parcomagic: security analysis of public terminals

14

PARCOMAGIC Security analysis of public terminals Denis Makrushin (@ difezza), Kaspersky Lab Stanislav Merzlyakov, Positive Technologies

Upload: denis-makrushin

Post on 05-Jul-2015

424 views

Category:

Technology

1 download

Report

Download

Embed Size (px):

DESCRIPTION

A video game called Watch Dogs offers a realistic view on our near future – our surroundings filled to the brim with digital devices, machines which accept and dispense cash, and a variety of other connected things ridden with all sorts of vulnerabilities, which a hacker can exploit. In the game, the main character successfully compromises a video surveillance system using a smartphone, gaining the ability to conduct surveillance and obtain additional information. The game’s fans are divided: some say this is too ‘dystopian’ – taking a smartphone and hacking into everything around you. Others are somewhat skeptical, saying that things really aren’t that great and the game world is in many ways a reflection of real life. Below, we argue that devices in parks and other public spaces, which we often pass without giving them a second thought, may be vulnerable and therefore dangerous, at least for our personal finances. ZeroNights 2014 is an international conference dedicated to the practical side of information security.

TRANSCRIPT

Page 1: Parcomagic: Security analysis of public terminals

PARCOMAGICSecurity analysis of public terminals

Denis Makrushin (@difezza), Kaspersky Lab

Stanislav Merzlyakov, Positive Technologies

https://twitter.com/difezza

Page 2: Parcomagic: Security analysis of public terminals

WATCH OUT! WATCHDOGS.

2

Page 3: Parcomagic: Security analysis of public terminals

Common usage terminals

Page 4: Parcomagic: Security analysis of public terminals

Life is a good teacher

Page 5: Parcomagic: Security analysis of public terminals

Methodic of Penetration testing

Virtual keyboard

Moving in Control panel

Arbitrary code execution

Windows Help or Desktop

Input Data fuzzing

Tap-fuzzing

Escape from the application

Fullscreen application

Calling the additional elements of the

system’s interface

Calling the undocumented features of

the application

Page 6: Parcomagic: Security analysis of public terminals

View from the developer

Page 7: Parcomagic: Security analysis of public terminals

Street magic: escape from the app

Page 8: Parcomagic: Security analysis of public terminals

Street magic: virtual keyboard

Page 9: Parcomagic: Security analysis of public terminals

Who am I?

Page 10: Parcomagic: Security analysis of public terminals

Another kind of PoC

Page 11: Parcomagic: Security analysis of public terminals

Catch me!

Page 12: Parcomagic: Security analysis of public terminals

Post-exploitation

• Located in public places

• 24/7 available

• Same configuration

• The higher degree of

confidence from the user

• Connected to each other and to

private network

• Advertising

• Social engineering/phishing

• Botnet use cases

• Dump of app for offline

reversing

• Internal network attack

• …

Page 13: Parcomagic: Security analysis of public terminals

Take a look around

Firewall

Terminal’s

server

Main office

Page 14: Parcomagic: Security analysis of public terminals

[email protected]

[email protected]

http://defec.ru/

http://defec.ru/

III. · 2018-01-30 · 3 (where applicable), transport terminals, markets, and other places of public gatherings Ensure that traffic is well-managed and that the safety and security

Evolution of public hEalth security 1 - · PDF fileThroughout history, ... International Health Regulations evolution of public health security. global public health security. and)

SOCIAL SECURITY SEMINARdefcomp.nv.gov/.../SocialSecutiryPresentation2017.pdf · Social Security Seminar for Public Employees Barbara Duckett Public Affairs Specialist Social Security

Ports & Terminals - aksetlaw.comaksetlaw.com/content/uploads/2017/11/Ports-and-Terminals-2018.pdf · Ports & Terminals Ports & Terminals ... • vessel services; • passenger transport;

Public Security Target Lite

THE CONCEPT OF PERSONAL SECURITY for staff being exposed … Security overview.pdf · 2012. 2. 29. · - alarm forwarding to other Tetra Security terminals - evacuation procedures

Contents Terminals, Z-Series - Центр загрузки … Terminals, Z-Series D Contents Terminals, Z-Series Overview Z-Series D.2 Feed-through terminals D.4 Modular PE terminals

Terminal Area Summary · For Terminals 1, 2, and 3, the majority of Concession Areas are located on the airside portion of the terminals, beyond the security screening checkpoints

A Privacy-Respectful Input Method for Public Terminals...machines, public information screens, ATMs, Internet terminals, etcetera. Besides their manifold advantages – like big displays

Container Terminals Concession Guidelines - World Bankdocuments.worldbank.org/...WP-PUBLIC-Container...Concession-Guidelines.pdf · Container Terminals Concession Guidelines x This

Co-modal transshipments and terminals (Intermediate ......D23.1 – Co-modal transshipments and terminals (Intermediate) CAPACITY4RAIL SCP3-GA-2013-605650 CAPACITY4RAIL PUBLIC Page

Internet Kiosk Terminals : The Redux - Security Assessment - Home

Dome9 Public Cloud Security

Port of Virginia's Homeland Security Program€¦ · Port of Virginia's Homeland Security Program Ed Merkle Formerly the Director of Port Security & ... Patrol Terminals 24/7 Marine

Feed-through terminals Terminals, I-Series

Australian Amalgamated Terminals Pty Limited (AAT ...€¦ · PUBLIC VERSION A glossary of acronyms used in this submission is set out below: AAT - Australian Amalgamated Terminals

Security regulations public

North America LNG Import Terminals Status: Existing Import... · North America LNG Import Terminals Status: Approved, Not Under Construction . Source: Various Public Sources . Approved

PORT AUTHORITY MARINE TERMINALS PAMT FMC NO. PA …...Port Authority Marine Terminals And Rates and Charges Applicable For the Use of Public Areas At Port Authority Marine Terminals

· Web viewWith Public IP Access, terminals get a single public IP address from Inmarsat’s range of public IP addresses. There is no NAT. Terminals are accessible from the Internet

Security Target Lite PUBLIC Chip Card & Security

PA Homeland Security/Public Safety Geospatial Portal ...€¦ · Security/Public Safety Geospatial Portal ... Emergency Alert and Readiness System ... PA Homeland Security/Public

IDB - Financing Public Security

DIN Rail Terminals - · PDF fileGlossary of Technical Terms Push-Fit Terminals DIN-Rail Accessories Mini Terminals Feed-Through Terminals High-Insulation Terminals Bolt-On Terminals

Public security

Port Security For Cruise Ships and Terminalsaapa.files.cms-plus.com/2017Seminars/17Cruise/Glenn...Port Security For Cruise Ships and Terminals 3.82 million passenger $55.3 million

School security public version

SECURITY HUMAN SECURITY: A Public Health Perspective HUMAN SECURITY: A Public Health Perspective HUMAN SECURITY: A Public Health Perspective Dr. Mirta

Public Sector Data & Information Security Survey · 2017-05-27 · Public Sector Data & Information Security 01 Public Sector Data & Information Security Survey ... enactment may

Synway Mobile Catching System · It is able to catch ID of mobile terminals, such as IMSI ... analysis and otherapplications, such as public security, informationanalysis of traffic

Motorola TETRA Terminals - American Communication Systems · 2011. 8. 13. · Indeed, in recent years, our TETRA terminals have been specified for almost every new nationwide public

Training Module on Security Vital Installations: Depots and Terminals

Security and regulatory requirements for public … and regulatory requirements for public cloud ... Security and regulatory requirements for public cloud offerings ... Security and

Alberta Sulphur Terminals Public Disclosure

Using Bloomberg Terminals in a Security Analysis and ... · Title: Using Bloomberg Terminals in a Security Analysis and Portfolio Management Course Author: Wchow33 Created Date: 8/23/2016