Submit Search
Upload
Message Queue Security Talk at NoSuchCon 2014
•
3 likes
•
1,881 views
AI-enhanced title
N
NoSuchCon
Follow
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
Read less
Read more
Technology
Report
Share
Report
Share
1 of 59
Download now
Download to read offline
Recommended
Webinar SSL English
Webinar SSL English
SSL247®
TLS Optimization
TLS Optimization
Nate Lawson
TLS/SSL Protocol Design
TLS/SSL Protocol Design
Nate Lawson
Ravencoin
Ravencoin
Hamidreza Sahraei
Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...
Trupti Shiralkar, CISSP
Common crypto attacks and secure implementations
Common crypto attacks and secure implementations
Trupti Shiralkar, CISSP
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat Security Conference
Open Source KMIP Implementation
Open Source KMIP Implementation
sedukull
Recommended
Webinar SSL English
Webinar SSL English
SSL247®
TLS Optimization
TLS Optimization
Nate Lawson
TLS/SSL Protocol Design
TLS/SSL Protocol Design
Nate Lawson
Ravencoin
Ravencoin
Hamidreza Sahraei
Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...
Trupti Shiralkar, CISSP
Common crypto attacks and secure implementations
Common crypto attacks and secure implementations
Trupti Shiralkar, CISSP
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat Security Conference
Open Source KMIP Implementation
Open Source KMIP Implementation
sedukull
Microservices Security landscape
Microservices Security landscape
Sagara Gunathunga
Open Source Cyber Weaponry
Open Source Cyber Weaponry
Joshua L. Davis
Bletchley
Bletchley
Diogo Mónica
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006
Nate Lawson
網路攻擊與封包分析- Wireshark
網路攻擊與封包分析- Wireshark
Julia Yu-Chin Cheng
Normalizing Empire's Traffic to Evade Anomaly-Based IDS
Normalizing Empire's Traffic to Evade Anomaly-Based IDS
Utku Sen
SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications
nishchal29
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
NGINX, Inc.
Owasp crypto tools and projects
Owasp crypto tools and projects
OwaspCzech
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
Jyothishmathi Institute of Technology and Science Karimnagar
Cassandra and security
Cassandra and security
Ben Bromhead
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
NGINX, Inc.
MTLS in a Microservices World
MTLS in a Microservices World
Diogo Mónica
Observability beyond logging for Java Microservices
Observability beyond logging for Java Microservices
Luke Marsden
Picking a message queue
Picking a message queue
Vladislav Kirshtein
Protecting your data at rest with Apache Kafka by Confluent and Vormetric
Protecting your data at rest with Apache Kafka by Confluent and Vormetric
confluent
WSO2 Microservices Framework for Java - Product Overview
WSO2 Microservices Framework for Java - Product Overview
WSO2
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security Threats
Lacework
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Infosec train
Advanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_content
priyanshamadhwal2
Inside Architecture of Neutron
Inside Architecture of Neutron
markmcclain
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
Paulo Renato
More Related Content
What's hot
Microservices Security landscape
Microservices Security landscape
Sagara Gunathunga
Open Source Cyber Weaponry
Open Source Cyber Weaponry
Joshua L. Davis
Bletchley
Bletchley
Diogo Mónica
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006
Nate Lawson
網路攻擊與封包分析- Wireshark
網路攻擊與封包分析- Wireshark
Julia Yu-Chin Cheng
Normalizing Empire's Traffic to Evade Anomaly-Based IDS
Normalizing Empire's Traffic to Evade Anomaly-Based IDS
Utku Sen
SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications
nishchal29
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
NGINX, Inc.
Owasp crypto tools and projects
Owasp crypto tools and projects
OwaspCzech
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
Jyothishmathi Institute of Technology and Science Karimnagar
Cassandra and security
Cassandra and security
Ben Bromhead
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
NGINX, Inc.
MTLS in a Microservices World
MTLS in a Microservices World
Diogo Mónica
What's hot
(13)
Microservices Security landscape
Microservices Security landscape
Open Source Cyber Weaponry
Open Source Cyber Weaponry
Bletchley
Bletchley
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006
網路攻擊與封包分析- Wireshark
網路攻擊與封包分析- Wireshark
Normalizing Empire's Traffic to Evade Anomaly-Based IDS
Normalizing Empire's Traffic to Evade Anomaly-Based IDS
SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
Owasp crypto tools and projects
Owasp crypto tools and projects
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
Cassandra and security
Cassandra and security
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
MTLS in a Microservices World
MTLS in a Microservices World
Similar to Message Queue Security Talk at NoSuchCon 2014
Observability beyond logging for Java Microservices
Observability beyond logging for Java Microservices
Luke Marsden
Picking a message queue
Picking a message queue
Vladislav Kirshtein
Protecting your data at rest with Apache Kafka by Confluent and Vormetric
Protecting your data at rest with Apache Kafka by Confluent and Vormetric
confluent
WSO2 Microservices Framework for Java - Product Overview
WSO2 Microservices Framework for Java - Product Overview
WSO2
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security Threats
Lacework
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Infosec train
Advanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_content
priyanshamadhwal2
Inside Architecture of Neutron
Inside Architecture of Neutron
markmcclain
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
Paulo Renato
Manging Container Deployments at Scale
Manging Container Deployments at Scale
Mofizur Rahman
Istio Mesh – Managing Container Deployments at Scale
Istio Mesh – Managing Container Deployments at Scale
Mofizur Rahman
Code Quality - Security
Code Quality - Security
sedukull
Understanding container security
Understanding container security
John Kinsella
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
Abhay Bhargav
Microservice & Service Mesh Workshop
Microservice & Service Mesh Workshop
Claudio Acquaviva
Architecting for Microservices Part 2
Architecting for Microservices Part 2
Elana Krasner
Hashicorp Vault Connector - Dallas MuleSoft Meetup - May 6, 2020
Hashicorp Vault Connector - Dallas MuleSoft Meetup - May 6, 2020
AVIO Consulting
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talk
promediakw
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Alert Logic
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
Alert Logic
Similar to Message Queue Security Talk at NoSuchCon 2014
(20)
Observability beyond logging for Java Microservices
Observability beyond logging for Java Microservices
Picking a message queue
Picking a message queue
Protecting your data at rest with Apache Kafka by Confluent and Vormetric
Protecting your data at rest with Apache Kafka by Confluent and Vormetric
WSO2 Microservices Framework for Java - Product Overview
WSO2 Microservices Framework for Java - Product Overview
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security Threats
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_content
Inside Architecture of Neutron
Inside Architecture of Neutron
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
Manging Container Deployments at Scale
Manging Container Deployments at Scale
Istio Mesh – Managing Container Deployments at Scale
Istio Mesh – Managing Container Deployments at Scale
Code Quality - Security
Code Quality - Security
Understanding container security
Understanding container security
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
Microservice & Service Mesh Workshop
Microservice & Service Mesh Workshop
Architecting for Microservices Part 2
Architecting for Microservices Part 2
Hashicorp Vault Connector - Dallas MuleSoft Meetup - May 6, 2020
Hashicorp Vault Connector - Dallas MuleSoft Meetup - May 6, 2020
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talk
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
More from NoSuchCon
NSC #2 - Challenge Solution
NSC #2 - Challenge Solution
NoSuchCon
NSC #2 - Challenge Introduction
NSC #2 - Challenge Introduction
NoSuchCon
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NoSuchCon
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NoSuchCon
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NoSuchCon
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NoSuchCon
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NoSuchCon
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NoSuchCon
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NoSuchCon
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NoSuchCon
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NoSuchCon
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NoSuchCon
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NoSuchCon
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NoSuchCon
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NoSuchCon
More from NoSuchCon
(16)
NSC #2 - Challenge Solution
NSC #2 - Challenge Solution
NSC #2 - Challenge Introduction
NSC #2 - Challenge Introduction
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
Recently uploaded
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
The Digital Insurer
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
wesley chun
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
sudhanshuwaghmare1
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
HampshireHUG
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
Pixlogix Infotech
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
The Digital Insurer
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
naman860154
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
apidays
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
Antenna Manufacturer Coco
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
Gabriella Davis
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
Khem
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
Recently uploaded
(20)
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Message Queue Security Talk at NoSuchCon 2014
1.
Labs.mwrinfosecurity.com | ©
MWR Labs 1 Labs.mwrinfosecurity.com | © MWR Labs Your Q is my Q NoSuchCon 2014 Paris, France Message Queue Security G. Geshev
2.
Labs.mwrinfosecurity.com | ©
MWR Labs 2 Introduction Georgi Geshev • Security Researcher at MWR Labs • Research Interests • Vulnerability Development • IPv6 Network Reconnaissance • Message Queues
3.
Labs.mwrinfosecurity.com | ©
MWR Labs 3 Agenda • MQ Concepts • Attack Surface • Case Studies • Attack Scenarios • Common Issues • MQ Hardening
4.
Labs.mwrinfosecurity.com | ©
MWR Labs 4 Disclaimer • This is not a talk on new classes of bugs, i.e. none of the vulnerabilities are MQ specific. • This is a talk on problems found to be common across some popular MQ implementations.
5.
Labs.mwrinfosecurity.com | ©
MWR Labs 5 MQ Concepts • Message-oriented Middleware (MOM) • Asynchronous Message Exchange • Decoupling – Space, Time and Synchronization Decoupling • Publish & Subscribe – Publishers Create Messages – Subscribers Consume Messages – Topic, Content and Type Based Subscriptions
6.
Labs.mwrinfosecurity.com | ©
MWR Labs 6 MQ Concepts Producer Consumer Broker
7.
Labs.mwrinfosecurity.com | ©
MWR Labs 7 MQ Concepts Producer Consumer Broker
8.
Labs.mwrinfosecurity.com | ©
MWR Labs 8 MQ Concepts Producer Consumer Broker
9.
Labs.mwrinfosecurity.com | ©
MWR Labs 9 MQ Concepts Producer Consumer Broker
10.
Labs.mwrinfosecurity.com | ©
MWR Labs 10 MQ Protocols
11.
Labs.mwrinfosecurity.com | ©
MWR Labs 11 MQ Protocols • MQ Transport Protocols • TCP, UDP, HTTP
12.
Labs.mwrinfosecurity.com | ©
MWR Labs 12 MQ Protocols • MQ Transport Protocols • TCP, UDP, HTTP • MQ Application Protocols
13.
Labs.mwrinfosecurity.com | ©
MWR Labs 13 MQ Protocols • MQ Transport Protocols • TCP, UDP, HTTP • MQ Application Protocols • Binary Protocols: – AMQP (Advanced Message Queuing Protocol) – MQTT (MQ Telemetry Transport) – OpenWire
14.
Labs.mwrinfosecurity.com | ©
MWR Labs 14 MQ Protocols • MQ Transport Protocols • TCP, UDP, HTTP • MQ Application Protocols • Binary Protocols: – AMQP (Advanced Message Queuing Protocol) – MQTT (MQ Telemetry Transport) – OpenWire • ASCII Protocols: – STOMP (Streaming Text Oriented Messaging Protocol) – XMPP
15.
Labs.mwrinfosecurity.com | ©
MWR Labs 15 MQ Security • Transport over SSL/TLS • Authentication and Authorisation Mechanisms: • Certificates, Kerberos, LDAP, etc. • Persistent Storage • SQL Databases • File Based Databases • Redundant Brokers • Clustering • Broker Networks
16.
Labs.mwrinfosecurity.com | ©
MWR Labs 16 Misconfigurations • Default Administrative Credentials • Management Interfaces Exposed • Java Management Extension (JMX) • Java Remote Method Invocation (RMI) • Java Debug Wire Protocol (JDWP) • Default Queues • Anonymous Access – Publish – Subscribe
17.
Labs.mwrinfosecurity.com | ©
MWR Labs 17 Demo • ActiveMQ 5.6.0 • Debian 7.5.0 • Ubuntu 14.04.1 • Default Configuration • Java Management Extension (JMX) • Custom script to identify RMI service endpoint via JMX. • RMI Registry endpoint is only locally exposed.* • Port forwarding to access the RMI service. • Deploying and executing a JAR payload.
18.
Labs.mwrinfosecurity.com | ©
MWR Labs 18 Case Studies • Sending Serialised Objects • Sending System Commands • Rendering Untrusted Messages in Administrative or Monitoring Consoles • Cross-Site Scripting • Inserting Unsanitised Messages in Databases • SQL Injection
19.
Labs.mwrinfosecurity.com | ©
MWR Labs 19 Attack Scenarios • Attacker’s Perspective • Anonymous • Client • Broker • Attacks • Man-in-the-Middle • Authentication Bypasses • Implementation Specific • DoS
20.
Labs.mwrinfosecurity.com | ©
MWR Labs 20 Attack Scenarios • Attacker’s Perspective • Anonymous • Client • Broker • Attacks • Man-in-the-Middle • Authentication Bypasses • Implementation Specific • DoS Anonymous vs. Client
21.
Labs.mwrinfosecurity.com | ©
MWR Labs 21 Attack Scenarios • Attacker’s Perspective • Anonymous • Client • Broker • Attacks • Man-in-the-Middle • Authentication Bypasses • Implementation Specific • DoS Anonymous vs. Client
22.
Labs.mwrinfosecurity.com | ©
MWR Labs 22 Attack Scenarios • Attacker’s Perspective • Anonymous • Client • Broker • Attacks • Man-in-the-Middle • Authentication Bypasses • Implementation Specific • DoS Anonymous vs. Client Client vs. Client
23.
Labs.mwrinfosecurity.com | ©
MWR Labs 23 Attack Scenarios • Attacker’s Perspective • Anonymous • Client • Broker • Attacks • Man-in-the-Middle • Authentication Bypasses • Implementation Specific • DoS Anonymous vs. Client Client vs. Client Client vs. Broker
24.
Labs.mwrinfosecurity.com | ©
MWR Labs 24 Attack Scenarios • Attacker’s Perspective • Anonymous • Client • Broker • Attacks • Man-in-the-Middle • Authentication Bypasses • Implementation Specific • DoS Anonymous vs. Client Client vs. Client Client vs. Broker
25.
Labs.mwrinfosecurity.com | ©
MWR Labs 25 Attack Scenarios • Attacker’s Perspective • Anonymous • Client • Broker • Attacks • Man-in-the-Middle • Authentication Bypasses • Implementation Specific • DoS Anonymous vs. Client Client vs. Client Client vs. Broker Broker vs. Client
26.
Labs.mwrinfosecurity.com | ©
MWR Labs 26 Attack Scenarios • Attacker’s Perspective • Anonymous • Client • Broker • Attacks • Man-in-the-Middle • Authentication Bypasses • Implementation Specific • DoS Anonymous vs. Client Client vs. Client Client vs. Broker Broker vs. Client Broker vs. Broker
27.
Labs.mwrinfosecurity.com | ©
MWR Labs 27 Bug Hunting
28.
Labs.mwrinfosecurity.com | ©
MWR Labs 28 Bug Hunting • Source Code Audit • Pattern Based
29.
Labs.mwrinfosecurity.com | ©
MWR Labs 29 Bug Hunting • Source Code Audit • Pattern Based • Fuzzing • Stateless – Radamsa • Stateful – MITM Fuzzing • Patching • Traffic Generation • Unit Tests • Performance Harness Tools • Code Samples
30.
Labs.mwrinfosecurity.com | ©
MWR Labs 30 Bug Hunting • Source Code Audit • Pattern Based • Fuzzing • Stateless – Radamsa • Stateful – MITM Fuzzing • Patching • Outdated Libraries • e.g. Vulnerable XStream in ActiveMQ < 5.10.0 • Traffic Generation • Unit Tests • Performance Harness Tools • Code Samples
31.
Labs.mwrinfosecurity.com | ©
MWR Labs 31 AMQP State Machine
32.
Labs.mwrinfosecurity.com | ©
MWR Labs 32 LDAP Wildcard Interpretation Attacker Broker LDAP Server (Authenticator) Credentials tommy foobar ronly ronly client secret
33.
Labs.mwrinfosecurity.com | ©
MWR Labs 33 LDAP Wildcard Interpretation Attacker Broker LDAP Server (Authenticator) Username: * Password: foobar Message Content Credentials tommy foobar ronly ronly client secret
34.
Labs.mwrinfosecurity.com | ©
MWR Labs 34 LDAP Wildcard Interpretation Attacker Broker LDAP Server (Authenticator) B: Does ‘*’ user exist? Credentials tommy foobar ronly ronly client secret
35.
Labs.mwrinfosecurity.com | ©
MWR Labs 35 LDAP Wildcard Interpretation Attacker Broker LDAP Server (Authenticator) A: Yes, user ‘tommy’ exists. Credentials tommy foobar ronly ronly client secret
36.
Labs.mwrinfosecurity.com | ©
MWR Labs 36 LDAP Wildcard Interpretation Attacker Broker LDAP Server (Authenticator) B: Authenticate with ‘tommy:foobar’? Credentials tommy foobar ronly ronly client secret
37.
Labs.mwrinfosecurity.com | ©
MWR Labs 37 LDAP Wildcard Interpretation Attacker Broker LDAP Server (Authenticator) A: Authenticated. Credentials tommy foobar ronly ronly client secret
38.
Labs.mwrinfosecurity.com | ©
MWR Labs 38 XML External Entities Processing Attacker Broker
39.
Labs.mwrinfosecurity.com | ©
MWR Labs 39 XML External Entities Processing Attacker Broker Malicious XML Message 1. Adversary enqueues an XML message which contains XML external entities.
40.
Labs.mwrinfosecurity.com | ©
MWR Labs 40 XML External Entities Processing Attacker Broker 1. Adversary enqueues an XML message which contains XML external entities.
41.
Labs.mwrinfosecurity.com | ©
MWR Labs 41 XML External Entities Processing Attacker Broker 1. Adversary enqueues an XML message which contains XML external entities. 2. Then requests dequeuing an XML message which matches a criteria expressed with XPath/XQuery based selector. XPath / XQuery Selector
42.
Labs.mwrinfosecurity.com | ©
MWR Labs 42 XML External Entities Processing Attacker Broker 1. Adversary enqueues an XML message which contains XML external entities. 2. Then requests dequeuing an XML message which matches a criteria expressed with XPath/XQuery based selector.
43.
Labs.mwrinfosecurity.com | ©
MWR Labs 43 XML External Entities Processing Attacker Broker 1. Adversary enqueues an XML message which contains XML external entities. 2. Then requests dequeuing an XML message which matches a criteria expressed with XPath/XQuery based selector. 3. The broker will evaluate the XPath expression and attempt to match it against the messages in the queue. This will cause the broker to resolve any external entity references.
44.
Labs.mwrinfosecurity.com | ©
MWR Labs 44 Demo (1) • Anonymous vs. Client / Broker • Authentication Bypass*
45.
Labs.mwrinfosecurity.com | ©
MWR Labs 45 Demo (2) • Client vs. Broker • XML External Entity Processing
46.
Labs.mwrinfosecurity.com | ©
MWR Labs 46 Common Vulnerabilities • XML External Entities Processing • Brokers: 6 – Java, Python and C++ • Clients: 2* • LDAP Wildcard Interpretation Bug • Brokers: 3 – Java • Unserialisation of Untrusted Data • Brokers: 2* – Java and Python
47.
Labs.mwrinfosecurity.com | ©
MWR Labs 47 Hardening MQ Applications
48.
Labs.mwrinfosecurity.com | ©
MWR Labs 48 Hardening MQ • Limit the number of transport and application protocols. • One application protocol over one (SSL) transport. Applications
49.
Labs.mwrinfosecurity.com | ©
MWR Labs 49 Hardening MQ • Limit the number of transport and application protocols. • One application protocol over one (SSL) transport. • Remove default accounts. Applications
50.
Labs.mwrinfosecurity.com | ©
MWR Labs 50 Hardening MQ • Limit the number of transport and application protocols. • One application protocol over one (SSL) transport. • Remove default accounts. • Disable JMX/RMI/JDWP/etc.* Applications
51.
Labs.mwrinfosecurity.com | ©
MWR Labs 51 Hardening MQ • Limit the number of transport and application protocols. • One application protocol over one (SSL) transport. • Remove default accounts. • Disable JMX/RMI/JDWP/etc.* • Separate administration VLAN. Applications
52.
Labs.mwrinfosecurity.com | ©
MWR Labs 52 Hardening MQ • Limit the number of transport and application protocols. • One application protocol over one (SSL) transport. • Remove default accounts. • Disable JMX/RMI/JDWP/etc.* • Separate administration VLAN. • Disable anonymous client access. Applications
53.
Labs.mwrinfosecurity.com | ©
MWR Labs 53 Hardening MQ • Limit the number of transport and application protocols. • One application protocol over one (SSL) transport. • Remove default accounts. • Disable JMX/RMI/JDWP/etc.* • Separate administration VLAN. • Disable anonymous client access. • Whitelist explicit P&S client IP addresses. Applications
54.
Labs.mwrinfosecurity.com | ©
MWR Labs 54 Hardening MQ • Limit the number of transport and application protocols. • One application protocol over one (SSL) transport. • Remove default accounts. • Disable JMX/RMI/JDWP/etc.* • Separate administration VLAN. • Disable anonymous client access. • Whitelist explicit P&S client IP addresses. Applications • Perform validation on received messages. Do not assume trusted sources.
55.
Labs.mwrinfosecurity.com | ©
MWR Labs 55 Hardening MQ • Limit the number of transport and application protocols. • One application protocol over one (SSL) transport. • Remove default accounts. • Disable JMX/RMI/JDWP/etc.* • Separate administration VLAN. • Disable anonymous client access. • Whitelist explicit P&S client IP addresses. Applications • Perform validation on received messages. Do not assume trusted sources. • Enable integrity checking. Ideally, authenticated encryption.
56.
Labs.mwrinfosecurity.com | ©
MWR Labs 56 Hardening MQ • Limit the number of transport and application protocols. • One application protocol over one (SSL) transport. • Remove default accounts. • Disable JMX/RMI/JDWP/etc.* • Separate administration VLAN. • Disable anonymous client access. • Whitelist explicit P&S client IP addresses. Applications • Perform validation on received messages. Do not assume trusted sources. • Enable integrity checking. Ideally, authenticated encryption. • Whitelist objects if unserialising from messages.
57.
Labs.mwrinfosecurity.com | ©
MWR Labs 57 Acknowledgments • MWR Labs • Red Hat and Apache’s Security Teams • NoSuchCon Organisers
58.
Labs.mwrinfosecurity.com | ©
MWR Labs 58 References • XML Out-of-Band Data Retrieval (BlackHat Europe 2013) • Timur Yunusov (@a66at) • Alexey Osipov (@Gi_sUngiven) • XML External Entities Out-of-Band Exploitation • Ivan Novikov (@d0znpp) • Exploiting JMX RMI • Braden Thomas
59.
Labs.mwrinfosecurity.com | ©
MWR Labs 59 Questions • Feedback • @munmap • georgi.geshev @ mwrinfosecurity . com
Download now