2013年6月9日 星期日

blackhat.com/us-13/briefings

http://www.blackhat.com/us-13/briefings.html

Briefings


A Practical Attack against MDM Solutions

Spyphones are surveillance tools surreptitiously planted on a users handheld device. While malicious mobile applications mainly phone fraud applications distributed through common application channels - target the typical consumer, spyphones are nation states tool of attacks. Why? Once installed, the software stealthy gathers information such as text messages (SMS), geo-location information, emails and even surround-recordings.
How are these mobile cyber-espionage attacks carried out? In this engaging session, we present a novel proof-of-concept attack technique which bypass traditional mobile malware detection measures- and even circumvent common Mobile Device Management (MDM) features, such as encryption.

A Tale of One Software Bypass of Windows 8 Secure Boot

Windows 8 Secure Boot based on UEFI 2.3.1 Secure Boot is an important step towards securing platforms from malware compromising boot sequence before the OS. However, there are certain mistakes platform vendors shouldn't make which can completely undermine protections offered by Secure Boot. We will demonstrate an example of full software bypass of Windows 8 Secure Boot due to such mistakes on some of the latest platforms and explain how those mistakes can be avoided.

Presented by

Yuriy Bulygin

Above My Pay Grade: Cyber Response at the National Level

Cyber professionals are, rightly, usually technical experts and understand their trade from the bottom up. However, this has lead to significant confusion when they must interact with national security, which is driven from the top down. Perhaps nowhere is this more evident than in cyber response, the actions taken after the detection of a malicious cyber incident. In the cyber field, incident response implies a deeply technical forensic investigation of individual computers and network traffic to determine exactly which bits and bytes interacted with which hardware to implement specific evil intent. Those with the "big picture" understand the larger framework of how a business would organize a total response, such as engaging the legal, media and investment relations teams. Almost none of this is applicable to cyber response for incidents that are not merely cyber crime but those which truly are national security events, such as large-scale disruptive attacks that could be acts of war by another nation. Response within the White House, Pentagon and Cabinet departments are of course informed by the technical details. But after some point, the response rapidly ceases to be "cyber" and it is treated like any other national security crisis. This talk will examine the flow of incident response, using a finance-sector scenario, starting from individual banks and exchanges, through the public-private sector information sharing processes. After that, the response branches. The finance sector leadership and the Treasury Department handle the financial aspects of the crisis, such as ensuring the overall health of the banking system. The other branch leads to the Department of Homeland Security, which will assess the incident from a cyber perspective. At DHS and the White House, decision makers and experts from other departments can be involved through a relatively well-understood interagency process. If needed, response can be escalated rapidly through the White House Situation Room to the President himself. The talk will conclude with the pros and cons of this system. For example, while the system is very flexible, since it follows normal national security escalation paths, if a future cyber conflict where sufficiently widespread, sustained or fast-moving, it could result in paralyzed process. The process should still be a model, as other nations such as China lack any similar process, meaning their response could be fragmented, a very dangerous situation.

Presented by

Jason Healey

Android: one root to own them all

This presentation is a case study showcasing the technical details of Android security bug 8219321, disclosed to Google in February 2013. The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature; that in turn is a simple step away from system access & control. The vulnerability affects a wide number of Android devices, across generations & architectures, with little to no modifications of the exploit. The presentation will review how the vulnerability was located, how an exploit was created, and why the exploit works, giving you insight into the vulnerability problem and the exploitation process. Working PoCs for major Android device vendors will be made available to coincide with the presentation.

Presented by

Jeff Forristal

BinaryPig - Scalable Malware Analytics in Hadoop

Over the past 2.5 years Endgame received 20M samples of malware equating to roughly 9.5 TB of binary data. In this, we’re not alone. McAfee reports that it currently receives roughly 100,000 malware samples per day and received roughly 10M samples in the last quarter of 2012 [1]. Its total corpus is estimated to be about 100M samples. VirusTotal receives between 300k and 600k unique files per day, and of those roughly one-third to half are positively identified as malware [2].
This huge volume of malware offers both challenges and opportunities for security research especially applied machine learning. Endgame performs static analysis on malware in order to extract feature sets used for performing large-scale machine learning. Since malware research has traditionally been the domain of reverse engineers, most existing malware analysis tools were designed to process single binaries or multiple binaries on a single computer and are unprepared to confront terabytes of malware simultaneously. There is no easy way for security researchers to apply static analysis techniques at scale; companies and individuals that want to pursue this path are forced to create their own solutions.
Our early attempts to process this data did not scale well with the increasing flood of samples. As the size of our malware collection increased, the system became unwieldy and hard to manage, especially in the face of hardware failures. Over the past two years we refined this system into a dedicated framework based on Hadoop so that our large-scale studies are easier to perform and are more repeatable over an expanding dataset.
To address this problem, we will present our open framework, BinaryPig, as well as some example uses of this technology to perform a multiyear, multi-terabyte, multimillion-sample malware census. This framework is built over Apache Hadoop, Apache Pig, and Python. It addresses many issues of scalable malware processing, including dealing with increasingly large data sizes, improving workflow development speed, and enabling parallel processing of binary files with most pre-existing tools. It is also modular and extensible, in the hope that it will aid security researchers and academics in handling ever-larger amounts of malware.
In addition, we will demonstrate the results of our exploration and the techniques used to derive these results. The framework, analysis modules, and some example applications will be released as open source (Apache 2.0 License) at Blackhat.
[1] http://www.darkreading.com/identityandaccessmanagement/167901114/security/attacksbrea ches/240006702/mcafeecloseto100knewmalwaresamplesperdayinq2.html
[2] https://www.virustotal.com/en/statistics/ as of 4/9/2013

BIOS Security

In 2011 the National Institute of Standard and Technology (NIST) released a draft of special publication 800-155. This document provides a more detailed description than the Trusted Platform Module (TPM) PC client specification for content that should be measured in the BIOS to provide an adequate Static Root of Trust for Measurement (SRTM). To justify the importance of 800-155, in this talk we look at the implementation of the SRTM from a vendor's pre-800-155 laptop. We discuss how the BIOS and thus SRTM can be manipulated either due to a configuration that does not enable signed BIOS updates, or via an exploit we discovered that allows for BIOS reflash even in the presence of a signed update requirement.
We also show how a 51 byte patch to the SRTM can cause it to provide a forged measurement to the TPM indicating that the BIOS is pristine. If a TPM Quote is used to query the boot state of the system, this TPM-signed falsification will then serve as the root of misplaced trust. We also show how reflashing the BIOS may not necessarily remove this trust-subverting malware. To fix the un-trustworthy SRTM we apply an academic technique whereby the BIOS software indicates its integrity through a timing side-channel.

Black-Box Assessment of Pseudorandom Algorithms

Last year at Black Hat, Argyros and Kiayias devastated all things pseudorandom in open-source PHP applications. This year, we're bringing PRNG attacks to the masses.
We'll point out flaws in many of the most common non-cryptographic pseudorandom number generators (PRNGs) and examine how to identify a PRNG based on a black-box analysis of application output. In many cases, most or all of the PRNG's internal state can be recovered, enabling determination of past output and prediction of future output. We'll present algorithms that run many orders of magnitude faster than a brute-force search, including reversing and seeking the PRNG stream in constant time. Finally, of course, we'll demonstrate everything and give away our tool so that you can perform the attacks during your own assessments.

BlackBerryOS 10 from a security perspective

BlackBerry prides itself with being a strong contender in the field of secure mobile platforms. While traditionally BlackBerryOS was based on a proprietary RTOS with a JVM propped on top, the architecture was completely overhauled with BlackBerryOS 10. Now the base operating system is the formerly off-the-shelf RTOS QNX, which doesn't exactly have an excellent security track record. Moreover, for the first time in BBOS history, native code applications are allowed on the platform.
This talk will present an analysis of the attack surface of BBOS 10, considering both ways to escalate privileges locally and routes for remote entry. Moreover, since exploitation is only half the work of offense, we'll show ways for rootkits to persist on the device. Last but not least we will settle whether BlackBerry Balance really holds what it promises: are mobile devices really ready to securely separate crucial business data from Angry Birds?

Bluetooth Smart: The Good, The Bad, The Ugly, and The Fix!

Bluetooth Smart, AKA Bluetooth Low Energy (BTLE), is a new modulation mode and link-layer packet format defined in Bluetooth 4.0. A new class of low-power devices and high-end smartphones are already on the market using this protocol. Applications include everything from fitness devices to wireless door locks. The Good: Bluetooth Smart is well-designed and good at what it does. We explain its workings from the PHY layer (raw RF) all the way to the application layer. The Bad: Bluetooth Smart's key exchange is weak. We will perform a live demonstration of sniffing and recovering encryption keys using open source tools we developed. The Ugly: A passive eavesdropper can decrypt all communications with a sniffed encryption key using our tools. The Fix: We implement Elliptic Curve Diffie-Hellman to exchange a key in-band. This backward-compatible fix renders the protocol secure against passive eavesdroppers.

Presented by

Mike Ryan

Bochspwn: Identifying 0-days via System-wide Memory Access Pattern Analysis

Throughout the last two decades, the field of automated vulnerability discovery has evolved into the advanced state we have today: effective dynamic analysis is achieved with a plethora of complex, privately developed fuzzers dedicated to specific products, file formats or protocols, with source code and binary-level static analysis slowly catching up, yet already proving useful in specific scenarios. Due to market demand and general ease of access, the efforts have been primarily focused around client software, effectively limiting kernel code coverage to a few generic syscall and IOCTL fuzzers. Considering the current impact of ring-0 security on the overall system security posture and number of kernel-specific bug classes, we would like to propose a novel, dynamic approach to locating subtle kernel security flaws that would likely otherwise remain unnoticed for years.
The presentation will introduce the concept of identifying vulnerabilities in operating systems’ kernels by employing dynamic CPU-level instrumentation over a live system session, on the example of using memory access patterns to extract information about potential race conditions in interacting with user-mode memory. We will discuss several different ways to implement the idea, with special emphasis on the “Bochspwn” project we developed last year and successfully used to discover around 50 local elevation of privilege vulnerabilities in the Windows kernel so far, with many of them already addressed in the ms13-016, ms13-017, ms13-031 and ms13-036 security bulletins. The tool itself will be open-sourced during the conference, thus allowing a wider audience to test and further develop the approach.

Bugalyze.com - Detecting Bugs Using Decompilation and Data Flow Analysis

Bugwise is a free online web service at www.bugalyze.com to perform static analysis of binary executables to detect software bugs and vulnerabilities. It detects bugs using a combination of decompilation to recover high level information, and data flow analysis to discover issues such as use-after-frees and double frees. Bugwise has been developed over the past several years and is implemented as a series of modules in a greater system that performs other binary analysis tasks such as malware detection. This entire system consists of more than 100,000 lines of C++ code and a scalable load balanced multi-node Amazon EC2 cluster. In this talk, I will explain how Bugwise works. The system is still in the development stage but has successfully found a number of real bugs and vulnerabilities in Debian Linux. This includes double free, use-after-free, and over 50 getenv(,strcpy) bugs statically found from scanning the entire Debian repository.

Presented by

Silvio Cesare

Buying into the Bias: Why Vulnerability Statistics Suck

Academic researchers, journalists, security vendors, software vendors, and other enterprising... uh... enterprises often analyze vulnerability statistics using large repositories of vulnerability data, such as CVE, OSVDB, and others. These stats are claimed to demonstrate trends in disclosure, such as the number or type of vulnerabilities, or their relative severity. Worse, they are often (mis)used to compare competing products to assess which one offers the best security.
Most of these statistical analyses are faulty or just pure hogwash. They use the easily-available, but drastically misunderstood data to craft irrelevant questions based on wild assumptions, while never figuring out (or even asking us about) the limitations of the data. This leads to a wide variety of bias that typically goes unchallenged, that ultimately forms statistics that make headlines and, far worse, are used for budget and spending.
As maintainers of two well-known vulnerability information repositories, we're sick of hearing about sloppy research after it's been released, and we're not going to take it any more.
We will give concrete examples of the misuses and abuses of vulnerability statistics over the years, revealing which studies do it right (rather, the least wrong), and how to judge future claims so that you can make better decisions based on these ""studies."" We will cover all the kinds of documented and undocumented bias that can exist in a vulnerability data source; how variations in counting hurt comparative analyses; and all the ways that vulnerability information is observed, cataloged, and annotated.
Steve will provide vendor-neutral, friendly, supportive suggestions to the industry. Jericho will do no such thing.

Combating the Insider Threat at the FBI: Real World Lessons Learned

What do T.S. Eliot, Puxatony Phil, eugenics, DLP, crowdsourcing, black swans, and narcissism have in common? They are all key concepts for an effective insider threat program. Come hear how the FBI uses a surprising variety of methods to combat insiders. In this session the FBI will provide five key lessons learned about effective detection and deterrence techniques used in the FBI's insider threat program developed over the last decade. The talk will provide insight on how our nation's premier law enforcement agency is detecting and deterring insider threat using a variety of techniques and technologies. This session will provide unique lessons learned from building a real world, operational insider threat monitoring and response program.

Presented by

Patrick Reidy

Compromising Industrial Facilities From 40 Miles Away

The evolution of wireless technologies has allowed industrial automation and control systems (IACS) to become strategic assets for companies that rely on processing plants and facilities in industries such as energy production, oil, gas, water, utilities, refining, and petrochemical distribution and processing. Effective wireless sensor networks in these facilities have helped reduced costs for implementation, maintenance, and equipment, and have enhanced personal safety by enabling new topologies for remote monitoring and administration in hazardous locations.
However, the way cryptographic keys are handled and controlled in these systems and devices differs in many aspects from the way cryptographic keys are handled in traditional business networks. Sensor networks involve large numbers of sensor nodes with limited hardware capabilities, so the distribution and revocation of keys is not a trivial task. We will review the most commonly implemented key distribution schemes, their weaknesses and how vendors can more effectively align their designs with high-end key distribution solutions.
This presentation demonstrates attacks that exploit key distribution vulnerabilities we recently discovered in every wireless device made during the last years by three leading providers of industrial wireless automation solutions. These devices are widely used by many energy, oil, water, nuclear, natural gas, and refined petroleum companies. An untrusted user or group within a 40-mile range would be able to read from and inject data into these devices by using RF transceivers. A remotely and wirelessly exploitable memory corruption bug can disable all the sensor nodes forever shutting down the entire facility. When sensors and transmitters are attacked, remote sensor measurements on which critical decisions are made can be modified, which could lead to unexpected, harmful, and dangerous consequences.

CreepyDOL: Cheap, Distributed Stalking

Are you a person with a few hundred dollars and an insatiable curiosity about your neighbors, who is fed up with the hard work of tracking your target's every move in person? Good news! You, too, can learn the intimate secrets and continuous physical location of an entire city from the comfort of your desk! CreepyDOL is a distributed sensing and data mining system combining very-low-cost sensors, open-source software, and a focus on user experience to provide personnel identification, tracking, and analysis without sending any data to the targets. In other words, it takes you from hand-crafted, artisan skeeviness to big-box commodity creepiness, and enables government-level total awareness for about $500 of off-the-shelf hardware.

Presented by

Brendan O'Connor

Defending Networks with Incomplete Information: A Machine Learning Approach

Let's face it: we may win some battles, but we are losing the war pretty badly. Regardless of the advances in malware and targeted attacks detection technologies, our top security practitioners can only do so much in a 24-hour day; even less, if you let them eat and sleep. On the other hand, there is a severe shortage of capable people to do ""simple"" security monitoring effectively, let alone complex incident detection and response.
Enter the use of Machine Learning as a way to automatically prioritize and classify potential events and attacks as something could potentially be blocked automatically, is clearly benign, or is really worth the time of your analyst.
On this presentation we will present publicly for the first time an actual implementation of those concepts, in the form of a free-to-use web service. It leverages OSINT and knowledge about the spatial distribution of the Internet to generate a fluid and constantly updated classifier that pinpoints areas of interest on submitted network traffic logs.

Presented by

Alexandre Pinto

Energy Fraud and Orchestrated Blackouts: Issues with Wireless Metering Protocols (wM-Bus)

Government requirements, new business cases, and consumer behavioral changes drive energy market players to improve the overall management of energy infrastructures.
While the energy infrastructure is steadily maintained and improved, some significant changes have been introduced to the power grids of late. Actually, the significance of the changes could be compared to the early days of the Internet where computers started to become largely interconnected. Naturally, questions arise whether a grid composed of so many interacting components can still meet today's requirements for reliability, availability, and privacy.
Nations absolutely recognize the criticality of the energy infrastructure for their economic and political stability. Therefore, various initiatives to ensure reliability and availability of their energy infrastructures are being driven at nation as well as at nation union levels. In order to contribute to the evaluation of national cyber security risks, the author decided to conduct a security analysis in the field of smart energy.
Utilities have started to introduce new field device technology - smart meters. As the name implies, smart meters do support many more use cases than any old conventional electricity meter did. Not only does the new generation of meters support fine granular remote data reading, but it also facilitates remote load control or remote software updates. Hence, to build a secure advanced metering infrastructure (AMI), communication protocols must support bi-directional data transmission and protect meter data and control commands in transit.
Therefore, analysis of smart metering protocols is of great interest. The work presented has analyzed the security of the Meter Bus (M-Bus) as specified within the relevant standards. The M-Bus is very popular in remote meter reading and has its roots in the heat metering industries. It has continuously been adopted to fit more complex applications during the past twenty years. According to a workshop note, an estimated 15 million devices were relying on the wireless version of M-Bus in 2010. It was analyzed whether smart meters using wireless M-Bus do fit the overall security and reliability needs of the grid or whether such devices might threaten the infrastructure.
The M-Bus standard has been analyzed whether it provides effective security mechanisms. It can be stated that wireless M-Bus seems to be robust against deduction of consumption behaviour from the wireless network traffic. For this reason, it is considered privacy-preserving against network traffic analysis. Unfortunately, vulnerabilities have been identified that render that fact obsolete. The findings are mainly related to confidentiality, integrity, and authentication.
Consequently, smart meters relying on wireless M-Bus and supporting remote disconnects are prone to become subject to an orchestrated remote disconnect which poses a severe risk to the grid. Further issues may lead to zero consumption detection, disclosure of consumption values, and disclosure of encryption keys.
Following that, the availability and reliability of the smart grid or at least parts of it may not be guaranteed.

Presented by

Cyrill Brunschwiler

Exploiting Network Surveillance Cameras Like a Hollywood Hacker

This talk will examine 0-day vulnerabilities that can be trivially exploited by remote attackers to gain administrative and root-level access to consumer and enterprise network surveillance cameras manufactured by D-Link, Trendnet, Cisco, IQInvision, Alinking and 3SVision. Thousands of these cameras are Internet accessible, and known to be deployed in homes, businesses, hotels, casinos, banks and prisons, as well as military and industrial facilities.
Additionally, a proof-of-concept attack will be demonstrated in which a remote attacker can leverage the described vulnerabilities to freeze and modify legitimate video streams from these cameras, in true Hollywood fashion.

Presented by

Craig Heffner

Fully Arbitrary 802.3 Packet Injection: Maximizing the Ethernet Attack Surface

It is generally assumed that crafting arbitrary, and sniffing, Fast Ethernet packets can be performed with standard Network Interface Cards (NIC) and generally available packet injection software. However, full control of frame values such as the Frame Check Sequence (FCS) or Start-of-Frame delimiter (SFD) have historically required the use of dedicated and costly hardware. Our presentation will dissect Fast Ethernet layer 1 & 2 presenting novel attack techniques supported by an affordable hardware setup with customized firmware which will be publicly released.
This research expands the ability to test and analyse the full attack surface of networked embedded systems, with particular attention on automation, automotive and avionics industries. Application of attacks against NICs with hard and soft Media Access Control (MAC) on industrial embedded systems will be explored.
We will illustrate how specific frame manipulations can trigger SFD parsing anomalies and Ethernet Packet-In-Packet injection. These results are analyzed in relation to their security relevance and scenarios of application. Finally, conditions for a successful remote Ethernet Packet-In-Packet injection will be discussed and demonstrated for what is believed to be the first time in public.

Hiding @ Depth - Exploring, Subverting and Breaking NAND Flash memory

In the world of digital storage, gone are the days of spinning platters and magnetic residue. These technologies have been replaced with electron trapping, small voltage monitoring and a lot of magic. These NAND devices are ubiquitous across our culture; from smart phones to laptops to USB memory sticks to GPS navigation devices. We carry many of these devices in our pockets daily without considering the security implications. The NAND-Xplore project is an attempt to explain how NAND Flash storage functions and to expose logical weaknesses in the hardware and implementation architectures. The project also showcases how the vulnerable underpinnings of NAND hardware can be subverted to hide and persist files on mobile devices. The project will release two open source POC tools for Android, one to inject and hide files on raw NAND based devices and another to find those files. The tools will showcase how advanced malware or other offensive tools could be using NAND to hide peristent files on your devices and how you would go about discovering them. The project also considers how typical forensic software interacts with NAND devices and how those tools can be subverted. Lastly, the talk will cover how remote NAND manipulation can brick devices beyond repair, from Smartphones to SCADA, and how this vulnerability cannot realistically be patched or fixed (Hint: your current tools probably don't work as well as you would like to believe).

Presented by

Josh 'm0nk' Thomas

Home Invasion v2.0 - Attacking Network-Controlled Hardware

A growing trend in electronics is to have them integrate with your home network in order to provide potentially useful features like automatic updates or to extend the usefulness of existing technologies such as door locks you can open and close from anywhere in the world. What this means for us as security professionals or even just as people living in a world of network-connected devices is that being compromised poses greater risk than before.
Once upon a time, a compromise only meant your data was out of your control. Today, it can enable control over the physical world resulting in discomfort, covert audio/video surveillance, physical access or even personal harm. If your door lock or space heater are compromised, you're going to have a very bad day. This talk will discuss the potential risks posed by network-attached devices and even demonstrate new attacks against products on the market today.

Honey, I’m home!! - Hacking Z-Wave Home Automation Systems

Home automation systems provide a centralized control and monitoring function for heating, ventilation and air conditioning (HVAC), lighting and physical security systems. The central control panel and various household devices such as security sensors and alarm systems are connected with each other to form a mesh network over wireless or wired communication links and act as a “smart home”. As you arrive home, the system can automatically open the garage door, unlock the front door and disable the alarm, light the downstairs, and turn on the TV. According to a study by the consulting firm AMA Research, in 2011, the UK home automation market was worth around £65 million with 12% increase on the previous year. The total number of home automation system installations in the UK is estimated to be 189000 by now. The home automation market in the US was worth approximately $3.2 billion in 2010 and is expected to exceed $5.5 billion in 2016.
Zigbee and Z-wave wireless communication protocols are the most common used RF technology in home automation systems. Zigbee is based on an open specification (IEEE 802.15.4) and has been the subject of several academic and practical security researches. Z-wave is a proprietary wireless protocol that works in the Industrial, Scientific and Medical radio band (ISM). It transmits on the 868.42 MHz (Europe) and 908.42MHz (United States) frequencies designed for low-bandwidth data communications in embedded devices such as security sensors, alarms and home automation control panels. Unlike Zigbee, no public security research on Z-Wave protocol was available before our work. Z-wave protocol was only mentioned once during a DefCon 2011 talk when the presenter pointed the possibility of capturing the AES key exchange phase without a demonstration.
The Z-Wave protocol is gaining momentum against the Zigbee protocol with regards to home automation. This is partly due to a faster, and somewhat simpler, development process. Another benefit is that it is less subjected to signal interference compared to the Zigbee protocol, which operates on the widely populated 2.4 GHz band shared by both Bluetooth and Wi-Fi devices.
Z-wave chips have 128-bit AES crypto engines, which are used by access control systems, such as door locks, for authenticated packet encryption. An open source implementation of the Z-wave protocol stack, openzwave , is available but it does not support the encryption part as of yet. Our talk will show how the Z-Wave protocol can be subjected to attacks.

HOW CVSS is DOSsing YOUR PATCHING POLICY (and wasting your money)

CVSS score is widely used as the standard-de-facto risk metric for vulnerabilities, to the point that the US Government itself encourages organizations in using it to prioritize vulnerability patching. We tackle this approach by testing the CVSS score in terms of its efficacy as a "risk score" and "prioritization metric." We test the CVSS against real attack data and as a result, we show that the overall picture is not satisfactory: the (lower-bound) over-investment by using CVSS to choose what vulnerabilities to patch can as high as 300% of an optimal one. We extend the analysis making sure to obtain statistically significant results. However, we present our results at a practical level, focusing on the question: "does it make sense for you to use CVSS to prioritize your vulnerabilities?"

Presented by

Luca Allodi

How to Build a SpyPhone

Learn how to build an Android SpyPhone service that can be injected into any application. The presentation will feature a live demonstration of how phones can be tracked and operated from a Web based command and control server and a demonstration of how to inject the SpyPhone service into any Android application. The presentation will also cover the APIs used to track the phone's location, intercept phone calls and SMS messages, extract e-mail and contact lists, and activate the camera and microphone without being detected.

Presented by

Kevin McNamee

How to Grow a TREE (Taint-enabled Reverse Engineering Environment) From CBASS (Cross-platform Binary Automated Symbolic-execution System)

Binary analysis techniques from academic research have been introduced into the reverse engineering community as well as research labs that are equipped with lots of computing power. Some program analyses using these techniques have even begun to show up in hacker conferences. But significant limitations remain:
  • No practical toolset delivers analyses of binary programs across multiple platforms (like x86, ARM, MIPS, PowerPC etc.);
  • No practical toolset scales to real-world large programs and automates all aspects of highly sophisticated tasks like vulnerability analysis and exploit generation;
  • No practical toolset runs on a typical engineer’s laptop or integrates seamlessly with any popular reverse engineering environment. Interested reverse engineers must switch back and forth between their familiar tool environment and some Dynamic Binary Instrumentation (DBI) environment (like PIN) or full system emulator (like QEMU).
In this talk, we will present our solution to these limitations. We will explain the Cross-platform Binary Automated Symbolic-execution System (CBASS) that we developed and demonstrate one of its interactive applications: an IDA based Taint-enabled Reverse Engineering Environment (TREE). TREE can deliver program analysis techniques (taint analysis, dynamic slicing, symbolic execution and constraint solving) into the reverse engineer’s hands now. Binary analysis and its security applications have been extensively researched, mainly in the context of a single instruction set architecture (predominantly x86) and popular desktop operating systems (Linux or Windows). CBASS performs its binary analysis on a common Intermediate Representation (IR) rather than on the native Instruction Set Architecture (ISA) of any program. This thin layer allows our powerful analysis tools to work on cross-platform binary applications.
While CBASS supports both automated and interactive security applications, TREE supports a subset of these capabilities but from with an IDA Pro plug-in. TREE provides useful interactive visualizations of the results of on-demand binary analysis. Symbolic execution and concolic execution (concrete-symbolic execution) are fundamental techniques used in binary analysis; but they are plagued by the exponential path explosion problem. Solving this problem requires vigorous path pruning algorithms and highly parallel computing infrastructure (like clouds). Neither of these is typically available to a reverse engineer. TREE solves this problem by helping the reverse engineer prioritize path execution through an interactive and intuitive visual representation of the results of on-demand analysis of what inputs and instruction sequences led to the crash site or other suspicious path, leverage path constraints and SMT solver to negate tainted branch condition for a new, unexplored path. The details of the taint analysis, dynamic slicing and path constraint solving mechanisms are transparent to reverse engineer.
Utilizing the existing IDA Pro debugging infrastructure, TREE can automate trace generation from diversified target platforms, including kernel mode tracing for Windows. To our surprise, despite the fact that IDA Pro debugging API has been around for a long time, there has been no serious effort to automate trace collection for extensible binary analysis, particularly for kernel mode tracing. Our work has directly contributed to two bug fixes in the latest IDA Pro patches (IDA 6.4.130206). Our presentation will feature several case studies of using TREE to analyze real world vulnerabilities.

Presented by

Nathan Li
Loc Nguyen

Hunting the Shadows: In Depth Analysis of Escalated APT Attacks

APT attacks are a new emerging threat and have made headlines in recent years. However, we have yet to see full-scale assessment of targeted attack operations. Taiwan has been a long term target for these cyber-attacks due to its highly developed network infrastructure and sensitive political position. We had a unique chance to monitor, detect, investigate, and mitigate a large number of attacks on government and private sector companies. This presentation will introduce our results of a joint research between Xecure-Lab and Academia Sinica on targeted attack operations across the Taiwan Strait. We have developed a fully automated system, XecScan 2.0 (http://scan.xecure-lab.com) equipped with unique dynamic (sandbox) and static malicious software forensics technology to analyze nature and behavior of malicious binaries and document exploits. The system performs real-time APT classification and associates the analyzed content with existing knowledge base. In our experiments, the XecScan system has analyzed and successfully identified more than 12,000 APT emails, which include APT Malware and Document Exploits. With this presentation we will also analyze and group the samples from the recent Mandiant APT1(61398) Report and will compare the relationships between APT1 samples to the samples discovered in Taiwan and discuss the history behind APT1 Hacker activities. During this presentation we will release a free, publicly accessible portal to our collaborative APT classification platform and access to the XecScan 2.0 APIs.

I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell

I have a box on my desk that your CDMA cell phone will automatically connect to while you send and receive phone calls, text messages, emails, and browse the Internet. I own this box. I watch all the traffic that crosses it and you don't even know you're connected to me. Welcome to the New World, where I, not them, own the towers. Oh, and thanks for giving me the box... for free.
This box is a femtocell, a low-power cellular base station given or sold to subscribers by mobile network operators. It works just like a small cell tower, using a home Internet connection to interface with the provider network. When in range, a mobile phone will connect to a femtocell as if it were a standard cell tower and send all its traffic through it without any indication to the user.
The state-of-the-art authentication protecting cell phone networks can be an imposing target. However, with the rising popularity of femtocells there is more than one way to attack a cellular network. Inside, they run Linux, and they can be hacked.
During this talk, we will demonstrate how we've used a femtocell for traffic interception of voice/SMS/data, active network attacks, and explain how we were able to clone a mobile device without physical access.

Is that a government in your network or are you just happy to see me?

Defense and military network operations center around the age-old game: establishing long-term footholds deep inside a network. In this talk, we will discuss specific techniques and tactics observed while providing defensive incident response services to organizations compromised by foreign intelligence and defense agencies. The discussion will also incorporate the release and open-sourcing of several private projects used to identify pass-the-hash/impersonation attacks, including: a set of network monitoring daemons known as breachbox, part of which was funded by DARPA's Cyber Fast Track program; and an open-source tool and blueprint to help trojanize your own network to monitor and detect adversarial activity.

Presented by

Eric Fiterman

Java Every-Days: Exploiting Software Running on 3 Billion Devices

Over the last three years, Oracle Java has become the exploit author's best friend, and why not? Java has a rich attack surface, broad install base, and runs on multiple platforms allowing attackers to maximize their return-on-investment. The increased focus on uncovering weaknesses in the Java Runtime Environment (JRE) shifted research beyond classic memory corruption issues into abuses of the reflection API that allow for remote code execution. This talk focuses on the vulnerability trends in Java over the last three years and intersects public vulnerability data with Java vulnerabilities submitted to the Zero Day Initiative (ZDI) program. We begin by reviewing Java's architecture and patch statistics to identify a set of vulnerable Java components. We then highlight the top five vulnerability types seen in ZDI researcher submissions that impact these JRE components and emphasize their recent historical significance. The presentation continues with an in-depth look at specific weaknesses in several Java sub-components, including vulnerability details and examples of how the vulnerabilities manifest and what vulnerability researchers should look for when auditing the component. Finally, we discuss how attackers typically leverage weaknesses in Java. We focus on specific vulnerability types attackers and exploit kits authors are using and what they are doing beyond the vulnerability itself to compromise machines. We conclude with details on the vulnerabilities that were used in this year's Pwn2Own competition and review steps Oracle has taken to address recent issues uncovered in Java.

Just-In-Time Code Reuse: The more things change, the more they stay the same

Fine-grained address space layout randomization (ASLR) has recently been proposed as a method of efficiently mitigating runtime attacks. In this presentation, we introduce the design and implementation of a framework based on a novel attack strategy, dubbed just-in-time code reuse, which both undermines the benefits of fine-grained ASLR and greatly enhances the ease of exploit development on today's platforms that combine standard ASLR and DEP (e.g. Windows 8). Specifically, we derail the assumptions embodied in fine-grained ASLR by exploiting the ability to repeatedly abuse a memory disclosure to map an application's memory layout on-the-fly, dynamically discover API functions and gadgets, and JIT-compile a target program using those gadgets-- all within a script environment at the time an exploit is launched. We demonstrate the power of our framework by using it in conjunction with a real-world exploit against Internet Explorer, show its effectiveness in Windows 8, and also provide extensive evaluations that demonstrate the practicality of just-in-time code reuse attacks. Our findings suggest that fine-grained ASLR may not be as promising as first thought.

Presented by

Kevin Snow

Let's get physical: Breaking home security systems and bypassing buildings controls

36 million home & office security systems reside in the U.S., and they are all vulnerable. This is not your grandpa’s talk on physical security; this talk is about bypassing home and office digital physical security systems, from simple door sensors to intercepting signals and even the keypad before it can alert the authorities. All the methods presented are for covert entry and leave no physical sign of entry or compromise. If you are interested in bettering your skills as a pen tester or just want to know how break into an office like a Hollywood spy this is the talk for you. Come join us to see live demos of what the security companies never want you to see.

Mactans: Injecting Malware into iOS Devices via Malicious Chargers

Apple iOS devices are considered by many to be more secure than other mobile offerings. In evaluating this belief, we investigated the extent to which security threats were considered when performing everyday activities such as charging a device. The results were alarming: despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software. All users are affected, as our approach requires neither a jailbroken device nor user interaction.
In this presentation, we demonstrate how an iOS device can be compromised within one minute of being plugged into a malicious charger. We first examine Apple’s existing security mechanisms to protect against arbitrary software installation, then describe how USB capabilities can be leveraged to bypass these defense mechanisms. To ensure persistence of the resulting infection, we show how an attacker can hide their software in the same way Apple hides its own built-in applications.
To demonstrate practical application of these vulnerabilities, we built a proof of concept malicious charger, called Mactans, using a BeagleBoard. This hardware was selected to demonstrate the ease with which innocent-looking, malicious USB chargers can be constructed. While Mactans was built with limited amount of time and a small budget, we also briefly consider what more motivated, well-funded adversaries could accomplish. Finally, we recommend ways in which users can protect themselves and suggest security features Apple could implement to make the attacks we describe substantially more difficult to pull off.

Mainframes: The Past Will Come Back to Haunt You

From governments to military, airlines to banks, the mainframe is alive and well and touches you in everything you do. The security community that's tasked with reviewing the security on mainframes, though, actually knows very little about these beasts. Be it a lack of access by the security community or the false notion that mainframes are dead, there is a distinct gap between the IT security world and the mainframe world. Mainframes in the IT security community are talked about in whispered hushed tones in the back alleys. Neither knowing if they're as secure as IBM (and mainframers) claim or if they're ripe with configuration problems ready to be exploited. This talk will remove some of the mystery surrounding the mainframe, breaking down that 'legacy wall.' Discussing how security is implemented on the mainframe (including where to find configuration files), how to access it, simple networking and configuration commands, file structure etc. will be presented at this session.

Presented by

Philip Young

Mobile rootkits: Exploiting and rootkitting ARM TrustZone

Exploiting and rootkitting ARM-based devices gets more and more interesting. This talk will focus on the exploitation of TEEs (Trusted Execution Environments) running in ARM TrustZone to hide a TrustZone-based-rootkit (Presented at Black Hat EU 2013).

Presented by

Thomas Roth

Multiplexed Wired Attack Surfaces

Manufacturers of mobile devices often multiplex several wired interfaces onto a single connector. Some of these interfaces, probably intended for test and development, are still enabled when the devices ship. We'll show you how you can get a shell on a popular mobile phone via its USB port without using a USB connection and we will release an open source tool for exploring multiplexed wired interfaces.

Presented by

Michael Ossmann

The Outer Limits: Hacking the Samsung Smart TV

There is nothing wrong with your television set. Do not attempt to adjust the picture. We are controlling the transmission.
"Smart" TVs are becoming more and more common. Samsung and other vendors such as Sony and LG have sold more than a hundred million Smart TVs in the last few years. During this talk, Aaron Grattafiori and Josh Yavor will discuss the Samsung SmartTV design, attack surfaces and overall insecurity of the platform. A short discussion of the current application stack, TV operating system and other details will be provided to help set the stage for details of significant flaws found within the Samsung SmartTV application architecture, APIs and current applications.
A number of vulnerabilities will be explored and demonstrated which allow malicious developers or remotely hijacked applications (such as the web browser or social media applications) to take complete control of the TV, steal accounts stored within it and install a userland rootkit. Exploitation of these vulnerabilities also provides the ability for an attacker to use the front-facing video camera or built-in microphone for spying and surveillance as well as facilitate access to local network for continued exploitation. This talk will also discuss methods to bypass what (meager) security protections exist and put forth several worst case scenarios (TV worm anyone?).
Concluding this talk, Aaron and Josh will discuss what has been fixed by Samsung and discuss what overall weaknesses should be avoided by future "Smart" platforms. Video demos of exploits and userland rootkits will be provided.

Pass-The-Hash 2: The Admin's Revenge

Some vulnerabilities just can't be patched. Pass-The-Hash attacks against Windows enterprises are still successful and are more popular than ever. Since the PTH-Suite was released at Black Hat last year, Microsoft published their guide for mitigating the attack. Skip and Chris will cover some of the shortcomings in their strategies and offer practical ways to detect and potentially prevent hashes from being passed on your network. Learn how to stop an attacker's lateral movement in your enterprise.

Power Analysis Attacks for Cheapskates

Power analysis attacks present a devious method of cracking cryptographic systems. But looking at papers published in this field show that often the equipment used is fairly expensive: the typical oscilloscope used often has at least a 1 GSPS sampling rate, and then various probes and amplifiers also add to this cost. What is a poor researcher to do without such tools? This presentation will give a detailed description of how to setup a power analysis lab for a few hundred dollars, one that provides sufficient performance to attack real devices. It's based on some open-source hardware & software I developed, and is small enough to fit in your pocket. This will be demonstrated live against a microcontroller implementing AES, with details provided so attendees can duplicate the demonstration. This includes an open-hardware design for the capture board, open-source Python tools for doing the capture, and open-source example attacks. Underlying theory behind side-channel attacks will be presented, giving attendees a complete picture of how such attacks work.

Presented by

Colin O'Flynn

Press ROOT to continue: Detecting OSX and Windows bootkits with RDFU

UEFI has recently become a very public target for rootkits and malware. Last year at Black Hat 2012, Snare’s insightful talk highlighted the real and very significant potential for developing UEFI rootkits that are very difficult, if not impossible, to detect and/or eradicate. Since then, a couple of practical bootkits have appeared.
To combat this new threat, we developed a Rootkit Detection Framework for UEFI (“RDFU”) that incorporates a unified set of tools that address this problem across a wide spectrum of UEFI implementations. We will demonstrate a sample bootkit for Apple OSX that was designed specifically for testing purposes. As a UEFI driver, it infects the OSX kernel utilizing a UEFI “rootkit” technique. The entire infection process executes in memory (by the UEFI driver itself). Therefore, the bootkit does not need to install any OSX kernel extension modules. The bootkit demonstrates the following functionality:
  • Sniffing FileVault passwords (sniffing keys while booting)
  • Privilege escalation (to root)
  • Hiding PIDs, files, and directories with selected patterns
Rootkit Detection Framework for UEFI was developed under DARPA CFT. Following this talk, we will publicly release the RDFU open source code along with whitepapers that outline a possible use case for this technology.

Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions

Embedded systems are everywhere, from TVs to aircraft, printers to weapons control systems. As a security researcher when you are faced with one of these “black boxes” to test, sometime in-situ, it is difficult to know where to start. However, if there is a USB port on the device there is useful information that can be gained. This talk is about using techniques to analyze USB stack interactions to provide information such as the OS running on the embedded device, the USB drivers installed and devices supported. The talk will also cover some of the more significant challenges faced by researchers attempting to exploit USB vulnerabilities using a Windows 8 USB bug recently discovered by the presenter (MS13-027) as an example.

Presented by

Andy Davis

Rooting SIM cards

SIM cards are among the most widely-deployed computing platforms with over 7 billion cards in active use. Little is known about their security beyond manufacturer claims.
Besides SIM cards’ main purpose of identifying subscribers, most of them provide programmable Java runtimes. Based on this flexibility, SIM cards are poised to become an easily extensible trust anchor for otherwise untrusted smartphones, embedded devices, and cars.
The protection pretense of SIM cards is based on the understanding that they have never been exploited. This talk ends this myth of unbreakable SIM cards and illustrates that the cards -- like any other computing system -- are plagued by implementation and configuration bugs.

Presented by

Karsten Nohl

Smashing The Font Scaler Engine in Windows Kernel

The Font Scaler Engine is widely used to scale the outline font definition such as TrueType/OpenType font for a glyph to a specific point size and converts the outline into a bitmap at a particular resolution. The revolution of font in computer that is mainly used for stylist purposes had make many users ignored its security issues. In fact, the Font Scaler engine could cause many security impacts especially in Windows kernel mode.
In this talk, the basic structure of the Font Scaler engine will be discussed. This includes the conversion of an outline into a bitmap, the mathematical description of each glyph in an outline font, a set of instruction in each glyph that instruct the Font Scaler Engine to modify the shape of the glyph, and the instruction interpreter etc.
Next, we introduce our smart font fuzzing method for identifying the new vulnerabilities of the Font Scaler engine. The different of dumb fuzzing and vulnerable functions will be explained and we will prove that the dumb fuzzing technique is not a good option for Windows Font Fuzzing.
Lastly, we focus on the attack vector that could be used to launch the attacks remotely and locally. A demonstration of the new TrueType font vulnerabilities and the attack vector on Windows 8 and Windows 7 will be shown.

SPY-JACKING THE BOOTERS

It's become commonplace for security reporters and providers of security technologies to find themselves targets of hackers' wrath, especially when they put criminal activity under the spotlight. Earlier this year, Brian Krebs had done some work to expose a "booter" service. Like other public security figures, he found himself the target of repeated DDoS attacks. In Brian's case, this culminated in a "SWATting" attack -- a surprise visit by dozens of heavily armed police at his front door. Research on "booter" services reveals a relatively unsophisticated, but high-profit criminal community of DDoS-for-hire web sites that are capable of considerable impact. They operate under legal auspices, leveraging legitimate DDoS protection services. Anyone with an axe to grind and a small amount of money can hire one of these services to have virtually any person or web site knocked off the Internet. As an indicator of how mainstream these services have become, most of them accept payment via Paypal. This talk will delve into the recent proliferation of these malicious commercial DDoS services, and reveal what's been learned about their surreptitious functioning, exposing the proprietors behind these illicit services, and what is known about their targets and their thousands of paying customers. Emphasis will be placed on detailing the vulnerabilities present in most booter sites, and the lessons we can draw about how targets of these attacks can defend themselves.

SSL, gone in 30 seconds - a BREACH beyond CRIME

In this hands-on talk, we will introduce new targeted techniques and research that allows an attacker to reliably retrieve encrypted secrets (session identifiers, CSRF tokens, OAuth tokens, email addresses, ViewState hidden fields, etc.) from an HTTPS channel. We will demonstrate this new browser vector is real and practical by executing a PoC against a major enterprise product in under 30 seconds. We will describe the algorithm behind the attack, how the usage of basic statistical analysis can be applied to extract data from dynamic pages, as well as practical mitigations you can implement today. We will also describe the posture of different SaaS vendors vis-à-vis this attack. Finally, to provide the community with ability to build on our research, determine levels of exposure, and deploy appropriate protection, we will release the BREACH tool.

What's on the Wire? Physical Layer Tapping with Project Daisho

We believe that flaws in network protocols will not be discovered unless physical layer communication tapping solutions are made available to security researchers. In order to have confidence in our communication media we need the ability to monitor and modify the packets transferred on the wire. 802.11 network monitoring allowed the flaws in WEP and WPA to be exposed, Bluetooth Low Energy monitoring has shown problems in the key exchange protocol, but we are often more trusting of wired connections. Project Daisho is an attempt to fix that trust by allowing researchers to investigate wired protocols using existing software tools wherever possible. Daisho is an open source, extensible, modular network tap for wired communication media such as gigabit Ethernet, HDMI connections, and USB 3.0 connections. All aspects of the project are open source, including the hardware designs, software and FPGA cores. The project is producing the first open source USB 3.0 FPGA core.

 

Workshops


JTAGulator: Assisted discovery of on-chip debug interfaces

On-chip debug (OCD) interfaces can provide chip-level control of a target device and are a primary vector used by hackers to extract program code or data, modify memory contents, or affect device operation on-the-fly. Depending on the complexity of the target device, manually locating available OCD connections can be a difficult and time consuming task, sometimes requiring physical destruction or modification of the device.
In this session, Joe will introduce the JTAGulator, an open source hardware tool that assists in identifying OCD connections from test points, vias, or component pads. He will discuss traditional hardware reverse engineering methods and prior art in this field, how OCD interfaces work, and how JTAGulator can simplify the task of discovering such interfaces.

Presented by

Joe Grand

PDF Attack: A Journey from the Exploit Kit to the shellcode

PDF Attack: A journey from the Exploit Kit to the shellcode is a workshop to show how to analyze obfuscated Javascript code from an Exploit Kit page, extract the exploits used, and analyze them. Nowadays it is possible to use automated tools to extract URLs and binaries but it is also important to know how to do it manually to not to miss a detail. We will focus on PDF documents mostly, starting from a simple Javascript Hello World document and ending with a real file used by a fresh Exploit Kit. This workshop will also include exercises to modify malicious PDF files and obfuscate them to try to bypass AV software; very useful in pentesting. The latest version of peepdf (included in REMnux, BackTrack and Kali Linux) will be used to accomplish these tasks, so this presentation covers the latest tricks used by cybercriminals like using new filters and encryption to make analysis more difficult.

Presented by

Jose Miguel Esparza

 

Turbo Talks


Abusing Web APIs Through Scripted Android Applications

This will be a presentation focused on abusing web application APIs through the use of associated Android apps. We'll demonstrate using the JVM based scripting language JRuby to load, modify, and run code from targeted APKs in an easily scriptable way. We'll leverage this to demonstrate attacks against web APIs that have reduced their security requirements in order to allow for a more frictionless mobile experience, such as removing the need for captchas, email validation, and other usage restrictions. Building on that, we'll show code building on the existing testing framework of Burp suite and its Ruby interface Buby to make requests to APIs using the functionality we've exposed through the scripting to find differing responses to similar requests, and identifying potential weak points. We'll conclude with several case studies of popular apps demonstrating private key retrieval, arbitrary unlimited account creation on a social network, and locating and using custom cryptographic routines in our own scripts without the need to understand their implementation.

Presented by

Daniel Peck

Beyond the Application: Cellular Privacy Regulation Space

Aggressive data collection practices by cell providers have sparked new FCC interest in closing regulatory gaps in consumer privacy protection. Tensions exist between consumers and carriers, as well as between regulatory agencies. This talk will explore the current landscape from a technical as well as regulatory perspective and examine how it may change in the near future.

Presented by

Christie Dudley

Big Data for Web Application Security

The security posture of an application is directly proportional to the amount of information that is known about the application. Although the advantages of analytics from a data science perspective are well known and well documented, the advantages of analytics from a web application security perspective are neither well known nor well documented. How can we, as web application security practitioners, take advantage of big data stacks to improve the security posture of our applications? This talk will dive into the ways that big data analytics can be taken advantage of to create effective defenses for web applications today. We'll outline the fundamental problems that can and should be solved with big data and outline the classes of security mechanisms that simply, based on their nature, cannot be solved with big data. Once an understanding of the domain is established, we'll explore several specific examples that outline how one security team uses big data every day to solve hard, interesting problems and create a safer experience for its users.

Presented by

Mike Arpaia

Clickjacking Revisited: A Perceptual View of UI Security

We revisit UI security attacks (such as clickjacking) from a perceptual perspective and identify novel attacks. Our perceptual view on UI security attacks helps identify new attacks on UI security. We develop five attacks that bypass current defenses. Our attacks are powerful with a 100% success rate in some cases. However, they only scratch the surface of possible perceptual attacks on UI integrity, and we posit that a number of attacks are possible with a comprehensive study of human perception. Finally, we argue that, due to the complex nature of human perception, defending against such attacks is challenging and requires further research taking user perception and new computer vision techniques into account.

Presented by

Devdatta Akhawe

CMX: IEEE Clean File Metadata Exchange

False positives are a huge problem in the security space. Organizations can spend more time and engineering on reducing FPs than on detecting new malware. Whitelists can help, but there are difficulties with these. Many organizations will not permit the exchange of files for copyright reasons. 3rd party developers must deal with multiple security vendors to get their software whitelisted.
CMX is a system being operated by IEEE. 3rd party software developers can submit metadata for their applications to a single portal. Security vendor subscribers can then pull -- in realtime -- all the metadata being pushed into the system. Since only metadata is being exchanged, there are no copyright problems.
This system will greatly simplify the maintenance of global whitelists.

CrowdSource: An Open Source, Crowd Trained Machine Learning Model for Malware Capability Detection

Due to the exploding number of unique malware binaries on the Internet and the slow process required for manually analyzing these binaries, security practitioners today have only limited visibility into the functionality implemented by the global population of malware. To date little work has been focused explicitly on quickly and automatically detecting the broad range of high level malware functionality such as the ability of malware to take screenshots, communicate via IRC, or surreptitiously operate users’ webcams.
To address this gap, we debut CrowdSource, an open source machine learning based reverse engineering tool. CrowdSource approaches the problem of malware capability identification in a novel way, by training a malware capability detection engine on millions of technical documents from the web. Our intuition for this approach is that malware reverse engineers already rely heavily on the web “crowd” (performing web searches to discover the purpose of obscure function calls and byte strings, for example), so automated approaches, using the tools of machine learning, should also take advantage of this rich and as of yet untapped data source.
As a novel malware capability detection approach, CrowdSource does the following:
  1. Generates a list of detected software capabilities for novel malware samples (such as the ability of malware to communicate via a particular protocol, perform a given data exfiltration activity, or load a device driver);
  2. Provides traceable output for capability detections by including “citations” to the web technical documents that detections are based on;
  3. Provides probabilistic malware capability detections when appropriate: e.g., system output may read, “given the following web documents as evidence, it is 80% likely the sample uses IRC as a C2 channel, and 70% likely that it also encrypts this traffic.”
CrowdSource is funded under the DARPA Cyber Fast Track initiative, is being developed by the machine learning and malware analysis group at Invincea Labs and is scheduled for beta, open source release to the security community this October. In this presentation we will give complete details on our algorithm for CrowdSource as it stands, including compelling results that demonstrate that CrowdSource can already rapidly reverse engineer a variety of currently active malware variants.

Presented by

Joshua Saxe

Denial of Service as a Service - asymmetrical warfare at it's finest

Imagine being DDOS'd repeatedly with up to 10Gbps of traffic on a daily basis. Your logs are useless (when your systems are even able to collect data). How do you stop the attacks? Crippling Distributed Denial of Service “As a Service” or DDoSaaS (tm) attacks can be done with $200 lifetime memberships against the largest organizations around - and almost impossible to stop. Asymmetrical warfare at its finest.
The presentation will focus on an investigation that was done in 2013 regarding a large DDOS attack against a regional ISP in Quebec, Canada. The DDOS attack affected tens of thousand of citizens including municipal 911 services (don't ask) to chicken farmers.
We'll talk about the investigative techniques (including social engineering) that were used to track down the suspect and the eventual arrest.

Presented by

Robert Masse

Denying service to DDOS protection services

In this age of cheap and easy DDOS attacks, DDOS protection services promise to go between your server and the Internet to protect you from attackers. DDOS protection relies entirely on maintaining the secrecy of the target's real IP. I will demonstrate a tool I wrote that exploits a new bypass method against DDOS protection, initially developed to unmask criminal websites protected by Cloudflare. Lensflare is written in Python and locates your DDOS protected target, enabling you to unmask a properly configured DDOS protected website.

Presented by

Allison Nixon

Detecting vulnerabilities in virtual devices using conformance testing -- "Turning old hardware into gold"

Virtual devices are key building blocks of virtual machines. Any flaws or vulnerabilities in a virtual device directly threaten the security of the whole virtual machine. In this talk, we will present our experience detecting bugs in virtual devices by comparing a virtual device to its physical counterpart.
Since the device drivers in a guest operating system assume the virtual devices behave the same as the physical devices, any diverging behavior could potentially cause problems for the device drivers and threaten the security of the guest operating system and the virtual machine platform. We compared the QEMU/KVM virtual implementations of the e1000 and eepro100 to their physical counterparts and found multiple bugs in each, one of which was confirmed to affect guest OS security, leading to CVE-2012-6075.
Our talk will cover the basic idea of using virtual and physical device comparison for fuzzing virtual devices, and additionally describe the observability of each device type, methods for capturing device events and states, and methods for comparing between them with only partial state information. We will explain each of these steps using the real examples that led to our discovery of bugs in the e1000 and eepro100 virtual devices. We expect this talk to attract a traditional OS security audience as well as people interested in new testing methods for cloud environments.

LTE BOOMS WITH VULNERABILITIES

LTE, is the NGN that is all IP-based with improved capacity, speed and profit but it brings internet security risks in telecom networks which until now have been closed. It comes up with new vulnerabilities, has more attack surfaces and is more likely to be attacked in near future. Having wider security threats opens up new doors for intruders. The new infrastructure elements IMS, STP, SIGTRAN and SS7 network protocols have unpatched vulnerabilities and multiple entry points for DDOS, code execution, which can lead to disruption to customer’s voice and data privacy. Techniques to perform attacks like DDOS, packet & Voip sniffing , modification, application layer attacks will be discussed here.

Presented by

Ankit Gupta

Malicious File for Exploiting Forensic Software

Commercial forensic software such as EnCase, FTK and X-Ways Forensics adopts the same library component for viewing file content. If the library component is exploitable, lots of forensic investigators are exposed to risks like malware infection and freeze of the software by checking crafted malicious files.
This presentation introduces anti-forensic techniques exploiting vulnerabilities of the component embedded in forensic software. Specifically, I show one malicious file can trigger arbitrary code execution on multiple forensic software products. The exploitation has great impact on forensic investigation because most forensic software includes it.
The presentation is made up as follows. First, I explain the file viewer component in forensic software and how to fuzz it with a custom script of forensic software, MiniFuzz and a kernel driver for anti-debugging. Next, I describe two vulnerabilities (heap overflow and infinite loop DoS) detected by the fuzzer then demonstrate arbitrary code execution and hang-up of forensic software process using malicious files. I also fill in the gaps on some tricks for exploiting heap overflow (e.g., overwriting function pointers, finding the condition of heap spraying with bitmap images). Finally, I refer to countermeasures.

OPSEC failures of spies

The CIA is no more technologically sophisticated than your average American, and as a result, has suffered serious and embarrassing operational failures.
This is a rare peek inside the CIA's intelligence gathering operations and the stunning lack of expertise they can bring to the job.
In 2005, news organizations around the world reported that an Italian court had signed arrest warrants for 26 Americans in connection with an extraordinary rendition of a Muslim cleric. At the heart of the case was the stunning lack of OPSEC the team of spies used while they surveilled and then snatched their target off the streets of Milan.
The incident, known as the Italian Job inside the CIA, became an international scandal and caused global outrage. What very few people ever understood was that the CIA's top spies were laughably uneducated about cell phone technology and ignorant of the electronic fingerprints left behind.
The story would be startling, though old, if not for the fact that eight years after the debacle in Milan, history repeated itself.
In 2011, an entire CIA network of Lebanese informants was busted by Hezbollah. The reason: cell phone OPSEC failures. After receiving a warning from Mossad, who had lost their network a year earlier the same way, the CIA dismissed Hezbollah's ability to run analytic software on raw cell phone traffic. But they did. And with a little effort, the CIA's network of spies, as well as their own officers, were identified one by one.
This is the true story of American Intelligence's Keystone Kops.

Presented by

Matthew Cole

Password Hashing: the Future is Now

Passwords are hashed everywhere: operating systems, smartphones, web services, disk encryption tools, SSH private keys, etc. Hashing passwords mitigates the impact of a compromised database by forcing attackers to bruteforce passwords. Bruteforce is easier when the hash function is not "salted", fast to evaluate, and easy to implement as multiple parallel instances on GPUs or multi-core systems. However existing solutions are not satisfactory, and the huge majority of systems rely on weak hashes (eg. leaks from Sony, LinkedIn, or more recently Evernote).
After a brief introduction of the problem and previous solution attempts, this talk presents a roadmap towards new improved hashing methods, as desired by a number of parties (from industry and standardization organizations).
First, we'll enumerate the technical challenges for software and security engineers as well as cryptographers and attackers, discussion questions like: why, counter-intuitively, parallelism is desirable? How can complexity theory benefit password hashing? How to define a metric that encompasses performance on GPUs and ASICs? Should hashing be performed by the client, server, or both? What about DoS induced by slow hashing? etc.
Then we'll describe the initiative that motivated this talk: the Password Hashing Competition (PHC), a project similar to the pure-cryptography competitions AES, eSTREAM, or SHA-3, but focused on the password hashing problem: the PHC gathers the leading experts from the password cracking scene as well as cryptographers and software engineers from academia, industry, as well as NIST, to develop the hashing methods of the future.

Truncating TLS Sessions to violate beliefs

We identify logical web application flaws which can be exploited by TLS truncation attacks to desynchronize the user- and server-perspective of an application's state. It follows immediately that servers may make false assumptions about users, hence, the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts.

沒有留言:

張貼留言