому
With the advent of cloud based technologies and identity management solutions; as well as the widespread adoption of these technologies by businesses and users has introduced new attack vectors that malicious actors can try abuse. One of these is a new type of phishing, called consent phishing. In Consent Phishing, an attacker-controlled application requests dangerous or sensitive permissions o...
Noooooooooo touch! - Michael Rodger | 0xCON 202351:51Noooooooooo touch! - Michael Rodger | 0xCON 2023
Noooooooooo touch! - Michael Rodger | 0xCON 2023
Переглядів 33210 місяців тому
A few years ago, a new addition to the standard lineup of access control equipment quietly appeared - the humble “No touch” sensor. These mostly replaced physical buttons, the typical use case being letting yourself out from the “inside”, where the “outside” would have some form of control such as a keypad, RFID scanner, biometrics, etc. Naturally if you were already inside, you wouldn’t have t...
ed2root - how ancient IPC mechanisms can help you today - Connor du Plooy | 0xCON 202310:48ed2root - how ancient IPC mechanisms can help you today - Connor du Plooy | 0xCON 2023
ed2root - how ancient IPC mechanisms can help you today - Connor du Plooy | 0xCON 2023
Переглядів 13710 місяців тому
This talk will go over how I found a vulnerability in a text editor on MacOS. Other variants of this vulnerability have been identified in other packages as well, and even though the APIs used by these packages have been deprecated for a really long time, it is still around in some software. The vulnerable component is exposed over IPC, so the talk will be broken down in to the following sectio...
Let the Children play - Leveraging AD CS for persistence and profit - Tinus Green | 0xCON 202339:44Let the Children play - Leveraging AD CS for persistence and profit - Tinus Green | 0xCON 2023
Let the Children play - Leveraging AD CS for persistence and profit - Tinus Green | 0xCON 2023
Переглядів 13710 місяців тому
In 2021, Active Directory Certificate Services (AD CS) came under scrutiny because of the opportunities it provides attackers for credential theft, domain and forest privilege escalation, and persistence. Since then, it has become a household name for red and blue teams alike. Unintended consequences and additional attack avenues are continually being discovered. This talk will cover new discov...
Keynote: Your Contributions, Today - Leon Jacobs | 0xCON 202334:51Keynote: Your Contributions, Today - Leon Jacobs | 0xCON 2023
Keynote: Your Contributions, Today - Leon Jacobs | 0xCON 2023
Переглядів 42110 місяців тому
Keynote: Your Contributions, Today - Leon Jacobs | 0xCON 2023
Pentesting Cloud... How? An introduction into Azure Pentesting - Javan Mnjama | 0xcon 202245:40Pentesting Cloud... How? An introduction into Azure Pentesting - Javan Mnjama | 0xcon 2022
Pentesting Cloud... How? An introduction into Azure Pentesting - Javan Mnjama | 0xcon 2022
Переглядів 45711 місяців тому
With the growth of cloud computing and the adoption of cloud. Security professionals are slowing being pushed from the traditional approach of pentesting and adapting in finding new techniques for cloud penetration testing. This talk will focus on a brief introduction into performing a penetration assessment against an Azure environment using the cyber attack kill chain from a cloud perspective...
Beyond String Theory: Symbolically Enhanced Reverse Engineering - Keith Makan40:13Beyond String Theory: Symbolically Enhanced Reverse Engineering - Keith Makan
Beyond String Theory: Symbolically Enhanced Reverse Engineering - Keith Makan
Переглядів 3052 роки тому
Reverse engineering software from binary executable forms remains a key challenge in morder software analysis. Common techniques include running good old strings or grep and hoping for the best before trying to derive control flow graphs, call stacks and resolve cross references via complex disassembly frameworks. Beyond cursory string inspection, symbolic execution gives us the power to emulat...
Attack and Defense techniques with kubernetes - Vignesh C22:46Attack and Defense techniques with kubernetes - Vignesh C
Attack and Defense techniques with kubernetes - Vignesh C
Переглядів 3712 роки тому
In modern day environment blue team had to face lot of issues with container security, This talk aims to address the overall summary of Kubernetes security and common mitre matrix scenarios, It also explains how to implement end to end fully hardened environment which will help to securely monitor the cloud and containers. About Vignesh: Vigneshc, He has a few security hall of fames and a few C...
Assless Chaps: a novel combination of prior work to crack MSCHAPv2 - Dominic White & Michael Kruger40:05Assless Chaps: a novel combination of prior work to crack MSCHAPv2 - Dominic White & Michael Kruger
Assless Chaps: a novel combination of prior work to crack MSCHAPv2 - Dominic White & Michael Kruger
Переглядів 942 роки тому
Cracking intercepted MSCHAPv2 challenge/response pairs from Wi-Fi or VPN attacks has long been known to be possible. However, unless the underlying cleartext password was common, this can take frustratingly long. Especially, for at-the-same-time attacks like the auto-crack-and-add we proposed in 2014 (1). We’ll combine some prior work and release tooling to show how even extremely large hashlis...
Why the Options Pattern is Great for Security - Dima Kotik43:25Why the Options Pattern is Great for Security - Dima Kotik
Why the Options Pattern is Great for Security - Dima Kotik
Переглядів 312 роки тому
Secure coding and functional programming are rarely mentioned in the same sentence. What if by applying a functional programming construct, we could write more secure code? Enter the Options Pattern, a hidden gem in securing your approach to object initialization. The options pattern is a modern object initialization idiom. It involves writing a set of second-order functions returning options t...
2021 Year in Review: The year of the Supply Chain - Jared Naude47:352021 Year in Review: The year of the Supply Chain - Jared Naude
2021 Year in Review: The year of the Supply Chain - Jared Naude
Переглядів 1862 роки тому
Looking back at events that have taken place for lessons that can be learned is an important ingredient to enable forward insight, especially in the cyber security space. In this talk, I will go through the various security news, events and incidents of note that occurred in 2021 while adding some commentary and analysis from myself. This will primarily focus on the various supply chain attacks...
Unlocking KeeLoq - Rogan Dawes44:44Unlocking KeeLoq - Rogan Dawes
Unlocking KeeLoq - Rogan Dawes
Переглядів 3,1 тис.2 роки тому
KeeLoq Remote Keyless Entry systems make use of radio frequency transmissions to operate and have many known weaknesses. This presentation is a journey into bringing existing research together with manufacturer documentation to make implementing a complete Keeloq solution practical, ultimately repurposing a commercial receiver as part of a home automation system integration project. I will demo...
How to install Doom on a Mars Rover | Gerard de Jong47:25How to install Doom on a Mars Rover | Gerard de Jong
How to install Doom on a Mars Rover | Gerard de Jong
Переглядів 1523 роки тому
How to install Doom on a Mars Rover | Gerard de Jong
PEpewpew, reverse engineering without reverse engineering | James Stephenson32:08PEpewpew, reverse engineering without reverse engineering | James Stephenson
PEpewpew, reverse engineering without reverse engineering | James Stephenson
Переглядів 1713 роки тому
PEpewpew, reverse engineering without reverse engineering | James Stephenson
OSINT: The gateway drug your mother never told you about | Charles Wroth32:00OSINT: The gateway drug your mother never told you about | Charles Wroth
OSINT: The gateway drug your mother never told you about | Charles Wroth
Переглядів 1153 роки тому
OSINT: The gateway drug your mother never told you about | Charles Wroth
2020: A Retrospective - Jared Naude58:232020: A Retrospective - Jared Naude
2020: A Retrospective - Jared Naude
Переглядів 1263 роки тому
2020: A Retrospective - Jared Naude
Modern attacks against routing protocols |T yron Kemp & Szymon Ziolkowski36:30Modern attacks against routing protocols |T yron Kemp & Szymon Ziolkowski
Modern attacks against routing protocols |T yron Kemp & Szymon Ziolkowski
Переглядів 543 роки тому
Modern attacks against routing protocols |T yron Kemp & Szymon Ziolkowski

КОМЕНТАРІ

  • @gabrielquiroz1149
    @gabrielquiroz1149 5 місяців тому

    Outstanding!

  • @frosty1433
    @frosty1433 8 місяців тому

    30:05 I am decoding a keeloq signal, but I’m not getting the serial number I expected. It thought it would be one of the numbers that are printed on a label on the back of the fob. Can anyone confirm or deny this?

  • @stephenlartiste671
    @stephenlartiste671 9 місяців тому

    Hi sir. Which certs can someone takes to become a Azure Pentester, being an OSCP certified?

  • @nighmare.2kytrewq337
    @nighmare.2kytrewq337 10 місяців тому

    nice

  • @timkatsapas
    @timkatsapas 10 місяців тому

    Awesome talk. I just dealt with these findings on a client, the remediation isn't fun at all. One note, we must treat CAs the same as a DC on Tier0 - although ESC1 still can bypass most traditional tiering concepts.

  • @forxan
    @forxan 10 місяців тому

    An Excel table would be good to calculate the Keeloq by writing the Key, MF, Synchronism and obtaining the following frame.

  • @QuincyNtuli
    @QuincyNtuli 10 місяців тому

    This was a fantastic presentation. I enjoyed this very much.

  • @forxan
    @forxan 2 роки тому

    Hi everyone, I would like to be able to receive the signal from a controller with an HCS301 (MICROCHIP KeeLoq) in the transmitter and with a PICxxx or an ATMELxxx in the receiver. There is a library for ARDUINO about receiving the signal from an HCS301 and another to emit the signal from an HCS301, but I can't find it... I'm still looking. Greetings to all.

  • @forxan
    @forxan 2 роки тому

    I would like to make a KEELOQ receiver with ARDUINO (ATMEL) you share the project

  • @itsonlybrad2278
    @itsonlybrad2278 2 роки тому

    Great overview Jared, thank you!

  • @olderbadboy
    @olderbadboy 2 роки тому

    I was in the middle of a deep dive into conscience /AI/ electrically neutral particles/time travel / reverse engineer mix and i stumbled upon your channel. thank you for your work and i hope you get more views because you can inspire others to pursue similar interests and who knows who is our next Einstein. we need people to inspire people.

  • @Mike-vq3mj
    @Mike-vq3mj 2 роки тому

    Good presentation, thanks

  • @aaronschwartz1234
    @aaronschwartz1234 2 роки тому

    Hey! Great job on the channel. Have you ever thought of using Promo Sm to promote your videos??

  • @Byte5
    @Byte5 3 роки тому

    wow so much information great video.

  • @Noeth
    @Noeth 3 роки тому

    Thank you for a great conference!!